* [PATCH 4.19 000/175] 4.19.312-rc1 review
@ 2024-04-11 9:53 Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 001/175] Documentation/hw-vuln: Update spectre doc Greg Kroah-Hartman
` (180 more replies)
0 siblings, 181 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
This is the start of the stable review cycle for the 4.19.312 release.
There are 175 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 13 Apr 2024 09:53:55 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.312-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.19.312-rc1
Geert Uytterhoeven <geert@linux-m68k.org>
initramfs: fix populate_initrd_image() section mismatch
Hangbin Liu <liuhangbin@gmail.com>
ip_gre: do not report erspan version on GRE interface
William Tu <u9012063@gmail.com>
erspan: Check IFLA_GRE_ERSPAN_VER is set.
Vasiliy Kovalev <kovalev@altlinux.org>
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: btintel: Fixe build regression
David Hildenbrand <david@redhat.com>
x86/mm/pat: fix VM_PAT handling in COW mappings
David Hildenbrand <david@redhat.com>
virtio: reenable config if freezing device failed
Guo Mengqi <guomengqi3@huawei.com>
drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put()
Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
Roman Smirnov <r.smirnov@omp.ru>
fbmon: prevent division by zero in fb_videomode_from_videomode()
Aleksandr Burakov <a.burakov@rosalinux.ru>
fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2
Colin Ian King <colin.i.king@gmail.com>
usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined
Petre Rodan <petre.rodan@subdimension.ro>
tools: iio: replace seekdir() in iio_generic_buffer
Ricardo B. Marliere <ricardo@marliere.net>
ktest: force $buildonly = 1 for 'make_warnings_file' test type
Gergo Koteles <soyer@irl.hu>
Input: allocate keycode for Display refresh rate toggle
Roman Smirnov <r.smirnov@omp.ru>
block: prevent division by zero in blk_rq_stat_sum()
Dai Ngo <dai.ngo@oracle.com>
SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int
Aric Cyr <aric.cyr@amd.com>
drm/amd/display: Fix nanosec stat overflow
Arnd Bergmann <arnd@arndb.de>
media: sta2x11: fix irq handler cast
Alex Henrie <alexhenrie24@gmail.com>
isofs: handle CDs with bad root inode but good Joliet root directory
Justin Tee <justin.tee@broadcom.com>
scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
sysv: don't call sb_bread() with pointers_lock held
Kunwu Chan <chentao@kylinos.cn>
Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails
Edward Adam Davis <eadavis@qq.com>
Bluetooth: btintel: Fix null ptr deref in btintel_read_version
David Sterba <dsterba@suse.com>
btrfs: send: handle path ref underflow in header iterate_inode_ref()
David Sterba <dsterba@suse.com>
btrfs: export: handle invalid inode or root reference in btrfs_get_parent()
David Sterba <dsterba@suse.com>
btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
Johan Jonker <jbx6244@gmail.com>
arm64: dts: rockchip: fix rk3399 hdmi ports node
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
Markus Elfring <elfring@users.sourceforge.net>
batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data()
Dmitry Antipov <dmantipov@yandex.ru>
wifi: ath9k: fix LNA selection in ath_ant_try_scan()
I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
Arnd Bergmann <arnd@arndb.de>
ata: sata_mv: Fix PCI device ID table declaration compilation warning
Arnd Bergmann <arnd@arndb.de>
ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit
Stephen Lee <slee08177@gmail.com>
ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
Eric Dumazet <edumazet@google.com>
erspan: make sure erspan_base_hdr is present in skb->head
William Tu <u9012063@gmail.com>
erspan: Add type I version 0 support.
John Sperbeck <jsperbeck@google.com>
init: open /initrd.image with O_LARGEFILE
Christoph Hellwig <hch@lst.de>
initramfs: switch initramfs unpacking to struct file based APIs
Christoph Hellwig <hch@lst.de>
fs: add a vfs_fchmod helper
Christoph Hellwig <hch@lst.de>
fs: add a vfs_fchown helper
Christoph Hellwig <hch@lst.de>
initramfs: factor out a helper to populate the initrd image
Dan Carpenter <dan.carpenter@linaro.org>
staging: vc04_services: fix information leak in create_component()
Arnd Bergmann <arnd@arndb.de>
staging: vc04_services: changen strncpy() to strscpy_pad()
Dave Stevenson <dave.stevenson@raspberrypi.org>
staging: mmal-vchiq: Fix client_component for 64 bit kernel
Dave Stevenson <dave.stevenson@raspberrypi.org>
staging: mmal-vchiq: Allocate and free components as required
Dave Stevenson <dave.stevenson@raspberrypi.org>
staging: mmal-vchiq: Avoid use of bool in structures
Aleksandr Loktionov <aleksandr.loktionov@intel.com>
i40e: fix vf may be used uninitialized in this function warning
Kuniyuki Iwashima <kuniyu@amazon.com>
ipv6: Fix infinite recursion in fib6_dump_done().
Jakub Kicinski <kuba@kernel.org>
selftests: reuseaddr_conflict: add missing new line at the end of the output
Piotr Wejman <piotrwejman90@gmail.com>
net: stmmac: fix rx queue priority assignment
Eric Dumazet <edumazet@google.com>
net/sched: act_skbmod: prevent kernel-infoleak
Ziyang Xuan <william.xuanziyang@huawei.com>
netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
Vlastimil Babka <vbabka@suse.cz>
mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations
Ingo Molnar <mingo@kernel.org>
Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped."
Mahmoud Adam <mngyadam@amazon.com>
net/rds: fix possible cp null dereference
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: disallow timeout for anonymous sets
Bastien Nocera <hadess@hadess.net>
Bluetooth: Fix TOCTOU in HCI debugfs implementation
Hui Wang <hui.wang@canonical.com>
Bluetooth: hci_event: set the conn encrypted before conn establishes
Heiner Kallweit <hkallweit1@gmail.com>
r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d
Eric Dumazet <edumazet@google.com>
tcp: properly terminate timers for kernel sockets
Geliang Tang <geliangtang@gmail.com>
mptcp: add sk_stop_timer_sync helper
Ryosuke Yasuoka <ryasuoka@redhat.com>
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
Alan Stern <stern@rowland.harvard.edu>
USB: core: Fix deadlock in usb_deauthorize_interface()
Muhammad Usama Anjum <usama.anjum@collabora.com>
scsi: lpfc: Correct size for wqe for memset()
Christoph Niedermaier <cniedermaier@dh-electronics.com>
drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check()
Thomas Gleixner <tglx@linutronix.de>
timers: Move clearing of base::timer_running under base:: Lock
Kim Phillips <kim.phillips@amd.com>
x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
Quinn Tran <qutran@marvell.com>
scsi: qla2xxx: Fix command flush on cable pull
yuan linyu <yuanlinyu@hihonor.com>
usb: udc: remove warning when queue disabled ep
Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
usb: dwc2: gadget: LPM flow fix
Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
usb: dwc2: host: Fix ISOC flow in DDMA mode
Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
usb: dwc2: host: Fix hibernation flow
Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
usb: dwc2: host: Fix remote wakeup from hibernation
Zhong Jinghua <zhongjinghua@huawei.com>
loop: loop_set_status_from_info() check before assignment
Siddh Raman Pant <code@siddh.me>
loop: Check for overflow while configuring loop
Martijn Coenen <maco@android.com>
loop: Factor out configuring loop from status
Nathan Chancellor <nathan@kernel.org>
powerpc: xor_vmx: Add '-mhard-float' to CFLAGS
Tim Schumacher <timschumi@gmx.de>
efivarfs: Request at most 512 bytes for variable names
Yang Jihong <yangjihong1@huawei.com>
perf/core: Fix reentry problem in perf_output_read_group()
Holger Hoffstätte <holger.hoffstaette@googlemail.com>
loop: properly observe rotational flag of underlying device
Martijn Coenen <maco@android.com>
loop: Refactor loop_set_status() size calculation
Martijn Coenen <maco@android.com>
loop: Factor out setting loop device size
Martijn Coenen <maco@android.com>
loop: Remove sector_t truncation checks
Martijn Coenen <maco@android.com>
loop: Call loop_config_discard() only after new config is applied
Genjian Zhang <zhanggenjian@kylinos.cn>
Revert "loop: Check for overflow while configuring loop"
Goldwyn Rodrigues <rgoldwyn@suse.com>
btrfs: allocate btrfs_ioctl_defrag_range_args on stack
John Ogness <john.ogness@linutronix.de>
printk: Update @console_may_schedule in console_trylock_spinning()
Bart Van Assche <bvanassche@acm.org>
fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
Duoming Zhou <duoming@zju.edu.cn>
ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
Oliver Neukum <oneukum@suse.com>
usb: cdc-wdm: close race between read and workqueue
Max Filippov <jcmvbkbc@gmail.com>
exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
Felix Fietkau <nbd@nbd.name>
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
Zi Yan <ziy@nvidia.com>
mm/migrate: set swap entry values of THP tail pages properly.
Liu Shixin <liushixin2@huawei.com>
mm/memory-failure: fix an incorrect use of tail pages
Yangxi Xiang <xyangxi5@gmail.com>
vt: fix memory overlapping when deleting chars in the buffer
Nicolas Pitre <nico@fluxnic.net>
vt: fix unicode buffer corruption when deleting characters
Sherry Sun <sherry.sun@nxp.com>
tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled
Mathias Nyman <mathias.nyman@linux.intel.com>
usb: port: Don't try to peer unused USB ports based on location
Krishna Kurapati <quic_kriskura@quicinc.com>
usb: gadget: ncm: Fix handling of zero block length packets
Alan Stern <stern@rowland.harvard.edu>
USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command
Kailang Yang <kailang@realtek.com>
ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform
Nathan Chancellor <nathan@kernel.org>
xfrm: Avoid clang fortify warning in copy_to_user_tmpl()
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: reject constant set with timeout
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: disallow anonymous set with timeout flag
Ian Abbott <abbotti@mev.co.uk>
comedi: comedi_test: Prevent timers rescheduling during deletion
Conrad Kostecki <conikost@gentoo.org>
ahci: asm1064: asm1166: don't limit reported ports
Andrey Jr. Melnikov <temnota.am@gmail.com>
ahci: asm1064: correct count of reported ports
Borislav Petkov (AMD) <bp@alien8.de>
x86/CPU/AMD: Update the Zenbleed microcode revisions
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: prevent kernel bug at submit_bh_wbc()
Joe Perches <joe@perches.com>
nilfs2: use a more common logging style
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
Qiang Zhang <qiang4.zhang@intel.com>
memtest: use {READ,WRITE}_ONCE in memory scanning
Jani Nikula <jani.nikula@intel.com>
drm/vc4: hdmi: do not return negative values from .get_modes()
Jani Nikula <jani.nikula@intel.com>
drm/imx/ipuv3: do not return negative values from .get_modes()
Boris Brezillon <boris.brezillon@collabora.com>
drm/imx: pd: Use bus format/flags provided by the bridge when available
Harald Freudenberger <freude@linux.ibm.com>
s390/zcrypt: fix reference counting on zcrypt card objects
Sean Anderson <sean.anderson@linux.dev>
soc: fsl: qbman: Use raw spinlock for cgr_lock
Sean Anderson <sean.anderson@seco.com>
soc: fsl: qbman: Add CGR update function
Sean Anderson <sean.anderson@seco.com>
soc: fsl: qbman: Add helper for sanity checking cgr ops
Sean Anderson <sean.anderson@linux.dev>
soc: fsl: qbman: Always disable interrupts when taking cgr_lock
Alex Williamson <alex.williamson@redhat.com>
vfio/platform: Disable virqfds on cleanup
Nathan Chancellor <nathan@kernel.org>
kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1
Samuel Thibault <samuel.thibault@ens-lyon.org>
speakup: Fix 8bit characters from direct synth
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
slimbus: core: Remove usage of the deprecated ida_simple_xx() API
Maximilian Heyne <mheyne@amazon.de>
ext4: fix corruption during on-line resize
Josua Mayer <josua@solid-run.com>
hwmon: (amc6821) add of_match table
Dominique Martinet <dominique.martinet@atmark-techno.com>
mmc: core: Fix switch on gp3 partition
Yu Kuai <yukuai3@huawei.com>
dm-raid: fix lockdep waring in "pers->hot_add_disk"
Song Liu <song@kernel.org>
Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d""
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PCI/PM: Drain runtime-idle callbacks before driver removal
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
PCI: Drop pci_device_remove() test of pci_dev->driver
Miklos Szeredi <mszeredi@redhat.com>
fuse: don't unhash root
Wolfram Sang <wsa+renesas@sang-engineering.com>
mmc: tmio: avoid concurrent runs of mmc_request_done()
Qingliang Li <qingliang.li@mediatek.com>
PM: sleep: wakeirq: fix wake irq warning in system suspend
Toru Katagiri <Toru.Katagiri@tdk.com>
USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M
Aurélien Jacobs <aurel@gnuage.org>
USB: serial: option: add MeiG Smart SLM320 product
Christian Häggström <christian.haggstrom@orexplore.com>
USB: serial: cp210x: add ID for MGP Instruments PDS100
Cameron Williams <cang1@live.co.uk>
USB: serial: add device ID for VeriFone adapter
Daniel Vogelbacher <daniel@chaospixel.com>
USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB
Michael Ellerman <mpe@ellerman.id.au>
powerpc/fsl: Fix mfpmr build errors with newer binutils
Gabor Juhos <j4g8y7@gmail.com>
clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays
Gabor Juhos <j4g8y7@gmail.com>
clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays
Gabor Juhos <j4g8y7@gmail.com>
clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays
Maulik Shah <quic_mkshah@quicinc.com>
PM: suspend: Set mem_sleep_current during kernel command line setup
Guenter Roeck <linux@roeck-us.net>
parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds
Guenter Roeck <linux@roeck-us.net>
parisc: Fix csum_ipv6_magic on 64-bit systems
Guenter Roeck <linux@roeck-us.net>
parisc: Fix csum_ipv6_magic on 32-bit systems
Guenter Roeck <linux@roeck-us.net>
parisc: Fix ip_fast_csum
Helge Deller <deller@gmx.de>
parisc: Do not hardcode registers in checksum functions
Zhang Yi <yi.zhang@huawei.com>
ubi: correct the calculation of fastmap size
Richard Weinberger <richard@nod.at>
ubi: Check for too small LEB size in VTBL code
Matthew Wilcox (Oracle) <willy@infradead.org>
ubifs: Set page uptodate in the correct place
Jan Kara <jack@suse.cz>
fat: fix uninitialized field in nostale filehandles
Damian Muszynski <damian.muszynski@intel.com>
crypto: qat - resolve race condition during AER recovery
Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
crypto: qat - fix double free during reset
Randy Dunlap <rdunlap@infradead.org>
sparc: vDSO: fix return value of __setup handler
Randy Dunlap <rdunlap@infradead.org>
sparc64: NMI watchdog: fix return value of __setup handler
Sean Christopherson <seanjc@google.com>
KVM: Always flush async #PF workqueue when vCPU is being destroyed
Gui-Dong Han <2045gemini@gmail.com>
media: xc4000: Fix atomicity violation in xc4000_get_frequency
Duje Mihanović <duje.mihanovic@skole.hr>
arm: dts: marvell: Fix maxium->maxim typo in brownstone dts
Lubomir Rintel <lkundrak@v3.sk>
ARM: dts: mmp2-brownstone: Don't redeclare phandle references
Roberto Sassu <roberto.sassu@huawei.com>
smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()
Roberto Sassu <roberto.sassu@huawei.com>
smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()
Zheng Wang <zyytlz.wz@163.com>
wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
Thomas Gleixner <tglx@linutronix.de>
timers: Rename del_timer_sync() to timer_delete_sync()
Thomas Gleixner <tglx@linutronix.de>
timers: Use del_timer_sync() even on UP
Thomas Gleixner <tglx@linutronix.de>
timers: Update kernel-doc for various functions
Anna-Maria Gleixner <anna-maria@linutronix.de>
timers: Prepare support for PREEMPT_RT
Anna-Maria Gleixner <anna-maria@linutronix.de>
timer/trace: Improve timer tracing
Anna-Maria Gleixner <anna-maria@linutronix.de>
timer/trace: Replace deprecated vsprintf pointer extension %pf by %ps
Borislav Petkov <bp@suse.de>
x86/bugs: Use sysfs_emit()
Kim Phillips <kim.phillips@amd.com>
x86/cpu: Support AMD Automatic IBRS
Lin Yujun <linyujun809@huawei.com>
Documentation/hw-vuln: Update spectre doc
-------------
Diffstat:
Documentation/admin-guide/hw-vuln/spectre.rst | 18 +-
Documentation/admin-guide/kernel-parameters.txt | 6 +-
Makefile | 4 +-
arch/arm/boot/dts/mmp2-brownstone.dts | 330 ++++++++++-----------
arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 +-
arch/parisc/include/asm/checksum.h | 107 +++----
arch/powerpc/include/asm/reg_fsl_emb.h | 11 +-
arch/powerpc/lib/Makefile | 2 +-
arch/sparc/kernel/nmi.c | 2 +-
arch/sparc/vdso/vma.c | 7 +-
arch/x86/include/asm/cpufeatures.h | 2 +
arch/x86/include/asm/msr-index.h | 2 +
arch/x86/kernel/cpu/amd.c | 10 +-
arch/x86/kernel/cpu/bugs.c | 117 ++++----
arch/x86/kernel/cpu/common.c | 17 +-
arch/x86/mm/ident_map.c | 23 +-
arch/x86/mm/pat.c | 50 +++-
block/blk-stat.c | 2 +-
drivers/ata/ahci.c | 5 -
drivers/ata/sata_mv.c | 63 ++--
drivers/ata/sata_sx4.c | 6 +-
drivers/base/power/wakeirq.c | 4 +-
drivers/block/loop.c | 206 ++++++++-----
drivers/bluetooth/btintel.c | 2 +-
drivers/clk/qcom/gcc-ipq8074.c | 2 +
drivers/clk/qcom/mmcc-apq8084.c | 2 +
drivers/clk/qcom/mmcc-msm8974.c | 2 +
drivers/crypto/qat/qat_common/adf_aer.c | 23 +-
drivers/firmware/efi/vars.c | 17 +-
.../gpu/drm/amd/display/modules/inc/mod_stats.h | 4 +-
drivers/gpu/drm/imx/parallel-display.c | 172 +++++++++--
drivers/gpu/drm/vc4/vc4_hdmi.c | 2 +-
drivers/gpu/drm/vkms/vkms_drv.c | 2 +-
drivers/hwmon/amc6821.c | 11 +
drivers/input/rmi4/rmi_driver.c | 6 +-
drivers/md/dm-raid.c | 2 +
drivers/md/raid5.c | 12 +
drivers/media/pci/sta2x11/sta2x11_vip.c | 9 +-
drivers/media/tuners/xc4000.c | 4 +-
drivers/misc/vmw_vmci/vmci_datagram.c | 6 +-
drivers/mmc/core/block.c | 10 +-
drivers/mmc/host/tmio_mmc_core.c | 2 +
drivers/mtd/ubi/fastmap.c | 7 +-
drivers/mtd/ubi/vtbl.c | 6 +
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 34 +--
drivers/net/ethernet/realtek/r8169_main.c | 9 +
drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 40 ++-
.../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 38 ++-
drivers/net/wireless/ath/ath9k/antenna.c | 2 +-
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +-
drivers/pci/pci-driver.c | 23 +-
drivers/s390/crypto/zcrypt_api.c | 2 +
drivers/scsi/lpfc/lpfc_nportdisc.c | 6 +-
drivers/scsi/lpfc/lpfc_nvmet.c | 2 +-
drivers/scsi/qla2xxx/qla_target.c | 10 +
drivers/slimbus/core.c | 4 +-
drivers/soc/fsl/qbman/qman.c | 98 ++++--
drivers/staging/comedi/drivers/comedi_test.c | 30 +-
drivers/staging/speakup/synth.c | 4 +-
.../vc04_services/bcm2835-camera/mmal-vchiq.c | 52 ++--
.../vc04_services/bcm2835-camera/mmal-vchiq.h | 6 +-
drivers/tty/n_gsm.c | 3 +
drivers/tty/serial/fsl_lpuart.c | 7 +-
drivers/tty/vt/vt.c | 4 +-
drivers/usb/class/cdc-wdm.c | 6 +-
drivers/usb/core/port.c | 5 +-
drivers/usb/core/sysfs.c | 16 +-
drivers/usb/dwc2/core.h | 14 +
drivers/usb/dwc2/core_intr.c | 63 ++--
drivers/usb/dwc2/gadget.c | 4 +
drivers/usb/dwc2/hcd.c | 47 ++-
drivers/usb/dwc2/hcd_ddma.c | 17 +-
drivers/usb/dwc2/hw.h | 2 +-
drivers/usb/gadget/function/f_ncm.c | 2 +-
drivers/usb/gadget/udc/core.c | 4 +-
drivers/usb/host/sl811-hcd.c | 2 +
drivers/usb/serial/cp210x.c | 4 +
drivers/usb/serial/ftdi_sio.c | 2 +
drivers/usb/serial/ftdi_sio_ids.h | 6 +
drivers/usb/serial/option.c | 6 +
drivers/usb/storage/isd200.c | 23 +-
drivers/vfio/platform/vfio_platform_irq.c | 5 +-
drivers/video/fbdev/core/fbmon.c | 7 +-
drivers/video/fbdev/via/accel.c | 4 +-
drivers/virtio/virtio.c | 10 +-
fs/aio.c | 8 +-
fs/btrfs/export.c | 9 +-
fs/btrfs/ioctl.c | 25 +-
fs/btrfs/send.c | 10 +-
fs/btrfs/volumes.c | 12 +-
fs/exec.c | 1 +
fs/ext4/resize.c | 3 +-
fs/fat/nfs.c | 6 +
fs/fuse/fuse_i.h | 1 -
fs/fuse/inode.c | 7 +-
fs/isofs/inode.c | 18 +-
fs/nilfs2/alloc.c | 38 +--
fs/nilfs2/btree.c | 51 ++--
fs/nilfs2/cpfile.c | 10 +-
fs/nilfs2/dat.c | 14 +-
fs/nilfs2/direct.c | 23 +-
fs/nilfs2/gcinode.c | 2 +-
fs/nilfs2/ifile.c | 4 +-
fs/nilfs2/inode.c | 31 +-
fs/nilfs2/ioctl.c | 37 ++-
fs/nilfs2/mdt.c | 2 +-
fs/nilfs2/namei.c | 6 +-
fs/nilfs2/nilfs.h | 9 +
fs/nilfs2/page.c | 11 +-
fs/nilfs2/recovery.c | 32 +-
fs/nilfs2/segbuf.c | 2 +-
fs/nilfs2/segment.c | 38 +--
fs/nilfs2/sufile.c | 29 +-
fs/nilfs2/super.c | 57 ++--
fs/nilfs2/sysfs.c | 29 +-
fs/nilfs2/the_nilfs.c | 85 +++---
fs/open.c | 38 ++-
fs/sysv/itree.c | 10 +-
fs/ubifs/file.c | 13 +-
include/linux/fs.h | 3 +
include/linux/gfp.h | 9 +
include/linux/sunrpc/sched.h | 2 +-
include/linux/timer.h | 18 +-
include/net/erspan.h | 19 +-
include/net/inet_connection_sock.h | 1 +
include/net/sock.h | 9 +
include/soc/fsl/qman.h | 9 +
include/trace/events/timer.h | 17 +-
include/uapi/linux/input-event-codes.h | 1 +
init/initramfs.c | 75 +++--
kernel/events/core.c | 9 +
kernel/power/suspend.c | 1 +
kernel/printk/printk.c | 6 +
kernel/time/timer.c | 282 +++++++++++++-----
mm/compaction.c | 7 +-
mm/memory-failure.c | 2 +-
mm/memory.c | 4 +
mm/memtest.c | 4 +-
mm/migrate.c | 6 +-
mm/page_alloc.c | 10 +-
mm/vmscan.c | 5 +-
net/batman-adv/distributed-arp-table.c | 3 +-
net/bluetooth/hci_debugfs.c | 64 ++--
net/bluetooth/hci_event.c | 25 ++
net/core/sock.c | 7 +
net/ipv4/inet_connection_sock.c | 14 +
net/ipv4/ip_gre.c | 104 +++++--
net/ipv4/tcp.c | 2 +
net/ipv6/ip6_fib.c | 14 +-
net/ipv6/ip6_gre.c | 3 +
net/mac80211/cfg.c | 5 +-
net/netfilter/nf_tables_api.c | 22 +-
net/nfc/nci/core.c | 5 +
net/rds/rdma.c | 2 +-
net/sched/act_skbmod.c | 10 +-
net/xfrm/xfrm_user.c | 3 +
scripts/Makefile.extrawarn | 2 +
security/smack/smack_lsm.c | 12 +-
sound/pci/hda/patch_realtek.c | 9 +-
sound/sh/aica.c | 17 +-
sound/soc/soc-ops.c | 2 +-
tools/iio/iio_utils.c | 2 +-
.../x86_energy_perf_policy.c | 1 +
tools/testing/ktest/ktest.pl | 1 +
tools/testing/selftests/net/reuseaddr_conflict.c | 2 +-
virt/kvm/async_pf.c | 31 +-
166 files changed, 2248 insertions(+), 1220 deletions(-)
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 001/175] Documentation/hw-vuln: Update spectre doc
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 002/175] x86/cpu: Support AMD Automatic IBRS Greg Kroah-Hartman
` (179 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lin Yujun, Jonathan Corbet
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Yujun <linyujun809@huawei.com>
commit 06cb31cc761823ef444ba4e1df11347342a6e745 upstream.
commit 7c693f54c873691 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
adds the "ibrs " option in
Documentation/admin-guide/kernel-parameters.txt but omits it to
Documentation/admin-guide/hw-vuln/spectre.rst, add it.
Signed-off-by: Lin Yujun <linyujun809@huawei.com>
Link: https://lore.kernel.org/r/20220830123614.23007-1-linyujun809@huawei.com
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/hw-vuln/spectre.rst | 1 +
1 file changed, 1 insertion(+)
--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -625,6 +625,7 @@ kernel command line.
eibrs enhanced IBRS
eibrs,retpoline enhanced IBRS + Retpolines
eibrs,lfence enhanced IBRS + LFENCE
+ ibrs use IBRS to protect kernel
Not specifying this option is equivalent to
spectre_v2=auto.
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 002/175] x86/cpu: Support AMD Automatic IBRS
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 001/175] Documentation/hw-vuln: Update spectre doc Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 003/175] x86/bugs: Use sysfs_emit() Greg Kroah-Hartman
` (178 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kim Phillips, Borislav Petkov (AMD),
Sean Christopherson, Dave Hansen
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kim Phillips <kim.phillips@amd.com>
commit e7862eda309ecfccc36bb5558d937ed3ace07f3f upstream.
The AMD Zen4 core supports a new feature called Automatic IBRS.
It is a "set-and-forget" feature that means that, like Intel's Enhanced IBRS,
h/w manages its IBRS mitigation resources automatically across CPL transitions.
The feature is advertised by CPUID_Fn80000021_EAX bit 8 and is enabled by
setting MSR C000_0080 (EFER) bit 21.
Enable Automatic IBRS by default if the CPU feature is present. It typically
provides greater performance over the incumbent generic retpolines mitigation.
Reuse the SPECTRE_V2_EIBRS spectre_v2_mitigation enum. AMD Automatic IBRS and
Intel Enhanced IBRS have similar enablement. Add NO_EIBRS_PBRSB to
cpu_vuln_whitelist, since AMD Automatic IBRS isn't affected by PBRSB-eIBRS.
The kernel command line option spectre_v2=eibrs is used to select AMD Automatic
IBRS, if available.
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Sean Christopherson <seanjc@google.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lore.kernel.org/r/20230124163319.2277355-8-kim.phillips@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/hw-vuln/spectre.rst | 6 +++---
Documentation/admin-guide/kernel-parameters.txt | 6 +++---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/include/asm/msr-index.h | 2 ++
arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++--------
arch/x86/kernel/cpu/common.c | 17 ++++++++++-------
6 files changed, 32 insertions(+), 21 deletions(-)
--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -622,9 +622,9 @@ kernel command line.
retpoline,generic Retpolines
retpoline,lfence LFENCE; indirect branch
retpoline,amd alias for retpoline,lfence
- eibrs enhanced IBRS
- eibrs,retpoline enhanced IBRS + Retpolines
- eibrs,lfence enhanced IBRS + LFENCE
+ eibrs Enhanced/Auto IBRS
+ eibrs,retpoline Enhanced/Auto IBRS + Retpolines
+ eibrs,lfence Enhanced/Auto IBRS + LFENCE
ibrs use IBRS to protect kernel
Not specifying this option is equivalent to
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4403,9 +4403,9 @@
retpoline,generic - Retpolines
retpoline,lfence - LFENCE; indirect branch
retpoline,amd - alias for retpoline,lfence
- eibrs - enhanced IBRS
- eibrs,retpoline - enhanced IBRS + Retpolines
- eibrs,lfence - enhanced IBRS + LFENCE
+ eibrs - Enhanced/Auto IBRS
+ eibrs,retpoline - Enhanced/Auto IBRS + Retpolines
+ eibrs,lfence - Enhanced/Auto IBRS + LFENCE
ibrs - use IBRS to protect kernel
Not specifying this option is equivalent to
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -369,6 +369,8 @@
#define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
#define X86_FEATURE_SPEC_CTRL_SSBD (18*32+31) /* "" Speculative Store Bypass Disable */
+#define X86_FEATURE_AUTOIBRS (20*32+ 8) /* "" Automatic IBRS */
+
/*
* BUG word(s)
*/
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -30,6 +30,7 @@
#define _EFER_SVME 12 /* Enable virtualization */
#define _EFER_LMSLE 13 /* Long Mode Segment Limit Enable */
#define _EFER_FFXSR 14 /* Enable Fast FXSAVE/FXRSTOR */
+#define _EFER_AUTOIBRS 21 /* Enable Automatic IBRS */
#define EFER_SCE (1<<_EFER_SCE)
#define EFER_LME (1<<_EFER_LME)
@@ -38,6 +39,7 @@
#define EFER_SVME (1<<_EFER_SVME)
#define EFER_LMSLE (1<<_EFER_LMSLE)
#define EFER_FFXSR (1<<_EFER_FFXSR)
+#define EFER_AUTOIBRS (1<<_EFER_AUTOIBRS)
/* Intel MSRs. Some also available on other CPUs */
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1187,9 +1187,9 @@ static const char * const spectre_v2_str
[SPECTRE_V2_NONE] = "Vulnerable",
[SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines",
[SPECTRE_V2_LFENCE] = "Mitigation: LFENCE",
- [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS",
- [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE",
- [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines",
+ [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced / Automatic IBRS",
+ [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced / Automatic IBRS + LFENCE",
+ [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced / Automatic IBRS + Retpolines",
[SPECTRE_V2_IBRS] = "Mitigation: IBRS",
};
@@ -1258,7 +1258,7 @@ static enum spectre_v2_mitigation_cmd __
cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
!boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
- pr_err("%s selected but CPU doesn't have eIBRS. Switching to AUTO select\n",
+ pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n",
mitigation_options[i].option);
return SPECTRE_V2_CMD_AUTO;
}
@@ -1437,8 +1437,12 @@ static void __init spectre_v2_select_mit
pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
if (spectre_v2_in_ibrs_mode(mode)) {
- x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
- update_spec_ctrl(x86_spec_ctrl_base);
+ if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
+ msr_set_bit(MSR_EFER, _EFER_AUTOIBRS);
+ } else {
+ x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
+ update_spec_ctrl(x86_spec_ctrl_base);
+ }
}
switch (mode) {
@@ -1522,8 +1526,8 @@ static void __init spectre_v2_select_mit
/*
* Retpoline protects the kernel, but doesn't protect firmware. IBRS
* and Enhanced IBRS protect firmware too, so enable IBRS around
- * firmware calls only when IBRS / Enhanced IBRS aren't otherwise
- * enabled.
+ * firmware calls only when IBRS / Enhanced / Automatic IBRS aren't
+ * otherwise enabled.
*
* Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
* the user might select retpoline on the kernel command line and if
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1025,7 +1025,7 @@ static const __initconst struct x86_cpu_
VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
/* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
+ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB),
{}
};
@@ -1133,8 +1133,16 @@ static void __init cpu_set_bug_bits(stru
!cpu_has(c, X86_FEATURE_AMD_SSB_NO))
setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
- if (ia32_cap & ARCH_CAP_IBRS_ALL)
+ /*
+ * AMD's AutoIBRS is equivalent to Intel's eIBRS - use the Intel feature
+ * flag and protect from vendor-specific bugs via the whitelist.
+ */
+ if ((ia32_cap & ARCH_CAP_IBRS_ALL) || cpu_has(c, X86_FEATURE_AUTOIBRS)) {
setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
+ if (!cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
+ !(ia32_cap & ARCH_CAP_PBRSB_NO))
+ setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB);
+ }
if (!cpu_matches(cpu_vuln_whitelist, NO_MDS) &&
!(ia32_cap & ARCH_CAP_MDS_NO)) {
@@ -1196,11 +1204,6 @@ static void __init cpu_set_bug_bits(stru
setup_force_cpu_bug(X86_BUG_RETBLEED);
}
- if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) &&
- !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
- !(ia32_cap & ARCH_CAP_PBRSB_NO))
- setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB);
-
/*
* Check if CPU is vulnerable to GDS. If running in a virtual machine on
* an affected processor, the VMM may have disabled the use of GATHER by
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 003/175] x86/bugs: Use sysfs_emit()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 001/175] Documentation/hw-vuln: Update spectre doc Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 002/175] x86/cpu: Support AMD Automatic IBRS Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 004/175] timer/trace: Replace deprecated vsprintf pointer extension %pf by %ps Greg Kroah-Hartman
` (177 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Borislav Petkov
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov <bp@suse.de>
commit 1d30800c0c0ae1d086ffad2bdf0ba4403370f132 upstream.
Those mitigations are very talkative; use the printing helper which pays
attention to the buffer size.
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lore.kernel.org/r/20220809153419.10182-1-bp@alien8.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/bugs.c | 82 ++++++++++++++++++++++-----------------------
1 file changed, 41 insertions(+), 41 deletions(-)
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2137,69 +2137,69 @@ static const char * const l1tf_vmx_state
static ssize_t l1tf_show_state(char *buf)
{
if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
- return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
+ return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
(l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
sched_smt_active())) {
- return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
- l1tf_vmx_states[l1tf_vmx_mitigation]);
+ return sysfs_emit(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
+ l1tf_vmx_states[l1tf_vmx_mitigation]);
}
- return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
- l1tf_vmx_states[l1tf_vmx_mitigation],
- sched_smt_active() ? "vulnerable" : "disabled");
+ return sysfs_emit(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
+ l1tf_vmx_states[l1tf_vmx_mitigation],
+ sched_smt_active() ? "vulnerable" : "disabled");
}
static ssize_t itlb_multihit_show_state(char *buf)
{
if (itlb_multihit_kvm_mitigation)
- return sprintf(buf, "KVM: Mitigation: Split huge pages\n");
+ return sysfs_emit(buf, "KVM: Mitigation: Split huge pages\n");
else
- return sprintf(buf, "KVM: Vulnerable\n");
+ return sysfs_emit(buf, "KVM: Vulnerable\n");
}
#else
static ssize_t l1tf_show_state(char *buf)
{
- return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
+ return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
}
static ssize_t itlb_multihit_show_state(char *buf)
{
- return sprintf(buf, "Processor vulnerable\n");
+ return sysfs_emit(buf, "Processor vulnerable\n");
}
#endif
static ssize_t mds_show_state(char *buf)
{
if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
- return sprintf(buf, "%s; SMT Host state unknown\n",
- mds_strings[mds_mitigation]);
+ return sysfs_emit(buf, "%s; SMT Host state unknown\n",
+ mds_strings[mds_mitigation]);
}
if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
- return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
- (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
- sched_smt_active() ? "mitigated" : "disabled"));
+ return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
+ (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
+ sched_smt_active() ? "mitigated" : "disabled"));
}
- return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
- sched_smt_active() ? "vulnerable" : "disabled");
+ return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
+ sched_smt_active() ? "vulnerable" : "disabled");
}
static ssize_t tsx_async_abort_show_state(char *buf)
{
if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
(taa_mitigation == TAA_MITIGATION_OFF))
- return sprintf(buf, "%s\n", taa_strings[taa_mitigation]);
+ return sysfs_emit(buf, "%s\n", taa_strings[taa_mitigation]);
if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
- return sprintf(buf, "%s; SMT Host state unknown\n",
- taa_strings[taa_mitigation]);
+ return sysfs_emit(buf, "%s; SMT Host state unknown\n",
+ taa_strings[taa_mitigation]);
}
- return sprintf(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
- sched_smt_active() ? "vulnerable" : "disabled");
+ return sysfs_emit(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
+ sched_smt_active() ? "vulnerable" : "disabled");
}
static ssize_t mmio_stale_data_show_state(char *buf)
@@ -2267,33 +2267,33 @@ static char *pbrsb_eibrs_state(void)
static ssize_t spectre_v2_show_state(char *buf)
{
if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
- return sprintf(buf, "Vulnerable: LFENCE\n");
+ return sysfs_emit(buf, "Vulnerable: LFENCE\n");
if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
- return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
+ return sysfs_emit(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
if (sched_smt_active() && unprivileged_ebpf_enabled() &&
spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
- return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
+ return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
- return sprintf(buf, "%s%s%s%s%s%s%s\n",
- spectre_v2_strings[spectre_v2_enabled],
- ibpb_state(),
- boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
- stibp_state(),
- boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
- pbrsb_eibrs_state(),
- spectre_v2_module_string());
+ return sysfs_emit(buf, "%s%s%s%s%s%s%s\n",
+ spectre_v2_strings[spectre_v2_enabled],
+ ibpb_state(),
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
+ stibp_state(),
+ boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
+ pbrsb_eibrs_state(),
+ spectre_v2_module_string());
}
static ssize_t srbds_show_state(char *buf)
{
- return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
+ return sysfs_emit(buf, "%s\n", srbds_strings[srbds_mitigation]);
}
static ssize_t retbleed_show_state(char *buf)
{
- return sprintf(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
+ return sysfs_emit(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
}
static ssize_t gds_show_state(char *buf)
@@ -2305,26 +2305,26 @@ static ssize_t cpu_show_common(struct de
char *buf, unsigned int bug)
{
if (!boot_cpu_has_bug(bug))
- return sprintf(buf, "Not affected\n");
+ return sysfs_emit(buf, "Not affected\n");
switch (bug) {
case X86_BUG_CPU_MELTDOWN:
if (boot_cpu_has(X86_FEATURE_PTI))
- return sprintf(buf, "Mitigation: PTI\n");
+ return sysfs_emit(buf, "Mitigation: PTI\n");
if (hypervisor_is_type(X86_HYPER_XEN_PV))
- return sprintf(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
+ return sysfs_emit(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
break;
case X86_BUG_SPECTRE_V1:
- return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
+ return sysfs_emit(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
case X86_BUG_SPECTRE_V2:
return spectre_v2_show_state(buf);
case X86_BUG_SPEC_STORE_BYPASS:
- return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
+ return sysfs_emit(buf, "%s\n", ssb_strings[ssb_mode]);
case X86_BUG_L1TF:
if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
@@ -2357,7 +2357,7 @@ static ssize_t cpu_show_common(struct de
break;
}
- return sprintf(buf, "Vulnerable\n");
+ return sysfs_emit(buf, "Vulnerable\n");
}
ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 004/175] timer/trace: Replace deprecated vsprintf pointer extension %pf by %ps
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 003/175] x86/bugs: Use sysfs_emit() Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 005/175] timer/trace: Improve timer tracing Greg Kroah-Hartman
` (176 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anna-Maria Gleixner,
Thomas Gleixner, fweisbec, peterz, Steven Rostedt, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anna-Maria Gleixner <anna-maria@linutronix.de>
[ Upstream commit 6849cbb0f9a8dbc1ba56e9abc6955613103e01e3 ]
Since commit 04b8eb7a4ccd ("symbol lookup: introduce
dereference_symbol_descriptor()") %pf is deprecated, because %ps is smart
enough to handle function pointer dereference on platforms where such a
dereference is required.
While at it add proper line breaks to stay in the 80 character limit.
Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: fweisbec@gmail.com
Cc: peterz@infradead.org
Cc: Steven Rostedt <rostedt@goodmis.org>
Link: https://lkml.kernel.org/r/20190321120921.16463-4-anna-maria@linutronix.de
Stable-dep-of: 0f7352557a35 ("wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/timer.h | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
index 350b046e7576c..8f6240854e28f 100644
--- a/include/trace/events/timer.h
+++ b/include/trace/events/timer.h
@@ -73,7 +73,7 @@ TRACE_EVENT(timer_start,
__entry->flags = flags;
),
- TP_printk("timer=%p function=%pf expires=%lu [timeout=%ld] cpu=%u idx=%u flags=%s",
+ TP_printk("timer=%p function=%ps expires=%lu [timeout=%ld] cpu=%u idx=%u flags=%s",
__entry->timer, __entry->function, __entry->expires,
(long)__entry->expires - __entry->now,
__entry->flags & TIMER_CPUMASK,
@@ -105,7 +105,8 @@ TRACE_EVENT(timer_expire_entry,
__entry->function = timer->function;
),
- TP_printk("timer=%p function=%pf now=%lu", __entry->timer, __entry->function,__entry->now)
+ TP_printk("timer=%p function=%ps now=%lu",
+ __entry->timer, __entry->function, __entry->now)
);
/**
@@ -210,7 +211,7 @@ TRACE_EVENT(hrtimer_start,
__entry->mode = mode;
),
- TP_printk("hrtimer=%p function=%pf expires=%llu softexpires=%llu "
+ TP_printk("hrtimer=%p function=%ps expires=%llu softexpires=%llu "
"mode=%s", __entry->hrtimer, __entry->function,
(unsigned long long) __entry->expires,
(unsigned long long) __entry->softexpires,
@@ -243,7 +244,8 @@ TRACE_EVENT(hrtimer_expire_entry,
__entry->function = hrtimer->function;
),
- TP_printk("hrtimer=%p function=%pf now=%llu", __entry->hrtimer, __entry->function,
+ TP_printk("hrtimer=%p function=%ps now=%llu",
+ __entry->hrtimer, __entry->function,
(unsigned long long) __entry->now)
);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 005/175] timer/trace: Improve timer tracing
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 004/175] timer/trace: Replace deprecated vsprintf pointer extension %pf by %ps Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 006/175] timers: Prepare support for PREEMPT_RT Greg Kroah-Hartman
` (175 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anna-Maria Gleixner,
Thomas Gleixner, fweisbec, peterz, Steven Rostedt, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anna-Maria Gleixner <anna-maria@linutronix.de>
[ Upstream commit f28d3d5346e97e60c81f933ac89ccf015430e5cf ]
Timers are added to the timer wheel off by one. This is required in
case a timer is queued directly before incrementing jiffies to prevent
early timer expiry.
When reading a timer trace and relying only on the expiry time of the timer
in the timer_start trace point and on the now in the timer_expiry_entry
trace point, it seems that the timer fires late. With the current
timer_expiry_entry trace point information only now=jiffies is printed but
not the value of base->clk. This makes it impossible to draw a conclusion
to the index of base->clk and makes it impossible to examine timer problems
without additional trace points.
Therefore add the base->clk value to the timer_expire_entry trace
point, to be able to calculate the index the timer base is located at
during collecting expired timers.
Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: fweisbec@gmail.com
Cc: peterz@infradead.org
Cc: Steven Rostedt <rostedt@goodmis.org>
Link: https://lkml.kernel.org/r/20190321120921.16463-5-anna-maria@linutronix.de
Stable-dep-of: 0f7352557a35 ("wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/timer.h | 11 +++++++----
kernel/time/timer.c | 17 +++++++++++++----
2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
index 8f6240854e28f..295517f109d71 100644
--- a/include/trace/events/timer.h
+++ b/include/trace/events/timer.h
@@ -89,24 +89,27 @@ TRACE_EVENT(timer_start,
*/
TRACE_EVENT(timer_expire_entry,
- TP_PROTO(struct timer_list *timer),
+ TP_PROTO(struct timer_list *timer, unsigned long baseclk),
- TP_ARGS(timer),
+ TP_ARGS(timer, baseclk),
TP_STRUCT__entry(
__field( void *, timer )
__field( unsigned long, now )
__field( void *, function)
+ __field( unsigned long, baseclk )
),
TP_fast_assign(
__entry->timer = timer;
__entry->now = jiffies;
__entry->function = timer->function;
+ __entry->baseclk = baseclk;
),
- TP_printk("timer=%p function=%ps now=%lu",
- __entry->timer, __entry->function, __entry->now)
+ TP_printk("timer=%p function=%ps now=%lu baseclk=%lu",
+ __entry->timer, __entry->function, __entry->now,
+ __entry->baseclk)
);
/**
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index a6e88d9bb931c..140662c2b41e1 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1311,7 +1311,9 @@ int del_timer_sync(struct timer_list *timer)
EXPORT_SYMBOL(del_timer_sync);
#endif
-static void call_timer_fn(struct timer_list *timer, void (*fn)(struct timer_list *))
+static void call_timer_fn(struct timer_list *timer,
+ void (*fn)(struct timer_list *),
+ unsigned long baseclk)
{
int count = preempt_count();
@@ -1334,7 +1336,7 @@ static void call_timer_fn(struct timer_list *timer, void (*fn)(struct timer_list
*/
lock_map_acquire(&lockdep_map);
- trace_timer_expire_entry(timer);
+ trace_timer_expire_entry(timer, baseclk);
fn(timer);
trace_timer_expire_exit(timer);
@@ -1355,6 +1357,13 @@ static void call_timer_fn(struct timer_list *timer, void (*fn)(struct timer_list
static void expire_timers(struct timer_base *base, struct hlist_head *head)
{
+ /*
+ * This value is required only for tracing. base->clk was
+ * incremented directly before expire_timers was called. But expiry
+ * is related to the old base->clk value.
+ */
+ unsigned long baseclk = base->clk - 1;
+
while (!hlist_empty(head)) {
struct timer_list *timer;
void (*fn)(struct timer_list *);
@@ -1368,11 +1377,11 @@ static void expire_timers(struct timer_base *base, struct hlist_head *head)
if (timer->flags & TIMER_IRQSAFE) {
raw_spin_unlock(&base->lock);
- call_timer_fn(timer, fn);
+ call_timer_fn(timer, fn, baseclk);
raw_spin_lock(&base->lock);
} else {
raw_spin_unlock_irq(&base->lock);
- call_timer_fn(timer, fn);
+ call_timer_fn(timer, fn, baseclk);
raw_spin_lock_irq(&base->lock);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 006/175] timers: Prepare support for PREEMPT_RT
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 005/175] timer/trace: Improve timer tracing Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 007/175] timers: Update kernel-doc for various functions Greg Kroah-Hartman
` (174 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anna-Maria Gleixner,
Sebastian Andrzej Siewior, Thomas Gleixner,
Peter Zijlstra (Intel),
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anna-Maria Gleixner <anna-maria@linutronix.de>
[ Upstream commit 030dcdd197d77374879bb5603d091eee7d8aba80 ]
When PREEMPT_RT is enabled, the soft interrupt thread can be preempted. If
the soft interrupt thread is preempted in the middle of a timer callback,
then calling del_timer_sync() can lead to two issues:
- If the caller is on a remote CPU then it has to spin wait for the timer
handler to complete. This can result in unbound priority inversion.
- If the caller originates from the task which preempted the timer
handler on the same CPU, then spin waiting for the timer handler to
complete is never going to end.
To avoid these issues, add a new lock to the timer base which is held
around the execution of the timer callbacks. If del_timer_sync() detects
that the timer callback is currently running, it blocks on the expiry
lock. When the callback is finished, the expiry lock is dropped by the
softirq thread which wakes up the waiter and the system makes progress.
This addresses both the priority inversion and the life lock issues.
This mechanism is not used for timers which are marked IRQSAFE as for those
preemption is disabled accross the callback and therefore this situation
cannot happen. The callbacks for such timers need to be individually
audited for RT compliance.
The same issue can happen in virtual machines when the vCPU which runs a
timer callback is scheduled out. If a second vCPU of the same guest calls
del_timer_sync() it will spin wait for the other vCPU to be scheduled back
in. The expiry lock mechanism would avoid that. It'd be trivial to enable
this when paravirt spinlocks are enabled in a guest, but it's not clear
whether this is an actual problem in the wild, so for now it's an RT only
mechanism.
As the softirq thread can be preempted with PREEMPT_RT=y, the SMP variant
of del_timer_sync() needs to be used on UP as well.
[ tglx: Refactored it for mainline ]
Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20190726185753.832418500@linutronix.de
Stable-dep-of: 0f7352557a35 ("wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/timer.h | 2 +-
kernel/time/timer.c | 103 ++++++++++++++++++++++++++++++++++++++----
2 files changed, 96 insertions(+), 9 deletions(-)
diff --git a/include/linux/timer.h b/include/linux/timer.h
index 7b066fd38248b..8e027cb10df01 100644
--- a/include/linux/timer.h
+++ b/include/linux/timer.h
@@ -172,7 +172,7 @@ extern void add_timer(struct timer_list *timer);
extern int try_to_del_timer_sync(struct timer_list *timer);
-#ifdef CONFIG_SMP
+#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT_RT)
extern int del_timer_sync(struct timer_list *timer);
#else
# define del_timer_sync(t) del_timer(t)
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index 140662c2b41e1..2f5565ed27063 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -198,6 +198,10 @@ EXPORT_SYMBOL(jiffies_64);
struct timer_base {
raw_spinlock_t lock;
struct timer_list *running_timer;
+#ifdef CONFIG_PREEMPT_RT
+ spinlock_t expiry_lock;
+ atomic_t timer_waiters;
+#endif
unsigned long clk;
unsigned long next_expiry;
unsigned int cpu;
@@ -1245,7 +1249,78 @@ int try_to_del_timer_sync(struct timer_list *timer)
}
EXPORT_SYMBOL(try_to_del_timer_sync);
-#ifdef CONFIG_SMP
+#ifdef CONFIG_PREEMPT_RT
+static __init void timer_base_init_expiry_lock(struct timer_base *base)
+{
+ spin_lock_init(&base->expiry_lock);
+}
+
+static inline void timer_base_lock_expiry(struct timer_base *base)
+{
+ spin_lock(&base->expiry_lock);
+}
+
+static inline void timer_base_unlock_expiry(struct timer_base *base)
+{
+ spin_unlock(&base->expiry_lock);
+}
+
+/*
+ * The counterpart to del_timer_wait_running().
+ *
+ * If there is a waiter for base->expiry_lock, then it was waiting for the
+ * timer callback to finish. Drop expiry_lock and reaquire it. That allows
+ * the waiter to acquire the lock and make progress.
+ */
+static void timer_sync_wait_running(struct timer_base *base)
+{
+ if (atomic_read(&base->timer_waiters)) {
+ spin_unlock(&base->expiry_lock);
+ spin_lock(&base->expiry_lock);
+ }
+}
+
+/*
+ * This function is called on PREEMPT_RT kernels when the fast path
+ * deletion of a timer failed because the timer callback function was
+ * running.
+ *
+ * This prevents priority inversion, if the softirq thread on a remote CPU
+ * got preempted, and it prevents a life lock when the task which tries to
+ * delete a timer preempted the softirq thread running the timer callback
+ * function.
+ */
+static void del_timer_wait_running(struct timer_list *timer)
+{
+ u32 tf;
+
+ tf = READ_ONCE(timer->flags);
+ if (!(tf & TIMER_MIGRATING)) {
+ struct timer_base *base = get_timer_base(tf);
+
+ /*
+ * Mark the base as contended and grab the expiry lock,
+ * which is held by the softirq across the timer
+ * callback. Drop the lock immediately so the softirq can
+ * expire the next timer. In theory the timer could already
+ * be running again, but that's more than unlikely and just
+ * causes another wait loop.
+ */
+ atomic_inc(&base->timer_waiters);
+ spin_lock_bh(&base->expiry_lock);
+ atomic_dec(&base->timer_waiters);
+ spin_unlock_bh(&base->expiry_lock);
+ }
+}
+#else
+static inline void timer_base_init_expiry_lock(struct timer_base *base) { }
+static inline void timer_base_lock_expiry(struct timer_base *base) { }
+static inline void timer_base_unlock_expiry(struct timer_base *base) { }
+static inline void timer_sync_wait_running(struct timer_base *base) { }
+static inline void del_timer_wait_running(struct timer_list *timer) { }
+#endif
+
+#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT_RT)
/**
* del_timer_sync - deactivate a timer and wait for the handler to finish.
* @timer: the timer to be deactivated
@@ -1284,6 +1359,8 @@ EXPORT_SYMBOL(try_to_del_timer_sync);
*/
int del_timer_sync(struct timer_list *timer)
{
+ int ret;
+
#ifdef CONFIG_LOCKDEP
unsigned long flags;
@@ -1301,12 +1378,17 @@ int del_timer_sync(struct timer_list *timer)
* could lead to deadlock.
*/
WARN_ON(in_irq() && !(timer->flags & TIMER_IRQSAFE));
- for (;;) {
- int ret = try_to_del_timer_sync(timer);
- if (ret >= 0)
- return ret;
- cpu_relax();
- }
+
+ do {
+ ret = try_to_del_timer_sync(timer);
+
+ if (unlikely(ret < 0)) {
+ del_timer_wait_running(timer);
+ cpu_relax();
+ }
+ } while (ret < 0);
+
+ return ret;
}
EXPORT_SYMBOL(del_timer_sync);
#endif
@@ -1378,10 +1460,13 @@ static void expire_timers(struct timer_base *base, struct hlist_head *head)
if (timer->flags & TIMER_IRQSAFE) {
raw_spin_unlock(&base->lock);
call_timer_fn(timer, fn, baseclk);
+ base->running_timer = NULL;
raw_spin_lock(&base->lock);
} else {
raw_spin_unlock_irq(&base->lock);
call_timer_fn(timer, fn, baseclk);
+ base->running_timer = NULL;
+ timer_sync_wait_running(base);
raw_spin_lock_irq(&base->lock);
}
}
@@ -1678,6 +1763,7 @@ static inline void __run_timers(struct timer_base *base)
if (!time_after_eq(jiffies, base->clk))
return;
+ timer_base_lock_expiry(base);
raw_spin_lock_irq(&base->lock);
/*
@@ -1704,8 +1790,8 @@ static inline void __run_timers(struct timer_base *base)
while (levels--)
expire_timers(base, heads + levels);
}
- base->running_timer = NULL;
raw_spin_unlock_irq(&base->lock);
+ timer_base_unlock_expiry(base);
}
/*
@@ -1950,6 +2036,7 @@ static void __init init_timer_cpu(int cpu)
base->cpu = cpu;
raw_spin_lock_init(&base->lock);
base->clk = jiffies;
+ timer_base_init_expiry_lock(base);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 007/175] timers: Update kernel-doc for various functions
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 006/175] timers: Prepare support for PREEMPT_RT Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 008/175] timers: Use del_timer_sync() even on UP Greg Kroah-Hartman
` (173 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Guenter Roeck,
Jacob Keller, Anna-Maria Behnsen, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 14f043f1340bf30bc60af127bff39f55889fef26 ]
The kernel-doc of timer related functions is partially uncomprehensible
word salad. Rewrite it to make it useful.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.828703870@linutronix.de
Stable-dep-of: 0f7352557a35 ("wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/timer.c | 148 +++++++++++++++++++++++++++-----------------
1 file changed, 90 insertions(+), 58 deletions(-)
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index 2f5565ed27063..f63efe259ae46 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1078,14 +1078,16 @@ __mod_timer(struct timer_list *timer, unsigned long expires, unsigned int option
}
/**
- * mod_timer_pending - modify a pending timer's timeout
- * @timer: the pending timer to be modified
- * @expires: new timeout in jiffies
+ * mod_timer_pending - Modify a pending timer's timeout
+ * @timer: The pending timer to be modified
+ * @expires: New absolute timeout in jiffies
*
- * mod_timer_pending() is the same for pending timers as mod_timer(),
- * but will not re-activate and modify already deleted timers.
+ * mod_timer_pending() is the same for pending timers as mod_timer(), but
+ * will not activate inactive timers.
*
- * It is useful for unserialized use of timers.
+ * Return:
+ * * %0 - The timer was inactive and not modified
+ * * %1 - The timer was active and requeued to expire at @expires
*/
int mod_timer_pending(struct timer_list *timer, unsigned long expires)
{
@@ -1094,24 +1096,27 @@ int mod_timer_pending(struct timer_list *timer, unsigned long expires)
EXPORT_SYMBOL(mod_timer_pending);
/**
- * mod_timer - modify a timer's timeout
- * @timer: the timer to be modified
- * @expires: new timeout in jiffies
- *
- * mod_timer() is a more efficient way to update the expire field of an
- * active timer (if the timer is inactive it will be activated)
+ * mod_timer - Modify a timer's timeout
+ * @timer: The timer to be modified
+ * @expires: New absolute timeout in jiffies
*
* mod_timer(timer, expires) is equivalent to:
*
* del_timer(timer); timer->expires = expires; add_timer(timer);
*
+ * mod_timer() is more efficient than the above open coded sequence. In
+ * case that the timer is inactive, the del_timer() part is a NOP. The
+ * timer is in any case activated with the new expiry time @expires.
+ *
* Note that if there are multiple unserialized concurrent users of the
* same timer, then mod_timer() is the only safe way to modify the timeout,
* since add_timer() cannot modify an already running timer.
*
- * The function returns whether it has modified a pending timer or not.
- * (ie. mod_timer() of an inactive timer returns 0, mod_timer() of an
- * active timer returns 1.)
+ * Return:
+ * * %0 - The timer was inactive and started
+ * * %1 - The timer was active and requeued to expire at @expires or
+ * the timer was active and not modified because @expires did
+ * not change the effective expiry time
*/
int mod_timer(struct timer_list *timer, unsigned long expires)
{
@@ -1122,11 +1127,18 @@ EXPORT_SYMBOL(mod_timer);
/**
* timer_reduce - Modify a timer's timeout if it would reduce the timeout
* @timer: The timer to be modified
- * @expires: New timeout in jiffies
+ * @expires: New absolute timeout in jiffies
*
* timer_reduce() is very similar to mod_timer(), except that it will only
- * modify a running timer if that would reduce the expiration time (it will
- * start a timer that isn't running).
+ * modify an enqueued timer if that would reduce the expiration time. If
+ * @timer is not enqueued it starts the timer.
+ *
+ * Return:
+ * * %0 - The timer was inactive and started
+ * * %1 - The timer was active and requeued to expire at @expires or
+ * the timer was active and not modified because @expires
+ * did not change the effective expiry time such that the
+ * timer would expire earlier than already scheduled
*/
int timer_reduce(struct timer_list *timer, unsigned long expires)
{
@@ -1135,18 +1147,21 @@ int timer_reduce(struct timer_list *timer, unsigned long expires)
EXPORT_SYMBOL(timer_reduce);
/**
- * add_timer - start a timer
- * @timer: the timer to be added
+ * add_timer - Start a timer
+ * @timer: The timer to be started
*
- * The kernel will do a ->function(@timer) callback from the
- * timer interrupt at the ->expires point in the future. The
- * current time is 'jiffies'.
+ * Start @timer to expire at @timer->expires in the future. @timer->expires
+ * is the absolute expiry time measured in 'jiffies'. When the timer expires
+ * timer->function(timer) will be invoked from soft interrupt context.
*
- * The timer's ->expires, ->function fields must be set prior calling this
- * function.
+ * The @timer->expires and @timer->function fields must be set prior
+ * to calling this function.
+ *
+ * If @timer->expires is already in the past @timer will be queued to
+ * expire at the next timer tick.
*
- * Timers with an ->expires field in the past will be executed in the next
- * timer tick.
+ * This can only operate on an inactive timer. Attempts to invoke this on
+ * an active timer are rejected with a warning.
*/
void add_timer(struct timer_list *timer)
{
@@ -1156,11 +1171,13 @@ void add_timer(struct timer_list *timer)
EXPORT_SYMBOL(add_timer);
/**
- * add_timer_on - start a timer on a particular CPU
- * @timer: the timer to be added
- * @cpu: the CPU to start it on
+ * add_timer_on - Start a timer on a particular CPU
+ * @timer: The timer to be started
+ * @cpu: The CPU to start it on
+ *
+ * Same as add_timer() except that it starts the timer on the given CPU.
*
- * This is not very scalable on SMP. Double adds are not possible.
+ * See add_timer() for further details.
*/
void add_timer_on(struct timer_list *timer, int cpu)
{
@@ -1195,15 +1212,18 @@ void add_timer_on(struct timer_list *timer, int cpu)
EXPORT_SYMBOL_GPL(add_timer_on);
/**
- * del_timer - deactivate a timer.
- * @timer: the timer to be deactivated
- *
- * del_timer() deactivates a timer - this works on both active and inactive
- * timers.
- *
- * The function returns whether it has deactivated a pending timer or not.
- * (ie. del_timer() of an inactive timer returns 0, del_timer() of an
- * active timer returns 1.)
+ * del_timer - Deactivate a timer.
+ * @timer: The timer to be deactivated
+ *
+ * The function only deactivates a pending timer, but contrary to
+ * del_timer_sync() it does not take into account whether the timer's
+ * callback function is concurrently executed on a different CPU or not.
+ * It neither prevents rearming of the timer. If @timer can be rearmed
+ * concurrently then the return value of this function is meaningless.
+ *
+ * Return:
+ * * %0 - The timer was not pending
+ * * %1 - The timer was pending and deactivated
*/
int del_timer(struct timer_list *timer)
{
@@ -1225,10 +1245,19 @@ EXPORT_SYMBOL(del_timer);
/**
* try_to_del_timer_sync - Try to deactivate a timer
- * @timer: timer to delete
+ * @timer: Timer to deactivate
+ *
+ * This function tries to deactivate a timer. On success the timer is not
+ * queued and the timer callback function is not running on any CPU.
*
- * This function tries to deactivate a timer. Upon successful (ret >= 0)
- * exit the timer is not queued and the handler is not running on any CPU.
+ * This function does not guarantee that the timer cannot be rearmed right
+ * after dropping the base lock. That needs to be prevented by the calling
+ * code if necessary.
+ *
+ * Return:
+ * * %0 - The timer was not pending
+ * * %1 - The timer was pending and deactivated
+ * * %-1 - The timer callback function is running on a different CPU
*/
int try_to_del_timer_sync(struct timer_list *timer)
{
@@ -1322,23 +1351,19 @@ static inline void del_timer_wait_running(struct timer_list *timer) { }
#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT_RT)
/**
- * del_timer_sync - deactivate a timer and wait for the handler to finish.
- * @timer: the timer to be deactivated
- *
- * This function only differs from del_timer() on SMP: besides deactivating
- * the timer it also makes sure the handler has finished executing on other
- * CPUs.
+ * del_timer_sync - Deactivate a timer and wait for the handler to finish.
+ * @timer: The timer to be deactivated
*
* Synchronization rules: Callers must prevent restarting of the timer,
* otherwise this function is meaningless. It must not be called from
* interrupt contexts unless the timer is an irqsafe one. The caller must
- * not hold locks which would prevent completion of the timer's
- * handler. The timer's handler must not call add_timer_on(). Upon exit the
- * timer is not queued and the handler is not running on any CPU.
+ * not hold locks which would prevent completion of the timer's callback
+ * function. The timer's handler must not call add_timer_on(). Upon exit
+ * the timer is not queued and the handler is not running on any CPU.
*
- * Note: For !irqsafe timers, you must not hold locks that are held in
- * interrupt context while calling this function. Even if the lock has
- * nothing to do with the timer in question. Here's why::
+ * For !irqsafe timers, the caller must not hold locks that are held in
+ * interrupt context. Even if the lock has nothing to do with the timer in
+ * question. Here's why::
*
* CPU0 CPU1
* ---- ----
@@ -1352,10 +1377,17 @@ static inline void del_timer_wait_running(struct timer_list *timer) { }
* while (base->running_timer == mytimer);
*
* Now del_timer_sync() will never return and never release somelock.
- * The interrupt on the other CPU is waiting to grab somelock but
- * it has interrupted the softirq that CPU0 is waiting to finish.
+ * The interrupt on the other CPU is waiting to grab somelock but it has
+ * interrupted the softirq that CPU0 is waiting to finish.
+ *
+ * This function cannot guarantee that the timer is not rearmed again by
+ * some concurrent or preempting code, right after it dropped the base
+ * lock. If there is the possibility of a concurrent rearm then the return
+ * value of the function is meaningless.
*
- * The function returns whether it has deactivated a pending timer or not.
+ * Return:
+ * * %0 - The timer was not pending
+ * * %1 - The timer was pending and deactivated
*/
int del_timer_sync(struct timer_list *timer)
{
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 008/175] timers: Use del_timer_sync() even on UP
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 007/175] timers: Update kernel-doc for various functions Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 009/175] timers: Rename del_timer_sync() to timer_delete_sync() Greg Kroah-Hartman
` (172 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt, Thomas Gleixner,
Guenter Roeck, Jacob Keller, Anna-Maria Behnsen, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 168f6b6ffbeec0b9333f3582e4cf637300858db5 ]
del_timer_sync() is assumed to be pointless on uniprocessor systems and can
be mapped to del_timer() because in theory del_timer() can never be invoked
while the timer callback function is executed.
This is not entirely true because del_timer() can be invoked from interrupt
context and therefore hit in the middle of a running timer callback.
Contrary to that del_timer_sync() is not allowed to be invoked from
interrupt context unless the affected timer is marked with TIMER_IRQSAFE.
del_timer_sync() has proper checks in place to detect such a situation.
Give up on the UP optimization and make del_timer_sync() unconditionally
available.
Co-developed-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home
Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org
Link: https://lore.kernel.org/r/20221123201624.888306160@linutronix.de
Stable-dep-of: 0f7352557a35 ("wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/timer.h | 7 +------
kernel/time/timer.c | 2 --
2 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/include/linux/timer.h b/include/linux/timer.h
index 8e027cb10df01..a9c20a7ead305 100644
--- a/include/linux/timer.h
+++ b/include/linux/timer.h
@@ -171,12 +171,7 @@ extern int timer_reduce(struct timer_list *timer, unsigned long expires);
extern void add_timer(struct timer_list *timer);
extern int try_to_del_timer_sync(struct timer_list *timer);
-
-#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT_RT)
- extern int del_timer_sync(struct timer_list *timer);
-#else
-# define del_timer_sync(t) del_timer(t)
-#endif
+extern int del_timer_sync(struct timer_list *timer);
#define del_singleshot_timer_sync(t) del_timer_sync(t)
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index f63efe259ae46..489bb01796de4 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1349,7 +1349,6 @@ static inline void timer_sync_wait_running(struct timer_base *base) { }
static inline void del_timer_wait_running(struct timer_list *timer) { }
#endif
-#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT_RT)
/**
* del_timer_sync - Deactivate a timer and wait for the handler to finish.
* @timer: The timer to be deactivated
@@ -1423,7 +1422,6 @@ int del_timer_sync(struct timer_list *timer)
return ret;
}
EXPORT_SYMBOL(del_timer_sync);
-#endif
static void call_timer_fn(struct timer_list *timer,
void (*fn)(struct timer_list *),
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 009/175] timers: Rename del_timer_sync() to timer_delete_sync()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 008/175] timers: Use del_timer_sync() even on UP Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 010/175] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach Greg Kroah-Hartman
` (171 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Guenter Roeck,
Steven Rostedt (Google),
Jacob Keller, Anna-Maria Behnsen, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 9b13df3fb64ee95e2397585404e442afee2c7d4f ]
The timer related functions do not have a strict timer_ prefixed namespace
which is really annoying.
Rename del_timer_sync() to timer_delete_sync() and provide del_timer_sync()
as a wrapper. Document that del_timer_sync() is not for new code.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.954785441@linutronix.de
Stable-dep-of: 0f7352557a35 ("wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/timer.h | 15 ++++++++++++++-
kernel/time/timer.c | 18 +++++++++---------
2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/include/linux/timer.h b/include/linux/timer.h
index a9c20a7ead305..aef40cac2add8 100644
--- a/include/linux/timer.h
+++ b/include/linux/timer.h
@@ -171,7 +171,20 @@ extern int timer_reduce(struct timer_list *timer, unsigned long expires);
extern void add_timer(struct timer_list *timer);
extern int try_to_del_timer_sync(struct timer_list *timer);
-extern int del_timer_sync(struct timer_list *timer);
+extern int timer_delete_sync(struct timer_list *timer);
+
+/**
+ * del_timer_sync - Delete a pending timer and wait for a running callback
+ * @timer: The timer to be deleted
+ *
+ * See timer_delete_sync() for detailed explanation.
+ *
+ * Do not use in new code. Use timer_delete_sync() instead.
+ */
+static inline int del_timer_sync(struct timer_list *timer)
+{
+ return timer_delete_sync(timer);
+}
#define del_singleshot_timer_sync(t) del_timer_sync(t)
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index 489bb01796de4..e3120af29f533 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1037,7 +1037,7 @@ __mod_timer(struct timer_list *timer, unsigned long expires, unsigned int option
/*
* We are trying to schedule the timer on the new base.
* However we can't change timer's base while it is running,
- * otherwise del_timer_sync() can't detect that the timer's
+ * otherwise timer_delete_sync() can't detect that the timer's
* handler yet has not finished. This also guarantees that the
* timer is serialized wrt itself.
*/
@@ -1216,7 +1216,7 @@ EXPORT_SYMBOL_GPL(add_timer_on);
* @timer: The timer to be deactivated
*
* The function only deactivates a pending timer, but contrary to
- * del_timer_sync() it does not take into account whether the timer's
+ * timer_delete_sync() it does not take into account whether the timer's
* callback function is concurrently executed on a different CPU or not.
* It neither prevents rearming of the timer. If @timer can be rearmed
* concurrently then the return value of this function is meaningless.
@@ -1350,7 +1350,7 @@ static inline void del_timer_wait_running(struct timer_list *timer) { }
#endif
/**
- * del_timer_sync - Deactivate a timer and wait for the handler to finish.
+ * timer_delete_sync - Deactivate a timer and wait for the handler to finish.
* @timer: The timer to be deactivated
*
* Synchronization rules: Callers must prevent restarting of the timer,
@@ -1372,10 +1372,10 @@ static inline void del_timer_wait_running(struct timer_list *timer) { }
* spin_lock_irq(somelock);
* <IRQ>
* spin_lock(somelock);
- * del_timer_sync(mytimer);
+ * timer_delete_sync(mytimer);
* while (base->running_timer == mytimer);
*
- * Now del_timer_sync() will never return and never release somelock.
+ * Now timer_delete_sync() will never return and never release somelock.
* The interrupt on the other CPU is waiting to grab somelock but it has
* interrupted the softirq that CPU0 is waiting to finish.
*
@@ -1388,7 +1388,7 @@ static inline void del_timer_wait_running(struct timer_list *timer) { }
* * %0 - The timer was not pending
* * %1 - The timer was pending and deactivated
*/
-int del_timer_sync(struct timer_list *timer)
+int timer_delete_sync(struct timer_list *timer)
{
int ret;
@@ -1421,7 +1421,7 @@ int del_timer_sync(struct timer_list *timer)
return ret;
}
-EXPORT_SYMBOL(del_timer_sync);
+EXPORT_SYMBOL(timer_delete_sync);
static void call_timer_fn(struct timer_list *timer,
void (*fn)(struct timer_list *),
@@ -1443,8 +1443,8 @@ static void call_timer_fn(struct timer_list *timer,
#endif
/*
* Couple the lock chain with the lock chain at
- * del_timer_sync() by acquiring the lock_map around the fn()
- * call here and in del_timer_sync().
+ * timer_delete_sync() by acquiring the lock_map around the fn()
+ * call here and in timer_delete_sync().
*/
lock_map_acquire(&lockdep_map);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 010/175] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 009/175] timers: Rename del_timer_sync() to timer_delete_sync() Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 011/175] smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr() Greg Kroah-Hartman
` (170 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Wang, Arend van Spriel,
Kalle Valo, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Wang <zyytlz.wz@163.com>
[ Upstream commit 0f7352557a35ab7888bc7831411ec8a3cbe20d78 ]
This is the candidate patch of CVE-2023-47233 :
https://nvd.nist.gov/vuln/detail/CVE-2023-47233
In brcm80211 driver,it starts with the following invoking chain
to start init a timeout worker:
->brcmf_usb_probe
->brcmf_usb_probe_cb
->brcmf_attach
->brcmf_bus_started
->brcmf_cfg80211_attach
->wl_init_priv
->brcmf_init_escan
->INIT_WORK(&cfg->escan_timeout_work,
brcmf_cfg80211_escan_timeout_worker);
If we disconnect the USB by hotplug, it will call
brcmf_usb_disconnect to make cleanup. The invoking chain is :
brcmf_usb_disconnect
->brcmf_usb_disconnect_cb
->brcmf_detach
->brcmf_cfg80211_detach
->kfree(cfg);
While the timeout woker may still be running. This will cause
a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
Fix it by deleting the timer and canceling the worker in
brcmf_cfg80211_detach.
Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Cc: stable@vger.kernel.org
[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20240107072504.392713-1-arend.vanspriel@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 1827be85f115f..fe8f1134a5f3e 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -690,8 +690,7 @@ s32 brcmf_notify_escan_complete(struct brcmf_cfg80211_info *cfg,
scan_request = cfg->scan_request;
cfg->scan_request = NULL;
- if (timer_pending(&cfg->escan_timeout))
- del_timer_sync(&cfg->escan_timeout);
+ timer_delete_sync(&cfg->escan_timeout);
if (fw_abort) {
/* Do a scan abort to stop the driver's scan engine */
@@ -7093,6 +7092,7 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
wiphy_unregister(cfg->wiphy);
kfree(cfg->ops);
wl_deinit_priv(cfg);
+ cancel_work_sync(&cfg->escan_timeout_work);
brcmf_free_wiphy(cfg->wiphy);
kfree(cfg);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 011/175] smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 010/175] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 012/175] smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity() Greg Kroah-Hartman
` (169 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roberto Sassu, Casey Schaufler, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roberto Sassu <roberto.sassu@huawei.com>
[ Upstream commit 9c82169208dde516510aaba6bbd8b13976690c5d ]
Since the SMACK64TRANSMUTE xattr makes sense only for directories, enforce
this restriction in smack_inode_setxattr().
Cc: stable@vger.kernel.org
Fixes: 5c6d1125f8db ("Smack: Transmute labels on specified directories") # v2.6.38.x
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/smack/smack_lsm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 128a5f464740e..2f2dc49f53dff 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1341,7 +1341,8 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
check_star = 1;
} else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
check_priv = 1;
- if (size != TRANS_TRUE_SIZE ||
+ if (!S_ISDIR(d_backing_inode(dentry)->i_mode) ||
+ size != TRANS_TRUE_SIZE ||
strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
rc = -EINVAL;
} else
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 012/175] smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 011/175] smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr() Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 013/175] ARM: dts: mmp2-brownstone: Dont redeclare phandle references Greg Kroah-Hartman
` (168 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roberto Sassu, Casey Schaufler, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roberto Sassu <roberto.sassu@huawei.com>
[ Upstream commit ac02f007d64eb2769d0bde742aac4d7a5fc6e8a5 ]
If the SMACK64TRANSMUTE xattr is provided, and the inode is a directory,
update the in-memory inode flags by setting SMK_INODE_TRANSMUTE.
Cc: stable@vger.kernel.org
Fixes: 5c6d1125f8db ("Smack: Transmute labels on specified directories") # v2.6.38.x
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/smack/smack_lsm.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 2f2dc49f53dff..d9bff4ba7f2e8 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2802,6 +2802,15 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
if (value == NULL || size > SMK_LONGLABEL || size == 0)
return -EINVAL;
+ if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) {
+ if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE ||
+ strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
+ return -EINVAL;
+
+ nsp->smk_flags |= SMK_INODE_TRANSMUTE;
+ return 0;
+ }
+
skp = smk_import_entry(value, size);
if (IS_ERR(skp))
return PTR_ERR(skp);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 013/175] ARM: dts: mmp2-brownstone: Dont redeclare phandle references
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 012/175] smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity() Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 014/175] arm: dts: marvell: Fix maxium->maxim typo in brownstone dts Greg Kroah-Hartman
` (167 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lubomir Rintel, Rob Herring, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lubomir Rintel <lkundrak@v3.sk>
[ Upstream commit 5a56cf3e8738f5d31d8c024d0c62a4c2bfe76fb2 ]
Extend the nodes by their phandle references instead of recreating the
tree and declaring references of the same names.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Reviewed-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20200320174107.29406-5-lkundrak@v3.sk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 831e0cd4f9ee ("arm: dts: marvell: Fix maxium->maxim typo in brownstone dts")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/mmp2-brownstone.dts | 332 +++++++++++++-------------
1 file changed, 165 insertions(+), 167 deletions(-)
diff --git a/arch/arm/boot/dts/mmp2-brownstone.dts b/arch/arm/boot/dts/mmp2-brownstone.dts
index 350208c5e1ed2..0fdcc2edcf4b6 100644
--- a/arch/arm/boot/dts/mmp2-brownstone.dts
+++ b/arch/arm/boot/dts/mmp2-brownstone.dts
@@ -21,176 +21,174 @@ chosen {
memory {
reg = <0x00000000 0x08000000>;
};
+};
+
+&uart3 {
+ status = "okay";
+};
- soc {
- apb@d4000000 {
- uart3: uart@d4018000 {
- status = "okay";
- };
- twsi1: i2c@d4011000 {
- status = "okay";
- pmic: max8925@3c {
- compatible = "maxium,max8925";
- reg = <0x3c>;
- interrupts = <1>;
- interrupt-parent = <&intcmux4>;
- interrupt-controller;
- #interrupt-cells = <1>;
- maxim,tsc-irq = <0>;
+&twsi1 {
+ status = "okay";
+ pmic: max8925@3c {
+ compatible = "maxium,max8925";
+ reg = <0x3c>;
+ interrupts = <1>;
+ interrupt-parent = <&intcmux4>;
+ interrupt-controller;
+ #interrupt-cells = <1>;
+ maxim,tsc-irq = <0>;
- regulators {
- SDV1 {
- regulator-min-microvolt = <637500>;
- regulator-max-microvolt = <1425000>;
- regulator-boot-on;
- regulator-always-on;
- };
- SDV2 {
- regulator-min-microvolt = <650000>;
- regulator-max-microvolt = <2225000>;
- regulator-boot-on;
- regulator-always-on;
- };
- SDV3 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO1 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO2 {
- regulator-min-microvolt = <650000>;
- regulator-max-microvolt = <2250000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO3 {
- regulator-min-microvolt = <650000>;
- regulator-max-microvolt = <2250000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO4 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO5 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO6 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO7 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO8 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO9 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO10 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- };
- LDO11 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO12 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO13 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO14 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO15 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO16 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO17 {
- regulator-min-microvolt = <650000>;
- regulator-max-microvolt = <2250000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO18 {
- regulator-min-microvolt = <650000>;
- regulator-max-microvolt = <2250000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO19 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- LDO20 {
- regulator-min-microvolt = <750000>;
- regulator-max-microvolt = <3900000>;
- regulator-boot-on;
- regulator-always-on;
- };
- };
- backlight {
- maxim,max8925-dual-string = <0>;
- };
- charger {
- batt-detect = <0>;
- topoff-threshold = <1>;
- fast-charge = <7>;
- no-temp-support = <0>;
- no-insert-detect = <0>;
- };
- };
- };
- rtc: rtc@d4010000 {
- status = "okay";
+ regulators {
+ SDV1 {
+ regulator-min-microvolt = <637500>;
+ regulator-max-microvolt = <1425000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ SDV2 {
+ regulator-min-microvolt = <650000>;
+ regulator-max-microvolt = <2225000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ SDV3 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO1 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO2 {
+ regulator-min-microvolt = <650000>;
+ regulator-max-microvolt = <2250000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO3 {
+ regulator-min-microvolt = <650000>;
+ regulator-max-microvolt = <2250000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO4 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO5 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO6 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO7 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO8 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO9 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO10 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
};
+ LDO11 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO12 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO13 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO14 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO15 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO16 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO17 {
+ regulator-min-microvolt = <650000>;
+ regulator-max-microvolt = <2250000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO18 {
+ regulator-min-microvolt = <650000>;
+ regulator-max-microvolt = <2250000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO19 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ LDO20 {
+ regulator-min-microvolt = <750000>;
+ regulator-max-microvolt = <3900000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+ };
+ backlight {
+ maxim,max8925-dual-string = <0>;
+ };
+ charger {
+ batt-detect = <0>;
+ topoff-threshold = <1>;
+ fast-charge = <7>;
+ no-temp-support = <0>;
+ no-insert-detect = <0>;
};
};
};
+
+&rtc {
+ status = "okay";
+};
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 014/175] arm: dts: marvell: Fix maxium->maxim typo in brownstone dts
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 013/175] ARM: dts: mmp2-brownstone: Dont redeclare phandle references Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 015/175] media: xc4000: Fix atomicity violation in xc4000_get_frequency Greg Kroah-Hartman
` (166 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Duje Mihanović,
Krzysztof Kozlowski, Andrew Lunn, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duje Mihanović <duje.mihanovic@skole.hr>
[ Upstream commit 831e0cd4f9ee15a4f02ae10b67e7fdc10eb2b4fc ]
Fix an obvious spelling error in the PMIC compatible in the MMP2
Brownstone DTS file.
Fixes: 58f1193e6210 ("mfd: max8925: Add dts")
Cc: <stable@vger.kernel.org>
Signed-off-by: Duje Mihanović <duje.mihanovic@skole.hr>
Reported-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Closes: https://lore.kernel.org/linux-devicetree/1410884282-18041-1-git-send-email-k.kozlowski@samsung.com/
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20240125-brownstone-typo-fix-v2-1-45bc48a0c81c@skole.hr
[krzysztof: Just 10 years to take a patch, not bad! Rephrased commit
msg]
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/mmp2-brownstone.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/mmp2-brownstone.dts b/arch/arm/boot/dts/mmp2-brownstone.dts
index 0fdcc2edcf4b6..f12d5aa773f30 100644
--- a/arch/arm/boot/dts/mmp2-brownstone.dts
+++ b/arch/arm/boot/dts/mmp2-brownstone.dts
@@ -30,7 +30,7 @@ &uart3 {
&twsi1 {
status = "okay";
pmic: max8925@3c {
- compatible = "maxium,max8925";
+ compatible = "maxim,max8925";
reg = <0x3c>;
interrupts = <1>;
interrupt-parent = <&intcmux4>;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 015/175] media: xc4000: Fix atomicity violation in xc4000_get_frequency
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 014/175] arm: dts: marvell: Fix maxium->maxim typo in brownstone dts Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 016/175] KVM: Always flush async #PF workqueue when vCPU is being destroyed Greg Kroah-Hartman
` (165 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, BassCheck, Gui-Dong Han,
Hans Verkuil, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <2045gemini@gmail.com>
[ Upstream commit 36d503ad547d1c75758a6fcdbec2806f1b6aeb41 ]
In xc4000_get_frequency():
*freq = priv->freq_hz + priv->freq_offset;
The code accesses priv->freq_hz and priv->freq_offset without holding any
lock.
In xc4000_set_params():
// Code that updates priv->freq_hz and priv->freq_offset
...
xc4000_get_frequency() and xc4000_set_params() may execute concurrently,
risking inconsistent reads of priv->freq_hz and priv->freq_offset. Since
these related data may update during reading, it can result in incorrect
frequency calculation, leading to atomicity violations.
This possible bug is found by an experimental static analysis tool
developed by our team, BassCheck[1]. This tool analyzes the locking APIs
to extract function pairs that can be concurrently executed, and then
analyzes the instructions in the paired functions to identify possible
concurrency bugs including data races and atomicity violations. The above
possible bug is reported when our tool analyzes the source code of
Linux 6.2.
To address this issue, it is proposed to add a mutex lock pair in
xc4000_get_frequency() to ensure atomicity. With this patch applied, our
tool no longer reports the possible bug, with the kernel configuration
allyesconfig for x86_64. Due to the lack of associated hardware, we cannot
test the patch in runtime testing, and just verify it according to the
code logic.
[1] https://sites.google.com/view/basscheck/
Fixes: 4c07e32884ab ("[media] xc4000: Fix get_frequency()")
Cc: stable@vger.kernel.org
Reported-by: BassCheck <bass@buaa.edu.cn>
Signed-off-by: Gui-Dong Han <2045gemini@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/tuners/xc4000.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/tuners/xc4000.c b/drivers/media/tuners/xc4000.c
index 0ef8f054a7950..6017602aead62 100644
--- a/drivers/media/tuners/xc4000.c
+++ b/drivers/media/tuners/xc4000.c
@@ -1527,10 +1527,10 @@ static int xc4000_get_frequency(struct dvb_frontend *fe, u32 *freq)
{
struct xc4000_priv *priv = fe->tuner_priv;
+ mutex_lock(&priv->lock);
*freq = priv->freq_hz + priv->freq_offset;
if (debug) {
- mutex_lock(&priv->lock);
if ((priv->cur_fw.type
& (BASE | FM | DTV6 | DTV7 | DTV78 | DTV8)) == BASE) {
u16 snr = 0;
@@ -1541,8 +1541,8 @@ static int xc4000_get_frequency(struct dvb_frontend *fe, u32 *freq)
return 0;
}
}
- mutex_unlock(&priv->lock);
}
+ mutex_unlock(&priv->lock);
dprintk(1, "%s()\n", __func__);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 016/175] KVM: Always flush async #PF workqueue when vCPU is being destroyed
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 015/175] media: xc4000: Fix atomicity violation in xc4000_get_frequency Greg Kroah-Hartman
@ 2024-04-11 9:53 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 017/175] sparc64: NMI watchdog: fix return value of __setup handler Greg Kroah-Hartman
` (164 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Matlack, Xu Yilun,
Vitaly Kuznetsov, Sean Christopherson, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 3d75b8aa5c29058a512db29da7cbee8052724157 ]
Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its
completion queue, e.g. when a VM and all its vCPUs is being destroyed.
KVM must ensure that none of its workqueue callbacks is running when the
last reference to the KVM _module_ is put. Gifting a reference to the
associated VM prevents the workqueue callback from dereferencing freed
vCPU/VM memory, but does not prevent the KVM module from being unloaded
before the callback completes.
Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from
async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will
result in deadlock. async_pf_execute() can't return until kvm_put_kvm()
finishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:
WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]
Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass
CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: events async_pf_execute [kvm]
RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]
Call Trace:
<TASK>
async_pf_execute+0x198/0x260 [kvm]
process_one_work+0x145/0x2d0
worker_thread+0x27e/0x3a0
kthread+0xba/0xe0
ret_from_fork+0x2d/0x50
ret_from_fork_asm+0x11/0x20
</TASK>
---[ end trace 0000000000000000 ]---
INFO: task kworker/8:1:251 blocked for more than 120 seconds.
Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000
Workqueue: events async_pf_execute [kvm]
Call Trace:
<TASK>
__schedule+0x33f/0xa40
schedule+0x53/0xc0
schedule_timeout+0x12a/0x140
__wait_for_common+0x8d/0x1d0
__flush_work.isra.0+0x19f/0x2c0
kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]
kvm_arch_destroy_vm+0x78/0x1b0 [kvm]
kvm_put_kvm+0x1c1/0x320 [kvm]
async_pf_execute+0x198/0x260 [kvm]
process_one_work+0x145/0x2d0
worker_thread+0x27e/0x3a0
kthread+0xba/0xe0
ret_from_fork+0x2d/0x50
ret_from_fork_asm+0x11/0x20
</TASK>
If kvm_clear_async_pf_completion_queue() actually flushes the workqueue,
then there's no need to gift async_pf_execute() a reference because all
invocations of async_pf_execute() will be forced to complete before the
vCPU and its VM are destroyed/freed. And that in turn fixes the module
unloading bug as __fput() won't do module_put() on the last vCPU reference
until the vCPU has been freed, e.g. if closing the vCPU file also puts the
last reference to the KVM module.
Note that kvm_check_async_pf_completion() may also take the work item off
the completion queue and so also needs to flush the work queue, as the
work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting
on the workqueue could theoretically delay a vCPU due to waiting for the
work to complete, but that's a very, very small chance, and likely a very
small delay. kvm_arch_async_page_present_queued() unconditionally makes a
new request, i.e. will effectively delay entering the guest, so the
remaining work is really just:
trace_kvm_async_pf_completed(addr, cr2_or_gpa);
__kvm_vcpu_wake_up(vcpu);
mmput(mm);
and mmput() can't drop the last reference to the page tables if the vCPU is
still alive, i.e. the vCPU won't get stuck tearing down page tables.
Add a helper to do the flushing, specifically to deal with "wakeup all"
work items, as they aren't actually work items, i.e. are never placed in a
workqueue. Trying to flush a bogus workqueue entry rightly makes
__flush_work() complain (kudos to whoever added that sanity check).
Note, commit 5f6de5cbebee ("KVM: Prevent module exit until all VMs are
freed") *tried* to fix the module refcounting issue by having VMs grab a
reference to the module, but that only made the bug slightly harder to hit
as it gave async_pf_execute() a bit more time to complete before the KVM
module could be unloaded.
Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out")
Cc: stable@vger.kernel.org
Cc: David Matlack <dmatlack@google.com>
Reviewed-by: Xu Yilun <yilun.xu@intel.com>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Link: https://lore.kernel.org/r/20240110011533.503302-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
virt/kvm/async_pf.c | 31 ++++++++++++++++++++++++++-----
1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c
index c9861c2315e8e..3e17f8c7432c1 100644
--- a/virt/kvm/async_pf.c
+++ b/virt/kvm/async_pf.c
@@ -110,7 +110,27 @@ static void async_pf_execute(struct work_struct *work)
swake_up_one(&vcpu->wq);
mmput(mm);
- kvm_put_kvm(vcpu->kvm);
+}
+
+static void kvm_flush_and_free_async_pf_work(struct kvm_async_pf *work)
+{
+ /*
+ * The async #PF is "done", but KVM must wait for the work item itself,
+ * i.e. async_pf_execute(), to run to completion. If KVM is a module,
+ * KVM must ensure *no* code owned by the KVM (the module) can be run
+ * after the last call to module_put(). Note, flushing the work item
+ * is always required when the item is taken off the completion queue.
+ * E.g. even if the vCPU handles the item in the "normal" path, the VM
+ * could be terminated before async_pf_execute() completes.
+ *
+ * Wake all events skip the queue and go straight done, i.e. don't
+ * need to be flushed (but sanity check that the work wasn't queued).
+ */
+ if (work->wakeup_all)
+ WARN_ON_ONCE(work->work.func);
+ else
+ flush_work(&work->work);
+ kmem_cache_free(async_pf_cache, work);
}
void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu)
@@ -137,7 +157,6 @@ void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu)
#else
if (cancel_work_sync(&work->work)) {
mmput(work->mm);
- kvm_put_kvm(vcpu->kvm); /* == work->vcpu->kvm */
kmem_cache_free(async_pf_cache, work);
}
#endif
@@ -149,7 +168,10 @@ void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu)
list_first_entry(&vcpu->async_pf.done,
typeof(*work), link);
list_del(&work->link);
- kmem_cache_free(async_pf_cache, work);
+
+ spin_unlock(&vcpu->async_pf.lock);
+ kvm_flush_and_free_async_pf_work(work);
+ spin_lock(&vcpu->async_pf.lock);
}
spin_unlock(&vcpu->async_pf.lock);
@@ -173,7 +195,7 @@ void kvm_check_async_pf_completion(struct kvm_vcpu *vcpu)
list_del(&work->queue);
vcpu->async_pf.queued--;
- kmem_cache_free(async_pf_cache, work);
+ kvm_flush_and_free_async_pf_work(work);
}
}
@@ -202,7 +224,6 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
work->arch = *arch;
work->mm = current->mm;
mmget(work->mm);
- kvm_get_kvm(work->vcpu->kvm);
/* this can't really happen otherwise gfn_to_pfn_async
would succeed */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 017/175] sparc64: NMI watchdog: fix return value of __setup handler
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2024-04-11 9:53 ` [PATCH 4.19 016/175] KVM: Always flush async #PF workqueue when vCPU is being destroyed Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 018/175] sparc: vDSO: " Greg Kroah-Hartman
` (163 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Igor Zhbanov,
David S. Miller, sparclinux, Sam Ravnborg, Andrew Morton,
Arnd Bergmann, Andreas Larsson, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 3ed7c61e49d65dacb96db798c0ab6fcd55a1f20f ]
__setup() handlers should return 1 to obsolete_checksetup() in
init/main.c to indicate that the boot option has been handled.
A return of 0 causes the boot option/value to be listed as an Unknown
kernel parameter and added to init's (limited) argument or environment
strings. Also, error return codes don't mean anything to
obsolete_checksetup() -- only non-zero (usually 1) or zero.
So return 1 from setup_nmi_watchdog().
Fixes: e5553a6d0442 ("sparc64: Implement NMI watchdog on capable cpus.")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <izh1979@gmail.com>
Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Cc: "David S. Miller" <davem@davemloft.net>
Cc: sparclinux@vger.kernel.org
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20240211052802.22612-1-rdunlap@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sparc/kernel/nmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/sparc/kernel/nmi.c b/arch/sparc/kernel/nmi.c
index 8babbeb30adf9..1f356928a06d5 100644
--- a/arch/sparc/kernel/nmi.c
+++ b/arch/sparc/kernel/nmi.c
@@ -273,7 +273,7 @@ static int __init setup_nmi_watchdog(char *str)
if (!strncmp(str, "panic", 5))
panic_on_timeout = 1;
- return 0;
+ return 1;
}
__setup("nmi_watchdog=", setup_nmi_watchdog);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 018/175] sparc: vDSO: fix return value of __setup handler
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 017/175] sparc64: NMI watchdog: fix return value of __setup handler Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 019/175] crypto: qat - fix double free during reset Greg Kroah-Hartman
` (162 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Igor Zhbanov,
David S. Miller, sparclinux, Dan Carpenter, Nick Alcock,
Sam Ravnborg, Andrew Morton, Arnd Bergmann, Andreas Larsson,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 5378f00c935bebb846b1fdb0e79cb76c137c56b5 ]
__setup() handlers should return 1 to obsolete_checksetup() in
init/main.c to indicate that the boot option has been handled.
A return of 0 causes the boot option/value to be listed as an Unknown
kernel parameter and added to init's (limited) argument or environment
strings. Also, error return codes don't mean anything to
obsolete_checksetup() -- only non-zero (usually 1) or zero.
So return 1 from vdso_setup().
Fixes: 9a08862a5d2e ("vDSO for sparc")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <izh1979@gmail.com>
Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Cc: "David S. Miller" <davem@davemloft.net>
Cc: sparclinux@vger.kernel.org
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Nick Alcock <nick.alcock@oracle.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20240211052808.22635-1-rdunlap@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sparc/vdso/vma.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/arch/sparc/vdso/vma.c b/arch/sparc/vdso/vma.c
index 5eaff3c1aa0c7..1869e4b36db21 100644
--- a/arch/sparc/vdso/vma.c
+++ b/arch/sparc/vdso/vma.c
@@ -262,9 +262,8 @@ static __init int vdso_setup(char *s)
unsigned long val;
err = kstrtoul(s, 10, &val);
- if (err)
- return err;
- vdso_enabled = val;
- return 0;
+ if (!err)
+ vdso_enabled = val;
+ return 1;
}
__setup("vdso=", vdso_setup);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 019/175] crypto: qat - fix double free during reset
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 018/175] sparc: vDSO: " Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 020/175] crypto: qat - resolve race condition during AER recovery Greg Kroah-Hartman
` (161 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Svyatoslav Pankratov,
Giovanni Cabiddu, Herbert Xu, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
[ Upstream commit 01aed663e6c421aeafc9c330bda630976b50a764 ]
There is no need to free the reset_data structure if the recovery is
unsuccessful and the reset is synchronous. The function
adf_dev_aer_schedule_reset() handles the cleanup properly. Only
asynchronous resets require such structure to be freed inside the reset
worker.
Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
Signed-off-by: Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 7d42e097607c ("crypto: qat - resolve race condition during AER recovery")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/qat/qat_common/adf_aer.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/qat/qat_common/adf_aer.c b/drivers/crypto/qat/qat_common/adf_aer.c
index 9225d060e18f4..44b91cb73dd19 100644
--- a/drivers/crypto/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/qat/qat_common/adf_aer.c
@@ -139,7 +139,8 @@ static void adf_device_reset_worker(struct work_struct *work)
if (adf_dev_init(accel_dev) || adf_dev_start(accel_dev)) {
/* The device hanged and we can't restart it so stop here */
dev_err(&GET_DEV(accel_dev), "Restart device failed\n");
- kfree(reset_data);
+ if (reset_data->mode == ADF_DEV_RESET_ASYNC)
+ kfree(reset_data);
WARN(1, "QAT: device restart failed. Device is unusable\n");
return;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 020/175] crypto: qat - resolve race condition during AER recovery
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 019/175] crypto: qat - fix double free during reset Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 021/175] fat: fix uninitialized field in nostale filehandles Greg Kroah-Hartman
` (160 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damian Muszynski, Giovanni Cabiddu,
Herbert Xu, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damian Muszynski <damian.muszynski@intel.com>
[ Upstream commit 7d42e097607c4d246d99225bf2b195b6167a210c ]
During the PCI AER system's error recovery process, the kernel driver
may encounter a race condition with freeing the reset_data structure's
memory. If the device restart will take more than 10 seconds the function
scheduling that restart will exit due to a timeout, and the reset_data
structure will be freed. However, this data structure is used for
completion notification after the restart is completed, which leads
to a UAF bug.
This results in a KFENCE bug notice.
BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]
Use-after-free read at 0x00000000bc56fddf (in kfence-#142):
adf_device_reset_worker+0x38/0xa0 [intel_qat]
process_one_work+0x173/0x340
To resolve this race condition, the memory associated to the container
of the work_struct is freed on the worker if the timeout expired,
otherwise on the function that schedules the worker.
The timeout detection can be done by checking if the caller is
still waiting for completion or not by using completion_done() function.
Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
Cc: <stable@vger.kernel.org>
Signed-off-by: Damian Muszynski <damian.muszynski@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/qat/qat_common/adf_aer.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/drivers/crypto/qat/qat_common/adf_aer.c b/drivers/crypto/qat/qat_common/adf_aer.c
index 44b91cb73dd19..7242a1ee86de7 100644
--- a/drivers/crypto/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/qat/qat_common/adf_aer.c
@@ -139,7 +139,8 @@ static void adf_device_reset_worker(struct work_struct *work)
if (adf_dev_init(accel_dev) || adf_dev_start(accel_dev)) {
/* The device hanged and we can't restart it so stop here */
dev_err(&GET_DEV(accel_dev), "Restart device failed\n");
- if (reset_data->mode == ADF_DEV_RESET_ASYNC)
+ if (reset_data->mode == ADF_DEV_RESET_ASYNC ||
+ completion_done(&reset_data->compl))
kfree(reset_data);
WARN(1, "QAT: device restart failed. Device is unusable\n");
return;
@@ -147,11 +148,19 @@ static void adf_device_reset_worker(struct work_struct *work)
adf_dev_restarted_notify(accel_dev);
clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
- /* The dev is back alive. Notify the caller if in sync mode */
- if (reset_data->mode == ADF_DEV_RESET_SYNC)
- complete(&reset_data->compl);
- else
+ /*
+ * The dev is back alive. Notify the caller if in sync mode
+ *
+ * If device restart will take a more time than expected,
+ * the schedule_reset() function can timeout and exit. This can be
+ * detected by calling the completion_done() function. In this case
+ * the reset_data structure needs to be freed here.
+ */
+ if (reset_data->mode == ADF_DEV_RESET_ASYNC ||
+ completion_done(&reset_data->compl))
kfree(reset_data);
+ else
+ complete(&reset_data->compl);
}
static int adf_dev_aer_schedule_reset(struct adf_accel_dev *accel_dev,
@@ -184,8 +193,9 @@ static int adf_dev_aer_schedule_reset(struct adf_accel_dev *accel_dev,
dev_err(&GET_DEV(accel_dev),
"Reset device timeout expired\n");
ret = -EFAULT;
+ } else {
+ kfree(reset_data);
}
- kfree(reset_data);
return ret;
}
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 021/175] fat: fix uninitialized field in nostale filehandles
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 020/175] crypto: qat - resolve race condition during AER recovery Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 022/175] ubifs: Set page uptodate in the correct place Greg Kroah-Hartman
` (159 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3ce5dea5b1539ff36769,
Jan Kara, OGAWA Hirofumi, Amir Goldstein, Andrew Morton,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit fde2497d2bc3a063d8af88b258dbadc86bd7b57c ]
When fat_encode_fh_nostale() encodes file handle without a parent it
stores only first 10 bytes of the file handle. However the length of the
file handle must be a multiple of 4 so the file handle is actually 12
bytes long and the last two bytes remain uninitialized. This is not
great at we potentially leak uninitialized information with the handle
to userspace. Properly initialize the full handle length.
Link: https://lkml.kernel.org/r/20240205122626.13701-1-jack@suse.cz
Reported-by: syzbot+3ce5dea5b1539ff36769@syzkaller.appspotmail.com
Fixes: ea3983ace6b7 ("fat: restructure export_operations")
Signed-off-by: Jan Kara <jack@suse.cz>
Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fat/nfs.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/fat/nfs.c b/fs/fat/nfs.c
index eb192656fba27..f442a8d2f114b 100644
--- a/fs/fat/nfs.c
+++ b/fs/fat/nfs.c
@@ -139,6 +139,12 @@ fat_encode_fh_nostale(struct inode *inode, __u32 *fh, int *lenp,
fid->parent_i_gen = parent->i_generation;
type = FILEID_FAT_WITH_PARENT;
*lenp = FAT_FID_SIZE_WITH_PARENT;
+ } else {
+ /*
+ * We need to initialize this field because the fh is actually
+ * 12 bytes long
+ */
+ fid->parent_i_pos_hi = 0;
}
return type;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 022/175] ubifs: Set page uptodate in the correct place
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 021/175] fat: fix uninitialized field in nostale filehandles Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 023/175] ubi: Check for too small LEB size in VTBL code Greg Kroah-Hartman
` (158 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Zhihao Cheng, Richard Weinberger, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 723012cab779eee8228376754e22c6594229bf8f ]
Page cache reads are lockless, so setting the freshly allocated page
uptodate before we've overwritten it with the data it's supposed to have
in it will allow a simultaneous reader to see old data. Move the call
to SetPageUptodate into ubifs_write_end(), which is after we copied the
new data into the page.
Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ubifs/file.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
index fca3b7f483c79..e373e5d057fd4 100644
--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
@@ -274,9 +274,6 @@ static int write_begin_slow(struct address_space *mapping,
return err;
}
}
-
- SetPageUptodate(page);
- ClearPageError(page);
}
if (PagePrivate(page))
@@ -475,9 +472,6 @@ static int ubifs_write_begin(struct file *file, struct address_space *mapping,
return err;
}
}
-
- SetPageUptodate(page);
- ClearPageError(page);
}
err = allocate_budget(c, page, ui, appending);
@@ -487,10 +481,8 @@ static int ubifs_write_begin(struct file *file, struct address_space *mapping,
* If we skipped reading the page because we were going to
* write all of it, then it is not up to date.
*/
- if (skipped_read) {
+ if (skipped_read)
ClearPageChecked(page);
- ClearPageUptodate(page);
- }
/*
* Budgeting failed which means it would have to force
* write-back but didn't, because we set the @fast flag in the
@@ -581,6 +573,9 @@ static int ubifs_write_end(struct file *file, struct address_space *mapping,
goto out;
}
+ if (len == PAGE_SIZE)
+ SetPageUptodate(page);
+
if (!PagePrivate(page)) {
SetPagePrivate(page);
atomic_long_inc(&c->dirty_pg_cnt);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 023/175] ubi: Check for too small LEB size in VTBL code
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 022/175] ubifs: Set page uptodate in the correct place Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 024/175] ubi: correct the calculation of fastmap size Greg Kroah-Hartman
` (157 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Richard Weinberger,
Zhihao Cheng, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
[ Upstream commit 68a24aba7c593eafa8fd00f2f76407b9b32b47a9 ]
If the LEB size is smaller than a volume table record we cannot
have volumes.
In this case abort attaching.
Cc: Chenyuan Yang <cy54@illinois.edu>
Cc: stable@vger.kernel.org
Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
Reported-by: Chenyuan Yang <cy54@illinois.edu>
Closes: https://lore.kernel.org/linux-mtd/1433EB7A-FC89-47D6-8F47-23BE41B263B3@illinois.edu/
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/ubi/vtbl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/mtd/ubi/vtbl.c b/drivers/mtd/ubi/vtbl.c
index 1bc82154bb18f..634ec95a1e71a 100644
--- a/drivers/mtd/ubi/vtbl.c
+++ b/drivers/mtd/ubi/vtbl.c
@@ -804,6 +804,12 @@ int ubi_read_volume_table(struct ubi_device *ubi, struct ubi_attach_info *ai)
* The number of supported volumes is limited by the eraseblock size
* and by the UBI_MAX_VOLUMES constant.
*/
+
+ if (ubi->leb_size < UBI_VTBL_RECORD_SIZE) {
+ ubi_err(ubi, "LEB size too small for a volume record");
+ return -EINVAL;
+ }
+
ubi->vtbl_slots = ubi->leb_size / UBI_VTBL_RECORD_SIZE;
if (ubi->vtbl_slots > UBI_MAX_VOLUMES)
ubi->vtbl_slots = UBI_MAX_VOLUMES;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 024/175] ubi: correct the calculation of fastmap size
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 023/175] ubi: Check for too small LEB size in VTBL code Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 025/175] parisc: Do not hardcode registers in checksum functions Greg Kroah-Hartman
` (156 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Zhihao Cheng,
Richard Weinberger, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 7f174ae4f39e8475adcc09d26c5a43394689ad6c ]
Now that the calculation of fastmap size in ubi_calc_fm_size() is
incorrect since it miss each user volume's ubi_fm_eba structure and the
Internal UBI volume info. Let's correct the calculation.
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/ubi/fastmap.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c
index d45c1d6587d18..e24fc0131d794 100644
--- a/drivers/mtd/ubi/fastmap.c
+++ b/drivers/mtd/ubi/fastmap.c
@@ -95,9 +95,10 @@ size_t ubi_calc_fm_size(struct ubi_device *ubi)
sizeof(struct ubi_fm_scan_pool) +
sizeof(struct ubi_fm_scan_pool) +
(ubi->peb_count * sizeof(struct ubi_fm_ec)) +
- (sizeof(struct ubi_fm_eba) +
- (ubi->peb_count * sizeof(__be32))) +
- sizeof(struct ubi_fm_volhdr) * UBI_MAX_VOLUMES;
+ ((sizeof(struct ubi_fm_eba) +
+ sizeof(struct ubi_fm_volhdr)) *
+ (UBI_MAX_VOLUMES + UBI_INT_VOL_COUNT)) +
+ (ubi->peb_count * sizeof(__be32));
return roundup(size, ubi->leb_size);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 025/175] parisc: Do not hardcode registers in checksum functions
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 024/175] ubi: correct the calculation of fastmap size Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 026/175] parisc: Fix ip_fast_csum Greg Kroah-Hartman
` (155 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
[ Upstream commit 52b2d91752a82d9350981eb3b3ffc4b325c84ba9 ]
Do not hardcode processor registers r19 to r22 as scratch registers.
Instead let the compiler decide, which may give better optimization
results when the functions get inlined.
Signed-off-by: Helge Deller <deller@gmx.de>
Stable-dep-of: a2abae8f0b63 ("parisc: Fix ip_fast_csum")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/include/asm/checksum.h | 101 +++++++++++++++--------------
1 file changed, 52 insertions(+), 49 deletions(-)
diff --git a/arch/parisc/include/asm/checksum.h b/arch/parisc/include/asm/checksum.h
index 3cbf1f1c1188e..c1c22819a04d1 100644
--- a/arch/parisc/include/asm/checksum.h
+++ b/arch/parisc/include/asm/checksum.h
@@ -42,31 +42,32 @@ extern __wsum csum_partial_copy_from_user(const void __user *src,
static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl)
{
unsigned int sum;
+ unsigned long t0, t1, t2;
__asm__ __volatile__ (
" ldws,ma 4(%1), %0\n"
" addib,<= -4, %2, 2f\n"
"\n"
-" ldws 4(%1), %%r20\n"
-" ldws 8(%1), %%r21\n"
-" add %0, %%r20, %0\n"
-" ldws,ma 12(%1), %%r19\n"
-" addc %0, %%r21, %0\n"
-" addc %0, %%r19, %0\n"
-"1: ldws,ma 4(%1), %%r19\n"
+" ldws 4(%1), %4\n"
+" ldws 8(%1), %5\n"
+" add %0, %4, %0\n"
+" ldws,ma 12(%1), %3\n"
+" addc %0, %5, %0\n"
+" addc %0, %3, %0\n"
+"1: ldws,ma 4(%1), %3\n"
" addib,< 0, %2, 1b\n"
-" addc %0, %%r19, %0\n"
+" addc %0, %3, %0\n"
"\n"
-" extru %0, 31, 16, %%r20\n"
-" extru %0, 15, 16, %%r21\n"
-" addc %%r20, %%r21, %0\n"
-" extru %0, 15, 16, %%r21\n"
-" add %0, %%r21, %0\n"
+" extru %0, 31, 16, %4\n"
+" extru %0, 15, 16, %5\n"
+" addc %4, %5, %0\n"
+" extru %0, 15, 16, %5\n"
+" add %0, %5, %0\n"
" subi -1, %0, %0\n"
"2:\n"
- : "=r" (sum), "=r" (iph), "=r" (ihl)
+ : "=r" (sum), "=r" (iph), "=r" (ihl), "=r" (t0), "=r" (t1), "=r" (t2)
: "1" (iph), "2" (ihl)
- : "r19", "r20", "r21", "memory");
+ : "memory");
return (__force __sum16)sum;
}
@@ -126,6 +127,10 @@ static __inline__ __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
__u32 len, __u8 proto,
__wsum sum)
{
+ unsigned long t0, t1, t2, t3;
+
+ len += proto; /* add 16-bit proto + len */
+
__asm__ __volatile__ (
#if BITS_PER_LONG > 32
@@ -136,20 +141,19 @@ static __inline__ __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
** Try to keep 4 registers with "live" values ahead of the ALU.
*/
-" ldd,ma 8(%1), %%r19\n" /* get 1st saddr word */
-" ldd,ma 8(%2), %%r20\n" /* get 1st daddr word */
-" add %8, %3, %3\n"/* add 16-bit proto + len */
-" add %%r19, %0, %0\n"
-" ldd,ma 8(%1), %%r21\n" /* 2cd saddr */
-" ldd,ma 8(%2), %%r22\n" /* 2cd daddr */
-" add,dc %%r20, %0, %0\n"
-" add,dc %%r21, %0, %0\n"
-" add,dc %%r22, %0, %0\n"
+" ldd,ma 8(%1), %4\n" /* get 1st saddr word */
+" ldd,ma 8(%2), %5\n" /* get 1st daddr word */
+" add %4, %0, %0\n"
+" ldd,ma 8(%1), %6\n" /* 2nd saddr */
+" ldd,ma 8(%2), %7\n" /* 2nd daddr */
+" add,dc %5, %0, %0\n"
+" add,dc %6, %0, %0\n"
+" add,dc %7, %0, %0\n"
" add,dc %3, %0, %0\n" /* fold in proto+len | carry bit */
-" extrd,u %0, 31, 32, %%r19\n" /* copy upper half down */
-" depdi 0, 31, 32, %0\n" /* clear upper half */
-" add %%r19, %0, %0\n" /* fold into 32-bits */
-" addc 0, %0, %0\n" /* add carry */
+" extrd,u %0, 31, 32, %4\n"/* copy upper half down */
+" depdi 0, 31, 32, %0\n"/* clear upper half */
+" add %4, %0, %0\n" /* fold into 32-bits */
+" addc 0, %0, %0\n" /* add carry */
#else
@@ -158,30 +162,29 @@ static __inline__ __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
** Insn stream is serialized on the carry bit here too.
** result from the previous operation (eg r0 + x)
*/
-
-" ldw,ma 4(%1), %%r19\n" /* get 1st saddr word */
-" ldw,ma 4(%2), %%r20\n" /* get 1st daddr word */
-" add %8, %3, %3\n" /* add 16-bit proto + len */
-" add %%r19, %0, %0\n"
-" ldw,ma 4(%1), %%r21\n" /* 2cd saddr */
-" addc %%r20, %0, %0\n"
-" ldw,ma 4(%2), %%r22\n" /* 2cd daddr */
-" addc %%r21, %0, %0\n"
-" ldw,ma 4(%1), %%r19\n" /* 3rd saddr */
-" addc %%r22, %0, %0\n"
-" ldw,ma 4(%2), %%r20\n" /* 3rd daddr */
-" addc %%r19, %0, %0\n"
-" ldw,ma 4(%1), %%r21\n" /* 4th saddr */
-" addc %%r20, %0, %0\n"
-" ldw,ma 4(%2), %%r22\n" /* 4th daddr */
-" addc %%r21, %0, %0\n"
-" addc %%r22, %0, %0\n"
+" ldw,ma 4(%1), %4\n" /* get 1st saddr word */
+" ldw,ma 4(%2), %5\n" /* get 1st daddr word */
+" add %4, %0, %0\n"
+" ldw,ma 4(%1), %6\n" /* 2nd saddr */
+" addc %5, %0, %0\n"
+" ldw,ma 4(%2), %7\n" /* 2nd daddr */
+" addc %6, %0, %0\n"
+" ldw,ma 4(%1), %4\n" /* 3rd saddr */
+" addc %7, %0, %0\n"
+" ldw,ma 4(%2), %5\n" /* 3rd daddr */
+" addc %4, %0, %0\n"
+" ldw,ma 4(%1), %6\n" /* 4th saddr */
+" addc %5, %0, %0\n"
+" ldw,ma 4(%2), %7\n" /* 4th daddr */
+" addc %6, %0, %0\n"
+" addc %7, %0, %0\n"
" addc %3, %0, %0\n" /* fold in proto+len, catch carry */
#endif
- : "=r" (sum), "=r" (saddr), "=r" (daddr), "=r" (len)
- : "0" (sum), "1" (saddr), "2" (daddr), "3" (len), "r" (proto)
- : "r19", "r20", "r21", "r22", "memory");
+ : "=r" (sum), "=r" (saddr), "=r" (daddr), "=r" (len),
+ "=r" (t0), "=r" (t1), "=r" (t2), "=r" (t3)
+ : "0" (sum), "1" (saddr), "2" (daddr), "3" (len)
+ : "memory");
return csum_fold(sum);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 026/175] parisc: Fix ip_fast_csum
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 025/175] parisc: Do not hardcode registers in checksum functions Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 027/175] parisc: Fix csum_ipv6_magic on 32-bit systems Greg Kroah-Hartman
` (154 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Palmer Dabbelt, Guenter Roeck,
Charlie Jenkins, Helge Deller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit a2abae8f0b638c31bb9799d9dd847306e0d005bd ]
IP checksum unit tests report the following error when run on hppa/hppa64.
# test_ip_fast_csum: ASSERTION FAILED at lib/checksum_kunit.c:463
Expected ( u64)csum_result == ( u64)expected, but
( u64)csum_result == 33754 (0x83da)
( u64)expected == 10946 (0x2ac2)
not ok 4 test_ip_fast_csum
0x83da is the expected result if the IP header length is 20 bytes. 0x2ac2
is the expected result if the IP header length is 24 bytes. The test fails
with an IP header length of 24 bytes. It appears that ip_fast_csum()
always returns the checksum for a 20-byte header, no matter how long
the header actually is.
Code analysis shows a suspicious assembler sequence in ip_fast_csum().
" addc %0, %3, %0\n"
"1: ldws,ma 4(%1), %3\n"
" addib,< 0, %2, 1b\n" <---
While my understanding of HPPA assembler is limited, it does not seem
to make much sense to subtract 0 from a register and to expect the result
to ever be negative. Subtracting 1 from the length parameter makes more
sense. On top of that, the operation should be repeated if and only if
the result is still > 0, so change the suspicious instruction to
" addib,> -1, %2, 1b\n"
The IP checksum unit test passes after this change.
Cc: Palmer Dabbelt <palmer@rivosinc.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Charlie Jenkins <charlie@rivosinc.com>
Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/include/asm/checksum.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/parisc/include/asm/checksum.h b/arch/parisc/include/asm/checksum.h
index c1c22819a04d1..7efcd901b9656 100644
--- a/arch/parisc/include/asm/checksum.h
+++ b/arch/parisc/include/asm/checksum.h
@@ -55,7 +55,7 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl)
" addc %0, %5, %0\n"
" addc %0, %3, %0\n"
"1: ldws,ma 4(%1), %3\n"
-" addib,< 0, %2, 1b\n"
+" addib,> -1, %2, 1b\n"
" addc %0, %3, %0\n"
"\n"
" extru %0, 31, 16, %4\n"
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 027/175] parisc: Fix csum_ipv6_magic on 32-bit systems
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 026/175] parisc: Fix ip_fast_csum Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 028/175] parisc: Fix csum_ipv6_magic on 64-bit systems Greg Kroah-Hartman
` (153 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Palmer Dabbelt, Guenter Roeck,
Charlie Jenkins, Helge Deller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 4408ba75e4ba80c91fde7e10bccccf388f5c09be ]
Calculating the IPv6 checksum on 32-bit systems missed overflows when
adding the proto+len fields into the checksum. This results in the
following unit test failure.
# test_csum_ipv6_magic: ASSERTION FAILED at lib/checksum_kunit.c:506
Expected ( u64)csum_result == ( u64)expected, but
( u64)csum_result == 46722 (0xb682)
( u64)expected == 46721 (0xb681)
not ok 5 test_csum_ipv6_magic
This is probably rarely seen in the real world because proto+len are
usually small values which will rarely result in overflows when calculating
the checksum. However, the unit test code uses large values for the length
field, causing the test to fail.
Fix the problem by adding the missing carry into the final checksum.
Cc: Palmer Dabbelt <palmer@rivosinc.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Charlie Jenkins <charlie@rivosinc.com>
Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/include/asm/checksum.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/parisc/include/asm/checksum.h b/arch/parisc/include/asm/checksum.h
index 7efcd901b9656..0a02639514505 100644
--- a/arch/parisc/include/asm/checksum.h
+++ b/arch/parisc/include/asm/checksum.h
@@ -178,7 +178,8 @@ static __inline__ __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
" ldw,ma 4(%2), %7\n" /* 4th daddr */
" addc %6, %0, %0\n"
" addc %7, %0, %0\n"
-" addc %3, %0, %0\n" /* fold in proto+len, catch carry */
+" addc %3, %0, %0\n" /* fold in proto+len */
+" addc 0, %0, %0\n" /* add carry */
#endif
: "=r" (sum), "=r" (saddr), "=r" (daddr), "=r" (len),
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 028/175] parisc: Fix csum_ipv6_magic on 64-bit systems
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 027/175] parisc: Fix csum_ipv6_magic on 32-bit systems Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 029/175] parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds Greg Kroah-Hartman
` (152 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Palmer Dabbelt, Guenter Roeck,
Charlie Jenkins, Helge Deller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 4b75b12d70506e31fc02356bbca60f8d5ca012d0 ]
hppa 64-bit systems calculates the IPv6 checksum using 64-bit add
operations. The last add folds protocol and length fields into the 64-bit
result. While unlikely, this operation can overflow. The overflow can be
triggered with a code sequence such as the following.
/* try to trigger massive overflows */
memset(tmp_buf, 0xff, sizeof(struct in6_addr));
csum_result = csum_ipv6_magic((struct in6_addr *)tmp_buf,
(struct in6_addr *)tmp_buf,
0xffff, 0xff, 0xffffffff);
Fix the problem by adding any overflows from the final add operation into
the calculated checksum. Fortunately, we can do this without additional
cost by replacing the add operation used to fold the checksum into 32 bit
with "add,dc" to add in the missing carry.
Cc: Palmer Dabbelt <palmer@rivosinc.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/include/asm/checksum.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/parisc/include/asm/checksum.h b/arch/parisc/include/asm/checksum.h
index 0a02639514505..7861d365ba1e2 100644
--- a/arch/parisc/include/asm/checksum.h
+++ b/arch/parisc/include/asm/checksum.h
@@ -152,8 +152,8 @@ static __inline__ __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
" add,dc %3, %0, %0\n" /* fold in proto+len | carry bit */
" extrd,u %0, 31, 32, %4\n"/* copy upper half down */
" depdi 0, 31, 32, %0\n"/* clear upper half */
-" add %4, %0, %0\n" /* fold into 32-bits */
-" addc 0, %0, %0\n" /* add carry */
+" add,dc %4, %0, %0\n" /* fold into 32-bits, plus carry */
+" addc 0, %0, %0\n" /* add final carry */
#else
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 029/175] parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 028/175] parisc: Fix csum_ipv6_magic on 64-bit systems Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 030/175] PM: suspend: Set mem_sleep_current during kernel command line setup Greg Kroah-Hartman
` (151 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Helge Deller, Guenter Roeck, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 0568b6f0d863643db2edcc7be31165740c89fa82 ]
IPv6 checksum tests with unaligned addresses on 64-bit builds result
in unexpected failures.
Expected expected == csum_result, but
expected == 46591 (0xb5ff)
csum_result == 46381 (0xb52d)
with alignment offset 1
Oddly enough, the problem disappeared after adding test code into
the beginning of csum_ipv6_magic().
As it turns out, the 'sum' parameter of csum_ipv6_magic() is declared as
__wsum, which is a 32-bit variable. However, it is treated as 64-bit
variable in the 64-bit assembler code. Tests showed that the upper 32 bit
of the register used to pass the variable are _not_ cleared when entering
the function. This can result in checksum calculation errors.
Clearing the upper 32 bit of 'sum' as first operation in the assembler
code fixes the problem.
Acked-by: Helge Deller <deller@gmx.de>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/parisc/include/asm/checksum.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/parisc/include/asm/checksum.h b/arch/parisc/include/asm/checksum.h
index 7861d365ba1e2..ef34e8f839d55 100644
--- a/arch/parisc/include/asm/checksum.h
+++ b/arch/parisc/include/asm/checksum.h
@@ -141,6 +141,7 @@ static __inline__ __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
** Try to keep 4 registers with "live" values ahead of the ALU.
*/
+" depdi 0, 31, 32, %0\n"/* clear upper half of incoming checksum */
" ldd,ma 8(%1), %4\n" /* get 1st saddr word */
" ldd,ma 8(%2), %5\n" /* get 1st daddr word */
" add %4, %0, %0\n"
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 030/175] PM: suspend: Set mem_sleep_current during kernel command line setup
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 029/175] parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 031/175] clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays Greg Kroah-Hartman
` (150 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maulik Shah, Rafael J. Wysocki, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maulik Shah <quic_mkshah@quicinc.com>
[ Upstream commit 9bc4ffd32ef8943f5c5a42c9637cfd04771d021b ]
psci_init_system_suspend() invokes suspend_set_ops() very early during
bootup even before kernel command line for mem_sleep_default is setup.
This leads to kernel command line mem_sleep_default=s2idle not working
as mem_sleep_current gets changed to deep via suspend_set_ops() and never
changes back to s2idle.
Set mem_sleep_current along with mem_sleep_default during kernel command
line setup as default suspend mode.
Fixes: faf7ec4a92c0 ("drivers: firmware: psci: add system suspend support")
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Maulik Shah <quic_mkshah@quicinc.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/suspend.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/power/suspend.c b/kernel/power/suspend.c
index 0bd595a0b6103..7a080015a1b3c 100644
--- a/kernel/power/suspend.c
+++ b/kernel/power/suspend.c
@@ -202,6 +202,7 @@ static int __init mem_sleep_default_setup(char *str)
if (mem_sleep_labels[state] &&
!strcmp(str, mem_sleep_labels[state])) {
mem_sleep_default = state;
+ mem_sleep_current = state;
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 031/175] clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 030/175] PM: suspend: Set mem_sleep_current during kernel command line setup Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 032/175] clk: qcom: mmcc-apq8084: " Greg Kroah-Hartman
` (149 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Stephen Boyd,
Bjorn Andersson, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit 1040ef5ed95d6fd2628bad387d78a61633e09429 ]
The frequency table arrays are supposed to be terminated with an
empty element. Add such entry to the end of the arrays where it
is missing in order to avoid possible out-of-bound access when
the table is traversed by functions like qcom_find_freq() or
qcom_find_freq_floor().
Only compile tested.
Fixes: 9607f6224b39 ("clk: qcom: ipq8074: add PCIE, USB and SDCC clocks")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240229-freq-table-terminator-v1-3-074334f0905c@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-ipq8074.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c
index eff38d22738c4..e38a1f87263b8 100644
--- a/drivers/clk/qcom/gcc-ipq8074.c
+++ b/drivers/clk/qcom/gcc-ipq8074.c
@@ -980,6 +980,7 @@ static struct clk_rcg2 pcie0_axi_clk_src = {
static const struct freq_tbl ftbl_pcie_aux_clk_src[] = {
F(19200000, P_XO, 1, 0, 0),
+ { }
};
static struct clk_rcg2 pcie0_aux_clk_src = {
@@ -1085,6 +1086,7 @@ static const struct freq_tbl ftbl_sdcc_ice_core_clk_src[] = {
F(19200000, P_XO, 1, 0, 0),
F(160000000, P_GPLL0, 5, 0, 0),
F(308570000, P_GPLL6, 3.5, 0, 0),
+ { }
};
static struct clk_rcg2 sdcc1_ice_core_clk_src = {
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 032/175] clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 031/175] clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 033/175] clk: qcom: mmcc-msm8974: " Greg Kroah-Hartman
` (148 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Stephen Boyd,
Bjorn Andersson, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit a903cfd38d8dee7e754fb89fd1bebed99e28003d ]
The frequency table arrays are supposed to be terminated with an
empty element. Add such entry to the end of the arrays where it
is missing in order to avoid possible out-of-bound access when
the table is traversed by functions like qcom_find_freq() or
qcom_find_freq_floor().
Only compile tested.
Fixes: 2b46cd23a5a2 ("clk: qcom: Add APQ8084 Multimedia Clock Controller (MMCC) support")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240229-freq-table-terminator-v1-6-074334f0905c@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/mmcc-apq8084.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/qcom/mmcc-apq8084.c b/drivers/clk/qcom/mmcc-apq8084.c
index 4ce1d7c88377f..36a40b0ddfa1f 100644
--- a/drivers/clk/qcom/mmcc-apq8084.c
+++ b/drivers/clk/qcom/mmcc-apq8084.c
@@ -341,6 +341,7 @@ static struct freq_tbl ftbl_mmss_axi_clk[] = {
F(333430000, P_MMPLL1, 3.5, 0, 0),
F(400000000, P_MMPLL0, 2, 0, 0),
F(466800000, P_MMPLL1, 2.5, 0, 0),
+ { }
};
static struct clk_rcg2 mmss_axi_clk_src = {
@@ -365,6 +366,7 @@ static struct freq_tbl ftbl_ocmemnoc_clk[] = {
F(150000000, P_GPLL0, 4, 0, 0),
F(228570000, P_MMPLL0, 3.5, 0, 0),
F(320000000, P_MMPLL0, 2.5, 0, 0),
+ { }
};
static struct clk_rcg2 ocmemnoc_clk_src = {
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 033/175] clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 032/175] clk: qcom: mmcc-apq8084: " Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 034/175] powerpc/fsl: Fix mfpmr build errors with newer binutils Greg Kroah-Hartman
` (147 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Stephen Boyd,
Bjorn Andersson, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96 ]
The frequency table arrays are supposed to be terminated with an
empty element. Add such entry to the end of the arrays where it
is missing in order to avoid possible out-of-bound access when
the table is traversed by functions like qcom_find_freq() or
qcom_find_freq_floor().
Only compile tested.
Fixes: d8b212014e69 ("clk: qcom: Add support for MSM8974's multimedia clock controller (MMCC)")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240229-freq-table-terminator-v1-7-074334f0905c@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/mmcc-msm8974.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/qcom/mmcc-msm8974.c b/drivers/clk/qcom/mmcc-msm8974.c
index 91818516c3e0c..124d21f19e2c7 100644
--- a/drivers/clk/qcom/mmcc-msm8974.c
+++ b/drivers/clk/qcom/mmcc-msm8974.c
@@ -291,6 +291,7 @@ static struct freq_tbl ftbl_mmss_axi_clk[] = {
F(291750000, P_MMPLL1, 4, 0, 0),
F(400000000, P_MMPLL0, 2, 0, 0),
F(466800000, P_MMPLL1, 2.5, 0, 0),
+ { }
};
static struct clk_rcg2 mmss_axi_clk_src = {
@@ -315,6 +316,7 @@ static struct freq_tbl ftbl_ocmemnoc_clk[] = {
F(150000000, P_GPLL0, 4, 0, 0),
F(291750000, P_MMPLL1, 4, 0, 0),
F(400000000, P_MMPLL0, 2, 0, 0),
+ { }
};
static struct clk_rcg2 ocmemnoc_clk_src = {
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 034/175] powerpc/fsl: Fix mfpmr build errors with newer binutils
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 033/175] clk: qcom: mmcc-msm8974: " Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 035/175] USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB Greg Kroah-Hartman
` (146 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan-Benedict Glaw, Michael Ellerman,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
[ Upstream commit 5f491356b7149564ab22323ccce79c8d595bfd0c ]
Binutils 2.38 complains about the use of mfpmr when building
ppc6xx_defconfig:
CC arch/powerpc/kernel/pmc.o
{standard input}: Assembler messages:
{standard input}:45: Error: unrecognized opcode: `mfpmr'
{standard input}:56: Error: unrecognized opcode: `mtpmr'
This is because by default the kernel is built with -mcpu=powerpc, and
the mt/mfpmr instructions are not defined.
It can be avoided by enabling CONFIG_E300C3_CPU, but just adding that to
the defconfig will leave open the possibility of randconfig failures.
So add machine directives around the mt/mfpmr instructions to tell
binutils how to assemble them.
Cc: stable@vger.kernel.org
Reported-by: Jan-Benedict Glaw <jbglaw@lug-owl.de>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240229122521.762431-3-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/reg_fsl_emb.h | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/include/asm/reg_fsl_emb.h b/arch/powerpc/include/asm/reg_fsl_emb.h
index a21f529c43d96..8359c06d92d9f 100644
--- a/arch/powerpc/include/asm/reg_fsl_emb.h
+++ b/arch/powerpc/include/asm/reg_fsl_emb.h
@@ -12,9 +12,16 @@
#ifndef __ASSEMBLY__
/* Performance Monitor Registers */
#define mfpmr(rn) ({unsigned int rval; \
- asm volatile("mfpmr %0," __stringify(rn) \
+ asm volatile(".machine push; " \
+ ".machine e300; " \
+ "mfpmr %0," __stringify(rn) ";" \
+ ".machine pop; " \
: "=r" (rval)); rval;})
-#define mtpmr(rn, v) asm volatile("mtpmr " __stringify(rn) ",%0" : : "r" (v))
+#define mtpmr(rn, v) asm volatile(".machine push; " \
+ ".machine e300; " \
+ "mtpmr " __stringify(rn) ",%0; " \
+ ".machine pop; " \
+ : : "r" (v))
#endif /* __ASSEMBLY__ */
/* Freescale Book E Performance Monitor APU Registers */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 035/175] USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 034/175] powerpc/fsl: Fix mfpmr build errors with newer binutils Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 036/175] USB: serial: add device ID for VeriFone adapter Greg Kroah-Hartman
` (145 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Vogelbacher, Johan Hovold,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Vogelbacher <daniel@chaospixel.com>
[ Upstream commit 3fb7bc4f3a98c48981318b87cf553c5f115fd5ca ]
The GMC IR-USB adapter cable utilizes a FTDI FT232R chip.
Add VID/PID for this adapter so it can be used as serial device via
ftdi_sio.
Signed-off-by: Daniel Vogelbacher <daniel@chaospixel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 6d4c572807a41..755cbc9525a1b 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1045,6 +1045,8 @@ static const struct usb_device_id id_table_combined[] = {
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
{ USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ /* GMC devices */
+ { USB_DEVICE(GMC_VID, GMC_Z216C_PID) },
{ } /* Terminating entry */
};
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index 9a0f9fc991246..b2aec1106678a 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1599,3 +1599,9 @@
#define UBLOX_VID 0x1546
#define UBLOX_C099F9P_ZED_PID 0x0502
#define UBLOX_C099F9P_ODIN_PID 0x0503
+
+/*
+ * GMC devices
+ */
+#define GMC_VID 0x1cd7
+#define GMC_Z216C_PID 0x0217 /* GMC Z216C Adapter IR-USB */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 036/175] USB: serial: add device ID for VeriFone adapter
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 035/175] USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 037/175] USB: serial: cp210x: add ID for MGP Instruments PDS100 Greg Kroah-Hartman
` (144 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cameron Williams, Johan Hovold, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cameron Williams <cang1@live.co.uk>
[ Upstream commit cda704809797a8a86284f9df3eef5e62ec8a3175 ]
Add device ID for a (probably fake) CP2102 UART device.
lsusb -v output:
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 0 [unknown]
bDeviceSubClass 0 [unknown]
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x11ca VeriFone Inc
idProduct 0x0212 Verifone USB to Printer
bcdDevice 1.00
iManufacturer 1 Silicon Labs
iProduct 2 Verifone USB to Printer
iSerial 3 0001
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0020
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 0 [unknown]
bInterfaceProtocol 0
iInterface 2 Verifone USB to Printer
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Device Status: 0x0000
(Bus Powered)
Signed-off-by: Cameron Williams <cang1@live.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index b58ca66dc3aed..9901fd79b8a21 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -178,6 +178,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x10C4, 0xF004) }, /* Elan Digital Systems USBcount50 */
{ USB_DEVICE(0x10C5, 0xEA61) }, /* Silicon Labs MobiData GPRS USB Modem */
{ USB_DEVICE(0x10CE, 0xEA6A) }, /* Silicon Labs MobiData GPRS USB Modem 100EU */
+ { USB_DEVICE(0x11CA, 0x0212) }, /* Verifone USB to Printer (UART, CP2102) */
{ USB_DEVICE(0x12B8, 0xEC60) }, /* Link G4 ECU */
{ USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */
{ USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 037/175] USB: serial: cp210x: add ID for MGP Instruments PDS100
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 036/175] USB: serial: add device ID for VeriFone adapter Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 038/175] USB: serial: option: add MeiG Smart SLM320 product Greg Kroah-Hartman
` (143 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Häggström,
Johan Hovold, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Häggström <christian.haggstrom@orexplore.com>
[ Upstream commit a0d9d868491a362d421521499d98308c8e3a0398 ]
The radiation meter has the text MGP Instruments PDS-100G or PDS-100GN
produced by Mirion Technologies. Tested by forcing the driver
association with
echo 10c4 863c > /sys/bus/usb-serial/drivers/cp210x/new_id
and then setting the serial port in 115200 8N1 mode. The device
announces ID_USB_VENDOR_ENC=Silicon\x20Labs and ID_USB_MODEL_ENC=PDS100
Signed-off-by: Christian Häggström <christian.haggstrom@orexplore.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 9901fd79b8a21..4bebe0f3c201a 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -145,6 +145,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
{ USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
+ { USB_DEVICE(0x10C4, 0x863C) }, /* MGP Instruments PDS100 */
{ USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */
{ USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */
{ USB_DEVICE(0x10C4, 0x87ED) }, /* IMST USB-Stick for Smart Meter */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 038/175] USB: serial: option: add MeiG Smart SLM320 product
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 037/175] USB: serial: cp210x: add ID for MGP Instruments PDS100 Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 039/175] USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M Greg Kroah-Hartman
` (142 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aurélien Jacobs, Johan Hovold,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aurélien Jacobs <aurel@gnuage.org>
[ Upstream commit 46809c51565b83881aede6cdf3b0d25254966a41 ]
Update the USB serial option driver to support MeiG Smart SLM320.
ID 2dee:4d41 UNISOC UNISOC-8910
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 9 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=2dee ProdID=4d41 Rev=00.00
S: Manufacturer=UNISOC
S: Product=UNISOC-8910
C: #Ifs= 8 Cfg#= 1 Atr=e0 MxPwr=400mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Tested successfully a PPP LTE connection using If#= 0.
Not sure of the purpose of every other serial interfaces.
Signed-off-by: Aurélien Jacobs <aurel@gnuage.org>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/serial/option.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 5014f45c7c6a0..7f4baceb540cd 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -613,6 +613,11 @@ static void option_instat_callback(struct urb *urb);
/* Luat Air72*U series based on UNISOC UIS8910 uses UNISOC's vendor ID */
#define LUAT_PRODUCT_AIR720U 0x4e00
+/* MeiG Smart Technology products */
+#define MEIGSMART_VENDOR_ID 0x2dee
+/* MeiG Smart SLM320 based on UNISOC UIS8910 */
+#define MEIGSMART_PRODUCT_SLM320 0x4d41
+
/* Device flags */
/* Highest interface number which can be used with NCTRL() and RSVD() */
@@ -2282,6 +2287,7 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM320, 0xff, 0, 0) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 039/175] USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 038/175] USB: serial: option: add MeiG Smart SLM320 product Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 040/175] PM: sleep: wakeirq: fix wake irq warning in system suspend Greg Kroah-Hartman
` (141 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Toru Katagiri, Johan Hovold, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toru Katagiri <Toru.Katagiri@tdk.com>
[ Upstream commit b1a8da9ff1395c4879b4bd41e55733d944f3d613 ]
TDK NC0110013M and MM0110113M have custom USB IDs for CP210x,
so we need to add them to the driver.
Signed-off-by: Toru Katagiri <Toru.Katagiri@tdk.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/serial/cp210x.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 4bebe0f3c201a..4686cf7c6b0a6 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -57,6 +57,8 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x0471, 0x066A) }, /* AKTAKOM ACE-1001 cable */
{ USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
{ USB_DEVICE(0x0489, 0xE003) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
+ { USB_DEVICE(0x04BF, 0x1301) }, /* TDK Corporation NC0110013M - Network Controller */
+ { USB_DEVICE(0x04BF, 0x1303) }, /* TDK Corporation MM0110113M - i3 Micro Module */
{ USB_DEVICE(0x0745, 0x1000) }, /* CipherLab USB CCD Barcode Scanner 1000 */
{ USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */
{ USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 040/175] PM: sleep: wakeirq: fix wake irq warning in system suspend
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 039/175] USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 041/175] mmc: tmio: avoid concurrent runs of mmc_request_done() Greg Kroah-Hartman
` (140 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dhruva Gole, Qingliang Li,
Johan Hovold, Rafael J. Wysocki, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingliang Li <qingliang.li@mediatek.com>
[ Upstream commit e7a7681c859643f3f2476b2a28a494877fd89442 ]
When driver uses pm_runtime_force_suspend() as the system suspend callback
function and registers the wake irq with reverse enable ordering, the wake
irq will be re-enabled when entering system suspend, triggering an
'Unbalanced enable for IRQ xxx' warning. In this scenario, the call
sequence during system suspend is as follows:
suspend_devices_and_enter()
-> dpm_suspend_start()
-> dpm_run_callback()
-> pm_runtime_force_suspend()
-> dev_pm_enable_wake_irq_check()
-> dev_pm_enable_wake_irq_complete()
-> suspend_enter()
-> dpm_suspend_noirq()
-> device_wakeup_arm_wake_irqs()
-> dev_pm_arm_wake_irq()
To fix this issue, complete the setting of WAKE_IRQ_DEDICATED_ENABLED flag
in dev_pm_enable_wake_irq_complete() to avoid redundant irq enablement.
Fixes: 8527beb12087 ("PM: sleep: wakeirq: fix wake irq arming")
Reviewed-by: Dhruva Gole <d-gole@ti.com>
Signed-off-by: Qingliang Li <qingliang.li@mediatek.com>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Cc: 5.16+ <stable@vger.kernel.org> # 5.16+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/wakeirq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/base/power/wakeirq.c b/drivers/base/power/wakeirq.c
index e7ba514999163..bc3637b45cbf7 100644
--- a/drivers/base/power/wakeirq.c
+++ b/drivers/base/power/wakeirq.c
@@ -376,8 +376,10 @@ void dev_pm_enable_wake_irq_complete(struct device *dev)
return;
if (wirq->status & WAKE_IRQ_DEDICATED_MANAGED &&
- wirq->status & WAKE_IRQ_DEDICATED_REVERSE)
+ wirq->status & WAKE_IRQ_DEDICATED_REVERSE) {
enable_irq(wirq->irq);
+ wirq->status |= WAKE_IRQ_DEDICATED_ENABLED;
+ }
}
/**
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 041/175] mmc: tmio: avoid concurrent runs of mmc_request_done()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 040/175] PM: sleep: wakeirq: fix wake irq warning in system suspend Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 042/175] fuse: dont unhash root Greg Kroah-Hartman
` (139 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dirk Behme, Wolfram Sang,
Ulf Hansson, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit e8d1b41e69d72c62865bebe8f441163ec00b3d44 ]
With the to-be-fixed commit, the reset_work handler cleared 'host->mrq'
outside of the spinlock protected critical section. That leaves a small
race window during execution of 'tmio_mmc_reset()' where the done_work
handler could grab a pointer to the now invalid 'host->mrq'. Both would
use it to call mmc_request_done() causing problems (see link below).
However, 'host->mrq' cannot simply be cleared earlier inside the
critical section. That would allow new mrqs to come in asynchronously
while the actual reset of the controller still needs to be done. So,
like 'tmio_mmc_set_ios()', an ERR_PTR is used to prevent new mrqs from
coming in but still avoiding concurrency between work handlers.
Reported-by: Dirk Behme <dirk.behme@de.bosch.com>
Closes: https://lore.kernel.org/all/20240220061356.3001761-1-dirk.behme@de.bosch.com/
Fixes: df3ef2d3c92c ("mmc: protect the tmio_mmc driver against a theoretical race")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Dirk Behme <dirk.behme@de.bosch.com>
Reviewed-by: Dirk Behme <dirk.behme@de.bosch.com>
Cc: stable@vger.kernel.org # 3.0+
Link: https://lore.kernel.org/r/20240305104423.3177-2-wsa+renesas@sang-engineering.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/tmio_mmc_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/mmc/host/tmio_mmc_core.c b/drivers/mmc/host/tmio_mmc_core.c
index f819757e125e0..ae8913e5adc70 100644
--- a/drivers/mmc/host/tmio_mmc_core.c
+++ b/drivers/mmc/host/tmio_mmc_core.c
@@ -213,6 +213,8 @@ static void tmio_mmc_reset_work(struct work_struct *work)
else
mrq->cmd->error = -ETIMEDOUT;
+ /* No new calls yet, but disallow concurrent tmio_mmc_done_work() */
+ host->mrq = ERR_PTR(-EBUSY);
host->cmd = NULL;
host->data = NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 042/175] fuse: dont unhash root
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 041/175] mmc: tmio: avoid concurrent runs of mmc_request_done() Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 043/175] PCI: Drop pci_device_remove() test of pci_dev->driver Greg Kroah-Hartman
` (138 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miklos Szeredi, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
[ Upstream commit b1fe686a765e6c0d71811d825b5a1585a202b777 ]
The root inode is assumed to be always hashed. Do not unhash the root
inode even if it is marked BAD.
Fixes: 5d069dbe8aaf ("fuse: fix bad inode")
Cc: <stable@vger.kernel.org> # v5.11
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/fuse_i.h | 1 -
fs/fuse/inode.c | 7 +++++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 1c754a02fb06b..aa0a5e3960909 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -706,7 +706,6 @@ static inline u64 get_node_id(struct inode *inode)
static inline void fuse_make_bad(struct inode *inode)
{
- remove_inode_hash(inode);
set_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state);
}
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 3b51c881baf8c..a67769c357b2d 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -324,8 +324,11 @@ struct inode *fuse_iget(struct super_block *sb, u64 nodeid,
} else if ((inode->i_mode ^ attr->mode) & S_IFMT) {
/* Inode has changed type, any I/O on the old should fail */
fuse_make_bad(inode);
- iput(inode);
- goto retry;
+ if (inode != d_inode(sb->s_root)) {
+ remove_inode_hash(inode);
+ iput(inode);
+ goto retry;
+ }
}
fi = get_fuse_inode(inode);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 043/175] PCI: Drop pci_device_remove() test of pci_dev->driver
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 042/175] fuse: dont unhash root Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 044/175] PCI/PM: Drain runtime-idle callbacks before driver removal Greg Kroah-Hartman
` (137 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Bjorn Helgaas, Christoph Hellwig, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 097d9d414433315122f759ee6c2d8a7417a8ff0f ]
When the driver core calls pci_device_remove(), there is a driver bound
to the device, so pci_dev->driver is never NULL.
Remove the unnecessary test of pci_dev->driver.
Link: https://lore.kernel.org/r/20211004125935.2300113-2-u.kleine-koenig@pengutronix.de
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Stable-dep-of: 9d5286d4e7f6 ("PCI/PM: Drain runtime-idle callbacks before driver removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci-driver.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index 78ae1cab9af70..2e5402b09c1ad 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -439,16 +439,14 @@ static int pci_device_remove(struct device *dev)
struct pci_dev *pci_dev = to_pci_dev(dev);
struct pci_driver *drv = pci_dev->driver;
- if (drv) {
- if (drv->remove) {
- pm_runtime_get_sync(dev);
- drv->remove(pci_dev);
- pm_runtime_put_noidle(dev);
- }
- pcibios_free_irq(pci_dev);
- pci_dev->driver = NULL;
- pci_iov_remove(pci_dev);
+ if (drv->remove) {
+ pm_runtime_get_sync(dev);
+ drv->remove(pci_dev);
+ pm_runtime_put_noidle(dev);
}
+ pcibios_free_irq(pci_dev);
+ pci_dev->driver = NULL;
+ pci_iov_remove(pci_dev);
/* Undo the runtime PM settings in local_pci_probe() */
pm_runtime_put_sync(dev);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 044/175] PCI/PM: Drain runtime-idle callbacks before driver removal
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 043/175] PCI: Drop pci_device_remove() test of pci_dev->driver Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 045/175] Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" Greg Kroah-Hartman
` (136 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kai-Heng Feng, Rafael J. Wysocki,
Bjorn Helgaas, Ricky Wu, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 9d5286d4e7f68beab450deddbb6a32edd5ecf4bf ]
A race condition between the .runtime_idle() callback and the .remove()
callback in the rtsx_pcr PCI driver leads to a kernel crash due to an
unhandled page fault [1].
The problem is that rtsx_pci_runtime_idle() is not expected to be running
after pm_runtime_get_sync() has been called, but the latter doesn't really
guarantee that. It only guarantees that the suspend and resume callbacks
will not be running when it returns.
However, if a .runtime_idle() callback is already running when
pm_runtime_get_sync() is called, the latter will notice that the runtime PM
status of the device is RPM_ACTIVE and it will return right away without
waiting for the former to complete. In fact, it cannot wait for
.runtime_idle() to complete because it may be called from that callback (it
arguably does not make much sense to do that, but it is not strictly
prohibited).
Thus in general, whoever is providing a .runtime_idle() callback needs
to protect it from running in parallel with whatever code runs after
pm_runtime_get_sync(). [Note that .runtime_idle() will not start after
pm_runtime_get_sync() has returned, but it may continue running then if it
has started earlier.]
One way to address that race condition is to call pm_runtime_barrier()
after pm_runtime_get_sync() (not before it, because a nonzero value of the
runtime PM usage counter is necessary to prevent runtime PM callbacks from
being invoked) to wait for the .runtime_idle() callback to complete should
it be running at that point. A suitable place for doing that is in
pci_device_remove() which calls pm_runtime_get_sync() before removing the
driver, so it may as well call pm_runtime_barrier() subsequently, which
will prevent the race in question from occurring, not just in the rtsx_pcr
driver, but in any PCI drivers providing .runtime_idle() callbacks.
Link: https://lore.kernel.org/lkml/20240229062201.49500-1-kai.heng.feng@canonical.com/ # [1]
Link: https://lore.kernel.org/r/5761426.DvuYhMxLoT@kreacher
Reported-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Ricky Wu <ricky_wu@realtek.com>
Acked-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci-driver.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index 2e5402b09c1ad..031908e42fb54 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -441,6 +441,13 @@ static int pci_device_remove(struct device *dev)
if (drv->remove) {
pm_runtime_get_sync(dev);
+ /*
+ * If the driver provides a .runtime_idle() callback and it has
+ * started to run already, it may continue to run in parallel
+ * with the code below, so wait until all of the runtime PM
+ * activity has completed.
+ */
+ pm_runtime_barrier(dev);
drv->remove(pci_dev);
pm_runtime_put_noidle(dev);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 045/175] Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d""
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 044/175] PCI/PM: Drain runtime-idle callbacks before driver removal Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 046/175] dm-raid: fix lockdep waring in "pers->hot_add_disk" Greg Kroah-Hartman
` (135 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Moulding, Junxiao Bi, Yu Kuai,
Song Liu, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Song Liu <song@kernel.org>
[ Upstream commit 3445139e3a594be77eff48bc17eff67cf983daed ]
This reverts commit bed9e27baf52a09b7ba2a3714f1e24e17ced386d.
The original set [1][2] was expected to undo a suboptimal fix in [2], and
replace it with a better fix [1]. However, as reported by Dan Moulding [2]
causes an issue with raid5 with journal device.
Revert [2] for now to close the issue. We will follow up on another issue
reported by Juxiao Bi, as [2] is expected to fix it. We believe this is a
good trade-off, because the latter issue happens less freqently.
In the meanwhile, we will NOT revert [1], as it contains the right logic.
[1] commit d6e035aad6c0 ("md: bypass block throttle for superblock update")
[2] commit bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"")
Reported-by: Dan Moulding <dan@danm.net>
Closes: https://lore.kernel.org/linux-raid/20240123005700.9302-1-dan@danm.net/
Fixes: bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"")
Cc: stable@vger.kernel.org # v5.19+
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Link: https://lore.kernel.org/r/20240125082131.788600-1-song@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid5.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index e2fcc09a18cdb..b98abe927d06b 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -44,6 +44,7 @@
*/
#include <linux/blkdev.h>
+#include <linux/delay.h>
#include <linux/kthread.h>
#include <linux/raid/pq.h>
#include <linux/async_tx.h>
@@ -6329,7 +6330,18 @@ static void raid5d(struct md_thread *thread)
spin_unlock_irq(&conf->device_lock);
md_check_recovery(mddev);
spin_lock_irq(&conf->device_lock);
+
+ /*
+ * Waiting on MD_SB_CHANGE_PENDING below may deadlock
+ * seeing md_check_recovery() is needed to clear
+ * the flag when using mdmon.
+ */
+ continue;
}
+
+ wait_event_lock_irq(mddev->sb_wait,
+ !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags),
+ conf->device_lock);
}
pr_debug("%d stripes handled\n", handled);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 046/175] dm-raid: fix lockdep waring in "pers->hot_add_disk"
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 045/175] Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 047/175] mmc: core: Fix switch on gp3 partition Greg Kroah-Hartman
` (134 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Xiao Ni, Mike Snitzer,
Song Liu, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit 95009ae904b1e9dca8db6f649f2d7c18a6e42c75 ]
The lockdep assert is added by commit a448af25becf ("md/raid10: remove
rcu protection to access rdev from conf") in print_conf(). And I didn't
notice that dm-raid is calling "pers->hot_add_disk" without holding
'reconfig_mutex'.
"pers->hot_add_disk" read and write many fields that is protected by
'reconfig_mutex', and raid_resume() already grab the lock in other
contex. Hence fix this problem by protecting "pers->host_add_disk"
with the lock.
Fixes: 9092c02d9435 ("DM RAID: Add ability to restore transiently failed devices on resume")
Fixes: a448af25becf ("md/raid10: remove rcu protection to access rdev from conf")
Cc: stable@vger.kernel.org # v6.7+
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Xiao Ni <xni@redhat.com>
Acked-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20240305072306.2562024-10-yukuai1@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-raid.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
index 1759134fce824..2a8746f9c6d87 100644
--- a/drivers/md/dm-raid.c
+++ b/drivers/md/dm-raid.c
@@ -4023,7 +4023,9 @@ static void raid_resume(struct dm_target *ti)
* Take this opportunity to check whether any failed
* devices are reachable again.
*/
+ mddev_lock_nointr(mddev);
attempt_restore_of_faulty_devices(rs);
+ mddev_unlock(mddev);
}
if (test_and_clear_bit(RT_FLAG_RS_SUSPENDED, &rs->runtime_flags)) {
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 047/175] mmc: core: Fix switch on gp3 partition
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 046/175] dm-raid: fix lockdep waring in "pers->hot_add_disk" Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 048/175] hwmon: (amc6821) add of_match table Greg Kroah-Hartman
` (133 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jorge Ramirez-Ortiz,
Dominique Martinet, Linus Walleij, Ulf Hansson, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dominique Martinet <dominique.martinet@atmark-techno.com>
[ Upstream commit 4af59a8df5ea930038cd3355e822f5eedf4accc1 ]
Commit e7794c14fd73 ("mmc: rpmb: fixes pause retune on all RPMB
partitions.") added a mask check for 'part_type', but the mask used was
wrong leading to the code intended for rpmb also being executed for GP3.
On some MMCs (but not all) this would make gp3 partition inaccessible:
armadillo:~# head -c 1 < /dev/mmcblk2gp3
head: standard input: I/O error
armadillo:~# dmesg -c
[ 422.976583] mmc2: running CQE recovery
[ 423.058182] mmc2: running CQE recovery
[ 423.137607] mmc2: running CQE recovery
[ 423.137802] blk_update_request: I/O error, dev mmcblk2gp3, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 4 prio class 0
[ 423.237125] mmc2: running CQE recovery
[ 423.318206] mmc2: running CQE recovery
[ 423.397680] mmc2: running CQE recovery
[ 423.397837] blk_update_request: I/O error, dev mmcblk2gp3, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
[ 423.408287] Buffer I/O error on dev mmcblk2gp3, logical block 0, async page read
the part_type values of interest here are defined as follow:
main 0
boot0 1
boot1 2
rpmb 3
gp0 4
gp1 5
gp2 6
gp3 7
so mask with EXT_CSD_PART_CONFIG_ACC_MASK (7) to correctly identify rpmb
Fixes: e7794c14fd73 ("mmc: rpmb: fixes pause retune on all RPMB partitions.")
Cc: stable@vger.kernel.org
Cc: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20240306-mmc-partswitch-v1-1-bf116985d950@codewreck.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/core/block.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
index ef9422917e1ca..c3b329946429c 100644
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -851,10 +851,11 @@ static const struct block_device_operations mmc_bdops = {
static int mmc_blk_part_switch_pre(struct mmc_card *card,
unsigned int part_type)
{
- const unsigned int mask = EXT_CSD_PART_CONFIG_ACC_RPMB;
+ const unsigned int mask = EXT_CSD_PART_CONFIG_ACC_MASK;
+ const unsigned int rpmb = EXT_CSD_PART_CONFIG_ACC_RPMB;
int ret = 0;
- if ((part_type & mask) == mask) {
+ if ((part_type & mask) == rpmb) {
if (card->ext_csd.cmdq_en) {
ret = mmc_cmdq_disable(card);
if (ret)
@@ -869,10 +870,11 @@ static int mmc_blk_part_switch_pre(struct mmc_card *card,
static int mmc_blk_part_switch_post(struct mmc_card *card,
unsigned int part_type)
{
- const unsigned int mask = EXT_CSD_PART_CONFIG_ACC_RPMB;
+ const unsigned int mask = EXT_CSD_PART_CONFIG_ACC_MASK;
+ const unsigned int rpmb = EXT_CSD_PART_CONFIG_ACC_RPMB;
int ret = 0;
- if ((part_type & mask) == mask) {
+ if ((part_type & mask) == rpmb) {
mmc_retune_unpause(card->host);
if (card->reenable_cmdq && !card->ext_csd.cmdq_en)
ret = mmc_cmdq_enable(card);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 048/175] hwmon: (amc6821) add of_match table
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 047/175] mmc: core: Fix switch on gp3 partition Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 049/175] ext4: fix corruption during on-line resize Greg Kroah-Hartman
` (132 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josua Mayer, Guenter Roeck, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 3f003fda98a7a8d5f399057d92e6ed56b468657c ]
Add of_match table for "ti,amc6821" compatible string.
This fixes automatic driver loading by userspace when using device-tree,
and if built as a module like major linux distributions do.
While devices probe just fine with i2c_device_id table, userspace can't
match the "ti,amc6821" compatible string from dt with the plain
"amc6821" device id. As a result, the kernel module can not be loaded.
Cc: stable@vger.kernel.org
Signed-off-by: Josua Mayer <josua@solid-run.com>
Link: https://lore.kernel.org/r/20240307-amc6821-of-match-v1-1-5f40464a3110@solid-run.com
[groeck: Cleaned up patch description]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/amc6821.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/hwmon/amc6821.c b/drivers/hwmon/amc6821.c
index 46b4e35fd5555..b562337df7b3c 100644
--- a/drivers/hwmon/amc6821.c
+++ b/drivers/hwmon/amc6821.c
@@ -1003,10 +1003,21 @@ static const struct i2c_device_id amc6821_id[] = {
MODULE_DEVICE_TABLE(i2c, amc6821_id);
+static const struct of_device_id __maybe_unused amc6821_of_match[] = {
+ {
+ .compatible = "ti,amc6821",
+ .data = (void *)amc6821,
+ },
+ { }
+};
+
+MODULE_DEVICE_TABLE(of, amc6821_of_match);
+
static struct i2c_driver amc6821_driver = {
.class = I2C_CLASS_HWMON,
.driver = {
.name = "amc6821",
+ .of_match_table = of_match_ptr(amc6821_of_match),
},
.probe = amc6821_probe,
.id_table = amc6821_id,
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 049/175] ext4: fix corruption during on-line resize
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 048/175] hwmon: (amc6821) add of_match table Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 050/175] slimbus: core: Remove usage of the deprecated ida_simple_xx() API Greg Kroah-Hartman
` (131 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maximilian Heyne, Srivathsa Dara,
Theodore Tso, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maximilian Heyne <mheyne@amazon.de>
[ Upstream commit a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc ]
We observed a corruption during on-line resize of a file system that is
larger than 16 TiB with 4k block size. With having more then 2^32 blocks
resize_inode is turned off by default by mke2fs. The issue can be
reproduced on a smaller file system for convenience by explicitly
turning off resize_inode. An on-line resize across an 8 GiB boundary (the
size of a meta block group in this setup) then leads to a corruption:
dev=/dev/<some_dev> # should be >= 16 GiB
mkdir -p /corruption
/sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))
mount -t ext4 $dev /corruption
dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))
sha1sum /corruption/test
# 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test
/sbin/resize2fs $dev $((2*2**21))
# drop page cache to force reload the block from disk
echo 1 > /proc/sys/vm/drop_caches
sha1sum /corruption/test
# 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test
2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per
block group and 2^6 are the number of block groups that make a meta
block group.
The last checksum might be different depending on how the file is laid
out across the physical blocks. The actual corruption occurs at physical
block 63*2^15 = 2064384 which would be the location of the backup of the
meta block group's block descriptor. During the on-line resize the file
system will be converted to meta_bg starting at s_first_meta_bg which is
2 in the example - meaning all block groups after 16 GiB. However, in
ext4_flex_group_add we might add block groups that are not part of the
first meta block group yet. In the reproducer we achieved this by
substracting the size of a whole block group from the point where the
meta block group would start. This must be considered when updating the
backup block group descriptors to follow the non-meta_bg layout. The fix
is to add a test whether the group to add is already part of the meta
block group or not.
Fixes: 01f795f9e0d67 ("ext4: add online resizing support for meta_bg and 64-bit file systems")
Cc: <stable@vger.kernel.org>
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
Tested-by: Srivathsa Dara <srivathsa.d.dara@oracle.com>
Reviewed-by: Srivathsa Dara <srivathsa.d.dara@oracle.com>
Link: https://lore.kernel.org/r/20240215155009.94493-1-mheyne@amazon.de
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/resize.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index 97af09d6e7e6c..7d615c00b632b 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1567,7 +1567,8 @@ static int ext4_flex_group_add(struct super_block *sb,
int gdb_num = group / EXT4_DESC_PER_BLOCK(sb);
int gdb_num_end = ((group + flex_gd->count - 1) /
EXT4_DESC_PER_BLOCK(sb));
- int meta_bg = ext4_has_feature_meta_bg(sb);
+ int meta_bg = ext4_has_feature_meta_bg(sb) &&
+ gdb_num >= le32_to_cpu(es->s_first_meta_bg);
sector_t padding_blocks = meta_bg ? 0 : sbi->s_sbh->b_blocknr -
ext4_group_first_block_no(sb, 0);
sector_t old_gdb = 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 050/175] slimbus: core: Remove usage of the deprecated ida_simple_xx() API
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 049/175] ext4: fix corruption during on-line resize Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 051/175] speakup: Fix 8bit characters from direct synth Greg Kroah-Hartman
` (130 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Christophe JAILLET,
Srinivas Kandagatla, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 89ffa4cccec54467446f141a79b9e36893079fb8 ]
ida_alloc() and ida_free() should be preferred to the deprecated
ida_simple_get() and ida_simple_remove().
Note that the upper limit of ida_simple_get() is exclusive, but the one of
ida_alloc_range() is inclusive. So change this change allows one more
device. Previously address 0xFE was never used.
Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support")
Cc: Stable@vger.kernel.org
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20240224114137.85781-2-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/slimbus/core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c
index 3e63e4ce45b04..6270b4165644b 100644
--- a/drivers/slimbus/core.c
+++ b/drivers/slimbus/core.c
@@ -409,8 +409,8 @@ static int slim_device_alloc_laddr(struct slim_device *sbdev,
if (ret < 0)
goto err;
} else if (report_present) {
- ret = ida_simple_get(&ctrl->laddr_ida,
- 0, SLIM_LA_MANAGER - 1, GFP_KERNEL);
+ ret = ida_alloc_max(&ctrl->laddr_ida,
+ SLIM_LA_MANAGER - 1, GFP_KERNEL);
if (ret < 0)
goto err;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 051/175] speakup: Fix 8bit characters from direct synth
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 050/175] slimbus: core: Remove usage of the deprecated ida_simple_xx() API Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 052/175] kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1 Greg Kroah-Hartman
` (129 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Samuel Thibault, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
[ Upstream commit b6c8dafc9d86eb77e502bb018ec4105e8d2fbf78 ]
When userland echoes 8bit characters to /dev/synth with e.g.
echo -e '\xe9' > /dev/synth
synth_write would get characters beyond 0x7f, and thus negative when
char is signed. When given to synth_buffer_add which takes a u16, this
would sign-extend and produce a U+ffxy character rather than U+xy.
Users thus get garbled text instead of accents in their output.
Let's fix this by making sure that we read unsigned characters.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Fixes: 89fc2ae80bb1 ("speakup: extend synth buffer to 16bit unicode characters")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240204155736.2oh4ot7tiaa2wpbh@begin
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/speakup/synth.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/speakup/synth.c b/drivers/staging/speakup/synth.c
index 3568bfb89912c..b5944e7bdbf67 100644
--- a/drivers/staging/speakup/synth.c
+++ b/drivers/staging/speakup/synth.c
@@ -208,8 +208,10 @@ void spk_do_flush(void)
wake_up_process(speakup_task);
}
-void synth_write(const char *buf, size_t count)
+void synth_write(const char *_buf, size_t count)
{
+ const unsigned char *buf = (const unsigned char *) _buf;
+
while (count--)
synth_buffer_add(*buf++);
synth_start();
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 052/175] kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 051/175] speakup: Fix 8bit characters from direct synth Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 053/175] vfio/platform: Disable virqfds on cleanup Greg Kroah-Hartman
` (128 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonghong Song, Nathan Chancellor,
Arnd Bergmann, Masahiro Yamada, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 75b5ab134bb5f657ef7979a59106dce0657e8d87 ]
Clang enables -Wenum-enum-conversion and -Wenum-compare-conditional
under -Wenum-conversion. A recent change in Clang strengthened these
warnings and they appear frequently in common builds, primarily due to
several instances in common headers but there are quite a few drivers
that have individual instances as well.
include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~ ^
509 | item];
| ~~~~
drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:955:24: warning: conditional expression between different enumeration types ('enum iwl_mac_beacon_flags' and 'enum iwl_mac_beacon_flags_v1') [-Wenum-compare-conditional]
955 | flags |= is_new_rate ? IWL_MAC_BEACON_CCK
| ^ ~~~~~~~~~~~~~~~~~~
956 | : IWL_MAC_BEACON_CCK_V1;
| ~~~~~~~~~~~~~~~~~~~~~
drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:1120:21: warning: conditional expression between different enumeration types ('enum iwl_mac_beacon_flags' and 'enum iwl_mac_beacon_flags_v1') [-Wenum-compare-conditional]
1120 | 0) > 10 ?
| ^
1121 | IWL_MAC_BEACON_FILS :
| ~~~~~~~~~~~~~~~~~~~
1122 | IWL_MAC_BEACON_FILS_V1;
| ~~~~~~~~~~~~~~~~~~~~~~
Doing arithmetic between or returning two different types of enums could
be a bug, so each of the instance of the warning needs to be evaluated.
Unfortunately, as mentioned above, there are many instances of this
warning in many different configurations, which can break the build when
CONFIG_WERROR is enabled.
To avoid introducing new instances of the warnings while cleaning up the
disruption for the majority of users, disable these warnings for the
default build while leaving them on for W=1 builds.
Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/2002
Link: https://github.com/llvm/llvm-project/commit/8c2ae42b3e1c6aa7c18f873edcebff7c0b45a37e
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 2 ++
1 file changed, 2 insertions(+)
--git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn
index e15cd63428ba7..c2e41daf373f8 100644
--- a/scripts/Makefile.extrawarn
+++ b/scripts/Makefile.extrawarn
@@ -75,5 +75,7 @@ KBUILD_CFLAGS += $(call cc-disable-warning, uninitialized)
KBUILD_CFLAGS += $(call cc-disable-warning, pointer-to-enum-cast)
KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access)
KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict)
+KBUILD_CFLAGS += -Wno-enum-compare-conditional
+KBUILD_CFLAGS += -Wno-enum-enum-conversion
endif
endif
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 053/175] vfio/platform: Disable virqfds on cleanup
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 052/175] kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1 Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 054/175] soc: fsl: qbman: Always disable interrupts when taking cgr_lock Greg Kroah-Hartman
` (127 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Auger, Kevin Tian,
Alex Williamson, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
[ Upstream commit fcdc0d3d40bc26c105acf8467f7d9018970944ae ]
irqfds for mask and unmask that are not specifically disabled by the
user are leaked. Remove any irqfds during cleanup
Cc: Eric Auger <eric.auger@redhat.com>
Cc: <stable@vger.kernel.org>
Fixes: a7fa7c77cf15 ("vfio/platform: implement IRQ masking/unmasking via an eventfd")
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Link: https://lore.kernel.org/r/20240308230557.805580-6-alex.williamson@redhat.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/platform/vfio_platform_irq.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/vfio/platform/vfio_platform_irq.c b/drivers/vfio/platform/vfio_platform_irq.c
index 46d4750f43a8d..c53a9b4438733 100644
--- a/drivers/vfio/platform/vfio_platform_irq.c
+++ b/drivers/vfio/platform/vfio_platform_irq.c
@@ -329,8 +329,11 @@ void vfio_platform_irq_cleanup(struct vfio_platform_device *vdev)
{
int i;
- for (i = 0; i < vdev->num_irqs; i++)
+ for (i = 0; i < vdev->num_irqs; i++) {
+ vfio_virqfd_disable(&vdev->irqs[i].mask);
+ vfio_virqfd_disable(&vdev->irqs[i].unmask);
vfio_set_trigger(vdev, i, -1, NULL);
+ }
vdev->num_irqs = 0;
kfree(vdev->irqs);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 054/175] soc: fsl: qbman: Always disable interrupts when taking cgr_lock
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 053/175] vfio/platform: Disable virqfds on cleanup Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 055/175] soc: fsl: qbman: Add helper for sanity checking cgr ops Greg Kroah-Hartman
` (126 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, Camelia Groza,
Vladimir Oltean, David S. Miller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Anderson <sean.anderson@linux.dev>
[ Upstream commit 584c2a9184a33a40fceee838f856de3cffa19be3 ]
smp_call_function_single disables IRQs when executing the callback. To
prevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.
This is already done by qman_update_cgr and qman_delete_cgr; fix the
other lockers.
Fixes: 96f413f47677 ("soc/fsl/qbman: fix issue in qman_delete_cgr_safe()")
CC: stable@vger.kernel.org
Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
Reviewed-by: Camelia Groza <camelia.groza@nxp.com>
Tested-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/fsl/qbman/qman.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
index d7bf456fd10e4..17f72d7ed3103 100644
--- a/drivers/soc/fsl/qbman/qman.c
+++ b/drivers/soc/fsl/qbman/qman.c
@@ -1369,11 +1369,11 @@ static void qm_congestion_task(struct work_struct *work)
union qm_mc_result *mcr;
struct qman_cgr *cgr;
- spin_lock(&p->cgr_lock);
+ spin_lock_irq(&p->cgr_lock);
qm_mc_start(&p->p);
qm_mc_commit(&p->p, QM_MCC_VERB_QUERYCONGESTION);
if (!qm_mc_result_timeout(&p->p, &mcr)) {
- spin_unlock(&p->cgr_lock);
+ spin_unlock_irq(&p->cgr_lock);
dev_crit(p->config->dev, "QUERYCONGESTION timeout\n");
qman_p_irqsource_add(p, QM_PIRQ_CSCI);
return;
@@ -1389,7 +1389,7 @@ static void qm_congestion_task(struct work_struct *work)
list_for_each_entry(cgr, &p->cgr_cbs, node)
if (cgr->cb && qman_cgrs_get(&c, cgr->cgrid))
cgr->cb(p, cgr, qman_cgrs_get(&rr, cgr->cgrid));
- spin_unlock(&p->cgr_lock);
+ spin_unlock_irq(&p->cgr_lock);
qman_p_irqsource_add(p, QM_PIRQ_CSCI);
}
@@ -2346,7 +2346,7 @@ int qman_create_cgr(struct qman_cgr *cgr, u32 flags,
preempt_enable();
cgr->chan = p->config->channel;
- spin_lock(&p->cgr_lock);
+ spin_lock_irq(&p->cgr_lock);
if (opts) {
struct qm_mcc_initcgr local_opts = *opts;
@@ -2383,7 +2383,7 @@ int qman_create_cgr(struct qman_cgr *cgr, u32 flags,
qman_cgrs_get(&p->cgrs[1], cgr->cgrid))
cgr->cb(p, cgr, 1);
out:
- spin_unlock(&p->cgr_lock);
+ spin_unlock_irq(&p->cgr_lock);
put_affine_portal();
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 055/175] soc: fsl: qbman: Add helper for sanity checking cgr ops
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 054/175] soc: fsl: qbman: Always disable interrupts when taking cgr_lock Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 056/175] soc: fsl: qbman: Add CGR update function Greg Kroah-Hartman
` (125 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, Camelia Groza,
David S. Miller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Anderson <sean.anderson@seco.com>
[ Upstream commit d0e17a4653cebc2c8a20251c837dd1fcec5014d9 ]
This breaks out/combines get_affine_portal and the cgr sanity check in
preparation for the next commit. No functional change intended.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Acked-by: Camelia Groza <camelia.groza@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: fbec4e7fed89 ("soc: fsl: qbman: Use raw spinlock for cgr_lock")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/fsl/qbman/qman.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
index 17f72d7ed3103..24ca4bedcaa6e 100644
--- a/drivers/soc/fsl/qbman/qman.c
+++ b/drivers/soc/fsl/qbman/qman.c
@@ -2389,13 +2389,8 @@ int qman_create_cgr(struct qman_cgr *cgr, u32 flags,
}
EXPORT_SYMBOL(qman_create_cgr);
-int qman_delete_cgr(struct qman_cgr *cgr)
+static struct qman_portal *qman_cgr_get_affine_portal(struct qman_cgr *cgr)
{
- unsigned long irqflags;
- struct qm_mcr_querycgr cgr_state;
- struct qm_mcc_initcgr local_opts;
- int ret = 0;
- struct qman_cgr *i;
struct qman_portal *p = get_affine_portal();
if (cgr->chan != p->config->channel) {
@@ -2403,10 +2398,25 @@ int qman_delete_cgr(struct qman_cgr *cgr)
dev_err(p->config->dev, "CGR not owned by current portal");
dev_dbg(p->config->dev, " create 0x%x, delete 0x%x\n",
cgr->chan, p->config->channel);
-
- ret = -EINVAL;
- goto put_portal;
+ put_affine_portal();
+ return NULL;
}
+
+ return p;
+}
+
+int qman_delete_cgr(struct qman_cgr *cgr)
+{
+ unsigned long irqflags;
+ struct qm_mcr_querycgr cgr_state;
+ struct qm_mcc_initcgr local_opts;
+ int ret = 0;
+ struct qman_cgr *i;
+ struct qman_portal *p = qman_cgr_get_affine_portal(cgr);
+
+ if (!p)
+ return -EINVAL;
+
memset(&local_opts, 0, sizeof(struct qm_mcc_initcgr));
spin_lock_irqsave(&p->cgr_lock, irqflags);
list_del(&cgr->node);
@@ -2434,7 +2444,6 @@ int qman_delete_cgr(struct qman_cgr *cgr)
list_add(&cgr->node, &p->cgr_cbs);
release_lock:
spin_unlock_irqrestore(&p->cgr_lock, irqflags);
-put_portal:
put_affine_portal();
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 056/175] soc: fsl: qbman: Add CGR update function
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 055/175] soc: fsl: qbman: Add helper for sanity checking cgr ops Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 057/175] soc: fsl: qbman: Use raw spinlock for cgr_lock Greg Kroah-Hartman
` (124 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, Camelia Groza,
David S. Miller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Anderson <sean.anderson@seco.com>
[ Upstream commit 914f8b228ede709274b8c80514b352248ec9da00 ]
This adds a function to update a CGR with new parameters. qman_create_cgr
can almost be used for this (with flags=0), but it's not suitable because
it also registers the callback function. The _safe variant was modeled off
of qman_cgr_delete_safe. However, we handle multiple arguments and a return
value.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Acked-by: Camelia Groza <camelia.groza@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: fbec4e7fed89 ("soc: fsl: qbman: Use raw spinlock for cgr_lock")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/fsl/qbman/qman.c | 48 ++++++++++++++++++++++++++++++++++++
include/soc/fsl/qman.h | 9 +++++++
2 files changed, 57 insertions(+)
diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
index 24ca4bedcaa6e..4d0853ead7ddf 100644
--- a/drivers/soc/fsl/qbman/qman.c
+++ b/drivers/soc/fsl/qbman/qman.c
@@ -2474,6 +2474,54 @@ void qman_delete_cgr_safe(struct qman_cgr *cgr)
}
EXPORT_SYMBOL(qman_delete_cgr_safe);
+static int qman_update_cgr(struct qman_cgr *cgr, struct qm_mcc_initcgr *opts)
+{
+ int ret;
+ unsigned long irqflags;
+ struct qman_portal *p = qman_cgr_get_affine_portal(cgr);
+
+ if (!p)
+ return -EINVAL;
+
+ spin_lock_irqsave(&p->cgr_lock, irqflags);
+ ret = qm_modify_cgr(cgr, 0, opts);
+ spin_unlock_irqrestore(&p->cgr_lock, irqflags);
+ put_affine_portal();
+ return ret;
+}
+
+struct update_cgr_params {
+ struct qman_cgr *cgr;
+ struct qm_mcc_initcgr *opts;
+ int ret;
+};
+
+static void qman_update_cgr_smp_call(void *p)
+{
+ struct update_cgr_params *params = p;
+
+ params->ret = qman_update_cgr(params->cgr, params->opts);
+}
+
+int qman_update_cgr_safe(struct qman_cgr *cgr, struct qm_mcc_initcgr *opts)
+{
+ struct update_cgr_params params = {
+ .cgr = cgr,
+ .opts = opts,
+ };
+
+ preempt_disable();
+ if (qman_cgr_cpus[cgr->cgrid] != smp_processor_id())
+ smp_call_function_single(qman_cgr_cpus[cgr->cgrid],
+ qman_update_cgr_smp_call, ¶ms,
+ true);
+ else
+ params.ret = qman_update_cgr(cgr, opts);
+ preempt_enable();
+ return params.ret;
+}
+EXPORT_SYMBOL(qman_update_cgr_safe);
+
/* Cleanup FQs */
static int _qm_mr_consume_and_match_verb(struct qm_portal *p, int v)
diff --git a/include/soc/fsl/qman.h b/include/soc/fsl/qman.h
index 597783b8a3a07..b67f2e83bbef9 100644
--- a/include/soc/fsl/qman.h
+++ b/include/soc/fsl/qman.h
@@ -1159,6 +1159,15 @@ int qman_delete_cgr(struct qman_cgr *cgr);
*/
void qman_delete_cgr_safe(struct qman_cgr *cgr);
+/**
+ * qman_update_cgr_safe - Modifies a congestion group object from any CPU
+ * @cgr: the 'cgr' object to modify
+ * @opts: state of the CGR settings
+ *
+ * This will select the proper CPU and modify the CGR settings.
+ */
+int qman_update_cgr_safe(struct qman_cgr *cgr, struct qm_mcc_initcgr *opts);
+
/**
* qman_query_cgr_congested - Queries CGR's congestion status
* @cgr: the 'cgr' object to query
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 057/175] soc: fsl: qbman: Use raw spinlock for cgr_lock
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 056/175] soc: fsl: qbman: Add CGR update function Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 058/175] s390/zcrypt: fix reference counting on zcrypt card objects Greg Kroah-Hartman
` (123 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Steffen Trumtrar,
Sean Anderson, Camelia Groza, David S. Miller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Anderson <sean.anderson@linux.dev>
[ Upstream commit fbec4e7fed89b579f2483041fabf9650fb0dd6bc ]
smp_call_function always runs its callback in hard IRQ context, even on
PREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock
for cgr_lock to ensure we aren't waiting on a sleeping task.
Although this bug has existed for a while, it was not apparent until
commit ef2a8d5478b9 ("net: dpaa: Adjust queue depth on rate change")
which invokes smp_call_function_single via qman_update_cgr_safe every
time a link goes up or down.
Fixes: 96f413f47677 ("soc/fsl/qbman: fix issue in qman_delete_cgr_safe()")
CC: stable@vger.kernel.org
Reported-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Closes: https://lore.kernel.org/all/20230323153935.nofnjucqjqnz34ej@skbuf/
Reported-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Closes: https://lore.kernel.org/linux-arm-kernel/87wmsyvclu.fsf@pengutronix.de/
Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
Reviewed-by: Camelia Groza <camelia.groza@nxp.com>
Tested-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/fsl/qbman/qman.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
index 4d0853ead7ddf..ce08ce98142da 100644
--- a/drivers/soc/fsl/qbman/qman.c
+++ b/drivers/soc/fsl/qbman/qman.c
@@ -976,7 +976,7 @@ struct qman_portal {
/* linked-list of CSCN handlers. */
struct list_head cgr_cbs;
/* list lock */
- spinlock_t cgr_lock;
+ raw_spinlock_t cgr_lock;
struct work_struct congestion_work;
struct work_struct mr_work;
char irqname[MAX_IRQNAME];
@@ -1194,7 +1194,7 @@ static int qman_create_portal(struct qman_portal *portal,
/* if the given mask is NULL, assume all CGRs can be seen */
qman_cgrs_fill(&portal->cgrs[0]);
INIT_LIST_HEAD(&portal->cgr_cbs);
- spin_lock_init(&portal->cgr_lock);
+ raw_spin_lock_init(&portal->cgr_lock);
INIT_WORK(&portal->congestion_work, qm_congestion_task);
INIT_WORK(&portal->mr_work, qm_mr_process_task);
portal->bits = 0;
@@ -1369,11 +1369,14 @@ static void qm_congestion_task(struct work_struct *work)
union qm_mc_result *mcr;
struct qman_cgr *cgr;
- spin_lock_irq(&p->cgr_lock);
+ /*
+ * FIXME: QM_MCR_TIMEOUT is 10ms, which is too long for a raw spinlock!
+ */
+ raw_spin_lock_irq(&p->cgr_lock);
qm_mc_start(&p->p);
qm_mc_commit(&p->p, QM_MCC_VERB_QUERYCONGESTION);
if (!qm_mc_result_timeout(&p->p, &mcr)) {
- spin_unlock_irq(&p->cgr_lock);
+ raw_spin_unlock_irq(&p->cgr_lock);
dev_crit(p->config->dev, "QUERYCONGESTION timeout\n");
qman_p_irqsource_add(p, QM_PIRQ_CSCI);
return;
@@ -1389,7 +1392,7 @@ static void qm_congestion_task(struct work_struct *work)
list_for_each_entry(cgr, &p->cgr_cbs, node)
if (cgr->cb && qman_cgrs_get(&c, cgr->cgrid))
cgr->cb(p, cgr, qman_cgrs_get(&rr, cgr->cgrid));
- spin_unlock_irq(&p->cgr_lock);
+ raw_spin_unlock_irq(&p->cgr_lock);
qman_p_irqsource_add(p, QM_PIRQ_CSCI);
}
@@ -2346,7 +2349,7 @@ int qman_create_cgr(struct qman_cgr *cgr, u32 flags,
preempt_enable();
cgr->chan = p->config->channel;
- spin_lock_irq(&p->cgr_lock);
+ raw_spin_lock_irq(&p->cgr_lock);
if (opts) {
struct qm_mcc_initcgr local_opts = *opts;
@@ -2383,7 +2386,7 @@ int qman_create_cgr(struct qman_cgr *cgr, u32 flags,
qman_cgrs_get(&p->cgrs[1], cgr->cgrid))
cgr->cb(p, cgr, 1);
out:
- spin_unlock_irq(&p->cgr_lock);
+ raw_spin_unlock_irq(&p->cgr_lock);
put_affine_portal();
return ret;
}
@@ -2418,7 +2421,7 @@ int qman_delete_cgr(struct qman_cgr *cgr)
return -EINVAL;
memset(&local_opts, 0, sizeof(struct qm_mcc_initcgr));
- spin_lock_irqsave(&p->cgr_lock, irqflags);
+ raw_spin_lock_irqsave(&p->cgr_lock, irqflags);
list_del(&cgr->node);
/*
* If there are no other CGR objects for this CGRID in the list,
@@ -2443,7 +2446,7 @@ int qman_delete_cgr(struct qman_cgr *cgr)
/* add back to the list */
list_add(&cgr->node, &p->cgr_cbs);
release_lock:
- spin_unlock_irqrestore(&p->cgr_lock, irqflags);
+ raw_spin_unlock_irqrestore(&p->cgr_lock, irqflags);
put_affine_portal();
return ret;
}
@@ -2483,9 +2486,9 @@ static int qman_update_cgr(struct qman_cgr *cgr, struct qm_mcc_initcgr *opts)
if (!p)
return -EINVAL;
- spin_lock_irqsave(&p->cgr_lock, irqflags);
+ raw_spin_lock_irqsave(&p->cgr_lock, irqflags);
ret = qm_modify_cgr(cgr, 0, opts);
- spin_unlock_irqrestore(&p->cgr_lock, irqflags);
+ raw_spin_unlock_irqrestore(&p->cgr_lock, irqflags);
put_affine_portal();
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 058/175] s390/zcrypt: fix reference counting on zcrypt card objects
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 057/175] soc: fsl: qbman: Use raw spinlock for cgr_lock Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 059/175] drm/imx: pd: Use bus format/flags provided by the bridge when available Greg Kroah-Hartman
` (122 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harald Freudenberger,
Holger Dengler, Heiko Carstens, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harald Freudenberger <freude@linux.ibm.com>
[ Upstream commit 50ed48c80fecbe17218afed4f8bed005c802976c ]
Tests with hot-plugging crytpo cards on KVM guests with debug
kernel build revealed an use after free for the load field of
the struct zcrypt_card. The reason was an incorrect reference
handling of the zcrypt card object which could lead to a free
of the zcrypt card object while it was still in use.
This is an example of the slab message:
kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b
kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
kernel: kmalloc_trace+0x3f2/0x470
kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]
kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
kernel: ap_device_probe+0x15c/0x290
kernel: really_probe+0xd2/0x468
kernel: driver_probe_device+0x40/0xf0
kernel: __device_attach_driver+0xc0/0x140
kernel: bus_for_each_drv+0x8c/0xd0
kernel: __device_attach+0x114/0x198
kernel: bus_probe_device+0xb4/0xc8
kernel: device_add+0x4d2/0x6e0
kernel: ap_scan_adapter+0x3d0/0x7c0
kernel: ap_scan_bus+0x5a/0x3b0
kernel: ap_scan_bus_wq_callback+0x40/0x60
kernel: process_one_work+0x26e/0x620
kernel: worker_thread+0x21c/0x440
kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
kernel: kfree+0x37e/0x418
kernel: zcrypt_card_put+0x54/0x80 [zcrypt]
kernel: ap_device_remove+0x4c/0xe0
kernel: device_release_driver_internal+0x1c4/0x270
kernel: bus_remove_device+0x100/0x188
kernel: device_del+0x164/0x3c0
kernel: device_unregister+0x30/0x90
kernel: ap_scan_adapter+0xc8/0x7c0
kernel: ap_scan_bus+0x5a/0x3b0
kernel: ap_scan_bus_wq_callback+0x40/0x60
kernel: process_one_work+0x26e/0x620
kernel: worker_thread+0x21c/0x440
kernel: kthread+0x150/0x168
kernel: __ret_from_fork+0x3c/0x58
kernel: ret_from_fork+0xa/0x30
kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)
kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88
kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........
kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.
kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........
kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2
kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)
kernel: Call Trace:
kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120
kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140
kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8
kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8
kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0
kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8
kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8
kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590
kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0
kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0
kernel: [<00000000c9b919dc>] ext4_htree_fill_tree+0x134/0x400
kernel: [<00000000c9b4b3d0>] ext4_dx_readdir+0x160/0x2f0
kernel: [<00000000c9b4bedc>] ext4_readdir+0x5f4/0x760
kernel: [<00000000c9a7efc4>] iterate_dir+0xb4/0x280
kernel: [<00000000c9a7f1ea>] __do_sys_getdents64+0x5a/0x120
kernel: [<00000000ca5d6946>] __do_syscall+0x256/0x310
kernel: [<00000000ca5eea10>] system_call+0x70/0x98
kernel: INFO: lockdep is turned off.
kernel: FIX kmalloc-96: Restoring Poison 0x00000000885a7512-0x00000000885a7513=0x6b
kernel: FIX kmalloc-96: Marking all objects used
The fix is simple: Before use of the queue not only the queue object
but also the card object needs to increase it's reference count
with a call to zcrypt_card_get(). Similar after use of the queue
not only the queue but also the card object's reference count is
decreased with zcrypt_card_put().
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/crypto/zcrypt_api.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
index b7cb897cd83e0..3a47e622db10e 100644
--- a/drivers/s390/crypto/zcrypt_api.c
+++ b/drivers/s390/crypto/zcrypt_api.c
@@ -158,6 +158,7 @@ static inline struct zcrypt_queue *zcrypt_pick_queue(struct zcrypt_card *zc,
{
if (!zq || !try_module_get(zq->queue->ap_dev.drv->driver.owner))
return NULL;
+ zcrypt_card_get(zc);
zcrypt_queue_get(zq);
get_device(&zq->queue->ap_dev.device);
atomic_add(weight, &zc->load);
@@ -177,6 +178,7 @@ static inline void zcrypt_drop_queue(struct zcrypt_card *zc,
atomic_sub(weight, &zq->load);
put_device(&zq->queue->ap_dev.device);
zcrypt_queue_put(zq);
+ zcrypt_card_put(zc);
module_put(mod);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 059/175] drm/imx: pd: Use bus format/flags provided by the bridge when available
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 058/175] s390/zcrypt: fix reference counting on zcrypt card objects Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 060/175] drm/imx/ipuv3: do not return negative values from .get_modes() Greg Kroah-Hartman
` (121 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Brezillon, Philipp Zabel, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Brezillon <boris.brezillon@collabora.com>
[ Upstream commit fe141cedc4333e3b76307f096e02b2c1e60f65d5 ]
Now that bridges can expose the bus format/flags they expect, we can
use those instead of the relying on the display_info provided by the
connector (which is only valid if the encoder is directly connected
to bridge element driving the panel/display).
We also explicitly expose the bus formats supported by our encoder by
filling encoder->output_bus_caps with proper info.
v10:
* Add changelog to the commit message
* Use kmalloc() instead of kcalloc()
* Add a dev_warn() when unsupported flags are requested
v8 -> v9:
* No changes
v7:
* Add an imx_pd_format_supported() helper (suggested by Philipp)
* Simplify imx_pd_bridge_atomic_get_output_bus_fmts() (suggested by Philipp)
* Simplify imx_pd_bridge_atomic_get_input_bus_fmts()
* Explicitly set the duplicate/destro_state() and reset() hooks
v4 -> v6:
* Patch was not part of the series
v3 (all suggested by Philipp):
* Adjust to match core changes
* Propagate output format to input format
* Pick a default value when output_fmt = _FIXED
* Add missing BGR888 and GBR888 fmts to imx_pd_bus_fmts[]
v2:
* Adjust things to match the new bus-format negotiation infra
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20200128135514.108171-8-boris.brezillon@collabora.com
Stable-dep-of: c2da9ada6496 ("drm/imx/ipuv3: do not return negative values from .get_modes()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/imx/parallel-display.c | 176 +++++++++++++++++++++----
1 file changed, 151 insertions(+), 25 deletions(-)
diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
index e9dff31b377c4..a96d99cbec4d0 100644
--- a/drivers/gpu/drm/imx/parallel-display.c
+++ b/drivers/gpu/drm/imx/parallel-display.c
@@ -29,6 +29,7 @@
struct imx_parallel_display {
struct drm_connector connector;
struct drm_encoder encoder;
+ struct drm_bridge bridge;
struct device *dev;
void *edid;
int edid_len;
@@ -36,7 +37,7 @@ struct imx_parallel_display {
u32 bus_flags;
struct drm_display_mode mode;
struct drm_panel *panel;
- struct drm_bridge *bridge;
+ struct drm_bridge *next_bridge;
};
static inline struct imx_parallel_display *con_to_imxpd(struct drm_connector *c)
@@ -49,6 +50,11 @@ static inline struct imx_parallel_display *enc_to_imxpd(struct drm_encoder *e)
return container_of(e, struct imx_parallel_display, encoder);
}
+static inline struct imx_parallel_display *bridge_to_imxpd(struct drm_bridge *b)
+{
+ return container_of(b, struct imx_parallel_display, bridge);
+}
+
static int imx_pd_connector_get_modes(struct drm_connector *connector)
{
struct imx_parallel_display *imxpd = con_to_imxpd(connector);
@@ -99,37 +105,148 @@ static struct drm_encoder *imx_pd_connector_best_encoder(
return &imxpd->encoder;
}
-static void imx_pd_encoder_enable(struct drm_encoder *encoder)
+static void imx_pd_bridge_enable(struct drm_bridge *bridge)
{
- struct imx_parallel_display *imxpd = enc_to_imxpd(encoder);
+ struct imx_parallel_display *imxpd = bridge_to_imxpd(bridge);
drm_panel_prepare(imxpd->panel);
drm_panel_enable(imxpd->panel);
}
-static void imx_pd_encoder_disable(struct drm_encoder *encoder)
+static void imx_pd_bridge_disable(struct drm_bridge *bridge)
{
- struct imx_parallel_display *imxpd = enc_to_imxpd(encoder);
+ struct imx_parallel_display *imxpd = bridge_to_imxpd(bridge);
drm_panel_disable(imxpd->panel);
drm_panel_unprepare(imxpd->panel);
}
-static int imx_pd_encoder_atomic_check(struct drm_encoder *encoder,
- struct drm_crtc_state *crtc_state,
- struct drm_connector_state *conn_state)
+static const u32 imx_pd_bus_fmts[] = {
+ MEDIA_BUS_FMT_RGB888_1X24,
+ MEDIA_BUS_FMT_BGR888_1X24,
+ MEDIA_BUS_FMT_GBR888_1X24,
+ MEDIA_BUS_FMT_RGB666_1X18,
+ MEDIA_BUS_FMT_RGB666_1X24_CPADHI,
+ MEDIA_BUS_FMT_RGB565_1X16,
+};
+
+static u32 *
+imx_pd_bridge_atomic_get_output_bus_fmts(struct drm_bridge *bridge,
+ struct drm_bridge_state *bridge_state,
+ struct drm_crtc_state *crtc_state,
+ struct drm_connector_state *conn_state,
+ unsigned int *num_output_fmts)
{
- struct imx_crtc_state *imx_crtc_state = to_imx_crtc_state(crtc_state);
struct drm_display_info *di = &conn_state->connector->display_info;
- struct imx_parallel_display *imxpd = enc_to_imxpd(encoder);
+ struct imx_parallel_display *imxpd = bridge_to_imxpd(bridge);
+ u32 *output_fmts;
- if (!imxpd->bus_format && di->num_bus_formats) {
- imx_crtc_state->bus_flags = di->bus_flags;
- imx_crtc_state->bus_format = di->bus_formats[0];
- } else {
- imx_crtc_state->bus_flags = imxpd->bus_flags;
- imx_crtc_state->bus_format = imxpd->bus_format;
+ if (!imxpd->bus_format && !di->num_bus_formats) {
+ *num_output_fmts = ARRAY_SIZE(imx_pd_bus_fmts);
+ return kmemdup(imx_pd_bus_fmts, sizeof(imx_pd_bus_fmts),
+ GFP_KERNEL);
+ }
+
+ *num_output_fmts = 1;
+ output_fmts = kmalloc(sizeof(*output_fmts), GFP_KERNEL);
+ if (!output_fmts)
+ return NULL;
+
+ if (!imxpd->bus_format && di->num_bus_formats)
+ output_fmts[0] = di->bus_formats[0];
+ else
+ output_fmts[0] = imxpd->bus_format;
+
+ return output_fmts;
+}
+
+static bool imx_pd_format_supported(u32 output_fmt)
+{
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(imx_pd_bus_fmts); i++) {
+ if (imx_pd_bus_fmts[i] == output_fmt)
+ return true;
+ }
+
+ return false;
+}
+
+static u32 *
+imx_pd_bridge_atomic_get_input_bus_fmts(struct drm_bridge *bridge,
+ struct drm_bridge_state *bridge_state,
+ struct drm_crtc_state *crtc_state,
+ struct drm_connector_state *conn_state,
+ u32 output_fmt,
+ unsigned int *num_input_fmts)
+{
+ struct imx_parallel_display *imxpd = bridge_to_imxpd(bridge);
+ u32 *input_fmts;
+
+ /*
+ * If the next bridge does not support bus format negotiation, let's
+ * use the static bus format definition (imxpd->bus_format) if it's
+ * specified, RGB888 when it's not.
+ */
+ if (output_fmt == MEDIA_BUS_FMT_FIXED)
+ output_fmt = imxpd->bus_format ? : MEDIA_BUS_FMT_RGB888_1X24;
+
+ /* Now make sure the requested output format is supported. */
+ if ((imxpd->bus_format && imxpd->bus_format != output_fmt) ||
+ !imx_pd_format_supported(output_fmt)) {
+ *num_input_fmts = 0;
+ return NULL;
+ }
+
+ *num_input_fmts = 1;
+ input_fmts = kmalloc(sizeof(*input_fmts), GFP_KERNEL);
+ if (!input_fmts)
+ return NULL;
+
+ input_fmts[0] = output_fmt;
+ return input_fmts;
+}
+
+static int imx_pd_bridge_atomic_check(struct drm_bridge *bridge,
+ struct drm_bridge_state *bridge_state,
+ struct drm_crtc_state *crtc_state,
+ struct drm_connector_state *conn_state)
+{
+ struct imx_crtc_state *imx_crtc_state = to_imx_crtc_state(crtc_state);
+ struct drm_display_info *di = &conn_state->connector->display_info;
+ struct imx_parallel_display *imxpd = bridge_to_imxpd(bridge);
+ struct drm_bridge_state *next_bridge_state = NULL;
+ struct drm_bridge *next_bridge;
+ u32 bus_flags, bus_fmt;
+
+ next_bridge = drm_bridge_get_next_bridge(bridge);
+ if (next_bridge)
+ next_bridge_state = drm_atomic_get_new_bridge_state(crtc_state->state,
+ next_bridge);
+
+ if (next_bridge_state)
+ bus_flags = next_bridge_state->input_bus_cfg.flags;
+ else if (!imxpd->bus_format && di->num_bus_formats)
+ bus_flags = di->bus_flags;
+ else
+ bus_flags = imxpd->bus_flags;
+
+ bus_fmt = bridge_state->input_bus_cfg.format;
+ if (!imx_pd_format_supported(bus_fmt))
+ return -EINVAL;
+
+ if (bus_flags &
+ ~(DRM_BUS_FLAG_DE_LOW | DRM_BUS_FLAG_DE_HIGH |
+ DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE |
+ DRM_BUS_FLAG_PIXDATA_DRIVE_NEGEDGE)) {
+ dev_warn(imxpd->dev, "invalid bus_flags (%x)\n", bus_flags);
+ return -EINVAL;
}
+
+ bridge_state->output_bus_cfg.flags = bus_flags;
+ bridge_state->input_bus_cfg.flags = bus_flags;
+ imx_crtc_state->bus_flags = bus_flags;
+ imx_crtc_state->bus_format = bridge_state->input_bus_cfg.format;
imx_crtc_state->di_hsync_pin = 2;
imx_crtc_state->di_vsync_pin = 3;
@@ -153,10 +270,15 @@ static const struct drm_encoder_funcs imx_pd_encoder_funcs = {
.destroy = imx_drm_encoder_destroy,
};
-static const struct drm_encoder_helper_funcs imx_pd_encoder_helper_funcs = {
- .enable = imx_pd_encoder_enable,
- .disable = imx_pd_encoder_disable,
- .atomic_check = imx_pd_encoder_atomic_check,
+static const struct drm_bridge_funcs imx_pd_bridge_funcs = {
+ .enable = imx_pd_bridge_enable,
+ .disable = imx_pd_bridge_disable,
+ .atomic_reset = drm_atomic_helper_bridge_reset,
+ .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state,
+ .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state,
+ .atomic_check = imx_pd_bridge_atomic_check,
+ .atomic_get_input_bus_fmts = imx_pd_bridge_atomic_get_input_bus_fmts,
+ .atomic_get_output_bus_fmts = imx_pd_bridge_atomic_get_output_bus_fmts,
};
static int imx_pd_register(struct drm_device *drm,
@@ -176,11 +298,13 @@ static int imx_pd_register(struct drm_device *drm,
*/
imxpd->connector.dpms = DRM_MODE_DPMS_OFF;
- drm_encoder_helper_add(encoder, &imx_pd_encoder_helper_funcs);
drm_encoder_init(drm, encoder, &imx_pd_encoder_funcs,
DRM_MODE_ENCODER_NONE, NULL);
- if (!imxpd->bridge) {
+ imxpd->bridge.funcs = &imx_pd_bridge_funcs;
+ drm_bridge_attach(encoder, &imxpd->bridge, NULL);
+
+ if (!imxpd->next_bridge) {
drm_connector_helper_add(&imxpd->connector,
&imx_pd_connector_helper_funcs);
drm_connector_init(drm, &imxpd->connector,
@@ -191,8 +315,9 @@ static int imx_pd_register(struct drm_device *drm,
if (imxpd->panel)
drm_panel_attach(imxpd->panel, &imxpd->connector);
- if (imxpd->bridge) {
- ret = drm_bridge_attach(encoder, imxpd->bridge, NULL);
+ if (imxpd->next_bridge) {
+ ret = drm_bridge_attach(encoder, imxpd->next_bridge,
+ &imxpd->bridge);
if (ret < 0) {
dev_err(imxpd->dev, "failed to attach bridge: %d\n",
ret);
@@ -237,7 +362,8 @@ static int imx_pd_bind(struct device *dev, struct device *master, void *data)
imxpd->bus_format = bus_format;
/* port@1 is the output port */
- ret = drm_of_find_panel_or_bridge(np, 1, 0, &imxpd->panel, &imxpd->bridge);
+ ret = drm_of_find_panel_or_bridge(np, 1, 0, &imxpd->panel,
+ &imxpd->next_bridge);
if (ret && ret != -ENODEV)
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 060/175] drm/imx/ipuv3: do not return negative values from .get_modes()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 059/175] drm/imx: pd: Use bus format/flags provided by the bridge when available Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 061/175] drm/vc4: hdmi: " Greg Kroah-Hartman
` (120 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philipp Zabel, Thomas Zimmermann,
Jani Nikula, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
[ Upstream commit c2da9ada64962fcd2e6395ed9987b9874ea032d3 ]
The .get_modes() hooks aren't supposed to return negative error
codes. Return 0 for no modes, whatever the reason.
Cc: Philipp Zabel <p.zabel@pengutronix.de>
Cc: stable@vger.kernel.org
Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/311f6eec96d47949b16a670529f4d89fcd97aefa.1709913674.git.jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/imx/parallel-display.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
index a96d99cbec4d0..290f68b9adfea 100644
--- a/drivers/gpu/drm/imx/parallel-display.c
+++ b/drivers/gpu/drm/imx/parallel-display.c
@@ -78,14 +78,14 @@ static int imx_pd_connector_get_modes(struct drm_connector *connector)
int ret;
if (!mode)
- return -EINVAL;
+ return 0;
ret = of_get_drm_display_mode(np, &imxpd->mode,
&imxpd->bus_flags,
OF_USE_NATIVE_MODE);
if (ret) {
drm_mode_destroy(connector->dev, mode);
- return ret;
+ return 0;
}
drm_mode_copy(mode, &imxpd->mode);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 061/175] drm/vc4: hdmi: do not return negative values from .get_modes()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 060/175] drm/imx/ipuv3: do not return negative values from .get_modes() Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 062/175] memtest: use {READ,WRITE}_ONCE in memory scanning Greg Kroah-Hartman
` (119 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Thomas Zimmermann,
Jani Nikula, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
[ Upstream commit abf493988e380f25242c1023275c68bd3579c9ce ]
The .get_modes() hooks aren't supposed to return negative error
codes. Return 0 for no modes, whatever the reason.
Cc: Maxime Ripard <mripard@kernel.org>
Cc: stable@vger.kernel.org
Acked-by: Maxime Ripard <mripard@kernel.org>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/dcda6d4003e2c6192987916b35c7304732800e08.1709913674.git.jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vc4/vc4_hdmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
index 1161662664577..013dfc63c824e 100644
--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
+++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
@@ -276,7 +276,7 @@ static int vc4_hdmi_connector_get_modes(struct drm_connector *connector)
edid = drm_get_edid(connector, vc4->hdmi->ddc);
cec_s_phys_addr_from_edid(vc4->hdmi->cec_adap, edid);
if (!edid)
- return -ENODEV;
+ return 0;
vc4_encoder->hdmi_monitor = drm_detect_hdmi_monitor(edid);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 062/175] memtest: use {READ,WRITE}_ONCE in memory scanning
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 061/175] drm/vc4: hdmi: " Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 063/175] nilfs2: fix failure to detect DAT corruption in btree and direct mappings Greg Kroah-Hartman
` (118 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qiang Zhang, Bill Wendling,
Justin Stitt, Nathan Chancellor, Nick Desaulniers, Andrew Morton,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Zhang <qiang4.zhang@intel.com>
[ Upstream commit 82634d7e24271698e50a3ec811e5f50de790a65f ]
memtest failed to find bad memory when compiled with clang. So use
{WRITE,READ}_ONCE to access memory to avoid compiler over optimization.
Link: https://lkml.kernel.org/r/20240312080422.691222-1-qiang4.zhang@intel.com
Signed-off-by: Qiang Zhang <qiang4.zhang@intel.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/memtest.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/memtest.c b/mm/memtest.c
index f53ace709ccd8..d407373f225b4 100644
--- a/mm/memtest.c
+++ b/mm/memtest.c
@@ -46,10 +46,10 @@ static void __init memtest(u64 pattern, phys_addr_t start_phys, phys_addr_t size
last_bad = 0;
for (p = start; p < end; p++)
- *p = pattern;
+ WRITE_ONCE(*p, pattern);
for (p = start; p < end; p++, start_phys_aligned += incr) {
- if (*p == pattern)
+ if (READ_ONCE(*p) == pattern)
continue;
if (start_phys_aligned == last_bad + incr) {
last_bad += incr;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 063/175] nilfs2: fix failure to detect DAT corruption in btree and direct mappings
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 062/175] memtest: use {READ,WRITE}_ONCE in memory scanning Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 064/175] nilfs2: use a more common logging style Greg Kroah-Hartman
` (117 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
syzbot+cfed5b56649bddf80d6e, Andrew Morton, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
[ Upstream commit f2f26b4a84a0ef41791bd2d70861c8eac748f4ba ]
Patch series "nilfs2: fix kernel bug at submit_bh_wbc()".
This resolves a kernel BUG reported by syzbot. Since there are two
flaws involved, I've made each one a separate patch.
The first patch alone resolves the syzbot-reported bug, but I think
both fixes should be sent to stable, so I've tagged them as such.
This patch (of 2):
Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data
to a nilfs2 file system whose metadata is corrupted.
There are two flaws involved in this issue.
The first flaw is that when nilfs_get_block() locates a data block using
btree or direct mapping, if the disk address translation routine
nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata
corruption, it can be passed back to nilfs_get_block(). This causes
nilfs_get_block() to misidentify an existing block as non-existent,
causing both data block lookup and insertion to fail inconsistently.
The second flaw is that nilfs_get_block() returns a successful status in
this inconsistent state. This causes the caller __block_write_begin_int()
or others to request a read even though the buffer is not mapped,
resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()
failing.
This fixes the first issue by changing the return value to code -EINVAL
when a conversion using DAT fails with code -ENOENT, avoiding the
conflicting condition that leads to the kernel bug described above. Here,
code -EINVAL indicates that metadata corruption was detected during the
block lookup, which will be properly handled as a file system error and
converted to -EIO when passing through the nilfs2 bmap layer.
Link: https://lkml.kernel.org/r/20240313105827.5296-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20240313105827.5296-2-konishi.ryusuke@gmail.com
Fixes: c3a7abf06ce7 ("nilfs2: support contiguous lookup of blocks")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+cfed5b56649bddf80d6e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cfed5b56649bddf80d6e
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/btree.c | 9 +++++++--
fs/nilfs2/direct.c | 9 +++++++--
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
index a0e37530dcf30..1ab5db17e8248 100644
--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -724,7 +724,7 @@ static int nilfs_btree_lookup_contig(const struct nilfs_bmap *btree,
dat = nilfs_bmap_get_dat(btree);
ret = nilfs_dat_translate(dat, ptr, &blocknr);
if (ret < 0)
- goto out;
+ goto dat_error;
ptr = blocknr;
}
cnt = 1;
@@ -743,7 +743,7 @@ static int nilfs_btree_lookup_contig(const struct nilfs_bmap *btree,
if (dat) {
ret = nilfs_dat_translate(dat, ptr2, &blocknr);
if (ret < 0)
- goto out;
+ goto dat_error;
ptr2 = blocknr;
}
if (ptr2 != ptr + cnt || ++cnt == maxblocks)
@@ -782,6 +782,11 @@ static int nilfs_btree_lookup_contig(const struct nilfs_bmap *btree,
out:
nilfs_btree_free_path(path);
return ret;
+
+ dat_error:
+ if (ret == -ENOENT)
+ ret = -EINVAL; /* Notify bmap layer of metadata corruption */
+ goto out;
}
static void nilfs_btree_promote_key(struct nilfs_bmap *btree,
diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c
index 533e24ea3a88d..8d769c5dd5dc6 100644
--- a/fs/nilfs2/direct.c
+++ b/fs/nilfs2/direct.c
@@ -66,7 +66,7 @@ static int nilfs_direct_lookup_contig(const struct nilfs_bmap *direct,
dat = nilfs_bmap_get_dat(direct);
ret = nilfs_dat_translate(dat, ptr, &blocknr);
if (ret < 0)
- return ret;
+ goto dat_error;
ptr = blocknr;
}
@@ -79,7 +79,7 @@ static int nilfs_direct_lookup_contig(const struct nilfs_bmap *direct,
if (dat) {
ret = nilfs_dat_translate(dat, ptr2, &blocknr);
if (ret < 0)
- return ret;
+ goto dat_error;
ptr2 = blocknr;
}
if (ptr2 != ptr + cnt)
@@ -87,6 +87,11 @@ static int nilfs_direct_lookup_contig(const struct nilfs_bmap *direct,
}
*ptrp = ptr;
return cnt;
+
+ dat_error:
+ if (ret == -ENOENT)
+ ret = -EINVAL; /* Notify bmap layer of metadata corruption */
+ return ret;
}
static __u64
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 064/175] nilfs2: use a more common logging style
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 063/175] nilfs2: fix failure to detect DAT corruption in btree and direct mappings Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 065/175] nilfs2: prevent kernel bug at submit_bh_wbc() Greg Kroah-Hartman
` (116 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Perches, Ryusuke Konishi,
Andrew Morton, Linus Torvalds, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Perches <joe@perches.com>
[ Upstream commit a1d0747a393a079631130d61faa2a61027d1c789 ]
Add macros for nilfs_<level>(sb, fmt, ...) and convert the uses of
'nilfs_msg(sb, KERN_<LEVEL>, ...)' to 'nilfs_<level>(sb, ...)' so nilfs2
uses a logging style more like the typical kernel logging style.
Miscellanea:
o Realign arguments for these uses
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Link: http://lkml.kernel.org/r/1595860111-3920-4-git-send-email-konishi.ryusuke@gmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 269cdf353b5b ("nilfs2: prevent kernel bug at submit_bh_wbc()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/alloc.c | 38 +++++++++----------
fs/nilfs2/btree.c | 42 ++++++++++-----------
fs/nilfs2/cpfile.c | 10 ++---
fs/nilfs2/dat.c | 14 +++----
fs/nilfs2/direct.c | 14 ++++---
fs/nilfs2/gcinode.c | 2 +-
fs/nilfs2/ifile.c | 4 +-
fs/nilfs2/inode.c | 29 +++++++--------
fs/nilfs2/ioctl.c | 37 +++++++++----------
fs/nilfs2/mdt.c | 2 +-
fs/nilfs2/namei.c | 6 +--
fs/nilfs2/nilfs.h | 9 +++++
fs/nilfs2/page.c | 11 +++---
fs/nilfs2/recovery.c | 32 +++++++---------
fs/nilfs2/segbuf.c | 2 +-
fs/nilfs2/segment.c | 38 +++++++++----------
fs/nilfs2/sufile.c | 29 +++++++--------
fs/nilfs2/super.c | 57 ++++++++++++++---------------
fs/nilfs2/sysfs.c | 29 +++++++--------
fs/nilfs2/the_nilfs.c | 85 ++++++++++++++++++++-----------------------
20 files changed, 239 insertions(+), 251 deletions(-)
diff --git a/fs/nilfs2/alloc.c b/fs/nilfs2/alloc.c
index bbd82f650e93e..279d945d4ebee 100644
--- a/fs/nilfs2/alloc.c
+++ b/fs/nilfs2/alloc.c
@@ -614,10 +614,10 @@ void nilfs_palloc_commit_free_entry(struct inode *inode,
lock = nilfs_mdt_bgl_lock(inode, group);
if (!nilfs_clear_bit_atomic(lock, group_offset, bitmap))
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "%s (ino=%lu): entry number %llu already freed",
- __func__, inode->i_ino,
- (unsigned long long)req->pr_entry_nr);
+ nilfs_warn(inode->i_sb,
+ "%s (ino=%lu): entry number %llu already freed",
+ __func__, inode->i_ino,
+ (unsigned long long)req->pr_entry_nr);
else
nilfs_palloc_group_desc_add_entries(desc, lock, 1);
@@ -655,10 +655,10 @@ void nilfs_palloc_abort_alloc_entry(struct inode *inode,
lock = nilfs_mdt_bgl_lock(inode, group);
if (!nilfs_clear_bit_atomic(lock, group_offset, bitmap))
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "%s (ino=%lu): entry number %llu already freed",
- __func__, inode->i_ino,
- (unsigned long long)req->pr_entry_nr);
+ nilfs_warn(inode->i_sb,
+ "%s (ino=%lu): entry number %llu already freed",
+ __func__, inode->i_ino,
+ (unsigned long long)req->pr_entry_nr);
else
nilfs_palloc_group_desc_add_entries(desc, lock, 1);
@@ -764,10 +764,10 @@ int nilfs_palloc_freev(struct inode *inode, __u64 *entry_nrs, size_t nitems)
do {
if (!nilfs_clear_bit_atomic(lock, group_offset,
bitmap)) {
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "%s (ino=%lu): entry number %llu already freed",
- __func__, inode->i_ino,
- (unsigned long long)entry_nrs[j]);
+ nilfs_warn(inode->i_sb,
+ "%s (ino=%lu): entry number %llu already freed",
+ __func__, inode->i_ino,
+ (unsigned long long)entry_nrs[j]);
} else {
n++;
}
@@ -809,10 +809,10 @@ int nilfs_palloc_freev(struct inode *inode, __u64 *entry_nrs, size_t nitems)
ret = nilfs_palloc_delete_entry_block(inode,
last_nrs[k]);
if (ret && ret != -ENOENT)
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "error %d deleting block that object (entry=%llu, ino=%lu) belongs to",
- ret, (unsigned long long)last_nrs[k],
- inode->i_ino);
+ nilfs_warn(inode->i_sb,
+ "error %d deleting block that object (entry=%llu, ino=%lu) belongs to",
+ ret, (unsigned long long)last_nrs[k],
+ inode->i_ino);
}
desc_kaddr = kmap_atomic(desc_bh->b_page);
@@ -827,9 +827,9 @@ int nilfs_palloc_freev(struct inode *inode, __u64 *entry_nrs, size_t nitems)
if (nfree == nilfs_palloc_entries_per_group(inode)) {
ret = nilfs_palloc_delete_bitmap_block(inode, group);
if (ret && ret != -ENOENT)
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "error %d deleting bitmap block of group=%lu, ino=%lu",
- ret, group, inode->i_ino);
+ nilfs_warn(inode->i_sb,
+ "error %d deleting bitmap block of group=%lu, ino=%lu",
+ ret, group, inode->i_ino);
}
}
return 0;
diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
index 1ab5db17e8248..4905b7cd7bf33 100644
--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -352,10 +352,10 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node,
(flags & NILFS_BTREE_NODE_ROOT) ||
nchildren < 0 ||
nchildren > NILFS_BTREE_NODE_NCHILDREN_MAX(size))) {
- nilfs_msg(inode->i_sb, KERN_CRIT,
- "bad btree node (ino=%lu, blocknr=%llu): level = %d, flags = 0x%x, nchildren = %d",
- inode->i_ino, (unsigned long long)blocknr, level,
- flags, nchildren);
+ nilfs_crit(inode->i_sb,
+ "bad btree node (ino=%lu, blocknr=%llu): level = %d, flags = 0x%x, nchildren = %d",
+ inode->i_ino, (unsigned long long)blocknr, level,
+ flags, nchildren);
ret = 1;
}
return ret;
@@ -382,9 +382,9 @@ static int nilfs_btree_root_broken(const struct nilfs_btree_node *node,
level >= NILFS_BTREE_LEVEL_MAX ||
nchildren < 0 ||
nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
- nilfs_msg(inode->i_sb, KERN_CRIT,
- "bad btree root (ino=%lu): level = %d, flags = 0x%x, nchildren = %d",
- inode->i_ino, level, flags, nchildren);
+ nilfs_crit(inode->i_sb,
+ "bad btree root (ino=%lu): level = %d, flags = 0x%x, nchildren = %d",
+ inode->i_ino, level, flags, nchildren);
ret = 1;
}
return ret;
@@ -451,10 +451,10 @@ static int nilfs_btree_bad_node(const struct nilfs_bmap *btree,
{
if (unlikely(nilfs_btree_node_get_level(node) != level)) {
dump_stack();
- nilfs_msg(btree->b_inode->i_sb, KERN_CRIT,
- "btree level mismatch (ino=%lu): %d != %d",
- btree->b_inode->i_ino,
- nilfs_btree_node_get_level(node), level);
+ nilfs_crit(btree->b_inode->i_sb,
+ "btree level mismatch (ino=%lu): %d != %d",
+ btree->b_inode->i_ino,
+ nilfs_btree_node_get_level(node), level);
return 1;
}
return 0;
@@ -519,7 +519,7 @@ static int __nilfs_btree_get_block(const struct nilfs_bmap *btree, __u64 ptr,
out_no_wait:
if (!buffer_uptodate(bh)) {
- nilfs_msg(btree->b_inode->i_sb, KERN_ERR,
+ nilfs_err(btree->b_inode->i_sb,
"I/O error reading b-tree node block (ino=%lu, blocknr=%llu)",
btree->b_inode->i_ino, (unsigned long long)ptr);
brelse(bh);
@@ -2094,10 +2094,10 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree,
ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0);
if (ret < 0) {
if (unlikely(ret == -ENOENT))
- nilfs_msg(btree->b_inode->i_sb, KERN_CRIT,
- "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d",
- btree->b_inode->i_ino,
- (unsigned long long)key, level);
+ nilfs_crit(btree->b_inode->i_sb,
+ "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d",
+ btree->b_inode->i_ino,
+ (unsigned long long)key, level);
goto out;
}
@@ -2134,11 +2134,11 @@ static void nilfs_btree_add_dirty_buffer(struct nilfs_bmap *btree,
if (level < NILFS_BTREE_LEVEL_NODE_MIN ||
level >= NILFS_BTREE_LEVEL_MAX) {
dump_stack();
- nilfs_msg(btree->b_inode->i_sb, KERN_WARNING,
- "invalid btree level: %d (key=%llu, ino=%lu, blocknr=%llu)",
- level, (unsigned long long)key,
- btree->b_inode->i_ino,
- (unsigned long long)bh->b_blocknr);
+ nilfs_warn(btree->b_inode->i_sb,
+ "invalid btree level: %d (key=%llu, ino=%lu, blocknr=%llu)",
+ level, (unsigned long long)key,
+ btree->b_inode->i_ino,
+ (unsigned long long)bh->b_blocknr);
return;
}
diff --git a/fs/nilfs2/cpfile.c b/fs/nilfs2/cpfile.c
index 8d41311b5db4b..86d4d850d1305 100644
--- a/fs/nilfs2/cpfile.c
+++ b/fs/nilfs2/cpfile.c
@@ -322,7 +322,7 @@ int nilfs_cpfile_delete_checkpoints(struct inode *cpfile,
int ret, ncps, nicps, nss, count, i;
if (unlikely(start == 0 || start > end)) {
- nilfs_msg(cpfile->i_sb, KERN_ERR,
+ nilfs_err(cpfile->i_sb,
"cannot delete checkpoints: invalid range [%llu, %llu)",
(unsigned long long)start, (unsigned long long)end);
return -EINVAL;
@@ -376,7 +376,7 @@ int nilfs_cpfile_delete_checkpoints(struct inode *cpfile,
cpfile, cno);
if (ret == 0)
continue;
- nilfs_msg(cpfile->i_sb, KERN_ERR,
+ nilfs_err(cpfile->i_sb,
"error %d deleting checkpoint block",
ret);
break;
@@ -981,12 +981,10 @@ int nilfs_cpfile_read(struct super_block *sb, size_t cpsize,
int err;
if (cpsize > sb->s_blocksize) {
- nilfs_msg(sb, KERN_ERR,
- "too large checkpoint size: %zu bytes", cpsize);
+ nilfs_err(sb, "too large checkpoint size: %zu bytes", cpsize);
return -EINVAL;
} else if (cpsize < NILFS_MIN_CHECKPOINT_SIZE) {
- nilfs_msg(sb, KERN_ERR,
- "too small checkpoint size: %zu bytes", cpsize);
+ nilfs_err(sb, "too small checkpoint size: %zu bytes", cpsize);
return -EINVAL;
}
diff --git a/fs/nilfs2/dat.c b/fs/nilfs2/dat.c
index b9c759addd50e..c47e1f6f23a82 100644
--- a/fs/nilfs2/dat.c
+++ b/fs/nilfs2/dat.c
@@ -354,11 +354,11 @@ int nilfs_dat_move(struct inode *dat, __u64 vblocknr, sector_t blocknr)
kaddr = kmap_atomic(entry_bh->b_page);
entry = nilfs_palloc_block_get_entry(dat, vblocknr, entry_bh, kaddr);
if (unlikely(entry->de_blocknr == cpu_to_le64(0))) {
- nilfs_msg(dat->i_sb, KERN_CRIT,
- "%s: invalid vblocknr = %llu, [%llu, %llu)",
- __func__, (unsigned long long)vblocknr,
- (unsigned long long)le64_to_cpu(entry->de_start),
- (unsigned long long)le64_to_cpu(entry->de_end));
+ nilfs_crit(dat->i_sb,
+ "%s: invalid vblocknr = %llu, [%llu, %llu)",
+ __func__, (unsigned long long)vblocknr,
+ (unsigned long long)le64_to_cpu(entry->de_start),
+ (unsigned long long)le64_to_cpu(entry->de_end));
kunmap_atomic(kaddr);
brelse(entry_bh);
return -EINVAL;
@@ -485,11 +485,11 @@ int nilfs_dat_read(struct super_block *sb, size_t entry_size,
int err;
if (entry_size > sb->s_blocksize) {
- nilfs_msg(sb, KERN_ERR, "too large DAT entry size: %zu bytes",
+ nilfs_err(sb, "too large DAT entry size: %zu bytes",
entry_size);
return -EINVAL;
} else if (entry_size < NILFS_MIN_DAT_ENTRY_SIZE) {
- nilfs_msg(sb, KERN_ERR, "too small DAT entry size: %zu bytes",
+ nilfs_err(sb, "too small DAT entry size: %zu bytes",
entry_size);
return -EINVAL;
}
diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c
index 8d769c5dd5dc6..7faf8c285d6c9 100644
--- a/fs/nilfs2/direct.c
+++ b/fs/nilfs2/direct.c
@@ -333,16 +333,18 @@ static int nilfs_direct_assign(struct nilfs_bmap *bmap,
key = nilfs_bmap_data_get_key(bmap, *bh);
if (unlikely(key > NILFS_DIRECT_KEY_MAX)) {
- nilfs_msg(bmap->b_inode->i_sb, KERN_CRIT,
- "%s (ino=%lu): invalid key: %llu", __func__,
- bmap->b_inode->i_ino, (unsigned long long)key);
+ nilfs_crit(bmap->b_inode->i_sb,
+ "%s (ino=%lu): invalid key: %llu",
+ __func__,
+ bmap->b_inode->i_ino, (unsigned long long)key);
return -EINVAL;
}
ptr = nilfs_direct_get_ptr(bmap, key);
if (unlikely(ptr == NILFS_BMAP_INVALID_PTR)) {
- nilfs_msg(bmap->b_inode->i_sb, KERN_CRIT,
- "%s (ino=%lu): invalid pointer: %llu", __func__,
- bmap->b_inode->i_ino, (unsigned long long)ptr);
+ nilfs_crit(bmap->b_inode->i_sb,
+ "%s (ino=%lu): invalid pointer: %llu",
+ __func__,
+ bmap->b_inode->i_ino, (unsigned long long)ptr);
return -EINVAL;
}
diff --git a/fs/nilfs2/gcinode.c b/fs/nilfs2/gcinode.c
index cef46650102e7..b0077f5f71124 100644
--- a/fs/nilfs2/gcinode.c
+++ b/fs/nilfs2/gcinode.c
@@ -143,7 +143,7 @@ int nilfs_gccache_wait_and_mark_dirty(struct buffer_head *bh)
if (!buffer_uptodate(bh)) {
struct inode *inode = bh->b_page->mapping->host;
- nilfs_msg(inode->i_sb, KERN_ERR,
+ nilfs_err(inode->i_sb,
"I/O error reading %s block for GC (ino=%lu, vblocknr=%llu)",
buffer_nilfs_node(bh) ? "node" : "data",
inode->i_ino, (unsigned long long)bh->b_blocknr);
diff --git a/fs/nilfs2/ifile.c b/fs/nilfs2/ifile.c
index 4140d232cadc0..02727ed3a7c6a 100644
--- a/fs/nilfs2/ifile.c
+++ b/fs/nilfs2/ifile.c
@@ -142,8 +142,8 @@ int nilfs_ifile_get_inode_block(struct inode *ifile, ino_t ino,
err = nilfs_palloc_get_entry_block(ifile, ino, 0, out_bh);
if (unlikely(err))
- nilfs_msg(sb, KERN_WARNING, "error %d reading inode: ino=%lu",
- err, (unsigned long)ino);
+ nilfs_warn(sb, "error %d reading inode: ino=%lu",
+ err, (unsigned long)ino);
return err;
}
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index ea94dc21af0c9..83dbfd9d25323 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -107,10 +107,10 @@ int nilfs_get_block(struct inode *inode, sector_t blkoff,
* However, the page having this block must
* be locked in this case.
*/
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "%s (ino=%lu): a race condition while inserting a data block at offset=%llu",
- __func__, inode->i_ino,
- (unsigned long long)blkoff);
+ nilfs_warn(inode->i_sb,
+ "%s (ino=%lu): a race condition while inserting a data block at offset=%llu",
+ __func__, inode->i_ino,
+ (unsigned long long)blkoff);
err = 0;
}
nilfs_transaction_abort(inode->i_sb);
@@ -862,9 +862,8 @@ static void nilfs_truncate_bmap(struct nilfs_inode_info *ii,
goto repeat;
failed:
- nilfs_msg(ii->vfs_inode.i_sb, KERN_WARNING,
- "error %d truncating bmap (ino=%lu)", ret,
- ii->vfs_inode.i_ino);
+ nilfs_warn(ii->vfs_inode.i_sb, "error %d truncating bmap (ino=%lu)",
+ ret, ii->vfs_inode.i_ino);
}
void nilfs_truncate(struct inode *inode)
@@ -1097,9 +1096,9 @@ int nilfs_set_file_dirty(struct inode *inode, unsigned int nr_dirty)
* This will happen when somebody is freeing
* this inode.
*/
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "cannot set file dirty (ino=%lu): the file is being freed",
- inode->i_ino);
+ nilfs_warn(inode->i_sb,
+ "cannot set file dirty (ino=%lu): the file is being freed",
+ inode->i_ino);
spin_unlock(&nilfs->ns_inode_lock);
return -EINVAL; /*
* NILFS_I_DIRTY may remain for
@@ -1128,9 +1127,9 @@ int __nilfs_mark_inode_dirty(struct inode *inode, int flags)
err = nilfs_load_inode_block(inode, &ibh);
if (unlikely(err)) {
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "cannot mark inode dirty (ino=%lu): error %d loading inode block",
- inode->i_ino, err);
+ nilfs_warn(inode->i_sb,
+ "cannot mark inode dirty (ino=%lu): error %d loading inode block",
+ inode->i_ino, err);
return err;
}
nilfs_update_inode(inode, ibh, flags);
@@ -1156,8 +1155,8 @@ void nilfs_dirty_inode(struct inode *inode, int flags)
struct nilfs_mdt_info *mdi = NILFS_MDT(inode);
if (is_bad_inode(inode)) {
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "tried to mark bad_inode dirty. ignored.");
+ nilfs_warn(inode->i_sb,
+ "tried to mark bad_inode dirty. ignored.");
dump_stack();
return;
}
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index dfb2083b8ce1c..ecb5e4cf058b5 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -574,25 +574,25 @@ static int nilfs_ioctl_move_inode_block(struct inode *inode,
if (unlikely(ret < 0)) {
if (ret == -ENOENT)
- nilfs_msg(inode->i_sb, KERN_CRIT,
- "%s: invalid virtual block address (%s): ino=%llu, cno=%llu, offset=%llu, blocknr=%llu, vblocknr=%llu",
- __func__, vdesc->vd_flags ? "node" : "data",
- (unsigned long long)vdesc->vd_ino,
- (unsigned long long)vdesc->vd_cno,
- (unsigned long long)vdesc->vd_offset,
- (unsigned long long)vdesc->vd_blocknr,
- (unsigned long long)vdesc->vd_vblocknr);
+ nilfs_crit(inode->i_sb,
+ "%s: invalid virtual block address (%s): ino=%llu, cno=%llu, offset=%llu, blocknr=%llu, vblocknr=%llu",
+ __func__, vdesc->vd_flags ? "node" : "data",
+ (unsigned long long)vdesc->vd_ino,
+ (unsigned long long)vdesc->vd_cno,
+ (unsigned long long)vdesc->vd_offset,
+ (unsigned long long)vdesc->vd_blocknr,
+ (unsigned long long)vdesc->vd_vblocknr);
return ret;
}
if (unlikely(!list_empty(&bh->b_assoc_buffers))) {
- nilfs_msg(inode->i_sb, KERN_CRIT,
- "%s: conflicting %s buffer: ino=%llu, cno=%llu, offset=%llu, blocknr=%llu, vblocknr=%llu",
- __func__, vdesc->vd_flags ? "node" : "data",
- (unsigned long long)vdesc->vd_ino,
- (unsigned long long)vdesc->vd_cno,
- (unsigned long long)vdesc->vd_offset,
- (unsigned long long)vdesc->vd_blocknr,
- (unsigned long long)vdesc->vd_vblocknr);
+ nilfs_crit(inode->i_sb,
+ "%s: conflicting %s buffer: ino=%llu, cno=%llu, offset=%llu, blocknr=%llu, vblocknr=%llu",
+ __func__, vdesc->vd_flags ? "node" : "data",
+ (unsigned long long)vdesc->vd_ino,
+ (unsigned long long)vdesc->vd_cno,
+ (unsigned long long)vdesc->vd_offset,
+ (unsigned long long)vdesc->vd_blocknr,
+ (unsigned long long)vdesc->vd_vblocknr);
brelse(bh);
return -EEXIST;
}
@@ -842,8 +842,7 @@ int nilfs_ioctl_prepare_clean_segments(struct the_nilfs *nilfs,
return 0;
failed:
- nilfs_msg(nilfs->ns_sb, KERN_ERR, "error %d preparing GC: %s", ret,
- msg);
+ nilfs_err(nilfs->ns_sb, "error %d preparing GC: %s", ret, msg);
return ret;
}
@@ -952,7 +951,7 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
ret = nilfs_ioctl_move_blocks(inode->i_sb, &argv[0], kbufs[0]);
if (ret < 0) {
- nilfs_msg(inode->i_sb, KERN_ERR,
+ nilfs_err(inode->i_sb,
"error %d preparing GC: cannot read source blocks",
ret);
} else {
diff --git a/fs/nilfs2/mdt.c b/fs/nilfs2/mdt.c
index 7c9055d767d16..e80ef2c0a785c 100644
--- a/fs/nilfs2/mdt.c
+++ b/fs/nilfs2/mdt.c
@@ -199,7 +199,7 @@ static int nilfs_mdt_read_block(struct inode *inode, unsigned long block,
out_no_wait:
err = -EIO;
if (!buffer_uptodate(first_bh)) {
- nilfs_msg(inode->i_sb, KERN_ERR,
+ nilfs_err(inode->i_sb,
"I/O error reading meta-data file (ino=%lu, block-offset=%lu)",
inode->i_ino, block);
goto failed_bh;
diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c
index 9fe6d4ab74f01..a6ec7961d4f5a 100644
--- a/fs/nilfs2/namei.c
+++ b/fs/nilfs2/namei.c
@@ -272,9 +272,9 @@ static int nilfs_do_unlink(struct inode *dir, struct dentry *dentry)
goto out;
if (!inode->i_nlink) {
- nilfs_msg(inode->i_sb, KERN_WARNING,
- "deleting nonexistent file (ino=%lu), %d",
- inode->i_ino, inode->i_nlink);
+ nilfs_warn(inode->i_sb,
+ "deleting nonexistent file (ino=%lu), %d",
+ inode->i_ino, inode->i_nlink);
set_nlink(inode, 1);
}
err = nilfs_delete_entry(de, page);
diff --git a/fs/nilfs2/nilfs.h b/fs/nilfs2/nilfs.h
index cca30f0f965c5..d8dc6e546febe 100644
--- a/fs/nilfs2/nilfs.h
+++ b/fs/nilfs2/nilfs.h
@@ -321,6 +321,15 @@ void __nilfs_error(struct super_block *sb, const char *function,
#endif /* CONFIG_PRINTK */
+#define nilfs_crit(sb, fmt, ...) \
+ nilfs_msg(sb, KERN_CRIT, fmt, ##__VA_ARGS__)
+#define nilfs_err(sb, fmt, ...) \
+ nilfs_msg(sb, KERN_ERR, fmt, ##__VA_ARGS__)
+#define nilfs_warn(sb, fmt, ...) \
+ nilfs_msg(sb, KERN_WARNING, fmt, ##__VA_ARGS__)
+#define nilfs_info(sb, fmt, ...) \
+ nilfs_msg(sb, KERN_INFO, fmt, ##__VA_ARGS__)
+
extern struct nilfs_super_block *
nilfs_read_super_block(struct super_block *, u64, int, struct buffer_head **);
extern int nilfs_store_magic_and_option(struct super_block *,
diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c
index e5fee7fac9154..762dd277099eb 100644
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -401,9 +401,8 @@ void nilfs_clear_dirty_page(struct page *page, bool silent)
BUG_ON(!PageLocked(page));
if (!silent)
- nilfs_msg(sb, KERN_WARNING,
- "discard dirty page: offset=%lld, ino=%lu",
- page_offset(page), inode->i_ino);
+ nilfs_warn(sb, "discard dirty page: offset=%lld, ino=%lu",
+ page_offset(page), inode->i_ino);
ClearPageUptodate(page);
ClearPageMappedToDisk(page);
@@ -419,9 +418,9 @@ void nilfs_clear_dirty_page(struct page *page, bool silent)
do {
lock_buffer(bh);
if (!silent)
- nilfs_msg(sb, KERN_WARNING,
- "discard dirty block: blocknr=%llu, size=%zu",
- (u64)bh->b_blocknr, bh->b_size);
+ nilfs_warn(sb,
+ "discard dirty block: blocknr=%llu, size=%zu",
+ (u64)bh->b_blocknr, bh->b_size);
set_mask_bits(&bh->b_state, clear_bits, 0);
unlock_buffer(bh);
diff --git a/fs/nilfs2/recovery.c b/fs/nilfs2/recovery.c
index 18feb9c7c7066..0923231e9e605 100644
--- a/fs/nilfs2/recovery.c
+++ b/fs/nilfs2/recovery.c
@@ -51,7 +51,7 @@ static int nilfs_warn_segment_error(struct super_block *sb, int err)
switch (err) {
case NILFS_SEG_FAIL_IO:
- nilfs_msg(sb, KERN_ERR, "I/O error reading segment");
+ nilfs_err(sb, "I/O error reading segment");
return -EIO;
case NILFS_SEG_FAIL_MAGIC:
msg = "Magic number mismatch";
@@ -72,10 +72,10 @@ static int nilfs_warn_segment_error(struct super_block *sb, int err)
msg = "No super root in the last segment";
break;
default:
- nilfs_msg(sb, KERN_ERR, "unrecognized segment error %d", err);
+ nilfs_err(sb, "unrecognized segment error %d", err);
return -EINVAL;
}
- nilfs_msg(sb, KERN_WARNING, "invalid segment: %s", msg);
+ nilfs_warn(sb, "invalid segment: %s", msg);
return -EINVAL;
}
@@ -544,10 +544,10 @@ static int nilfs_recover_dsync_blocks(struct the_nilfs *nilfs,
put_page(page);
failed_inode:
- nilfs_msg(sb, KERN_WARNING,
- "error %d recovering data block (ino=%lu, block-offset=%llu)",
- err, (unsigned long)rb->ino,
- (unsigned long long)rb->blkoff);
+ nilfs_warn(sb,
+ "error %d recovering data block (ino=%lu, block-offset=%llu)",
+ err, (unsigned long)rb->ino,
+ (unsigned long long)rb->blkoff);
if (!err2)
err2 = err;
next:
@@ -670,8 +670,7 @@ static int nilfs_do_roll_forward(struct the_nilfs *nilfs,
}
if (nsalvaged_blocks) {
- nilfs_msg(sb, KERN_INFO, "salvaged %lu blocks",
- nsalvaged_blocks);
+ nilfs_info(sb, "salvaged %lu blocks", nsalvaged_blocks);
ri->ri_need_recovery = NILFS_RECOVERY_ROLLFORWARD_DONE;
}
out:
@@ -682,7 +681,7 @@ static int nilfs_do_roll_forward(struct the_nilfs *nilfs,
confused:
err = -EINVAL;
failed:
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"error %d roll-forwarding partial segment at blocknr = %llu",
err, (unsigned long long)pseg_start);
goto out;
@@ -704,8 +703,8 @@ static void nilfs_finish_roll_forward(struct the_nilfs *nilfs,
set_buffer_dirty(bh);
err = sync_dirty_buffer(bh);
if (unlikely(err))
- nilfs_msg(nilfs->ns_sb, KERN_WARNING,
- "buffer sync write failed during post-cleaning of recovery.");
+ nilfs_warn(nilfs->ns_sb,
+ "buffer sync write failed during post-cleaning of recovery.");
brelse(bh);
}
@@ -740,8 +739,7 @@ int nilfs_salvage_orphan_logs(struct the_nilfs *nilfs,
err = nilfs_attach_checkpoint(sb, ri->ri_cno, true, &root);
if (unlikely(err)) {
- nilfs_msg(sb, KERN_ERR,
- "error %d loading the latest checkpoint", err);
+ nilfs_err(sb, "error %d loading the latest checkpoint", err);
return err;
}
@@ -752,8 +750,7 @@ int nilfs_salvage_orphan_logs(struct the_nilfs *nilfs,
if (ri->ri_need_recovery == NILFS_RECOVERY_ROLLFORWARD_DONE) {
err = nilfs_prepare_segment_for_recovery(nilfs, sb, ri);
if (unlikely(err)) {
- nilfs_msg(sb, KERN_ERR,
- "error %d preparing segment for recovery",
+ nilfs_err(sb, "error %d preparing segment for recovery",
err);
goto failed;
}
@@ -767,8 +764,7 @@ int nilfs_salvage_orphan_logs(struct the_nilfs *nilfs,
nilfs_detach_log_writer(sb);
if (unlikely(err)) {
- nilfs_msg(sb, KERN_ERR,
- "error %d writing segment for recovery",
+ nilfs_err(sb, "error %d writing segment for recovery",
err);
goto failed;
}
diff --git a/fs/nilfs2/segbuf.c b/fs/nilfs2/segbuf.c
index e72466fc8ca93..9f435879a0487 100644
--- a/fs/nilfs2/segbuf.c
+++ b/fs/nilfs2/segbuf.c
@@ -511,7 +511,7 @@ static int nilfs_segbuf_wait(struct nilfs_segment_buffer *segbuf)
} while (--segbuf->sb_nbio > 0);
if (unlikely(atomic_read(&segbuf->sb_err) > 0)) {
- nilfs_msg(segbuf->sb_super, KERN_ERR,
+ nilfs_err(segbuf->sb_super,
"I/O error writing log (start-blocknr=%llu, block-count=%lu) in segment %llu",
(unsigned long long)segbuf->sb_pseg_start,
segbuf->sb_sum.nblocks,
diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
index 7d1860d33723e..d4610f71d21b7 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -158,7 +158,7 @@ static int nilfs_prepare_segment_lock(struct super_block *sb,
* it is saved and will be restored on
* nilfs_transaction_commit().
*/
- nilfs_msg(sb, KERN_WARNING, "journal info from a different FS");
+ nilfs_warn(sb, "journal info from a different FS");
save = current->journal_info;
}
if (!ti) {
@@ -1983,9 +1983,9 @@ static int nilfs_segctor_collect_dirty_files(struct nilfs_sc_info *sci,
err = nilfs_ifile_get_inode_block(
ifile, ii->vfs_inode.i_ino, &ibh);
if (unlikely(err)) {
- nilfs_msg(sci->sc_super, KERN_WARNING,
- "log writer: error %d getting inode block (ino=%lu)",
- err, ii->vfs_inode.i_ino);
+ nilfs_warn(sci->sc_super,
+ "log writer: error %d getting inode block (ino=%lu)",
+ err, ii->vfs_inode.i_ino);
return err;
}
spin_lock(&nilfs->ns_inode_lock);
@@ -2495,7 +2495,7 @@ int nilfs_clean_segments(struct super_block *sb, struct nilfs_argv *argv,
if (likely(!err))
break;
- nilfs_msg(sb, KERN_WARNING, "error %d cleaning segments", err);
+ nilfs_warn(sb, "error %d cleaning segments", err);
set_current_state(TASK_INTERRUPTIBLE);
schedule_timeout(sci->sc_interval);
}
@@ -2503,9 +2503,9 @@ int nilfs_clean_segments(struct super_block *sb, struct nilfs_argv *argv,
int ret = nilfs_discard_segments(nilfs, sci->sc_freesegs,
sci->sc_nfreesegs);
if (ret) {
- nilfs_msg(sb, KERN_WARNING,
- "error %d on discard request, turning discards off for the device",
- ret);
+ nilfs_warn(sb,
+ "error %d on discard request, turning discards off for the device",
+ ret);
nilfs_clear_opt(nilfs, DISCARD);
}
}
@@ -2586,9 +2586,9 @@ static int nilfs_segctor_thread(void *arg)
/* start sync. */
sci->sc_task = current;
wake_up(&sci->sc_wait_task); /* for nilfs_segctor_start_thread() */
- nilfs_msg(sci->sc_super, KERN_INFO,
- "segctord starting. Construction interval = %lu seconds, CP frequency < %lu seconds",
- sci->sc_interval / HZ, sci->sc_mjcp_freq / HZ);
+ nilfs_info(sci->sc_super,
+ "segctord starting. Construction interval = %lu seconds, CP frequency < %lu seconds",
+ sci->sc_interval / HZ, sci->sc_mjcp_freq / HZ);
spin_lock(&sci->sc_state_lock);
loop:
@@ -2661,8 +2661,8 @@ static int nilfs_segctor_start_thread(struct nilfs_sc_info *sci)
if (IS_ERR(t)) {
int err = PTR_ERR(t);
- nilfs_msg(sci->sc_super, KERN_ERR,
- "error %d creating segctord thread", err);
+ nilfs_err(sci->sc_super, "error %d creating segctord thread",
+ err);
return err;
}
wait_event(sci->sc_wait_task, sci->sc_task != NULL);
@@ -2772,14 +2772,14 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci)
nilfs_segctor_write_out(sci);
if (!list_empty(&sci->sc_dirty_files)) {
- nilfs_msg(sci->sc_super, KERN_WARNING,
- "disposed unprocessed dirty file(s) when stopping log writer");
+ nilfs_warn(sci->sc_super,
+ "disposed unprocessed dirty file(s) when stopping log writer");
nilfs_dispose_list(nilfs, &sci->sc_dirty_files, 1);
}
if (!list_empty(&sci->sc_iput_queue)) {
- nilfs_msg(sci->sc_super, KERN_WARNING,
- "disposed unprocessed inode(s) in iput queue when stopping log writer");
+ nilfs_warn(sci->sc_super,
+ "disposed unprocessed inode(s) in iput queue when stopping log writer");
nilfs_dispose_list(nilfs, &sci->sc_iput_queue, 1);
}
@@ -2858,8 +2858,8 @@ void nilfs_detach_log_writer(struct super_block *sb)
spin_lock(&nilfs->ns_inode_lock);
if (!list_empty(&nilfs->ns_dirty_files)) {
list_splice_init(&nilfs->ns_dirty_files, &garbage_list);
- nilfs_msg(sb, KERN_WARNING,
- "disposed unprocessed dirty file(s) when detaching log writer");
+ nilfs_warn(sb,
+ "disposed unprocessed dirty file(s) when detaching log writer");
}
spin_unlock(&nilfs->ns_inode_lock);
up_write(&nilfs->ns_segctor_sem);
diff --git a/fs/nilfs2/sufile.c b/fs/nilfs2/sufile.c
index 4626540008c13..379db0c54227f 100644
--- a/fs/nilfs2/sufile.c
+++ b/fs/nilfs2/sufile.c
@@ -171,9 +171,9 @@ int nilfs_sufile_updatev(struct inode *sufile, __u64 *segnumv, size_t nsegs,
down_write(&NILFS_MDT(sufile)->mi_sem);
for (seg = segnumv; seg < segnumv + nsegs; seg++) {
if (unlikely(*seg >= nilfs_sufile_get_nsegments(sufile))) {
- nilfs_msg(sufile->i_sb, KERN_WARNING,
- "%s: invalid segment number: %llu",
- __func__, (unsigned long long)*seg);
+ nilfs_warn(sufile->i_sb,
+ "%s: invalid segment number: %llu",
+ __func__, (unsigned long long)*seg);
nerr++;
}
}
@@ -230,9 +230,8 @@ int nilfs_sufile_update(struct inode *sufile, __u64 segnum, int create,
int ret;
if (unlikely(segnum >= nilfs_sufile_get_nsegments(sufile))) {
- nilfs_msg(sufile->i_sb, KERN_WARNING,
- "%s: invalid segment number: %llu",
- __func__, (unsigned long long)segnum);
+ nilfs_warn(sufile->i_sb, "%s: invalid segment number: %llu",
+ __func__, (unsigned long long)segnum);
return -EINVAL;
}
down_write(&NILFS_MDT(sufile)->mi_sem);
@@ -410,9 +409,8 @@ void nilfs_sufile_do_cancel_free(struct inode *sufile, __u64 segnum,
kaddr = kmap_atomic(su_bh->b_page);
su = nilfs_sufile_block_get_segment_usage(sufile, segnum, su_bh, kaddr);
if (unlikely(!nilfs_segment_usage_clean(su))) {
- nilfs_msg(sufile->i_sb, KERN_WARNING,
- "%s: segment %llu must be clean", __func__,
- (unsigned long long)segnum);
+ nilfs_warn(sufile->i_sb, "%s: segment %llu must be clean",
+ __func__, (unsigned long long)segnum);
kunmap_atomic(kaddr);
return;
}
@@ -468,9 +466,8 @@ void nilfs_sufile_do_free(struct inode *sufile, __u64 segnum,
kaddr = kmap_atomic(su_bh->b_page);
su = nilfs_sufile_block_get_segment_usage(sufile, segnum, su_bh, kaddr);
if (nilfs_segment_usage_clean(su)) {
- nilfs_msg(sufile->i_sb, KERN_WARNING,
- "%s: segment %llu is already clean",
- __func__, (unsigned long long)segnum);
+ nilfs_warn(sufile->i_sb, "%s: segment %llu is already clean",
+ __func__, (unsigned long long)segnum);
kunmap_atomic(kaddr);
return;
}
@@ -1213,12 +1210,12 @@ int nilfs_sufile_read(struct super_block *sb, size_t susize,
int err;
if (susize > sb->s_blocksize) {
- nilfs_msg(sb, KERN_ERR,
- "too large segment usage size: %zu bytes", susize);
+ nilfs_err(sb, "too large segment usage size: %zu bytes",
+ susize);
return -EINVAL;
} else if (susize < NILFS_MIN_SEGMENT_USAGE_SIZE) {
- nilfs_msg(sb, KERN_ERR,
- "too small segment usage size: %zu bytes", susize);
+ nilfs_err(sb, "too small segment usage size: %zu bytes",
+ susize);
return -EINVAL;
}
diff --git a/fs/nilfs2/super.c b/fs/nilfs2/super.c
index 99bcb4ab47a61..6d33eecff2619 100644
--- a/fs/nilfs2/super.c
+++ b/fs/nilfs2/super.c
@@ -106,7 +106,7 @@ static void nilfs_set_error(struct super_block *sb)
*
* This implements the body of nilfs_error() macro. Normally,
* nilfs_error() should be used. As for sustainable errors such as a
- * single-shot I/O error, nilfs_msg() should be used instead.
+ * single-shot I/O error, nilfs_err() should be used instead.
*
* Callers should not add a trailing newline since this will do it.
*/
@@ -186,8 +186,7 @@ static int nilfs_sync_super(struct super_block *sb, int flag)
}
if (unlikely(err)) {
- nilfs_msg(sb, KERN_ERR, "unable to write superblock: err=%d",
- err);
+ nilfs_err(sb, "unable to write superblock: err=%d", err);
if (err == -EIO && nilfs->ns_sbh[1]) {
/*
* sbp[0] points to newer log than sbp[1],
@@ -257,7 +256,7 @@ struct nilfs_super_block **nilfs_prepare_super(struct super_block *sb,
sbp[1]->s_magic == cpu_to_le16(NILFS_SUPER_MAGIC)) {
memcpy(sbp[0], sbp[1], nilfs->ns_sbsize);
} else {
- nilfs_msg(sb, KERN_CRIT, "superblock broke");
+ nilfs_crit(sb, "superblock broke");
return NULL;
}
} else if (sbp[1] &&
@@ -367,9 +366,9 @@ static int nilfs_move_2nd_super(struct super_block *sb, loff_t sb2off)
offset = sb2off & (nilfs->ns_blocksize - 1);
nsbh = sb_getblk(sb, newblocknr);
if (!nsbh) {
- nilfs_msg(sb, KERN_WARNING,
- "unable to move secondary superblock to block %llu",
- (unsigned long long)newblocknr);
+ nilfs_warn(sb,
+ "unable to move secondary superblock to block %llu",
+ (unsigned long long)newblocknr);
ret = -EIO;
goto out;
}
@@ -563,7 +562,7 @@ int nilfs_attach_checkpoint(struct super_block *sb, __u64 cno, int curr_mnt,
up_read(&nilfs->ns_segctor_sem);
if (unlikely(err)) {
if (err == -ENOENT || err == -EINVAL) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"Invalid checkpoint (checkpoint number=%llu)",
(unsigned long long)cno);
err = -EINVAL;
@@ -661,8 +660,7 @@ static int nilfs_statfs(struct dentry *dentry, struct kstatfs *buf)
err = nilfs_ifile_count_free_inodes(root->ifile,
&nmaxinodes, &nfreeinodes);
if (unlikely(err)) {
- nilfs_msg(sb, KERN_WARNING,
- "failed to count free inodes: err=%d", err);
+ nilfs_warn(sb, "failed to count free inodes: err=%d", err);
if (err == -ERANGE) {
/*
* If nilfs_palloc_count_max_entries() returns
@@ -794,7 +792,7 @@ static int parse_options(char *options, struct super_block *sb, int is_remount)
break;
case Opt_snapshot:
if (is_remount) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"\"%s\" option is invalid for remount",
p);
return 0;
@@ -810,8 +808,7 @@ static int parse_options(char *options, struct super_block *sb, int is_remount)
nilfs_clear_opt(nilfs, DISCARD);
break;
default:
- nilfs_msg(sb, KERN_ERR,
- "unrecognized mount option \"%s\"", p);
+ nilfs_err(sb, "unrecognized mount option \"%s\"", p);
return 0;
}
}
@@ -847,10 +844,10 @@ static int nilfs_setup_super(struct super_block *sb, int is_mount)
mnt_count = le16_to_cpu(sbp[0]->s_mnt_count);
if (nilfs->ns_mount_state & NILFS_ERROR_FS) {
- nilfs_msg(sb, KERN_WARNING, "mounting fs with errors");
+ nilfs_warn(sb, "mounting fs with errors");
#if 0
} else if (max_mnt_count >= 0 && mnt_count >= max_mnt_count) {
- nilfs_msg(sb, KERN_WARNING, "maximal mount count reached");
+ nilfs_warn(sb, "maximal mount count reached");
#endif
}
if (!max_mnt_count)
@@ -913,7 +910,7 @@ int nilfs_check_feature_compatibility(struct super_block *sb,
features = le64_to_cpu(sbp->s_feature_incompat) &
~NILFS_FEATURE_INCOMPAT_SUPP;
if (features) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"couldn't mount because of unsupported optional features (%llx)",
(unsigned long long)features);
return -EINVAL;
@@ -921,7 +918,7 @@ int nilfs_check_feature_compatibility(struct super_block *sb,
features = le64_to_cpu(sbp->s_feature_compat_ro) &
~NILFS_FEATURE_COMPAT_RO_SUPP;
if (!sb_rdonly(sb) && features) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"couldn't mount RDWR because of unsupported optional features (%llx)",
(unsigned long long)features);
return -EINVAL;
@@ -940,12 +937,12 @@ static int nilfs_get_root_dentry(struct super_block *sb,
inode = nilfs_iget(sb, root, NILFS_ROOT_INO);
if (IS_ERR(inode)) {
ret = PTR_ERR(inode);
- nilfs_msg(sb, KERN_ERR, "error %d getting root inode", ret);
+ nilfs_err(sb, "error %d getting root inode", ret);
goto out;
}
if (!S_ISDIR(inode->i_mode) || !inode->i_blocks || !inode->i_size) {
iput(inode);
- nilfs_msg(sb, KERN_ERR, "corrupt root inode");
+ nilfs_err(sb, "corrupt root inode");
ret = -EINVAL;
goto out;
}
@@ -973,7 +970,7 @@ static int nilfs_get_root_dentry(struct super_block *sb,
return ret;
failed_dentry:
- nilfs_msg(sb, KERN_ERR, "error %d getting root dentry", ret);
+ nilfs_err(sb, "error %d getting root dentry", ret);
goto out;
}
@@ -993,7 +990,7 @@ static int nilfs_attach_snapshot(struct super_block *s, __u64 cno,
ret = (ret == -ENOENT) ? -EINVAL : ret;
goto out;
} else if (!ret) {
- nilfs_msg(s, KERN_ERR,
+ nilfs_err(s,
"The specified checkpoint is not a snapshot (checkpoint number=%llu)",
(unsigned long long)cno);
ret = -EINVAL;
@@ -1002,7 +999,7 @@ static int nilfs_attach_snapshot(struct super_block *s, __u64 cno,
ret = nilfs_attach_checkpoint(s, cno, false, &root);
if (ret) {
- nilfs_msg(s, KERN_ERR,
+ nilfs_err(s,
"error %d while loading snapshot (checkpoint number=%llu)",
ret, (unsigned long long)cno);
goto out;
@@ -1099,7 +1096,7 @@ nilfs_fill_super(struct super_block *sb, void *data, int silent)
cno = nilfs_last_cno(nilfs);
err = nilfs_attach_checkpoint(sb, cno, true, &fsroot);
if (err) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"error %d while loading last checkpoint (checkpoint number=%llu)",
err, (unsigned long long)cno);
goto failed_unload;
@@ -1162,8 +1159,8 @@ static int nilfs_remount(struct super_block *sb, int *flags, char *data)
err = -EINVAL;
if (!nilfs_valid_fs(nilfs)) {
- nilfs_msg(sb, KERN_WARNING,
- "couldn't remount because the filesystem is in an incomplete recovery state");
+ nilfs_warn(sb,
+ "couldn't remount because the filesystem is in an incomplete recovery state");
goto restore_opts;
}
@@ -1193,9 +1190,9 @@ static int nilfs_remount(struct super_block *sb, int *flags, char *data)
~NILFS_FEATURE_COMPAT_RO_SUPP;
up_read(&nilfs->ns_sem);
if (features) {
- nilfs_msg(sb, KERN_WARNING,
- "couldn't remount RDWR because of unsupported optional features (%llx)",
- (unsigned long long)features);
+ nilfs_warn(sb,
+ "couldn't remount RDWR because of unsupported optional features (%llx)",
+ (unsigned long long)features);
err = -EROFS;
goto restore_opts;
}
@@ -1254,7 +1251,7 @@ static int nilfs_parse_snapshot_option(const char *option,
return 0;
parse_error:
- nilfs_msg(NULL, KERN_ERR, "invalid option \"%s\": %s", option, msg);
+ nilfs_err(NULL, "invalid option \"%s\": %s", option, msg);
return 1;
}
@@ -1357,7 +1354,7 @@ nilfs_mount(struct file_system_type *fs_type, int flags,
} else if (!sd.cno) {
if (nilfs_tree_is_busy(s->s_root)) {
if ((flags ^ s->s_flags) & SB_RDONLY) {
- nilfs_msg(s, KERN_ERR,
+ nilfs_err(s,
"the device already has a %s mount.",
sb_rdonly(s) ? "read-only" : "read/write");
err = -EBUSY;
diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c
index 28a2db3b1787f..57afd06db62de 100644
--- a/fs/nilfs2/sysfs.c
+++ b/fs/nilfs2/sysfs.c
@@ -261,8 +261,8 @@ nilfs_checkpoints_checkpoints_number_show(struct nilfs_checkpoints_attr *attr,
err = nilfs_cpfile_get_stat(nilfs->ns_cpfile, &cpstat);
up_read(&nilfs->ns_segctor_sem);
if (err < 0) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
- "unable to get checkpoint stat: err=%d", err);
+ nilfs_err(nilfs->ns_sb, "unable to get checkpoint stat: err=%d",
+ err);
return err;
}
@@ -284,8 +284,8 @@ nilfs_checkpoints_snapshots_number_show(struct nilfs_checkpoints_attr *attr,
err = nilfs_cpfile_get_stat(nilfs->ns_cpfile, &cpstat);
up_read(&nilfs->ns_segctor_sem);
if (err < 0) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
- "unable to get checkpoint stat: err=%d", err);
+ nilfs_err(nilfs->ns_sb, "unable to get checkpoint stat: err=%d",
+ err);
return err;
}
@@ -403,8 +403,8 @@ nilfs_segments_dirty_segments_show(struct nilfs_segments_attr *attr,
err = nilfs_sufile_get_stat(nilfs->ns_sufile, &sustat);
up_read(&nilfs->ns_segctor_sem);
if (err < 0) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
- "unable to get segment stat: err=%d", err);
+ nilfs_err(nilfs->ns_sb, "unable to get segment stat: err=%d",
+ err);
return err;
}
@@ -777,15 +777,15 @@ nilfs_superblock_sb_update_frequency_store(struct nilfs_superblock_attr *attr,
err = kstrtouint(skip_spaces(buf), 0, &val);
if (err) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
- "unable to convert string: err=%d", err);
+ nilfs_err(nilfs->ns_sb, "unable to convert string: err=%d",
+ err);
return err;
}
if (val < NILFS_SB_FREQ) {
val = NILFS_SB_FREQ;
- nilfs_msg(nilfs->ns_sb, KERN_WARNING,
- "superblock update frequency cannot be lesser than 10 seconds");
+ nilfs_warn(nilfs->ns_sb,
+ "superblock update frequency cannot be lesser than 10 seconds");
}
down_write(&nilfs->ns_sem);
@@ -988,8 +988,7 @@ int nilfs_sysfs_create_device_group(struct super_block *sb)
nilfs->ns_dev_subgroups = kzalloc(devgrp_size, GFP_KERNEL);
if (unlikely(!nilfs->ns_dev_subgroups)) {
err = -ENOMEM;
- nilfs_msg(sb, KERN_ERR,
- "unable to allocate memory for device group");
+ nilfs_err(sb, "unable to allocate memory for device group");
goto failed_create_device_group;
}
@@ -1098,15 +1097,13 @@ int __init nilfs_sysfs_init(void)
nilfs_kset = kset_create_and_add(NILFS_ROOT_GROUP_NAME, NULL, fs_kobj);
if (!nilfs_kset) {
err = -ENOMEM;
- nilfs_msg(NULL, KERN_ERR,
- "unable to create sysfs entry: err=%d", err);
+ nilfs_err(NULL, "unable to create sysfs entry: err=%d", err);
goto failed_sysfs_init;
}
err = sysfs_create_group(&nilfs_kset->kobj, &nilfs_feature_attr_group);
if (unlikely(err)) {
- nilfs_msg(NULL, KERN_ERR,
- "unable to create feature group: err=%d", err);
+ nilfs_err(NULL, "unable to create feature group: err=%d", err);
goto cleanup_sysfs_init;
}
diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
index c8d869bc25b0c..0480034644aa7 100644
--- a/fs/nilfs2/the_nilfs.c
+++ b/fs/nilfs2/the_nilfs.c
@@ -183,7 +183,7 @@ static int nilfs_store_log_cursor(struct the_nilfs *nilfs,
nilfs_get_segnum_of_block(nilfs, nilfs->ns_last_pseg);
nilfs->ns_cno = nilfs->ns_last_cno + 1;
if (nilfs->ns_segnum >= nilfs->ns_nsegments) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
+ nilfs_err(nilfs->ns_sb,
"pointed segment number is out of range: segnum=%llu, nsegments=%lu",
(unsigned long long)nilfs->ns_segnum,
nilfs->ns_nsegments);
@@ -210,12 +210,12 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
int err;
if (!valid_fs) {
- nilfs_msg(sb, KERN_WARNING, "mounting unchecked fs");
+ nilfs_warn(sb, "mounting unchecked fs");
if (s_flags & SB_RDONLY) {
- nilfs_msg(sb, KERN_INFO,
- "recovery required for readonly filesystem");
- nilfs_msg(sb, KERN_INFO,
- "write access will be enabled during recovery");
+ nilfs_info(sb,
+ "recovery required for readonly filesystem");
+ nilfs_info(sb,
+ "write access will be enabled during recovery");
}
}
@@ -230,12 +230,11 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
goto scan_error;
if (!nilfs_valid_sb(sbp[1])) {
- nilfs_msg(sb, KERN_WARNING,
- "unable to fall back to spare super block");
+ nilfs_warn(sb,
+ "unable to fall back to spare super block");
goto scan_error;
}
- nilfs_msg(sb, KERN_INFO,
- "trying rollback from an earlier position");
+ nilfs_info(sb, "trying rollback from an earlier position");
/*
* restore super block with its spare and reconfigure
@@ -248,9 +247,9 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
/* verify consistency between two super blocks */
blocksize = BLOCK_SIZE << le32_to_cpu(sbp[0]->s_log_block_size);
if (blocksize != nilfs->ns_blocksize) {
- nilfs_msg(sb, KERN_WARNING,
- "blocksize differs between two super blocks (%d != %d)",
- blocksize, nilfs->ns_blocksize);
+ nilfs_warn(sb,
+ "blocksize differs between two super blocks (%d != %d)",
+ blocksize, nilfs->ns_blocksize);
goto scan_error;
}
@@ -269,8 +268,7 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
err = nilfs_load_super_root(nilfs, sb, ri.ri_super_root);
if (unlikely(err)) {
- nilfs_msg(sb, KERN_ERR, "error %d while loading super root",
- err);
+ nilfs_err(sb, "error %d while loading super root", err);
goto failed;
}
@@ -285,28 +283,28 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
__u64 features;
if (nilfs_test_opt(nilfs, NORECOVERY)) {
- nilfs_msg(sb, KERN_INFO,
- "norecovery option specified, skipping roll-forward recovery");
+ nilfs_info(sb,
+ "norecovery option specified, skipping roll-forward recovery");
goto skip_recovery;
}
features = le64_to_cpu(nilfs->ns_sbp[0]->s_feature_compat_ro) &
~NILFS_FEATURE_COMPAT_RO_SUPP;
if (features) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"couldn't proceed with recovery because of unsupported optional features (%llx)",
(unsigned long long)features);
err = -EROFS;
goto failed_unload;
}
if (really_read_only) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"write access unavailable, cannot proceed");
err = -EROFS;
goto failed_unload;
}
sb->s_flags &= ~SB_RDONLY;
} else if (nilfs_test_opt(nilfs, NORECOVERY)) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"recovery cancelled because norecovery option was specified for a read/write mount");
err = -EINVAL;
goto failed_unload;
@@ -322,12 +320,12 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
up_write(&nilfs->ns_sem);
if (err) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"error %d updating super block. recovery unfinished.",
err);
goto failed_unload;
}
- nilfs_msg(sb, KERN_INFO, "recovery complete");
+ nilfs_info(sb, "recovery complete");
skip_recovery:
nilfs_clear_recovery_info(&ri);
@@ -335,7 +333,7 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
return 0;
scan_error:
- nilfs_msg(sb, KERN_ERR, "error %d while searching super root", err);
+ nilfs_err(sb, "error %d while searching super root", err);
goto failed;
failed_unload:
@@ -399,7 +397,7 @@ static int nilfs_store_disk_layout(struct the_nilfs *nilfs,
u64 nsegments, nblocks;
if (le32_to_cpu(sbp->s_rev_level) < NILFS_MIN_SUPP_REV) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
+ nilfs_err(nilfs->ns_sb,
"unsupported revision (superblock rev.=%d.%d, current rev.=%d.%d). Please check the version of mkfs.nilfs(2).",
le32_to_cpu(sbp->s_rev_level),
le16_to_cpu(sbp->s_minor_rev_level),
@@ -412,13 +410,11 @@ static int nilfs_store_disk_layout(struct the_nilfs *nilfs,
nilfs->ns_inode_size = le16_to_cpu(sbp->s_inode_size);
if (nilfs->ns_inode_size > nilfs->ns_blocksize) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
- "too large inode size: %d bytes",
+ nilfs_err(nilfs->ns_sb, "too large inode size: %d bytes",
nilfs->ns_inode_size);
return -EINVAL;
} else if (nilfs->ns_inode_size < NILFS_MIN_INODE_SIZE) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
- "too small inode size: %d bytes",
+ nilfs_err(nilfs->ns_sb, "too small inode size: %d bytes",
nilfs->ns_inode_size);
return -EINVAL;
}
@@ -427,8 +423,7 @@ static int nilfs_store_disk_layout(struct the_nilfs *nilfs,
nilfs->ns_blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment);
if (nilfs->ns_blocks_per_segment < NILFS_SEG_MIN_BLOCKS) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
- "too short segment: %lu blocks",
+ nilfs_err(nilfs->ns_sb, "too short segment: %lu blocks",
nilfs->ns_blocks_per_segment);
return -EINVAL;
}
@@ -438,7 +433,7 @@ static int nilfs_store_disk_layout(struct the_nilfs *nilfs,
le32_to_cpu(sbp->s_r_segments_percentage);
if (nilfs->ns_r_segments_percentage < 1 ||
nilfs->ns_r_segments_percentage > 99) {
- nilfs_msg(nilfs->ns_sb, KERN_ERR,
+ nilfs_err(nilfs->ns_sb,
"invalid reserved segments percentage: %lu",
nilfs->ns_r_segments_percentage);
return -EINVAL;
@@ -580,16 +575,16 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs,
if (!sbp[0]) {
if (!sbp[1]) {
- nilfs_msg(sb, KERN_ERR, "unable to read superblock");
+ nilfs_err(sb, "unable to read superblock");
return -EIO;
}
- nilfs_msg(sb, KERN_WARNING,
- "unable to read primary superblock (blocksize = %d)",
- blocksize);
+ nilfs_warn(sb,
+ "unable to read primary superblock (blocksize = %d)",
+ blocksize);
} else if (!sbp[1]) {
- nilfs_msg(sb, KERN_WARNING,
- "unable to read secondary superblock (blocksize = %d)",
- blocksize);
+ nilfs_warn(sb,
+ "unable to read secondary superblock (blocksize = %d)",
+ blocksize);
}
/*
@@ -611,14 +606,14 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs,
}
if (!valid[swp]) {
nilfs_release_super_block(nilfs);
- nilfs_msg(sb, KERN_ERR, "couldn't find nilfs on the device");
+ nilfs_err(sb, "couldn't find nilfs on the device");
return -EINVAL;
}
if (!valid[!swp])
- nilfs_msg(sb, KERN_WARNING,
- "broken superblock, retrying with spare superblock (blocksize = %d)",
- blocksize);
+ nilfs_warn(sb,
+ "broken superblock, retrying with spare superblock (blocksize = %d)",
+ blocksize);
if (swp)
nilfs_swap_super_block(nilfs);
@@ -652,7 +647,7 @@ int init_nilfs(struct the_nilfs *nilfs, struct super_block *sb, char *data)
blocksize = sb_min_blocksize(sb, NILFS_MIN_BLOCK_SIZE);
if (!blocksize) {
- nilfs_msg(sb, KERN_ERR, "unable to set blocksize");
+ nilfs_err(sb, "unable to set blocksize");
err = -EINVAL;
goto out;
}
@@ -671,7 +666,7 @@ int init_nilfs(struct the_nilfs *nilfs, struct super_block *sb, char *data)
blocksize = BLOCK_SIZE << le32_to_cpu(sbp->s_log_block_size);
if (blocksize < NILFS_MIN_BLOCK_SIZE ||
blocksize > NILFS_MAX_BLOCK_SIZE) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"couldn't mount because of unsupported filesystem blocksize %d",
blocksize);
err = -EINVAL;
@@ -681,7 +676,7 @@ int init_nilfs(struct the_nilfs *nilfs, struct super_block *sb, char *data)
int hw_blocksize = bdev_logical_block_size(sb->s_bdev);
if (blocksize < hw_blocksize) {
- nilfs_msg(sb, KERN_ERR,
+ nilfs_err(sb,
"blocksize %d too small for device (sector-size = %d)",
blocksize, hw_blocksize);
err = -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 065/175] nilfs2: prevent kernel bug at submit_bh_wbc()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 064/175] nilfs2: use a more common logging style Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 066/175] x86/CPU/AMD: Update the Zenbleed microcode revisions Greg Kroah-Hartman
` (115 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi, Andrew Morton, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
[ Upstream commit 269cdf353b5bdd15f1a079671b0f889113865f20 ]
Fix a bug where nilfs_get_block() returns a successful status when
searching and inserting the specified block both fail inconsistently. If
this inconsistent behavior is not due to a previously fixed bug, then an
unexpected race is occurring, so return a temporary error -EAGAIN instead.
This prevents callers such as __block_write_begin_int() from requesting a
read into a buffer that is not mapped, which would cause the BUG_ON check
for the BH_Mapped flag in submit_bh_wbc() to fail.
Link: https://lkml.kernel.org/r/20240313105827.5296-3-konishi.ryusuke@gmail.com
Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index 83dbfd9d25323..530edb813add8 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -111,7 +111,7 @@ int nilfs_get_block(struct inode *inode, sector_t blkoff,
"%s (ino=%lu): a race condition while inserting a data block at offset=%llu",
__func__, inode->i_ino,
(unsigned long long)blkoff);
- err = 0;
+ err = -EAGAIN;
}
nilfs_transaction_abort(inode->i_sb);
goto out;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 066/175] x86/CPU/AMD: Update the Zenbleed microcode revisions
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 065/175] nilfs2: prevent kernel bug at submit_bh_wbc() Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 067/175] ahci: asm1064: correct count of reported ports Greg Kroah-Hartman
` (114 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov (AMD),
stable, Linus Torvalds, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov (AMD) <bp@alien8.de>
[ Upstream commit 5c84b051bd4e777cf37aaff983277e58c99618d5 ]
Update them to the correct revision numbers.
Fixes: 522b1d69219d ("x86/cpu/amd: Add a Zenbleed fix")
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: <stable@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/amd.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 5b75a4ff6802c..3f6188477e014 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -988,11 +988,11 @@ static bool cpu_has_zenbleed_microcode(void)
u32 good_rev = 0;
switch (boot_cpu_data.x86_model) {
- case 0x30 ... 0x3f: good_rev = 0x0830107a; break;
- case 0x60 ... 0x67: good_rev = 0x0860010b; break;
- case 0x68 ... 0x6f: good_rev = 0x08608105; break;
- case 0x70 ... 0x7f: good_rev = 0x08701032; break;
- case 0xa0 ... 0xaf: good_rev = 0x08a00008; break;
+ case 0x30 ... 0x3f: good_rev = 0x0830107b; break;
+ case 0x60 ... 0x67: good_rev = 0x0860010c; break;
+ case 0x68 ... 0x6f: good_rev = 0x08608107; break;
+ case 0x70 ... 0x7f: good_rev = 0x08701033; break;
+ case 0xa0 ... 0xaf: good_rev = 0x08a00009; break;
default:
return false;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 067/175] ahci: asm1064: correct count of reported ports
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 066/175] x86/CPU/AMD: Update the Zenbleed microcode revisions Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 068/175] ahci: asm1064: asm1166: dont limit " Greg Kroah-Hartman
` (113 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Jr. Melnikov, Niklas Cassel,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Jr. Melnikov <temnota.am@gmail.com>
[ Upstream commit 9815e39617541ef52d0dfac4be274ad378c6dc09 ]
The ASM1064 SATA host controller always reports wrongly,
that it has 24 ports. But in reality, it only has four ports.
before:
ahci 0000:04:00.0: SSS flag set, parallel bus scan disabled
ahci 0000:04:00.0: AHCI 0001.0301 32 slots 24 ports 6 Gbps 0xffff0f impl SATA mode
ahci 0000:04:00.0: flags: 64bit ncq sntf stag pm led only pio sxs deso sadm sds apst
after:
ahci 0000:04:00.0: ASM1064 has only four ports
ahci 0000:04:00.0: forcing port_map 0xffff0f -> 0xf
ahci 0000:04:00.0: SSS flag set, parallel bus scan disabled
ahci 0000:04:00.0: AHCI 0001.0301 32 slots 24 ports 6 Gbps 0xf impl SATA mode
ahci 0000:04:00.0: flags: 64bit ncq sntf stag pm led only pio sxs deso sadm sds apst
Signed-off-by: "Andrey Jr. Melnikov" <temnota.am@gmail.com>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Stable-dep-of: 6cd8adc3e189 ("ahci: asm1064: asm1166: don't limit reported ports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index abdfd440987b4..6b1562fed85ed 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -634,9 +634,17 @@ MODULE_PARM_DESC(mobile_lpm_policy, "Default LPM policy for mobile chipsets");
static void ahci_pci_save_initial_config(struct pci_dev *pdev,
struct ahci_host_priv *hpriv)
{
- if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && pdev->device == 0x1166) {
- dev_info(&pdev->dev, "ASM1166 has only six ports\n");
- hpriv->saved_port_map = 0x3f;
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA) {
+ switch (pdev->device) {
+ case 0x1166:
+ dev_info(&pdev->dev, "ASM1166 has only six ports\n");
+ hpriv->saved_port_map = 0x3f;
+ break;
+ case 0x1064:
+ dev_info(&pdev->dev, "ASM1064 has only four ports\n");
+ hpriv->saved_port_map = 0xf;
+ break;
+ }
}
if (pdev->vendor == PCI_VENDOR_ID_JMICRON && pdev->device == 0x2361) {
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 068/175] ahci: asm1064: asm1166: dont limit reported ports
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 067/175] ahci: asm1064: correct count of reported ports Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 069/175] comedi: comedi_test: Prevent timers rescheduling during deletion Greg Kroah-Hartman
` (112 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt, Conrad Kostecki,
Hans de Goede, Niklas Cassel, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Conrad Kostecki <conikost@gentoo.org>
[ Upstream commit 6cd8adc3e18960f6e59d797285ed34ef473cc896 ]
Previously, patches have been added to limit the reported count of SATA
ports for asm1064 and asm1166 SATA controllers, as those controllers do
report more ports than physically having.
While it is allowed to report more ports than physically having in CAP.NP,
it is not allowed to report more ports than physically having in the PI
(Ports Implemented) register, which is what these HBAs do.
(This is a AHCI spec violation.)
Unfortunately, it seems that the PMP implementation in these ASMedia HBAs
is also violating the AHCI and SATA-IO PMP specification.
What these HBAs do is that they do not report that they support PMP
(CAP.SPM (Supports Port Multiplier) is not set).
Instead, they have decided to add extra "virtual" ports in the PI register
that is used if a port multiplier is connected to any of the physical
ports of the HBA.
Enumerating the devices behind the PMP as specified in the AHCI and
SATA-IO specifications, by using PMP READ and PMP WRITE commands to the
physical ports of the HBA is not possible, you have to use the "virtual"
ports.
This is of course bad, because this gives us no way to detect the device
and vendor ID of the PMP actually connected to the HBA, which means that
we can not apply the proper PMP quirks for the PMP that is connected to
the HBA.
Limiting the port map will thus stop these controllers from working with
SATA Port Multipliers.
This patch reverts both patches for asm1064 and asm1166, so old behavior
is restored and SATA PMP will work again, but it will also reintroduce the
(minutes long) extra boot time for the ASMedia controllers that do not
have a PMP connected (either on the PCIe card itself, or an external PMP).
However, a longer boot time for some, is the lesser evil compared to some
other users not being able to detect their drives at all.
Fixes: 0077a504e1a4 ("ahci: asm1166: correct count of reported ports")
Fixes: 9815e3961754 ("ahci: asm1064: correct count of reported ports")
Cc: stable@vger.kernel.org
Reported-by: Matt <cryptearth@googlemail.com>
Signed-off-by: Conrad Kostecki <conikost@gentoo.org>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
[cassel: rewrote commit message]
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index 6b1562fed85ed..ab3ea47ecce3a 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -634,19 +634,6 @@ MODULE_PARM_DESC(mobile_lpm_policy, "Default LPM policy for mobile chipsets");
static void ahci_pci_save_initial_config(struct pci_dev *pdev,
struct ahci_host_priv *hpriv)
{
- if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA) {
- switch (pdev->device) {
- case 0x1166:
- dev_info(&pdev->dev, "ASM1166 has only six ports\n");
- hpriv->saved_port_map = 0x3f;
- break;
- case 0x1064:
- dev_info(&pdev->dev, "ASM1064 has only four ports\n");
- hpriv->saved_port_map = 0xf;
- break;
- }
- }
-
if (pdev->vendor == PCI_VENDOR_ID_JMICRON && pdev->device == 0x2361) {
dev_info(&pdev->dev, "JMB361 has only one port\n");
hpriv->force_port_map = 1;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 069/175] comedi: comedi_test: Prevent timers rescheduling during deletion
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 068/175] ahci: asm1064: asm1166: dont limit " Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 070/175] netfilter: nf_tables: disallow anonymous set with timeout flag Greg Kroah-Hartman
` (111 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit f53641a6e849034a44bf80f50245a75d7a376025 upstream.
The comedi_test devices have a couple of timers (ai_timer and ao_timer)
that can be started to simulate hardware interrupts. Their expiry
functions normally reschedule the timer. The driver code calls either
del_timer_sync() or del_timer() to delete the timers from the queue, but
does not currently prevent the timers from rescheduling themselves so
synchronized deletion may be ineffective.
Add a couple of boolean members (one for each timer: ai_timer_enable and
ao_timer_enable) to the device private data structure to indicate
whether the timers are allowed to reschedule themselves. Set the member
to true when adding the timer to the queue, and to false when deleting
the timer from the queue in the waveform_ai_cancel() and
waveform_ao_cancel() functions.
The del_timer_sync() function is also called from the waveform_detach()
function, but the timer enable members will already be set to false when
that function is called, so no change is needed there.
Fixes: 403fe7f34e33 ("staging: comedi: comedi_test: fix timer race conditions")
Cc: stable@vger.kernel.org # 4.4+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20240214100747.16203-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/comedi/drivers/comedi_test.c | 30 +++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
--- a/drivers/staging/comedi/drivers/comedi_test.c
+++ b/drivers/staging/comedi/drivers/comedi_test.c
@@ -87,6 +87,8 @@ struct waveform_private {
struct comedi_device *dev; /* parent comedi device */
u64 ao_last_scan_time; /* time of previous AO scan in usec */
unsigned int ao_scan_period; /* AO scan period in usec */
+ bool ai_timer_enable:1; /* should AI timer be running? */
+ bool ao_timer_enable:1; /* should AO timer be running? */
unsigned short ao_loopbacks[N_CHANS];
};
@@ -236,8 +238,12 @@ static void waveform_ai_timer(struct tim
time_increment = devpriv->ai_convert_time - now;
else
time_increment = 1;
- mod_timer(&devpriv->ai_timer,
- jiffies + usecs_to_jiffies(time_increment));
+ spin_lock(&dev->spinlock);
+ if (devpriv->ai_timer_enable) {
+ mod_timer(&devpriv->ai_timer,
+ jiffies + usecs_to_jiffies(time_increment));
+ }
+ spin_unlock(&dev->spinlock);
}
overrun:
@@ -393,9 +399,12 @@ static int waveform_ai_cmd(struct comedi
* Seem to need an extra jiffy here, otherwise timer expires slightly
* early!
*/
+ spin_lock_bh(&dev->spinlock);
+ devpriv->ai_timer_enable = true;
devpriv->ai_timer.expires =
jiffies + usecs_to_jiffies(devpriv->ai_convert_period) + 1;
add_timer(&devpriv->ai_timer);
+ spin_unlock_bh(&dev->spinlock);
return 0;
}
@@ -404,6 +413,9 @@ static int waveform_ai_cancel(struct com
{
struct waveform_private *devpriv = dev->private;
+ spin_lock_bh(&dev->spinlock);
+ devpriv->ai_timer_enable = false;
+ spin_unlock_bh(&dev->spinlock);
if (in_softirq()) {
/* Assume we were called from the timer routine itself. */
del_timer(&devpriv->ai_timer);
@@ -495,8 +507,12 @@ static void waveform_ao_timer(struct tim
unsigned int time_inc = devpriv->ao_last_scan_time +
devpriv->ao_scan_period - now;
- mod_timer(&devpriv->ao_timer,
- jiffies + usecs_to_jiffies(time_inc));
+ spin_lock(&dev->spinlock);
+ if (devpriv->ao_timer_enable) {
+ mod_timer(&devpriv->ao_timer,
+ jiffies + usecs_to_jiffies(time_inc));
+ }
+ spin_unlock(&dev->spinlock);
}
underrun:
@@ -517,9 +533,12 @@ static int waveform_ao_inttrig_start(str
async->inttrig = NULL;
devpriv->ao_last_scan_time = ktime_to_us(ktime_get());
+ spin_lock_bh(&dev->spinlock);
+ devpriv->ao_timer_enable = true;
devpriv->ao_timer.expires =
jiffies + usecs_to_jiffies(devpriv->ao_scan_period);
add_timer(&devpriv->ao_timer);
+ spin_unlock_bh(&dev->spinlock);
return 1;
}
@@ -604,6 +623,9 @@ static int waveform_ao_cancel(struct com
struct waveform_private *devpriv = dev->private;
s->async->inttrig = NULL;
+ spin_lock_bh(&dev->spinlock);
+ devpriv->ao_timer_enable = false;
+ spin_unlock_bh(&dev->spinlock);
if (in_softirq()) {
/* Assume we were called from the timer routine itself. */
del_timer(&devpriv->ao_timer);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 070/175] netfilter: nf_tables: disallow anonymous set with timeout flag
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 069/175] comedi: comedi_test: Prevent timers rescheduling during deletion Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 071/175] netfilter: nf_tables: reject constant set with timeout Greg Kroah-Hartman
` (110 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, lonial con, Pablo Neira Ayuso
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 16603605b667b70da974bea8216c93e7db043bf1 upstream.
Anonymous sets are never used with timeout from userspace, reject this.
Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.
Cc: stable@vger.kernel.org
Fixes: 761da2935d6e ("netfilter: nf_tables: add set timeout API support")
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3560,6 +3560,9 @@ static int nf_tables_newset(struct net *
if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
(NFT_SET_EVAL | NFT_SET_OBJECT))
return -EOPNOTSUPP;
+ if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
+ (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
+ return -EOPNOTSUPP;
}
dtype = 0;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 071/175] netfilter: nf_tables: reject constant set with timeout
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 070/175] netfilter: nf_tables: disallow anonymous set with timeout flag Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 072/175] xfrm: Avoid clang fortify warning in copy_to_user_tmpl() Greg Kroah-Hartman
` (109 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 5f4fc4bd5cddb4770ab120ce44f02695c4505562 upstream.
This set combination is weird: it allows for elements to be
added/deleted, but once bound to the rule it cannot be updated anymore.
Eventually, all elements expire, leading to an empty set which cannot
be updated anymore. Reject this flags combination.
Cc: stable@vger.kernel.org
Fixes: 761da2935d6e ("netfilter: nf_tables: add set timeout API support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3563,6 +3563,9 @@ static int nf_tables_newset(struct net *
if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
(NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
return -EOPNOTSUPP;
+ if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
+ (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
+ return -EOPNOTSUPP;
}
dtype = 0;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 072/175] xfrm: Avoid clang fortify warning in copy_to_user_tmpl()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 071/175] netfilter: nf_tables: reject constant set with timeout Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 073/175] ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform Greg Kroah-Hartman
` (108 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Kees Cook,
Steffen Klassert
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 1a807e46aa93ebad1dfbed4f82dc3bf779423a6e upstream.
After a couple recent changes in LLVM, there is a warning (or error with
CONFIG_WERROR=y or W=e) from the compile time fortify source routines,
specifically the memset() in copy_to_user_tmpl().
In file included from net/xfrm/xfrm_user.c:14:
...
include/linux/fortify-string.h:438:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
438 | __write_overflow_field(p_size_field, size);
| ^
1 error generated.
While ->xfrm_nr has been validated against XFRM_MAX_DEPTH when its value
is first assigned in copy_templates() by calling validate_tmpl() first
(so there should not be any issue in practice), LLVM/clang cannot really
deduce that across the boundaries of these functions. Without that
knowledge, it cannot assume that the loop stops before i is greater than
XFRM_MAX_DEPTH, which would indeed result a stack buffer overflow in the
memset().
To make the bounds of ->xfrm_nr clear to the compiler and add additional
defense in case copy_to_user_tmpl() is ever used in a path where
->xfrm_nr has not been properly validated against XFRM_MAX_DEPTH first,
add an explicit bound check and early return, which clears up the
warning.
Cc: stable@vger.kernel.org
Link: https://github.com/ClangBuiltLinux/linux/issues/1985
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_user.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1703,6 +1703,9 @@ static int copy_to_user_tmpl(struct xfrm
if (xp->xfrm_nr == 0)
return 0;
+ if (xp->xfrm_nr > XFRM_MAX_DEPTH)
+ return -ENOBUFS;
+
for (i = 0; i < xp->xfrm_nr; i++) {
struct xfrm_user_tmpl *up = &vec[i];
struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 073/175] ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 072/175] xfrm: Avoid clang fortify warning in copy_to_user_tmpl() Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 074/175] USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command Greg Kroah-Hartman
` (107 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kailang Yang, Takashi Iwai
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kailang Yang <kailang@realtek.com>
commit d397b6e56151099cf3b1f7bfccb204a6a8591720 upstream.
Headset Mic will no show at resume back.
This patch will fix this issue.
Fixes: d7f32791a9fc ("ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform")
Cc: <stable@vger.kernel.org>
Signed-off-by: Kailang Yang <kailang@realtek.com>
Link: https://lore.kernel.org/r/4713d48a372e47f98bba0c6120fd8254@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8593,8 +8593,7 @@ static void alc897_hp_automute_hook(stru
snd_hda_gen_hp_automute(codec, jack);
vref = spec->gen.hp_jack_present ? (PIN_HP | AC_PINCTL_VREF_100) : PIN_HP;
- snd_hda_codec_write(codec, 0x1b, 0, AC_VERB_SET_PIN_WIDGET_CONTROL,
- vref);
+ snd_hda_set_pin_ctl(codec, 0x1b, vref);
}
static void alc897_fixup_lenovo_headset_mic(struct hda_codec *codec,
@@ -8603,6 +8602,10 @@ static void alc897_fixup_lenovo_headset_
struct alc_spec *spec = codec->spec;
if (action == HDA_FIXUP_ACT_PRE_PROBE) {
spec->gen.hp_automute_hook = alc897_hp_automute_hook;
+ spec->no_shutup_pins = 1;
+ }
+ if (action == HDA_FIXUP_ACT_PROBE) {
+ snd_hda_set_pin_ctl_cache(codec, 0x1a, PIN_IN | AC_PINCTL_VREF_100);
}
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 074/175] USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 073/175] ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 075/175] usb: gadget: ncm: Fix handling of zero block length packets Greg Kroah-Hartman
` (106 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Stern,
PrasannaKumar Muralidharan, Martin K. Petersen,
syzbot+28748250ab47a8f04100
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 014bcf41d946b36a8f0b8e9b5d9529efbb822f49 upstream.
The isd200 sub-driver in usb-storage uses the HEADS and SECTORS values
in the ATA ID information to calculate cylinder and head values when
creating a CDB for READ or WRITE commands. The calculation involves
division and modulus operations, which will cause a crash if either of
these values is 0. While this never happens with a genuine device, it
could happen with a flawed or subversive emulation, as reported by the
syzbot fuzzer.
Protect against this possibility by refusing to bind to the device if
either the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID
information is 0. This requires isd200_Initialization() to return a
negative error code when initialization fails; currently it always
returns 0 (even when there is an error).
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+28748250ab47a8f04100@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-usb/0000000000003eb868061245ba7f@google.com/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: PrasannaKumar Muralidharan <prasannatsmkumar@gmail.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Link: https://lore.kernel.org/r/b1e605ea-333f-4ac0-9511-da04f411763e@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/isd200.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/usb/storage/isd200.c
+++ b/drivers/usb/storage/isd200.c
@@ -1104,7 +1104,7 @@ static void isd200_dump_driveid(struct u
static int isd200_get_inquiry_data( struct us_data *us )
{
struct isd200_info *info = (struct isd200_info *)us->extra;
- int retStatus = ISD200_GOOD;
+ int retStatus;
u16 *id = info->id;
usb_stor_dbg(us, "Entering isd200_get_inquiry_data\n");
@@ -1136,6 +1136,13 @@ static int isd200_get_inquiry_data( stru
isd200_fix_driveid(id);
isd200_dump_driveid(us, id);
+ /* Prevent division by 0 in isd200_scsi_to_ata() */
+ if (id[ATA_ID_HEADS] == 0 || id[ATA_ID_SECTORS] == 0) {
+ usb_stor_dbg(us, " Invalid ATA Identify data\n");
+ retStatus = ISD200_ERROR;
+ goto Done;
+ }
+
memset(&info->InquiryData, 0, sizeof(info->InquiryData));
/* Standard IDE interface only supports disks */
@@ -1201,6 +1208,7 @@ static int isd200_get_inquiry_data( stru
}
}
+ Done:
usb_stor_dbg(us, "Leaving isd200_get_inquiry_data %08X\n", retStatus);
return(retStatus);
@@ -1480,22 +1488,27 @@ static int isd200_init_info(struct us_da
static int isd200_Initialization(struct us_data *us)
{
+ int rc = 0;
+
usb_stor_dbg(us, "ISD200 Initialization...\n");
/* Initialize ISD200 info struct */
- if (isd200_init_info(us) == ISD200_ERROR) {
+ if (isd200_init_info(us) < 0) {
usb_stor_dbg(us, "ERROR Initializing ISD200 Info struct\n");
+ rc = -ENOMEM;
} else {
/* Get device specific data */
- if (isd200_get_inquiry_data(us) != ISD200_GOOD)
+ if (isd200_get_inquiry_data(us) != ISD200_GOOD) {
usb_stor_dbg(us, "ISD200 Initialization Failure\n");
- else
+ rc = -EINVAL;
+ } else {
usb_stor_dbg(us, "ISD200 Initialization complete\n");
+ }
}
- return 0;
+ return rc;
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 075/175] usb: gadget: ncm: Fix handling of zero block length packets
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 074/175] USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 076/175] usb: port: Dont try to peer unused USB ports based on location Greg Kroah-Hartman
` (105 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krishna Kurapati, Maciej Żenczykowski
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Kurapati <quic_kriskura@quicinc.com>
commit f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70 upstream.
While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX
set to 65536, it has been observed that we receive short packets,
which come at interval of 5-10 seconds sometimes and have block
length zero but still contain 1-2 valid datagrams present.
According to the NCM spec:
"If wBlockLength = 0x0000, the block is terminated by a
short packet. In this case, the USB transfer must still
be shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If
exactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,
and the size is a multiple of wMaxPacketSize for the
given pipe, then no ZLP shall be sent.
wBlockLength= 0x0000 must be used with extreme care, because
of the possibility that the host and device may get out of
sync, and because of test issues.
wBlockLength = 0x0000 allows the sender to reduce latency by
starting to send a very large NTB, and then shortening it when
the sender discovers that there’s not sufficient data to justify
sending a large NTB"
However, there is a potential issue with the current implementation,
as it checks for the occurrence of multiple NTBs in a single
giveback by verifying if the leftover bytes to be processed is zero
or not. If the block length reads zero, we would process the same
NTB infintely because the leftover bytes is never zero and it leads
to a crash. Fix this by bailing out if block length reads zero.
Cc: stable@vger.kernel.org
Fixes: 427694cfaafa ("usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call")
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
Reviewed-by: Maciej Żenczykowski <maze@google.com>
Link: https://lore.kernel.org/r/20240228115441.2105585-1-quic_kriskura@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_ncm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -1357,7 +1357,7 @@ parse_ntb:
if (to_process == 1 &&
(*(unsigned char *)(ntb_ptr + block_len) == 0x00)) {
to_process--;
- } else if (to_process > 0) {
+ } else if ((to_process > 0) && (block_len != 0)) {
ntb_ptr = (unsigned char *)(ntb_ptr + block_len);
goto parse_ntb;
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 076/175] usb: port: Dont try to peer unused USB ports based on location
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 075/175] usb: gadget: ncm: Fix handling of zero block length packets Greg Kroah-Hartman
@ 2024-04-11 9:54 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 077/175] tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled Greg Kroah-Hartman
` (104 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Menzel, Mathias Nyman
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 69c63350e573367f9c8594162288cffa8a26d0d1 upstream.
Unused USB ports may have bogus location data in ACPI PLD tables.
This causes port peering failures as these unused USB2 and USB3 ports
location may match.
Due to these failures the driver prints a
"usb: port power management may be unreliable" warning, and
unnecessarily blocks port power off during runtime suspend.
This was debugged on a couple DELL systems where the unused ports
all returned zeroes in their location data.
Similar bugreports exist for other systems.
Don't try to peer or match ports that have connect type set to
USB_PORT_NOT_USED.
Fixes: 3bfd659baec8 ("usb: find internal hub tier mismatch via acpi")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218465
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218486
Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
Link: https://lore.kernel.org/linux-usb/5406d361-f5b7-4309-b0e6-8c94408f7d75@molgen.mpg.de
Cc: stable@vger.kernel.org # v3.16+
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218490
Link: https://lore.kernel.org/r/20240222233343.71856-1-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/port.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/port.c
+++ b/drivers/usb/core/port.c
@@ -431,7 +431,7 @@ static int match_location(struct usb_dev
struct usb_hub *peer_hub = usb_hub_to_struct_hub(peer_hdev);
struct usb_device *hdev = to_usb_device(port_dev->dev.parent->parent);
- if (!peer_hub)
+ if (!peer_hub || port_dev->connect_type == USB_PORT_NOT_USED)
return 0;
hcd = bus_to_hcd(hdev->bus);
@@ -442,7 +442,8 @@ static int match_location(struct usb_dev
for (port1 = 1; port1 <= peer_hdev->maxchild; port1++) {
peer = peer_hub->ports[port1 - 1];
- if (peer && peer->location == port_dev->location) {
+ if (peer && peer->connect_type != USB_PORT_NOT_USED &&
+ peer->location == port_dev->location) {
link_peers_report(port_dev, peer);
return 1; /* done */
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 077/175] tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2024-04-11 9:54 ` [PATCH 4.19 076/175] usb: port: Dont try to peer unused USB ports based on location Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 078/175] vt: fix unicode buffer corruption when deleting characters Greg Kroah-Hartman
` (103 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Sherry Sun, Alexander Sverdlin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sherry Sun <sherry.sun@nxp.com>
commit 74cb7e0355fae9641f825afa389d3fba3b617714 upstream.
If the remote uart device is not connected or not enabled after booting
up, the CTS line is high by default. At this time, if we enable the flow
control when opening the device(for example, using “stty -F /dev/ttyLP4
crtscts” command), there will be a pending idle preamble(first writing 0
and then writing 1 to UARTCTRL_TE will queue an idle preamble) that
cannot be sent out, resulting in the uart port fail to close(waiting for
TX empty), so the user space stty will have to wait for a long time or
forever.
This is an LPUART IP bug(idle preamble has higher priority than CTS),
here add a workaround patch to enable TX CTS after enabling UARTCTRL_TE,
so that the idle preamble does not get stuck due to CTS is deasserted.
Fixes: 380c966c093e ("tty: serial: fsl_lpuart: add 32-bit register interface support")
Cc: stable <stable@kernel.org>
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Link: https://lore.kernel.org/r/20240305015706.1050769-1-sherry.sun@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/fsl_lpuart.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1753,9 +1753,12 @@ lpuart32_set_termios(struct uart_port *p
UARTCTRL);
lpuart32_serial_setbrg(sport, baud);
- lpuart32_write(&sport->port, modem, UARTMODIR);
- lpuart32_write(&sport->port, ctrl, UARTCTRL);
+ /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */
+ lpuart32_write(&sport->port, modem & ~UARTMODIR_TXCTSE, UARTMODIR);
/* restore control register */
+ lpuart32_write(&sport->port, ctrl, UARTCTRL);
+ /* re-enable the CTS if needed */
+ lpuart32_write(&sport->port, modem, UARTMODIR);
spin_unlock_irqrestore(&sport->port.lock, flags);
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 078/175] vt: fix unicode buffer corruption when deleting characters
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 077/175] tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 079/175] vt: fix memory overlapping when deleting chars in the buffer Greg Kroah-Hartman
` (102 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolas Pitre, stable
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Pitre <nico@fluxnic.net>
commit 1581dafaf0d34bc9c428a794a22110d7046d186d upstream.
This is the same issue that was fixed for the VGA text buffer in commit
39cdb68c64d8 ("vt: fix memory overlapping when deleting chars in the
buffer"). The cure is also the same i.e. replace memcpy() with memmove()
due to the overlaping buffers.
Signed-off-by: Nicolas Pitre <nico@fluxnic.net>
Fixes: 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition")
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/sn184on2-3p0q-0qrq-0218-895349s4753o@syhkavp.arg
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -405,7 +405,7 @@ static void vc_uniscr_delete(struct vc_d
char32_t *ln = uniscr->lines[vc->vc_y];
unsigned int x = vc->vc_x, cols = vc->vc_cols;
- memcpy(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln));
+ memmove(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln));
memset32(&ln[cols - nr], ' ', nr);
}
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 079/175] vt: fix memory overlapping when deleting chars in the buffer
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 078/175] vt: fix unicode buffer corruption when deleting characters Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 080/175] mm/memory-failure: fix an incorrect use of tail pages Greg Kroah-Hartman
` (101 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Yangxi Xiang, Kuntal Nayak
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yangxi Xiang <xyangxi5@gmail.com>
commit 39cdb68c64d84e71a4a717000b6e5de208ee60cc upstream.
A memory overlapping copy occurs when deleting a long line. This memory
overlapping copy can cause data corruption when scr_memcpyw is optimized
to memcpy because memcpy does not ensure its behavior if the destination
buffer overlaps with the source buffer. The line buffer is not always
broken, because the memcpy utilizes the hardware acceleration, whose
result is not deterministic.
Fix this problem by using replacing the scr_memcpyw with scr_memmovew.
Fixes: 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition")
Cc: stable <stable@kernel.org>
Signed-off-by: Yangxi Xiang <xyangxi5@gmail.com>
Link: https://lore.kernel.org/r/20220628093322.5688-1-xyangxi5@gmail.com
[ KN: vc_state is not a separate structure in LTS v4.19, v5.4. Adjusted the patch
accordingly by using vc_x instead of state.x for backport. ]
Signed-off-by: Kuntal Nayak <kuntal.nayak@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -855,7 +855,7 @@ static void delete_char(struct vc_data *
unsigned short *p = (unsigned short *) vc->vc_pos;
vc_uniscr_delete(vc, nr);
- scr_memcpyw(p, p + nr, (vc->vc_cols - vc->vc_x - nr) * 2);
+ scr_memmovew(p, p + nr, (vc->vc_cols - vc->vc_x - nr) * 2);
scr_memsetw(p + vc->vc_cols - vc->vc_x - nr, vc->vc_video_erase_char,
nr * 2);
vc->vc_need_wrap = 0;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 080/175] mm/memory-failure: fix an incorrect use of tail pages
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 079/175] vt: fix memory overlapping when deleting chars in the buffer Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 081/175] mm/migrate: set swap entry values of THP tail pages properly Greg Kroah-Hartman
` (100 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Shixin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liu Shixin <liushixin2@huawei.com>
When backport commit c79c5a0a00a9 to 4.19-stable, there is a mistake change.
The head page instead of tail page should be passed to try_to_unmap(),
otherwise unmap will failed as follows.
Memory failure: 0x121c10: failed to unmap page (mapcount=1)
Memory failure: 0x121c10: recovery action for unmapping failed page: Ignored
Fixes: c6f50413f2aa ("mm/memory-failure: check the mapcount of the precise page")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory-failure.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1033,7 +1033,7 @@ static bool hwpoison_user_mappings(struc
if (kill)
collect_procs(hpage, &tokill, flags & MF_ACTION_REQUIRED);
- unmap_success = try_to_unmap(p, ttu);
+ unmap_success = try_to_unmap(hpage, ttu);
if (!unmap_success)
pr_err("Memory failure: %#lx: failed to unmap page (mapcount=%d)\n",
pfn, page_mapcount(p));
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 081/175] mm/migrate: set swap entry values of THP tail pages properly.
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 080/175] mm/memory-failure: fix an incorrect use of tail pages Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 082/175] wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes Greg Kroah-Hartman
` (99 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zi Yan, David Hildenbrand
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zi Yan <ziy@nvidia.com>
The tail pages in a THP can have swap entry information stored in their
private field. When migrating to a new page, all tail pages of the new
page need to update ->private to avoid future data corruption.
This fix is stable-only, since after commit 07e09c483cbe ("mm/huge_memory:
work on folio->swap instead of page->private when splitting folio"),
subpages of a swapcached THP no longer requires the maintenance.
Adding THPs to the swapcache was introduced in commit
38d8b4e6bdc87 ("mm, THP, swap: delay splitting THP during swap out"),
where each subpage of a THP added to the swapcache had its own swapcache
entry and required the ->private field to point to the correct swapcache
entry. Later, when THP migration functionality was implemented in commit
616b8371539a6 ("mm: thp: enable thp migration in generic path"),
it initially did not handle the subpages of swapcached THPs, failing to
update their ->private fields or replace the subpage pointers in the
swapcache. Subsequently, commit e71769ae5260 ("mm: enable thp migration
for shmem thp") addressed the swapcache update aspect. This patch fixes
the update of subpage ->private fields.
Closes: https://lore.kernel.org/linux-mm/1707814102-22682-1-git-send-email-quic_charante@quicinc.com/
Fixes: 616b8371539a ("mm: thp: enable thp migration in generic path")
Signed-off-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/migrate.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -514,8 +514,12 @@ int migrate_page_move_mapping(struct add
if (PageSwapBacked(page)) {
__SetPageSwapBacked(newpage);
if (PageSwapCache(page)) {
+ int i;
+
SetPageSwapCache(newpage);
- set_page_private(newpage, page_private(page));
+ for (i = 0; i < (1 << compound_order(page)); i++)
+ set_page_private(newpage + i,
+ page_private(page + i));
}
} else {
VM_BUG_ON_PAGE(PageSwapCache(page), page);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 082/175] wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 081/175] mm/migrate: set swap entry values of THP tail pages properly Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 083/175] exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() Greg Kroah-Hartman
` (98 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ranygh, Felix Fietkau, Johannes Berg
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@nbd.name>
commit 4f2bdb3c5e3189297e156b3ff84b140423d64685 upstream.
When moving a station out of a VLAN and deleting the VLAN afterwards, the
fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx
after the VLAN change.
Cc: stable@vger.kernel.org
Reported-by: ranygh@riseup.net
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://msgid.link/20240316074336.40442-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/cfg.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1548,15 +1548,14 @@ static int ieee80211_change_station(stru
}
if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
- sta->sdata->u.vlan.sta) {
- ieee80211_clear_fast_rx(sta);
+ sta->sdata->u.vlan.sta)
RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL);
- }
if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
ieee80211_vif_dec_num_mcast(sta->sdata);
sta->sdata = vlansdata;
+ ieee80211_check_fast_rx(sta);
ieee80211_check_fast_xmit(sta);
if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 083/175] exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 082/175] wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 084/175] usb: cdc-wdm: close race between read and workqueue Greg Kroah-Hartman
` (97 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Max Filippov, Kees Cook
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Filippov <jcmvbkbc@gmail.com>
commit 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 upstream.
In NOMMU kernel the value of linux_binprm::p is the offset inside the
temporary program arguments array maintained in separate pages in the
linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p
thus must be adjusted when that array is copied to the user stack.
Without that adjustment the value passed by the NOMMU kernel to the ELF
program in the AT_EXECFN entry of the aux array doesn't make any sense
and it may break programs that try to access memory pointed to by that
entry.
Adjust linux_binprm::exec before the successful return from the
transfer_args_to_stack().
Cc: <stable@vger.kernel.org>
Fixes: b6a2fea39318 ("mm: variable length argument support")
Fixes: 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD, AT_EXECFN, AT_SECURE")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Link: https://lore.kernel.org/r/20240320182607.1472887-1-jcmvbkbc@gmail.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exec.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -823,6 +823,7 @@ int transfer_args_to_stack(struct linux_
goto out;
}
+ bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;
*sp_location = sp;
out:
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 084/175] usb: cdc-wdm: close race between read and workqueue
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 083/175] exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 085/175] ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs Greg Kroah-Hartman
` (96 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 339f83612f3a569b194680768b22bf113c26a29d upstream.
wdm_read() cannot race with itself. However, in
service_outstanding_interrupt() it can race with the
workqueue, which can be triggered by error handling.
Hence we need to make sure that the WDM_RESPONDING
flag is not just only set but tested.
Fixes: afba937e540c9 ("USB: CDC WDM driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20240314115132.3907-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-wdm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -471,6 +471,7 @@ out_free_mem:
static int service_outstanding_interrupt(struct wdm_device *desc)
{
int rv = 0;
+ int used;
/* submit read urb only if the device is waiting for it */
if (!desc->resp_count || !--desc->resp_count)
@@ -485,7 +486,10 @@ static int service_outstanding_interrupt
goto out;
}
- set_bit(WDM_RESPONDING, &desc->flags);
+ used = test_and_set_bit(WDM_RESPONDING, &desc->flags);
+ if (used)
+ goto out;
+
spin_unlock_irq(&desc->iuspin);
rv = usb_submit_urb(desc->response, GFP_KERNEL);
spin_lock_irq(&desc->iuspin);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 085/175] ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 084/175] usb: cdc-wdm: close race between read and workqueue Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 086/175] fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion Greg Kroah-Hartman
` (95 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Duoming Zhou
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 051e0840ffa8ab25554d6b14b62c9ab9e4901457 upstream.
The dreamcastcard->timer could schedule the spu_dma_work and the
spu_dma_work could also arm the dreamcastcard->timer.
When the snd_pcm_substream is closing, the aica_channel will be
deallocated. But it could still be dereferenced in the worker
thread. The reason is that del_timer() will return directly
regardless of whether the timer handler is running or not and
the worker could be rescheduled in the timer handler. As a result,
the UAF bug will happen. The racy situation is shown below:
(Thread 1) | (Thread 2)
snd_aicapcm_pcm_close() |
... | run_spu_dma() //worker
| mod_timer()
flush_work() |
del_timer() | aica_period_elapsed() //timer
kfree(dreamcastcard->channel) | schedule_work()
| run_spu_dma() //worker
... | dreamcastcard->channel-> //USE
In order to mitigate this bug and other possible corner cases,
call mod_timer() conditionally in run_spu_dma(), then implement
PCM sync_stop op to cancel both the timer and worker. The sync_stop
op will be called from PCM core appropriately when needed.
Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device")
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Message-ID: <20240326094238.95442-1-duoming@zju.edu.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/sh/aica.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
--- a/sound/sh/aica.c
+++ b/sound/sh/aica.c
@@ -295,7 +295,8 @@ static void run_spu_dma(struct work_stru
dreamcastcard->clicks++;
if (unlikely(dreamcastcard->clicks >= AICA_PERIOD_NUMBER))
dreamcastcard->clicks %= AICA_PERIOD_NUMBER;
- mod_timer(&dreamcastcard->timer, jiffies + 1);
+ if (snd_pcm_running(dreamcastcard->substream))
+ mod_timer(&dreamcastcard->timer, jiffies + 1);
}
}
@@ -307,6 +308,8 @@ static void aica_period_elapsed(struct t
/*timer function - so cannot sleep */
int play_period;
struct snd_pcm_runtime *runtime;
+ if (!snd_pcm_running(substream))
+ return;
runtime = substream->runtime;
dreamcastcard = substream->pcm->private_data;
/* Have we played out an additional period? */
@@ -367,12 +370,19 @@ static int snd_aicapcm_pcm_open(struct s
return 0;
}
+static int snd_aicapcm_pcm_sync_stop(struct snd_pcm_substream *substream)
+{
+ struct snd_card_aica *dreamcastcard = substream->pcm->private_data;
+
+ del_timer_sync(&dreamcastcard->timer);
+ cancel_work_sync(&dreamcastcard->spu_dma_work);
+ return 0;
+}
+
static int snd_aicapcm_pcm_close(struct snd_pcm_substream
*substream)
{
struct snd_card_aica *dreamcastcard = substream->pcm->private_data;
- flush_work(&(dreamcastcard->spu_dma_work));
- del_timer(&dreamcastcard->timer);
dreamcastcard->substream = NULL;
kfree(dreamcastcard->channel);
spu_disable();
@@ -438,6 +448,7 @@ static const struct snd_pcm_ops snd_aica
.prepare = snd_aicapcm_pcm_prepare,
.trigger = snd_aicapcm_pcm_trigger,
.pointer = snd_aicapcm_pcm_pointer,
+ .sync_stop = snd_aicapcm_pcm_sync_stop,
};
/* TO DO: set up to handle more than one pcm instance */
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 086/175] fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 085/175] ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 087/175] printk: Update @console_may_schedule in console_trylock_spinning() Greg Kroah-Hartman
` (94 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Benjamin LaHaise,
Eric Biggers, Christoph Hellwig, Avi Kivity, Sandeep Dhavale,
Jens Axboe, Kent Overstreet, Bart Van Assche, Christian Brauner
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
commit 961ebd120565cb60cebe21cb634fbc456022db4a upstream.
The first kiocb_set_cancel_fn() argument may point at a struct kiocb
that is not embedded inside struct aio_kiocb. With the current code,
depending on the compiler, the req->ki_ctx read happens either before
the IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such
that it is guaranteed that the IOCB_AIO_RW test happens first.
Reported-by: Eric Biggers <ebiggers@kernel.org>
Cc: Benjamin LaHaise <ben@communityfibre.ca>
Cc: Eric Biggers <ebiggers@google.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Avi Kivity <avi@scylladb.com>
Cc: Sandeep Dhavale <dhavale@google.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kent Overstreet <kent.overstreet@linux.dev>
Cc: stable@vger.kernel.org
Fixes: b820de741ae4 ("fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20240304235715.3790858-1-bvanassche@acm.org
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/aio.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -562,8 +562,8 @@ static int aio_setup_ring(struct kioctx
void kiocb_set_cancel_fn(struct kiocb *iocb, kiocb_cancel_fn *cancel)
{
- struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw);
- struct kioctx *ctx = req->ki_ctx;
+ struct aio_kiocb *req;
+ struct kioctx *ctx;
unsigned long flags;
/*
@@ -573,9 +573,13 @@ void kiocb_set_cancel_fn(struct kiocb *i
if (!(iocb->ki_flags & IOCB_AIO_RW))
return;
+ req = container_of(iocb, struct aio_kiocb, rw);
+
if (WARN_ON_ONCE(!list_empty(&req->ki_list)))
return;
+ ctx = req->ki_ctx;
+
spin_lock_irqsave(&ctx->ctx_lock, flags);
list_add_tail(&req->ki_list, &ctx->active_reqs);
req->ki_cancel = cancel;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 087/175] printk: Update @console_may_schedule in console_trylock_spinning()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 086/175] fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 088/175] btrfs: allocate btrfs_ioctl_defrag_range_args on stack Greg Kroah-Hartman
` (93 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mukesh Ojha, John Ogness,
Petr Mladek, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Ogness <john.ogness@linutronix.de>
[ Upstream commit 8076972468584d4a21dab9aa50e388b3ea9ad8c7 ]
console_trylock_spinning() may takeover the console lock from a
schedulable context. Update @console_may_schedule to make sure it
reflects a trylock acquire.
Reported-by: Mukesh Ojha <quic_mojha@quicinc.com>
Closes: https://lore.kernel.org/lkml/20240222090538.23017-1-quic_mojha@quicinc.com
Fixes: dbdda842fe96 ("printk: Add console owner and waiter logic to load balance console writes")
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/875xybmo2z.fsf@jogness.linutronix.de
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/printk/printk.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 2ba16c426ba5d..66c78dfd17925 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1732,6 +1732,12 @@ static int console_trylock_spinning(void)
*/
mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_);
+ /*
+ * Update @console_may_schedule for trylock because the previous
+ * owner may have been schedulable.
+ */
+ console_may_schedule = 0;
+
return 1;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 088/175] btrfs: allocate btrfs_ioctl_defrag_range_args on stack
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 087/175] printk: Update @console_may_schedule in console_trylock_spinning() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 089/175] Revert "loop: Check for overflow while configuring loop" Greg Kroah-Hartman
` (92 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anand Jain, Goldwyn Rodrigues,
David Sterba, Maximilian Heyne
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Goldwyn Rodrigues <rgoldwyn@suse.com>
commit c853a5783ebe123847886d432354931874367292 upstream.
Instead of using kmalloc() to allocate btrfs_ioctl_defrag_range_args,
allocate btrfs_ioctl_defrag_range_args on stack, the size is reasonably
small and ioctls are called in process context.
sizeof(btrfs_ioctl_defrag_range_args) = 48
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ This patch is needed to fix a memory leak of "range" that was
introduced when commit 173431b274a9 ("btrfs: defrag: reject unknown
flags of btrfs_ioctl_defrag_range_args") was backported to kernels
lacking this patch. Now with these two patches applied in reverse order,
range->flags needed to change back to range.flags.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 25 ++++++++-----------------
1 file changed, 8 insertions(+), 17 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2992,7 +2992,7 @@ static int btrfs_ioctl_defrag(struct fil
{
struct inode *inode = file_inode(file);
struct btrfs_root *root = BTRFS_I(inode)->root;
- struct btrfs_ioctl_defrag_range_args *range;
+ struct btrfs_ioctl_defrag_range_args range = {0};
int ret;
ret = mnt_want_write_file(file);
@@ -3024,37 +3024,28 @@ static int btrfs_ioctl_defrag(struct fil
goto out;
}
- range = kzalloc(sizeof(*range), GFP_KERNEL);
- if (!range) {
- ret = -ENOMEM;
- goto out;
- }
-
if (argp) {
- if (copy_from_user(range, argp,
- sizeof(*range))) {
+ if (copy_from_user(&range, argp, sizeof(range))) {
ret = -EFAULT;
- kfree(range);
goto out;
}
- if (range->flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
+ if (range.flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
ret = -EOPNOTSUPP;
goto out;
}
/* compression requires us to start the IO */
- if ((range->flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
- range->flags |= BTRFS_DEFRAG_RANGE_START_IO;
- range->extent_thresh = (u32)-1;
+ if ((range.flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
+ range.flags |= BTRFS_DEFRAG_RANGE_START_IO;
+ range.extent_thresh = (u32)-1;
}
} else {
/* the rest are all set to zero by kzalloc */
- range->len = (u64)-1;
+ range.len = (u64)-1;
}
ret = btrfs_defrag_file(file_inode(file), file,
- range, BTRFS_OLDEST_GENERATION, 0);
+ &range, BTRFS_OLDEST_GENERATION, 0);
if (ret > 0)
ret = 0;
- kfree(range);
break;
default:
ret = -EINVAL;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 089/175] Revert "loop: Check for overflow while configuring loop"
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 088/175] btrfs: allocate btrfs_ioctl_defrag_range_args on stack Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 090/175] loop: Call loop_config_discard() only after new config is applied Greg Kroah-Hartman
` (91 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, k2ci, Genjian Zhang
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Genjian Zhang <zhanggenjian@kylinos.cn>
This reverts commit 2035c770bfdbcc82bd52e05871a7c82db9529e0f.
This patch lost a unlock loop_ctl_mutex in loop_get_status(...),
which caused syzbot to report a UAF issue.The upstream patch does not
have this issue. Therefore, we revert this patch and directly apply
the upstream patch later on.
Risk use-after-free as reported by syzbot:
[ 174.437352] BUG: KASAN: use-after-free in __mutex_lock.isra.10+0xbc4/0xc30
[ 174.437772] Read of size 4 at addr ffff8880bac49ab8 by task syz-executor.0/13897
[ 174.438205]
[ 174.438306] CPU: 1 PID: 13897 Comm: syz-executor.0 Not tainted 4.19.306 #1
[ 174.438712] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1kylin1 04/01/2014
[ 174.439236] Call Trace:
[ 174.439392] dump_stack+0x94/0xc7
[ 174.439596] ? __mutex_lock.isra.10+0xbc4/0xc30
[ 174.439881] print_address_description+0x60/0x229
[ 174.440165] ? __mutex_lock.isra.10+0xbc4/0xc30
[ 174.440436] kasan_report.cold.6+0x241/0x2fd
[ 174.440696] __mutex_lock.isra.10+0xbc4/0xc30
[ 174.440959] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 174.441272] ? mutex_trylock+0xa0/0xa0
[ 174.441500] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 174.441816] ? kobject_get_unless_zero+0x129/0x1c0
[ 174.442106] ? kset_unregister+0x30/0x30
[ 174.442351] ? find_symbol_in_section+0x310/0x310
[ 174.442634] ? __mutex_lock_slowpath+0x10/0x10
[ 174.442901] mutex_lock_killable+0xb0/0xf0
[ 174.443149] ? __mutex_lock_killable_slowpath+0x10/0x10
[ 174.443465] ? __mutex_lock_slowpath+0x10/0x10
[ 174.443732] ? _cond_resched+0x10/0x20
[ 174.443966] ? kobject_get+0x54/0xa0
[ 174.444190] lo_open+0x16/0xc0
[ 174.444382] __blkdev_get+0x273/0x10f0
[ 174.444612] ? lo_fallocate.isra.20+0x150/0x150
[ 174.444886] ? bdev_disk_changed+0x190/0x190
[ 174.445146] ? path_init+0x1030/0x1030
[ 174.445371] ? do_syscall_64+0x9a/0x2d0
[ 174.445608] ? deref_stack_reg+0xab/0xe0
[ 174.445852] blkdev_get+0x97/0x880
[ 174.446061] ? walk_component+0x297/0xdc0
[ 174.446303] ? __blkdev_get+0x10f0/0x10f0
[ 174.446547] ? __fsnotify_inode_delete+0x20/0x20
[ 174.446822] blkdev_open+0x1bd/0x240
[ 174.447040] do_dentry_open+0x448/0xf80
[ 174.447274] ? blkdev_get_by_dev+0x60/0x60
[ 174.447522] ? __x64_sys_fchdir+0x1a0/0x1a0
[ 174.447775] ? inode_permission+0x86/0x320
[ 174.448022] path_openat+0xa83/0x3ed0
[ 174.448248] ? path_mountpoint+0xb50/0xb50
[ 174.448495] ? kasan_kmalloc+0xbf/0xe0
[ 174.448723] ? kmem_cache_alloc+0xbc/0x1b0
[ 174.448971] ? getname_flags+0xc4/0x560
[ 174.449203] ? do_sys_open+0x1ce/0x3f0
[ 174.449432] ? do_syscall_64+0x9a/0x2d0
[ 174.449706] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 174.450022] ? __d_alloc+0x2a/0xa50
[ 174.450232] ? kasan_unpoison_shadow+0x30/0x40
[ 174.450510] ? should_fail+0x117/0x6c0
[ 174.450737] ? timespec64_trunc+0xc1/0x150
[ 174.450986] ? inode_init_owner+0x2e0/0x2e0
[ 174.451237] ? timespec64_trunc+0xc1/0x150
[ 174.451484] ? inode_init_owner+0x2e0/0x2e0
[ 174.451736] do_filp_open+0x197/0x270
[ 174.451959] ? may_open_dev+0xd0/0xd0
[ 174.452182] ? kasan_unpoison_shadow+0x30/0x40
[ 174.452448] ? kasan_kmalloc+0xbf/0xe0
[ 174.452672] ? __alloc_fd+0x1a3/0x4b0
[ 174.452895] do_sys_open+0x2c7/0x3f0
[ 174.453114] ? filp_open+0x60/0x60
[ 174.453320] do_syscall_64+0x9a/0x2d0
[ 174.453541] ? prepare_exit_to_usermode+0xf3/0x170
[ 174.453832] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 174.454136] RIP: 0033:0x41edee
[ 174.454321] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 c7 c0 a4 af 0b 01 8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c5
[ 174.455404] RSP: 002b:00007ffd2501fbd0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 174.455854] RAX: ffffffffffffffda RBX: 00007ffd2501fc90 RCX: 000000000041edee
[ 174.456273] RDX: 0000000000000002 RSI: 00007ffd2501fcd0 RDI: 00000000ffffff9c
[ 174.456698] RBP: 0000000000000003 R08: 0000000000000001 R09: 00007ffd2501f9a7
[ 174.457116] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 174.457535] R13: 0000000000565e48 R14: 00007ffd2501fcd0 R15: 0000000000400510
[ 174.457955]
[ 174.458052] Allocated by task 945:
[ 174.458261] kasan_kmalloc+0xbf/0xe0
[ 174.458478] kmem_cache_alloc_node+0xb4/0x1d0
[ 174.458743] copy_process.part.57+0x14b0/0x7010
[ 174.459017] _do_fork+0x197/0x980
[ 174.459218] kernel_thread+0x2f/0x40
[ 174.459438] call_usermodehelper_exec_work+0xa8/0x240
[ 174.459742] process_one_work+0x933/0x13b0
[ 174.459986] worker_thread+0x8c/0x1000
[ 174.460212] kthread+0x343/0x410
[ 174.460408] ret_from_fork+0x35/0x40
[ 174.460621]
[ 174.460716] Freed by task 22902:
[ 174.460913] __kasan_slab_free+0x125/0x170
[ 174.461159] kmem_cache_free+0x6e/0x1b0
[ 174.461391] __put_task_struct+0x1c4/0x440
[ 174.461636] delayed_put_task_struct+0x135/0x170
[ 174.461915] rcu_process_callbacks+0x578/0x15c0
[ 174.462184] __do_softirq+0x175/0x60e
[ 174.462403]
[ 174.462501] The buggy address belongs to the object at ffff8880bac49a80
[ 174.462501] which belongs to the cache task_struct of size 3264
[ 174.463235] The buggy address is located 56 bytes inside of
[ 174.463235] 3264-byte region [ffff8880bac49a80, ffff8880bac4a740)
[ 174.463923] The buggy address belongs to the page:
[ 174.464210] page:ffffea0002eb1200 count:1 mapcount:0 mapping:ffff888188ca0a00 index:0x0 compound_mapcount: 0
[ 174.464784] flags: 0x100000000008100(slab|head)
[ 174.465079] raw: 0100000000008100 ffffea0002eaa400 0000000400000004 ffff888188ca0a00
[ 174.465533] raw: 0000000000000000 0000000000090009 00000001ffffffff 0000000000000000
[ 174.465988] page dumped because: kasan: bad access detected
[ 174.466321]
[ 174.466322] Memory state around the buggy address:
[ 174.466325] ffff8880bac49980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.466327] ffff8880bac49a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 174.466329] >ffff8880bac49a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.466329] ^
[ 174.466331] ffff8880bac49b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.466333] ffff8880bac49b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.466333] ==================================================================
[ 174.466338] Disabling lock debugging due to kernel taint
Reported-by: k2ci <kernel-bot@kylinos.cn>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 5 -----
1 file changed, 5 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1351,11 +1351,6 @@ loop_get_status(struct loop_device *lo,
info->lo_number = lo->lo_number;
info->lo_offset = lo->lo_offset;
info->lo_sizelimit = lo->lo_sizelimit;
-
- /* loff_t vars have been assigned __u64 */
- if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
- return -EOVERFLOW;
-
info->lo_flags = lo->lo_flags;
memcpy(info->lo_file_name, lo->lo_file_name, LO_NAME_SIZE);
memcpy(info->lo_crypt_name, lo->lo_crypt_name, LO_NAME_SIZE);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 090/175] loop: Call loop_config_discard() only after new config is applied
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 089/175] Revert "loop: Check for overflow while configuring loop" Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 091/175] loop: Remove sector_t truncation checks Greg Kroah-Hartman
` (90 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martijn Coenen, Christoph Hellwig,
Bob Liu, Bart Van Assche, Jens Axboe, Genjian Zhang
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martijn Coenen <maco@android.com>
[ Upstream commit 7c5014b0987a30e4989c90633c198aced454c0ec ]
loop_set_status() calls loop_config_discard() to configure discard for
the loop device; however, the discard configuration depends on whether
the loop device uses encryption, and when we call it the encryption
configuration has not been updated yet. Move the call down so we apply
the correct discard configuration based on the new configuration.
Signed-off-by: Martijn Coenen <maco@android.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bob Liu <bob.liu@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1286,8 +1286,6 @@ loop_set_status(struct loop_device *lo,
}
}
- loop_config_discard(lo);
-
memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
lo->lo_file_name[LO_NAME_SIZE-1] = 0;
@@ -1311,6 +1309,8 @@ loop_set_status(struct loop_device *lo,
lo->lo_key_owner = uid;
}
+ loop_config_discard(lo);
+
/* update dio if lo_offset or transfer is changed */
__loop_update_dio(lo, lo->use_dio);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 091/175] loop: Remove sector_t truncation checks
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 090/175] loop: Call loop_config_discard() only after new config is applied Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-26 16:56 ` Ben Hutchings
2024-04-11 9:55 ` [PATCH 4.19 092/175] loop: Factor out setting loop device size Greg Kroah-Hartman
` (89 subsequent siblings)
180 siblings, 1 reply; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martijn Coenen, Christoph Hellwig,
Jens Axboe, Genjian Zhang
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martijn Coenen <maco@android.com>
[ Upstream commit 083a6a50783ef54256eec3499e6575237e0e3d53 ]
sector_t is now always u64, so we don't need to check for truncation.
Signed-off-by: Martijn Coenen <maco@android.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 21 +++++++--------------
1 file changed, 7 insertions(+), 14 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -225,24 +225,20 @@ static void __loop_update_dio(struct loo
blk_mq_unfreeze_queue(lo->lo_queue);
}
-static int
+static void
figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit)
{
loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
- sector_t x = (sector_t)size;
struct block_device *bdev = lo->lo_device;
- if (unlikely((loff_t)x != size))
- return -EFBIG;
if (lo->lo_offset != offset)
lo->lo_offset = offset;
if (lo->lo_sizelimit != sizelimit)
lo->lo_sizelimit = sizelimit;
- set_capacity(lo->lo_disk, x);
+ set_capacity(lo->lo_disk, size);
bd_set_size(bdev, (loff_t)get_capacity(bdev->bd_disk) << 9);
/* let user-space know about the new size */
kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
- return 0;
}
static inline int
@@ -972,10 +968,8 @@ static int loop_set_fd(struct loop_devic
!file->f_op->write_iter)
lo_flags |= LO_FLAGS_READ_ONLY;
- error = -EFBIG;
size = get_loop_size(lo, file);
- if ((loff_t)(sector_t)size != size)
- goto out_unlock;
+
error = loop_prepare_queue(lo);
if (error)
goto out_unlock;
@@ -1280,10 +1274,7 @@ loop_set_status(struct loop_device *lo,
lo->lo_device->bd_inode->i_mapping->nrpages);
goto out_unfreeze;
}
- if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit)) {
- err = -EFBIG;
- goto out_unfreeze;
- }
+ figure_loop_size(lo, info->lo_offset, info->lo_sizelimit);
}
memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
@@ -1486,7 +1477,9 @@ static int loop_set_capacity(struct loop
if (unlikely(lo->lo_state != Lo_bound))
return -ENXIO;
- return figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
+ figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
+
+ return 0;
}
static int loop_set_dio(struct loop_device *lo, unsigned long arg)
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 092/175] loop: Factor out setting loop device size
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 091/175] loop: Remove sector_t truncation checks Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 093/175] loop: Refactor loop_set_status() size calculation Greg Kroah-Hartman
` (88 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martijn Coenen, Christoph Hellwig,
Jens Axboe, Genjian Zhang
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martijn Coenen <maco@android.com>
[ Upstream commit 5795b6f5607f7e4db62ddea144727780cb351a9b ]
This code is used repeatedly.
Signed-off-by: Martijn Coenen <maco@android.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -225,20 +225,35 @@ static void __loop_update_dio(struct loo
blk_mq_unfreeze_queue(lo->lo_queue);
}
+/**
+ * loop_set_size() - sets device size and notifies userspace
+ * @lo: struct loop_device to set the size for
+ * @size: new size of the loop device
+ *
+ * Callers must validate that the size passed into this function fits into
+ * a sector_t, eg using loop_validate_size()
+ */
+static void loop_set_size(struct loop_device *lo, loff_t size)
+{
+ struct block_device *bdev = lo->lo_device;
+
+ set_capacity(lo->lo_disk, size);
+ bd_set_size(bdev, size << SECTOR_SHIFT);
+ /* let user-space know about the new size */
+ kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
+}
+
static void
figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit)
{
loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
- struct block_device *bdev = lo->lo_device;
if (lo->lo_offset != offset)
lo->lo_offset = offset;
if (lo->lo_sizelimit != sizelimit)
lo->lo_sizelimit = sizelimit;
- set_capacity(lo->lo_disk, size);
- bd_set_size(bdev, (loff_t)get_capacity(bdev->bd_disk) << 9);
- /* let user-space know about the new size */
- kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
+
+ loop_set_size(lo, size);
}
static inline int
@@ -992,11 +1007,8 @@ static int loop_set_fd(struct loop_devic
blk_queue_write_cache(lo->lo_queue, true, false);
loop_update_dio(lo);
- set_capacity(lo->lo_disk, size);
- bd_set_size(bdev, size << 9);
loop_sysfs_init(lo);
- /* let user-space know about the new size */
- kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
+ loop_set_size(lo, size);
set_blocksize(bdev, S_ISBLK(inode->i_mode) ?
block_size(inode->i_bdev) : PAGE_SIZE);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 093/175] loop: Refactor loop_set_status() size calculation
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 092/175] loop: Factor out setting loop device size Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 094/175] loop: properly observe rotational flag of underlying device Greg Kroah-Hartman
` (87 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martijn Coenen, Christoph Hellwig,
Jens Axboe, Genjian Zhang
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martijn Coenen <maco@android.com>
[ Upstream commit b0bd158dd630bd47640e0e418c062cda1e0da5ad ]
figure_loop_size() calculates the loop size based on the passed in
parameters, but at the same time it updates the offset and sizelimit
parameters in the loop device configuration. That is a somewhat
unexpected side effect of a function with this name, and it is only only
needed by one of the two callers of this function - loop_set_status().
Move the lo_offset and lo_sizelimit assignment back into loop_set_status(),
and use the newly factored out functions to validate and apply the newly
calculated size. This allows us to get rid of figure_loop_size() in a
follow-up commit.
Signed-off-by: Martijn Coenen <maco@android.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 37 +++++++++++++++++++------------------
1 file changed, 19 insertions(+), 18 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -248,11 +248,6 @@ figure_loop_size(struct loop_device *lo,
{
loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
- if (lo->lo_offset != offset)
- lo->lo_offset = offset;
- if (lo->lo_sizelimit != sizelimit)
- lo->lo_sizelimit = sizelimit;
-
loop_set_size(lo, size);
}
@@ -1225,6 +1220,7 @@ loop_set_status(struct loop_device *lo,
kuid_t uid = current_uid();
struct block_device *bdev;
bool partscan = false;
+ bool size_changed = false;
err = mutex_lock_killable(&loop_ctl_mutex);
if (err)
@@ -1246,6 +1242,7 @@ loop_set_status(struct loop_device *lo,
if (lo->lo_offset != info->lo_offset ||
lo->lo_sizelimit != info->lo_sizelimit) {
+ size_changed = true;
sync_blockdev(lo->lo_device);
invalidate_bdev(lo->lo_device);
}
@@ -1253,6 +1250,15 @@ loop_set_status(struct loop_device *lo,
/* I/O need to be drained during transfer transition */
blk_mq_freeze_queue(lo->lo_queue);
+ if (size_changed && lo->lo_device->bd_inode->i_mapping->nrpages) {
+ /* If any pages were dirtied after invalidate_bdev(), try again */
+ err = -EAGAIN;
+ pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n",
+ __func__, lo->lo_number, lo->lo_file_name,
+ lo->lo_device->bd_inode->i_mapping->nrpages);
+ goto out_unfreeze;
+ }
+
err = loop_release_xfer(lo);
if (err)
goto out_unfreeze;
@@ -1276,19 +1282,8 @@ loop_set_status(struct loop_device *lo,
if (err)
goto out_unfreeze;
- if (lo->lo_offset != info->lo_offset ||
- lo->lo_sizelimit != info->lo_sizelimit) {
- /* kill_bdev should have truncated all the pages */
- if (lo->lo_device->bd_inode->i_mapping->nrpages) {
- err = -EAGAIN;
- pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n",
- __func__, lo->lo_number, lo->lo_file_name,
- lo->lo_device->bd_inode->i_mapping->nrpages);
- goto out_unfreeze;
- }
- figure_loop_size(lo, info->lo_offset, info->lo_sizelimit);
- }
-
+ lo->lo_offset = info->lo_offset;
+ lo->lo_sizelimit = info->lo_sizelimit;
memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
lo->lo_file_name[LO_NAME_SIZE-1] = 0;
@@ -1312,6 +1307,12 @@ loop_set_status(struct loop_device *lo,
lo->lo_key_owner = uid;
}
+ if (size_changed) {
+ loff_t new_size = get_size(lo->lo_offset, lo->lo_sizelimit,
+ lo->lo_backing_file);
+ loop_set_size(lo, new_size);
+ }
+
loop_config_discard(lo);
/* update dio if lo_offset or transfer is changed */
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 094/175] loop: properly observe rotational flag of underlying device
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 093/175] loop: Refactor loop_set_status() size calculation Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 095/175] perf/core: Fix reentry problem in perf_output_read_group() Greg Kroah-Hartman
` (86 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jens Axboe, linux-block, holger,
Holger Hoffst�tte, Gwendal Grignou, Benjamin Gordon,
Guenter Roeck, Genjian Zhang
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 2600 bytes --]
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Holger Hoffstätte <holger.hoffstaette@googlemail.com>
[ Upstream commit 56a85fd8376ef32458efb6ea97a820754e12f6bb ]
The loop driver always declares the rotational flag of its device as
rotational, even when the device of the mapped file is nonrotational,
as is the case with SSDs or on tmpfs. This can confuse filesystem tools
which are SSD-aware; in my case I frequently forget to tell mkfs.btrfs
that my loop device on tmpfs is nonrotational, and that I really don't
need any automatic metadata redundancy.
The attached patch fixes this by introspecting the rotational flag of the
mapped file's underlying block device, if it exists. If the mapped file's
filesystem has no associated block device - as is the case on e.g. tmpfs -
we assume nonrotational storage. If there is a better way to identify such
non-devices I'd love to hear them.
Cc: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org
Cc: holger@applied-asynchrony.com
Signed-off-by: Holger Hoffstätte <holger.hoffstaette@googlemail.com>
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Benjamin Gordon <bmgordon@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -940,6 +940,24 @@ static int loop_prepare_queue(struct loo
return 0;
}
+static void loop_update_rotational(struct loop_device *lo)
+{
+ struct file *file = lo->lo_backing_file;
+ struct inode *file_inode = file->f_mapping->host;
+ struct block_device *file_bdev = file_inode->i_sb->s_bdev;
+ struct request_queue *q = lo->lo_queue;
+ bool nonrot = true;
+
+ /* not all filesystems (e.g. tmpfs) have a sb->s_bdev */
+ if (file_bdev)
+ nonrot = blk_queue_nonrot(bdev_get_queue(file_bdev));
+
+ if (nonrot)
+ blk_queue_flag_set(QUEUE_FLAG_NONROT, q);
+ else
+ blk_queue_flag_clear(QUEUE_FLAG_NONROT, q);
+}
+
static int loop_set_fd(struct loop_device *lo, fmode_t mode,
struct block_device *bdev, unsigned int arg)
{
@@ -1001,6 +1019,7 @@ static int loop_set_fd(struct loop_devic
if (!(lo_flags & LO_FLAGS_READ_ONLY) && file->f_op->fsync)
blk_queue_write_cache(lo->lo_queue, true, false);
+ loop_update_rotational(lo);
loop_update_dio(lo);
loop_sysfs_init(lo);
loop_set_size(lo, size);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 095/175] perf/core: Fix reentry problem in perf_output_read_group()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 094/175] loop: properly observe rotational flag of underlying device Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 096/175] efivarfs: Request at most 512 bytes for variable names Greg Kroah-Hartman
` (85 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Jihong, Peter Zijlstra (Intel),
Thadeu Lima de Souza Cascardo
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Jihong <yangjihong1@huawei.com>
commit 6b959ba22d34ca793ffdb15b5715457c78e38b1a upstream.
perf_output_read_group may respond to IPI request of other cores and invoke
__perf_install_in_context function. As a result, hwc configuration is modified.
causing inconsistency and unexpected consequences.
Interrupts are not disabled when perf_output_read_group reads PMU counter.
In this case, IPI request may be received from other cores.
As a result, PMU configuration is modified and an error occurs when
reading PMU counter:
CPU0 CPU1
__se_sys_perf_event_open
perf_install_in_context
perf_output_read_group smp_call_function_single
for_each_sibling_event(sub, leader) { generic_exec_single
if ((sub != event) && remote_function
(sub->state == PERF_EVENT_STATE_ACTIVE)) |
<enter IPI handler: __perf_install_in_context> <----RAISE IPI-----+
__perf_install_in_context
ctx_resched
event_sched_out
armpmu_del
...
hwc->idx = -1; // event->hwc.idx is set to -1
...
<exit IPI>
sub->pmu->read(sub);
armpmu_read
armv8pmu_read_counter
armv8pmu_read_hw_counter
int idx = event->hw.idx; // idx = -1
u64 val = armv8pmu_read_evcntr(idx);
u32 counter = ARMV8_IDX_TO_COUNTER(idx); // invalid counter = 30
read_pmevcntrn(counter) // undefined instruction
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20220902082918.179248-1-yangjihong1@huawei.com
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6253,9 +6253,16 @@ static void perf_output_read_group(struc
{
struct perf_event *leader = event->group_leader, *sub;
u64 read_format = event->attr.read_format;
+ unsigned long flags;
u64 values[6];
int n = 0;
+ /*
+ * Disabling interrupts avoids all counter scheduling
+ * (context switches, timer based rotation and IPIs).
+ */
+ local_irq_save(flags);
+
values[n++] = 1 + leader->nr_siblings;
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED)
@@ -6291,6 +6298,8 @@ static void perf_output_read_group(struc
__output_copy(handle, values, n * sizeof(u64));
}
+
+ local_irq_restore(flags);
}
#define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 096/175] efivarfs: Request at most 512 bytes for variable names
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 095/175] perf/core: Fix reentry problem in perf_output_read_group() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 097/175] powerpc: xor_vmx: Add -mhard-float to CFLAGS Greg Kroah-Hartman
` (84 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tim Schumacher, Ard Biesheuvel
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Schumacher <timschumi@gmx.de>
commit f45812cc23fb74bef62d4eb8a69fe7218f4b9f2a upstream.
Work around a quirk in a few old (2011-ish) UEFI implementations, where
a call to `GetNextVariableName` with a buffer size larger than 512 bytes
will always return EFI_INVALID_PARAMETER.
There is some lore around EFI variable names being up to 1024 bytes in
size, but this has no basis in the UEFI specification, and the upper
bounds are typically platform specific, and apply to the entire variable
(name plus payload).
Given that Linux does not permit creating files with names longer than
NAME_MAX (255) bytes, 512 bytes (== 256 UTF-16 characters) is a
reasonable limit.
Cc: <stable@vger.kernel.org> # 6.1+
Signed-off-by: Tim Schumacher <timschumi@gmx.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
[timschumi@gmx.de: adjusted diff for changed context and code move]
Signed-off-by: Tim Schumacher <timschumi@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/vars.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
--- a/drivers/firmware/efi/vars.c
+++ b/drivers/firmware/efi/vars.c
@@ -440,7 +440,7 @@ int efivar_init(int (*func)(efi_char16_t
void *data, bool duplicates, struct list_head *head)
{
const struct efivar_operations *ops;
- unsigned long variable_name_size = 1024;
+ unsigned long variable_name_size = 512;
efi_char16_t *variable_name;
efi_status_t status;
efi_guid_t vendor_guid;
@@ -463,12 +463,13 @@ int efivar_init(int (*func)(efi_char16_t
}
/*
- * Per EFI spec, the maximum storage allocated for both
- * the variable name and variable data is 1024 bytes.
+ * A small set of old UEFI implementations reject sizes
+ * above a certain threshold, the lowest seen in the wild
+ * is 512.
*/
do {
- variable_name_size = 1024;
+ variable_name_size = 512;
status = ops->get_next_variable(&variable_name_size,
variable_name,
@@ -512,9 +513,13 @@ int efivar_init(int (*func)(efi_char16_t
break;
case EFI_NOT_FOUND:
break;
+ case EFI_BUFFER_TOO_SMALL:
+ pr_warn("efivars: Variable name size exceeds maximum (%lu > 512)\n",
+ variable_name_size);
+ status = EFI_NOT_FOUND;
+ break;
default:
- printk(KERN_WARNING "efivars: get_next_variable: status=%lx\n",
- status);
+ pr_warn("efivars: get_next_variable: status=%lx\n", status);
status = EFI_NOT_FOUND;
break;
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 097/175] powerpc: xor_vmx: Add -mhard-float to CFLAGS
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 096/175] efivarfs: Request at most 512 bytes for variable names Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 098/175] loop: Factor out configuring loop from status Greg Kroah-Hartman
` (83 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Michael Ellerman
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 35f20786c481d5ced9283ff42de5c69b65e5ed13 upstream.
arch/powerpc/lib/xor_vmx.o is built with '-msoft-float' (from the main
powerpc Makefile) and '-maltivec' (from its CFLAGS), which causes an
error when building with clang after a recent change in main:
error: option '-msoft-float' cannot be specified with '-maltivec'
make[6]: *** [scripts/Makefile.build:243: arch/powerpc/lib/xor_vmx.o] Error 1
Explicitly add '-mhard-float' before '-maltivec' in xor_vmx.o's CFLAGS
to override the previous inclusion of '-msoft-float' (as the last option
wins), which matches how other areas of the kernel use '-maltivec', such
as AMDGPU.
Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/1986
Link: https://github.com/llvm/llvm-project/commit/4792f912b232141ecba4cbae538873be3c28556c
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240127-ppc-xor_vmx-drop-msoft-float-v1-1-f24140e81376@kernel.org
[nathan: Fixed conflicts due to lack of 04e85bbf71c9 in older trees]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/lib/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/lib/Makefile
+++ b/arch/powerpc/lib/Makefile
@@ -46,6 +46,6 @@ obj-$(CONFIG_PPC_LIB_RHEAP) += rheap.o
obj-$(CONFIG_FTR_FIXUP_SELFTEST) += feature-fixups-test.o
obj-$(CONFIG_ALTIVEC) += xor_vmx.o xor_vmx_glue.o
-CFLAGS_xor_vmx.o += -maltivec $(call cc-option,-mabi=altivec)
+CFLAGS_xor_vmx.o += -mhard-float -maltivec $(call cc-option,-mabi=altivec)
obj-$(CONFIG_PPC64) += $(obj64-y)
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 098/175] loop: Factor out configuring loop from status
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 097/175] powerpc: xor_vmx: Add -mhard-float to CFLAGS Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 099/175] loop: Check for overflow while configuring loop Greg Kroah-Hartman
` (82 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martijn Coenen, Christoph Hellwig,
Jens Axboe, Genjian Zhang
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martijn Coenen <maco@android.com>
[ Upstream commit 0c3796c244598122a5d59d56f30d19390096817f ]
Factor out this code into a separate function, so it can be reused by
other code more easily.
Signed-off-by: Martijn Coenen <maco@android.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 117 +++++++++++++++++++++++++++++----------------------
1 file changed, 67 insertions(+), 50 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1231,75 +1231,43 @@ static int loop_clr_fd(struct loop_devic
return __loop_clr_fd(lo, false);
}
+/**
+ * loop_set_status_from_info - configure device from loop_info
+ * @lo: struct loop_device to configure
+ * @info: struct loop_info64 to configure the device with
+ *
+ * Configures the loop device parameters according to the passed
+ * in loop_info64 configuration.
+ */
static int
-loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
+loop_set_status_from_info(struct loop_device *lo,
+ const struct loop_info64 *info)
{
int err;
struct loop_func_table *xfer;
kuid_t uid = current_uid();
- struct block_device *bdev;
- bool partscan = false;
- bool size_changed = false;
- err = mutex_lock_killable(&loop_ctl_mutex);
- if (err)
- return err;
- if (lo->lo_encrypt_key_size &&
- !uid_eq(lo->lo_key_owner, uid) &&
- !capable(CAP_SYS_ADMIN)) {
- err = -EPERM;
- goto out_unlock;
- }
- if (lo->lo_state != Lo_bound) {
- err = -ENXIO;
- goto out_unlock;
- }
- if ((unsigned int) info->lo_encrypt_key_size > LO_KEY_SIZE) {
- err = -EINVAL;
- goto out_unlock;
- }
-
- if (lo->lo_offset != info->lo_offset ||
- lo->lo_sizelimit != info->lo_sizelimit) {
- size_changed = true;
- sync_blockdev(lo->lo_device);
- invalidate_bdev(lo->lo_device);
- }
-
- /* I/O need to be drained during transfer transition */
- blk_mq_freeze_queue(lo->lo_queue);
-
- if (size_changed && lo->lo_device->bd_inode->i_mapping->nrpages) {
- /* If any pages were dirtied after invalidate_bdev(), try again */
- err = -EAGAIN;
- pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n",
- __func__, lo->lo_number, lo->lo_file_name,
- lo->lo_device->bd_inode->i_mapping->nrpages);
- goto out_unfreeze;
- }
+ if ((unsigned int) info->lo_encrypt_key_size > LO_KEY_SIZE)
+ return -EINVAL;
err = loop_release_xfer(lo);
if (err)
- goto out_unfreeze;
+ return err;
if (info->lo_encrypt_type) {
unsigned int type = info->lo_encrypt_type;
- if (type >= MAX_LO_CRYPT) {
- err = -EINVAL;
- goto out_unfreeze;
- }
+ if (type >= MAX_LO_CRYPT)
+ return -EINVAL;
xfer = xfer_funcs[type];
- if (xfer == NULL) {
- err = -EINVAL;
- goto out_unfreeze;
- }
+ if (xfer == NULL)
+ return -EINVAL;
} else
xfer = NULL;
err = loop_init_xfer(lo, xfer, info);
if (err)
- goto out_unfreeze;
+ return err;
lo->lo_offset = info->lo_offset;
lo->lo_sizelimit = info->lo_sizelimit;
@@ -1326,6 +1294,55 @@ loop_set_status(struct loop_device *lo,
lo->lo_key_owner = uid;
}
+ return 0;
+}
+
+static int
+loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
+{
+ int err;
+ struct block_device *bdev;
+ kuid_t uid = current_uid();
+ bool partscan = false;
+ bool size_changed = false;
+
+ err = mutex_lock_killable(&loop_ctl_mutex);
+ if (err)
+ return err;
+ if (lo->lo_encrypt_key_size &&
+ !uid_eq(lo->lo_key_owner, uid) &&
+ !capable(CAP_SYS_ADMIN)) {
+ err = -EPERM;
+ goto out_unlock;
+ }
+ if (lo->lo_state != Lo_bound) {
+ err = -ENXIO;
+ goto out_unlock;
+ }
+
+ if (lo->lo_offset != info->lo_offset ||
+ lo->lo_sizelimit != info->lo_sizelimit) {
+ size_changed = true;
+ sync_blockdev(lo->lo_device);
+ invalidate_bdev(lo->lo_device);
+ }
+
+ /* I/O need to be drained during transfer transition */
+ blk_mq_freeze_queue(lo->lo_queue);
+
+ if (size_changed && lo->lo_device->bd_inode->i_mapping->nrpages) {
+ /* If any pages were dirtied after invalidate_bdev(), try again */
+ err = -EAGAIN;
+ pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n",
+ __func__, lo->lo_number, lo->lo_file_name,
+ lo->lo_device->bd_inode->i_mapping->nrpages);
+ goto out_unfreeze;
+ }
+
+ err = loop_set_status_from_info(lo, info);
+ if (err)
+ goto out_unfreeze;
+
if (size_changed) {
loff_t new_size = get_size(lo->lo_offset, lo->lo_sizelimit,
lo->lo_backing_file);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 099/175] loop: Check for overflow while configuring loop
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 098/175] loop: Factor out configuring loop from status Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 100/175] loop: loop_set_status_from_info() check before assignment Greg Kroah-Hartman
` (81 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Siddh Raman Pant, Christoph Hellwig, Jens Axboe, Genjian Zhang,
syzbot+a8e049cd3abd342936b6
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddh Raman Pant <code@siddh.me>
[ Upstream commit c490a0b5a4f36da3918181a8acdc6991d967c5f3 ]
The userspace can configure a loop using an ioctl call, wherein
a configuration of type loop_config is passed (see lo_ioctl()'s
case on line 1550 of drivers/block/loop.c). This proceeds to call
loop_configure() which in turn calls loop_set_status_from_info()
(see line 1050 of loop.c), passing &config->info which is of type
loop_info64*. This function then sets the appropriate values, like
the offset.
loop_device has lo_offset of type loff_t (see line 52 of loop.c),
which is typdef-chained to long long, whereas loop_info64 has
lo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h).
The function directly copies offset from info to the device as
follows (See line 980 of loop.c):
lo->lo_offset = info->lo_offset;
This results in an overflow, which triggers a warning in iomap_iter()
due to a call to iomap_iter_done() which has:
WARN_ON_ONCE(iter->iomap.offset > iter->pos);
Thus, check for negative value during loop_set_status_from_info().
Bug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e
Reported-and-tested-by: syzbot+a8e049cd3abd342936b6@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Siddh Raman Pant <code@siddh.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20220823160810.181275-1-code@siddh.me
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1271,6 +1271,11 @@ loop_set_status_from_info(struct loop_de
lo->lo_offset = info->lo_offset;
lo->lo_sizelimit = info->lo_sizelimit;
+
+ /* loff_t vars have been assigned __u64 */
+ if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
+ return -EOVERFLOW;
+
memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
lo->lo_file_name[LO_NAME_SIZE-1] = 0;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 100/175] loop: loop_set_status_from_info() check before assignment
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 099/175] loop: Check for overflow while configuring loop Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 101/175] usb: dwc2: host: Fix remote wakeup from hibernation Greg Kroah-Hartman
` (80 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhong Jinghua, Chaitanya Kulkarni,
Jens Axboe, Genjian Zhang
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhong Jinghua <zhongjinghua@huawei.com>
[ Upstream commit 9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa ]
In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should
be checked before reassignment, because if an overflow error occurs, the
original correct value will be changed to the wrong value, and it will not
be changed back.
More, the original patch did not solve the problem, the value was set and
ioctl returned an error, but the subsequent io used the value in the loop
driver, which still caused an alarm:
loop_handle_cmd
do_req_filebacked
loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset;
lo_rw_aio
cmd->iocb.ki_pos = pos
Fixes: c490a0b5a4f3 ("loop: Check for overflow while configuring loop")
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Link: https://lore.kernel.org/r/20230221095027.3656193-1-zhongjinghua@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1269,13 +1269,13 @@ loop_set_status_from_info(struct loop_de
if (err)
return err;
+ /* Avoid assigning overflow values */
+ if (info->lo_offset > LLONG_MAX || info->lo_sizelimit > LLONG_MAX)
+ return -EOVERFLOW;
+
lo->lo_offset = info->lo_offset;
lo->lo_sizelimit = info->lo_sizelimit;
- /* loff_t vars have been assigned __u64 */
- if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
- return -EOVERFLOW;
-
memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
lo->lo_file_name[LO_NAME_SIZE-1] = 0;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 101/175] usb: dwc2: host: Fix remote wakeup from hibernation
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 100/175] loop: loop_set_status_from_info() check before assignment Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 102/175] usb: dwc2: host: Fix hibernation flow Greg Kroah-Hartman
` (79 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Minas Harutyunyan
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
commit bae2bc73a59c200db53b6c15fb26bb758e2c6108 upstream.
Starting from core v4.30a changed order of programming
GPWRDN_PMUACTV to 0 in case of exit from hibernation on
remote wakeup signaling from device.
Fixes: c5c403dc4336 ("usb: dwc2: Add host/device hibernation functions")
CC: stable@vger.kernel.org
Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
Link: https://lore.kernel.org/r/99385ec55ce73445b6fbd0f471c9bd40eb1c9b9e.1708939799.git.Minas.Harutyunyan@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc2/core.h | 1 +
drivers/usb/dwc2/hcd.c | 17 +++++++++++++----
2 files changed, 14 insertions(+), 4 deletions(-)
--- a/drivers/usb/dwc2/core.h
+++ b/drivers/usb/dwc2/core.h
@@ -1052,6 +1052,7 @@ struct dwc2_hsotg {
bool needs_byte_swap;
/* DWC OTG HW Release versions */
+#define DWC2_CORE_REV_4_30a 0x4f54430a
#define DWC2_CORE_REV_2_71a 0x4f54271a
#define DWC2_CORE_REV_2_72a 0x4f54272a
#define DWC2_CORE_REV_2_80a 0x4f54280a
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -5684,10 +5684,12 @@ int dwc2_host_exit_hibernation(struct dw
dwc2_writel(hsotg, hr->hcfg, HCFG);
/* De-assert Wakeup Logic */
- gpwrdn = dwc2_readl(hsotg, GPWRDN);
- gpwrdn &= ~GPWRDN_PMUACTV;
- dwc2_writel(hsotg, gpwrdn, GPWRDN);
- udelay(10);
+ if (!(rem_wakeup && hsotg->hw_params.snpsid >= DWC2_CORE_REV_4_30a)) {
+ gpwrdn = dwc2_readl(hsotg, GPWRDN);
+ gpwrdn &= ~GPWRDN_PMUACTV;
+ dwc2_writel(hsotg, gpwrdn, GPWRDN);
+ udelay(10);
+ }
hprt0 = hr->hprt0;
hprt0 |= HPRT0_PWR;
@@ -5712,6 +5714,13 @@ int dwc2_host_exit_hibernation(struct dw
hprt0 |= HPRT0_RES;
dwc2_writel(hsotg, hprt0, HPRT0);
+ /* De-assert Wakeup Logic */
+ if ((rem_wakeup && hsotg->hw_params.snpsid >= DWC2_CORE_REV_4_30a)) {
+ gpwrdn = dwc2_readl(hsotg, GPWRDN);
+ gpwrdn &= ~GPWRDN_PMUACTV;
+ dwc2_writel(hsotg, gpwrdn, GPWRDN);
+ udelay(10);
+ }
/* Wait for Resume time and then program HPRT again */
mdelay(100);
hprt0 &= ~HPRT0_RES;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 102/175] usb: dwc2: host: Fix hibernation flow
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 101/175] usb: dwc2: host: Fix remote wakeup from hibernation Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 103/175] usb: dwc2: host: Fix ISOC flow in DDMA mode Greg Kroah-Hartman
` (78 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Minas Harutyunyan
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
commit 3c7b9856a82227db01a20171d2e24c7ce305d59b upstream.
Added to backup/restore registers HFLBADDR, HCCHARi, HCSPLTi,
HCTSIZi, HCDMAi and HCDMABi.
Fixes: 58e52ff6a6c3 ("usb: dwc2: Move register save and restore functions")
Fixes: d17ee77b3044 ("usb: dwc2: add controller hibernation support")
CC: stable@vger.kernel.org
Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
Link: https://lore.kernel.org/r/c2d10ee6098b9b009a8e94191e046004747d3bdd.1708945444.git.Minas.Harutyunyan@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc2/core.h | 12 ++++++++++++
drivers/usb/dwc2/hcd.c | 18 ++++++++++++++++--
2 files changed, 28 insertions(+), 2 deletions(-)
--- a/drivers/usb/dwc2/core.h
+++ b/drivers/usb/dwc2/core.h
@@ -716,8 +716,14 @@ struct dwc2_dregs_backup {
* struct dwc2_hregs_backup - Holds host registers state before
* entering partial power down
* @hcfg: Backup of HCFG register
+ * @hflbaddr: Backup of HFLBADDR register
* @haintmsk: Backup of HAINTMSK register
+ * @hcchar: Backup of HCCHAR register
+ * @hcsplt: Backup of HCSPLT register
* @hcintmsk: Backup of HCINTMSK register
+ * @hctsiz: Backup of HCTSIZ register
+ * @hdma: Backup of HCDMA register
+ * @hcdmab: Backup of HCDMAB register
* @hprt0: Backup of HPTR0 register
* @hfir: Backup of HFIR register
* @hptxfsiz: Backup of HPTXFSIZ register
@@ -725,8 +731,14 @@ struct dwc2_dregs_backup {
*/
struct dwc2_hregs_backup {
u32 hcfg;
+ u32 hflbaddr;
u32 haintmsk;
+ u32 hcchar[MAX_EPS_CHANNELS];
+ u32 hcsplt[MAX_EPS_CHANNELS];
u32 hcintmsk[MAX_EPS_CHANNELS];
+ u32 hctsiz[MAX_EPS_CHANNELS];
+ u32 hcidma[MAX_EPS_CHANNELS];
+ u32 hcidmab[MAX_EPS_CHANNELS];
u32 hprt0;
u32 hfir;
u32 hptxfsiz;
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -5480,9 +5480,16 @@ int dwc2_backup_host_registers(struct dw
/* Backup Host regs */
hr = &hsotg->hr_backup;
hr->hcfg = dwc2_readl(hsotg, HCFG);
+ hr->hflbaddr = dwc2_readl(hsotg, HFLBADDR);
hr->haintmsk = dwc2_readl(hsotg, HAINTMSK);
- for (i = 0; i < hsotg->params.host_channels; ++i)
+ for (i = 0; i < hsotg->params.host_channels; ++i) {
+ hr->hcchar[i] = dwc2_readl(hsotg, HCCHAR(i));
+ hr->hcsplt[i] = dwc2_readl(hsotg, HCSPLT(i));
hr->hcintmsk[i] = dwc2_readl(hsotg, HCINTMSK(i));
+ hr->hctsiz[i] = dwc2_readl(hsotg, HCTSIZ(i));
+ hr->hcidma[i] = dwc2_readl(hsotg, HCDMA(i));
+ hr->hcidmab[i] = dwc2_readl(hsotg, HCDMAB(i));
+ }
hr->hprt0 = dwc2_read_hprt0(hsotg);
hr->hfir = dwc2_readl(hsotg, HFIR);
@@ -5516,10 +5523,17 @@ int dwc2_restore_host_registers(struct d
hr->valid = false;
dwc2_writel(hsotg, hr->hcfg, HCFG);
+ dwc2_writel(hsotg, hr->hflbaddr, HFLBADDR);
dwc2_writel(hsotg, hr->haintmsk, HAINTMSK);
- for (i = 0; i < hsotg->params.host_channels; ++i)
+ for (i = 0; i < hsotg->params.host_channels; ++i) {
+ dwc2_writel(hsotg, hr->hcchar[i], HCCHAR(i));
+ dwc2_writel(hsotg, hr->hcsplt[i], HCSPLT(i));
dwc2_writel(hsotg, hr->hcintmsk[i], HCINTMSK(i));
+ dwc2_writel(hsotg, hr->hctsiz[i], HCTSIZ(i));
+ dwc2_writel(hsotg, hr->hcidma[i], HCDMA(i));
+ dwc2_writel(hsotg, hr->hcidmab[i], HCDMAB(i));
+ }
dwc2_writel(hsotg, hr->hprt0, HPRT0);
dwc2_writel(hsotg, hr->hfir, HFIR);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 103/175] usb: dwc2: host: Fix ISOC flow in DDMA mode
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 102/175] usb: dwc2: host: Fix hibernation flow Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 104/175] usb: dwc2: gadget: LPM flow fix Greg Kroah-Hartman
` (77 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Minas Harutyunyan
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
commit b258e42688501cadb1a6dd658d6f015df9f32d8f upstream.
Fixed ISOC completion flow in DDMA mode. Added isoc
descriptor actual length value and update urb's start_frame
value.
Fixed initialization of ISOC DMA descriptors flow.
Fixes: 56f5b1cff22a ("staging: Core files for the DWC2 driver")
Fixes: 20f2eb9c4cf8 ("staging: dwc2: add microframe scheduler from downstream Pi kernel")
Fixes: c17b337c1ea4 ("usb: dwc2: host: program descriptor for next frame")
Fixes: dc4c76e7b22c ("staging: HCD descriptor DMA support for the DWC2 driver")
Fixes: 762d3a1a9cd7 ("usb: dwc2: host: process all completed urbs")
CC: stable@vger.kernel.org
Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
Link: https://lore.kernel.org/r/a8b1e1711cc6cabfb45d92ede12e35445c66f06c.1708944698.git.Minas.Harutyunyan@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc2/hcd.c | 12 ++++++++++--
drivers/usb/dwc2/hcd_ddma.c | 17 +++++++++++------
drivers/usb/dwc2/hw.h | 2 +-
3 files changed, 22 insertions(+), 9 deletions(-)
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -2929,8 +2929,11 @@ enum dwc2_transaction_type dwc2_hcd_sele
hsotg->available_host_channels--;
}
qh = list_entry(qh_ptr, struct dwc2_qh, qh_list_entry);
- if (dwc2_assign_and_init_hc(hsotg, qh))
+ if (dwc2_assign_and_init_hc(hsotg, qh)) {
+ if (hsotg->params.uframe_sched)
+ hsotg->available_host_channels++;
break;
+ }
/*
* Move the QH from the periodic ready schedule to the
@@ -2963,8 +2966,11 @@ enum dwc2_transaction_type dwc2_hcd_sele
hsotg->available_host_channels--;
}
- if (dwc2_assign_and_init_hc(hsotg, qh))
+ if (dwc2_assign_and_init_hc(hsotg, qh)) {
+ if (hsotg->params.uframe_sched)
+ hsotg->available_host_channels++;
break;
+ }
/*
* Move the QH from the non-periodic inactive schedule to the
@@ -4320,6 +4326,8 @@ void dwc2_host_complete(struct dwc2_hsot
urb->actual_length);
if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) {
+ if (!hsotg->params.dma_desc_enable)
+ urb->start_frame = qtd->qh->start_active_frame;
urb->error_count = dwc2_hcd_urb_get_error_count(qtd->urb);
for (i = 0; i < urb->number_of_packets; ++i) {
urb->iso_frame_desc[i].actual_length =
--- a/drivers/usb/dwc2/hcd_ddma.c
+++ b/drivers/usb/dwc2/hcd_ddma.c
@@ -589,7 +589,7 @@ static void dwc2_init_isoc_dma_desc(stru
idx = qh->td_last;
inc = qh->host_interval;
hsotg->frame_number = dwc2_hcd_get_frame_number(hsotg);
- cur_idx = dwc2_frame_list_idx(hsotg->frame_number);
+ cur_idx = idx;
next_idx = dwc2_desclist_idx_inc(qh->td_last, inc, qh->dev_speed);
/*
@@ -896,6 +896,8 @@ static int dwc2_cmpl_host_isoc_dma_desc(
{
struct dwc2_dma_desc *dma_desc;
struct dwc2_hcd_iso_packet_desc *frame_desc;
+ u16 frame_desc_idx;
+ struct urb *usb_urb = qtd->urb->priv;
u16 remain = 0;
int rc = 0;
@@ -908,8 +910,11 @@ static int dwc2_cmpl_host_isoc_dma_desc(
DMA_FROM_DEVICE);
dma_desc = &qh->desc_list[idx];
+ frame_desc_idx = (idx - qtd->isoc_td_first) & (usb_urb->number_of_packets - 1);
- frame_desc = &qtd->urb->iso_descs[qtd->isoc_frame_index_last];
+ frame_desc = &qtd->urb->iso_descs[frame_desc_idx];
+ if (idx == qtd->isoc_td_first)
+ usb_urb->start_frame = dwc2_hcd_get_frame_number(hsotg);
dma_desc->buf = (u32)(qtd->urb->dma + frame_desc->offset);
if (chan->ep_is_in)
remain = (dma_desc->status & HOST_DMA_ISOC_NBYTES_MASK) >>
@@ -930,7 +935,7 @@ static int dwc2_cmpl_host_isoc_dma_desc(
frame_desc->status = 0;
}
- if (++qtd->isoc_frame_index == qtd->urb->packet_count) {
+ if (++qtd->isoc_frame_index == usb_urb->number_of_packets) {
/*
* urb->status is not used for isoc transfers here. The
* individual frame_desc status are used instead.
@@ -1035,11 +1040,11 @@ static void dwc2_complete_isoc_xfer_ddma
return;
idx = dwc2_desclist_idx_inc(idx, qh->host_interval,
chan->speed);
- if (!rc)
+ if (rc == 0)
continue;
- if (rc == DWC2_CMPL_DONE)
- break;
+ if (rc == DWC2_CMPL_DONE || rc == DWC2_CMPL_STOP)
+ goto stop_scan;
/* rc == DWC2_CMPL_STOP */
--- a/drivers/usb/dwc2/hw.h
+++ b/drivers/usb/dwc2/hw.h
@@ -701,7 +701,7 @@
#define TXSTS_QTOP_TOKEN_MASK (0x3 << 25)
#define TXSTS_QTOP_TOKEN_SHIFT 25
#define TXSTS_QTOP_TERMINATE BIT(24)
-#define TXSTS_QSPCAVAIL_MASK (0xff << 16)
+#define TXSTS_QSPCAVAIL_MASK (0x7f << 16)
#define TXSTS_QSPCAVAIL_SHIFT 16
#define TXSTS_FSPCAVAIL_MASK (0xffff << 0)
#define TXSTS_FSPCAVAIL_SHIFT 0
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 104/175] usb: dwc2: gadget: LPM flow fix
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 103/175] usb: dwc2: host: Fix ISOC flow in DDMA mode Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 105/175] usb: udc: remove warning when queue disabled ep Greg Kroah-Hartman
` (76 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Minas Harutyunyan
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
commit 5d69a3b54e5a630c90d82a4c2bdce3d53dc78710 upstream.
Added functionality to exit from L1 state by device initiation
using remote wakeup signaling, in case when function driver queuing
request while core in L1 state.
Fixes: 273d576c4d41 ("usb: dwc2: gadget: Add functionality to exit from LPM L1 state")
Fixes: 88b02f2cb1e1 ("usb: dwc2: Add core state checking")
CC: stable@vger.kernel.org
Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
Link: https://lore.kernel.org/r/b4d9de5382375dddbf7ef6049d9a82066ad87d5d.1710166393.git.Minas.Harutyunyan@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc2/core.h | 1
drivers/usb/dwc2/core_intr.c | 65 ++++++++++++++++++++++++++++---------------
drivers/usb/dwc2/gadget.c | 4 ++
3 files changed, 48 insertions(+), 22 deletions(-)
--- a/drivers/usb/dwc2/core.h
+++ b/drivers/usb/dwc2/core.h
@@ -1295,6 +1295,7 @@ int dwc2_backup_global_registers(struct
int dwc2_restore_global_registers(struct dwc2_hsotg *hsotg);
void dwc2_enable_acg(struct dwc2_hsotg *hsotg);
+void dwc2_wakeup_from_lpm_l1(struct dwc2_hsotg *hsotg, bool remotewakeup);
/* This function should be called on every hardware interrupt. */
irqreturn_t dwc2_handle_common_intr(int irq, void *dev);
--- a/drivers/usb/dwc2/core_intr.c
+++ b/drivers/usb/dwc2/core_intr.c
@@ -349,10 +349,11 @@ static void dwc2_handle_session_req_intr
* @hsotg: Programming view of DWC_otg controller
*
*/
-static void dwc2_wakeup_from_lpm_l1(struct dwc2_hsotg *hsotg)
+void dwc2_wakeup_from_lpm_l1(struct dwc2_hsotg *hsotg, bool remotewakeup)
{
u32 glpmcfg;
- u32 i = 0;
+ u32 pcgctl;
+ u32 dctl;
if (hsotg->lx_state != DWC2_L1) {
dev_err(hsotg->dev, "Core isn't in DWC2_L1 state\n");
@@ -361,37 +362,57 @@ static void dwc2_wakeup_from_lpm_l1(stru
glpmcfg = dwc2_readl(hsotg, GLPMCFG);
if (dwc2_is_device_mode(hsotg)) {
- dev_dbg(hsotg->dev, "Exit from L1 state\n");
+ dev_dbg(hsotg->dev, "Exit from L1 state, remotewakeup=%d\n", remotewakeup);
glpmcfg &= ~GLPMCFG_ENBLSLPM;
- glpmcfg &= ~GLPMCFG_HIRD_THRES_EN;
+ glpmcfg &= ~GLPMCFG_HIRD_THRES_MASK;
dwc2_writel(hsotg, glpmcfg, GLPMCFG);
- do {
- glpmcfg = dwc2_readl(hsotg, GLPMCFG);
-
- if (!(glpmcfg & (GLPMCFG_COREL1RES_MASK |
- GLPMCFG_L1RESUMEOK | GLPMCFG_SLPSTS)))
- break;
+ pcgctl = dwc2_readl(hsotg, PCGCTL);
+ pcgctl &= ~PCGCTL_ENBL_SLEEP_GATING;
+ dwc2_writel(hsotg, pcgctl, PCGCTL);
+
+ glpmcfg = dwc2_readl(hsotg, GLPMCFG);
+ if (glpmcfg & GLPMCFG_ENBESL) {
+ glpmcfg |= GLPMCFG_RSTRSLPSTS;
+ dwc2_writel(hsotg, glpmcfg, GLPMCFG);
+ }
- udelay(1);
- } while (++i < 200);
+ if (remotewakeup) {
+ if (dwc2_hsotg_wait_bit_set(hsotg, GLPMCFG, GLPMCFG_L1RESUMEOK, 1000)) {
+ dev_warn(hsotg->dev, "%s: timeout GLPMCFG_L1RESUMEOK\n", __func__);
+ goto fail;
+ return;
+ }
+
+ dctl = dwc2_readl(hsotg, DCTL);
+ dctl |= DCTL_RMTWKUPSIG;
+ dwc2_writel(hsotg, dctl, DCTL);
+
+ if (dwc2_hsotg_wait_bit_set(hsotg, GINTSTS, GINTSTS_WKUPINT, 1000)) {
+ dev_warn(hsotg->dev, "%s: timeout GINTSTS_WKUPINT\n", __func__);
+ goto fail;
+ return;
+ }
+ }
- if (i == 200) {
- dev_err(hsotg->dev, "Failed to exit L1 sleep state in 200us.\n");
+ glpmcfg = dwc2_readl(hsotg, GLPMCFG);
+ if (glpmcfg & GLPMCFG_COREL1RES_MASK || glpmcfg & GLPMCFG_SLPSTS ||
+ glpmcfg & GLPMCFG_L1RESUMEOK) {
+ goto fail;
return;
}
- dwc2_gadget_init_lpm(hsotg);
+
+ /* Inform gadget to exit from L1 */
+ call_gadget(hsotg, resume);
+ /* Change to L0 state */
+ hsotg->lx_state = DWC2_L0;
+ hsotg->bus_suspended = false;
+fail: dwc2_gadget_init_lpm(hsotg);
} else {
/* TODO */
dev_err(hsotg->dev, "Host side LPM is not supported.\n");
return;
}
-
- /* Change to L0 state */
- hsotg->lx_state = DWC2_L0;
-
- /* Inform gadget to exit from L1 */
- call_gadget(hsotg, resume);
}
/*
@@ -412,7 +433,7 @@ static void dwc2_handle_wakeup_detected_
dev_dbg(hsotg->dev, "%s lxstate = %d\n", __func__, hsotg->lx_state);
if (hsotg->lx_state == DWC2_L1) {
- dwc2_wakeup_from_lpm_l1(hsotg);
+ dwc2_wakeup_from_lpm_l1(hsotg, false);
return;
}
--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -1308,6 +1308,10 @@ static int dwc2_hsotg_ep_queue(struct us
ep->name, req, req->length, req->buf, req->no_interrupt,
req->zero, req->short_not_ok);
+ if (hs->lx_state == DWC2_L1) {
+ dwc2_wakeup_from_lpm_l1(hs, true);
+ }
+
/* Prevent new request submission when controller is suspended */
if (hs->lx_state != DWC2_L0) {
dev_dbg(hs->dev, "%s: submit request only in active state\n",
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 105/175] usb: udc: remove warning when queue disabled ep
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 104/175] usb: dwc2: gadget: LPM flow fix Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 106/175] scsi: qla2xxx: Fix command flush on cable pull Greg Kroah-Hartman
` (75 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, yuan linyu
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: yuan linyu <yuanlinyu@hihonor.com>
commit 2a587a035214fa1b5ef598aea0b81848c5b72e5e upstream.
It is possible trigger below warning message from mass storage function,
WARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104
pc : usb_ep_queue+0x7c/0x104
lr : fsg_main_thread+0x494/0x1b3c
Root cause is mass storage function try to queue request from main thread,
but other thread may already disable ep when function disable.
As there is no function failure in the driver, in order to avoid effort
to fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable@vger.kernel.org
Signed-off-by: yuan linyu <yuanlinyu@hihonor.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20240315020144.2715575-1-yuanlinyu@hihonor.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -273,7 +273,9 @@ int usb_ep_queue(struct usb_ep *ep,
{
int ret = 0;
- if (WARN_ON_ONCE(!ep->enabled && ep->address)) {
+ if (!ep->enabled && ep->address) {
+ pr_debug("USB gadget: queue request to disabled ep 0x%x (%s)\n",
+ ep->address, ep->name);
ret = -ESHUTDOWN;
goto out;
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 106/175] scsi: qla2xxx: Fix command flush on cable pull
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 105/175] usb: udc: remove warning when queue disabled ep Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 107/175] x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled Greg Kroah-Hartman
` (74 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quinn Tran, Nilesh Javali,
Himanshu Madhani, Martin K. Petersen
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quinn Tran <qutran@marvell.com>
commit a27d4d0e7de305def8a5098a614053be208d1aa1 upstream.
System crash due to command failed to flush back to SCSI layer.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1
Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
RIP: 0010:__wake_up_common+0x4c/0x190
Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75
RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
__wake_up_common_lock+0x7c/0xc0
qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0
? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.
? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1
? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]
qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0
? __switch_to+0x10c/0x450
? process_one_work+0x1a7/0x360
qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.
? worker_thread+0x1ce/0x390
? create_worker+0x1a0/0x1a0
qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70
? kthread+0x10a/0x120
qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8
? set_kthread_struct+0x40/0x40
qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.
? ret_from_fork+0x1f/0x40
qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout
The system was under memory stress where driver was not able to allocate an
SRB to carry out error recovery of cable pull. The failure to flush causes
upper layer to start modifying scsi_cmnd. When the system frees up some
memory, the subsequent cable pull trigger another command flush. At this
point the driver access a null pointer when attempting to DMA unmap the
SGL.
Add a check to make sure commands are flush back on session tear down to
prevent the null pointer access.
Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20240227164127.36465-7-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_target.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -1037,6 +1037,16 @@ void qlt_free_session_done(struct work_s
"%s: sess %p logout completed\n", __func__, sess);
}
+ /* check for any straggling io left behind */
+ if (!(sess->flags & FCF_FCP2_DEVICE) &&
+ qla2x00_eh_wait_for_pending_commands(sess->vha, sess->d_id.b24, 0, WAIT_TARGET)) {
+ ql_log(ql_log_warn, vha, 0x3027,
+ "IO not return. Resetting.\n");
+ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
+ qla2xxx_wake_dpc(vha);
+ qla2x00_wait_for_chip_reset(vha);
+ }
+
if (sess->logo_ack_needed) {
sess->logo_ack_needed = 0;
qla24xx_async_notify_ack(vha, sess,
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 107/175] x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 106/175] scsi: qla2xxx: Fix command flush on cable pull Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 108/175] timers: Move clearing of base::timer_running under base:: Lock Greg Kroah-Hartman
` (73 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Kim Phillips,
Borislav Petkov (AMD)
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kim Phillips <kim.phillips@amd.com>
commit fd470a8beed88440b160d690344fbae05a0b9b1b upstream.
Unlike Intel's Enhanced IBRS feature, AMD's Automatic IBRS does not
provide protection to processes running at CPL3/user mode, see section
"Extended Feature Enable Register (EFER)" in the APM v2 at
https://bugzilla.kernel.org/attachment.cgi?id=304652
Explicitly enable STIBP to protect against cross-thread CPL3
branch target injections on systems with Automatic IBRS enabled.
Also update the relevant documentation.
Fixes: e7862eda309e ("x86/cpu: Support AMD Automatic IBRS")
Reported-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230720194727.67022-1-kim.phillips@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/hw-vuln/spectre.rst | 11 +++++++----
arch/x86/kernel/cpu/bugs.c | 15 +++++++++------
2 files changed, 16 insertions(+), 10 deletions(-)
--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -484,11 +484,14 @@ Spectre variant 2
Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at
boot, by setting the IBRS bit, and they're automatically protected against
- Spectre v2 variant attacks, including cross-thread branch target injections
- on SMT systems (STIBP). In other words, eIBRS enables STIBP too.
+ Spectre v2 variant attacks.
- Legacy IBRS systems clear the IBRS bit on exit to userspace and
- therefore explicitly enable STIBP for that
+ On Intel's enhanced IBRS systems, this includes cross-thread branch target
+ injections on SMT systems (STIBP). In other words, Intel eIBRS enables
+ STIBP, too.
+
+ AMD Automatic IBRS does not protect userspace, and Legacy IBRS systems clear
+ the IBRS bit on exit to userspace, therefore both explicitly enable STIBP.
The retpoline mitigation is turned on by default on vulnerable
CPUs. It can be forced on or off by the administrator
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1153,19 +1153,21 @@ spectre_v2_user_select_mitigation(void)
}
/*
- * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP
+ * If no STIBP, Intel enhanced IBRS is enabled, or SMT impossible, STIBP
* is not required.
*
- * Enhanced IBRS also protects against cross-thread branch target
+ * Intel's Enhanced IBRS also protects against cross-thread branch target
* injection in user-mode as the IBRS bit remains always set which
* implicitly enables cross-thread protections. However, in legacy IBRS
* mode, the IBRS bit is set only on kernel entry and cleared on return
- * to userspace. This disables the implicit cross-thread protection,
- * so allow for STIBP to be selected in that case.
+ * to userspace. AMD Automatic IBRS also does not protect userspace.
+ * These modes therefore disable the implicit cross-thread protection,
+ * so allow for STIBP to be selected in those cases.
*/
if (!boot_cpu_has(X86_FEATURE_STIBP) ||
!smt_possible ||
- spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+ (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
+ !boot_cpu_has(X86_FEATURE_AUTOIBRS)))
return;
/*
@@ -2221,7 +2223,8 @@ static ssize_t mmio_stale_data_show_stat
static char *stibp_state(void)
{
- if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
+ !boot_cpu_has(X86_FEATURE_AUTOIBRS))
return "";
switch (spectre_v2_user_stibp) {
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 108/175] timers: Move clearing of base::timer_running under base:: Lock
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 107/175] x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 109/175] drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check() Greg Kroah-Hartman
` (72 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+aa7c2385d46c5eba0b89,
syzbot+abea4558531bae1ba9fe, Thomas Gleixner,
Sebastian Andrzej Siewior
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit bb7262b295472eb6858b5c49893954794027cd84 upstream.
syzbot reported KCSAN data races vs. timer_base::timer_running being set to
NULL without holding base::lock in expire_timers().
This looks innocent and most reads are clearly not problematic, but
Frederic identified an issue which is:
int data = 0;
void timer_func(struct timer_list *t)
{
data = 1;
}
CPU 0 CPU 1
------------------------------ --------------------------
base = lock_timer_base(timer, &flags); raw_spin_unlock(&base->lock);
if (base->running_timer != timer) call_timer_fn(timer, fn, baseclk);
ret = detach_if_pending(timer, base, true); base->running_timer = NULL;
raw_spin_unlock_irqrestore(&base->lock, flags); raw_spin_lock(&base->lock);
x = data;
If the timer has previously executed on CPU 1 and then CPU 0 can observe
base->running_timer == NULL and returns, assuming the timer has completed,
but it's not guaranteed on all architectures. The comment for
del_timer_sync() makes that guarantee. Moving the assignment under
base->lock prevents this.
For non-RT kernel it's performance wise completely irrelevant whether the
store happens before or after taking the lock. For an RT kernel moving the
store under the lock requires an extra unlock/lock pair in the case that
there is a waiter for the timer, but that's not the end of the world.
Reported-by: syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com
Reported-by: syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com
Fixes: 030dcdd197d7 ("timers: Prepare support for PREEMPT_RT")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/87lfea7gw8.fsf@nanos.tec.linutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/timer.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1304,8 +1304,10 @@ static inline void timer_base_unlock_exp
static void timer_sync_wait_running(struct timer_base *base)
{
if (atomic_read(&base->timer_waiters)) {
+ raw_spin_unlock_irq(&base->lock);
spin_unlock(&base->expiry_lock);
spin_lock(&base->expiry_lock);
+ raw_spin_lock_irq(&base->lock);
}
}
@@ -1490,14 +1492,14 @@ static void expire_timers(struct timer_b
if (timer->flags & TIMER_IRQSAFE) {
raw_spin_unlock(&base->lock);
call_timer_fn(timer, fn, baseclk);
- base->running_timer = NULL;
raw_spin_lock(&base->lock);
+ base->running_timer = NULL;
} else {
raw_spin_unlock_irq(&base->lock);
call_timer_fn(timer, fn, baseclk);
+ raw_spin_lock_irq(&base->lock);
base->running_timer = NULL;
timer_sync_wait_running(base);
- raw_spin_lock_irq(&base->lock);
}
}
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 109/175] drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 108/175] timers: Move clearing of base::timer_running under base:: Lock Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 110/175] scsi: lpfc: Correct size for wqe for memset() Greg Kroah-Hartman
` (71 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable, dri-devel
Cc: Greg Kroah-Hartman, patches, Christoph Niedermaier, Marek Vasut,
Boris Brezillon, Philipp Zabel, David Airlie, Daniel Vetter,
Shawn Guo, Sascha Hauer, Pengutronix Kernel Team, Fabio Estevam,
NXP Linux Team, linux-arm-kernel, Max Krummenacher,
Maarten Lankhorst
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Niedermaier <cniedermaier@dh-electronics.com>
commit 6061806a863e8b65b109eb06a280041cc7525442 upstream.
If display timings were read from the devicetree using
of_get_display_timing() and pixelclk-active is defined
there, the flag DISPLAY_FLAGS_SYNC_POSEDGE/NEGEDGE is
automatically generated. Through the function
drm_bus_flags_from_videomode() e.g. called in the
panel-simple driver this flag got into the bus flags,
but then in imx_pd_bridge_atomic_check() the bus flag
check failed and will not initialize the display. The
original commit fe141cedc433 does not explain why this
check was introduced. So remove the bus flags check,
because it stops the initialization of the display with
valid bus flags.
Fixes: fe141cedc433 ("drm/imx: pd: Use bus format/flags provided by the bridge when available")
Signed-off-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Boris Brezillon <boris.brezillon@collabora.com>
Cc: Philipp Zabel <p.zabel@pengutronix.de>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: NXP Linux Team <linux-imx@nxp.com>
Cc: linux-arm-kernel@lists.infradead.org
To: dri-devel@lists.freedesktop.org
Tested-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Marek Vasut <marex@denx.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220201113643.4638-1-cniedermaier@dh-electronics.com
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/imx/parallel-display.c | 8 --------
1 file changed, 8 deletions(-)
--- a/drivers/gpu/drm/imx/parallel-display.c
+++ b/drivers/gpu/drm/imx/parallel-display.c
@@ -235,14 +235,6 @@ static int imx_pd_bridge_atomic_check(st
if (!imx_pd_format_supported(bus_fmt))
return -EINVAL;
- if (bus_flags &
- ~(DRM_BUS_FLAG_DE_LOW | DRM_BUS_FLAG_DE_HIGH |
- DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE |
- DRM_BUS_FLAG_PIXDATA_DRIVE_NEGEDGE)) {
- dev_warn(imxpd->dev, "invalid bus_flags (%x)\n", bus_flags);
- return -EINVAL;
- }
-
bridge_state->output_bus_cfg.flags = bus_flags;
bridge_state->input_bus_cfg.flags = bus_flags;
imx_crtc_state->bus_flags = bus_flags;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 110/175] scsi: lpfc: Correct size for wqe for memset()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 109/175] drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 111/175] USB: core: Fix deadlock in usb_deauthorize_interface() Greg Kroah-Hartman
` (70 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Usama Anjum,
AngeloGioacchino Del Regno, Justin Tee, Martin K. Petersen
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muhammad Usama Anjum <usama.anjum@collabora.com>
commit 28d41991182c210ec1654f8af2e140ef4cc73f20 upstream.
The wqe is of type lpfc_wqe128. It should be memset with the same type.
Fixes: 6c621a2229b0 ("scsi: lpfc: Separate NVMET RQ buffer posting from IO resources SGL/iocbq/context")
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/r/20240304090649.833953-1-usama.anjum@collabora.com
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Justin Tee <justintee8345@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/lpfc/lpfc_nvmet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/lpfc/lpfc_nvmet.c
+++ b/drivers/scsi/lpfc/lpfc_nvmet.c
@@ -1308,7 +1308,7 @@ lpfc_nvmet_setup_io_context(struct lpfc_
wqe = &nvmewqe->wqe;
/* Initialize WQE */
- memset(wqe, 0, sizeof(union lpfc_wqe));
+ memset(wqe, 0, sizeof(*wqe));
ctx_buf->iocbq->context1 = NULL;
spin_lock(&phba->sli4_hba.sgl_list_lock);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 111/175] USB: core: Fix deadlock in usb_deauthorize_interface()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 110/175] scsi: lpfc: Correct size for wqe for memset() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 112/175] nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet Greg Kroah-Hartman
` (69 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 80ba43e9f799cbdd83842fc27db667289b3150f5 upstream.
Among the attribute file callback routines in
drivers/usb/core/sysfs.c, the interface_authorized_store() function is
the only one which acquires a device lock on an ancestor device: It
calls usb_deauthorize_interface(), which locks the interface's parent
USB device.
The will lead to deadlock if another process already owns that lock
and tries to remove the interface, whether through a configuration
change or because the device has been disconnected. As part of the
removal procedure, device_del() waits for all ongoing sysfs attribute
callbacks to complete. But usb_deauthorize_interface() can't complete
until the device lock has been released, and the lock won't be
released until the removal has finished.
The mechanism provided by sysfs to prevent this kind of deadlock is
to use the sysfs_break_active_protection() function, which tells sysfs
not to wait for the attribute callback.
Reported-and-tested by: Yue Sun <samsun1006219@gmail.com>
Reported by: xingwei lee <xrivendell7@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/linux-usb/CAEkJfYO6jRVC8Tfrd_R=cjO0hguhrV31fDPrLrNOOHocDkPoAA@mail.gmail.com/#r
Fixes: 310d2b4124c0 ("usb: interface authorization: SysFS part of USB interface authorization")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1c37eea1-9f56-4534-b9d8-b443438dc869@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/sysfs.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
--- a/drivers/usb/core/sysfs.c
+++ b/drivers/usb/core/sysfs.c
@@ -1069,14 +1069,24 @@ static ssize_t interface_authorized_stor
{
struct usb_interface *intf = to_usb_interface(dev);
bool val;
+ struct kernfs_node *kn;
if (strtobool(buf, &val) != 0)
return -EINVAL;
- if (val)
+ if (val) {
usb_authorize_interface(intf);
- else
- usb_deauthorize_interface(intf);
+ } else {
+ /*
+ * Prevent deadlock if another process is concurrently
+ * trying to unregister intf.
+ */
+ kn = sysfs_break_active_protection(&dev->kobj, &attr->attr);
+ if (kn) {
+ usb_deauthorize_interface(intf);
+ sysfs_unbreak_active_protection(kn);
+ }
+ }
return count;
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 112/175] nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 111/175] USB: core: Fix deadlock in usb_deauthorize_interface() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 113/175] mptcp: add sk_stop_timer_sync helper Greg Kroah-Hartman
` (68 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryosuke Yasuoka, Jeremy Cline,
Krzysztof Kozlowski, David S. Miller, Sasha Levin,
syzbot+7ea9413ea6749baf5574, syzbot+29b5ca705d2e0f4a44d2
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryosuke Yasuoka <ryasuoka@redhat.com>
[ Upstream commit d24b03535e5eb82e025219c2f632b485409c898f ]
syzbot reported the following uninit-value access issue [1][2]:
nci_rx_work() parses and processes received packet. When the payload
length is zero, each message type handler reads uninitialized payload
and KMSAN detects this issue. The receipt of a packet with a zero-size
payload is considered unexpected, and therefore, such packets should be
silently discarded.
This patch resolved this issue by checking payload size before calling
each message type handler codes.
Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Reported-and-tested-by: syzbot+7ea9413ea6749baf5574@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+29b5ca705d2e0f4a44d2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7ea9413ea6749baf5574 [1]
Closes: https://syzkaller.appspot.com/bug?extid=29b5ca705d2e0f4a44d2 [2]
Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Reviewed-by: Jeremy Cline <jeremy@jcline.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 2e885b7a02a15..1f863ccf21211 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -1511,6 +1511,11 @@ static void nci_rx_work(struct work_struct *work)
nfc_send_to_raw_sock(ndev->nfc_dev, skb,
RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);
+ if (!nci_plen(skb->data)) {
+ kfree_skb(skb);
+ break;
+ }
+
/* Process frame */
switch (nci_mt(skb->data)) {
case NCI_MT_RSP_PKT:
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 113/175] mptcp: add sk_stop_timer_sync helper
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 112/175] nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 114/175] tcp: properly terminate timers for kernel sockets Greg Kroah-Hartman
` (67 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Geliang Tang,
Mat Martineau, David S. Miller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geliang Tang <geliangtang@gmail.com>
[ Upstream commit 08b81d873126b413cda511b1ea1cbb0e99938bbd ]
This patch added a new helper sk_stop_timer_sync, it deactivates a timer
like sk_stop_timer, but waits for the handler to finish.
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Geliang Tang <geliangtang@gmail.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 151c9c724d05 ("tcp: properly terminate timers for kernel sockets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 2 ++
net/core/sock.c | 7 +++++++
2 files changed, 9 insertions(+)
diff --git a/include/net/sock.h b/include/net/sock.h
index 81888513b3b93..8eea17a41c1ca 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2194,6 +2194,8 @@ void sk_reset_timer(struct sock *sk, struct timer_list *timer,
void sk_stop_timer(struct sock *sk, struct timer_list *timer);
+void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer);
+
int __sk_queue_drop_skb(struct sock *sk, struct sk_buff_head *sk_queue,
struct sk_buff *skb, unsigned int flags,
void (*destructor)(struct sock *sk,
diff --git a/net/core/sock.c b/net/core/sock.c
index 62d169bcfcfa1..eaa6f1ca414d0 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2804,6 +2804,13 @@ void sk_stop_timer(struct sock *sk, struct timer_list* timer)
}
EXPORT_SYMBOL(sk_stop_timer);
+void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer)
+{
+ if (del_timer_sync(timer))
+ __sock_put(sk);
+}
+EXPORT_SYMBOL(sk_stop_timer_sync);
+
void sock_init_data(struct socket *sock, struct sock *sk)
{
sk_init_common(sk);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 114/175] tcp: properly terminate timers for kernel sockets
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 113/175] mptcp: add sk_stop_timer_sync helper Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 115/175] r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d Greg Kroah-Hartman
` (66 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Eric Dumazet,
Tetsuo Handa, Jakub Kicinski, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada ]
We had various syzbot reports about tcp timers firing after
the corresponding netns has been dismantled.
Fortunately Josef Bacik could trigger the issue more often,
and could test a patch I wrote two years ago.
When TCP sockets are closed, we call inet_csk_clear_xmit_timers()
to 'stop' the timers.
inet_csk_clear_xmit_timers() can be called from any context,
including when socket lock is held.
This is the reason it uses sk_stop_timer(), aka del_timer().
This means that ongoing timers might finish much later.
For user sockets, this is fine because each running timer
holds a reference on the socket, and the user socket holds
a reference on the netns.
For kernel sockets, we risk that the netns is freed before
timer can complete, because kernel sockets do not hold
reference on the netns.
This patch adds inet_csk_clear_xmit_timers_sync() function
that using sk_stop_timer_sync() to make sure all timers
are terminated before the kernel socket is released.
Modules using kernel sockets close them in their netns exit()
handler.
Also add sock_not_owned_by_me() helper to get LOCKDEP
support : inet_csk_clear_xmit_timers_sync() must not be called
while socket lock is held.
It is very possible we can revert in the future commit
3a58f13a881e ("net: rds: acquire refcount on TCP sockets")
which attempted to solve the issue in rds only.
(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)
We probably can remove the check_net() tests from
tcp_out_of_resources() and __tcp_close() in the future.
Reported-by: Josef Bacik <josef@toxicpanda.com>
Closes: https://lore.kernel.org/netdev/20240314210740.GA2823176@perftesting/
Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
Fixes: 8a68173691f0 ("net: sk_clone_lock() should only do get_net() if the parent is not a kernel socket")
Link: https://lore.kernel.org/bpf/CANn89i+484ffqb93aQm1N-tjxxvb3WDKX0EbD7318RwRgsatjw@mail.gmail.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Josef Bacik <josef@toxicpanda.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/r/20240322135732.1535772-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/inet_connection_sock.h | 1 +
include/net/sock.h | 7 +++++++
net/ipv4/inet_connection_sock.c | 14 ++++++++++++++
net/ipv4/tcp.c | 2 ++
4 files changed, 24 insertions(+)
diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
index da8a582ab032e..6141fe1932c8f 100644
--- a/include/net/inet_connection_sock.h
+++ b/include/net/inet_connection_sock.h
@@ -177,6 +177,7 @@ void inet_csk_init_xmit_timers(struct sock *sk,
void (*delack_handler)(struct timer_list *),
void (*keepalive_handler)(struct timer_list *));
void inet_csk_clear_xmit_timers(struct sock *sk);
+void inet_csk_clear_xmit_timers_sync(struct sock *sk);
static inline void inet_csk_schedule_ack(struct sock *sk)
{
diff --git a/include/net/sock.h b/include/net/sock.h
index 8eea17a41c1ca..b5a929a4bc74d 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1589,6 +1589,13 @@ static inline void sock_owned_by_me(const struct sock *sk)
#endif
}
+static inline void sock_not_owned_by_me(const struct sock *sk)
+{
+#ifdef CONFIG_LOCKDEP
+ WARN_ON_ONCE(lockdep_sock_is_held(sk) && debug_locks);
+#endif
+}
+
static inline bool sock_owned_by_user(const struct sock *sk)
{
sock_owned_by_me(sk);
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 7392a744c677e..17a900c85aa66 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -557,6 +557,20 @@ void inet_csk_clear_xmit_timers(struct sock *sk)
}
EXPORT_SYMBOL(inet_csk_clear_xmit_timers);
+void inet_csk_clear_xmit_timers_sync(struct sock *sk)
+{
+ struct inet_connection_sock *icsk = inet_csk(sk);
+
+ /* ongoing timer handlers need to acquire socket lock. */
+ sock_not_owned_by_me(sk);
+
+ icsk->icsk_pending = icsk->icsk_ack.pending = 0;
+
+ sk_stop_timer_sync(sk, &icsk->icsk_retransmit_timer);
+ sk_stop_timer_sync(sk, &icsk->icsk_delack_timer);
+ sk_stop_timer_sync(sk, &sk->sk_timer);
+}
+
void inet_csk_delete_keepalive_timer(struct sock *sk)
{
sk_stop_timer(sk, &sk->sk_timer);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 3df973d22295c..54d6058dcb5cc 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2514,6 +2514,8 @@ void tcp_close(struct sock *sk, long timeout)
lock_sock(sk);
__tcp_close(sk, timeout);
release_sock(sk);
+ if (!sk->sk_net_refcnt)
+ inet_csk_clear_xmit_timers_sync(sk);
sock_put(sk);
}
EXPORT_SYMBOL(tcp_close);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 115/175] r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 114/175] tcp: properly terminate timers for kernel sockets Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 116/175] Bluetooth: hci_event: set the conn encrypted before conn establishes Greg Kroah-Hartman
` (65 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Simon Horman,
Jakub Kicinski
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
commit 5d872c9f46bd2ea3524af3c2420a364a13667135 upstream.
On some boards with this chip version the BIOS is buggy and misses
to reset the PHY page selector. This results in the PHY ID read
accessing registers on a different page, returning a more or
less random value. Fix this by resetting the page selector first.
Fixes: f1e911d5d0df ("r8169: add basic phylib support")
Cc: stable@vger.kernel.org
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/64f2055e-98b8-45ec-8568-665e3d54d4e6@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/realtek/r8169_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -7303,6 +7303,15 @@ static int r8169_mdio_register(struct rt
struct mii_bus *new_bus;
int ret;
+ /* On some boards with this chip version the BIOS is buggy and misses
+ * to reset the PHY page selector. This results in the PHY ID read
+ * accessing registers on a different page, returning a more or
+ * less random value. Fix this by resetting the page selector first.
+ */
+ if (tp->mac_version == RTL_GIGA_MAC_VER_25 ||
+ tp->mac_version == RTL_GIGA_MAC_VER_26)
+ r8169_mdio_write(tp, 0x1f, 0);
+
new_bus = devm_mdiobus_alloc(&pdev->dev);
if (!new_bus)
return -ENOMEM;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 116/175] Bluetooth: hci_event: set the conn encrypted before conn establishes
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 115/175] r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 117/175] Bluetooth: Fix TOCTOU in HCI debugfs implementation Greg Kroah-Hartman
` (64 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Menzel, Luiz Augusto von Dentz,
Hui Wang, Luiz Augusto von Dentz
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hui Wang <hui.wang@canonical.com>
commit c569242cd49287d53b73a94233db40097d838535 upstream.
We have a BT headset (Lenovo Thinkplus XT99), the pairing and
connecting has no problem, once this headset is paired, bluez will
remember this device and will auto re-connect it whenever the device
is powered on. The auto re-connecting works well with Windows and
Android, but with Linux, it always fails. Through debugging, we found
at the rfcomm connection stage, the bluetooth stack reports
"Connection refused - security block (0x0003)".
For this device, the re-connecting negotiation process is different
from other BT headsets, it sends the Link_KEY_REQUEST command before
the CONNECT_REQUEST completes, and it doesn't send ENCRYPT_CHANGE
command during the negotiation. When the device sends the "connect
complete" to hci, the ev->encr_mode is 1.
So here in the conn_complete_evt(), if ev->encr_mode is 1, link type
is ACL and HCI_CONN_ENCRYPT is not set, we set HCI_CONN_ENCRYPT to
this conn, and update conn->enc_key_size accordingly.
After this change, this BT headset could re-connect with Linux
successfully. This is the btmon log after applying the patch, after
receiving the "Connect Complete" with "Encryption: Enabled", will send
the command to read encryption key size:
> HCI Event: Connect Request (0x04) plen 10
Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
Class: 0x240404
Major class: Audio/Video (headset, speaker, stereo, video, vcr)
Minor class: Wearable Headset Device
Rendering (Printing, Speaker)
Audio (Speaker, Microphone, Headset)
Link type: ACL (0x01)
...
> HCI Event: Link Key Request (0x17) plen 6
Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
Link key: ${32-hex-digits-key}
...
> HCI Event: Connect Complete (0x03) plen 11
Status: Success (0x00)
Handle: 256
Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
Link type: ACL (0x01)
Encryption: Enabled (0x01)
< HCI Command: Read Encryption Key... (0x05|0x0008) plen 2
Handle: 256
< ACL Data TX: Handle 256 flags 0x00 dlen 10
L2CAP: Information Request (0x0a) ident 1 len 2
Type: Extended features supported (0x0002)
> HCI Event: Command Complete (0x0e) plen 7
Read Encryption Key Size (0x05|0x0008) ncmd 1
Status: Success (0x00)
Handle: 256
Key size: 16
Cc: stable@vger.kernel.org
Link: https://github.com/bluez/bluez/issues/704
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2453,6 +2453,31 @@ static void hci_conn_complete_evt(struct
if (test_bit(HCI_ENCRYPT, &hdev->flags))
set_bit(HCI_CONN_ENCRYPT, &conn->flags);
+ /* "Link key request" completed ahead of "connect request" completes */
+ if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
+ ev->link_type == ACL_LINK) {
+ struct link_key *key;
+ struct hci_cp_read_enc_key_size cp;
+
+ key = hci_find_link_key(hdev, &ev->bdaddr);
+ if (key) {
+ set_bit(HCI_CONN_ENCRYPT, &conn->flags);
+
+ if (!(hdev->commands[20] & 0x10)) {
+ conn->enc_key_size = HCI_LINK_KEY_SIZE;
+ } else {
+ cp.handle = cpu_to_le16(conn->handle);
+ if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
+ sizeof(cp), &cp)) {
+ bt_dev_err(hdev, "sending read key size failed");
+ conn->enc_key_size = HCI_LINK_KEY_SIZE;
+ }
+ }
+
+ hci_encrypt_cfm(conn, ev->status);
+ }
+ }
+
/* Get remote features */
if (conn->type == ACL_LINK) {
struct hci_cp_read_remote_features cp;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 117/175] Bluetooth: Fix TOCTOU in HCI debugfs implementation
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 116/175] Bluetooth: hci_event: set the conn encrypted before conn establishes Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 118/175] netfilter: nf_tables: disallow timeout for anonymous sets Greg Kroah-Hartman
` (63 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Bastien Nocera,
Luiz Augusto von Dentz
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Nocera <hadess@hadess.net>
commit 7835fcfd132eb88b87e8eb901f88436f63ab60f7 upstream.
struct hci_dev members conn_info_max_age, conn_info_min_age,
le_conn_max_interval, le_conn_min_interval, le_adv_max_interval,
and le_adv_min_interval can be modified from the HCI core code, as well
through debugfs.
The debugfs implementation, that's only available to privileged users,
will check for boundaries, making sure that the minimum value being set
is strictly above the maximum value that already exists, and vice-versa.
However, as both minimum and maximum values can be changed concurrently
to us modifying them, we need to make sure that the value we check is
the value we end up using.
For example, with ->conn_info_max_age set to 10, conn_info_min_age_set()
gets called from vfs handlers to set conn_info_min_age to 8.
In conn_info_min_age_set(), this goes through:
if (val == 0 || val > hdev->conn_info_max_age)
return -EINVAL;
Concurrently, conn_info_max_age_set() gets called to set to set the
conn_info_max_age to 7:
if (val == 0 || val > hdev->conn_info_max_age)
return -EINVAL;
That check will also pass because we used the old value (10) for
conn_info_max_age.
After those checks that both passed, the struct hci_dev access
is mutex-locked, disabling concurrent access, but that does not matter
because the invalid value checks both passed, and we'll end up with
conn_info_min_age = 8 and conn_info_max_age = 7
To fix this problem, we need to lock the structure access before so the
check and assignment are not interrupted.
This fix was originally devised by the BassCheck[1] team, and
considered the problem to be an atomicity one. This isn't the case as
there aren't any concerns about the variable changing while we check it,
but rather after we check it parallel to another change.
This patch fixes CVE-2024-24858 and CVE-2024-24857.
[1] https://sites.google.com/view/basscheck/
Co-developed-by: Gui-Dong Han <2045gemini@gmail.com>
Signed-off-by: Gui-Dong Han <2045gemini@gmail.com>
Link: https://lore.kernel.org/linux-bluetooth/20231222161317.6255-1-2045gemini@gmail.com/
Link: https://nvd.nist.gov/vuln/detail/CVE-2024-24858
Link: https://lore.kernel.org/linux-bluetooth/20231222162931.6553-1-2045gemini@gmail.com/
Link: https://lore.kernel.org/linux-bluetooth/20231222162310.6461-1-2045gemini@gmail.com/
Link: https://nvd.nist.gov/vuln/detail/CVE-2024-24857
Fixes: 31ad169148df ("Bluetooth: Add conn info lifetime parameters to debugfs")
Fixes: 729a1051da6f ("Bluetooth: Expose default LE advertising interval via debugfs")
Fixes: 71c3b60ec6d2 ("Bluetooth: Move BR/EDR debugfs file creation into hci_debugfs.c")
Signed-off-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_debugfs.c | 48 +++++++++++++++++++++++++++++---------------
1 file changed, 32 insertions(+), 16 deletions(-)
--- a/net/bluetooth/hci_debugfs.c
+++ b/net/bluetooth/hci_debugfs.c
@@ -200,10 +200,12 @@ static int conn_info_min_age_set(void *d
{
struct hci_dev *hdev = data;
- if (val == 0 || val > hdev->conn_info_max_age)
+ hci_dev_lock(hdev);
+ if (val == 0 || val > hdev->conn_info_max_age) {
+ hci_dev_unlock(hdev);
return -EINVAL;
+ }
- hci_dev_lock(hdev);
hdev->conn_info_min_age = val;
hci_dev_unlock(hdev);
@@ -228,10 +230,12 @@ static int conn_info_max_age_set(void *d
{
struct hci_dev *hdev = data;
- if (val == 0 || val < hdev->conn_info_min_age)
+ hci_dev_lock(hdev);
+ if (val == 0 || val < hdev->conn_info_min_age) {
+ hci_dev_unlock(hdev);
return -EINVAL;
+ }
- hci_dev_lock(hdev);
hdev->conn_info_max_age = val;
hci_dev_unlock(hdev);
@@ -479,10 +483,12 @@ static int sniff_min_interval_set(void *
{
struct hci_dev *hdev = data;
- if (val == 0 || val % 2 || val > hdev->sniff_max_interval)
+ hci_dev_lock(hdev);
+ if (val == 0 || val % 2 || val > hdev->sniff_max_interval) {
+ hci_dev_unlock(hdev);
return -EINVAL;
+ }
- hci_dev_lock(hdev);
hdev->sniff_min_interval = val;
hci_dev_unlock(hdev);
@@ -507,10 +513,12 @@ static int sniff_max_interval_set(void *
{
struct hci_dev *hdev = data;
- if (val == 0 || val % 2 || val < hdev->sniff_min_interval)
+ hci_dev_lock(hdev);
+ if (val == 0 || val % 2 || val < hdev->sniff_min_interval) {
+ hci_dev_unlock(hdev);
return -EINVAL;
+ }
- hci_dev_lock(hdev);
hdev->sniff_max_interval = val;
hci_dev_unlock(hdev);
@@ -749,10 +757,12 @@ static int conn_min_interval_set(void *d
{
struct hci_dev *hdev = data;
- if (val < 0x0006 || val > 0x0c80 || val > hdev->le_conn_max_interval)
+ hci_dev_lock(hdev);
+ if (val < 0x0006 || val > 0x0c80 || val > hdev->le_conn_max_interval) {
+ hci_dev_unlock(hdev);
return -EINVAL;
+ }
- hci_dev_lock(hdev);
hdev->le_conn_min_interval = val;
hci_dev_unlock(hdev);
@@ -777,10 +787,12 @@ static int conn_max_interval_set(void *d
{
struct hci_dev *hdev = data;
- if (val < 0x0006 || val > 0x0c80 || val < hdev->le_conn_min_interval)
+ hci_dev_lock(hdev);
+ if (val < 0x0006 || val > 0x0c80 || val < hdev->le_conn_min_interval) {
+ hci_dev_unlock(hdev);
return -EINVAL;
+ }
- hci_dev_lock(hdev);
hdev->le_conn_max_interval = val;
hci_dev_unlock(hdev);
@@ -889,10 +901,12 @@ static int adv_min_interval_set(void *da
{
struct hci_dev *hdev = data;
- if (val < 0x0020 || val > 0x4000 || val > hdev->le_adv_max_interval)
+ hci_dev_lock(hdev);
+ if (val < 0x0020 || val > 0x4000 || val > hdev->le_adv_max_interval) {
+ hci_dev_unlock(hdev);
return -EINVAL;
+ }
- hci_dev_lock(hdev);
hdev->le_adv_min_interval = val;
hci_dev_unlock(hdev);
@@ -917,10 +931,12 @@ static int adv_max_interval_set(void *da
{
struct hci_dev *hdev = data;
- if (val < 0x0020 || val > 0x4000 || val < hdev->le_adv_min_interval)
+ hci_dev_lock(hdev);
+ if (val < 0x0020 || val > 0x4000 || val < hdev->le_adv_min_interval) {
+ hci_dev_unlock(hdev);
return -EINVAL;
+ }
- hci_dev_lock(hdev);
hdev->le_adv_max_interval = val;
hci_dev_unlock(hdev);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 118/175] netfilter: nf_tables: disallow timeout for anonymous sets
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 117/175] Bluetooth: Fix TOCTOU in HCI debugfs implementation Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 119/175] net/rds: fix possible cp null dereference Greg Kroah-Hartman
` (62 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Keerthana K
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit e26d3009efda338f19016df4175f354a9bd0a4ab upstream.
Never used from userspace, disallow these parameters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[Keerthana: code surrounding the patch is different
because nft_set_desc is not present in v4.19-v5.10]
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3607,6 +3607,9 @@ static int nf_tables_newset(struct net *
if (!(flags & NFT_SET_TIMEOUT))
return -EINVAL;
+ if (flags & NFT_SET_ANONYMOUS)
+ return -EOPNOTSUPP;
+
err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
if (err)
return err;
@@ -3615,6 +3618,10 @@ static int nf_tables_newset(struct net *
if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
if (!(flags & NFT_SET_TIMEOUT))
return -EINVAL;
+
+ if (flags & NFT_SET_ANONYMOUS)
+ return -EOPNOTSUPP;
+
gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 119/175] net/rds: fix possible cp null dereference
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 118/175] netfilter: nf_tables: disallow timeout for anonymous sets Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 120/175] Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped." Greg Kroah-Hartman
` (61 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mahmoud Adam, Simon Horman, Jakub Kicinski
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mahmoud Adam <mngyadam@amazon.com>
commit 62fc3357e079a07a22465b9b6ef71bb6ea75ee4b upstream.
cp might be null, calling cp->cp_conn would produce null dereference
[Simon Horman adds:]
Analysis:
* cp is a parameter of __rds_rdma_map and is not reassigned.
* The following call-sites pass a NULL cp argument to __rds_rdma_map()
- rds_get_mr()
- rds_get_mr_for_dest
* Prior to the code above, the following assumes that cp may be NULL
(which is indicative, but could itself be unnecessary)
trans_private = rs->rs_transport->get_mr(
sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,
args->vec.addr, args->vec.bytes,
need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);
* The code modified by this patch is guarded by IS_ERR(trans_private),
where trans_private is assigned as per the previous point in this analysis.
The only implementation of get_mr that I could locate is rds_ib_get_mr()
which can return an ERR_PTR if the conn (4th) argument is NULL.
* ret is set to PTR_ERR(trans_private).
rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.
Thus ret may be -ENODEV in which case the code in question will execute.
Conclusion:
* cp may be NULL at the point where this patch adds a check;
this patch does seem to address a possible bug
Fixes: c055fc00c07b ("net/rds: fix WARNING in rds_conn_connect_if_down")
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240326153132.55580-1-mngyadam@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rds/rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -279,7 +279,7 @@ static int __rds_rdma_map(struct rds_soc
kfree(sg);
ret = PTR_ERR(trans_private);
/* Trigger connection so that its ready for the next retry */
- if (ret == -ENODEV)
+ if (ret == -ENODEV && cp)
rds_conn_connect_if_down(cp->cp_conn);
goto out;
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 120/175] Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped."
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 119/175] net/rds: fix possible cp null dereference Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 121/175] mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations Greg Kroah-Hartman
` (60 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Russ Anderson,
Steve Wahl, Dave Hansen
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ingo Molnar <mingo@kernel.org>
commit c567f2948f57bdc03ed03403ae0234085f376b7d upstream.
This reverts commit d794734c9bbfe22f86686dc2909c25f5ffe1a572.
While the original change tries to fix a bug, it also unintentionally broke
existing systems, see the regressions reported at:
https://lore.kernel.org/all/3a1b9909-45ac-4f97-ad68-d16ef1ce99db@pavinjoseph.com/
Since d794734c9bbf was also marked for -stable, let's back it out before
causing more damage.
Note that due to another upstream change the revert was not 100% automatic:
0a845e0f6348 mm/treewide: replace pud_large() with pud_leaf()
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: <stable@vger.kernel.org>
Cc: Russ Anderson <rja@hpe.com>
Cc: Steve Wahl <steve.wahl@hpe.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lore.kernel.org/all/3a1b9909-45ac-4f97-ad68-d16ef1ce99db@pavinjoseph.com/
Fixes: d794734c9bbf ("x86/mm/ident_map: Use gbpages only where full GB page should be mapped.")
Signed-off-by: Steve Wahl <steve.wahl@hpe.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/ident_map.c | 23 +++++------------------
1 file changed, 5 insertions(+), 18 deletions(-)
--- a/arch/x86/mm/ident_map.c
+++ b/arch/x86/mm/ident_map.c
@@ -26,31 +26,18 @@ static int ident_pud_init(struct x86_map
for (; addr < end; addr = next) {
pud_t *pud = pud_page + pud_index(addr);
pmd_t *pmd;
- bool use_gbpage;
next = (addr & PUD_MASK) + PUD_SIZE;
if (next > end)
next = end;
- /* if this is already a gbpage, this portion is already mapped */
- if (pud_large(*pud))
- continue;
-
- /* Is using a gbpage allowed? */
- use_gbpage = info->direct_gbpages;
-
- /* Don't use gbpage if it maps more than the requested region. */
- /* at the begining: */
- use_gbpage &= ((addr & ~PUD_MASK) == 0);
- /* ... or at the end: */
- use_gbpage &= ((next & ~PUD_MASK) == 0);
-
- /* Never overwrite existing mappings */
- use_gbpage &= !pud_present(*pud);
-
- if (use_gbpage) {
+ if (info->direct_gbpages) {
pud_t pudval;
+ if (pud_present(*pud))
+ continue;
+
+ addr &= PUD_MASK;
pudval = __pud((addr - info->offset) | info->page_flag);
set_pud(pud, pudval);
continue;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 121/175] mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 120/175] Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped." Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 122/175] netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() Greg Kroah-Hartman
` (59 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vlastimil Babka, Sven van Ashbrook,
Karthikeyan Ramasubramanian, Brian Geffon, Curtis Malainey,
Jaroslav Kysela, Mel Gorman, Michal Hocko, Takashi Iwai,
Andrew Morton
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlastimil Babka <vbabka@suse.cz>
commit 803de9000f334b771afacb6ff3e78622916668b0 upstream.
Sven reports an infinite loop in __alloc_pages_slowpath() for costly order
__GFP_RETRY_MAYFAIL allocations that are also GFP_NOIO. Such combination
can happen in a suspend/resume context where a GFP_KERNEL allocation can
have __GFP_IO masked out via gfp_allowed_mask.
Quoting Sven:
1. try to do a "costly" allocation (order > PAGE_ALLOC_COSTLY_ORDER)
with __GFP_RETRY_MAYFAIL set.
2. page alloc's __alloc_pages_slowpath tries to get a page from the
freelist. This fails because there is nothing free of that costly
order.
3. page alloc tries to reclaim by calling __alloc_pages_direct_reclaim,
which bails out because a zone is ready to be compacted; it pretends
to have made a single page of progress.
4. page alloc tries to compact, but this always bails out early because
__GFP_IO is not set (it's not passed by the snd allocator, and even
if it were, we are suspending so the __GFP_IO flag would be cleared
anyway).
5. page alloc believes reclaim progress was made (because of the
pretense in item 3) and so it checks whether it should retry
compaction. The compaction retry logic thinks it should try again,
because:
a) reclaim is needed because of the early bail-out in item 4
b) a zonelist is suitable for compaction
6. goto 2. indefinite stall.
(end quote)
The immediate root cause is confusing the COMPACT_SKIPPED returned from
__alloc_pages_direct_compact() (step 4) due to lack of __GFP_IO to be
indicating a lack of order-0 pages, and in step 5 evaluating that in
should_compact_retry() as a reason to retry, before incrementing and
limiting the number of retries. There are however other places that
wrongly assume that compaction can happen while we lack __GFP_IO.
To fix this, introduce gfp_compaction_allowed() to abstract the __GFP_IO
evaluation and switch the open-coded test in try_to_compact_pages() to use
it.
Also use the new helper in:
- compaction_ready(), which will make reclaim not bail out in step 3, so
there's at least one attempt to actually reclaim, even if chances are
small for a costly order
- in_reclaim_compaction() which will make should_continue_reclaim()
return false and we don't over-reclaim unnecessarily
- in __alloc_pages_slowpath() to set a local variable can_compact,
which is then used to avoid retrying reclaim/compaction for costly
allocations (step 5) if we can't compact and also to skip the early
compaction attempt that we do in some cases
Link: https://lkml.kernel.org/r/20240221114357.13655-2-vbabka@suse.cz
Fixes: 3250845d0526 ("Revert "mm, oom: prevent premature OOM killer invocation for high order request"")
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sven van Ashbrook <svenva@chromium.org>
Closes: https://lore.kernel.org/all/CAG-rBihs_xMKb3wrMO1%2B-%2Bp4fowP9oy1pa_OTkfxBzPUVOZF%2Bg@mail.gmail.com/
Tested-by: Karthikeyan Ramasubramanian <kramasub@chromium.org>
Cc: Brian Geffon <bgeffon@google.com>
Cc: Curtis Malainey <cujomalainey@chromium.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/gfp.h | 9 +++++++++
mm/compaction.c | 7 +------
mm/page_alloc.c | 10 ++++++----
mm/vmscan.c | 5 ++++-
4 files changed, 20 insertions(+), 11 deletions(-)
--- a/include/linux/gfp.h
+++ b/include/linux/gfp.h
@@ -608,6 +608,15 @@ static inline bool pm_suspended_storage(
}
#endif /* CONFIG_PM_SLEEP */
+/*
+ * Check if the gfp flags allow compaction - GFP_NOIO is a really
+ * tricky context because the migration might require IO.
+ */
+static inline bool gfp_compaction_allowed(gfp_t gfp_mask)
+{
+ return IS_ENABLED(CONFIG_COMPACTION) && (gfp_mask & __GFP_IO);
+}
+
#if (defined(CONFIG_MEMORY_ISOLATION) && defined(CONFIG_COMPACTION)) || defined(CONFIG_CMA)
/* The below functions must be run on a range from a single zone. */
extern int alloc_contig_range(unsigned long start, unsigned long end,
--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -1751,16 +1751,11 @@ enum compact_result try_to_compact_pages
unsigned int alloc_flags, const struct alloc_context *ac,
enum compact_priority prio)
{
- int may_perform_io = gfp_mask & __GFP_IO;
struct zoneref *z;
struct zone *zone;
enum compact_result rc = COMPACT_SKIPPED;
- /*
- * Check if the GFP flags allow compaction - GFP_NOIO is really
- * tricky context because the migration might require IO
- */
- if (!may_perform_io)
+ if (!gfp_compaction_allowed(gfp_mask))
return COMPACT_SKIPPED;
trace_mm_compaction_try_to_compact_pages(order, gfp_mask, prio);
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -4099,6 +4099,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, u
struct alloc_context *ac)
{
bool can_direct_reclaim = gfp_mask & __GFP_DIRECT_RECLAIM;
+ bool can_compact = gfp_compaction_allowed(gfp_mask);
const bool costly_order = order > PAGE_ALLOC_COSTLY_ORDER;
struct page *page = NULL;
unsigned int alloc_flags;
@@ -4164,7 +4165,7 @@ restart:
* Don't try this for allocations that are allowed to ignore
* watermarks, as the ALLOC_NO_WATERMARKS attempt didn't yet happen.
*/
- if (can_direct_reclaim &&
+ if (can_direct_reclaim && can_compact &&
(costly_order ||
(order > 0 && ac->migratetype != MIGRATE_MOVABLE))
&& !gfp_pfmemalloc_allowed(gfp_mask)) {
@@ -4251,9 +4252,10 @@ retry:
/*
* Do not retry costly high order allocations unless they are
- * __GFP_RETRY_MAYFAIL
+ * __GFP_RETRY_MAYFAIL and we can compact
*/
- if (costly_order && !(gfp_mask & __GFP_RETRY_MAYFAIL))
+ if (costly_order && (!can_compact ||
+ !(gfp_mask & __GFP_RETRY_MAYFAIL)))
goto nopage;
if (should_reclaim_retry(gfp_mask, order, ac, alloc_flags,
@@ -4266,7 +4268,7 @@ retry:
* implementation of the compaction depends on the sufficient amount
* of free memory (see __compaction_suitable)
*/
- if (did_some_progress > 0 &&
+ if (did_some_progress > 0 && can_compact &&
should_compact_retry(ac, order, alloc_flags,
compact_result, &compact_priority,
&compaction_retries))
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -2595,7 +2595,7 @@ static void shrink_node_memcg(struct pgl
/* Use reclaim/compaction for costly allocs or under memory pressure */
static bool in_reclaim_compaction(struct scan_control *sc)
{
- if (IS_ENABLED(CONFIG_COMPACTION) && sc->order &&
+ if (gfp_compaction_allowed(sc->gfp_mask) && sc->order &&
(sc->order > PAGE_ALLOC_COSTLY_ORDER ||
sc->priority < DEF_PRIORITY - 2))
return true;
@@ -2869,6 +2869,9 @@ static inline bool compaction_ready(stru
unsigned long watermark;
enum compact_result suitable;
+ if (!gfp_compaction_allowed(sc->gfp_mask))
+ return false;
+
suitable = compaction_suitable(zone, sc->order, 0, sc->reclaim_idx);
if (suitable == COMPACT_SUCCESS)
/* Allocation should succeed already. Don't reclaim. */
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 122/175] netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 121/175] mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 123/175] net/sched: act_skbmod: prevent kernel-infoleak Greg Kroah-Hartman
` (58 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyang Xuan, Pablo Neira Ayuso
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyang Xuan <william.xuanziyang@huawei.com>
commit 24225011d81b471acc0e1e315b7d9905459a6304 upstream.
nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can
concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().
And thhere is not any protection when iterate over nf_tables_flowtables
list in __nft_flowtable_type_get(). Therefore, there is pertential
data-race of nf_tables_flowtables list entry.
Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list
in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller
nft_flowtable_type_get() to protect the entire type query process.
Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5721,11 +5721,12 @@ static int nf_tables_flowtable_parse_hoo
return err;
}
+/* call under rcu_read_lock */
static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
{
const struct nf_flowtable_type *type;
- list_for_each_entry(type, &nf_tables_flowtables, list) {
+ list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
if (family == type->family)
return type;
}
@@ -5737,9 +5738,13 @@ nft_flowtable_type_get(struct net *net,
{
const struct nf_flowtable_type *type;
+ rcu_read_lock();
type = __nft_flowtable_type_get(family);
- if (type != NULL && try_module_get(type->owner))
+ if (type != NULL && try_module_get(type->owner)) {
+ rcu_read_unlock();
return type;
+ }
+ rcu_read_unlock();
lockdep_nfnl_nft_mutex_not_held();
#ifdef CONFIG_MODULES
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 123/175] net/sched: act_skbmod: prevent kernel-infoleak
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 122/175] netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 124/175] net: stmmac: fix rx queue priority assignment Greg Kroah-Hartman
` (57 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit d313eb8b77557a6d5855f42d2234bd592c7b50dd upstream.
syzbot found that tcf_skbmod_dump() was copying four bytes
from kernel stack to user space [1].
The issue here is that 'struct tc_skbmod' has a four bytes hole.
We need to clear the structure before filling fields.
[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
copy_to_iter include/linux/uio.h:196 [inline]
simple_copy_to_iter net/core/datagram.c:532 [inline]
__skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]
netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x2c4/0x340 net/socket.c:1068
__sys_recvfrom+0x35a/0x5f0 net/socket.c:2242
__do_sys_recvfrom net/socket.c:2260 [inline]
__se_sys_recvfrom net/socket.c:2256 [inline]
__x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was stored to memory at:
pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253
netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351
nlmsg_unicast include/net/netlink.h:1144 [inline]
nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610
rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741
rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]
tcf_add_notify net/sched/act_api.c:2048 [inline]
tcf_action_add net/sched/act_api.c:2071 [inline]
tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119
rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
____sys_sendmsg+0x877/0xb60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was stored to memory at:
__nla_put lib/nlattr.c:1041 [inline]
nla_put+0x1c6/0x230 lib/nlattr.c:1099
tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256
tcf_action_dump_old net/sched/act_api.c:1191 [inline]
tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251
tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628
tcf_add_notify_msg net/sched/act_api.c:2023 [inline]
tcf_add_notify net/sched/act_api.c:2042 [inline]
tcf_action_add net/sched/act_api.c:2071 [inline]
tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119
rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
____sys_sendmsg+0x877/0xb60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Local variable opt created at:
tcf_skbmod_dump+0x9d/0xc20 net/sched/act_skbmod.c:244
tcf_action_dump_old net/sched/act_api.c:1191 [inline]
tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
Bytes 188-191 of 248 are uninitialized
Memory access of size 248 starts at ffff888117697680
Data copied to user address 00007ffe56d855f0
Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20240403130908.93421-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/act_skbmod.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -210,13 +210,13 @@ static int tcf_skbmod_dump(struct sk_buf
struct tcf_skbmod *d = to_skbmod(a);
unsigned char *b = skb_tail_pointer(skb);
struct tcf_skbmod_params *p;
- struct tc_skbmod opt = {
- .index = d->tcf_index,
- .refcnt = refcount_read(&d->tcf_refcnt) - ref,
- .bindcnt = atomic_read(&d->tcf_bindcnt) - bind,
- };
+ struct tc_skbmod opt;
struct tcf_t t;
+ memset(&opt, 0, sizeof(opt));
+ opt.index = d->tcf_index;
+ opt.refcnt = refcount_read(&d->tcf_refcnt) - ref,
+ opt.bindcnt = atomic_read(&d->tcf_bindcnt) - bind;
spin_lock_bh(&d->tcf_lock);
opt.action = d->tcf_action;
p = rcu_dereference_protected(d->skbmod_p,
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 124/175] net: stmmac: fix rx queue priority assignment
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 123/175] net/sched: act_skbmod: prevent kernel-infoleak Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 125/175] selftests: reuseaddr_conflict: add missing new line at the end of the output Greg Kroah-Hartman
` (56 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Piotr Wejman, Jakub Kicinski
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piotr Wejman <piotrwejman90@gmail.com>
commit b3da86d432b7cd65b025a11f68613e333d2483db upstream.
The driver should ensure that same priority is not mapped to multiple
rx queues. From DesignWare Cores Ethernet Quality-of-Service
Databook, section 17.1.29 MAC_RxQ_Ctrl2:
"[...]The software must ensure that the content of this field is
mutually exclusive to the PSRQ fields for other queues, that is,
the same priority is not mapped to multiple Rx queues[...]"
Previously rx_queue_priority() function was:
- clearing all priorities from a queue
- adding new priorities to that queue
After this patch it will:
- first assign new priorities to a queue
- then remove those priorities from all other queues
- keep other priorities previously assigned to that queue
Fixes: a8f5102af2a7 ("net: stmmac: TX and RX queue priority configuration")
Fixes: 2142754f8b9c ("net: stmmac: Add MAC related callbacks for XGMAC2")
Signed-off-by: Piotr Wejman <piotrwejman90@gmail.com>
Link: https://lore.kernel.org/r/20240401192239.33942-1-piotrwejman90@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 40 +++++++++++++++-----
drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 38 +++++++++++++++----
2 files changed, 62 insertions(+), 16 deletions(-)
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
@@ -84,19 +84,41 @@ static void dwmac4_rx_queue_priority(str
u32 prio, u32 queue)
{
void __iomem *ioaddr = hw->pcsr;
- u32 base_register;
- u32 value;
+ u32 clear_mask = 0;
+ u32 ctrl2, ctrl3;
+ int i;
- base_register = (queue < 4) ? GMAC_RXQ_CTRL2 : GMAC_RXQ_CTRL3;
- if (queue >= 4)
- queue -= 4;
+ ctrl2 = readl(ioaddr + GMAC_RXQ_CTRL2);
+ ctrl3 = readl(ioaddr + GMAC_RXQ_CTRL3);
+
+ /* The software must ensure that the same priority
+ * is not mapped to multiple Rx queues
+ */
+ for (i = 0; i < 4; i++)
+ clear_mask |= ((prio << GMAC_RXQCTRL_PSRQX_SHIFT(i)) &
+ GMAC_RXQCTRL_PSRQX_MASK(i));
- value = readl(ioaddr + base_register);
+ ctrl2 &= ~clear_mask;
+ ctrl3 &= ~clear_mask;
- value &= ~GMAC_RXQCTRL_PSRQX_MASK(queue);
- value |= (prio << GMAC_RXQCTRL_PSRQX_SHIFT(queue)) &
+ /* First assign new priorities to a queue, then
+ * clear them from others queues
+ */
+ if (queue < 4) {
+ ctrl2 |= (prio << GMAC_RXQCTRL_PSRQX_SHIFT(queue)) &
GMAC_RXQCTRL_PSRQX_MASK(queue);
- writel(value, ioaddr + base_register);
+
+ writel(ctrl2, ioaddr + GMAC_RXQ_CTRL2);
+ writel(ctrl3, ioaddr + GMAC_RXQ_CTRL3);
+ } else {
+ queue -= 4;
+
+ ctrl3 |= (prio << GMAC_RXQCTRL_PSRQX_SHIFT(queue)) &
+ GMAC_RXQCTRL_PSRQX_MASK(queue);
+
+ writel(ctrl3, ioaddr + GMAC_RXQ_CTRL3);
+ writel(ctrl2, ioaddr + GMAC_RXQ_CTRL2);
+ }
}
static void dwmac4_tx_queue_priority(struct mac_device_info *hw,
--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
@@ -103,17 +103,41 @@ static void dwxgmac2_rx_queue_prio(struc
u32 queue)
{
void __iomem *ioaddr = hw->pcsr;
- u32 value, reg;
+ u32 clear_mask = 0;
+ u32 ctrl2, ctrl3;
+ int i;
- reg = (queue < 4) ? XGMAC_RXQ_CTRL2 : XGMAC_RXQ_CTRL3;
- if (queue >= 4)
+ ctrl2 = readl(ioaddr + XGMAC_RXQ_CTRL2);
+ ctrl3 = readl(ioaddr + XGMAC_RXQ_CTRL3);
+
+ /* The software must ensure that the same priority
+ * is not mapped to multiple Rx queues
+ */
+ for (i = 0; i < 4; i++)
+ clear_mask |= ((prio << XGMAC_PSRQ_SHIFT(i)) &
+ XGMAC_PSRQ(i));
+
+ ctrl2 &= ~clear_mask;
+ ctrl3 &= ~clear_mask;
+
+ /* First assign new priorities to a queue, then
+ * clear them from others queues
+ */
+ if (queue < 4) {
+ ctrl2 |= (prio << XGMAC_PSRQ_SHIFT(queue)) &
+ XGMAC_PSRQ(queue);
+
+ writel(ctrl2, ioaddr + XGMAC_RXQ_CTRL2);
+ writel(ctrl3, ioaddr + XGMAC_RXQ_CTRL3);
+ } else {
queue -= 4;
- value = readl(ioaddr + reg);
- value &= ~XGMAC_PSRQ(queue);
- value |= (prio << XGMAC_PSRQ_SHIFT(queue)) & XGMAC_PSRQ(queue);
+ ctrl3 |= (prio << XGMAC_PSRQ_SHIFT(queue)) &
+ XGMAC_PSRQ(queue);
- writel(value, ioaddr + reg);
+ writel(ctrl3, ioaddr + XGMAC_RXQ_CTRL3);
+ writel(ctrl2, ioaddr + XGMAC_RXQ_CTRL2);
+ }
}
static void dwxgmac2_prog_mtl_rx_algorithms(struct mac_device_info *hw,
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 125/175] selftests: reuseaddr_conflict: add missing new line at the end of the output
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 124/175] net: stmmac: fix rx queue priority assignment Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 126/175] ipv6: Fix infinite recursion in fib6_dump_done() Greg Kroah-Hartman
` (55 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Usama Anjum, Jakub Kicinski
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
commit 31974122cfdeaf56abc18d8ab740d580d9833e90 upstream.
The netdev CI runs in a VM and captures serial, so stdout and
stderr get combined. Because there's a missing new line in
stderr the test ends up corrupting KTAP:
# Successok 1 selftests: net: reuseaddr_conflict
which should have been:
# Success
ok 1 selftests: net: reuseaddr_conflict
Fixes: 422d8dc6fd3a ("selftest: add a reuseaddr test")
Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/r/20240329160559.249476-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/reuseaddr_conflict.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/testing/selftests/net/reuseaddr_conflict.c
+++ b/tools/testing/selftests/net/reuseaddr_conflict.c
@@ -109,6 +109,6 @@ int main(void)
fd1 = open_port(0, 1);
if (fd1 >= 0)
error(1, 0, "Was allowed to create an ipv4 reuseport on an already bound non-reuseport socket with no ipv6");
- fprintf(stderr, "Success");
+ fprintf(stderr, "Success\n");
return 0;
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 126/175] ipv6: Fix infinite recursion in fib6_dump_done().
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 125/175] selftests: reuseaddr_conflict: add missing new line at the end of the output Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 127/175] i40e: fix vf may be used uninitialized in this function warning Greg Kroah-Hartman
` (54 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, Kuniyuki Iwashima,
Eric Dumazet, David Ahern, Jakub Kicinski
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae upstream.
syzkaller reported infinite recursive calls of fib6_dump_done() during
netlink socket destruction. [1]
>From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then
the response was generated. The following recvmmsg() resumed the dump
for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due
to the fault injection. [0]
12:01:34 executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, ... snip ...)
recvmmsg(r0, ... snip ...) (fail_nth: 8)
Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call
of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped
receiving the response halfway through, and finally netlink_sock_destruct()
called nlk_sk(sk)->cb.done().
fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it
is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by
nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling
itself recursively and hitting the stack guard page.
To avoid the issue, let's set the destructor after kzalloc().
[0]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:117)
should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
should_failslab (mm/slub.c:3733)
kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)
inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)
rtnl_dump_all (net/core/rtnetlink.c:4029)
netlink_dump (net/netlink/af_netlink.c:2269)
netlink_recvmsg (net/netlink/af_netlink.c:1988)
____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)
___sys_recvmsg (net/socket.c:2846)
do_recvmmsg (net/socket.c:2943)
__x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)
[1]:
BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)
stack guard page: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)
Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d980000 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3
RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358
RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000
R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68
FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<#DF>
</#DF>
<TASK>
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
...
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
netlink_sock_destruct (net/netlink/af_netlink.c:401)
__sk_destruct (net/core/sock.c:2177 (discriminator 2))
sk_destruct (net/core/sock.c:2224)
__sk_free (net/core/sock.c:2235)
sk_free (net/core/sock.c:2246)
process_one_work (kernel/workqueue.c:3259)
worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
kthread (kernel/kthread.c:388)
ret_from_fork (arch/x86/kernel/process.c:153)
ret_from_fork_asm (arch/x86/entry/entry_64.S:256)
Modules linked in:
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240401211003.25274-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_fib.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -587,19 +587,19 @@ static int inet6_dump_fib(struct sk_buff
if (!w) {
/* New dump:
*
- * 1. hook callback destructor.
- */
- cb->args[3] = (long)cb->done;
- cb->done = fib6_dump_done;
-
- /*
- * 2. allocate and initialize walker.
+ * 1. allocate and initialize walker.
*/
w = kzalloc(sizeof(*w), GFP_ATOMIC);
if (!w)
return -ENOMEM;
w->func = fib6_dump_node;
cb->args[2] = (long)w;
+
+ /* 2. hook callback destructor.
+ */
+ cb->args[3] = (long)cb->done;
+ cb->done = fib6_dump_done;
+
}
arg.skb = skb;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 127/175] i40e: fix vf may be used uninitialized in this function warning
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 126/175] ipv6: Fix infinite recursion in fib6_dump_done() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 128/175] staging: mmal-vchiq: Avoid use of bool in structures Greg Kroah-Hartman
` (53 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov,
Arkadiusz Kubalewski, Przemek Kitszel, Paul Menzel,
Rafal Romanowski, Tony Nguyen
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
commit f37c4eac99c258111d414d31b740437e1925b8e8 upstream.
To fix the regression introduced by commit 52424f974bc5, which causes
servers hang in very hard to reproduce conditions with resets races.
Using two sources for the information is the root cause.
In this function before the fix bumping v didn't mean bumping vf
pointer. But the code used this variables interchangeably, so stale vf
could point to different/not intended vf.
Remove redundant "v" variable and iterate via single VF pointer across
whole function instead to guarantee VF pointer validity.
Fixes: 52424f974bc5 ("i40e: Fix VF hang when reset is triggered on another VF")
Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 34 +++++++++------------
1 file changed, 16 insertions(+), 18 deletions(-)
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -1317,8 +1317,8 @@ bool i40e_reset_all_vfs(struct i40e_pf *
{
struct i40e_hw *hw = &pf->hw;
struct i40e_vf *vf;
- int i, v;
u32 reg;
+ int i;
/* If we don't have any VFs, then there is nothing to reset */
if (!pf->num_alloc_vfs)
@@ -1329,11 +1329,10 @@ bool i40e_reset_all_vfs(struct i40e_pf *
return false;
/* Begin reset on all VFs at once */
- for (v = 0; v < pf->num_alloc_vfs; v++) {
- vf = &pf->vf[v];
+ for (vf = &pf->vf[0]; vf < &pf->vf[pf->num_alloc_vfs]; ++vf) {
/* If VF is being reset no need to trigger reset again */
if (!test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states))
- i40e_trigger_vf_reset(&pf->vf[v], flr);
+ i40e_trigger_vf_reset(vf, flr);
}
/* HW requires some time to make sure it can flush the FIFO for a VF
@@ -1342,14 +1341,13 @@ bool i40e_reset_all_vfs(struct i40e_pf *
* the VFs using a simple iterator that increments once that VF has
* finished resetting.
*/
- for (i = 0, v = 0; i < 10 && v < pf->num_alloc_vfs; i++) {
+ for (i = 0, vf = &pf->vf[0]; i < 10 && vf < &pf->vf[pf->num_alloc_vfs]; ++i) {
usleep_range(10000, 20000);
/* Check each VF in sequence, beginning with the VF to fail
* the previous check.
*/
- while (v < pf->num_alloc_vfs) {
- vf = &pf->vf[v];
+ while (vf < &pf->vf[pf->num_alloc_vfs]) {
if (!test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states)) {
reg = rd32(hw, I40E_VPGEN_VFRSTAT(vf->vf_id));
if (!(reg & I40E_VPGEN_VFRSTAT_VFRD_MASK))
@@ -1359,7 +1357,7 @@ bool i40e_reset_all_vfs(struct i40e_pf *
/* If the current VF has finished resetting, move on
* to the next VF in sequence.
*/
- v++;
+ ++vf;
}
}
@@ -1369,39 +1367,39 @@ bool i40e_reset_all_vfs(struct i40e_pf *
/* Display a warning if at least one VF didn't manage to reset in
* time, but continue on with the operation.
*/
- if (v < pf->num_alloc_vfs)
+ if (vf < &pf->vf[pf->num_alloc_vfs])
dev_err(&pf->pdev->dev, "VF reset check timeout on VF %d\n",
- pf->vf[v].vf_id);
+ vf->vf_id);
usleep_range(10000, 20000);
/* Begin disabling all the rings associated with VFs, but do not wait
* between each VF.
*/
- for (v = 0; v < pf->num_alloc_vfs; v++) {
+ for (vf = &pf->vf[0]; vf < &pf->vf[pf->num_alloc_vfs]; ++vf) {
/* On initial reset, we don't have any queues to disable */
- if (pf->vf[v].lan_vsi_idx == 0)
+ if (vf->lan_vsi_idx == 0)
continue;
/* If VF is reset in another thread just continue */
if (test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states))
continue;
- i40e_vsi_stop_rings_no_wait(pf->vsi[pf->vf[v].lan_vsi_idx]);
+ i40e_vsi_stop_rings_no_wait(pf->vsi[vf->lan_vsi_idx]);
}
/* Now that we've notified HW to disable all of the VF rings, wait
* until they finish.
*/
- for (v = 0; v < pf->num_alloc_vfs; v++) {
+ for (vf = &pf->vf[0]; vf < &pf->vf[pf->num_alloc_vfs]; ++vf) {
/* On initial reset, we don't have any queues to disable */
- if (pf->vf[v].lan_vsi_idx == 0)
+ if (vf->lan_vsi_idx == 0)
continue;
/* If VF is reset in another thread just continue */
if (test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states))
continue;
- i40e_vsi_wait_queues_disabled(pf->vsi[pf->vf[v].lan_vsi_idx]);
+ i40e_vsi_wait_queues_disabled(pf->vsi[vf->lan_vsi_idx]);
}
/* Hw may need up to 50ms to finish disabling the RX queues. We
@@ -1410,12 +1408,12 @@ bool i40e_reset_all_vfs(struct i40e_pf *
mdelay(50);
/* Finish the reset on each VF */
- for (v = 0; v < pf->num_alloc_vfs; v++) {
+ for (vf = &pf->vf[0]; vf < &pf->vf[pf->num_alloc_vfs]; ++vf) {
/* If VF is reset in another thread just continue */
if (test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states))
continue;
- i40e_cleanup_reset_vf(&pf->vf[v]);
+ i40e_cleanup_reset_vf(vf);
}
i40e_flush(hw);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 128/175] staging: mmal-vchiq: Avoid use of bool in structures
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 127/175] i40e: fix vf may be used uninitialized in this function warning Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 129/175] staging: mmal-vchiq: Allocate and free components as required Greg Kroah-Hartman
` (52 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Stefan Wahren,
Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.org>
[ Upstream commit 640e77466e69d9c28de227bc76881f5501f532ca ]
Fixes up a checkpatch error "Avoid using bool structure members
because of possible alignment issues".
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../vc04_services/bcm2835-camera/mmal-vchiq.c | 12 ++++++------
.../vc04_services/bcm2835-camera/mmal-vchiq.h | 4 ++--
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
index daa2b96565529..00c943516ba38 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -845,9 +845,9 @@ static int port_info_get(struct vchiq_mmal_instance *instance,
goto release_msg;
if (rmsg->u.port_info_get_reply.port.is_enabled == 0)
- port->enabled = false;
+ port->enabled = 0;
else
- port->enabled = true;
+ port->enabled = 1;
/* copy the values out of the message */
port->handle = rmsg->u.port_info_get_reply.port_handle;
@@ -1283,7 +1283,7 @@ static int port_disable(struct vchiq_mmal_instance *instance,
if (!port->enabled)
return 0;
- port->enabled = false;
+ port->enabled = 0;
ret = port_action_port(instance, port,
MMAL_MSG_PORT_ACTION_TYPE_DISABLE);
@@ -1335,7 +1335,7 @@ static int port_enable(struct vchiq_mmal_instance *instance,
if (ret)
goto done;
- port->enabled = true;
+ port->enabled = 1;
if (port->buffer_cb) {
/* send buffer headers to videocore */
@@ -1502,7 +1502,7 @@ int vchiq_mmal_port_connect_tunnel(struct vchiq_mmal_instance *instance,
pr_err("failed disconnecting src port\n");
goto release_unlock;
}
- src->connected->enabled = false;
+ src->connected->enabled = 0;
src->connected = NULL;
}
@@ -1746,7 +1746,7 @@ int vchiq_mmal_component_disable(struct vchiq_mmal_instance *instance,
ret = disable_component(instance, component);
if (ret == 0)
- component->enabled = false;
+ component->enabled = 0;
mutex_unlock(&instance->vchiq_mutex);
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
index b0ee1716525b4..b3c231e619c90 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
@@ -47,7 +47,7 @@ typedef void (*vchiq_mmal_buffer_cb)(
unsigned long length, u32 mmal_flags, s64 dts, s64 pts);
struct vchiq_mmal_port {
- bool enabled;
+ u32 enabled:1;
u32 handle;
u32 type; /* port type, cached to use on port info set */
u32 index; /* port index, cached to use on port info set */
@@ -81,7 +81,7 @@ struct vchiq_mmal_port {
};
struct vchiq_mmal_component {
- bool enabled;
+ u32 enabled:1;
u32 handle; /* VideoCore handle for component */
u32 inputs; /* Number of input ports */
u32 outputs; /* Number of output ports */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 129/175] staging: mmal-vchiq: Allocate and free components as required
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 128/175] staging: mmal-vchiq: Avoid use of bool in structures Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 130/175] staging: mmal-vchiq: Fix client_component for 64 bit kernel Greg Kroah-Hartman
` (51 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Jacopo Mondi,
Nicolas Saenz Julienne, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.org>
[ Upstream commit 8c589e1794a31e9a381916b0280260ab601e4d6e ]
The existing code assumed that there would only ever be 4 components,
and never freed the entries once used.
Allow arbitrary creation and destruction of components.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
Signed-off-by: Jacopo Mondi <jacopo@jmondi.org>
Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Link: https://lore.kernel.org/r/20200623164235.29566-3-nsaenzjulienne@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../vc04_services/bcm2835-camera/mmal-vchiq.c | 29 ++++++++++++-------
.../vc04_services/bcm2835-camera/mmal-vchiq.h | 1 +
2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
index 00c943516ba38..4f128c75c0f6c 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -31,8 +31,11 @@
#define USE_VCHIQ_ARM
#include "interface/vchi/vchi.h"
-/* maximum number of components supported */
-#define VCHIQ_MMAL_MAX_COMPONENTS 4
+/*
+ * maximum number of components supported.
+ * This matches the maximum permitted by default on the VPU
+ */
+#define VCHIQ_MMAL_MAX_COMPONENTS 64
/*#define FULL_MSG_DUMP 1*/
@@ -165,8 +168,6 @@ struct vchiq_mmal_instance {
/* protect accesses to context_map */
struct mutex context_map_lock;
- /* component to use next */
- int component_idx;
struct vchiq_mmal_component component[VCHIQ_MMAL_MAX_COMPONENTS];
};
@@ -1607,18 +1608,24 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
{
int ret;
int idx; /* port index */
- struct vchiq_mmal_component *component;
+ struct vchiq_mmal_component *component = NULL;
if (mutex_lock_interruptible(&instance->vchiq_mutex))
return -EINTR;
- if (instance->component_idx == VCHIQ_MMAL_MAX_COMPONENTS) {
+ for (idx = 0; idx < VCHIQ_MMAL_MAX_COMPONENTS; idx++) {
+ if (!instance->component[idx].in_use) {
+ component = &instance->component[idx];
+ component->in_use = 1;
+ break;
+ }
+ }
+
+ if (!component) {
ret = -EINVAL; /* todo is this correct error? */
goto unlock;
}
- component = &instance->component[instance->component_idx];
-
ret = create_component(instance, component, name);
if (ret < 0)
goto unlock;
@@ -1666,8 +1673,6 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
goto release_component;
}
- instance->component_idx++;
-
*component_out = component;
mutex_unlock(&instance->vchiq_mutex);
@@ -1677,6 +1682,8 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
release_component:
destroy_component(instance, component);
unlock:
+ if (component)
+ component->in_use = 0;
mutex_unlock(&instance->vchiq_mutex);
return ret;
@@ -1698,6 +1705,8 @@ int vchiq_mmal_component_finalise(struct vchiq_mmal_instance *instance,
ret = destroy_component(instance, component);
+ component->in_use = 0;
+
mutex_unlock(&instance->vchiq_mutex);
return ret;
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
index b3c231e619c90..ee5eb6d4d080d 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
@@ -81,6 +81,7 @@ struct vchiq_mmal_port {
};
struct vchiq_mmal_component {
+ u32 in_use:1;
u32 enabled:1;
u32 handle; /* VideoCore handle for component */
u32 inputs; /* Number of input ports */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 130/175] staging: mmal-vchiq: Fix client_component for 64 bit kernel
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 129/175] staging: mmal-vchiq: Allocate and free components as required Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 131/175] staging: vc04_services: changen strncpy() to strscpy_pad() Greg Kroah-Hartman
` (50 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Jacopo Mondi,
Nicolas Saenz Julienne, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.org>
[ Upstream commit 22e64b486adc4785542f8002c3af4c895490f841 ]
The MMAL client_component field is used with the event
mechanism to allow the client to identify the component for
which the event is generated.
The field is only 32bits in size, therefore we can't use a
pointer to the component in a 64 bit kernel.
Component handles are already held in an array per VCHI
instance, so use the array index as the client_component handle
to avoid having to create a new IDR for this purpose.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
Signed-off-by: Jacopo Mondi <jacopo@jmondi.org>
Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Link: https://lore.kernel.org/r/20200629150945.10720-5-nsaenzjulienne@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 8 +++++++-
drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h | 1 +
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
index 4f128c75c0f6c..2794df22224ad 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -920,7 +920,7 @@ static int create_component(struct vchiq_mmal_instance *instance,
/* build component create message */
m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
- m.u.component_create.client_component = (u32)(unsigned long)component;
+ m.u.component_create.client_component = component->client_component;
strncpy(m.u.component_create.name, name,
sizeof(m.u.component_create.name));
@@ -1626,6 +1626,12 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
goto unlock;
}
+ /* We need a handle to reference back to our component structure.
+ * Use the array index in instance->component rather than rolling
+ * another IDR.
+ */
+ component->client_component = idx;
+
ret = create_component(instance, component, name);
if (ret < 0)
goto unlock;
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
index ee5eb6d4d080d..d20d5182577d6 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
@@ -91,6 +91,7 @@ struct vchiq_mmal_component {
struct vchiq_mmal_port input[MAX_PORT_COUNT]; /* input ports */
struct vchiq_mmal_port output[MAX_PORT_COUNT]; /* output ports */
struct vchiq_mmal_port clock[MAX_PORT_COUNT]; /* clock ports */
+ u32 client_component; /* Used to ref back to client struct */
};
int vchiq_mmal_init(struct vchiq_mmal_instance **out_instance);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 131/175] staging: vc04_services: changen strncpy() to strscpy_pad()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 130/175] staging: mmal-vchiq: Fix client_component for 64 bit kernel Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 132/175] staging: vc04_services: fix information leak in create_component() Greg Kroah-Hartman
` (49 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Dan Carpenter, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit ef25725b7f8aaffd7756974d3246ec44fae0a5cf ]
gcc-14 warns about this strncpy() that results in a non-terminated
string for an overflow:
In file included from include/linux/string.h:369,
from drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:20:
In function 'strncpy',
inlined from 'create_component' at drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:940:2:
include/linux/fortify-string.h:108:33: error: '__builtin_strncpy' specified bound 128 equals destination size [-Werror=stringop-truncation]
Change it to strscpy_pad(), which produces a properly terminated and
zero-padded string.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20240313163712.224585-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
index 2794df22224ad..5d1fb582fde60 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -921,8 +921,8 @@ static int create_component(struct vchiq_mmal_instance *instance,
/* build component create message */
m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
m.u.component_create.client_component = component->client_component;
- strncpy(m.u.component_create.name, name,
- sizeof(m.u.component_create.name));
+ strscpy_pad(m.u.component_create.name, name,
+ sizeof(m.u.component_create.name));
ret = send_synchronous_mmal_msg(instance, &m,
sizeof(m.u.component_create),
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 132/175] staging: vc04_services: fix information leak in create_component()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 131/175] staging: vc04_services: changen strncpy() to strscpy_pad() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 133/175] initramfs: factor out a helper to populate the initrd image Greg Kroah-Hartman
` (48 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit f37e76abd614b68987abc8e5c22d986013349771 ]
The m.u.component_create.pid field is for debugging and in the mainline
kernel it's not used anything. However, it still needs to be set to
something to prevent disclosing uninitialized stack data. Set it to
zero.
Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/2d972847-9ebd-481b-b6f9-af390f5aabd3@moroto.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
index 5d1fb582fde60..a6ba608fed938 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -923,6 +923,7 @@ static int create_component(struct vchiq_mmal_instance *instance,
m.u.component_create.client_component = component->client_component;
strscpy_pad(m.u.component_create.name, name,
sizeof(m.u.component_create.name));
+ m.u.component_create.pid = 0;
ret = send_synchronous_mmal_msg(instance, &m,
sizeof(m.u.component_create),
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 133/175] initramfs: factor out a helper to populate the initrd image
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 132/175] staging: vc04_services: fix information leak in create_component() Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 134/175] fs: add a vfs_fchown helper Greg Kroah-Hartman
` (47 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Mike Rapoport,
Steven Price, Alexander Viro, Guan Xuetao, Russell King,
Will Deacon, Andrew Morton, Linus Torvalds, Sasha Levin,
Catalin Marinas, Geert Uytterhoeven
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 7c184ecd262fe64fe8cf4e099e0f7cefe88d88b2 ]
This will allow for cleaner code sharing in the caller.
Link: http://lkml.kernel.org/r/20190213174621.29297-5-hch@lst.de
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Mike Rapoport <rppt@linux.ibm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com> [arm64]
Cc: Geert Uytterhoeven <geert@linux-m68k.org> [m68k]
Cc: Steven Price <steven.price@arm.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Guan Xuetao <gxt@pku.edu.cn>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/initramfs.c | 40 +++++++++++++++++++++++-----------------
1 file changed, 23 insertions(+), 17 deletions(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index dab8d63459f63..7103edf44436c 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -599,6 +599,28 @@ static void __init clean_rootfs(void)
}
#endif
+#ifdef CONFIG_BLK_DEV_RAM
+static void populate_initrd_image(char *err)
+{
+ ssize_t written;
+ int fd;
+
+ unpack_to_rootfs(__initramfs_start, __initramfs_size);
+
+ printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n",
+ err);
+ fd = ksys_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
+ if (fd < 0)
+ return;
+
+ written = xwrite(fd, (char *)initrd_start, initrd_end - initrd_start);
+ if (written != initrd_end - initrd_start)
+ pr_err("/initrd.image: incomplete write (%zd != %ld)\n",
+ written, initrd_end - initrd_start);
+ ksys_close(fd);
+}
+#endif /* CONFIG_BLK_DEV_RAM */
+
static int __init populate_rootfs(void)
{
/* Load the built in initramfs */
@@ -608,7 +630,6 @@ static int __init populate_rootfs(void)
/* If available load the bootloader supplied initrd */
if (initrd_start && !IS_ENABLED(CONFIG_INITRAMFS_FORCE)) {
#ifdef CONFIG_BLK_DEV_RAM
- int fd;
printk(KERN_INFO "Trying to unpack rootfs image as initramfs...\n");
err = unpack_to_rootfs((char *)initrd_start,
initrd_end - initrd_start);
@@ -616,22 +637,7 @@ static int __init populate_rootfs(void)
goto done;
clean_rootfs();
- unpack_to_rootfs(__initramfs_start, __initramfs_size);
-
- printk(KERN_INFO "rootfs image is not initramfs (%s)"
- "; looks like an initrd\n", err);
- fd = ksys_open("/initrd.image",
- O_WRONLY|O_CREAT, 0700);
- if (fd >= 0) {
- ssize_t written = xwrite(fd, (char *)initrd_start,
- initrd_end - initrd_start);
-
- if (written != initrd_end - initrd_start)
- pr_err("/initrd.image: incomplete write (%zd != %ld)\n",
- written, initrd_end - initrd_start);
-
- ksys_close(fd);
- }
+ populate_initrd_image(err);
done:
/* empty statement */;
#else
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 134/175] fs: add a vfs_fchown helper
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 133/175] initramfs: factor out a helper to populate the initrd image Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 135/175] fs: add a vfs_fchmod helper Greg Kroah-Hartman
` (46 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Linus Torvalds,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit c04011fe8cbd80af1be6e12b53193bf3846750d7 ]
Add a helper for struct file based chown operations. To be used by
the initramfs code soon.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/open.c | 29 +++++++++++++++++------------
include/linux/fs.h | 2 ++
2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/fs/open.c b/fs/open.c
index 76996f920ebf5..e072e86003f56 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -707,23 +707,28 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
AT_SYMLINK_NOFOLLOW);
}
+int vfs_fchown(struct file *file, uid_t user, gid_t group)
+{
+ int error;
+
+ error = mnt_want_write_file(file);
+ if (error)
+ return error;
+ audit_file(file);
+ error = chown_common(&file->f_path, user, group);
+ mnt_drop_write_file(file);
+ return error;
+}
+
int ksys_fchown(unsigned int fd, uid_t user, gid_t group)
{
struct fd f = fdget(fd);
int error = -EBADF;
- if (!f.file)
- goto out;
-
- error = mnt_want_write_file(f.file);
- if (error)
- goto out_fput;
- audit_file(f.file);
- error = chown_common(&f.file->f_path, user, group);
- mnt_drop_write_file(f.file);
-out_fput:
- fdput(f);
-out:
+ if (f.file) {
+ error = vfs_fchown(f.file, user, group);
+ fdput(f);
+ }
return error;
}
diff --git a/include/linux/fs.h b/include/linux/fs.h
index e2c87c056742c..7d93d22ad1062 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1660,6 +1660,8 @@ int vfs_mkobj(struct dentry *, umode_t,
int (*f)(struct dentry *, umode_t, void *),
void *);
+int vfs_fchown(struct file *file, uid_t user, gid_t group);
+
extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 135/175] fs: add a vfs_fchmod helper
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 134/175] fs: add a vfs_fchown helper Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 136/175] initramfs: switch initramfs unpacking to struct file based APIs Greg Kroah-Hartman
` (45 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Linus Torvalds,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 9e96c8c0e94eea2f69a9705f5d0f51928ea26c17 ]
Add a helper for struct file based chmode operations. To be used by
the initramfs code soon.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/open.c | 9 +++++++--
include/linux/fs.h | 1 +
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/open.c b/fs/open.c
index e072e86003f56..fc634ab5af0d6 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -569,14 +569,19 @@ static int chmod_common(const struct path *path, umode_t mode)
return error;
}
+int vfs_fchmod(struct file *file, umode_t mode)
+{
+ audit_file(file);
+ return chmod_common(&file->f_path, mode);
+}
+
int ksys_fchmod(unsigned int fd, umode_t mode)
{
struct fd f = fdget(fd);
int err = -EBADF;
if (f.file) {
- audit_file(f.file);
- err = chmod_common(&f.file->f_path, mode);
+ err = vfs_fchmod(f.file, mode);
fdput(f);
}
return err;
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 7d93d22ad1062..95e35e0740117 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1661,6 +1661,7 @@ int vfs_mkobj(struct dentry *, umode_t,
void *);
int vfs_fchown(struct file *file, uid_t user, gid_t group);
+int vfs_fchmod(struct file *file, umode_t mode);
extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 136/175] initramfs: switch initramfs unpacking to struct file based APIs
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 135/175] fs: add a vfs_fchmod helper Greg Kroah-Hartman
@ 2024-04-11 9:55 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 137/175] init: open /initrd.image with O_LARGEFILE Greg Kroah-Hartman
` (44 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Linus Torvalds,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit bf6419e4d5440c6d414a320506c5488857a5b001 ]
There is no good reason to mess with file descriptors from in-kernel
code, switch the initramfs unpacking to struct file based write
instead.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/initramfs.c | 47 ++++++++++++++++++++++++++---------------------
1 file changed, 26 insertions(+), 21 deletions(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index 7103edf44436c..e378d15a949e0 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -11,13 +11,14 @@
#include <linux/utime.h>
#include <linux/file.h>
-static ssize_t __init xwrite(int fd, const char *p, size_t count)
+static ssize_t __init xwrite(struct file *file, const char *p, size_t count,
+ loff_t *pos)
{
ssize_t out = 0;
/* sys_write only can write MAX_RW_COUNT aka 2G-4K bytes at most */
while (count) {
- ssize_t rv = ksys_write(fd, p, count);
+ ssize_t rv = kernel_write(file, p, count, pos);
if (rv < 0) {
if (rv == -EINTR || rv == -EAGAIN)
@@ -315,7 +316,8 @@ static int __init maybe_link(void)
return 0;
}
-static __initdata int wfd;
+static __initdata struct file *wfile;
+static __initdata loff_t wfile_pos;
static int __init do_name(void)
{
@@ -332,16 +334,17 @@ static int __init do_name(void)
int openflags = O_WRONLY|O_CREAT;
if (ml != 1)
openflags |= O_TRUNC;
- wfd = ksys_open(collected, openflags, mode);
-
- if (wfd >= 0) {
- ksys_fchown(wfd, uid, gid);
- ksys_fchmod(wfd, mode);
- if (body_len)
- ksys_ftruncate(wfd, body_len);
- vcollected = kstrdup(collected, GFP_KERNEL);
- state = CopyFile;
- }
+ wfile = filp_open(collected, openflags, mode);
+ if (IS_ERR(wfile))
+ return 0;
+ wfile_pos = 0;
+
+ vfs_fchown(wfile, uid, gid);
+ vfs_fchmod(wfile, mode);
+ if (body_len)
+ vfs_truncate(&wfile->f_path, body_len);
+ vcollected = kstrdup(collected, GFP_KERNEL);
+ state = CopyFile;
}
} else if (S_ISDIR(mode)) {
ksys_mkdir(collected, mode);
@@ -363,16 +366,16 @@ static int __init do_name(void)
static int __init do_copy(void)
{
if (byte_count >= body_len) {
- if (xwrite(wfd, victim, body_len) != body_len)
+ if (xwrite(wfile, victim, body_len, &wfile_pos) != body_len)
error("write error");
- ksys_close(wfd);
+ fput(wfile);
do_utime(vcollected, mtime);
kfree(vcollected);
eat(body_len);
state = SkipIt;
return 0;
} else {
- if (xwrite(wfd, victim, byte_count) != byte_count)
+ if (xwrite(wfile, victim, byte_count, &wfile_pos) != byte_count)
error("write error");
body_len -= byte_count;
eat(byte_count);
@@ -603,21 +606,23 @@ static void __init clean_rootfs(void)
static void populate_initrd_image(char *err)
{
ssize_t written;
- int fd;
+ struct file *file;
+ loff_t pos = 0;
unpack_to_rootfs(__initramfs_start, __initramfs_size);
printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n",
err);
- fd = ksys_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
- if (fd < 0)
+ file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
+ if (IS_ERR(file))
return;
- written = xwrite(fd, (char *)initrd_start, initrd_end - initrd_start);
+ written = xwrite(file, (char *)initrd_start, initrd_end - initrd_start,
+ &pos);
if (written != initrd_end - initrd_start)
pr_err("/initrd.image: incomplete write (%zd != %ld)\n",
written, initrd_end - initrd_start);
- ksys_close(fd);
+ fput(file);
}
#endif /* CONFIG_BLK_DEV_RAM */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 137/175] init: open /initrd.image with O_LARGEFILE
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2024-04-11 9:55 ` [PATCH 4.19 136/175] initramfs: switch initramfs unpacking to struct file based APIs Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 138/175] erspan: Add type I version 0 support Greg Kroah-Hartman
` (43 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Sperbeck, Jens Axboe,
Nick Desaulniers, Peter Zijlstra, Thomas Gleixner, Andrew Morton,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Sperbeck <jsperbeck@google.com>
[ Upstream commit 4624b346cf67400ef46a31771011fb798dd2f999 ]
If initrd data is larger than 2Gb, we'll eventually fail to write to the
/initrd.image file when we hit that limit, unless O_LARGEFILE is set.
Link: https://lkml.kernel.org/r/20240317221522.896040-1-jsperbeck@google.com
Signed-off-by: John Sperbeck <jsperbeck@google.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/initramfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index e378d15a949e0..6b49c5ae78c7a 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -613,7 +613,7 @@ static void populate_initrd_image(char *err)
printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n",
err);
- file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
+ file = filp_open("/initrd.image", O_WRONLY|O_CREAT|O_LARGEFILE, 0700);
if (IS_ERR(file))
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 138/175] erspan: Add type I version 0 support.
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 137/175] init: open /initrd.image with O_LARGEFILE Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 139/175] erspan: make sure erspan_base_hdr is present in skb->head Greg Kroah-Hartman
` (42 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William Tu, David S. Miller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Tu <u9012063@gmail.com>
[ Upstream commit f989d546a2d5a9f001f6f8be49d98c10ab9b1897 ]
The Type I ERSPAN frame format is based on the barebones
IP + GRE(4-byte) encapsulation on top of the raw mirrored frame.
Both type I and II use 0x88BE as protocol type. Unlike type II
and III, no sequence number or key is required.
To creat a type I erspan tunnel device:
$ ip link add dev erspan11 type erspan \
local 172.16.1.100 remote 172.16.1.200 \
erspan_ver 0
Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 17af420545a7 ("erspan: make sure erspan_base_hdr is present in skb->head")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/erspan.h | 19 +++++++++++++--
net/ipv4/ip_gre.c | 58 ++++++++++++++++++++++++++++++++------------
2 files changed, 60 insertions(+), 17 deletions(-)
diff --git a/include/net/erspan.h b/include/net/erspan.h
index b39643ef4c95f..0d9e86bd98934 100644
--- a/include/net/erspan.h
+++ b/include/net/erspan.h
@@ -2,7 +2,19 @@
#define __LINUX_ERSPAN_H
/*
- * GRE header for ERSPAN encapsulation (8 octets [34:41]) -- 8 bytes
+ * GRE header for ERSPAN type I encapsulation (4 octets [34:37])
+ * 0 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |0|0|0|0|0|00000|000000000|00000| Protocol Type for ERSPAN |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * The Type I ERSPAN frame format is based on the barebones IP + GRE
+ * encapsulation (as described above) on top of the raw mirrored frame.
+ * There is no extra ERSPAN header.
+ *
+ *
+ * GRE header for ERSPAN type II and II encapsulation (8 octets [34:41])
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -43,7 +55,7 @@
* | Platform Specific Info |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*
- * GRE proto ERSPAN type II = 0x88BE, type III = 0x22EB
+ * GRE proto ERSPAN type I/II = 0x88BE, type III = 0x22EB
*/
#include <uapi/linux/erspan.h>
@@ -139,6 +151,9 @@ static inline u8 get_hwid(const struct erspan_md2 *md2)
static inline int erspan_hdr_len(int version)
{
+ if (version == 0)
+ return 0;
+
return sizeof(struct erspan_base_hdr) +
(version == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE);
}
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 38c8db78cda19..d1e90bfa84c11 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -251,6 +251,15 @@ static void gre_err(struct sk_buff *skb, u32 info)
ipgre_err(skb, info, &tpi);
}
+static bool is_erspan_type1(int gre_hdr_len)
+{
+ /* Both ERSPAN type I (version 0) and type II (version 1) use
+ * protocol 0x88BE, but the type I has only 4-byte GRE header,
+ * while type II has 8-byte.
+ */
+ return gre_hdr_len == 4;
+}
+
static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
int gre_hdr_len)
{
@@ -265,17 +274,26 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
int len;
itn = net_generic(net, erspan_net_id);
-
iph = ip_hdr(skb);
- ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
- ver = ershdr->ver;
-
- tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
- tpi->flags | TUNNEL_KEY,
- iph->saddr, iph->daddr, tpi->key);
+ if (is_erspan_type1(gre_hdr_len)) {
+ ver = 0;
+ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
+ tpi->flags | TUNNEL_NO_KEY,
+ iph->saddr, iph->daddr, 0);
+ } else {
+ ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
+ ver = ershdr->ver;
+ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
+ tpi->flags | TUNNEL_KEY,
+ iph->saddr, iph->daddr, tpi->key);
+ }
if (tunnel) {
- len = gre_hdr_len + erspan_hdr_len(ver);
+ if (is_erspan_type1(gre_hdr_len))
+ len = gre_hdr_len;
+ else
+ len = gre_hdr_len + erspan_hdr_len(ver);
+
if (unlikely(!pskb_may_pull(skb, len)))
return PACKET_REJECT;
@@ -746,7 +764,10 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
}
/* Push ERSPAN header */
- if (tunnel->erspan_ver == 1) {
+ if (tunnel->erspan_ver == 0) {
+ proto = htons(ETH_P_ERSPAN);
+ tunnel->parms.o_flags &= ~TUNNEL_SEQ;
+ } else if (tunnel->erspan_ver == 1) {
erspan_build_header(skb, ntohl(tunnel->parms.o_key),
tunnel->index,
truncate, true);
@@ -1156,7 +1177,10 @@ static int erspan_validate(struct nlattr *tb[], struct nlattr *data[],
if (ret)
return ret;
- /* ERSPAN should only have GRE sequence and key flag */
+ if (nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0)
+ return 0;
+
+ /* ERSPAN type II/III should only have GRE sequence and key flag */
if (data[IFLA_GRE_OFLAGS])
flags |= nla_get_be16(data[IFLA_GRE_OFLAGS]);
if (data[IFLA_GRE_IFLAGS])
@@ -1264,7 +1288,7 @@ static int erspan_netlink_parms(struct net_device *dev,
if (data[IFLA_GRE_ERSPAN_VER]) {
t->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
- if (t->erspan_ver != 1 && t->erspan_ver != 2)
+ if (t->erspan_ver > 2)
return -EINVAL;
}
@@ -1349,7 +1373,11 @@ static int erspan_tunnel_init(struct net_device *dev)
{
struct ip_tunnel *tunnel = netdev_priv(dev);
- tunnel->tun_hlen = 8;
+ if (tunnel->erspan_ver == 0)
+ tunnel->tun_hlen = 4; /* 4-byte GRE hdr. */
+ else
+ tunnel->tun_hlen = 8; /* 8-byte GRE hdr. */
+
tunnel->parms.iph.protocol = IPPROTO_GRE;
tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen +
erspan_hdr_len(tunnel->erspan_ver);
@@ -1552,8 +1580,8 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
struct ip_tunnel_parm *p = &t->parms;
__be16 o_flags = p->o_flags;
- if (t->erspan_ver == 1 || t->erspan_ver == 2) {
- if (!t->collect_md)
+ if (t->erspan_ver <= 2) {
+ if (t->erspan_ver != 0 && !t->collect_md)
o_flags |= TUNNEL_KEY;
if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
@@ -1562,7 +1590,7 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
if (t->erspan_ver == 1) {
if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
goto nla_put_failure;
- } else {
+ } else if (t->erspan_ver == 2) {
if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
goto nla_put_failure;
if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 139/175] erspan: make sure erspan_base_hdr is present in skb->head
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 138/175] erspan: Add type I version 0 support Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 140/175] ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw Greg Kroah-Hartman
` (41 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1c1cf138518bf0c53d68,
Eric Dumazet, Lorenzo Bianconi, Jakub Kicinski, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 17af420545a750f763025149fa7b833a4fc8b8f0 ]
syzbot reported a problem in ip6erspan_rcv() [1]
Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
sure erspan_base_hdr is present in skb linear part (skb->head)
before getting @ver field from it.
Add the missing pskb_may_pull() calls.
v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
because skb->head might have changed.
[1]
BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
pskb_may_pull include/linux/skbuff.h:2756 [inline]
ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:460 [inline]
ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:314 [inline]
ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5538 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
netif_receive_skb_internal net/core/dev.c:5738 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5798
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2108 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
tun_alloc_skb drivers/net/tun.c:1525 [inline]
tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2108 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
Reported-by: syzbot+1c1cf138518bf0c53d68@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/20240328112248.1101491-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_gre.c | 5 +++++
net/ipv6/ip6_gre.c | 3 +++
2 files changed, 8 insertions(+)
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index d1e90bfa84c11..6d4b6815aa347 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -281,8 +281,13 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
tpi->flags | TUNNEL_NO_KEY,
iph->saddr, iph->daddr, 0);
} else {
+ if (unlikely(!pskb_may_pull(skb,
+ gre_hdr_len + sizeof(*ershdr))))
+ return PACKET_REJECT;
+
ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
ver = ershdr->ver;
+ iph = ip_hdr(skb);
tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
tpi->flags | TUNNEL_KEY,
iph->saddr, iph->daddr, tpi->key);
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index aa8ada354a399..58e1fc8e41241 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -551,6 +551,9 @@ static int ip6erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
struct ip6_tnl *tunnel;
u8 ver;
+ if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr))))
+ return PACKET_REJECT;
+
ipv6h = ipv6_hdr(skb);
ershdr = (struct erspan_base_hdr *)skb->data;
ver = ershdr->ver;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 140/175] ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 139/175] erspan: make sure erspan_base_hdr is present in skb->head Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 141/175] ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit Greg Kroah-Hartman
` (40 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Lee, Mark Brown, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Lee <slee08177@gmail.com>
[ Upstream commit fc563aa900659a850e2ada4af26b9d7a3de6c591 ]
In snd_soc_info_volsw(), mask is generated by figuring out the index of
the most significant bit set in max and converting the index to a
bitmask through bit shift 1. Unintended wraparound occurs when max is an
integer value with msb bit set. Since the bit shift value 1 is treated
as an integer type, the left shift operation will wraparound and set
mask to 0 instead of all 1's. In order to fix this, we type cast 1 as
`1ULL` to prevent the wraparound.
Fixes: 7077148fb50a ("ASoC: core: Split ops out of soc-core.c")
Signed-off-by: Stephen Lee <slee08177@gmail.com>
Link: https://msgid.link/r/20240326010131.6211-1-slee08177@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-ops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index e01f3bf3ef171..08ed973b2d975 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -252,7 +252,7 @@ int snd_soc_get_volsw(struct snd_kcontrol *kcontrol,
int max = mc->max;
int min = mc->min;
int sign_bit = mc->sign_bit;
- unsigned int mask = (1 << fls(max)) - 1;
+ unsigned int mask = (1ULL << fls(max)) - 1;
unsigned int invert = mc->invert;
int val;
int ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 141/175] ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 140/175] ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 142/175] ata: sata_mv: Fix PCI device ID table declaration compilation warning Greg Kroah-Hartman
` (39 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Damien Le Moal, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 52f80bb181a9a1530ade30bc18991900bbb9697f ]
gcc warns about a memcpy() with overlapping pointers because of an
incorrect size calculation:
In file included from include/linux/string.h:369,
from drivers/ata/sata_sx4.c:66:
In function 'memcpy_fromio',
inlined from 'pdc20621_get_from_dimm.constprop' at drivers/ata/sata_sx4.c:962:2:
include/linux/fortify-string.h:97:33: error: '__builtin_memcpy' accessing 4294934464 bytes at offsets 0 and [16, 16400] overlaps 6442385281 bytes at offset -2147450817 [-Werror=restrict]
97 | #define __underlying_memcpy __builtin_memcpy
| ^
include/linux/fortify-string.h:620:9: note: in expansion of macro '__underlying_memcpy'
620 | __underlying_##op(p, q, __fortify_size); \
| ^~~~~~~~~~~~~
include/linux/fortify-string.h:665:26: note: in expansion of macro '__fortify_memcpy_chk'
665 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
| ^~~~~~~~~~~~~~~~~~~~
include/asm-generic/io.h:1184:9: note: in expansion of macro 'memcpy'
1184 | memcpy(buffer, __io_virt(addr), size);
| ^~~~~~
The problem here is the overflow of an unsigned 32-bit number to a
negative that gets converted into a signed 'long', keeping a large
positive number.
Replace the complex calculation with a more readable min() variant
that avoids the warning.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/sata_sx4.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
index 0d742457925ec..f217ac8e17b15 100644
--- a/drivers/ata/sata_sx4.c
+++ b/drivers/ata/sata_sx4.c
@@ -1020,8 +1020,7 @@ static void pdc20621_get_from_dimm(struct ata_host *host, void *psource,
offset -= (idx * window_size);
idx++;
- dist = ((long) (window_size - (offset + size))) >= 0 ? size :
- (long) (window_size - offset);
+ dist = min(size, window_size - offset);
memcpy_fromio(psource, dimm_mmio + offset / 4, dist);
psource += dist;
@@ -1069,8 +1068,7 @@ static void pdc20621_put_to_dimm(struct ata_host *host, void *psource,
readl(mmio + PDC_DIMM_WINDOW_CTLR);
offset -= (idx * window_size);
idx++;
- dist = ((long)(s32)(window_size - (offset + size))) >= 0 ? size :
- (long) (window_size - offset);
+ dist = min(size, window_size - offset);
memcpy_toio(dimm_mmio + offset / 4, psource, dist);
writel(0x01, mmio + PDC_GENERAL_CTLR);
readl(mmio + PDC_GENERAL_CTLR);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 142/175] ata: sata_mv: Fix PCI device ID table declaration compilation warning
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 141/175] ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 143/175] ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone Greg Kroah-Hartman
` (38 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Damien Le Moal, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 3137b83a90646917c90951d66489db466b4ae106 ]
Building with W=1 shows a warning for an unused variable when CONFIG_PCI
is diabled:
drivers/ata/sata_mv.c:790:35: error: unused variable 'mv_pci_tbl' [-Werror,-Wunused-const-variable]
static const struct pci_device_id mv_pci_tbl[] = {
Move the table into the same block that containsn the pci_driver
definition.
Fixes: 7bb3c5290ca0 ("sata_mv: Remove PCI dependency")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/sata_mv.c | 63 +++++++++++++++++++++----------------------
1 file changed, 31 insertions(+), 32 deletions(-)
diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
index 84ea284502d53..001656642fffa 100644
--- a/drivers/ata/sata_mv.c
+++ b/drivers/ata/sata_mv.c
@@ -796,37 +796,6 @@ static const struct ata_port_info mv_port_info[] = {
},
};
-static const struct pci_device_id mv_pci_tbl[] = {
- { PCI_VDEVICE(MARVELL, 0x5040), chip_504x },
- { PCI_VDEVICE(MARVELL, 0x5041), chip_504x },
- { PCI_VDEVICE(MARVELL, 0x5080), chip_5080 },
- { PCI_VDEVICE(MARVELL, 0x5081), chip_508x },
- /* RocketRAID 1720/174x have different identifiers */
- { PCI_VDEVICE(TTI, 0x1720), chip_6042 },
- { PCI_VDEVICE(TTI, 0x1740), chip_6042 },
- { PCI_VDEVICE(TTI, 0x1742), chip_6042 },
-
- { PCI_VDEVICE(MARVELL, 0x6040), chip_604x },
- { PCI_VDEVICE(MARVELL, 0x6041), chip_604x },
- { PCI_VDEVICE(MARVELL, 0x6042), chip_6042 },
- { PCI_VDEVICE(MARVELL, 0x6080), chip_608x },
- { PCI_VDEVICE(MARVELL, 0x6081), chip_608x },
-
- { PCI_VDEVICE(ADAPTEC2, 0x0241), chip_604x },
-
- /* Adaptec 1430SA */
- { PCI_VDEVICE(ADAPTEC2, 0x0243), chip_7042 },
-
- /* Marvell 7042 support */
- { PCI_VDEVICE(MARVELL, 0x7042), chip_7042 },
-
- /* Highpoint RocketRAID PCIe series */
- { PCI_VDEVICE(TTI, 0x2300), chip_7042 },
- { PCI_VDEVICE(TTI, 0x2310), chip_7042 },
-
- { } /* terminate list */
-};
-
static const struct mv_hw_ops mv5xxx_ops = {
.phy_errata = mv5_phy_errata,
.enable_leds = mv5_enable_leds,
@@ -4320,6 +4289,36 @@ static int mv_pci_init_one(struct pci_dev *pdev,
static int mv_pci_device_resume(struct pci_dev *pdev);
#endif
+static const struct pci_device_id mv_pci_tbl[] = {
+ { PCI_VDEVICE(MARVELL, 0x5040), chip_504x },
+ { PCI_VDEVICE(MARVELL, 0x5041), chip_504x },
+ { PCI_VDEVICE(MARVELL, 0x5080), chip_5080 },
+ { PCI_VDEVICE(MARVELL, 0x5081), chip_508x },
+ /* RocketRAID 1720/174x have different identifiers */
+ { PCI_VDEVICE(TTI, 0x1720), chip_6042 },
+ { PCI_VDEVICE(TTI, 0x1740), chip_6042 },
+ { PCI_VDEVICE(TTI, 0x1742), chip_6042 },
+
+ { PCI_VDEVICE(MARVELL, 0x6040), chip_604x },
+ { PCI_VDEVICE(MARVELL, 0x6041), chip_604x },
+ { PCI_VDEVICE(MARVELL, 0x6042), chip_6042 },
+ { PCI_VDEVICE(MARVELL, 0x6080), chip_608x },
+ { PCI_VDEVICE(MARVELL, 0x6081), chip_608x },
+
+ { PCI_VDEVICE(ADAPTEC2, 0x0241), chip_604x },
+
+ /* Adaptec 1430SA */
+ { PCI_VDEVICE(ADAPTEC2, 0x0243), chip_7042 },
+
+ /* Marvell 7042 support */
+ { PCI_VDEVICE(MARVELL, 0x7042), chip_7042 },
+
+ /* Highpoint RocketRAID PCIe series */
+ { PCI_VDEVICE(TTI, 0x2300), chip_7042 },
+ { PCI_VDEVICE(TTI, 0x2310), chip_7042 },
+
+ { } /* terminate list */
+};
static struct pci_driver mv_pci_driver = {
.name = DRV_NAME,
@@ -4332,6 +4331,7 @@ static struct pci_driver mv_pci_driver = {
#endif
};
+MODULE_DEVICE_TABLE(pci, mv_pci_tbl);
/* move to PCI layer or libata core? */
static int pci_go_64(struct pci_dev *pdev)
@@ -4534,7 +4534,6 @@ static void __exit mv_exit(void)
MODULE_AUTHOR("Brett Russ");
MODULE_DESCRIPTION("SCSI low-level driver for Marvell SATA controllers");
MODULE_LICENSE("GPL v2");
-MODULE_DEVICE_TABLE(pci, mv_pci_tbl);
MODULE_VERSION(DRV_VERSION);
MODULE_ALIAS("platform:" DRV_NAME);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 143/175] ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 142/175] ata: sata_mv: Fix PCI device ID table declaration compilation warning Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 144/175] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Greg Kroah-Hartman
` (37 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, I Gede Agastya Darma Laksana, Takashi Iwai
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
commit 1576f263ee2147dc395531476881058609ad3d38 upstream.
This patch addresses an issue with the Panasonic CF-SZ6's existing quirk,
specifically its headset microphone functionality. Previously, the quirk
used ALC269_FIXUP_HEADSET_MODE, which does not support the CF-SZ6's design
of a single 3.5mm jack for both mic and audio output effectively. The
device uses pin 0x19 for the headset mic without jack detection.
Following verification on the CF-SZ6 and discussions with the original
patch author, i determined that the update to
ALC269_FIXUP_ASPIRE_HEADSET_MIC is the appropriate solution. This change
is custom-designed for the CF-SZ6's unique hardware setup, which includes
a single 3.5mm jack for both mic and audio output, connecting the headset
microphone to pin 0x19 without the use of jack detection.
Fixes: 0fca97a29b83 ("ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk")
Signed-off-by: I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
Cc: <stable@vger.kernel.org>
Message-ID: <20240401174602.14133-1-gedeagas22@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7218,7 +7218,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE),
- SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
+ SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_ASPIRE_HEADSET_MIC),
SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8),
SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC),
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 144/175] wifi: ath9k: fix LNA selection in ath_ant_try_scan()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 143/175] ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 145/175] batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data() Greg Kroah-Hartman
` (36 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit d6b27eb997ef9a2aa51633b3111bc4a04748e6d3 ]
In 'ath_ant_try_scan()', (most likely) the 2nd LNA's signal
strength should be used in comparison against RSSI when
selecting first LNA as the main one. Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://msgid.link/20231211172502.25202-1-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/antenna.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath9k/antenna.c b/drivers/net/wireless/ath/ath9k/antenna.c
index a3668433dc02b..deac6184dd016 100644
--- a/drivers/net/wireless/ath/ath9k/antenna.c
+++ b/drivers/net/wireless/ath/ath9k/antenna.c
@@ -643,7 +643,7 @@ static void ath_ant_try_scan(struct ath_ant_comb *antcomb,
conf->main_lna_conf = ATH_ANT_DIV_COMB_LNA1;
conf->alt_lna_conf = ATH_ANT_DIV_COMB_LNA1_PLUS_LNA2;
} else if (antcomb->rssi_sub >
- antcomb->rssi_lna1) {
+ antcomb->rssi_lna2) {
/* set to A-B */
conf->main_lna_conf = ATH_ANT_DIV_COMB_LNA1;
conf->alt_lna_conf = ATH_ANT_DIV_COMB_LNA1_MINUS_LNA2;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 145/175] batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 144/175] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 146/175] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Greg Kroah-Hartman
` (35 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Elfring, Sven Eckelmann,
Simon Wunderlich, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Elfring <elfring@users.sourceforge.net>
[ Upstream commit ffc15626c861f811f9778914be004fcf43810a91 ]
The kfree() function was called in one case by
the batadv_dat_forward_data() function during error handling
even if the passed variable contained a null pointer.
This issue was detected by using the Coccinelle software.
* Thus return directly after a batadv_dat_select_candidates() call failed
at the beginning.
* Delete the label “out” which became unnecessary with this refactoring.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Acked-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/distributed-arp-table.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index af380dc877e31..6930d414138e1 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -648,7 +648,7 @@ static bool batadv_dat_send_data(struct batadv_priv *bat_priv,
cand = batadv_dat_select_candidates(bat_priv, ip, vid);
if (!cand)
- goto out;
+ return ret;
batadv_dbg(BATADV_DBG_DAT, bat_priv, "DHT_SEND for %pI4\n", &ip);
@@ -692,7 +692,6 @@ static bool batadv_dat_send_data(struct batadv_priv *bat_priv,
batadv_orig_node_put(cand[i].orig_node);
}
-out:
kfree(cand);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 146/175] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 145/175] batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 147/175] arm64: dts: rockchip: fix rk3399 hdmi ports node Greg Kroah-Hartman
` (34 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, Vegard Nossum,
Gustavo A. R. Silva, Harshit Mogalapalli, Kees Cook,
Dan Carpenter, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
[ Upstream commit 19b070fefd0d024af3daa7329cbc0d00de5302ec ]
Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.
memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237
Some code commentry, based on my understanding:
544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/// This is 24 + payload_size
memcpy(&dg_info->msg, dg, dg_size);
Destination = dg_info->msg ---> this is a 24 byte
structure(struct vmci_datagram)
Source = dg --> this is a 24 byte structure (struct vmci_datagram)
Size = dg_size = 24 + payload_size
{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.
35 struct delayed_datagram_info {
36 struct datagram_entry *entry;
37 struct work_struct work;
38 bool in_dg_host_queue;
39 /* msg and msg_payload must be together. */
40 struct vmci_datagram msg;
41 u8 msg_payload[];
42 };
So those extra bytes of payload are copied into msg_payload[], a run time
warning is seen while fuzzing with Syzkaller.
One possible way to fix the warning is to split the memcpy() into
two parts -- one -- direct assignment of msg and second taking care of payload.
Gustavo quoted:
"Under FORTIFY_SOURCE we should not copy data across multiple members
in a structure."
Reported-by: syzkaller <syzkaller@googlegroups.com>
Suggested-by: Vegard Nossum <vegard.nossum@oracle.com>
Suggested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_datagram.c b/drivers/misc/vmw_vmci/vmci_datagram.c
index 8a4b6bbe1beed..275542e8b2ad9 100644
--- a/drivers/misc/vmw_vmci/vmci_datagram.c
+++ b/drivers/misc/vmw_vmci/vmci_datagram.c
@@ -242,7 +242,8 @@ static int dg_dispatch_as_host(u32 context_id, struct vmci_datagram *dg)
dg_info->in_dg_host_queue = true;
dg_info->entry = dst_entry;
- memcpy(&dg_info->msg, dg, dg_size);
+ dg_info->msg = *dg;
+ memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size);
INIT_WORK(&dg_info->work, dg_delayed_dispatch);
schedule_work(&dg_info->work);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 147/175] arm64: dts: rockchip: fix rk3399 hdmi ports node
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 146/175] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 148/175] tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() Greg Kroah-Hartman
` (33 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Jonker, Heiko Stuebner, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Jonker <jbx6244@gmail.com>
[ Upstream commit f051b6ace7ffcc48d6d1017191f167c0a85799f6 ]
Fix rk3399 hdmi ports node so that it matches the
rockchip,dw-hdmi.yaml binding.
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Link: https://lore.kernel.org/r/a6ab6f75-3b80-40b1-bd30-3113e14becdd@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
index 5a60faa8e9998..f19d43021a4e7 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
@@ -1683,6 +1683,7 @@ simple-audio-card,codec {
hdmi: hdmi@ff940000 {
compatible = "rockchip,rk3399-dw-hdmi";
reg = <0x0 0xff940000 0x0 0x20000>;
+ reg-io-width = <4>;
interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH 0>;
clocks = <&cru PCLK_HDMI_CTRL>,
<&cru SCLK_HDMI_SFR>,
@@ -1691,13 +1692,16 @@ hdmi: hdmi@ff940000 {
<&cru PLL_VPLL>;
clock-names = "iahb", "isfr", "cec", "grf", "vpll";
power-domains = <&power RK3399_PD_HDCP>;
- reg-io-width = <4>;
rockchip,grf = <&grf>;
#sound-dai-cells = <0>;
status = "disabled";
ports {
- hdmi_in: port {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ hdmi_in: port@0 {
+ reg = <0>;
#address-cells = <1>;
#size-cells = <0>;
@@ -1710,6 +1714,10 @@ hdmi_in_vopl: endpoint@1 {
remote-endpoint = <&vopl_out_hdmi>;
};
};
+
+ hdmi_out: port@1 {
+ reg = <1>;
+ };
};
};
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 148/175] tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 147/175] arm64: dts: rockchip: fix rk3399 hdmi ports node Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 149/175] btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() Greg Kroah-Hartman
` (32 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samasth Norway Ananda,
Rafael J. Wysocki, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
[ Upstream commit f85450f134f0b4ca7e042dc3dc89155656a2299d ]
In function get_pkg_num() if fopen_or_die() succeeds it returns a file
pointer to be used. But fclose() is never called before returning from
the function.
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
index 2aba622d1c5aa..470d03e143422 100644
--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
+++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
@@ -1112,6 +1112,7 @@ unsigned int get_pkg_num(int cpu)
retval = fscanf(fp, "%d\n", &pkg);
if (retval != 1)
errx(1, "%s: failed to parse", pathname);
+ fclose(fp);
return pkg;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 149/175] btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 148/175] tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 150/175] btrfs: export: handle invalid inode or root reference in btrfs_get_parent() Greg Kroah-Hartman
` (31 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Anand Jain,
David Sterba, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 7411055db5ce64f836aaffd422396af0075fdc99 ]
The unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,
as it could be caused only by two impossible conditions:
- at first the search key is set up to look for a chunk tree item, with
offset -1, this is an inexact search and the key->offset will contain
the correct offset upon a successful search, a valid chunk tree item
cannot have an offset -1
- after first successful search, the found_key corresponds to a chunk
item, the offset is decremented by 1 before the next loop, it's
impossible to find a chunk item there due to alignment and size
constraints
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/volumes.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index ceced5e56c5a9..30b5646b2c0de 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -2948,7 +2948,17 @@ static int btrfs_relocate_sys_chunks(struct btrfs_fs_info *fs_info)
mutex_unlock(&fs_info->delete_unused_bgs_mutex);
goto error;
}
- BUG_ON(ret == 0); /* Corruption */
+ if (ret == 0) {
+ /*
+ * On the first search we would find chunk tree with
+ * offset -1, which is not possible. On subsequent
+ * loops this would find an existing item on an invalid
+ * offset (one less than the previous one, wrong
+ * alignment and size).
+ */
+ ret = -EUCLEAN;
+ goto error;
+ }
ret = btrfs_previous_item(chunk_root, path, key.objectid,
key.type);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 150/175] btrfs: export: handle invalid inode or root reference in btrfs_get_parent()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 149/175] btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 151/175] btrfs: send: handle path ref underflow in header iterate_inode_ref() Greg Kroah-Hartman
` (30 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Anand Jain,
David Sterba, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 26b66d1d366a375745755ca7365f67110bbf6bd5 ]
The get_parent handler looks up a parent of a given dentry, this can be
either a subvolume or a directory. The search is set up with offset -1
but it's never expected to find such item, as it would break allowed
range of inode number or a root id. This means it's a corruption (ext4
also returns this error code).
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/export.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c
index ecc33e3a3c063..01e9a5afc33bf 100644
--- a/fs/btrfs/export.c
+++ b/fs/btrfs/export.c
@@ -182,8 +182,15 @@ struct dentry *btrfs_get_parent(struct dentry *child)
ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
if (ret < 0)
goto fail;
+ if (ret == 0) {
+ /*
+ * Key with offset of -1 found, there would have to exist an
+ * inode with such number or a root with such id.
+ */
+ ret = -EUCLEAN;
+ goto fail;
+ }
- BUG_ON(ret == 0); /* Key with offset of -1 found */
if (path->slots[0] == 0) {
ret = -ENOENT;
goto fail;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 151/175] btrfs: send: handle path ref underflow in header iterate_inode_ref()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 150/175] btrfs: export: handle invalid inode or root reference in btrfs_get_parent() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 152/175] Bluetooth: btintel: Fix null ptr deref in btintel_read_version Greg Kroah-Hartman
` (29 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 3c6ee34c6f9cd12802326da26631232a61743501 ]
Change BUG_ON to proper error handling if building the path buffer
fails. The pointers are not printed so we don't accidentally leak kernel
addresses.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/send.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 0c86409a316e8..e3b6ca9176afe 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -958,7 +958,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path,
ret = PTR_ERR(start);
goto out;
}
- BUG_ON(start < p->buf);
+ if (unlikely(start < p->buf)) {
+ btrfs_err(root->fs_info,
+ "send: path ref buffer underflow for key (%llu %u %llu)",
+ found_key->objectid,
+ found_key->type,
+ found_key->offset);
+ ret = -EINVAL;
+ goto out;
+ }
}
p->start = start;
} else {
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 152/175] Bluetooth: btintel: Fix null ptr deref in btintel_read_version
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 151/175] btrfs: send: handle path ref underflow in header iterate_inode_ref() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 153/175] Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails Greg Kroah-Hartman
` (28 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis,
Luiz Augusto von Dentz, Sasha Levin, syzbot+830d9e3fa61968246abd
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit b79e040910101b020931ba0c9a6b77e81ab7f645 ]
If hci_cmd_sync_complete() is triggered and skb is NULL, then
hdev->req_skb is NULL, which will cause this issue.
Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btintel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index 5270d55132015..6a3c0ad9f10ce 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -355,7 +355,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
struct sk_buff *skb;
skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
- if (IS_ERR(skb)) {
+ if (IS_ERR_OR_NULL(skb)) {
bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
PTR_ERR(skb));
return PTR_ERR(skb);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 153/175] Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 152/175] Bluetooth: btintel: Fix null ptr deref in btintel_read_version Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 154/175] sysv: dont call sb_bread() with pointers_lock held Greg Kroah-Hartman
` (27 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunwu Chan, Dmitry Torokhov, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunwu Chan <chentao@kylinos.cn>
[ Upstream commit bc4996184d56cfaf56d3811ac2680c8a0e2af56e ]
While input core can work with input->phys set to NULL userspace might
depend on it, so better fail probing if allocation fails. The system must
be in a pretty bad shape for it to happen anyway.
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
Link: https://lore.kernel.org/r/20240117073124.143636-1-chentao@kylinos.cn
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/input/rmi4/rmi_driver.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
index ac6a20f7afdfa..0da814b41e72b 100644
--- a/drivers/input/rmi4/rmi_driver.c
+++ b/drivers/input/rmi4/rmi_driver.c
@@ -1199,7 +1199,11 @@ static int rmi_driver_probe(struct device *dev)
}
rmi_driver_set_input_params(rmi_dev, data->input);
data->input->phys = devm_kasprintf(dev, GFP_KERNEL,
- "%s/input0", dev_name(dev));
+ "%s/input0", dev_name(dev));
+ if (!data->input->phys) {
+ retval = -ENOMEM;
+ goto err;
+ }
}
retval = rmi_init_functions(data);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 154/175] sysv: dont call sb_bread() with pointers_lock held
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 153/175] Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 155/175] scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() Greg Kroah-Hartman
` (26 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Al Viro, Tetsuo Handa,
Christian Brauner, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit f123dc86388cb669c3d6322702dc441abc35c31e ]
syzbot is reporting sleep in atomic context in SysV filesystem [1], for
sb_bread() is called with rw_spinlock held.
A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug
and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by
"Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12.
Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the
former bug by moving pointers_lock lock to the callers, but instead
introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made
this problem easier to hit).
Al Viro suggested that why not to do like get_branch()/get_block()/
find_shared() in Minix filesystem does. And doing like that is almost a
revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch()
from with find_shared() is called without write_lock(&pointers_lock).
Reported-by: syzbot <syzbot+69b40dc5fd40f32c199f@syzkaller.appspotmail.com>
Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKURA.ne.jp
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/sysv/itree.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
index e3d1673b8ec97..ef9bcfeec21ad 100644
--- a/fs/sysv/itree.c
+++ b/fs/sysv/itree.c
@@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh)
return (sysv_zone_t*)((char*)bh->b_data + bh->b_size);
}
-/*
- * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock)
- */
static Indirect *get_branch(struct inode *inode,
int depth,
int offsets[],
@@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode,
bh = sb_bread(sb, block);
if (!bh)
goto failure;
+ read_lock(&pointers_lock);
if (!verify_chain(chain, p))
goto changed;
add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets);
+ read_unlock(&pointers_lock);
if (!p->key)
goto no_block;
}
return NULL;
changed:
+ read_unlock(&pointers_lock);
brelse(bh);
*err = -EAGAIN;
goto no_block;
@@ -218,9 +218,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b
goto out;
reread:
- read_lock(&pointers_lock);
partial = get_branch(inode, depth, offsets, chain, &err);
- read_unlock(&pointers_lock);
/* Simplest case - block found, no allocation needed */
if (!partial) {
@@ -290,9 +288,9 @@ static Indirect *find_shared(struct inode *inode,
*top = 0;
for (k = depth; k > 1 && !offsets[k-1]; k--)
;
+ partial = get_branch(inode, k, offsets, chain, &err);
write_lock(&pointers_lock);
- partial = get_branch(inode, k, offsets, chain, &err);
if (!partial)
partial = chain + k-1;
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 155/175] scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 154/175] sysv: dont call sb_bread() with pointers_lock held Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 156/175] isofs: handle CDs with bad root inode but good Joliet root directory Greg Kroah-Hartman
` (25 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Himanshu Madhani,
Martin K. Petersen, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit 2ae917d4bcab80ab304b774d492e2fcd6c52c06b ]
The call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an
unsuccessful status. In such cases, the elsiocb is not issued, the
completion is not called, and thus the elsiocb resource is leaked.
Check return value after calling lpfc_sli4_resume_rpi() and conditionally
release the elsiocb resource.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20240131185112.149731-3-justintee8345@gmail.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_nportdisc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index f666518d84b0a..0890c2e38eeca 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -601,8 +601,10 @@ lpfc_rcv_padisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
/* Save the ELS cmd */
elsiocb->drvrTimeout = cmd;
- lpfc_sli4_resume_rpi(ndlp,
- lpfc_mbx_cmpl_resume_rpi, elsiocb);
+ if (lpfc_sli4_resume_rpi(ndlp,
+ lpfc_mbx_cmpl_resume_rpi,
+ elsiocb))
+ kfree(elsiocb);
goto out;
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 156/175] isofs: handle CDs with bad root inode but good Joliet root directory
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 155/175] scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 157/175] media: sta2x11: fix irq handler cast Greg Kroah-Hartman
` (24 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Henrie, Jan Kara, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Henrie <alexhenrie24@gmail.com>
[ Upstream commit 4243bf80c79211a8ca2795401add9c4a3b1d37ca ]
I have a CD copy of the original Tom Clancy's Ghost Recon game from
2001. The disc mounts without error on Windows, but on Linux mounting
fails with the message "isofs_fill_super: get root inode failed". The
error originates in isofs_read_inode, which returns -EIO because de_len
is 0. The superblock on this disc appears to be intentionally corrupt as
a form of copy protection.
When the root inode is unusable, instead of giving up immediately, try
to continue with the Joliet file table. This fixes the Ghost Recon CD
and probably other copy-protected CDs too.
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Message-Id: <20240208022134.451490-1-alexhenrie24@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/isofs/inode.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
index 6e4e2cfd40b9e..aec11a7676c9e 100644
--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -910,8 +910,22 @@ static int isofs_fill_super(struct super_block *s, void *data, int silent)
* we then decide whether to use the Joliet descriptor.
*/
inode = isofs_iget(s, sbi->s_firstdatazone, 0);
- if (IS_ERR(inode))
- goto out_no_root;
+
+ /*
+ * Fix for broken CDs with a corrupt root inode but a correct Joliet
+ * root directory.
+ */
+ if (IS_ERR(inode)) {
+ if (joliet_level && sbi->s_firstdatazone != first_data_zone) {
+ printk(KERN_NOTICE
+ "ISOFS: root inode is unusable. "
+ "Disabling Rock Ridge and switching to Joliet.");
+ sbi->s_rock = 0;
+ inode = NULL;
+ } else {
+ goto out_no_root;
+ }
+ }
/*
* Fix for broken CDs with Rock Ridge and empty ISO root directory but
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 157/175] media: sta2x11: fix irq handler cast
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 156/175] isofs: handle CDs with bad root inode but good Joliet root directory Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 158/175] drm/amd/display: Fix nanosec stat overflow Greg Kroah-Hartman
` (23 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Hans Verkuil, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 3de49ae81c3a0f83a554ecbce4c08e019f30168e ]
clang-16 warns about casting incompatible function pointers:
drivers/media/pci/sta2x11/sta2x11_vip.c:1057:6: error: cast from 'irqreturn_t (*)(int, struct sta2x11_vip *)' (aka 'enum irqreturn (*)(int, struct sta2x11_vip *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
Change the prototype of the irq handler to the regular version with a
local variable to adjust the argument type.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil: update argument documentation]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/pci/sta2x11/sta2x11_vip.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/media/pci/sta2x11/sta2x11_vip.c b/drivers/media/pci/sta2x11/sta2x11_vip.c
index 1858efedaf1a4..33d6c95b36130 100644
--- a/drivers/media/pci/sta2x11/sta2x11_vip.c
+++ b/drivers/media/pci/sta2x11/sta2x11_vip.c
@@ -780,7 +780,7 @@ static const struct video_device video_dev_template = {
/**
* vip_irq - interrupt routine
* @irq: Number of interrupt ( not used, correct number is assumed )
- * @vip: local data structure containing all information
+ * @data: local data structure containing all information
*
* check for both frame interrupts set ( top and bottom ).
* check FIFO overflow, but limit number of log messages after open.
@@ -790,8 +790,9 @@ static const struct video_device video_dev_template = {
*
* IRQ_HANDLED, interrupt done.
*/
-static irqreturn_t vip_irq(int irq, struct sta2x11_vip *vip)
+static irqreturn_t vip_irq(int irq, void *data)
{
+ struct sta2x11_vip *vip = data;
unsigned int status;
status = reg_read(vip, DVP_ITS);
@@ -1073,9 +1074,7 @@ static int sta2x11_vip_init_one(struct pci_dev *pdev,
spin_lock_init(&vip->slock);
- ret = request_irq(pdev->irq,
- (irq_handler_t) vip_irq,
- IRQF_SHARED, KBUILD_MODNAME, vip);
+ ret = request_irq(pdev->irq, vip_irq, IRQF_SHARED, KBUILD_MODNAME, vip);
if (ret) {
dev_err(&pdev->dev, "request_irq failed\n");
ret = -ENODEV;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 158/175] drm/amd/display: Fix nanosec stat overflow
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 157/175] media: sta2x11: fix irq handler cast Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 159/175] SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int Greg Kroah-Hartman
` (22 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, Daniel Wheeler,
Aric Cyr, Alex Deucher, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aric Cyr <aric.cyr@amd.com>
[ Upstream commit 14d68acfd04b39f34eea7bea65dda652e6db5bf6 ]
[Why]
Nanosec stats can overflow on long running systems potentially causing
statistic logging issues.
[How]
Use 64bit types for nanosec stats to ensure no overflow.
Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Aric Cyr <aric.cyr@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/modules/inc/mod_stats.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h b/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h
index 3812094b52e8f..88b312c3eb43a 100644
--- a/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h
+++ b/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h
@@ -51,10 +51,10 @@ void mod_stats_update_event(struct mod_stats *mod_stats,
unsigned int length);
void mod_stats_update_flip(struct mod_stats *mod_stats,
- unsigned long timestamp_in_ns);
+ unsigned long long timestamp_in_ns);
void mod_stats_update_vupdate(struct mod_stats *mod_stats,
- unsigned long timestamp_in_ns);
+ unsigned long long timestamp_in_ns);
void mod_stats_update_freesync(struct mod_stats *mod_stats,
unsigned int v_total_min,
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 159/175] SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 158/175] drm/amd/display: Fix nanosec stat overflow Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 160/175] block: prevent division by zero in blk_rq_stat_sum() Greg Kroah-Hartman
` (21 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dai Ngo, Jeff Layton,
Trond Myklebust, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
[ Upstream commit 2c35f43b5a4b9cdfaa6fdd946f5a212615dac8eb ]
When the NFS client is under extreme load the rpc_wait_queue.qlen counter
can be overflowed. Here is an instant of the backlog queue overflow in a
real world environment shown by drgn helper:
rpc_task_stats(rpc_clnt):
-------------------------
rpc_clnt: 0xffff92b65d2bae00
rpc_xprt: 0xffff9275db64f000
Queue: sending[64887] pending[524] backlog[30441] binding[0]
XMIT task: 0xffff925c6b1d8e98
WRITE: 750654
__dta_call_status_580: 65463
__dta_call_transmit_status_579: 1
call_reserveresult: 685189
nfs_client_init_is_complete: 1
COMMIT: 584
call_reserveresult: 573
__dta_call_status_580: 11
ACCESS: 1
__dta_call_status_580: 1
GETATTR: 10
__dta_call_status_580: 4
call_reserveresult: 6
751249 tasks for server 111.222.333.444
Total tasks: 751249
count_rpc_wait_queues(xprt):
----------------------------
**** rpc_xprt: 0xffff9275db64f000 num_reqs: 65511
wait_queue: xprt_binding[0] cnt: 0
wait_queue: xprt_binding[1] cnt: 0
wait_queue: xprt_binding[2] cnt: 0
wait_queue: xprt_binding[3] cnt: 0
rpc_wait_queue[xprt_binding].qlen: 0 maxpriority: 0
wait_queue: xprt_sending[0] cnt: 0
wait_queue: xprt_sending[1] cnt: 64887
wait_queue: xprt_sending[2] cnt: 0
wait_queue: xprt_sending[3] cnt: 0
rpc_wait_queue[xprt_sending].qlen: 64887 maxpriority: 3
wait_queue: xprt_pending[0] cnt: 524
wait_queue: xprt_pending[1] cnt: 0
wait_queue: xprt_pending[2] cnt: 0
wait_queue: xprt_pending[3] cnt: 0
rpc_wait_queue[xprt_pending].qlen: 524 maxpriority: 0
wait_queue: xprt_backlog[0] cnt: 0
wait_queue: xprt_backlog[1] cnt: 685801
wait_queue: xprt_backlog[2] cnt: 0
wait_queue: xprt_backlog[3] cnt: 0
rpc_wait_queue[xprt_backlog].qlen: 30441 maxpriority: 3 [task cnt mismatch]
There is no effect on operations when this overflow occurs. However
it causes confusion when trying to diagnose the performance problem.
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sunrpc/sched.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h
index 96837ae07822b..ca0a568fd8244 100644
--- a/include/linux/sunrpc/sched.h
+++ b/include/linux/sunrpc/sched.h
@@ -190,7 +190,7 @@ struct rpc_wait_queue {
unsigned char maxpriority; /* maximum priority (0 if queue is not a priority queue) */
unsigned char priority; /* current priority */
unsigned char nr; /* # tasks remaining for cookie */
- unsigned short qlen; /* total # tasks waiting in queue */
+ unsigned int qlen; /* total # tasks waiting in queue */
struct rpc_timer timer_list;
#if IS_ENABLED(CONFIG_SUNRPC_DEBUG) || IS_ENABLED(CONFIG_TRACEPOINTS)
const char * name;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 160/175] block: prevent division by zero in blk_rq_stat_sum()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 159/175] SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 161/175] Input: allocate keycode for Display refresh rate toggle Greg Kroah-Hartman
` (20 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roman Smirnov, Sergey Shtylyov,
Jens Axboe, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Smirnov <r.smirnov@omp.ru>
[ Upstream commit 93f52fbeaf4b676b21acfe42a5152620e6770d02 ]
The expression dst->nr_samples + src->nr_samples may
have zero value on overflow. It is necessary to add
a check to avoid division by zero.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Link: https://lore.kernel.org/r/20240305134509.23108-1-r.smirnov@omp.ru
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-stat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/blk-stat.c b/block/blk-stat.c
index 7587b1c3caaf5..507ac714423bd 100644
--- a/block/blk-stat.c
+++ b/block/blk-stat.c
@@ -27,7 +27,7 @@ void blk_rq_stat_init(struct blk_rq_stat *stat)
/* src is a per-cpu stat, mean isn't initialized */
void blk_rq_stat_sum(struct blk_rq_stat *dst, struct blk_rq_stat *src)
{
- if (!src->nr_samples)
+ if (dst->nr_samples + src->nr_samples <= dst->nr_samples)
return;
dst->min = min(dst->min, src->min);
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 161/175] Input: allocate keycode for Display refresh rate toggle
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 160/175] block: prevent division by zero in blk_rq_stat_sum() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 162/175] ktest: force $buildonly = 1 for make_warnings_file test type Greg Kroah-Hartman
` (19 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gergo Koteles, Dmitry Torokhov,
Ilpo Järvinen, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gergo Koteles <soyer@irl.hu>
[ Upstream commit cfeb98b95fff25c442f78a6f616c627bc48a26b7 ]
Newer Lenovo Yogas and Legions with 60Hz/90Hz displays send a wmi event
when Fn + R is pressed. This is intended for use to switch between the
two refresh rates.
Allocate a new KEY_REFRESH_RATE_TOGGLE keycode for it.
Signed-off-by: Gergo Koteles <soyer@irl.hu>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Link: https://lore.kernel.org/r/15a5d08c84cf4d7b820de34ebbcf8ae2502fb3ca.1710065750.git.soyer@irl.hu
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/input-event-codes.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h
index 1c011379a9967..76b524895dea6 100644
--- a/include/uapi/linux/input-event-codes.h
+++ b/include/uapi/linux/input-event-codes.h
@@ -596,6 +596,7 @@
#define KEY_ALS_TOGGLE 0x230 /* Ambient light sensor */
#define KEY_ROTATE_LOCK_TOGGLE 0x231 /* Display rotation lock */
+#define KEY_REFRESH_RATE_TOGGLE 0x232 /* Display refresh rate toggle */
#define KEY_BUTTONCONFIG 0x240 /* AL Button Configuration */
#define KEY_TASKMANAGER 0x241 /* AL Task/Project Manager */
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 162/175] ktest: force $buildonly = 1 for make_warnings_file test type
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 161/175] Input: allocate keycode for Display refresh rate toggle Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 163/175] tools: iio: replace seekdir() in iio_generic_buffer Greg Kroah-Hartman
` (18 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Ricardo B. Marliere,
Steven Rostedt, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marliere <ricardo@marliere.net>
[ Upstream commit 07283c1873a4d0eaa0e822536881bfdaea853910 ]
The test type "make_warnings_file" should have no mandatory configuration
parameters other than the ones required by the "build" test type, because
its purpose is to create a file with build warnings that may or may not be
used by other subsequent tests. Currently, the only way to use it as a
stand-alone test is by setting POWER_CYCLE, CONSOLE, SSH_USER,
BUILD_TARGET, TARGET_IMAGE, REBOOT_TYPE and GRUB_MENU.
Link: https://lkml.kernel.org/r/20240315-ktest-v2-1-c5c20a75f6a3@marliere.net
Cc: John Hawley <warthog9@eaglescrag.net>
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 128a7fe45a1e3..a29d9e125b00b 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -765,6 +765,7 @@ sub set_value {
if ($lvalue =~ /^(TEST|BISECT|CONFIG_BISECT)_TYPE(\[.*\])?$/ &&
$prvalue !~ /^(config_|)bisect$/ &&
$prvalue !~ /^build$/ &&
+ $prvalue !~ /^make_warnings_file$/ &&
$buildonly) {
# Note if a test is something other than build, then we
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 163/175] tools: iio: replace seekdir() in iio_generic_buffer
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 162/175] ktest: force $buildonly = 1 for make_warnings_file test type Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 164/175] usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined Greg Kroah-Hartman
` (17 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petre Rodan, Jonathan Cameron, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petre Rodan <petre.rodan@subdimension.ro>
[ Upstream commit 4e6500bfa053dc133021f9c144261b77b0ba7dc8 ]
Replace seekdir() with rewinddir() in order to fix a localized glibc bug.
One of the glibc patches that stable Gentoo is using causes an improper
directory stream positioning bug on 32bit arm. That in turn ends up as a
floating point exception in iio_generic_buffer.
The attached patch provides a fix by using an equivalent function which
should not cause trouble for other distros and is easier to reason about
in general as it obviously always goes back to to the start.
https://sourceware.org/bugzilla/show_bug.cgi?id=31212
Signed-off-by: Petre Rodan <petre.rodan@subdimension.ro>
Link: https://lore.kernel.org/r/20240108103224.3986-1-petre.rodan@subdimension.ro
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/iio/iio_utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c
index d174487b2f226..1ef51c7e7b04f 100644
--- a/tools/iio/iio_utils.c
+++ b/tools/iio/iio_utils.c
@@ -376,7 +376,7 @@ int build_channel_array(const char *device_dir,
goto error_close_dir;
}
- seekdir(dp, 0);
+ rewinddir(dp);
while (ent = readdir(dp), ent) {
if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"),
"_en") == 0) {
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 164/175] usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 163/175] tools: iio: replace seekdir() in iio_generic_buffer Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 165/175] fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 Greg Kroah-Hartman
` (16 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Colin Ian King, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.i.king@gmail.com>
[ Upstream commit 12f371e2b6cb4b79c788f1f073992e115f4ca918 ]
Function checkdone is only required if QUIRK2 is defined, so add
appropriate #if / #endif around the function.
Cleans up clang scan build warning:
drivers/usb/host/sl811-hcd.c:588:18: warning: unused function
'checkdone' [-Wunused-function]
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Link: https://lore.kernel.org/r/20240307111351.1982382-1-colin.i.king@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/sl811-hcd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/host/sl811-hcd.c b/drivers/usb/host/sl811-hcd.c
index 6dedefada92b1..873300e8cd277 100644
--- a/drivers/usb/host/sl811-hcd.c
+++ b/drivers/usb/host/sl811-hcd.c
@@ -585,6 +585,7 @@ done(struct sl811 *sl811, struct sl811h_ep *ep, u8 bank)
finish_request(sl811, ep, urb, urbstat);
}
+#ifdef QUIRK2
static inline u8 checkdone(struct sl811 *sl811)
{
u8 ctl;
@@ -616,6 +617,7 @@ static inline u8 checkdone(struct sl811 *sl811)
#endif
return irqstat;
}
+#endif
static irqreturn_t sl811h_irq(struct usb_hcd *hcd)
{
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 165/175] fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 164/175] usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 166/175] fbmon: prevent division by zero in fb_videomode_from_videomode() Greg Kroah-Hartman
` (15 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Burakov, Helge Deller,
Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Burakov <a.burakov@rosalinux.ru>
[ Upstream commit bc87bb342f106a0402186bcb588fcbe945dced4b ]
There are some actions with value 'tmp' but 'dst_addr' is checked instead.
It is obvious that a copy-paste error was made here and the value
of variable 'tmp' should be checked here.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/via/accel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/via/accel.c b/drivers/video/fbdev/via/accel.c
index eb3615c69987e..f542b01568df9 100644
--- a/drivers/video/fbdev/via/accel.c
+++ b/drivers/video/fbdev/via/accel.c
@@ -129,7 +129,7 @@ static int hw_bitblt_1(void __iomem *engine, u8 op, u32 width, u32 height,
if (op != VIA_BITBLT_FILL) {
tmp = src_mem ? 0 : src_addr;
- if (dst_addr & 0xE0000007) {
+ if (tmp & 0xE0000007) {
printk(KERN_WARNING "hw_bitblt_1: Unsupported source "
"address %X\n", tmp);
return -EINVAL;
@@ -274,7 +274,7 @@ static int hw_bitblt_2(void __iomem *engine, u8 op, u32 width, u32 height,
writel(tmp, engine + 0x18);
tmp = src_mem ? 0 : src_addr;
- if (dst_addr & 0xE0000007) {
+ if (tmp & 0xE0000007) {
printk(KERN_WARNING "hw_bitblt_2: Unsupported source "
"address %X\n", tmp);
return -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 166/175] fbmon: prevent division by zero in fb_videomode_from_videomode()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 165/175] fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 167/175] tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Greg Kroah-Hartman
` (14 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roman Smirnov, Sergey Shtylyov,
Helge Deller, Sasha Levin
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Smirnov <r.smirnov@omp.ru>
[ Upstream commit c2d953276b8b27459baed1277a4fdd5dd9bd4126 ]
The expression htotal * vtotal can have a zero value on
overflow. It is necessary to prevent division by zero like in
fb_var_to_videomode().
Found by Linux Verification Center (linuxtesting.org) with Svace.
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fbmon.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/video/fbdev/core/fbmon.c b/drivers/video/fbdev/core/fbmon.c
index 8607439d69328..e4040fb860bbc 100644
--- a/drivers/video/fbdev/core/fbmon.c
+++ b/drivers/video/fbdev/core/fbmon.c
@@ -1309,7 +1309,7 @@ int fb_get_mode(int flags, u32 val, struct fb_var_screeninfo *var, struct fb_inf
int fb_videomode_from_videomode(const struct videomode *vm,
struct fb_videomode *fbmode)
{
- unsigned int htotal, vtotal;
+ unsigned int htotal, vtotal, total;
fbmode->xres = vm->hactive;
fbmode->left_margin = vm->hback_porch;
@@ -1342,8 +1342,9 @@ int fb_videomode_from_videomode(const struct videomode *vm,
vtotal = vm->vactive + vm->vfront_porch + vm->vback_porch +
vm->vsync_len;
/* prevent division by zero */
- if (htotal && vtotal) {
- fbmode->refresh = vm->pixelclock / (htotal * vtotal);
+ total = htotal * vtotal;
+ if (total) {
+ fbmode->refresh = vm->pixelclock / total;
/* a mode must have htotal and vtotal != 0 or it is invalid */
} else {
fbmode->refresh = 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 195+ messages in thread
* [PATCH 4.19 167/175] tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 166/175] fbmon: prevent division by zero in fb_videomode_from_videomode() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 168/175] drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put() Greg Kroah-Hartman
` (13 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
commit 67c37756898a5a6b2941a13ae7260c89b54e0d88 upstream.
Any unprivileged user can attach N_GSM0710 ldisc, but it requires
CAP_NET_ADMIN to create a GSM network anyway.
Require initial namespace CAP_NET_ADMIN to do that.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com
From: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/n_gsm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -2435,6 +2435,9 @@ static int gsmld_open(struct tty_struct
struct gsm_mux *gsm;
int ret;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (tty->ops->write == NULL)
return -EINVAL;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 168/175] drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 167/175] tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 169/175] virtio: reenable config if freezing device failed Greg Kroah-Hartman
` (12 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, guomengqi3
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guo Mengqi <guomengqi3@huawei.com>
commit 73a82b22963d ("drm/atomic: Fix potential use-after-free
in nonblocking commits") introduced drm_dev_get/put() to
drm_atomic_helper_shutdown(). And this cause problem in vkms driver exit
process.
vkms_exit()
drm_dev_put()
vkms_release()
drm_atomic_helper_shutdown()
drm_dev_get()
drm_dev_put()
vkms_release() ------ use after free
Using 5.4 stable x86 image on qemu, below stacktrace can be triggered by
load and unload vkms.ko.
root:~ # insmod vkms.ko
[ 76.957802] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[ 76.961490] [drm] Driver supports precise vblank timestamp query.
[ 76.964416] [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 0
root:~ # rmmod vkms.ko
[ 79.650202] refcount_t: addition on 0; use-after-free.
[ 79.650249] WARNING: CPU: 2 PID: 3533 at ../lib/refcount.c:25 refcount_warn_saturate+0xcf/0xf0
[ 79.654241] Modules linked in: vkms(-)
[ 79.654249] CPU: 2 PID: 3533 Comm: rmmod Not tainted 5.4.273 #4
[ 79.654251] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 79.654262] RIP: 0010:refcount_warn_saturate+0xcf/0xf0
...
[ 79.654296] Call Trace:
[ 79.654462] ? __warn+0x80/0xd0
[ 79.654473] ? refcount_warn_saturate+0xcf/0xf0
[ 79.654481] ? report_bug+0xb6/0x130
[ 79.654484] ? refcount_warn_saturate+0xcf/0xf0
[ 79.654489] ? fixup_bug.part.12+0x13/0x30
[ 79.654492] ? do_error_trap+0x90/0xb0
[ 79.654495] ? do_invalid_op+0x31/0x40
[ 79.654497] ? refcount_warn_saturate+0xcf/0xf0
[ 79.654504] ? invalid_op+0x1e/0x30
[ 79.654508] ? refcount_warn_saturate+0xcf/0xf0
[ 79.654516] drm_atomic_state_init+0x68/0xb0
[ 79.654543] drm_atomic_state_alloc+0x43/0x60
[ 79.654551] drm_atomic_helper_disable_all+0x13/0x180
[ 79.654562] drm_atomic_helper_shutdown+0x5f/0xb0
[ 79.654571] vkms_release+0x18/0x40 [vkms]
[ 79.654575] vkms_exit+0x29/0xc00 [vkms]
[ 79.654582] __x64_sys_delete_module+0x155/0x220
[ 79.654592] do_syscall_64+0x43/0x120
[ 79.654603] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 79.654619] ---[ end trace ce0c02f57ea6bf73 ]---
It seems that the proper unload sequence is:
drm_atomic_helper_shutdown();
drm_dev_put();
Just put drm_atomic_helper_shutdown() before drm_dev_put()
should solve the problem.
Note that vkms exit code is refactored by commit 53d77aaa3f76
("drm/vkms: Use devm_drm_dev_alloc") in tags/v5.10-rc1.
So this bug only exists on 4.19 and 5.4.
Fixes: 380c7ceabdde ("drm/atomic: Fix potential use-after-free in nonblocking commits")
Fixes: 2ead1be54b22 ("drm/vkms: Fix connector leak at the module removal")
Signed-off-by: Guo Mengqi <guomengqi3@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/vkms/vkms_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/vkms/vkms_drv.c
+++ b/drivers/gpu/drm/vkms/vkms_drv.c
@@ -39,7 +39,6 @@ static void vkms_release(struct drm_devi
struct vkms_device *vkms = container_of(dev, struct vkms_device, drm);
platform_device_unregister(vkms->platform);
- drm_atomic_helper_shutdown(&vkms->drm);
drm_mode_config_cleanup(&vkms->drm);
drm_dev_fini(&vkms->drm);
}
@@ -137,6 +136,7 @@ static void __exit vkms_exit(void)
}
drm_dev_unregister(&vkms_device->drm);
+ drm_atomic_helper_shutdown(&vkms_device->drm);
drm_dev_put(&vkms_device->drm);
kfree(vkms_device);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 169/175] virtio: reenable config if freezing device failed
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 168/175] drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 170/175] x86/mm/pat: fix VM_PAT handling in COW mappings Greg Kroah-Hartman
` (11 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Michael S. Tsirkin,
Jason Wang, Xuan Zhuo, David Hildenbrand
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit 310227f42882c52356b523e2f4e11690eebcd2ab upstream.
Currently, we don't reenable the config if freezing the device failed.
For example, virtio-mem currently doesn't support suspend+resume, and
trying to freeze the device will always fail. Afterwards, the device
will no longer respond to resize requests, because it won't get notified
about config changes.
Let's fix this by re-enabling the config if freezing fails.
Fixes: 22b7050a024d ("virtio: defer config changed notifications")
Cc: <stable@kernel.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20240213135425.795001-1-david@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virtio/virtio.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/virtio/virtio.c
+++ b/drivers/virtio/virtio.c
@@ -376,13 +376,19 @@ EXPORT_SYMBOL_GPL(unregister_virtio_devi
int virtio_device_freeze(struct virtio_device *dev)
{
struct virtio_driver *drv = drv_to_virtio(dev->dev.driver);
+ int ret;
virtio_config_disable(dev);
dev->failed = dev->config->get_status(dev) & VIRTIO_CONFIG_S_FAILED;
- if (drv && drv->freeze)
- return drv->freeze(dev);
+ if (drv && drv->freeze) {
+ ret = drv->freeze(dev);
+ if (ret) {
+ virtio_config_enable(dev);
+ return ret;
+ }
+ }
return 0;
}
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 170/175] x86/mm/pat: fix VM_PAT handling in COW mappings
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 169/175] virtio: reenable config if freezing device failed Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 171/175] Bluetooth: btintel: Fixe build regression Greg Kroah-Hartman
` (10 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Wupeng Ma,
Ingo Molnar, Dave Hansen, Andy Lutomirski, Peter Zijlstra,
Thomas Gleixner, Borislav Petkov, H. Peter Anvin, Andrew Morton
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit 04c35ab3bdae7fefbd7c7a7355f29fa03a035221 upstream.
PAT handling won't do the right thing in COW mappings: the first PTE (or,
in fact, all PTEs) can be replaced during write faults to point at anon
folios. Reliably recovering the correct PFN and cachemode using
follow_phys() from PTEs will not work in COW mappings.
Using follow_phys(), we might just get the address+protection of the anon
folio (which is very wrong), or fail on swap/nonswap entries, failing
follow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and
track_pfn_copy(), not properly calling free_pfn_range().
In free_pfn_range(), we either wouldn't call memtype_free() or would call
it with the wrong range, possibly leaking memory.
To fix that, let's update follow_phys() to refuse returning anon folios,
and fallback to using the stored PFN inside vma->vm_pgoff for COW mappings
if we run into that.
We will now properly handle untrack_pfn() with COW mappings, where we
don't need the cachemode. We'll have to fail fork()->track_pfn_copy() if
the first page was replaced by an anon folio, though: we'd have to store
the cachemode in the VMA to make this work, likely growing the VMA size.
For now, lets keep it simple and let track_pfn_copy() just fail in that
case: it would have failed in the past with swap/nonswap entries already,
and it would have done the wrong thing with anon folios.
Simple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():
<--- C reproducer --->
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <liburing.h>
int main(void)
{
struct io_uring_params p = {};
int ring_fd;
size_t size;
char *map;
ring_fd = io_uring_setup(1, &p);
if (ring_fd < 0) {
perror("io_uring_setup");
return 1;
}
size = p.sq_off.array + p.sq_entries * sizeof(unsigned);
/* Map the submission queue ring MAP_PRIVATE */
map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
ring_fd, IORING_OFF_SQ_RING);
if (map == MAP_FAILED) {
perror("mmap");
return 1;
}
/* We have at least one page. Let's COW it. */
*map = 0;
pause();
return 0;
}
<--- C reproducer --->
On a system with 16 GiB RAM and swap configured:
# ./iouring &
# memhog 16G
# killall iouring
[ 301.552930] ------------[ cut here ]------------
[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100
[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g
[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1
[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4
[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100
[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000
[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282
[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047
[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200
[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000
[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000
[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000
[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000
[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0
[ 301.565725] PKRU: 55555554
[ 301.565944] Call Trace:
[ 301.566148] <TASK>
[ 301.566325] ? untrack_pfn+0xf4/0x100
[ 301.566618] ? __warn+0x81/0x130
[ 301.566876] ? untrack_pfn+0xf4/0x100
[ 301.567163] ? report_bug+0x171/0x1a0
[ 301.567466] ? handle_bug+0x3c/0x80
[ 301.567743] ? exc_invalid_op+0x17/0x70
[ 301.568038] ? asm_exc_invalid_op+0x1a/0x20
[ 301.568363] ? untrack_pfn+0xf4/0x100
[ 301.568660] ? untrack_pfn+0x65/0x100
[ 301.568947] unmap_single_vma+0xa6/0xe0
[ 301.569247] unmap_vmas+0xb5/0x190
[ 301.569532] exit_mmap+0xec/0x340
[ 301.569801] __mmput+0x3e/0x130
[ 301.570051] do_exit+0x305/0xaf0
...
Link: https://lkml.kernel.org/r/20240403212131.929421-3-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reported-by: Wupeng Ma <mawupeng1@huawei.com>
Closes: https://lkml.kernel.org/r/20240227122814.3781907-1-mawupeng1@huawei.com
Fixes: b1a86e15dc03 ("x86, pat: remove the dependency on 'vm_pgoff' in track/untrack pfn vma routines")
Fixes: 5899329b1910 ("x86: PAT: implement track/untrack of pfnmap regions for x86 - v3")
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/pat.c | 50 ++++++++++++++++++++++++++++++++++++--------------
mm/memory.c | 4 ++++
2 files changed, 40 insertions(+), 14 deletions(-)
--- a/arch/x86/mm/pat.c
+++ b/arch/x86/mm/pat.c
@@ -33,6 +33,7 @@
#include "pat_internal.h"
#include "mm_internal.h"
+#include "../../mm/internal.h" /* is_cow_mapping() */
#undef pr_fmt
#define pr_fmt(fmt) "" fmt
@@ -954,6 +955,38 @@ static void free_pfn_range(u64 paddr, un
free_memtype(paddr, paddr + size);
}
+static int get_pat_info(struct vm_area_struct *vma, resource_size_t *paddr,
+ pgprot_t *pgprot)
+{
+ unsigned long prot;
+
+ VM_WARN_ON_ONCE(!(vma->vm_flags & VM_PAT));
+
+ /*
+ * We need the starting PFN and cachemode used for track_pfn_remap()
+ * that covered the whole VMA. For most mappings, we can obtain that
+ * information from the page tables. For COW mappings, we might now
+ * suddenly have anon folios mapped and follow_phys() will fail.
+ *
+ * Fallback to using vma->vm_pgoff, see remap_pfn_range_notrack(), to
+ * detect the PFN. If we need the cachemode as well, we're out of luck
+ * for now and have to fail fork().
+ */
+ if (!follow_phys(vma, vma->vm_start, 0, &prot, paddr)) {
+ if (pgprot)
+ *pgprot = __pgprot(prot);
+ return 0;
+ }
+ if (is_cow_mapping(vma->vm_flags)) {
+ if (pgprot)
+ return -EINVAL;
+ *paddr = (resource_size_t)vma->vm_pgoff << PAGE_SHIFT;
+ return 0;
+ }
+ WARN_ON_ONCE(1);
+ return -EINVAL;
+}
+
/*
* track_pfn_copy is called when vma that is covering the pfnmap gets
* copied through copy_page_range().
@@ -964,20 +997,13 @@ static void free_pfn_range(u64 paddr, un
int track_pfn_copy(struct vm_area_struct *vma)
{
resource_size_t paddr;
- unsigned long prot;
unsigned long vma_size = vma->vm_end - vma->vm_start;
pgprot_t pgprot;
if (vma->vm_flags & VM_PAT) {
- /*
- * reserve the whole chunk covered by vma. We need the
- * starting address and protection from pte.
- */
- if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr)) {
- WARN_ON_ONCE(1);
+ if (get_pat_info(vma, &paddr, &pgprot))
return -EINVAL;
- }
- pgprot = __pgprot(prot);
+ /* reserve the whole chunk covered by vma. */
return reserve_pfn_range(paddr, vma_size, &pgprot, 1);
}
@@ -1052,7 +1078,6 @@ void untrack_pfn(struct vm_area_struct *
unsigned long size)
{
resource_size_t paddr;
- unsigned long prot;
if (vma && !(vma->vm_flags & VM_PAT))
return;
@@ -1060,11 +1085,8 @@ void untrack_pfn(struct vm_area_struct *
/* free the chunk starting from pfn or the whole chunk */
paddr = (resource_size_t)pfn << PAGE_SHIFT;
if (!paddr && !size) {
- if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr)) {
- WARN_ON_ONCE(1);
+ if (get_pat_info(vma, &paddr, NULL))
return;
- }
-
size = vma->vm_end - vma->vm_start;
}
free_pfn_range(paddr, size);
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4612,6 +4612,10 @@ int follow_phys(struct vm_area_struct *v
goto out;
pte = *ptep;
+ /* Never return PFNs of anon folios in COW mappings. */
+ if (vm_normal_page(vma, address, pte))
+ goto unlock;
+
if ((flags & FOLL_WRITE) && !pte_write(pte))
goto unlock;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 171/175] Bluetooth: btintel: Fixe build regression
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 170/175] x86/mm/pat: fix VM_PAT handling in COW mappings Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 172/175] VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() Greg Kroah-Hartman
` (9 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 6e62ebfb49eb65bdcbfc5797db55e0ce7f79c3dd upstream.
This fixes the following build regression:
drivers-bluetooth-btintel.c-btintel_read_version()-warn:
passing-zero-to-PTR_ERR
Fixes: b79e04091010 ("Bluetooth: btintel: Fix null ptr deref in btintel_read_version")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btintel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -355,13 +355,13 @@ int btintel_read_version(struct hci_dev
struct sk_buff *skb;
skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
- if (IS_ERR_OR_NULL(skb)) {
+ if (IS_ERR(skb)) {
bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
PTR_ERR(skb));
return PTR_ERR(skb);
}
- if (skb->len != sizeof(*ver)) {
+ if (!skb || skb->len != sizeof(*ver)) {
bt_dev_err(hdev, "Intel version event size mismatch");
kfree_skb(skb);
return -EILSEQ;
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 172/175] VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 171/175] Bluetooth: btintel: Fixe build regression Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 173/175] erspan: Check IFLA_GRE_ERSPAN_VER is set Greg Kroah-Hartman
` (8 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vasiliy Kovalev, Kees Cook
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasiliy Kovalev <kovalev@altlinux.org>
commit e606e4b71798cc1df20e987dde2468e9527bd376 upstream.
The changes are similar to those given in the commit 19b070fefd0d
("VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()").
Fix filling of the msg and msg_payload in dg_info struct, which prevents a
possible "detected field-spanning write" of memcpy warning that is issued
by the tracking mechanism __fortify_memcpy_chk.
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Link: https://lore.kernel.org/r/20240219105315.76955-1-kovalev@altlinux.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/misc/vmw_vmci/vmci_datagram.c
+++ b/drivers/misc/vmw_vmci/vmci_datagram.c
@@ -386,7 +386,8 @@ int vmci_datagram_invoke_guest_handler(s
dg_info->in_dg_host_queue = false;
dg_info->entry = dst_entry;
- memcpy(&dg_info->msg, dg, VMCI_DG_SIZE(dg));
+ dg_info->msg = *dg;
+ memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size);
INIT_WORK(&dg_info->work, dg_delayed_dispatch);
schedule_work(&dg_info->work);
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 173/175] erspan: Check IFLA_GRE_ERSPAN_VER is set.
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 172/175] VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 174/175] ip_gre: do not report erspan version on GRE interface Greg Kroah-Hartman
` (7 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, William Tu,
Eric Dumazet, David S. Miller
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Tu <u9012063@gmail.com>
commit 51fa960d3b5163b1af22efdebcabfccc5d615ad6 upstream.
Add a check to make sure the IFLA_GRE_ERSPAN_VER is provided by users.
Fixes: f989d546a2d5 ("erspan: Add type I version 0 support.")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: William Tu <u9012063@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_gre.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -1182,7 +1182,8 @@ static int erspan_validate(struct nlattr
if (ret)
return ret;
- if (nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0)
+ if (data[IFLA_GRE_ERSPAN_VER] &&
+ nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0)
return 0;
/* ERSPAN type II/III should only have GRE sequence and key flag */
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 174/175] ip_gre: do not report erspan version on GRE interface
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 173/175] erspan: Check IFLA_GRE_ERSPAN_VER is set Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 175/175] initramfs: fix populate_initrd_image() section mismatch Greg Kroah-Hartman
` (6 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianlin Shi, Hangbin Liu,
William Tu, Paolo Abeni
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
commit ee496694b9eea651ae1aa4c4667d886cdf74aa3b upstream.
Although the type I ERSPAN is based on the barebones IP + GRE
encapsulation and no extra ERSPAN header. Report erspan version on GRE
interface looks unreasonable. Fix this by separating the erspan and gre
fill info.
IPv6 GRE does not have this info as IPv6 only supports erspan version
1 and 2.
Reported-by: Jianlin Shi <jishi@redhat.com>
Fixes: f989d546a2d5 ("erspan: Add type I version 0 support.")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: William Tu <u9012063@gmail.com>
Link: https://lore.kernel.org/r/20221203032858.3130339-1-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_gre.c | 48 +++++++++++++++++++++++++++++-------------------
1 file changed, 29 insertions(+), 19 deletions(-)
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -1586,24 +1586,6 @@ static int ipgre_fill_info(struct sk_buf
struct ip_tunnel_parm *p = &t->parms;
__be16 o_flags = p->o_flags;
- if (t->erspan_ver <= 2) {
- if (t->erspan_ver != 0 && !t->collect_md)
- o_flags |= TUNNEL_KEY;
-
- if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
- goto nla_put_failure;
-
- if (t->erspan_ver == 1) {
- if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
- goto nla_put_failure;
- } else if (t->erspan_ver == 2) {
- if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
- goto nla_put_failure;
- if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
- goto nla_put_failure;
- }
- }
-
if (nla_put_u32(skb, IFLA_GRE_LINK, p->link) ||
nla_put_be16(skb, IFLA_GRE_IFLAGS,
gre_tnl_flags_to_gre_flags(p->i_flags)) ||
@@ -1644,6 +1626,34 @@ nla_put_failure:
return -EMSGSIZE;
}
+static int erspan_fill_info(struct sk_buff *skb, const struct net_device *dev)
+{
+ struct ip_tunnel *t = netdev_priv(dev);
+
+ if (t->erspan_ver <= 2) {
+ if (t->erspan_ver != 0 && !t->collect_md)
+ t->parms.o_flags |= TUNNEL_KEY;
+
+ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
+ goto nla_put_failure;
+
+ if (t->erspan_ver == 1) {
+ if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
+ goto nla_put_failure;
+ } else if (t->erspan_ver == 2) {
+ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
+ goto nla_put_failure;
+ if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
+ goto nla_put_failure;
+ }
+ }
+
+ return ipgre_fill_info(skb, dev);
+
+nla_put_failure:
+ return -EMSGSIZE;
+}
+
static void erspan_setup(struct net_device *dev)
{
struct ip_tunnel *t = netdev_priv(dev);
@@ -1722,7 +1732,7 @@ static struct rtnl_link_ops erspan_link_
.changelink = erspan_changelink,
.dellink = ip_tunnel_dellink,
.get_size = ipgre_get_size,
- .fill_info = ipgre_fill_info,
+ .fill_info = erspan_fill_info,
.get_link_net = ip_tunnel_get_link_net,
};
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19 175/175] initramfs: fix populate_initrd_image() section mismatch
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 174/175] ip_gre: do not report erspan version on GRE interface Greg Kroah-Hartman
@ 2024-04-11 9:56 ` Greg Kroah-Hartman
2024-04-11 12:02 ` [PATCH 4.19 000/175] 4.19.312-rc1 review Pavel Machek
` (5 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-11 9:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Christoph Hellwig, Andrew Morton, Linus Torvalds
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert@linux-m68k.org>
commit 4ada1e810038e9dbc20e40b524e05ee1a9d31f98 upstream.
With gcc-4.6.3:
WARNING: vmlinux.o(.text.unlikely+0x140): Section mismatch in reference from the function populate_initrd_image() to the variable .init.ramfs.info:__initramfs_size
The function populate_initrd_image() references
the variable __init __initramfs_size.
This is often because populate_initrd_image lacks a __init
annotation or the annotation of __initramfs_size is wrong.
WARNING: vmlinux.o(.text.unlikely+0x14c): Section mismatch in reference from the function populate_initrd_image() to the function .init.text:unpack_to_rootfs()
The function populate_initrd_image() references
the function __init unpack_to_rootfs().
This is often because populate_initrd_image lacks a __init
annotation or the annotation of unpack_to_rootfs is wrong.
WARNING: vmlinux.o(.text.unlikely+0x198): Section mismatch in reference from the function populate_initrd_image() to the function .init.text:xwrite()
The function populate_initrd_image() references
the function __init xwrite().
This is often because populate_initrd_image lacks a __init
annotation or the annotation of xwrite is wrong.
Indeed, if the compiler decides not to inline populate_initrd_image(), a
warning is generated.
Fix this by adding the missing __init annotations.
Link: http://lkml.kernel.org/r/20190617074340.12779-1-geert@linux-m68k.org
Fixes: 7c184ecd262fe64f ("initramfs: factor out a helper to populate the initrd image")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
init/initramfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -603,7 +603,7 @@ static void __init clean_rootfs(void)
#endif
#ifdef CONFIG_BLK_DEV_RAM
-static void populate_initrd_image(char *err)
+static void __init populate_initrd_image(char *err)
{
ssize_t written;
struct file *file;
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2024-04-11 9:56 ` [PATCH 4.19 175/175] initramfs: fix populate_initrd_image() section mismatch Greg Kroah-Hartman
@ 2024-04-11 12:02 ` Pavel Machek
2024-04-11 14:20 ` Naresh Kamboju
` (4 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Pavel Machek @ 2024-04-11 12:02 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
[-- Attachment #1: Type: text/plain, Size: 666 bytes --]
Hi!
> This is the start of the stable review cycle for the 4.19.312 release.
> There are 175 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.19.y
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2024-04-11 12:02 ` [PATCH 4.19 000/175] 4.19.312-rc1 review Pavel Machek
@ 2024-04-11 14:20 ` Naresh Kamboju
2024-04-12 8:29 ` Greg Kroah-Hartman
2024-04-11 23:56 ` Shuah Khan
` (3 subsequent siblings)
180 siblings, 1 reply; 195+ messages in thread
From: Naresh Kamboju @ 2024-04-11 14:20 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie, imx,
dri-devel
On Thu, 11 Apr 2024 at 15:30, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.19.312 release.
> There are 175 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 13 Apr 2024 09:53:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.312-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
The arm imx_v6_v7_defconfig build failed with gcc-12 and clang on Linux
stable-rc linux-4.19.y.
Regressions:
- arm
* gcc-12-imx_v6_v7_defconfig - failed
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Build log:
----
drivers/gpu/drm/imx/parallel-display.c: In function
'imx_pd_bridge_atomic_check':
drivers/gpu/drm/imx/parallel-display.c:222:23: error: implicit
declaration of function 'drm_bridge_get_next_bridge'
[-Werror=implicit-function-declaration]
222 | next_bridge = drm_bridge_get_next_bridge(bridge);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
Links:
- https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.19.y/build/v4.19.311-176-gf0cf5f6110a7/testrun/23411280/suite/build/test/gcc-12-imx_v6_v7_defconfig/details/
- https://storage.tuxsuite.com/public/linaro/lkft/builds/2ex1v6eevudbi33g4ozA7hJ4fvs/
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2024-04-11 14:20 ` Naresh Kamboju
@ 2024-04-11 23:56 ` Shuah Khan
2024-04-12 8:03 ` Jon Hunter
` (2 subsequent siblings)
180 siblings, 0 replies; 195+ messages in thread
From: Shuah Khan @ 2024-04-11 23:56 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie, Shuah Khan
On 4/11/24 03:53, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.312 release.
> There are 175 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 13 Apr 2024 09:53:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.312-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2024-04-11 23:56 ` Shuah Khan
@ 2024-04-12 8:03 ` Jon Hunter
2024-04-12 10:11 ` Harshit Mogalapalli
2024-04-12 19:46 ` Pavel Machek
180 siblings, 0 replies; 195+ messages in thread
From: Jon Hunter @ 2024-04-12 8:03 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
linux-tegra, stable
On Thu, 11 Apr 2024 11:53:43 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.312 release.
> There are 175 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 13 Apr 2024 09:53:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.312-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v4.19:
10 builds: 10 pass, 0 fail
20 boots: 20 pass, 0 fail
37 tests: 37 pass, 0 fail
Linux version: 4.19.312-rc1-gf0cf5f6110a7
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra20-ventana,
tegra210-p2371-2180, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-11 14:20 ` Naresh Kamboju
@ 2024-04-12 8:29 ` Greg Kroah-Hartman
0 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-12 8:29 UTC (permalink / raw)
To: Naresh Kamboju
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie, imx,
dri-devel
On Thu, Apr 11, 2024 at 07:50:57PM +0530, Naresh Kamboju wrote:
> On Thu, 11 Apr 2024 at 15:30, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 4.19.312 release.
> > There are 175 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 13 Apr 2024 09:53:55 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.312-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
>
> The arm imx_v6_v7_defconfig build failed with gcc-12 and clang on Linux
> stable-rc linux-4.19.y.
>
> Regressions:
> - arm
> * gcc-12-imx_v6_v7_defconfig - failed
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>
> Build log:
> ----
> drivers/gpu/drm/imx/parallel-display.c: In function
> 'imx_pd_bridge_atomic_check':
> drivers/gpu/drm/imx/parallel-display.c:222:23: error: implicit
> declaration of function 'drm_bridge_get_next_bridge'
> [-Werror=implicit-function-declaration]
> 222 | next_bridge = drm_bridge_get_next_bridge(bridge);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> Links:
> - https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.19.y/build/v4.19.311-176-gf0cf5f6110a7/testrun/23411280/suite/build/test/gcc-12-imx_v6_v7_defconfig/details/
> - https://storage.tuxsuite.com/public/linaro/lkft/builds/2ex1v6eevudbi33g4ozA7hJ4fvs/
Offending commit now dropped, thanks!
greg k-h
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2024-04-12 8:03 ` Jon Hunter
@ 2024-04-12 10:11 ` Harshit Mogalapalli
2024-04-12 19:46 ` Pavel Machek
180 siblings, 0 replies; 195+ messages in thread
From: Harshit Mogalapalli @ 2024-04-12 10:11 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie, Vegard Nossum, Darren Kenny
Hi Greg,
On 11/04/24 15:23, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.312 release.
> There are 175 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 13 Apr 2024 09:53:55 +0000.
> Anything received after that time might be too late.
>
No problems seen on x86_64 and aarch64 with our testing.
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Thanks,
Harshit
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.312-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2024-04-12 10:11 ` Harshit Mogalapalli
@ 2024-04-12 19:46 ` Pavel Machek
2024-04-12 20:02 ` Thomas Gleixner
` (3 more replies)
180 siblings, 4 replies; 195+ messages in thread
From: Pavel Machek @ 2024-04-12 19:46 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie, maco,
tglx, christophe.jaillet, sean.anderson
[-- Attachment #1: Type: text/plain, Size: 1412 bytes --]
Hi!
> This is the start of the stable review cycle for the 4.19.312 release.
> There are 175 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
> Martijn Coenen <maco@android.com>
> loop: Remove sector_t truncation checks
AFAICT, in 4.19, sector_t is not guaranteed to be u64, see
include/linux/types.h. So we can't take this.
> Thomas Gleixner <tglx@linutronix.de>
> timers: Move clearing of base::timer_running under base:: Lock
AFAICT, we don't have those NULL assignments in expire_timers in
4.19. Can someone doublecheck this? We also don't support PREEMPT_RT
there.
> Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> slimbus: core: Remove usage of the deprecated ida_simple_xx() API
AFAICT this is just a cleanup. We should not need this.
> Sean Anderson <sean.anderson@linux.dev>
> soc: fsl: qbman: Use raw spinlock for cgr_lock
As we don't have commit ef2a8d5478b9 ("net: dpaa: Adjust queue depth
on rate change") in 4.19, we should not really need this. Plus, 10msec
under raw spinlock is quite evil, such kernel is not realtime any
more. We should not be doing that.
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-12 19:46 ` Pavel Machek
@ 2024-04-12 20:02 ` Thomas Gleixner
2024-04-13 5:43 ` Greg Kroah-Hartman
2024-04-12 20:10 ` Sean Anderson
` (2 subsequent siblings)
3 siblings, 1 reply; 195+ messages in thread
From: Thomas Gleixner @ 2024-04-12 20:02 UTC (permalink / raw)
To: Pavel Machek, Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie, maco,
christophe.jaillet, sean.anderson
On Fri, Apr 12 2024 at 21:46, Pavel Machek wrote:
>> Thomas Gleixner <tglx@linutronix.de>
>> timers: Move clearing of base::timer_running under base:: Lock
>
> AFAICT, we don't have those NULL assignments in expire_timers in
> 4.19. Can someone doublecheck this? We also don't support PREEMPT_RT
> there.
This has nothing to do with RT.
But yes, 4.19 has the original bass::running_timer clearing which
happens at the end of handling all expired timer callbacks and that
actually happens with base->lock held.
So right, 4.19 is not affected by this.
Thanks,
tglx
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-12 19:46 ` Pavel Machek
2024-04-12 20:02 ` Thomas Gleixner
@ 2024-04-12 20:10 ` Sean Anderson
2024-04-12 20:18 ` Sean Anderson
2024-04-12 20:15 ` *** SPAM *** " Marion & Christophe JAILLET
2024-04-13 5:39 ` Greg Kroah-Hartman
3 siblings, 1 reply; 195+ messages in thread
From: Sean Anderson @ 2024-04-12 20:10 UTC (permalink / raw)
To: Pavel Machek, Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, allen.lkml, broonie, maco, tglx,
christophe.jaillet
On 4/12/24 15:46, Pavel Machek wrote:
>> Sean Anderson <sean.anderson@linux.dev>
>> soc: fsl: qbman: Use raw spinlock for cgr_lock
>
> As we don't have commit ef2a8d5478b9 ("net: dpaa: Adjust queue depth
> on rate change") in 4.19, we should not really need this. Plus, 10msec
> under raw spinlock is quite evil, such kernel is not realtime any
> more. We should not be doing that.
Patches welcome :)
At some point I will try and revisit this.
--Sean
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: *** SPAM *** Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-12 19:46 ` Pavel Machek
2024-04-12 20:02 ` Thomas Gleixner
2024-04-12 20:10 ` Sean Anderson
@ 2024-04-12 20:15 ` Marion & Christophe JAILLET
2024-04-13 5:39 ` Greg Kroah-Hartman
3 siblings, 0 replies; 195+ messages in thread
From: Marion & Christophe JAILLET @ 2024-04-12 20:15 UTC (permalink / raw)
To: Pavel Machek, Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, allen.lkml, broonie, maco, tglx,
sean.anderson
Le 12/04/2024 à 21:46, Pavel Machek a écrit :
>> Christophe JAILLET <christophe.jaillet@wanadoo.fr>
>> slimbus: core: Remove usage of the deprecated ida_simple_xx() API
> AFAICT this is just a cleanup. We should not need this.
>
Not exactly.
As stated in the commit: "this change allows one more device. Previously
address 0xFE was never used."
I don't use slimbus, so I'll let people with more knowledge than me
about this driver decide if it should be backported or not, but from my
point of view, it is a valid fix.
But, unless s.o. complained that this extra device address was needed in
a RL scenario, I would say that the patch should not be backported,
because: "better safe than sorry".
CJ
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-12 20:10 ` Sean Anderson
@ 2024-04-12 20:18 ` Sean Anderson
0 siblings, 0 replies; 195+ messages in thread
From: Sean Anderson @ 2024-04-12 20:18 UTC (permalink / raw)
To: Pavel Machek, Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, allen.lkml, broonie, maco, tglx,
christophe.jaillet
On 4/12/24 16:10, Sean Anderson wrote:
> On 4/12/24 15:46, Pavel Machek wrote:
>>> Sean Anderson <sean.anderson@linux.dev>
>>> soc: fsl: qbman: Use raw spinlock for cgr_lock
>>
>> As we don't have commit ef2a8d5478b9 ("net: dpaa: Adjust queue depth
>> on rate change") in 4.19, we should not really need this.
Sorry, I missed this the first time around, but this bug will still
occur (just much more rarely) without this commit.
--Sean
> Plus, 10msec
>> under raw spinlock is quite evil, such kernel is not realtime any
>> more. We should not be doing that.
>
> Patches welcome :)
>
> At some point I will try and revisit this.
>
> --Sean
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-12 19:46 ` Pavel Machek
` (2 preceding siblings ...)
2024-04-12 20:15 ` *** SPAM *** " Marion & Christophe JAILLET
@ 2024-04-13 5:39 ` Greg Kroah-Hartman
2024-04-30 6:30 ` Genjian
3 siblings, 1 reply; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-13 5:39 UTC (permalink / raw)
To: Pavel Machek, Genjian Zhang
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, allen.lkml, broonie, maco, tglx,
christophe.jaillet, sean.anderson
On Fri, Apr 12, 2024 at 09:46:46PM +0200, Pavel Machek wrote:
> Hi!
>
> > This is the start of the stable review cycle for the 4.19.312 release.
> > There are 175 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
>
> > Martijn Coenen <maco@android.com>
> > loop: Remove sector_t truncation checks
>
> AFAICT, in 4.19, sector_t is not guaranteed to be u64, see
> include/linux/types.h. So we can't take this.
It's more helpful if you cc: the people on the commit that you are
asking about, so that they can explain why they asked for it, or did the
backport.
Genjian, any thoughts about this one?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-12 20:02 ` Thomas Gleixner
@ 2024-04-13 5:43 ` Greg Kroah-Hartman
0 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-13 5:43 UTC (permalink / raw)
To: Thomas Gleixner
Cc: Pavel Machek, stable, patches, linux-kernel, torvalds, akpm,
linux, shuah, patches, lkft-triage, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie, maco,
christophe.jaillet, sean.anderson
On Fri, Apr 12, 2024 at 10:02:47PM +0200, Thomas Gleixner wrote:
> On Fri, Apr 12 2024 at 21:46, Pavel Machek wrote:
> >> Thomas Gleixner <tglx@linutronix.de>
> >> timers: Move clearing of base::timer_running under base:: Lock
> >
> > AFAICT, we don't have those NULL assignments in expire_timers in
> > 4.19. Can someone doublecheck this? We also don't support PREEMPT_RT
> > there.
>
> This has nothing to do with RT.
>
> But yes, 4.19 has the original bass::running_timer clearing which
> happens at the end of handling all expired timer callbacks and that
> actually happens with base->lock held.
>
> So right, 4.19 is not affected by this.
Now dropped, thanks.
greg k-h
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 091/175] loop: Remove sector_t truncation checks
2024-04-11 9:55 ` [PATCH 4.19 091/175] loop: Remove sector_t truncation checks Greg Kroah-Hartman
@ 2024-04-26 16:56 ` Ben Hutchings
2024-04-29 11:10 ` Greg Kroah-Hartman
0 siblings, 1 reply; 195+ messages in thread
From: Ben Hutchings @ 2024-04-26 16:56 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Martijn Coenen, Christoph Hellwig, Jens Axboe, Genjian Zhang
[-- Attachment #1: Type: text/plain, Size: 3108 bytes --]
On Thu, 2024-04-11 at 11:55 +0200, Greg Kroah-Hartman wrote:
> 4.19-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Martijn Coenen <maco@android.com>
>
> [ Upstream commit 083a6a50783ef54256eec3499e6575237e0e3d53 ]
>
> sector_t is now always u64, so we don't need to check for truncation.
This needs to be reverted for 4.19, because sector_t wasn't always u64
until 5.2.
Ben.
> Signed-off-by: Martijn Coenen <maco@android.com>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> drivers/block/loop.c | 21 +++++++--------------
> 1 file changed, 7 insertions(+), 14 deletions(-)
>
> --- a/drivers/block/loop.c
> +++ b/drivers/block/loop.c
> @@ -225,24 +225,20 @@ static void __loop_update_dio(struct loo
> blk_mq_unfreeze_queue(lo->lo_queue);
> }
>
> -static int
> +static void
> figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit)
> {
> loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
> - sector_t x = (sector_t)size;
> struct block_device *bdev = lo->lo_device;
>
> - if (unlikely((loff_t)x != size))
> - return -EFBIG;
> if (lo->lo_offset != offset)
> lo->lo_offset = offset;
> if (lo->lo_sizelimit != sizelimit)
> lo->lo_sizelimit = sizelimit;
> - set_capacity(lo->lo_disk, x);
> + set_capacity(lo->lo_disk, size);
> bd_set_size(bdev, (loff_t)get_capacity(bdev->bd_disk) << 9);
> /* let user-space know about the new size */
> kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
> - return 0;
> }
>
> static inline int
> @@ -972,10 +968,8 @@ static int loop_set_fd(struct loop_devic
> !file->f_op->write_iter)
> lo_flags |= LO_FLAGS_READ_ONLY;
>
> - error = -EFBIG;
> size = get_loop_size(lo, file);
> - if ((loff_t)(sector_t)size != size)
> - goto out_unlock;
> +
> error = loop_prepare_queue(lo);
> if (error)
> goto out_unlock;
> @@ -1280,10 +1274,7 @@ loop_set_status(struct loop_device *lo,
> lo->lo_device->bd_inode->i_mapping->nrpages);
> goto out_unfreeze;
> }
> - if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit)) {
> - err = -EFBIG;
> - goto out_unfreeze;
> - }
> + figure_loop_size(lo, info->lo_offset, info->lo_sizelimit);
> }
>
> memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
> @@ -1486,7 +1477,9 @@ static int loop_set_capacity(struct loop
> if (unlikely(lo->lo_state != Lo_bound))
> return -ENXIO;
>
> - return figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
> + figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
> +
> + return 0;
> }
>
> static int loop_set_dio(struct loop_device *lo, unsigned long arg)
>
>
>
--
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
- Albert Einstein
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 091/175] loop: Remove sector_t truncation checks
2024-04-26 16:56 ` Ben Hutchings
@ 2024-04-29 11:10 ` Greg Kroah-Hartman
2024-04-29 21:37 ` Ben Hutchings
0 siblings, 1 reply; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-29 11:10 UTC (permalink / raw)
To: Ben Hutchings
Cc: stable, patches, Martijn Coenen, Christoph Hellwig, Jens Axboe,
Genjian Zhang
On Fri, Apr 26, 2024 at 06:56:40PM +0200, Ben Hutchings wrote:
> On Thu, 2024-04-11 at 11:55 +0200, Greg Kroah-Hartman wrote:
> > 4.19-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Martijn Coenen <maco@android.com>
> >
> > [ Upstream commit 083a6a50783ef54256eec3499e6575237e0e3d53 ]
> >
> > sector_t is now always u64, so we don't need to check for truncation.
>
> This needs to be reverted for 4.19, because sector_t wasn't always u64
> until 5.2.
Ah, ick. Ok, let me go revert all of these, that should also solve the
build issue for Alpha that Guenter was reporting.
thanks for letting me know.
greg k-h
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 091/175] loop: Remove sector_t truncation checks
2024-04-29 11:10 ` Greg Kroah-Hartman
@ 2024-04-29 21:37 ` Ben Hutchings
2024-04-29 21:40 ` [PATCH 4.19] Revert "loop: Remove sector_t truncation checks" Ben Hutchings
0 siblings, 1 reply; 195+ messages in thread
From: Ben Hutchings @ 2024-04-29 21:37 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Martijn Coenen, Christoph Hellwig, Jens Axboe,
Genjian Zhang
[-- Attachment #1: Type: text/plain, Size: 1051 bytes --]
On Mon, 2024-04-29 at 13:10 +0200, Greg Kroah-Hartman wrote:
> On Fri, Apr 26, 2024 at 06:56:40PM +0200, Ben Hutchings wrote:
> > On Thu, 2024-04-11 at 11:55 +0200, Greg Kroah-Hartman wrote:
> > > 4.19-stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Martijn Coenen <maco@android.com>
> > >
> > > [ Upstream commit 083a6a50783ef54256eec3499e6575237e0e3d53 ]
> > >
> > > sector_t is now always u64, so we don't need to check for truncation.
> >
> > This needs to be reverted for 4.19, because sector_t wasn't always u64
> > until 5.2.
>
> Ah, ick. Ok, let me go revert all of these,
I don't think it's necessary to go that far. I'll send a patch to
revert just this.
> that should also solve the build issue for Alpha that Guenter was reporting.
That's a separate issue, I think.
> thanks for letting me know.
Ben.
--
Ben Hutchings
The Peter principle: In a hierarchy, every employee tends to rise to
their level of incompetence.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 195+ messages in thread
* [PATCH 4.19] Revert "loop: Remove sector_t truncation checks"
2024-04-29 21:37 ` Ben Hutchings
@ 2024-04-29 21:40 ` Ben Hutchings
2024-04-30 7:50 ` Greg Kroah-Hartman
0 siblings, 1 reply; 195+ messages in thread
From: Ben Hutchings @ 2024-04-29 21:40 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Martijn Coenen, Christoph Hellwig, Jens Axboe,
Genjian Zhang
[-- Attachment #1: Type: text/plain, Size: 2719 bytes --]
This reverts commit f92a3b0d003b9f7eb1f452598966a08802183f47, which
was commit 083a6a50783ef54256eec3499e6575237e0e3d53 upstream. In 4.19
there is still an option to use 32-bit sector_t on 32-bit
architectures, so we need to keep checking for truncation.
Since loop_set_status() was refactored by subsequent patches, this
reintroduces its truncation check in loop_set_status_from_info()
instead.
I tested that the loop ioctl operations have the expected behaviour on
x86_64, x86_32 with CONFIG_LBDAF=y, and (the special case) x86_32 with
CONFIG_LBDAF=n.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/block/loop.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 6050b039e4d2..860dac8b3f9a 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -243,12 +243,16 @@ static void loop_set_size(struct loop_device *lo, loff_t size)
kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
}
-static void
+static int
figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit)
{
loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
+ sector_t x = (sector_t)size;
+ if (unlikely((loff_t)x != size))
+ return -EFBIG;
loop_set_size(lo, size);
+ return 0;
}
static inline int
@@ -996,7 +1000,10 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
!file->f_op->write_iter)
lo_flags |= LO_FLAGS_READ_ONLY;
+ error = -EFBIG;
size = get_loop_size(lo, file);
+ if ((loff_t)(sector_t)size != size)
+ goto out_unlock;
error = loop_prepare_queue(lo);
if (error)
@@ -1246,6 +1253,7 @@ loop_set_status_from_info(struct loop_device *lo,
int err;
struct loop_func_table *xfer;
kuid_t uid = current_uid();
+ loff_t new_size;
if ((unsigned int) info->lo_encrypt_key_size > LO_KEY_SIZE)
return -EINVAL;
@@ -1273,6 +1281,11 @@ loop_set_status_from_info(struct loop_device *lo,
if (info->lo_offset > LLONG_MAX || info->lo_sizelimit > LLONG_MAX)
return -EOVERFLOW;
+ new_size = get_size(info->lo_offset, info->lo_sizelimit,
+ lo->lo_backing_file);
+ if ((loff_t)(sector_t)new_size != new_size)
+ return -EFBIG;
+
lo->lo_offset = info->lo_offset;
lo->lo_sizelimit = info->lo_sizelimit;
@@ -1531,9 +1544,7 @@ static int loop_set_capacity(struct loop_device *lo)
if (unlikely(lo->lo_state != Lo_bound))
return -ENXIO;
- figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
-
- return 0;
+ return figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
}
static int loop_set_dio(struct loop_device *lo, unsigned long arg)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19 000/175] 4.19.312-rc1 review
2024-04-13 5:39 ` Greg Kroah-Hartman
@ 2024-04-30 6:30 ` Genjian
0 siblings, 0 replies; 195+ messages in thread
From: Genjian @ 2024-04-30 6:30 UTC (permalink / raw)
To: gregkh
Cc: akpm, allen.lkml, broonie, christophe.jaillet, conor, f.fainelli,
jonathanh, linux-kernel, linux, lkft-triage, maco, patches,
patches, pavel, rwarsow, sean.anderson, shuah, srw, stable,
sudipm.mukherjee, tglx, torvalds, zhanggenjian
> On Fri, Apr 12, 2024 at 09:46:46PM +0200, Pavel Machek wrote:
> > Hi!
> >
> > > This is the start of the stable review cycle for the 4.19.312 release.
> > > There are 175 patches in this series, all will be posted as a response
> > > to this one. If anyone has any issues with these being applied, please
> > > let me know.
> >
> > > Martijn Coenen <maco@android.com>
> > > loop: Remove sector_t truncation checks
> >
> > AFAICT, in 4.19, sector_t is not guaranteed to be u64, see
> > include/linux/types.h. So we can't take this.
>
> It's more helpful if you cc: the people on the commit that you are
> asking about, so that they can explain why they asked for it, or did the
> backport.
>
> Genjian, any thoughts about this one?
>
> thanks,
>
> greg k-h
This one was aimed at resolving merge conflicts with subsequent patches and had no other reason. Indeed, this patch is not suitable for 4.19. I'm sorry for the omission.
thanks,
Genjian
^ permalink raw reply [flat|nested] 195+ messages in thread
* Re: [PATCH 4.19] Revert "loop: Remove sector_t truncation checks"
2024-04-29 21:40 ` [PATCH 4.19] Revert "loop: Remove sector_t truncation checks" Ben Hutchings
@ 2024-04-30 7:50 ` Greg Kroah-Hartman
0 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2024-04-30 7:50 UTC (permalink / raw)
To: Ben Hutchings
Cc: stable, patches, Martijn Coenen, Christoph Hellwig, Jens Axboe,
Genjian Zhang
On Mon, Apr 29, 2024 at 11:40:53PM +0200, Ben Hutchings wrote:
> This reverts commit f92a3b0d003b9f7eb1f452598966a08802183f47, which
> was commit 083a6a50783ef54256eec3499e6575237e0e3d53 upstream. In 4.19
> there is still an option to use 32-bit sector_t on 32-bit
> architectures, so we need to keep checking for truncation.
>
> Since loop_set_status() was refactored by subsequent patches, this
> reintroduces its truncation check in loop_set_status_from_info()
> instead.
>
> I tested that the loop ioctl operations have the expected behaviour on
> x86_64, x86_32 with CONFIG_LBDAF=y, and (the special case) x86_32 with
> CONFIG_LBDAF=n.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> drivers/block/loop.c | 19 +++++++++++++++----
> 1 file changed, 15 insertions(+), 4 deletions(-)
Thanks, both reverts now queued up.
greg k-h
^ permalink raw reply [flat|nested] 195+ messages in thread
end of thread, other threads:[~2024-04-30 7:50 UTC | newest]
Thread overview: 195+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-11 9:53 [PATCH 4.19 000/175] 4.19.312-rc1 review Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 001/175] Documentation/hw-vuln: Update spectre doc Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 002/175] x86/cpu: Support AMD Automatic IBRS Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 003/175] x86/bugs: Use sysfs_emit() Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 004/175] timer/trace: Replace deprecated vsprintf pointer extension %pf by %ps Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 005/175] timer/trace: Improve timer tracing Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 006/175] timers: Prepare support for PREEMPT_RT Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 007/175] timers: Update kernel-doc for various functions Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 008/175] timers: Use del_timer_sync() even on UP Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 009/175] timers: Rename del_timer_sync() to timer_delete_sync() Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 010/175] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 011/175] smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr() Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 012/175] smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity() Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 013/175] ARM: dts: mmp2-brownstone: Dont redeclare phandle references Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 014/175] arm: dts: marvell: Fix maxium->maxim typo in brownstone dts Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 015/175] media: xc4000: Fix atomicity violation in xc4000_get_frequency Greg Kroah-Hartman
2024-04-11 9:53 ` [PATCH 4.19 016/175] KVM: Always flush async #PF workqueue when vCPU is being destroyed Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 017/175] sparc64: NMI watchdog: fix return value of __setup handler Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 018/175] sparc: vDSO: " Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 019/175] crypto: qat - fix double free during reset Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 020/175] crypto: qat - resolve race condition during AER recovery Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 021/175] fat: fix uninitialized field in nostale filehandles Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 022/175] ubifs: Set page uptodate in the correct place Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 023/175] ubi: Check for too small LEB size in VTBL code Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 024/175] ubi: correct the calculation of fastmap size Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 025/175] parisc: Do not hardcode registers in checksum functions Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 026/175] parisc: Fix ip_fast_csum Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 027/175] parisc: Fix csum_ipv6_magic on 32-bit systems Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 028/175] parisc: Fix csum_ipv6_magic on 64-bit systems Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 029/175] parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 030/175] PM: suspend: Set mem_sleep_current during kernel command line setup Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 031/175] clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 032/175] clk: qcom: mmcc-apq8084: " Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 033/175] clk: qcom: mmcc-msm8974: " Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 034/175] powerpc/fsl: Fix mfpmr build errors with newer binutils Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 035/175] USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 036/175] USB: serial: add device ID for VeriFone adapter Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 037/175] USB: serial: cp210x: add ID for MGP Instruments PDS100 Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 038/175] USB: serial: option: add MeiG Smart SLM320 product Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 039/175] USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 040/175] PM: sleep: wakeirq: fix wake irq warning in system suspend Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 041/175] mmc: tmio: avoid concurrent runs of mmc_request_done() Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 042/175] fuse: dont unhash root Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 043/175] PCI: Drop pci_device_remove() test of pci_dev->driver Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 044/175] PCI/PM: Drain runtime-idle callbacks before driver removal Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 045/175] Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 046/175] dm-raid: fix lockdep waring in "pers->hot_add_disk" Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 047/175] mmc: core: Fix switch on gp3 partition Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 048/175] hwmon: (amc6821) add of_match table Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 049/175] ext4: fix corruption during on-line resize Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 050/175] slimbus: core: Remove usage of the deprecated ida_simple_xx() API Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 051/175] speakup: Fix 8bit characters from direct synth Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 052/175] kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1 Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 053/175] vfio/platform: Disable virqfds on cleanup Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 054/175] soc: fsl: qbman: Always disable interrupts when taking cgr_lock Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 055/175] soc: fsl: qbman: Add helper for sanity checking cgr ops Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 056/175] soc: fsl: qbman: Add CGR update function Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 057/175] soc: fsl: qbman: Use raw spinlock for cgr_lock Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 058/175] s390/zcrypt: fix reference counting on zcrypt card objects Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 059/175] drm/imx: pd: Use bus format/flags provided by the bridge when available Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 060/175] drm/imx/ipuv3: do not return negative values from .get_modes() Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 061/175] drm/vc4: hdmi: " Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 062/175] memtest: use {READ,WRITE}_ONCE in memory scanning Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 063/175] nilfs2: fix failure to detect DAT corruption in btree and direct mappings Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 064/175] nilfs2: use a more common logging style Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 065/175] nilfs2: prevent kernel bug at submit_bh_wbc() Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 066/175] x86/CPU/AMD: Update the Zenbleed microcode revisions Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 067/175] ahci: asm1064: correct count of reported ports Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 068/175] ahci: asm1064: asm1166: dont limit " Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 069/175] comedi: comedi_test: Prevent timers rescheduling during deletion Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 070/175] netfilter: nf_tables: disallow anonymous set with timeout flag Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 071/175] netfilter: nf_tables: reject constant set with timeout Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 072/175] xfrm: Avoid clang fortify warning in copy_to_user_tmpl() Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 073/175] ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 074/175] USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 075/175] usb: gadget: ncm: Fix handling of zero block length packets Greg Kroah-Hartman
2024-04-11 9:54 ` [PATCH 4.19 076/175] usb: port: Dont try to peer unused USB ports based on location Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 077/175] tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 078/175] vt: fix unicode buffer corruption when deleting characters Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 079/175] vt: fix memory overlapping when deleting chars in the buffer Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 080/175] mm/memory-failure: fix an incorrect use of tail pages Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 081/175] mm/migrate: set swap entry values of THP tail pages properly Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 082/175] wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 083/175] exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 084/175] usb: cdc-wdm: close race between read and workqueue Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 085/175] ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 086/175] fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 087/175] printk: Update @console_may_schedule in console_trylock_spinning() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 088/175] btrfs: allocate btrfs_ioctl_defrag_range_args on stack Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 089/175] Revert "loop: Check for overflow while configuring loop" Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 090/175] loop: Call loop_config_discard() only after new config is applied Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 091/175] loop: Remove sector_t truncation checks Greg Kroah-Hartman
2024-04-26 16:56 ` Ben Hutchings
2024-04-29 11:10 ` Greg Kroah-Hartman
2024-04-29 21:37 ` Ben Hutchings
2024-04-29 21:40 ` [PATCH 4.19] Revert "loop: Remove sector_t truncation checks" Ben Hutchings
2024-04-30 7:50 ` Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 092/175] loop: Factor out setting loop device size Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 093/175] loop: Refactor loop_set_status() size calculation Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 094/175] loop: properly observe rotational flag of underlying device Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 095/175] perf/core: Fix reentry problem in perf_output_read_group() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 096/175] efivarfs: Request at most 512 bytes for variable names Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 097/175] powerpc: xor_vmx: Add -mhard-float to CFLAGS Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 098/175] loop: Factor out configuring loop from status Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 099/175] loop: Check for overflow while configuring loop Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 100/175] loop: loop_set_status_from_info() check before assignment Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 101/175] usb: dwc2: host: Fix remote wakeup from hibernation Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 102/175] usb: dwc2: host: Fix hibernation flow Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 103/175] usb: dwc2: host: Fix ISOC flow in DDMA mode Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 104/175] usb: dwc2: gadget: LPM flow fix Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 105/175] usb: udc: remove warning when queue disabled ep Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 106/175] scsi: qla2xxx: Fix command flush on cable pull Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 107/175] x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 108/175] timers: Move clearing of base::timer_running under base:: Lock Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 109/175] drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 110/175] scsi: lpfc: Correct size for wqe for memset() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 111/175] USB: core: Fix deadlock in usb_deauthorize_interface() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 112/175] nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 113/175] mptcp: add sk_stop_timer_sync helper Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 114/175] tcp: properly terminate timers for kernel sockets Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 115/175] r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 116/175] Bluetooth: hci_event: set the conn encrypted before conn establishes Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 117/175] Bluetooth: Fix TOCTOU in HCI debugfs implementation Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 118/175] netfilter: nf_tables: disallow timeout for anonymous sets Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 119/175] net/rds: fix possible cp null dereference Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 120/175] Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped." Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 121/175] mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 122/175] netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 123/175] net/sched: act_skbmod: prevent kernel-infoleak Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 124/175] net: stmmac: fix rx queue priority assignment Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 125/175] selftests: reuseaddr_conflict: add missing new line at the end of the output Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 126/175] ipv6: Fix infinite recursion in fib6_dump_done() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 127/175] i40e: fix vf may be used uninitialized in this function warning Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 128/175] staging: mmal-vchiq: Avoid use of bool in structures Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 129/175] staging: mmal-vchiq: Allocate and free components as required Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 130/175] staging: mmal-vchiq: Fix client_component for 64 bit kernel Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 131/175] staging: vc04_services: changen strncpy() to strscpy_pad() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 132/175] staging: vc04_services: fix information leak in create_component() Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 133/175] initramfs: factor out a helper to populate the initrd image Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 134/175] fs: add a vfs_fchown helper Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 135/175] fs: add a vfs_fchmod helper Greg Kroah-Hartman
2024-04-11 9:55 ` [PATCH 4.19 136/175] initramfs: switch initramfs unpacking to struct file based APIs Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 137/175] init: open /initrd.image with O_LARGEFILE Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 138/175] erspan: Add type I version 0 support Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 139/175] erspan: make sure erspan_base_hdr is present in skb->head Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 140/175] ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 141/175] ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 142/175] ata: sata_mv: Fix PCI device ID table declaration compilation warning Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 143/175] ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 144/175] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 145/175] batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 146/175] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 147/175] arm64: dts: rockchip: fix rk3399 hdmi ports node Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 148/175] tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 149/175] btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 150/175] btrfs: export: handle invalid inode or root reference in btrfs_get_parent() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 151/175] btrfs: send: handle path ref underflow in header iterate_inode_ref() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 152/175] Bluetooth: btintel: Fix null ptr deref in btintel_read_version Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 153/175] Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 154/175] sysv: dont call sb_bread() with pointers_lock held Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 155/175] scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 156/175] isofs: handle CDs with bad root inode but good Joliet root directory Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 157/175] media: sta2x11: fix irq handler cast Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 158/175] drm/amd/display: Fix nanosec stat overflow Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 159/175] SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 160/175] block: prevent division by zero in blk_rq_stat_sum() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 161/175] Input: allocate keycode for Display refresh rate toggle Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 162/175] ktest: force $buildonly = 1 for make_warnings_file test type Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 163/175] tools: iio: replace seekdir() in iio_generic_buffer Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 164/175] usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 165/175] fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 166/175] fbmon: prevent division by zero in fb_videomode_from_videomode() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 167/175] tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 168/175] drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 169/175] virtio: reenable config if freezing device failed Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 170/175] x86/mm/pat: fix VM_PAT handling in COW mappings Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 171/175] Bluetooth: btintel: Fixe build regression Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 172/175] VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 173/175] erspan: Check IFLA_GRE_ERSPAN_VER is set Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 174/175] ip_gre: do not report erspan version on GRE interface Greg Kroah-Hartman
2024-04-11 9:56 ` [PATCH 4.19 175/175] initramfs: fix populate_initrd_image() section mismatch Greg Kroah-Hartman
2024-04-11 12:02 ` [PATCH 4.19 000/175] 4.19.312-rc1 review Pavel Machek
2024-04-11 14:20 ` Naresh Kamboju
2024-04-12 8:29 ` Greg Kroah-Hartman
2024-04-11 23:56 ` Shuah Khan
2024-04-12 8:03 ` Jon Hunter
2024-04-12 10:11 ` Harshit Mogalapalli
2024-04-12 19:46 ` Pavel Machek
2024-04-12 20:02 ` Thomas Gleixner
2024-04-13 5:43 ` Greg Kroah-Hartman
2024-04-12 20:10 ` Sean Anderson
2024-04-12 20:18 ` Sean Anderson
2024-04-12 20:15 ` *** SPAM *** " Marion & Christophe JAILLET
2024-04-13 5:39 ` Greg Kroah-Hartman
2024-04-30 6:30 ` Genjian
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).