July 2024 - Linux-stable-mirror

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.9.8 release. There are 222 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 04 Jul 2024 17:01:55 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.9.8-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.9.8-rc1 David Howells <dhowells(a)redhat.com> netfs: Fix netfs_page_mkwrite() to flush conflicting data, not wait David Howells <dhowells(a)redhat.com> netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid Yao Xingtao <yaoxt.fnst(a)fujitsu.com> cxl/region: check interleave capability Alison Schofield <alison.schofield(a)intel.com> cxl/region: Avoid null pointer dereference in region lookup Alison Schofield <alison.schofield(a)intel.com> cxl/region: Move cxl_dpa_to_region() work to the region driver Alex Bee <knaerzche(a)gmail.com> arm64: dts: rockchip: Add sound-dai-cells for RK3368 Andy Yan <andyshrk(a)163.com> arm64: dts: rockchip: Fix the i2c address of es8316 on Cool Pi 4B Mark Brown <broonie(a)kernel.org> reset: gpio: Fix missing gpiolib dependency for GPIO reset controller FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E Li Ming <ming4.li(a)intel.com> cxl/mem: Fix no cxl_nvd during pmem region auto-assembling Dan Williams <dan.j.williams(a)intel.com> cxl/region: Convert cxl_pmem_region_alloc to scope-based resource management FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: make poweroff(8) work on Radxa ROCK 5A FUKAUMI Naoki <naoki(a)radxa.com> Revert "arm64: dts: rockchip: remove redundant cd-gpios from rk3588 sdmmc nodes" Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node Hsin-Te Yuan <yuanhsinte(a)chromium.org> arm64: dts: rockchip: Fix the value of `dlg,jack-det-rate` mismatch on rk3399-gru Heiko Stuebner <heiko.stuebner(a)cherry.de> arm64: dts: rockchip: set correct pwm0 pinctrl on rk3588-tiger Jonas Karlman <jonas(a)kwiboo.se> arm64: dts: rockchip: Rename LED related pinctrl nodes on rk3308-rock-pi-s Jonas Karlman <jonas(a)kwiboo.se> arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: stm32: Fix error message to not describe the previous error path Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: stm32: Fix calculation of prescaler yangge <yangge1116(a)126.com> mm/page_alloc: Separate THP PCP into movable and non-movable categories Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "net: sfp: enhance quirk for Fibrestore 2.5G copper SFP module" Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: btree_gc can now handle unknown btrees Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Fix setting of downgrade recovery passes/errors Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Fix bch2_sb_downgrade_update() Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Fix sb-downgrade validation Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Fix sb_field_downgrade validation Arnd Bergmann <arnd(a)arndb.de> syscalls: fix sys_fanotify_mark prototype Arnd Bergmann <arnd(a)arndb.de> syscalls: fix compat_sys_io_pgetevents_time64 usage Arnd Bergmann <arnd(a)arndb.de> ftruncate: pass a signed offset Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Fix double free on error Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models Niklas Cassel <cassel(a)kernel.org> ata: ahci: Clean up sysfs file on error Vitor Soares <vitor.soares(a)toradex.com> can: mcp251xfd: fix infinite loop when xmit fails Sven Eckelmann <sven(a)narfation.org> batman-adv: Don't accept TT entries for out-of-spec VIDs Jens Axboe <axboe(a)kernel.dk> io_uring: signal SQPOLL task_work with TWA_SIGNAL_NO_IPI Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/atomfirmware: fix parsing of vram_info Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Send DP_TOTAL_LTTPR_CNT during detection if LTTPR is present Ma Ke <make24(a)iscas.ac.cn> drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix potential UAF by revoke of fence registers Julia Zhang <julia.zhang(a)amd.com> drm/amdgpu: avoid using null object of framebuffer Thomas Zimmermann <tzimmermann(a)suse.de> drm/fbdev-dma: Only set smem_start is enable per module option Ma Ke <make24(a)iscas.ac.cn> drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes Jann Horn <jannh(a)google.com> drm/drm_file: Fix pid refcounting race Arnd Bergmann <arnd(a)arndb.de> hexagon: fix fadvise64_64 calling conventions Arnd Bergmann <arnd(a)arndb.de> csky, hexagon: fix broken sys_sync_file_range Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix initial free space detection Arnd Bergmann <arnd(a)arndb.de> sh: rework sync_file_range ABI Dragan Simic <dsimic(a)manjaro.org> kbuild: Install dtb files as 0644 in Makefile.dtbinst Huacai Chen <chenhuacai(a)kernel.org> irqchip/loongson-liointc: Set different ISRs for different cores Yuntao Wang <ytcoode(a)gmail.com> cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked() Huacai Chen <chenhuacai(a)kernel.org> cpu: Fix broken cmdline "nosmp" and "maxcpus=0" Huacai Chen <chenhuacai(a)kernel.org> irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Use HWP to initialize ITMT if CPPC is missing Nathan Chancellor <nathan(a)kernel.org> nvmet-fc: Remove __counted_by from nvmet_fc_tgt_queue.fod[] Mostafa Saleh <smostafa(a)google.com> PCI/MSI: Fix UAF in msi_capability_init Oleksij Rempel <o.rempel(a)pengutronix.de> net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new Oleksij Rempel <o.rempel(a)pengutronix.de> net: can: j1939: recover socket queue on CAN bus error during BAM transmission Shigeru Yoshida <syoshida(a)redhat.com> net: can: j1939: Initialize unused data in j1939_send_one() Jean-Michel Hautbois <jeanmichel.hautbois(a)yoseli.org> tty: mcf: MCF54418 has 10 UARTS Nathan Chancellor <nathan(a)kernel.org> tty: mxser: Remove __counted_by from mxser_board.ports[] Dirk Su <dirk.su(a)canonical.com> ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook 645/665 G11. Jonas Gorski <jonas.gorski(a)gmail.com> serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited() Jonas Gorski <jonas.gorski(a)gmail.com> serial: core: introduce uart_port_tx_limited_flags() Stefan Eichenberger <stefan.eichenberger(a)toradex.com> serial: imx: set receiver level before starting uart Udit Kumar <u-kumar1(a)ti.com> serial: 8250_omap: Implementation of Errata i2310 Crescent Hsieh <crescentcy.hsieh(a)moxa.com> tty: serial: 8250: Fix port count mismatch with the device Doug Brown <doug(a)schmorgal.com> Revert "serial: core: only stop transmit when HW fifo is empty" Jos Wang <joswang(a)lenovo.com> usb: dwc3: core: Workaround for CSR read timeout Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> usb: ucsi: stm32: fix command completion handling Ferry Toth <ftoth(a)exalondelft.nl> Revert "usb: gadget: u_ether: Replace netif_stop_queue with netif_device_detach" Ferry Toth <ftoth(a)exalondelft.nl> Revert "usb: gadget: u_ether: Re-attach netif device to mirror detachment" Javier Carrasco <javier.carrasco.cruz(a)gmail.com> usb: typec: ucsi: glink: fix child node release in probe function Jeremy Kerr <jk(a)codeconstruct.com.au> usb: gadget: aspeed_udc: fix device address configuration Meng Li <Meng.Li(a)windriver.com> usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> usb: atm: cxacru: fix endpoint checking in cxacru_bind() Dan Carpenter <dan.carpenter(a)linaro.org> usb: musb: da8xx: fix a resource leak in probe() Oliver Neukum <oneukum(a)suse.com> usb: gadget: printer: fix races against disable Oliver Neukum <oneukum(a)suse.com> usb: gadget: printer: SS+ support Jose Ignacio Tornos Martinez <jtornosm(a)redhat.com> net: usb: ax88179_178a: improve link status logs Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix sensor data read operation Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix overflows in compensate() functions Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix calibration data variable Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix pressure value output Alexander Sverdlin <alexander.sverdlin(a)siemens.com> iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF Fernando Yang <hagisf(a)usp.br> iio: adc: ad7266: Fix variable checking bug Dimitri Fedrau <dima.fedrau(a)gmail.com> iio: humidity: hdc3020: fix hysteresis representation Niklas Cassel <cassel(a)kernel.org> ata,scsi: libata-core: Do not leak memory for ata_port struct members Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Fix null pointer dereference on error Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: testunit: discard write requests while old command is running Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: testunit: don't erase registers after STOP Masahiro Yamada <masahiroy(a)kernel.org> kbuild: rpm-pkg: fix build error with CONFIG_MODULES=n Thayne Harbaugh <thayne(a)mastodonlabs.com> kbuild: Fix build target deb-pkg: ln: failed to create hard link Mark-PK Tsai <mark-pk.tsai(a)mediatek.com> kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates David Lechner <dlechner(a)baylibre.com> counter: ti-eqep: enable clock at probe Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Fix backchannel reply, again Sean Anderson <sean.anderson(a)linux.dev> iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask Adrian Hunter <adrian.hunter(a)intel.com> mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() Adrian Hunter <adrian.hunter(a)intel.com> mmc: sdhci: Do not invert write-protect twice Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos Kamal Dasu <kamal.dasu(a)broadcom.com> mmc: sdhci-brcmstb: check R1_STATUS for erase/trim/discard Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> mmc: sdhci-pci-o2micro: Convert PCIBIOS_* return codes to errnos Linus Walleij <linus.walleij(a)linaro.org> Revert "mmc: moxart-mmc: Use sg_miter for PIO" Andrew Bresticker <abrestic(a)rivosinc.com> mm/memory: don't require head page for do_set_pmd() Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> mm: fix incorrect vbq reference in purge_fragmented_block Andrey Konovalov <andreyknvl(a)gmail.com> kasan: fix bad call to unpoison_slab_object Christoph Hellwig <hch(a)lst.de> nfs: drop the incorrect assertion in nfs_swap_rw() Jan Kara <jack(a)suse.cz> ocfs2: fix DIO failure due to insufficient transaction credits Johan Hovold <johan+linaro(a)kernel.org> pinctrl: qcom: spmi-gpio: drop broken pm8008 support Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> Revert "MIPS: pci: lantiq: restore reset gpio polarity" Arnd Bergmann <arnd(a)arndb.de> parisc: use generic sys_fanotify_mark implementation Linus Torvalds <torvalds(a)linux-foundation.org> x86: stop playing stack games in profile_pc() Kees Cook <kees(a)kernel.org> randomize_kstack: Remove non-functional per-arch entropy filtering David Arcari <darcari(a)redhat.com> tools/power turbostat: option '-n' is ambiguous Kent Gibson <warthog618(a)gmail.com> gpiolib: cdev: Ignore reconfiguration without direction Kent Gibson <warthog618(a)gmail.com> gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd: Fix GT feature enablement again Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd: Invalidate cache before removing device from domain list Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd: Introduce per device DTE update function Andy Chiu <andy.chiu(a)sifive.com> riscv: stacktrace: convert arch_stack_walk() to noinstr Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Fix pci state save during mode-1 reset Jesse Taube <jesse(a)rivosinc.com> RISC-V: fix vector insn load/store width mask NeilBrown <neilb(a)suse.de> nfsd: initialise nfsd_info.mutex early. Zenghui Yu <yuzenghui(a)huawei.com> arm64: Clear the initial ID map correctly before remapping Aleksandr Mishin <amishin(a)t-argos.ru> gpio: davinci: Validate the obtained number of IRQs Liu Ying <victor.liu(a)nxp.com> drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA Hannes Reinecke <hare(a)kernel.org> nvmet: make 'tsas' attribute idempotent for RDMA Hannes Reinecke <hare(a)suse.de> nvme: fixup comment for nvme RDMA Provider Type Hannes Reinecke <hare(a)kernel.org> nvmet: do not return 'reserved' for empty TSAS values Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe: Check pat.ops before dumping PAT settings Erick Archer <erick.archer(a)outlook.com> drm/radeon/radeon_display: Decrease the size of allocated memory Stefan Berger <stefanb(a)linux.ibm.com> evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509 Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix NULL pointer dereference in gfs2_log_flush Andrew Davis <afd(a)ti.com> soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Do not allow a SVA domain to be set on the wrong PASID Tiezhu Yang <yangtiezhu(a)loongson.cn> irqchip/loongson: Select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP for IRQ_LOONGARCH_CPU Ricardo Ribalda <ribalda(a)chromium.org> media: dvbdev: Initialize sbuf Oswald Buddenhagen <oswald.buddenhagen(a)gmx.de> ALSA: emux: improve patch ioctl data validation Joachim Vandersmissen <git(a)jvdsn.com> crypto: ecdh - explicitly zeroize private_key Chia-Yuan Li <leo.li(a)realtek.com> wifi: rtw89: download firmware with five times retry Dawei Li <dawei.li(a)shingroup.cn> net/dpaa2: Avoid explicit cpumask var allocation on stack Dawei Li <dawei.li(a)shingroup.cn> net/iucv: Avoid explicit cpumask var allocation on stack Wenchao Hao <haowenchao2(a)huawei.com> RDMA/restrack: Fix potential invalid address access Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> drm/xe/xe_devcoredump: Check NULL before assignments Martin KaFai Lau <martin.lau(a)kernel.org> bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode Anton Protopopov <aspsk(a)isovalent.com> bpf: Add a check for struct bpf_fib_lookup size Muhammad Ahmed <ahmed.ahmed(a)amd.com> drm/amd/display: Skip pipe if the pipe idx not set properly Johannes Berg <johannes.berg(a)intel.com> wifi: ieee80211: check for NULL in ieee80211_mle_size_ok() Denis Arefev <arefev(a)swemel.ru> mtd: partitions: redboot: Added conversion of operands to a larger type Sherry Wang <Yao.Wang1(a)amd.com> drm/amd/display: correct hostvm flag Nirmoy Das <nirmoy.das(a)intel.com> drm/xe: Add a NULL check in xe_ttm_stolen_mgr_init Uros Bizjak <ubizjak(a)gmail.com> x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup Maxime Coquelin <maxime.coquelin(a)redhat.com> vduse: Temporarily fail if control queue feature requested Maxime Coquelin <maxime.coquelin(a)redhat.com> vduse: validate block features only with block devices Nirmoy Das <nirmoy.das(a)intel.com> drm/xe: Fix potential integer overflow in page size calculation Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep Christophe Leroy <christophe.leroy(a)csgroup.eu> bpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro() Christophe Leroy <christophe.leroy(a)csgroup.eu> bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro() Ma Ke <make24(a)iscas.ac.cn> net: mana: Fix possible double free in error handling path Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix wrong ioctl(SIOCATMARK) when consumed OOB skb is at the head. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Don't stop recv() at consumed ex-OOB skb. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Stop recv(MSG_PEEK) at consumed OOB skb. Yunseong Kim <yskelg(a)gmail.com> tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Fix missing MSB in MIDI2 SPP conversion Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO Shannon Nelson <shannon.nelson(a)amd.com> ionic: use dev_consume_skb_any outside of napi Arnd Bergmann <arnd(a)arndb.de> powerpc: restore some missing spu syscalls Arnd Bergmann <arnd(a)arndb.de> parisc: use correct compat recv/recvfrom syscalls Arnd Bergmann <arnd(a)arndb.de> sparc: fix compat recv/recvfrom syscalls Arnd Bergmann <arnd(a)arndb.de> sparc: fix old compat_sys_select() Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: fix wrong register write when masking interrupt Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages luoxuanqiang <luoxuanqiang(a)kylinos.cn> Fix race for duplicate reqsk on identical SYN Filipe Manana <fdmanana(a)suse.com> btrfs: use NOFS context when getting inodes during logging and log replay Jianguo Wu <wujianguo(a)chinatelecom.cn> netfilter: fix undefined reference to 'netfilter_lwtunnel_*' when CONFIG_SYSCTL=n Chen-Yu Tsai <wenst(a)chromium.org> ASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link Daniil Dulov <d.dulov(a)aladdin.ru> xdp: Remove WARN() from __xdp_reg_mem_model() Alexei Starovoitov <ast(a)kernel.org> bpf: Fix may_goto with negative offset. Jan Sokolowski <jan.sokolowski(a)intel.com> ice: Rebuild TC queues on VSI queue reconfiguration Enguerrand de Ribaucourt <enguerrand.de-ribaucourt(a)savoirfairelinux.com> net: dsa: microchip: use collision based back pressure mode Enguerrand de Ribaucourt <enguerrand.de-ribaucourt(a)savoirfairelinux.com> net: phy: micrel: add Microchip KSZ 9477 to the device table Nick Child <nnac123(a)linux.ibm.com> ibmvnic: Free any outstanding tx skbs during scrq reset Guillaume Nault <gnault(a)redhat.com> vxlan: Pull inner IP header in vxlan_xmit_one(). Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix overrunning reservations in ringbuf Alexei Starovoitov <ast(a)kernel.org> bpf: Fix the corner case with may_goto and jump to the 1st insn. Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems Ido Schimmel <idosch(a)nvidia.com> mlxsw: pci: Fix driver initialization with Spectrum-4 Taehee Yoo <ap420073(a)gmail.com> ionic: fix kernel panic due to multi-buffer handling Hangbin Liu <liuhangbin(a)gmail.com> bonding: fix incorrect software timestamping report Xin Long <lucien.xin(a)gmail.com> openvswitch: get related ct labels from its master if it is not confirmed Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: fix initial port flush problem Elinor Montmasson <elinor.montmasson(a)savoirfairelinux.com> ASoC: fsl-asoc-card: set priv->pdev before using it Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: acp: move chip->flag variable assignment Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: acp: add a null check for chip_pdev structure Alexei Starovoitov <ast(a)kernel.org> bpf: Fix remap of arena. Halil Pasic <pasic(a)linux.ibm.com> s390/virtio_ccw: Fix config change notifications Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Add missing virt_to_phys() for directed DIBV Yonghong Song <yonghong.song(a)linux.dev> bpf: Add missed var_off setting in coerce_subreg_to_size_sx() Yonghong Song <yonghong.song(a)linux.dev> bpf: Add missed var_off setting in set_sext32_default_val() Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-lpass-dai: close graph on prepare errors Wenchao Hao <haowenchao22(a)gmail.com> workqueue: Increase worker desc's length to 32 Andrei Simion <andrei.simion(a)microchip.com> ASoC: atmel: atmel-classd: Re-add dai_link->platform to fix card init Hsin-Te Yuan <yuanhsinte(a)chromium.org> ASoC: mediatek: mt8183-da7219-max98357: Fix kcontrol name collision Alibek Omarov <a1ba.omarov(a)gmail.com> ASoC: rockchip: i2s-tdm: Fix trcm mode by setting clock on right mclk Maciej Strozek <mstrozek(a)opensource.cirrus.com> ASoC: cs42l43: Increase default type detect time and button delay Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: stm32: Refuse too small period requests Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: stm32: Calculate prescaler with a division instead of a loop Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: stm32: Fix for settings using period > UINT32_MAX Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: stm32: Improve precision of calculation in .apply() Martin Schiller <ms(a)dev.tdt.de> MIPS: pci: lantiq: restore reset gpio polarity Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: use dedicated pinctrl type for RK3328 Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins Hagar Hemdan <hagarhem(a)amazon.com> pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER John Keeping <jkeeping(a)inmusicbrands.com> Input: ili210x - fix ili251x_read_touch_data() return value Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> pinctrl: renesas: rzg2l: Use spin_{lock,unlock}_irq{save,restore} Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: typec: ucsi: Ack also failed Get Error commands Christian A. Ehrhardt <lk(a)c--e.de> usb: typec: ucsi: Never send a lone connector change ack ------------- Diffstat: Documentation/kbuild/modules.rst | 8 +- Makefile | 4 +- arch/arm/boot/dts/rockchip/rk3066a.dtsi | 1 + arch/arm/net/bpf_jit_32.c | 25 +- arch/arm64/boot/dts/rockchip/rk3308-rock-pi-s.dts | 18 +- arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 4 +- arch/arm64/boot/dts/rockchip/rk3368.dtsi | 3 + arch/arm64/boot/dts/rockchip/rk3399-gru.dtsi | 2 +- .../boot/dts/rockchip/rk3588-orangepi-5-plus.dts | 1 + .../arm64/boot/dts/rockchip/rk3588-quartzpro64.dts | 1 + arch/arm64/boot/dts/rockchip/rk3588-rock-5b.dts | 1 + arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 5 + arch/arm64/boot/dts/rockchip/rk3588s-coolpi-4b.dts | 4 +- arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts | 2 + arch/arm64/include/asm/unistd32.h | 2 +- arch/arm64/kernel/pi/map_kernel.c | 2 +- arch/arm64/kernel/syscall.c | 16 +- arch/csky/include/uapi/asm/unistd.h | 1 + arch/hexagon/include/asm/syscalls.h | 6 + arch/hexagon/include/uapi/asm/unistd.h | 1 + arch/hexagon/kernel/syscalltab.c | 7 + arch/loongarch/net/bpf_jit.c | 22 +- arch/mips/kernel/syscalls/syscall_n32.tbl | 2 +- arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +- arch/mips/net/bpf_jit_comp.c | 3 +- arch/parisc/Kconfig | 1 + arch/parisc/kernel/sys_parisc32.c | 9 - arch/parisc/kernel/syscalls/syscall.tbl | 6 +- arch/parisc/net/bpf_jit_core.c | 8 +- arch/powerpc/kernel/syscalls/syscall.tbl | 6 +- arch/riscv/include/asm/insn.h | 2 +- arch/riscv/kernel/stacktrace.c | 2 +- arch/s390/include/asm/entry-common.h | 2 +- arch/s390/kernel/syscalls/syscall.tbl | 2 +- arch/s390/net/bpf_jit_comp.c | 6 +- arch/s390/pci/pci_irq.c | 2 +- arch/sh/kernel/sys_sh32.c | 11 + arch/sh/kernel/syscalls/syscall.tbl | 3 +- arch/sparc/kernel/sys32.S | 221 -------------- arch/sparc/kernel/syscalls/syscall.tbl | 8 +- arch/sparc/net/bpf_jit_comp_64.c | 6 +- arch/x86/entry/syscalls/syscall_32.tbl | 2 +- arch/x86/include/asm/entry-common.h | 15 +- arch/x86/kernel/fpu/core.c | 4 +- arch/x86/kernel/time.c | 20 +- arch/x86/net/bpf_jit_comp32.c | 3 +- crypto/ecdh.c | 2 + drivers/ata/ahci.c | 17 +- drivers/ata/libata-core.c | 32 +- drivers/counter/ti-eqep.c | 6 + drivers/cpufreq/intel_pstate.c | 13 +- drivers/cxl/core/core.h | 7 + drivers/cxl/core/hdm.c | 13 + drivers/cxl/core/memdev.c | 44 --- drivers/cxl/core/pmem.c | 16 +- drivers/cxl/core/region.c | 182 ++++++++++-- drivers/cxl/cxl.h | 6 +- drivers/cxl/cxlmem.h | 10 + drivers/cxl/mem.c | 17 +- drivers/gpio/gpio-davinci.c | 5 + drivers/gpio/gpiolib-cdev.c | 28 +- drivers/gpu/drm/amd/amdgpu/amdgpu_atomfirmware.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 18 +- drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c | 5 + .../display/dc/link/protocols/link_dp_capability.c | 10 +- .../amd/display/dc/resource/dcn31/dcn31_resource.c | 2 +- drivers/gpu/drm/amd/display/include/dpcd_defs.h | 5 + drivers/gpu/drm/drm_fb_helper.c | 6 +- drivers/gpu/drm/drm_fbdev_dma.c | 5 +- drivers/gpu/drm/drm_file.c | 8 +- drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c | 1 + drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 6 + drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +- drivers/gpu/drm/panel/panel-simple.c | 1 + drivers/gpu/drm/radeon/radeon.h | 1 - drivers/gpu/drm/radeon/radeon_display.c | 8 +- drivers/gpu/drm/xe/xe_devcoredump.c | 10 +- drivers/gpu/drm/xe/xe_pat.c | 2 +- drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c | 5 + drivers/gpu/drm/xe/xe_ttm_vram_mgr.c | 2 +- drivers/i2c/i2c-slave-testunit.c | 5 +- drivers/iio/accel/Kconfig | 2 + drivers/iio/adc/ad7266.c | 2 + drivers/iio/adc/xilinx-ams.c | 8 +- drivers/iio/chemical/bme680.h | 2 + drivers/iio/chemical/bme680_core.c | 62 +++- drivers/iio/humidity/hdc3020.c | 323 ++++++++++++++++----- drivers/infiniband/core/restrack.c | 51 +--- drivers/input/touchscreen/ili210x.c | 4 +- drivers/iommu/amd/amd_iommu.h | 1 + drivers/iommu/amd/init.c | 1 + drivers/iommu/amd/iommu.c | 34 ++- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 3 + drivers/irqchip/Kconfig | 2 +- drivers/irqchip/irq-loongson-eiointc.c | 5 +- drivers/irqchip/irq-loongson-liointc.c | 4 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/mmc/host/moxart-mmc.c | 78 ++--- drivers/mmc/host/sdhci-brcmstb.c | 4 + drivers/mmc/host/sdhci-pci-core.c | 11 +- drivers/mmc/host/sdhci-pci-o2micro.c | 41 +-- drivers/mmc/host/sdhci.c | 25 +- drivers/mtd/parsers/redboot.c | 2 +- drivers/net/bonding/bond_main.c | 3 + drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 14 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c | 55 +++- drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 5 + drivers/net/dsa/microchip/ksz9477.c | 10 +- drivers/net/dsa/microchip/ksz9477_reg.h | 1 + drivers/net/dsa/microchip/ksz_common.c | 2 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 +- drivers/net/ethernet/ibm/ibmvnic.c | 6 + drivers/net/ethernet/intel/ice/ice_main.c | 10 +- drivers/net/ethernet/mellanox/mlxsw/pci.c | 18 +- drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 + .../net/ethernet/mellanox/mlxsw/spectrum_buffers.c | 20 +- drivers/net/ethernet/microsoft/mana/mana_en.c | 2 + drivers/net/ethernet/pensando/ionic/ionic_dev.h | 4 +- drivers/net/ethernet/pensando/ionic/ionic_lif.c | 2 +- drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 55 ++-- drivers/net/phy/micrel.c | 1 + drivers/net/phy/sfp.c | 18 +- drivers/net/usb/ax88179_178a.c | 6 +- drivers/net/vxlan/vxlan_core.c | 9 +- drivers/net/wireless/realtek/rtw89/fw.c | 27 +- drivers/nvme/target/configfs.c | 41 ++- drivers/nvme/target/fc.c | 2 +- drivers/pci/msi/msi.c | 10 +- drivers/pinctrl/core.c | 2 +- drivers/pinctrl/pinctrl-rockchip.c | 68 ++++- drivers/pinctrl/pinctrl-rockchip.h | 1 + drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 1 - drivers/pinctrl/renesas/pinctrl-rzg2l.c | 4 +- drivers/pwm/pwm-stm32.c | 62 ++-- drivers/reset/Kconfig | 1 + drivers/s390/virtio/virtio_ccw.c | 4 +- drivers/scsi/libsas/sas_ata.c | 6 +- drivers/scsi/libsas/sas_discover.c | 2 +- drivers/soc/ti/wkup_m3_ipc.c | 7 +- drivers/tty/mxser.c | 2 +- drivers/tty/serial/8250/8250_omap.c | 25 +- drivers/tty/serial/8250/8250_pci.c | 13 +- drivers/tty/serial/bcm63xx_uart.c | 7 +- drivers/tty/serial/imx.c | 4 +- drivers/tty/serial/mcf.c | 2 +- drivers/usb/atm/cxacru.c | 14 + drivers/usb/dwc3/core.c | 26 +- drivers/usb/gadget/function/f_printer.c | 40 ++- drivers/usb/gadget/function/u_ether.c | 4 +- drivers/usb/gadget/udc/aspeed_udc.c | 4 +- drivers/usb/musb/da8xx.c | 8 +- drivers/usb/typec/ucsi/ucsi.c | 55 ++-- drivers/usb/typec/ucsi/ucsi_glink.c | 5 +- drivers/usb/typec/ucsi/ucsi_stm32g0.c | 19 +- drivers/vdpa/vdpa_user/vduse_dev.c | 14 +- fs/bcachefs/bcachefs.h | 44 +-- fs/bcachefs/btree_gc.c | 15 +- fs/bcachefs/btree_gc.h | 48 ++- fs/bcachefs/btree_gc_types.h | 29 ++ fs/bcachefs/ec.c | 2 +- fs/bcachefs/sb-downgrade.c | 17 +- fs/bcachefs/super-io.c | 12 +- fs/btrfs/free-space-cache.c | 2 +- fs/btrfs/tree-log.c | 43 ++- fs/gfs2/log.c | 3 +- fs/gfs2/super.c | 4 + fs/netfs/buffered_write.c | 12 +- fs/nfs/direct.c | 2 - fs/nfsd/nfsctl.c | 2 + fs/nfsd/nfssvc.c | 1 - fs/ocfs2/aops.c | 5 + fs/ocfs2/journal.c | 17 ++ fs/ocfs2/journal.h | 2 + fs/ocfs2/ocfs2_trace.h | 2 + fs/open.c | 4 +- include/linux/compat.h | 2 +- include/linux/filter.h | 10 +- include/linux/ieee80211.h | 2 +- include/linux/libata.h | 1 + include/linux/mmzone.h | 9 +- include/linux/nvme.h | 6 +- include/linux/serial_core.h | 21 +- include/linux/syscalls.h | 8 +- include/linux/workqueue.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/netfilter/nf_tables.h | 5 + include/trace/events/qdisc.h | 2 +- include/uapi/asm-generic/unistd.h | 2 +- io_uring/io_uring.c | 4 +- kernel/bpf/arena.c | 16 +- kernel/bpf/core.c | 6 +- kernel/bpf/ringbuf.c | 31 +- kernel/bpf/verifier.c | 69 ++++- kernel/cpu.c | 11 +- kernel/sys_ni.c | 2 +- mm/kasan/common.c | 2 +- mm/memory.c | 3 +- mm/page_alloc.c | 9 +- mm/vmalloc.c | 21 +- net/batman-adv/originator.c | 27 ++ net/can/j1939/main.c | 6 +- net/can/j1939/transport.c | 21 +- net/core/filter.c | 3 + net/core/xdp.c | 4 +- net/dccp/ipv4.c | 7 +- net/dccp/ipv6.c | 7 +- net/ipv4/inet_connection_sock.c | 17 +- net/ipv4/tcp_input.c | 45 ++- net/iucv/iucv.c | 26 +- net/netfilter/nf_hooks_lwtunnel.c | 3 + net/netfilter/nf_tables_api.c | 8 +- net/netfilter/nft_lookup.c | 3 +- net/openvswitch/conntrack.c | 7 +- net/sunrpc/svc.c | 5 +- net/unix/af_unix.c | 37 ++- scripts/Makefile.dtbinst | 2 +- scripts/Makefile.package | 2 +- scripts/package/kernel.spec | 8 +- security/integrity/evm/evm_main.c | 12 +- sound/core/seq/seq_ump_convert.c | 10 +- sound/pci/hda/patch_realtek.c | 3 + sound/soc/amd/acp/acp-i2s.c | 8 - sound/soc/amd/acp/acp-pci.c | 12 +- sound/soc/atmel/atmel-classd.c | 7 +- sound/soc/codecs/cs42l43-jack.c | 4 +- sound/soc/fsl/fsl-asoc-card.c | 3 +- sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c | 10 +- sound/soc/mediatek/mt8195/mt8195-mt6359.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 32 +- sound/soc/rockchip/rockchip_i2s_tdm.c | 13 +- sound/synth/emux/soundfont.c | 17 +- tools/power/x86/turbostat/turbostat.c | 2 +- tools/testing/cxl/test/cxl.c | 4 + 234 files changed, 2103 insertions(+), 1184 deletions(-)

9 months, 3 weeks

15
238
0 0

[GIT PULL] Kselftest fixes for v6.10

by Mickaël Salaün

Hi Linus, This PR fixes a few kselftests [1]. This has been in linux-next for a week and rebased to add Mark Brown's Tested-by. The race condition found while writing this fix is not new and seems specific to UML's hostfs (I also tested against ext4 and btrfs without being able to trigger this issue). Feel free to take this PR if you see fit. Regards, Mickaël [1] https://lore.kernel.org/r/9341d4db-5e21-418c-bf9e-9ae2da7877e1@sirena.org.uk -- The following changes since commit f2661062f16b2de5d7b6a5c42a9a5c96326b8454: Linux 6.10-rc5 (2024-06-23 17:08:54 -0400) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/kselftest-fix-2024-07-04 for you to fetch changes up to 130e42806773013e9cf32d211922c935ae2df86c: selftests/harness: Fix tests timeout and race condition (2024-06-28 16:06:03 +0200) ---------------------------------------------------------------- Fix Kselftests timeout and race condition ---------------------------------------------------------------- Mickaël Salaün (1): selftests/harness: Fix tests timeout and race condition tools/testing/selftests/kselftest_harness.h | 43 ++++++++++++++++------------- 1 file changed, 24 insertions(+), 19 deletions(-)

9 months, 3 weeks

2
1
0 0

[PATCH v4 3/3] tpm: Address !chip->auth in tpm_buf_append_hmac_session*()

by Jarkko Sakkinen

Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can cause a null derefence in tpm_buf_hmac_session*(). Thus, address !chip->auth in tpm_buf_hmac_session*() and remove the fallback implementation for !TCG_TPM2_HMAC. Cc: stable(a)vger.kernel.org # v6.9+ Reported-by: Stefan Berger <stefanb(a)linux.ibm.com> Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@li… Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API") Tested-by: Michael Ellerman <mpe(a)ellerman.id.au> # ppc Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: * Address: https://lore.kernel.org/linux-integrity/CAHk-=wiM=Cyw-07EkbAH66pE50VzJiT3bV… * Added tested-by from Michael Ellerman. v3: * Address: https://lore.kernel.org/linux-integrity/922603265d61011dbb23f18a04525ae973b… v2: * Use auth in place of chip->auth. --- drivers/char/tpm/tpm2-sessions.c | 186 ++++++++++++++++++------------- include/linux/tpm.h | 68 ++++------- 2 files changed, 130 insertions(+), 124 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index b3ed35e7ec00..2281d55df545 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -272,6 +272,110 @@ void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, } EXPORT_SYMBOL_GPL(tpm_buf_append_name); +/** + * tpm_buf_append_hmac_session() - Append a TPM session element + * @chip: the TPM chip structure + * @buf: The buffer to be appended + * @attributes: The session attributes + * @passphrase: The session authority (NULL if none) + * @passphrase_len: The length of the session authority (0 if none) + * + * This fills in a session structure in the TPM command buffer, except + * for the HMAC which cannot be computed until the command buffer is + * complete. The type of session is controlled by the @attributes, + * the main ones of which are TPM2_SA_CONTINUE_SESSION which means the + * session won't terminate after tpm_buf_check_hmac_response(), + * TPM2_SA_DECRYPT which means this buffers first parameter should be + * encrypted with a session key and TPM2_SA_ENCRYPT, which means the + * response buffer's first parameter needs to be decrypted (confusing, + * but the defines are written from the point of view of the TPM). + * + * Any session appended by this command must be finalized by calling + * tpm_buf_fill_hmac_session() otherwise the HMAC will be incorrect + * and the TPM will reject the command. + * + * As with most tpm_buf operations, success is assumed because failure + * will be caused by an incorrect programming model and indicated by a + * kernel message. + */ +void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, + u8 attributes, u8 *passphrase, + int passphrase_len) +{ +#ifdef CONFIG_TCG_TPM2_HMAC + u8 nonce[SHA256_DIGEST_SIZE]; + struct tpm2_auth *auth; + u32 len; +#endif + + if (!tpm2_chip_auth(chip)) { + /* offset tells us where the sessions area begins */ + int offset = buf->handles * 4 + TPM_HEADER_SIZE; + u32 len = 9 + passphrase_len; + + if (tpm_buf_length(buf) != offset) { + /* not the first session so update the existing length */ + len += get_unaligned_be32(&buf->data[offset]); + put_unaligned_be32(len, &buf->data[offset]); + } else { + tpm_buf_append_u32(buf, len); + } + /* auth handle */ + tpm_buf_append_u32(buf, TPM2_RS_PW); + /* nonce */ + tpm_buf_append_u16(buf, 0); + /* attributes */ + tpm_buf_append_u8(buf, 0); + /* passphrase */ + tpm_buf_append_u16(buf, passphrase_len); + tpm_buf_append(buf, passphrase, passphrase_len); + return; + } + +#ifdef CONFIG_TCG_TPM2_HMAC + /* + * The Architecture Guide requires us to strip trailing zeros + * before computing the HMAC + */ + while (passphrase && passphrase_len > 0 && passphrase[passphrase_len - 1] == '\0') + passphrase_len--; + + auth = chip->auth; + auth->attrs = attributes; + auth->passphrase_len = passphrase_len; + if (passphrase_len) + memcpy(auth->passphrase, passphrase, passphrase_len); + + if (auth->session != tpm_buf_length(buf)) { + /* we're not the first session */ + len = get_unaligned_be32(&buf->data[auth->session]); + if (4 + len + auth->session != tpm_buf_length(buf)) { + WARN(1, "session length mismatch, cannot append"); + return; + } + + /* add our new session */ + len += 9 + 2 * SHA256_DIGEST_SIZE; + put_unaligned_be32(len, &buf->data[auth->session]); + } else { + tpm_buf_append_u32(buf, 9 + 2 * SHA256_DIGEST_SIZE); + } + + /* random number for our nonce */ + get_random_bytes(nonce, sizeof(nonce)); + memcpy(auth->our_nonce, nonce, sizeof(nonce)); + tpm_buf_append_u32(buf, auth->handle); + /* our new nonce */ + tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE); + tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE); + tpm_buf_append_u8(buf, auth->attrs); + /* and put a placeholder for the hmac */ + tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE); + tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE); +#endif +} +EXPORT_SYMBOL_GPL(tpm_buf_append_hmac_session); + #ifdef CONFIG_TCG_TPM2_HMAC static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy, @@ -457,82 +561,6 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) crypto_free_kpp(kpp); } -/** - * tpm_buf_append_hmac_session() - Append a TPM session element - * @chip: the TPM chip structure - * @buf: The buffer to be appended - * @attributes: The session attributes - * @passphrase: The session authority (NULL if none) - * @passphrase_len: The length of the session authority (0 if none) - * - * This fills in a session structure in the TPM command buffer, except - * for the HMAC which cannot be computed until the command buffer is - * complete. The type of session is controlled by the @attributes, - * the main ones of which are TPM2_SA_CONTINUE_SESSION which means the - * session won't terminate after tpm_buf_check_hmac_response(), - * TPM2_SA_DECRYPT which means this buffers first parameter should be - * encrypted with a session key and TPM2_SA_ENCRYPT, which means the - * response buffer's first parameter needs to be decrypted (confusing, - * but the defines are written from the point of view of the TPM). - * - * Any session appended by this command must be finalized by calling - * tpm_buf_fill_hmac_session() otherwise the HMAC will be incorrect - * and the TPM will reject the command. - * - * As with most tpm_buf operations, success is assumed because failure - * will be caused by an incorrect programming model and indicated by a - * kernel message. - */ -void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, - u8 attributes, u8 *passphrase, - int passphrase_len) -{ - u8 nonce[SHA256_DIGEST_SIZE]; - u32 len; - struct tpm2_auth *auth = chip->auth; - - /* - * The Architecture Guide requires us to strip trailing zeros - * before computing the HMAC - */ - while (passphrase && passphrase_len > 0 - && passphrase[passphrase_len - 1] == '\0') - passphrase_len--; - - auth->attrs = attributes; - auth->passphrase_len = passphrase_len; - if (passphrase_len) - memcpy(auth->passphrase, passphrase, passphrase_len); - - if (auth->session != tpm_buf_length(buf)) { - /* we're not the first session */ - len = get_unaligned_be32(&buf->data[auth->session]); - if (4 + len + auth->session != tpm_buf_length(buf)) { - WARN(1, "session length mismatch, cannot append"); - return; - } - - /* add our new session */ - len += 9 + 2 * SHA256_DIGEST_SIZE; - put_unaligned_be32(len, &buf->data[auth->session]); - } else { - tpm_buf_append_u32(buf, 9 + 2 * SHA256_DIGEST_SIZE); - } - - /* random number for our nonce */ - get_random_bytes(nonce, sizeof(nonce)); - memcpy(auth->our_nonce, nonce, sizeof(nonce)); - tpm_buf_append_u32(buf, auth->handle); - /* our new nonce */ - tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE); - tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE); - tpm_buf_append_u8(buf, auth->attrs); - /* and put a placeholder for the hmac */ - tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE); - tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE); -} -EXPORT_SYMBOL(tpm_buf_append_hmac_session); - /** * tpm_buf_fill_hmac_session() - finalize the session HMAC * @chip: the TPM chip structure @@ -563,6 +591,9 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) u8 cphash[SHA256_DIGEST_SIZE]; struct sha256_state sctx; + if (!auth) + return; + /* save the command code in BE format */ auth->ordinal = head->ordinal; @@ -721,6 +752,9 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, u32 cc = be32_to_cpu(auth->ordinal); int parm_len, len, i, handles; + if (!auth) + return rc; + if (auth->session >= TPM_HEADER_SIZE) { WARN(1, "tpm session not filled correctly\n"); goto out; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 4d3071e885a0..e93ee8d936a9 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -502,10 +502,6 @@ static inline struct tpm2_auth *tpm2_chip_auth(struct tpm_chip *chip) void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, u32 handle, u8 *name); - -#ifdef CONFIG_TCG_TPM2_HMAC - -int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, int passphraselen); @@ -515,9 +511,27 @@ static inline void tpm_buf_append_hmac_session_opt(struct tpm_chip *chip, u8 *passphrase, int passphraselen) { - tpm_buf_append_hmac_session(chip, buf, attributes, passphrase, - passphraselen); + struct tpm_header *head; + int offset; + + if (tpm2_chip_auth(chip)) { + tpm_buf_append_hmac_session(chip, buf, attributes, passphrase, passphraselen); + } else { + offset = buf->handles * 4 + TPM_HEADER_SIZE; + head = (struct tpm_header *)buf->data; + + /* + * If the only sessions are optional, the command tag must change to + * TPM2_ST_NO_SESSIONS. + */ + if (tpm_buf_length(buf) == offset) + head->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS); + } } + +#ifdef CONFIG_TCG_TPM2_HMAC + +int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf); int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, int rc); @@ -532,48 +546,6 @@ static inline int tpm2_start_auth_session(struct tpm_chip *chip) static inline void tpm2_end_auth_session(struct tpm_chip *chip) { } -static inline void tpm_buf_append_hmac_session(struct tpm_chip *chip, - struct tpm_buf *buf, - u8 attributes, u8 *passphrase, - int passphraselen) -{ - /* offset tells us where the sessions area begins */ - int offset = buf->handles * 4 + TPM_HEADER_SIZE; - u32 len = 9 + passphraselen; - - if (tpm_buf_length(buf) != offset) { - /* not the first session so update the existing length */ - len += get_unaligned_be32(&buf->data[offset]); - put_unaligned_be32(len, &buf->data[offset]); - } else { - tpm_buf_append_u32(buf, len); - } - /* auth handle */ - tpm_buf_append_u32(buf, TPM2_RS_PW); - /* nonce */ - tpm_buf_append_u16(buf, 0); - /* attributes */ - tpm_buf_append_u8(buf, 0); - /* passphrase */ - tpm_buf_append_u16(buf, passphraselen); - tpm_buf_append(buf, passphrase, passphraselen); -} -static inline void tpm_buf_append_hmac_session_opt(struct tpm_chip *chip, - struct tpm_buf *buf, - u8 attributes, - u8 *passphrase, - int passphraselen) -{ - int offset = buf->handles * 4 + TPM_HEADER_SIZE; - struct tpm_header *head = (struct tpm_header *) buf->data; - - /* - * if the only sessions are optional, the command tag - * must change to TPM2_ST_NO_SESSIONS - */ - if (tpm_buf_length(buf) == offset) - head->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS); -} static inline void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) { -- 2.45.2

9 months, 3 weeks

1
0
0 0

[PATCH v4 2/3] tpm: Address !chip->auth in tpm_buf_append_name()

by Jarkko Sakkinen

Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can cause a null derefence in tpm_buf_append_name(). Thus, address !chip->auth in tpm_buf_append_name() and remove the fallback implementation for !TCG_TPM2_HMAC. Cc: stable(a)vger.kernel.org # v6.10+ Reported-by: Stefan Berger <stefanb(a)linux.ibm.com> Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@li… Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append") Tested-by: Michael Ellerman <mpe(a)ellerman.id.au> # ppc Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: * Address: https://lore.kernel.org/linux-integrity/CAHk-=wiM=Cyw-07EkbAH66pE50VzJiT3bV… * Added tested-by from Michael Ellerman. v3: * Address: https://lore.kernel.org/linux-integrity/922603265d61011dbb23f18a04525ae973b… v2: * N/A --- drivers/char/tpm/Makefile | 2 +- drivers/char/tpm/tpm2-sessions.c | 219 +++++++++++++++++-------------- include/linux/tpm.h | 21 +-- 3 files changed, 131 insertions(+), 111 deletions(-) diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile index 4c695b0388f3..9bb142c75243 100644 --- a/drivers/char/tpm/Makefile +++ b/drivers/char/tpm/Makefile @@ -16,8 +16,8 @@ tpm-y += eventlog/common.o tpm-y += eventlog/tpm1.o tpm-y += eventlog/tpm2.o tpm-y += tpm-buf.o +tpm-y += tpm2-sessions.o -tpm-$(CONFIG_TCG_TPM2_HMAC) += tpm2-sessions.o tpm-$(CONFIG_ACPI) += tpm_ppi.o eventlog/acpi.o tpm-$(CONFIG_EFI) += eventlog/efi.o tpm-$(CONFIG_OF) += eventlog/of.o diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 2f1d96a5a5a7..b3ed35e7ec00 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -83,9 +83,6 @@ #define AES_KEY_BYTES AES_KEYSIZE_128 #define AES_KEY_BITS (AES_KEY_BYTES*8) -static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy, - u32 *handle, u8 *name); - /* * This is the structure that carries all the auth information (like * session handle, nonces, session key and auth) from use to use it is @@ -148,6 +145,7 @@ struct tpm2_auth { u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE]; }; +#ifdef CONFIG_TCG_TPM2_HMAC /* * Name Size based on TPM algorithm (assumes no hash bigger than 255) */ @@ -163,6 +161,122 @@ static u8 name_size(const u8 *name) return size_map[alg] + 2; } +static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) +{ + struct tpm_header *head = (struct tpm_header *)buf->data; + off_t offset = TPM_HEADER_SIZE; + u32 tot_len = be32_to_cpu(head->length); + u32 val; + + /* we're starting after the header so adjust the length */ + tot_len -= TPM_HEADER_SIZE; + + /* skip public */ + val = tpm_buf_read_u16(buf, &offset); + if (val > tot_len) + return -EINVAL; + offset += val; + /* name */ + val = tpm_buf_read_u16(buf, &offset); + if (val != name_size(&buf->data[offset])) + return -EINVAL; + memcpy(name, &buf->data[offset], val); + /* forget the rest */ + return 0; +} + +static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) +{ + struct tpm_buf buf; + int rc; + + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC); + if (rc) + return rc; + + tpm_buf_append_u32(&buf, handle); + rc = tpm_transmit_cmd(chip, &buf, 0, "read public"); + if (rc == TPM2_RC_SUCCESS) + rc = tpm2_parse_read_public(name, &buf); + + tpm_buf_destroy(&buf); + + return rc; +} +#endif /* CONFIG_TCG_TPM2_HMAC */ + +/** + * tpm_buf_append_name() - add a handle area to the buffer + * @chip: the TPM chip structure + * @buf: The buffer to be appended + * @handle: The handle to be appended + * @name: The name of the handle (may be NULL) + * + * In order to compute session HMACs, we need to know the names of the + * objects pointed to by the handles. For most objects, this is simply + * the actual 4 byte handle or an empty buf (in these cases @name + * should be NULL) but for volatile objects, permanent objects and NV + * areas, the name is defined as the hash (according to the name + * algorithm which should be set to sha256) of the public area to + * which the two byte algorithm id has been appended. For these + * objects, the @name pointer should point to this. If a name is + * required but @name is NULL, then TPM2_ReadPublic() will be called + * on the handle to obtain the name. + * + * As with most tpm_buf operations, success is assumed because failure + * will be caused by an incorrect programming model and indicated by a + * kernel message. + */ +void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, + u32 handle, u8 *name) +{ +#ifdef CONFIG_TCG_TPM2_HMAC + enum tpm2_mso_type mso = tpm2_handle_mso(handle); + struct tpm2_auth *auth; + int slot; +#endif + + if (!tpm2_chip_auth(chip)) { + tpm_buf_append_u32(buf, handle); + /* count the number of handles in the upper bits of flags */ + buf->handles++; + return; + } + +#ifdef CONFIG_TCG_TPM2_HMAC + slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE) / 4; + if (slot >= AUTH_MAX_NAMES) { + dev_err(&chip->dev, "TPM: too many handles\n"); + return; + } + auth = chip->auth; + WARN(auth->session != tpm_buf_length(buf), + "name added in wrong place\n"); + tpm_buf_append_u32(buf, handle); + auth->session += 4; + + if (mso == TPM2_MSO_PERSISTENT || + mso == TPM2_MSO_VOLATILE || + mso == TPM2_MSO_NVRAM) { + if (!name) + tpm2_read_public(chip, handle, auth->name[slot]); + } else { + if (name) + dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n"); + } + + auth->name_h[slot] = handle; + if (name) + memcpy(auth->name[slot], name, name_size(name)); +#endif +} +EXPORT_SYMBOL_GPL(tpm_buf_append_name); + +#ifdef CONFIG_TCG_TPM2_HMAC + +static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy, + u32 *handle, u8 *name); + /* * It turns out the crypto hmac(sha256) is hard for us to consume * because it assumes a fixed key and the TPM seems to change the key @@ -567,104 +681,6 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) } EXPORT_SYMBOL(tpm_buf_fill_hmac_session); -static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) -{ - struct tpm_header *head = (struct tpm_header *)buf->data; - off_t offset = TPM_HEADER_SIZE; - u32 tot_len = be32_to_cpu(head->length); - u32 val; - - /* we're starting after the header so adjust the length */ - tot_len -= TPM_HEADER_SIZE; - - /* skip public */ - val = tpm_buf_read_u16(buf, &offset); - if (val > tot_len) - return -EINVAL; - offset += val; - /* name */ - val = tpm_buf_read_u16(buf, &offset); - if (val != name_size(&buf->data[offset])) - return -EINVAL; - memcpy(name, &buf->data[offset], val); - /* forget the rest */ - return 0; -} - -static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) -{ - struct tpm_buf buf; - int rc; - - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC); - if (rc) - return rc; - - tpm_buf_append_u32(&buf, handle); - rc = tpm_transmit_cmd(chip, &buf, 0, "read public"); - if (rc == TPM2_RC_SUCCESS) - rc = tpm2_parse_read_public(name, &buf); - - tpm_buf_destroy(&buf); - - return rc; -} - -/** - * tpm_buf_append_name() - add a handle area to the buffer - * @chip: the TPM chip structure - * @buf: The buffer to be appended - * @handle: The handle to be appended - * @name: The name of the handle (may be NULL) - * - * In order to compute session HMACs, we need to know the names of the - * objects pointed to by the handles. For most objects, this is simply - * the actual 4 byte handle or an empty buf (in these cases @name - * should be NULL) but for volatile objects, permanent objects and NV - * areas, the name is defined as the hash (according to the name - * algorithm which should be set to sha256) of the public area to - * which the two byte algorithm id has been appended. For these - * objects, the @name pointer should point to this. If a name is - * required but @name is NULL, then TPM2_ReadPublic() will be called - * on the handle to obtain the name. - * - * As with most tpm_buf operations, success is assumed because failure - * will be caused by an incorrect programming model and indicated by a - * kernel message. - */ -void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, - u32 handle, u8 *name) -{ - enum tpm2_mso_type mso = tpm2_handle_mso(handle); - struct tpm2_auth *auth = chip->auth; - int slot; - - slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE)/4; - if (slot >= AUTH_MAX_NAMES) { - dev_err(&chip->dev, "TPM: too many handles\n"); - return; - } - WARN(auth->session != tpm_buf_length(buf), - "name added in wrong place\n"); - tpm_buf_append_u32(buf, handle); - auth->session += 4; - - if (mso == TPM2_MSO_PERSISTENT || - mso == TPM2_MSO_VOLATILE || - mso == TPM2_MSO_NVRAM) { - if (!name) - tpm2_read_public(chip, handle, auth->name[slot]); - } else { - if (name) - dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n"); - } - - auth->name_h[slot] = handle; - if (name) - memcpy(auth->name[slot], name, name_size(name)); -} -EXPORT_SYMBOL(tpm_buf_append_name); - /** * tpm_buf_check_hmac_response() - check the TPM return HMAC for correctness * @chip: the TPM chip structure @@ -1311,3 +1327,4 @@ int tpm2_sessions_init(struct tpm_chip *chip) return rc; } +#endif /* CONFIG_TCG_TPM2_HMAC */ diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 21a67dc9efe8..4d3071e885a0 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -490,11 +490,22 @@ static inline void tpm_buf_append_empty_auth(struct tpm_buf *buf, u32 handle) { } #endif + +static inline struct tpm2_auth *tpm2_chip_auth(struct tpm_chip *chip) +{ #ifdef CONFIG_TCG_TPM2_HMAC + return chip->auth; +#else + return NULL; +#endif +} -int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, u32 handle, u8 *name); + +#ifdef CONFIG_TCG_TPM2_HMAC + +int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, int passphraselen); @@ -521,14 +532,6 @@ static inline int tpm2_start_auth_session(struct tpm_chip *chip) static inline void tpm2_end_auth_session(struct tpm_chip *chip) { } -static inline void tpm_buf_append_name(struct tpm_chip *chip, - struct tpm_buf *buf, - u32 handle, u8 *name) -{ - tpm_buf_append_u32(buf, handle); - /* count the number of handles in the upper bits of flags */ - buf->handles++; -} static inline void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, -- 2.45.2

9 months, 3 weeks

1
0
0 0

[PATCH v4 1/3] tpm: Address !chip->auth in tpm2_*_auth_session()

by Jarkko Sakkinen

Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can cause a null derefence in tpm2_*_auth_session(). Thus, address !chip->auth in tpm2_*_auth_session(). Cc: stable(a)vger.kernel.org # v6.9+ Reported-by: Stefan Berger <stefanb(a)linux.ibm.com> Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@li… Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Tested-by: Michael Ellerman <mpe(a)ellerman.id.au> # ppc Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: * Added tested-by from Michael Ellerman. v3: * No changes. v2: * Use dev_warn_once() instead of pr_warn_once(). --- drivers/char/tpm/tpm2-sessions.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 907ac9956a78..2f1d96a5a5a7 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -824,8 +824,13 @@ EXPORT_SYMBOL(tpm_buf_check_hmac_response); */ void tpm2_end_auth_session(struct tpm_chip *chip) { - tpm2_flush_context(chip, chip->auth->handle); - memzero_explicit(chip->auth, sizeof(*chip->auth)); + struct tpm2_auth *auth = chip->auth; + + if (!auth) + return; + + tpm2_flush_context(chip, auth->handle); + memzero_explicit(auth, sizeof(*auth)); } EXPORT_SYMBOL(tpm2_end_auth_session); @@ -907,6 +912,11 @@ int tpm2_start_auth_session(struct tpm_chip *chip) int rc; u32 null_key; + if (!auth) { + dev_warn_once(&chip->dev, "auth session is not active\n"); + return 0; + } + rc = tpm2_load_null(chip, &null_key); if (rc) goto out; -- 2.45.2

9 months, 3 weeks

1
0
0 0

+ mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/gup: clear the LRU flag of a page before adding to LRU batch has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: yangge <yangge1116(a)126.com> Subject: mm/gup: clear the LRU flag of a page before adding to LRU batch Date: Wed, 3 Jul 2024 20:02:33 +0800 If a large number of CMA memory are configured in system (for example, the CMA memory accounts for 50% of the system memory), starting a virtual virtual machine with device passthrough, it will call pin_user_pages_remote(..., FOLL_LONGTERM, ...) to pin memory. Normally if a page is present and in CMA area, pin_user_pages_remote() will migrate the page from CMA area to non-CMA area because of FOLL_LONGTERM flag. But the current code will cause the migration failure due to unexpected page refcounts, and eventually cause the virtual machine fail to start. If a page is added in LRU batch, its refcount increases one, remove the page from LRU batch decreases one. Page migration requires the page is not referenced by others except page mapping. Before migrating a page, we should try to drain the page from LRU batch in case the page is in it, however, folio_test_lru() is not sufficient to tell whether the page is in LRU batch or not, if the page is in LRU batch, the migration will fail. To solve the problem above, we modify the logic of adding to LRU batch. Before adding a page to LRU batch, we clear the LRU flag of the page so that we can check whether the page is in LRU batch by folio_test_lru(page). It's quite valuable, because likely we don't want to blindly drain the LRU batch simply because there is some unexpected reference on a page, as described above. This change makes the LRU flag of a page invisible for longer, which may impact some programs. For example, as long as a page is on a LRU batch, we cannot isolate it, and we cannot check if it's an LRU page. Further, a page can now only be on exactly one LRU batch. This doesn't seem to matter much, because a new page is allocated from buddy and added to the lru batch, or be isolated, it's LRU flag may also be invisible for a long time. Link: https://lkml.kernel.org/r/1720075944-27201-1-git-send-email-yangge1116@126.… Link: https://lkml.kernel.org/r/1720008153-16035-1-git-send-email-yangge1116@126.… Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: yangge <yangge1116(a)126.com> Cc: Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Barry Song <21cnbao(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swap.c | 43 +++++++++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 12 deletions(-) --- a/mm/swap.c~mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch +++ a/mm/swap.c @@ -212,10 +212,6 @@ static void folio_batch_move_lru(struct for (i = 0; i < folio_batch_count(fbatch); i++) { struct folio *folio = fbatch->folios[i]; - /* block memcg migration while the folio moves between lru */ - if (move_fn != lru_add_fn && !folio_test_clear_lru(folio)) - continue; - folio_lruvec_relock_irqsave(folio, &lruvec, &flags); move_fn(lruvec, folio); @@ -256,11 +252,16 @@ static void lru_move_tail_fn(struct lruv void folio_rotate_reclaimable(struct folio *folio) { if (!folio_test_locked(folio) && !folio_test_dirty(folio) && - !folio_test_unevictable(folio) && folio_test_lru(folio)) { + !folio_test_unevictable(folio)) { struct folio_batch *fbatch; unsigned long flags; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock_irqsave(&lru_rotate.lock, flags); fbatch = this_cpu_ptr(&lru_rotate.fbatch); folio_batch_add_and_move(fbatch, folio, lru_move_tail_fn); @@ -353,11 +354,15 @@ static void folio_activate_drain(int cpu void folio_activate(struct folio *folio) { - if (folio_test_lru(folio) && !folio_test_active(folio) && - !folio_test_unevictable(folio)) { + if (!folio_test_active(folio) && !folio_test_unevictable(folio)) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.activate); folio_batch_add_and_move(fbatch, folio, folio_activate_fn); @@ -701,6 +706,11 @@ void deactivate_file_folio(struct folio return; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_deactivate_file); folio_batch_add_and_move(fbatch, folio, lru_deactivate_file_fn); @@ -717,11 +727,16 @@ void deactivate_file_folio(struct folio */ void folio_deactivate(struct folio *folio) { - if (folio_test_lru(folio) && !folio_test_unevictable(folio) && - (folio_test_active(folio) || lru_gen_enabled())) { + if (!folio_test_unevictable(folio) && (folio_test_active(folio) || + lru_gen_enabled())) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_deactivate); folio_batch_add_and_move(fbatch, folio, lru_deactivate_fn); @@ -738,12 +753,16 @@ void folio_deactivate(struct folio *foli */ void folio_mark_lazyfree(struct folio *folio) { - if (folio_test_lru(folio) && folio_test_anon(folio) && - folio_test_swapbacked(folio) && !folio_test_swapcache(folio) && - !folio_test_unevictable(folio)) { + if (folio_test_anon(folio) && folio_test_swapbacked(folio) && + !folio_test_swapcache(folio) && !folio_test_unevictable(folio)) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_lazyfree); folio_batch_add_and_move(fbatch, folio, lru_lazyfree_fn); _ Patches currently in -mm which might be from yangge1116(a)126.com are mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch

9 months, 3 weeks

1
0
0 0

+ mm-fix-khugepaged-activation-policy.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm: fix khugepaged activation policy has been added to the -mm mm-unstable branch. Its filename is mm-fix-khugepaged-activation-policy.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryan Roberts <ryan.roberts(a)arm.com> Subject: mm: fix khugepaged activation policy Date: Thu, 4 Jul 2024 10:10:50 +0100 Since the introduction of mTHP, the docuementation has stated that khugepaged would be enabled when any mTHP size is enabled, and disabled when all mTHP sizes are disabled. There are 2 problems with this; 1. this is not what was implemented by the code and 2. this is not the desirable behavior. Desirable behavior is for khugepaged to be enabled when any PMD-sized THP is enabled, anon or file. (Note that file THP is still controlled by the top-level control so we must always consider that, as well as the PMD-size mTHP control for anon). khugepaged only supports collapsing to PMD-sized THP so there is no value in enabling it when PMD-sized THP is disabled. So let's change the code and documentation to reflect this policy. Further, per-size enabled control modification events were not previously forwarded to khugepaged to give it an opportunity to start or stop. Consequently the following was resulting in khugepaged eroneously not being activated: echo never > /sys/kernel/mm/transparent_hugepage/enabled echo always > /sys/kernel/mm/transparent_hugepage/hugepages-2048kB/enabled Link: https://lkml.kernel.org/r/20240704091051.2411934-1-ryan.roberts@arm.com Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Fixes: 3485b88390b0 ("mm: thp: introduce multi-size THP sysfs interface") Closes: https://lore.kernel.org/linux-mm/7a0bbe69-1e3d-4263-b206-da007791a5c4@redha… Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Lance Yang <ioworker0(a)gmail.com> Cc: Yang Shi <shy828301(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- Documentation/admin-guide/mm/transhuge.rst | 11 +++++------ include/linux/huge_mm.h | 15 ++++++++------- mm/huge_memory.c | 7 +++++++ mm/khugepaged.c | 13 ++++++------- 4 files changed, 26 insertions(+), 20 deletions(-) --- a/Documentation/admin-guide/mm/transhuge.rst~mm-fix-khugepaged-activation-policy +++ a/Documentation/admin-guide/mm/transhuge.rst @@ -202,12 +202,11 @@ PMD-mappable transparent hugepage:: cat /sys/kernel/mm/transparent_hugepage/hpage_pmd_size -khugepaged will be automatically started when one or more hugepage -sizes are enabled (either by directly setting "always" or "madvise", -or by setting "inherit" while the top-level enabled is set to "always" -or "madvise"), and it'll be automatically shutdown when the last -hugepage size is disabled (either by directly setting "never", or by -setting "inherit" while the top-level enabled is set to "never"). +khugepaged will be automatically started when PMD-sized THP is enabled +(either of the per-size anon control or the top-level control are set +to "always" or "madvise"), and it'll be automatically shutdown when +PMD-sized THP is disabled (when both the per-size anon control and the +top-level control are "never") Khugepaged controls ------------------- --- a/include/linux/huge_mm.h~mm-fix-khugepaged-activation-policy +++ a/include/linux/huge_mm.h @@ -128,16 +128,17 @@ static inline bool hugepage_global_alway (1<<TRANSPARENT_HUGEPAGE_FLAG); } -static inline bool hugepage_flags_enabled(void) +static inline bool hugepage_pmd_enabled(void) { /* - * We cover both the anon and the file-backed case here; we must return - * true if globally enabled, even when all anon sizes are set to never. - * So we don't need to look at huge_anon_orders_inherit. + * We cover both the anon and the file-backed case here; file-backed + * hugepages, when configured in, are determined by the global control. + * Anon pmd-sized hugepages are determined by the pmd-size control. */ - return hugepage_global_enabled() || - READ_ONCE(huge_anon_orders_always) || - READ_ONCE(huge_anon_orders_madvise); + return (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && hugepage_global_enabled()) || + test_bit(PMD_ORDER, &huge_anon_orders_always) || + test_bit(PMD_ORDER, &huge_anon_orders_madvise) || + (test_bit(PMD_ORDER, &huge_anon_orders_inherit) && hugepage_global_enabled()); } static inline int highest_order(unsigned long orders) --- a/mm/huge_memory.c~mm-fix-khugepaged-activation-policy +++ a/mm/huge_memory.c @@ -502,6 +502,13 @@ static ssize_t thpsize_enabled_store(str } else ret = -EINVAL; + if (ret > 0) { + int err; + + err = start_stop_khugepaged(); + if (err) + ret = err; + } return ret; } --- a/mm/khugepaged.c~mm-fix-khugepaged-activation-policy +++ a/mm/khugepaged.c @@ -449,7 +449,7 @@ void khugepaged_enter_vma(struct vm_area unsigned long vm_flags) { if (!test_bit(MMF_VM_HUGEPAGE, &vma->vm_mm->flags) && - hugepage_flags_enabled()) { + hugepage_pmd_enabled()) { if (thp_vma_allowable_order(vma, vm_flags, TVA_ENFORCE_SYSFS, PMD_ORDER)) __khugepaged_enter(vma->vm_mm); @@ -2462,8 +2462,7 @@ breakouterloop_mmap_lock: static int khugepaged_has_work(void) { - return !list_empty(&khugepaged_scan.mm_head) && - hugepage_flags_enabled(); + return !list_empty(&khugepaged_scan.mm_head) && hugepage_pmd_enabled(); } static int khugepaged_wait_event(void) @@ -2536,7 +2535,7 @@ static void khugepaged_wait_work(void) return; } - if (hugepage_flags_enabled()) + if (hugepage_pmd_enabled()) wait_event_freezable(khugepaged_wait, khugepaged_wait_event()); } @@ -2567,7 +2566,7 @@ static void set_recommended_min_free_kby int nr_zones = 0; unsigned long recommended_min; - if (!hugepage_flags_enabled()) { + if (!hugepage_pmd_enabled()) { calculate_min_free_kbytes(); goto update_wmarks; } @@ -2617,7 +2616,7 @@ int start_stop_khugepaged(void) int err = 0; mutex_lock(&khugepaged_mutex); - if (hugepage_flags_enabled()) { + if (hugepage_pmd_enabled()) { if (!khugepaged_thread) khugepaged_thread = kthread_run(khugepaged, NULL, "khugepaged"); @@ -2643,7 +2642,7 @@ fail: void khugepaged_min_free_kbytes_update(void) { mutex_lock(&khugepaged_mutex); - if (hugepage_flags_enabled() && khugepaged_thread) + if (hugepage_pmd_enabled() && khugepaged_thread) set_recommended_min_free_kbytes(); mutex_unlock(&khugepaged_mutex); } _ Patches currently in -mm which might be from ryan.roberts(a)arm.com are mm-fix-khugepaged-activation-policy.patch

9 months, 3 weeks

1
0
0 0

[tip: timers/core] timers/migration: Do not rely always on group->parent

by tip-bot2 for Anna-Maria Behnsen

The following commit has been merged into the timers/core branch of tip: Commit-ID: cabe7ebd57a0bfd0ef8e74f0c70423ae8d4d9171 Gitweb: https://git.kernel.org/tip/cabe7ebd57a0bfd0ef8e74f0c70423ae8d4d9171 Author: Anna-Maria Behnsen <anna-maria(a)linutronix.de> AuthorDate: Mon, 01 Jul 2024 12:18:37 +02:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Thu, 04 Jul 2024 20:22:21 +02:00 timers/migration: Do not rely always on group->parent When reading group->parent without holding the group lock it is racy against CPUs coming online the first time and thereby creating another level of the hierarchy. This is not a problem when this value is read once to decide whether to abort a propagation or not. The worst outcome is an unnecessary/early CPU wake up. But it is racy when reading it several times during a single 'action' (like activation, deactivation, checking for remote timer expiry,...) and relying on the consitency of this value without holding the lock. This happens at the moment e.g. in tmigr_inactive_up() which is also calling tmigr_udpate_events(). Code relys on group->parent not to change during this 'action'. Update parent struct member description to explain the above only once. Remove parent pointer checks when they are not mandatory (like update of data->childmask). Remove a warning, which would be nice but the trigger of this warning is not reliable and add expand the data structure member description instead. Expand a comment, why it is safe to rely on parent pointer here (inside hierarchy update). Fixes: 7ee988770326 ("timers: Implement the hierarchical pull model") Reported-by: Borislav Petkov <bp(a)alien8.de> Signed-off-by: Anna-Maria Behnsen <anna-maria(a)linutronix.de> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Frederic Weisbecker <frederic(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240701-tmigr-fixes-v3-1-25cd5de318fb@linutronix… --- kernel/time/timer_migration.c | 33 +++++++++++++++------------------ kernel/time/timer_migration.h | 12 +++++++++++- 2 files changed, 26 insertions(+), 19 deletions(-) diff --git a/kernel/time/timer_migration.c b/kernel/time/timer_migration.c index 8441311..d91efe1 100644 --- a/kernel/time/timer_migration.c +++ b/kernel/time/timer_migration.c @@ -507,7 +507,14 @@ static void walk_groups(up_f up, void *data, struct tmigr_cpu *tmc) * (get_next_timer_interrupt()) * @firstexp: Contains the first event expiry information when last * active CPU of hierarchy is on the way to idle to make - * sure CPU will be back in time. + * sure CPU will be back in time. It is updated in top + * level group only. Be aware, there could occur a new top + * level of the hierarchy between the 'top level call' in + * tmigr_update_events() and the check for the parent group + * in walk_groups(). Then @firstexp might contain a value + * != KTIME_MAX even if it was not the final top + * level. This is not a problem, as the worst outcome is a + * CPU which might wake up a little early. * @evt: Pointer to tmigr_event which needs to be queued (of idle * child group) * @childmask: childmask of child group @@ -649,7 +656,7 @@ static bool tmigr_active_up(struct tmigr_group *group, } while (!atomic_try_cmpxchg(&group->migr_state, &curstate.state, newstate.state)); - if ((walk_done == false) && group->parent) + if (walk_done == false) data->childmask = group->childmask; /* @@ -1317,20 +1324,9 @@ static bool tmigr_inactive_up(struct tmigr_group *group, /* Event Handling */ tmigr_update_events(group, child, data); - if (group->parent && (walk_done == false)) + if (walk_done == false) data->childmask = group->childmask; - /* - * data->firstexp was set by tmigr_update_events() and contains the - * expiry of the first global event which needs to be handled. It - * differs from KTIME_MAX if: - * - group is the top level group and - * - group is idle (which means CPU was the last active CPU in the - * hierarchy) and - * - there is a pending event in the hierarchy - */ - WARN_ON_ONCE(data->firstexp != KTIME_MAX && group->parent); - trace_tmigr_group_set_cpu_inactive(group, newstate, childmask); return walk_done; @@ -1552,10 +1548,11 @@ static void tmigr_connect_child_parent(struct tmigr_group *child, data.childmask = child->childmask; /* - * There is only one new level per time. When connecting the - * child and the parent and set the child active when the parent - * is inactive, the parent needs to be the uppermost - * level. Otherwise there went something wrong! + * There is only one new level per time (which is protected by + * tmigr_mutex). When connecting the child and the parent and + * set the child active when the parent is inactive, the parent + * needs to be the uppermost level. Otherwise there went + * something wrong! */ WARN_ON(!tmigr_active_up(parent, child, &data) && parent->parent); } diff --git a/kernel/time/timer_migration.h b/kernel/time/timer_migration.h index 6c37d94..494f68c 100644 --- a/kernel/time/timer_migration.h +++ b/kernel/time/timer_migration.h @@ -22,7 +22,17 @@ struct tmigr_event { * struct tmigr_group - timer migration hierarchy group * @lock: Lock protecting the event information and group hierarchy * information during setup - * @parent: Pointer to the parent group + * @parent: Pointer to the parent group. Pointer is updated when a + * new hierarchy level is added because of a CPU coming + * online the first time. Once it is set, the pointer will + * not be removed or updated. When accessing parent pointer + * lock less to decide whether to abort a propagation or + * not, it is not a problem. The worst outcome is an + * unnecessary/early CPU wake up. But do not access parent + * pointer several times in the same 'action' (like + * activation, deactivation, check for remote expiry,...) + * without holding the lock as it is not ensured that value + * will not change. * @groupevt: Next event of the group which is only used when the * group is !active. The group event is then queued into * the parent timer queue.

9 months, 3 weeks

1
0
0 0

[tip: timers/core] timers/migration: Move hierarchy setup into cpuhotplug prepare callback

by tip-bot2 for Anna-Maria Behnsen

The following commit has been merged into the timers/core branch of tip: Commit-ID: 8cdb61838ee5c63556773ea2eed24deab6b15257 Gitweb: https://git.kernel.org/tip/8cdb61838ee5c63556773ea2eed24deab6b15257 Author: Anna-Maria Behnsen <anna-maria(a)linutronix.de> AuthorDate: Wed, 03 Jul 2024 22:28:39 +02:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Thu, 04 Jul 2024 20:22:22 +02:00 timers/migration: Move hierarchy setup into cpuhotplug prepare callback When a CPU comes online the first time, it is possible that a new top level group will be created. In general all propagation is done from the bottom to top. This minimizes complexity and prevents possible races. But when a new top level group is created, the formely top level group needs to be connected to the new level. This is the only time, when the direction to propagate changes is changed: the changes are propagated from top (new top level group) to bottom (formerly top level group). This introduces two races (see (A) and (B)) as reported by Frederic: (A) This race happens, when marking the formely top level group as active, but the last active CPU of the formerly top level group goes idle. Then it's likely that formerly group is no longer active, but marked nevertheless as active in new top level group: [GRP0:0] migrator = 0 active = 0 nextevt = KTIME_MAX / \ 0 1 .. 7 active idle 0) Hierarchy has for now only 8 CPUs and CPU 0 is the only active CPU. [GRP1:0] migrator = TMIGR_NONE active = NONE nextevt = KTIME_MAX \ [GRP0:0] [GRP0:1] migrator = 0 migrator = TMIGR_NONE active = 0 active = NONE nextevt = KTIME_MAX nextevt = KTIME_MAX / \ 0 1 .. 7 8 active idle !online 1) CPU 8 is booting and creates a new group in first level GRP0:1 and therefore also a new top group GRP1:0. For now the setup code proceeded only until the connected between GRP0:1 to the new top group. The connection between CPU8 and GRP0:1 is not yet established and CPU 8 is still !online. [GRP1:0] migrator = TMIGR_NONE active = NONE nextevt = KTIME_MAX / \ [GRP0:0] [GRP0:1] migrator = 0 migrator = TMIGR_NONE active = 0 active = NONE nextevt = KTIME_MAX nextevt = KTIME_MAX / \ 0 1 .. 7 8 active idle !online 2) Setup code now connects GRP0:0 to GRP1:0 and observes while in tmigr_connect_child_parent() that GRP0:0 is not TMIGR_NONE. So it prepares to call tmigr_active_up() on it. It hasn't done it yet. [GRP1:0] migrator = TMIGR_NONE active = NONE nextevt = KTIME_MAX / \ [GRP0:0] [GRP0:1] migrator = TMIGR_NONE migrator = TMIGR_NONE active = NONE active = NONE nextevt = KTIME_MAX nextevt = KTIME_MAX / \ 0 1 .. 7 8 idle idle !online 3) CPU 0 goes idle. Since GRP0:0->parent has been updated by CPU 8 with GRP0:0->lock held, CPU 0 observes GRP1:0 after calling tmigr_update_events() and it propagates the change to the top (no change there and no wakeup programmed since there is no timer). [GRP1:0] migrator = GRP0:0 active = GRP0:0 nextevt = KTIME_MAX / \ [GRP0:0] [GRP0:1] migrator = TMIGR_NONE migrator = TMIGR_NONE active = NONE active = NONE nextevt = KTIME_MAX nextevt = KTIME_MAX / \ 0 1 .. 7 8 idle idle !online 4) Now the setup code finally calls tmigr_active_up() to and sets GRP0:0 active in GRP1:0 [GRP1:0] migrator = GRP0:0 active = GRP0:0, GRP0:1 nextevt = KTIME_MAX / \ [GRP0:0] [GRP0:1] migrator = TMIGR_NONE migrator = 8 active = NONE active = 8 nextevt = KTIME_MAX nextevt = KTIME_MAX / \ | 0 1 .. 7 8 idle idle active 5) Now CPU 8 is connected with GRP0:1 and CPU 8 calls tmigr_active_up() out of tmigr_cpu_online(). [GRP1:0] migrator = GRP0:0 active = GRP0:0 nextevt = T8 / \ [GRP0:0] [GRP0:1] migrator = TMIGR_NONE migrator = TMIGR_NONE active = NONE active = NONE nextevt = KTIME_MAX nextevt = T8 / \ | 0 1 .. 7 8 idle idle idle 5) CPU 8 goes idle with a timer T8 and relies on GRP0:0 as the migrator. But it's not really active, so T8 gets ignored. --> The update which is done in third step is not noticed by setup code. So a wrong migrator is set to top level group and a timer could get ignored. (B) Reading group->parent and group->childmask when an hierarchy update is ongoing and reaches the formerly top level group is racy as those values could be inconsistent. (The notation of migrator and active now slightly changes in contrast to the above example, as now the childmasks are used.) [GRP1:0] migrator = TMIGR_NONE active = 0x00 nextevt = KTIME_MAX \ [GRP0:0] [GRP0:1] migrator = TMIGR_NONE migrator = TMIGR_NONE active = 0x00 active = 0x00 nextevt = KTIME_MAX nextevt = KTIME_MAX childmask= 0 childmask= 1 parent = NULL parent = GRP1:0 / \ 0 1 .. 7 8 idle idle !online childmask=1 1) Hierarchy has 8 CPUs. CPU 8 is at the moment in the process of onlining but did not yet connect GRP0:0 to GRP1:0. [GRP1:0] migrator = TMIGR_NONE active = 0x00 nextevt = KTIME_MAX / \ [GRP0:0] [GRP0:1] migrator = TMIGR_NONE migrator = TMIGR_NONE active = 0x00 active = 0x00 nextevt = KTIME_MAX nextevt = KTIME_MAX childmask= 0 childmask= 1 parent = GRP1:0 parent = GRP1:0 / \ 0 1 .. 7 8 idle idle !online childmask=1 2) Setup code (running on CPU 8) now connects GRP0:0 to GRP1:0, updates parent pointer of GRP0:0 and ... [GRP1:0] migrator = TMIGR_NONE active = 0x00 nextevt = KTIME_MAX / \ [GRP0:0] [GRP0:1] migrator = 0x01 migrator = TMIGR_NONE active = 0x01 active = 0x00 nextevt = KTIME_MAX nextevt = KTIME_MAX childmask= 0 childmask= 1 parent = GRP1:0 parent = GRP1:0 / \ 0 1 .. 7 8 active idle !online childmask=1 tmigr_walk.childmask = 0 3) ... CPU 0 comes active in the same time. As migrator in GRP0:0 was TMIGR_NONE, childmask of GRP0:0 is stored in update propagation data structure tmigr_walk (as update of childmask is not yet visible/updated). And now ... [GRP1:0] migrator = TMIGR_NONE active = 0x00 nextevt = KTIME_MAX / \ [GRP0:0] [GRP0:1] migrator = 0x01 migrator = TMIGR_NONE active = 0x01 active = 0x00 nextevt = KTIME_MAX nextevt = KTIME_MAX childmask= 2 childmask= 1 parent = GRP1:0 parent = GRP1:0 / \ 0 1 .. 7 8 active idle !online childmask=1 tmigr_walk.childmask = 0 4) ... childmask of GRP0:0 is updated by CPU 8 (still part of setup code). [GRP1:0] migrator = 0x00 active = 0x00 nextevt = KTIME_MAX / \ [GRP0:0] [GRP0:1] migrator = 0x01 migrator = TMIGR_NONE active = 0x01 active = 0x00 nextevt = KTIME_MAX nextevt = KTIME_MAX childmask= 2 childmask= 1 parent = GRP1:0 parent = GRP1:0 / \ 0 1 .. 7 8 active idle !online childmask=1 tmigr_walk.childmask = 0 5) CPU 0 sees the connection to GRP1:0 and now propagates active state to GRP1:0 but with childmask = 0 as stored in propagation data structure. --> Now GRP1:0 always has a migrator as 0x00 != TMIGR_NONE and for all CPUs it looks like GRP1:0 is always active. To prevent those races, the setup of the hierarchy is moved into the cpuhotplug prepare callback. The prepare callback is not executed by the CPU which will come online, it is executed by the CPU which prepares onlining of the other CPU. This CPU is active while it is connecting the formerly top level to the new one. This prevents from (A) to happen and it also prevents from any further walk above the formerly top level until that active CPU becomes inactive, releasing the new ->parent and ->childmask updates to be visible by any subsequent walk up above the formerly top level hierarchy. This prevents from (B) to happen. The direction for the updates is now forced to look like "from bottom to top". However if the active CPU prevents from tmigr_cpu_(in)active() to walk up with the update not-or-half visible, nothing prevents walking up to the new top with a 0 childmask in tmigr_handle_remote_up() or tmigr_requires_handle_remote_up() if the active CPU doing the prepare is not the migrator. But then it looks fine because: * tmigr_check_migrator() should just return false * The migrator is active and should eventually observe the new childmask at some point in a future tick. Split setup functionality of online callback into the cpuhotplug prepare callback and setup hotplug state. Reorder the code, that all prepare related functions are close to each other and online and offline callbacks are also close together. Fixes: 7ee988770326 ("timers: Implement the hierarchical pull model") Signed-off-by: Anna-Maria Behnsen <anna-maria(a)linutronix.de> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Frederic Weisbecker <frederic(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240703202839.8921-1-anna-maria@linutronix.de --- include/linux/cpuhotplug.h | 1 +- kernel/time/timer_migration.c | 181 ++++++++++++++++++--------------- 2 files changed, 101 insertions(+), 81 deletions(-) diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h index 7a5785f..df59666 100644 --- a/include/linux/cpuhotplug.h +++ b/include/linux/cpuhotplug.h @@ -122,6 +122,7 @@ enum cpuhp_state { CPUHP_KVM_PPC_BOOK3S_PREPARE, CPUHP_ZCOMP_PREPARE, CPUHP_TIMERS_PREPARE, + CPUHP_TMIGR_PREPARE, CPUHP_MIPS_SOC_PREPARE, CPUHP_BP_PREPARE_DYN, CPUHP_BP_PREPARE_DYN_END = CPUHP_BP_PREPARE_DYN + 20, diff --git a/kernel/time/timer_migration.c b/kernel/time/timer_migration.c index d91efe1..9b86efd 100644 --- a/kernel/time/timer_migration.c +++ b/kernel/time/timer_migration.c @@ -1438,6 +1438,66 @@ u64 tmigr_quick_check(u64 nextevt) return KTIME_MAX; } +/* + * tmigr_trigger_active() - trigger a CPU to become active again + * + * This function is executed on a CPU which is part of cpu_online_mask, when the + * last active CPU in the hierarchy is offlining. With this, it is ensured that + * the other CPU is active and takes over the migrator duty. + */ +static long tmigr_trigger_active(void *unused) +{ + struct tmigr_cpu *tmc = this_cpu_ptr(&tmigr_cpu); + + WARN_ON_ONCE(!tmc->online || tmc->idle); + + return 0; +} + +static int tmigr_cpu_offline(unsigned int cpu) +{ + struct tmigr_cpu *tmc = this_cpu_ptr(&tmigr_cpu); + int migrator; + u64 firstexp; + + raw_spin_lock_irq(&tmc->lock); + tmc->online = false; + WRITE_ONCE(tmc->wakeup, KTIME_MAX); + + /* + * CPU has to handle the local events on his own, when on the way to + * offline; Therefore nextevt value is set to KTIME_MAX + */ + firstexp = __tmigr_cpu_deactivate(tmc, KTIME_MAX); + trace_tmigr_cpu_offline(tmc); + raw_spin_unlock_irq(&tmc->lock); + + if (firstexp != KTIME_MAX) { + migrator = cpumask_any_but(cpu_online_mask, cpu); + work_on_cpu(migrator, tmigr_trigger_active, NULL); + } + + return 0; +} + +static int tmigr_cpu_online(unsigned int cpu) +{ + struct tmigr_cpu *tmc = this_cpu_ptr(&tmigr_cpu); + + /* Check whether CPU data was successfully initialized */ + if (WARN_ON_ONCE(!tmc->tmgroup)) + return -EINVAL; + + raw_spin_lock_irq(&tmc->lock); + trace_tmigr_cpu_online(tmc); + tmc->idle = timer_base_is_idle(); + if (!tmc->idle) + __tmigr_cpu_activate(tmc); + tmc->online = true; + raw_spin_unlock_irq(&tmc->lock); + return 0; +} + static void tmigr_init_group(struct tmigr_group *group, unsigned int lvl, int node) { @@ -1512,7 +1572,7 @@ static struct tmigr_group *tmigr_get_group(unsigned int cpu, int node, static void tmigr_connect_child_parent(struct tmigr_group *child, struct tmigr_group *parent) { - union tmigr_state childstate; + struct tmigr_walk data; raw_spin_lock_irq(&child->lock); raw_spin_lock_nested(&parent->lock, SINGLE_DEPTH_NESTING); @@ -1540,22 +1600,24 @@ static void tmigr_connect_child_parent(struct tmigr_group *child, * child to the new parent. So tmigr_connect_child_parent() is * executed with the formerly top level group (child) and the newly * created group (parent). + * + * * It is ensured that the child is active, as this setup path is + * executed in hotplug prepare callback. This is exectued by an + * already connected and !idle CPU. Even if all other CPUs go idle, + * the CPU executing the setup will be responsible up to current top + * level group. And the next time it goes inactive, it will release + * the new childmask and parent to subsequent walkers through this + * @child. Therefore propagate active state unconditionally. */ - childstate.state = atomic_read(&child->migr_state); - if (childstate.migrator != TMIGR_NONE) { - struct tmigr_walk data; - - data.childmask = child->childmask; + data.childmask = child->childmask; - /* - * There is only one new level per time (which is protected by - * tmigr_mutex). When connecting the child and the parent and - * set the child active when the parent is inactive, the parent - * needs to be the uppermost level. Otherwise there went - * something wrong! - */ - WARN_ON(!tmigr_active_up(parent, child, &data) && parent->parent); - } + /* + * There is only one new level per time (which is protected by + * tmigr_mutex). When connecting the child and the parent and set the + * child active when the parent is inactive, the parent needs to be the + * uppermost level. Otherwise there went something wrong! + */ + WARN_ON(!tmigr_active_up(parent, child, &data) && parent->parent); } static int tmigr_setup_groups(unsigned int cpu, unsigned int node) @@ -1661,80 +1723,32 @@ static int tmigr_add_cpu(unsigned int cpu) return ret; } -static int tmigr_cpu_online(unsigned int cpu) +static int tmigr_cpu_prepare(unsigned int cpu) { - struct tmigr_cpu *tmc = this_cpu_ptr(&tmigr_cpu); - int ret; - - /* First online attempt? Initialize CPU data */ - if (!tmc->tmgroup) { - raw_spin_lock_init(&tmc->lock); - - ret = tmigr_add_cpu(cpu); - if (ret < 0) - return ret; - - if (tmc->childmask == 0) - return -EINVAL; + struct tmigr_cpu *tmc = per_cpu_ptr(&tmigr_cpu, cpu); + int ret = 0; - timerqueue_init(&tmc->cpuevt.nextevt); - tmc->cpuevt.nextevt.expires = KTIME_MAX; - tmc->cpuevt.ignore = true; - tmc->cpuevt.cpu = cpu; - - tmc->remote = false; - WRITE_ONCE(tmc->wakeup, KTIME_MAX); - } - raw_spin_lock_irq(&tmc->lock); - trace_tmigr_cpu_online(tmc); - tmc->idle = timer_base_is_idle(); - if (!tmc->idle) - __tmigr_cpu_activate(tmc); - tmc->online = true; - raw_spin_unlock_irq(&tmc->lock); - return 0; -} - -/* - * tmigr_trigger_active() - trigger a CPU to become active again - * - * This function is executed on a CPU which is part of cpu_online_mask, when the - * last active CPU in the hierarchy is offlining. With this, it is ensured that - * the other CPU is active and takes over the migrator duty. - */ -static long tmigr_trigger_active(void *unused) -{ - struct tmigr_cpu *tmc = this_cpu_ptr(&tmigr_cpu); + /* Not first online attempt? */ + if (tmc->tmgroup) + return ret; - WARN_ON_ONCE(!tmc->online || tmc->idle); + raw_spin_lock_init(&tmc->lock); - return 0; -} + ret = tmigr_add_cpu(cpu); + if (ret < 0) + return ret; -static int tmigr_cpu_offline(unsigned int cpu) -{ - struct tmigr_cpu *tmc = this_cpu_ptr(&tmigr_cpu); - int migrator; - u64 firstexp; + if (tmc->childmask == 0) + return -EINVAL; - raw_spin_lock_irq(&tmc->lock); - tmc->online = false; + timerqueue_init(&tmc->cpuevt.nextevt); + tmc->cpuevt.nextevt.expires = KTIME_MAX; + tmc->cpuevt.ignore = true; + tmc->cpuevt.cpu = cpu; + tmc->remote = false; WRITE_ONCE(tmc->wakeup, KTIME_MAX); - /* - * CPU has to handle the local events on his own, when on the way to - * offline; Therefore nextevt value is set to KTIME_MAX - */ - firstexp = __tmigr_cpu_deactivate(tmc, KTIME_MAX); - trace_tmigr_cpu_offline(tmc); - raw_spin_unlock_irq(&tmc->lock); - - if (firstexp != KTIME_MAX) { - migrator = cpumask_any_but(cpu_online_mask, cpu); - work_on_cpu(migrator, tmigr_trigger_active, NULL); - } - - return 0; + return ret; } static int __init tmigr_init(void) @@ -1793,6 +1807,11 @@ static int __init tmigr_init(void) tmigr_hierarchy_levels, TMIGR_CHILDREN_PER_GROUP, tmigr_crossnode_level); + ret = cpuhp_setup_state(CPUHP_AP_TMIGR_ONLINE, "tmigr:prepare", + tmigr_cpu_prepare, NULL); + if (ret) + goto err; + ret = cpuhp_setup_state(CPUHP_AP_TMIGR_ONLINE, "tmigr:online", tmigr_cpu_online, tmigr_cpu_offline); if (ret)

9 months, 3 weeks

1
0
0 0

[PATCH v2 2/3] tpm: Address !chip->auth in tpm_buf_append_name()

by Jarkko Sakkinen

Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can cause a null derefence in tpm_buf_append_name(). Thus, address !chip->auth in tpm_buf_append_name() and remove the fallback implementation for !TCG_TPM2_HMAC. Cc: stable(a)vger.kernel.org # v6.9+ Reported-by: Stefan Berger <stefanb(a)linux.ibm.com> Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@li… Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- drivers/char/tpm/Makefile | 2 +- drivers/char/tpm/tpm2-sessions.c | 205 ++++++++++++++++--------------- include/linux/tpm.h | 16 +-- 3 files changed, 113 insertions(+), 110 deletions(-) diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile index 4c695b0388f3..9bb142c75243 100644 --- a/drivers/char/tpm/Makefile +++ b/drivers/char/tpm/Makefile @@ -16,8 +16,8 @@ tpm-y += eventlog/common.o tpm-y += eventlog/tpm1.o tpm-y += eventlog/tpm2.o tpm-y += tpm-buf.o +tpm-y += tpm2-sessions.o -tpm-$(CONFIG_TCG_TPM2_HMAC) += tpm2-sessions.o tpm-$(CONFIG_ACPI) += tpm_ppi.o eventlog/acpi.o tpm-$(CONFIG_EFI) += eventlog/efi.o tpm-$(CONFIG_OF) += eventlog/of.o diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 2f1d96a5a5a7..06d0f10a2301 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -163,6 +163,112 @@ static u8 name_size(const u8 *name) return size_map[alg] + 2; } +static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) +{ + struct tpm_header *head = (struct tpm_header *)buf->data; + off_t offset = TPM_HEADER_SIZE; + u32 tot_len = be32_to_cpu(head->length); + u32 val; + + /* we're starting after the header so adjust the length */ + tot_len -= TPM_HEADER_SIZE; + + /* skip public */ + val = tpm_buf_read_u16(buf, &offset); + if (val > tot_len) + return -EINVAL; + offset += val; + /* name */ + val = tpm_buf_read_u16(buf, &offset); + if (val != name_size(&buf->data[offset])) + return -EINVAL; + memcpy(name, &buf->data[offset], val); + /* forget the rest */ + return 0; +} + +static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) +{ + struct tpm_buf buf; + int rc; + + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC); + if (rc) + return rc; + + tpm_buf_append_u32(&buf, handle); + rc = tpm_transmit_cmd(chip, &buf, 0, "read public"); + if (rc == TPM2_RC_SUCCESS) + rc = tpm2_parse_read_public(name, &buf); + + tpm_buf_destroy(&buf); + + return rc; +} + +/** + * tpm_buf_append_name() - add a handle area to the buffer + * @chip: the TPM chip structure + * @buf: The buffer to be appended + * @handle: The handle to be appended + * @name: The name of the handle (may be NULL) + * + * In order to compute session HMACs, we need to know the names of the + * objects pointed to by the handles. For most objects, this is simply + * the actual 4 byte handle or an empty buf (in these cases @name + * should be NULL) but for volatile objects, permanent objects and NV + * areas, the name is defined as the hash (according to the name + * algorithm which should be set to sha256) of the public area to + * which the two byte algorithm id has been appended. For these + * objects, the @name pointer should point to this. If a name is + * required but @name is NULL, then TPM2_ReadPublic() will be called + * on the handle to obtain the name. + * + * As with most tpm_buf operations, success is assumed because failure + * will be caused by an incorrect programming model and indicated by a + * kernel message. + */ +void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, + u32 handle, u8 *name) +{ + enum tpm2_mso_type mso = tpm2_handle_mso(handle); + struct tpm2_auth *auth = chip->auth; + int slot; + + if (!chip->auth) { + tpm_buf_append_u32(buf, handle); + /* count the number of handles in the upper bits of flags */ + buf->handles++; + return; + } + + slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE) / 4; + if (slot >= AUTH_MAX_NAMES) { + dev_err(&chip->dev, "TPM: too many handles\n"); + return; + } + WARN(auth->session != tpm_buf_length(buf), + "name added in wrong place\n"); + tpm_buf_append_u32(buf, handle); + auth->session += 4; + + if (mso == TPM2_MSO_PERSISTENT || + mso == TPM2_MSO_VOLATILE || + mso == TPM2_MSO_NVRAM) { + if (!name) + tpm2_read_public(chip, handle, auth->name[slot]); + } else { + if (name) + dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n"); + } + + auth->name_h[slot] = handle; + if (name) + memcpy(auth->name[slot], name, name_size(name)); +} +EXPORT_SYMBOL_GPL(tpm_buf_append_name); + +#ifdef CONFIG_TCG_TPM2_HMAC /* * It turns out the crypto hmac(sha256) is hard for us to consume * because it assumes a fixed key and the TPM seems to change the key @@ -567,104 +673,6 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) } EXPORT_SYMBOL(tpm_buf_fill_hmac_session); -static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) -{ - struct tpm_header *head = (struct tpm_header *)buf->data; - off_t offset = TPM_HEADER_SIZE; - u32 tot_len = be32_to_cpu(head->length); - u32 val; - - /* we're starting after the header so adjust the length */ - tot_len -= TPM_HEADER_SIZE; - - /* skip public */ - val = tpm_buf_read_u16(buf, &offset); - if (val > tot_len) - return -EINVAL; - offset += val; - /* name */ - val = tpm_buf_read_u16(buf, &offset); - if (val != name_size(&buf->data[offset])) - return -EINVAL; - memcpy(name, &buf->data[offset], val); - /* forget the rest */ - return 0; -} - -static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) -{ - struct tpm_buf buf; - int rc; - - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC); - if (rc) - return rc; - - tpm_buf_append_u32(&buf, handle); - rc = tpm_transmit_cmd(chip, &buf, 0, "read public"); - if (rc == TPM2_RC_SUCCESS) - rc = tpm2_parse_read_public(name, &buf); - - tpm_buf_destroy(&buf); - - return rc; -} - -/** - * tpm_buf_append_name() - add a handle area to the buffer - * @chip: the TPM chip structure - * @buf: The buffer to be appended - * @handle: The handle to be appended - * @name: The name of the handle (may be NULL) - * - * In order to compute session HMACs, we need to know the names of the - * objects pointed to by the handles. For most objects, this is simply - * the actual 4 byte handle or an empty buf (in these cases @name - * should be NULL) but for volatile objects, permanent objects and NV - * areas, the name is defined as the hash (according to the name - * algorithm which should be set to sha256) of the public area to - * which the two byte algorithm id has been appended. For these - * objects, the @name pointer should point to this. If a name is - * required but @name is NULL, then TPM2_ReadPublic() will be called - * on the handle to obtain the name. - * - * As with most tpm_buf operations, success is assumed because failure - * will be caused by an incorrect programming model and indicated by a - * kernel message. - */ -void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, - u32 handle, u8 *name) -{ - enum tpm2_mso_type mso = tpm2_handle_mso(handle); - struct tpm2_auth *auth = chip->auth; - int slot; - - slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE)/4; - if (slot >= AUTH_MAX_NAMES) { - dev_err(&chip->dev, "TPM: too many handles\n"); - return; - } - WARN(auth->session != tpm_buf_length(buf), - "name added in wrong place\n"); - tpm_buf_append_u32(buf, handle); - auth->session += 4; - - if (mso == TPM2_MSO_PERSISTENT || - mso == TPM2_MSO_VOLATILE || - mso == TPM2_MSO_NVRAM) { - if (!name) - tpm2_read_public(chip, handle, auth->name[slot]); - } else { - if (name) - dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n"); - } - - auth->name_h[slot] = handle; - if (name) - memcpy(auth->name[slot], name, name_size(name)); -} -EXPORT_SYMBOL(tpm_buf_append_name); - /** * tpm_buf_check_hmac_response() - check the TPM return HMAC for correctness * @chip: the TPM chip structure @@ -1311,3 +1319,4 @@ int tpm2_sessions_init(struct tpm_chip *chip) return rc; } +#endif /* CONFIG_TCG_TPM2_HMAC */ diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 21a67dc9efe8..2844fea4a12a 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -211,8 +211,8 @@ struct tpm_chip { u8 null_key_name[TPM2_NAME_SIZE]; u8 null_ec_key_x[EC_PT_SZ]; u8 null_ec_key_y[EC_PT_SZ]; - struct tpm2_auth *auth; #endif + struct tpm2_auth *auth; }; #define TPM_HEADER_SIZE 10 @@ -490,11 +490,13 @@ static inline void tpm_buf_append_empty_auth(struct tpm_buf *buf, u32 handle) { } #endif -#ifdef CONFIG_TCG_TPM2_HMAC -int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, u32 handle, u8 *name); + +#ifdef CONFIG_TCG_TPM2_HMAC + +int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, int passphraselen); @@ -521,14 +523,6 @@ static inline int tpm2_start_auth_session(struct tpm_chip *chip) static inline void tpm2_end_auth_session(struct tpm_chip *chip) { } -static inline void tpm_buf_append_name(struct tpm_chip *chip, - struct tpm_buf *buf, - u32 handle, u8 *name) -{ - tpm_buf_append_u32(buf, handle); - /* count the number of handles in the upper bits of flags */ - buf->handles++; -} static inline void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, -- 2.45.2

9 months, 3 weeks

3
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2024