April 2025 - Linux-stable-mirror

[RFC PATCH net-next v2 01/11] net: phylink: fix possible circular locking dep with config in-band

by Christian Marangi

Debug lock detection revealed a possible circular locking dependency between phylink_major_config() and phylink_bringup_phy(). This was introduced by the addition of phy_config_inband(), which acquires the phydev lock. This made the locking order in phylink_bringup_phy() inconsistent, as it acquires the phydev lock before phylink's state_mutex. A deadlock can occur when phylink_major_config() is called from phylink_resolve(), where the state_mutex is taken first and then the phydev lock. This is the reverse of the order used in phylink_bringup_phy(). To avoid this circular dependency, change the locking order in phylink_bringup_phy() to match the pattern used in phylink_resolve(): take state_mutex first, then the phydev lock. A sample lockdep warning is included below for reference: [ 147.749178] [ 147.750682] ====================================================== [ 147.756850] WARNING: possible circular locking dependency detected [ 147.763019] 6.14.0-next-20250404+ #0 Tainted: G O [ 147.769189] ------------------------------------------------------ [ 147.775356] kworker/u16:0/12 is trying to acquire lock: [ 147.780571] ffffff80ce9bcf08 (&dev->lock#2){+.+.}-{4:4}, at: phy_config_inband+0x44/0x90 [ 147.788672] [ 147.788672] but task is already holding lock: [ 147.794492] ffffff80c0dfbda0 (&pl->state_mutex){+.+.}-{4:4}, at: phylink_resolve+0x2c/0x6a8 [ 147.802840] [ 147.802840] which lock already depends on the new lock. [ 147.802840] [ 147.811002] [ 147.811002] the existing dependency chain (in reverse order) is: [ 147.818472] [ 147.818472] -> #1 (&pl->state_mutex){+.+.}-{4:4}: [ 147.824647] __mutex_lock+0x90/0x924 [ 147.828738] mutex_lock_nested+0x20/0x28 [ 147.833173] phylink_bringup_phy+0x210/0x700 [ 147.837954] phylink_fwnode_phy_connect+0xe0/0x124 [ 147.843256] phylink_of_phy_connect+0x18/0x20 [ 147.848124] dsa_user_create+0x210/0x414 [ 147.852561] dsa_port_setup+0xd4/0x14c [ 147.856823] dsa_register_switch+0xbb0/0xe40 [ 147.861605] mt7988_probe+0xf8/0x140 [ 147.865694] platform_probe+0x64/0xbc [ 147.869869] really_probe+0xbc/0x388 [ 147.873955] __driver_probe_device+0x78/0x154 [ 147.878823] driver_probe_device+0x3c/0xd4 [ 147.883430] __device_attach_driver+0xb0/0x144 [ 147.888383] bus_for_each_drv+0x6c/0xb0 [ 147.892732] __device_attach+0x9c/0x19c [ 147.897078] device_initial_probe+0x10/0x18 [ 147.901771] bus_probe_device+0xa8/0xac [ 147.906118] deferred_probe_work_func+0xb8/0x118 [ 147.911245] process_one_work+0x224/0x610 [ 147.915769] worker_thread+0x1b8/0x35c [ 147.920029] kthread+0x11c/0x1e8 [ 147.923769] ret_from_fork+0x10/0x20 [ 147.927857] [ 147.927857] -> #0 (&dev->lock#2){+.+.}-{4:4}: [ 147.933686] __lock_acquire+0x12b8/0x1ff0 [ 147.938209] lock_acquire+0xf4/0x2d8 [ 147.942295] __mutex_lock+0x90/0x924 [ 147.946383] mutex_lock_nested+0x20/0x28 [ 147.950817] phy_config_inband+0x44/0x90 [ 147.955252] phylink_major_config+0x684/0xa64 [ 147.960120] phylink_resolve+0x24c/0x6a8 [ 147.964554] process_one_work+0x224/0x610 [ 147.969075] worker_thread+0x1b8/0x35c [ 147.973335] kthread+0x11c/0x1e8 [ 147.977075] ret_from_fork+0x10/0x20 [ 147.981162] [ 147.981162] other info that might help us debug this: [ 147.981162] [ 147.989150] Possible unsafe locking scenario: [ 147.989150] [ 147.995056] CPU0 CPU1 [ 147.999575] ---- ---- [ 148.004094] lock(&pl->state_mutex); [ 148.007748] lock(&dev->lock#2); [ 148.013572] lock(&pl->state_mutex); [ 148.019742] lock(&dev->lock#2); [ 148.023051] [ 148.023051] *** DEADLOCK *** [ 148.023051] [ 148.028958] 3 locks held by kworker/u16:0/12: [ 148.033304] #0: ffffff80c0011d48 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x1a8/0x610 [ 148.044082] #1: ffffffc081ca3dd8 ((work_completion)(&pl->resolve)){+.+.}-{0:0}, at: process_one_work+0x1d0/0x610 [ 148.054338] #2: ffffff80c0dfbda0 (&pl->state_mutex){+.+.}-{4:4}, at: phylink_resolve+0x2c/0x6a8 [ 148.063119] [ 148.063119] stack backtrace: [ 148.067465] CPU: 3 UID: 0 PID: 12 Comm: kworker/u16:0 Tainted: G O 6.14.0-next-20250404+ #0 NONE [ 148.067472] Tainted: [O]=OOT_MODULE [ 148.067474] Hardware name: Bananapi BPI-R4 2.5GE PoE (DT) [ 148.067476] Workqueue: events_power_efficient phylink_resolve [ 148.067482] Call trace: [ 148.067484] show_stack+0x14/0x1c (C) [ 148.067492] dump_stack_lvl+0x84/0xc0 [ 148.067497] dump_stack+0x14/0x1c [ 148.067500] print_circular_bug+0x330/0x43c [ 148.067505] check_noncircular+0x124/0x134 [ 148.067508] __lock_acquire+0x12b8/0x1ff0 [ 148.067512] lock_acquire+0xf4/0x2d8 [ 148.067516] __mutex_lock+0x90/0x924 [ 148.067521] mutex_lock_nested+0x20/0x28 [ 148.067527] phy_config_inband+0x44/0x90 [ 148.067531] phylink_major_config+0x684/0xa64 [ 148.067535] phylink_resolve+0x24c/0x6a8 [ 148.067539] process_one_work+0x224/0x610 [ 148.067544] worker_thread+0x1b8/0x35c [ 148.067548] kthread+0x11c/0x1e8 [ 148.067552] ret_from_fork+0x10/0x20 Cc: stable(a)vger.kernel.org Fixes: 5fd0f1a02e75 ("net: phylink: add negotiation of in-band capabilities") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/net/phy/phylink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c index 69ca765485db..4a1edf19dfad 100644 --- a/drivers/net/phy/phylink.c +++ b/drivers/net/phy/phylink.c @@ -2072,8 +2072,8 @@ static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy, dev_name(&phy->mdio.dev), phy->drv->name, irq_str); kfree(irq_str); - mutex_lock(&phy->lock); mutex_lock(&pl->state_mutex); + mutex_lock(&phy->lock); pl->phydev = phy; pl->phy_state.interface = interface; pl->phy_state.pause = MLO_PAUSE_NONE; @@ -2115,8 +2115,8 @@ static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy, phy_disable_eee(phy); } - mutex_unlock(&pl->state_mutex); mutex_unlock(&phy->lock); + mutex_unlock(&pl->state_mutex); phylink_dbg(pl, "phy: %s setting supported %*pb advertising %*pb\n", -- 2.48.1

2 weeks, 5 days

1
0
0 0

[PATCH] media: dst_ca: Add error handling for dst_comm_init()

by Wentao Liang

The function dst_ci_command() calls the function dst_comm_init() but does not handle the error if the init fails. A proper implementation can be found in dst_command() in /source/drivers/media/pci/bt8xx/dst.c. Add error handling to the dst_comm_init(). Print an error message via dprintk(), and jump to the 'error' label if the function fails. Fixes: 50b215a05878 ("[PATCH] dvb: DST: reorganize Twinhan DST driver to support CI") Cc: stable(a)vger.kernel.org # v2.6+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/media/pci/bt8xx/dst_ca.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c index a9cc6e7a57f9..a743f7653fdd 100644 --- a/drivers/media/pci/bt8xx/dst_ca.c +++ b/drivers/media/pci/bt8xx/dst_ca.c @@ -66,7 +66,10 @@ static int dst_ci_command(struct dst_state* state, u8 * data, u8 *ca_string, u8 u8 reply; mutex_lock(&state->dst_mutex); - dst_comm_init(state); + if (dst_comm_init(state) < 0) { + dprintk(verbose, DST_CA_ERROR, 1, "DST initialization failed."); + goto error; + } msleep(65); if (write_dst(state, data, len)) { -- 2.42.0.windows.2

2 weeks, 5 days

1
0
0 0

[PATCH v4] staging: rtl8723bs: Add error handling for sd_read()

by Wentao Liang

The sdio_read32() calls sd_read(), but does not handle the error if sd_read() fails. This could lead to subsequent operations processing invalid data. A proper implementation can be found in sdio_readN(). Add error handling for the sd_read() to free tmpbuf and return error code if sd_read() fails. This ensure that the memcpy() is only performed when the read operation is successful. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable(a)vger.kernel.org # v4.12+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v4: Add change log and fix error code v3: Add Cc flag v2: Change code to initialize val drivers/staging/rtl8723bs/hal/sdio_ops.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/hal/sdio_ops.c b/drivers/staging/rtl8723bs/hal/sdio_ops.c index 21e9f1858745..045153991986 100644 --- a/drivers/staging/rtl8723bs/hal/sdio_ops.c +++ b/drivers/staging/rtl8723bs/hal/sdio_ops.c @@ -185,7 +185,12 @@ static u32 sdio_read32(struct intf_hdl *intfhdl, u32 addr) return SDIO_ERR_VAL32; ftaddr &= ~(u16)0x3; - sd_read(intfhdl, ftaddr, 8, tmpbuf); + err = sd_read(intfhdl, ftaddr, 8, tmpbuf); + if (err) { + kfree(tmpbuf) + return SDIO_ERR_VAL32; + } + memcpy(&le_tmp, tmpbuf + shift, 4); val = le32_to_cpu(le_tmp); -- 2.42.0.windows.2

2 weeks, 6 days

3
2
0 0

[PATCH 5.15.y] cifs: Fix UAF in cifs_demultiplex_thread()

by He Zhe

From: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> commit d527f51331cace562393a8038d870b3e9916686f upstream. There is a UAF when xfstests on cifs: BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160 Read of size 4 at addr ffff88810103fc08 by task cifsd/923 CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45 ... Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report+0x171/0x472 kasan_report+0xad/0x130 kasan_check_range+0x145/0x1a0 smb2_is_network_name_deleted+0x27/0x160 cifs_demultiplex_thread.cold+0x172/0x5a4 kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 </TASK> Allocated by task 923: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_slab_alloc+0x54/0x60 kmem_cache_alloc+0x147/0x320 mempool_alloc+0xe1/0x260 cifs_small_buf_get+0x24/0x60 allocate_buffers+0xa1/0x1c0 cifs_demultiplex_thread+0x199/0x10d0 kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 Freed by task 921: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x143/0x1b0 kmem_cache_free+0xe3/0x4d0 cifs_small_buf_release+0x29/0x90 SMB2_negotiate+0x8b7/0x1c60 smb2_negotiate+0x51/0x70 cifs_negotiate_protocol+0xf0/0x160 cifs_get_smb_ses+0x5fa/0x13c0 mount_get_conns+0x7a/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The UAF is because: mount(pid: 921) | cifsd(pid: 923) -------------------------------|------------------------------- | cifs_demultiplex_thread SMB2_negotiate | cifs_send_recv | compound_send_recv | smb_send_rqst | wait_for_response | wait_event_state [1] | | standard_receive3 | cifs_handle_standard | handle_mid | mid->resp_buf = buf; [2] | dequeue_mid [3] KILL the process [4] | resp_iov[i].iov_base = buf | free_rsp_buf [5] | | is_network_name_deleted [6] | callback 1. After send request to server, wait the response until mid->mid_state != SUBMITTED; 2. Receive response from server, and set it to mid; 3. Set the mid state to RECEIVED; 4. Kill the process, the mid state already RECEIVED, get 0; 5. Handle and release the negotiate response; 6. UAF. It can be easily reproduce with add some delay in [3] - [6]. Only sync call has the problem since async call's callback is executed in cifsd process. Add an extra state to mark the mid state to READY before wakeup the waitter, then it can get the resp safely. Fixes: ec637e3ffb6b ("[CIFS] Avoid extra large buffer allocation (and memcpy) in cifs_readpages") Reviewed-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [fs/cifs was moved to fs/smb/client since 38c8a9a52082 ("smb: move client and server files to common directory fs/smb"). We apply the patch to fs/cifs with some minor context changes.] Signed-off-by: He Zhe <zhe.he(a)windriver.com> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- Build test passed. --- fs/cifs/cifsglob.h | 1 + fs/cifs/transport.c | 34 +++++++++++++++++++++++----------- 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 2ee67a27020d..8bd5d528244e 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -1719,6 +1719,7 @@ static inline bool is_retryable_error(int error) #define MID_RETRY_NEEDED 8 /* session closed while this request out */ #define MID_RESPONSE_MALFORMED 0x10 #define MID_SHUTDOWN 0x20 +#define MID_RESPONSE_READY 0x40 /* ready for other process handle the rsp */ /* Flags */ #define MID_WAIT_CANCELLED 1 /* Cancelled while waiting for response */ diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c index 49b7edbe3497..8cf12c106afa 100644 --- a/fs/cifs/transport.c +++ b/fs/cifs/transport.c @@ -34,6 +34,8 @@ void cifs_wake_up_task(struct mid_q_entry *mid) { + if (mid->mid_state == MID_RESPONSE_RECEIVED) + mid->mid_state = MID_RESPONSE_READY; wake_up_process(mid->callback_data); } @@ -86,7 +88,8 @@ static void _cifs_mid_q_entry_release(struct kref *refcount) struct TCP_Server_Info *server = midEntry->server; if (midEntry->resp_buf && (midEntry->mid_flags & MID_WAIT_CANCELLED) && - midEntry->mid_state == MID_RESPONSE_RECEIVED && + (midEntry->mid_state == MID_RESPONSE_RECEIVED || + midEntry->mid_state == MID_RESPONSE_READY) && server->ops->handle_cancelled_mid) server->ops->handle_cancelled_mid(midEntry, server); @@ -762,7 +765,8 @@ wait_for_response(struct TCP_Server_Info *server, struct mid_q_entry *midQ) int error; error = wait_event_freezekillable_unsafe(server->response_q, - midQ->mid_state != MID_REQUEST_SUBMITTED); + midQ->mid_state != MID_REQUEST_SUBMITTED && + midQ->mid_state != MID_RESPONSE_RECEIVED); if (error < 0) return -ERESTARTSYS; @@ -914,7 +918,7 @@ cifs_sync_mid_result(struct mid_q_entry *mid, struct TCP_Server_Info *server) spin_lock(&GlobalMid_Lock); switch (mid->mid_state) { - case MID_RESPONSE_RECEIVED: + case MID_RESPONSE_READY: spin_unlock(&GlobalMid_Lock); return rc; case MID_RETRY_NEEDED: @@ -1013,6 +1017,9 @@ cifs_compound_callback(struct mid_q_entry *mid) credits.instance = server->reconnect_instance; add_credits(server, &credits, mid->optype); + + if (mid->mid_state == MID_RESPONSE_RECEIVED) + mid->mid_state = MID_RESPONSE_READY; } static void @@ -1204,7 +1211,8 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses, send_cancel(server, &rqst[i], midQ[i]); spin_lock(&GlobalMid_Lock); midQ[i]->mid_flags |= MID_WAIT_CANCELLED; - if (midQ[i]->mid_state == MID_REQUEST_SUBMITTED) { + if (midQ[i]->mid_state == MID_REQUEST_SUBMITTED || + midQ[i]->mid_state == MID_RESPONSE_RECEIVED) { midQ[i]->callback = cifs_cancelled_callback; cancelled_mid[i] = true; credits[i].value = 0; @@ -1225,7 +1233,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses, } if (!midQ[i]->resp_buf || - midQ[i]->mid_state != MID_RESPONSE_RECEIVED) { + midQ[i]->mid_state != MID_RESPONSE_READY) { rc = -EIO; cifs_dbg(FYI, "Bad MID state?\n"); goto out; @@ -1404,7 +1412,8 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses, if (rc != 0) { send_cancel(server, &rqst, midQ); spin_lock(&GlobalMid_Lock); - if (midQ->mid_state == MID_REQUEST_SUBMITTED) { + if (midQ->mid_state == MID_REQUEST_SUBMITTED || + midQ->mid_state == MID_RESPONSE_RECEIVED) { /* no longer considered to be "in-flight" */ midQ->callback = DeleteMidQEntry; spin_unlock(&GlobalMid_Lock); @@ -1421,7 +1430,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses, } if (!midQ->resp_buf || !out_buf || - midQ->mid_state != MID_RESPONSE_RECEIVED) { + midQ->mid_state != MID_RESPONSE_READY) { rc = -EIO; cifs_server_dbg(VFS, "Bad MID state?\n"); goto out; @@ -1541,13 +1550,15 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon, /* Wait for a reply - allow signals to interrupt. */ rc = wait_event_interruptible(server->response_q, - (!(midQ->mid_state == MID_REQUEST_SUBMITTED)) || + (!(midQ->mid_state == MID_REQUEST_SUBMITTED || + midQ->mid_state == MID_RESPONSE_RECEIVED)) || ((server->tcpStatus != CifsGood) && (server->tcpStatus != CifsNew))); /* Were we interrupted by a signal ? */ if ((rc == -ERESTARTSYS) && - (midQ->mid_state == MID_REQUEST_SUBMITTED) && + (midQ->mid_state == MID_REQUEST_SUBMITTED || + midQ->mid_state == MID_RESPONSE_RECEIVED) && ((server->tcpStatus == CifsGood) || (server->tcpStatus == CifsNew))) { @@ -1577,7 +1588,8 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon, if (rc) { send_cancel(server, &rqst, midQ); spin_lock(&GlobalMid_Lock); - if (midQ->mid_state == MID_REQUEST_SUBMITTED) { + if (midQ->mid_state == MID_REQUEST_SUBMITTED || + midQ->mid_state == MID_RESPONSE_RECEIVED) { /* no longer considered to be "in-flight" */ midQ->callback = DeleteMidQEntry; spin_unlock(&GlobalMid_Lock); @@ -1595,7 +1607,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon, return rc; /* rcvd frame is ok */ - if (out_buf == NULL || midQ->mid_state != MID_RESPONSE_RECEIVED) { + if (out_buf == NULL || midQ->mid_state != MID_RESPONSE_READY) { rc = -EIO; cifs_tcon_dbg(VFS, "Bad MID state?\n"); goto out; -- 2.34.1

2 weeks, 6 days

2
1
0 0

[PATCH 6.1] Revert "fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super"

by Fedor Pchelkin

This reverts commit f9c572d02fcced59c68f0287680fef9a5e0f5c9a which is commit 91a4b1ee78cb100b19b70f077c247f211110348f upstream. The backported version of the fix does a lot of things which it shouldn't do and which the upstream commit doesn't touch as well. Various auto-formatting changes and duplicate assignments made by the ported version are not a big deal on its own, but what is more important, it just drops 'sbi->zone_max' initialization for an unknown reason. Original commit doesn't ever intend to do anything with that. Better revert this commit from the stable branch for now. Found by Linux Verification Center (linuxtesting.org). Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- FWIW there exists another variant of this backport patch [1] which at a quick glance looks more appropriate and was posted nearly a year ago. I've added Roman - author of [1] - to Cc. Maybe he would be interested in resending this so that it'd appear in your queue again. Anyway, it's up to you to decide whether to take Roman's patch or just ignore it... [1]: https://lore.kernel.org/stable/20240424101114.192681-2-r.smirnov@omp.ru/ fs/ntfs3/ntfs_fs.h | 2 -- fs/ntfs3/super.c | 68 +++++++++++++++------------------------------- 2 files changed, 22 insertions(+), 48 deletions(-) diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h index f2f32e304b3d..05d9abd66b37 100644 --- a/fs/ntfs3/ntfs_fs.h +++ b/fs/ntfs3/ntfs_fs.h @@ -42,11 +42,9 @@ enum utf16_endian; #define MINUS_ONE_T ((size_t)(-1)) /* Biggest MFT / smallest cluster */ #define MAXIMUM_BYTES_PER_MFT 4096 -#define MAXIMUM_SHIFT_BYTES_PER_MFT 12 #define NTFS_BLOCKS_PER_MFT_RECORD (MAXIMUM_BYTES_PER_MFT / 512) #define MAXIMUM_BYTES_PER_INDEX 4096 -#define MAXIMUM_SHIFT_BYTES_PER_INDEX 12 #define NTFS_BLOCKS_PER_INODE (MAXIMUM_BYTES_PER_INDEX / 512) /* NTFS specific error code when fixup failed. */ diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index 674a16c0c66b..eee54214f4a3 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -680,7 +680,7 @@ static u32 true_sectors_per_clst(const struct NTFS_BOOT *boot) * ntfs_init_from_boot - Init internal info from on-disk boot sector. */ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, - u64 dev_size) + u64 dev_size) { struct ntfs_sb_info *sbi = sb->s_fs_info; int err; @@ -705,12 +705,12 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, /* 0x55AA is not mandaroty. Thanks Maxim Suhanov*/ /*if (0x55 != boot->boot_magic[0] || 0xAA != boot->boot_magic[1]) - * goto out; + * goto out; */ boot_sector_size = (u32)boot->bytes_per_sector[1] << 8; if (boot->bytes_per_sector[0] || boot_sector_size < SECTOR_SIZE || - !is_power_of_2(boot_sector_size)) { + !is_power_of_2(boot_sector_size)) { goto out; } @@ -733,49 +733,15 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, /* Check MFT record size. */ if ((boot->record_size < 0 && - SECTOR_SIZE > (2U << (-boot->record_size))) || - (boot->record_size >= 0 && !is_power_of_2(boot->record_size))) { - goto out; - } - - /* Calculate cluster size */ - sbi->cluster_size = boot_sector_size * sct_per_clst; - sbi->cluster_bits = blksize_bits(sbi->cluster_size); - - if (boot->record_size >= 0) { - record_size = (u32)boot->record_size << sbi->cluster_bits; - } else if (-boot->record_size <= MAXIMUM_SHIFT_BYTES_PER_MFT) { - record_size = 1u << (-boot->record_size); - } else { - ntfs_err(sb, "%s: invalid record size %d.", "NTFS", - boot->record_size); - goto out; - } - - sbi->record_size = record_size; - sbi->record_bits = blksize_bits(record_size); - sbi->attr_size_tr = (5 * record_size >> 4); // ~320 bytes - - if (record_size > MAXIMUM_BYTES_PER_MFT) { - ntfs_err(sb, "Unsupported bytes per MFT record %u.", - record_size); - goto out; - } - - if (boot->index_size >= 0) { - sbi->index_size = (u32)boot->index_size << sbi->cluster_bits; - } else if (-boot->index_size <= MAXIMUM_SHIFT_BYTES_PER_INDEX) { - sbi->index_size = 1u << (-boot->index_size); - } else { - ntfs_err(sb, "%s: invalid index size %d.", "NTFS", - boot->index_size); + SECTOR_SIZE > (2U << (-boot->record_size))) || + (boot->record_size >= 0 && !is_power_of_2(boot->record_size))) { goto out; } /* Check index record size. */ if ((boot->index_size < 0 && - SECTOR_SIZE > (2U << (-boot->index_size))) || - (boot->index_size >= 0 && !is_power_of_2(boot->index_size))) { + SECTOR_SIZE > (2U << (-boot->index_size))) || + (boot->index_size >= 0 && !is_power_of_2(boot->index_size))) { goto out; } @@ -796,6 +762,9 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, dev_size += sector_size - 1; } + sbi->cluster_size = boot_sector_size * sct_per_clst; + sbi->cluster_bits = blksize_bits(sbi->cluster_size); + sbi->mft.lbo = mlcn << sbi->cluster_bits; sbi->mft.lbo2 = mlcn2 << sbi->cluster_bits; @@ -816,9 +785,9 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, sbi->cluster_mask = sbi->cluster_size - 1; sbi->cluster_mask_inv = ~(u64)sbi->cluster_mask; sbi->record_size = record_size = boot->record_size < 0 - ? 1 << (-boot->record_size) - : (u32)boot->record_size - << sbi->cluster_bits; + ? 1 << (-boot->record_size) + : (u32)boot->record_size + << sbi->cluster_bits; if (record_size > MAXIMUM_BYTES_PER_MFT || record_size < SECTOR_SIZE) goto out; @@ -832,8 +801,8 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, ALIGN(sizeof(enum ATTR_TYPE), 8); sbi->index_size = boot->index_size < 0 - ? 1u << (-boot->index_size) - : (u32)boot->index_size << sbi->cluster_bits; + ? 1u << (-boot->index_size) + : (u32)boot->index_size << sbi->cluster_bits; sbi->volume.ser_num = le64_to_cpu(boot->serial_num); @@ -902,6 +871,13 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, sb->s_maxbytes = 0xFFFFFFFFull << sbi->cluster_bits; #endif + /* + * Compute the MFT zone at two steps. + * It would be nice if we are able to allocate 1/8 of + * total clusters for MFT but not more then 512 MB. + */ + sbi->zone_max = min_t(CLST, 0x20000000 >> sbi->cluster_bits, clusters >> 3); + err = 0; out: -- 2.49.0

2 weeks, 6 days

1
0
0 0

RE: ISC West 2025 Attendee Contact List to Enhance Your B2B Lead Generation

by Jessica Garcia

Hi , Checking if you've had a chance to read the email I sent previously. If you need further information, I'd be happy to go over the figures and pricing. Regards Jessica Marketing Manager Campaign Data Leads., Please reply with REMOVE if you don't wish to receive further emails -----Original Message----- From: Jessica Garcia To: Subject: ISC West 2025 Attendee Contact List to Enhance Your B2B Lead Generation Hi , Planning to get the ICS West 2025 attendee list? Expo Name: International Security Conference & Exposition West 2025 Total Number of records: 23,000 records List includes: Company Name, Contact Name, Job Title, Mailing Address, Phone, Emails, etc. Interested in moving forward with these leads? Let me know, and I'll share the price. Can't wait for your reply Regards Jessica Marketing Manager Campaign Data Leads., Please reply with REMOVE if you don't wish to receive further emails

2 weeks, 6 days

1
0
0 0

[PATCH v3] staging: rtl8723bs: Add error handling for sd_read().

by Wentao Liang

The sdio_read32() calls sd_read(), but does not handle the error if sd_read() fails. This could lead to subsequent operations processing invalid data. A proper implementation can be found in sdio_readN(). Add error handling to the sd_read(), ensuring that the memcpy() is only performed when the read operation is successful. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable(a)vger.kernel.org # v4.12+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/staging/rtl8723bs/hal/sdio_ops.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8723bs/hal/sdio_ops.c b/drivers/staging/rtl8723bs/hal/sdio_ops.c index 21e9f1858745..b21fd087c9a0 100644 --- a/drivers/staging/rtl8723bs/hal/sdio_ops.c +++ b/drivers/staging/rtl8723bs/hal/sdio_ops.c @@ -185,9 +185,11 @@ static u32 sdio_read32(struct intf_hdl *intfhdl, u32 addr) return SDIO_ERR_VAL32; ftaddr &= ~(u16)0x3; - sd_read(intfhdl, ftaddr, 8, tmpbuf); - memcpy(&le_tmp, tmpbuf + shift, 4); - val = le32_to_cpu(le_tmp); + val = sd_read(intfhdl, ftaddr, 8, tmpbuf); + if (!val) { + memcpy(&le_tmp, tmpbuf + shift, 4); + val = le32_to_cpu(le_tmp); + } kfree(tmpbuf); } -- 2.42.0.windows.2

2 weeks, 6 days

2
1
0 0

[PATCH] serial: sifive: lock port in startup()/shutdown() callbacks

by Ryo Takakura

startup()/shutdown() callbacks access SIFIVE_SERIAL_IE_OFFS. The register is also accessed from write() callback. If console were printing and startup()/shutdown() callback gets called, its access to the register could be overwritten. Add port->lock to startup()/shutdown() callbacks to make sure their access to SIFIVE_SERIAL_IE_OFFS is synchronized against write() callback. Fixes: 45c054d0815b ("tty: serial: add driver for the SiFive UART") Signed-off-by: Ryo Takakura <ryotkkr98(a)gmail.com> Cc: stable(a)vger.kernel.org --- This patch used be part of a series for converting sifive driver to nbcon[0]. It's now sent seperatly as the rest of the series does not need be applied to the stable branch. Sincerely, Ryo Takakura [0] https://lore.kernel.org/all/20250405043833.397020-1-ryotkkr98@gmail.com/ --- drivers/tty/serial/sifive.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/sifive.c b/drivers/tty/serial/sifive.c index 5904a2d4c..054a8e630 100644 --- a/drivers/tty/serial/sifive.c +++ b/drivers/tty/serial/sifive.c @@ -563,8 +563,11 @@ static void sifive_serial_break_ctl(struct uart_port *port, int break_state) static int sifive_serial_startup(struct uart_port *port) { struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); + unsigned long flags; + uart_port_lock_irqsave(&ssp->port, &flags); __ssp_enable_rxwm(ssp); + uart_port_unlock_irqrestore(&ssp->port, flags); return 0; } @@ -572,9 +575,12 @@ static int sifive_serial_startup(struct uart_port *port) static void sifive_serial_shutdown(struct uart_port *port) { struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); + unsigned long flags; + uart_port_lock_irqsave(&ssp->port, &flags); __ssp_disable_rxwm(ssp); __ssp_disable_txwm(ssp); + uart_port_unlock_irqrestore(&ssp->port, flags); } /** -- 2.34.1

2 weeks, 6 days

2
2
0 0

[6.1 PATCH RESEND 00/12] KVM: arm64: Backport of SVE fixes to v6.1

by Mark Brown

This series backports some recent fixes for SVE/KVM interactions from Mark Rutland to v6.1. Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Mark Brown (4): KVM: arm64: Discard any SVE state when entering KVM guests arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE arm64/fpsimd: Have KVM explicitly say which FP registers to save arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} arch/arm64/include/asm/fpsimd.h | 4 +- arch/arm64/include/asm/kvm_host.h | 19 +++--- arch/arm64/include/asm/kvm_hyp.h | 1 + arch/arm64/include/asm/processor.h | 7 +++ arch/arm64/kernel/fpsimd.c | 69 +++++++++++++++------ arch/arm64/kernel/process.c | 2 + arch/arm64/kernel/ptrace.c | 3 + arch/arm64/kernel/signal.c | 7 ++- arch/arm64/kvm/arm.c | 1 - arch/arm64/kvm/fpsimd.c | 92 ++++++++------------------- arch/arm64/kvm/hyp/entry.S | 5 ++ arch/arm64/kvm/hyp/include/hyp/switch.h | 106 +++++++++++++++++++++----------- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 8 +-- arch/arm64/kvm/hyp/nvhe/pkvm.c | 17 +---- arch/arm64/kvm/hyp/nvhe/switch.c | 91 +++++++++++++++++---------- arch/arm64/kvm/hyp/vhe/switch.c | 12 ++-- arch/arm64/kvm/reset.c | 3 + 17 files changed, 259 insertions(+), 188 deletions(-) --- base-commit: 344a09659766c83c42cdd4943318deabde89a9c3 change-id: 20250227-stable-sve-6-1-075c1295b363 Best regards, -- Mark Brown <broonie(a)kernel.org>

2 weeks, 6 days

2
24
0 0

[PATCH Linux-6.12.y 1/1] idpf: Don't hard code napi_struct size

by Yifei Liu

From: Joe Damato <jdamato(a)fastly.com> commit 49717ef01ce1b6dbe4cd12bee0fc25e086c555df upstream. The sizeof(struct napi_struct) can change. Don't hardcode the size to 400 bytes and instead use "sizeof(struct napi_struct)". Suggested-by: Alexander Lobakin <aleksander.lobakin(a)intel.com> Signed-off-by: Joe Damato <jdamato(a)fastly.com> Acked-by: Alexander Lobakin <aleksander.lobakin(a)intel.com> Link: https://patch.msgid.link/20241004105407.73585-1-jdamato@fastly.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> (cherry picked from commit 49717ef01ce1b6dbe4cd12bee0fc25e086c555df) [Yifei: In Linux-6.12.y, it still hard code the size of napi_struct, adding a member will lead the entire build failed] Signed-off-by: Yifei Liu <yifei.l.liu(a)oracle.com> --- drivers/net/ethernet/intel/idpf/idpf_txrx.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h index f0537826f840..9c1fe84108ed 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h +++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h @@ -438,7 +438,8 @@ struct idpf_q_vector { __cacheline_group_end_aligned(cold); }; libeth_cacheline_set_assert(struct idpf_q_vector, 112, - 424 + 2 * sizeof(struct dim), + 24 + sizeof(struct napi_struct) + + 2 * sizeof(struct dim), 8 + sizeof(cpumask_var_t)); struct idpf_rx_queue_stats { -- 2.46.0

2 weeks, 6 days

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2025