July 2024 - Linux-stable-mirror

[PATCH v2 1/3] serial: qcom-geni: fix soft lockup on sw flow control and suspend

by Johan Hovold

The stop_tx() callback is used to implement software flow control and must not discard data as the Qualcomm GENI driver is currently doing when there is an active TX command. Cancelling an active command can also leave data in the hardware FIFO, which prevents the watermark interrupt from being enabled when TX is later restarted. This results in a soft lockup and is easily triggered by stopping TX using software flow control in a serial console but this can also happen after suspend. Fix this by only stopping any active command, and effectively clearing the hardware fifo, when shutting down the port. When TX is later restarted, a transfer command may need to be issued to discard any stale data that could prevent the watermark interrupt from firing. Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") Cc: stable(a)vger.kernel.org # 4.17 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 33 +++++++++++++++++++-------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 2bd25afe0d92..a41360d34790 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -649,15 +649,25 @@ static void qcom_geni_serial_start_tx_dma(struct uart_port *uport) static void qcom_geni_serial_start_tx_fifo(struct uart_port *uport) { + unsigned char c; u32 irq_en; - if (qcom_geni_serial_main_active(uport) || - !qcom_geni_serial_tx_empty(uport)) - return; + /* + * Start a new transfer in case the previous command was cancelled and + * left data in the FIFO which may prevent the watermark interrupt + * from triggering. Note that the stale data is discarded. + */ + if (!qcom_geni_serial_main_active(uport) && + !qcom_geni_serial_tx_empty(uport)) { + if (uart_fifo_out(uport, &c, 1) == 1) { + writel(M_CMD_DONE_EN, uport->membase + SE_GENI_M_IRQ_CLEAR); + qcom_geni_serial_setup_tx(uport, 1); + writel(c, uport->membase + SE_GENI_TX_FIFOn); + } + } irq_en = readl(uport->membase + SE_GENI_M_IRQ_EN); irq_en |= M_TX_FIFO_WATERMARK_EN | M_CMD_DONE_EN; - writel(DEF_TX_WM, uport->membase + SE_GENI_TX_WATERMARK_REG); writel(irq_en, uport->membase + SE_GENI_M_IRQ_EN); } @@ -665,13 +675,17 @@ static void qcom_geni_serial_start_tx_fifo(struct uart_port *uport) static void qcom_geni_serial_stop_tx_fifo(struct uart_port *uport) { u32 irq_en; - struct qcom_geni_serial_port *port = to_dev_port(uport); irq_en = readl(uport->membase + SE_GENI_M_IRQ_EN); irq_en &= ~(M_CMD_DONE_EN | M_TX_FIFO_WATERMARK_EN); writel(0, uport->membase + SE_GENI_TX_WATERMARK_REG); writel(irq_en, uport->membase + SE_GENI_M_IRQ_EN); - /* Possible stop tx is called multiple times. */ +} + +static void qcom_geni_serial_cancel_tx_cmd(struct uart_port *uport) +{ + struct qcom_geni_serial_port *port = to_dev_port(uport); + if (!qcom_geni_serial_main_active(uport)) return; @@ -684,6 +698,8 @@ static void qcom_geni_serial_stop_tx_fifo(struct uart_port *uport) writel(M_CMD_ABORT_EN, uport->membase + SE_GENI_M_IRQ_CLEAR); } writel(M_CMD_CANCEL_EN, uport->membase + SE_GENI_M_IRQ_CLEAR); + + port->tx_remaining = 0; } static void qcom_geni_serial_handle_rx_fifo(struct uart_port *uport, bool drop) @@ -1069,11 +1085,10 @@ static void qcom_geni_serial_shutdown(struct uart_port *uport) { disable_irq(uport->irq); - if (uart_console(uport)) - return; - qcom_geni_serial_stop_tx(uport); qcom_geni_serial_stop_rx(uport); + + qcom_geni_serial_cancel_tx_cmd(uport); } static int qcom_geni_serial_port_setup(struct uart_port *uport) -- 2.44.1

5 months, 3 weeks

1
0
0 0

[PATCH 2/3] serial: qcom-geni: fix soft lockup on sw flow control and suspend

by Johan Hovold

The stop_tx() callback is used to implement software flow control and must not discard data as the Qualcomm GENI driver is currently doing when there is an active TX command. Cancelling an active command can also leave data in the hardware FIFO, which prevents the watermark interrupt from being enabled when TX is later restarted. This results in a soft lockup and is easily triggered by stopping TX using software flow control in a serial console but this can also happen after suspend. Fix this by only stopping any active command, and effectively clearing the hardware fifo, when shutting down the port. Make sure to temporarily raise the watermark level so that the interrupt fires when TX is restarted. Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") Cc: stable(a)vger.kernel.org # 4.17 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 28 +++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 1d5d6045879a..72addeb9f461 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -651,13 +651,8 @@ static void qcom_geni_serial_start_tx_fifo(struct uart_port *uport) { u32 irq_en; - if (qcom_geni_serial_main_active(uport) || - !qcom_geni_serial_tx_empty(uport)) - return; - irq_en = readl(uport->membase + SE_GENI_M_IRQ_EN); irq_en |= M_TX_FIFO_WATERMARK_EN | M_CMD_DONE_EN; - writel(DEF_TX_WM, uport->membase + SE_GENI_TX_WATERMARK_REG); writel(irq_en, uport->membase + SE_GENI_M_IRQ_EN); } @@ -665,16 +660,28 @@ static void qcom_geni_serial_start_tx_fifo(struct uart_port *uport) static void qcom_geni_serial_stop_tx_fifo(struct uart_port *uport) { u32 irq_en; - struct qcom_geni_serial_port *port = to_dev_port(uport); irq_en = readl(uport->membase + SE_GENI_M_IRQ_EN); irq_en &= ~(M_CMD_DONE_EN | M_TX_FIFO_WATERMARK_EN); writel(0, uport->membase + SE_GENI_TX_WATERMARK_REG); writel(irq_en, uport->membase + SE_GENI_M_IRQ_EN); - /* Possible stop tx is called multiple times. */ +} + +static void qcom_geni_serial_clear_tx_fifo(struct uart_port *uport) +{ + struct qcom_geni_serial_port *port = to_dev_port(uport); + if (!qcom_geni_serial_main_active(uport)) return; + /* + * Increase watermark level so that TX can be restarted and wait for + * sequencer to start to prevent lockups. + */ + writel(port->tx_fifo_depth, uport->membase + SE_GENI_TX_WATERMARK_REG); + qcom_geni_serial_poll_bit(uport, SE_GENI_M_IRQ_STATUS, + M_TX_FIFO_WATERMARK_EN, true); + geni_se_cancel_m_cmd(&port->se); if (!qcom_geni_serial_poll_bit(uport, SE_GENI_M_IRQ_STATUS, M_CMD_CANCEL_EN, true)) { @@ -684,6 +691,8 @@ static void qcom_geni_serial_stop_tx_fifo(struct uart_port *uport) writel(M_CMD_ABORT_EN, uport->membase + SE_GENI_M_IRQ_CLEAR); } writel(M_CMD_CANCEL_EN, uport->membase + SE_GENI_M_IRQ_CLEAR); + + port->tx_remaining = 0; } static void qcom_geni_serial_handle_rx_fifo(struct uart_port *uport, bool drop) @@ -1069,11 +1078,10 @@ static void qcom_geni_serial_shutdown(struct uart_port *uport) { disable_irq(uport->irq); - if (uart_console(uport)) - return; - qcom_geni_serial_stop_tx(uport); qcom_geni_serial_stop_rx(uport); + + qcom_geni_serial_clear_tx_fifo(uport); } static int qcom_geni_serial_port_setup(struct uart_port *uport) -- 2.44.1

5 months, 3 weeks

3
5
0 0

[PATCH 5.4 000/189] 5.4.279-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.279 release. There are 189 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 05 Jul 2024 10:28:06 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.279-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.279-rc1 Alex Bee <knaerzche(a)gmail.com> arm64: dts: rockchip: Add sound-dai-cells for RK3368 Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Fix data races around icsk->icsk_af_ops. Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix data races around sk->sk_prot. Eric Dumazet <edumazet(a)google.com> ipv6: annotate some data-races around sk->sk_prot Matthew Wilcox (Oracle) <willy(a)infradead.org> nfs: Leave pages in the pagecache if readpage failed Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: stm32: Refuse too small period requests Jaime Liao <jaimeliao(a)mxic.com.tw> mtd: spinand: macronix: Add support for serial NAND flash Arnd Bergmann <arnd(a)arndb.de> ftruncate: pass a signed offset Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Fix double free on error Sven Eckelmann <sven(a)narfation.org> batman-adv: Don't accept TT entries for out-of-spec VIDs Ma Ke <make24(a)iscas.ac.cn> drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes Ma Ke <make24(a)iscas.ac.cn> drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes Arnd Bergmann <arnd(a)arndb.de> hexagon: fix fadvise64_64 calling conventions Arnd Bergmann <arnd(a)arndb.de> csky, hexagon: fix broken sys_sync_file_range Arnd Bergmann <arnd(a)arndb.de> sh: rework sync_file_range ABI Oleksij Rempel <linux(a)rempel-privat.de> net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new Oleksij Rempel <linux(a)rempel-privat.de> net: can: j1939: recover socket queue on CAN bus error during BAM transmission Shigeru Yoshida <syoshida(a)redhat.com> net: can: j1939: Initialize unused data in j1939_send_one() Jean-Michel Hautbois <jeanmichel.hautbois(a)yoseli.org> tty: mcf: MCF54418 has 10 UARTS Stefan Eichenberger <stefan.eichenberger(a)toradex.com> serial: imx: set receiver level before starting uart Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> usb: atm: cxacru: fix endpoint checking in cxacru_bind() Dan Carpenter <dan.carpenter(a)linaro.org> usb: musb: da8xx: fix a resource leak in probe() Oliver Neukum <oneukum(a)suse.com> usb: gadget: printer: SS+ support Jose Ignacio Tornos Martinez <jtornosm(a)redhat.com> net: usb: ax88179_178a: improve link status logs Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix sensor data read operation Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix overflows in compensate() functions Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix calibration data variable Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix pressure value output Fernando Yang <hagisf(a)usp.br> iio: adc: ad7266: Fix variable checking bug Adrian Hunter <adrian.hunter(a)intel.com> mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() Adrian Hunter <adrian.hunter(a)intel.com> mmc: sdhci: Do not invert write-protect twice Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos Linus Torvalds <torvalds(a)linux-foundation.org> x86: stop playing stack games in profile_pc() Aleksandr Mishin <amishin(a)t-argos.ru> gpio: davinci: Validate the obtained number of IRQs Hannes Reinecke <hare(a)suse.de> nvme: fixup comment for nvme RDMA Provider Type Andrew Davis <afd(a)ti.com> soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message Ricardo Ribalda <ribalda(a)chromium.org> media: dvbdev: Initialize sbuf Oswald Buddenhagen <oswald.buddenhagen(a)gmx.de> ALSA: emux: improve patch ioctl data validation Dawei Li <dawei.li(a)shingroup.cn> net/dpaa2: Avoid explicit cpumask var allocation on stack Dawei Li <dawei.li(a)shingroup.cn> net/iucv: Avoid explicit cpumask var allocation on stack Denis Arefev <arefev(a)swemel.ru> mtd: partitions: redboot: Added conversion of operands to a larger type Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers Arnd Bergmann <arnd(a)arndb.de> parisc: use correct compat recv/recvfrom syscalls Arnd Bergmann <arnd(a)arndb.de> sparc: fix old compat_sys_select() Enguerrand de Ribaucourt <enguerrand.de-ribaucourt(a)savoirfairelinux.com> net: phy: micrel: add Microchip KSZ 9477 to the device table Divya Koppera <Divya.Koppera(a)microchip.com> net: phy: mchp: Add support for LAN8814 QUAD PHY Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: fix initial port flush problem Elinor Montmasson <elinor.montmasson(a)savoirfairelinux.com> ASoC: fsl-asoc-card: set priv->pdev before using it Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: validate family when identifying table via handle Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix UBSAN warning in kv_dpm.c Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins Hagar Hemdan <hagarhem(a)amazon.com> pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER Marc Ferland <marc.ferland(a)sonatest.com> iio: dac: ad5592r: fix temperature channel scaling value Alexandru Ardelean <alexandru.ardelean(a)analog.com> iio: dac: ad5592r: un-indent code-block for scale read Sergiu Cuciurean <sergiu.cuciurean(a)analog.com> iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock Yazen Ghannam <yazen.ghannam(a)amd.com> x86/amd_nb: Check for invalid SMN reads Naveen Naidu <naveennaidu479(a)gmail.com> PCI: Add PCI_ERROR_RESPONSE and related definitions Haifeng Xu <haifeng.xu(a)shopee.com> perf/core: Fix missing wakeup when waiting for context reference Matthias Maennich <maennich(a)google.com> kheaders: explicitly define file modes for archived headers Masahiro Yamada <masahiroy(a)kernel.org> Revert "kheaders: substituting --sort in archive creation" Jeff Johnson <quic_jjohnson(a)quicinc.com> tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Harald Freudenberger <freude(a)linux.ibm.com> s390/cpacf: Make use of invalid opcode produce a link error Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: qcs404: fix bluetooth device address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: samsung: smdk4412: fix keypad no-autorepeat Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: samsung: smdkv310: fix keypad no-autorepeat Grygorii Tertychnyi <grembeter(a)gmail.com> i2c: ocores: set IACK bit after core is enabled Peter Oberparleiter <oberpar(a)linux.ibm.com> gcov: add support for GCC 14 Alex Deucher <alexander.deucher(a)amd.com> drm/radeon: fix UBSAN warning in kv_dpm.c Raju Rangoju <Raju.Rangoju(a)amd.com> ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix missing kmem_cache_destroy() Biju Das <biju.das.jz(a)bp.renesas.com> regulator: core: Fix modpost error "regulator_get_regmap" undefined Oliver Neukum <oneukum(a)suse.com> net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: Fix suspicious rcu_dereference_protected() Heng Qi <hengqi(a)linux.alibaba.com> virtio_net: checksum offloading handling fix David Ruth <druth(a)chromium.org> net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Pedro Tammela <pctammela(a)mojatatu.com> net/sched: act_api: rely on rcu in tcf_idr_check_alloc Yue Haibing <yuehaibing(a)huawei.com> netns: Make get_net_ns() handle zero refcount net Eric Dumazet <edumazet(a)google.com> xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible NULL dereference in rt6_probe() Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible NULL deref in fib6_nh_init() Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> netrom: Fix a memory leak in nr_heartbeat_expiry() Ondrej Mosnacek <omosnace(a)redhat.com> cipso: fix total option length computation Christian Marangi <ansuelsmth(a)gmail.com> mips: bmips: BCM6358: make sure CBR is correctly set Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> MIPS: Routerboard 532: Fix vendor retry check code Songyang Li <leesongyang(a)outlook.com> MIPS: Octeon: Add PCIe link status check Mario Limonciello <mario.limonciello(a)amd.com> PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Roman Smirnov <r.smirnov(a)omp.ru> udf: udftime: prevent overflow in udf_disk_stamp_to_time() Alex Henrie <alexhenrie24(a)gmail.com> usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Michael Ellerman <mpe(a)ellerman.id.au> powerpc/io: Avoid clang null pointer arithmetic warnings Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/pseries: Enforce hcall result buffer validity and size Uri Arev <me(a)wantyapps.xyz> Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Manish Rangankar <mrangankar(a)marvell.com> scsi: qedi: Fix crash while reading debugfs attribute Wander Lairson Costa <wander(a)redhat.com> drop_monitor: replace spin_lock by raw_spin_lock Eric Dumazet <edumazet(a)google.com> batman-adv: bypass empty buckets in batadv_purge_orig_ref() Alessandro Carminati (Red Hat) <alessandro.carminati(a)gmail.com> selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Paul E. McKenney <paulmck(a)kernel.org> rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Jean Delvare <jdelvare(a)suse.de> i2c: at91: Fix the functionality flags of the slave-only interface Shichao Lai <shichaorai(a)gmail.com> usb-storage: alauda: Check whether the media is initialized Sicong Huang <congei42(a)163.com> greybus: Fix use-after-free bug in gb_interface_release due to race condition. Florian Westphal <fw(a)strlen.de> netfilter: nftables: exthdr: fix 4-byte stack OOB write Matthias Goergens <matthias.goergens(a)gmail.com> hugetlb_encode.h: fix undefined behaviour (34 << 26) Vineeth Pillai <viremana(a)linux.microsoft.com> hv_utils: drain the timesync packets on onchannelcallback Oleg Nesterov <oleg(a)redhat.com> tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential kernel bug due to lack of writeback flag waiting Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Lunar Lake support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Meteor Lake-S support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Sapphire Rapids SOC support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Granite Rapids SOC support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Granite Rapids support Nuno Sa <nuno.sa(a)analog.com> dmaengine: axi-dmac: fix possible race in remove() Rick Wertenbroek <rick.wertenbroek(a)gmail.com> PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id Su Yue <glass.su(a)suse.com> ocfs2: fix races between hole punching and AIO+DIO Su Yue <glass.su(a)suse.com> ocfs2: use coarse time for new created files Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore Hagar Gamal Halim Hemdan <hagarhem(a)amazon.com> vmci: prevent speculation leaks by sanitizing event in event_deliver() Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing/selftests: Fix kprobe event name test for .isra. functions Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found Jani Nikula <jani.nikula(a)intel.com> drm/exynos/vidi: fix memory leak in .get_modes() Dirk Behme <dirk.behme(a)de.bosch.com> drivers: core: synchronize really_probe() and dev_uevent() Taehee Yoo <ap420073(a)gmail.com> ionic: fix use after netif_napi_del() Petr Pavlu <petr.pavlu(a)suse.com> net/ipv6: Fix the RT cache flush via sysctl using a previous delay Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Eric Dumazet <edumazet(a)google.com> tcp: fix race in tcp_v6_syn_recv_sock() Adam Miotk <adam.miotk(a)arm.com> drm/bridge/panel: Fix runtime warning on panel bridge release Amjad Ouled-Ameur <amjad.ouled-ameur(a)arm.com> drm/komeda: check for error-valued pointer Aleksandr Mishin <amishin(a)t-argos.ru> liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet José Expósito <jose.exposito89(a)gmail.com> HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Lu Baolu <baolu.lu(a)linux.intel.com> iommu: Return right value in iommu_sva_bind_device() Kun(llfl) <llfl(a)linux.alibaba.com> iommu/amd: Fix sysfs leak in iommu init Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> HID: core: remove unnecessary WARN_ON() in implement() Gregor Herburger <gregor.herburger(a)tq-group.com> gpio: tqmx86: fix typo in Kconfig label Chen Hanxiao <chenhx.fnst(a)fujitsu.com> SUNRPC: return proper error from gss_wrap_req_priv Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: try trimming too long modalias strings Breno Leitao <leitao(a)debian.org> scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory Kuangyi Chiang <ki.chiang65(a)gmail.com> xhci: Apply broken streams quirk to Etron EJ188 xHCI host Kuangyi Chiang <ki.chiang65(a)gmail.com> xhci: Apply reset resume quirk to Etron EJ188 xHCI host Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Set correct transferred length for cancelled bulk transfers Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> jfs: xattr: fix buffer overflow for invalid xattr Tomas Winkler <tomas.winkler(a)intel.com> mei: me: release irq in mei_me_pci_resume error path Alan Stern <stern(a)rowland.harvard.edu> USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors Matthew Wilcox (Oracle) <willy(a)infradead.org> nilfs2: return the mapped address from nilfs_get_page() Matthew Wilcox (Oracle) <willy(a)infradead.org> nilfs2: Remove check for PageError Harald Freudenberger <freude(a)linux.ibm.com> s390/cpacf: Split and rework cpacf query functions Heiko Carstens <hca(a)linux.ibm.com> s390/cpacf: get rid of register asm Dev Jain <dev.jain(a)arm.com> selftests/mm: compaction_test: fix bogus test success on Aarch64 Mark Brown <broonie(a)kernel.org> selftests/mm: log a consistent test name for check_compaction Muhammad Usama Anjum <usama.anjum(a)collabora.com> selftests/mm: conform test to TAP format output Dev Jain <dev.jain(a)arm.com> selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: replace hardcoded divisor value with BIT() macro George Shen <george.shen(a)amd.com> drm/amd/display: Handle Y carry-over in VCP X.Y calculation Joao Paulo Goncalves <joao.goncalves(a)toradex.com> ASoC: ti: davinci-mcasp: Fix race condition during probe Peter Ujfalusi <peter.ujfalusi(a)ti.com> ASoC: ti: davinci-mcasp: Handle missing required DT properties Peter Ujfalusi <peter.ujfalusi(a)ti.com> ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling Peter Ujfalusi <peter.ujfalusi(a)ti.com> ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing Peter Ujfalusi <peter.ujfalusi(a)ti.com> ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional Zhang Qilong <zhangqilong3(a)huawei.com> ASoC: ti: davinci-mcasp: remove always zero of davinci_mcasp_get_dt_params Colin Ian King <colin.king(a)canonical.com> ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret Wesley Cheng <quic_wcheng(a)quicinc.com> usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete Eric Dumazet <edumazet(a)google.com> ipv6: fix possible race in __fib6_drop_pcpu_from() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). Karol Kolacinski <karol.kolacinski(a)intel.com> ptp: Fix error message on failed pin verification Eric Dumazet <edumazet(a)google.com> net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Stop waiting for PCI if pci channel is offline Jason Xing <kernelxing(a)tencent.com> tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB Daniel Borkmann <daniel(a)iogearbox.net> vxlan: Fix regression when dropping packets due to invalid src addresses Hangyu Hua <hbh25y(a)gmail.com> net: sched: sch_multiq: fix possible OOB write in multiq_tune() Eric Dumazet <edumazet(a)google.com> ipv6: sr: block BH in seg6_output_core() and seg6_input_core() Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't read past the mfuart notifcation Shahar S Matityahu <shahar.s.matityahu(a)intel.com> wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 Lin Ma <linma(a)zju.edu.cn> wifi: cfg80211: pmsr: use correct nla_get_uX functions Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() Nicolas Escande <nico.escande(a)gmail.com> wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/exynos4210-smdkv310.dts | 2 +- arch/arm/boot/dts/exynos4412-origen.dts | 2 +- arch/arm/boot/dts/exynos4412-smdk4412.dts | 2 +- arch/arm/boot/dts/rk3066a.dtsi | 1 + arch/arm64/boot/dts/qcom/qcs404-evb.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3368.dtsi | 3 + arch/csky/include/uapi/asm/unistd.h | 1 + arch/hexagon/include/asm/syscalls.h | 6 + arch/hexagon/include/uapi/asm/unistd.h | 1 + arch/hexagon/kernel/syscalltab.c | 7 + arch/mips/bmips/setup.c | 3 +- arch/mips/pci/ops-rc32434.c | 4 +- arch/mips/pci/pcie-octeon.c | 6 + arch/parisc/kernel/syscalls/syscall.tbl | 4 +- arch/powerpc/include/asm/hvcall.h | 8 +- arch/powerpc/include/asm/io.h | 24 +- arch/s390/include/asm/cpacf.h | 307 ++++++++++++-------- arch/sh/kernel/sys_sh32.c | 11 + arch/sh/kernel/syscalls/syscall.tbl | 3 +- arch/sparc/kernel/syscalls/syscall.tbl | 2 +- arch/x86/kernel/amd_nb.c | 9 +- arch/x86/kernel/time.c | 20 +- drivers/acpi/acpica/exregion.c | 23 +- drivers/ata/libata-core.c | 8 +- drivers/base/core.c | 3 + drivers/bluetooth/ath3k.c | 25 +- drivers/dma/dma-axi-dmac.c | 2 +- drivers/dma/ioat/init.c | 1 + drivers/gpio/Kconfig | 2 +- drivers/gpio/gpio-davinci.c | 5 + drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 2 + .../amd/display/dc/dcn10/dcn10_stream_encoder.c | 6 + .../drm/arm/display/komeda/komeda_pipeline_state.c | 2 +- drivers/gpu/drm/bridge/panel.c | 7 +- drivers/gpu/drm/exynos/exynos_drm_vidi.c | 7 +- drivers/gpu/drm/exynos/exynos_hdmi.c | 7 +- drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 6 + drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +- drivers/gpu/drm/radeon/sumo_dpm.c | 2 + drivers/greybus/interface.c | 1 + drivers/hid/hid-core.c | 1 - drivers/hid/hid-logitech-dj.c | 4 +- drivers/hv/hv_util.c | 19 +- drivers/hwtracing/intel_th/pci.c | 25 ++ drivers/i2c/busses/i2c-at91-slave.c | 3 +- drivers/i2c/busses/i2c-ocores.c | 2 +- drivers/iio/adc/ad7266.c | 2 + drivers/iio/chemical/bme680.h | 2 + drivers/iio/chemical/bme680_core.c | 62 +++- drivers/iio/dac/ad5592r-base.c | 62 ++-- drivers/iio/dac/ad5592r-base.h | 1 + drivers/input/input.c | 105 ++++++- drivers/iommu/amd_iommu_init.c | 9 + drivers/media/dvb-core/dvbdev.c | 2 +- drivers/misc/mei/pci-me.c | 4 +- drivers/misc/vmw_vmci/vmci_event.c | 6 +- drivers/mmc/host/sdhci-pci-core.c | 11 +- drivers/mmc/host/sdhci.c | 25 +- drivers/mtd/nand/spi/macronix.c | 99 +++++++ drivers/mtd/parsers/redboot.c | 2 +- drivers/net/dsa/microchip/ksz9477.c | 6 +- drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 11 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/fw.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/health.c | 8 + .../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 4 + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +- drivers/net/phy/micrel.c | 15 + drivers/net/usb/ax88179_178a.c | 6 +- drivers/net/usb/rtl8150.c | 3 +- drivers/net/virtio_net.c | 12 +- drivers/net/vxlan.c | 4 + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 - drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 +- drivers/pci/controller/pcie-rockchip-ep.c | 6 +- drivers/pci/pci.c | 12 + drivers/pinctrl/core.c | 2 +- drivers/pinctrl/pinctrl-rockchip.c | 63 ++++- drivers/ptp/ptp_chardev.c | 3 +- drivers/pwm/pwm-stm32.c | 3 + drivers/regulator/core.c | 1 + drivers/scsi/mpt3sas/mpt3sas_base.c | 19 ++ drivers/scsi/qedi/qedi_debugfs.c | 12 +- drivers/soc/ti/wkup_m3_ipc.c | 7 +- drivers/tty/serial/imx.c | 4 +- drivers/tty/serial/mcf.c | 2 +- drivers/tty/serial/sc16is7xx.c | 25 +- drivers/usb/atm/cxacru.c | 14 + drivers/usb/class/cdc-wdm.c | 4 +- drivers/usb/gadget/function/f_fs.c | 4 + drivers/usb/gadget/function/f_printer.c | 1 + drivers/usb/host/xhci-pci.c | 7 + drivers/usb/host/xhci-ring.c | 5 +- drivers/usb/misc/uss720.c | 22 +- drivers/usb/musb/da8xx.c | 8 +- drivers/usb/storage/alauda.c | 9 +- fs/jfs/xattr.c | 4 +- fs/nfs/read.c | 4 - fs/nilfs2/dir.c | 59 ++-- fs/nilfs2/segment.c | 3 + fs/ocfs2/file.c | 2 + fs/ocfs2/namei.c | 2 +- fs/open.c | 4 +- fs/proc/vmcore.c | 2 + fs/udf/udftime.c | 11 +- include/linux/compat.h | 2 +- include/linux/iommu.h | 2 +- include/linux/micrel_phy.h | 1 + include/linux/nvme.h | 4 +- include/linux/pci.h | 9 + include/linux/syscalls.h | 2 +- include/net/bluetooth/hci_core.h | 36 ++- include/net/netfilter/nf_tables.h | 5 + include/uapi/asm-generic/hugetlb_encode.h | 24 +- kernel/events/core.c | 13 + kernel/gcov/gcc_4_7.c | 4 +- kernel/gen_kheaders.sh | 9 +- kernel/rcu/rcutorture.c | 3 +- kernel/time/tick-common.c | 42 +-- kernel/trace/preemptirq_delay_test.c | 1 + net/batman-adv/originator.c | 29 ++ net/bluetooth/l2cap_core.c | 8 +- net/can/j1939/main.c | 6 +- net/can/j1939/transport.c | 21 +- net/core/drop_monitor.c | 20 +- net/core/net_namespace.c | 9 +- net/core/sock.c | 6 +- net/ipv4/af_inet.c | 23 +- net/ipv4/cipso_ipv4.c | 12 +- net/ipv4/tcp.c | 16 +- net/ipv6/af_inet6.c | 24 +- net/ipv6/ip6_fib.c | 6 +- net/ipv6/ipv6_sockglue.c | 9 +- net/ipv6/route.c | 9 +- net/ipv6/seg6_iptunnel.c | 14 +- net/ipv6/tcp_ipv6.c | 9 +- net/ipv6/xfrm6_policy.c | 8 +- net/iucv/iucv.c | 26 +- net/mac80211/mesh_pathtbl.c | 13 + net/mac80211/sta_info.c | 4 +- net/netfilter/ipset/ip_set_core.c | 104 ++++--- net/netfilter/ipset/ip_set_list_set.c | 30 +- net/netfilter/nf_tables_api.c | 13 +- net/netfilter/nft_exthdr.c | 17 +- net/netfilter/nft_lookup.c | 3 +- net/netrom/nr_timer.c | 3 +- net/sched/act_api.c | 66 +++-- net/sched/sch_multiq.c | 2 +- net/sched/sch_taprio.c | 15 +- net/sunrpc/auth_gss/auth_gss.c | 4 +- net/unix/af_unix.c | 47 ++-- net/unix/diag.c | 12 +- net/wireless/pmsr.c | 8 +- sound/soc/fsl/fsl-asoc-card.c | 3 +- sound/soc/ti/davinci-mcasp.c | 312 +++++++++------------ sound/synth/emux/soundfont.c | 17 +- tools/include/asm-generic/hugetlb_encode.h | 20 +- tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 +- .../ftrace/test.d/kprobe/kprobe_eventname.tc | 3 +- tools/testing/selftests/vm/compaction_test.c | 108 +++---- 163 files changed, 1693 insertions(+), 968 deletions(-)

5 months, 3 weeks

7
198
0 0

[PATCH 5.10 000/290] 5.10.221-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.221 release. There are 290 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 05 Jul 2024 10:28:12 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.221-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.221-rc1 Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> xdp: xdp_mem_allocator can be NULL in trace_mem_connect(). Alex Bee <knaerzche(a)gmail.com> arm64: dts: rockchip: Add sound-dai-cells for RK3368 Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node Marc Zyngier <maz(a)kernel.org> KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption Ard Biesheuvel <ardb(a)kernel.org> efi/x86: Free EFI memory map only when installing a new one. Ard Biesheuvel <ardb(a)kernel.org> efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures Ard Biesheuvel <ardb(a)kernel.org> efi: memmap: Move manipulation routines into x86 arch tree Liu Zixian <liuzixian4(a)huawei.com> efi: Correct comment on efi_memmap_alloc Zheng Zhi Yuan <kevinjone25(a)g.ncu.edu.tw> drivers: fix typo in firmware/efi/memmap.c Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Fix data races around icsk->icsk_af_ops. Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix data races around sk->sk_prot. Eric Dumazet <edumazet(a)google.com> ipv6: annotate some data-races around sk->sk_prot Matthew Wilcox (Oracle) <willy(a)infradead.org> nfs: Leave pages in the pagecache if readpage failed Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: stm32: Refuse too small period requests Jaime Liao <jaimeliao(a)mxic.com.tw> mtd: spinand: macronix: Add support for serial NAND flash Arnd Bergmann <arnd(a)arndb.de> syscalls: fix compat_sys_io_pgetevents_time64 usage Arnd Bergmann <arnd(a)arndb.de> ftruncate: pass a signed offset Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Fix double free on error Niklas Cassel <cassel(a)kernel.org> ata: ahci: Clean up sysfs file on error Sven Eckelmann <sven(a)narfation.org> batman-adv: Don't accept TT entries for out-of-spec VIDs Ma Ke <make24(a)iscas.ac.cn> drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix potential UAF by revoke of fence registers Ma Ke <make24(a)iscas.ac.cn> drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes Arnd Bergmann <arnd(a)arndb.de> hexagon: fix fadvise64_64 calling conventions Arnd Bergmann <arnd(a)arndb.de> csky, hexagon: fix broken sys_sync_file_range Arnd Bergmann <arnd(a)arndb.de> sh: rework sync_file_range ABI Dragan Simic <dsimic(a)manjaro.org> kbuild: Install dtb files as 0644 in Makefile.dtbinst Oleksij Rempel <linux(a)rempel-privat.de> net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new Oleksij Rempel <linux(a)rempel-privat.de> net: can: j1939: recover socket queue on CAN bus error during BAM transmission Shigeru Yoshida <syoshida(a)redhat.com> net: can: j1939: Initialize unused data in j1939_send_one() Jean-Michel Hautbois <jeanmichel.hautbois(a)yoseli.org> tty: mcf: MCF54418 has 10 UARTS Stefan Eichenberger <stefan.eichenberger(a)toradex.com> serial: imx: set receiver level before starting uart Udit Kumar <u-kumar1(a)ti.com> serial: 8250_omap: Implementation of Errata i2310 Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> usb: atm: cxacru: fix endpoint checking in cxacru_bind() Dan Carpenter <dan.carpenter(a)linaro.org> usb: musb: da8xx: fix a resource leak in probe() Oliver Neukum <oneukum(a)suse.com> usb: gadget: printer: fix races against disable Oliver Neukum <oneukum(a)suse.com> usb: gadget: printer: SS+ support Jose Ignacio Tornos Martinez <jtornosm(a)redhat.com> net: usb: ax88179_178a: improve link status logs Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix sensor data read operation Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix overflows in compensate() functions Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix calibration data variable Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix pressure value output Fernando Yang <hagisf(a)usp.br> iio: adc: ad7266: Fix variable checking bug David Lechner <dlechner(a)baylibre.com> counter: ti-eqep: enable clock at probe Adrian Hunter <adrian.hunter(a)intel.com> mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() Adrian Hunter <adrian.hunter(a)intel.com> mmc: sdhci: Do not invert write-protect twice Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos Jan Kara <jack(a)suse.cz> ocfs2: fix DIO failure due to insufficient transaction credits Linus Torvalds <torvalds(a)linux-foundation.org> x86: stop playing stack games in profile_pc() Kent Gibson <warthog618(a)gmail.com> gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) Aleksandr Mishin <amishin(a)t-argos.ru> gpio: davinci: Validate the obtained number of IRQs Liu Ying <victor.liu(a)nxp.com> drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA Hannes Reinecke <hare(a)suse.de> nvme: fixup comment for nvme RDMA Provider Type Erick Archer <erick.archer(a)outlook.com> drm/radeon/radeon_display: Decrease the size of allocated memory Andrew Davis <afd(a)ti.com> soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message Ricardo Ribalda <ribalda(a)chromium.org> media: dvbdev: Initialize sbuf Oswald Buddenhagen <oswald.buddenhagen(a)gmx.de> ALSA: emux: improve patch ioctl data validation Dawei Li <dawei.li(a)shingroup.cn> net/dpaa2: Avoid explicit cpumask var allocation on stack Dawei Li <dawei.li(a)shingroup.cn> net/iucv: Avoid explicit cpumask var allocation on stack Anton Protopopov <aspsk(a)isovalent.com> bpf: Add a check for struct bpf_fib_lookup size Denis Arefev <arefev(a)swemel.ru> mtd: partitions: redboot: Added conversion of operands to a larger type Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep Yunseong Kim <yskelg(a)gmail.com> tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers Arnd Bergmann <arnd(a)arndb.de> parisc: use correct compat recv/recvfrom syscalls Arnd Bergmann <arnd(a)arndb.de> sparc: fix compat recv/recvfrom syscalls Arnd Bergmann <arnd(a)arndb.de> sparc: fix old compat_sys_select() Daniil Dulov <d.dulov(a)aladdin.ru> xdp: Remove WARN() from __xdp_reg_mem_model() Toke Høiland-Jørgensen <toke(a)redhat.com> xdp: Allow registering memory model without rxq reference Jakub Kicinski <kuba(a)kernel.org> xdp: Move the rxq_info.mem clearing to unreg_mem_model() Enguerrand de Ribaucourt <enguerrand.de-ribaucourt(a)savoirfairelinux.com> net: phy: micrel: add Microchip KSZ 9477 to the device table Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: fix initial port flush problem Elinor Montmasson <elinor.montmasson(a)savoirfairelinux.com> ASoC: fsl-asoc-card: set priv->pdev before using it Jeff Layton <jlayton(a)kernel.org> nfsd: hold a lighter-weight client reference over CB_RECALL_ANY Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Fix svcxdr_init_encode's buflen calculation Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Fix a NULL pointer deref in trace_svc_stats_latency() Yunjian Wang <wangyunjian(a)huawei.com> SUNRPC: Fix null pointer dereference in svc_rqst_free() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: validate family when identifying table via handle Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix UBSAN warning in kv_dpm.c Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: use dedicated pinctrl type for RK3328 Jianqun Xu <jay.xu(a)rock-chips.com> pinctrl/rockchip: separate struct rockchip_pin_bank to a head file Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins Hagar Hemdan <hagarhem(a)amazon.com> pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER John Keeping <jkeeping(a)inmusicbrands.com> Input: ili210x - fix ili251x_read_touch_data() return value Mario Limonciello <mario.limonciello(a)amd.com> ACPI: x86: Force StorageD3Enable on more products Mario Limonciello <mario.limonciello(a)amd.com> ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable Mario Limonciello <mario.limonciello(a)amd.com> ACPI: x86: utils: Add Cezanne to the list for forcing StorageD3Enable Mario Limonciello <mario.limonciello(a)amd.com> ACPI: x86: Add another system to quirk list for forcing StorageD3Enable Mario Limonciello <mario.limonciello(a)amd.com> ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for StorageD3Enable Mario Limonciello <mario.limonciello(a)amd.com> ACPI: Add quirks for AMD Renoir/Lucienne CPUs to force the D3 hint Jan Beulich <jbeulich(a)suse.com> x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node() Enzo Matsumiya <ematsumiya(a)suse.de> smb: client: fix deadlock in smb2_find_smb_tcon() Shyam Prasad N <sprasad(a)microsoft.com> cifs: missed ref-counting smb session in find Yazen Ghannam <yazen.ghannam(a)amd.com> x86/amd_nb: Check for invalid SMN reads Naveen Naidu <naveennaidu479(a)gmail.com> PCI: Add PCI_ERROR_RESPONSE and related definitions Haifeng Xu <haifeng.xu(a)shopee.com> perf/core: Fix missing wakeup when waiting for context reference Matthias Maennich <maennich(a)google.com> kheaders: explicitly define file modes for archived headers Masahiro Yamada <masahiroy(a)kernel.org> Revert "kheaders: substituting --sort in archive creation" Ken Milmore <ken.milmore(a)gmail.com> r8169: Fix possible ring buffer corruption on fragmented Tx packets. Heiner Kallweit <hkallweit1(a)gmail.com> r8169: remove not needed check in rtl8169_start_xmit Heiner Kallweit <hkallweit1(a)gmail.com> r8169: remove nr_frags argument from rtl_tx_slots_avail Heiner Kallweit <hkallweit1(a)gmail.com> r8169: improve rtl8169_start_xmit Heiner Kallweit <hkallweit1(a)gmail.com> r8169: improve rtl_tx Heiner Kallweit <hkallweit1(a)gmail.com> r8169: remove unneeded memory barrier in rtl_tx Tony Luck <tony.luck(a)intel.com> x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL Tony Luck <tony.luck(a)intel.com> x86/cpu/vfm: Add new macros to work with (vendor/family/model) values Jeff Johnson <quic_jjohnson(a)quicinc.com> tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Harald Freudenberger <freude(a)linux.ibm.com> s390/cpacf: Make use of invalid opcode produce a link error Matthew Mirvish <matthew(a)mm12.xyz> bcache: fix variable length array abuse in btree_iter Vamshi Gajjela <vamshigajjela(a)google.com> spmi: hisi-spmi-controller: Do not override device identifier Trond Myklebust <trond.myklebust(a)hammerspace.com> knfsd: LOOKUP can return an illegal error value Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> pmdomain: ti-sci: Fix duplicate PD referrals Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power Kees Cook <keescook(a)chromium.org> rtlwifi: rtl8192de: Style clean-ups Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: samsung: smdk4412: fix keypad no-autorepeat Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: samsung: smdkv310: fix keypad no-autorepeat Martin Leung <martin.leung(a)amd.com> drm/amd/display: revert Exit idle optimizations before HDCP execution Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema Grygorii Tertychnyi <grembeter(a)gmail.com> i2c: ocores: set IACK bit after core is enabled Aleksandr Nogikh <nogikh(a)google.com> kcov: don't lose track of remote references during softirqs Peter Oberparleiter <oberpar(a)linux.ibm.com> gcov: add support for GCC 14 Alex Deucher <alexander.deucher(a)amd.com> drm/radeon: fix UBSAN warning in kv_dpm.c Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on N14AP7 Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Add check for srq max_sge attribute Raju Rangoju <Raju.Rangoju(a)amd.com> ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix missing kmem_cache_destroy() Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix error path in ioat3_dma_probe() Bjorn Helgaas <bhelgaas(a)google.com> dmaengine: ioat: use PCI core macros for PCIe Capability Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix leaking on version mismatch Bjorn Helgaas <bhelgaas(a)google.com> dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting() Qing Wang <wangqing(a)vivo.com> dmaengine: ioat: switch from 'pci_' to 'dma_' API Biju Das <biju.das.jz(a)bp.renesas.com> regulator: core: Fix modpost error "regulator_get_regmap" undefined Oliver Neukum <oneukum(a)suse.com> net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: Fix suspicious rcu_dereference_protected() Heng Qi <hengqi(a)linux.alibaba.com> virtio_net: checksum offloading handling fix Xiaolei Wang <xiaolei.wang(a)windriver.com> net: stmmac: No need to calculate speed divider when offload is disabled Xin Long <lucien.xin(a)gmail.com> sched: act_ct: add netns into the key of tcf_ct_flow_table Vlad Buslov <vladbu(a)nvidia.com> net/sched: act_ct: set 'net' pointer when creating new nf_flow_table Xin Long <lucien.xin(a)gmail.com> tipc: force a dst refcount before doing decryption David Ruth <druth(a)chromium.org> net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Pedro Tammela <pctammela(a)mojatatu.com> net/sched: act_api: rely on rcu in tcf_idr_check_alloc Stefan Wahren <wahrenst(a)gmx.net> qca_spi: Make interrupt remembering atomic Yue Haibing <yuehaibing(a)huawei.com> netns: Make get_net_ns() handle zero refcount net Eric Dumazet <edumazet(a)google.com> xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible NULL dereference in rt6_probe() Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible NULL deref in fib6_nh_init() Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> netrom: Fix a memory leak in nr_heartbeat_expiry() Ondrej Mosnacek <omosnace(a)redhat.com> cipso: fix total option length computation Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: Build event generation tests only as modules Christian Marangi <ansuelsmth(a)gmail.com> mips: bmips: BCM6358: make sure CBR is correctly set Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> MIPS: Routerboard 532: Fix vendor retry check code Parker Newman <pnewman(a)connecttech.com> serial: exar: adding missing CTI and Exar PCI ids Songyang Li <leesongyang(a)outlook.com> MIPS: Octeon: Add PCIe link status check Mario Limonciello <mario.limonciello(a)amd.com> PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Roman Smirnov <r.smirnov(a)omp.ru> udf: udftime: prevent overflow in udf_disk_stamp_to_time() Alex Henrie <alexhenrie24(a)gmail.com> usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Yunlei He <heyunlei(a)oppo.com> f2fs: remove clear SB_INLINECRYPT flag in default_options Aleksandr Aprelkov <aaprelkov(a)usergate.com> iommu/arm-smmu-v3: Free MSIs in case of ENOMEM Tzung-Bi Shih <tzungbi(a)kernel.org> power: supply: cros_usbpd: provide ID table for avoiding fallback match Michael Ellerman <mpe(a)ellerman.id.au> powerpc/io: Avoid clang null pointer arithmetic warnings Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/pseries: Enforce hcall result buffer validity and size Erico Nunes <nunes.erico(a)gmail.com> drm/lima: mask irqs in timeout path before hard reset Erico Nunes <nunes.erico(a)gmail.com> drm/lima: add mask irq callback to gp and pp Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> drm/amd/display: Exit idle optimizations before HDCP execution Uri Arev <me(a)wantyapps.xyz> Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Takashi Iwai <tiwai(a)suse.de> ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Sean O'Brien <seobrien(a)chromium.org> HID: Add quirk for Logitech Casa touchpad Breno Leitao <leitao(a)debian.org> netpoll: Fix race condition in netpoll_owner_active Kunwu Chan <chentao(a)kylinos.cn> kselftest: arm64: Add a null pointer check Manish Rangankar <mrangankar(a)marvell.com> scsi: qedi: Fix crash while reading debugfs attribute Wander Lairson Costa <wander(a)redhat.com> drop_monitor: replace spin_lock by raw_spin_lock Eric Dumazet <edumazet(a)google.com> af_packet: avoid a false positive warning in packet_setsockopt() Arnd Bergmann <arnd(a)arndb.de> wifi: ath9k: work around memset overflow warning Eric Dumazet <edumazet(a)google.com> batman-adv: bypass empty buckets in batadv_purge_orig_ref() Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Alessandro Carminati (Red Hat) <alessandro.carminati(a)gmail.com> selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Justin Stitt <justinstitt(a)google.com> block/ioctl: prefer different overflow check Zqiang <qiang.zhang1211(a)gmail.com> rcutorture: Fix invalid context warning when enable srcu barrier testing Paul E. McKenney <paulmck(a)kernel.org> rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Herbert Xu <herbert(a)gondor.apana.org.au> padata: Disable BH when taking works lock on MT path Oleg Nesterov <oleg(a)redhat.com> zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING Jean Delvare <jdelvare(a)suse.de> i2c: designware: Fix the functionality flags of the slave-only interface Jean Delvare <jdelvare(a)suse.de> i2c: at91: Fix the functionality flags of the slave-only interface Shichao Lai <shichaorai(a)gmail.com> usb-storage: alauda: Check whether the media is initialized Sicong Huang <congei42(a)163.com> greybus: Fix use-after-free bug in gb_interface_release due to race condition. Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-r5: Jump to error handling labels in start/stop errors YonglongLi <liyonglong(a)chinatelecom.cn> mptcp: pm: update add_addr counters after connect YonglongLi <liyonglong(a)chinatelecom.cn> mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID Paolo Abeni <pabeni(a)redhat.com> mptcp: ensure snd_una is properly initialized on connect Matthias Goergens <matthias.goergens(a)gmail.com> hugetlb_encode.h: fix undefined behaviour (34 << 26) Doug Brown <doug(a)schmorgal.com> serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level Oleg Nesterov <oleg(a)redhat.com> tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential kernel bug due to lack of writeback flag waiting Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Lunar Lake support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Meteor Lake-S support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Sapphire Rapids SOC support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Granite Rapids SOC support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Granite Rapids support Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs Nuno Sa <nuno.sa(a)analog.com> dmaengine: axi-dmac: fix possible race in remove() Rick Wertenbroek <rick.wertenbroek(a)gmail.com> PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id Su Yue <glass.su(a)suse.com> ocfs2: fix races between hole punching and AIO+DIO Su Yue <glass.su(a)suse.com> ocfs2: use coarse time for new created files Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore Hagar Gamal Halim Hemdan <hagarhem(a)amazon.com> vmci: prevent speculation leaks by sanitizing event in event_deliver() Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found Jani Nikula <jani.nikula(a)intel.com> drm/exynos/vidi: fix memory leak in .get_modes() Dirk Behme <dirk.behme(a)de.bosch.com> drivers: core: synchronize really_probe() and dev_uevent() Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: delete unneeded update watermark call Marc Ferland <marc.ferland(a)sonatest.com> iio: dac: ad5592r: fix temperature channel scaling value David Lechner <dlechner(a)baylibre.com> iio: adc: ad9467: fix scan type sign Taehee Yoo <ap420073(a)gmail.com> ionic: fix use after netif_napi_del() Petr Pavlu <petr.pavlu(a)suse.com> net/ipv6: Fix the RT cache flush via sysctl using a previous delay Xiaolei Wang <xiaolei.wang(a)windriver.com> net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Eric Dumazet <edumazet(a)google.com> tcp: fix race in tcp_v6_syn_recv_sock() Adam Miotk <adam.miotk(a)arm.com> drm/bridge/panel: Fix runtime warning on panel bridge release Amjad Ouled-Ameur <amjad.ouled-ameur(a)arm.com> drm/komeda: check for error-valued pointer Aleksandr Mishin <amishin(a)t-argos.ru> liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet Jie Wang <wangjie125(a)huawei.com> net: hns3: add cond_resched() to hns3 ring buffer init process Csókás, Bence <csokas.bence(a)prolan.hu> net: sfp: Always call `sfp_sm_mod_remove()` on remove Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: 3D disabled should not effect STDU memory limits José Expósito <jose.exposito89(a)gmail.com> HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Lu Baolu <baolu.lu(a)linux.intel.com> iommu: Return right value in iommu_sva_bind_device() Kun(llfl) <llfl(a)linux.alibaba.com> iommu/amd: Fix sysfs leak in iommu init Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd: Introduce pci segment structure Matthias Schiffer <matthias.schiffer(a)ew.tq-group.com> gpio: tqmx86: store IRQ trigger type and unmask status separately Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> HID: core: remove unnecessary WARN_ON() in implement() Gregor Herburger <gregor.herburger(a)tq-group.com> gpio: tqmx86: fix typo in Kconfig label Chen Hanxiao <chenhx.fnst(a)fujitsu.com> SUNRPC: return proper error from gss_wrap_req_priv Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: try trimming too long modalias strings Michael Ellerman <mpe(a)ellerman.id.au> powerpc/uaccess: Fix build errors seen with GCC 13/14 Breno Leitao <leitao(a)debian.org> scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory Kuangyi Chiang <ki.chiang65(a)gmail.com> xhci: Apply broken streams quirk to Etron EJ188 xHCI host Kuangyi Chiang <ki.chiang65(a)gmail.com> xhci: Apply reset resume quirk to Etron EJ188 xHCI host Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Set correct transferred length for cancelled bulk transfers Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> jfs: xattr: fix buffer overflow for invalid xattr Tomas Winkler <tomas.winkler(a)intel.com> mei: me: release irq in mei_me_pci_resume error path Alan Stern <stern(a)rowland.harvard.edu> USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors Matthew Wilcox (Oracle) <willy(a)infradead.org> nilfs2: return the mapped address from nilfs_get_page() Matthew Wilcox (Oracle) <willy(a)infradead.org> nilfs2: Remove check for PageError Filipe Manana <fdmanana(a)suse.com> btrfs: fix leak of qgroup extent records after transaction abort Harald Freudenberger <freude(a)linux.ibm.com> s390/cpacf: Split and rework cpacf query functions Heiko Carstens <hca(a)linux.ibm.com> s390/cpacf: get rid of register asm Dev Jain <dev.jain(a)arm.com> selftests/mm: compaction_test: fix bogus test success on Aarch64 Mark Brown <broonie(a)kernel.org> selftests/mm: log a consistent test name for check_compaction Muhammad Usama Anjum <usama.anjum(a)collabora.com> selftests/mm: conform test to TAP format output Dev Jain <dev.jain(a)arm.com> selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> mmc: davinci: Don't strip remove function when driver is builtin Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: replace hardcoded divisor value with BIT() macro George Shen <george.shen(a)amd.com> drm/amd/display: Handle Y carry-over in VCP X.Y calculation Wesley Cheng <quic_wcheng(a)quicinc.com> usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete Eric Dumazet <edumazet(a)google.com> ipv6: fix possible race in __fib6_drop_pcpu_from() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). Karol Kolacinski <karol.kolacinski(a)intel.com> ptp: Fix error message on failed pin verification Eric Dumazet <edumazet(a)google.com> net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP Jason Xing <kernelxing(a)tencent.com> tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB Daniel Borkmann <daniel(a)iogearbox.net> vxlan: Fix regression when dropping packets due to invalid src addresses Hangyu Hua <hbh25y(a)gmail.com> net: sched: sch_multiq: fix possible OOB write in multiq_tune() Eric Dumazet <edumazet(a)google.com> ipv6: sr: block BH in seg6_output_core() and seg6_input_core() DelphineCCChiu <delphine_cc_chiu(a)wiwynn.com> net/ncsi: Fix the multi thread manner of NCSI driver Peter Delevoryas <peter(a)pjd.dev> net/ncsi: Simplify Kconfig/dts control flow Ivan Mikhaylov <i.mikhaylov(a)yadro.com> net/ncsi: add NCSI Intel OEM command to keep PHY up Lingbo Kong <quic_lingbok(a)quicinc.com> wifi: mac80211: correctly parse Spatial Reuse Parameter Set element Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't read past the mfuart notifcation Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mvm: check n_ssids before accessing the ssids Shahar S Matityahu <shahar.s.matityahu(a)intel.com> wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 Lin Ma <linma(a)zju.edu.cn> wifi: cfg80211: pmsr: use correct nla_get_uX functions Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() Nicolas Escande <nico.escande(a)gmail.com> wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects Damien Le Moal <dlemoal(a)kernel.org> null_blk: Print correct max open zones limit in null_init_zoned_dev() Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing/selftests: Fix kprobe event name test for .isra. functions ------------- Diffstat: .../bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 +- Makefile | 4 +- arch/arm/boot/dts/exynos4210-smdkv310.dts | 2 +- arch/arm/boot/dts/exynos4412-origen.dts | 2 +- arch/arm/boot/dts/exynos4412-smdk4412.dts | 2 +- arch/arm/boot/dts/rk3066a.dtsi | 1 + arch/arm64/boot/dts/rockchip/rk3368.dtsi | 3 + arch/arm64/include/asm/kvm_host.h | 1 + arch/arm64/include/asm/unistd32.h | 2 +- arch/arm64/kvm/arm.c | 6 +- arch/arm64/kvm/vgic/vgic-v3.c | 2 +- arch/arm64/kvm/vgic/vgic-v4.c | 8 +- arch/csky/include/uapi/asm/unistd.h | 1 + arch/hexagon/include/asm/syscalls.h | 6 + arch/hexagon/include/uapi/asm/unistd.h | 1 + arch/hexagon/kernel/syscalltab.c | 7 + arch/mips/bmips/setup.c | 3 +- arch/mips/kernel/syscalls/syscall_n32.tbl | 2 +- arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +- arch/mips/pci/ops-rc32434.c | 4 +- arch/mips/pci/pcie-octeon.c | 6 + arch/parisc/kernel/syscalls/syscall.tbl | 4 +- arch/powerpc/include/asm/hvcall.h | 8 +- arch/powerpc/include/asm/io.h | 24 +- arch/powerpc/include/asm/uaccess.h | 15 +- arch/powerpc/kernel/syscalls/syscall.tbl | 2 +- arch/s390/include/asm/cpacf.h | 307 +++++++++++++-------- arch/s390/kernel/syscalls/syscall.tbl | 2 +- arch/sh/kernel/sys_sh32.c | 11 + arch/sh/kernel/syscalls/syscall.tbl | 3 +- arch/sparc/kernel/sys32.S | 221 --------------- arch/sparc/kernel/syscalls/syscall.tbl | 8 +- arch/x86/entry/syscalls/syscall_32.tbl | 2 +- arch/x86/include/asm/cpu_device_id.h | 98 +++++++ arch/x86/include/asm/efi.h | 11 + arch/x86/kernel/amd_nb.c | 9 +- arch/x86/kernel/cpu/match.c | 4 +- arch/x86/kernel/time.c | 20 +- arch/x86/mm/numa.c | 6 +- arch/x86/platform/efi/Makefile | 3 +- arch/x86/platform/efi/efi.c | 8 +- arch/x86/platform/efi/memmap.c | 249 +++++++++++++++++ block/ioctl.c | 2 +- drivers/acpi/acpica/exregion.c | 23 +- drivers/acpi/device_pm.c | 3 + drivers/acpi/internal.h | 9 + drivers/acpi/video_detect.c | 8 + drivers/acpi/x86/utils.c | 34 +++ drivers/ata/ahci.c | 17 +- drivers/ata/libata-core.c | 8 +- drivers/base/core.c | 3 + drivers/block/null_blk/zoned.c | 2 +- drivers/bluetooth/ath3k.c | 25 +- drivers/counter/ti-eqep.c | 6 + drivers/dma/dma-axi-dmac.c | 2 +- drivers/dma/ioat/init.c | 73 +++-- drivers/dma/ioat/registers.h | 7 - drivers/firmware/efi/fdtparams.c | 4 + drivers/firmware/efi/memmap.c | 239 +--------------- drivers/gpio/Kconfig | 2 +- drivers/gpio/gpio-davinci.c | 5 + drivers/gpio/gpio-tqmx86.c | 46 +-- drivers/gpio/gpiolib-cdev.c | 16 +- .../amd/display/dc/dcn10/dcn10_stream_encoder.c | 6 + drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c | 2 + .../drm/arm/display/komeda/komeda_pipeline_state.c | 2 +- drivers/gpu/drm/bridge/panel.c | 7 +- drivers/gpu/drm/exynos/exynos_drm_vidi.c | 7 +- drivers/gpu/drm/exynos/exynos_hdmi.c | 7 +- drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c | 1 + drivers/gpu/drm/lima/lima_bcast.c | 12 + drivers/gpu/drm/lima/lima_bcast.h | 3 + drivers/gpu/drm/lima/lima_gp.c | 8 + drivers/gpu/drm/lima/lima_pp.c | 18 ++ drivers/gpu/drm/lima/lima_sched.c | 7 + drivers/gpu/drm/lima/lima_sched.h | 1 + drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 6 + drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +- drivers/gpu/drm/panel/panel-simple.c | 1 + drivers/gpu/drm/radeon/radeon.h | 1 - drivers/gpu/drm/radeon/radeon_display.c | 8 +- drivers/gpu/drm/radeon/sumo_dpm.c | 2 + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 - drivers/greybus/interface.c | 1 + drivers/hid/hid-core.c | 1 - drivers/hid/hid-ids.h | 1 + drivers/hid/hid-logitech-dj.c | 4 +- drivers/hid/hid-multitouch.c | 6 + drivers/hwtracing/intel_th/pci.c | 25 ++ drivers/i2c/busses/i2c-at91-slave.c | 3 +- drivers/i2c/busses/i2c-designware-slave.c | 2 +- drivers/i2c/busses/i2c-ocores.c | 2 +- drivers/iio/adc/ad7266.c | 2 + drivers/iio/adc/ad9467.c | 4 +- drivers/iio/chemical/bme680.h | 2 + drivers/iio/chemical/bme680_core.c | 62 ++++- drivers/iio/dac/ad5592r-base.c | 2 +- drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 4 - drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 4 - drivers/infiniband/hw/mlx5/srq.c | 13 +- drivers/input/input.c | 105 ++++++- drivers/input/touchscreen/ili210x.c | 4 +- drivers/iommu/amd/amd_iommu_types.h | 24 +- drivers/iommu/amd/init.c | 55 +++- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +- drivers/md/bcache/bset.c | 44 +-- drivers/md/bcache/bset.h | 28 +- drivers/md/bcache/btree.c | 40 +-- drivers/md/bcache/super.c | 5 +- drivers/md/bcache/sysfs.c | 2 +- drivers/md/bcache/writeback.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/misc/mei/pci-me.c | 4 +- drivers/misc/vmw_vmci/vmci_event.c | 6 +- drivers/mmc/host/davinci_mmc.c | 4 +- drivers/mmc/host/sdhci-pci-core.c | 11 +- drivers/mmc/host/sdhci.c | 25 +- drivers/mtd/nand/spi/macronix.c | 112 ++++++++ drivers/mtd/parsers/redboot.c | 2 +- drivers/net/dsa/microchip/ksz9477.c | 6 +- drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 11 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 4 + drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 2 + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +- drivers/net/ethernet/qualcomm/qca_debug.c | 6 +- drivers/net/ethernet/qualcomm/qca_spi.c | 16 +- drivers/net/ethernet/qualcomm/qca_spi.h | 3 +- drivers/net/ethernet/realtek/r8169_main.c | 48 ++-- drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 55 ++-- drivers/net/phy/micrel.c | 1 + drivers/net/phy/sfp.c | 3 +- drivers/net/usb/ax88179_178a.c | 6 +- drivers/net/usb/rtl8150.c | 3 +- drivers/net/virtio_net.c | 12 +- drivers/net/vxlan/vxlan_core.c | 4 + drivers/net/wireless/ath/ath.h | 6 +- drivers/net/wireless/ath/ath9k/main.c | 3 +- drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 - drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 +- .../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 19 +- drivers/net/wireless/realtek/rtlwifi/wifi.h | 1 - drivers/pci/controller/pcie-rockchip-ep.c | 6 +- drivers/pci/pci.c | 12 + drivers/pinctrl/core.c | 2 +- drivers/pinctrl/pinctrl-rockchip.c | 294 ++++---------------- drivers/pinctrl/pinctrl-rockchip.h | 246 +++++++++++++++++ drivers/power/supply/cros_usbpd-charger.c | 11 +- drivers/ptp/ptp_chardev.c | 3 +- drivers/pwm/pwm-stm32.c | 3 + drivers/regulator/core.c | 1 + drivers/remoteproc/ti_k3_r5_remoteproc.c | 25 +- drivers/scsi/mpt3sas/mpt3sas_base.c | 19 ++ drivers/scsi/qedi/qedi_debugfs.c | 12 +- drivers/soc/ti/ti_sci_pm_domains.c | 20 +- drivers/soc/ti/wkup_m3_ipc.c | 7 +- drivers/staging/hikey9xx/hisi-spmi-controller.c | 1 - drivers/tty/serial/8250/8250_exar.c | 42 +++ drivers/tty/serial/8250/8250_omap.c | 25 +- drivers/tty/serial/8250/8250_pxa.c | 1 + drivers/tty/serial/imx.c | 4 +- drivers/tty/serial/mcf.c | 2 +- drivers/tty/serial/sc16is7xx.c | 25 +- drivers/usb/atm/cxacru.c | 14 + drivers/usb/class/cdc-wdm.c | 4 +- drivers/usb/gadget/function/f_fs.c | 4 + drivers/usb/gadget/function/f_printer.c | 40 ++- drivers/usb/host/xhci-pci.c | 7 + drivers/usb/host/xhci-ring.c | 5 +- drivers/usb/misc/uss720.c | 22 +- drivers/usb/musb/da8xx.c | 8 +- drivers/usb/storage/alauda.c | 9 +- fs/btrfs/disk-io.c | 10 +- fs/cifs/smb2transport.c | 12 +- fs/f2fs/super.c | 2 - fs/jfs/xattr.c | 4 +- fs/nfs/read.c | 4 - fs/nfsd/nfs4state.c | 7 +- fs/nfsd/nfsfh.c | 4 +- fs/nilfs2/dir.c | 59 ++-- fs/nilfs2/segment.c | 3 + fs/ocfs2/aops.c | 5 + fs/ocfs2/file.c | 2 + fs/ocfs2/journal.c | 17 ++ fs/ocfs2/journal.h | 2 + fs/ocfs2/namei.c | 2 +- fs/ocfs2/ocfs2_trace.h | 2 + fs/open.c | 4 +- fs/proc/vmcore.c | 2 + fs/udf/udftime.c | 11 +- include/kvm/arm_vgic.h | 2 +- include/linux/compat.h | 2 +- include/linux/efi.h | 10 +- include/linux/iommu.h | 2 +- include/linux/kcov.h | 2 + include/linux/mod_devicetable.h | 2 + include/linux/nvme.h | 4 +- include/linux/pci.h | 9 + include/linux/sunrpc/svc.h | 20 +- include/linux/syscalls.h | 2 +- include/net/bluetooth/hci_core.h | 36 ++- include/net/netfilter/nf_tables.h | 5 + include/net/xdp.h | 3 + include/trace/events/qdisc.h | 2 +- include/trace/events/sunrpc.h | 8 +- include/uapi/asm-generic/hugetlb_encode.h | 26 +- include/uapi/asm-generic/unistd.h | 2 +- kernel/events/core.c | 13 + kernel/gcov/gcc_4_7.c | 4 +- kernel/gen_kheaders.sh | 9 +- kernel/kcov.c | 1 + kernel/padata.c | 8 +- kernel/pid_namespace.c | 1 + kernel/rcu/rcutorture.c | 12 +- kernel/sys_ni.c | 2 +- kernel/time/tick-common.c | 42 +-- kernel/trace/Kconfig | 4 +- kernel/trace/preemptirq_delay_test.c | 1 + net/batman-adv/originator.c | 29 ++ net/bluetooth/l2cap_core.c | 8 +- net/can/j1939/main.c | 6 +- net/can/j1939/transport.c | 21 +- net/core/drop_monitor.c | 20 +- net/core/filter.c | 3 + net/core/net_namespace.c | 9 +- net/core/netpoll.c | 2 +- net/core/sock.c | 6 +- net/core/xdp.c | 100 ++++--- net/ipv4/af_inet.c | 23 +- net/ipv4/cipso_ipv4.c | 12 +- net/ipv4/tcp.c | 16 +- net/ipv6/af_inet6.c | 24 +- net/ipv6/ip6_fib.c | 6 +- net/ipv6/ipv6_sockglue.c | 9 +- net/ipv6/route.c | 9 +- net/ipv6/seg6_iptunnel.c | 14 +- net/ipv6/tcp_ipv6.c | 9 +- net/ipv6/xfrm6_policy.c | 8 +- net/iucv/iucv.c | 26 +- net/mac80211/he.c | 10 +- net/mac80211/mesh_pathtbl.c | 13 + net/mac80211/sta_info.c | 4 +- net/mptcp/pm_netlink.c | 18 +- net/mptcp/protocol.c | 1 + net/ncsi/Kconfig | 6 + net/ncsi/internal.h | 7 + net/ncsi/ncsi-manage.c | 112 +++++--- net/ncsi/ncsi-rsp.c | 4 +- net/netfilter/ipset/ip_set_core.c | 104 ++++--- net/netfilter/ipset/ip_set_list_set.c | 30 +- net/netfilter/nf_tables_api.c | 13 +- net/netfilter/nft_lookup.c | 3 +- net/netrom/nr_timer.c | 3 +- net/packet/af_packet.c | 26 +- net/sched/act_api.c | 66 +++-- net/sched/act_ct.c | 21 +- net/sched/sch_multiq.c | 2 +- net/sched/sch_taprio.c | 15 +- net/sunrpc/auth_gss/auth_gss.c | 4 +- net/sunrpc/svc.c | 18 +- net/tipc/node.c | 1 + net/unix/af_unix.c | 47 ++-- net/unix/diag.c | 12 +- net/wireless/pmsr.c | 8 +- scripts/Makefile.dtbinst | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/fsl/fsl-asoc-card.c | 3 +- sound/soc/intel/boards/sof_sdw.c | 9 + sound/synth/emux/soundfont.c | 17 +- tools/include/asm-generic/hugetlb_encode.h | 20 +- tools/testing/selftests/arm64/tags/tags_test.c | 4 + .../selftests/bpf/prog_tests/btf_map_in_map.c | 26 +- tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 +- .../ftrace/test.d/kprobe/kprobe_eventname.tc | 3 +- tools/testing/selftests/vm/compaction_test.c | 108 ++++---- 278 files changed, 3057 insertions(+), 1923 deletions(-)

5 months, 3 weeks

6
296
0 0

[PATCH v3 3/3] tpm: Address !chip->auth in tpm_buf_append_hmac_session*()

by Jarkko Sakkinen

Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can cause a null derefence in tpm_buf_hmac_session*(). Thus, address !chip->auth in tpm_buf_hmac_session*() and remove the fallback implementation for !TCG_TPM2_HMAC. Cc: stable(a)vger.kernel.org # v6.9+ Reported-by: Stefan Berger <stefanb(a)linux.ibm.com> Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@li… Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v3: * Address: https://lore.kernel.org/linux-integrity/922603265d61011dbb23f18a04525ae973b… v2: * Use auth in place of chip->auth. --- drivers/char/tpm/tpm2-sessions.c | 184 ++++++++++++++++++------------- include/linux/tpm.h | 68 ++++-------- 2 files changed, 128 insertions(+), 124 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 179bcaac06ce..e0be22b8ae70 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -270,6 +270,108 @@ void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, } EXPORT_SYMBOL_GPL(tpm_buf_append_name); +/** + * tpm_buf_append_hmac_session() - Append a TPM session element + * @chip: the TPM chip structure + * @buf: The buffer to be appended + * @attributes: The session attributes + * @passphrase: The session authority (NULL if none) + * @passphrase_len: The length of the session authority (0 if none) + * + * This fills in a session structure in the TPM command buffer, except + * for the HMAC which cannot be computed until the command buffer is + * complete. The type of session is controlled by the @attributes, + * the main ones of which are TPM2_SA_CONTINUE_SESSION which means the + * session won't terminate after tpm_buf_check_hmac_response(), + * TPM2_SA_DECRYPT which means this buffers first parameter should be + * encrypted with a session key and TPM2_SA_ENCRYPT, which means the + * response buffer's first parameter needs to be decrypted (confusing, + * but the defines are written from the point of view of the TPM). + * + * Any session appended by this command must be finalized by calling + * tpm_buf_fill_hmac_session() otherwise the HMAC will be incorrect + * and the TPM will reject the command. + * + * As with most tpm_buf operations, success is assumed because failure + * will be caused by an incorrect programming model and indicated by a + * kernel message. + */ +void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, + u8 attributes, u8 *passphrase, + int passphrase_len) +{ + u8 __maybe_unused nonce[SHA256_DIGEST_SIZE]; + struct tpm2_auth __maybe_unused *auth; + u32 __maybe_unused len; + + if (!__and(IS_ENABLED(CONFIG_TCG_TPM2_HMAC), chip->auth)) { + /* offset tells us where the sessions area begins */ + int offset = buf->handles * 4 + TPM_HEADER_SIZE; + u32 len = 9 + passphrase_len; + + if (tpm_buf_length(buf) != offset) { + /* not the first session so update the existing length */ + len += get_unaligned_be32(&buf->data[offset]); + put_unaligned_be32(len, &buf->data[offset]); + } else { + tpm_buf_append_u32(buf, len); + } + /* auth handle */ + tpm_buf_append_u32(buf, TPM2_RS_PW); + /* nonce */ + tpm_buf_append_u16(buf, 0); + /* attributes */ + tpm_buf_append_u8(buf, 0); + /* passphrase */ + tpm_buf_append_u16(buf, passphrase_len); + tpm_buf_append(buf, passphrase, passphrase_len); + return; + } + +#ifdef CONFIG_TCG_TPM2_HMAC + /* + * The Architecture Guide requires us to strip trailing zeros + * before computing the HMAC + */ + while (passphrase && passphrase_len > 0 && passphrase[passphrase_len - 1] == '\0') + passphrase_len--; + + auth = chip->auth; + auth->attrs = attributes; + auth->passphrase_len = passphrase_len; + if (passphrase_len) + memcpy(auth->passphrase, passphrase, passphrase_len); + + if (auth->session != tpm_buf_length(buf)) { + /* we're not the first session */ + len = get_unaligned_be32(&buf->data[auth->session]); + if (4 + len + auth->session != tpm_buf_length(buf)) { + WARN(1, "session length mismatch, cannot append"); + return; + } + + /* add our new session */ + len += 9 + 2 * SHA256_DIGEST_SIZE; + put_unaligned_be32(len, &buf->data[auth->session]); + } else { + tpm_buf_append_u32(buf, 9 + 2 * SHA256_DIGEST_SIZE); + } + + /* random number for our nonce */ + get_random_bytes(nonce, sizeof(nonce)); + memcpy(auth->our_nonce, nonce, sizeof(nonce)); + tpm_buf_append_u32(buf, auth->handle); + /* our new nonce */ + tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE); + tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE); + tpm_buf_append_u8(buf, auth->attrs); + /* and put a placeholder for the hmac */ + tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE); + tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE); +#endif /* CONFIG_TCG_TPM2_HMAC */ +} +EXPORT_SYMBOL_GPL(tpm_buf_append_hmac_session); + #ifdef CONFIG_TCG_TPM2_HMAC static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy, @@ -455,82 +557,6 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) crypto_free_kpp(kpp); } -/** - * tpm_buf_append_hmac_session() - Append a TPM session element - * @chip: the TPM chip structure - * @buf: The buffer to be appended - * @attributes: The session attributes - * @passphrase: The session authority (NULL if none) - * @passphrase_len: The length of the session authority (0 if none) - * - * This fills in a session structure in the TPM command buffer, except - * for the HMAC which cannot be computed until the command buffer is - * complete. The type of session is controlled by the @attributes, - * the main ones of which are TPM2_SA_CONTINUE_SESSION which means the - * session won't terminate after tpm_buf_check_hmac_response(), - * TPM2_SA_DECRYPT which means this buffers first parameter should be - * encrypted with a session key and TPM2_SA_ENCRYPT, which means the - * response buffer's first parameter needs to be decrypted (confusing, - * but the defines are written from the point of view of the TPM). - * - * Any session appended by this command must be finalized by calling - * tpm_buf_fill_hmac_session() otherwise the HMAC will be incorrect - * and the TPM will reject the command. - * - * As with most tpm_buf operations, success is assumed because failure - * will be caused by an incorrect programming model and indicated by a - * kernel message. - */ -void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, - u8 attributes, u8 *passphrase, - int passphrase_len) -{ - u8 nonce[SHA256_DIGEST_SIZE]; - u32 len; - struct tpm2_auth *auth = chip->auth; - - /* - * The Architecture Guide requires us to strip trailing zeros - * before computing the HMAC - */ - while (passphrase && passphrase_len > 0 - && passphrase[passphrase_len - 1] == '\0') - passphrase_len--; - - auth->attrs = attributes; - auth->passphrase_len = passphrase_len; - if (passphrase_len) - memcpy(auth->passphrase, passphrase, passphrase_len); - - if (auth->session != tpm_buf_length(buf)) { - /* we're not the first session */ - len = get_unaligned_be32(&buf->data[auth->session]); - if (4 + len + auth->session != tpm_buf_length(buf)) { - WARN(1, "session length mismatch, cannot append"); - return; - } - - /* add our new session */ - len += 9 + 2 * SHA256_DIGEST_SIZE; - put_unaligned_be32(len, &buf->data[auth->session]); - } else { - tpm_buf_append_u32(buf, 9 + 2 * SHA256_DIGEST_SIZE); - } - - /* random number for our nonce */ - get_random_bytes(nonce, sizeof(nonce)); - memcpy(auth->our_nonce, nonce, sizeof(nonce)); - tpm_buf_append_u32(buf, auth->handle); - /* our new nonce */ - tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE); - tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE); - tpm_buf_append_u8(buf, auth->attrs); - /* and put a placeholder for the hmac */ - tpm_buf_append_u16(buf, SHA256_DIGEST_SIZE); - tpm_buf_append(buf, nonce, SHA256_DIGEST_SIZE); -} -EXPORT_SYMBOL(tpm_buf_append_hmac_session); - /** * tpm_buf_fill_hmac_session() - finalize the session HMAC * @chip: the TPM chip structure @@ -561,6 +587,9 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) u8 cphash[SHA256_DIGEST_SIZE]; struct sha256_state sctx; + if (!auth) + return; + /* save the command code in BE format */ auth->ordinal = head->ordinal; @@ -719,6 +748,9 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, u32 cc = be32_to_cpu(auth->ordinal); int parm_len, len, i, handles; + if (!auth) + return rc; + if (auth->session >= TPM_HEADER_SIZE) { WARN(1, "tpm session not filled correctly\n"); goto out; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index d9a6991b247d..e47f5d65935e 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -493,10 +493,6 @@ static inline void tpm_buf_append_empty_auth(struct tpm_buf *buf, u32 handle) void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, u32 handle, u8 *name); - -#ifdef CONFIG_TCG_TPM2_HMAC - -int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, int passphraselen); @@ -506,9 +502,27 @@ static inline void tpm_buf_append_hmac_session_opt(struct tpm_chip *chip, u8 *passphrase, int passphraselen) { - tpm_buf_append_hmac_session(chip, buf, attributes, passphrase, - passphraselen); + struct tpm_header *head; + int offset; + + if (__and(IS_ENABLED(CONFIG_TCG_TPM2_HMAC), chip->auth)) { + tpm_buf_append_hmac_session(chip, buf, attributes, passphrase, passphraselen); + } else { + offset = buf->handles * 4 + TPM_HEADER_SIZE; + head = (struct tpm_header *)buf->data; + + /* + * If the only sessions are optional, the command tag must change to + * TPM2_ST_NO_SESSIONS. + */ + if (tpm_buf_length(buf) == offset) + head->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS); + } } + +#ifdef CONFIG_TCG_TPM2_HMAC + +int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf); int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, int rc); @@ -523,48 +537,6 @@ static inline int tpm2_start_auth_session(struct tpm_chip *chip) static inline void tpm2_end_auth_session(struct tpm_chip *chip) { } -static inline void tpm_buf_append_hmac_session(struct tpm_chip *chip, - struct tpm_buf *buf, - u8 attributes, u8 *passphrase, - int passphraselen) -{ - /* offset tells us where the sessions area begins */ - int offset = buf->handles * 4 + TPM_HEADER_SIZE; - u32 len = 9 + passphraselen; - - if (tpm_buf_length(buf) != offset) { - /* not the first session so update the existing length */ - len += get_unaligned_be32(&buf->data[offset]); - put_unaligned_be32(len, &buf->data[offset]); - } else { - tpm_buf_append_u32(buf, len); - } - /* auth handle */ - tpm_buf_append_u32(buf, TPM2_RS_PW); - /* nonce */ - tpm_buf_append_u16(buf, 0); - /* attributes */ - tpm_buf_append_u8(buf, 0); - /* passphrase */ - tpm_buf_append_u16(buf, passphraselen); - tpm_buf_append(buf, passphrase, passphraselen); -} -static inline void tpm_buf_append_hmac_session_opt(struct tpm_chip *chip, - struct tpm_buf *buf, - u8 attributes, - u8 *passphrase, - int passphraselen) -{ - int offset = buf->handles * 4 + TPM_HEADER_SIZE; - struct tpm_header *head = (struct tpm_header *) buf->data; - - /* - * if the only sessions are optional, the command tag - * must change to TPM2_ST_NO_SESSIONS - */ - if (tpm_buf_length(buf) == offset) - head->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS); -} static inline void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) { -- 2.45.2

5 months, 3 weeks

1
0
0 0

[PATCH v3 2/3] tpm: Address !chip->auth in tpm_buf_append_name()

by Jarkko Sakkinen

Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can cause a null derefence in tpm_buf_append_name(). Thus, address !chip->auth in tpm_buf_append_name() and remove the fallback implementation for !TCG_TPM2_HMAC. Cc: stable(a)vger.kernel.org # v6.10+ Reported-by: Stefan Berger <stefanb(a)linux.ibm.com> Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@li… Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v3: * Address: https://lore.kernel.org/linux-integrity/922603265d61011dbb23f18a04525ae973b… v2: * N/A --- drivers/char/tpm/Makefile | 2 +- drivers/char/tpm/tpm2-sessions.c | 217 +++++++++++++++++-------------- include/linux/tpm.h | 14 +- 3 files changed, 121 insertions(+), 112 deletions(-) diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile index 4c695b0388f3..9bb142c75243 100644 --- a/drivers/char/tpm/Makefile +++ b/drivers/char/tpm/Makefile @@ -16,8 +16,8 @@ tpm-y += eventlog/common.o tpm-y += eventlog/tpm1.o tpm-y += eventlog/tpm2.o tpm-y += tpm-buf.o +tpm-y += tpm2-sessions.o -tpm-$(CONFIG_TCG_TPM2_HMAC) += tpm2-sessions.o tpm-$(CONFIG_ACPI) += tpm_ppi.o eventlog/acpi.o tpm-$(CONFIG_EFI) += eventlog/efi.o tpm-$(CONFIG_OF) += eventlog/of.o diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 2f1d96a5a5a7..179bcaac06ce 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -83,9 +83,6 @@ #define AES_KEY_BYTES AES_KEYSIZE_128 #define AES_KEY_BITS (AES_KEY_BYTES*8) -static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy, - u32 *handle, u8 *name); - /* * This is the structure that carries all the auth information (like * session handle, nonces, session key and auth) from use to use it is @@ -148,6 +145,7 @@ struct tpm2_auth { u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE]; }; +#ifdef CONFIG_TCG_TPM2_HMAC /* * Name Size based on TPM algorithm (assumes no hash bigger than 255) */ @@ -163,6 +161,120 @@ static u8 name_size(const u8 *name) return size_map[alg] + 2; } +static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) +{ + struct tpm_header *head = (struct tpm_header *)buf->data; + off_t offset = TPM_HEADER_SIZE; + u32 tot_len = be32_to_cpu(head->length); + u32 val; + + /* we're starting after the header so adjust the length */ + tot_len -= TPM_HEADER_SIZE; + + /* skip public */ + val = tpm_buf_read_u16(buf, &offset); + if (val > tot_len) + return -EINVAL; + offset += val; + /* name */ + val = tpm_buf_read_u16(buf, &offset); + if (val != name_size(&buf->data[offset])) + return -EINVAL; + memcpy(name, &buf->data[offset], val); + /* forget the rest */ + return 0; +} + +static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) +{ + struct tpm_buf buf; + int rc; + + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC); + if (rc) + return rc; + + tpm_buf_append_u32(&buf, handle); + rc = tpm_transmit_cmd(chip, &buf, 0, "read public"); + if (rc == TPM2_RC_SUCCESS) + rc = tpm2_parse_read_public(name, &buf); + + tpm_buf_destroy(&buf); + + return rc; +} +#endif /* CONFIG_TCG_TPM2_HMAC */ + +/** + * tpm_buf_append_name() - add a handle area to the buffer + * @chip: the TPM chip structure + * @buf: The buffer to be appended + * @handle: The handle to be appended + * @name: The name of the handle (may be NULL) + * + * In order to compute session HMACs, we need to know the names of the + * objects pointed to by the handles. For most objects, this is simply + * the actual 4 byte handle or an empty buf (in these cases @name + * should be NULL) but for volatile objects, permanent objects and NV + * areas, the name is defined as the hash (according to the name + * algorithm which should be set to sha256) of the public area to + * which the two byte algorithm id has been appended. For these + * objects, the @name pointer should point to this. If a name is + * required but @name is NULL, then TPM2_ReadPublic() will be called + * on the handle to obtain the name. + * + * As with most tpm_buf operations, success is assumed because failure + * will be caused by an incorrect programming model and indicated by a + * kernel message. + */ +void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, + u32 handle, u8 *name) +{ + enum tpm2_mso_type __maybe_unused mso = tpm2_handle_mso(handle); + struct tpm2_auth __maybe_unused *auth; + int __maybe_unused slot; + + if (!__and(IS_ENABLED(CONFIG_TCG_TPM2_HMAC), chip->auth)) { + tpm_buf_append_u32(buf, handle); + /* count the number of handles in the upper bits of flags */ + buf->handles++; + return; + } + +#ifdef CONFIG_TCG_TPM2_HMAC + slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE) / 4; + if (slot >= AUTH_MAX_NAMES) { + dev_err(&chip->dev, "TPM: too many handles\n"); + return; + } + auth = chip->auth; + WARN(auth->session != tpm_buf_length(buf), + "name added in wrong place\n"); + tpm_buf_append_u32(buf, handle); + auth->session += 4; + + if (mso == TPM2_MSO_PERSISTENT || + mso == TPM2_MSO_VOLATILE || + mso == TPM2_MSO_NVRAM) { + if (!name) + tpm2_read_public(chip, handle, auth->name[slot]); + } else { + if (name) + dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n"); + } + + auth->name_h[slot] = handle; + if (name) + memcpy(auth->name[slot], name, name_size(name)); +#endif /* CONFIG_TCG_TPM2_HMAC */ +} +EXPORT_SYMBOL_GPL(tpm_buf_append_name); + +#ifdef CONFIG_TCG_TPM2_HMAC + +static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy, + u32 *handle, u8 *name); + /* * It turns out the crypto hmac(sha256) is hard for us to consume * because it assumes a fixed key and the TPM seems to change the key @@ -567,104 +679,6 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) } EXPORT_SYMBOL(tpm_buf_fill_hmac_session); -static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) -{ - struct tpm_header *head = (struct tpm_header *)buf->data; - off_t offset = TPM_HEADER_SIZE; - u32 tot_len = be32_to_cpu(head->length); - u32 val; - - /* we're starting after the header so adjust the length */ - tot_len -= TPM_HEADER_SIZE; - - /* skip public */ - val = tpm_buf_read_u16(buf, &offset); - if (val > tot_len) - return -EINVAL; - offset += val; - /* name */ - val = tpm_buf_read_u16(buf, &offset); - if (val != name_size(&buf->data[offset])) - return -EINVAL; - memcpy(name, &buf->data[offset], val); - /* forget the rest */ - return 0; -} - -static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) -{ - struct tpm_buf buf; - int rc; - - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC); - if (rc) - return rc; - - tpm_buf_append_u32(&buf, handle); - rc = tpm_transmit_cmd(chip, &buf, 0, "read public"); - if (rc == TPM2_RC_SUCCESS) - rc = tpm2_parse_read_public(name, &buf); - - tpm_buf_destroy(&buf); - - return rc; -} - -/** - * tpm_buf_append_name() - add a handle area to the buffer - * @chip: the TPM chip structure - * @buf: The buffer to be appended - * @handle: The handle to be appended - * @name: The name of the handle (may be NULL) - * - * In order to compute session HMACs, we need to know the names of the - * objects pointed to by the handles. For most objects, this is simply - * the actual 4 byte handle or an empty buf (in these cases @name - * should be NULL) but for volatile objects, permanent objects and NV - * areas, the name is defined as the hash (according to the name - * algorithm which should be set to sha256) of the public area to - * which the two byte algorithm id has been appended. For these - * objects, the @name pointer should point to this. If a name is - * required but @name is NULL, then TPM2_ReadPublic() will be called - * on the handle to obtain the name. - * - * As with most tpm_buf operations, success is assumed because failure - * will be caused by an incorrect programming model and indicated by a - * kernel message. - */ -void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, - u32 handle, u8 *name) -{ - enum tpm2_mso_type mso = tpm2_handle_mso(handle); - struct tpm2_auth *auth = chip->auth; - int slot; - - slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE)/4; - if (slot >= AUTH_MAX_NAMES) { - dev_err(&chip->dev, "TPM: too many handles\n"); - return; - } - WARN(auth->session != tpm_buf_length(buf), - "name added in wrong place\n"); - tpm_buf_append_u32(buf, handle); - auth->session += 4; - - if (mso == TPM2_MSO_PERSISTENT || - mso == TPM2_MSO_VOLATILE || - mso == TPM2_MSO_NVRAM) { - if (!name) - tpm2_read_public(chip, handle, auth->name[slot]); - } else { - if (name) - dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n"); - } - - auth->name_h[slot] = handle; - if (name) - memcpy(auth->name[slot], name, name_size(name)); -} -EXPORT_SYMBOL(tpm_buf_append_name); - /** * tpm_buf_check_hmac_response() - check the TPM return HMAC for correctness * @chip: the TPM chip structure @@ -1311,3 +1325,4 @@ int tpm2_sessions_init(struct tpm_chip *chip) return rc; } +#endif /* CONFIG_TCG_TPM2_HMAC */ diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 21a67dc9efe8..d9a6991b247d 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -490,11 +490,13 @@ static inline void tpm_buf_append_empty_auth(struct tpm_buf *buf, u32 handle) { } #endif -#ifdef CONFIG_TCG_TPM2_HMAC -int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, u32 handle, u8 *name); + +#ifdef CONFIG_TCG_TPM2_HMAC + +int tpm2_start_auth_session(struct tpm_chip *chip); void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, int passphraselen); @@ -521,14 +523,6 @@ static inline int tpm2_start_auth_session(struct tpm_chip *chip) static inline void tpm2_end_auth_session(struct tpm_chip *chip) { } -static inline void tpm_buf_append_name(struct tpm_chip *chip, - struct tpm_buf *buf, - u32 handle, u8 *name) -{ - tpm_buf_append_u32(buf, handle); - /* count the number of handles in the upper bits of flags */ - buf->handles++; -} static inline void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, -- 2.45.2

5 months, 3 weeks

1
0
0 0

[PATCH v3 1/3] tpm: Address !chip->auth in tpm2_*_auth_session()

by Jarkko Sakkinen

Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can cause a null derefence in tpm2_*_auth_session(). Thus, address !chip->auth in tpm2_*_auth_session(). Cc: stable(a)vger.kernel.org # v6.9+ Reported-by: Stefan Berger <stefanb(a)linux.ibm.com> Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@li… Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v2: * Use dev_warn_once() instead of pr_warn_once(). --- drivers/char/tpm/tpm2-sessions.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 907ac9956a78..2f1d96a5a5a7 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -824,8 +824,13 @@ EXPORT_SYMBOL(tpm_buf_check_hmac_response); */ void tpm2_end_auth_session(struct tpm_chip *chip) { - tpm2_flush_context(chip, chip->auth->handle); - memzero_explicit(chip->auth, sizeof(*chip->auth)); + struct tpm2_auth *auth = chip->auth; + + if (!auth) + return; + + tpm2_flush_context(chip, auth->handle); + memzero_explicit(auth, sizeof(*auth)); } EXPORT_SYMBOL(tpm2_end_auth_session); @@ -907,6 +912,11 @@ int tpm2_start_auth_session(struct tpm_chip *chip) int rc; u32 null_key; + if (!auth) { + dev_warn_once(&chip->dev, "auth session is not active\n"); + return 0; + } + rc = tpm2_load_null(chip, &null_key); if (rc) goto out; -- 2.45.2

5 months, 3 weeks

1
0
0 0

[PATCH] drm/ttm: Always take the bo delayed cleanup path for imported bos

by Thomas Hellström

Bos can be put with multiple unrelated dma-resv locks held. But imported bos attempt to grab the bo dma-resv during dma-buf detach that typically happens during cleanup. That leads to lockde splats similar to the below and a potential ABBA deadlock. Fix this by always taking the delayed workqueue cleanup path for imported bos. Requesting stable fixes from when the Xe driver was introduced, since its usage of drm_exec and wide vm dma_resvs appear to be the first reliable trigger of this. [22982.116427] ============================================ [22982.116428] WARNING: possible recursive locking detected [22982.116429] 6.10.0-rc2+ #10 Tainted: G U W [22982.116430] -------------------------------------------- [22982.116430] glxgears:sh0/5785 is trying to acquire lock: [22982.116431] ffff8c2bafa539a8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: dma_buf_detach+0x3b/0xf0 [22982.116438] but task is already holding lock: [22982.116438] ffff8c2d9aba6da8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: drm_exec_lock_obj+0x49/0x2b0 [drm_exec] [22982.116442] other info that might help us debug this: [22982.116442] Possible unsafe locking scenario: [22982.116443] CPU0 [22982.116444] ---- [22982.116444] lock(reservation_ww_class_mutex); [22982.116445] lock(reservation_ww_class_mutex); [22982.116447] *** DEADLOCK *** [22982.116447] May be due to missing lock nesting notation [22982.116448] 5 locks held by glxgears:sh0/5785: [22982.116449] #0: ffff8c2d9aba58c8 (&xef->vm.lock){+.+.}-{3:3}, at: xe_file_close+0xde/0x1c0 [xe] [22982.116507] #1: ffff8c2e28cc8480 (&vm->lock){++++}-{3:3}, at: xe_vm_close_and_put+0x161/0x9b0 [xe] [22982.116578] #2: ffff8c2e31982970 (&val->lock){.+.+}-{3:3}, at: xe_validation_ctx_init+0x6d/0x70 [xe] [22982.116647] #3: ffffacdc469478a8 (reservation_ww_class_acquire){+.+.}-{0:0}, at: xe_vma_destroy_unlocked+0x7f/0xe0 [xe] [22982.116716] #4: ffff8c2d9aba6da8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: drm_exec_lock_obj+0x49/0x2b0 [drm_exec] [22982.116719] stack backtrace: [22982.116720] CPU: 8 PID: 5785 Comm: glxgears:sh0 Tainted: G U W 6.10.0-rc2+ #10 [22982.116721] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023 [22982.116723] Call Trace: [22982.116724] <TASK> [22982.116725] dump_stack_lvl+0x77/0xb0 [22982.116727] __lock_acquire+0x1232/0x2160 [22982.116730] lock_acquire+0xcb/0x2d0 [22982.116732] ? dma_buf_detach+0x3b/0xf0 [22982.116734] ? __lock_acquire+0x417/0x2160 [22982.116736] __ww_mutex_lock.constprop.0+0xd0/0x13b0 [22982.116738] ? dma_buf_detach+0x3b/0xf0 [22982.116741] ? dma_buf_detach+0x3b/0xf0 [22982.116743] ? ww_mutex_lock+0x2b/0x90 [22982.116745] ww_mutex_lock+0x2b/0x90 [22982.116747] dma_buf_detach+0x3b/0xf0 [22982.116749] drm_prime_gem_destroy+0x2f/0x40 [drm] [22982.116775] xe_ttm_bo_destroy+0x32/0x220 [xe] [22982.116818] ? __mutex_unlock_slowpath+0x3a/0x290 [22982.116821] drm_exec_unlock_all+0xa1/0xd0 [drm_exec] [22982.116823] drm_exec_fini+0x12/0xb0 [drm_exec] [22982.116824] xe_validation_ctx_fini+0x15/0x40 [xe] [22982.116892] xe_vma_destroy_unlocked+0xb1/0xe0 [xe] [22982.116959] xe_vm_close_and_put+0x41a/0x9b0 [xe] [22982.117025] ? xa_find+0xe3/0x1e0 [22982.117028] xe_file_close+0x10a/0x1c0 [xe] [22982.117074] drm_file_free+0x22a/0x280 [drm] [22982.117099] drm_release_noglobal+0x22/0x70 [drm] [22982.117119] __fput+0xf1/0x2d0 [22982.117122] task_work_run+0x59/0x90 [22982.117125] do_exit+0x330/0xb40 [22982.117127] do_group_exit+0x36/0xa0 [22982.117129] get_signal+0xbd2/0xbe0 [22982.117131] arch_do_signal_or_restart+0x3e/0x240 [22982.117134] syscall_exit_to_user_mode+0x1e7/0x290 [22982.117137] do_syscall_64+0xa1/0x180 [22982.117139] ? lock_acquire+0xcb/0x2d0 [22982.117140] ? __set_task_comm+0x28/0x1e0 [22982.117141] ? find_held_lock+0x2b/0x80 [22982.117144] ? __set_task_comm+0xe1/0x1e0 [22982.117145] ? lock_release+0xca/0x290 [22982.117147] ? __do_sys_prctl+0x245/0xab0 [22982.117149] ? lockdep_hardirqs_on_prepare+0xde/0x190 [22982.117150] ? syscall_exit_to_user_mode+0xb0/0x290 [22982.117152] ? do_syscall_64+0xa1/0x180 [22982.117154] ? __lock_acquire+0x417/0x2160 [22982.117155] ? reacquire_held_locks+0xd1/0x1f0 [22982.117156] ? do_user_addr_fault+0x30c/0x790 [22982.117158] ? lock_acquire+0xcb/0x2d0 [22982.117160] ? find_held_lock+0x2b/0x80 [22982.117162] ? do_user_addr_fault+0x357/0x790 [22982.117163] ? lock_release+0xca/0x290 [22982.117164] ? do_user_addr_fault+0x361/0x790 [22982.117166] ? trace_hardirqs_off+0x4b/0xc0 [22982.117168] ? clear_bhb_loop+0x45/0xa0 [22982.117170] ? clear_bhb_loop+0x45/0xa0 [22982.117172] ? clear_bhb_loop+0x45/0xa0 [22982.117174] entry_SYSCALL_64_after_hwframe+0x76/0x7e [22982.117176] RIP: 0033:0x7f943d267169 [22982.117192] Code: Unable to access opcode bytes at 0x7f943d26713f. [22982.117193] RSP: 002b:00007f9430bffc80 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [22982.117195] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007f943d267169 [22982.117196] RDX: 0000000000000000 RSI: 0000000000000189 RDI: 00005622f89579d0 [22982.117197] RBP: 00007f9430bffcb0 R08: 0000000000000000 R09: 00000000ffffffff [22982.117198] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [22982.117199] R13: 0000000000000000 R14: 0000000000000000 R15: 00005622f89579d0 [22982.117202] </TASK> Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Cc: Christian König <christian.koenig(a)amd.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: intel-xe(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.8+ Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> --- drivers/gpu/drm/ttm/ttm_bo.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c index 6396dece0db1..2427be8bc97f 100644 --- a/drivers/gpu/drm/ttm/ttm_bo.c +++ b/drivers/gpu/drm/ttm/ttm_bo.c @@ -346,6 +346,7 @@ static void ttm_bo_release(struct kref *kref) if (!dma_resv_test_signaled(bo->base.resv, DMA_RESV_USAGE_BOOKKEEP) || (want_init_on_free() && (bo->ttm != NULL)) || + bo->type == ttm_bo_type_sg || !dma_resv_trylock(bo->base.resv)) { /* The BO is not idle, resurrect it for delayed destroy */ ttm_bo_flush_all_fences(bo); -- 2.44.0

5 months, 3 weeks

4
4
0 0

[PATCH] drm/xe: Use write-back caching mode for system memory on DGFX

by Thomas Hellström

The caching mode for buffer objects with VRAM as a possible placement was forced to write-combined, regardless of placement. However, write-combined system memory is expensive to allocate and even though it is pooled, the pool is expensive to shrink, since it involves global CPU TLB flushes. Moreover write-combined system memory from TTM is only reliably available on x86 and DGFX doesn't have an x86 restriction. So regardless of the cpu caching mode selected for a bo, internally use write-back caching mode for system memory on DGFX. Coherency is maintained, but user-space clients may perceive a difference in cpu access speeds. Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Fixes: 622f709ca629 ("drm/xe/uapi: Add support for CPU caching mode") Cc: Pallavi Mishra <pallavi.mishra(a)intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: dri-devel(a)lists.freedesktop.org Cc: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Cc: Effie Yu <effie.yu(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Jose Souza <jose.souza(a)intel.com> Cc: Michal Mrozek <michal.mrozek(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_bo.c | 47 +++++++++++++++++++------------- drivers/gpu/drm/xe/xe_bo_types.h | 3 +- include/uapi/drm/xe_drm.h | 8 +++++- 3 files changed, 37 insertions(+), 21 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c index 65c696966e96..31192d983d9e 100644 --- a/drivers/gpu/drm/xe/xe_bo.c +++ b/drivers/gpu/drm/xe/xe_bo.c @@ -343,7 +343,7 @@ static struct ttm_tt *xe_ttm_tt_create(struct ttm_buffer_object *ttm_bo, struct xe_device *xe = xe_bo_device(bo); struct xe_ttm_tt *tt; unsigned long extra_pages; - enum ttm_caching caching; + enum ttm_caching caching = ttm_cached; int err; tt = kzalloc(sizeof(*tt), GFP_KERNEL); @@ -357,26 +357,35 @@ static struct ttm_tt *xe_ttm_tt_create(struct ttm_buffer_object *ttm_bo, extra_pages = DIV_ROUND_UP(xe_device_ccs_bytes(xe, bo->size), PAGE_SIZE); - switch (bo->cpu_caching) { - case DRM_XE_GEM_CPU_CACHING_WC: - caching = ttm_write_combined; - break; - default: - caching = ttm_cached; - break; - } - - WARN_ON((bo->flags & XE_BO_FLAG_USER) && !bo->cpu_caching); - /* - * Display scanout is always non-coherent with the CPU cache. - * - * For Xe_LPG and beyond, PPGTT PTE lookups are also non-coherent and - * require a CPU:WC mapping. + * DGFX system memory is always WB / ttm_cached, since + * other caching modes are only supported on x86. DGFX + * GPU system memory accesses are always coherent with the + * CPU. */ - if ((!bo->cpu_caching && bo->flags & XE_BO_FLAG_SCANOUT) || - (xe->info.graphics_verx100 >= 1270 && bo->flags & XE_BO_FLAG_PAGETABLE)) - caching = ttm_write_combined; + if (!IS_DGFX(xe)) { + switch (bo->cpu_caching) { + case DRM_XE_GEM_CPU_CACHING_WC: + caching = ttm_write_combined; + break; + default: + caching = ttm_cached; + break; + } + + WARN_ON((bo->flags & XE_BO_FLAG_USER) && !bo->cpu_caching); + + /* + * Display scanout is always non-coherent with the CPU cache. + * + * For Xe_LPG and beyond, PPGTT PTE lookups are also + * non-coherent and require a CPU:WC mapping. + */ + if ((!bo->cpu_caching && bo->flags & XE_BO_FLAG_SCANOUT) || + (xe->info.graphics_verx100 >= 1270 && + bo->flags & XE_BO_FLAG_PAGETABLE)) + caching = ttm_write_combined; + } if (bo->flags & XE_BO_FLAG_NEEDS_UC) { /* diff --git a/drivers/gpu/drm/xe/xe_bo_types.h b/drivers/gpu/drm/xe/xe_bo_types.h index 86422e113d39..10450f1fbbde 100644 --- a/drivers/gpu/drm/xe/xe_bo_types.h +++ b/drivers/gpu/drm/xe/xe_bo_types.h @@ -66,7 +66,8 @@ struct xe_bo { /** * @cpu_caching: CPU caching mode. Currently only used for userspace - * objects. + * objects. Exceptions are system memory on DGFX, which is always + * WB. */ u16 cpu_caching; diff --git a/include/uapi/drm/xe_drm.h b/include/uapi/drm/xe_drm.h index 93e00be44b2d..1189b3044723 100644 --- a/include/uapi/drm/xe_drm.h +++ b/include/uapi/drm/xe_drm.h @@ -783,7 +783,13 @@ struct drm_xe_gem_create { #define DRM_XE_GEM_CPU_CACHING_WC 2 /** * @cpu_caching: The CPU caching mode to select for this object. If - * mmaping the object the mode selected here will also be used. + * mmaping the object the mode selected here will also be used. The + * exception is when mapping system memory (including evicted + * system memory) on discrete GPUs. The caching mode selected will + * then be overridden to DRM_XE_GEM_CPU_CACHING_WB, and coherency + * between GPU- and CPU is guaranteed. The caching mode of + * existing CPU-mappings will be updated transparently to + * user-space clients. */ __u16 cpu_caching; /** @pad: MBZ */ -- 2.44.0

5 months, 3 weeks

5
4
0 0

[PATCH V4] mm/gup: Clear the LRU flag of a page before adding to LRU batch

by yangge1116＠126.com

From: yangge <yangge1116(a)126.com> If a large number of CMA memory are configured in system (for example, the CMA memory accounts for 50% of the system memory), starting a virtual virtual machine with device passthrough, it will call pin_user_pages_remote(..., FOLL_LONGTERM, ...) to pin memory. Normally if a page is present and in CMA area, pin_user_pages_remote() will migrate the page from CMA area to non-CMA area because of FOLL_LONGTERM flag. But the current code will cause the migration failure due to unexpected page refcounts, and eventually cause the virtual machine fail to start. If a page is added in LRU batch, its refcount increases one, remove the page from LRU batch decreases one. Page migration requires the page is not referenced by others except page mapping. Before migrating a page, we should try to drain the page from LRU batch in case the page is in it, however, folio_test_lru() is not sufficient to tell whether the page is in LRU batch or not, if the page is in LRU batch, the migration will fail. To solve the problem above, we modify the logic of adding to LRU batch. Before adding a page to LRU batch, we clear the LRU flag of the page so that we can check whether the page is in LRU batch by folio_test_lru(page). It's quite valuable, because likely we don't want to blindly drain the LRU batch simply because there is some unexpected reference on a page, as described above. This change makes the LRU flag of a page invisible for longer, which may impact some programs. For example, as long as a page is on a LRU batch, we cannot isolate it, and we cannot check if it's an LRU page. Further, a page can now only be on exactly one LRU batch. This doesn't seem to matter much, because a new page is allocated from buddy and added to the lru batch, or be isolated, it's LRU flag may also be invisible for a long time. Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Cc: <stable(a)vger.kernel.org> Signed-off-by: yangge <yangge1116(a)126.com> --- mm/swap.c | 43 +++++++++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 12 deletions(-) V4: Adjust commit message according to David's comments V3: Add fixes tag V2: Adjust code and commit message according to David's comments diff --git a/mm/swap.c b/mm/swap.c index dc205bd..9caf6b0 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -211,10 +211,6 @@ static void folio_batch_move_lru(struct folio_batch *fbatch, move_fn_t move_fn) for (i = 0; i < folio_batch_count(fbatch); i++) { struct folio *folio = fbatch->folios[i]; - /* block memcg migration while the folio moves between lru */ - if (move_fn != lru_add_fn && !folio_test_clear_lru(folio)) - continue; - folio_lruvec_relock_irqsave(folio, &lruvec, &flags); move_fn(lruvec, folio); @@ -255,11 +251,16 @@ static void lru_move_tail_fn(struct lruvec *lruvec, struct folio *folio) void folio_rotate_reclaimable(struct folio *folio) { if (!folio_test_locked(folio) && !folio_test_dirty(folio) && - !folio_test_unevictable(folio) && folio_test_lru(folio)) { + !folio_test_unevictable(folio)) { struct folio_batch *fbatch; unsigned long flags; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock_irqsave(&lru_rotate.lock, flags); fbatch = this_cpu_ptr(&lru_rotate.fbatch); folio_batch_add_and_move(fbatch, folio, lru_move_tail_fn); @@ -352,11 +353,15 @@ static void folio_activate_drain(int cpu) void folio_activate(struct folio *folio) { - if (folio_test_lru(folio) && !folio_test_active(folio) && - !folio_test_unevictable(folio)) { + if (!folio_test_active(folio) && !folio_test_unevictable(folio)) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.activate); folio_batch_add_and_move(fbatch, folio, folio_activate_fn); @@ -700,6 +705,11 @@ void deactivate_file_folio(struct folio *folio) return; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_deactivate_file); folio_batch_add_and_move(fbatch, folio, lru_deactivate_file_fn); @@ -716,11 +726,16 @@ void deactivate_file_folio(struct folio *folio) */ void folio_deactivate(struct folio *folio) { - if (folio_test_lru(folio) && !folio_test_unevictable(folio) && - (folio_test_active(folio) || lru_gen_enabled())) { + if (!folio_test_unevictable(folio) && (folio_test_active(folio) || + lru_gen_enabled())) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_deactivate); folio_batch_add_and_move(fbatch, folio, lru_deactivate_fn); @@ -737,12 +752,16 @@ void folio_deactivate(struct folio *folio) */ void folio_mark_lazyfree(struct folio *folio) { - if (folio_test_lru(folio) && folio_test_anon(folio) && - folio_test_swapbacked(folio) && !folio_test_swapcache(folio) && - !folio_test_unevictable(folio)) { + if (folio_test_anon(folio) && folio_test_swapbacked(folio) && + !folio_test_swapcache(folio) && !folio_test_unevictable(folio)) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_lazyfree); folio_batch_add_and_move(fbatch, folio, lru_lazyfree_fn); -- 2.7.4

5 months, 3 weeks

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2024