This is a note to let you know that I've just added the patch titled
mei: hbm: fix client dma reply status
to my char-misc git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
in the char-misc-testing branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will be merged to the char-misc-next branch sometime soon,
after it passes testing, and the merge window is open.
If you have any questions about this process, please let me know.
From 6b0b80ac103b2a40c72a47c301745fd1f4ef4697 Mon Sep 17 00:00:00 2001
From: Alexander Usyskin <alexander.usyskin(a)intel.com>
Date: Tue, 28 Dec 2021 10:20:47 +0200
Subject: mei: hbm: fix client dma reply status
Don't blindly copy status value received from the firmware
into internal client status field.
It may be positive and ERR_PTR(ret) will translate it
into an invalid address and the caller will crash.
Put the error code into the client status on failure.
Fixes: 369aea845951 ("mei: implement client dma setup.")
Cc: <stable(a)vger.kernel.org> # v5.11+
Reported-by: Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
Tested-by: : Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
Acked-by: Tomas Winkler <tomas.winkler(a)intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin(a)intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler(a)intel.com>
Link: https://lore.kernel.org/r/20211228082047.378115-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/misc/mei/hbm.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/misc/mei/hbm.c b/drivers/misc/mei/hbm.c
index be41843df75b..cebcca6d6d3e 100644
--- a/drivers/misc/mei/hbm.c
+++ b/drivers/misc/mei/hbm.c
@@ -672,10 +672,14 @@ static void mei_hbm_cl_dma_map_res(struct mei_device *dev,
if (!cl)
return;
- dev_dbg(dev->dev, "cl dma map result = %d\n", res->status);
- cl->status = res->status;
- if (!cl->status)
+ if (res->status) {
+ dev_err(dev->dev, "cl dma map failed %d\n", res->status);
+ cl->status = -EFAULT;
+ } else {
+ dev_dbg(dev->dev, "cl dma map succeeded\n");
cl->dma_mapped = 1;
+ cl->status = 0;
+ }
wake_up(&cl->wait);
}
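Review bot: in the new `if (res->status)` branch every non-zero firmware status is folded into `-EFAULT`, so the waiter woken by `wake_up(&cl->wait)` sees one errno for all failures and the original value survives only in the `dev_err()` line. If callers need to tell failure kinds apart, translate the known firmware status values to distinct negative errnos here; otherwise a one-line comment saying why a single `-EFAULT` is enough would help.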
@@ -698,10 +702,14 @@ static void mei_hbm_cl_dma_unmap_res(struct mei_device *dev,
if (!cl)
return;
- dev_dbg(dev->dev, "cl dma unmap result = %d\n", res->status);
- cl->status = res->status;
- if (!cl->status)
+ if (res->status) {
+ dev_err(dev->dev, "cl dma unmap failed %d\n", res->status);
+ cl->status = -EFAULT;
+ } else {
+ dev_dbg(dev->dev, "cl dma unmap succeeded\n");
cl->dma_mapped = 0;
+ cl->status = 0;
+ }
wake_up(&cl->wait);
}
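Review bot: on the failure branch of the unmap reply, `cl->dma_mapped` keeps its previous value while `cl->status` becomes `-EFAULT`; a short comment stating that the buffer is still treated as mapped when the firmware rejects the unmap would make the intended state explicit. The branch is also a near copy of the one in `mei_hbm_cl_dma_map_res()`, differing only in the `dma_mapped` value and the message text, so a shared helper taking the new `dma_mapped` value would keep the two from drifting apart.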
--
2.34.1
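The failure mode named in the commit message above, shown as an added userspace example (not code from the patch or the mei driver): a positive status passed through an ERR_PTR-style helper falls outside the error range, so an IS_ERR-style check does not catch it. The helper names, the `caller_result()` stand-in, `dma_buf` and the firmware status value 3 are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-creation of the kernel error-pointer helpers: only the
 * top MAX_ERRNO values of the address space count as encoded errors. */
#define MAX_ERRNO 4095

static void *err_ptr(long error) { return (void *)(intptr_t)error; }
static long ptr_err(const void *ptr) { return (long)(intptr_t)ptr; }
static int is_err(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Pre-patch handling: the firmware status is stored as-is. */
static long status_before_fix(int fw_status) { return fw_status; }

/* Patched handling: any non-zero firmware status becomes -EFAULT. */
static long status_after_fix(int fw_status)
{
	return fw_status ? -EFAULT : 0;
}

/* Hypothetical caller: returns ERR_PTR(status) on failure, else a buffer. */
static char dma_buf[16]; /* constructed stand-in for the mapped buffer */
static void *caller_result(long cl_status)
{
	return cl_status ? err_ptr(cl_status) : (void *)dma_buf;
}

int main(void)
{
	int fw_status = 3; /* constructed positive firmware failure code */
	void *before = caller_result(status_before_fix(fw_status));
	void *after = caller_result(status_after_fix(fw_status));

	/* before: is_err is false, so the caller would dereference address 3 */
	printf("before: ptr=%p is_err=%d\n", before, is_err(before));
	/* after: is_err is true and ptr_err recovers -EFAULT */
	printf("after:  is_err=%d err=%ld\n", is_err(after), ptr_err(after));
	return 0;
}
```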
This is the start of the stable review cycle for the 4.19.223 release.
There are 38 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 29 Dec 2021 15:13:09 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.223-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.19.223-rc1
Rémi Denis-Courmont <remi(a)remlab.net>
phonet/pep: refuse to enable an unbound pipe
Lin Ma <linma(a)zju.edu.cn>
hamradio: improve the incomplete fix to avoid NPD
Lin Ma <linma(a)zju.edu.cn>
hamradio: defer ax25 kfree after unregister_netdev
Lin Ma <linma(a)zju.edu.cn>
ax25: NPD bug when detaching AX25 device
Guenter Roeck <linux(a)roeck-us.net>
hwmon: (lm90) Do not report 'busy' status bit as alarm
Samuel Čavoj <samuel(a)cavoj.net>
Input: i8042 - enable deferred probe quirk for ASUS UM325UA
Sean Christopherson <seanjc(a)google.com>
KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state
Marian Postevca <posteuca(a)mutex.one>
usb: gadget: u_ether: fix race in setting MAC address in setup phase
Chao Yu <chao(a)kernel.org>
f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
Ard Biesheuvel <ardb(a)kernel.org>
ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
Fabien Dessenne <fabien.dessenne(a)foss.st.com>
pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
Andrew Cooper <andrew.cooper3(a)citrix.com>
x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
John David Anglin <dave.anglin(a)bell.net>
parisc: Correct completer in lws start
Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com>
ipmi: fix initialization when workqueue allocation fails
Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com>
ipmi: bail out if init_srcu_struct fails
José Expósito <jose.exposito89(a)gmail.com>
Input: atmel_mxt_ts - fix double free in mxt_read_info_block
Colin Ian King <colin.i.king(a)gmail.com>
ALSA: drivers: opl3: Fix incorrect use of vp->state
Xiaoke Wang <xkernel.wang(a)foxmail.com>
ALSA: jack: Check the return value of kstrdup()
Guenter Roeck <linux(a)roeck-us.net>
hwmon: (lm90) Fix usage of CONFIG2 register in detect function
Jiasheng Jiang <jiasheng(a)iscas.ac.cn>
sfc: falcon: Check null pointer of rx_queue->page_ring
Jiasheng Jiang <jiasheng(a)iscas.ac.cn>
drivers: net: smc911x: Check for error irq
Jiasheng Jiang <jiasheng(a)iscas.ac.cn>
fjes: Check for error irq
Fernando Fernandez Mancera <ffmancera(a)riseup.net>
bonding: fix ad_actor_system option setting to default
Wu Bo <wubo40(a)huawei.com>
ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
Willem de Bruijn <willemb(a)google.com>
net: skip virtio_net_hdr_set_proto if protocol already set
Willem de Bruijn <willemb(a)google.com>
net: accept UFOv6 packages in virtio_net_hdr_to_skb
Jiasheng Jiang <jiasheng(a)iscas.ac.cn>
qlcnic: potential dereference null pointer of rx_queue->page_ring
Ignacy Gawędzki <ignacy.gawedzki(a)green-communications.fr>
netfilter: fix regression in looped (broad|multi)cast's MAC handling
José Expósito <jose.exposito89(a)gmail.com>
IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
Dongliang Mu <mudongliangabcd(a)gmail.com>
spi: change clk_disable_unprepare to clk_unprepare
Robert Marko <robert.marko(a)sartura.hr>
arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode
Benjamin Tissoires <benjamin.tissoires(a)redhat.com>
HID: holtek: fix mouse probing
Paolo Valente <paolo.valente(a)linaro.org>
block, bfq: fix use after free in bfq_bfqq_expire
Paolo Valente <paolo.valente(a)linaro.org>
block, bfq: fix queue removal from weights tree
Paolo Valente <paolo.valente(a)linaro.org>
block, bfq: fix decrement of num_active_groups
Federico Motta <federico(a)willer.it>
block, bfq: fix asymmetric scenarios detection
Federico Motta <federico(a)willer.it>
block, bfq: improve asymmetric scenarios detection
Greg Jesionowski <jesionowskigreg(a)gmail.com>
net: usb: lan78xx: add Allied Telesis AT29M2-AF
-------------
Diffstat:
Documentation/admin-guide/kernel-parameters.txt | 8 +-
Documentation/networking/bonding.txt | 11 +-
Makefile | 4 +-
arch/arm/kernel/entry-armv.S | 8 +-
.../dts/allwinner/sun50i-h5-orangepi-zero-plus.dts | 2 +-
arch/parisc/kernel/syscall.S | 2 +-
arch/x86/include/asm/pgtable.h | 4 +-
block/bfq-iosched.c | 287 +++++++++++++--------
block/bfq-iosched.h | 76 ++++--
block/bfq-wf2q.c | 56 ++--
drivers/char/ipmi/ipmi_msghandler.c | 21 +-
drivers/hid/hid-holtek-mouse.c | 15 ++
drivers/hwmon/lm90.c | 8 +-
drivers/infiniband/hw/qib/qib_user_sdma.c | 2 +-
drivers/input/serio/i8042-x86ia64io.h | 7 +
drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
drivers/net/bonding/bond_options.c | 2 +-
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h | 2 +-
.../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 12 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c | 4 +-
drivers/net/ethernet/sfc/falcon/rx.c | 5 +-
drivers/net/ethernet/smsc/smc911x.c | 5 +
drivers/net/fjes/fjes_main.c | 5 +
drivers/net/hamradio/mkiss.c | 5 +-
drivers/net/usb/lan78xx.c | 6 +
drivers/pinctrl/stm32/pinctrl-stm32.c | 8 +-
drivers/spi/spi-armada-3700.c | 2 +-
drivers/usb/gadget/function/u_ether.c | 15 +-
fs/f2fs/xattr.c | 9 +-
include/linux/virtio_net.h | 25 +-
net/ax25/af_ax25.c | 4 +-
net/netfilter/nfnetlink_log.c | 3 +-
net/netfilter/nfnetlink_queue.c | 3 +-
net/phonet/pep.c | 2 +
sound/core/jack.c | 4 +
sound/drivers/opl3/opl3_midi.c | 2 +-
36 files changed, 424 insertions(+), 212 deletions(-)
On Wed, 29 Dec 2021 19:17:30 +0800, Pavel Machek wrote:
> So we have !rx_queue->page_ring. But in efx_reuse_page, we do
>
> index = rx_queue->page_remove & rx_queue->page_ptr_mask;
> page = rx_queue->page_ring[index];
>
> So index is now zero, but we'll dereference null pointer
> anyway.
Thanks for your reply.
I am so sorry to have submitted the wrong patch and caused the trouble.
Now there are two ways to fix it.
One is to directly return an error when it fails, which finally causes the
failure of efx_start_all().
But I notice that efx_start_channels() -> efx_init_rx_queue() ->
efx_init_rx_recycle_ring(), and efx_start_channels() starts many
channels.
Maybe the last channel fails without enough memory, but the others
succeed and can work regularly.
To work more efficiently, I think the second way is better: we just
check everywhere rx_queue->page_ring is used.
In this way, we don't need to alloc and free the channels frequently and
can finish most of the job.
The patch is something like the following.
diff --git a/drivers/net/ethernet/sfc/rx_common.c
b/drivers/net/ethernet/sfc/rx_common.c
index 68fc7d317693..7172b5fcc104 100644
--- a/drivers/net/ethernet/sfc/rx_common.c
+++ b/drivers/net/ethernet/sfc/rx_common.c
@@ -45,6 +45,9 @@ static struct page *efx_reuse_page(struct efx_rx_queue
*rx_queue)
unsigned int index;
struct page *page;
+ if (!rx_queue->page_ring)
+ return NULL;
+
index = rx_queue->page_remove &
rx_queue->page_ptr_mask;
page = rx_queue->page_ring[index];
if (page == NULL)
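Review bot: the added `if (!rx_queue->page_ring)` guard protects only `efx_reuse_page()`, while the message proposes checking everywhere `rx_queue->page_ring` is used, so the other users need the same guard in this patch for the approach to hold. The diff is also against `drivers/net/ethernet/sfc/rx_common.c`, whereas the 4.19.223 diffstat lists `drivers/net/ethernet/sfc/falcon/rx.c`, so please say which tree this is meant for. The hunk header and the `index = ...` line are wrapped by the mailer and need to be resent unwrapped for the patch to apply.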