April 2025 - Linux-stable-mirror

[PATCH v2] iio: adc: Include valid channel for channel selection

by Gabriel Shahrouzi

According to the datasheet on page 9 under the channel selection table, all devices (AD7816/7/8) are able to use the channel marked as 7. This channel is used for diagnostic purposes by routing the internal 1.23V bandgap source through the MUX to the input of the ADC. Replace checking for string equality with checking for the same chip ID to reduce time complexity. Group invalid channels for all devices together because they are processed the same way. Fixes: 7924425db04a ("staging: iio: adc: new driver for AD7816 devices") Cc: stable(a)vger.kernel.org Signed-off-by: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> --- Changes since v2: - Refactor by adding chip_info struct which simplifies condtional logic. --- drivers/staging/iio/adc/ad7816.c | 68 ++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 30 deletions(-) diff --git a/drivers/staging/iio/adc/ad7816.c b/drivers/staging/iio/adc/ad7816.c index 6c14d7bcdd675..ec955cbf06c17 100644 --- a/drivers/staging/iio/adc/ad7816.c +++ b/drivers/staging/iio/adc/ad7816.c @@ -41,8 +41,20 @@ * struct ad7816_chip_info - chip specific information */ +enum ad7816_type { + ID_AD7816, + ID_AD7817, + ID_AD7818, +}; + struct ad7816_chip_info { - kernel_ulong_t id; + const char *name; + enum ad7816_type type; + u8 max_channels; +}; + +struct ad7816_state { + const struct ad7816_chip_info *chip_info; struct spi_device *spi_dev; struct gpio_desc *rdwr_pin; struct gpio_desc *convert_pin; @@ -52,16 +64,11 @@ struct ad7816_chip_info { u8 mode; }; -enum ad7816_type { - ID_AD7816, - ID_AD7817, - ID_AD7818, -}; /* * ad7816 data access by SPI */ -static int ad7816_spi_read(struct ad7816_chip_info *chip, u16 *data) +static int ad7816_spi_read(struct ad7816_state *chip, u16 *data) { struct spi_device *spi_dev = chip->spi_dev; int ret; @@ -84,7 +91,7 @@ static int ad7816_spi_read(struct ad7816_chip_info *chip, u16 *data) gpiod_set_value(chip->convert_pin, 1); } - if (chip->id == ID_AD7816 || chip->id == ID_AD7817) { + if (chip->chip_info->type == ID_AD7816 || chip->chip_info->type == ID_AD7817) { while (gpiod_get_value(chip->busy_pin)) cpu_relax(); } @@ -102,7 +109,7 @@ static int ad7816_spi_read(struct ad7816_chip_info *chip, u16 *data) return ret; } -static int ad7816_spi_write(struct ad7816_chip_info *chip, u8 data) +static int ad7816_spi_write(struct ad7816_state *chip, u8 data) { struct spi_device *spi_dev = chip->spi_dev; int ret; @@ -121,7 +128,7 @@ static ssize_t ad7816_show_mode(struct device *dev, char *buf) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7816_chip_info *chip = iio_priv(indio_dev); + struct ad7816_state *chip = iio_priv(indio_dev); if (chip->mode) return sprintf(buf, "power-save\n"); @@ -134,7 +141,7 @@ static ssize_t ad7816_store_mode(struct device *dev, size_t len) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7816_chip_info *chip = iio_priv(indio_dev); + struct ad7816_state *chip = iio_priv(indio_dev); if (strcmp(buf, "full")) { gpiod_set_value(chip->rdwr_pin, 1); @@ -167,7 +174,7 @@ static ssize_t ad7816_show_channel(struct device *dev, char *buf) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7816_chip_info *chip = iio_priv(indio_dev); + struct ad7816_state *chip = iio_priv(indio_dev); return sprintf(buf, "%d\n", chip->channel_id); } @@ -178,7 +185,7 @@ static ssize_t ad7816_store_channel(struct device *dev, size_t len) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7816_chip_info *chip = iio_priv(indio_dev); + struct ad7816_state *chip = iio_priv(indio_dev); unsigned long data; int ret; @@ -186,17 +193,10 @@ static ssize_t ad7816_store_channel(struct device *dev, if (ret) return ret; - if (data > AD7816_CS_MAX && data != AD7816_CS_MASK) { - dev_err(&chip->spi_dev->dev, "Invalid channel id %lu for %s.\n", - data, indio_dev->name); - return -EINVAL; - } else if (strcmp(indio_dev->name, "ad7818") == 0 && data > 1) { + if (data > chip->chip_info->max_channels && data != AD7816_CS_MASK) { dev_err(&chip->spi_dev->dev, - "Invalid channel id %lu for ad7818.\n", data); - return -EINVAL; - } else if (strcmp(indio_dev->name, "ad7816") == 0 && data > 0) { - dev_err(&chip->spi_dev->dev, - "Invalid channel id %lu for ad7816.\n", data); + "Invalid channel id %lu for %s (max regular: %u).\n", data, + chip->chip_info->name, chip->chip_info->max_channels); return -EINVAL; } @@ -215,7 +215,7 @@ static ssize_t ad7816_show_value(struct device *dev, char *buf) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7816_chip_info *chip = iio_priv(indio_dev); + struct ad7816_state *chip = iio_priv(indio_dev); u16 data; s8 value; int ret; @@ -271,7 +271,7 @@ static ssize_t ad7816_show_oti(struct device *dev, char *buf) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7816_chip_info *chip = iio_priv(indio_dev); + struct ad7816_state *chip = iio_priv(indio_dev); int value; if (chip->channel_id > AD7816_CS_MAX) { @@ -292,7 +292,7 @@ static inline ssize_t ad7816_set_oti(struct device *dev, size_t len) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7816_chip_info *chip = iio_priv(indio_dev); + struct ad7816_state *chip = iio_priv(indio_dev); long value; u8 data; int ret; @@ -345,14 +345,22 @@ static const struct iio_info ad7816_info = { .event_attrs = &ad7816_event_attribute_group, }; +static const struct ad7816_chip_info ad7816_chip_infos[] = { + [ID_AD7816] = { .name = "ad7816", .max_channels = 0, .type = ID_AD7816 }, + [ID_AD7817] = { .name = "ad7817", .max_channels = 3, .type = ID_AD7817 }, + [ID_AD7818] = { .name = "ad7818", .max_channels = 1, .type = ID_AD7818 }, +}; + /* * device probe and remove */ static int ad7816_probe(struct spi_device *spi_dev) { - struct ad7816_chip_info *chip; + struct ad7816_state *chip; struct iio_dev *indio_dev; + const struct spi_device_id *id = spi_get_device_id(spi_dev); + enum ad7816_type chip_type = (enum ad7816_type)id->driver_data; int i, ret; indio_dev = devm_iio_device_alloc(&spi_dev->dev, sizeof(*chip)); @@ -361,12 +369,12 @@ static int ad7816_probe(struct spi_device *spi_dev) chip = iio_priv(indio_dev); /* this is only used for device removal purposes */ dev_set_drvdata(&spi_dev->dev, indio_dev); + chip->chip_info = &ad7816_chip_infos[chip_type]; chip->spi_dev = spi_dev; for (i = 0; i <= AD7816_CS_MAX; i++) chip->oti_data[i] = 203; - chip->id = spi_get_device_id(spi_dev)->driver_data; chip->rdwr_pin = devm_gpiod_get(&spi_dev->dev, "rdwr", GPIOD_OUT_HIGH); if (IS_ERR(chip->rdwr_pin)) { ret = PTR_ERR(chip->rdwr_pin); @@ -382,7 +390,7 @@ static int ad7816_probe(struct spi_device *spi_dev) ret); return ret; } - if (chip->id == ID_AD7816 || chip->id == ID_AD7817) { + if (chip->chip_info->type == ID_AD7816 || chip->chip_info->type == ID_AD7817) { chip->busy_pin = devm_gpiod_get(&spi_dev->dev, "busy", GPIOD_IN); if (IS_ERR(chip->busy_pin)) { @@ -393,7 +401,7 @@ static int ad7816_probe(struct spi_device *spi_dev) } } - indio_dev->name = spi_get_device_id(spi_dev)->name; + indio_dev->name = chip->chip_info->name; indio_dev->info = &ad7816_info; indio_dev->modes = INDIO_DIRECT_MODE; -- 2.43.0

1 week, 4 days

2
2
0 0

[PATCH v3 1/5] staging: iio: adc: ad7816: Allow channel 7 for all devices

by Gabriel Shahrouzi

According to the datasheet on page 9 under the channel selection table, all devices (AD7816/7/8) are able to use the channel marked as 7. This channel is used for diagnostic purposes by routing the internal 1.23V bandgap source through the MUX to the input of the ADC. Modify the channel validation logic to permit channel 7 for all supported device types. Fixes: 7924425db04a ("staging: iio: adc: new driver for AD7816 devices") Cc: stable(a)vger.kernel.org Signed-off-by: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> --- drivers/staging/iio/adc/ad7816.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/iio/adc/ad7816.c b/drivers/staging/iio/adc/ad7816.c index 6c14d7bcdd675..a44b0c8c82b12 100644 --- a/drivers/staging/iio/adc/ad7816.c +++ b/drivers/staging/iio/adc/ad7816.c @@ -190,11 +190,11 @@ static ssize_t ad7816_store_channel(struct device *dev, dev_err(&chip->spi_dev->dev, "Invalid channel id %lu for %s.\n", data, indio_dev->name); return -EINVAL; - } else if (strcmp(indio_dev->name, "ad7818") == 0 && data > 1) { + } else if (strcmp(indio_dev->name, "ad7818") == 0 && data > 1 && data != AD7816_CS_MASK) { dev_err(&chip->spi_dev->dev, "Invalid channel id %lu for ad7818.\n", data); return -EINVAL; - } else if (strcmp(indio_dev->name, "ad7816") == 0 && data > 0) { + } else if (strcmp(indio_dev->name, "ad7816") == 0 && data > 0 && data != AD7816_CS_MASK) { dev_err(&chip->spi_dev->dev, "Invalid channel id %lu for ad7816.\n", data); return -EINVAL; -- 2.43.0

1 week, 4 days

1
0
0 0

[PATCH v3 0/4] J722S: Disable WIZ0 and WIZ1 in SoC file

by Siddharth Vadapalli

Hello, This series disables the "serdes_wiz0" and "serdes_wiz1" device-tree nodes in the J722S SoC file and enables them in the board files where they are required along with "serdes0" and "serdes1". There are two reasons behind this change: 1. To follow the existing convention of disabling nodes in the SoC file and enabling them in the board file as required. 2. To address situations where a board file hasn't explicitly disabled "serdes_wiz0" and "serdes_wiz1" (example: am67a-beagley-ai.dts) as a result of which booting the board displays the following errors: wiz bus@f0000:phy@f000000: probe with driver wiz failed with error -12 ... wiz bus@f0000:phy@f010000: probe with driver wiz failed with error -12 Additionally, another series for DT cleanup at: https://lore.kernel.org/r/20250412052712.927626-1-s-vadapalli@ti.com/ has been squashed into this series as patches 3 and 4. This has been done based on Nishanth's suggestion at: https://lore.kernel.org/r/20250414143916.zhskssezbffmvnsz@dragonfly/ Series is based on linux-next tagged next-20250417. NOTE: For patches 1 and 2 of this series which are "Fixes", it has also been verified that this series applies to the following commit cfb2e2c57aef Merge tag 'mm-hotfixes-stable-2025-04-16-19-59' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm of Mainline Linux. v2 of this series is at: https://lore.kernel.org/r/20250408103606.3679505-1-s-vadapalli@ti.com/ Changes since v2: - Collected Reviewed-by tags from Udit Kumar <u-kumar1(a)ti.com>. - Squashed the DT cleanup series at: https://lore.kernel.org/r/20250412052712.927626-1-s-vadapalli@ti.com/ as patches 3 and 4 of this series. v1 of this series is at: https://lore.kernel.org/r/20250408060636.3413856-1-s-vadapalli@ti.com/ Changes since v1: - Added "Fixes" tag and updated commit message accordingly. Regards, Siddharth. Siddharth Vadapalli (4): arm64: dts: ti: k3-j722s-evm: Enable "serdes_wiz0" and "serdes_wiz1" arm64: dts: ti: k3-j722s-main: Disable "serdes_wiz0" and "serdes_wiz1" arm64: dts: ti: k3-j722s-main: don't disable serdes0 and serdes1 arm64: dts: ti: k3-j722s-evm: drop redundant status within serdes0/serdes1 arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 10 ++++++++-- arch/arm64/boot/dts/ti/k3-j722s-main.dtsi | 8 ++++---- 2 files changed, 12 insertions(+), 6 deletions(-) -- 2.34.1

1 week, 4 days

3
6
0 0

[for-linus][PATCH 6/7] tracing: Fix filter string testing

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The filter string testing uses strncpy_from_kernel/user_nofault() to retrieve the string to test the filter against. The if() statement was incorrect as it considered 0 as a fault, when it is only negative that it faulted. Running the following commands: # cd /sys/kernel/tracing # echo "filename.ustring ~ \"/proc*\"" > events/syscalls/sys_enter_openat/filter # echo 1 > events/syscalls/sys_enter_openat/enable # ls /proc/$$/maps # cat trace Would produce nothing, but with the fix it will produce something like: ls-1192 [007] ..... 8169.828333: sys_openat(dfd: ffffffffffffff9c, filename: 7efc18359904, flags: 80000, mode: 0) Link: https://lore.kernel.org/all/CAEf4BzbVPQ=BjWztmEwBPRKHUwNfKBkS3kce-Rzka6zvbQ… Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Link: https://lore.kernel.org/20250417183003.505835fb@gandalf.local.home Fixes: 77360f9bbc7e5 ("tracing: Add test for user space strings when filtering on string pointers") Reported-by: Andrii Nakryiko <andrii.nakryiko(a)gmail.com> Reported-by: Mykyta Yatsenko <mykyta.yatsenko5(a)gmail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events_filter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c index 0993dfc1c5c1..2048560264bb 100644 --- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -808,7 +808,7 @@ static __always_inline char *test_string(char *str) kstr = ubuf->buffer; /* For safety, do not trust the string pointer */ - if (!strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE)) + if (strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE) < 0) return NULL; return kstr; } @@ -827,7 +827,7 @@ static __always_inline char *test_ustring(char *str) /* user space address? */ ustr = (char __user *)str; - if (!strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE)) + if (strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE) < 0) return NULL; return kstr; -- 2.47.2

1 week, 4 days

1
0
0 0

[PATCH v2] iio: ad5933: Correct settling cycles encoding per datasheet

by Gabriel Shahrouzi

Implement the settling cycles encoding as specified in the AD5933 datasheet, Table 13 ("Number of Settling Times Cycles Register"). The previous logic did not correctly translate the user-requested effective cycle count into the required 9-bit base + 2-bit multiplier format (D10..D0) for values exceeding 511. Clamp the user input for out_altvoltage0_settling_cycles to the maximum effective value of 2044 cycles (511 * 4x multiplier). Fixes: f94aa354d676 ("iio: impedance-analyzer: New driver for AD5933/4 Impedance Converter, Network Analyzer") Cc: stable(a)vger.kernel.org Signed-off-by: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> --- Changes in v2: - Fix spacing in comment around '+'. - Define mask and values for settling cycle multipliers. --- .../staging/iio/impedance-analyzer/ad5933.c | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/staging/iio/impedance-analyzer/ad5933.c b/drivers/staging/iio/impedance-analyzer/ad5933.c index d5544fc2fe989..3c301a8ebd2ab 100644 --- a/drivers/staging/iio/impedance-analyzer/ad5933.c +++ b/drivers/staging/iio/impedance-analyzer/ad5933.c @@ -28,7 +28,7 @@ #define AD5933_REG_FREQ_START 0x82 /* R/W, 3 bytes */ #define AD5933_REG_FREQ_INC 0x85 /* R/W, 3 bytes */ #define AD5933_REG_INC_NUM 0x88 /* R/W, 2 bytes, 9 bit */ -#define AD5933_REG_SETTLING_CYCLES 0x8A /* R/W, 2 bytes */ +#define AD5933_REG_SETTLING_CYCLES 0x8A /* R/W, 2 bytes, 11 + 2 bit */ #define AD5933_REG_STATUS 0x8F /* R, 1 byte */ #define AD5933_REG_TEMP_DATA 0x92 /* R, 2 bytes*/ #define AD5933_REG_REAL_DATA 0x94 /* R, 2 bytes*/ @@ -71,6 +71,8 @@ #define AD5933_INT_OSC_FREQ_Hz 16776000 #define AD5933_MAX_OUTPUT_FREQ_Hz 100000 #define AD5933_MAX_RETRIES 100 +#define AD5933_MAX_FREQ_POINTS 511 +#define AD5933_MAX_SETTLING_CYCLES 2044 /* 511 * 4 */ #define AD5933_OUT_RANGE 1 #define AD5933_OUT_RANGE_AVAIL 2 @@ -82,6 +84,12 @@ #define AD5933_POLL_TIME_ms 10 #define AD5933_INIT_EXCITATION_TIME_ms 100 +/* Settling cycles multiplier bits D10, D9 */ +#define AD5933_SETTLE_MUL_MASK (BIT(10) | BIT(9)) +#define AD5933_SETTLE_MUL_1X 0 +#define AD5933_SETTLE_MUL_2X BIT(9) +#define AD5933_SETTLE_MUL_4X (BIT(10) | BIT(9)) + struct ad5933_state { struct i2c_client *client; struct clk *mclk; @@ -411,14 +419,15 @@ static ssize_t ad5933_store(struct device *dev, ret = ad5933_cmd(st, 0); break; case AD5933_OUT_SETTLING_CYCLES: - val = clamp(val, (u16)0, (u16)0x7FF); + val = clamp(val, (u16)0, (u16)AD5933_MAX_SETTLING_CYCLES); st->settling_cycles = val; - /* 2x, 4x handling, see datasheet */ + /* Encode value for register: D10..D0 */ + /* Datasheet Table 13: If cycles > 1022 -> val/4, set bits D10=1, D9=1 */ if (val > 1022) - val = (val >> 2) | (3 << 9); - else if (val > 511) - val = (val >> 1) | BIT(9); + val = (val >> 2) | AD5933_SETTLE_MUL_4X; + else if (val > 511) /* Datasheet: If cycles > 511 -> val/2, set bit D9=1 */ + val = (val >> 1) | AD5933_SETTLE_MUL_2X; dat = cpu_to_be16(val); ret = ad5933_i2c_write(st->client, @@ -426,7 +435,7 @@ static ssize_t ad5933_store(struct device *dev, 2, (u8 *)&dat); break; case AD5933_FREQ_POINTS: - val = clamp(val, (u16)0, (u16)511); + val = clamp(val, (u16)0, (u16)AD5933_MAX_FREQ_POINTS); st->freq_points = val; dat = cpu_to_be16(val); -- 2.43.0

1 week, 4 days

1
0
0 0

[PATCH] x86/mm: fix _pgd_alloc() for Xen PV mode

by Juergen Gross

Recently _pgd_alloc() was switched from using __get_free_pages() to pagetable_alloc_noprof(), which might return a compound page in case the allocation order is larger than 0. On x86 this will be the case if CONFIG_MITIGATION_PAGE_TABLE_ISOLATION is set, even if PTI has been disabled at runtime. When running as a Xen PV guest (this will always disable PTI), using a compound page for a PGD will result in VM_BUG_ON_PGFLAGS being triggered when the Xen code tries to pin the PGD. Fix the Xen issue together with the not needed 8k allocation for a PGD with PTI disabled by using a variable holding the PGD allocation order in case CONFIG_MITIGATION_PAGE_TABLE_ISOLATION is set. Reported-by: Petr Vaněk <arkamar(a)atlas.cz> Fixes: a9b3c355c2e6 ("asm-generic: pgalloc: provide generic __pgd_{alloc,free}") Cc: stable(a)vger.kernel.org Signed-off-by: Juergen Gross <jgross(a)suse.com> --- arch/x86/include/asm/pgalloc.h | 7 ++++++- arch/x86/mm/pgtable.c | 4 ++++ arch/x86/mm/pti.c | 3 +++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index a33147520044..754f95bddf98 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -34,8 +34,13 @@ static inline void paravirt_release_p4d(unsigned long pfn) {} * Instead of one PGD, we acquire two PGDs. Being order-1, it is * both 8k in size and 8k-aligned. That lets us just flip bit 12 * in a pointer to swap between the two 4k halves. + * + * As PTI can be runtime disabled (either via boot parameter or due to + * running as a Xen PV guest), store the actually needed allocation + * order in a global variable. */ -#define PGD_ALLOCATION_ORDER 1 +#define PGD_ALLOCATION_ORDER pgd_allocation_order +extern unsigned int pgd_allocation_order; #else #define PGD_ALLOCATION_ORDER 0 #endif diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index a05fcddfc811..f61b2d6be311 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -12,6 +12,10 @@ phys_addr_t physical_mask __ro_after_init = (1ULL << __PHYSICAL_MASK_SHIFT) - 1; EXPORT_SYMBOL(physical_mask); #endif +#ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION +unsigned int pgd_allocation_order = 0; +#endif + pgtable_t pte_alloc_one(struct mm_struct *mm) { return __pte_alloc_one(mm, GFP_PGTABLE_USER); diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c index 5f0d579932c6..44b7120c63e3 100644 --- a/arch/x86/mm/pti.c +++ b/arch/x86/mm/pti.c @@ -38,6 +38,7 @@ #include <asm/desc.h> #include <asm/sections.h> #include <asm/set_memory.h> +#include <asm/pgalloc.h> #undef pr_fmt #define pr_fmt(fmt) "Kernel/User page tables isolation: " fmt @@ -97,6 +98,8 @@ void __init pti_check_boottime_disable(void) if (pti_mode == PTI_AUTO && !boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN)) return; + pgd_allocation_order = 1; + setup_force_cpu_cap(X86_FEATURE_PTI); } -- 2.43.0

1 week, 4 days

3
2
0 0

[PATCH AUTOSEL 5.10 8/8] fbdev: omapfb: Add 'plane' value check

by Sasha Levin

From: Leonid Arapov <arapovl839(a)gmail.com> [ Upstream commit 3e411827f31db7f938a30a3c7a7599839401ec30 ] Function dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB of the enum parameter plane. The value of this parameter is initialized in dss_init_overlays and in the current state of the code it cannot take this value so it's not a real problem. For the purposes of defensive coding it wouldn't be superfluous to check the parameter value, because some functions down the call stack process this value correctly and some not. For example, in dispc_ovl_setup_global_alpha it may lead to buffer overflow. Add check for this value. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool. Signed-off-by: Leonid Arapov <arapovl839(a)gmail.com> Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c index b2d6e6df21615..d852bef1d507f 100644 --- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c +++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c @@ -2751,9 +2751,13 @@ int dispc_ovl_setup(enum omap_plane plane, const struct omap_overlay_info *oi, bool mem_to_mem) { int r; - enum omap_overlay_caps caps = dss_feat_get_overlay_caps(plane); + enum omap_overlay_caps caps; enum omap_channel channel; + if (plane == OMAP_DSS_WB) + return -EINVAL; + + caps = dss_feat_get_overlay_caps(plane); channel = dispc_ovl_get_channel_out(plane); DSSDBG("dispc_ovl_setup %d, pa %pad, pa_uv %pad, sw %d, %d,%d, %dx%d ->" -- 2.39.5

1 week, 5 days

2
1
0 0

[PATCH AUTOSEL 6.6 01/26] wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process

by Sasha Levin

From: P Praneesh <quic_ppranees(a)quicinc.com> [ Upstream commit 63fdc4509bcf483e79548de6bc08bf3c8e504bb3 ] Currently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry to fetch the next entry from the destination ring. This is incorrect because ath12k_hal_srng_src_get_next_entry is intended for source rings, not destination rings. This leads to invalid entry fetches, causing potential data corruption or crashes due to accessing incorrect memory locations. This happens because the source ring and destination ring have different handling mechanisms and using the wrong function results in incorrect pointer arithmetic and ring management. To fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with ath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures that the correct function is used for fetching entries from the destination ring, preventing invalid memory accesses. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 Signed-off-by: P Praneesh <quic_ppranees(a)quicinc.com> Link: https://patch.msgid.link/20241223060132.3506372-7-quic_ppranees@quicinc.com Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c index f1e57e98bdc60..35f22a4a16cf2 100644 --- a/drivers/net/wireless/ath/ath12k/dp_mon.c +++ b/drivers/net/wireless/ath/ath12k/dp_mon.c @@ -2571,7 +2571,7 @@ int ath12k_dp_mon_rx_process_stats(struct ath12k *ar, int mac_id, dest_idx = 0; move_next: ath12k_dp_mon_buf_replenish(ab, buf_ring, 1); - ath12k_hal_srng_src_get_next_entry(ab, srng); + ath12k_hal_srng_dst_get_next_entry(ab, srng); num_buffs_reaped++; } -- 2.39.5

1 week, 5 days

2
26
0 0

[PATCH AUTOSEL 5.10 01/15] page_pool: avoid infinite loop to schedule delayed worker

by Sasha Levin

From: Jason Xing <kerneljasonxing(a)gmail.com> [ Upstream commit 43130d02baa137033c25297aaae95fd0edc41654 ] We noticed the kworker in page_pool_release_retry() was waken up repeatedly and infinitely in production because of the buggy driver causing the inflight less than 0 and warning us in page_pool_inflight()[1]. Since the inflight value goes negative, it means we should not expect the whole page_pool to get back to work normally. This patch mitigates the adverse effect by not rescheduling the kworker when detecting the inflight negative in page_pool_release_retry(). [1] [Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------ [Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages ... [Mon Feb 10 20:36:11 2025] Call Trace: [Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70 [Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370 [Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0 [Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140 [Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370 [Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40 [Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40 [Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]--- Note: before this patch, the above calltrace would flood the dmesg due to repeated reschedule of release_dw kworker. Signed-off-by: Jason Xing <kerneljasonxing(a)gmail.com> Reviewed-by: Mina Almasry <almasrymina(a)google.com> Link: https://patch.msgid.link/20250214064250.85987-1-kerneljasonxing@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/core/page_pool.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/core/page_pool.c b/net/core/page_pool.c index 08fbf4049c108..a11809b3149b4 100644 --- a/net/core/page_pool.c +++ b/net/core/page_pool.c @@ -485,7 +485,13 @@ static void page_pool_release_retry(struct work_struct *wq) int inflight; inflight = page_pool_release(pool); - if (!inflight) + /* In rare cases, a driver bug may cause inflight to go negative. + * Don't reschedule release if inflight is 0 or negative. + * - If 0, the page_pool has been destroyed + * - if negative, we will never recover + * in both cases no reschedule is necessary. + */ + if (inflight <= 0) return; /* Periodic warning */ -- 2.39.5

1 week, 5 days

2
16
0 0

[PATCH AUTOSEL 6.1 1/9] HID: pidff: Convert infinite length from Linux API to PID standard

by Sasha Levin

From: Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> [ Upstream commit 37e0591fe44dce39d1ebc7a82d5b6e4dba1582eb ] Software uses 0 as de-facto infinite lenght on Linux FF apis (SDL), Linux doesn't actually define anythi as of now, while USB PID defines NULL (0xffff). Most PID devices do not expect a 0-length effect and can't interpret it as infinite. This change fixes Force Feedback for most PID compliant devices. As most games depend on updating the values of already playing infinite effects, this is crucial to ensure they will actually work. Previously, users had to rely on third-party software to do this conversion and make their PID devices usable. Co-developed-by: Makarenko Oleg <oleg(a)makarenk.ooo> Signed-off-by: Makarenko Oleg <oleg(a)makarenk.ooo> Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> Reviewed-by: Michał Kopeć <michal(a)nozomi.space> Reviewed-by: Paul Dino Jones <paul(a)spacefreak18.xyz> Tested-by: Paul Dino Jones <paul(a)spacefreak18.xyz> Tested-by: Cristóferson Bueno <cbueno81(a)gmail.com> Tested-by: Pablo Cisneros <patchkez(a)protonmail.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hid/usbhid/hid-pidff.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c index 3b4ee21cd8111..5fe4422bb5bad 100644 --- a/drivers/hid/usbhid/hid-pidff.c +++ b/drivers/hid/usbhid/hid-pidff.c @@ -21,6 +21,7 @@ #include "usbhid.h" #define PID_EFFECTS_MAX 64 +#define PID_INFINITE 0xffff /* Report usage table used to put reports into an array */ @@ -301,7 +302,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff, pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0]; pidff->set_effect_type->value[0] = pidff->create_new_effect_type->value[0]; - pidff->set_effect[PID_DURATION].value[0] = effect->replay.length; + + /* Convert infinite length from Linux API (0) + to PID standard (NULL) if needed */ + pidff->set_effect[PID_DURATION].value[0] = + effect->replay.length == 0 ? PID_INFINITE : effect->replay.length; + pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button; pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] = effect->trigger.interval; -- 2.39.5

1 week, 5 days

2
9
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2025