December 2022 - Linux-stable-mirror

[PATCH v4 1/2] ceph: switch to vfs_inode_has_locks() to fix file lock bug

by xiubli＠redhat.com

From: Xiubo Li <xiubli(a)redhat.com> For the POSIX locks they are using the same owner, which is the thread id. And multiple POSIX locks could be merged into single one, so when checking whether the 'file' has locks may fail. For a file where some openers use locking and others don't is a really odd usage pattern though. Locks are like stoplights -- they only work if everyone pays attention to them. Just switch ceph_get_caps() to check whether any locks are set on the inode. If there are POSIX/OFD/FLOCK locks on the file at the time, we should set CHECK_FILELOCK, regardless of what fd was used to set the lock. Cc: stable(a)vger.kernel.org Fixes: ff5d913dfc71 ("ceph: return -EIO if read/write against filp that lost file locks") Cc: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Xiubo Li <xiubli(a)redhat.com> --- fs/ceph/caps.c | 2 +- fs/ceph/locks.c | 4 ---- fs/ceph/super.h | 1 - 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 065e9311b607..948136f81fc8 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -2964,7 +2964,7 @@ int ceph_get_caps(struct file *filp, int need, int want, loff_t endoff, int *got while (true) { flags &= CEPH_FILE_MODE_MASK; - if (atomic_read(&fi->num_locks)) + if (vfs_inode_has_locks(inode)) flags |= CHECK_FILELOCK; _got = 0; ret = try_get_cap_refs(inode, need, want, endoff, diff --git a/fs/ceph/locks.c b/fs/ceph/locks.c index 3e2843e86e27..b191426bf880 100644 --- a/fs/ceph/locks.c +++ b/fs/ceph/locks.c @@ -32,18 +32,14 @@ void __init ceph_flock_init(void) static void ceph_fl_copy_lock(struct file_lock *dst, struct file_lock *src) { - struct ceph_file_info *fi = dst->fl_file->private_data; struct inode *inode = file_inode(dst->fl_file); atomic_inc(&ceph_inode(inode)->i_filelock_ref); - atomic_inc(&fi->num_locks); } static void ceph_fl_release_lock(struct file_lock *fl) { - struct ceph_file_info *fi = fl->fl_file->private_data; struct inode *inode = file_inode(fl->fl_file); struct ceph_inode_info *ci = ceph_inode(inode); - atomic_dec(&fi->num_locks); if (atomic_dec_and_test(&ci->i_filelock_ref)) { /* clear error when all locks are released */ spin_lock(&ci->i_ceph_lock); diff --git a/fs/ceph/super.h b/fs/ceph/super.h index 14454f464029..e7662ff6f149 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -804,7 +804,6 @@ struct ceph_file_info { struct list_head rw_contexts; u32 filp_gen; - atomic_t num_locks; }; struct ceph_dir_file_info { -- 2.31.1

2 years

1
0
0 0

[PATCH 4.9 00/31] 4.9.336-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.336 release. There are 31 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 Dec 2022 13:08:57 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.336-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.336-rc1 Dan Carpenter <error27(a)gmail.com> net: mvneta: Fix an out of bounds check Yang Yingliang <yangyingliang(a)huawei.com> net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() Juergen Gross <jgross(a)suse.com> xen/netback: fix build warning Zhang Changzhong <zhangchangzhong(a)huawei.com> ethernet: aeroflex: fix potential skb leak in greth_init_rings() YueHaibing <yuehaibing(a)huawei.com> tipc: Fix potential OOB in tipc_link_proto_rcv() Liu Jian <liujian56(a)huawei.com> net: hisilicon: Fix potential use-after-free in hix5hd2_rx() Liu Jian <liujian56(a)huawei.com> net: hisilicon: Fix potential use-after-free in hisi_femac_rx() Kees Cook <keescook(a)chromium.org> NFC: nci: Bounds check struct nfc_target arrays Dan Carpenter <error27(a)gmail.com> net: mvneta: Prevent out of bounds read in mvneta_config_rss() Valentina Goncharenko <goncharenko.vp(a)ispras.ru> net: encx24j600: Fix invalid logic in reading of MISTAT register Valentina Goncharenko <goncharenko.vp(a)ispras.ru> net: encx24j600: Add parentheses to fix precedence Wei Yongjun <weiyongjun1(a)huawei.com> mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Wang ShaoBo <bobo.shaobowang(a)huawei.com> Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() Akihiko Odaki <akihiko.odaki(a)daynix.com> igb: Allocate MSI-X vector when testing Akihiko Odaki <akihiko.odaki(a)daynix.com> e1000e: Fix TX dispatch condition Xiongfeng Wang <wangxiongfeng2(a)huawei.com> gpio: amd8111: Fix PCI device reference count leak Ziyang Xuan <william.xuanziyang(a)huawei.com> ieee802154: cc2520: Fix error return code in cc2520_hw_init() ZhangPeng <zhangpeng362(a)huawei.com> HID: core: fix shift-out-of-bounds in hid_report_raw_event Anastasia Belova <abelova(a)astralinux.ru> HID: hid-lg4ff: Add check for empty lbuf Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: v4l2-dv-timings.c: fix too strict blanking sanity checks Adrian Hunter <adrian.hunter(a)intel.com> mmc: sdhci: Fix voltage switch delay Masahiro Yamada <yamada.masahiro(a)socionext.com> mmc: sdhci: use FIELD_GET for preset value bit masks Connor Shu <Connor.Shu(a)ibm.com> rcutorture: Automatically create initrd directory Juergen Gross <jgross(a)suse.com> xen/netback: don't call kfree_skb() with interrupts disabled Juergen Gross <jgross(a)suse.com> xen/netback: do some code cleanup Ross Lagerwall <ross.lagerwall(a)citrix.com> xen/netback: Ensure protocol headers don't fall in the non-linear area Srinivasa Rao Mandadapu <quic_srivasam(a)quicinc.com> ASoC: soc-pcm: Add NULL check in BE reparenting Kees Cook <keescook(a)chromium.org> ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event Tomislav Novak <tnovak(a)fb.com> ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: fix ir-receiver node names Sebastian Reichel <sebastian.reichel(a)collabora.com> arm: dts: rockchip: fix node name for hym8563 rtc ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/rk3036-evb.dts | 2 +- arch/arm/boot/dts/rk3188-radxarock.dts | 2 +- arch/arm/boot/dts/rk3288-evb-act8846.dts | 2 +- arch/arm/boot/dts/rk3288-firefly.dtsi | 2 +- arch/arm/boot/dts/rk3288-miqi.dts | 2 +- arch/arm/boot/dts/rk3288-rock2-square.dts | 2 +- arch/arm/include/asm/perf_event.h | 2 +- drivers/gpio/gpio-amd8111.c | 4 + drivers/hid/hid-core.c | 3 + drivers/hid/hid-lg4ff.c | 6 + drivers/media/v4l2-core/v4l2-dv-timings.c | 20 +- drivers/mmc/host/sdhci.c | 73 +++++-- drivers/mmc/host/sdhci.h | 12 +- drivers/net/ethernet/aeroflex/greth.c | 1 + drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +- drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +- drivers/net/ethernet/intel/e1000e/netdev.c | 4 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 + drivers/net/ethernet/marvell/mvneta.c | 2 +- drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 +- drivers/net/ieee802154/cc2520.c | 2 +- drivers/net/plip/plip.c | 4 +- drivers/net/xen-netback/common.h | 14 +- drivers/net/xen-netback/interface.c | 22 +- drivers/net/xen-netback/netback.c | 229 ++++++++++++--------- drivers/net/xen-netback/rx.c | 10 +- net/bluetooth/6lowpan.c | 1 + net/mac802154/iface.c | 1 + net/nfc/nci/ntf.c | 6 + net/tipc/link.c | 4 +- sound/core/seq/seq_memory.c | 11 +- sound/soc/soc-pcm.c | 2 + tools/testing/selftests/rcutorture/bin/kvm.sh | 8 + tools/testing/selftests/rcutorture/bin/mkinitrd.sh | 60 ++++++ 35 files changed, 342 insertions(+), 185 deletions(-)

2 years

7
38
0 0

[PATCH 4.14 00/38] 4.14.302-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.302 release. There are 38 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 Dec 2022 13:08:57 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.302-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.302-rc1 Dan Carpenter <error27(a)gmail.com> net: mvneta: Fix an out of bounds check Eric Dumazet <edumazet(a)google.com> ipv6: avoid use-after-free in ip6_fragment() Yang Yingliang <yangyingliang(a)huawei.com> net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() Juergen Gross <jgross(a)suse.com> xen/netback: fix build warning Zhang Changzhong <zhangchangzhong(a)huawei.com> ethernet: aeroflex: fix potential skb leak in greth_init_rings() YueHaibing <yuehaibing(a)huawei.com> tipc: Fix potential OOB in tipc_link_proto_rcv() Liu Jian <liujian56(a)huawei.com> net: hisilicon: Fix potential use-after-free in hix5hd2_rx() Liu Jian <liujian56(a)huawei.com> net: hisilicon: Fix potential use-after-free in hisi_femac_rx() Jisheng Zhang <jszhang(a)kernel.org> net: stmmac: fix "snps,axi-config" node property parsing Kees Cook <keescook(a)chromium.org> NFC: nci: Bounds check struct nfc_target arrays Dan Carpenter <error27(a)gmail.com> net: mvneta: Prevent out of bounds read in mvneta_config_rss() Valentina Goncharenko <goncharenko.vp(a)ispras.ru> net: encx24j600: Fix invalid logic in reading of MISTAT register Valentina Goncharenko <goncharenko.vp(a)ispras.ru> net: encx24j600: Add parentheses to fix precedence Wei Yongjun <weiyongjun1(a)huawei.com> mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Wang ShaoBo <bobo.shaobowang(a)huawei.com> Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() Akihiko Odaki <akihiko.odaki(a)daynix.com> igb: Allocate MSI-X vector when testing Akihiko Odaki <akihiko.odaki(a)daynix.com> e1000e: Fix TX dispatch condition Xiongfeng Wang <wangxiongfeng2(a)huawei.com> gpio: amd8111: Fix PCI device reference count leak Hauke Mehrtens <hauke(a)hauke-m.de> ca8210: Fix crash by zero initializing data Ziyang Xuan <william.xuanziyang(a)huawei.com> ieee802154: cc2520: Fix error return code in cc2520_hw_init() ZhangPeng <zhangpeng362(a)huawei.com> HID: core: fix shift-out-of-bounds in hid_report_raw_event Anastasia Belova <abelova(a)astralinux.ru> HID: hid-lg4ff: Add check for empty lbuf Thomas Huth <thuth(a)redhat.com> KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field Tejun Heo <tj(a)kernel.org> memcg: fix possible use-after-free in memcg_write_event_control() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: v4l2-dv-timings.c: fix too strict blanking sanity checks Connor Shu <Connor.Shu(a)ibm.com> rcutorture: Automatically create initrd directory Juergen Gross <jgross(a)suse.com> xen/netback: don't call kfree_skb() with interrupts disabled Juergen Gross <jgross(a)suse.com> xen/netback: do some code cleanup Ross Lagerwall <ross.lagerwall(a)citrix.com> xen/netback: Ensure protocol headers don't fall in the non-linear area Davide Tronchin <davide.tronchin.94(a)gmail.com> net: usb: qmi_wwan: add u-blox 0x1342 composition Andreas Kemnade <andreas(a)kemnade.info> regulator: twl6030: fix get status of twl6032 regulators Srinivasa Rao Mandadapu <quic_srivasam(a)quicinc.com> ASoC: soc-pcm: Add NULL check in BE reparenting Kees Cook <keescook(a)chromium.org> ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188 Giulio Benetti <giulio.benetti(a)benettiengineering.com> ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation Tomislav Novak <tnovak(a)fb.com> ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: fix ir-receiver node names Sebastian Reichel <sebastian.reichel(a)collabora.com> arm: dts: rockchip: fix node name for hym8563 rtc ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/rk3036-evb.dts | 2 +- arch/arm/boot/dts/rk3188-radxarock.dts | 2 +- arch/arm/boot/dts/rk3188.dtsi | 1 - arch/arm/boot/dts/rk3288-evb-act8846.dts | 2 +- arch/arm/boot/dts/rk3288-firefly.dtsi | 2 +- arch/arm/boot/dts/rk3288-miqi.dts | 2 +- arch/arm/boot/dts/rk3288-rock2-square.dts | 2 +- arch/arm/boot/dts/rk3xxx.dtsi | 7 + arch/arm/include/asm/perf_event.h | 2 +- arch/arm/include/asm/pgtable-nommu.h | 6 - arch/arm/include/asm/pgtable.h | 16 +- arch/arm/mm/nommu.c | 19 ++ arch/s390/kvm/vsie.c | 4 +- drivers/gpio/gpio-amd8111.c | 4 + drivers/hid/hid-core.c | 3 + drivers/hid/hid-lg4ff.c | 6 + drivers/media/v4l2-core/v4l2-dv-timings.c | 20 +- drivers/net/ethernet/aeroflex/greth.c | 1 + drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +- drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +- drivers/net/ethernet/intel/e1000e/netdev.c | 4 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 + drivers/net/ethernet/marvell/mvneta.c | 2 +- drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 +- .../net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 +- drivers/net/ieee802154/ca8210.c | 2 +- drivers/net/ieee802154/cc2520.c | 2 +- drivers/net/plip/plip.c | 4 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/xen-netback/common.h | 14 +- drivers/net/xen-netback/interface.c | 22 +- drivers/net/xen-netback/netback.c | 229 ++++++++++++--------- drivers/net/xen-netback/rx.c | 10 +- drivers/regulator/twl6030-regulator.c | 15 +- include/linux/cgroup.h | 1 + kernel/cgroup/cgroup-internal.h | 1 - mm/memcontrol.c | 15 +- net/bluetooth/6lowpan.c | 1 + net/ipv6/ip6_output.c | 5 + net/mac802154/iface.c | 1 + net/nfc/nci/ntf.c | 6 + net/tipc/link.c | 4 +- sound/core/seq/seq_memory.c | 11 +- sound/soc/soc-pcm.c | 2 + tools/testing/selftests/rcutorture/bin/kvm.sh | 8 + tools/testing/selftests/rcutorture/bin/mkinitrd.sh | 60 ++++++ 47 files changed, 350 insertions(+), 193 deletions(-)

2 years

4
41
0 0

[PATCH 1/1] crypto: ccp - Allocate TEE ring and cmd buffer using DMA APIs

by Rijo Thomas

For AMD Secure Processor (ASP) to map and access TEE ring buffer, the ring buffer address sent by host to ASP must be a real physical address and the pages must be physically contiguous. In a virtualized environment though, when the driver is running in a guest VM, the pages allocated by __get_free_pages() may not be contiguous in the host (or machine) physical address space. Guests will see a guest (or pseudo) physical address and not the actual host (or machine) physical address. The TEE running on ASP cannot decipher pseudo physical addresses. It needs host or machine physical address. To resolve this problem, use DMA APIs for allocating buffers that must be shared with TEE. This will ensure that the pages are contiguous in host (or machine) address space. If the DMA handle is an IOVA, translate it into a physical address before sending it to ASP. This patch also exports two APIs (one for buffer allocation and another to free the buffer). This API can be used by AMD-TEE driver to share buffers with TEE. Fixes: 33960acccfbd ("crypto: ccp - add TEE support for Raven Ridge") Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Rijo Thomas <Rijo-john.Thomas(a)amd.com> Co-developed-by: Jeshwanth <JESHWANTHKUMAR.NK(a)amd.com> Signed-off-by: Jeshwanth <JESHWANTHKUMAR.NK(a)amd.com> Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy(a)amd.com> --- drivers/crypto/ccp/psp-dev.c | 6 +- drivers/crypto/ccp/tee-dev.c | 116 ++++++++++++++++++++++------------- drivers/crypto/ccp/tee-dev.h | 9 +-- include/linux/psp-tee.h | 47 ++++++++++++++ 4 files changed, 127 insertions(+), 51 deletions(-) diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c index c9c741ac8442..2b86158d7435 100644 --- a/drivers/crypto/ccp/psp-dev.c +++ b/drivers/crypto/ccp/psp-dev.c @@ -161,13 +161,13 @@ int psp_dev_init(struct sp_device *sp) goto e_err; } + if (sp->set_psp_master_device) + sp->set_psp_master_device(sp); + ret = psp_init(psp); if (ret) goto e_irq; - if (sp->set_psp_master_device) - sp->set_psp_master_device(sp); - /* Enable interrupt */ iowrite32(-1, psp->io_regs + psp->vdata->inten_reg); diff --git a/drivers/crypto/ccp/tee-dev.c b/drivers/crypto/ccp/tee-dev.c index 5c9d47f3be37..1631d9851e54 100644 --- a/drivers/crypto/ccp/tee-dev.c +++ b/drivers/crypto/ccp/tee-dev.c @@ -12,8 +12,9 @@ #include <linux/mutex.h> #include <linux/delay.h> #include <linux/slab.h> +#include <linux/dma-direct.h> +#include <linux/iommu.h> #include <linux/gfp.h> -#include <linux/psp-sev.h> #include <linux/psp-tee.h> #include "psp-dev.h" @@ -21,25 +22,64 @@ static bool psp_dead; +struct dma_buffer *psp_tee_alloc_dmabuf(unsigned long size, gfp_t gfp) +{ + struct psp_device *psp = psp_get_master_device(); + struct dma_buffer *dma_buf; + struct iommu_domain *dom; + + if (!psp || !size) + return NULL; + + dma_buf = kzalloc(sizeof(*dma_buf), GFP_KERNEL); + if (!dma_buf) + return NULL; + + dma_buf->vaddr = dma_alloc_coherent(psp->dev, size, &dma_buf->dma, gfp); + if (!dma_buf->vaddr || !dma_buf->dma) { + kfree(dma_buf); + return NULL; + } + + dma_buf->size = size; + + dom = iommu_get_domain_for_dev(psp->dev); + if (dom) + dma_buf->paddr = iommu_iova_to_phys(dom, dma_buf->dma); + else + dma_buf->paddr = dma_buf->dma; + + return dma_buf; +} +EXPORT_SYMBOL(psp_tee_alloc_dmabuf); + +void psp_tee_free_dmabuf(struct dma_buffer *dma_buf) +{ + struct psp_device *psp = psp_get_master_device(); + + if (!psp || !dma_buf) + return; + + dma_free_coherent(psp->dev, dma_buf->size, + dma_buf->vaddr, dma_buf->dma); + + kfree(dma_buf); +} +EXPORT_SYMBOL(psp_tee_free_dmabuf); + static int tee_alloc_ring(struct psp_tee_device *tee, int ring_size) { struct ring_buf_manager *rb_mgr = &tee->rb_mgr; - void *start_addr; if (!ring_size) return -EINVAL; - /* We need actual physical address instead of DMA address, since - * Trusted OS running on AMD Secure Processor will map this region - */ - start_addr = (void *)__get_free_pages(GFP_KERNEL, get_order(ring_size)); - if (!start_addr) + rb_mgr->ring_buf = psp_tee_alloc_dmabuf(ring_size, + GFP_KERNEL | __GFP_ZERO); + if (!rb_mgr->ring_buf) { + dev_err(tee->dev, "ring allocation failed\n"); return -ENOMEM; - - memset(start_addr, 0x0, ring_size); - rb_mgr->ring_start = start_addr; - rb_mgr->ring_size = ring_size; - rb_mgr->ring_pa = __psp_pa(start_addr); + } mutex_init(&rb_mgr->mutex); return 0; @@ -49,15 +89,8 @@ static void tee_free_ring(struct psp_tee_device *tee) { struct ring_buf_manager *rb_mgr = &tee->rb_mgr; - if (!rb_mgr->ring_start) - return; + psp_tee_free_dmabuf(rb_mgr->ring_buf); - free_pages((unsigned long)rb_mgr->ring_start, - get_order(rb_mgr->ring_size)); - - rb_mgr->ring_start = NULL; - rb_mgr->ring_size = 0; - rb_mgr->ring_pa = 0; mutex_destroy(&rb_mgr->mutex); } @@ -81,35 +114,36 @@ static int tee_wait_cmd_poll(struct psp_tee_device *tee, unsigned int timeout, return -ETIMEDOUT; } -static -struct tee_init_ring_cmd *tee_alloc_cmd_buffer(struct psp_tee_device *tee) +struct dma_buffer *tee_alloc_cmd_buffer(struct psp_tee_device *tee) { struct tee_init_ring_cmd *cmd; + struct dma_buffer *cmd_buffer; - cmd = kzalloc(sizeof(*cmd), GFP_KERNEL); - if (!cmd) + cmd_buffer = psp_tee_alloc_dmabuf(sizeof(*cmd), + GFP_KERNEL | __GFP_ZERO); + if (!cmd_buffer) return NULL; - cmd->hi_addr = upper_32_bits(tee->rb_mgr.ring_pa); - cmd->low_addr = lower_32_bits(tee->rb_mgr.ring_pa); - cmd->size = tee->rb_mgr.ring_size; + cmd = (struct tee_init_ring_cmd *)cmd_buffer->vaddr; + cmd->hi_addr = upper_32_bits(tee->rb_mgr.ring_buf->paddr); + cmd->low_addr = lower_32_bits(tee->rb_mgr.ring_buf->paddr); + cmd->size = tee->rb_mgr.ring_buf->size; dev_dbg(tee->dev, "tee: ring address: high = 0x%x low = 0x%x size = %u\n", cmd->hi_addr, cmd->low_addr, cmd->size); - return cmd; + return cmd_buffer; } -static inline void tee_free_cmd_buffer(struct tee_init_ring_cmd *cmd) +static inline void tee_free_cmd_buffer(struct dma_buffer *cmd_buffer) { - kfree(cmd); + psp_tee_free_dmabuf(cmd_buffer); } static int tee_init_ring(struct psp_tee_device *tee) { int ring_size = MAX_RING_BUFFER_ENTRIES * sizeof(struct tee_ring_cmd); - struct tee_init_ring_cmd *cmd; - phys_addr_t cmd_buffer; + struct dma_buffer *cmd_buffer; unsigned int reg; int ret; @@ -123,21 +157,19 @@ static int tee_init_ring(struct psp_tee_device *tee) tee->rb_mgr.wptr = 0; - cmd = tee_alloc_cmd_buffer(tee); - if (!cmd) { + cmd_buffer = tee_alloc_cmd_buffer(tee); + if (!cmd_buffer) { tee_free_ring(tee); return -ENOMEM; } - cmd_buffer = __psp_pa((void *)cmd); - /* Send command buffer details to Trusted OS by writing to * CPU-PSP message registers */ - iowrite32(lower_32_bits(cmd_buffer), + iowrite32(lower_32_bits(cmd_buffer->paddr), tee->io_regs + tee->vdata->cmdbuff_addr_lo_reg); - iowrite32(upper_32_bits(cmd_buffer), + iowrite32(upper_32_bits(cmd_buffer->paddr), tee->io_regs + tee->vdata->cmdbuff_addr_hi_reg); iowrite32(TEE_RING_INIT_CMD, tee->io_regs + tee->vdata->cmdresp_reg); @@ -157,7 +189,7 @@ static int tee_init_ring(struct psp_tee_device *tee) } free_buf: - tee_free_cmd_buffer(cmd); + tee_free_cmd_buffer(cmd_buffer); return ret; } @@ -167,7 +199,7 @@ static void tee_destroy_ring(struct psp_tee_device *tee) unsigned int reg; int ret; - if (!tee->rb_mgr.ring_start) + if (!tee->rb_mgr.ring_buf->vaddr) return; if (psp_dead) @@ -256,7 +288,7 @@ static int tee_submit_cmd(struct psp_tee_device *tee, enum tee_cmd_id cmd_id, do { /* Get pointer to ring buffer command entry */ cmd = (struct tee_ring_cmd *) - (tee->rb_mgr.ring_start + tee->rb_mgr.wptr); + (tee->rb_mgr.ring_buf->vaddr + tee->rb_mgr.wptr); rptr = ioread32(tee->io_regs + tee->vdata->ring_rptr_reg); @@ -305,7 +337,7 @@ static int tee_submit_cmd(struct psp_tee_device *tee, enum tee_cmd_id cmd_id, /* Update local copy of write pointer */ tee->rb_mgr.wptr += sizeof(struct tee_ring_cmd); - if (tee->rb_mgr.wptr >= tee->rb_mgr.ring_size) + if (tee->rb_mgr.wptr >= tee->rb_mgr.ring_buf->size) tee->rb_mgr.wptr = 0; /* Trigger interrupt to Trusted OS */ diff --git a/drivers/crypto/ccp/tee-dev.h b/drivers/crypto/ccp/tee-dev.h index 49d26158b71e..9238487ee8bf 100644 --- a/drivers/crypto/ccp/tee-dev.h +++ b/drivers/crypto/ccp/tee-dev.h @@ -16,6 +16,7 @@ #include <linux/device.h> #include <linux/mutex.h> +#include <linux/psp-tee.h> #define TEE_DEFAULT_TIMEOUT 10 #define MAX_BUFFER_SIZE 988 @@ -48,17 +49,13 @@ struct tee_init_ring_cmd { /** * struct ring_buf_manager - Helper structure to manage ring buffer. - * @ring_start: starting address of ring buffer - * @ring_size: size of ring buffer in bytes - * @ring_pa: physical address of ring buffer * @wptr: index to the last written entry in ring buffer + * @ring_buf: ring buffer allocated using DMA api */ struct ring_buf_manager { struct mutex mutex; /* synchronizes access to ring buffer */ - void *ring_start; - u32 ring_size; - phys_addr_t ring_pa; u32 wptr; + struct dma_buffer *ring_buf; }; struct psp_tee_device { diff --git a/include/linux/psp-tee.h b/include/linux/psp-tee.h index cb0c95d6d76b..c0fa922f24d4 100644 --- a/include/linux/psp-tee.h +++ b/include/linux/psp-tee.h @@ -13,6 +13,7 @@ #include <linux/types.h> #include <linux/errno.h> +#include <linux/dma-mapping.h> /* This file defines the Trusted Execution Environment (TEE) interface commands * and the API exported by AMD Secure Processor driver to communicate with @@ -40,6 +41,20 @@ enum tee_cmd_id { TEE_CMD_ID_UNMAP_SHARED_MEM, }; +/** + * struct dma_buffer - Structure for a DMA buffer. + * @dma: DMA buffer address + * @paddr: Physical address of DMA buffer + * @vaddr: CPU virtual address of DMA buffer + * @size: Size of DMA buffer in bytes + */ +struct dma_buffer { + dma_addr_t dma; + phys_addr_t paddr; + void *vaddr; + unsigned long size; +}; + #ifdef CONFIG_CRYPTO_DEV_SP_PSP /** * psp_tee_process_cmd() - Process command in Trusted Execution Environment @@ -75,6 +90,28 @@ int psp_tee_process_cmd(enum tee_cmd_id cmd_id, void *buf, size_t len, */ int psp_check_tee_status(void); +/** + * psp_tee_alloc_dmabuf() - Allocates memory of requested size and flags using + * dma_alloc_coherent() API. + * + * This function can be used to allocate a shared memory region between the + * host and PSP TEE. + * + * Returns: + * non-NULL a valid pointer to struct dma_buffer + * NULL on failure + */ +struct dma_buffer *psp_tee_alloc_dmabuf(unsigned long size, gfp_t gfp); + +/** + * psp_tee_free_dmabuf() - Deallocates memory using dma_free_coherent() API. + * + * This function can be used to release shared memory region between host + * and PSP TEE. + * + */ +void psp_tee_free_dmabuf(struct dma_buffer *dma_buffer); + #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ static inline int psp_tee_process_cmd(enum tee_cmd_id cmd_id, void *buf, @@ -87,5 +124,15 @@ static inline int psp_check_tee_status(void) { return -ENODEV; } + +static inline +struct dma_buffer *psp_tee_alloc_dmabuf(unsigned long size, gfp_t gfp) +{ + return NULL; +} + +static inline void psp_tee_free_dmabuf(struct dma_buffer *dma_buffer) +{ +} #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ #endif /* __PSP_TEE_H_ */ -- 2.25.1

2 years

4
9
0 0

[PATCH] pipe: avoid creating empty pipe buffers

by Wiktor Garbacz

pipe_write cannot be called on notification pipes so post_one_notification cannot race it. Locking and second pipe_full check are thus redundant. This fixes an issue where pipe write could unexpectedly block: // Assume there is no reader or reader polls and uses FIONREAD ioctl // to read all the available bytes. for (int i = 0; i < PIPE_DEF_BUFFERS+1; ++i) { write(pipe_fd, buf_that_efaults, PAGE_SIZE); } // Never reached Fixes: a194dfe6e6f6 ("pipe: Rearrange sequence in pipe_write() to preallocate slot") Cc: stable(a)vger.kernel.org Signed-off-by: Wiktor Garbacz <wiktorg(a)google.com> --- fs/pipe.c | 35 +++++++++-------------------------- 1 file changed, 9 insertions(+), 26 deletions(-) diff --git a/fs/pipe.c b/fs/pipe.c index 42c7ff41c2db..87356a2823cf 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -501,43 +501,26 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from) pipe->tmp_page = page; } - /* Allocate a slot in the ring in advance and attach an - * empty buffer. If we fault or otherwise fail to use - * it, either the reader will consume it or it'll still - * be there for the next write. - */ - spin_lock_irq(&pipe->rd_wait.lock); - - head = pipe->head; - if (pipe_full(head, pipe->tail, pipe->max_usage)) { - spin_unlock_irq(&pipe->rd_wait.lock); - continue; + copied = copy_page_from_iter(page, 0, PAGE_SIZE, from); + if (unlikely(copied < PAGE_SIZE && iov_iter_count(from))) { + if (!ret) + ret = -EFAULT; + break; } - - pipe->head = head + 1; - spin_unlock_irq(&pipe->rd_wait.lock); + ret += copied; /* Insert it into the buffer array */ - buf = &pipe->bufs[head & mask]; buf->page = page; buf->ops = &anon_pipe_buf_ops; buf->offset = 0; - buf->len = 0; + buf->len = copied; if (is_packetized(filp)) buf->flags = PIPE_BUF_FLAG_PACKET; else buf->flags = PIPE_BUF_FLAG_CAN_MERGE; pipe->tmp_page = NULL; - - copied = copy_page_from_iter(page, 0, PAGE_SIZE, from); - if (unlikely(copied < PAGE_SIZE && iov_iter_count(from))) { - if (!ret) - ret = -EFAULT; - break; - } - ret += copied; - buf->offset = 0; - buf->len = copied; + head++; + pipe->head = head; if (!iov_iter_count(from)) break; -- 2.39.0.rc1.256.g54fd8350bd-goog

2 years

1
0
0 0

Project Funding.

by Andrew Schneider

Good day, Attn: Ceo/Owner. We are currently funding existing and pre-existing projects at an affordable rate. Business Loans and Expansion Capital is also welcome upon review of your project(s) brief/literature. If interested, never hesitate to contact us for further correspondence. Regards. Andrew Schneider Senior Portfolio Director Aivon Funding Group Limited.

2 years

1
0
0 0

[PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

by Biju Das

The value returned by usb_role_switch_get() can be NULL and it leads to NULL pointer crash. This patch fixes this issue by adding NULL check for the role switch handle. [ 25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT) [ 25.344991] Workqueue: events_unbound deferred_probe_work_func [ 25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] [ 25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3] [ 25.370986] sp : ffff80000a4b3a40 [ 25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000 [ 25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178 [ 25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000 [ 25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020 [ 25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000 [ 25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001 [ 25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770 [ 25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590 [ 25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4 [ 25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218 [ 25.445942] Call trace: [ 25.448398] renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] [ 25.454613] renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3] [ 25.460908] usb_role_switch_set_role+0x44/0xa4 [ 25.465468] hd3ss3220_set_role+0xa0/0x100 [hd3ss3220] [ 25.470635] hd3ss3220_probe+0x118/0x2fc [hd3ss3220] [ 25.475621] i2c_device_probe+0x338/0x384 Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: passing zero to 'PTR_ERR'") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- This issue triggered on RZ/G2E board, where there is no USB3 firmware and it returned a null role switch handle. v1->v2: * Make it as individual patch * Added Cc tag --- drivers/usb/typec/hd3ss3220.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/typec/hd3ss3220.c b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9 100644 --- a/drivers/usb/typec/hd3ss3220.c +++ b/drivers/usb/typec/hd3ss3220.c @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client *client, hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev); } - if (IS_ERR(hd3ss3220->role_sw)) { + if (!hd3ss3220->role_sw) { + ret = -ENODEV; + goto err_put_fwnode; + } else if (IS_ERR(hd3ss3220->role_sw)) { ret = PTR_ERR(hd3ss3220->role_sw); goto err_put_fwnode; } -- 2.25.1

2 years

2
6
0 0

[PATCH stable 4.14.y] block: unhash blkdev part inode when the part is deleted

by Ming Lei

v5.11 changes the blkdev lookup mechanism completely since commit 22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get"), and small part of the change is to unhash part bdev inode when deleting partition. Turns out this kind of change does fix one nasty issue in case of BLOCK_EXT_MAJOR: 1) when one partition is deleted & closed, disk_put_part() is always called before bdput(bdev), see blkdev_put(); so the part's devt can be freed & re-used before the inode is dropped 2) then new partition with same devt can be created just before the inode in 1) is dropped, then the old inode/bdev structurein 1) is re-used for this new partition, this way causes use-after-free and kernel panic. It isn't possible to backport the whole big patchset of "merge struct block_device and struct hd_struct v4" for addressing this issue. https://lore.kernel.org/linux-block/20201128161510.347752-1-hch@lst.de/ So fixes it by unhashing part bdev in delete_partition(), and this way is actually aligned with v5.11+'s behavior. Backported from the following 5.10.y commit: 5f2f77560591 ("block: unhash blkdev part inode when the part is deleted") Reported-by: Shiwei Cui <cuishw(a)inspur.com> Tested-by: Shiwei Cui <cuishw(a)inspur.com> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Jan Kara <jack(a)suse.cz> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> --- block/partition-generic.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/block/partition-generic.c b/block/partition-generic.c index db57cced9b98..68bd04d044b9 100644 --- a/block/partition-generic.c +++ b/block/partition-generic.c @@ -270,6 +270,7 @@ void delete_partition(struct gendisk *disk, int partno) struct disk_part_tbl *ptbl = rcu_dereference_protected(disk->part_tbl, 1); struct hd_struct *part; + struct block_device *bdev; if (partno >= ptbl->len) return; @@ -283,6 +284,11 @@ void delete_partition(struct gendisk *disk, int partno) kobject_put(part->holder_dir); device_del(part_to_dev(part)); + bdev = bdget(part_devt(part)); + if (bdev) { + remove_inode_hash(bdev->bd_inode); + bdput(bdev); + } hd_struct_kill(part); } -- 2.38.1

2 years

2
1
0 0

[PATCH stable 5.4.y/4.19.y] block: unhash blkdev part inode when the part is deleted

by Ming Lei

v5.11 changes the blkdev lookup mechanism completely since commit 22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get"), and small part of the change is to unhash part bdev inode when deleting partition. Turns out this kind of change does fix one nasty issue in case of BLOCK_EXT_MAJOR: 1) when one partition is deleted & closed, disk_put_part() is always called before bdput(bdev), see blkdev_put(); so the part's devt can be freed & re-used before the inode is dropped 2) then new partition with same devt can be created just before the inode in 1) is dropped, then the old inode/bdev structurein 1) is re-used for this new partition, this way causes use-after-free and kernel panic. It isn't possible to backport the whole big patchset of "merge struct block_device and struct hd_struct v4" for addressing this issue. https://lore.kernel.org/linux-block/20201128161510.347752-1-hch@lst.de/ So fixes it by unhashing part bdev in delete_partition(), and this way is actually aligned with v5.11+'s behavior. Backported from the following 5.10.y commit: 5f2f77560591 ("block: unhash blkdev part inode when the part is deleted") Reported-by: Shiwei Cui <cuishw(a)inspur.com> Tested-by: Shiwei Cui <cuishw(a)inspur.com> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Jan Kara <jack(a)suse.cz> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> --- block/partition-generic.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/block/partition-generic.c b/block/partition-generic.c index aee643ce13d1..e69452c1f5ad 100644 --- a/block/partition-generic.c +++ b/block/partition-generic.c @@ -272,6 +272,7 @@ void delete_partition(struct gendisk *disk, int partno) struct disk_part_tbl *ptbl = rcu_dereference_protected(disk->part_tbl, 1); struct hd_struct *part; + struct block_device *bdev; if (partno >= ptbl->len) return; @@ -292,6 +293,12 @@ void delete_partition(struct gendisk *disk, int partno) * "in-use" until we really free the gendisk. */ blk_invalidate_devt(part_devt(part)); + + bdev = bdget(part_devt(part)); + if (bdev) { + remove_inode_hash(bdev->bd_inode); + bdput(bdev); + } hd_struct_kill(part); } -- 2.38.1

2 years

2
1
0 0

[PATCH v2 10/13] arm64: dts: qcom: sm8450: Fix the base addresses of LLCC banks

by Manivannan Sadhasivam

The LLCC block has several banks each with a different base address and holes in between. So it is not a correct approach to cover these banks with a single offset/size. Instead, the individual bank's base address needs to be specified in devicetree with the exact size. Also, let's get rid of reg-names property as it is not needed anymore. The driver is expected to parse the reg field based on index to get the addresses of each LLCC banks. Cc: <stable(a)vger.kernel.org> # 5.18 Fixes: 1dc3e50eb680 ("arm64: dts: qcom: sm8450: Add LLCC/system-cache-controller node") Reported-by: Parikshit Pareek <quic_ppareek(a)quicinc.com> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- arch/arm64/boot/dts/qcom/sm8450.dtsi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi index 570475040d95..30685857021a 100644 --- a/arch/arm64/boot/dts/qcom/sm8450.dtsi +++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi @@ -3640,8 +3640,9 @@ gem_noc: interconnect@19100000 { system-cache-controller@19200000 { compatible = "qcom,sm8450-llcc"; - reg = <0 0x19200000 0 0x580000>, <0 0x19a00000 0 0x80000>; - reg-names = "llcc_base", "llcc_broadcast_base"; + reg = <0 0x19200000 0 0x80000>, <0 0x19600000 0 0x80000>, + <0 0x19300000 0 0x80000>, <0 0x19700000 0 0x80000>, + <0 0x19a00000 0 0x80000>; interrupts = <GIC_SPI 266 IRQ_TYPE_LEVEL_HIGH>; }; -- 2.25.1

2 years

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2022