April 2024 - Linux-stable-mirror

[PATCH] init: fix allocated page overlapping with PTR_ERR

by Nam Cao

There is nothing preventing kernel memory allocators from allocating a page that overlaps with PTR_ERR(), except for architecture-specific code that setup memblock. It was discovered that RISCV architecture doesn't setup memblock corectly, leading to a page overlapping with PTR_ERR() being allocated, and subsequently crashing the kernel (link in Close: ) The reported crash has nothing to do with PTR_ERR(): the last page (at address 0xfffff000) being allocated leads to an unexpected arithmetic overflow in ext4; but still, this page shouldn't be allocated in the first place. Because PTR_ERR() is an architecture-independent thing, we shouldn't ask every single architecture to set this up. There may be other architectures beside RISCV that have the same problem. Fix this one and for all by reserving the physical memory page that may be mapped to the last virtual memory page as part of low memory. Unfortunately, this means if there is actual memory at this reserved location, that memory will become inaccessible. However, if this page is not reserved, it can only be accessed as high memory, so this doesn't matter if high memory is not supported. Even if high memory is supported, it is still only one page. Closes: https://lore.kernel.org/linux-riscv/878r1ibpdn.fsf@all.your.base.are.belong… Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: <stable(a)vger.kernel.org> # all versions --- init/main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/init/main.c b/init/main.c index 881f6230ee59..f8d2793c4641 100644 --- a/init/main.c +++ b/init/main.c @@ -900,6 +900,7 @@ void start_kernel(void) page_address_init(); pr_notice("%s", linux_banner); early_security_init(); + memblock_reserve(__pa(-PAGE_SIZE), PAGE_SIZE); /* reserve last page for ERR_PTR */ setup_arch(&command_line); setup_boot_config(); setup_command_line(command_line); -- 2.39.2

1 year

5
11
0 0

[PATCH v2] ext4: fix i_data_sem unlock order in ext4_ind_migrate()

by Mikhail Ukhin

Fuzzing reports a possible deadlock in jbd2_log_wait_commit. The problem occurs in ext4_ind_migrate due to an incorrect order of unlocking of the journal and write semaphores - the order of unlocking must be the reverse of the order of locking. Found by Linux Verification Center (linuxtesting.org) with syzkaller. Reviewed-by: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Signed-off-by: Artem Sadovnikov <ancowi69(a)gmail.com> Signed-off-by: Mikhail Ukhin <mish.uxin2012(a)yandex.ru> --- v2: New addresses have been added and Ritesh Harjani has been noted as a reviewer. fs/ext4/migrate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c index b0ea646454ac..59290356aa5b 100644 --- a/fs/ext4/migrate.c +++ b/fs/ext4/migrate.c @@ -663,8 +663,8 @@ int ext4_ind_migrate(struct inode *inode) if (unlikely(ret2 && !ret)) ret = ret2; errout: - ext4_journal_stop(handle); up_write(&EXT4_I(inode)->i_data_sem); + ext4_journal_stop(handle); out_unlock: percpu_up_write(&sbi->s_writepages_rwsem); return ret; -- 2.25.1

1 year

3
2
0 0

[PATCH AUTOSEL 4.19 1/7] tools/power turbostat: Fix added raw MSR output

by Sasha Levin

From: Doug Smythies <dsmythies(a)telus.net> [ Upstream commit e5f4e68eed85fa8495d78cd966eecc2b27bb9e53 ] When using --Summary mode, added MSRs in raw mode always print zeros. Print the actual register contents. Example, with patch: note the added column: --add msr0x64f,u32,package,raw,REASON Where: 0x64F is MSR_CORE_PERF_LIMIT_REASONS Busy% Bzy_MHz PkgTmp PkgWatt CorWatt REASON 0.00 4800 35 1.42 0.76 0x00000000 0.00 4801 34 1.42 0.76 0x00000000 80.08 4531 66 108.17 107.52 0x08000000 98.69 4530 66 133.21 132.54 0x08000000 99.28 4505 66 128.26 127.60 0x0c000400 99.65 4486 68 124.91 124.25 0x0c000400 99.63 4483 68 124.90 124.25 0x0c000400 79.34 4481 41 99.80 99.13 0x0c000000 0.00 4801 41 1.40 0.73 0x0c000000 Where, for the test processor (i5-10600K): PKG Limit #1: 125.000 Watts, 8.000000 sec MSR bit 26 = log; bit 10 = status PKG Limit #2: 136.000 Watts, 0.002441 sec MSR bit 27 = log; bit 11 = status Example, without patch: Busy% Bzy_MHz PkgTmp PkgWatt CorWatt REASON 0.01 4800 35 1.43 0.77 0x00000000 0.00 4801 35 1.39 0.73 0x00000000 83.49 4531 66 112.71 112.06 0x00000000 98.69 4530 68 133.35 132.69 0x00000000 99.31 4500 67 127.96 127.30 0x00000000 99.63 4483 69 124.91 124.25 0x00000000 99.61 4481 69 124.90 124.25 0x00000000 99.61 4481 71 124.92 124.25 0x00000000 59.35 4479 42 75.03 74.37 0x00000000 0.00 4800 42 1.39 0.73 0x00000000 0.00 4801 42 1.42 0.76 0x00000000 c000000 [lenb: simplified patch to apply only to package scope] Signed-off-by: Doug Smythies <dsmythies(a)telus.net> Signed-off-by: Len Brown <len.brown(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/power/x86/turbostat/turbostat.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c index 2233cf722c692..0eeb339482c06 100644 --- a/tools/power/x86/turbostat/turbostat.c +++ b/tools/power/x86/turbostat/turbostat.c @@ -1524,9 +1524,10 @@ int sum_counters(struct thread_data *t, struct core_data *c, average.packages.rapl_dram_perf_status += p->rapl_dram_perf_status; for (i = 0, mp = sys.pp; mp; i++, mp = mp->next) { - if (mp->format == FORMAT_RAW) - continue; - average.packages.counter[i] += p->counter[i]; + if ((mp->format == FORMAT_RAW) && (topo.num_packages == 0)) + average.packages.counter[i] = p->counter[i]; + else + average.packages.counter[i] += p->counter[i]; } return 0; } -- 2.43.0

1 year

2
8
0 0

filtering stable patches in lore queries

by Jason A. Donenfeld

Hi, Greg and Sasha add the "X-stable: review" to their patch bombs, with the intention that people will be able to filter these out should they desire to do so. For example, I usually want all threads that match code I care about, but I don't regularly want to see thousand-patch stable series. So this header is helpful. However, I'm not able to formulate a query for lore (to pass to `lei q`) that will match on negating it. The idea would be to exclude the thread if the parent has this header. It looks like public inbox might only index on some headers, but can't generically search all? I'm not sure how it works, but queries only seem to half way work when searching for that header. In the meantime, I've been using this ugly bash script, which gets the job done, but means I have to download everything locally first: #!/bin/bash PWD="${BASH_SOURCE[0]}" PWD="${PWD%/*}" set -e cd "$PWD" echo "[+] Syncing new mail" >&2 lei up "$PWD" echo "[+] Cleaning up stable patch bombs" >&2 mapfile -d $'\0' -t parents < <(grep -F -x -Z -r -l 'X-stable: review' cur tmp new) { [[ -f stable-message-ids ]] && cat stable-message-ids [[ ${#parents[@]} -gt 0 ]] && sed -n 's/^Message-ID: <$.*$>$/\1/p' "${parents[@]}" } | sort -u > stable-message-ids.new mv stable-message-ids.new stable-message-ids [[ -s stable-message-ids ]] || exit 0 mapfile -d $'\0' -t children < <(grep -F -Z -r -l -f - cur tmp new < stable-message-ids) total=$(( ${#parents[@]} + ${#children[@]} )) [[ $total -gt 0 ]] || exit 0 echo "# rm <...$total messages...>" >&2 rm -f "${parents[@]}" "${children[@]}" This results in something like: zx2c4@thinkpad ~/Projects/lkml $ ./update.bash [+] Syncing new mail # https://lore.kernel.org/all/ limiting ... # /usr/bin/curl -gSf -s -d '' https://lore.kernel.org/all/?x=m&t=1&q=(... [+] Cleaning up stable patch bombs # rm <...24593 messages...> It works, but it'd be nice to not even download these messages in the first place. Since I'm deleting message I don't want, I have to keep track of the message IDs of those deleted messages with the stable header in case replies come in later. That's some book keeping, sheesh! Any thoughts on this workflow? Jason

1 year

3
5
0 0

[PATCH AUTOSEL 5.4 1/8] fs/9p: only translate RWX permissions for plain 9P2000

by Sasha Levin

From: Joakim Sindholt <opensource(a)zhasha.com> [ Upstream commit cd25e15e57e68a6b18dc9323047fe9c68b99290b ] Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u. Signed-off-by: Joakim Sindholt <opensource(a)zhasha.com> Signed-off-by: Eric Van Hensbergen <ericvh(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/9p/vfs_inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c index b82423a72f685..b1107b424bf64 100644 --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c @@ -86,7 +86,7 @@ static int p9mode2perm(struct v9fs_session_info *v9ses, int res; int mode = stat->mode; - res = mode & S_IALLUGO; + res = mode & 0777; /* S_IRWXUGO */ if (v9fs_proto_dotu(v9ses)) { if ((mode & P9_DMSETUID) == P9_DMSETUID) res |= S_ISUID; -- 2.43.0

1 year

2
9
0 0

[PATCH v1] usb: typec: tcpm: unregister existing source caps before re-registration

by Amit Sunil Dhamne

Check and unregister existing source caps in tcpm_register_source_caps function before registering new ones. This change fixes following warning when port partner resends source caps after negotiating PD contract for the purpose of re-negotiation. [ 343.135030][ T151] sysfs: cannot create duplicate filename '/devices/virtual/usb_power_delivery/pd1/source-capabilities' [ 343.135071][ T151] Call trace: [ 343.135076][ T151] dump_backtrace+0xe8/0x108 [ 343.135099][ T151] show_stack+0x18/0x24 [ 343.135106][ T151] dump_stack_lvl+0x50/0x6c [ 343.135119][ T151] dump_stack+0x18/0x24 [ 343.135126][ T151] sysfs_create_dir_ns+0xe0/0x140 [ 343.135137][ T151] kobject_add_internal+0x228/0x424 [ 343.135146][ T151] kobject_add+0x94/0x10c [ 343.135152][ T151] device_add+0x1b0/0x4c0 [ 343.135187][ T151] device_register+0x20/0x34 [ 343.135195][ T151] usb_power_delivery_register_capabilities+0x90/0x20c [ 343.135209][ T151] tcpm_pd_rx_handler+0x9f0/0x15b8 [ 343.135216][ T151] kthread_worker_fn+0x11c/0x260 [ 343.135227][ T151] kthread+0x114/0x1bc [ 343.135235][ T151] ret_from_fork+0x10/0x20 [ 343.135265][ T151] kobject: kobject_add_internal failed for source-capabilities with -EEXIST, don't try to register things with the same name in the same directory. Fixes: 8203d26905ee ("usb: typec: tcpm: Register USB Power Delivery Capabilities") Cc: linux-usb(a)vger.kernel.org Cc: stable(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: Mark Brown <broonie(a)kernel.org> Signed-off-by: Amit Sunil Dhamne <amitsd(a)google.com> --- drivers/usb/typec/tcpm/tcpm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index ab6ed6111ed0..d8eb89f4f0c3 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -2996,7 +2996,7 @@ static int tcpm_register_source_caps(struct tcpm_port *port) { struct usb_power_delivery_desc desc = { port->negotiated_rev }; struct usb_power_delivery_capabilities_desc caps = { }; - struct usb_power_delivery_capabilities *cap; + struct usb_power_delivery_capabilities *cap = port->partner_source_caps; if (!port->partner_pd) port->partner_pd = usb_power_delivery_register(NULL, &desc); @@ -3006,6 +3006,9 @@ static int tcpm_register_source_caps(struct tcpm_port *port) memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps); caps.role = TYPEC_SOURCE; + if (cap) + usb_power_delivery_unregister_capabilities(cap); + cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); if (IS_ERR(cap)) return PTR_ERR(cap); base-commit: 0d31ea587709216d88183fe4ca0c8aba5e0205b8 -- 2.44.0.769.g3c40516874-goog

1 year

3
3
0 0

[PATCH] nvme-pci: Add quirk for broken MSIs

by Sean Anderson

Sandisk SN530 NVMe drives have broken MSIs. On systems without MSI-X support, all commands time out resulting in the following message: nvme nvme0: I/O tag 12 (100c) QID 0 timeout, completion polled These timeouts cause the boot to take an excessively-long time (over 20 minutes) while the initial command queue is flushed. Address this by adding a quirk for drives with buggy MSIs. The lspci output for this device (recorded on a system with MSI-X support) is: 02:00.0 Non-Volatile memory controller: Sandisk Corp Device 5008 (rev 01) (prog-if 02 [NVM Express]) Subsystem: Sandisk Corp Device 5008 Flags: bus master, fast devsel, latency 0, IRQ 16, NUMA node 0 Memory at f7e00000 (64-bit, non-prefetchable) [size=16K] Memory at f7e04000 (64-bit, non-prefetchable) [size=256] Capabilities: [80] Power Management version 3 Capabilities: [90] MSI: Enable- Count=1/32 Maskable- 64bit+ Capabilities: [b0] MSI-X: Enable+ Count=17 Masked- Capabilities: [c0] Express Endpoint, MSI 00 Capabilities: [100] Advanced Error Reporting Capabilities: [150] Device Serial Number 00-00-00-00-00-00-00-00 Capabilities: [1b8] Latency Tolerance Reporting Capabilities: [300] Secondary PCI Express Capabilities: [900] L1 PM Substates Kernel driver in use: nvme Kernel modules: nvme Cc: <stable(a)vger.kernel.org> Signed-off-by: Sean Anderson <sean.anderson(a)linux.dev> --- drivers/nvme/host/nvme.h | 5 +++++ drivers/nvme/host/pci.c | 14 +++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h index 7b87763e2f8a..738719085e05 100644 --- a/drivers/nvme/host/nvme.h +++ b/drivers/nvme/host/nvme.h @@ -162,6 +162,11 @@ enum nvme_quirks { * Disables simple suspend/resume path. */ NVME_QUIRK_FORCE_NO_SIMPLE_SUSPEND = (1 << 20), + + /* + * MSI (but not MSI-X) interrupts are broken and never fire. + */ + NVME_QUIRK_BROKEN_MSI = (1 << 21), }; /* diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index e6267a6aa380..d1f0fa2e7c96 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -2218,6 +2218,7 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues) .priv = dev, }; unsigned int irq_queues, poll_queues; + unsigned int flags = PCI_IRQ_ALL_TYPES | PCI_IRQ_AFFINITY; /* * Poll queues don't need interrupts, but we need at least one I/O queue @@ -2241,8 +2242,10 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues) irq_queues = 1; if (!(dev->ctrl.quirks & NVME_QUIRK_SINGLE_VECTOR)) irq_queues += (nr_io_queues - poll_queues); - return pci_alloc_irq_vectors_affinity(pdev, 1, irq_queues, - PCI_IRQ_ALL_TYPES | PCI_IRQ_AFFINITY, &affd); + if (dev->ctrl.quirks & NVME_QUIRK_BROKEN_MSI) + flags &= ~PCI_IRQ_MSI; + return pci_alloc_irq_vectors_affinity(pdev, 1, irq_queues, flags, + &affd); } static unsigned int nvme_max_io_queues(struct nvme_dev *dev) @@ -2471,6 +2474,7 @@ static int nvme_pci_enable(struct nvme_dev *dev) { int result = -ENOMEM; struct pci_dev *pdev = to_pci_dev(dev->dev); + unsigned int flags = PCI_IRQ_ALL_TYPES; if (pci_enable_device_mem(pdev)) return result; @@ -2487,7 +2491,9 @@ static int nvme_pci_enable(struct nvme_dev *dev) * interrupts. Pre-enable a single MSIX or MSI vec for setup. We'll * adjust this later. */ - result = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_ALL_TYPES); + if (dev->ctrl.quirks & NVME_QUIRK_BROKEN_MSI) + flags &= ~PCI_IRQ_MSI; + result = pci_alloc_irq_vectors(pdev, 1, 1, flags); if (result < 0) goto disable; @@ -3381,6 +3387,8 @@ static const struct pci_device_id nvme_id_table[] = { .driver_data = NVME_QUIRK_DELAY_BEFORE_CHK_RDY | NVME_QUIRK_DISABLE_WRITE_ZEROES| NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE(0x15b7, 0x5008), /* Sandisk SN530 */ + .driver_data = NVME_QUIRK_BROKEN_MSI }, { PCI_DEVICE(0x1987, 0x5012), /* Phison E12 */ .driver_data = NVME_QUIRK_BOGUS_NID, }, { PCI_DEVICE(0x1987, 0x5016), /* Phison E16 */ -- 2.35.1.1320.gc452695387.dirty

1 year

3
5
0 0

[PATCH v2] drivers/i915/intel_bios: Fix parsing backlight BDB data

by Karthikeyan Ramasubramanian

Starting BDB version 239, hdr_dpcd_refresh_timeout is introduced to backlight BDB data. Commit 700034566d68 ("drm/i915/bios: Define more BDB contents") updated the backlight BDB data accordingly. This broke the parsing of backlight BDB data in VBT for versions 236 - 238 (both inclusive) and hence the backlight controls are not responding on units with the concerned BDB version. backlight_control information has been present in backlight BDB data from at least BDB version 191 onwards, if not before. Hence this patch extracts the backlight_control information for BDB version 191 or newer. Tested on Chromebooks using Jasperlake SoC (reports bdb->version = 236). Tested on Chromebooks using Raptorlake SoC (reports bdb->version = 251). Fixes: 700034566d68 ("drm/i915/bios: Define more BDB contents") Cc: stable(a)vger.kernel.org Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Signed-off-by: Karthikeyan Ramasubramanian <kramasub(a)chromium.org> --- Changes in v2: - removed checking the block size of the backlight BDB data drivers/gpu/drm/i915/display/intel_bios.c | 19 ++++--------------- drivers/gpu/drm/i915/display/intel_vbt_defs.h | 5 ----- 2 files changed, 4 insertions(+), 20 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c index aa169b0055e97..8c1eb05fe77d2 100644 --- a/drivers/gpu/drm/i915/display/intel_bios.c +++ b/drivers/gpu/drm/i915/display/intel_bios.c @@ -1042,22 +1042,11 @@ parse_lfp_backlight(struct drm_i915_private *i915, panel->vbt.backlight.type = INTEL_BACKLIGHT_DISPLAY_DDI; panel->vbt.backlight.controller = 0; if (i915->display.vbt.version >= 191) { - size_t exp_size; + const struct lfp_backlight_control_method *method; - if (i915->display.vbt.version >= 236) - exp_size = sizeof(struct bdb_lfp_backlight_data); - else if (i915->display.vbt.version >= 234) - exp_size = EXP_BDB_LFP_BL_DATA_SIZE_REV_234; - else - exp_size = EXP_BDB_LFP_BL_DATA_SIZE_REV_191; - - if (get_blocksize(backlight_data) >= exp_size) { - const struct lfp_backlight_control_method *method; - - method = &backlight_data->backlight_control[panel_type]; - panel->vbt.backlight.type = method->type; - panel->vbt.backlight.controller = method->controller; - } + method = &backlight_data->backlight_control[panel_type]; + panel->vbt.backlight.type = method->type; + panel->vbt.backlight.controller = method->controller; } panel->vbt.backlight.pwm_freq_hz = entry->pwm_freq_hz; diff --git a/drivers/gpu/drm/i915/display/intel_vbt_defs.h b/drivers/gpu/drm/i915/display/intel_vbt_defs.h index a9f44abfc9fc2..b50cd0dcabda9 100644 --- a/drivers/gpu/drm/i915/display/intel_vbt_defs.h +++ b/drivers/gpu/drm/i915/display/intel_vbt_defs.h @@ -897,11 +897,6 @@ struct lfp_brightness_level { u16 reserved; } __packed; -#define EXP_BDB_LFP_BL_DATA_SIZE_REV_191 \ - offsetof(struct bdb_lfp_backlight_data, brightness_level) -#define EXP_BDB_LFP_BL_DATA_SIZE_REV_234 \ - offsetof(struct bdb_lfp_backlight_data, brightness_precision_bits) - struct bdb_lfp_backlight_data { u8 entry_size; struct lfp_backlight_data_entry data[16]; -- 2.44.0.rc0.258.g7320e95886-goog

1 year

2
2
0 0

[PATCH v4] i2c: acpi: Unbind mux adapters before delete

by Hamish Martin

There is an issue with ACPI overlay table removal specifically related to I2C multiplexers. Consider an ACPI SSDT Overlay that defines a PCA9548 I2C mux on an existing I2C bus. When this table is loaded we see the creation of a device for the overall PCA9548 chip and 8 further devices - one i2c_adapter each for the mux channels. These are all bound to their ACPI equivalents via an eventual invocation of acpi_bind_one(). When we unload the SSDT overlay we run into the problem. The ACPI devices are deleted as normal via acpi_device_del_work_fn() and the acpi_device_del_list. However, the following warning and stack trace is output as the deletion does not go smoothly: ------------[ cut here ]------------ kernfs: can not remove 'physical_node', no directory WARNING: CPU: 1 PID: 11 at fs/kernfs/dir.c:1674 kernfs_remove_by_name_ns+0xb9/0xc0 Modules linked in: CPU: 1 PID: 11 Comm: kworker/u128:0 Not tainted 6.8.0-rc6+ #1 Hardware name: congatec AG conga-B7E3/conga-B7E3, BIOS 5.13 05/16/2023 Workqueue: kacpi_hotplug acpi_device_del_work_fn RIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0 Code: e4 00 48 89 ef e8 07 71 db ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 a7 55 e4 00 0f 0b eb a6 48 c7 c7 f0 38 0d 9d e8 97 0a d5 ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffff9f864008fb28 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8ef90a8d4940 RCX: 0000000000000000 RDX: ffff8f000e267d10 RSI: ffff8f000e25c780 RDI: ffff8f000e25c780 RBP: ffff8ef9186f9870 R08: 0000000000013ffb R09: 00000000ffffbfff R10: 00000000ffffbfff R11: ffff8f000e0a0000 R12: ffff9f864008fb50 R13: ffff8ef90c93dd60 R14: ffff8ef9010d0958 R15: ffff8ef9186f98c8 FS: 0000000000000000(0000) GS:ffff8f000e240000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f48f5253a08 CR3: 00000003cb82e000 CR4: 00000000003506f0 Call Trace: <TASK> ? kernfs_remove_by_name_ns+0xb9/0xc0 ? __warn+0x7c/0x130 ? kernfs_remove_by_name_ns+0xb9/0xc0 ? report_bug+0x171/0x1a0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? kernfs_remove_by_name_ns+0xb9/0xc0 ? kernfs_remove_by_name_ns+0xb9/0xc0 acpi_unbind_one+0x108/0x180 device_del+0x18b/0x490 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f device_unregister+0xd/0x30 i2c_del_adapter.part.0+0x1bf/0x250 i2c_mux_del_adapters+0xa1/0xe0 i2c_device_remove+0x1e/0x80 device_release_driver_internal+0x19a/0x200 bus_remove_device+0xbf/0x100 device_del+0x157/0x490 ? __pfx_device_match_fwnode+0x10/0x10 ? srso_return_thunk+0x5/0x5f device_unregister+0xd/0x30 i2c_acpi_notify+0x10f/0x140 notifier_call_chain+0x58/0xd0 blocking_notifier_call_chain+0x3a/0x60 acpi_device_del_work_fn+0x85/0x1d0 process_one_work+0x134/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe3/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> ---[ end trace 0000000000000000 ]--- ... repeated 7 more times, 1 for each channel of the mux ... The issue is that the binding of the ACPI devices to their peer I2C adapters is not correctly cleaned up. Digging deeper into the issue we see that the deletion order is such that the ACPI devices matching the mux channel i2c adapters are deleted first during the SSDT overlay removal. For each of the channels we see a call to i2c_acpi_notify() with ACPI_RECONFIG_DEVICE_REMOVE but, because these devices are not actually i2c_clients, nothing is done for them. Later on, after each of the mux channels has been dealt with, we come to delete the i2c_client representing the PCA9548 device. This is the call stack we see above, whereby the kernel cleans up the i2c_client including destruction of the mux and its channel adapters. At this point we do attempt to unbind from the ACPI peers but those peers no longer exist and so we hit the kernfs errors. The fix is to augment i2c_acpi_notify() to handle i2c_adapters. But, given that the life cycle of the adapters is linked to the i2c_client, instead of deleting the i2c_adapters during the i2c_acpi_notify(), we just trigger unbinding of the ACPI device from the adapter device, and allow the clean up of the adapter to continue in the way it always has. Signed-off-by: Hamish Martin <hamish.martin(a)alliedtelesis.co.nz> Reviewed-by: Mika Westerberg <mika.westerberg(a)linux.intel.com> Reviewed-by: Andi Shyti <andi.shyti(a)kernel.org> Fixes: 525e6fabeae2 ("i2c / ACPI: add support for ACPI reconfigure notifications") Cc: <stable(a)vger.kernel.org> # v4.8+ --- Notes: v4: Resolve Build failure noted by: Linux Kernel Functional Testing <lkft(a)linaro.org>, and kernel test robot <lkp(a)intel.com> These failures led to revert of the v3 version of this patch that had been accepted earlier. v3: Add reviewed by tags (Mika Westerberg and Andi Shyti) and Fixes tag. v2: Moved long problem description from cover letter to commit description at Mika's suggestion drivers/i2c/i2c-core-acpi.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c index d6037a328669..14ae0cfc325e 100644 --- a/drivers/i2c/i2c-core-acpi.c +++ b/drivers/i2c/i2c-core-acpi.c @@ -445,6 +445,11 @@ static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev) return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev)); } +static struct i2c_adapter *i2c_acpi_find_adapter_by_adev(struct acpi_device *adev) +{ + return i2c_find_adapter_by_fwnode(acpi_fwnode_handle(adev)); +} + static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, void *arg) { @@ -471,11 +476,17 @@ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, break; client = i2c_acpi_find_client_by_adev(adev); - if (!client) - break; + if (client) { + i2c_unregister_device(client); + put_device(&client->dev); + } + + adapter = i2c_acpi_find_adapter_by_adev(adev); + if (adapter) { + acpi_unbind_one(&adapter->dev); + put_device(&adapter->dev); + } - i2c_unregister_device(client); - put_device(&client->dev); break; } -- 2.43.2

1 year

4
3
0 0

[PATCH 5.4 000/107] 5.4.275-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.275 release. There are 107 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 02 May 2024 10:30:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.275-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.275-rc1 Randy Dunlap <rdunlap(a)infradead.org> serial: core: fix kernel-doc for uart_port_unlock_irqrestore() Yick Xie <yick.xie(a)gmail.com> udp: preserve the connected status if only UDP cmsg Mikulas Patocka <mpatocka(a)redhat.com> dm: limit the number of targets and parameter size area Matthew Wilcox (Oracle) <willy(a)infradead.org> bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS Nam Cao <namcao(a)linutronix.de> HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: smbus: fix NULL function pointer dereference Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> idma64: Don't try to serve interrupts when device is powered off Arnd Bergmann <arnd(a)arndb.de> dmaengine: owl: fix register access functions Eric Dumazet <edumazet(a)google.com> tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Clean up kernel listener's reqsk in inet_twsk_purge() Arnd Bergmann <arnd(a)arndb.de> mtd: diskonchip: work around ubsan link failure Andrey Ryabinin <ryabinin.a.a(a)gmail.com> stackdepot: respect __GFP_NOLOCKDEP allocation flag Peter Münster <pm(a)a16n.net> net: b44: set pause params only when interface is up Rahul Rameshbabu <rrameshbabu(a)nvidia.com> ethernet: Add helper for assigning packet type when dest address does not match device address Guanrui Huang <guanrui.huang(a)linux.alibaba.com> irqchip/gic-v3-its: Prevent double free on error Mukul Joshi <mukul.joshi(a)amd.com> drm/amdgpu: Fix leak when GPU memory allocation fails Iskander Amara <iskander.amara(a)theobroma-systems.com> arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: fix information leak in btrfs_ioctl_logical_to_ino() WangYuli <wangyuli(a)uniontech.com> Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 Nathan Chancellor <nathan(a)kernel.org> Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() Robin H. Johnson <robbat2(a)gentoo.org> tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together Robin H. Johnson <robbat2(a)gentoo.org> tracing: Show size of requested perf buffer Shifeng Li <lishifeng(a)sangfor.com.cn> net/mlx5e: Fix a race in command alloc flow Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "crypto: api - Disallow identical driver names" xinhui pan <xinhui.pan(a)amd.com> drm/amdgpu: validate the parameters of bo mapping operations more clearly Chia-I Wu <olvaffe(a)gmail.com> amdgpu: validate offset_in_bo of drm_amdgpu_gem_va Rajneesh Bhardwaj <rajneesh.bhardwaj(a)amd.com> drm/amdgpu: restrict bo mapping within gpu address limits Emil Kronborg <emil.kronborg(a)protonmail.com> serial: mxs-auart: add spinlock around changing cts state Thomas Gleixner <tglx(a)linutronix.de> serial: core: Provide port lock wrappers Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). Sudheer Mogilappagari <sudheer.mogilappagari(a)intel.com> iavf: Fix TC config comparison with existing adapter TC config Sindhu Devale <sindhu.devale(a)intel.com> i40e: Do not use WQ_MEM_RECLAIM flag for workqueue Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix incorrect list API usage Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix warning during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix memory leak during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Rate limit error message Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work Hyunwoo Kim <v4bel(a)theori.io> net: openvswitch: Fix Use-After-Free in ovs_ct_exit Ismael Luceno <iluceno(a)suse.de> ipvs: Fix checksumming on GSO of SCTP packets Hyunwoo Kim <v4bel(a)theori.io> net: gtp: Fix Use-After-Free in gtp_dellink Eric Dumazet <edumazet(a)google.com> net: usb: ax88179_178a: stop lying about skb->truesize Paul Geurts <paul_geurts(a)live.nl> NFC: trf7970a: disable all regulators on removal Ido Schimmel <idosch(a)nvidia.com> mlxsw: core: Unregister EMAD trap using FORWARD action David Bauer <mail(a)david-bauer.net> vxlan: drop packets from invalid src-address Alexey Brodkin <Alexey.Brodkin(a)synopsys.com> ARC: [plat-hsdk]: Remove misplaced interrupt-cells property Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt2712: fix validation errors Biao Huang <biao.huang(a)mediatek.com> arm64: dts: mt2712: add ethernet device node Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: fix ethernet controller "compatible" Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: fix IR nodename Ikjoon Jang <ikjn(a)chromium.org> arm64: dts: mediatek: mt8183: Add power-domains properity to mfgcfg Quentin Schulz <quentin.schulz(a)theobroma-systems.com> arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma Iskander Amara <iskander.amara(a)theobroma-systems.com> arm64: dts: rockchip: fix alphabetical ordering RK3399 puma Vitaly Kuznetsov <vkuznets(a)redhat.com> KVM: async_pf: Cleanup kvm_setup_async_pf() Jeongjun Park <aha310510(a)gmail.com> nilfs2: fix OOB in nilfs_set_de_type Dave Airlie <airlied(a)redhat.com> nouveau: fix instmem race condition around ptr stores Alan Stern <stern(a)rowland.harvard.edu> fs: sysfs: Fix reference leak in sysfs_break_active_protection() Samuel Thibault <samuel.thibault(a)ens-lyon.org> speakup: Avoid crash on very long word Kai-Heng Feng <kai.heng.feng(a)canonical.com> usb: Disable USB3 LPM at shutdown Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> usb: dwc2: host: Fix dereference issue in DDMA completion flow. Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: cdc-wdm: close race between read and workqueue" Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 rmnet compositions Vanillan Wang <vanillanwang(a)163.com> USB: serial: option: add Rolling RW101-GL and RW135-GL support Jerry Meng <jerry-meng(a)foxmail.com> USB: serial: option: support Quectel EM060K sub-models Coia Prant <coiaprant(a)gmail.com> USB: serial: option: add Lonsung U8300/U9300 product Chuanhong Guo <gch981213(a)gmail.com> USB: serial: option: add support for Fibocom FM650/FG650 bolan wang <bolan.wang(a)fibocom.com> USB: serial: option: add Fibocom FM135-GL variants Finn Thain <fthain(a)linux-m68k.org> serial/pmac_zilog: Remove flawed mitigation for rx irq flood Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> comedi: vmk80xx: fix incomplete endpoint checking Carlos Llamas <cmllamas(a)google.com> binder: check offset alignment in binder_get_object() Eric Biggers <ebiggers(a)google.com> x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ Stephen Boyd <sboyd(a)kernel.org> clk: Get runtime PM before walking tree during disable_unused Stephen Boyd <sboyd(a)kernel.org> clk: Initialize struct clk_core kref earlier Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: Print an info line before disabling unused clocks Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: remove extra empty line Stephen Boyd <sboyd(a)kernel.org> clk: Mark 'all_lists' as const Stephen Boyd <sboyd(a)kernel.org> clk: Remove prepare_lock hold assertion in __clk_release() Mikhail Kobuk <m.kobuk(a)ispras.ru> drm: nv04: Fix out of bounds access Michael Guralnik <michaelgur(a)nvidia.com> RDMA/mlx5: Fix port number for counter query in multi-port configuration Yanjun.Zhu <yanjun.zhu(a)linux.dev> RDMA/rxe: Fix the problem "mutex_destroy missing" Lei Chen <lei.chen(a)smartx.com> tun: limit printing rate when illegal packet received by tun dev Ziyang Xuan <william.xuanziyang(a)huawei.com> netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Siddh Raman Pant <siddh.raman.pant(a)oracle.com> Revert "tracing/trigger: Fix to return error if failed to alloc snapshot" Zheng Yejian <zhengyejian1(a)huawei.com> kprobes: Fix possible use-after-free issue on kprobe registration Yuanhe Shu <xiangzao(a)linux.alibaba.com> selftests/ftrace: Limit length in subsystem-enable tests Boris Burkov <boris(a)bur.io> btrfs: record delayed inode root in transaction Adam Dunlap <acdunlap(a)google.com> x86/apic: Force native_apic_mem_read() to use the MOV instruction John Stultz <jstultz(a)google.com> selftests: timers: Fix abs() warning in posix_timers test Gavin Shan <gshan(a)redhat.com> vhost: Add smp_rmb() in vhost_vq_avail_empty() Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/client: Fully protect modes[] with dev->mode_config.mutex Boris Burkov <boris(a)bur.io> btrfs: qgroup: correctly model root qgroup rsv in convert David Arinzon <darinzon(a)amazon.com> net: ena: Fix potential sign extension issue Michal Luczaj <mhal(a)rbox.co> af_unix: Fix garbage collector racing against connect() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Do not use atomic ops for unix_sk(sk)->inflight. Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Properly link new fs rules into the tree Jiri Benc <jbenc(a)redhat.com> ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr Arnd Bergmann <arnd(a)arndb.de> ipv4/route: avoid unused-but-set-variable warning Arnd Bergmann <arnd(a)arndb.de> ipv6: fib: hide unused 'pn' variable Eric Dumazet <edumazet(a)google.com> geneve: fix header validation in geneve[6]_xmit_skb Petr Tesarik <petr(a)tesarici.cz> u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix unwanted error log on timeout policy probing Arnd Bergmann <arnd(a)arndb.de> nouveau: fix function cast warning Dmitry Antipov <dmantipov(a)yandex.ru> Bluetooth: Fix memory leak in hci_req_sync_complete() Sven Eckelmann <sven(a)narfation.org> batman-adv: Avoid infinite loop trying to resize local TT ------------- Diffstat: Makefile | 4 +- arch/arc/boot/dts/hsdk.dts | 1 - arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 78 ++++++++++- arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 68 ++++++++- arch/arm64/boot/dts/mediatek/mt7622.dtsi | 7 +- arch/arm64/boot/dts/mediatek/mt8183.dtsi | 1 + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 29 +++- arch/x86/include/asm/apic.h | 3 +- arch/x86/kernel/cpu/cpuid-deps.c | 6 +- crypto/algapi.c | 1 - drivers/android/binder.c | 4 +- drivers/bluetooth/btusb.c | 2 + drivers/clk/clk.c | 154 ++++++++++++++++----- drivers/dma/idma64.c | 4 + drivers/dma/owl-dma.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 70 ++++++---- drivers/gpu/drm/drm_client_modeset.c | 3 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 13 +- .../gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c | 7 +- drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv50.c | 7 +- drivers/hid/i2c-hid/i2c-hid-core.c | 8 -- drivers/i2c/i2c-core-base.c | 12 +- drivers/infiniband/hw/mlx5/mad.c | 3 +- drivers/infiniband/sw/rxe/rxe.c | 2 + drivers/irqchip/irq-gic-v3-its.c | 9 +- drivers/md/dm-core.h | 2 + drivers/md/dm-ioctl.c | 3 +- drivers/md/dm-table.c | 9 +- drivers/mtd/nand/raw/diskonchip.c | 4 +- drivers/net/ethernet/amazon/ena/ena_com.c | 2 +- drivers/net/ethernet/broadcom/b44.c | 14 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/iavf/iavf_main.c | 30 +++- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 3 +- drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +- .../ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 54 ++++++-- drivers/net/geneve.c | 4 +- drivers/net/gtp.c | 3 +- drivers/net/tun.c | 18 +-- drivers/net/usb/ax88179_178a.c | 11 +- drivers/net/vxlan.c | 4 + drivers/nfc/trf7970a.c | 42 +++--- drivers/staging/comedi/drivers/vmk80xx.c | 35 ++--- drivers/staging/speakup/main.c | 2 +- drivers/tty/serial/mxs-auart.c | 8 +- drivers/tty/serial/pmac_zilog.c | 14 -- drivers/usb/class/cdc-wdm.c | 6 +- drivers/usb/core/port.c | 4 +- drivers/usb/dwc2/hcd_ddma.c | 4 +- drivers/usb/serial/option.c | 40 ++++++ drivers/vhost/vhost.c | 14 +- fs/btrfs/backref.c | 12 +- fs/btrfs/delayed-inode.c | 3 + fs/btrfs/qgroup.c | 2 + fs/nilfs2/dir.c | 2 +- fs/sysfs/file.c | 2 + include/linux/etherdevice.h | 25 ++++ include/linux/serial_core.h | 79 +++++++++++ include/linux/trace_events.h | 2 +- include/linux/u64_stats_sync.h | 6 +- include/net/addrconf.h | 4 + include/net/af_unix.h | 5 +- include/net/ip_tunnels.h | 33 +++++ kernel/bounds.c | 2 +- kernel/kprobes.c | 18 ++- kernel/trace/trace_event_perf.c | 3 +- kernel/trace/trace_events_trigger.c | 6 +- lib/stackdepot.c | 4 +- net/batman-adv/translation-table.c | 2 +- net/bluetooth/hci_request.c | 4 +- net/bluetooth/l2cap_sock.c | 7 +- net/bluetooth/sco.c | 7 +- net/ethernet/eth.c | 12 +- net/ipv4/inet_timewait_sock.c | 34 +++-- net/ipv4/route.c | 4 +- net/ipv4/udp.c | 5 +- net/ipv6/addrconf.c | 7 +- net/ipv6/ip6_fib.c | 7 +- net/ipv6/udp.c | 5 +- net/netfilter/ipvs/ip_vs_proto_sctp.c | 6 +- net/netfilter/nf_tables_api.c | 8 +- net/openvswitch/conntrack.c | 9 +- net/unix/af_unix.c | 4 +- net/unix/garbage.c | 35 +++-- net/unix/scm.c | 8 +- .../ftrace/test.d/event/subsystem-enable.tc | 6 +- tools/testing/selftests/timers/posix_timers.c | 2 +- virt/kvm/async_pf.c | 19 +-- 90 files changed, 906 insertions(+), 340 deletions(-)

1 year

5
113
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2024