* [PATCH 5.15 000/476] 5.15.149-rc1 review
@ 2024-02-21 13:00 Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 001/476] ksmbd: free ppace array on error in parse_dacl Greg Kroah-Hartman
` (485 more replies)
0 siblings, 486 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml
This is the start of the stable review cycle for the 5.15.149 release.
There are 476 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.15.149-rc1
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: dwc3: gadget: Ignore End Transfer delay on teardown
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
media: Revert "media: rkisp1: Drop IRQF_SHARED"
Wesley Cheng <quic_wcheng@quicinc.com>
usb: dwc3: gadget: Execute gadget stop after halting the controller
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: dwc3: gadget: Don't delay End Transfer on delayed_status
Peter Suti <peter.suti@streamunlimited.com>
staging: fbtft: core: set smem_len before fb_deferred_io_init call
Kees Cook <keescook@chromium.org>
smb3: Replace smb2pdu 1-element arrays with flex-arrays
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: Add null pointer checks
Florian Fainelli <florian.fainelli@broadcom.com>
net: bcmgenet: Fix EEE implementation
Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Revert "selftests/bpf: Test tail call counting with bpf2bpf and data on stack"
Konrad Dybcio <konrad.dybcio@linaro.org>
drm/msm/dsi: Enable runtime PM
Douglas Anderson <dianders@chromium.org>
PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
Easwar Hariharan <eahariha@linux.microsoft.com>
arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata
Mikulas Patocka <mpatocka@redhat.com>
dm: limit the number of targets and parameter size area
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: replace WARN_ONs for invalid DAT metadata block requests
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: fix potential bug in end_buffer_async_write
Linus Torvalds <torvalds@linuxfoundation.org>
sched/membarrier: reduce the ability to hammer on sys_membarrier
Jozsef Kadlecsik <kadlec@netfilter.org>
netfilter: ipset: Missing gc cancellations fixed
Eric Dumazet <edumazet@google.com>
net: prevent mss overflow in skb_segment()
Davidlohr Bueso <dave@stgolabs.net>
hrtimer: Ignore slack time for RT tasks in schedule_hrtimeout_range()
Jozsef Kadlecsik <kadlec@netfilter.org>
netfilter: ipset: fix performance regression in swap operation
Carlos Llamas <cmllamas@google.com>
scripts/decode_stacktrace.sh: optionally use LLVM utilities
Miguel Ojeda <ojeda@kernel.org>
scripts: decode_stacktrace: demangle Rust symbols
Schspa Shi <schspa@gmail.com>
scripts/decode_stacktrace.sh: support old bash version
Nam Cao <namcao@linutronix.de>
fbdev: flush deferred IO before closing
Takashi Iwai <tiwai@suse.de>
fbdev: Fix incorrect page mapping clearance at fb_deferred_io_release()
Takashi Iwai <tiwai@suse.de>
fbdev: Fix invalid page access after closing deferred I/O devices
Thomas Zimmermann <tzimmermann@suse.de>
fbdev: Rename pagelist to pagereflist for deferred I/O
Thomas Zimmermann <tzimmermann@suse.de>
fbdev: Track deferred-I/O pages in pageref struct
Chuansheng Liu <chuansheng.liu@intel.com>
fbdev: defio: fix the pagelist corruption
Thomas Zimmermann <tzimmermann@suse.de>
fbdev: Don't sort deferred-I/O pages by default
Thomas Zimmermann <tzimmermann@suse.de>
fbdev/defio: Early-out if page is already enlisted
Lino Sanfilippo <l.sanfilippo@kunbus.com>
serial: 8250_exar: Set missing rs485_supported flag
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
serial: 8250_exar: Fill in rs485_supported
Wesley Cheng <quic_wcheng@quicinc.com>
usb: dwc3: gadget: Queue PM runtime idle on disconnect event
Wesley Cheng <quic_wcheng@quicinc.com>
usb: dwc3: gadget: Handle EP0 request dequeuing properly
Wesley Cheng <quic_wcheng@quicinc.com>
usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API
Wesley Cheng <quic_wcheng@quicinc.com>
usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive
Wesley Cheng <quic_wcheng@quicinc.com>
usb: dwc3: gadget: Submit endxfer command if delayed during disconnect
Wesley Cheng <quic_wcheng@quicinc.com>
usb: dwc3: gadget: Force sending delayed status during soft disconnect
Mayank Rana <quic_mrana@quicinc.com>
usb: dwc3: Fix ep0 handling when getting reset while doing control transfer
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: dwc3: gadget: Delay issuing End Transfer
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: dwc3: gadget: Only End Transfer for ep0 data phase
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: dwc3: ep0: Don't prepare beyond Setup stage
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: dwc3: gadget: Wait for ep0 xfers to complete during dequeue
Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
David Lin <yu-hao.lin@nxp.com>
wifi: mwifiex: fix uninitialized firmware_stat
Sjoerd Simons <sjoerd@collabora.com>
bus: moxtet: Add spi device table
David Lin <yu-hao.lin@nxp.com>
wifi: mwifiex: add extra delay for firmware ready
Lukas Wunner <lukas@wunner.de>
wifi: mwifiex: Support SD8978 chipset
Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
mwifiex: Select firmware based on strapping
Christian König <christian.koenig@amd.com>
dma-buf: add dma_fence_timestamp helper
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Fix task hung while purging oob_skb in GC.
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Inform kmemleak of saved_cmdlines allocation
Konrad Dybcio <konrad.dybcio@linaro.org>
pmdomain: core: Move the unused cleanup to a _sync initcall
Oleksij Rempel <linux@rempel-privat.de>
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
Ziqi Zhao <astrajoan@yahoo.com>
can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock
Nuno Sa <nuno.sa@analog.com>
of: property: fix typo in io-channels
Prakash Sangappa <prakash.sangappa@oracle.com>
mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE
Rishabh Dave <ridave@redhat.com>
ceph: prevent use-after-free in encode_cap_msg()
Sinthu Raja <sinthu.raja@ti.com>
net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio
Alexandra Winter <wintera@linux.ibm.com>
s390/qeth: Fix potential loss of L3-IP@ in case of network issues
Sinthu Raja <sinthu.raja@ti.com>
net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio
Marc Zyngier <maz@kernel.org>
irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update
Doug Berger <opendmb@gmail.com>
irqchip/irq-brcmstb-l2: Add write memory barrier before exit
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
Daniel de Villiers <daniel.devilliers@corigine.com>
nfp: flower: prevent re-adding mac index for bonded port
Daniel Basilio <daniel.basilio@corigine.com>
nfp: use correct macro for LengthSelect in BAR config
Kim Phillips <kim.phillips@amd.com>
crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: fix data corruption in dsync block recovery for small block sizes
bo liu <bo.liu@senarytech.com>
ALSA: hda/conexant: Add quirk for SWS JS201D
Alexander Stein <alexander.stein@ew.tq-group.com>
mmc: slot-gpio: Allow non-sleeping GPIO ro
Steve Wahl <steve.wahl@hpe.com>
x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
Aleksander Mazur <deweloper@wp.pl>
x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
Naveen N Rao <naveen@kernel.org>
powerpc/64: Set task pt_regs->link to the LR value on scv entry
Hugo Villeneuve <hvilleneuve@dimonoff.com>
serial: max310x: fail probe if clock crystal is unstable
Hugo Villeneuve <hvilleneuve@dimonoff.com>
serial: max310x: improve crystal stable clock detection
Hugo Villeneuve <hvilleneuve@dimonoff.com>
serial: max310x: set default value when reading clock ready bit
Vincent Donnefort <vdonnefort@google.com>
ring-buffer: Clean ring_buffer_poll_wait() error return
Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>
hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove
Philip Yang <Philip.Yang@amd.com>
drm/prime: Support page array >= 4GB
Sean Young <sean@mess.org>
media: rc: bpf attach/detach requires write permission
Mario Limonciello <mario.limonciello@amd.com>
iio: accel: bma400: Fix a compilation problem
Dinghao Liu <dinghao.liu@zju.edu.cn>
iio: core: fix memleak in iio_device_register_sysfs
zhili.liu <zhili.liu@ucas.com.cn>
iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
David Schiller <david.schiller@jku.at>
staging: iio: ad5933: fix type mismatch regression
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Fix wasted memory in saved_cmdlines logic
Baokun Li <libaokun1@huawei.com>
ext4: fix double-free of blocks due to wrong extents moved_len
Ekansh Gupta <quic_ekangupt@quicinc.com>
misc: fastrpc: Mark all sessions as invalid in cb_remove
Carlos Llamas <cmllamas@google.com>
binder: signal epoll threads of self-work
Vitaly Rodionov <vitalyr@opensource.cirrus.com>
ALSA: hda/cs8409: Suppress vmaster control for Dolphin models
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ASoC: codecs: wcd938x: handle deferred probe
Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
Jan Beulich <jbeulich@suse.com>
xen-netback: properly sync TX responses
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()
Fedor Pchelkin <pchelkin@ispras.ru>
nfc: nci: free rx_data_reassembly skb on NCI device cleanup
Nathan Chancellor <nathan@kernel.org>
kbuild: Fix changing ELF file type for output of gen_btf for big endian
Takashi Sakamoto <o-takashi@sakamocchi.jp>
firewire: core: correct documentation of fw_csr_string() kernel API
Ondrej Mosnacek <omosnace@redhat.com>
lsm: fix the logic in security_inode_getsecctx()
Mario Limonciello <mario.limonciello@amd.com>
Revert "drm/amd: flush any delayed gfxoff on suspend entry"
Lee Duncan <lduncan@suse.com>
scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
Paolo Abeni <pabeni@redhat.com>
mptcp: fix data re-injection from stale subflow
Radek Krejci <radek.krejci@oracle.com>
modpost: trim leading spaces when processing source files list
Jean Delvare <jdelvare@suse.de>
i2c: i801: Fix block process call transactions
Heiner Kallweit <hkallweit1@gmail.com>
i2c: i801: Remove i801_set_block_buffer_mode
Jiangfeng Xiao <xiaojiangfeng@huawei.com>
powerpc/kasan: Fix addr error caused by page alignment
Zhipeng Lu <alexious@zju.edu.cn>
media: ir_toy: fix a memleak in irtoy_tx
Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>
usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
yuan linyu <yuanlinyu@hihonor.com>
usb: f_mass_storage: forbid async queue when shutdown happen
Oliver Neukum <oneukum@suse.com>
USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT
Christian A. Ehrhardt <lk@c--e.de>
usb: ucsi_acpi: Fix command completion handling
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP
Jason Gerecke <killertofu@gmail.com>
HID: wacom: Do not register input devices until after hid_hw_start
Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
HID: wacom: generic: Avoid reporting a serial of '0' to userspace
Johan Hovold <johan+linaro@kernel.org>
HID: i2c-hid-of: fix NULL-deref on failed power up
Luka Guzenko <l.guzenko@web.de>
ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx
David Senoner <seda18@rolmail.net>
ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift 1 SF114-32
Michael Kelley <mhklinux@outlook.com>
scsi: storvsc: Fix ring buffer size calculation
Zach O'Keefe <zokeefe@google.com>
mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing/trigger: Fix to return error if failed to alloc snapshot
Samuel Holland <samuel.holland@sifive.com>
scs: add CONFIG_MMU dependency for vfree_atomic()
Ivan Vecera <ivecera@redhat.com>
i40e: Fix waiting for queues of all VSIs to be disabled
Guenter Roeck <linux@roeck-us.net>
MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler
Breno Leitao <leitao@debian.org>
net: sysfs: Fix /sys/class/net/<iface> path for statistics
Alexey Khoroshilov <khoroshilov@ispras.ru>
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
spi: ppc4xx: Drop write-only variable
Aaron Conole <aconole@redhat.com>
net: openvswitch: limit the number of recursions from action sets
Dan Carpenter <dan.carpenter@linaro.org>
wifi: iwlwifi: Fix some error codes
Christian A. Ehrhardt <lk@c--e.de>
of: unittest: Fix compile in the non-dynamic case
David Sterba <dsterba@suse.com>
btrfs: send: return EOPNOTSUPP on unknown flags
Boris Burkov <boris@bur.io>
btrfs: forbid deleting live subvol qgroup
Qu Wenruo <wqu@suse.com>
btrfs: do not ASSERT() if the newly created subvolume already got read
Boris Burkov <boris@bur.io>
btrfs: forbid creating subvol qgroups
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_set_rbtree: skip end interval element from gc
Furong Xu <0x1207@gmail.com>
net: stmmac: xgmac: fix a typo of register name in DPP safety handling
Simon Horman <horms@kernel.org>
net: stmmac: xgmac: use #define for string constants
Jiri Wiesner <jwiesner@suse.de>
clocksource: Skip watchdog check for large watchdog intervals
Prathu Baronia <prathubaronia2011@gmail.com>
vhost: use kzalloc() instead of kmalloc() followed by memset()
Hans de Goede <hdegoede@redhat.com>
Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
Werner Sembach <wse@tuxedocomputers.com>
Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU
Frederic Weisbecker <frederic@kernel.org>
hrtimer: Report offline hrtimer enqueue
Prashanth K <quic_prashk@quicinc.com>
usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK
Prashanth K <quic_prashk@quicinc.com>
usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK
Leonard Dallmayr <leonard.dallmayr@mailbox.org>
USB: serial: cp210x: add ID for IMST iM871A-USB
Puliang Lu <puliang.lu@fibocom.com>
USB: serial: option: add Fibocom FM101-GL variant
JackBB Wu <wojackbb@gmail.com>
USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
Julian Sikorski <belegdol+github@gmail.com>
ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter
Justin Stitt <justinstitt@google.com>
drivers: lkdtm: fix clang -Wformat warning
Tejun Heo <tj@kernel.org>
blk-iocost: Fix an UBSAN shift-out-of-bounds warning
Ming Lei <ming.lei@redhat.com>
scsi: core: Move scsi_host_busy() out of host lock if it is for per-command
Dan Carpenter <dan.carpenter@linaro.org>
fs/ntfs3: Fix an NULL dereference bug
Florian Westphal <fw@strlen.de>
netfilter: nft_set_pipapo: remove scratch_aligned pointer
Florian Westphal <fw@strlen.de>
netfilter: nft_set_pipapo: add helper to release pcpu scratch area
Florian Westphal <fw@strlen.de>
netfilter: nft_set_pipapo: store index in scratch maps
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_ct: reject direction for ct id
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Implement bounds check for stream encoder creation in DCN301
Anson Jacob <Anson.Jacob@amd.com>
drm/amd/display: Fix multiple memory leaks reported by coverity
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_compat: restrict match/target protocol to u16
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_compat: reject unused compat flag
Eric Dumazet <edumazet@google.com>
ppp_async: limit MRU to 64K
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.
Shigeru Yoshida <syoshida@redhat.com>
tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
David Howells <dhowells@redhat.com>
rxrpc: Fix response to PING RESPONSE ACKs to a dead call
Eric Dumazet <edumazet@google.com>
inet: read sk->sk_family once in inet_recv_error()
Zhang Rui <rui.zhang@intel.com>
hwmon: (coretemp) Fix bogus core_id to attr name mapping
Zhang Rui <rui.zhang@intel.com>
hwmon: (coretemp) Fix out-of-bounds memory access
Loic Prylli <lprylli@netflix.com>
hwmon: (aspeed-pwm-tacho) mutex for tach reading
Zhipeng Lu <alexious@zju.edu.cn>
octeontx2-pf: Fix a memleak otx2_sq_init
Zhipeng Lu <alexious@zju.edu.cn>
atm: idt77252: fix a memleak in open_card_ubr0
Antoine Tenart <atenart@kernel.org>
tunnels: fix out of bounds access when building IPv6 PMTU error
Paolo Abeni <pabeni@redhat.com>
selftests: net: avoid just another constant wait
Paolo Abeni <pabeni@redhat.com>
selftests: net: cut more slack for gro fwd tests.
Furong Xu <0x1207@gmail.com>
net: stmmac: xgmac: fix handling of DPP safety error for DMA channels
Kuogee Hsieh <quic_khsieh@quicinc.com>
drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case
Tony Lindgren <tony@atomide.com>
phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
Frank Li <Frank.Li@nxp.com>
dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV
Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
phy: renesas: rcar-gen3-usb2: Fix returning wrong error code
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA
Jai Luthra <j-luthra@ti.com>
dmaengine: ti: k3-udma: Report short packet errors
Guanhua Gao <guanhua.gao@nxp.com>
dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools
Johan Hovold <johan+linaro@kernel.org>
ASoC: codecs: lpass-wsa-macro: fix compander volume hack
Zhengchao Shao <shaozhengchao@huawei.com>
bonding: remove print in bond_verify_device_path
Benjamin Berg <bberg@redhat.com>
HID: apple: Add 2021 magic keyboard FN key mapping
Alex Henrie <alexhenrie24@gmail.com>
HID: apple: Add support for the 2021 Magic Keyboard
Praveen Kaligineedi <pkaligineedi@google.com>
gve: Fix use-after-free vulnerability
Huang Shijie <shijie@os.amperecomputing.com>
arm64: irq: set the correct node for shadow call stack
Breno Leitao <leitao@debian.org>
net: sysfs: Fix /sys/class/net/<iface> path
Paolo Abeni <pabeni@redhat.com>
selftests: net: fix available tunnels detection
Eric Dumazet <edumazet@google.com>
af_unix: fix lockdep positive in sk_diag_dump_icons()
Zhipeng Lu <alexious@zju.edu.cn>
net: ipv4: fix a memleak in ip_setup_cork
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
Linus Lüssing <linus.luessing@c0d3.blue>
bridge: mcast: fix disabled snooping after long uptime
Eric Dumazet <edumazet@google.com>
llc: call sock_orphan() at release time
Helge Deller <deller@kernel.org>
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
Jedrzej Jagielski <jedrzej.jagielski@intel.com>
ixgbe: Refactor overtemp event handling
Jedrzej Jagielski <jedrzej.jagielski@intel.com>
ixgbe: Refactor returning internal error codes
Piotr Skajewski <piotrx.skajewski@intel.com>
ixgbe: Remove non-inclusive language
Eric Dumazet <edumazet@google.com>
tcp: add sanity checks to rx zerocopy
Eric Dumazet <edumazet@google.com>
ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
Eric Dumazet <edumazet@google.com>
ip6_tunnel: use dev_sw_netstats_rx_add()
Paolo Abeni <pabeni@redhat.com>
selftests: net: give more time for GRO aggregation
Ming Lei <ming.lei@redhat.com>
scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler
Su Hui <suhui@nfschina.com>
scsi: isci: Fix an error code problem in isci_io_request_build()
Stephen Rothwell <sfr@canb.auug.org.au>
drm: using mul_u32_u32() requires linux/math64.h
Edward Adam Davis <eadavis@qq.com>
wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
Peter Zijlstra <peterz@infradead.org>
perf: Fix the nr_addr_filters fix
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amdkfd: Fix 'node' NULL check in 'svm_range_get_range_boundaries()'
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()'
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/powerplay: Fix kzalloc parameter 'ATOM_Tonga_PPM_Table' in 'get_platform_power_management_table()'
Xiubo Li <xiubli@redhat.com>
ceph: fix deadlock or deadcode of misusing dget()
Ming Lei <ming.lei@redhat.com>
blk-mq: fix IO hang from sbitmap wakeup race
Zhu Yanjun <yanjun.zhu@linux.dev>
virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings
Felix Kuehling <felix.kuehling@amd.com>
drm/amdkfd: Fix lock dependency warning
Ian Rogers <irogers@google.com>
libsubcmd: Fix memory leak in uniq()
Hans de Goede <hdegoede@redhat.com>
misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback
Bjorn Helgaas <bhelgaas@google.com>
PCI/AER: Decode Requester ID when no error info found
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Fix 64GT/s effective data rate calculation
Max Kellermann <max.kellermann@ionos.com>
fs/kernfs/dir: obey S_ISGID
Adrian Reber <areber@redhat.com>
tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE
Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
selftests/sgx: Fix linker script asserts
Hardik Gajjar <hgajjar@de.adit-jv.com>
usb: hub: Replace hardcoded quirk value with BIT() macro
James Clark <james.clark@arm.com>
perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present
Daniel Stodden <dns@arista.com>
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
Guilherme G. Piccoli <gpiccoli@igalia.com>
PCI: Only override AMD USB controller if required
Xiaowu.ding <xiaowu.ding@jaguarmicro.com>
mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt
Peter Robinson <pbrobinson@gmail.com>
mfd: ti_am335x_tscadc: Fix TI SoC dependencies
Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import
Harshit Shah <harshitshah.opendev@gmail.com>
i3c: master: cdns: Update maximum prescaler value for i2c clock
Johannes Berg <johannes.berg@intel.com>
um: time-travel: fix time corruption
Nathan Chancellor <nathan@kernel.org>
um: net: Fix return type of uml_net_start_xmit()
Benjamin Berg <benjamin@sipsolutions.net>
um: Don't use vfprintf() for os_info()
Anton Ivanov <anton.ivanov@cambridgegreys.com>
um: Fix naming clash between UML and scheduler
Heiner Kallweit <hkallweit1@gmail.com>
leds: trigger: panic: Don't register panic notifier if creating the trigger failed
bo liu <bo.liu@senarytech.com>
ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'
Felix Kuehling <Felix.Kuehling@amd.com>
drm/amdgpu: Let KFD sync with VM fences
Alexander Stein <alexander.stein@ew.tq-group.com>
clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks
Kuan-Wei Chiu <visitorckw@gmail.com>
clk: imx: scu: Fix memory leak in __imx_clk_gpr_scu()
Josip Pavic <josip.pavic@amd.com>
drm/amd/display: make flip_timestamp_in_us a 64-bit variable
Werner Fischer <devlists@wefi.net>
watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786
Kuan-Wei Chiu <visitorckw@gmail.com>
clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
Kuan-Wei Chiu <visitorckw@gmail.com>
clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
Wang, Beyond <Wang.Beyond@amd.com>
drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap
Rob Clark <robdclark@chromium.org>
drm/msm/dpu: Ratelimit framedone timeout msgs
Kieran Bingham <kieran.bingham@ideasonboard.com>
media: i2c: imx335: Fix hblank min/max values
Su Hui <suhui@nfschina.com>
media: ddbridge: fix an error code problem in ddb_probe
Daniel Vacek <neelx@redhat.com>
IB/ipoib: Fix mcast list locking
Douglas Anderson <dianders@chromium.org>
drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
Chao Yu <chao@kernel.org>
f2fs: fix to tag gcing flag on page during block migration
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
media: rkisp1: Drop IRQF_SHARED
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ALSA: hda: Intel: add HDA_ARL PCI ID support
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
PCI: add INTEL_HDA_ARL to pci_ids.h
Michael Tretter <m.tretter@pengutronix.de>
media: rockchip: rga: fix swizzling for RGB formats
Ghanshyam Agrawal <ghanshyam1898@gmail.com>
media: stk1160: Fixed high volume of stk1160_dbg messages
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
drm/mipi-dsi: Fix detach call without attach
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
drm/framebuffer: Fix use of uninitialized variable
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
drm/drm_file: fix use of uninitialized variable
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: fix write pointers on zoned device after roll forward
Meenakshikumar Somasundaram <meenakshikumar.somasundaram@amd.com>
drm/amd/display: Fix tiled display misalignment
Jack Wang <jinpu.wang@ionos.com>
RDMA/IPoIB: Fix error code return in ipoib_mcast_join
Al Viro <viro@zeniv.linux.org.uk>
fast_dput(): handle underflows gracefully
Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
Takashi Iwai <tiwai@suse.de>
ALSA: hda: Refer to correct stream index at loops
Chao Yu <chao@kernel.org>
f2fs: fix to check return value of f2fs_reserve_new_block()
Suman Ghosh <sumang@marvell.com>
octeontx2-af: Fix max NPC MCAM entry check while validating ref_entry
Andrii Staikov <andrii.staikov@intel.com>
i40e: Fix VF disable behavior to block all traffic
Lin Ma <linma@zju.edu.cn>
bridge: cfm: fix enum typo in br_cc_ccm_tx_parse
Frédéric Danis <frederic.danis@collabora.com>
Bluetooth: L2CAP: Fix possible multiple reject send
Zijun Hu <quic_zijuhu@quicinc.com>
Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066
Benjamin Berg <benjamin.berg@intel.com>
wifi: cfg80211: free beacon_ies when overridden from hidden BSS
Su Hui <suhui@nfschina.com>
wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
Alexander Tsoy <alexander@tsoy.me>
ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision
Mingyi Zhang <zhangmingyi5@huawei.com>
libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
Zenm Chen <zenmchen@gmail.com>
wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
Mao Jinlong <quic_jinlmao@quicinc.com>
arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property
Mao Jinlong <quic_jinlmao@quicinc.com>
arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property
Alex Lyakas <alex.lyakas@zadara.com>
md: Whenassemble the array, consult the superblock of the freshest device
Christoph Hellwig <hch@lst.de>
block: prevent an integer overflow in bvec_try_merge_hw_page
Tobias Waldekranz <tobias@waldekranz.com>
net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path
Fabio Estevam <festevam@denx.de>
ARM: dts: imx23/28: Fix the DMA controller node name
Fabio Estevam <festevam@denx.de>
ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
Fabio Estevam <festevam@denx.de>
ARM: dts: imx27-apf27dev: Fix LED name
Fabio Estevam <festevam@denx.de>
ARM: dts: imx25/27: Pass timing0
Fabio Estevam <festevam@denx.de>
ARM: dts: imx25: Fix the iim compatible string
Kees Cook <keescook@chromium.org>
block/rnbd-srv: Check for unlikely string overflow
Shannon Nelson <shannon.nelson@amd.com>
ionic: pass opcode to devcmd_wait
Fabio Estevam <festevam@denx.de>
ARM: dts: imx1: Fix sram node
Fabio Estevam <festevam@denx.de>
ARM: dts: imx27: Fix sram node
Fabio Estevam <festevam@denx.de>
ARM: dts: imx: Use flash@0,0 pattern
Fabio Estevam <festevam@denx.de>
ARM: dts: imx25/27-eukrea: Fix RTC node name
Johan Jonker <jbx6244@gmail.com>
ARM: dts: rockchip: fix rk3036 hdmi ports node
Hou Tao <houtao1@huawei.com>
bpf: Set uattr->batch.count as zero before batched update or deletion
Hannes Reinecke <hare@suse.de>
scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
Hannes Reinecke <hare@suse.de>
scsi: libfc: Don't schedule abort twice
Hou Tao <houtao1@huawei.com>
bpf: Add map and need_defer parameters to .map_fd_put_ptr()
Minsuk Kang <linuxlovemin@yonsei.ac.kr>
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx7s: Fix nand-controller #size-cells
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx7s: Fix lcdif compatible
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx7d: Fix coresight funnel ports
ching Huang <ching2048@areca.com.tw>
scsi: arcmsr: Support new PCI device IDs 1883 and 1886
Zhengchao Shao <shaozhengchao@huawei.com>
bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
Ido Schimmel <idosch@nvidia.com>
PCI: Add no PM reset quirk for NVIDIA Spectrum devices
Justin Tee <justin.tee@broadcom.com>
scsi: lpfc: Fix possible file string name overflow when updating firmware
Yafang Shao <laoar.shao@gmail.com>
selftests/bpf: Fix issues in setup_classid_environment()
Yonghong Song <yonghong.song@linux.dev>
selftests/bpf: Fix pyperf180 compilation failure with clang18
Andrii Nakryiko <andrii@kernel.org>
selftests/bpf: satisfy compiler by having explicit return in btf test
Shiji Yang <yangshiji66@outlook.com>
wifi: rt2x00: restart beacon queue when hardware reset
Baokun Li <libaokun1@huawei.com>
ext4: avoid online resizing failures due to oversized flex bg
Baokun Li <libaokun1@huawei.com>
ext4: remove unnecessary check from alloc_flex_gd()
Baokun Li <libaokun1@huawei.com>
ext4: unify the type of flexbg_size to unsigned int
Ye Bin <yebin10@huawei.com>
ext4: fix inconsistent between segment fstrim and full fstrim
Gabriel Krisman Bertazi <krisman@suse.de>
ecryptfs: Reject casefold directory inodes
Anna Schumaker <Anna.Schumaker@Netapp.com>
SUNRPC: Fix a suspicious RCU usage warning
Heiko Carstens <hca@linux.ibm.com>
KVM: s390: fix setting of fpc register
Heiko Carstens <hca@linux.ibm.com>
s390/ptrace: handle setting of fpc register correctly
Arnd Bergmann <arnd@arndb.de>
arch: consolidate arch_irq_work_raise prototypes
Edward Adam Davis <eadavis@qq.com>
jfs: fix array-index-out-of-bounds in diNewExt
Oleg Nesterov <oleg@redhat.com>
rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
Oleg Nesterov <oleg@redhat.com>
afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
Oleg Nesterov <oleg@redhat.com>
afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu()
Thomas Bourgoin <thomas.bourgoin@foss.st.com>
crypto: stm32/crc32 - fix parsing list of devices
Bharat Bhushan <bbhushan2@marvell.com>
crypto: octeontx2 - Fix cptvf driver cleanup
Weichen Chen <weichen.chen@mediatek.com>
pstore/ram: Fix crash when setting number of cpus to an odd number
Edward Adam Davis <eadavis@qq.com>
jfs: fix uaf in jfs_evict_inode
Manas Ghandat <ghandatmanas@gmail.com>
jfs: fix array-index-out-of-bounds in dbAdjTree
Manas Ghandat <ghandatmanas@gmail.com>
jfs: fix slab-out-of-bounds Read in dtSearch
Osama Muhammad <osmtendev@gmail.com>
UBSAN: array-index-out-of-bounds in dtSplitRoot
Osama Muhammad <osmtendev@gmail.com>
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
Shuai Xue <xueshuai@linux.alibaba.com>
ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events
Mukesh Ojha <quic_mojha@quicinc.com>
PM / devfreq: Synchronize devfreq_monitor_[start/stop]
Prarit Bhargava <prarit@redhat.com>
ACPI: extlog: fix NULL pointer dereference check
Dmitry Antipov <dmantipov@yandex.ru>
PNP: ACPI: fix fortify warning
Yuluo Qiu <qyl27@outlook.com>
ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
Chris Riches <chris.riches@nutanix.com>
audit: Send netlink ACK before setting connection in auditd_set
Rui Zhang <zr.zhang@vivo.com>
regulator: core: Only increment use_count when enable_count changes
Andrzej Hajda <andrzej.hajda@intel.com>
debugobjects: Stop accessing objects after releasing hash bucket lock
Greg KH <gregkh@linuxfoundation.org>
perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
Zhiquan Li <zhiquan1.li@intel.com>
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel
Naveen N Rao <naveen@kernel.org>
powerpc/lib: Validate size for vector operations
Stephen Rothwell <sfr@canb.auug.org.au>
powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
Jun'ichi Nomura <junichi.nomura@nec.com>
x86/boot: Ignore NMIs during very early boot
Michael Ellerman <mpe@ellerman.id.au>
powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping()
Michael Ellerman <mpe@ellerman.id.au>
powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
Michael Ellerman <mpe@ellerman.id.au>
powerpc: Fix build error due to is_valid_bugaddr()
Mark Rutland <mark.rutland@arm.com>
drivers/perf: pmuv3: don't expose SW_INCR event in sysfs
Huang Shijie <shijie@os.amperecomputing.com>
arm64: irq: set the correct node for VMAP stack
Kunwu Chan <chentao@kylinos.cn>
powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
Richard Palethorpe <rpalethorpe@suse.com>
x86/entry/ia32: Ensure s32 is sign extended to s64
Tim Chen <tim.c.chen@linux.intel.com>
tick/sched: Preserve number of idle sleeps across CPU hotplug events
Xi Ruoyao <xry111@xry111.site>
mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
Kamal Dasu <kamal.dasu@broadcom.com>
spi: bcm-qspi: fix SFDP BFPT read by usig mspi read
Li Lingfeng <lilingfeng3@huawei.com>
block: Move checking GENHD_FL_NO_PART to bdev_add_partition()
Wenhua Lin <Wenhua.Lin@unisoc.com>
gpio: eic-sprd: Clear interrupt after set the interrupt type
Fedor Pchelkin <pchelkin@ispras.ru>
drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume
Arnd Bergmann <arnd@arndb.de>
drm/exynos: fix accidental on-stack copy of exynos_drm_plane
Markus Niebel <Markus.Niebel@ew.tq-group.com>
drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33]
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: intel_pstate: Refine computation of P-state for given frequency
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: intel_pstate: Drop redundant intel_pstate_get_hwp_cap() call
Lin Ma <linma@zju.edu.cn>
ksmbd: fix global oob in ksmbd_nl_policy
Chuck Lever <chuck.lever@oracle.com>
NFSD: Add documenting comment for nfsd4_release_lockowner()
Chuck Lever <chuck.lever@oracle.com>
NFSD: Modernize nfsd4_release_lockowner()
Josef Bacik <josef@toxicpanda.com>
btrfs: add definition for EXTENT_TREE_V2
Christian Marangi <ansuelsmth@gmail.com>
PM / devfreq: Fix buffer overflow in trans_stat_show
Charan Teja Kalla <quic_charante@quicinc.com>
mm/sparsemem: fix race in accessing memory_section->usage
Rolf Eike Beer <eb@emlix.com>
mm: use __pfn_to_section() instead of open coding it
Zheng Wang <zyytlz.wz@163.com>
media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run
Johan Hovold <johan+linaro@kernel.org>
ARM: dts: qcom: sdx55: fix USB SS wakeup
Johan Hovold <johan+linaro@kernel.org>
ARM: dts: qcom: sdx55: fix USB DP/DM HS PHY interrupts
Johan Hovold <johan+linaro@kernel.org>
ARM: dts: qcom: sdx55: fix pdc '#interrupt-cells'
Paul Cercueil <paul@crapouillou.net>
ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12
Johan Hovold <johan+linaro@kernel.org>
ARM: dts: qcom: sdx55: fix USB wakeup interrupt types
Lukas Schauer <lukas@schauer.dev>
pipe: wakeup wr_wait after setting max_usage
Max Kellermann <max.kellermann@ionos.com>
fs/pipe: move check to pipe_has_watch_queue()
Krishna chaitanya chundru <quic_krichai@quicinc.com>
bus: mhi: host: Add alignment check for event ring read pointer
Manivannan Sadhasivam <mani@kernel.org>
bus: mhi: host: Rename "struct mhi_tre" to "struct mhi_ring_element"
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: sleep: Fix possible deadlocks in core system-wide PM code
Li zeming <zeming@nfschina.com>
PM: core: Remove unnecessary (void *) conversions
Dan Carpenter <dan.carpenter@linaro.org>
drm/bridge: nxp-ptn3460: simplify some error checking
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
drm/tidss: Fix atomic_flush check
Dan Carpenter <dan.carpenter@linaro.org>
drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm: Don't unref the same fb many times by mistake due to deadlock handling
Mario Limonciello <mario.limonciello@amd.com>
gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04
Dave Chinner <dchinner@redhat.com>
xfs: read only mounts with fsopen mount API are busted
Cristian Marussi <cristian.marussi@arm.com>
firmware: arm_scmi: Check mailbox/SMT channel for consistency
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
Michael Kelley <mhklinux@outlook.com>
hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes
Emmanuel Grumbach <emmanuel.grumbach@intel.com>
wifi: iwlwifi: fix a memory corruption
Bernd Edlinger <bernd.edlinger@hotmail.de>
exec: Fix error handling in begin_new_exec()
Ilya Dryomov <idryomov@gmail.com>
rbd: don't move requests to the running list on errors
Omar Sandoval <osandov@fb.com>
btrfs: don't abort filesystem when attempting to snapshot deleted subvolume
Qu Wenruo <wqu@suse.com>
btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args
David Sterba <dsterba@suse.com>
btrfs: don't warn if discard range is not aligned to sector
Chung-Chiang Cheng <cccheng@synology.com>
btrfs: tree-checker: fix inline ref size in error messages
Fedor Pchelkin <pchelkin@ispras.ru>
btrfs: ref-verify: free ref cache before clearing mount opt
Omar Sandoval <osandov@fb.com>
btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted
Filipe Manana <fdmanana@suse.com>
btrfs: fix race between reading a directory and adding entries to it
Filipe Manana <fdmanana@suse.com>
btrfs: refresh dir last index during a rewinddir(3) call
Filipe Manana <fdmanana@suse.com>
btrfs: set last dir index to the current last index when opening dir
Filipe Manana <fdmanana@suse.com>
btrfs: fix infinite directory reads
Shenwei Wang <shenwei.wang@nxp.com>
net: fec: fix the unhandled context fault from smmu
Zhipeng Lu <alexious@zju.edu.cn>
fjes: fix memleaks in fjes_hw_setup
Jakub Kicinski <kuba@kernel.org>
selftests: netdevsim: fix the udp_tunnel_nic test
Jenishkumar Maheshbhai Patel <jpatel2@marvell.com>
net: mvpp2: clear BM pool before initialization
Bernd Edlinger <bernd.edlinger@hotmail.de>
net: stmmac: Wait a bit for the reset to take effect
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: validate NFPROTO_* family
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
Florian Westphal <fw@strlen.de>
netfilter: nft_limit: reject configurations that cause integer overflow
Kees Cook <keescook@chromium.org>
overflow: Allow mixed type arguments
Dinghao Liu <dinghao.liu@zju.edu.cn>
net/mlx5e: fix a potential double-free in fs_any_create_groups
Zhipeng Lu <alexious@zju.edu.cn>
net/mlx5e: fix a double-free in arfs_create_groups
Yevgeny Kliteynik <kliteyn@nvidia.com>
net/mlx5: DR, Can't go to uplink vport on RX rule
Shun Hao <shunh@nvidia.com>
net/mlx5: DR, Align mlx5dv_dr API vport action with FW behavior
Yevgeny Kliteynik <kliteyn@nvidia.com>
net/mlx5: DR, Replace local WIRE_PORT macro with the existing MLX5_VPORT_UPLINK
Yevgeny Kliteynik <kliteyn@nvidia.com>
net/mlx5: DR, Use the right GVMI number for drop action
Zhengchao Shao <shaozhengchao@huawei.com>
ipv6: init the accept_queue's spinlocks in inet6_create
Zhengchao Shao <shaozhengchao@huawei.com>
netlink: fix potential sleeping issue in mqueue_flush_file
Salvatore Dipietro <dipiets@amazon.com>
tcp: Add memory barrier to tcp_push()
David Howells <dhowells@redhat.com>
afs: Hide silly-rename files from userspace
Petr Pavlu <petr.pavlu@suse.com>
tracing: Ensure visibility when inserting an element into tracing_map
Sharath Srinivasan <sharath.srinivasan@oracle.com>
net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
Kuniyuki Iwashima <kuniyu@amazon.com>
llc: Drop support for ETH_P_TR_802_2.
Eric Dumazet <edumazet@google.com>
llc: make llc_ui_sendmsg() more robust against bonding changes
Lin Ma <linma@zju.edu.cn>
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
Michael Chan <michael.chan@broadcom.com>
bnxt_en: Wait for FLR to complete during probe
Zhengchao Shao <shaozhengchao@huawei.com>
tcp: make sure init the accept_queue's spinlocks once
Wen Gu <guwen@linux.alibaba.com>
net/smc: fix illegal rmb_desc access in SMC-D connection dump
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: Add missing set_freezable() for freezable kthread
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: send lease break notification on FILE_RENAME_INFORMATION
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: don't increment epoch if current state and request state are same
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix potential circular locking issue in smb2_set_ea()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: set v2 lease version on lease upgrade
Al Viro <viro@zeniv.linux.org.uk>
rename(): fix the locking of subdirectories
Zhihao Cheng <chengzhihao1@huawei.com>
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
Dave Airlie <airlied@redhat.com>
nouveau/vmm: don't set addr on the fail path to avoid warning
Mario Limonciello <mario.limonciello@amd.com>
rtc: Adjust failure return code for cmos_set_alarm()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
mmc: mmc_spi: remove custom DMA mapped buffers
Avri Altman <avri.altman@wdc.com>
mmc: core: Use mrq.sbc in close-ended ffu
Vegard Nossum <vegard.nossum@oracle.com>
scripts/get_abi: fix source path leak
Alfred Piccioni <alpic@google.com>
lsm: new security_file_ioctl_compat() hook
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: sm8150: fix USB wakeup interrupt types
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: sdm845: fix USB wakeup interrupt types
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: sc7180: fix USB wakeup interrupt types
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
async: Introduce async_schedule_dev_nocall()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
async: Split async_schedule_node_domain()
Helge Deller <deller@gmx.de>
parisc/firmware: Fix F-extend for PDC addresses
Bhaumik Bhatt <bbhatt@codeaurora.org>
bus: mhi: host: Add spinlock to protect WP access when queueing TREs
Qiang Yu <quic_qianyu@quicinc.com>
bus: mhi: host: Drop chan lock before queuing buffers
Serge Semin <fancer.lancer@gmail.com>
mips: Fix max_mapnr being uninitialized on early stages
Bingbu Cao <bingbu.cao@intel.com>
media: ov9734: Enable runtime PM before registering async sub-device
Xiaolei Wang <xiaolei.wang@windriver.com>
rpmsg: virtio: Free driver_override when rpmsg_remove()
Bingbu Cao <bingbu.cao@intel.com>
media: imx355: Enable runtime PM before registering async sub-device
Herbert Xu <herbert@gondor.apana.org.au>
crypto: s390/aes - Fix buffer overread in CTR mode
Herbert Xu <herbert@gondor.apana.org.au>
hwrng: core - Fix page fault dead lock on mmap-ed hwrng
Hongchen Zhang <zhanghongchen@loongson.cn>
PM: hibernate: Enforce ordering during image compression/decompression
Herbert Xu <herbert@gondor.apana.org.au>
crypto: api - Disallow identical driver names
David Disseldorp <ddiss@suse.de>
btrfs: sysfs: validate scrub_speed_max value
Suraj Jitindar Singh <surajjs@amazon.com>
ext4: allow for the last group to be marked as trimmed
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio:adc:ad7091r: Move exports into IIO_AD7091R namespace.
Bart Van Assche <bvanassche@acm.org>
scsi: ufs: core: Remove the ufshcd_hba_exit() call from ufshcd_async_scan()
Bart Van Assche <bvanassche@acm.org>
scsi: ufs: core: Simplify power management during async scan
Amelie Delaunay <amelie.delaunay@foss.st.com>
dmaengine: fix NULL pointer in channel unregistration function
Marcelo Schmitt <marcelo.schmitt@analog.com>
iio: adc: ad7091r: Enable internal vref if external vref is not supplied
Marcelo Schmitt <marcelo.schmitt@analog.com>
iio: adc: ad7091r: Allow users to configure device events
Marcelo Schmitt <marcelo.schmitt@analog.com>
iio: adc: ad7091r: Set alert bit in config register
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: only v2 leases handle the directory
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix UAF issue in ksmbd_tcp_new_connection()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: validate mech token in session setup
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: don't allow O_TRUNC open on read-only share
Fedor Pchelkin <pchelkin@ispras.ru>
ksmbd: free ppace array on error in parse_dacl
-------------
Diffstat:
Documentation/ABI/testing/sysfs-class-devfreq | 3 +
Documentation/ABI/testing/sysfs-class-net-queues | 22 +--
.../ABI/testing/sysfs-class-net-statistics | 48 ++---
Documentation/arm64/silicon-errata.rst | 7 +
.../bindings/net/wireless/marvell-8xxx.txt | 4 +-
Documentation/filesystems/directory-locking.rst | 29 +--
Documentation/filesystems/locking.rst | 5 +-
Documentation/filesystems/porting.rst | 18 ++
Documentation/sound/soc/dapm.rst | 2 +-
Makefile | 4 +-
arch/Kconfig | 1 +
arch/arm/boot/dts/exynos4210-i9100.dts | 8 +
arch/arm/boot/dts/imx1-ads.dts | 2 +-
arch/arm/boot/dts/imx1-apf9328.dts | 2 +-
arch/arm/boot/dts/imx1.dtsi | 5 +-
arch/arm/boot/dts/imx23-sansa.dts | 12 +-
arch/arm/boot/dts/imx23.dtsi | 2 +-
arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi | 2 +-
.../imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts | 2 +-
.../imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts | 2 +-
.../imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts | 2 +-
arch/arm/boot/dts/imx25-pdk.dts | 2 +-
arch/arm/boot/dts/imx25.dtsi | 2 +-
arch/arm/boot/dts/imx27-apf27dev.dts | 4 +-
arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi | 4 +-
.../boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts | 2 +-
arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts | 2 +-
arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts | 2 +-
arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi | 2 +-
arch/arm/boot/dts/imx27.dtsi | 3 +
arch/arm/boot/dts/imx28.dtsi | 2 +-
arch/arm/boot/dts/imx7d.dtsi | 3 -
arch/arm/boot/dts/imx7s.dtsi | 10 +-
arch/arm/boot/dts/qcom-sdx55.dtsi | 10 +-
arch/arm/boot/dts/rk3036.dtsi | 14 +-
arch/arm64/boot/dts/qcom/msm8996.dtsi | 21 +++
arch/arm64/boot/dts/qcom/msm8998.dtsi | 32 ++--
arch/arm64/boot/dts/qcom/sc7180.dtsi | 4 +-
arch/arm64/boot/dts/qcom/sdm845.dtsi | 16 +-
arch/arm64/boot/dts/qcom/sm8150.dtsi | 8 +-
arch/arm64/include/asm/cputype.h | 4 +
arch/arm64/include/asm/irq_work.h | 2 -
arch/arm64/kernel/cpu_errata.c | 3 +
arch/arm64/kernel/irq.c | 7 +-
arch/arm64/kernel/perf_event.c | 6 +-
arch/csky/include/asm/irq_work.h | 2 +-
arch/mips/include/asm/checksum.h | 3 +-
arch/mips/kernel/elf.c | 6 +
arch/mips/mm/init.c | 12 +-
arch/parisc/kernel/firmware.c | 4 +-
arch/powerpc/include/asm/irq_work.h | 1 -
arch/powerpc/include/asm/mmu.h | 4 +
arch/powerpc/include/asm/mmzone.h | 8 -
arch/powerpc/kernel/interrupt_64.S | 4 +-
arch/powerpc/kernel/traps.c | 2 +
arch/powerpc/lib/sstep.c | 10 +
arch/powerpc/mm/book3s64/pgtable.c | 2 +
arch/powerpc/mm/init-common.c | 5 +-
arch/powerpc/mm/kasan/kasan_init_32.c | 1 +
arch/powerpc/mm/mmu_decl.h | 5 +
arch/riscv/include/asm/irq_work.h | 2 +-
arch/s390/crypto/aes_s390.c | 4 +-
arch/s390/crypto/paes_s390.c | 4 +-
arch/s390/include/asm/irq_work.h | 2 -
arch/s390/kernel/ptrace.c | 6 +-
arch/s390/kvm/kvm-s390.c | 5 -
arch/um/drivers/net_kern.c | 2 +-
arch/um/include/shared/kern_util.h | 2 +-
arch/um/kernel/process.c | 2 +-
arch/um/kernel/time.c | 32 +++-
arch/um/os-Linux/helper.c | 6 +-
arch/um/os-Linux/util.c | 19 +-
arch/x86/Kconfig.cpu | 2 +-
arch/x86/boot/compressed/ident_map_64.c | 5 +
arch/x86/boot/compressed/idt_64.c | 1 +
arch/x86/boot/compressed/idt_handlers_64.S | 1 +
arch/x86/boot/compressed/misc.h | 1 +
arch/x86/include/asm/irq_work.h | 1 -
arch/x86/include/asm/syscall_wrapper.h | 25 ++-
arch/x86/kernel/cpu/mce/core.c | 16 ++
arch/x86/mm/ident_map.c | 23 ++-
block/bio.c | 2 +-
block/blk-iocost.c | 7 +
block/blk-mq.c | 16 ++
block/ioctl.c | 2 -
block/partitions/core.c | 5 +
crypto/algapi.c | 1 +
drivers/acpi/acpi_extlog.c | 5 +-
drivers/acpi/acpi_video.c | 9 +
drivers/acpi/apei/ghes.c | 29 ++-
drivers/android/binder.c | 10 +
drivers/atm/idt77252.c | 2 +
drivers/base/arch_numa.c | 2 +-
drivers/base/power/domain.c | 2 +-
drivers/base/power/main.c | 160 ++++++++--------
drivers/base/power/runtime.c | 5 +
drivers/block/rbd.c | 22 ++-
drivers/block/rnbd/rnbd-srv.c | 19 +-
drivers/bluetooth/hci_qca.c | 1 +
drivers/bus/mhi/host/init.c | 6 +-
drivers/bus/mhi/host/internal.h | 2 +-
drivers/bus/mhi/host/main.c | 49 +++--
drivers/bus/moxtet.c | 7 +
drivers/char/hw_random/core.c | 36 ++--
drivers/clk/hisilicon/clk-hi3620.c | 4 +-
drivers/clk/imx/clk-imx8qxp.c | 24 ++-
drivers/clk/imx/clk-scu.c | 4 +-
drivers/clk/mmp/clk-of-pxa168.c | 3 +
drivers/cpufreq/intel_pstate.c | 67 ++++---
drivers/crypto/ccp/sev-dev.c | 10 +-
drivers/crypto/marvell/octeontx2/otx2_cptlf.c | 6 +-
drivers/crypto/marvell/octeontx2/otx2_cptvf_main.c | 3 +
drivers/crypto/stm32/stm32-crc32.c | 2 +-
drivers/devfreq/devfreq.c | 83 ++++++---
drivers/dma-buf/dma-fence-unwrap.c | 176 ++++++++++++++++++
drivers/dma-buf/sync_file.c | 9 +-
drivers/dma/dmaengine.c | 3 +
drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 +-
drivers/dma/fsl-qdma.c | 27 +--
drivers/dma/ti/k3-udma.c | 10 +-
drivers/firewire/core-device.c | 7 +-
drivers/firmware/arm_scmi/common.h | 1 +
drivers/firmware/arm_scmi/mailbox.c | 14 ++
drivers/firmware/arm_scmi/shmem.c | 6 +
drivers/gpio/gpio-eic-sprd.c | 32 +++-
drivers/gpio/gpiolib-acpi.c | 14 ++
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 9 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 13 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.h | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 +-
drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 36 ++--
drivers/gpu/drm/amd/display/dc/core/dc.c | 4 +
drivers/gpu/drm/amd/display/dc/dc_hw_types.h | 2 +-
.../gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 6 +-
.../drm/amd/display/dc/dcn301/dcn301_resource.c | 6 +-
.../drm/amd/display/dc/dcn302/dcn302_resource.c | 6 +-
.../gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 6 +-
.../amd/pm/powerplay/hwmgr/process_pptables_v1_0.c | 2 +-
drivers/gpu/drm/bridge/nxp-ptn3460.c | 6 +-
drivers/gpu/drm/drm_fb_helper.c | 11 +-
drivers/gpu/drm/drm_file.c | 2 +-
drivers/gpu/drm/drm_framebuffer.c | 2 +-
drivers/gpu/drm/drm_mipi_dsi.c | 17 +-
drivers/gpu/drm/drm_plane.c | 1 +
drivers/gpu/drm/drm_prime.c | 2 +-
drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 4 +-
drivers/gpu/drm/exynos/exynos_drm_drv.c | 11 ++
drivers/gpu/drm/exynos/exynos_drm_fimd.c | 4 +-
drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 5 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 1 +
drivers/gpu/drm/msm/dp/dp_link.c | 12 +-
drivers/gpu/drm/msm/dp/dp_reg.h | 3 +
drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +
drivers/gpu/drm/nouveau/nouveau_vmm.c | 3 +
drivers/gpu/drm/panel/panel-simple.c | 2 +
drivers/gpu/drm/scheduler/sched_main.c | 3 +-
drivers/gpu/drm/tidss/tidss_crtc.c | 10 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 8 +-
drivers/hid/hid-apple.c | 33 +++-
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-picolcd_fb.c | 2 +-
drivers/hid/hid-quirks.c | 1 +
drivers/hid/i2c-hid/i2c-hid-of.c | 1 +
drivers/hid/wacom_sys.c | 63 +++++--
drivers/hid/wacom_wac.c | 9 +-
drivers/hwmon/aspeed-pwm-tacho.c | 7 +
drivers/hwmon/coretemp.c | 40 ++--
drivers/i2c/busses/i2c-i801.c | 19 +-
drivers/i3c/master/i3c-master-cdns.c | 7 +-
drivers/iio/accel/Kconfig | 2 +
drivers/iio/adc/ad7091r-base.c | 173 ++++++++++++++++-
drivers/iio/adc/ad7091r-base.h | 8 +
drivers/iio/adc/ad7091r5.c | 29 +--
drivers/iio/industrialio-core.c | 5 +-
drivers/iio/light/hid-sensor-als.c | 1 +
drivers/iio/magnetometer/rm3100-core.c | 10 +-
drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 7 +-
drivers/input/keyboard/atkbd.c | 13 +-
drivers/input/serio/i8042-acpipnpio.h | 6 +
drivers/irqchip/irq-brcmstb-l2.c | 5 +-
drivers/irqchip/irq-gic-v3-its.c | 22 ++-
drivers/leds/trigger/ledtrig-panic.c | 5 +-
drivers/mailbox/arm_mhuv2.c | 3 +-
drivers/md/dm-core.h | 2 +
drivers/md/dm-ioctl.c | 3 +-
drivers/md/dm-table.c | 9 +-
drivers/md/md.c | 54 +++++-
drivers/media/i2c/imx335.c | 4 +-
drivers/media/i2c/imx355.c | 12 +-
drivers/media/i2c/ov9734.c | 19 +-
drivers/media/pci/ddbridge/ddbridge-main.c | 2 +-
drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 6 +-
drivers/media/platform/rockchip/rga/rga.c | 15 +-
drivers/media/rc/bpf-lirc.c | 6 +-
drivers/media/rc/ir_toy.c | 2 +
drivers/media/rc/lirc_dev.c | 5 +-
drivers/media/rc/rc-core-priv.h | 2 +-
drivers/media/usb/stk1160/stk1160-video.c | 5 +-
drivers/mfd/Kconfig | 1 +
drivers/misc/fastrpc.c | 2 +-
drivers/misc/lis3lv02d/lis3lv02d_i2c.c | 1 +
drivers/misc/lkdtm/bugs.c | 2 +-
drivers/mmc/core/block.c | 46 ++++-
drivers/mmc/core/slot-gpio.c | 6 +-
drivers/mmc/host/mmc_spi.c | 186 +------------------
drivers/net/bonding/bond_alb.c | 3 +-
drivers/net/dsa/mv88e6xxx/chip.h | 4 +-
drivers/net/dsa/mv88e6xxx/serdes.c | 8 +-
drivers/net/dsa/mv88e6xxx/serdes.h | 8 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 22 +--
drivers/net/ethernet/broadcom/genet/bcmgenet.h | 3 +
drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 +
drivers/net/ethernet/freescale/fec_main.c | 2 +
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 5 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 32 ++++
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 1 +
drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c | 36 ++--
drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c | 61 +++---
drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 177 +++++++++---------
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 44 ++---
drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.c | 34 ++--
drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 1 -
drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c | 105 +++++------
drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 51 +-----
drivers/net/ethernet/intel/ixgbe/ixgbe_x540.c | 44 ++---
drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 149 +++++++--------
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 27 ++-
.../net/ethernet/marvell/octeontx2/af/rvu_npc.c | 13 +-
.../ethernet/marvell/octeontx2/nic/otx2_common.c | 14 +-
.../mellanox/mlx5/core/en/fs_tt_redirect.c | 1 +
drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c | 26 +--
.../mellanox/mlx5/core/steering/dr_action.c | 19 +-
.../mellanox/mlx5/core/steering/dr_domain.c | 2 +-
.../ethernet/mellanox/mlx5/core/steering/dr_rule.c | 4 +-
.../mellanox/mlx5/core/steering/dr_types.h | 7 +-
.../ethernet/netronome/nfp/flower/tunnel_conf.c | 2 +-
.../ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c | 6 +-
drivers/net/ethernet/pensando/ionic/ionic_dev.c | 1 +
drivers/net/ethernet/pensando/ionic/ionic_dev.h | 1 +
drivers/net/ethernet/pensando/ionic/ionic_main.c | 2 +-
drivers/net/ethernet/stmicro/stmmac/common.h | 1 +
drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 +
.../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 58 +++++-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +
drivers/net/ethernet/ti/cpsw.c | 2 +
drivers/net/ethernet/ti/cpsw_new.c | 3 +
drivers/net/fjes/fjes_hw.c | 37 +++-
drivers/net/hyperv/netvsc.c | 5 +-
drivers/net/hyperv/netvsc_drv.c | 4 +-
drivers/net/ppp/ppp_async.c | 4 +
drivers/net/virtio_net.c | 9 +-
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +-
drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 12 +-
drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +-
drivers/net/wireless/marvell/mwifiex/Kconfig | 5 +-
drivers/net/wireless/marvell/mwifiex/sdio.c | 67 ++++++-
drivers/net/wireless/marvell/mwifiex/sdio.h | 8 +
drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 3 +
drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 11 ++
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 12 ++
.../net/wireless/realtek/rtlwifi/rtl8723ae/phy.c | 6 +-
.../net/wireless/realtek/rtlwifi/rtl8723be/phy.c | 4 +-
drivers/net/xen-netback/netback.c | 100 +++++-----
drivers/of/property.c | 2 +-
drivers/of/unittest.c | 12 +-
drivers/pci/pci.h | 2 +-
drivers/pci/pcie/aer.c | 9 +-
drivers/pci/quirks.c | 24 ++-
drivers/pci/switch/switchtec.c | 25 ++-
drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 -
drivers/phy/ti/phy-omap-usb2.c | 4 +-
drivers/pnp/pnpacpi/rsparser.c | 12 +-
drivers/regulator/core.c | 52 +++---
drivers/rpmsg/virtio_rpmsg_bus.c | 1 +
drivers/rtc/rtc-cmos.c | 4 +-
drivers/s390/net/qeth_l3_main.c | 9 +-
drivers/scsi/arcmsr/arcmsr.h | 4 +
drivers/scsi/arcmsr/arcmsr_hba.c | 6 +
drivers/scsi/fcoe/fcoe_ctlr.c | 20 +-
drivers/scsi/isci/request.c | 2 +-
drivers/scsi/libfc/fc_fcp.c | 18 +-
drivers/scsi/lpfc/lpfc.h | 1 +
drivers/scsi/lpfc/lpfc_init.c | 4 +-
drivers/scsi/scsi_error.c | 9 +-
drivers/scsi/scsi_lib.c | 4 +-
drivers/scsi/scsi_priv.h | 2 +-
drivers/scsi/storvsc_drv.c | 12 +-
drivers/scsi/ufs/ufshcd.c | 14 +-
drivers/spi/spi-bcm-qspi.c | 4 +-
drivers/spi/spi-ppc4xx.c | 5 -
drivers/staging/fbtft/fbtft-core.c | 14 +-
drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +-
drivers/tty/serial/8250/8250_exar.c | 13 ++
drivers/tty/serial/max310x.c | 33 +++-
drivers/tty/tty_ioctl.c | 4 +-
drivers/usb/core/hub.c | 34 ++--
drivers/usb/dwc3/core.h | 1 +
drivers/usb/dwc3/ep0.c | 27 ++-
drivers/usb/dwc3/gadget.c | 162 +++++++++++++---
drivers/usb/dwc3/gadget.h | 3 +
drivers/usb/dwc3/host.c | 4 +-
drivers/usb/gadget/function/f_mass_storage.c | 20 +-
drivers/usb/host/xhci-plat.c | 3 +
drivers/usb/serial/cp210x.c | 1 +
drivers/usb/serial/option.c | 1 +
drivers/usb/serial/qcserial.c | 2 +
drivers/usb/typec/ucsi/ucsi_acpi.c | 17 +-
drivers/vhost/vhost.c | 5 +-
drivers/video/fbdev/broadsheetfb.c | 14 +-
drivers/video/fbdev/core/fb_defio.c | 168 +++++++++++++----
drivers/video/fbdev/core/fbmem.c | 4 +
drivers/video/fbdev/hecubafb.c | 3 +-
drivers/video/fbdev/hyperv_fb.c | 8 +-
drivers/video/fbdev/metronomefb.c | 14 +-
drivers/video/fbdev/sh_mobile_lcdcfb.c | 20 +-
drivers/video/fbdev/smscufx.c | 9 +-
drivers/video/fbdev/ssd1307fb.c | 3 +-
drivers/video/fbdev/udlfb.c | 10 +-
drivers/video/fbdev/xen-fbfront.c | 8 +-
drivers/watchdog/it87_wdt.c | 14 +-
drivers/xen/gntdev-dmabuf.c | 54 +++---
fs/afs/callback.c | 3 +-
fs/afs/dir.c | 8 +
fs/afs/server.c | 7 +-
fs/btrfs/ctree.h | 22 +++
fs/btrfs/delayed-inode.c | 5 +-
fs/btrfs/delayed-inode.h | 1 +
fs/btrfs/disk-io.c | 13 +-
fs/btrfs/extent-tree.c | 3 +-
fs/btrfs/inode.c | 172 ++++++++++-------
fs/btrfs/ioctl.c | 12 ++
fs/btrfs/qgroup.c | 14 ++
fs/btrfs/ref-verify.c | 6 +-
fs/btrfs/send.c | 2 +-
fs/btrfs/sysfs.c | 9 +-
fs/btrfs/tree-checker.c | 2 +-
fs/ceph/caps.c | 12 +-
fs/cifs/smb2misc.c | 2 +-
fs/cifs/smb2ops.c | 14 +-
fs/cifs/smb2pdu.c | 13 +-
fs/cifs/smb2pdu.h | 42 +++--
fs/dcache.c | 7 +-
fs/ecryptfs/inode.c | 8 +
fs/exec.c | 3 +
fs/ext4/mballoc.c | 26 ++-
fs/ext4/move_extent.c | 6 +-
fs/ext4/resize.c | 37 ++--
fs/f2fs/compress.c | 4 +-
fs/f2fs/file.c | 2 +
fs/f2fs/recovery.c | 25 ++-
fs/hugetlbfs/inode.c | 13 +-
fs/ioctl.c | 3 +-
fs/jfs/jfs_dmap.c | 57 +++---
fs/jfs/jfs_dtree.c | 7 +-
fs/jfs/jfs_imap.c | 3 +
fs/jfs/jfs_mount.c | 6 +-
fs/kernfs/dir.c | 12 ++
fs/ksmbd/asn1.c | 5 +
fs/ksmbd/connection.c | 7 +-
fs/ksmbd/connection.h | 2 +-
fs/ksmbd/ksmbd_netlink.h | 3 +-
fs/ksmbd/oplock.c | 22 ++-
fs/ksmbd/smb2pdu.c | 53 +++---
fs/ksmbd/smbacl.c | 11 +-
fs/ksmbd/transport_ipc.c | 4 +-
fs/ksmbd/transport_rdma.c | 11 +-
fs/ksmbd/transport_tcp.c | 13 +-
fs/namei.c | 60 +++---
fs/nfsd/nfs4state.c | 61 +++---
fs/nilfs2/dat.c | 27 ++-
fs/nilfs2/file.c | 8 +-
fs/nilfs2/recovery.c | 7 +-
fs/nilfs2/segment.c | 8 +-
fs/ntfs3/fsntfs.c | 16 +-
fs/ntfs3/index.c | 3 +-
fs/ntfs3/ntfs_fs.h | 2 +-
fs/pipe.c | 19 +-
fs/pstore/ram.c | 1 +
fs/ubifs/dir.c | 2 +
fs/xfs/xfs_super.c | 27 ++-
include/asm-generic/numa.h | 2 +
include/drm/drm_color_mgmt.h | 1 +
include/drm/drm_fb_helper.h | 3 +-
include/drm/drm_mipi_dsi.h | 2 +
include/linux/async.h | 2 +
include/linux/bpf.h | 6 +-
include/linux/dma-fence.h | 19 ++
include/linux/dmaengine.h | 3 +-
include/linux/fb.h | 18 +-
include/linux/hrtimer.h | 4 +-
include/linux/irq_work.h | 3 +
include/linux/lsm_hook_defs.h | 2 +
include/linux/mmc/sdio_ids.h | 1 +
include/linux/mmzone.h | 18 +-
include/linux/netfilter/ipset/ip_set.h | 4 +
include/linux/overflow.h | 72 ++++----
include/linux/pci_ids.h | 1 +
include/linux/pipe_fs_i.h | 16 ++
include/linux/pm_runtime.h | 4 +
include/linux/security.h | 9 +
include/linux/syscalls.h | 1 +
include/net/af_unix.h | 20 +-
include/net/inet_connection_sock.h | 8 +
include/net/llc_pdu.h | 6 +-
include/net/netfilter/nf_tables.h | 2 +
include/uapi/linux/btrfs.h | 4 +
include/uapi/linux/netfilter/nf_tables.h | 2 +
kernel/async.c | 85 ++++++---
kernel/audit.c | 31 +++-
kernel/bpf/arraymap.c | 12 +-
kernel/bpf/hashtab.c | 6 +-
kernel/bpf/map_in_map.c | 2 +-
kernel/bpf/map_in_map.h | 2 +-
kernel/bpf/syscall.c | 6 +
kernel/events/core.c | 38 ++--
kernel/power/swap.c | 38 ++--
kernel/sched/membarrier.c | 9 +
kernel/time/clocksource.c | 25 ++-
kernel/time/hrtimer.c | 17 +-
kernel/time/tick-sched.c | 5 +
kernel/trace/ring_buffer.c | 2 +-
kernel/trace/trace.c | 78 ++++----
kernel/trace/trace_events_trigger.c | 6 +-
kernel/trace/tracing_map.c | 7 +-
lib/debugobjects.c | 204 ++++++++-------------
lib/mpi/ec.c | 3 +
mm/page-writeback.c | 2 +-
mm/sparse.c | 17 +-
net/8021q/vlan_netlink.c | 4 +
net/bluetooth/l2cap_core.c | 3 +-
net/bridge/br_cfm_netlink.c | 2 +-
net/bridge/br_multicast.c | 20 +-
net/bridge/br_private.h | 4 +-
net/can/j1939/j1939-priv.h | 3 +-
net/can/j1939/main.c | 2 +-
net/can/j1939/socket.c | 46 +++--
net/core/request_sock.c | 3 -
net/core/skbuff.c | 3 +-
net/hsr/hsr_device.c | 4 +-
net/ipv4/af_inet.c | 9 +-
net/ipv4/inet_connection_sock.c | 4 +
net/ipv4/ip_output.c | 12 +-
net/ipv4/ip_tunnel_core.c | 2 +-
net/ipv4/tcp.c | 13 +-
net/ipv6/addrconf_core.c | 21 ++-
net/ipv6/af_inet6.c | 3 +
net/ipv6/ip6_tunnel.c | 28 ++-
net/llc/af_llc.c | 26 ++-
net/llc/llc_core.c | 7 -
net/mac80211/tx.c | 3 +-
net/mptcp/protocol.c | 3 -
net/netfilter/ipset/ip_set_bitmap_gen.h | 14 +-
net/netfilter/ipset/ip_set_core.c | 39 +++-
net/netfilter/ipset/ip_set_hash_gen.h | 19 +-
net/netfilter/ipset/ip_set_list_set.c | 13 +-
net/netfilter/nf_log.c | 7 +-
net/netfilter/nf_tables_api.c | 34 ++--
net/netfilter/nft_chain_filter.c | 11 +-
net/netfilter/nft_compat.c | 23 ++-
net/netfilter/nft_ct.c | 27 +++
net/netfilter/nft_flow_offload.c | 5 +
net/netfilter/nft_limit.c | 23 ++-
net/netfilter/nft_nat.c | 5 +
net/netfilter/nft_rt.c | 5 +
net/netfilter/nft_set_pipapo.c | 108 +++++------
net/netfilter/nft_set_pipapo.h | 18 +-
net/netfilter/nft_set_pipapo_avx2.c | 17 +-
net/netfilter/nft_set_rbtree.c | 6 +-
net/netfilter/nft_socket.c | 5 +
net/netfilter/nft_synproxy.c | 7 +-
net/netfilter/nft_tproxy.c | 5 +
net/netfilter/nft_tunnel.c | 1 +
net/netfilter/nft_xfrm.c | 5 +
net/netlink/af_netlink.c | 2 +-
net/nfc/nci/core.c | 4 +
net/openvswitch/flow_netlink.c | 49 +++--
net/rds/af_rds.c | 2 +-
net/rxrpc/conn_event.c | 8 +
net/rxrpc/conn_service.c | 3 +-
net/smc/smc_diag.c | 2 +-
net/sunrpc/xprtmultipath.c | 17 +-
net/tipc/bearer.c | 6 +
net/unix/af_unix.c | 14 +-
net/unix/diag.c | 2 +-
net/unix/garbage.c | 12 ++
net/wireless/scan.c | 4 +
scripts/decode_stacktrace.sh | 60 +++++-
scripts/get_abi.pl | 2 +-
scripts/link-vmlinux.sh | 9 +-
scripts/mod/sumversion.c | 7 +-
security/security.c | 32 +++-
security/selinux/hooks.c | 28 +++
security/smack/smack_lsm.c | 1 +
security/tomoyo/tomoyo.c | 1 +
sound/hda/hdac_stream.c | 9 +-
sound/hda/intel-dsp-config.c | 10 +
sound/pci/hda/hda_intel.c | 2 +
sound/pci/hda/patch_conexant.c | 133 +++++++++++++-
sound/pci/hda/patch_cs8409.c | 1 +
sound/pci/hda/patch_realtek.c | 3 +
sound/soc/codecs/lpass-wsa-macro.c | 7 -
sound/soc/codecs/rt5645.c | 1 +
sound/soc/codecs/wcd938x.c | 2 +-
sound/usb/quirks.c | 4 +
tools/build/feature/test-libopencsd.c | 4 +-
tools/lib/bpf/libbpf.c | 2 +
tools/lib/subcmd/help.c | 18 +-
tools/testing/selftests/bpf/cgroup_helpers.c | 18 +-
tools/testing/selftests/bpf/prog_tests/btf.c | 1 +
tools/testing/selftests/bpf/prog_tests/tailcalls.c | 55 ------
tools/testing/selftests/bpf/progs/pyperf180.c | 22 +++
.../selftests/bpf/progs/tailcall_bpf2bpf6.c | 42 -----
.../drivers/net/netdevsim/udp_tunnel_nic.sh | 9 +
tools/testing/selftests/net/pmtu.sh | 34 ++--
tools/testing/selftests/net/setup_veth.sh | 2 +-
tools/testing/selftests/net/udpgro_fwd.sh | 14 +-
tools/testing/selftests/net/udpgso_bench_rx.c | 2 +-
tools/testing/selftests/sgx/test_encl.lds | 6 +-
527 files changed, 5153 insertions(+), 2726 deletions(-)
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 001/476] ksmbd: free ppace array on error in parse_dacl
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
@ 2024-02-21 13:00 ` Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 002/476] ksmbd: dont allow O_TRUNC open on read-only share Greg Kroah-Hartman
` (484 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit 8cf9bedfc3c47d24bb0de386f808f925dc52863e ]
The ppace array is not freed if one of the init_acl_state() calls inside
parse_dacl() fails. At the moment the function may fail only due to the
memory allocation errors so it's highly unlikely in this case but
nevertheless a fix is needed.
Move ppace allocation after the init_acl_state() calls with proper error
handling.
Found by Linux Verification Center (linuxtesting.org).
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/smbacl.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 9ace5027684d..3a6c0abdb035 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -399,10 +399,6 @@ static void parse_dacl(struct user_namespace *user_ns,
if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
return;
- ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
- if (!ppace)
- return;
-
ret = init_acl_state(&acl_state, num_aces);
if (ret)
return;
@@ -412,6 +408,13 @@ static void parse_dacl(struct user_namespace *user_ns,
return;
}
+ ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
+ if (!ppace) {
+ free_acl_state(&default_acl_state);
+ free_acl_state(&acl_state);
+ return;
+ }
+
/*
* reset rwx permissions for user/group/other.
* Also, if num_aces is 0 i.e. DACL has no ACEs,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 002/476] ksmbd: dont allow O_TRUNC open on read-only share
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 001/476] ksmbd: free ppace array on error in parse_dacl Greg Kroah-Hartman
@ 2024-02-21 13:00 ` Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 003/476] ksmbd: validate mech token in session setup Greg Kroah-Hartman
` (483 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit d592a9158a112d419f341f035d18d02f8d232def ]
When file is changed using notepad on read-only share(read_only = yes in
ksmbd.conf), There is a problem where existing data is truncated.
notepad in windows try to O_TRUNC open(FILE_OVERWRITE_IF) and all data
in file is truncated. This patch don't allow O_TRUNC open on read-only
share and add KSMBD_TREE_CONN_FLAG_WRITABLE check in smb2_set_info().
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/smb2pdu.c | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 8875c04e8382..bf3bb37c00a9 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2968,7 +2968,7 @@ int smb2_open(struct ksmbd_work *work)
&may_flags);
if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
- if (open_flags & O_CREAT) {
+ if (open_flags & (O_CREAT | O_TRUNC)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
rc = -EACCES;
@@ -5945,12 +5945,6 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
}
case FILE_RENAME_INFORMATION:
{
- if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
- ksmbd_debug(SMB,
- "User does not have write permission\n");
- return -EACCES;
- }
-
if (buf_len < sizeof(struct smb2_file_rename_info))
return -EINVAL;
@@ -5970,12 +5964,6 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
}
case FILE_DISPOSITION_INFORMATION:
{
- if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
- ksmbd_debug(SMB,
- "User does not have write permission\n");
- return -EACCES;
- }
-
if (buf_len < sizeof(struct smb2_file_disposition_info))
return -EINVAL;
@@ -6037,7 +6025,7 @@ int smb2_set_info(struct ksmbd_work *work)
{
struct smb2_set_info_req *req;
struct smb2_set_info_rsp *rsp;
- struct ksmbd_file *fp;
+ struct ksmbd_file *fp = NULL;
int rc = 0;
unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
@@ -6057,6 +6045,13 @@ int smb2_set_info(struct ksmbd_work *work)
rsp = smb2_get_msg(work->response_buf);
}
+ if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ksmbd_debug(SMB, "User does not have write permission\n");
+ pr_err("User does not have write permission\n");
+ rc = -EACCES;
+ goto err_out;
+ }
+
if (!has_file_id(id)) {
id = req->VolatileFileId;
pid = req->PersistentFileId;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 003/476] ksmbd: validate mech token in session setup
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 001/476] ksmbd: free ppace array on error in parse_dacl Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 002/476] ksmbd: dont allow O_TRUNC open on read-only share Greg Kroah-Hartman
@ 2024-02-21 13:00 ` Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 004/476] ksmbd: fix UAF issue in ksmbd_tcp_new_connection() Greg Kroah-Hartman
` (482 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Sasha Levin, zdi-disclosures
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 92e470163d96df8db6c4fa0f484e4a229edb903d ]
If client send invalid mech token in session setup request, ksmbd
validate and make the error if it is invalid.
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-22890
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/asn1.c | 5 +++++
fs/ksmbd/connection.h | 1 +
fs/ksmbd/smb2pdu.c | 22 +++++++++++++++++-----
3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/asn1.c b/fs/ksmbd/asn1.c
index 4a4b2b03ff33..b931a99ab9c8 100644
--- a/fs/ksmbd/asn1.c
+++ b/fs/ksmbd/asn1.c
@@ -214,10 +214,15 @@ static int ksmbd_neg_token_alloc(void *context, size_t hdrlen,
{
struct ksmbd_conn *conn = context;
+ if (!vlen)
+ return -EINVAL;
+
conn->mechToken = kmemdup_nul(value, vlen, GFP_KERNEL);
if (!conn->mechToken)
return -ENOMEM;
+ conn->mechTokenLen = (unsigned int)vlen;
+
return 0;
}
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index 3c005246a32e..342f935f5770 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -88,6 +88,7 @@ struct ksmbd_conn {
__u16 dialect;
char *mechToken;
+ unsigned int mechTokenLen;
struct ksmbd_conn_ops *conn_ops;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index bf3bb37c00a9..92ea42876e75 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1414,7 +1414,10 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
char *name;
unsigned int name_off, name_len, secbuf_len;
- secbuf_len = le16_to_cpu(req->SecurityBufferLength);
+ if (conn->use_spnego && conn->mechToken)
+ secbuf_len = conn->mechTokenLen;
+ else
+ secbuf_len = le16_to_cpu(req->SecurityBufferLength);
if (secbuf_len < sizeof(struct authenticate_message)) {
ksmbd_debug(SMB, "blob len %d too small\n", secbuf_len);
return NULL;
@@ -1505,7 +1508,10 @@ static int ntlm_authenticate(struct ksmbd_work *work,
struct authenticate_message *authblob;
authblob = user_authblob(conn, req);
- sz = le16_to_cpu(req->SecurityBufferLength);
+ if (conn->use_spnego && conn->mechToken)
+ sz = conn->mechTokenLen;
+ else
+ sz = le16_to_cpu(req->SecurityBufferLength);
rc = ksmbd_decode_ntlmssp_auth_blob(authblob, sz, conn, sess);
if (rc) {
set_user_flag(sess->user, KSMBD_USER_FLAG_BAD_PASSWORD);
@@ -1778,8 +1784,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
negblob_off = le16_to_cpu(req->SecurityBufferOffset);
negblob_len = le16_to_cpu(req->SecurityBufferLength);
- if (negblob_off < offsetof(struct smb2_sess_setup_req, Buffer) ||
- negblob_len < offsetof(struct negotiate_message, NegotiateFlags)) {
+ if (negblob_off < offsetof(struct smb2_sess_setup_req, Buffer)) {
rc = -EINVAL;
goto out_err;
}
@@ -1788,8 +1793,15 @@ int smb2_sess_setup(struct ksmbd_work *work)
negblob_off);
if (decode_negotiation_token(conn, negblob, negblob_len) == 0) {
- if (conn->mechToken)
+ if (conn->mechToken) {
negblob = (struct negotiate_message *)conn->mechToken;
+ negblob_len = conn->mechTokenLen;
+ }
+ }
+
+ if (negblob_len < offsetof(struct negotiate_message, NegotiateFlags)) {
+ rc = -EINVAL;
+ goto out_err;
}
if (server_conf.auth_mechs & conn->auth_mechs) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 004/476] ksmbd: fix UAF issue in ksmbd_tcp_new_connection()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2024-02-21 13:00 ` [PATCH 5.15 003/476] ksmbd: validate mech token in session setup Greg Kroah-Hartman
@ 2024-02-21 13:00 ` Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 005/476] ksmbd: only v2 leases handle the directory Greg Kroah-Hartman
` (481 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Sasha Levin, zdi-disclosures
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 38d20c62903d669693a1869aa68c4dd5674e2544 ]
The race is between the handling of a new TCP connection and
its disconnection. It leads to UAF on `struct tcp_transport` in
ksmbd_tcp_new_connection() function.
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-22991
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/connection.c | 6 ------
fs/ksmbd/connection.h | 1 -
fs/ksmbd/transport_rdma.c | 11 ++++++-----
fs/ksmbd/transport_tcp.c | 13 +++++++------
4 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 0a7a30bd531f..3db9c06c946d 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -415,13 +415,7 @@ static void stop_sessions(void)
again:
down_read(&conn_list_lock);
list_for_each_entry(conn, &conn_list, conns_list) {
- struct task_struct *task;
-
t = conn->transport;
- task = t->handler;
- if (task)
- ksmbd_debug(CONN, "Stop session handler %s/%d\n",
- task->comm, task_pid_nr(task));
ksmbd_conn_set_exiting(conn);
if (t->ops->shutdown) {
up_read(&conn_list_lock);
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index 342f935f5770..0e04cf8b1d89 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -135,7 +135,6 @@ struct ksmbd_transport_ops {
struct ksmbd_transport {
struct ksmbd_conn *conn;
struct ksmbd_transport_ops *ops;
- struct task_struct *handler;
};
#define KSMBD_TCP_RECV_TIMEOUT (7 * HZ)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 252a1e7afcc0..355673f2830b 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -2039,6 +2039,7 @@ static bool rdma_frwr_is_supported(struct ib_device_attr *attrs)
static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
{
struct smb_direct_transport *t;
+ struct task_struct *handler;
int ret;
if (!rdma_frwr_is_supported(&new_cm_id->device->attrs)) {
@@ -2056,11 +2057,11 @@ static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
if (ret)
goto out_err;
- KSMBD_TRANS(t)->handler = kthread_run(ksmbd_conn_handler_loop,
- KSMBD_TRANS(t)->conn, "ksmbd:r%u",
- smb_direct_port);
- if (IS_ERR(KSMBD_TRANS(t)->handler)) {
- ret = PTR_ERR(KSMBD_TRANS(t)->handler);
+ handler = kthread_run(ksmbd_conn_handler_loop,
+ KSMBD_TRANS(t)->conn, "ksmbd:r%u",
+ smb_direct_port);
+ if (IS_ERR(handler)) {
+ ret = PTR_ERR(handler);
pr_err("Can't start thread\n");
goto out_err;
}
diff --git a/fs/ksmbd/transport_tcp.c b/fs/ksmbd/transport_tcp.c
index eff7a1d793f0..9d4222154dcc 100644
--- a/fs/ksmbd/transport_tcp.c
+++ b/fs/ksmbd/transport_tcp.c
@@ -185,6 +185,7 @@ static int ksmbd_tcp_new_connection(struct socket *client_sk)
struct sockaddr *csin;
int rc = 0;
struct tcp_transport *t;
+ struct task_struct *handler;
t = alloc_transport(client_sk);
if (!t) {
@@ -199,13 +200,13 @@ static int ksmbd_tcp_new_connection(struct socket *client_sk)
goto out_error;
}
- KSMBD_TRANS(t)->handler = kthread_run(ksmbd_conn_handler_loop,
- KSMBD_TRANS(t)->conn,
- "ksmbd:%u",
- ksmbd_tcp_get_port(csin));
- if (IS_ERR(KSMBD_TRANS(t)->handler)) {
+ handler = kthread_run(ksmbd_conn_handler_loop,
+ KSMBD_TRANS(t)->conn,
+ "ksmbd:%u",
+ ksmbd_tcp_get_port(csin));
+ if (IS_ERR(handler)) {
pr_err("cannot start conn thread\n");
- rc = PTR_ERR(KSMBD_TRANS(t)->handler);
+ rc = PTR_ERR(handler);
free_transport(t);
}
return rc;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 005/476] ksmbd: only v2 leases handle the directory
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2024-02-21 13:00 ` [PATCH 5.15 004/476] ksmbd: fix UAF issue in ksmbd_tcp_new_connection() Greg Kroah-Hartman
@ 2024-02-21 13:00 ` Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 006/476] iio: adc: ad7091r: Set alert bit in config register Greg Kroah-Hartman
` (480 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 77bebd186442a7d703b796784db7495129cc3e70 ]
When smb2 leases is disable, ksmbd can send oplock break notification
and cause wait oplock break ack timeout. It may appear like hang when
accessing a directory. This patch make only v2 leases handle the
directory.
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/oplock.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 2da256259722..678627659803 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1191,6 +1191,12 @@ int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
bool prev_op_has_lease;
__le32 prev_op_state = 0;
+ /* Only v2 leases handle the directory */
+ if (S_ISDIR(file_inode(fp->filp)->i_mode)) {
+ if (!lctx || lctx->version != 2)
+ return 0;
+ }
+
opinfo = alloc_opinfo(work, pid, tid);
if (!opinfo)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 006/476] iio: adc: ad7091r: Set alert bit in config register
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2024-02-21 13:00 ` [PATCH 5.15 005/476] ksmbd: only v2 leases handle the directory Greg Kroah-Hartman
@ 2024-02-21 13:00 ` Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 007/476] iio: adc: ad7091r: Allow users to configure device events Greg Kroah-Hartman
` (479 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcelo Schmitt, Jonathan Cameron,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Schmitt <marcelo.schmitt@analog.com>
[ Upstream commit 149694f5e79b0c7a36ceb76e7c0d590db8f151c1 ]
The ad7091r-base driver sets up an interrupt handler for firing events
when inputs are either above or below a certain threshold.
However, for the interrupt signal to come from the device it must be
configured to enable the ALERT/BUSY/GPO pin to be used as ALERT, which
was not being done until now.
Enable interrupt signals on the ALERT/BUSY/GPO pin by setting the proper
bit in the configuration register.
Signed-off-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Link: https://lore.kernel.org/r/e8da2ee98d6df88318b14baf3dc9630e20218418.1702746240.git.marcelo.schmitt1@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 020e71c7ffc2 ("iio: adc: ad7091r: Allow users to configure device events")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7091r-base.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/iio/adc/ad7091r-base.c b/drivers/iio/adc/ad7091r-base.c
index 811f04448d8d..ad089c0ff953 100644
--- a/drivers/iio/adc/ad7091r-base.c
+++ b/drivers/iio/adc/ad7091r-base.c
@@ -28,6 +28,7 @@
#define AD7091R_REG_RESULT_CONV_RESULT(x) ((x) & 0xfff)
/* AD7091R_REG_CONF */
+#define AD7091R_REG_CONF_ALERT_EN BIT(4)
#define AD7091R_REG_CONF_AUTO BIT(8)
#define AD7091R_REG_CONF_CMD BIT(10)
@@ -232,6 +233,11 @@ int ad7091r_probe(struct device *dev, const char *name,
iio_dev->channels = chip_info->channels;
if (irq) {
+ ret = regmap_update_bits(st->map, AD7091R_REG_CONF,
+ AD7091R_REG_CONF_ALERT_EN, BIT(4));
+ if (ret)
+ return ret;
+
ret = devm_request_threaded_irq(dev, irq, NULL,
ad7091r_event_handler,
IRQF_TRIGGER_FALLING | IRQF_ONESHOT, name, iio_dev);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 007/476] iio: adc: ad7091r: Allow users to configure device events
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2024-02-21 13:00 ` [PATCH 5.15 006/476] iio: adc: ad7091r: Set alert bit in config register Greg Kroah-Hartman
@ 2024-02-21 13:00 ` Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 008/476] iio: adc: ad7091r: Enable internal vref if external vref is not supplied Greg Kroah-Hartman
` (478 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Marcelo Schmitt,
Stable, Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Schmitt <marcelo.schmitt@analog.com>
[ Upstream commit 020e71c7ffc25dfe29ed9be6c2d39af7bd7f661f ]
AD7091R-5 devices are supported by the ad7091r-5 driver together with
the ad7091r-base driver. Those drivers declared iio events for notifying
user space when ADC readings fall bellow the thresholds of low limit
registers or above the values set in high limit registers.
However, to configure iio events and their thresholds, a set of callback
functions must be implemented and those were not present until now.
The consequence of trying to configure ad7091r-5 events without the
proper callback functions was a null pointer dereference in the kernel
because the pointers to the callback functions were not set.
Implement event configuration callbacks allowing users to read/write
event thresholds and enable/disable event generation.
Since the event spec structs are generic to AD7091R devices, also move
those from the ad7091r-5 driver the base driver so they can be reused
when support for ad7091r-2/-4/-8 be added.
Fixes: ca69300173b6 ("iio: adc: Add support for AD7091R5 ADC")
Suggested-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Link: https://lore.kernel.org/r/59552d3548dabd56adc3107b7b4869afee2b0c3c.1703013352.git.marcelo.schmitt1@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7091r-base.c | 156 +++++++++++++++++++++++++++++++++
drivers/iio/adc/ad7091r-base.h | 6 ++
drivers/iio/adc/ad7091r5.c | 28 +-----
3 files changed, 166 insertions(+), 24 deletions(-)
diff --git a/drivers/iio/adc/ad7091r-base.c b/drivers/iio/adc/ad7091r-base.c
index ad089c0ff953..9ddda08918db 100644
--- a/drivers/iio/adc/ad7091r-base.c
+++ b/drivers/iio/adc/ad7091r-base.c
@@ -6,6 +6,7 @@
*/
#include <linux/bitops.h>
+#include <linux/bitfield.h>
#include <linux/iio/events.h>
#include <linux/iio/iio.h>
#include <linux/interrupt.h>
@@ -50,6 +51,27 @@ struct ad7091r_state {
struct mutex lock; /*lock to prevent concurent reads */
};
+const struct iio_event_spec ad7091r_events[] = {
+ {
+ .type = IIO_EV_TYPE_THRESH,
+ .dir = IIO_EV_DIR_RISING,
+ .mask_separate = BIT(IIO_EV_INFO_VALUE) |
+ BIT(IIO_EV_INFO_ENABLE),
+ },
+ {
+ .type = IIO_EV_TYPE_THRESH,
+ .dir = IIO_EV_DIR_FALLING,
+ .mask_separate = BIT(IIO_EV_INFO_VALUE) |
+ BIT(IIO_EV_INFO_ENABLE),
+ },
+ {
+ .type = IIO_EV_TYPE_THRESH,
+ .dir = IIO_EV_DIR_EITHER,
+ .mask_separate = BIT(IIO_EV_INFO_HYSTERESIS),
+ },
+};
+EXPORT_SYMBOL_NS_GPL(ad7091r_events, IIO_AD7091R);
+
static int ad7091r_set_mode(struct ad7091r_state *st, enum ad7091r_mode mode)
{
int ret, conf;
@@ -169,8 +191,142 @@ static int ad7091r_read_raw(struct iio_dev *iio_dev,
return ret;
}
+static int ad7091r_read_event_config(struct iio_dev *indio_dev,
+ const struct iio_chan_spec *chan,
+ enum iio_event_type type,
+ enum iio_event_direction dir)
+{
+ struct ad7091r_state *st = iio_priv(indio_dev);
+ int val, ret;
+
+ switch (dir) {
+ case IIO_EV_DIR_RISING:
+ ret = regmap_read(st->map,
+ AD7091R_REG_CH_HIGH_LIMIT(chan->channel),
+ &val);
+ if (ret)
+ return ret;
+ return val != AD7091R_HIGH_LIMIT;
+ case IIO_EV_DIR_FALLING:
+ ret = regmap_read(st->map,
+ AD7091R_REG_CH_LOW_LIMIT(chan->channel),
+ &val);
+ if (ret)
+ return ret;
+ return val != AD7091R_LOW_LIMIT;
+ default:
+ return -EINVAL;
+ }
+}
+
+static int ad7091r_write_event_config(struct iio_dev *indio_dev,
+ const struct iio_chan_spec *chan,
+ enum iio_event_type type,
+ enum iio_event_direction dir, int state)
+{
+ struct ad7091r_state *st = iio_priv(indio_dev);
+
+ if (state) {
+ return regmap_set_bits(st->map, AD7091R_REG_CONF,
+ AD7091R_REG_CONF_ALERT_EN);
+ } else {
+ /*
+ * Set thresholds either to 0 or to 2^12 - 1 as appropriate to
+ * prevent alerts and thus disable event generation.
+ */
+ switch (dir) {
+ case IIO_EV_DIR_RISING:
+ return regmap_write(st->map,
+ AD7091R_REG_CH_HIGH_LIMIT(chan->channel),
+ AD7091R_HIGH_LIMIT);
+ case IIO_EV_DIR_FALLING:
+ return regmap_write(st->map,
+ AD7091R_REG_CH_LOW_LIMIT(chan->channel),
+ AD7091R_LOW_LIMIT);
+ default:
+ return -EINVAL;
+ }
+ }
+}
+
+static int ad7091r_read_event_value(struct iio_dev *indio_dev,
+ const struct iio_chan_spec *chan,
+ enum iio_event_type type,
+ enum iio_event_direction dir,
+ enum iio_event_info info, int *val, int *val2)
+{
+ struct ad7091r_state *st = iio_priv(indio_dev);
+ int ret;
+
+ switch (info) {
+ case IIO_EV_INFO_VALUE:
+ switch (dir) {
+ case IIO_EV_DIR_RISING:
+ ret = regmap_read(st->map,
+ AD7091R_REG_CH_HIGH_LIMIT(chan->channel),
+ val);
+ if (ret)
+ return ret;
+ return IIO_VAL_INT;
+ case IIO_EV_DIR_FALLING:
+ ret = regmap_read(st->map,
+ AD7091R_REG_CH_LOW_LIMIT(chan->channel),
+ val);
+ if (ret)
+ return ret;
+ return IIO_VAL_INT;
+ default:
+ return -EINVAL;
+ }
+ case IIO_EV_INFO_HYSTERESIS:
+ ret = regmap_read(st->map,
+ AD7091R_REG_CH_HYSTERESIS(chan->channel),
+ val);
+ if (ret)
+ return ret;
+ return IIO_VAL_INT;
+ default:
+ return -EINVAL;
+ }
+}
+
+static int ad7091r_write_event_value(struct iio_dev *indio_dev,
+ const struct iio_chan_spec *chan,
+ enum iio_event_type type,
+ enum iio_event_direction dir,
+ enum iio_event_info info, int val, int val2)
+{
+ struct ad7091r_state *st = iio_priv(indio_dev);
+
+ switch (info) {
+ case IIO_EV_INFO_VALUE:
+ switch (dir) {
+ case IIO_EV_DIR_RISING:
+ return regmap_write(st->map,
+ AD7091R_REG_CH_HIGH_LIMIT(chan->channel),
+ val);
+ case IIO_EV_DIR_FALLING:
+ return regmap_write(st->map,
+ AD7091R_REG_CH_LOW_LIMIT(chan->channel),
+ val);
+ default:
+ return -EINVAL;
+ }
+ case IIO_EV_INFO_HYSTERESIS:
+ return regmap_write(st->map,
+ AD7091R_REG_CH_HYSTERESIS(chan->channel),
+ val);
+ default:
+ return -EINVAL;
+ }
+}
+
static const struct iio_info ad7091r_info = {
.read_raw = ad7091r_read_raw,
+ .read_event_config = &ad7091r_read_event_config,
+ .write_event_config = &ad7091r_write_event_config,
+ .read_event_value = &ad7091r_read_event_value,
+ .write_event_value = &ad7091r_write_event_value,
};
static irqreturn_t ad7091r_event_handler(int irq, void *private)
diff --git a/drivers/iio/adc/ad7091r-base.h b/drivers/iio/adc/ad7091r-base.h
index 509748aef9b1..7a78976a2f80 100644
--- a/drivers/iio/adc/ad7091r-base.h
+++ b/drivers/iio/adc/ad7091r-base.h
@@ -8,6 +8,10 @@
#ifndef __DRIVERS_IIO_ADC_AD7091R_BASE_H__
#define __DRIVERS_IIO_ADC_AD7091R_BASE_H__
+/* AD7091R_REG_CH_LIMIT */
+#define AD7091R_HIGH_LIMIT 0xFFF
+#define AD7091R_LOW_LIMIT 0x0
+
struct device;
struct ad7091r_state;
@@ -17,6 +21,8 @@ struct ad7091r_chip_info {
unsigned int vref_mV;
};
+extern const struct iio_event_spec ad7091r_events[3];
+
extern const struct regmap_config ad7091r_regmap_config;
int ad7091r_probe(struct device *dev, const char *name,
diff --git a/drivers/iio/adc/ad7091r5.c b/drivers/iio/adc/ad7091r5.c
index 9665679c3ea6..e60511460786 100644
--- a/drivers/iio/adc/ad7091r5.c
+++ b/drivers/iio/adc/ad7091r5.c
@@ -12,26 +12,6 @@
#include "ad7091r-base.h"
-static const struct iio_event_spec ad7091r5_events[] = {
- {
- .type = IIO_EV_TYPE_THRESH,
- .dir = IIO_EV_DIR_RISING,
- .mask_separate = BIT(IIO_EV_INFO_VALUE) |
- BIT(IIO_EV_INFO_ENABLE),
- },
- {
- .type = IIO_EV_TYPE_THRESH,
- .dir = IIO_EV_DIR_FALLING,
- .mask_separate = BIT(IIO_EV_INFO_VALUE) |
- BIT(IIO_EV_INFO_ENABLE),
- },
- {
- .type = IIO_EV_TYPE_THRESH,
- .dir = IIO_EV_DIR_EITHER,
- .mask_separate = BIT(IIO_EV_INFO_HYSTERESIS),
- },
-};
-
#define AD7091R_CHANNEL(idx, bits, ev, num_ev) { \
.type = IIO_VOLTAGE, \
.info_mask_separate = BIT(IIO_CHAN_INFO_RAW), \
@@ -44,10 +24,10 @@ static const struct iio_event_spec ad7091r5_events[] = {
.scan_type.realbits = bits, \
}
static const struct iio_chan_spec ad7091r5_channels_irq[] = {
- AD7091R_CHANNEL(0, 12, ad7091r5_events, ARRAY_SIZE(ad7091r5_events)),
- AD7091R_CHANNEL(1, 12, ad7091r5_events, ARRAY_SIZE(ad7091r5_events)),
- AD7091R_CHANNEL(2, 12, ad7091r5_events, ARRAY_SIZE(ad7091r5_events)),
- AD7091R_CHANNEL(3, 12, ad7091r5_events, ARRAY_SIZE(ad7091r5_events)),
+ AD7091R_CHANNEL(0, 12, ad7091r_events, ARRAY_SIZE(ad7091r_events)),
+ AD7091R_CHANNEL(1, 12, ad7091r_events, ARRAY_SIZE(ad7091r_events)),
+ AD7091R_CHANNEL(2, 12, ad7091r_events, ARRAY_SIZE(ad7091r_events)),
+ AD7091R_CHANNEL(3, 12, ad7091r_events, ARRAY_SIZE(ad7091r_events)),
};
static const struct iio_chan_spec ad7091r5_channels_noirq[] = {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 008/476] iio: adc: ad7091r: Enable internal vref if external vref is not supplied
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2024-02-21 13:00 ` [PATCH 5.15 007/476] iio: adc: ad7091r: Allow users to configure device events Greg Kroah-Hartman
@ 2024-02-21 13:00 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 009/476] dmaengine: fix NULL pointer in channel unregistration function Greg Kroah-Hartman
` (477 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcelo Schmitt, Stable,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Schmitt <marcelo.schmitt@analog.com>
[ Upstream commit e71c5c89bcb165a02df35325aa13d1ee40112401 ]
The ADC needs a voltage reference to work correctly.
Users can provide an external voltage reference or use the chip internal
reference to operate the ADC.
The availability of an in chip reference for the ADC saves the user from
having to supply an external voltage reference, which makes the external
reference an optional property as described in the device tree
documentation.
Though, to use the internal reference, it must be enabled by writing to
the configuration register.
Enable AD7091R internal voltage reference if no external vref is supplied.
Fixes: 260442cc5be4 ("iio: adc: ad7091r5: Add scale and external VREF support")
Signed-off-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Link: https://lore.kernel.org/r/b865033fa6a4fc4bf2b4a98ec51a6144e0f64f77.1703013352.git.marcelo.schmitt1@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7091r-base.c | 7 +++++++
drivers/iio/adc/ad7091r-base.h | 2 ++
2 files changed, 9 insertions(+)
diff --git a/drivers/iio/adc/ad7091r-base.c b/drivers/iio/adc/ad7091r-base.c
index 9ddda08918db..f345542e69a0 100644
--- a/drivers/iio/adc/ad7091r-base.c
+++ b/drivers/iio/adc/ad7091r-base.c
@@ -405,7 +405,14 @@ int ad7091r_probe(struct device *dev, const char *name,
if (IS_ERR(st->vref)) {
if (PTR_ERR(st->vref) == -EPROBE_DEFER)
return -EPROBE_DEFER;
+
st->vref = NULL;
+ /* Enable internal vref */
+ ret = regmap_set_bits(st->map, AD7091R_REG_CONF,
+ AD7091R_REG_CONF_INT_VREF);
+ if (ret)
+ return dev_err_probe(st->dev, ret,
+ "Error on enable internal reference\n");
} else {
ret = regulator_enable(st->vref);
if (ret)
diff --git a/drivers/iio/adc/ad7091r-base.h b/drivers/iio/adc/ad7091r-base.h
index 7a78976a2f80..b9e1c8bf3440 100644
--- a/drivers/iio/adc/ad7091r-base.h
+++ b/drivers/iio/adc/ad7091r-base.h
@@ -8,6 +8,8 @@
#ifndef __DRIVERS_IIO_ADC_AD7091R_BASE_H__
#define __DRIVERS_IIO_ADC_AD7091R_BASE_H__
+#define AD7091R_REG_CONF_INT_VREF BIT(0)
+
/* AD7091R_REG_CH_LIMIT */
#define AD7091R_HIGH_LIMIT 0xFFF
#define AD7091R_LOW_LIMIT 0x0
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 009/476] dmaengine: fix NULL pointer in channel unregistration function
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2024-02-21 13:00 ` [PATCH 5.15 008/476] iio: adc: ad7091r: Enable internal vref if external vref is not supplied Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 010/476] scsi: ufs: core: Simplify power management during async scan Greg Kroah-Hartman
` (476 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amelie Delaunay, Dave Jiang,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amelie Delaunay <amelie.delaunay@foss.st.com>
[ Upstream commit f5c24d94512f1b288262beda4d3dcb9629222fc7 ]
__dma_async_device_channel_register() can fail. In case of failure,
chan->local is freed (with free_percpu()), and chan->local is nullified.
When dma_async_device_unregister() is called (because of managed API or
intentionally by DMA controller driver), channels are unconditionally
unregistered, leading to this NULL pointer:
[ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[...]
[ 1.484499] Call trace:
[ 1.486930] device_del+0x40/0x394
[ 1.490314] device_unregister+0x20/0x7c
[ 1.494220] __dma_async_device_channel_unregister+0x68/0xc0
Look at dma_async_device_register() function error path, channel device
unregistration is done only if chan->local is not NULL.
Then add the same condition at the beginning of
__dma_async_device_channel_unregister() function, to avoid NULL pointer
issue whatever the API used to reach this function.
Fixes: d2fb0a043838 ("dmaengine: break out channel registration")
Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20231213160452.2598073-1-amelie.delaunay@foss.st.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dmaengine.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index 4ec7bb58c195..9559ebd61f3b 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -1108,6 +1108,9 @@ EXPORT_SYMBOL_GPL(dma_async_device_channel_register);
static void __dma_async_device_channel_unregister(struct dma_device *device,
struct dma_chan *chan)
{
+ if (chan->local == NULL)
+ return;
+
WARN_ONCE(!device->device_release && chan->client_count,
"%s called while %d clients hold a reference\n",
__func__, chan->client_count);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 010/476] scsi: ufs: core: Simplify power management during async scan
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 009/476] dmaengine: fix NULL pointer in channel unregistration function Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 011/476] scsi: ufs: core: Remove the ufshcd_hba_exit() call from ufshcd_async_scan() Greg Kroah-Hartman
` (475 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Can Guo,
Manivannan Sadhasivam, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit daf7795406bf307997366f694888bd317ae5b5fa ]
ufshcd_init() calls pm_runtime_get_sync() before it calls
async_schedule(). ufshcd_async_scan() calls pm_runtime_put_sync() directly
or indirectly from ufshcd_add_lus(). Simplify ufshcd_async_scan() by always
calling pm_runtime_put_sync() from ufshcd_async_scan().
Cc: <stable@vger.kernel.org>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20231218225229.2542156-2-bvanassche@acm.org
Reviewed-by: Can Guo <quic_cang@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: ee36710912b2 ("scsi: ufs: core: Remove the ufshcd_hba_exit() call from ufshcd_async_scan()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ufs/ufshcd.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index e78461f66400..0354e3bce455 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -7896,7 +7896,6 @@ static int ufshcd_add_lus(struct ufs_hba *hba)
ufs_bsg_probe(hba);
ufshpb_init(hba);
scsi_scan_host(hba->host);
- pm_runtime_put_sync(hba->dev);
out:
return ret;
@@ -8018,15 +8017,15 @@ static void ufshcd_async_scan(void *data, async_cookie_t cookie)
/* Probe and add UFS logical units */
ret = ufshcd_add_lus(hba);
+
out:
+ pm_runtime_put_sync(hba->dev);
/*
* If we failed to initialize the device or the device is not
* present, turn off the power/clocks etc.
*/
- if (ret) {
- pm_runtime_put_sync(hba->dev);
+ if (ret)
ufshcd_hba_exit(hba);
- }
}
static const struct attribute_group *ufshcd_driver_groups[] = {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 011/476] scsi: ufs: core: Remove the ufshcd_hba_exit() call from ufshcd_async_scan()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 010/476] scsi: ufs: core: Simplify power management during async scan Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 012/476] iio:adc:ad7091r: Move exports into IIO_AD7091R namespace Greg Kroah-Hartman
` (474 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Mentz, Bart Van Assche,
Can Guo, Manivannan Sadhasivam, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit ee36710912b2075c417100a8acc642c9c6496501 ]
Calling ufshcd_hba_exit() from a function that is called asynchronously
from ufshcd_init() is wrong because this triggers multiple race
conditions. Instead of calling ufshcd_hba_exit(), log an error message.
Reported-by: Daniel Mentz <danielmentz@google.com>
Fixes: 1d337ec2f35e ("ufs: improve init sequence")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20231218225229.2542156-3-bvanassche@acm.org
Reviewed-by: Can Guo <quic_cang@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ufs/ufshcd.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 0354e3bce455..03b33c34f702 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -8020,12 +8020,9 @@ static void ufshcd_async_scan(void *data, async_cookie_t cookie)
out:
pm_runtime_put_sync(hba->dev);
- /*
- * If we failed to initialize the device or the device is not
- * present, turn off the power/clocks etc.
- */
+
if (ret)
- ufshcd_hba_exit(hba);
+ dev_err(hba->dev, "%s failed: %d\n", __func__, ret);
}
static const struct attribute_group *ufshcd_driver_groups[] = {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 012/476] iio:adc:ad7091r: Move exports into IIO_AD7091R namespace.
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 011/476] scsi: ufs: core: Remove the ufshcd_hba_exit() call from ufshcd_async_scan() Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 013/476] ext4: allow for the last group to be marked as trimmed Greg Kroah-Hartman
` (473 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cameron, Paul Cercueil,
Andy Shevchenko
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
commit 8a0080af84d3fb2423f0b3b55eff666f545eb097 upstream.
In order to avoid unnecessary pollution of the global symbol namespace
move the core/library functions into a specific namespace and import
that into the various specific device drivers that use them.
For more information see https://lwn.net/Articles/760045/
An alternative here would be to conclude that we are unlikely to see
support for the other ad7091r parts in the near future and just merge
the two modules into one supporting just the i2c -5 variant.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Paul Cercueil <paul@crapouillou.net>
Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220130205701.334592-3-jic23@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad7091r-base.c | 4 ++--
drivers/iio/adc/ad7091r5.c | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/ad7091r-base.c
+++ b/drivers/iio/adc/ad7091r-base.c
@@ -429,7 +429,7 @@ int ad7091r_probe(struct device *dev, co
return devm_iio_device_register(dev, iio_dev);
}
-EXPORT_SYMBOL_GPL(ad7091r_probe);
+EXPORT_SYMBOL_NS_GPL(ad7091r_probe, IIO_AD7091R);
static bool ad7091r_writeable_reg(struct device *dev, unsigned int reg)
{
@@ -459,7 +459,7 @@ const struct regmap_config ad7091r_regma
.writeable_reg = ad7091r_writeable_reg,
.volatile_reg = ad7091r_volatile_reg,
};
-EXPORT_SYMBOL_GPL(ad7091r_regmap_config);
+EXPORT_SYMBOL_NS_GPL(ad7091r_regmap_config, IIO_AD7091R);
MODULE_AUTHOR("Beniamin Bia <beniamin.bia@analog.com>");
MODULE_DESCRIPTION("Analog Devices AD7091Rx multi-channel converters");
--- a/drivers/iio/adc/ad7091r5.c
+++ b/drivers/iio/adc/ad7091r5.c
@@ -91,3 +91,4 @@ module_i2c_driver(ad7091r5_driver);
MODULE_AUTHOR("Beniamin Bia <beniamin.bia@analog.com>");
MODULE_DESCRIPTION("Analog Devices AD7091R5 multi-channel ADC driver");
MODULE_LICENSE("GPL v2");
+MODULE_IMPORT_NS(IIO_AD7091R);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 013/476] ext4: allow for the last group to be marked as trimmed
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 012/476] iio:adc:ad7091r: Move exports into IIO_AD7091R namespace Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 014/476] btrfs: sysfs: validate scrub_speed_max value Greg Kroah-Hartman
` (472 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suraj Jitindar Singh, Jan Kara,
Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suraj Jitindar Singh <surajjs@amazon.com>
commit 7c784d624819acbeefb0018bac89e632467cca5a upstream.
The ext4 filesystem tracks the trim status of blocks at the group
level. When an entire group has been trimmed then it is marked as
such and subsequent trim invocations with the same minimum trim size
will not be attempted on that group unless it is marked as able to be
trimmed again such as when a block is freed.
Currently the last group can't be marked as trimmed due to incorrect
logic in ext4_last_grp_cluster(). ext4_last_grp_cluster() is supposed
to return the zero based index of the last cluster in a group. This is
then used by ext4_try_to_trim_range() to determine if the trim
operation spans the entire group and as such if the trim status of the
group should be recorded.
ext4_last_grp_cluster() takes a 0 based group index, thus the valid
values for grp are 0..(ext4_get_groups_count - 1). Any group index
less than (ext4_get_groups_count - 1) is not the last group and must
have EXT4_CLUSTERS_PER_GROUP(sb) clusters. For the last group we need
to calculate the number of clusters based on the number of blocks in
the group. Finally subtract 1 from the number of clusters as zero
based indexing is expected. Rearrange the function slightly to make
it clear what we are calculating and returning.
Reproducer:
// Create file system where the last group has fewer blocks than
// blocks per group
$ mkfs.ext4 -b 4096 -g 8192 /dev/nvme0n1 8191
$ mount /dev/nvme0n1 /mnt
Before Patch:
$ fstrim -v /mnt
/mnt: 25.9 MiB (27156480 bytes) trimmed
// Group not marked as trimmed so second invocation still discards blocks
$ fstrim -v /mnt
/mnt: 25.9 MiB (27156480 bytes) trimmed
After Patch:
fstrim -v /mnt
/mnt: 25.9 MiB (27156480 bytes) trimmed
// Group marked as trimmed so second invocation DOESN'T discard any blocks
fstrim -v /mnt
/mnt: 0 B (0 bytes) trimmed
Fixes: 45e4ab320c9b ("ext4: move setting of trimmed bit into ext4_try_to_trim_range()")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Suraj Jitindar Singh <surajjs@amazon.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20231213051635.37731-1-surajjs@amazon.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -6434,11 +6434,16 @@ __acquires(bitlock)
static ext4_grpblk_t ext4_last_grp_cluster(struct super_block *sb,
ext4_group_t grp)
{
- if (grp < ext4_get_groups_count(sb))
- return EXT4_CLUSTERS_PER_GROUP(sb) - 1;
- return (ext4_blocks_count(EXT4_SB(sb)->s_es) -
- ext4_group_first_block_no(sb, grp) - 1) >>
- EXT4_CLUSTER_BITS(sb);
+ unsigned long nr_clusters_in_group;
+
+ if (grp < (ext4_get_groups_count(sb) - 1))
+ nr_clusters_in_group = EXT4_CLUSTERS_PER_GROUP(sb);
+ else
+ nr_clusters_in_group = (ext4_blocks_count(EXT4_SB(sb)->s_es) -
+ ext4_group_first_block_no(sb, grp))
+ >> EXT4_CLUSTER_BITS(sb);
+
+ return nr_clusters_in_group - 1;
}
static bool ext4_trim_interrupted(void)
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 014/476] btrfs: sysfs: validate scrub_speed_max value
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 013/476] ext4: allow for the last group to be marked as trimmed Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 015/476] crypto: api - Disallow identical driver names Greg Kroah-Hartman
` (471 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Disseldorp, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Disseldorp <ddiss@suse.de>
commit 2b0122aaa800b021e36027d7f29e206f87c761d6 upstream.
The value set as scrub_speed_max accepts size with suffixes
(k/m/g/t/p/e) but we should still validate it for trailing characters,
similar to what we do with chunk_size_store.
CC: stable@vger.kernel.org # 5.15+
Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/sysfs.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/btrfs/sysfs.c
+++ b/fs/btrfs/sysfs.c
@@ -1523,6 +1523,10 @@ static ssize_t btrfs_devinfo_scrub_speed
unsigned long long limit;
limit = memparse(buf, &endptr);
+ /* There could be trailing '\n', also catch any typos after the value. */
+ endptr = skip_spaces(endptr);
+ if (*endptr != 0)
+ return -EINVAL;
WRITE_ONCE(device->scrub_speed_max, limit);
return len;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 015/476] crypto: api - Disallow identical driver names
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 014/476] btrfs: sysfs: validate scrub_speed_max value Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 016/476] PM: hibernate: Enforce ordering during image compression/decompression Greg Kroah-Hartman
` (470 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Herbert Xu
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit 27016f75f5ed47e2d8e0ca75a8ff1f40bc1a5e27 upstream.
Disallow registration of two algorithms with identical driver names.
Cc: <stable@vger.kernel.org>
Reported-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/algapi.c | 1 +
1 file changed, 1 insertion(+)
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -258,6 +258,7 @@ static struct crypto_larval *__crypto_re
}
if (!strcmp(q->cra_driver_name, alg->cra_name) ||
+ !strcmp(q->cra_driver_name, alg->cra_driver_name) ||
!strcmp(q->cra_name, alg->cra_driver_name))
goto err;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 016/476] PM: hibernate: Enforce ordering during image compression/decompression
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 015/476] crypto: api - Disallow identical driver names Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 017/476] hwrng: core - Fix page fault dead lock on mmap-ed hwrng Greg Kroah-Hartman
` (469 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hongchen Zhang, Weihao Li,
Rafael J. Wysocki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongchen Zhang <zhanghongchen@loongson.cn>
commit 71cd7e80cfde548959952eac7063aeaea1f2e1c6 upstream.
An S4 (suspend to disk) test on the LoongArch 3A6000 platform sometimes
fails with the following error messaged in the dmesg log:
Invalid LZO compressed length
That happens because when compressing/decompressing the image, the
synchronization between the control thread and the compress/decompress/crc
thread is based on a relaxed ordering interface, which is unreliable, and the
following situation may occur:
CPU 0 CPU 1
save_image_lzo lzo_compress_threadfn
atomic_set(&d->stop, 1);
atomic_read(&data[thr].stop)
data[thr].cmp = data[thr].cmp_len;
WRITE data[thr].cmp_len
Then CPU0 gets a stale cmp_len and writes it to disk. During resume from S4,
wrong cmp_len is loaded.
To maintain data consistency between the two threads, use the acquire/release
variants of atomic set and read operations.
Fixes: 081a9d043c98 ("PM / Hibernate: Improve performance of LZO/plain hibernation, checksum image")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Hongchen Zhang <zhanghongchen@loongson.cn>
Co-developed-by: Weihao Li <liweihao@loongson.cn>
Signed-off-by: Weihao Li <liweihao@loongson.cn>
[ rjw: Subject rewrite and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/power/swap.c | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
--- a/kernel/power/swap.c
+++ b/kernel/power/swap.c
@@ -603,11 +603,11 @@ static int crc32_threadfn(void *data)
unsigned i;
while (1) {
- wait_event(d->go, atomic_read(&d->ready) ||
+ wait_event(d->go, atomic_read_acquire(&d->ready) ||
kthread_should_stop());
if (kthread_should_stop()) {
d->thr = NULL;
- atomic_set(&d->stop, 1);
+ atomic_set_release(&d->stop, 1);
wake_up(&d->done);
break;
}
@@ -616,7 +616,7 @@ static int crc32_threadfn(void *data)
for (i = 0; i < d->run_threads; i++)
*d->crc32 = crc32_le(*d->crc32,
d->unc[i], *d->unc_len[i]);
- atomic_set(&d->stop, 1);
+ atomic_set_release(&d->stop, 1);
wake_up(&d->done);
}
return 0;
@@ -646,12 +646,12 @@ static int lzo_compress_threadfn(void *d
struct cmp_data *d = data;
while (1) {
- wait_event(d->go, atomic_read(&d->ready) ||
+ wait_event(d->go, atomic_read_acquire(&d->ready) ||
kthread_should_stop());
if (kthread_should_stop()) {
d->thr = NULL;
d->ret = -1;
- atomic_set(&d->stop, 1);
+ atomic_set_release(&d->stop, 1);
wake_up(&d->done);
break;
}
@@ -660,7 +660,7 @@ static int lzo_compress_threadfn(void *d
d->ret = lzo1x_1_compress(d->unc, d->unc_len,
d->cmp + LZO_HEADER, &d->cmp_len,
d->wrk);
- atomic_set(&d->stop, 1);
+ atomic_set_release(&d->stop, 1);
wake_up(&d->done);
}
return 0;
@@ -798,7 +798,7 @@ static int save_image_lzo(struct swap_ma
data[thr].unc_len = off;
- atomic_set(&data[thr].ready, 1);
+ atomic_set_release(&data[thr].ready, 1);
wake_up(&data[thr].go);
}
@@ -806,12 +806,12 @@ static int save_image_lzo(struct swap_ma
break;
crc->run_threads = thr;
- atomic_set(&crc->ready, 1);
+ atomic_set_release(&crc->ready, 1);
wake_up(&crc->go);
for (run_threads = thr, thr = 0; thr < run_threads; thr++) {
wait_event(data[thr].done,
- atomic_read(&data[thr].stop));
+ atomic_read_acquire(&data[thr].stop));
atomic_set(&data[thr].stop, 0);
ret = data[thr].ret;
@@ -850,7 +850,7 @@ static int save_image_lzo(struct swap_ma
}
}
- wait_event(crc->done, atomic_read(&crc->stop));
+ wait_event(crc->done, atomic_read_acquire(&crc->stop));
atomic_set(&crc->stop, 0);
}
@@ -1132,12 +1132,12 @@ static int lzo_decompress_threadfn(void
struct dec_data *d = data;
while (1) {
- wait_event(d->go, atomic_read(&d->ready) ||
+ wait_event(d->go, atomic_read_acquire(&d->ready) ||
kthread_should_stop());
if (kthread_should_stop()) {
d->thr = NULL;
d->ret = -1;
- atomic_set(&d->stop, 1);
+ atomic_set_release(&d->stop, 1);
wake_up(&d->done);
break;
}
@@ -1150,7 +1150,7 @@ static int lzo_decompress_threadfn(void
flush_icache_range((unsigned long)d->unc,
(unsigned long)d->unc + d->unc_len);
- atomic_set(&d->stop, 1);
+ atomic_set_release(&d->stop, 1);
wake_up(&d->done);
}
return 0;
@@ -1338,7 +1338,7 @@ static int load_image_lzo(struct swap_ma
}
if (crc->run_threads) {
- wait_event(crc->done, atomic_read(&crc->stop));
+ wait_event(crc->done, atomic_read_acquire(&crc->stop));
atomic_set(&crc->stop, 0);
crc->run_threads = 0;
}
@@ -1374,7 +1374,7 @@ static int load_image_lzo(struct swap_ma
pg = 0;
}
- atomic_set(&data[thr].ready, 1);
+ atomic_set_release(&data[thr].ready, 1);
wake_up(&data[thr].go);
}
@@ -1393,7 +1393,7 @@ static int load_image_lzo(struct swap_ma
for (run_threads = thr, thr = 0; thr < run_threads; thr++) {
wait_event(data[thr].done,
- atomic_read(&data[thr].stop));
+ atomic_read_acquire(&data[thr].stop));
atomic_set(&data[thr].stop, 0);
ret = data[thr].ret;
@@ -1424,7 +1424,7 @@ static int load_image_lzo(struct swap_ma
ret = snapshot_write_next(snapshot);
if (ret <= 0) {
crc->run_threads = thr + 1;
- atomic_set(&crc->ready, 1);
+ atomic_set_release(&crc->ready, 1);
wake_up(&crc->go);
goto out_finish;
}
@@ -1432,13 +1432,13 @@ static int load_image_lzo(struct swap_ma
}
crc->run_threads = thr;
- atomic_set(&crc->ready, 1);
+ atomic_set_release(&crc->ready, 1);
wake_up(&crc->go);
}
out_finish:
if (crc->run_threads) {
- wait_event(crc->done, atomic_read(&crc->stop));
+ wait_event(crc->done, atomic_read_acquire(&crc->stop));
atomic_set(&crc->stop, 0);
}
stop = ktime_get();
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 017/476] hwrng: core - Fix page fault dead lock on mmap-ed hwrng
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 016/476] PM: hibernate: Enforce ordering during image compression/decompression Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 018/476] crypto: s390/aes - Fix buffer overread in CTR mode Greg Kroah-Hartman
` (468 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis,
syzbot+c52ab18308964d248092, Herbert Xu
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit 78aafb3884f6bc6636efcc1760c891c8500b9922 upstream.
There is a dead-lock in the hwrng device read path. This triggers
when the user reads from /dev/hwrng into memory also mmap-ed from
/dev/hwrng. The resulting page fault triggers a recursive read
which then dead-locks.
Fix this by using a stack buffer when calling copy_to_user.
Reported-by: Edward Adam Davis <eadavis@qq.com>
Reported-by: syzbot+c52ab18308964d248092@syzkaller.appspotmail.com
Fixes: 9996508b3353 ("hwrng: core - Replace u32 in driver API with byte array")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/hw_random/core.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
--- a/drivers/char/hw_random/core.c
+++ b/drivers/char/hw_random/core.c
@@ -24,10 +24,13 @@
#include <linux/random.h>
#include <linux/sched.h>
#include <linux/slab.h>
+#include <linux/string.h>
#include <linux/uaccess.h>
#define RNG_MODULE_NAME "hw_random"
+#define RNG_BUFFER_SIZE (SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES)
+
static struct hwrng *current_rng;
/* the current rng has been explicitly chosen by user via sysfs */
static int cur_rng_set_by_user;
@@ -59,7 +62,7 @@ static inline int rng_get_data(struct hw
static size_t rng_buffer_size(void)
{
- return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES;
+ return RNG_BUFFER_SIZE;
}
static void add_early_randomness(struct hwrng *rng)
@@ -206,6 +209,7 @@ static inline int rng_get_data(struct hw
static ssize_t rng_dev_read(struct file *filp, char __user *buf,
size_t size, loff_t *offp)
{
+ u8 buffer[RNG_BUFFER_SIZE];
ssize_t ret = 0;
int err = 0;
int bytes_read, len;
@@ -233,34 +237,37 @@ static ssize_t rng_dev_read(struct file
if (bytes_read < 0) {
err = bytes_read;
goto out_unlock_reading;
+ } else if (bytes_read == 0 &&
+ (filp->f_flags & O_NONBLOCK)) {
+ err = -EAGAIN;
+ goto out_unlock_reading;
}
+
data_avail = bytes_read;
}
- if (!data_avail) {
- if (filp->f_flags & O_NONBLOCK) {
- err = -EAGAIN;
- goto out_unlock_reading;
- }
- } else {
- len = data_avail;
+ len = data_avail;
+ if (len) {
if (len > size)
len = size;
data_avail -= len;
- if (copy_to_user(buf + ret, rng_buffer + data_avail,
- len)) {
+ memcpy(buffer, rng_buffer + data_avail, len);
+ }
+ mutex_unlock(&reading_mutex);
+ put_rng(rng);
+
+ if (len) {
+ if (copy_to_user(buf + ret, buffer, len)) {
err = -EFAULT;
- goto out_unlock_reading;
+ goto out;
}
size -= len;
ret += len;
}
- mutex_unlock(&reading_mutex);
- put_rng(rng);
if (need_resched())
schedule_timeout_interruptible(1);
@@ -271,6 +278,7 @@ static ssize_t rng_dev_read(struct file
}
}
out:
+ memzero_explicit(buffer, sizeof(buffer));
return ret ? : err;
out_unlock_reading:
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 018/476] crypto: s390/aes - Fix buffer overread in CTR mode
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 017/476] hwrng: core - Fix page fault dead lock on mmap-ed hwrng Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 019/476] media: imx355: Enable runtime PM before registering async sub-device Greg Kroah-Hartman
` (467 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangwu Zhang, Herbert Xu,
Harald Freudenberger
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit d07f951903fa9922c375b8ab1ce81b18a0034e3b upstream.
When processing the last block, the s390 ctr code will always read
a whole block, even if there isn't a whole block of data left. Fix
this by using the actual length left and copy it into a buffer first
for processing.
Fixes: 0200f3ecc196 ("crypto: s390 - add System z hardware support for CTR mode")
Cc: <stable@vger.kernel.org>
Reported-by: Guangwu Zhang <guazhang@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewd-by: Harald Freudenberger <freude@de.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/crypto/aes_s390.c | 4 +++-
arch/s390/crypto/paes_s390.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
--- a/arch/s390/crypto/aes_s390.c
+++ b/arch/s390/crypto/aes_s390.c
@@ -601,7 +601,9 @@ static int ctr_aes_crypt(struct skcipher
* final block may be < AES_BLOCK_SIZE, copy only nbytes
*/
if (nbytes) {
- cpacf_kmctr(sctx->fc, sctx->key, buf, walk.src.virt.addr,
+ memset(buf, 0, AES_BLOCK_SIZE);
+ memcpy(buf, walk.src.virt.addr, nbytes);
+ cpacf_kmctr(sctx->fc, sctx->key, buf, buf,
AES_BLOCK_SIZE, walk.iv);
memcpy(walk.dst.virt.addr, buf, nbytes);
crypto_inc(walk.iv, AES_BLOCK_SIZE);
--- a/arch/s390/crypto/paes_s390.c
+++ b/arch/s390/crypto/paes_s390.c
@@ -688,9 +688,11 @@ static int ctr_paes_crypt(struct skciphe
* final block may be < AES_BLOCK_SIZE, copy only nbytes
*/
if (nbytes) {
+ memset(buf, 0, AES_BLOCK_SIZE);
+ memcpy(buf, walk.src.virt.addr, nbytes);
while (1) {
if (cpacf_kmctr(ctx->fc, ¶m, buf,
- walk.src.virt.addr, AES_BLOCK_SIZE,
+ buf, AES_BLOCK_SIZE,
walk.iv) == AES_BLOCK_SIZE)
break;
if (__paes_convert_key(ctx))
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 019/476] media: imx355: Enable runtime PM before registering async sub-device
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 018/476] crypto: s390/aes - Fix buffer overread in CTR mode Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 020/476] rpmsg: virtio: Free driver_override when rpmsg_remove() Greg Kroah-Hartman
` (466 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bingbu Cao, Sakari Ailus, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bingbu Cao <bingbu.cao@intel.com>
commit efa5fe19c0a9199f49e36e1f5242ed5c88da617d upstream.
As the sensor device maybe accessible right after its async sub-device is
registered, such as ipu-bridge will try to power up sensor by sensor's
client device's runtime PM from the async notifier callback, if runtime PM
is not enabled, it will fail.
So runtime PM should be ready before its async sub-device is registered
and accessible by others.
Fixes: df0b5c4a7ddd ("media: add imx355 camera sensor driver")
Cc: stable@vger.kernel.org
Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx355.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/media/i2c/imx355.c
+++ b/drivers/media/i2c/imx355.c
@@ -1784,10 +1784,6 @@ static int imx355_probe(struct i2c_clien
goto error_handler_free;
}
- ret = v4l2_async_register_subdev_sensor(&imx355->sd);
- if (ret < 0)
- goto error_media_entity;
-
/*
* Device is already turned on by i2c-core with ACPI domain PM.
* Enable runtime PM and turn off the device.
@@ -1796,9 +1792,15 @@ static int imx355_probe(struct i2c_clien
pm_runtime_enable(&client->dev);
pm_runtime_idle(&client->dev);
+ ret = v4l2_async_register_subdev_sensor(&imx355->sd);
+ if (ret < 0)
+ goto error_media_entity_runtime_pm;
+
return 0;
-error_media_entity:
+error_media_entity_runtime_pm:
+ pm_runtime_disable(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
media_entity_cleanup(&imx355->sd.entity);
error_handler_free:
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 020/476] rpmsg: virtio: Free driver_override when rpmsg_remove()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 019/476] media: imx355: Enable runtime PM before registering async sub-device Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 021/476] media: ov9734: Enable runtime PM before registering async sub-device Greg Kroah-Hartman
` (465 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiaolei Wang, Mathieu Poirier
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
commit d5362c37e1f8a40096452fc201c30e705750e687 upstream.
Free driver_override when rpmsg_remove(), otherwise
the following memory leak will occur:
unreferenced object 0xffff0000d55d7080 (size 128):
comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s)
hex dump (first 32 bytes):
72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320
[<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70
[<00000000228a60c3>] kstrndup+0x4c/0x90
[<0000000077158695>] driver_set_override+0xd0/0x164
[<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170
[<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30
[<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec
[<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280
[<00000000443331cc>] really_probe+0xbc/0x2dc
[<00000000391064b1>] __driver_probe_device+0x78/0xe0
[<00000000a41c9a5b>] driver_probe_device+0xd8/0x160
[<000000009c3bd5df>] __device_attach_driver+0xb8/0x140
[<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4
[<000000003b929a36>] __device_attach+0x9c/0x19c
[<00000000a94e0ba8>] device_initial_probe+0x14/0x20
[<000000003c999637>] bus_probe_device+0xa0/0xac
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Fixes: b0b03b811963 ("rpmsg: Release rpmsg devices in backends")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20231215020049.78750-1-xiaolei.wang@windriver.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rpmsg/virtio_rpmsg_bus.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/rpmsg/virtio_rpmsg_bus.c
+++ b/drivers/rpmsg/virtio_rpmsg_bus.c
@@ -377,6 +377,7 @@ static void virtio_rpmsg_release_device(
struct rpmsg_device *rpdev = to_rpmsg_device(dev);
struct virtio_rpmsg_channel *vch = to_virtio_rpmsg_channel(rpdev);
+ kfree(rpdev->driver_override);
kfree(vch);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 021/476] media: ov9734: Enable runtime PM before registering async sub-device
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 020/476] rpmsg: virtio: Free driver_override when rpmsg_remove() Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 022/476] mips: Fix max_mapnr being uninitialized on early stages Greg Kroah-Hartman
` (464 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bingbu Cao, Sakari Ailus, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bingbu Cao <bingbu.cao@intel.com>
commit e242e9c144050ed120cf666642ba96b7c4462a4c upstream.
As the sensor device maybe accessible right after its async sub-device is
registered, such as ipu-bridge will try to power up sensor by sensor's
client device's runtime PM from the async notifier callback, if runtime PM
is not enabled, it will fail.
So runtime PM should be ready before its async sub-device is registered
and accessible by others.
Fixes: d3f863a63fe4 ("media: i2c: Add ov9734 image sensor driver")
Cc: stable@vger.kernel.org
Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov9734.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
--- a/drivers/media/i2c/ov9734.c
+++ b/drivers/media/i2c/ov9734.c
@@ -939,6 +939,7 @@ static int ov9734_remove(struct i2c_clie
media_entity_cleanup(&sd->entity);
v4l2_ctrl_handler_free(sd->ctrl_handler);
pm_runtime_disable(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
mutex_destroy(&ov9734->mutex);
return 0;
@@ -986,13 +987,6 @@ static int ov9734_probe(struct i2c_clien
goto probe_error_v4l2_ctrl_handler_free;
}
- ret = v4l2_async_register_subdev_sensor(&ov9734->sd);
- if (ret < 0) {
- dev_err(&client->dev, "failed to register V4L2 subdev: %d",
- ret);
- goto probe_error_media_entity_cleanup;
- }
-
/*
* Device is already turned on by i2c-core with ACPI domain PM.
* Enable runtime PM and turn off the device.
@@ -1001,9 +995,18 @@ static int ov9734_probe(struct i2c_clien
pm_runtime_enable(&client->dev);
pm_runtime_idle(&client->dev);
+ ret = v4l2_async_register_subdev_sensor(&ov9734->sd);
+ if (ret < 0) {
+ dev_err(&client->dev, "failed to register V4L2 subdev: %d",
+ ret);
+ goto probe_error_media_entity_cleanup_pm;
+ }
+
return 0;
-probe_error_media_entity_cleanup:
+probe_error_media_entity_cleanup_pm:
+ pm_runtime_disable(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
media_entity_cleanup(&ov9734->sd.entity);
probe_error_v4l2_ctrl_handler_free:
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 022/476] mips: Fix max_mapnr being uninitialized on early stages
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 021/476] media: ov9734: Enable runtime PM before registering async sub-device Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 023/476] bus: mhi: host: Drop chan lock before queuing buffers Greg Kroah-Hartman
` (463 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Serge Semin, Thomas Bogendoerfer
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Serge Semin <fancer.lancer@gmail.com>
commit e1a9ae45736989c972a8d1c151bc390678ae6205 upstream.
max_mapnr variable is utilized in the pfn_valid() method in order to
determine the upper PFN space boundary. Having it uninitialized
effectively makes any PFN passed to that method invalid. That in its turn
causes the kernel mm-subsystem occasion malfunctions even after the
max_mapnr variable is actually properly updated. For instance,
pfn_valid() is called in the init_unavailable_range() method in the
framework of the calls-chain on MIPS:
setup_arch()
+-> paging_init()
+-> free_area_init()
+-> memmap_init()
+-> memmap_init_zone_range()
+-> init_unavailable_range()
Since pfn_valid() always returns "false" value before max_mapnr is
initialized in the mem_init() method, any flatmem page-holes will be left
in the poisoned/uninitialized state including the IO-memory pages. Thus
any further attempts to map/remap the IO-memory by using MMU may fail.
In particular it happened in my case on attempt to map the SRAM region.
The kernel bootup procedure just crashed on the unhandled unaligned access
bug raised in the __update_cache() method:
> Unhandled kernel unaligned access[#1]:
> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc1-XXX-dirty #2056
> ...
> Call Trace:
> [<8011ef9c>] __update_cache+0x88/0x1bc
> [<80385944>] ioremap_page_range+0x110/0x2a4
> [<80126948>] ioremap_prot+0x17c/0x1f4
> [<80711b80>] __devm_ioremap+0x8c/0x120
> [<80711e0c>] __devm_ioremap_resource+0xf4/0x218
> [<808bf244>] sram_probe+0x4f4/0x930
> [<80889d20>] platform_probe+0x68/0xec
> ...
Let's fix the problem by initializing the max_mapnr variable as soon as
the required data is available. In particular it can be done right in the
paging_init() method before free_area_init() is called since all the PFN
zone boundaries have already been calculated by that time.
Cc: stable@vger.kernel.org
Signed-off-by: Serge Semin <fancer.lancer@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/mm/init.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/arch/mips/mm/init.c
+++ b/arch/mips/mm/init.c
@@ -417,7 +417,12 @@ void __init paging_init(void)
(highend_pfn - max_low_pfn) << (PAGE_SHIFT - 10));
max_zone_pfns[ZONE_HIGHMEM] = max_low_pfn;
}
+
+ max_mapnr = highend_pfn ? highend_pfn : max_low_pfn;
+#else
+ max_mapnr = max_low_pfn;
#endif
+ high_memory = (void *) __va(max_low_pfn << PAGE_SHIFT);
free_area_init(max_zone_pfns);
}
@@ -453,13 +458,6 @@ void __init mem_init(void)
*/
BUILD_BUG_ON(IS_ENABLED(CONFIG_32BIT) && (_PFN_SHIFT > PAGE_SHIFT));
-#ifdef CONFIG_HIGHMEM
- max_mapnr = highend_pfn ? highend_pfn : max_low_pfn;
-#else
- max_mapnr = max_low_pfn;
-#endif
- high_memory = (void *) __va(max_low_pfn << PAGE_SHIFT);
-
maar_init();
memblock_free_all();
setup_zero_pages(); /* Setup zeroed pages. */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 023/476] bus: mhi: host: Drop chan lock before queuing buffers
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 022/476] mips: Fix max_mapnr being uninitialized on early stages Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 024/476] bus: mhi: host: Add spinlock to protect WP access when queueing TREs Greg Kroah-Hartman
` (462 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qiang Yu, Jeffrey Hugo,
Manivannan Sadhasivam
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Yu <quic_qianyu@quicinc.com>
commit 01bd694ac2f682fb8017e16148b928482bc8fa4b upstream.
Ensure read and write locks for the channel are not taken in succession by
dropping the read lock from parse_xfer_event() such that a callback given
to client can potentially queue buffers and acquire the write lock in that
process. Any queueing of buffers should be done without channel read lock
acquired as it can result in multiple locks and a soft lockup.
Cc: <stable@vger.kernel.org> # 5.7
Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device")
Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Tested-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/1702276972-41296-3-git-send-email-quic_qianyu@quicinc.com
[mani: added fixes tag and cc'ed stable]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/main.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/bus/mhi/host/main.c
+++ b/drivers/bus/mhi/host/main.c
@@ -633,6 +633,8 @@ static int parse_xfer_event(struct mhi_c
mhi_del_ring_element(mhi_cntrl, tre_ring);
local_rp = tre_ring->rp;
+ read_unlock_bh(&mhi_chan->lock);
+
/* notify client */
mhi_chan->xfer_cb(mhi_chan->mhi_dev, &result);
@@ -658,6 +660,8 @@ static int parse_xfer_event(struct mhi_c
kfree(buf_info->cb_buf);
}
}
+
+ read_lock_bh(&mhi_chan->lock);
}
break;
} /* CC_EOT */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 024/476] bus: mhi: host: Add spinlock to protect WP access when queueing TREs
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 023/476] bus: mhi: host: Drop chan lock before queuing buffers Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 025/476] parisc/firmware: Fix F-extend for PDC addresses Greg Kroah-Hartman
` (461 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bhaumik Bhatt, Qiang Yu,
Jeffrey Hugo, Manivannan Sadhasivam
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bhaumik Bhatt <bbhatt@codeaurora.org>
commit b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9 upstream.
Protect WP accesses such that multiple threads queueing buffers for
incoming data do not race.
Meanwhile, if CONFIG_TRACE_IRQFLAGS is enabled, irq will be enabled once
__local_bh_enable_ip is called as part of write_unlock_bh. Hence, let's
take irqsave lock after TRE is generated to avoid running write_unlock_bh
when irqsave lock is held.
Cc: stable@vger.kernel.org
Fixes: 189ff97cca53 ("bus: mhi: core: Add support for data transfer")
Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Tested-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/1702276972-41296-2-git-send-email-quic_qianyu@quicinc.com
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/main.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
--- a/drivers/bus/mhi/host/main.c
+++ b/drivers/bus/mhi/host/main.c
@@ -1114,17 +1114,15 @@ static int mhi_queue(struct mhi_device *
if (unlikely(MHI_PM_IN_ERROR_STATE(mhi_cntrl->pm_state)))
return -EIO;
- read_lock_irqsave(&mhi_cntrl->pm_lock, flags);
-
ret = mhi_is_ring_full(mhi_cntrl, tre_ring);
- if (unlikely(ret)) {
- ret = -EAGAIN;
- goto exit_unlock;
- }
+ if (unlikely(ret))
+ return -EAGAIN;
ret = mhi_gen_tre(mhi_cntrl, mhi_chan, buf_info, mflags);
if (unlikely(ret))
- goto exit_unlock;
+ return ret;
+
+ read_lock_irqsave(&mhi_cntrl->pm_lock, flags);
/* Packet is queued, take a usage ref to exit M3 if necessary
* for host->device buffer, balanced put is done on buffer completion
@@ -1144,7 +1142,6 @@ static int mhi_queue(struct mhi_device *
if (dir == DMA_FROM_DEVICE)
mhi_cntrl->runtime_put(mhi_cntrl);
-exit_unlock:
read_unlock_irqrestore(&mhi_cntrl->pm_lock, flags);
return ret;
@@ -1196,6 +1193,9 @@ int mhi_gen_tre(struct mhi_controller *m
int eot, eob, chain, bei;
int ret;
+ /* Protect accesses for reading and incrementing WP */
+ write_lock_bh(&mhi_chan->lock);
+
buf_ring = &mhi_chan->buf_ring;
tre_ring = &mhi_chan->tre_ring;
@@ -1213,8 +1213,10 @@ int mhi_gen_tre(struct mhi_controller *m
if (!info->pre_mapped) {
ret = mhi_cntrl->map_single(mhi_cntrl, buf_info);
- if (ret)
+ if (ret) {
+ write_unlock_bh(&mhi_chan->lock);
return ret;
+ }
}
eob = !!(flags & MHI_EOB);
@@ -1231,6 +1233,8 @@ int mhi_gen_tre(struct mhi_controller *m
mhi_add_ring_element(mhi_cntrl, tre_ring);
mhi_add_ring_element(mhi_cntrl, buf_ring);
+ write_unlock_bh(&mhi_chan->lock);
+
return 0;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 025/476] parisc/firmware: Fix F-extend for PDC addresses
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 024/476] bus: mhi: host: Add spinlock to protect WP access when queueing TREs Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 026/476] async: Split async_schedule_node_domain() Greg Kroah-Hartman
` (460 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 735ae74f73e55c191d48689bd11ff4a06ea0508f upstream.
When running with narrow firmware (64-bit kernel using a 32-bit
firmware), extend PDC addresses into the 0xfffffff0.00000000
region instead of the 0xf0f0f0f0.00000000 region.
This fixes the power button on the C3700 machine in qemu (64-bit CPU
with 32-bit firmware), and my assumption is that the previous code was
really never used (because most 64-bit machines have a 64-bit firmware),
or it just worked on very old machines because they may only decode
40-bit of virtual addresses.
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/firmware.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/parisc/kernel/firmware.c
+++ b/arch/parisc/kernel/firmware.c
@@ -123,10 +123,10 @@ static unsigned long f_extend(unsigned l
#ifdef CONFIG_64BIT
if(unlikely(parisc_narrow_firmware)) {
if((address & 0xff000000) == 0xf0000000)
- return 0xf0f0f0f000000000UL | (u32)address;
+ return (0xfffffff0UL << 32) | (u32)address;
if((address & 0xf0000000) == 0xf0000000)
- return 0xffffffff00000000UL | (u32)address;
+ return (0xffffffffUL << 32) | (u32)address;
}
#endif
return address;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 026/476] async: Split async_schedule_node_domain()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 025/476] parisc/firmware: Fix F-extend for PDC addresses Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 027/476] async: Introduce async_schedule_dev_nocall() Greg Kroah-Hartman
` (459 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Stanislaw Gruszka, Youngmin Nam, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 6aa09a5bccd8e224d917afdb4c278fc66aacde4d upstream.
In preparation for subsequent changes, split async_schedule_node_domain()
in two pieces so as to allow the bottom part of it to be called from a
somewhat different code path.
No functional impact.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Tested-by: Youngmin Nam <youngmin.nam@samsung.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/async.c | 56 ++++++++++++++++++++++++++++++++++----------------------
1 file changed, 34 insertions(+), 22 deletions(-)
--- a/kernel/async.c
+++ b/kernel/async.c
@@ -145,6 +145,39 @@ static void async_run_entry_fn(struct wo
wake_up(&async_done);
}
+static async_cookie_t __async_schedule_node_domain(async_func_t func,
+ void *data, int node,
+ struct async_domain *domain,
+ struct async_entry *entry)
+{
+ async_cookie_t newcookie;
+ unsigned long flags;
+
+ INIT_LIST_HEAD(&entry->domain_list);
+ INIT_LIST_HEAD(&entry->global_list);
+ INIT_WORK(&entry->work, async_run_entry_fn);
+ entry->func = func;
+ entry->data = data;
+ entry->domain = domain;
+
+ spin_lock_irqsave(&async_lock, flags);
+
+ /* allocate cookie and queue */
+ newcookie = entry->cookie = next_cookie++;
+
+ list_add_tail(&entry->domain_list, &domain->pending);
+ if (domain->registered)
+ list_add_tail(&entry->global_list, &async_global_pending);
+
+ atomic_inc(&entry_count);
+ spin_unlock_irqrestore(&async_lock, flags);
+
+ /* schedule for execution */
+ queue_work_node(node, system_unbound_wq, &entry->work);
+
+ return newcookie;
+}
+
/**
* async_schedule_node_domain - NUMA specific version of async_schedule_domain
* @func: function to execute asynchronously
@@ -186,29 +219,8 @@ async_cookie_t async_schedule_node_domai
func(data, newcookie);
return newcookie;
}
- INIT_LIST_HEAD(&entry->domain_list);
- INIT_LIST_HEAD(&entry->global_list);
- INIT_WORK(&entry->work, async_run_entry_fn);
- entry->func = func;
- entry->data = data;
- entry->domain = domain;
-
- spin_lock_irqsave(&async_lock, flags);
- /* allocate cookie and queue */
- newcookie = entry->cookie = next_cookie++;
-
- list_add_tail(&entry->domain_list, &domain->pending);
- if (domain->registered)
- list_add_tail(&entry->global_list, &async_global_pending);
-
- atomic_inc(&entry_count);
- spin_unlock_irqrestore(&async_lock, flags);
-
- /* schedule for execution */
- queue_work_node(node, system_unbound_wq, &entry->work);
-
- return newcookie;
+ return __async_schedule_node_domain(func, data, node, domain, entry);
}
EXPORT_SYMBOL_GPL(async_schedule_node_domain);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 027/476] async: Introduce async_schedule_dev_nocall()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 026/476] async: Split async_schedule_node_domain() Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 028/476] arm64: dts: qcom: sc7180: fix USB wakeup interrupt types Greg Kroah-Hartman
` (458 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Youngmin Nam,
Ulf Hansson, Stanislaw Gruszka
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 7d4b5d7a37bdd63a5a3371b988744b060d5bb86f upstream.
In preparation for subsequent changes, introduce a specialized variant
of async_schedule_dev() that will not invoke the argument function
synchronously when it cannot be scheduled for asynchronous execution.
The new function, async_schedule_dev_nocall(), will be used for fixing
possible deadlocks in the system-wide power management core code.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com> for the series.
Tested-by: Youngmin Nam <youngmin.nam@samsung.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/async.h | 2 ++
kernel/async.c | 29 +++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
--- a/include/linux/async.h
+++ b/include/linux/async.h
@@ -90,6 +90,8 @@ async_schedule_dev(async_func_t func, st
return async_schedule_node(func, dev, dev_to_node(dev));
}
+bool async_schedule_dev_nocall(async_func_t func, struct device *dev);
+
/**
* async_schedule_dev_domain - A device specific version of async_schedule_domain
* @func: function to execute asynchronously
--- a/kernel/async.c
+++ b/kernel/async.c
@@ -244,6 +244,35 @@ async_cookie_t async_schedule_node(async
EXPORT_SYMBOL_GPL(async_schedule_node);
/**
+ * async_schedule_dev_nocall - A simplified variant of async_schedule_dev()
+ * @func: function to execute asynchronously
+ * @dev: device argument to be passed to function
+ *
+ * @dev is used as both the argument for the function and to provide NUMA
+ * context for where to run the function.
+ *
+ * If the asynchronous execution of @func is scheduled successfully, return
+ * true. Otherwise, do nothing and return false, unlike async_schedule_dev()
+ * that will run the function synchronously then.
+ */
+bool async_schedule_dev_nocall(async_func_t func, struct device *dev)
+{
+ struct async_entry *entry;
+
+ entry = kzalloc(sizeof(struct async_entry), GFP_KERNEL);
+
+ /* Give up if there is no memory or too much work. */
+ if (!entry || atomic_read(&entry_count) > MAX_WORK) {
+ kfree(entry);
+ return false;
+ }
+
+ __async_schedule_node_domain(func, dev, dev_to_node(dev),
+ &async_dfl_domain, entry);
+ return true;
+}
+
+/**
* async_synchronize_full - synchronize all asynchronous function calls
*
* This function waits until all asynchronous function calls have been done.
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 028/476] arm64: dts: qcom: sc7180: fix USB wakeup interrupt types
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 027/476] async: Introduce async_schedule_dev_nocall() Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 029/476] arm64: dts: qcom: sdm845: " Greg Kroah-Hartman
` (457 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Bjorn Andersson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 9b956999bf725fd62613f719c3178fdbee6e5f47 upstream.
The DP/DM wakeup interrupts are edge triggered and which edge to trigger
on depends on use-case and whether a Low speed or Full/High speed device
is connected.
Fixes: 0b766e7fe5a2 ("arm64: dts: qcom: sc7180: Add USB related nodes")
Cc: stable@vger.kernel.org # 5.10
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231120164331.8116-4-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/sc7180.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi
+++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi
@@ -2774,8 +2774,8 @@
interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
<&pdc 6 IRQ_TYPE_LEVEL_HIGH>,
- <&pdc 8 IRQ_TYPE_LEVEL_HIGH>,
- <&pdc 9 IRQ_TYPE_LEVEL_HIGH>;
+ <&pdc 8 IRQ_TYPE_EDGE_BOTH>,
+ <&pdc 9 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 029/476] arm64: dts: qcom: sdm845: fix USB wakeup interrupt types
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 028/476] arm64: dts: qcom: sc7180: fix USB wakeup interrupt types Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 030/476] arm64: dts: qcom: sm8150: " Greg Kroah-Hartman
` (456 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Bjorn Andersson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 84ad9ac8d9ca29033d589e79a991866b38e23b85 upstream.
The DP/DM wakeup interrupts are edge triggered and which edge to trigger
on depends on use-case and whether a Low speed or Full/High speed device
is connected.
Fixes: ca4db2b538a1 ("arm64: dts: qcom: sdm845: Add USB-related nodes")
Cc: stable@vger.kernel.org # 4.20
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231120164331.8116-9-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/sdm845.dtsi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
@@ -3769,8 +3769,8 @@
interrupts = <GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
<GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 488 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 489 IRQ_TYPE_LEVEL_HIGH>;
+ <GIC_SPI 488 IRQ_TYPE_EDGE_BOTH>,
+ <GIC_SPI 489 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
@@ -3817,8 +3817,8 @@
interrupts = <GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>,
<GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 490 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 491 IRQ_TYPE_LEVEL_HIGH>;
+ <GIC_SPI 490 IRQ_TYPE_EDGE_BOTH>,
+ <GIC_SPI 491 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 030/476] arm64: dts: qcom: sm8150: fix USB wakeup interrupt types
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 029/476] arm64: dts: qcom: sdm845: " Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 031/476] arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts Greg Kroah-Hartman
` (455 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Marek, Jack Pham,
Johan Hovold, Bjorn Andersson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 54524b6987d1fffe64cbf3dded1b2fa6b903edf9 upstream.
The DP/DM wakeup interrupts are edge triggered and which edge to trigger
on depends on use-case and whether a Low speed or Full/High speed device
is connected.
Fixes: 0c9dde0d2015 ("arm64: dts: qcom: sm8150: Add secondary USB and PHY nodes")
Fixes: b33d2868e8d3 ("arm64: dts: qcom: sm8150: Add USB and PHY device nodes")
Cc: stable@vger.kernel.org # 5.10
Cc: Jonathan Marek <jonathan@marek.ca>
Cc: Jack Pham <quic_jackp@quicinc.com>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Jack Pham <quic_jackp@quicinc.com>
Link: https://lore.kernel.org/r/20231120164331.8116-11-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/sm8150.dtsi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/arm64/boot/dts/qcom/sm8150.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8150.dtsi
@@ -3094,8 +3094,8 @@
interrupts = <GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
<GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 488 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 489 IRQ_TYPE_LEVEL_HIGH>;
+ <GIC_SPI 488 IRQ_TYPE_EDGE_BOTH>,
+ <GIC_SPI 489 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
@@ -3139,8 +3139,8 @@
interrupts = <GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>,
<GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 490 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 491 IRQ_TYPE_LEVEL_HIGH>;
+ <GIC_SPI 490 IRQ_TYPE_EDGE_BOTH>,
+ <GIC_SPI 491 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 031/476] arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 030/476] arm64: dts: qcom: sm8150: " Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 032/476] lsm: new security_file_ioctl_compat() hook Greg Kroah-Hartman
` (454 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Konrad Dybcio,
Bjorn Andersson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 204f9ed4bad6293933179517624143b8f412347c upstream.
The USB DP/DM HS PHY interrupts need to be provided by the PDC interrupt
controller in order to be able to wake the system up from low-power
states and to be able to detect disconnect events, which requires
triggering on falling edges.
A recent commit updated the trigger type but failed to change the
interrupt provider as required. This leads to the current Linux driver
failing to probe instead of printing an error during suspend and USB
wakeup not working as intended.
Fixes: 84ad9ac8d9ca ("arm64: dts: qcom: sdm845: fix USB wakeup interrupt types")
Fixes: ca4db2b538a1 ("arm64: dts: qcom: sdm845: Add USB-related nodes")
Cc: stable@vger.kernel.org # 4.20
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Link: https://lore.kernel.org/r/20231213173403.29544-3-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/sdm845.dtsi | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
@@ -3767,10 +3767,10 @@
<&gcc GCC_USB30_PRIM_MASTER_CLK>;
assigned-clock-rates = <19200000>, <150000000>;
- interrupts = <GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 488 IRQ_TYPE_EDGE_BOTH>,
- <GIC_SPI 489 IRQ_TYPE_EDGE_BOTH>;
+ interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>,
+ <&pdc_intc 8 IRQ_TYPE_EDGE_BOTH>,
+ <&pdc_intc 9 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
@@ -3815,10 +3815,10 @@
<&gcc GCC_USB30_SEC_MASTER_CLK>;
assigned-clock-rates = <19200000>, <150000000>;
- interrupts = <GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 490 IRQ_TYPE_EDGE_BOTH>,
- <GIC_SPI 491 IRQ_TYPE_EDGE_BOTH>;
+ interrupts-extended = <&intc GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>,
+ <&pdc_intc 10 IRQ_TYPE_EDGE_BOTH>,
+ <&pdc_intc 11 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 032/476] lsm: new security_file_ioctl_compat() hook
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 031/476] arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 033/476] scripts/get_abi: fix source path leak Greg Kroah-Hartman
` (453 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alfred Piccioni, Stephen Smalley,
Paul Moore
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alfred Piccioni <alpic@google.com>
commit f1bb47a31dff6d4b34fb14e99850860ee74bb003 upstream.
Some ioctl commands do not require ioctl permission, but are routed to
other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is
done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*).
However, if a 32-bit process is running on a 64-bit kernel, it emits
32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are
being checked erroneously, which leads to these ioctl operations being
routed to the ioctl permission, rather than the correct file
permissions.
This was also noted in a RED-PEN finding from a while back -
"/* RED-PEN how should LSM module know it's handling 32bit? */".
This patch introduces a new hook, security_file_ioctl_compat(), that is
called from the compat ioctl syscall. All current LSMs have been changed
to support this hook.
Reviewing the three places where we are currently using
security_file_ioctl(), it appears that only SELinux needs a dedicated
compat change; TOMOYO and SMACK appear to be functional without any
change.
Cc: stable@vger.kernel.org
Fixes: 0b24dcb7f2f7 ("Revert "selinux: simplify ioctl checking"")
Signed-off-by: Alfred Piccioni <alpic@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: subject tweak, line length fixes, and alignment corrections]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ioctl.c | 3 +--
include/linux/lsm_hook_defs.h | 2 ++
include/linux/security.h | 9 +++++++++
security/security.c | 18 ++++++++++++++++++
security/selinux/hooks.c | 28 ++++++++++++++++++++++++++++
security/smack/smack_lsm.c | 1 +
security/tomoyo/tomoyo.c | 1 +
7 files changed, 60 insertions(+), 2 deletions(-)
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -920,8 +920,7 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned i
if (!f.file)
return -EBADF;
- /* RED-PEN how should LSM module know it's handling 32bit? */
- error = security_file_ioctl(f.file, cmd, arg);
+ error = security_file_ioctl_compat(f.file, cmd, arg);
if (error)
goto out;
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -165,6 +165,8 @@ LSM_HOOK(int, 0, file_alloc_security, st
LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file)
LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
unsigned long arg)
+LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cmd,
+ unsigned long arg)
LSM_HOOK(int, 0, mmap_addr, unsigned long addr)
LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -382,6 +382,8 @@ int security_file_permission(struct file
int security_file_alloc(struct file *file);
void security_file_free(struct file *file);
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+int security_file_ioctl_compat(struct file *file, unsigned int cmd,
+ unsigned long arg);
int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags);
int security_mmap_addr(unsigned long addr);
@@ -962,6 +964,13 @@ static inline int security_file_ioctl(st
{
return 0;
}
+
+static inline int security_file_ioctl_compat(struct file *file,
+ unsigned int cmd,
+ unsigned long arg)
+{
+ return 0;
+}
static inline int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags)
--- a/security/security.c
+++ b/security/security.c
@@ -1556,6 +1556,24 @@ int security_file_ioctl(struct file *fil
}
EXPORT_SYMBOL_GPL(security_file_ioctl);
+/**
+ * security_file_ioctl_compat() - Check if an ioctl is allowed in compat mode
+ * @file: associated file
+ * @cmd: ioctl cmd
+ * @arg: ioctl arguments
+ *
+ * Compat version of security_file_ioctl() that correctly handles 32-bit
+ * processes running on 64-bit kernels.
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_file_ioctl_compat(struct file *file, unsigned int cmd,
+ unsigned long arg)
+{
+ return call_int_hook(file_ioctl_compat, 0, file, cmd, arg);
+}
+EXPORT_SYMBOL_GPL(security_file_ioctl_compat);
+
static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
{
/*
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3810,6 +3810,33 @@ static int selinux_file_ioctl(struct fil
return error;
}
+static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
+ unsigned long arg)
+{
+ /*
+ * If we are in a 64-bit kernel running 32-bit userspace, we need to
+ * make sure we don't compare 32-bit flags to 64-bit flags.
+ */
+ switch (cmd) {
+ case FS_IOC32_GETFLAGS:
+ cmd = FS_IOC_GETFLAGS;
+ break;
+ case FS_IOC32_SETFLAGS:
+ cmd = FS_IOC_SETFLAGS;
+ break;
+ case FS_IOC32_GETVERSION:
+ cmd = FS_IOC_GETVERSION;
+ break;
+ case FS_IOC32_SETVERSION:
+ cmd = FS_IOC_SETVERSION;
+ break;
+ default:
+ break;
+ }
+
+ return selinux_file_ioctl(file, cmd, arg);
+}
+
static int default_noexec __ro_after_init;
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
@@ -7208,6 +7235,7 @@ static struct security_hook_list selinux
LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
+ LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4767,6 +4767,7 @@ static struct security_hook_list smack_h
LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
+ LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl),
LSM_HOOK_INIT(file_lock, smack_file_lock),
LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
LSM_HOOK_INIT(mmap_file, smack_mmap_file),
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -546,6 +546,7 @@ static struct security_hook_list tomoyo_
LSM_HOOK_INIT(path_rename, tomoyo_path_rename),
LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr),
LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl),
+ LSM_HOOK_INIT(file_ioctl_compat, tomoyo_file_ioctl),
LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod),
LSM_HOOK_INIT(path_chown, tomoyo_path_chown),
LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot),
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 033/476] scripts/get_abi: fix source path leak
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 032/476] lsm: new security_file_ioctl_compat() hook Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 034/476] mmc: core: Use mrq.sbc in close-ended ffu Greg Kroah-Hartman
` (452 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jani Nikula, Vegard Nossum, Jonathan Corbet
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 5889d6ede53bc17252f79c142387e007224aa554 upstream.
The code currently leaks the absolute path of the ABI files into the
rendered documentation.
There exists code to prevent this, but it is not effective when an
absolute path is passed, which it is when $srctree is used.
I consider this to be a minimal, stop-gap fix; a better fix would strip
off the actual prefix instead of hacking it off with a regex.
Link: https://mastodon.social/@vegard/111677490643495163
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Link: https://lore.kernel.org/r/20231231235959.3342928-1-vegard.nossum@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/get_abi.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/scripts/get_abi.pl
+++ b/scripts/get_abi.pl
@@ -75,7 +75,7 @@ sub parse_abi {
$name =~ s,.*/,,;
my $fn = $file;
- $fn =~ s,Documentation/ABI/,,;
+ $fn =~ s,.*Documentation/ABI/,,;
my $nametag = "File $fn";
$data{$nametag}->{what} = "File $name";
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 034/476] mmc: core: Use mrq.sbc in close-ended ffu
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 033/476] scripts/get_abi: fix source path leak Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 035/476] mmc: mmc_spi: remove custom DMA mapped buffers Greg Kroah-Hartman
` (451 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avri Altman, Adrian Hunter, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Avri Altman <avri.altman@wdc.com>
commit 4d0c8d0aef6355660b6775d57ccd5d4ea2e15802 upstream.
Field Firmware Update (ffu) may use close-ended or open ended sequence.
Each such sequence is comprised of a write commands enclosed between 2
switch commands - to and from ffu mode. So for the close-ended case, it
will be: cmd6->cmd23-cmd25-cmd6.
Some host controllers however, get confused when multi-block rw is sent
without sbc, and may generate auto-cmd12 which breaks the ffu sequence.
I encountered this issue while testing fwupd (github.com/fwupd/fwupd)
on HP Chromebook x2, a qualcomm based QC-7c, code name - strongbad.
Instead of a quirk, or hooking the request function of the msm ops,
it would be better to fix the ioctl handling and make it use mrq.sbc
instead of issuing SET_BLOCK_COUNT separately.
Signed-off-by: Avri Altman <avri.altman@wdc.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20231129092535.3278-1-avri.altman@wdc.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/block.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 43 insertions(+), 3 deletions(-)
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -399,6 +399,10 @@ struct mmc_blk_ioc_data {
struct mmc_ioc_cmd ic;
unsigned char *buf;
u64 buf_bytes;
+ unsigned int flags;
+#define MMC_BLK_IOC_DROP BIT(0) /* drop this mrq */
+#define MMC_BLK_IOC_SBC BIT(1) /* use mrq.sbc */
+
struct mmc_rpmb_data *rpmb;
};
@@ -464,7 +468,7 @@ static int mmc_blk_ioctl_copy_to_user(st
}
static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md,
- struct mmc_blk_ioc_data *idata)
+ struct mmc_blk_ioc_data **idatas, int i)
{
struct mmc_command cmd = {}, sbc = {};
struct mmc_data data = {};
@@ -472,10 +476,18 @@ static int __mmc_blk_ioctl_cmd(struct mm
struct scatterlist sg;
int err;
unsigned int target_part;
+ struct mmc_blk_ioc_data *idata = idatas[i];
+ struct mmc_blk_ioc_data *prev_idata = NULL;
if (!card || !md || !idata)
return -EINVAL;
+ if (idata->flags & MMC_BLK_IOC_DROP)
+ return 0;
+
+ if (idata->flags & MMC_BLK_IOC_SBC)
+ prev_idata = idatas[i - 1];
+
/*
* The RPMB accesses comes in from the character device, so we
* need to target these explicitly. Else we just target the
@@ -542,7 +554,7 @@ static int __mmc_blk_ioctl_cmd(struct mm
return err;
}
- if (idata->rpmb) {
+ if (idata->rpmb || prev_idata) {
sbc.opcode = MMC_SET_BLOCK_COUNT;
/*
* We don't do any blockcount validation because the max size
@@ -550,6 +562,8 @@ static int __mmc_blk_ioctl_cmd(struct mm
* 'Reliable Write' bit here.
*/
sbc.arg = data.blocks | (idata->ic.write_flag & BIT(31));
+ if (prev_idata)
+ sbc.arg = prev_idata->ic.arg;
sbc.flags = MMC_RSP_R1 | MMC_CMD_AC;
mrq.sbc = &sbc;
}
@@ -561,6 +575,15 @@ static int __mmc_blk_ioctl_cmd(struct mm
mmc_wait_for_req(card->host, &mrq);
memcpy(&idata->ic.response, cmd.resp, sizeof(cmd.resp));
+ if (prev_idata) {
+ memcpy(&prev_idata->ic.response, sbc.resp, sizeof(sbc.resp));
+ if (sbc.error) {
+ dev_err(mmc_dev(card->host), "%s: sbc error %d\n",
+ __func__, sbc.error);
+ return sbc.error;
+ }
+ }
+
if (cmd.error) {
dev_err(mmc_dev(card->host), "%s: cmd error %d\n",
__func__, cmd.error);
@@ -1030,6 +1053,20 @@ static inline void mmc_blk_reset_success
md->reset_done &= ~type;
}
+static void mmc_blk_check_sbc(struct mmc_queue_req *mq_rq)
+{
+ struct mmc_blk_ioc_data **idata = mq_rq->drv_op_data;
+ int i;
+
+ for (i = 1; i < mq_rq->ioc_count; i++) {
+ if (idata[i - 1]->ic.opcode == MMC_SET_BLOCK_COUNT &&
+ mmc_op_multi(idata[i]->ic.opcode)) {
+ idata[i - 1]->flags |= MMC_BLK_IOC_DROP;
+ idata[i]->flags |= MMC_BLK_IOC_SBC;
+ }
+ }
+}
+
/*
* The non-block commands come back from the block layer after it queued it and
* processed it with all other requests and then they get issued in this
@@ -1057,11 +1094,14 @@ static void mmc_blk_issue_drv_op(struct
if (ret)
break;
}
+
+ mmc_blk_check_sbc(mq_rq);
+
fallthrough;
case MMC_DRV_OP_IOCTL_RPMB:
idata = mq_rq->drv_op_data;
for (i = 0, ret = 0; i < mq_rq->ioc_count; i++) {
- ret = __mmc_blk_ioctl_cmd(card, md, idata[i]);
+ ret = __mmc_blk_ioctl_cmd(card, md, idata, i);
if (ret)
break;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 035/476] mmc: mmc_spi: remove custom DMA mapped buffers
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 034/476] mmc: core: Use mrq.sbc in close-ended ffu Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 036/476] rtc: Adjust failure return code for cmos_set_alarm() Greg Kroah-Hartman
` (450 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 84a6be7db9050dd2601c9870f65eab9a665d2d5d upstream.
There is no need to duplicate what SPI core or individual controller
drivers already do, i.e. mapping the buffers for DMA capable transfers.
Note, that the code, besides its redundancy, was buggy: strictly speaking
there is no guarantee, while it's true for those which can use this code
(see below), that the SPI host controller _is_ the device which does DMA.
Also see the Link tags below.
Additional notes. Currently only two SPI host controller drivers may use
premapped (by the user) DMA buffers:
- drivers/spi/spi-au1550.c
- drivers/spi/spi-fsl-spi.c
Both of them have DMA mapping support code. I don't expect that SPI host
controller code is worse than what has been done in mmc_spi. Hence I do
not expect any regressions here. Otherwise, I'm pretty much sure these
regressions have to be fixed in the respective drivers, and not here.
That said, remove all related pieces of DMA mapping code from mmc_spi.
Link: https://lore.kernel.org/linux-mmc/c73b9ba9-1699-2aff-e2fd-b4b4f292a3ca@raspberrypi.org/
Link: https://stackoverflow.com/questions/67620728/mmc-spi-issue-not-able-to-setup-mmc-sd-card-in-linux
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20231207221901.3259962-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mmc_spi.c | 186 +--------------------------------------------
1 file changed, 5 insertions(+), 181 deletions(-)
--- a/drivers/mmc/host/mmc_spi.c
+++ b/drivers/mmc/host/mmc_spi.c
@@ -15,7 +15,7 @@
#include <linux/slab.h>
#include <linux/module.h>
#include <linux/bio.h>
-#include <linux/dma-mapping.h>
+#include <linux/dma-direction.h>
#include <linux/crc7.h>
#include <linux/crc-itu-t.h>
#include <linux/scatterlist.h>
@@ -119,19 +119,14 @@ struct mmc_spi_host {
struct spi_transfer status;
struct spi_message readback;
- /* underlying DMA-aware controller, or null */
- struct device *dma_dev;
-
/* buffer used for commands and for message "overhead" */
struct scratch *data;
- dma_addr_t data_dma;
/* Specs say to write ones most of the time, even when the card
* has no need to read its input data; and many cards won't care.
* This is our source of those ones.
*/
void *ones;
- dma_addr_t ones_dma;
};
@@ -147,11 +142,8 @@ static inline int mmc_cs_off(struct mmc_
return spi_setup(host->spi);
}
-static int
-mmc_spi_readbytes(struct mmc_spi_host *host, unsigned len)
+static int mmc_spi_readbytes(struct mmc_spi_host *host, unsigned int len)
{
- int status;
-
if (len > sizeof(*host->data)) {
WARN_ON(1);
return -EIO;
@@ -159,19 +151,7 @@ mmc_spi_readbytes(struct mmc_spi_host *h
host->status.len = len;
- if (host->dma_dev)
- dma_sync_single_for_device(host->dma_dev,
- host->data_dma, sizeof(*host->data),
- DMA_FROM_DEVICE);
-
- status = spi_sync_locked(host->spi, &host->readback);
-
- if (host->dma_dev)
- dma_sync_single_for_cpu(host->dma_dev,
- host->data_dma, sizeof(*host->data),
- DMA_FROM_DEVICE);
-
- return status;
+ return spi_sync_locked(host->spi, &host->readback);
}
static int mmc_spi_skip(struct mmc_spi_host *host, unsigned long timeout,
@@ -506,23 +486,11 @@ mmc_spi_command_send(struct mmc_spi_host
t = &host->t;
memset(t, 0, sizeof(*t));
t->tx_buf = t->rx_buf = data->status;
- t->tx_dma = t->rx_dma = host->data_dma;
t->len = cp - data->status;
t->cs_change = 1;
spi_message_add_tail(t, &host->m);
- if (host->dma_dev) {
- host->m.is_dma_mapped = 1;
- dma_sync_single_for_device(host->dma_dev,
- host->data_dma, sizeof(*host->data),
- DMA_BIDIRECTIONAL);
- }
status = spi_sync_locked(host->spi, &host->m);
-
- if (host->dma_dev)
- dma_sync_single_for_cpu(host->dma_dev,
- host->data_dma, sizeof(*host->data),
- DMA_BIDIRECTIONAL);
if (status < 0) {
dev_dbg(&host->spi->dev, " ... write returned %d\n", status);
cmd->error = status;
@@ -540,9 +508,6 @@ mmc_spi_command_send(struct mmc_spi_host
* We always provide TX data for data and CRC. The MMC/SD protocol
* requires us to write ones; but Linux defaults to writing zeroes;
* so we explicitly initialize it to all ones on RX paths.
- *
- * We also handle DMA mapping, so the underlying SPI controller does
- * not need to (re)do it for each message.
*/
static void
mmc_spi_setup_data_message(
@@ -552,11 +517,8 @@ mmc_spi_setup_data_message(
{
struct spi_transfer *t;
struct scratch *scratch = host->data;
- dma_addr_t dma = host->data_dma;
spi_message_init(&host->m);
- if (dma)
- host->m.is_dma_mapped = 1;
/* for reads, readblock() skips 0xff bytes before finding
* the token; for writes, this transfer issues that token.
@@ -570,8 +532,6 @@ mmc_spi_setup_data_message(
else
scratch->data_token = SPI_TOKEN_SINGLE;
t->tx_buf = &scratch->data_token;
- if (dma)
- t->tx_dma = dma + offsetof(struct scratch, data_token);
spi_message_add_tail(t, &host->m);
}
@@ -581,7 +541,6 @@ mmc_spi_setup_data_message(
t = &host->t;
memset(t, 0, sizeof(*t));
t->tx_buf = host->ones;
- t->tx_dma = host->ones_dma;
/* length and actual buffer info are written later */
spi_message_add_tail(t, &host->m);
@@ -591,14 +550,9 @@ mmc_spi_setup_data_message(
if (direction == DMA_TO_DEVICE) {
/* the actual CRC may get written later */
t->tx_buf = &scratch->crc_val;
- if (dma)
- t->tx_dma = dma + offsetof(struct scratch, crc_val);
} else {
t->tx_buf = host->ones;
- t->tx_dma = host->ones_dma;
t->rx_buf = &scratch->crc_val;
- if (dma)
- t->rx_dma = dma + offsetof(struct scratch, crc_val);
}
spi_message_add_tail(t, &host->m);
@@ -621,10 +575,7 @@ mmc_spi_setup_data_message(
memset(t, 0, sizeof(*t));
t->len = (direction == DMA_TO_DEVICE) ? sizeof(scratch->status) : 1;
t->tx_buf = host->ones;
- t->tx_dma = host->ones_dma;
t->rx_buf = scratch->status;
- if (dma)
- t->rx_dma = dma + offsetof(struct scratch, status);
t->cs_change = 1;
spi_message_add_tail(t, &host->m);
}
@@ -653,23 +604,13 @@ mmc_spi_writeblock(struct mmc_spi_host *
if (host->mmc->use_spi_crc)
scratch->crc_val = cpu_to_be16(crc_itu_t(0, t->tx_buf, t->len));
- if (host->dma_dev)
- dma_sync_single_for_device(host->dma_dev,
- host->data_dma, sizeof(*scratch),
- DMA_BIDIRECTIONAL);
status = spi_sync_locked(spi, &host->m);
-
if (status != 0) {
dev_dbg(&spi->dev, "write error (%d)\n", status);
return status;
}
- if (host->dma_dev)
- dma_sync_single_for_cpu(host->dma_dev,
- host->data_dma, sizeof(*scratch),
- DMA_BIDIRECTIONAL);
-
/*
* Get the transmission data-response reply. It must follow
* immediately after the data block we transferred. This reply
@@ -718,8 +659,6 @@ mmc_spi_writeblock(struct mmc_spi_host *
}
t->tx_buf += t->len;
- if (host->dma_dev)
- t->tx_dma += t->len;
/* Return when not busy. If we didn't collect that status yet,
* we'll need some more I/O.
@@ -783,30 +722,12 @@ mmc_spi_readblock(struct mmc_spi_host *h
}
leftover = status << 1;
- if (host->dma_dev) {
- dma_sync_single_for_device(host->dma_dev,
- host->data_dma, sizeof(*scratch),
- DMA_BIDIRECTIONAL);
- dma_sync_single_for_device(host->dma_dev,
- t->rx_dma, t->len,
- DMA_FROM_DEVICE);
- }
-
status = spi_sync_locked(spi, &host->m);
if (status < 0) {
dev_dbg(&spi->dev, "read error %d\n", status);
return status;
}
- if (host->dma_dev) {
- dma_sync_single_for_cpu(host->dma_dev,
- host->data_dma, sizeof(*scratch),
- DMA_BIDIRECTIONAL);
- dma_sync_single_for_cpu(host->dma_dev,
- t->rx_dma, t->len,
- DMA_FROM_DEVICE);
- }
-
if (bitshift) {
/* Walk through the data and the crc and do
* all the magic to get byte-aligned data.
@@ -841,8 +762,6 @@ mmc_spi_readblock(struct mmc_spi_host *h
}
t->rx_buf += t->len;
- if (host->dma_dev)
- t->rx_dma += t->len;
return 0;
}
@@ -857,7 +776,6 @@ mmc_spi_data_do(struct mmc_spi_host *hos
struct mmc_data *data, u32 blk_size)
{
struct spi_device *spi = host->spi;
- struct device *dma_dev = host->dma_dev;
struct spi_transfer *t;
enum dma_data_direction direction;
struct scatterlist *sg;
@@ -884,31 +802,8 @@ mmc_spi_data_do(struct mmc_spi_host *hos
*/
for_each_sg(data->sg, sg, data->sg_len, n_sg) {
int status = 0;
- dma_addr_t dma_addr = 0;
void *kmap_addr;
unsigned length = sg->length;
- enum dma_data_direction dir = direction;
-
- /* set up dma mapping for controller drivers that might
- * use DMA ... though they may fall back to PIO
- */
- if (dma_dev) {
- /* never invalidate whole *shared* pages ... */
- if ((sg->offset != 0 || length != PAGE_SIZE)
- && dir == DMA_FROM_DEVICE)
- dir = DMA_BIDIRECTIONAL;
-
- dma_addr = dma_map_page(dma_dev, sg_page(sg), 0,
- PAGE_SIZE, dir);
- if (dma_mapping_error(dma_dev, dma_addr)) {
- data->error = -EFAULT;
- break;
- }
- if (direction == DMA_TO_DEVICE)
- t->tx_dma = dma_addr + sg->offset;
- else
- t->rx_dma = dma_addr + sg->offset;
- }
/* allow pio too; we don't allow highmem */
kmap_addr = kmap(sg_page(sg));
@@ -943,8 +838,6 @@ mmc_spi_data_do(struct mmc_spi_host *hos
if (direction == DMA_FROM_DEVICE)
flush_dcache_page(sg_page(sg));
kunmap(sg_page(sg));
- if (dma_dev)
- dma_unmap_page(dma_dev, dma_addr, PAGE_SIZE, dir);
if (status < 0) {
data->error = status;
@@ -981,21 +874,9 @@ mmc_spi_data_do(struct mmc_spi_host *hos
scratch->status[0] = SPI_TOKEN_STOP_TRAN;
host->early_status.tx_buf = host->early_status.rx_buf;
- host->early_status.tx_dma = host->early_status.rx_dma;
host->early_status.len = statlen;
- if (host->dma_dev)
- dma_sync_single_for_device(host->dma_dev,
- host->data_dma, sizeof(*scratch),
- DMA_BIDIRECTIONAL);
-
tmp = spi_sync_locked(spi, &host->m);
-
- if (host->dma_dev)
- dma_sync_single_for_cpu(host->dma_dev,
- host->data_dma, sizeof(*scratch),
- DMA_BIDIRECTIONAL);
-
if (tmp < 0) {
if (!data->error)
data->error = tmp;
@@ -1269,52 +1150,6 @@ mmc_spi_detect_irq(int irq, void *mmc)
return IRQ_HANDLED;
}
-#ifdef CONFIG_HAS_DMA
-static int mmc_spi_dma_alloc(struct mmc_spi_host *host)
-{
- struct spi_device *spi = host->spi;
- struct device *dev;
-
- if (!spi->master->dev.parent->dma_mask)
- return 0;
-
- dev = spi->master->dev.parent;
-
- host->ones_dma = dma_map_single(dev, host->ones, MMC_SPI_BLOCKSIZE,
- DMA_TO_DEVICE);
- if (dma_mapping_error(dev, host->ones_dma))
- return -ENOMEM;
-
- host->data_dma = dma_map_single(dev, host->data, sizeof(*host->data),
- DMA_BIDIRECTIONAL);
- if (dma_mapping_error(dev, host->data_dma)) {
- dma_unmap_single(dev, host->ones_dma, MMC_SPI_BLOCKSIZE,
- DMA_TO_DEVICE);
- return -ENOMEM;
- }
-
- dma_sync_single_for_cpu(dev, host->data_dma, sizeof(*host->data),
- DMA_BIDIRECTIONAL);
-
- host->dma_dev = dev;
- return 0;
-}
-
-static void mmc_spi_dma_free(struct mmc_spi_host *host)
-{
- if (!host->dma_dev)
- return;
-
- dma_unmap_single(host->dma_dev, host->ones_dma, MMC_SPI_BLOCKSIZE,
- DMA_TO_DEVICE);
- dma_unmap_single(host->dma_dev, host->data_dma, sizeof(*host->data),
- DMA_BIDIRECTIONAL);
-}
-#else
-static inline int mmc_spi_dma_alloc(struct mmc_spi_host *host) { return 0; }
-static inline void mmc_spi_dma_free(struct mmc_spi_host *host) {}
-#endif
-
static int mmc_spi_probe(struct spi_device *spi)
{
void *ones;
@@ -1406,24 +1241,17 @@ static int mmc_spi_probe(struct spi_devi
host->powerup_msecs = 250;
}
- /* preallocate dma buffers */
+ /* Preallocate buffers */
host->data = kmalloc(sizeof(*host->data), GFP_KERNEL);
if (!host->data)
goto fail_nobuf1;
- status = mmc_spi_dma_alloc(host);
- if (status)
- goto fail_dma;
-
/* setup message for status/busy readback */
spi_message_init(&host->readback);
- host->readback.is_dma_mapped = (host->dma_dev != NULL);
spi_message_add_tail(&host->status, &host->readback);
host->status.tx_buf = host->ones;
- host->status.tx_dma = host->ones_dma;
host->status.rx_buf = &host->data->status;
- host->status.rx_dma = host->data_dma + offsetof(struct scratch, status);
host->status.cs_change = 1;
/* register card detect irq */
@@ -1468,9 +1296,8 @@ static int mmc_spi_probe(struct spi_devi
if (!status)
has_ro = true;
- dev_info(&spi->dev, "SD/MMC host %s%s%s%s%s\n",
+ dev_info(&spi->dev, "SD/MMC host %s%s%s%s\n",
dev_name(&mmc->class_dev),
- host->dma_dev ? "" : ", no DMA",
has_ro ? "" : ", no WP",
(host->pdata && host->pdata->setpower)
? "" : ", no poweroff",
@@ -1481,8 +1308,6 @@ static int mmc_spi_probe(struct spi_devi
fail_gpiod_request:
mmc_remove_host(mmc);
fail_glue_init:
- mmc_spi_dma_free(host);
-fail_dma:
kfree(host->data);
fail_nobuf1:
mmc_spi_put_pdata(spi);
@@ -1504,7 +1329,6 @@ static int mmc_spi_remove(struct spi_dev
mmc_remove_host(mmc);
- mmc_spi_dma_free(host);
kfree(host->data);
kfree(host->ones);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 036/476] rtc: Adjust failure return code for cmos_set_alarm()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 035/476] mmc: mmc_spi: remove custom DMA mapped buffers Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 037/476] nouveau/vmm: dont set addr on the fail path to avoid warning Greg Kroah-Hartman
` (449 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mateusz Jończyk,
Mario Limonciello, Alexandre Belloni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 1311a8f0d4b23f58bbababa13623aa40b8ad4e0c upstream.
When mc146818_avoid_UIP() fails to return a valid value, this is because
UIP didn't clear in the timeout period. Adjust the return code in this
case to -ETIMEDOUT.
Tested-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
Reviewed-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
Acked-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
Cc: <stable@vger.kernel.org>
Fixes: cdedc45c579f ("rtc: cmos: avoid UIP when reading alarm time")
Fixes: cd17420ebea5 ("rtc: cmos: avoid UIP when writing alarm time")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://lore.kernel.org/r/20231128053653.101798-3-mario.limonciello@amd.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/rtc-cmos.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -292,7 +292,7 @@ static int cmos_read_alarm(struct device
/* This not only a rtc_op, but also called directly */
if (!is_valid_irq(cmos->irq))
- return -EIO;
+ return -ETIMEDOUT;
/* Basic alarms only support hour, minute, and seconds fields.
* Some also support day and month, for alarms up to a year in
@@ -557,7 +557,7 @@ static int cmos_set_alarm(struct device
* Use mc146818_avoid_UIP() to avoid this.
*/
if (!mc146818_avoid_UIP(cmos_set_alarm_callback, &p))
- return -EIO;
+ return -ETIMEDOUT;
cmos->alarm_expires = rtc_tm_to_time64(&t->time);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 037/476] nouveau/vmm: dont set addr on the fail path to avoid warning
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 036/476] rtc: Adjust failure return code for cmos_set_alarm() Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 038/476] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Greg Kroah-Hartman
` (448 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Faith Ekstrand, Dave Airlie
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit cacea81390fd8c8c85404e5eb2adeb83d87a912e upstream.
nvif_vmm_put gets called if addr is set, but if the allocation
fails we don't need to call put, otherwise we get a warning like
[523232.435671] ------------[ cut here ]------------
[523232.435674] WARNING: CPU: 8 PID: 1505697 at drivers/gpu/drm/nouveau/nvif/vmm.c:68 nvif_vmm_put+0x72/0x80 [nouveau]
[523232.435795] Modules linked in: uinput rfcomm snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink qrtr bnep sunrpc binfmt_misc intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common isst_if_common iwlmvm nfit libnvdimm vfat fat x86_pkg_temp_thermal intel_powerclamp mac80211 snd_soc_avs snd_soc_hda_codec coretemp snd_hda_ext_core snd_soc_core snd_hda_codec_realtek kvm_intel snd_hda_codec_hdmi snd_compress snd_hda_codec_generic ac97_bus snd_pcm_dmaengine snd_hda_intel libarc4 snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm iwlwifi snd_hda_core btusb snd_hwdep btrtl snd_seq btintel irqbypass btbcm rapl snd_seq_device eeepc_wmi btmtk intel_cstate iTCO_wdt cfg80211 snd_pcm asus_wmi bluetooth intel_pmc_bxt iTCO_vendor_support snd_timer ledtrig_audio pktcdvd snd mei_me
[523232.435828] sparse_keymap intel_uncore i2c_i801 platform_profile wmi_bmof mei pcspkr ioatdma soundcore i2c_smbus rfkill idma64 dca joydev acpi_tad loop zram nouveau drm_ttm_helper ttm video drm_exec drm_gpuvm gpu_sched crct10dif_pclmul i2c_algo_bit nvme crc32_pclmul crc32c_intel drm_display_helper polyval_clmulni nvme_core polyval_generic e1000e mxm_wmi cec ghash_clmulni_intel r8169 sha512_ssse3 nvme_common wmi pinctrl_sunrisepoint uas usb_storage ip6_tables ip_tables fuse
[523232.435849] CPU: 8 PID: 1505697 Comm: gnome-shell Tainted: G W 6.6.0-rc7-nvk-uapi+ #12
[523232.435851] Hardware name: System manufacturer System Product Name/ROG STRIX X299-E GAMING II, BIOS 1301 09/24/2021
[523232.435852] RIP: 0010:nvif_vmm_put+0x72/0x80 [nouveau]
[523232.435934] Code: 00 00 48 89 e2 be 02 00 00 00 48 c7 04 24 00 00 00 00 48 89 44 24 08 e8 fc bf ff ff 85
c0 75 0a 48 c7 43 08 00 00 00 00 eb b3 <0f> 0b eb f2 e8 f5 c9 b2 e6 0f 1f 44 00 00 90 90 90 90 90 90 90 90
[523232.435936] RSP: 0018:ffffc900077ffbd8 EFLAGS: 00010282
[523232.435937] RAX: 00000000fffffffe RBX: ffffc900077ffc00 RCX: 0000000000000010
[523232.435938] RDX: 0000000000000010 RSI: ffffc900077ffb38 RDI: ffffc900077ffbd8
[523232.435940] RBP: ffff888e1c4f2140 R08: 0000000000000000 R09: 0000000000000000
[523232.435940] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888503811800
[523232.435941] R13: ffffc900077ffca0 R14: ffff888e1c4f2140 R15: ffff88810317e1e0
[523232.435942] FS: 00007f933a769640(0000) GS:ffff88905fa00000(0000) knlGS:0000000000000000
[523232.435943] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[523232.435944] CR2: 00007f930bef7000 CR3: 00000005d0322001 CR4: 00000000003706e0
[523232.435945] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[523232.435946] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[523232.435964] Call Trace:
[523232.435965] <TASK>
[523232.435966] ? nvif_vmm_put+0x72/0x80 [nouveau]
[523232.436051] ? __warn+0x81/0x130
[523232.436055] ? nvif_vmm_put+0x72/0x80 [nouveau]
[523232.436138] ? report_bug+0x171/0x1a0
[523232.436142] ? handle_bug+0x3c/0x80
[523232.436144] ? exc_invalid_op+0x17/0x70
[523232.436145] ? asm_exc_invalid_op+0x1a/0x20
[523232.436149] ? nvif_vmm_put+0x72/0x80 [nouveau]
[523232.436230] ? nvif_vmm_put+0x64/0x80 [nouveau]
[523232.436342] nouveau_vma_del+0x80/0xd0 [nouveau]
[523232.436506] nouveau_vma_new+0x1a0/0x210 [nouveau]
[523232.436671] nouveau_gem_object_open+0x1d0/0x1f0 [nouveau]
[523232.436835] drm_gem_handle_create_tail+0xd1/0x180
[523232.436840] drm_prime_fd_to_handle_ioctl+0x12e/0x200
[523232.436844] ? __pfx_drm_prime_fd_to_handle_ioctl+0x10/0x10
[523232.436847] drm_ioctl_kernel+0xd3/0x180
[523232.436849] drm_ioctl+0x26d/0x4b0
[523232.436851] ? __pfx_drm_prime_fd_to_handle_ioctl+0x10/0x10
[523232.436855] nouveau_drm_ioctl+0x5a/0xb0 [nouveau]
[523232.437032] __x64_sys_ioctl+0x94/0xd0
[523232.437036] do_syscall_64+0x5d/0x90
[523232.437040] ? syscall_exit_to_user_mode+0x2b/0x40
[523232.437044] ? do_syscall_64+0x6c/0x90
[523232.437046] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Reported-by: Faith Ekstrand <faith.ekstrand@collabora.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240117213852.295565-1-airlied@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_vmm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/nouveau/nouveau_vmm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_vmm.c
@@ -108,6 +108,9 @@ nouveau_vma_new(struct nouveau_bo *nvbo,
} else {
ret = nvif_vmm_get(&vmm->vmm, PTES, false, mem->mem.page, 0,
mem->mem.size, &tmp);
+ if (ret)
+ goto done;
+
vma->addr = tmp.addr;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 038/476] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 037/476] nouveau/vmm: dont set addr on the fail path to avoid warning Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 039/476] rename(): fix the locking of subdirectories Greg Kroah-Hartman
` (447 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Eric Biggers,
Eric Biggers, Richard Weinberger
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit 1e022216dcd248326a5bb95609d12a6815bca4e2 upstream.
For error handling path in ubifs_symlink(), inode will be marked as
bad first, then iput() is invoked. If inode->i_link is initialized by
fscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't
be freed by callchain ubifs_free_inode -> fscrypt_free_inode in error
handling path, because make_bad_inode() has changed 'inode->i_mode' as
'S_IFREG'.
Following kmemleak is easy to be reproduced by injecting error in
ubifs_jnl_update() when doing symlink in encryption scenario:
unreferenced object 0xffff888103da3d98 (size 8):
comm "ln", pid 1692, jiffies 4294914701 (age 12.045s)
backtrace:
kmemdup+0x32/0x70
__fscrypt_encrypt_symlink+0xed/0x1c0
ubifs_symlink+0x210/0x300 [ubifs]
vfs_symlink+0x216/0x360
do_symlinkat+0x11a/0x190
do_syscall_64+0x3b/0xe0
There are two ways fixing it:
1. Remove make_bad_inode() in error handling path. We can do that
because ubifs_evict_inode() will do same processes for good
symlink inode and bad symlink inode, for inode->i_nlink checking
is before is_bad_inode().
2. Free inode->i_link before marking inode bad.
Method 2 is picked, it has less influence, personally, I think.
Cc: stable@vger.kernel.org
Fixes: 2c58d548f570 ("fscrypt: cache decrypted symlink target in ->i_link")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Suggested-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ubifs/dir.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -1225,6 +1225,8 @@ out_cancel:
dir_ui->ui_size = dir->i_size;
mutex_unlock(&dir_ui->ui_mutex);
out_inode:
+ /* Free inode->i_link before inode is marked as bad. */
+ fscrypt_free_inode(inode);
make_bad_inode(inode);
iput(inode);
out_fname:
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 039/476] rename(): fix the locking of subdirectories
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 038/476] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 040/476] ksmbd: set v2 lease version on lease upgrade Greg Kroah-Hartman
` (446 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Al Viro
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 22e111ed6c83dcde3037fc81176012721bc34c0b upstream.
We should never lock two subdirectories without having taken
->s_vfs_rename_mutex; inode pointer order or not, the "order" proposed
in 28eceeda130f "fs: Lock moved directories" is not transitive, with
the usual consequences.
The rationale for locking renamed subdirectory in all cases was
the possibility of race between rename modifying .. in a subdirectory to
reflect the new parent and another thread modifying the same subdirectory.
For a lot of filesystems that's not a problem, but for some it can lead
to trouble (e.g. the case when short directory contents is kept in the
inode, but creating a file in it might push it across the size limit
and copy its contents into separate data block(s)).
However, we need that only in case when the parent does change -
otherwise ->rename() doesn't need to do anything with .. entry in the
first place. Some instances are lazy and do a tautological update anyway,
but it's really not hard to avoid.
Amended locking rules for rename():
find the parent(s) of source and target
if source and target have the same parent
lock the common parent
else
lock ->s_vfs_rename_mutex
lock both parents, in ancestor-first order; if neither
is an ancestor of another, lock the parent of source
first.
find the source and target.
if source and target have the same parent
if operation is an overwriting rename of a subdirectory
lock the target subdirectory
else
if source is a subdirectory
lock the source
if target is a subdirectory
lock the target
lock non-directories involved, in inode pointer order if both
source and target are such.
That way we are guaranteed that parents are locked (for obvious reasons),
that any renamed non-directory is locked (nfsd relies upon that),
that any victim is locked (emptiness check needs that, among other things)
and subdirectory that changes parent is locked (needed to protect the update
of .. entries). We are also guaranteed that any operation locking more
than one directory either takes ->s_vfs_rename_mutex or locks a parent
followed by its child.
Cc: stable@vger.kernel.org
Fixes: 28eceeda130f "fs: Lock moved directories"
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/filesystems/directory-locking.rst | 29 ++++++-----
Documentation/filesystems/locking.rst | 5 +-
Documentation/filesystems/porting.rst | 18 +++++++
fs/namei.c | 60 ++++++++++++++----------
4 files changed, 74 insertions(+), 38 deletions(-)
--- a/Documentation/filesystems/directory-locking.rst
+++ b/Documentation/filesystems/directory-locking.rst
@@ -22,13 +22,16 @@ exclusive.
3) object removal. Locking rules: caller locks parent, finds victim,
locks victim and calls the method. Locks are exclusive.
-4) rename() that is _not_ cross-directory. Locking rules: caller locks the
-parent and finds source and target. We lock both (provided they exist). If we
-need to lock two inodes of different type (dir vs non-dir), we lock directory
-first. If we need to lock two inodes of the same type, lock them in inode
-pointer order. Then call the method. All locks are exclusive.
-NB: we might get away with locking the source (and target in exchange
-case) shared.
+4) rename() that is _not_ cross-directory. Locking rules: caller locks
+the parent and finds source and target. Then we decide which of the
+source and target need to be locked. Source needs to be locked if it's a
+non-directory; target - if it's a non-directory or about to be removed.
+Take the locks that need to be taken, in inode pointer order if need
+to take both (that can happen only when both source and target are
+non-directories - the source because it wouldn't be locked otherwise
+and the target because mixing directory and non-directory is allowed
+only with RENAME_EXCHANGE, and that won't be removing the target).
+After the locks had been taken, call the method. All locks are exclusive.
5) link creation. Locking rules:
@@ -44,20 +47,17 @@ rules:
* lock the filesystem
* lock parents in "ancestors first" order. If one is not ancestor of
- the other, lock them in inode pointer order.
+ the other, lock the parent of source first.
* find source and target.
* if old parent is equal to or is a descendent of target
fail with -ENOTEMPTY
* if new parent is equal to or is a descendent of source
fail with -ELOOP
- * Lock both the source and the target provided they exist. If we
- need to lock two inodes of different type (dir vs non-dir), we lock
- the directory first. If we need to lock two inodes of the same type,
- lock them in inode pointer order.
+ * Lock subdirectories involved (source before target).
+ * Lock non-directories involved, in inode pointer order.
* call the method.
-All ->i_rwsem are taken exclusive. Again, we might get away with locking
-the source (and target in exchange case) shared.
+All ->i_rwsem are taken exclusive.
The rules above obviously guarantee that all directories that are going to be
read, modified or removed by method will be locked by caller.
@@ -67,6 +67,7 @@ If no directory is its own ancestor, the
Proof:
+[XXX: will be updated once we are done massaging the lock_rename()]
First of all, at any moment we have a linear ordering of the
objects - A < B iff (A is an ancestor of B) or (B is not an ancestor
of A and ptr(A) < ptr(B)).
--- a/Documentation/filesystems/locking.rst
+++ b/Documentation/filesystems/locking.rst
@@ -98,7 +98,7 @@ symlink: exclusive
mkdir: exclusive
unlink: exclusive (both)
rmdir: exclusive (both)(see below)
-rename: exclusive (all) (see below)
+rename: exclusive (both parents, some children) (see below)
readlink: no
get_link: no
setattr: exclusive
@@ -118,6 +118,9 @@ fileattr_set: exclusive
Additionally, ->rmdir(), ->unlink() and ->rename() have ->i_rwsem
exclusive on victim.
cross-directory ->rename() has (per-superblock) ->s_vfs_rename_sem.
+ ->unlink() and ->rename() have ->i_rwsem exclusive on all non-directories
+ involved.
+ ->rename() has ->i_rwsem exclusive on any subdirectory that changes parent.
See Documentation/filesystems/directory-locking.rst for more detailed discussion
of the locking scheme for directory operations.
--- a/Documentation/filesystems/porting.rst
+++ b/Documentation/filesystems/porting.rst
@@ -908,3 +908,21 @@ Calling conventions for file_open_root()
instead of passing mount and dentry separately. For callers that used to
pass <mnt, mnt->mnt_root> pair (i.e. the root of given mount), a new helper
is provided - file_open_root_mnt(). In-tree users adjusted.
+
+---
+
+**mandatory**
+
+If ->rename() update of .. on cross-directory move needs an exclusion with
+directory modifications, do *not* lock the subdirectory in question in your
+->rename() - it's done by the caller now [that item should've been added in
+28eceeda130f "fs: Lock moved directories"].
+
+---
+
+**mandatory**
+
+On same-directory ->rename() the (tautological) update of .. is not protected
+by any locks; just don't do it if the old parent is the same as the new one.
+We really can't lock two subdirectories in same-directory rename - not without
+deadlocks.
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2993,20 +2993,14 @@ static struct dentry *lock_two_directori
p = d_ancestor(p2, p1);
if (p) {
inode_lock_nested(p2->d_inode, I_MUTEX_PARENT);
- inode_lock_nested(p1->d_inode, I_MUTEX_CHILD);
+ inode_lock_nested(p1->d_inode, I_MUTEX_PARENT2);
return p;
}
p = d_ancestor(p1, p2);
- if (p) {
- inode_lock_nested(p1->d_inode, I_MUTEX_PARENT);
- inode_lock_nested(p2->d_inode, I_MUTEX_CHILD);
- return p;
- }
-
- lock_two_inodes(p1->d_inode, p2->d_inode,
- I_MUTEX_PARENT, I_MUTEX_PARENT2);
- return NULL;
+ inode_lock_nested(p1->d_inode, I_MUTEX_PARENT);
+ inode_lock_nested(p2->d_inode, I_MUTEX_PARENT2);
+ return p;
}
/*
@@ -4691,11 +4685,12 @@ SYSCALL_DEFINE2(link, const char __user
*
* a) we can get into loop creation.
* b) race potential - two innocent renames can create a loop together.
- * That's where 4.4 screws up. Current fix: serialization on
+ * That's where 4.4BSD screws up. Current fix: serialization on
* sb->s_vfs_rename_mutex. We might be more accurate, but that's another
* story.
- * c) we have to lock _four_ objects - parents and victim (if it exists),
- * and source.
+ * c) we may have to lock up to _four_ objects - parents and victim (if it exists),
+ * and source (if it's a non-directory or a subdirectory that moves to
+ * different parent).
* And that - after we got ->i_mutex on parents (until then we don't know
* whether the target exists). Solution: try to be smart with locking
* order for inodes. We rely on the fact that tree topology may change
@@ -4727,6 +4722,7 @@ int vfs_rename(struct renamedata *rd)
bool new_is_dir = false;
unsigned max_links = new_dir->i_sb->s_max_links;
struct name_snapshot old_name;
+ bool lock_old_subdir, lock_new_subdir;
if (source == target)
return 0;
@@ -4780,15 +4776,32 @@ int vfs_rename(struct renamedata *rd)
take_dentry_name_snapshot(&old_name, old_dentry);
dget(new_dentry);
/*
- * Lock all moved children. Moved directories may need to change parent
- * pointer so they need the lock to prevent against concurrent
- * directory changes moving parent pointer. For regular files we've
- * historically always done this. The lockdep locking subclasses are
- * somewhat arbitrary but RENAME_EXCHANGE in particular can swap
- * regular files and directories so it's difficult to tell which
- * subclasses to use.
+ * Lock children.
+ * The source subdirectory needs to be locked on cross-directory
+ * rename or cross-directory exchange since its parent changes.
+ * The target subdirectory needs to be locked on cross-directory
+ * exchange due to parent change and on any rename due to becoming
+ * a victim.
+ * Non-directories need locking in all cases (for NFS reasons);
+ * they get locked after any subdirectories (in inode address order).
+ *
+ * NOTE: WE ONLY LOCK UNRELATED DIRECTORIES IN CROSS-DIRECTORY CASE.
+ * NEVER, EVER DO THAT WITHOUT ->s_vfs_rename_mutex.
*/
- lock_two_inodes(source, target, I_MUTEX_NORMAL, I_MUTEX_NONDIR2);
+ lock_old_subdir = new_dir != old_dir;
+ lock_new_subdir = new_dir != old_dir || !(flags & RENAME_EXCHANGE);
+ if (is_dir) {
+ if (lock_old_subdir)
+ inode_lock_nested(source, I_MUTEX_CHILD);
+ if (target && (!new_is_dir || lock_new_subdir))
+ inode_lock(target);
+ } else if (new_is_dir) {
+ if (lock_new_subdir)
+ inode_lock_nested(target, I_MUTEX_CHILD);
+ inode_lock(source);
+ } else {
+ lock_two_nondirectories(source, target);
+ }
error = -EPERM;
if (IS_SWAPFILE(source) || (target && IS_SWAPFILE(target)))
@@ -4836,8 +4849,9 @@ int vfs_rename(struct renamedata *rd)
d_exchange(old_dentry, new_dentry);
}
out:
- inode_unlock(source);
- if (target)
+ if (!is_dir || lock_old_subdir)
+ inode_unlock(source);
+ if (target && (!new_is_dir || lock_new_subdir))
inode_unlock(target);
dput(new_dentry);
if (!error) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 040/476] ksmbd: set v2 lease version on lease upgrade
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 039/476] rename(): fix the locking of subdirectories Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 041/476] ksmbd: fix potential circular locking issue in smb2_set_ea() Greg Kroah-Hartman
` (445 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Tom Talpey, Steve French
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit bb05367a66a9990d2c561282f5620bb1dbe40c28 ]
If file opened with v2 lease is upgraded with v1 lease, smb server
should response v2 lease create context to client.
This patch fix smb2.lease.v2_epoch2 test failure.
This test case assumes the following scenario:
1. smb2 create with v2 lease(R, LEASE1 key)
2. smb server return smb2 create response with v2 lease context(R,
LEASE1 key, epoch + 1)
3. smb2 create with v1 lease(RH, LEASE1 key)
4. smb server return smb2 create response with v2 lease context(RH,
LEASE1 key, epoch + 2)
i.e. If same client(same lease key) try to open a file that is being
opened with v2 lease with v1 lease, smb server should return v2 lease.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Acked-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/oplock.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1036,6 +1036,7 @@ static void copy_lease(struct oplock_inf
lease2->duration = lease1->duration;
lease2->flags = lease1->flags;
lease2->epoch = lease1->epoch++;
+ lease2->version = lease1->version;
}
static int add_lease_global_list(struct oplock_info *opinfo)
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 041/476] ksmbd: fix potential circular locking issue in smb2_set_ea()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 040/476] ksmbd: set v2 lease version on lease upgrade Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 042/476] ksmbd: dont increment epoch if current state and request state are same Greg Kroah-Hartman
` (444 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 6fc0a265e1b932e5e97a038f99e29400a93baad0 ]
smb2_set_ea() can be called in parent inode lock range.
So add get_write argument to smb2_set_ea() not to call nested
mnt_want_write().
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/smb2pdu.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2323,11 +2323,12 @@ out:
* @eabuf: set info command buffer
* @buf_len: set info command buffer length
* @path: dentry path for get ea
+ * @get_write: get write access to a mount
*
* Return: 0 on success, otherwise error
*/
static int smb2_set_ea(struct smb2_ea_info *eabuf, unsigned int buf_len,
- const struct path *path)
+ const struct path *path, bool get_write)
{
struct user_namespace *user_ns = mnt_user_ns(path->mnt);
char *attr_name = NULL, *value;
@@ -3012,7 +3013,7 @@ int smb2_open(struct ksmbd_work *work)
rc = smb2_set_ea(&ea_buf->ea,
le32_to_cpu(ea_buf->ccontext.DataLength),
- &path);
+ &path, false);
if (rc == -EOPNOTSUPP)
rc = 0;
else if (rc)
@@ -5994,7 +5995,7 @@ static int smb2_set_info_file(struct ksm
return -EINVAL;
return smb2_set_ea((struct smb2_ea_info *)req->Buffer,
- buf_len, &fp->filp->f_path);
+ buf_len, &fp->filp->f_path, true);
}
case FILE_POSITION_INFORMATION:
{
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 042/476] ksmbd: dont increment epoch if current state and request state are same
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 041/476] ksmbd: fix potential circular locking issue in smb2_set_ea() Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 043/476] ksmbd: send lease break notification on FILE_RENAME_INFORMATION Greg Kroah-Hartman
` (443 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit b6e9a44e99603fe10e1d78901fdd97681a539612 ]
If existing lease state and request state are same, don't increment
epoch in create context.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/oplock.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -105,7 +105,7 @@ static int alloc_lease(struct oplock_inf
lease->is_dir = lctx->is_dir;
memcpy(lease->parent_lease_key, lctx->parent_lease_key, SMB2_LEASE_KEY_SIZE);
lease->version = lctx->version;
- lease->epoch = le16_to_cpu(lctx->epoch);
+ lease->epoch = le16_to_cpu(lctx->epoch) + 1;
INIT_LIST_HEAD(&opinfo->lease_entry);
opinfo->o_lease = lease;
@@ -541,6 +541,9 @@ static struct oplock_info *same_client_h
continue;
}
+ if (lctx->req_state != lease->state)
+ lease->epoch++;
+
/* upgrading lease */
if ((atomic_read(&ci->op_count) +
atomic_read(&ci->sop_count)) == 1) {
@@ -1035,7 +1038,7 @@ static void copy_lease(struct oplock_inf
SMB2_LEASE_KEY_SIZE);
lease2->duration = lease1->duration;
lease2->flags = lease1->flags;
- lease2->epoch = lease1->epoch++;
+ lease2->epoch = lease1->epoch;
lease2->version = lease1->version;
}
@@ -1454,7 +1457,7 @@ void create_lease_buf(u8 *rbuf, struct l
memcpy(buf->lcontext.LeaseKey, lease->lease_key,
SMB2_LEASE_KEY_SIZE);
buf->lcontext.LeaseFlags = lease->flags;
- buf->lcontext.Epoch = cpu_to_le16(++lease->epoch);
+ buf->lcontext.Epoch = cpu_to_le16(lease->epoch);
buf->lcontext.LeaseState = lease->state;
memcpy(buf->lcontext.ParentLeaseKey, lease->parent_lease_key,
SMB2_LEASE_KEY_SIZE);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 043/476] ksmbd: send lease break notification on FILE_RENAME_INFORMATION
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 042/476] ksmbd: dont increment epoch if current state and request state are same Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 044/476] ksmbd: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
` (442 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 3fc74c65b367476874da5fe6f633398674b78e5a ]
Send lease break notification on FILE_RENAME_INFORMATION request.
This patch fix smb2.lease.v2_epoch2 test failure.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/oplock.c | 12 +++++++-----
fs/ksmbd/smb2pdu.c | 1 +
2 files changed, 8 insertions(+), 5 deletions(-)
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -541,14 +541,12 @@ static struct oplock_info *same_client_h
continue;
}
- if (lctx->req_state != lease->state)
- lease->epoch++;
-
/* upgrading lease */
if ((atomic_read(&ci->op_count) +
atomic_read(&ci->sop_count)) == 1) {
if (lease->state != SMB2_LEASE_NONE_LE &&
lease->state == (lctx->req_state & lease->state)) {
+ lease->epoch++;
lease->state |= lctx->req_state;
if (lctx->req_state &
SMB2_LEASE_WRITE_CACHING_LE)
@@ -559,13 +557,17 @@ static struct oplock_info *same_client_h
atomic_read(&ci->sop_count)) > 1) {
if (lctx->req_state ==
(SMB2_LEASE_READ_CACHING_LE |
- SMB2_LEASE_HANDLE_CACHING_LE))
+ SMB2_LEASE_HANDLE_CACHING_LE)) {
+ lease->epoch++;
lease->state = lctx->req_state;
+ }
}
if (lctx->req_state && lease->state ==
- SMB2_LEASE_NONE_LE)
+ SMB2_LEASE_NONE_LE) {
+ lease->epoch++;
lease_none_upgrade(opinfo, lctx->req_state);
+ }
}
read_lock(&ci->m_lock);
}
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5581,6 +5581,7 @@ static int smb2_rename(struct ksmbd_work
if (!file_info->ReplaceIfExists)
flags = RENAME_NOREPLACE;
+ smb_break_all_levII_oplock(work, fp, 0);
rc = ksmbd_vfs_rename(work, &fp->filp->f_path, new_name, flags);
out:
kfree(new_name);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 044/476] ksmbd: Add missing set_freezable() for freezable kthread
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 043/476] ksmbd: send lease break notification on FILE_RENAME_INFORMATION Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 045/476] net/smc: fix illegal rmb_desc access in SMC-D connection dump Greg Kroah-Hartman
` (441 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kevin Hao, Namjae Jeon, Steve French
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
From: Kevin Hao <haokexin@gmail.com>
[ Upstream commit 8fb7b723924cc9306bc161f45496497aec733904 ]
The kernel thread function ksmbd_conn_handler_loop() invokes
the try_to_freeze() in its loop. But all the kernel threads are
non-freezable by default. So if we want to make a kernel thread to be
freezable, we have to invoke set_freezable() explicitly.
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/connection.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -284,6 +284,7 @@ int ksmbd_conn_handler_loop(void *p)
goto out;
conn->last_active = jiffies;
+ set_freezable();
while (ksmbd_conn_alive(conn)) {
if (try_to_freeze())
continue;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 045/476] net/smc: fix illegal rmb_desc access in SMC-D connection dump
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 044/476] ksmbd: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 046/476] tcp: make sure init the accept_queues spinlocks once Greg Kroah-Hartman
` (440 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wen Gu, Dust Li, Wenjia Zhang,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wen Gu <guwen@linux.alibaba.com>
[ Upstream commit dbc153fd3c142909e564bb256da087e13fbf239c ]
A crash was found when dumping SMC-D connections. It can be reproduced
by following steps:
- run nginx/wrk test:
smc_run nginx
smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>
- continuously dump SMC-D connections in parallel:
watch -n 1 'smcss -D'
BUG: kernel NULL pointer dereference, address: 0000000000000030
CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55
RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x66/0x150
? exc_page_fault+0x69/0x140
? asm_exc_page_fault+0x26/0x30
? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
? __kmalloc_node_track_caller+0x35d/0x430
? __alloc_skb+0x77/0x170
smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
smc_diag_dump+0x26/0x60 [smc_diag]
netlink_dump+0x19f/0x320
__netlink_dump_start+0x1dc/0x300
smc_diag_handler_dump+0x6a/0x80 [smc_diag]
? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
sock_diag_rcv_msg+0x121/0x140
? __pfx_sock_diag_rcv_msg+0x10/0x10
netlink_rcv_skb+0x5a/0x110
sock_diag_rcv+0x28/0x40
netlink_unicast+0x22a/0x330
netlink_sendmsg+0x1f8/0x420
__sock_sendmsg+0xb0/0xc0
____sys_sendmsg+0x24e/0x300
? copy_msghdr_from_user+0x62/0x80
___sys_sendmsg+0x7c/0xd0
? __do_fault+0x34/0x160
? do_read_fault+0x5f/0x100
? do_fault+0xb0/0x110
? __handle_mm_fault+0x2b0/0x6c0
__sys_sendmsg+0x4d/0x80
do_syscall_64+0x69/0x180
entry_SYSCALL_64_after_hwframe+0x6e/0x76
It is possible that the connection is in process of being established
when we dump it. Assumed that the connection has been registered in a
link group by smc_conn_create() but the rmb_desc has not yet been
initialized by smc_buf_create(), thus causing the illegal access to
conn->rmb_desc. So fix it by checking before dump.
Fixes: 4b1b7d3b30a6 ("net/smc: add SMC-D diag support")
Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/smc_diag.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c
index c952986a6aca..d6e3fc402a6f 100644
--- a/net/smc/smc_diag.c
+++ b/net/smc/smc_diag.c
@@ -164,7 +164,7 @@ static int __smc_diag_dump(struct sock *sk, struct sk_buff *skb,
}
if (smc->conn.lgr && smc->conn.lgr->is_smcd &&
(req->diag_ext & (1 << (SMC_DIAG_DMBINFO - 1))) &&
- !list_empty(&smc->conn.lgr->list)) {
+ !list_empty(&smc->conn.lgr->list) && smc->conn.rmb_desc) {
struct smc_connection *conn = &smc->conn;
struct smcd_diag_dmbinfo dinfo;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 046/476] tcp: make sure init the accept_queues spinlocks once
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 045/476] net/smc: fix illegal rmb_desc access in SMC-D connection dump Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 047/476] bnxt_en: Wait for FLR to complete during probe Greg Kroah-Hartman
` (439 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Shu, Zhengchao Shao,
Eric Dumazet, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit 198bc90e0e734e5f98c3d2833e8390cac3df61b2 ]
When I run syz's reproduction C program locally, it causes the following
issue:
pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!
WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)
Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7
30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908
RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900
RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff
R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000
R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000
FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0
Call Trace:
<IRQ>
_raw_spin_unlock (kernel/locking/spinlock.c:186)
inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)
inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)
tcp_check_req (net/ipv4/tcp_minisocks.c:868)
tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
ip_local_deliver_finish (net/ipv4/ip_input.c:234)
__netif_receive_skb_one_core (net/core/dev.c:5529)
process_backlog (./include/linux/rcupdate.h:779)
__napi_poll (net/core/dev.c:6533)
net_rx_action (net/core/dev.c:6604)
__do_softirq (./arch/x86/include/asm/jump_label.h:27)
do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:381)
__dev_queue_xmit (net/core/dev.c:4374)
ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)
__ip_queue_xmit (net/ipv4/ip_output.c:535)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1462)
tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)
tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)
tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)
__release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)
release_sock (net/core/sock.c:3536)
inet_wait_for_connect (net/ipv4/af_inet.c:609)
__inet_stream_connect (net/ipv4/af_inet.c:702)
inet_stream_connect (net/ipv4/af_inet.c:748)
__sys_connect (./include/linux/file.h:45 net/socket.c:2064)
__x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)
do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
RIP: 0033:0x7fa10ff05a3d
Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89
c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48
RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d
RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640
R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20
</TASK>
The issue triggering process is analyzed as follows:
Thread A Thread B
tcp_v4_rcv //receive ack TCP packet inet_shutdown
tcp_check_req tcp_disconnect //disconnect sock
... tcp_set_state(sk, TCP_CLOSE)
inet_csk_complete_hashdance ...
inet_csk_reqsk_queue_add inet_listen //start listen
spin_lock(&queue->rskq_lock) inet_csk_listen_start
... reqsk_queue_alloc
... spin_lock_init
spin_unlock(&queue->rskq_lock) //warning
When the socket receives the ACK packet during the three-way handshake,
it will hold spinlock. And then the user actively shutdowns the socket
and listens to the socket immediately, the spinlock will be initialized.
When the socket is going to release the spinlock, a warning is generated.
Also the same issue to fastopenq.lock.
Move init spinlock to inet_create and inet_accept to make sure init the
accept_queue's spinlocks once.
Fixes: fff1f3001cc5 ("tcp: add a spinlock to protect struct request_sock_queue")
Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
Reported-by: Ming Shu <sming56@aliyun.com>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240118012019.1751966-1-shaozhengchao@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/inet_connection_sock.h | 8 ++++++++
net/core/request_sock.c | 3 ---
net/ipv4/af_inet.c | 3 +++
net/ipv4/inet_connection_sock.c | 4 ++++
4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
index d31a18824cd5..798aad21694e 100644
--- a/include/net/inet_connection_sock.h
+++ b/include/net/inet_connection_sock.h
@@ -335,4 +335,12 @@ static inline bool inet_csk_has_ulp(struct sock *sk)
return inet_sk(sk)->is_icsk && !!inet_csk(sk)->icsk_ulp_ops;
}
+static inline void inet_init_csk_locks(struct sock *sk)
+{
+ struct inet_connection_sock *icsk = inet_csk(sk);
+
+ spin_lock_init(&icsk->icsk_accept_queue.rskq_lock);
+ spin_lock_init(&icsk->icsk_accept_queue.fastopenq.lock);
+}
+
#endif /* _INET_CONNECTION_SOCK_H */
diff --git a/net/core/request_sock.c b/net/core/request_sock.c
index f35c2e998406..63de5c635842 100644
--- a/net/core/request_sock.c
+++ b/net/core/request_sock.c
@@ -33,9 +33,6 @@
void reqsk_queue_alloc(struct request_sock_queue *queue)
{
- spin_lock_init(&queue->rskq_lock);
-
- spin_lock_init(&queue->fastopenq.lock);
queue->fastopenq.rskq_rst_head = NULL;
queue->fastopenq.rskq_rst_tail = NULL;
queue->fastopenq.qlen = 0;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index e46b11507edc..6f6c05f198da 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -327,6 +327,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
if (INET_PROTOSW_REUSE & answer_flags)
sk->sk_reuse = SK_CAN_REUSE;
+ if (INET_PROTOSW_ICSK & answer_flags)
+ inet_init_csk_locks(sk);
+
inet = inet_sk(sk);
inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) != 0;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index c770719797e1..da43957a5843 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -545,6 +545,10 @@ struct sock *inet_csk_accept(struct sock *sk, int flags, int *err, bool kern)
}
if (req)
reqsk_put(req);
+
+ if (newsk)
+ inet_init_csk_locks(newsk);
+
return newsk;
out_err:
newsk = NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 047/476] bnxt_en: Wait for FLR to complete during probe
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 046/476] tcp: make sure init the accept_queues spinlocks once Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 048/476] vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING Greg Kroah-Hartman
` (438 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damodharam Ammepalli, Michael Chan,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Chan <michael.chan@broadcom.com>
[ Upstream commit 3c1069fa42872f95cf3c6fedf80723d391e12d57 ]
The first message to firmware may fail if the device is undergoing FLR.
The driver has some recovery logic for this failure scenario but we must
wait 100 msec for FLR to complete before proceeding. Otherwise the
recovery will always fail.
Fixes: ba02629ff6cb ("bnxt_en: log firmware status on firmware init failure")
Reviewed-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Link: https://lore.kernel.org/r/20240117234515.226944-2-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 631639a19bad..3888561a5cc8 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -11925,6 +11925,11 @@ static int bnxt_fw_init_one_p1(struct bnxt *bp)
bp->fw_cap = 0;
rc = bnxt_hwrm_ver_get(bp);
+ /* FW may be unresponsive after FLR. FLR must complete within 100 msec
+ * so wait before continuing with recovery.
+ */
+ if (rc)
+ msleep(100);
bnxt_try_map_fw_health_reg(bp);
if (rc) {
rc = bnxt_try_recover_fw(bp);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 048/476] vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 047/476] bnxt_en: Wait for FLR to complete during probe Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 049/476] llc: make llc_ui_sendmsg() more robust against bonding changes Greg Kroah-Hartman
` (437 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin Ma, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit 6c21660fe221a15c789dee2bc2fd95516bc5aeaf ]
In the vlan_changelink function, a loop is used to parse the nested
attributes IFLA_VLAN_EGRESS_QOS and IFLA_VLAN_INGRESS_QOS in order to
obtain the struct ifla_vlan_qos_mapping. These two nested attributes are
checked in the vlan_validate_qos_map function, which calls
nla_validate_nested_deprecated with the vlan_map_policy.
However, this deprecated validator applies a LIBERAL strictness, allowing
the presence of an attribute with the type IFLA_VLAN_QOS_UNSPEC.
Consequently, the loop in vlan_changelink may parse an attribute of type
IFLA_VLAN_QOS_UNSPEC and believe it carries a payload of
struct ifla_vlan_qos_mapping, which is not necessarily true.
To address this issue and ensure compatibility, this patch introduces two
type checks that skip attributes whose type is not IFLA_VLAN_QOS_MAPPING.
Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240118130306.1644001-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/8021q/vlan_netlink.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
index 53b1955b027f..dca1ec705b6c 100644
--- a/net/8021q/vlan_netlink.c
+++ b/net/8021q/vlan_netlink.c
@@ -118,12 +118,16 @@ static int vlan_changelink(struct net_device *dev, struct nlattr *tb[],
}
if (data[IFLA_VLAN_INGRESS_QOS]) {
nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) {
+ if (nla_type(attr) != IFLA_VLAN_QOS_MAPPING)
+ continue;
m = nla_data(attr);
vlan_dev_set_ingress_priority(dev, m->to, m->from);
}
}
if (data[IFLA_VLAN_EGRESS_QOS]) {
nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) {
+ if (nla_type(attr) != IFLA_VLAN_QOS_MAPPING)
+ continue;
m = nla_data(attr);
err = vlan_dev_set_egress_priority(dev, m->from, m->to);
if (err)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 049/476] llc: make llc_ui_sendmsg() more robust against bonding changes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 048/476] vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 050/476] llc: Drop support for ETH_P_TR_802_2 Greg Kroah-Hartman
` (436 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin, syzbot+2a7024e9502df538e8ef
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit dad555c816a50c6a6a8a86be1f9177673918c647 ]
syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no
headroom, but subsequently trying to push 14 bytes of Ethernet header [1]
Like some others, llc_ui_sendmsg() releases the socket lock before
calling sock_alloc_send_skb().
Then it acquires it again, but does not redo all the sanity checks
that were performed.
This fix:
- Uses LL_RESERVED_SPACE() to reserve space.
- Check all conditions again after socket lock is held again.
- Do not account Ethernet header for mtu limitation.
[1]
skbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0
kernel BUG at net/core/skbuff.c:193 !
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic net/core/skbuff.c:189 [inline]
pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203
lr : skb_panic net/core/skbuff.c:189 [inline]
lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203
sp : ffff800096f97000
x29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000
x26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2
x23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0
x20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce
x17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001
x14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400
x8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089
Call trace:
skb_panic net/core/skbuff.c:189 [inline]
skb_under_panic+0x13c/0x140 net/core/skbuff.c:203
skb_push+0xf0/0x108 net/core/skbuff.c:2451
eth_header+0x44/0x1f8 net/ethernet/eth.c:83
dev_hard_header include/linux/netdevice.h:3188 [inline]
llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33
llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85
llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]
llc_sap_next_state net/llc/llc_sap.c:182 [inline]
llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209
llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270
llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
sock_sendmsg+0x194/0x274 net/socket.c:767
splice_to_socket+0x7cc/0xd58 fs/splice.c:881
do_splice_from fs/splice.c:933 [inline]
direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142
splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088
do_splice_direct+0x20c/0x348 fs/splice.c:1194
do_sendfile+0x4bc/0xc70 fs/read_write.c:1254
__do_sys_sendfile64 fs/read_write.c:1322 [inline]
__se_sys_sendfile64 fs/read_write.c:1308 [inline]
__arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Code: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+2a7024e9502df538e8ef@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240118183625.4007013-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/llc/af_llc.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 8b9a10d10036..55ed3bd65eb4 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -926,14 +926,15 @@ static int llc_ui_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
*/
static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
{
+ DECLARE_SOCKADDR(struct sockaddr_llc *, addr, msg->msg_name);
struct sock *sk = sock->sk;
struct llc_sock *llc = llc_sk(sk);
- DECLARE_SOCKADDR(struct sockaddr_llc *, addr, msg->msg_name);
int flags = msg->msg_flags;
int noblock = flags & MSG_DONTWAIT;
+ int rc = -EINVAL, copied = 0, hdrlen, hh_len;
struct sk_buff *skb = NULL;
+ struct net_device *dev;
size_t size = 0;
- int rc = -EINVAL, copied = 0, hdrlen;
dprintk("%s: sending from %02X to %02X\n", __func__,
llc->laddr.lsap, llc->daddr.lsap);
@@ -953,22 +954,29 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
if (rc)
goto out;
}
- hdrlen = llc->dev->hard_header_len + llc_ui_header_len(sk, addr);
+ dev = llc->dev;
+ hh_len = LL_RESERVED_SPACE(dev);
+ hdrlen = llc_ui_header_len(sk, addr);
size = hdrlen + len;
- if (size > llc->dev->mtu)
- size = llc->dev->mtu;
+ size = min_t(size_t, size, READ_ONCE(dev->mtu));
copied = size - hdrlen;
rc = -EINVAL;
if (copied < 0)
goto out;
release_sock(sk);
- skb = sock_alloc_send_skb(sk, size, noblock, &rc);
+ skb = sock_alloc_send_skb(sk, hh_len + size, noblock, &rc);
lock_sock(sk);
if (!skb)
goto out;
- skb->dev = llc->dev;
+ if (sock_flag(sk, SOCK_ZAPPED) ||
+ llc->dev != dev ||
+ hdrlen != llc_ui_header_len(sk, addr) ||
+ hh_len != LL_RESERVED_SPACE(dev) ||
+ size > READ_ONCE(dev->mtu))
+ goto out;
+ skb->dev = dev;
skb->protocol = llc_proto_type(addr->sllc_arphrd);
- skb_reserve(skb, hdrlen);
+ skb_reserve(skb, hh_len + hdrlen);
rc = memcpy_from_msg(skb_put(skb, copied), msg, copied);
if (rc)
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 050/476] llc: Drop support for ETH_P_TR_802_2.
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 049/476] llc: make llc_ui_sendmsg() more robust against bonding changes Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 051/476] net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv Greg Kroah-Hartman
` (435 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b5ad66046b913bc04c6f,
Kuniyuki Iwashima, Eric Dumazet, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit e3f9bed9bee261e3347131764e42aeedf1ffea61 ]
syzbot reported an uninit-value bug below. [0]
llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2
(0x0011), and syzbot abused the latter to trigger the bug.
write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16)
llc_conn_handler() initialises local variables {saddr,daddr}.mac
based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes
them to __llc_lookup().
However, the initialisation is done only when skb->protocol is
htons(ETH_P_802_2), otherwise, __llc_lookup_established() and
__llc_lookup_listener() will read garbage.
The missing initialisation existed prior to commit 211ed865108e
("net: delete all instances of special processing for token ring").
It removed the part to kick out the token ring stuff but forgot to
close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().
Let's remove llc_tr_packet_type and complete the deprecation.
[0]:
BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90
__llc_lookup_established+0xe9d/0xf90
__llc_lookup net/llc/llc_conn.c:611 [inline]
llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791
llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206
__netif_receive_skb_one_core net/core/dev.c:5527 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641
netif_receive_skb_internal net/core/dev.c:5727 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5786
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2020 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8ef/0x1490 fs/read_write.c:584
ksys_write+0x20f/0x4c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Local variable daddr created at:
llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783
llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206
CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Fixes: 211ed865108e ("net: delete all instances of special processing for token ring")
Reported-by: syzbot+b5ad66046b913bc04c6f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b5ad66046b913bc04c6f
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240119015515.61898-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/llc_pdu.h | 6 ++----
net/llc/llc_core.c | 7 -------
2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/include/net/llc_pdu.h b/include/net/llc_pdu.h
index 49aa79c7b278..581cd37aa98b 100644
--- a/include/net/llc_pdu.h
+++ b/include/net/llc_pdu.h
@@ -262,8 +262,7 @@ static inline void llc_pdu_header_init(struct sk_buff *skb, u8 type,
*/
static inline void llc_pdu_decode_sa(struct sk_buff *skb, u8 *sa)
{
- if (skb->protocol == htons(ETH_P_802_2))
- memcpy(sa, eth_hdr(skb)->h_source, ETH_ALEN);
+ memcpy(sa, eth_hdr(skb)->h_source, ETH_ALEN);
}
/**
@@ -275,8 +274,7 @@ static inline void llc_pdu_decode_sa(struct sk_buff *skb, u8 *sa)
*/
static inline void llc_pdu_decode_da(struct sk_buff *skb, u8 *da)
{
- if (skb->protocol == htons(ETH_P_802_2))
- memcpy(da, eth_hdr(skb)->h_dest, ETH_ALEN);
+ memcpy(da, eth_hdr(skb)->h_dest, ETH_ALEN);
}
/**
diff --git a/net/llc/llc_core.c b/net/llc/llc_core.c
index 6e387aadffce..4f16d9c88350 100644
--- a/net/llc/llc_core.c
+++ b/net/llc/llc_core.c
@@ -135,22 +135,15 @@ static struct packet_type llc_packet_type __read_mostly = {
.func = llc_rcv,
};
-static struct packet_type llc_tr_packet_type __read_mostly = {
- .type = cpu_to_be16(ETH_P_TR_802_2),
- .func = llc_rcv,
-};
-
static int __init llc_init(void)
{
dev_add_pack(&llc_packet_type);
- dev_add_pack(&llc_tr_packet_type);
return 0;
}
static void __exit llc_exit(void)
{
dev_remove_pack(&llc_packet_type);
- dev_remove_pack(&llc_tr_packet_type);
}
module_init(llc_init);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 051/476] net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 050/476] llc: Drop support for ETH_P_TR_802_2 Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 052/476] tracing: Ensure visibility when inserting an element into tracing_map Greg Kroah-Hartman
` (434 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Sharath Srinivasan,
Simon Horman, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sharath Srinivasan <sharath.srinivasan@oracle.com>
[ Upstream commit 13e788deb7348cc88df34bed736c3b3b9927ea52 ]
Syzcaller UBSAN crash occurs in rds_cmsg_recv(),
which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1),
but with array size of 4 (RDS_RX_MAX_TRACES).
Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from
trace.rx_trace_pos[i] in rds_recv_track_latency(),
with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the
off-by-one bounds check in rds_recv_track_latency() to prevent
a potential crash in rds_cmsg_recv().
Found by syzcaller:
=================================================================
UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39
index 4 is out of range for type 'u64 [4]'
CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585
rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x160 net/socket.c:1066
__sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246
__do_sys_recvfrom net/socket.c:2264 [inline]
__se_sys_recvfrom net/socket.c:2260 [inline]
__x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
==================================================================
Fixes: 3289025aedc0 ("RDS: add receive message trace used by application")
Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
Closes: https://lore.kernel.org/linux-rdma/CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7LfYFvkRsOVcw@mail.gmail.com/
Signed-off-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/af_rds.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index b239120dd9ca..0ec0ae148349 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -419,7 +419,7 @@ static int rds_recv_track_latency(struct rds_sock *rs, sockptr_t optval,
rs->rs_rx_traces = trace.rx_traces;
for (i = 0; i < rs->rs_rx_traces; i++) {
- if (trace.rx_trace_pos[i] > RDS_MSG_RX_DGRAM_TRACE_MAX) {
+ if (trace.rx_trace_pos[i] >= RDS_MSG_RX_DGRAM_TRACE_MAX) {
rs->rs_rx_traces = 0;
return -EFAULT;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 052/476] tracing: Ensure visibility when inserting an element into tracing_map
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 051/476] net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 053/476] afs: Hide silly-rename files from userspace Greg Kroah-Hartman
` (433 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Tom Zanussi,
Steven Rostedt (Google),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit 2b44760609e9eaafc9d234a6883d042fc21132a7 ]
Running the following two commands in parallel on a multi-processor
AArch64 machine can sporadically produce an unexpected warning about
duplicate histogram entries:
$ while true; do
echo hist:key=id.syscall:val=hitcount > \
/sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger
cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist
sleep 0.001
done
$ stress-ng --sysbadaddr $(nproc)
The warning looks as follows:
[ 2911.172474] ------------[ cut here ]------------
[ 2911.173111] Duplicates detected: 1
[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408
[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)
[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1
[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G E 6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01
[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018
[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408
[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408
[ 2911.185310] sp : ffff8000a1513900
[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001
[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008
[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180
[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff
[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8
[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731
[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c
[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8
[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000
[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480
[ 2911.194259] Call trace:
[ 2911.194626] tracing_map_sort_entries+0x3e0/0x408
[ 2911.195220] hist_show+0x124/0x800
[ 2911.195692] seq_read_iter+0x1d4/0x4e8
[ 2911.196193] seq_read+0xe8/0x138
[ 2911.196638] vfs_read+0xc8/0x300
[ 2911.197078] ksys_read+0x70/0x108
[ 2911.197534] __arm64_sys_read+0x24/0x38
[ 2911.198046] invoke_syscall+0x78/0x108
[ 2911.198553] el0_svc_common.constprop.0+0xd0/0xf8
[ 2911.199157] do_el0_svc+0x28/0x40
[ 2911.199613] el0_svc+0x40/0x178
[ 2911.200048] el0t_64_sync_handler+0x13c/0x158
[ 2911.200621] el0t_64_sync+0x1a8/0x1b0
[ 2911.201115] ---[ end trace 0000000000000000 ]---
The problem appears to be caused by CPU reordering of writes issued from
__tracing_map_insert().
The check for the presence of an element with a given key in this
function is:
val = READ_ONCE(entry->val);
if (val && keys_match(key, val->key, map->key_size)) ...
The write of a new entry is:
elt = get_free_elt(map);
memcpy(elt->key, key, map->key_size);
entry->val = elt;
The "memcpy(elt->key, key, map->key_size);" and "entry->val = elt;"
stores may become visible in the reversed order on another CPU. This
second CPU might then incorrectly determine that a new key doesn't match
an already present val->key and subsequently insert a new element,
resulting in a duplicate.
Fix the problem by adding a write barrier between
"memcpy(elt->key, key, map->key_size);" and "entry->val = elt;", and for
good measure, also use WRITE_ONCE(entry->val, elt) for publishing the
element. The sequence pairs with the mentioned "READ_ONCE(entry->val);"
and the "val->key" check which has an address dependency.
The barrier is placed on a path executed when adding an element for
a new key. Subsequent updates targeting the same key remain unaffected.
>From the user's perspective, the issue was introduced by commit
c193707dde77 ("tracing: Remove code which merges duplicates"), which
followed commit cbf4100efb8f ("tracing: Add support to detect and avoid
duplicates"). The previous code operated differently; it inherently
expected potential races which result in duplicates but merged them
later when they occurred.
Link: https://lore.kernel.org/linux-trace-kernel/20240122150928.27725-1-petr.pavlu@suse.com
Fixes: c193707dde77 ("tracing: Remove code which merges duplicates")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Acked-by: Tom Zanussi <tom.zanussi@linux.intel.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/tracing_map.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c
index 9628b5571846..3edf5e515813 100644
--- a/kernel/trace/tracing_map.c
+++ b/kernel/trace/tracing_map.c
@@ -574,7 +574,12 @@ __tracing_map_insert(struct tracing_map *map, void *key, bool lookup_only)
}
memcpy(elt->key, key, map->key_size);
- entry->val = elt;
+ /*
+ * Ensure the initialization is visible and
+ * publish the elt.
+ */
+ smp_wmb();
+ WRITE_ONCE(entry->val, elt);
atomic64_inc(&map->hits);
return entry->val;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 053/476] afs: Hide silly-rename files from userspace
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 052/476] tracing: Ensure visibility when inserting an element into tracing_map Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 054/476] tcp: Add memory barrier to tcp_push() Greg Kroah-Hartman
` (432 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
linux-afs, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 57e9d49c54528c49b8bffe6d99d782ea051ea534 ]
There appears to be a race between silly-rename files being created/removed
and various userspace tools iterating over the contents of a directory,
leading to such errors as:
find: './kernel/.tmp_cpio_dir/include/dt-bindings/reset/.__afs2080': No such file or directory
tar: ./include/linux/greybus/.__afs3C95: File removed before we read it
when building a kernel.
Fix afs_readdir() so that it doesn't return .__afsXXXX silly-rename files
to userspace. This doesn't stop them being looked up directly by name as
we need to be able to look them up from within the kernel as part of the
silly-rename algorithm.
Fixes: 79ddbfa500b3 ("afs: Implement sillyrename for unlink and rename")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/dir.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/afs/dir.c b/fs/afs/dir.c
index cec18f9f8bd7..106426de5027 100644
--- a/fs/afs/dir.c
+++ b/fs/afs/dir.c
@@ -492,6 +492,14 @@ static int afs_dir_iterate_block(struct afs_vnode *dvnode,
continue;
}
+ /* Don't expose silly rename entries to userspace. */
+ if (nlen > 6 &&
+ dire->u.name[0] == '.' &&
+ ctx->actor != afs_lookup_filldir &&
+ ctx->actor != afs_lookup_one_filldir &&
+ memcmp(dire->u.name, ".__afs", 6) == 0)
+ continue;
+
/* found the next entry */
if (!dir_emit(ctx, dire->u.name, nlen,
ntohl(dire->u.vnode),
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 054/476] tcp: Add memory barrier to tcp_push()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 053/476] afs: Hide silly-rename files from userspace Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 055/476] netlink: fix potential sleeping issue in mqueue_flush_file Greg Kroah-Hartman
` (431 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salvatore Dipietro, Eric Dumazet,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salvatore Dipietro <dipiets@amazon.com>
[ Upstream commit 7267e8dcad6b2f9fce05a6a06335d7040acbc2b6 ]
On CPUs with weak memory models, reads and updates performed by tcp_push
to the sk variables can get reordered leaving the socket throttled when
it should not. The tasklet running tcp_wfree() may also not observe the
memory updates in time and will skip flushing any packets throttled by
tcp_push(), delaying the sending. This can pathologically cause 40ms
extra latency due to bad interactions with delayed acks.
Adding a memory barrier in tcp_push removes the bug, similarly to the
previous commit bf06200e732d ("tcp: tsq: fix nonagle handling").
smp_mb__after_atomic() is used to not incur in unnecessary overhead
on x86 since not affected.
Patch has been tested using an AWS c7g.2xlarge instance with Ubuntu
22.04 and Apache Tomcat 9.0.83 running the basic servlet below:
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class HelloWorldServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=utf-8");
OutputStreamWriter osw = new OutputStreamWriter(response.getOutputStream(),"UTF-8");
String s = "a".repeat(3096);
osw.write(s,0,s.length());
osw.flush();
}
}
Load was applied using wrk2 (https://github.com/kinvolk/wrk2) from an AWS
c6i.8xlarge instance. Before the patch an additional 40ms latency from P99.99+
values is observed while, with the patch, the extra latency disappears.
No patch and tcp_autocorking=1
./wrk -t32 -c128 -d40s --latency -R10000 http://172.31.60.173:8080/hello/hello
...
50.000% 0.91ms
75.000% 1.13ms
90.000% 1.46ms
99.000% 1.74ms
99.900% 1.89ms
99.990% 41.95ms <<< 40+ ms extra latency
99.999% 48.32ms
100.000% 48.96ms
With patch and tcp_autocorking=1
./wrk -t32 -c128 -d40s --latency -R10000 http://172.31.60.173:8080/hello/hello
...
50.000% 0.90ms
75.000% 1.13ms
90.000% 1.45ms
99.000% 1.72ms
99.900% 1.83ms
99.990% 2.11ms <<< no 40+ ms extra latency
99.999% 2.53ms
100.000% 2.62ms
Patch has been also tested on x86 (m7i.2xlarge instance) which it is not
affected by this issue and the patch doesn't introduce any additional
delay.
Fixes: 7aa5470c2c09 ("tcp: tsq: move tsq_flags close to sk_wmem_alloc")
Signed-off-by: Salvatore Dipietro <dipiets@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240119190133.43698-1-dipiets@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 86dff7abdfd6..0659f0d9414d 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -722,6 +722,7 @@ void tcp_push(struct sock *sk, int flags, int mss_now,
if (!test_bit(TSQ_THROTTLED, &sk->sk_tsq_flags)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAUTOCORKING);
set_bit(TSQ_THROTTLED, &sk->sk_tsq_flags);
+ smp_mb__after_atomic();
}
/* It is possible TX completion already happened
* before we set TSQ_THROTTLED.
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 055/476] netlink: fix potential sleeping issue in mqueue_flush_file
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 054/476] tcp: Add memory barrier to tcp_push() Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 056/476] ipv6: init the accept_queues spinlocks in inet6_create Greg Kroah-Hartman
` (430 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit 234ec0b6034b16869d45128b8cd2dc6ffe596f04 ]
I analyze the potential sleeping issue of the following processes:
Thread A Thread B
... netlink_create //ref = 1
do_mq_notify ...
sock = netlink_getsockbyfilp ... //ref = 2
info->notify_sock = sock; ...
... netlink_sendmsg
... skb = netlink_alloc_large_skb //skb->head is vmalloced
... netlink_unicast
... sk = netlink_getsockbyportid //ref = 3
... netlink_sendskb
... __netlink_sendskb
... skb_queue_tail //put skb to sk_receive_queue
... sock_put //ref = 2
... ...
... netlink_release
... deferred_put_nlk_sk //ref = 1
mqueue_flush_file
spin_lock
remove_notification
netlink_sendskb
sock_put //ref = 0
sk_free
...
__sk_destruct
netlink_sock_destruct
skb_queue_purge //get skb from sk_receive_queue
...
__skb_queue_purge_reason
kfree_skb_reason
__kfree_skb
...
skb_release_all
skb_release_head_state
netlink_skb_destructor
vfree(skb->head) //sleeping while holding spinlock
In netlink_sendmsg, if the memory pointed to by skb->head is allocated by
vmalloc, and is put to sk_receive_queue queue, also the skb is not freed.
When the mqueue executes flush, the sleeping bug will occur. Use
vfree_atomic instead of vfree in netlink_skb_destructor to solve the issue.
Fixes: c05cdb1b864f ("netlink: allow large data transfers from user-space")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Link: https://lore.kernel.org/r/20240122011807.2110357-1-shaozhengchao@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlink/af_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index f41e130a812f..2169a9c3da1c 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -374,7 +374,7 @@ static void netlink_skb_destructor(struct sk_buff *skb)
if (is_vmalloc_addr(skb->head)) {
if (!skb->cloned ||
!atomic_dec_return(&(skb_shinfo(skb)->dataref)))
- vfree(skb->head);
+ vfree_atomic(skb->head);
skb->head = NULL;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 056/476] ipv6: init the accept_queues spinlocks in inet6_create
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 055/476] netlink: fix potential sleeping issue in mqueue_flush_file Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 057/476] net/mlx5: DR, Use the right GVMI number for drop action Greg Kroah-Hartman
` (429 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Eric Dumazet,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit 435e202d645c197dcfd39d7372eb2a56529b6640 ]
In commit 198bc90e0e73("tcp: make sure init the accept_queue's spinlocks
once"), the spinlocks of accept_queue are initialized only when socket is
created in the inet4 scenario. The locks are not initialized when socket
is created in the inet6 scenario. The kernel reports the following error:
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:107)
register_lock_class (kernel/locking/lockdep.c:1289)
__lock_acquire (kernel/locking/lockdep.c:5015)
lock_acquire.part.0 (kernel/locking/lockdep.c:5756)
_raw_spin_lock_bh (kernel/locking/spinlock.c:178)
inet_csk_listen_stop (net/ipv4/inet_connection_sock.c:1386)
tcp_disconnect (net/ipv4/tcp.c:2981)
inet_shutdown (net/ipv4/af_inet.c:935)
__sys_shutdown (./include/linux/file.h:32 net/socket.c:2438)
__x64_sys_shutdown (net/socket.c:2445)
do_syscall_64 (arch/x86/entry/common.c:52)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
RIP: 0033:0x7f52ecd05a3d
Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48
RSP: 002b:00007f52ecf5dde8 EFLAGS: 00000293 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00007f52ecf5e640 RCX: 00007f52ecd05a3d
RDX: 00007f52ecc8b188 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f52ecf5de20 R08: 00007ffdae45c69f R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f52ecf5e640
R13: 0000000000000000 R14: 00007f52ecc8b060 R15: 00007ffdae45c6e0
Fixes: 198bc90e0e73 ("tcp: make sure init the accept_queue's spinlocks once")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240122102001.2851701-1-shaozhengchao@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/af_inet6.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 164b130203f1..1da7fa58f714 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -198,6 +198,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
if (INET_PROTOSW_REUSE & answer_flags)
sk->sk_reuse = SK_CAN_REUSE;
+ if (INET_PROTOSW_ICSK & answer_flags)
+ inet_init_csk_locks(sk);
+
inet = inet_sk(sk);
inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) != 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 057/476] net/mlx5: DR, Use the right GVMI number for drop action
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 056/476] ipv6: init the accept_queues spinlocks in inet6_create Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 058/476] net/mlx5: DR, Replace local WIRE_PORT macro with the existing MLX5_VPORT_UPLINK Greg Kroah-Hartman
` (428 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yevgeny Kliteynik, Saeed Mahameed,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yevgeny Kliteynik <kliteyn@nvidia.com>
[ Upstream commit 5665954293f13642f9c052ead83c1e9d8cff186f ]
When FW provides ICM addresses for drop RX/TX, the provided capability
is 64 bits that contain its GVMI as well as the ICM address itself.
In case of TX DROP this GVMI is different from the GVMI that the
domain is operating on.
This patch fixes the action to use these GVMI IDs, as provided by FW.
Fixes: 9db810ed2d37 ("net/mlx5: DR, Expose steering action functionality")
Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
index 897c7f852123..380e3294df43 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
@@ -579,6 +579,7 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher,
switch (action_type) {
case DR_ACTION_TYP_DROP:
attr.final_icm_addr = nic_dmn->drop_icm_addr;
+ attr.hit_gvmi = nic_dmn->drop_icm_addr >> 48;
break;
case DR_ACTION_TYP_FT:
dest_action = action;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 058/476] net/mlx5: DR, Replace local WIRE_PORT macro with the existing MLX5_VPORT_UPLINK
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 057/476] net/mlx5: DR, Use the right GVMI number for drop action Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 059/476] net/mlx5: DR, Align mlx5dv_dr API vport action with FW behavior Greg Kroah-Hartman
` (427 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yevgeny Kliteynik, Saeed Mahameed,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yevgeny Kliteynik <kliteyn@nvidia.com>
[ Upstream commit 7ae8ac9a582088c85154970982766617c9ebf8dc ]
SW steering defines its own macro for uplink vport number.
Replace this macro with an already existing mlx5 macro.
Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Stable-dep-of: 5b2a2523eeea ("net/mlx5: DR, Can't go to uplink vport on RX rule")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 2 +-
.../net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c | 4 ++--
.../net/ethernet/mellanox/mlx5/core/steering/dr_types.h | 7 +++----
4 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
index 380e3294df43..3f074d09a5fc 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
@@ -670,7 +670,7 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher,
attr.hit_gvmi = action->vport->caps->vhca_gvmi;
dest_action = action;
if (rx_rule) {
- if (action->vport->caps->num == WIRE_PORT) {
+ if (action->vport->caps->num == MLX5_VPORT_UPLINK) {
mlx5dr_dbg(dmn, "Device doesn't support Loopback on WIRE vport\n");
return -EOPNOTSUPP;
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
index ea1b8ca5bf3a..fe2c2b4113f5 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
@@ -171,7 +171,7 @@ static int dr_domain_query_vports(struct mlx5dr_domain *dmn)
/* Last vport is the wire port */
wire_vport = &dmn->info.caps.vports_caps[vport];
- wire_vport->num = WIRE_PORT;
+ wire_vport->num = MLX5_VPORT_UPLINK;
wire_vport->icm_address_rx = esw_caps->uplink_icm_address_rx;
wire_vport->icm_address_tx = esw_caps->uplink_icm_address_tx;
wire_vport->vport_gvmi = 0;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
index aca80efc28fa..323ea138ad99 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
@@ -1042,10 +1042,10 @@ static bool dr_rule_skip(enum mlx5dr_domain_type domain,
return false;
if (mask->misc.source_port) {
- if (rx && value->misc.source_port != WIRE_PORT)
+ if (rx && value->misc.source_port != MLX5_VPORT_UPLINK)
return true;
- if (!rx && value->misc.source_port == WIRE_PORT)
+ if (!rx && value->misc.source_port == MLX5_VPORT_UPLINK)
return true;
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
index 9e2102f8bed1..175b9450c9aa 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
@@ -4,7 +4,7 @@
#ifndef _DR_TYPES_
#define _DR_TYPES_
-#include <linux/mlx5/driver.h>
+#include <linux/mlx5/vport.h>
#include <linux/refcount.h>
#include "fs_core.h"
#include "wq.h"
@@ -14,7 +14,6 @@
#define DR_RULE_MAX_STES 18
#define DR_ACTION_MAX_STES 5
-#define WIRE_PORT 0xFFFF
#define DR_STE_SVLAN 0x1
#define DR_STE_CVLAN 0x2
#define DR_SZ_MATCH_PARAM (MLX5_ST_SZ_DW_MATCH_PARAM * 4)
@@ -1116,10 +1115,10 @@ static inline struct mlx5dr_cmd_vport_cap *
mlx5dr_get_vport_cap(struct mlx5dr_cmd_caps *caps, u32 vport)
{
if (!caps->vports_caps ||
- (vport >= caps->num_vports && vport != WIRE_PORT))
+ (vport >= caps->num_vports && vport != MLX5_VPORT_UPLINK))
return NULL;
- if (vport == WIRE_PORT)
+ if (vport == MLX5_VPORT_UPLINK)
vport = caps->num_vports;
return &caps->vports_caps[vport];
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 059/476] net/mlx5: DR, Align mlx5dv_dr API vport action with FW behavior
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 058/476] net/mlx5: DR, Replace local WIRE_PORT macro with the existing MLX5_VPORT_UPLINK Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 060/476] net/mlx5: DR, Cant go to uplink vport on RX rule Greg Kroah-Hartman
` (426 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shun Hao, Alex Vesker,
Saeed Mahameed, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shun Hao <shunh@nvidia.com>
[ Upstream commit aa818fbf8f36e8c6f3e608ea960567906c2d6112 ]
This aligns the behavior with FW when creating an FDB rule with wire
vport destination but no source port matching. Until now such rules
would fail on internal DR RX rule creation since the source and
destination are the wire vport.
The new behavior is the same as done on FW steering, if destination is
wire, we will create both TX and RX rules, but the RX packet coming from
wire will be dropped due to loopback not supported.
Signed-off-by: Shun Hao <shunh@nvidia.com>
Reviewed-by: Alex Vesker <valex@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Stable-dep-of: 5b2a2523eeea ("net/mlx5: DR, Can't go to uplink vport on RX rule")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/mellanox/mlx5/core/steering/dr_action.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
index 3f074d09a5fc..1cd0276fc991 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
@@ -669,15 +669,9 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher,
case DR_ACTION_TYP_VPORT:
attr.hit_gvmi = action->vport->caps->vhca_gvmi;
dest_action = action;
- if (rx_rule) {
- if (action->vport->caps->num == MLX5_VPORT_UPLINK) {
- mlx5dr_dbg(dmn, "Device doesn't support Loopback on WIRE vport\n");
- return -EOPNOTSUPP;
- }
- attr.final_icm_addr = action->vport->caps->icm_address_rx;
- } else {
- attr.final_icm_addr = action->vport->caps->icm_address_tx;
- }
+ attr.final_icm_addr = rx_rule ?
+ action->vport->caps->icm_address_rx :
+ action->vport->caps->icm_address_tx;
break;
case DR_ACTION_TYP_POP_VLAN:
if (!rx_rule && !(dmn->ste_ctx->actions_caps &
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 060/476] net/mlx5: DR, Cant go to uplink vport on RX rule
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 059/476] net/mlx5: DR, Align mlx5dv_dr API vport action with FW behavior Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 061/476] net/mlx5e: fix a double-free in arfs_create_groups Greg Kroah-Hartman
` (425 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yevgeny Kliteynik, Erez Shitrit,
Saeed Mahameed, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yevgeny Kliteynik <kliteyn@nvidia.com>
[ Upstream commit 5b2a2523eeea5f03d39a9d1ff1bad2e9f8eb98d2 ]
Go-To-Vport action on RX is not allowed when the vport is uplink.
In such case, the packet should be dropped.
Fixes: 9db810ed2d37 ("net/mlx5: DR, Expose steering action functionality")
Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
Reviewed-by: Erez Shitrit <erezsh@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/steering/dr_action.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
index 1cd0276fc991..51453d082966 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
@@ -667,11 +667,17 @@ int mlx5dr_actions_build_ste_arr(struct mlx5dr_matcher *matcher,
action->sampler->tx_icm_addr;
break;
case DR_ACTION_TYP_VPORT:
- attr.hit_gvmi = action->vport->caps->vhca_gvmi;
- dest_action = action;
- attr.final_icm_addr = rx_rule ?
- action->vport->caps->icm_address_rx :
- action->vport->caps->icm_address_tx;
+ if (unlikely(rx_rule && action->vport->caps->num == MLX5_VPORT_UPLINK)) {
+ /* can't go to uplink on RX rule - dropping instead */
+ attr.final_icm_addr = nic_dmn->drop_icm_addr;
+ attr.hit_gvmi = nic_dmn->drop_icm_addr >> 48;
+ } else {
+ attr.hit_gvmi = action->vport->caps->vhca_gvmi;
+ dest_action = action;
+ attr.final_icm_addr = rx_rule ?
+ action->vport->caps->icm_address_rx :
+ action->vport->caps->icm_address_tx;
+ }
break;
case DR_ACTION_TYP_POP_VLAN:
if (!rx_rule && !(dmn->ste_ctx->actions_caps &
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 061/476] net/mlx5e: fix a double-free in arfs_create_groups
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 060/476] net/mlx5: DR, Cant go to uplink vport on RX rule Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 062/476] net/mlx5e: fix a potential double-free in fs_any_create_groups Greg Kroah-Hartman
` (424 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhipeng Lu, Simon Horman,
Saeed Mahameed, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhipeng Lu <alexious@zju.edu.cn>
[ Upstream commit 3c6d5189246f590e4e1f167991558bdb72a4738b ]
When `in` allocated by kvzalloc fails, arfs_create_groups will free
ft->g and return an error. However, arfs_create_table, the only caller of
arfs_create_groups, will hold this error and call to
mlx5e_destroy_flow_table, in which the ft->g will be freed again.
Fixes: 1cabe6b0965e ("net/mlx5e: Create aRFS flow tables")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/en_arfs.c | 26 +++++++++++--------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
index fe5d82fa6e92..313d62d38af8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
@@ -239,11 +239,13 @@ static int arfs_create_groups(struct mlx5e_flow_table *ft,
ft->g = kcalloc(MLX5E_ARFS_NUM_GROUPS,
sizeof(*ft->g), GFP_KERNEL);
- in = kvzalloc(inlen, GFP_KERNEL);
- if (!in || !ft->g) {
- kfree(ft->g);
- kvfree(in);
+ if (!ft->g)
return -ENOMEM;
+
+ in = kvzalloc(inlen, GFP_KERNEL);
+ if (!in) {
+ err = -ENOMEM;
+ goto err_free_g;
}
mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria);
@@ -263,7 +265,7 @@ static int arfs_create_groups(struct mlx5e_flow_table *ft,
break;
default:
err = -EINVAL;
- goto out;
+ goto err_free_in;
}
switch (type) {
@@ -285,7 +287,7 @@ static int arfs_create_groups(struct mlx5e_flow_table *ft,
break;
default:
err = -EINVAL;
- goto out;
+ goto err_free_in;
}
MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS);
@@ -294,7 +296,7 @@ static int arfs_create_groups(struct mlx5e_flow_table *ft,
MLX5_SET_CFG(in, end_flow_index, ix - 1);
ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in);
if (IS_ERR(ft->g[ft->num_groups]))
- goto err;
+ goto err_clean_group;
ft->num_groups++;
memset(in, 0, inlen);
@@ -303,18 +305,20 @@ static int arfs_create_groups(struct mlx5e_flow_table *ft,
MLX5_SET_CFG(in, end_flow_index, ix - 1);
ft->g[ft->num_groups] = mlx5_create_flow_group(ft->t, in);
if (IS_ERR(ft->g[ft->num_groups]))
- goto err;
+ goto err_clean_group;
ft->num_groups++;
kvfree(in);
return 0;
-err:
+err_clean_group:
err = PTR_ERR(ft->g[ft->num_groups]);
ft->g[ft->num_groups] = NULL;
-out:
+err_free_in:
kvfree(in);
-
+err_free_g:
+ kfree(ft->g);
+ ft->g = NULL;
return err;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 062/476] net/mlx5e: fix a potential double-free in fs_any_create_groups
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 061/476] net/mlx5e: fix a double-free in arfs_create_groups Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 063/476] overflow: Allow mixed type arguments Greg Kroah-Hartman
` (423 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dinghao Liu, Tariq Toukan,
Simon Horman, Saeed Mahameed, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit aef855df7e1bbd5aa4484851561211500b22707e ]
When kcalloc() for ft->g succeeds but kvzalloc() for in fails,
fs_any_create_groups() will free ft->g. However, its caller
fs_any_create_table() will free ft->g again through calling
mlx5e_destroy_flow_table(), which will lead to a double-free.
Fix this by setting ft->g to NULL in fs_any_create_groups().
Fixes: 0f575c20bf06 ("net/mlx5e: Introduce Flow Steering ANY API")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
index b26edbc53cad..05905e988431 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
@@ -435,6 +435,7 @@ static int fs_any_create_groups(struct mlx5e_flow_table *ft)
in = kvzalloc(inlen, GFP_KERNEL);
if (!in || !ft->g) {
kfree(ft->g);
+ ft->g = NULL;
kvfree(in);
return -ENOMEM;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 063/476] overflow: Allow mixed type arguments
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 062/476] net/mlx5e: fix a potential double-free in fs_any_create_groups Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 064/476] netfilter: nft_limit: reject configurations that cause integer overflow Greg Kroah-Hartman
` (422 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rasmus Villemoes, Gwan-gyeong Mun,
Gustavo A. R. Silva, Nick Desaulniers, linux-hardening,
Andrzej Hajda, Kees Cook
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 upstream.
When the check_[op]_overflow() helpers were introduced, all arguments
were required to be the same type to make the fallback macros simpler.
However, now that the fallback macros have been removed[1], it is fine
to allow mixed types, which makes using the helpers much more useful,
as they can be used to test for type-based overflows (e.g. adding two
large ints but storing into a u8), as would be handy in the drm core[2].
Remove the restriction, and add additional self-tests that exercise
some of the mixed-type overflow cases, and double-check for accidental
macro side-effects.
[1] https://git.kernel.org/linus/4eb6bd55cfb22ffc20652732340c4962f3ac9a91
[2] https://lore.kernel.org/lkml/20220824084514.2261614-2-gwan-gyeong.mun@intel.com
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: linux-hardening@vger.kernel.org
Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Tested-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
[ dropped the test portion of the commit as that doesn't apply to
5.15.y - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/overflow.h | 72 ++++++++++++++++++++++++++---------------------
1 file changed, 41 insertions(+), 31 deletions(-)
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -51,40 +51,50 @@ static inline bool __must_check __must_c
return unlikely(overflow);
}
-/*
- * For simplicity and code hygiene, the fallback code below insists on
- * a, b and *d having the same type (similar to the min() and max()
- * macros), whereas gcc's type-generic overflow checkers accept
- * different types. Hence we don't just make check_add_overflow an
- * alias for __builtin_add_overflow, but add type checks similar to
- * below.
+/** check_add_overflow() - Calculate addition with overflow checking
+ *
+ * @a: first addend
+ * @b: second addend
+ * @d: pointer to store sum
+ *
+ * Returns 0 on success.
+ *
+ * *@d holds the results of the attempted addition, but is not considered
+ * "safe for use" on a non-zero return value, which indicates that the
+ * sum has overflowed or been truncated.
*/
-#define check_add_overflow(a, b, d) __must_check_overflow(({ \
- typeof(a) __a = (a); \
- typeof(b) __b = (b); \
- typeof(d) __d = (d); \
- (void) (&__a == &__b); \
- (void) (&__a == __d); \
- __builtin_add_overflow(__a, __b, __d); \
-}))
+#define check_add_overflow(a, b, d) \
+ __must_check_overflow(__builtin_add_overflow(a, b, d))
-#define check_sub_overflow(a, b, d) __must_check_overflow(({ \
- typeof(a) __a = (a); \
- typeof(b) __b = (b); \
- typeof(d) __d = (d); \
- (void) (&__a == &__b); \
- (void) (&__a == __d); \
- __builtin_sub_overflow(__a, __b, __d); \
-}))
+/** check_sub_overflow() - Calculate subtraction with overflow checking
+ *
+ * @a: minuend; value to subtract from
+ * @b: subtrahend; value to subtract from @a
+ * @d: pointer to store difference
+ *
+ * Returns 0 on success.
+ *
+ * *@d holds the results of the attempted subtraction, but is not considered
+ * "safe for use" on a non-zero return value, which indicates that the
+ * difference has underflowed or been truncated.
+ */
+#define check_sub_overflow(a, b, d) \
+ __must_check_overflow(__builtin_sub_overflow(a, b, d))
-#define check_mul_overflow(a, b, d) __must_check_overflow(({ \
- typeof(a) __a = (a); \
- typeof(b) __b = (b); \
- typeof(d) __d = (d); \
- (void) (&__a == &__b); \
- (void) (&__a == __d); \
- __builtin_mul_overflow(__a, __b, __d); \
-}))
+/** check_mul_overflow() - Calculate multiplication with overflow checking
+ *
+ * @a: first factor
+ * @b: second factor
+ * @d: pointer to store product
+ *
+ * Returns 0 on success.
+ *
+ * *@d holds the results of the attempted multiplication, but is not
+ * considered "safe for use" on a non-zero return value, which indicates
+ * that the product has overflowed or been truncated.
+ */
+#define check_mul_overflow(a, b, d) \
+ __must_check_overflow(__builtin_mul_overflow(a, b, d))
/** check_shl_overflow() - Calculate a left-shifted value and check overflow
*
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 064/476] netfilter: nft_limit: reject configurations that cause integer overflow
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 063/476] overflow: Allow mixed type arguments Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 065/476] netfilter: nf_tables: restrict anonymous set and map names to 16 bytes Greg Kroah-Hartman
` (421 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit c9d9eb9c53d37cdebbad56b91e40baf42d5a97aa ]
Reject bogus configs where internal token counter wraps around.
This only occurs with very very large requests, such as 17gbyte/s.
Its better to reject this rather than having incorrect ratelimit.
Fixes: d2168e849ebf ("netfilter: nft_limit: add per-byte limiting")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_limit.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index 593fa07f10d5..b23a671fa9d8 100644
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -58,17 +58,19 @@ static inline bool nft_limit_eval(struct nft_limit_priv *priv, u64 cost)
static int nft_limit_init(struct nft_limit_priv *priv,
const struct nlattr * const tb[], bool pkts)
{
+ u64 unit, tokens, rate_with_burst;
bool invert = false;
- u64 unit, tokens;
if (tb[NFTA_LIMIT_RATE] == NULL ||
tb[NFTA_LIMIT_UNIT] == NULL)
return -EINVAL;
priv->rate = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_RATE]));
+ if (priv->rate == 0)
+ return -EINVAL;
+
unit = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_UNIT]));
- priv->nsecs = unit * NSEC_PER_SEC;
- if (priv->rate == 0 || priv->nsecs < unit)
+ if (check_mul_overflow(unit, NSEC_PER_SEC, &priv->nsecs))
return -EOVERFLOW;
if (tb[NFTA_LIMIT_BURST])
@@ -77,18 +79,25 @@ static int nft_limit_init(struct nft_limit_priv *priv,
if (pkts && priv->burst == 0)
priv->burst = NFT_LIMIT_PKT_BURST_DEFAULT;
- if (priv->rate + priv->burst < priv->rate)
+ if (check_add_overflow(priv->rate, priv->burst, &rate_with_burst))
return -EOVERFLOW;
if (pkts) {
- tokens = div64_u64(priv->nsecs, priv->rate) * priv->burst;
+ u64 tmp = div64_u64(priv->nsecs, priv->rate);
+
+ if (check_mul_overflow(tmp, priv->burst, &tokens))
+ return -EOVERFLOW;
} else {
+ u64 tmp;
+
/* The token bucket size limits the number of tokens can be
* accumulated. tokens_max specifies the bucket size.
* tokens_max = unit * (rate + burst) / rate.
*/
- tokens = div64_u64(priv->nsecs * (priv->rate + priv->burst),
- priv->rate);
+ if (check_mul_overflow(priv->nsecs, rate_with_burst, &tmp))
+ return -EOVERFLOW;
+
+ tokens = div64_u64(tmp, priv->rate);
}
if (tb[NFTA_LIMIT_FLAGS]) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 065/476] netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 064/476] netfilter: nft_limit: reject configurations that cause integer overflow Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 066/476] netfilter: nf_tables: validate NFPROTO_* family Greg Kroah-Hartman
` (420 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit b462579b2b86a8f5230543cadd3a4836be27baf7 ]
nftables has two types of sets/maps, one where userspace defines the
name, and anonymous sets/maps, where userspace defines a template name.
For the latter, kernel requires presence of exactly one "%d".
nftables uses "__set%d" and "__map%d" for this. The kernel will
expand the format specifier and replaces it with the smallest unused
number.
As-is, userspace could define a template name that allows to move
the set name past the 256 bytes upperlimit (post-expansion).
I don't see how this could be a problem, but I would prefer if userspace
cannot do this, so add a limit of 16 bytes for the '%d' template name.
16 bytes is the old total upper limit for set names that existed when
nf_tables was merged initially.
Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e2e3ccbb635f..eee9350db60e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -24,6 +24,7 @@
#include <net/sock.h>
#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
+#define NFT_SET_MAX_ANONLEN 16
unsigned int nf_tables_net_id __read_mostly;
@@ -4057,6 +4058,9 @@ static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
if (p[1] != 'd' || strchr(p + 2, '%'))
return -EINVAL;
+ if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
+ return -EINVAL;
+
inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
if (inuse == NULL)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 066/476] netfilter: nf_tables: validate NFPROTO_* family
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 065/476] netfilter: nf_tables: restrict anonymous set and map names to 16 bytes Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 067/476] net: stmmac: Wait a bit for the reset to take effect Greg Kroah-Hartman
` (419 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit d0009effa8862c20a13af4cb7475d9771b905693 ]
Several expressions explicitly refer to NF_INET_* hook definitions
from expr->ops->validate, however, family is not validated.
Bail out with EOPNOTSUPP in case they are used from unsupported
families.
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
Fixes: 2fa841938c64 ("netfilter: nf_tables: introduce routing expression")
Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Fixes: 6c47260250fc ("netfilter: nf_tables: add xfrm expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_compat.c | 12 ++++++++++++
net/netfilter/nft_flow_offload.c | 5 +++++
net/netfilter/nft_nat.c | 5 +++++
net/netfilter/nft_rt.c | 5 +++++
net/netfilter/nft_socket.c | 5 +++++
net/netfilter/nft_synproxy.c | 7 +++++--
net/netfilter/nft_tproxy.c | 5 +++++
net/netfilter/nft_xfrm.c | 5 +++++
8 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index f69cc73c5813..3fb8d7fb21af 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -349,6 +349,12 @@ static int nft_target_validate(const struct nft_ctx *ctx,
unsigned int hook_mask = 0;
int ret;
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_BRIDGE &&
+ ctx->family != NFPROTO_ARP)
+ return -EOPNOTSUPP;
+
if (nft_is_base_chain(ctx->chain)) {
const struct nft_base_chain *basechain =
nft_base_chain(ctx->chain);
@@ -592,6 +598,12 @@ static int nft_match_validate(const struct nft_ctx *ctx,
unsigned int hook_mask = 0;
int ret;
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_BRIDGE &&
+ ctx->family != NFPROTO_ARP)
+ return -EOPNOTSUPP;
+
if (nft_is_base_chain(ctx->chain)) {
const struct nft_base_chain *basechain =
nft_base_chain(ctx->chain);
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index a5fc7213be3e..f8346497c9b4 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -357,6 +357,11 @@ static int nft_flow_offload_validate(const struct nft_ctx *ctx,
{
unsigned int hook_mask = (1 << NF_INET_FORWARD);
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_INET)
+ return -EOPNOTSUPP;
+
return nft_chain_validate_hooks(ctx->chain, hook_mask);
}
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index cd4eb4996aff..2e1ee7d9d9c3 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -142,6 +142,11 @@ static int nft_nat_validate(const struct nft_ctx *ctx,
struct nft_nat *priv = nft_expr_priv(expr);
int err;
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_INET)
+ return -EOPNOTSUPP;
+
err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_rt.c b/net/netfilter/nft_rt.c
index bcd01a63e38f..f4a96164a5a1 100644
--- a/net/netfilter/nft_rt.c
+++ b/net/netfilter/nft_rt.c
@@ -166,6 +166,11 @@ static int nft_rt_validate(const struct nft_ctx *ctx, const struct nft_expr *exp
const struct nft_rt *priv = nft_expr_priv(expr);
unsigned int hooks;
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_INET)
+ return -EOPNOTSUPP;
+
switch (priv->key) {
case NFT_RT_NEXTHOP4:
case NFT_RT_NEXTHOP6:
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 1725e7349f3d..3c444fcb20ec 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -214,6 +214,11 @@ static int nft_socket_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_INET)
+ return -EOPNOTSUPP;
+
return nft_chain_validate_hooks(ctx->chain,
(1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN) |
diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index 1133e06f3c40..0806813d3a76 100644
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -186,7 +186,6 @@ static int nft_synproxy_do_init(const struct nft_ctx *ctx,
break;
#endif
case NFPROTO_INET:
- case NFPROTO_BRIDGE:
err = nf_synproxy_ipv4_init(snet, ctx->net);
if (err)
goto nf_ct_failure;
@@ -219,7 +218,6 @@ static void nft_synproxy_do_destroy(const struct nft_ctx *ctx)
break;
#endif
case NFPROTO_INET:
- case NFPROTO_BRIDGE:
nf_synproxy_ipv4_fini(snet, ctx->net);
nf_synproxy_ipv6_fini(snet, ctx->net);
break;
@@ -253,6 +251,11 @@ static int nft_synproxy_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_INET)
+ return -EOPNOTSUPP;
+
return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) |
(1 << NF_INET_FORWARD));
}
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index e9679cb4afbe..5c1ef4709c49 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -316,6 +316,11 @@ static int nft_tproxy_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_INET)
+ return -EOPNOTSUPP;
+
return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
}
diff --git a/net/netfilter/nft_xfrm.c b/net/netfilter/nft_xfrm.c
index 3553f89fd057..e96f3420947f 100644
--- a/net/netfilter/nft_xfrm.c
+++ b/net/netfilter/nft_xfrm.c
@@ -233,6 +233,11 @@ static int nft_xfrm_validate(const struct nft_ctx *ctx, const struct nft_expr *e
const struct nft_xfrm *priv = nft_expr_priv(expr);
unsigned int hooks;
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_INET)
+ return -EOPNOTSUPP;
+
switch (priv->dir) {
case XFRM_POLICY_IN:
hooks = (1 << NF_INET_FORWARD) |
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 067/476] net: stmmac: Wait a bit for the reset to take effect
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 066/476] netfilter: nf_tables: validate NFPROTO_* family Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 068/476] net: mvpp2: clear BM pool before initialization Greg Kroah-Hartman
` (418 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bernd Edlinger, Jiri Pirko,
Serge Semin, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
[ Upstream commit a5f5eee282a0aae80227697e1d9c811b1726d31d ]
otherwise the synopsys_id value may be read out wrong,
because the GMAC_VERSION register might still be in reset
state, for at least 1 us after the reset is de-asserted.
Add a wait for 10 us before continuing to be on the safe side.
> From what have you got that delay value?
Just try and error, with very old linux versions and old gcc versions
the synopsys_id was read out correctly most of the time (but not always),
with recent linux versions and recnet gcc versions it was read out
wrongly most of the time, but again not always.
I don't have access to the VHDL code in question, so I cannot
tell why it takes so long to get the correct values, I also do not
have more than a few hardware samples, so I cannot tell how long
this timeout must be in worst case.
Experimentally I can tell that the register is read several times
as zero immediately after the reset is de-asserted, also adding several
no-ops is not enough, adding a printk is enough, also udelay(1) seems to
be enough but I tried that not very often, and I have not access to many
hardware samples to be 100% sure about the necessary delay.
And since the udelay here is only executed once per device instance,
it seems acceptable to delay the boot for 10 us.
BTW: my hardware's synopsys id is 0x37.
Fixes: c5e4ddbdfa11 ("net: stmmac: Add support for optional reset control")
Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Link: https://lore.kernel.org/r/AS8P193MB1285A810BD78C111E7F6AA34E4752@AS8P193MB1285.EURP193.PROD.OUTLOOK.COM
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index ede630bfad2f..ab3ded6e0e6a 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -7096,6 +7096,9 @@ int stmmac_dvr_probe(struct device *device,
dev_err(priv->device, "unable to bring out of ahb reset: %pe\n",
ERR_PTR(ret));
+ /* Wait a bit for the reset to take effect */
+ udelay(10);
+
/* Init MAC and get the capabilities */
ret = stmmac_hw_init(priv);
if (ret)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 068/476] net: mvpp2: clear BM pool before initialization
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 067/476] net: stmmac: Wait a bit for the reset to take effect Greg Kroah-Hartman
@ 2024-02-21 13:01 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 069/476] selftests: netdevsim: fix the udp_tunnel_nic test Greg Kroah-Hartman
` (417 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jenishkumar Maheshbhai Patel,
Maxime Chevallier, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jenishkumar Maheshbhai Patel <jpatel2@marvell.com>
[ Upstream commit 9f538b415db862e74b8c5d3abbccfc1b2b6caa38 ]
Register value persist after booting the kernel using
kexec which results in kernel panic. Thus clear the
BM pool registers before initialisation to fix the issue.
Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
Signed-off-by: Jenishkumar Maheshbhai Patel <jpatel2@marvell.com>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://lore.kernel.org/r/20240119035914.2595665-1-jpatel2@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/marvell/mvpp2/mvpp2_main.c | 27 ++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 31b3ede563c0..ba44d1d9cfcd 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -614,12 +614,38 @@ static void mvpp23_bm_set_8pool_mode(struct mvpp2 *priv)
mvpp2_write(priv, MVPP22_BM_POOL_BASE_ADDR_HIGH_REG, val);
}
+/* Cleanup pool before actual initialization in the OS */
+static void mvpp2_bm_pool_cleanup(struct mvpp2 *priv, int pool_id)
+{
+ unsigned int thread = mvpp2_cpu_to_thread(priv, get_cpu());
+ u32 val;
+ int i;
+
+ /* Drain the BM from all possible residues left by firmware */
+ for (i = 0; i < MVPP2_BM_POOL_SIZE_MAX; i++)
+ mvpp2_thread_read(priv, thread, MVPP2_BM_PHY_ALLOC_REG(pool_id));
+
+ put_cpu();
+
+ /* Stop the BM pool */
+ val = mvpp2_read(priv, MVPP2_BM_POOL_CTRL_REG(pool_id));
+ val |= MVPP2_BM_STOP_MASK;
+ mvpp2_write(priv, MVPP2_BM_POOL_CTRL_REG(pool_id), val);
+}
+
static int mvpp2_bm_init(struct device *dev, struct mvpp2 *priv)
{
enum dma_data_direction dma_dir = DMA_FROM_DEVICE;
int i, err, poolnum = MVPP2_BM_POOLS_NUM;
struct mvpp2_port *port;
+ if (priv->percpu_pools)
+ poolnum = mvpp2_get_nrxqs(priv) * 2;
+
+ /* Clean up the pool state in case it contains stale state */
+ for (i = 0; i < poolnum; i++)
+ mvpp2_bm_pool_cleanup(priv, i);
+
if (priv->percpu_pools) {
for (i = 0; i < priv->port_count; i++) {
port = priv->port_list[i];
@@ -629,7 +655,6 @@ static int mvpp2_bm_init(struct device *dev, struct mvpp2 *priv)
}
}
- poolnum = mvpp2_get_nrxqs(priv) * 2;
for (i = 0; i < poolnum; i++) {
/* the pool in use */
int pn = i / (poolnum / 2);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 069/476] selftests: netdevsim: fix the udp_tunnel_nic test
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2024-02-21 13:01 ` [PATCH 5.15 068/476] net: mvpp2: clear BM pool before initialization Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 070/476] fjes: fix memleaks in fjes_hw_setup Greg Kroah-Hartman
` (416 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 0879020a7817e7ce636372c016b4528f541c9f4d ]
This test is missing a whole bunch of checks for interface
renaming and one ifup. Presumably it was only used on a system
with renaming disabled and NetworkManager running.
Fixes: 91f430b2c49d ("selftests: net: add a test for UDP tunnel info infra")
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240123060529.1033912-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/drivers/net/netdevsim/udp_tunnel_nic.sh | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh b/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
index 1b08e042cf94..185b02d2d4cd 100755
--- a/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
+++ b/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
@@ -269,6 +269,7 @@ for port in 0 1; do
echo 1 > $NSIM_DEV_SYS/new_port
fi
NSIM_NETDEV=`get_netdev_name old_netdevs`
+ ifconfig $NSIM_NETDEV up
msg="new NIC device created"
exp0=( 0 0 0 0 )
@@ -430,6 +431,7 @@ for port in 0 1; do
fi
echo $port > $NSIM_DEV_SYS/new_port
+ NSIM_NETDEV=`get_netdev_name old_netdevs`
ifconfig $NSIM_NETDEV up
overflow_table0 "overflow NIC table"
@@ -487,6 +489,7 @@ for port in 0 1; do
fi
echo $port > $NSIM_DEV_SYS/new_port
+ NSIM_NETDEV=`get_netdev_name old_netdevs`
ifconfig $NSIM_NETDEV up
overflow_table0 "overflow NIC table"
@@ -543,6 +546,7 @@ for port in 0 1; do
fi
echo $port > $NSIM_DEV_SYS/new_port
+ NSIM_NETDEV=`get_netdev_name old_netdevs`
ifconfig $NSIM_NETDEV up
overflow_table0 "destroy NIC"
@@ -572,6 +576,7 @@ for port in 0 1; do
fi
echo $port > $NSIM_DEV_SYS/new_port
+ NSIM_NETDEV=`get_netdev_name old_netdevs`
ifconfig $NSIM_NETDEV up
msg="create VxLANs v6"
@@ -632,6 +637,7 @@ for port in 0 1; do
fi
echo $port > $NSIM_DEV_SYS/new_port
+ NSIM_NETDEV=`get_netdev_name old_netdevs`
ifconfig $NSIM_NETDEV up
echo 110 > $NSIM_DEV_DFS/ports/$port/udp_ports_inject_error
@@ -687,6 +693,7 @@ for port in 0 1; do
fi
echo $port > $NSIM_DEV_SYS/new_port
+ NSIM_NETDEV=`get_netdev_name old_netdevs`
ifconfig $NSIM_NETDEV up
msg="create VxLANs v6"
@@ -746,6 +753,7 @@ for port in 0 1; do
fi
echo $port > $NSIM_DEV_SYS/new_port
+ NSIM_NETDEV=`get_netdev_name old_netdevs`
ifconfig $NSIM_NETDEV up
msg="create VxLANs v6"
@@ -876,6 +884,7 @@ msg="re-add a port"
echo 2 > $NSIM_DEV_SYS/del_port
echo 2 > $NSIM_DEV_SYS/new_port
+NSIM_NETDEV=`get_netdev_name old_netdevs`
check_tables
msg="replace VxLAN in overflow table"
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 070/476] fjes: fix memleaks in fjes_hw_setup
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 069/476] selftests: netdevsim: fix the udp_tunnel_nic test Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 071/476] net: fec: fix the unhandled context fault from smmu Greg Kroah-Hartman
` (415 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhipeng Lu, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhipeng Lu <alexious@zju.edu.cn>
[ Upstream commit f6cc4b6a3ae53df425771000e9c9540cce9b7bb1 ]
In fjes_hw_setup, it allocates several memory and delay the deallocation
to the fjes_hw_exit in fjes_probe through the following call chain:
fjes_probe
|-> fjes_hw_init
|-> fjes_hw_setup
|-> fjes_hw_exit
However, when fjes_hw_setup fails, fjes_hw_exit won't be called and thus
all the resources allocated in fjes_hw_setup will be leaked. In this
patch, we free those resources in fjes_hw_setup and prevents such leaks.
Fixes: 2fcbca687702 ("fjes: platform_driver's .probe and .remove routine")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240122172445.3841883-1-alexious@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/fjes/fjes_hw.c | 37 ++++++++++++++++++++++++++++++-------
1 file changed, 30 insertions(+), 7 deletions(-)
diff --git a/drivers/net/fjes/fjes_hw.c b/drivers/net/fjes/fjes_hw.c
index 065bb0a40b1d..a1405a3e294c 100644
--- a/drivers/net/fjes/fjes_hw.c
+++ b/drivers/net/fjes/fjes_hw.c
@@ -220,21 +220,25 @@ static int fjes_hw_setup(struct fjes_hw *hw)
mem_size = FJES_DEV_REQ_BUF_SIZE(hw->max_epid);
hw->hw_info.req_buf = kzalloc(mem_size, GFP_KERNEL);
- if (!(hw->hw_info.req_buf))
- return -ENOMEM;
+ if (!(hw->hw_info.req_buf)) {
+ result = -ENOMEM;
+ goto free_ep_info;
+ }
hw->hw_info.req_buf_size = mem_size;
mem_size = FJES_DEV_RES_BUF_SIZE(hw->max_epid);
hw->hw_info.res_buf = kzalloc(mem_size, GFP_KERNEL);
- if (!(hw->hw_info.res_buf))
- return -ENOMEM;
+ if (!(hw->hw_info.res_buf)) {
+ result = -ENOMEM;
+ goto free_req_buf;
+ }
hw->hw_info.res_buf_size = mem_size;
result = fjes_hw_alloc_shared_status_region(hw);
if (result)
- return result;
+ goto free_res_buf;
hw->hw_info.buffer_share_bit = 0;
hw->hw_info.buffer_unshare_reserve_bit = 0;
@@ -245,11 +249,11 @@ static int fjes_hw_setup(struct fjes_hw *hw)
result = fjes_hw_alloc_epbuf(&buf_pair->tx);
if (result)
- return result;
+ goto free_epbuf;
result = fjes_hw_alloc_epbuf(&buf_pair->rx);
if (result)
- return result;
+ goto free_epbuf;
spin_lock_irqsave(&hw->rx_status_lock, flags);
fjes_hw_setup_epbuf(&buf_pair->tx, mac,
@@ -272,6 +276,25 @@ static int fjes_hw_setup(struct fjes_hw *hw)
fjes_hw_init_command_registers(hw, ¶m);
return 0;
+
+free_epbuf:
+ for (epidx = 0; epidx < hw->max_epid ; epidx++) {
+ if (epidx == hw->my_epid)
+ continue;
+ fjes_hw_free_epbuf(&hw->ep_shm_info[epidx].tx);
+ fjes_hw_free_epbuf(&hw->ep_shm_info[epidx].rx);
+ }
+ fjes_hw_free_shared_status_region(hw);
+free_res_buf:
+ kfree(hw->hw_info.res_buf);
+ hw->hw_info.res_buf = NULL;
+free_req_buf:
+ kfree(hw->hw_info.req_buf);
+ hw->hw_info.req_buf = NULL;
+free_ep_info:
+ kfree(hw->ep_shm_info);
+ hw->ep_shm_info = NULL;
+ return result;
}
static void fjes_hw_cleanup(struct fjes_hw *hw)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 071/476] net: fec: fix the unhandled context fault from smmu
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 070/476] fjes: fix memleaks in fjes_hw_setup Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 072/476] btrfs: fix infinite directory reads Greg Kroah-Hartman
` (414 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shenwei Wang, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shenwei Wang <shenwei.wang@nxp.com>
[ Upstream commit 5e344807735023cd3a67c37a1852b849caa42620 ]
When repeatedly changing the interface link speed using the command below:
ethtool -s eth0 speed 100 duplex full
ethtool -s eth0 speed 1000 duplex full
The following errors may sometimes be reported by the ARM SMMU driver:
[ 5395.035364] fec 5b040000.ethernet eth0: Link is Down
[ 5395.039255] arm-smmu 51400000.iommu: Unhandled context fault:
fsr=0x402, iova=0x00000000, fsynr=0x100001, cbfrsynra=0x852, cb=2
[ 5398.108460] fec 5b040000.ethernet eth0: Link is Up - 100Mbps/Full -
flow control off
It is identified that the FEC driver does not properly stop the TX queue
during the link speed transitions, and this results in the invalid virtual
I/O address translations from the SMMU and causes the context faults.
Fixes: dbc64a8ea231 ("net: fec: move calls to quiesce/resume packet processing out of fec_restart()")
Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
Link: https://lore.kernel.org/r/20240123165141.2008104-1-shenwei.wang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 717d4bc5bac6..39875ccbaa0f 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1813,6 +1813,7 @@ static void fec_enet_adjust_link(struct net_device *ndev)
/* if any of the above changed restart the FEC */
if (status_change) {
+ netif_stop_queue(ndev);
napi_disable(&fep->napi);
netif_tx_lock_bh(ndev);
fec_restart(ndev);
@@ -1822,6 +1823,7 @@ static void fec_enet_adjust_link(struct net_device *ndev)
}
} else {
if (fep->link) {
+ netif_stop_queue(ndev);
napi_disable(&fep->napi);
netif_tx_lock_bh(ndev);
fec_stop(ndev);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 072/476] btrfs: fix infinite directory reads
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 071/476] net: fec: fix the unhandled context fault from smmu Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 073/476] btrfs: set last dir index to the current last index when opening dir Greg Kroah-Hartman
` (413 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable, linux-btrfs
Cc: Greg Kroah-Hartman, patches, Rob Landley, Filipe Manana,
David Sterba, Qu Wenruo, Eugeniu Rosca
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 9b378f6ad48cfa195ed868db9123c09ee7ec5ea2 upstream.
The readdir implementation currently processes always up to the last index
it finds. This however can result in an infinite loop if the directory has
a large number of entries such that they won't all fit in the given buffer
passed to the readdir callback, that is, dir_emit() returns a non-zero
value. Because in that case readdir() will be called again and if in the
meanwhile new directory entries were added and we still can't put all the
remaining entries in the buffer, we keep repeating this over and over.
The following C program and test script reproduce the problem:
$ cat /mnt/readdir_prog.c
#include <sys/types.h>
#include <dirent.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
DIR *dir = opendir(".");
struct dirent *dd;
while ((dd = readdir(dir))) {
printf("%s\n", dd->d_name);
rename(dd->d_name, "TEMPFILE");
rename("TEMPFILE", dd->d_name);
}
closedir(dir);
}
$ gcc -o /mnt/readdir_prog /mnt/readdir_prog.c
$ cat test.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
mkfs.btrfs -f $DEV &> /dev/null
#mkfs.xfs -f $DEV &> /dev/null
#mkfs.ext4 -F $DEV &> /dev/null
mount $DEV $MNT
mkdir $MNT/testdir
for ((i = 1; i <= 2000; i++)); do
echo -n > $MNT/testdir/file_$i
done
cd $MNT/testdir
/mnt/readdir_prog
cd /mnt
umount $MNT
This behaviour is surprising to applications and it's unlike ext4, xfs,
tmpfs, vfat and other filesystems, which always finish. In this case where
new entries were added due to renames, some file names may be reported
more than once, but this varies according to each filesystem - for example
ext4 never reported the same file more than once while xfs reports the
first 13 file names twice.
So change our readdir implementation to track the last index number when
opendir() is called and then make readdir() never process beyond that
index number. This gives the same behaviour as ext4.
Reported-by: Rob Landley <rob@landley.net>
Link: https://lore.kernel.org/linux-btrfs/2c8c55ec-04c6-e0dc-9c5c-8c7924778c35@landley.net/
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217681
CC: stable@vger.kernel.org # 5.15
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ Resolve a conflict due to member changes in 96d89923fa94 ]
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Eugeniu Rosca <eugeniu.rosca@bosch.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ctree.h | 1
fs/btrfs/delayed-inode.c | 5 +
fs/btrfs/delayed-inode.h | 1
fs/btrfs/inode.c | 131 ++++++++++++++++++++++++++++-------------------
4 files changed, 84 insertions(+), 54 deletions(-)
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -1361,6 +1361,7 @@ struct btrfs_drop_extents_args {
struct btrfs_file_private {
void *filldir_buf;
+ u64 last_index;
};
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1513,6 +1513,7 @@ int btrfs_inode_delayed_dir_index_count(
}
bool btrfs_readdir_get_delayed_items(struct inode *inode,
+ u64 last_index,
struct list_head *ins_list,
struct list_head *del_list)
{
@@ -1532,14 +1533,14 @@ bool btrfs_readdir_get_delayed_items(str
mutex_lock(&delayed_node->mutex);
item = __btrfs_first_delayed_insertion_item(delayed_node);
- while (item) {
+ while (item && item->key.offset <= last_index) {
refcount_inc(&item->refs);
list_add_tail(&item->readdir_list, ins_list);
item = __btrfs_next_delayed_item(item);
}
item = __btrfs_first_delayed_deletion_item(delayed_node);
- while (item) {
+ while (item && item->key.offset <= last_index) {
refcount_inc(&item->refs);
list_add_tail(&item->readdir_list, del_list);
item = __btrfs_next_delayed_item(item);
--- a/fs/btrfs/delayed-inode.h
+++ b/fs/btrfs/delayed-inode.h
@@ -123,6 +123,7 @@ void btrfs_destroy_delayed_inodes(struct
/* Used for readdir() */
bool btrfs_readdir_get_delayed_items(struct inode *inode,
+ u64 last_index,
struct list_head *ins_list,
struct list_head *del_list);
void btrfs_readdir_put_delayed_items(struct inode *inode,
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6122,6 +6122,74 @@ static struct dentry *btrfs_lookup(struc
}
/*
+ * Find the highest existing sequence number in a directory and then set the
+ * in-memory index_cnt variable to the first free sequence number.
+ */
+static int btrfs_set_inode_index_count(struct btrfs_inode *inode)
+{
+ struct btrfs_root *root = inode->root;
+ struct btrfs_key key, found_key;
+ struct btrfs_path *path;
+ struct extent_buffer *leaf;
+ int ret;
+
+ key.objectid = btrfs_ino(inode);
+ key.type = BTRFS_DIR_INDEX_KEY;
+ key.offset = (u64)-1;
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
+ if (ret < 0)
+ goto out;
+ /* FIXME: we should be able to handle this */
+ if (ret == 0)
+ goto out;
+ ret = 0;
+
+ if (path->slots[0] == 0) {
+ inode->index_cnt = BTRFS_DIR_START_INDEX;
+ goto out;
+ }
+
+ path->slots[0]--;
+
+ leaf = path->nodes[0];
+ btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]);
+
+ if (found_key.objectid != btrfs_ino(inode) ||
+ found_key.type != BTRFS_DIR_INDEX_KEY) {
+ inode->index_cnt = BTRFS_DIR_START_INDEX;
+ goto out;
+ }
+
+ inode->index_cnt = found_key.offset + 1;
+out:
+ btrfs_free_path(path);
+ return ret;
+}
+
+static int btrfs_get_dir_last_index(struct btrfs_inode *dir, u64 *index)
+{
+ if (dir->index_cnt == (u64)-1) {
+ int ret;
+
+ ret = btrfs_inode_delayed_dir_index_count(dir);
+ if (ret) {
+ ret = btrfs_set_inode_index_count(dir);
+ if (ret)
+ return ret;
+ }
+ }
+
+ *index = dir->index_cnt;
+
+ return 0;
+}
+
+/*
* All this infrastructure exists because dir_emit can fault, and we are holding
* the tree lock when doing readdir. For now just allocate a buffer and copy
* our information into that, and then dir_emit from the buffer. This is
@@ -6133,10 +6201,17 @@ static struct dentry *btrfs_lookup(struc
static int btrfs_opendir(struct inode *inode, struct file *file)
{
struct btrfs_file_private *private;
+ u64 last_index;
+ int ret;
+
+ ret = btrfs_get_dir_last_index(BTRFS_I(inode), &last_index);
+ if (ret)
+ return ret;
private = kzalloc(sizeof(struct btrfs_file_private), GFP_KERNEL);
if (!private)
return -ENOMEM;
+ private->last_index = last_index;
private->filldir_buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
if (!private->filldir_buf) {
kfree(private);
@@ -6205,7 +6280,8 @@ static int btrfs_real_readdir(struct fil
INIT_LIST_HEAD(&ins_list);
INIT_LIST_HEAD(&del_list);
- put = btrfs_readdir_get_delayed_items(inode, &ins_list, &del_list);
+ put = btrfs_readdir_get_delayed_items(inode, private->last_index,
+ &ins_list, &del_list);
again:
key.type = BTRFS_DIR_INDEX_KEY;
@@ -6238,6 +6314,8 @@ again:
break;
if (found_key.offset < ctx->pos)
goto next;
+ if (found_key.offset > private->last_index)
+ break;
if (btrfs_should_delete_dir_index(&del_list, found_key.offset))
goto next;
di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item);
@@ -6372,57 +6450,6 @@ static int btrfs_update_time(struct inod
}
/*
- * find the highest existing sequence number in a directory
- * and then set the in-memory index_cnt variable to reflect
- * free sequence numbers
- */
-static int btrfs_set_inode_index_count(struct btrfs_inode *inode)
-{
- struct btrfs_root *root = inode->root;
- struct btrfs_key key, found_key;
- struct btrfs_path *path;
- struct extent_buffer *leaf;
- int ret;
-
- key.objectid = btrfs_ino(inode);
- key.type = BTRFS_DIR_INDEX_KEY;
- key.offset = (u64)-1;
-
- path = btrfs_alloc_path();
- if (!path)
- return -ENOMEM;
-
- ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
- if (ret < 0)
- goto out;
- /* FIXME: we should be able to handle this */
- if (ret == 0)
- goto out;
- ret = 0;
-
- if (path->slots[0] == 0) {
- inode->index_cnt = BTRFS_DIR_START_INDEX;
- goto out;
- }
-
- path->slots[0]--;
-
- leaf = path->nodes[0];
- btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]);
-
- if (found_key.objectid != btrfs_ino(inode) ||
- found_key.type != BTRFS_DIR_INDEX_KEY) {
- inode->index_cnt = BTRFS_DIR_START_INDEX;
- goto out;
- }
-
- inode->index_cnt = found_key.offset + 1;
-out:
- btrfs_free_path(path);
- return ret;
-}
-
-/*
* helper to find a free sequence number in a given directory. This current
* code is very simple, later versions will do smarter things in the btree
*/
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 073/476] btrfs: set last dir index to the current last index when opening dir
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 072/476] btrfs: fix infinite directory reads Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 074/476] btrfs: refresh dir last index during a rewinddir(3) call Greg Kroah-Hartman
` (412 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable, linux-btrfs
Cc: Greg Kroah-Hartman, patches, erosca@de.adit-jv.com,
Maksim.Paimushkin@se.bosch.com, Matthias.Thomae@de.bosch.com,
Sebastian.Unger@bosch.com, Dirk.Behme@de.bosch.com,
Eugeniu.Rosca@bosch.com, wqu@suse.com, dsterba@suse.com,
stable@vger.kernel.org, Filipe Manana, David Sterba,
Eugeniu Rosca, Filipe Manana
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 357950361cbc6d54fb68ed878265c647384684ae upstream.
When opening a directory for reading it, we set the last index where we
stop iteration to the value in struct btrfs_inode::index_cnt. That value
does not match the index of the most recently added directory entry but
it's instead the index number that will be assigned the next directory
entry.
This means that if after the call to opendir(3) new directory entries are
added, a readdir(3) call will return the first new directory entry. This
is fine because POSIX says the following [1]:
"If a file is removed from or added to the directory after the most
recent call to opendir() or rewinddir(), whether a subsequent call to
readdir() returns an entry for that file is unspecified."
For example for the test script from commit 9b378f6ad48c ("btrfs: fix
infinite directory reads"), where we have 2000 files in a directory, ext4
doesn't return any new directory entry after opendir(3), while xfs returns
the first 13 new directory entries added after the opendir(3) call.
If we move to a shorter example with an empty directory when opendir(3) is
called, and 2 files added to the directory after the opendir(3) call, then
readdir(3) on btrfs will return the first file, ext4 and xfs return the 2
files (but in a different order). A test program for this, reported by
Ian Johnson, is the following:
#include <dirent.h>
#include <stdio.h>
int main(void) {
DIR *dir = opendir("test");
FILE *file;
file = fopen("test/1", "w");
fwrite("1", 1, 1, file);
fclose(file);
file = fopen("test/2", "w");
fwrite("2", 1, 1, file);
fclose(file);
struct dirent *entry;
while ((entry = readdir(dir))) {
printf("%s\n", entry->d_name);
}
closedir(dir);
return 0;
}
To make this less odd, change the behaviour to never return new entries
that were added after the opendir(3) call. This is done by setting the
last_index field of the struct btrfs_file_private attached to the
directory's file handle with a value matching btrfs_inode::index_cnt
minus 1, since that value always matches the index of the next new
directory entry and not the index of the most recently added entry.
[1] https://pubs.opengroup.org/onlinepubs/007904875/functions/readdir_r.html
Link: https://lore.kernel.org/linux-btrfs/YR1P0S.NGASEG570GJ8@ianjohnson.dev/
CC: stable@vger.kernel.org # 6.5+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Reviewed-by: Eugeniu Rosca <eugeniu.rosca@bosch.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6184,7 +6184,8 @@ static int btrfs_get_dir_last_index(stru
}
}
- *index = dir->index_cnt;
+ /* index_cnt is the index number of next new entry, so decrement it. */
+ *index = dir->index_cnt - 1;
return 0;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 074/476] btrfs: refresh dir last index during a rewinddir(3) call
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 073/476] btrfs: set last dir index to the current last index when opening dir Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 075/476] btrfs: fix race between reading a directory and adding entries to it Greg Kroah-Hartman
` (411 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable, linux-btrfs
Cc: Greg Kroah-Hartman, patches, Ian Johnson, Filipe Manana,
David Sterba, Eugeniu Rosca
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit e60aa5da14d01fed8411202dbe4adf6c44bd2a57 upstream.
When opening a directory we find what's the index of its last entry and
then store it in the directory's file handle private data (struct
btrfs_file_private::last_index), so that in the case new directory entries
are added to a directory after an opendir(3) call we don't end up in an
infinite loop (see commit 9b378f6ad48c ("btrfs: fix infinite directory
reads")) when calling readdir(3).
However once rewinddir(3) is called, POSIX states [1] that any new
directory entries added after the previous opendir(3) call, must be
returned by subsequent calls to readdir(3):
"The rewinddir() function shall reset the position of the directory
stream to which dirp refers to the beginning of the directory.
It shall also cause the directory stream to refer to the current
state of the corresponding directory, as a call to opendir() would
have done."
We currently don't refresh the last_index field of the struct
btrfs_file_private associated to the directory, so after a rewinddir(3)
we are not returning any new entries added after the opendir(3) call.
Fix this by finding the current last index of the directory when llseek
is called against the directory.
This can be reproduced by the following C program provided by Ian Johnson:
#include <dirent.h>
#include <stdio.h>
int main(void) {
DIR *dir = opendir("test");
FILE *file;
file = fopen("test/1", "w");
fwrite("1", 1, 1, file);
fclose(file);
file = fopen("test/2", "w");
fwrite("2", 1, 1, file);
fclose(file);
rewinddir(dir);
struct dirent *entry;
while ((entry = readdir(dir))) {
printf("%s\n", entry->d_name);
}
closedir(dir);
return 0;
}
Reported-by: Ian Johnson <ian@ianjohnson.dev>
Link: https://lore.kernel.org/linux-btrfs/YR1P0S.NGASEG570GJ8@ianjohnson.dev/
Fixes: 9b378f6ad48c ("btrfs: fix infinite directory reads")
CC: stable@vger.kernel.org # 6.5+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Reviewed-by: Eugeniu Rosca <eugeniu.rosca@bosch.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6222,6 +6222,19 @@ static int btrfs_opendir(struct inode *i
return 0;
}
+static loff_t btrfs_dir_llseek(struct file *file, loff_t offset, int whence)
+{
+ struct btrfs_file_private *private = file->private_data;
+ int ret;
+
+ ret = btrfs_get_dir_last_index(BTRFS_I(file_inode(file)),
+ &private->last_index);
+ if (ret)
+ return ret;
+
+ return generic_file_llseek(file, offset, whence);
+}
+
struct dir_entry {
u64 ino;
u64 offset;
@@ -11087,7 +11100,7 @@ static const struct inode_operations btr
};
static const struct file_operations btrfs_dir_file_operations = {
- .llseek = generic_file_llseek,
+ .llseek = btrfs_dir_llseek,
.read = generic_read_dir,
.iterate_shared = btrfs_real_readdir,
.open = btrfs_opendir,
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 075/476] btrfs: fix race between reading a directory and adding entries to it
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 074/476] btrfs: refresh dir last index during a rewinddir(3) call Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 076/476] btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted Greg Kroah-Hartman
` (410 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable, linux-btrfs
Cc: Greg Kroah-Hartman, patches, ken, syzbot+d13490c82ad5353c779d,
Filipe Manana, David Sterba, Eugeniu Rosca
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 8e7f82deb0c0386a03b62e30082574347f8b57d5 upstream.
When opening a directory (opendir(3)) or rewinding it (rewinddir(3)), we
are not holding the directory's inode locked, and this can result in later
attempting to add two entries to the directory with the same index number,
resulting in a transaction abort, with -EEXIST (-17), when inserting the
second delayed dir index. This results in a trace like the following:
Sep 11 22:34:59 myhostname kernel: BTRFS error (device dm-3): err add delayed dir index item(name: cockroach-stderr.log) into the insertion tree of the delayed node(root id: 5, inode id: 4539217, errno: -17)
Sep 11 22:34:59 myhostname kernel: ------------[ cut here ]------------
Sep 11 22:34:59 myhostname kernel: kernel BUG at fs/btrfs/delayed-inode.c:1504!
Sep 11 22:34:59 myhostname kernel: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
Sep 11 22:34:59 myhostname kernel: CPU: 0 PID: 7159 Comm: cockroach Not tainted 6.4.15-200.fc38.x86_64 #1
Sep 11 22:34:59 myhostname kernel: Hardware name: ASUS ESC500 G3/P9D WS, BIOS 2402 06/27/2018
Sep 11 22:34:59 myhostname kernel: RIP: 0010:btrfs_insert_delayed_dir_index+0x1da/0x260
Sep 11 22:34:59 myhostname kernel: Code: eb dd 48 (...)
Sep 11 22:34:59 myhostname kernel: RSP: 0000:ffffa9980e0fbb28 EFLAGS: 00010282
Sep 11 22:34:59 myhostname kernel: RAX: 0000000000000000 RBX: ffff8b10b8f4a3c0 RCX: 0000000000000000
Sep 11 22:34:59 myhostname kernel: RDX: 0000000000000000 RSI: ffff8b177ec21540 RDI: ffff8b177ec21540
Sep 11 22:34:59 myhostname kernel: RBP: ffff8b110cf80888 R08: 0000000000000000 R09: ffffa9980e0fb938
Sep 11 22:34:59 myhostname kernel: R10: 0000000000000003 R11: ffffffff86146508 R12: 0000000000000014
Sep 11 22:34:59 myhostname kernel: R13: ffff8b1131ae5b40 R14: ffff8b10b8f4a418 R15: 00000000ffffffef
Sep 11 22:34:59 myhostname kernel: FS: 00007fb14a7fe6c0(0000) GS:ffff8b177ec00000(0000) knlGS:0000000000000000
Sep 11 22:34:59 myhostname kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 11 22:34:59 myhostname kernel: CR2: 000000c00143d000 CR3: 00000001b3b4e002 CR4: 00000000001706f0
Sep 11 22:34:59 myhostname kernel: Call Trace:
Sep 11 22:34:59 myhostname kernel: <TASK>
Sep 11 22:34:59 myhostname kernel: ? die+0x36/0x90
Sep 11 22:34:59 myhostname kernel: ? do_trap+0xda/0x100
Sep 11 22:34:59 myhostname kernel: ? btrfs_insert_delayed_dir_index+0x1da/0x260
Sep 11 22:34:59 myhostname kernel: ? do_error_trap+0x6a/0x90
Sep 11 22:34:59 myhostname kernel: ? btrfs_insert_delayed_dir_index+0x1da/0x260
Sep 11 22:34:59 myhostname kernel: ? exc_invalid_op+0x50/0x70
Sep 11 22:34:59 myhostname kernel: ? btrfs_insert_delayed_dir_index+0x1da/0x260
Sep 11 22:34:59 myhostname kernel: ? asm_exc_invalid_op+0x1a/0x20
Sep 11 22:34:59 myhostname kernel: ? btrfs_insert_delayed_dir_index+0x1da/0x260
Sep 11 22:34:59 myhostname kernel: ? btrfs_insert_delayed_dir_index+0x1da/0x260
Sep 11 22:34:59 myhostname kernel: btrfs_insert_dir_item+0x200/0x280
Sep 11 22:34:59 myhostname kernel: btrfs_add_link+0xab/0x4f0
Sep 11 22:34:59 myhostname kernel: ? ktime_get_real_ts64+0x47/0xe0
Sep 11 22:34:59 myhostname kernel: btrfs_create_new_inode+0x7cd/0xa80
Sep 11 22:34:59 myhostname kernel: btrfs_symlink+0x190/0x4d0
Sep 11 22:34:59 myhostname kernel: ? schedule+0x5e/0xd0
Sep 11 22:34:59 myhostname kernel: ? __d_lookup+0x7e/0xc0
Sep 11 22:34:59 myhostname kernel: vfs_symlink+0x148/0x1e0
Sep 11 22:34:59 myhostname kernel: do_symlinkat+0x130/0x140
Sep 11 22:34:59 myhostname kernel: __x64_sys_symlinkat+0x3d/0x50
Sep 11 22:34:59 myhostname kernel: do_syscall_64+0x5d/0x90
Sep 11 22:34:59 myhostname kernel: ? syscall_exit_to_user_mode+0x2b/0x40
Sep 11 22:34:59 myhostname kernel: ? do_syscall_64+0x6c/0x90
Sep 11 22:34:59 myhostname kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc
The race leading to the problem happens like this:
1) Directory inode X is loaded into memory, its ->index_cnt field is
initialized to (u64)-1 (at btrfs_alloc_inode());
2) Task A is adding a new file to directory X, holding its vfs inode lock,
and calls btrfs_set_inode_index() to get an index number for the entry.
Because the inode's index_cnt field is set to (u64)-1 it calls
btrfs_inode_delayed_dir_index_count() which fails because no dir index
entries were added yet to the delayed inode and then it calls
btrfs_set_inode_index_count(). This functions finds the last dir index
key and then sets index_cnt to that index value + 1. It found that the
last index key has an offset of 100. However before it assigns a value
of 101 to index_cnt...
3) Task B calls opendir(3), ending up at btrfs_opendir(), where the VFS
lock for inode X is not taken, so it calls btrfs_get_dir_last_index()
and sees index_cnt still with a value of (u64)-1. Because of that it
calls btrfs_inode_delayed_dir_index_count() which fails since no dir
index entries were added to the delayed inode yet, and then it also
calls btrfs_set_inode_index_count(). This also finds that the last
index key has an offset of 100, and before it assigns the value 101
to the index_cnt field of inode X...
4) Task A assigns a value of 101 to index_cnt. And then the code flow
goes to btrfs_set_inode_index() where it increments index_cnt from
101 to 102. Task A then creates a delayed dir index entry with a
sequence number of 101 and adds it to the delayed inode;
5) Task B assigns 101 to the index_cnt field of inode X;
6) At some later point when someone tries to add a new entry to the
directory, btrfs_set_inode_index() will return 101 again and shortly
after an attempt to add another delayed dir index key with index
number 101 will fail with -EEXIST resulting in a transaction abort.
Fix this by locking the inode at btrfs_get_dir_last_index(), which is only
only used when opening a directory or attempting to lseek on it.
Reported-by: ken <ken@bllue.org>
Link: https://lore.kernel.org/linux-btrfs/CAE6xmH+Lp=Q=E61bU+v9eWX8gYfLvu6jLYxjxjFpo3zHVPR0EQ@mail.gmail.com/
Reported-by: syzbot+d13490c82ad5353c779d@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/00000000000036e1290603e097e0@google.com/
Fixes: 9b378f6ad48c ("btrfs: fix infinite directory reads")
CC: stable@vger.kernel.org # 6.5+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Reviewed-by: Eugeniu Rosca <eugeniu.rosca@bosch.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6173,21 +6173,24 @@ out:
static int btrfs_get_dir_last_index(struct btrfs_inode *dir, u64 *index)
{
- if (dir->index_cnt == (u64)-1) {
- int ret;
+ int ret = 0;
+ btrfs_inode_lock(&dir->vfs_inode, 0);
+ if (dir->index_cnt == (u64)-1) {
ret = btrfs_inode_delayed_dir_index_count(dir);
if (ret) {
ret = btrfs_set_inode_index_count(dir);
if (ret)
- return ret;
+ goto out;
}
}
/* index_cnt is the index number of next new entry, so decrement it. */
*index = dir->index_cnt - 1;
+out:
+ btrfs_inode_unlock(&dir->vfs_inode, 0);
- return 0;
+ return ret;
}
/*
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 076/476] btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 075/476] btrfs: fix race between reading a directory and adding entries to it Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 077/476] btrfs: ref-verify: free ref cache before clearing mount opt Greg Kroah-Hartman
` (409 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sweet Tea Dorminy, Anand Jain,
Omar Sandoval, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Omar Sandoval <osandov@fb.com>
commit 3324d0547861b16cf436d54abba7052e0c8aa9de upstream.
Sweet Tea spotted a race between subvolume deletion and snapshotting
that can result in the root item for the snapshot having the
BTRFS_ROOT_SUBVOL_DEAD flag set. The race is:
Thread 1 | Thread 2
----------------------------------------------|----------
btrfs_delete_subvolume |
btrfs_set_root_flags(BTRFS_ROOT_SUBVOL_DEAD)|
|btrfs_mksubvol
| down_read(subvol_sem)
| create_snapshot
| ...
| create_pending_snapshot
| copy root item from source
down_write(subvol_sem) |
This flag is only checked in send and swap activate, which this would
cause to fail mysteriously.
create_snapshot() now checks the root refs to reject a deleted
subvolume, so we can fix this by locking subvol_sem earlier so that the
BTRFS_ROOT_SUBVOL_DEAD flag and the root refs are updated atomically.
CC: stable@vger.kernel.org # 4.14+
Reported-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4501,6 +4501,8 @@ int btrfs_delete_subvolume(struct inode
u64 root_flags;
int ret;
+ down_write(&fs_info->subvol_sem);
+
/*
* Don't allow to delete a subvolume with send in progress. This is
* inside the inode lock so the error handling that has to drop the bit
@@ -4512,25 +4514,25 @@ int btrfs_delete_subvolume(struct inode
btrfs_warn(fs_info,
"attempt to delete subvolume %llu during send",
dest->root_key.objectid);
- return -EPERM;
+ ret = -EPERM;
+ goto out_up_write;
}
if (atomic_read(&dest->nr_swapfiles)) {
spin_unlock(&dest->root_item_lock);
btrfs_warn(fs_info,
"attempt to delete subvolume %llu with active swapfile",
root->root_key.objectid);
- return -EPERM;
+ ret = -EPERM;
+ goto out_up_write;
}
root_flags = btrfs_root_flags(&dest->root_item);
btrfs_set_root_flags(&dest->root_item,
root_flags | BTRFS_ROOT_SUBVOL_DEAD);
spin_unlock(&dest->root_item_lock);
- down_write(&fs_info->subvol_sem);
-
ret = may_destroy_subvol(dest);
if (ret)
- goto out_up_write;
+ goto out_undead;
btrfs_init_block_rsv(&block_rsv, BTRFS_BLOCK_RSV_TEMP);
/*
@@ -4540,7 +4542,7 @@ int btrfs_delete_subvolume(struct inode
*/
ret = btrfs_subvolume_reserve_metadata(root, &block_rsv, 5, true);
if (ret)
- goto out_up_write;
+ goto out_undead;
trans = btrfs_start_transaction(root, 0);
if (IS_ERR(trans)) {
@@ -4606,15 +4608,17 @@ out_end_trans:
inode->i_flags |= S_DEAD;
out_release:
btrfs_subvolume_release_metadata(root, &block_rsv);
-out_up_write:
- up_write(&fs_info->subvol_sem);
+out_undead:
if (ret) {
spin_lock(&dest->root_item_lock);
root_flags = btrfs_root_flags(&dest->root_item);
btrfs_set_root_flags(&dest->root_item,
root_flags & ~BTRFS_ROOT_SUBVOL_DEAD);
spin_unlock(&dest->root_item_lock);
- } else {
+ }
+out_up_write:
+ up_write(&fs_info->subvol_sem);
+ if (!ret) {
d_invalidate(dentry);
btrfs_prune_dentries(dest);
ASSERT(dest->send_in_progress == 0);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 077/476] btrfs: ref-verify: free ref cache before clearing mount opt
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 076/476] btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 078/476] btrfs: tree-checker: fix inline ref size in error messages Greg Kroah-Hartman
` (408 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+be14ed7728594dc8bd42,
syzbot+c563a3c79927971f950f, Anand Jain, Fedor Pchelkin,
David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit f03e274a8b29d1d1c1bbd7f764766cb5ca537ab7 upstream.
As clearing REF_VERIFY mount option indicates there were some errors in a
ref-verify process, a ref cache is not relevant anymore and should be
freed.
btrfs_free_ref_cache() requires REF_VERIFY option being set so call
it just before clearing the mount option.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Reported-by: syzbot+be14ed7728594dc8bd42@syzkaller.appspotmail.com
Fixes: fd708b81d972 ("Btrfs: add a extent ref verify tool")
CC: stable@vger.kernel.org # 5.4+
Closes: https://lore.kernel.org/lkml/000000000000e5a65c05ee832054@google.com/
Reported-by: syzbot+c563a3c79927971f950f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/0000000000007fe09705fdc6086c@google.com/
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ref-verify.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/btrfs/ref-verify.c
+++ b/fs/btrfs/ref-verify.c
@@ -883,8 +883,10 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i
out_unlock:
spin_unlock(&fs_info->ref_verify_lock);
out:
- if (ret)
+ if (ret) {
+ btrfs_free_ref_cache(fs_info);
btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY);
+ }
return ret;
}
@@ -1013,8 +1015,8 @@ int btrfs_build_ref_tree(struct btrfs_fs
}
}
if (ret) {
- btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY);
btrfs_free_ref_cache(fs_info);
+ btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY);
}
btrfs_free_path(path);
return ret;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 078/476] btrfs: tree-checker: fix inline ref size in error messages
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 077/476] btrfs: ref-verify: free ref cache before clearing mount opt Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 079/476] btrfs: dont warn if discard range is not aligned to sector Greg Kroah-Hartman
` (407 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
Chung-Chiang Cheng, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chung-Chiang Cheng <cccheng@synology.com>
commit f398e70dd69e6ceea71463a5380e6118f219197e upstream.
The error message should accurately reflect the size rather than the
type.
Fixes: f82d1c7ca8ae ("btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Chung-Chiang Cheng <cccheng@synology.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-checker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1382,7 +1382,7 @@ static int check_extent_item(struct exte
if (unlikely(ptr + btrfs_extent_inline_ref_size(inline_type) > end)) {
extent_err(leaf, slot,
"inline ref item overflows extent item, ptr %lu iref size %u end %lu",
- ptr, inline_type, end);
+ ptr, btrfs_extent_inline_ref_size(inline_type), end);
return -EUCLEAN;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 079/476] btrfs: dont warn if discard range is not aligned to sector
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 078/476] btrfs: tree-checker: fix inline ref size in error messages Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 080/476] btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args Greg Kroah-Hartman
` (406 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4a4f1eba14eb5c3417d1,
Johannes Thumshirn, Anand Jain, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
commit a208b3f132b48e1f94f620024e66fea635925877 upstream.
There's a warning in btrfs_issue_discard() when the range is not aligned
to 512 bytes, originally added in 4d89d377bbb0 ("btrfs:
btrfs_issue_discard ensure offset/length are aligned to sector
boundaries"). We can't do sub-sector writes anyway so the adjustment is
the only thing that we can do and the warning is unnecessary.
CC: stable@vger.kernel.org # 4.19+
Reported-by: syzbot+4a4f1eba14eb5c3417d1@syzkaller.appspotmail.com
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent-tree.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -1206,7 +1206,8 @@ static int btrfs_issue_discard(struct bl
u64 bytes_left, end;
u64 aligned_start = ALIGN(start, 1 << 9);
- if (WARN_ON(start != aligned_start)) {
+ /* Adjust the range to be aligned to 512B sectors if necessary. */
+ if (start != aligned_start) {
len -= aligned_start - start;
len = round_down(len, 1 << 9);
start = aligned_start;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 080/476] btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 079/476] btrfs: dont warn if discard range is not aligned to sector Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 081/476] btrfs: dont abort filesystem when attempting to snapshot deleted subvolume Greg Kroah-Hartman
` (405 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 173431b274a9a54fc10b273b46e67f46bcf62d2e upstream.
Add extra sanity check for btrfs_ioctl_defrag_range_args::flags.
This is not really to enhance fuzzing tests, but as a preparation for
future expansion on btrfs_ioctl_defrag_range_args.
In the future we're going to add new members, allowing more fine tuning
for btrfs defrag. Without the -ENONOTSUPP error, there would be no way
to detect if the kernel supports those new defrag features.
CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 4 ++++
include/uapi/linux/btrfs.h | 3 +++
2 files changed, 7 insertions(+)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3183,6 +3183,10 @@ static int btrfs_ioctl_defrag(struct fil
ret = -EFAULT;
goto out;
}
+ if (range.flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
/* compression requires us to start the IO */
if ((range.flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
range.flags |= BTRFS_DEFRAG_RANGE_START_IO;
--- a/include/uapi/linux/btrfs.h
+++ b/include/uapi/linux/btrfs.h
@@ -578,6 +578,9 @@ struct btrfs_ioctl_clone_range_args {
*/
#define BTRFS_DEFRAG_RANGE_COMPRESS 1
#define BTRFS_DEFRAG_RANGE_START_IO 2
+#define BTRFS_DEFRAG_RANGE_FLAGS_SUPP (BTRFS_DEFRAG_RANGE_COMPRESS | \
+ BTRFS_DEFRAG_RANGE_START_IO)
+
struct btrfs_ioctl_defrag_range_args {
/* start of the defrag operation */
__u64 start;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 081/476] btrfs: dont abort filesystem when attempting to snapshot deleted subvolume
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 080/476] btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 082/476] rbd: dont move requests to the running list on errors Greg Kroah-Hartman
` (404 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sweet Tea Dorminy, Anand Jain,
Omar Sandoval, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Omar Sandoval <osandov@fb.com>
commit 7081929ab2572920e94d70be3d332e5c9f97095a upstream.
If the source file descriptor to the snapshot ioctl refers to a deleted
subvolume, we get the following abort:
BTRFS: Transaction aborted (error -2)
WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]
Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c
CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]
RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027
RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840
RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998
R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe
R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80
FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0
Call Trace:
<TASK>
? create_pending_snapshot+0x1040/0x1190 [btrfs]
? __warn+0x81/0x130
? create_pending_snapshot+0x1040/0x1190 [btrfs]
? report_bug+0x171/0x1a0
? handle_bug+0x3a/0x70
? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20
? create_pending_snapshot+0x1040/0x1190 [btrfs]
? create_pending_snapshot+0x1040/0x1190 [btrfs]
create_pending_snapshots+0x92/0xc0 [btrfs]
btrfs_commit_transaction+0x66b/0xf40 [btrfs]
btrfs_mksubvol+0x301/0x4d0 [btrfs]
btrfs_mksnapshot+0x80/0xb0 [btrfs]
__btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]
btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]
btrfs_ioctl+0x8a6/0x2650 [btrfs]
? kmem_cache_free+0x22/0x340
? do_sys_openat2+0x97/0xe0
__x64_sys_ioctl+0x97/0xd0
do_syscall_64+0x46/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7fe20abe83af
RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af
RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58
</TASK>
---[ end trace 0000000000000000 ]---
BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry
BTRFS info (device vdc: state EA): forced readonly
BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.
BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry
This happens because create_pending_snapshot() initializes the new root
item as a copy of the source root item. This includes the refs field,
which is 0 for a deleted subvolume. The call to btrfs_insert_root()
therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then
finds the root and returns -ENOENT if refs == 0, which causes
create_pending_snapshot() to abort.
Fix it by checking the source root's refs before attempting the
snapshot, but after locking subvol_sem to avoid racing with deletion.
CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -725,6 +725,9 @@ static int create_snapshot(struct btrfs_
struct btrfs_trans_handle *trans;
int ret;
+ if (btrfs_root_refs(&root->root_item) == 0)
+ return -ENOENT;
+
if (!test_bit(BTRFS_ROOT_SHAREABLE, &root->state))
return -EINVAL;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 082/476] rbd: dont move requests to the running list on errors
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 081/476] btrfs: dont abort filesystem when attempting to snapshot deleted subvolume Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 083/476] exec: Fix error handling in begin_new_exec() Greg Kroah-Hartman
` (403 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Dongsheng Yang
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit ded080c86b3f99683774af0441a58fc2e3d60cae upstream.
The running list is supposed to contain requests that are pinning the
exclusive lock, i.e. those that must be flushed before exclusive lock
is released. When wake_lock_waiters() is called to handle an error,
requests on the acquiring list are failed with that error and no
flushing takes place. Briefly moving them to the running list is not
only pointless but also harmful: if exclusive lock gets acquired
before all of their state machines are scheduled and go through
rbd_lock_del_request(), we trigger
rbd_assert(list_empty(&rbd_dev->running_list));
in rbd_try_acquire_lock().
Cc: stable@vger.kernel.org
Fixes: 637cd060537d ("rbd: new exclusive lock wait/wake code")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Dongsheng Yang <dongsheng.yang@easystack.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/rbd.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -3454,14 +3454,15 @@ static bool rbd_lock_add_request(struct
static void rbd_lock_del_request(struct rbd_img_request *img_req)
{
struct rbd_device *rbd_dev = img_req->rbd_dev;
- bool need_wakeup;
+ bool need_wakeup = false;
lockdep_assert_held(&rbd_dev->lock_rwsem);
spin_lock(&rbd_dev->lock_lists_lock);
- rbd_assert(!list_empty(&img_req->lock_item));
- list_del_init(&img_req->lock_item);
- need_wakeup = (rbd_dev->lock_state == RBD_LOCK_STATE_RELEASING &&
- list_empty(&rbd_dev->running_list));
+ if (!list_empty(&img_req->lock_item)) {
+ list_del_init(&img_req->lock_item);
+ need_wakeup = (rbd_dev->lock_state == RBD_LOCK_STATE_RELEASING &&
+ list_empty(&rbd_dev->running_list));
+ }
spin_unlock(&rbd_dev->lock_lists_lock);
if (need_wakeup)
complete(&rbd_dev->releasing_wait);
@@ -3844,14 +3845,19 @@ static void wake_lock_waiters(struct rbd
return;
}
- list_for_each_entry(img_req, &rbd_dev->acquiring_list, lock_item) {
+ while (!list_empty(&rbd_dev->acquiring_list)) {
+ img_req = list_first_entry(&rbd_dev->acquiring_list,
+ struct rbd_img_request, lock_item);
mutex_lock(&img_req->state_mutex);
rbd_assert(img_req->state == RBD_IMG_EXCLUSIVE_LOCK);
+ if (!result)
+ list_move_tail(&img_req->lock_item,
+ &rbd_dev->running_list);
+ else
+ list_del_init(&img_req->lock_item);
rbd_img_schedule(img_req, result);
mutex_unlock(&img_req->state_mutex);
}
-
- list_splice_tail_init(&rbd_dev->acquiring_list, &rbd_dev->running_list);
}
static bool locker_equal(const struct ceph_locker *lhs,
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 083/476] exec: Fix error handling in begin_new_exec()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 082/476] rbd: dont move requests to the running list on errors Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 084/476] wifi: iwlwifi: fix a memory corruption Greg Kroah-Hartman
` (402 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bernd Edlinger, Eric W. Biederman,
Kees Cook
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
commit 84c39ec57d409e803a9bb6e4e85daf1243e0e80b upstream.
If get_unused_fd_flags() fails, the error handling is incomplete because
bprm->cred is already set to NULL, and therefore free_bprm will not
unlock the cred_guard_mutex. Note there are two error conditions which
end up here, one before and one after bprm->cred is cleared.
Fixes: b8a61c9e7b4a ("exec: Generic execfd support")
Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Link: https://lore.kernel.org/r/AS8P193MB128517ADB5EFF29E04389EDAE4752@AS8P193MB1285.EURP193.PROD.OUTLOOK.COM
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exec.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1410,6 +1410,9 @@ int begin_new_exec(struct linux_binprm *
out_unlock:
up_write(&me->signal->exec_update_lock);
+ if (!bprm->cred)
+ mutex_unlock(&me->signal->cred_guard_mutex);
+
out:
return retval;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 084/476] wifi: iwlwifi: fix a memory corruption
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 083/476] exec: Fix error handling in begin_new_exec() Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 085/476] hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes Greg Kroah-Hartman
` (401 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emmanuel Grumbach, Miri Korenblit,
Johannes Berg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
commit cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d upstream.
iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that
if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in
bytes, we'll write past the buffer.
Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218233
Fixes: cf29c5b66b9f ("iwlwifi: dbg_ini: implement time point handling")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240111150610.2d2b8b870194.I14ed76505a5cf87304e0c9cc05cc0ae85ed3bf91@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
@@ -836,7 +836,7 @@ static int iwl_dbg_tlv_override_trig_nod
node_trig = (void *)node_tlv->data;
}
- memcpy(node_trig->data + offset, trig->data, trig_data_len);
+ memcpy((u8 *)node_trig->data + offset, trig->data, trig_data_len);
node_tlv->length = cpu_to_le32(size);
if (policy & IWL_FW_INI_APPLY_POLICY_OVERRIDE_CFG) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 085/476] hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 084/476] wifi: iwlwifi: fix a memory corruption Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 086/476] netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain Greg Kroah-Hartman
` (400 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Kelley, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Kelley <mhklinux@outlook.com>
commit 6941f67ad37d5465b75b9ffc498fcf6897a3c00e upstream.
Current code in netvsc_drv_init() incorrectly assumes that PAGE_SIZE
is 4 Kbytes, which is wrong on ARM64 with 16K or 64K page size. As a
result, the default VMBus ring buffer size on ARM64 with 64K page size
is 8 Mbytes instead of the expected 512 Kbytes. While this doesn't break
anything, a typical VM with 8 vCPUs and 8 netvsc channels wastes 120
Mbytes (8 channels * 2 ring buffers/channel * 7.5 Mbytes/ring buffer).
Unfortunately, the module parameter specifying the ring buffer size
is in units of 4 Kbyte pages. Ideally, it should be in units that
are independent of PAGE_SIZE, but backwards compatibility prevents
changing that now.
Fix this by having netvsc_drv_init() hardcode 4096 instead of using
PAGE_SIZE when calculating the ring buffer size in bytes. Also
use the VMBUS_RING_SIZE macro to ensure proper alignment when running
with page size larger than 4K.
Cc: <stable@vger.kernel.org> # 5.15.x
Fixes: 7aff79e297ee ("Drivers: hv: Enable Hyper-V code to be built on ARM64")
Signed-off-by: Michael Kelley <mhklinux@outlook.com>
Link: https://lore.kernel.org/r/20240122162028.348885-1-mhklinux@outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/hyperv/netvsc_drv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -44,7 +44,7 @@
static unsigned int ring_size __ro_after_init = 128;
module_param(ring_size, uint, 0444);
-MODULE_PARM_DESC(ring_size, "Ring buffer size (# of pages)");
+MODULE_PARM_DESC(ring_size, "Ring buffer size (# of 4K pages)");
unsigned int netvsc_ring_bytes __ro_after_init;
static const u32 default_msg = NETIF_MSG_DRV | NETIF_MSG_PROBE |
@@ -2824,7 +2824,7 @@ static int __init netvsc_drv_init(void)
pr_info("Increased ring_size to %u (min allowed)\n",
ring_size);
}
- netvsc_ring_bytes = ring_size * PAGE_SIZE;
+ netvsc_ring_bytes = VMBUS_RING_SIZE(ring_size * 4096);
register_netdevice_notifier(&netvsc_netdev_notifier);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 086/476] netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 085/476] hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 087/476] netfilter: nf_tables: reject QUEUE/DROP verdict parameters Greg Kroah-Hartman
` (399 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 01acb2e8666a6529697141a6017edbf206921913 upstream.
Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER
event is reported, otherwise a stale reference to netdevice remains in
the hook list.
Fixes: 60a3815da702 ("netfilter: add inet ingress support")
Cc: stable@vger.kernel.org
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_chain_filter.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -355,9 +355,10 @@ static int nf_tables_netdev_event(struct
unsigned long event, void *ptr)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ struct nft_base_chain *basechain;
struct nftables_pernet *nft_net;
- struct nft_table *table;
struct nft_chain *chain, *nr;
+ struct nft_table *table;
struct nft_ctx ctx = {
.net = dev_net(dev),
};
@@ -369,7 +370,8 @@ static int nf_tables_netdev_event(struct
nft_net = nft_pernet(ctx.net);
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
- if (table->family != NFPROTO_NETDEV)
+ if (table->family != NFPROTO_NETDEV &&
+ table->family != NFPROTO_INET)
continue;
ctx.family = table->family;
@@ -378,6 +380,11 @@ static int nf_tables_netdev_event(struct
if (!nft_is_base_chain(chain))
continue;
+ basechain = nft_base_chain(chain);
+ if (table->family == NFPROTO_INET &&
+ basechain->ops.hooknum != NF_INET_INGRESS)
+ continue;
+
ctx.chain = chain;
nft_netdev_event(event, dev, &ctx);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 087/476] netfilter: nf_tables: reject QUEUE/DROP verdict parameters
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 086/476] netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 088/476] firmware: arm_scmi: Check mailbox/SMT channel for consistency Greg Kroah-Hartman
` (398 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Notselwyn, Florian Westphal,
Pablo Neira Ayuso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit f342de4e2f33e0e39165d8639387aa6c19dff660 upstream.
This reverts commit e0abdadcc6e1.
core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
or 0.
Due to the reverted commit, its possible to provide a positive
value, e.g. NF_ACCEPT (1), which results in use-after-free.
Its not clear to me why this commit was made.
NF_QUEUE is not used by nftables; "queue" rules in nftables
will result in use of "nft_queue" expression.
If we later need to allow specifiying errno values from userspace
(do not know why), this has to call NF_DROP_GETERR and check that
"err <= 0" holds true.
Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
Cc: stable@vger.kernel.org
Reported-by: Notselwyn <notselwyn@pwning.tech>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10251,16 +10251,10 @@ static int nft_verdict_init(const struct
data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
switch (data->verdict.code) {
- default:
- switch (data->verdict.code & NF_VERDICT_MASK) {
- case NF_ACCEPT:
- case NF_DROP:
- case NF_QUEUE:
- break;
- default:
- return -EINVAL;
- }
- fallthrough;
+ case NF_ACCEPT:
+ case NF_DROP:
+ case NF_QUEUE:
+ break;
case NFT_CONTINUE:
case NFT_BREAK:
case NFT_RETURN:
@@ -10295,6 +10289,8 @@ static int nft_verdict_init(const struct
data->verdict.chain = chain;
break;
+ default:
+ return -EINVAL;
}
desc->len = sizeof(data->verdict);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 088/476] firmware: arm_scmi: Check mailbox/SMT channel for consistency
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 087/476] netfilter: nf_tables: reject QUEUE/DROP verdict parameters Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 089/476] xfs: read only mounts with fsopen mount API are busted Greg Kroah-Hartman
` (397 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xinglong Yang, Cristian Marussi,
Sudeep Holla
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cristian Marussi <cristian.marussi@arm.com>
commit 437a310b22244d4e0b78665c3042e5d1c0f45306 upstream.
On reception of a completion interrupt the shared memory area is accessed
to retrieve the message header at first and then, if the message sequence
number identifies a transaction which is still pending, the related
payload is fetched too.
When an SCMI command times out the channel ownership remains with the
platform until eventually a late reply is received and, as a consequence,
any further transmission attempt remains pending, waiting for the channel
to be relinquished by the platform.
Once that late reply is received the channel ownership is given back
to the agent and any pending request is then allowed to proceed and
overwrite the SMT area of the just delivered late reply; then the wait
for the reply to the new request starts.
It has been observed that the spurious IRQ related to the late reply can
be wrongly associated with the freshly enqueued request: when that happens
the SCMI stack in-flight lookup procedure is fooled by the fact that the
message header now present in the SMT area is related to the new pending
transaction, even though the real reply has still to arrive.
This race-condition on the A2P channel can be detected by looking at the
channel status bits: a genuine reply from the platform will have set the
channel free bit before triggering the completion IRQ.
Add a consistency check to validate such condition in the A2P ISR.
Reported-by: Xinglong Yang <xinglong.yang@cixtech.com>
Closes: https://lore.kernel.org/all/PUZPR06MB54981E6FA00D82BFDBB864FBF08DA@PUZPR06MB5498.apcprd06.prod.outlook.com/
Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
Cc: stable@vger.kernel.org # 5.15+
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Tested-by: Xinglong Yang <xinglong.yang@cixtech.com>
Link: https://lore.kernel.org/r/20231220172112.763539-1-cristian.marussi@arm.com
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/arm_scmi/common.h | 1 +
drivers/firmware/arm_scmi/mailbox.c | 14 ++++++++++++++
drivers/firmware/arm_scmi/shmem.c | 6 ++++++
3 files changed, 21 insertions(+)
--- a/drivers/firmware/arm_scmi/common.h
+++ b/drivers/firmware/arm_scmi/common.h
@@ -439,6 +439,7 @@ void shmem_fetch_notification(struct scm
void shmem_clear_channel(struct scmi_shared_mem __iomem *shmem);
bool shmem_poll_done(struct scmi_shared_mem __iomem *shmem,
struct scmi_xfer *xfer);
+bool shmem_channel_free(struct scmi_shared_mem __iomem *shmem);
/* declarations for message passing transports */
struct scmi_msg_payld;
--- a/drivers/firmware/arm_scmi/mailbox.c
+++ b/drivers/firmware/arm_scmi/mailbox.c
@@ -43,6 +43,20 @@ static void rx_callback(struct mbox_clie
{
struct scmi_mailbox *smbox = client_to_scmi_mailbox(cl);
+ /*
+ * An A2P IRQ is NOT valid when received while the platform still has
+ * the ownership of the channel, because the platform at first releases
+ * the SMT channel and then sends the completion interrupt.
+ *
+ * This addresses a possible race condition in which a spurious IRQ from
+ * a previous timed-out reply which arrived late could be wrongly
+ * associated with the next pending transaction.
+ */
+ if (cl->knows_txdone && !shmem_channel_free(smbox->shmem)) {
+ dev_warn(smbox->cinfo->dev, "Ignoring spurious A2P IRQ !\n");
+ return;
+ }
+
scmi_rx_callback(smbox->cinfo, shmem_read_header(smbox->shmem), NULL);
}
--- a/drivers/firmware/arm_scmi/shmem.c
+++ b/drivers/firmware/arm_scmi/shmem.c
@@ -99,3 +99,9 @@ bool shmem_poll_done(struct scmi_shared_
(SCMI_SHMEM_CHAN_STAT_CHANNEL_ERROR |
SCMI_SHMEM_CHAN_STAT_CHANNEL_FREE);
}
+
+bool shmem_channel_free(struct scmi_shared_mem __iomem *shmem)
+{
+ return (ioread32(&shmem->channel_status) &
+ SCMI_SHMEM_CHAN_STAT_CHANNEL_FREE);
+}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 089/476] xfs: read only mounts with fsopen mount API are busted
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 088/476] firmware: arm_scmi: Check mailbox/SMT channel for consistency Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 090/476] gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 Greg Kroah-Hartman
` (396 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Chinner, Christoph Hellwig,
Chandan Babu R
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Chinner <dchinner@redhat.com>
commit d8d222e09dab84a17bb65dda4b94d01c565f5327 upstream.
Recently xfs/513 started failing on my test machines testing "-o
ro,norecovery" mount options. This was being emitted in dmesg:
[ 9906.932724] XFS (pmem0): no-recovery mounts must be read-only.
Turns out, readonly mounts with the fsopen()/fsconfig() mount API
have been busted since day zero. It's only taken 5 years for debian
unstable to start using this "new" mount API, and shortly after this
I noticed xfs/513 had started to fail as per above.
The syscall trace is:
fsopen("xfs", FSOPEN_CLOEXEC) = 3
mount_setattr(-1, NULL, 0, NULL, 0) = -1 EINVAL (Invalid argument)
.....
fsconfig(3, FSCONFIG_SET_STRING, "source", "/dev/pmem0", 0) = 0
fsconfig(3, FSCONFIG_SET_FLAG, "ro", NULL, 0) = 0
fsconfig(3, FSCONFIG_SET_FLAG, "norecovery", NULL, 0) = 0
fsconfig(3, FSCONFIG_CMD_CREATE, NULL, NULL, 0) = -1 EINVAL (Invalid argument)
close(3) = 0
Showing that the actual mount instantiation (FSCONFIG_CMD_CREATE) is
what threw out the error.
During mount instantiation, we call xfs_fs_validate_params() which
does:
/* No recovery flag requires a read-only mount */
if (xfs_has_norecovery(mp) && !xfs_is_readonly(mp)) {
xfs_warn(mp, "no-recovery mounts must be read-only.");
return -EINVAL;
}
and xfs_is_readonly() checks internal mount flags for read only
state. This state is set in xfs_init_fs_context() from the
context superblock flag state:
/*
* Copy binary VFS mount flags we are interested in.
*/
if (fc->sb_flags & SB_RDONLY)
set_bit(XFS_OPSTATE_READONLY, &mp->m_opstate);
With the old mount API, all of the VFS specific superblock flags
had already been parsed and set before xfs_init_fs_context() is
called, so this all works fine.
However, in the brave new fsopen/fsconfig world,
xfs_init_fs_context() is called from fsopen() context, before any
VFS superblock have been set or parsed. Hence if we use fsopen(),
the internal XFS readonly state is *never set*. Hence anything that
depends on xfs_is_readonly() actually returning true for read only
mounts is broken if fsopen() has been used to mount the filesystem.
Fix this by moving this internal state initialisation to
xfs_fs_fill_super() before we attempt to validate the parameters
that have been set prior to the FSCONFIG_CMD_CREATE call being made.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Fixes: 73e5fff98b64 ("xfs: switch to use the new mount-api")
cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_super.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
--- a/fs/xfs/xfs_super.c
+++ b/fs/xfs/xfs_super.c
@@ -1436,6 +1436,18 @@ xfs_fs_fill_super(
mp->m_super = sb;
+ /*
+ * Copy VFS mount flags from the context now that all parameter parsing
+ * is guaranteed to have been completed by either the old mount API or
+ * the newer fsopen/fsconfig API.
+ */
+ if (fc->sb_flags & SB_RDONLY)
+ set_bit(XFS_OPSTATE_READONLY, &mp->m_opstate);
+ if (fc->sb_flags & SB_DIRSYNC)
+ mp->m_features |= XFS_FEAT_DIRSYNC;
+ if (fc->sb_flags & SB_SYNCHRONOUS)
+ mp->m_features |= XFS_FEAT_WSYNC;
+
error = xfs_fs_validate_params(mp);
if (error)
goto out_free_names;
@@ -1910,6 +1922,11 @@ static const struct fs_context_operation
.free = xfs_fs_free,
};
+/*
+ * WARNING: do not initialise any parameters in this function that depend on
+ * mount option parsing having already been performed as this can be called from
+ * fsopen() before any parameters have been set.
+ */
static int xfs_init_fs_context(
struct fs_context *fc)
{
@@ -1942,16 +1959,6 @@ static int xfs_init_fs_context(
mp->m_logbsize = -1;
mp->m_allocsize_log = 16; /* 64k */
- /*
- * Copy binary VFS mount flags we are interested in.
- */
- if (fc->sb_flags & SB_RDONLY)
- set_bit(XFS_OPSTATE_READONLY, &mp->m_opstate);
- if (fc->sb_flags & SB_DIRSYNC)
- mp->m_features |= XFS_FEAT_DIRSYNC;
- if (fc->sb_flags & SB_SYNCHRONOUS)
- mp->m_features |= XFS_FEAT_WSYNC;
-
fc->s_fs_info = mp;
fc->ops = &xfs_context_ops;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 090/476] gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 089/476] xfs: read only mounts with fsopen mount API are busted Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 091/476] drm: Dont unref the same fb many times by mistake due to deadlock handling Greg Kroah-Hartman
` (395 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Andy Shevchenko,
Bartosz Golaszewski, George Melikov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 805c74eac8cb306dc69b87b6b066ab4da77ceaf1 upstream.
Spurious wakeups are reported on the GPD G1619-04 which
can be absolved by programming the GPIO to ignore wakeups.
Cc: stable@vger.kernel.org
Reported-and-tested-by: George Melikov <mail@gmelikov.ru>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3073
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -1572,6 +1572,20 @@ static const struct dmi_system_id gpioli
.ignore_wake = "INT33FF:01@0",
},
},
+ {
+ /*
+ * Spurious wakeups from TP_ATTN# pin
+ * Found in BIOS 0.35
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/3073
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "GPD"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "G1619-04"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "PNP0C50:00@8",
+ },
+ },
{} /* Terminating entry */
};
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 091/476] drm: Dont unref the same fb many times by mistake due to deadlock handling
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 090/476] gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 092/476] drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking Greg Kroah-Hartman
` (394 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Javier Martinez Canillas
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit cb4daf271302d71a6b9a7c01bd0b6d76febd8f0c upstream.
If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()
we proceed to unref the fb and then retry the whole thing from the top.
But we forget to reset the fb pointer back to NULL, and so if we then
get another error during the retry, before the fb lookup, we proceed
the unref the same fb again without having gotten another reference.
The end result is that the fb will (eventually) end up being freed
while it's still in use.
Reset fb to NULL once we've unreffed it to avoid doing it again
until we've done another fb lookup.
This turned out to be pretty easy to hit on a DG2 when doing async
flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I
saw that drm_closefb() simply got stuck in a busy loop while walking
the framebuffer list. Fortunately I was able to convince it to oops
instead, and from there it was easier to track down the culprit.
Cc: stable@vger.kernel.org
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231211081625.25704-1-ville.syrjala@linux.intel.com
Acked-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_plane.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/drm_plane.c
+++ b/drivers/gpu/drm/drm_plane.c
@@ -1378,6 +1378,7 @@ retry:
out:
if (fb)
drm_framebuffer_put(fb);
+ fb = NULL;
if (plane->old_fb)
drm_framebuffer_put(plane->old_fb);
plane->old_fb = NULL;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 092/476] drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 091/476] drm: Dont unref the same fb many times by mistake due to deadlock handling Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 093/476] drm/tidss: Fix atomic_flush check Greg Kroah-Hartman
` (393 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Robert Foss
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 914437992876838662c968cb416f832110fb1093 upstream.
The i2c_master_send/recv() functions return negative error codes or the
number of bytes that were able to be sent/received. This code has
two problems. 1) Instead of checking if all the bytes were sent or
received, it checks that at least one byte was sent or received.
2) If there was a partial send/receive then we should return a negative
error code but this code returns success.
Fixes: a9fe713d7d45 ("drm/bridge: Add PTN3460 bridge driver")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Robert Foss <rfoss@kernel.org>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/0cdc2dce-ca89-451a-9774-1482ab2f4762@moroto.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/nxp-ptn3460.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/bridge/nxp-ptn3460.c
+++ b/drivers/gpu/drm/bridge/nxp-ptn3460.c
@@ -56,13 +56,13 @@ static int ptn3460_read_bytes(struct ptn
ret = i2c_master_send(ptn_bridge->client, &addr, 1);
if (ret <= 0) {
DRM_ERROR("Failed to send i2c command, ret=%d\n", ret);
- return ret;
+ return ret ?: -EIO;
}
ret = i2c_master_recv(ptn_bridge->client, buf, len);
- if (ret <= 0) {
+ if (ret != len) {
DRM_ERROR("Failed to recv i2c data, ret=%d\n", ret);
- return ret;
+ return ret < 0 ? ret : -EIO;
}
return 0;
@@ -78,9 +78,9 @@ static int ptn3460_write_byte(struct ptn
buf[1] = val;
ret = i2c_master_send(ptn_bridge->client, buf, ARRAY_SIZE(buf));
- if (ret <= 0) {
+ if (ret != ARRAY_SIZE(buf)) {
DRM_ERROR("Failed to send i2c command, ret=%d\n", ret);
- return ret;
+ return ret < 0 ? ret : -EIO;
}
return 0;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 093/476] drm/tidss: Fix atomic_flush check
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 092/476] drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 094/476] drm/bridge: nxp-ptn3460: simplify some error checking Greg Kroah-Hartman
` (392 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aradhya Bhatia, Tomi Valkeinen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
commit 95d4b471953411854f9c80b568da7fcf753f3801 upstream.
tidss_crtc_atomic_flush() checks if the crtc is enabled, and if not,
returns immediately as there's no reason to do any register changes.
However, the code checks for 'crtc->state->enable', which does not
reflect the actual HW state. We should instead look at the
'crtc->state->active' flag.
This causes the tidss_crtc_atomic_flush() to proceed with the flush even
if the active state is false, which then causes us to hit the
WARN_ON(!crtc->state->event) check.
Fix this by checking the active flag, and while at it, fix the related
debug print which had "active" and "needs modeset" wrong way.
Cc: <stable@vger.kernel.org>
Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
Reviewed-by: Aradhya Bhatia <a-bhatia1@ti.com>
Link: https://lore.kernel.org/r/20231109-tidss-probe-v2-10-ac91b5ea35c0@ideasonboard.com
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tidss/tidss_crtc.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/tidss/tidss_crtc.c
+++ b/drivers/gpu/drm/tidss/tidss_crtc.c
@@ -172,13 +172,13 @@ static void tidss_crtc_atomic_flush(stru
struct tidss_device *tidss = to_tidss(ddev);
unsigned long flags;
- dev_dbg(ddev->dev,
- "%s: %s enabled %d, needs modeset %d, event %p\n", __func__,
- crtc->name, drm_atomic_crtc_needs_modeset(crtc->state),
- crtc->state->enable, crtc->state->event);
+ dev_dbg(ddev->dev, "%s: %s is %sactive, %s modeset, event %p\n",
+ __func__, crtc->name, crtc->state->active ? "" : "not ",
+ drm_atomic_crtc_needs_modeset(crtc->state) ? "needs" : "doesn't need",
+ crtc->state->event);
/* There is nothing to do if CRTC is not going to be enabled. */
- if (!crtc->state->enable)
+ if (!crtc->state->active)
return;
/*
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 094/476] drm/bridge: nxp-ptn3460: simplify some error checking
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 093/476] drm/tidss: Fix atomic_flush check Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 095/476] PM: core: Remove unnecessary (void *) conversions Greg Kroah-Hartman
` (391 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Dan Carpenter, Robert Foss
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 28d3d0696688154cc04983f343011d07bf0508e4 upstream.
The i2c_master_send/recv() functions return negative error codes or
they return "len" on success. So the error handling here can be written
as just normal checks for "if (ret < 0) return ret;". No need to
complicate things.
Btw, in this code the "len" parameter can never be zero, but even if
it were, then I feel like this would still be the best way to write it.
Fixes: 914437992876 ("drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking")
Suggested-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Robert Foss <rfoss@kernel.org>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/04242630-42d8-4920-8c67-24ac9db6b3c9@moroto.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/nxp-ptn3460.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/bridge/nxp-ptn3460.c
+++ b/drivers/gpu/drm/bridge/nxp-ptn3460.c
@@ -54,15 +54,15 @@ static int ptn3460_read_bytes(struct ptn
int ret;
ret = i2c_master_send(ptn_bridge->client, &addr, 1);
- if (ret <= 0) {
+ if (ret < 0) {
DRM_ERROR("Failed to send i2c command, ret=%d\n", ret);
- return ret ?: -EIO;
+ return ret;
}
ret = i2c_master_recv(ptn_bridge->client, buf, len);
- if (ret != len) {
+ if (ret < 0) {
DRM_ERROR("Failed to recv i2c data, ret=%d\n", ret);
- return ret < 0 ? ret : -EIO;
+ return ret;
}
return 0;
@@ -78,9 +78,9 @@ static int ptn3460_write_byte(struct ptn
buf[1] = val;
ret = i2c_master_send(ptn_bridge->client, buf, ARRAY_SIZE(buf));
- if (ret != ARRAY_SIZE(buf)) {
+ if (ret < 0) {
DRM_ERROR("Failed to send i2c command, ret=%d\n", ret);
- return ret < 0 ? ret : -EIO;
+ return ret;
}
return 0;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 095/476] PM: core: Remove unnecessary (void *) conversions
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 094/476] drm/bridge: nxp-ptn3460: simplify some error checking Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 096/476] PM: sleep: Fix possible deadlocks in core system-wide PM code Greg Kroah-Hartman
` (390 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li zeming, Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li zeming <zeming@nfschina.com>
[ Upstream commit 73d73f5ee7fb0c42ff87091d105bee720a9565f1 ]
Assignments from pointer variables of type (void *) do not require
explicit type casts, so remove such type cases from the code in
drivers/base/power/main.c where applicable.
Signed-off-by: Li zeming <zeming@nfschina.com>
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Stable-dep-of: 7839d0078e0d ("PM: sleep: Fix possible deadlocks in core system-wide PM code")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/main.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 8c4819fe73d4..b4cd003d3e39 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -680,7 +680,7 @@ static bool dpm_async_fn(struct device *dev, async_func_t func)
static void async_resume_noirq(void *data, async_cookie_t cookie)
{
- struct device *dev = (struct device *)data;
+ struct device *dev = data;
int error;
error = device_resume_noirq(dev, pm_transition, true);
@@ -819,7 +819,7 @@ static int device_resume_early(struct device *dev, pm_message_t state, bool asyn
static void async_resume_early(void *data, async_cookie_t cookie)
{
- struct device *dev = (struct device *)data;
+ struct device *dev = data;
int error;
error = device_resume_early(dev, pm_transition, true);
@@ -983,7 +983,7 @@ static int device_resume(struct device *dev, pm_message_t state, bool async)
static void async_resume(void *data, async_cookie_t cookie)
{
- struct device *dev = (struct device *)data;
+ struct device *dev = data;
int error;
error = device_resume(dev, pm_transition, true);
@@ -1272,7 +1272,7 @@ static int __device_suspend_noirq(struct device *dev, pm_message_t state, bool a
static void async_suspend_noirq(void *data, async_cookie_t cookie)
{
- struct device *dev = (struct device *)data;
+ struct device *dev = data;
int error;
error = __device_suspend_noirq(dev, pm_transition, true);
@@ -1455,7 +1455,7 @@ static int __device_suspend_late(struct device *dev, pm_message_t state, bool as
static void async_suspend_late(void *data, async_cookie_t cookie)
{
- struct device *dev = (struct device *)data;
+ struct device *dev = data;
int error;
error = __device_suspend_late(dev, pm_transition, true);
@@ -1731,7 +1731,7 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async)
static void async_suspend(void *data, async_cookie_t cookie)
{
- struct device *dev = (struct device *)data;
+ struct device *dev = data;
int error;
error = __device_suspend(dev, pm_transition, true);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 096/476] PM: sleep: Fix possible deadlocks in core system-wide PM code
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 095/476] PM: core: Remove unnecessary (void *) conversions Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 097/476] bus: mhi: host: Rename "struct mhi_tre" to "struct mhi_ring_element" Greg Kroah-Hartman
` (389 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youngmin Nam, Rafael J. Wysocki,
Stanislaw Gruszka, Ulf Hansson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 7839d0078e0d5e6cc2fa0b0dfbee71de74f1e557 ]
It is reported that in low-memory situations the system-wide resume core
code deadlocks, because async_schedule_dev() executes its argument
function synchronously if it cannot allocate memory (and not only in
that case) and that function attempts to acquire a mutex that is already
held. Executing the argument function synchronously from within
dpm_async_fn() may also be problematic for ordering reasons (it may
cause a consumer device's resume callback to be invoked before a
requisite supplier device's one, for example).
Address this by changing the code in question to use
async_schedule_dev_nocall() for scheduling the asynchronous
execution of device suspend and resume functions and to directly
run them synchronously if async_schedule_dev_nocall() returns false.
Link: https://lore.kernel.org/linux-pm/ZYvjiqX6EsL15moe@perf/
Reported-by: Youngmin Nam <youngmin.nam@samsung.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Tested-by: Youngmin Nam <youngmin.nam@samsung.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: 5.7+ <stable@vger.kernel.org> # 5.7+: 6aa09a5bccd8 async: Split async_schedule_node_domain()
Cc: 5.7+ <stable@vger.kernel.org> # 5.7+: 7d4b5d7a37bd async: Introduce async_schedule_dev_nocall()
Cc: 5.7+ <stable@vger.kernel.org> # 5.7+
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/main.c | 148 ++++++++++++++++++--------------------
1 file changed, 68 insertions(+), 80 deletions(-)
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index b4cd003d3e39..185ea0d93a5e 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -580,7 +580,7 @@ bool dev_pm_skip_resume(struct device *dev)
}
/**
- * device_resume_noirq - Execute a "noirq resume" callback for given device.
+ * __device_resume_noirq - Execute a "noirq resume" callback for given device.
* @dev: Device to handle.
* @state: PM transition of the system being carried out.
* @async: If true, the device is being resumed asynchronously.
@@ -588,7 +588,7 @@ bool dev_pm_skip_resume(struct device *dev)
* The driver of @dev will not receive interrupts while this function is being
* executed.
*/
-static int device_resume_noirq(struct device *dev, pm_message_t state, bool async)
+static void __device_resume_noirq(struct device *dev, pm_message_t state, bool async)
{
pm_callback_t callback = NULL;
const char *info = NULL;
@@ -656,7 +656,13 @@ static int device_resume_noirq(struct device *dev, pm_message_t state, bool asyn
Out:
complete_all(&dev->power.completion);
TRACE_RESUME(error);
- return error;
+
+ if (error) {
+ suspend_stats.failed_resume_noirq++;
+ dpm_save_failed_step(SUSPEND_RESUME_NOIRQ);
+ dpm_save_failed_dev(dev_name(dev));
+ pm_dev_err(dev, state, async ? " async noirq" : " noirq", error);
+ }
}
static bool is_async(struct device *dev)
@@ -669,11 +675,15 @@ static bool dpm_async_fn(struct device *dev, async_func_t func)
{
reinit_completion(&dev->power.completion);
- if (is_async(dev)) {
- get_device(dev);
- async_schedule_dev(func, dev);
+ if (!is_async(dev))
+ return false;
+
+ get_device(dev);
+
+ if (async_schedule_dev_nocall(func, dev))
return true;
- }
+
+ put_device(dev);
return false;
}
@@ -681,15 +691,19 @@ static bool dpm_async_fn(struct device *dev, async_func_t func)
static void async_resume_noirq(void *data, async_cookie_t cookie)
{
struct device *dev = data;
- int error;
-
- error = device_resume_noirq(dev, pm_transition, true);
- if (error)
- pm_dev_err(dev, pm_transition, " async", error);
+ __device_resume_noirq(dev, pm_transition, true);
put_device(dev);
}
+static void device_resume_noirq(struct device *dev)
+{
+ if (dpm_async_fn(dev, async_resume_noirq))
+ return;
+
+ __device_resume_noirq(dev, pm_transition, false);
+}
+
static void dpm_noirq_resume_devices(pm_message_t state)
{
struct device *dev;
@@ -699,14 +713,6 @@ static void dpm_noirq_resume_devices(pm_message_t state)
mutex_lock(&dpm_list_mtx);
pm_transition = state;
- /*
- * Advanced the async threads upfront,
- * in case the starting of async threads is
- * delayed by non-async resuming devices.
- */
- list_for_each_entry(dev, &dpm_noirq_list, power.entry)
- dpm_async_fn(dev, async_resume_noirq);
-
while (!list_empty(&dpm_noirq_list)) {
dev = to_device(dpm_noirq_list.next);
get_device(dev);
@@ -714,17 +720,7 @@ static void dpm_noirq_resume_devices(pm_message_t state)
mutex_unlock(&dpm_list_mtx);
- if (!is_async(dev)) {
- int error;
-
- error = device_resume_noirq(dev, state, false);
- if (error) {
- suspend_stats.failed_resume_noirq++;
- dpm_save_failed_step(SUSPEND_RESUME_NOIRQ);
- dpm_save_failed_dev(dev_name(dev));
- pm_dev_err(dev, state, " noirq", error);
- }
- }
+ device_resume_noirq(dev);
put_device(dev);
@@ -754,14 +750,14 @@ void dpm_resume_noirq(pm_message_t state)
}
/**
- * device_resume_early - Execute an "early resume" callback for given device.
+ * __device_resume_early - Execute an "early resume" callback for given device.
* @dev: Device to handle.
* @state: PM transition of the system being carried out.
* @async: If true, the device is being resumed asynchronously.
*
* Runtime PM is disabled for @dev while this function is being executed.
*/
-static int device_resume_early(struct device *dev, pm_message_t state, bool async)
+static void __device_resume_early(struct device *dev, pm_message_t state, bool async)
{
pm_callback_t callback = NULL;
const char *info = NULL;
@@ -814,21 +810,31 @@ static int device_resume_early(struct device *dev, pm_message_t state, bool asyn
pm_runtime_enable(dev);
complete_all(&dev->power.completion);
- return error;
+
+ if (error) {
+ suspend_stats.failed_resume_early++;
+ dpm_save_failed_step(SUSPEND_RESUME_EARLY);
+ dpm_save_failed_dev(dev_name(dev));
+ pm_dev_err(dev, state, async ? " async early" : " early", error);
+ }
}
static void async_resume_early(void *data, async_cookie_t cookie)
{
struct device *dev = data;
- int error;
-
- error = device_resume_early(dev, pm_transition, true);
- if (error)
- pm_dev_err(dev, pm_transition, " async", error);
+ __device_resume_early(dev, pm_transition, true);
put_device(dev);
}
+static void device_resume_early(struct device *dev)
+{
+ if (dpm_async_fn(dev, async_resume_early))
+ return;
+
+ __device_resume_early(dev, pm_transition, false);
+}
+
/**
* dpm_resume_early - Execute "early resume" callbacks for all devices.
* @state: PM transition of the system being carried out.
@@ -842,14 +848,6 @@ void dpm_resume_early(pm_message_t state)
mutex_lock(&dpm_list_mtx);
pm_transition = state;
- /*
- * Advanced the async threads upfront,
- * in case the starting of async threads is
- * delayed by non-async resuming devices.
- */
- list_for_each_entry(dev, &dpm_late_early_list, power.entry)
- dpm_async_fn(dev, async_resume_early);
-
while (!list_empty(&dpm_late_early_list)) {
dev = to_device(dpm_late_early_list.next);
get_device(dev);
@@ -857,17 +855,7 @@ void dpm_resume_early(pm_message_t state)
mutex_unlock(&dpm_list_mtx);
- if (!is_async(dev)) {
- int error;
-
- error = device_resume_early(dev, state, false);
- if (error) {
- suspend_stats.failed_resume_early++;
- dpm_save_failed_step(SUSPEND_RESUME_EARLY);
- dpm_save_failed_dev(dev_name(dev));
- pm_dev_err(dev, state, " early", error);
- }
- }
+ device_resume_early(dev);
put_device(dev);
@@ -891,12 +879,12 @@ void dpm_resume_start(pm_message_t state)
EXPORT_SYMBOL_GPL(dpm_resume_start);
/**
- * device_resume - Execute "resume" callbacks for given device.
+ * __device_resume - Execute "resume" callbacks for given device.
* @dev: Device to handle.
* @state: PM transition of the system being carried out.
* @async: If true, the device is being resumed asynchronously.
*/
-static int device_resume(struct device *dev, pm_message_t state, bool async)
+static void __device_resume(struct device *dev, pm_message_t state, bool async)
{
pm_callback_t callback = NULL;
const char *info = NULL;
@@ -978,20 +966,30 @@ static int device_resume(struct device *dev, pm_message_t state, bool async)
TRACE_RESUME(error);
- return error;
+ if (error) {
+ suspend_stats.failed_resume++;
+ dpm_save_failed_step(SUSPEND_RESUME);
+ dpm_save_failed_dev(dev_name(dev));
+ pm_dev_err(dev, state, async ? " async" : "", error);
+ }
}
static void async_resume(void *data, async_cookie_t cookie)
{
struct device *dev = data;
- int error;
- error = device_resume(dev, pm_transition, true);
- if (error)
- pm_dev_err(dev, pm_transition, " async", error);
+ __device_resume(dev, pm_transition, true);
put_device(dev);
}
+static void device_resume(struct device *dev)
+{
+ if (dpm_async_fn(dev, async_resume))
+ return;
+
+ __device_resume(dev, pm_transition, false);
+}
+
/**
* dpm_resume - Execute "resume" callbacks for non-sysdev devices.
* @state: PM transition of the system being carried out.
@@ -1011,27 +1009,17 @@ void dpm_resume(pm_message_t state)
pm_transition = state;
async_error = 0;
- list_for_each_entry(dev, &dpm_suspended_list, power.entry)
- dpm_async_fn(dev, async_resume);
-
while (!list_empty(&dpm_suspended_list)) {
dev = to_device(dpm_suspended_list.next);
+
get_device(dev);
- if (!is_async(dev)) {
- int error;
- mutex_unlock(&dpm_list_mtx);
+ mutex_unlock(&dpm_list_mtx);
+
+ device_resume(dev);
- error = device_resume(dev, state, false);
- if (error) {
- suspend_stats.failed_resume++;
- dpm_save_failed_step(SUSPEND_RESUME);
- dpm_save_failed_dev(dev_name(dev));
- pm_dev_err(dev, state, "", error);
- }
+ mutex_lock(&dpm_list_mtx);
- mutex_lock(&dpm_list_mtx);
- }
if (!list_empty(&dev->power.entry))
list_move_tail(&dev->power.entry, &dpm_prepared_list);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 097/476] bus: mhi: host: Rename "struct mhi_tre" to "struct mhi_ring_element"
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 096/476] PM: sleep: Fix possible deadlocks in core system-wide PM code Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 098/476] bus: mhi: host: Add alignment check for event ring read pointer Greg Kroah-Hartman
` (388 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Elder, Manivannan Sadhasivam,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
[ Upstream commit 84f5f31f110e5e8cd5581e8efdbf8c369e962eb9 ]
Structure "struct mhi_tre" is representing a generic MHI ring element and
not specifically a Transfer Ring Element (TRE). Fix the naming.
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20220301160308.107452-9-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: eff9704f5332 ("bus: mhi: host: Add alignment check for event ring read pointer")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/mhi/host/init.c | 6 +++---
drivers/bus/mhi/host/internal.h | 2 +-
drivers/bus/mhi/host/main.c | 20 ++++++++++----------
3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c
index 829d4fca7ddc..7ccc5cd27fd0 100644
--- a/drivers/bus/mhi/host/init.c
+++ b/drivers/bus/mhi/host/init.c
@@ -338,7 +338,7 @@ int mhi_init_dev_ctxt(struct mhi_controller *mhi_cntrl)
er_ctxt->msivec = cpu_to_le32(mhi_event->irq);
mhi_event->db_cfg.db_mode = true;
- ring->el_size = sizeof(struct mhi_tre);
+ ring->el_size = sizeof(struct mhi_ring_element);
ring->len = ring->el_size * ring->elements;
ret = mhi_alloc_aligned_ring(mhi_cntrl, ring, ring->len);
if (ret)
@@ -370,7 +370,7 @@ int mhi_init_dev_ctxt(struct mhi_controller *mhi_cntrl)
for (i = 0; i < NR_OF_CMD_RINGS; i++, mhi_cmd++, cmd_ctxt++) {
struct mhi_ring *ring = &mhi_cmd->ring;
- ring->el_size = sizeof(struct mhi_tre);
+ ring->el_size = sizeof(struct mhi_ring_element);
ring->elements = CMD_EL_PER_RING;
ring->len = ring->el_size * ring->elements;
ret = mhi_alloc_aligned_ring(mhi_cntrl, ring, ring->len);
@@ -613,7 +613,7 @@ int mhi_init_chan_ctxt(struct mhi_controller *mhi_cntrl,
buf_ring = &mhi_chan->buf_ring;
tre_ring = &mhi_chan->tre_ring;
- tre_ring->el_size = sizeof(struct mhi_tre);
+ tre_ring->el_size = sizeof(struct mhi_ring_element);
tre_ring->len = tre_ring->el_size * tre_ring->elements;
chan_ctxt = &mhi_cntrl->mhi_ctxt->chan_ctxt[mhi_chan->chan];
ret = mhi_alloc_aligned_ring(mhi_cntrl, tre_ring, tre_ring->len);
diff --git a/drivers/bus/mhi/host/internal.h b/drivers/bus/mhi/host/internal.h
index 71f181402be9..df65bb17fdba 100644
--- a/drivers/bus/mhi/host/internal.h
+++ b/drivers/bus/mhi/host/internal.h
@@ -257,7 +257,7 @@ struct mhi_ctxt {
dma_addr_t cmd_ctxt_addr;
};
-struct mhi_tre {
+struct mhi_ring_element {
__le64 ptr;
__le32 dword[2];
};
diff --git a/drivers/bus/mhi/host/main.c b/drivers/bus/mhi/host/main.c
index 0d35acb2f7c0..23bd1db94558 100644
--- a/drivers/bus/mhi/host/main.c
+++ b/drivers/bus/mhi/host/main.c
@@ -556,7 +556,7 @@ static void mhi_recycle_ev_ring_element(struct mhi_controller *mhi_cntrl,
}
static int parse_xfer_event(struct mhi_controller *mhi_cntrl,
- struct mhi_tre *event,
+ struct mhi_ring_element *event,
struct mhi_chan *mhi_chan)
{
struct mhi_ring *buf_ring, *tre_ring;
@@ -592,7 +592,7 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl,
case MHI_EV_CC_EOT:
{
dma_addr_t ptr = MHI_TRE_GET_EV_PTR(event);
- struct mhi_tre *local_rp, *ev_tre;
+ struct mhi_ring_element *local_rp, *ev_tre;
void *dev_rp;
struct mhi_buf_info *buf_info;
u16 xfer_len;
@@ -695,7 +695,7 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl,
}
static int parse_rsc_event(struct mhi_controller *mhi_cntrl,
- struct mhi_tre *event,
+ struct mhi_ring_element *event,
struct mhi_chan *mhi_chan)
{
struct mhi_ring *buf_ring, *tre_ring;
@@ -759,12 +759,12 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl,
}
static void mhi_process_cmd_completion(struct mhi_controller *mhi_cntrl,
- struct mhi_tre *tre)
+ struct mhi_ring_element *tre)
{
dma_addr_t ptr = MHI_TRE_GET_EV_PTR(tre);
struct mhi_cmd *cmd_ring = &mhi_cntrl->mhi_cmd[PRIMARY_CMD_RING];
struct mhi_ring *mhi_ring = &cmd_ring->ring;
- struct mhi_tre *cmd_pkt;
+ struct mhi_ring_element *cmd_pkt;
struct mhi_chan *mhi_chan;
u32 chan;
@@ -797,7 +797,7 @@ int mhi_process_ctrl_ev_ring(struct mhi_controller *mhi_cntrl,
struct mhi_event *mhi_event,
u32 event_quota)
{
- struct mhi_tre *dev_rp, *local_rp;
+ struct mhi_ring_element *dev_rp, *local_rp;
struct mhi_ring *ev_ring = &mhi_event->ring;
struct mhi_event_ctxt *er_ctxt =
&mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index];
@@ -967,7 +967,7 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl,
struct mhi_event *mhi_event,
u32 event_quota)
{
- struct mhi_tre *dev_rp, *local_rp;
+ struct mhi_ring_element *dev_rp, *local_rp;
struct mhi_ring *ev_ring = &mhi_event->ring;
struct mhi_event_ctxt *er_ctxt =
&mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index];
@@ -1188,7 +1188,7 @@ int mhi_gen_tre(struct mhi_controller *mhi_cntrl, struct mhi_chan *mhi_chan,
struct mhi_buf_info *info, enum mhi_flags flags)
{
struct mhi_ring *buf_ring, *tre_ring;
- struct mhi_tre *mhi_tre;
+ struct mhi_ring_element *mhi_tre;
struct mhi_buf_info *buf_info;
int eot, eob, chain, bei;
int ret;
@@ -1266,7 +1266,7 @@ int mhi_send_cmd(struct mhi_controller *mhi_cntrl,
struct mhi_chan *mhi_chan,
enum mhi_cmd_type cmd)
{
- struct mhi_tre *cmd_tre = NULL;
+ struct mhi_ring_element *cmd_tre = NULL;
struct mhi_cmd *mhi_cmd = &mhi_cntrl->mhi_cmd[PRIMARY_CMD_RING];
struct mhi_ring *ring = &mhi_cmd->ring;
struct device *dev = &mhi_cntrl->mhi_dev->dev;
@@ -1524,7 +1524,7 @@ static void mhi_mark_stale_events(struct mhi_controller *mhi_cntrl,
int chan)
{
- struct mhi_tre *dev_rp, *local_rp;
+ struct mhi_ring_element *dev_rp, *local_rp;
struct mhi_ring *ev_ring;
struct device *dev = &mhi_cntrl->mhi_dev->dev;
unsigned long flags;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 098/476] bus: mhi: host: Add alignment check for event ring read pointer
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 097/476] bus: mhi: host: Rename "struct mhi_tre" to "struct mhi_ring_element" Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 099/476] fs/pipe: move check to pipe_has_watch_queue() Greg Kroah-Hartman
` (387 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krishna chaitanya chundru,
Jeffrey Hugo, Manivannan Sadhasivam, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna chaitanya chundru <quic_krichai@quicinc.com>
[ Upstream commit eff9704f5332a13b08fbdbe0f84059c9e7051d5f ]
Though we do check the event ring read pointer by "is_valid_ring_ptr"
to make sure it is in the buffer range, but there is another risk the
pointer may be not aligned. Since we are expecting event ring elements
are 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer
could lead to multiple issues like DoS or ring buffer memory corruption.
So add a alignment check for event ring read pointer.
Fixes: ec32332df764 ("bus: mhi: core: Sanity check values from remote device before use")
cc: stable@vger.kernel.org
Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20231031-alignment_check-v2-1-1441db7c5efd@quicinc.com
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/mhi/host/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/bus/mhi/host/main.c b/drivers/bus/mhi/host/main.c
index 23bd1db94558..1cb7c60594f1 100644
--- a/drivers/bus/mhi/host/main.c
+++ b/drivers/bus/mhi/host/main.c
@@ -267,7 +267,8 @@ static void mhi_del_ring_element(struct mhi_controller *mhi_cntrl,
static bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr)
{
- return addr >= ring->iommu_base && addr < ring->iommu_base + ring->len;
+ return addr >= ring->iommu_base && addr < ring->iommu_base + ring->len &&
+ !(addr & (sizeof(struct mhi_ring_element) - 1));
}
int mhi_destroy_device(struct device *dev, void *data)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 099/476] fs/pipe: move check to pipe_has_watch_queue()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 098/476] bus: mhi: host: Add alignment check for event ring read pointer Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 100/476] pipe: wakeup wr_wait after setting max_usage Greg Kroah-Hartman
` (386 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, David Howells,
Christian Brauner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
[ Upstream commit b4bd6b4bac8edd61eb8f7b836969d12c0c6af165 ]
This declutters the code by reducing the number of #ifdefs and makes
the watch_queue checks simpler. This has no runtime effect; the
machine code is identical.
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Message-Id: <20230921075755.1378787-2-max.kellermann@ionos.com>
Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Stable-dep-of: e95aada4cb93 ("pipe: wakeup wr_wait after setting max_usage")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pipe.c | 12 +++---------
include/linux/pipe_fs_i.h | 16 ++++++++++++++++
2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index e08f0fe55584..1a43948c0c36 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -435,12 +435,10 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
goto out;
}
-#ifdef CONFIG_WATCH_QUEUE
- if (pipe->watch_queue) {
+ if (pipe_has_watch_queue(pipe)) {
ret = -EXDEV;
goto out;
}
-#endif
/*
* If it wasn't empty we try to merge new data into
@@ -1319,10 +1317,8 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
unsigned int nr_slots, size;
long ret = 0;
-#ifdef CONFIG_WATCH_QUEUE
- if (pipe->watch_queue)
+ if (pipe_has_watch_queue(pipe))
return -EBUSY;
-#endif
size = round_pipe_size(arg);
nr_slots = size >> PAGE_SHIFT;
@@ -1374,10 +1370,8 @@ struct pipe_inode_info *get_pipe_info(struct file *file, bool for_splice)
if (file->f_op != &pipefifo_fops || !pipe)
return NULL;
-#ifdef CONFIG_WATCH_QUEUE
- if (for_splice && pipe->watch_queue)
+ if (for_splice && pipe_has_watch_queue(pipe))
return NULL;
-#endif
return pipe;
}
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index d15190b3e032..0613daf8997a 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -124,6 +124,22 @@ struct pipe_buf_operations {
bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
};
+/**
+ * pipe_has_watch_queue - Check whether the pipe is a watch_queue,
+ * i.e. it was created with O_NOTIFICATION_PIPE
+ * @pipe: The pipe to check
+ *
+ * Return: true if pipe is a watch queue, false otherwise.
+ */
+static inline bool pipe_has_watch_queue(const struct pipe_inode_info *pipe)
+{
+#ifdef CONFIG_WATCH_QUEUE
+ return pipe->watch_queue != NULL;
+#else
+ return false;
+#endif
+}
+
/**
* pipe_empty - Return true if the pipe is empty
* @head: The pipe ring head pointer
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 100/476] pipe: wakeup wr_wait after setting max_usage
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 099/476] fs/pipe: move check to pipe_has_watch_queue() Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 101/476] ARM: dts: qcom: sdx55: fix USB wakeup interrupt types Greg Kroah-Hartman
` (385 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Lukas Schauer,
Christian Brauner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Schauer <lukas@schauer.dev>
[ Upstream commit e95aada4cb93d42e25c30a0ef9eb2923d9711d4a ]
Commit c73be61cede5 ("pipe: Add general notification queue support") a
regression was introduced that would lock up resized pipes under certain
conditions. See the reproducer in [1].
The commit resizing the pipe ring size was moved to a different
function, doing that moved the wakeup for pipe->wr_wait before actually
raising pipe->max_usage. If a pipe was full before the resize occured it
would result in the wakeup never actually triggering pipe_write.
Set @max_usage and @nr_accounted before waking writers if this isn't a
watch queue.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=212295 [1]
Link: https://lore.kernel.org/r/20231201-orchideen-modewelt-e009de4562c6@brauner
Fixes: c73be61cede5 ("pipe: Add general notification queue support")
Reviewed-by: David Howells <dhowells@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Lukas Schauer <lukas@schauer.dev>
[Christian Brauner <brauner@kernel.org>: rewrite to account for watch queues]
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pipe.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index 1a43948c0c36..a8b8ef2dae7b 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1300,6 +1300,11 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
pipe->tail = tail;
pipe->head = head;
+ if (!pipe_has_watch_queue(pipe)) {
+ pipe->max_usage = nr_slots;
+ pipe->nr_accounted = nr_slots;
+ }
+
spin_unlock_irq(&pipe->rd_wait.lock);
/* This might have made more room for writers */
@@ -1351,8 +1356,6 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
if (ret < 0)
goto out_revert_acct;
- pipe->max_usage = nr_slots;
- pipe->nr_accounted = nr_slots;
return pipe->max_usage * PAGE_SIZE;
out_revert_acct:
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 101/476] ARM: dts: qcom: sdx55: fix USB wakeup interrupt types
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 100/476] pipe: wakeup wr_wait after setting max_usage Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 102/476] ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12 Greg Kroah-Hartman
` (384 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam, Johan Hovold,
Bjorn Andersson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
[ Upstream commit d0ec3c4c11c3b30e1f2d344973b2a7bf0f986734 ]
The DP/DM wakeup interrupts are edge triggered and which edge to trigger
on depends on use-case and whether a Low speed or Full/High speed device
is connected.
Fixes: fea4b41022f3 ("ARM: dts: qcom: sdx55: Add USB3 and PHY support")
Cc: stable@vger.kernel.org # 5.12
Cc: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231120164331.8116-2-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/qcom-sdx55.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/boot/dts/qcom-sdx55.dtsi b/arch/arm/boot/dts/qcom-sdx55.dtsi
index 73fa0ef6b69e..4e7381d0e205 100644
--- a/arch/arm/boot/dts/qcom-sdx55.dtsi
+++ b/arch/arm/boot/dts/qcom-sdx55.dtsi
@@ -422,8 +422,8 @@ usb: usb@a6f8800 {
interrupts = <GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
<GIC_SPI 198 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 158 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 157 IRQ_TYPE_LEVEL_HIGH>;
+ <GIC_SPI 158 IRQ_TYPE_EDGE_BOTH>,
+ <GIC_SPI 157 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 102/476] ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 101/476] ARM: dts: qcom: sdx55: fix USB wakeup interrupt types Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 103/476] ARM: dts: qcom: sdx55: fix pdc #interrupt-cells Greg Kroah-Hartman
` (383 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Cercueil, Krzysztof Kozlowski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Cercueil <paul@crapouillou.net>
[ Upstream commit 84228d5e29dbc7a6be51e221000e1d122125826c ]
The kernel hangs for a good 12 seconds without any info being printed to
dmesg, very early in the boot process, if this regulator is not enabled.
Force-enable it to work around this issue, until we know more about the
underlying problem.
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Fixes: 8620cc2f99b7 ("ARM: dts: exynos: Add devicetree file for the Galaxy S2")
Cc: stable@vger.kernel.org # v5.8+
Link: https://lore.kernel.org/r/20231206221556.15348-2-paul@crapouillou.net
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/exynos4210-i9100.dts | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/arm/boot/dts/exynos4210-i9100.dts b/arch/arm/boot/dts/exynos4210-i9100.dts
index 93880bdbcad9..8232d843bfe0 100644
--- a/arch/arm/boot/dts/exynos4210-i9100.dts
+++ b/arch/arm/boot/dts/exynos4210-i9100.dts
@@ -520,6 +520,14 @@ vtcam_reg: LDO12 {
regulator-name = "VT_CAM_1.8V";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
+
+ /*
+ * Force-enable this regulator; otherwise the
+ * kernel hangs very early in the boot process
+ * for about 12 seconds, without apparent
+ * reason.
+ */
+ regulator-always-on;
};
vcclcd_reg: LDO13 {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 103/476] ARM: dts: qcom: sdx55: fix pdc #interrupt-cells
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 102/476] ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12 Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 104/476] ARM: dts: qcom: sdx55: fix USB DP/DM HS PHY interrupts Greg Kroah-Hartman
` (382 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam, Johan Hovold,
Konrad Dybcio, Manivannan Sadhasivam, Bjorn Andersson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
[ Upstream commit cc25bd06c16aa582596a058d375b2e3133f79b93 ]
The Qualcomm PDC interrupt controller binding expects two cells in
interrupt specifiers.
Fixes: 9d038b2e62de ("ARM: dts: qcom: Add SDX55 platform and MTP board support")
Cc: stable@vger.kernel.org # 5.12
Cc: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20231213173131.29436-2-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/qcom-sdx55.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/qcom-sdx55.dtsi b/arch/arm/boot/dts/qcom-sdx55.dtsi
index 4e7381d0e205..e8b4cbd39413 100644
--- a/arch/arm/boot/dts/qcom-sdx55.dtsi
+++ b/arch/arm/boot/dts/qcom-sdx55.dtsi
@@ -447,7 +447,7 @@ pdc: interrupt-controller@b210000 {
compatible = "qcom,sdx55-pdc", "qcom,pdc";
reg = <0x0b210000 0x30000>;
qcom,pdc-ranges = <0 179 52>;
- #interrupt-cells = <3>;
+ #interrupt-cells = <2>;
interrupt-parent = <&intc>;
interrupt-controller;
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 104/476] ARM: dts: qcom: sdx55: fix USB DP/DM HS PHY interrupts
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 103/476] ARM: dts: qcom: sdx55: fix pdc #interrupt-cells Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 105/476] ARM: dts: qcom: sdx55: fix USB SS wakeup Greg Kroah-Hartman
` (381 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam, Johan Hovold,
Konrad Dybcio, Manivannan Sadhasivam, Bjorn Andersson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
[ Upstream commit de95f139394a5ed82270f005bc441d2e7c1e51b7 ]
The USB DP/DM HS PHY interrupts need to be provided by the PDC interrupt
controller in order to be able to wake the system up from low-power
states and to be able to detect disconnect events, which requires
triggering on falling edges.
A recent commit updated the trigger type but failed to change the
interrupt provider as required. This leads to the current Linux driver
failing to probe instead of printing an error during suspend and USB
wakeup not working as intended.
Fixes: d0ec3c4c11c3 ("ARM: dts: qcom: sdx55: fix USB wakeup interrupt types")
Fixes: fea4b41022f3 ("ARM: dts: qcom: sdx55: Add USB3 and PHY support")
Cc: stable@vger.kernel.org # 5.12
Cc: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20231213173131.29436-3-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/qcom-sdx55.dtsi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm/boot/dts/qcom-sdx55.dtsi b/arch/arm/boot/dts/qcom-sdx55.dtsi
index e8b4cbd39413..9c0d2432f105 100644
--- a/arch/arm/boot/dts/qcom-sdx55.dtsi
+++ b/arch/arm/boot/dts/qcom-sdx55.dtsi
@@ -420,10 +420,10 @@ usb: usb@a6f8800 {
<&gcc GCC_USB30_MASTER_CLK>;
assigned-clock-rates = <19200000>, <200000000>;
- interrupts = <GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 198 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 158 IRQ_TYPE_EDGE_BOTH>,
- <GIC_SPI 157 IRQ_TYPE_EDGE_BOTH>;
+ interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc GIC_SPI 198 IRQ_TYPE_LEVEL_HIGH>,
+ <&pdc 11 IRQ_TYPE_EDGE_BOTH>,
+ <&pdc 10 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
"dm_hs_phy_irq", "dp_hs_phy_irq";
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 105/476] ARM: dts: qcom: sdx55: fix USB SS wakeup
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 104/476] ARM: dts: qcom: sdx55: fix USB DP/DM HS PHY interrupts Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 106/476] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run Greg Kroah-Hartman
` (380 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam, Johan Hovold,
Konrad Dybcio, Manivannan Sadhasivam, Bjorn Andersson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
[ Upstream commit 710dd03464e4ab5b3d329768388b165d61958577 ]
The USB SS PHY interrupt needs to be provided by the PDC interrupt
controller in order to be able to wake the system up from low-power
states.
Fixes: fea4b41022f3 ("ARM: dts: qcom: sdx55: Add USB3 and PHY support")
Cc: stable@vger.kernel.org # 5.12
Cc: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20231213173131.29436-4-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/qcom-sdx55.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/qcom-sdx55.dtsi b/arch/arm/boot/dts/qcom-sdx55.dtsi
index 9c0d2432f105..67159e8608ed 100644
--- a/arch/arm/boot/dts/qcom-sdx55.dtsi
+++ b/arch/arm/boot/dts/qcom-sdx55.dtsi
@@ -421,7 +421,7 @@ usb: usb@a6f8800 {
assigned-clock-rates = <19200000>, <200000000>;
interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>,
- <&intc GIC_SPI 198 IRQ_TYPE_LEVEL_HIGH>,
+ <&pdc 51 IRQ_TYPE_LEVEL_HIGH>,
<&pdc 11 IRQ_TYPE_EDGE_BOTH>,
<&pdc 10 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "hs_phy_irq", "ss_phy_irq",
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 106/476] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 105/476] ARM: dts: qcom: sdx55: fix USB SS wakeup Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 107/476] mm: use __pfn_to_section() instead of open coding it Greg Kroah-Hartman
` (379 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Wang, Dmitry Osipenko,
Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Wang <zyytlz.wz@163.com>
[ Upstream commit 206c857dd17d4d026de85866f1b5f0969f2a109e ]
In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
mtk_jpeg_job_timeout_work.
In mtk_jpeg_dec_device_run, if error happens in
mtk_jpeg_set_dec_dst, it will finally start the worker while
mark the job as finished by invoking v4l2_m2m_job_finish.
There are two methods to trigger the bug. If we remove the
module, it which will call mtk_jpeg_remove to make cleanup.
The possible sequence is as follows, which will cause a
use-after-free bug.
CPU0 CPU1
mtk_jpeg_dec_... |
start worker |
|mtk_jpeg_job_timeout_work
mtk_jpeg_remove |
v4l2_m2m_release |
kfree(m2m_dev); |
|
| v4l2_m2m_get_curr_priv
| m2m_dev->curr_ctx //use
If we close the file descriptor, which will call mtk_jpeg_release,
it will have a similar sequence.
Fix this bug by starting timeout worker only if started jpegdec worker
successfully. Then v4l2_m2m_job_finish will only be called in
either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.
Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Cc: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
index bc84274ba87a..ba490b06ff70 100644
--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
@@ -977,13 +977,13 @@ static void mtk_jpeg_dec_device_run(void *priv)
if (ret < 0)
goto dec_end;
- schedule_delayed_work(&jpeg->job_timeout_work,
- msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC));
-
mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs);
if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb))
goto dec_end;
+ schedule_delayed_work(&jpeg->job_timeout_work,
+ msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC));
+
spin_lock_irqsave(&jpeg->hw_lock, flags);
mtk_jpeg_dec_reset(jpeg->reg_base);
mtk_jpeg_dec_set_config(jpeg->reg_base,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 107/476] mm: use __pfn_to_section() instead of open coding it
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 106/476] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage Greg Kroah-Hartman
` (378 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rolf Eike Beer, Andrew Morton,
Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rolf Eike Beer <eb@emlix.com>
[ Upstream commit f1dc0db296bd25960273649fc6ef2ecbf5aaa0e0 ]
It is defined in the same file just a few lines above.
Link: https://lkml.kernel.org/r/4598487.Rc0NezkW7i@mobilepool36.emlix.com
Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/mmzone.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
index 6ba100216530..9e1485083398 100644
--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
@@ -1493,7 +1493,7 @@ static inline int pfn_valid(unsigned long pfn)
if (pfn_to_section_nr(pfn) >= NR_MEM_SECTIONS)
return 0;
- ms = __nr_to_section(pfn_to_section_nr(pfn));
+ ms = __pfn_to_section(pfn);
if (!valid_section(ms))
return 0;
/*
@@ -1508,7 +1508,7 @@ static inline int pfn_in_present_section(unsigned long pfn)
{
if (pfn_to_section_nr(pfn) >= NR_MEM_SECTIONS)
return 0;
- return present_section(__nr_to_section(pfn_to_section_nr(pfn)));
+ return present_section(__pfn_to_section(pfn));
}
static inline unsigned long next_present_section_nr(unsigned long section_nr)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 107/476] mm: use __pfn_to_section() instead of open coding it Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-04-25 14:55 ` Donald Buczek
2024-02-21 13:02 ` [PATCH 5.15 109/476] PM / devfreq: Fix buffer overflow in trans_stat_show Greg Kroah-Hartman
` (377 subsequent siblings)
485 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charan Teja Kalla, Aneesh Kumar K.V,
Dan Williams, David Hildenbrand, Mel Gorman, Oscar Salvador,
Vlastimil Babka, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charan Teja Kalla <quic_charante@quicinc.com>
[ Upstream commit 5ec8e8ea8b7783fab150cf86404fc38cb4db8800 ]
The below race is observed on a PFN which falls into the device memory
region with the system memory configuration where PFN's are such that
[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end
pfn contains the device memory PFN's as well, the compaction triggered
will try on the device memory PFN's too though they end up in NOP(because
pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When
from other core, the section mappings are being removed for the
ZONE_DEVICE region, that the PFN in question belongs to, on which
compaction is currently being operated is resulting into the kernel crash
with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1].
compact_zone() memunmap_pages
------------- ---------------
__pageblock_pfn_to_page
......
(a)pfn_valid():
valid_section()//return true
(b)__remove_pages()->
sparse_remove_section()->
section_deactivate():
[Free the array ms->usage and set
ms->usage = NULL]
pfn_section_valid()
[Access ms->usage which
is NULL]
NOTE: From the above it can be said that the race is reduced to between
the pfn_valid()/pfn_section_valid() and the section deactivate with
SPASEMEM_VMEMAP enabled.
The commit b943f045a9af("mm/sparse: fix kernel crash with
pfn_section_valid check") tried to address the same problem by clearing
the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns
false thus ms->usage is not accessed.
Fix this issue by the below steps:
a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.
b) RCU protected read side critical section will either return NULL
when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.
c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No
attempt will be made to access ->usage after this as the
SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.
Thanks to David/Pavan for their inputs on this patch.
[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/
On Snapdragon SoC, with the mentioned memory configuration of PFN's as
[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of
issues daily while testing on a device farm.
For this particular issue below is the log. Though the below log is
not directly pointing to the pfn_section_valid(){ ms->usage;}, when we
loaded this dump on T32 lauterbach tool, it is pointing.
[ 540.578056] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
[ 540.578068] Mem abort info:
[ 540.578070] ESR = 0x0000000096000005
[ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits
[ 540.578077] SET = 0, FnV = 0
[ 540.578080] EA = 0, S1PTW = 0
[ 540.578082] FSC = 0x05: level 1 translation fault
[ 540.578085] Data abort info:
[ 540.578086] ISV = 0, ISS = 0x00000005
[ 540.578088] CM = 0, WnR = 0
[ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)
[ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c
[ 540.579454] lr : compact_zone+0x994/0x1058
[ 540.579460] sp : ffffffc03579b510
[ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c
[ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640
[ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000
[ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140
[ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff
[ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001
[ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440
[ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4
[ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000001
[ 540.579518] x2 : ffffffdebf7e3940 x1 : 0000000000235c00 x0 :0000000000235800
[ 540.579524] Call trace:
[ 540.579527] __pageblock_pfn_to_page+0x6c/0x14c
[ 540.579533] compact_zone+0x994/0x1058
[ 540.579536] try_to_compact_pages+0x128/0x378
[ 540.579540] __alloc_pages_direct_compact+0x80/0x2b0
[ 540.579544] __alloc_pages_slowpath+0x5c0/0xe10
[ 540.579547] __alloc_pages+0x250/0x2d0
[ 540.579550] __iommu_dma_alloc_noncontiguous+0x13c/0x3fc
[ 540.579561] iommu_dma_alloc+0xa0/0x320
[ 540.579565] dma_alloc_attrs+0xd4/0x108
[quic_charante@quicinc.com: use kfree_rcu() in place of synchronize_rcu(), per David]
Link: https://lkml.kernel.org/r/1698403778-20938-1-git-send-email-quic_charante@quicinc.com
Link: https://lkml.kernel.org/r/1697202267-23600-1-git-send-email-quic_charante@quicinc.com
Fixes: f46edbd1b151 ("mm/sparsemem: add helpers track active portions of a section at boot")
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/mmzone.h | 14 +++++++++++---
mm/sparse.c | 17 +++++++++--------
2 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
index 9e1485083398..8b8349ffa1cd 100644
--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
@@ -1287,6 +1287,7 @@ static inline unsigned long section_nr_to_pfn(unsigned long sec)
#define SUBSECTION_ALIGN_DOWN(pfn) ((pfn) & PAGE_SUBSECTION_MASK)
struct mem_section_usage {
+ struct rcu_head rcu;
#ifdef CONFIG_SPARSEMEM_VMEMMAP
DECLARE_BITMAP(subsection_map, SUBSECTIONS_PER_SECTION);
#endif
@@ -1457,7 +1458,7 @@ static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
{
int idx = subsection_map_index(pfn);
- return test_bit(idx, ms->usage->subsection_map);
+ return test_bit(idx, READ_ONCE(ms->usage)->subsection_map);
}
#else
static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
@@ -1481,6 +1482,7 @@ static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
static inline int pfn_valid(unsigned long pfn)
{
struct mem_section *ms;
+ int ret;
/*
* Ensure the upper PAGE_SHIFT bits are clear in the
@@ -1494,13 +1496,19 @@ static inline int pfn_valid(unsigned long pfn)
if (pfn_to_section_nr(pfn) >= NR_MEM_SECTIONS)
return 0;
ms = __pfn_to_section(pfn);
- if (!valid_section(ms))
+ rcu_read_lock();
+ if (!valid_section(ms)) {
+ rcu_read_unlock();
return 0;
+ }
/*
* Traditionally early sections always returned pfn_valid() for
* the entire section-sized span.
*/
- return early_section(ms) || pfn_section_valid(ms, pfn);
+ ret = early_section(ms) || pfn_section_valid(ms, pfn);
+ rcu_read_unlock();
+
+ return ret;
}
#endif
diff --git a/mm/sparse.c b/mm/sparse.c
index 120bc8ea5293..27092badd15b 100644
--- a/mm/sparse.c
+++ b/mm/sparse.c
@@ -789,6 +789,13 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages,
if (empty) {
unsigned long section_nr = pfn_to_section_nr(pfn);
+ /*
+ * Mark the section invalid so that valid_section()
+ * return false. This prevents code from dereferencing
+ * ms->usage array.
+ */
+ ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
+
/*
* When removing an early section, the usage map is kept (as the
* usage maps of other sections fall into the same page). It
@@ -797,16 +804,10 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages,
* was allocated during boot.
*/
if (!PageReserved(virt_to_page(ms->usage))) {
- kfree(ms->usage);
- ms->usage = NULL;
+ kfree_rcu(ms->usage, rcu);
+ WRITE_ONCE(ms->usage, NULL);
}
memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr);
- /*
- * Mark the section invalid so that valid_section()
- * return false. This prevents code from dereferencing
- * ms->usage array.
- */
- ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 109/476] PM / devfreq: Fix buffer overflow in trans_stat_show
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 110/476] btrfs: add definition for EXTENT_TREE_V2 Greg Kroah-Hartman
` (376 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Marangi, Chanwoo Choi,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Marangi <ansuelsmth@gmail.com>
[ Upstream commit 08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4 ]
Fix buffer overflow in trans_stat_show().
Convert simple snprintf to the more secure scnprintf with size of
PAGE_SIZE.
Add condition checking if we are exceeding PAGE_SIZE and exit early from
loop. Also add at the end a warning that we exceeded PAGE_SIZE and that
stats is disabled.
Return -EFBIG in the case where we don't have enough space to write the
full transition table.
Also document in the ABI that this function can return -EFBIG error.
Link: https://lore.kernel.org/all/20231024183016.14648-2-ansuelsmth@gmail.com/
Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218041
Fixes: e552bbaf5b98 ("PM / devfreq: Add sysfs node for representing frequency transition information.")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/ABI/testing/sysfs-class-devfreq | 3 +
drivers/devfreq/devfreq.c | 59 +++++++++++++++++---------
2 files changed, 43 insertions(+), 19 deletions(-)
--- a/Documentation/ABI/testing/sysfs-class-devfreq
+++ b/Documentation/ABI/testing/sysfs-class-devfreq
@@ -52,6 +52,9 @@ Description:
echo 0 > /sys/class/devfreq/.../trans_stat
+ If the transition table is bigger than PAGE_SIZE, reading
+ this will return an -EFBIG error.
+
What: /sys/class/devfreq/.../available_frequencies
Date: October 2012
Contact: Nishanth Menon <nm@ti.com>
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -1653,7 +1653,7 @@ static ssize_t trans_stat_show(struct de
struct device_attribute *attr, char *buf)
{
struct devfreq *df = to_devfreq(dev);
- ssize_t len;
+ ssize_t len = 0;
int i, j;
unsigned int max_state;
@@ -1662,7 +1662,7 @@ static ssize_t trans_stat_show(struct de
max_state = df->profile->max_state;
if (max_state == 0)
- return sprintf(buf, "Not Supported.\n");
+ return scnprintf(buf, PAGE_SIZE, "Not Supported.\n");
mutex_lock(&df->lock);
if (!df->stop_polling &&
@@ -1672,33 +1672,54 @@ static ssize_t trans_stat_show(struct de
}
mutex_unlock(&df->lock);
- len = sprintf(buf, " From : To\n");
- len += sprintf(buf + len, " :");
- for (i = 0; i < max_state; i++)
- len += sprintf(buf + len, "%10lu",
- df->profile->freq_table[i]);
+ len += scnprintf(buf + len, PAGE_SIZE - len, " From : To\n");
+ len += scnprintf(buf + len, PAGE_SIZE - len, " :");
+ for (i = 0; i < max_state; i++) {
+ if (len >= PAGE_SIZE - 1)
+ break;
+ len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu",
+ df->profile->freq_table[i]);
+ }
+ if (len >= PAGE_SIZE - 1)
+ return PAGE_SIZE - 1;
- len += sprintf(buf + len, " time(ms)\n");
+ len += scnprintf(buf + len, PAGE_SIZE - len, " time(ms)\n");
for (i = 0; i < max_state; i++) {
+ if (len >= PAGE_SIZE - 1)
+ break;
if (df->profile->freq_table[i]
== df->previous_freq) {
- len += sprintf(buf + len, "*");
+ len += scnprintf(buf + len, PAGE_SIZE - len, "*");
} else {
- len += sprintf(buf + len, " ");
+ len += scnprintf(buf + len, PAGE_SIZE - len, " ");
}
- len += sprintf(buf + len, "%10lu:",
- df->profile->freq_table[i]);
- for (j = 0; j < max_state; j++)
- len += sprintf(buf + len, "%10u",
- df->stats.trans_table[(i * max_state) + j]);
+ if (len >= PAGE_SIZE - 1)
+ break;
+
+ len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu:",
+ df->profile->freq_table[i]);
+ for (j = 0; j < max_state; j++) {
+ if (len >= PAGE_SIZE - 1)
+ break;
+ len += scnprintf(buf + len, PAGE_SIZE - len, "%10u",
+ df->stats.trans_table[(i * max_state) + j]);
+ }
+ if (len >= PAGE_SIZE - 1)
+ break;
+ len += scnprintf(buf + len, PAGE_SIZE - len, "%10llu\n", (u64)
+ jiffies64_to_msecs(df->stats.time_in_state[i]));
+ }
- len += sprintf(buf + len, "%10llu\n", (u64)
- jiffies64_to_msecs(df->stats.time_in_state[i]));
+ if (len < PAGE_SIZE - 1)
+ len += scnprintf(buf + len, PAGE_SIZE - len, "Total transition : %u\n",
+ df->stats.total_trans);
+
+ if (len >= PAGE_SIZE - 1) {
+ pr_warn_once("devfreq transition table exceeds PAGE_SIZE. Disabling\n");
+ return -EFBIG;
}
- len += sprintf(buf + len, "Total transition : %u\n",
- df->stats.total_trans);
return len;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 110/476] btrfs: add definition for EXTENT_TREE_V2
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 109/476] PM / devfreq: Fix buffer overflow in trans_stat_show Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner() Greg Kroah-Hartman
` (375 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, David Sterba, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 2c7d2a230237e7c43fa067d695937b7e484bb92a ]
This adds the initial definition of the EXTENT_TREE_V2 incompat feature
flag. This also hides the support behind CONFIG_BTRFS_DEBUG.
THIS IS A IN DEVELOPMENT FORMAT CHANGE, DO NOT USE UNLESS YOU ARE A
DEVELOPER OR A TESTER.
The format is in flux and will be added in stages, any fs will need to
be re-made between updates to the format.
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 7081929ab257 ("btrfs: don't abort filesystem when attempting to snapshot deleted subvolume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.h | 21 +++++++++++++++++++++
fs/btrfs/sysfs.c | 5 ++++-
include/uapi/linux/btrfs.h | 1 +
3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index 7905f178efa3..17ebcf19b444 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -282,6 +282,26 @@ struct btrfs_super_block {
#define BTRFS_FEATURE_COMPAT_RO_SAFE_SET 0ULL
#define BTRFS_FEATURE_COMPAT_RO_SAFE_CLEAR 0ULL
+#ifdef CONFIG_BTRFS_DEBUG
+/*
+ * Extent tree v2 supported only with CONFIG_BTRFS_DEBUG
+ */
+#define BTRFS_FEATURE_INCOMPAT_SUPP \
+ (BTRFS_FEATURE_INCOMPAT_MIXED_BACKREF | \
+ BTRFS_FEATURE_INCOMPAT_DEFAULT_SUBVOL | \
+ BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS | \
+ BTRFS_FEATURE_INCOMPAT_BIG_METADATA | \
+ BTRFS_FEATURE_INCOMPAT_COMPRESS_LZO | \
+ BTRFS_FEATURE_INCOMPAT_COMPRESS_ZSTD | \
+ BTRFS_FEATURE_INCOMPAT_RAID56 | \
+ BTRFS_FEATURE_INCOMPAT_EXTENDED_IREF | \
+ BTRFS_FEATURE_INCOMPAT_SKINNY_METADATA | \
+ BTRFS_FEATURE_INCOMPAT_NO_HOLES | \
+ BTRFS_FEATURE_INCOMPAT_METADATA_UUID | \
+ BTRFS_FEATURE_INCOMPAT_RAID1C34 | \
+ BTRFS_FEATURE_INCOMPAT_ZONED | \
+ BTRFS_FEATURE_INCOMPAT_EXTENT_TREE_V2)
+#else
#define BTRFS_FEATURE_INCOMPAT_SUPP \
(BTRFS_FEATURE_INCOMPAT_MIXED_BACKREF | \
BTRFS_FEATURE_INCOMPAT_DEFAULT_SUBVOL | \
@@ -296,6 +316,7 @@ struct btrfs_super_block {
BTRFS_FEATURE_INCOMPAT_METADATA_UUID | \
BTRFS_FEATURE_INCOMPAT_RAID1C34 | \
BTRFS_FEATURE_INCOMPAT_ZONED)
+#endif
#define BTRFS_FEATURE_INCOMPAT_SAFE_SET \
(BTRFS_FEATURE_INCOMPAT_EXTENDED_IREF)
diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
index 899dda6eb835..93a9dfbc8d13 100644
--- a/fs/btrfs/sysfs.c
+++ b/fs/btrfs/sysfs.c
@@ -283,9 +283,11 @@ BTRFS_FEAT_ATTR_INCOMPAT(no_holes, NO_HOLES);
BTRFS_FEAT_ATTR_INCOMPAT(metadata_uuid, METADATA_UUID);
BTRFS_FEAT_ATTR_COMPAT_RO(free_space_tree, FREE_SPACE_TREE);
BTRFS_FEAT_ATTR_INCOMPAT(raid1c34, RAID1C34);
-/* Remove once support for zoned allocation is feature complete */
#ifdef CONFIG_BTRFS_DEBUG
+/* Remove once support for zoned allocation is feature complete */
BTRFS_FEAT_ATTR_INCOMPAT(zoned, ZONED);
+/* Remove once support for extent tree v2 is feature complete */
+BTRFS_FEAT_ATTR_INCOMPAT(extent_tree_v2, EXTENT_TREE_V2);
#endif
#ifdef CONFIG_FS_VERITY
BTRFS_FEAT_ATTR_COMPAT_RO(verity, VERITY);
@@ -314,6 +316,7 @@ static struct attribute *btrfs_supported_feature_attrs[] = {
BTRFS_FEAT_ATTR_PTR(raid1c34),
#ifdef CONFIG_BTRFS_DEBUG
BTRFS_FEAT_ATTR_PTR(zoned),
+ BTRFS_FEAT_ATTR_PTR(extent_tree_v2),
#endif
#ifdef CONFIG_FS_VERITY
BTRFS_FEAT_ATTR_PTR(verity),
diff --git a/include/uapi/linux/btrfs.h b/include/uapi/linux/btrfs.h
index 4693b6ba30a1..493b10b9fedd 100644
--- a/include/uapi/linux/btrfs.h
+++ b/include/uapi/linux/btrfs.h
@@ -310,6 +310,7 @@ struct btrfs_ioctl_fs_info_args {
#define BTRFS_FEATURE_INCOMPAT_METADATA_UUID (1ULL << 10)
#define BTRFS_FEATURE_INCOMPAT_RAID1C34 (1ULL << 11)
#define BTRFS_FEATURE_INCOMPAT_ZONED (1ULL << 12)
+#define BTRFS_FEATURE_INCOMPAT_EXTENT_TREE_V2 (1ULL << 13)
struct btrfs_ioctl_feature_flags {
__u64 compat_flags;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 110/476] btrfs: add definition for EXTENT_TREE_V2 Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 22:19 ` Wang Yugui
2024-02-21 13:02 ` [PATCH 5.15 112/476] NFSD: Add documenting comment for nfsd4_release_lockowner() Greg Kroah-Hartman
` (374 subsequent siblings)
485 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chuck Lever, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit bd8fdb6e545f950f4654a9a10d7e819ad48146e5 ]
Refactor: Use existing helpers that other lock operations use. This
change removes several automatic variables, so re-organize the
variable declarations for readability.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Stable-dep-of: edcf9725150e ("nfsd: fix RELEASE_LOCKOWNER")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 36 +++++++++++-------------------------
1 file changed, 11 insertions(+), 25 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 9b660491f393..798063b9b96f 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -7290,16 +7290,13 @@ nfsd4_release_lockowner(struct svc_rqst *rqstp,
union nfsd4_op_u *u)
{
struct nfsd4_release_lockowner *rlockowner = &u->release_lockowner;
+ struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
clientid_t *clid = &rlockowner->rl_clientid;
- struct nfs4_stateowner *sop;
- struct nfs4_lockowner *lo = NULL;
struct nfs4_ol_stateid *stp;
- struct xdr_netobj *owner = &rlockowner->rl_owner;
- unsigned int hashval = ownerstr_hashval(owner);
- __be32 status;
- struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+ struct nfs4_lockowner *lo;
struct nfs4_client *clp;
- LIST_HEAD (reaplist);
+ LIST_HEAD(reaplist);
+ __be32 status;
dprintk("nfsd4_release_lockowner clientid: (%08x/%08x):\n",
clid->cl_boot, clid->cl_id);
@@ -7307,30 +7304,19 @@ nfsd4_release_lockowner(struct svc_rqst *rqstp,
status = set_client(clid, cstate, nn);
if (status)
return status;
-
clp = cstate->clp;
- /* Find the matching lock stateowner */
- spin_lock(&clp->cl_lock);
- list_for_each_entry(sop, &clp->cl_ownerstr_hashtbl[hashval],
- so_strhash) {
- if (sop->so_is_open_owner || !same_owner_str(sop, owner))
- continue;
-
- if (atomic_read(&sop->so_count) != 1) {
- spin_unlock(&clp->cl_lock);
- return nfserr_locks_held;
- }
-
- lo = lockowner(sop);
- nfs4_get_stateowner(sop);
- break;
- }
+ spin_lock(&clp->cl_lock);
+ lo = find_lockowner_str_locked(clp, &rlockowner->rl_owner);
if (!lo) {
spin_unlock(&clp->cl_lock);
return status;
}
-
+ if (atomic_read(&lo->lo_owner.so_count) != 2) {
+ spin_unlock(&clp->cl_lock);
+ nfs4_put_stateowner(&lo->lo_owner);
+ return nfserr_locks_held;
+ }
unhash_lockowner_locked(lo);
while (!list_empty(&lo->lo_owner.so_stateids)) {
stp = list_first_entry(&lo->lo_owner.so_stateids,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 112/476] NFSD: Add documenting comment for nfsd4_release_lockowner()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner() Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 113/476] ksmbd: fix global oob in ksmbd_nl_policy Greg Kroah-Hartman
` (373 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chuck Lever, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 043862b09cc00273e35e6c3a6389957953a34207 ]
And return explicit nfserr values that match what is documented in the
new comment / API contract.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Stable-dep-of: edcf9725150e ("nfsd: fix RELEASE_LOCKOWNER")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 798063b9b96f..f8533299db1c 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -7284,6 +7284,23 @@ check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner)
return status;
}
+/**
+ * nfsd4_release_lockowner - process NFSv4.0 RELEASE_LOCKOWNER operations
+ * @rqstp: RPC transaction
+ * @cstate: NFSv4 COMPOUND state
+ * @u: RELEASE_LOCKOWNER arguments
+ *
+ * The lockowner's so_count is bumped when a lock record is added
+ * or when copying a conflicting lock. The latter case is brief,
+ * but can lead to fleeting false positives when looking for
+ * locks-in-use.
+ *
+ * Return values:
+ * %nfs_ok: lockowner released or not found
+ * %nfserr_locks_held: lockowner still in use
+ * %nfserr_stale_clientid: clientid no longer active
+ * %nfserr_expired: clientid not recognized
+ */
__be32
nfsd4_release_lockowner(struct svc_rqst *rqstp,
struct nfsd4_compound_state *cstate,
@@ -7310,7 +7327,7 @@ nfsd4_release_lockowner(struct svc_rqst *rqstp,
lo = find_lockowner_str_locked(clp, &rlockowner->rl_owner);
if (!lo) {
spin_unlock(&clp->cl_lock);
- return status;
+ return nfs_ok;
}
if (atomic_read(&lo->lo_owner.so_count) != 2) {
spin_unlock(&clp->cl_lock);
@@ -7326,11 +7343,11 @@ nfsd4_release_lockowner(struct svc_rqst *rqstp,
put_ol_stateid_locked(stp, &reaplist);
}
spin_unlock(&clp->cl_lock);
+
free_ol_stateid_reaplist(&reaplist);
remove_blocked_locks(lo);
nfs4_put_stateowner(&lo->lo_owner);
-
- return status;
+ return nfs_ok;
}
static inline struct nfs4_client_reclaim *
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 113/476] ksmbd: fix global oob in ksmbd_nl_policy
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 112/476] NFSD: Add documenting comment for nfsd4_release_lockowner() Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 114/476] cpufreq: intel_pstate: Drop redundant intel_pstate_get_hwp_cap() call Greg Kroah-Hartman
` (372 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin Ma, Namjae Jeon, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit ebeae8adf89d9a82359f6659b1663d09beec2faa ]
Similar to a reported issue (check the commit b33fb5b801c6 ("net:
qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds
another global out-of-bounds read for policy ksmbd_nl_policy. See bug
trace below:
==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810
CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x172/0x475 mm/kasan/report.c:395
kasan_report+0xbb/0x1c0 mm/kasan/report.c:495
validate_nla lib/nlattr.c:386 [inline]
__nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
__nla_parse+0x3e/0x50 lib/nlattr.c:697
__nlmsg_parse include/net/netlink.h:748 [inline]
genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565
genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734
genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850
netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540
genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0x154/0x190 net/socket.c:734
____sys_sendmsg+0x6df/0x840 net/socket.c:2482
___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fdd66a8f359
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003
RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000
</TASK>
The buggy address belongs to the variable:
ksmbd_nl_policy+0x100/0xa80
The buggy address belongs to the physical page:
page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b
flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9
^
ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05
ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9
==================================================================
To fix it, add a placeholder named __KSMBD_EVENT_MAX and let
KSMBD_EVENT_MAX to be its original value - 1 according to what other
netlink families do. Also change two sites that refer the
KSMBD_EVENT_MAX to correct value.
Cc: stable@vger.kernel.org
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/ksmbd_netlink.h | 3 ++-
fs/ksmbd/transport_ipc.c | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/ksmbd/ksmbd_netlink.h b/fs/ksmbd/ksmbd_netlink.h
index 821ed8e3cbee..ecffcb8a1557 100644
--- a/fs/ksmbd/ksmbd_netlink.h
+++ b/fs/ksmbd/ksmbd_netlink.h
@@ -304,7 +304,8 @@ enum ksmbd_event {
KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST,
KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE = 15,
- KSMBD_EVENT_MAX
+ __KSMBD_EVENT_MAX,
+ KSMBD_EVENT_MAX = __KSMBD_EVENT_MAX - 1
};
/*
diff --git a/fs/ksmbd/transport_ipc.c b/fs/ksmbd/transport_ipc.c
index 9560c704033e..2c9662e32799 100644
--- a/fs/ksmbd/transport_ipc.c
+++ b/fs/ksmbd/transport_ipc.c
@@ -74,7 +74,7 @@ static int handle_unsupported_event(struct sk_buff *skb, struct genl_info *info)
static int handle_generic_event(struct sk_buff *skb, struct genl_info *info);
static int ksmbd_ipc_heartbeat_request(void);
-static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX] = {
+static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = {
[KSMBD_EVENT_UNSPEC] = {
.len = 0,
},
@@ -402,7 +402,7 @@ static int handle_generic_event(struct sk_buff *skb, struct genl_info *info)
return -EPERM;
#endif
- if (type >= KSMBD_EVENT_MAX) {
+ if (type > KSMBD_EVENT_MAX) {
WARN_ON(1);
return -EINVAL;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 114/476] cpufreq: intel_pstate: Drop redundant intel_pstate_get_hwp_cap() call
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 113/476] ksmbd: fix global oob in ksmbd_nl_policy Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 115/476] cpufreq: intel_pstate: Refine computation of P-state for given frequency Greg Kroah-Hartman
` (371 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 458b03f81afbb27143c45d47c2d8f418b2ba2407 ]
It is not necessary to call intel_pstate_get_hwp_cap() from
intel_pstate_update_perf_limits(), because it gets called from
intel_pstate_verify_cpu_policy() which is either invoked directly
right before intel_pstate_update_perf_limits(), in
intel_cpufreq_verify_policy() in the passive mode, or called
from driver callbacks in a sequence that causes it to be followed
by an immediate intel_pstate_update_perf_limits().
Namely, in the active mode intel_cpufreq_verify_policy() is called
by intel_pstate_verify_policy() which is the ->verify() callback
routine of intel_pstate and gets called by the cpufreq core right
before intel_pstate_set_policy(), which is the driver's ->setoplicy()
callback routine, where intel_pstate_update_perf_limits() is called.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Stable-dep-of: 192cdb1c907f ("cpufreq: intel_pstate: Refine computation of P-state for given frequency")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/intel_pstate.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index 736cb2cfcbb0..f2a94afb6eec 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -2332,18 +2332,14 @@ static void intel_pstate_update_perf_limits(struct cpudata *cpu,
* HWP needs some special consideration, because HWP_REQUEST uses
* abstract values to represent performance rather than pure ratios.
*/
- if (hwp_active) {
- intel_pstate_get_hwp_cap(cpu);
-
- if (cpu->pstate.scaling != perf_ctl_scaling) {
- int scaling = cpu->pstate.scaling;
- int freq;
-
- freq = max_policy_perf * perf_ctl_scaling;
- max_policy_perf = DIV_ROUND_UP(freq, scaling);
- freq = min_policy_perf * perf_ctl_scaling;
- min_policy_perf = DIV_ROUND_UP(freq, scaling);
- }
+ if (hwp_active && cpu->pstate.scaling != perf_ctl_scaling) {
+ int scaling = cpu->pstate.scaling;
+ int freq;
+
+ freq = max_policy_perf * perf_ctl_scaling;
+ max_policy_perf = DIV_ROUND_UP(freq, scaling);
+ freq = min_policy_perf * perf_ctl_scaling;
+ min_policy_perf = DIV_ROUND_UP(freq, scaling);
}
pr_debug("cpu:%d min_policy_perf:%d max_policy_perf:%d\n",
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 115/476] cpufreq: intel_pstate: Refine computation of P-state for given frequency
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 114/476] cpufreq: intel_pstate: Drop redundant intel_pstate_get_hwp_cap() call Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 116/476] drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33] Greg Kroah-Hartman
` (370 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 192cdb1c907fd8df2d764c5bb17496e415e59391 ]
On systems using HWP, if a given frequency is equal to the maximum turbo
frequency or the maximum non-turbo frequency, the HWP performance level
corresponding to it is already known and can be used directly without
any computation.
Accordingly, adjust the code to use the known HWP performance levels in
the cases mentioned above.
This also helps to avoid limiting CPU capacity artificially in some
cases when the BIOS produces the HWP_CAP numbers using a different
E-core-to-P-core performance scaling factor than expected by the kernel.
Fixes: f5c8cf2a4992 ("cpufreq: intel_pstate: hybrid: Use known scaling factor for P-cores")
Cc: 6.1+ <stable@vger.kernel.org> # 6.1+
Tested-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/intel_pstate.c | 55 +++++++++++++++++++++-------------
1 file changed, 34 insertions(+), 21 deletions(-)
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index f2a94afb6eec..dd5f4eee9ffb 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -490,6 +490,30 @@ static inline int intel_pstate_get_cppc_guaranteed(int cpu)
}
#endif /* CONFIG_ACPI_CPPC_LIB */
+static int intel_pstate_freq_to_hwp_rel(struct cpudata *cpu, int freq,
+ unsigned int relation)
+{
+ if (freq == cpu->pstate.turbo_freq)
+ return cpu->pstate.turbo_pstate;
+
+ if (freq == cpu->pstate.max_freq)
+ return cpu->pstate.max_pstate;
+
+ switch (relation) {
+ case CPUFREQ_RELATION_H:
+ return freq / cpu->pstate.scaling;
+ case CPUFREQ_RELATION_C:
+ return DIV_ROUND_CLOSEST(freq, cpu->pstate.scaling);
+ }
+
+ return DIV_ROUND_UP(freq, cpu->pstate.scaling);
+}
+
+static int intel_pstate_freq_to_hwp(struct cpudata *cpu, int freq)
+{
+ return intel_pstate_freq_to_hwp_rel(cpu, freq, CPUFREQ_RELATION_L);
+}
+
/**
* intel_pstate_hybrid_hwp_adjust - Calibrate HWP performance levels.
* @cpu: Target CPU.
@@ -507,6 +531,7 @@ static void intel_pstate_hybrid_hwp_adjust(struct cpudata *cpu)
int perf_ctl_scaling = cpu->pstate.perf_ctl_scaling;
int perf_ctl_turbo = pstate_funcs.get_turbo(cpu->cpu);
int scaling = cpu->pstate.scaling;
+ int freq;
pr_debug("CPU%d: perf_ctl_max_phys = %d\n", cpu->cpu, perf_ctl_max_phys);
pr_debug("CPU%d: perf_ctl_turbo = %d\n", cpu->cpu, perf_ctl_turbo);
@@ -520,16 +545,16 @@ static void intel_pstate_hybrid_hwp_adjust(struct cpudata *cpu)
cpu->pstate.max_freq = rounddown(cpu->pstate.max_pstate * scaling,
perf_ctl_scaling);
- cpu->pstate.max_pstate_physical =
- DIV_ROUND_UP(perf_ctl_max_phys * perf_ctl_scaling,
- scaling);
+ freq = perf_ctl_max_phys * perf_ctl_scaling;
+ cpu->pstate.max_pstate_physical = intel_pstate_freq_to_hwp(cpu, freq);
- cpu->pstate.min_freq = cpu->pstate.min_pstate * perf_ctl_scaling;
+ freq = cpu->pstate.min_pstate * perf_ctl_scaling;
+ cpu->pstate.min_freq = freq;
/*
* Cast the min P-state value retrieved via pstate_funcs.get_min() to
* the effective range of HWP performance levels.
*/
- cpu->pstate.min_pstate = DIV_ROUND_UP(cpu->pstate.min_freq, scaling);
+ cpu->pstate.min_pstate = intel_pstate_freq_to_hwp(cpu, freq);
}
static inline void update_turbo_state(void)
@@ -2333,13 +2358,12 @@ static void intel_pstate_update_perf_limits(struct cpudata *cpu,
* abstract values to represent performance rather than pure ratios.
*/
if (hwp_active && cpu->pstate.scaling != perf_ctl_scaling) {
- int scaling = cpu->pstate.scaling;
int freq;
freq = max_policy_perf * perf_ctl_scaling;
- max_policy_perf = DIV_ROUND_UP(freq, scaling);
+ max_policy_perf = intel_pstate_freq_to_hwp(cpu, freq);
freq = min_policy_perf * perf_ctl_scaling;
- min_policy_perf = DIV_ROUND_UP(freq, scaling);
+ min_policy_perf = intel_pstate_freq_to_hwp(cpu, freq);
}
pr_debug("cpu:%d min_policy_perf:%d max_policy_perf:%d\n",
@@ -2708,18 +2732,7 @@ static int intel_cpufreq_target(struct cpufreq_policy *policy,
cpufreq_freq_transition_begin(policy, &freqs);
- switch (relation) {
- case CPUFREQ_RELATION_L:
- target_pstate = DIV_ROUND_UP(freqs.new, cpu->pstate.scaling);
- break;
- case CPUFREQ_RELATION_H:
- target_pstate = freqs.new / cpu->pstate.scaling;
- break;
- default:
- target_pstate = DIV_ROUND_CLOSEST(freqs.new, cpu->pstate.scaling);
- break;
- }
-
+ target_pstate = intel_pstate_freq_to_hwp_rel(cpu, freqs.new, relation);
target_pstate = intel_cpufreq_update_pstate(policy, target_pstate, false);
freqs.new = target_pstate * cpu->pstate.scaling;
@@ -2737,7 +2750,7 @@ static unsigned int intel_cpufreq_fast_switch(struct cpufreq_policy *policy,
update_turbo_state();
- target_pstate = DIV_ROUND_UP(target_freq, cpu->pstate.scaling);
+ target_pstate = intel_pstate_freq_to_hwp(cpu, target_freq);
target_pstate = intel_cpufreq_update_pstate(policy, target_pstate, true);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 116/476] drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33]
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 115/476] cpufreq: intel_pstate: Refine computation of P-state for given frequency Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 117/476] drm/exynos: fix accidental on-stack copy of exynos_drm_plane Greg Kroah-Hartman
` (369 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Niebel, Alexander Stein,
Sam Ravnborg, Neil Armstrong, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
[ Upstream commit 45dd7df26cee741b31c25ffdd44fb8794eb45ccd ]
The DE signal is active high on this display, fill in the missing
bus_flags. This aligns panel_desc with its display_timing.
Fixes: 9a2654c0f62a ("drm/panel: Add and fill drm_panel type field")
Fixes: b3bfcdf8a3b6 ("drm/panel: simple: add Tianma TM070JVHG33")
Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://lore.kernel.org/r/20231012084208.2731650-1-alexander.stein@ew.tq-group.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20231012084208.2731650-1-alexander.stein@ew.tq-group.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-simple.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
index d9f1675c348e..671bd1d1ad19 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -4173,6 +4173,7 @@ static const struct panel_desc tianma_tm070jdhg30 = {
},
.bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
.connector_type = DRM_MODE_CONNECTOR_LVDS,
+ .bus_flags = DRM_BUS_FLAG_DE_HIGH,
};
static const struct panel_desc tianma_tm070jvhg33 = {
@@ -4185,6 +4186,7 @@ static const struct panel_desc tianma_tm070jvhg33 = {
},
.bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
.connector_type = DRM_MODE_CONNECTOR_LVDS,
+ .bus_flags = DRM_BUS_FLAG_DE_HIGH,
};
static const struct display_timing tianma_tm070rvhg71_timing = {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 117/476] drm/exynos: fix accidental on-stack copy of exynos_drm_plane
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 116/476] drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33] Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 118/476] drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume Greg Kroah-Hartman
` (368 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Marek Szyprowski,
Inki Dae, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 960b537e91725bcb17dd1b19e48950e62d134078 ]
gcc rightfully complains about excessive stack usage in the fimd_win_set_pixfmt()
function:
drivers/gpu/drm/exynos/exynos_drm_fimd.c: In function 'fimd_win_set_pixfmt':
drivers/gpu/drm/exynos/exynos_drm_fimd.c:750:1: error: the frame size of 1032 bytes is larger than 1024 byte
drivers/gpu/drm/exynos/exynos5433_drm_decon.c: In function 'decon_win_set_pixfmt':
drivers/gpu/drm/exynos/exynos5433_drm_decon.c:381:1: error: the frame size of 1032 bytes is larger than 1024 bytes
There is really no reason to copy the large exynos_drm_plane
structure to the stack before using one of its members, so just
use a pointer instead.
Fixes: 6f8ee5c21722 ("drm/exynos: fimd: Make plane alpha configurable")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 4 ++--
drivers/gpu/drm/exynos/exynos_drm_fimd.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c
index b5001db7a95c..2f6a5995b53f 100644
--- a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c
+++ b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c
@@ -317,9 +317,9 @@ static void decon_win_set_bldmod(struct decon_context *ctx, unsigned int win,
static void decon_win_set_pixfmt(struct decon_context *ctx, unsigned int win,
struct drm_framebuffer *fb)
{
- struct exynos_drm_plane plane = ctx->planes[win];
+ struct exynos_drm_plane *plane = &ctx->planes[win];
struct exynos_drm_plane_state *state =
- to_exynos_plane_state(plane.base.state);
+ to_exynos_plane_state(plane->base.state);
unsigned int alpha = state->base.alpha;
unsigned int pixel_alpha;
unsigned long val;
diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
index c735e53939d8..f25e112a92ed 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
@@ -644,9 +644,9 @@ static void fimd_win_set_bldmod(struct fimd_context *ctx, unsigned int win,
static void fimd_win_set_pixfmt(struct fimd_context *ctx, unsigned int win,
struct drm_framebuffer *fb, int width)
{
- struct exynos_drm_plane plane = ctx->planes[win];
+ struct exynos_drm_plane *plane = &ctx->planes[win];
struct exynos_drm_plane_state *state =
- to_exynos_plane_state(plane.base.state);
+ to_exynos_plane_state(plane->base.state);
uint32_t pixel_format = fb->format->format;
unsigned int alpha = state->base.alpha;
u32 val = WINCONx_ENWIN;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 118/476] drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 117/476] drm/exynos: fix accidental on-stack copy of exynos_drm_plane Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 119/476] gpio: eic-sprd: Clear interrupt after set the interrupt type Greg Kroah-Hartman
` (367 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Marek Szyprowski,
Inki Dae, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit 4050957c7c2c14aa795dbf423b4180d5ac04e113 ]
Do not forget to call clk_disable_unprepare() on the first element of
ctx->clocks array.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 8b7d3ec83aba ("drm/exynos: gsc: Convert driver to IPP v2 core API")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_gsc.c b/drivers/gpu/drm/exynos/exynos_drm_gsc.c
index 166a80262896..8c090354fd8a 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_gsc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_gsc.c
@@ -1346,7 +1346,7 @@ static int __maybe_unused gsc_runtime_resume(struct device *dev)
for (i = 0; i < ctx->num_clocks; i++) {
ret = clk_prepare_enable(ctx->clocks[i]);
if (ret) {
- while (--i > 0)
+ while (--i >= 0)
clk_disable_unprepare(ctx->clocks[i]);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 119/476] gpio: eic-sprd: Clear interrupt after set the interrupt type
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 118/476] drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 120/476] block: Move checking GENHD_FL_NO_PART to bdev_add_partition() Greg Kroah-Hartman
` (366 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chunyan Zhang, Wenhua Lin,
Bartosz Golaszewski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenhua Lin <Wenhua.Lin@unisoc.com>
[ Upstream commit 84aef4ed59705585d629e81d633a83b7d416f5fb ]
The raw interrupt status of eic maybe set before the interrupt is enabled,
since the eic interrupt has a latch function, which would trigger the
interrupt event once enabled it from user side. To solve this problem,
interrupts generated before setting the interrupt trigger type are ignored.
Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support")
Acked-by: Chunyan Zhang <zhang.lyra@gmail.com>
Signed-off-by: Wenhua Lin <Wenhua.Lin@unisoc.com>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-eic-sprd.c | 32 ++++++++++++++++++++++++++++----
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/drivers/gpio/gpio-eic-sprd.c b/drivers/gpio/gpio-eic-sprd.c
index 865ab2b34fdd..3dfb8b6c6c71 100644
--- a/drivers/gpio/gpio-eic-sprd.c
+++ b/drivers/gpio/gpio-eic-sprd.c
@@ -318,20 +318,27 @@ static int sprd_eic_irq_set_type(struct irq_data *data, unsigned int flow_type)
switch (flow_type) {
case IRQ_TYPE_LEVEL_HIGH:
sprd_eic_update(chip, offset, SPRD_EIC_DBNC_IEV, 1);
+ sprd_eic_update(chip, offset, SPRD_EIC_DBNC_IC, 1);
break;
case IRQ_TYPE_LEVEL_LOW:
sprd_eic_update(chip, offset, SPRD_EIC_DBNC_IEV, 0);
+ sprd_eic_update(chip, offset, SPRD_EIC_DBNC_IC, 1);
break;
case IRQ_TYPE_EDGE_RISING:
case IRQ_TYPE_EDGE_FALLING:
case IRQ_TYPE_EDGE_BOTH:
state = sprd_eic_get(chip, offset);
- if (state)
+ if (state) {
sprd_eic_update(chip, offset,
SPRD_EIC_DBNC_IEV, 0);
- else
+ sprd_eic_update(chip, offset,
+ SPRD_EIC_DBNC_IC, 1);
+ } else {
sprd_eic_update(chip, offset,
SPRD_EIC_DBNC_IEV, 1);
+ sprd_eic_update(chip, offset,
+ SPRD_EIC_DBNC_IC, 1);
+ }
break;
default:
return -ENOTSUPP;
@@ -343,20 +350,27 @@ static int sprd_eic_irq_set_type(struct irq_data *data, unsigned int flow_type)
switch (flow_type) {
case IRQ_TYPE_LEVEL_HIGH:
sprd_eic_update(chip, offset, SPRD_EIC_LATCH_INTPOL, 0);
+ sprd_eic_update(chip, offset, SPRD_EIC_LATCH_INTCLR, 1);
break;
case IRQ_TYPE_LEVEL_LOW:
sprd_eic_update(chip, offset, SPRD_EIC_LATCH_INTPOL, 1);
+ sprd_eic_update(chip, offset, SPRD_EIC_LATCH_INTCLR, 1);
break;
case IRQ_TYPE_EDGE_RISING:
case IRQ_TYPE_EDGE_FALLING:
case IRQ_TYPE_EDGE_BOTH:
state = sprd_eic_get(chip, offset);
- if (state)
+ if (state) {
sprd_eic_update(chip, offset,
SPRD_EIC_LATCH_INTPOL, 0);
- else
+ sprd_eic_update(chip, offset,
+ SPRD_EIC_LATCH_INTCLR, 1);
+ } else {
sprd_eic_update(chip, offset,
SPRD_EIC_LATCH_INTPOL, 1);
+ sprd_eic_update(chip, offset,
+ SPRD_EIC_LATCH_INTCLR, 1);
+ }
break;
default:
return -ENOTSUPP;
@@ -370,29 +384,34 @@ static int sprd_eic_irq_set_type(struct irq_data *data, unsigned int flow_type)
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTBOTH, 0);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTMODE, 0);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTPOL, 1);
+ sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_edge_irq);
break;
case IRQ_TYPE_EDGE_FALLING:
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTBOTH, 0);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTMODE, 0);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTPOL, 0);
+ sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_edge_irq);
break;
case IRQ_TYPE_EDGE_BOTH:
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTMODE, 0);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTBOTH, 1);
+ sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_edge_irq);
break;
case IRQ_TYPE_LEVEL_HIGH:
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTBOTH, 0);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTMODE, 1);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTPOL, 1);
+ sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_level_irq);
break;
case IRQ_TYPE_LEVEL_LOW:
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTBOTH, 0);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTMODE, 1);
sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTPOL, 0);
+ sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_level_irq);
break;
default:
@@ -405,29 +424,34 @@ static int sprd_eic_irq_set_type(struct irq_data *data, unsigned int flow_type)
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTBOTH, 0);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTMODE, 0);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTPOL, 1);
+ sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_edge_irq);
break;
case IRQ_TYPE_EDGE_FALLING:
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTBOTH, 0);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTMODE, 0);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTPOL, 0);
+ sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_edge_irq);
break;
case IRQ_TYPE_EDGE_BOTH:
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTMODE, 0);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTBOTH, 1);
+ sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_edge_irq);
break;
case IRQ_TYPE_LEVEL_HIGH:
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTBOTH, 0);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTMODE, 1);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTPOL, 1);
+ sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_level_irq);
break;
case IRQ_TYPE_LEVEL_LOW:
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTBOTH, 0);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTMODE, 1);
sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTPOL, 0);
+ sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTCLR, 1);
irq_set_handler_locked(data, handle_level_irq);
break;
default:
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 120/476] block: Move checking GENHD_FL_NO_PART to bdev_add_partition()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 119/476] gpio: eic-sprd: Clear interrupt after set the interrupt type Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 121/476] spi: bcm-qspi: fix SFDP BFPT read by usig mspi read Greg Kroah-Hartman
` (365 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Allison Karlitskaya, Li Lingfeng,
Yu Kuai, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
[ Upstream commit 7777f47f2ea64efd1016262e7b59fab34adfb869 ]
Commit 1a721de8489f ("block: don't add or resize partition on the disk
with GENHD_FL_NO_PART") prevented all operations about partitions on disks
with GENHD_FL_NO_PART in blkpg_do_ioctl() since they are meaningless.
However, it changed error code in some scenarios. So move checking
GENHD_FL_NO_PART to bdev_add_partition() to eliminate impact.
Fixes: 1a721de8489f ("block: don't add or resize partition on the disk with GENHD_FL_NO_PART")
Reported-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Closes: https://lore.kernel.org/all/CAOYeF9VsmqKMcQjo1k6YkGNujwN-nzfxY17N3F-CMikE1tYp+w@mail.gmail.com/
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Link: https://lore.kernel.org/r/20240118130401.792757-1-lilingfeng@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/ioctl.c | 2 --
block/partitions/core.c | 5 +++++
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/block/ioctl.c b/block/ioctl.c
index 0a3cf9aeec7d..7a939c178660 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -20,8 +20,6 @@ static int blkpg_do_ioctl(struct block_device *bdev,
struct blkpg_partition p;
sector_t start, length;
- if (disk->flags & GENHD_FL_NO_PART)
- return -EINVAL;
if (!capable(CAP_SYS_ADMIN))
return -EACCES;
if (copy_from_user(&p, upart, sizeof(struct blkpg_partition)))
diff --git a/block/partitions/core.c b/block/partitions/core.c
index 1ead8c001561..b6a941889bb4 100644
--- a/block/partitions/core.c
+++ b/block/partitions/core.c
@@ -463,6 +463,11 @@ int bdev_add_partition(struct gendisk *disk, int partno, sector_t start,
goto out;
}
+ if (disk->flags & GENHD_FL_NO_PART) {
+ ret = -EINVAL;
+ goto out;
+ }
+
if (partition_overlaps(disk, start, length, -1)) {
ret = -EBUSY;
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 121/476] spi: bcm-qspi: fix SFDP BFPT read by usig mspi read
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 120/476] block: Move checking GENHD_FL_NO_PART to bdev_add_partition() Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 122/476] mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan Greg Kroah-Hartman
` (364 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Florian Fainelli,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kamal.dasu@broadcom.com>
[ Upstream commit 574bf7bbe83794a902679846770f75a9b7f28176 ]
SFDP read shall use the mspi reads when using the bcm_qspi_exec_mem_op()
call. This fixes SFDP parameter page read failures seen with parts that
now use SFDP protocol to read the basic flash parameter table.
Fixes: 5f195ee7d830 ("spi: bcm-qspi: Implement the spi_mem interface")
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://msgid.link/r/20240109210033.43249-1-kamal.dasu@broadcom.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-bcm-qspi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
index c79797c06cda..bca7ac570b94 100644
--- a/drivers/spi/spi-bcm-qspi.c
+++ b/drivers/spi/spi-bcm-qspi.c
@@ -19,7 +19,7 @@
#include <linux/platform_device.h>
#include <linux/slab.h>
#include <linux/spi/spi.h>
-#include <linux/spi/spi-mem.h>
+#include <linux/mtd/spi-nor.h>
#include <linux/sysfs.h>
#include <linux/types.h>
#include "spi-bcm-qspi.h"
@@ -1049,7 +1049,7 @@ static int bcm_qspi_exec_mem_op(struct spi_mem *mem,
/* non-aligned and very short transfers are handled by MSPI */
if (!IS_ALIGNED((uintptr_t)addr, 4) || !IS_ALIGNED((uintptr_t)buf, 4) ||
- len < 4)
+ len < 4 || op->cmd.opcode == SPINOR_OP_RDSFDP)
mspi_read = true;
if (!has_bspi(qspi) || mspi_read)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 122/476] mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 121/476] spi: bcm-qspi: fix SFDP BFPT read by usig mspi read Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 123/476] tick/sched: Preserve number of idle sleeps across CPU hotplug events Greg Kroah-Hartman
` (363 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xi Ruoyao, Thomas Bogendoerfer
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xi Ruoyao <xry111@xry111.site>
commit 59be5c35850171e307ca5d3d703ee9ff4096b948 upstream.
If we still own the FPU after initializing fcr31, when we are preempted
the dirty value in the FPU will be read out and stored into fcr31,
clobbering our setting. This can cause an improper floating-point
environment after execve(). For example:
zsh% cat measure.c
#include <fenv.h>
int main() { return fetestexcept(FE_INEXACT); }
zsh% cc measure.c -o measure -lm
zsh% echo $((1.0/3)) # raising FE_INEXACT
0.33333333333333331
zsh% while ./measure; do ; done
(stopped in seconds)
Call lose_fpu(0) before setting fcr31 to prevent this.
Closes: https://lore.kernel.org/linux-mips/7a6aa1bbdbbe2e63ae96ff163fab0349f58f1b9e.camel@xry111.site/
Fixes: 9b26616c8d9d ("MIPS: Respect the ISA level in FCSR handling")
Cc: stable@vger.kernel.org
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/elf.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/mips/kernel/elf.c
+++ b/arch/mips/kernel/elf.c
@@ -11,6 +11,7 @@
#include <asm/cpu-features.h>
#include <asm/cpu-info.h>
+#include <asm/fpu.h>
#ifdef CONFIG_MIPS_FP_SUPPORT
@@ -309,6 +310,11 @@ void mips_set_personality_nan(struct arc
struct cpuinfo_mips *c = &boot_cpu_data;
struct task_struct *t = current;
+ /* Do this early so t->thread.fpu.fcr31 won't be clobbered in case
+ * we are preempted before the lose_fpu(0) in start_thread.
+ */
+ lose_fpu(0);
+
t->thread.fpu.fcr31 = c->fpu_csr31;
switch (state->nan_2008) {
case 0:
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 123/476] tick/sched: Preserve number of idle sleeps across CPU hotplug events
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 122/476] mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 124/476] x86/entry/ia32: Ensure s32 is sign extended to s64 Greg Kroah-Hartman
` (362 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tim Chen, Thomas Gleixner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Chen <tim.c.chen@linux.intel.com>
commit 9a574ea9069be30b835a3da772c039993c43369b upstream.
Commit 71fee48f ("tick-sched: Fix idle and iowait sleeptime accounting vs
CPU hotplug") preserved total idle sleep time and iowait sleeptime across
CPU hotplug events.
Similar reasoning applies to the number of idle calls and idle sleeps to
get the proper average of sleep time per idle invocation.
Preserve those fields too.
Fixes: 71fee48f ("tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug")
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240122233534.3094238-1-tim.c.chen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/tick-sched.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -1529,6 +1529,7 @@ void tick_cancel_sched_timer(int cpu)
{
struct tick_sched *ts = &per_cpu(tick_cpu_sched, cpu);
ktime_t idle_sleeptime, iowait_sleeptime;
+ unsigned long idle_calls, idle_sleeps;
# ifdef CONFIG_HIGH_RES_TIMERS
if (ts->sched_timer.base)
@@ -1537,9 +1538,13 @@ void tick_cancel_sched_timer(int cpu)
idle_sleeptime = ts->idle_sleeptime;
iowait_sleeptime = ts->iowait_sleeptime;
+ idle_calls = ts->idle_calls;
+ idle_sleeps = ts->idle_sleeps;
memset(ts, 0, sizeof(*ts));
ts->idle_sleeptime = idle_sleeptime;
ts->iowait_sleeptime = iowait_sleeptime;
+ ts->idle_calls = idle_calls;
+ ts->idle_sleeps = idle_sleeps;
}
#endif
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 124/476] x86/entry/ia32: Ensure s32 is sign extended to s64
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 123/476] tick/sched: Preserve number of idle sleeps across CPU hotplug events Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 125/476] powerpc/mm: Fix null-pointer dereference in pgtable_cache_add Greg Kroah-Hartman
` (361 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Richard Palethorpe,
Nikolay Borisov, Thomas Gleixner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Palethorpe <rpalethorpe@suse.com>
commit 56062d60f117dccfb5281869e0ab61e090baf864 upstream.
Presently ia32 registers stored in ptregs are unconditionally cast to
unsigned int by the ia32 stub. They are then cast to long when passed to
__se_sys*, but will not be sign extended.
This takes the sign of the syscall argument into account in the ia32
stub. It still casts to unsigned int to avoid implementation specific
behavior. However then casts to int or unsigned int as necessary. So that
the following cast to long sign extends the value.
This fixes the io_pgetevents02 LTP test when compiled with -m32. Presently
the systemcall io_pgetevents_time64() unexpectedly accepts -1 for the
maximum number of events.
It doesn't appear other systemcalls with signed arguments are effected
because they all have compat variants defined and wired up.
Fixes: ebeb8c82ffaf ("syscalls/x86: Use 'struct pt_regs' based syscall calling for IA32_EMULATION and x32")
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240110130122.3836513-1-nik.borisov@suse.com
Link: https://lore.kernel.org/ltp/20210921130127.24131-1-rpalethorpe@suse.com/
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/syscall_wrapper.h | 25 +++++++++++++++++++++----
include/linux/syscalls.h | 1 +
2 files changed, 22 insertions(+), 4 deletions(-)
--- a/arch/x86/include/asm/syscall_wrapper.h
+++ b/arch/x86/include/asm/syscall_wrapper.h
@@ -58,12 +58,29 @@ extern long __ia32_sys_ni_syscall(const
,,regs->di,,regs->si,,regs->dx \
,,regs->r10,,regs->r8,,regs->r9) \
+
+/* SYSCALL_PT_ARGS is Adapted from s390x */
+#define SYSCALL_PT_ARG6(m, t1, t2, t3, t4, t5, t6) \
+ SYSCALL_PT_ARG5(m, t1, t2, t3, t4, t5), m(t6, (regs->bp))
+#define SYSCALL_PT_ARG5(m, t1, t2, t3, t4, t5) \
+ SYSCALL_PT_ARG4(m, t1, t2, t3, t4), m(t5, (regs->di))
+#define SYSCALL_PT_ARG4(m, t1, t2, t3, t4) \
+ SYSCALL_PT_ARG3(m, t1, t2, t3), m(t4, (regs->si))
+#define SYSCALL_PT_ARG3(m, t1, t2, t3) \
+ SYSCALL_PT_ARG2(m, t1, t2), m(t3, (regs->dx))
+#define SYSCALL_PT_ARG2(m, t1, t2) \
+ SYSCALL_PT_ARG1(m, t1), m(t2, (regs->cx))
+#define SYSCALL_PT_ARG1(m, t1) m(t1, (regs->bx))
+#define SYSCALL_PT_ARGS(x, ...) SYSCALL_PT_ARG##x(__VA_ARGS__)
+
+#define __SC_COMPAT_CAST(t, a) \
+ (__typeof(__builtin_choose_expr(__TYPE_IS_L(t), 0, 0U))) \
+ (unsigned int)a
+
/* Mapping of registers to parameters for syscalls on i386 */
#define SC_IA32_REGS_TO_ARGS(x, ...) \
- __MAP(x,__SC_ARGS \
- ,,(unsigned int)regs->bx,,(unsigned int)regs->cx \
- ,,(unsigned int)regs->dx,,(unsigned int)regs->si \
- ,,(unsigned int)regs->di,,(unsigned int)regs->bp)
+ SYSCALL_PT_ARGS(x, __SC_COMPAT_CAST, \
+ __MAP(x, __SC_TYPE, __VA_ARGS__)) \
#define __SYS_STUB0(abi, name) \
long __##abi##_##name(const struct pt_regs *regs); \
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -122,6 +122,7 @@ enum landlock_rule_type;
#define __TYPE_IS_LL(t) (__TYPE_AS(t, 0LL) || __TYPE_AS(t, 0ULL))
#define __SC_LONG(t, a) __typeof(__builtin_choose_expr(__TYPE_IS_LL(t), 0LL, 0L)) a
#define __SC_CAST(t, a) (__force t) a
+#define __SC_TYPE(t, a) t
#define __SC_ARGS(t, a) a
#define __SC_TEST(t, a) (void)BUILD_BUG_ON_ZERO(!__TYPE_IS_LL(t) && sizeof(t) > sizeof(long))
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 125/476] powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 124/476] x86/entry/ia32: Ensure s32 is sign extended to s64 Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 126/476] arm64: irq: set the correct node for VMAP stack Greg Kroah-Hartman
` (360 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Michael Ellerman,
Kunwu Chan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunwu Chan <chentao@kylinos.cn>
[ Upstream commit f46c8a75263f97bda13c739ba1c90aced0d3b071 ]
kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.
Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231204023223.2447523-1-chentao@kylinos.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/mm/init-common.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/mm/init-common.c b/arch/powerpc/mm/init-common.c
index 3a82f89827a5..4bc8f0c893a2 100644
--- a/arch/powerpc/mm/init-common.c
+++ b/arch/powerpc/mm/init-common.c
@@ -105,7 +105,7 @@ void pgtable_cache_add(unsigned int shift)
* as to leave enough 0 bits in the address to contain it. */
unsigned long minalign = max(MAX_PGTABLE_INDEX_SIZE + 1,
HUGEPD_SHIFT_MASK + 1);
- struct kmem_cache *new;
+ struct kmem_cache *new = NULL;
/* It would be nice if this was a BUILD_BUG_ON(), but at the
* moment, gcc doesn't seem to recognize is_power_of_2 as a
@@ -118,7 +118,8 @@ void pgtable_cache_add(unsigned int shift)
align = max_t(unsigned long, align, minalign);
name = kasprintf(GFP_KERNEL, "pgtable-2^%d", shift);
- new = kmem_cache_create(name, table_size, align, 0, ctor(shift));
+ if (name)
+ new = kmem_cache_create(name, table_size, align, 0, ctor(shift));
if (!new)
panic("Could not allocate pgtable cache for order %d", shift);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 126/476] arm64: irq: set the correct node for VMAP stack
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 125/476] powerpc/mm: Fix null-pointer dereference in pgtable_cache_add Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 127/476] drivers/perf: pmuv3: dont expose SW_INCR event in sysfs Greg Kroah-Hartman
` (359 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Catalin Marinas, Huang Shijie,
Will Deacon, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang Shijie <shijie@os.amperecomputing.com>
[ Upstream commit 75b5e0bf90bffaca4b1f19114065dc59f5cc161f ]
In current code, init_irq_stacks() will call cpu_to_node().
The cpu_to_node() depends on percpu "numa_node" which is initialized in:
arch_call_rest_init() --> rest_init() -- kernel_init()
--> kernel_init_freeable() --> smp_prepare_cpus()
But init_irq_stacks() is called in init_IRQ() which is before
arch_call_rest_init().
So in init_irq_stacks(), the cpu_to_node() does not work, it
always return 0. In NUMA, it makes the node 1 cpu accesses the IRQ stack which
is in the node 0.
This patch fixes it by:
1.) export the early_cpu_to_node(), and use it in the init_irq_stacks().
2.) change init_irq_stacks() to __init function.
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Huang Shijie <shijie@os.amperecomputing.com>
Link: https://lore.kernel.org/r/20231124031513.81548-1-shijie@os.amperecomputing.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/irq.c | 5 +++--
drivers/base/arch_numa.c | 2 +-
include/asm-generic/numa.h | 2 ++
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kernel/irq.c b/arch/arm64/kernel/irq.c
index bda49430c9ea..dab45f19df49 100644
--- a/arch/arm64/kernel/irq.c
+++ b/arch/arm64/kernel/irq.c
@@ -19,6 +19,7 @@
#include <linux/kprobes.h>
#include <linux/scs.h>
#include <linux/seq_file.h>
+#include <asm/numa.h>
#include <linux/vmalloc.h>
#include <asm/daifflags.h>
#include <asm/vmap_stack.h>
@@ -48,13 +49,13 @@ static void init_irq_scs(void)
}
#ifdef CONFIG_VMAP_STACK
-static void init_irq_stacks(void)
+static void __init init_irq_stacks(void)
{
int cpu;
unsigned long *p;
for_each_possible_cpu(cpu) {
- p = arch_alloc_vmap_stack(IRQ_STACK_SIZE, cpu_to_node(cpu));
+ p = arch_alloc_vmap_stack(IRQ_STACK_SIZE, early_cpu_to_node(cpu));
per_cpu(irq_stack_ptr, cpu) = p;
}
}
diff --git a/drivers/base/arch_numa.c b/drivers/base/arch_numa.c
index 00fb4120a5b3..bce0902dccb4 100644
--- a/drivers/base/arch_numa.c
+++ b/drivers/base/arch_numa.c
@@ -144,7 +144,7 @@ void __init early_map_cpu_to_node(unsigned int cpu, int nid)
unsigned long __per_cpu_offset[NR_CPUS] __read_mostly;
EXPORT_SYMBOL(__per_cpu_offset);
-static int __init early_cpu_to_node(int cpu)
+int __init early_cpu_to_node(int cpu)
{
return cpu_to_node_map[cpu];
}
diff --git a/include/asm-generic/numa.h b/include/asm-generic/numa.h
index 1a3ad6d29833..c32e0cf23c90 100644
--- a/include/asm-generic/numa.h
+++ b/include/asm-generic/numa.h
@@ -35,6 +35,7 @@ int __init numa_add_memblk(int nodeid, u64 start, u64 end);
void __init numa_set_distance(int from, int to, int distance);
void __init numa_free_distance(void);
void __init early_map_cpu_to_node(unsigned int cpu, int nid);
+int __init early_cpu_to_node(int cpu);
void numa_store_cpu_info(unsigned int cpu);
void numa_add_cpu(unsigned int cpu);
void numa_remove_cpu(unsigned int cpu);
@@ -46,6 +47,7 @@ static inline void numa_add_cpu(unsigned int cpu) { }
static inline void numa_remove_cpu(unsigned int cpu) { }
static inline void arch_numa_init(void) { }
static inline void early_map_cpu_to_node(unsigned int cpu, int nid) { }
+static inline int early_cpu_to_node(int cpu) { return 0; }
#endif /* CONFIG_NUMA */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 127/476] drivers/perf: pmuv3: dont expose SW_INCR event in sysfs
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 126/476] arm64: irq: set the correct node for VMAP stack Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 128/476] powerpc: Fix build error due to is_valid_bugaddr() Greg Kroah-Hartman
` (358 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Will Deacon, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit ca6f537e459e2da4b331fe8928d1a0b0f9301f42 ]
The SW_INCR event is somewhat unusual, and depends on the specific HW
counter that it is programmed into. When programmed into PMEVCNTR<n>,
SW_INCR will count any writes to PMSWINC_EL0 with bit n set, ignoring
writes to SW_INCR with bit n clear.
Event rotation means that there's no fixed relationship between
perf_events and HW counters, so this isn't all that useful.
Further, we program PMUSERENR.{SW,EN}=={0,0}, which causes EL0 writes to
PMSWINC_EL0 to be trapped and handled as UNDEFINED, resulting in a
SIGILL to userspace.
Given that, it's not a good idea to expose SW_INCR in sysfs. Hide it as
we did for CHAIN back in commit:
4ba2578fa7b55701 ("arm64: perf: don't expose CHAIN event in sysfs")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20231204115847.2993026-1-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/perf_event.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
index b4044469527e..c77b9460d63e 100644
--- a/arch/arm64/kernel/perf_event.c
+++ b/arch/arm64/kernel/perf_event.c
@@ -168,7 +168,11 @@ armv8pmu_events_sysfs_show(struct device *dev,
PMU_EVENT_ATTR_ID(name, armv8pmu_events_sysfs_show, config)
static struct attribute *armv8_pmuv3_event_attrs[] = {
- ARMV8_EVENT_ATTR(sw_incr, ARMV8_PMUV3_PERFCTR_SW_INCR),
+ /*
+ * Don't expose the sw_incr event in /sys. It's not usable as writes to
+ * PMSWINC_EL0 will trap as PMUSERENR.{SW,EN}=={0,0} and event rotation
+ * means we don't have a fixed event<->counter relationship regardless.
+ */
ARMV8_EVENT_ATTR(l1i_cache_refill, ARMV8_PMUV3_PERFCTR_L1I_CACHE_REFILL),
ARMV8_EVENT_ATTR(l1i_tlb_refill, ARMV8_PMUV3_PERFCTR_L1I_TLB_REFILL),
ARMV8_EVENT_ATTR(l1d_cache_refill, ARMV8_PMUV3_PERFCTR_L1D_CACHE_REFILL),
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 128/476] powerpc: Fix build error due to is_valid_bugaddr()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 127/476] drivers/perf: pmuv3: dont expose SW_INCR event in sysfs Greg Kroah-Hartman
@ 2024-02-21 13:02 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 129/476] powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() Greg Kroah-Hartman
` (357 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Ellerman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
[ Upstream commit f8d3555355653848082c351fa90775214fb8a4fa ]
With CONFIG_GENERIC_BUG=n the build fails with:
arch/powerpc/kernel/traps.c:1442:5: error: no previous prototype for ‘is_valid_bugaddr’ [-Werror=missing-prototypes]
1442 | int is_valid_bugaddr(unsigned long addr)
| ^~~~~~~~~~~~~~~~
The prototype is only defined, and the function is only needed, when
CONFIG_GENERIC_BUG=y, so move the implementation under that.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231130114433.3053544-2-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/traps.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
index fe912983ced9..f1a2a75c4757 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -1423,10 +1423,12 @@ static int emulate_instruction(struct pt_regs *regs)
return -EINVAL;
}
+#ifdef CONFIG_GENERIC_BUG
int is_valid_bugaddr(unsigned long addr)
{
return is_kernel_addr(addr);
}
+#endif
#ifdef CONFIG_MATH_EMULATION
static int emulate_math(struct pt_regs *regs)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 129/476] powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2024-02-21 13:02 ` [PATCH 5.15 128/476] powerpc: Fix build error due to is_valid_bugaddr() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 130/476] powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping() Greg Kroah-Hartman
` (356 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Ellerman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
[ Upstream commit d8c3f243d4db24675b653f0568bb65dae34e6455 ]
With NUMA=n and FA_DUMP=y or PRESERVE_FA_DUMP=y the build fails with:
arch/powerpc/kernel/fadump.c:1739:22: error: no previous prototype for ‘arch_reserved_kernel_pages’ [-Werror=missing-prototypes]
1739 | unsigned long __init arch_reserved_kernel_pages(void)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
The prototype for arch_reserved_kernel_pages() is in include/linux/mm.h,
but it's guarded by __HAVE_ARCH_RESERVED_KERNEL_PAGES. The powerpc
headers define __HAVE_ARCH_RESERVED_KERNEL_PAGES in asm/mmzone.h, which
is not included into the generic headers when NUMA=n.
Move the definition of __HAVE_ARCH_RESERVED_KERNEL_PAGES into asm/mmu.h
which is included regardless of NUMA=n.
Additionally the ifdef around __HAVE_ARCH_RESERVED_KERNEL_PAGES needs to
also check for CONFIG_PRESERVE_FA_DUMP.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231130114433.3053544-1-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/mmu.h | 4 ++++
arch/powerpc/include/asm/mmzone.h | 3 ---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/include/asm/mmu.h b/arch/powerpc/include/asm/mmu.h
index 8abe8e42e045..de0bb77f54e0 100644
--- a/arch/powerpc/include/asm/mmu.h
+++ b/arch/powerpc/include/asm/mmu.h
@@ -416,5 +416,9 @@ extern void *abatron_pteptrs[2];
#include <asm/nohash/mmu.h>
#endif
+#if defined(CONFIG_FA_DUMP) || defined(CONFIG_PRESERVE_FA_DUMP)
+#define __HAVE_ARCH_RESERVED_KERNEL_PAGES
+#endif
+
#endif /* __KERNEL__ */
#endif /* _ASM_POWERPC_MMU_H_ */
diff --git a/arch/powerpc/include/asm/mmzone.h b/arch/powerpc/include/asm/mmzone.h
index 4c6c6dbd182f..3764d3585d30 100644
--- a/arch/powerpc/include/asm/mmzone.h
+++ b/arch/powerpc/include/asm/mmzone.h
@@ -42,9 +42,6 @@ u64 memory_hotplug_max(void);
#else
#define memory_hotplug_max() memblock_end_of_DRAM()
#endif /* CONFIG_NUMA */
-#ifdef CONFIG_FA_DUMP
-#define __HAVE_ARCH_RESERVED_KERNEL_PAGES
-#endif
#ifdef CONFIG_MEMORY_HOTPLUG
extern int create_section_mapping(unsigned long start, unsigned long end,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 130/476] powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 129/476] powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 131/476] x86/boot: Ignore NMIs during very early boot Greg Kroah-Hartman
` (355 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Ellerman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
[ Upstream commit ede66cd22441820cbd399936bf84fdc4294bc7fa ]
With CONFIG_NUMA=n the build fails with:
arch/powerpc/mm/book3s64/pgtable.c:275:15: error: no previous prototype for ‘create_section_mapping’ [-Werror=missing-prototypes]
275 | int __meminit create_section_mapping(unsigned long start, unsigned long end,
| ^~~~~~~~~~~~~~~~~~~~~~
That happens because the prototype for create_section_mapping() is in
asm/mmzone.h, but asm/mmzone.h is only included by linux/mmzone.h
when CONFIG_NUMA=y.
In fact the prototype is only needed by arch/powerpc/mm code, so move
the prototype into arch/powerpc/mm/mmu_decl.h, which also fixes the
build error.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231129131919.2528517-5-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/mmzone.h | 5 -----
arch/powerpc/mm/mmu_decl.h | 5 +++++
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/powerpc/include/asm/mmzone.h b/arch/powerpc/include/asm/mmzone.h
index 3764d3585d30..da827d2d0866 100644
--- a/arch/powerpc/include/asm/mmzone.h
+++ b/arch/powerpc/include/asm/mmzone.h
@@ -43,10 +43,5 @@ u64 memory_hotplug_max(void);
#define memory_hotplug_max() memblock_end_of_DRAM()
#endif /* CONFIG_NUMA */
-#ifdef CONFIG_MEMORY_HOTPLUG
-extern int create_section_mapping(unsigned long start, unsigned long end,
- int nid, pgprot_t prot);
-#endif
-
#endif /* __KERNEL__ */
#endif /* _ASM_MMZONE_H_ */
diff --git a/arch/powerpc/mm/mmu_decl.h b/arch/powerpc/mm/mmu_decl.h
index dd1cabc2ea0f..21996b9e0a64 100644
--- a/arch/powerpc/mm/mmu_decl.h
+++ b/arch/powerpc/mm/mmu_decl.h
@@ -190,3 +190,8 @@ static inline bool debug_pagealloc_enabled_or_kfence(void)
{
return IS_ENABLED(CONFIG_KFENCE) || debug_pagealloc_enabled();
}
+
+#ifdef CONFIG_MEMORY_HOTPLUG
+int create_section_mapping(unsigned long start, unsigned long end,
+ int nid, pgprot_t prot);
+#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 131/476] x86/boot: Ignore NMIs during very early boot
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 130/476] powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 132/476] powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE Greg Kroah-Hartman
` (354 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junichi Nomura, Derek Barbosa,
Ingo Molnar, Kees Cook, Linus Torvalds, Paul E. McKenney,
Andy Lutomirski, H. Peter Anvin, Peter Zijlstra, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jun'ichi Nomura <junichi.nomura@nec.com>
[ Upstream commit 78a509fba9c9b1fcb77f95b7c6be30da3d24823a ]
When there are two racing NMIs on x86, the first NMI invokes NMI handler and
the 2nd NMI is latched until IRET is executed.
If panic on NMI and panic kexec are enabled, the first NMI triggers
panic and starts booting the next kernel via kexec. Note that the 2nd
NMI is still latched. During the early boot of the next kernel, once
an IRET is executed as a result of a page fault, then the 2nd NMI is
unlatched and invokes the NMI handler.
However, NMI handler is not set up at the early stage of boot, which
results in a boot failure.
Avoid such problems by setting up a NOP handler for early NMIs.
[ mingo: Refined the changelog. ]
Signed-off-by: Jun'ichi Nomura <junichi.nomura@nec.com>
Signed-off-by: Derek Barbosa <debarbos@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/boot/compressed/ident_map_64.c | 5 +++++
arch/x86/boot/compressed/idt_64.c | 1 +
arch/x86/boot/compressed/idt_handlers_64.S | 1 +
arch/x86/boot/compressed/misc.h | 1 +
4 files changed, 8 insertions(+)
diff --git a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/compressed/ident_map_64.c
index 575d881ff86e..b72dea92cd96 100644
--- a/arch/x86/boot/compressed/ident_map_64.c
+++ b/arch/x86/boot/compressed/ident_map_64.c
@@ -357,3 +357,8 @@ void do_boot_page_fault(struct pt_regs *regs, unsigned long error_code)
*/
add_identity_map(address, end);
}
+
+void do_boot_nmi_trap(struct pt_regs *regs, unsigned long error_code)
+{
+ /* Empty handler to ignore NMI during early boot */
+}
diff --git a/arch/x86/boot/compressed/idt_64.c b/arch/x86/boot/compressed/idt_64.c
index 9b93567d663a..9620883485ac 100644
--- a/arch/x86/boot/compressed/idt_64.c
+++ b/arch/x86/boot/compressed/idt_64.c
@@ -45,6 +45,7 @@ void load_stage2_idt(void)
boot_idt_desc.address = (unsigned long)boot_idt;
set_idt_entry(X86_TRAP_PF, boot_page_fault);
+ set_idt_entry(X86_TRAP_NMI, boot_nmi_trap);
#ifdef CONFIG_AMD_MEM_ENCRYPT
set_idt_entry(X86_TRAP_VC, boot_stage2_vc);
diff --git a/arch/x86/boot/compressed/idt_handlers_64.S b/arch/x86/boot/compressed/idt_handlers_64.S
index 22890e199f5b..4d03c8562f63 100644
--- a/arch/x86/boot/compressed/idt_handlers_64.S
+++ b/arch/x86/boot/compressed/idt_handlers_64.S
@@ -70,6 +70,7 @@ SYM_FUNC_END(\name)
.code64
EXCEPTION_HANDLER boot_page_fault do_boot_page_fault error_code=1
+EXCEPTION_HANDLER boot_nmi_trap do_boot_nmi_trap error_code=0
#ifdef CONFIG_AMD_MEM_ENCRYPT
EXCEPTION_HANDLER boot_stage1_vc do_vc_no_ghcb error_code=1
diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
index 31139256859f..cea1b96c48b2 100644
--- a/arch/x86/boot/compressed/misc.h
+++ b/arch/x86/boot/compressed/misc.h
@@ -163,6 +163,7 @@ static inline void cleanup_exception_handling(void) { }
/* IDT Entry Points */
void boot_page_fault(void);
+void boot_nmi_trap(void);
void boot_stage1_vc(void);
void boot_stage2_vc(void);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 132/476] powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 131/476] x86/boot: Ignore NMIs during very early boot Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 133/476] powerpc/lib: Validate size for vector operations Greg Kroah-Hartman
` (353 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Michael Ellerman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Rothwell <sfr@canb.auug.org.au>
[ Upstream commit 0d555b57ee660d8a871781c0eebf006e855e918d ]
The linux-next build of powerpc64 allnoconfig fails with:
arch/powerpc/mm/book3s64/pgtable.c:557:5: error: no previous prototype for 'pmd_move_must_withdraw'
557 | int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl,
| ^~~~~~~~~~~~~~~~~~~~~~
Caused by commit:
c6345dfa6e3e ("Makefile.extrawarn: turn on missing-prototypes globally")
Fix it by moving the function definition under
CONFIG_TRANSPARENT_HUGEPAGE like the prototype. The function is only
called when CONFIG_TRANSPARENT_HUGEPAGE=y.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
[mpe: Flesh out change log from linux-next patch]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231127132809.45c2b398@canb.auug.org.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/mm/book3s64/pgtable.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c
index 9e16c7b1a6c5..da15f28c7b13 100644
--- a/arch/powerpc/mm/book3s64/pgtable.c
+++ b/arch/powerpc/mm/book3s64/pgtable.c
@@ -459,6 +459,7 @@ void ptep_modify_prot_commit(struct vm_area_struct *vma, unsigned long addr,
set_pte_at(vma->vm_mm, addr, ptep, pte);
}
+#ifdef CONFIG_TRANSPARENT_HUGEPAGE
/*
* For hash translation mode, we use the deposited table to store hash slot
* information and they are stored at PTRS_PER_PMD offset from related pmd
@@ -480,6 +481,7 @@ int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl,
return true;
}
+#endif
/*
* Does the CPU support tlbie?
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 133/476] powerpc/lib: Validate size for vector operations
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 132/476] powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 134/476] x86/mce: Mark fatal MCEs page as poison to avoid panic in the kdump kernel Greg Kroah-Hartman
` (352 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naveen N Rao, Gustavo A. R. Silva,
Michael Ellerman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naveen N Rao <naveen@kernel.org>
[ Upstream commit 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 ]
Some of the fp/vmx code in sstep.c assume a certain maximum size for the
instructions being emulated. The size of those operations however is
determined separately in analyse_instr().
Add a check to validate the assumption on the maximum size of the
operations, so as to prevent any unintended kernel stack corruption.
Signed-off-by: Naveen N Rao <naveen@kernel.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Build-tested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231123071705.397625-1-naveen@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/lib/sstep.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
index 2d39b7c246e3..ecc2e06854d7 100644
--- a/arch/powerpc/lib/sstep.c
+++ b/arch/powerpc/lib/sstep.c
@@ -529,6 +529,8 @@ static int do_fp_load(struct instruction_op *op, unsigned long ea,
} u;
nb = GETSIZE(op->type);
+ if (nb > sizeof(u))
+ return -EINVAL;
if (!address_ok(regs, ea, nb))
return -EFAULT;
rn = op->reg;
@@ -579,6 +581,8 @@ static int do_fp_store(struct instruction_op *op, unsigned long ea,
} u;
nb = GETSIZE(op->type);
+ if (nb > sizeof(u))
+ return -EINVAL;
if (!address_ok(regs, ea, nb))
return -EFAULT;
rn = op->reg;
@@ -623,6 +627,9 @@ static nokprobe_inline int do_vec_load(int rn, unsigned long ea,
u8 b[sizeof(__vector128)];
} u = {};
+ if (size > sizeof(u))
+ return -EINVAL;
+
if (!address_ok(regs, ea & ~0xfUL, 16))
return -EFAULT;
/* align to multiple of size */
@@ -650,6 +657,9 @@ static nokprobe_inline int do_vec_store(int rn, unsigned long ea,
u8 b[sizeof(__vector128)];
} u;
+ if (size > sizeof(u))
+ return -EINVAL;
+
if (!address_ok(regs, ea & ~0xfUL, 16))
return -EFAULT;
/* align to multiple of size */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 134/476] x86/mce: Mark fatal MCEs page as poison to avoid panic in the kdump kernel
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 133/476] powerpc/lib: Validate size for vector operations Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 135/476] perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file Greg Kroah-Hartman
` (351 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youquan Song, Zhiquan Li,
Borislav Petkov (AMD),
Naoya Horiguchi, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiquan Li <zhiquan1.li@intel.com>
[ Upstream commit 9f3b130048bfa2e44a8cfb1b616f826d9d5d8188 ]
Memory errors don't happen very often, especially fatal ones. However,
in large-scale scenarios such as data centers, that probability
increases with the amount of machines present.
When a fatal machine check happens, mce_panic() is called based on the
severity grading of that error. The page containing the error is not
marked as poison.
However, when kexec is enabled, tools like makedumpfile understand when
pages are marked as poison and do not touch them so as not to cause
a fatal machine check exception again while dumping the previous
kernel's memory.
Therefore, mark the page containing the error as poisoned so that the
kexec'ed kernel can avoid accessing the page.
[ bp: Rewrite commit message and comment. ]
Co-developed-by: Youquan Song <youquan.song@intel.com>
Signed-off-by: Youquan Song <youquan.song@intel.com>
Signed-off-by: Zhiquan Li <zhiquan1.li@intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Link: https://lore.kernel.org/r/20231014051754.3759099-1-zhiquan1.li@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/mce/core.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
index a0727723676b..eb48729e220e 100644
--- a/arch/x86/kernel/cpu/mce/core.c
+++ b/arch/x86/kernel/cpu/mce/core.c
@@ -44,6 +44,7 @@
#include <linux/sync_core.h>
#include <linux/task_work.h>
#include <linux/hardirq.h>
+#include <linux/kexec.h>
#include <asm/intel-family.h>
#include <asm/processor.h>
@@ -274,6 +275,7 @@ static noinstr void mce_panic(const char *msg, struct mce *final, char *exp)
struct llist_node *pending;
struct mce_evt_llist *l;
int apei_err = 0;
+ struct page *p;
/*
* Allow instrumentation around external facilities usage. Not that it
@@ -329,6 +331,20 @@ static noinstr void mce_panic(const char *msg, struct mce *final, char *exp)
if (!fake_panic) {
if (panic_timeout == 0)
panic_timeout = mca_cfg.panic_timeout;
+
+ /*
+ * Kdump skips the poisoned page in order to avoid
+ * touching the error bits again. Poison the page even
+ * if the error is fatal and the machine is about to
+ * panic.
+ */
+ if (kexec_crash_loaded()) {
+ if (final && (final->status & MCI_STATUS_ADDRV)) {
+ p = pfn_to_online_page(final->addr >> PAGE_SHIFT);
+ if (p)
+ SetPageHWPoison(p);
+ }
+ }
panic(msg);
} else
pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 135/476] perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 134/476] x86/mce: Mark fatal MCEs page as poison to avoid panic in the kdump kernel Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 136/476] debugobjects: Stop accessing objects after releasing hash bucket lock Greg Kroah-Hartman
` (350 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg KH <gregkh@linuxfoundation.org>
[ Upstream commit 652ffc2104ec1f69dd4a46313888c33527145ccf ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/2023061204-decal-flyable-6090@gregkh
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 40 ++++++++++++++++++++++++++++------------
1 file changed, 28 insertions(+), 12 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index ada7ef0eb639..0e03afd82348 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11220,9 +11220,32 @@ static DEVICE_ATTR_RW(perf_event_mux_interval_ms);
static struct attribute *pmu_dev_attrs[] = {
&dev_attr_type.attr,
&dev_attr_perf_event_mux_interval_ms.attr,
+ &dev_attr_nr_addr_filters.attr,
+ NULL,
+};
+
+static umode_t pmu_dev_is_visible(struct kobject *kobj, struct attribute *a, int n)
+{
+ struct device *dev = kobj_to_dev(kobj);
+ struct pmu *pmu = dev_get_drvdata(dev);
+
+ if (!pmu->nr_addr_filters)
+ return 0;
+
+ return a->mode;
+
+ return 0;
+}
+
+static struct attribute_group pmu_dev_attr_group = {
+ .is_visible = pmu_dev_is_visible,
+ .attrs = pmu_dev_attrs,
+};
+
+static const struct attribute_group *pmu_dev_groups[] = {
+ &pmu_dev_attr_group,
NULL,
};
-ATTRIBUTE_GROUPS(pmu_dev);
static int pmu_bus_running;
static struct bus_type pmu_bus = {
@@ -11258,18 +11281,11 @@ static int pmu_dev_alloc(struct pmu *pmu)
if (ret)
goto free_dev;
- /* For PMUs with address filters, throw in an extra attribute: */
- if (pmu->nr_addr_filters)
- ret = device_create_file(pmu->dev, &dev_attr_nr_addr_filters);
-
- if (ret)
- goto del_dev;
-
- if (pmu->attr_update)
+ if (pmu->attr_update) {
ret = sysfs_update_groups(&pmu->dev->kobj, pmu->attr_update);
-
- if (ret)
- goto del_dev;
+ if (ret)
+ goto del_dev;
+ }
out:
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 136/476] debugobjects: Stop accessing objects after releasing hash bucket lock
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 135/476] perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 137/476] regulator: core: Only increment use_count when enable_count changes Greg Kroah-Hartman
` (349 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrzej Hajda, Thomas Gleixner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrzej Hajda <andrzej.hajda@intel.com>
[ Upstream commit 9bb6362652f3f4d74a87d572a91ee1b38e673ef6 ]
After release of the hashbucket lock the tracking object can be modified or
freed by a concurrent thread. Using it in such a case is error prone, even
for printing the object state:
1. T1 tries to deactivate destroyed object, debugobjects detects it,
hash bucket lock is released.
2. T2 preempts T1 and frees the tracking object.
3. The freed tracking object is allocated and initialized for a
different to be tracked kernel object.
4. T1 resumes and reports error for wrong kernel object.
Create a local copy of the tracking object before releasing the hash bucket
lock and use the local copy for reporting and fixups to prevent this.
Signed-off-by: Andrzej Hajda <andrzej.hajda@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20231025-debugobjects_fix-v3-1-2bc3bf7084c2@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/debugobjects.c | 200 ++++++++++++++++++---------------------------
1 file changed, 78 insertions(+), 122 deletions(-)
diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index 579406c1e9ed..09fddc0ea6d3 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -593,9 +593,8 @@ static struct debug_obj *lookup_object_or_alloc(void *addr, struct debug_bucket
static void
__debug_object_init(void *addr, const struct debug_obj_descr *descr, int onstack)
{
- enum debug_obj_state state;
+ struct debug_obj *obj, o;
struct debug_bucket *db;
- struct debug_obj *obj;
unsigned long flags;
/*
@@ -621,24 +620,18 @@ __debug_object_init(void *addr, const struct debug_obj_descr *descr, int onstack
case ODEBUG_STATE_INIT:
case ODEBUG_STATE_INACTIVE:
obj->state = ODEBUG_STATE_INIT;
- break;
-
- case ODEBUG_STATE_ACTIVE:
- state = obj->state;
- raw_spin_unlock_irqrestore(&db->lock, flags);
- debug_print_object(obj, "init");
- debug_object_fixup(descr->fixup_init, addr, state);
- return;
-
- case ODEBUG_STATE_DESTROYED:
raw_spin_unlock_irqrestore(&db->lock, flags);
- debug_print_object(obj, "init");
return;
default:
break;
}
+ o = *obj;
raw_spin_unlock_irqrestore(&db->lock, flags);
+ debug_print_object(&o, "init");
+
+ if (o.state == ODEBUG_STATE_ACTIVE)
+ debug_object_fixup(descr->fixup_init, addr, o.state);
}
/**
@@ -679,11 +672,9 @@ EXPORT_SYMBOL_GPL(debug_object_init_on_stack);
int debug_object_activate(void *addr, const struct debug_obj_descr *descr)
{
struct debug_obj o = { .object = addr, .state = ODEBUG_STATE_NOTAVAILABLE, .descr = descr };
- enum debug_obj_state state;
struct debug_bucket *db;
struct debug_obj *obj;
unsigned long flags;
- int ret;
if (!debug_objects_enabled)
return 0;
@@ -693,49 +684,38 @@ int debug_object_activate(void *addr, const struct debug_obj_descr *descr)
raw_spin_lock_irqsave(&db->lock, flags);
obj = lookup_object_or_alloc(addr, db, descr, false, true);
- if (likely(!IS_ERR_OR_NULL(obj))) {
- bool print_object = false;
-
+ if (unlikely(!obj)) {
+ raw_spin_unlock_irqrestore(&db->lock, flags);
+ debug_objects_oom();
+ return 0;
+ } else if (likely(!IS_ERR(obj))) {
switch (obj->state) {
- case ODEBUG_STATE_INIT:
- case ODEBUG_STATE_INACTIVE:
- obj->state = ODEBUG_STATE_ACTIVE;
- ret = 0;
- break;
-
case ODEBUG_STATE_ACTIVE:
- state = obj->state;
- raw_spin_unlock_irqrestore(&db->lock, flags);
- debug_print_object(obj, "activate");
- ret = debug_object_fixup(descr->fixup_activate, addr, state);
- return ret ? 0 : -EINVAL;
-
case ODEBUG_STATE_DESTROYED:
- print_object = true;
- ret = -EINVAL;
+ o = *obj;
break;
+ case ODEBUG_STATE_INIT:
+ case ODEBUG_STATE_INACTIVE:
+ obj->state = ODEBUG_STATE_ACTIVE;
+ fallthrough;
default:
- ret = 0;
- break;
+ raw_spin_unlock_irqrestore(&db->lock, flags);
+ return 0;
}
- raw_spin_unlock_irqrestore(&db->lock, flags);
- if (print_object)
- debug_print_object(obj, "activate");
- return ret;
}
raw_spin_unlock_irqrestore(&db->lock, flags);
+ debug_print_object(&o, "activate");
- /* If NULL the allocation has hit OOM */
- if (!obj) {
- debug_objects_oom();
- return 0;
+ switch (o.state) {
+ case ODEBUG_STATE_ACTIVE:
+ case ODEBUG_STATE_NOTAVAILABLE:
+ if (debug_object_fixup(descr->fixup_activate, addr, o.state))
+ return 0;
+ fallthrough;
+ default:
+ return -EINVAL;
}
-
- /* Object is neither static nor tracked. It's not initialized */
- debug_print_object(&o, "activate");
- ret = debug_object_fixup(descr->fixup_activate, addr, ODEBUG_STATE_NOTAVAILABLE);
- return ret ? 0 : -EINVAL;
}
EXPORT_SYMBOL_GPL(debug_object_activate);
@@ -746,10 +726,10 @@ EXPORT_SYMBOL_GPL(debug_object_activate);
*/
void debug_object_deactivate(void *addr, const struct debug_obj_descr *descr)
{
+ struct debug_obj o = { .object = addr, .state = ODEBUG_STATE_NOTAVAILABLE, .descr = descr };
struct debug_bucket *db;
struct debug_obj *obj;
unsigned long flags;
- bool print_object = false;
if (!debug_objects_enabled)
return;
@@ -761,33 +741,24 @@ void debug_object_deactivate(void *addr, const struct debug_obj_descr *descr)
obj = lookup_object(addr, db);
if (obj) {
switch (obj->state) {
+ case ODEBUG_STATE_DESTROYED:
+ break;
case ODEBUG_STATE_INIT:
case ODEBUG_STATE_INACTIVE:
case ODEBUG_STATE_ACTIVE:
- if (!obj->astate)
- obj->state = ODEBUG_STATE_INACTIVE;
- else
- print_object = true;
- break;
-
- case ODEBUG_STATE_DESTROYED:
- print_object = true;
- break;
+ if (obj->astate)
+ break;
+ obj->state = ODEBUG_STATE_INACTIVE;
+ fallthrough;
default:
- break;
+ raw_spin_unlock_irqrestore(&db->lock, flags);
+ return;
}
+ o = *obj;
}
raw_spin_unlock_irqrestore(&db->lock, flags);
- if (!obj) {
- struct debug_obj o = { .object = addr,
- .state = ODEBUG_STATE_NOTAVAILABLE,
- .descr = descr };
-
- debug_print_object(&o, "deactivate");
- } else if (print_object) {
- debug_print_object(obj, "deactivate");
- }
+ debug_print_object(&o, "deactivate");
}
EXPORT_SYMBOL_GPL(debug_object_deactivate);
@@ -798,11 +769,9 @@ EXPORT_SYMBOL_GPL(debug_object_deactivate);
*/
void debug_object_destroy(void *addr, const struct debug_obj_descr *descr)
{
- enum debug_obj_state state;
+ struct debug_obj *obj, o;
struct debug_bucket *db;
- struct debug_obj *obj;
unsigned long flags;
- bool print_object = false;
if (!debug_objects_enabled)
return;
@@ -812,32 +781,31 @@ void debug_object_destroy(void *addr, const struct debug_obj_descr *descr)
raw_spin_lock_irqsave(&db->lock, flags);
obj = lookup_object(addr, db);
- if (!obj)
- goto out_unlock;
+ if (!obj) {
+ raw_spin_unlock_irqrestore(&db->lock, flags);
+ return;
+ }
switch (obj->state) {
+ case ODEBUG_STATE_ACTIVE:
+ case ODEBUG_STATE_DESTROYED:
+ break;
case ODEBUG_STATE_NONE:
case ODEBUG_STATE_INIT:
case ODEBUG_STATE_INACTIVE:
obj->state = ODEBUG_STATE_DESTROYED;
- break;
- case ODEBUG_STATE_ACTIVE:
- state = obj->state;
+ fallthrough;
+ default:
raw_spin_unlock_irqrestore(&db->lock, flags);
- debug_print_object(obj, "destroy");
- debug_object_fixup(descr->fixup_destroy, addr, state);
return;
-
- case ODEBUG_STATE_DESTROYED:
- print_object = true;
- break;
- default:
- break;
}
-out_unlock:
+
+ o = *obj;
raw_spin_unlock_irqrestore(&db->lock, flags);
- if (print_object)
- debug_print_object(obj, "destroy");
+ debug_print_object(&o, "destroy");
+
+ if (o.state == ODEBUG_STATE_ACTIVE)
+ debug_object_fixup(descr->fixup_destroy, addr, o.state);
}
EXPORT_SYMBOL_GPL(debug_object_destroy);
@@ -848,9 +816,8 @@ EXPORT_SYMBOL_GPL(debug_object_destroy);
*/
void debug_object_free(void *addr, const struct debug_obj_descr *descr)
{
- enum debug_obj_state state;
+ struct debug_obj *obj, o;
struct debug_bucket *db;
- struct debug_obj *obj;
unsigned long flags;
if (!debug_objects_enabled)
@@ -861,24 +828,26 @@ void debug_object_free(void *addr, const struct debug_obj_descr *descr)
raw_spin_lock_irqsave(&db->lock, flags);
obj = lookup_object(addr, db);
- if (!obj)
- goto out_unlock;
+ if (!obj) {
+ raw_spin_unlock_irqrestore(&db->lock, flags);
+ return;
+ }
switch (obj->state) {
case ODEBUG_STATE_ACTIVE:
- state = obj->state;
- raw_spin_unlock_irqrestore(&db->lock, flags);
- debug_print_object(obj, "free");
- debug_object_fixup(descr->fixup_free, addr, state);
- return;
+ break;
default:
hlist_del(&obj->node);
raw_spin_unlock_irqrestore(&db->lock, flags);
free_object(obj);
return;
}
-out_unlock:
+
+ o = *obj;
raw_spin_unlock_irqrestore(&db->lock, flags);
+ debug_print_object(&o, "free");
+
+ debug_object_fixup(descr->fixup_free, addr, o.state);
}
EXPORT_SYMBOL_GPL(debug_object_free);
@@ -928,10 +897,10 @@ void
debug_object_active_state(void *addr, const struct debug_obj_descr *descr,
unsigned int expect, unsigned int next)
{
+ struct debug_obj o = { .object = addr, .state = ODEBUG_STATE_NOTAVAILABLE, .descr = descr };
struct debug_bucket *db;
struct debug_obj *obj;
unsigned long flags;
- bool print_object = false;
if (!debug_objects_enabled)
return;
@@ -944,28 +913,19 @@ debug_object_active_state(void *addr, const struct debug_obj_descr *descr,
if (obj) {
switch (obj->state) {
case ODEBUG_STATE_ACTIVE:
- if (obj->astate == expect)
- obj->astate = next;
- else
- print_object = true;
- break;
-
+ if (obj->astate != expect)
+ break;
+ obj->astate = next;
+ raw_spin_unlock_irqrestore(&db->lock, flags);
+ return;
default:
- print_object = true;
break;
}
+ o = *obj;
}
raw_spin_unlock_irqrestore(&db->lock, flags);
- if (!obj) {
- struct debug_obj o = { .object = addr,
- .state = ODEBUG_STATE_NOTAVAILABLE,
- .descr = descr };
-
- debug_print_object(&o, "active_state");
- } else if (print_object) {
- debug_print_object(obj, "active_state");
- }
+ debug_print_object(&o, "active_state");
}
EXPORT_SYMBOL_GPL(debug_object_active_state);
@@ -973,12 +933,10 @@ EXPORT_SYMBOL_GPL(debug_object_active_state);
static void __debug_check_no_obj_freed(const void *address, unsigned long size)
{
unsigned long flags, oaddr, saddr, eaddr, paddr, chunks;
- const struct debug_obj_descr *descr;
- enum debug_obj_state state;
+ int cnt, objs_checked = 0;
+ struct debug_obj *obj, o;
struct debug_bucket *db;
struct hlist_node *tmp;
- struct debug_obj *obj;
- int cnt, objs_checked = 0;
saddr = (unsigned long) address;
eaddr = saddr + size;
@@ -1000,12 +958,10 @@ static void __debug_check_no_obj_freed(const void *address, unsigned long size)
switch (obj->state) {
case ODEBUG_STATE_ACTIVE:
- descr = obj->descr;
- state = obj->state;
+ o = *obj;
raw_spin_unlock_irqrestore(&db->lock, flags);
- debug_print_object(obj, "free");
- debug_object_fixup(descr->fixup_free,
- (void *) oaddr, state);
+ debug_print_object(&o, "free");
+ debug_object_fixup(o.descr->fixup_free, (void *)oaddr, o.state);
goto repeat;
default:
hlist_del(&obj->node);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 137/476] regulator: core: Only increment use_count when enable_count changes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 136/476] debugobjects: Stop accessing objects after releasing hash bucket lock Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 138/476] audit: Send netlink ACK before setting connection in auditd_set Greg Kroah-Hartman
` (348 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rui Zhang, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rui Zhang <zr.zhang@vivo.com>
[ Upstream commit 7993d3a9c34f609c02171e115fd12c10e2105ff4 ]
The use_count of a regulator should only be incremented when the
enable_count changes from 0 to 1. Similarly, the use_count should
only be decremented when the enable_count changes from 1 to 0.
In the previous implementation, use_count was sometimes decremented
to 0 when some consumer called unbalanced disable,
leading to unexpected disable even the regulator is enabled by
other consumers. With this change, the use_count accurately reflects
the number of users which the regulator is enabled.
This should make things more robust in the case where a consumer does
leak references.
Signed-off-by: Rui Zhang <zr.zhang@vivo.com>
Link: https://lore.kernel.org/r/20231103074231.8031-1-zr.zhang@vivo.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 56 +++++++++++++++++++++-------------------
1 file changed, 30 insertions(+), 26 deletions(-)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 8ad50dc8fb35..9b1f27f87c95 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -2881,7 +2881,8 @@ static int _regulator_enable(struct regulator *regulator)
/* Fallthrough on positive return values - already enabled */
}
- rdev->use_count++;
+ if (regulator->enable_count == 1)
+ rdev->use_count++;
return 0;
@@ -2956,37 +2957,40 @@ static int _regulator_disable(struct regulator *regulator)
lockdep_assert_held_once(&rdev->mutex.base);
- if (WARN(rdev->use_count <= 0,
+ if (WARN(regulator->enable_count == 0,
"unbalanced disables for %s\n", rdev_get_name(rdev)))
return -EIO;
- /* are we the last user and permitted to disable ? */
- if (rdev->use_count == 1 &&
- (rdev->constraints && !rdev->constraints->always_on)) {
-
- /* we are last user */
- if (regulator_ops_is_valid(rdev, REGULATOR_CHANGE_STATUS)) {
- ret = _notifier_call_chain(rdev,
- REGULATOR_EVENT_PRE_DISABLE,
- NULL);
- if (ret & NOTIFY_STOP_MASK)
- return -EINVAL;
-
- ret = _regulator_do_disable(rdev);
- if (ret < 0) {
- rdev_err(rdev, "failed to disable: %pe\n", ERR_PTR(ret));
- _notifier_call_chain(rdev,
- REGULATOR_EVENT_ABORT_DISABLE,
+ if (regulator->enable_count == 1) {
+ /* disabling last enable_count from this regulator */
+ /* are we the last user and permitted to disable ? */
+ if (rdev->use_count == 1 &&
+ (rdev->constraints && !rdev->constraints->always_on)) {
+
+ /* we are last user */
+ if (regulator_ops_is_valid(rdev, REGULATOR_CHANGE_STATUS)) {
+ ret = _notifier_call_chain(rdev,
+ REGULATOR_EVENT_PRE_DISABLE,
+ NULL);
+ if (ret & NOTIFY_STOP_MASK)
+ return -EINVAL;
+
+ ret = _regulator_do_disable(rdev);
+ if (ret < 0) {
+ rdev_err(rdev, "failed to disable: %pe\n", ERR_PTR(ret));
+ _notifier_call_chain(rdev,
+ REGULATOR_EVENT_ABORT_DISABLE,
+ NULL);
+ return ret;
+ }
+ _notifier_call_chain(rdev, REGULATOR_EVENT_DISABLE,
NULL);
- return ret;
}
- _notifier_call_chain(rdev, REGULATOR_EVENT_DISABLE,
- NULL);
- }
- rdev->use_count = 0;
- } else if (rdev->use_count > 1) {
- rdev->use_count--;
+ rdev->use_count = 0;
+ } else if (rdev->use_count > 1) {
+ rdev->use_count--;
+ }
}
if (ret == 0)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 138/476] audit: Send netlink ACK before setting connection in auditd_set
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 137/476] regulator: core: Only increment use_count when enable_count changes Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 139/476] ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop Greg Kroah-Hartman
` (347 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Riches, Paul Moore, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Riches <chris.riches@nutanix.com>
[ Upstream commit 022732e3d846e197539712e51ecada90ded0572a ]
When auditd_set sets the auditd_conn pointer, audit messages can
immediately be put on the socket by other kernel threads. If the backlog
is large or the rate is high, this can immediately fill the socket
buffer. If the audit daemon requested an ACK for this operation, a full
socket buffer causes the ACK to get dropped, also setting ENOBUFS on the
socket.
To avoid this race and ensure ACKs get through, fast-track the ACK in
this specific case to ensure it is sent before auditd_conn is set.
Signed-off-by: Chris Riches <chris.riches@nutanix.com>
[PM: fix some tab vs space damage]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/audit.c | 31 ++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 94ded5de9131..82b6fea46e20 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -490,15 +490,19 @@ static void auditd_conn_free(struct rcu_head *rcu)
* @pid: auditd PID
* @portid: auditd netlink portid
* @net: auditd network namespace pointer
+ * @skb: the netlink command from the audit daemon
+ * @ack: netlink ack flag, cleared if ack'd here
*
* Description:
* This function will obtain and drop network namespace references as
* necessary. Returns zero on success, negative values on failure.
*/
-static int auditd_set(struct pid *pid, u32 portid, struct net *net)
+static int auditd_set(struct pid *pid, u32 portid, struct net *net,
+ struct sk_buff *skb, bool *ack)
{
unsigned long flags;
struct auditd_connection *ac_old, *ac_new;
+ struct nlmsghdr *nlh;
if (!pid || !net)
return -EINVAL;
@@ -510,6 +514,13 @@ static int auditd_set(struct pid *pid, u32 portid, struct net *net)
ac_new->portid = portid;
ac_new->net = get_net(net);
+ /* send the ack now to avoid a race with the queue backlog */
+ if (*ack) {
+ nlh = nlmsg_hdr(skb);
+ netlink_ack(skb, nlh, 0, NULL);
+ *ack = false;
+ }
+
spin_lock_irqsave(&auditd_conn_lock, flags);
ac_old = rcu_dereference_protected(auditd_conn,
lockdep_is_held(&auditd_conn_lock));
@@ -1203,7 +1214,8 @@ static int audit_replace(struct pid *pid)
return auditd_send_unicast_skb(skb);
}
-static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
+ bool *ack)
{
u32 seq;
void *data;
@@ -1296,7 +1308,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
/* register a new auditd connection */
err = auditd_set(req_pid,
NETLINK_CB(skb).portid,
- sock_net(NETLINK_CB(skb).sk));
+ sock_net(NETLINK_CB(skb).sk),
+ skb, ack);
if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid",
new_pid,
@@ -1541,9 +1554,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
* Parse the provided skb and deal with any messages that may be present,
* malformed skbs are discarded.
*/
-static void audit_receive(struct sk_buff *skb)
+static void audit_receive(struct sk_buff *skb)
{
struct nlmsghdr *nlh;
+ bool ack;
/*
* len MUST be signed for nlmsg_next to be able to dec it below 0
* if the nlmsg_len was not aligned
@@ -1556,9 +1570,12 @@ static void audit_receive(struct sk_buff *skb)
audit_ctl_lock();
while (nlmsg_ok(nlh, len)) {
- err = audit_receive_msg(skb, nlh);
- /* if err or if this message says it wants a response */
- if (err || (nlh->nlmsg_flags & NLM_F_ACK))
+ ack = nlh->nlmsg_flags & NLM_F_ACK;
+ err = audit_receive_msg(skb, nlh, &ack);
+
+ /* send an ack if the user asked for one and audit_receive_msg
+ * didn't already do it, or if there was an error. */
+ if (ack || err)
netlink_ack(skb, nlh, err, NULL);
nlh = nlmsg_next(nlh, &len);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 139/476] ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 138/476] audit: Send netlink ACK before setting connection in auditd_set Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 140/476] PNP: ACPI: fix fortify warning Greg Kroah-Hartman
` (346 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuluo Qiu, Celeste Liu,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuluo Qiu <qyl27@outlook.com>
[ Upstream commit 143176a46bdd3bfbe9ba2462bf94458e80d65ebf ]
The Colorful X15 AT 23 ACPI video-bus device report spurious
ACPI_VIDEO_NOTIFY_CYCLE events resulting in spurious KEY_SWITCHVIDEOMODE
events being reported to userspace (and causing trouble there) when
an external screen plugged in.
Add a quirk setting the report_key_events mask to
REPORT_BRIGHTNESS_KEY_EVENTS so that the ACPI_VIDEO_NOTIFY_CYCLE
events will be ignored, while still reporting brightness up/down
hotkey-presses to userspace normally.
Signed-off-by: Yuluo Qiu <qyl27@outlook.com>
Co-developed-by: Celeste Liu <CoelacanthusHex@gmail.com>
Signed-off-by: Celeste Liu <CoelacanthusHex@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpi_video.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
index 61bcdc75bee7..c8eb69d3e1d6 100644
--- a/drivers/acpi/acpi_video.c
+++ b/drivers/acpi/acpi_video.c
@@ -566,6 +566,15 @@ static const struct dmi_system_id video_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 3350"),
},
},
+ {
+ .callback = video_set_report_key_events,
+ .driver_data = (void *)((uintptr_t)REPORT_BRIGHTNESS_KEY_EVENTS),
+ .ident = "COLORFUL X15 AT 23",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "COLORFUL"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "X15 AT 23"),
+ },
+ },
/*
* Some machines change the brightness themselves when a brightness
* hotkey gets pressed, despite us telling them not to. In this case
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 140/476] PNP: ACPI: fix fortify warning
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 139/476] ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 141/476] ACPI: extlog: fix NULL pointer dereference check Greg Kroah-Hartman
` (345 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov, Kees Cook,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit ba3f5058db437d919f8468db50483dd9028ff688 ]
When compiling with gcc version 14.0.0 20231126 (experimental)
and CONFIG_FORTIFY_SOURCE=y, I've noticed the following:
In file included from ./include/linux/string.h:295,
from ./include/linux/bitmap.h:12,
from ./include/linux/cpumask.h:12,
from ./arch/x86/include/asm/paravirt.h:17,
from ./arch/x86/include/asm/cpuid.h:62,
from ./arch/x86/include/asm/processor.h:19,
from ./arch/x86/include/asm/cpufeature.h:5,
from ./arch/x86/include/asm/thread_info.h:53,
from ./include/linux/thread_info.h:60,
from ./arch/x86/include/asm/preempt.h:9,
from ./include/linux/preempt.h:79,
from ./include/linux/spinlock.h:56,
from ./include/linux/mmzone.h:8,
from ./include/linux/gfp.h:7,
from ./include/linux/slab.h:16,
from ./include/linux/resource_ext.h:11,
from ./include/linux/acpi.h:13,
from drivers/pnp/pnpacpi/rsparser.c:11:
In function 'fortify_memcpy_chk',
inlined from 'pnpacpi_parse_allocated_vendor' at drivers/pnp/pnpacpi/rsparser.c:158:3,
inlined from 'pnpacpi_allocated_resource' at drivers/pnp/pnpacpi/rsparser.c:249:3:
./include/linux/fortify-string.h:588:25: warning: call to '__read_overflow2_field'
declared with attribute warning: detected read beyond size of field (2nd parameter);
maybe use struct_group()? [-Wattribute-warning]
588 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
According to the comments in include/linux/fortify-string.h, 'memcpy()',
'memmove()' and 'memset()' must not be used beyond individual struct
members to ensure that the compiler can enforce protection against
buffer overflows, and, IIUC, this also applies to partial copies from
the particular member ('vendor->byte_data' in this case). So it should
be better (and safer) to do both copies at once (and 'byte_data' of
'struct acpi_resource_vendor_typed' seems to be a good candidate for
'__counted_by(byte_length)' as well).
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pnp/pnpacpi/rsparser.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/pnp/pnpacpi/rsparser.c b/drivers/pnp/pnpacpi/rsparser.c
index da78dc77aed3..9879deb4dc0b 100644
--- a/drivers/pnp/pnpacpi/rsparser.c
+++ b/drivers/pnp/pnpacpi/rsparser.c
@@ -151,13 +151,13 @@ static int vendor_resource_matches(struct pnp_dev *dev,
static void pnpacpi_parse_allocated_vendor(struct pnp_dev *dev,
struct acpi_resource_vendor_typed *vendor)
{
- if (vendor_resource_matches(dev, vendor, &hp_ccsr_uuid, 16)) {
- u64 start, length;
+ struct { u64 start, length; } range;
- memcpy(&start, vendor->byte_data, sizeof(start));
- memcpy(&length, vendor->byte_data + 8, sizeof(length));
-
- pnp_add_mem_resource(dev, start, start + length - 1, 0);
+ if (vendor_resource_matches(dev, vendor, &hp_ccsr_uuid,
+ sizeof(range))) {
+ memcpy(&range, vendor->byte_data, sizeof(range));
+ pnp_add_mem_resource(dev, range.start, range.start +
+ range.length - 1, 0);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 141/476] ACPI: extlog: fix NULL pointer dereference check
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 140/476] PNP: ACPI: fix fortify warning Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 142/476] PM / devfreq: Synchronize devfreq_monitor_[start/stop] Greg Kroah-Hartman
` (344 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prarit Bhargava, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prarit Bhargava <prarit@redhat.com>
[ Upstream commit 72d9b9747e78979510e9aafdd32eb99c7aa30dd1 ]
The gcc plugin -fanalyzer [1] tries to detect various
patterns of incorrect behaviour. The tool reports:
drivers/acpi/acpi_extlog.c: In function ‘extlog_exit’:
drivers/acpi/acpi_extlog.c:307:12: warning: check of ‘extlog_l1_addr’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
|
| 306 | ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
| | |
| | (1) pointer ‘extlog_l1_addr’ is dereferenced here
| 307 | if (extlog_l1_addr)
| | ~
| | |
| | (2) pointer ‘extlog_l1_addr’ is checked for NULL here but it was already dereferenced at (1)
|
Fix the NULL pointer dereference check in extlog_exit().
Link: https://gcc.gnu.org/onlinedocs/gcc-10.1.0/gcc/Static-Analyzer-Options.html # [1]
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpi_extlog.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/acpi_extlog.c b/drivers/acpi/acpi_extlog.c
index 088db2356998..0a84d5afd37c 100644
--- a/drivers/acpi/acpi_extlog.c
+++ b/drivers/acpi/acpi_extlog.c
@@ -308,9 +308,10 @@ static int __init extlog_init(void)
static void __exit extlog_exit(void)
{
mce_unregister_decode_chain(&extlog_mce_dec);
- ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN;
- if (extlog_l1_addr)
+ if (extlog_l1_addr) {
+ ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN;
acpi_os_unmap_iomem(extlog_l1_addr, l1_size);
+ }
if (elog_addr)
acpi_os_unmap_iomem(elog_addr, elog_size);
release_mem_region(elog_base, elog_size);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 142/476] PM / devfreq: Synchronize devfreq_monitor_[start/stop]
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 141/476] ACPI: extlog: fix NULL pointer dereference check Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 143/476] ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events Greg Kroah-Hartman
` (343 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joyyoung Huang, MyungJoo Ham,
Mukesh Ojha, Chanwoo Choi, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mukesh Ojha <quic_mojha@quicinc.com>
[ Upstream commit aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6 ]
There is a chance if a frequent switch of the governor
done in a loop result in timer list corruption where
timer cancel being done from two place one from
cancel_delayed_work_sync() and followed by expire_timers()
can be seen from the traces[1].
while true
do
echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor
echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor
done
It looks to be issue with devfreq driver where
device_monitor_[start/stop] need to synchronized so that
delayed work should get corrupted while it is either
being queued or running or being cancelled.
Let's use polling flag and devfreq lock to synchronize the
queueing the timer instance twice and work data being
corrupted.
[1]
...
..
<idle>-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428
<idle>-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c
<idle>-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428
kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227
vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428
vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428
vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532
vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428
xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428
[2]
9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a
[ 9436.261664][ C4] Mem abort info:
[ 9436.261666][ C4] ESR = 0x96000044
[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits
[ 9436.261671][ C4] SET = 0, FnV = 0
[ 9436.261673][ C4] EA = 0, S1PTW = 0
[ 9436.261675][ C4] Data abort info:
[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044
[ 9436.261680][ C4] CM = 0, WnR = 1
[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges
[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0
...
[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1
[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)
[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)
[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438
[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438
[ 9436.262168][ C4] sp : ffffffc010023dd0
[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18
[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008
[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280
[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122
[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80
[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038
[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201
[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100
[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8
[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff
[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122
[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8
[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101
[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff889edc155c
[ 9436.262227][ C4] x1 : ffffff8001005200 x0 : ffffff80444f0428
[ 9436.262232][ C4] Call trace:
[ 9436.262236][ C4] expire_timers+0x9c/0x438
[ 9436.262240][ C4] __run_timers+0x1f0/0x330
[ 9436.262245][ C4] run_timer_softirq+0x28/0x58
[ 9436.262255][ C4] efi_header_end+0x168/0x5ec
[ 9436.262265][ C4] __irq_exit_rcu+0x108/0x124
[ 9436.262274][ C4] __handle_domain_irq+0x118/0x1e4
[ 9436.262282][ C4] gic_handle_irq.30369+0x6c/0x2bc
[ 9436.262286][ C4] el0_irq_naked+0x60/0x6c
Link: https://lore.kernel.org/all/1700860318-4025-1-git-send-email-quic_mojha@quicinc.com/
Reported-by: Joyyoung Huang <huangzaiyang@oppo.com>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/devfreq/devfreq.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -464,10 +464,14 @@ static void devfreq_monitor(struct work_
if (err)
dev_err(&devfreq->dev, "dvfs failed with (%d) error\n", err);
+ if (devfreq->stop_polling)
+ goto out;
+
queue_delayed_work(devfreq_wq, &devfreq->work,
msecs_to_jiffies(devfreq->profile->polling_ms));
- mutex_unlock(&devfreq->lock);
+out:
+ mutex_unlock(&devfreq->lock);
trace_devfreq_monitor(devfreq);
}
@@ -485,6 +489,10 @@ void devfreq_monitor_start(struct devfre
if (IS_SUPPORTED_FLAG(devfreq->governor->flags, IRQ_DRIVEN))
return;
+ mutex_lock(&devfreq->lock);
+ if (delayed_work_pending(&devfreq->work))
+ goto out;
+
switch (devfreq->profile->timer) {
case DEVFREQ_TIMER_DEFERRABLE:
INIT_DEFERRABLE_WORK(&devfreq->work, devfreq_monitor);
@@ -493,12 +501,16 @@ void devfreq_monitor_start(struct devfre
INIT_DELAYED_WORK(&devfreq->work, devfreq_monitor);
break;
default:
- return;
+ goto out;
}
if (devfreq->profile->polling_ms)
queue_delayed_work(devfreq_wq, &devfreq->work,
msecs_to_jiffies(devfreq->profile->polling_ms));
+
+out:
+ devfreq->stop_polling = false;
+ mutex_unlock(&devfreq->lock);
}
EXPORT_SYMBOL(devfreq_monitor_start);
@@ -515,6 +527,14 @@ void devfreq_monitor_stop(struct devfreq
if (IS_SUPPORTED_FLAG(devfreq->governor->flags, IRQ_DRIVEN))
return;
+ mutex_lock(&devfreq->lock);
+ if (devfreq->stop_polling) {
+ mutex_unlock(&devfreq->lock);
+ return;
+ }
+
+ devfreq->stop_polling = true;
+ mutex_unlock(&devfreq->lock);
cancel_delayed_work_sync(&devfreq->work);
}
EXPORT_SYMBOL(devfreq_monitor_stop);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 143/476] ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 142/476] PM / devfreq: Synchronize devfreq_monitor_[start/stop] Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 144/476] FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Greg Kroah-Hartman
` (342 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuai Xue, Ma Wupeng, Kefeng Wang,
Xiaofei Tan, Baolin Wang, James Morse, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuai Xue <xueshuai@linux.alibaba.com>
[ Upstream commit a70297d2213253853e95f5b49651f924990c6d3b ]
There are two major types of uncorrected recoverable (UCR) errors :
- Synchronous error: The error is detected and raised at the point of
the consumption in the execution flow, e.g. when a CPU tries to
access a poisoned cache line. The CPU will take a synchronous error
exception such as Synchronous External Abort (SEA) on Arm64 and
Machine Check Exception (MCE) on X86. OS requires to take action (for
example, offline failure page/kill failure thread) to recover this
uncorrectable error.
- Asynchronous error: The error is detected out of processor execution
context, e.g. when an error is detected by a background scrubber.
Some data in the memory are corrupted. But the data have not been
consumed. OS is optional to take action to recover this uncorrectable
error.
When APEI firmware first is enabled, a platform may describe one error
source for the handling of synchronous errors (e.g. MCE or SEA notification
), or for handling asynchronous errors (e.g. SCI or External Interrupt
notification). In other words, we can distinguish synchronous errors by
APEI notification. For synchronous errors, kernel will kill the current
process which accessing the poisoned page by sending SIGBUS with
BUS_MCEERR_AR. In addition, for asynchronous errors, kernel will notify the
process who owns the poisoned page by sending SIGBUS with BUS_MCEERR_AO in
early kill mode. However, the GHES driver always sets mf_flags to 0 so that
all synchronous errors are handled as asynchronous errors in memory failure.
To this end, set memory failure flags as MF_ACTION_REQUIRED on synchronous
events.
Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
Tested-by: Ma Wupeng <mawupeng1@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Xiaofei Tan <tanxiaofei@huawei.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Reviewed-by: James Morse <james.morse@arm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/ghes.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 8678e162181f..160606af8b4f 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -99,6 +99,20 @@ static inline bool is_hest_type_generic_v2(struct ghes *ghes)
return ghes->generic->header.type == ACPI_HEST_TYPE_GENERIC_ERROR_V2;
}
+/*
+ * A platform may describe one error source for the handling of synchronous
+ * errors (e.g. MCE or SEA), or for handling asynchronous errors (e.g. SCI
+ * or External Interrupt). On x86, the HEST notifications are always
+ * asynchronous, so only SEA on ARM is delivered as a synchronous
+ * notification.
+ */
+static inline bool is_hest_sync_notify(struct ghes *ghes)
+{
+ u8 notify_type = ghes->generic->notify.type;
+
+ return notify_type == ACPI_HEST_NOTIFY_SEA;
+}
+
/*
* This driver isn't really modular, however for the time being,
* continuing to use module_param is the easiest way to remain
@@ -461,7 +475,7 @@ static bool ghes_do_memory_failure(u64 physical_addr, int flags)
}
static bool ghes_handle_memory_failure(struct acpi_hest_generic_data *gdata,
- int sev)
+ int sev, bool sync)
{
int flags = -1;
int sec_sev = ghes_severity(gdata->error_severity);
@@ -475,7 +489,7 @@ static bool ghes_handle_memory_failure(struct acpi_hest_generic_data *gdata,
(gdata->flags & CPER_SEC_ERROR_THRESHOLD_EXCEEDED))
flags = MF_SOFT_OFFLINE;
if (sev == GHES_SEV_RECOVERABLE && sec_sev == GHES_SEV_RECOVERABLE)
- flags = 0;
+ flags = sync ? MF_ACTION_REQUIRED : 0;
if (flags != -1)
return ghes_do_memory_failure(mem_err->physical_addr, flags);
@@ -483,9 +497,11 @@ static bool ghes_handle_memory_failure(struct acpi_hest_generic_data *gdata,
return false;
}
-static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, int sev)
+static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ int sev, bool sync)
{
struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
+ int flags = sync ? MF_ACTION_REQUIRED : 0;
bool queued = false;
int sec_sev, i;
char *p;
@@ -510,7 +526,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, int s
* and don't filter out 'corrected' error here.
*/
if (is_cache && has_pa) {
- queued = ghes_do_memory_failure(err_info->physical_fault_addr, 0);
+ queued = ghes_do_memory_failure(err_info->physical_fault_addr, flags);
p += err_info->length;
continue;
}
@@ -631,6 +647,7 @@ static bool ghes_do_proc(struct ghes *ghes,
const guid_t *fru_id = &guid_null;
char *fru_text = "";
bool queued = false;
+ bool sync = is_hest_sync_notify(ghes);
sev = ghes_severity(estatus->error_severity);
apei_estatus_for_each_section(estatus, gdata) {
@@ -648,13 +665,13 @@ static bool ghes_do_proc(struct ghes *ghes,
ghes_edac_report_mem_error(sev, mem_err);
arch_apei_report_mem_error(sev, mem_err);
- queued = ghes_handle_memory_failure(gdata, sev);
+ queued = ghes_handle_memory_failure(gdata, sev, sync);
}
else if (guid_equal(sec_type, &CPER_SEC_PCIE)) {
ghes_handle_aer(gdata);
}
else if (guid_equal(sec_type, &CPER_SEC_PROC_ARM)) {
- queued = ghes_handle_arm_hw_error(gdata, sev);
+ queued = ghes_handle_arm_hw_error(gdata, sev, sync);
} else {
void *err = acpi_hest_get_payload(gdata);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 144/476] FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 143/476] ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 145/476] UBSAN: array-index-out-of-bounds in dtSplitRoot Greg Kroah-Hartman
` (341 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+39ba34a099ac2e9bd3cb,
Osama Muhammad, Dave Kleikamp, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Muhammad <osmtendev@gmail.com>
[ Upstream commit 9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68 ]
Syzkaller reported the following issue:
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6
index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
txUpdateMap+0x342/0x9e0
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
================================================================================
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
panic+0x30f/0x770 kernel/panic.c:340
check_panic_on_warn+0x82/0xa0 kernel/panic.c:236
ubsan_epilogue lib/ubsan.c:223 [inline]
__ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348
dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
txUpdateMap+0x342/0x9e0
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
The issue is caused when the value of lp becomes greater than
CTLTREESIZE which is the max size of stree. Adding a simple check
solves this issue.
Dave:
As the function returns a void, good error handling
would require a more intrusive code reorganization, so I modified
Osama's patch at use WARN_ON_ONCE for lack of a cleaner option.
The patch is tested via syzbot.
Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb
Signed-off-by: Osama Muhammad <osmtendev@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 5b01026fff9b..bd2bb5724cc1 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2939,6 +2939,9 @@ static void dbAdjTree(dmtree_t * tp, int leafno, int newval)
/* is the current value the same as the old value ? if so,
* there is nothing to do.
*/
+ if (WARN_ON_ONCE(lp >= CTLTREESIZE))
+ return;
+
if (tp->dmt_stree[lp] == newval)
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 145/476] UBSAN: array-index-out-of-bounds in dtSplitRoot
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 144/476] FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 146/476] jfs: fix slab-out-of-bounds Read in dtSearch Greg Kroah-Hartman
` (340 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Osama Muhammad, Dave Kleikamp,
Sasha Levin, syzbot+d4b1df2e9d4ded6488ec
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Muhammad <osmtendev@gmail.com>
[ Upstream commit 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16 ]
Syzkaller reported the following issue:
oop0: detected capacity change from 0 to 32768
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9
index -2 is out of range for type 'struct dtslot [128]'
CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971
dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]
dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863
jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270
vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
do_mkdirat+0x279/0x550 fs/namei.c:4038
__do_sys_mkdirat fs/namei.c:4053 [inline]
__se_sys_mkdirat fs/namei.c:4051 [inline]
__x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcdc0113fd9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0
R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000
</TASK>
The issue is caused when the value of fsi becomes less than -1.
The check to break the loop when fsi value becomes -1 is present
but syzbot was able to produce value less than -1 which cause the error.
This patch simply add the change for the values less than 0.
The patch is tested via syzbot.
Reported-and-tested-by: syzbot+d4b1df2e9d4ded6488ec@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=d4b1df2e9d4ded6488ec
Signed-off-by: Osama Muhammad <osmtendev@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dtree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 837d42f61464..fafcb90219cf 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -1970,7 +1970,7 @@ static int dtSplitRoot(tid_t tid,
do {
f = &rp->slot[fsi];
fsi = f->next;
- } while (fsi != -1);
+ } while (fsi >= 0);
f->next = n;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 146/476] jfs: fix slab-out-of-bounds Read in dtSearch
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 145/476] UBSAN: array-index-out-of-bounds in dtSplitRoot Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 147/476] jfs: fix array-index-out-of-bounds in dbAdjTree Greg Kroah-Hartman
` (339 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Manas Ghandat, Dave Kleikamp, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manas Ghandat <ghandatmanas@gmail.com>
[ Upstream commit fa5492ee89463a7590a1449358002ff7ef63529f ]
Currently while searching for current page in the sorted entry table
of the page there is a out of bound access. Added a bound check to fix
the error.
Dave:
Set return code to -EIO
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202310241724.Ed02yUz9-lkp@intel.com/
Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dtree.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index fafcb90219cf..a222a9d71887 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -633,6 +633,11 @@ int dtSearch(struct inode *ip, struct component_name * key, ino_t * data,
for (base = 0, lim = p->header.nextindex; lim; lim >>= 1) {
index = base + (lim >> 1);
+ if (stbl[index] < 0) {
+ rc = -EIO;
+ goto out;
+ }
+
if (p->header.flag & BT_LEAF) {
/* uppercase leaf name to compare */
cmp =
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 147/476] jfs: fix array-index-out-of-bounds in dbAdjTree
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 146/476] jfs: fix slab-out-of-bounds Read in dtSearch Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 148/476] jfs: fix uaf in jfs_evict_inode Greg Kroah-Hartman
` (338 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+39ba34a099ac2e9bd3cb,
Manas Ghandat, Dave Kleikamp, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manas Ghandat <ghandatmanas@gmail.com>
[ Upstream commit 74ecdda68242b174920fe7c6133a856fb7d8559b ]
Currently there is a bound check missing in the dbAdjTree while
accessing the dmt_stree. To add the required check added the bool is_ctl
which is required to determine the size as suggest in the following
commit.
https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/
Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb
Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 60 ++++++++++++++++++++++++-----------------------
1 file changed, 31 insertions(+), 29 deletions(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index bd2bb5724cc1..3f5c14315719 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -63,10 +63,10 @@
*/
static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int nblocks);
-static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval);
-static int dbBackSplit(dmtree_t * tp, int leafno);
-static int dbJoin(dmtree_t * tp, int leafno, int newval);
-static void dbAdjTree(dmtree_t * tp, int leafno, int newval);
+static void dbSplit(dmtree_t *tp, int leafno, int splitsz, int newval, bool is_ctl);
+static int dbBackSplit(dmtree_t *tp, int leafno, bool is_ctl);
+static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl);
+static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl);
static int dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc,
int level);
static int dbAllocAny(struct bmap * bmp, s64 nblocks, int l2nb, s64 * results);
@@ -2171,7 +2171,7 @@ static int dbFreeDmap(struct bmap * bmp, struct dmap * dp, s64 blkno,
* system.
*/
if (dp->tree.stree[word] == NOFREE)
- dbBackSplit((dmtree_t *) & dp->tree, word);
+ dbBackSplit((dmtree_t *)&dp->tree, word, false);
dbAllocBits(bmp, dp, blkno, nblocks);
}
@@ -2257,7 +2257,7 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
* the binary system of the leaves if need be.
*/
dbSplit(tp, word, BUDMIN,
- dbMaxBud((u8 *) & dp->wmap[word]));
+ dbMaxBud((u8 *)&dp->wmap[word]), false);
word += 1;
} else {
@@ -2297,7 +2297,7 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
* system of the leaves to reflect the current
* allocation (size).
*/
- dbSplit(tp, word, size, NOFREE);
+ dbSplit(tp, word, size, NOFREE, false);
/* get the number of dmap words handled */
nw = BUDSIZE(size, BUDMIN);
@@ -2404,7 +2404,7 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
/* update the leaf for this dmap word.
*/
rc = dbJoin(tp, word,
- dbMaxBud((u8 *) & dp->wmap[word]));
+ dbMaxBud((u8 *)&dp->wmap[word]), false);
if (rc)
return rc;
@@ -2437,7 +2437,7 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
/* update the leaf.
*/
- rc = dbJoin(tp, word, size);
+ rc = dbJoin(tp, word, size, false);
if (rc)
return rc;
@@ -2589,16 +2589,16 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level)
* that it is at the front of a binary buddy system.
*/
if (oldval == NOFREE) {
- rc = dbBackSplit((dmtree_t *) dcp, leafno);
+ rc = dbBackSplit((dmtree_t *)dcp, leafno, true);
if (rc) {
release_metapage(mp);
return rc;
}
oldval = dcp->stree[ti];
}
- dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval);
+ dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval, true);
} else {
- rc = dbJoin((dmtree_t *) dcp, leafno, newval);
+ rc = dbJoin((dmtree_t *) dcp, leafno, newval, true);
if (rc) {
release_metapage(mp);
return rc;
@@ -2629,7 +2629,7 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level)
*/
if (alloc) {
dbJoin((dmtree_t *) dcp, leafno,
- oldval);
+ oldval, true);
} else {
/* the dbJoin() above might have
* caused a larger binary buddy system
@@ -2639,9 +2639,9 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level)
*/
if (dcp->stree[ti] == NOFREE)
dbBackSplit((dmtree_t *)
- dcp, leafno);
+ dcp, leafno, true);
dbSplit((dmtree_t *) dcp, leafno,
- dcp->budmin, oldval);
+ dcp->budmin, oldval, true);
}
/* release the buffer and return the error.
@@ -2689,7 +2689,7 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level)
*
* serialization: IREAD_LOCK(ipbmap) or IWRITE_LOCK(ipbmap) held on entry/exit;
*/
-static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval)
+static void dbSplit(dmtree_t *tp, int leafno, int splitsz, int newval, bool is_ctl)
{
int budsz;
int cursz;
@@ -2711,7 +2711,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval)
while (cursz >= splitsz) {
/* update the buddy's leaf with its new value.
*/
- dbAdjTree(tp, leafno ^ budsz, cursz);
+ dbAdjTree(tp, leafno ^ budsz, cursz, is_ctl);
/* on to the next size and buddy.
*/
@@ -2723,7 +2723,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval)
/* adjust the dmap tree to reflect the specified leaf's new
* value.
*/
- dbAdjTree(tp, leafno, newval);
+ dbAdjTree(tp, leafno, newval, is_ctl);
}
@@ -2754,7 +2754,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval)
*
* serialization: IREAD_LOCK(ipbmap) or IWRITE_LOCK(ipbmap) held on entry/exit;
*/
-static int dbBackSplit(dmtree_t * tp, int leafno)
+static int dbBackSplit(dmtree_t *tp, int leafno, bool is_ctl)
{
int budsz, bud, w, bsz, size;
int cursz;
@@ -2805,7 +2805,7 @@ static int dbBackSplit(dmtree_t * tp, int leafno)
* system in two.
*/
cursz = leaf[bud] - 1;
- dbSplit(tp, bud, cursz, cursz);
+ dbSplit(tp, bud, cursz, cursz, is_ctl);
break;
}
}
@@ -2833,7 +2833,7 @@ static int dbBackSplit(dmtree_t * tp, int leafno)
*
* RETURN VALUES: none
*/
-static int dbJoin(dmtree_t * tp, int leafno, int newval)
+static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
{
int budsz, buddy;
s8 *leaf;
@@ -2888,12 +2888,12 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval)
if (leafno < buddy) {
/* leafno is the left buddy.
*/
- dbAdjTree(tp, buddy, NOFREE);
+ dbAdjTree(tp, buddy, NOFREE, is_ctl);
} else {
/* buddy is the left buddy and becomes
* leafno.
*/
- dbAdjTree(tp, leafno, NOFREE);
+ dbAdjTree(tp, leafno, NOFREE, is_ctl);
leafno = buddy;
}
@@ -2906,7 +2906,7 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval)
/* update the leaf value.
*/
- dbAdjTree(tp, leafno, newval);
+ dbAdjTree(tp, leafno, newval, is_ctl);
return 0;
}
@@ -2927,21 +2927,23 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval)
*
* RETURN VALUES: none
*/
-static void dbAdjTree(dmtree_t * tp, int leafno, int newval)
+static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
{
int lp, pp, k;
- int max;
+ int max, size;
+
+ size = is_ctl ? CTLTREESIZE : TREESIZE;
/* pick up the index of the leaf for this leafno.
*/
lp = leafno + le32_to_cpu(tp->dmt_leafidx);
+ if (WARN_ON_ONCE(lp >= size || lp < 0))
+ return;
+
/* is the current value the same as the old value ? if so,
* there is nothing to do.
*/
- if (WARN_ON_ONCE(lp >= CTLTREESIZE))
- return;
-
if (tp->dmt_stree[lp] == newval)
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 148/476] jfs: fix uaf in jfs_evict_inode
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 147/476] jfs: fix array-index-out-of-bounds in dbAdjTree Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 149/476] pstore/ram: Fix crash when setting number of cpus to an odd number Greg Kroah-Hartman
` (337 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis, Dave Kleikamp,
Sasha Levin, syzbot+01cf2dbcbe2022454388
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit e0e1958f4c365e380b17ccb35617345b31ef7bf3 ]
When the execution of diMount(ipimap) fails, the object ipimap that has been
released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs
when rcu_core() calls jfs_free_node().
Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as
ipimap.
Reported-and-tested-by: syzbot+01cf2dbcbe2022454388@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_mount.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c
index aa4ff7bcaff2..55702b31ab3c 100644
--- a/fs/jfs/jfs_mount.c
+++ b/fs/jfs/jfs_mount.c
@@ -172,15 +172,15 @@ int jfs_mount(struct super_block *sb)
}
jfs_info("jfs_mount: ipimap:0x%p", ipimap);
- /* map further access of per fileset inodes by the fileset inode */
- sbi->ipimap = ipimap;
-
/* initialize fileset inode allocation map */
if ((rc = diMount(ipimap))) {
jfs_err("jfs_mount: diMount failed w/rc = %d", rc);
goto err_ipimap;
}
+ /* map further access of per fileset inodes by the fileset inode */
+ sbi->ipimap = ipimap;
+
return rc;
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 149/476] pstore/ram: Fix crash when setting number of cpus to an odd number
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 148/476] jfs: fix uaf in jfs_evict_inode Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 150/476] crypto: octeontx2 - Fix cptvf driver cleanup Greg Kroah-Hartman
` (336 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weichen Chen, Matthias Brugger,
Guilherme G. Piccoli, Kees Cook, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weichen Chen <weichen.chen@mediatek.com>
[ Upstream commit d49270a04623ce3c0afddbf3e984cb245aa48e9c ]
When the number of cpu cores is adjusted to 7 or other odd numbers,
the zone size will become an odd number.
The address of the zone will become:
addr of zone0 = BASE
addr of zone1 = BASE + zone_size
addr of zone2 = BASE + zone_size*2
...
The address of zone1/3/5/7 will be mapped to non-alignment va.
Eventually crashes will occur when accessing these va.
So, use ALIGN_DOWN() to make sure the zone size is even
to avoid this bug.
Signed-off-by: Weichen Chen <weichen.chen@mediatek.com>
Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
Tested-by: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
Link: https://lore.kernel.org/r/20230224023632.6840-1-weichen.chen@mediatek.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pstore/ram.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
index f3fa3625d772..e15b4631364a 100644
--- a/fs/pstore/ram.c
+++ b/fs/pstore/ram.c
@@ -519,6 +519,7 @@ static int ramoops_init_przs(const char *name,
}
zone_sz = mem_sz / *cnt;
+ zone_sz = ALIGN_DOWN(zone_sz, 2);
if (!zone_sz) {
dev_err(dev, "%s zone size == 0\n", name);
goto fail;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 150/476] crypto: octeontx2 - Fix cptvf driver cleanup
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 149/476] pstore/ram: Fix crash when setting number of cpus to an odd number Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 151/476] crypto: stm32/crc32 - fix parsing list of devices Greg Kroah-Hartman
` (335 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharat Bhushan, Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharat Bhushan <bbhushan2@marvell.com>
[ Upstream commit c480a421a4faf693c38e60b0fe6e554c9a3fee02 ]
This patch fixes following cleanup issues:
- Missing instruction queue free on cleanup. This
will lead to memory leak.
- lfs->lfs_num is set to zero before cleanup, which
will lead to improper cleanup.
Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/marvell/octeontx2/otx2_cptlf.c | 6 ++++--
drivers/crypto/marvell/octeontx2/otx2_cptvf_main.c | 3 +++
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptlf.c b/drivers/crypto/marvell/octeontx2/otx2_cptlf.c
index c8350fcd60fa..dc0c25f0a11a 100644
--- a/drivers/crypto/marvell/octeontx2/otx2_cptlf.c
+++ b/drivers/crypto/marvell/octeontx2/otx2_cptlf.c
@@ -414,8 +414,8 @@ int otx2_cptlf_init(struct otx2_cptlfs_info *lfs, u8 eng_grp_mask, int pri,
return 0;
free_iq:
- otx2_cpt_free_instruction_queues(lfs);
cptlf_hw_cleanup(lfs);
+ otx2_cpt_free_instruction_queues(lfs);
detach_rsrcs:
otx2_cpt_detach_rsrcs_msg(lfs);
clear_lfs_num:
@@ -425,9 +425,11 @@ int otx2_cptlf_init(struct otx2_cptlfs_info *lfs, u8 eng_grp_mask, int pri,
void otx2_cptlf_shutdown(struct otx2_cptlfs_info *lfs)
{
- lfs->lfs_num = 0;
/* Cleanup LFs hardware side */
cptlf_hw_cleanup(lfs);
+ /* Free instruction queues */
+ otx2_cpt_free_instruction_queues(lfs);
/* Send request to detach LFs */
otx2_cpt_detach_rsrcs_msg(lfs);
+ lfs->lfs_num = 0;
}
diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptvf_main.c b/drivers/crypto/marvell/octeontx2/otx2_cptvf_main.c
index 3411e664cf50..73de61ebbbcf 100644
--- a/drivers/crypto/marvell/octeontx2/otx2_cptvf_main.c
+++ b/drivers/crypto/marvell/octeontx2/otx2_cptvf_main.c
@@ -249,8 +249,11 @@ static void cptvf_lf_shutdown(struct otx2_cptlfs_info *lfs)
otx2_cptlf_unregister_interrupts(lfs);
/* Cleanup LFs software side */
lf_sw_cleanup(lfs);
+ /* Free instruction queues */
+ otx2_cpt_free_instruction_queues(lfs);
/* Send request to detach LFs */
otx2_cpt_detach_rsrcs_msg(lfs);
+ lfs->lfs_num = 0;
}
static int cptvf_lf_init(struct otx2_cptvf_dev *cptvf)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 151/476] crypto: stm32/crc32 - fix parsing list of devices
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 150/476] crypto: octeontx2 - Fix cptvf driver cleanup Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 152/476] afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu() Greg Kroah-Hartman
` (334 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Thomas Bourgoin, Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
[ Upstream commit 0eaef675b94c746900dcea7f6c41b9a103ed5d53 ]
smatch warnings:
drivers/crypto/stm32/stm32-crc32.c:108 stm32_crc_get_next_crc() warn:
can 'crc' even be NULL?
Use list_first_entry_or_null instead of list_first_entry to retrieve
the first device registered.
The function list_first_entry always return a non NULL pointer even if
the list is empty. Hence checking if the pointer returned is NULL does
not tell if the list is empty or not.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/r/202311281111.ou2oUL2i-lkp@intel.com/
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202311281111.ou2oUL2i-lkp@intel.com/
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/stm32/stm32-crc32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/stm32/stm32-crc32.c b/drivers/crypto/stm32/stm32-crc32.c
index 90a920e7f664..c439be1650c8 100644
--- a/drivers/crypto/stm32/stm32-crc32.c
+++ b/drivers/crypto/stm32/stm32-crc32.c
@@ -104,7 +104,7 @@ static struct stm32_crc *stm32_crc_get_next_crc(void)
struct stm32_crc *crc;
spin_lock_bh(&crc_list.lock);
- crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
+ crc = list_first_entry_or_null(&crc_list.dev_list, struct stm32_crc, list);
if (crc)
list_move_tail(&crc->list, &crc_list.dev_list);
spin_unlock_bh(&crc_list.lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 152/476] afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 151/476] crypto: stm32/crc32 - fix parsing list of devices Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 153/476] afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() Greg Kroah-Hartman
` (333 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleg Nesterov, David Howells,
Marc Dionne, linux-afs, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit 4121b4337146b64560d1e46ebec77196d9287802 ]
David Howells says:
(2) afs_lookup_volume_rcu().
There can be a lot of volumes known by a system. A thousand would
require a 10-step walk and this is drivable by remote operation, so I
think this should probably take a lock on the second pass too.
Make the "seq" counter odd on the 2nd pass, otherwise read_seqbegin_or_lock()
never takes the lock.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Link: https://lore.kernel.org/r/20231130115606.GA21571@redhat.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/callback.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/afs/callback.c b/fs/afs/callback.c
index 1b4d5809808d..e0f5dcffe4e3 100644
--- a/fs/afs/callback.c
+++ b/fs/afs/callback.c
@@ -110,13 +110,14 @@ static struct afs_volume *afs_lookup_volume_rcu(struct afs_cell *cell,
{
struct afs_volume *volume = NULL;
struct rb_node *p;
- int seq = 0;
+ int seq = 1;
do {
/* Unfortunately, rbtree walking doesn't give reliable results
* under just the RCU read lock, so we have to check for
* changes.
*/
+ seq++; /* 2 on the 1st/lockless path, otherwise odd */
read_seqbegin_or_lock(&cell->volume_lock, &seq);
p = rcu_dereference_raw(cell->volumes.rb_node);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 153/476] afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 152/476] afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 154/476] rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() Greg Kroah-Hartman
` (332 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleg Nesterov, David Howells,
Marc Dionne, linux-afs, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit 1702e0654ca9a7bcd7c7619c8a5004db58945b71 ]
David Howells says:
(5) afs_find_server().
There could be a lot of servers in the list and each server can have
multiple addresses, so I think this would be better with an exclusive
second pass.
The server list isn't likely to change all that often, but when it does
change, there's a good chance several servers are going to be
added/removed one after the other. Further, this is only going to be
used for incoming cache management/callback requests from the server,
which hopefully aren't going to happen too often - but it is remotely
drivable.
(6) afs_find_server_by_uuid().
Similarly to (5), there could be a lot of servers to search through, but
they are in a tree not a flat list, so it should be faster to process.
Again, it's not likely to change that often and, again, when it does
change it's likely to involve multiple changes. This can be driven
remotely by an incoming cache management request but is mostly going to
be driven by setting up or reconfiguring a volume's server list -
something that also isn't likely to happen often.
Make the "seq" counter odd on the 2nd pass, otherwise read_seqbegin_or_lock()
never takes the lock.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Link: https://lore.kernel.org/r/20231130115614.GA21581@redhat.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/server.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/afs/server.c b/fs/afs/server.c
index ffed828622b6..34b47218129e 100644
--- a/fs/afs/server.c
+++ b/fs/afs/server.c
@@ -27,7 +27,7 @@ struct afs_server *afs_find_server(struct afs_net *net,
const struct afs_addr_list *alist;
struct afs_server *server = NULL;
unsigned int i;
- int seq = 0, diff;
+ int seq = 1, diff;
rcu_read_lock();
@@ -35,6 +35,7 @@ struct afs_server *afs_find_server(struct afs_net *net,
if (server)
afs_unuse_server_notime(net, server, afs_server_trace_put_find_rsq);
server = NULL;
+ seq++; /* 2 on the 1st/lockless path, otherwise odd */
read_seqbegin_or_lock(&net->fs_addr_lock, &seq);
if (srx->transport.family == AF_INET6) {
@@ -90,7 +91,7 @@ struct afs_server *afs_find_server_by_uuid(struct afs_net *net, const uuid_t *uu
{
struct afs_server *server = NULL;
struct rb_node *p;
- int diff, seq = 0;
+ int diff, seq = 1;
_enter("%pU", uuid);
@@ -102,7 +103,7 @@ struct afs_server *afs_find_server_by_uuid(struct afs_net *net, const uuid_t *uu
if (server)
afs_unuse_server(net, server, afs_server_trace_put_uuid_rsq);
server = NULL;
-
+ seq++; /* 2 on the 1st/lockless path, otherwise odd */
read_seqbegin_or_lock(&net->fs_lock, &seq);
p = net->fs_servers.rb_node;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 154/476] rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 153/476] afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 155/476] jfs: fix array-index-out-of-bounds in diNewExt Greg Kroah-Hartman
` (331 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleg Nesterov, David Howells,
Marc Dionne, linux-afs, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit bad1a11c0f061aa073bab785389fe04f19ba02e1 ]
rxrpc_find_service_conn_rcu() should make the "seq" counter odd on the
second pass, otherwise read_seqbegin_or_lock() never takes the lock.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Link: https://lore.kernel.org/r/20231117164846.GA10410@redhat.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rxrpc/conn_service.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/rxrpc/conn_service.c b/net/rxrpc/conn_service.c
index 6e6aa02c6f9e..249353417a18 100644
--- a/net/rxrpc/conn_service.c
+++ b/net/rxrpc/conn_service.c
@@ -31,7 +31,7 @@ struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *peer,
struct rxrpc_conn_proto k;
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
struct rb_node *p;
- unsigned int seq = 0;
+ unsigned int seq = 1;
k.epoch = sp->hdr.epoch;
k.cid = sp->hdr.cid & RXRPC_CIDMASK;
@@ -41,6 +41,7 @@ struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *peer,
* under just the RCU read lock, so we have to check for
* changes.
*/
+ seq++; /* 2 on the 1st/lockless path, otherwise odd */
read_seqbegin_or_lock(&peer->service_conn_lock, &seq);
p = rcu_dereference_raw(peer->service_conns.rb_node);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 155/476] jfs: fix array-index-out-of-bounds in diNewExt
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 154/476] rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 156/476] arch: consolidate arch_irq_work_raise prototypes Greg Kroah-Hartman
` (330 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis, Dave Kleikamp,
Sasha Levin, syzbot+553d90297e6d2f50dbc7
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 49f9637aafa6e63ba686c13cb8549bf5e6920402 ]
[Syz report]
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2
index -878706688 is out of range for type 'struct iagctl[128]'
CPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360
diAllocExt fs/jfs/jfs_imap.c:1949 [inline]
diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666
diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587
ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225
vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106
do_mkdirat+0x264/0x3a0 fs/namei.c:4129
__do_sys_mkdir fs/namei.c:4149 [inline]
__se_sys_mkdir fs/namei.c:4147 [inline]
__x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fcb7e6a0b57
Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57
RDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140
RBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[Analysis]
When the agstart is too large, it can cause agno overflow.
[Fix]
After obtaining agno, if the value is invalid, exit the subsequent process.
Reported-and-tested-by: syzbot+553d90297e6d2f50dbc7@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Modified the test from agno > MAXAG to agno >= MAXAG based on linux-next
report by kernel test robot (Dan Carpenter).
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_imap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 6ed2e1d4c894..ac42f8ee553f 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -2179,6 +2179,9 @@ static int diNewExt(struct inomap * imap, struct iag * iagp, int extno)
/* get the ag and iag numbers for this iag.
*/
agno = BLKTOAG(le64_to_cpu(iagp->agstart), sbi);
+ if (agno >= MAXAG || agno < 0)
+ return -EIO;
+
iagno = le32_to_cpu(iagp->iagnum);
/* check if this is the last free extent within the
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 156/476] arch: consolidate arch_irq_work_raise prototypes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 155/476] jfs: fix array-index-out-of-bounds in diNewExt Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 157/476] s390/ptrace: handle setting of fpc register correctly Greg Kroah-Hartman
` (329 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Gordeev, Catalin Marinas,
Palmer Dabbelt, Guo Ren, Arnd Bergmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 64bac5ea17d527872121adddfee869c7a0618f8f ]
The prototype was hidden in an #ifdef on x86, which causes a warning:
kernel/irq_work.c:72:13: error: no previous prototype for 'arch_irq_work_raise' [-Werror=missing-prototypes]
Some architectures have a working prototype, while others don't.
Fix this by providing it in only one place that is always visible.
Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Palmer Dabbelt <palmer@rivosinc.com>
Acked-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/irq_work.h | 2 --
arch/csky/include/asm/irq_work.h | 2 +-
arch/powerpc/include/asm/irq_work.h | 1 -
arch/riscv/include/asm/irq_work.h | 2 +-
arch/s390/include/asm/irq_work.h | 2 --
arch/x86/include/asm/irq_work.h | 1 -
include/linux/irq_work.h | 3 +++
7 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/irq_work.h b/arch/arm64/include/asm/irq_work.h
index 81bbfa3a035b..a1020285ea75 100644
--- a/arch/arm64/include/asm/irq_work.h
+++ b/arch/arm64/include/asm/irq_work.h
@@ -2,8 +2,6 @@
#ifndef __ASM_IRQ_WORK_H
#define __ASM_IRQ_WORK_H
-extern void arch_irq_work_raise(void);
-
static inline bool arch_irq_work_has_interrupt(void)
{
return true;
diff --git a/arch/csky/include/asm/irq_work.h b/arch/csky/include/asm/irq_work.h
index 33aaf39d6f94..d39fcc1f5395 100644
--- a/arch/csky/include/asm/irq_work.h
+++ b/arch/csky/include/asm/irq_work.h
@@ -7,5 +7,5 @@ static inline bool arch_irq_work_has_interrupt(void)
{
return true;
}
-extern void arch_irq_work_raise(void);
+
#endif /* __ASM_CSKY_IRQ_WORK_H */
diff --git a/arch/powerpc/include/asm/irq_work.h b/arch/powerpc/include/asm/irq_work.h
index b8b0be8f1a07..c6d3078bd8c3 100644
--- a/arch/powerpc/include/asm/irq_work.h
+++ b/arch/powerpc/include/asm/irq_work.h
@@ -6,6 +6,5 @@ static inline bool arch_irq_work_has_interrupt(void)
{
return true;
}
-extern void arch_irq_work_raise(void);
#endif /* _ASM_POWERPC_IRQ_WORK_H */
diff --git a/arch/riscv/include/asm/irq_work.h b/arch/riscv/include/asm/irq_work.h
index b53891964ae0..b27a4d64fc6a 100644
--- a/arch/riscv/include/asm/irq_work.h
+++ b/arch/riscv/include/asm/irq_work.h
@@ -6,5 +6,5 @@ static inline bool arch_irq_work_has_interrupt(void)
{
return IS_ENABLED(CONFIG_SMP);
}
-extern void arch_irq_work_raise(void);
+
#endif /* _ASM_RISCV_IRQ_WORK_H */
diff --git a/arch/s390/include/asm/irq_work.h b/arch/s390/include/asm/irq_work.h
index 603783766d0a..f00c9f610d5a 100644
--- a/arch/s390/include/asm/irq_work.h
+++ b/arch/s390/include/asm/irq_work.h
@@ -7,6 +7,4 @@ static inline bool arch_irq_work_has_interrupt(void)
return true;
}
-void arch_irq_work_raise(void);
-
#endif /* _ASM_S390_IRQ_WORK_H */
diff --git a/arch/x86/include/asm/irq_work.h b/arch/x86/include/asm/irq_work.h
index 800ffce0db29..6b4d36c95165 100644
--- a/arch/x86/include/asm/irq_work.h
+++ b/arch/x86/include/asm/irq_work.h
@@ -9,7 +9,6 @@ static inline bool arch_irq_work_has_interrupt(void)
{
return boot_cpu_has(X86_FEATURE_APIC);
}
-extern void arch_irq_work_raise(void);
#else
static inline bool arch_irq_work_has_interrupt(void)
{
diff --git a/include/linux/irq_work.h b/include/linux/irq_work.h
index ec2a47a81e42..ee5f9120c4d7 100644
--- a/include/linux/irq_work.h
+++ b/include/linux/irq_work.h
@@ -58,6 +58,9 @@ void irq_work_sync(struct irq_work *work);
void irq_work_run(void);
bool irq_work_needs_cpu(void);
void irq_work_single(void *arg);
+
+void arch_irq_work_raise(void);
+
#else
static inline bool irq_work_needs_cpu(void) { return false; }
static inline void irq_work_run(void) { }
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 157/476] s390/ptrace: handle setting of fpc register correctly
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 156/476] arch: consolidate arch_irq_work_raise prototypes Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 158/476] KVM: s390: fix setting of fpc register Greg Kroah-Hartman
` (328 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Claudio Imbrenda, Heiko Carstens,
Alexander Gordeev, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit 8b13601d19c541158a6e18b278c00ba69ae37829 ]
If the content of the floating point control (fpc) register of a traced
process is modified with the ptrace interface the new value is tested for
validity by temporarily loading it into the fpc register.
This may lead to corruption of the fpc register of the tracing process:
if an interrupt happens while the value is temporarily loaded into the
fpc register, and within interrupt context floating point or vector
registers are used, the current fp/vx registers are saved with
save_fpu_regs() assuming they belong to user space and will be loaded into
fp/vx registers when returning to user space.
test_fp_ctl() restores the original user space fpc register value, however
it will be discarded, when returning to user space.
In result the tracer will incorrectly continue to run with the value that
was supposed to be used for the traced process.
Fix this by saving fpu register contents with save_fpu_regs() before using
test_fp_ctl().
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/ptrace.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
index 516c21baf3ad..014ed5b27027 100644
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -392,6 +392,7 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
/*
* floating point control reg. is in the thread structure
*/
+ save_fpu_regs();
if ((unsigned int) data != 0 ||
test_fp_ctl(data >> (BITS_PER_LONG - 32)))
return -EINVAL;
@@ -754,6 +755,7 @@ static int __poke_user_compat(struct task_struct *child,
/*
* floating point control reg. is in the thread structure
*/
+ save_fpu_regs();
if (test_fp_ctl(tmp))
return -EINVAL;
child->thread.fpu.fpc = data;
@@ -917,9 +919,7 @@ static int s390_fpregs_set(struct task_struct *target,
int rc = 0;
freg_t fprs[__NUM_FPRS];
- if (target == current)
- save_fpu_regs();
-
+ save_fpu_regs();
if (MACHINE_HAS_VX)
convert_vx_to_fp(fprs, target->thread.fpu.vxrs);
else
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 158/476] KVM: s390: fix setting of fpc register
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 157/476] s390/ptrace: handle setting of fpc register correctly Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 159/476] SUNRPC: Fix a suspicious RCU usage warning Greg Kroah-Hartman
` (327 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Borntraeger,
Claudio Imbrenda, Heiko Carstens, Alexander Gordeev, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit b988b1bb0053c0dcd26187d29ef07566a565cf55 ]
kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control
(fpc) register of a guest cpu. The new value is tested for validity by
temporarily loading it into the fpc register.
This may lead to corruption of the fpc register of the host process:
if an interrupt happens while the value is temporarily loaded into the fpc
register, and within interrupt context floating point or vector registers
are used, the current fp/vx registers are saved with save_fpu_regs()
assuming they belong to user space and will be loaded into fp/vx registers
when returning to user space.
test_fp_ctl() restores the original user space / host process fpc register
value, however it will be discarded, when returning to user space.
In result the host process will incorrectly continue to run with the value
that was supposed to be used for a guest cpu.
Fix this by simply removing the test. There is another test right before
the SIE context is entered which will handles invalid values.
This results in a change of behaviour: invalid values will now be accepted
instead of that the ioctl fails with -EINVAL. This seems to be acceptable,
given that this interface is most likely not used anymore, and this is in
addition the same behaviour implemented with the memory mapped interface
(replace invalid values with zero) - see sync_regs() in kvm-s390.c.
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kvm/kvm-s390.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index eb97db59b236..5526f782249c 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -3700,10 +3700,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
vcpu_load(vcpu);
- if (test_fp_ctl(fpu->fpc)) {
- ret = -EINVAL;
- goto out;
- }
vcpu->run->s.regs.fpc = fpu->fpc;
if (MACHINE_HAS_VX)
convert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs,
@@ -3711,7 +3707,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
else
memcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs));
-out:
vcpu_put(vcpu);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 159/476] SUNRPC: Fix a suspicious RCU usage warning
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 158/476] KVM: s390: fix setting of fpc register Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 160/476] ecryptfs: Reject casefold directory inodes Greg Kroah-Hartman
` (326 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Layton, Anna Schumaker, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anna Schumaker <Anna.Schumaker@Netapp.com>
[ Upstream commit 31b62908693c90d4d07db597e685d9f25a120073 ]
I received the following warning while running cthon against an ontap
server running pNFS:
[ 57.202521] =============================
[ 57.202522] WARNING: suspicious RCU usage
[ 57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted
[ 57.202525] -----------------------------
[ 57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!
[ 57.202527]
other info that might help us debug this:
[ 57.202528]
rcu_scheduler_active = 2, debug_locks = 1
[ 57.202529] no locks held by test5/3567.
[ 57.202530]
stack backtrace:
[ 57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e
[ 57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022
[ 57.202536] Call Trace:
[ 57.202537] <TASK>
[ 57.202540] dump_stack_lvl+0x77/0xb0
[ 57.202551] lockdep_rcu_suspicious+0x154/0x1a0
[ 57.202556] rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202596] rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202621] ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202646] rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202671] ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202696] nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
[ 57.202728] ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
[ 57.202754] nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]
[ 57.202760] filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]
[ 57.202765] pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
[ 57.202788] __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202813] nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202831] nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202849] nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202866] write_cache_pages+0x265/0x450
[ 57.202870] ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202891] nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202913] do_writepages+0xd2/0x230
[ 57.202917] ? filemap_fdatawrite_wbc+0x5c/0x80
[ 57.202921] filemap_fdatawrite_wbc+0x67/0x80
[ 57.202924] filemap_write_and_wait_range+0xd9/0x170
[ 57.202930] nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202947] nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
[ 57.202969] __se_sys_close+0x46/0xd0
[ 57.202972] do_syscall_64+0x68/0x100
[ 57.202975] ? do_syscall_64+0x77/0x100
[ 57.202976] ? do_syscall_64+0x77/0x100
[ 57.202979] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 57.202982] RIP: 0033:0x7fe2b12e4a94
[ 57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3
[ 57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94
[ 57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003
[ 57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49
[ 57.202993] R10: 00007fe2b11f8300 R11: 0000000000000202 R12: 0000000000000000
[ 57.202994] R13: 00007ffe857dfd80 R14: 00007fe2b1445000 R15: 0000000000000000
[ 57.202999] </TASK>
The problem seems to be that two out of three callers aren't taking the
rcu_read_lock() before calling the list_for_each_entry_rcu() function in
rpc_xprt_switch_has_addr(). I fix this by having
rpc_xprt_switch_has_addr() unconditionaly take the rcu_read_lock(),
which is okay to do recursively in the case that the lock has already
been taken by a caller.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtmultipath.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/net/sunrpc/xprtmultipath.c b/net/sunrpc/xprtmultipath.c
index 1693f81aae37..e5c67506334e 100644
--- a/net/sunrpc/xprtmultipath.c
+++ b/net/sunrpc/xprtmultipath.c
@@ -288,8 +288,9 @@ struct rpc_xprt *xprt_iter_current_entry(struct rpc_xprt_iter *xpi)
return xprt_switch_find_current_entry(head, xpi->xpi_cursor);
}
-bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps,
- const struct sockaddr *sap)
+static
+bool __rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps,
+ const struct sockaddr *sap)
{
struct list_head *head;
struct rpc_xprt *pos;
@@ -308,6 +309,18 @@ bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps,
return false;
}
+bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps,
+ const struct sockaddr *sap)
+{
+ bool res;
+
+ rcu_read_lock();
+ res = __rpc_xprt_switch_has_addr(xps, sap);
+ rcu_read_unlock();
+
+ return res;
+}
+
static
struct rpc_xprt *xprt_switch_find_next_entry(struct list_head *head,
const struct rpc_xprt *cur)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 160/476] ecryptfs: Reject casefold directory inodes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 159/476] SUNRPC: Fix a suspicious RCU usage warning Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 161/476] ext4: fix inconsistent between segment fstrim and full fstrim Greg Kroah-Hartman
` (325 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriel Krisman Bertazi,
Eric Biggers, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel Krisman Bertazi <krisman@suse.de>
[ Upstream commit cd72c7ef5fed44272272a105b1da22810c91be69 ]
Even though it seems to be able to resolve some names of
case-insensitive directories, the lack of d_hash and d_compare means we
end up with a broken state in the d_cache. Considering it was never a
goal to support these two together, and we are preparing to use
d_revalidate in case-insensitive filesystems, which would make the
combination even more broken, reject any attempt to get a casefolded
inode from ecryptfs.
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ecryptfs/inode.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index 16d50dface59..bea4c2b0cd6b 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -76,6 +76,14 @@ static struct inode *__ecryptfs_get_inode(struct inode *lower_inode,
if (lower_inode->i_sb != ecryptfs_superblock_to_lower(sb))
return ERR_PTR(-EXDEV);
+
+ /* Reject dealing with casefold directories. */
+ if (IS_CASEFOLDED(lower_inode)) {
+ pr_err_ratelimited("%s: Can't handle casefolded directory.\n",
+ __func__);
+ return ERR_PTR(-EREMOTE);
+ }
+
if (!igrab(lower_inode))
return ERR_PTR(-ESTALE);
inode = iget5_locked(sb, (unsigned long)lower_inode,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 161/476] ext4: fix inconsistent between segment fstrim and full fstrim
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 160/476] ecryptfs: Reject casefold directory inodes Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 162/476] ext4: unify the type of flexbg_size to unsigned int Greg Kroah-Hartman
` (324 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 68da4c44b994aea797eb9821acb3a4a36015293e ]
Suppose we issue two FITRIM ioctls for ranges [0,15] and [16,31] with
mininum length of trimmed range set to 8 blocks. If we have say a range of
blocks 10-22 free, this range will not be trimmed because it straddles the
boundary of the two FITRIM ranges and neither part is big enough. This is a
bit surprising to some users that call FITRIM on smaller ranges of blocks
to limit impact on the system. Also XFS trims all free space extents that
overlap with the specified range so we are inconsistent among filesystems.
Let's change ext4_try_to_trim_range() to consider for trimming the whole
free space extent that straddles the end of specified range, not just the
part of it within the range.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20231216010919.1995851-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index a82ebc746cc4..762c2f8b5b2a 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -6457,13 +6457,15 @@ static int ext4_try_to_trim_range(struct super_block *sb,
__acquires(ext4_group_lock_ptr(sb, e4b->bd_group))
__releases(ext4_group_lock_ptr(sb, e4b->bd_group))
{
- ext4_grpblk_t next, count, free_count;
+ ext4_grpblk_t next, count, free_count, last, origin_start;
bool set_trimmed = false;
void *bitmap;
+ last = ext4_last_grp_cluster(sb, e4b->bd_group);
bitmap = e4b->bd_bitmap;
- if (start == 0 && max >= ext4_last_grp_cluster(sb, e4b->bd_group))
+ if (start == 0 && max >= last)
set_trimmed = true;
+ origin_start = start;
start = max(e4b->bd_info->bb_first_free, start);
count = 0;
free_count = 0;
@@ -6472,7 +6474,10 @@ __releases(ext4_group_lock_ptr(sb, e4b->bd_group))
start = mb_find_next_zero_bit(bitmap, max + 1, start);
if (start > max)
break;
- next = mb_find_next_bit(bitmap, max + 1, start);
+
+ next = mb_find_next_bit(bitmap, last + 1, start);
+ if (origin_start == 0 && next >= last)
+ set_trimmed = true;
if ((next - start) >= minblocks) {
int ret = ext4_trim_extent(sb, start, next - start, e4b);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 162/476] ext4: unify the type of flexbg_size to unsigned int
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 161/476] ext4: fix inconsistent between segment fstrim and full fstrim Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 163/476] ext4: remove unnecessary check from alloc_flex_gd() Greg Kroah-Hartman
` (323 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 658a52344fb139f9531e7543a6e0015b630feb38 ]
The maximum value of flexbg_size is 2^31, but the maximum value of int
is (2^31 - 1), so overflow may occur when the type of flexbg_size is
declared as int.
For example, when uninit_mask is initialized in ext4_alloc_group_tables(),
if flexbg_size == 2^31, the initialized uninit_mask is incorrect, and this
may causes set_flexbg_block_bitmap() to trigger a BUG_ON().
Therefore, the flexbg_size type is declared as unsigned int to avoid
overflow and memory waste.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20231023013057.2117948-2-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/resize.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index d0c41343a5c4..492683235423 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -237,7 +237,7 @@ struct ext4_new_flex_group_data {
*
* Returns NULL on failure otherwise address of the allocated structure.
*/
-static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size)
+static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size)
{
struct ext4_new_flex_group_data *flex_gd;
@@ -292,7 +292,7 @@ static void free_flex_gd(struct ext4_new_flex_group_data *flex_gd)
*/
static int ext4_alloc_group_tables(struct super_block *sb,
struct ext4_new_flex_group_data *flex_gd,
- int flexbg_size)
+ unsigned int flexbg_size)
{
struct ext4_new_group_data *group_data = flex_gd->groups;
ext4_fsblk_t start_blk;
@@ -393,12 +393,12 @@ static int ext4_alloc_group_tables(struct super_block *sb,
group = group_data[0].group;
printk(KERN_DEBUG "EXT4-fs: adding a flex group with "
- "%d groups, flexbg size is %d:\n", flex_gd->count,
+ "%u groups, flexbg size is %u:\n", flex_gd->count,
flexbg_size);
for (i = 0; i < flex_gd->count; i++) {
ext4_debug(
- "adding %s group %u: %u blocks (%d free, %d mdata blocks)\n",
+ "adding %s group %u: %u blocks (%u free, %u mdata blocks)\n",
ext4_bg_has_super(sb, group + i) ? "normal" :
"no-super", group + i,
group_data[i].blocks_count,
@@ -1577,7 +1577,7 @@ static int ext4_flex_group_add(struct super_block *sb,
static int ext4_setup_next_flex_gd(struct super_block *sb,
struct ext4_new_flex_group_data *flex_gd,
ext4_fsblk_t n_blocks_count,
- unsigned long flexbg_size)
+ unsigned int flexbg_size)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_super_block *es = sbi->s_es;
@@ -1963,8 +1963,9 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
ext4_fsblk_t o_blocks_count;
ext4_fsblk_t n_blocks_count_retry = 0;
unsigned long last_update_time = 0;
- int err = 0, flexbg_size = 1 << sbi->s_log_groups_per_flex;
+ int err = 0;
int meta_bg;
+ unsigned int flexbg_size = ext4_flex_bg_size(sbi);
/* See if the device is actually as big as what was requested */
bh = ext4_sb_bread(sb, n_blocks_count - 1, 0);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 163/476] ext4: remove unnecessary check from alloc_flex_gd()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 162/476] ext4: unify the type of flexbg_size to unsigned int Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 164/476] ext4: avoid online resizing failures due to oversized flex bg Greg Kroah-Hartman
` (322 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit b099eb87de105cf07cad731ded6fb40b2675108b ]
In commit 967ac8af4475 ("ext4: fix potential integer overflow in
alloc_flex_gd()"), an overflow check is added to alloc_flex_gd() to
prevent the allocated memory from being smaller than expected due to
the overflow. However, after kmalloc() is replaced with kmalloc_array()
in commit 6da2ec56059c ("treewide: kmalloc() -> kmalloc_array()"), the
kmalloc_array() function has an overflow check, so the above problem
will not occur. Therefore, the extra check is removed.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20231023013057.2117948-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/resize.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index 492683235423..6dcf7406b77e 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -245,10 +245,7 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size)
if (flex_gd == NULL)
goto out3;
- if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data))
- goto out2;
flex_gd->count = flexbg_size;
-
flex_gd->groups = kmalloc_array(flexbg_size,
sizeof(struct ext4_new_group_data),
GFP_NOFS);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 164/476] ext4: avoid online resizing failures due to oversized flex bg
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 163/476] ext4: remove unnecessary check from alloc_flex_gd() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 165/476] wifi: rt2x00: restart beacon queue when hardware reset Greg Kroah-Hartman
` (321 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 5d1935ac02ca5aee364a449a35e2977ea84509b0 ]
When we online resize an ext4 filesystem with a oversized flexbg_size,
mkfs.ext4 -F -G 67108864 $dev -b 4096 100M
mount $dev $dir
resize2fs $dev 16G
the following WARN_ON is triggered:
==================================================================
WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550
Modules linked in: sg(E)
CPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314
RIP: 0010:__alloc_pages+0x411/0x550
Call Trace:
<TASK>
__kmalloc_large_node+0xa2/0x200
__kmalloc+0x16e/0x290
ext4_resize_fs+0x481/0xd80
__ext4_ioctl+0x1616/0x1d90
ext4_ioctl+0x12/0x20
__x64_sys_ioctl+0xf0/0x150
do_syscall_64+0x3b/0x90
==================================================================
This is because flexbg_size is too large and the size of the new_group_data
array to be allocated exceeds MAX_ORDER. Currently, the minimum value of
MAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding
maximum number of groups that can be allocated is:
(PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845
And the value that is down-aligned to the power of 2 is 16384. Therefore,
this value is defined as MAX_RESIZE_BG, and the number of groups added
each time does not exceed this value during resizing, and is added multiple
times to complete the online resizing. The difference is that the metadata
in a flex_bg may be more dispersed.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20231023013057.2117948-4-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/resize.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index 6dcf7406b77e..70d4f6e3aaa7 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -227,10 +227,17 @@ struct ext4_new_flex_group_data {
in the flex group */
__u16 *bg_flags; /* block group flags of groups
in @groups */
+ ext4_group_t resize_bg; /* number of allocated
+ new_group_data */
ext4_group_t count; /* number of groups in @groups
*/
};
+/*
+ * Avoiding memory allocation failures due to too many groups added each time.
+ */
+#define MAX_RESIZE_BG 16384
+
/*
* alloc_flex_gd() allocates a ext4_new_flex_group_data with size of
* @flexbg_size.
@@ -245,14 +252,18 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size)
if (flex_gd == NULL)
goto out3;
- flex_gd->count = flexbg_size;
- flex_gd->groups = kmalloc_array(flexbg_size,
+ if (unlikely(flexbg_size > MAX_RESIZE_BG))
+ flex_gd->resize_bg = MAX_RESIZE_BG;
+ else
+ flex_gd->resize_bg = flexbg_size;
+
+ flex_gd->groups = kmalloc_array(flex_gd->resize_bg,
sizeof(struct ext4_new_group_data),
GFP_NOFS);
if (flex_gd->groups == NULL)
goto out2;
- flex_gd->bg_flags = kmalloc_array(flexbg_size, sizeof(__u16),
+ flex_gd->bg_flags = kmalloc_array(flex_gd->resize_bg, sizeof(__u16),
GFP_NOFS);
if (flex_gd->bg_flags == NULL)
goto out1;
@@ -1573,8 +1584,7 @@ static int ext4_flex_group_add(struct super_block *sb,
static int ext4_setup_next_flex_gd(struct super_block *sb,
struct ext4_new_flex_group_data *flex_gd,
- ext4_fsblk_t n_blocks_count,
- unsigned int flexbg_size)
+ ext4_fsblk_t n_blocks_count)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_super_block *es = sbi->s_es;
@@ -1598,7 +1608,7 @@ static int ext4_setup_next_flex_gd(struct super_block *sb,
BUG_ON(last);
ext4_get_group_no_and_offset(sb, n_blocks_count - 1, &n_group, &last);
- last_group = group | (flexbg_size - 1);
+ last_group = group | (flex_gd->resize_bg - 1);
if (last_group > n_group)
last_group = n_group;
@@ -2103,8 +2113,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
/* Add flex groups. Note that a regular group is a
* flex group with 1 group.
*/
- while (ext4_setup_next_flex_gd(sb, flex_gd, n_blocks_count,
- flexbg_size)) {
+ while (ext4_setup_next_flex_gd(sb, flex_gd, n_blocks_count)) {
if (jiffies - last_update_time > HZ * 10) {
if (last_update_time)
ext4_msg(sb, KERN_INFO,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 165/476] wifi: rt2x00: restart beacon queue when hardware reset
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 164/476] ext4: avoid online resizing failures due to oversized flex bg Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 166/476] selftests/bpf: satisfy compiler by having explicit return in btf test Greg Kroah-Hartman
` (320 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Stanislaw Gruszka,
Kalle Valo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiji Yang <yangshiji66@outlook.com>
[ Upstream commit a11d965a218f0cd95b13fe44d0bcd8a20ce134a8 ]
When a hardware reset is triggered, all registers are reset, so all
queues are forced to stop in hardware interface. However, mac80211
will not automatically stop the queue. If we don't manually stop the
beacon queue, the queue will be deadlocked and unable to start again.
This patch fixes the issue where Apple devices cannot connect to the
AP after calling ieee80211_restart_hw().
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/TYAP286MB031530EB6D98DCE4DF20766CBCA4A@TYAP286MB0315.JPNP286.PROD.OUTLOOK.COM
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 3 +++
drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 11 +++++++++++
2 files changed, 14 insertions(+)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
index 388675d073ce..10ae5e313dda 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
@@ -101,6 +101,7 @@ void rt2x00lib_disable_radio(struct rt2x00_dev *rt2x00dev)
rt2x00link_stop_tuner(rt2x00dev);
rt2x00queue_stop_queues(rt2x00dev);
rt2x00queue_flush_queues(rt2x00dev, true);
+ rt2x00queue_stop_queue(rt2x00dev->bcn);
/*
* Disable radio.
@@ -1268,6 +1269,7 @@ int rt2x00lib_start(struct rt2x00_dev *rt2x00dev)
rt2x00dev->intf_ap_count = 0;
rt2x00dev->intf_sta_count = 0;
rt2x00dev->intf_associated = 0;
+ rt2x00dev->intf_beaconing = 0;
/* Enable the radio */
retval = rt2x00lib_enable_radio(rt2x00dev);
@@ -1294,6 +1296,7 @@ void rt2x00lib_stop(struct rt2x00_dev *rt2x00dev)
rt2x00dev->intf_ap_count = 0;
rt2x00dev->intf_sta_count = 0;
rt2x00dev->intf_associated = 0;
+ rt2x00dev->intf_beaconing = 0;
}
static inline void rt2x00lib_set_if_combinations(struct rt2x00_dev *rt2x00dev)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
index dea5babd30fe..f81b0ab0b4c5 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
@@ -598,6 +598,17 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
*/
if (changes & BSS_CHANGED_BEACON_ENABLED) {
mutex_lock(&intf->beacon_skb_mutex);
+
+ /*
+ * Clear the 'enable_beacon' flag and clear beacon because
+ * the beacon queue has been stopped after hardware reset.
+ */
+ if (test_bit(DEVICE_STATE_RESET, &rt2x00dev->flags) &&
+ intf->enable_beacon) {
+ intf->enable_beacon = false;
+ rt2x00queue_clear_beacon(rt2x00dev, vif);
+ }
+
if (!bss_conf->enable_beacon && intf->enable_beacon) {
rt2x00dev->intf_beaconing--;
intf->enable_beacon = false;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 166/476] selftests/bpf: satisfy compiler by having explicit return in btf test
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 165/476] wifi: rt2x00: restart beacon queue when hardware reset Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 167/476] selftests/bpf: Fix pyperf180 compilation failure with clang18 Greg Kroah-Hartman
` (319 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Alexei Starovoitov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Nakryiko <andrii@kernel.org>
[ Upstream commit f4c7e887324f5776eef6e6e47a90e0ac8058a7a8 ]
Some compilers complain about get_pprint_mapv_size() not returning value
in some code paths. Fix with explicit return.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231102033759.2541186-3-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/prog_tests/btf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/btf.c b/tools/testing/selftests/bpf/prog_tests/btf.c
index 2a04dbec510d..92080f64b5cc 100644
--- a/tools/testing/selftests/bpf/prog_tests/btf.c
+++ b/tools/testing/selftests/bpf/prog_tests/btf.c
@@ -4766,6 +4766,7 @@ static size_t get_pprint_mapv_size(enum pprint_mapv_kind_t mapv_kind)
#endif
assert(0);
+ return 0;
}
static void set_pprint_mapv(enum pprint_mapv_kind_t mapv_kind,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 167/476] selftests/bpf: Fix pyperf180 compilation failure with clang18
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 166/476] selftests/bpf: satisfy compiler by having explicit return in btf test Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 168/476] selftests/bpf: Fix issues in setup_classid_environment() Greg Kroah-Hartman
` (318 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonghong Song, Andrii Nakryiko,
Alan Maguire, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonghong Song <yonghong.song@linux.dev>
[ Upstream commit 100888fb6d8a185866b1520031ee7e3182b173de ]
With latest clang18 (main branch of llvm-project repo), when building bpf selftests,
[~/work/bpf-next (master)]$ make -C tools/testing/selftests/bpf LLVM=1 -j
The following compilation error happens:
fatal error: error in backend: Branch target out of insn range
...
Stack dump:
0. Program arguments: clang -g -Wall -Werror -D__TARGET_ARCH_x86 -mlittle-endian
-I/home/yhs/work/bpf-next/tools/testing/selftests/bpf/tools/include
-I/home/yhs/work/bpf-next/tools/testing/selftests/bpf -I/home/yhs/work/bpf-next/tools/include/uapi
-I/home/yhs/work/bpf-next/tools/testing/selftests/usr/include -idirafter
/home/yhs/work/llvm-project/llvm/build.18/install/lib/clang/18/include -idirafter /usr/local/include
-idirafter /usr/include -Wno-compare-distinct-pointer-types -DENABLE_ATOMICS_TESTS -O2 --target=bpf
-c progs/pyperf180.c -mcpu=v3 -o /home/yhs/work/bpf-next/tools/testing/selftests/bpf/pyperf180.bpf.o
1. <eof> parser at end of file
2. Code generation
...
The compilation failure only happens to cpu=v2 and cpu=v3. cpu=v4 is okay
since cpu=v4 supports 32-bit branch target offset.
The above failure is due to upstream llvm patch [1] where some inlining behavior
are changed in clang18.
To workaround the issue, previously all 180 loop iterations are fully unrolled.
The bpf macro __BPF_CPU_VERSION__ (implemented in clang18 recently) is used to avoid
unrolling changes if cpu=v4. If __BPF_CPU_VERSION__ is not available and the
compiler is clang18, the unrollng amount is unconditionally reduced.
[1] https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Tested-by: Alan Maguire <alan.maguire@oracle.com>
Link: https://lore.kernel.org/bpf/20231110193644.3130906-1-yonghong.song@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/progs/pyperf180.c | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/pyperf180.c b/tools/testing/selftests/bpf/progs/pyperf180.c
index c39f559d3100..42c4a8b62e36 100644
--- a/tools/testing/selftests/bpf/progs/pyperf180.c
+++ b/tools/testing/selftests/bpf/progs/pyperf180.c
@@ -1,4 +1,26 @@
// SPDX-License-Identifier: GPL-2.0
// Copyright (c) 2019 Facebook
#define STACK_MAX_LEN 180
+
+/* llvm upstream commit at clang18
+ * https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e
+ * changed inlining behavior and caused compilation failure as some branch
+ * target distance exceeded 16bit representation which is the maximum for
+ * cpu v1/v2/v3. Macro __BPF_CPU_VERSION__ is later implemented in clang18
+ * to specify which cpu version is used for compilation. So a smaller
+ * unroll_count can be set if __BPF_CPU_VERSION__ is less than 4, which
+ * reduced some branch target distances and resolved the compilation failure.
+ *
+ * To capture the case where a developer/ci uses clang18 but the corresponding
+ * repo checkpoint does not have __BPF_CPU_VERSION__, a smaller unroll_count
+ * will be set as well to prevent potential compilation failures.
+ */
+#ifdef __BPF_CPU_VERSION__
+#if __BPF_CPU_VERSION__ < 4
+#define UNROLL_COUNT 90
+#endif
+#elif __clang_major__ == 18
+#define UNROLL_COUNT 90
+#endif
+
#include "pyperf.h"
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 168/476] selftests/bpf: Fix issues in setup_classid_environment()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 167/476] selftests/bpf: Fix pyperf180 compilation failure with clang18 Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 169/476] scsi: lpfc: Fix possible file string name overflow when updating firmware Greg Kroah-Hartman
` (317 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yafang Shao, Alexei Starovoitov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yafang Shao <laoar.shao@gmail.com>
[ Upstream commit 4849775587844e44d215289c425bcd70f315efe7 ]
If the net_cls subsystem is already mounted, attempting to mount it again
in setup_classid_environment() will result in a failure with the error code
EBUSY. Despite this, tmpfs will have been successfully mounted at
/sys/fs/cgroup/net_cls. Consequently, the /sys/fs/cgroup/net_cls directory
will be empty, causing subsequent setup operations to fail.
Here's an error log excerpt illustrating the issue when net_cls has already
been mounted at /sys/fs/cgroup/net_cls prior to running
setup_classid_environment():
- Before that change
$ tools/testing/selftests/bpf/test_progs --name=cgroup_v1v2
test_cgroup_v1v2:PASS:server_fd 0 nsec
test_cgroup_v1v2:PASS:client_fd 0 nsec
test_cgroup_v1v2:PASS:cgroup_fd 0 nsec
test_cgroup_v1v2:PASS:server_fd 0 nsec
run_test:PASS:skel_open 0 nsec
run_test:PASS:prog_attach 0 nsec
test_cgroup_v1v2:PASS:cgroup-v2-only 0 nsec
(cgroup_helpers.c:248: errno: No such file or directory) Opening Cgroup Procs: /sys/fs/cgroup/net_cls/cgroup.procs
(cgroup_helpers.c:540: errno: No such file or directory) Opening cgroup classid: /sys/fs/cgroup/net_cls/cgroup-test-work-dir/net_cls.classid
run_test:PASS:skel_open 0 nsec
run_test:PASS:prog_attach 0 nsec
(cgroup_helpers.c:248: errno: No such file or directory) Opening Cgroup Procs: /sys/fs/cgroup/net_cls/cgroup-test-work-dir/cgroup.procs
run_test:FAIL:join_classid unexpected error: 1 (errno 2)
test_cgroup_v1v2:FAIL:cgroup-v1v2 unexpected error: -1 (errno 2)
(cgroup_helpers.c:248: errno: No such file or directory) Opening Cgroup Procs: /sys/fs/cgroup/net_cls/cgroup.procs
#44 cgroup_v1v2:FAIL
Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
- After that change
$ tools/testing/selftests/bpf/test_progs --name=cgroup_v1v2
#44 cgroup_v1v2:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Link: https://lore.kernel.org/r/20231111090034.4248-3-laoar.shao@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/cgroup_helpers.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/bpf/cgroup_helpers.c b/tools/testing/selftests/bpf/cgroup_helpers.c
index f3daa44a8266..f63c7ee3d798 100644
--- a/tools/testing/selftests/bpf/cgroup_helpers.c
+++ b/tools/testing/selftests/bpf/cgroup_helpers.c
@@ -348,10 +348,20 @@ int setup_classid_environment(void)
return 1;
}
- if (mount("net_cls", NETCLS_MOUNT_PATH, "cgroup", 0, "net_cls") &&
- errno != EBUSY) {
- log_err("mount cgroup net_cls");
- return 1;
+ if (mount("net_cls", NETCLS_MOUNT_PATH, "cgroup", 0, "net_cls")) {
+ if (errno != EBUSY) {
+ log_err("mount cgroup net_cls");
+ return 1;
+ }
+
+ if (rmdir(NETCLS_MOUNT_PATH)) {
+ log_err("rmdir cgroup net_cls");
+ return 1;
+ }
+ if (umount(CGROUP_MOUNT_DFLT)) {
+ log_err("umount cgroup base");
+ return 1;
+ }
}
cleanup_classid_environment();
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 169/476] scsi: lpfc: Fix possible file string name overflow when updating firmware
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 168/476] selftests/bpf: Fix issues in setup_classid_environment() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 170/476] PCI: Add no PM reset quirk for NVIDIA Spectrum devices Greg Kroah-Hartman
` (316 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Himanshu Madhani,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit f5779b529240b715f0e358489ad0ed933bf77c97 ]
Because file_name and phba->ModelName are both declared a size 80 bytes,
the extra ".grp" file extension could cause an overflow into file_name.
Define a ELX_FW_NAME_SIZE macro with value 84. 84 incorporates the 4 extra
characters from ".grp". file_name is changed to be declared as a char and
initialized to zeros i.e. null chars.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20231031191224.150862-3-justintee8345@gmail.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc.h | 1 +
drivers/scsi/lpfc/lpfc_init.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 457ff86e02b3..65ac952b767f 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -32,6 +32,7 @@
struct lpfc_sli2_slim;
#define ELX_MODEL_NAME_SIZE 80
+#define ELX_FW_NAME_SIZE 84
#define LPFC_PCI_DEV_LP 0x1
#define LPFC_PCI_DEV_OC 0x2
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index 2ca4cf1b58c4..bba51ce4276a 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -14516,7 +14516,7 @@ lpfc_write_firmware(const struct firmware *fw, void *context)
int
lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)
{
- uint8_t file_name[ELX_MODEL_NAME_SIZE];
+ char file_name[ELX_FW_NAME_SIZE] = {0};
int ret;
const struct firmware *fw;
@@ -14525,7 +14525,7 @@ lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)
LPFC_SLI_INTF_IF_TYPE_2)
return -EPERM;
- snprintf(file_name, ELX_MODEL_NAME_SIZE, "%s.grp", phba->ModelName);
+ scnprintf(file_name, sizeof(file_name), "%s.grp", phba->ModelName);
if (fw_upgrade == INT_FW_UPGRADE) {
ret = request_firmware_nowait(THIS_MODULE, FW_ACTION_UEVENT,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 170/476] PCI: Add no PM reset quirk for NVIDIA Spectrum devices
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 169/476] scsi: lpfc: Fix possible file string name overflow when updating firmware Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 171/476] bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk Greg Kroah-Hartman
` (315 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Bjorn Helgaas,
Petr Machata, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 3ed48c80b28d8dcd584d6ddaf00c75b7673e1a05 ]
Spectrum-{1,2,3,4} devices report that a D3hot->D0 transition causes a
reset (i.e., they advertise NoSoftRst-). However, this transition does
not have any effect on the device: It continues to be operational and
network ports remain up. Advertising this support makes it seem as if a
PM reset is viable for these devices. Mark it as unavailable to skip it
when testing reset methods.
Before:
# cat /sys/bus/pci/devices/0000\:03\:00.0/reset_method
pm bus
After:
# cat /sys/bus/pci/devices/0000\:03\:00.0/reset_method
bus
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/quirks.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index 626d9ed733f1..be43ea2a15e7 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3666,6 +3666,19 @@ static void quirk_no_pm_reset(struct pci_dev *dev)
DECLARE_PCI_FIXUP_CLASS_HEADER(PCI_VENDOR_ID_ATI, PCI_ANY_ID,
PCI_CLASS_DISPLAY_VGA, 8, quirk_no_pm_reset);
+/*
+ * Spectrum-{1,2,3,4} devices report that a D3hot->D0 transition causes a reset
+ * (i.e., they advertise NoSoftRst-). However, this transition does not have
+ * any effect on the device: It continues to be operational and network ports
+ * remain up. Advertising this support makes it seem as if a PM reset is viable
+ * for these devices. Mark it as unavailable to skip it when testing reset
+ * methods.
+ */
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcb84, quirk_no_pm_reset);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf6c, quirk_no_pm_reset);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf70, quirk_no_pm_reset);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf80, quirk_no_pm_reset);
+
/*
* Thunderbolt controllers with broken MSI hotplug signaling:
* Entire 1st generation (Light Ridge, Eagle Ridge, Light Peak) and part
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 171/476] bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 170/476] PCI: Add no PM reset quirk for NVIDIA Spectrum devices Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 172/476] scsi: arcmsr: Support new PCI device IDs 1883 and 1886 Greg Kroah-Hartman
` (314 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Jay Vosburgh,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit d6b83f1e3707c4d60acfa58afd3515e17e5d5384 ]
If failed to allocate "tags" or could not find the final upper device from
start_dev's upper list in bond_verify_device_path(), only the loopback
detection of the current upper device should be affected, and the system is
no need to be panic.
So return -ENOMEM in alb_upper_dev_walk to stop walking, print some warn
information when failed to allocate memory for vlan tags in
bond_verify_device_path.
I also think that the following function calls
netdev_walk_all_upper_dev_rcu
---->>>alb_upper_dev_walk
---------->>>bond_verify_device_path
>From this way, "end device" can eventually be obtained from "start device"
in bond_verify_device_path, IS_ERR(tags) could be instead of
IS_ERR_OR_NULL(tags) in alb_upper_dev_walk.
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Link: https://lore.kernel.org/r/20231118081653.1481260-1-shaozhengchao@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_alb.c | 3 ++-
drivers/net/bonding/bond_main.c | 5 ++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c
index b29393831a30..7091b018078b 100644
--- a/drivers/net/bonding/bond_alb.c
+++ b/drivers/net/bonding/bond_alb.c
@@ -973,7 +973,8 @@ static int alb_upper_dev_walk(struct net_device *upper,
if (netif_is_macvlan(upper) && !strict_match) {
tags = bond_verify_device_path(bond->dev, upper, 0);
if (IS_ERR_OR_NULL(tags))
- BUG();
+ return -ENOMEM;
+
alb_send_lp_vid(slave, upper->dev_addr,
tags[0].vlan_proto, tags[0].vlan_id);
kfree(tags);
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 9aed194d308d..1ecd0c136fc6 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2893,8 +2893,11 @@ struct bond_vlan_tag *bond_verify_device_path(struct net_device *start_dev,
if (start_dev == end_dev) {
tags = kcalloc(level + 1, sizeof(*tags), GFP_ATOMIC);
- if (!tags)
+ if (!tags) {
+ net_err_ratelimited("%s: %s: Failed to allocate tags\n",
+ __func__, start_dev->name);
return ERR_PTR(-ENOMEM);
+ }
tags[level].vlan_proto = VLAN_N_VID;
return tags;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 172/476] scsi: arcmsr: Support new PCI device IDs 1883 and 1886
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 171/476] bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 173/476] ARM: dts: imx7d: Fix coresight funnel ports Greg Kroah-Hartman
` (313 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ching Huang, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: ching Huang <ching2048@areca.com.tw>
[ Upstream commit 41c8a1a1e90fa4721f856bf3cf71211fd16d6434 ]
Add support for Areca RAID controllers with PCI device IDs 1883 and 1886.
Signed-off-by: ching Huang <ching2048@areca.com.tw>
Link: https://lore.kernel.org/r/7732e743eaad57681b1552eec9c6a86c76dbe459.camel@areca.com.tw
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/arcmsr/arcmsr.h | 4 ++++
drivers/scsi/arcmsr/arcmsr_hba.c | 6 ++++++
2 files changed, 10 insertions(+)
diff --git a/drivers/scsi/arcmsr/arcmsr.h b/drivers/scsi/arcmsr/arcmsr.h
index 6ce57f031df5..3324114e6b06 100644
--- a/drivers/scsi/arcmsr/arcmsr.h
+++ b/drivers/scsi/arcmsr/arcmsr.h
@@ -77,9 +77,13 @@ struct device_attribute;
#ifndef PCI_DEVICE_ID_ARECA_1203
#define PCI_DEVICE_ID_ARECA_1203 0x1203
#endif
+#ifndef PCI_DEVICE_ID_ARECA_1883
+#define PCI_DEVICE_ID_ARECA_1883 0x1883
+#endif
#ifndef PCI_DEVICE_ID_ARECA_1884
#define PCI_DEVICE_ID_ARECA_1884 0x1884
#endif
+#define PCI_DEVICE_ID_ARECA_1886_0 0x1886
#define PCI_DEVICE_ID_ARECA_1886 0x188A
#define ARCMSR_HOURS (1000 * 60 * 60 * 4)
#define ARCMSR_MINUTES (1000 * 60 * 60)
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
index ec1a834c922d..e33298b2d51c 100644
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -214,8 +214,12 @@ static struct pci_device_id arcmsr_device_id_table[] = {
.driver_data = ACB_ADAPTER_TYPE_A},
{PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1880),
.driver_data = ACB_ADAPTER_TYPE_C},
+ {PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1883),
+ .driver_data = ACB_ADAPTER_TYPE_C},
{PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1884),
.driver_data = ACB_ADAPTER_TYPE_E},
+ {PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1886_0),
+ .driver_data = ACB_ADAPTER_TYPE_F},
{PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1886),
.driver_data = ACB_ADAPTER_TYPE_F},
{0, 0}, /* Terminating entry */
@@ -4710,9 +4714,11 @@ static const char *arcmsr_info(struct Scsi_Host *host)
case PCI_DEVICE_ID_ARECA_1680:
case PCI_DEVICE_ID_ARECA_1681:
case PCI_DEVICE_ID_ARECA_1880:
+ case PCI_DEVICE_ID_ARECA_1883:
case PCI_DEVICE_ID_ARECA_1884:
type = "SAS/SATA";
break;
+ case PCI_DEVICE_ID_ARECA_1886_0:
case PCI_DEVICE_ID_ARECA_1886:
type = "NVMe/SAS/SATA";
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 173/476] ARM: dts: imx7d: Fix coresight funnel ports
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 172/476] scsi: arcmsr: Support new PCI device IDs 1883 and 1886 Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 174/476] ARM: dts: imx7s: Fix lcdif compatible Greg Kroah-Hartman
` (312 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit 0d4ac04fa7c3f6dc263dba6f575a2ec7a2d4eca8 ]
imx7d uses two ports for 'in-ports', so the syntax port@<num> has to
be used. imx7d has both port and port@1 nodes present, raising these
error:
funnel@30041000: in-ports: More than one condition true in oneOf schema
funnel@30041000: Unevaluated properties are not allowed
('in-ports' was unexpected)
Fix this by also using port@0 for imx7s as well.
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx7d.dtsi | 3 ---
arch/arm/boot/dts/imx7s.dtsi | 6 +++++-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/arch/arm/boot/dts/imx7d.dtsi b/arch/arm/boot/dts/imx7d.dtsi
index b0bcfa9094a3..8ad3e60fd7d1 100644
--- a/arch/arm/boot/dts/imx7d.dtsi
+++ b/arch/arm/boot/dts/imx7d.dtsi
@@ -209,9 +209,6 @@
};
&ca_funnel_in_ports {
- #address-cells = <1>;
- #size-cells = <0>;
-
port@1 {
reg = <1>;
ca_funnel_in_port1: endpoint {
diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
index 406e8870c680..6cdaaacd9e36 100644
--- a/arch/arm/boot/dts/imx7s.dtsi
+++ b/arch/arm/boot/dts/imx7s.dtsi
@@ -174,7 +174,11 @@
clock-names = "apb_pclk";
ca_funnel_in_ports: in-ports {
- port {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ port@0 {
+ reg = <0>;
ca_funnel_in_port0: endpoint {
remote-endpoint = <&etm0_out_port>;
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 174/476] ARM: dts: imx7s: Fix lcdif compatible
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 173/476] ARM: dts: imx7d: Fix coresight funnel ports Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 175/476] ARM: dts: imx7s: Fix nand-controller #size-cells Greg Kroah-Hartman
` (311 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit 5f55da4cc37051cda600ea870ce8cf29f1297715 ]
imx7d-lcdif is compatible to imx6sx-lcdif. MXSFB_V6 supports overlay
by using LCDC_AS_CTRL register. This registers used by overlay plane:
* LCDC_AS_CTRL
* LCDC_AS_BUF
* LCDC_AS_NEXT_BUF
are listed in i.MX7D RM as well.
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx7s.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
index 6cdaaacd9e36..35ee179e5ae3 100644
--- a/arch/arm/boot/dts/imx7s.dtsi
+++ b/arch/arm/boot/dts/imx7s.dtsi
@@ -802,7 +802,7 @@
};
lcdif: lcdif@30730000 {
- compatible = "fsl,imx7d-lcdif", "fsl,imx28-lcdif";
+ compatible = "fsl,imx7d-lcdif", "fsl,imx6sx-lcdif";
reg = <0x30730000 0x10000>;
interrupts = <GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 175/476] ARM: dts: imx7s: Fix nand-controller #size-cells
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 174/476] ARM: dts: imx7s: Fix lcdif compatible Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 176/476] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Greg Kroah-Hartman
` (310 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit 4aadb841ed49bada1415c48c44d21f5b69e01299 ]
nand-controller.yaml bindings says #size-cells shall be set to 0.
Fixes the dtbs_check warning:
arch/arm/boot/dts/nxp/imx/imx7s-mba7.dtb: nand-controller@33002000:
#size-cells:0:0: 0 was expected
from schema $id: http://devicetree.org/schemas/mtd/gpmi-nand.yaml#
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx7s.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
index 35ee179e5ae3..5b960849c3ab 100644
--- a/arch/arm/boot/dts/imx7s.dtsi
+++ b/arch/arm/boot/dts/imx7s.dtsi
@@ -1264,7 +1264,7 @@
gpmi: nand-controller@33002000{
compatible = "fsl,imx7d-gpmi-nand";
#address-cells = <1>;
- #size-cells = <1>;
+ #size-cells = <0>;
reg = <0x33002000 0x2000>, <0x33004000 0x4000>;
reg-names = "gpmi-nand", "bch";
interrupts = <GIC_SPI 14 IRQ_TYPE_LEVEL_HIGH>;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 176/476] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 175/476] ARM: dts: imx7s: Fix nand-controller #size-cells Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 177/476] bpf: Add map and need_defer parameters to .map_fd_put_ptr() Greg Kroah-Hartman
` (309 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minsuk Kang,
Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
[ Upstream commit 2adc886244dff60f948497b59affb6c6ebb3c348 ]
Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
occurs when txs->cnt, data from a URB provided by a USB device, is
bigger than the size of the array txs->txstatus, which is
HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
handling code after the check. Make the function return if that is the
case.
Found by a modified version of syzkaller.
UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
index 13 is out of range for type '__wmi_event_txstatus [12]'
Call Trace:
ath9k_htc_txstatus
ath9k_wmi_event_tasklet
tasklet_action_common
__do_softirq
irq_exit_rxu
sysvec_apic_timer_interrupt
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 672789e3c55d..d6a3f001dacb 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -652,9 +652,10 @@ void ath9k_htc_txstatus(struct ath9k_htc_priv *priv, void *wmi_event)
struct ath9k_htc_tx_event *tx_pend;
int i;
- for (i = 0; i < txs->cnt; i++) {
- WARN_ON(txs->cnt > HTC_MAX_TX_STATUS);
+ if (WARN_ON_ONCE(txs->cnt > HTC_MAX_TX_STATUS))
+ return;
+ for (i = 0; i < txs->cnt; i++) {
__txs = &txs->txstatus[i];
skb = ath9k_htc_tx_get_packet(priv, __txs);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 177/476] bpf: Add map and need_defer parameters to .map_fd_put_ptr()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 176/476] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 178/476] scsi: libfc: Dont schedule abort twice Greg Kroah-Hartman
` (308 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hou Tao, Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Tao <houtao1@huawei.com>
[ Upstream commit 20c20bd11a0702ce4dc9300c3da58acf551d9725 ]
map is the pointer of outer map, and need_defer needs some explanation.
need_defer tells the implementation to defer the reference release of
the passed element and ensure that the element is still alive before
the bpf program, which may manipulate it, exits.
The following three cases will invoke map_fd_put_ptr() and different
need_defer values will be passed to these callers:
1) release the reference of the old element in the map during map update
or map deletion. The release must be deferred, otherwise the bpf
program may incur use-after-free problem, so need_defer needs to be
true.
2) release the reference of the to-be-added element in the error path of
map update. The to-be-added element is not visible to any bpf
program, so it is OK to pass false for need_defer parameter.
3) release the references of all elements in the map during map release.
Any bpf program which has access to the map must have been exited and
released, so need_defer=false will be OK.
These two parameters will be used by the following patches to fix the
potential use-after-free problem for map-in-map.
Signed-off-by: Hou Tao <houtao1@huawei.com>
Link: https://lore.kernel.org/r/20231204140425.1480317-3-houtao@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bpf.h | 6 +++++-
kernel/bpf/arraymap.c | 12 +++++++-----
kernel/bpf/hashtab.c | 6 +++---
kernel/bpf/map_in_map.c | 2 +-
kernel/bpf/map_in_map.h | 2 +-
5 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 00c615fc8ec3..48f3cc3bafea 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -91,7 +91,11 @@ struct bpf_map_ops {
/* funcs called by prog_array and perf_event_array map */
void *(*map_fd_get_ptr)(struct bpf_map *map, struct file *map_file,
int fd);
- void (*map_fd_put_ptr)(void *ptr);
+ /* If need_defer is true, the implementation should guarantee that
+ * the to-be-put element is still alive before the bpf program, which
+ * may manipulate it, exists.
+ */
+ void (*map_fd_put_ptr)(struct bpf_map *map, void *ptr, bool need_defer);
int (*map_gen_lookup)(struct bpf_map *map, struct bpf_insn *insn_buf);
u32 (*map_fd_sys_lookup_elem)(void *ptr);
void (*map_seq_show_elem)(struct bpf_map *map, void *key,
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 23ffb8f0b5d7..c76870bfd816 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -811,7 +811,7 @@ int bpf_fd_array_map_update_elem(struct bpf_map *map, struct file *map_file,
}
if (old_ptr)
- map->ops->map_fd_put_ptr(old_ptr);
+ map->ops->map_fd_put_ptr(map, old_ptr, true);
return 0;
}
@@ -834,7 +834,7 @@ static int fd_array_map_delete_elem(struct bpf_map *map, void *key)
}
if (old_ptr) {
- map->ops->map_fd_put_ptr(old_ptr);
+ map->ops->map_fd_put_ptr(map, old_ptr, true);
return 0;
} else {
return -ENOENT;
@@ -858,8 +858,9 @@ static void *prog_fd_array_get_ptr(struct bpf_map *map,
return prog;
}
-static void prog_fd_array_put_ptr(void *ptr)
+static void prog_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer)
{
+ /* bpf_prog is freed after one RCU or tasks trace grace period */
bpf_prog_put(ptr);
}
@@ -1148,8 +1149,9 @@ static void *perf_event_fd_array_get_ptr(struct bpf_map *map,
return ee;
}
-static void perf_event_fd_array_put_ptr(void *ptr)
+static void perf_event_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer)
{
+ /* bpf_perf_event is freed after one RCU grace period */
bpf_event_entry_free_rcu(ptr);
}
@@ -1204,7 +1206,7 @@ static void *cgroup_fd_array_get_ptr(struct bpf_map *map,
return cgroup_get_from_fd(fd);
}
-static void cgroup_fd_array_put_ptr(void *ptr)
+static void cgroup_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer)
{
/* cgroup_put free cgrp after a rcu grace period */
cgroup_put(ptr);
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index a63c68f5945c..28b43642c059 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -857,7 +857,7 @@ static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l)
if (map->ops->map_fd_put_ptr) {
ptr = fd_htab_map_get_ptr(map, l);
- map->ops->map_fd_put_ptr(ptr);
+ map->ops->map_fd_put_ptr(map, ptr, true);
}
}
@@ -2330,7 +2330,7 @@ static void fd_htab_map_free(struct bpf_map *map)
hlist_nulls_for_each_entry_safe(l, n, head, hash_node) {
void *ptr = fd_htab_map_get_ptr(map, l);
- map->ops->map_fd_put_ptr(ptr);
+ map->ops->map_fd_put_ptr(map, ptr, false);
}
}
@@ -2371,7 +2371,7 @@ int bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file,
ret = htab_map_update_elem(map, key, &ptr, map_flags);
if (ret)
- map->ops->map_fd_put_ptr(ptr);
+ map->ops->map_fd_put_ptr(map, ptr, false);
return ret;
}
diff --git a/kernel/bpf/map_in_map.c b/kernel/bpf/map_in_map.c
index 5cd8f5277279..af0f15db1bf9 100644
--- a/kernel/bpf/map_in_map.c
+++ b/kernel/bpf/map_in_map.c
@@ -108,7 +108,7 @@ void *bpf_map_fd_get_ptr(struct bpf_map *map,
return inner_map;
}
-void bpf_map_fd_put_ptr(void *ptr)
+void bpf_map_fd_put_ptr(struct bpf_map *map, void *ptr, bool need_defer)
{
/* ptr->ops->map_free() has to go through one
* rcu grace period by itself.
diff --git a/kernel/bpf/map_in_map.h b/kernel/bpf/map_in_map.h
index bcb7534afb3c..7d61602354de 100644
--- a/kernel/bpf/map_in_map.h
+++ b/kernel/bpf/map_in_map.h
@@ -13,7 +13,7 @@ struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd);
void bpf_map_meta_free(struct bpf_map *map_meta);
void *bpf_map_fd_get_ptr(struct bpf_map *map, struct file *map_file,
int ufd);
-void bpf_map_fd_put_ptr(void *ptr);
+void bpf_map_fd_put_ptr(struct bpf_map *map, void *ptr, bool need_defer);
u32 bpf_map_fd_sys_lookup_elem(void *ptr);
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 178/476] scsi: libfc: Dont schedule abort twice
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 177/476] bpf: Add map and need_defer parameters to .map_fd_put_ptr() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 179/476] scsi: libfc: Fix up timeout error in fc_fcp_rec_error() Greg Kroah-Hartman
` (307 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Christoph Hellwig,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit b57c4db5d23b9df0118a25e2441c9288edd73710 ]
The current FC error recovery is sending up to three REC (recovery) frames
in 10 second intervals, and as a final step sending an ABTS after 30
seconds for the command itself. Unfortunately sending an ABTS is also the
action for the SCSI abort handler, and the default timeout for SCSI
commands is also 30 seconds. This causes two ABTS to be scheduled, with the
libfc one slightly earlier. The ABTS scheduled by SCSI EH then sees the
command to be already aborted, and will always return with a 'GOOD' status
irrespective on the actual result from the first ABTS. This causes the
SCSI EH abort handler to always succeed, and SCSI EH never to be engaged.
Fix this by not issuing an ABTS when a SCSI command is present for the
exchange, but rather wait for the abort scheduled from SCSI EH. And warn
if an abort is already scheduled to avoid similar errors in the future.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20231129165832.224100-2-hare@kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libfc/fc_fcp.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c
index 509eacd7893d..a1015a81e86e 100644
--- a/drivers/scsi/libfc/fc_fcp.c
+++ b/drivers/scsi/libfc/fc_fcp.c
@@ -270,6 +270,11 @@ static int fc_fcp_send_abort(struct fc_fcp_pkt *fsp)
if (!fsp->seq_ptr)
return -EINVAL;
+ if (fsp->state & FC_SRB_ABORT_PENDING) {
+ FC_FCP_DBG(fsp, "abort already pending\n");
+ return -EBUSY;
+ }
+
per_cpu_ptr(fsp->lp->stats, get_cpu())->FcpPktAborts++;
put_cpu();
@@ -1700,11 +1705,12 @@ static void fc_fcp_recovery(struct fc_fcp_pkt *fsp, u8 code)
fsp->status_code = code;
fsp->cdb_status = 0;
fsp->io_status = 0;
- /*
- * if this fails then we let the scsi command timer fire and
- * scsi-ml escalate.
- */
- fc_fcp_send_abort(fsp);
+ if (!fsp->cmd)
+ /*
+ * Only abort non-scsi commands; otherwise let the
+ * scsi command timer fire and scsi-ml escalate.
+ */
+ fc_fcp_send_abort(fsp);
}
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 179/476] scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 178/476] scsi: libfc: Dont schedule abort twice Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 180/476] bpf: Set uattr->batch.count as zero before batched update or deletion Greg Kroah-Hartman
` (306 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Christoph Hellwig,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit 53122a49f49796beb2c4a1bb702303b66347e29f ]
We should set the status to FC_TIMED_OUT when a timeout error is passed to
fc_fcp_rec_error().
Signed-off-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20231129165832.224100-3-hare@kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libfc/fc_fcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c
index a1015a81e86e..a6efbcc27181 100644
--- a/drivers/scsi/libfc/fc_fcp.c
+++ b/drivers/scsi/libfc/fc_fcp.c
@@ -1686,7 +1686,7 @@ static void fc_fcp_rec_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp)
if (fsp->recov_retry++ < FC_MAX_RECOV_RETRY)
fc_fcp_rec(fsp);
else
- fc_fcp_recovery(fsp, FC_ERROR);
+ fc_fcp_recovery(fsp, FC_TIMED_OUT);
break;
}
fc_fcp_unlock_pkt(fsp);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 180/476] bpf: Set uattr->batch.count as zero before batched update or deletion
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 179/476] scsi: libfc: Fix up timeout error in fc_fcp_rec_error() Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 181/476] ARM: dts: rockchip: fix rk3036 hdmi ports node Greg Kroah-Hartman
` (305 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hou Tao, Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Tao <houtao1@huawei.com>
[ Upstream commit 06e5c999f10269a532304e89a6adb2fbfeb0593c ]
generic_map_{delete,update}_batch() doesn't set uattr->batch.count as
zero before it tries to allocate memory for key. If the memory
allocation fails, the value of uattr->batch.count will be incorrect.
Fix it by setting uattr->batch.count as zero beore batched update or
deletion.
Signed-off-by: Hou Tao <houtao1@huawei.com>
Link: https://lore.kernel.org/r/20231208102355.2628918-6-houtao@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/syscall.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index dbe98040e855..64206856a05c 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1314,6 +1314,9 @@ int generic_map_delete_batch(struct bpf_map *map,
if (!max_count)
return 0;
+ if (put_user(0, &uattr->batch.count))
+ return -EFAULT;
+
key = kvmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
if (!key)
return -ENOMEM;
@@ -1372,6 +1375,9 @@ int generic_map_update_batch(struct bpf_map *map,
if (!max_count)
return 0;
+ if (put_user(0, &uattr->batch.count))
+ return -EFAULT;
+
key = kvmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
if (!key)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 181/476] ARM: dts: rockchip: fix rk3036 hdmi ports node
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 180/476] bpf: Set uattr->batch.count as zero before batched update or deletion Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 182/476] ARM: dts: imx25/27-eukrea: Fix RTC node name Greg Kroah-Hartman
` (304 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Jonker, Heiko Stuebner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Jonker <jbx6244@gmail.com>
[ Upstream commit 27ded76ef0fcfcf939914532aae575cf23c221b4 ]
Fix hdmi ports node so that it matches the
rockchip,inno-hdmi.yaml binding.
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Link: https://lore.kernel.org/r/9a2afac1-ed5c-382d-02b0-b2f5f1af3abb@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/rk3036.dtsi | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi
index ffa9bc7ed3d0..0af1a86f9dc4 100644
--- a/arch/arm/boot/dts/rk3036.dtsi
+++ b/arch/arm/boot/dts/rk3036.dtsi
@@ -402,12 +402,20 @@
pinctrl-0 = <&hdmi_ctl>;
status = "disabled";
- hdmi_in: port {
+ ports {
#address-cells = <1>;
#size-cells = <0>;
- hdmi_in_vop: endpoint@0 {
+
+ hdmi_in: port@0 {
reg = <0>;
- remote-endpoint = <&vop_out_hdmi>;
+
+ hdmi_in_vop: endpoint {
+ remote-endpoint = <&vop_out_hdmi>;
+ };
+ };
+
+ hdmi_out: port@1 {
+ reg = <1>;
};
};
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 182/476] ARM: dts: imx25/27-eukrea: Fix RTC node name
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 181/476] ARM: dts: rockchip: fix rk3036 hdmi ports node Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 183/476] ARM: dts: imx: Use flash@0,0 pattern Greg Kroah-Hartman
` (303 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit 68c711b882c262e36895547cddea2c2d56ce611d ]
Node names should be generic. Use 'rtc' as node name to fix
the following dt-schema warning:
imx25-eukrea-mbimxsd25-baseboard.dtb: pcf8563@51: $nodename:0: 'pcf8563@51' does not match '^rtc(@.*|-([0-9]|[1-9][0-9]+))?$'
from schema $id: http://devicetree.org/schemas/rtc/nxp,pcf8563.yaml#
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi | 2 +-
arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi b/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi
index 0703f62d10d1..93a6e4e680b4 100644
--- a/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi
+++ b/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi
@@ -27,7 +27,7 @@
pinctrl-0 = <&pinctrl_i2c1>;
status = "okay";
- pcf8563@51 {
+ rtc@51 {
compatible = "nxp,pcf8563";
reg = <0x51>;
};
diff --git a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi
index 74110bbcd9d4..4b83e2918b55 100644
--- a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi
+++ b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi
@@ -33,7 +33,7 @@
pinctrl-0 = <&pinctrl_i2c1>;
status = "okay";
- pcf8563@51 {
+ rtc@51 {
compatible = "nxp,pcf8563";
reg = <0x51>;
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 183/476] ARM: dts: imx: Use flash@0,0 pattern
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 182/476] ARM: dts: imx25/27-eukrea: Fix RTC node name Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 184/476] ARM: dts: imx27: Fix sram node Greg Kroah-Hartman
` (302 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit 1e1d7cc478fb16816de09740e3c323c0c188d58f ]
Per mtd-physmap.yaml, 'nor@0,0' is not a valid node pattern.
Change it to 'flash@0,0' to fix the following dt-schema warning:
imx1-ads.dtb: nor@0,0: $nodename:0: 'nor@0,0' does not match '^(flash|.*sram|nand)(@.*)?$'
from schema $id: http://devicetree.org/schemas/mtd/mtd-physmap.yaml#
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx1-ads.dts | 2 +-
arch/arm/boot/dts/imx1-apf9328.dts | 2 +-
arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi | 2 +-
arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm/boot/dts/imx1-ads.dts b/arch/arm/boot/dts/imx1-ads.dts
index 5833fb6f15d8..2c817c4a4c68 100644
--- a/arch/arm/boot/dts/imx1-ads.dts
+++ b/arch/arm/boot/dts/imx1-ads.dts
@@ -65,7 +65,7 @@
pinctrl-0 = <&pinctrl_weim>;
status = "okay";
- nor: nor@0,0 {
+ nor: flash@0,0 {
compatible = "cfi-flash";
reg = <0 0x00000000 0x02000000>;
bank-width = <4>;
diff --git a/arch/arm/boot/dts/imx1-apf9328.dts b/arch/arm/boot/dts/imx1-apf9328.dts
index 77b21aa7a146..27e72b07b517 100644
--- a/arch/arm/boot/dts/imx1-apf9328.dts
+++ b/arch/arm/boot/dts/imx1-apf9328.dts
@@ -45,7 +45,7 @@
pinctrl-0 = <&pinctrl_weim>;
status = "okay";
- nor: nor@0,0 {
+ nor: flash@0,0 {
compatible = "cfi-flash";
reg = <0 0x00000000 0x02000000>;
bank-width = <2>;
diff --git a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi
index 4b83e2918b55..c7e923584878 100644
--- a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi
+++ b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi
@@ -90,7 +90,7 @@
&weim {
status = "okay";
- nor: nor@0,0 {
+ nor: flash@0,0 {
#address-cells = <1>;
#size-cells = <1>;
compatible = "cfi-flash";
diff --git a/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi b/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi
index 3d10273177e9..a5fdc2fd4ce5 100644
--- a/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi
+++ b/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi
@@ -322,7 +322,7 @@
&weim {
status = "okay";
- nor: nor@0,0 {
+ nor: flash@0,0 {
compatible = "cfi-flash";
reg = <0 0x00000000 0x02000000>;
bank-width = <2>;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 184/476] ARM: dts: imx27: Fix sram node
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 183/476] ARM: dts: imx: Use flash@0,0 pattern Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 185/476] ARM: dts: imx1: " Greg Kroah-Hartman
` (301 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit 2fb7b2a2f06bb3f8321cf26c33e4e820c5b238b6 ]
Per sram.yaml, address-cells, size-cells and ranges are mandatory.
Pass them to fix the following dt-schema warnings:
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx27.dtsi | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm/boot/dts/imx27.dtsi b/arch/arm/boot/dts/imx27.dtsi
index fd525c3b16fa..247617d6d41e 100644
--- a/arch/arm/boot/dts/imx27.dtsi
+++ b/arch/arm/boot/dts/imx27.dtsi
@@ -588,6 +588,9 @@
iram: sram@ffff4c00 {
compatible = "mmio-sram";
reg = <0xffff4c00 0xb400>;
+ ranges = <0 0xffff4c00 0xb400>;
+ #address-cells = <1>;
+ #size-cells = <1>;
};
};
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 185/476] ARM: dts: imx1: Fix sram node
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 184/476] ARM: dts: imx27: Fix sram node Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 186/476] ionic: pass opcode to devcmd_wait Greg Kroah-Hartman
` (300 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit c248e535973088ba7071ff6f26ab7951143450af ]
Per sram.yaml, address-cells, size-cells and ranges are mandatory.
The node name should be sram.
Change the node name and pass the required properties to fix the
following dt-schema warnings:
imx1-apf9328.dtb: esram@300000: $nodename:0: 'esram@300000' does not match '^sram(@.*)?'
from schema $id: http://devicetree.org/schemas/sram/sram.yaml#
imx1-apf9328.dtb: esram@300000: '#address-cells' is a required property
from schema $id: http://devicetree.org/schemas/sram/sram.yaml#
imx1-apf9328.dtb: esram@300000: '#size-cells' is a required property
from schema $id: http://devicetree.org/schemas/sram/sram.yaml#
imx1-apf9328.dtb: esram@300000: 'ranges' is a required property
from schema $id: http://devicetree.org/schemas/sram/sram.yaml#
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx1.dtsi | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx1.dtsi b/arch/arm/boot/dts/imx1.dtsi
index 9b940987864c..8d6e900a9081 100644
--- a/arch/arm/boot/dts/imx1.dtsi
+++ b/arch/arm/boot/dts/imx1.dtsi
@@ -268,9 +268,12 @@
status = "disabled";
};
- esram: esram@300000 {
+ esram: sram@300000 {
compatible = "mmio-sram";
reg = <0x00300000 0x20000>;
+ ranges = <0 0x00300000 0x20000>;
+ #address-cells = <1>;
+ #size-cells = <1>;
};
};
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 186/476] ionic: pass opcode to devcmd_wait
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 185/476] ARM: dts: imx1: " Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 187/476] block/rnbd-srv: Check for unlikely string overflow Greg Kroah-Hartman
` (299 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shannon Nelson, Brett Creeley,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shannon Nelson <shannon.nelson@amd.com>
[ Upstream commit 24f110240c03c6b5368f1203bac72883d511e606 ]
Don't rely on the PCI memory for the devcmd opcode because we
read a 0xff value if the PCI bus is broken, which can cause us
to report a bogus dev_cmd opcode later.
Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
Reviewed-by: Brett Creeley <brett.creeley@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_dev.c | 1 +
drivers/net/ethernet/pensando/ionic/ionic_dev.h | 1 +
drivers/net/ethernet/pensando/ionic/ionic_main.c | 2 +-
3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.c b/drivers/net/ethernet/pensando/ionic/ionic_dev.c
index b778d8264bca..f81b00c7e106 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.c
@@ -268,6 +268,7 @@ void ionic_dev_cmd_comp(struct ionic_dev *idev, union ionic_dev_cmd_comp *comp)
void ionic_dev_cmd_go(struct ionic_dev *idev, union ionic_dev_cmd *cmd)
{
+ idev->opcode = cmd->cmd.opcode;
memcpy_toio(&idev->dev_cmd_regs->cmd, cmd, sizeof(*cmd));
iowrite32(0, &idev->dev_cmd_regs->done);
iowrite32(1, &idev->dev_cmd_regs->doorbell);
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h
index 38f38fe8f21d..1ab86eee8b5a 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h
+++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h
@@ -144,6 +144,7 @@ struct ionic_dev {
bool fw_hb_ready;
bool fw_status_ready;
u8 fw_generation;
+ u8 opcode;
u64 __iomem *db_pages;
dma_addr_t phy_db_pages;
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_main.c b/drivers/net/ethernet/pensando/ionic/ionic_main.c
index 538c024afed5..7942a7f0f7b3 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_main.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_main.c
@@ -350,7 +350,7 @@ int ionic_dev_cmd_wait(struct ionic *ionic, unsigned long max_seconds)
*/
max_wait = jiffies + (max_seconds * HZ);
try_again:
- opcode = readb(&idev->dev_cmd_regs->cmd.cmd.opcode);
+ opcode = idev->opcode;
start_time = jiffies;
do {
done = ionic_dev_cmd_done(idev);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 187/476] block/rnbd-srv: Check for unlikely string overflow
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 186/476] ionic: pass opcode to devcmd_wait Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 188/476] ARM: dts: imx25: Fix the iim compatible string Greg Kroah-Hartman
` (298 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Md. Haris Iqbal,
Jack Wang, Jens Axboe, linux-block, Kees Cook, Guoqing Jiang,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41 ]
Since "dev_search_path" can technically be as large as PATH_MAX,
there was a risk of truncation when copying it and a second string
into "full_path" since it was also PATH_MAX sized. The W=1 builds were
reporting this warning:
drivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':
drivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]
616 | snprintf(full_path, PATH_MAX, "%s/%s",
| ^~
In function 'rnbd_srv_get_full_path',
inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096
616 | snprintf(full_path, PATH_MAX, "%s/%s",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
617 | dev_search_path, dev_name);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
To fix this, unconditionally check for truncation (as was already done
for the case where "%SESSNAME%" was present).
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202312100355.lHoJPgKy-lkp@intel.com/
Cc: Md. Haris Iqbal <haris.iqbal@ionos.com>
Cc: Jack Wang <jinpu.wang@ionos.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <linux-block@vger.kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Guoqing Jiang <guoqing.jiang@linux.dev>
Acked-by: Jack Wang <jinpu.wang@ionos.com>
Link: https://lore.kernel.org/r/20231212214738.work.169-kees@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/rnbd/rnbd-srv.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/drivers/block/rnbd/rnbd-srv.c b/drivers/block/rnbd/rnbd-srv.c
index 1896cde8135e..86a6242d9c20 100644
--- a/drivers/block/rnbd/rnbd-srv.c
+++ b/drivers/block/rnbd/rnbd-srv.c
@@ -606,6 +606,7 @@ static char *rnbd_srv_get_full_path(struct rnbd_srv_session *srv_sess,
{
char *full_path;
char *a, *b;
+ int len;
full_path = kmalloc(PATH_MAX, GFP_KERNEL);
if (!full_path)
@@ -617,19 +618,19 @@ static char *rnbd_srv_get_full_path(struct rnbd_srv_session *srv_sess,
*/
a = strnstr(dev_search_path, "%SESSNAME%", sizeof(dev_search_path));
if (a) {
- int len = a - dev_search_path;
+ len = a - dev_search_path;
len = snprintf(full_path, PATH_MAX, "%.*s/%s/%s", len,
dev_search_path, srv_sess->sessname, dev_name);
- if (len >= PATH_MAX) {
- pr_err("Too long path: %s, %s, %s\n",
- dev_search_path, srv_sess->sessname, dev_name);
- kfree(full_path);
- return ERR_PTR(-EINVAL);
- }
} else {
- snprintf(full_path, PATH_MAX, "%s/%s",
- dev_search_path, dev_name);
+ len = snprintf(full_path, PATH_MAX, "%s/%s",
+ dev_search_path, dev_name);
+ }
+ if (len >= PATH_MAX) {
+ pr_err("Too long path: %s, %s, %s\n",
+ dev_search_path, srv_sess->sessname, dev_name);
+ kfree(full_path);
+ return ERR_PTR(-EINVAL);
}
/* eliminitate duplicated slashes */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 188/476] ARM: dts: imx25: Fix the iim compatible string
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 187/476] block/rnbd-srv: Check for unlikely string overflow Greg Kroah-Hartman
@ 2024-02-21 13:03 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 189/476] ARM: dts: imx25/27: Pass timing0 Greg Kroah-Hartman
` (297 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit f0b929f58719fc57a4926ab4fc972f185453d6a5 ]
Per imx-iim.yaml, the compatible string should only contain a single
entry.
Use it as "fsl,imx25-iim" to fix the following dt-schema warning:
imx25-karo-tx25.dtb: efuse@53ff0000: compatible: ['fsl,imx25-iim', 'fsl,imx27-iim'] is too long
from schema $id: http://devicetree.org/schemas/nvmem/imx-iim.yaml#
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx25.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx25.dtsi b/arch/arm/boot/dts/imx25.dtsi
index bd8ea2ec2457..5eb79a9ffe04 100644
--- a/arch/arm/boot/dts/imx25.dtsi
+++ b/arch/arm/boot/dts/imx25.dtsi
@@ -543,7 +543,7 @@
};
iim: efuse@53ff0000 {
- compatible = "fsl,imx25-iim", "fsl,imx27-iim";
+ compatible = "fsl,imx25-iim";
reg = <0x53ff0000 0x4000>;
interrupts = <19>;
clocks = <&clks 99>;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 189/476] ARM: dts: imx25/27: Pass timing0
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2024-02-21 13:03 ` [PATCH 5.15 188/476] ARM: dts: imx25: Fix the iim compatible string Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 190/476] ARM: dts: imx27-apf27dev: Fix LED name Greg Kroah-Hartman
` (296 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit 11ab7ad6f795ae23c398a4a5c56505d3dab27c4c ]
Per display-timings.yaml, the 'timing' pattern should be used to
describe the display timings.
Change it accordingly to fix the following dt-schema warning:
imx27-apf27dev.dtb: display-timings: '800x480' does not match any of the regexes: '^timing', 'pinctrl-[0-9]+'
from schema $id: http://devicetree.org/schemas/display/panel/display-timings.yaml#
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts | 2 +-
arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts | 2 +-
arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts | 2 +-
arch/arm/boot/dts/imx25-pdk.dts | 2 +-
arch/arm/boot/dts/imx27-apf27dev.dts | 2 +-
arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts | 2 +-
arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts | 2 +-
arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts
index 7d4301b22b90..1ed3fb7b9ce6 100644
--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts
+++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts
@@ -16,7 +16,7 @@
bus-width = <18>;
display-timings {
native-mode = <&qvga_timings>;
- qvga_timings: 320x240 {
+ qvga_timings: timing0 {
clock-frequency = <6500000>;
hactive = <320>;
vactive = <240>;
diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts
index 80a7f96de4c6..64b2ffac463b 100644
--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts
+++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts
@@ -16,7 +16,7 @@
bus-width = <18>;
display-timings {
native-mode = <&dvi_svga_timings>;
- dvi_svga_timings: 800x600 {
+ dvi_svga_timings: timing0 {
clock-frequency = <40000000>;
hactive = <800>;
vactive = <600>;
diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts
index 24027a1fb46d..fb074bfdaa8d 100644
--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts
+++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts
@@ -16,7 +16,7 @@
bus-width = <18>;
display-timings {
native-mode = <&dvi_vga_timings>;
- dvi_vga_timings: 640x480 {
+ dvi_vga_timings: timing0 {
clock-frequency = <31250000>;
hactive = <640>;
vactive = <480>;
diff --git a/arch/arm/boot/dts/imx25-pdk.dts b/arch/arm/boot/dts/imx25-pdk.dts
index fb66884d8a2f..59b40d13a640 100644
--- a/arch/arm/boot/dts/imx25-pdk.dts
+++ b/arch/arm/boot/dts/imx25-pdk.dts
@@ -78,7 +78,7 @@
bus-width = <18>;
display-timings {
native-mode = <&wvga_timings>;
- wvga_timings: 640x480 {
+ wvga_timings: timing0 {
hactive = <640>;
vactive = <480>;
hback-porch = <45>;
diff --git a/arch/arm/boot/dts/imx27-apf27dev.dts b/arch/arm/boot/dts/imx27-apf27dev.dts
index 6f1e8ce9e76e..68fcb5ce9a9e 100644
--- a/arch/arm/boot/dts/imx27-apf27dev.dts
+++ b/arch/arm/boot/dts/imx27-apf27dev.dts
@@ -16,7 +16,7 @@
fsl,pcr = <0xfae80083>; /* non-standard but required */
display-timings {
native-mode = <&timing0>;
- timing0: 800x480 {
+ timing0: timing0 {
clock-frequency = <33000033>;
hactive = <800>;
vactive = <480>;
diff --git a/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts b/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts
index 9c3ec82ec7e5..50fa0bd4c8a1 100644
--- a/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts
+++ b/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts
@@ -16,7 +16,7 @@
display-timings {
native-mode = <&timing0>;
- timing0: 320x240 {
+ timing0: timing0 {
clock-frequency = <6500000>;
hactive = <320>;
vactive = <240>;
diff --git a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
index 188639738dc3..7f36af150a25 100644
--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
+++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
@@ -19,7 +19,7 @@
fsl,pcr = <0xf0c88080>; /* non-standard but required */
display-timings {
native-mode = <&timing0>;
- timing0: 640x480 {
+ timing0: timing0 {
hactive = <640>;
vactive = <480>;
hback-porch = <112>;
diff --git a/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts b/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts
index 344e77790152..d133b9f08b3a 100644
--- a/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts
+++ b/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts
@@ -19,7 +19,7 @@
display-timings {
native-mode = <&timing0>;
- timing0: 240x320 {
+ timing0: timing0 {
clock-frequency = <5500000>;
hactive = <240>;
vactive = <320>;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 190/476] ARM: dts: imx27-apf27dev: Fix LED name
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 189/476] ARM: dts: imx25/27: Pass timing0 Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 191/476] ARM: dts: imx23-sansa: Use preferred i2c-gpios properties Greg Kroah-Hartman
` (295 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit dc35e253d032b959d92e12f081db5b00db26ae64 ]
Per leds-gpio.yaml, the led names should start with 'led'.
Change it to fix the following dt-schema warning:
imx27-apf27dev.dtb: leds: 'user' does not match any of the regexes: '(^led-[0-9a-f]$|led)', 'pinctrl-[0-9]+'
from schema $id: http://devicetree.org/schemas/leds/leds-gpio.yaml#
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx27-apf27dev.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx27-apf27dev.dts b/arch/arm/boot/dts/imx27-apf27dev.dts
index 68fcb5ce9a9e..3d9bb7fc3be2 100644
--- a/arch/arm/boot/dts/imx27-apf27dev.dts
+++ b/arch/arm/boot/dts/imx27-apf27dev.dts
@@ -47,7 +47,7 @@
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_gpio_leds>;
- user {
+ led-user {
label = "Heartbeat";
gpios = <&gpio6 14 GPIO_ACTIVE_HIGH>;
linux,default-trigger = "heartbeat";
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 191/476] ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 190/476] ARM: dts: imx27-apf27dev: Fix LED name Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 192/476] ARM: dts: imx23/28: Fix the DMA controller node name Greg Kroah-Hartman
` (294 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit e3aa1a82fb20ee97597022f6528823a8ab82bde6 ]
The 'gpios' property to describe the SDA and SCL GPIOs is considered
deprecated according to i2c-gpio.yaml.
Switch to the preferred 'sda-gpios' and 'scl-gpios' properties.
This fixes the following schema warnings:
imx23-sansa.dtb: i2c-0: 'sda-gpios' is a required property
from schema $id: http://devicetree.org/schemas/i2c/i2c-gpio.yaml#
imx23-sansa.dtb: i2c-0: 'scl-gpios' is a required property
from schema $id: http://devicetree.org/schemas/i2c/i2c-gpio.yaml#
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx23-sansa.dts | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/arch/arm/boot/dts/imx23-sansa.dts b/arch/arm/boot/dts/imx23-sansa.dts
index 46057d9bf555..c2efcc20ae80 100644
--- a/arch/arm/boot/dts/imx23-sansa.dts
+++ b/arch/arm/boot/dts/imx23-sansa.dts
@@ -175,10 +175,8 @@
#address-cells = <1>;
#size-cells = <0>;
compatible = "i2c-gpio";
- gpios = <
- &gpio1 24 0 /* SDA */
- &gpio1 22 0 /* SCL */
- >;
+ sda-gpios = <&gpio1 24 0>;
+ scl-gpios = <&gpio1 22 0>;
i2c-gpio,delay-us = <2>; /* ~100 kHz */
};
@@ -186,10 +184,8 @@
#address-cells = <1>;
#size-cells = <0>;
compatible = "i2c-gpio";
- gpios = <
- &gpio0 31 0 /* SDA */
- &gpio0 30 0 /* SCL */
- >;
+ sda-gpios = <&gpio0 31 0>;
+ scl-gpios = <&gpio0 30 0>;
i2c-gpio,delay-us = <2>; /* ~100 kHz */
touch: touch@20 {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 192/476] ARM: dts: imx23/28: Fix the DMA controller node name
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 191/476] ARM: dts: imx23-sansa: Use preferred i2c-gpios properties Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 193/476] net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path Greg Kroah-Hartman
` (293 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
[ Upstream commit 858d83ca4b50bbc8693d95cc94310e6d791fb2e6 ]
Per fsl,mxs-dma.yaml, the node name should be 'dma-controller'.
Change it to fix the following dt-schema warning.
imx28-apf28.dtb: dma-apbx@80024000: $nodename:0: 'dma-apbx@80024000' does not match '^dma-controller(@.*)?$'
from schema $id: http://devicetree.org/schemas/dma/fsl,mxs-dma.yaml#
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx23.dtsi | 2 +-
arch/arm/boot/dts/imx28.dtsi | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/boot/dts/imx23.dtsi b/arch/arm/boot/dts/imx23.dtsi
index ce3d6360a7ef..b236d23f8071 100644
--- a/arch/arm/boot/dts/imx23.dtsi
+++ b/arch/arm/boot/dts/imx23.dtsi
@@ -414,7 +414,7 @@
status = "disabled";
};
- dma_apbx: dma-apbx@80024000 {
+ dma_apbx: dma-controller@80024000 {
compatible = "fsl,imx23-dma-apbx";
reg = <0x80024000 0x2000>;
interrupts = <7 5 9 26
diff --git a/arch/arm/boot/dts/imx28.dtsi b/arch/arm/boot/dts/imx28.dtsi
index 10eab221bc05..7fcc0d35d31c 100644
--- a/arch/arm/boot/dts/imx28.dtsi
+++ b/arch/arm/boot/dts/imx28.dtsi
@@ -992,7 +992,7 @@
status = "disabled";
};
- dma_apbx: dma-apbx@80024000 {
+ dma_apbx: dma-controller@80024000 {
compatible = "fsl,imx28-dma-apbx";
reg = <0x80024000 0x2000>;
interrupts = <78 79 66 0
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 193/476] net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 192/476] ARM: dts: imx23/28: Fix the DMA controller node name Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 194/476] block: prevent an integer overflow in bvec_try_merge_hw_page Greg Kroah-Hartman
` (292 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Florian Fainelli,
Tobias Waldekranz, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tobias Waldekranz <tobias@waldekranz.com>
[ Upstream commit fc82a08ae795ee6b73fb6b50785f7be248bec7b5 ]
mv88e6xxx_get_stats, which collects stats from various sources,
expects all callees to return the number of stats read. If an error
occurs, 0 should be returned.
Prevent future mishaps of this kind by updating the return type to
reflect this contract.
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mv88e6xxx/chip.h | 4 ++--
drivers/net/dsa/mv88e6xxx/serdes.c | 8 ++++----
drivers/net/dsa/mv88e6xxx/serdes.h | 8 ++++----
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h
index 8271b8aa7b71..6b7307edaf17 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.h
+++ b/drivers/net/dsa/mv88e6xxx/chip.h
@@ -578,8 +578,8 @@ struct mv88e6xxx_ops {
int (*serdes_get_sset_count)(struct mv88e6xxx_chip *chip, int port);
int (*serdes_get_strings)(struct mv88e6xxx_chip *chip, int port,
uint8_t *data);
- int (*serdes_get_stats)(struct mv88e6xxx_chip *chip, int port,
- uint64_t *data);
+ size_t (*serdes_get_stats)(struct mv88e6xxx_chip *chip, int port,
+ uint64_t *data);
/* SERDES registers for ethtool */
int (*serdes_get_regs_len)(struct mv88e6xxx_chip *chip, int port);
diff --git a/drivers/net/dsa/mv88e6xxx/serdes.c b/drivers/net/dsa/mv88e6xxx/serdes.c
index 6ae7a0ed9e0b..e0e1a1b07886 100644
--- a/drivers/net/dsa/mv88e6xxx/serdes.c
+++ b/drivers/net/dsa/mv88e6xxx/serdes.c
@@ -338,8 +338,8 @@ static uint64_t mv88e6352_serdes_get_stat(struct mv88e6xxx_chip *chip,
return val;
}
-int mv88e6352_serdes_get_stats(struct mv88e6xxx_chip *chip, int port,
- uint64_t *data)
+size_t mv88e6352_serdes_get_stats(struct mv88e6xxx_chip *chip, int port,
+ uint64_t *data)
{
struct mv88e6xxx_port *mv88e6xxx_port = &chip->ports[port];
struct mv88e6352_serdes_hw_stat *stat;
@@ -787,8 +787,8 @@ static uint64_t mv88e6390_serdes_get_stat(struct mv88e6xxx_chip *chip, int lane,
return reg[0] | ((u64)reg[1] << 16) | ((u64)reg[2] << 32);
}
-int mv88e6390_serdes_get_stats(struct mv88e6xxx_chip *chip, int port,
- uint64_t *data)
+size_t mv88e6390_serdes_get_stats(struct mv88e6xxx_chip *chip, int port,
+ uint64_t *data)
{
struct mv88e6390_serdes_hw_stat *stat;
int lane;
diff --git a/drivers/net/dsa/mv88e6xxx/serdes.h b/drivers/net/dsa/mv88e6xxx/serdes.h
index 8dd8ed225b45..02966e520dd6 100644
--- a/drivers/net/dsa/mv88e6xxx/serdes.h
+++ b/drivers/net/dsa/mv88e6xxx/serdes.h
@@ -163,13 +163,13 @@ irqreturn_t mv88e6393x_serdes_irq_status(struct mv88e6xxx_chip *chip, int port,
int mv88e6352_serdes_get_sset_count(struct mv88e6xxx_chip *chip, int port);
int mv88e6352_serdes_get_strings(struct mv88e6xxx_chip *chip,
int port, uint8_t *data);
-int mv88e6352_serdes_get_stats(struct mv88e6xxx_chip *chip, int port,
- uint64_t *data);
+size_t mv88e6352_serdes_get_stats(struct mv88e6xxx_chip *chip, int port,
+ uint64_t *data);
int mv88e6390_serdes_get_sset_count(struct mv88e6xxx_chip *chip, int port);
int mv88e6390_serdes_get_strings(struct mv88e6xxx_chip *chip,
int port, uint8_t *data);
-int mv88e6390_serdes_get_stats(struct mv88e6xxx_chip *chip, int port,
- uint64_t *data);
+size_t mv88e6390_serdes_get_stats(struct mv88e6xxx_chip *chip, int port,
+ uint64_t *data);
int mv88e6352_serdes_get_regs_len(struct mv88e6xxx_chip *chip, int port);
void mv88e6352_serdes_get_regs(struct mv88e6xxx_chip *chip, int port, void *_p);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 194/476] block: prevent an integer overflow in bvec_try_merge_hw_page
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 193/476] net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 195/476] md: Whenassemble the array, consult the superblock of the freshest device Greg Kroah-Hartman
` (291 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig,
Johannes Thumshirn, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 3f034c374ad55773c12dd8f3c1607328e17c0072 ]
Reordered a check to avoid a possible overflow when adding len to bv_len.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Link: https://lore.kernel.org/r/20231204173419.782378-2-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/bio.c b/block/bio.c
index a0080dc55c95..92399883bc5e 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -809,7 +809,7 @@ static bool bio_try_merge_hw_seg(struct request_queue *q, struct bio *bio,
if ((addr1 | mask) != (addr2 | mask))
return false;
- if (bv->bv_len + len > queue_max_segment_size(q))
+ if (len > queue_max_segment_size(q) - bv->bv_len)
return false;
return __bio_try_merge_page(bio, page, len, offset, same_page);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 195/476] md: Whenassemble the array, consult the superblock of the freshest device
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 194/476] block: prevent an integer overflow in bvec_try_merge_hw_page Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 196/476] arm64: dts: qcom: msm8996: Fix in-ports is a required property Greg Kroah-Hartman
` (290 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Lyakas, Song Liu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Lyakas <alex.lyakas@zadara.com>
[ Upstream commit dc1cc22ed58f11d58d8553c5ec5f11cbfc3e3039 ]
Upon assembling the array, both kernel and mdadm allow the devices to have event
counter difference of 1, and still consider them as up-to-date.
However, a device whose event count is behind by 1, may in fact not be up-to-date,
and array resync with such a device may cause data corruption.
To avoid this, consult the superblock of the freshest device about the status
of a device, whose event counter is behind by 1.
Signed-off-by: Alex Lyakas <alex.lyakas@zadara.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/1702470271-16073-1-git-send-email-alex.lyakas@zadara.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 54 ++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 44 insertions(+), 10 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index aae9ec78c0e8..ff65e5eddfa1 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1162,6 +1162,7 @@ struct super_type {
struct md_rdev *refdev,
int minor_version);
int (*validate_super)(struct mddev *mddev,
+ struct md_rdev *freshest,
struct md_rdev *rdev);
void (*sync_super)(struct mddev *mddev,
struct md_rdev *rdev);
@@ -1300,8 +1301,9 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor
/*
* validate_super for 0.90.0
+ * note: we are not using "freshest" for 0.9 superblock
*/
-static int super_90_validate(struct mddev *mddev, struct md_rdev *rdev)
+static int super_90_validate(struct mddev *mddev, struct md_rdev *freshest, struct md_rdev *rdev)
{
mdp_disk_t *desc;
mdp_super_t *sb = page_address(rdev->sb_page);
@@ -1816,7 +1818,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
return ret;
}
-static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev)
+static int super_1_validate(struct mddev *mddev, struct md_rdev *freshest, struct md_rdev *rdev)
{
struct mdp_superblock_1 *sb = page_address(rdev->sb_page);
__u64 ev1 = le64_to_cpu(sb->events);
@@ -1912,13 +1914,15 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev)
}
} else if (mddev->pers == NULL) {
/* Insist of good event counter while assembling, except for
- * spares (which don't need an event count) */
- ++ev1;
+ * spares (which don't need an event count).
+ * Similar to mdadm, we allow event counter difference of 1
+ * from the freshest device.
+ */
if (rdev->desc_nr >= 0 &&
rdev->desc_nr < le32_to_cpu(sb->max_dev) &&
(le16_to_cpu(sb->dev_roles[rdev->desc_nr]) < MD_DISK_ROLE_MAX ||
le16_to_cpu(sb->dev_roles[rdev->desc_nr]) == MD_DISK_ROLE_JOURNAL))
- if (ev1 < mddev->events)
+ if (ev1 + 1 < mddev->events)
return -EINVAL;
} else if (mddev->bitmap) {
/* If adding to array with a bitmap, then we can accept an
@@ -1939,8 +1943,38 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev)
rdev->desc_nr >= le32_to_cpu(sb->max_dev)) {
role = MD_DISK_ROLE_SPARE;
rdev->desc_nr = -1;
- } else
+ } else if (mddev->pers == NULL && freshest && ev1 < mddev->events) {
+ /*
+ * If we are assembling, and our event counter is smaller than the
+ * highest event counter, we cannot trust our superblock about the role.
+ * It could happen that our rdev was marked as Faulty, and all other
+ * superblocks were updated with +1 event counter.
+ * Then, before the next superblock update, which typically happens when
+ * remove_and_add_spares() removes the device from the array, there was
+ * a crash or reboot.
+ * If we allow current rdev without consulting the freshest superblock,
+ * we could cause data corruption.
+ * Note that in this case our event counter is smaller by 1 than the
+ * highest, otherwise, this rdev would not be allowed into array;
+ * both kernel and mdadm allow event counter difference of 1.
+ */
+ struct mdp_superblock_1 *freshest_sb = page_address(freshest->sb_page);
+ u32 freshest_max_dev = le32_to_cpu(freshest_sb->max_dev);
+
+ if (rdev->desc_nr >= freshest_max_dev) {
+ /* this is unexpected, better not proceed */
+ pr_warn("md: %s: rdev[%pg]: desc_nr(%d) >= freshest(%pg)->sb->max_dev(%u)\n",
+ mdname(mddev), rdev->bdev, rdev->desc_nr,
+ freshest->bdev, freshest_max_dev);
+ return -EUCLEAN;
+ }
+
+ role = le16_to_cpu(freshest_sb->dev_roles[rdev->desc_nr]);
+ pr_debug("md: %s: rdev[%pg]: role=%d(0x%x) according to freshest %pg\n",
+ mdname(mddev), rdev->bdev, role, role, freshest->bdev);
+ } else {
role = le16_to_cpu(sb->dev_roles[rdev->desc_nr]);
+ }
switch(role) {
case MD_DISK_ROLE_SPARE: /* spare */
break;
@@ -2890,7 +2924,7 @@ static int add_bound_rdev(struct md_rdev *rdev)
* and should be added immediately.
*/
super_types[mddev->major_version].
- validate_super(mddev, rdev);
+ validate_super(mddev, NULL/*freshest*/, rdev);
if (add_journal)
mddev_suspend(mddev);
err = mddev->pers->hot_add_disk(mddev, rdev);
@@ -3809,7 +3843,7 @@ static int analyze_sbs(struct mddev *mddev)
}
super_types[mddev->major_version].
- validate_super(mddev, freshest);
+ validate_super(mddev, NULL/*freshest*/, freshest);
i = 0;
rdev_for_each_safe(rdev, tmp, mddev) {
@@ -3824,7 +3858,7 @@ static int analyze_sbs(struct mddev *mddev)
}
if (rdev != freshest) {
if (super_types[mddev->major_version].
- validate_super(mddev, rdev)) {
+ validate_super(mddev, freshest, rdev)) {
pr_warn("md: kicking non-fresh %s from array!\n",
bdevname(rdev->bdev,b));
md_kick_rdev_from_array(rdev);
@@ -6795,7 +6829,7 @@ int md_add_new_disk(struct mddev *mddev, struct mdu_disk_info_s *info)
rdev->saved_raid_disk = rdev->raid_disk;
} else
super_types[mddev->major_version].
- validate_super(mddev, rdev);
+ validate_super(mddev, NULL/*freshest*/, rdev);
if ((info->state & (1<<MD_DISK_SYNC)) &&
rdev->raid_disk != info->raid_disk) {
/* This was a hot-add request, but events doesn't
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 196/476] arm64: dts: qcom: msm8996: Fix in-ports is a required property
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 195/476] md: Whenassemble the array, consult the superblock of the freshest device Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 197/476] arm64: dts: qcom: msm8998: Fix out-ports " Greg Kroah-Hartman
` (289 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Mao Jinlong,
Bjorn Andersson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mao Jinlong <quic_jinlmao@quicinc.com>
[ Upstream commit 9a6fc510a6a3ec150cb7450aec1e5f257e6fc77b ]
Add the inport of funnel@3023000 to fix 'in-ports' is a required property
warning.
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Mao Jinlong <quic_jinlmao@quicinc.com>
Link: https://lore.kernel.org/r/20231210072633.4243-3-quic_jinlmao@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8996.dtsi | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
index 8a7c65178507..fd9ffe8448b0 100644
--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
@@ -394,6 +394,19 @@
reg = <0x0 0x80000000 0x0 0x0>;
};
+ etm {
+ compatible = "qcom,coresight-remote-etm";
+
+ out-ports {
+ port {
+ modem_etm_out_funnel_in2: endpoint {
+ remote-endpoint =
+ <&funnel_in2_in_modem_etm>;
+ };
+ };
+ };
+ };
+
psci {
compatible = "arm,psci-1.0";
method = "smc";
@@ -2203,6 +2216,14 @@
clocks = <&rpmcc RPM_QDSS_CLK>, <&rpmcc RPM_QDSS_A_CLK>;
clock-names = "apb_pclk", "atclk";
+ in-ports {
+ port {
+ funnel_in2_in_modem_etm: endpoint {
+ remote-endpoint =
+ <&modem_etm_out_funnel_in2>;
+ };
+ };
+ };
out-ports {
port {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 197/476] arm64: dts: qcom: msm8998: Fix out-ports is a required property
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 196/476] arm64: dts: qcom: msm8996: Fix in-ports is a required property Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 198/476] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices Greg Kroah-Hartman
` (288 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Mao Jinlong,
Bjorn Andersson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mao Jinlong <quic_jinlmao@quicinc.com>
[ Upstream commit ae5ee3562a2519214b12228545e88a203dd68bbd ]
out-ports is a required property for coresight ETM. Add out-ports for
ETM nodes to fix the warning.
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Mao Jinlong <quic_jinlmao@quicinc.com>
Link: https://lore.kernel.org/r/20231210072633.4243-4-quic_jinlmao@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8998.dtsi | 32 +++++++++++++++++----------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8998.dtsi b/arch/arm64/boot/dts/qcom/msm8998.dtsi
index b7d72b0d579e..7eadecba0175 100644
--- a/arch/arm64/boot/dts/qcom/msm8998.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8998.dtsi
@@ -1863,9 +1863,11 @@
cpu = <&CPU4>;
- port{
- etm4_out: endpoint {
- remote-endpoint = <&apss_funnel_in4>;
+ out-ports {
+ port{
+ etm4_out: endpoint {
+ remote-endpoint = <&apss_funnel_in4>;
+ };
};
};
};
@@ -1880,9 +1882,11 @@
cpu = <&CPU5>;
- port{
- etm5_out: endpoint {
- remote-endpoint = <&apss_funnel_in5>;
+ out-ports {
+ port{
+ etm5_out: endpoint {
+ remote-endpoint = <&apss_funnel_in5>;
+ };
};
};
};
@@ -1897,9 +1901,11 @@
cpu = <&CPU6>;
- port{
- etm6_out: endpoint {
- remote-endpoint = <&apss_funnel_in6>;
+ out-ports {
+ port{
+ etm6_out: endpoint {
+ remote-endpoint = <&apss_funnel_in6>;
+ };
};
};
};
@@ -1914,9 +1920,11 @@
cpu = <&CPU7>;
- port{
- etm7_out: endpoint {
- remote-endpoint = <&apss_funnel_in7>;
+ out-ports {
+ port{
+ etm7_out: endpoint {
+ remote-endpoint = <&apss_funnel_in7>;
+ };
};
};
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 198/476] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 197/476] arm64: dts: qcom: msm8998: Fix out-ports " Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 199/476] libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos Greg Kroah-Hartman
` (287 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zenm Chen, Ping-Ke Shih, Kalle Valo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenm Chen <zenmchen@gmail.com>
[ Upstream commit 4e87ca403e2008b9e182239e1abbf6876a55eb33 ]
Add additional USB IDs found in the vendor driver from
https://github.com/Mange/rtl8192eu-linux-driver to support more
RTL8192EU devices.
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231217123017.1982-1-zenmchen@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index be93ffa5086a..30d9a195c6fb 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -6973,6 +6973,18 @@ static const struct usb_device_id dev_table[] = {
.driver_info = (unsigned long)&rtl8192eu_fops},
{USB_DEVICE_AND_INTERFACE_INFO(USB_VENDOR_ID_REALTEK, 0x818c, 0xff, 0xff, 0xff),
.driver_info = (unsigned long)&rtl8192eu_fops},
+/* D-Link DWA-131 rev C1 */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3312, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* TP-Link TL-WN8200ND V2 */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2357, 0x0126, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* Mercusys MW300UM */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0100, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* Mercusys MW300UH */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0104, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
#endif
{ }
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 199/476] libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 198/476] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 200/476] ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Greg Kroah-Hartman
` (286 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mingyi Zhang, Xin Liu, Changye Wu,
Andrii Nakryiko, Daniel Borkmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyi Zhang <zhangmingyi5@huawei.com>
[ Upstream commit fc3a5534e2a8855427403113cbeb54af5837bbe0 ]
An issue occurred while reading an ELF file in libbpf.c during fuzzing:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
4206 in libbpf.c
(gdb) bt
#0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
#1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
#2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
#3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
#4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
#5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
#6 0x000000000087ad92 in tracing::span::Span::in_scope ()
#7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
#8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
#9 0x00000000005f2601 in main ()
(gdb)
scn_data was null at this code(tools/lib/bpf/src/libbpf.c):
if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
The scn_data is derived from the code above:
scn = elf_sec_by_idx(obj, sec_idx);
scn_data = elf_sec_data(obj, scn);
relo_sec_name = elf_sec_str(obj, shdr->sh_name);
sec_name = elf_sec_name(obj, scn);
if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL
return -EINVAL;
In certain special scenarios, such as reading a malformed ELF file,
it is possible that scn_data may be a null pointer
Signed-off-by: Mingyi Zhang <zhangmingyi5@huawei.com>
Signed-off-by: Xin Liu <liuxin350@huawei.com>
Signed-off-by: Changye Wu <wuchangye@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20231221033947.154564-1-liuxin350@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/libbpf.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index f87a15bbf53b..0c201f07d8ae 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -3803,6 +3803,8 @@ bpf_object__collect_prog_relos(struct bpf_object *obj, GElf_Shdr *shdr, Elf_Data
scn = elf_sec_by_idx(obj, sec_idx);
scn_data = elf_sec_data(obj, scn);
+ if (!scn_data)
+ return -LIBBPF_ERRNO__FORMAT;
relo_sec_name = elf_sec_str(obj, shdr->sh_name);
sec_name = elf_sec_name(obj, scn);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 200/476] ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 199/476] libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 201/476] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() Greg Kroah-Hartman
` (285 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Tsoy, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Tsoy <alexander@tsoy.me>
commit d915a6850e27efb383cd4400caadfe47792623df upstream.
Audio control requests that sets sampling frequency sometimes fail on
this card. Adding delay between control messages eliminates that problem.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217601
Cc: <stable@vger.kernel.org>
Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
Link: https://lore.kernel.org/r/20240124130239.358298-1-alexander@tsoy.me
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1796,6 +1796,8 @@ static const struct usb_audio_quirk_flag
QUIRK_FLAG_GENERIC_IMPLICIT_FB),
DEVICE_FLG(0x0763, 0x2031, /* M-Audio Fast Track C600 */
QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x07fd, 0x000b, /* MOTU M Series 2nd hardware revision */
+ QUIRK_FLAG_CTL_MSG_DELAY_1M),
DEVICE_FLG(0x08bb, 0x2702, /* LineX FM Transmitter */
QUIRK_FLAG_IGNORE_CTL_ERROR),
DEVICE_FLG(0x0951, 0x16ad, /* Kingston HyperX */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 201/476] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 200/476] ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 202/476] wifi: cfg80211: free beacon_ies when overridden from hidden BSS Greg Kroah-Hartman
` (284 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Su Hui, Kalle Valo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 5c16618bc06a41ad68fd8499a21d35ef57ca06c2 ]
Using calculate_bit_shift() to replace rtl8723_phy_calculate_bit_shift().
And fix an undefined bitwise shift behavior problem.
Signed-off-by: Su Hui <suhui@nfschina.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231219065739.1895666-12-suhui@nfschina.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c | 6 +++---
drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
index fe9b407dc2af..71e29b103da5 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
@@ -49,7 +49,7 @@ u32 rtl8723e_phy_query_rf_reg(struct ieee80211_hw *hw,
rfpath, regaddr);
}
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
readback_value = (original_value & bitmask) >> bitshift;
spin_unlock(&rtlpriv->locks.rf_lock);
@@ -80,7 +80,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw,
original_value = rtl8723_phy_rf_serial_read(hw,
rfpath,
regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data =
((original_value & (~bitmask)) |
(data << bitshift));
@@ -89,7 +89,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw,
rtl8723_phy_rf_serial_write(hw, rfpath, regaddr, data);
} else {
if (bitmask != RFREG_OFFSET_MASK) {
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data =
((original_value & (~bitmask)) |
(data << bitshift));
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
index 2b9313cb93db..094cb36153f5 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
@@ -41,7 +41,7 @@ u32 rtl8723be_phy_query_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath,
spin_lock(&rtlpriv->locks.rf_lock);
original_value = rtl8723_phy_rf_serial_read(hw, rfpath, regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
readback_value = (original_value & bitmask) >> bitshift;
spin_unlock(&rtlpriv->locks.rf_lock);
@@ -68,7 +68,7 @@ void rtl8723be_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path path,
if (bitmask != RFREG_OFFSET_MASK) {
original_value = rtl8723_phy_rf_serial_read(hw, path,
regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data = ((original_value & (~bitmask)) |
(data << bitshift));
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 202/476] wifi: cfg80211: free beacon_ies when overridden from hidden BSS
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 201/476] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 203/476] Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066 Greg Kroah-Hartman
` (283 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Johannes Berg,
Miri Korenblit, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin.berg@intel.com>
[ Upstream commit 32af9a9e1069e55bc02741fb00ac9d0ca1a2eaef ]
This is a more of a cosmetic fix. The branch will only be taken if
proberesp_ies is set, which implies that beacon_ies is not set unless we
are connected to an AP that just did a channel switch. And, in that case
we should have found the BSS in the internal storage to begin with.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20231220133549.b898e22dadff.Id8c4c10aedd176ef2e18a4cad747b299f150f9df@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/scan.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 4decdc2c601f..68c48970ebf7 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1808,8 +1808,12 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
list_add(&new->hidden_list,
&hidden->hidden_list);
hidden->refcount++;
+
+ ies = (void *)rcu_dereference(new->pub.beacon_ies);
rcu_assign_pointer(new->pub.beacon_ies,
hidden->pub.beacon_ies);
+ if (ies)
+ kfree_rcu(ies, rcu_head);
}
} else {
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 203/476] Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 202/476] wifi: cfg80211: free beacon_ies when overridden from hidden BSS Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 204/476] Bluetooth: L2CAP: Fix possible multiple reject send Greg Kroah-Hartman
` (282 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijun Hu, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit 5d192b697c7417254cdd9edc3d5e9e0364eb9045 ]
Set both WIDEBAND_SPEECH_SUPPORTED and VALID_LE_STATES quirks
for QCA2066.
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_qca.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 56b4b7248483..d10f1fe0f5fa 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1860,6 +1860,7 @@ static const struct qca_device_data qca_soc_data_wcn3998 = {
static const struct qca_device_data qca_soc_data_qca6390 = {
.soc_type = QCA_QCA6390,
.num_vregs = 0,
+ .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES,
};
static const struct qca_device_data qca_soc_data_wcn6750 = {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 204/476] Bluetooth: L2CAP: Fix possible multiple reject send
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 203/476] Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066 Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 205/476] bridge: cfm: fix enum typo in br_cc_ccm_tx_parse Greg Kroah-Hartman
` (281 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frédéric Danis,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frédéric Danis <frederic.danis@collabora.com>
[ Upstream commit 96a3398b467ab8aada3df2f3a79f4b7835d068b8 ]
In case of an incomplete command or a command with a null identifier 2
reject packets will be sent, one with the identifier and one with 0.
Consuming the data of the command will prevent it.
This allows to send a reject packet for each corrupted command in a
multi-command packet.
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 9f3596de90a7..850b6aab7377 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6527,7 +6527,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
if (len > skb->len || !cmd->ident) {
BT_DBG("corrupted command");
l2cap_sig_send_rej(conn, cmd->ident);
- break;
+ skb_pull(skb, len > skb->len ? skb->len : len);
+ continue;
}
err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 205/476] bridge: cfm: fix enum typo in br_cc_ccm_tx_parse
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 204/476] Bluetooth: L2CAP: Fix possible multiple reject send Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 206/476] i40e: Fix VF disable behavior to block all traffic Greg Kroah-Hartman
` (280 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin Ma, Simon Horman,
Nikolay Aleksandrov, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit c2b2ee36250d967c21890cb801e24af4b6a9eaa5 ]
It appears that there is a typo in the code where the nlattr array is
being parsed with policy br_cfm_cc_ccm_tx_policy, but the instance is
being accessed via IFLA_BRIDGE_CFM_CC_RDI_INSTANCE, which is associated
with the policy br_cfm_cc_rdi_policy.
This problem was introduced by commit 2be665c3940d ("bridge: cfm: Netlink
SET configuration Interface.").
Though it seems like a harmless typo since these two enum owns the exact
same value (1 here), it is quite misleading hence fix it by using the
correct enum IFLA_BRIDGE_CFM_CC_CCM_TX_INSTANCE here.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_cfm_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bridge/br_cfm_netlink.c b/net/bridge/br_cfm_netlink.c
index 5c4c369f8536..2faab44652e7 100644
--- a/net/bridge/br_cfm_netlink.c
+++ b/net/bridge/br_cfm_netlink.c
@@ -362,7 +362,7 @@ static int br_cc_ccm_tx_parse(struct net_bridge *br, struct nlattr *attr,
memset(&tx_info, 0, sizeof(tx_info));
- instance = nla_get_u32(tb[IFLA_BRIDGE_CFM_CC_RDI_INSTANCE]);
+ instance = nla_get_u32(tb[IFLA_BRIDGE_CFM_CC_CCM_TX_INSTANCE]);
nla_memcpy(&tx_info.dmac.addr,
tb[IFLA_BRIDGE_CFM_CC_CCM_TX_DMAC],
sizeof(tx_info.dmac.addr));
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 206/476] i40e: Fix VF disable behavior to block all traffic
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 205/476] bridge: cfm: fix enum typo in br_cc_ccm_tx_parse Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 207/476] octeontx2-af: Fix max NPC MCAM entry check while validating ref_entry Greg Kroah-Hartman
` (279 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Jan Sokolowski,
Wojciech Drewek, Przemek Kitszel, Andrii Staikov,
Rafal Romanowski, Tony Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Staikov <andrii.staikov@intel.com>
[ Upstream commit 31deb12e85c35ddd2c037f0107d05d8674cab2c0 ]
Currently, if a VF is disabled using the
'ip link set dev $ETHX vf $VF_NUM state disable' command, the VF is still
able to receive traffic.
Fix the behavior of the 'ip link set dev $ETHX vf $VF_NUM state disable'
to completely shutdown the VF's queues making it entirely disabled and
not able to receive or send any traffic.
Modify the behavior of the 'ip link set $ETHX vf $VF_NUM state enable'
command to make a VF do reinitialization bringing the queues back up.
Co-developed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Jan Sokolowski <jan.sokolowski@intel.com>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Andrii Staikov <andrii.staikov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/intel/i40e/i40e_virtchnl_pf.c | 32 +++++++++++++++++++
.../ethernet/intel/i40e/i40e_virtchnl_pf.h | 1 +
2 files changed, 33 insertions(+)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 4d23ff936ce4..9ff8bf346b9e 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -2603,6 +2603,14 @@ static int i40e_vc_enable_queues_msg(struct i40e_vf *vf, u8 *msg)
int aq_ret = 0;
int i;
+ if (vf->is_disabled_from_host) {
+ aq_ret = -EPERM;
+ dev_info(&pf->pdev->dev,
+ "Admin has disabled VF %d, will not enable queues\n",
+ vf->vf_id);
+ goto error_param;
+ }
+
if (!test_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states)) {
aq_ret = I40E_ERR_PARAM;
goto error_param;
@@ -4630,9 +4638,12 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link)
struct i40e_link_status *ls = &pf->hw.phy.link_info;
struct virtchnl_pf_event pfe;
struct i40e_hw *hw = &pf->hw;
+ struct i40e_vsi *vsi;
+ unsigned long q_map;
struct i40e_vf *vf;
int abs_vf_id;
int ret = 0;
+ int tmp;
if (test_and_set_bit(__I40E_VIRTCHNL_OP_PENDING, pf->state)) {
dev_warn(&pf->pdev->dev, "Unable to configure VFs, other operation is pending.\n");
@@ -4655,17 +4666,38 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link)
switch (link) {
case IFLA_VF_LINK_STATE_AUTO:
vf->link_forced = false;
+ vf->is_disabled_from_host = false;
+ /* reset needed to reinit VF resources */
+ i40e_vc_reset_vf(vf, true);
i40e_set_vf_link_state(vf, &pfe, ls);
break;
case IFLA_VF_LINK_STATE_ENABLE:
vf->link_forced = true;
vf->link_up = true;
+ vf->is_disabled_from_host = false;
+ /* reset needed to reinit VF resources */
+ i40e_vc_reset_vf(vf, true);
i40e_set_vf_link_state(vf, &pfe, ls);
break;
case IFLA_VF_LINK_STATE_DISABLE:
vf->link_forced = true;
vf->link_up = false;
i40e_set_vf_link_state(vf, &pfe, ls);
+
+ vsi = pf->vsi[vf->lan_vsi_idx];
+ q_map = BIT(vsi->num_queue_pairs) - 1;
+
+ vf->is_disabled_from_host = true;
+
+ /* Try to stop both Tx&Rx rings even if one of the calls fails
+ * to ensure we stop the rings even in case of errors.
+ * If any of them returns with an error then the first
+ * error that occurred will be returned.
+ */
+ tmp = i40e_ctrl_vf_tx_rings(vsi, q_map, false);
+ ret = i40e_ctrl_vf_rx_rings(vsi, q_map, false);
+
+ ret = tmp ? tmp : ret;
break;
default:
ret = -EINVAL;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
index bd497cc5303a..97e9c34d7c6c 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
@@ -98,6 +98,7 @@ struct i40e_vf {
bool link_forced;
bool link_up; /* only valid if VF link is forced */
bool spoofchk;
+ bool is_disabled_from_host; /* PF ctrl of VF enable/disable */
u16 num_vlan;
/* ADq related variables */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 207/476] octeontx2-af: Fix max NPC MCAM entry check while validating ref_entry
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 206/476] i40e: Fix VF disable behavior to block all traffic Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 208/476] f2fs: fix to check return value of f2fs_reserve_new_block() Greg Kroah-Hartman
` (278 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suman Ghosh, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suman Ghosh <sumang@marvell.com>
[ Upstream commit 4ebb1f95e0c3c3e0eec5bb21aa43097580c4b6e4 ]
As of today, the last MCAM entry was not getting allocated because of
a <= check with the max_bmap count. This patch modifies that and if the
requested entry is greater than the available entries then set it to the
max value.
Signed-off-by: Suman Ghosh <sumang@marvell.com>
Link: https://lore.kernel.org/r/20240101145042.419697-1-sumang@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
index 8b16738e249f..70b4f2a3b02f 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
@@ -2625,18 +2625,17 @@ int rvu_mbox_handler_npc_mcam_alloc_entry(struct rvu *rvu,
rsp->entry = NPC_MCAM_ENTRY_INVALID;
rsp->free_count = 0;
- /* Check if ref_entry is within range */
- if (req->priority && req->ref_entry >= mcam->bmap_entries) {
- dev_err(rvu->dev, "%s: reference entry %d is out of range\n",
- __func__, req->ref_entry);
- return NPC_MCAM_INVALID_REQ;
- }
+ /* Check if ref_entry is greater that the range
+ * then set it to max value.
+ */
+ if (req->ref_entry > mcam->bmap_entries)
+ req->ref_entry = mcam->bmap_entries;
/* ref_entry can't be '0' if requested priority is high.
* Can't be last entry if requested priority is low.
*/
if ((!req->ref_entry && req->priority == NPC_MCAM_HIGHER_PRIO) ||
- ((req->ref_entry == (mcam->bmap_entries - 1)) &&
+ ((req->ref_entry == mcam->bmap_entries) &&
req->priority == NPC_MCAM_LOWER_PRIO))
return NPC_MCAM_INVALID_REQ;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 208/476] f2fs: fix to check return value of f2fs_reserve_new_block()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 207/476] octeontx2-af: Fix max NPC MCAM entry check while validating ref_entry Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 209/476] ALSA: hda: Refer to correct stream index at loops Greg Kroah-Hartman
` (277 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 956fa1ddc132e028f3b7d4cf17e6bfc8cb36c7fd ]
Let's check return value of f2fs_reserve_new_block() in do_recover_data()
rather than letting it fails silently.
Also refactoring check condition on return value of f2fs_reserve_new_block()
as below:
- trigger f2fs_bug_on() only for ENOSPC case;
- use do-while statement to avoid redundant codes;
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/recovery.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c
index ba7eeb3c2738..da0801aa4118 100644
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -657,7 +657,16 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode,
*/
if (dest == NEW_ADDR) {
f2fs_truncate_data_blocks_range(&dn, 1);
- f2fs_reserve_new_block(&dn);
+ do {
+ err = f2fs_reserve_new_block(&dn);
+ if (err == -ENOSPC) {
+ f2fs_bug_on(sbi, 1);
+ break;
+ }
+ } while (err &&
+ IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION));
+ if (err)
+ goto err;
continue;
}
@@ -665,12 +674,14 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode,
if (f2fs_is_valid_blkaddr(sbi, dest, META_POR)) {
if (src == NULL_ADDR) {
- err = f2fs_reserve_new_block(&dn);
- while (err &&
- IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION))
+ do {
err = f2fs_reserve_new_block(&dn);
- /* We should not get -ENOSPC */
- f2fs_bug_on(sbi, err);
+ if (err == -ENOSPC) {
+ f2fs_bug_on(sbi, 1);
+ break;
+ }
+ } while (err &&
+ IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION));
if (err)
goto err;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 209/476] ALSA: hda: Refer to correct stream index at loops
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 208/476] f2fs: fix to check return value of f2fs_reserve_new_block() Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 210/476] ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument Greg Kroah-Hartman
` (276 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 26257869672fd4a06a60c2da841e15fb2cb47bbe ]
In a couple of loops over the all streams, we check the bitmap against
the loop counter. A more correct reference would be, however, the
index of each stream, instead.
This patch corrects the check of bitmaps to the stream index.
Note that this change doesn't fix anything for now; all existing
drivers set up the stream indices properly, hence the loop count is
always equal with the stream index. That said, this change is only
for consistency.
Link: https://lore.kernel.org/r/20231121154125.4888-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/hdac_stream.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
index ec95d0449bfe..c3342c9fee86 100644
--- a/sound/hda/hdac_stream.c
+++ b/sound/hda/hdac_stream.c
@@ -598,17 +598,15 @@ void snd_hdac_stream_timecounter_init(struct hdac_stream *azx_dev,
struct hdac_stream *s;
bool inited = false;
u64 cycle_last = 0;
- int i = 0;
list_for_each_entry(s, &bus->stream_list, list) {
- if (streams & (1 << i)) {
+ if ((streams & (1 << s->index))) {
azx_timecounter_init(s, inited, cycle_last);
if (!inited) {
inited = true;
cycle_last = s->tc.cycle_last;
}
}
- i++;
}
snd_pcm_gettime(runtime, &runtime->trigger_tstamp);
@@ -653,14 +651,13 @@ void snd_hdac_stream_sync(struct hdac_stream *azx_dev, bool start,
unsigned int streams)
{
struct hdac_bus *bus = azx_dev->bus;
- int i, nwait, timeout;
+ int nwait, timeout;
struct hdac_stream *s;
for (timeout = 5000; timeout; timeout--) {
nwait = 0;
- i = 0;
list_for_each_entry(s, &bus->stream_list, list) {
- if (!(streams & (1 << i++)))
+ if (!(streams & (1 << s->index)))
continue;
if (start) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 210/476] ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 209/476] ALSA: hda: Refer to correct stream index at loops Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 211/476] fast_dput(): handle underflows gracefully Greg Kroah-Hartman
` (275 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cristian Ciocaltea, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
[ Upstream commit 67c7666fe808c3a7af3cc6f9d0a3dd3acfd26115 ]
The virtual widget example makes use of an undefined SND_SOC_DAPM_NOPM
argument passed to SND_SOC_DAPM_MIXER(). Replace with the correct
SND_SOC_NOPM definition.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Link: https://lore.kernel.org/r/20231121120751.77355-1-cristian.ciocaltea@collabora.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/sound/soc/dapm.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/sound/soc/dapm.rst b/Documentation/sound/soc/dapm.rst
index 8e44107933ab..c3154ce6e1b2 100644
--- a/Documentation/sound/soc/dapm.rst
+++ b/Documentation/sound/soc/dapm.rst
@@ -234,7 +234,7 @@ corresponding soft power control. In this case it is necessary to create
a virtual widget - a widget with no control bits e.g.
::
- SND_SOC_DAPM_MIXER("AC97 Mixer", SND_SOC_DAPM_NOPM, 0, 0, NULL, 0),
+ SND_SOC_DAPM_MIXER("AC97 Mixer", SND_SOC_NOPM, 0, 0, NULL, 0),
This can be used to merge to signal paths together in software.
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 211/476] fast_dput(): handle underflows gracefully
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 210/476] ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 212/476] RDMA/IPoIB: Fix error code return in ipoib_mcast_join Greg Kroah-Hartman
` (274 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Al Viro, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 504e08cebe1d4e1efe25f915234f646e74a364a8 ]
If refcount is less than 1, we should just warn, unlock dentry and
return true, so that the caller doesn't try to do anything else.
Taking care of that leaves the rest of "lockref_put_return() has
failed" case equivalent to "decrement refcount and rejoin the
normal slow path after the point where we grab ->d_lock".
NOTE: lockref_put_return() is strictly a fastpath thing - unlike
the rest of lockref primitives, it does not contain a fallback.
Caller (and it looks like fast_dput() is the only legitimate one
in the entire kernel) has to do that itself. Reasons for
lockref_put_return() failures:
* ->d_lock held by somebody
* refcount <= 0
* ... or an architecture not supporting lockref use of
cmpxchg - sparc, anything non-SMP, config with spinlock debugging...
We could add a fallback, but it would be a clumsy API - we'd have
to distinguish between:
(1) refcount > 1 - decremented, lock not held on return
(2) refcount < 1 - left alone, probably no sense to hold the lock
(3) refcount is 1, no cmphxcg - decremented, lock held on return
(4) refcount is 1, cmphxcg supported - decremented, lock *NOT* held
on return.
We want to return with no lock held in case (4); that's the whole point of that
thing. We very much do not want to have the fallback in case (3) return without
a lock, since the caller might have to retake it in that case.
So it wouldn't be more convenient than doing the fallback in the caller and
it would be very easy to screw up, especially since the test coverage would
suck - no way to test (3) and (4) on the same kernel build.
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/dcache.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/dcache.c b/fs/dcache.c
index cf871a81f4fd..422c440b492a 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -762,12 +762,12 @@ static inline bool fast_dput(struct dentry *dentry)
*/
if (unlikely(ret < 0)) {
spin_lock(&dentry->d_lock);
- if (dentry->d_lockref.count > 1) {
- dentry->d_lockref.count--;
+ if (WARN_ON_ONCE(dentry->d_lockref.count <= 0)) {
spin_unlock(&dentry->d_lock);
return true;
}
- return false;
+ dentry->d_lockref.count--;
+ goto locked;
}
/*
@@ -825,6 +825,7 @@ static inline bool fast_dput(struct dentry *dentry)
* else could have killed it and marked it dead. Either way, we
* don't need to do anything else.
*/
+locked:
if (dentry->d_lockref.count) {
spin_unlock(&dentry->d_lock);
return true;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 212/476] RDMA/IPoIB: Fix error code return in ipoib_mcast_join
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 211/476] fast_dput(): handle underflows gracefully Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 213/476] drm/amd/display: Fix tiled display misalignment Greg Kroah-Hartman
` (273 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jack Wang, Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jack Wang <jinpu.wang@ionos.com>
[ Upstream commit 753fff78f430704548f45eda52d6d55371a52c0f ]
Return the error code in case of ib_sa_join_multicast fail.
Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
Link: https://lore.kernel.org/r/20231121130316.126364-2-jinpu.wang@ionos.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
index 5b3154503bf4..9e6967a40042 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -546,6 +546,7 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast)
spin_unlock_irq(&priv->lock);
complete(&mcast->done);
spin_lock_irq(&priv->lock);
+ return ret;
}
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 213/476] drm/amd/display: Fix tiled display misalignment
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 212/476] RDMA/IPoIB: Fix error code return in ipoib_mcast_join Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 214/476] f2fs: fix write pointers on zoned device after roll forward Greg Kroah-Hartman
` (272 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Kazlauskas, Hamza Mahfooz,
Meenakshikumar Somasundaram, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Meenakshikumar Somasundaram <meenakshikumar.somasundaram@amd.com>
[ Upstream commit c4b8394e76adba4f50a3c2696c75b214a291e24a ]
[Why]
When otg workaround is applied during clock update, otgs of
tiled display went out of sync.
[How]
To call dc_trigger_sync() after clock update to sync otgs again.
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Acked-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Meenakshikumar Somasundaram <meenakshikumar.somasundaram@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 3919e75fec16..ef151a1bc31c 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -1680,6 +1680,10 @@ static enum dc_status dc_commit_state_no_check(struct dc *dc, struct dc_state *c
wait_for_no_pipes_pending(dc, context);
/* pplib is notified if disp_num changed */
dc->hwss.optimize_bandwidth(dc, context);
+ /* Need to do otg sync again as otg could be out of sync due to otg
+ * workaround applied during clock update
+ */
+ dc_trigger_sync(dc, context);
}
if (dc->ctx->dce_version >= DCE_VERSION_MAX)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 214/476] f2fs: fix write pointers on zoned device after roll forward
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 213/476] drm/amd/display: Fix tiled display misalignment Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 215/476] drm/drm_file: fix use of uninitialized variable Greg Kroah-Hartman
` (271 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daeho Jeong, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
[ Upstream commit 9dad4d964291295ef48243d4e03972b85138bc9f ]
1. do roll forward recovery
2. update current segments pointers
3. fix the entire zones' write pointers
4. do checkpoint
Reviewed-by: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/recovery.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c
index da0801aa4118..f07ae58d266d 100644
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -871,6 +871,8 @@ int f2fs_recover_fsync_data(struct f2fs_sb_info *sbi, bool check_only)
if (!err && fix_curseg_write_pointer && !f2fs_readonly(sbi->sb) &&
f2fs_sb_has_blkzoned(sbi)) {
err = f2fs_fix_curseg_write_pointer(sbi);
+ if (!err)
+ err = f2fs_check_write_pointer(sbi);
ret = err;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 215/476] drm/drm_file: fix use of uninitialized variable
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 214/476] f2fs: fix write pointers on zoned device after roll forward Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 216/476] drm/framebuffer: Fix " Greg Kroah-Hartman
` (270 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Maxime Ripard,
Tomi Valkeinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
[ Upstream commit 1d3062fad9c7313fff9970a88e0538a24480ffb8 ]
smatch reports:
drivers/gpu/drm/drm_file.c:967 drm_show_memory_stats() error: uninitialized symbol 'supported_status'.
'supported_status' is only set in one code path. I'm not familiar with
the code to say if that path will always be ran in real life, but
whether that is the case or not, I think it is good to initialize
'supported_status' to 0 to silence the warning (and possibly fix a bug).
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Acked-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-1-c22b2444f5f5@ideasonboard.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
index ed25168619fc..5062f13808f2 100644
--- a/drivers/gpu/drm/drm_file.c
+++ b/drivers/gpu/drm/drm_file.c
@@ -411,7 +411,7 @@ int drm_open(struct inode *inode, struct file *filp)
{
struct drm_device *dev;
struct drm_minor *minor;
- int retcode;
+ int retcode = 0;
int need_setup = 0;
minor = drm_minor_acquire(iminor(inode));
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 216/476] drm/framebuffer: Fix use of uninitialized variable
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 215/476] drm/drm_file: fix use of uninitialized variable Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 217/476] drm/mipi-dsi: Fix detach call without attach Greg Kroah-Hartman
` (269 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Maxime Ripard,
Tomi Valkeinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
[ Upstream commit f9af8f0c1dc567a5a6a6318ff324c45d80d4a60f ]
smatch reports:
drivers/gpu/drm/drm_framebuffer.c:654 drm_mode_getfb2_ioctl() error: uninitialized symbol 'ret'.
'ret' is possibly not set when there are no errors, causing the error
above. I can't say if that ever happens in real-life, but in any case I
think it is good to initialize 'ret' to 0.
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Acked-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-2-c22b2444f5f5@ideasonboard.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_framebuffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c
index 07f5abc875e9..4fd018c8235c 100644
--- a/drivers/gpu/drm/drm_framebuffer.c
+++ b/drivers/gpu/drm/drm_framebuffer.c
@@ -570,7 +570,7 @@ int drm_mode_getfb2_ioctl(struct drm_device *dev,
struct drm_mode_fb_cmd2 *r = data;
struct drm_framebuffer *fb;
unsigned int i;
- int ret;
+ int ret = 0;
if (!drm_core_check_feature(dev, DRIVER_MODESET))
return -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 217/476] drm/mipi-dsi: Fix detach call without attach
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 216/476] drm/framebuffer: Fix " Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 218/476] media: stk1160: Fixed high volume of stk1160_dbg messages Greg Kroah-Hartman
` (268 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, H. Nikolaus Schaller, Maxime Ripard,
Sebastian Reichel, Tony Lindgren, Tomi Valkeinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
[ Upstream commit 90d50b8d85834e73536fdccd5aa913b30494fef0 ]
It's been reported that DSI host driver's detach can be called without
the attach ever happening:
https://lore.kernel.org/all/20230412073954.20601-1-tony@atomide.com/
After reading the code, I think this is what happens:
We have a DSI host defined in the device tree and a DSI peripheral under
that host (i.e. an i2c device using the DSI as data bus doesn't exhibit
this behavior).
The host driver calls mipi_dsi_host_register(), which causes (via a few
functions) mipi_dsi_device_add() to be called for the DSI peripheral. So
now we have a DSI device under the host, but attach hasn't been called.
Normally the probing of the devices continues, and eventually the DSI
peripheral's driver will call mipi_dsi_attach(), attaching the
peripheral.
However, if the host driver's probe encounters an error after calling
mipi_dsi_host_register(), and before the peripheral has called
mipi_dsi_attach(), the host driver will do cleanups and return an error
from its probe function. The cleanups include calling
mipi_dsi_host_unregister().
mipi_dsi_host_unregister() will call two functions for all its DSI
peripheral devices: mipi_dsi_detach() and mipi_dsi_device_unregister().
The latter makes sense, as the device exists, but the former may be
wrong as attach has not necessarily been done.
To fix this, track the attached state of the peripheral, and only detach
from mipi_dsi_host_unregister() if the peripheral was attached.
Note that I have only tested this with a board with an i2c DSI
peripheral, not with a "pure" DSI peripheral.
However, slightly related, the unregister machinery still seems broken.
E.g. if the DSI host driver is unbound, it'll detach and unregister the
DSI peripherals. After that, when the DSI peripheral driver unbound
it'll call detach either directly or using the devm variant, leading to
a crash. And probably the driver will crash if it happens, for some
reason, to try to send a message via the DSI bus.
But that's another topic.
Tested-by: H. Nikolaus Schaller <hns@goldelico.com>
Acked-by: Maxime Ripard <mripard@kernel.org>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Tested-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230921-dsi-detach-fix-v1-1-d0de2d1621d9@ideasonboard.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_mipi_dsi.c | 17 +++++++++++++++--
include/drm/drm_mipi_dsi.h | 2 ++
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
index d98b08c65db9..5d30ba3af456 100644
--- a/drivers/gpu/drm/drm_mipi_dsi.c
+++ b/drivers/gpu/drm/drm_mipi_dsi.c
@@ -346,7 +346,8 @@ static int mipi_dsi_remove_device_fn(struct device *dev, void *priv)
{
struct mipi_dsi_device *dsi = to_mipi_dsi_device(dev);
- mipi_dsi_detach(dsi);
+ if (dsi->attached)
+ mipi_dsi_detach(dsi);
mipi_dsi_device_unregister(dsi);
return 0;
@@ -369,11 +370,18 @@ EXPORT_SYMBOL(mipi_dsi_host_unregister);
int mipi_dsi_attach(struct mipi_dsi_device *dsi)
{
const struct mipi_dsi_host_ops *ops = dsi->host->ops;
+ int ret;
if (!ops || !ops->attach)
return -ENOSYS;
- return ops->attach(dsi->host, dsi);
+ ret = ops->attach(dsi->host, dsi);
+ if (ret)
+ return ret;
+
+ dsi->attached = true;
+
+ return 0;
}
EXPORT_SYMBOL(mipi_dsi_attach);
@@ -385,9 +393,14 @@ int mipi_dsi_detach(struct mipi_dsi_device *dsi)
{
const struct mipi_dsi_host_ops *ops = dsi->host->ops;
+ if (WARN_ON(!dsi->attached))
+ return -EINVAL;
+
if (!ops || !ops->detach)
return -ENOSYS;
+ dsi->attached = false;
+
return ops->detach(dsi->host, dsi);
}
EXPORT_SYMBOL(mipi_dsi_detach);
diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
index d9af72024d66..5190fd48d318 100644
--- a/include/drm/drm_mipi_dsi.h
+++ b/include/drm/drm_mipi_dsi.h
@@ -166,6 +166,7 @@ struct mipi_dsi_device_info {
* struct mipi_dsi_device - DSI peripheral device
* @host: DSI host for this peripheral
* @dev: driver model device node for this peripheral
+ * @attached: the DSI device has been successfully attached
* @name: DSI peripheral chip type
* @channel: virtual channel assigned to the peripheral
* @format: pixel format for video mode
@@ -181,6 +182,7 @@ struct mipi_dsi_device_info {
struct mipi_dsi_device {
struct mipi_dsi_host *host;
struct device dev;
+ bool attached;
char name[DSI_DEV_NAME_SIZE];
unsigned int channel;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 218/476] media: stk1160: Fixed high volume of stk1160_dbg messages
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 217/476] drm/mipi-dsi: Fix detach call without attach Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 219/476] media: rockchip: rga: fix swizzling for RGB formats Greg Kroah-Hartman
` (267 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phillip Potter, Ghanshyam Agrawal,
Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
[ Upstream commit b3695e86d25aafbe175dd51f6aaf6f68d341d590 ]
The function stk1160_dbg gets called too many times, which causes
the output to get flooded with messages. Since stk1160_dbg uses
printk, it is now replaced with printk_ratelimited.
Suggested-by: Phillip Potter <phil@philpotter.co.uk>
Signed-off-by: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/stk1160/stk1160-video.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/stk1160/stk1160-video.c b/drivers/media/usb/stk1160/stk1160-video.c
index 202b084f65a2..4cf540d1b250 100644
--- a/drivers/media/usb/stk1160/stk1160-video.c
+++ b/drivers/media/usb/stk1160/stk1160-video.c
@@ -107,8 +107,7 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
/*
* TODO: These stk1160_dbg are very spammy!
- * We should 1) check why we are getting them
- * and 2) add ratelimit.
+ * We should check why we are getting them.
*
* UPDATE: One of the reasons (the only one?) for getting these
* is incorrect standard (mismatch between expected and configured).
@@ -151,7 +150,7 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
/* Let the bug hunt begin! sanity checks! */
if (lencopy < 0) {
- stk1160_dbg("copy skipped: negative lencopy\n");
+ printk_ratelimited(KERN_DEBUG "copy skipped: negative lencopy\n");
return;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 219/476] media: rockchip: rga: fix swizzling for RGB formats
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 218/476] media: stk1160: Fixed high volume of stk1160_dbg messages Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 220/476] PCI: add INTEL_HDA_ARL to pci_ids.h Greg Kroah-Hartman
` (266 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Tretter, Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Tretter <m.tretter@pengutronix.de>
[ Upstream commit 9e7dc39260edac180c206bb6149595a40eabae3e ]
When using 32 bit RGB formats, the RGA on the rk3568 produces wrong
colors as the wrong color channels are read or written. The reason is
that the format description for the channel swizzeling is wrong and the
wrong bits are configured. For example, when converting ARGB32 to NV12,
the alpha channel is used as blue channel.. This doesn't happen if the
color format is the same on both sides.
Fix the color_swap settings of the formats to correctly handle 32 bit
RGB formats.
For RGA_COLOR_FMT_XBGR8888, the RGA_COLOR_ALPHA_SWAP bit doesn't have an
effect. Thus, it isn't possible to handle the V4L2_PIX_FMT_XRGB32. Thus,
it is removed from the list of supported formats.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/rockchip/rga/rga.c | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c
index e3246344fb72..bcbbd1408b36 100644
--- a/drivers/media/platform/rockchip/rga/rga.c
+++ b/drivers/media/platform/rockchip/rga/rga.c
@@ -187,25 +187,16 @@ static int rga_setup_ctrls(struct rga_ctx *ctx)
static struct rga_fmt formats[] = {
{
.fourcc = V4L2_PIX_FMT_ARGB32,
- .color_swap = RGA_COLOR_RB_SWAP,
+ .color_swap = RGA_COLOR_ALPHA_SWAP,
.hw_format = RGA_COLOR_FMT_ABGR8888,
.depth = 32,
.uv_factor = 1,
.y_div = 1,
.x_div = 1,
},
- {
- .fourcc = V4L2_PIX_FMT_XRGB32,
- .color_swap = RGA_COLOR_RB_SWAP,
- .hw_format = RGA_COLOR_FMT_XBGR8888,
- .depth = 32,
- .uv_factor = 1,
- .y_div = 1,
- .x_div = 1,
- },
{
.fourcc = V4L2_PIX_FMT_ABGR32,
- .color_swap = RGA_COLOR_ALPHA_SWAP,
+ .color_swap = RGA_COLOR_RB_SWAP,
.hw_format = RGA_COLOR_FMT_ABGR8888,
.depth = 32,
.uv_factor = 1,
@@ -214,7 +205,7 @@ static struct rga_fmt formats[] = {
},
{
.fourcc = V4L2_PIX_FMT_XBGR32,
- .color_swap = RGA_COLOR_ALPHA_SWAP,
+ .color_swap = RGA_COLOR_RB_SWAP,
.hw_format = RGA_COLOR_FMT_XBGR8888,
.depth = 32,
.uv_factor = 1,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 220/476] PCI: add INTEL_HDA_ARL to pci_ids.h
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 219/476] media: rockchip: rga: fix swizzling for RGB formats Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 221/476] ALSA: hda: Intel: add HDA_ARL PCI ID support Greg Kroah-Hartman
` (265 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart,
Péter Ujfalusi, Kai Vehmanen, Mark Brown, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
[ Upstream commit 5ec42bf04d72fd6d0a6855810cc779e0ee31dfd7 ]
The PCI ID insertion follows the increasing order in the table, but
this hardware follows MTL (MeteorLake).
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Acked-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20231204212710.185976-2-pierre-louis.bossart@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/pci_ids.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
index d2d5e854c692..2590ccda29ab 100644
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -2999,6 +2999,7 @@
#define PCI_DEVICE_ID_INTEL_82443GX_0 0x71a0
#define PCI_DEVICE_ID_INTEL_82443GX_2 0x71a2
#define PCI_DEVICE_ID_INTEL_82372FB_1 0x7601
+#define PCI_DEVICE_ID_INTEL_HDA_ARL 0x7728
#define PCI_DEVICE_ID_INTEL_SCH_LPC 0x8119
#define PCI_DEVICE_ID_INTEL_SCH_IDE 0x811a
#define PCI_DEVICE_ID_INTEL_E6XX_CU 0x8183
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 221/476] ALSA: hda: Intel: add HDA_ARL PCI ID support
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 220/476] PCI: add INTEL_HDA_ARL to pci_ids.h Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 222/476] ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL Greg Kroah-Hartman
` (264 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart,
Péter Ujfalusi, Kai Vehmanen, Mark Brown, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
[ Upstream commit a31014ebad617868c246d3985ff80d891f03711e ]
Yet another PCI ID.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Acked-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20231204212710.185976-3-pierre-louis.bossart@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_intel.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index 65f7e3dc4602..dd4d802c9e71 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2516,6 +2516,8 @@ static const struct pci_device_id azx_ids[] = {
.driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
{ PCI_DEVICE(0x8086, 0x4b58),
.driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+ /* Arrow Lake */
+ { PCI_DEVICE_DATA(INTEL, HDA_ARL, AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE) },
/* Broxton-P(Apollolake) */
{ PCI_DEVICE(0x8086, 0x5a98),
.driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON },
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 222/476] ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 221/476] ALSA: hda: Intel: add HDA_ARL PCI ID support Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 223/476] media: rkisp1: Drop IRQF_SHARED Greg Kroah-Hartman
` (263 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart,
Péter Ujfalusi, Kai Vehmanen, Mark Brown, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
[ Upstream commit 7a9d6bbe8a663c817080be55d9fecf19a4a8fd8f ]
Same usual filters, SOF is required for DMIC and/or SoundWire support.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Acked-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20231204212710.185976-4-pierre-louis.bossart@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/intel-dsp-config.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c
index 774d80f4b101..e4cd6f0c686f 100644
--- a/sound/hda/intel-dsp-config.c
+++ b/sound/hda/intel-dsp-config.c
@@ -389,6 +389,16 @@ static const struct config_entry config_table[] = {
.flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE,
.device = 0x7e28,
},
+ /* ArrowLake-S */
+ {
+ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE,
+ .device = PCI_DEVICE_ID_INTEL_HDA_ARL_S,
+ },
+ /* ArrowLake */
+ {
+ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE,
+ .device = PCI_DEVICE_ID_INTEL_HDA_ARL,
+ },
#endif
/* Lunar Lake */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 223/476] media: rkisp1: Drop IRQF_SHARED
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 222/476] ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 224/476] f2fs: fix to tag gcing flag on page during block migration Greg Kroah-Hartman
` (262 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Laurent Pinchart,
Mauro Carvalho Chehab, Sasha Levin, Adam Ford
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
[ Upstream commit 85d2a31fe4d9be1555f621ead7a520d8791e0f74 ]
In all known platforms the ISP has dedicated IRQ lines, but for some
reason the driver uses IRQF_SHARED.
Supporting IRQF_SHARED properly requires handling interrupts even when
our device is disabled, and the driver does not handle this. To avoid
adding such code, and to be sure the driver won't accidentally be used
in a platform with shared interrupts, let's drop the IRQF_SHARED flag.
Link: https://lore.kernel.org/r/20231207-rkisp-irq-fix-v3-1-358a2c871a3c@ideasonboard.com
Tested-by: Adam Ford <aford173@gmail.com> #imx8mp-beacon
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c b/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c
index 79cfa99f2a64..c0d732c56c1a 100644
--- a/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c
+++ b/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c
@@ -482,7 +482,7 @@ static int rkisp1_probe(struct platform_device *pdev)
if (irq < 0)
return irq;
- ret = devm_request_irq(dev, irq, rkisp1_isr, IRQF_SHARED,
+ ret = devm_request_irq(dev, irq, rkisp1_isr, 0,
dev_driver_string(dev), dev);
if (ret) {
dev_err(dev, "request irq failed: %d\n", ret);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 224/476] f2fs: fix to tag gcing flag on page during block migration
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 223/476] media: rkisp1: Drop IRQF_SHARED Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 225/476] drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time Greg Kroah-Hartman
` (261 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 4961acdd65c956e97c1a000c82d91a8c1cdbe44b ]
It needs to add missing gcing flag on page during block migration,
in order to garantee migrated data be persisted during checkpoint,
otherwise out-of-order persistency between data and node may cause
data corruption after SPOR.
Similar issue was fixed by commit 2d1fe8a86bf5 ("f2fs: fix to tag
gcing flag on page during file defragment").
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/compress.c | 4 +++-
fs/f2fs/file.c | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
index 3982b4a7618c..7b4479d5b531 100644
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -1037,8 +1037,10 @@ static void set_cluster_dirty(struct compress_ctx *cc)
int i;
for (i = 0; i < cc->cluster_size; i++)
- if (cc->rpages[i])
+ if (cc->rpages[i]) {
set_page_dirty(cc->rpages[i]);
+ set_page_private_gcing(cc->rpages[i]);
+ }
}
static int prepare_compress_overwrite(struct compress_ctx *cc,
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index d220c4523982..489854d841e7 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1278,6 +1278,7 @@ static int __clone_blkaddrs(struct inode *src_inode, struct inode *dst_inode,
}
f2fs_copy_page(psrc, pdst);
set_page_dirty(pdst);
+ set_page_private_gcing(pdst);
f2fs_put_page(pdst, 1);
f2fs_put_page(psrc, 1);
@@ -3981,6 +3982,7 @@ static int redirty_blocks(struct inode *inode, pgoff_t page_idx, int len)
break;
}
set_page_dirty(page);
+ set_page_private_gcing(page);
f2fs_put_page(page, 1);
f2fs_put_page(page, 0);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 225/476] drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 224/476] f2fs: fix to tag gcing flag on page during block migration Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 226/476] IB/ipoib: Fix mcast list locking Greg Kroah-Hartman
` (260 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Douglas Anderson,
Marek Szyprowski, Inki Dae, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit 16ac5b21b31b439f03cdf44c153c5f5af94fb3eb ]
Based on grepping through the source code this driver appears to be
missing a call to drm_atomic_helper_shutdown() at system shutdown time
and at driver unbind time. Among other things, this means that if a
panel is in use that it won't be cleanly powered off at system
shutdown time.
The fact that we should call drm_atomic_helper_shutdown() in the case
of OS shutdown/restart and at driver remove (or unbind) time comes
straight out of the kernel doc "driver instance overview" in
drm_drv.c.
A few notes about this fix:
- When adding drm_atomic_helper_shutdown() to the unbind path, I added
it after drm_kms_helper_poll_fini() since that's when other drivers
seemed to have it.
- Technically with a previous patch, ("drm/atomic-helper:
drm_atomic_helper_shutdown(NULL) should be a noop"), we don't
actually need to check to see if our "drm" pointer is NULL before
calling drm_atomic_helper_shutdown(). We'll leave the "if" test in,
though, so that this patch can land without any dependencies. It
could potentially be removed later.
- This patch also makes sure to set the drvdata to NULL in the case of
bind errors to make sure that shutdown can't access freed data.
Suggested-by: Maxime Ripard <mripard@kernel.org>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/exynos/exynos_drm_drv.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.c b/drivers/gpu/drm/exynos/exynos_drm_drv.c
index d8f1cf4d6b69..2a7f96237f95 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_drv.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_drv.c
@@ -324,6 +324,7 @@ static int exynos_drm_bind(struct device *dev)
drm_mode_config_cleanup(drm);
exynos_drm_cleanup_dma(drm);
kfree(private);
+ dev_set_drvdata(dev, NULL);
err_free_drm:
drm_dev_put(drm);
@@ -338,6 +339,7 @@ static void exynos_drm_unbind(struct device *dev)
exynos_drm_fbdev_fini(drm);
drm_kms_helper_poll_fini(drm);
+ drm_atomic_helper_shutdown(drm);
component_unbind_all(drm->dev, drm);
drm_mode_config_cleanup(drm);
@@ -375,9 +377,18 @@ static int exynos_drm_platform_remove(struct platform_device *pdev)
return 0;
}
+static void exynos_drm_platform_shutdown(struct platform_device *pdev)
+{
+ struct drm_device *drm = platform_get_drvdata(pdev);
+
+ if (drm)
+ drm_atomic_helper_shutdown(drm);
+}
+
static struct platform_driver exynos_drm_platform_driver = {
.probe = exynos_drm_platform_probe,
.remove = exynos_drm_platform_remove,
+ .shutdown = exynos_drm_platform_shutdown,
.driver = {
.name = "exynos-drm",
.pm = &exynos_drm_pm_ops,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 226/476] IB/ipoib: Fix mcast list locking
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 225/476] drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-03-08 20:21 ` Harshit Mogalapalli
2024-02-21 13:04 ` [PATCH 5.15 227/476] media: ddbridge: fix an error code problem in ddb_probe Greg Kroah-Hartman
` (259 subsequent siblings)
485 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Vacek <neelx@redhat.com>
[ Upstream commit 4f973e211b3b1c6d36f7c6a19239d258856749f9 ]
Releasing the `priv->lock` while iterating the `priv->multicast_list` in
`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to
remove the items while in the middle of iteration. If the mcast is removed
while the lock was dropped, the for loop spins forever resulting in a hard
lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):
Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below)
-----------------------------------+-----------------------------------
ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work)
spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...)
list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev)
&priv->multicast_list, list) |
ipoib_mcast_join(dev, mcast) |
spin_unlock_irq(&priv->lock) |
| spin_lock_irqsave(&priv->lock, flags)
| list_for_each_entry_safe(mcast, tmcast,
| &priv->multicast_list, list)
| list_del(&mcast->list);
| list_add_tail(&mcast->list, &remove_list)
| spin_unlock_irqrestore(&priv->lock, flags)
spin_lock_irq(&priv->lock) |
| ipoib_mcast_remove_list(&remove_list)
(Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast,
`priv->multicast_list` and we keep | remove_list, list)
spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done)
the other thread which is blocked |
and the list is still valid on |
it's stack.)
Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent
eventual sleeps.
Unfortunately we could not reproduce the lockup and confirm this fix but
based on the code review I think this fix should address such lockups.
crash> bc 31
PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: "kworker/u72:2"
--
[exception RIP: ipoib_mcast_join_task+0x1b1]
RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002
RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000
work (&priv->mcast_task{,.work})
RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000
&mcast->list
RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000
R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00
mcast
R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8
dev priv (&priv->lock) &priv->multicast_list (aka head)
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
index 9e6967a40042..319d4288eddd 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -531,21 +531,17 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast)
if (test_bit(IPOIB_MCAST_FLAG_SENDONLY, &mcast->flags))
rec.join_state = SENDONLY_FULLMEMBER_JOIN;
}
- spin_unlock_irq(&priv->lock);
multicast = ib_sa_join_multicast(&ipoib_sa_client, priv->ca, priv->port,
- &rec, comp_mask, GFP_KERNEL,
+ &rec, comp_mask, GFP_ATOMIC,
ipoib_mcast_join_complete, mcast);
- spin_lock_irq(&priv->lock);
if (IS_ERR(multicast)) {
ret = PTR_ERR(multicast);
ipoib_warn(priv, "ib_sa_join_multicast failed, status %d\n", ret);
/* Requeue this join task with a backoff delay */
__ipoib_mcast_schedule_join_thread(priv, mcast, 1);
clear_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
- spin_unlock_irq(&priv->lock);
complete(&mcast->done);
- spin_lock_irq(&priv->lock);
return ret;
}
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 227/476] media: ddbridge: fix an error code problem in ddb_probe
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 226/476] IB/ipoib: Fix mcast list locking Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 228/476] media: i2c: imx335: Fix hblank min/max values Greg Kroah-Hartman
` (258 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Su Hui, Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 09b4195021be69af1e1936cca995712a6d0f2562 ]
Error code is assigned to 'stat', return 'stat' rather than '-1'.
Signed-off-by: Su Hui <suhui@nfschina.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/pci/ddbridge/ddbridge-main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/pci/ddbridge/ddbridge-main.c b/drivers/media/pci/ddbridge/ddbridge-main.c
index 03dc9924fa2c..bb7fb6402d6e 100644
--- a/drivers/media/pci/ddbridge/ddbridge-main.c
+++ b/drivers/media/pci/ddbridge/ddbridge-main.c
@@ -247,7 +247,7 @@ static int ddb_probe(struct pci_dev *pdev,
ddb_unmap(dev);
pci_set_drvdata(pdev, NULL);
pci_disable_device(pdev);
- return -1;
+ return stat;
}
/****************************************************************************/
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 228/476] media: i2c: imx335: Fix hblank min/max values
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 227/476] media: ddbridge: fix an error code problem in ddb_probe Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 229/476] drm/msm/dpu: Ratelimit framedone timeout msgs Greg Kroah-Hartman
` (257 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Umang Jain, Kieran Bingham,
Sakari Ailus, Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kieran Bingham <kieran.bingham@ideasonboard.com>
[ Upstream commit d7b95ad7a8d56248dfc34f861e445fad7a4004f4 ]
The V4L2_CID_HBLANK control is marked as readonly and can only be a
single value.
Set the minimum and maximum value to match the mode value.
Reviewed-by: Umang Jain <umang.jain@ideasonboard.com>
Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/imx335.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/imx335.c b/drivers/media/i2c/imx335.c
index 410d6b86feb5..780eb68b1894 100644
--- a/drivers/media/i2c/imx335.c
+++ b/drivers/media/i2c/imx335.c
@@ -971,8 +971,8 @@ static int imx335_init_controls(struct imx335 *imx335)
imx335->hblank_ctrl = v4l2_ctrl_new_std(ctrl_hdlr,
&imx335_ctrl_ops,
V4L2_CID_HBLANK,
- IMX335_REG_MIN,
- IMX335_REG_MAX,
+ mode->hblank,
+ mode->hblank,
1, mode->hblank);
if (imx335->hblank_ctrl)
imx335->hblank_ctrl->flags |= V4L2_CTRL_FLAG_READ_ONLY;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 229/476] drm/msm/dpu: Ratelimit framedone timeout msgs
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 228/476] media: i2c: imx335: Fix hblank min/max values Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 230/476] drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap Greg Kroah-Hartman
` (256 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Abhinav Kumar,
Marijn Suijten, Dmitry Baryshkov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robdclark@chromium.org>
[ Upstream commit 2b72e50c62de60ad2d6bcd86aa38d4ccbdd633f2 ]
When we start getting these, we get a *lot*. So ratelimit it to not
flood dmesg.
Signed-off-by: Rob Clark <robdclark@chromium.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
Patchwork: https://patchwork.freedesktop.org/patch/571584/
Link: https://lore.kernel.org/r/20231211182000.218088-1-robdclark@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 5 ++++-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 1 +
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
index 03bddd904d1a..3d5e3b77bbbe 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
@@ -46,6 +46,9 @@
(p) ? ((p)->hw_pp ? (p)->hw_pp->idx - PINGPONG_0 : -1) : -1, \
##__VA_ARGS__)
+#define DPU_ERROR_ENC_RATELIMITED(e, fmt, ...) DPU_ERROR_RATELIMITED("enc%d " fmt,\
+ (e) ? (e)->base.base.id : -1, ##__VA_ARGS__)
+
/*
* Two to anticipate panels that can do cmd/vid dynamic switching
* plan is to create all possible physical encoder types, and switch between
@@ -2126,7 +2129,7 @@ static void dpu_encoder_frame_done_timeout(struct timer_list *t)
return;
}
- DPU_ERROR_ENC(dpu_enc, "frame done timeout\n");
+ DPU_ERROR_ENC_RATELIMITED(dpu_enc, "frame done timeout\n");
event = DPU_ENCODER_FRAME_EVENT_ERROR;
trace_dpu_enc_frame_done_timeout(DRMID(drm_enc), event);
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h
index 323a6bce9e64..170b3e9dd4b0 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h
@@ -52,6 +52,7 @@
} while (0)
#define DPU_ERROR(fmt, ...) pr_err("[dpu error]" fmt, ##__VA_ARGS__)
+#define DPU_ERROR_RATELIMITED(fmt, ...) pr_err_ratelimited("[dpu error]" fmt, ##__VA_ARGS__)
/**
* ktime_compare_safe - compare two ktime structures
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 230/476] drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 229/476] drm/msm/dpu: Ratelimit framedone timeout msgs Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 231/476] clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() Greg Kroah-Hartman
` (255 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang, Beyond, Christian König,
Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang, Beyond <Wang.Beyond@amd.com>
[ Upstream commit 94aeb4117343d072e3a35b9595bcbfc0058ee724 ]
Issue: during evict or validate happened on amdgpu_bo, the 'from' and
'to' is always same in ftrace event of amdgpu_bo_move
where calling the 'trace_amdgpu_bo_move', the comment says move_notify
is called before move happens, but actually it is called after move
happens, here the new_mem is same as bo->resource
Fix: move trace_amdgpu_bo_move from move_notify to amdgpu_bo_move
Signed-off-by: Wang, Beyond <Wang.Beyond@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 13 +------------
drivers/gpu/drm/amd/amdgpu/amdgpu_object.h | 4 +---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 +++--
3 files changed, 5 insertions(+), 17 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
index 8a0b652da4f4..5d95594a1753 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
@@ -1236,19 +1236,15 @@ int amdgpu_bo_get_metadata(struct amdgpu_bo *bo, void *buffer,
* amdgpu_bo_move_notify - notification about a memory move
* @bo: pointer to a buffer object
* @evict: if this move is evicting the buffer from the graphics address space
- * @new_mem: new information of the bufer object
*
* Marks the corresponding &amdgpu_bo buffer object as invalid, also performs
* bookkeeping.
* TTM driver callback which is called when ttm moves a buffer.
*/
-void amdgpu_bo_move_notify(struct ttm_buffer_object *bo,
- bool evict,
- struct ttm_resource *new_mem)
+void amdgpu_bo_move_notify(struct ttm_buffer_object *bo, bool evict)
{
struct amdgpu_device *adev = amdgpu_ttm_adev(bo->bdev);
struct amdgpu_bo *abo;
- struct ttm_resource *old_mem = bo->resource;
if (!amdgpu_bo_is_amdgpu_bo(bo))
return;
@@ -1265,13 +1261,6 @@ void amdgpu_bo_move_notify(struct ttm_buffer_object *bo,
/* remember the eviction */
if (evict)
atomic64_inc(&adev->num_evictions);
-
- /* update statistics */
- if (!new_mem)
- return;
-
- /* move_notify is called before move happens */
- trace_amdgpu_bo_move(abo, new_mem->mem_type, old_mem->mem_type);
}
void amdgpu_bo_get_memory(struct amdgpu_bo *bo, uint64_t *vram_mem,
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.h
index dc5b889828d9..0969669f1d4e 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.h
@@ -313,9 +313,7 @@ int amdgpu_bo_set_metadata (struct amdgpu_bo *bo, void *metadata,
int amdgpu_bo_get_metadata(struct amdgpu_bo *bo, void *buffer,
size_t buffer_size, uint32_t *metadata_size,
uint64_t *flags);
-void amdgpu_bo_move_notify(struct ttm_buffer_object *bo,
- bool evict,
- struct ttm_resource *new_mem);
+void amdgpu_bo_move_notify(struct ttm_buffer_object *bo, bool evict);
void amdgpu_bo_release_notify(struct ttm_buffer_object *bo);
vm_fault_t amdgpu_bo_fault_reserve_notify(struct ttm_buffer_object *bo);
void amdgpu_bo_fence(struct amdgpu_bo *bo, struct dma_fence *fence,
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
index 51c76d6322c9..b06fb1fa411b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -554,10 +554,11 @@ static int amdgpu_bo_move(struct ttm_buffer_object *bo, bool evict,
return r;
}
+ trace_amdgpu_bo_move(abo, new_mem->mem_type, old_mem->mem_type);
out:
/* update statistics */
atomic64_add(bo->base.size, &adev->num_bytes_moved);
- amdgpu_bo_move_notify(bo, evict, new_mem);
+ amdgpu_bo_move_notify(bo, evict);
return 0;
}
@@ -1480,7 +1481,7 @@ static int amdgpu_ttm_access_memory(struct ttm_buffer_object *bo,
static void
amdgpu_bo_delete_mem_notify(struct ttm_buffer_object *bo)
{
- amdgpu_bo_move_notify(bo, false, NULL);
+ amdgpu_bo_move_notify(bo, false);
}
static struct ttm_device_funcs amdgpu_bo_driver = {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 231/476] clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 230/476] drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 232/476] clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() Greg Kroah-Hartman
` (254 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, Stephen Boyd, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuan-Wei Chiu <visitorckw@gmail.com>
[ Upstream commit bfbea9e5667cfa9552c3d88f023386f017f6c308 ]
In cases where kcalloc() fails for the 'clk_data->clks' allocation, the
code path does not handle the failure gracefully, potentially leading
to a memory leak. This fix ensures proper cleanup by freeing the
allocated memory for 'clk_data' before returning.
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Link: https://lore.kernel.org/r/20231210165040.3407545-1-visitorckw@gmail.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/hisilicon/clk-hi3620.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/hisilicon/clk-hi3620.c b/drivers/clk/hisilicon/clk-hi3620.c
index a3d04c7c3da8..eb9c139babc3 100644
--- a/drivers/clk/hisilicon/clk-hi3620.c
+++ b/drivers/clk/hisilicon/clk-hi3620.c
@@ -467,8 +467,10 @@ static void __init hi3620_mmc_clk_init(struct device_node *node)
return;
clk_data->clks = kcalloc(num, sizeof(*clk_data->clks), GFP_KERNEL);
- if (!clk_data->clks)
+ if (!clk_data->clks) {
+ kfree(clk_data);
return;
+ }
for (i = 0; i < num; i++) {
struct hisi_mmc_clock *mmc_clk = &hi3620_mmc_clks[i];
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 232/476] clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 231/476] clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 233/476] watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786 Greg Kroah-Hartman
` (253 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, Stephen Boyd, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuan-Wei Chiu <visitorckw@gmail.com>
[ Upstream commit 2fbabea626b6467eb4e6c4cb7a16523da12e43b4 ]
In cases where mapping of mpmu/apmu/apbc registers fails, the code path
does not handle the failure gracefully, potentially leading to a memory
leak. This fix ensures proper cleanup by freeing the allocated memory
for 'pxa_unit' before returning.
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Link: https://lore.kernel.org/r/20231210175232.3414584-1-visitorckw@gmail.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/mmp/clk-of-pxa168.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/clk/mmp/clk-of-pxa168.c b/drivers/clk/mmp/clk-of-pxa168.c
index f110c02e83cb..9674c6c06dca 100644
--- a/drivers/clk/mmp/clk-of-pxa168.c
+++ b/drivers/clk/mmp/clk-of-pxa168.c
@@ -258,18 +258,21 @@ static void __init pxa168_clk_init(struct device_node *np)
pxa_unit->mpmu_base = of_iomap(np, 0);
if (!pxa_unit->mpmu_base) {
pr_err("failed to map mpmu registers\n");
+ kfree(pxa_unit);
return;
}
pxa_unit->apmu_base = of_iomap(np, 1);
if (!pxa_unit->apmu_base) {
pr_err("failed to map apmu registers\n");
+ kfree(pxa_unit);
return;
}
pxa_unit->apbc_base = of_iomap(np, 2);
if (!pxa_unit->apbc_base) {
pr_err("failed to map apbc registers\n");
+ kfree(pxa_unit);
return;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 233/476] watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 232/476] clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 234/476] drm/amd/display: make flip_timestamp_in_us a 64-bit variable Greg Kroah-Hartman
` (252 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Werner Fischer, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Werner Fischer <devlists@wefi.net>
[ Upstream commit d12971849d71781c1e4ffd1117d4878ce233d319 ]
WDTCTRL bit 3 sets the mode choice for the clock input of IT8784/IT8786.
Some motherboards require this bit to be set to 1 (= PCICLK mode),
otherwise the watchdog functionality gets broken. The BIOS of those
motherboards sets WDTCTRL bit 3 already to 1.
Instead of setting all bits of WDTCTRL to 0 by writing 0x00 to it, keep
bit 3 of it unchanged for IT8784/IT8786 chips. In this way, bit 3 keeps
the status as set by the BIOS of the motherboard.
Watchdog tests have been successful with this patch with the following
systems:
IT8784: Thomas-Krenn LES plus v2 (YANLING YL-KBRL2 V2)
IT8786: Thomas-Krenn LES plus v3 (YANLING YL-CLU L2)
IT8786: Thomas-Krenn LES network 6L v2 (YANLING YL-CLU6L)
Link: https://lore.kernel.org/all/140b264d-341f-465b-8715-dacfe84b3f71@roeck-us.net/
Signed-off-by: Werner Fischer <devlists@wefi.net>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20231213094525.11849-4-devlists@wefi.net
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/it87_wdt.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/watchdog/it87_wdt.c b/drivers/watchdog/it87_wdt.c
index bb1122909396..843f9f8e3917 100644
--- a/drivers/watchdog/it87_wdt.c
+++ b/drivers/watchdog/it87_wdt.c
@@ -255,6 +255,7 @@ static struct watchdog_device wdt_dev = {
static int __init it87_wdt_init(void)
{
u8 chip_rev;
+ u8 ctrl;
int rc;
rc = superio_enter();
@@ -313,7 +314,18 @@ static int __init it87_wdt_init(void)
superio_select(GPIO);
superio_outb(WDT_TOV1, WDTCFG);
- superio_outb(0x00, WDTCTRL);
+
+ switch (chip_type) {
+ case IT8784_ID:
+ case IT8786_ID:
+ ctrl = superio_inb(WDTCTRL);
+ ctrl &= 0x08;
+ superio_outb(ctrl, WDTCTRL);
+ break;
+ default:
+ superio_outb(0x00, WDTCTRL);
+ }
+
superio_exit();
if (timeout < 1 || timeout > max_units * 60) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 234/476] drm/amd/display: make flip_timestamp_in_us a 64-bit variable
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 233/476] watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786 Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 235/476] clk: imx: scu: Fix memory leak in __imx_clk_gpr_scu() Greg Kroah-Hartman
` (251 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aric Cyr, Wayne Lin, Josip Pavic,
Daniel Wheeler, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josip Pavic <josip.pavic@amd.com>
[ Upstream commit 6fb12518ca58412dc51054e2a7400afb41328d85 ]
[Why]
This variable currently overflows after about 71 minutes. This doesn't
cause any known functional issues but it does make debugging more
difficult.
[How]
Make it a 64-bit variable.
Reviewed-by: Aric Cyr <aric.cyr@amd.com>
Acked-by: Wayne Lin <wayne.lin@amd.com>
Signed-off-by: Josip Pavic <josip.pavic@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dc_hw_types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dc_hw_types.h b/drivers/gpu/drm/amd/display/dc/dc_hw_types.h
index 52355fe6994c..51df38a210e8 100644
--- a/drivers/gpu/drm/amd/display/dc/dc_hw_types.h
+++ b/drivers/gpu/drm/amd/display/dc/dc_hw_types.h
@@ -417,7 +417,7 @@ struct dc_cursor_position {
};
struct dc_cursor_mi_param {
- unsigned int pixel_clk_khz;
+ unsigned long long pixel_clk_khz;
unsigned int ref_clk_khz;
struct rect viewport;
struct fixed31_32 h_scale_ratio;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 235/476] clk: imx: scu: Fix memory leak in __imx_clk_gpr_scu()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 234/476] drm/amd/display: make flip_timestamp_in_us a 64-bit variable Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 236/476] clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks Greg Kroah-Hartman
` (250 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, Peng Fan, Abel Vesa,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuan-Wei Chiu <visitorckw@gmail.com>
[ Upstream commit 21c0efbcb45cf94724d17b040ebc03fcd4a81f22 ]
In cases where imx_clk_is_resource_owned() returns false, the code path
does not handle the failure gracefully, potentially leading to a memory
leak. This fix ensures proper cleanup by freeing the allocated memory
for 'clk_node' before returning.
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/all/20231210171907.3410922-1-visitorckw@gmail.com/
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-scu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/imx/clk-scu.c b/drivers/clk/imx/clk-scu.c
index 1cee88b073fa..89a914a15d62 100644
--- a/drivers/clk/imx/clk-scu.c
+++ b/drivers/clk/imx/clk-scu.c
@@ -841,8 +841,10 @@ struct clk_hw *__imx_clk_gpr_scu(const char *name, const char * const *parent_na
if (!clk_node)
return ERR_PTR(-ENOMEM);
- if (!imx_scu_clk_is_valid(rsrc_id))
+ if (!imx_scu_clk_is_valid(rsrc_id)) {
+ kfree(clk_node);
return ERR_PTR(-EINVAL);
+ }
clk = kzalloc(sizeof(*clk), GFP_KERNEL);
if (!clk) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 236/476] clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 235/476] clk: imx: scu: Fix memory leak in __imx_clk_gpr_scu() Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 237/476] drm/amdgpu: Let KFD sync with VM fences Greg Kroah-Hartman
` (249 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver F. Brown,
Ranjani Vaidyanathan, Alexander Stein, Abel Vesa, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit 3f5f63adeea7e7aa715e101ffe4b4ac9705f9664 ]
To be compatible with SCU firmware based on 1.15 a different clock
routing for LVDS is needed.
Signed-off-by: Oliver F. Brown <oliver.brown@oss.nxp.com>
Signed-off-by: Ranjani Vaidyanathan <ranjani.vaidyanathan@nxp.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
Link: https://lore.kernel.org/r/20231218122407.2757175-1-alexander.stein@ew.tq-group.com/
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx8qxp.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/drivers/clk/imx/clk-imx8qxp.c b/drivers/clk/imx/clk-imx8qxp.c
index 32df47c56621..ef560b59df11 100644
--- a/drivers/clk/imx/clk-imx8qxp.c
+++ b/drivers/clk/imx/clk-imx8qxp.c
@@ -67,6 +67,22 @@ static const char * const lcd_pxl_sels[] = {
"lcd_pxl_bypass_div_clk",
};
+static const char *const lvds0_sels[] = {
+ "clk_dummy",
+ "clk_dummy",
+ "clk_dummy",
+ "clk_dummy",
+ "mipi0_lvds_bypass_clk",
+};
+
+static const char *const lvds1_sels[] = {
+ "clk_dummy",
+ "clk_dummy",
+ "clk_dummy",
+ "clk_dummy",
+ "mipi1_lvds_bypass_clk",
+};
+
static const char * const mipi_sels[] = {
"clk_dummy",
"clk_dummy",
@@ -201,9 +217,9 @@ static int imx8qxp_clk_probe(struct platform_device *pdev)
/* MIPI-LVDS SS */
imx_clk_scu("mipi0_bypass_clk", IMX_SC_R_MIPI_0, IMX_SC_PM_CLK_BYPASS);
imx_clk_scu("mipi0_pixel_clk", IMX_SC_R_MIPI_0, IMX_SC_PM_CLK_PER);
- imx_clk_scu("mipi0_lvds_pixel_clk", IMX_SC_R_LVDS_0, IMX_SC_PM_CLK_MISC2);
imx_clk_scu("mipi0_lvds_bypass_clk", IMX_SC_R_LVDS_0, IMX_SC_PM_CLK_BYPASS);
- imx_clk_scu("mipi0_lvds_phy_clk", IMX_SC_R_LVDS_0, IMX_SC_PM_CLK_MISC3);
+ imx_clk_scu2("mipi0_lvds_pixel_clk", lvds0_sels, ARRAY_SIZE(lvds0_sels), IMX_SC_R_LVDS_0, IMX_SC_PM_CLK_MISC2);
+ imx_clk_scu2("mipi0_lvds_phy_clk", lvds0_sels, ARRAY_SIZE(lvds0_sels), IMX_SC_R_LVDS_0, IMX_SC_PM_CLK_MISC3);
imx_clk_scu2("mipi0_dsi_tx_esc_clk", mipi_sels, ARRAY_SIZE(mipi_sels), IMX_SC_R_MIPI_0, IMX_SC_PM_CLK_MST_BUS);
imx_clk_scu2("mipi0_dsi_rx_esc_clk", mipi_sels, ARRAY_SIZE(mipi_sels), IMX_SC_R_MIPI_0, IMX_SC_PM_CLK_SLV_BUS);
imx_clk_scu2("mipi0_dsi_phy_clk", mipi_sels, ARRAY_SIZE(mipi_sels), IMX_SC_R_MIPI_0, IMX_SC_PM_CLK_PHY);
@@ -213,9 +229,9 @@ static int imx8qxp_clk_probe(struct platform_device *pdev)
imx_clk_scu("mipi1_bypass_clk", IMX_SC_R_MIPI_1, IMX_SC_PM_CLK_BYPASS);
imx_clk_scu("mipi1_pixel_clk", IMX_SC_R_MIPI_1, IMX_SC_PM_CLK_PER);
- imx_clk_scu("mipi1_lvds_pixel_clk", IMX_SC_R_LVDS_1, IMX_SC_PM_CLK_MISC2);
imx_clk_scu("mipi1_lvds_bypass_clk", IMX_SC_R_LVDS_1, IMX_SC_PM_CLK_BYPASS);
- imx_clk_scu("mipi1_lvds_phy_clk", IMX_SC_R_LVDS_1, IMX_SC_PM_CLK_MISC3);
+ imx_clk_scu2("mipi1_lvds_pixel_clk", lvds1_sels, ARRAY_SIZE(lvds1_sels), IMX_SC_R_LVDS_1, IMX_SC_PM_CLK_MISC2);
+ imx_clk_scu2("mipi1_lvds_phy_clk", lvds1_sels, ARRAY_SIZE(lvds1_sels), IMX_SC_R_LVDS_1, IMX_SC_PM_CLK_MISC3);
imx_clk_scu2("mipi1_dsi_tx_esc_clk", mipi_sels, ARRAY_SIZE(mipi_sels), IMX_SC_R_MIPI_1, IMX_SC_PM_CLK_MST_BUS);
imx_clk_scu2("mipi1_dsi_rx_esc_clk", mipi_sels, ARRAY_SIZE(mipi_sels), IMX_SC_R_MIPI_1, IMX_SC_PM_CLK_SLV_BUS);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 237/476] drm/amdgpu: Let KFD sync with VM fences
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 236/476] clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 238/476] drm/amdgpu: Drop fence check in to_amdgpu_amdkfd_fence() Greg Kroah-Hartman
` (248 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Kuehling,
Christian König, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Kuehling <Felix.Kuehling@amd.com>
[ Upstream commit ec9ba4821fa52b5efdbc4cdf0a77497990655231 ]
Change the rules for amdgpu_sync_resv to let KFD synchronize with VM
fences on page table reservations. This fixes intermittent memory
corruption after evictions when using amdgpu_vm_handle_moved to update
page tables for VM mappings managed through render nodes.
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c
index 862eb3c1c4c5..494466893486 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c
@@ -208,7 +208,8 @@ static bool amdgpu_sync_test_fence(struct amdgpu_device *adev,
/* Never sync to VM updates either. */
if (fence_owner == AMDGPU_FENCE_OWNER_VM &&
- owner != AMDGPU_FENCE_OWNER_UNDEFINED)
+ owner != AMDGPU_FENCE_OWNER_UNDEFINED &&
+ owner != AMDGPU_FENCE_OWNER_KFD)
return false;
/* Ignore fences depending on the sync mode */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 238/476] drm/amdgpu: Drop fence check in to_amdgpu_amdkfd_fence()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 237/476] drm/amdgpu: Let KFD sync with VM fences Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 239/476] ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140 Greg Kroah-Hartman
` (247 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Kuehling,
Christian König, Alex Deucher, Srinivasan Shanmugam,
Felix Kuehling, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit bf2ad4fb8adca89374b54b225d494e0b1956dbea ]
Return value of container_of(...) can't be null, so null check is not
required for 'fence'. Hence drop its NULL check.
Fixes the below:
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c:93 to_amdgpu_amdkfd_fence() warn: can 'fence' even be NULL?
Cc: Felix Kuehling <Felix.Kuehling@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
index 1d0dbff87d3f..fb66e888ab3f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
@@ -90,7 +90,7 @@ struct amdgpu_amdkfd_fence *to_amdgpu_amdkfd_fence(struct dma_fence *f)
return NULL;
fence = container_of(f, struct amdgpu_amdkfd_fence, base);
- if (fence && f->ops == &amdkfd_fence_ops)
+ if (f->ops == &amdkfd_fence_ops)
return fence;
return NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 239/476] ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 238/476] drm/amdgpu: Drop fence check in to_amdgpu_amdkfd_fence() Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 240/476] leds: trigger: panic: Dont register panic notifier if creating the trigger failed Greg Kroah-Hartman
` (246 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, bo liu, Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: bo liu <bo.liu@senarytech.com>
[ Upstream commit 7aeb259086487417f0fecf66e325bee133e8813a ]
When OMTP headset plugin the headset jack of CX8070 and SN6160 sound cards,
the headset type detection circuit will recognize the headset type as CTIA.
At this point, plugout and plugin the headset will get the correct headset
type as OMTP.
The reason for the failure of headset type recognition is that the sound
card creation will enable the VREF voltage of the headset mic, which
interferes with the headset type automatic detection circuit. Plugout and
plugin the headset will restart the headset detection and get the correct
headset type.
The patch is disable the VREF voltage when the headset is not present, and
will enable the VREF voltage when the headset is present.
Signed-off-by: bo liu <bo.liu@senarytech.com>
Link: https://lore.kernel.org/r/20240108110235.3867-1-bo.liu@senarytech.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 115 ++++++++++++++++++++++++++++++++-
1 file changed, 113 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index deff4a3d7a78..0980c7de2183 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -21,6 +21,12 @@
#include "hda_jack.h"
#include "hda_generic.h"
+enum {
+ CX_HEADSET_NOPRESENT = 0,
+ CX_HEADSET_PARTPRESENT,
+ CX_HEADSET_ALLPRESENT,
+};
+
struct conexant_spec {
struct hda_gen_spec gen;
@@ -42,7 +48,8 @@ struct conexant_spec {
unsigned int gpio_led;
unsigned int gpio_mute_led_mask;
unsigned int gpio_mic_led_mask;
-
+ unsigned int headset_present_flag;
+ bool is_cx8070_sn6140;
};
@@ -164,6 +171,27 @@ static void cxt_init_gpio_led(struct hda_codec *codec)
}
}
+static void cx_fixup_headset_recog(struct hda_codec *codec)
+{
+ unsigned int mic_persent;
+
+ /* fix some headset type recognize fail issue, such as EDIFIER headset */
+ /* set micbiasd output current comparator threshold from 66% to 55%. */
+ snd_hda_codec_write(codec, 0x1c, 0, 0x320, 0x010);
+ /* set OFF voltage for DFET from -1.2V to -0.8V, set headset micbias registor
+ * value adjustment trim from 2.2K ohms to 2.0K ohms.
+ */
+ snd_hda_codec_write(codec, 0x1c, 0, 0x3b0, 0xe10);
+ /* fix reboot headset type recognize fail issue */
+ mic_persent = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
+ if (mic_persent & AC_PINSENSE_PRESENCE)
+ /* enable headset mic VREF */
+ snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x24);
+ else
+ /* disable headset mic VREF */
+ snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20);
+}
+
static int cx_auto_init(struct hda_codec *codec)
{
struct conexant_spec *spec = codec->spec;
@@ -174,6 +202,9 @@ static int cx_auto_init(struct hda_codec *codec)
cxt_init_gpio_led(codec);
snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
+ if (spec->is_cx8070_sn6140)
+ cx_fixup_headset_recog(codec);
+
return 0;
}
@@ -192,6 +223,77 @@ static void cx_auto_free(struct hda_codec *codec)
snd_hda_gen_free(codec);
}
+static void cx_process_headset_plugin(struct hda_codec *codec)
+{
+ unsigned int val;
+ unsigned int count = 0;
+
+ /* Wait headset detect done. */
+ do {
+ val = snd_hda_codec_read(codec, 0x1c, 0, 0xca0, 0x0);
+ if (val & 0x080) {
+ codec_dbg(codec, "headset type detect done!\n");
+ break;
+ }
+ msleep(20);
+ count++;
+ } while (count < 3);
+ val = snd_hda_codec_read(codec, 0x1c, 0, 0xcb0, 0x0);
+ if (val & 0x800) {
+ codec_dbg(codec, "headset plugin, type is CTIA\n");
+ snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x24);
+ } else if (val & 0x400) {
+ codec_dbg(codec, "headset plugin, type is OMTP\n");
+ snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x24);
+ } else {
+ codec_dbg(codec, "headphone plugin\n");
+ }
+}
+
+static void cx_update_headset_mic_vref(struct hda_codec *codec, unsigned int res)
+{
+ unsigned int phone_present, mic_persent, phone_tag, mic_tag;
+ struct conexant_spec *spec = codec->spec;
+
+ /* In cx8070 and sn6140, the node 16 can only be config to headphone or disabled,
+ * the node 19 can only be config to microphone or disabled.
+ * Check hp&mic tag to process headset pulgin&plugout.
+ */
+ phone_tag = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0);
+ mic_tag = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0);
+ if ((phone_tag & (res >> AC_UNSOL_RES_TAG_SHIFT)) ||
+ (mic_tag & (res >> AC_UNSOL_RES_TAG_SHIFT))) {
+ phone_present = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_PIN_SENSE, 0x0);
+ if (!(phone_present & AC_PINSENSE_PRESENCE)) {/* headphone plugout */
+ spec->headset_present_flag = CX_HEADSET_NOPRESENT;
+ snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20);
+ return;
+ }
+ if (spec->headset_present_flag == CX_HEADSET_NOPRESENT) {
+ spec->headset_present_flag = CX_HEADSET_PARTPRESENT;
+ } else if (spec->headset_present_flag == CX_HEADSET_PARTPRESENT) {
+ mic_persent = snd_hda_codec_read(codec, 0x19, 0,
+ AC_VERB_GET_PIN_SENSE, 0x0);
+ /* headset is present */
+ if ((phone_present & AC_PINSENSE_PRESENCE) &&
+ (mic_persent & AC_PINSENSE_PRESENCE)) {
+ cx_process_headset_plugin(codec);
+ spec->headset_present_flag = CX_HEADSET_ALLPRESENT;
+ }
+ }
+ }
+}
+
+static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res)
+{
+ struct conexant_spec *spec = codec->spec;
+
+ if (spec->is_cx8070_sn6140)
+ cx_update_headset_mic_vref(codec, res);
+
+ snd_hda_jack_unsol_event(codec, res);
+}
+
#ifdef CONFIG_PM
static int cx_auto_suspend(struct hda_codec *codec)
{
@@ -205,7 +307,7 @@ static const struct hda_codec_ops cx_auto_patch_ops = {
.build_pcms = snd_hda_gen_build_pcms,
.init = cx_auto_init,
.free = cx_auto_free,
- .unsol_event = snd_hda_jack_unsol_event,
+ .unsol_event = cx_jack_unsol_event,
#ifdef CONFIG_PM
.suspend = cx_auto_suspend,
.check_power_status = snd_hda_gen_check_power_status,
@@ -1042,6 +1144,15 @@ static int patch_conexant_auto(struct hda_codec *codec)
codec->spec = spec;
codec->patch_ops = cx_auto_patch_ops;
+ /* init cx8070/sn6140 flag and reset headset_present_flag */
+ switch (codec->core.vendor_id) {
+ case 0x14f11f86:
+ case 0x14f11f87:
+ spec->is_cx8070_sn6140 = true;
+ spec->headset_present_flag = CX_HEADSET_NOPRESENT;
+ break;
+ }
+
cx_auto_parse_eapd(codec);
spec->gen.own_eapd_ctl = 1;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 240/476] leds: trigger: panic: Dont register panic notifier if creating the trigger failed
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 239/476] ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140 Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 241/476] um: Fix naming clash between UML and scheduler Greg Kroah-Hartman
` (245 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
[ Upstream commit afacb21834bb02785ddb0c3ec197208803b74faa ]
It doesn't make sense to register the panic notifier if creating the
panic trigger failed.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Link: https://lore.kernel.org/r/8a61e229-5388-46c7-919a-4d18cc7362b2@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/trigger/ledtrig-panic.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/leds/trigger/ledtrig-panic.c b/drivers/leds/trigger/ledtrig-panic.c
index 64abf2e91608..5a6b21bfeb9a 100644
--- a/drivers/leds/trigger/ledtrig-panic.c
+++ b/drivers/leds/trigger/ledtrig-panic.c
@@ -64,10 +64,13 @@ static long led_panic_blink(int state)
static int __init ledtrig_panic_init(void)
{
+ led_trigger_register_simple("panic", &trigger);
+ if (!trigger)
+ return -ENOMEM;
+
atomic_notifier_chain_register(&panic_notifier_list,
&led_trigger_panic_nb);
- led_trigger_register_simple("panic", &trigger);
panic_blink = led_panic_blink;
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 241/476] um: Fix naming clash between UML and scheduler
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 240/476] leds: trigger: panic: Dont register panic notifier if creating the trigger failed Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 242/476] um: Dont use vfprintf() for os_info() Greg Kroah-Hartman
` (244 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Ivanov, Peter Lafreniere,
Richard Weinberger, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
[ Upstream commit 541d4e4d435c8b9bfd29f70a1da4a2db97794e0a ]
__cant_sleep was already used and exported by the scheduler.
The name had to be changed to a UML specific one.
Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Reviewed-by: Peter Lafreniere <peter@n8pjl.ca>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/um/include/shared/kern_util.h | 2 +-
arch/um/kernel/process.c | 2 +-
arch/um/os-Linux/helper.c | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/um/include/shared/kern_util.h b/arch/um/include/shared/kern_util.h
index a2cfd42608a0..cb798a50e8cf 100644
--- a/arch/um/include/shared/kern_util.h
+++ b/arch/um/include/shared/kern_util.h
@@ -50,7 +50,7 @@ extern void do_uml_exitcalls(void);
* Are we disallowed to sleep? Used to choose between GFP_KERNEL and
* GFP_ATOMIC.
*/
-extern int __cant_sleep(void);
+extern int __uml_cant_sleep(void);
extern int get_current_pid(void);
extern int copy_from_user_proc(void *to, void *from, int size);
extern int cpu(void);
diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
index b3fbfca49400..4b6179a8a3e8 100644
--- a/arch/um/kernel/process.c
+++ b/arch/um/kernel/process.c
@@ -218,7 +218,7 @@ void arch_cpu_idle(void)
raw_local_irq_enable();
}
-int __cant_sleep(void) {
+int __uml_cant_sleep(void) {
return in_atomic() || irqs_disabled() || in_interrupt();
/* Is in_interrupt() really needed? */
}
diff --git a/arch/um/os-Linux/helper.c b/arch/um/os-Linux/helper.c
index 32e88baf18dd..4e429a41565c 100644
--- a/arch/um/os-Linux/helper.c
+++ b/arch/um/os-Linux/helper.c
@@ -45,7 +45,7 @@ int run_helper(void (*pre_exec)(void *), void *pre_data, char **argv)
unsigned long stack, sp;
int pid, fds[2], ret, n;
- stack = alloc_stack(0, __cant_sleep());
+ stack = alloc_stack(0, __uml_cant_sleep());
if (stack == 0)
return -ENOMEM;
@@ -69,7 +69,7 @@ int run_helper(void (*pre_exec)(void *), void *pre_data, char **argv)
data.pre_data = pre_data;
data.argv = argv;
data.fd = fds[1];
- data.buf = __cant_sleep() ? uml_kmalloc(PATH_MAX, UM_GFP_ATOMIC) :
+ data.buf = __uml_cant_sleep() ? uml_kmalloc(PATH_MAX, UM_GFP_ATOMIC) :
uml_kmalloc(PATH_MAX, UM_GFP_KERNEL);
pid = clone(helper_child, (void *) sp, CLONE_VM, &data);
if (pid < 0) {
@@ -116,7 +116,7 @@ int run_helper_thread(int (*proc)(void *), void *arg, unsigned int flags,
unsigned long stack, sp;
int pid, status, err;
- stack = alloc_stack(0, __cant_sleep());
+ stack = alloc_stack(0, __uml_cant_sleep());
if (stack == 0)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 242/476] um: Dont use vfprintf() for os_info()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 241/476] um: Fix naming clash between UML and scheduler Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 243/476] um: net: Fix return type of uml_net_start_xmit() Greg Kroah-Hartman
` (243 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Richard Weinberger,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin@sipsolutions.net>
[ Upstream commit 236f9fe39b02c15fa5530b53e9cca48354394389 ]
The threads allocated inside the kernel have only a single page of
stack. Unfortunately, the vfprintf function in standard glibc may use
too much stack-space, overflowing it.
To make os_info safe to be used by helper threads, use the kernel
vscnprintf function into a smallish buffer and write out the information
to stderr.
Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/um/os-Linux/util.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/arch/um/os-Linux/util.c b/arch/um/os-Linux/util.c
index fc0f2a9dee5a..1dca4ffbd572 100644
--- a/arch/um/os-Linux/util.c
+++ b/arch/um/os-Linux/util.c
@@ -173,23 +173,38 @@ __uml_setup("quiet", quiet_cmd_param,
"quiet\n"
" Turns off information messages during boot.\n\n");
+/*
+ * The os_info/os_warn functions will be called by helper threads. These
+ * have a very limited stack size and using the libc formatting functions
+ * may overflow the stack.
+ * So pull in the kernel vscnprintf and use that instead with a fixed
+ * on-stack buffer.
+ */
+int vscnprintf(char *buf, size_t size, const char *fmt, va_list args);
+
void os_info(const char *fmt, ...)
{
+ char buf[256];
va_list list;
+ int len;
if (quiet_info)
return;
va_start(list, fmt);
- vfprintf(stderr, fmt, list);
+ len = vscnprintf(buf, sizeof(buf), fmt, list);
+ fwrite(buf, len, 1, stderr);
va_end(list);
}
void os_warn(const char *fmt, ...)
{
+ char buf[256];
va_list list;
+ int len;
va_start(list, fmt);
- vfprintf(stderr, fmt, list);
+ len = vscnprintf(buf, sizeof(buf), fmt, list);
+ fwrite(buf, len, 1, stderr);
va_end(list);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 243/476] um: net: Fix return type of uml_net_start_xmit()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 242/476] um: Dont use vfprintf() for os_info() Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 244/476] um: time-travel: fix time corruption Greg Kroah-Hartman
` (242 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Anton Ivanov,
Nathan Chancellor, Richard Weinberger, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 7d748f60a4b82b50bf25fad1bd42d33f049f76aa ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
warning in clang aims to catch these at compile time, which reveals:
arch/um/drivers/net_kern.c:353:21: warning: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Wincompatible-function-pointer-types-strict]
353 | .ndo_start_xmit = uml_net_start_xmit,
| ^~~~~~~~~~~~~~~~~~
1 warning generated.
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of uml_net_start_xmit()
to match the prototype's to resolve the warning. While UML does not
currently implement support for kCFI, it could in the future, which
means this warning becomes a fatal CFI failure at run time.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202310031340.v1vPh207-lkp@intel.com/
Acked-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/um/drivers/net_kern.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/um/drivers/net_kern.c b/arch/um/drivers/net_kern.c
index 2fc0b038ff8a..e24bc9aaff4a 100644
--- a/arch/um/drivers/net_kern.c
+++ b/arch/um/drivers/net_kern.c
@@ -204,7 +204,7 @@ static int uml_net_close(struct net_device *dev)
return 0;
}
-static int uml_net_start_xmit(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t uml_net_start_xmit(struct sk_buff *skb, struct net_device *dev)
{
struct uml_net_private *lp = netdev_priv(dev);
unsigned long flags;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 244/476] um: time-travel: fix time corruption
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 243/476] um: net: Fix return type of uml_net_start_xmit() Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 245/476] i3c: master: cdns: Update maximum prescaler value for i2c clock Greg Kroah-Hartman
` (241 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Whitchurch, Johannes Berg,
Richard Weinberger, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit abe4eaa8618bb36c2b33e9cdde0499296a23448c ]
In 'basic' time-travel mode (without =inf-cpu or =ext), we
still get timer interrupts. These can happen at arbitrary
points in time, i.e. while in timer_read(), which pushes
time forward just a little bit. Then, if we happen to get
the interrupt after calculating the new time to push to,
but before actually finishing that, the interrupt will set
the time to a value that's incompatible with the forward,
and we'll crash because time goes backwards when we do the
forwarding.
Fix this by reading the time_travel_time, calculating the
adjustment, and doing the adjustment all with interrupts
disabled.
Reported-by: Vincent Whitchurch <Vincent.Whitchurch@axis.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/um/kernel/time.c | 32 +++++++++++++++++++++++++++-----
1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/arch/um/kernel/time.c b/arch/um/kernel/time.c
index fddd1dec27e6..3e270da6b6f6 100644
--- a/arch/um/kernel/time.c
+++ b/arch/um/kernel/time.c
@@ -432,9 +432,29 @@ static void time_travel_update_time(unsigned long long next, bool idle)
time_travel_del_event(&ne);
}
+static void time_travel_update_time_rel(unsigned long long offs)
+{
+ unsigned long flags;
+
+ /*
+ * Disable interrupts before calculating the new time so
+ * that a real timer interrupt (signal) can't happen at
+ * a bad time e.g. after we read time_travel_time but
+ * before we've completed updating the time.
+ */
+ local_irq_save(flags);
+ time_travel_update_time(time_travel_time + offs, false);
+ local_irq_restore(flags);
+}
+
void time_travel_ndelay(unsigned long nsec)
{
- time_travel_update_time(time_travel_time + nsec, false);
+ /*
+ * Not strictly needed to use _rel() version since this is
+ * only used in INFCPU/EXT modes, but it doesn't hurt and
+ * is more readable too.
+ */
+ time_travel_update_time_rel(nsec);
}
EXPORT_SYMBOL(time_travel_ndelay);
@@ -568,7 +588,11 @@ static void time_travel_set_start(void)
#define time_travel_time 0
#define time_travel_ext_waiting 0
-static inline void time_travel_update_time(unsigned long long ns, bool retearly)
+static inline void time_travel_update_time(unsigned long long ns, bool idle)
+{
+}
+
+static inline void time_travel_update_time_rel(unsigned long long offs)
{
}
@@ -720,9 +744,7 @@ static u64 timer_read(struct clocksource *cs)
*/
if (!irqs_disabled() && !in_interrupt() && !in_softirq() &&
!time_travel_ext_waiting)
- time_travel_update_time(time_travel_time +
- TIMER_MULTIPLIER,
- false);
+ time_travel_update_time_rel(TIMER_MULTIPLIER);
return time_travel_time / TIMER_MULTIPLIER;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 245/476] i3c: master: cdns: Update maximum prescaler value for i2c clock
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 244/476] um: time-travel: fix time corruption Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 246/476] xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import Greg Kroah-Hartman
` (240 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harshit Shah, Alexandre Belloni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harshit Shah <harshitshah.opendev@gmail.com>
[ Upstream commit 374c13f9080a1b9835a5ed3e7bea93cf8e2dc262 ]
As per the Cadence IP document fixed the I2C clock divider value limit from
16 bits instead of 10 bits. Without this change setting up the I2C clock to
low frequencies will not work as the prescaler value might be greater than
10 bit number.
I3C clock divider value is 10 bits only. Updating the macro names for both.
Signed-off-by: Harshit Shah <harshitshah.opendev@gmail.com>
Link: https://lore.kernel.org/r/1703927483-28682-1-git-send-email-harshitshah.opendev@gmail.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/i3c-master-cdns.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index 4a49c75a9408..b9cfda6ae9ae 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -77,7 +77,8 @@
#define PRESCL_CTRL0 0x14
#define PRESCL_CTRL0_I2C(x) ((x) << 16)
#define PRESCL_CTRL0_I3C(x) (x)
-#define PRESCL_CTRL0_MAX GENMASK(9, 0)
+#define PRESCL_CTRL0_I3C_MAX GENMASK(9, 0)
+#define PRESCL_CTRL0_I2C_MAX GENMASK(15, 0)
#define PRESCL_CTRL1 0x18
#define PRESCL_CTRL1_PP_LOW_MASK GENMASK(15, 8)
@@ -1234,7 +1235,7 @@ static int cdns_i3c_master_bus_init(struct i3c_master_controller *m)
return -EINVAL;
pres = DIV_ROUND_UP(sysclk_rate, (bus->scl_rate.i3c * 4)) - 1;
- if (pres > PRESCL_CTRL0_MAX)
+ if (pres > PRESCL_CTRL0_I3C_MAX)
return -ERANGE;
bus->scl_rate.i3c = sysclk_rate / ((pres + 1) * 4);
@@ -1247,7 +1248,7 @@ static int cdns_i3c_master_bus_init(struct i3c_master_controller *m)
max_i2cfreq = bus->scl_rate.i2c;
pres = (sysclk_rate / (max_i2cfreq * 5)) - 1;
- if (pres > PRESCL_CTRL0_MAX)
+ if (pres > PRESCL_CTRL0_I2C_MAX)
return -ERANGE;
bus->scl_rate.i2c = sysclk_rate / ((pres + 1) * 5);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 246/476] xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 245/476] i3c: master: cdns: Update maximum prescaler value for i2c clock Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 247/476] mfd: ti_am335x_tscadc: Fix TI SoC dependencies Greg Kroah-Hartman
` (239 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Vetter, Oleksandr Tyshchenko,
Christian König, Stefano Stabellini, Juergen Gross,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
[ Upstream commit 2d2db7d40254d5fb53b11ebd703cd1ed0c5de7a1 ]
DO NOT access the underlying struct page of an sg table exported
by DMA-buf in dmabuf_imp_to_refs(), this is not allowed.
Please see drivers/dma-buf/dma-buf.c:mangle_sg_table() for details.
Fortunately, here (for special Xen device) we can avoid using
pages and calculate gfns directly from dma addresses provided by
the sg table.
Suggested-by: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Acked-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Daniel Vetter <daniel@ffwll.ch>
Link: https://lore.kernel.org/r/20240107103426.2038075-1-olekstysh@gmail.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/xen/gntdev-dmabuf.c | 50 ++++++++++++++++++-------------------
1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c
index 4c13cbc99896..398ea69c176c 100644
--- a/drivers/xen/gntdev-dmabuf.c
+++ b/drivers/xen/gntdev-dmabuf.c
@@ -11,6 +11,7 @@
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/dma-buf.h>
+#include <linux/dma-direct.h>
#include <linux/slab.h>
#include <linux/types.h>
#include <linux/uaccess.h>
@@ -56,7 +57,7 @@ struct gntdev_dmabuf {
/* Number of pages this buffer has. */
int nr_pages;
- /* Pages of this buffer. */
+ /* Pages of this buffer (only for dma-buf export). */
struct page **pages;
};
@@ -490,7 +491,7 @@ static int dmabuf_exp_from_refs(struct gntdev_priv *priv, int flags,
/* DMA buffer import support. */
static int
-dmabuf_imp_grant_foreign_access(struct page **pages, u32 *refs,
+dmabuf_imp_grant_foreign_access(unsigned long *gfns, u32 *refs,
int count, int domid)
{
grant_ref_t priv_gref_head;
@@ -513,7 +514,7 @@ dmabuf_imp_grant_foreign_access(struct page **pages, u32 *refs,
}
gnttab_grant_foreign_access_ref(cur_ref, domid,
- xen_page_to_gfn(pages[i]), 0);
+ gfns[i], 0);
refs[i] = cur_ref;
}
@@ -535,7 +536,6 @@ static void dmabuf_imp_end_foreign_access(u32 *refs, int count)
static void dmabuf_imp_free_storage(struct gntdev_dmabuf *gntdev_dmabuf)
{
- kfree(gntdev_dmabuf->pages);
kfree(gntdev_dmabuf->u.imp.refs);
kfree(gntdev_dmabuf);
}
@@ -555,12 +555,6 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
if (!gntdev_dmabuf->u.imp.refs)
goto fail;
- gntdev_dmabuf->pages = kcalloc(count,
- sizeof(gntdev_dmabuf->pages[0]),
- GFP_KERNEL);
- if (!gntdev_dmabuf->pages)
- goto fail;
-
gntdev_dmabuf->nr_pages = count;
for (i = 0; i < count; i++)
@@ -582,7 +576,8 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev,
struct dma_buf *dma_buf;
struct dma_buf_attachment *attach;
struct sg_table *sgt;
- struct sg_page_iter sg_iter;
+ struct sg_dma_page_iter sg_iter;
+ unsigned long *gfns;
int i;
dma_buf = dma_buf_get(fd);
@@ -630,26 +625,31 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev,
gntdev_dmabuf->u.imp.sgt = sgt;
- /* Now convert sgt to array of pages and check for page validity. */
+ gfns = kcalloc(count, sizeof(*gfns), GFP_KERNEL);
+ if (!gfns) {
+ ret = ERR_PTR(-ENOMEM);
+ goto fail_unmap;
+ }
+
+ /*
+ * Now convert sgt to array of gfns without accessing underlying pages.
+ * It is not allowed to access the underlying struct page of an sg table
+ * exported by DMA-buf, but since we deal with special Xen dma device here
+ * (not a normal physical one) look at the dma addresses in the sg table
+ * and then calculate gfns directly from them.
+ */
i = 0;
- for_each_sgtable_page(sgt, &sg_iter, 0) {
- struct page *page = sg_page_iter_page(&sg_iter);
- /*
- * Check if page is valid: this can happen if we are given
- * a page from VRAM or other resources which are not backed
- * by a struct page.
- */
- if (!pfn_valid(page_to_pfn(page))) {
- ret = ERR_PTR(-EINVAL);
- goto fail_unmap;
- }
+ for_each_sgtable_dma_page(sgt, &sg_iter, 0) {
+ dma_addr_t addr = sg_page_iter_dma_address(&sg_iter);
+ unsigned long pfn = bfn_to_pfn(XEN_PFN_DOWN(dma_to_phys(dev, addr)));
- gntdev_dmabuf->pages[i++] = page;
+ gfns[i++] = pfn_to_gfn(pfn);
}
- ret = ERR_PTR(dmabuf_imp_grant_foreign_access(gntdev_dmabuf->pages,
+ ret = ERR_PTR(dmabuf_imp_grant_foreign_access(gfns,
gntdev_dmabuf->u.imp.refs,
count, domid));
+ kfree(gfns);
if (IS_ERR(ret))
goto fail_end_access;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 247/476] mfd: ti_am335x_tscadc: Fix TI SoC dependencies
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 246/476] xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 248/476] mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt Greg Kroah-Hartman
` (238 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Robinson, Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Robinson <pbrobinson@gmail.com>
[ Upstream commit 284d16c456e5d4b143f375b8ccc4038ab3f4ee0f ]
The ti_am335x_tscadc is specific to some TI SoCs, update
the dependencies for those SoCs and compile testing.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Link: https://lore.kernel.org/r/20231220155643.445849-1-pbrobinson@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/Kconfig b/drivers/mfd/Kconfig
index ef550d33af92..1a790e7f6549 100644
--- a/drivers/mfd/Kconfig
+++ b/drivers/mfd/Kconfig
@@ -1377,6 +1377,7 @@ config MFD_DAVINCI_VOICECODEC
config MFD_TI_AM335X_TSCADC
tristate "TI ADC / Touch Screen chip support"
+ depends on ARCH_OMAP2PLUS || ARCH_K3 || COMPILE_TEST
select MFD_CORE
select REGMAP
select REGMAP_MMIO
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 248/476] mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 247/476] mfd: ti_am335x_tscadc: Fix TI SoC dependencies Greg Kroah-Hartman
@ 2024-02-21 13:04 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 249/476] PCI: Only override AMD USB controller if required Greg Kroah-Hartman
` (237 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaowu.ding, Viresh Kumar,
Jassi Brar, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaowu.ding <xiaowu.ding@jaguarmicro.com>
[ Upstream commit ee01c0b4384d19ecc5dfa7db3fd4303f965c3eba ]
Message Handling Unit version is v2.1.
When arm_mhuv2 working with the data protocol transfer mode.
We have split one mhu into two channels, and every channel
include four channel windows, the two channels share
one gic spi interrupt.
There is a problem with the sending scenario.
The first channel will take up 0-3 channel windows, and the second
channel take up 4-7 channel windows. When the first channel send the
data, and the receiver will clear all the four channels status.
Although we only enabled the interrupt on the last channel window with
register CH_INT_EN,the register CHCOMB_INT_ST0 will be 0xf, not be 0x8.
Currently we just clear the last channel windows int status with the
data proctol mode.So after that,the CHCOMB_INT_ST0 status will be 0x7,
not be the 0x0.
Then the second channel send the data, the receiver read the
data, clear all the four channel windows status, trigger the sender
interrupt. But currently the CHCOMB_INT_ST0 register will be 0xf7,
get_irq_chan_comb function will always return the first channel.
So this patch clear all channel windows int status to avoid this interrupt
confusion.
Signed-off-by: Xiaowu.ding <xiaowu.ding@jaguarmicro.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/arm_mhuv2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mailbox/arm_mhuv2.c b/drivers/mailbox/arm_mhuv2.c
index 3af15083a25a..68f766621b9b 100644
--- a/drivers/mailbox/arm_mhuv2.c
+++ b/drivers/mailbox/arm_mhuv2.c
@@ -552,7 +552,8 @@ static irqreturn_t mhuv2_sender_interrupt(int irq, void *data)
priv = chan->con_priv;
if (!IS_PROTOCOL_DOORBELL(priv)) {
- writel_relaxed(1, &mhu->send->ch_wn[priv->ch_wn_idx + priv->windows - 1].int_clr);
+ for (i = 0; i < priv->windows; i++)
+ writel_relaxed(1, &mhu->send->ch_wn[priv->ch_wn_idx + i].int_clr);
if (chan->cl) {
mbox_chan_txdone(chan, 0);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 249/476] PCI: Only override AMD USB controller if required
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2024-02-21 13:04 ` [PATCH 5.15 248/476] mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 250/476] PCI: switchtec: Fix stdev_release() crash after surprise hot remove Greg Kroah-Hartman
` (236 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guilherme G. Piccoli, Bjorn Helgaas,
Huang Rui, Vicki Pfau, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guilherme G. Piccoli <gpiccoli@igalia.com>
[ Upstream commit e585a37e5061f6d5060517aed1ca4ccb2e56a34c ]
By running a Van Gogh device (Steam Deck), the following message
was noticed in the kernel log:
pci 0000:04:00.3: PCI class overridden (0x0c03fe -> 0x0c03fe) so dwc3 driver can claim this instead of xhci
Effectively this means the quirk executed but changed nothing, since the
class of this device was already the proper one (likely adjusted by newer
firmware versions).
Check and perform the override only if necessary.
Link: https://lore.kernel.org/r/20231120160531.361552-1-gpiccoli@igalia.com
Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Huang Rui <ray.huang@amd.com>
Cc: Vicki Pfau <vi@endrift.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/quirks.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index be43ea2a15e7..fcdc17bbcc8e 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -604,10 +604,13 @@ static void quirk_amd_dwc_class(struct pci_dev *pdev)
{
u32 class = pdev->class;
- /* Use "USB Device (not host controller)" class */
- pdev->class = PCI_CLASS_SERIAL_USB_DEVICE;
- pci_info(pdev, "PCI class overridden (%#08x -> %#08x) so dwc3 driver can claim this instead of xhci\n",
- class, pdev->class);
+ if (class != PCI_CLASS_SERIAL_USB_DEVICE) {
+ /* Use "USB Device (not host controller)" class */
+ pdev->class = PCI_CLASS_SERIAL_USB_DEVICE;
+ pci_info(pdev,
+ "PCI class overridden (%#08x -> %#08x) so dwc3 driver can claim this instead of xhci\n",
+ class, pdev->class);
+ }
}
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_NL_USB,
quirk_amd_dwc_class);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 250/476] PCI: switchtec: Fix stdev_release() crash after surprise hot remove
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 249/476] PCI: Only override AMD USB controller if required Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 251/476] perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present Greg Kroah-Hartman
` (235 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Stodden, Bjorn Helgaas,
Logan Gunthorpe, Dmitry Safonov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Stodden <dns@arista.com>
[ Upstream commit df25461119d987b8c81d232cfe4411e91dcabe66 ]
A PCI device hot removal may occur while stdev->cdev is held open. The call
to stdev_release() then happens during close or exit, at a point way past
switchtec_pci_remove(). Otherwise the last ref would vanish with the
trailing put_device(), just before return.
At that later point in time, the devm cleanup has already removed the
stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted
one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause
a fatal page fault, and the subsequent dma_free_coherent(), if reached,
would pass a stale &stdev->pdev->dev pointer.
Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after
stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent
future accidents.
Reproducible via the script at
https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com
Link: https://lore.kernel.org/r/20231122042316.91208-2-dns@arista.com
Signed-off-by: Daniel Stodden <dns@arista.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Reviewed-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/switch/switchtec.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c
index d021ef3fb165..2a026183f06b 100644
--- a/drivers/pci/switch/switchtec.c
+++ b/drivers/pci/switch/switchtec.c
@@ -1250,13 +1250,6 @@ static void stdev_release(struct device *dev)
{
struct switchtec_dev *stdev = to_stdev(dev);
- if (stdev->dma_mrpc) {
- iowrite32(0, &stdev->mmio_mrpc->dma_en);
- flush_wc_buf(stdev);
- writeq(0, &stdev->mmio_mrpc->dma_addr);
- dma_free_coherent(&stdev->pdev->dev, sizeof(*stdev->dma_mrpc),
- stdev->dma_mrpc, stdev->dma_mrpc_dma_addr);
- }
kfree(stdev);
}
@@ -1300,7 +1293,7 @@ static struct switchtec_dev *stdev_create(struct pci_dev *pdev)
return ERR_PTR(-ENOMEM);
stdev->alive = true;
- stdev->pdev = pdev;
+ stdev->pdev = pci_dev_get(pdev);
INIT_LIST_HEAD(&stdev->mrpc_queue);
mutex_init(&stdev->mrpc_mutex);
stdev->mrpc_busy = 0;
@@ -1334,6 +1327,7 @@ static struct switchtec_dev *stdev_create(struct pci_dev *pdev)
return stdev;
err_put:
+ pci_dev_put(stdev->pdev);
put_device(&stdev->dev);
return ERR_PTR(rc);
}
@@ -1586,6 +1580,18 @@ static int switchtec_init_pci(struct switchtec_dev *stdev,
return 0;
}
+static void switchtec_exit_pci(struct switchtec_dev *stdev)
+{
+ if (stdev->dma_mrpc) {
+ iowrite32(0, &stdev->mmio_mrpc->dma_en);
+ flush_wc_buf(stdev);
+ writeq(0, &stdev->mmio_mrpc->dma_addr);
+ dma_free_coherent(&stdev->pdev->dev, sizeof(*stdev->dma_mrpc),
+ stdev->dma_mrpc, stdev->dma_mrpc_dma_addr);
+ stdev->dma_mrpc = NULL;
+ }
+}
+
static int switchtec_pci_probe(struct pci_dev *pdev,
const struct pci_device_id *id)
{
@@ -1645,6 +1651,9 @@ static void switchtec_pci_remove(struct pci_dev *pdev)
ida_simple_remove(&switchtec_minor_ida, MINOR(stdev->dev.devt));
dev_info(&stdev->dev, "unregistered.\n");
stdev_kill(stdev);
+ switchtec_exit_pci(stdev);
+ pci_dev_put(stdev->pdev);
+ stdev->pdev = NULL;
put_device(&stdev->dev);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 251/476] perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 250/476] PCI: switchtec: Fix stdev_release() crash after surprise hot remove Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 252/476] usb: hub: Replace hardcoded quirk value with BIT() macro Greg Kroah-Hartman
` (234 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, James Clark, Leo Yan,
John Garry, Mike Leach, Will Deacon, linux-arm-kernel,
Arnaldo Carvalho de Melo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Clark <james.clark@arm.com>
[ Upstream commit 2dbba30fd69b604802a9535b74bddb5bcca23793 ]
Since commit d927ef5004ef ("perf cs-etm: Add exception level consistency
check"), the exception that was added to Perf will be triggered unless
the following bugfix from OpenCSD is present:
- _Version 1.2.1_:
- __Bugfix__:
ETM4x / ETE - output of context elements to client can in some
circumstances be delayed until after subsequent atoms have been
processed leading to incorrect memory decode access via the client
callbacks. Fixed to flush context elements immediately they are
committed.
Rather than remove the assert and silently fail, just increase the
minimum version requirement to avoid hard to debug issues and
regressions.
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: James Clark <james.clark@arm.com>
Tested-by: Leo Yan <leo.yan@linaro.org>
Cc: John Garry <john.g.garry@oracle.com>
Cc: Mike Leach <mike.leach@linaro.org>
Cc: Will Deacon <will@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
Link: https://lore.kernel.org/r/20230901133716.677499-1-james.clark@arm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/build/feature/test-libopencsd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/build/feature/test-libopencsd.c b/tools/build/feature/test-libopencsd.c
index eb6303ff446e..4cfcef9da3e4 100644
--- a/tools/build/feature/test-libopencsd.c
+++ b/tools/build/feature/test-libopencsd.c
@@ -4,9 +4,9 @@
/*
* Check OpenCSD library version is sufficient to provide required features
*/
-#define OCSD_MIN_VER ((1 << 16) | (1 << 8) | (1))
+#define OCSD_MIN_VER ((1 << 16) | (2 << 8) | (1))
#if !defined(OCSD_VER_NUM) || (OCSD_VER_NUM < OCSD_MIN_VER)
-#error "OpenCSD >= 1.1.1 is required"
+#error "OpenCSD >= 1.2.1 is required"
#endif
int main(void)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 252/476] usb: hub: Replace hardcoded quirk value with BIT() macro
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 251/476] perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 253/476] selftests/sgx: Fix linker script asserts Greg Kroah-Hartman
` (233 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hardik Gajjar, Alan Stern, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hardik Gajjar <hgajjar@de.adit-jv.com>
[ Upstream commit 6666ea93d2c422ebeb8039d11e642552da682070 ]
This patch replaces the hardcoded quirk value in the macro with
BIT().
Signed-off-by: Hardik Gajjar <hgajjar@de.adit-jv.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20231205181829.127353-1-hgajjar@de.adit-jv.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/core/hub.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 4bed41ca6b0f..46fdccd10c23 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -46,8 +46,8 @@
#define USB_VENDOR_TEXAS_INSTRUMENTS 0x0451
#define USB_PRODUCT_TUSB8041_USB3 0x8140
#define USB_PRODUCT_TUSB8041_USB2 0x8142
-#define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01
-#define HUB_QUIRK_DISABLE_AUTOSUSPEND 0x02
+#define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND BIT(0)
+#define HUB_QUIRK_DISABLE_AUTOSUSPEND BIT(1)
#define USB_TP_TRANSMISSION_DELAY 40 /* ns */
#define USB_TP_TRANSMISSION_DELAY_MAX 65535 /* ns */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 253/476] selftests/sgx: Fix linker script asserts
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 252/476] usb: hub: Replace hardcoded quirk value with BIT() macro Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 254/476] tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE Greg Kroah-Hartman
` (232 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jo Van Bulck, Dave Hansen,
Jarkko Sakkinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
[ Upstream commit 9fd552ee32c6c1e27c125016b87d295bea6faea7 ]
DEFINED only considers symbols, not section names. Hence, replace the
check for .got.plt with the _GLOBAL_OFFSET_TABLE_ symbol and remove other
(non-essential) asserts.
Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Link: https://lore.kernel.org/all/20231005153854.25566-10-jo.vanbulck%40cs.kuleuven.be
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/sgx/test_encl.lds | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/tools/testing/selftests/sgx/test_encl.lds b/tools/testing/selftests/sgx/test_encl.lds
index a1ec64f7d91f..108bc11d1d8c 100644
--- a/tools/testing/selftests/sgx/test_encl.lds
+++ b/tools/testing/selftests/sgx/test_encl.lds
@@ -34,8 +34,4 @@ SECTIONS
}
}
-ASSERT(!DEFINED(.altinstructions), "ALTERNATIVES are not supported in enclaves")
-ASSERT(!DEFINED(.altinstr_replacement), "ALTERNATIVES are not supported in enclaves")
-ASSERT(!DEFINED(.discard.retpoline_safe), "RETPOLINE ALTERNATIVES are not supported in enclaves")
-ASSERT(!DEFINED(.discard.nospec), "RETPOLINE ALTERNATIVES are not supported in enclaves")
-ASSERT(!DEFINED(.got.plt), "Libcalls are not supported in enclaves")
+ASSERT(!DEFINED(_GLOBAL_OFFSET_TABLE_), "Libcalls through GOT are not supported in enclaves")
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 254/476] tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 253/476] selftests/sgx: Fix linker script asserts Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 255/476] fs/kernfs/dir: obey S_ISGID Greg Kroah-Hartman
` (231 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Adrian Reber,
Andrei Vagin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Reber <areber@redhat.com>
[ Upstream commit e0f25b8992345aa5f113da2815f5add98738c611 ]
The capability CAP_CHECKPOINT_RESTORE was introduced to allow non-root
users to checkpoint and restore processes as non-root with CRIU.
This change extends CAP_CHECKPOINT_RESTORE to enable the CRIU option
'--shell-job' as non-root. CRIU's man-page describes the '--shell-job'
option like this:
Allow one to dump shell jobs. This implies the restored task will
inherit session and process group ID from the criu itself. This option
also allows to migrate a single external tty connection, to migrate
applications like top.
TIOCSLCKTRMIOS can only be done if the process has CAP_SYS_ADMIN and
this change extends it to CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE.
With this change it is possible to checkpoint and restore processes
which have a tty connection as non-root if CAP_CHECKPOINT_RESTORE is
set.
Acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Adrian Reber <areber@redhat.com>
Acked-by: Andrei Vagin <avagin@gmail.com>
Link: https://lore.kernel.org/r/20231208143656.1019-1-areber@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/tty_ioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
index dac1e2568803..224f13b98312 100644
--- a/drivers/tty/tty_ioctl.c
+++ b/drivers/tty/tty_ioctl.c
@@ -786,7 +786,7 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file,
ret = -EFAULT;
return ret;
case TIOCSLCKTRMIOS:
- if (!capable(CAP_SYS_ADMIN))
+ if (!checkpoint_restore_ns_capable(&init_user_ns))
return -EPERM;
copy_termios_locked(real_tty, &kterm);
if (user_termios_to_kernel_termios(&kterm,
@@ -803,7 +803,7 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file,
ret = -EFAULT;
return ret;
case TIOCSLCKTRMIOS:
- if (!capable(CAP_SYS_ADMIN))
+ if (!checkpoint_restore_ns_capable(&init_user_ns))
return -EPERM;
copy_termios_locked(real_tty, &kterm);
if (user_termios_to_kernel_termios_1(&kterm,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 255/476] fs/kernfs/dir: obey S_ISGID
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 254/476] tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 256/476] PCI: Fix 64GT/s effective data rate calculation Greg Kroah-Hartman
` (230 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Tejun Heo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
[ Upstream commit 5133bee62f0ea5d4c316d503cc0040cac5637601 ]
Handling of S_ISGID is usually done by inode_init_owner() in all other
filesystems, but kernfs doesn't use that function. In kernfs, struct
kernfs_node is the primary data structure, and struct inode is only
created from it on demand. Therefore, inode_init_owner() can't be
used and we need to imitate its behavior.
S_ISGID support is useful for the cgroup filesystem; it allows
subtrees managed by an unprivileged process to retain a certain owner
gid, which then enables sharing access to the subtree with another
unprivileged process.
--
v1 -> v2: minor coding style fix (comment)
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20231208093310.297233-2-max.kellermann@ionos.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/kernfs/dir.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index 6a1cb2a182b6..36430bdf9381 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -654,6 +654,18 @@ struct kernfs_node *kernfs_new_node(struct kernfs_node *parent,
{
struct kernfs_node *kn;
+ if (parent->mode & S_ISGID) {
+ /* this code block imitates inode_init_owner() for
+ * kernfs
+ */
+
+ if (parent->iattr)
+ gid = parent->iattr->ia_gid;
+
+ if (flags & KERNFS_DIR)
+ mode |= S_ISGID;
+ }
+
kn = __kernfs_new_node(kernfs_root(parent), parent,
name, mode, uid, gid, flags);
if (kn) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 256/476] PCI: Fix 64GT/s effective data rate calculation
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 255/476] fs/kernfs/dir: obey S_ISGID Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 257/476] PCI/AER: Decode Requester ID when no error info found Greg Kroah-Hartman
` (229 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Bjorn Helgaas,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit ac4f1897fa5433a1b07a625503a91b6aa9d7e643 ]
Unlike the lower rates, the PCIe 64GT/s Data Rate uses 1b/1b encoding, not
128b/130b (PCIe r6.1 sec 1.2, Table 1-1). Correct the PCIE_SPEED2MBS_ENC()
calculation to reflect that.
Link: https://lore.kernel.org/r/20240102172701.65501-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index 72280e9b23b2..2b5337980da7 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -312,7 +312,7 @@ void pci_bus_put(struct pci_bus *bus);
/* PCIe speed to Mb/s reduced by encoding overhead */
#define PCIE_SPEED2MBS_ENC(speed) \
- ((speed) == PCIE_SPEED_64_0GT ? 64000*128/130 : \
+ ((speed) == PCIE_SPEED_64_0GT ? 64000*1/1 : \
(speed) == PCIE_SPEED_32_0GT ? 32000*128/130 : \
(speed) == PCIE_SPEED_16_0GT ? 16000*128/130 : \
(speed) == PCIE_SPEED_8_0GT ? 8000*128/130 : \
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 257/476] PCI/AER: Decode Requester ID when no error info found
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 256/476] PCI: Fix 64GT/s effective data rate calculation Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 258/476] misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback Greg Kroah-Hartman
` (228 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Jonathan Cameron,
Kuppuswamy Sathyanarayanan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit 1291b716bbf969e101d517bfb8ba18d958f758b8 ]
When a device with AER detects an error, it logs error information in its
own AER Error Status registers. It may send an Error Message to the Root
Port (RCEC in the case of an RCiEP), which logs the fact that an Error
Message was received (Root Error Status) and the Requester ID of the
message source (Error Source Identification).
aer_print_port_info() prints the Requester ID from the Root Port Error
Source in the usual Linux "bb:dd.f" format, but when find_source_device()
finds no error details in the hierarchy below the Root Port, it printed the
raw Requester ID without decoding it.
Decode the Requester ID in the usual Linux format so it matches other
messages.
Sample message changes:
- pcieport 0000:00:1c.5: AER: Correctable error received: 0000:00:1c.5
- pcieport 0000:00:1c.5: AER: can't find device of ID00e5
+ pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5
+ pcieport 0000:00:1c.5: AER: found no error details for 0000:00:1c.5
Link: https://lore.kernel.org/r/20231206224231.732765-3-helgaas@kernel.org
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pcie/aer.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pcie/aer.c b/drivers/pci/pcie/aer.c
index ca9ac8c6a202..4f7744aab6c7 100644
--- a/drivers/pci/pcie/aer.c
+++ b/drivers/pci/pcie/aer.c
@@ -743,7 +743,7 @@ static void aer_print_port_info(struct pci_dev *dev, struct aer_err_info *info)
u8 bus = info->id >> 8;
u8 devfn = info->id & 0xff;
- pci_info(dev, "%s%s error received: %04x:%02x:%02x.%d\n",
+ pci_info(dev, "%s%s error message received from %04x:%02x:%02x.%d\n",
info->multi_error_valid ? "Multiple " : "",
aer_error_severity_string[info->severity],
pci_domain_nr(dev->bus), bus, PCI_SLOT(devfn),
@@ -931,7 +931,12 @@ static bool find_source_device(struct pci_dev *parent,
pci_walk_bus(parent->subordinate, find_device_iter, e_info);
if (!e_info->error_dev_num) {
- pci_info(parent, "can't find device of ID%04x\n", e_info->id);
+ u8 bus = e_info->id >> 8;
+ u8 devfn = e_info->id & 0xff;
+
+ pci_info(parent, "found no error details for %04x:%02x:%02x.%d\n",
+ pci_domain_nr(parent->bus), bus, PCI_SLOT(devfn),
+ PCI_FUNC(devfn));
return false;
}
return true;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 258/476] misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 257/476] PCI/AER: Decode Requester ID when no error info found Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 18:15 ` Hans de Goede
2024-02-21 13:05 ` [PATCH 5.15 259/476] libsubcmd: Fix memory leak in uniq() Greg Kroah-Hartman
` (227 subsequent siblings)
485 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit b1b9f7a494400c0c39f8cd83de3aaa6111c55087 ]
The lis3lv02d_i2c driver was missing a line to set the lis3_dev's
reg_ctrl callback.
lis3_reg_ctrl(on) is called from the init callback, but due to
the missing reg_ctrl callback the regulators where never turned off
again leading to the following oops/backtrace when detaching the driver:
[ 82.313527] ------------[ cut here ]------------
[ 82.313546] WARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put+0x219/0x230
...
[ 82.313695] RIP: 0010:_regulator_put+0x219/0x230
...
[ 82.314767] Call Trace:
[ 82.314770] <TASK>
[ 82.314772] ? _regulator_put+0x219/0x230
[ 82.314777] ? __warn+0x81/0x170
[ 82.314784] ? _regulator_put+0x219/0x230
[ 82.314791] ? report_bug+0x18d/0x1c0
[ 82.314801] ? handle_bug+0x3c/0x80
[ 82.314806] ? exc_invalid_op+0x13/0x60
[ 82.314812] ? asm_exc_invalid_op+0x16/0x20
[ 82.314845] ? _regulator_put+0x219/0x230
[ 82.314857] regulator_bulk_free+0x39/0x60
[ 82.314865] i2c_device_remove+0x22/0xb0
Add the missing setting of the callback so that the regulators
properly get turned off again when not used.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20231224183402.95640-1-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/lis3lv02d/lis3lv02d_i2c.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/misc/lis3lv02d/lis3lv02d_i2c.c b/drivers/misc/lis3lv02d/lis3lv02d_i2c.c
index 52555d2e824b..ab1db760ba4e 100644
--- a/drivers/misc/lis3lv02d/lis3lv02d_i2c.c
+++ b/drivers/misc/lis3lv02d/lis3lv02d_i2c.c
@@ -151,6 +151,7 @@ static int lis3lv02d_i2c_probe(struct i2c_client *client,
lis3_dev.init = lis3_i2c_init;
lis3_dev.read = lis3_i2c_read;
lis3_dev.write = lis3_i2c_write;
+ lis3_dev.reg_ctrl = lis3_reg_ctrl;
lis3_dev.irq = client->irq;
lis3_dev.ac = lis3lv02d_axis_map;
lis3_dev.pm_dev = &client->dev;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 259/476] libsubcmd: Fix memory leak in uniq()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 258/476] misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 260/476] drm/amdkfd: Fix lock dependency warning Greg Kroah-Hartman
` (226 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Chenyuan Mi, Ingo Molnar, Jiri Olsa,
Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit ad30469a841b50dbb541df4d6971d891f703c297 ]
uniq() will write one command name over another causing the overwritten
string to be leaked. Fix by doing a pass that removes duplicates and a
second that removes the holes.
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Chenyuan Mi <cymi20@fudan.edu.cn>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20231208000515.1693746-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/subcmd/help.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/tools/lib/subcmd/help.c b/tools/lib/subcmd/help.c
index bf02d62a3b2b..42f57b640f11 100644
--- a/tools/lib/subcmd/help.c
+++ b/tools/lib/subcmd/help.c
@@ -50,11 +50,21 @@ void uniq(struct cmdnames *cmds)
if (!cmds->cnt)
return;
- for (i = j = 1; i < cmds->cnt; i++)
- if (strcmp(cmds->names[i]->name, cmds->names[i-1]->name))
- cmds->names[j++] = cmds->names[i];
-
+ for (i = 1; i < cmds->cnt; i++) {
+ if (!strcmp(cmds->names[i]->name, cmds->names[i-1]->name))
+ zfree(&cmds->names[i - 1]);
+ }
+ for (i = 0, j = 0; i < cmds->cnt; i++) {
+ if (cmds->names[i]) {
+ if (i == j)
+ j++;
+ else
+ cmds->names[j++] = cmds->names[i];
+ }
+ }
cmds->cnt = j;
+ while (j < i)
+ cmds->names[j++] = NULL;
}
void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 260/476] drm/amdkfd: Fix lock dependency warning
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 259/476] libsubcmd: Fix memory leak in uniq() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 261/476] =?UTF-8?q?virtio=5Fnet:=20Fix=20"=E2=80=98%d=E2=80=99=20directive?= =?UTF-8?q?=20writing=20between=201=20and=2011=20bytes=20into=20a=20region?= =?UTF-8?q?=20of=20size=2010"=20warnings?= Greg Kroah-Hartman
` (225 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Kuehling, Philip Yang,
Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Kuehling <felix.kuehling@amd.com>
[ Upstream commit 47bf0f83fc86df1bf42b385a91aadb910137c5c9 ]
======================================================
WARNING: possible circular locking dependency detected
6.5.0-kfd-fkuehlin #276 Not tainted
------------------------------------------------------
kworker/8:2/2676 is trying to acquire lock:
ffff9435aae95c88 ((work_completion)(&svm_bo->eviction_work)){+.+.}-{0:0}, at: __flush_work+0x52/0x550
but task is already holding lock:
ffff9435cd8e1720 (&svms->lock){+.+.}-{3:3}, at: svm_range_deferred_list_work+0xe8/0x340 [amdgpu]
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&svms->lock){+.+.}-{3:3}:
__mutex_lock+0x97/0xd30
kfd_ioctl_alloc_memory_of_gpu+0x6d/0x3c0 [amdgpu]
kfd_ioctl+0x1b2/0x5d0 [amdgpu]
__x64_sys_ioctl+0x86/0xc0
do_syscall_64+0x39/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
-> #1 (&mm->mmap_lock){++++}-{3:3}:
down_read+0x42/0x160
svm_range_evict_svm_bo_worker+0x8b/0x340 [amdgpu]
process_one_work+0x27a/0x540
worker_thread+0x53/0x3e0
kthread+0xeb/0x120
ret_from_fork+0x31/0x50
ret_from_fork_asm+0x11/0x20
-> #0 ((work_completion)(&svm_bo->eviction_work)){+.+.}-{0:0}:
__lock_acquire+0x1426/0x2200
lock_acquire+0xc1/0x2b0
__flush_work+0x80/0x550
__cancel_work_timer+0x109/0x190
svm_range_bo_release+0xdc/0x1c0 [amdgpu]
svm_range_free+0x175/0x180 [amdgpu]
svm_range_deferred_list_work+0x15d/0x340 [amdgpu]
process_one_work+0x27a/0x540
worker_thread+0x53/0x3e0
kthread+0xeb/0x120
ret_from_fork+0x31/0x50
ret_from_fork_asm+0x11/0x20
other info that might help us debug this:
Chain exists of:
(work_completion)(&svm_bo->eviction_work) --> &mm->mmap_lock --> &svms->lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&svms->lock);
lock(&mm->mmap_lock);
lock(&svms->lock);
lock((work_completion)(&svm_bo->eviction_work));
I believe this cannot really lead to a deadlock in practice, because
svm_range_evict_svm_bo_worker only takes the mmap_read_lock if the BO
refcount is non-0. That means it's impossible that svm_range_bo_release
is running concurrently. However, there is no good way to annotate this.
To avoid the problem, take a BO reference in
svm_range_schedule_evict_svm_bo instead of in the worker. That way it's
impossible for a BO to get freed while eviction work is pending and the
cancel_work_sync call in svm_range_bo_release can be eliminated.
v2: Use svm_bo_ref_unless_zero and explained why that's safe. Also
removed redundant checks that are already done in
amdkfd_fence_enable_signaling.
Signed-off-by: Felix Kuehling <felix.kuehling@amd.com>
Reviewed-by: Philip Yang <philip.yang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
index 2cbe8ea16f24..e2d4e2b42a7c 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -347,14 +347,9 @@ static void svm_range_bo_release(struct kref *kref)
spin_lock(&svm_bo->list_lock);
}
spin_unlock(&svm_bo->list_lock);
- if (!dma_fence_is_signaled(&svm_bo->eviction_fence->base)) {
- /* We're not in the eviction worker.
- * Signal the fence and synchronize with any
- * pending eviction work.
- */
+ if (!dma_fence_is_signaled(&svm_bo->eviction_fence->base))
+ /* We're not in the eviction worker. Signal the fence. */
dma_fence_signal(&svm_bo->eviction_fence->base);
- cancel_work_sync(&svm_bo->eviction_work);
- }
dma_fence_put(&svm_bo->eviction_fence->base);
amdgpu_bo_unref(&svm_bo->bo);
kfree(svm_bo);
@@ -2872,13 +2867,14 @@ svm_range_trigger_migration(struct mm_struct *mm, struct svm_range *prange,
int svm_range_schedule_evict_svm_bo(struct amdgpu_amdkfd_fence *fence)
{
- if (!fence)
- return -EINVAL;
-
- if (dma_fence_is_signaled(&fence->base))
- return 0;
-
- if (fence->svm_bo) {
+ /* Dereferencing fence->svm_bo is safe here because the fence hasn't
+ * signaled yet and we're under the protection of the fence->lock.
+ * After the fence is signaled in svm_range_bo_release, we cannot get
+ * here any more.
+ *
+ * Reference is dropped in svm_range_evict_svm_bo_worker.
+ */
+ if (svm_bo_ref_unless_zero(fence->svm_bo)) {
WRITE_ONCE(fence->svm_bo->evicting, 1);
schedule_work(&fence->svm_bo->eviction_work);
}
@@ -2893,8 +2889,6 @@ static void svm_range_evict_svm_bo_worker(struct work_struct *work)
struct mm_struct *mm;
svm_bo = container_of(work, struct svm_range_bo, eviction_work);
- if (!svm_bo_ref_unless_zero(svm_bo))
- return; /* svm_bo was freed while eviction was pending */
/* svm_range_bo_release destroys this worker thread. So during
* the lifetime of this thread, kfd_process and mm will be valid.
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 261/476] =?UTF-8?q?virtio=5Fnet:=20Fix=20"=E2=80=98%d=E2=80=99=20directive?= =?UTF-8?q?=20writing=20between=201=20and=2011=20bytes=20into=20a=20region?= =?UTF-8?q?=20of=20size=2010"=20warnings?=
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 260/476] drm/amdkfd: Fix lock dependency warning Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 262/476] blk-mq: fix IO hang from sbitmap wakeup race Greg Kroah-Hartman
` (224 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xuan Zhuo, Zhu Yanjun,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Yanjun <yanjun.zhu@linux.dev>
[ Upstream commit e3fe8d28c67bf6c291e920c6d04fa22afa14e6e4 ]
Fix the warnings when building virtio_net driver.
"
drivers/net/virtio_net.c: In function ‘init_vqs’:
drivers/net/virtio_net.c:4551:48: warning: ‘%d’ directive writing between 1 and 11 bytes into a region of size 10 [-Wformat-overflow=]
4551 | sprintf(vi->rq[i].name, "input.%d", i);
| ^~
In function ‘virtnet_find_vqs’,
inlined from ‘init_vqs’ at drivers/net/virtio_net.c:4645:8:
drivers/net/virtio_net.c:4551:41: note: directive argument in the range [-2147483643, 65534]
4551 | sprintf(vi->rq[i].name, "input.%d", i);
| ^~~~~~~~~~
drivers/net/virtio_net.c:4551:17: note: ‘sprintf’ output between 8 and 18 bytes into a destination of size 16
4551 | sprintf(vi->rq[i].name, "input.%d", i);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/virtio_net.c: In function ‘init_vqs’:
drivers/net/virtio_net.c:4552:49: warning: ‘%d’ directive writing between 1 and 11 bytes into a region of size 9 [-Wformat-overflow=]
4552 | sprintf(vi->sq[i].name, "output.%d", i);
| ^~
In function ‘virtnet_find_vqs’,
inlined from ‘init_vqs’ at drivers/net/virtio_net.c:4645:8:
drivers/net/virtio_net.c:4552:41: note: directive argument in the range [-2147483643, 65534]
4552 | sprintf(vi->sq[i].name, "output.%d", i);
| ^~~~~~~~~~~
drivers/net/virtio_net.c:4552:17: note: ‘sprintf’ output between 9 and 19 bytes into a destination of size 16
4552 | sprintf(vi->sq[i].name, "output.%d", i);
"
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Link: https://lore.kernel.org/r/20240104020902.2753599-1-yanjun.zhu@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/virtio_net.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 3eefe8171925..6a655bd442fe 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -2913,10 +2913,11 @@ static int virtnet_find_vqs(struct virtnet_info *vi)
{
vq_callback_t **callbacks;
struct virtqueue **vqs;
- int ret = -ENOMEM;
- int i, total_vqs;
const char **names;
+ int ret = -ENOMEM;
+ int total_vqs;
bool *ctx;
+ u16 i;
/* We expect 1 RX virtqueue followed by 1 TX virtqueue, followed by
* possible N-1 RX/TX queue pairs used in multiqueue mode, followed by
@@ -2953,8 +2954,8 @@ static int virtnet_find_vqs(struct virtnet_info *vi)
for (i = 0; i < vi->max_queue_pairs; i++) {
callbacks[rxq2vq(i)] = skb_recv_done;
callbacks[txq2vq(i)] = skb_xmit_done;
- sprintf(vi->rq[i].name, "input.%d", i);
- sprintf(vi->sq[i].name, "output.%d", i);
+ sprintf(vi->rq[i].name, "input.%u", i);
+ sprintf(vi->sq[i].name, "output.%u", i);
names[rxq2vq(i)] = vi->rq[i].name;
names[txq2vq(i)] = vi->sq[i].name;
if (ctx)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 262/476] blk-mq: fix IO hang from sbitmap wakeup race
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 261/476] =?UTF-8?q?virtio=5Fnet:=20Fix=20"=E2=80=98%d=E2=80=99=20directive?= =?UTF-8?q?=20writing=20between=201=20and=2011=20bytes=20into=20a=20region?= =?UTF-8?q?=20of=20size=2010"=20warnings?= Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 263/476] ceph: fix deadlock or deadcode of misusing dget() Greg Kroah-Hartman
` (223 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Kemeng Shi,
Changhui Zhong, Ming Lei, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 5266caaf5660529e3da53004b8b7174cab6374ed ]
In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered
with the following blk_mq_get_driver_tag() in case of getting driver
tag failure.
Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe
the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime
blk_mq_mark_tag_wait() can't get driver tag successfully.
This issue can be reproduced by running the following test in loop, and
fio hang can be observed in < 30min when running it on my test VM
in laptop.
modprobe -r scsi_debug
modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4
dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`
fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \
--runtime=100 --numjobs=40 --time_based --name=test \
--ioengine=libaio
Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which
is just fine in case of running out of tag.
Cc: Jan Kara <jack@suse.cz>
Cc: Kemeng Shi <shikemeng@huaweicloud.com>
Reported-by: Changhui Zhong <czhong@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20240112122626.4181044-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index bbbbcd2c1941..d80ebba16778 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1176,6 +1176,22 @@ static bool blk_mq_mark_tag_wait(struct blk_mq_hw_ctx *hctx,
wait->flags &= ~WQ_FLAG_EXCLUSIVE;
__add_wait_queue(wq, wait);
+ /*
+ * Add one explicit barrier since blk_mq_get_driver_tag() may
+ * not imply barrier in case of failure.
+ *
+ * Order adding us to wait queue and allocating driver tag.
+ *
+ * The pair is the one implied in sbitmap_queue_wake_up() which
+ * orders clearing sbitmap tag bits and waitqueue_active() in
+ * __sbitmap_queue_wake_up(), since waitqueue_active() is lockless
+ *
+ * Otherwise, re-order of adding wait queue and getting driver tag
+ * may cause __sbitmap_queue_wake_up() to wake up nothing because
+ * the waitqueue_active() may not observe us in wait queue.
+ */
+ smp_mb();
+
/*
* It's possible that a tag was freed in the window between the
* allocation failure and adding the hardware queue to the wait
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 263/476] ceph: fix deadlock or deadcode of misusing dget()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 262/476] blk-mq: fix IO hang from sbitmap wakeup race Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 264/476] drm/amd/powerplay: Fix kzalloc parameter ATOM_Tonga_PPM_Table in get_platform_power_management_table() Greg Kroah-Hartman
` (222 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Viro, Xiubo Li, Jeff Layton,
Ilya Dryomov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiubo Li <xiubli@redhat.com>
[ Upstream commit b493ad718b1f0357394d2cdecbf00a44a36fa085 ]
The lock order is incorrect between denty and its parent, we should
always make sure that the parent get the lock first.
But since this deadcode is never used and the parent dir will always
be set from the callers, let's just remove it.
Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/caps.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index ca92f2d2f3c7..e4e79392a2df 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -4536,12 +4536,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry,
struct inode *dir,
int mds, int drop, int unless)
{
- struct dentry *parent = NULL;
struct ceph_mds_request_release *rel = *p;
struct ceph_dentry_info *di = ceph_dentry(dentry);
int force = 0;
int ret;
+ /* This shouldn't happen */
+ BUG_ON(!dir);
+
/*
* force an record for the directory caps if we have a dentry lease.
* this is racy (can't take i_ceph_lock and d_lock together), but it
@@ -4551,14 +4553,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry,
spin_lock(&dentry->d_lock);
if (di->lease_session && di->lease_session->s_mds == mds)
force = 1;
- if (!dir) {
- parent = dget(dentry->d_parent);
- dir = d_inode(parent);
- }
spin_unlock(&dentry->d_lock);
ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force);
- dput(parent);
spin_lock(&dentry->d_lock);
if (ret && di->lease_session && di->lease_session->s_mds == mds) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 264/476] drm/amd/powerplay: Fix kzalloc parameter ATOM_Tonga_PPM_Table in get_platform_power_management_table()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 263/476] ceph: fix deadlock or deadcode of misusing dget() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 265/476] drm/amdgpu: Release adev->pm.fw before return in amdgpu_device_need_post() Greg Kroah-Hartman
` (221 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Huang, Christian König,
Alex Deucher, Srinivasan Shanmugam, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit 6616b5e1999146b1304abe78232af810080c67e3 ]
In 'struct phm_ppm_table *ptr' allocation using kzalloc, an incorrect
structure type is passed to sizeof() in kzalloc, larger structure types
were used, thus using correct type 'struct phm_ppm_table' fixes the
below:
drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/process_pptables_v1_0.c:203 get_platform_power_management_table() warn: struct type mismatch 'phm_ppm_table vs _ATOM_Tonga_PPM_Table'
Cc: Eric Huang <JinHuiEric.Huang@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c
index f2a55c1413f5..17882f8dfdd3 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c
@@ -200,7 +200,7 @@ static int get_platform_power_management_table(
struct pp_hwmgr *hwmgr,
ATOM_Tonga_PPM_Table *atom_ppm_table)
{
- struct phm_ppm_table *ptr = kzalloc(sizeof(ATOM_Tonga_PPM_Table), GFP_KERNEL);
+ struct phm_ppm_table *ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
struct phm_ppt_v1_information *pp_table_information =
(struct phm_ppt_v1_information *)(hwmgr->pptable);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 265/476] drm/amdgpu: Release adev->pm.fw before return in amdgpu_device_need_post()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 264/476] drm/amd/powerplay: Fix kzalloc parameter ATOM_Tonga_PPM_Table in get_platform_power_management_table() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 266/476] drm/amdkfd: Fix node NULL check in svm_range_get_range_boundaries() Greg Kroah-Hartman
` (220 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Monk Liu, Christian König,
Alex Deucher, Srinivasan Shanmugam, Lijo Lazar, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit 8a44fdd3cf91debbd09b43bd2519ad2b2486ccf4 ]
In function 'amdgpu_device_need_post(struct amdgpu_device *adev)' -
'adev->pm.fw' may not be released before return.
Using the function release_firmware() to release adev->pm.fw.
Thus fixing the below:
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:1571 amdgpu_device_need_post() warn: 'adev->pm.fw' from request_firmware() not released on lines: 1554.
Cc: Monk Liu <Monk.Liu@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index 19e32f38a4c4..816dd59212c1 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -1292,6 +1292,7 @@ bool amdgpu_device_need_post(struct amdgpu_device *adev)
return true;
fw_ver = *((uint32_t *)adev->pm.fw->data + 69);
+ release_firmware(adev->pm.fw);
if (fw_ver < 0x00160e00)
return true;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 266/476] drm/amdkfd: Fix node NULL check in svm_range_get_range_boundaries()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 265/476] drm/amdgpu: Release adev->pm.fw before return in amdgpu_device_need_post() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 267/476] perf: Fix the nr_addr_filters fix Greg Kroah-Hartman
` (219 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Felix Kuehling,
Christian König, Alex Deucher, Srinivasan Shanmugam,
Felix Kuehling, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit d7a254fad873775ce6c32b77796c81e81e6b7f2e ]
Range interval [start, last] is ordered by rb_tree, rb_prev, rb_next
return value still needs NULL check, thus modified from "node" to "rb_node".
Fixes the below:
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_svm.c:2691 svm_range_get_range_boundaries() warn: can 'node' even be NULL?
Suggested-by: Philip Yang <Philip.Yang@amd.com>
Cc: Felix Kuehling <Felix.Kuehling@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
index e2d4e2b42a7c..7f55decc5f37 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -2325,6 +2325,7 @@ svm_range_get_range_boundaries(struct kfd_process *p, int64_t addr,
{
struct vm_area_struct *vma;
struct interval_tree_node *node;
+ struct rb_node *rb_node;
unsigned long start_limit, end_limit;
vma = find_vma(p->mm, addr << PAGE_SHIFT);
@@ -2341,16 +2342,15 @@ svm_range_get_range_boundaries(struct kfd_process *p, int64_t addr,
if (node) {
end_limit = min(end_limit, node->start);
/* Last range that ends before the fault address */
- node = container_of(rb_prev(&node->rb),
- struct interval_tree_node, rb);
+ rb_node = rb_prev(&node->rb);
} else {
/* Last range must end before addr because
* there was no range after addr
*/
- node = container_of(rb_last(&p->svms.objects.rb_root),
- struct interval_tree_node, rb);
+ rb_node = rb_last(&p->svms.objects.rb_root);
}
- if (node) {
+ if (rb_node) {
+ node = container_of(rb_node, struct interval_tree_node, rb);
if (node->last >= addr) {
WARN(1, "Overlap with prev node and page fault addr\n");
return -EFAULT;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 267/476] perf: Fix the nr_addr_filters fix
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 266/476] drm/amdkfd: Fix node NULL check in svm_range_get_range_boundaries() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 268/476] wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update Greg Kroah-Hartman
` (218 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Richter,
Peter Zijlstra (Intel),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 388a1fb7da6aaa1970c7e2a7d7fcd983a87a8484 ]
Thomas reported that commit 652ffc2104ec ("perf/core: Fix narrow
startup race when creating the perf nr_addr_filters sysfs file") made
the entire attribute group vanish, instead of only the nr_addr_filters
attribute.
Additionally a stray return.
Insufficient coffee was involved with both writing and merging the
patch.
Fixes: 652ffc2104ec ("perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file")
Reported-by: Thomas Richter <tmricht@linux.ibm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Thomas Richter <tmricht@linux.ibm.com>
Link: https://lkml.kernel.org/r/20231122100756.GP8262@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 0e03afd82348..4e5a73c7db12 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11229,12 +11229,10 @@ static umode_t pmu_dev_is_visible(struct kobject *kobj, struct attribute *a, int
struct device *dev = kobj_to_dev(kobj);
struct pmu *pmu = dev_get_drvdata(dev);
- if (!pmu->nr_addr_filters)
+ if (n == 2 && !pmu->nr_addr_filters)
return 0;
return a->mode;
-
- return 0;
}
static struct attribute_group pmu_dev_attr_group = {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 268/476] wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 267/476] perf: Fix the nr_addr_filters fix Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 269/476] drm: using mul_u32_u32() requires linux/math64.h Greg Kroah-Hartman
` (217 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis, Johannes Berg,
Sasha Levin, syzbot+864a269c27ee06b58374
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 1184950e341c11b6f82bc5b59564411d9537ab27 ]
Replace rcu_dereference() with rcu_access_pointer() since we hold
the lock here (and aren't in an RCU critical section).
Fixes: 32af9a9e1069 ("wifi: cfg80211: free beacon_ies when overridden from hidden BSS")
Reported-and-tested-by: syzbot+864a269c27ee06b58374@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Link: https://msgid.link/tencent_BF8F0DF0258C8DBF124CDDE4DD8D992DCF07@qq.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 68c48970ebf7..2898df10a72a 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1809,7 +1809,7 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
&hidden->hidden_list);
hidden->refcount++;
- ies = (void *)rcu_dereference(new->pub.beacon_ies);
+ ies = (void *)rcu_access_pointer(new->pub.beacon_ies);
rcu_assign_pointer(new->pub.beacon_ies,
hidden->pub.beacon_ies);
if (ies)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 269/476] drm: using mul_u32_u32() requires linux/math64.h
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 268/476] wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 270/476] scsi: isci: Fix an error code problem in isci_io_request_build() Greg Kroah-Hartman
` (216 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell,
Ville Syrjälä,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Rothwell <sfr@canb.auug.org.au>
[ Upstream commit 933a2a376fb3f22ba4774f74233571504ac56b02 ]
Some pending include file cleanups produced this error:
In file included from include/linux/kernel.h:27,
from drivers/gpu/ipu-v3/ipu-dp.c:7:
include/drm/drm_color_mgmt.h: In function 'drm_color_lut_extract':
include/drm/drm_color_mgmt.h:45:46: error: implicit declaration of function 'mul_u32_u32' [-Werror=implicit-function-declaration]
45 | return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(user_input, (1 << bit_precision) - 1),
| ^~~~~~~~~~~
Fixes: c6fbb6bca108 ("drm: Fix color LUT rounding")
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231219145734.13e40e1e@canb.auug.org.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/drm/drm_color_mgmt.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/drm/drm_color_mgmt.h b/include/drm/drm_color_mgmt.h
index 54b2b2467bfd..ed81741036d7 100644
--- a/include/drm/drm_color_mgmt.h
+++ b/include/drm/drm_color_mgmt.h
@@ -24,6 +24,7 @@
#define __DRM_COLOR_MGMT_H__
#include <linux/ctype.h>
+#include <linux/math64.h>
#include <drm/drm_property.h>
struct drm_crtc;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 270/476] scsi: isci: Fix an error code problem in isci_io_request_build()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 269/476] drm: using mul_u32_u32() requires linux/math64.h Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 271/476] scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Greg Kroah-Hartman
` (215 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Su Hui, Artur Paszkiewicz,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 658365c6b0857e6a306436e315a8633937e3af42 ]
Clang static complains that Value stored to 'status' is never read. Return
'status' rather than 'SCI_SUCCESS'.
Fixes: f1f52e75939b ("isci: uplevel request infrastructure")
Signed-off-by: Su Hui <suhui@nfschina.com>
Link: https://lore.kernel.org/r/20240112041926.3924315-1-suhui@nfschina.com
Reviewed-by: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/isci/request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
index fcaa84a3c210..6ef40993906a 100644
--- a/drivers/scsi/isci/request.c
+++ b/drivers/scsi/isci/request.c
@@ -3390,7 +3390,7 @@ static enum sci_status isci_io_request_build(struct isci_host *ihost,
return SCI_FAILURE;
}
- return SCI_SUCCESS;
+ return status;
}
static struct isci_request *isci_request_from_tag(struct isci_host *ihost, u16 tag)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 271/476] scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 270/476] scsi: isci: Fix an error code problem in isci_io_request_build() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 272/476] selftests: net: give more time for GRO aggregation Greg Kroah-Hartman
` (214 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ewan Milne, Ming Lei,
Sathya Prakash Veerichetty, Bart Van Assche, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 4373534a9850627a2695317944898eb1283a2db0 ]
Inside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host
lock every time for deciding if error handler kthread needs to be waken up.
This can be too heavy in case of recovery, such as:
- N hardware queues
- queue depth is M for each hardware queue
- each scsi_host_busy() iterates over (N * M) tag/requests
If recovery is triggered in case that all requests are in-flight, each
scsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called
for the last in-flight request, scsi_host_busy() has been run for (N * M -
1) times, and request has been iterated for (N*M - 1) * (N * M) times.
If both N and M are big enough, hard lockup can be triggered on acquiring
host lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).
Fix the issue by calling scsi_host_busy() outside the host lock. We don't
need the host lock for getting busy count because host the lock never
covers that.
[mkp: Drop unnecessary 'busy' variables pointed out by Bart]
Cc: Ewan Milne <emilne@redhat.com>
Fixes: 6eb045e092ef ("scsi: core: avoid host-wide host_busy counter for scsi_mq")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20240112070000.4161982-1-ming.lei@redhat.com
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Sathya Prakash Veerichetty <safhya.prakash@broadcom.com>
Tested-by: Sathya Prakash Veerichetty <safhya.prakash@broadcom.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_error.c | 8 ++++----
drivers/scsi/scsi_lib.c | 2 +-
drivers/scsi/scsi_priv.h | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index f79cfd1cb3e7..ffd3d8df3d82 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -61,11 +61,11 @@ static int scsi_eh_try_stu(struct scsi_cmnd *scmd);
static enum scsi_disposition scsi_try_to_abort_cmd(struct scsi_host_template *,
struct scsi_cmnd *);
-void scsi_eh_wakeup(struct Scsi_Host *shost)
+void scsi_eh_wakeup(struct Scsi_Host *shost, unsigned int busy)
{
lockdep_assert_held(shost->host_lock);
- if (scsi_host_busy(shost) == shost->host_failed) {
+ if (busy == shost->host_failed) {
trace_scsi_eh_wakeup(shost);
wake_up_process(shost->ehandler);
SCSI_LOG_ERROR_RECOVERY(5, shost_printk(KERN_INFO, shost,
@@ -88,7 +88,7 @@ void scsi_schedule_eh(struct Scsi_Host *shost)
if (scsi_host_set_state(shost, SHOST_RECOVERY) == 0 ||
scsi_host_set_state(shost, SHOST_CANCEL_RECOVERY) == 0) {
shost->host_eh_scheduled++;
- scsi_eh_wakeup(shost);
+ scsi_eh_wakeup(shost, scsi_host_busy(shost));
}
spin_unlock_irqrestore(shost->host_lock, flags);
@@ -280,7 +280,7 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head)
spin_lock_irqsave(shost->host_lock, flags);
shost->host_failed++;
- scsi_eh_wakeup(shost);
+ scsi_eh_wakeup(shost, scsi_host_busy(shost));
spin_unlock_irqrestore(shost->host_lock, flags);
}
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 3dbfd15e6fe7..e9ab87335115 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -283,7 +283,7 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd)
if (unlikely(scsi_host_in_recovery(shost))) {
spin_lock_irqsave(shost->host_lock, flags);
if (shost->host_failed || shost->host_eh_scheduled)
- scsi_eh_wakeup(shost);
+ scsi_eh_wakeup(shost, scsi_host_busy(shost));
spin_unlock_irqrestore(shost->host_lock, flags);
}
rcu_read_unlock();
diff --git a/drivers/scsi/scsi_priv.h b/drivers/scsi/scsi_priv.h
index b7f963149352..b650407690a8 100644
--- a/drivers/scsi/scsi_priv.h
+++ b/drivers/scsi/scsi_priv.h
@@ -76,7 +76,7 @@ extern void scmd_eh_abort_handler(struct work_struct *work);
extern enum blk_eh_timer_return scsi_times_out(struct request *req);
extern int scsi_error_handler(void *host);
extern enum scsi_disposition scsi_decide_disposition(struct scsi_cmnd *cmd);
-extern void scsi_eh_wakeup(struct Scsi_Host *shost);
+extern void scsi_eh_wakeup(struct Scsi_Host *shost, unsigned int busy);
extern void scsi_eh_scmd_add(struct scsi_cmnd *);
void scsi_eh_ready_devs(struct Scsi_Host *shost,
struct list_head *work_q,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 272/476] selftests: net: give more time for GRO aggregation
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 271/476] scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 273/476] ip6_tunnel: use dev_sw_netstats_rx_add() Greg Kroah-Hartman
` (213 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Eric Dumazet,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 89abe628375301fedb68770644df845d49018d8b ]
The gro.sh test-case relay on the gro_flush_timeout to ensure
that all the segments belonging to any given batch are properly
aggregated.
The other end, the sender is a user-space program transmitting
each packet with a separate write syscall. A busy host and/or
stracing the sender program can make the relevant segments reach
the GRO engine after the flush timeout triggers.
Give the GRO flush timeout more slack, to avoid sporadic self-tests
failures.
Fixes: 9af771d2ec04 ("selftests/net: allow GRO coalesce test on veth")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Tested-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/bffec2beab3a5672dd13ecabe4fad81d2155b367.1706206101.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/setup_veth.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/setup_veth.sh b/tools/testing/selftests/net/setup_veth.sh
index 1003ddf7b3b2..227fd1076f21 100644
--- a/tools/testing/selftests/net/setup_veth.sh
+++ b/tools/testing/selftests/net/setup_veth.sh
@@ -8,7 +8,7 @@ setup_veth_ns() {
local -r ns_mac="$4"
[[ -e /var/run/netns/"${ns_name}" ]] || ip netns add "${ns_name}"
- echo 100000 > "/sys/class/net/${ns_dev}/gro_flush_timeout"
+ echo 1000000 > "/sys/class/net/${ns_dev}/gro_flush_timeout"
ip link set dev "${ns_dev}" netns "${ns_name}" mtu 65535
ip -netns "${ns_name}" link set dev "${ns_dev}" up
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 273/476] ip6_tunnel: use dev_sw_netstats_rx_add()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 272/476] selftests: net: give more time for GRO aggregation Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 274/476] ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() Greg Kroah-Hartman
` (212 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit afd2051b18404640a116fd3bb2460da214ccbda4 ]
We have a convenient helper, let's use it.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_tunnel.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index a41ba4b161c4..35bd93347b8b 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -798,7 +798,6 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
struct sk_buff *skb),
bool log_ecn_err)
{
- struct pcpu_sw_netstats *tstats;
const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
int err;
@@ -858,11 +857,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
}
}
- tstats = this_cpu_ptr(tunnel->dev->tstats);
- u64_stats_update_begin(&tstats->syncp);
- tstats->rx_packets++;
- tstats->rx_bytes += skb->len;
- u64_stats_update_end(&tstats->syncp);
+ dev_sw_netstats_rx_add(tunnel->dev, skb->len);
skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(tunnel->dev)));
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 274/476] ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 273/476] ip6_tunnel: use dev_sw_netstats_rx_add() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 275/476] tcp: add sanity checks to rx zerocopy Greg Kroah-Hartman
` (211 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 8d975c15c0cd744000ca386247432d57b21f9df0 ]
syzbot found __ip6_tnl_rcv() could access unitiliazed data [1].
Call pskb_inet_may_pull() to fix this, and initialize ipv6h
variable after this call as it can change skb->head.
[1]
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
__INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727
__ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845
ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888
gre_rcv+0x143f/0x1870
ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:461 [inline]
ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:314 [inline]
ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5532 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646
netif_receive_skb_internal net/core/dev.c:5732 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5791
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2084 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x786/0x1200 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x318/0x740 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787
tun_alloc_skb drivers/net/tun.c:1531 [inline]
tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2084 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x786/0x1200 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Fixes: 0d3c703a9d17 ("ipv6: Cleanup IPv6 tunnel receive path")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240125170557.2663942-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_tunnel.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 35bd93347b8b..d370a71c9752 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -798,8 +798,8 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
struct sk_buff *skb),
bool log_ecn_err)
{
- const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
- int err;
+ const struct ipv6hdr *ipv6h;
+ int nh, err;
if ((!(tpi->flags & TUNNEL_CSUM) &&
(tunnel->parms.i_flags & TUNNEL_CSUM)) ||
@@ -831,7 +831,6 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
goto drop;
}
- ipv6h = ipv6_hdr(skb);
skb->protocol = eth_type_trans(skb, tunnel->dev);
skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
} else {
@@ -839,7 +838,23 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
skb_reset_mac_header(skb);
}
+ /* Save offset of outer header relative to skb->head,
+ * because we are going to reset the network header to the inner header
+ * and might change skb->head.
+ */
+ nh = skb_network_header(skb) - skb->head;
+
skb_reset_network_header(skb);
+
+ if (!pskb_inet_may_pull(skb)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+ }
+
+ /* Get the outer header. */
+ ipv6h = (struct ipv6hdr *)(skb->head + nh);
+
memset(skb->cb, 0, sizeof(struct inet6_skb_parm));
__skb_tunnel_rx(skb, tunnel->dev, tunnel->net);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 275/476] tcp: add sanity checks to rx zerocopy
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 274/476] ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 276/476] ixgbe: Remove non-inclusive language Greg Kroah-Hartman
` (210 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Arjun Roy,
Matthew Wilcox, linux-mm, Andrew Morton, linux-fsdevel,
David S. Miller, Sasha Levin, ZhangPeng
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 577e4432f3ac810049cb7e6b71f4d96ec7c6e894 ]
TCP rx zerocopy intent is to map pages initially allocated
from NIC drivers, not pages owned by a fs.
This patch adds to can_map_frag() these additional checks:
- Page must not be a compound one.
- page->mapping must be NULL.
This fixes the panic reported by ZhangPeng.
syzbot was able to loopback packets built with sendfile(),
mapping pages owned by an ext4 file to TCP rx zerocopy.
r3 = socket$inet_tcp(0x2, 0x1, 0x0)
mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
r4 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)
fallocate(r5, 0x0, 0x0, 0x85b8)
sendfile(r4, r5, 0x0, 0x8ba0)
getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
&(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)
Fixes: 93ab6cc69162 ("tcp: implement mmap() for zero copy receive")
Link: https://lore.kernel.org/netdev/5106a58e-04da-372a-b836-9d3d0bd2507b@huawei.com/T/
Reported-and-bisected-by: ZhangPeng <zhangpeng362@huawei.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Arjun Roy <arjunroy@google.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: linux-mm@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 0659f0d9414d..626cef75afe7 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1798,7 +1798,17 @@ static skb_frag_t *skb_advance_to_frag(struct sk_buff *skb, u32 offset_skb,
static bool can_map_frag(const skb_frag_t *frag)
{
- return skb_frag_size(frag) == PAGE_SIZE && !skb_frag_off(frag);
+ struct page *page;
+
+ if (skb_frag_size(frag) != PAGE_SIZE || skb_frag_off(frag))
+ return false;
+
+ page = skb_frag_page(frag);
+
+ if (PageCompound(page) || page->mapping)
+ return false;
+
+ return true;
}
static int find_next_mappable_frag(const skb_frag_t *frag,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 276/476] ixgbe: Remove non-inclusive language
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 275/476] tcp: add sanity checks to rx zerocopy Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 277/476] ixgbe: Refactor returning internal error codes Greg Kroah-Hartman
` (209 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piotr Skajewski, Dave Switzer,
Tony Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piotr Skajewski <piotrx.skajewski@intel.com>
[ Upstream commit 93b067f154b3edfd3d75a272fd9433bf787e2e1d ]
Remove non-inclusive language from the driver.
Additionally correct the duplication "from from"
reported by checkpatch after the changes above.
Signed-off-by: Piotr Skajewski <piotrx.skajewski@intel.com>
Tested-by: Dave Switzer <david.switzer@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Stable-dep-of: bbc404d20d1b ("ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/intel/ixgbe/ixgbe_common.c | 36 +++++++++----------
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 +--
drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 10 +++---
3 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
index e90b5047e695..4c26c4b92f07 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
@@ -30,7 +30,7 @@ static s32 ixgbe_write_eeprom_buffer_bit_bang(struct ixgbe_hw *hw, u16 offset,
u16 words, u16 *data);
static s32 ixgbe_detect_eeprom_page_size_generic(struct ixgbe_hw *hw,
u16 offset);
-static s32 ixgbe_disable_pcie_master(struct ixgbe_hw *hw);
+static s32 ixgbe_disable_pcie_primary(struct ixgbe_hw *hw);
/* Base table for registers values that change by MAC */
const u32 ixgbe_mvals_8259X[IXGBE_MVALS_IDX_LIMIT] = {
@@ -746,10 +746,10 @@ s32 ixgbe_stop_adapter_generic(struct ixgbe_hw *hw)
usleep_range(1000, 2000);
/*
- * Prevent the PCI-E bus from from hanging by disabling PCI-E master
+ * Prevent the PCI-E bus from hanging by disabling PCI-E primary
* access and verify no pending requests
*/
- return ixgbe_disable_pcie_master(hw);
+ return ixgbe_disable_pcie_primary(hw);
}
/**
@@ -2506,15 +2506,15 @@ static u32 ixgbe_pcie_timeout_poll(struct ixgbe_hw *hw)
}
/**
- * ixgbe_disable_pcie_master - Disable PCI-express master access
+ * ixgbe_disable_pcie_primary - Disable PCI-express primary access
* @hw: pointer to hardware structure
*
- * Disables PCI-Express master access and verifies there are no pending
- * requests. IXGBE_ERR_MASTER_REQUESTS_PENDING is returned if master disable
- * bit hasn't caused the master requests to be disabled, else 0
- * is returned signifying master requests disabled.
+ * Disables PCI-Express primary access and verifies there are no pending
+ * requests. IXGBE_ERR_PRIMARY_REQUESTS_PENDING is returned if primary disable
+ * bit hasn't caused the primary requests to be disabled, else 0
+ * is returned signifying primary requests disabled.
**/
-static s32 ixgbe_disable_pcie_master(struct ixgbe_hw *hw)
+static s32 ixgbe_disable_pcie_primary(struct ixgbe_hw *hw)
{
u32 i, poll;
u16 value;
@@ -2523,23 +2523,23 @@ static s32 ixgbe_disable_pcie_master(struct ixgbe_hw *hw)
IXGBE_WRITE_REG(hw, IXGBE_CTRL, IXGBE_CTRL_GIO_DIS);
/* Poll for bit to read as set */
- for (i = 0; i < IXGBE_PCI_MASTER_DISABLE_TIMEOUT; i++) {
+ for (i = 0; i < IXGBE_PCI_PRIMARY_DISABLE_TIMEOUT; i++) {
if (IXGBE_READ_REG(hw, IXGBE_CTRL) & IXGBE_CTRL_GIO_DIS)
break;
usleep_range(100, 120);
}
- if (i >= IXGBE_PCI_MASTER_DISABLE_TIMEOUT) {
+ if (i >= IXGBE_PCI_PRIMARY_DISABLE_TIMEOUT) {
hw_dbg(hw, "GIO disable did not set - requesting resets\n");
goto gio_disable_fail;
}
- /* Exit if master requests are blocked */
+ /* Exit if primary requests are blocked */
if (!(IXGBE_READ_REG(hw, IXGBE_STATUS) & IXGBE_STATUS_GIO) ||
ixgbe_removed(hw->hw_addr))
return 0;
- /* Poll for master request bit to clear */
- for (i = 0; i < IXGBE_PCI_MASTER_DISABLE_TIMEOUT; i++) {
+ /* Poll for primary request bit to clear */
+ for (i = 0; i < IXGBE_PCI_PRIMARY_DISABLE_TIMEOUT; i++) {
udelay(100);
if (!(IXGBE_READ_REG(hw, IXGBE_STATUS) & IXGBE_STATUS_GIO))
return 0;
@@ -2547,13 +2547,13 @@ static s32 ixgbe_disable_pcie_master(struct ixgbe_hw *hw)
/*
* Two consecutive resets are required via CTRL.RST per datasheet
- * 5.2.5.3.2 Master Disable. We set a flag to inform the reset routine
- * of this need. The first reset prevents new master requests from
+ * 5.2.5.3.2 Primary Disable. We set a flag to inform the reset routine
+ * of this need. The first reset prevents new primary requests from
* being issued by our device. We then must wait 1usec or more for any
* remaining completions from the PCIe bus to trickle in, and then reset
* again to clear out any effects they may have had on our device.
*/
- hw_dbg(hw, "GIO Master Disable bit didn't clear - requesting resets\n");
+ hw_dbg(hw, "GIO Primary Disable bit didn't clear - requesting resets\n");
gio_disable_fail:
hw->mac.flags |= IXGBE_FLAGS_DOUBLE_RESET_REQUIRED;
@@ -2575,7 +2575,7 @@ static s32 ixgbe_disable_pcie_master(struct ixgbe_hw *hw)
}
hw_dbg(hw, "PCIe transaction pending bit also did not clear.\n");
- return IXGBE_ERR_MASTER_REQUESTS_PENDING;
+ return IXGBE_ERR_PRIMARY_REQUESTS_PENDING;
}
/**
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 819169eaebe9..985c58d8b918 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -5943,8 +5943,8 @@ void ixgbe_reset(struct ixgbe_adapter *adapter)
case IXGBE_ERR_SFP_NOT_PRESENT:
case IXGBE_ERR_SFP_NOT_SUPPORTED:
break;
- case IXGBE_ERR_MASTER_REQUESTS_PENDING:
- e_dev_err("master disable timed out\n");
+ case IXGBE_ERR_PRIMARY_REQUESTS_PENDING:
+ e_dev_err("primary disable timed out\n");
break;
case IXGBE_ERR_EEPROM_VERSION:
/* We are running on a pre-production device, log a warning */
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
index 2647937f7f4d..6da9880d766a 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
@@ -1247,7 +1247,7 @@ struct ixgbe_nvm_version {
#define IXGBE_PSRTYPE_RQPL_SHIFT 29
/* CTRL Bit Masks */
-#define IXGBE_CTRL_GIO_DIS 0x00000004 /* Global IO Master Disable bit */
+#define IXGBE_CTRL_GIO_DIS 0x00000004 /* Global IO Primary Disable bit */
#define IXGBE_CTRL_LNK_RST 0x00000008 /* Link Reset. Resets everything. */
#define IXGBE_CTRL_RST 0x04000000 /* Reset (SW) */
#define IXGBE_CTRL_RST_MASK (IXGBE_CTRL_LNK_RST | IXGBE_CTRL_RST)
@@ -1811,7 +1811,7 @@ enum {
/* STATUS Bit Masks */
#define IXGBE_STATUS_LAN_ID 0x0000000C /* LAN ID */
#define IXGBE_STATUS_LAN_ID_SHIFT 2 /* LAN ID Shift*/
-#define IXGBE_STATUS_GIO 0x00080000 /* GIO Master Enable Status */
+#define IXGBE_STATUS_GIO 0x00080000 /* GIO Primary Enable Status */
#define IXGBE_STATUS_LAN_ID_0 0x00000000 /* LAN ID 0 */
#define IXGBE_STATUS_LAN_ID_1 0x00000004 /* LAN ID 1 */
@@ -2193,8 +2193,8 @@ enum {
#define IXGBE_PCIDEVCTRL2_4_8s 0xd
#define IXGBE_PCIDEVCTRL2_17_34s 0xe
-/* Number of 100 microseconds we wait for PCI Express master disable */
-#define IXGBE_PCI_MASTER_DISABLE_TIMEOUT 800
+/* Number of 100 microseconds we wait for PCI Express primary disable */
+#define IXGBE_PCI_PRIMARY_DISABLE_TIMEOUT 800
/* RAH */
#define IXGBE_RAH_VIND_MASK 0x003C0000
@@ -3671,7 +3671,7 @@ struct ixgbe_info {
#define IXGBE_ERR_ADAPTER_STOPPED -9
#define IXGBE_ERR_INVALID_MAC_ADDR -10
#define IXGBE_ERR_DEVICE_NOT_SUPPORTED -11
-#define IXGBE_ERR_MASTER_REQUESTS_PENDING -12
+#define IXGBE_ERR_PRIMARY_REQUESTS_PENDING -12
#define IXGBE_ERR_INVALID_LINK_SETTINGS -13
#define IXGBE_ERR_AUTONEG_NOT_COMPLETE -14
#define IXGBE_ERR_RESET_FAILED -15
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 277/476] ixgbe: Refactor returning internal error codes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 276/476] ixgbe: Remove non-inclusive language Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 278/476] ixgbe: Refactor overtemp event handling Greg Kroah-Hartman
` (208 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Keller, Przemek Kitszel,
Simon Horman, Jedrzej Jagielski, Tony Nguyen, Sasha Levin,
Sunitha Mekala
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
[ Upstream commit 5795f533f30a80aa0473652876296ebc9129e33a ]
Change returning codes to the kernel ones instead of
the internal ones for the entire ixgbe driver.
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Stable-dep-of: bbc404d20d1b ("ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/intel/ixgbe/ixgbe_82598.c | 36 ++---
.../net/ethernet/intel/ixgbe/ixgbe_82599.c | 61 ++++----
.../net/ethernet/intel/ixgbe/ixgbe_common.c | 145 ++++++++----------
.../net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 26 ++--
drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.c | 34 ++--
drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 1 -
drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c | 84 +++++-----
.../net/ethernet/intel/ixgbe/ixgbe_sriov.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 39 -----
drivers/net/ethernet/intel/ixgbe/ixgbe_x540.c | 44 +++---
drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 107 +++++++------
12 files changed, 264 insertions(+), 317 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c
index 95c92fe890a1..ed35e06537a0 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c
@@ -123,14 +123,14 @@ static s32 ixgbe_init_phy_ops_82598(struct ixgbe_hw *hw)
if (ret_val)
return ret_val;
if (hw->phy.sfp_type == ixgbe_sfp_type_unknown)
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
/* Check to see if SFP+ module is supported */
ret_val = ixgbe_get_sfp_init_sequence_offsets(hw,
&list_offset,
&data_offset);
if (ret_val)
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
break;
default:
break;
@@ -213,7 +213,7 @@ static s32 ixgbe_get_link_capabilities_82598(struct ixgbe_hw *hw,
break;
default:
- return IXGBE_ERR_LINK_SETUP;
+ return -EIO;
}
return 0;
@@ -283,7 +283,7 @@ static s32 ixgbe_fc_enable_82598(struct ixgbe_hw *hw)
/* Validate the water mark configuration */
if (!hw->fc.pause_time)
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
/* Low water mark of zero causes XOFF floods */
for (i = 0; i < MAX_TRAFFIC_CLASS; i++) {
@@ -292,7 +292,7 @@ static s32 ixgbe_fc_enable_82598(struct ixgbe_hw *hw)
if (!hw->fc.low_water[i] ||
hw->fc.low_water[i] >= hw->fc.high_water[i]) {
hw_dbg(hw, "Invalid water mark configuration\n");
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
}
}
}
@@ -369,7 +369,7 @@ static s32 ixgbe_fc_enable_82598(struct ixgbe_hw *hw)
break;
default:
hw_dbg(hw, "Flow control param set incorrectly\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
/* Set 802.3x based flow control settings. */
@@ -438,7 +438,7 @@ static s32 ixgbe_start_mac_link_82598(struct ixgbe_hw *hw,
msleep(100);
}
if (!(links_reg & IXGBE_LINKS_KX_AN_COMP)) {
- status = IXGBE_ERR_AUTONEG_NOT_COMPLETE;
+ status = -EIO;
hw_dbg(hw, "Autonegotiation did not complete.\n");
}
}
@@ -478,7 +478,7 @@ static s32 ixgbe_validate_link_ready(struct ixgbe_hw *hw)
if (timeout == IXGBE_VALIDATE_LINK_READY_TIMEOUT) {
hw_dbg(hw, "Link was indicated but link is down\n");
- return IXGBE_ERR_LINK_SETUP;
+ return -EIO;
}
return 0;
@@ -594,7 +594,7 @@ static s32 ixgbe_setup_mac_link_82598(struct ixgbe_hw *hw,
speed &= link_capabilities;
if (speed == IXGBE_LINK_SPEED_UNKNOWN)
- return IXGBE_ERR_LINK_SETUP;
+ return -EINVAL;
/* Set KX4/KX support according to speed requested */
else if (link_mode == IXGBE_AUTOC_LMS_KX4_AN ||
@@ -701,9 +701,9 @@ static s32 ixgbe_reset_hw_82598(struct ixgbe_hw *hw)
/* Init PHY and function pointers, perform SFP setup */
phy_status = hw->phy.ops.init(hw);
- if (phy_status == IXGBE_ERR_SFP_NOT_SUPPORTED)
+ if (phy_status == -EOPNOTSUPP)
return phy_status;
- if (phy_status == IXGBE_ERR_SFP_NOT_PRESENT)
+ if (phy_status == -ENOENT)
goto mac_reset_top;
hw->phy.ops.reset(hw);
@@ -727,7 +727,7 @@ static s32 ixgbe_reset_hw_82598(struct ixgbe_hw *hw)
udelay(1);
}
if (ctrl & IXGBE_CTRL_RST) {
- status = IXGBE_ERR_RESET_FAILED;
+ status = -EIO;
hw_dbg(hw, "Reset polling failed to complete.\n");
}
@@ -789,7 +789,7 @@ static s32 ixgbe_set_vmdq_82598(struct ixgbe_hw *hw, u32 rar, u32 vmdq)
/* Make sure we are using a valid rar index range */
if (rar >= rar_entries) {
hw_dbg(hw, "RAR index %d is out of range.\n", rar);
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
}
rar_high = IXGBE_READ_REG(hw, IXGBE_RAH(rar));
@@ -814,7 +814,7 @@ static s32 ixgbe_clear_vmdq_82598(struct ixgbe_hw *hw, u32 rar, u32 vmdq)
/* Make sure we are using a valid rar index range */
if (rar >= rar_entries) {
hw_dbg(hw, "RAR index %d is out of range.\n", rar);
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
}
rar_high = IXGBE_READ_REG(hw, IXGBE_RAH(rar));
@@ -845,7 +845,7 @@ static s32 ixgbe_set_vfta_82598(struct ixgbe_hw *hw, u32 vlan, u32 vind,
u32 vftabyte;
if (vlan > 4095)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/* Determine 32-bit word position in array */
regindex = (vlan >> 5) & 0x7F; /* upper seven bits */
@@ -964,7 +964,7 @@ static s32 ixgbe_read_i2c_phy_82598(struct ixgbe_hw *hw, u8 dev_addr,
gssr = IXGBE_GSSR_PHY0_SM;
if (hw->mac.ops.acquire_swfw_sync(hw, gssr) != 0)
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
if (hw->phy.type == ixgbe_phy_nl) {
/*
@@ -993,7 +993,7 @@ static s32 ixgbe_read_i2c_phy_82598(struct ixgbe_hw *hw, u8 dev_addr,
if (sfp_stat != IXGBE_I2C_EEPROM_STATUS_PASS) {
hw_dbg(hw, "EEPROM read did not pass.\n");
- status = IXGBE_ERR_SFP_NOT_PRESENT;
+ status = -ENOENT;
goto out;
}
@@ -1003,7 +1003,7 @@ static s32 ixgbe_read_i2c_phy_82598(struct ixgbe_hw *hw, u8 dev_addr,
*eeprom_data = (u8)(sfp_data >> 8);
} else {
- status = IXGBE_ERR_PHY;
+ status = -EIO;
}
out:
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c
index 58ea959a4482..339e106a5732 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c
@@ -117,7 +117,7 @@ static s32 ixgbe_setup_sfp_modules_82599(struct ixgbe_hw *hw)
ret_val = hw->mac.ops.acquire_swfw_sync(hw,
IXGBE_GSSR_MAC_CSR_SM);
if (ret_val)
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
if (hw->eeprom.ops.read(hw, ++data_offset, &data_value))
goto setup_sfp_err;
@@ -144,7 +144,7 @@ static s32 ixgbe_setup_sfp_modules_82599(struct ixgbe_hw *hw)
if (ret_val) {
hw_dbg(hw, " sfp module setup not complete\n");
- return IXGBE_ERR_SFP_SETUP_NOT_COMPLETE;
+ return -EIO;
}
}
@@ -159,7 +159,7 @@ static s32 ixgbe_setup_sfp_modules_82599(struct ixgbe_hw *hw)
usleep_range(hw->eeprom.semaphore_delay * 1000,
hw->eeprom.semaphore_delay * 2000);
hw_err(hw, "eeprom read at offset %d failed\n", data_offset);
- return IXGBE_ERR_SFP_SETUP_NOT_COMPLETE;
+ return -EIO;
}
/**
@@ -184,7 +184,7 @@ static s32 prot_autoc_read_82599(struct ixgbe_hw *hw, bool *locked,
ret_val = hw->mac.ops.acquire_swfw_sync(hw,
IXGBE_GSSR_MAC_CSR_SM);
if (ret_val)
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
*locked = true;
}
@@ -219,7 +219,7 @@ static s32 prot_autoc_write_82599(struct ixgbe_hw *hw, u32 autoc, bool locked)
ret_val = hw->mac.ops.acquire_swfw_sync(hw,
IXGBE_GSSR_MAC_CSR_SM);
if (ret_val)
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
locked = true;
}
@@ -400,7 +400,7 @@ static s32 ixgbe_get_link_capabilities_82599(struct ixgbe_hw *hw,
break;
default:
- return IXGBE_ERR_LINK_SETUP;
+ return -EIO;
}
if (hw->phy.multispeed_fiber) {
@@ -541,7 +541,7 @@ static s32 ixgbe_start_mac_link_82599(struct ixgbe_hw *hw,
msleep(100);
}
if (!(links_reg & IXGBE_LINKS_KX_AN_COMP)) {
- status = IXGBE_ERR_AUTONEG_NOT_COMPLETE;
+ status = -EIO;
hw_dbg(hw, "Autoneg did not complete.\n");
}
}
@@ -794,7 +794,7 @@ static s32 ixgbe_setup_mac_link_82599(struct ixgbe_hw *hw,
speed &= link_capabilities;
if (speed == IXGBE_LINK_SPEED_UNKNOWN)
- return IXGBE_ERR_LINK_SETUP;
+ return -EINVAL;
/* Use stored value (EEPROM defaults) of AUTOC to find KR/KX4 support*/
if (hw->mac.orig_link_settings_stored)
@@ -861,8 +861,7 @@ static s32 ixgbe_setup_mac_link_82599(struct ixgbe_hw *hw,
msleep(100);
}
if (!(links_reg & IXGBE_LINKS_KX_AN_COMP)) {
- status =
- IXGBE_ERR_AUTONEG_NOT_COMPLETE;
+ status = -EIO;
hw_dbg(hw, "Autoneg did not complete.\n");
}
}
@@ -927,7 +926,7 @@ static s32 ixgbe_reset_hw_82599(struct ixgbe_hw *hw)
/* Identify PHY and related function pointers */
status = hw->phy.ops.init(hw);
- if (status == IXGBE_ERR_SFP_NOT_SUPPORTED)
+ if (status == -EOPNOTSUPP)
return status;
/* Setup SFP module if there is one present. */
@@ -936,7 +935,7 @@ static s32 ixgbe_reset_hw_82599(struct ixgbe_hw *hw)
hw->phy.sfp_setup_needed = false;
}
- if (status == IXGBE_ERR_SFP_NOT_SUPPORTED)
+ if (status == -EOPNOTSUPP)
return status;
/* Reset PHY */
@@ -974,7 +973,7 @@ static s32 ixgbe_reset_hw_82599(struct ixgbe_hw *hw)
}
if (ctrl & IXGBE_CTRL_RST_MASK) {
- status = IXGBE_ERR_RESET_FAILED;
+ status = -EIO;
hw_dbg(hw, "Reset polling failed to complete.\n");
}
@@ -1093,7 +1092,7 @@ static s32 ixgbe_fdir_check_cmd_complete(struct ixgbe_hw *hw, u32 *fdircmd)
udelay(10);
}
- return IXGBE_ERR_FDIR_CMD_INCOMPLETE;
+ return -EIO;
}
/**
@@ -1155,7 +1154,7 @@ s32 ixgbe_reinit_fdir_tables_82599(struct ixgbe_hw *hw)
}
if (i >= IXGBE_FDIR_INIT_DONE_POLL) {
hw_dbg(hw, "Flow Director Signature poll time exceeded!\n");
- return IXGBE_ERR_FDIR_REINIT_FAILED;
+ return -EIO;
}
/* Clear FDIR statistics registers (read to clear) */
@@ -1387,7 +1386,7 @@ s32 ixgbe_fdir_add_signature_filter_82599(struct ixgbe_hw *hw,
break;
default:
hw_dbg(hw, " Error on flow type input\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
/* configure FDIRCMD register */
@@ -1546,7 +1545,7 @@ s32 ixgbe_fdir_set_input_mask_82599(struct ixgbe_hw *hw,
break;
default:
hw_dbg(hw, " Error on vm pool mask\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
switch (input_mask->formatted.flow_type & IXGBE_ATR_L4TYPE_MASK) {
@@ -1555,14 +1554,14 @@ s32 ixgbe_fdir_set_input_mask_82599(struct ixgbe_hw *hw,
if (input_mask->formatted.dst_port ||
input_mask->formatted.src_port) {
hw_dbg(hw, " Error on src/dst port mask\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
break;
case IXGBE_ATR_L4TYPE_MASK:
break;
default:
hw_dbg(hw, " Error on flow type mask\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
switch (ntohs(input_mask->formatted.vlan_id) & 0xEFFF) {
@@ -1583,7 +1582,7 @@ s32 ixgbe_fdir_set_input_mask_82599(struct ixgbe_hw *hw,
break;
default:
hw_dbg(hw, " Error on VLAN mask\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
switch ((__force u16)input_mask->formatted.flex_bytes & 0xFFFF) {
@@ -1595,7 +1594,7 @@ s32 ixgbe_fdir_set_input_mask_82599(struct ixgbe_hw *hw,
break;
default:
hw_dbg(hw, " Error on flexible byte mask\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
/* Now mask VM pool and destination IPv6 - bits 5 and 2 */
@@ -1824,7 +1823,7 @@ static s32 ixgbe_identify_phy_82599(struct ixgbe_hw *hw)
/* Return error if SFP module has been detected but is not supported */
if (hw->phy.type == ixgbe_phy_sfp_unsupported)
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
return status;
}
@@ -1863,13 +1862,13 @@ static s32 ixgbe_enable_rx_dma_82599(struct ixgbe_hw *hw, u32 regval)
* Verifies that installed the firmware version is 0.6 or higher
* for SFI devices. All 82599 SFI devices should have version 0.6 or higher.
*
- * Returns IXGBE_ERR_EEPROM_VERSION if the FW is not present or
- * if the FW version is not supported.
+ * Return: -EACCES if the FW is not present or if the FW version is
+ * not supported.
**/
static s32 ixgbe_verify_fw_version_82599(struct ixgbe_hw *hw)
{
- s32 status = IXGBE_ERR_EEPROM_VERSION;
u16 fw_offset, fw_ptp_cfg_offset;
+ s32 status = -EACCES;
u16 offset;
u16 fw_version = 0;
@@ -1883,7 +1882,7 @@ static s32 ixgbe_verify_fw_version_82599(struct ixgbe_hw *hw)
goto fw_version_err;
if (fw_offset == 0 || fw_offset == 0xFFFF)
- return IXGBE_ERR_EEPROM_VERSION;
+ return -EACCES;
/* get the offset to the Pass Through Patch Configuration block */
offset = fw_offset + IXGBE_FW_PASSTHROUGH_PATCH_CONFIG_PTR;
@@ -1891,7 +1890,7 @@ static s32 ixgbe_verify_fw_version_82599(struct ixgbe_hw *hw)
goto fw_version_err;
if (fw_ptp_cfg_offset == 0 || fw_ptp_cfg_offset == 0xFFFF)
- return IXGBE_ERR_EEPROM_VERSION;
+ return -EACCES;
/* get the firmware version */
offset = fw_ptp_cfg_offset + IXGBE_FW_PATCH_VERSION_4;
@@ -1905,7 +1904,7 @@ static s32 ixgbe_verify_fw_version_82599(struct ixgbe_hw *hw)
fw_version_err:
hw_err(hw, "eeprom read at offset %d failed\n", offset);
- return IXGBE_ERR_EEPROM_VERSION;
+ return -EACCES;
}
/**
@@ -2038,7 +2037,7 @@ static s32 ixgbe_reset_pipeline_82599(struct ixgbe_hw *hw)
if (!(anlp1_reg & IXGBE_ANLP1_AN_STATE_MASK)) {
hw_dbg(hw, "auto negotiation not completed\n");
- ret_val = IXGBE_ERR_RESET_FAILED;
+ ret_val = -EIO;
goto reset_pipeline_out;
}
@@ -2087,7 +2086,7 @@ static s32 ixgbe_read_i2c_byte_82599(struct ixgbe_hw *hw, u8 byte_offset,
if (!timeout) {
hw_dbg(hw, "Driver can't access resource, acquiring I2C bus timeout.\n");
- status = IXGBE_ERR_I2C;
+ status = -EIO;
goto release_i2c_access;
}
}
@@ -2141,7 +2140,7 @@ static s32 ixgbe_write_i2c_byte_82599(struct ixgbe_hw *hw, u8 byte_offset,
if (!timeout) {
hw_dbg(hw, "Driver can't access resource, acquiring I2C bus timeout.\n");
- status = IXGBE_ERR_I2C;
+ status = -EIO;
goto release_i2c_access;
}
}
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
index 4c26c4b92f07..033630d3c26e 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
@@ -124,7 +124,7 @@ s32 ixgbe_setup_fc_generic(struct ixgbe_hw *hw)
*/
if (hw->fc.strict_ieee && hw->fc.requested_mode == ixgbe_fc_rx_pause) {
hw_dbg(hw, "ixgbe_fc_rx_pause not valid in strict IEEE mode\n");
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
}
/*
@@ -215,7 +215,7 @@ s32 ixgbe_setup_fc_generic(struct ixgbe_hw *hw)
break;
default:
hw_dbg(hw, "Flow control param set incorrectly\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
if (hw->mac.type != ixgbe_mac_X540) {
@@ -500,7 +500,7 @@ s32 ixgbe_read_pba_string_generic(struct ixgbe_hw *hw, u8 *pba_num,
if (pba_num == NULL) {
hw_dbg(hw, "PBA string buffer was null\n");
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
}
ret_val = hw->eeprom.ops.read(hw, IXGBE_PBANUM0_PTR, &data);
@@ -526,7 +526,7 @@ s32 ixgbe_read_pba_string_generic(struct ixgbe_hw *hw, u8 *pba_num,
/* we will need 11 characters to store the PBA */
if (pba_num_size < 11) {
hw_dbg(hw, "PBA string buffer too small\n");
- return IXGBE_ERR_NO_SPACE;
+ return -ENOSPC;
}
/* extract hex string from data and pba_ptr */
@@ -563,13 +563,13 @@ s32 ixgbe_read_pba_string_generic(struct ixgbe_hw *hw, u8 *pba_num,
if (length == 0xFFFF || length == 0) {
hw_dbg(hw, "NVM PBA number section invalid length\n");
- return IXGBE_ERR_PBA_SECTION;
+ return -EIO;
}
/* check if pba_num buffer is big enough */
if (pba_num_size < (((u32)length * 2) - 1)) {
hw_dbg(hw, "PBA string buffer too small\n");
- return IXGBE_ERR_NO_SPACE;
+ return -ENOSPC;
}
/* trim pba length from start of string */
@@ -805,7 +805,7 @@ s32 ixgbe_led_on_generic(struct ixgbe_hw *hw, u32 index)
u32 led_reg = IXGBE_READ_REG(hw, IXGBE_LEDCTL);
if (index > 3)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/* To turn on the LED, set mode to ON. */
led_reg &= ~IXGBE_LED_MODE_MASK(index);
@@ -826,7 +826,7 @@ s32 ixgbe_led_off_generic(struct ixgbe_hw *hw, u32 index)
u32 led_reg = IXGBE_READ_REG(hw, IXGBE_LEDCTL);
if (index > 3)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/* To turn off the LED, set mode to OFF. */
led_reg &= ~IXGBE_LED_MODE_MASK(index);
@@ -904,11 +904,8 @@ s32 ixgbe_write_eeprom_buffer_bit_bang_generic(struct ixgbe_hw *hw, u16 offset,
hw->eeprom.ops.init_params(hw);
- if (words == 0)
- return IXGBE_ERR_INVALID_ARGUMENT;
-
- if (offset + words > hw->eeprom.word_size)
- return IXGBE_ERR_EEPROM;
+ if (words == 0 || (offset + words > hw->eeprom.word_size))
+ return -EINVAL;
/*
* The EEPROM page size cannot be queried from the chip. We do lazy
@@ -962,7 +959,7 @@ static s32 ixgbe_write_eeprom_buffer_bit_bang(struct ixgbe_hw *hw, u16 offset,
if (ixgbe_ready_eeprom(hw) != 0) {
ixgbe_release_eeprom(hw);
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
for (i = 0; i < words; i++) {
@@ -1028,7 +1025,7 @@ s32 ixgbe_write_eeprom_generic(struct ixgbe_hw *hw, u16 offset, u16 data)
hw->eeprom.ops.init_params(hw);
if (offset >= hw->eeprom.word_size)
- return IXGBE_ERR_EEPROM;
+ return -EINVAL;
return ixgbe_write_eeprom_buffer_bit_bang(hw, offset, 1, &data);
}
@@ -1050,11 +1047,8 @@ s32 ixgbe_read_eeprom_buffer_bit_bang_generic(struct ixgbe_hw *hw, u16 offset,
hw->eeprom.ops.init_params(hw);
- if (words == 0)
- return IXGBE_ERR_INVALID_ARGUMENT;
-
- if (offset + words > hw->eeprom.word_size)
- return IXGBE_ERR_EEPROM;
+ if (words == 0 || (offset + words > hw->eeprom.word_size))
+ return -EINVAL;
/*
* We cannot hold synchronization semaphores for too long
@@ -1099,7 +1093,7 @@ static s32 ixgbe_read_eeprom_buffer_bit_bang(struct ixgbe_hw *hw, u16 offset,
if (ixgbe_ready_eeprom(hw) != 0) {
ixgbe_release_eeprom(hw);
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
for (i = 0; i < words; i++) {
@@ -1142,7 +1136,7 @@ s32 ixgbe_read_eeprom_bit_bang_generic(struct ixgbe_hw *hw, u16 offset,
hw->eeprom.ops.init_params(hw);
if (offset >= hw->eeprom.word_size)
- return IXGBE_ERR_EEPROM;
+ return -EINVAL;
return ixgbe_read_eeprom_buffer_bit_bang(hw, offset, 1, data);
}
@@ -1165,11 +1159,8 @@ s32 ixgbe_read_eerd_buffer_generic(struct ixgbe_hw *hw, u16 offset,
hw->eeprom.ops.init_params(hw);
- if (words == 0)
- return IXGBE_ERR_INVALID_ARGUMENT;
-
- if (offset >= hw->eeprom.word_size)
- return IXGBE_ERR_EEPROM;
+ if (words == 0 || offset >= hw->eeprom.word_size)
+ return -EINVAL;
for (i = 0; i < words; i++) {
eerd = ((offset + i) << IXGBE_EEPROM_RW_ADDR_SHIFT) |
@@ -1262,11 +1253,8 @@ s32 ixgbe_write_eewr_buffer_generic(struct ixgbe_hw *hw, u16 offset,
hw->eeprom.ops.init_params(hw);
- if (words == 0)
- return IXGBE_ERR_INVALID_ARGUMENT;
-
- if (offset >= hw->eeprom.word_size)
- return IXGBE_ERR_EEPROM;
+ if (words == 0 || offset >= hw->eeprom.word_size)
+ return -EINVAL;
for (i = 0; i < words; i++) {
eewr = ((offset + i) << IXGBE_EEPROM_RW_ADDR_SHIFT) |
@@ -1328,7 +1316,7 @@ static s32 ixgbe_poll_eerd_eewr_done(struct ixgbe_hw *hw, u32 ee_reg)
}
udelay(5);
}
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
/**
@@ -1344,7 +1332,7 @@ static s32 ixgbe_acquire_eeprom(struct ixgbe_hw *hw)
u32 i;
if (hw->mac.ops.acquire_swfw_sync(hw, IXGBE_GSSR_EEP_SM) != 0)
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
eec = IXGBE_READ_REG(hw, IXGBE_EEC(hw));
@@ -1366,7 +1354,7 @@ static s32 ixgbe_acquire_eeprom(struct ixgbe_hw *hw)
hw_dbg(hw, "Could not acquire EEPROM grant\n");
hw->mac.ops.release_swfw_sync(hw, IXGBE_GSSR_EEP_SM);
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
/* Setup EEPROM for Read/Write */
@@ -1419,7 +1407,7 @@ static s32 ixgbe_get_eeprom_semaphore(struct ixgbe_hw *hw)
swsm = IXGBE_READ_REG(hw, IXGBE_SWSM(hw));
if (swsm & IXGBE_SWSM_SMBI) {
hw_dbg(hw, "Software semaphore SMBI between device drivers not granted.\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
}
@@ -1447,7 +1435,7 @@ static s32 ixgbe_get_eeprom_semaphore(struct ixgbe_hw *hw)
if (i >= timeout) {
hw_dbg(hw, "SWESMBI Software EEPROM semaphore not granted.\n");
ixgbe_release_eeprom_semaphore(hw);
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
return 0;
@@ -1503,7 +1491,7 @@ static s32 ixgbe_ready_eeprom(struct ixgbe_hw *hw)
*/
if (i >= IXGBE_EEPROM_MAX_RETRY_SPI) {
hw_dbg(hw, "SPI EEPROM Status error\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
return 0;
@@ -1715,7 +1703,7 @@ s32 ixgbe_calc_eeprom_checksum_generic(struct ixgbe_hw *hw)
for (i = IXGBE_PCIE_ANALOG_PTR; i < IXGBE_FW_PTR; i++) {
if (hw->eeprom.ops.read(hw, i, &pointer)) {
hw_dbg(hw, "EEPROM read failed\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
/* If the pointer seems invalid */
@@ -1724,7 +1712,7 @@ s32 ixgbe_calc_eeprom_checksum_generic(struct ixgbe_hw *hw)
if (hw->eeprom.ops.read(hw, pointer, &length)) {
hw_dbg(hw, "EEPROM read failed\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
if (length == 0xFFFF || length == 0)
@@ -1733,7 +1721,7 @@ s32 ixgbe_calc_eeprom_checksum_generic(struct ixgbe_hw *hw)
for (j = pointer + 1; j <= pointer + length; j++) {
if (hw->eeprom.ops.read(hw, j, &word)) {
hw_dbg(hw, "EEPROM read failed\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
checksum += word;
}
@@ -1786,7 +1774,7 @@ s32 ixgbe_validate_eeprom_checksum_generic(struct ixgbe_hw *hw,
* calculated checksum
*/
if (read_checksum != checksum)
- status = IXGBE_ERR_EEPROM_CHECKSUM;
+ status = -EIO;
/* If the user cares, return the calculated checksum */
if (checksum_val)
@@ -1845,7 +1833,7 @@ s32 ixgbe_set_rar_generic(struct ixgbe_hw *hw, u32 index, u8 *addr, u32 vmdq,
/* Make sure we are using a valid rar index range */
if (index >= rar_entries) {
hw_dbg(hw, "RAR index %d is out of range.\n", index);
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
}
/* setup VMDq pool selection before this RAR gets enabled */
@@ -1897,7 +1885,7 @@ s32 ixgbe_clear_rar_generic(struct ixgbe_hw *hw, u32 index)
/* Make sure we are using a valid rar index range */
if (index >= rar_entries) {
hw_dbg(hw, "RAR index %d is out of range.\n", index);
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
}
/*
@@ -2146,7 +2134,7 @@ s32 ixgbe_fc_enable_generic(struct ixgbe_hw *hw)
/* Validate the water mark configuration. */
if (!hw->fc.pause_time)
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
/* Low water mark of zero causes XOFF floods */
for (i = 0; i < MAX_TRAFFIC_CLASS; i++) {
@@ -2155,7 +2143,7 @@ s32 ixgbe_fc_enable_generic(struct ixgbe_hw *hw)
if (!hw->fc.low_water[i] ||
hw->fc.low_water[i] >= hw->fc.high_water[i]) {
hw_dbg(hw, "Invalid water mark configuration\n");
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
}
}
}
@@ -2212,7 +2200,7 @@ s32 ixgbe_fc_enable_generic(struct ixgbe_hw *hw)
break;
default:
hw_dbg(hw, "Flow control param set incorrectly\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
/* Set 802.3x based flow control settings. */
@@ -2269,7 +2257,7 @@ s32 ixgbe_negotiate_fc(struct ixgbe_hw *hw, u32 adv_reg, u32 lp_reg,
u32 adv_sym, u32 adv_asm, u32 lp_sym, u32 lp_asm)
{
if ((!(adv_reg)) || (!(lp_reg)))
- return IXGBE_ERR_FC_NOT_NEGOTIATED;
+ return -EINVAL;
if ((adv_reg & adv_sym) && (lp_reg & lp_sym)) {
/*
@@ -2321,7 +2309,7 @@ static s32 ixgbe_fc_autoneg_fiber(struct ixgbe_hw *hw)
linkstat = IXGBE_READ_REG(hw, IXGBE_PCS1GLSTA);
if ((!!(linkstat & IXGBE_PCS1GLSTA_AN_COMPLETE) == 0) ||
(!!(linkstat & IXGBE_PCS1GLSTA_AN_TIMED_OUT) == 1))
- return IXGBE_ERR_FC_NOT_NEGOTIATED;
+ return -EIO;
pcs_anadv_reg = IXGBE_READ_REG(hw, IXGBE_PCS1GANA);
pcs_lpab_reg = IXGBE_READ_REG(hw, IXGBE_PCS1GANLP);
@@ -2353,12 +2341,12 @@ static s32 ixgbe_fc_autoneg_backplane(struct ixgbe_hw *hw)
*/
links = IXGBE_READ_REG(hw, IXGBE_LINKS);
if ((links & IXGBE_LINKS_KX_AN_COMP) == 0)
- return IXGBE_ERR_FC_NOT_NEGOTIATED;
+ return -EIO;
if (hw->mac.type == ixgbe_mac_82599EB) {
links2 = IXGBE_READ_REG(hw, IXGBE_LINKS2);
if ((links2 & IXGBE_LINKS2_AN_SUPPORTED) == 0)
- return IXGBE_ERR_FC_NOT_NEGOTIATED;
+ return -EIO;
}
/*
* Read the 10g AN autoc and LP ability registers and resolve
@@ -2407,8 +2395,8 @@ static s32 ixgbe_fc_autoneg_copper(struct ixgbe_hw *hw)
**/
void ixgbe_fc_autoneg(struct ixgbe_hw *hw)
{
- s32 ret_val = IXGBE_ERR_FC_NOT_NEGOTIATED;
ixgbe_link_speed speed;
+ s32 ret_val = -EIO;
bool link_up;
/*
@@ -2510,7 +2498,7 @@ static u32 ixgbe_pcie_timeout_poll(struct ixgbe_hw *hw)
* @hw: pointer to hardware structure
*
* Disables PCI-Express primary access and verifies there are no pending
- * requests. IXGBE_ERR_PRIMARY_REQUESTS_PENDING is returned if primary disable
+ * requests. -EALREADY is returned if primary disable
* bit hasn't caused the primary requests to be disabled, else 0
* is returned signifying primary requests disabled.
**/
@@ -2575,7 +2563,7 @@ static s32 ixgbe_disable_pcie_primary(struct ixgbe_hw *hw)
}
hw_dbg(hw, "PCIe transaction pending bit also did not clear.\n");
- return IXGBE_ERR_PRIMARY_REQUESTS_PENDING;
+ return -EALREADY;
}
/**
@@ -2600,7 +2588,7 @@ s32 ixgbe_acquire_swfw_sync(struct ixgbe_hw *hw, u32 mask)
* SW_FW_SYNC bits (not just NVM)
*/
if (ixgbe_get_eeprom_semaphore(hw))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
gssr = IXGBE_READ_REG(hw, IXGBE_GSSR);
if (!(gssr & (fwmask | swmask))) {
@@ -2620,7 +2608,7 @@ s32 ixgbe_acquire_swfw_sync(struct ixgbe_hw *hw, u32 mask)
ixgbe_release_swfw_sync(hw, gssr & (fwmask | swmask));
usleep_range(5000, 10000);
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
}
/**
@@ -2757,7 +2745,7 @@ s32 ixgbe_blink_led_start_generic(struct ixgbe_hw *hw, u32 index)
s32 ret_val;
if (index > 3)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/*
* Link must be up to auto-blink the LEDs;
@@ -2803,7 +2791,7 @@ s32 ixgbe_blink_led_stop_generic(struct ixgbe_hw *hw, u32 index)
s32 ret_val;
if (index > 3)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
ret_val = hw->mac.ops.prot_autoc_read(hw, &locked, &autoc_reg);
if (ret_val)
@@ -2963,7 +2951,7 @@ s32 ixgbe_clear_vmdq_generic(struct ixgbe_hw *hw, u32 rar, u32 vmdq)
/* Make sure we are using a valid rar index range */
if (rar >= rar_entries) {
hw_dbg(hw, "RAR index %d is out of range.\n", rar);
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
}
mpsar_lo = IXGBE_READ_REG(hw, IXGBE_MPSAR_LO(rar));
@@ -3014,7 +3002,7 @@ s32 ixgbe_set_vmdq_generic(struct ixgbe_hw *hw, u32 rar, u32 vmdq)
/* Make sure we are using a valid rar index range */
if (rar >= rar_entries) {
hw_dbg(hw, "RAR index %d is out of range.\n", rar);
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
}
if (vmdq < 32) {
@@ -3091,7 +3079,7 @@ static s32 ixgbe_find_vlvf_slot(struct ixgbe_hw *hw, u32 vlan, bool vlvf_bypass)
* will simply bypass the VLVF if there are no entries present in the
* VLVF that contain our VLAN
*/
- first_empty_slot = vlvf_bypass ? IXGBE_ERR_NO_SPACE : 0;
+ first_empty_slot = vlvf_bypass ? -ENOSPC : 0;
/* add VLAN enable bit for comparison */
vlan |= IXGBE_VLVF_VIEN;
@@ -3115,7 +3103,7 @@ static s32 ixgbe_find_vlvf_slot(struct ixgbe_hw *hw, u32 vlan, bool vlvf_bypass)
if (!first_empty_slot)
hw_dbg(hw, "No space in VLVF.\n");
- return first_empty_slot ? : IXGBE_ERR_NO_SPACE;
+ return first_empty_slot ? : -ENOSPC;
}
/**
@@ -3135,7 +3123,7 @@ s32 ixgbe_set_vfta_generic(struct ixgbe_hw *hw, u32 vlan, u32 vind,
s32 vlvf_index;
if ((vlan > 4095) || (vind > 63))
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/*
* this is a 2 part operation - first the VFTA, then the
@@ -3596,7 +3584,8 @@ u8 ixgbe_calculate_checksum(u8 *buffer, u32 length)
*
* Communicates with the manageability block. On success return 0
* else returns semaphore error when encountering an error acquiring
- * semaphore or IXGBE_ERR_HOST_INTERFACE_COMMAND when command fails.
+ * semaphore, -EINVAL when incorrect parameters passed or -EIO when
+ * command fails.
*
* This function assumes that the IXGBE_GSSR_SW_MNG_SM semaphore is held
* by the caller.
@@ -3609,7 +3598,7 @@ s32 ixgbe_hic_unlocked(struct ixgbe_hw *hw, u32 *buffer, u32 length,
if (!length || length > IXGBE_HI_MAX_BLOCK_BYTE_LENGTH) {
hw_dbg(hw, "Buffer length failure buffersize-%d.\n", length);
- return IXGBE_ERR_HOST_INTERFACE_COMMAND;
+ return -EINVAL;
}
/* Set bit 9 of FWSTS clearing FW reset indication */
@@ -3620,13 +3609,13 @@ s32 ixgbe_hic_unlocked(struct ixgbe_hw *hw, u32 *buffer, u32 length,
hicr = IXGBE_READ_REG(hw, IXGBE_HICR);
if (!(hicr & IXGBE_HICR_EN)) {
hw_dbg(hw, "IXGBE_HOST_EN bit disabled.\n");
- return IXGBE_ERR_HOST_INTERFACE_COMMAND;
+ return -EIO;
}
/* Calculate length in DWORDs. We must be DWORD aligned */
if (length % sizeof(u32)) {
hw_dbg(hw, "Buffer length failure, not aligned to dword");
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
}
dword_len = length >> 2;
@@ -3651,7 +3640,7 @@ s32 ixgbe_hic_unlocked(struct ixgbe_hw *hw, u32 *buffer, u32 length,
/* Check command successful completion. */
if ((timeout && i == timeout) ||
!(IXGBE_READ_REG(hw, IXGBE_HICR) & IXGBE_HICR_SV))
- return IXGBE_ERR_HOST_INTERFACE_COMMAND;
+ return -EIO;
return 0;
}
@@ -3671,7 +3660,7 @@ s32 ixgbe_hic_unlocked(struct ixgbe_hw *hw, u32 *buffer, u32 length,
* in these cases.
*
* Communicates with the manageability block. On success return 0
- * else return IXGBE_ERR_HOST_INTERFACE_COMMAND.
+ * else return -EIO or -EINVAL.
**/
s32 ixgbe_host_interface_command(struct ixgbe_hw *hw, void *buffer,
u32 length, u32 timeout,
@@ -3686,7 +3675,7 @@ s32 ixgbe_host_interface_command(struct ixgbe_hw *hw, void *buffer,
if (!length || length > IXGBE_HI_MAX_BLOCK_BYTE_LENGTH) {
hw_dbg(hw, "Buffer length failure buffersize-%d.\n", length);
- return IXGBE_ERR_HOST_INTERFACE_COMMAND;
+ return -EINVAL;
}
/* Take management host interface semaphore */
status = hw->mac.ops.acquire_swfw_sync(hw, IXGBE_GSSR_SW_MNG_SM);
@@ -3716,7 +3705,7 @@ s32 ixgbe_host_interface_command(struct ixgbe_hw *hw, void *buffer,
if (length < round_up(buf_len, 4) + hdr_size) {
hw_dbg(hw, "Buffer not large enough for reply message.\n");
- status = IXGBE_ERR_HOST_INTERFACE_COMMAND;
+ status = -EIO;
goto rel_out;
}
@@ -3747,8 +3736,8 @@ s32 ixgbe_host_interface_command(struct ixgbe_hw *hw, void *buffer,
*
* Sends driver version number to firmware through the manageability
* block. On success return 0
- * else returns IXGBE_ERR_SWFW_SYNC when encountering an error acquiring
- * semaphore or IXGBE_ERR_HOST_INTERFACE_COMMAND when command fails.
+ * else returns -EBUSY when encountering an error acquiring
+ * semaphore or -EIO when command fails.
**/
s32 ixgbe_set_fw_drv_ver_generic(struct ixgbe_hw *hw, u8 maj, u8 min,
u8 build, u8 sub, __always_unused u16 len,
@@ -3784,7 +3773,7 @@ s32 ixgbe_set_fw_drv_ver_generic(struct ixgbe_hw *hw, u8 maj, u8 min,
FW_CEM_RESP_STATUS_SUCCESS)
ret_val = 0;
else
- ret_val = IXGBE_ERR_HOST_INTERFACE_COMMAND;
+ ret_val = -EIO;
break;
}
@@ -3882,14 +3871,14 @@ static s32 ixgbe_get_ets_data(struct ixgbe_hw *hw, u16 *ets_cfg,
return status;
if ((*ets_offset == 0x0000) || (*ets_offset == 0xFFFF))
- return IXGBE_NOT_IMPLEMENTED;
+ return -EOPNOTSUPP;
status = hw->eeprom.ops.read(hw, *ets_offset, ets_cfg);
if (status)
return status;
if ((*ets_cfg & IXGBE_ETS_TYPE_MASK) != IXGBE_ETS_TYPE_EMC_SHIFTED)
- return IXGBE_NOT_IMPLEMENTED;
+ return -EOPNOTSUPP;
return 0;
}
@@ -3912,7 +3901,7 @@ s32 ixgbe_get_thermal_sensor_data_generic(struct ixgbe_hw *hw)
/* Only support thermal sensors attached to physical port 0 */
if ((IXGBE_READ_REG(hw, IXGBE_STATUS) & IXGBE_STATUS_LAN_ID_1))
- return IXGBE_NOT_IMPLEMENTED;
+ return -EOPNOTSUPP;
status = ixgbe_get_ets_data(hw, &ets_cfg, &ets_offset);
if (status)
@@ -3972,7 +3961,7 @@ s32 ixgbe_init_thermal_sensor_thresh_generic(struct ixgbe_hw *hw)
/* Only support thermal sensors attached to physical port 0 */
if ((IXGBE_READ_REG(hw, IXGBE_STATUS) & IXGBE_STATUS_LAN_ID_1))
- return IXGBE_NOT_IMPLEMENTED;
+ return -EOPNOTSUPP;
status = ixgbe_get_ets_data(hw, &ets_cfg, &ets_offset);
if (status)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
index c829cb65171c..d00b0e85f0b2 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
@@ -3338,7 +3338,7 @@ static int ixgbe_get_module_eeprom(struct net_device *dev,
{
struct ixgbe_adapter *adapter = netdev_priv(dev);
struct ixgbe_hw *hw = &adapter->hw;
- s32 status = IXGBE_ERR_PHY_ADDR_INVALID;
+ s32 status = -EFAULT;
u8 databyte = 0xFF;
int i = 0;
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 985c58d8b918..1c8e953a3e45 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -5514,7 +5514,7 @@ static int ixgbe_non_sfp_link_config(struct ixgbe_hw *hw)
{
u32 speed;
bool autoneg, link_up = false;
- int ret = IXGBE_ERR_LINK_SETUP;
+ int ret = -EIO;
if (hw->mac.ops.check_link)
ret = hw->mac.ops.check_link(hw, &speed, &link_up, false);
@@ -5940,13 +5940,13 @@ void ixgbe_reset(struct ixgbe_adapter *adapter)
err = hw->mac.ops.init_hw(hw);
switch (err) {
case 0:
- case IXGBE_ERR_SFP_NOT_PRESENT:
- case IXGBE_ERR_SFP_NOT_SUPPORTED:
+ case -ENOENT:
+ case -EOPNOTSUPP:
break;
- case IXGBE_ERR_PRIMARY_REQUESTS_PENDING:
+ case -EALREADY:
e_dev_err("primary disable timed out\n");
break;
- case IXGBE_ERR_EEPROM_VERSION:
+ case -EACCES:
/* We are running on a pre-production device, log a warning */
e_dev_warn("This device is a pre-production adapter/LOM. "
"Please be aware there may be issues associated with "
@@ -7736,10 +7736,10 @@ static void ixgbe_sfp_detection_subtask(struct ixgbe_adapter *adapter)
adapter->sfp_poll_time = jiffies + IXGBE_SFP_POLL_JIFFIES - 1;
err = hw->phy.ops.identify_sfp(hw);
- if (err == IXGBE_ERR_SFP_NOT_SUPPORTED)
+ if (err == -EOPNOTSUPP)
goto sfp_out;
- if (err == IXGBE_ERR_SFP_NOT_PRESENT) {
+ if (err == -ENOENT) {
/* If no cable is present, then we need to reset
* the next time we find a good cable. */
adapter->flags2 |= IXGBE_FLAG2_SFP_NEEDS_RESET;
@@ -7765,7 +7765,7 @@ static void ixgbe_sfp_detection_subtask(struct ixgbe_adapter *adapter)
else
err = hw->mac.ops.setup_sfp(hw);
- if (err == IXGBE_ERR_SFP_NOT_SUPPORTED)
+ if (err == -EOPNOTSUPP)
goto sfp_out;
adapter->flags |= IXGBE_FLAG_NEED_LINK_CONFIG;
@@ -7774,8 +7774,8 @@ static void ixgbe_sfp_detection_subtask(struct ixgbe_adapter *adapter)
sfp_out:
clear_bit(__IXGBE_IN_SFP_INIT, &adapter->state);
- if ((err == IXGBE_ERR_SFP_NOT_SUPPORTED) &&
- (adapter->netdev->reg_state == NETREG_REGISTERED)) {
+ if (err == -EOPNOTSUPP &&
+ adapter->netdev->reg_state == NETREG_REGISTERED) {
e_dev_err("failed to initialize because an unsupported "
"SFP+ module type was detected.\n");
e_dev_err("Reload the driver after installing a "
@@ -10782,9 +10782,9 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
err = hw->mac.ops.reset_hw(hw);
hw->phy.reset_if_overtemp = false;
ixgbe_set_eee_capable(adapter);
- if (err == IXGBE_ERR_SFP_NOT_PRESENT) {
+ if (err == -ENOENT) {
err = 0;
- } else if (err == IXGBE_ERR_SFP_NOT_SUPPORTED) {
+ } else if (err == -EOPNOTSUPP) {
e_dev_err("failed to load because an unsupported SFP+ or QSFP module type was detected.\n");
e_dev_err("Reload the driver after installing a supported module.\n");
goto err_sw_init;
@@ -11001,7 +11001,7 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
/* reset the hardware with the new settings */
err = hw->mac.ops.start_hw(hw);
- if (err == IXGBE_ERR_EEPROM_VERSION) {
+ if (err == -EACCES) {
/* We are running on a pre-production device, log a warning */
e_dev_warn("This device is a pre-production adapter/LOM. "
"Please be aware there may be issues associated "
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.c
index 5679293e53f7..fe7ef5773369 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.c
@@ -24,7 +24,7 @@ s32 ixgbe_read_mbx(struct ixgbe_hw *hw, u32 *msg, u16 size, u16 mbx_id)
size = mbx->size;
if (!mbx->ops)
- return IXGBE_ERR_MBX;
+ return -EIO;
return mbx->ops->read(hw, msg, size, mbx_id);
}
@@ -43,10 +43,10 @@ s32 ixgbe_write_mbx(struct ixgbe_hw *hw, u32 *msg, u16 size, u16 mbx_id)
struct ixgbe_mbx_info *mbx = &hw->mbx;
if (size > mbx->size)
- return IXGBE_ERR_MBX;
+ return -EINVAL;
if (!mbx->ops)
- return IXGBE_ERR_MBX;
+ return -EIO;
return mbx->ops->write(hw, msg, size, mbx_id);
}
@@ -63,7 +63,7 @@ s32 ixgbe_check_for_msg(struct ixgbe_hw *hw, u16 mbx_id)
struct ixgbe_mbx_info *mbx = &hw->mbx;
if (!mbx->ops)
- return IXGBE_ERR_MBX;
+ return -EIO;
return mbx->ops->check_for_msg(hw, mbx_id);
}
@@ -80,7 +80,7 @@ s32 ixgbe_check_for_ack(struct ixgbe_hw *hw, u16 mbx_id)
struct ixgbe_mbx_info *mbx = &hw->mbx;
if (!mbx->ops)
- return IXGBE_ERR_MBX;
+ return -EIO;
return mbx->ops->check_for_ack(hw, mbx_id);
}
@@ -97,7 +97,7 @@ s32 ixgbe_check_for_rst(struct ixgbe_hw *hw, u16 mbx_id)
struct ixgbe_mbx_info *mbx = &hw->mbx;
if (!mbx->ops)
- return IXGBE_ERR_MBX;
+ return -EIO;
return mbx->ops->check_for_rst(hw, mbx_id);
}
@@ -115,12 +115,12 @@ static s32 ixgbe_poll_for_msg(struct ixgbe_hw *hw, u16 mbx_id)
int countdown = mbx->timeout;
if (!countdown || !mbx->ops)
- return IXGBE_ERR_MBX;
+ return -EIO;
while (mbx->ops->check_for_msg(hw, mbx_id)) {
countdown--;
if (!countdown)
- return IXGBE_ERR_MBX;
+ return -EIO;
udelay(mbx->usec_delay);
}
@@ -140,12 +140,12 @@ static s32 ixgbe_poll_for_ack(struct ixgbe_hw *hw, u16 mbx_id)
int countdown = mbx->timeout;
if (!countdown || !mbx->ops)
- return IXGBE_ERR_MBX;
+ return -EIO;
while (mbx->ops->check_for_ack(hw, mbx_id)) {
countdown--;
if (!countdown)
- return IXGBE_ERR_MBX;
+ return -EIO;
udelay(mbx->usec_delay);
}
@@ -169,7 +169,7 @@ static s32 ixgbe_read_posted_mbx(struct ixgbe_hw *hw, u32 *msg, u16 size,
s32 ret_val;
if (!mbx->ops)
- return IXGBE_ERR_MBX;
+ return -EIO;
ret_val = ixgbe_poll_for_msg(hw, mbx_id);
if (ret_val)
@@ -197,7 +197,7 @@ static s32 ixgbe_write_posted_mbx(struct ixgbe_hw *hw, u32 *msg, u16 size,
/* exit if either we can't write or there isn't a defined timeout */
if (!mbx->ops || !mbx->timeout)
- return IXGBE_ERR_MBX;
+ return -EIO;
/* send msg */
ret_val = mbx->ops->write(hw, msg, size, mbx_id);
@@ -217,7 +217,7 @@ static s32 ixgbe_check_for_bit_pf(struct ixgbe_hw *hw, u32 mask, s32 index)
return 0;
}
- return IXGBE_ERR_MBX;
+ return -EIO;
}
/**
@@ -238,7 +238,7 @@ static s32 ixgbe_check_for_msg_pf(struct ixgbe_hw *hw, u16 vf_number)
return 0;
}
- return IXGBE_ERR_MBX;
+ return -EIO;
}
/**
@@ -259,7 +259,7 @@ static s32 ixgbe_check_for_ack_pf(struct ixgbe_hw *hw, u16 vf_number)
return 0;
}
- return IXGBE_ERR_MBX;
+ return -EIO;
}
/**
@@ -295,7 +295,7 @@ static s32 ixgbe_check_for_rst_pf(struct ixgbe_hw *hw, u16 vf_number)
return 0;
}
- return IXGBE_ERR_MBX;
+ return -EIO;
}
/**
@@ -317,7 +317,7 @@ static s32 ixgbe_obtain_mbx_lock_pf(struct ixgbe_hw *hw, u16 vf_number)
if (p2v_mailbox & IXGBE_PFMAILBOX_PFU)
return 0;
- return IXGBE_ERR_MBX;
+ return -EIO;
}
/**
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h
index a148534d7256..def067b15873 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h
@@ -7,7 +7,6 @@
#include "ixgbe_type.h"
#define IXGBE_VFMAILBOX_SIZE 16 /* 16 32 bit words - 64 bytes */
-#define IXGBE_ERR_MBX -100
#define IXGBE_VFMAILBOX 0x002FC
#define IXGBE_VFMBMEM 0x00200
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c
index 123dca9ce468..20c45766c694 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c
@@ -102,7 +102,7 @@ s32 ixgbe_read_i2c_combined_generic_int(struct ixgbe_hw *hw, u8 addr,
csum = ~csum;
do {
if (lock && hw->mac.ops.acquire_swfw_sync(hw, swfw_mask))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
ixgbe_i2c_start(hw);
/* Device Address and write indication */
if (ixgbe_out_i2c_byte_ack(hw, addr))
@@ -150,7 +150,7 @@ s32 ixgbe_read_i2c_combined_generic_int(struct ixgbe_hw *hw, u8 addr,
hw_dbg(hw, "I2C byte read combined error.\n");
} while (retry < max_retry);
- return IXGBE_ERR_I2C;
+ return -EIO;
}
/**
@@ -179,7 +179,7 @@ s32 ixgbe_write_i2c_combined_generic_int(struct ixgbe_hw *hw, u8 addr,
csum = ~csum;
do {
if (lock && hw->mac.ops.acquire_swfw_sync(hw, swfw_mask))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
ixgbe_i2c_start(hw);
/* Device Address and write indication */
if (ixgbe_out_i2c_byte_ack(hw, addr))
@@ -215,7 +215,7 @@ s32 ixgbe_write_i2c_combined_generic_int(struct ixgbe_hw *hw, u8 addr,
hw_dbg(hw, "I2C byte write combined error.\n");
} while (retry < max_retry);
- return IXGBE_ERR_I2C;
+ return -EIO;
}
/**
@@ -262,8 +262,8 @@ static bool ixgbe_probe_phy(struct ixgbe_hw *hw, u16 phy_addr)
**/
s32 ixgbe_identify_phy_generic(struct ixgbe_hw *hw)
{
+ u32 status = -EFAULT;
u32 phy_addr;
- u32 status = IXGBE_ERR_PHY_ADDR_INVALID;
if (!hw->phy.phy_semaphore_mask) {
if (hw->bus.lan_id)
@@ -282,7 +282,7 @@ s32 ixgbe_identify_phy_generic(struct ixgbe_hw *hw)
if (ixgbe_probe_phy(hw, phy_addr))
return 0;
else
- return IXGBE_ERR_PHY_ADDR_INVALID;
+ return -EFAULT;
}
for (phy_addr = 0; phy_addr < IXGBE_MAX_PHY_ADDR; phy_addr++) {
@@ -457,7 +457,7 @@ s32 ixgbe_reset_phy_generic(struct ixgbe_hw *hw)
if (ctrl & MDIO_CTRL1_RESET) {
hw_dbg(hw, "PHY reset polling failed to complete.\n");
- return IXGBE_ERR_RESET_FAILED;
+ return -EIO;
}
return 0;
@@ -500,7 +500,7 @@ s32 ixgbe_read_phy_reg_mdi(struct ixgbe_hw *hw, u32 reg_addr, u32 device_type,
if ((command & IXGBE_MSCA_MDI_COMMAND) != 0) {
hw_dbg(hw, "PHY address command did not complete.\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
/* Address cycle complete, setup and write the read
@@ -527,7 +527,7 @@ s32 ixgbe_read_phy_reg_mdi(struct ixgbe_hw *hw, u32 reg_addr, u32 device_type,
if ((command & IXGBE_MSCA_MDI_COMMAND) != 0) {
hw_dbg(hw, "PHY read command didn't complete\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
/* Read operation is complete. Get the data
@@ -559,7 +559,7 @@ s32 ixgbe_read_phy_reg_generic(struct ixgbe_hw *hw, u32 reg_addr,
phy_data);
hw->mac.ops.release_swfw_sync(hw, gssr);
} else {
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
}
return status;
@@ -604,7 +604,7 @@ s32 ixgbe_write_phy_reg_mdi(struct ixgbe_hw *hw, u32 reg_addr,
if ((command & IXGBE_MSCA_MDI_COMMAND) != 0) {
hw_dbg(hw, "PHY address cmd didn't complete\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
/*
@@ -632,7 +632,7 @@ s32 ixgbe_write_phy_reg_mdi(struct ixgbe_hw *hw, u32 reg_addr,
if ((command & IXGBE_MSCA_MDI_COMMAND) != 0) {
hw_dbg(hw, "PHY write cmd didn't complete\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
return 0;
@@ -657,7 +657,7 @@ s32 ixgbe_write_phy_reg_generic(struct ixgbe_hw *hw, u32 reg_addr,
phy_data);
hw->mac.ops.release_swfw_sync(hw, gssr);
} else {
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
}
return status;
@@ -1303,7 +1303,7 @@ s32 ixgbe_reset_phy_nl(struct ixgbe_hw *hw)
if ((phy_data & MDIO_CTRL1_RESET) != 0) {
hw_dbg(hw, "PHY reset did not complete.\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
/* Get init offsets */
@@ -1360,12 +1360,12 @@ s32 ixgbe_reset_phy_nl(struct ixgbe_hw *hw)
hw_dbg(hw, "SOL\n");
} else {
hw_dbg(hw, "Bad control value\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
break;
default:
hw_dbg(hw, "Bad control type\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
}
@@ -1373,7 +1373,7 @@ s32 ixgbe_reset_phy_nl(struct ixgbe_hw *hw)
err_eeprom:
hw_err(hw, "eeprom read at offset %d failed\n", data_offset);
- return IXGBE_ERR_PHY;
+ return -EIO;
}
/**
@@ -1391,10 +1391,10 @@ s32 ixgbe_identify_module_generic(struct ixgbe_hw *hw)
return ixgbe_identify_qsfp_module_generic(hw);
default:
hw->phy.sfp_type = ixgbe_sfp_type_not_present;
- return IXGBE_ERR_SFP_NOT_PRESENT;
+ return -ENOENT;
}
- return IXGBE_ERR_SFP_NOT_PRESENT;
+ return -ENOENT;
}
/**
@@ -1419,7 +1419,7 @@ s32 ixgbe_identify_sfp_module_generic(struct ixgbe_hw *hw)
if (hw->mac.ops.get_media_type(hw) != ixgbe_media_type_fiber) {
hw->phy.sfp_type = ixgbe_sfp_type_not_present;
- return IXGBE_ERR_SFP_NOT_PRESENT;
+ return -ENOENT;
}
/* LAN ID is needed for sfp_type determination */
@@ -1434,7 +1434,7 @@ s32 ixgbe_identify_sfp_module_generic(struct ixgbe_hw *hw)
if (identifier != IXGBE_SFF_IDENTIFIER_SFP) {
hw->phy.type = ixgbe_phy_sfp_unsupported;
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
}
status = hw->phy.ops.read_i2c_eeprom(hw,
IXGBE_SFF_1GBE_COMP_CODES,
@@ -1625,7 +1625,7 @@ s32 ixgbe_identify_sfp_module_generic(struct ixgbe_hw *hw)
hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core0 ||
hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1)) {
hw->phy.type = ixgbe_phy_sfp_unsupported;
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
}
/* Anything else 82598-based is supported */
@@ -1649,7 +1649,7 @@ s32 ixgbe_identify_sfp_module_generic(struct ixgbe_hw *hw)
}
hw_dbg(hw, "SFP+ module not supported\n");
hw->phy.type = ixgbe_phy_sfp_unsupported;
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
}
return 0;
@@ -1659,7 +1659,7 @@ s32 ixgbe_identify_sfp_module_generic(struct ixgbe_hw *hw)
hw->phy.id = 0;
hw->phy.type = ixgbe_phy_unknown;
}
- return IXGBE_ERR_SFP_NOT_PRESENT;
+ return -ENOENT;
}
/**
@@ -1686,7 +1686,7 @@ static s32 ixgbe_identify_qsfp_module_generic(struct ixgbe_hw *hw)
if (hw->mac.ops.get_media_type(hw) != ixgbe_media_type_fiber_qsfp) {
hw->phy.sfp_type = ixgbe_sfp_type_not_present;
- return IXGBE_ERR_SFP_NOT_PRESENT;
+ return -ENOENT;
}
/* LAN ID is needed for sfp_type determination */
@@ -1700,7 +1700,7 @@ static s32 ixgbe_identify_qsfp_module_generic(struct ixgbe_hw *hw)
if (identifier != IXGBE_SFF_IDENTIFIER_QSFP_PLUS) {
hw->phy.type = ixgbe_phy_sfp_unsupported;
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
}
hw->phy.id = identifier;
@@ -1768,7 +1768,7 @@ static s32 ixgbe_identify_qsfp_module_generic(struct ixgbe_hw *hw)
} else {
/* unsupported module type */
hw->phy.type = ixgbe_phy_sfp_unsupported;
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
}
}
@@ -1828,7 +1828,7 @@ static s32 ixgbe_identify_qsfp_module_generic(struct ixgbe_hw *hw)
}
hw_dbg(hw, "QSFP module not supported\n");
hw->phy.type = ixgbe_phy_sfp_unsupported;
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
}
return 0;
}
@@ -1839,7 +1839,7 @@ static s32 ixgbe_identify_qsfp_module_generic(struct ixgbe_hw *hw)
hw->phy.id = 0;
hw->phy.type = ixgbe_phy_unknown;
- return IXGBE_ERR_SFP_NOT_PRESENT;
+ return -ENOENT;
}
/**
@@ -1859,14 +1859,14 @@ s32 ixgbe_get_sfp_init_sequence_offsets(struct ixgbe_hw *hw,
u16 sfp_type = hw->phy.sfp_type;
if (hw->phy.sfp_type == ixgbe_sfp_type_unknown)
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
if (hw->phy.sfp_type == ixgbe_sfp_type_not_present)
- return IXGBE_ERR_SFP_NOT_PRESENT;
+ return -ENOENT;
if ((hw->device_id == IXGBE_DEV_ID_82598_SR_DUAL_PORT_EM) &&
(hw->phy.sfp_type == ixgbe_sfp_type_da_cu))
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
/*
* Limiting active cables and 1G Phys must be initialized as
@@ -1887,11 +1887,11 @@ s32 ixgbe_get_sfp_init_sequence_offsets(struct ixgbe_hw *hw,
if (hw->eeprom.ops.read(hw, IXGBE_PHY_INIT_OFFSET_NL, list_offset)) {
hw_err(hw, "eeprom read at %d failed\n",
IXGBE_PHY_INIT_OFFSET_NL);
- return IXGBE_ERR_SFP_NO_INIT_SEQ_PRESENT;
+ return -EIO;
}
if ((!*list_offset) || (*list_offset == 0xFFFF))
- return IXGBE_ERR_SFP_NO_INIT_SEQ_PRESENT;
+ return -EIO;
/* Shift offset to first ID word */
(*list_offset)++;
@@ -1910,7 +1910,7 @@ s32 ixgbe_get_sfp_init_sequence_offsets(struct ixgbe_hw *hw,
goto err_phy;
if ((!*data_offset) || (*data_offset == 0xFFFF)) {
hw_dbg(hw, "SFP+ module not supported\n");
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
} else {
break;
}
@@ -1923,14 +1923,14 @@ s32 ixgbe_get_sfp_init_sequence_offsets(struct ixgbe_hw *hw,
if (sfp_id == IXGBE_PHY_INIT_END_NL) {
hw_dbg(hw, "No matching SFP+ module found\n");
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
}
return 0;
err_phy:
hw_err(hw, "eeprom read at offset %d failed\n", *list_offset);
- return IXGBE_ERR_PHY;
+ return -EIO;
}
/**
@@ -2025,7 +2025,7 @@ static s32 ixgbe_read_i2c_byte_generic_int(struct ixgbe_hw *hw, u8 byte_offset,
do {
if (lock && hw->mac.ops.acquire_swfw_sync(hw, swfw_mask))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
ixgbe_i2c_start(hw);
@@ -2141,7 +2141,7 @@ static s32 ixgbe_write_i2c_byte_generic_int(struct ixgbe_hw *hw, u8 byte_offset,
u32 swfw_mask = hw->phy.phy_semaphore_mask;
if (lock && hw->mac.ops.acquire_swfw_sync(hw, swfw_mask))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
do {
ixgbe_i2c_start(hw);
@@ -2383,7 +2383,7 @@ static s32 ixgbe_get_i2c_ack(struct ixgbe_hw *hw)
if (ack == 1) {
hw_dbg(hw, "I2C ack was not received.\n");
- status = IXGBE_ERR_I2C;
+ status = -EIO;
}
ixgbe_lower_i2c_clk(hw, &i2cctl);
@@ -2455,7 +2455,7 @@ static s32 ixgbe_clock_out_i2c_bit(struct ixgbe_hw *hw, bool data)
udelay(IXGBE_I2C_T_LOW);
} else {
hw_dbg(hw, "I2C data was not set to %X\n", data);
- return IXGBE_ERR_I2C;
+ return -EIO;
}
return 0;
@@ -2551,7 +2551,7 @@ static s32 ixgbe_set_i2c_data(struct ixgbe_hw *hw, u32 *i2cctl, bool data)
*i2cctl = IXGBE_READ_REG(hw, IXGBE_I2CCTL(hw));
if (data != ixgbe_get_i2c_data(hw, i2cctl)) {
hw_dbg(hw, "Error - I2C data was not set to %X.\n", data);
- return IXGBE_ERR_I2C;
+ return -EIO;
}
return 0;
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
index 5eba086690ef..0cd8bec6ae5e 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
@@ -1279,7 +1279,7 @@ static int ixgbe_rcv_msg_from_vf(struct ixgbe_adapter *adapter, u32 vf)
break;
default:
e_err(drv, "Unhandled Msg %8.8x\n", msgbuf[0]);
- retval = IXGBE_ERR_MBX;
+ retval = -EIO;
break;
}
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
index 6da9880d766a..d1685a6b0c5f 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
@@ -3658,45 +3658,6 @@ struct ixgbe_info {
const u32 *mvals;
};
-
-/* Error Codes */
-#define IXGBE_ERR_EEPROM -1
-#define IXGBE_ERR_EEPROM_CHECKSUM -2
-#define IXGBE_ERR_PHY -3
-#define IXGBE_ERR_CONFIG -4
-#define IXGBE_ERR_PARAM -5
-#define IXGBE_ERR_MAC_TYPE -6
-#define IXGBE_ERR_UNKNOWN_PHY -7
-#define IXGBE_ERR_LINK_SETUP -8
-#define IXGBE_ERR_ADAPTER_STOPPED -9
-#define IXGBE_ERR_INVALID_MAC_ADDR -10
-#define IXGBE_ERR_DEVICE_NOT_SUPPORTED -11
-#define IXGBE_ERR_PRIMARY_REQUESTS_PENDING -12
-#define IXGBE_ERR_INVALID_LINK_SETTINGS -13
-#define IXGBE_ERR_AUTONEG_NOT_COMPLETE -14
-#define IXGBE_ERR_RESET_FAILED -15
-#define IXGBE_ERR_SWFW_SYNC -16
-#define IXGBE_ERR_PHY_ADDR_INVALID -17
-#define IXGBE_ERR_I2C -18
-#define IXGBE_ERR_SFP_NOT_SUPPORTED -19
-#define IXGBE_ERR_SFP_NOT_PRESENT -20
-#define IXGBE_ERR_SFP_NO_INIT_SEQ_PRESENT -21
-#define IXGBE_ERR_NO_SAN_ADDR_PTR -22
-#define IXGBE_ERR_FDIR_REINIT_FAILED -23
-#define IXGBE_ERR_EEPROM_VERSION -24
-#define IXGBE_ERR_NO_SPACE -25
-#define IXGBE_ERR_OVERTEMP -26
-#define IXGBE_ERR_FC_NOT_NEGOTIATED -27
-#define IXGBE_ERR_FC_NOT_SUPPORTED -28
-#define IXGBE_ERR_SFP_SETUP_NOT_COMPLETE -30
-#define IXGBE_ERR_PBA_SECTION -31
-#define IXGBE_ERR_INVALID_ARGUMENT -32
-#define IXGBE_ERR_HOST_INTERFACE_COMMAND -33
-#define IXGBE_ERR_FDIR_CMD_INCOMPLETE -38
-#define IXGBE_ERR_FW_RESP_INVALID -39
-#define IXGBE_ERR_TOKEN_RETRY -40
-#define IXGBE_NOT_IMPLEMENTED 0x7FFFFFFF
-
#define IXGBE_FUSES0_GROUP(_i) (0x11158 + ((_i) * 4))
#define IXGBE_FUSES0_300MHZ BIT(5)
#define IXGBE_FUSES0_REV_MASK (3u << 6)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x540.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x540.c
index d5cfb51ff648..15325c549d9b 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x540.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x540.c
@@ -84,7 +84,7 @@ s32 ixgbe_reset_hw_X540(struct ixgbe_hw *hw)
status = hw->mac.ops.acquire_swfw_sync(hw, swfw_mask);
if (status) {
hw_dbg(hw, "semaphore failed with %d", status);
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
}
ctrl = IXGBE_CTRL_RST;
@@ -103,7 +103,7 @@ s32 ixgbe_reset_hw_X540(struct ixgbe_hw *hw)
}
if (ctrl & IXGBE_CTRL_RST_MASK) {
- status = IXGBE_ERR_RESET_FAILED;
+ status = -EIO;
hw_dbg(hw, "Reset polling failed to complete.\n");
}
msleep(100);
@@ -220,7 +220,7 @@ static s32 ixgbe_read_eerd_X540(struct ixgbe_hw *hw, u16 offset, u16 *data)
s32 status;
if (hw->mac.ops.acquire_swfw_sync(hw, IXGBE_GSSR_EEP_SM))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
status = ixgbe_read_eerd_generic(hw, offset, data);
@@ -243,7 +243,7 @@ static s32 ixgbe_read_eerd_buffer_X540(struct ixgbe_hw *hw,
s32 status;
if (hw->mac.ops.acquire_swfw_sync(hw, IXGBE_GSSR_EEP_SM))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
status = ixgbe_read_eerd_buffer_generic(hw, offset, words, data);
@@ -264,7 +264,7 @@ static s32 ixgbe_write_eewr_X540(struct ixgbe_hw *hw, u16 offset, u16 data)
s32 status;
if (hw->mac.ops.acquire_swfw_sync(hw, IXGBE_GSSR_EEP_SM))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
status = ixgbe_write_eewr_generic(hw, offset, data);
@@ -287,7 +287,7 @@ static s32 ixgbe_write_eewr_buffer_X540(struct ixgbe_hw *hw,
s32 status;
if (hw->mac.ops.acquire_swfw_sync(hw, IXGBE_GSSR_EEP_SM))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
status = ixgbe_write_eewr_buffer_generic(hw, offset, words, data);
@@ -324,7 +324,7 @@ static s32 ixgbe_calc_eeprom_checksum_X540(struct ixgbe_hw *hw)
for (i = 0; i < checksum_last_word; i++) {
if (ixgbe_read_eerd_generic(hw, i, &word)) {
hw_dbg(hw, "EEPROM read failed\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
checksum += word;
}
@@ -349,7 +349,7 @@ static s32 ixgbe_calc_eeprom_checksum_X540(struct ixgbe_hw *hw)
if (ixgbe_read_eerd_generic(hw, pointer, &length)) {
hw_dbg(hw, "EEPROM read failed\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
/* Skip pointer section if length is invalid. */
@@ -360,7 +360,7 @@ static s32 ixgbe_calc_eeprom_checksum_X540(struct ixgbe_hw *hw)
for (j = pointer + 1; j <= pointer + length; j++) {
if (ixgbe_read_eerd_generic(hw, j, &word)) {
hw_dbg(hw, "EEPROM read failed\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
checksum += word;
}
@@ -397,7 +397,7 @@ static s32 ixgbe_validate_eeprom_checksum_X540(struct ixgbe_hw *hw,
}
if (hw->mac.ops.acquire_swfw_sync(hw, IXGBE_GSSR_EEP_SM))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
status = hw->eeprom.ops.calc_checksum(hw);
if (status < 0)
@@ -418,7 +418,7 @@ static s32 ixgbe_validate_eeprom_checksum_X540(struct ixgbe_hw *hw,
*/
if (read_checksum != checksum) {
hw_dbg(hw, "Invalid EEPROM checksum");
- status = IXGBE_ERR_EEPROM_CHECKSUM;
+ status = -EIO;
}
/* If the user cares, return the calculated checksum */
@@ -455,7 +455,7 @@ static s32 ixgbe_update_eeprom_checksum_X540(struct ixgbe_hw *hw)
}
if (hw->mac.ops.acquire_swfw_sync(hw, IXGBE_GSSR_EEP_SM))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
status = hw->eeprom.ops.calc_checksum(hw);
if (status < 0)
@@ -490,7 +490,7 @@ static s32 ixgbe_update_flash_X540(struct ixgbe_hw *hw)
s32 status;
status = ixgbe_poll_flash_update_done_X540(hw);
- if (status == IXGBE_ERR_EEPROM) {
+ if (status == -EIO) {
hw_dbg(hw, "Flash update time out\n");
return status;
}
@@ -540,7 +540,7 @@ static s32 ixgbe_poll_flash_update_done_X540(struct ixgbe_hw *hw)
return 0;
udelay(5);
}
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
/**
@@ -575,7 +575,7 @@ s32 ixgbe_acquire_swfw_sync_X540(struct ixgbe_hw *hw, u32 mask)
* SW_FW_SYNC bits (not just NVM)
*/
if (ixgbe_get_swfw_sync_semaphore(hw))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
swfw_sync = IXGBE_READ_REG(hw, IXGBE_SWFW_SYNC(hw));
if (!(swfw_sync & (fwmask | swmask | hwmask))) {
@@ -599,7 +599,7 @@ s32 ixgbe_acquire_swfw_sync_X540(struct ixgbe_hw *hw, u32 mask)
* bits in the SW_FW_SYNC register.
*/
if (ixgbe_get_swfw_sync_semaphore(hw))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
swfw_sync = IXGBE_READ_REG(hw, IXGBE_SWFW_SYNC(hw));
if (swfw_sync & (fwmask | hwmask)) {
swfw_sync |= swmask;
@@ -622,11 +622,11 @@ s32 ixgbe_acquire_swfw_sync_X540(struct ixgbe_hw *hw, u32 mask)
rmask |= IXGBE_GSSR_I2C_MASK;
ixgbe_release_swfw_sync_X540(hw, rmask);
ixgbe_release_swfw_sync_semaphore(hw);
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
}
ixgbe_release_swfw_sync_semaphore(hw);
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
}
/**
@@ -680,7 +680,7 @@ static s32 ixgbe_get_swfw_sync_semaphore(struct ixgbe_hw *hw)
if (i == timeout) {
hw_dbg(hw,
"Software semaphore SMBI between device drivers not granted.\n");
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
/* Now get the semaphore between SW/FW through the REGSMP bit */
@@ -697,7 +697,7 @@ static s32 ixgbe_get_swfw_sync_semaphore(struct ixgbe_hw *hw)
*/
hw_dbg(hw, "REGSMP Software NVM semaphore not granted\n");
ixgbe_release_swfw_sync_semaphore(hw);
- return IXGBE_ERR_EEPROM;
+ return -EIO;
}
/**
@@ -768,7 +768,7 @@ s32 ixgbe_blink_led_start_X540(struct ixgbe_hw *hw, u32 index)
bool link_up;
if (index > 3)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/* Link should be up in order for the blink bit in the LED control
* register to work. Force link and speed in the MAC if link is down.
@@ -804,7 +804,7 @@ s32 ixgbe_blink_led_stop_X540(struct ixgbe_hw *hw, u32 index)
u32 ledctl_reg;
if (index > 3)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/* Restore the LED to its default value. */
ledctl_reg = IXGBE_READ_REG(hw, IXGBE_LEDCTL);
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
index e4b50c7781ff..faa0747193a8 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
@@ -206,13 +206,13 @@ static s32 ixgbe_reset_cs4227(struct ixgbe_hw *hw)
}
if (retry == IXGBE_CS4227_RETRIES) {
hw_err(hw, "CS4227 reset did not complete\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
status = ixgbe_read_cs4227(hw, IXGBE_CS4227_EEPROM_STATUS, &value);
if (status || !(value & IXGBE_CS4227_EEPROM_LOAD_OK)) {
hw_err(hw, "CS4227 EEPROM did not load successfully\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
return 0;
@@ -350,13 +350,13 @@ static s32 ixgbe_identify_phy_x550em(struct ixgbe_hw *hw)
static s32 ixgbe_read_phy_reg_x550em(struct ixgbe_hw *hw, u32 reg_addr,
u32 device_type, u16 *phy_data)
{
- return IXGBE_NOT_IMPLEMENTED;
+ return -EOPNOTSUPP;
}
static s32 ixgbe_write_phy_reg_x550em(struct ixgbe_hw *hw, u32 reg_addr,
u32 device_type, u16 phy_data)
{
- return IXGBE_NOT_IMPLEMENTED;
+ return -EOPNOTSUPP;
}
/**
@@ -463,7 +463,7 @@ s32 ixgbe_fw_phy_activity(struct ixgbe_hw *hw, u16 activity,
--retries;
} while (retries > 0);
- return IXGBE_ERR_HOST_INTERFACE_COMMAND;
+ return -EIO;
}
static const struct {
@@ -511,7 +511,7 @@ static s32 ixgbe_get_phy_id_fw(struct ixgbe_hw *hw)
hw->phy.id |= phy_id_lo & IXGBE_PHY_REVISION_MASK;
hw->phy.revision = phy_id_lo & ~IXGBE_PHY_REVISION_MASK;
if (!hw->phy.id || hw->phy.id == IXGBE_PHY_REVISION_MASK)
- return IXGBE_ERR_PHY_ADDR_INVALID;
+ return -EFAULT;
hw->phy.autoneg_advertised = hw->phy.speeds_supported;
hw->phy.eee_speeds_supported = IXGBE_LINK_SPEED_100_FULL |
@@ -568,7 +568,7 @@ static s32 ixgbe_setup_fw_link(struct ixgbe_hw *hw)
if (hw->fc.strict_ieee && hw->fc.requested_mode == ixgbe_fc_rx_pause) {
hw_err(hw, "rx_pause not valid in strict IEEE mode\n");
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
}
switch (hw->fc.requested_mode) {
@@ -675,7 +675,7 @@ static s32 ixgbe_iosf_wait(struct ixgbe_hw *hw, u32 *ctrl)
*ctrl = command;
if (i == IXGBE_MDIO_COMMAND_TIMEOUT) {
hw_dbg(hw, "IOSF wait timed out\n");
- return IXGBE_ERR_PHY;
+ return -EIO;
}
return 0;
@@ -715,7 +715,7 @@ static s32 ixgbe_read_iosf_sb_reg_x550(struct ixgbe_hw *hw, u32 reg_addr,
error = (command & IXGBE_SB_IOSF_CTRL_CMPL_ERR_MASK) >>
IXGBE_SB_IOSF_CTRL_CMPL_ERR_SHIFT;
hw_dbg(hw, "Failed to read, error %x\n", error);
- return IXGBE_ERR_PHY;
+ return -EIO;
}
if (!ret)
@@ -750,9 +750,9 @@ static s32 ixgbe_get_phy_token(struct ixgbe_hw *hw)
if (token_cmd.hdr.cmd_or_resp.ret_status == FW_PHY_TOKEN_OK)
return 0;
if (token_cmd.hdr.cmd_or_resp.ret_status != FW_PHY_TOKEN_RETRY)
- return IXGBE_ERR_FW_RESP_INVALID;
+ return -EIO;
- return IXGBE_ERR_TOKEN_RETRY;
+ return -EAGAIN;
}
/**
@@ -778,7 +778,7 @@ static s32 ixgbe_put_phy_token(struct ixgbe_hw *hw)
return status;
if (token_cmd.hdr.cmd_or_resp.ret_status == FW_PHY_TOKEN_OK)
return 0;
- return IXGBE_ERR_FW_RESP_INVALID;
+ return -EIO;
}
/**
@@ -942,7 +942,7 @@ static s32 ixgbe_checksum_ptr_x550(struct ixgbe_hw *hw, u16 ptr,
local_buffer = buf;
} else {
if (buffer_size < ptr)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
local_buffer = &buffer[ptr];
}
@@ -960,7 +960,7 @@ static s32 ixgbe_checksum_ptr_x550(struct ixgbe_hw *hw, u16 ptr,
}
if (buffer && ((u32)start + (u32)length > buffer_size))
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
for (i = start; length; i++, length--) {
if (i == bufsz && !buffer) {
@@ -1012,7 +1012,7 @@ static s32 ixgbe_calc_checksum_X550(struct ixgbe_hw *hw, u16 *buffer,
local_buffer = eeprom_ptrs;
} else {
if (buffer_size < IXGBE_EEPROM_LAST_WORD)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
local_buffer = buffer;
}
@@ -1148,7 +1148,7 @@ static s32 ixgbe_validate_eeprom_checksum_X550(struct ixgbe_hw *hw,
* calculated checksum
*/
if (read_checksum != checksum) {
- status = IXGBE_ERR_EEPROM_CHECKSUM;
+ status = -EIO;
hw_dbg(hw, "Invalid EEPROM checksum");
}
@@ -1203,7 +1203,7 @@ static s32 ixgbe_write_ee_hostif_X550(struct ixgbe_hw *hw, u16 offset, u16 data)
hw->mac.ops.release_swfw_sync(hw, IXGBE_GSSR_EEP_SM);
} else {
hw_dbg(hw, "write ee hostif failed to get semaphore");
- status = IXGBE_ERR_SWFW_SYNC;
+ status = -EBUSY;
}
return status;
@@ -1415,7 +1415,7 @@ static s32 ixgbe_write_iosf_sb_reg_x550(struct ixgbe_hw *hw, u32 reg_addr,
error = (command & IXGBE_SB_IOSF_CTRL_CMPL_ERR_MASK) >>
IXGBE_SB_IOSF_CTRL_CMPL_ERR_SHIFT;
hw_dbg(hw, "Failed to write, error %x\n", error);
- return IXGBE_ERR_PHY;
+ return -EIO;
}
out:
@@ -1558,7 +1558,7 @@ static s32 ixgbe_setup_ixfi_x550em(struct ixgbe_hw *hw, ixgbe_link_speed *speed)
/* iXFI is only supported with X552 */
if (mac->type != ixgbe_mac_X550EM_x)
- return IXGBE_ERR_LINK_SETUP;
+ return -EIO;
/* Disable AN and force speed to 10G Serial. */
status = ixgbe_read_iosf_sb_reg_x550(hw,
@@ -1580,7 +1580,7 @@ static s32 ixgbe_setup_ixfi_x550em(struct ixgbe_hw *hw, ixgbe_link_speed *speed)
break;
default:
/* Other link speeds are not supported by internal KR PHY. */
- return IXGBE_ERR_LINK_SETUP;
+ return -EINVAL;
}
status = ixgbe_write_iosf_sb_reg_x550(hw,
@@ -1611,7 +1611,7 @@ static s32 ixgbe_supported_sfp_modules_X550em(struct ixgbe_hw *hw, bool *linear)
{
switch (hw->phy.sfp_type) {
case ixgbe_sfp_type_not_present:
- return IXGBE_ERR_SFP_NOT_PRESENT;
+ return -ENOENT;
case ixgbe_sfp_type_da_cu_core0:
case ixgbe_sfp_type_da_cu_core1:
*linear = true;
@@ -1630,7 +1630,7 @@ static s32 ixgbe_supported_sfp_modules_X550em(struct ixgbe_hw *hw, bool *linear)
case ixgbe_sfp_type_1g_cu_core0:
case ixgbe_sfp_type_1g_cu_core1:
default:
- return IXGBE_ERR_SFP_NOT_SUPPORTED;
+ return -EOPNOTSUPP;
}
return 0;
@@ -1660,7 +1660,7 @@ ixgbe_setup_mac_link_sfp_x550em(struct ixgbe_hw *hw,
* there is no reason to configure CS4227 and SFP not present error is
* not accepted in the setup MAC link flow.
*/
- if (status == IXGBE_ERR_SFP_NOT_PRESENT)
+ if (status == -ENOENT)
return 0;
if (status)
@@ -1718,7 +1718,7 @@ static s32 ixgbe_setup_sfi_x550a(struct ixgbe_hw *hw, ixgbe_link_speed *speed)
break;
default:
/* Other link speeds are not supported by internal PHY. */
- return IXGBE_ERR_LINK_SETUP;
+ return -EINVAL;
}
status = mac->ops.write_iosf_sb_reg(hw,
@@ -1753,7 +1753,7 @@ ixgbe_setup_mac_link_sfp_n(struct ixgbe_hw *hw, ixgbe_link_speed speed,
/* If no SFP module present, then return success. Return success since
* SFP not present error is not excepted in the setup MAC link flow.
*/
- if (ret_val == IXGBE_ERR_SFP_NOT_PRESENT)
+ if (ret_val == -ENOENT)
return 0;
if (ret_val)
@@ -1803,7 +1803,7 @@ ixgbe_setup_mac_link_sfp_x550a(struct ixgbe_hw *hw, ixgbe_link_speed speed,
/* If no SFP module present, then return success. Return success since
* SFP not present error is not excepted in the setup MAC link flow.
*/
- if (ret_val == IXGBE_ERR_SFP_NOT_PRESENT)
+ if (ret_val == -ENOENT)
return 0;
if (ret_val)
@@ -1813,7 +1813,7 @@ ixgbe_setup_mac_link_sfp_x550a(struct ixgbe_hw *hw, ixgbe_link_speed speed,
ixgbe_setup_kr_speed_x550em(hw, speed);
if (hw->phy.mdio.prtad == MDIO_PRTAD_NONE)
- return IXGBE_ERR_PHY_ADDR_INVALID;
+ return -EFAULT;
/* Get external PHY SKU id */
ret_val = hw->phy.ops.read_reg(hw, IXGBE_CS4227_EFUSE_PDF_SKU,
@@ -1912,7 +1912,7 @@ static s32 ixgbe_check_link_t_X550em(struct ixgbe_hw *hw,
u16 i, autoneg_status;
if (hw->mac.ops.get_media_type(hw) != ixgbe_media_type_copper)
- return IXGBE_ERR_CONFIG;
+ return -EIO;
status = ixgbe_check_mac_link_generic(hw, speed, link_up,
link_up_wait_to_complete);
@@ -2095,9 +2095,9 @@ static s32 ixgbe_setup_sgmii_fw(struct ixgbe_hw *hw, ixgbe_link_speed speed,
*/
static void ixgbe_fc_autoneg_sgmii_x550em_a(struct ixgbe_hw *hw)
{
- s32 status = IXGBE_ERR_FC_NOT_NEGOTIATED;
u32 info[FW_PHY_ACT_DATA_COUNT] = { 0 };
ixgbe_link_speed speed;
+ s32 status = -EIO;
bool link_up;
/* AN should have completed when the cable was plugged in.
@@ -2115,7 +2115,7 @@ static void ixgbe_fc_autoneg_sgmii_x550em_a(struct ixgbe_hw *hw)
/* Check if auto-negotiation has completed */
status = ixgbe_fw_phy_activity(hw, FW_PHY_ACT_GET_LINK_INFO, &info);
if (status || !(info[0] & FW_PHY_ACT_GET_LINK_INFO_AN_COMPLETE)) {
- status = IXGBE_ERR_FC_NOT_NEGOTIATED;
+ status = -EIO;
goto out;
}
@@ -2642,7 +2642,7 @@ static s32 ixgbe_setup_internal_phy_t_x550em(struct ixgbe_hw *hw)
u16 speed;
if (hw->mac.ops.get_media_type(hw) != ixgbe_media_type_copper)
- return IXGBE_ERR_CONFIG;
+ return -EIO;
if (!(hw->mac.type == ixgbe_mac_X550EM_x &&
!(hw->phy.nw_mng_if_sel & IXGBE_NW_MNG_IF_SEL_INT_PHY_MODE))) {
@@ -2685,7 +2685,7 @@ static s32 ixgbe_setup_internal_phy_t_x550em(struct ixgbe_hw *hw)
break;
default:
/* Internal PHY does not support anything else */
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
}
return ixgbe_setup_ixfi_x550em(hw, &force_speed);
@@ -2717,7 +2717,7 @@ static s32 ixgbe_led_on_t_x550em(struct ixgbe_hw *hw, u32 led_idx)
u16 phy_data;
if (led_idx >= IXGBE_X557_MAX_LED_INDEX)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/* To turn on the LED, set mode to ON. */
hw->phy.ops.read_reg(hw, IXGBE_X557_LED_PROVISIONING + led_idx,
@@ -2739,7 +2739,7 @@ static s32 ixgbe_led_off_t_x550em(struct ixgbe_hw *hw, u32 led_idx)
u16 phy_data;
if (led_idx >= IXGBE_X557_MAX_LED_INDEX)
- return IXGBE_ERR_PARAM;
+ return -EINVAL;
/* To turn on the LED, set mode to ON. */
hw->phy.ops.read_reg(hw, IXGBE_X557_LED_PROVISIONING + led_idx,
@@ -2763,8 +2763,9 @@ static s32 ixgbe_led_off_t_x550em(struct ixgbe_hw *hw, u32 led_idx)
*
* Sends driver version number to firmware through the manageability
* block. On success return 0
- * else returns IXGBE_ERR_SWFW_SYNC when encountering an error acquiring
- * semaphore or IXGBE_ERR_HOST_INTERFACE_COMMAND when command fails.
+ * else returns -EBUSY when encountering an error acquiring
+ * semaphore, -EIO when command fails or -ENIVAL when incorrect
+ * params passed.
**/
static s32 ixgbe_set_fw_drv_ver_x550(struct ixgbe_hw *hw, u8 maj, u8 min,
u8 build, u8 sub, u16 len,
@@ -2775,7 +2776,7 @@ static s32 ixgbe_set_fw_drv_ver_x550(struct ixgbe_hw *hw, u8 maj, u8 min,
int i;
if (!len || !driver_ver || (len > sizeof(fw_cmd.driver_string)))
- return IXGBE_ERR_INVALID_ARGUMENT;
+ return -EINVAL;
fw_cmd.hdr.cmd = FW_CEM_CMD_DRIVER_INFO;
fw_cmd.hdr.buf_len = FW_CEM_CMD_DRIVER_INFO_LEN + len;
@@ -2800,7 +2801,7 @@ static s32 ixgbe_set_fw_drv_ver_x550(struct ixgbe_hw *hw, u8 maj, u8 min,
if (fw_cmd.hdr.cmd_or_resp.ret_status !=
FW_CEM_RESP_STATUS_SUCCESS)
- return IXGBE_ERR_HOST_INTERFACE_COMMAND;
+ return -EIO;
return 0;
}
@@ -2857,7 +2858,7 @@ static s32 ixgbe_setup_fc_x550em(struct ixgbe_hw *hw)
/* Validate the requested mode */
if (hw->fc.strict_ieee && hw->fc.requested_mode == ixgbe_fc_rx_pause) {
hw_err(hw, "ixgbe_fc_rx_pause not valid in strict IEEE mode\n");
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
}
/* 10gig parts do not have a word in the EEPROM to determine the
@@ -2892,7 +2893,7 @@ static s32 ixgbe_setup_fc_x550em(struct ixgbe_hw *hw)
break;
default:
hw_err(hw, "Flow control param set incorrectly\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
switch (hw->device_id) {
@@ -2936,8 +2937,8 @@ static s32 ixgbe_setup_fc_x550em(struct ixgbe_hw *hw)
static void ixgbe_fc_autoneg_backplane_x550em_a(struct ixgbe_hw *hw)
{
u32 link_s1, lp_an_page_low, an_cntl_1;
- s32 status = IXGBE_ERR_FC_NOT_NEGOTIATED;
ixgbe_link_speed speed;
+ s32 status = -EIO;
bool link_up;
/* AN should have completed when the cable was plugged in.
@@ -2963,7 +2964,7 @@ static void ixgbe_fc_autoneg_backplane_x550em_a(struct ixgbe_hw *hw)
if (status || (link_s1 & IXGBE_KRM_LINK_S1_MAC_AN_COMPLETE) == 0) {
hw_dbg(hw, "Auto-Negotiation did not complete\n");
- status = IXGBE_ERR_FC_NOT_NEGOTIATED;
+ status = -EIO;
goto out;
}
@@ -3201,8 +3202,7 @@ static s32 ixgbe_init_phy_ops_X550em(struct ixgbe_hw *hw)
/* Identify the PHY or SFP module */
ret_val = phy->ops.identify(hw);
- if (ret_val == IXGBE_ERR_SFP_NOT_SUPPORTED ||
- ret_val == IXGBE_ERR_PHY_ADDR_INVALID)
+ if (ret_val == -EOPNOTSUPP || ret_val == -EFAULT)
return ret_val;
/* Setup function pointers based on detected hardware */
@@ -3410,8 +3410,7 @@ static s32 ixgbe_reset_hw_X550em(struct ixgbe_hw *hw)
/* PHY ops must be identified and initialized prior to reset */
status = hw->phy.ops.init(hw);
- if (status == IXGBE_ERR_SFP_NOT_SUPPORTED ||
- status == IXGBE_ERR_PHY_ADDR_INVALID)
+ if (status == -EOPNOTSUPP || status == -EFAULT)
return status;
/* start the external PHY */
@@ -3427,7 +3426,7 @@ static s32 ixgbe_reset_hw_X550em(struct ixgbe_hw *hw)
hw->phy.sfp_setup_needed = false;
}
- if (status == IXGBE_ERR_SFP_NOT_SUPPORTED)
+ if (status == -EOPNOTSUPP)
return status;
/* Reset PHY */
@@ -3451,7 +3450,7 @@ static s32 ixgbe_reset_hw_X550em(struct ixgbe_hw *hw)
status = hw->mac.ops.acquire_swfw_sync(hw, swfw_mask);
if (status) {
hw_dbg(hw, "semaphore failed with %d", status);
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
}
ctrl |= IXGBE_READ_REG(hw, IXGBE_CTRL);
@@ -3469,7 +3468,7 @@ static s32 ixgbe_reset_hw_X550em(struct ixgbe_hw *hw)
}
if (ctrl & IXGBE_CTRL_RST_MASK) {
- status = IXGBE_ERR_RESET_FAILED;
+ status = -EIO;
hw_dbg(hw, "Reset polling failed to complete.\n");
}
@@ -3565,7 +3564,7 @@ static s32 ixgbe_setup_fc_backplane_x550em_a(struct ixgbe_hw *hw)
/* Validate the requested mode */
if (hw->fc.strict_ieee && hw->fc.requested_mode == ixgbe_fc_rx_pause) {
hw_err(hw, "ixgbe_fc_rx_pause not valid in strict IEEE mode\n");
- return IXGBE_ERR_INVALID_LINK_SETTINGS;
+ return -EINVAL;
}
if (hw->fc.requested_mode == ixgbe_fc_default)
@@ -3622,7 +3621,7 @@ static s32 ixgbe_setup_fc_backplane_x550em_a(struct ixgbe_hw *hw)
break;
default:
hw_err(hw, "Flow control param set incorrectly\n");
- return IXGBE_ERR_CONFIG;
+ return -EIO;
}
status = hw->mac.ops.write_iosf_sb_reg(hw,
@@ -3718,7 +3717,7 @@ static s32 ixgbe_acquire_swfw_sync_x550em_a(struct ixgbe_hw *hw, u32 mask)
return 0;
if (hmask)
ixgbe_release_swfw_sync_X540(hw, hmask);
- if (status != IXGBE_ERR_TOKEN_RETRY)
+ if (status != -EAGAIN)
return status;
msleep(FW_PHY_TOKEN_DELAY);
}
@@ -3762,7 +3761,7 @@ static s32 ixgbe_read_phy_reg_x550a(struct ixgbe_hw *hw, u32 reg_addr,
s32 status;
if (hw->mac.ops.acquire_swfw_sync(hw, mask))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
status = hw->phy.ops.read_reg_mdi(hw, reg_addr, device_type, phy_data);
@@ -3788,7 +3787,7 @@ static s32 ixgbe_write_phy_reg_x550a(struct ixgbe_hw *hw, u32 reg_addr,
s32 status;
if (hw->mac.ops.acquire_swfw_sync(hw, mask))
- return IXGBE_ERR_SWFW_SYNC;
+ return -EBUSY;
status = ixgbe_write_phy_reg_mdi(hw, reg_addr, device_type, phy_data);
hw->mac.ops.release_swfw_sync(hw, mask);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 278/476] ixgbe: Refactor overtemp event handling
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 277/476] ixgbe: Refactor returning internal error codes Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 279/476] ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() Greg Kroah-Hartman
` (207 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Jedrzej Jagielski,
Jacob Keller, Simon Horman, Tony Nguyen, Sasha Levin,
Sunitha Mekala
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
[ Upstream commit 6c1b4af8c1b20c70dde01e58381685d6a4a1d2c8 ]
Currently ixgbe driver is notified of overheating events
via internal IXGBE_ERR_OVERTEMP error code.
Change the approach for handle_lasi() to use freshly introduced
is_overtemp function parameter which set when such event occurs.
Change check_overtemp() to bool and return true if overtemp
event occurs.
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 16 +++-----
drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c | 21 +++++-----
drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 4 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 41 +++++++++++--------
5 files changed, 43 insertions(+), 41 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 1c8e953a3e45..cb9e9d70b338 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -2758,7 +2758,6 @@ static void ixgbe_check_overtemp_subtask(struct ixgbe_adapter *adapter)
{
struct ixgbe_hw *hw = &adapter->hw;
u32 eicr = adapter->interrupt_event;
- s32 rc;
if (test_bit(__IXGBE_DOWN, &adapter->state))
return;
@@ -2792,14 +2791,13 @@ static void ixgbe_check_overtemp_subtask(struct ixgbe_adapter *adapter)
}
/* Check if this is not due to overtemp */
- if (hw->phy.ops.check_overtemp(hw) != IXGBE_ERR_OVERTEMP)
+ if (!hw->phy.ops.check_overtemp(hw))
return;
break;
case IXGBE_DEV_ID_X550EM_A_1G_T:
case IXGBE_DEV_ID_X550EM_A_1G_T_L:
- rc = hw->phy.ops.check_overtemp(hw);
- if (rc != IXGBE_ERR_OVERTEMP)
+ if (!hw->phy.ops.check_overtemp(hw))
return;
break;
default:
@@ -7845,7 +7843,7 @@ static void ixgbe_service_timer(struct timer_list *t)
static void ixgbe_phy_interrupt_subtask(struct ixgbe_adapter *adapter)
{
struct ixgbe_hw *hw = &adapter->hw;
- u32 status;
+ bool overtemp;
if (!(adapter->flags2 & IXGBE_FLAG2_PHY_INTERRUPT))
return;
@@ -7855,11 +7853,9 @@ static void ixgbe_phy_interrupt_subtask(struct ixgbe_adapter *adapter)
if (!hw->phy.ops.handle_lasi)
return;
- status = hw->phy.ops.handle_lasi(&adapter->hw);
- if (status != IXGBE_ERR_OVERTEMP)
- return;
-
- e_crit(drv, "%s\n", ixgbe_overheat_msg);
+ hw->phy.ops.handle_lasi(&adapter->hw, &overtemp);
+ if (overtemp)
+ e_crit(drv, "%s\n", ixgbe_overheat_msg);
}
static void ixgbe_reset_subtask(struct ixgbe_adapter *adapter)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c
index 20c45766c694..305afb82388b 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c
@@ -408,8 +408,7 @@ s32 ixgbe_reset_phy_generic(struct ixgbe_hw *hw)
return status;
/* Don't reset PHY if it's shut down due to overtemp. */
- if (!hw->phy.reset_if_overtemp &&
- (IXGBE_ERR_OVERTEMP == hw->phy.ops.check_overtemp(hw)))
+ if (!hw->phy.reset_if_overtemp && hw->phy.ops.check_overtemp(hw))
return 0;
/* Blocked by MNG FW so bail */
@@ -2621,22 +2620,24 @@ static void ixgbe_i2c_bus_clear(struct ixgbe_hw *hw)
* @hw: pointer to hardware structure
*
* Checks if the LASI temp alarm status was triggered due to overtemp
+ *
+ * Return true when an overtemp event detected, otherwise false.
**/
-s32 ixgbe_tn_check_overtemp(struct ixgbe_hw *hw)
+bool ixgbe_tn_check_overtemp(struct ixgbe_hw *hw)
{
u16 phy_data = 0;
+ u32 status;
if (hw->device_id != IXGBE_DEV_ID_82599_T3_LOM)
- return 0;
+ return false;
/* Check that the LASI temp alarm status was triggered */
- hw->phy.ops.read_reg(hw, IXGBE_TN_LASI_STATUS_REG,
- MDIO_MMD_PMAPMD, &phy_data);
-
- if (!(phy_data & IXGBE_TN_LASI_STATUS_TEMP_ALARM))
- return 0;
+ status = hw->phy.ops.read_reg(hw, IXGBE_TN_LASI_STATUS_REG,
+ MDIO_MMD_PMAPMD, &phy_data);
+ if (status)
+ return false;
- return IXGBE_ERR_OVERTEMP;
+ return !!(phy_data & IXGBE_TN_LASI_STATUS_TEMP_ALARM);
}
/** ixgbe_set_copper_phy_power - Control power for copper phy
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
index 6544c4539c0d..ef72729d7c93 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
@@ -155,7 +155,7 @@ s32 ixgbe_identify_sfp_module_generic(struct ixgbe_hw *hw);
s32 ixgbe_get_sfp_init_sequence_offsets(struct ixgbe_hw *hw,
u16 *list_offset,
u16 *data_offset);
-s32 ixgbe_tn_check_overtemp(struct ixgbe_hw *hw);
+bool ixgbe_tn_check_overtemp(struct ixgbe_hw *hw);
s32 ixgbe_read_i2c_byte_generic(struct ixgbe_hw *hw, u8 byte_offset,
u8 dev_addr, u8 *data);
s32 ixgbe_read_i2c_byte_generic_unlocked(struct ixgbe_hw *hw, u8 byte_offset,
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
index d1685a6b0c5f..7c0358e0af44 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
@@ -3502,10 +3502,10 @@ struct ixgbe_phy_operations {
s32 (*read_i2c_sff8472)(struct ixgbe_hw *, u8 , u8 *);
s32 (*read_i2c_eeprom)(struct ixgbe_hw *, u8 , u8 *);
s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
- s32 (*check_overtemp)(struct ixgbe_hw *);
+ bool (*check_overtemp)(struct ixgbe_hw *);
s32 (*set_phy_power)(struct ixgbe_hw *, bool on);
s32 (*enter_lplu)(struct ixgbe_hw *);
- s32 (*handle_lasi)(struct ixgbe_hw *hw);
+ s32 (*handle_lasi)(struct ixgbe_hw *hw, bool *);
s32 (*read_i2c_byte_unlocked)(struct ixgbe_hw *, u8 offset, u8 addr,
u8 *value);
s32 (*write_i2c_byte_unlocked)(struct ixgbe_hw *, u8 offset, u8 addr,
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
index faa0747193a8..f97d87698f23 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
@@ -600,8 +600,10 @@ static s32 ixgbe_setup_fw_link(struct ixgbe_hw *hw)
rc = ixgbe_fw_phy_activity(hw, FW_PHY_ACT_SETUP_LINK, &setup);
if (rc)
return rc;
+
if (setup[0] == FW_PHY_ACT_SETUP_LINK_RSP_DOWN)
- return IXGBE_ERR_OVERTEMP;
+ return -EIO;
+
return 0;
}
@@ -2319,18 +2321,18 @@ static s32 ixgbe_get_link_capabilities_X550em(struct ixgbe_hw *hw,
* @hw: pointer to hardware structure
* @lsc: pointer to boolean flag which indicates whether external Base T
* PHY interrupt is lsc
+ * @is_overtemp: indicate whether an overtemp event encountered
*
* Determime if external Base T PHY interrupt cause is high temperature
* failure alarm or link status change.
- *
- * Return IXGBE_ERR_OVERTEMP if interrupt is high temperature
- * failure alarm, else return PHY access status.
**/
-static s32 ixgbe_get_lasi_ext_t_x550em(struct ixgbe_hw *hw, bool *lsc)
+static s32 ixgbe_get_lasi_ext_t_x550em(struct ixgbe_hw *hw, bool *lsc,
+ bool *is_overtemp)
{
u32 status;
u16 reg;
+ *is_overtemp = false;
*lsc = false;
/* Vendor alarm triggered */
@@ -2362,7 +2364,8 @@ static s32 ixgbe_get_lasi_ext_t_x550em(struct ixgbe_hw *hw, bool *lsc)
if (reg & IXGBE_MDIO_GLOBAL_ALM_1_HI_TMP_FAIL) {
/* power down the PHY in case the PHY FW didn't already */
ixgbe_set_copper_phy_power(hw, false);
- return IXGBE_ERR_OVERTEMP;
+ *is_overtemp = true;
+ return -EIO;
}
if (reg & IXGBE_MDIO_GLOBAL_ALM_1_DEV_FAULT) {
/* device fault alarm triggered */
@@ -2376,7 +2379,8 @@ static s32 ixgbe_get_lasi_ext_t_x550em(struct ixgbe_hw *hw, bool *lsc)
if (reg == IXGBE_MDIO_GLOBAL_FAULT_MSG_HI_TMP) {
/* power down the PHY in case the PHY FW didn't */
ixgbe_set_copper_phy_power(hw, false);
- return IXGBE_ERR_OVERTEMP;
+ *is_overtemp = true;
+ return -EIO;
}
}
@@ -2412,12 +2416,12 @@ static s32 ixgbe_get_lasi_ext_t_x550em(struct ixgbe_hw *hw, bool *lsc)
**/
static s32 ixgbe_enable_lasi_ext_t_x550em(struct ixgbe_hw *hw)
{
+ bool lsc, overtemp;
u32 status;
u16 reg;
- bool lsc;
/* Clear interrupt flags */
- status = ixgbe_get_lasi_ext_t_x550em(hw, &lsc);
+ status = ixgbe_get_lasi_ext_t_x550em(hw, &lsc, &overtemp);
/* Enable link status change alarm */
@@ -2496,21 +2500,20 @@ static s32 ixgbe_enable_lasi_ext_t_x550em(struct ixgbe_hw *hw)
/**
* ixgbe_handle_lasi_ext_t_x550em - Handle external Base T PHY interrupt
* @hw: pointer to hardware structure
+ * @is_overtemp: indicate whether an overtemp event encountered
*
* Handle external Base T PHY interrupt. If high temperature
* failure alarm then return error, else if link status change
* then setup internal/external PHY link
- *
- * Return IXGBE_ERR_OVERTEMP if interrupt is high temperature
- * failure alarm, else return PHY access status.
**/
-static s32 ixgbe_handle_lasi_ext_t_x550em(struct ixgbe_hw *hw)
+static s32 ixgbe_handle_lasi_ext_t_x550em(struct ixgbe_hw *hw,
+ bool *is_overtemp)
{
struct ixgbe_phy_info *phy = &hw->phy;
bool lsc;
u32 status;
- status = ixgbe_get_lasi_ext_t_x550em(hw, &lsc);
+ status = ixgbe_get_lasi_ext_t_x550em(hw, &lsc, is_overtemp);
if (status)
return status;
@@ -3138,21 +3141,23 @@ static s32 ixgbe_reset_phy_fw(struct ixgbe_hw *hw)
/**
* ixgbe_check_overtemp_fw - Check firmware-controlled PHYs for overtemp
* @hw: pointer to hardware structure
+ *
+ * Return true when an overtemp event detected, otherwise false.
*/
-static s32 ixgbe_check_overtemp_fw(struct ixgbe_hw *hw)
+static bool ixgbe_check_overtemp_fw(struct ixgbe_hw *hw)
{
u32 store[FW_PHY_ACT_DATA_COUNT] = { 0 };
s32 rc;
rc = ixgbe_fw_phy_activity(hw, FW_PHY_ACT_GET_LINK_INFO, &store);
if (rc)
- return rc;
+ return false;
if (store[0] & FW_PHY_ACT_GET_LINK_INFO_TEMP) {
ixgbe_shutdown_fw_phy(hw);
- return IXGBE_ERR_OVERTEMP;
+ return true;
}
- return 0;
+ return false;
}
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 279/476] ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 278/476] ixgbe: Refactor overtemp event handling Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 280/476] ipv6: Ensure natural alignment of const ipv6 loopback and router addresses Greg Kroah-Hartman
` (206 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Simon Horman,
Tony Nguyen, Sasha Levin, Pucha Himasekhar Reddy
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit bbc404d20d1b46d89b461918bc44587620eda200 ]
All error handling paths, except this one, go to 'out' where
release_swfw_sync() is called.
This call balances the acquire_swfw_sync() call done at the beginning of
the function.
Branch to the error handling path in order to correctly release some
resources in case of error.
Fixes: ae14a1d8e104 ("ixgbe: Fix IOSF SB access issues")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
index f97d87698f23..1d3f99e664dc 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
@@ -717,7 +717,8 @@ static s32 ixgbe_read_iosf_sb_reg_x550(struct ixgbe_hw *hw, u32 reg_addr,
error = (command & IXGBE_SB_IOSF_CTRL_CMPL_ERR_MASK) >>
IXGBE_SB_IOSF_CTRL_CMPL_ERR_SHIFT;
hw_dbg(hw, "Failed to read, error %x\n", error);
- return -EIO;
+ ret = -EIO;
+ goto out;
}
if (!ret)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 280/476] ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 279/476] ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 281/476] llc: call sock_orphan() at release time Greg Kroah-Hartman
` (205 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Helge Deller, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@kernel.org>
[ Upstream commit 60365049ccbacd101654a66ddcb299abfabd4fc5 ]
On a parisc64 kernel I sometimes notice this kernel warning:
Kernel unaligned access to 0x40ff8814 at ndisc_send_skb+0xc0/0x4d8
The address 0x40ff8814 points to the in6addr_linklocal_allrouters
variable and the warning simply means that some ipv6 function tries to
read a 64-bit word directly from the not-64-bit aligned
in6addr_linklocal_allrouters variable.
Unaligned accesses are non-critical as the architecture or exception
handlers usually will fix it up at runtime. Nevertheless it may trigger
a performance penality for some architectures. For details read the
"unaligned-memory-access" kernel documentation.
The patch below ensures that the ipv6 loopback and router addresses will
always be naturally aligned. This prevents the unaligned accesses for
all architectures.
Signed-off-by: Helge Deller <deller@gmx.de>
Fixes: 034dfc5df99eb ("ipv6: export in6addr_loopback to modules")
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/ZbNuFM1bFqoH-UoY@p100
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/addrconf_core.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
index 1d4054bb345b..b2da2abfac82 100644
--- a/net/ipv6/addrconf_core.c
+++ b/net/ipv6/addrconf_core.c
@@ -220,19 +220,26 @@ const struct ipv6_stub *ipv6_stub __read_mostly = &(struct ipv6_stub) {
EXPORT_SYMBOL_GPL(ipv6_stub);
/* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */
-const struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
+const struct in6_addr in6addr_loopback __aligned(BITS_PER_LONG/8)
+ = IN6ADDR_LOOPBACK_INIT;
EXPORT_SYMBOL(in6addr_loopback);
-const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
+const struct in6_addr in6addr_any __aligned(BITS_PER_LONG/8)
+ = IN6ADDR_ANY_INIT;
EXPORT_SYMBOL(in6addr_any);
-const struct in6_addr in6addr_linklocal_allnodes = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
+const struct in6_addr in6addr_linklocal_allnodes __aligned(BITS_PER_LONG/8)
+ = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
EXPORT_SYMBOL(in6addr_linklocal_allnodes);
-const struct in6_addr in6addr_linklocal_allrouters = IN6ADDR_LINKLOCAL_ALLROUTERS_INIT;
+const struct in6_addr in6addr_linklocal_allrouters __aligned(BITS_PER_LONG/8)
+ = IN6ADDR_LINKLOCAL_ALLROUTERS_INIT;
EXPORT_SYMBOL(in6addr_linklocal_allrouters);
-const struct in6_addr in6addr_interfacelocal_allnodes = IN6ADDR_INTERFACELOCAL_ALLNODES_INIT;
+const struct in6_addr in6addr_interfacelocal_allnodes __aligned(BITS_PER_LONG/8)
+ = IN6ADDR_INTERFACELOCAL_ALLNODES_INIT;
EXPORT_SYMBOL(in6addr_interfacelocal_allnodes);
-const struct in6_addr in6addr_interfacelocal_allrouters = IN6ADDR_INTERFACELOCAL_ALLROUTERS_INIT;
+const struct in6_addr in6addr_interfacelocal_allrouters __aligned(BITS_PER_LONG/8)
+ = IN6ADDR_INTERFACELOCAL_ALLROUTERS_INIT;
EXPORT_SYMBOL(in6addr_interfacelocal_allrouters);
-const struct in6_addr in6addr_sitelocal_allrouters = IN6ADDR_SITELOCAL_ALLROUTERS_INIT;
+const struct in6_addr in6addr_sitelocal_allrouters __aligned(BITS_PER_LONG/8)
+ = IN6ADDR_SITELOCAL_ALLROUTERS_INIT;
EXPORT_SYMBOL(in6addr_sitelocal_allrouters);
static void snmp6_free_dev(struct inet6_dev *idev)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 281/476] llc: call sock_orphan() at release time
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 280/476] ipv6: Ensure natural alignment of const ipv6 loopback and router addresses Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 282/476] bridge: mcast: fix disabled snooping after long uptime Greg Kroah-Hartman
` (204 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Eric Biggers,
Kuniyuki Iwashima, Paolo Abeni, Sasha Levin,
syzbot+32b89eaa102b372ff76d
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit aa2b2eb3934859904c287bf5434647ba72e14c1c ]
syzbot reported an interesting trace [1] caused by a stale sk->sk_wq
pointer in a closed llc socket.
In commit ff7b11aa481f ("net: socket: set sock->sk to NULL after
calling proto_ops::release()") Eric Biggers hinted that some protocols
are missing a sock_orphan(), we need to perform a full audit.
In net-next, I plan to clear sock->sk from sock_orphan() and
amend Eric patch to add a warning.
[1]
BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]
BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]
BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]
BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27
CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
list_empty include/linux/list.h:373 [inline]
waitqueue_active include/linux/wait.h:127 [inline]
sock_def_write_space_wfree net/core/sock.c:3384 [inline]
sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080
skb_release_all net/core/skbuff.c:1092 [inline]
napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404
e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970
e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]
e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801
__napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576
napi_poll net/core/dev.c:6645 [inline]
net_rx_action+0x956/0xe90 net/core/dev.c:6778
__do_softirq+0x21a/0x8de kernel/softirq.c:553
run_ksoftirqd kernel/softirq.c:921 [inline]
run_ksoftirqd+0x31/0x60 kernel/softirq.c:913
smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
Allocated by task 5167:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:314 [inline]
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3813 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879
alloc_inode_sb include/linux/fs.h:3019 [inline]
sock_alloc_inode+0x25/0x1c0 net/socket.c:308
alloc_inode+0x5d/0x220 fs/inode.c:260
new_inode_pseudo+0x16/0x80 fs/inode.c:1005
sock_alloc+0x40/0x270 net/socket.c:634
__sock_create+0xbc/0x800 net/socket.c:1535
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14c/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Freed by task 0:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640
poison_slab_object mm/kasan/common.c:241 [inline]
__kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2121 [inline]
slab_free mm/slub.c:4299 [inline]
kmem_cache_free+0x129/0x350 mm/slub.c:4363
i_callback+0x43/0x70 fs/inode.c:249
rcu_do_batch kernel/rcu/tree.c:2158 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2433
__do_softirq+0x21a/0x8de kernel/softirq.c:553
Last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:586
__call_rcu_common.constprop.0+0x9a/0x7b0 kernel/rcu/tree.c:2683
destroy_inode+0x129/0x1b0 fs/inode.c:315
iput_final fs/inode.c:1739 [inline]
iput.part.0+0x560/0x7b0 fs/inode.c:1765
iput+0x5c/0x80 fs/inode.c:1755
dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
__dentry_kill+0x1ca/0x5f0 fs/dcache.c:603
dput.part.0+0x4ac/0x9a0 fs/dcache.c:845
dput+0x1f/0x30 fs/dcache.c:835
__fput+0x3b9/0xb70 fs/file_table.c:384
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The buggy address belongs to the object at ffff88802f4fc800
which belongs to the cache sock_inode_cache of size 1408
The buggy address is located 128 bytes inside of
freed 1408-byte region [ffff88802f4fc800, ffff88802f4fcd80)
The buggy address belongs to the physical page:
page:ffffea0000bd3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f4f8
head:ffffea0000bd3e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888013b06b40 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 4956, tgid 4956 (sshd), ts 31423924727, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
__alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2190 [inline]
allocate_slab mm/slub.c:2354 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2407
___slab_alloc+0x4af/0x19a0 mm/slub.c:3540
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
__slab_alloc_node mm/slub.c:3678 [inline]
slab_alloc_node mm/slub.c:3850 [inline]
kmem_cache_alloc_lru+0x379/0x6f0 mm/slub.c:3879
alloc_inode_sb include/linux/fs.h:3019 [inline]
sock_alloc_inode+0x25/0x1c0 net/socket.c:308
alloc_inode+0x5d/0x220 fs/inode.c:260
new_inode_pseudo+0x16/0x80 fs/inode.c:1005
sock_alloc+0x40/0x270 net/socket.c:634
__sock_create+0xbc/0x800 net/socket.c:1535
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14c/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
page_owner free stack trace missing
Memory state around the buggy address:
ffff88802f4fc780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802f4fc800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802f4fc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802f4fc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802f4fc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes: 43815482370c ("net: sock_def_readable() and friends RCU conversion")
Reported-and-tested-by: syzbot+32b89eaa102b372ff76d@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Eric Biggers <ebiggers@google.com>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240126165532.3396702-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/llc/af_llc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 55ed3bd65eb4..70973bf18ee3 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -226,6 +226,8 @@ static int llc_ui_release(struct socket *sock)
}
dev_put(llc->dev);
sock_put(sk);
+ sock_orphan(sk);
+ sock->sk = NULL;
llc_sk_free(sk);
out:
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 282/476] bridge: mcast: fix disabled snooping after long uptime
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 281/476] llc: call sock_orphan() at release time Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 283/476] netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV Greg Kroah-Hartman
` (203 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Lüssing,
Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Lüssing <linus.luessing@c0d3.blue>
[ Upstream commit f5c3eb4b7251baba5cd72c9e93920e710ac8194a ]
The original idea of the delay_time check was to not apply multicast
snooping too early when an MLD querier appears. And to instead wait at
least for MLD reports to arrive before switching from flooding to group
based, MLD snooped forwarding, to avoid temporary packet loss.
However in a batman-adv mesh network it was noticed that after 248 days of
uptime 32bit MIPS based devices would start to signal that they had
stopped applying multicast snooping due to missing queriers - even though
they were the elected querier and still sending MLD queries themselves.
While time_is_before_jiffies() generally is safe against jiffies
wrap-arounds, like the code comments in jiffies.h explain, it won't
be able to track a difference larger than ULONG_MAX/2. With a 32bit
large jiffies and one jiffies tick every 10ms (CONFIG_HZ=100) on these MIPS
devices running OpenWrt this would result in a difference larger than
ULONG_MAX/2 after 248 (= 2^32/100/60/60/24/2) days and
time_is_before_jiffies() would then start to return false instead of
true. Leading to multicast snooping not being applied to multicast
packets anymore.
Fix this issue by using a proper timer_list object which won't have this
ULONG_MAX/2 difference limitation.
Fixes: b00589af3b04 ("bridge: disable snooping if there is no querier")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://lore.kernel.org/r/20240127175033.9640-1-linus.luessing@c0d3.blue
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 20 +++++++++++++++-----
net/bridge/br_private.h | 4 ++--
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index db4f2641d1cd..9765f9f9bf7f 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1607,6 +1607,10 @@ static void br_ip6_multicast_querier_expired(struct timer_list *t)
}
#endif
+static void br_multicast_query_delay_expired(struct timer_list *t)
+{
+}
+
static void br_multicast_select_own_querier(struct net_bridge_mcast *brmctx,
struct br_ip *ip,
struct sk_buff *skb)
@@ -3024,7 +3028,7 @@ br_multicast_update_query_timer(struct net_bridge_mcast *brmctx,
unsigned long max_delay)
{
if (!timer_pending(&query->timer))
- query->delay_time = jiffies + max_delay;
+ mod_timer(&query->delay_timer, jiffies + max_delay);
mod_timer(&query->timer, jiffies + brmctx->multicast_querier_interval);
}
@@ -3867,13 +3871,11 @@ void br_multicast_ctx_init(struct net_bridge *br,
brmctx->multicast_querier_interval = 255 * HZ;
brmctx->multicast_membership_interval = 260 * HZ;
- brmctx->ip4_other_query.delay_time = 0;
brmctx->ip4_querier.port_ifidx = 0;
seqcount_spinlock_init(&brmctx->ip4_querier.seq, &br->multicast_lock);
brmctx->multicast_igmp_version = 2;
#if IS_ENABLED(CONFIG_IPV6)
brmctx->multicast_mld_version = 1;
- brmctx->ip6_other_query.delay_time = 0;
brmctx->ip6_querier.port_ifidx = 0;
seqcount_spinlock_init(&brmctx->ip6_querier.seq, &br->multicast_lock);
#endif
@@ -3882,6 +3884,8 @@ void br_multicast_ctx_init(struct net_bridge *br,
br_ip4_multicast_local_router_expired, 0);
timer_setup(&brmctx->ip4_other_query.timer,
br_ip4_multicast_querier_expired, 0);
+ timer_setup(&brmctx->ip4_other_query.delay_timer,
+ br_multicast_query_delay_expired, 0);
timer_setup(&brmctx->ip4_own_query.timer,
br_ip4_multicast_query_expired, 0);
#if IS_ENABLED(CONFIG_IPV6)
@@ -3889,6 +3893,8 @@ void br_multicast_ctx_init(struct net_bridge *br,
br_ip6_multicast_local_router_expired, 0);
timer_setup(&brmctx->ip6_other_query.timer,
br_ip6_multicast_querier_expired, 0);
+ timer_setup(&brmctx->ip6_other_query.delay_timer,
+ br_multicast_query_delay_expired, 0);
timer_setup(&brmctx->ip6_own_query.timer,
br_ip6_multicast_query_expired, 0);
#endif
@@ -4023,10 +4029,12 @@ static void __br_multicast_stop(struct net_bridge_mcast *brmctx)
{
del_timer_sync(&brmctx->ip4_mc_router_timer);
del_timer_sync(&brmctx->ip4_other_query.timer);
+ del_timer_sync(&brmctx->ip4_other_query.delay_timer);
del_timer_sync(&brmctx->ip4_own_query.timer);
#if IS_ENABLED(CONFIG_IPV6)
del_timer_sync(&brmctx->ip6_mc_router_timer);
del_timer_sync(&brmctx->ip6_other_query.timer);
+ del_timer_sync(&brmctx->ip6_other_query.delay_timer);
del_timer_sync(&brmctx->ip6_own_query.timer);
#endif
}
@@ -4469,13 +4477,15 @@ int br_multicast_set_querier(struct net_bridge_mcast *brmctx, unsigned long val)
max_delay = brmctx->multicast_query_response_interval;
if (!timer_pending(&brmctx->ip4_other_query.timer))
- brmctx->ip4_other_query.delay_time = jiffies + max_delay;
+ mod_timer(&brmctx->ip4_other_query.delay_timer,
+ jiffies + max_delay);
br_multicast_start_querier(brmctx, &brmctx->ip4_own_query);
#if IS_ENABLED(CONFIG_IPV6)
if (!timer_pending(&brmctx->ip6_other_query.timer))
- brmctx->ip6_other_query.delay_time = jiffies + max_delay;
+ mod_timer(&brmctx->ip6_other_query.delay_timer,
+ jiffies + max_delay);
br_multicast_start_querier(brmctx, &brmctx->ip6_own_query);
#endif
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index bd218c2b2cd9..ff10ddeeb50f 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -77,7 +77,7 @@ struct bridge_mcast_own_query {
/* other querier */
struct bridge_mcast_other_query {
struct timer_list timer;
- unsigned long delay_time;
+ struct timer_list delay_timer;
};
/* selected querier */
@@ -1066,7 +1066,7 @@ __br_multicast_querier_exists(struct net_bridge_mcast *brmctx,
own_querier_enabled = false;
}
- return time_is_before_jiffies(querier->delay_time) &&
+ return !timer_pending(&querier->delay_timer) &&
(own_querier_enabled || timer_pending(&querier->timer));
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 283/476] netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 282/476] bridge: mcast: fix disabled snooping after long uptime Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 284/476] netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger Greg Kroah-Hartman
` (202 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 776d451648443f9884be4a1b4e38e8faf1c621f9 ]
Bail out on using the tunnel dst template from other than netdev family.
Add the infrastructure to check for the family in objects.
Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 14 +++++++++-----
net/netfilter/nft_tunnel.c | 1 +
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 8e9c5bc1a9e6..1e6e4af4df0a 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1253,6 +1253,7 @@ void nft_obj_notify(struct net *net, const struct nft_table *table,
* @type: stateful object numeric type
* @owner: module owner
* @maxattr: maximum netlink attribute
+ * @family: address family for AF-specific object types
* @policy: netlink attribute policy
*/
struct nft_object_type {
@@ -1262,6 +1263,7 @@ struct nft_object_type {
struct list_head list;
u32 type;
unsigned int maxattr;
+ u8 family;
struct module *owner;
const struct nla_policy *policy;
};
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 996238f0ca54..3ad2b22886ff 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6999,11 +6999,15 @@ static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
return -1;
}
-static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
+static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
{
const struct nft_object_type *type;
list_for_each_entry(type, &nf_tables_objects, list) {
+ if (type->family != NFPROTO_UNSPEC &&
+ type->family != family)
+ continue;
+
if (objtype == type->type)
return type;
}
@@ -7011,11 +7015,11 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
}
static const struct nft_object_type *
-nft_obj_type_get(struct net *net, u32 objtype)
+nft_obj_type_get(struct net *net, u32 objtype, u8 family)
{
const struct nft_object_type *type;
- type = __nft_obj_type_get(objtype);
+ type = __nft_obj_type_get(objtype, family);
if (type != NULL && try_module_get(type->owner))
return type;
@@ -7108,7 +7112,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
return -EOPNOTSUPP;
- type = __nft_obj_type_get(objtype);
+ type = __nft_obj_type_get(objtype, family);
if (WARN_ON_ONCE(!type))
return -ENOENT;
@@ -7122,7 +7126,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
if (!nft_use_inc(&table->use))
return -EMFILE;
- type = nft_obj_type_get(net, objtype);
+ type = nft_obj_type_get(net, objtype, family);
if (IS_ERR(type)) {
err = PTR_ERR(type);
goto err_type;
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 2ee50996da8c..c8822fa8196d 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -684,6 +684,7 @@ static const struct nft_object_ops nft_tunnel_obj_ops = {
static struct nft_object_type nft_tunnel_obj_type __read_mostly = {
.type = NFT_OBJECT_TUNNEL,
+ .family = NFPROTO_NETDEV,
.ops = &nft_tunnel_obj_ops,
.maxattr = NFTA_TUNNEL_KEY_MAX,
.policy = nft_tunnel_key_policy,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 284/476] netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 283/476] netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 285/476] netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations Greg Kroah-Hartman
` (201 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 259eb32971e9eb24d1777a28d82730659f50fdcb ]
Module reference is bumped for each user, this should not ever happen.
But BUG_ON check should use rcu_access_pointer() instead.
If this ever happens, do WARN_ON_ONCE() instead of BUG_ON() and
consolidate pointer check under the rcu read side lock section.
Fixes: fab4085f4e24 ("netfilter: log: nf_log_packet() as real unified interface")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_log.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index edee7fa944c1..8f5362a19b15 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -193,11 +193,12 @@ void nf_logger_put(int pf, enum nf_log_type type)
return;
}
- BUG_ON(loggers[pf][type] == NULL);
-
rcu_read_lock();
logger = rcu_dereference(loggers[pf][type]);
- module_put(logger->me);
+ if (!logger)
+ WARN_ON_ONCE(1);
+ else
+ module_put(logger->me);
rcu_read_unlock();
}
EXPORT_SYMBOL_GPL(nf_logger_put);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 285/476] netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 284/476] netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 286/476] net: ipv4: fix a memleak in ip_setup_cork Greg Kroah-Hartman
` (200 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4 ]
- Disallow families other than NFPROTO_{IPV4,IPV6,INET}.
- Disallow layer 4 protocol with no ports, since destination port is a
mandatory attribute for this object.
Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_ct.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index bd468e955a21..d8fd7e487e47 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1186,7 +1186,31 @@ static int nft_ct_expect_obj_init(const struct nft_ctx *ctx,
if (tb[NFTA_CT_EXPECT_L3PROTO])
priv->l3num = ntohs(nla_get_be16(tb[NFTA_CT_EXPECT_L3PROTO]));
+ switch (priv->l3num) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ if (priv->l3num != ctx->family)
+ return -EINVAL;
+
+ fallthrough;
+ case NFPROTO_INET:
+ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+
priv->l4proto = nla_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]);
+ switch (priv->l4proto) {
+ case IPPROTO_TCP:
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
+ case IPPROTO_DCCP:
+ case IPPROTO_SCTP:
+ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+
priv->dport = nla_get_be16(tb[NFTA_CT_EXPECT_DPORT]);
priv->timeout = nla_get_u32(tb[NFTA_CT_EXPECT_TIMEOUT]);
priv->size = nla_get_u8(tb[NFTA_CT_EXPECT_SIZE]);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 286/476] net: ipv4: fix a memleak in ip_setup_cork
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 285/476] netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 287/476] af_unix: fix lockdep positive in sk_diag_dump_icons() Greg Kroah-Hartman
` (199 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhipeng Lu, Eric Dumazet,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhipeng Lu <alexious@zju.edu.cn>
[ Upstream commit 5dee6d6923458e26966717f2a3eae7d09fc10bf6 ]
When inetdev_valid_mtu fails, cork->opt should be freed if it is
allocated in ip_setup_cork. Otherwise there could be a memleak.
Fixes: 501a90c94510 ("inet: protect against too small mtu values.")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240129091017.2938835-1-alexious@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_output.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index a445e4e05e0d..ee4e7e7a0992 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1251,6 +1251,12 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
if (unlikely(!rt))
return -EFAULT;
+ cork->fragsize = ip_sk_use_pmtu(sk) ?
+ dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
+
+ if (!inetdev_valid_mtu(cork->fragsize))
+ return -ENETUNREACH;
+
/*
* setup for corking.
*/
@@ -1267,12 +1273,6 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
cork->addr = ipc->addr;
}
- cork->fragsize = ip_sk_use_pmtu(sk) ?
- dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
-
- if (!inetdev_valid_mtu(cork->fragsize))
- return -ENETUNREACH;
-
cork->gso_size = ipc->gso_size;
cork->dst = &rt->dst;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 287/476] af_unix: fix lockdep positive in sk_diag_dump_icons()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 286/476] net: ipv4: fix a memleak in ip_setup_cork Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 288/476] selftests: net: fix available tunnels detection Greg Kroah-Hartman
` (198 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 4d322dce82a1d44f8c83f0f54f95dd1b8dcf46c9 ]
syzbot reported a lockdep splat [1].
Blamed commit hinted about the possible lockdep
violation, and code used unix_state_lock_nested()
in an attempt to silence lockdep.
It is not sufficient, because unix_state_lock_nested()
is already used from unix_state_double_lock().
We need to use a separate subclass.
This patch adds a distinct enumeration to make things
more explicit.
Also use swap() in unix_state_double_lock() as a clean up.
v2: add a missing inline keyword to unix_state_lock_nested()
[1]
WARNING: possible circular locking dependency detected
6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not tainted
syz-executor.1/2542 is trying to acquire lock:
ffff88808b5df9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
but task is already holding lock:
ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&u->lock/1){+.+.}-{2:2}:
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
_raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
sk_diag_dump_icons net/unix/diag.c:87 [inline]
sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157
sk_diag_dump net/unix/diag.c:196 [inline]
unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220
netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264
__netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370
netlink_dump_start include/linux/netlink.h:338 [inline]
unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319
sock_diag_rcv_msg+0xe3/0x400
netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2543
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7e6/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
sock_write_iter+0x39a/0x520 net/socket.c:1160
call_write_iter include/linux/fs.h:2085 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xa74/0xca0 fs/read_write.c:590
ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
-> #0 (rlock-AF_UNIX){+.+.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
__do_sys_sendmmsg net/socket.c:2753 [inline]
__se_sys_sendmmsg net/socket.c:2750 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&u->lock/1);
lock(rlock-AF_UNIX);
lock(&u->lock/1);
lock(rlock-AF_UNIX);
*** DEADLOCK ***
1 lock held by syz-executor.1/2542:
#0: ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089
stack backtrace:
CPU: 1 PID: 2542 Comm: syz-executor.1 Not tainted 6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
check_noncircular+0x366/0x490 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
__do_sys_sendmmsg net/socket.c:2753 [inline]
__se_sys_sendmmsg net/socket.c:2750 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f26d887cda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f26d95a60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f26d89abf80 RCX: 00007f26d887cda9
RDX: 000000000000003e RSI: 00000000200bd000 RDI: 0000000000000004
RBP: 00007f26d88c947a R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000008c0 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f26d89abf80 R15: 00007ffcfe081a68
Fixes: 2aac7a2cb0d9 ("unix_diag: Pending connections IDs NLA")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240130184235.1620738-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/af_unix.h | 20 ++++++++++++++------
net/unix/af_unix.c | 14 ++++++--------
net/unix/diag.c | 2 +-
3 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 7d142e8a0550..32d21983c696 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -47,12 +47,6 @@ struct scm_stat {
#define UNIXCB(skb) (*(struct unix_skb_parms *)&((skb)->cb))
-#define unix_state_lock(s) spin_lock(&unix_sk(s)->lock)
-#define unix_state_unlock(s) spin_unlock(&unix_sk(s)->lock)
-#define unix_state_lock_nested(s) \
- spin_lock_nested(&unix_sk(s)->lock, \
- SINGLE_DEPTH_NESTING)
-
/* The AF_UNIX socket */
struct unix_sock {
/* WARNING: sk has to be the first member */
@@ -80,6 +74,20 @@ static inline struct unix_sock *unix_sk(const struct sock *sk)
return (struct unix_sock *)sk;
}
+#define unix_state_lock(s) spin_lock(&unix_sk(s)->lock)
+#define unix_state_unlock(s) spin_unlock(&unix_sk(s)->lock)
+enum unix_socket_lock_class {
+ U_LOCK_NORMAL,
+ U_LOCK_SECOND, /* for double locking, see unix_state_double_lock(). */
+ U_LOCK_DIAG, /* used while dumping icons, see sk_diag_dump_icons(). */
+};
+
+static inline void unix_state_lock_nested(struct sock *sk,
+ enum unix_socket_lock_class subclass)
+{
+ spin_lock_nested(&unix_sk(sk)->lock, subclass);
+}
+
#define peer_wait peer_wq.wait
long unix_inq_len(struct sock *sk);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 16b04e553a6c..265dc665c92a 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1192,13 +1192,11 @@ static void unix_state_double_lock(struct sock *sk1, struct sock *sk2)
unix_state_lock(sk1);
return;
}
- if (sk1 < sk2) {
- unix_state_lock(sk1);
- unix_state_lock_nested(sk2);
- } else {
- unix_state_lock(sk2);
- unix_state_lock_nested(sk1);
- }
+ if (sk1 > sk2)
+ swap(sk1, sk2);
+
+ unix_state_lock(sk1);
+ unix_state_lock_nested(sk2, U_LOCK_SECOND);
}
static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2)
@@ -1426,7 +1424,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
goto out_unlock;
}
- unix_state_lock_nested(sk);
+ unix_state_lock_nested(sk, U_LOCK_SECOND);
if (sk->sk_state != st) {
unix_state_unlock(sk);
diff --git a/net/unix/diag.c b/net/unix/diag.c
index e534e327a6a5..daef19932f78 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -83,7 +83,7 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb)
* queue lock. With the other's queue locked it's
* OK to lock the state.
*/
- unix_state_lock_nested(req);
+ unix_state_lock_nested(req, U_LOCK_DIAG);
peer = unix_sk(req)->peer;
buf[i++] = (peer ? sock_i_ino(peer) : 0);
unix_state_unlock(req);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 288/476] selftests: net: fix available tunnels detection
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 287/476] af_unix: fix lockdep positive in sk_diag_dump_icons() Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 289/476] net: sysfs: Fix /sys/class/net/<iface> path Greg Kroah-Hartman
` (197 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Guillaume Nault,
David Ahern, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit e4e4b6d568d2549583cbda3f8ce567e586cb05da ]
The pmtu.sh test tries to detect the tunnel protocols available
in the running kernel and properly skip the unsupported cases.
In a few more complex setup, such detection is unsuccessful, as
the script currently ignores some intermediate error code at
setup time.
Before:
# which: no nettest in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin)
# TEST: vti6: PMTU exceptions (ESP-in-UDP) [FAIL]
# PMTU exception wasn't created after creating tunnel exceeding link layer MTU
# ./pmtu.sh: line 931: kill: (7543) - No such process
# ./pmtu.sh: line 931: kill: (7544) - No such process
After:
# xfrm4 not supported
# TEST: vti4: PMTU exceptions [SKIP]
Fixes: ece1278a9b81 ("selftests: net: add ESP-in-UDP PMTU test")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/cab10e75fda618e6fff8c595b632f47db58b9309.1706635101.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/pmtu.sh | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh
index 0a9d482c5058..8797f7b5fb83 100755
--- a/tools/testing/selftests/net/pmtu.sh
+++ b/tools/testing/selftests/net/pmtu.sh
@@ -698,23 +698,23 @@ setup_xfrm6() {
}
setup_xfrm4udp() {
- setup_xfrm 4 ${veth4_a_addr} ${veth4_b_addr} "encap espinudp 4500 4500 0.0.0.0"
- setup_nettest_xfrm 4 4500
+ setup_xfrm 4 ${veth4_a_addr} ${veth4_b_addr} "encap espinudp 4500 4500 0.0.0.0" && \
+ setup_nettest_xfrm 4 4500
}
setup_xfrm6udp() {
- setup_xfrm 6 ${veth6_a_addr} ${veth6_b_addr} "encap espinudp 4500 4500 0.0.0.0"
- setup_nettest_xfrm 6 4500
+ setup_xfrm 6 ${veth6_a_addr} ${veth6_b_addr} "encap espinudp 4500 4500 0.0.0.0" && \
+ setup_nettest_xfrm 6 4500
}
setup_xfrm4udprouted() {
- setup_xfrm 4 ${prefix4}.${a_r1}.1 ${prefix4}.${b_r1}.1 "encap espinudp 4500 4500 0.0.0.0"
- setup_nettest_xfrm 4 4500
+ setup_xfrm 4 ${prefix4}.${a_r1}.1 ${prefix4}.${b_r1}.1 "encap espinudp 4500 4500 0.0.0.0" && \
+ setup_nettest_xfrm 4 4500
}
setup_xfrm6udprouted() {
- setup_xfrm 6 ${prefix6}:${a_r1}::1 ${prefix6}:${b_r1}::1 "encap espinudp 4500 4500 0.0.0.0"
- setup_nettest_xfrm 6 4500
+ setup_xfrm 6 ${prefix6}:${a_r1}::1 ${prefix6}:${b_r1}::1 "encap espinudp 4500 4500 0.0.0.0" && \
+ setup_nettest_xfrm 6 4500
}
setup_routing_old() {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 289/476] net: sysfs: Fix /sys/class/net/<iface> path
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 288/476] selftests: net: fix available tunnels detection Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 290/476] arm64: irq: set the correct node for shadow call stack Greg Kroah-Hartman
` (196 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit ae3f4b44641dfff969604735a0dcbf931f383285 ]
The documentation is pointing to the wrong path for the interface.
Documentation is pointing to /sys/class/<iface>, instead of
/sys/class/net/<iface>.
Fix it by adding the `net/` directory before the interface.
Fixes: 1a02ef76acfa ("net: sysfs: add documentation entries for /sys/class/<iface>/queues")
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://lore.kernel.org/r/20240131102150.728960-2-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ABI/testing/sysfs-class-net-queues | 22 +++++++++----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-class-net-queues b/Documentation/ABI/testing/sysfs-class-net-queues
index 978b76358661..40d5aab8452d 100644
--- a/Documentation/ABI/testing/sysfs-class-net-queues
+++ b/Documentation/ABI/testing/sysfs-class-net-queues
@@ -1,4 +1,4 @@
-What: /sys/class/<iface>/queues/rx-<queue>/rps_cpus
+What: /sys/class/net/<iface>/queues/rx-<queue>/rps_cpus
Date: March 2010
KernelVersion: 2.6.35
Contact: netdev@vger.kernel.org
@@ -8,7 +8,7 @@ Description:
network device queue. Possible values depend on the number
of available CPU(s) in the system.
-What: /sys/class/<iface>/queues/rx-<queue>/rps_flow_cnt
+What: /sys/class/net/<iface>/queues/rx-<queue>/rps_flow_cnt
Date: April 2010
KernelVersion: 2.6.35
Contact: netdev@vger.kernel.org
@@ -16,7 +16,7 @@ Description:
Number of Receive Packet Steering flows being currently
processed by this particular network device receive queue.
-What: /sys/class/<iface>/queues/tx-<queue>/tx_timeout
+What: /sys/class/net/<iface>/queues/tx-<queue>/tx_timeout
Date: November 2011
KernelVersion: 3.3
Contact: netdev@vger.kernel.org
@@ -24,7 +24,7 @@ Description:
Indicates the number of transmit timeout events seen by this
network interface transmit queue.
-What: /sys/class/<iface>/queues/tx-<queue>/tx_maxrate
+What: /sys/class/net/<iface>/queues/tx-<queue>/tx_maxrate
Date: March 2015
KernelVersion: 4.1
Contact: netdev@vger.kernel.org
@@ -32,7 +32,7 @@ Description:
A Mbps max-rate set for the queue, a value of zero means disabled,
default is disabled.
-What: /sys/class/<iface>/queues/tx-<queue>/xps_cpus
+What: /sys/class/net/<iface>/queues/tx-<queue>/xps_cpus
Date: November 2010
KernelVersion: 2.6.38
Contact: netdev@vger.kernel.org
@@ -42,7 +42,7 @@ Description:
network device transmit queue. Possible vaules depend on the
number of available CPU(s) in the system.
-What: /sys/class/<iface>/queues/tx-<queue>/xps_rxqs
+What: /sys/class/net/<iface>/queues/tx-<queue>/xps_rxqs
Date: June 2018
KernelVersion: 4.18.0
Contact: netdev@vger.kernel.org
@@ -53,7 +53,7 @@ Description:
number of available receive queue(s) in the network device.
Default is disabled.
-What: /sys/class/<iface>/queues/tx-<queue>/byte_queue_limits/hold_time
+What: /sys/class/net/<iface>/queues/tx-<queue>/byte_queue_limits/hold_time
Date: November 2011
KernelVersion: 3.3
Contact: netdev@vger.kernel.org
@@ -62,7 +62,7 @@ Description:
of this particular network device transmit queue.
Default value is 1000.
-What: /sys/class/<iface>/queues/tx-<queue>/byte_queue_limits/inflight
+What: /sys/class/net/<iface>/queues/tx-<queue>/byte_queue_limits/inflight
Date: November 2011
KernelVersion: 3.3
Contact: netdev@vger.kernel.org
@@ -70,7 +70,7 @@ Description:
Indicates the number of bytes (objects) in flight on this
network device transmit queue.
-What: /sys/class/<iface>/queues/tx-<queue>/byte_queue_limits/limit
+What: /sys/class/net/<iface>/queues/tx-<queue>/byte_queue_limits/limit
Date: November 2011
KernelVersion: 3.3
Contact: netdev@vger.kernel.org
@@ -79,7 +79,7 @@ Description:
on this network device transmit queue. This value is clamped
to be within the bounds defined by limit_max and limit_min.
-What: /sys/class/<iface>/queues/tx-<queue>/byte_queue_limits/limit_max
+What: /sys/class/net/<iface>/queues/tx-<queue>/byte_queue_limits/limit_max
Date: November 2011
KernelVersion: 3.3
Contact: netdev@vger.kernel.org
@@ -88,7 +88,7 @@ Description:
queued on this network device transmit queue. See
include/linux/dynamic_queue_limits.h for the default value.
-What: /sys/class/<iface>/queues/tx-<queue>/byte_queue_limits/limit_min
+What: /sys/class/net/<iface>/queues/tx-<queue>/byte_queue_limits/limit_min
Date: November 2011
KernelVersion: 3.3
Contact: netdev@vger.kernel.org
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 290/476] arm64: irq: set the correct node for shadow call stack
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 289/476] net: sysfs: Fix /sys/class/net/<iface> path Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 291/476] [PATCH 5.15 6.1] gve: Fix use-after-free vulnerability Greg Kroah-Hartman
` (195 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huang Shijie, Catalin Marinas, Will Deacon
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang Shijie <shijie@os.amperecomputing.com>
commit 7b1a09e44dc64f4f5930659b6d14a27183c00705 upstream.
The init_irq_stacks() has been changed to use the correct node:
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?id=75b5e0bf90bf
The init_irq_scs() has the same issue with init_irq_stacks():
cpu_to_node() is not initialized yet, it does not work.
This patch uses early_cpu_to_node() to set the init_irq_scs()
with the correct node.
Signed-off-by: Huang Shijie <shijie@os.amperecomputing.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20231213012046.12014-1-shijie@os.amperecomputing.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/irq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kernel/irq.c
+++ b/arch/arm64/kernel/irq.c
@@ -45,7 +45,7 @@ static void init_irq_scs(void)
for_each_possible_cpu(cpu)
per_cpu(irq_shadow_call_stack_ptr, cpu) =
- scs_alloc(cpu_to_node(cpu));
+ scs_alloc(early_cpu_to_node(cpu));
}
#ifdef CONFIG_VMAP_STACK
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 291/476] [PATCH 5.15 6.1] gve: Fix use-after-free vulnerability
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 290/476] arm64: irq: set the correct node for shadow call stack Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 292/476] HID: apple: Add support for the 2021 Magic Keyboard Greg Kroah-Hartman
` (194 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Praveen Kaligineedi, Bailey Forrest,
Eric Dumazet, Jeroen de Borst, Kevin DeCabooter
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Praveen Kaligineedi <pkaligineedi@google.com>
From: Bailey Forrest <bcf@google.com>
Call skb_shinfo() after gve_prep_tso() on DQO TX path.
gve_prep_tso() calls skb_cow_head(), which may reallocate
shinfo causing a use after free.
This bug was unintentionally fixed by 'a6fb8d5a8b69
("gve: Tx path for DQO-QPL")' while adding DQO-QPL format
support in 6.6. That patch is not appropriate for stable releases.
Fixes: a57e5de476be ("gve: DQO: Add TX path")
Signed-off-by: Praveen Kaligineedi <pkaligineedi@google.com>
Signed-off-by: Bailey Forrest <bcf@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jeroen de Borst <jeroendb@google.com>
Reviewed-by: Kevin DeCabooter <decabooter@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
@@ -350,6 +350,7 @@ static void gve_tx_fill_pkt_desc_dqo(str
/* Validates and prepares `skb` for TSO.
*
* Returns header length, or < 0 if invalid.
+ * Warning : Might change skb->head (and thus skb_shinfo).
*/
static int gve_prep_tso(struct sk_buff *skb)
{
@@ -451,8 +452,8 @@ gve_tx_fill_general_ctx_desc(struct gve_
static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx,
struct sk_buff *skb)
{
- const struct skb_shared_info *shinfo = skb_shinfo(skb);
const bool is_gso = skb_is_gso(skb);
+ struct skb_shared_info *shinfo;
u32 desc_idx = tx->dqo_tx.tail;
struct gve_tx_pending_packet_dqo *pkt;
@@ -477,6 +478,8 @@ static int gve_tx_add_skb_no_copy_dqo(st
desc_idx = (desc_idx + 1) & tx->mask;
}
+ /* Must get after gve_prep_tso(), which can change shinfo. */
+ shinfo = skb_shinfo(skb);
gve_tx_fill_general_ctx_desc(&tx->dqo.tx_ring[desc_idx].general_ctx,
&metadata);
desc_idx = (desc_idx + 1) & tx->mask;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 292/476] HID: apple: Add support for the 2021 Magic Keyboard
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 291/476] [PATCH 5.15 6.1] gve: Fix use-after-free vulnerability Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 293/476] HID: apple: Add 2021 magic keyboard FN key mapping Greg Kroah-Hartman
` (193 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Henrie, Jiri Kosina, Aseda Aboagye
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Henrie <alexhenrie24@gmail.com>
commit 0cd3be51733febb4f8acb92bcf55b75fe824dd05 upstream.
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Aseda Aboagye <aaboagye@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-apple.c | 4 ++++
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-quirks.c | 1 +
3 files changed, 6 insertions(+)
--- a/drivers/hid/hid-apple.c
+++ b/drivers/hid/hid-apple.c
@@ -640,6 +640,10 @@ static const struct hid_device_id apple_
.driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN },
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY),
.driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_2021),
+ .driver_data = APPLE_HAS_FN },
+ { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_2021),
+ .driver_data = APPLE_HAS_FN },
{ }
};
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -174,6 +174,7 @@
#define USB_DEVICE_ID_APPLE_IRCONTROL3 0x8241
#define USB_DEVICE_ID_APPLE_IRCONTROL4 0x8242
#define USB_DEVICE_ID_APPLE_IRCONTROL5 0x8243
+#define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_2021 0x029c
#define USB_VENDOR_ID_ASUS 0x0486
#define USB_DEVICE_ID_ASUS_T91MT 0x0185
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -309,6 +309,7 @@ static const struct hid_device_id hid_ha
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI) },
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY) },
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_2021) },
#endif
#if IS_ENABLED(CONFIG_HID_APPLEIR)
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_IRCONTROL) },
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 293/476] HID: apple: Add 2021 magic keyboard FN key mapping
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 292/476] HID: apple: Add support for the 2021 Magic Keyboard Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 294/476] bonding: remove print in bond_verify_device_path Greg Kroah-Hartman
` (192 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Jiri Kosina, Aseda Aboagye
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <bberg@redhat.com>
commit 531cb56972f2773c941499fcfb639cd5128dfb27 upstream.
The new 2021 apple models have a different FN key assignment. Add a new
translation table and use that for the 2021 magic keyboard.
Signed-off-by: Benjamin Berg <bberg@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Aseda Aboagye <aaboagye@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-apple.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-apple.c
+++ b/drivers/hid/hid-apple.c
@@ -70,6 +70,28 @@ struct apple_key_translation {
u8 flags;
};
+static const struct apple_key_translation apple2021_fn_keys[] = {
+ { KEY_BACKSPACE, KEY_DELETE },
+ { KEY_ENTER, KEY_INSERT },
+ { KEY_F1, KEY_BRIGHTNESSDOWN, APPLE_FLAG_FKEY },
+ { KEY_F2, KEY_BRIGHTNESSUP, APPLE_FLAG_FKEY },
+ { KEY_F3, KEY_SCALE, APPLE_FLAG_FKEY },
+ { KEY_F4, KEY_SEARCH, APPLE_FLAG_FKEY },
+ { KEY_F5, KEY_MICMUTE, APPLE_FLAG_FKEY },
+ { KEY_F6, KEY_SLEEP, APPLE_FLAG_FKEY },
+ { KEY_F7, KEY_PREVIOUSSONG, APPLE_FLAG_FKEY },
+ { KEY_F8, KEY_PLAYPAUSE, APPLE_FLAG_FKEY },
+ { KEY_F9, KEY_NEXTSONG, APPLE_FLAG_FKEY },
+ { KEY_F10, KEY_MUTE, APPLE_FLAG_FKEY },
+ { KEY_F11, KEY_VOLUMEDOWN, APPLE_FLAG_FKEY },
+ { KEY_F12, KEY_VOLUMEUP, APPLE_FLAG_FKEY },
+ { KEY_UP, KEY_PAGEUP },
+ { KEY_DOWN, KEY_PAGEDOWN },
+ { KEY_LEFT, KEY_HOME },
+ { KEY_RIGHT, KEY_END },
+ { }
+};
+
static const struct apple_key_translation macbookair_fn_keys[] = {
{ KEY_BACKSPACE, KEY_DELETE },
{ KEY_ENTER, KEY_INSERT },
@@ -214,7 +236,9 @@ static int hidinput_apple_event(struct h
}
if (fnmode) {
- if (hid->product >= USB_DEVICE_ID_APPLE_WELLSPRING4_ANSI &&
+ if (hid->product == USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_2021)
+ table = apple2021_fn_keys;
+ else if (hid->product >= USB_DEVICE_ID_APPLE_WELLSPRING4_ANSI &&
hid->product <= USB_DEVICE_ID_APPLE_WELLSPRING4A_JIS)
table = macbookair_fn_keys;
else if (hid->product < 0x21d || hid->product >= 0x300)
@@ -377,6 +401,9 @@ static void apple_setup_input(struct inp
for (trans = apple_iso_keyboard; trans->from; trans++)
set_bit(trans->to, input->keybit);
+ for (trans = apple2021_fn_keys; trans->from; trans++)
+ set_bit(trans->to, input->keybit);
+
if (swap_fn_leftctrl) {
for (trans = swapped_fn_leftctrl_keys; trans->from; trans++)
set_bit(trans->to, input->keybit);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 294/476] bonding: remove print in bond_verify_device_path
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 293/476] HID: apple: Add 2021 magic keyboard FN key mapping Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 295/476] ASoC: codecs: lpass-wsa-macro: fix compander volume hack Greg Kroah-Hartman
` (191 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Zhengchao Shao,
Hangbin Liu, David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchao Shao <shaozhengchao@huawei.com>
commit 486058f42a4728053ae69ebbf78e9731d8ce6f8b upstream.
As suggested by Paolo in link[1], if the memory allocation fails, the mm
layer will emit a lot warning comprising the backtrace, so remove the
print.
[1] https://lore.kernel.org/all/20231118081653.1481260-1-shaozhengchao@huawei.com/
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/bonding/bond_main.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2893,11 +2893,8 @@ struct bond_vlan_tag *bond_verify_device
if (start_dev == end_dev) {
tags = kcalloc(level + 1, sizeof(*tags), GFP_ATOMIC);
- if (!tags) {
- net_err_ratelimited("%s: %s: Failed to allocate tags\n",
- __func__, start_dev->name);
+ if (!tags)
return ERR_PTR(-ENOMEM);
- }
tags[level].vlan_proto = VLAN_N_VID;
return tags;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 295/476] ASoC: codecs: lpass-wsa-macro: fix compander volume hack
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 294/476] bonding: remove print in bond_verify_device_path Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 296/476] dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Greg Kroah-Hartman
` (190 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 46188db080bd1df7d2d28031b89e56f2fdbabd67 upstream.
The LPASS WSA macro codec driver is updating the digital gain settings
behind the back of user space on DAPM events if companding has been
enabled.
As compander control is exported to user space, this can result in the
digital gain setting being incremented (or decremented) every time the
sound server is started and the codec suspended depending on what the
UCM configuration looks like.
Soon enough playback will become distorted (or too quiet).
This is specifically a problem on the Lenovo ThinkPad X13s as this
bypasses the limit for the digital gain setting that has been set by the
machine driver.
Fix this by simply dropping the compander gain offset hack. If someone
cares about modelling the impact of the compander setting this can
possibly be done by exporting it as a volume control later.
Note that the volume registers still need to be written after enabling
clocks in order for any prior updates to take effect.
Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route")
Cc: stable@vger.kernel.org # 5.11
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://msgid.link/r/20240119112420.7446-4-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/lpass-wsa-macro.c | 7 -------
1 file changed, 7 deletions(-)
--- a/sound/soc/codecs/lpass-wsa-macro.c
+++ b/sound/soc/codecs/lpass-wsa-macro.c
@@ -1577,7 +1577,6 @@ static int wsa_macro_enable_interpolator
u16 gain_reg;
u16 reg;
int val;
- int offset_val = 0;
struct wsa_macro *wsa = snd_soc_component_get_drvdata(component);
if (w->shift == WSA_MACRO_COMP1) {
@@ -1616,10 +1615,8 @@ static int wsa_macro_enable_interpolator
CDC_WSA_RX1_RX_PATH_MIX_SEC0,
CDC_WSA_RX_PGA_HALF_DB_MASK,
CDC_WSA_RX_PGA_HALF_DB_ENABLE);
- offset_val = -2;
}
val = snd_soc_component_read(component, gain_reg);
- val += offset_val;
snd_soc_component_write(component, gain_reg, val);
wsa_macro_config_ear_spkr_gain(component, wsa,
event, gain_reg);
@@ -1647,10 +1644,6 @@ static int wsa_macro_enable_interpolator
CDC_WSA_RX1_RX_PATH_MIX_SEC0,
CDC_WSA_RX_PGA_HALF_DB_MASK,
CDC_WSA_RX_PGA_HALF_DB_DISABLE);
- offset_val = 2;
- val = snd_soc_component_read(component, gain_reg);
- val += offset_val;
- snd_soc_component_write(component, gain_reg, val);
}
wsa_macro_config_ear_spkr_gain(component, wsa,
event, gain_reg);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 296/476] dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 295/476] ASoC: codecs: lpass-wsa-macro: fix compander volume hack Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 297/476] dmaengine: ti: k3-udma: Report short packet errors Greg Kroah-Hartman
` (189 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guanhua Gao, Frank Li, Vinod Koul,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guanhua Gao <guanhua.gao@nxp.com>
[ Upstream commit b73e43dcd7a8be26880ef8ff336053b29e79dbc5 ]
In case of long format of qDMA command descriptor, there are one frame
descriptor, three entries in the frame list and two data entries. So the
size of dma_pool_create for these three fields should be the same with
the total size of entries respectively, or the contents may be overwritten
by the next allocated descriptor.
Fixes: 7fdf9b05c73b ("dmaengine: fsl-dpaa2-qdma: Add NXP dpaa2 qDMA controller driver for Layerscape SoCs")
Signed-off-by: Guanhua Gao <guanhua.gao@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20240118162917.2951450-1-Frank.Li@nxp.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c b/drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c
index 8dd40d00a672..6b829d347417 100644
--- a/drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c
+++ b/drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c
@@ -38,15 +38,17 @@ static int dpaa2_qdma_alloc_chan_resources(struct dma_chan *chan)
if (!dpaa2_chan->fd_pool)
goto err;
- dpaa2_chan->fl_pool = dma_pool_create("fl_pool", dev,
- sizeof(struct dpaa2_fl_entry),
- sizeof(struct dpaa2_fl_entry), 0);
+ dpaa2_chan->fl_pool =
+ dma_pool_create("fl_pool", dev,
+ sizeof(struct dpaa2_fl_entry) * 3,
+ sizeof(struct dpaa2_fl_entry), 0);
+
if (!dpaa2_chan->fl_pool)
goto err_fd;
dpaa2_chan->sdd_pool =
dma_pool_create("sdd_pool", dev,
- sizeof(struct dpaa2_qdma_sd_d),
+ sizeof(struct dpaa2_qdma_sd_d) * 2,
sizeof(struct dpaa2_qdma_sd_d), 0);
if (!dpaa2_chan->sdd_pool)
goto err_fl;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 297/476] dmaengine: ti: k3-udma: Report short packet errors
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 296/476] dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 298/476] dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Greg Kroah-Hartman
` (188 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jai Luthra, Peter Ujfalusi,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jai Luthra <j-luthra@ti.com>
[ Upstream commit bc9847c9ba134cfe3398011e343dcf6588c1c902 ]
Propagate the TR response status to the device using BCDMA
split-channels. For example CSI-RX driver should be able to check if a
frame was not transferred completely (short packet) and needs to be
discarded.
Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA")
Signed-off-by: Jai Luthra <j-luthra@ti.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
Link: https://lore.kernel.org/r/20240103-tr_resp_err-v1-1-2fdf6d48ab92@ti.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ti/k3-udma.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
index d796e50dfe99..698fb898847c 100644
--- a/drivers/dma/ti/k3-udma.c
+++ b/drivers/dma/ti/k3-udma.c
@@ -3957,6 +3957,7 @@ static void udma_desc_pre_callback(struct virt_dma_chan *vc,
{
struct udma_chan *uc = to_udma_chan(&vc->chan);
struct udma_desc *d;
+ u8 status;
if (!vd)
return;
@@ -3966,12 +3967,12 @@ static void udma_desc_pre_callback(struct virt_dma_chan *vc,
if (d->metadata_size)
udma_fetch_epib(uc, d);
- /* Provide residue information for the client */
if (result) {
void *desc_vaddr = udma_curr_cppi5_desc_vaddr(d, d->desc_idx);
if (cppi5_desc_get_type(desc_vaddr) ==
CPPI5_INFO0_DESC_TYPE_VAL_HOST) {
+ /* Provide residue information for the client */
result->residue = d->residue -
cppi5_hdesc_get_pktlen(desc_vaddr);
if (result->residue)
@@ -3980,7 +3981,12 @@ static void udma_desc_pre_callback(struct virt_dma_chan *vc,
result->result = DMA_TRANS_NOERROR;
} else {
result->residue = 0;
- result->result = DMA_TRANS_NOERROR;
+ /* Propagate TR Response errors to the client */
+ status = d->hwdesc[0].tr_resp_base->status;
+ if (status)
+ result->result = DMA_TRANS_ABORTED;
+ else
+ result->result = DMA_TRANS_NOERROR;
}
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 298/476] dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 297/476] dmaengine: ti: k3-udma: Report short packet errors Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 299/476] dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Greg Kroah-Hartman
` (187 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 968bc1d7203d384e72afe34124a1801b7af76514 ]
This dma_alloc_coherent() is undone in the remove function, but not in the
error handling path of fsl_qdma_probe().
Switch to the managed version to fix the issue in the probe and simplify
the remove function.
Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/a0ef5d0f5a47381617ef339df776ddc68ce48173.1704621515.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/fsl-qdma.c | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/drivers/dma/fsl-qdma.c b/drivers/dma/fsl-qdma.c
index 045ead46ec8f..5cc887acb05b 100644
--- a/drivers/dma/fsl-qdma.c
+++ b/drivers/dma/fsl-qdma.c
@@ -563,11 +563,11 @@ static struct fsl_qdma_queue
/*
* Buffer for queue command
*/
- status_head->cq = dma_alloc_coherent(&pdev->dev,
- sizeof(struct fsl_qdma_format) *
- status_size,
- &status_head->bus_addr,
- GFP_KERNEL);
+ status_head->cq = dmam_alloc_coherent(&pdev->dev,
+ sizeof(struct fsl_qdma_format) *
+ status_size,
+ &status_head->bus_addr,
+ GFP_KERNEL);
if (!status_head->cq) {
devm_kfree(&pdev->dev, status_head);
return NULL;
@@ -1272,8 +1272,6 @@ static void fsl_qdma_cleanup_vchan(struct dma_device *dmadev)
static int fsl_qdma_remove(struct platform_device *pdev)
{
- int i;
- struct fsl_qdma_queue *status;
struct device_node *np = pdev->dev.of_node;
struct fsl_qdma_engine *fsl_qdma = platform_get_drvdata(pdev);
@@ -1282,11 +1280,6 @@ static int fsl_qdma_remove(struct platform_device *pdev)
of_dma_controller_free(np);
dma_async_device_unregister(&fsl_qdma->dma_dev);
- for (i = 0; i < fsl_qdma->block_number; i++) {
- status = fsl_qdma->status[i];
- dma_free_coherent(&pdev->dev, sizeof(struct fsl_qdma_format) *
- status->n_cq, status->cq, status->bus_addr);
- }
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 299/476] dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 298/476] dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 300/476] phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Greg Kroah-Hartman
` (186 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 3aa58cb51318e329d203857f7a191678e60bb714 ]
This dma_alloc_coherent() is undone neither in the remove function, nor in
the error handling path of fsl_qdma_probe().
Switch to the managed version to fix both issues.
Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/7f66aa14f59d32b13672dde28602b47deb294e1f.1704621515.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/fsl-qdma.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/dma/fsl-qdma.c b/drivers/dma/fsl-qdma.c
index 5cc887acb05b..69385f32e275 100644
--- a/drivers/dma/fsl-qdma.c
+++ b/drivers/dma/fsl-qdma.c
@@ -514,11 +514,11 @@ static struct fsl_qdma_queue
queue_temp = queue_head + i + (j * queue_num);
queue_temp->cq =
- dma_alloc_coherent(&pdev->dev,
- sizeof(struct fsl_qdma_format) *
- queue_size[i],
- &queue_temp->bus_addr,
- GFP_KERNEL);
+ dmam_alloc_coherent(&pdev->dev,
+ sizeof(struct fsl_qdma_format) *
+ queue_size[i],
+ &queue_temp->bus_addr,
+ GFP_KERNEL);
if (!queue_temp->cq)
return NULL;
queue_temp->block_base = fsl_qdma->block_base +
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 300/476] phy: renesas: rcar-gen3-usb2: Fix returning wrong error code
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 299/476] dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 301/476] dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Greg Kroah-Hartman
` (185 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Yoshihiro Shimoda, Geert Uytterhoeven, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
[ Upstream commit 249abaf3bf0dd07f5ddebbb2fe2e8f4d675f074e ]
Even if device_create_file() returns error code,
rcar_gen3_phy_usb2_probe() will return zero because the "ret" is
variable shadowing.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202312161021.gOLDl48K-lkp@intel.com/
Fixes: 441a681b8843 ("phy: rcar-gen3-usb2: fix implementation for runtime PM")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20240105093703.3359949-1-yoshihiro.shimoda.uh@renesas.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c
index 9de617ca9daa..7e61c6b278a7 100644
--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c
+++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c
@@ -675,8 +675,6 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev)
channel->irq = platform_get_irq_optional(pdev, 0);
channel->dr_mode = rcar_gen3_get_dr_mode(dev->of_node);
if (channel->dr_mode != USB_DR_MODE_UNKNOWN) {
- int ret;
-
channel->is_otg_channel = true;
channel->uses_otg_pins = !of_property_read_bool(dev->of_node,
"renesas,no-otg-pins");
@@ -740,8 +738,6 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev)
ret = PTR_ERR(provider);
goto error;
} else if (channel->is_otg_channel) {
- int ret;
-
ret = device_create_file(dev, &dev_attr_role);
if (ret < 0)
goto error;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 301/476] dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 300/476] phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 302/476] phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Greg Kroah-Hartman
` (184 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit a22fe1d6dec7e98535b97249fdc95c2be79120bb ]
is_slave_direction() should return true when direction is DMA_DEV_TO_DEV.
Fixes: 49920bc66984 ("dmaengine: add new enum dma_transfer_direction")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20240123172842.3764529-1-Frank.Li@nxp.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/dmaengine.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h
index 9000f3ffce8b..04826a793039 100644
--- a/include/linux/dmaengine.h
+++ b/include/linux/dmaengine.h
@@ -959,7 +959,8 @@ static inline int dmaengine_slave_config(struct dma_chan *chan,
static inline bool is_slave_direction(enum dma_transfer_direction direction)
{
- return (direction == DMA_MEM_TO_DEV) || (direction == DMA_DEV_TO_MEM);
+ return (direction == DMA_MEM_TO_DEV) || (direction == DMA_DEV_TO_MEM) ||
+ (direction == DMA_DEV_TO_DEV);
}
static inline struct dma_async_tx_descriptor *dmaengine_prep_slave_single(
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 302/476] phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 301/476] dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 303/476] drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Greg Kroah-Hartman
` (183 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Lindgren, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Lindgren <tony@atomide.com>
[ Upstream commit 7104ba0f1958adb250319e68a15eff89ec4fd36d ]
If the external phy working together with phy-omap-usb2 does not implement
send_srp(), we may still attempt to call it. This can happen on an idle
Ethernet gadget triggering a wakeup for example:
configfs-gadget.g1 gadget.0: ECM Suspend
configfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup
...
Unable to handle kernel NULL pointer dereference at virtual address
00000000 when execute
...
PC is at 0x0
LR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]
...
musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]
usb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]
eth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c
dev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4
sch_direct_xmit from __dev_queue_xmit+0x334/0xd88
__dev_queue_xmit from arp_solicit+0xf0/0x268
arp_solicit from neigh_probe+0x54/0x7c
neigh_probe from __neigh_event_send+0x22c/0x47c
__neigh_event_send from neigh_resolve_output+0x14c/0x1c0
neigh_resolve_output from ip_finish_output2+0x1c8/0x628
ip_finish_output2 from ip_send_skb+0x40/0xd8
ip_send_skb from udp_send_skb+0x124/0x340
udp_send_skb from udp_sendmsg+0x780/0x984
udp_sendmsg from __sys_sendto+0xd8/0x158
__sys_sendto from ret_fast_syscall+0x0/0x58
Let's fix the issue by checking for send_srp() and set_vbus() before
calling them. For USB peripheral only cases these both could be NULL.
Fixes: 657b306a7bdf ("usb: phy: add a new driver for omap usb2 phy")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Link: https://lore.kernel.org/r/20240128120556.8848-1-tony@atomide.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/ti/phy-omap-usb2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/phy/ti/phy-omap-usb2.c b/drivers/phy/ti/phy-omap-usb2.c
index ca8532a3f193..59d3a692c725 100644
--- a/drivers/phy/ti/phy-omap-usb2.c
+++ b/drivers/phy/ti/phy-omap-usb2.c
@@ -116,7 +116,7 @@ static int omap_usb_set_vbus(struct usb_otg *otg, bool enabled)
{
struct omap_usb *phy = phy_to_omapusb(otg->usb_phy);
- if (!phy->comparator)
+ if (!phy->comparator || !phy->comparator->set_vbus)
return -ENODEV;
return phy->comparator->set_vbus(phy->comparator, enabled);
@@ -126,7 +126,7 @@ static int omap_usb_start_srp(struct usb_otg *otg)
{
struct omap_usb *phy = phy_to_omapusb(otg->usb_phy);
- if (!phy->comparator)
+ if (!phy->comparator || !phy->comparator->start_srp)
return -ENODEV;
return phy->comparator->start_srp(phy->comparator);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 303/476] drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 302/476] phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 304/476] net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Greg Kroah-Hartman
` (182 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuogee Hsieh, Dmitry Baryshkov,
Abhinav Kumar, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuogee Hsieh <quic_khsieh@quicinc.com>
[ Upstream commit fcccdafd91f8bdde568b86ff70848cf83f029add ]
MSA MISC0 bit 1 to 7 contains Colorimetry Indicator Field.
dp_link_get_colorimetry_config() returns wrong colorimetry value
in the DP_TEST_DYNAMIC_RANGE_CEA case in the current implementation.
Hence fix this problem by having dp_link_get_colorimetry_config()
return defined CEA RGB colorimetry value in the case of
DP_TEST_DYNAMIC_RANGE_CEA.
Changes in V2:
-- drop retrieving colorimetry from colorspace
-- drop dr = link->dp_link.test_video.test_dyn_range assignment
Changes in V3:
-- move defined MISCr0a Colorimetry vale to dp_reg.h
-- rewording commit title
-- rewording commit text to more precise describe this patch
Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support")
Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/574888/
Link: https://lore.kernel.org/r/1705526010-597-1-git-send-email-quic_khsieh@quicinc.com
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dp/dp_link.c | 12 +++++++-----
drivers/gpu/drm/msm/dp/dp_reg.h | 3 +++
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/msm/dp/dp_link.c b/drivers/gpu/drm/msm/dp/dp_link.c
index d4d31e5bda07..0b4539be0685 100644
--- a/drivers/gpu/drm/msm/dp/dp_link.c
+++ b/drivers/gpu/drm/msm/dp/dp_link.c
@@ -7,6 +7,7 @@
#include <drm/drm_print.h>
+#include "dp_reg.h"
#include "dp_link.h"
#include "dp_panel.h"
@@ -1064,7 +1065,7 @@ int dp_link_process_request(struct dp_link *dp_link)
int dp_link_get_colorimetry_config(struct dp_link *dp_link)
{
- u32 cc;
+ u32 cc = DP_MISC0_COLORIMERY_CFG_LEGACY_RGB;
struct dp_link_private *link;
if (!dp_link) {
@@ -1078,10 +1079,11 @@ int dp_link_get_colorimetry_config(struct dp_link *dp_link)
* Unless a video pattern CTS test is ongoing, use RGB_VESA
* Only RGB_VESA and RGB_CEA supported for now
*/
- if (dp_link_is_video_pattern_requested(link))
- cc = link->dp_link.test_video.test_dyn_range;
- else
- cc = DP_TEST_DYNAMIC_RANGE_VESA;
+ if (dp_link_is_video_pattern_requested(link)) {
+ if (link->dp_link.test_video.test_dyn_range &
+ DP_TEST_DYNAMIC_RANGE_CEA)
+ cc = DP_MISC0_COLORIMERY_CFG_CEA_RGB;
+ }
return cc;
}
diff --git a/drivers/gpu/drm/msm/dp/dp_reg.h b/drivers/gpu/drm/msm/dp/dp_reg.h
index 268602803d9a..176a503ece9c 100644
--- a/drivers/gpu/drm/msm/dp/dp_reg.h
+++ b/drivers/gpu/drm/msm/dp/dp_reg.h
@@ -129,6 +129,9 @@
#define DP_MISC0_COLORIMETRY_CFG_SHIFT (0x00000001)
#define DP_MISC0_TEST_BITS_DEPTH_SHIFT (0x00000005)
+#define DP_MISC0_COLORIMERY_CFG_LEGACY_RGB (0)
+#define DP_MISC0_COLORIMERY_CFG_CEA_RGB (0x04)
+
#define REG_DP_VALID_BOUNDARY (0x00000030)
#define REG_DP_VALID_BOUNDARY_2 (0x00000034)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 304/476] net: stmmac: xgmac: fix handling of DPP safety error for DMA channels
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 303/476] drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 305/476] selftests: net: cut more slack for gro fwd tests Greg Kroah-Hartman
` (181 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Furong Xu, Simon Horman,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Furong Xu <0x1207@gmail.com>
[ Upstream commit 46eba193d04f8bd717e525eb4110f3c46c12aec3 ]
Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features in
XGMAC core") checks and reports safety errors, but leaves the
Data Path Parity Errors for each channel in DMA unhandled at all, lead to
a storm of interrupt.
Fix it by checking and clearing the DMA_DPP_Interrupt_Status register.
Fixes: 56e58d6c8a56 ("net: stmmac: Implement Safety Features in XGMAC core")
Signed-off-by: Furong Xu <0x1207@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/common.h | 1 +
.../net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 +
.../ethernet/stmicro/stmmac/dwxgmac2_core.c | 57 ++++++++++++++++++-
3 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h
index c03ac229e936..d9e8602f866d 100644
--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -209,6 +209,7 @@ struct stmmac_safety_stats {
unsigned long mac_errors[32];
unsigned long mtl_errors[32];
unsigned long dma_errors[32];
+ unsigned long dma_dpp_errors[32];
};
/* Number of fields in Safety Stats */
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h
index 880a75bf2eb1..e67a880ebf64 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h
+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h
@@ -282,6 +282,8 @@
#define XGMAC_RXCEIE BIT(4)
#define XGMAC_TXCEIE BIT(0)
#define XGMAC_MTL_ECC_INT_STATUS 0x000010cc
+#define XGMAC_MTL_DPP_CONTROL 0x000010e0
+#define XGMAC_DDPP_DISABLE BIT(0)
#define XGMAC_MTL_TXQ_OPMODE(x) (0x00001100 + (0x80 * (x)))
#define XGMAC_TQS GENMASK(25, 16)
#define XGMAC_TQS_SHIFT 16
@@ -364,6 +366,7 @@
#define XGMAC_DCEIE BIT(1)
#define XGMAC_TCEIE BIT(0)
#define XGMAC_DMA_ECC_INT_STATUS 0x0000306c
+#define XGMAC_DMA_DPP_INT_STATUS 0x00003074
#define XGMAC_DMA_CH_CONTROL(x) (0x00003100 + (0x80 * (x)))
#define XGMAC_SPH BIT(24)
#define XGMAC_PBLx8 BIT(16)
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
index c2181c277291..c24cd019460a 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
@@ -789,6 +789,43 @@ static const struct dwxgmac3_error_desc dwxgmac3_dma_errors[32]= {
{ false, "UNKNOWN", "Unknown Error" }, /* 31 */
};
+static const char * const dpp_rx_err = "Read Rx Descriptor Parity checker Error";
+static const char * const dpp_tx_err = "Read Tx Descriptor Parity checker Error";
+static const struct dwxgmac3_error_desc dwxgmac3_dma_dpp_errors[32] = {
+ { true, "TDPES0", dpp_tx_err },
+ { true, "TDPES1", dpp_tx_err },
+ { true, "TDPES2", dpp_tx_err },
+ { true, "TDPES3", dpp_tx_err },
+ { true, "TDPES4", dpp_tx_err },
+ { true, "TDPES5", dpp_tx_err },
+ { true, "TDPES6", dpp_tx_err },
+ { true, "TDPES7", dpp_tx_err },
+ { true, "TDPES8", dpp_tx_err },
+ { true, "TDPES9", dpp_tx_err },
+ { true, "TDPES10", dpp_tx_err },
+ { true, "TDPES11", dpp_tx_err },
+ { true, "TDPES12", dpp_tx_err },
+ { true, "TDPES13", dpp_tx_err },
+ { true, "TDPES14", dpp_tx_err },
+ { true, "TDPES15", dpp_tx_err },
+ { true, "RDPES0", dpp_rx_err },
+ { true, "RDPES1", dpp_rx_err },
+ { true, "RDPES2", dpp_rx_err },
+ { true, "RDPES3", dpp_rx_err },
+ { true, "RDPES4", dpp_rx_err },
+ { true, "RDPES5", dpp_rx_err },
+ { true, "RDPES6", dpp_rx_err },
+ { true, "RDPES7", dpp_rx_err },
+ { true, "RDPES8", dpp_rx_err },
+ { true, "RDPES9", dpp_rx_err },
+ { true, "RDPES10", dpp_rx_err },
+ { true, "RDPES11", dpp_rx_err },
+ { true, "RDPES12", dpp_rx_err },
+ { true, "RDPES13", dpp_rx_err },
+ { true, "RDPES14", dpp_rx_err },
+ { true, "RDPES15", dpp_rx_err },
+};
+
static void dwxgmac3_handle_dma_err(struct net_device *ndev,
void __iomem *ioaddr, bool correctable,
struct stmmac_safety_stats *stats)
@@ -800,6 +837,13 @@ static void dwxgmac3_handle_dma_err(struct net_device *ndev,
dwxgmac3_log_error(ndev, value, correctable, "DMA",
dwxgmac3_dma_errors, STAT_OFF(dma_errors), stats);
+
+ value = readl(ioaddr + XGMAC_DMA_DPP_INT_STATUS);
+ writel(value, ioaddr + XGMAC_DMA_DPP_INT_STATUS);
+
+ dwxgmac3_log_error(ndev, value, false, "DMA_DPP",
+ dwxgmac3_dma_dpp_errors,
+ STAT_OFF(dma_dpp_errors), stats);
}
static int
@@ -838,6 +882,12 @@ dwxgmac3_safety_feat_config(void __iomem *ioaddr, unsigned int asp,
value |= XGMAC_TMOUTEN; /* FSM Timeout Feature */
writel(value, ioaddr + XGMAC_MAC_FSM_CONTROL);
+ /* 5. Enable Data Path Parity Protection */
+ value = readl(ioaddr + XGMAC_MTL_DPP_CONTROL);
+ /* already enabled by default, explicit enable it again */
+ value &= ~XGMAC_DDPP_DISABLE;
+ writel(value, ioaddr + XGMAC_MTL_DPP_CONTROL);
+
return 0;
}
@@ -871,7 +921,11 @@ static int dwxgmac3_safety_feat_irq_status(struct net_device *ndev,
ret |= !corr;
}
- err = dma & (XGMAC_DEUIS | XGMAC_DECIS);
+ /* DMA_DPP_Interrupt_Status is indicated by MCSIS bit in
+ * DMA_Safety_Interrupt_Status, so we handle DMA Data Path
+ * Parity Errors here
+ */
+ err = dma & (XGMAC_DEUIS | XGMAC_DECIS | XGMAC_MCSIS);
corr = dma & XGMAC_DECIS;
if (err) {
dwxgmac3_handle_dma_err(ndev, ioaddr, corr, stats);
@@ -887,6 +941,7 @@ static const struct dwxgmac3_error {
{ dwxgmac3_mac_errors },
{ dwxgmac3_mtl_errors },
{ dwxgmac3_dma_errors },
+ { dwxgmac3_dma_dpp_errors },
};
static int dwxgmac3_safety_feat_dump(struct stmmac_safety_stats *stats,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 305/476] selftests: net: cut more slack for gro fwd tests.
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 304/476] net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 306/476] selftests: net: avoid just another constant wait Greg Kroah-Hartman
` (180 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, David Ahern,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit cb9f4a30fb85e1f4f149ada595a67899adb3db19 ]
The udpgro_fwd.sh self-tests are somewhat unstable. There are
a few timing constraints the we struggle to meet on very slow
environments.
Instead of skipping the whole tests in such envs, increase the
test resilience WRT very slow hosts: increase the inter-packets
timeouts, avoid resetting the counters every second and finally
disable reduce the background traffic noise.
Tested with:
for I in $(seq 1 100); do
./tools/testing/selftests/kselftest_install/run_kselftest.sh \
-t net:udpgro_fwd.sh || exit -1
done
in a slow environment.
Fixes: a062260a9d5f ("selftests: net: add UDP GRO forwarding self-tests")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/f4b6b11064a0d39182a9ae6a853abae3e9b4426a.1706812005.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/udpgro_fwd.sh | 14 ++++++++++++--
tools/testing/selftests/net/udpgso_bench_rx.c | 2 +-
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/net/udpgro_fwd.sh b/tools/testing/selftests/net/udpgro_fwd.sh
index 1bcd82e1f662..fa5aa588e53f 100755
--- a/tools/testing/selftests/net/udpgro_fwd.sh
+++ b/tools/testing/selftests/net/udpgro_fwd.sh
@@ -36,6 +36,10 @@ create_ns() {
for ns in $NS_SRC $NS_DST; do
ip netns add $ns
ip -n $ns link set dev lo up
+
+ # disable route solicitations to decrease 'noise' traffic
+ ip netns exec $ns sysctl -qw net.ipv6.conf.default.router_solicitations=0
+ ip netns exec $ns sysctl -qw net.ipv6.conf.all.router_solicitations=0
done
ip link add name veth$SRC type veth peer name veth$DST
@@ -77,6 +81,12 @@ create_vxlan_pair() {
create_vxlan_endpoint $BASE$ns veth$ns $BM_NET_V6$((3 - $ns)) vxlan6$ns 6
ip -n $BASE$ns addr add dev vxlan6$ns $OL_NET_V6$ns/24 nodad
done
+
+ # preload neighbur cache, do avoid some noisy traffic
+ local addr_dst=$(ip -j -n $BASE$DST link show dev vxlan6$DST |jq -r '.[]["address"]')
+ local addr_src=$(ip -j -n $BASE$SRC link show dev vxlan6$SRC |jq -r '.[]["address"]')
+ ip -n $BASE$DST neigh add dev vxlan6$DST lladdr $addr_src $OL_NET_V6$SRC
+ ip -n $BASE$SRC neigh add dev vxlan6$SRC lladdr $addr_dst $OL_NET_V6$DST
}
is_ipv6() {
@@ -116,7 +126,7 @@ run_test() {
# not enable GRO
ip netns exec $NS_DST $ipt -A INPUT -p udp --dport 4789
ip netns exec $NS_DST $ipt -A INPUT -p udp --dport 8000
- ip netns exec $NS_DST ./udpgso_bench_rx -C 1000 -R 10 -n 10 -l 1300 $rx_args &
+ ip netns exec $NS_DST ./udpgso_bench_rx -C 2000 -R 100 -n 10 -l 1300 $rx_args &
local spid=$!
sleep 0.1
ip netns exec $NS_SRC ./udpgso_bench_tx $family -M 1 -s 13000 -S 1300 -D $dst
@@ -165,7 +175,7 @@ run_bench() {
# bind the sender and the receiver to different CPUs to try
# get reproducible results
ip netns exec $NS_DST bash -c "echo 2 > /sys/class/net/veth$DST/queues/rx-0/rps_cpus"
- ip netns exec $NS_DST taskset 0x2 ./udpgso_bench_rx -C 1000 -R 10 &
+ ip netns exec $NS_DST taskset 0x2 ./udpgso_bench_rx -C 2000 -R 100 &
local spid=$!
sleep 0.1
ip netns exec $NS_SRC taskset 0x1 ./udpgso_bench_tx $family -l 3 -S 1300 -D $dst
diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c
index f35a924d4a30..1cbadd267c96 100644
--- a/tools/testing/selftests/net/udpgso_bench_rx.c
+++ b/tools/testing/selftests/net/udpgso_bench_rx.c
@@ -375,7 +375,7 @@ static void do_recv(void)
do_flush_udp(fd);
tnow = gettimeofday_ms();
- if (tnow > treport) {
+ if (!cfg_expected_pkt_nr && tnow > treport) {
if (packets)
fprintf(stderr,
"%s rx: %6lu MB/s %8lu calls/s\n",
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 306/476] selftests: net: avoid just another constant wait
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 305/476] selftests: net: cut more slack for gro fwd tests Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 307/476] tunnels: fix out of bounds access when building IPv6 PMTU error Greg Kroah-Hartman
` (179 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, David Ahern,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 691bb4e49c98a47bc643dd808453136ce78b15b4 ]
Using hard-coded constant timeout to wait for some expected
event is deemed to fail sooner or later, especially in slow
env.
Our CI has spotted another of such race:
# TEST: ipv6: cleanup of cached exceptions - nexthop objects [FAIL]
# can't delete veth device in a timely manner, PMTU dst likely leaked
Replace the crude sleep with a loop looking for the expected condition
at low interval for a much longer range.
Fixes: b3cc4f8a8a41 ("selftests: pmtu: add explicit tests for PMTU exceptions cleanup")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/fd5c745e9bb665b724473af6a9373a8c2a62b247.1706812005.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/pmtu.sh | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh
index 8797f7b5fb83..31e3d0db7a12 100755
--- a/tools/testing/selftests/net/pmtu.sh
+++ b/tools/testing/selftests/net/pmtu.sh
@@ -1795,6 +1795,13 @@ check_command() {
return 0
}
+check_running() {
+ pid=${1}
+ cmd=${2}
+
+ [ "$(cat /proc/${pid}/cmdline 2>/dev/null | tr -d '\0')" = "{cmd}" ]
+}
+
test_cleanup_vxlanX_exception() {
outer="${1}"
encap="vxlan"
@@ -1825,11 +1832,12 @@ test_cleanup_vxlanX_exception() {
${ns_a} ip link del dev veth_A-R1 &
iplink_pid=$!
- sleep 1
- if [ "$(cat /proc/${iplink_pid}/cmdline 2>/dev/null | tr -d '\0')" = "iplinkdeldevveth_A-R1" ]; then
- err " can't delete veth device in a timely manner, PMTU dst likely leaked"
- return 1
- fi
+ for i in $(seq 1 20); do
+ check_running ${iplink_pid} "iplinkdeldevveth_A-R1" || return 0
+ sleep 0.1
+ done
+ err " can't delete veth device in a timely manner, PMTU dst likely leaked"
+ return 1
}
test_cleanup_ipv6_exception() {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 307/476] tunnels: fix out of bounds access when building IPv6 PMTU error
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 306/476] selftests: net: avoid just another constant wait Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 308/476] atm: idt77252: fix a memleak in open_card_ubr0 Greg Kroah-Hartman
` (178 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoine Tenart, Jiri Pirko,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoine Tenart <atenart@kernel.org>
[ Upstream commit d75abeec401f8c86b470e7028a13fcdc87e5dd06 ]
If the ICMPv6 error is built from a non-linear skb we get the following
splat,
BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240
Read of size 4 at addr ffff88811d402c80 by task netperf/820
CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543
...
kasan_report+0xd8/0x110
do_csum+0x220/0x240
csum_partial+0xc/0x20
skb_tunnel_check_pmtu+0xeb9/0x3280
vxlan_xmit_one+0x14c2/0x4080
vxlan_xmit+0xf61/0x5c00
dev_hard_start_xmit+0xfb/0x510
__dev_queue_xmit+0x7cd/0x32a0
br_dev_queue_push_xmit+0x39d/0x6a0
Use skb_checksum instead of csum_partial who cannot deal with non-linear
SKBs.
Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_tunnel_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index d3275d1ed260..50ddbd7021f0 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -332,7 +332,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
};
skb_reset_network_header(skb);
- csum = csum_partial(icmp6h, len, 0);
+ csum = skb_checksum(skb, skb_transport_offset(skb), len, 0);
icmp6h->icmp6_cksum = csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr, len,
IPPROTO_ICMPV6, csum);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 308/476] atm: idt77252: fix a memleak in open_card_ubr0
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 307/476] tunnels: fix out of bounds access when building IPv6 PMTU error Greg Kroah-Hartman
@ 2024-02-21 13:05 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 309/476] octeontx2-pf: Fix a memleak otx2_sq_init Greg Kroah-Hartman
` (177 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhipeng Lu, Jiri Pirko,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhipeng Lu <alexious@zju.edu.cn>
[ Upstream commit f3616173bf9be9bf39d131b120d6eea4e6324cb5 ]
When alloc_scq fails, card->vcs[0] (i.e. vc) should be freed. Otherwise,
in the following call chain:
idt77252_init_one
|-> idt77252_dev_open
|-> open_card_ubr0
|-> alloc_scq [failed]
|-> deinit_card
|-> vfree(card->vcs);
card->vcs is freed and card->vcs[0] is leaked.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/atm/idt77252.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
index 49cb4537344a..2daf50d4cd47 100644
--- a/drivers/atm/idt77252.c
+++ b/drivers/atm/idt77252.c
@@ -2930,6 +2930,8 @@ open_card_ubr0(struct idt77252_dev *card)
vc->scq = alloc_scq(card, vc->class);
if (!vc->scq) {
printk("%s: can't get SCQ.\n", card->name);
+ kfree(card->vcs[0]);
+ card->vcs[0] = NULL;
return -ENOMEM;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 309/476] octeontx2-pf: Fix a memleak otx2_sq_init
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2024-02-21 13:05 ` [PATCH 5.15 308/476] atm: idt77252: fix a memleak in open_card_ubr0 Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 310/476] hwmon: (aspeed-pwm-tacho) mutex for tach reading Greg Kroah-Hartman
` (176 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhipeng Lu, Jiri Pirko,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhipeng Lu <alexious@zju.edu.cn>
[ Upstream commit b09b58e31b0f43d76f79b9943da3fb7c2843dcbb ]
When qmem_alloc and pfvf->hw_ops->sq_aq_init fails, sq->sg should be
freed to prevent memleak.
Fixes: c9c12d339d93 ("octeontx2-pf: Add support for PTP clock")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Acked-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/marvell/octeontx2/nic/otx2_common.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
index 572c981171ba..6b024d29eaf3 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
@@ -856,8 +856,11 @@ static int otx2_sq_init(struct otx2_nic *pfvf, u16 qidx, u16 sqb_aura)
if (pfvf->ptp) {
err = qmem_alloc(pfvf->dev, &sq->timestamps, qset->sqe_cnt,
sizeof(*sq->timestamps));
- if (err)
+ if (err) {
+ kfree(sq->sg);
+ sq->sg = NULL;
return err;
+ }
}
sq->head = 0;
@@ -872,7 +875,14 @@ static int otx2_sq_init(struct otx2_nic *pfvf, u16 qidx, u16 sqb_aura)
sq->stats.bytes = 0;
sq->stats.pkts = 0;
- return pfvf->hw_ops->sq_aq_init(pfvf, qidx, sqb_aura);
+ err = pfvf->hw_ops->sq_aq_init(pfvf, qidx, sqb_aura);
+ if (err) {
+ kfree(sq->sg);
+ sq->sg = NULL;
+ return err;
+ }
+
+ return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 310/476] hwmon: (aspeed-pwm-tacho) mutex for tach reading
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 309/476] octeontx2-pf: Fix a memleak otx2_sq_init Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 311/476] hwmon: (coretemp) Fix out-of-bounds memory access Greg Kroah-Hartman
` (175 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Loic Prylli, Alexander Hansen,
Guenter Roeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Loic Prylli <lprylli@netflix.com>
[ Upstream commit 1168491e7f53581ba7b6014a39a49cfbbb722feb ]
the ASPEED_PTCR_RESULT Register can only hold the result for a
single fan input. Adding a mutex to protect the register until the
reading is done.
Signed-off-by: Loic Prylli <lprylli@netflix.com>
Signed-off-by: Alexander Hansen <alexander.hansen@9elements.com>
Fixes: 2d7a548a3eff ("drivers: hwmon: Support for ASPEED PWM/Fan tach")
Link: https://lore.kernel.org/r/121d888762a1232ef403cf35230ccf7b3887083a.1699007401.git.alexander.hansen@9elements.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/aspeed-pwm-tacho.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/hwmon/aspeed-pwm-tacho.c b/drivers/hwmon/aspeed-pwm-tacho.c
index 3cb88d6fbec0..424613e5b14f 100644
--- a/drivers/hwmon/aspeed-pwm-tacho.c
+++ b/drivers/hwmon/aspeed-pwm-tacho.c
@@ -194,6 +194,8 @@ struct aspeed_pwm_tacho_data {
u8 fan_tach_ch_source[16];
struct aspeed_cooling_device *cdev[8];
const struct attribute_group *groups[3];
+ /* protects access to shared ASPEED_PTCR_RESULT */
+ struct mutex tach_lock;
};
enum type { TYPEM, TYPEN, TYPEO };
@@ -528,6 +530,8 @@ static int aspeed_get_fan_tach_ch_rpm(struct aspeed_pwm_tacho_data *priv,
u8 fan_tach_ch_source, type, mode, both;
int ret;
+ mutex_lock(&priv->tach_lock);
+
regmap_write(priv->regmap, ASPEED_PTCR_TRIGGER, 0);
regmap_write(priv->regmap, ASPEED_PTCR_TRIGGER, 0x1 << fan_tach_ch);
@@ -545,6 +549,8 @@ static int aspeed_get_fan_tach_ch_rpm(struct aspeed_pwm_tacho_data *priv,
ASPEED_RPM_STATUS_SLEEP_USEC,
usec);
+ mutex_unlock(&priv->tach_lock);
+
/* return -ETIMEDOUT if we didn't get an answer. */
if (ret)
return ret;
@@ -904,6 +910,7 @@ static int aspeed_pwm_tacho_probe(struct platform_device *pdev)
priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
+ mutex_init(&priv->tach_lock);
priv->regmap = devm_regmap_init(dev, NULL, (__force void *)regs,
&aspeed_pwm_tacho_regmap_config);
if (IS_ERR(priv->regmap))
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 311/476] hwmon: (coretemp) Fix out-of-bounds memory access
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 310/476] hwmon: (aspeed-pwm-tacho) mutex for tach reading Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 312/476] hwmon: (coretemp) Fix bogus core_id to attr name mapping Greg Kroah-Hartman
` (174 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Rui, Guenter Roeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Rui <rui.zhang@intel.com>
[ Upstream commit 4e440abc894585a34c2904a32cd54af1742311b3 ]
Fix a bug that pdata->cpu_map[] is set before out-of-bounds check.
The problem might be triggered on systems with more than 128 cores per
package.
Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value")
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240202092144.71180-2-rui.zhang@intel.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Stable-dep-of: fdaf0c8629d4 ("hwmon: (coretemp) Fix bogus core_id to attr name mapping")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/coretemp.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
index 5b2057ce5a59..7f6615ef8c88 100644
--- a/drivers/hwmon/coretemp.c
+++ b/drivers/hwmon/coretemp.c
@@ -467,18 +467,14 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu,
if (pkg_flag) {
attr_no = PKG_SYSFS_ATTR_NO;
} else {
- index = ida_alloc(&pdata->ida, GFP_KERNEL);
+ index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL);
if (index < 0)
return index;
+
pdata->cpu_map[index] = topology_core_id(cpu);
attr_no = index + BASE_SYSFS_ATTR_NO;
}
- if (attr_no > MAX_CORE_DATA - 1) {
- err = -ERANGE;
- goto ida_free;
- }
-
tdata = init_temp_data(cpu, pkg_flag);
if (!tdata) {
err = -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 312/476] hwmon: (coretemp) Fix bogus core_id to attr name mapping
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 311/476] hwmon: (coretemp) Fix out-of-bounds memory access Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 313/476] inet: read sk->sk_family once in inet_recv_error() Greg Kroah-Hartman
` (173 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Rui, Guenter Roeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Rui <rui.zhang@intel.com>
[ Upstream commit fdaf0c8629d4524a168cb9e4ad4231875749b28c ]
Before commit 7108b80a542b ("hwmon/coretemp: Handle large core ID
value"), there is a fixed mapping between
1. cpu_core_id
2. the index in pdata->core_data[] array
3. the sysfs attr name, aka "tempX_"
The later two always equal cpu_core_id + 2.
After the commit, pdata->core_data[] index is got from ida so that it
can handle sparse core ids and support more cores within a package.
However, the commit erroneously maps the sysfs attr name to
pdata->core_data[] index instead of cpu_core_id + 2.
As a result, the code is not aligned with the comments, and brings user
visible changes in hwmon sysfs on systems with sparse core id.
For example, before commit 7108b80a542b ("hwmon/coretemp: Handle large
core ID value"),
/sys/class/hwmon/hwmon2/temp2_label:Core 0
/sys/class/hwmon/hwmon2/temp3_label:Core 1
/sys/class/hwmon/hwmon2/temp4_label:Core 2
/sys/class/hwmon/hwmon2/temp5_label:Core 3
/sys/class/hwmon/hwmon2/temp6_label:Core 4
/sys/class/hwmon/hwmon3/temp10_label:Core 8
/sys/class/hwmon/hwmon3/temp11_label:Core 9
after commit,
/sys/class/hwmon/hwmon2/temp2_label:Core 0
/sys/class/hwmon/hwmon2/temp3_label:Core 1
/sys/class/hwmon/hwmon2/temp4_label:Core 2
/sys/class/hwmon/hwmon2/temp5_label:Core 3
/sys/class/hwmon/hwmon2/temp6_label:Core 4
/sys/class/hwmon/hwmon2/temp7_label:Core 8
/sys/class/hwmon/hwmon2/temp8_label:Core 9
Restore the previous behavior and rework the code, comments and variable
names to avoid future confusions.
Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value")
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Link: https://lore.kernel.org/r/20240202092144.71180-3-rui.zhang@intel.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/coretemp.c | 32 +++++++++++++++++++-------------
1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
index 7f6615ef8c88..d67d972d18aa 100644
--- a/drivers/hwmon/coretemp.c
+++ b/drivers/hwmon/coretemp.c
@@ -380,7 +380,7 @@ static int get_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev)
}
static int create_core_attrs(struct temp_data *tdata, struct device *dev,
- int attr_no)
+ int index)
{
int i;
static ssize_t (*const rd_ptr[TOTAL_ATTRS]) (struct device *dev,
@@ -392,13 +392,20 @@ static int create_core_attrs(struct temp_data *tdata, struct device *dev,
};
for (i = 0; i < tdata->attr_size; i++) {
+ /*
+ * We map the attr number to core id of the CPU
+ * The attr number is always core id + 2
+ * The Pkgtemp will always show up as temp1_*, if available
+ */
+ int attr_no = tdata->is_pkg_data ? 1 : tdata->cpu_core_id + 2;
+
snprintf(tdata->attr_name[i], CORETEMP_NAME_LENGTH,
"temp%d_%s", attr_no, suffixes[i]);
sysfs_attr_init(&tdata->sd_attrs[i].dev_attr.attr);
tdata->sd_attrs[i].dev_attr.attr.name = tdata->attr_name[i];
tdata->sd_attrs[i].dev_attr.attr.mode = 0444;
tdata->sd_attrs[i].dev_attr.show = rd_ptr[i];
- tdata->sd_attrs[i].index = attr_no;
+ tdata->sd_attrs[i].index = index;
tdata->attrs[i] = &tdata->sd_attrs[i].dev_attr.attr;
}
tdata->attr_group.attrs = tdata->attrs;
@@ -456,23 +463,22 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu,
struct platform_data *pdata = platform_get_drvdata(pdev);
struct cpuinfo_x86 *c = &cpu_data(cpu);
u32 eax, edx;
- int err, index, attr_no;
+ int err, index;
/*
- * Find attr number for sysfs:
- * We map the attr number to core id of the CPU
- * The attr number is always core id + 2
- * The Pkgtemp will always show up as temp1_*, if available
+ * Get the index of tdata in pdata->core_data[]
+ * tdata for package: pdata->core_data[1]
+ * tdata for core: pdata->core_data[2] .. pdata->core_data[NUM_REAL_CORES + 1]
*/
if (pkg_flag) {
- attr_no = PKG_SYSFS_ATTR_NO;
+ index = PKG_SYSFS_ATTR_NO;
} else {
index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL);
if (index < 0)
return index;
pdata->cpu_map[index] = topology_core_id(cpu);
- attr_no = index + BASE_SYSFS_ATTR_NO;
+ index += BASE_SYSFS_ATTR_NO;
}
tdata = init_temp_data(cpu, pkg_flag);
@@ -504,20 +510,20 @@ static int create_core_data(struct platform_device *pdev, unsigned int cpu,
}
}
- pdata->core_data[attr_no] = tdata;
+ pdata->core_data[index] = tdata;
/* Create sysfs interfaces */
- err = create_core_attrs(tdata, pdata->hwmon_dev, attr_no);
+ err = create_core_attrs(tdata, pdata->hwmon_dev, index);
if (err)
goto exit_free;
return 0;
exit_free:
- pdata->core_data[attr_no] = NULL;
+ pdata->core_data[index] = NULL;
kfree(tdata);
ida_free:
if (!pkg_flag)
- ida_free(&pdata->ida, index);
+ ida_free(&pdata->ida, index - BASE_SYSFS_ATTR_NO);
return err;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 313/476] inet: read sk->sk_family once in inet_recv_error()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 312/476] hwmon: (coretemp) Fix bogus core_id to attr name mapping Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 314/476] rxrpc: Fix response to PING RESPONSE ACKs to a dead call Greg Kroah-Hartman
` (172 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Willem de Bruijn,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ]
inet_recv_error() is called without holding the socket lock.
IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM
socket option and trigger a KCSAN warning.
Fixes: f4713a3dfad0 ("net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/af_inet.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 6f6c05f198da..487f75993bf4 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1605,10 +1605,12 @@ EXPORT_SYMBOL(inet_current_timestamp);
int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
{
- if (sk->sk_family == AF_INET)
+ unsigned int family = READ_ONCE(sk->sk_family);
+
+ if (family == AF_INET)
return ip_recv_error(sk, msg, len, addr_len);
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == AF_INET6)
+ if (family == AF_INET6)
return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len);
#endif
return -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 314/476] rxrpc: Fix response to PING RESPONSE ACKs to a dead call
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 313/476] inet: read sk->sk_family once in inet_recv_error() Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 315/476] tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Greg Kroah-Hartman
` (171 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
linux-afs, netdev, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 6f769f22822aa4124b556339781b04d810f0e038 ]
Stop rxrpc from sending a DUP ACK in response to a PING RESPONSE ACK on a
dead call. We may have initiated the ping but the call may have beaten the
response to completion.
Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rxrpc/conn_event.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index aab069701398..5d91ef562ff7 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -41,6 +41,14 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
_enter("%d", conn->debug_id);
+ if (sp && sp->hdr.type == RXRPC_PACKET_TYPE_ACK) {
+ if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
+ &pkt.ack, sizeof(pkt.ack)) < 0)
+ return;
+ if (pkt.ack.reason == RXRPC_ACK_PING_RESPONSE)
+ return;
+ }
+
chan = &conn->channels[channel];
/* If the last call got moved on whilst we were waiting to run, just
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 315/476] tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 314/476] rxrpc: Fix response to PING RESPONSE ACKs to a dead call Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 316/476] af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC Greg Kroah-Hartman
` (170 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shigeru Yoshida, Tung Nguyen,
Paolo Abeni, Sasha Levin, syzbot+5142b87a9abc510e14fa
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit 3871aa01e1a779d866fa9dfdd5a836f342f4eb87 ]
syzbot reported the following general protection fault [1]:
general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
...
RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291
...
Call Trace:
<TASK>
tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646
tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089
genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367
netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The cause of this issue is that when tipc_nl_bearer_add() is called with
the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called
even if the bearer is not UDP.
tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that
the media_ptr field of the tipc_bearer has an udp_bearer type object, so
the function goes crazy for non-UDP bearers.
This patch fixes the issue by checking the bearer type before calling
tipc_udp_nl_bearer_add() in tipc_nl_bearer_add().
Fixes: ef20cd4dd163 ("tipc: introduce UDP replicast")
Reported-and-tested-by: syzbot+5142b87a9abc510e14fa@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5142b87a9abc510e14fa [1]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/20240131152310.4089541-1-syoshida@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/bearer.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index dcbae29aa7e0..17e8e6e3670a 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -1088,6 +1088,12 @@ int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info)
#ifdef CONFIG_TIPC_MEDIA_UDP
if (attrs[TIPC_NLA_BEARER_UDP_OPTS]) {
+ if (b->media->type_id != TIPC_MEDIA_TYPE_UDP) {
+ rtnl_unlock();
+ NL_SET_ERR_MSG(info->extack, "UDP option is unsupported");
+ return -EINVAL;
+ }
+
err = tipc_udp_nl_bearer_add(b,
attrs[TIPC_NLA_BEARER_UDP_OPTS]);
if (err) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 316/476] af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 315/476] tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 317/476] ppp_async: limit MRU to 64K Greg Kroah-Hartman
` (169 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+fa3ef895554bdbfd1183,
Kuniyuki Iwashima, Eric Dumazet, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 1279f9d9dec2d7462823a18c29ad61359e0a007d ]
syzbot reported a warning [0] in __unix_gc() with a repro, which
creates a socketpair and sends one socket's fd to itself using the
peer.
socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}],
msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,
cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],
msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1
This forms a self-cyclic reference that GC should finally untangle
but does not due to lack of MSG_OOB handling, resulting in memory
leak.
Recently, commit 11498715f266 ("af_unix: Remove io_uring code for
GC.") removed io_uring's dead code in GC and revealed the problem.
The code was executed at the final stage of GC and unconditionally
moved all GC candidates from gc_candidates to gc_inflight_list.
That papered over the reported problem by always making the following
WARN_ON_ONCE(!list_empty(&gc_candidates)) false.
The problem has been there since commit 2aab4b969002 ("af_unix: fix
struct pid leaks in OOB support") added full scm support for MSG_OOB
while fixing another bug.
To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb
if the socket still exists in gc_candidates after purging collected skb.
Then, we need to set NULL to oob_skb before calling kfree_skb() because
it calls last fput() and triggers unix_release_sock(), where we call
duplicate kfree_skb(u->oob_skb) if not NULL.
Note that the leaked socket remained being linked to a global list, so
kmemleak also could not detect it. We need to check /proc/net/protocol
to notice the unfreed socket.
[0]:
WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345
Modules linked in:
CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound __unix_gc
RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345
Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8
RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e
RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30
RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66
R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000
R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
kthread+0x2c6/0x3b0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>
Reported-by: syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183
Fixes: 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240203183149.63573-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/garbage.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index dc2763540393..767b338a7a2d 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -314,6 +314,17 @@ void unix_gc(void)
/* Here we are. Hitlist is filled. Die. */
__skb_queue_purge(&hitlist);
+#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+ list_for_each_entry_safe(u, next, &gc_candidates, link) {
+ struct sk_buff *skb = u->oob_skb;
+
+ if (skb) {
+ u->oob_skb = NULL;
+ kfree_skb(skb);
+ }
+ }
+#endif
+
spin_lock(&unix_gc_lock);
/* There could be io_uring registered files, just push them back to
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 317/476] ppp_async: limit MRU to 64K
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 316/476] af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 318/476] netfilter: nft_compat: reject unused compat flag Greg Kroah-Hartman
` (168 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Willem de Bruijn,
Jakub Kicinski, Sasha Levin, syzbot+c5da1f087c9e4ec6c933
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit cb88cb53badb8aeb3955ad6ce80b07b598e310b8 ]
syzbot triggered a warning [1] in __alloc_pages():
WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)
Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")
Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)
[1]:
WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
Modules linked in:
CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: events_unbound flush_to_ldisc
pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537
sp : ffff800093967580
x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000
x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0
x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8
x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120
x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005
x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000
x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001
x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0
Call trace:
__alloc_pages+0x308/0x698 mm/page_alloc.c:4543
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
__kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926
__do_kmalloc_node mm/slub.c:3969 [inline]
__kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001
kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590
__alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651
__netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715
netdev_alloc_skb include/linux/skbuff.h:3235 [inline]
dev_alloc_skb include/linux/skbuff.h:3248 [inline]
ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]
ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341
tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390
tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:444 [inline]
flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494
process_one_work+0x694/0x1204 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2787
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+c5da1f087c9e4ec6c933@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20240205171004.1059724-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_async.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c
index 29a93d6bfe37..4a5c749ba223 100644
--- a/drivers/net/ppp/ppp_async.c
+++ b/drivers/net/ppp/ppp_async.c
@@ -471,6 +471,10 @@ ppp_async_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg)
case PPPIOCSMRU:
if (get_user(val, p))
break;
+ if (val > U16_MAX) {
+ err = -EINVAL;
+ break;
+ }
if (val < PPP_MRU)
val = PPP_MRU;
ap->mru = val;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 318/476] netfilter: nft_compat: reject unused compat flag
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 317/476] ppp_async: limit MRU to 64K Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 319/476] netfilter: nft_compat: restrict match/target protocol to u16 Greg Kroah-Hartman
` (167 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 292781c3c5485ce33bd22b2ef1b2bed709b4d672 ]
Flag (1 << 0) is ignored is set, never used, reject it it with EINVAL
instead.
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_compat.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 07871c8a0601..62cc780a168a 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -266,9 +266,11 @@ enum nft_rule_attributes {
/**
* enum nft_rule_compat_flags - nf_tables rule compat flags
*
+ * @NFT_RULE_COMPAT_F_UNUSED: unused
* @NFT_RULE_COMPAT_F_INV: invert the check result
*/
enum nft_rule_compat_flags {
+ NFT_RULE_COMPAT_F_UNUSED = (1 << 0),
NFT_RULE_COMPAT_F_INV = (1 << 1),
NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV,
};
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 3fb8d7fb21af..4ef664a2bbe6 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -212,7 +212,8 @@ static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)
return -EINVAL;
flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS]));
- if (flags & ~NFT_RULE_COMPAT_F_MASK)
+ if (flags & NFT_RULE_COMPAT_F_UNUSED ||
+ flags & ~NFT_RULE_COMPAT_F_MASK)
return -EINVAL;
if (flags & NFT_RULE_COMPAT_F_INV)
*inv = true;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 319/476] netfilter: nft_compat: restrict match/target protocol to u16
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 318/476] netfilter: nft_compat: reject unused compat flag Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 320/476] drm/amd/display: Fix multiple memory leaks reported by coverity Greg Kroah-Hartman
` (166 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit d694b754894c93fb4d71a7f3699439dec111decc ]
xt_check_{match,target} expects u16, but NFTA_RULE_COMPAT_PROTO is u32.
NLA_POLICY_MAX(NLA_BE32, 65535) cannot be used because .max in
nla_policy is s16, see 3e48be05f3c7 ("netlink: add attribute range
validation to policy").
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_compat.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 4ef664a2bbe6..64a2a5f19589 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -200,6 +200,7 @@ static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1]
static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)
{
struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
+ u32 l4proto;
u32 flags;
int err;
@@ -218,7 +219,12 @@ static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)
if (flags & NFT_RULE_COMPAT_F_INV)
*inv = true;
- *proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
+ l4proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
+ if (l4proto > U16_MAX)
+ return -EINVAL;
+
+ *proto = l4proto;
+
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 320/476] drm/amd/display: Fix multiple memory leaks reported by coverity
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 319/476] netfilter: nft_compat: restrict match/target protocol to u16 Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 321/476] drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Greg Kroah-Hartman
` (165 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aurabindo Jayamohanan Pillai,
Mikita Lipski, Anson Jacob, Daniel Wheeler, Alex Deucher,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anson Jacob <Anson.Jacob@amd.com>
[ Upstream commit 7b89bf83181363a84f86da787159ddbbef505b8c ]
coccinelle patch used:
@@ expression enc1,vpg,afmt; @@
- if (!enc1 || !vpg || !afmt)
+ if (!enc1 || !vpg || !afmt) {
+ kfree(enc1);
+ kfree(vpg);
+ kfree(afmt);
return NULL;
+ }
Addresses-Coverity-ID: 1466017: ("Resource leaks")
Reviewed-by: Aurabindo Jayamohanan Pillai <Aurabindo.Pillai@amd.com>
Acked-by: Mikita Lipski <mikita.lipski@amd.com>
Signed-off-by: Anson Jacob <Anson.Jacob@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 58fca355ad37 ("drm/amd/display: Implement bounds check for stream encoder creation in DCN301")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 6 +++++-
drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 6 +++++-
drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c | 6 +++++-
drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 6 +++++-
4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
index 735c92a5aa36..e8d4a8044d1f 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
@@ -1164,8 +1164,12 @@ struct stream_encoder *dcn30_stream_encoder_create(
vpg = dcn30_vpg_create(ctx, vpg_inst);
afmt = dcn30_afmt_create(ctx, afmt_inst);
- if (!enc1 || !vpg || !afmt)
+ if (!enc1 || !vpg || !afmt) {
+ kfree(enc1);
+ kfree(vpg);
+ kfree(afmt);
return NULL;
+ }
dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
eng_id, vpg, afmt,
diff --git a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
index dea358b01791..b6c363b462a7 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
@@ -1195,8 +1195,12 @@ struct stream_encoder *dcn301_stream_encoder_create(
vpg = dcn301_vpg_create(ctx, vpg_inst);
afmt = dcn301_afmt_create(ctx, afmt_inst);
- if (!enc1 || !vpg || !afmt)
+ if (!enc1 || !vpg || !afmt) {
+ kfree(enc1);
+ kfree(vpg);
+ kfree(afmt);
return NULL;
+ }
dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
eng_id, vpg, afmt,
diff --git a/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c b/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c
index 2292bb82026e..7f04042d2213 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c
@@ -542,8 +542,12 @@ static struct stream_encoder *dcn302_stream_encoder_create(enum engine_id eng_id
vpg = dcn302_vpg_create(ctx, vpg_inst);
afmt = dcn302_afmt_create(ctx, afmt_inst);
- if (!enc1 || !vpg || !afmt)
+ if (!enc1 || !vpg || !afmt) {
+ kfree(enc1);
+ kfree(vpg);
+ kfree(afmt);
return NULL;
+ }
dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, eng_id, vpg, afmt, &stream_enc_regs[eng_id],
&se_shift, &se_mask);
diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
index e224c5213258..4f7bc8829b20 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
@@ -1291,8 +1291,12 @@ static struct stream_encoder *dcn31_stream_encoder_create(
vpg = dcn31_vpg_create(ctx, vpg_inst);
afmt = dcn31_afmt_create(ctx, afmt_inst);
- if (!enc1 || !vpg || !afmt)
+ if (!enc1 || !vpg || !afmt) {
+ kfree(enc1);
+ kfree(vpg);
+ kfree(afmt);
return NULL;
+ }
dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
eng_id, vpg, afmt,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 321/476] drm/amd/display: Implement bounds check for stream encoder creation in DCN301
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 320/476] drm/amd/display: Fix multiple memory leaks reported by coverity Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 322/476] netfilter: nft_ct: reject direction for ct id Greg Kroah-Hartman
` (164 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roman Li, Rodrigo Siqueira,
Aurabindo Pillai, Srinivasan Shanmugam, Roman Li, Alex Deucher,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit 58fca355ad37dcb5f785d9095db5f748b79c5dc2 ]
'stream_enc_regs' array is an array of dcn10_stream_enc_registers
structures. The array is initialized with four elements, corresponding
to the four calls to stream_enc_regs() in the array initializer. This
means that valid indices for this array are 0, 1, 2, and 3.
The error message 'stream_enc_regs' 4 <= 5 below, is indicating that
there is an attempt to access this array with an index of 5, which is
out of bounds. This could lead to undefined behavior
Here, eng_id is used as an index to access the stream_enc_regs array. If
eng_id is 5, this would result in an out-of-bounds access on the
stream_enc_regs array.
Thus fixing Buffer overflow error in dcn301_stream_encoder_create
reported by Smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5
Fixes: 3a83e4e64bb1 ("drm/amd/display: Add dcn3.01 support to DC (v2)")
Cc: Roman Li <Roman.Li@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Roman Li <roman.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
index b6c363b462a7..a24f1c215da9 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
@@ -1195,7 +1195,7 @@ struct stream_encoder *dcn301_stream_encoder_create(
vpg = dcn301_vpg_create(ctx, vpg_inst);
afmt = dcn301_afmt_create(ctx, afmt_inst);
- if (!enc1 || !vpg || !afmt) {
+ if (!enc1 || !vpg || !afmt || eng_id >= ARRAY_SIZE(stream_enc_regs)) {
kfree(enc1);
kfree(vpg);
kfree(afmt);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 322/476] netfilter: nft_ct: reject direction for ct id
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 321/476] drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 323/476] netfilter: nft_set_pipapo: store index in scratch maps Greg Kroah-Hartman
` (163 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 38ed1c7062ada30d7c11e7a7acc749bf27aa14aa ]
Direction attribute is ignored, reject it in case this ever needs to be
supported
Fixes: 3087c3f7c23b ("netfilter: nft_ct: Add ct id support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_ct.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index d8fd7e487e47..7c667629c514 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -483,6 +483,9 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
break;
#endif
case NFT_CT_ID:
+ if (tb[NFTA_CT_DIRECTION])
+ return -EINVAL;
+
len = sizeof(u32);
break;
default:
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 323/476] netfilter: nft_set_pipapo: store index in scratch maps
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 322/476] netfilter: nft_ct: reject direction for ct id Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 324/476] netfilter: nft_set_pipapo: add helper to release pcpu scratch area Greg Kroah-Hartman
` (162 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Brivio, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 76313d1a4aa9e30d5b43dee5efd8bcd4d8250006 ]
Pipapo needs a scratchpad area to keep state during matching.
This state can be large and thus cannot reside on stack.
Each set preallocates percpu areas for this.
On each match stage, one scratchpad half starts with all-zero and the other
is inited to all-ones.
At the end of each stage, the half that starts with all-ones is
always zero. Before next field is tested, pointers to the two halves
are swapped, i.e. resmap pointer turns into fill pointer and vice versa.
After the last field has been processed, pipapo stashes the
index toggle in a percpu variable, with assumption that next packet
will start with the all-zero half and sets all bits in the other to 1.
This isn't reliable.
There can be multiple sets and we can't be sure that the upper
and lower half of all set scratch map is always in sync (lookups
can be conditional), so one set might have swapped, but other might
not have been queried.
Thus we need to keep the index per-set-and-cpu, just like the
scratchpad.
Note that this bug fix is incomplete, there is a related issue.
avx2 and normal implementation might use slightly different areas of the
map array space due to the avx2 alignment requirements, so
m->scratch (generic/fallback implementation) and ->scratch_aligned
(avx) may partially overlap. scratch and scratch_aligned are not distinct
objects, the latter is just the aligned address of the former.
After this change, write to scratch_align->map_index may write to
scratch->map, so this issue becomes more prominent, we can set to 1
a bit in the supposedly-all-zero area of scratch->map[].
A followup patch will remove the scratch_aligned and makes generic and
avx code use the same (aligned) area.
Its done in a separate change to ease review.
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo.c | 41 ++++++++++++++++++-----------
net/netfilter/nft_set_pipapo.h | 14 ++++++++--
net/netfilter/nft_set_pipapo_avx2.c | 15 +++++------
3 files changed, 44 insertions(+), 26 deletions(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 4e1cc31729b8..fbd0dbf9b965 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -342,9 +342,6 @@
#include "nft_set_pipapo_avx2.h"
#include "nft_set_pipapo.h"
-/* Current working bitmap index, toggled between field matches */
-static DEFINE_PER_CPU(bool, nft_pipapo_scratch_index);
-
/**
* pipapo_refill() - For each set bit, set bits from selected mapping table item
* @map: Bitmap to be scanned for set bits
@@ -412,6 +409,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
const u32 *key, const struct nft_set_ext **ext)
{
struct nft_pipapo *priv = nft_set_priv(set);
+ struct nft_pipapo_scratch *scratch;
unsigned long *res_map, *fill_map;
u8 genmask = nft_genmask_cur(net);
const u8 *rp = (const u8 *)key;
@@ -422,15 +420,17 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
local_bh_disable();
- map_index = raw_cpu_read(nft_pipapo_scratch_index);
-
m = rcu_dereference(priv->match);
if (unlikely(!m || !*raw_cpu_ptr(m->scratch)))
goto out;
- res_map = *raw_cpu_ptr(m->scratch) + (map_index ? m->bsize_max : 0);
- fill_map = *raw_cpu_ptr(m->scratch) + (map_index ? 0 : m->bsize_max);
+ scratch = *raw_cpu_ptr(m->scratch);
+
+ map_index = scratch->map_index;
+
+ res_map = scratch->map + (map_index ? m->bsize_max : 0);
+ fill_map = scratch->map + (map_index ? 0 : m->bsize_max);
memset(res_map, 0xff, m->bsize_max * sizeof(*res_map));
@@ -460,7 +460,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
b = pipapo_refill(res_map, f->bsize, f->rules, fill_map, f->mt,
last);
if (b < 0) {
- raw_cpu_write(nft_pipapo_scratch_index, map_index);
+ scratch->map_index = map_index;
local_bh_enable();
return false;
@@ -477,7 +477,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
* current inactive bitmap is clean and can be reused as
* *next* bitmap (not initial) for the next packet.
*/
- raw_cpu_write(nft_pipapo_scratch_index, map_index);
+ scratch->map_index = map_index;
local_bh_enable();
return true;
@@ -1114,12 +1114,12 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone,
int i;
for_each_possible_cpu(i) {
- unsigned long *scratch;
+ struct nft_pipapo_scratch *scratch;
#ifdef NFT_PIPAPO_ALIGN
- unsigned long *scratch_aligned;
+ void *scratch_aligned;
#endif
-
- scratch = kzalloc_node(bsize_max * sizeof(*scratch) * 2 +
+ scratch = kzalloc_node(struct_size(scratch, map,
+ bsize_max * 2) +
NFT_PIPAPO_ALIGN_HEADROOM,
GFP_KERNEL, cpu_to_node(i));
if (!scratch) {
@@ -1138,7 +1138,16 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone,
*per_cpu_ptr(clone->scratch, i) = scratch;
#ifdef NFT_PIPAPO_ALIGN
- scratch_aligned = NFT_PIPAPO_LT_ALIGN(scratch);
+ /* Align &scratch->map (not the struct itself): the extra
+ * %NFT_PIPAPO_ALIGN_HEADROOM bytes passed to kzalloc_node()
+ * above guarantee we can waste up to those bytes in order
+ * to align the map field regardless of its offset within
+ * the struct.
+ */
+ BUILD_BUG_ON(offsetof(struct nft_pipapo_scratch, map) > NFT_PIPAPO_ALIGN_HEADROOM);
+
+ scratch_aligned = NFT_PIPAPO_LT_ALIGN(&scratch->map);
+ scratch_aligned -= offsetof(struct nft_pipapo_scratch, map);
*per_cpu_ptr(clone->scratch_aligned, i) = scratch_aligned;
#endif
}
@@ -2132,7 +2141,7 @@ static int nft_pipapo_init(const struct nft_set *set,
m->field_count = field_count;
m->bsize_max = 0;
- m->scratch = alloc_percpu(unsigned long *);
+ m->scratch = alloc_percpu(struct nft_pipapo_scratch *);
if (!m->scratch) {
err = -ENOMEM;
goto out_scratch;
@@ -2141,7 +2150,7 @@ static int nft_pipapo_init(const struct nft_set *set,
*per_cpu_ptr(m->scratch, i) = NULL;
#ifdef NFT_PIPAPO_ALIGN
- m->scratch_aligned = alloc_percpu(unsigned long *);
+ m->scratch_aligned = alloc_percpu(struct nft_pipapo_scratch *);
if (!m->scratch_aligned) {
err = -ENOMEM;
goto out_free;
diff --git a/net/netfilter/nft_set_pipapo.h b/net/netfilter/nft_set_pipapo.h
index 25a75591583e..de96e1a01dc0 100644
--- a/net/netfilter/nft_set_pipapo.h
+++ b/net/netfilter/nft_set_pipapo.h
@@ -130,6 +130,16 @@ struct nft_pipapo_field {
union nft_pipapo_map_bucket *mt;
};
+/**
+ * struct nft_pipapo_scratch - percpu data used for lookup and matching
+ * @map_index: Current working bitmap index, toggled between field matches
+ * @map: store partial matching results during lookup
+ */
+struct nft_pipapo_scratch {
+ u8 map_index;
+ unsigned long map[];
+};
+
/**
* struct nft_pipapo_match - Data used for lookup and matching
* @field_count Amount of fields in set
@@ -142,9 +152,9 @@ struct nft_pipapo_field {
struct nft_pipapo_match {
int field_count;
#ifdef NFT_PIPAPO_ALIGN
- unsigned long * __percpu *scratch_aligned;
+ struct nft_pipapo_scratch * __percpu *scratch_aligned;
#endif
- unsigned long * __percpu *scratch;
+ struct nft_pipapo_scratch * __percpu *scratch;
size_t bsize_max;
struct rcu_head rcu;
struct nft_pipapo_field f[];
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index 6f4116e72958..e608973587ee 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -71,9 +71,6 @@
#define NFT_PIPAPO_AVX2_ZERO(reg) \
asm volatile("vpxor %ymm" #reg ", %ymm" #reg ", %ymm" #reg)
-/* Current working bitmap index, toggled between field matches */
-static DEFINE_PER_CPU(bool, nft_pipapo_avx2_scratch_index);
-
/**
* nft_pipapo_avx2_prepare() - Prepare before main algorithm body
*
@@ -1122,11 +1119,12 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
const u32 *key, const struct nft_set_ext **ext)
{
struct nft_pipapo *priv = nft_set_priv(set);
- unsigned long *res, *fill, *scratch;
+ struct nft_pipapo_scratch *scratch;
u8 genmask = nft_genmask_cur(net);
const u8 *rp = (const u8 *)key;
struct nft_pipapo_match *m;
struct nft_pipapo_field *f;
+ unsigned long *res, *fill;
bool map_index;
int i, ret = 0;
@@ -1148,10 +1146,11 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
kernel_fpu_end();
return false;
}
- map_index = raw_cpu_read(nft_pipapo_avx2_scratch_index);
- res = scratch + (map_index ? m->bsize_max : 0);
- fill = scratch + (map_index ? 0 : m->bsize_max);
+ map_index = scratch->map_index;
+
+ res = scratch->map + (map_index ? m->bsize_max : 0);
+ fill = scratch->map + (map_index ? 0 : m->bsize_max);
/* Starting map doesn't need to be set for this implementation */
@@ -1223,7 +1222,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
out:
if (i % 2)
- raw_cpu_write(nft_pipapo_avx2_scratch_index, !map_index);
+ scratch->map_index = !map_index;
kernel_fpu_end();
return ret >= 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 324/476] netfilter: nft_set_pipapo: add helper to release pcpu scratch area
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 323/476] netfilter: nft_set_pipapo: store index in scratch maps Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 325/476] netfilter: nft_set_pipapo: remove scratch_aligned pointer Greg Kroah-Hartman
` (161 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Brivio, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 47b1c03c3c1a119435480a1e73f27197dc59131d ]
After next patch simple kfree() is not enough anymore, so add
a helper for it.
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 5a8cdf6fd860 ("netfilter: nft_set_pipapo: remove scratch_aligned pointer")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index fbd0dbf9b965..977bf724fb7e 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1101,6 +1101,24 @@ static void pipapo_map(struct nft_pipapo_match *m,
f->mt[map[i].to + j].e = e;
}
+/**
+ * pipapo_free_scratch() - Free per-CPU map at original (not aligned) address
+ * @m: Matching data
+ * @cpu: CPU number
+ */
+static void pipapo_free_scratch(const struct nft_pipapo_match *m, unsigned int cpu)
+{
+ struct nft_pipapo_scratch *s;
+ void *mem;
+
+ s = *per_cpu_ptr(m->scratch, cpu);
+ if (!s)
+ return;
+
+ mem = s;
+ kfree(mem);
+}
+
/**
* pipapo_realloc_scratch() - Reallocate scratch maps for partial match results
* @clone: Copy of matching data with pending insertions and deletions
@@ -1133,7 +1151,7 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone,
return -ENOMEM;
}
- kfree(*per_cpu_ptr(clone->scratch, i));
+ pipapo_free_scratch(clone, i);
*per_cpu_ptr(clone->scratch, i) = scratch;
@@ -1359,7 +1377,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
}
out_scratch_realloc:
for_each_possible_cpu(i)
- kfree(*per_cpu_ptr(new->scratch, i));
+ pipapo_free_scratch(new, i);
#ifdef NFT_PIPAPO_ALIGN
free_percpu(new->scratch_aligned);
#endif
@@ -1647,7 +1665,7 @@ static void pipapo_free_match(struct nft_pipapo_match *m)
int i;
for_each_possible_cpu(i)
- kfree(*per_cpu_ptr(m->scratch, i));
+ pipapo_free_scratch(m, i);
#ifdef NFT_PIPAPO_ALIGN
free_percpu(m->scratch_aligned);
@@ -2249,7 +2267,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,
free_percpu(m->scratch_aligned);
#endif
for_each_possible_cpu(cpu)
- kfree(*per_cpu_ptr(m->scratch, cpu));
+ pipapo_free_scratch(m, cpu);
free_percpu(m->scratch);
pipapo_free_fields(m);
kfree(m);
@@ -2266,7 +2284,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,
free_percpu(priv->clone->scratch_aligned);
#endif
for_each_possible_cpu(cpu)
- kfree(*per_cpu_ptr(priv->clone->scratch, cpu));
+ pipapo_free_scratch(priv->clone, cpu);
free_percpu(priv->clone->scratch);
pipapo_free_fields(priv->clone);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 325/476] netfilter: nft_set_pipapo: remove scratch_aligned pointer
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 324/476] netfilter: nft_set_pipapo: add helper to release pcpu scratch area Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 326/476] fs/ntfs3: Fix an NULL dereference bug Greg Kroah-Hartman
` (160 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Brivio, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 5a8cdf6fd860ac5e6d08d72edbcecee049a7fec4 ]
use ->scratch for both avx2 and the generic implementation.
After previous change the scratch->map member is always aligned properly
for AVX2, so we can just use scratch->map in AVX2 too.
The alignoff delta is stored in the scratchpad so we can reconstruct
the correct address to free the area again.
Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo.c | 41 +++++------------------------
net/netfilter/nft_set_pipapo.h | 6 ++---
net/netfilter/nft_set_pipapo_avx2.c | 2 +-
3 files changed, 10 insertions(+), 39 deletions(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 977bf724fb7e..e1969209b3ab 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1116,6 +1116,7 @@ static void pipapo_free_scratch(const struct nft_pipapo_match *m, unsigned int c
return;
mem = s;
+ mem -= s->align_off;
kfree(mem);
}
@@ -1135,6 +1136,7 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone,
struct nft_pipapo_scratch *scratch;
#ifdef NFT_PIPAPO_ALIGN
void *scratch_aligned;
+ u32 align_off;
#endif
scratch = kzalloc_node(struct_size(scratch, map,
bsize_max * 2) +
@@ -1153,8 +1155,6 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone,
pipapo_free_scratch(clone, i);
- *per_cpu_ptr(clone->scratch, i) = scratch;
-
#ifdef NFT_PIPAPO_ALIGN
/* Align &scratch->map (not the struct itself): the extra
* %NFT_PIPAPO_ALIGN_HEADROOM bytes passed to kzalloc_node()
@@ -1166,8 +1166,12 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone,
scratch_aligned = NFT_PIPAPO_LT_ALIGN(&scratch->map);
scratch_aligned -= offsetof(struct nft_pipapo_scratch, map);
- *per_cpu_ptr(clone->scratch_aligned, i) = scratch_aligned;
+ align_off = scratch_aligned - (void *)scratch;
+
+ scratch = scratch_aligned;
+ scratch->align_off = align_off;
#endif
+ *per_cpu_ptr(clone->scratch, i) = scratch;
}
return 0;
@@ -1321,11 +1325,6 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
if (!new->scratch)
goto out_scratch;
-#ifdef NFT_PIPAPO_ALIGN
- new->scratch_aligned = alloc_percpu(*new->scratch_aligned);
- if (!new->scratch_aligned)
- goto out_scratch;
-#endif
for_each_possible_cpu(i)
*per_cpu_ptr(new->scratch, i) = NULL;
@@ -1378,9 +1377,6 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
out_scratch_realloc:
for_each_possible_cpu(i)
pipapo_free_scratch(new, i);
-#ifdef NFT_PIPAPO_ALIGN
- free_percpu(new->scratch_aligned);
-#endif
out_scratch:
free_percpu(new->scratch);
kfree(new);
@@ -1667,11 +1663,7 @@ static void pipapo_free_match(struct nft_pipapo_match *m)
for_each_possible_cpu(i)
pipapo_free_scratch(m, i);
-#ifdef NFT_PIPAPO_ALIGN
- free_percpu(m->scratch_aligned);
-#endif
free_percpu(m->scratch);
-
pipapo_free_fields(m);
kfree(m);
@@ -2167,16 +2159,6 @@ static int nft_pipapo_init(const struct nft_set *set,
for_each_possible_cpu(i)
*per_cpu_ptr(m->scratch, i) = NULL;
-#ifdef NFT_PIPAPO_ALIGN
- m->scratch_aligned = alloc_percpu(struct nft_pipapo_scratch *);
- if (!m->scratch_aligned) {
- err = -ENOMEM;
- goto out_free;
- }
- for_each_possible_cpu(i)
- *per_cpu_ptr(m->scratch_aligned, i) = NULL;
-#endif
-
rcu_head_init(&m->rcu);
nft_pipapo_for_each_field(f, i, m) {
@@ -2207,9 +2189,6 @@ static int nft_pipapo_init(const struct nft_set *set,
return 0;
out_free:
-#ifdef NFT_PIPAPO_ALIGN
- free_percpu(m->scratch_aligned);
-#endif
free_percpu(m->scratch);
out_scratch:
kfree(m);
@@ -2263,9 +2242,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,
nft_set_pipapo_match_destroy(ctx, set, m);
-#ifdef NFT_PIPAPO_ALIGN
- free_percpu(m->scratch_aligned);
-#endif
for_each_possible_cpu(cpu)
pipapo_free_scratch(m, cpu);
free_percpu(m->scratch);
@@ -2280,9 +2256,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,
if (priv->dirty)
nft_set_pipapo_match_destroy(ctx, set, m);
-#ifdef NFT_PIPAPO_ALIGN
- free_percpu(priv->clone->scratch_aligned);
-#endif
for_each_possible_cpu(cpu)
pipapo_free_scratch(priv->clone, cpu);
free_percpu(priv->clone->scratch);
diff --git a/net/netfilter/nft_set_pipapo.h b/net/netfilter/nft_set_pipapo.h
index de96e1a01dc0..30a3d092cd84 100644
--- a/net/netfilter/nft_set_pipapo.h
+++ b/net/netfilter/nft_set_pipapo.h
@@ -133,10 +133,12 @@ struct nft_pipapo_field {
/**
* struct nft_pipapo_scratch - percpu data used for lookup and matching
* @map_index: Current working bitmap index, toggled between field matches
+ * @align_off: Offset to get the originally allocated address
* @map: store partial matching results during lookup
*/
struct nft_pipapo_scratch {
u8 map_index;
+ u32 align_off;
unsigned long map[];
};
@@ -144,16 +146,12 @@ struct nft_pipapo_scratch {
* struct nft_pipapo_match - Data used for lookup and matching
* @field_count Amount of fields in set
* @scratch: Preallocated per-CPU maps for partial matching results
- * @scratch_aligned: Version of @scratch aligned to NFT_PIPAPO_ALIGN bytes
* @bsize_max: Maximum lookup table bucket size of all fields, in longs
* @rcu Matching data is swapped on commits
* @f: Fields, with lookup and mapping tables
*/
struct nft_pipapo_match {
int field_count;
-#ifdef NFT_PIPAPO_ALIGN
- struct nft_pipapo_scratch * __percpu *scratch_aligned;
-#endif
struct nft_pipapo_scratch * __percpu *scratch;
size_t bsize_max;
struct rcu_head rcu;
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index e608973587ee..0d9f8e79eb00 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1141,7 +1141,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
*/
kernel_fpu_begin_mask(0);
- scratch = *raw_cpu_ptr(m->scratch_aligned);
+ scratch = *raw_cpu_ptr(m->scratch);
if (unlikely(!scratch)) {
kernel_fpu_end();
return false;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 326/476] fs/ntfs3: Fix an NULL dereference bug
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 325/476] netfilter: nft_set_pipapo: remove scratch_aligned pointer Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 327/476] scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Greg Kroah-Hartman
` (159 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Konstantin Komarov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit b2dd7b953c25ffd5912dda17e980e7168bebcf6c ]
The issue here is when this is called from ntfs_load_attr_list(). The
"size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow
on a 64bit systems but on 32bit systems the "+ 1023" can overflow and
the result is zero. This means that the kmalloc will succeed by
returning the ZERO_SIZE_PTR and then the memcpy() will crash with an
Oops on the next line.
Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/ntfs_fs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
index 510ed2ea1c48..981276500043 100644
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -468,7 +468,7 @@ bool al_delete_le(struct ntfs_inode *ni, enum ATTR_TYPE type, CLST vcn,
int al_update(struct ntfs_inode *ni, int sync);
static inline size_t al_aligned(size_t size)
{
- return (size + 1023) & ~(size_t)1023;
+ return size_add(size, 1023) & ~(size_t)1023;
}
/* Globals from bitfunc.c */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 327/476] scsi: core: Move scsi_host_busy() out of host lock if it is for per-command
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 326/476] fs/ntfs3: Fix an NULL dereference bug Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 328/476] blk-iocost: Fix an UBSAN shift-out-of-bounds warning Greg Kroah-Hartman
` (158 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sathya Prakash Veerichetty,
Bart Van Assche, Ewan D. Milne, Ming Lei, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 4e6c9011990726f4d175e2cdfebe5b0b8cce4839 ]
Commit 4373534a9850 ("scsi: core: Move scsi_host_busy() out of host lock
for waking up EH handler") intended to fix a hard lockup issue triggered by
EH. The core idea was to move scsi_host_busy() out of the host lock when
processing individual commands for EH. However, a suggested style change
inadvertently caused scsi_host_busy() to remain under the host lock. Fix
this by calling scsi_host_busy() outside the lock.
Fixes: 4373534a9850 ("scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler")
Cc: Sathya Prakash Veerichetty <safhya.prakash@broadcom.com>
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20240203024521.2006455-1-ming.lei@redhat.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_error.c | 3 ++-
drivers/scsi/scsi_lib.c | 4 +++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index ffd3d8df3d82..2d5dc488f511 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -276,11 +276,12 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head)
{
struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu);
struct Scsi_Host *shost = scmd->device->host;
+ unsigned int busy = scsi_host_busy(shost);
unsigned long flags;
spin_lock_irqsave(shost->host_lock, flags);
shost->host_failed++;
- scsi_eh_wakeup(shost, scsi_host_busy(shost));
+ scsi_eh_wakeup(shost, busy);
spin_unlock_irqrestore(shost->host_lock, flags);
}
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index e9ab87335115..0389bf281f4b 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -281,9 +281,11 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd)
rcu_read_lock();
__clear_bit(SCMD_STATE_INFLIGHT, &cmd->state);
if (unlikely(scsi_host_in_recovery(shost))) {
+ unsigned int busy = scsi_host_busy(shost);
+
spin_lock_irqsave(shost->host_lock, flags);
if (shost->host_failed || shost->host_eh_scheduled)
- scsi_eh_wakeup(shost, scsi_host_busy(shost));
+ scsi_eh_wakeup(shost, busy);
spin_unlock_irqrestore(shost->host_lock, flags);
}
rcu_read_unlock();
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 328/476] blk-iocost: Fix an UBSAN shift-out-of-bounds warning
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 327/476] scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 329/476] drivers: lkdtm: fix clang -Wformat warning Greg Kroah-Hartman
` (157 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitão, Tejun Heo,
Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 2a427b49d02995ea4a6ff93a1432c40fa4d36821 ]
When iocg_kick_delay() is called from a CPU different than the one which set
the delay, @now may be in the past of @iocg->delay_at leading to the
following warning:
UBSAN: shift-out-of-bounds in block/blk-iocost.c:1359:23
shift exponent 18446744073709 is too large for 64-bit type 'u64' (aka 'unsigned long long')
...
Call Trace:
<TASK>
dump_stack_lvl+0x79/0xc0
__ubsan_handle_shift_out_of_bounds+0x2ab/0x300
iocg_kick_delay+0x222/0x230
ioc_rqos_merge+0x1d7/0x2c0
__rq_qos_merge+0x2c/0x80
bio_attempt_back_merge+0x83/0x190
blk_attempt_plug_merge+0x101/0x150
blk_mq_submit_bio+0x2b1/0x720
submit_bio_noacct_nocheck+0x320/0x3e0
__swap_writepage+0x2ab/0x9d0
The underflow itself doesn't really affect the behavior in any meaningful
way; however, the past timestamp may exaggerate the delay amount calculated
later in the code, which shouldn't be a material problem given the nature of
the delay mechanism.
If @now is in the past, this CPU is racing another CPU which recently set up
the delay and there's nothing this CPU can contribute w.r.t. the delay.
Let's bail early from iocg_kick_delay() in such cases.
Reported-by: Breno Leitão <leitao@debian.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 5160a5a53c0c ("blk-iocost: implement delay adjustment hysteresis")
Link: https://lore.kernel.org/r/ZVvc9L_CYk5LO1fT@slm.duckdns.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-iocost.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/blk-iocost.c b/block/blk-iocost.c
index f95feabb3ca8..645a589edda8 100644
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -1342,6 +1342,13 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now)
lockdep_assert_held(&iocg->waitq.lock);
+ /*
+ * If the delay is set by another CPU, we may be in the past. No need to
+ * change anything if so. This avoids decay calculation underflow.
+ */
+ if (time_before64(now->now, iocg->delay_at))
+ return false;
+
/* calculate the current delay in effect - 1/2 every second */
tdelta = now->now - iocg->delay_at;
if (iocg->delay)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 329/476] drivers: lkdtm: fix clang -Wformat warning
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 328/476] blk-iocost: Fix an UBSAN shift-out-of-bounds warning Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 330/476] ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Greg Kroah-Hartman
` (156 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Nick Desaulniers,
Justin Stitt, Kees Cook, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Stitt <justinstitt@google.com>
[ Upstream commit b4909252da9be56fe1e0a23c2c1908c5630525fa ]
When building with Clang we encounter the following warning
(ARCH=hexagon + CONFIG_FRAME_WARN=0):
| ../drivers/misc/lkdtm/bugs.c:107:3: error: format specifies type
| 'unsigned long' but the argument has type 'int' [-Werror,-Wformat]
| REC_STACK_SIZE, recur_count);
| ^~~~~~~~~~~~~~
Cast REC_STACK_SIZE to `unsigned long` to match format specifier `%lu`
as well as maintain symmetry with `#define REC_STACK_SIZE
(_AC(CONFIG_FRAME_WARN, UL) / 2)`.
Link: https://github.com/ClangBuiltLinux/linux/issues/378
Reported-by: Nathan Chancellor <nathan@kernel.org>
Suggested-by: Nathan Chancellor <nathan@kernel.org>
Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Kees Cook <keescook@chromium.org>
Fixes: 24cccab42c419 ("lkdtm/bugs: Adjust recursion test to avoid elision")
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220721215706.4153027-1-justinstitt@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/lkdtm/bugs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index fac4a811b97b..3ab8dbae96af 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -29,7 +29,7 @@ struct lkdtm_list {
#if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
#define REC_STACK_SIZE (_AC(CONFIG_FRAME_WARN, UL) / 2)
#else
-#define REC_STACK_SIZE (THREAD_SIZE / 8)
+#define REC_STACK_SIZE (THREAD_SIZE / 8UL)
#endif
#define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 330/476] ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 329/476] drivers: lkdtm: fix clang -Wformat warning Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 331/476] USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Greg Kroah-Hartman
` (155 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Julian Sikorski, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julian Sikorski <belegdol+github@gmail.com>
commit a969210066054ea109d8b7aff29a9b1c98776841 upstream.
The device fails to initialize otherwise, giving the following error:
[ 3676.671641] usb 2-1.1: 1:1: cannot get freq at ep 0x1
Signed-off-by: Julian Sikorski <belegdol+github@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240123084935.2745-1-belegdol+github@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1759,6 +1759,8 @@ static const struct usb_audio_quirk_flag
QUIRK_FLAG_CTL_MSG_DELAY_1M | QUIRK_FLAG_IGNORE_CTL_ERROR),
DEVICE_FLG(0x0499, 0x1509, /* Steinberg UR22 */
QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x0499, 0x3108, /* Yamaha YIT-W12TX */
+ QUIRK_FLAG_GET_SAMPLE_RATE),
DEVICE_FLG(0x04d8, 0xfeea, /* Benchmark DAC1 Pre */
QUIRK_FLAG_GET_SAMPLE_RATE),
DEVICE_FLG(0x04e8, 0xa051, /* Samsung USBC Headset (AKG) */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 331/476] USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 330/476] ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 332/476] USB: serial: option: add Fibocom FM101-GL variant Greg Kroah-Hartman
` (154 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, JackBB Wu, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: JackBB Wu <wojackbb@gmail.com>
commit 129690fb229a20b6e563a77a2c85266acecf20bc upstream.
Add support for Dell DW5826e with USB-id 0x413c:0x8217 & 0x413c:0x8218.
It is 0x413c:0x8217
T: Bus=02 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=413c ProdID=8217 Rev= 5.04
S: Manufacturer=DELL
S: Product=COMPAL Electronics EXM-G1A
S: SerialNumber=359302940050401
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=qcserial
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=qcserial
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=qcserial
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
It is 0x413c:0x8218
T: Bus=02 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=413c ProdID=8218 Rev= 0.00
S: Manufacturer=DELL
S: Product=COMPAL Electronics EXM-G1A
S: SerialNumber=359302940050401
C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr= 2mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=qcserial
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: JackBB Wu <wojackbb@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/qcserial.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -184,6 +184,8 @@ static const struct usb_device_id id_tab
{DEVICE_SWI(0x413c, 0x81d0)}, /* Dell Wireless 5819 */
{DEVICE_SWI(0x413c, 0x81d1)}, /* Dell Wireless 5818 */
{DEVICE_SWI(0x413c, 0x81d2)}, /* Dell Wireless 5818 */
+ {DEVICE_SWI(0x413c, 0x8217)}, /* Dell Wireless DW5826e */
+ {DEVICE_SWI(0x413c, 0x8218)}, /* Dell Wireless DW5826e QDL */
/* Huawei devices */
{DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 332/476] USB: serial: option: add Fibocom FM101-GL variant
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 331/476] USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 333/476] USB: serial: cp210x: add ID for IMST iM871A-USB Greg Kroah-Hartman
` (153 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Puliang Lu, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puliang Lu <puliang.lu@fibocom.com>
commit b4a1f4eaf1d798066affc6ad040f76eb1a16e1c9 upstream.
Update the USB serial option driver support for the Fibocom
FM101-GL
LTE modules as there are actually several different variants.
- VID:PID 2cb7:01a3, FM101-GL are laptop M.2 cards (with
MBIM interfaces for /Linux/Chrome OS)
0x01a3:mbim,gnss
Here are the outputs of usb-devices:
T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=2cb7 ProdID=01a3 Rev=05.04
S: Manufacturer=Fibocom Wireless Inc.
S: Product=Fibocom FM101-GL Module
S: SerialNumber=5ccd5cd4
C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
Signed-off-by: Puliang Lu <puliang.lu@fibocom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2269,6 +2269,7 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0111, 0xff) }, /* Fibocom FM160 (MBIM mode) */
{ USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a0, 0xff) }, /* Fibocom NL668-AM/NL652-EU (laptop MBIM) */
{ USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a2, 0xff) }, /* Fibocom FM101-GL (laptop MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a3, 0xff) }, /* Fibocom FM101-GL (laptop MBIM) */
{ USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a4, 0xff), /* Fibocom FM101-GL (laptop MBIM) */
.driver_info = RSVD(4) },
{ USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 333/476] USB: serial: cp210x: add ID for IMST iM871A-USB
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 332/476] USB: serial: option: add Fibocom FM101-GL variant Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 334/476] usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Greg Kroah-Hartman
` (152 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Leonard Dallmayr, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leonard Dallmayr <leonard.dallmayr@mailbox.org>
commit 12b17b4eb82a41977eb848048137b5908d52845c upstream.
The device IMST USB-Stick for Smart Meter is a rebranded IMST iM871A-USB
Wireless M-Bus USB-adapter. It is used to read wireless water, gas and
electricity meters.
Signed-off-by: Leonard Dallmayr <leonard.dallmayr@mailbox.org>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -146,6 +146,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
{ USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */
{ USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */
+ { USB_DEVICE(0x10C4, 0x87ED) }, /* IMST USB-Stick for Smart Meter */
{ USB_DEVICE(0x10C4, 0x8856) }, /* CEL EM357 ZigBee USB Stick - LR */
{ USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */
{ USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 334/476] usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 333/476] USB: serial: cp210x: add ID for IMST iM871A-USB Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 335/476] usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Greg Kroah-Hartman
` (151 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Prashanth K, Thinh Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prashanth K <quic_prashk@quicinc.com>
commit 817349b6d26aadd8b38283a05ce0bab106b4c765 upstream.
Upstream commit bac1ec551434 ("usb: xhci: Set quirk for
XHCI_SG_TRB_CACHE_SIZE_QUIRK") introduced a new quirk in XHCI
which fixes XHC timeout, which was seen on synopsys XHCs while
using SG buffers. But the support for this quirk isn't present
in the DWC3 layer.
We will encounter this XHCI timeout/hung issue if we run iperf
loopback tests using RTL8156 ethernet adaptor on DWC3 targets
with scatter-gather enabled. This gets resolved after enabling
the XHCI_SG_TRB_CACHE_SIZE_QUIRK. This patch enables it using
the xhci device property since its needed for DWC3 controller.
In Synopsys DWC3 databook,
Table 9-3: xHCI Debug Capability Limitations
Chained TRBs greater than TRB cache size: The debug capability
driver must not create a multi-TRB TD that describes smaller
than a 1K packet that spreads across 8 or more TRBs on either
the IN TR or the OUT TR.
Cc: stable@vger.kernel.org #5.11
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20240116055816.1169821-2-quic_prashk@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/host.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/host.c
+++ b/drivers/usb/dwc3/host.c
@@ -44,7 +44,7 @@ out:
int dwc3_host_init(struct dwc3 *dwc)
{
- struct property_entry props[4];
+ struct property_entry props[5];
struct platform_device *xhci;
int ret, irq;
struct resource *res;
@@ -89,6 +89,8 @@ int dwc3_host_init(struct dwc3 *dwc)
memset(props, 0, sizeof(struct property_entry) * ARRAY_SIZE(props));
+ props[prop_idx++] = PROPERTY_ENTRY_BOOL("xhci-sg-trb-cache-size-quirk");
+
if (dwc->usb3_lpm_capable)
props[prop_idx++] = PROPERTY_ENTRY_BOOL("usb3-lpm-capable");
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 335/476] usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 334/476] usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 336/476] hrtimer: Report offline hrtimer enqueue Greg Kroah-Hartman
` (150 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Prashanth K
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prashanth K <quic_prashk@quicinc.com>
commit 520b391e3e813c1dd142d1eebb3ccfa6d08c3995 upstream.
Upstream commit bac1ec551434 ("usb: xhci: Set quirk for
XHCI_SG_TRB_CACHE_SIZE_QUIRK") introduced a new quirk in XHCI
which fixes XHC timeout, which was seen on synopsys XHCs while
using SG buffers. Currently this quirk can only be set using
xhci private data. But there are some drivers like dwc3/host.c
which adds adds quirks using software node for xhci device.
Hence set this xhci quirk by iterating over device properties.
Cc: stable@vger.kernel.org # 5.11
Fixes: bac1ec551434 ("usb: xhci: Set quirk for XHCI_SG_TRB_CACHE_SIZE_QUIRK")
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Link: https://lore.kernel.org/r/20240116055816.1169821-3-quic_prashk@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-plat.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -323,6 +323,9 @@ static int xhci_plat_probe(struct platfo
if (device_property_read_bool(tmpdev, "quirk-broken-port-ped"))
xhci->quirks |= XHCI_BROKEN_PORT_PED;
+ if (device_property_read_bool(tmpdev, "xhci-sg-trb-cache-size-quirk"))
+ xhci->quirks |= XHCI_SG_TRB_CACHE_SIZE_QUIRK;
+
device_property_read_u32(tmpdev, "imod-interval-ns",
&xhci->imod_interval);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 336/476] hrtimer: Report offline hrtimer enqueue
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 335/476] usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 337/476] Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Greg Kroah-Hartman
` (149 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney,
Frederic Weisbecker, Thomas Gleixner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frederic Weisbecker <frederic@kernel.org>
commit dad6a09f3148257ac1773cd90934d721d68ab595 upstream.
The hrtimers migration on CPU-down hotplug process has been moved
earlier, before the CPU actually goes to die. This leaves a small window
of opportunity to queue an hrtimer in a blind spot, leaving it ignored.
For example a practical case has been reported with RCU waking up a
SCHED_FIFO task right before the CPUHP_AP_IDLE_DEAD stage, queuing that
way a sched/rt timer to the local offline CPU.
Make sure such situations never go unnoticed and warn when that happens.
Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
Reported-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240129235646.3171983-4-boqun.feng@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/hrtimer.h | 4 +++-
kernel/time/hrtimer.c | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -197,6 +197,7 @@ enum hrtimer_base_type {
* @max_hang_time: Maximum time spent in hrtimer_interrupt
* @softirq_expiry_lock: Lock which is taken while softirq based hrtimer are
* expired
+ * @online: CPU is online from an hrtimers point of view
* @timer_waiters: A hrtimer_cancel() invocation waits for the timer
* callback to finish.
* @expires_next: absolute time of the next event, is required for remote
@@ -219,7 +220,8 @@ struct hrtimer_cpu_base {
unsigned int hres_active : 1,
in_hrtirq : 1,
hang_detected : 1,
- softirq_activated : 1;
+ softirq_activated : 1,
+ online : 1;
#ifdef CONFIG_HIGH_RES_TIMERS
unsigned int nr_events;
unsigned short nr_retries;
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1082,6 +1082,7 @@ static int enqueue_hrtimer(struct hrtime
enum hrtimer_mode mode)
{
debug_activate(timer, mode);
+ WARN_ON_ONCE(!base->cpu_base->online);
base->cpu_base->active_bases |= 1 << base->index;
@@ -2180,6 +2181,7 @@ int hrtimers_prepare_cpu(unsigned int cp
cpu_base->softirq_next_timer = NULL;
cpu_base->expires_next = KTIME_MAX;
cpu_base->softirq_expires_next = KTIME_MAX;
+ cpu_base->online = 1;
hrtimer_cpu_base_init_expiry_lock(cpu_base);
return 0;
}
@@ -2247,6 +2249,7 @@ int hrtimers_cpu_dying(unsigned int dyin
smp_call_function_single(ncpu, retrigger_next_event, NULL, 0);
raw_spin_unlock(&new_base->lock);
+ old_base->online = 0;
raw_spin_unlock(&old_base->lock);
return 0;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 337/476] Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 336/476] hrtimer: Report offline hrtimer enqueue Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 338/476] Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Greg Kroah-Hartman
` (148 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Werner Sembach, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Werner Sembach <wse@tuxedocomputers.com>
commit a60e6c3918d20848906ffcdfcf72ca6a8cfbcf2e upstream.
When closing the laptop lid with an external screen connected, the mouse
pointer has a constant movement to the lower right corner. Opening the
lid again stops this movement, but after that the touchpad does no longer
register clicks.
The touchpad is connected both via i2c-hid and PS/2, the predecessor of
this device (NS70MU) has the same layout in this regard and also strange
behaviour caused by the psmouse and the i2c-hid driver fighting over
touchpad control. This fix is reusing the same workaround by just
disabling the PS/2 aux port, that is only used by the touchpad, to give the
i2c-hid driver the lone control over the touchpad.
v2: Rebased on current master
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20231205163602.16106-1-wse@tuxedocomputers.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-acpipnpio.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/input/serio/i8042-acpipnpio.h
+++ b/drivers/input/serio/i8042-acpipnpio.h
@@ -1173,6 +1173,12 @@ static const struct dmi_system_id i8042_
},
{
.matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "NS5x_7xPU"),
+ },
+ .driver_data = (void *)(SERIO_QUIRK_NOAUX)
+ },
+ {
+ .matches = {
DMI_MATCH(DMI_BOARD_NAME, "NJ50_70CU"),
},
.driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 338/476] Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 337/476] Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 339/476] vhost: use kzalloc() instead of kmalloc() followed by memset() Greg Kroah-Hartman
` (147 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Menzel, Hans de Goede, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 683cd8259a9b883a51973511f860976db2550a6e upstream.
After commit 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in
translated mode") the keyboard on Dell XPS 13 9350 / 9360 / 9370 models
has stopped working after a suspend/resume.
The problem appears to be that atkbd_probe() fails when called
from atkbd_reconnect() on resume, which on systems where
ATKBD_CMD_GETID is skipped can only happen by ATKBD_CMD_SETLEDS
failing. ATKBD_CMD_SETLEDS failing because ATKBD_CMD_GETID was
skipped is weird, but apparently that is what is happening.
Fix this by also skipping ATKBD_CMD_SETLEDS when skipping
ATKBD_CMD_GETID.
Fixes: 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in translated mode")
Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Closes: https://lore.kernel.org/linux-input/0aa4a61f-c939-46fe-a572-08022e8931c7@molgen.mpg.de/
Closes: https://bbs.archlinux.org/viewtopic.php?pid=2146300
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218424
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2260517
Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20240126160724.13278-2-hdegoede@redhat.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/atkbd.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/input/keyboard/atkbd.c
+++ b/drivers/input/keyboard/atkbd.c
@@ -802,7 +802,6 @@ static int atkbd_probe(struct atkbd *atk
{
struct ps2dev *ps2dev = &atkbd->ps2dev;
unsigned char param[2];
- bool skip_getid;
/*
* Some systems, where the bit-twiddling when testing the io-lines of the
@@ -816,6 +815,11 @@ static int atkbd_probe(struct atkbd *atk
"keyboard reset failed on %s\n",
ps2dev->serio->phys);
+ if (atkbd_skip_getid(atkbd)) {
+ atkbd->id = 0xab83;
+ return 0;
+ }
+
/*
* Then we check the keyboard ID. We should get 0xab83 under normal conditions.
* Some keyboards report different values, but the first byte is always 0xab or
@@ -824,18 +828,17 @@ static int atkbd_probe(struct atkbd *atk
*/
param[0] = param[1] = 0xa5; /* initialize with invalid values */
- skip_getid = atkbd_skip_getid(atkbd);
- if (skip_getid || ps2_command(ps2dev, param, ATKBD_CMD_GETID)) {
+ if (ps2_command(ps2dev, param, ATKBD_CMD_GETID)) {
/*
- * If the get ID command was skipped or failed, we check if we can at least set
+ * If the get ID command failed, we check if we can at least set
* the LEDs on the keyboard. This should work on every keyboard out there.
* It also turns the LEDs off, which we want anyway.
*/
param[0] = 0;
if (ps2_command(ps2dev, param, ATKBD_CMD_SETLEDS))
return -1;
- atkbd->id = skip_getid ? 0xab83 : 0xabba;
+ atkbd->id = 0xabba;
return 0;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 339/476] vhost: use kzalloc() instead of kmalloc() followed by memset()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 338/476] Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 340/476] clocksource: Skip watchdog check for large watchdog intervals Greg Kroah-Hartman
` (146 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prathu Baronia, Michael S. Tsirkin,
Stefano Garzarella, Ajay Kaher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prathu Baronia <prathubaronia2011@gmail.com>
commit 4d8df0f5f79f747d75a7d356d9b9ea40a4e4c8a9 upstream.
Use kzalloc() to allocate new zeroed out msg node instead of
memsetting a node allocated with kmalloc().
Signed-off-by: Prathu Baronia <prathubaronia2011@gmail.com>
Message-Id: <20230522085019.42914-1-prathubaronia2011@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vhost.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2582,12 +2582,11 @@ EXPORT_SYMBOL_GPL(vhost_disable_notify);
/* Create a new message. */
struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
{
- struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
+ /* Make sure all padding within the structure is initialized. */
+ struct vhost_msg_node *node = kzalloc(sizeof(*node), GFP_KERNEL);
if (!node)
return NULL;
- /* Make sure all padding within the structure is initialized. */
- memset(&node->msg, 0, sizeof node->msg);
node->vq = vq;
node->msg.type = type;
return node;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 340/476] clocksource: Skip watchdog check for large watchdog intervals
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 339/476] vhost: use kzalloc() instead of kmalloc() followed by memset() Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 341/476] net: stmmac: xgmac: use #define for string constants Greg Kroah-Hartman
` (145 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Tang, Jiri Wiesner,
Thomas Gleixner, Paul E. McKenney
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Wiesner <jwiesner@suse.de>
commit 644649553508b9bacf0fc7a5bdc4f9e0165576a5 upstream.
There have been reports of the watchdog marking clocksources unstable on
machines with 8 NUMA nodes:
clocksource: timekeeping watchdog on CPU373:
Marking clocksource 'tsc' as unstable because the skew is too large:
clocksource: 'hpet' wd_nsec: 14523447520
clocksource: 'tsc' cs_nsec: 14524115132
The measured clocksource skew - the absolute difference between cs_nsec
and wd_nsec - was 668 microseconds:
cs_nsec - wd_nsec = 14524115132 - 14523447520 = 667612
The kernel used 200 microseconds for the uncertainty_margin of both the
clocksource and watchdog, resulting in a threshold of 400 microseconds (the
md variable). Both the cs_nsec and the wd_nsec value indicate that the
readout interval was circa 14.5 seconds. The observed behaviour is that
watchdog checks failed for large readout intervals on 8 NUMA node
machines. This indicates that the size of the skew was directly proportinal
to the length of the readout interval on those machines. The measured
clocksource skew, 668 microseconds, was evaluated against a threshold (the
md variable) that is suited for readout intervals of roughly
WATCHDOG_INTERVAL, i.e. HZ >> 1, which is 0.5 second.
The intention of 2e27e793e280 ("clocksource: Reduce clocksource-skew
threshold") was to tighten the threshold for evaluating skew and set the
lower bound for the uncertainty_margin of clocksources to twice
WATCHDOG_MAX_SKEW. Later in c37e85c135ce ("clocksource: Loosen clocksource
watchdog constraints"), the WATCHDOG_MAX_SKEW constant was increased to
125 microseconds to fit the limit of NTP, which is able to use a
clocksource that suffers from up to 500 microseconds of skew per second.
Both the TSC and the HPET use default uncertainty_margin. When the
readout interval gets stretched the default uncertainty_margin is no
longer a suitable lower bound for evaluating skew - it imposes a limit
that is far stricter than the skew with which NTP can deal.
The root causes of the skew being directly proportinal to the length of
the readout interval are:
* the inaccuracy of the shift/mult pairs of clocksources and the watchdog
* the conversion to nanoseconds is imprecise for large readout intervals
Prevent this by skipping the current watchdog check if the readout
interval exceeds 2 * WATCHDOG_INTERVAL. Considering the maximum readout
interval of 2 * WATCHDOG_INTERVAL, the current default uncertainty margin
(of the TSC and HPET) corresponds to a limit on clocksource skew of 250
ppm (microseconds of skew per second). To keep the limit imposed by NTP
(500 microseconds of skew per second) for all possible readout intervals,
the margins would have to be scaled so that the threshold value is
proportional to the length of the actual readout interval.
As for why the readout interval may get stretched: Since the watchdog is
executed in softirq context the expiration of the watchdog timer can get
severely delayed on account of a ksoftirqd thread not getting to run in a
timely manner. Surely, a system with such belated softirq execution is not
working well and the scheduling issue should be looked into but the
clocksource watchdog should be able to deal with it accordingly.
Fixes: 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold")
Suggested-by: Feng Tang <feng.tang@intel.com>
Signed-off-by: Jiri Wiesner <jwiesner@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Paul E. McKenney <paulmck@kernel.org>
Reviewed-by: Feng Tang <feng.tang@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240122172350.GA740@incl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/clocksource.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -120,6 +120,7 @@ static DECLARE_WORK(watchdog_work, clock
static DEFINE_SPINLOCK(watchdog_lock);
static int watchdog_running;
static atomic_t watchdog_reset_pending;
+static int64_t watchdog_max_interval;
static inline void clocksource_watchdog_lock(unsigned long *flags)
{
@@ -138,6 +139,7 @@ static void __clocksource_change_rating(
* Interval: 0.5sec.
*/
#define WATCHDOG_INTERVAL (HZ >> 1)
+#define WATCHDOG_INTERVAL_MAX_NS ((2 * WATCHDOG_INTERVAL) * (NSEC_PER_SEC / HZ))
static void clocksource_watchdog_work(struct work_struct *work)
{
@@ -390,8 +392,8 @@ static inline void clocksource_reset_wat
static void clocksource_watchdog(struct timer_list *unused)
{
u64 csnow, wdnow, cslast, wdlast, delta;
+ int64_t wd_nsec, cs_nsec, interval;
int next_cpu, reset_pending;
- int64_t wd_nsec, cs_nsec;
struct clocksource *cs;
enum wd_read_status read_ret;
unsigned long extra_wait = 0;
@@ -461,6 +463,27 @@ static void clocksource_watchdog(struct
if (atomic_read(&watchdog_reset_pending))
continue;
+ /*
+ * The processing of timer softirqs can get delayed (usually
+ * on account of ksoftirqd not getting to run in a timely
+ * manner), which causes the watchdog interval to stretch.
+ * Skew detection may fail for longer watchdog intervals
+ * on account of fixed margins being used.
+ * Some clocksources, e.g. acpi_pm, cannot tolerate
+ * watchdog intervals longer than a few seconds.
+ */
+ interval = max(cs_nsec, wd_nsec);
+ if (unlikely(interval > WATCHDOG_INTERVAL_MAX_NS)) {
+ if (system_state > SYSTEM_SCHEDULING &&
+ interval > 2 * watchdog_max_interval) {
+ watchdog_max_interval = interval;
+ pr_warn("Long readout interval, skipping watchdog check: cs_nsec: %lld wd_nsec: %lld\n",
+ cs_nsec, wd_nsec);
+ }
+ watchdog_timer.expires = jiffies;
+ continue;
+ }
+
/* Check the deviation from the watchdog clocksource. */
md = cs->uncertainty_margin + watchdog->uncertainty_margin;
if (abs(cs_nsec - wd_nsec) > md) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 341/476] net: stmmac: xgmac: use #define for string constants
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 340/476] clocksource: Skip watchdog check for large watchdog intervals Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 342/476] net: stmmac: xgmac: fix a typo of register name in DPP safety handling Greg Kroah-Hartman
` (144 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jon Hunter, kernel test robot,
Simon Horman, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <horms@kernel.org>
commit 1692b9775e745f84b69dc8ad0075b0855a43db4e upstream.
The cited commit introduces and uses the string constants dpp_tx_err and
dpp_rx_err. These are assigned to constant fields of the array
dwxgmac3_error_desc.
It has been reported that on GCC 6 and 7.5.0 this results in warnings
such as:
.../dwxgmac2_core.c:836:20: error: initialiser element is not constant
{ true, "TDPES0", dpp_tx_err },
I have been able to reproduce this using: GCC 7.5.0, 8.4.0, 9.4.0 and 10.5.0.
But not GCC 13.2.0.
So it seems this effects older compilers but not newer ones.
As Jon points out in his report, the minimum compiler supported by
the kernel is GCC 5.1, so it does seem that this ought to be fixed.
It is not clear to me what combination of 'const', if any, would address
this problem. So this patch takes of using #defines for the string
constants
Compile tested only.
Fixes: 46eba193d04f ("net: stmmac: xgmac: fix handling of DPP safety error for DMA channels")
Reported-by: Jon Hunter <jonathanh@nvidia.com>
Closes: https://lore.kernel.org/netdev/c25eb595-8d91-40ea-9f52-efa15ebafdbc@nvidia.com/
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202402081135.lAxxBXHk-lkp@intel.com/
Signed-off-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240208-xgmac-const-v1-1-e69a1eeabfc8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 69 ++++++++++----------
1 file changed, 35 insertions(+), 34 deletions(-)
--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
@@ -789,41 +789,42 @@ static const struct dwxgmac3_error_desc
{ false, "UNKNOWN", "Unknown Error" }, /* 31 */
};
-static const char * const dpp_rx_err = "Read Rx Descriptor Parity checker Error";
-static const char * const dpp_tx_err = "Read Tx Descriptor Parity checker Error";
+#define DPP_RX_ERR "Read Rx Descriptor Parity checker Error"
+#define DPP_TX_ERR "Read Tx Descriptor Parity checker Error"
+
static const struct dwxgmac3_error_desc dwxgmac3_dma_dpp_errors[32] = {
- { true, "TDPES0", dpp_tx_err },
- { true, "TDPES1", dpp_tx_err },
- { true, "TDPES2", dpp_tx_err },
- { true, "TDPES3", dpp_tx_err },
- { true, "TDPES4", dpp_tx_err },
- { true, "TDPES5", dpp_tx_err },
- { true, "TDPES6", dpp_tx_err },
- { true, "TDPES7", dpp_tx_err },
- { true, "TDPES8", dpp_tx_err },
- { true, "TDPES9", dpp_tx_err },
- { true, "TDPES10", dpp_tx_err },
- { true, "TDPES11", dpp_tx_err },
- { true, "TDPES12", dpp_tx_err },
- { true, "TDPES13", dpp_tx_err },
- { true, "TDPES14", dpp_tx_err },
- { true, "TDPES15", dpp_tx_err },
- { true, "RDPES0", dpp_rx_err },
- { true, "RDPES1", dpp_rx_err },
- { true, "RDPES2", dpp_rx_err },
- { true, "RDPES3", dpp_rx_err },
- { true, "RDPES4", dpp_rx_err },
- { true, "RDPES5", dpp_rx_err },
- { true, "RDPES6", dpp_rx_err },
- { true, "RDPES7", dpp_rx_err },
- { true, "RDPES8", dpp_rx_err },
- { true, "RDPES9", dpp_rx_err },
- { true, "RDPES10", dpp_rx_err },
- { true, "RDPES11", dpp_rx_err },
- { true, "RDPES12", dpp_rx_err },
- { true, "RDPES13", dpp_rx_err },
- { true, "RDPES14", dpp_rx_err },
- { true, "RDPES15", dpp_rx_err },
+ { true, "TDPES0", DPP_TX_ERR },
+ { true, "TDPES1", DPP_TX_ERR },
+ { true, "TDPES2", DPP_TX_ERR },
+ { true, "TDPES3", DPP_TX_ERR },
+ { true, "TDPES4", DPP_TX_ERR },
+ { true, "TDPES5", DPP_TX_ERR },
+ { true, "TDPES6", DPP_TX_ERR },
+ { true, "TDPES7", DPP_TX_ERR },
+ { true, "TDPES8", DPP_TX_ERR },
+ { true, "TDPES9", DPP_TX_ERR },
+ { true, "TDPES10", DPP_TX_ERR },
+ { true, "TDPES11", DPP_TX_ERR },
+ { true, "TDPES12", DPP_TX_ERR },
+ { true, "TDPES13", DPP_TX_ERR },
+ { true, "TDPES14", DPP_TX_ERR },
+ { true, "TDPES15", DPP_TX_ERR },
+ { true, "RDPES0", DPP_RX_ERR },
+ { true, "RDPES1", DPP_RX_ERR },
+ { true, "RDPES2", DPP_RX_ERR },
+ { true, "RDPES3", DPP_RX_ERR },
+ { true, "RDPES4", DPP_RX_ERR },
+ { true, "RDPES5", DPP_RX_ERR },
+ { true, "RDPES6", DPP_RX_ERR },
+ { true, "RDPES7", DPP_RX_ERR },
+ { true, "RDPES8", DPP_RX_ERR },
+ { true, "RDPES9", DPP_RX_ERR },
+ { true, "RDPES10", DPP_RX_ERR },
+ { true, "RDPES11", DPP_RX_ERR },
+ { true, "RDPES12", DPP_RX_ERR },
+ { true, "RDPES13", DPP_RX_ERR },
+ { true, "RDPES14", DPP_RX_ERR },
+ { true, "RDPES15", DPP_RX_ERR },
};
static void dwxgmac3_handle_dma_err(struct net_device *ndev,
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 342/476] net: stmmac: xgmac: fix a typo of register name in DPP safety handling
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 341/476] net: stmmac: xgmac: use #define for string constants Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 343/476] netfilter: nft_set_rbtree: skip end interval element from gc Greg Kroah-Hartman
` (143 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Furong Xu, Serge Semin, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Furong Xu <0x1207@gmail.com>
commit 1ce2654d87e2fb91fea83b288bd9b2641045e42a upstream.
DDPP is copied from Synopsys Data book:
DDPP: Disable Data path Parity Protection.
When it is 0x0, Data path Parity Protection is enabled.
When it is 0x1, Data path Parity Protection is disabled.
The macro name should be XGMAC_DPP_DISABLE.
Fixes: 46eba193d04f ("net: stmmac: xgmac: fix handling of DPP safety error for DMA channels")
Signed-off-by: Furong Xu <0x1207@gmail.com>
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Link: https://lore.kernel.org/r/20240203053133.1129236-1-0x1207@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 2 +-
drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h
+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h
@@ -283,7 +283,7 @@
#define XGMAC_TXCEIE BIT(0)
#define XGMAC_MTL_ECC_INT_STATUS 0x000010cc
#define XGMAC_MTL_DPP_CONTROL 0x000010e0
-#define XGMAC_DDPP_DISABLE BIT(0)
+#define XGMAC_DPP_DISABLE BIT(0)
#define XGMAC_MTL_TXQ_OPMODE(x) (0x00001100 + (0x80 * (x)))
#define XGMAC_TQS GENMASK(25, 16)
#define XGMAC_TQS_SHIFT 16
--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
@@ -886,7 +886,7 @@ dwxgmac3_safety_feat_config(void __iomem
/* 5. Enable Data Path Parity Protection */
value = readl(ioaddr + XGMAC_MTL_DPP_CONTROL);
/* already enabled by default, explicit enable it again */
- value &= ~XGMAC_DDPP_DISABLE;
+ value &= ~XGMAC_DPP_DISABLE;
writel(value, ioaddr + XGMAC_MTL_DPP_CONTROL);
return 0;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 343/476] netfilter: nft_set_rbtree: skip end interval element from gc
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 342/476] net: stmmac: xgmac: fix a typo of register name in DPP safety handling Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 344/476] btrfs: forbid creating subvol qgroups Greg Kroah-Hartman
` (142 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, lonial con, Pablo Neira Ayuso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 60c0c230c6f046da536d3df8b39a20b9a9fd6af0 upstream.
rbtree lazy gc on insert might collect an end interval element that has
been just added in this transactions, skip end interval elements that
are not yet active.
Fixes: f718863aca46 ("netfilter: nft_set_rbtree: fix overlap expiration walk")
Cc: stable@vger.kernel.org
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_set_rbtree.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -235,7 +235,7 @@ static void nft_rbtree_gc_remove(struct
static const struct nft_rbtree_elem *
nft_rbtree_gc_elem(const struct nft_set *__set, struct nft_rbtree *priv,
- struct nft_rbtree_elem *rbe, u8 genmask)
+ struct nft_rbtree_elem *rbe)
{
struct nft_set *set = (struct nft_set *)__set;
struct rb_node *prev = rb_prev(&rbe->node);
@@ -254,7 +254,7 @@ nft_rbtree_gc_elem(const struct nft_set
while (prev) {
rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
if (nft_rbtree_interval_end(rbe_prev) &&
- nft_set_elem_active(&rbe_prev->ext, genmask))
+ nft_set_elem_active(&rbe_prev->ext, NFT_GENMASK_ANY))
break;
prev = rb_prev(prev);
@@ -365,7 +365,7 @@ static int __nft_rbtree_insert(const str
nft_set_elem_active(&rbe->ext, cur_genmask)) {
const struct nft_rbtree_elem *removed_end;
- removed_end = nft_rbtree_gc_elem(set, priv, rbe, genmask);
+ removed_end = nft_rbtree_gc_elem(set, priv, rbe);
if (IS_ERR(removed_end))
return PTR_ERR(removed_end);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 344/476] btrfs: forbid creating subvol qgroups
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 343/476] netfilter: nft_set_rbtree: skip end interval element from gc Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 345/476] btrfs: do not ASSERT() if the newly created subvolume already got read Greg Kroah-Hartman
` (141 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
commit 0c309d66dacddf8ce939b891d9ead4a8e21ad6f0 upstream.
Creating a qgroup 0/subvolid leads to various races and it isn't
helpful, because you can't specify a subvol id when creating a subvol,
so you can't be sure it will be the right one. Any requirements on the
automatic subvol can be gratified by using a higher level qgroup and the
inheritance parameters of subvol creation.
Fixes: cecbb533b5fc ("btrfs: record simple quota deltas in delayed refs")
CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4338,6 +4338,11 @@ static long btrfs_ioctl_qgroup_create(st
goto out;
}
+ if (sa->create && is_fstree(sa->qgroupid)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
trans = btrfs_join_transaction(root);
if (IS_ERR(trans)) {
ret = PTR_ERR(trans);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 345/476] btrfs: do not ASSERT() if the newly created subvolume already got read
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 344/476] btrfs: forbid creating subvol qgroups Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 346/476] btrfs: forbid deleting live subvol qgroup Greg Kroah-Hartman
` (140 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Filipe Manana,
Qu Wenruo, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb upstream.
[BUG]
There is a syzbot crash, triggered by the ASSERT() during subvolume
creation:
assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319
------------[ cut here ]------------
kernel BUG at fs/btrfs/disk-io.c:1319!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60
<TASK>
btrfs_get_new_fs_root+0xd3/0xf0
create_subvol+0xd02/0x1650
btrfs_mksubvol+0xe95/0x12b0
__btrfs_ioctl_snap_create+0x2f9/0x4f0
btrfs_ioctl_snap_create+0x16b/0x200
btrfs_ioctl+0x35f0/0x5cf0
__x64_sys_ioctl+0x19d/0x210
do_syscall_64+0x3f/0xe0
entry_SYSCALL_64_after_hwframe+0x63/0x6b
---[ end trace 0000000000000000 ]---
[CAUSE]
During create_subvol(), after inserting root item for the newly created
subvolume, we would trigger btrfs_get_new_fs_root() to get the
btrfs_root of that subvolume.
The idea here is, we have preallocated an anonymous device number for
the subvolume, thus we can assign it to the new subvolume.
But there is really nothing preventing things like backref walk to read
the new subvolume.
If that happens before we call btrfs_get_new_fs_root(), the subvolume
would be read out, with a new anonymous device number assigned already.
In that case, we would trigger ASSERT(), as we really expect no one to
read out that subvolume (which is not yet accessible from the fs).
But things like backref walk is still possible to trigger the read on
the subvolume.
Thus our assumption on the ASSERT() is not correct in the first place.
[FIX]
Fix it by removing the ASSERT(), and just free the @anon_dev, reset it
to 0, and continue.
If the subvolume tree is read out by something else, it should have
already get a new anon_dev assigned thus we only need to free the
preallocated one.
Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
Fixes: 2dfb1e43f57d ("btrfs: preallocate anon block device at first phase of snapshot creation")
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/disk-io.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -1619,8 +1619,17 @@ static struct btrfs_root *btrfs_get_root
again:
root = btrfs_lookup_fs_root(fs_info, objectid);
if (root) {
- /* Shouldn't get preallocated anon_dev for cached roots */
- ASSERT(!anon_dev);
+ /*
+ * Some other caller may have read out the newly inserted
+ * subvolume already (for things like backref walk etc). Not
+ * that common but still possible. In that case, we just need
+ * to free the anon_dev.
+ */
+ if (unlikely(anon_dev)) {
+ free_anon_bdev(anon_dev);
+ anon_dev = 0;
+ }
+
if (check_ref && btrfs_root_refs(&root->root_item) == 0) {
btrfs_put_root(root);
return ERR_PTR(-ENOENT);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 346/476] btrfs: forbid deleting live subvol qgroup
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 345/476] btrfs: do not ASSERT() if the newly created subvolume already got read Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 347/476] btrfs: send: return EOPNOTSUPP on unknown flags Greg Kroah-Hartman
` (139 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
commit a8df35619948bd8363d330c20a90c9a7fbff28c0 upstream.
If a subvolume still exists, forbid deleting its qgroup 0/subvolid.
This behavior generally leads to incorrect behavior in squotas and
doesn't have a legitimate purpose.
Fixes: cecbb533b5fc ("btrfs: record simple quota deltas in delayed refs")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/qgroup.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -1608,6 +1608,15 @@ out:
return ret;
}
+static bool qgroup_has_usage(struct btrfs_qgroup *qgroup)
+{
+ return (qgroup->rfer > 0 || qgroup->rfer_cmpr > 0 ||
+ qgroup->excl > 0 || qgroup->excl_cmpr > 0 ||
+ qgroup->rsv.values[BTRFS_QGROUP_RSV_DATA] > 0 ||
+ qgroup->rsv.values[BTRFS_QGROUP_RSV_META_PREALLOC] > 0 ||
+ qgroup->rsv.values[BTRFS_QGROUP_RSV_META_PERTRANS] > 0);
+}
+
int btrfs_remove_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid)
{
struct btrfs_fs_info *fs_info = trans->fs_info;
@@ -1627,6 +1636,11 @@ int btrfs_remove_qgroup(struct btrfs_tra
goto out;
}
+ if (is_fstree(qgroupid) && qgroup_has_usage(qgroup)) {
+ ret = -EBUSY;
+ goto out;
+ }
+
/* Check if there are no children of this qgroup */
if (!list_empty(&qgroup->members)) {
ret = -EBUSY;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 347/476] btrfs: send: return EOPNOTSUPP on unknown flags
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 346/476] btrfs: forbid deleting live subvol qgroup Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 348/476] of: unittest: Fix compile in the non-dynamic case Greg Kroah-Hartman
` (138 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Filipe Manana, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
commit f884a9f9e59206a2d41f265e7e403f080d10b493 upstream.
When some ioctl flags are checked we return EOPNOTSUPP, like for
BTRFS_SCRUB_SUPPORTED_FLAGS, BTRFS_SUBVOL_CREATE_ARGS_MASK or fallocate
modes. The EINVAL is supposed to be for a supported but invalid
values or combination of options. Fix that when checking send flags so
it's consistent with the rest.
CC: stable@vger.kernel.org # 4.14+
Link: https://lore.kernel.org/linux-btrfs/CAL3q7H5rryOLzp3EKq8RTbjMHMHeaJubfpsVLF6H4qJnKCUR1w@mail.gmail.com/
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/send.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -7558,7 +7558,7 @@ long btrfs_ioctl_send(struct file *mnt_f
}
if (arg->flags & ~BTRFS_SEND_FLAG_MASK) {
- ret = -EINVAL;
+ ret = -EOPNOTSUPP;
goto out;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 348/476] of: unittest: Fix compile in the non-dynamic case
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 347/476] btrfs: send: return EOPNOTSUPP on unknown flags Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 349/476] wifi: iwlwifi: Fix some error codes Greg Kroah-Hartman
` (137 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Christian A. Ehrhardt, Rob Herring, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian A. Ehrhardt <lk@c--e.de>
[ Upstream commit 607aad1e4356c210dbef9022955a3089377909b2 ]
If CONFIG_OF_KOBJ is not set, a device_node does not contain a
kobj and attempts to access the embedded kobj via kref_read break
the compile.
Replace affected kref_read calls with a macro that reads the
refcount if it exists and returns 1 if there is no embedded kobj.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202401291740.VP219WIz-lkp@intel.com/
Fixes: 4dde83569832 ("of: Fix double free in of_parse_phandle_with_args_map")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Link: https://lore.kernel.org/r/20240129192556.403271-1-lk@c--e.de
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/of/unittest.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
index 699daf0645d1..5a8d37cef0ba 100644
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -49,6 +49,12 @@ static struct unittest_results {
failed; \
})
+#ifdef CONFIG_OF_KOBJ
+#define OF_KREF_READ(NODE) kref_read(&(NODE)->kobj.kref)
+#else
+#define OF_KREF_READ(NODE) 1
+#endif
+
/*
* Expected message may have a message level other than KERN_INFO.
* Print the expected message only if the current loglevel will allow
@@ -562,7 +568,7 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
pr_err("missing testcase data\n");
return;
}
- prefs[i] = kref_read(&p[i]->kobj.kref);
+ prefs[i] = OF_KREF_READ(p[i]);
}
rc = of_count_phandle_with_args(np, "phandle-list", "#phandle-cells");
@@ -685,9 +691,9 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
for (i = 0; i < ARRAY_SIZE(p); ++i) {
- unittest(prefs[i] == kref_read(&p[i]->kobj.kref),
+ unittest(prefs[i] == OF_KREF_READ(p[i]),
"provider%d: expected:%d got:%d\n",
- i, prefs[i], kref_read(&p[i]->kobj.kref));
+ i, prefs[i], OF_KREF_READ(p[i]));
of_node_put(p[i]);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 349/476] wifi: iwlwifi: Fix some error codes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 348/476] of: unittest: Fix compile in the non-dynamic case Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 350/476] net: openvswitch: limit the number of recursions from action sets Greg Kroah-Hartman
` (136 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit c6ebb5b67641994de8bc486b33457fe0b681d6fe ]
This saves the error as PTR_ERR(wifi_pkg). The problem is that
"wifi_pkg" is a valid pointer, not an error pointer. Set the error code
to -EINVAL instead.
Fixes: 2a8084147bff ("iwlwifi: acpi: support reading and storing WRDS revision 1 and 2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://msgid.link/9620bb77-2d7c-4d76-b255-ad824ebf8e35@moroto.mountain
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
index 9e00d1d7e146..f0e0d4ccbc09 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
@@ -527,7 +527,7 @@ int iwl_sar_get_wrds_table(struct iwl_fw_runtime *fwrt)
&tbl_rev);
if (!IS_ERR(wifi_pkg)) {
if (tbl_rev != 2) {
- ret = PTR_ERR(wifi_pkg);
+ ret = -EINVAL;
goto out_free;
}
@@ -543,7 +543,7 @@ int iwl_sar_get_wrds_table(struct iwl_fw_runtime *fwrt)
&tbl_rev);
if (!IS_ERR(wifi_pkg)) {
if (tbl_rev != 1) {
- ret = PTR_ERR(wifi_pkg);
+ ret = -EINVAL;
goto out_free;
}
@@ -559,7 +559,7 @@ int iwl_sar_get_wrds_table(struct iwl_fw_runtime *fwrt)
&tbl_rev);
if (!IS_ERR(wifi_pkg)) {
if (tbl_rev != 0) {
- ret = PTR_ERR(wifi_pkg);
+ ret = -EINVAL;
goto out_free;
}
@@ -614,7 +614,7 @@ int iwl_sar_get_ewrd_table(struct iwl_fw_runtime *fwrt)
&tbl_rev);
if (!IS_ERR(wifi_pkg)) {
if (tbl_rev != 2) {
- ret = PTR_ERR(wifi_pkg);
+ ret = -EINVAL;
goto out_free;
}
@@ -630,7 +630,7 @@ int iwl_sar_get_ewrd_table(struct iwl_fw_runtime *fwrt)
&tbl_rev);
if (!IS_ERR(wifi_pkg)) {
if (tbl_rev != 1) {
- ret = PTR_ERR(wifi_pkg);
+ ret = -EINVAL;
goto out_free;
}
@@ -646,7 +646,7 @@ int iwl_sar_get_ewrd_table(struct iwl_fw_runtime *fwrt)
&tbl_rev);
if (!IS_ERR(wifi_pkg)) {
if (tbl_rev != 0) {
- ret = PTR_ERR(wifi_pkg);
+ ret = -EINVAL;
goto out_free;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 350/476] net: openvswitch: limit the number of recursions from action sets
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 349/476] wifi: iwlwifi: Fix some error codes Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 351/476] spi: ppc4xx: Drop write-only variable Greg Kroah-Hartman
` (135 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Conole, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Conole <aconole@redhat.com>
[ Upstream commit 6e2f90d31fe09f2b852de25125ca875aabd81367 ]
The ovs module allows for some actions to recursively contain an action
list for complex scenarios, such as sampling, checking lengths, etc.
When these actions are copied into the internal flow table, they are
evaluated to validate that such actions make sense, and these calls
happen recursively.
The ovs-vswitchd userspace won't emit more than 16 recursion levels
deep. However, the module has no such limit and will happily accept
limits larger than 16 levels nested. Prevent this by tracking the
number of recursions happening and manually limiting it to 16 levels
nested.
The initial implementation of the sample action would track this depth
and prevent more than 3 levels of recursion, but this was removed to
support the clone use case, rather than limited at the current userspace
limit.
Fixes: 798c166173ff ("openvswitch: Optimize sample action for the clone use cases")
Signed-off-by: Aaron Conole <aconole@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240207132416.1488485-2-aconole@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 49 +++++++++++++++++++++++-----------
1 file changed, 33 insertions(+), 16 deletions(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index d77c21ff066c..1cf431d04a46 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -47,6 +47,7 @@ struct ovs_len_tbl {
#define OVS_ATTR_NESTED -1
#define OVS_ATTR_VARIABLE -2
+#define OVS_COPY_ACTIONS_MAX_DEPTH 16
static bool actions_may_change_flow(const struct nlattr *actions)
{
@@ -2514,13 +2515,15 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
const struct sw_flow_key *key,
struct sw_flow_actions **sfa,
__be16 eth_type, __be16 vlan_tci,
- u32 mpls_label_count, bool log);
+ u32 mpls_label_count, bool log,
+ u32 depth);
static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
const struct sw_flow_key *key,
struct sw_flow_actions **sfa,
__be16 eth_type, __be16 vlan_tci,
- u32 mpls_label_count, bool log, bool last)
+ u32 mpls_label_count, bool log, bool last,
+ u32 depth)
{
const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1];
const struct nlattr *probability, *actions;
@@ -2571,7 +2574,8 @@ static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
return err;
err = __ovs_nla_copy_actions(net, actions, key, sfa,
- eth_type, vlan_tci, mpls_label_count, log);
+ eth_type, vlan_tci, mpls_label_count, log,
+ depth + 1);
if (err)
return err;
@@ -2586,7 +2590,8 @@ static int validate_and_copy_dec_ttl(struct net *net,
const struct sw_flow_key *key,
struct sw_flow_actions **sfa,
__be16 eth_type, __be16 vlan_tci,
- u32 mpls_label_count, bool log)
+ u32 mpls_label_count, bool log,
+ u32 depth)
{
const struct nlattr *attrs[OVS_DEC_TTL_ATTR_MAX + 1];
int start, action_start, err, rem;
@@ -2629,7 +2634,8 @@ static int validate_and_copy_dec_ttl(struct net *net,
return action_start;
err = __ovs_nla_copy_actions(net, actions, key, sfa, eth_type,
- vlan_tci, mpls_label_count, log);
+ vlan_tci, mpls_label_count, log,
+ depth + 1);
if (err)
return err;
@@ -2643,7 +2649,8 @@ static int validate_and_copy_clone(struct net *net,
const struct sw_flow_key *key,
struct sw_flow_actions **sfa,
__be16 eth_type, __be16 vlan_tci,
- u32 mpls_label_count, bool log, bool last)
+ u32 mpls_label_count, bool log, bool last,
+ u32 depth)
{
int start, err;
u32 exec;
@@ -2663,7 +2670,8 @@ static int validate_and_copy_clone(struct net *net,
return err;
err = __ovs_nla_copy_actions(net, attr, key, sfa,
- eth_type, vlan_tci, mpls_label_count, log);
+ eth_type, vlan_tci, mpls_label_count, log,
+ depth + 1);
if (err)
return err;
@@ -3032,7 +3040,7 @@ static int validate_and_copy_check_pkt_len(struct net *net,
struct sw_flow_actions **sfa,
__be16 eth_type, __be16 vlan_tci,
u32 mpls_label_count,
- bool log, bool last)
+ bool log, bool last, u32 depth)
{
const struct nlattr *acts_if_greater, *acts_if_lesser_eq;
struct nlattr *a[OVS_CHECK_PKT_LEN_ATTR_MAX + 1];
@@ -3080,7 +3088,8 @@ static int validate_and_copy_check_pkt_len(struct net *net,
return nested_acts_start;
err = __ovs_nla_copy_actions(net, acts_if_lesser_eq, key, sfa,
- eth_type, vlan_tci, mpls_label_count, log);
+ eth_type, vlan_tci, mpls_label_count, log,
+ depth + 1);
if (err)
return err;
@@ -3093,7 +3102,8 @@ static int validate_and_copy_check_pkt_len(struct net *net,
return nested_acts_start;
err = __ovs_nla_copy_actions(net, acts_if_greater, key, sfa,
- eth_type, vlan_tci, mpls_label_count, log);
+ eth_type, vlan_tci, mpls_label_count, log,
+ depth + 1);
if (err)
return err;
@@ -3121,12 +3131,16 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
const struct sw_flow_key *key,
struct sw_flow_actions **sfa,
__be16 eth_type, __be16 vlan_tci,
- u32 mpls_label_count, bool log)
+ u32 mpls_label_count, bool log,
+ u32 depth)
{
u8 mac_proto = ovs_key_mac_proto(key);
const struct nlattr *a;
int rem, err;
+ if (depth > OVS_COPY_ACTIONS_MAX_DEPTH)
+ return -EOVERFLOW;
+
nla_for_each_nested(a, attr, rem) {
/* Expected argument lengths, (u32)-1 for variable length. */
static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = {
@@ -3321,7 +3335,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
err = validate_and_copy_sample(net, a, key, sfa,
eth_type, vlan_tci,
mpls_label_count,
- log, last);
+ log, last, depth);
if (err)
return err;
skip_copy = true;
@@ -3392,7 +3406,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
err = validate_and_copy_clone(net, a, key, sfa,
eth_type, vlan_tci,
mpls_label_count,
- log, last);
+ log, last, depth);
if (err)
return err;
skip_copy = true;
@@ -3406,7 +3420,8 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
eth_type,
vlan_tci,
mpls_label_count,
- log, last);
+ log, last,
+ depth);
if (err)
return err;
skip_copy = true;
@@ -3416,7 +3431,8 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
case OVS_ACTION_ATTR_DEC_TTL:
err = validate_and_copy_dec_ttl(net, a, key, sfa,
eth_type, vlan_tci,
- mpls_label_count, log);
+ mpls_label_count, log,
+ depth);
if (err)
return err;
skip_copy = true;
@@ -3456,7 +3472,8 @@ int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
(*sfa)->orig_len = nla_len(attr);
err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type,
- key->eth.vlan.tci, mpls_label_count, log);
+ key->eth.vlan.tci, mpls_label_count, log,
+ 0);
if (err)
ovs_nla_free_flow_actions(*sfa);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 351/476] spi: ppc4xx: Drop write-only variable
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 350/476] net: openvswitch: limit the number of recursions from action sets Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 352/476] ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work() Greg Kroah-Hartman
` (134 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit b3aa619a8b4706f35cb62f780c14e68796b37f3f ]
Since commit 24778be20f87 ("spi: convert drivers to use
bits_per_word_mask") the bits_per_word variable is only written to. The
check that was there before isn't needed any more as the spi core
ensures that only 8 bit transfers are used, so the variable can go away
together with all assignments to it.
Fixes: 24778be20f87 ("spi: convert drivers to use bits_per_word_mask")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20240210164006.208149-8-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-ppc4xx.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c
index d65f047b6c82..1179a1115137 100644
--- a/drivers/spi/spi-ppc4xx.c
+++ b/drivers/spi/spi-ppc4xx.c
@@ -166,10 +166,8 @@ static int spi_ppc4xx_setupxfer(struct spi_device *spi, struct spi_transfer *t)
int scr;
u8 cdm = 0;
u32 speed;
- u8 bits_per_word;
/* Start with the generic configuration for this device. */
- bits_per_word = spi->bits_per_word;
speed = spi->max_speed_hz;
/*
@@ -177,9 +175,6 @@ static int spi_ppc4xx_setupxfer(struct spi_device *spi, struct spi_transfer *t)
* the transfer to overwrite the generic configuration with zeros.
*/
if (t) {
- if (t->bits_per_word)
- bits_per_word = t->bits_per_word;
-
if (t->speed_hz)
speed = min(t->speed_hz, spi->max_speed_hz);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 352/476] ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 351/476] spi: ppc4xx: Drop write-only variable Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 353/476] net: sysfs: Fix /sys/class/net/<iface> path for statistics Greg Kroah-Hartman
` (133 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Khoroshilov, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Khoroshilov <khoroshilov@ispras.ru>
[ Upstream commit 6ef5d5b92f7117b324efaac72b3db27ae8bb3082 ]
There is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex
is left locked forever. That may lead to deadlock
when rt5645_jack_detect_work() is called for the second time.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: cdba4301adda ("ASoC: rt5650: add mutex to avoid the jack detection failure")
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Link: https://lore.kernel.org/r/1707645514-21196-1-git-send-email-khoroshilov@ispras.ru
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/rt5645.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c
index 2fdfec505192..f903bee194d5 100644
--- a/sound/soc/codecs/rt5645.c
+++ b/sound/soc/codecs/rt5645.c
@@ -3288,6 +3288,7 @@ static void rt5645_jack_detect_work(struct work_struct *work)
report, SND_JACK_HEADPHONE);
snd_soc_jack_report(rt5645->mic_jack,
report, SND_JACK_MICROPHONE);
+ mutex_unlock(&rt5645->jd_mutex);
return;
case 4:
val = snd_soc_component_read(rt5645->component, RT5645_A_JD_CTRL1) & 0x0020;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 353/476] net: sysfs: Fix /sys/class/net/<iface> path for statistics
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 352/476] ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work() Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 354/476] MIPS: Add memory clobber to csum_ipv6_magic() inline assembler Greg Kroah-Hartman
` (132 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Andrew Lunn,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 5b3fbd61b9d1f4ed2db95aaf03f9adae0373784d ]
The Documentation/ABI/testing/sysfs-class-net-statistics documentation
is pointing to the wrong path for the interface. Documentation is
pointing to /sys/class/<iface>, instead of /sys/class/net/<iface>.
Fix it by adding the `net/` directory before the interface.
Fixes: 6044f9700645 ("net: sysfs: document /sys/class/net/statistics/*")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ABI/testing/sysfs-class-net-statistics | 48 +++++++++----------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-class-net-statistics b/Documentation/ABI/testing/sysfs-class-net-statistics
index 55db27815361..53e508c6936a 100644
--- a/Documentation/ABI/testing/sysfs-class-net-statistics
+++ b/Documentation/ABI/testing/sysfs-class-net-statistics
@@ -1,4 +1,4 @@
-What: /sys/class/<iface>/statistics/collisions
+What: /sys/class/net/<iface>/statistics/collisions
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -6,7 +6,7 @@ Description:
Indicates the number of collisions seen by this network device.
This value might not be relevant with all MAC layers.
-What: /sys/class/<iface>/statistics/multicast
+What: /sys/class/net/<iface>/statistics/multicast
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -14,7 +14,7 @@ Description:
Indicates the number of multicast packets received by this
network device.
-What: /sys/class/<iface>/statistics/rx_bytes
+What: /sys/class/net/<iface>/statistics/rx_bytes
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -23,7 +23,7 @@ Description:
See the network driver for the exact meaning of when this
value is incremented.
-What: /sys/class/<iface>/statistics/rx_compressed
+What: /sys/class/net/<iface>/statistics/rx_compressed
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -32,7 +32,7 @@ Description:
network device. This value might only be relevant for interfaces
that support packet compression (e.g: PPP).
-What: /sys/class/<iface>/statistics/rx_crc_errors
+What: /sys/class/net/<iface>/statistics/rx_crc_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -41,7 +41,7 @@ Description:
by this network device. Note that the specific meaning might
depend on the MAC layer used by the interface.
-What: /sys/class/<iface>/statistics/rx_dropped
+What: /sys/class/net/<iface>/statistics/rx_dropped
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -51,7 +51,7 @@ Description:
packet processing. See the network driver for the exact
meaning of this value.
-What: /sys/class/<iface>/statistics/rx_errors
+What: /sys/class/net/<iface>/statistics/rx_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -59,7 +59,7 @@ Description:
Indicates the number of receive errors on this network device.
See the network driver for the exact meaning of this value.
-What: /sys/class/<iface>/statistics/rx_fifo_errors
+What: /sys/class/net/<iface>/statistics/rx_fifo_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -68,7 +68,7 @@ Description:
network device. See the network driver for the exact
meaning of this value.
-What: /sys/class/<iface>/statistics/rx_frame_errors
+What: /sys/class/net/<iface>/statistics/rx_frame_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -78,7 +78,7 @@ Description:
on the MAC layer protocol used. See the network driver for
the exact meaning of this value.
-What: /sys/class/<iface>/statistics/rx_length_errors
+What: /sys/class/net/<iface>/statistics/rx_length_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -87,7 +87,7 @@ Description:
error, oversized or undersized. See the network driver for the
exact meaning of this value.
-What: /sys/class/<iface>/statistics/rx_missed_errors
+What: /sys/class/net/<iface>/statistics/rx_missed_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -96,7 +96,7 @@ Description:
due to lack of capacity in the receive side. See the network
driver for the exact meaning of this value.
-What: /sys/class/<iface>/statistics/rx_nohandler
+What: /sys/class/net/<iface>/statistics/rx_nohandler
Date: February 2016
KernelVersion: 4.6
Contact: netdev@vger.kernel.org
@@ -104,7 +104,7 @@ Description:
Indicates the number of received packets that were dropped on
an inactive device by the network core.
-What: /sys/class/<iface>/statistics/rx_over_errors
+What: /sys/class/net/<iface>/statistics/rx_over_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -114,7 +114,7 @@ Description:
(e.g: larger than MTU). See the network driver for the exact
meaning of this value.
-What: /sys/class/<iface>/statistics/rx_packets
+What: /sys/class/net/<iface>/statistics/rx_packets
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -122,7 +122,7 @@ Description:
Indicates the total number of good packets received by this
network device.
-What: /sys/class/<iface>/statistics/tx_aborted_errors
+What: /sys/class/net/<iface>/statistics/tx_aborted_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -132,7 +132,7 @@ Description:
a medium collision). See the network driver for the exact
meaning of this value.
-What: /sys/class/<iface>/statistics/tx_bytes
+What: /sys/class/net/<iface>/statistics/tx_bytes
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -143,7 +143,7 @@ Description:
transmitted packets or all packets that have been queued for
transmission.
-What: /sys/class/<iface>/statistics/tx_carrier_errors
+What: /sys/class/net/<iface>/statistics/tx_carrier_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -152,7 +152,7 @@ Description:
because of carrier errors (e.g: physical link down). See the
network driver for the exact meaning of this value.
-What: /sys/class/<iface>/statistics/tx_compressed
+What: /sys/class/net/<iface>/statistics/tx_compressed
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -161,7 +161,7 @@ Description:
this might only be relevant for devices that support
compression (e.g: PPP).
-What: /sys/class/<iface>/statistics/tx_dropped
+What: /sys/class/net/<iface>/statistics/tx_dropped
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -170,7 +170,7 @@ Description:
See the driver for the exact reasons as to why the packets were
dropped.
-What: /sys/class/<iface>/statistics/tx_errors
+What: /sys/class/net/<iface>/statistics/tx_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -179,7 +179,7 @@ Description:
a network device. See the driver for the exact reasons as to
why the packets were dropped.
-What: /sys/class/<iface>/statistics/tx_fifo_errors
+What: /sys/class/net/<iface>/statistics/tx_fifo_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -188,7 +188,7 @@ Description:
FIFO error. See the driver for the exact reasons as to why the
packets were dropped.
-What: /sys/class/<iface>/statistics/tx_heartbeat_errors
+What: /sys/class/net/<iface>/statistics/tx_heartbeat_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -197,7 +197,7 @@ Description:
reported as heartbeat errors. See the driver for the exact
reasons as to why the packets were dropped.
-What: /sys/class/<iface>/statistics/tx_packets
+What: /sys/class/net/<iface>/statistics/tx_packets
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
@@ -206,7 +206,7 @@ Description:
device. See the driver for whether this reports the number of all
attempted or successful transmissions.
-What: /sys/class/<iface>/statistics/tx_window_errors
+What: /sys/class/net/<iface>/statistics/tx_window_errors
Date: April 2005
KernelVersion: 2.6.12
Contact: netdev@vger.kernel.org
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 354/476] MIPS: Add memory clobber to csum_ipv6_magic() inline assembler
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 353/476] net: sysfs: Fix /sys/class/net/<iface> path for statistics Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 355/476] i40e: Fix waiting for queues of all VSIs to be disabled Greg Kroah-Hartman
` (131 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charlie Jenkins, Palmer Dabbelt,
Guenter Roeck, Thomas Bogendoerfer, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit d55347bfe4e66dce2e1e7501e5492f4af3e315f8 ]
After 'lib: checksum: Use aligned accesses for ip_fast_csum and
csum_ipv6_magic tests' was applied, the test_csum_ipv6_magic unit test
started failing for all mips platforms, both little and bit endian.
Oddly enough, adding debug code into test_csum_ipv6_magic() made the
problem disappear.
The gcc manual says:
"The "memory" clobber tells the compiler that the assembly code performs
memory reads or writes to items other than those listed in the input
and output operands (for example, accessing the memory pointed to by one
of the input parameters)
"
This is definitely the case for csum_ipv6_magic(). Indeed, adding the
'memory' clobber fixes the problem.
Cc: Charlie Jenkins <charlie@rivosinc.com>
Cc: Palmer Dabbelt <palmer@rivosinc.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/include/asm/checksum.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/mips/include/asm/checksum.h b/arch/mips/include/asm/checksum.h
index 1e6c1354f245..eb15339e58fd 100644
--- a/arch/mips/include/asm/checksum.h
+++ b/arch/mips/include/asm/checksum.h
@@ -244,7 +244,8 @@ static __inline__ __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
" .set pop"
: "=&r" (sum), "=&r" (tmp)
: "r" (saddr), "r" (daddr),
- "0" (htonl(len)), "r" (htonl(proto)), "r" (sum));
+ "0" (htonl(len)), "r" (htonl(proto)), "r" (sum)
+ : "memory");
return csum_fold(sum);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 355/476] i40e: Fix waiting for queues of all VSIs to be disabled
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 354/476] MIPS: Add memory clobber to csum_ipv6_magic() inline assembler Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 356/476] scs: add CONFIG_MMU dependency for vfree_atomic() Greg Kroah-Hartman
` (130 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Vecera, Jacob Keller,
Wojciech Drewek, Tony Nguyen, Sasha Levin,
Pucha Himasekhar Reddy
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Vecera <ivecera@redhat.com>
[ Upstream commit c73729b64bb692186da080602cd13612783f52ac ]
The function i40e_pf_wait_queues_disabled() iterates all PF's VSIs
up to 'pf->hw.func_caps.num_vsis' but this is incorrect because
the real number of VSIs can be up to 'pf->num_alloc_vsi' that
can be higher. Fix this loop.
Fixes: 69129dc39fac ("i40e: Modify Tx disable wait flow in case of DCB reconfiguration")
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 10737418565f..3d2b92a952a6 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -5323,7 +5323,7 @@ static int i40e_pf_wait_queues_disabled(struct i40e_pf *pf)
{
int v, ret = 0;
- for (v = 0; v < pf->hw.func_caps.num_vsis; v++) {
+ for (v = 0; v < pf->num_alloc_vsi; v++) {
if (pf->vsi[v]) {
ret = i40e_vsi_wait_queues_disabled(pf->vsi[v]);
if (ret)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 356/476] scs: add CONFIG_MMU dependency for vfree_atomic()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 355/476] i40e: Fix waiting for queues of all VSIs to be disabled Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 357/476] tracing/trigger: Fix to return error if failed to alloc snapshot Greg Kroah-Hartman
` (129 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Holland, Sami Tolvanen,
Will Deacon, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Holland <samuel.holland@sifive.com>
commit 6f9dc684cae638dda0570154509884ee78d0f75c upstream.
The shadow call stack implementation fails to build without CONFIG_MMU:
ld.lld: error: undefined symbol: vfree_atomic
>>> referenced by scs.c
>>> kernel/scs.o:(scs_free) in archive vmlinux.a
Link: https://lkml.kernel.org/r/20240122175204.2371009-1-samuel.holland@sifive.com
Fixes: a2abe7cbd8fe ("scs: switch to vmapped shadow stacks")
Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Cc: Will Deacon <will@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -605,6 +605,7 @@ config SHADOW_CALL_STACK
bool "Clang Shadow Call Stack"
depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK
depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
+ depends on MMU
help
This option enables Clang's Shadow Call Stack, which uses a
shadow stack to protect function return addresses from being
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 357/476] tracing/trigger: Fix to return error if failed to alloc snapshot
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 356/476] scs: add CONFIG_MMU dependency for vfree_atomic() Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 358/476] mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again Greg Kroah-Hartman
` (128 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Donnefort,
Masami Hiramatsu (Google), Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream.
Fix register_snapshot_trigger() to return error code if it failed to
allocate a snapshot instead of 0 (success). Unless that, it will register
snapshot trigger without an error.
Link: https://lore.kernel.org/linux-trace-kernel/170622977792.270660.2789298642759362200.stgit@devnote2
Fixes: 0bbe7f719985 ("tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation")
Cc: stable@vger.kernel.org
Cc: Vincent Donnefort <vdonnefort@google.com>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_trigger.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -1161,8 +1161,10 @@ register_snapshot_trigger(char *glob, st
struct event_trigger_data *data,
struct trace_event_file *file)
{
- if (tracing_alloc_snapshot_instance(file->tr) != 0)
- return 0;
+ int ret = tracing_alloc_snapshot_instance(file->tr);
+
+ if (ret < 0)
+ return ret;
return register_trigger(glob, ops, data, file);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 358/476] mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 357/476] tracing/trigger: Fix to return error if failed to alloc snapshot Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 359/476] scsi: storvsc: Fix ring buffer size calculation Greg Kroah-Hartman
` (127 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zach OKeefe, Maxim Patlasov, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zach O'Keefe <zokeefe@google.com>
commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78 upstream.
(struct dirty_throttle_control *)->thresh is an unsigned long, but is
passed as the u32 divisor argument to div_u64(). On architectures where
unsigned long is 64 bytes, the argument will be implicitly truncated.
Use div64_u64() instead of div_u64() so that the value used in the "is
this a safe division" check is the same as the divisor.
Also, remove redundant cast of the numerator to u64, as that should happen
implicitly.
This would be difficult to exploit in memcg domain, given the ratio-based
arithmetic domain_drity_limits() uses, but is much easier in global
writeback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g.
vm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)
Link: https://lkml.kernel.org/r/20240118181954.1415197-1-zokeefe@google.com
Fixes: f6789593d5ce ("mm/page-writeback.c: fix divide by zero in bdi_dirty_limits()")
Signed-off-by: Zach O'Keefe <zokeefe@google.com>
Cc: Maxim Patlasov <MPatlasov@parallels.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page-writeback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -1529,7 +1529,7 @@ static inline void wb_dirty_limits(struc
*/
dtc->wb_thresh = __wb_calc_thresh(dtc);
dtc->wb_bg_thresh = dtc->thresh ?
- div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0;
+ div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0;
/*
* In order to avoid the stacked BDI deadlock we need
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 359/476] scsi: storvsc: Fix ring buffer size calculation
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 358/476] mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 360/476] ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift 1 SF114-32 Greg Kroah-Hartman
` (126 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Kelley, Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Kelley <mhklinux@outlook.com>
commit f4469f3858352ad1197434557150b1f7086762a0 upstream.
Current code uses the specified ring buffer size (either the default of 128
Kbytes or a module parameter specified value) to encompass the one page
ring buffer header plus the actual ring itself. When the page size is 4K,
carving off one page for the header isn't significant. But when the page
size is 64K on ARM64, only half of the default 128 Kbytes is left for the
actual ring. While this doesn't break anything, the smaller ring size
could be a performance bottleneck.
Fix this by applying the VMBUS_RING_SIZE macro to the specified ring buffer
size. This macro adds a page for the header, and rounds up the size to a
page boundary, using the page size for which the kernel is built. Use this
new size for subsequent ring buffer calculations. For example, on ARM64
with 64K page size and the default ring size, this results in the actual
ring being 128 Kbytes, which is intended.
Cc: stable@vger.kernel.org # 5.15.x
Signed-off-by: Michael Kelley <mhklinux@outlook.com>
Link: https://lore.kernel.org/r/20240122170956.496436-1-mhklinux@outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/storvsc_drv.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -367,6 +367,7 @@ enum storvsc_request_type {
*/
static int storvsc_ringbuffer_size = (128 * 1024);
+static int aligned_ringbuffer_size;
static u32 max_outstanding_req_per_channel;
static int storvsc_change_queue_depth(struct scsi_device *sdev, int queue_depth);
@@ -737,8 +738,8 @@ static void handle_sc_creation(struct vm
new_sc->next_request_id_callback = storvsc_next_request_id;
ret = vmbus_open(new_sc,
- storvsc_ringbuffer_size,
- storvsc_ringbuffer_size,
+ aligned_ringbuffer_size,
+ aligned_ringbuffer_size,
(void *)&props,
sizeof(struct vmstorage_channel_properties),
storvsc_on_channel_callback, new_sc);
@@ -2033,7 +2034,7 @@ static int storvsc_probe(struct hv_devic
hv_set_drvdata(device, stor_device);
stor_device->port_number = host->host_no;
- ret = storvsc_connect_to_vsp(device, storvsc_ringbuffer_size, is_fc);
+ ret = storvsc_connect_to_vsp(device, aligned_ringbuffer_size, is_fc);
if (ret)
goto err_out1;
@@ -2226,7 +2227,7 @@ static int storvsc_resume(struct hv_devi
{
int ret;
- ret = storvsc_connect_to_vsp(hv_dev, storvsc_ringbuffer_size,
+ ret = storvsc_connect_to_vsp(hv_dev, aligned_ringbuffer_size,
hv_dev_is_fc(hv_dev));
return ret;
}
@@ -2264,8 +2265,9 @@ static int __init storvsc_drv_init(void)
* for Win7 and older hosts because it does not take into account
* the vmscsi_size_delta correction to the max request size.
*/
+ aligned_ringbuffer_size = VMBUS_RING_SIZE(storvsc_ringbuffer_size);
max_outstanding_req_per_channel =
- ((storvsc_ringbuffer_size - PAGE_SIZE) /
+ ((aligned_ringbuffer_size - PAGE_SIZE) /
ALIGN(MAX_MULTIPAGE_BUFFER_PACKET +
sizeof(struct vstor_packet) + sizeof(u64),
sizeof(u64)));
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 360/476] ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift 1 SF114-32
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 359/476] scsi: storvsc: Fix ring buffer size calculation Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 361/476] ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx Greg Kroah-Hartman
` (125 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Senoner, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Senoner <seda18@rolmail.net>
commit efb56d84dd9c3de3c99fc396abb57c6d330038b5 upstream.
If you connect an external headset/microphone to the 3.5mm jack on the
Acer Swift 1 SF114-32 it does not recognize the microphone. This fixes
that and gives the user the ability to choose between internal and
headset mic.
Signed-off-by: David Senoner <seda18@rolmail.net>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240126155626.2304465-1-seda18@rolmail.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8905,6 +8905,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1025, 0x1247, "Acer vCopperbox", ALC269VC_FIXUP_ACER_VCOPPERBOX_PINS),
SND_PCI_QUIRK(0x1025, 0x1248, "Acer Veriton N4660G", ALC269VC_FIXUP_ACER_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1025, 0x1269, "Acer SWIFT SF314-54", ALC256_FIXUP_ACER_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1025, 0x126a, "Acer Swift SF114-32", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1025, 0x128f, "Acer Veriton Z6860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 361/476] ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 360/476] ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift 1 SF114-32 Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 362/476] HID: i2c-hid-of: fix NULL-deref on failed power up Greg Kroah-Hartman
` (124 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luka Guzenko, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luka Guzenko <l.guzenko@web.de>
commit f0d78972f27dc1d1d51fbace2713ad3cdc60a877 upstream.
This HP Laptop uses ALC236 codec with COEF 0x07 controlling the
mute LED. Enable existing quirk for this device.
Signed-off-by: Luka Guzenko <l.guzenko@web.de>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240128155704.2333812-1-l.guzenko@web.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9090,6 +9090,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x103c, 0x8786, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
SND_PCI_QUIRK(0x103c, 0x8787, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 362/476] HID: i2c-hid-of: fix NULL-deref on failed power up
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 361/476] ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 363/476] HID: wacom: generic: Avoid reporting a serial of 0 to userspace Greg Kroah-Hartman
` (123 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Johan Hovold, Jiri Kosina
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 00aab7dcb2267f2aef59447602f34501efe1a07f upstream.
A while back the I2C HID implementation was split in an ACPI and OF
part, but the new OF driver never initialises the client pointer which
is dereferenced on power-up failures.
Fixes: b33752c30023 ("HID: i2c-hid: Reorganize so ACPI and OF are separate modules")
Cc: stable@vger.kernel.org # 5.12
Cc: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/i2c-hid/i2c-hid-of.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/hid/i2c-hid/i2c-hid-of.c
+++ b/drivers/hid/i2c-hid/i2c-hid-of.c
@@ -80,6 +80,7 @@ static int i2c_hid_of_probe(struct i2c_c
if (!ihid_of)
return -ENOMEM;
+ ihid_of->client = client;
ihid_of->ops.power_up = i2c_hid_of_power_up;
ihid_of->ops.power_down = i2c_hid_of_power_down;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 363/476] HID: wacom: generic: Avoid reporting a serial of 0 to userspace
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 362/476] HID: i2c-hid-of: fix NULL-deref on failed power up Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 364/476] HID: wacom: Do not register input devices until after hid_hw_start Greg Kroah-Hartman
` (122 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gerecke, Tatsunosuke Tobita,
Jiri Kosina
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
commit ab41a31dd5e2681803642b6d08590b61867840ec upstream.
The xf86-input-wacom driver does not treat '0' as a valid serial
number and will drop any input report which contains an
MSC_SERIAL = 0 event. The kernel driver already takes care to
avoid sending any MSC_SERIAL event if the value of serial[0] == 0
(which is the case for devices that don't actually report a
serial number), but this is not quite sufficient.
Only the lower 32 bits of the serial get reported to userspace,
so if this portion of the serial is zero then there can still
be problems.
This commit allows the driver to report either the lower 32 bits
if they are non-zero or the upper 32 bits otherwise.
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
Fixes: f85c9dc678a5 ("HID: wacom: generic: Support tool ID and additional tool types")
CC: stable@vger.kernel.org # v4.10
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/wacom_wac.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -2551,7 +2551,14 @@ static void wacom_wac_pen_report(struct
wacom_wac->hid_data.tipswitch);
input_report_key(input, wacom_wac->tool[0], sense);
if (wacom_wac->serial[0]) {
- input_event(input, EV_MSC, MSC_SERIAL, wacom_wac->serial[0]);
+ /*
+ * xf86-input-wacom does not accept a serial number
+ * of '0'. Report the low 32 bits if possible, but
+ * if they are zero, report the upper ones instead.
+ */
+ __u32 serial_lo = wacom_wac->serial[0] & 0xFFFFFFFFu;
+ __u32 serial_hi = wacom_wac->serial[0] >> 32;
+ input_event(input, EV_MSC, MSC_SERIAL, (int)(serial_lo ? serial_lo : serial_hi));
input_report_abs(input, ABS_MISC, sense ? id : 0);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 364/476] HID: wacom: Do not register input devices until after hid_hw_start
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 363/476] HID: wacom: generic: Avoid reporting a serial of 0 to userspace Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 365/476] iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP Greg Kroah-Hartman
` (121 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, Jason Gerecke, Jiri Kosina
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gerecke <killertofu@gmail.com>
commit c1d6708bf0d3dd976460d435373cf5abf21ce258 upstream.
If a input device is opened before hid_hw_start is called, events may
not be received from the hardware. In the case of USB-backed devices,
for example, the hid_hw_start function is responsible for filling in
the URB which is submitted when the input device is opened. If a device
is opened prematurely, polling will never start because the device will
not have been in the correct state to send the URB.
Because the wacom driver registers its input devices before calling
hid_hw_start, there is a window of time where a device can be opened
and end up in an inoperable state. Some ARM-based Chromebooks in particular
reliably trigger this bug.
This commit splits the wacom_register_inputs function into two pieces.
One which is responsible for setting up the allocated inputs (and runs
prior to hid_hw_start so that devices are ready for any input events
they may end up receiving) and another which only registers the devices
(and runs after hid_hw_start to ensure devices can be immediately opened
without issue). Note that the functions to initialize the LEDs and remotes
are also moved after hid_hw_start to maintain their own dependency chains.
Fixes: 7704ac937345 ("HID: wacom: implement generic HID handling for pen generic devices")
Cc: stable@vger.kernel.org # v3.18+
Suggested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Tested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/wacom_sys.c | 63 ++++++++++++++++++++++++++++++++----------------
1 file changed, 43 insertions(+), 20 deletions(-)
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -2088,7 +2088,7 @@ static int wacom_allocate_inputs(struct
return 0;
}
-static int wacom_register_inputs(struct wacom *wacom)
+static int wacom_setup_inputs(struct wacom *wacom)
{
struct input_dev *pen_input_dev, *touch_input_dev, *pad_input_dev;
struct wacom_wac *wacom_wac = &(wacom->wacom_wac);
@@ -2107,10 +2107,6 @@ static int wacom_register_inputs(struct
input_free_device(pen_input_dev);
wacom_wac->pen_input = NULL;
pen_input_dev = NULL;
- } else {
- error = input_register_device(pen_input_dev);
- if (error)
- goto fail;
}
error = wacom_setup_touch_input_capabilities(touch_input_dev, wacom_wac);
@@ -2119,10 +2115,6 @@ static int wacom_register_inputs(struct
input_free_device(touch_input_dev);
wacom_wac->touch_input = NULL;
touch_input_dev = NULL;
- } else {
- error = input_register_device(touch_input_dev);
- if (error)
- goto fail;
}
error = wacom_setup_pad_input_capabilities(pad_input_dev, wacom_wac);
@@ -2131,7 +2123,34 @@ static int wacom_register_inputs(struct
input_free_device(pad_input_dev);
wacom_wac->pad_input = NULL;
pad_input_dev = NULL;
- } else {
+ }
+
+ return 0;
+}
+
+static int wacom_register_inputs(struct wacom *wacom)
+{
+ struct input_dev *pen_input_dev, *touch_input_dev, *pad_input_dev;
+ struct wacom_wac *wacom_wac = &(wacom->wacom_wac);
+ int error = 0;
+
+ pen_input_dev = wacom_wac->pen_input;
+ touch_input_dev = wacom_wac->touch_input;
+ pad_input_dev = wacom_wac->pad_input;
+
+ if (pen_input_dev) {
+ error = input_register_device(pen_input_dev);
+ if (error)
+ goto fail;
+ }
+
+ if (touch_input_dev) {
+ error = input_register_device(touch_input_dev);
+ if (error)
+ goto fail;
+ }
+
+ if (pad_input_dev) {
error = input_register_device(pad_input_dev);
if (error)
goto fail;
@@ -2387,6 +2406,20 @@ static int wacom_parse_and_register(stru
goto fail;
}
+ error = wacom_setup_inputs(wacom);
+ if (error)
+ goto fail;
+
+ if (features->type == HID_GENERIC)
+ connect_mask |= HID_CONNECT_DRIVER;
+
+ /* Regular HID work starts now */
+ error = hid_hw_start(hdev, connect_mask);
+ if (error) {
+ hid_err(hdev, "hw start failed\n");
+ goto fail;
+ }
+
error = wacom_register_inputs(wacom);
if (error)
goto fail;
@@ -2401,16 +2434,6 @@ static int wacom_parse_and_register(stru
goto fail;
}
- if (features->type == HID_GENERIC)
- connect_mask |= HID_CONNECT_DRIVER;
-
- /* Regular HID work starts now */
- error = hid_hw_start(hdev, connect_mask);
- if (error) {
- hid_err(hdev, "hw start failed\n");
- goto fail;
- }
-
if (!wireless) {
/* Note that if query fails it is not a hard failure */
wacom_query_tablet_data(wacom);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 365/476] iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 364/476] HID: wacom: Do not register input devices until after hid_hw_start Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 366/476] usb: ucsi_acpi: Fix command completion handling Greg Kroah-Hartman
` (120 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit 621c6257128149e45b36ffb973a01c3f3461b893 upstream.
When als_capture_sample() is called with usage ID
HID_USAGE_SENSOR_TIME_TIMESTAMP, return 0. The HID sensor core ignores
the return value for capture_sample() callback, so return value doesn't
make difference. But correct the return value to return success instead
of -EINVAL.
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20240204125617.2635574-1-srinivas.pandruvada@linux.intel.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/hid-sensor-als.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/light/hid-sensor-als.c
+++ b/drivers/iio/light/hid-sensor-als.c
@@ -228,6 +228,7 @@ static int als_capture_sample(struct hid
case HID_USAGE_SENSOR_TIME_TIMESTAMP:
als_state->timestamp = hid_sensor_convert_timestamp(&als_state->common_attributes,
*(s64 *)raw_data);
+ ret = 0;
break;
default:
break;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 366/476] usb: ucsi_acpi: Fix command completion handling
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 365/476] iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 367/476] USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT Greg Kroah-Hartman
` (119 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt, Heikki Krogerus
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian A. Ehrhardt <lk@c--e.de>
commit 2840143e393a4ddc1caab4372969ea337371168c upstream.
In case of a spurious or otherwise delayed notification it is
possible that CCI still reports the previous completion. The
UCSI spec is aware of this and provides two completion bits in
CCI, one for normal commands and one for acks. As acks and commands
alternate the notification handler can determine if the completion
bit is from the current command.
The initial UCSI code correctly handled this but the distinction
between the two completion bits was lost with the introduction of
the new API.
To fix this revive the ACK_PENDING bit for ucsi_acpi and only complete
commands if the completion bit matches.
Fixes: f56de278e8ec ("usb: typec: ucsi: acpi: Move to the new API")
Cc: stable@vger.kernel.org
Signed-off-by: "Christian A. Ehrhardt" <lk@c--e.de>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20240121204123.275441-3-lk@c--e.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/ucsi_acpi.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/drivers/usb/typec/ucsi/ucsi_acpi.c
+++ b/drivers/usb/typec/ucsi/ucsi_acpi.c
@@ -70,9 +70,13 @@ static int ucsi_acpi_sync_write(struct u
const void *val, size_t val_len)
{
struct ucsi_acpi *ua = ucsi_get_drvdata(ucsi);
+ bool ack = UCSI_COMMAND(*(u64 *)val) == UCSI_ACK_CC_CI;
int ret;
- set_bit(COMMAND_PENDING, &ua->flags);
+ if (ack)
+ set_bit(ACK_PENDING, &ua->flags);
+ else
+ set_bit(COMMAND_PENDING, &ua->flags);
ret = ucsi_acpi_async_write(ucsi, offset, val, val_len);
if (ret)
@@ -82,7 +86,10 @@ static int ucsi_acpi_sync_write(struct u
ret = -ETIMEDOUT;
out_clear_bit:
- clear_bit(COMMAND_PENDING, &ua->flags);
+ if (ack)
+ clear_bit(ACK_PENDING, &ua->flags);
+ else
+ clear_bit(COMMAND_PENDING, &ua->flags);
return ret;
}
@@ -106,8 +113,10 @@ static void ucsi_acpi_notify(acpi_handle
if (UCSI_CCI_CONNECTOR(cci))
ucsi_connector_change(ua->ucsi, UCSI_CCI_CONNECTOR(cci));
- if (test_bit(COMMAND_PENDING, &ua->flags) &&
- cci & (UCSI_CCI_ACK_COMPLETE | UCSI_CCI_COMMAND_COMPLETE))
+ if (cci & UCSI_CCI_ACK_COMPLETE && test_bit(ACK_PENDING, &ua->flags))
+ complete(&ua->complete);
+ if (cci & UCSI_CCI_COMMAND_COMPLETE &&
+ test_bit(COMMAND_PENDING, &ua->flags))
complete(&ua->complete);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 367/476] USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 366/476] usb: ucsi_acpi: Fix command completion handling Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 368/476] usb: f_mass_storage: forbid async queue when shutdown happen Greg Kroah-Hartman
` (118 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit f17c34ffc792bbb520e4b61baa16b6cfc7d44b13 upstream.
The OTG 1.3 spec has the feature A_ALT_HNP_SUPPORT, which tells
a device that it is connected to the wrong port. Some devices
refuse to operate if you enable that feature, because it indicates
to them that they ought to request to be connected to another port.
According to the spec this feature may be used based only the following
three conditions:
6.5.3 a_alt_hnp_support
Setting this feature indicates to the B-device that it is connected to
an A-device port that is not capable of HNP, but that the A-device does
have an alternate port that is capable of HNP.
The A-device is required to set this feature under the following conditions:
• the A-device has multiple receptacles
• the A-device port that connects to the B-device does not support HNP
• the A-device has another port that does support HNP
A check for the third and first condition is missing. Add it.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Fixes: 7d2d641c44269 ("usb: otg: don't set a_alt_hnp_support feature for OTG 2.0 device")
Link: https://lore.kernel.org/r/20240122153545.12284-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2368,17 +2368,25 @@ static int usb_enumerate_device_otg(stru
}
} else if (desc->bLength == sizeof
(struct usb_otg_descriptor)) {
- /* Set a_alt_hnp_support for legacy otg device */
- err = usb_control_msg(udev,
- usb_sndctrlpipe(udev, 0),
- USB_REQ_SET_FEATURE, 0,
- USB_DEVICE_A_ALT_HNP_SUPPORT,
- 0, NULL, 0,
- USB_CTRL_SET_TIMEOUT);
- if (err < 0)
- dev_err(&udev->dev,
- "set a_alt_hnp_support failed: %d\n",
- err);
+ /*
+ * We are operating on a legacy OTP device
+ * These should be told that they are operating
+ * on the wrong port if we have another port that does
+ * support HNP
+ */
+ if (bus->otg_port != 0) {
+ /* Set a_alt_hnp_support for legacy otg device */
+ err = usb_control_msg(udev,
+ usb_sndctrlpipe(udev, 0),
+ USB_REQ_SET_FEATURE, 0,
+ USB_DEVICE_A_ALT_HNP_SUPPORT,
+ 0, NULL, 0,
+ USB_CTRL_SET_TIMEOUT);
+ if (err < 0)
+ dev_err(&udev->dev,
+ "set a_alt_hnp_support failed: %d\n",
+ err);
+ }
}
}
#endif
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 368/476] usb: f_mass_storage: forbid async queue when shutdown happen
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 367/476] USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT Greg Kroah-Hartman
@ 2024-02-21 13:06 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 369/476] usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend Greg Kroah-Hartman
` (117 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, yuan linyu, Alan Stern
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: yuan linyu <yuanlinyu@hihonor.com>
commit b2d2d7ea0dd09802cf5a0545bf54d8ad8987d20c upstream.
When write UDC to empty and unbind gadget driver from gadget device, it is
possible that there are many queue failures for mass storage function.
The root cause is mass storage main thread alaways try to queue request to
receive a command from host if running flag is on, on platform like dwc3,
if pull down called, it will not queue request again and return
-ESHUTDOWN, but it not affect running flag of mass storage function.
Check return code from mass storage function and clear running flag if it
is -ESHUTDOWN, also indicate start in/out transfer failure to break loops.
Cc: stable <stable@kernel.org>
Signed-off-by: yuan linyu <yuanlinyu@hihonor.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20240123034829.3848409-1-yuanlinyu@hihonor.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_mass_storage.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_mass_storage.c
+++ b/drivers/usb/gadget/function/f_mass_storage.c
@@ -543,21 +543,37 @@ static int start_transfer(struct fsg_dev
static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
{
+ int rc;
+
if (!fsg_is_set(common))
return false;
bh->state = BUF_STATE_SENDING;
- if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
+ rc = start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq);
+ if (rc) {
bh->state = BUF_STATE_EMPTY;
+ if (rc == -ESHUTDOWN) {
+ common->running = 0;
+ return false;
+ }
+ }
return true;
}
static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
{
+ int rc;
+
if (!fsg_is_set(common))
return false;
bh->state = BUF_STATE_RECEIVING;
- if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
+ rc = start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq);
+ if (rc) {
bh->state = BUF_STATE_FULL;
+ if (rc == -ESHUTDOWN) {
+ common->running = 0;
+ return false;
+ }
+ }
return true;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 369/476] usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2024-02-21 13:06 ` [PATCH 5.15 368/476] usb: f_mass_storage: forbid async queue when shutdown happen Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 370/476] media: ir_toy: fix a memleak in irtoy_tx Greg Kroah-Hartman
` (116 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Uttkarsh Aggarwal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>
commit 61a348857e869432e6a920ad8ea9132e8d44c316 upstream.
In current scenario if Plug-out and Plug-In performed continuously
there could be a chance while checking for dwc->gadget_driver in
dwc3_gadget_suspend, a NULL pointer dereference may occur.
Call Stack:
CPU1: CPU2:
gadget_unbind_driver dwc3_suspend_common
dwc3_gadget_stop dwc3_gadget_suspend
dwc3_disconnect_gadget
CPU1 basically clears the variable and CPU2 checks the variable.
Consider CPU1 is running and right before gadget_driver is cleared
and in parallel CPU2 executes dwc3_gadget_suspend where it finds
dwc->gadget_driver which is not NULL and resumes execution and then
CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where
it checks dwc->gadget_driver is already NULL because of which the
NULL pointer deference occur.
Cc: stable@vger.kernel.org
Fixes: 9772b47a4c29 ("usb: dwc3: gadget: Fix suspend/resume during device mode")
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>
Link: https://lore.kernel.org/r/20240119094825.26530-1-quic_uaggarwa@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -4412,15 +4412,13 @@ int dwc3_gadget_suspend(struct dwc3 *dwc
unsigned long flags;
int ret;
- if (!dwc->gadget_driver)
- return 0;
-
ret = dwc3_gadget_soft_disconnect(dwc);
if (ret)
goto err;
spin_lock_irqsave(&dwc->lock, flags);
- dwc3_disconnect_gadget(dwc);
+ if (dwc->gadget_driver)
+ dwc3_disconnect_gadget(dwc);
spin_unlock_irqrestore(&dwc->lock, flags);
return 0;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 370/476] media: ir_toy: fix a memleak in irtoy_tx
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 369/476] usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 371/476] powerpc/kasan: Fix addr error caused by page alignment Greg Kroah-Hartman
` (115 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhipeng Lu, Sean Young,
Mauro Carvalho Chehab, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhipeng Lu <alexious@zju.edu.cn>
[ Upstream commit dc9ceb90c4b42c6e5c6757df1d6257110433788e ]
When irtoy_command fails, buf should be freed since it is allocated by
irtoy_tx, or there is a memleak.
Fixes: 4114978dcd24 ("media: ir_toy: prevent device from hanging during transmit")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/rc/ir_toy.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/rc/ir_toy.c b/drivers/media/rc/ir_toy.c
index 53ae19fa103a..658d27d29048 100644
--- a/drivers/media/rc/ir_toy.c
+++ b/drivers/media/rc/ir_toy.c
@@ -324,6 +324,7 @@ static int irtoy_tx(struct rc_dev *rc, uint *txbuf, uint count)
sizeof(COMMAND_SMODE_EXIT), STATE_RESET);
if (err) {
dev_err(irtoy->dev, "exit sample mode: %d\n", err);
+ kfree(buf);
return err;
}
@@ -331,6 +332,7 @@ static int irtoy_tx(struct rc_dev *rc, uint *txbuf, uint count)
sizeof(COMMAND_SMODE_ENTER), STATE_COMMAND);
if (err) {
dev_err(irtoy->dev, "enter sample mode: %d\n", err);
+ kfree(buf);
return err;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 371/476] powerpc/kasan: Fix addr error caused by page alignment
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 370/476] media: ir_toy: fix a memleak in irtoy_tx Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 372/476] i2c: i801: Remove i801_set_block_buffer_mode Greg Kroah-Hartman
` (114 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiangfeng Xiao, Michael Ellerman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
[ Upstream commit 4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0 ]
In kasan_init_region, when k_start is not page aligned, at the begin of
for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then
`va = block + k_cur - k_start` is less than block, the addr va is invalid,
because the memory address space from va to block is not alloced by
memblock_alloc, which will not be reserved by memblock_reserve later, it
will be used by other places.
As a result, memory overwriting occurs.
for example:
int __init __weak kasan_init_region(void *start, size_t size)
{
[...]
/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */
block = memblock_alloc(k_end - k_start, PAGE_SIZE);
[...]
for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
/* at the begin of for loop
* block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)
* va(dcd96c00) is less than block(dcd97000), va is invalid
*/
void *va = block + k_cur - k_start;
[...]
}
[...]
}
Therefore, page alignment is performed on k_start before
memblock_alloc() to ensure the validity of the VA address.
Fixes: 663c0c9496a6 ("powerpc/kasan: Fix shadow area set up for modules.")
Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/1705974359-43790-1-git-send-email-xiaojiangfeng@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/mm/kasan/kasan_init_32.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/mm/kasan/kasan_init_32.c b/arch/powerpc/mm/kasan/kasan_init_32.c
index f3e4d069e0ba..643fc525897d 100644
--- a/arch/powerpc/mm/kasan/kasan_init_32.c
+++ b/arch/powerpc/mm/kasan/kasan_init_32.c
@@ -64,6 +64,7 @@ int __init __weak kasan_init_region(void *start, size_t size)
if (ret)
return ret;
+ k_start = k_start & PAGE_MASK;
block = memblock_alloc(k_end - k_start, PAGE_SIZE);
if (!block)
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 372/476] i2c: i801: Remove i801_set_block_buffer_mode
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 371/476] powerpc/kasan: Fix addr error caused by page alignment Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-26 13:29 ` Jean Delvare
2024-02-21 13:07 ` [PATCH 5.15 373/476] i2c: i801: Fix block process call transactions Greg Kroah-Hartman
` (113 subsequent siblings)
485 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Jean Delvare,
Wolfram Sang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
[ Upstream commit 1e1d6582f483a4dba4ea03445e6f2f05d9de5bcf ]
If FEATURE_BLOCK_BUFFER is set then bit SMBAUXCTL_E32B is supported
and there's no benefit in reading it back. Origin of this check
seems to be 14 yrs ago when people were not completely sure which
chip versions support the block buffer mode.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Tested-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Stable-dep-of: c1c9d0f6f7f1 ("i2c: i801: Fix block process call transactions")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-i801.c | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
index 30b725d11178..8ecba1ca9236 100644
--- a/drivers/i2c/busses/i2c-i801.c
+++ b/drivers/i2c/busses/i2c-i801.c
@@ -519,9 +519,11 @@ static int i801_block_transaction_by_block(struct i801_priv *priv,
return -EOPNOTSUPP;
}
+ /* Set block buffer mode */
+ outb_p(inb_p(SMBAUXCTL(priv)) | SMBAUXCTL_E32B, SMBAUXCTL(priv));
+
inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */
- /* Use 32-byte buffer to process this transaction */
if (read_write == I2C_SMBUS_WRITE) {
len = data->block[0];
outb_p(len, SMBHSTDAT0(priv));
@@ -747,14 +749,6 @@ static int i801_block_transaction_byte_by_byte(struct i801_priv *priv,
return i801_check_post(priv, status);
}
-static int i801_set_block_buffer_mode(struct i801_priv *priv)
-{
- outb_p(inb_p(SMBAUXCTL(priv)) | SMBAUXCTL_E32B, SMBAUXCTL(priv));
- if ((inb_p(SMBAUXCTL(priv)) & SMBAUXCTL_E32B) == 0)
- return -EIO;
- return 0;
-}
-
/* Block transaction function */
static int i801_block_transaction(struct i801_priv *priv, union i2c_smbus_data *data,
char read_write, int command)
@@ -783,9 +777,8 @@ static int i801_block_transaction(struct i801_priv *priv, union i2c_smbus_data *
/* Experience has shown that the block buffer can only be used for
SMBus (not I2C) block transactions, even though the datasheet
doesn't mention this limitation. */
- if ((priv->features & FEATURE_BLOCK_BUFFER)
- && command != I2C_SMBUS_I2C_BLOCK_DATA
- && i801_set_block_buffer_mode(priv) == 0)
+ if ((priv->features & FEATURE_BLOCK_BUFFER) &&
+ command != I2C_SMBUS_I2C_BLOCK_DATA)
result = i801_block_transaction_by_block(priv, data,
read_write,
command);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 373/476] i2c: i801: Fix block process call transactions
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 372/476] i2c: i801: Remove i801_set_block_buffer_mode Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 374/476] modpost: trim leading spaces when processing source files list Greg Kroah-Hartman
` (112 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean Delvare, Piotr Zakowski,
Alexander Sverdlin, Andi Shyti, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean Delvare <jdelvare@suse.de>
[ Upstream commit c1c9d0f6f7f1dbf29db996bd8e166242843a5f21 ]
According to the Intel datasheets, software must reset the block
buffer index twice for block process call transactions: once before
writing the outgoing data to the buffer, and once again before
reading the incoming data from the buffer.
The driver is currently missing the second reset, causing the wrong
portion of the block buffer to be read.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Reported-by: Piotr Zakowski <piotr.zakowski@intel.com>
Closes: https://lore.kernel.org/linux-i2c/20240213120553.7b0ab120@endymion.delvare/
Fixes: 315cd67c9453 ("i2c: i801: Add Block Write-Block Read Process Call support")
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-i801.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
index 8ecba1ca9236..87c2c7c84736 100644
--- a/drivers/i2c/busses/i2c-i801.c
+++ b/drivers/i2c/busses/i2c-i801.c
@@ -522,11 +522,10 @@ static int i801_block_transaction_by_block(struct i801_priv *priv,
/* Set block buffer mode */
outb_p(inb_p(SMBAUXCTL(priv)) | SMBAUXCTL_E32B, SMBAUXCTL(priv));
- inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */
-
if (read_write == I2C_SMBUS_WRITE) {
len = data->block[0];
outb_p(len, SMBHSTDAT0(priv));
+ inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */
for (i = 0; i < len; i++)
outb_p(data->block[i+1], SMBBLKDAT(priv));
}
@@ -542,6 +541,7 @@ static int i801_block_transaction_by_block(struct i801_priv *priv,
return -EPROTO;
data->block[0] = len;
+ inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */
for (i = 0; i < len; i++)
data->block[i + 1] = inb_p(SMBBLKDAT(priv));
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 374/476] modpost: trim leading spaces when processing source files list
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 373/476] i2c: i801: Fix block process call transactions Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 375/476] mptcp: fix data re-injection from stale subflow Greg Kroah-Hartman
` (111 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Radek Krejci, Masahiro Yamada, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radek Krejci <radek.krejci@oracle.com>
[ Upstream commit 5d9a16b2a4d9e8fa028892ded43f6501bc2969e5 ]
get_line() does not trim the leading spaces, but the
parse_source_files() expects to get lines with source files paths where
the first space occurs after the file path.
Fixes: 70f30cfe5b89 ("modpost: use read_text_file() and get_line() for reading text files")
Signed-off-by: Radek Krejci <radek.krejci@oracle.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/mod/sumversion.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/scripts/mod/sumversion.c b/scripts/mod/sumversion.c
index 905c0ec291e1..e6962678032e 100644
--- a/scripts/mod/sumversion.c
+++ b/scripts/mod/sumversion.c
@@ -328,7 +328,12 @@ static int parse_source_files(const char *objfile, struct md4_ctx *md)
/* Sum all files in the same dir or subdirs. */
while ((line = get_line(&pos))) {
- char* p = line;
+ char* p;
+
+ /* trim the leading spaces away */
+ while (isspace(*line))
+ line++;
+ p = line;
if (strncmp(line, "source_", sizeof("source_")-1) == 0) {
p = strrchr(line, ' ');
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 375/476] mptcp: fix data re-injection from stale subflow
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 374/476] modpost: trim leading spaces when processing source files list Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 376/476] scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" Greg Kroah-Hartman
` (110 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
Matthieu Baerts (NGI0),
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit b6c620dc43ccb4e802894e54b651cf81495e9598 upstream.
When the MPTCP PM detects that a subflow is stale, all the packet
scheduler must re-inject all the mptcp-level unacked data. To avoid
acquiring unneeded locks, it first try to check if any unacked data
is present at all in the RTX queue, but such check is currently
broken, as it uses TCP-specific helper on an MPTCP socket.
Funnily enough fuzzers and static checkers are happy, as the accessed
memory still belongs to the mptcp_sock struct, and even from a
functional perspective the recovery completed successfully, as
the short-cut test always failed.
A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize
tcp_sock fast path variables") - exposed the issue, as the tcp field
reorganization makes the mptcp code always skip the re-inection.
Fix the issue dropping the bogus call: we are on a slow path, the early
optimization proved once again to be evil.
Fixes: 1e1d9d6f119c ("mptcp: handle pending data on closed subflow")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/468
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://lore.kernel.org/r/20240131-upstream-net-20240131-mptcp-ci-issues-v1-1-4c1c11e571ff@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 3 ---
1 file changed, 3 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2203,9 +2203,6 @@ bool __mptcp_retransmit_pending_data(str
if (__mptcp_check_fallback(mptcp_sk(sk)))
return false;
- if (tcp_rtx_and_write_queues_empty(sk))
- return false;
-
/* the closing socket has some data untransmitted and/or unacked:
* some data in the mptcp rtx queue has not really xmitted yet.
* keep it simple and re-inject the whole mptcp level rtx queue
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 376/476] scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 375/476] mptcp: fix data re-injection from stale subflow Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 377/476] Revert "drm/amd: flush any delayed gfxoff on suspend entry" Greg Kroah-Hartman
` (109 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Duncan, Hannes Reinecke,
Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Duncan <lduncan@suse.com>
commit 977fe773dcc7098d8eaf4ee6382cb51e13e784cb upstream.
This reverts commit 1a1975551943f681772720f639ff42fbaa746212.
This commit causes interrupts to be lost for FCoE devices, since it changed
sping locks from "bh" to "irqsave".
Instead, a work queue should be used, and will be addressed in a separate
commit.
Fixes: 1a1975551943 ("scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock")
Signed-off-by: Lee Duncan <lduncan@suse.com>
Link: https://lore.kernel.org/r/c578cdcd46b60470535c4c4a953e6a1feca0dffd.1707500786.git.lduncan@suse.com
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/fcoe/fcoe_ctlr.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -319,17 +319,16 @@ static void fcoe_ctlr_announce(struct fc
{
struct fcoe_fcf *sel;
struct fcoe_fcf *fcf;
- unsigned long flags;
mutex_lock(&fip->ctlr_mutex);
- spin_lock_irqsave(&fip->ctlr_lock, flags);
+ spin_lock_bh(&fip->ctlr_lock);
kfree_skb(fip->flogi_req);
fip->flogi_req = NULL;
list_for_each_entry(fcf, &fip->fcfs, list)
fcf->flogi_sent = 0;
- spin_unlock_irqrestore(&fip->ctlr_lock, flags);
+ spin_unlock_bh(&fip->ctlr_lock);
sel = fip->sel_fcf;
if (sel && ether_addr_equal(sel->fcf_mac, fip->dest_addr))
@@ -700,7 +699,6 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr
{
struct fc_frame *fp;
struct fc_frame_header *fh;
- unsigned long flags;
u16 old_xid;
u8 op;
u8 mac[ETH_ALEN];
@@ -734,11 +732,11 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr
op = FIP_DT_FLOGI;
if (fip->mode == FIP_MODE_VN2VN)
break;
- spin_lock_irqsave(&fip->ctlr_lock, flags);
+ spin_lock_bh(&fip->ctlr_lock);
kfree_skb(fip->flogi_req);
fip->flogi_req = skb;
fip->flogi_req_send = 1;
- spin_unlock_irqrestore(&fip->ctlr_lock, flags);
+ spin_unlock_bh(&fip->ctlr_lock);
schedule_work(&fip->timer_work);
return -EINPROGRESS;
case ELS_FDISC:
@@ -1715,11 +1713,10 @@ static int fcoe_ctlr_flogi_send_locked(s
static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip)
{
struct fcoe_fcf *fcf;
- unsigned long flags;
int error;
mutex_lock(&fip->ctlr_mutex);
- spin_lock_irqsave(&fip->ctlr_lock, flags);
+ spin_lock_bh(&fip->ctlr_lock);
LIBFCOE_FIP_DBG(fip, "re-sending FLOGI - reselect\n");
fcf = fcoe_ctlr_select(fip);
if (!fcf || fcf->flogi_sent) {
@@ -1730,7 +1727,7 @@ static int fcoe_ctlr_flogi_retry(struct
fcoe_ctlr_solicit(fip, NULL);
error = fcoe_ctlr_flogi_send_locked(fip);
}
- spin_unlock_irqrestore(&fip->ctlr_lock, flags);
+ spin_unlock_bh(&fip->ctlr_lock);
mutex_unlock(&fip->ctlr_mutex);
return error;
}
@@ -1747,9 +1744,8 @@ static int fcoe_ctlr_flogi_retry(struct
static void fcoe_ctlr_flogi_send(struct fcoe_ctlr *fip)
{
struct fcoe_fcf *fcf;
- unsigned long flags;
- spin_lock_irqsave(&fip->ctlr_lock, flags);
+ spin_lock_bh(&fip->ctlr_lock);
fcf = fip->sel_fcf;
if (!fcf || !fip->flogi_req_send)
goto unlock;
@@ -1776,7 +1772,7 @@ static void fcoe_ctlr_flogi_send(struct
} else /* XXX */
LIBFCOE_FIP_DBG(fip, "No FCF selected - defer send\n");
unlock:
- spin_unlock_irqrestore(&fip->ctlr_lock, flags);
+ spin_unlock_bh(&fip->ctlr_lock);
}
/**
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 377/476] Revert "drm/amd: flush any delayed gfxoff on suspend entry"
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 376/476] scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 378/476] lsm: fix the logic in security_inode_getsecctx() Greg Kroah-Hartman
` (108 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Mario Limonciello
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 916361685319098f696b798ef1560f69ed96e934 upstream.
commit ab4750332dbe ("drm/amdgpu/sdma5.2: add begin/end_use ring
callbacks") caused GFXOFF control to be used more heavily and the
codepath that was removed from commit 0dee72639533 ("drm/amd: flush any
delayed gfxoff on suspend entry") now can be exercised at suspend again.
Users report that by using GNOME to suspend the lockscreen trigger will
cause SDMA traffic and the system can deadlock.
This reverts commit 0dee726395333fea833eaaf838bc80962df886c8.
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Fixes: ab4750332dbe ("drm/amdgpu/sdma5.2: add begin/end_use ring callbacks")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 -
drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 9 ++++++++-
2 files changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -4089,7 +4089,6 @@ int amdgpu_device_suspend(struct drm_dev
amdgpu_fbdev_set_suspend(adev, 1);
cancel_delayed_work_sync(&adev->delayed_init_work);
- flush_delayed_work(&adev->gfx.gfx_off_delay_work);
amdgpu_ras_suspend(adev);
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
@@ -579,8 +579,15 @@ void amdgpu_gfx_off_ctrl(struct amdgpu_d
if (adev->gfx.gfx_off_req_count == 0 &&
!adev->gfx.gfx_off_state) {
- schedule_delayed_work(&adev->gfx.gfx_off_delay_work,
+ /* If going to s2idle, no need to wait */
+ if (adev->in_s0ix) {
+ if (!amdgpu_dpm_set_powergating_by_smu(adev,
+ AMD_IP_BLOCK_TYPE_GFX, true))
+ adev->gfx.gfx_off_state = true;
+ } else {
+ schedule_delayed_work(&adev->gfx.gfx_off_delay_work,
delay);
+ }
}
} else {
if (adev->gfx.gfx_off_req_count == 0) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 378/476] lsm: fix the logic in security_inode_getsecctx()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 377/476] Revert "drm/amd: flush any delayed gfxoff on suspend entry" Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 379/476] firewire: core: correct documentation of fw_csr_string() kernel API Greg Kroah-Hartman
` (107 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Ondrej Mosnacek,
Casey Schaufler, Paul Moore
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
commit 99b817c173cd213671daecd25ca27f56b0c7c4ec upstream.
The inode_getsecctx LSM hook has previously been corrected to have
-EOPNOTSUPP instead of 0 as the default return value to fix BPF LSM
behavior. However, the call_int_hook()-generated loop in
security_inode_getsecctx() was left treating 0 as the neutral value, so
after an LSM returns 0, the loop continues to try other LSMs, and if one
of them returns a non-zero value, the function immediately returns with
said value. So in a situation where SELinux and the BPF LSMs registered
this hook, -EOPNOTSUPP would be incorrectly returned whenever SELinux
returned 0.
Fix this by open-coding the call_int_hook() loop and making it use the
correct LSM_RET_DEFAULT() value as the neutral one, similar to what
other hooks do.
Cc: stable@vger.kernel.org
Reported-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Link: https://lore.kernel.org/selinux/CAEjxPJ4ev-pasUwGx48fDhnmjBnq_Wh90jYPwRQRAqXxmOKD4Q@mail.gmail.com/
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2257983
Fixes: b36995b8609a ("lsm: fix default return value for inode_getsecctx")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/security.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/security/security.c
+++ b/security/security.c
@@ -2163,7 +2163,19 @@ EXPORT_SYMBOL(security_inode_setsecctx);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
{
- return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen);
+ struct security_hook_list *hp;
+ int rc;
+
+ /*
+ * Only one module will provide a security context.
+ */
+ hlist_for_each_entry(hp, &security_hook_heads.inode_getsecctx, list) {
+ rc = hp->hook.inode_getsecctx(inode, ctx, ctxlen);
+ if (rc != LSM_RET_DEFAULT(inode_getsecctx))
+ return rc;
+ }
+
+ return LSM_RET_DEFAULT(inode_getsecctx);
}
EXPORT_SYMBOL(security_inode_getsecctx);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 379/476] firewire: core: correct documentation of fw_csr_string() kernel API
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 378/476] lsm: fix the logic in security_inode_getsecctx() Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 380/476] kbuild: Fix changing ELF file type for output of gen_btf for big endian Greg Kroah-Hartman
` (106 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Sakamoto
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
commit 5f9ab17394f831cb7986ec50900fa37507a127f1 upstream.
Against its current description, the kernel API can accepts all types of
directory entries.
This commit corrects the documentation.
Cc: stable@vger.kernel.org
Fixes: 3c2c58cb33b3 ("firewire: core: fw_csr_string addendum")
Link: https://lore.kernel.org/r/20240130100409.30128-2-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firewire/core-device.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/drivers/firewire/core-device.c
+++ b/drivers/firewire/core-device.c
@@ -100,10 +100,9 @@ static int textual_leaf_to_string(const
* @buf: where to put the string
* @size: size of @buf, in bytes
*
- * The string is taken from a minimal ASCII text descriptor leaf after
- * the immediate entry with @key. The string is zero-terminated.
- * An overlong string is silently truncated such that it and the
- * zero byte fit into @size.
+ * The string is taken from a minimal ASCII text descriptor leaf just after the entry with the
+ * @key. The string is zero-terminated. An overlong string is silently truncated such that it
+ * and the zero byte fit into @size.
*
* Returns strlen(buf) or a negative error code.
*/
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 380/476] kbuild: Fix changing ELF file type for output of gen_btf for big endian
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 379/476] firewire: core: correct documentation of fw_csr_string() kernel API Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 16:54 ` Nathan Chancellor
2024-02-21 13:07 ` [PATCH 5.15 381/476] nfc: nci: free rx_data_reassembly skb on NCI device cleanup Greg Kroah-Hartman
` (105 subsequent siblings)
485 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Nathan Chancellor,
Fangrui Song, Nicolas Schier, Kees Cook, Justin Stitt
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit e3a9ee963ad8ba677ca925149812c5932b49af69 upstream.
Commit 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF")
changed the ELF type of .btf.vmlinux.bin.o to ET_REL via dd, which works
fine for little endian platforms:
00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
-00000010 03 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................|
+00000010 01 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................|
However, for big endian platforms, it changes the wrong byte, resulting
in an invalid ELF file type, which ld.lld rejects:
00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............|
-00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
+00000010 01 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
Type: <unknown>: 103
ld.lld: error: .btf.vmlinux.bin.o: unknown file type
Fix this by updating the entire 16-bit e_type field rather than just a
single byte, so that everything works correctly for all platforms and
linkers.
00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............|
-00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
+00000010 00 01 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
Type: REL (Relocatable file)
While in the area, update the comment to mention that binutils 2.35+
matches LLD's behavior of rejecting an ET_EXEC input, which occurred
after the comment was added.
Cc: stable@vger.kernel.org
Fixes: 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF")
Link: https://github.com/llvm/llvm-project/pull/75643
Suggested-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Fangrui Song <maskray@google.com>
Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Justin Stitt <justinstitt@google.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/link-vmlinux.sh | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/scripts/link-vmlinux.sh
+++ b/scripts/link-vmlinux.sh
@@ -236,8 +236,13 @@ gen_btf()
${OBJCOPY} --only-section=.BTF --set-section-flags .BTF=alloc,readonly \
--strip-all ${1} ${2} 2>/dev/null
# Change e_type to ET_REL so that it can be used to link final vmlinux.
- # Unlike GNU ld, lld does not allow an ET_EXEC input.
- printf '\1' | dd of=${2} conv=notrunc bs=1 seek=16 status=none
+ # GNU ld 2.35+ and lld do not allow an ET_EXEC input.
+ if is_enabled CONFIG_CPU_BIG_ENDIAN; then
+ et_rel='\0\1'
+ else
+ et_rel='\1\0'
+ fi
+ printf "${et_rel}" | dd of=${2} conv=notrunc bs=1 seek=16 status=none
}
# Create ${2} .S file with all symbols from the ${1} object file
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 381/476] nfc: nci: free rx_data_reassembly skb on NCI device cleanup
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 380/476] kbuild: Fix changing ELF file type for output of gen_btf for big endian Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 382/476] net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() Greg Kroah-Hartman
` (104 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6b7c68d9c21e4ee4251b,
Fedor Pchelkin, David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c upstream.
rx_data_reassembly skb is stored during NCI data exchange for processing
fragmented packets. It is dropped only when the last fragment is processed
or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.
However, the NCI device may be deallocated before that which leads to skb
leak.
As by design the rx_data_reassembly skb is bound to the NCI device and
nothing prevents the device to be freed before the skb is processed in
some way and cleaned, free it on the NCI device cleanup.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Cc: stable@vger.kernel.org
Reported-by: syzbot+6b7c68d9c21e4ee4251b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/nci/core.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -1211,6 +1211,10 @@ void nci_free_device(struct nci_dev *nde
{
nfc_free_device(ndev->nfc_dev);
nci_hci_deallocate(ndev);
+
+ /* drop partial rx data packet if present */
+ if (ndev->rx_data_reassembly)
+ kfree_skb(ndev->rx_data_reassembly);
kfree(ndev);
}
EXPORT_SYMBOL(nci_free_device);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 382/476] net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 381/476] nfc: nci: free rx_data_reassembly skb on NCI device cleanup Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 383/476] xen-netback: properly sync TX responses Greg Kroah-Hartman
` (103 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3ae0a3f42c84074b7c8e,
Nikita Zhandarovich, David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit 37e8c97e539015637cb920d3e6f1e404f707a06e upstream.
Syzkaller reported [1] hitting a warning after failing to allocate
resources for skb in hsr_init_skb(). Since a WARN_ONCE() call will
not help much in this case, it might be prudent to switch to
netdev_warn_once(). At the very least it will suppress syzkaller
reports such as [1].
Just in case, use netdev_warn_once() in send_prp_supervision_frame()
for similar reasons.
[1]
HSR: Could not send supervision frame
WARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
RIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
...
Call Trace:
<IRQ>
hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382
call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
expire_timers kernel/time/timer.c:1751 [inline]
__run_timers+0x764/0xb20 kernel/time/timer.c:2022
run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
...
This issue is also found in older kernels (at least up to 5.10).
Cc: stable@vger.kernel.org
Reported-by: syzbot+3ae0a3f42c84074b7c8e@syzkaller.appspotmail.com
Fixes: 121c33b07b31 ("net: hsr: introduce common code for skb initialization")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/hsr/hsr_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -291,7 +291,7 @@ static void send_hsr_supervision_frame(s
skb = hsr_init_skb(master);
if (!skb) {
- WARN_ONCE(1, "HSR: Could not send supervision frame\n");
+ netdev_warn_once(master->dev, "HSR: Could not send supervision frame\n");
return;
}
@@ -338,7 +338,7 @@ static void send_prp_supervision_frame(s
skb = hsr_init_skb(master);
if (!skb) {
- WARN_ONCE(1, "PRP: Could not send supervision frame\n");
+ netdev_warn_once(master->dev, "PRP: Could not send supervision frame\n");
return;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 383/476] xen-netback: properly sync TX responses
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 382/476] net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 384/476] ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL Greg Kroah-Hartman
` (102 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Beulich, Paul Durrant, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <jbeulich@suse.com>
commit 7b55984c96ffe9e236eb9c82a2196e0b1f84990d upstream.
Invoking the make_tx_response() / push_tx_responses() pair with no lock
held would be acceptable only if all such invocations happened from the
same context (NAPI instance or dealloc thread). Since this isn't the
case, and since the interface "spec" also doesn't demand that multicast
operations may only be performed with no in-flight transmits,
MCAST_{ADD,DEL} processing also needs to acquire the response lock
around the invocations.
To prevent similar mistakes going forward, "downgrade" the present
functions to private helpers of just the two remaining ones using them
directly, with no forward declarations anymore. This involves renaming
what so far was make_tx_response(), for the new function of that name
to serve the new (wrapper) purpose.
While there,
- constify the txp parameters,
- correct xenvif_idx_release()'s status parameter's type,
- rename {,_}make_tx_response()'s status parameters for consistency with
xenvif_idx_release()'s.
Fixes: 210c34dcd8d9 ("xen-netback: add support for multicast control")
Cc: stable@vger.kernel.org
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Link: https://lore.kernel.org/r/980c6c3d-e10e-4459-8565-e8fbde122f00@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/xen-netback/netback.c | 84 ++++++++++++++++++--------------------
1 file changed, 40 insertions(+), 44 deletions(-)
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -104,13 +104,12 @@ bool provides_xdp_headroom = true;
module_param(provides_xdp_headroom, bool, 0644);
static void xenvif_idx_release(struct xenvif_queue *queue, u16 pending_idx,
- u8 status);
+ s8 status);
static void make_tx_response(struct xenvif_queue *queue,
- struct xen_netif_tx_request *txp,
+ const struct xen_netif_tx_request *txp,
unsigned int extra_count,
- s8 st);
-static void push_tx_responses(struct xenvif_queue *queue);
+ s8 status);
static void xenvif_idx_unmap(struct xenvif_queue *queue, u16 pending_idx);
@@ -208,13 +207,9 @@ static void xenvif_tx_err(struct xenvif_
unsigned int extra_count, RING_IDX end)
{
RING_IDX cons = queue->tx.req_cons;
- unsigned long flags;
do {
- spin_lock_irqsave(&queue->response_lock, flags);
make_tx_response(queue, txp, extra_count, XEN_NETIF_RSP_ERROR);
- push_tx_responses(queue);
- spin_unlock_irqrestore(&queue->response_lock, flags);
if (cons == end)
break;
RING_COPY_REQUEST(&queue->tx, cons++, txp);
@@ -465,12 +460,7 @@ static void xenvif_get_requests(struct x
for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS;
nr_slots--) {
if (unlikely(!txp->size)) {
- unsigned long flags;
-
- spin_lock_irqsave(&queue->response_lock, flags);
make_tx_response(queue, txp, 0, XEN_NETIF_RSP_OKAY);
- push_tx_responses(queue);
- spin_unlock_irqrestore(&queue->response_lock, flags);
++txp;
continue;
}
@@ -496,14 +486,8 @@ static void xenvif_get_requests(struct x
for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; ++txp) {
if (unlikely(!txp->size)) {
- unsigned long flags;
-
- spin_lock_irqsave(&queue->response_lock, flags);
make_tx_response(queue, txp, 0,
XEN_NETIF_RSP_OKAY);
- push_tx_responses(queue);
- spin_unlock_irqrestore(&queue->response_lock,
- flags);
continue;
}
@@ -997,7 +981,6 @@ static void xenvif_tx_build_gops(struct
(ret == 0) ?
XEN_NETIF_RSP_OKAY :
XEN_NETIF_RSP_ERROR);
- push_tx_responses(queue);
continue;
}
@@ -1009,7 +992,6 @@ static void xenvif_tx_build_gops(struct
make_tx_response(queue, &txreq, extra_count,
XEN_NETIF_RSP_OKAY);
- push_tx_responses(queue);
continue;
}
@@ -1445,8 +1427,35 @@ int xenvif_tx_action(struct xenvif_queue
return work_done;
}
+static void _make_tx_response(struct xenvif_queue *queue,
+ const struct xen_netif_tx_request *txp,
+ unsigned int extra_count,
+ s8 status)
+{
+ RING_IDX i = queue->tx.rsp_prod_pvt;
+ struct xen_netif_tx_response *resp;
+
+ resp = RING_GET_RESPONSE(&queue->tx, i);
+ resp->id = txp->id;
+ resp->status = status;
+
+ while (extra_count-- != 0)
+ RING_GET_RESPONSE(&queue->tx, ++i)->status = XEN_NETIF_RSP_NULL;
+
+ queue->tx.rsp_prod_pvt = ++i;
+}
+
+static void push_tx_responses(struct xenvif_queue *queue)
+{
+ int notify;
+
+ RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&queue->tx, notify);
+ if (notify)
+ notify_remote_via_irq(queue->tx_irq);
+}
+
static void xenvif_idx_release(struct xenvif_queue *queue, u16 pending_idx,
- u8 status)
+ s8 status)
{
struct pending_tx_info *pending_tx_info;
pending_ring_idx_t index;
@@ -1456,8 +1465,8 @@ static void xenvif_idx_release(struct xe
spin_lock_irqsave(&queue->response_lock, flags);
- make_tx_response(queue, &pending_tx_info->req,
- pending_tx_info->extra_count, status);
+ _make_tx_response(queue, &pending_tx_info->req,
+ pending_tx_info->extra_count, status);
/* Release the pending index before pusing the Tx response so
* its available before a new Tx request is pushed by the
@@ -1471,32 +1480,19 @@ static void xenvif_idx_release(struct xe
spin_unlock_irqrestore(&queue->response_lock, flags);
}
-
static void make_tx_response(struct xenvif_queue *queue,
- struct xen_netif_tx_request *txp,
+ const struct xen_netif_tx_request *txp,
unsigned int extra_count,
- s8 st)
+ s8 status)
{
- RING_IDX i = queue->tx.rsp_prod_pvt;
- struct xen_netif_tx_response *resp;
-
- resp = RING_GET_RESPONSE(&queue->tx, i);
- resp->id = txp->id;
- resp->status = st;
-
- while (extra_count-- != 0)
- RING_GET_RESPONSE(&queue->tx, ++i)->status = XEN_NETIF_RSP_NULL;
+ unsigned long flags;
- queue->tx.rsp_prod_pvt = ++i;
-}
+ spin_lock_irqsave(&queue->response_lock, flags);
-static void push_tx_responses(struct xenvif_queue *queue)
-{
- int notify;
+ _make_tx_response(queue, txp, extra_count, status);
+ push_tx_responses(queue);
- RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&queue->tx, notify);
- if (notify)
- notify_remote_via_irq(queue->tx_irq);
+ spin_unlock_irqrestore(&queue->response_lock, flags);
}
static void xenvif_idx_unmap(struct xenvif_queue *queue, u16 pending_idx)
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 384/476] ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 383/476] xen-netback: properly sync TX responses Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 385/476] ASoC: codecs: wcd938x: handle deferred probe Greg Kroah-Hartman
` (101 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Edson Juliano Drosdeck, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
commit c7de2d9bb68a5fc71c25ff96705a80a76c8436eb upstream.
Vaio VJFE-ADL is equipped with ALC269VC, and it needs
ALC298_FIXUP_SPK_VOLUME quirk to make its headset mic work.
Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240201122114.30080-1-edson.drosdeck@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9415,6 +9415,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
SND_PCI_QUIRK(0x2782, 0x0232, "CHUWI CoreBook XPro", ALC269VB_FIXUP_CHUWI_COREBOOK_XPRO),
+ SND_PCI_QUIRK(0x2782, 0x1707, "Vaio VJFE-ADL", ALC298_FIXUP_SPK_VOLUME),
SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC),
SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED),
SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10),
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 385/476] ASoC: codecs: wcd938x: handle deferred probe
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 384/476] ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 386/476] ALSA: hda/cs8409: Suppress vmaster control for Dolphin models Greg Kroah-Hartman
` (100 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 086df711d9b886194481b4fbe525eb43e9ae7403 upstream.
WCD938x sound codec driver ignores return status of getting regulators
and returns EINVAL instead of EPROBE_DEFER. If regulator provider
probes after the codec, system is left without probed audio:
wcd938x_codec audio-codec: wcd938x_probe: Fail to obtain platform data
wcd938x_codec: probe of audio-codec failed with error -22
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://msgid.link/r/20240117151208.1219755-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd938x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/codecs/wcd938x.c
+++ b/sound/soc/codecs/wcd938x.c
@@ -4573,7 +4573,7 @@ static int wcd938x_probe(struct platform
ret = wcd938x_populate_dt_data(wcd938x, dev);
if (ret) {
dev_err(dev, "%s: Fail to obtain platform data\n", __func__);
- return -EINVAL;
+ return ret;
}
ret = wcd938x_add_slave_components(wcd938x, dev, &match);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 386/476] ALSA: hda/cs8409: Suppress vmaster control for Dolphin models
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 385/476] ASoC: codecs: wcd938x: handle deferred probe Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 387/476] binder: signal epoll threads of self-work Greg Kroah-Hartman
` (99 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vitaly Rodionov, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
commit a2ed0a44d637ef9deca595054c206da7d6cbdcbc upstream.
Customer has reported an issue with specific desktop platform
where two CS42L42 codecs are connected to CS8409 HDA bridge.
If "Master Volume Control" is created then on Ubuntu OS UCM
left/right balance slider in UI audio settings has no effect.
This patch will fix this issue for a target paltform.
Fixes: 20e507724113 ("ALSA: hda/cs8409: Add support for dolphin")
Signed-off-by: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240122184710.5802-1-vitalyr@opensource.cirrus.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_cs8409.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_cs8409.c
+++ b/sound/pci/hda/patch_cs8409.c
@@ -1200,6 +1200,7 @@ void dolphin_fixups(struct hda_codec *co
spec->scodecs[CS8409_CODEC1] = &dolphin_cs42l42_1;
spec->scodecs[CS8409_CODEC1]->codec = codec;
spec->num_scodecs = 2;
+ spec->gen.suppress_vmaster = 1;
codec->patch_ops = cs8409_dolphin_patch_ops;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 387/476] binder: signal epoll threads of self-work
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 386/476] ALSA: hda/cs8409: Suppress vmaster control for Dolphin models Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 388/476] misc: fastrpc: Mark all sessions as invalid in cb_remove Greg Kroah-Hartman
` (98 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arve Hjønnevåg,
Martijn Coenen, Alice Ryhl, Steven Moreland, Carlos Llamas
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
commit 97830f3c3088638ff90b20dfba2eb4d487bf14d7 upstream.
In (e)poll mode, threads often depend on I/O events to determine when
data is ready for consumption. Within binder, a thread may initiate a
command via BINDER_WRITE_READ without a read buffer and then make use
of epoll_wait() or similar to consume any responses afterwards.
It is then crucial that epoll threads are signaled via wakeup when they
queue their own work. Otherwise, they risk waiting indefinitely for an
event leaving their work unhandled. What is worse, subsequent commands
won't trigger a wakeup either as the thread has pending work.
Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Cc: Arve Hjønnevåg <arve@android.com>
Cc: Martijn Coenen <maco@android.com>
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Steven Moreland <smoreland@google.com>
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240131215347.1808751-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -450,6 +450,16 @@ binder_enqueue_thread_work_ilocked(struc
{
WARN_ON(!list_empty(&thread->waiting_thread_node));
binder_enqueue_work_ilocked(work, &thread->todo);
+
+ /* (e)poll-based threads require an explicit wakeup signal when
+ * queuing their own work; they rely on these events to consume
+ * messages without I/O block. Without it, threads risk waiting
+ * indefinitely without handling the work.
+ */
+ if (thread->looper & BINDER_LOOPER_STATE_POLL &&
+ thread->pid == current->pid && !thread->process_todo)
+ wake_up_interruptible_sync(&thread->wait);
+
thread->process_todo = true;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 388/476] misc: fastrpc: Mark all sessions as invalid in cb_remove
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 387/476] binder: signal epoll threads of self-work Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 389/476] ext4: fix double-free of blocks due to wrong extents moved_len Greg Kroah-Hartman
` (97 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ekansh Gupta
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ekansh Gupta <quic_ekangupt@quicinc.com>
commit a4e61de63e34860c36a71d1a364edba16fb6203b upstream.
In remoteproc shutdown sequence, rpmsg_remove will get called which
would depopulate all the child nodes that have been created during
rpmsg_probe. This would result in cb_remove call for all the context
banks for the remoteproc. In cb_remove function, session 0 is
getting skipped which is not correct as session 0 will never become
available again. Add changes to mark session 0 also as invalid.
Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable <stable@kernel.org>
Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
Link: https://lore.kernel.org/r/20240108114833.20480-1-quic_ekangupt@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/fastrpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1594,7 +1594,7 @@ static int fastrpc_cb_remove(struct plat
int i;
spin_lock_irqsave(&cctx->lock, flags);
- for (i = 1; i < FASTRPC_MAX_SESSIONS; i++) {
+ for (i = 0; i < FASTRPC_MAX_SESSIONS; i++) {
if (cctx->session[i].sid == sess->sid) {
cctx->session[i].valid = false;
cctx->sesscount--;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 389/476] ext4: fix double-free of blocks due to wrong extents moved_len
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 388/476] misc: fastrpc: Mark all sessions as invalid in cb_remove Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 390/476] tracing: Fix wasted memory in saved_cmdlines logic Greg Kroah-Hartman
` (96 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Chen, xingwei lee, Baokun Li,
Jan Kara, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 55583e899a5357308274601364741a83e78d6ac4 upstream.
In ext4_move_extents(), moved_len is only updated when all moves are
successfully executed, and only discards orig_inode and donor_inode
preallocations when moved_len is not zero. When the loop fails to exit
after successfully moving some extents, moved_len is not updated and
remains at 0, so it does not discard the preallocations.
If the moved extents overlap with the preallocated extents, the
overlapped extents are freed twice in ext4_mb_release_inode_pa() and
ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4:
Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is
incremented twice. Hence when trim is executed, a zero-division bug is
triggered in mb_update_avg_fragment_size() because bb_free is not zero
and bb_fragments is zero.
Therefore, update move_len after each extent move to avoid the issue.
Reported-by: Wei Chen <harperchen1110@gmail.com>
Reported-by: xingwei lee <xrivendell7@gmail.com>
Closes: https://lore.kernel.org/r/CAO4mrferzqBUnCag8R3m2zf897ts9UEuhjFQGPtODT92rYyR2Q@mail.gmail.com
Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base")
CC: <stable@vger.kernel.org> # 3.18
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240104142040.2835097-2-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/move_extent.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -615,6 +615,7 @@ ext4_move_extents(struct file *o_filp, s
goto out;
o_end = o_start + len;
+ *moved_len = 0;
while (o_start < o_end) {
struct ext4_extent *ex;
ext4_lblk_t cur_blk, next_blk;
@@ -670,7 +671,7 @@ ext4_move_extents(struct file *o_filp, s
*/
ext4_double_up_write_data_sem(orig_inode, donor_inode);
/* Swap original branches with new branches */
- move_extent_per_page(o_filp, donor_inode,
+ *moved_len += move_extent_per_page(o_filp, donor_inode,
orig_page_index, donor_page_index,
offset_in_page, cur_len,
unwritten, &ret);
@@ -680,9 +681,6 @@ ext4_move_extents(struct file *o_filp, s
o_start += cur_len;
d_start += cur_len;
}
- *moved_len = o_start - orig_blk;
- if (*moved_len > len)
- *moved_len = len;
out:
if (*moved_len) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 390/476] tracing: Fix wasted memory in saved_cmdlines logic
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 389/476] ext4: fix double-free of blocks due to wrong extents moved_len Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 391/476] staging: iio: ad5933: fix type mismatch regression Greg Kroah-Hartman
` (95 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Vincent Donnefort, Sven Schnelle, Mete Durlu,
Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 44dc5c41b5b1267d4dd037d26afc0c4d3a568acb upstream.
While looking at improving the saved_cmdlines cache I found a huge amount
of wasted memory that should be used for the cmdlines.
The tracing data saves pids during the trace. At sched switch, if a trace
occurred, it will save the comm of the task that did the trace. This is
saved in a "cache" that maps pids to comms and exposed to user space via
the /sys/kernel/tracing/saved_cmdlines file. Currently it only caches by
default 128 comms.
The structure that uses this creates an array to store the pids using
PID_MAX_DEFAULT (which is usually set to 32768). This causes the structure
to be of the size of 131104 bytes on 64 bit machines.
In hex: 131104 = 0x20020, and since the kernel allocates generic memory in
powers of two, the kernel would allocate 0x40000 or 262144 bytes to store
this structure. That leaves 131040 bytes of wasted space.
Worse, the structure points to an allocated array to store the comm names,
which is 16 bytes times the amount of names to save (currently 128), which
is 2048 bytes. Instead of allocating a separate array, make the structure
end with a variable length string and use the extra space for that.
This is similar to a recommendation that Linus had made about eventfs_inode names:
https://lore.kernel.org/all/20240130190355.11486-5-torvalds@linux-foundation.org/
Instead of allocating a separate string array to hold the saved comms,
have the structure end with: char saved_cmdlines[]; and round up to the
next power of two over sizeof(struct saved_cmdline_buffers) + num_cmdlines * TASK_COMM_LEN
It will use this extra space for the saved_cmdline portion.
Now, instead of saving only 128 comms by default, by using this wasted
space at the end of the structure it can save over 8000 comms and even
saves space by removing the need for allocating the other array.
Link: https://lore.kernel.org/linux-trace-kernel/20240209063622.1f7b6d5f@rorschach.local.home
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Vincent Donnefort <vdonnefort@google.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Mete Durlu <meted@linux.ibm.com>
Fixes: 939c7a4f04fcd ("tracing: Introduce saved_cmdlines_size file")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 75 +++++++++++++++++++++++++--------------------------
1 file changed, 37 insertions(+), 38 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2236,7 +2236,7 @@ struct saved_cmdlines_buffer {
unsigned *map_cmdline_to_pid;
unsigned cmdline_num;
int cmdline_idx;
- char *saved_cmdlines;
+ char saved_cmdlines[];
};
static struct saved_cmdlines_buffer *savedcmd;
@@ -2250,47 +2250,58 @@ static inline void set_cmdline(int idx,
strncpy(get_saved_cmdlines(idx), cmdline, TASK_COMM_LEN);
}
-static int allocate_cmdlines_buffer(unsigned int val,
- struct saved_cmdlines_buffer *s)
+static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s)
{
+ int order = get_order(sizeof(*s) + s->cmdline_num * TASK_COMM_LEN);
+
+ kfree(s->map_cmdline_to_pid);
+ free_pages((unsigned long)s, order);
+}
+
+static struct saved_cmdlines_buffer *allocate_cmdlines_buffer(unsigned int val)
+{
+ struct saved_cmdlines_buffer *s;
+ struct page *page;
+ int orig_size, size;
+ int order;
+
+ /* Figure out how much is needed to hold the given number of cmdlines */
+ orig_size = sizeof(*s) + val * TASK_COMM_LEN;
+ order = get_order(orig_size);
+ size = 1 << (order + PAGE_SHIFT);
+ page = alloc_pages(GFP_KERNEL, order);
+ if (!page)
+ return NULL;
+
+ s = page_address(page);
+ memset(s, 0, sizeof(*s));
+
+ /* Round up to actual allocation */
+ val = (size - sizeof(*s)) / TASK_COMM_LEN;
+ s->cmdline_num = val;
+
s->map_cmdline_to_pid = kmalloc_array(val,
sizeof(*s->map_cmdline_to_pid),
GFP_KERNEL);
- if (!s->map_cmdline_to_pid)
- return -ENOMEM;
-
- s->saved_cmdlines = kmalloc_array(TASK_COMM_LEN, val, GFP_KERNEL);
- if (!s->saved_cmdlines) {
- kfree(s->map_cmdline_to_pid);
- return -ENOMEM;
+ if (!s->map_cmdline_to_pid) {
+ free_saved_cmdlines_buffer(s);
+ return NULL;
}
s->cmdline_idx = 0;
- s->cmdline_num = val;
memset(&s->map_pid_to_cmdline, NO_CMDLINE_MAP,
sizeof(s->map_pid_to_cmdline));
memset(s->map_cmdline_to_pid, NO_CMDLINE_MAP,
val * sizeof(*s->map_cmdline_to_pid));
- return 0;
+ return s;
}
static int trace_create_savedcmd(void)
{
- int ret;
-
- savedcmd = kmalloc(sizeof(*savedcmd), GFP_KERNEL);
- if (!savedcmd)
- return -ENOMEM;
+ savedcmd = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT);
- ret = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT, savedcmd);
- if (ret < 0) {
- kfree(savedcmd);
- savedcmd = NULL;
- return -ENOMEM;
- }
-
- return 0;
+ return savedcmd ? 0 : -ENOMEM;
}
int is_tracing_stopped(void)
@@ -5947,26 +5958,14 @@ tracing_saved_cmdlines_size_read(struct
return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
}
-static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s)
-{
- kfree(s->saved_cmdlines);
- kfree(s->map_cmdline_to_pid);
- kfree(s);
-}
-
static int tracing_resize_saved_cmdlines(unsigned int val)
{
struct saved_cmdlines_buffer *s, *savedcmd_temp;
- s = kmalloc(sizeof(*s), GFP_KERNEL);
+ s = allocate_cmdlines_buffer(val);
if (!s)
return -ENOMEM;
- if (allocate_cmdlines_buffer(val, s) < 0) {
- kfree(s);
- return -ENOMEM;
- }
-
preempt_disable();
arch_spin_lock(&trace_cmdline_lock);
savedcmd_temp = savedcmd;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 391/476] staging: iio: ad5933: fix type mismatch regression
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 390/476] tracing: Fix wasted memory in saved_cmdlines logic Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 392/476] iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC Greg Kroah-Hartman
` (94 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Schiller, Stable, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Schiller <david.schiller@jku.at>
commit 6db053cd949fcd6254cea9f2cd5d39f7bd64379c upstream.
Commit 4c3577db3e4f ("Staging: iio: impedance-analyzer: Fix sparse
warning") fixed a compiler warning, but introduced a bug that resulted
in one of the two 16 bit IIO channels always being zero (when both are
enabled).
This is because int is 32 bits wide on most architectures and in the
case of a little-endian machine the two most significant bytes would
occupy the buffer for the second channel as 'val' is being passed as a
void pointer to 'iio_push_to_buffers()'.
Fix by defining 'val' as u16. Tested working on ARM64.
Fixes: 4c3577db3e4f ("Staging: iio: impedance-analyzer: Fix sparse warning")
Signed-off-by: David Schiller <david.schiller@jku.at>
Link: https://lore.kernel.org/r/20240122134916.2137957-1-david.schiller@jku.at
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
+++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
@@ -608,7 +608,7 @@ static void ad5933_work(struct work_stru
struct ad5933_state, work.work);
struct iio_dev *indio_dev = i2c_get_clientdata(st->client);
__be16 buf[2];
- int val[2];
+ u16 val[2];
unsigned char status;
int ret;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 392/476] iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 391/476] staging: iio: ad5933: fix type mismatch regression Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 393/476] iio: core: fix memleak in iio_device_register_sysfs Greg Kroah-Hartman
` (93 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhouyi Zhou, zhili.liu, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhili.liu <zhili.liu@ucas.com.cn>
commit 792595bab4925aa06532a14dd256db523eb4fa5e upstream.
Recently, we encounter kernel crash in function rm3100_common_probe
caused by out of bound access of array rm3100_samp_rates (because of
underlying hardware failures). Add boundary check to prevent out of
bound access.
Fixes: 121354b2eceb ("iio: magnetometer: Add driver support for PNI RM3100")
Suggested-by: Zhouyi Zhou <zhouzhouyi@gmail.com>
Signed-off-by: zhili.liu <zhili.liu@ucas.com.cn>
Link: https://lore.kernel.org/r/1704157631-3814-1-git-send-email-zhouzhouyi@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/magnetometer/rm3100-core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/iio/magnetometer/rm3100-core.c
+++ b/drivers/iio/magnetometer/rm3100-core.c
@@ -538,6 +538,7 @@ int rm3100_common_probe(struct device *d
struct rm3100_data *data;
unsigned int tmp;
int ret;
+ int samp_rate_index;
indio_dev = devm_iio_device_alloc(dev, sizeof(*data));
if (!indio_dev)
@@ -595,9 +596,14 @@ int rm3100_common_probe(struct device *d
ret = regmap_read(regmap, RM3100_REG_TMRC, &tmp);
if (ret < 0)
return ret;
+
+ samp_rate_index = tmp - RM3100_TMRC_OFFSET;
+ if (samp_rate_index < 0 || samp_rate_index >= RM3100_SAMP_NUM) {
+ dev_err(dev, "The value read from RM3100_REG_TMRC is invalid!\n");
+ return -EINVAL;
+ }
/* Initializing max wait time, which is double conversion time. */
- data->conversion_time = rm3100_samp_rates[tmp - RM3100_TMRC_OFFSET][2]
- * 2;
+ data->conversion_time = rm3100_samp_rates[samp_rate_index][2] * 2;
/* Cycle count values may not be what we want. */
if ((tmp - RM3100_TMRC_OFFSET) == 0)
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 393/476] iio: core: fix memleak in iio_device_register_sysfs
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 392/476] iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 394/476] iio: accel: bma400: Fix a compilation problem Greg Kroah-Hartman
` (92 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dinghao Liu, Stable, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
commit 95a0d596bbd0552a78e13ced43f2be1038883c81 upstream.
When iio_device_register_sysfs_group() fails, we should
free iio_dev_opaque->chan_attr_group.attrs to prevent
potential memleak.
Fixes: 32f171724e5c ("iio: core: rework iio device group creation")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Link: https://lore.kernel.org/r/20231208073119.29283-1-dinghao.liu@zju.edu.cn
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1610,10 +1610,13 @@ static int iio_device_register_sysfs(str
ret = iio_device_register_sysfs_group(indio_dev,
&iio_dev_opaque->chan_attr_group);
if (ret)
- goto error_clear_attrs;
+ goto error_free_chan_attrs;
return 0;
+error_free_chan_attrs:
+ kfree(iio_dev_opaque->chan_attr_group.attrs);
+ iio_dev_opaque->chan_attr_group.attrs = NULL;
error_clear_attrs:
iio_free_chan_devattr_list(&iio_dev_opaque->channel_attr_list);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 394/476] iio: accel: bma400: Fix a compilation problem
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 393/476] iio: core: fix memleak in iio_device_register_sysfs Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 395/476] media: rc: bpf attach/detach requires write permission Greg Kroah-Hartman
` (91 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Stable, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 4cb81840d8f29b66d9d05c6d7f360c9560f7e2f4 upstream.
The kernel fails when compiling without `CONFIG_REGMAP_I2C` but with
`CONFIG_BMA400`.
```
ld: drivers/iio/accel/bma400_i2c.o: in function `bma400_i2c_probe':
bma400_i2c.c:(.text+0x23): undefined reference to `__devm_regmap_init_i2c'
```
Link: https://download.01.org/0day-ci/archive/20240131/202401311634.FE5CBVwe-lkp@intel.com/config
Fixes: 465c811f1f20 ("iio: accel: Add driver for the BMA400")
Fixes: 9bea10642396 ("iio: accel: bma400: add support for bma400 spi")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://lore.kernel.org/r/20240131225246.14169-1-mario.limonciello@amd.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/Kconfig | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iio/accel/Kconfig
+++ b/drivers/iio/accel/Kconfig
@@ -128,10 +128,12 @@ config BMA400
config BMA400_I2C
tristate
+ select REGMAP_I2C
depends on BMA400
config BMA400_SPI
tristate
+ select REGMAP_SPI
depends on BMA400
config BMC150_ACCEL
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 395/476] media: rc: bpf attach/detach requires write permission
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 394/476] iio: accel: bma400: Fix a compilation problem Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 396/476] drm/prime: Support page array >= 4GB Greg Kroah-Hartman
` (90 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Young, Mauro Carvalho Chehab
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young <sean@mess.org>
commit 6a9d552483d50953320b9d3b57abdee8d436f23f upstream.
Note that bpf attach/detach also requires CAP_NET_ADMIN.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/bpf-lirc.c | 6 +++---
drivers/media/rc/lirc_dev.c | 5 ++++-
drivers/media/rc/rc-core-priv.h | 2 +-
3 files changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/media/rc/bpf-lirc.c
+++ b/drivers/media/rc/bpf-lirc.c
@@ -249,7 +249,7 @@ int lirc_prog_attach(const union bpf_att
if (attr->attach_flags)
return -EINVAL;
- rcdev = rc_dev_get_from_fd(attr->target_fd);
+ rcdev = rc_dev_get_from_fd(attr->target_fd, true);
if (IS_ERR(rcdev))
return PTR_ERR(rcdev);
@@ -274,7 +274,7 @@ int lirc_prog_detach(const union bpf_att
if (IS_ERR(prog))
return PTR_ERR(prog);
- rcdev = rc_dev_get_from_fd(attr->target_fd);
+ rcdev = rc_dev_get_from_fd(attr->target_fd, true);
if (IS_ERR(rcdev)) {
bpf_prog_put(prog);
return PTR_ERR(rcdev);
@@ -299,7 +299,7 @@ int lirc_prog_query(const union bpf_attr
if (attr->query.query_flags)
return -EINVAL;
- rcdev = rc_dev_get_from_fd(attr->query.target_fd);
+ rcdev = rc_dev_get_from_fd(attr->query.target_fd, false);
if (IS_ERR(rcdev))
return PTR_ERR(rcdev);
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -827,7 +827,7 @@ void __exit lirc_dev_exit(void)
unregister_chrdev_region(lirc_base_dev, RC_DEV_MAX);
}
-struct rc_dev *rc_dev_get_from_fd(int fd)
+struct rc_dev *rc_dev_get_from_fd(int fd, bool write)
{
struct fd f = fdget(fd);
struct lirc_fh *fh;
@@ -841,6 +841,9 @@ struct rc_dev *rc_dev_get_from_fd(int fd
return ERR_PTR(-EINVAL);
}
+ if (write && !(f.file->f_mode & FMODE_WRITE))
+ return ERR_PTR(-EPERM);
+
fh = f.file->private_data;
dev = fh->rc;
--- a/drivers/media/rc/rc-core-priv.h
+++ b/drivers/media/rc/rc-core-priv.h
@@ -325,7 +325,7 @@ void lirc_raw_event(struct rc_dev *dev,
void lirc_scancode_event(struct rc_dev *dev, struct lirc_scancode *lsc);
int lirc_register(struct rc_dev *dev);
void lirc_unregister(struct rc_dev *dev);
-struct rc_dev *rc_dev_get_from_fd(int fd);
+struct rc_dev *rc_dev_get_from_fd(int fd, bool write);
#else
static inline int lirc_dev_init(void) { return 0; }
static inline void lirc_dev_exit(void) {}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 396/476] drm/prime: Support page array >= 4GB
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 395/476] media: rc: bpf attach/detach requires write permission Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 397/476] hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove Greg Kroah-Hartman
` (89 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Felix Kuehling,
Christian König
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
commit b671cd3d456315f63171a670769356a196cf7fd0 upstream.
Without unsigned long typecast, the size is passed in as zero if page
array size >= 4GB, nr_pages >= 0x100000, then sg list converted will
have the first and the last chunk lost.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
CC: stable@vger.kernel.org
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230821200201.24685-1-Philip.Yang@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_prime.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -825,7 +825,7 @@ struct sg_table *drm_prime_pages_to_sg(s
if (max_segment == 0)
max_segment = UINT_MAX;
err = sg_alloc_table_from_pages_segment(sg, pages, nr_pages, 0,
- nr_pages << PAGE_SHIFT,
+ (unsigned long)nr_pages << PAGE_SHIFT,
max_segment, GFP_KERNEL);
if (err) {
kfree(sg);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 397/476] hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 396/476] drm/prime: Support page array >= 4GB Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 398/476] ring-buffer: Clean ring_buffer_poll_wait() error return Greg Kroah-Hartman
` (88 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Souradeep Chakrabarti, Dexuan Cui,
Haiyang Zhang, Simon Horman, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>
commit e0526ec5360a48ad3ab2e26e802b0532302a7e11 upstream.
In commit ac5047671758 ("hv_netvsc: Disable NAPI before closing the
VMBus channel"), napi_disable was getting called for all channels,
including all subchannels without confirming if they are enabled or not.
This caused hv_netvsc getting hung at napi_disable, when netvsc_probe()
has finished running but nvdev->subchan_work has not started yet.
netvsc_subchan_work() -> rndis_set_subchannel() has not created the
sub-channels and because of that netvsc_sc_open() is not running.
netvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which
netvsc_subchan_work did not run.
netif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI
cannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the
NAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the
opposite.
Now during netvsc_device_remove(), when napi_disable is called for those
subchannels, napi_disable gets stuck on infinite msleep.
This fix addresses this problem by ensuring that napi_disable() is not
getting called for non-enabled NAPI struct.
But netif_napi_del() is still necessary for these non-enabled NAPI struct
for cleanup purpose.
Call trace:
[ 654.559417] task:modprobe state:D stack: 0 pid: 2321 ppid: 1091 flags:0x00004002
[ 654.568030] Call Trace:
[ 654.571221] <TASK>
[ 654.573790] __schedule+0x2d6/0x960
[ 654.577733] schedule+0x69/0xf0
[ 654.581214] schedule_timeout+0x87/0x140
[ 654.585463] ? __bpf_trace_tick_stop+0x20/0x20
[ 654.590291] msleep+0x2d/0x40
[ 654.593625] napi_disable+0x2b/0x80
[ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]
[ 654.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]
[ 654.611101] ? do_wait_intr+0xb0/0xb0
[ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc]
[ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]
Cc: stable@vger.kernel.org
Fixes: ac5047671758 ("hv_netvsc: Disable NAPI before closing the VMBus channel")
Signed-off-by: Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>
Reviewed-by: Dexuan Cui <decui@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/1706686551-28510-1-git-send-email-schakrabarti@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/hyperv/netvsc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -710,7 +710,10 @@ void netvsc_device_remove(struct hv_devi
/* Disable NAPI and disassociate its context from the device. */
for (i = 0; i < net_device->num_chn; i++) {
/* See also vmbus_reset_channel_cb(). */
- napi_disable(&net_device->chan_table[i].napi);
+ /* only disable enabled NAPI channel */
+ if (i < ndev->real_num_rx_queues)
+ napi_disable(&net_device->chan_table[i].napi);
+
netif_napi_del(&net_device->chan_table[i].napi);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 398/476] ring-buffer: Clean ring_buffer_poll_wait() error return
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 397/476] hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 399/476] serial: max310x: set default value when reading clock ready bit Greg Kroah-Hartman
` (87 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Donnefort, Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Donnefort <vdonnefort@google.com>
commit 66bbea9ed6446b8471d365a22734dc00556c4785 upstream.
The return type for ring_buffer_poll_wait() is __poll_t. This is behind
the scenes an unsigned where we can set event bits. In case of a
non-allocated CPU, we do return instead -EINVAL (0xffffffea). Lucky us,
this ends up setting few error bits (EPOLLERR | EPOLLHUP | EPOLLNVAL), so
user-space at least is aware something went wrong.
Nonetheless, this is an incorrect code. Replace that -EINVAL with a
proper EPOLLERR to clean that output. As this doesn't change the
behaviour, there's no need to treat this change as a bug fix.
Link: https://lore.kernel.org/linux-trace-kernel/20240131140955.3322792-1-vdonnefort@google.com
Cc: stable@vger.kernel.org
Fixes: 6721cb6002262 ("ring-buffer: Do not poll non allocated cpu buffers")
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -1061,7 +1061,7 @@ __poll_t ring_buffer_poll_wait(struct tr
full = 0;
} else {
if (!cpumask_test_cpu(cpu, buffer->cpumask))
- return -EINVAL;
+ return EPOLLERR;
cpu_buffer = buffer->buffers[cpu];
work = &cpu_buffer->irq_work;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 399/476] serial: max310x: set default value when reading clock ready bit
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 398/476] ring-buffer: Clean ring_buffer_poll_wait() error return Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 400/476] serial: max310x: improve crystal stable clock detection Greg Kroah-Hartman
` (86 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hugo Villeneuve
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
commit 0419373333c2f2024966d36261fd82a453281e80 upstream.
If regmap_read() returns a non-zero value, the 'val' variable can be left
uninitialized.
Clear it before calling regmap_read() to make sure we properly detect
the clock ready bit.
Fixes: 4cf9a888fd3c ("serial: max310x: Check the clock readiness")
Cc: stable@vger.kernel.org
Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Link: https://lore.kernel.org/r/20240116213001.3691629-2-hugo@hugovil.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/max310x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -610,7 +610,7 @@ static u32 max310x_set_ref_clk(struct de
/* Wait for crystal */
if (xtal) {
- unsigned int val;
+ unsigned int val = 0;
msleep(10);
regmap_read(s->regmap, MAX310X_STS_IRQSTS_REG, &val);
if (!(val & MAX310X_STS_CLKREADY_BIT)) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 400/476] serial: max310x: improve crystal stable clock detection
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 399/476] serial: max310x: set default value when reading clock ready bit Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 401/476] serial: max310x: fail probe if clock crystal is unstable Greg Kroah-Hartman
` (85 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kundrát, Hugo Villeneuve
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
commit 93cd256ab224c2519e7c4e5f58bb4f1ac2bf0965 upstream.
Some people are seeing a warning similar to this when using a crystal:
max310x 11-006c: clock is not stable yet
The datasheet doesn't mention the maximum time to wait for the clock to be
stable when using a crystal, and it seems that the 10ms delay in the driver
is not always sufficient.
Jan Kundrát reported that it took three tries (each separated by 10ms) to
get a stable clock.
Modify behavior to check stable clock ready bit multiple times (20), and
waiting 10ms between each try.
Note: the first draft of the driver originally used a 50ms delay, without
checking the clock stable bit.
Then a loop with 1000 retries was implemented, each time reading the clock
stable bit.
Fixes: 4cf9a888fd3c ("serial: max310x: Check the clock readiness")
Cc: stable@vger.kernel.org
Suggested-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Link: https://www.spinics.net/lists/linux-serial/msg35773.html
Link: https://lore.kernel.org/all/20240110174015.6f20195fde08e5c9e64e5675@hugovil.com/raw
Link: https://github.com/boundarydevices/linux/commit/e5dfe3e4a751392515d78051973190301a37ca9a
Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Link: https://lore.kernel.org/r/20240116213001.3691629-3-hugo@hugovil.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/max310x.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -235,6 +235,10 @@
#define MAX310x_REV_MASK (0xf8)
#define MAX310X_WRITE_BIT 0x80
+/* Crystal-related definitions */
+#define MAX310X_XTAL_WAIT_RETRIES 20 /* Number of retries */
+#define MAX310X_XTAL_WAIT_DELAY_MS 10 /* Delay between retries */
+
/* MAX3107 specific */
#define MAX3107_REV_ID (0xa0)
@@ -610,12 +614,19 @@ static u32 max310x_set_ref_clk(struct de
/* Wait for crystal */
if (xtal) {
- unsigned int val = 0;
- msleep(10);
- regmap_read(s->regmap, MAX310X_STS_IRQSTS_REG, &val);
- if (!(val & MAX310X_STS_CLKREADY_BIT)) {
+ bool stable = false;
+ unsigned int try = 0, val = 0;
+
+ do {
+ msleep(MAX310X_XTAL_WAIT_DELAY_MS);
+ regmap_read(s->regmap, MAX310X_STS_IRQSTS_REG, &val);
+
+ if (val & MAX310X_STS_CLKREADY_BIT)
+ stable = true;
+ } while (!stable && (++try < MAX310X_XTAL_WAIT_RETRIES));
+
+ if (!stable)
dev_warn(dev, "clock is not stable yet\n");
- }
}
return bestfreq;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 401/476] serial: max310x: fail probe if clock crystal is unstable
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 400/476] serial: max310x: improve crystal stable clock detection Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 402/476] powerpc/64: Set task pt_regs->link to the LR value on scv entry Greg Kroah-Hartman
` (84 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kundrát, Hugo Villeneuve
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
commit 8afa6c6decea37e7cb473d2c60473f37f46cea35 upstream.
A stable clock is really required in order to use this UART, so log an
error message and bail out if the chip reports that the clock is not
stable.
Fixes: 4cf9a888fd3c ("serial: max310x: Check the clock readiness")
Cc: stable@vger.kernel.org
Suggested-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Link: https://www.spinics.net/lists/linux-serial/msg35773.html
Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Link: https://lore.kernel.org/r/20240116213001.3691629-4-hugo@hugovil.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/max310x.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -556,7 +556,7 @@ static int max310x_update_best_err(unsig
return 1;
}
-static u32 max310x_set_ref_clk(struct device *dev, struct max310x_port *s,
+static s32 max310x_set_ref_clk(struct device *dev, struct max310x_port *s,
unsigned long freq, bool xtal)
{
unsigned int div, clksrc, pllcfg = 0;
@@ -626,7 +626,8 @@ static u32 max310x_set_ref_clk(struct de
} while (!stable && (++try < MAX310X_XTAL_WAIT_RETRIES));
if (!stable)
- dev_warn(dev, "clock is not stable yet\n");
+ return dev_err_probe(dev, -EAGAIN,
+ "clock is not stable\n");
}
return bestfreq;
@@ -1266,7 +1267,7 @@ static int max310x_probe(struct device *
{
int i, ret, fmin, fmax, freq;
struct max310x_port *s;
- u32 uartclk = 0;
+ s32 uartclk = 0;
bool xtal;
if (IS_ERR(regmap))
@@ -1346,6 +1347,11 @@ static int max310x_probe(struct device *
}
uartclk = max310x_set_ref_clk(dev, s, freq, xtal);
+ if (uartclk < 0) {
+ ret = uartclk;
+ goto out_uart;
+ }
+
dev_dbg(dev, "Reference clock set to %i Hz\n", uartclk);
for (i = 0; i < devtype->nr; i++) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 402/476] powerpc/64: Set task pt_regs->link to the LR value on scv entry
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 401/476] serial: max310x: fail probe if clock crystal is unstable Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 403/476] x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 Greg Kroah-Hartman
` (83 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nysal Jan K.A, Naveen N Rao,
Michael Ellerman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naveen N Rao <naveen@kernel.org>
commit aad98efd0b121f63a2e1c221dcb4d4850128c697 upstream.
Nysal reported that userspace backtraces are missing in offcputime bcc
tool. As an example:
$ sudo ./bcc/tools/offcputime.py -uU
Tracing off-CPU time (us) of user threads by user stack... Hit Ctrl-C to end.
^C
write
- python (9107)
8
write
- sudo (9105)
9
mmap
- python (9107)
16
clock_nanosleep
- multipathd (697)
3001604
The offcputime bcc tool attaches a bpf program to a kprobe on
finish_task_switch(), which is usually hit on a syscall from userspace.
With the switch to system call vectored, we started setting
pt_regs->link to zero. This is because system call vectored behaves like
a function call with LR pointing to the system call return address, and
with no modification to SRR0/SRR1. The LR value does indicate our next
instruction, so it is being saved as pt_regs->nip, and pt_regs->link is
being set to zero. This is not a problem by itself, but BPF uses perf
callchain infrastructure for capturing stack traces, and that stores LR
as the second entry in the stack trace. perf has code to cope with the
second entry being zero, and skips over it. However, generic userspace
unwinders assume that a zero entry indicates end of the stack trace,
resulting in a truncated userspace stack trace.
Rather than fixing all userspace unwinders to ignore/skip past the
second entry, store the real LR value in pt_regs->link so that there
continues to be a valid, though duplicate entry in the stack trace.
With this change:
$ sudo ./bcc/tools/offcputime.py -uU
Tracing off-CPU time (us) of user threads by user stack... Hit Ctrl-C to end.
^C
write
write
[unknown]
[unknown]
[unknown]
[unknown]
[unknown]
PyObject_VectorcallMethod
[unknown]
[unknown]
PyObject_CallOneArg
PyFile_WriteObject
PyFile_WriteString
[unknown]
[unknown]
PyObject_Vectorcall
_PyEval_EvalFrameDefault
PyEval_EvalCode
[unknown]
[unknown]
[unknown]
_PyRun_SimpleFileObject
_PyRun_AnyFileObject
Py_RunMain
[unknown]
Py_BytesMain
[unknown]
__libc_start_main
- python (1293)
7
write
write
[unknown]
sudo_ev_loop_v1
sudo_ev_dispatch_v1
[unknown]
[unknown]
[unknown]
[unknown]
__libc_start_main
- sudo (1291)
7
syscall
syscall
bpf_open_perf_buffer_opts
[unknown]
[unknown]
[unknown]
[unknown]
_PyObject_MakeTpCall
PyObject_Vectorcall
_PyEval_EvalFrameDefault
PyEval_EvalCode
[unknown]
[unknown]
[unknown]
_PyRun_SimpleFileObject
_PyRun_AnyFileObject
Py_RunMain
[unknown]
Py_BytesMain
[unknown]
__libc_start_main
- python (1293)
11
clock_nanosleep
clock_nanosleep
nanosleep
sleep
[unknown]
[unknown]
__clone
- multipathd (698)
3001661
Fixes: 7fa95f9adaee ("powerpc/64s: system call support for scv/rfscv instructions")
Cc: stable@vger.kernel.org
Reported-by: "Nysal Jan K.A" <nysal@linux.ibm.com>
Signed-off-by: Naveen N Rao <naveen@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240202154316.395276-1-naveen@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/interrupt_64.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/powerpc/kernel/interrupt_64.S
+++ b/arch/powerpc/kernel/interrupt_64.S
@@ -62,7 +62,8 @@ _ASM_NOKPROBE_SYMBOL(system_call_vectore
mr r10,r1
ld r1,PACAKSAVE(r13)
std r10,0(r1)
- std r11,_NIP(r1)
+ std r11,_LINK(r1)
+ std r11,_NIP(r1) /* Saved LR is also the next instruction */
std r12,_MSR(r1)
std r0,GPR0(r1)
std r10,GPR1(r1)
@@ -85,7 +86,6 @@ _ASM_NOKPROBE_SYMBOL(system_call_vectore
std r9,GPR13(r1)
SAVE_NVGPRS(r1)
std r11,_XER(r1)
- std r11,_LINK(r1)
std r11,_CTR(r1)
li r11,\trapnr
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 403/476] x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 402/476] powerpc/64: Set task pt_regs->link to the LR value on scv entry Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 404/476] x86/mm/ident_map: Use gbpages only where full GB page should be mapped Greg Kroah-Hartman
` (82 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksander Mazur,
Borislav Petkov (AMD),
H. Peter Anvin, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksander Mazur <deweloper@wp.pl>
commit f6a1892585cd19e63c4ef2334e26cd536d5b678d upstream.
The kernel built with MCRUSOE is unbootable on Transmeta Crusoe. It shows
the following error message:
This kernel requires an i686 CPU, but only detected an i586 CPU.
Unable to boot - please use a kernel appropriate for your CPU.
Remove MCRUSOE from the condition introduced in commit in Fixes, effectively
changing X86_MINIMUM_CPU_FAMILY back to 5 on that machine, which matches the
CPU family given by CPUID.
[ bp: Massage commit message. ]
Fixes: 25d76ac88821 ("x86/Kconfig: Explicitly enumerate i686-class CPUs in Kconfig")
Signed-off-by: Aleksander Mazur <deweloper@wp.pl>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: H. Peter Anvin <hpa@zytor.com>
Cc: <stable@kernel.org>
Link: https://lore.kernel.org/r/20240123134309.1117782-1-deweloper@wp.pl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/Kconfig.cpu | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/Kconfig.cpu
+++ b/arch/x86/Kconfig.cpu
@@ -379,7 +379,7 @@ config X86_CMOV
config X86_MINIMUM_CPU_FAMILY
int
default "64" if X86_64
- default "6" if X86_32 && (MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MEFFICEON || MATOM || MCRUSOE || MCORE2 || MK7 || MK8)
+ default "6" if X86_32 && (MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MEFFICEON || MATOM || MCORE2 || MK7 || MK8)
default "5" if X86_32 && X86_CMPXCHG64
default "4"
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 404/476] x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 403/476] x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 405/476] mmc: slot-gpio: Allow non-sleeping GPIO ro Greg Kroah-Hartman
` (81 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steve Wahl, Dave Hansen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve Wahl <steve.wahl@hpe.com>
commit d794734c9bbfe22f86686dc2909c25f5ffe1a572 upstream.
When ident_pud_init() uses only gbpages to create identity maps, large
ranges of addresses not actually requested can be included in the
resulting table; a 4K request will map a full GB. On UV systems, this
ends up including regions that will cause hardware to halt the system
if accessed (these are marked "reserved" by BIOS). Even processor
speculation into these regions is enough to trigger the system halt.
Only use gbpages when map creation requests include the full GB page
of space. Fall back to using smaller 2M pages when only portions of a
GB page are included in the request.
No attempt is made to coalesce mapping requests. If a request requires
a map entry at the 2M (pmd) level, subsequent mapping requests within
the same 1G region will also be at the pmd level, even if adjacent or
overlapping such requests could have been combined to map a full
gbpage. Existing usage starts with larger regions and then adds
smaller regions, so this should not have any great consequence.
[ dhansen: fix up comment formatting, simplifty changelog ]
Signed-off-by: Steve Wahl <steve.wahl@hpe.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20240126164841.170866-1-steve.wahl%40hpe.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/ident_map.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/arch/x86/mm/ident_map.c
+++ b/arch/x86/mm/ident_map.c
@@ -26,18 +26,31 @@ static int ident_pud_init(struct x86_map
for (; addr < end; addr = next) {
pud_t *pud = pud_page + pud_index(addr);
pmd_t *pmd;
+ bool use_gbpage;
next = (addr & PUD_MASK) + PUD_SIZE;
if (next > end)
next = end;
- if (info->direct_gbpages) {
- pud_t pudval;
+ /* if this is already a gbpage, this portion is already mapped */
+ if (pud_large(*pud))
+ continue;
+
+ /* Is using a gbpage allowed? */
+ use_gbpage = info->direct_gbpages;
- if (pud_present(*pud))
- continue;
+ /* Don't use gbpage if it maps more than the requested region. */
+ /* at the begining: */
+ use_gbpage &= ((addr & ~PUD_MASK) == 0);
+ /* ... or at the end: */
+ use_gbpage &= ((next & ~PUD_MASK) == 0);
+
+ /* Never overwrite existing mappings */
+ use_gbpage &= !pud_present(*pud);
+
+ if (use_gbpage) {
+ pud_t pudval;
- addr &= PUD_MASK;
pudval = __pud((addr - info->offset) | info->page_flag);
set_pud(pud, pudval);
continue;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 405/476] mmc: slot-gpio: Allow non-sleeping GPIO ro
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 404/476] x86/mm/ident_map: Use gbpages only where full GB page should be mapped Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 406/476] ALSA: hda/conexant: Add quirk for SWS JS201D Greg Kroah-Hartman
` (80 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Stein, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
commit cc9432c4fb159a3913e0ce3173b8218cd5bad2e0 upstream.
This change uses the appropriate _cansleep or non-sleeping API for
reading GPIO read-only state. This allows users with GPIOs that
never sleepbeing called in atomic context.
Implement the same mechanism as in commit 52af318c93e97 ("mmc: Allow
non-sleeping GPIO cd").
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240206083912.2543142-1-alexander.stein@ew.tq-group.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/slot-gpio.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/mmc/core/slot-gpio.c
+++ b/drivers/mmc/core/slot-gpio.c
@@ -62,11 +62,15 @@ int mmc_gpio_alloc(struct mmc_host *host
int mmc_gpio_get_ro(struct mmc_host *host)
{
struct mmc_gpio *ctx = host->slot.handler_priv;
+ int cansleep;
if (!ctx || !ctx->ro_gpio)
return -ENOSYS;
- return gpiod_get_value_cansleep(ctx->ro_gpio);
+ cansleep = gpiod_cansleep(ctx->ro_gpio);
+ return cansleep ?
+ gpiod_get_value_cansleep(ctx->ro_gpio) :
+ gpiod_get_value(ctx->ro_gpio);
}
EXPORT_SYMBOL(mmc_gpio_get_ro);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 406/476] ALSA: hda/conexant: Add quirk for SWS JS201D
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 405/476] mmc: slot-gpio: Allow non-sleeping GPIO ro Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 407/476] nilfs2: fix data corruption in dsync block recovery for small block sizes Greg Kroah-Hartman
` (79 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, bo liu, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: bo liu <bo.liu@senarytech.com>
commit 4639c5021029d49fd2f97fa8d74731f167f98919 upstream.
The SWS JS201D need a different pinconfig from windows driver.
Add a quirk to use a specific pinconfig to SWS JS201D.
Signed-off-by: bo liu <bo.liu@senarytech.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240205013802.51907-1-bo.liu@senarytech.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_conexant.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -344,6 +344,7 @@ enum {
CXT_FIXUP_HP_ZBOOK_MUTE_LED,
CXT_FIXUP_HEADSET_MIC,
CXT_FIXUP_HP_MIC_NO_PRESENCE,
+ CXT_PINCFG_SWS_JS201D,
};
/* for hda_fixup_thinkpad_acpi() */
@@ -841,6 +842,17 @@ static const struct hda_pintbl cxt_pincf
{}
};
+/* SuoWoSi/South-holding JS201D with sn6140 */
+static const struct hda_pintbl cxt_pincfg_sws_js201d[] = {
+ { 0x16, 0x03211040 }, /* hp out */
+ { 0x17, 0x91170110 }, /* SPK/Class_D */
+ { 0x18, 0x95a70130 }, /* Internal mic */
+ { 0x19, 0x03a11020 }, /* Headset Mic */
+ { 0x1a, 0x40f001f0 }, /* Not used */
+ { 0x21, 0x40f001f0 }, /* Not used */
+ {}
+};
+
static const struct hda_fixup cxt_fixups[] = {
[CXT_PINCFG_LENOVO_X200] = {
.type = HDA_FIXUP_PINS,
@@ -996,6 +1008,10 @@ static const struct hda_fixup cxt_fixups
.chained = true,
.chain_id = CXT_FIXUP_HEADSET_MIC,
},
+ [CXT_PINCFG_SWS_JS201D] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = cxt_pincfg_sws_js201d,
+ },
};
static const struct snd_pci_quirk cxt5045_fixups[] = {
@@ -1069,6 +1085,7 @@ static const struct snd_pci_quirk cxt506
SND_PCI_QUIRK(0x103c, 0x8457, "HP Z2 G4 mini", CXT_FIXUP_HP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x103c, 0x8458, "HP Z2 G4 mini premium", CXT_FIXUP_HP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
+ SND_PCI_QUIRK(0x14f1, 0x0265, "SWS JS201D", CXT_PINCFG_SWS_JS201D),
SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
SND_PCI_QUIRK(0x17aa, 0x215e, "Lenovo T410", CXT_PINCFG_LENOVO_TP410),
@@ -1109,6 +1126,7 @@ static const struct hda_model_fixup cxt5
{ .id = CXT_FIXUP_HP_ZBOOK_MUTE_LED, .name = "hp-zbook-mute-led" },
{ .id = CXT_FIXUP_HP_MIC_NO_PRESENCE, .name = "hp-mic-fix" },
{ .id = CXT_PINCFG_LENOVO_NOTEBOOK, .name = "lenovo-20149" },
+ { .id = CXT_PINCFG_SWS_JS201D, .name = "sws-js201d" },
{}
};
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 407/476] nilfs2: fix data corruption in dsync block recovery for small block sizes
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 406/476] ALSA: hda/conexant: Add quirk for SWS JS201D Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 408/476] nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() Greg Kroah-Hartman
` (78 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 67b8bcbaed4777871bb0dcc888fb02a614a98ab1 upstream.
The helper function nilfs_recovery_copy_block() of
nilfs_recovery_dsync_blocks(), which recovers data from logs created by
data sync writes during a mount after an unclean shutdown, incorrectly
calculates the on-page offset when copying repair data to the file's page
cache. In environments where the block size is smaller than the page
size, this flaw can cause data corruption and leak uninitialized memory
bytes during the recovery process.
Fix these issues by correcting this byte offset calculation on the page.
Link: https://lkml.kernel.org/r/20240124121936.10575-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/recovery.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/fs/nilfs2/recovery.c
+++ b/fs/nilfs2/recovery.c
@@ -472,9 +472,10 @@ static int nilfs_prepare_segment_for_rec
static int nilfs_recovery_copy_block(struct the_nilfs *nilfs,
struct nilfs_recovery_block *rb,
- struct page *page)
+ loff_t pos, struct page *page)
{
struct buffer_head *bh_org;
+ size_t from = pos & ~PAGE_MASK;
void *kaddr;
bh_org = __bread(nilfs->ns_bdev, rb->blocknr, nilfs->ns_blocksize);
@@ -482,7 +483,7 @@ static int nilfs_recovery_copy_block(str
return -EIO;
kaddr = kmap_atomic(page);
- memcpy(kaddr + bh_offset(bh_org), bh_org->b_data, bh_org->b_size);
+ memcpy(kaddr + from, bh_org->b_data, bh_org->b_size);
kunmap_atomic(kaddr);
brelse(bh_org);
return 0;
@@ -521,7 +522,7 @@ static int nilfs_recover_dsync_blocks(st
goto failed_inode;
}
- err = nilfs_recovery_copy_block(nilfs, rb, page);
+ err = nilfs_recovery_copy_block(nilfs, rb, pos, page);
if (unlikely(err))
goto failed_page;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 408/476] nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 407/476] nilfs2: fix data corruption in dsync block recovery for small block sizes Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 409/476] crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked Greg Kroah-Hartman
` (77 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
syzbot+ee2ae68da3b22d04cd8d, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 38296afe3c6ee07319e01bb249aa4bb47c07b534 upstream.
Syzbot reported a hang issue in migrate_pages_batch() called by mbind()
and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.
While migrate_pages_batch() locks a folio and waits for the writeback to
complete, the log writer thread that should bring the writeback to
completion picks up the folio being written back in
nilfs_lookup_dirty_data_buffers() that it calls for subsequent log
creation and was trying to lock the folio. Thus causing a deadlock.
In the first place, it is unexpected that folios/pages in the middle of
writeback will be updated and become dirty. Nilfs2 adds a checksum to
verify the validity of the log being written and uses it for recovery at
mount, so data changes during writeback are suppressed. Since this is
broken, an unclean shutdown could potentially cause recovery to fail.
Investigation revealed that the root cause is that the wait for writeback
completion in nilfs_page_mkwrite() is conditional, and if the backing
device does not require stable writes, data may be modified without
waiting.
Fix these issues by making nilfs_page_mkwrite() wait for writeback to
finish regardless of the stable write requirement of the backing device.
Link: https://lkml.kernel.org/r/20240131145657.4209-1-konishi.ryusuke@gmail.com
Fixes: 1d1d1a767206 ("mm: only enforce stable page writes if the backing device requires it")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+ee2ae68da3b22d04cd8d@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/00000000000047d819061004ad6c@google.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/file.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/fs/nilfs2/file.c
+++ b/fs/nilfs2/file.c
@@ -105,7 +105,13 @@ static vm_fault_t nilfs_page_mkwrite(str
nilfs_transaction_commit(inode->i_sb);
mapped:
- wait_for_stable_page(page);
+ /*
+ * Since checksumming including data blocks is performed to determine
+ * the validity of the log to be written and used for recovery, it is
+ * necessary to wait for writeback to finish here, regardless of the
+ * stable write requirement of the backing device.
+ */
+ wait_on_page_writeback(page);
out:
sb_end_pagefault(inode->i_sb);
return block_page_mkwrite_return(ret);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 409/476] crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 408/476] nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 410/476] nfp: use correct macro for LengthSelect in BAR config Greg Kroah-Hartman
` (76 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Kim Phillips,
Liam Merwick, John Allen, Herbert Xu
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kim Phillips <kim.phillips@amd.com>
commit ccb88e9549e7cfd8bcd511c538f437e20026e983 upstream.
The SEV platform device can be shutdown with a null psp_master,
e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN:
[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)
[ 137.162647] ccp 0000:23:00.1: no command queues available
[ 137.170598] ccp 0000:23:00.1: sev enabled
[ 137.174645] ccp 0000:23:00.1: psp enabled
[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]
[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311
[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180
[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c
[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216
[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e
[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0
[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66
[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28
[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8
[ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000
[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0
[ 137.182693] Call Trace:
[ 137.182693] <TASK>
[ 137.182693] ? show_regs+0x6c/0x80
[ 137.182693] ? __die_body+0x24/0x70
[ 137.182693] ? die_addr+0x4b/0x80
[ 137.182693] ? exc_general_protection+0x126/0x230
[ 137.182693] ? asm_exc_general_protection+0x2b/0x30
[ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180
[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80
[ 137.182693] sev_dev_destroy+0x49/0x100
[ 137.182693] psp_dev_destroy+0x47/0xb0
[ 137.182693] sp_destroy+0xbb/0x240
[ 137.182693] sp_pci_remove+0x45/0x60
[ 137.182693] pci_device_remove+0xaa/0x1d0
[ 137.182693] device_remove+0xc7/0x170
[ 137.182693] really_probe+0x374/0xbe0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] __driver_probe_device+0x199/0x460
[ 137.182693] driver_probe_device+0x4e/0xd0
[ 137.182693] __driver_attach+0x191/0x3d0
[ 137.182693] ? __pfx___driver_attach+0x10/0x10
[ 137.182693] bus_for_each_dev+0x100/0x190
[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10
[ 137.182693] ? __kasan_check_read+0x15/0x20
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? _raw_spin_unlock+0x27/0x50
[ 137.182693] driver_attach+0x41/0x60
[ 137.182693] bus_add_driver+0x2a8/0x580
[ 137.182693] driver_register+0x141/0x480
[ 137.182693] __pci_register_driver+0x1d6/0x2a0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0
[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
[ 137.182693] sp_pci_init+0x22/0x30
[ 137.182693] sp_mod_init+0x14/0x30
[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10
[ 137.182693] do_one_initcall+0xd1/0x470
[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10
[ 137.182693] ? parameq+0x80/0xf0
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] ? __kmalloc+0x3b0/0x4e0
[ 137.182693] ? kernel_init_freeable+0x92d/0x1050
[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190
[ 137.182693] ? srso_return_thunk+0x5/0x5f
[ 137.182693] kernel_init_freeable+0xa64/0x1050
[ 137.182693] ? __pfx_kernel_init+0x10/0x10
[ 137.182693] kernel_init+0x24/0x160
[ 137.182693] ? __switch_to_asm+0x3e/0x70
[ 137.182693] ret_from_fork+0x40/0x80
[ 137.182693] ? __pfx_kernel_init+0x10/0x10
[ 137.182693] ret_from_fork_asm+0x1b/0x30
[ 137.182693] </TASK>
[ 137.182693] Modules linked in:
[ 137.538483] ---[ end trace 0000000000000000 ]---
Fixes: 1b05ece0c931 ("crypto: ccp - During shutdown, check SEV data pointer before using")
Cc: stable@vger.kernel.org
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Acked-by: John Allen <john.allen@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -323,10 +323,16 @@ EXPORT_SYMBOL_GPL(sev_platform_init);
static int __sev_platform_shutdown_locked(int *error)
{
- struct sev_device *sev = psp_master->sev_data;
+ struct psp_device *psp = psp_master;
+ struct sev_device *sev;
int ret;
- if (!sev || sev->state == SEV_STATE_UNINIT)
+ if (!psp || !psp->sev_data)
+ return 0;
+
+ sev = psp->sev_data;
+
+ if (sev->state == SEV_STATE_UNINIT)
return 0;
ret = __sev_do_cmd_locked(SEV_CMD_SHUTDOWN, NULL, error);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 410/476] nfp: use correct macro for LengthSelect in BAR config
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 409/476] crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 411/476] nfp: flower: prevent re-adding mac index for bonded port Greg Kroah-Hartman
` (75 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Basilio, Louis Peens,
David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Basilio <daniel.basilio@corigine.com>
commit b3d4f7f2288901ed2392695919b3c0e24c1b4084 upstream.
The 1st and 2nd expansion BAR configuration registers are configured,
when the driver starts up, in variables 'barcfg_msix_general' and
'barcfg_msix_xpb', respectively. The 'LengthSelect' field is ORed in
from bit 0, which is incorrect. The 'LengthSelect' field should
start from bit 27.
This has largely gone un-noticed because
NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT happens to be 0.
Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
Cc: stable@vger.kernel.org # 4.11+
Signed-off-by: Daniel Basilio <daniel.basilio@corigine.com>
Signed-off-by: Louis Peens <louis.peens@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
@@ -542,11 +542,13 @@ static int enable_bars(struct nfp6000_pc
const u32 barcfg_msix_general =
NFP_PCIE_BAR_PCIE2CPP_MapType(
NFP_PCIE_BAR_PCIE2CPP_MapType_GENERAL) |
- NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT;
+ NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
+ NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT);
const u32 barcfg_msix_xpb =
NFP_PCIE_BAR_PCIE2CPP_MapType(
NFP_PCIE_BAR_PCIE2CPP_MapType_BULK) |
- NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT |
+ NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
+ NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT) |
NFP_PCIE_BAR_PCIE2CPP_Target_BaseAddress(
NFP_CPP_TARGET_ISLAND_XPB);
const u32 barcfg_explicit[4] = {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 411/476] nfp: flower: prevent re-adding mac index for bonded port
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 410/476] nfp: use correct macro for LengthSelect in BAR config Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 412/476] wifi: mac80211: reload info pointer in ieee80211_tx_dequeue() Greg Kroah-Hartman
` (74 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel de Villiers, Louis Peens,
David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel de Villiers <daniel.devilliers@corigine.com>
commit 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 upstream.
When physical ports are reset (either through link failure or manually
toggled down and up again) that are slaved to a Linux bond with a tunnel
endpoint IP address on the bond device, not all tunnel packets arriving
on the bond port are decapped as expected.
The bond dev assigns the same MAC address to itself and each of its
slaves. When toggling a slave device, the same MAC address is therefore
offloaded to the NFP multiple times with different indexes.
The issue only occurs when re-adding the shared mac. The
nfp_tunnel_add_shared_mac() function has a conditional check early on
that checks if a mac entry already exists and if that mac entry is
global: (entry && nfp_tunnel_is_mac_idx_global(entry->index)). In the
case of a bonded device (For example br-ex), the mac index is obtained,
and no new index is assigned.
We therefore modify the conditional in nfp_tunnel_add_shared_mac() to
check if the port belongs to the LAG along with the existing checks to
prevent a new global mac index from being re-assigned to the slave port.
Fixes: 20cce8865098 ("nfp: flower: enable MAC address sharing for offloadable devs")
CC: stable@vger.kernel.org # 5.1+
Signed-off-by: Daniel de Villiers <daniel.devilliers@corigine.com>
Signed-off-by: Louis Peens <louis.peens@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
@@ -927,7 +927,7 @@ nfp_tunnel_add_shared_mac(struct nfp_app
u16 nfp_mac_idx = 0;
entry = nfp_tunnel_lookup_offloaded_macs(app, netdev->dev_addr);
- if (entry && nfp_tunnel_is_mac_idx_global(entry->index)) {
+ if (entry && (nfp_tunnel_is_mac_idx_global(entry->index) || netif_is_lag_port(netdev))) {
if (entry->bridge_count ||
!nfp_flower_is_supported_bridge(netdev)) {
nfp_tunnel_offloaded_macs_inc_ref_and_link(entry,
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 412/476] wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 411/476] nfp: flower: prevent re-adding mac index for bonded port Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 413/476] irqchip/irq-brcmstb-l2: Add write memory barrier before exit Greg Kroah-Hartman
` (73 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit c98d8836b817d11fdff4ca7749cbbe04ff7f0c64 upstream.
This pointer can change here since the SKB can change, so we
actually later open-coded IEEE80211_SKB_CB() again. Reload
the pointer where needed, so the monitor-mode case using it
gets fixed, and then use info-> later as well.
Cc: stable@vger.kernel.org
Fixes: 531682159092 ("mac80211: fix VLAN handling with TXQs")
Link: https://msgid.link/20240131164910.b54c28d583bc.I29450cec84ea6773cff5d9c16ff92b836c331471@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/tx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3746,6 +3746,7 @@ begin:
goto begin;
skb = __skb_dequeue(&tx.skbs);
+ info = IEEE80211_SKB_CB(skb);
if (!skb_queue_empty(&tx.skbs)) {
spin_lock_bh(&fq->lock);
@@ -3790,7 +3791,7 @@ begin:
}
encap_out:
- IEEE80211_SKB_CB(skb)->control.vif = vif;
+ info->control.vif = vif;
if (vif &&
wiphy_ext_feature_isset(local->hw.wiphy, NL80211_EXT_FEATURE_AQL)) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 413/476] irqchip/irq-brcmstb-l2: Add write memory barrier before exit
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 412/476] wifi: mac80211: reload info pointer in ieee80211_tx_dequeue() Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 414/476] irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update Greg Kroah-Hartman
` (72 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Florian Fainelli,
Thomas Gleixner, Marc Zyngier
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
commit b0344d6854d25a8b3b901c778b1728885dd99007 upstream.
It was observed on Broadcom devices that use GIC v3 architecture L1
interrupt controllers as the parent of brcmstb-l2 interrupt controllers
that the deactivation of the parent interrupt could happen before the
brcmstb-l2 deasserted its output. This would lead the GIC to reactivate the
interrupt only to find that no L2 interrupt was pending. The result was a
spurious interrupt invoking handle_bad_irq() with its associated
messaging. While this did not create a functional problem it is a waste of
cycles.
The hazard exists because the memory mapped bus writes to the brcmstb-l2
registers are buffered and the GIC v3 architecture uses a very efficient
system register write to deactivate the interrupt.
Add a write memory barrier prior to invoking chained_irq_exit() to
introduce a dsb(st) on those systems to ensure the system register write
cannot be executed until the memory mapped writes are visible to the
system.
[ florian: Added Fixes tag ]
Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller")
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240210012449.3009125-1-florian.fainelli@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-brcmstb-l2.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/irqchip/irq-brcmstb-l2.c
+++ b/drivers/irqchip/irq-brcmstb-l2.c
@@ -2,7 +2,7 @@
/*
* Generic Broadcom Set Top Box Level 2 Interrupt controller driver
*
- * Copyright (C) 2014-2017 Broadcom
+ * Copyright (C) 2014-2024 Broadcom
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
@@ -113,6 +113,9 @@ static void brcmstb_l2_intc_irq_handle(s
generic_handle_domain_irq(b->domain, irq);
} while (status);
out:
+ /* Don't ack parent before all device writes are done */
+ wmb();
+
chained_irq_exit(chip, desc);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 414/476] irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 413/476] irqchip/irq-brcmstb-l2: Add write memory barrier before exit Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 415/476] net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio Greg Kroah-Hartman
` (71 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunkun Jiang, Marc Zyngier, Thomas Gleixner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit af9acbfc2c4b72c378d0b9a2ee023ed01055d3e2 upstream.
When updating the affinity of a VPE, the VMOVP command is currently skipped
if the two CPUs are part of the same VPE affinity.
But this is wrong, as the doorbell corresponding to this VPE is still
delivered on the 'old' CPU, which screws up the balancing. Furthermore,
offlining that 'old' CPU results in doorbell interrupts generated for this
VPE being discarded.
The harsh reality is that VMOVP cannot be elided when a set_affinity()
request occurs. It needs to be obeyed, and if an optimisation is to be
made, it is at the point where the affinity change request is made (such as
in KVM).
Drop the VMOVP elision altogether, and only use the vpe_table_mask
to try and stay within the same ITS affinity group if at all possible.
Fixes: dd3f050a216e (irqchip/gic-v4.1: Implement the v4.1 flavour of VMOVP)
Reported-by: Kunkun Jiang <jiangkunkun@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240213101206.2137483-4-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v3-its.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -3800,8 +3800,9 @@ static int its_vpe_set_affinity(struct i
bool force)
{
struct its_vpe *vpe = irq_data_get_irq_chip_data(d);
- int from, cpu = cpumask_first(mask_val);
+ struct cpumask common, *table_mask;
unsigned long flags;
+ int from, cpu;
/*
* Changing affinity is mega expensive, so let's be as lazy as
@@ -3817,19 +3818,22 @@ static int its_vpe_set_affinity(struct i
* taken on any vLPI handling path that evaluates vpe->col_idx.
*/
from = vpe_to_cpuid_lock(vpe, &flags);
- if (from == cpu)
- goto out;
-
- vpe->col_idx = cpu;
+ table_mask = gic_data_rdist_cpu(from)->vpe_table_mask;
/*
- * GICv4.1 allows us to skip VMOVP if moving to a cpu whose RD
- * is sharing its VPE table with the current one.
+ * If we are offered another CPU in the same GICv4.1 ITS
+ * affinity, pick this one. Otherwise, any CPU will do.
*/
- if (gic_data_rdist_cpu(cpu)->vpe_table_mask &&
- cpumask_test_cpu(from, gic_data_rdist_cpu(cpu)->vpe_table_mask))
+ if (table_mask && cpumask_and(&common, mask_val, table_mask))
+ cpu = cpumask_test_cpu(from, &common) ? from : cpumask_first(&common);
+ else
+ cpu = cpumask_first(mask_val);
+
+ if (from == cpu)
goto out;
+ vpe->col_idx = cpu;
+
its_send_vmovp(vpe);
its_vpe_db_proxy_move(vpe, from, cpu);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 415/476] net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 414/476] irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 416/476] s390/qeth: Fix potential loss of L3-IP@ in case of network issues Greg Kroah-Hartman
` (70 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sinthu Raja, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sinthu Raja <sinthu.raja@ti.com>
commit bc4ce46b1e3d1da4309405cd4afc7c0fcddd0b90 upstream.
The below commit introduced a WARN when phy state is not in the states:
PHY_HALTED, PHY_READY and PHY_UP.
commit 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
When cpsw resumes, there have port in PHY_NOLINK state, so the below
warning comes out. Set mac_managed_pm be true to tell mdio that the phy
resume/suspend is managed by the mac, to fix the following warning:
WARNING: CPU: 0 PID: 965 at drivers/net/phy/phy_device.c:326 mdio_bus_phy_resume+0x140/0x144
CPU: 0 PID: 965 Comm: sh Tainted: G O 6.1.46-g247b2535b2 #1
Hardware name: Generic AM33XX (Flattened Device Tree)
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x24/0x2c
dump_stack_lvl from __warn+0x84/0x15c
__warn from warn_slowpath_fmt+0x1a8/0x1c8
warn_slowpath_fmt from mdio_bus_phy_resume+0x140/0x144
mdio_bus_phy_resume from dpm_run_callback+0x3c/0x140
dpm_run_callback from device_resume+0xb8/0x2b8
device_resume from dpm_resume+0x144/0x314
dpm_resume from dpm_resume_end+0x14/0x20
dpm_resume_end from suspend_devices_and_enter+0xd0/0x924
suspend_devices_and_enter from pm_suspend+0x2e0/0x33c
pm_suspend from state_store+0x74/0xd0
state_store from kernfs_fop_write_iter+0x104/0x1ec
kernfs_fop_write_iter from vfs_write+0x1b8/0x358
vfs_write from ksys_write+0x78/0xf8
ksys_write from ret_fast_syscall+0x0/0x54
Exception stack(0xe094dfa8 to 0xe094dff0)
dfa0: 00000004 005c3fb8 00000001 005c3fb8 00000004 00000001
dfc0: 00000004 005c3fb8 b6f6bba0 00000004 00000004 0059edb8 00000000 00000000
dfe0: 00000004 bed918f0 b6f09bd3 b6e89a66
Cc: <stable@vger.kernel.org> # v6.0+
Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM")
Signed-off-by: Sinthu Raja <sinthu.raja@ti.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/ti/cpsw.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
index ea85c6dd5484..c0a5abd8d9a8 100644
--- a/drivers/net/ethernet/ti/cpsw.c
+++ b/drivers/net/ethernet/ti/cpsw.c
@@ -631,6 +631,8 @@ static void cpsw_slave_open(struct cpsw_slave *slave, struct cpsw_priv *priv)
}
}
+ phy->mac_managed_pm = true;
+
slave->phy = phy;
phy_attached_info(slave->phy);
--
2.43.2
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 416/476] s390/qeth: Fix potential loss of L3-IP@ in case of network issues
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 415/476] net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 417/476] net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio Greg Kroah-Hartman
` (69 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexandra Winter, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandra Winter <wintera@linux.ibm.com>
commit 2fe8a236436fe40d8d26a1af8d150fc80f04ee1a upstream.
Symptom:
In case of a bad cable connection (e.g. dirty optics) a fast sequence of
network DOWN-UP-DOWN-UP could happen. UP triggers recovery of the qeth
interface. In case of a second DOWN while recovery is still ongoing, it
can happen that the IP@ of a Layer3 qeth interface is lost and will not
be recovered by the second UP.
Problem:
When registration of IP addresses with Layer 3 qeth devices fails, (e.g.
because of bad address format) the respective IP address is deleted from
its hash-table in the driver. If registration fails because of a ENETDOWN
condition, the address should stay in the hashtable, so a subsequent
recovery can restore it.
3caa4af834df ("qeth: keep ip-address after LAN_OFFLINE failure")
fixes this for registration failures during normal operation, but not
during recovery.
Solution:
Keep L3-IP address in case of ENETDOWN in qeth_l3_recover_ip(). For
consistency with qeth_l3_add_ip() we also keep it in case of EADDRINUSE,
i.e. for some reason the card already/still has this address registered.
Fixes: 4a71df50047f ("qeth: new qeth device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Link: https://lore.kernel.org/r/20240206085849.2902775-1-wintera@linux.ibm.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/net/qeth_l3_main.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -254,9 +254,10 @@ static void qeth_l3_clear_ip_htable(stru
if (!recover) {
hash_del(&addr->hnode);
kfree(addr);
- continue;
+ } else {
+ /* prepare for recovery */
+ addr->disp_flag = QETH_DISP_ADDR_ADD;
}
- addr->disp_flag = QETH_DISP_ADDR_ADD;
}
mutex_unlock(&card->ip_lock);
@@ -277,9 +278,11 @@ static void qeth_l3_recover_ip(struct qe
if (addr->disp_flag == QETH_DISP_ADDR_ADD) {
rc = qeth_l3_register_addr_entry(card, addr);
- if (!rc) {
+ if (!rc || rc == -EADDRINUSE || rc == -ENETDOWN) {
+ /* keep it in the records */
addr->disp_flag = QETH_DISP_ADDR_DO_NOTHING;
} else {
+ /* bad address */
hash_del(&addr->hnode);
kfree(addr);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 417/476] net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 416/476] s390/qeth: Fix potential loss of L3-IP@ in case of network issues Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 418/476] ceph: prevent use-after-free in encode_cap_msg() Greg Kroah-Hartman
` (68 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sinthu Raja, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sinthu Raja <sinthu.raja@ti.com>
commit 9def04e759caa5a3d741891037ae99f81e2fff01 upstream.
The below commit introduced a WARN when phy state is not in the states:
PHY_HALTED, PHY_READY and PHY_UP.
commit 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
When cpsw_new resumes, there have port in PHY_NOLINK state, so the below
warning comes out. Set mac_managed_pm be true to tell mdio that the phy
resume/suspend is managed by the mac, to fix the following warning:
WARNING: CPU: 0 PID: 965 at drivers/net/phy/phy_device.c:326 mdio_bus_phy_resume+0x140/0x144
CPU: 0 PID: 965 Comm: sh Tainted: G O 6.1.46-g247b2535b2 #1
Hardware name: Generic AM33XX (Flattened Device Tree)
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x24/0x2c
dump_stack_lvl from __warn+0x84/0x15c
__warn from warn_slowpath_fmt+0x1a8/0x1c8
warn_slowpath_fmt from mdio_bus_phy_resume+0x140/0x144
mdio_bus_phy_resume from dpm_run_callback+0x3c/0x140
dpm_run_callback from device_resume+0xb8/0x2b8
device_resume from dpm_resume+0x144/0x314
dpm_resume from dpm_resume_end+0x14/0x20
dpm_resume_end from suspend_devices_and_enter+0xd0/0x924
suspend_devices_and_enter from pm_suspend+0x2e0/0x33c
pm_suspend from state_store+0x74/0xd0
state_store from kernfs_fop_write_iter+0x104/0x1ec
kernfs_fop_write_iter from vfs_write+0x1b8/0x358
vfs_write from ksys_write+0x78/0xf8
ksys_write from ret_fast_syscall+0x0/0x54
Exception stack(0xe094dfa8 to 0xe094dff0)
dfa0: 00000004 005c3fb8 00000001 005c3fb8 00000004 00000001
dfc0: 00000004 005c3fb8 b6f6bba0 00000004 00000004 0059edb8 00000000 00000000
dfe0: 00000004 bed918f0 b6f09bd3 b6e89a66
Cc: <stable@vger.kernel.org> # v6.0+
Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM")
Signed-off-by: Sinthu Raja <sinthu.raja@ti.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/ti/cpsw_new.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/ethernet/ti/cpsw_new.c
+++ b/drivers/net/ethernet/ti/cpsw_new.c
@@ -772,6 +772,9 @@ static void cpsw_slave_open(struct cpsw_
slave->slave_num);
return;
}
+
+ phy->mac_managed_pm = true;
+
slave->phy = phy;
phy_attached_info(slave->phy);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 418/476] ceph: prevent use-after-free in encode_cap_msg()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 417/476] net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 419/476] mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE Greg Kroah-Hartman
` (67 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rishabh Dave, Jeff Layton, Xiubo Li,
Ilya Dryomov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rishabh Dave <ridave@redhat.com>
commit cda4672da1c26835dcbd7aec2bfed954eda9b5ef upstream.
In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
implies before the refcount could be increment here, it was freed.
In same file, in "handle_cap_grant()" refcount is decremented by this
line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
occurred and resource was freed by the latter line before the former
line could increment it.
encode_cap_msg() is called by __send_cap() and __send_cap() is called by
ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
the refcount must be increased to prevent "use after free" error.
Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/59259
Signed-off-by: Rishabh Dave <ridave@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/caps.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -1390,7 +1390,7 @@ static void __prep_cap(struct cap_msg_ar
if (flushing & CEPH_CAP_XATTR_EXCL) {
arg->old_xattr_buf = __ceph_build_xattrs_blob(ci);
arg->xattr_version = ci->i_xattrs.version;
- arg->xattr_buf = ci->i_xattrs.blob;
+ arg->xattr_buf = ceph_buffer_get(ci->i_xattrs.blob);
} else {
arg->xattr_buf = NULL;
arg->old_xattr_buf = NULL;
@@ -1456,6 +1456,7 @@ static void __send_cap(struct cap_msg_ar
encode_cap_msg(msg, arg);
ceph_con_send(&arg->session->s_con, msg);
ceph_buffer_put(arg->old_xattr_buf);
+ ceph_buffer_put(arg->xattr_buf);
if (arg->wake)
wake_up_all(&ci->i_cap_wq);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 419/476] mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 418/476] ceph: prevent use-after-free in encode_cap_msg() Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 420/476] of: property: fix typo in io-channels Greg Kroah-Hartman
` (66 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prakash Sangappa, Muchun Song,
Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prakash Sangappa <prakash.sangappa@oracle.com>
commit e656c7a9e59607d1672d85ffa9a89031876ffe67 upstream.
For shared memory of type SHM_HUGETLB, hugetlb pages are reserved in
shmget() call. If SHM_NORESERVE flags is specified then the hugetlb pages
are not reserved. However when the shared memory is attached with the
shmat() call the hugetlb pages are getting reserved incorrectly for
SHM_HUGETLB shared memory created with SHM_NORESERVE which is a bug.
-------------------------------
Following test shows the issue.
$cat shmhtb.c
int main()
{
int shmflags = 0660 | IPC_CREAT | SHM_HUGETLB | SHM_NORESERVE;
int shmid;
shmid = shmget(SKEY, SHMSZ, shmflags);
if (shmid < 0)
{
printf("shmat: shmget() failed, %d\n", errno);
return 1;
}
printf("After shmget()\n");
system("cat /proc/meminfo | grep -i hugepages_");
shmat(shmid, NULL, 0);
printf("\nAfter shmat()\n");
system("cat /proc/meminfo | grep -i hugepages_");
shmctl(shmid, IPC_RMID, NULL);
return 0;
}
#sysctl -w vm.nr_hugepages=20
#./shmhtb
After shmget()
HugePages_Total: 20
HugePages_Free: 20
HugePages_Rsvd: 0
HugePages_Surp: 0
After shmat()
HugePages_Total: 20
HugePages_Free: 20
HugePages_Rsvd: 5 <--
HugePages_Surp: 0
--------------------------------
Fix is to ensure that hugetlb pages are not reserved for SHM_HUGETLB shared
memory in the shmat() call.
Link: https://lkml.kernel.org/r/1706040282-12388-1-git-send-email-prakash.sangappa@oracle.com
Signed-off-by: Prakash Sangappa <prakash.sangappa@oracle.com>
Acked-by: Muchun Song <muchun.song@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hugetlbfs/inode.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -135,6 +135,7 @@ static int hugetlbfs_file_mmap(struct fi
loff_t len, vma_len;
int ret;
struct hstate *h = hstate_file(file);
+ vm_flags_t vm_flags;
/*
* vma address alignment (but not the pgoff alignment) has
@@ -176,10 +177,20 @@ static int hugetlbfs_file_mmap(struct fi
file_accessed(file);
ret = -ENOMEM;
+
+ vm_flags = vma->vm_flags;
+ /*
+ * for SHM_HUGETLB, the pages are reserved in the shmget() call so skip
+ * reserving here. Note: only for SHM hugetlbfs file, the inode
+ * flag S_PRIVATE is set.
+ */
+ if (inode->i_flags & S_PRIVATE)
+ vm_flags |= VM_NORESERVE;
+
if (!hugetlb_reserve_pages(inode,
vma->vm_pgoff >> huge_page_order(h),
len >> huge_page_shift(h), vma,
- vma->vm_flags))
+ vm_flags))
goto out;
ret = 0;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 420/476] of: property: fix typo in io-channels
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 419/476] mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 421/476] can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock Greg Kroah-Hartman
` (65 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sa, Saravana Kannan,
Jonathan Cameron, Rob Herring
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sa <nuno.sa@analog.com>
commit 8f7e917907385e112a845d668ae2832f41e64bf5 upstream.
The property is io-channels and not io-channel. This was effectively
preventing the devlink creation.
Fixes: 8e12257dead7 ("of: property: Add device link support for iommus, mboxes and io-channels")
Cc: stable@vger.kernel.org
Signed-off-by: Nuno Sa <nuno.sa@analog.com>
Reviewed-by: Saravana Kannan <saravanak@google.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Link: https://lore.kernel.org/r/20240123-iio-backend-v7-1-1bff236b8693@analog.com
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/property.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/of/property.c
+++ b/drivers/of/property.c
@@ -1270,7 +1270,7 @@ DEFINE_SIMPLE_PROP(clocks, "clocks", "#c
DEFINE_SIMPLE_PROP(interconnects, "interconnects", "#interconnect-cells")
DEFINE_SIMPLE_PROP(iommus, "iommus", "#iommu-cells")
DEFINE_SIMPLE_PROP(mboxes, "mboxes", "#mbox-cells")
-DEFINE_SIMPLE_PROP(io_channels, "io-channel", "#io-channel-cells")
+DEFINE_SIMPLE_PROP(io_channels, "io-channels", "#io-channel-cells")
DEFINE_SIMPLE_PROP(interrupt_parent, "interrupt-parent", NULL)
DEFINE_SIMPLE_PROP(dmas, "dmas", "#dma-cells")
DEFINE_SIMPLE_PROP(power_domains, "power-domains", "#power-domain-cells")
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 421/476] can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 420/476] of: property: fix typo in io-channels Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 422/476] can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) Greg Kroah-Hartman
` (64 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1591462f226d9cbf0564,
Ziqi Zhao, Oleksij Rempel, Marc Kleine-Budde
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziqi Zhao <astrajoan@yahoo.com>
commit 6cdedc18ba7b9dacc36466e27e3267d201948c8d upstream.
The following 3 locks would race against each other, causing the
deadlock situation in the Syzbot bug report:
- j1939_socks_lock
- active_session_list_lock
- sk_session_queue_lock
A reasonable fix is to change j1939_socks_lock to an rwlock, since in
the rare situations where a write lock is required for the linked list
that j1939_socks_lock is protecting, the code does not attempt to
acquire any more locks. This would break the circular lock dependency,
where, for example, the current thread already locks j1939_socks_lock
and attempts to acquire sk_session_queue_lock, and at the same time,
another thread attempts to acquire j1939_socks_lock while holding
sk_session_queue_lock.
NOTE: This patch along does not fix the unregister_netdevice bug
reported by Syzbot; instead, it solves a deadlock situation to prepare
for one or more further patches to actually fix the Syzbot bug, which
appears to be a reference counting problem within the j1939 codebase.
Reported-by: <syzbot+1591462f226d9cbf0564@syzkaller.appspotmail.com>
Signed-off-by: Ziqi Zhao <astrajoan@yahoo.com>
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/all/20230721162226.8639-1-astrajoan@yahoo.com
[mkl: remove unrelated newline change]
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/j1939-priv.h | 2 +-
net/can/j1939/main.c | 2 +-
net/can/j1939/socket.c | 24 ++++++++++++------------
3 files changed, 14 insertions(+), 14 deletions(-)
--- a/net/can/j1939/j1939-priv.h
+++ b/net/can/j1939/j1939-priv.h
@@ -86,7 +86,7 @@ struct j1939_priv {
unsigned int tp_max_packet_size;
/* lock for j1939_socks list */
- spinlock_t j1939_socks_lock;
+ rwlock_t j1939_socks_lock;
struct list_head j1939_socks;
struct kref rx_kref;
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -270,7 +270,7 @@ struct j1939_priv *j1939_netdev_start(st
return ERR_PTR(-ENOMEM);
j1939_tp_init(priv);
- spin_lock_init(&priv->j1939_socks_lock);
+ rwlock_init(&priv->j1939_socks_lock);
INIT_LIST_HEAD(&priv->j1939_socks);
mutex_lock(&j1939_netdev_lock);
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -80,16 +80,16 @@ static void j1939_jsk_add(struct j1939_p
jsk->state |= J1939_SOCK_BOUND;
j1939_priv_get(priv);
- spin_lock_bh(&priv->j1939_socks_lock);
+ write_lock_bh(&priv->j1939_socks_lock);
list_add_tail(&jsk->list, &priv->j1939_socks);
- spin_unlock_bh(&priv->j1939_socks_lock);
+ write_unlock_bh(&priv->j1939_socks_lock);
}
static void j1939_jsk_del(struct j1939_priv *priv, struct j1939_sock *jsk)
{
- spin_lock_bh(&priv->j1939_socks_lock);
+ write_lock_bh(&priv->j1939_socks_lock);
list_del_init(&jsk->list);
- spin_unlock_bh(&priv->j1939_socks_lock);
+ write_unlock_bh(&priv->j1939_socks_lock);
j1939_priv_put(priv);
jsk->state &= ~J1939_SOCK_BOUND;
@@ -329,13 +329,13 @@ bool j1939_sk_recv_match(struct j1939_pr
struct j1939_sock *jsk;
bool match = false;
- spin_lock_bh(&priv->j1939_socks_lock);
+ read_lock_bh(&priv->j1939_socks_lock);
list_for_each_entry(jsk, &priv->j1939_socks, list) {
match = j1939_sk_recv_match_one(jsk, skcb);
if (match)
break;
}
- spin_unlock_bh(&priv->j1939_socks_lock);
+ read_unlock_bh(&priv->j1939_socks_lock);
return match;
}
@@ -344,11 +344,11 @@ void j1939_sk_recv(struct j1939_priv *pr
{
struct j1939_sock *jsk;
- spin_lock_bh(&priv->j1939_socks_lock);
+ read_lock_bh(&priv->j1939_socks_lock);
list_for_each_entry(jsk, &priv->j1939_socks, list) {
j1939_sk_recv_one(jsk, skb);
}
- spin_unlock_bh(&priv->j1939_socks_lock);
+ read_unlock_bh(&priv->j1939_socks_lock);
}
static void j1939_sk_sock_destruct(struct sock *sk)
@@ -1078,12 +1078,12 @@ void j1939_sk_errqueue(struct j1939_sess
}
/* spread RX notifications to all sockets subscribed to this session */
- spin_lock_bh(&priv->j1939_socks_lock);
+ read_lock_bh(&priv->j1939_socks_lock);
list_for_each_entry(jsk, &priv->j1939_socks, list) {
if (j1939_sk_recv_match_one(jsk, &session->skcb))
__j1939_sk_errqueue(session, &jsk->sk, type);
}
- spin_unlock_bh(&priv->j1939_socks_lock);
+ read_unlock_bh(&priv->j1939_socks_lock);
};
void j1939_sk_send_loop_abort(struct sock *sk, int err)
@@ -1271,7 +1271,7 @@ void j1939_sk_netdev_event_netdown(struc
struct j1939_sock *jsk;
int error_code = ENETDOWN;
- spin_lock_bh(&priv->j1939_socks_lock);
+ read_lock_bh(&priv->j1939_socks_lock);
list_for_each_entry(jsk, &priv->j1939_socks, list) {
jsk->sk.sk_err = error_code;
if (!sock_flag(&jsk->sk, SOCK_DEAD))
@@ -1279,7 +1279,7 @@ void j1939_sk_netdev_event_netdown(struc
j1939_sk_queue_drop_all(priv, jsk, error_code);
}
- spin_unlock_bh(&priv->j1939_socks_lock);
+ read_unlock_bh(&priv->j1939_socks_lock);
}
static int j1939_sk_no_ioctlcmd(struct socket *sock, unsigned int cmd,
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 422/476] can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 421/476] can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 423/476] pmdomain: core: Move the unused cleanup to a _sync initcall Greg Kroah-Hartman
` (63 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sili Luo, Oleksij Rempel, Marc Kleine-Budde
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit efe7cf828039aedb297c1f9920b638fffee6aabc upstream.
Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
modifies jsk->filters while receiving packets.
Following trace was seen on affected system:
==================================================================
BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
Read of size 4 at addr ffff888012144014 by task j1939/350
CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
print_report+0xd3/0x620
? kasan_complete_mode_report_info+0x7d/0x200
? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
kasan_report+0xc2/0x100
? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
__asan_load4+0x84/0xb0
j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
j1939_sk_recv+0x20b/0x320 [can_j1939]
? __kasan_check_write+0x18/0x20
? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
? j1939_simple_recv+0x69/0x280 [can_j1939]
? j1939_ac_recv+0x5e/0x310 [can_j1939]
j1939_can_recv+0x43f/0x580 [can_j1939]
? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
? raw_rcv+0x42/0x3c0 [can_raw]
? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
can_rcv_filter+0x11f/0x350 [can]
can_receive+0x12f/0x190 [can]
? __pfx_can_rcv+0x10/0x10 [can]
can_rcv+0xdd/0x130 [can]
? __pfx_can_rcv+0x10/0x10 [can]
__netif_receive_skb_one_core+0x13d/0x150
? __pfx___netif_receive_skb_one_core+0x10/0x10
? __kasan_check_write+0x18/0x20
? _raw_spin_lock_irq+0x8c/0xe0
__netif_receive_skb+0x23/0xb0
process_backlog+0x107/0x260
__napi_poll+0x69/0x310
net_rx_action+0x2a1/0x580
? __pfx_net_rx_action+0x10/0x10
? __pfx__raw_spin_lock+0x10/0x10
? handle_irq_event+0x7d/0xa0
__do_softirq+0xf3/0x3f8
do_softirq+0x53/0x80
</IRQ>
<TASK>
__local_bh_enable_ip+0x6e/0x70
netif_rx+0x16b/0x180
can_send+0x32b/0x520 [can]
? __pfx_can_send+0x10/0x10 [can]
? __check_object_size+0x299/0x410
raw_sendmsg+0x572/0x6d0 [can_raw]
? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
? apparmor_socket_sendmsg+0x2f/0x40
? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
sock_sendmsg+0xef/0x100
sock_write_iter+0x162/0x220
? __pfx_sock_write_iter+0x10/0x10
? __rtnl_unlock+0x47/0x80
? security_file_permission+0x54/0x320
vfs_write+0x6ba/0x750
? __pfx_vfs_write+0x10/0x10
? __fget_light+0x1ca/0x1f0
? __rcu_read_unlock+0x5b/0x280
ksys_write+0x143/0x170
? __pfx_ksys_write+0x10/0x10
? __kasan_check_read+0x15/0x20
? fpregs_assert_state_consistent+0x62/0x70
__x64_sys_write+0x47/0x60
do_syscall_64+0x60/0x90
? do_syscall_64+0x6d/0x90
? irqentry_exit+0x3f/0x50
? exc_page_fault+0x79/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Allocated by task 348:
kasan_save_stack+0x2a/0x50
kasan_set_track+0x29/0x40
kasan_save_alloc_info+0x1f/0x30
__kasan_kmalloc+0xb5/0xc0
__kmalloc_node_track_caller+0x67/0x160
j1939_sk_setsockopt+0x284/0x450 [can_j1939]
__sys_setsockopt+0x15c/0x2f0
__x64_sys_setsockopt+0x6b/0x80
do_syscall_64+0x60/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 349:
kasan_save_stack+0x2a/0x50
kasan_set_track+0x29/0x40
kasan_save_free_info+0x2f/0x50
__kasan_slab_free+0x12e/0x1c0
__kmem_cache_free+0x1b9/0x380
kfree+0x7a/0x120
j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
__sys_setsockopt+0x15c/0x2f0
__x64_sys_setsockopt+0x6b/0x80
do_syscall_64+0x60/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
Reported-by: Sili Luo <rootlab@huawei.com>
Suggested-by: Sili Luo <rootlab@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/j1939-priv.h | 1 +
net/can/j1939/socket.c | 22 ++++++++++++++++++----
2 files changed, 19 insertions(+), 4 deletions(-)
--- a/net/can/j1939/j1939-priv.h
+++ b/net/can/j1939/j1939-priv.h
@@ -301,6 +301,7 @@ struct j1939_sock {
int ifindex;
struct j1939_addr addr;
+ spinlock_t filters_lock;
struct j1939_filter *filters;
int nfilters;
pgn_t pgn_rx_filter;
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -262,12 +262,17 @@ static bool j1939_sk_match_dst(struct j1
static bool j1939_sk_match_filter(struct j1939_sock *jsk,
const struct j1939_sk_buff_cb *skcb)
{
- const struct j1939_filter *f = jsk->filters;
- int nfilter = jsk->nfilters;
+ const struct j1939_filter *f;
+ int nfilter;
+
+ spin_lock_bh(&jsk->filters_lock);
+
+ f = jsk->filters;
+ nfilter = jsk->nfilters;
if (!nfilter)
/* receive all when no filters are assigned */
- return true;
+ goto filter_match_found;
for (; nfilter; ++f, --nfilter) {
if ((skcb->addr.pgn & f->pgn_mask) != f->pgn)
@@ -276,9 +281,15 @@ static bool j1939_sk_match_filter(struct
continue;
if ((skcb->addr.src_name & f->name_mask) != f->name)
continue;
- return true;
+ goto filter_match_found;
}
+
+ spin_unlock_bh(&jsk->filters_lock);
return false;
+
+filter_match_found:
+ spin_unlock_bh(&jsk->filters_lock);
+ return true;
}
static bool j1939_sk_recv_match_one(struct j1939_sock *jsk,
@@ -401,6 +412,7 @@ static int j1939_sk_init(struct sock *sk
atomic_set(&jsk->skb_pending, 0);
spin_lock_init(&jsk->sk_session_queue_lock);
INIT_LIST_HEAD(&jsk->sk_session_queue);
+ spin_lock_init(&jsk->filters_lock);
/* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */
sock_set_flag(sk, SOCK_RCU_FREE);
@@ -703,9 +715,11 @@ static int j1939_sk_setsockopt(struct so
}
lock_sock(&jsk->sk);
+ spin_lock_bh(&jsk->filters_lock);
ofilters = jsk->filters;
jsk->filters = filters;
jsk->nfilters = count;
+ spin_unlock_bh(&jsk->filters_lock);
release_sock(&jsk->sk);
kfree(ofilters);
return 0;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 423/476] pmdomain: core: Move the unused cleanup to a _sync initcall
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 422/476] can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 424/476] tracing: Inform kmemleak of saved_cmdlines allocation Greg Kroah-Hartman
` (62 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@linaro.org>
commit 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 upstream.
The unused clock cleanup uses the _sync initcall to give all users at
earlier initcalls time to probe. Do the same to avoid leaving some PDs
dangling at "on" (which actually happened on qcom!).
Fixes: 2fe71dcdfd10 ("PM / domains: Add late_initcall to disable unused PM domains")
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20231227-topic-pmdomain_sync_cleanup-v1-1-5f36769d538b@linaro.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/domain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -1044,7 +1044,7 @@ static int __init genpd_power_off_unused
return 0;
}
-late_initcall(genpd_power_off_unused);
+late_initcall_sync(genpd_power_off_unused);
#ifdef CONFIG_PM_SLEEP
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 424/476] tracing: Inform kmemleak of saved_cmdlines allocation
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 423/476] pmdomain: core: Move the unused cleanup to a _sync initcall Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 425/476] af_unix: Fix task hung while purging oob_skb in GC Greg Kroah-Hartman
` (61 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Catalin Marinas, Kalle Valo, Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 2394ac4145ea91b92271e675a09af2a9ea6840b7 upstream.
The allocation of the struct saved_cmdlines_buffer structure changed from:
s = kmalloc(sizeof(*s), GFP_KERNEL);
s->saved_cmdlines = kmalloc_array(TASK_COMM_LEN, val, GFP_KERNEL);
to:
orig_size = sizeof(*s) + val * TASK_COMM_LEN;
order = get_order(orig_size);
size = 1 << (order + PAGE_SHIFT);
page = alloc_pages(GFP_KERNEL, order);
if (!page)
return NULL;
s = page_address(page);
memset(s, 0, sizeof(*s));
s->saved_cmdlines = kmalloc_array(TASK_COMM_LEN, val, GFP_KERNEL);
Where that s->saved_cmdlines allocation looks to be a dangling allocation
to kmemleak. That's because kmemleak only keeps track of kmalloc()
allocations. For allocations that use page_alloc() directly, the kmemleak
needs to be explicitly informed about it.
Add kmemleak_alloc() and kmemleak_free() around the page allocation so
that it doesn't give the following false positive:
unreferenced object 0xffff8881010c8000 (size 32760):
comm "swapper", pid 0, jiffies 4294667296
hex dump (first 32 bytes):
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
backtrace (crc ae6ec1b9):
[<ffffffff86722405>] kmemleak_alloc+0x45/0x80
[<ffffffff8414028d>] __kmalloc_large_node+0x10d/0x190
[<ffffffff84146ab1>] __kmalloc+0x3b1/0x4c0
[<ffffffff83ed7103>] allocate_cmdlines_buffer+0x113/0x230
[<ffffffff88649c34>] tracer_alloc_buffers.isra.0+0x124/0x460
[<ffffffff8864a174>] early_trace_init+0x14/0xa0
[<ffffffff885dd5ae>] start_kernel+0x12e/0x3c0
[<ffffffff885f5758>] x86_64_start_reservations+0x18/0x30
[<ffffffff885f582b>] x86_64_start_kernel+0x7b/0x80
[<ffffffff83a001c3>] secondary_startup_64_no_verify+0x15e/0x16b
Link: https://lore.kernel.org/linux-trace-kernel/87r0hfnr9r.fsf@kernel.org/
Link: https://lore.kernel.org/linux-trace-kernel/20240214112046.09a322d6@gandalf.local.home
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Fixes: 44dc5c41b5b1 ("tracing: Fix wasted memory in saved_cmdlines logic")
Reported-by: Kalle Valo <kvalo@kernel.org>
Tested-by: Kalle Valo <kvalo@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 3 +++
1 file changed, 3 insertions(+)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -40,6 +40,7 @@
#include <linux/ctype.h>
#include <linux/init.h>
#include <linux/panic_notifier.h>
+#include <linux/kmemleak.h>
#include <linux/poll.h>
#include <linux/nmi.h>
#include <linux/fs.h>
@@ -2255,6 +2256,7 @@ static void free_saved_cmdlines_buffer(s
int order = get_order(sizeof(*s) + s->cmdline_num * TASK_COMM_LEN);
kfree(s->map_cmdline_to_pid);
+ kmemleak_free(s);
free_pages((unsigned long)s, order);
}
@@ -2274,6 +2276,7 @@ static struct saved_cmdlines_buffer *all
return NULL;
s = page_address(page);
+ kmemleak_alloc(s, size, 1, GFP_KERNEL);
memset(s, 0, sizeof(*s));
/* Round up to actual allocation */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 425/476] af_unix: Fix task hung while purging oob_skb in GC.
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 424/476] tracing: Inform kmemleak of saved_cmdlines allocation Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 426/476] dma-buf: add dma_fence_timestamp helper Greg Kroah-Hartman
` (60 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4fa4a2d1f5a5ee06f006,
Kuniyuki Iwashima, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit 25236c91b5ab4a26a56ba2e79b8060cf4e047839 upstream.
syzbot reported a task hung; at the same time, GC was looping infinitely
in list_for_each_entry_safe() for OOB skb. [0]
syzbot demonstrated that the list_for_each_entry_safe() was not actually
safe in this case.
A single skb could have references for multiple sockets. If we free such
a skb in the list_for_each_entry_safe(), the current and next sockets could
be unlinked in a single iteration.
unix_notinflight() uses list_del_init() to unlink the socket, so the
prefetched next socket forms a loop itself and list_for_each_entry_safe()
never stops.
Here, we must use while() and make sure we always fetch the first socket.
[0]:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207
Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74
RSP: 0018:ffffc900033efa58 EFLAGS: 00000283
RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189
RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70
RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c
R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800
R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
unix_gc+0x563/0x13b0 net/unix/garbage.c:319
unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683
unix_release+0x91/0xf0 net/unix/af_unix.c:1064
__sock_release+0xb0/0x270 net/socket.c:659
sock_close+0x1c/0x30 net/socket.c:1421
__fput+0x270/0xb80 fs/file_table.c:376
task_work_run+0x14f/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f9d6cbdac09
Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.
RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0
R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70
</TASK>
Reported-by: syzbot+4fa4a2d1f5a5ee06f006@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4fa4a2d1f5a5ee06f006
Fixes: 1279f9d9dec2 ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240209220453.96053-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/unix/garbage.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -315,10 +315,11 @@ void unix_gc(void)
__skb_queue_purge(&hitlist);
#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
- list_for_each_entry_safe(u, next, &gc_candidates, link) {
- struct sk_buff *skb = u->oob_skb;
+ while (!list_empty(&gc_candidates)) {
+ u = list_entry(gc_candidates.next, struct unix_sock, link);
+ if (u->oob_skb) {
+ struct sk_buff *skb = u->oob_skb;
- if (skb) {
u->oob_skb = NULL;
kfree_skb(skb);
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 426/476] dma-buf: add dma_fence_timestamp helper
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 425/476] af_unix: Fix task hung while purging oob_skb in GC Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping Greg Kroah-Hartman
` (59 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunxiang Li, Christian König,
Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
[ Upstream commit b83ce9cb4a465b8f9a3fa45561b721a9551f60e3 ]
When a fence signals there is a very small race window where the timestamp
isn't updated yet. sync_file solves this by busy waiting for the
timestamp to appear, but on other ocassions didn't handled this
correctly.
Provide a dma_fence_timestamp() helper function for this and use it in
all appropriate cases.
Another alternative would be to grab the spinlock when that happens.
v2 by teddy: add a wait parameter to wait for the timestamp to show up, in case
the accurate timestamp is needed and/or the timestamp is not based on
ktime (e.g. hw timestamp)
v3 chk: drop the parameter again for unified handling
Signed-off-by: Yunxiang Li <Yunxiang.Li@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: 1774baa64f93 ("drm/scheduler: Change scheduled fence track v2")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
CC: stable@vger.kernel.org
Link: https://patchwork.freedesktop.org/patch/msgid/20230929104725.2358-1-christian.koenig@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma-buf/dma-fence-unwrap.c | 176 +++++++++++++++++++++++++
drivers/dma-buf/sync_file.c | 9 +-
drivers/gpu/drm/scheduler/sched_main.c | 3 +-
include/linux/dma-fence.h | 19 +++
4 files changed, 199 insertions(+), 8 deletions(-)
create mode 100644 drivers/dma-buf/dma-fence-unwrap.c
diff --git a/drivers/dma-buf/dma-fence-unwrap.c b/drivers/dma-buf/dma-fence-unwrap.c
new file mode 100644
index 000000000000..628af51c81af
--- /dev/null
+++ b/drivers/dma-buf/dma-fence-unwrap.c
@@ -0,0 +1,176 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * dma-fence-util: misc functions for dma_fence objects
+ *
+ * Copyright (C) 2022 Advanced Micro Devices, Inc.
+ * Authors:
+ * Christian König <christian.koenig@amd.com>
+ */
+
+#include <linux/dma-fence.h>
+#include <linux/dma-fence-array.h>
+#include <linux/dma-fence-chain.h>
+#include <linux/dma-fence-unwrap.h>
+#include <linux/slab.h>
+
+/* Internal helper to start new array iteration, don't use directly */
+static struct dma_fence *
+__dma_fence_unwrap_array(struct dma_fence_unwrap *cursor)
+{
+ cursor->array = dma_fence_chain_contained(cursor->chain);
+ cursor->index = 0;
+ return dma_fence_array_first(cursor->array);
+}
+
+/**
+ * dma_fence_unwrap_first - return the first fence from fence containers
+ * @head: the entrypoint into the containers
+ * @cursor: current position inside the containers
+ *
+ * Unwraps potential dma_fence_chain/dma_fence_array containers and return the
+ * first fence.
+ */
+struct dma_fence *dma_fence_unwrap_first(struct dma_fence *head,
+ struct dma_fence_unwrap *cursor)
+{
+ cursor->chain = dma_fence_get(head);
+ return __dma_fence_unwrap_array(cursor);
+}
+EXPORT_SYMBOL_GPL(dma_fence_unwrap_first);
+
+/**
+ * dma_fence_unwrap_next - return the next fence from a fence containers
+ * @cursor: current position inside the containers
+ *
+ * Continue unwrapping the dma_fence_chain/dma_fence_array containers and return
+ * the next fence from them.
+ */
+struct dma_fence *dma_fence_unwrap_next(struct dma_fence_unwrap *cursor)
+{
+ struct dma_fence *tmp;
+
+ ++cursor->index;
+ tmp = dma_fence_array_next(cursor->array, cursor->index);
+ if (tmp)
+ return tmp;
+
+ cursor->chain = dma_fence_chain_walk(cursor->chain);
+ return __dma_fence_unwrap_array(cursor);
+}
+EXPORT_SYMBOL_GPL(dma_fence_unwrap_next);
+
+/* Implementation for the dma_fence_merge() marco, don't use directly */
+struct dma_fence *__dma_fence_unwrap_merge(unsigned int num_fences,
+ struct dma_fence **fences,
+ struct dma_fence_unwrap *iter)
+{
+ struct dma_fence_array *result;
+ struct dma_fence *tmp, **array;
+ ktime_t timestamp;
+ unsigned int i;
+ size_t count;
+
+ count = 0;
+ timestamp = ns_to_ktime(0);
+ for (i = 0; i < num_fences; ++i) {
+ dma_fence_unwrap_for_each(tmp, &iter[i], fences[i]) {
+ if (!dma_fence_is_signaled(tmp)) {
+ ++count;
+ } else {
+ ktime_t t = dma_fence_timestamp(tmp);
+
+ if (ktime_after(t, timestamp))
+ timestamp = t;
+ }
+ }
+ }
+
+ /*
+ * If we couldn't find a pending fence just return a private signaled
+ * fence with the timestamp of the last signaled one.
+ */
+ if (count == 0)
+ return dma_fence_allocate_private_stub(timestamp);
+
+ array = kmalloc_array(count, sizeof(*array), GFP_KERNEL);
+ if (!array)
+ return NULL;
+
+ /*
+ * This trashes the input fence array and uses it as position for the
+ * following merge loop. This works because the dma_fence_merge()
+ * wrapper macro is creating this temporary array on the stack together
+ * with the iterators.
+ */
+ for (i = 0; i < num_fences; ++i)
+ fences[i] = dma_fence_unwrap_first(fences[i], &iter[i]);
+
+ count = 0;
+ do {
+ unsigned int sel;
+
+restart:
+ tmp = NULL;
+ for (i = 0; i < num_fences; ++i) {
+ struct dma_fence *next;
+
+ while (fences[i] && dma_fence_is_signaled(fences[i]))
+ fences[i] = dma_fence_unwrap_next(&iter[i]);
+
+ next = fences[i];
+ if (!next)
+ continue;
+
+ /*
+ * We can't guarantee that inpute fences are ordered by
+ * context, but it is still quite likely when this
+ * function is used multiple times. So attempt to order
+ * the fences by context as we pass over them and merge
+ * fences with the same context.
+ */
+ if (!tmp || tmp->context > next->context) {
+ tmp = next;
+ sel = i;
+
+ } else if (tmp->context < next->context) {
+ continue;
+
+ } else if (dma_fence_is_later(tmp, next)) {
+ fences[i] = dma_fence_unwrap_next(&iter[i]);
+ goto restart;
+ } else {
+ fences[sel] = dma_fence_unwrap_next(&iter[sel]);
+ goto restart;
+ }
+ }
+
+ if (tmp) {
+ array[count++] = dma_fence_get(tmp);
+ fences[sel] = dma_fence_unwrap_next(&iter[sel]);
+ }
+ } while (tmp);
+
+ if (count == 0) {
+ tmp = dma_fence_allocate_private_stub(ktime_get());
+ goto return_tmp;
+ }
+
+ if (count == 1) {
+ tmp = array[0];
+ goto return_tmp;
+ }
+
+ result = dma_fence_array_create(count, array,
+ dma_fence_context_alloc(1),
+ 1, false);
+ if (!result) {
+ tmp = NULL;
+ goto return_tmp;
+ }
+ return &result->base;
+
+return_tmp:
+ kfree(array);
+ return tmp;
+}
+EXPORT_SYMBOL_GPL(__dma_fence_unwrap_merge);
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
index 394e6e1e9686..875ae4b3b047 100644
--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -384,13 +384,10 @@ static int sync_fill_fence_info(struct dma_fence *fence,
sizeof(info->driver_name));
info->status = dma_fence_get_status(fence);
- while (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags) &&
- !test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags))
- cpu_relax();
info->timestamp_ns =
- test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags) ?
- ktime_to_ns(fence->timestamp) :
- ktime_set(0, 0);
+ dma_fence_is_signaled(fence) ?
+ ktime_to_ns(dma_fence_timestamp(fence)) :
+ ktime_set(0, 0);
return info->status;
}
diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
index 67382621b429..e827e8a83c4e 100644
--- a/drivers/gpu/drm/scheduler/sched_main.c
+++ b/drivers/gpu/drm/scheduler/sched_main.c
@@ -698,8 +698,7 @@ drm_sched_get_cleanup_job(struct drm_gpu_scheduler *sched)
typeof(*next), list);
if (next)
next->s_fence->scheduled.timestamp =
- job->s_fence->finished.timestamp;
-
+ dma_fence_timestamp(&job->s_fence->finished);
} else {
job = NULL;
/* queue timeout for next job */
diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h
index 6ffb4b2c6371..9d276655cc25 100644
--- a/include/linux/dma-fence.h
+++ b/include/linux/dma-fence.h
@@ -551,6 +551,25 @@ static inline void dma_fence_set_error(struct dma_fence *fence,
fence->error = error;
}
+/**
+ * dma_fence_timestamp - helper to get the completion timestamp of a fence
+ * @fence: fence to get the timestamp from.
+ *
+ * After a fence is signaled the timestamp is updated with the signaling time,
+ * but setting the timestamp can race with tasks waiting for the signaling. This
+ * helper busy waits for the correct timestamp to appear.
+ */
+static inline ktime_t dma_fence_timestamp(struct dma_fence *fence)
+{
+ if (WARN_ON(!test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)))
+ return ktime_get();
+
+ while (!test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags))
+ cpu_relax();
+
+ return fence->timestamp;
+}
+
signed long dma_fence_wait_timeout(struct dma_fence *,
bool intr, signed long timeout);
signed long dma_fence_wait_any_timeout(struct dma_fence **fences,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 426/476] dma-buf: add dma_fence_timestamp helper Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 14:17 ` Alvin Šipraga
2024-02-21 13:07 ` [PATCH 5.15 428/476] wifi: mwifiex: Support SD8978 chipset Greg Kroah-Hartman
` (58 subsequent siblings)
485 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrejs Cainikovs,
Alvin Šipraga, Kalle Valo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
[ Upstream commit 255ca28a659d3cfb069f73c7644853ed93aecdb0 ]
Some WiFi/Bluetooth modules might have different host connection
options, allowing to either use SDIO for both WiFi and Bluetooth,
or SDIO for WiFi and UART for Bluetooth. It is possible to detect
whether a module has SDIO-SDIO or SDIO-UART connection by reading
its host strap register.
This change introduces a way to automatically select appropriate
firmware depending of the connection method, and removes a need
of symlinking or overwriting the original firmware file with a
required one.
Host strap register used in this commit comes from the NXP driver [1]
hosted at Code Aurora.
[1] https://source.codeaurora.org/external/imx/linux-imx/tree/drivers/net/wireless/nxp/mxm_wifiex/wlan_src/mlinux/moal_sdio_mmc.c?h=rel_imx_5.4.70_2.3.2&id=688b67b2c7220b01521ffe560da7eee33042c7bd#n1274
Signed-off-by: Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
Reviewed-by: Alvin Šipraga <alsi@bang-olufsen.dk>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220422090313.125857-2-andrejs.cainikovs@toradex.com
Stable-dep-of: 1c5d463c0770 ("wifi: mwifiex: add extra delay for firmware ready")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/sdio.c | 21 ++++++++++++++++++++-
drivers/net/wireless/marvell/mwifiex/sdio.h | 5 +++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
index b09e60fedeb1..016065a56e6c 100644
--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
+++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
@@ -182,6 +182,9 @@ static const struct mwifiex_sdio_card_reg mwifiex_reg_sd8997 = {
.host_int_rsr_reg = 0x4,
.host_int_status_reg = 0x0C,
.host_int_mask_reg = 0x08,
+ .host_strap_reg = 0xF4,
+ .host_strap_mask = 0x01,
+ .host_strap_value = 0x00,
.status_reg_0 = 0xE8,
.status_reg_1 = 0xE9,
.sdio_int_mask = 0xff,
@@ -283,6 +286,9 @@ static const struct mwifiex_sdio_card_reg mwifiex_reg_sd8987 = {
.host_int_rsr_reg = 0x4,
.host_int_status_reg = 0x0C,
.host_int_mask_reg = 0x08,
+ .host_strap_reg = 0xF4,
+ .host_strap_mask = 0x01,
+ .host_strap_value = 0x00,
.status_reg_0 = 0xE8,
.status_reg_1 = 0xE9,
.sdio_int_mask = 0xff,
@@ -537,6 +543,7 @@ mwifiex_sdio_probe(struct sdio_func *func, const struct sdio_device_id *id)
struct mwifiex_sdio_device *data = (void *)id->driver_data;
card->firmware = data->firmware;
+ card->firmware_sdiouart = data->firmware_sdiouart;
card->reg = data->reg;
card->max_ports = data->max_ports;
card->mp_agg_pkt_limit = data->mp_agg_pkt_limit;
@@ -2440,6 +2447,7 @@ static int mwifiex_register_dev(struct mwifiex_adapter *adapter)
int ret;
struct sdio_mmc_card *card = adapter->card;
struct sdio_func *func = card->func;
+ const char *firmware = card->firmware;
/* save adapter pointer in card */
card->adapter = adapter;
@@ -2456,7 +2464,18 @@ static int mwifiex_register_dev(struct mwifiex_adapter *adapter)
return ret;
}
- strcpy(adapter->fw_name, card->firmware);
+ /* Select correct firmware (sdsd or sdiouart) firmware based on the strapping
+ * option
+ */
+ if (card->firmware_sdiouart) {
+ u8 val;
+
+ mwifiex_read_reg(adapter, card->reg->host_strap_reg, &val);
+ if ((val & card->reg->host_strap_mask) == card->reg->host_strap_value)
+ firmware = card->firmware_sdiouart;
+ }
+ strcpy(adapter->fw_name, firmware);
+
if (card->fw_dump_enh) {
adapter->mem_type_mapping_tbl = generic_mem_type_map;
adapter->num_mem_types = 1;
diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.h b/drivers/net/wireless/marvell/mwifiex/sdio.h
index 5648512c9300..ad2c28cbb630 100644
--- a/drivers/net/wireless/marvell/mwifiex/sdio.h
+++ b/drivers/net/wireless/marvell/mwifiex/sdio.h
@@ -196,6 +196,9 @@ struct mwifiex_sdio_card_reg {
u8 host_int_rsr_reg;
u8 host_int_status_reg;
u8 host_int_mask_reg;
+ u8 host_strap_reg;
+ u8 host_strap_mask;
+ u8 host_strap_value;
u8 status_reg_0;
u8 status_reg_1;
u8 sdio_int_mask;
@@ -241,6 +244,7 @@ struct sdio_mmc_card {
struct completion fw_done;
const char *firmware;
+ const char *firmware_sdiouart;
const struct mwifiex_sdio_card_reg *reg;
u8 max_ports;
u8 mp_agg_pkt_limit;
@@ -274,6 +278,7 @@ struct sdio_mmc_card {
struct mwifiex_sdio_device {
const char *firmware;
+ const char *firmware_sdiouart;
const struct mwifiex_sdio_card_reg *reg;
u8 max_ports;
u8 mp_agg_pkt_limit;
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 428/476] wifi: mwifiex: Support SD8978 chipset
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping Greg Kroah-Hartman
@ 2024-02-21 13:07 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 429/476] wifi: mwifiex: add extra delay for firmware ready Greg Kroah-Hartman
` (57 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Kalle Valo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
[ Upstream commit bba047f15851c8b053221f1b276eb7682d59f755 ]
The Marvell SD8978 (aka NXP IW416) uses identical registers as SD8987,
so reuse the existing mwifiex_reg_sd8987 definition.
Note that mwifiex_reg_sd8977 and mwifiex_reg_sd8997 are likewise
identical, save for the fw_dump_ctrl register: They define it as 0xf0
whereas mwifiex_reg_sd8987 defines it as 0xf9. I've verified that
0xf9 is the correct value on SD8978. NXP's out-of-tree driver uses
0xf9 for all of them, so there's a chance that 0xf0 is not correct
in the mwifiex_reg_sd8977 and mwifiex_reg_sd8997 definitions. I cannot
test that for lack of hardware, hence am leaving it as is.
NXP has only released a firmware which runs Bluetooth over UART.
Perhaps Bluetooth over SDIO is unsupported by this chipset.
Consequently, only an "sdiouart" firmware image is referenced, not an
alternative "sdsd" image.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/536b4f17a72ca460ad1b07045757043fb0778988.1674827105.git.lukas@wunner.de
Stable-dep-of: 1c5d463c0770 ("wifi: mwifiex: add extra delay for firmware ready")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../bindings/net/wireless/marvell-8xxx.txt | 4 ++-
drivers/net/wireless/marvell/mwifiex/Kconfig | 5 ++--
drivers/net/wireless/marvell/mwifiex/sdio.c | 25 +++++++++++++++++--
drivers/net/wireless/marvell/mwifiex/sdio.h | 1 +
include/linux/mmc/sdio_ids.h | 1 +
5 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/Documentation/devicetree/bindings/net/wireless/marvell-8xxx.txt b/Documentation/devicetree/bindings/net/wireless/marvell-8xxx.txt
index 9bf9bbac16e2..cdc303caf5f4 100644
--- a/Documentation/devicetree/bindings/net/wireless/marvell-8xxx.txt
+++ b/Documentation/devicetree/bindings/net/wireless/marvell-8xxx.txt
@@ -1,4 +1,4 @@
-Marvell 8787/8897/8997 (sd8787/sd8897/sd8997/pcie8997) SDIO/PCIE devices
+Marvell 8787/8897/8978/8997 (sd8787/sd8897/sd8978/sd8997/pcie8997) SDIO/PCIE devices
------
This node provides properties for controlling the Marvell SDIO/PCIE wireless device.
@@ -10,7 +10,9 @@ Required properties:
- compatible : should be one of the following:
* "marvell,sd8787"
* "marvell,sd8897"
+ * "marvell,sd8978"
* "marvell,sd8997"
+ * "nxp,iw416"
* "pci11ab,2b42"
* "pci1b4b,2b42"
diff --git a/drivers/net/wireless/marvell/mwifiex/Kconfig b/drivers/net/wireless/marvell/mwifiex/Kconfig
index 2b4ff2b78a7e..b182f7155d66 100644
--- a/drivers/net/wireless/marvell/mwifiex/Kconfig
+++ b/drivers/net/wireless/marvell/mwifiex/Kconfig
@@ -10,13 +10,14 @@ config MWIFIEX
mwifiex.
config MWIFIEX_SDIO
- tristate "Marvell WiFi-Ex Driver for SD8786/SD8787/SD8797/SD8887/SD8897/SD8977/SD8987/SD8997"
+ tristate "Marvell WiFi-Ex Driver for SD8786/SD8787/SD8797/SD8887/SD8897/SD8977/SD8978/SD8987/SD8997"
depends on MWIFIEX && MMC
select FW_LOADER
select WANT_DEV_COREDUMP
help
This adds support for wireless adapters based on Marvell
- 8786/8787/8797/8887/8897/8977/8987/8997 chipsets with SDIO interface.
+ 8786/8787/8797/8887/8897/8977/8978/8987/8997 chipsets with
+ SDIO interface. SD8978 is also known as NXP IW416.
If you choose to build it as a module, it will be called
mwifiex_sdio.
diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
index 016065a56e6c..919f1bae61dc 100644
--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
+++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
@@ -275,7 +275,7 @@ static const struct mwifiex_sdio_card_reg mwifiex_reg_sd8887 = {
0x68, 0x69, 0x6a},
};
-static const struct mwifiex_sdio_card_reg mwifiex_reg_sd8987 = {
+static const struct mwifiex_sdio_card_reg mwifiex_reg_sd89xx = {
.start_rd_port = 0,
.start_wr_port = 0,
.base_0_reg = 0xF8,
@@ -406,6 +406,22 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8977 = {
.can_ext_scan = true,
};
+static const struct mwifiex_sdio_device mwifiex_sdio_sd8978 = {
+ .firmware_sdiouart = SD8978_SDIOUART_FW_NAME,
+ .reg = &mwifiex_reg_sd89xx,
+ .max_ports = 32,
+ .mp_agg_pkt_limit = 16,
+ .tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_4K,
+ .mp_tx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_MAX,
+ .mp_rx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_MAX,
+ .supports_sdio_new_mode = true,
+ .has_control_mask = false,
+ .can_dump_fw = true,
+ .fw_dump_enh = true,
+ .can_auto_tdls = false,
+ .can_ext_scan = true,
+};
+
static const struct mwifiex_sdio_device mwifiex_sdio_sd8997 = {
.firmware = SD8997_DEFAULT_FW_NAME,
.reg = &mwifiex_reg_sd8997,
@@ -439,7 +455,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8887 = {
static const struct mwifiex_sdio_device mwifiex_sdio_sd8987 = {
.firmware = SD8987_DEFAULT_FW_NAME,
- .reg = &mwifiex_reg_sd8987,
+ .reg = &mwifiex_reg_sd89xx,
.max_ports = 32,
.mp_agg_pkt_limit = 16,
.tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_2K,
@@ -493,7 +509,9 @@ static struct memory_type_mapping mem_type_mapping_tbl[] = {
static const struct of_device_id mwifiex_sdio_of_match_table[] __maybe_unused = {
{ .compatible = "marvell,sd8787" },
{ .compatible = "marvell,sd8897" },
+ { .compatible = "marvell,sd8978" },
{ .compatible = "marvell,sd8997" },
+ { .compatible = "nxp,iw416" },
{ }
};
@@ -931,6 +949,8 @@ static const struct sdio_device_id mwifiex_ids[] = {
.driver_data = (unsigned long)&mwifiex_sdio_sd8801},
{SDIO_DEVICE(SDIO_VENDOR_ID_MARVELL, SDIO_DEVICE_ID_MARVELL_8977_WLAN),
.driver_data = (unsigned long)&mwifiex_sdio_sd8977},
+ {SDIO_DEVICE(SDIO_VENDOR_ID_MARVELL, SDIO_DEVICE_ID_MARVELL_8978_WLAN),
+ .driver_data = (unsigned long)&mwifiex_sdio_sd8978},
{SDIO_DEVICE(SDIO_VENDOR_ID_MARVELL, SDIO_DEVICE_ID_MARVELL_8987_WLAN),
.driver_data = (unsigned long)&mwifiex_sdio_sd8987},
{SDIO_DEVICE(SDIO_VENDOR_ID_MARVELL, SDIO_DEVICE_ID_MARVELL_8997_WLAN),
@@ -3175,5 +3195,6 @@ MODULE_FIRMWARE(SD8797_DEFAULT_FW_NAME);
MODULE_FIRMWARE(SD8897_DEFAULT_FW_NAME);
MODULE_FIRMWARE(SD8887_DEFAULT_FW_NAME);
MODULE_FIRMWARE(SD8977_DEFAULT_FW_NAME);
+MODULE_FIRMWARE(SD8978_SDIOUART_FW_NAME);
MODULE_FIRMWARE(SD8987_DEFAULT_FW_NAME);
MODULE_FIRMWARE(SD8997_DEFAULT_FW_NAME);
diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.h b/drivers/net/wireless/marvell/mwifiex/sdio.h
index ad2c28cbb630..e9a9de566cc8 100644
--- a/drivers/net/wireless/marvell/mwifiex/sdio.h
+++ b/drivers/net/wireless/marvell/mwifiex/sdio.h
@@ -37,6 +37,7 @@
#define SD8887_DEFAULT_FW_NAME "mrvl/sd8887_uapsta.bin"
#define SD8801_DEFAULT_FW_NAME "mrvl/sd8801_uapsta.bin"
#define SD8977_DEFAULT_FW_NAME "mrvl/sdsd8977_combo_v2.bin"
+#define SD8978_SDIOUART_FW_NAME "mrvl/sdiouartiw416_combo_v0.bin"
#define SD8987_DEFAULT_FW_NAME "mrvl/sd8987_uapsta.bin"
#define SD8997_DEFAULT_FW_NAME "mrvl/sdsd8997_combo_v4.bin"
diff --git a/include/linux/mmc/sdio_ids.h b/include/linux/mmc/sdio_ids.h
index a85c9f0bd470..d1524c5e49a1 100644
--- a/include/linux/mmc/sdio_ids.h
+++ b/include/linux/mmc/sdio_ids.h
@@ -101,6 +101,7 @@
#define SDIO_DEVICE_ID_MARVELL_8977_BT 0x9146
#define SDIO_DEVICE_ID_MARVELL_8987_WLAN 0x9149
#define SDIO_DEVICE_ID_MARVELL_8987_BT 0x914a
+#define SDIO_DEVICE_ID_MARVELL_8978_WLAN 0x9159
#define SDIO_VENDOR_ID_MEDIATEK 0x037a
#define SDIO_DEVICE_ID_MEDIATEK_MT7663 0x7663
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 429/476] wifi: mwifiex: add extra delay for firmware ready
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2024-02-21 13:07 ` [PATCH 5.15 428/476] wifi: mwifiex: Support SD8978 chipset Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 430/476] bus: moxtet: Add spi device table Greg Kroah-Hartman
` (56 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lin, Francesco Dolcini,
Brian Norris, Kalle Valo, Sasha Levin, Marcel Ziswiler
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lin <yu-hao.lin@nxp.com>
[ Upstream commit 1c5d463c0770c6fa2037511a24fb17966fd07d97 ]
For SDIO IW416, due to a bug, FW may return ready before complete full
initialization. Command timeout may occur at driver load after reboot.
Workaround by adding 100ms delay at checking FW status.
Signed-off-by: David Lin <yu-hao.lin@nxp.com>
Cc: stable@vger.kernel.org
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Acked-by: Brian Norris <briannorris@chromium.org>
Tested-by: Marcel Ziswiler <marcel.ziswiler@toradex.com> # Verdin AM62 (IW416)
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231208234029.2197-1-yu-hao.lin@nxp.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/sdio.c | 19 +++++++++++++++++++
drivers/net/wireless/marvell/mwifiex/sdio.h | 2 ++
2 files changed, 21 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
index 919f1bae61dc..dd4bfb7d71ee 100644
--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
+++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
@@ -343,6 +343,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8786 = {
.can_dump_fw = false,
.can_auto_tdls = false,
.can_ext_scan = false,
+ .fw_ready_extra_delay = false,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8787 = {
@@ -358,6 +359,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8787 = {
.can_dump_fw = false,
.can_auto_tdls = false,
.can_ext_scan = true,
+ .fw_ready_extra_delay = false,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8797 = {
@@ -373,6 +375,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8797 = {
.can_dump_fw = false,
.can_auto_tdls = false,
.can_ext_scan = true,
+ .fw_ready_extra_delay = false,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8897 = {
@@ -388,6 +391,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8897 = {
.can_dump_fw = true,
.can_auto_tdls = false,
.can_ext_scan = true,
+ .fw_ready_extra_delay = false,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8977 = {
@@ -404,6 +408,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8977 = {
.fw_dump_enh = true,
.can_auto_tdls = false,
.can_ext_scan = true,
+ .fw_ready_extra_delay = false,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8978 = {
@@ -420,6 +425,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8978 = {
.fw_dump_enh = true,
.can_auto_tdls = false,
.can_ext_scan = true,
+ .fw_ready_extra_delay = true,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8997 = {
@@ -436,6 +442,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8997 = {
.fw_dump_enh = true,
.can_auto_tdls = false,
.can_ext_scan = true,
+ .fw_ready_extra_delay = false,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8887 = {
@@ -451,6 +458,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8887 = {
.can_dump_fw = false,
.can_auto_tdls = true,
.can_ext_scan = true,
+ .fw_ready_extra_delay = false,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8987 = {
@@ -467,6 +475,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8987 = {
.fw_dump_enh = true,
.can_auto_tdls = true,
.can_ext_scan = true,
+ .fw_ready_extra_delay = false,
};
static const struct mwifiex_sdio_device mwifiex_sdio_sd8801 = {
@@ -482,6 +491,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8801 = {
.can_dump_fw = false,
.can_auto_tdls = false,
.can_ext_scan = true,
+ .fw_ready_extra_delay = false,
};
static struct memory_type_mapping generic_mem_type_map[] = {
@@ -574,6 +584,7 @@ mwifiex_sdio_probe(struct sdio_func *func, const struct sdio_device_id *id)
card->fw_dump_enh = data->fw_dump_enh;
card->can_auto_tdls = data->can_auto_tdls;
card->can_ext_scan = data->can_ext_scan;
+ card->fw_ready_extra_delay = data->fw_ready_extra_delay;
INIT_WORK(&card->work, mwifiex_sdio_work);
}
@@ -777,6 +788,7 @@ mwifiex_sdio_read_fw_status(struct mwifiex_adapter *adapter, u16 *dat)
static int mwifiex_check_fw_status(struct mwifiex_adapter *adapter,
u32 poll_num)
{
+ struct sdio_mmc_card *card = adapter->card;
int ret = 0;
u16 firmware_stat;
u32 tries;
@@ -794,6 +806,13 @@ static int mwifiex_check_fw_status(struct mwifiex_adapter *adapter,
ret = -1;
}
+ if (card->fw_ready_extra_delay &&
+ firmware_stat == FIRMWARE_READY_SDIO)
+ /* firmware might pretend to be ready, when it's not.
+ * Wait a little bit more as a workaround.
+ */
+ msleep(100);
+
return ret;
}
diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.h b/drivers/net/wireless/marvell/mwifiex/sdio.h
index e9a9de566cc8..8f11fed8eae9 100644
--- a/drivers/net/wireless/marvell/mwifiex/sdio.h
+++ b/drivers/net/wireless/marvell/mwifiex/sdio.h
@@ -269,6 +269,7 @@ struct sdio_mmc_card {
bool fw_dump_enh;
bool can_auto_tdls;
bool can_ext_scan;
+ bool fw_ready_extra_delay;
struct mwifiex_sdio_mpa_tx mpa_tx;
struct mwifiex_sdio_mpa_rx mpa_rx;
@@ -292,6 +293,7 @@ struct mwifiex_sdio_device {
bool fw_dump_enh;
bool can_auto_tdls;
bool can_ext_scan;
+ bool fw_ready_extra_delay;
};
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 430/476] bus: moxtet: Add spi device table
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 429/476] wifi: mwifiex: add extra delay for firmware ready Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 431/476] wifi: mwifiex: fix uninitialized firmware_stat Greg Kroah-Hartman
` (55 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sjoerd Simons, Marek Behún,
Gregory CLEMENT, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sjoerd Simons <sjoerd@collabora.com>
[ Upstream commit aaafe88d5500ba18b33be72458439367ef878788 ]
The moxtet module fails to auto-load on. Add a SPI id table to
allow it to do so.
Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/moxtet.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/bus/moxtet.c b/drivers/bus/moxtet.c
index fd87a59837fa..fbf0818933be 100644
--- a/drivers/bus/moxtet.c
+++ b/drivers/bus/moxtet.c
@@ -832,6 +832,12 @@ static int moxtet_remove(struct spi_device *spi)
return 0;
}
+static const struct spi_device_id moxtet_spi_ids[] = {
+ { "moxtet" },
+ { },
+};
+MODULE_DEVICE_TABLE(spi, moxtet_spi_ids);
+
static const struct of_device_id moxtet_dt_ids[] = {
{ .compatible = "cznic,moxtet" },
{},
@@ -843,6 +849,7 @@ static struct spi_driver moxtet_spi_driver = {
.name = "moxtet",
.of_match_table = moxtet_dt_ids,
},
+ .id_table = moxtet_spi_ids,
.probe = moxtet_probe,
.remove = moxtet_remove,
};
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 431/476] wifi: mwifiex: fix uninitialized firmware_stat
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 430/476] bus: moxtet: Add spi device table Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 432/476] crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init Greg Kroah-Hartman
` (54 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lin, kernel test robot,
Dan Carpenter, Brian Norris, Kalle Valo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lin <yu-hao.lin@nxp.com>
[ Upstream commit 3df95e265924ac898c1a38a0c01846dd0bd3b354 ]
Variable firmware_stat is possible to be used without initialization.
Signed-off-by: David Lin <yu-hao.lin@nxp.com>
Fixes: 1c5d463c0770 ("wifi: mwifiex: add extra delay for firmware ready")
Cc: stable@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202312192236.ZflaWYCw-lkp@intel.com/
Acked-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231221015511.1032128-1-yu-hao.lin@nxp.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/sdio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
index dd4bfb7d71ee..45f46a445a6c 100644
--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
+++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
@@ -790,7 +790,7 @@ static int mwifiex_check_fw_status(struct mwifiex_adapter *adapter,
{
struct sdio_mmc_card *card = adapter->card;
int ret = 0;
- u16 firmware_stat;
+ u16 firmware_stat = 0;
u32 tries;
for (tries = 0; tries < poll_num; tries++) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 432/476] crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 431/476] wifi: mwifiex: fix uninitialized firmware_stat Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 433/476] usb: dwc3: gadget: Wait for ep0 xfers to complete during dequeue Greg Kroah-Hartman
` (53 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tianjia Zhang, Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
[ Upstream commit ba3c5574203034781ac4231acf117da917efcd2a ]
When the mpi_ec_ctx structure is initialized, some fields are not
cleared, causing a crash when referencing the field when the
structure was released. Initially, this issue was ignored because
memory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.
For example, this error will be triggered when calculating the
Za value for SM2 separately.
Fixes: d58bb7e55a8a ("lib/mpi: Introduce ec implementation to MPI library")
Cc: stable@vger.kernel.org # v6.5
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/mpi/ec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/mpi/ec.c b/lib/mpi/ec.c
index 40f5908e57a4..e16dca1e23d5 100644
--- a/lib/mpi/ec.c
+++ b/lib/mpi/ec.c
@@ -584,6 +584,9 @@ void mpi_ec_init(struct mpi_ec_ctx *ctx, enum gcry_mpi_ec_models model,
ctx->a = mpi_copy(a);
ctx->b = mpi_copy(b);
+ ctx->d = NULL;
+ ctx->t.two_inv_p = NULL;
+
ctx->t.p_barrett = use_barrett > 0 ? mpi_barrett_init(ctx->p, 0) : NULL;
mpi_ec_get_reset(ctx);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 433/476] usb: dwc3: gadget: Wait for ep0 xfers to complete during dequeue
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 432/476] crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 434/476] usb: dwc3: ep0: Dont prepare beyond Setup stage Greg Kroah-Hartman
` (52 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Wesley Cheng, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
[ Upstream commit e4cf6580ac740f766dae26203bd6311d353dcd42 ]
If a Setup packet is received but yet to DMA out, the controller will
not process the End Transfer command of any endpoint. Polling of its
DEPCMD.CmdAct may block setting up TRB for Setup packet, causing a
command timeout.
This may occur if the driver doesn’t service the completion interrupt of
the control status stage yet due to system latency, then it won’t
prepare TRB and start the transfer for the next Setup Stage. To the host
side, the control transfer had completed, and the host can send a new
Setup packet at this point.
In the meanwhile, if the driver receives an async call to dequeue a
request (triggering End Transfer) to any endpoint, then the driver will
service that End transfer first, blocking the control status stage
completion handler. Since no TRB is available for the Setup stage, the
Setup packet can’t be DMA’ed out and the End Transfer gets hung.
The driver must not block setting up of the Setup stage. So track and
only issue the End Transfer command only when there’s Setup TRB prepared
so that the controller can DMA out the Setup packet. Delay the End
transfer command if there's no Setup TRB available. This is applicable to
all DWC_usb3x IPs.
Co-developed-by: Wesley Cheng <quic_wcheng@quicinc.com>
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20220309205402.4467-1-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/core.h | 1 +
drivers/usb/dwc3/ep0.c | 14 ++++++++++++++
drivers/usb/dwc3/gadget.c | 20 +++++++++++++++-----
drivers/usb/dwc3/gadget.h | 1 +
4 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
index 3dcb5b744f7c..d64f7edc70c1 100644
--- a/drivers/usb/dwc3/core.h
+++ b/drivers/usb/dwc3/core.h
@@ -722,6 +722,7 @@ struct dwc3_ep {
#define DWC3_EP_FIRST_STREAM_PRIMED BIT(10)
#define DWC3_EP_PENDING_CLEAR_STALL BIT(11)
#define DWC3_EP_TXFIFO_RESIZED BIT(12)
+#define DWC3_EP_DELAY_STOP BIT(13)
/* This last one is specific to EP0 */
#define DWC3_EP0_DIR_IN BIT(31)
diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
index 52f2bfae46bc..34cb8662e129 100644
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -274,6 +274,7 @@ void dwc3_ep0_out_start(struct dwc3 *dwc)
{
struct dwc3_ep *dep;
int ret;
+ int i;
complete(&dwc->ep0_in_setup);
@@ -282,6 +283,19 @@ void dwc3_ep0_out_start(struct dwc3 *dwc)
DWC3_TRBCTL_CONTROL_SETUP, false);
ret = dwc3_ep0_start_trans(dep);
WARN_ON(ret < 0);
+ for (i = 2; i < DWC3_ENDPOINTS_NUM; i++) {
+ struct dwc3_ep *dwc3_ep;
+
+ dwc3_ep = dwc->eps[i];
+ if (!dwc3_ep)
+ continue;
+
+ if (!(dwc3_ep->flags & DWC3_EP_DELAY_STOP))
+ continue;
+
+ dwc3_ep->flags &= ~DWC3_EP_DELAY_STOP;
+ dwc3_stop_active_transfer(dwc3_ep, true, true);
+ }
}
static struct dwc3_ep *dwc3_wIndex_to_dep(struct dwc3 *dwc, __le16 wIndex_le)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 6188193e5ef4..3a663d71d791 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -641,9 +641,6 @@ static int dwc3_gadget_set_ep_config(struct dwc3_ep *dep, unsigned int action)
return dwc3_send_gadget_ep_cmd(dep, DWC3_DEPCMD_SETEPCONFIG, ¶ms);
}
-static void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force,
- bool interrupt);
-
/**
* dwc3_gadget_calc_tx_fifo_size - calculates the txfifo size value
* @dwc: pointer to the DWC3 context
@@ -1891,6 +1888,7 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_request *req)
*/
if ((dep->flags & DWC3_EP_END_TRANSFER_PENDING) ||
(dep->flags & DWC3_EP_WEDGE) ||
+ (dep->flags & DWC3_EP_DELAY_STOP) ||
(dep->flags & DWC3_EP_STALL)) {
dep->flags |= DWC3_EP_DELAY_START;
return 0;
@@ -2031,6 +2029,16 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep,
if (r == req) {
struct dwc3_request *t;
+ /*
+ * If a Setup packet is received but yet to DMA out, the controller will
+ * not process the End Transfer command of any endpoint. Polling of its
+ * DEPCMD.CmdAct may block setting up TRB for Setup packet, causing a
+ * timeout. Delay issuing the End Transfer command until the Setup TRB is
+ * prepared.
+ */
+ if (dwc->ep0state != EP0_SETUP_PHASE && !dwc->delayed_status)
+ dep->flags |= DWC3_EP_DELAY_STOP;
+
/* wait until it is processed */
dwc3_stop_active_transfer(dep, true, true);
@@ -2114,7 +2122,8 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol)
list_for_each_entry_safe(req, tmp, &dep->started_list, list)
dwc3_gadget_move_cancelled_request(req, DWC3_REQUEST_STATUS_STALLED);
- if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) {
+ if (dep->flags & DWC3_EP_END_TRANSFER_PENDING ||
+ (dep->flags & DWC3_EP_DELAY_STOP)) {
dep->flags |= DWC3_EP_PENDING_CLEAR_STALL;
return 0;
}
@@ -3630,10 +3639,11 @@ static void dwc3_reset_gadget(struct dwc3 *dwc)
}
}
-static void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force,
+void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force,
bool interrupt)
{
if (!(dep->flags & DWC3_EP_TRANSFER_STARTED) ||
+ (dep->flags & DWC3_EP_DELAY_STOP) ||
(dep->flags & DWC3_EP_END_TRANSFER_PENDING))
return;
diff --git a/drivers/usb/dwc3/gadget.h b/drivers/usb/dwc3/gadget.h
index 77df4b6d6c13..f763380e672e 100644
--- a/drivers/usb/dwc3/gadget.h
+++ b/drivers/usb/dwc3/gadget.h
@@ -116,6 +116,7 @@ int dwc3_gadget_ep0_queue(struct usb_ep *ep, struct usb_request *request,
gfp_t gfp_flags);
int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol);
void dwc3_ep0_send_delayed_status(struct dwc3 *dwc);
+void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force, bool interrupt);
/**
* dwc3_gadget_ep_get_transfer_index - Gets transfer index from HW
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 434/476] usb: dwc3: ep0: Dont prepare beyond Setup stage
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 433/476] usb: dwc3: gadget: Wait for ep0 xfers to complete during dequeue Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 435/476] usb: dwc3: gadget: Only End Transfer for ep0 data phase Greg Kroah-Hartman
` (51 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
[ Upstream commit c96683798e272366866a5c0ce3073c0b5a256db7 ]
Since we can't guarantee that the host won't send new Setup packet
before going through the device-initiated disconnect, don't prepare
beyond the Setup stage and keep the device in EP0_SETUP_PHASE. This
ensures that the device-initated disconnect sequence can go through
gracefully. Note that the controller won't service the End Transfer
command if it can't DMA out the Setup packet.
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/6bacec56ecabb2c6e49a09cedfcac281fdc97de0.1650593829.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/ep0.c | 2 +-
drivers/usb/dwc3/gadget.c | 29 +++++++++++++++++------------
2 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
index 34cb8662e129..624de23782b5 100644
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -816,7 +816,7 @@ static void dwc3_ep0_inspect_setup(struct dwc3 *dwc,
int ret = -EINVAL;
u32 len;
- if (!dwc->gadget_driver)
+ if (!dwc->gadget_driver || !dwc->connected)
goto out;
trace_dwc3_ctrl_req(ctrl);
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 3a663d71d791..2afe6784f1df 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2472,6 +2472,23 @@ static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc)
spin_lock_irqsave(&dwc->lock, flags);
dwc->connected = false;
+ /*
+ * Per databook, when we want to stop the gadget, if a control transfer
+ * is still in process, complete it and get the core into setup phase.
+ */
+ if (dwc->ep0state != EP0_SETUP_PHASE) {
+ int ret;
+
+ reinit_completion(&dwc->ep0_in_setup);
+
+ spin_unlock_irqrestore(&dwc->lock, flags);
+ ret = wait_for_completion_timeout(&dwc->ep0_in_setup,
+ msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT));
+ spin_lock_irqsave(&dwc->lock, flags);
+ if (ret == 0)
+ dev_warn(dwc->dev, "timed out waiting for SETUP phase\n");
+ }
+
/*
* In the Synopsys DesignWare Cores USB3 Databook Rev. 3.30a
* Section 4.1.8 Table 4-7, it states that for a device-initiated
@@ -2516,18 +2533,6 @@ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on)
is_on = !!is_on;
dwc->softconnect = is_on;
- /*
- * Per databook, when we want to stop the gadget, if a control transfer
- * is still in process, complete it and get the core into setup phase.
- */
- if (!is_on && dwc->ep0state != EP0_SETUP_PHASE) {
- reinit_completion(&dwc->ep0_in_setup);
-
- ret = wait_for_completion_timeout(&dwc->ep0_in_setup,
- msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT));
- if (ret == 0)
- dev_warn(dwc->dev, "timed out waiting for SETUP phase\n");
- }
/*
* Avoid issuing a runtime resume if the device is already in the
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 435/476] usb: dwc3: gadget: Only End Transfer for ep0 data phase
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 434/476] usb: dwc3: ep0: Dont prepare beyond Setup stage Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 436/476] usb: dwc3: gadget: Delay issuing End Transfer Greg Kroah-Hartman
` (50 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
[ Upstream commit ace17b6ee4f92ab0375d12a1b42494f8590a96b6 ]
The driver shouldn't be able to issue End Transfer to the control
endpoint at anytime. Typically we should only do so in error cases such
as invalid/unexpected direction of Data Phase as described in the
control transfer flow of the programming guide. It _may_ end started
data phase during controller deinitialization from soft disconnect or
driver removal. However, that should not happen because the driver
should be maintained in EP0_SETUP_PHASE during driver tear-down. On
soft-connect, the controller should be reset from a soft-reset and there
should be no issue starting the control endpoint.
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/3c6643678863a26702e4115e9e19d7d94a30d49c.1650593829.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 2afe6784f1df..4d830ba7d824 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3647,6 +3647,17 @@ static void dwc3_reset_gadget(struct dwc3 *dwc)
void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force,
bool interrupt)
{
+ struct dwc3 *dwc = dep->dwc;
+
+ /*
+ * Only issue End Transfer command to the control endpoint of a started
+ * Data Phase. Typically we should only do so in error cases such as
+ * invalid/unexpected direction as described in the control transfer
+ * flow of the programming guide.
+ */
+ if (dep->number <= 1 && dwc->ep0state != EP0_DATA_PHASE)
+ return;
+
if (!(dep->flags & DWC3_EP_TRANSFER_STARTED) ||
(dep->flags & DWC3_EP_DELAY_STOP) ||
(dep->flags & DWC3_EP_END_TRANSFER_PENDING))
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 436/476] usb: dwc3: gadget: Delay issuing End Transfer
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 435/476] usb: dwc3: gadget: Only End Transfer for ep0 data phase Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 437/476] usb: dwc3: Fix ep0 handling when getting reset while doing control transfer Greg Kroah-Hartman
` (49 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
[ Upstream commit f66eef8fb8989a7193cafc3870f7c7b2b97f16cb ]
If the controller hasn't DMA'ed the Setup data from its fifo, it won't
process the End Transfer command. Polling for the command completion may
block the driver from servicing the Setup phase and cause a timeout.
Previously we only check and delay issuing End Transfer in the case of
endpoint dequeue. Let's do that for all End Transfer scenarios.
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/2fcf3b5d90068d549589a57a27a79f76c6769b04.1650593829.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 4d830ba7d824..5cf2fb165a56 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2029,16 +2029,6 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep,
if (r == req) {
struct dwc3_request *t;
- /*
- * If a Setup packet is received but yet to DMA out, the controller will
- * not process the End Transfer command of any endpoint. Polling of its
- * DEPCMD.CmdAct may block setting up TRB for Setup packet, causing a
- * timeout. Delay issuing the End Transfer command until the Setup TRB is
- * prepared.
- */
- if (dwc->ep0state != EP0_SETUP_PHASE && !dwc->delayed_status)
- dep->flags |= DWC3_EP_DELAY_STOP;
-
/* wait until it is processed */
dwc3_stop_active_transfer(dep, true, true);
@@ -3663,6 +3653,18 @@ void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force,
(dep->flags & DWC3_EP_END_TRANSFER_PENDING))
return;
+ /*
+ * If a Setup packet is received but yet to DMA out, the controller will
+ * not process the End Transfer command of any endpoint. Polling of its
+ * DEPCMD.CmdAct may block setting up TRB for Setup packet, causing a
+ * timeout. Delay issuing the End Transfer command until the Setup TRB is
+ * prepared.
+ */
+ if (dwc->ep0state != EP0_SETUP_PHASE && !dwc->delayed_status) {
+ dep->flags |= DWC3_EP_DELAY_STOP;
+ return;
+ }
+
/*
* NOTICE: We are violating what the Databook says about the
* EndTransfer command. Ideally we would _always_ wait for the
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 437/476] usb: dwc3: Fix ep0 handling when getting reset while doing control transfer
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 436/476] usb: dwc3: gadget: Delay issuing End Transfer Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 438/476] usb: dwc3: gadget: Force sending delayed status during soft disconnect Greg Kroah-Hartman
` (48 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mayank Rana, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mayank Rana <quic_mrana@quicinc.com>
[ Upstream commit 9d778f0c5f95ca5aa2ff628ea281978697e8d89b ]
According to the databook ep0 should be in setup phase during reset.
If host issues reset between control transfers, ep0 will be in an
invalid state. Fix this by issuing stall and restart on ep0 if it
is not in setup phase.
Also SW needs to complete pending control transfer and setup core for
next setup stage as per data book. Hence check ep0 state during reset
interrupt handling and make sure active transfers on ep0 out/in
endpoint are stopped by queuing ENDXFER command for that endpoint and
restart ep0 out again to receive next setup packet.
Signed-off-by: Mayank Rana <quic_mrana@quicinc.com>
Link: https://lore.kernel.org/r/1651693001-29891-1-git-send-email-quic_mrana@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/ep0.c | 11 ++++++++---
drivers/usb/dwc3/gadget.c | 27 +++++++++++++++++++++++++--
drivers/usb/dwc3/gadget.h | 2 ++
3 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
index 624de23782b5..f402c66039af 100644
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -218,7 +218,7 @@ int dwc3_gadget_ep0_queue(struct usb_ep *ep, struct usb_request *request,
return ret;
}
-static void dwc3_ep0_stall_and_restart(struct dwc3 *dwc)
+void dwc3_ep0_stall_and_restart(struct dwc3 *dwc)
{
struct dwc3_ep *dep;
@@ -1090,13 +1090,18 @@ void dwc3_ep0_send_delayed_status(struct dwc3 *dwc)
__dwc3_ep0_do_control_status(dwc, dwc->eps[direction]);
}
-static void dwc3_ep0_end_control_data(struct dwc3 *dwc, struct dwc3_ep *dep)
+void dwc3_ep0_end_control_data(struct dwc3 *dwc, struct dwc3_ep *dep)
{
struct dwc3_gadget_ep_cmd_params params;
u32 cmd;
int ret;
- if (!dep->resource_index)
+ /*
+ * For status/DATA OUT stage, TRB will be queued on ep0 out
+ * endpoint for which resource index is zero. Hence allow
+ * queuing ENDXFER command for ep0 out endpoint.
+ */
+ if (!dep->resource_index && dep->number)
return;
cmd = DWC3_DEPCMD_ENDTRANSFER;
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 5cf2fb165a56..b978e42ace75 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -869,12 +869,13 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, unsigned int action)
reg |= DWC3_DALEPENA_EP(dep->number);
dwc3_writel(dwc->regs, DWC3_DALEPENA, reg);
+ dep->trb_dequeue = 0;
+ dep->trb_enqueue = 0;
+
if (usb_endpoint_xfer_control(desc))
goto out;
/* Initialize the TRB ring */
- dep->trb_dequeue = 0;
- dep->trb_enqueue = 0;
memset(dep->trb_pool, 0,
sizeof(struct dwc3_trb) * DWC3_TRB_NUM);
@@ -2702,6 +2703,7 @@ static int __dwc3_gadget_start(struct dwc3 *dwc)
/* begin to receive SETUP packets */
dwc->ep0state = EP0_SETUP_PHASE;
+ dwc->ep0_bounced = false;
dwc->link_state = DWC3_LINK_STATE_SS_DIS;
dwc->delayed_status = false;
dwc3_ep0_out_start(dwc);
@@ -3790,6 +3792,27 @@ static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
}
dwc3_reset_gadget(dwc);
+
+ /*
+ * From SNPS databook section 8.1.2, the EP0 should be in setup
+ * phase. So ensure that EP0 is in setup phase by issuing a stall
+ * and restart if EP0 is not in setup phase.
+ */
+ if (dwc->ep0state != EP0_SETUP_PHASE) {
+ unsigned int dir;
+
+ dir = !!dwc->ep0_expect_in;
+ if (dwc->ep0state == EP0_DATA_PHASE)
+ dwc3_ep0_end_control_data(dwc, dwc->eps[dir]);
+ else
+ dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]);
+
+ dwc->eps[0]->trb_enqueue = 0;
+ dwc->eps[1]->trb_enqueue = 0;
+
+ dwc3_ep0_stall_and_restart(dwc);
+ }
+
/*
* In the Synopsis DesignWare Cores USB3 Databook Rev. 3.30a
* Section 4.1.2 Table 4-2, it states that during a USB reset, the SW
diff --git a/drivers/usb/dwc3/gadget.h b/drivers/usb/dwc3/gadget.h
index f763380e672e..55a56cf67d73 100644
--- a/drivers/usb/dwc3/gadget.h
+++ b/drivers/usb/dwc3/gadget.h
@@ -110,6 +110,8 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
void dwc3_ep0_interrupt(struct dwc3 *dwc,
const struct dwc3_event_depevt *event);
void dwc3_ep0_out_start(struct dwc3 *dwc);
+void dwc3_ep0_end_control_data(struct dwc3 *dwc, struct dwc3_ep *dep);
+void dwc3_ep0_stall_and_restart(struct dwc3 *dwc);
int __dwc3_gadget_ep0_set_halt(struct usb_ep *ep, int value);
int dwc3_gadget_ep0_set_halt(struct usb_ep *ep, int value);
int dwc3_gadget_ep0_queue(struct usb_ep *ep, struct usb_request *request,
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 438/476] usb: dwc3: gadget: Force sending delayed status during soft disconnect
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 437/476] usb: dwc3: Fix ep0 handling when getting reset while doing control transfer Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 439/476] usb: dwc3: gadget: Submit endxfer command if delayed during disconnect Greg Kroah-Hartman
` (47 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Wesley Cheng, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Cheng <quic_wcheng@quicinc.com>
[ Upstream commit e1ee843488d58099a89979627ef85d5bd6c5cacd ]
If any function drivers request for a delayed status phase, this leads to a
SETUP transfer timeout error, since the function may take longer to process
the DATA stage. This eventually results in end transfer timeouts, as there
is a pending SETUP transaction.
In addition, allow the DWC3_EP_DELAY_STOP to be set for if there is a
delayed status requested. Ocasionally, a host may abort the current SETUP
transaction, by issuing a subsequent SETUP token. In those situations, it
would result in an endxfer timeout as well.
Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20220817182359.13550-3-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index b978e42ace75..ba1b2e70b351 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2470,6 +2470,9 @@ static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc)
if (dwc->ep0state != EP0_SETUP_PHASE) {
int ret;
+ if (dwc->delayed_status)
+ dwc3_ep0_send_delayed_status(dwc);
+
reinit_completion(&dwc->ep0_in_setup);
spin_unlock_irqrestore(&dwc->lock, flags);
@@ -3662,7 +3665,7 @@ void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force,
* timeout. Delay issuing the End Transfer command until the Setup TRB is
* prepared.
*/
- if (dwc->ep0state != EP0_SETUP_PHASE && !dwc->delayed_status) {
+ if (dwc->ep0state != EP0_SETUP_PHASE) {
dep->flags |= DWC3_EP_DELAY_STOP;
return;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 439/476] usb: dwc3: gadget: Submit endxfer command if delayed during disconnect
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 438/476] usb: dwc3: gadget: Force sending delayed status during soft disconnect Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 440/476] usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive Greg Kroah-Hartman
` (46 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Wesley Cheng, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Cheng <quic_wcheng@quicinc.com>
[ Upstream commit 8422b769fa46bd429dc0f324012629a4691f0dd9 ]
During a cable disconnect sequence, if ep0state is not in the SETUP phase,
then nothing will trigger any pending end transfer commands. Force
stopping of any pending SETUP transaction, and move back to the SETUP
phase.
Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20220901193625.8727-6-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index ba1b2e70b351..c61b6f49701a 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3739,13 +3739,24 @@ static void dwc3_gadget_disconnect_interrupt(struct dwc3 *dwc)
reg &= ~DWC3_DCTL_INITU2ENA;
dwc3_gadget_dctl_write_safe(dwc, reg);
+ dwc->connected = false;
+
dwc3_disconnect_gadget(dwc);
dwc->gadget->speed = USB_SPEED_UNKNOWN;
dwc->setup_packet_pending = false;
usb_gadget_set_state(dwc->gadget, USB_STATE_NOTATTACHED);
- dwc->connected = false;
+ if (dwc->ep0state != EP0_SETUP_PHASE) {
+ unsigned int dir;
+
+ dir = !!dwc->ep0_expect_in;
+ if (dwc->ep0state == EP0_DATA_PHASE)
+ dwc3_ep0_end_control_data(dwc, dwc->eps[dir]);
+ else
+ dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]);
+ dwc3_ep0_stall_and_restart(dwc);
+ }
}
static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 440/476] usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 439/476] usb: dwc3: gadget: Submit endxfer command if delayed during disconnect Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 441/476] usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API Greg Kroah-Hartman
` (45 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Wesley Cheng, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Cheng <quic_wcheng@quicinc.com>
[ Upstream commit 02435a739b81ae24aff5d6e930efef9458e2af3c ]
It was observed that there are hosts that may complete pending SETUP
transactions before the stop active transfers and controller halt occurs,
leading to lingering endxfer commands on DEPs on subsequent pullup/gadget
start iterations.
dwc3_gadget_ep_disable name=ep8in flags=0x3009 direction=1
dwc3_gadget_ep_disable name=ep4in flags=1 direction=1
dwc3_gadget_ep_disable name=ep3out flags=1 direction=0
usb_gadget_disconnect deactivated=0 connected=0 ret=0
The sequence shows that the USB gadget disconnect (dwc3_gadget_pullup(0))
routine completed successfully, allowing for the USB gadget to proceed with
a USB gadget connect. However, if this occurs the system runs into an
issue where:
BUG: spinlock already unlocked on CPU
spin_bug+0x0
dwc3_remove_requests+0x278
dwc3_ep0_out_start+0xb0
__dwc3_gadget_start+0x25c
This is due to the pending endxfers, leading to gadget start (w/o lock
held) to execute the remove requests, which will unlock the dwc3
spinlock as part of giveback.
To mitigate this, resolve the pending endxfers on the pullup disable
path by re-locating the SETUP phase check after stop active transfers, since
that is where the DWC3_EP_DELAY_STOP is potentially set. This also allows
for handling of a host that may be unresponsive by using the completion
timeout to trigger the stall and restart for EP0.
Fixes: c96683798e27 ("usb: dwc3: ep0: Don't prepare beyond Setup stage")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20230413195742.11821-2-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 49 +++++++++++++++++++++++++--------------
1 file changed, 32 insertions(+), 17 deletions(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index c61b6f49701a..a74ac44c6cd8 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2459,29 +2459,17 @@ static int __dwc3_gadget_start(struct dwc3 *dwc);
static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc)
{
unsigned long flags;
+ int ret;
spin_lock_irqsave(&dwc->lock, flags);
dwc->connected = false;
/*
- * Per databook, when we want to stop the gadget, if a control transfer
- * is still in process, complete it and get the core into setup phase.
+ * Attempt to end pending SETUP status phase, and not wait for the
+ * function to do so.
*/
- if (dwc->ep0state != EP0_SETUP_PHASE) {
- int ret;
-
- if (dwc->delayed_status)
- dwc3_ep0_send_delayed_status(dwc);
-
- reinit_completion(&dwc->ep0_in_setup);
-
- spin_unlock_irqrestore(&dwc->lock, flags);
- ret = wait_for_completion_timeout(&dwc->ep0_in_setup,
- msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT));
- spin_lock_irqsave(&dwc->lock, flags);
- if (ret == 0)
- dev_warn(dwc->dev, "timed out waiting for SETUP phase\n");
- }
+ if (dwc->delayed_status)
+ dwc3_ep0_send_delayed_status(dwc);
/*
* In the Synopsys DesignWare Cores USB3 Databook Rev. 3.30a
@@ -2494,6 +2482,33 @@ static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc)
__dwc3_gadget_stop(dwc);
spin_unlock_irqrestore(&dwc->lock, flags);
+ /*
+ * Per databook, when we want to stop the gadget, if a control transfer
+ * is still in process, complete it and get the core into setup phase.
+ * In case the host is unresponsive to a SETUP transaction, forcefully
+ * stall the transfer, and move back to the SETUP phase, so that any
+ * pending endxfers can be executed.
+ */
+ if (dwc->ep0state != EP0_SETUP_PHASE) {
+ reinit_completion(&dwc->ep0_in_setup);
+
+ ret = wait_for_completion_timeout(&dwc->ep0_in_setup,
+ msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT));
+ if (ret == 0) {
+ unsigned int dir;
+
+ dev_warn(dwc->dev, "wait for SETUP phase timed out\n");
+ spin_lock_irqsave(&dwc->lock, flags);
+ dir = !!dwc->ep0_expect_in;
+ if (dwc->ep0state == EP0_DATA_PHASE)
+ dwc3_ep0_end_control_data(dwc, dwc->eps[dir]);
+ else
+ dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]);
+ dwc3_ep0_stall_and_restart(dwc);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+ }
+ }
+
/*
* Note: if the GEVNTCOUNT indicates events in the event buffer, the
* driver needs to acknowledge them before the controller can halt.
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 441/476] usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 440/476] usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 442/476] usb: dwc3: gadget: Handle EP0 request dequeuing properly Greg Kroah-Hartman
` (44 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Wesley Cheng, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Cheng <quic_wcheng@quicinc.com>
[ Upstream commit 8f40fc0808137c157dd408d2632e63bfca2aecdb ]
Several sequences utilize the same routine for forcing the control endpoint
back into the SETUP phase. This is required, because those operations need
to ensure that EP0 is back in the default state.
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20230420212759.29429-3-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 730e12fbec53 ("usb: dwc3: gadget: Handle EP0 request dequeuing properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 53 ++++++++++++++++-----------------------
1 file changed, 21 insertions(+), 32 deletions(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index a74ac44c6cd8..7704e2444b4b 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -139,6 +139,24 @@ int dwc3_gadget_set_link_state(struct dwc3 *dwc, enum dwc3_link_state state)
return -ETIMEDOUT;
}
+static void dwc3_ep0_reset_state(struct dwc3 *dwc)
+{
+ unsigned int dir;
+
+ if (dwc->ep0state != EP0_SETUP_PHASE) {
+ dir = !!dwc->ep0_expect_in;
+ if (dwc->ep0state == EP0_DATA_PHASE)
+ dwc3_ep0_end_control_data(dwc, dwc->eps[dir]);
+ else
+ dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]);
+
+ dwc->eps[0]->trb_enqueue = 0;
+ dwc->eps[1]->trb_enqueue = 0;
+
+ dwc3_ep0_stall_and_restart(dwc);
+ }
+}
+
/**
* dwc3_ep_inc_trb - increment a trb index.
* @index: Pointer to the TRB index to increment.
@@ -2495,16 +2513,9 @@ static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc)
ret = wait_for_completion_timeout(&dwc->ep0_in_setup,
msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT));
if (ret == 0) {
- unsigned int dir;
-
dev_warn(dwc->dev, "wait for SETUP phase timed out\n");
spin_lock_irqsave(&dwc->lock, flags);
- dir = !!dwc->ep0_expect_in;
- if (dwc->ep0state == EP0_DATA_PHASE)
- dwc3_ep0_end_control_data(dwc, dwc->eps[dir]);
- else
- dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]);
- dwc3_ep0_stall_and_restart(dwc);
+ dwc3_ep0_reset_state(dwc);
spin_unlock_irqrestore(&dwc->lock, flags);
}
}
@@ -3762,16 +3773,7 @@ static void dwc3_gadget_disconnect_interrupt(struct dwc3 *dwc)
dwc->setup_packet_pending = false;
usb_gadget_set_state(dwc->gadget, USB_STATE_NOTATTACHED);
- if (dwc->ep0state != EP0_SETUP_PHASE) {
- unsigned int dir;
-
- dir = !!dwc->ep0_expect_in;
- if (dwc->ep0state == EP0_DATA_PHASE)
- dwc3_ep0_end_control_data(dwc, dwc->eps[dir]);
- else
- dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]);
- dwc3_ep0_stall_and_restart(dwc);
- }
+ dwc3_ep0_reset_state(dwc);
}
static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
@@ -3827,20 +3829,7 @@ static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
* phase. So ensure that EP0 is in setup phase by issuing a stall
* and restart if EP0 is not in setup phase.
*/
- if (dwc->ep0state != EP0_SETUP_PHASE) {
- unsigned int dir;
-
- dir = !!dwc->ep0_expect_in;
- if (dwc->ep0state == EP0_DATA_PHASE)
- dwc3_ep0_end_control_data(dwc, dwc->eps[dir]);
- else
- dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]);
-
- dwc->eps[0]->trb_enqueue = 0;
- dwc->eps[1]->trb_enqueue = 0;
-
- dwc3_ep0_stall_and_restart(dwc);
- }
+ dwc3_ep0_reset_state(dwc);
/*
* In the Synopsis DesignWare Cores USB3 Databook Rev. 3.30a
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 442/476] usb: dwc3: gadget: Handle EP0 request dequeuing properly
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 441/476] usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 443/476] usb: dwc3: gadget: Queue PM runtime idle on disconnect event Greg Kroah-Hartman
` (43 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Wesley Cheng, Thinh Nguyen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Cheng <quic_wcheng@quicinc.com>
[ Upstream commit 730e12fbec53ab59dd807d981a204258a4cfb29a ]
Current EP0 dequeue path will share the same as other EPs. However, there
are some special considerations that need to be made for EP0 transfers:
- EP0 transfers never transition into the started_list
- EP0 only has one active request at a time
In case there is a vendor specific control message for a function over USB
FFS, then there is no guarantee on the timeline which the DATA/STATUS stage
is responded to. While this occurs, any attempt to end transfers on
non-control EPs will end up having the DWC3_EP_DELAY_STOP flag set, and
defer issuing of the end transfer command. If the USB FFS application
decides to timeout the control transfer, or if USB FFS AIO path exits, the
USB FFS driver will issue a call to usb_ep_dequeue() for the ep0 request.
In case of the AIO exit path, the AIO FS blocks until all pending USB
requests utilizing the AIO path is completed. However, since the dequeue
of ep0 req does not happen properly, all non-control EPs with the
DWC3_EP_DELAY_STOP flag set will not be handled, and the AIO exit path will
be stuck waiting for the USB FFS data endpoints to receive a completion
callback.
Fix is to utilize dwc3_ep0_reset_state() in the dequeue API to ensure EP0
is brought back to the SETUP state, and ensures that any deferred end
transfer commands are handled. This also will end any active transfers
on EP0, compared to the previous implementation which directly called
giveback only.
Fixes: fcd2def66392 ("usb: dwc3: gadget: Refactor dwc3_gadget_ep_dequeue")
Cc: stable <stable@kernel.org>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20231206201814.32664-1-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 7704e2444b4b..d472dab16889 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2039,7 +2039,17 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep,
list_for_each_entry(r, &dep->pending_list, list) {
if (r == req) {
- dwc3_gadget_giveback(dep, req, -ECONNRESET);
+ /*
+ * Explicitly check for EP0/1 as dequeue for those
+ * EPs need to be handled differently. Control EP
+ * only deals with one USB req, and giveback will
+ * occur during dwc3_ep0_stall_and_restart(). EP0
+ * requests are never added to started_list.
+ */
+ if (dep->number > 1)
+ dwc3_gadget_giveback(dep, req, -ECONNRESET);
+ else
+ dwc3_ep0_reset_state(dwc);
goto out;
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 443/476] usb: dwc3: gadget: Queue PM runtime idle on disconnect event
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 442/476] usb: dwc3: gadget: Handle EP0 request dequeuing properly Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 444/476] serial: 8250_exar: Fill in rs485_supported Greg Kroah-Hartman
` (42 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wesley Cheng, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Cheng <quic_wcheng@quicinc.com>
[ Upstream commit 3c7af52c7616c3aa6dacd2336ec748d4a65df8f4 ]
There is a scenario where DWC3 runtime suspend is blocked due to the
dwc->connected flag still being true while PM usage_count is zero after
DWC3 giveback is completed and the USB gadget session is being terminated.
This leads to a case where nothing schedules a PM runtime idle for the
device.
The exact condition is seen with the following sequence:
1. USB bus reset is issued by the host
2. Shortly after, or concurrently, a USB PD DR SWAP request is received
(sink->source)
3. USB bus reset event handler runs and issues
dwc3_stop_active_transfers(), and pending transfer are stopped
4. DWC3 usage_count decremented to 0, and runtime idle occurs while
dwc->connected == true, returns -EBUSY
5. DWC3 disconnect event seen, dwc->connected set to false due to DR
swap handling
6. No runtime idle after this point
Address this by issuing an asynchronous PM runtime idle call after the
disconnect event is completed, as it modifies the dwc->connected flag,
which is what blocks the initial runtime idle.
Fixes: fc8bb91bc83e ("usb: dwc3: implement runtime PM")
Cc: <stable@vger.kernel.org>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20240103214946.2596-1-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index d472dab16889..8bd063f4eff2 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3784,6 +3784,13 @@ static void dwc3_gadget_disconnect_interrupt(struct dwc3 *dwc)
usb_gadget_set_state(dwc->gadget, USB_STATE_NOTATTACHED);
dwc3_ep0_reset_state(dwc);
+
+ /*
+ * Request PM idle to address condition where usage count is
+ * already decremented to zero, but waiting for the disconnect
+ * interrupt to set dwc->connected to FALSE.
+ */
+ pm_request_idle(dwc->dev);
}
static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 444/476] serial: 8250_exar: Fill in rs485_supported
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 443/476] usb: dwc3: gadget: Queue PM runtime idle on disconnect event Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 445/476] serial: 8250_exar: Set missing rs485_supported flag Greg Kroah-Hartman
` (41 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 59c221f8e1269278161313048c71929c9950b2c4 ]
Add information on supported serial_rs485 features.
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20220606100433.13793-8-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 0c2a5f471ce5 ("serial: 8250_exar: Set missing rs485_supported flag")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/8250/8250_exar.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
index 0b1976ceb01f..24878d5a6a05 100644
--- a/drivers/tty/serial/8250/8250_exar.c
+++ b/drivers/tty/serial/8250/8250_exar.c
@@ -123,6 +123,7 @@ struct exar8250;
struct exar8250_platform {
int (*rs485_config)(struct uart_port *, struct serial_rs485 *);
+ const struct serial_rs485 *rs485_supported;
int (*register_gpio)(struct pci_dev *, struct uart_8250_port *);
void (*unregister_gpio)(struct uart_8250_port *);
};
@@ -441,10 +442,15 @@ static int generic_rs485_config(struct uart_port *port,
return 0;
}
+static const struct serial_rs485 generic_rs485_supported = {
+ .flags = SER_RS485_ENABLED,
+};
+
static const struct exar8250_platform exar8250_default_platform = {
.register_gpio = xr17v35x_register_gpio,
.unregister_gpio = xr17v35x_unregister_gpio,
.rs485_config = generic_rs485_config,
+ .rs485_supported = &generic_rs485_supported,
};
static int iot2040_rs485_config(struct uart_port *port,
@@ -480,6 +486,10 @@ static int iot2040_rs485_config(struct uart_port *port,
return generic_rs485_config(port, rs485);
}
+static const struct serial_rs485 iot2040_rs485_supported = {
+ .flags = SER_RS485_ENABLED | SER_RS485_RX_DURING_TX | SER_RS485_TERMINATE_BUS,
+};
+
static const struct property_entry iot2040_gpio_properties[] = {
PROPERTY_ENTRY_U32("exar,first-pin", 10),
PROPERTY_ENTRY_U32("ngpios", 1),
@@ -508,6 +518,7 @@ static int iot2040_register_gpio(struct pci_dev *pcidev,
static const struct exar8250_platform iot2040_platform = {
.rs485_config = iot2040_rs485_config,
+ .rs485_supported = &iot2040_rs485_supported,
.register_gpio = iot2040_register_gpio,
.unregister_gpio = xr17v35x_unregister_gpio,
};
@@ -550,6 +561,7 @@ pci_xr17v35x_setup(struct exar8250 *priv, struct pci_dev *pcidev,
port->port.uartclk = baud * 16;
port->port.rs485_config = platform->rs485_config;
+ port->port.rs485_supported = platform->rs485_supported;
/*
* Setup the UART clock for the devices on expansion slot to
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 445/476] serial: 8250_exar: Set missing rs485_supported flag
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 444/476] serial: 8250_exar: Fill in rs485_supported Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 446/476] fbdev/defio: Early-out if page is already enlisted Greg Kroah-Hartman
` (40 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Lino Sanfilippo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lino Sanfilippo <l.sanfilippo@kunbus.com>
[ Upstream commit 0c2a5f471ce58bca8f8ab5fcb911aff91eaaa5eb ]
The UART supports an auto-RTS mode in which the RTS pin is automatically
activated during transmission. So mark this mode as being supported even
if RTS is not controlled by the driver but the UART.
Also the serial core expects now at least one of both modes rts-on-send or
rts-after-send to be supported. This is since during sanitization
unsupported flags are deleted from a RS485 configuration set by userspace.
However if the configuration ends up with both flags unset, the core prints
a warning since it considers such a configuration invalid (see
uart_sanitize_serial_rs485()).
Cc: <stable@vger.kernel.org>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Lino Sanfilippo <l.sanfilippo@kunbus.com>
Link: https://lore.kernel.org/r/20240103061818.564-8-l.sanfilippo@kunbus.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/8250/8250_exar.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
index 24878d5a6a05..ada9666f5988 100644
--- a/drivers/tty/serial/8250/8250_exar.c
+++ b/drivers/tty/serial/8250/8250_exar.c
@@ -443,7 +443,7 @@ static int generic_rs485_config(struct uart_port *port,
}
static const struct serial_rs485 generic_rs485_supported = {
- .flags = SER_RS485_ENABLED,
+ .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND,
};
static const struct exar8250_platform exar8250_default_platform = {
@@ -487,7 +487,8 @@ static int iot2040_rs485_config(struct uart_port *port,
}
static const struct serial_rs485 iot2040_rs485_supported = {
- .flags = SER_RS485_ENABLED | SER_RS485_RX_DURING_TX | SER_RS485_TERMINATE_BUS,
+ .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND |
+ SER_RS485_RX_DURING_TX | SER_RS485_TERMINATE_BUS,
};
static const struct property_entry iot2040_gpio_properties[] = {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 446/476] fbdev/defio: Early-out if page is already enlisted
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 445/476] serial: 8250_exar: Set missing rs485_supported flag Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 447/476] fbdev: Dont sort deferred-I/O pages by default Greg Kroah-Hartman
` (39 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Sam Ravnborg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit 105a940416fc622406653b6fe54732897642dfbc ]
Return early if a page is already in the list of dirty pages for
deferred I/O. This can be detected if the page's list head is not
empty. Keep the list head initialized while the page is not enlisted
to make this work reliably.
v2:
* update comment and fix spelling (Sam)
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20220211094640.21632-2-tzimmermann@suse.de
Stable-dep-of: 33cd6ea9c067 ("fbdev: flush deferred IO before closing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fb_defio.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index 0708e214c5a3..95264a621221 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -59,6 +59,7 @@ static vm_fault_t fb_deferred_io_fault(struct vm_fault *vmf)
printk(KERN_ERR "no mapping available\n");
BUG_ON(!page->mapping);
+ INIT_LIST_HEAD(&page->lru);
page->index = vmf->pgoff;
vmf->page = page;
@@ -118,17 +119,24 @@ static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
*/
lock_page(page);
+ /*
+ * This check is to catch the case where a new process could start
+ * writing to the same page through a new PTE. This new access
+ * can cause a call to .page_mkwrite even if the original process'
+ * PTE is marked writable.
+ *
+ * TODO: The lru field is owned by the page cache; hence the name.
+ * We dequeue in fb_deferred_io_work() after flushing the
+ * page's content into video memory. Instead of lru, fbdefio
+ * should have it's own field.
+ */
+ if (!list_empty(&page->lru))
+ goto page_already_added;
+
/* we loop through the pagelist before adding in order
to keep the pagelist sorted */
list_for_each_entry(cur, &fbdefio->pagelist, lru) {
- /* this check is to catch the case where a new
- process could start writing to the same page
- through a new pte. this new access can cause the
- mkwrite even when the original ps's pte is marked
- writable */
- if (unlikely(cur == page))
- goto page_already_added;
- else if (cur->index > page->index)
+ if (cur->index > page->index)
break;
}
@@ -190,7 +198,7 @@ static void fb_deferred_io_work(struct work_struct *work)
/* clear the list */
list_for_each_safe(node, next, &fbdefio->pagelist) {
- list_del(node);
+ list_del_init(node);
}
mutex_unlock(&fbdefio->lock);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 447/476] fbdev: Dont sort deferred-I/O pages by default
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 446/476] fbdev/defio: Early-out if page is already enlisted Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 448/476] fbdev: defio: fix the pagelist corruption Greg Kroah-Hartman
` (38 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Sam Ravnborg,
Andy Shevchenko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit 8c30e2d81bfddc5ab9f6b04db1c0f7d6ca7bdf46 ]
Fbdev's deferred I/O sorts all dirty pages by default, which incurs a
significant overhead. Make the sorting step optional and update the few
drivers that require it. Use a FIFO list by default.
Most fbdev drivers with deferred I/O build a bounding rectangle around
the dirty pages or simply flush the whole screen. The only two affected
DRM drivers, generic fbdev and vmwgfx, both use a bounding rectangle.
In those cases, the exact order of the pages doesn't matter. The other
drivers look at the page index or handle pages one-by-one. The patch
sets the sort_pagelist flag for those, even though some of them would
probably work correctly without sorting. Driver maintainers should update
their driver accordingly.
Sorting pages by memory offset for deferred I/O performs an implicit
bubble-sort step on the list of dirty pages. The algorithm goes through
the list of dirty pages and inserts each new page according to its
index field. Even worse, list traversal always starts at the first
entry. As video memory is most likely updated scanline by scanline, the
algorithm traverses through the complete list for each updated page.
For example, with 1024x768x32bpp each page covers exactly one scanline.
Writing a single screen update from top to bottom requires updating
768 pages. With an average list length of 384 entries, a screen update
creates (768 * 384 =) 294912 compare operation.
Fix this by making the sorting step opt-in and update the few drivers
that require it. All other drivers work with unsorted page lists. Pages
are appended to the list. Therefore, in the common case of writing the
framebuffer top to bottom, pages are still sorted by offset, which may
have a positive effect on performance.
Playing a video [1] in mplayer's benchmark mode shows the difference
(i7-4790, FullHD, simpledrm, kernel with debugging).
mplayer -benchmark -nosound -vo fbdev ./big_buck_bunny_720p_stereo.ogg
With sorted page lists:
BENCHMARKs: VC: 32.960s VO: 73.068s A: 0.000s Sys: 2.413s = 108.441s
BENCHMARK%: VC: 30.3947% VO: 67.3802% A: 0.0000% Sys: 2.2251% = 100.0000%
With unsorted page lists:
BENCHMARKs: VC: 31.005s VO: 42.889s A: 0.000s Sys: 2.256s = 76.150s
BENCHMARK%: VC: 40.7156% VO: 56.3219% A: 0.0000% Sys: 2.9625% = 100.0000%
VC shows the overhead of video decoding, VO shows the overhead of the
video output. Using unsorted page lists reduces the benchmark's run time
by ~32s/~25%.
v2:
* Make sorted pagelists the special case (Sam)
* Comment on drivers' use of pagelist (Sam)
* Warn about the overhead in comment
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://download.blender.org/peach/bigbuckbunny_movies/big_buck_bunny_720p_stereo.ogg # [1]
Link: https://patchwork.freedesktop.org/patch/msgid/20220211094640.21632-3-tzimmermann@suse.de
Stable-dep-of: 33cd6ea9c067 ("fbdev: flush deferred IO before closing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/fbtft/fbtft-core.c | 1 +
drivers/video/fbdev/broadsheetfb.c | 1 +
drivers/video/fbdev/core/fb_defio.c | 24 +++++++++++++++++-------
drivers/video/fbdev/metronomefb.c | 1 +
drivers/video/fbdev/udlfb.c | 1 +
include/linux/fb.h | 1 +
6 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
index 1690358b8f01..52b19ec580a4 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -654,6 +654,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
fbops->fb_blank = fbtft_fb_blank;
fbdefio->delay = HZ / fps;
+ fbdefio->sort_pagelist = true;
fbdefio->deferred_io = fbtft_deferred_io;
fb_deferred_io_init(info);
diff --git a/drivers/video/fbdev/broadsheetfb.c b/drivers/video/fbdev/broadsheetfb.c
index fd66f4d4a621..b9054f658838 100644
--- a/drivers/video/fbdev/broadsheetfb.c
+++ b/drivers/video/fbdev/broadsheetfb.c
@@ -1059,6 +1059,7 @@ static const struct fb_ops broadsheetfb_ops = {
static struct fb_deferred_io broadsheetfb_defio = {
.delay = HZ/4,
+ .sort_pagelist = true,
.deferred_io = broadsheetfb_dpy_deferred_io,
};
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index 95264a621221..bead69f39ffc 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -92,7 +92,7 @@ static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
struct page *page = vmf->page;
struct fb_info *info = vmf->vma->vm_private_data;
struct fb_deferred_io *fbdefio = info->fbdefio;
- struct page *cur;
+ struct list_head *pos = &fbdefio->pagelist;
/* this is a callback we get when userspace first tries to
write to the page. we schedule a workqueue. that workqueue
@@ -133,14 +133,24 @@ static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
if (!list_empty(&page->lru))
goto page_already_added;
- /* we loop through the pagelist before adding in order
- to keep the pagelist sorted */
- list_for_each_entry(cur, &fbdefio->pagelist, lru) {
- if (cur->index > page->index)
- break;
+ if (unlikely(fbdefio->sort_pagelist)) {
+ /*
+ * We loop through the pagelist before adding in order to
+ * keep the pagelist sorted. This has significant overhead
+ * of O(n^2) with n being the number of written pages. If
+ * possible, drivers should try to work with unsorted page
+ * lists instead.
+ */
+ struct page *cur;
+
+ list_for_each_entry(cur, &fbdefio->pagelist, lru) {
+ if (cur->index > page->index)
+ break;
+ }
+ pos = &cur->lru;
}
- list_add_tail(&page->lru, &cur->lru);
+ list_add_tail(&page->lru, pos);
page_already_added:
mutex_unlock(&fbdefio->lock);
diff --git a/drivers/video/fbdev/metronomefb.c b/drivers/video/fbdev/metronomefb.c
index 952826557a0c..af858dd23ea6 100644
--- a/drivers/video/fbdev/metronomefb.c
+++ b/drivers/video/fbdev/metronomefb.c
@@ -568,6 +568,7 @@ static const struct fb_ops metronomefb_ops = {
static struct fb_deferred_io metronomefb_defio = {
.delay = HZ,
+ .sort_pagelist = true,
.deferred_io = metronomefb_dpy_deferred_io,
};
diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
index 0de7b867714a..8603898bf37e 100644
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -982,6 +982,7 @@ static int dlfb_ops_open(struct fb_info *info, int user)
if (fbdefio) {
fbdefio->delay = DL_DEFIO_WRITE_DELAY;
+ fbdefio->sort_pagelist = true;
fbdefio->deferred_io = dlfb_dpy_deferred_io;
}
diff --git a/include/linux/fb.h b/include/linux/fb.h
index 3d7306c9a706..9a77ab615c36 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -204,6 +204,7 @@ struct fb_pixmap {
struct fb_deferred_io {
/* delay between mkwrite and deferred handler */
unsigned long delay;
+ bool sort_pagelist; /* sort pagelist by offset */
struct mutex lock; /* mutex that protects the page list */
struct list_head pagelist; /* list of touched pages */
/* callback */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 448/476] fbdev: defio: fix the pagelist corruption
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 447/476] fbdev: Dont sort deferred-I/O pages by default Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 449/476] fbdev: Track deferred-I/O pages in pageref struct Greg Kroah-Hartman
` (37 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuansheng Liu, Thomas Zimmermann,
Geert Uytterhoeven, Javier Martinez Canillas, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuansheng Liu <chuansheng.liu@intel.com>
[ Upstream commit 856082f021a28221db2c32bd0531614a8382be67 ]
Easily hit the below list corruption:
==
list_add corruption. prev->next should be next (ffffffffc0ceb090), but
was ffffec604507edc8. (prev=ffffec604507edc8).
WARNING: CPU: 65 PID: 3959 at lib/list_debug.c:26
__list_add_valid+0x53/0x80
CPU: 65 PID: 3959 Comm: fbdev Tainted: G U
RIP: 0010:__list_add_valid+0x53/0x80
Call Trace:
<TASK>
fb_deferred_io_mkwrite+0xea/0x150
do_page_mkwrite+0x57/0xc0
do_wp_page+0x278/0x2f0
__handle_mm_fault+0xdc2/0x1590
handle_mm_fault+0xdd/0x2c0
do_user_addr_fault+0x1d3/0x650
exc_page_fault+0x77/0x180
? asm_exc_page_fault+0x8/0x30
asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x7fd98fc8fad1
==
Figure out the race happens when one process is adding &page->lru into
the pagelist tail in fb_deferred_io_mkwrite(), another process is
re-initializing the same &page->lru in fb_deferred_io_fault(), which is
not protected by the lock.
This fix is to init all the page lists one time during initialization,
it not only fixes the list corruption, but also avoids INIT_LIST_HEAD()
redundantly.
V2: change "int i" to "unsigned int i" (Geert Uytterhoeven)
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
Fixes: 105a940416fc ("fbdev/defio: Early-out if page is already enlisted")
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220318005003.51810-1-chuansheng.liu@intel.com
Stable-dep-of: 33cd6ea9c067 ("fbdev: flush deferred IO before closing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fb_defio.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index bead69f39ffc..0da3dfe35233 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -59,7 +59,6 @@ static vm_fault_t fb_deferred_io_fault(struct vm_fault *vmf)
printk(KERN_ERR "no mapping available\n");
BUG_ON(!page->mapping);
- INIT_LIST_HEAD(&page->lru);
page->index = vmf->pgoff;
vmf->page = page;
@@ -216,6 +215,8 @@ static void fb_deferred_io_work(struct work_struct *work)
void fb_deferred_io_init(struct fb_info *info)
{
struct fb_deferred_io *fbdefio = info->fbdefio;
+ struct page *page;
+ unsigned int i;
BUG_ON(!fbdefio);
mutex_init(&fbdefio->lock);
@@ -223,6 +224,12 @@ void fb_deferred_io_init(struct fb_info *info)
INIT_LIST_HEAD(&fbdefio->pagelist);
if (fbdefio->delay == 0) /* set a default of 1 s */
fbdefio->delay = HZ;
+
+ /* initialize all the page lists one time */
+ for (i = 0; i < info->fix.smem_len; i += PAGE_SIZE) {
+ page = fb_deferred_io_page(info, i);
+ INIT_LIST_HEAD(&page->lru);
+ }
}
EXPORT_SYMBOL_GPL(fb_deferred_io_init);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 449/476] fbdev: Track deferred-I/O pages in pageref struct
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 448/476] fbdev: defio: fix the pagelist corruption Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 450/476] fbdev: Rename pagelist to pagereflist for deferred I/O Greg Kroah-Hartman
` (36 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann,
Javier Martinez Canillas, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit 56c134f7f1b58be08bdb0ca8372474a4a5165f31 ]
Store the per-page state for fbdev's deferred I/O in struct
fb_deferred_io_pageref. Maintain a list of pagerefs for the pages
that have to be written back to video memory. Update all affected
drivers.
As with pages before, fbdev acquires a pageref when an mmaped page
of the framebuffer is being written to. It holds the pageref in a
list of all currently written pagerefs until it flushes the written
pages to video memory. Writeback occurs periodically. After writeback
fbdev releases all pagerefs and builds up a new dirty list until the
next writeback occurs.
Using pagerefs has a number of benefits.
For pages of the framebuffer, the deferred I/O code used struct
page.lru as an entry into the list of dirty pages. The lru field is
owned by the page cache, which makes deferred I/O incompatible with
some memory pages (e.g., most notably DRM's GEM SHMEM allocator).
struct fb_deferred_io_pageref now provides an entry into a list of
dirty framebuffer pages, freeing lru for use with the page cache.
Drivers also assumed that struct page.index is the page offset into
the framebuffer. This is not true for DRM buffers, which are located
at various offset within a mapped area. struct fb_deferred_io_pageref
explicitly stores an offset into the framebuffer. struct page.index
is now only the page offset into the mapped area.
These changes will allow DRM to use fbdev deferred I/O without an
intermediate shadow buffer.
v3:
* use pageref->offset for sorting
* fix grammar in comment
v2:
* minor fixes in commit message
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220429100834.18898-3-tzimmermann@suse.de
Stable-dep-of: 33cd6ea9c067 ("fbdev: flush deferred IO before closing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_fb_helper.c | 6 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 5 +-
drivers/staging/fbtft/fbtft-core.c | 5 +-
drivers/video/fbdev/broadsheetfb.c | 5 +-
drivers/video/fbdev/core/fb_defio.c | 156 ++++++++++++++++---------
drivers/video/fbdev/hyperv_fb.c | 5 +-
drivers/video/fbdev/metronomefb.c | 5 +-
drivers/video/fbdev/sh_mobile_lcdcfb.c | 6 +-
drivers/video/fbdev/smscufx.c | 5 +-
drivers/video/fbdev/udlfb.c | 5 +-
drivers/video/fbdev/xen-fbfront.c | 5 +-
include/linux/fb.h | 11 +-
12 files changed, 145 insertions(+), 74 deletions(-)
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index 3d9c0444df40..888ec6135544 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -692,13 +692,13 @@ void drm_fb_helper_deferred_io(struct fb_info *info,
struct list_head *pagelist)
{
unsigned long start, end, min, max;
- struct page *page;
+ struct fb_deferred_io_pageref *pageref;
u32 y1, y2;
min = ULONG_MAX;
max = 0;
- list_for_each_entry(page, pagelist, lru) {
- start = page->index << PAGE_SHIFT;
+ list_for_each_entry(pageref, pagelist, list) {
+ start = pageref->offset;
end = start + PAGE_SIZE - 1;
min = min(min, start);
max = max(max, end);
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
index f18ed03a8b2d..1f20e3c958ef 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
@@ -322,12 +322,13 @@ static void vmw_deferred_io(struct fb_info *info,
struct vmw_fb_par *par = info->par;
unsigned long start, end, min, max;
unsigned long flags;
- struct page *page;
+ struct fb_deferred_io_pageref *pageref;
int y1, y2;
min = ULONG_MAX;
max = 0;
- list_for_each_entry(page, pagelist, lru) {
+ list_for_each_entry(pageref, pagelist, list) {
+ struct page *page = pageref->page;
start = page->index << PAGE_SHIFT;
end = start + PAGE_SIZE - 1;
min = min(min, start);
diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
index 52b19ec580a4..5c52b5ff9f51 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -326,7 +326,7 @@ static void fbtft_deferred_io(struct fb_info *info, struct list_head *pagelist)
{
struct fbtft_par *par = info->par;
unsigned int dirty_lines_start, dirty_lines_end;
- struct page *page;
+ struct fb_deferred_io_pageref *pageref;
unsigned long index;
unsigned int y_low = 0, y_high = 0;
int count = 0;
@@ -340,7 +340,8 @@ static void fbtft_deferred_io(struct fb_info *info, struct list_head *pagelist)
spin_unlock(&par->dirty_lock);
/* Mark display lines as dirty */
- list_for_each_entry(page, pagelist, lru) {
+ list_for_each_entry(pageref, pagelist, list) {
+ struct page *page = pageref->page;
count++;
index = page->index << PAGE_SHIFT;
y_low = index / info->fix.line_length;
diff --git a/drivers/video/fbdev/broadsheetfb.c b/drivers/video/fbdev/broadsheetfb.c
index b9054f658838..2ca753d27f76 100644
--- a/drivers/video/fbdev/broadsheetfb.c
+++ b/drivers/video/fbdev/broadsheetfb.c
@@ -934,7 +934,7 @@ static void broadsheetfb_dpy_deferred_io(struct fb_info *info,
{
u16 y1 = 0, h = 0;
int prev_index = -1;
- struct page *cur;
+ struct fb_deferred_io_pageref *pageref;
struct fb_deferred_io *fbdefio = info->fbdefio;
int h_inc;
u16 yres = info->var.yres;
@@ -944,7 +944,8 @@ static void broadsheetfb_dpy_deferred_io(struct fb_info *info,
h_inc = DIV_ROUND_UP(PAGE_SIZE , xres);
/* walk the written page list and swizzle the data */
- list_for_each_entry(cur, &fbdefio->pagelist, lru) {
+ list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ struct page *cur = pageref->page;
if (prev_index < 0) {
/* just starting so assign first page */
y1 = (cur->index << PAGE_SHIFT) / xres;
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index 0da3dfe35233..a79af3b5faf3 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -36,6 +36,60 @@ static struct page *fb_deferred_io_page(struct fb_info *info, unsigned long offs
return page;
}
+static struct fb_deferred_io_pageref *fb_deferred_io_pageref_get(struct fb_info *info,
+ unsigned long offset,
+ struct page *page)
+{
+ struct fb_deferred_io *fbdefio = info->fbdefio;
+ struct list_head *pos = &fbdefio->pagelist;
+ unsigned long pgoff = offset >> PAGE_SHIFT;
+ struct fb_deferred_io_pageref *pageref, *cur;
+
+ if (WARN_ON_ONCE(pgoff >= info->npagerefs))
+ return NULL; /* incorrect allocation size */
+
+ /* 1:1 mapping between pageref and page offset */
+ pageref = &info->pagerefs[pgoff];
+
+ /*
+ * This check is to catch the case where a new process could start
+ * writing to the same page through a new PTE. This new access
+ * can cause a call to .page_mkwrite even if the original process'
+ * PTE is marked writable.
+ */
+ if (!list_empty(&pageref->list))
+ goto pageref_already_added;
+
+ pageref->page = page;
+ pageref->offset = pgoff << PAGE_SHIFT;
+
+ if (unlikely(fbdefio->sort_pagelist)) {
+ /*
+ * We loop through the list of pagerefs before adding in
+ * order to keep the pagerefs sorted. This has significant
+ * overhead of O(n^2) with n being the number of written
+ * pages. If possible, drivers should try to work with
+ * unsorted page lists instead.
+ */
+ list_for_each_entry(cur, &info->fbdefio->pagelist, list) {
+ if (cur->offset > pageref->offset)
+ break;
+ }
+ pos = &cur->list;
+ }
+
+ list_add_tail(&pageref->list, pos);
+
+pageref_already_added:
+ return pageref;
+}
+
+static void fb_deferred_io_pageref_put(struct fb_deferred_io_pageref *pageref,
+ struct fb_info *info)
+{
+ list_del_init(&pageref->list);
+}
+
/* this is to find and return the vmalloc-ed fb pages */
static vm_fault_t fb_deferred_io_fault(struct vm_fault *vmf)
{
@@ -59,7 +113,7 @@ static vm_fault_t fb_deferred_io_fault(struct vm_fault *vmf)
printk(KERN_ERR "no mapping available\n");
BUG_ON(!page->mapping);
- page->index = vmf->pgoff;
+ page->index = vmf->pgoff; /* for page_mkclean() */
vmf->page = page;
return 0;
@@ -91,7 +145,11 @@ static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
struct page *page = vmf->page;
struct fb_info *info = vmf->vma->vm_private_data;
struct fb_deferred_io *fbdefio = info->fbdefio;
- struct list_head *pos = &fbdefio->pagelist;
+ struct fb_deferred_io_pageref *pageref;
+ unsigned long offset;
+ vm_fault_t ret;
+
+ offset = (vmf->address - vmf->vma->vm_start);
/* this is a callback we get when userspace first tries to
write to the page. we schedule a workqueue. that workqueue
@@ -108,6 +166,12 @@ static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
if (fbdefio->first_io && list_empty(&fbdefio->pagelist))
fbdefio->first_io(info);
+ pageref = fb_deferred_io_pageref_get(info, offset, page);
+ if (WARN_ON_ONCE(!pageref)) {
+ ret = VM_FAULT_OOM;
+ goto err_mutex_unlock;
+ }
+
/*
* We want the page to remain locked from ->page_mkwrite until
* the PTE is marked dirty to avoid page_mkclean() being called
@@ -116,47 +180,17 @@ static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
* Do this by locking the page here and informing the caller
* about it with VM_FAULT_LOCKED.
*/
- lock_page(page);
-
- /*
- * This check is to catch the case where a new process could start
- * writing to the same page through a new PTE. This new access
- * can cause a call to .page_mkwrite even if the original process'
- * PTE is marked writable.
- *
- * TODO: The lru field is owned by the page cache; hence the name.
- * We dequeue in fb_deferred_io_work() after flushing the
- * page's content into video memory. Instead of lru, fbdefio
- * should have it's own field.
- */
- if (!list_empty(&page->lru))
- goto page_already_added;
-
- if (unlikely(fbdefio->sort_pagelist)) {
- /*
- * We loop through the pagelist before adding in order to
- * keep the pagelist sorted. This has significant overhead
- * of O(n^2) with n being the number of written pages. If
- * possible, drivers should try to work with unsorted page
- * lists instead.
- */
- struct page *cur;
-
- list_for_each_entry(cur, &fbdefio->pagelist, lru) {
- if (cur->index > page->index)
- break;
- }
- pos = &cur->lru;
- }
-
- list_add_tail(&page->lru, pos);
+ lock_page(pageref->page);
-page_already_added:
mutex_unlock(&fbdefio->lock);
/* come back after delay to process the deferred IO */
schedule_delayed_work(&info->deferred_work, fbdefio->delay);
return VM_FAULT_LOCKED;
+
+err_mutex_unlock:
+ mutex_unlock(&fbdefio->lock);
+ return ret;
}
static const struct vm_operations_struct fb_deferred_io_vm_ops = {
@@ -188,15 +222,14 @@ int fb_deferred_io_mmap(struct fb_info *info, struct vm_area_struct *vma)
/* workqueue callback */
static void fb_deferred_io_work(struct work_struct *work)
{
- struct fb_info *info = container_of(work, struct fb_info,
- deferred_work.work);
- struct list_head *node, *next;
- struct page *cur;
+ struct fb_info *info = container_of(work, struct fb_info, deferred_work.work);
+ struct fb_deferred_io_pageref *pageref, *next;
struct fb_deferred_io *fbdefio = info->fbdefio;
/* here we mkclean the pages, then do all deferred IO */
mutex_lock(&fbdefio->lock);
- list_for_each_entry(cur, &fbdefio->pagelist, lru) {
+ list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ struct page *cur = pageref->page;
lock_page(cur);
page_mkclean(cur);
unlock_page(cur);
@@ -206,30 +239,48 @@ static void fb_deferred_io_work(struct work_struct *work)
fbdefio->deferred_io(info, &fbdefio->pagelist);
/* clear the list */
- list_for_each_safe(node, next, &fbdefio->pagelist) {
- list_del_init(node);
- }
+ list_for_each_entry_safe(pageref, next, &fbdefio->pagelist, list)
+ fb_deferred_io_pageref_put(pageref, info);
+
mutex_unlock(&fbdefio->lock);
}
-void fb_deferred_io_init(struct fb_info *info)
+int fb_deferred_io_init(struct fb_info *info)
{
struct fb_deferred_io *fbdefio = info->fbdefio;
- struct page *page;
- unsigned int i;
+ struct fb_deferred_io_pageref *pagerefs;
+ unsigned long npagerefs, i;
+ int ret;
BUG_ON(!fbdefio);
+
+ if (WARN_ON(!info->fix.smem_len))
+ return -EINVAL;
+
mutex_init(&fbdefio->lock);
INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
INIT_LIST_HEAD(&fbdefio->pagelist);
if (fbdefio->delay == 0) /* set a default of 1 s */
fbdefio->delay = HZ;
- /* initialize all the page lists one time */
- for (i = 0; i < info->fix.smem_len; i += PAGE_SIZE) {
- page = fb_deferred_io_page(info, i);
- INIT_LIST_HEAD(&page->lru);
+ npagerefs = DIV_ROUND_UP(info->fix.smem_len, PAGE_SIZE);
+
+ /* alloc a page ref for each page of the display memory */
+ pagerefs = kvcalloc(npagerefs, sizeof(*pagerefs), GFP_KERNEL);
+ if (!pagerefs) {
+ ret = -ENOMEM;
+ goto err;
}
+ for (i = 0; i < npagerefs; ++i)
+ INIT_LIST_HEAD(&pagerefs[i].list);
+ info->npagerefs = npagerefs;
+ info->pagerefs = pagerefs;
+
+ return 0;
+
+err:
+ mutex_destroy(&fbdefio->lock);
+ return ret;
}
EXPORT_SYMBOL_GPL(fb_deferred_io_init);
@@ -256,6 +307,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
page->mapping = NULL;
}
+ kvfree(info->pagerefs);
mutex_destroy(&fbdefio->lock);
}
EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
index de865e197c8d..704ba7ee13c6 100644
--- a/drivers/video/fbdev/hyperv_fb.c
+++ b/drivers/video/fbdev/hyperv_fb.c
@@ -424,7 +424,7 @@ static void synthvid_deferred_io(struct fb_info *p,
struct list_head *pagelist)
{
struct hvfb_par *par = p->par;
- struct page *page;
+ struct fb_deferred_io_pageref *pageref;
unsigned long start, end;
int y1, y2, miny, maxy;
@@ -437,7 +437,8 @@ static void synthvid_deferred_io(struct fb_info *p,
* in synthvid_update function by clamping the y2
* value to yres.
*/
- list_for_each_entry(page, pagelist, lru) {
+ list_for_each_entry(pageref, pagelist, list) {
+ struct page *page = pageref->page;
start = page->index << PAGE_SHIFT;
end = start + PAGE_SIZE - 1;
y1 = start / p->fix.line_length;
diff --git a/drivers/video/fbdev/metronomefb.c b/drivers/video/fbdev/metronomefb.c
index af858dd23ea6..74672539ee7b 100644
--- a/drivers/video/fbdev/metronomefb.c
+++ b/drivers/video/fbdev/metronomefb.c
@@ -469,12 +469,13 @@ static void metronomefb_dpy_deferred_io(struct fb_info *info,
struct list_head *pagelist)
{
u16 cksum;
- struct page *cur;
+ struct fb_deferred_io_pageref *pageref;
struct fb_deferred_io *fbdefio = info->fbdefio;
struct metronomefb_par *par = info->par;
/* walk the written page list and swizzle the data */
- list_for_each_entry(cur, &fbdefio->pagelist, lru) {
+ list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ struct page *cur = pageref->page;
cksum = metronomefb_dpy_update_page(par,
(cur->index << PAGE_SHIFT));
par->metromem_img_csum -= par->csum_table[cur->index];
diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c
index aa4ebe3192ec..b6b5ce3505c0 100644
--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c
+++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c
@@ -440,13 +440,15 @@ static int sh_mobile_lcdc_sginit(struct fb_info *info,
{
struct sh_mobile_lcdc_chan *ch = info->par;
unsigned int nr_pages_max = ch->fb_size >> PAGE_SHIFT;
- struct page *page;
+ struct fb_deferred_io_pageref *pageref;
int nr_pages = 0;
sg_init_table(ch->sglist, nr_pages_max);
- list_for_each_entry(page, pagelist, lru)
+ list_for_each_entry(pageref, pagelist, list) {
+ struct page *page = pageref->page;
sg_set_page(&ch->sglist[nr_pages++], page, PAGE_SIZE, 0);
+ }
return nr_pages;
}
diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c
index b3295cd7fd4f..bf3d151abd6f 100644
--- a/drivers/video/fbdev/smscufx.c
+++ b/drivers/video/fbdev/smscufx.c
@@ -956,7 +956,7 @@ static void ufx_ops_fillrect(struct fb_info *info,
static void ufx_dpy_deferred_io(struct fb_info *info,
struct list_head *pagelist)
{
- struct page *cur;
+ struct fb_deferred_io_pageref *pageref;
struct fb_deferred_io *fbdefio = info->fbdefio;
struct ufx_data *dev = info->par;
@@ -967,9 +967,10 @@ static void ufx_dpy_deferred_io(struct fb_info *info,
return;
/* walk the written page list and render each to device */
- list_for_each_entry(cur, &fbdefio->pagelist, lru) {
+ list_for_each_entry(pageref, &fbdefio->pagelist, list) {
/* create a rectangle of full screen width that encloses the
* entire dirty framebuffer page */
+ struct page *cur = pageref->page;
const int x = 0;
const int width = dev->info->var.xres;
const int y = (cur->index << PAGE_SHIFT) / (width * 2);
diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
index 8603898bf37e..c187163fe580 100644
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -783,7 +783,7 @@ static void dlfb_ops_fillrect(struct fb_info *info,
static void dlfb_dpy_deferred_io(struct fb_info *info,
struct list_head *pagelist)
{
- struct page *cur;
+ struct fb_deferred_io_pageref *pageref;
struct fb_deferred_io *fbdefio = info->fbdefio;
struct dlfb_data *dlfb = info->par;
struct urb *urb;
@@ -810,7 +810,8 @@ static void dlfb_dpy_deferred_io(struct fb_info *info,
cmd = urb->transfer_buffer;
/* walk the written page list and render each to device */
- list_for_each_entry(cur, &fbdefio->pagelist, lru) {
+ list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ struct page *cur = pageref->page;
if (dlfb_render_hline(dlfb, &urb, (char *) info->fix.smem_start,
&cmd, cur->index << PAGE_SHIFT,
diff --git a/drivers/video/fbdev/xen-fbfront.c b/drivers/video/fbdev/xen-fbfront.c
index 5ec51445bee8..00d9502ee25a 100644
--- a/drivers/video/fbdev/xen-fbfront.c
+++ b/drivers/video/fbdev/xen-fbfront.c
@@ -185,13 +185,14 @@ static void xenfb_deferred_io(struct fb_info *fb_info,
struct list_head *pagelist)
{
struct xenfb_info *info = fb_info->par;
- struct page *page;
+ struct fb_deferred_io_pageref *pageref;
unsigned long beg, end;
int y1, y2, miny, maxy;
miny = INT_MAX;
maxy = 0;
- list_for_each_entry(page, pagelist, lru) {
+ list_for_each_entry(pageref, pagelist, list) {
+ struct page *page = pageref->page;
beg = page->index << PAGE_SHIFT;
end = beg + PAGE_SIZE - 1;
y1 = beg / fb_info->fix.line_length;
diff --git a/include/linux/fb.h b/include/linux/fb.h
index 9a77ab615c36..768de6534a82 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -201,6 +201,13 @@ struct fb_pixmap {
};
#ifdef CONFIG_FB_DEFERRED_IO
+struct fb_deferred_io_pageref {
+ struct page *page;
+ unsigned long offset;
+ /* private */
+ struct list_head list;
+};
+
struct fb_deferred_io {
/* delay between mkwrite and deferred handler */
unsigned long delay;
@@ -469,6 +476,8 @@ struct fb_info {
#endif
#ifdef CONFIG_FB_DEFERRED_IO
struct delayed_work deferred_work;
+ unsigned long npagerefs;
+ struct fb_deferred_io_pageref *pagerefs;
struct fb_deferred_io *fbdefio;
#endif
@@ -662,7 +671,7 @@ static inline void __fb_pad_aligned_buffer(u8 *dst, u32 d_pitch,
/* drivers/video/fb_defio.c */
int fb_deferred_io_mmap(struct fb_info *info, struct vm_area_struct *vma);
-extern void fb_deferred_io_init(struct fb_info *info);
+extern int fb_deferred_io_init(struct fb_info *info);
extern void fb_deferred_io_open(struct fb_info *info,
struct inode *inode,
struct file *file);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 450/476] fbdev: Rename pagelist to pagereflist for deferred I/O
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 449/476] fbdev: Track deferred-I/O pages in pageref struct Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 451/476] fbdev: Fix invalid page access after closing deferred I/O devices Greg Kroah-Hartman
` (35 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Ravnborg, Thomas Zimmermann,
Javier Martinez Canillas, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit e80eec1b871a2acb8f5c92db4c237e9ae6dd322b ]
Rename various instances of pagelist to pagereflist. The list now
stores pageref structures, so the new name is more appropriate.
In their write-back helpers, several fbdev drivers refer to the
pageref list in struct fb_deferred_io instead of using the one
supplied as argument to the function. Convert them over to the
supplied one. It's the same instance, so no change of behavior
occurs.
v4:
* fix commit message (Javier)
Suggested-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220429100834.18898-5-tzimmermann@suse.de
Stable-dep-of: 33cd6ea9c067 ("fbdev: flush deferred IO before closing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_fb_helper.c | 7 +++----
drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 5 ++---
drivers/hid/hid-picolcd_fb.c | 2 +-
drivers/staging/fbtft/fbtft-core.c | 10 +++++-----
drivers/video/fbdev/broadsheetfb.c | 12 +++++-------
drivers/video/fbdev/core/fb_defio.c | 18 +++++++++---------
drivers/video/fbdev/hecubafb.c | 3 +--
drivers/video/fbdev/hyperv_fb.c | 5 ++---
drivers/video/fbdev/metronomefb.c | 12 +++++-------
drivers/video/fbdev/sh_mobile_lcdcfb.c | 16 +++++++---------
drivers/video/fbdev/smscufx.c | 8 +++-----
drivers/video/fbdev/ssd1307fb.c | 3 +--
drivers/video/fbdev/udlfb.c | 8 +++-----
drivers/video/fbdev/xen-fbfront.c | 5 ++---
include/drm/drm_fb_helper.h | 3 +--
include/linux/fb.h | 6 +++---
16 files changed, 53 insertions(+), 70 deletions(-)
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index 888ec6135544..82960d5d4e73 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -683,13 +683,12 @@ static void drm_fb_helper_damage(struct fb_info *info, u32 x, u32 y,
/**
* drm_fb_helper_deferred_io() - fbdev deferred_io callback function
* @info: fb_info struct pointer
- * @pagelist: list of mmap framebuffer pages that have to be flushed
+ * @pagereflist: list of mmap framebuffer pages that have to be flushed
*
* This function is used as the &fb_deferred_io.deferred_io
* callback function for flushing the fbdev mmap writes.
*/
-void drm_fb_helper_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+void drm_fb_helper_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
unsigned long start, end, min, max;
struct fb_deferred_io_pageref *pageref;
@@ -697,7 +696,7 @@ void drm_fb_helper_deferred_io(struct fb_info *info,
min = ULONG_MAX;
max = 0;
- list_for_each_entry(pageref, pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
start = pageref->offset;
end = start + PAGE_SIZE - 1;
min = min(min, start);
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
index 1f20e3c958ef..79b08e927f76 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
@@ -316,8 +316,7 @@ static int vmw_fb_pan_display(struct fb_var_screeninfo *var,
return 0;
}
-static void vmw_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+static void vmw_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
struct vmw_fb_par *par = info->par;
unsigned long start, end, min, max;
@@ -327,7 +326,7 @@ static void vmw_deferred_io(struct fb_info *info,
min = ULONG_MAX;
max = 0;
- list_for_each_entry(pageref, pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
struct page *page = pageref->page;
start = page->index << PAGE_SHIFT;
end = start + PAGE_SIZE - 1;
diff --git a/drivers/hid/hid-picolcd_fb.c b/drivers/hid/hid-picolcd_fb.c
index 33c102a60992..8a0d1365cd72 100644
--- a/drivers/hid/hid-picolcd_fb.c
+++ b/drivers/hid/hid-picolcd_fb.c
@@ -432,7 +432,7 @@ static const struct fb_ops picolcdfb_ops = {
/* Callback from deferred IO workqueue */
-static void picolcd_fb_deferred_io(struct fb_info *info, struct list_head *pagelist)
+static void picolcd_fb_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
picolcd_fb_update(info);
}
diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
index 5c52b5ff9f51..7aec35ae5cd5 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -322,7 +322,7 @@ static void fbtft_mkdirty(struct fb_info *info, int y, int height)
schedule_delayed_work(&info->deferred_work, fbdefio->delay);
}
-static void fbtft_deferred_io(struct fb_info *info, struct list_head *pagelist)
+static void fbtft_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
struct fbtft_par *par = info->par;
unsigned int dirty_lines_start, dirty_lines_end;
@@ -340,7 +340,7 @@ static void fbtft_deferred_io(struct fb_info *info, struct list_head *pagelist)
spin_unlock(&par->dirty_lock);
/* Mark display lines as dirty */
- list_for_each_entry(pageref, pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
struct page *page = pageref->page;
count++;
index = page->index << PAGE_SHIFT;
@@ -654,9 +654,9 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
fbops->fb_setcolreg = fbtft_fb_setcolreg;
fbops->fb_blank = fbtft_fb_blank;
- fbdefio->delay = HZ / fps;
- fbdefio->sort_pagelist = true;
- fbdefio->deferred_io = fbtft_deferred_io;
+ fbdefio->delay = HZ / fps;
+ fbdefio->sort_pagereflist = true;
+ fbdefio->deferred_io = fbtft_deferred_io;
fb_deferred_io_init(info);
snprintf(info->fix.id, sizeof(info->fix.id), "%s", dev->driver->name);
diff --git a/drivers/video/fbdev/broadsheetfb.c b/drivers/video/fbdev/broadsheetfb.c
index 2ca753d27f76..8b953d20ccdc 100644
--- a/drivers/video/fbdev/broadsheetfb.c
+++ b/drivers/video/fbdev/broadsheetfb.c
@@ -929,13 +929,11 @@ static void broadsheetfb_dpy_update(struct broadsheetfb_par *par)
}
/* this is called back from the deferred io workqueue */
-static void broadsheetfb_dpy_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+static void broadsheetfb_dpy_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
u16 y1 = 0, h = 0;
int prev_index = -1;
struct fb_deferred_io_pageref *pageref;
- struct fb_deferred_io *fbdefio = info->fbdefio;
int h_inc;
u16 yres = info->var.yres;
u16 xres = info->var.xres;
@@ -944,7 +942,7 @@ static void broadsheetfb_dpy_deferred_io(struct fb_info *info,
h_inc = DIV_ROUND_UP(PAGE_SIZE , xres);
/* walk the written page list and swizzle the data */
- list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
struct page *cur = pageref->page;
if (prev_index < 0) {
/* just starting so assign first page */
@@ -1059,9 +1057,9 @@ static const struct fb_ops broadsheetfb_ops = {
};
static struct fb_deferred_io broadsheetfb_defio = {
- .delay = HZ/4,
- .sort_pagelist = true,
- .deferred_io = broadsheetfb_dpy_deferred_io,
+ .delay = HZ/4,
+ .sort_pagereflist = true,
+ .deferred_io = broadsheetfb_dpy_deferred_io,
};
static int broadsheetfb_probe(struct platform_device *dev)
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index a79af3b5faf3..5faeca61d3dd 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -41,7 +41,7 @@ static struct fb_deferred_io_pageref *fb_deferred_io_pageref_get(struct fb_info
struct page *page)
{
struct fb_deferred_io *fbdefio = info->fbdefio;
- struct list_head *pos = &fbdefio->pagelist;
+ struct list_head *pos = &fbdefio->pagereflist;
unsigned long pgoff = offset >> PAGE_SHIFT;
struct fb_deferred_io_pageref *pageref, *cur;
@@ -63,7 +63,7 @@ static struct fb_deferred_io_pageref *fb_deferred_io_pageref_get(struct fb_info
pageref->page = page;
pageref->offset = pgoff << PAGE_SHIFT;
- if (unlikely(fbdefio->sort_pagelist)) {
+ if (unlikely(fbdefio->sort_pagereflist)) {
/*
* We loop through the list of pagerefs before adding in
* order to keep the pagerefs sorted. This has significant
@@ -71,7 +71,7 @@ static struct fb_deferred_io_pageref *fb_deferred_io_pageref_get(struct fb_info
* pages. If possible, drivers should try to work with
* unsorted page lists instead.
*/
- list_for_each_entry(cur, &info->fbdefio->pagelist, list) {
+ list_for_each_entry(cur, &fbdefio->pagereflist, list) {
if (cur->offset > pageref->offset)
break;
}
@@ -163,7 +163,7 @@ static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
mutex_lock(&fbdefio->lock);
/* first write in this cycle, notify the driver */
- if (fbdefio->first_io && list_empty(&fbdefio->pagelist))
+ if (fbdefio->first_io && list_empty(&fbdefio->pagereflist))
fbdefio->first_io(info);
pageref = fb_deferred_io_pageref_get(info, offset, page);
@@ -228,18 +228,18 @@ static void fb_deferred_io_work(struct work_struct *work)
/* here we mkclean the pages, then do all deferred IO */
mutex_lock(&fbdefio->lock);
- list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ list_for_each_entry(pageref, &fbdefio->pagereflist, list) {
struct page *cur = pageref->page;
lock_page(cur);
page_mkclean(cur);
unlock_page(cur);
}
- /* driver's callback with pagelist */
- fbdefio->deferred_io(info, &fbdefio->pagelist);
+ /* driver's callback with pagereflist */
+ fbdefio->deferred_io(info, &fbdefio->pagereflist);
/* clear the list */
- list_for_each_entry_safe(pageref, next, &fbdefio->pagelist, list)
+ list_for_each_entry_safe(pageref, next, &fbdefio->pagereflist, list)
fb_deferred_io_pageref_put(pageref, info);
mutex_unlock(&fbdefio->lock);
@@ -259,7 +259,7 @@ int fb_deferred_io_init(struct fb_info *info)
mutex_init(&fbdefio->lock);
INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
- INIT_LIST_HEAD(&fbdefio->pagelist);
+ INIT_LIST_HEAD(&fbdefio->pagereflist);
if (fbdefio->delay == 0) /* set a default of 1 s */
fbdefio->delay = HZ;
diff --git a/drivers/video/fbdev/hecubafb.c b/drivers/video/fbdev/hecubafb.c
index 00d77105161a..bd6b0dec414b 100644
--- a/drivers/video/fbdev/hecubafb.c
+++ b/drivers/video/fbdev/hecubafb.c
@@ -115,8 +115,7 @@ static void hecubafb_dpy_update(struct hecubafb_par *par)
}
/* this is called back from the deferred io workqueue */
-static void hecubafb_dpy_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+static void hecubafb_dpy_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
hecubafb_dpy_update(info->par);
}
diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
index 704ba7ee13c6..6a881cfd7f5c 100644
--- a/drivers/video/fbdev/hyperv_fb.c
+++ b/drivers/video/fbdev/hyperv_fb.c
@@ -420,8 +420,7 @@ static void hvfb_docopy(struct hvfb_par *par,
}
/* Deferred IO callback */
-static void synthvid_deferred_io(struct fb_info *p,
- struct list_head *pagelist)
+static void synthvid_deferred_io(struct fb_info *p, struct list_head *pagereflist)
{
struct hvfb_par *par = p->par;
struct fb_deferred_io_pageref *pageref;
@@ -437,7 +436,7 @@ static void synthvid_deferred_io(struct fb_info *p,
* in synthvid_update function by clamping the y2
* value to yres.
*/
- list_for_each_entry(pageref, pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
struct page *page = pageref->page;
start = page->index << PAGE_SHIFT;
end = start + PAGE_SIZE - 1;
diff --git a/drivers/video/fbdev/metronomefb.c b/drivers/video/fbdev/metronomefb.c
index 74672539ee7b..b8df0bb7cabc 100644
--- a/drivers/video/fbdev/metronomefb.c
+++ b/drivers/video/fbdev/metronomefb.c
@@ -465,16 +465,14 @@ static u16 metronomefb_dpy_update_page(struct metronomefb_par *par, int index)
}
/* this is called back from the deferred io workqueue */
-static void metronomefb_dpy_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+static void metronomefb_dpy_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
u16 cksum;
struct fb_deferred_io_pageref *pageref;
- struct fb_deferred_io *fbdefio = info->fbdefio;
struct metronomefb_par *par = info->par;
/* walk the written page list and swizzle the data */
- list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
struct page *cur = pageref->page;
cksum = metronomefb_dpy_update_page(par,
(cur->index << PAGE_SHIFT));
@@ -568,9 +566,9 @@ static const struct fb_ops metronomefb_ops = {
};
static struct fb_deferred_io metronomefb_defio = {
- .delay = HZ,
- .sort_pagelist = true,
- .deferred_io = metronomefb_dpy_deferred_io,
+ .delay = HZ,
+ .sort_pagereflist = true,
+ .deferred_io = metronomefb_dpy_deferred_io,
};
static int metronomefb_probe(struct platform_device *dev)
diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c
index b6b5ce3505c0..e33c016c5428 100644
--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c
+++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c
@@ -435,8 +435,7 @@ static struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
.read_data = lcdc_sys_read_data,
};
-static int sh_mobile_lcdc_sginit(struct fb_info *info,
- struct list_head *pagelist)
+static int sh_mobile_lcdc_sginit(struct fb_info *info, struct list_head *pagereflist)
{
struct sh_mobile_lcdc_chan *ch = info->par;
unsigned int nr_pages_max = ch->fb_size >> PAGE_SHIFT;
@@ -445,7 +444,7 @@ static int sh_mobile_lcdc_sginit(struct fb_info *info,
sg_init_table(ch->sglist, nr_pages_max);
- list_for_each_entry(pageref, pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
struct page *page = pageref->page;
sg_set_page(&ch->sglist[nr_pages++], page, PAGE_SIZE, 0);
}
@@ -453,8 +452,7 @@ static int sh_mobile_lcdc_sginit(struct fb_info *info,
return nr_pages;
}
-static void sh_mobile_lcdc_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+static void sh_mobile_lcdc_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
struct sh_mobile_lcdc_chan *ch = info->par;
const struct sh_mobile_lcdc_panel_cfg *panel = &ch->cfg->panel_cfg;
@@ -463,7 +461,7 @@ static void sh_mobile_lcdc_deferred_io(struct fb_info *info,
sh_mobile_lcdc_clk_on(ch->lcdc);
/*
- * It's possible to get here without anything on the pagelist via
+ * It's possible to get here without anything on the pagereflist via
* sh_mobile_lcdc_deferred_io_touch() or via a userspace fsync()
* invocation. In the former case, the acceleration routines are
* stepped in to when using the framebuffer console causing the
@@ -473,12 +471,12 @@ static void sh_mobile_lcdc_deferred_io(struct fb_info *info,
* acceleration routines have their own methods for writing in
* that still need to be updated.
*
- * The fsync() and empty pagelist case could be optimized for,
+ * The fsync() and empty pagereflist case could be optimized for,
* but we don't bother, as any application exhibiting such
* behaviour is fundamentally broken anyways.
*/
- if (!list_empty(pagelist)) {
- unsigned int nr_pages = sh_mobile_lcdc_sginit(info, pagelist);
+ if (!list_empty(pagereflist)) {
+ unsigned int nr_pages = sh_mobile_lcdc_sginit(info, pagereflist);
/* trigger panel update */
dma_map_sg(ch->lcdc->dev, ch->sglist, nr_pages, DMA_TO_DEVICE);
diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c
index bf3d151abd6f..14e4e106d26b 100644
--- a/drivers/video/fbdev/smscufx.c
+++ b/drivers/video/fbdev/smscufx.c
@@ -953,12 +953,10 @@ static void ufx_ops_fillrect(struct fb_info *info,
* Touching ANY framebuffer memory that triggers a page fault
* in fb_defio will cause a deadlock, when it also tries to
* grab the same mutex. */
-static void ufx_dpy_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+static void ufx_dpy_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
- struct fb_deferred_io_pageref *pageref;
- struct fb_deferred_io *fbdefio = info->fbdefio;
struct ufx_data *dev = info->par;
+ struct fb_deferred_io_pageref *pageref;
if (!fb_defio)
return;
@@ -967,7 +965,7 @@ static void ufx_dpy_deferred_io(struct fb_info *info,
return;
/* walk the written page list and render each to device */
- list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
/* create a rectangle of full screen width that encloses the
* entire dirty framebuffer page */
struct page *cur = pageref->page;
diff --git a/drivers/video/fbdev/ssd1307fb.c b/drivers/video/fbdev/ssd1307fb.c
index 1e2f71c2f8a8..7acf7c0b263e 100644
--- a/drivers/video/fbdev/ssd1307fb.c
+++ b/drivers/video/fbdev/ssd1307fb.c
@@ -370,8 +370,7 @@ static const struct fb_ops ssd1307fb_ops = {
.fb_imageblit = ssd1307fb_imageblit,
};
-static void ssd1307fb_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+static void ssd1307fb_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
ssd1307fb_update_display(info->par);
}
diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
index c187163fe580..12bd5a7318e1 100644
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -780,11 +780,9 @@ static void dlfb_ops_fillrect(struct fb_info *info,
* in fb_defio will cause a deadlock, when it also tries to
* grab the same mutex.
*/
-static void dlfb_dpy_deferred_io(struct fb_info *info,
- struct list_head *pagelist)
+static void dlfb_dpy_deferred_io(struct fb_info *info, struct list_head *pagereflist)
{
struct fb_deferred_io_pageref *pageref;
- struct fb_deferred_io *fbdefio = info->fbdefio;
struct dlfb_data *dlfb = info->par;
struct urb *urb;
char *cmd;
@@ -810,7 +808,7 @@ static void dlfb_dpy_deferred_io(struct fb_info *info,
cmd = urb->transfer_buffer;
/* walk the written page list and render each to device */
- list_for_each_entry(pageref, &fbdefio->pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
struct page *cur = pageref->page;
if (dlfb_render_hline(dlfb, &urb, (char *) info->fix.smem_start,
@@ -983,7 +981,7 @@ static int dlfb_ops_open(struct fb_info *info, int user)
if (fbdefio) {
fbdefio->delay = DL_DEFIO_WRITE_DELAY;
- fbdefio->sort_pagelist = true;
+ fbdefio->sort_pagereflist = true;
fbdefio->deferred_io = dlfb_dpy_deferred_io;
}
diff --git a/drivers/video/fbdev/xen-fbfront.c b/drivers/video/fbdev/xen-fbfront.c
index 00d9502ee25a..37e3f226f78c 100644
--- a/drivers/video/fbdev/xen-fbfront.c
+++ b/drivers/video/fbdev/xen-fbfront.c
@@ -181,8 +181,7 @@ static void xenfb_refresh(struct xenfb_info *info,
xenfb_do_update(info, x1, y1, x2 - x1 + 1, y2 - y1 + 1);
}
-static void xenfb_deferred_io(struct fb_info *fb_info,
- struct list_head *pagelist)
+static void xenfb_deferred_io(struct fb_info *fb_info, struct list_head *pagereflist)
{
struct xenfb_info *info = fb_info->par;
struct fb_deferred_io_pageref *pageref;
@@ -191,7 +190,7 @@ static void xenfb_deferred_io(struct fb_info *fb_info,
miny = INT_MAX;
maxy = 0;
- list_for_each_entry(pageref, pagelist, list) {
+ list_for_each_entry(pageref, pagereflist, list) {
struct page *page = pageref->page;
beg = page->index << PAGE_SHIFT;
end = beg + PAGE_SIZE - 1;
diff --git a/include/drm/drm_fb_helper.h b/include/drm/drm_fb_helper.h
index 3af4624368d8..329607ca65c0 100644
--- a/include/drm/drm_fb_helper.h
+++ b/include/drm/drm_fb_helper.h
@@ -229,8 +229,7 @@ void drm_fb_helper_fill_info(struct fb_info *info,
struct drm_fb_helper *fb_helper,
struct drm_fb_helper_surface_size *sizes);
-void drm_fb_helper_deferred_io(struct fb_info *info,
- struct list_head *pagelist);
+void drm_fb_helper_deferred_io(struct fb_info *info, struct list_head *pagereflist);
ssize_t drm_fb_helper_sys_read(struct fb_info *info, char __user *buf,
size_t count, loff_t *ppos);
diff --git a/include/linux/fb.h b/include/linux/fb.h
index 768de6534a82..b322d30f6225 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -211,9 +211,9 @@ struct fb_deferred_io_pageref {
struct fb_deferred_io {
/* delay between mkwrite and deferred handler */
unsigned long delay;
- bool sort_pagelist; /* sort pagelist by offset */
- struct mutex lock; /* mutex that protects the page list */
- struct list_head pagelist; /* list of touched pages */
+ bool sort_pagereflist; /* sort pagelist by offset */
+ struct mutex lock; /* mutex that protects the pageref list */
+ struct list_head pagereflist; /* list of pagerefs for touched pages */
/* callback */
void (*first_io)(struct fb_info *info);
void (*deferred_io)(struct fb_info *info, struct list_head *pagelist);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 451/476] fbdev: Fix invalid page access after closing deferred I/O devices
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 450/476] fbdev: Rename pagelist to pagereflist for deferred I/O Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 452/476] fbdev: Fix incorrect page mapping clearance at fb_deferred_io_release() Greg Kroah-Hartman
` (34 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrik Jakobsson, Takashi Iwai,
Miko Larsson, Thomas Zimmermann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 3efc61d95259956db25347e2a9562c3e54546e20 ]
When a fbdev with deferred I/O is once opened and closed, the dirty
pages still remain queued in the pageref list, and eventually later
those may be processed in the delayed work. This may lead to a
corruption of pages, hitting an Oops.
This patch makes sure to cancel the delayed work and clean up the
pageref list at closing the device for addressing the bug. A part of
the cleanup code is factored out as a new helper function that is
called from the common fb_release().
Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Tested-by: Miko Larsson <mikoxyzzz@gmail.com>
Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20230129082856.22113-1-tiwai@suse.de
Stable-dep-of: 33cd6ea9c067 ("fbdev: flush deferred IO before closing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fb_defio.c | 10 +++++++++-
drivers/video/fbdev/core/fbmem.c | 4 ++++
include/linux/fb.h | 1 +
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index 5faeca61d3dd..b3f41f432ec2 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -292,7 +292,7 @@ void fb_deferred_io_open(struct fb_info *info,
}
EXPORT_SYMBOL_GPL(fb_deferred_io_open);
-void fb_deferred_io_cleanup(struct fb_info *info)
+void fb_deferred_io_release(struct fb_info *info)
{
struct fb_deferred_io *fbdefio = info->fbdefio;
struct page *page;
@@ -306,6 +306,14 @@ void fb_deferred_io_cleanup(struct fb_info *info)
page = fb_deferred_io_page(info, i);
page->mapping = NULL;
}
+}
+EXPORT_SYMBOL_GPL(fb_deferred_io_release);
+
+void fb_deferred_io_cleanup(struct fb_info *info)
+{
+ struct fb_deferred_io *fbdefio = info->fbdefio;
+
+ fb_deferred_io_release(info);
kvfree(info->pagerefs);
mutex_destroy(&fbdefio->lock);
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 1b288a613a6e..ec7a883715e3 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1454,6 +1454,10 @@ __releases(&info->lock)
struct fb_info * const info = file->private_data;
lock_fb_info(info);
+#if IS_ENABLED(CONFIG_FB_DEFERRED_IO)
+ if (info->fbdefio)
+ fb_deferred_io_release(info);
+#endif
if (info->fbops->fb_release)
info->fbops->fb_release(info,1);
module_put(info->fbops->owner);
diff --git a/include/linux/fb.h b/include/linux/fb.h
index b322d30f6225..433cddf8442b 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -675,6 +675,7 @@ extern int fb_deferred_io_init(struct fb_info *info);
extern void fb_deferred_io_open(struct fb_info *info,
struct inode *inode,
struct file *file);
+extern void fb_deferred_io_release(struct fb_info *info);
extern void fb_deferred_io_cleanup(struct fb_info *info);
extern int fb_deferred_io_fsync(struct file *file, loff_t start,
loff_t end, int datasync);
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 452/476] fbdev: Fix incorrect page mapping clearance at fb_deferred_io_release()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 451/476] fbdev: Fix invalid page access after closing deferred I/O devices Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 453/476] fbdev: flush deferred IO before closing Greg Kroah-Hartman
` (33 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Patrik Jakobsson,
Thomas Zimmermann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit fe9ae05cfbe587dda724fcf537c00bc2f287da62 ]
The recent fix for the deferred I/O by the commit
3efc61d95259 ("fbdev: Fix invalid page access after closing deferred I/O devices")
caused a regression when the same fb device is opened/closed while
it's being used. It resulted in a frozen screen even if something
is redrawn there after the close. The breakage is because the patch
was made under a wrong assumption of a single open; in the current
code, fb_deferred_io_release() cleans up the page mapping of the
pageref list and it calls cancel_delayed_work_sync() unconditionally,
where both are no correct behavior for multiple opens.
This patch adds a refcount for the opens of the device, and applies
the cleanup only when all files get closed.
As both fb_deferred_io_open() and _close() are called always in the
fb_info lock (mutex), it's safe to use the normal int for the
refcounting.
Also, a useless BUG_ON() is dropped.
Fixes: 3efc61d95259 ("fbdev: Fix invalid page access after closing deferred I/O devices")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20230308105012.1845-1-tiwai@suse.de
Stable-dep-of: 33cd6ea9c067 ("fbdev: flush deferred IO before closing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fb_defio.c | 17 +++++++++++++----
include/linux/fb.h | 1 +
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index b3f41f432ec2..7e76e53b83d5 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -288,17 +288,18 @@ void fb_deferred_io_open(struct fb_info *info,
struct inode *inode,
struct file *file)
{
+ struct fb_deferred_io *fbdefio = info->fbdefio;
+
file->f_mapping->a_ops = &fb_deferred_io_aops;
+ fbdefio->open_count++;
}
EXPORT_SYMBOL_GPL(fb_deferred_io_open);
-void fb_deferred_io_release(struct fb_info *info)
+static void fb_deferred_io_lastclose(struct fb_info *info)
{
- struct fb_deferred_io *fbdefio = info->fbdefio;
struct page *page;
int i;
- BUG_ON(!fbdefio);
cancel_delayed_work_sync(&info->deferred_work);
/* clear out the mapping that we setup */
@@ -307,13 +308,21 @@ void fb_deferred_io_release(struct fb_info *info)
page->mapping = NULL;
}
}
+
+void fb_deferred_io_release(struct fb_info *info)
+{
+ struct fb_deferred_io *fbdefio = info->fbdefio;
+
+ if (!--fbdefio->open_count)
+ fb_deferred_io_lastclose(info);
+}
EXPORT_SYMBOL_GPL(fb_deferred_io_release);
void fb_deferred_io_cleanup(struct fb_info *info)
{
struct fb_deferred_io *fbdefio = info->fbdefio;
- fb_deferred_io_release(info);
+ fb_deferred_io_lastclose(info);
kvfree(info->pagerefs);
mutex_destroy(&fbdefio->lock);
diff --git a/include/linux/fb.h b/include/linux/fb.h
index 433cddf8442b..b79a833524ef 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -212,6 +212,7 @@ struct fb_deferred_io {
/* delay between mkwrite and deferred handler */
unsigned long delay;
bool sort_pagereflist; /* sort pagelist by offset */
+ int open_count; /* number of opened files; protected by fb_info lock */
struct mutex lock; /* mutex that protects the pageref list */
struct list_head pagereflist; /* list of pagerefs for touched pages */
/* callback */
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 453/476] fbdev: flush deferred IO before closing
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 452/476] fbdev: Fix incorrect page mapping clearance at fb_deferred_io_release() Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 454/476] scripts/decode_stacktrace.sh: support old bash version Greg Kroah-Hartman
` (32 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nam Cao, Sebastian Andrzej Siewior,
Helge Deller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
[ Upstream commit 33cd6ea9c0673517cdb06ad5c915c6f22e9615fc ]
When framebuffer gets closed, the queued deferred IO gets cancelled. This
can cause some last display data to vanish. This is problematic for users
who send a still image to the framebuffer, then close the file: the image
may never appear.
To ensure none of display data get lost, flush the queued deferred IO
first before closing.
Another possible solution is to delete the cancel_delayed_work_sync()
instead. The difference is that the display may appear some time after
closing. However, the clearing of page mapping after this needs to be
removed too, because the page mapping is used by the deferred work. It is
not completely obvious whether it is okay to not clear the page mapping.
For a patch intended for stable trees, go with the simple and obvious
solution.
Fixes: 60b59beafba8 ("fbdev: mm: Deferred IO support")
Cc: stable@vger.kernel.org
Signed-off-by: Nam Cao <namcao@linutronix.de>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fb_defio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index 7e76e53b83d5..1f12c2043603 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -300,7 +300,7 @@ static void fb_deferred_io_lastclose(struct fb_info *info)
struct page *page;
int i;
- cancel_delayed_work_sync(&info->deferred_work);
+ flush_delayed_work(&info->deferred_work);
/* clear out the mapping that we setup */
for (i = 0 ; i < info->fix.smem_len; i += PAGE_SIZE) {
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 454/476] scripts/decode_stacktrace.sh: support old bash version
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 453/476] fbdev: flush deferred IO before closing Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 455/476] scripts: decode_stacktrace: demangle Rust symbols Greg Kroah-Hartman
` (31 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Schspa Shi, Stephen Boyd,
Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Schspa Shi <schspa@gmail.com>
[ Upstream commit 3af8acf6aff2a98731522b52927429760f0b8006 ]
Old bash version don't support associative array variables. Avoid to use
associative array variables to avoid error.
Without this, old bash version will report error as fellowing
[ 15.954042] Kernel panic - not syncing: sysrq triggered crash
[ 15.955252] CPU: 1 PID: 167 Comm: sh Not tainted 5.18.0-rc1-00208-gb7d075db2fd5 #4
[ 15.956472] Hardware name: Hobot J5 Virtual development board (DT)
[ 15.957856] Call trace:
./scripts/decode_stacktrace.sh: line 128: ,dump_backtrace: syntax error: operand expected (error token is ",dump_backtrace")
Link: https://lkml.kernel.org/r/20220409180331.24047-1-schspa@gmail.com
Signed-off-by: Schspa Shi <schspa@gmail.com>
Cc: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: efbd63983533 ("scripts/decode_stacktrace.sh: optionally use LLVM utilities")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/decode_stacktrace.sh | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
index 5fbad61fe490..7075e26ab2c4 100755
--- a/scripts/decode_stacktrace.sh
+++ b/scripts/decode_stacktrace.sh
@@ -45,8 +45,13 @@ else
fi
fi
-declare -A cache
-declare -A modcache
+declare aarray_support=true
+declare -A cache 2>/dev/null
+if [[ $? != 0 ]]; then
+ aarray_support=false
+else
+ declare -A modcache
+fi
find_module() {
if [[ -n $debuginfod ]] ; then
@@ -97,7 +102,7 @@ parse_symbol() {
if [[ $module == "" ]] ; then
local objfile=$vmlinux
- elif [[ "${modcache[$module]+isset}" == "isset" ]]; then
+ elif [[ $aarray_support == true && "${modcache[$module]+isset}" == "isset" ]]; then
local objfile=${modcache[$module]}
else
local objfile=$(find_module)
@@ -105,7 +110,9 @@ parse_symbol() {
echo "WARNING! Modules path isn't set, but is needed to parse this symbol" >&2
return
fi
- modcache[$module]=$objfile
+ if [[ $aarray_support == true ]]; then
+ modcache[$module]=$objfile
+ fi
fi
# Remove the englobing parenthesis
@@ -125,7 +132,7 @@ parse_symbol() {
# Use 'nm vmlinux' to figure out the base address of said symbol.
# It's actually faster to call it every time than to load it
# all into bash.
- if [[ "${cache[$module,$name]+isset}" == "isset" ]]; then
+ if [[ $aarray_support == true && "${cache[$module,$name]+isset}" == "isset" ]]; then
local base_addr=${cache[$module,$name]}
else
local base_addr=$(nm "$objfile" 2>/dev/null | awk '$3 == "'$name'" && ($2 == "t" || $2 == "T") {print $1; exit}')
@@ -133,7 +140,9 @@ parse_symbol() {
# address not found
return
fi
- cache[$module,$name]="$base_addr"
+ if [[ $aarray_support == true ]]; then
+ cache[$module,$name]="$base_addr"
+ fi
fi
# Let's start doing the math to get the exact address into the
# symbol. First, strip out the symbol total length.
@@ -149,11 +158,13 @@ parse_symbol() {
# Pass it to addr2line to get filename and line number
# Could get more than one result
- if [[ "${cache[$module,$address]+isset}" == "isset" ]]; then
+ if [[ $aarray_support == true && "${cache[$module,$address]+isset}" == "isset" ]]; then
local code=${cache[$module,$address]}
else
local code=$(${CROSS_COMPILE}addr2line -i -e "$objfile" "$address" 2>/dev/null)
- cache[$module,$address]=$code
+ if [[ $aarray_support == true ]]; then
+ cache[$module,$address]=$code
+ fi
fi
# addr2line doesn't return a proper error code if it fails, so
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 455/476] scripts: decode_stacktrace: demangle Rust symbols
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 454/476] scripts/decode_stacktrace.sh: support old bash version Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 456/476] scripts/decode_stacktrace.sh: optionally use LLVM utilities Greg Kroah-Hartman
` (30 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Alex Gaynor,
Wedson Almeida Filho, Miguel Ojeda, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
[ Upstream commit 99115db4ecc87af73415939439ec604ea0531e6f ]
Recent versions of both Binutils (`c++filt`) and LLVM (`llvm-cxxfilt`)
provide Rust v0 mangling support.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Co-developed-by: Alex Gaynor <alex.gaynor@gmail.com>
Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-developed-by: Wedson Almeida Filho <wedsonaf@google.com>
Signed-off-by: Wedson Almeida Filho <wedsonaf@google.com>
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Stable-dep-of: efbd63983533 ("scripts/decode_stacktrace.sh: optionally use LLVM utilities")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/decode_stacktrace.sh | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
index 7075e26ab2c4..564c5632e1a2 100755
--- a/scripts/decode_stacktrace.sh
+++ b/scripts/decode_stacktrace.sh
@@ -8,6 +8,14 @@ usage() {
echo " $0 -r <release> | <vmlinux> [<base path>|auto] [<modules path>]"
}
+# Try to find a Rust demangler
+if type llvm-cxxfilt >/dev/null 2>&1 ; then
+ cppfilt=llvm-cxxfilt
+elif type c++filt >/dev/null 2>&1 ; then
+ cppfilt=c++filt
+ cppfilt_opts=-i
+fi
+
if [[ $1 == "-r" ]] ; then
vmlinux=""
basepath="auto"
@@ -180,6 +188,12 @@ parse_symbol() {
# In the case of inlines, move everything to same line
code=${code//$'\n'/' '}
+ # Demangle if the name looks like a Rust symbol and if
+ # we got a Rust demangler
+ if [[ $name =~ ^_R && $cppfilt != "" ]] ; then
+ name=$("$cppfilt" "$cppfilt_opts" "$name")
+ fi
+
# Replace old address with pretty line numbers
symbol="$segment$name ($code)"
}
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 456/476] scripts/decode_stacktrace.sh: optionally use LLVM utilities
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 455/476] scripts: decode_stacktrace: demangle Rust symbols Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 457/476] netfilter: ipset: fix performance regression in swap operation Greg Kroah-Hartman
` (29 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Llamas, Nick Desaulniers,
Elliot Berman, Justin Stitt, Will Deacon, John Stultz,
Masahiro Yamada, Nathan Chancellor, Tom Rix, Andrew Morton,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
[ Upstream commit efbd6398353315b7018e6943e41fee9ec35e875f ]
GNU's addr2line can have problems parsing a vmlinux built with LLVM,
particularly when LTO was used. In order to decode the traces correctly
this patch adds the ability to switch to LLVM's utilities readelf and
addr2line. The same approach is followed by Will in [1].
Before:
$ scripts/decode_stacktrace.sh vmlinux < kernel.log
[17716.240635] Call trace:
[17716.240646] skb_cow_data (??:?)
[17716.240654] esp6_input (ld-temp.o:?)
[17716.240666] xfrm_input (ld-temp.o:?)
[17716.240674] xfrm6_rcv (??:?)
[...]
After:
$ LLVM=1 scripts/decode_stacktrace.sh vmlinux < kernel.log
[17716.240635] Call trace:
[17716.240646] skb_cow_data (include/linux/skbuff.h:2172 net/core/skbuff.c:4503)
[17716.240654] esp6_input (net/ipv6/esp6.c:977)
[17716.240666] xfrm_input (net/xfrm/xfrm_input.c:659)
[17716.240674] xfrm6_rcv (net/ipv6/xfrm6_input.c:172)
[...]
Note that one could set CROSS_COMPILE=llvm- instead to hack around this
issue. However, doing so can break the decodecode routine as it will
force the selection of other LLVM utilities down the line e.g. llvm-as.
[1] https://lore.kernel.org/all/20230914131225.13415-3-will@kernel.org/
Link: https://lkml.kernel.org/r/20230929034836.403735-1-cmllamas@google.com
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Elliot Berman <quic_eberman@quicinc.com>
Tested-by: Justin Stitt <justinstitt@google.com>
Cc: Will Deacon <will@kernel.org>
Cc: John Stultz <jstultz@google.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Tom Rix <trix@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/decode_stacktrace.sh | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
index 564c5632e1a2..bfe5a4082d8e 100755
--- a/scripts/decode_stacktrace.sh
+++ b/scripts/decode_stacktrace.sh
@@ -16,6 +16,21 @@ elif type c++filt >/dev/null 2>&1 ; then
cppfilt_opts=-i
fi
+UTIL_SUFFIX=
+if [[ -z ${LLVM:-} ]]; then
+ UTIL_PREFIX=${CROSS_COMPILE:-}
+else
+ UTIL_PREFIX=llvm-
+ if [[ ${LLVM} == */ ]]; then
+ UTIL_PREFIX=${LLVM}${UTIL_PREFIX}
+ elif [[ ${LLVM} == -* ]]; then
+ UTIL_SUFFIX=${LLVM}
+ fi
+fi
+
+READELF=${UTIL_PREFIX}readelf${UTIL_SUFFIX}
+ADDR2LINE=${UTIL_PREFIX}addr2line${UTIL_SUFFIX}
+
if [[ $1 == "-r" ]] ; then
vmlinux=""
basepath="auto"
@@ -75,7 +90,7 @@ find_module() {
if [[ "$modpath" != "" ]] ; then
for fn in $(find "$modpath" -name "${module//_/[-_]}.ko*") ; do
- if readelf -WS "$fn" | grep -qwF .debug_line ; then
+ if ${READELF} -WS "$fn" | grep -qwF .debug_line ; then
echo $fn
return
fi
@@ -169,7 +184,7 @@ parse_symbol() {
if [[ $aarray_support == true && "${cache[$module,$address]+isset}" == "isset" ]]; then
local code=${cache[$module,$address]}
else
- local code=$(${CROSS_COMPILE}addr2line -i -e "$objfile" "$address" 2>/dev/null)
+ local code=$(${ADDR2LINE} -i -e "$objfile" "$address" 2>/dev/null)
if [[ $aarray_support == true ]]; then
cache[$module,$address]=$code
fi
--
2.43.0
^ permalink raw reply related [flat|nested] 506+ messages in thread
* [PATCH 5.15 457/476] netfilter: ipset: fix performance regression in swap operation
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 456/476] scripts/decode_stacktrace.sh: optionally use LLVM utilities Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 458/476] hrtimer: Ignore slack time for RT tasks in schedule_hrtimeout_range() Greg Kroah-Hartman
` (28 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ale Crismani, David Wang,
Jozsef Kadlecsik, Pablo Neira Ayuso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jozsef Kadlecsik <kadlec@netfilter.org>
commit 97f7cf1cd80eeed3b7c808b7c12463295c751001 upstream.
The patch "netfilter: ipset: fix race condition between swap/destroy
and kernel side add/del/test", commit 28628fa9 fixes a race condition.
But the synchronize_rcu() added to the swap function unnecessarily slows
it down: it can safely be moved to destroy and use call_rcu() instead.
Eric Dumazet pointed out that simply calling the destroy functions as
rcu callback does not work: sets with timeout use garbage collectors
which need cancelling at destroy which can wait. Therefore the destroy
functions are split into two: cancelling garbage collectors safely at
executing the command received by netlink and moving the remaining
part only into the rcu callback.
Link: https://lore.kernel.org/lkml/C0829B10-EAA6-4809-874E-E1E9C05A8D84@automattic.com/
Fixes: 28628fa952fe ("netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test")
Reported-by: Ale Crismani <ale.crismani@automattic.com>
Reported-by: David Wang <00107082@163.com>
Tested-by: David Wang <00107082@163.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/netfilter/ipset/ip_set.h | 4 +++
net/netfilter/ipset/ip_set_bitmap_gen.h | 14 +++++++++---
net/netfilter/ipset/ip_set_core.c | 37 ++++++++++++++++++++++++--------
net/netfilter/ipset/ip_set_hash_gen.h | 15 ++++++++++--
net/netfilter/ipset/ip_set_list_set.c | 13 ++++++++---
5 files changed, 65 insertions(+), 18 deletions(-)
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -186,6 +186,8 @@ struct ip_set_type_variant {
/* Return true if "b" set is the same as "a"
* according to the create set parameters */
bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
+ /* Cancel ongoing garbage collectors before destroying the set*/
+ void (*cancel_gc)(struct ip_set *set);
/* Region-locking is used */
bool region_lock;
};
@@ -242,6 +244,8 @@ extern void ip_set_type_unregister(struc
/* A generic IP set */
struct ip_set {
+ /* For call_cru in destroy */
+ struct rcu_head rcu;
/* The name of the set */
char name[IPSET_MAXNAMELEN];
/* Lock protecting the set data */
--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
+++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
@@ -28,6 +28,7 @@
#define mtype_del IPSET_TOKEN(MTYPE, _del)
#define mtype_list IPSET_TOKEN(MTYPE, _list)
#define mtype_gc IPSET_TOKEN(MTYPE, _gc)
+#define mtype_cancel_gc IPSET_TOKEN(MTYPE, _cancel_gc)
#define mtype MTYPE
#define get_ext(set, map, id) ((map)->extensions + ((set)->dsize * (id)))
@@ -57,9 +58,6 @@ mtype_destroy(struct ip_set *set)
{
struct mtype *map = set->data;
- if (SET_WITH_TIMEOUT(set))
- del_timer_sync(&map->gc);
-
if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
mtype_ext_cleanup(set);
ip_set_free(map->members);
@@ -288,6 +286,15 @@ mtype_gc(struct timer_list *t)
add_timer(&map->gc);
}
+static void
+mtype_cancel_gc(struct ip_set *set)
+{
+ struct mtype *map = set->data;
+
+ if (SET_WITH_TIMEOUT(set))
+ del_timer_sync(&map->gc);
+}
+
static const struct ip_set_type_variant mtype = {
.kadt = mtype_kadt,
.uadt = mtype_uadt,
@@ -301,6 +308,7 @@ static const struct ip_set_type_variant
.head = mtype_head,
.list = mtype_list,
.same_set = mtype_same_set,
+ .cancel_gc = mtype_cancel_gc,
};
#endif /* __IP_SET_BITMAP_IP_GEN_H */
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1184,6 +1184,14 @@ ip_set_destroy_set(struct ip_set *set)
kfree(set);
}
+static void
+ip_set_destroy_set_rcu(struct rcu_head *head)
+{
+ struct ip_set *set = container_of(head, struct ip_set, rcu);
+
+ ip_set_destroy_set(set);
+}
+
static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info,
const struct nlattr * const attr[])
{
@@ -1195,8 +1203,6 @@ static int ip_set_destroy(struct sk_buff
if (unlikely(protocol_min_failed(attr)))
return -IPSET_ERR_PROTOCOL;
- /* Must wait for flush to be really finished in list:set */
- rcu_barrier();
/* Commands are serialized and references are
* protected by the ip_set_ref_lock.
@@ -1208,8 +1214,10 @@ static int ip_set_destroy(struct sk_buff
* counter, so if it's already zero, we can proceed
* without holding the lock.
*/
- read_lock_bh(&ip_set_ref_lock);
if (!attr[IPSET_ATTR_SETNAME]) {
+ /* Must wait for flush to be really finished in list:set */
+ rcu_barrier();
+ read_lock_bh(&ip_set_ref_lock);
for (i = 0; i < inst->ip_set_max; i++) {
s = ip_set(inst, i);
if (s && (s->ref || s->ref_netlink)) {
@@ -1223,6 +1231,8 @@ static int ip_set_destroy(struct sk_buff
s = ip_set(inst, i);
if (s) {
ip_set(inst, i) = NULL;
+ /* Must cancel garbage collectors */
+ s->variant->cancel_gc(s);
ip_set_destroy_set(s);
}
}
@@ -1230,6 +1240,9 @@ static int ip_set_destroy(struct sk_buff
inst->is_destroyed = false;
} else {
u32 flags = flag_exist(info->nlh);
+ u16 features = 0;
+
+ read_lock_bh(&ip_set_ref_lock);
s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
&i);
if (!s) {
@@ -1240,10 +1253,16 @@ static int ip_set_destroy(struct sk_buff
ret = -IPSET_ERR_BUSY;
goto out;
}
+ features = s->type->features;
ip_set(inst, i) = NULL;
read_unlock_bh(&ip_set_ref_lock);
-
- ip_set_destroy_set(s);
+ if (features & IPSET_TYPE_NAME) {
+ /* Must wait for flush to be really finished */
+ rcu_barrier();
+ }
+ /* Must cancel garbage collectors */
+ s->variant->cancel_gc(s);
+ call_rcu(&s->rcu, ip_set_destroy_set_rcu);
}
return 0;
out:
@@ -1396,9 +1415,6 @@ static int ip_set_swap(struct sk_buff *s
ip_set(inst, to_id) = from;
write_unlock_bh(&ip_set_ref_lock);
- /* Make sure all readers of the old set pointers are completed. */
- synchronize_rcu();
-
return 0;
}
@@ -2409,8 +2425,11 @@ ip_set_fini(void)
{
nf_unregister_sockopt(&so_set);
nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
-
unregister_pernet_subsys(&ip_set_net_ops);
+
+ /* Wait for call_rcu() in destroy */
+ rcu_barrier();
+
pr_debug("these are the famous last words\n");
}
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -210,6 +210,7 @@ htable_size(u8 hbits)
#undef mtype_gc_do
#undef mtype_gc
#undef mtype_gc_init
+#undef mtype_cancel_gc
#undef mtype_variant
#undef mtype_data_match
@@ -254,6 +255,7 @@ htable_size(u8 hbits)
#define mtype_gc_do IPSET_TOKEN(MTYPE, _gc_do)
#define mtype_gc IPSET_TOKEN(MTYPE, _gc)
#define mtype_gc_init IPSET_TOKEN(MTYPE, _gc_init)
+#define mtype_cancel_gc IPSET_TOKEN(MTYPE, _cancel_gc)
#define mtype_variant IPSET_TOKEN(MTYPE, _variant)
#define mtype_data_match IPSET_TOKEN(MTYPE, _data_match)
@@ -437,9 +439,6 @@ mtype_destroy(struct ip_set *set)
struct htype *h = set->data;
struct list_head *l, *lt;
- if (SET_WITH_TIMEOUT(set))
- cancel_delayed_work_sync(&h->gc.dwork);
-
mtype_ahash_destroy(set, ipset_dereference_nfnl(h->table), true);
list_for_each_safe(l, lt, &h->ad) {
list_del(l);
@@ -586,6 +585,15 @@ mtype_gc_init(struct htable_gc *gc)
queue_delayed_work(system_power_efficient_wq, &gc->dwork, HZ);
}
+static void
+mtype_cancel_gc(struct ip_set *set)
+{
+ struct htype *h = set->data;
+
+ if (SET_WITH_TIMEOUT(set))
+ cancel_delayed_work_sync(&h->gc.dwork);
+}
+
static int
mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
struct ip_set_ext *mext, u32 flags);
@@ -1416,6 +1424,7 @@ static const struct ip_set_type_variant
.uref = mtype_uref,
.resize = mtype_resize,
.same_set = mtype_same_set,
+ .cancel_gc = mtype_cancel_gc,
.region_lock = true,
};
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -426,9 +426,6 @@ list_set_destroy(struct ip_set *set)
struct list_set *map = set->data;
struct set_elem *e, *n;
- if (SET_WITH_TIMEOUT(set))
- del_timer_sync(&map->gc);
-
list_for_each_entry_safe(e, n, &map->members, list) {
list_del(&e->list);
ip_set_put_byindex(map->net, e->id);
@@ -545,6 +542,15 @@ list_set_same_set(const struct ip_set *a
a->extensions == b->extensions;
}
+static void
+list_set_cancel_gc(struct ip_set *set)
+{
+ struct list_set *map = set->data;
+
+ if (SET_WITH_TIMEOUT(set))
+ del_timer_sync(&map->gc);
+}
+
static const struct ip_set_type_variant set_variant = {
.kadt = list_set_kadt,
.uadt = list_set_uadt,
@@ -558,6 +564,7 @@ static const struct ip_set_type_variant
.head = list_set_head,
.list = list_set_list,
.same_set = list_set_same_set,
+ .cancel_gc = list_set_cancel_gc,
};
static void
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 458/476] hrtimer: Ignore slack time for RT tasks in schedule_hrtimeout_range()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 457/476] netfilter: ipset: fix performance regression in swap operation Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 459/476] net: prevent mss overflow in skb_segment() Greg Kroah-Hartman
` (27 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Davidlohr Bueso, Thomas Gleixner,
Felix Moessbauer
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso <dave@stgolabs.net>
commit 0c52310f260014d95c1310364379772cb74cf82d upstream.
While in theory the timer can be triggered before expires + delta, for the
cases of RT tasks they really have no business giving any lenience for
extra slack time, so override any passed value by the user and always use
zero for schedule_hrtimeout_range() calls. Furthermore, this is similar to
what the nanosleep(2) family already does with current->timer_slack_ns.
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20230123173206.6764-3-dave@stgolabs.net
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/hrtimer.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -2266,7 +2266,7 @@ void __init hrtimers_init(void)
/**
* schedule_hrtimeout_range_clock - sleep until timeout
* @expires: timeout value (ktime_t)
- * @delta: slack in expires timeout (ktime_t)
+ * @delta: slack in expires timeout (ktime_t) for SCHED_OTHER tasks
* @mode: timer mode
* @clock_id: timer clock to be used
*/
@@ -2293,6 +2293,13 @@ schedule_hrtimeout_range_clock(ktime_t *
return -EINTR;
}
+ /*
+ * Override any slack passed by the user if under
+ * rt contraints.
+ */
+ if (rt_task(current))
+ delta = 0;
+
hrtimer_init_sleeper_on_stack(&t, clock_id, mode);
hrtimer_set_expires_range_ns(&t.timer, *expires, delta);
hrtimer_sleeper_start_expires(&t, mode);
@@ -2312,7 +2319,7 @@ EXPORT_SYMBOL_GPL(schedule_hrtimeout_ran
/**
* schedule_hrtimeout_range - sleep until timeout
* @expires: timeout value (ktime_t)
- * @delta: slack in expires timeout (ktime_t)
+ * @delta: slack in expires timeout (ktime_t) for SCHED_OTHER tasks
* @mode: timer mode
*
* Make the current task sleep until the given expiry time has
@@ -2320,7 +2327,8 @@ EXPORT_SYMBOL_GPL(schedule_hrtimeout_ran
* the current task state has been set (see set_current_state()).
*
* The @delta argument gives the kernel the freedom to schedule the
- * actual wakeup to a time that is both power and performance friendly.
+ * actual wakeup to a time that is both power and performance friendly
+ * for regular (non RT/DL) tasks.
* The kernel give the normal best effort behavior for "@expires+@delta",
* but may decide to fire the timer earlier, but no earlier than @expires.
*
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 459/476] net: prevent mss overflow in skb_segment()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 458/476] hrtimer: Ignore slack time for RT tasks in schedule_hrtimeout_range() Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 460/476] netfilter: ipset: Missing gc cancellations fixed Greg Kroah-Hartman
` (26 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
Marcelo Ricardo Leitner, Willem de Bruijn, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 23d05d563b7e7b0314e65c8e882bc27eac2da8e7 upstream.
Once again syzbot is able to crash the kernel in skb_segment() [1]
GSO_BY_FRAGS is a forbidden value, but unfortunately the following
computation in skb_segment() can reach it quite easily :
mss = mss * partial_segs;
65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
a bad final result.
Make sure to limit segmentation so that the new mss value is smaller
than GSO_BY_FRAGS.
[1]
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
__skb_gso_segment+0x339/0x710 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
packet_xmit+0x257/0x380 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3087 [inline]
packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8692032aa9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fixes: 3953c46c3ac7 ("sk_buff: allow segmenting based on frag sizes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20231212164621.4131800-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/skbuff.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4079,8 +4079,9 @@ struct sk_buff *skb_segment(struct sk_bu
/* GSO partial only requires that we trim off any excess that
* doesn't fit into an MSS sized block, so take care of that
* now.
+ * Cap len to not accidentally hit GSO_BY_FRAGS.
*/
- partial_segs = len / mss;
+ partial_segs = min(len, GSO_BY_FRAGS - 1U) / mss;
if (partial_segs > 1)
mss *= partial_segs;
else
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 460/476] netfilter: ipset: Missing gc cancellations fixed
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 459/476] net: prevent mss overflow in skb_segment() Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 461/476] sched/membarrier: reduce the ability to hammer on sys_membarrier Greg Kroah-Hartman
` (25 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+52bbc0ad036f6f0d4a25,
Brad Spengler,
Стас
Ничипорович,
Jozsef Kadlecsik, Pablo Neira Ayuso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jozsef Kadlecsik <kadlec@netfilter.org>
commit 27c5a095e2518975e20a10102908ae8231699879 upstream.
The patch fdb8e12cc2cc ("netfilter: ipset: fix performance regression
in swap operation") missed to add the calls to gc cancellations
at the error path of create operations and at module unload. Also,
because the half of the destroy operations now executed by a
function registered by call_rcu(), neither NFNL_SUBSYS_IPSET mutex
or rcu read lock is held and therefore the checking of them results
false warnings.
Fixes: 97f7cf1cd80e ("netfilter: ipset: fix performance regression in swap operation")
Reported-by: syzbot+52bbc0ad036f6f0d4a25@syzkaller.appspotmail.com
Reported-by: Brad Spengler <spender@grsecurity.net>
Reported-by: Стас Ничипорович <stasn77@gmail.com>
Tested-by: Brad Spengler <spender@grsecurity.net>
Tested-by: Стас Ничипорович <stasn77@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/ipset/ip_set_core.c | 2 ++
net/netfilter/ipset/ip_set_hash_gen.h | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1156,6 +1156,7 @@ static int ip_set_create(struct sk_buff
return ret;
cleanup:
+ set->variant->cancel_gc(set);
set->variant->destroy(set);
put_out:
module_put(set->type->me);
@@ -2378,6 +2379,7 @@ ip_set_net_exit(struct net *net)
set = ip_set(inst, i);
if (set) {
ip_set(inst, i) = NULL;
+ set->variant->cancel_gc(set);
ip_set_destroy_set(set);
}
}
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -419,7 +419,7 @@ mtype_ahash_destroy(struct ip_set *set,
u32 i;
for (i = 0; i < jhash_size(t->htable_bits); i++) {
- n = __ipset_dereference(hbucket(t, i));
+ n = (__force struct hbucket *)hbucket(t, i);
if (!n)
continue;
if (set->extensions & IPSET_EXT_DESTROY && ext_destroy)
@@ -439,7 +439,7 @@ mtype_destroy(struct ip_set *set)
struct htype *h = set->data;
struct list_head *l, *lt;
- mtype_ahash_destroy(set, ipset_dereference_nfnl(h->table), true);
+ mtype_ahash_destroy(set, (__force struct htable *)h->table, true);
list_for_each_safe(l, lt, &h->ad) {
list_del(l);
kfree(l);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 461/476] sched/membarrier: reduce the ability to hammer on sys_membarrier
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 460/476] netfilter: ipset: Missing gc cancellations fixed Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 462/476] nilfs2: fix potential bug in end_buffer_async_write Greg Kroah-Hartman
` (24 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov, Linus Torvalds,
Mathieu Desnoyers
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linuxfoundation.org>
commit 944d5fe50f3f03daacfea16300e656a1691c4a23 upstream.
On some systems, sys_membarrier can be very expensive, causing overall
slowdowns for everything. So put a lock on the path in order to
serialize the accesses to prevent the ability for this to be called at
too high of a frequency and saturate the machine.
Reviewed-and-tested-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Acked-by: Borislav Petkov <bp@alien8.de>
Fixes: 22e4ebb97582 ("membarrier: Provide expedited private command")
Fixes: c5f58bd58f43 ("membarrier: Provide GLOBAL_EXPEDITED command")
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ converted to explicit mutex_*() calls - cleanup.h is not in this stable
branch - gregkh ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/membarrier.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/kernel/sched/membarrier.c
+++ b/kernel/sched/membarrier.c
@@ -162,6 +162,8 @@
| MEMBARRIER_PRIVATE_EXPEDITED_SYNC_CORE_BITMASK \
| MEMBARRIER_PRIVATE_EXPEDITED_RSEQ_BITMASK)
+static DEFINE_MUTEX(membarrier_ipi_mutex);
+
static void ipi_mb(void *info)
{
smp_mb(); /* IPIs should be serializing but paranoid. */
@@ -259,6 +261,7 @@ static int membarrier_global_expedited(v
if (!zalloc_cpumask_var(&tmpmask, GFP_KERNEL))
return -ENOMEM;
+ mutex_lock(&membarrier_ipi_mutex);
cpus_read_lock();
rcu_read_lock();
for_each_online_cpu(cpu) {
@@ -304,6 +307,8 @@ static int membarrier_global_expedited(v
* rq->curr modification in scheduler.
*/
smp_mb(); /* exit from system call is not a mb */
+ mutex_unlock(&membarrier_ipi_mutex);
+
return 0;
}
@@ -347,6 +352,7 @@ static int membarrier_private_expedited(
if (cpu_id < 0 && !zalloc_cpumask_var(&tmpmask, GFP_KERNEL))
return -ENOMEM;
+ mutex_lock(&membarrier_ipi_mutex);
cpus_read_lock();
if (cpu_id >= 0) {
@@ -419,6 +425,7 @@ out:
* rq->curr modification in scheduler.
*/
smp_mb(); /* exit from system call is not a mb */
+ mutex_unlock(&membarrier_ipi_mutex);
return 0;
}
@@ -460,6 +467,7 @@ static int sync_runqueues_membarrier_sta
* between threads which are users of @mm has its membarrier state
* updated.
*/
+ mutex_lock(&membarrier_ipi_mutex);
cpus_read_lock();
rcu_read_lock();
for_each_online_cpu(cpu) {
@@ -476,6 +484,7 @@ static int sync_runqueues_membarrier_sta
free_cpumask_var(tmpmask);
cpus_read_unlock();
+ mutex_unlock(&membarrier_ipi_mutex);
return 0;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 462/476] nilfs2: fix potential bug in end_buffer_async_write
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 461/476] sched/membarrier: reduce the ability to hammer on sys_membarrier Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 463/476] nilfs2: replace WARN_ONs for invalid DAT metadata block requests Greg Kroah-Hartman
` (23 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
syzbot+5c04210f7c7f897c1e7f, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 5bc09b397cbf1221f8a8aacb1152650c9195b02b upstream.
According to a syzbot report, end_buffer_async_write(), which handles the
completion of block device writes, may detect abnormal condition of the
buffer async_write flag and cause a BUG_ON failure when using nilfs2.
Nilfs2 itself does not use end_buffer_async_write(). But, the async_write
flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue
with race condition of competition between segments for dirty blocks") as
a means of resolving double list insertion of dirty blocks in
nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the
resulting crash.
This modification is safe as long as it is used for file data and b-tree
node blocks where the page caches are independent. However, it was
irrelevant and redundant to also introduce async_write for segment summary
and super root blocks that share buffers with the backing device. This
led to the possibility that the BUG_ON check in end_buffer_async_write
would fail as described above, if independent writebacks of the backing
device occurred in parallel.
The use of async_write for segment summary buffers has already been
removed in a previous change.
Fix this issue by removing the manipulation of the async_write flag for
the remaining super root block buffer.
Link: https://lkml.kernel.org/r/20240203161645.4992-1-konishi.ryusuke@gmail.com
Fixes: 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+5c04210f7c7f897c1e7f@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/00000000000019a97c05fd42f8c8@google.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/segment.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -1702,7 +1702,6 @@ static void nilfs_segctor_prepare_write(
list_for_each_entry(bh, &segbuf->sb_payload_buffers,
b_assoc_buffers) {
- set_buffer_async_write(bh);
if (bh == segbuf->sb_super_root) {
if (bh->b_page != bd_page) {
lock_page(bd_page);
@@ -1713,6 +1712,7 @@ static void nilfs_segctor_prepare_write(
}
break;
}
+ set_buffer_async_write(bh);
if (bh->b_page != fs_page) {
nilfs_begin_page_io(fs_page);
fs_page = bh->b_page;
@@ -1798,7 +1798,6 @@ static void nilfs_abort_logs(struct list
list_for_each_entry(bh, &segbuf->sb_payload_buffers,
b_assoc_buffers) {
- clear_buffer_async_write(bh);
if (bh == segbuf->sb_super_root) {
clear_buffer_uptodate(bh);
if (bh->b_page != bd_page) {
@@ -1807,6 +1806,7 @@ static void nilfs_abort_logs(struct list
}
break;
}
+ clear_buffer_async_write(bh);
if (bh->b_page != fs_page) {
nilfs_end_page_io(fs_page, err);
fs_page = bh->b_page;
@@ -1894,8 +1894,9 @@ static void nilfs_segctor_complete_write
BIT(BH_Delay) | BIT(BH_NILFS_Volatile) |
BIT(BH_NILFS_Redirected));
- set_mask_bits(&bh->b_state, clear_bits, set_bits);
if (bh == segbuf->sb_super_root) {
+ set_buffer_uptodate(bh);
+ clear_buffer_dirty(bh);
if (bh->b_page != bd_page) {
end_page_writeback(bd_page);
bd_page = bh->b_page;
@@ -1903,6 +1904,7 @@ static void nilfs_segctor_complete_write
update_sr = true;
break;
}
+ set_mask_bits(&bh->b_state, clear_bits, set_bits);
if (bh->b_page != fs_page) {
nilfs_end_page_io(fs_page, 0);
fs_page = bh->b_page;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 463/476] nilfs2: replace WARN_ONs for invalid DAT metadata block requests
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 462/476] nilfs2: fix potential bug in end_buffer_async_write Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 464/476] dm: limit the number of targets and parameter size area Greg Kroah-Hartman
` (22 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
syzbot+5d5d25f90f195a3cfcb4, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 5124a0a549857c4b87173280e192eea24dea72ad upstream.
If DAT metadata file block access fails due to corruption of the DAT file
or abnormal virtual block numbers held by b-trees or inodes, a kernel
warning is generated.
This replaces the WARN_ONs by error output, so that a kernel, booted with
panic_on_warn, does not panic. This patch also replaces the detected
return code -ENOENT with another internal code -EINVAL to notify the bmap
layer of metadata corruption. When the bmap layer sees -EINVAL, it
handles the abnormal situation with nilfs_bmap_convert_error() and finally
returns code -EIO as it should.
Link: https://lkml.kernel.org/r/0000000000005cc3d205ea23ddcf@google.com
Link: https://lkml.kernel.org/r/20230126164114.6911-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: <syzbot+5d5d25f90f195a3cfcb4@syzkaller.appspotmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/dat.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
--- a/fs/nilfs2/dat.c
+++ b/fs/nilfs2/dat.c
@@ -40,8 +40,21 @@ static inline struct nilfs_dat_info *NIL
static int nilfs_dat_prepare_entry(struct inode *dat,
struct nilfs_palloc_req *req, int create)
{
- return nilfs_palloc_get_entry_block(dat, req->pr_entry_nr,
- create, &req->pr_entry_bh);
+ int ret;
+
+ ret = nilfs_palloc_get_entry_block(dat, req->pr_entry_nr,
+ create, &req->pr_entry_bh);
+ if (unlikely(ret == -ENOENT)) {
+ nilfs_err(dat->i_sb,
+ "DAT doesn't have a block to manage vblocknr = %llu",
+ (unsigned long long)req->pr_entry_nr);
+ /*
+ * Return internal code -EINVAL to notify bmap layer of
+ * metadata corruption.
+ */
+ ret = -EINVAL;
+ }
+ return ret;
}
static void nilfs_dat_commit_entry(struct inode *dat,
@@ -123,11 +136,7 @@ static void nilfs_dat_commit_free(struct
int nilfs_dat_prepare_start(struct inode *dat, struct nilfs_palloc_req *req)
{
- int ret;
-
- ret = nilfs_dat_prepare_entry(dat, req, 0);
- WARN_ON(ret == -ENOENT);
- return ret;
+ return nilfs_dat_prepare_entry(dat, req, 0);
}
void nilfs_dat_commit_start(struct inode *dat, struct nilfs_palloc_req *req,
@@ -154,10 +163,8 @@ int nilfs_dat_prepare_end(struct inode *
int ret;
ret = nilfs_dat_prepare_entry(dat, req, 0);
- if (ret < 0) {
- WARN_ON(ret == -ENOENT);
+ if (ret < 0)
return ret;
- }
kaddr = kmap_atomic(req->pr_entry_bh->b_page);
entry = nilfs_palloc_block_get_entry(dat, req->pr_entry_nr,
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 464/476] dm: limit the number of targets and parameter size area
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 463/476] nilfs2: replace WARN_ONs for invalid DAT metadata block requests Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 465/476] arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata Greg Kroah-Hartman
` (21 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Mike Snitzer, He Gao
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit bd504bcfec41a503b32054da5472904b404341a4 upstream.
The kvmalloc function fails with a warning if the size is larger than
INT_MAX. The warning was triggered by a syscall testing robot.
In order to avoid the warning, this commit limits the number of targets to
1048576 and the size of the parameter area to 1073741824.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: He Gao <hegao@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-core.h | 2 ++
drivers/md/dm-ioctl.c | 3 ++-
drivers/md/dm-table.c | 9 +++++++--
3 files changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/md/dm-core.h
+++ b/drivers/md/dm-core.h
@@ -21,6 +21,8 @@
#include "dm-ima.h"
#define DM_RESERVED_MAX_IOS 1024
+#define DM_MAX_TARGETS 1048576
+#define DM_MAX_TARGET_PARAMS 1024
struct dm_kobject_holder {
struct kobject kobj;
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1859,7 +1859,8 @@ static int copy_params(struct dm_ioctl _
if (copy_from_user(param_kernel, user, minimum_data_size))
return -EFAULT;
- if (param_kernel->data_size < minimum_data_size)
+ if (unlikely(param_kernel->data_size < minimum_data_size) ||
+ unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS))
return -EINVAL;
secure_data = param_kernel->flags & DM_SECURE_DATA_FLAG;
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -126,7 +126,12 @@ static int alloc_targets(struct dm_table
int dm_table_create(struct dm_table **result, fmode_t mode,
unsigned num_targets, struct mapped_device *md)
{
- struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL);
+ struct dm_table *t;
+
+ if (num_targets > DM_MAX_TARGETS)
+ return -EOVERFLOW;
+
+ t = kzalloc(sizeof(*t), GFP_KERNEL);
if (!t)
return -ENOMEM;
@@ -140,7 +145,7 @@ int dm_table_create(struct dm_table **re
if (!num_targets) {
kfree(t);
- return -ENOMEM;
+ return -EOVERFLOW;
}
if (alloc_targets(t, num_targets)) {
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 465/476] arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 464/476] dm: limit the number of targets and parameter size area Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 466/476] PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend() Greg Kroah-Hartman
` (20 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Easwar Hariharan, Anshuman Khandual,
Mark Rutland, Marc Zyngier, Oliver Upton, Will Deacon
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Easwar Hariharan <eahariha@linux.microsoft.com>
commit fb091ff394792c018527b3211bbdfae93ea4ac02 upstream.
Add the MIDR value of Microsoft Azure Cobalt 100, which is a Microsoft
implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and therefore
suffers from all the same errata.
CC: stable@vger.kernel.org # 5.15+
Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20240214175522.2457857-1-eahariha@linux.microsoft.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/arm64/silicon-errata.rst | 7 +++++++
arch/arm64/include/asm/cputype.h | 4 ++++
arch/arm64/kernel/cpu_errata.c | 3 +++
3 files changed, 14 insertions(+)
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -198,3 +198,10 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| Fujitsu | A64FX | E#010001 | FUJITSU_ERRATUM_010001 |
+----------------+-----------------+-----------------+-----------------------------+
++----------------+-----------------+-----------------+-----------------------------+
+| Microsoft | Azure Cobalt 100| #2139208 | ARM64_ERRATUM_2139208 |
++----------------+-----------------+-----------------+-----------------------------+
+| Microsoft | Azure Cobalt 100| #2067961 | ARM64_ERRATUM_2067961 |
++----------------+-----------------+-----------------+-----------------------------+
+| Microsoft | Azure Cobalt 100| #2253138 | ARM64_ERRATUM_2253138 |
++----------------+-----------------+-----------------+-----------------------------+
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -61,6 +61,7 @@
#define ARM_CPU_IMP_HISI 0x48
#define ARM_CPU_IMP_APPLE 0x61
#define ARM_CPU_IMP_AMPERE 0xC0
+#define ARM_CPU_IMP_MICROSOFT 0x6D
#define ARM_CPU_PART_AEM_V8 0xD0F
#define ARM_CPU_PART_FOUNDATION 0xD00
@@ -116,6 +117,8 @@
#define AMPERE_CPU_PART_AMPERE1 0xAC3
+#define MICROSOFT_CPU_PART_AZURE_COBALT_100 0xD49 /* Based on r0p0 of ARM Neoverse N2 */
+
#define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53)
#define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57)
#define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72)
@@ -157,6 +160,7 @@
#define MIDR_APPLE_M1_ICESTORM MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M1_ICESTORM)
#define MIDR_APPLE_M1_FIRESTORM MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M1_FIRESTORM)
#define MIDR_AMPERE1 MIDR_CPU_MODEL(ARM_CPU_IMP_AMPERE, AMPERE_CPU_PART_AMPERE1)
+#define MIDR_MICROSOFT_AZURE_COBALT_100 MIDR_CPU_MODEL(ARM_CPU_IMP_MICROSOFT, MICROSOFT_CPU_PART_AZURE_COBALT_100)
/* Fujitsu Erratum 010001 affects A64FX 1.0 and 1.1, (v0r0 and v1r0) */
#define MIDR_FUJITSU_ERRATUM_010001 MIDR_FUJITSU_A64FX
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -367,6 +367,7 @@ static struct midr_range broken_aarch32_
static const struct midr_range trbe_overwrite_fill_mode_cpus[] = {
#ifdef CONFIG_ARM64_ERRATUM_2139208
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
#endif
#ifdef CONFIG_ARM64_ERRATUM_2119858
MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
@@ -379,6 +380,7 @@ static const struct midr_range trbe_over
static const struct midr_range tsb_flush_fail_cpus[] = {
#ifdef CONFIG_ARM64_ERRATUM_2067961
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
#endif
#ifdef CONFIG_ARM64_ERRATUM_2054223
MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
@@ -391,6 +393,7 @@ static const struct midr_range tsb_flush
static struct midr_range trbe_write_out_of_range_cpus[] = {
#ifdef CONFIG_ARM64_ERRATUM_2253138
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
#endif
#ifdef CONFIG_ARM64_ERRATUM_2224489
MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 466/476] PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 465/476] arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 467/476] drm/msm/dsi: Enable runtime PM Greg Kroah-Hartman
` (19 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Douglas Anderson,
Ulf Hansson, Rafael J. Wysocki, Amit Pundir
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit b4060db9251f919506e4d672737c6b8ab9a84701 ]
The PM Runtime docs say:
Drivers in ->remove() callback should undo the runtime PM changes done
in ->probe(). Usually this means calling pm_runtime_disable(),
pm_runtime_dont_use_autosuspend() etc.
>From grepping code, it's clear that many people aren't aware of the
need to call pm_runtime_dont_use_autosuspend().
When brainstorming solutions, one idea that came up was to leverage
the new-ish devm_pm_runtime_enable() function. The idea here is that:
* When the devm action is called we know that the driver is being
removed. It's the perfect time to undo the use_autosuspend.
* The code of pm_runtime_dont_use_autosuspend() already handles the
case of being called when autosuspend wasn't enabled.
Suggested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Stable-dep-of: 3d07a411b4fa ("drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks")
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/runtime.c | 5 +++++
include/linux/pm_runtime.h | 4 ++++
2 files changed, 9 insertions(+)
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1479,11 +1479,16 @@ EXPORT_SYMBOL_GPL(pm_runtime_enable);
static void pm_runtime_disable_action(void *data)
{
+ pm_runtime_dont_use_autosuspend(data);
pm_runtime_disable(data);
}
/**
* devm_pm_runtime_enable - devres-enabled version of pm_runtime_enable.
+ *
+ * NOTE: this will also handle calling pm_runtime_dont_use_autosuspend() for
+ * you at driver exit time if needed.
+ *
* @dev: Device to handle.
*/
int devm_pm_runtime_enable(struct device *dev)
--- a/include/linux/pm_runtime.h
+++ b/include/linux/pm_runtime.h
@@ -542,6 +542,10 @@ static inline void pm_runtime_disable(st
* Allow the runtime PM autosuspend mechanism to be used for @dev whenever
* requested (or "autosuspend" will be handled as direct runtime-suspend for
* it).
+ *
+ * NOTE: It's important to undo this with pm_runtime_dont_use_autosuspend()
+ * at driver exit time unless your driver initially enabled pm_runtime
+ * with devm_pm_runtime_enable() (which handles it for you).
*/
static inline void pm_runtime_use_autosuspend(struct device *dev)
{
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 467/476] drm/msm/dsi: Enable runtime PM
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 466/476] PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend() Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 468/476] Revert "selftests/bpf: Test tail call counting with bpf2bpf and data on stack" Greg Kroah-Hartman
` (18 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Amit Pundir
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@linaro.org>
[ Upstream commit 6ab502bc1cf3147ea1d8540d04b83a7a4cb6d1f1 ]
Some devices power the DSI PHY/PLL through a power rail that we model
as a GENPD. Enable runtime PM to make it suspendable.
Change-Id: I70b04b7fbf75ccf508ab2dcbe393dbb2be6e4eaa
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/543352/
Link: https://lore.kernel.org/r/20230620-topic-dsiphy_rpm-v2-2-a11a751f34f0@linaro.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Stable-dep-of: 3d07a411b4fa ("drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks")
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
+++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
@@ -752,6 +752,10 @@ static int dsi_phy_driver_probe(struct p
goto fail;
}
+ ret = devm_pm_runtime_enable(&pdev->dev);
+ if (ret)
+ return ret;
+
/* PLL init will call into clk_register which requires
* register access, so we need to enable power and ahb clock.
*/
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 468/476] Revert "selftests/bpf: Test tail call counting with bpf2bpf and data on stack"
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 467/476] drm/msm/dsi: Enable runtime PM Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 469/476] net: bcmgenet: Fix EEE implementation Greg Kroah-Hartman
` (17 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Samasth Norway Ananda
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
This reverts commit 3eefb2fbf4ec1c1ff239b8b65e6e78aae335e4a6.
libbpf support for "tc" progs doesn't exist for the linux-5.15.y tree.
This commit was backported too far back in upstream, to a kernel where
the libbpf support was not there for the test.
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/bpf/prog_tests/tailcalls.c | 55 ------------------
tools/testing/selftests/bpf/progs/tailcall_bpf2bpf6.c | 42 -------------
2 files changed, 97 deletions(-)
delete mode 100644 tools/testing/selftests/bpf/progs/tailcall_bpf2bpf6.c
--- a/tools/testing/selftests/bpf/prog_tests/tailcalls.c
+++ b/tools/testing/selftests/bpf/prog_tests/tailcalls.c
@@ -810,59 +810,6 @@ out:
bpf_object__close(obj);
}
-#include "tailcall_bpf2bpf6.skel.h"
-
-/* Tail call counting works even when there is data on stack which is
- * not aligned to 8 bytes.
- */
-static void test_tailcall_bpf2bpf_6(void)
-{
- struct tailcall_bpf2bpf6 *obj;
- int err, map_fd, prog_fd, main_fd, data_fd, i, val;
- LIBBPF_OPTS(bpf_test_run_opts, topts,
- .data_in = &pkt_v4,
- .data_size_in = sizeof(pkt_v4),
- .repeat = 1,
- );
-
- obj = tailcall_bpf2bpf6__open_and_load();
- if (!ASSERT_OK_PTR(obj, "open and load"))
- return;
-
- main_fd = bpf_program__fd(obj->progs.entry);
- if (!ASSERT_GE(main_fd, 0, "entry prog fd"))
- goto out;
-
- map_fd = bpf_map__fd(obj->maps.jmp_table);
- if (!ASSERT_GE(map_fd, 0, "jmp_table map fd"))
- goto out;
-
- prog_fd = bpf_program__fd(obj->progs.classifier_0);
- if (!ASSERT_GE(prog_fd, 0, "classifier_0 prog fd"))
- goto out;
-
- i = 0;
- err = bpf_map_update_elem(map_fd, &i, &prog_fd, BPF_ANY);
- if (!ASSERT_OK(err, "jmp_table map update"))
- goto out;
-
- err = bpf_prog_test_run_opts(main_fd, &topts);
- ASSERT_OK(err, "entry prog test run");
- ASSERT_EQ(topts.retval, 0, "tailcall retval");
-
- data_fd = bpf_map__fd(obj->maps.bss);
- if (!ASSERT_GE(data_fd, 0, "bss map fd"))
- goto out;
-
- i = 0;
- err = bpf_map_lookup_elem(data_fd, &i, &val);
- ASSERT_OK(err, "bss map lookup");
- ASSERT_EQ(val, 1, "done flag is set");
-
-out:
- tailcall_bpf2bpf6__destroy(obj);
-}
-
void test_tailcalls(void)
{
if (test__start_subtest("tailcall_1"))
@@ -885,6 +832,4 @@ void test_tailcalls(void)
test_tailcall_bpf2bpf_4(false);
if (test__start_subtest("tailcall_bpf2bpf_5"))
test_tailcall_bpf2bpf_4(true);
- if (test__start_subtest("tailcall_bpf2bpf_6"))
- test_tailcall_bpf2bpf_6();
}
--- a/tools/testing/selftests/bpf/progs/tailcall_bpf2bpf6.c
+++ /dev/null
@@ -1,42 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-
-#define __unused __attribute__((unused))
-
-struct {
- __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
- __uint(max_entries, 1);
- __uint(key_size, sizeof(__u32));
- __uint(value_size, sizeof(__u32));
-} jmp_table SEC(".maps");
-
-int done = 0;
-
-SEC("tc")
-int classifier_0(struct __sk_buff *skb __unused)
-{
- done = 1;
- return 0;
-}
-
-static __noinline
-int subprog_tail(struct __sk_buff *skb)
-{
- /* Don't propagate the constant to the caller */
- volatile int ret = 1;
-
- bpf_tail_call_static(skb, &jmp_table, 0);
- return ret;
-}
-
-SEC("tc")
-int entry(struct __sk_buff *skb)
-{
- /* Have data on stack which size is not a multiple of 8 */
- volatile char arr[1] = {};
-
- return subprog_tail(skb);
-}
-
-char __license[] SEC("license") = "GPL";
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 469/476] net: bcmgenet: Fix EEE implementation
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 468/476] Revert "selftests/bpf: Test tail call counting with bpf2bpf and data on stack" Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 470/476] fs/ntfs3: Add null pointer checks Greg Kroah-Hartman
` (16 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Russell King (Oracle),
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli <florian.fainelli@broadcom.com>
commit a9f31047baca57d47440c879cf259b86f900260c upstream.
We had a number of short comings:
- EEE must be re-evaluated whenever the state machine detects a link
change as wight be switching from a link partner with EEE
enabled/disabled
- tx_lpi_enabled controls whether EEE should be enabled/disabled for the
transmit path, which applies to the TBUF block
- We do not need to forcibly enable EEE upon system resume, as the PHY
state machine will trigger a link event that will do that, too
Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support")
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://lore.kernel.org/r/20230606214348.2408018-1-florian.fainelli@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++++++--------------
drivers/net/ethernet/broadcom/genet/bcmgenet.h | 3 +++
drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 ++++++
3 files changed, 17 insertions(+), 14 deletions(-)
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1248,7 +1248,8 @@ static void bcmgenet_get_ethtool_stats(s
}
}
-static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable)
+void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
+ bool tx_lpi_enabled)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL;
@@ -1268,7 +1269,7 @@ static void bcmgenet_eee_enable_set(stru
/* Enable EEE and switch to a 27Mhz clock automatically */
reg = bcmgenet_readl(priv->base + off);
- if (enable)
+ if (tx_lpi_enabled)
reg |= TBUF_EEE_EN | TBUF_PM_EN;
else
reg &= ~(TBUF_EEE_EN | TBUF_PM_EN);
@@ -1289,6 +1290,7 @@ static void bcmgenet_eee_enable_set(stru
priv->eee.eee_enabled = enable;
priv->eee.eee_active = enable;
+ priv->eee.tx_lpi_enabled = tx_lpi_enabled;
}
static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_eee *e)
@@ -1304,6 +1306,7 @@ static int bcmgenet_get_eee(struct net_d
e->eee_enabled = p->eee_enabled;
e->eee_active = p->eee_active;
+ e->tx_lpi_enabled = p->tx_lpi_enabled;
e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER);
return phy_ethtool_get_eee(dev->phydev, e);
@@ -1313,7 +1316,6 @@ static int bcmgenet_set_eee(struct net_d
{
struct bcmgenet_priv *priv = netdev_priv(dev);
struct ethtool_eee *p = &priv->eee;
- int ret = 0;
if (GENET_IS_V1(priv))
return -EOPNOTSUPP;
@@ -1324,16 +1326,11 @@ static int bcmgenet_set_eee(struct net_d
p->eee_enabled = e->eee_enabled;
if (!p->eee_enabled) {
- bcmgenet_eee_enable_set(dev, false);
+ bcmgenet_eee_enable_set(dev, false, false);
} else {
- ret = phy_init_eee(dev->phydev, 0);
- if (ret) {
- netif_err(priv, hw, dev, "EEE initialization failed\n");
- return ret;
- }
-
+ p->eee_active = phy_init_eee(dev->phydev, false) >= 0;
bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER);
- bcmgenet_eee_enable_set(dev, true);
+ bcmgenet_eee_enable_set(dev, p->eee_active, e->tx_lpi_enabled);
}
return phy_ethtool_set_eee(dev->phydev, e);
@@ -4219,9 +4216,6 @@ static int bcmgenet_resume(struct device
if (!device_may_wakeup(d))
phy_resume(dev->phydev);
- if (priv->eee.eee_enabled)
- bcmgenet_eee_enable_set(dev, true);
-
bcmgenet_netif_start(dev);
netif_device_attach(dev);
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -701,4 +701,7 @@ int bcmgenet_wol_power_down_cfg(struct b
void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv,
enum bcmgenet_power_mode mode);
+void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
+ bool tx_lpi_enabled);
+
#endif /* __BCMGENET_H__ */
--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
@@ -25,6 +25,7 @@
#include "bcmgenet.h"
+
/* setup netdev link state when PHY link status change and
* update UMAC and RGMII block when link up
*/
@@ -102,6 +103,11 @@ void bcmgenet_mii_setup(struct net_devic
reg |= CMD_TX_EN | CMD_RX_EN;
}
bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+
+ priv->eee.eee_active = phy_init_eee(phydev, 0) >= 0;
+ bcmgenet_eee_enable_set(dev,
+ priv->eee.eee_enabled && priv->eee.eee_active,
+ priv->eee.tx_lpi_enabled);
} else {
/* done if nothing has changed */
if (!status_changed)
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 470/476] fs/ntfs3: Add null pointer checks
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 469/476] net: bcmgenet: Fix EEE implementation Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 471/476] smb3: Replace smb2pdu 1-element arrays with flex-arrays Greg Kroah-Hartman
` (15 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Doebel, Bjoern
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit fc4992458e0aa2d2e82a25c922e6ac36c2d91083 upstream.
Added null pointer checks in function ntfs_security_init.
Also added le32_to_cpu in functions ntfs_security_init and indx_read.
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Cc: "Doebel, Bjoern" <doebel@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/fsntfs.c | 16 ++++++++++------
fs/ntfs3/index.c | 3 ++-
2 files changed, 12 insertions(+), 7 deletions(-)
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -1872,10 +1872,12 @@ int ntfs_security_init(struct ntfs_sb_in
goto out;
}
- root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT));
- if (root_sdh->type != ATTR_ZERO ||
+ if(!(root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT))) ||
+ root_sdh->type != ATTR_ZERO ||
root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH ||
- offsetof(struct INDEX_ROOT, ihdr) + root_sdh->ihdr.used > attr->res.data_size) {
+ offsetof(struct INDEX_ROOT, ihdr) +
+ le32_to_cpu(root_sdh->ihdr.used) >
+ le32_to_cpu(attr->res.data_size)) {
err = -EINVAL;
goto out;
}
@@ -1891,10 +1893,12 @@ int ntfs_security_init(struct ntfs_sb_in
goto out;
}
- root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT));
- if (root_sii->type != ATTR_ZERO ||
+ if(!(root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT))) ||
+ root_sii->type != ATTR_ZERO ||
root_sii->rule != NTFS_COLLATION_TYPE_UINT ||
- offsetof(struct INDEX_ROOT, ihdr) + root_sii->ihdr.used > attr->res.data_size) {
+ offsetof(struct INDEX_ROOT, ihdr) +
+ le32_to_cpu(root_sii->ihdr.used) >
+ le32_to_cpu(attr->res.data_size)) {
err = -EINVAL;
goto out;
}
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1106,7 +1106,8 @@ ok:
}
/* check for index header length */
- if (offsetof(struct INDEX_BUFFER, ihdr) + ib->ihdr.used > bytes) {
+ if (offsetof(struct INDEX_BUFFER, ihdr) + le32_to_cpu(ib->ihdr.used) >
+ bytes) {
err = -EINVAL;
goto out;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 471/476] smb3: Replace smb2pdu 1-element arrays with flex-arrays
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 470/476] fs/ntfs3: Add null pointer checks Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 472/476] staging: fbtft: core: set smem_len before fb_deferred_io_init call Greg Kroah-Hartman
` (14 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steve French, Paulo Alcantara,
Ronnie Sahlberg, Shyam Prasad N, Tom Talpey, Namjae Jeon,
Sergey Senozhatsky, linux-cifs, samba-technical, Kees Cook,
Steve French, Vasiliy Kovalev
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit eb3e28c1e89b4984308777231887e41aa8a0151f upstream.
The kernel is globally removing the ambiguous 0-length and 1-element
arrays in favor of flexible arrays, so that we can gain both compile-time
and run-time array bounds checking[1].
Replace the trailing 1-element array with a flexible array in the
following structures:
struct smb2_err_rsp
struct smb2_tree_connect_req
struct smb2_negotiate_rsp
struct smb2_sess_setup_req
struct smb2_sess_setup_rsp
struct smb2_read_req
struct smb2_read_rsp
struct smb2_write_req
struct smb2_write_rsp
struct smb2_query_directory_req
struct smb2_query_directory_rsp
struct smb2_set_info_req
struct smb2_change_notify_rsp
struct smb2_create_rsp
struct smb2_query_info_req
struct smb2_query_info_rsp
Replace the trailing 1-element array with a flexible array, but leave
the existing structure padding:
struct smb2_file_all_info
struct smb2_lock_req
Adjust all related size calculations to match the changes to sizeof().
No machine code output or .data section differences are produced after
these changes.
[1] For lots of details, see both:
https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays
https://people.kernel.org/kees/bounded-flexible-arrays-in-c
Cc: Steve French <sfrench@samba.org>
Cc: Paulo Alcantara <pc@cjr.nz>
Cc: Ronnie Sahlberg <lsahlber@redhat.com>
Cc: Shyam Prasad N <sprasad@microsoft.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Reviewed-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2misc.c | 2 +-
fs/cifs/smb2ops.c | 14 +++++++-------
fs/cifs/smb2pdu.c | 13 ++++++-------
fs/cifs/smb2pdu.h | 42 ++++++++++++++++++++++++------------------
4 files changed, 38 insertions(+), 33 deletions(-)
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -113,7 +113,7 @@ static __u32 get_neg_ctxt_len(struct smb
} else if (nc_offset + 1 == non_ctxlen) {
cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n");
size_of_pad_before_neg_ctxts = 0;
- } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE)
+ } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1)
/* has padding, but no SPNEGO blob */
size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1;
else
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -5826,7 +5826,7 @@ struct smb_version_values smb20_values =
.header_size = sizeof(struct smb2_sync_hdr),
.header_preamble_size = 0,
.max_header_size = MAX_SMB2_HDR_SIZE,
- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .read_rsp_size = sizeof(struct smb2_read_rsp),
.lock_cmd = SMB2_LOCK,
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
@@ -5848,7 +5848,7 @@ struct smb_version_values smb21_values =
.header_size = sizeof(struct smb2_sync_hdr),
.header_preamble_size = 0,
.max_header_size = MAX_SMB2_HDR_SIZE,
- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .read_rsp_size = sizeof(struct smb2_read_rsp),
.lock_cmd = SMB2_LOCK,
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
@@ -5869,7 +5869,7 @@ struct smb_version_values smb3any_values
.header_size = sizeof(struct smb2_sync_hdr),
.header_preamble_size = 0,
.max_header_size = MAX_SMB2_HDR_SIZE,
- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .read_rsp_size = sizeof(struct smb2_read_rsp),
.lock_cmd = SMB2_LOCK,
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
@@ -5890,7 +5890,7 @@ struct smb_version_values smbdefault_val
.header_size = sizeof(struct smb2_sync_hdr),
.header_preamble_size = 0,
.max_header_size = MAX_SMB2_HDR_SIZE,
- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .read_rsp_size = sizeof(struct smb2_read_rsp),
.lock_cmd = SMB2_LOCK,
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
@@ -5911,7 +5911,7 @@ struct smb_version_values smb30_values =
.header_size = sizeof(struct smb2_sync_hdr),
.header_preamble_size = 0,
.max_header_size = MAX_SMB2_HDR_SIZE,
- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .read_rsp_size = sizeof(struct smb2_read_rsp),
.lock_cmd = SMB2_LOCK,
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
@@ -5932,7 +5932,7 @@ struct smb_version_values smb302_values
.header_size = sizeof(struct smb2_sync_hdr),
.header_preamble_size = 0,
.max_header_size = MAX_SMB2_HDR_SIZE,
- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .read_rsp_size = sizeof(struct smb2_read_rsp),
.lock_cmd = SMB2_LOCK,
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
@@ -5953,7 +5953,7 @@ struct smb_version_values smb311_values
.header_size = sizeof(struct smb2_sync_hdr),
.header_preamble_size = 0,
.max_header_size = MAX_SMB2_HDR_SIZE,
- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .read_rsp_size = sizeof(struct smb2_read_rsp),
.lock_cmd = SMB2_LOCK,
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1327,7 +1327,7 @@ SMB2_sess_sendreceive(struct SMB2_sess_d
/* Testing shows that buffer offset must be at location of Buffer[0] */
req->SecurityBufferOffset =
- cpu_to_le16(sizeof(struct smb2_sess_setup_req) - 1 /* pad */);
+ cpu_to_le16(sizeof(struct smb2_sess_setup_req));
req->SecurityBufferLength = cpu_to_le16(sess_data->iov[1].iov_len);
memset(&rqst, 0, sizeof(struct smb_rqst));
@@ -1826,8 +1826,7 @@ SMB2_tcon(const unsigned int xid, struct
iov[0].iov_len = total_len - 1;
/* Testing shows that buffer offset must be at location of Buffer[0] */
- req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req)
- - 1 /* pad */);
+ req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req));
req->PathLength = cpu_to_le16(unc_path_len - 2);
iov[1].iov_base = unc_path;
iov[1].iov_len = unc_path_len;
@@ -4748,7 +4747,7 @@ int SMB2_query_directory_init(const unsi
memcpy(bufptr, &asteriks, len);
req->FileNameOffset =
- cpu_to_le16(sizeof(struct smb2_query_directory_req) - 1);
+ cpu_to_le16(sizeof(struct smb2_query_directory_req));
req->FileNameLength = cpu_to_le16(len);
/*
* BB could be 30 bytes or so longer if we used SMB2 specific
@@ -4945,7 +4944,7 @@ SMB2_set_info_init(struct cifs_tcon *tco
req->AdditionalInformation = cpu_to_le32(additional_info);
req->BufferOffset =
- cpu_to_le16(sizeof(struct smb2_set_info_req) - 1);
+ cpu_to_le16(sizeof(struct smb2_set_info_req));
req->BufferLength = cpu_to_le32(*size);
memcpy(req->Buffer, *data, *size);
@@ -5177,9 +5176,9 @@ build_qfs_info_req(struct kvec *iov, str
req->VolatileFileId = volatile_fid;
/* 1 for pad */
req->InputBufferOffset =
- cpu_to_le16(sizeof(struct smb2_query_info_req) - 1);
+ cpu_to_le16(sizeof(struct smb2_query_info_req));
req->OutputBufferLength = cpu_to_le32(
- outbuf_len + sizeof(struct smb2_query_info_rsp) - 1);
+ outbuf_len + sizeof(struct smb2_query_info_rsp));
iov->iov_base = (char *)req;
iov->iov_len = total_len;
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -218,7 +218,7 @@ struct smb2_err_rsp {
__le16 StructureSize;
__le16 Reserved; /* MBZ */
__le32 ByteCount; /* even if zero, at least one byte follows */
- __u8 ErrorData[1]; /* variable length */
+ __u8 ErrorData[]; /* variable length */
} __packed;
#define SYMLINK_ERROR_TAG 0x4c4d5953
@@ -487,7 +487,7 @@ struct smb2_negotiate_rsp {
__le16 SecurityBufferOffset;
__le16 SecurityBufferLength;
__le32 NegotiateContextOffset; /* Pre:SMB3.1.1 was reserved/ignored */
- __u8 Buffer[1]; /* variable length GSS security buffer */
+ __u8 Buffer[]; /* variable length GSS security buffer */
} __packed;
/* Flags */
@@ -504,7 +504,7 @@ struct smb2_sess_setup_req {
__le16 SecurityBufferOffset;
__le16 SecurityBufferLength;
__u64 PreviousSessionId;
- __u8 Buffer[1]; /* variable length GSS security buffer */
+ __u8 Buffer[]; /* variable length GSS security buffer */
} __packed;
/* Currently defined SessionFlags */
@@ -517,7 +517,7 @@ struct smb2_sess_setup_rsp {
__le16 SessionFlags;
__le16 SecurityBufferOffset;
__le16 SecurityBufferLength;
- __u8 Buffer[1]; /* variable length GSS security buffer */
+ __u8 Buffer[]; /* variable length GSS security buffer */
} __packed;
struct smb2_logoff_req {
@@ -543,7 +543,7 @@ struct smb2_tree_connect_req {
__le16 Flags; /* Reserved MBZ for dialects prior to SMB3.1.1 */
__le16 PathOffset;
__le16 PathLength;
- __u8 Buffer[1]; /* variable length */
+ __u8 Buffer[]; /* variable length */
} __packed;
/* See MS-SMB2 section 2.2.9.2 */
@@ -852,7 +852,7 @@ struct smb2_create_rsp {
__u64 VolatileFileId; /* opaque endianness */
__le32 CreateContextsOffset;
__le32 CreateContextsLength;
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
struct create_context {
@@ -1313,7 +1313,7 @@ struct smb2_read_plain_req {
__le32 RemainingBytes;
__le16 ReadChannelInfoOffset;
__le16 ReadChannelInfoLength;
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
/* Read flags */
@@ -1328,7 +1328,7 @@ struct smb2_read_rsp {
__le32 DataLength;
__le32 DataRemaining;
__u32 Flags;
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
/* For write request Flags field below the following flags are defined: */
@@ -1348,7 +1348,7 @@ struct smb2_write_req {
__le16 WriteChannelInfoOffset;
__le16 WriteChannelInfoLength;
__le32 Flags;
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
struct smb2_write_rsp {
@@ -1359,7 +1359,7 @@ struct smb2_write_rsp {
__le32 DataLength;
__le32 DataRemaining;
__u32 Reserved2;
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
/* notify flags */
@@ -1395,7 +1395,7 @@ struct smb2_change_notify_rsp {
__le16 StructureSize; /* Must be 9 */
__le16 OutputBufferOffset;
__le32 OutputBufferLength;
- __u8 Buffer[1]; /* array of file notify structs */
+ __u8 Buffer[]; /* array of file notify structs */
} __packed;
#define SMB2_LOCKFLAG_SHARED_LOCK 0x0001
@@ -1422,7 +1422,10 @@ struct smb2_lock_req {
__u64 PersistentFileId; /* opaque endianness */
__u64 VolatileFileId; /* opaque endianness */
/* Followed by at least one */
- struct smb2_lock_element locks[1];
+ union {
+ struct smb2_lock_element lock;
+ DECLARE_FLEX_ARRAY(struct smb2_lock_element, locks);
+ };
} __packed;
struct smb2_lock_rsp {
@@ -1478,7 +1481,7 @@ struct smb2_query_directory_req {
__le16 FileNameOffset;
__le16 FileNameLength;
__le32 OutputBufferLength;
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
struct smb2_query_directory_rsp {
@@ -1486,7 +1489,7 @@ struct smb2_query_directory_rsp {
__le16 StructureSize; /* Must be 9 */
__le16 OutputBufferOffset;
__le32 OutputBufferLength;
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
/* Possible InfoType values */
@@ -1527,7 +1530,7 @@ struct smb2_query_info_req {
__le32 Flags;
__u64 PersistentFileId; /* opaque endianness */
__u64 VolatileFileId; /* opaque endianness */
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
struct smb2_query_info_rsp {
@@ -1535,7 +1538,7 @@ struct smb2_query_info_rsp {
__le16 StructureSize; /* Must be 9 */
__le16 OutputBufferOffset;
__le32 OutputBufferLength;
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
/*
@@ -1558,7 +1561,7 @@ struct smb2_set_info_req {
__le32 AdditionalInformation;
__u64 PersistentFileId; /* opaque endianness */
__u64 VolatileFileId; /* opaque endianness */
- __u8 Buffer[1];
+ __u8 Buffer[];
} __packed;
struct smb2_set_info_rsp {
@@ -1761,7 +1764,10 @@ struct smb2_file_all_info { /* data bloc
__le32 Mode;
__le32 AlignmentRequirement;
__le32 FileNameLength;
- char FileName[1];
+ union {
+ char __pad; /* Legacy structure padding */
+ DECLARE_FLEX_ARRAY(char, FileName);
+ };
} __packed; /* level 18 Query */
struct smb2_file_eof_info { /* encoding of request for level 10 */
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 472/476] staging: fbtft: core: set smem_len before fb_deferred_io_init call
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 471/476] smb3: Replace smb2pdu 1-element arrays with flex-arrays Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 473/476] usb: dwc3: gadget: Dont delay End Transfer on delayed_status Greg Kroah-Hartman
` (13 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peter Suti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Suti <peter.suti@streamunlimited.com>
commit 81e878887ff82a7dd42f22951391069a5d520627 upstream.
The fbtft_framebuffer_alloc() calls fb_deferred_io_init() before
initializing info->fix.smem_len. It is set to zero by the
framebuffer_alloc() function. It will trigger a WARN_ON() at the
start of fb_deferred_io_init() and the function will not do anything.
Fixes: 856082f021a2 ("fbdev: defio: fix the pagelist corruption")
Signed-off-by: Peter Suti <peter.suti@streamunlimited.com>
Link: https://lore.kernel.org/r/20220727073550.1491126-1-peter.suti@streamunlimited.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/fbtft/fbtft-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -657,7 +657,6 @@ struct fb_info *fbtft_framebuffer_alloc(
fbdefio->delay = HZ / fps;
fbdefio->sort_pagereflist = true;
fbdefio->deferred_io = fbtft_deferred_io;
- fb_deferred_io_init(info);
snprintf(info->fix.id, sizeof(info->fix.id), "%s", dev->driver->name);
info->fix.type = FB_TYPE_PACKED_PIXELS;
@@ -668,6 +667,7 @@ struct fb_info *fbtft_framebuffer_alloc(
info->fix.line_length = width * bpp / 8;
info->fix.accel = FB_ACCEL_NONE;
info->fix.smem_len = vmem_size;
+ fb_deferred_io_init(info);
info->var.rotate = pdata->rotate;
info->var.xres = width;
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 473/476] usb: dwc3: gadget: Dont delay End Transfer on delayed_status
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 472/476] staging: fbtft: core: set smem_len before fb_deferred_io_init call Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 474/476] usb: dwc3: gadget: Execute gadget stop after halting the controller Greg Kroah-Hartman
` (12 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit 4db0fbb601361767144e712beb96704b966339f5 upstream.
The gadget driver may wait on the request completion when it sets the
USB_GADGET_DELAYED_STATUS. Make sure that the End Transfer command can
go through if the dwc->delayed_status is set so that the request can
complete. When the delayed_status is set, the Setup packet is already
processed, and the next phase should be either Data or Status. It's
unlikely that the host would cancel the control transfer and send a new
Setup packet during End Transfer command. But if that's the case, we can
try again when ep0state returns to EP0_SETUP_PHASE.
Fixes: e1ee843488d5 ("usb: dwc3: gadget: Force sending delayed status during soft disconnect")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/3f9f59e5d74efcbaee444cf4b30ef639cc7b124e.1666146954.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1680,6 +1680,16 @@ static int __dwc3_stop_active_transfer(s
cmd |= DWC3_DEPCMD_PARAM(dep->resource_index);
memset(¶ms, 0, sizeof(params));
ret = dwc3_send_gadget_ep_cmd(dep, cmd, ¶ms);
+ /*
+ * If the End Transfer command was timed out while the device is
+ * not in SETUP phase, it's possible that an incoming Setup packet
+ * may prevent the command's completion. Let's retry when the
+ * ep0state returns to EP0_SETUP_PHASE.
+ */
+ if (ret == -ETIMEDOUT && dep->dwc->ep0state != EP0_SETUP_PHASE) {
+ dep->flags |= DWC3_EP_DELAY_STOP;
+ return 0;
+ }
WARN_ON_ONCE(ret);
dep->resource_index = 0;
@@ -3701,7 +3711,7 @@ void dwc3_stop_active_transfer(struct dw
* timeout. Delay issuing the End Transfer command until the Setup TRB is
* prepared.
*/
- if (dwc->ep0state != EP0_SETUP_PHASE) {
+ if (dwc->ep0state != EP0_SETUP_PHASE && !dwc->delayed_status) {
dep->flags |= DWC3_EP_DELAY_STOP;
return;
}
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 474/476] usb: dwc3: gadget: Execute gadget stop after halting the controller
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 473/476] usb: dwc3: gadget: Dont delay End Transfer on delayed_status Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 475/476] media: Revert "media: rkisp1: Drop IRQF_SHARED" Greg Kroah-Hartman
` (11 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Wesley Cheng
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Cheng <quic_wcheng@quicinc.com>
commit 39674be56fba1cd3a03bf4617f523a35f85fd2c1 upstream.
Do not call gadget stop until the poll for controller halt is
completed. DEVTEN is cleared as part of gadget stop, so the intention to
allow ep0 events to continue while waiting for controller halt is not
happening.
Fixes: c96683798e27 ("usb: dwc3: ep0: Don't prepare beyond Setup stage")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20230420212759.29429-2-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2517,7 +2517,6 @@ static int dwc3_gadget_soft_disconnect(s
* bit.
*/
dwc3_stop_active_transfers(dwc);
- __dwc3_gadget_stop(dwc);
spin_unlock_irqrestore(&dwc->lock, flags);
/*
@@ -2547,7 +2546,19 @@ static int dwc3_gadget_soft_disconnect(s
* remaining event generated by the controller while polling for
* DSTS.DEVCTLHLT.
*/
- return dwc3_gadget_run_stop(dwc, false);
+ ret = dwc3_gadget_run_stop(dwc, false);
+
+ /*
+ * Stop the gadget after controller is halted, so that if needed, the
+ * events to update EP0 state can still occur while the run/stop
+ * routine polls for the halted state. DEVTEN is cleared as part of
+ * gadget stop.
+ */
+ spin_lock_irqsave(&dwc->lock, flags);
+ __dwc3_gadget_stop(dwc);
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
+ return ret;
}
static int dwc3_gadget_soft_connect(struct dwc3 *dwc)
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 475/476] media: Revert "media: rkisp1: Drop IRQF_SHARED"
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 474/476] usb: dwc3: gadget: Execute gadget stop after halting the controller Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 476/476] usb: dwc3: gadget: Ignore End Transfer delay on teardown Greg Kroah-Hartman
` (10 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikhail Rudenko, Tomi Valkeinen,
Laurent Pinchart, Mauro Carvalho Chehab
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
commit a107d643b2a3382e0a2d2c4ef08bf8c6bff4561d upstream.
This reverts commit 85d2a31fe4d9be1555f621ead7a520d8791e0f74.
The rkisp1 does share interrupt lines on some platforms, after all. Thus
we need to revert this, and implement a fix for the rkisp1 shared irq
handling in a follow-up patch.
Closes: https://lore.kernel.org/all/87o7eo8vym.fsf@gmail.com/
Link: https://lore.kernel.org/r/20231218-rkisp-shirq-fix-v1-1-173007628248@ideasonboard.com
Reported-by: Mikhail Rudenko <mike.rudenko@gmail.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c
+++ b/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c
@@ -482,7 +482,7 @@ static int rkisp1_probe(struct platform_
if (irq < 0)
return irq;
- ret = devm_request_irq(dev, irq, rkisp1_isr, 0,
+ ret = devm_request_irq(dev, irq, rkisp1_isr, IRQF_SHARED,
dev_driver_string(dev), dev);
if (ret) {
dev_err(dev, "request irq failed: %d\n", ret);
^ permalink raw reply [flat|nested] 506+ messages in thread
* [PATCH 5.15 476/476] usb: dwc3: gadget: Ignore End Transfer delay on teardown
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 475/476] media: Revert "media: rkisp1: Drop IRQF_SHARED" Greg Kroah-Hartman
@ 2024-02-21 13:08 ` Greg Kroah-Hartman
2024-02-21 19:48 ` [PATCH 5.15 000/476] 5.15.149-rc1 review Jon Hunter
` (9 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-21 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit c4e3ef5685393c5051b52cf1e94b8891d49793ab upstream.
If we delay sending End Transfer for Setup TRB to be prepared, we need
to check if the End Transfer was in preparation for a driver
teardown/soft-disconnect. In those cases, just send the End Transfer
command without delay.
In the case of soft-disconnect, there's a very small chance the command
may not go through immediately. But should it happen, the Setup TRB will
be prepared during the polling of the controller halted state, allowing
the command to go through then.
In the case of disabling endpoint due to reconfiguration (e.g.
set_interface(alt-setting) or usb reset), then it's driven by the host.
Typically the host wouldn't immediately cancel the control request and
send another control transfer to trigger the End Transfer command
timeout.
Fixes: 4db0fbb60136 ("usb: dwc3: gadget: Don't delay End Transfer on delayed_status")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/f1617a323e190b9cc408fb8b65456e32b5814113.1670546756.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1701,6 +1701,7 @@ static int __dwc3_stop_active_transfer(s
dep->flags |= DWC3_EP_END_TRANSFER_PENDING;
}
+ dep->flags &= ~DWC3_EP_DELAY_STOP;
return ret;
}
@@ -3710,8 +3711,10 @@ void dwc3_stop_active_transfer(struct dw
if (dep->number <= 1 && dwc->ep0state != EP0_DATA_PHASE)
return;
+ if (interrupt && (dep->flags & DWC3_EP_DELAY_STOP))
+ return;
+
if (!(dep->flags & DWC3_EP_TRANSFER_STARTED) ||
- (dep->flags & DWC3_EP_DELAY_STOP) ||
(dep->flags & DWC3_EP_END_TRANSFER_PENDING))
return;
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping
2024-02-21 13:07 ` [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping Greg Kroah-Hartman
@ 2024-02-21 14:17 ` Alvin Šipraga
2024-02-22 8:33 ` Greg Kroah-Hartman
0 siblings, 1 reply; 506+ messages in thread
From: Alvin Šipraga @ 2024-02-21 14:17 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Andrejs Cainikovs, Kalle Valo, Sasha Levin
Hi Greg,
On Wed, Feb 21, 2024 at 02:07:58PM +0100, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
- [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping Greg Kroah-Hartman
- [PATCH 5.15 428/476] wifi: mwifiex: Support SD8978 chipset Greg Kroah-Hartman
Both of the above are marked as stable-deps of this one:
- [PATCH 5.15 429/476] wifi: mwifiex: add extra delay for firmware ready Greg Kroah-Hartman
but they are not at all relevant, so I think patches 427 and 428 should
be dropped. But patch 429 is OK for stable as long as 431 is included:
- [PATCH 5.15 431/476] wifi: mwifiex: fix uninitialized firmware_stat Greg Kroah-Hartman
Kind regards,
Alvin
>
> ------------------
>
> From: Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
>
> [ Upstream commit 255ca28a659d3cfb069f73c7644853ed93aecdb0 ]
>
> Some WiFi/Bluetooth modules might have different host connection
> options, allowing to either use SDIO for both WiFi and Bluetooth,
> or SDIO for WiFi and UART for Bluetooth. It is possible to detect
> whether a module has SDIO-SDIO or SDIO-UART connection by reading
> its host strap register.
>
> This change introduces a way to automatically select appropriate
> firmware depending of the connection method, and removes a need
> of symlinking or overwriting the original firmware file with a
> required one.
>
> Host strap register used in this commit comes from the NXP driver [1]
> hosted at Code Aurora.
>
> [1] https://source.codeaurora.org/external/imx/linux-imx/tree/drivers/net/wireless/nxp/mxm_wifiex/wlan_src/mlinux/moal_sdio_mmc.c?h=rel_imx_5.4.70_2.3.2&id=688b67b2c7220b01521ffe560da7eee33042c7bd#n1274
>
> Signed-off-by: Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
> Reviewed-by: Alvin Šipraga <alsi@bang-olufsen.dk>
> Signed-off-by: Kalle Valo <kvalo@kernel.org>
> Link: https://lore.kernel.org/r/20220422090313.125857-2-andrejs.cainikovs@toradex.com
> Stable-dep-of: 1c5d463c0770 ("wifi: mwifiex: add extra delay for firmware ready")
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
[...]
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 380/476] kbuild: Fix changing ELF file type for output of gen_btf for big endian
2024-02-21 13:07 ` [PATCH 5.15 380/476] kbuild: Fix changing ELF file type for output of gen_btf for big endian Greg Kroah-Hartman
@ 2024-02-21 16:54 ` Nathan Chancellor
2024-02-22 8:27 ` Greg Kroah-Hartman
0 siblings, 1 reply; 506+ messages in thread
From: Nathan Chancellor @ 2024-02-21 16:54 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Masahiro Yamada, Fangrui Song, Nicolas Schier,
Kees Cook, Justin Stitt
Hi Greg,
On Wed, Feb 21, 2024 at 02:07:11PM +0100, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Nathan Chancellor <nathan@kernel.org>
>
> commit e3a9ee963ad8ba677ca925149812c5932b49af69 upstream.
>
> Commit 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF")
> changed the ELF type of .btf.vmlinux.bin.o to ET_REL via dd, which works
> fine for little endian platforms:
>
> 00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
> -00000010 03 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................|
> +00000010 01 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................|
>
> However, for big endian platforms, it changes the wrong byte, resulting
> in an invalid ELF file type, which ld.lld rejects:
>
> 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............|
> -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
> +00000010 01 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
>
> Type: <unknown>: 103
>
> ld.lld: error: .btf.vmlinux.bin.o: unknown file type
>
> Fix this by updating the entire 16-bit e_type field rather than just a
> single byte, so that everything works correctly for all platforms and
> linkers.
>
> 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............|
> -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
> +00000010 00 01 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
>
> Type: REL (Relocatable file)
>
> While in the area, update the comment to mention that binutils 2.35+
> matches LLD's behavior of rejecting an ET_EXEC input, which occurred
> after the comment was added.
>
> Cc: stable@vger.kernel.org
> Fixes: 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF")
> Link: https://github.com/llvm/llvm-project/pull/75643
> Suggested-by: Masahiro Yamada <masahiroy@kernel.org>
> Signed-off-by: Nathan Chancellor <nathan@kernel.org>
> Reviewed-by: Fangrui Song <maskray@google.com>
> Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: Justin Stitt <justinstitt@google.com>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> scripts/link-vmlinux.sh | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> --- a/scripts/link-vmlinux.sh
> +++ b/scripts/link-vmlinux.sh
> @@ -236,8 +236,13 @@ gen_btf()
> ${OBJCOPY} --only-section=.BTF --set-section-flags .BTF=alloc,readonly \
> --strip-all ${1} ${2} 2>/dev/null
> # Change e_type to ET_REL so that it can be used to link final vmlinux.
> - # Unlike GNU ld, lld does not allow an ET_EXEC input.
> - printf '\1' | dd of=${2} conv=notrunc bs=1 seek=16 status=none
> + # GNU ld 2.35+ and lld do not allow an ET_EXEC input.
> + if is_enabled CONFIG_CPU_BIG_ENDIAN; then
You may have missed my mail on the email saying this had been applied (I
didn't cc a lore list so no link):
I do not think this backport is correct for trees that do not have
commit 7d153696e5db ("kbuild: do not include include/config/auto.conf
from shell scripts"), even if it applies cleanly, as is_enabled() is not
available.
I think this diff should be squashed in to the patch for 5.15 and
earlier, you can add
[nathan: Fix silent conflict due to lack of 7d153696e5db in older trees]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
to the resulting patch if you would like.
Cheers,
Nathan
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
index 007bb773b222..5a5a0cfad69d 100755
--- a/scripts/link-vmlinux.sh
+++ b/scripts/link-vmlinux.sh
@@ -237,7 +237,7 @@ gen_btf()
--strip-all ${1} ${2} 2>/dev/null
# Change e_type to ET_REL so that it can be used to link final vmlinux.
# GNU ld 2.35+ and lld do not allow an ET_EXEC input.
- if is_enabled CONFIG_CPU_BIG_ENDIAN; then
+ if [ -n "${CONFIG_CPU_BIG_ENDIAN}" ]; then
et_rel='\0\1'
else
et_rel='\1\0'
^ permalink raw reply related [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 258/476] misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback
2024-02-21 13:05 ` [PATCH 5.15 258/476] misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback Greg Kroah-Hartman
@ 2024-02-21 18:15 ` Hans de Goede
0 siblings, 0 replies; 506+ messages in thread
From: Hans de Goede @ 2024-02-21 18:15 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: patches, Sasha Levin
Hi Greg,
On 2/21/24 14:05, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
This is known to cause a regression (WARN triggering on suspend,
possible panic if panic-on-warn is set).
A fix for the regression is pending:
https://lore.kernel.org/regressions/20240220190035.53402-1-hdegoede@redhat.com/T/#u
but it has not been merged yet, so please hold of on merging this
patch until you can apply both at once.
I see that you are also planning to apply this to other stable
branches. I'm not sure if this is necessary but to be safe
I'll copy and paste this reply to the emails for the other stable
branches.
Regards,
Hans
>
> ------------------
>
> From: Hans de Goede <hdegoede@redhat.com>
>
> [ Upstream commit b1b9f7a494400c0c39f8cd83de3aaa6111c55087 ]
>
> The lis3lv02d_i2c driver was missing a line to set the lis3_dev's
> reg_ctrl callback.
>
> lis3_reg_ctrl(on) is called from the init callback, but due to
> the missing reg_ctrl callback the regulators where never turned off
> again leading to the following oops/backtrace when detaching the driver:
>
> [ 82.313527] ------------[ cut here ]------------
> [ 82.313546] WARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put+0x219/0x230
> ...
> [ 82.313695] RIP: 0010:_regulator_put+0x219/0x230
> ...
> [ 82.314767] Call Trace:
> [ 82.314770] <TASK>
> [ 82.314772] ? _regulator_put+0x219/0x230
> [ 82.314777] ? __warn+0x81/0x170
> [ 82.314784] ? _regulator_put+0x219/0x230
> [ 82.314791] ? report_bug+0x18d/0x1c0
> [ 82.314801] ? handle_bug+0x3c/0x80
> [ 82.314806] ? exc_invalid_op+0x13/0x60
> [ 82.314812] ? asm_exc_invalid_op+0x16/0x20
> [ 82.314845] ? _regulator_put+0x219/0x230
> [ 82.314857] regulator_bulk_free+0x39/0x60
> [ 82.314865] i2c_device_remove+0x22/0xb0
>
> Add the missing setting of the callback so that the regulators
> properly get turned off again when not used.
>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> Link: https://lore.kernel.org/r/20231224183402.95640-1-hdegoede@redhat.com
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/misc/lis3lv02d/lis3lv02d_i2c.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/misc/lis3lv02d/lis3lv02d_i2c.c b/drivers/misc/lis3lv02d/lis3lv02d_i2c.c
> index 52555d2e824b..ab1db760ba4e 100644
> --- a/drivers/misc/lis3lv02d/lis3lv02d_i2c.c
> +++ b/drivers/misc/lis3lv02d/lis3lv02d_i2c.c
> @@ -151,6 +151,7 @@ static int lis3lv02d_i2c_probe(struct i2c_client *client,
> lis3_dev.init = lis3_i2c_init;
> lis3_dev.read = lis3_i2c_read;
> lis3_dev.write = lis3_i2c_write;
> + lis3_dev.reg_ctrl = lis3_reg_ctrl;
> lis3_dev.irq = client->irq;
> lis3_dev.ac = lis3lv02d_axis_map;
> lis3_dev.pm_dev = &client->dev;
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2024-02-21 13:08 ` [PATCH 5.15 476/476] usb: dwc3: gadget: Ignore End Transfer delay on teardown Greg Kroah-Hartman
@ 2024-02-21 19:48 ` Jon Hunter
2024-02-21 23:43 ` Shuah Khan
` (8 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Jon Hunter @ 2024-02-21 19:48 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, linux-tegra,
stable
On Wed, 21 Feb 2024 14:00:51 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v5.15:
10 builds: 10 pass, 0 fail
26 boots: 26 pass, 0 fail
94 tests: 94 pass, 0 fail
Linux version: 5.15.149-rc1-gae70058cf980
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
tegra20-ventana, tegra210-p2371-2180,
tegra210-p3450-0000, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner()
2024-02-21 13:02 ` [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner() Greg Kroah-Hartman
@ 2024-02-21 22:19 ` Wang Yugui
2024-02-22 6:12 ` Greg Kroah-Hartman
0 siblings, 1 reply; 506+ messages in thread
From: Wang Yugui @ 2024-02-21 22:19 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Chuck Lever, Sasha Levin
Hi,
> 5.15-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Chuck Lever <chuck.lever@oracle.com>
>
> [ Upstream commit bd8fdb6e545f950f4654a9a10d7e819ad48146e5 ]
>
> Refactor: Use existing helpers that other lock operations use. This
> change removes several automatic variables, so re-organize the
> variable declarations for readability.
>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> Stable-dep-of: edcf9725150e ("nfsd: fix RELEASE_LOCKOWNER")
> Signed-off-by: Sasha Levin <sashal@kernel.org>
"nfsd: fix RELEASE_LOCKOWNER" is yet not in 5.15.149-rc1?
or I missed something?
Best Regards
Wang Yugui (wangyugui@e16-tech.com)
2024/02/22
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2024-02-21 19:48 ` [PATCH 5.15 000/476] 5.15.149-rc1 review Jon Hunter
@ 2024-02-21 23:43 ` Shuah Khan
2024-02-21 23:58 ` Florian Fainelli
` (7 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Shuah Khan @ 2024-02-21 23:43 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, Shuah Khan
On 2/21/24 06:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2024-02-21 23:43 ` Shuah Khan
@ 2024-02-21 23:58 ` Florian Fainelli
2024-02-22 9:06 ` Shreeya Patel
` (6 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Florian Fainelli @ 2024-02-21 23:58 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, allen.lkml
On 2/21/24 05:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner()
2024-02-21 22:19 ` Wang Yugui
@ 2024-02-22 6:12 ` Greg Kroah-Hartman
2024-02-22 13:02 ` Wang Yugui
0 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-22 6:12 UTC (permalink / raw)
To: Wang Yugui; +Cc: stable, patches, Chuck Lever, Sasha Levin
On Thu, Feb 22, 2024 at 06:19:12AM +0800, Wang Yugui wrote:
> Hi,
>
>
> > 5.15-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Chuck Lever <chuck.lever@oracle.com>
> >
> > [ Upstream commit bd8fdb6e545f950f4654a9a10d7e819ad48146e5 ]
> >
> > Refactor: Use existing helpers that other lock operations use. This
> > change removes several automatic variables, so re-organize the
> > variable declarations for readability.
> >
> > Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> > Stable-dep-of: edcf9725150e ("nfsd: fix RELEASE_LOCKOWNER")
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
>
>
> "nfsd: fix RELEASE_LOCKOWNER" is yet not in 5.15.149-rc1?
> or I missed something?
Good catch, you are correct! I'll go drop this, and the other nfsd
"dep-of" commit in this queue, and in the 5.10 and 5.4 queues.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 380/476] kbuild: Fix changing ELF file type for output of gen_btf for big endian
2024-02-21 16:54 ` Nathan Chancellor
@ 2024-02-22 8:27 ` Greg Kroah-Hartman
0 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-22 8:27 UTC (permalink / raw)
To: Nathan Chancellor
Cc: stable, patches, Masahiro Yamada, Fangrui Song, Nicolas Schier,
Kees Cook, Justin Stitt
On Wed, Feb 21, 2024 at 09:54:24AM -0700, Nathan Chancellor wrote:
> Hi Greg,
>
> On Wed, Feb 21, 2024 at 02:07:11PM +0100, Greg Kroah-Hartman wrote:
> > 5.15-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Nathan Chancellor <nathan@kernel.org>
> >
> > commit e3a9ee963ad8ba677ca925149812c5932b49af69 upstream.
> >
> > Commit 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF")
> > changed the ELF type of .btf.vmlinux.bin.o to ET_REL via dd, which works
> > fine for little endian platforms:
> >
> > 00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
> > -00000010 03 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................|
> > +00000010 01 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................|
> >
> > However, for big endian platforms, it changes the wrong byte, resulting
> > in an invalid ELF file type, which ld.lld rejects:
> >
> > 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............|
> > -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
> > +00000010 01 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
> >
> > Type: <unknown>: 103
> >
> > ld.lld: error: .btf.vmlinux.bin.o: unknown file type
> >
> > Fix this by updating the entire 16-bit e_type field rather than just a
> > single byte, so that everything works correctly for all platforms and
> > linkers.
> >
> > 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............|
> > -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
> > +00000010 00 01 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................|
> >
> > Type: REL (Relocatable file)
> >
> > While in the area, update the comment to mention that binutils 2.35+
> > matches LLD's behavior of rejecting an ET_EXEC input, which occurred
> > after the comment was added.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF")
> > Link: https://github.com/llvm/llvm-project/pull/75643
> > Suggested-by: Masahiro Yamada <masahiroy@kernel.org>
> > Signed-off-by: Nathan Chancellor <nathan@kernel.org>
> > Reviewed-by: Fangrui Song <maskray@google.com>
> > Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
> > Reviewed-by: Kees Cook <keescook@chromium.org>
> > Reviewed-by: Justin Stitt <justinstitt@google.com>
> > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > scripts/link-vmlinux.sh | 9 +++++++--
> > 1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > --- a/scripts/link-vmlinux.sh
> > +++ b/scripts/link-vmlinux.sh
> > @@ -236,8 +236,13 @@ gen_btf()
> > ${OBJCOPY} --only-section=.BTF --set-section-flags .BTF=alloc,readonly \
> > --strip-all ${1} ${2} 2>/dev/null
> > # Change e_type to ET_REL so that it can be used to link final vmlinux.
> > - # Unlike GNU ld, lld does not allow an ET_EXEC input.
> > - printf '\1' | dd of=${2} conv=notrunc bs=1 seek=16 status=none
> > + # GNU ld 2.35+ and lld do not allow an ET_EXEC input.
> > + if is_enabled CONFIG_CPU_BIG_ENDIAN; then
>
> You may have missed my mail on the email saying this had been applied (I
> didn't cc a lore list so no link):
Ick, I did get it but it got lost in the shuffle, my fault.
> I do not think this backport is correct for trees that do not have
> commit 7d153696e5db ("kbuild: do not include include/config/auto.conf
> from shell scripts"), even if it applies cleanly, as is_enabled() is not
> available.
>
> I think this diff should be squashed in to the patch for 5.15 and
> earlier, you can add
>
> [nathan: Fix silent conflict due to lack of 7d153696e5db in older trees]
> Signed-off-by: Nathan Chancellor <nathan@kernel.org>
>
> to the resulting patch if you would like.
I'll go add that now, thanks for catching this!
greg k-h
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping
2024-02-21 14:17 ` Alvin Šipraga
@ 2024-02-22 8:33 ` Greg Kroah-Hartman
0 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-22 8:33 UTC (permalink / raw)
To: Alvin Šipraga
Cc: stable, patches, Andrejs Cainikovs, Kalle Valo, Sasha Levin
On Wed, Feb 21, 2024 at 02:17:48PM +0000, Alvin Šipraga wrote:
> Hi Greg,
>
> On Wed, Feb 21, 2024 at 02:07:58PM +0100, Greg Kroah-Hartman wrote:
> > 5.15-stable review patch. If anyone has any objections, please let me know.
>
> - [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping Greg Kroah-Hartman
> - [PATCH 5.15 428/476] wifi: mwifiex: Support SD8978 chipset Greg Kroah-Hartman
>
> Both of the above are marked as stable-deps of this one:
>
> - [PATCH 5.15 429/476] wifi: mwifiex: add extra delay for firmware ready Greg Kroah-Hartman
>
> but they are not at all relevant, so I think patches 427 and 428 should
> be dropped.
But if they are dropped, then this commit does not apply! Which is why
they were added.
> But patch 429 is OK for stable as long as 431 is included:
>
> - [PATCH 5.15 431/476] wifi: mwifiex: fix uninitialized firmware_stat Greg Kroah-Hartman
I'll just drop all of these and if you think they should be applied,
I'll take some working backports please.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2024-02-21 23:58 ` Florian Fainelli
@ 2024-02-22 9:06 ` Shreeya Patel
2024-02-22 11:49 ` Naresh Kamboju
` (5 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Shreeya Patel @ 2024-02-22 9:06 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml,
Gustavo Padovan, kernelci-regressions mailing list
On Wednesday, February 21, 2024 18:30 IST, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
KernelCI report for stable-rc/linux-5.15.y for this week.
## stable-rc HEAD for linux-5.15.y:
Date: 2024-02-21
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/log/?h=ae70058cf980fe792e8438b4b2c5a1e6b648aada
## Build failures:
No build failures seen for the stable-rc/linux-5.15.y commit head \o/
## Boot failures:
No **new** boot failures seen for the stable-rc/linux-5.15.y commit head \o/
Tested-by: kernelci.org bot <bot@kernelci.org>
Thanks,
Shreeya Patel
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2024-02-22 9:06 ` Shreeya Patel
@ 2024-02-22 11:49 ` Naresh Kamboju
2024-02-22 19:22 ` Harshit Mogalapalli
` (4 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Naresh Kamboju @ 2024-02-22 11:49 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, Beyond,
Christian König, Alex Deucher, Sasha Levin, Felix Kuehling,
Srinivasan Shanmugam, Mario Limonciello
On Wed, 21 Feb 2024 at 18:55, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
The i386 allmodconfig builds failed on stable-rc 5.15, 5.10 and 5.4.
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
ERROR: modpost: "__udivdi3" [drivers/gpu/drm/amd/amdgpu/amdgpu.ko] undefined!
make[2]: *** [/builds/linux/scripts/Makefile.modpost:133:
modules-only.symvers] Error 1
Steps to reproduce:
tuxmake --runtime podman --target-arch i386 --toolchain gcc-12
--kconfig allmodconfig
Links:
- https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.15.y/build/v5.15.148-477-gae70058cf980/testrun/22797307/suite/build/test/gcc-12-allmodconfig/log
- https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.15.y/build/v5.15.148-477-gae70058cf980/testrun/22797307/suite/build/test/gcc-12-allmodconfig/details/
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner()
2024-02-22 6:12 ` Greg Kroah-Hartman
@ 2024-02-22 13:02 ` Wang Yugui
2024-02-22 13:06 ` Greg Kroah-Hartman
2024-02-22 13:33 ` Chuck Lever III
0 siblings, 2 replies; 506+ messages in thread
From: Wang Yugui @ 2024-02-22 13:02 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Chuck Lever, Sasha Levin
Hi,
> On Thu, Feb 22, 2024 at 06:19:12AM +0800, Wang Yugui wrote:
> > Hi,
> >
> >
> > > 5.15-stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Chuck Lever <chuck.lever@oracle.com>
> > >
> > > [ Upstream commit bd8fdb6e545f950f4654a9a10d7e819ad48146e5 ]
> > >
> > > Refactor: Use existing helpers that other lock operations use. This
> > > change removes several automatic variables, so re-organize the
> > > variable declarations for readability.
> > >
> > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> > > Stable-dep-of: edcf9725150e ("nfsd: fix RELEASE_LOCKOWNER")
> > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> >
> >
> > "nfsd: fix RELEASE_LOCKOWNER" is yet not in 5.15.149-rc1?
> > or I missed something?
>
> Good catch, you are correct! I'll go drop this, and the other nfsd
> "dep-of" commit in this queue, and in the 5.10 and 5.4 queues.
Will we add "nfsd: fix RELEASE_LOCKOWNER" to 5.15.y later?
It seems that at least 5.15.y need "nfsd: fix RELEASE_LOCKOWNER".
Best Regards
Wang Yugui (wangyugui@e16-tech.com)
2024/02/22
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner()
2024-02-22 13:02 ` Wang Yugui
@ 2024-02-22 13:06 ` Greg Kroah-Hartman
2024-02-22 13:33 ` Chuck Lever III
1 sibling, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-22 13:06 UTC (permalink / raw)
To: Wang Yugui; +Cc: stable, patches, Chuck Lever, Sasha Levin
On Thu, Feb 22, 2024 at 09:02:05PM +0800, Wang Yugui wrote:
> Hi,
>
> > On Thu, Feb 22, 2024 at 06:19:12AM +0800, Wang Yugui wrote:
> > > Hi,
> > >
> > >
> > > > 5.15-stable review patch. If anyone has any objections, please let me know.
> > > >
> > > > ------------------
> > > >
> > > > From: Chuck Lever <chuck.lever@oracle.com>
> > > >
> > > > [ Upstream commit bd8fdb6e545f950f4654a9a10d7e819ad48146e5 ]
> > > >
> > > > Refactor: Use existing helpers that other lock operations use. This
> > > > change removes several automatic variables, so re-organize the
> > > > variable declarations for readability.
> > > >
> > > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> > > > Stable-dep-of: edcf9725150e ("nfsd: fix RELEASE_LOCKOWNER")
> > > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > >
> > >
> > > "nfsd: fix RELEASE_LOCKOWNER" is yet not in 5.15.149-rc1?
> > > or I missed something?
> >
> > Good catch, you are correct! I'll go drop this, and the other nfsd
> > "dep-of" commit in this queue, and in the 5.10 and 5.4 queues.
>
> Will we add "nfsd: fix RELEASE_LOCKOWNER" to 5.15.y later?
>
> It seems that at least 5.15.y need "nfsd: fix RELEASE_LOCKOWNER".
If someone sends a properly tested and backported series, sure!
thanks,
greg k-h
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner()
2024-02-22 13:02 ` Wang Yugui
2024-02-22 13:06 ` Greg Kroah-Hartman
@ 2024-02-22 13:33 ` Chuck Lever III
1 sibling, 0 replies; 506+ messages in thread
From: Chuck Lever III @ 2024-02-22 13:33 UTC (permalink / raw)
To: Wang Yugui; +Cc: Greg Kroah-Hartman, linux-stable, patches, Sasha Levin
> On Feb 22, 2024, at 8:02 AM, Wang Yugui <wangyugui@e16-tech.com> wrote:
>
> Hi,
>
>> On Thu, Feb 22, 2024 at 06:19:12AM +0800, Wang Yugui wrote:
>>> Hi,
>>>
>>>
>>>> 5.15-stable review patch. If anyone has any objections, please let me know.
>>>>
>>>> ------------------
>>>>
>>>> From: Chuck Lever <chuck.lever@oracle.com>
>>>>
>>>> [ Upstream commit bd8fdb6e545f950f4654a9a10d7e819ad48146e5 ]
>>>>
>>>> Refactor: Use existing helpers that other lock operations use. This
>>>> change removes several automatic variables, so re-organize the
>>>> variable declarations for readability.
>>>>
>>>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>>>> Stable-dep-of: edcf9725150e ("nfsd: fix RELEASE_LOCKOWNER")
>>>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>>>
>>>
>>> "nfsd: fix RELEASE_LOCKOWNER" is yet not in 5.15.149-rc1?
>>> or I missed something?
>>
>> Good catch, you are correct! I'll go drop this, and the other nfsd
>> "dep-of" commit in this queue, and in the 5.10 and 5.4 queues.
>
> Will we add "nfsd: fix RELEASE_LOCKOWNER" to 5.15.y later?
>
> It seems that at least 5.15.y need "nfsd: fix RELEASE_LOCKOWNER".
Hi Wang-
I asked Greg and Sasha to hold off on that one (and its follow-on
fix) until I can get them properly tested with 5.15.y (and 5.10.y).
--
Chuck Lever
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2024-02-22 11:49 ` Naresh Kamboju
@ 2024-02-22 19:22 ` Harshit Mogalapalli
2024-02-22 20:27 ` Allen
` (3 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Harshit Mogalapalli @ 2024-02-22 19:22 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, Vegard Nossum, Darren Kenny
Hi Greg,
On 21/02/24 18:30, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
Built and boot tested on x86_64 and aarch64.
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Thanks,
Harshit
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2024-02-22 19:22 ` Harshit Mogalapalli
@ 2024-02-22 20:27 ` Allen
2024-02-22 23:13 ` Ron Economos
` (2 subsequent siblings)
485 siblings, 0 replies; 506+ messages in thread
From: Allen @ 2024-02-22 20:27 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my x86_64 and ARM64 test systems. No errors or
regressions.
Tested-by: Allen Pais <apais@linux.microsoft.com>
Thanks.
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2024-02-22 20:27 ` Allen
@ 2024-02-22 23:13 ` Ron Economos
2024-02-23 1:24 ` Kelsey Steele
2024-04-25 22:46 ` Guenter Roeck
485 siblings, 0 replies; 506+ messages in thread
From: Ron Economos @ 2024-02-22 23:13 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml
On 2/21/24 5:00 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2024-02-22 23:13 ` Ron Economos
@ 2024-02-23 1:24 ` Kelsey Steele
2024-04-25 22:46 ` Guenter Roeck
485 siblings, 0 replies; 506+ messages in thread
From: Kelsey Steele @ 2024-02-23 1:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml
On Wed, Feb 21, 2024 at 02:00:51PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
No regressions found on WSL (x86 and arm64).
Built, booted, and reviewed dmesg.
Thank you.
Tested-by: Kelsey Steele <kelseysteele@linux.microsoft.com>
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 372/476] i2c: i801: Remove i801_set_block_buffer_mode
2024-02-21 13:07 ` [PATCH 5.15 372/476] i2c: i801: Remove i801_set_block_buffer_mode Greg Kroah-Hartman
@ 2024-02-26 13:29 ` Jean Delvare
2024-02-26 14:56 ` Greg Kroah-Hartman
0 siblings, 1 reply; 506+ messages in thread
From: Jean Delvare @ 2024-02-26 13:29 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Heiner Kallweit, Wolfram Sang, Sasha Levin
On Wed, 21 Feb 2024 14:07:03 +0100, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Heiner Kallweit <hkallweit1@gmail.com>
>
> [ Upstream commit 1e1d6582f483a4dba4ea03445e6f2f05d9de5bcf ]
>
> If FEATURE_BLOCK_BUFFER is set then bit SMBAUXCTL_E32B is supported
> and there's no benefit in reading it back. Origin of this check
> seems to be 14 yrs ago when people were not completely sure which
> chip versions support the block buffer mode.
>
> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
> Reviewed-by: Jean Delvare <jdelvare@suse.de>
> Tested-by: Jean Delvare <jdelvare@suse.de>
> Signed-off-by: Wolfram Sang <wsa@kernel.org>
> Stable-dep-of: c1c9d0f6f7f1 ("i2c: i801: Fix block process call transactions")
There is no functional dependency between these 2 commits. The context
change which causes the second commit to fail to apply without the
first commit is trivial to fix. I can provide a patch for version 5.15
and older. I think it is preferable to backporting an extra patch which
wouldn't otherwise qualify for stable trees.
--
Jean Delvare
SUSE L3 Support
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 372/476] i2c: i801: Remove i801_set_block_buffer_mode
2024-02-26 13:29 ` Jean Delvare
@ 2024-02-26 14:56 ` Greg Kroah-Hartman
2024-02-26 15:54 ` Jean Delvare
0 siblings, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-02-26 14:56 UTC (permalink / raw)
To: Jean Delvare; +Cc: stable, patches, Heiner Kallweit, Wolfram Sang, Sasha Levin
On Mon, Feb 26, 2024 at 02:29:35PM +0100, Jean Delvare wrote:
> On Wed, 21 Feb 2024 14:07:03 +0100, Greg Kroah-Hartman wrote:
> > 5.15-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Heiner Kallweit <hkallweit1@gmail.com>
> >
> > [ Upstream commit 1e1d6582f483a4dba4ea03445e6f2f05d9de5bcf ]
> >
> > If FEATURE_BLOCK_BUFFER is set then bit SMBAUXCTL_E32B is supported
> > and there's no benefit in reading it back. Origin of this check
> > seems to be 14 yrs ago when people were not completely sure which
> > chip versions support the block buffer mode.
> >
> > Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
> > Reviewed-by: Jean Delvare <jdelvare@suse.de>
> > Tested-by: Jean Delvare <jdelvare@suse.de>
> > Signed-off-by: Wolfram Sang <wsa@kernel.org>
> > Stable-dep-of: c1c9d0f6f7f1 ("i2c: i801: Fix block process call transactions")
>
> There is no functional dependency between these 2 commits. The context
> change which causes the second commit to fail to apply without the
> first commit is trivial to fix. I can provide a patch for version 5.15
> and older. I think it is preferable to backporting an extra patch which
> wouldn't otherwise qualify for stable trees.
This is already in a released kernel. We can revert them, if you want
us to, is it worth it?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 372/476] i2c: i801: Remove i801_set_block_buffer_mode
2024-02-26 14:56 ` Greg Kroah-Hartman
@ 2024-02-26 15:54 ` Jean Delvare
0 siblings, 0 replies; 506+ messages in thread
From: Jean Delvare @ 2024-02-26 15:54 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Heiner Kallweit, Wolfram Sang, Sasha Levin
On Mon, 26 Feb 2024 15:56:47 +0100, Greg Kroah-Hartman wrote:
> On Mon, Feb 26, 2024 at 02:29:35PM +0100, Jean Delvare wrote:
> > On Wed, 21 Feb 2024 14:07:03 +0100, Greg Kroah-Hartman wrote:
> > > 5.15-stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Heiner Kallweit <hkallweit1@gmail.com>
> > >
> > > [ Upstream commit 1e1d6582f483a4dba4ea03445e6f2f05d9de5bcf ]
> > >
> > > If FEATURE_BLOCK_BUFFER is set then bit SMBAUXCTL_E32B is supported
> > > and there's no benefit in reading it back. Origin of this check
> > > seems to be 14 yrs ago when people were not completely sure which
> > > chip versions support the block buffer mode.
> > >
> > > Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
> > > Reviewed-by: Jean Delvare <jdelvare@suse.de>
> > > Tested-by: Jean Delvare <jdelvare@suse.de>
> > > Signed-off-by: Wolfram Sang <wsa@kernel.org>
> > > Stable-dep-of: c1c9d0f6f7f1 ("i2c: i801: Fix block process call transactions")
> >
> > There is no functional dependency between these 2 commits. The context
> > change which causes the second commit to fail to apply without the
> > first commit is trivial to fix. I can provide a patch for version 5.15
> > and older. I think it is preferable to backporting an extra patch which
> > wouldn't otherwise qualify for stable trees.
>
> This is already in a released kernel. We can revert them, if you want
> us to, is it worth it?
Oops, I'm just back from vacation and did not realize this was already
released. Let it be then, no big deal.
--
Jean Delvare
SUSE L3 Support
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 226/476] IB/ipoib: Fix mcast list locking
2024-02-21 13:04 ` [PATCH 5.15 226/476] IB/ipoib: Fix mcast list locking Greg Kroah-Hartman
@ 2024-03-08 20:21 ` Harshit Mogalapalli
0 siblings, 0 replies; 506+ messages in thread
From: Harshit Mogalapalli @ 2024-03-08 20:21 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Sasha Levin, Vegard Nossum, Darren Kenny
Hi Greg and Sasha,
On 21/02/24 18:34, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Daniel Vacek <neelx@redhat.com>
>
> [ Upstream commit 4f973e211b3b1c6d36f7c6a19239d258856749f9 ]
>
> Releasing the `priv->lock` while iterating the `priv->multicast_list` in
> `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to
> remove the items while in the middle of iteration. If the mcast is removed
> while the lock was dropped, the for loop spins forever resulting in a hard
> lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):
>
> Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below)
> -----------------------------------+-----------------------------------
> ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work)
> spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...)
> list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev)
> &priv->multicast_list, list) |
> ipoib_mcast_join(dev, mcast) |
> spin_unlock_irq(&priv->lock) |
> | spin_lock_irqsave(&priv->lock, flags)
> | list_for_each_entry_safe(mcast, tmcast,
> | &priv->multicast_list, list)
> | list_del(&mcast->list);
> | list_add_tail(&mcast->list, &remove_list)
> | spin_unlock_irqrestore(&priv->lock, flags)
> spin_lock_irq(&priv->lock) |
> | ipoib_mcast_remove_list(&remove_list)
> (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast,
> `priv->multicast_list` and we keep | remove_list, list)
> spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done)
> the other thread which is blocked |
> and the list is still valid on |
> it's stack.)
>
> Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent
> eventual sleeps.
> Unfortunately we could not reproduce the lockup and confirm this fix but
> based on the code review I think this fix should address such lockups.
>
> crash> bc 31
> PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: "kworker/u72:2"
> --
> [exception RIP: ipoib_mcast_join_task+0x1b1]
> RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002
> RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000
> work (&priv->mcast_task{,.work})
> RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000
> &mcast->list
> RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000
> R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00
> mcast
> R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8
> dev priv (&priv->lock) &priv->multicast_list (aka head)
> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
>
Due to "---" in the upstream commit, part of the commit message(along
with original SOB) got trimmed, just letting you know so that stable
scripts could be improved in catching those.
5.15.y commit:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ed790bd0903e
upstream commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f973e211b3b1c6d36f7c6a
Thanks,
Harshit
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
> index 9e6967a40042..319d4288eddd 100644
> --- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
> +++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
> @@ -531,21 +531,17 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast)
> if (test_bit(IPOIB_MCAST_FLAG_SENDONLY, &mcast->flags))
> rec.join_state = SENDONLY_FULLMEMBER_JOIN;
> }
> - spin_unlock_irq(&priv->lock);
>
> multicast = ib_sa_join_multicast(&ipoib_sa_client, priv->ca, priv->port,
> - &rec, comp_mask, GFP_KERNEL,
> + &rec, comp_mask, GFP_ATOMIC,
> ipoib_mcast_join_complete, mcast);
> - spin_lock_irq(&priv->lock);
> if (IS_ERR(multicast)) {
> ret = PTR_ERR(multicast);
> ipoib_warn(priv, "ib_sa_join_multicast failed, status %d\n", ret);
> /* Requeue this join task with a backoff delay */
> __ipoib_mcast_schedule_join_thread(priv, mcast, 1);
> clear_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
> - spin_unlock_irq(&priv->lock);
> complete(&mcast->done);
> - spin_lock_irq(&priv->lock);
> return ret;
> }
> return 0;
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage
2024-02-21 13:02 ` [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage Greg Kroah-Hartman
@ 2024-04-25 14:55 ` Donald Buczek
2024-04-25 15:00 ` Donald Buczek
2024-04-27 14:24 ` Greg Kroah-Hartman
0 siblings, 2 replies; 506+ messages in thread
From: Donald Buczek @ 2024-04-25 14:55 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Charan Teja Kalla, Aneesh Kumar K.V, Dan Williams,
David Hildenbrand, Mel Gorman, Oscar Salvador, Vlastimil Babka,
Andrew Morton, Sasha Levin, it+linux
On 2/21/24 14:02, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Charan Teja Kalla <quic_charante@quicinc.com>
>
> [ Upstream commit 5ec8e8ea8b7783fab150cf86404fc38cb4db8800 ]
>
> The below race is observed on a PFN which falls into the device memory
> region with the system memory configuration where PFN's are such that
> [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end
> pfn contains the device memory PFN's as well, the compaction triggered
> will try on the device memory PFN's too though they end up in NOP(because
> pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When
> from other core, the section mappings are being removed for the
> ZONE_DEVICE region, that the PFN in question belongs to, on which
> compaction is currently being operated is resulting into the kernel crash
> with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1].
>
> compact_zone() memunmap_pages
> ------------- ---------------
> __pageblock_pfn_to_page
> ......
> (a)pfn_valid():
> valid_section()//return true
> (b)__remove_pages()->
> sparse_remove_section()->
> section_deactivate():
> [Free the array ms->usage and set
> ms->usage = NULL]
> pfn_section_valid()
> [Access ms->usage which
> is NULL]
>
> NOTE: From the above it can be said that the race is reduced to between
> the pfn_valid()/pfn_section_valid() and the section deactivate with
> SPASEMEM_VMEMAP enabled.
>
> The commit b943f045a9af("mm/sparse: fix kernel crash with
> pfn_section_valid check") tried to address the same problem by clearing
> the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns
> false thus ms->usage is not accessed.
>
> Fix this issue by the below steps:
>
> a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.
>
> b) RCU protected read side critical section will either return NULL
> when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.
>
> c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No
> attempt will be made to access ->usage after this as the
> SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.
>
> Thanks to David/Pavan for their inputs on this patch.
>
> [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/
>
> On Snapdragon SoC, with the mentioned memory configuration of PFN's as
> [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of
> issues daily while testing on a device farm.
>
> For this particular issue below is the log. Though the below log is
> not directly pointing to the pfn_section_valid(){ ms->usage;}, when we
> loaded this dump on T32 lauterbach tool, it is pointing.
>
> [ 540.578056] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000000
> [ 540.578068] Mem abort info:
> [ 540.578070] ESR = 0x0000000096000005
> [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits
> [ 540.578077] SET = 0, FnV = 0
> [ 540.578080] EA = 0, S1PTW = 0
> [ 540.578082] FSC = 0x05: level 1 translation fault
> [ 540.578085] Data abort info:
> [ 540.578086] ISV = 0, ISS = 0x00000005
> [ 540.578088] CM = 0, WnR = 0
> [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)
> [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c
> [ 540.579454] lr : compact_zone+0x994/0x1058
> [ 540.579460] sp : ffffffc03579b510
> [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c
> [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640
> [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000
> [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140
> [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff
> [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001
> [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440
> [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4
> [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000001
> [ 540.579518] x2 : ffffffdebf7e3940 x1 : 0000000000235c00 x0 :0000000000235800
> [ 540.579524] Call trace:
> [ 540.579527] __pageblock_pfn_to_page+0x6c/0x14c
> [ 540.579533] compact_zone+0x994/0x1058
> [ 540.579536] try_to_compact_pages+0x128/0x378
> [ 540.579540] __alloc_pages_direct_compact+0x80/0x2b0
> [ 540.579544] __alloc_pages_slowpath+0x5c0/0xe10
> [ 540.579547] __alloc_pages+0x250/0x2d0
> [ 540.579550] __iommu_dma_alloc_noncontiguous+0x13c/0x3fc
> [ 540.579561] iommu_dma_alloc+0xa0/0x320
> [ 540.579565] dma_alloc_attrs+0xd4/0x108
>
> [quic_charante@quicinc.com: use kfree_rcu() in place of synchronize_rcu(), per David]
> Link: https://lkml.kernel.org/r/1698403778-20938-1-git-send-email-quic_charante@quicinc.com
> Link: https://lkml.kernel.org/r/1697202267-23600-1-git-send-email-quic_charante@quicinc.com
> Fixes: f46edbd1b151 ("mm/sparsemem: add helpers track active portions of a section at boot")
> Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
> Cc: Dan Williams <dan.j.williams@intel.com>
> Cc: David Hildenbrand <david@redhat.com>
> Cc: Mel Gorman <mgorman@techsingularity.net>
> Cc: Oscar Salvador <osalvador@suse.de>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> include/linux/mmzone.h | 14 +++++++++++---
> mm/sparse.c | 17 +++++++++--------
> 2 files changed, 20 insertions(+), 11 deletions(-)
>
> diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
> index 9e1485083398..8b8349ffa1cd 100644
> --- a/include/linux/mmzone.h
> +++ b/include/linux/mmzone.h
> @@ -1287,6 +1287,7 @@ static inline unsigned long section_nr_to_pfn(unsigned long sec)
> #define SUBSECTION_ALIGN_DOWN(pfn) ((pfn) & PAGE_SUBSECTION_MASK)
>
> struct mem_section_usage {
> + struct rcu_head rcu;
> #ifdef CONFIG_SPARSEMEM_VMEMMAP
> DECLARE_BITMAP(subsection_map, SUBSECTIONS_PER_SECTION);
> #endif
> @@ -1457,7 +1458,7 @@ static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
> {
> int idx = subsection_map_index(pfn);
>
> - return test_bit(idx, ms->usage->subsection_map);
> + return test_bit(idx, READ_ONCE(ms->usage)->subsection_map);
> }
> #else
> static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
> @@ -1481,6 +1482,7 @@ static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
> static inline int pfn_valid(unsigned long pfn)
> {
> struct mem_section *ms;
> + int ret;
>
> /*
> * Ensure the upper PAGE_SHIFT bits are clear in the
> @@ -1494,13 +1496,19 @@ static inline int pfn_valid(unsigned long pfn)
> if (pfn_to_section_nr(pfn) >= NR_MEM_SECTIONS)
> return 0;
> ms = __pfn_to_section(pfn);
> - if (!valid_section(ms))
> + rcu_read_lock();
> + if (!valid_section(ms)) {
> + rcu_read_unlock();
> return 0;
> + }
> /*
> * Traditionally early sections always returned pfn_valid() for
> * the entire section-sized span.
> */
> - return early_section(ms) || pfn_section_valid(ms, pfn);
> + ret = early_section(ms) || pfn_section_valid(ms, pfn);
> + rcu_read_unlock();
> +
> + return ret;
> }
> #endif
>
> diff --git a/mm/sparse.c b/mm/sparse.c
> index 120bc8ea5293..27092badd15b 100644
> --- a/mm/sparse.c
> +++ b/mm/sparse.c
> @@ -789,6 +789,13 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages,
> if (empty) {
> unsigned long section_nr = pfn_to_section_nr(pfn);
>
> + /*
> + * Mark the section invalid so that valid_section()
> + * return false. This prevents code from dereferencing
> + * ms->usage array.
> + */
> + ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
> +
> /*
> * When removing an early section, the usage map is kept (as the
> * usage maps of other sections fall into the same page). It
> @@ -797,16 +804,10 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages,
> * was allocated during boot.
> */
> if (!PageReserved(virt_to_page(ms->usage))) {
> - kfree(ms->usage);
> - ms->usage = NULL;
> + kfree_rcu(ms->usage, rcu);
> + WRITE_ONCE(ms->usage, NULL);
> }
> memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr);
> - /*
> - * Mark the section invalid so that valid_section()
> - * return false. This prevents code from dereferencing
> - * ms->usage array.
> - */
> - ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
> }
>
> /*
Maybe this is already known, but just FYI I wanted to drop the note that for some
reasons I don't understand, this patch prevents me from compiling the proprietary
Nvidia Unix driver with versions 510.108.03 and 535.104.05 in the 5.15 series.
No problems with the 6.5 series, although the patch is included there as well.
linux-5.15.155 , nvidia 535.104.05 :
make -j $(nproc) CC=gcc SYSSRC=/scratch/local/linux clean && make -j $(nproc) CC=gcc SYSSRC=/scratch/local/linux V=2 modules
[...]
MODPOST /scratch/local/bee-buczek/nvidia/test_535-104-05/kernel/Module.symvers - due to target missing
ERROR: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'rcu_read_unlock_strict'
make[2]: *** [scripts/Makefile.modpost:133: /scratch/local/bee-buczek/nvidia/test_535-104-05/kernel/Module.symvers] Error 1
make[2]: *** Deleting file '/scratch/local/bee-buczek/nvidia/test_535-104-05/kernel/Module.symvers'
make[1]: *** [Makefile:1826: modules] Error 2
make[1]: Leaving directory '/scratch/local/linux'
make: *** [Makefile:82: modules] Error 2
With fd117d03cefd15 ("mm/sparsemem: fix race in accessing memory_section->usage") reverted,
the build completes.
Best
Donald
--
Donald Buczek
buczek@molgen.mpg.de
Tel: +49 30 8413 1433
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage
2024-04-25 14:55 ` Donald Buczek
@ 2024-04-25 15:00 ` Donald Buczek
2024-04-27 14:24 ` Greg Kroah-Hartman
1 sibling, 0 replies; 506+ messages in thread
From: Donald Buczek @ 2024-04-25 15:00 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Charan Teja Kalla, Aneesh Kumar K.V, Dan Williams,
David Hildenbrand, Mel Gorman, Oscar Salvador, Vlastimil Babka,
Andrew Morton, Sasha Levin, it+linux
On 4/25/24 16:55, Donald Buczek wrote:
> On 2/21/24 14:02, Greg Kroah-Hartman wrote:
>> 5.15-stable review patch. If anyone has any objections, please let me know.
>>
>> ------------------
>>
>> From: Charan Teja Kalla <quic_charante@quicinc.com>
>>
>> [ Upstream commit 5ec8e8ea8b7783fab150cf86404fc38cb4db8800 ]
>>
>> The below race is observed on a PFN which falls into the device memory
>> region with the system memory configuration where PFN's are such that
>> [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end
>> pfn contains the device memory PFN's as well, the compaction triggered
>> will try on the device memory PFN's too though they end up in NOP(because
>> pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When
>> from other core, the section mappings are being removed for the
>> ZONE_DEVICE region, that the PFN in question belongs to, on which
>> compaction is currently being operated is resulting into the kernel crash
>> with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1].
>>
>> compact_zone() memunmap_pages
>> ------------- ---------------
>> __pageblock_pfn_to_page
>> ......
>> (a)pfn_valid():
>> valid_section()//return true
>> (b)__remove_pages()->
>> sparse_remove_section()->
>> section_deactivate():
>> [Free the array ms->usage and set
>> ms->usage = NULL]
>> pfn_section_valid()
>> [Access ms->usage which
>> is NULL]
>>
>> NOTE: From the above it can be said that the race is reduced to between
>> the pfn_valid()/pfn_section_valid() and the section deactivate with
>> SPASEMEM_VMEMAP enabled.
>>
>> The commit b943f045a9af("mm/sparse: fix kernel crash with
>> pfn_section_valid check") tried to address the same problem by clearing
>> the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns
>> false thus ms->usage is not accessed.
>>
>> Fix this issue by the below steps:
>>
>> a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.
>>
>> b) RCU protected read side critical section will either return NULL
>> when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.
>>
>> c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No
>> attempt will be made to access ->usage after this as the
>> SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.
>>
>> Thanks to David/Pavan for their inputs on this patch.
>>
>> [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/
>>
>> On Snapdragon SoC, with the mentioned memory configuration of PFN's as
>> [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of
>> issues daily while testing on a device farm.
>>
>> For this particular issue below is the log. Though the below log is
>> not directly pointing to the pfn_section_valid(){ ms->usage;}, when we
>> loaded this dump on T32 lauterbach tool, it is pointing.
>>
>> [ 540.578056] Unable to handle kernel NULL pointer dereference at
>> virtual address 0000000000000000
>> [ 540.578068] Mem abort info:
>> [ 540.578070] ESR = 0x0000000096000005
>> [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits
>> [ 540.578077] SET = 0, FnV = 0
>> [ 540.578080] EA = 0, S1PTW = 0
>> [ 540.578082] FSC = 0x05: level 1 translation fault
>> [ 540.578085] Data abort info:
>> [ 540.578086] ISV = 0, ISS = 0x00000005
>> [ 540.578088] CM = 0, WnR = 0
>> [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)
>> [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c
>> [ 540.579454] lr : compact_zone+0x994/0x1058
>> [ 540.579460] sp : ffffffc03579b510
>> [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c
>> [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640
>> [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000
>> [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140
>> [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff
>> [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001
>> [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440
>> [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4
>> [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000001
>> [ 540.579518] x2 : ffffffdebf7e3940 x1 : 0000000000235c00 x0 :0000000000235800
>> [ 540.579524] Call trace:
>> [ 540.579527] __pageblock_pfn_to_page+0x6c/0x14c
>> [ 540.579533] compact_zone+0x994/0x1058
>> [ 540.579536] try_to_compact_pages+0x128/0x378
>> [ 540.579540] __alloc_pages_direct_compact+0x80/0x2b0
>> [ 540.579544] __alloc_pages_slowpath+0x5c0/0xe10
>> [ 540.579547] __alloc_pages+0x250/0x2d0
>> [ 540.579550] __iommu_dma_alloc_noncontiguous+0x13c/0x3fc
>> [ 540.579561] iommu_dma_alloc+0xa0/0x320
>> [ 540.579565] dma_alloc_attrs+0xd4/0x108
>>
>> [quic_charante@quicinc.com: use kfree_rcu() in place of synchronize_rcu(), per David]
>> Link: https://lkml.kernel.org/r/1698403778-20938-1-git-send-email-quic_charante@quicinc.com
>> Link: https://lkml.kernel.org/r/1697202267-23600-1-git-send-email-quic_charante@quicinc.com
>> Fixes: f46edbd1b151 ("mm/sparsemem: add helpers track active portions of a section at boot")
>> Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
>> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
>> Cc: Dan Williams <dan.j.williams@intel.com>
>> Cc: David Hildenbrand <david@redhat.com>
>> Cc: Mel Gorman <mgorman@techsingularity.net>
>> Cc: Oscar Salvador <osalvador@suse.de>
>> Cc: Vlastimil Babka <vbabka@suse.cz>
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> ---
>> include/linux/mmzone.h | 14 +++++++++++---
>> mm/sparse.c | 17 +++++++++--------
>> 2 files changed, 20 insertions(+), 11 deletions(-)
>>
>> diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
>> index 9e1485083398..8b8349ffa1cd 100644
>> --- a/include/linux/mmzone.h
>> +++ b/include/linux/mmzone.h
>> @@ -1287,6 +1287,7 @@ static inline unsigned long section_nr_to_pfn(unsigned long sec)
>> #define SUBSECTION_ALIGN_DOWN(pfn) ((pfn) & PAGE_SUBSECTION_MASK)
>>
>> struct mem_section_usage {
>> + struct rcu_head rcu;
>> #ifdef CONFIG_SPARSEMEM_VMEMMAP
>> DECLARE_BITMAP(subsection_map, SUBSECTIONS_PER_SECTION);
>> #endif
>> @@ -1457,7 +1458,7 @@ static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
>> {
>> int idx = subsection_map_index(pfn);
>>
>> - return test_bit(idx, ms->usage->subsection_map);
>> + return test_bit(idx, READ_ONCE(ms->usage)->subsection_map);
>> }
>> #else
>> static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
>> @@ -1481,6 +1482,7 @@ static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
>> static inline int pfn_valid(unsigned long pfn)
>> {
>> struct mem_section *ms;
>> + int ret;
>>
>> /*
>> * Ensure the upper PAGE_SHIFT bits are clear in the
>> @@ -1494,13 +1496,19 @@ static inline int pfn_valid(unsigned long pfn)
>> if (pfn_to_section_nr(pfn) >= NR_MEM_SECTIONS)
>> return 0;
>> ms = __pfn_to_section(pfn);
>> - if (!valid_section(ms))
>> + rcu_read_lock();
>> + if (!valid_section(ms)) {
>> + rcu_read_unlock();
>> return 0;
>> + }
>> /*
>> * Traditionally early sections always returned pfn_valid() for
>> * the entire section-sized span.
>> */
>> - return early_section(ms) || pfn_section_valid(ms, pfn);
>> + ret = early_section(ms) || pfn_section_valid(ms, pfn);
>> + rcu_read_unlock();
>> +
>> + return ret;
>> }
>> #endif
>>
>> diff --git a/mm/sparse.c b/mm/sparse.c
>> index 120bc8ea5293..27092badd15b 100644
>> --- a/mm/sparse.c
>> +++ b/mm/sparse.c
>> @@ -789,6 +789,13 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages,
>> if (empty) {
>> unsigned long section_nr = pfn_to_section_nr(pfn);
>>
>> + /*
>> + * Mark the section invalid so that valid_section()
>> + * return false. This prevents code from dereferencing
>> + * ms->usage array.
>> + */
>> + ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
>> +
>> /*
>> * When removing an early section, the usage map is kept (as the
>> * usage maps of other sections fall into the same page). It
>> @@ -797,16 +804,10 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages,
>> * was allocated during boot.
>> */
>> if (!PageReserved(virt_to_page(ms->usage))) {
>> - kfree(ms->usage);
>> - ms->usage = NULL;
>> + kfree_rcu(ms->usage, rcu);
>> + WRITE_ONCE(ms->usage, NULL);
>> }
>> memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr);
>> - /*
>> - * Mark the section invalid so that valid_section()
>> - * return false. This prevents code from dereferencing
>> - * ms->usage array.
>> - */
>> - ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
>> }
>>
>> /*
>
> Maybe this is already known, but just FYI I wanted to drop the note that for some
> reasons I don't understand, this patch prevents me from compiling the proprietary
> Nvidia Unix driver with versions 510.108.03 and 535.104.05 in the 5.15 series.
> No problems with the 6.5 series, although the patch is included there as well.
>
> linux-5.15.155 , nvidia 535.104.05 :
>
> make -j $(nproc) CC=gcc SYSSRC=/scratch/local/linux clean && make -j $(nproc) CC=gcc SYSSRC=/scratch/local/linux V=2 modules
> [...]
> MODPOST /scratch/local/bee-buczek/nvidia/test_535-104-05/kernel/Module.symvers - due to target missing
> ERROR: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'rcu_read_unlock_strict'
> make[2]: *** [scripts/Makefile.modpost:133: /scratch/local/bee-buczek/nvidia/test_535-104-05/kernel/Module.symvers] Error 1
> make[2]: *** Deleting file '/scratch/local/bee-buczek/nvidia/test_535-104-05/kernel/Module.symvers'
> make[1]: *** [Makefile:1826: modules] Error 2
> make[1]: Leaving directory '/scratch/local/linux'
> make: *** [Makefile:82: modules] Error 2
>
>
> With fd117d03cefd15 ("mm/sparsemem: fix race in accessing memory_section->usage") reverted,
> the build completes.
Sorry, that was my revert patch. Its b448de2459b6d6 ("mm/sparsemem: fix race in accessing memory_section->usage").
D.
>
> Best
> Donald
--
Donald Buczek
buczek@molgen.mpg.de
Tel: +49 30 8413 1433
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2024-02-23 1:24 ` Kelsey Steele
@ 2024-04-25 22:46 ` Guenter Roeck
2024-04-26 8:44 ` Greg Kroah-Hartman
485 siblings, 1 reply; 506+ messages in thread
From: Guenter Roeck @ 2024-04-25 22:46 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, dianders, briannorris, momohatt,
Herbert Xu
Hi,
On 2/21/24 05:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.149 release.
> There are 476 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> Anything received after that time might be too late.
>
[ ... ]
> Herbert Xu <herbert@gondor.apana.org.au>
> crypto: api - Disallow identical driver names
>
This patch results in a severe performance regression on arm64 systems;
there is more than 50% throughput loss on some sequential read tests.
The problem affects v5.15.y and older kernel branches.
Analysis shows that v5.15.y and older kernel _do_ try to register the same
crypto algorithm twice, once through
__crypto_register_alg
crypto_register_alg
crypto_register_skciphers
aes_init
and then again through
__crypto_register_alg
crypto_register_alg
crypto_register_skcipher
simd_skcipher_create_compat
aes_init
After above patch was applied, the second registration fails, resulting
in the regression.
The problem is not seen in later kernels due to commit 676e508122d9
("crypto: arm64/aes-ce - stop using SIMD helper for skciphers"). Applying this
commit or reverting above commit fixes the regression in v5.15.y and older.
Thanks is due to Momoko Hattori for reporting the problem and finding the
offending patch, Doug Anderson for finding the duplicate registration attempt,
and Brian Norris for finding the fix. I copied them on this e-mail in case
there are further questions.
Thanks,
Guenter
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 000/476] 5.15.149-rc1 review
2024-04-25 22:46 ` Guenter Roeck
@ 2024-04-26 8:44 ` Greg Kroah-Hartman
0 siblings, 0 replies; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-26 8:44 UTC (permalink / raw)
To: Guenter Roeck
Cc: stable, patches, linux-kernel, torvalds, akpm, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, dianders, briannorris, momohatt,
Herbert Xu
On Thu, Apr 25, 2024 at 03:46:18PM -0700, Guenter Roeck wrote:
> Hi,
>
> On 2/21/24 05:00, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.15.149 release.
> > There are 476 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri, 23 Feb 2024 12:59:02 +0000.
> > Anything received after that time might be too late.
> >
> [ ... ]
>
> > Herbert Xu <herbert@gondor.apana.org.au>
> > crypto: api - Disallow identical driver names
> >
>
> This patch results in a severe performance regression on arm64 systems;
> there is more than 50% throughput loss on some sequential read tests.
> The problem affects v5.15.y and older kernel branches.
>
> Analysis shows that v5.15.y and older kernel _do_ try to register the same
> crypto algorithm twice, once through
>
> __crypto_register_alg
> crypto_register_alg
> crypto_register_skciphers
> aes_init
>
> and then again through
>
> __crypto_register_alg
> crypto_register_alg
> crypto_register_skcipher
> simd_skcipher_create_compat
> aes_init
>
> After above patch was applied, the second registration fails, resulting
> in the regression.
>
> The problem is not seen in later kernels due to commit 676e508122d9
> ("crypto: arm64/aes-ce - stop using SIMD helper for skciphers"). Applying this
> commit or reverting above commit fixes the regression in v5.15.y and older.
>
> Thanks is due to Momoko Hattori for reporting the problem and finding the
> offending patch, Doug Anderson for finding the duplicate registration attempt,
> and Brian Norris for finding the fix. I copied them on this e-mail in case
> there are further questions.
Thanks for the report. I got a report that this breaks some android
systems as well due to some FIPS crypto code that happens to duplicate
the names as well. I think reverting it makes sense and I'll queue that
up for the next round of releases.
greg k-h
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage
2024-04-25 14:55 ` Donald Buczek
2024-04-25 15:00 ` Donald Buczek
@ 2024-04-27 14:24 ` Greg Kroah-Hartman
2024-04-27 19:37 ` Donald Buczek
1 sibling, 1 reply; 506+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-27 14:24 UTC (permalink / raw)
To: Donald Buczek
Cc: stable, patches, Charan Teja Kalla, Aneesh Kumar K.V,
Dan Williams, David Hildenbrand, Mel Gorman, Oscar Salvador,
Vlastimil Babka, Andrew Morton, Sasha Levin, it+linux
On Thu, Apr 25, 2024 at 04:55:35PM +0200, Donald Buczek wrote:
> Maybe this is already known, but just FYI I wanted to drop the note that for some
> reasons I don't understand, this patch prevents me from compiling the proprietary
> Nvidia Unix driver with versions 510.108.03 and 535.104.05 in the 5.15 series.
For obvious reasons, we do not, and can not, care one bit about closed
source kernel modules or any other sort of kernel code that is outside
of our kernel tree. The companies involved in doing stuff like this
take full responsibility for keeping their code up to date, all the
while forcing you to be the one that violates the license of the kernel.
In other words, please ask them for support for stuff like this, they
are the ones you are paying money to for support for this type of thing,
and the ones that are putting you at risk of legal issues, and there's
nothing that we could do about it even if we wanted to.
best of luck,
greg k-h
^ permalink raw reply [flat|nested] 506+ messages in thread
* Re: [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage
2024-04-27 14:24 ` Greg Kroah-Hartman
@ 2024-04-27 19:37 ` Donald Buczek
0 siblings, 0 replies; 506+ messages in thread
From: Donald Buczek @ 2024-04-27 19:37 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Charan Teja Kalla, Aneesh Kumar K.V,
Dan Williams, David Hildenbrand, Mel Gorman, Oscar Salvador,
Vlastimil Babka, Andrew Morton, Sasha Levin, it+linux
On 4/27/24 16:24, Greg Kroah-Hartman wrote:
> On Thu, Apr 25, 2024 at 04:55:35PM +0200, Donald Buczek wrote:
>> Maybe this is already known, but just FYI I wanted to drop the note that for some
>> reasons I don't understand, this patch prevents me from compiling the proprietary
>> Nvidia Unix driver with versions 510.108.03 and 535.104.05 in the 5.15 series.
>
> For obvious reasons, we do not, and can not, care one bit about closed
> source kernel modules or any other sort of kernel code that is outside
> of our kernel tree. The companies involved in doing stuff like this
> take full responsibility for keeping their code up to date, all the
> while forcing you to be the one that violates the license of the kernel.
>
> In other words, please ask them for support for stuff like this, they
> are the ones you are paying money to for support for this type of thing,
> and the ones that are putting you at risk of legal issues, and there's
> nothing that we could do about it even if we wanted to.
Really? Did I ask anything? Wasn't "just FYI" not clear enough? Maybe you
are not interested, but maybe somebody else is. And if you think my mail
is just noise, why did you reply at all?
Best
Donald
> best of luck,
>
> greg k-h
--
Donald Buczek
buczek@molgen.mpg.de
Tel: +49 30 8413 1433
^ permalink raw reply [flat|nested] 506+ messages in thread
end of thread, other threads:[~2024-04-27 19:38 UTC | newest]
Thread overview: 506+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-21 13:00 [PATCH 5.15 000/476] 5.15.149-rc1 review Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 001/476] ksmbd: free ppace array on error in parse_dacl Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 002/476] ksmbd: dont allow O_TRUNC open on read-only share Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 003/476] ksmbd: validate mech token in session setup Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 004/476] ksmbd: fix UAF issue in ksmbd_tcp_new_connection() Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 005/476] ksmbd: only v2 leases handle the directory Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 006/476] iio: adc: ad7091r: Set alert bit in config register Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 007/476] iio: adc: ad7091r: Allow users to configure device events Greg Kroah-Hartman
2024-02-21 13:00 ` [PATCH 5.15 008/476] iio: adc: ad7091r: Enable internal vref if external vref is not supplied Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 009/476] dmaengine: fix NULL pointer in channel unregistration function Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 010/476] scsi: ufs: core: Simplify power management during async scan Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 011/476] scsi: ufs: core: Remove the ufshcd_hba_exit() call from ufshcd_async_scan() Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 012/476] iio:adc:ad7091r: Move exports into IIO_AD7091R namespace Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 013/476] ext4: allow for the last group to be marked as trimmed Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 014/476] btrfs: sysfs: validate scrub_speed_max value Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 015/476] crypto: api - Disallow identical driver names Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 016/476] PM: hibernate: Enforce ordering during image compression/decompression Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 017/476] hwrng: core - Fix page fault dead lock on mmap-ed hwrng Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 018/476] crypto: s390/aes - Fix buffer overread in CTR mode Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 019/476] media: imx355: Enable runtime PM before registering async sub-device Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 020/476] rpmsg: virtio: Free driver_override when rpmsg_remove() Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 021/476] media: ov9734: Enable runtime PM before registering async sub-device Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 022/476] mips: Fix max_mapnr being uninitialized on early stages Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 023/476] bus: mhi: host: Drop chan lock before queuing buffers Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 024/476] bus: mhi: host: Add spinlock to protect WP access when queueing TREs Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 025/476] parisc/firmware: Fix F-extend for PDC addresses Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 026/476] async: Split async_schedule_node_domain() Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 027/476] async: Introduce async_schedule_dev_nocall() Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 028/476] arm64: dts: qcom: sc7180: fix USB wakeup interrupt types Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 029/476] arm64: dts: qcom: sdm845: " Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 030/476] arm64: dts: qcom: sm8150: " Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 031/476] arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 032/476] lsm: new security_file_ioctl_compat() hook Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 033/476] scripts/get_abi: fix source path leak Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 034/476] mmc: core: Use mrq.sbc in close-ended ffu Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 035/476] mmc: mmc_spi: remove custom DMA mapped buffers Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 036/476] rtc: Adjust failure return code for cmos_set_alarm() Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 037/476] nouveau/vmm: dont set addr on the fail path to avoid warning Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 038/476] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 039/476] rename(): fix the locking of subdirectories Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 040/476] ksmbd: set v2 lease version on lease upgrade Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 041/476] ksmbd: fix potential circular locking issue in smb2_set_ea() Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 042/476] ksmbd: dont increment epoch if current state and request state are same Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 043/476] ksmbd: send lease break notification on FILE_RENAME_INFORMATION Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 044/476] ksmbd: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 045/476] net/smc: fix illegal rmb_desc access in SMC-D connection dump Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 046/476] tcp: make sure init the accept_queues spinlocks once Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 047/476] bnxt_en: Wait for FLR to complete during probe Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 048/476] vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 049/476] llc: make llc_ui_sendmsg() more robust against bonding changes Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 050/476] llc: Drop support for ETH_P_TR_802_2 Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 051/476] net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 052/476] tracing: Ensure visibility when inserting an element into tracing_map Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 053/476] afs: Hide silly-rename files from userspace Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 054/476] tcp: Add memory barrier to tcp_push() Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 055/476] netlink: fix potential sleeping issue in mqueue_flush_file Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 056/476] ipv6: init the accept_queues spinlocks in inet6_create Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 057/476] net/mlx5: DR, Use the right GVMI number for drop action Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 058/476] net/mlx5: DR, Replace local WIRE_PORT macro with the existing MLX5_VPORT_UPLINK Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 059/476] net/mlx5: DR, Align mlx5dv_dr API vport action with FW behavior Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 060/476] net/mlx5: DR, Cant go to uplink vport on RX rule Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 061/476] net/mlx5e: fix a double-free in arfs_create_groups Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 062/476] net/mlx5e: fix a potential double-free in fs_any_create_groups Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 063/476] overflow: Allow mixed type arguments Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 064/476] netfilter: nft_limit: reject configurations that cause integer overflow Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 065/476] netfilter: nf_tables: restrict anonymous set and map names to 16 bytes Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 066/476] netfilter: nf_tables: validate NFPROTO_* family Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 067/476] net: stmmac: Wait a bit for the reset to take effect Greg Kroah-Hartman
2024-02-21 13:01 ` [PATCH 5.15 068/476] net: mvpp2: clear BM pool before initialization Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 069/476] selftests: netdevsim: fix the udp_tunnel_nic test Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 070/476] fjes: fix memleaks in fjes_hw_setup Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 071/476] net: fec: fix the unhandled context fault from smmu Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 072/476] btrfs: fix infinite directory reads Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 073/476] btrfs: set last dir index to the current last index when opening dir Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 074/476] btrfs: refresh dir last index during a rewinddir(3) call Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 075/476] btrfs: fix race between reading a directory and adding entries to it Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 076/476] btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 077/476] btrfs: ref-verify: free ref cache before clearing mount opt Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 078/476] btrfs: tree-checker: fix inline ref size in error messages Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 079/476] btrfs: dont warn if discard range is not aligned to sector Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 080/476] btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 081/476] btrfs: dont abort filesystem when attempting to snapshot deleted subvolume Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 082/476] rbd: dont move requests to the running list on errors Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 083/476] exec: Fix error handling in begin_new_exec() Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 084/476] wifi: iwlwifi: fix a memory corruption Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 085/476] hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 086/476] netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 087/476] netfilter: nf_tables: reject QUEUE/DROP verdict parameters Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 088/476] firmware: arm_scmi: Check mailbox/SMT channel for consistency Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 089/476] xfs: read only mounts with fsopen mount API are busted Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 090/476] gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 091/476] drm: Dont unref the same fb many times by mistake due to deadlock handling Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 092/476] drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 093/476] drm/tidss: Fix atomic_flush check Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 094/476] drm/bridge: nxp-ptn3460: simplify some error checking Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 095/476] PM: core: Remove unnecessary (void *) conversions Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 096/476] PM: sleep: Fix possible deadlocks in core system-wide PM code Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 097/476] bus: mhi: host: Rename "struct mhi_tre" to "struct mhi_ring_element" Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 098/476] bus: mhi: host: Add alignment check for event ring read pointer Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 099/476] fs/pipe: move check to pipe_has_watch_queue() Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 100/476] pipe: wakeup wr_wait after setting max_usage Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 101/476] ARM: dts: qcom: sdx55: fix USB wakeup interrupt types Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 102/476] ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12 Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 103/476] ARM: dts: qcom: sdx55: fix pdc #interrupt-cells Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 104/476] ARM: dts: qcom: sdx55: fix USB DP/DM HS PHY interrupts Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 105/476] ARM: dts: qcom: sdx55: fix USB SS wakeup Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 106/476] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 107/476] mm: use __pfn_to_section() instead of open coding it Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 108/476] mm/sparsemem: fix race in accessing memory_section->usage Greg Kroah-Hartman
2024-04-25 14:55 ` Donald Buczek
2024-04-25 15:00 ` Donald Buczek
2024-04-27 14:24 ` Greg Kroah-Hartman
2024-04-27 19:37 ` Donald Buczek
2024-02-21 13:02 ` [PATCH 5.15 109/476] PM / devfreq: Fix buffer overflow in trans_stat_show Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 110/476] btrfs: add definition for EXTENT_TREE_V2 Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 111/476] NFSD: Modernize nfsd4_release_lockowner() Greg Kroah-Hartman
2024-02-21 22:19 ` Wang Yugui
2024-02-22 6:12 ` Greg Kroah-Hartman
2024-02-22 13:02 ` Wang Yugui
2024-02-22 13:06 ` Greg Kroah-Hartman
2024-02-22 13:33 ` Chuck Lever III
2024-02-21 13:02 ` [PATCH 5.15 112/476] NFSD: Add documenting comment for nfsd4_release_lockowner() Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 113/476] ksmbd: fix global oob in ksmbd_nl_policy Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 114/476] cpufreq: intel_pstate: Drop redundant intel_pstate_get_hwp_cap() call Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 115/476] cpufreq: intel_pstate: Refine computation of P-state for given frequency Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 116/476] drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33] Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 117/476] drm/exynos: fix accidental on-stack copy of exynos_drm_plane Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 118/476] drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 119/476] gpio: eic-sprd: Clear interrupt after set the interrupt type Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 120/476] block: Move checking GENHD_FL_NO_PART to bdev_add_partition() Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 121/476] spi: bcm-qspi: fix SFDP BFPT read by usig mspi read Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 122/476] mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 123/476] tick/sched: Preserve number of idle sleeps across CPU hotplug events Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 124/476] x86/entry/ia32: Ensure s32 is sign extended to s64 Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 125/476] powerpc/mm: Fix null-pointer dereference in pgtable_cache_add Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 126/476] arm64: irq: set the correct node for VMAP stack Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 127/476] drivers/perf: pmuv3: dont expose SW_INCR event in sysfs Greg Kroah-Hartman
2024-02-21 13:02 ` [PATCH 5.15 128/476] powerpc: Fix build error due to is_valid_bugaddr() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 129/476] powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 130/476] powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 131/476] x86/boot: Ignore NMIs during very early boot Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 132/476] powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 133/476] powerpc/lib: Validate size for vector operations Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 134/476] x86/mce: Mark fatal MCEs page as poison to avoid panic in the kdump kernel Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 135/476] perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 136/476] debugobjects: Stop accessing objects after releasing hash bucket lock Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 137/476] regulator: core: Only increment use_count when enable_count changes Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 138/476] audit: Send netlink ACK before setting connection in auditd_set Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 139/476] ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 140/476] PNP: ACPI: fix fortify warning Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 141/476] ACPI: extlog: fix NULL pointer dereference check Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 142/476] PM / devfreq: Synchronize devfreq_monitor_[start/stop] Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 143/476] ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 144/476] FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 145/476] UBSAN: array-index-out-of-bounds in dtSplitRoot Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 146/476] jfs: fix slab-out-of-bounds Read in dtSearch Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 147/476] jfs: fix array-index-out-of-bounds in dbAdjTree Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 148/476] jfs: fix uaf in jfs_evict_inode Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 149/476] pstore/ram: Fix crash when setting number of cpus to an odd number Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 150/476] crypto: octeontx2 - Fix cptvf driver cleanup Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 151/476] crypto: stm32/crc32 - fix parsing list of devices Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 152/476] afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 153/476] afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 154/476] rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 155/476] jfs: fix array-index-out-of-bounds in diNewExt Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 156/476] arch: consolidate arch_irq_work_raise prototypes Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 157/476] s390/ptrace: handle setting of fpc register correctly Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 158/476] KVM: s390: fix setting of fpc register Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 159/476] SUNRPC: Fix a suspicious RCU usage warning Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 160/476] ecryptfs: Reject casefold directory inodes Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 161/476] ext4: fix inconsistent between segment fstrim and full fstrim Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 162/476] ext4: unify the type of flexbg_size to unsigned int Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 163/476] ext4: remove unnecessary check from alloc_flex_gd() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 164/476] ext4: avoid online resizing failures due to oversized flex bg Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 165/476] wifi: rt2x00: restart beacon queue when hardware reset Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 166/476] selftests/bpf: satisfy compiler by having explicit return in btf test Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 167/476] selftests/bpf: Fix pyperf180 compilation failure with clang18 Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 168/476] selftests/bpf: Fix issues in setup_classid_environment() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 169/476] scsi: lpfc: Fix possible file string name overflow when updating firmware Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 170/476] PCI: Add no PM reset quirk for NVIDIA Spectrum devices Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 171/476] bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 172/476] scsi: arcmsr: Support new PCI device IDs 1883 and 1886 Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 173/476] ARM: dts: imx7d: Fix coresight funnel ports Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 174/476] ARM: dts: imx7s: Fix lcdif compatible Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 175/476] ARM: dts: imx7s: Fix nand-controller #size-cells Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 176/476] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 177/476] bpf: Add map and need_defer parameters to .map_fd_put_ptr() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 178/476] scsi: libfc: Dont schedule abort twice Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 179/476] scsi: libfc: Fix up timeout error in fc_fcp_rec_error() Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 180/476] bpf: Set uattr->batch.count as zero before batched update or deletion Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 181/476] ARM: dts: rockchip: fix rk3036 hdmi ports node Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 182/476] ARM: dts: imx25/27-eukrea: Fix RTC node name Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 183/476] ARM: dts: imx: Use flash@0,0 pattern Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 184/476] ARM: dts: imx27: Fix sram node Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 185/476] ARM: dts: imx1: " Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 186/476] ionic: pass opcode to devcmd_wait Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 187/476] block/rnbd-srv: Check for unlikely string overflow Greg Kroah-Hartman
2024-02-21 13:03 ` [PATCH 5.15 188/476] ARM: dts: imx25: Fix the iim compatible string Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 189/476] ARM: dts: imx25/27: Pass timing0 Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 190/476] ARM: dts: imx27-apf27dev: Fix LED name Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 191/476] ARM: dts: imx23-sansa: Use preferred i2c-gpios properties Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 192/476] ARM: dts: imx23/28: Fix the DMA controller node name Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 193/476] net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 194/476] block: prevent an integer overflow in bvec_try_merge_hw_page Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 195/476] md: Whenassemble the array, consult the superblock of the freshest device Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 196/476] arm64: dts: qcom: msm8996: Fix in-ports is a required property Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 197/476] arm64: dts: qcom: msm8998: Fix out-ports " Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 198/476] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 199/476] libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 200/476] ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 201/476] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 202/476] wifi: cfg80211: free beacon_ies when overridden from hidden BSS Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 203/476] Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066 Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 204/476] Bluetooth: L2CAP: Fix possible multiple reject send Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 205/476] bridge: cfm: fix enum typo in br_cc_ccm_tx_parse Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 206/476] i40e: Fix VF disable behavior to block all traffic Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 207/476] octeontx2-af: Fix max NPC MCAM entry check while validating ref_entry Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 208/476] f2fs: fix to check return value of f2fs_reserve_new_block() Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 209/476] ALSA: hda: Refer to correct stream index at loops Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 210/476] ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 211/476] fast_dput(): handle underflows gracefully Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 212/476] RDMA/IPoIB: Fix error code return in ipoib_mcast_join Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 213/476] drm/amd/display: Fix tiled display misalignment Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 214/476] f2fs: fix write pointers on zoned device after roll forward Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 215/476] drm/drm_file: fix use of uninitialized variable Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 216/476] drm/framebuffer: Fix " Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 217/476] drm/mipi-dsi: Fix detach call without attach Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 218/476] media: stk1160: Fixed high volume of stk1160_dbg messages Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 219/476] media: rockchip: rga: fix swizzling for RGB formats Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 220/476] PCI: add INTEL_HDA_ARL to pci_ids.h Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 221/476] ALSA: hda: Intel: add HDA_ARL PCI ID support Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 222/476] ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 223/476] media: rkisp1: Drop IRQF_SHARED Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 224/476] f2fs: fix to tag gcing flag on page during block migration Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 225/476] drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 226/476] IB/ipoib: Fix mcast list locking Greg Kroah-Hartman
2024-03-08 20:21 ` Harshit Mogalapalli
2024-02-21 13:04 ` [PATCH 5.15 227/476] media: ddbridge: fix an error code problem in ddb_probe Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 228/476] media: i2c: imx335: Fix hblank min/max values Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 229/476] drm/msm/dpu: Ratelimit framedone timeout msgs Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 230/476] drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 231/476] clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 232/476] clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 233/476] watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786 Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 234/476] drm/amd/display: make flip_timestamp_in_us a 64-bit variable Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 235/476] clk: imx: scu: Fix memory leak in __imx_clk_gpr_scu() Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 236/476] clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 237/476] drm/amdgpu: Let KFD sync with VM fences Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 238/476] drm/amdgpu: Drop fence check in to_amdgpu_amdkfd_fence() Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 239/476] ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140 Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 240/476] leds: trigger: panic: Dont register panic notifier if creating the trigger failed Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 241/476] um: Fix naming clash between UML and scheduler Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 242/476] um: Dont use vfprintf() for os_info() Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 243/476] um: net: Fix return type of uml_net_start_xmit() Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 244/476] um: time-travel: fix time corruption Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 245/476] i3c: master: cdns: Update maximum prescaler value for i2c clock Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 246/476] xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 247/476] mfd: ti_am335x_tscadc: Fix TI SoC dependencies Greg Kroah-Hartman
2024-02-21 13:04 ` [PATCH 5.15 248/476] mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 249/476] PCI: Only override AMD USB controller if required Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 250/476] PCI: switchtec: Fix stdev_release() crash after surprise hot remove Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 251/476] perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 252/476] usb: hub: Replace hardcoded quirk value with BIT() macro Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 253/476] selftests/sgx: Fix linker script asserts Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 254/476] tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 255/476] fs/kernfs/dir: obey S_ISGID Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 256/476] PCI: Fix 64GT/s effective data rate calculation Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 257/476] PCI/AER: Decode Requester ID when no error info found Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 258/476] misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback Greg Kroah-Hartman
2024-02-21 18:15 ` Hans de Goede
2024-02-21 13:05 ` [PATCH 5.15 259/476] libsubcmd: Fix memory leak in uniq() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 260/476] drm/amdkfd: Fix lock dependency warning Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 261/476] =?UTF-8?q?virtio=5Fnet:=20Fix=20"=E2=80=98%d=E2=80=99=20directive?= =?UTF-8?q?=20writing=20between=201=20and=2011=20bytes=20into=20a=20region?= =?UTF-8?q?=20of=20size=2010"=20warnings?= Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 262/476] blk-mq: fix IO hang from sbitmap wakeup race Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 263/476] ceph: fix deadlock or deadcode of misusing dget() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 264/476] drm/amd/powerplay: Fix kzalloc parameter ATOM_Tonga_PPM_Table in get_platform_power_management_table() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 265/476] drm/amdgpu: Release adev->pm.fw before return in amdgpu_device_need_post() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 266/476] drm/amdkfd: Fix node NULL check in svm_range_get_range_boundaries() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 267/476] perf: Fix the nr_addr_filters fix Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 268/476] wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 269/476] drm: using mul_u32_u32() requires linux/math64.h Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 270/476] scsi: isci: Fix an error code problem in isci_io_request_build() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 271/476] scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 272/476] selftests: net: give more time for GRO aggregation Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 273/476] ip6_tunnel: use dev_sw_netstats_rx_add() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 274/476] ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 275/476] tcp: add sanity checks to rx zerocopy Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 276/476] ixgbe: Remove non-inclusive language Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 277/476] ixgbe: Refactor returning internal error codes Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 278/476] ixgbe: Refactor overtemp event handling Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 279/476] ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 280/476] ipv6: Ensure natural alignment of const ipv6 loopback and router addresses Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 281/476] llc: call sock_orphan() at release time Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 282/476] bridge: mcast: fix disabled snooping after long uptime Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 283/476] netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 284/476] netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 285/476] netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 286/476] net: ipv4: fix a memleak in ip_setup_cork Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 287/476] af_unix: fix lockdep positive in sk_diag_dump_icons() Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 288/476] selftests: net: fix available tunnels detection Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 289/476] net: sysfs: Fix /sys/class/net/<iface> path Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 290/476] arm64: irq: set the correct node for shadow call stack Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 291/476] [PATCH 5.15 6.1] gve: Fix use-after-free vulnerability Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 292/476] HID: apple: Add support for the 2021 Magic Keyboard Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 293/476] HID: apple: Add 2021 magic keyboard FN key mapping Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 294/476] bonding: remove print in bond_verify_device_path Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 295/476] ASoC: codecs: lpass-wsa-macro: fix compander volume hack Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 296/476] dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 297/476] dmaengine: ti: k3-udma: Report short packet errors Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 298/476] dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 299/476] dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 300/476] phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 301/476] dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 302/476] phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 303/476] drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 304/476] net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 305/476] selftests: net: cut more slack for gro fwd tests Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 306/476] selftests: net: avoid just another constant wait Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 307/476] tunnels: fix out of bounds access when building IPv6 PMTU error Greg Kroah-Hartman
2024-02-21 13:05 ` [PATCH 5.15 308/476] atm: idt77252: fix a memleak in open_card_ubr0 Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 309/476] octeontx2-pf: Fix a memleak otx2_sq_init Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 310/476] hwmon: (aspeed-pwm-tacho) mutex for tach reading Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 311/476] hwmon: (coretemp) Fix out-of-bounds memory access Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 312/476] hwmon: (coretemp) Fix bogus core_id to attr name mapping Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 313/476] inet: read sk->sk_family once in inet_recv_error() Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 314/476] rxrpc: Fix response to PING RESPONSE ACKs to a dead call Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 315/476] tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 316/476] af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 317/476] ppp_async: limit MRU to 64K Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 318/476] netfilter: nft_compat: reject unused compat flag Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 319/476] netfilter: nft_compat: restrict match/target protocol to u16 Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 320/476] drm/amd/display: Fix multiple memory leaks reported by coverity Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 321/476] drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 322/476] netfilter: nft_ct: reject direction for ct id Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 323/476] netfilter: nft_set_pipapo: store index in scratch maps Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 324/476] netfilter: nft_set_pipapo: add helper to release pcpu scratch area Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 325/476] netfilter: nft_set_pipapo: remove scratch_aligned pointer Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 326/476] fs/ntfs3: Fix an NULL dereference bug Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 327/476] scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 328/476] blk-iocost: Fix an UBSAN shift-out-of-bounds warning Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 329/476] drivers: lkdtm: fix clang -Wformat warning Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 330/476] ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 331/476] USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 332/476] USB: serial: option: add Fibocom FM101-GL variant Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 333/476] USB: serial: cp210x: add ID for IMST iM871A-USB Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 334/476] usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 335/476] usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 336/476] hrtimer: Report offline hrtimer enqueue Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 337/476] Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 338/476] Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 339/476] vhost: use kzalloc() instead of kmalloc() followed by memset() Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 340/476] clocksource: Skip watchdog check for large watchdog intervals Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 341/476] net: stmmac: xgmac: use #define for string constants Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 342/476] net: stmmac: xgmac: fix a typo of register name in DPP safety handling Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 343/476] netfilter: nft_set_rbtree: skip end interval element from gc Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 344/476] btrfs: forbid creating subvol qgroups Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 345/476] btrfs: do not ASSERT() if the newly created subvolume already got read Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 346/476] btrfs: forbid deleting live subvol qgroup Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 347/476] btrfs: send: return EOPNOTSUPP on unknown flags Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 348/476] of: unittest: Fix compile in the non-dynamic case Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 349/476] wifi: iwlwifi: Fix some error codes Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 350/476] net: openvswitch: limit the number of recursions from action sets Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 351/476] spi: ppc4xx: Drop write-only variable Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 352/476] ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work() Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 353/476] net: sysfs: Fix /sys/class/net/<iface> path for statistics Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 354/476] MIPS: Add memory clobber to csum_ipv6_magic() inline assembler Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 355/476] i40e: Fix waiting for queues of all VSIs to be disabled Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 356/476] scs: add CONFIG_MMU dependency for vfree_atomic() Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 357/476] tracing/trigger: Fix to return error if failed to alloc snapshot Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 358/476] mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 359/476] scsi: storvsc: Fix ring buffer size calculation Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 360/476] ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift 1 SF114-32 Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 361/476] ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 362/476] HID: i2c-hid-of: fix NULL-deref on failed power up Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 363/476] HID: wacom: generic: Avoid reporting a serial of 0 to userspace Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 364/476] HID: wacom: Do not register input devices until after hid_hw_start Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 365/476] iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 366/476] usb: ucsi_acpi: Fix command completion handling Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 367/476] USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT Greg Kroah-Hartman
2024-02-21 13:06 ` [PATCH 5.15 368/476] usb: f_mass_storage: forbid async queue when shutdown happen Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 369/476] usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 370/476] media: ir_toy: fix a memleak in irtoy_tx Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 371/476] powerpc/kasan: Fix addr error caused by page alignment Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 372/476] i2c: i801: Remove i801_set_block_buffer_mode Greg Kroah-Hartman
2024-02-26 13:29 ` Jean Delvare
2024-02-26 14:56 ` Greg Kroah-Hartman
2024-02-26 15:54 ` Jean Delvare
2024-02-21 13:07 ` [PATCH 5.15 373/476] i2c: i801: Fix block process call transactions Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 374/476] modpost: trim leading spaces when processing source files list Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 375/476] mptcp: fix data re-injection from stale subflow Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 376/476] scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 377/476] Revert "drm/amd: flush any delayed gfxoff on suspend entry" Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 378/476] lsm: fix the logic in security_inode_getsecctx() Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 379/476] firewire: core: correct documentation of fw_csr_string() kernel API Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 380/476] kbuild: Fix changing ELF file type for output of gen_btf for big endian Greg Kroah-Hartman
2024-02-21 16:54 ` Nathan Chancellor
2024-02-22 8:27 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 381/476] nfc: nci: free rx_data_reassembly skb on NCI device cleanup Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 382/476] net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 383/476] xen-netback: properly sync TX responses Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 384/476] ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 385/476] ASoC: codecs: wcd938x: handle deferred probe Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 386/476] ALSA: hda/cs8409: Suppress vmaster control for Dolphin models Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 387/476] binder: signal epoll threads of self-work Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 388/476] misc: fastrpc: Mark all sessions as invalid in cb_remove Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 389/476] ext4: fix double-free of blocks due to wrong extents moved_len Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 390/476] tracing: Fix wasted memory in saved_cmdlines logic Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 391/476] staging: iio: ad5933: fix type mismatch regression Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 392/476] iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 393/476] iio: core: fix memleak in iio_device_register_sysfs Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 394/476] iio: accel: bma400: Fix a compilation problem Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 395/476] media: rc: bpf attach/detach requires write permission Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 396/476] drm/prime: Support page array >= 4GB Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 397/476] hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 398/476] ring-buffer: Clean ring_buffer_poll_wait() error return Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 399/476] serial: max310x: set default value when reading clock ready bit Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 400/476] serial: max310x: improve crystal stable clock detection Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 401/476] serial: max310x: fail probe if clock crystal is unstable Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 402/476] powerpc/64: Set task pt_regs->link to the LR value on scv entry Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 403/476] x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 404/476] x86/mm/ident_map: Use gbpages only where full GB page should be mapped Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 405/476] mmc: slot-gpio: Allow non-sleeping GPIO ro Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 406/476] ALSA: hda/conexant: Add quirk for SWS JS201D Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 407/476] nilfs2: fix data corruption in dsync block recovery for small block sizes Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 408/476] nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 409/476] crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 410/476] nfp: use correct macro for LengthSelect in BAR config Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 411/476] nfp: flower: prevent re-adding mac index for bonded port Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 412/476] wifi: mac80211: reload info pointer in ieee80211_tx_dequeue() Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 413/476] irqchip/irq-brcmstb-l2: Add write memory barrier before exit Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 414/476] irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 415/476] net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 416/476] s390/qeth: Fix potential loss of L3-IP@ in case of network issues Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 417/476] net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 418/476] ceph: prevent use-after-free in encode_cap_msg() Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 419/476] mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 420/476] of: property: fix typo in io-channels Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 421/476] can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 422/476] can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 423/476] pmdomain: core: Move the unused cleanup to a _sync initcall Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 424/476] tracing: Inform kmemleak of saved_cmdlines allocation Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 425/476] af_unix: Fix task hung while purging oob_skb in GC Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 426/476] dma-buf: add dma_fence_timestamp helper Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 427/476] mwifiex: Select firmware based on strapping Greg Kroah-Hartman
2024-02-21 14:17 ` Alvin Šipraga
2024-02-22 8:33 ` Greg Kroah-Hartman
2024-02-21 13:07 ` [PATCH 5.15 428/476] wifi: mwifiex: Support SD8978 chipset Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 429/476] wifi: mwifiex: add extra delay for firmware ready Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 430/476] bus: moxtet: Add spi device table Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 431/476] wifi: mwifiex: fix uninitialized firmware_stat Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 432/476] crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 433/476] usb: dwc3: gadget: Wait for ep0 xfers to complete during dequeue Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 434/476] usb: dwc3: ep0: Dont prepare beyond Setup stage Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 435/476] usb: dwc3: gadget: Only End Transfer for ep0 data phase Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 436/476] usb: dwc3: gadget: Delay issuing End Transfer Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 437/476] usb: dwc3: Fix ep0 handling when getting reset while doing control transfer Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 438/476] usb: dwc3: gadget: Force sending delayed status during soft disconnect Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 439/476] usb: dwc3: gadget: Submit endxfer command if delayed during disconnect Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 440/476] usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 441/476] usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 442/476] usb: dwc3: gadget: Handle EP0 request dequeuing properly Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 443/476] usb: dwc3: gadget: Queue PM runtime idle on disconnect event Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 444/476] serial: 8250_exar: Fill in rs485_supported Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 445/476] serial: 8250_exar: Set missing rs485_supported flag Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 446/476] fbdev/defio: Early-out if page is already enlisted Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 447/476] fbdev: Dont sort deferred-I/O pages by default Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 448/476] fbdev: defio: fix the pagelist corruption Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 449/476] fbdev: Track deferred-I/O pages in pageref struct Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 450/476] fbdev: Rename pagelist to pagereflist for deferred I/O Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 451/476] fbdev: Fix invalid page access after closing deferred I/O devices Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 452/476] fbdev: Fix incorrect page mapping clearance at fb_deferred_io_release() Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 453/476] fbdev: flush deferred IO before closing Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 454/476] scripts/decode_stacktrace.sh: support old bash version Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 455/476] scripts: decode_stacktrace: demangle Rust symbols Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 456/476] scripts/decode_stacktrace.sh: optionally use LLVM utilities Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 457/476] netfilter: ipset: fix performance regression in swap operation Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 458/476] hrtimer: Ignore slack time for RT tasks in schedule_hrtimeout_range() Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 459/476] net: prevent mss overflow in skb_segment() Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 460/476] netfilter: ipset: Missing gc cancellations fixed Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 461/476] sched/membarrier: reduce the ability to hammer on sys_membarrier Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 462/476] nilfs2: fix potential bug in end_buffer_async_write Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 463/476] nilfs2: replace WARN_ONs for invalid DAT metadata block requests Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 464/476] dm: limit the number of targets and parameter size area Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 465/476] arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 466/476] PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend() Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 467/476] drm/msm/dsi: Enable runtime PM Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 468/476] Revert "selftests/bpf: Test tail call counting with bpf2bpf and data on stack" Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 469/476] net: bcmgenet: Fix EEE implementation Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 470/476] fs/ntfs3: Add null pointer checks Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 471/476] smb3: Replace smb2pdu 1-element arrays with flex-arrays Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 472/476] staging: fbtft: core: set smem_len before fb_deferred_io_init call Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 473/476] usb: dwc3: gadget: Dont delay End Transfer on delayed_status Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 474/476] usb: dwc3: gadget: Execute gadget stop after halting the controller Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 475/476] media: Revert "media: rkisp1: Drop IRQF_SHARED" Greg Kroah-Hartman
2024-02-21 13:08 ` [PATCH 5.15 476/476] usb: dwc3: gadget: Ignore End Transfer delay on teardown Greg Kroah-Hartman
2024-02-21 19:48 ` [PATCH 5.15 000/476] 5.15.149-rc1 review Jon Hunter
2024-02-21 23:43 ` Shuah Khan
2024-02-21 23:58 ` Florian Fainelli
2024-02-22 9:06 ` Shreeya Patel
2024-02-22 11:49 ` Naresh Kamboju
2024-02-22 19:22 ` Harshit Mogalapalli
2024-02-22 20:27 ` Allen
2024-02-22 23:13 ` Ron Economos
2024-02-23 1:24 ` Kelsey Steele
2024-04-25 22:46 ` Guenter Roeck
2024-04-26 8:44 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).