August 2024 - Linux-stable-mirror

[PATCH v2] usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes()

by Zijun Hu

From: Zijun Hu <quic_zijuhu(a)quicinc.com> Device attribute group @usb3_hardware_lpm_attr_group is merged by add_power_attributes(), but it is not unmerged explicitly, fixed by unmerging it in remove_power_attributes(). Fixes: 655fe4effe0f ("usbcore: add sysfs support to xHCI usb3 hardware LPM") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Changes in v2: - Add stable tag - Link to v1: https://lore.kernel.org/r/20240814-sysfs_fix-v1-1-2224a29a259b@quicinc.com --- drivers/usb/core/sysfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c index d83231d6736a..61b6d978892c 100644 --- a/drivers/usb/core/sysfs.c +++ b/drivers/usb/core/sysfs.c @@ -670,6 +670,7 @@ static int add_power_attributes(struct device *dev) static void remove_power_attributes(struct device *dev) { + sysfs_unmerge_group(&dev->kobj, &usb3_hardware_lpm_attr_group); sysfs_unmerge_group(&dev->kobj, &usb2_hardware_lpm_attr_group); sysfs_unmerge_group(&dev->kobj, &power_attr_group); } --- base-commit: ca7df2c7bb5f83fe46aa9ce998b7352c6b28f3a1 change-id: 20240814-sysfs_fix-2206de9b0179 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

4 months, 3 weeks

1
0
0 0

[PATCH] erofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails

by Gao Xiang

If z_erofs_gbuf_growsize() partially fails on a global buffer due to memory allocation failure or fault injection (as reported by syzbot [1]), new pages need to be freed by comparing to the existing pages to avoid memory leaks. However, the old gbuf->pages[] array may not be large enough, which can lead to null-ptr-deref or out-of-bound access. Fix this by checking against gbuf->nrpages in advance. Fixes: d6db47e571dc ("erofs: do not use pagepool in z_erofs_gbuf_growsize()") Cc: <stable(a)vger.kernel.org> # 6.10+ Cc: Chunhai Guo <guochunhai(a)vivo.com> Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> --- fs/erofs/zutil.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/erofs/zutil.c b/fs/erofs/zutil.c index 9b53883e5caf..37afe2024840 100644 --- a/fs/erofs/zutil.c +++ b/fs/erofs/zutil.c @@ -111,7 +111,8 @@ int z_erofs_gbuf_growsize(unsigned int nrpages) out: if (i < z_erofs_gbuf_count && tmp_pages) { for (j = 0; j < nrpages; ++j) - if (tmp_pages[j] && tmp_pages[j] != gbuf->pages[j]) + if (tmp_pages[j] && (j >= gbuf->nrpages || + tmp_pages[j] != gbuf->pages[j])) __free_page(tmp_pages[j]); kfree(tmp_pages); } -- 2.43.5

4 months, 3 weeks

2
3
0 0

[PATCH] usb: xhci: fixes lost of data for xHCI Cadence Controllers

by Pawel Laszczak

Stream endpoint can skip part of TD during next transfer initialization after beginning stopped during active stream data transfer. The Set TR Dequeue Pointer command does not clear all internal transfer-related variables that position stream endpoint on transfer ring. USB Controller stores all endpoint state information within RsvdO fields inside endpoint context structure. For stream endpoints, all relevant information regarding particular StreamID is stored within corresponding Stream Endpoint context. Whenever driver wants to stop stream endpoint traffic, it invokes Stop Endpoint command which forces the controller to dump all endpoint state-related variables into RsvdO spaces into endpoint context and stream endpoint context. Whenever driver wants to reinitialize endpoint starting point on Transfer Ring, it uses the Set TR Dequeue Pointer command to update dequeue pointer for particular stream in Stream Endpoint Context. When stream endpoint is forced to stop active transfer in the middle of TD, it dumps an information about TRB bytes left in RsvdO fields in Stream Endpoint Context which will be used in next transfer initialization to designate starting point for XDMA. This field is not cleared during Set TR Dequeue Pointer command which causes XDMA to skip over transfer ring and leads to data loss on stream pipe. Patch fixes this by clearing out all RsvdO fields before initializing new transfer via that StreamID. Field Rsvd0 is reserved field, so patch should not have impact for other xHCI controllers. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: <stable(a)vger.kernel.org> Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> --- drivers/usb/host/xhci-ring.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 1dde53f6eb31..7fc1c4efcae2 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1385,7 +1385,20 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, if (ep->ep_state & EP_HAS_STREAMS) { struct xhci_stream_ctx *ctx = &ep->stream_info->stream_ctx_array[stream_id]; + u32 edtl; + deq = le64_to_cpu(ctx->stream_ring) & SCTX_DEQ_MASK; + edtl = EVENT_TRB_LEN(le32_to_cpu(ctx->reserved[1])); + + /* + * Existing Cadence xHCI controllers store some endpoint state information + * within Rsvd0 fields of Stream Endpoint context. This field is not + * cleared during Set TR Dequeue Pointer command which causes XDMA to skip + * over transfer ring and leads to data loss on stream pipe. + * To fix this issue driver must clear Rsvd0 field. + */ + ctx->reserved[1] = 0; + ctx->reserved[0] = cpu_to_le32(edtl); } else { deq = le64_to_cpu(ep_ctx->deq) & ~EP_CTX_CYCLE_MASK; } -- 2.43.0

4 months, 3 weeks

2
2
0 0

[PATCH v2 1/3] drm/xe: Read out rawclk_freq for display

by Maarten Lankhorst

Failing to read out rawclk makes it impossible to read out backlight, which results in backlight not working when the backlight is off during boot, or when reloading the module. Signed-off-by: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Fixes: 44e694958b95 ("drm/xe/display: Implement display support") Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/display/xe_display.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/xe/display/xe_display.c b/drivers/gpu/drm/xe/display/xe_display.c index 30dfdac9f6fa9..79add15c6c4c7 100644 --- a/drivers/gpu/drm/xe/display/xe_display.c +++ b/drivers/gpu/drm/xe/display/xe_display.c @@ -159,6 +159,9 @@ int xe_display_init_noirq(struct xe_device *xe) intel_display_device_info_runtime_init(xe); + RUNTIME_INFO(xe)->rawclk_freq = intel_read_rawclk(xe); + drm_dbg(&xe->drm, "rawclk rate: %d kHz\n", RUNTIME_INFO(xe)->rawclk_freq); + err = intel_display_driver_probe_noirq(xe); if (err) { intel_opregion_cleanup(display); -- 2.45.2

4 months, 3 weeks

2
2
0 0

[PATCH v2] irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init

by Ma Ke

Add the missing of_node_put() to release the refcount incremented by of_find_matching_node(). Cc: stable(a)vger.kernel.org Fixes: 4266ab1a8ff5 ("irqchip/gic-v2m: Refactor to prepare for ACPI support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch according to suggestions. --- drivers/irqchip/irq-gic-v2m.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/irqchip/irq-gic-v2m.c b/drivers/irqchip/irq-gic-v2m.c index 51af63c046ed..d5988012eb40 100644 --- a/drivers/irqchip/irq-gic-v2m.c +++ b/drivers/irqchip/irq-gic-v2m.c @@ -407,12 +407,12 @@ static int __init gicv2m_of_init(struct fwnode_handle *parent_handle, ret = gicv2m_init_one(&child->fwnode, spi_start, nr_spis, &res, 0); - if (ret) { - of_node_put(child); + if (ret) break; - } } + if (ret && child) + of_put_node(child); if (!ret) ret = gicv2m_allocate_domains(parent); if (ret) -- 2.25.1

4 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 61ebe5a747da649057c37be1c37eb934b4af79ca # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081917-rubber-cable-a9ab@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 61ebe5a747da ("mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0") 88ae5fb755b0 ("mm: vmalloc: enable memory allocation profiling") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 61ebe5a747da649057c37be1c37eb934b4af79ca Mon Sep 17 00:00:00 2001 From: Hailong Liu <hailong.liu(a)oppo.com> Date: Thu, 8 Aug 2024 20:19:56 +0800 Subject: [PATCH] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same page shift. However, since commit e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation failed for high order, the pages** may contain two different page shifts (high order and order-0). This could lead __vmap_pages_range_noflush() to perform incorrect mappings, potentially resulting in memory corruption. Users might encounter this as follows (vmap_allow_huge = true, 2M is for PMD_SIZE): kvmalloc(2M, __GFP_NOFAIL|GFP_X) __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP) vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0 vmap_pages_range() vmap_pages_range_noflush() __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens We can remove the fallback code because if a high-order allocation fails, __vmalloc_node_range_noprof() will retry with order-0. Therefore, it is unnecessary to fallback to order-0 here. Therefore, fix this by removing the fallback code. Link: https://lkml.kernel.org/r/20240808122019.3361-1-hailong.liu@oppo.com Fixes: e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations") Signed-off-by: Hailong Liu <hailong.liu(a)oppo.com> Reported-by: Tangquan Zheng <zhengtangquan(a)oppo.com> Reviewed-by: Baoquan He <bhe(a)redhat.com> Reviewed-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Acked-by: Barry Song <baohua(a)kernel.org> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 6b783baf12a1..af2de36549d6 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3584,15 +3584,8 @@ vm_area_alloc_pages(gfp_t gfp, int nid, page = alloc_pages_noprof(alloc_gfp, order); else page = alloc_pages_node_noprof(nid, alloc_gfp, order); - if (unlikely(!page)) { - if (!nofail) - break; - - /* fall back to the zero order allocations */ - alloc_gfp |= __GFP_NOFAIL; - order = 0; - continue; - } + if (unlikely(!page)) + break; /* * Higher order allocations must be able to be treated as

4 months, 3 weeks

2
1
0 0

[PATCH v2 0/3] soc: qcom: pmic_glink: v6.11-rc bug fixes

by Bjorn Andersson

Amit and Johan both reported a NULL pointer dereference in the pmic_glink client code during initialization, and Stephen Boyd pointed out the problem (race condition). While investigating, and writing the fix, I noticed that ucsi_unregister() is called in atomic context but tries to sleep, and I also noticed that the condition for when to inform the pmic_glink client drivers when the remote has gone down is just wrong. So, let's fix all three. As mentioned in the commit message for the UCSI fix, I have a series in the works that makes the GLINK callback happen in a sleepable context, which would remove the need for the clients list to be protected by a spinlock, and removing the work scheduling. This is however not -rc material... In addition to the NULL pointer dereference, there is the -ECANCELED issue reported here: https://lore.kernel.org/all/Zqet8iInnDhnxkT9@hovoldconsulting.com/ Johan reports that these fixes do not address that issue. Signed-off-by: Bjorn Andersson <quic_bjorande(a)quicinc.com> --- Changes in v2: - Refer to the correct commit in the ucsi_unregister() patch. - Updated wording in the same commit message about the new error message in the log. - Changed the data type of the introduced state variables, opted to go for a bool as we only represent two states (and I would like to further clean this up going forward) - Initialized the spinlock - Link to v1: https://lore.kernel.org/r/20240818-pmic-glink-v6-11-races-v1-0-f87c577e0bc9… --- Bjorn Andersson (3): soc: qcom: pmic_glink: Fix race during initialization usb: typec: ucsi: Move unregister out of atomic section soc: qcom: pmic_glink: Actually communicate with remote goes down drivers/power/supply/qcom_battmgr.c | 16 ++++++++----- drivers/soc/qcom/pmic_glink.c | 40 ++++++++++++++++++++++---------- drivers/soc/qcom/pmic_glink_altmode.c | 17 +++++++++----- drivers/usb/typec/ucsi/ucsi_glink.c | 43 ++++++++++++++++++++++++++--------- include/linux/soc/qcom/pmic_glink.h | 11 +++++---- 5 files changed, 87 insertions(+), 40 deletions(-) --- base-commit: 2fd613d27928293eaa87788b10e8befb6805cd42 change-id: 20240818-pmic-glink-v6-11-races-363f5964c339 Best regards, -- Bjorn Andersson <quic_bjorande(a)quicinc.com>

4 months, 3 weeks

3
9
0 0

[PATCH 0/3] soc: qcom: pmic_glink: v6.11-rc bug fixes

by Bjorn Andersson

Amit and Johan both reported a NULL pointer dereference in the pmic_glink client code during initialization, and Stephen Boyd pointed out the problem (race condition). While investigating, and writing the fix, I noticed that ucsi_unregister() is called in atomic context but tries to sleep, and I also noticed that the condition for when to inform the pmic_glink client drivers when the remote has gone down is just wrong. So, let's fix all three. As mentioned in the commit message for the UCSI fix, I have a series in the works that makes the GLINK callback happen in a sleepable context, which would remove the need for the clients list to be protected by a spinlock, and removing the work scheduling. This is however not -rc material... In addition to the NULL pointer dereference, there is the -ECANCELED issue reported here: https://lore.kernel.org/all/Zqet8iInnDhnxkT9@hovoldconsulting.com/ I have not yet been able to either reproduce this or convince myself that this is the same issue. Signed-off-by: Bjorn Andersson <quic_bjorande(a)quicinc.com> --- Bjorn Andersson (3): soc: qcom: pmic_glink: Fix race during initialization usb: typec: ucsi: Move unregister out of atomic section soc: qcom: pmic_glink: Actually communicate with remote goes down drivers/power/supply/qcom_battmgr.c | 16 ++++++++----- drivers/soc/qcom/pmic_glink.c | 40 +++++++++++++++++++++---------- drivers/soc/qcom/pmic_glink_altmode.c | 17 +++++++++----- drivers/usb/typec/ucsi/ucsi_glink.c | 44 ++++++++++++++++++++++++++--------- include/linux/soc/qcom/pmic_glink.h | 11 +++++---- 5 files changed, 88 insertions(+), 40 deletions(-) --- base-commit: 296c871d2904cff2b4742702ef94512ab467a8e3 change-id: 20240818-pmic-glink-v6-11-races-363f5964c339 Best regards, -- Bjorn Andersson <quic_bjorande(a)quicinc.com>

4 months, 3 weeks

7
23
0 0

[PATCH 5.15.y] block: use "unsigned long" for blk_validate_block_size().

by David Hunter

Since lo_simple_ioctl(LOOP_SET_BLOCK_SIZE) and ioctl(NBD_SET_BLKSIZE) pass user-controlled "unsigned long arg" to blk_validate_block_size(), "unsigned long" should be used for validation. Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://lore.kernel.org/r/9ecbf057-4375-c2db-ab53-e4cc0dff953d@i-love.sakur… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> (cherry picked from commit 37ae5a0f5287a52cf51242e76ccf198d02ffe495) Signed-off-by: David Hunter <david.hunter.linux(a)gmail.com> --- include/linux/blkdev.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index 905844172cfd..c6d57814988d 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -235,7 +235,7 @@ struct request { void *end_io_data; }; -static inline int blk_validate_block_size(unsigned int bsize) +static inline int blk_validate_block_size(unsigned long bsize) { if (bsize < 512 || bsize > PAGE_SIZE || !is_power_of_2(bsize)) return -EINVAL; -- 2.43.0

4 months, 3 weeks

1
1
0 0

+ mm-krealloc-consider-spare-memory-for-__gfp_zero.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm: krealloc: consider spare memory for __GFP_ZERO has been added to the -mm mm-unstable branch. Its filename is mm-krealloc-consider-spare-memory-for-__gfp_zero.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Danilo Krummrich <dakr(a)kernel.org> Subject: mm: krealloc: consider spare memory for __GFP_ZERO Date: Tue, 13 Aug 2024 00:34:34 +0200 As long as krealloc() is called with __GFP_ZERO consistently, starting with the initial memory allocation, __GFP_ZERO should be fully honored. However, if for an existing allocation krealloc() is called with a decreased size, it is not ensured that the spare portion the allocation is zeroed. Thus, if krealloc() is subsequently called with a larger size again, __GFP_ZERO can't be fully honored, since we don't know the previous size, but only the bucket size. Example: buf = kzalloc(64, GFP_KERNEL); memset(buf, 0xff, 64); buf = krealloc(buf, 48, GFP_KERNEL | __GFP_ZERO); /* After this call the last 16 bytes are still 0xff. */ buf = krealloc(buf, 64, GFP_KERNEL | __GFP_ZERO); Fix this, by explicitly setting spare memory to zero, when shrinking an allocation with __GFP_ZERO flag set or init_on_alloc enabled. Link: https://lkml.kernel.org/r/20240812223707.32049-1-dakr@kernel.org Signed-off-by: Danilo Krummrich <dakr(a)kernel.org> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Acked-by: David Rientjes <rientjes(a)google.com> Cc: Christoph Lameter <cl(a)linux.com> Cc: Hyeonggon Yoo <42.hyeyoo(a)gmail.com> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Pekka Enberg <penberg(a)kernel.org> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/slab_common.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/mm/slab_common.c~mm-krealloc-consider-spare-memory-for-__gfp_zero +++ a/mm/slab_common.c @@ -1273,6 +1273,13 @@ __do_krealloc(const void *p, size_t new_ /* If the object still fits, repoison it precisely. */ if (ks >= new_size) { + /* Zero out spare memory. */ + if (want_init_on_alloc(flags)) { + kasan_disable_current(); + memset((void *)p + new_size, 0, ks - new_size); + kasan_enable_current(); + } + p = kasan_krealloc((void *)p, new_size, flags); return (void *)p; } _ Patches currently in -mm which might be from dakr(a)kernel.org are mm-vmalloc-implement-vrealloc.patch mm-vmalloc-implement-vrealloc-fix.patch mm-vmalloc-implement-vrealloc-fix-2.patch mm-vmalloc-implement-vrealloc-fix-3.patch mm-vmalloc-implement-vrealloc-fix-4.patch mm-kvmalloc-align-kvrealloc-with-krealloc.patch mm-kvmalloc-align-kvrealloc-with-krealloc-fix.patch mm-kvmalloc-align-kvrealloc-with-krealloc-fix-2.patch mm-kvmalloc-align-kvrealloc-with-krealloc-fix-3.patch mm-krealloc-consider-spare-memory-for-__gfp_zero.patch mm-krealloc-clarify-valid-usage-of-__gfp_zero.patch

4 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror August 2024