- Linux-stable-mirror - lists.linaro.org

[PATCH 6.1.y] udf: Fold udf_getblk() into udf_bread()

by Sergey Shtylyov

From: Jan Kara <jack(a)suse.cz> udf_getblk() has a single call site. Fold it there. [Sergey: moved back to using udf_get_block() and buffer_{mapped|new}().] Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- This patch prevents NULL pointer dereference in case sb_getblk() fails... fs/udf/inode.c | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) Index: linux-stable/fs/udf/inode.c =================================================================== --- linux-stable.orig/fs/udf/inode.c +++ linux-stable/fs/udf/inode.c @@ -459,30 +459,6 @@ abort: return err; } -static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, - int create, int *err) -{ - struct buffer_head *bh; - struct buffer_head dummy; - - dummy.b_state = 0; - dummy.b_blocknr = -1000; - *err = udf_get_block(inode, block, &dummy, create); - if (!*err && buffer_mapped(&dummy)) { - bh = sb_getblk(inode->i_sb, dummy.b_blocknr); - if (buffer_new(&dummy)) { - lock_buffer(bh); - memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); - set_buffer_uptodate(bh); - unlock_buffer(bh); - mark_buffer_dirty_inode(bh, inode); - } - return bh; - } - - return NULL; -} - /* Extend the file with new blocks totaling 'new_block_bytes', * return the number of extents added */ @@ -1198,10 +1174,27 @@ struct buffer_head *udf_bread(struct ino int create, int *err) { struct buffer_head *bh = NULL; + struct buffer_head dummy; + + dummy.b_state = 0; + dummy.b_blocknr = -1000; + *err = udf_get_block(inode, block, &dummy, create); + if (*err || !buffer_mapped(&dummy)) + return NULL; - bh = udf_getblk(inode, block, create, err); - if (!bh) + bh = sb_getblk(inode->i_sb, dummy.b_blocknr); + if (!bh) { + *err = -ENOMEM; return NULL; + } + if (buffer_new(&dummy)) { + lock_buffer(bh); + memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); + set_buffer_uptodate(bh); + unlock_buffer(bh); + mark_buffer_dirty_inode(bh, inode); + return bh; + } if (bh_read(bh, 0) >= 0) return bh;

1 year

1
1
0 0

[PATCH] scsi: megaraid: Remove redundant check in megasas_init_fw()

by George Rurikov

This is cosmetic fix. The memory for 'fusion' (instance->ctrl_context) is allocated in megasas_alloc_ctrl_mem() in a call to megasas_alloc_fusion_context(). A possible allocation error is handled after megasas_alloc_ctrl_mem() with a fail_alloc_dma_buf label transition. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/scsi/megaraid/megaraid_sas_base.c | 111 +++++++++++----------- 1 file changed, 54 insertions(+), 57 deletions(-) diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c index 6c79c350a4d5..e4823680e009 100644 --- a/drivers/scsi/megaraid/megaraid_sas_base.c +++ b/drivers/scsi/megaraid/megaraid_sas_base.c @@ -6149,68 +6149,65 @@ static int megasas_init_fw(struct megasas_instance *instance) scratch_pad_1 = megasas_readl (instance, &instance->reg_set->outbound_scratch_pad_1); - /* Check max MSI-X vectors */ - if (fusion) { - if (instance->adapter_type == THUNDERBOLT_SERIES) { - /* Thunderbolt Series*/ - instance->msix_vectors = (scratch_pad_1 - & MR_MAX_REPLY_QUEUES_OFFSET) + 1; - } else { - instance->msix_vectors = ((scratch_pad_1 - & MR_MAX_REPLY_QUEUES_EXT_OFFSET) - >> MR_MAX_REPLY_QUEUES_EXT_OFFSET_SHIFT) + 1; - - /* - * For Invader series, > 8 MSI-x vectors - * supported by FW/HW implies combined - * reply queue mode is enabled. - * For Ventura series, > 16 MSI-x vectors - * supported by FW/HW implies combined - * reply queue mode is enabled. - */ - switch (instance->adapter_type) { - case INVADER_SERIES: - if (instance->msix_vectors > 8) - instance->msix_combined = true; - break; - case AERO_SERIES: - case VENTURA_SERIES: - if (instance->msix_vectors > 16) - instance->msix_combined = true; - break; - } - if (rdpq_enable) - instance->is_rdpq = (scratch_pad_1 & MR_RDPQ_MODE_OFFSET) ? - 1 : 0; + if (instance->adapter_type == THUNDERBOLT_SERIES) { + /* Thunderbolt Series*/ + instance->msix_vectors = (scratch_pad_1 + & MR_MAX_REPLY_QUEUES_OFFSET) + 1; + } else { + instance->msix_vectors = ((scratch_pad_1 + & MR_MAX_REPLY_QUEUES_EXT_OFFSET) + >> MR_MAX_REPLY_QUEUES_EXT_OFFSET_SHIFT) + 1; - if (instance->adapter_type >= INVADER_SERIES && - !instance->msix_combined) { - instance->msix_load_balance = true; - instance->smp_affinity_enable = false; - } + /* + * For Invader series, > 8 MSI-x vectors + * supported by FW/HW implies combined + * reply queue mode is enabled. + * For Ventura series, > 16 MSI-x vectors + * supported by FW/HW implies combined + * reply queue mode is enabled. + */ + switch (instance->adapter_type) { + case INVADER_SERIES: + if (instance->msix_vectors > 8) + instance->msix_combined = true; + break; + case AERO_SERIES: + case VENTURA_SERIES: + if (instance->msix_vectors > 16) + instance->msix_combined = true; + break; + } - /* Save 1-15 reply post index address to local memory - * Index 0 is already saved from reg offset - * MPI2_REPLY_POST_HOST_INDEX_OFFSET - */ - for (loop = 1; loop < MR_MAX_MSIX_REG_ARRAY; loop++) { - instance->reply_post_host_index_addr[loop] = - (u32 __iomem *) - ((u8 __iomem *)instance->reg_set + - MPI2_SUP_REPLY_POST_HOST_INDEX_OFFSET - + (loop * 0x10)); - } + if (rdpq_enable) + instance->is_rdpq = (scratch_pad_1 & MR_RDPQ_MODE_OFFSET) ? + 1 : 0; + + if (instance->adapter_type >= INVADER_SERIES && + !instance->msix_combined) { + instance->msix_load_balance = true; + instance->smp_affinity_enable = false; } - dev_info(&instance->pdev->dev, - "firmware supports msix\t: (%d)", - instance->msix_vectors); - if (msix_vectors) - instance->msix_vectors = min(msix_vectors, - instance->msix_vectors); - } else /* MFI adapters */ - instance->msix_vectors = 1; + /* Save 1-15 reply post index address to local memory + * Index 0 is already saved from reg offset + * MPI2_REPLY_POST_HOST_INDEX_OFFSET + */ + for (loop = 1; loop < MR_MAX_MSIX_REG_ARRAY; loop++) { + instance->reply_post_host_index_addr[loop] = + (u32 __iomem *) + ((u8 __iomem *)instance->reg_set + + MPI2_SUP_REPLY_POST_HOST_INDEX_OFFSET + + (loop * 0x10)); + } + } + + dev_info(&instance->pdev->dev, + "firmware supports msix\t: (%d)", + instance->msix_vectors); + if (msix_vectors) + instance->msix_vectors = min(msix_vectors, + instance->msix_vectors); /* -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

1 year

1
0
0 0

[PATCH AUTOSEL 6.10 09/18] spi: spidev: Add an entry for elgin,jg10309-01

by Sasha Levin

From: Fabio Estevam <festevam(a)gmail.com> [ Upstream commit 5f3eee1eef5d0edd23d8ac0974f56283649a1512 ] The rv1108-elgin-r1 board has an LCD controlled via SPI in userspace. The marking on the LCD is JG10309-01. Add the "elgin,jg10309-01" compatible string. Signed-off-by: Fabio Estevam <festevam(a)gmail.com> Reviewed-by: Heiko Stuebner <heiko(a)sntech.de> Link: https://patch.msgid.link/20240828180057.3167190-2-festevam@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/spi/spidev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c index 5304728c68c2..14bf0fa65bef 100644 --- a/drivers/spi/spidev.c +++ b/drivers/spi/spidev.c @@ -731,6 +731,7 @@ static int spidev_of_check(struct device *dev) static const struct of_device_id spidev_dt_ids[] = { { .compatible = "cisco,spi-petra", .data = &spidev_of_check }, { .compatible = "dh,dhcom-board", .data = &spidev_of_check }, + { .compatible = "elgin,jg10309-01", .data = &spidev_of_check }, { .compatible = "lineartechnology,ltc2488", .data = &spidev_of_check }, { .compatible = "lwn,bk4", .data = &spidev_of_check }, { .compatible = "menlo,m53cpld", .data = &spidev_of_check }, -- 2.43.0

1 year

2
2
0 0

[PATCH 5.4.y 1/1] inet: inet_defrag: prevent sk release while still in use

by Saeed Mirzamohammadi

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit 18685451fc4e546fc0e718580d32df3c0e5c8272 ] ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. Fixes: 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn().") Diagnosed-by: Eric Dumazet <edumazet(a)google.com> Reported-by: xingwei lee <xrivendell7(a)gmail.com> Reported-by: yue sun <samsun1006219(a)gmail.com> Reported-by: syzbot+e5167d7144a62715044c(a)syzkaller.appspotmail.com Signed-off-by: Florian Westphal <fw(a)strlen.de> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20240326101845.30836-1-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> (cherry picked from commit 7d0567842b78390dd9b60f00f1d8f838d540e325) CVE: CVE-2024-26921 Cc: stable(a)vger.kernel.org # 5.4 Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- include/linux/skbuff.h | 5 +- net/core/sock_destructor.h | 12 +++++ net/ipv4/inet_fragment.c | 70 ++++++++++++++++++++----- net/ipv4/ip_fragment.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- 5 files changed, 72 insertions(+), 19 deletions(-) create mode 100644 net/core/sock_destructor.h diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 29ccc33a1c627..3191d0ffc6e9a 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -704,10 +704,7 @@ struct sk_buff { struct list_head list; }; - union { - struct sock *sk; - int ip_defrag_offset; - }; + struct sock *sk; union { ktime_t tstamp; diff --git a/net/core/sock_destructor.h b/net/core/sock_destructor.h new file mode 100644 index 0000000000000..2f396e6bfba5a --- /dev/null +++ b/net/core/sock_destructor.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +#ifndef _NET_CORE_SOCK_DESTRUCTOR_H +#define _NET_CORE_SOCK_DESTRUCTOR_H +#include <net/tcp.h> + +static inline bool is_skb_wmem(const struct sk_buff *skb) +{ + return skb->destructor == sock_wfree || + skb->destructor == __sock_wfree || + (IS_ENABLED(CONFIG_INET) && skb->destructor == tcp_wfree); +} +#endif diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index e0e8a65d561ec..12ef3cb26676d 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -24,6 +24,8 @@ #include <net/ip.h> #include <net/ipv6.h> +#include "../core/sock_destructor.h" + /* Use skb->cb to track consecutive/adjacent fragments coming at * the end of the queue. Nodes in the rb-tree queue will * contain "runs" of one or more adjacent fragments. @@ -39,6 +41,7 @@ struct ipfrag_skb_cb { }; struct sk_buff *next_frag; int frag_run_len; + int ip_defrag_offset; }; #define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) @@ -359,12 +362,12 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, */ if (!last) fragrun_create(q, skb); /* First fragment. */ - else if (last->ip_defrag_offset + last->len < end) { + else if (FRAG_CB(last)->ip_defrag_offset + last->len < end) { /* This is the common case: skb goes to the end. */ /* Detect and discard overlaps. */ - if (offset < last->ip_defrag_offset + last->len) + if (offset < FRAG_CB(last)->ip_defrag_offset + last->len) return IPFRAG_OVERLAP; - if (offset == last->ip_defrag_offset + last->len) + if (offset == FRAG_CB(last)->ip_defrag_offset + last->len) fragrun_append_to_last(q, skb); else fragrun_create(q, skb); @@ -381,13 +384,13 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, parent = *rbn; curr = rb_to_skb(parent); - curr_run_end = curr->ip_defrag_offset + + curr_run_end = FRAG_CB(curr)->ip_defrag_offset + FRAG_CB(curr)->frag_run_len; - if (end <= curr->ip_defrag_offset) + if (end <= FRAG_CB(curr)->ip_defrag_offset) rbn = &parent->rb_left; else if (offset >= curr_run_end) rbn = &parent->rb_right; - else if (offset >= curr->ip_defrag_offset && + else if (offset >= FRAG_CB(curr)->ip_defrag_offset && end <= curr_run_end) return IPFRAG_DUP; else @@ -401,7 +404,7 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, rb_insert_color(&skb->rbnode, &q->rb_fragments); } - skb->ip_defrag_offset = offset; + FRAG_CB(skb)->ip_defrag_offset = offset; return IPFRAG_OK; } @@ -411,13 +414,28 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, struct sk_buff *parent) { struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments); - struct sk_buff **nextp; + void (*destructor)(struct sk_buff *); + unsigned int orig_truesize = 0; + struct sk_buff **nextp = NULL; + struct sock *sk = skb->sk; int delta; + if (sk && is_skb_wmem(skb)) { + /* TX: skb->sk might have been passed as argument to + * dst->output and must remain valid until tx completes. + * + * Move sk to reassembled skb and fix up wmem accounting. + */ + orig_truesize = skb->truesize; + destructor = skb->destructor; + } + if (head != skb) { fp = skb_clone(skb, GFP_ATOMIC); - if (!fp) - return NULL; + if (!fp) { + head = skb; + goto out_restore_sk; + } FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; if (RB_EMPTY_NODE(&skb->rbnode)) FRAG_CB(parent)->next_frag = fp; @@ -426,6 +444,12 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, &q->rb_fragments); if (q->fragments_tail == skb) q->fragments_tail = fp; + + if (orig_truesize) { + /* prevent skb_morph from releasing sk */ + skb->sk = NULL; + skb->destructor = NULL; + } skb_morph(skb, head); FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; rb_replace_node(&head->rbnode, &skb->rbnode, @@ -433,13 +457,13 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, consume_skb(head); head = skb; } - WARN_ON(head->ip_defrag_offset != 0); + WARN_ON(FRAG_CB(head)->ip_defrag_offset != 0); delta = -head->truesize; /* Head of list must not be cloned. */ if (skb_unclone(head, GFP_ATOMIC)) - return NULL; + goto out_restore_sk; delta += head->truesize; if (delta) @@ -455,7 +479,7 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, clone = alloc_skb(0, GFP_ATOMIC); if (!clone) - return NULL; + goto out_restore_sk; skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; skb_frag_list_init(head); for (i = 0; i < skb_shinfo(head)->nr_frags; i++) @@ -472,6 +496,21 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, nextp = &skb_shinfo(head)->frag_list; } +out_restore_sk: + if (orig_truesize) { + int ts_delta = head->truesize - orig_truesize; + + /* if this reassembled skb is fragmented later, + * fraglist skbs will get skb->sk assigned from head->sk, + * and each frag skb will be released via sock_wfree. + * + * Update sk_wmem_alloc. + */ + head->sk = sk; + head->destructor = destructor; + refcount_add(ts_delta, &sk->sk_wmem_alloc); + } + return nextp; } EXPORT_SYMBOL(inet_frag_reasm_prepare); @@ -479,6 +518,8 @@ EXPORT_SYMBOL(inet_frag_reasm_prepare); void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, void *reasm_data, bool try_coalesce) { + struct sock *sk = is_skb_wmem(head) ? head->sk : NULL; + const unsigned int head_truesize = head->truesize; struct sk_buff **nextp = (struct sk_buff **)reasm_data; struct rb_node *rbn; struct sk_buff *fp; @@ -541,6 +582,9 @@ void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, skb_mark_not_on_list(head); head->prev = NULL; head->tstamp = q->stamp; + + if (sk) + refcount_add(sum_truesize - head_truesize, &sk->sk_wmem_alloc); } EXPORT_SYMBOL(inet_frag_reasm_finish); diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index fad803d2d711e..ec2264adf2a6a 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -377,6 +377,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -479,7 +480,6 @@ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) struct ipq *qp; __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); - skb_orphan(skb); /* Lookup (or create) queue header */ qp = ip_find(net, ip_hdr(skb), user, vif); diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index fed9666a2f7da..cab68c63ea65e 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -296,6 +296,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -461,7 +462,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) hdr = ipv6_hdr(skb); fhdr = (struct frag_hdr *)skb_transport_header(skb); - skb_orphan(skb); fq = fq_find(net, fhdr->identification, user, hdr, skb->dev ? skb->dev->ifindex : 0); if (fq == NULL) { -- 2.45.2

1 year

1
0
0 0

[PATCH 5.10.y 1/1] inet: inet_defrag: prevent sk release while still in use

by Saeed Mirzamohammadi

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit 18685451fc4e546fc0e718580d32df3c0e5c8272 ] ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. Fixes: 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn().") Diagnosed-by: Eric Dumazet <edumazet(a)google.com> Reported-by: xingwei lee <xrivendell7(a)gmail.com> Reported-by: yue sun <samsun1006219(a)gmail.com> Reported-by: syzbot+e5167d7144a62715044c(a)syzkaller.appspotmail.com Signed-off-by: Florian Westphal <fw(a)strlen.de> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20240326101845.30836-1-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> (cherry picked from commit 7d0567842b78390dd9b60f00f1d8f838d540e325) CVE: CVE-2024-26921 Cc: stable(a)vger.kernel.org # 5.10 Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- include/linux/skbuff.h | 5 +- net/core/sock_destructor.h | 12 +++++ net/ipv4/inet_fragment.c | 70 ++++++++++++++++++++----- net/ipv4/ip_fragment.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- 5 files changed, 72 insertions(+), 19 deletions(-) create mode 100644 net/core/sock_destructor.h diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 31755d496b01d..31ae4b74d4352 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -733,10 +733,7 @@ struct sk_buff { struct list_head list; }; - union { - struct sock *sk; - int ip_defrag_offset; - }; + struct sock *sk; union { ktime_t tstamp; diff --git a/net/core/sock_destructor.h b/net/core/sock_destructor.h new file mode 100644 index 0000000000000..2f396e6bfba5a --- /dev/null +++ b/net/core/sock_destructor.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +#ifndef _NET_CORE_SOCK_DESTRUCTOR_H +#define _NET_CORE_SOCK_DESTRUCTOR_H +#include <net/tcp.h> + +static inline bool is_skb_wmem(const struct sk_buff *skb) +{ + return skb->destructor == sock_wfree || + skb->destructor == __sock_wfree || + (IS_ENABLED(CONFIG_INET) && skb->destructor == tcp_wfree); +} +#endif diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index e0e8a65d561ec..12ef3cb26676d 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -24,6 +24,8 @@ #include <net/ip.h> #include <net/ipv6.h> +#include "../core/sock_destructor.h" + /* Use skb->cb to track consecutive/adjacent fragments coming at * the end of the queue. Nodes in the rb-tree queue will * contain "runs" of one or more adjacent fragments. @@ -39,6 +41,7 @@ struct ipfrag_skb_cb { }; struct sk_buff *next_frag; int frag_run_len; + int ip_defrag_offset; }; #define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) @@ -359,12 +362,12 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, */ if (!last) fragrun_create(q, skb); /* First fragment. */ - else if (last->ip_defrag_offset + last->len < end) { + else if (FRAG_CB(last)->ip_defrag_offset + last->len < end) { /* This is the common case: skb goes to the end. */ /* Detect and discard overlaps. */ - if (offset < last->ip_defrag_offset + last->len) + if (offset < FRAG_CB(last)->ip_defrag_offset + last->len) return IPFRAG_OVERLAP; - if (offset == last->ip_defrag_offset + last->len) + if (offset == FRAG_CB(last)->ip_defrag_offset + last->len) fragrun_append_to_last(q, skb); else fragrun_create(q, skb); @@ -381,13 +384,13 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, parent = *rbn; curr = rb_to_skb(parent); - curr_run_end = curr->ip_defrag_offset + + curr_run_end = FRAG_CB(curr)->ip_defrag_offset + FRAG_CB(curr)->frag_run_len; - if (end <= curr->ip_defrag_offset) + if (end <= FRAG_CB(curr)->ip_defrag_offset) rbn = &parent->rb_left; else if (offset >= curr_run_end) rbn = &parent->rb_right; - else if (offset >= curr->ip_defrag_offset && + else if (offset >= FRAG_CB(curr)->ip_defrag_offset && end <= curr_run_end) return IPFRAG_DUP; else @@ -401,7 +404,7 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, rb_insert_color(&skb->rbnode, &q->rb_fragments); } - skb->ip_defrag_offset = offset; + FRAG_CB(skb)->ip_defrag_offset = offset; return IPFRAG_OK; } @@ -411,13 +414,28 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, struct sk_buff *parent) { struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments); - struct sk_buff **nextp; + void (*destructor)(struct sk_buff *); + unsigned int orig_truesize = 0; + struct sk_buff **nextp = NULL; + struct sock *sk = skb->sk; int delta; + if (sk && is_skb_wmem(skb)) { + /* TX: skb->sk might have been passed as argument to + * dst->output and must remain valid until tx completes. + * + * Move sk to reassembled skb and fix up wmem accounting. + */ + orig_truesize = skb->truesize; + destructor = skb->destructor; + } + if (head != skb) { fp = skb_clone(skb, GFP_ATOMIC); - if (!fp) - return NULL; + if (!fp) { + head = skb; + goto out_restore_sk; + } FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; if (RB_EMPTY_NODE(&skb->rbnode)) FRAG_CB(parent)->next_frag = fp; @@ -426,6 +444,12 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, &q->rb_fragments); if (q->fragments_tail == skb) q->fragments_tail = fp; + + if (orig_truesize) { + /* prevent skb_morph from releasing sk */ + skb->sk = NULL; + skb->destructor = NULL; + } skb_morph(skb, head); FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; rb_replace_node(&head->rbnode, &skb->rbnode, @@ -433,13 +457,13 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, consume_skb(head); head = skb; } - WARN_ON(head->ip_defrag_offset != 0); + WARN_ON(FRAG_CB(head)->ip_defrag_offset != 0); delta = -head->truesize; /* Head of list must not be cloned. */ if (skb_unclone(head, GFP_ATOMIC)) - return NULL; + goto out_restore_sk; delta += head->truesize; if (delta) @@ -455,7 +479,7 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, clone = alloc_skb(0, GFP_ATOMIC); if (!clone) - return NULL; + goto out_restore_sk; skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; skb_frag_list_init(head); for (i = 0; i < skb_shinfo(head)->nr_frags; i++) @@ -472,6 +496,21 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, nextp = &skb_shinfo(head)->frag_list; } +out_restore_sk: + if (orig_truesize) { + int ts_delta = head->truesize - orig_truesize; + + /* if this reassembled skb is fragmented later, + * fraglist skbs will get skb->sk assigned from head->sk, + * and each frag skb will be released via sock_wfree. + * + * Update sk_wmem_alloc. + */ + head->sk = sk; + head->destructor = destructor; + refcount_add(ts_delta, &sk->sk_wmem_alloc); + } + return nextp; } EXPORT_SYMBOL(inet_frag_reasm_prepare); @@ -479,6 +518,8 @@ EXPORT_SYMBOL(inet_frag_reasm_prepare); void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, void *reasm_data, bool try_coalesce) { + struct sock *sk = is_skb_wmem(head) ? head->sk : NULL; + const unsigned int head_truesize = head->truesize; struct sk_buff **nextp = (struct sk_buff **)reasm_data; struct rb_node *rbn; struct sk_buff *fp; @@ -541,6 +582,9 @@ void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, skb_mark_not_on_list(head); head->prev = NULL; head->tstamp = q->stamp; + + if (sk) + refcount_add(sum_truesize - head_truesize, &sk->sk_wmem_alloc); } EXPORT_SYMBOL(inet_frag_reasm_finish); diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index fad803d2d711e..ec2264adf2a6a 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -377,6 +377,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -479,7 +480,6 @@ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) struct ipq *qp; __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); - skb_orphan(skb); /* Lookup (or create) queue header */ qp = ip_find(net, ip_hdr(skb), user, vif); diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index c129ad334eb39..8c2163f95711c 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -296,6 +296,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -471,7 +472,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) hdr = ipv6_hdr(skb); fhdr = (struct frag_hdr *)skb_transport_header(skb); - skb_orphan(skb); fq = fq_find(net, fhdr->identification, user, hdr, skb->dev ? skb->dev->ifindex : 0); if (fq == NULL) { -- 2.45.2

1 year

1
0
0 0

[PATCH 5.15.y 1/1] inet: inet_defrag: prevent sk release while still in use

by Saeed Mirzamohammadi

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit 18685451fc4e546fc0e718580d32df3c0e5c8272 ] ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. Fixes: 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn().") Diagnosed-by: Eric Dumazet <edumazet(a)google.com> Reported-by: xingwei lee <xrivendell7(a)gmail.com> Reported-by: yue sun <samsun1006219(a)gmail.com> Reported-by: syzbot+e5167d7144a62715044c(a)syzkaller.appspotmail.com Signed-off-by: Florian Westphal <fw(a)strlen.de> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20240326101845.30836-1-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> (cherry picked from commit 7d0567842b78390dd9b60f00f1d8f838d540e325) CVE: CVE-2024-26921 Cc: stable(a)vger.kernel.org # 5.15 Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- include/linux/skbuff.h | 7 +-- net/ipv4/inet_fragment.c | 70 ++++++++++++++++++++----- net/ipv4/ip_fragment.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- 4 files changed, 60 insertions(+), 21 deletions(-) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index b230c422dc3b9..7f52562fac19c 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -660,8 +660,6 @@ typedef unsigned char *sk_buff_data_t; * @rbnode: RB tree node, alternative to next/prev for netem/tcp * @list: queue head * @sk: Socket we are owned by - * @ip_defrag_offset: (aka @sk) alternate use of @sk, used in - * fragmentation management * @dev: Device we arrived on/are leaving by * @dev_scratch: (aka @dev) alternate use of @dev when @dev would be %NULL * @cb: Control buffer. Free for use by every layer. Put private vars here @@ -778,10 +776,7 @@ struct sk_buff { struct list_head list; }; - union { - struct sock *sk; - int ip_defrag_offset; - }; + struct sock *sk; union { ktime_t tstamp; diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index 341096807100c..7e38170111999 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -24,6 +24,8 @@ #include <net/ip.h> #include <net/ipv6.h> +#include "../core/sock_destructor.h" + /* Use skb->cb to track consecutive/adjacent fragments coming at * the end of the queue. Nodes in the rb-tree queue will * contain "runs" of one or more adjacent fragments. @@ -39,6 +41,7 @@ struct ipfrag_skb_cb { }; struct sk_buff *next_frag; int frag_run_len; + int ip_defrag_offset; }; #define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) @@ -390,12 +393,12 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, */ if (!last) fragrun_create(q, skb); /* First fragment. */ - else if (last->ip_defrag_offset + last->len < end) { + else if (FRAG_CB(last)->ip_defrag_offset + last->len < end) { /* This is the common case: skb goes to the end. */ /* Detect and discard overlaps. */ - if (offset < last->ip_defrag_offset + last->len) + if (offset < FRAG_CB(last)->ip_defrag_offset + last->len) return IPFRAG_OVERLAP; - if (offset == last->ip_defrag_offset + last->len) + if (offset == FRAG_CB(last)->ip_defrag_offset + last->len) fragrun_append_to_last(q, skb); else fragrun_create(q, skb); @@ -412,13 +415,13 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, parent = *rbn; curr = rb_to_skb(parent); - curr_run_end = curr->ip_defrag_offset + + curr_run_end = FRAG_CB(curr)->ip_defrag_offset + FRAG_CB(curr)->frag_run_len; - if (end <= curr->ip_defrag_offset) + if (end <= FRAG_CB(curr)->ip_defrag_offset) rbn = &parent->rb_left; else if (offset >= curr_run_end) rbn = &parent->rb_right; - else if (offset >= curr->ip_defrag_offset && + else if (offset >= FRAG_CB(curr)->ip_defrag_offset && end <= curr_run_end) return IPFRAG_DUP; else @@ -432,7 +435,7 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, rb_insert_color(&skb->rbnode, &q->rb_fragments); } - skb->ip_defrag_offset = offset; + FRAG_CB(skb)->ip_defrag_offset = offset; return IPFRAG_OK; } @@ -442,13 +445,28 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, struct sk_buff *parent) { struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments); - struct sk_buff **nextp; + void (*destructor)(struct sk_buff *); + unsigned int orig_truesize = 0; + struct sk_buff **nextp = NULL; + struct sock *sk = skb->sk; int delta; + if (sk && is_skb_wmem(skb)) { + /* TX: skb->sk might have been passed as argument to + * dst->output and must remain valid until tx completes. + * + * Move sk to reassembled skb and fix up wmem accounting. + */ + orig_truesize = skb->truesize; + destructor = skb->destructor; + } + if (head != skb) { fp = skb_clone(skb, GFP_ATOMIC); - if (!fp) - return NULL; + if (!fp) { + head = skb; + goto out_restore_sk; + } FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; if (RB_EMPTY_NODE(&skb->rbnode)) FRAG_CB(parent)->next_frag = fp; @@ -457,6 +475,12 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, &q->rb_fragments); if (q->fragments_tail == skb) q->fragments_tail = fp; + + if (orig_truesize) { + /* prevent skb_morph from releasing sk */ + skb->sk = NULL; + skb->destructor = NULL; + } skb_morph(skb, head); FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; rb_replace_node(&head->rbnode, &skb->rbnode, @@ -464,13 +488,13 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, consume_skb(head); head = skb; } - WARN_ON(head->ip_defrag_offset != 0); + WARN_ON(FRAG_CB(head)->ip_defrag_offset != 0); delta = -head->truesize; /* Head of list must not be cloned. */ if (skb_unclone(head, GFP_ATOMIC)) - return NULL; + goto out_restore_sk; delta += head->truesize; if (delta) @@ -486,7 +510,7 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, clone = alloc_skb(0, GFP_ATOMIC); if (!clone) - return NULL; + goto out_restore_sk; skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; skb_frag_list_init(head); for (i = 0; i < skb_shinfo(head)->nr_frags; i++) @@ -503,6 +527,21 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, nextp = &skb_shinfo(head)->frag_list; } +out_restore_sk: + if (orig_truesize) { + int ts_delta = head->truesize - orig_truesize; + + /* if this reassembled skb is fragmented later, + * fraglist skbs will get skb->sk assigned from head->sk, + * and each frag skb will be released via sock_wfree. + * + * Update sk_wmem_alloc. + */ + head->sk = sk; + head->destructor = destructor; + refcount_add(ts_delta, &sk->sk_wmem_alloc); + } + return nextp; } EXPORT_SYMBOL(inet_frag_reasm_prepare); @@ -510,6 +549,8 @@ EXPORT_SYMBOL(inet_frag_reasm_prepare); void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, void *reasm_data, bool try_coalesce) { + struct sock *sk = is_skb_wmem(head) ? head->sk : NULL; + const unsigned int head_truesize = head->truesize; struct sk_buff **nextp = (struct sk_buff **)reasm_data; struct rb_node *rbn; struct sk_buff *fp; @@ -572,6 +613,9 @@ void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, skb_mark_not_on_list(head); head->prev = NULL; head->tstamp = q->stamp; + + if (sk) + refcount_add(sum_truesize - head_truesize, &sk->sk_wmem_alloc); } EXPORT_SYMBOL(inet_frag_reasm_finish); diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index fad803d2d711e..ec2264adf2a6a 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -377,6 +377,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -479,7 +480,6 @@ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) struct ipq *qp; __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); - skb_orphan(skb); /* Lookup (or create) queue header */ qp = ip_find(net, ip_hdr(skb), user, vif); diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 2e5b090d7c89f..0ec5ec5a5b45a 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -297,6 +297,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -472,7 +473,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) hdr = ipv6_hdr(skb); fhdr = (struct frag_hdr *)skb_transport_header(skb); - skb_orphan(skb); fq = fq_find(net, fhdr->identification, user, hdr, skb->dev ? skb->dev->ifindex : 0); if (fq == NULL) { -- 2.45.2

1 year

1
0
0 0

[PATCH v4 5/5] tpm: flush the auth session only when /dev/tpm0 is open

by Jarkko Sakkinen

Instead of flushing and reloading the auth session for every single transaction, keep the session open unless /dev/tpm0 is used. In practice this means applying TPM2_SA_CONTINUE_SESSION to the session attributes. Flush the session always when /dev/tpm0 is written. Reported-by: Pengyu Ma <mapengyu(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Changed as bug. v3: - Refined the commit message. - Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when /dev/tpm0 is open. It is not required as the auth session is flushed, not saved. v2: - A new patch. --- drivers/char/tpm/tpm-chip.c | 1 + drivers/char/tpm/tpm-dev-common.c | 1 + drivers/char/tpm/tpm-interface.c | 1 + drivers/char/tpm/tpm2-sessions.c | 3 +++ 4 files changed, 6 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0ea00e32f575..7a6bb30d1f32 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) rc = tpm_try_get_ops(chip); if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 4eaa8e05c291..a3ed7a99a394 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, #ifdef CONFIG_TCG_TPM2_HMAC if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index bfa47d48b0f2..2363018fa8fb 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev) if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { #ifdef CONFIG_TCG_TPM2_HMAC + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; #endif diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6371e0ee88b0..e9d3a6a9d397 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, } #ifdef CONFIG_TCG_TPM2_HMAC + /* The first write to /dev/tpm{rm0} will flush the session. */ + attributes |= TPM2_SA_CONTINUE_SESSION; + /* * The Architecture Guide requires us to strip trailing zeros * before computing the HMAC -- 2.46.0

1 year

1
0
0 0

[PATCH v4 4/5] tpm: Allocate chip->auth in tpm2_start_auth_session()

by Jarkko Sakkinen

Move allocation of chip->auth to tpm2_start_auth_session() so that the field can be used as flag to tell whether auth session is active or not. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Change to bug. v3: - No changes. v2: - A new patch. --- drivers/char/tpm/tpm2-sessions.c | 43 +++++++++++++++++++------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 42eb910e9acc..6371e0ee88b0 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -484,7 +484,8 @@ static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v, sha256_final(&sctx, out); } -static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) +static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip, + struct tpm2_auth *auth) { struct crypto_kpp *kpp; struct kpp_request *req; @@ -543,7 +544,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) sg_set_buf(&s[0], chip->null_ec_key_x, EC_PT_SZ); sg_set_buf(&s[1], chip->null_ec_key_y, EC_PT_SZ); kpp_request_set_input(req, s, EC_PT_SZ*2); - sg_init_one(d, chip->auth->salt, EC_PT_SZ); + sg_init_one(d, auth->salt, EC_PT_SZ); kpp_request_set_output(req, d, EC_PT_SZ); crypto_kpp_compute_shared_secret(req); kpp_request_free(req); @@ -554,8 +555,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) * This works because KDFe fully consumes the secret before it * writes the salt */ - tpm2_KDFe(chip->auth->salt, "SECRET", x, chip->null_ec_key_x, - chip->auth->salt); + tpm2_KDFe(auth->salt, "SECRET", x, chip->null_ec_key_x, auth->salt); out: crypto_free_kpp(kpp); @@ -854,6 +854,8 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, /* manually close the session if it wasn't consumed */ tpm2_flush_context(chip, auth->handle); memzero_explicit(auth, sizeof(*auth)); + kfree(auth); + chip->auth = NULL; } else { /* reset for next use */ auth->session = TPM_HEADER_SIZE; @@ -882,6 +884,8 @@ void tpm2_end_auth_session(struct tpm_chip *chip) tpm2_flush_context(chip, auth->handle); memzero_explicit(auth, sizeof(*auth)); + kfree(auth); + chip->auth = NULL; } EXPORT_SYMBOL(tpm2_end_auth_session); @@ -969,25 +973,29 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) */ int tpm2_start_auth_session(struct tpm_chip *chip) { + struct tpm2_auth *auth; struct tpm_buf buf; - struct tpm2_auth *auth = chip->auth; - int rc; u32 null_key; + int rc; - if (!auth) { - dev_warn_once(&chip->dev, "auth session is not active\n"); + if (chip->auth) { + dev_warn_once(&chip->dev, "auth session is active\n"); return 0; } + auth = kzalloc(sizeof(*auth), GFP_KERNEL); + if (!auth) + return -ENOMEM; + rc = tpm2_load_null(chip, &null_key); if (rc) - goto out; + goto err; auth->session = TPM_HEADER_SIZE; rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS); if (rc) - goto out; + goto err; /* salt key handle */ tpm_buf_append_u32(&buf, null_key); @@ -999,7 +1007,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce)); /* append encrypted salt and squirrel away unencrypted in auth */ - tpm_buf_append_salt(&buf, chip); + tpm_buf_append_salt(&buf, chip, auth); /* session type (HMAC, audit or policy) */ tpm_buf_append_u8(&buf, TPM2_SE_HMAC); @@ -1020,10 +1028,13 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_destroy(&buf); - if (rc) - goto out; + if (rc == TPM2_RC_SUCCESS) { + chip->auth = auth; + return 0; + } - out: +err: + kfree(auth); return rc; } EXPORT_SYMBOL(tpm2_start_auth_session); @@ -1375,10 +1386,6 @@ int tpm2_sessions_init(struct tpm_chip *chip) if (rc) return rc; - chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); - if (!chip->auth) - return -ENOMEM; - return rc; } #endif /* CONFIG_TCG_TPM2_HMAC */ -- 2.46.0

1 year

1
0
0 0

[PATCH v4 3/5] tpm: flush the null key only when /dev/tpm0 is accessed

by Jarkko Sakkinen

Instead of flushing and reloading the null key for every single auth session, flush it only when: 1. User space needs to access /dev/tpm{rm}0. 2. When going to sleep. 3. When unregistering the chip. This removes the need to load and swap the null key between TPM and regular memory per transaction, when the user space is not using the chip. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Changed to bug fix as not having the patch there is a major hit to bootup times. v3: - Unchanged. v2: - Refined the commit message. - Added tested-by from Pengyu Ma <mapengyu(a)gmail.com>. - Removed spurious pr_info() statement. --- drivers/char/tpm/tpm-chip.c | 13 +++++++++++++ drivers/char/tpm/tpm-dev-common.c | 7 +++++++ drivers/char/tpm/tpm-interface.c | 9 +++++++-- drivers/char/tpm/tpm2-cmd.c | 3 +++ drivers/char/tpm/tpm2-sessions.c | 17 ++++++++++++++--- include/linux/tpm.h | 2 ++ 6 files changed, 46 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 854546000c92..0ea00e32f575 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -674,6 +674,19 @@ EXPORT_SYMBOL_GPL(tpm_chip_register); */ void tpm_chip_unregister(struct tpm_chip *chip) { +#ifdef CONFIG_TCG_TPM2_HMAC + int rc; + + rc = tpm_try_get_ops(chip); + if (!rc) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; + } + tpm_put_ops(chip); + } +#endif + tpm_del_legacy_sysfs(chip); if (tpm_is_hwrng_enabled(chip)) hwrng_unregister(&chip->hwrng); diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 30b4c288c1bb..4eaa8e05c291 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -27,6 +27,13 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, struct tpm_header *header = (void *)buf; ssize_t ret, len; +#ifdef CONFIG_TCG_TPM2_HMAC + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; + } +#endif + ret = tpm2_prepare_space(chip, space, buf, bufsiz); /* If the command is not implemented by the TPM, synthesize a * response with a TPM2_RC_COMMAND_CODE return for user-space. diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 5da134f12c9a..bfa47d48b0f2 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -379,10 +379,15 @@ int tpm_pm_suspend(struct device *dev) rc = tpm_try_get_ops(chip); if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) + if (chip->flags & TPM_CHIP_FLAG_TPM2) { +#ifdef CONFIG_TCG_TPM2_HMAC + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; +#endif tpm2_shutdown(chip, TPM2_SU_STATE); - else + } else { rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + } tpm_put_ops(chip); } diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 1e856259219e..aba024cbe7c5 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -364,6 +364,9 @@ void tpm2_flush_context(struct tpm_chip *chip, u32 handle) struct tpm_buf buf; int rc; + if (!handle) + return; + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT); if (rc) { dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n", diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index a62f64e21511..42eb910e9acc 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -920,11 +920,19 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) u32 tmp_null_key; int rc; + /* fast path */ + if (chip->null_key) { + *null_key = chip->null_key; + return 0; + } + rc = tpm2_load_context(chip, chip->null_key_context, &offset, &tmp_null_key); if (rc != -EINVAL) { - if (!rc) + if (!rc) { + chip->null_key = tmp_null_key; *null_key = tmp_null_key; + } return rc; } dev_info(&chip->dev, "the null key has been reset\n"); @@ -935,6 +943,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) /* Return the null key if the name has not been changed: */ if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + chip->null_key = tmp_null_key; *null_key = tmp_null_key; return 0; } @@ -1005,7 +1014,6 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append_u16(&buf, TPM_ALG_SHA256); rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); - tpm2_flush_context(chip, null_key); if (rc == TPM2_RC_SUCCESS) rc = tpm2_parse_start_auth_session(auth, &buf); @@ -1337,7 +1345,10 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) rc = tpm2_save_context(chip, null_key, chip->null_key_context, sizeof(chip->null_key_context), &offset); - tpm2_flush_context(chip, null_key); + if (rc) + tpm2_flush_context(chip, null_key); + else + chip->null_key = null_key; } if (rc < 0) diff --git a/include/linux/tpm.h b/include/linux/tpm.h index e93ee8d936a9..4eb39db80e05 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -205,6 +205,8 @@ struct tpm_chip { #ifdef CONFIG_TCG_TPM2_HMAC /* details for communication security via sessions */ + /* loaded null key */ + u32 null_key; /* saved context for NULL seed */ u8 null_key_context[TPM2_MAX_CONTEXT_SIZE]; /* name of NULL seed */ -- 2.46.0

1 year

1
0
0 0

[PATCH v4 2/5] tpm: Return on tpm2_create_primary() failure in tpm2_load_null()

by Jarkko Sakkinen

tpm2_load_null() ignores the return value of tpm2_create_primary(). Further, it does not heal from the situation when memcmp() returns zero. Address this by returning on failure and saving the null key if there was no detected interference in the bus. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v3: - Update log messages. Previously the log message incorrectly stated on load failure that integrity check had been failed, even tho the check is done *after* the load operation. v2: - Refined the commit message. - Reverted tpm2_create_primary() changes. They are not required if tmp_null_key is used as the parameter. --- drivers/char/tpm/tpm2-sessions.c | 38 +++++++++++++++++--------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 795f4c7c6adb..a62f64e21511 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -915,32 +915,34 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth, static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset = 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; rc = tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc != -EINVAL) + &tmp_null_key); + if (rc != -EINVAL) { + if (!rc) + *null_key = tmp_null_key; return rc; + } + dev_info(&chip->dev, "the null key has been reset\n"); - /* an integrity failure may mean the TPM has been reset */ - dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) - /* name unchanged, assume transient integrity failure */ + rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) return rc; - /* - * Fatal TPM failure: the NULL seed has actually changed, so - * the TPM must have been illegally reset. All in-kernel TPM - * operations will fail because the NULL primary can't be - * loaded to salt the sessions, but disable the TPM anyway so - * userspace programmes can't be compromised by it. - */ - dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n"); - chip->flags |= TPM_CHIP_FLAG_DISABLE; + /* Return the null key if the name has not been changed: */ + if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + *null_key = tmp_null_key; + return 0; + } + + /* Deduce from the name change TPM interference: */ + dev_err(&chip->dev, "the null key integrity check failedh\n"); + tpm2_flush_context(chip, tmp_null_key); + chip->flags |= TPM_CHIP_FLAG_DISABLE; return rc; } -- 2.46.0

1 year

1
0
0 0

[PATCH v4 1/5] tpm: Return on tpm2_create_null_primary() failure

by Jarkko Sakkinen

tpm2_sessions_init() does not ignores the result of saving the null key. Address this by printing either TPM or POSIX error code, and returning -ENODEV back to the caller. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Fixed up stable version. v3: - Handle TPM and POSIX error separately and return -ENODEV always back to the caller. v2: - Refined the commit message. --- drivers/char/tpm/tpm2-sessions.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index d3521aadd43e..795f4c7c6adb 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1338,7 +1338,13 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) tpm2_flush_context(chip, null_key); } - return rc; + if (rc < 0) + dev_err(&chip->dev, "saving the null key failed with error %d\n", rc); + else if (rc > 0) + dev_err(&chip->dev, "saving the null key failed with TPM error 0x%04X\n", rc); + + /* Map all errors to -ENODEV: */ + return rc ? -ENODEV : rc; } /** @@ -1354,7 +1360,7 @@ int tpm2_sessions_init(struct tpm_chip *chip) rc = tpm2_create_null_primary(chip); if (rc) - dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc); + return rc; chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); if (!chip->auth) -- 2.46.0

1 year

1
0
0 0

[PATCH 5.10.y] udf: Fold udf_getblk() into udf_bread()

by Sergey Shtylyov

From: Jan Kara <jack(a)suse.cz> udf_getblk() has a single call site. Fold it there. [Sergey: moved back to using udf_get_block() and buffer_{mapped|new}().] Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- This patch prevents NULL pointer dereference in case sb_getblk() fails... fs/udf/inode.c | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) Index: linux-stable/fs/udf/inode.c =================================================================== --- linux-stable.orig/fs/udf/inode.c +++ linux-stable/fs/udf/inode.c @@ -458,30 +458,6 @@ abort: return err; } -static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, - int create, int *err) -{ - struct buffer_head *bh; - struct buffer_head dummy; - - dummy.b_state = 0; - dummy.b_blocknr = -1000; - *err = udf_get_block(inode, block, &dummy, create); - if (!*err && buffer_mapped(&dummy)) { - bh = sb_getblk(inode->i_sb, dummy.b_blocknr); - if (buffer_new(&dummy)) { - lock_buffer(bh); - memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); - set_buffer_uptodate(bh); - unlock_buffer(bh); - mark_buffer_dirty_inode(bh, inode); - } - return bh; - } - - return NULL; -} - /* Extend the file with new blocks totaling 'new_block_bytes', * return the number of extents added */ @@ -1197,10 +1173,27 @@ struct buffer_head *udf_bread(struct ino int create, int *err) { struct buffer_head *bh = NULL; + struct buffer_head dummy; + + dummy.b_state = 0; + dummy.b_blocknr = -1000; + *err = udf_get_block(inode, block, &dummy, create); + if (*err || !buffer_mapped(&dummy)) + return NULL; - bh = udf_getblk(inode, block, create, err); - if (!bh) + bh = sb_getblk(inode->i_sb, dummy.b_blocknr); + if (!bh) { + *err = -ENOMEM; return NULL; + } + if (buffer_new(&dummy)) { + lock_buffer(bh); + memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); + set_buffer_uptodate(bh); + unlock_buffer(bh); + mark_buffer_dirty_inode(bh, inode); + return bh; + } if (buffer_uptodate(bh)) return bh;

1 year

1
0
0 0

stable request for kernel 6.1/6.6 for commit f3c89983cb4f ("block: Fix where bio IO priority gets set")

by Jinpu Wang

Hi Greg, hi Sasha, Please applied f3c89983cb4f ("block: Fix where bio IO priority gets set") to stable 6.1+, it applies cleanly to v6.1.110/v6.6.51. Thx! Jinpu Wang @ IONOS

1 year

1
0
0 0

Request to revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex" from 5.15/6.1/6.6

by Fedor Pchelkin

Hi, Upstream commit 1474bc87fe57 ("wifi: cfg80211: check wiphy mutex is held for wdev mutex") has been backported recently to 5.15/6.1/6.6 stable branches. After that we started seeing numerous lockdep assertion splats in these kernels originating from different parts of wireless stack where wdev_lock() is called. There is also a huge pile of them already found in Syzbot [1,2,3]. Digging more into the issue it appears that the blamed commit is a part of a much larger series [4] with locking cleanups and improvements for the whole wireless subsystem. The series was merged at 6.7. The cover letter for the series says: There's a kind of pointless commit in there that adds some wiphy locking assertions to the wdev as an intermediate step, I can remove that if you think that's better. We ran with it at that intermediate stage for a while to test things. So backporting this commit to stable branches without taking the series as a whole is pointless and just leads to bogus lockdep assertion splats there. The series itself is an improvement and cleanup work and therefore is not considered as material for old stable kernels. The solution which comes to mind is to revert this backported patch from the affected stable branches. Namely: - 5.15 https://lore.kernel.org/stable/20240901160825.013135421@linuxfoundation.org/ - 6.1 https://lore.kernel.org/stable/20240827143842.546537850@linuxfoundation.org/ - 6.6 https://lore.kernel.org/stable/20240827143846.794100356@linuxfoundation.org/ The intention why it was suddenly backported to these branches a year after merge-to-upstream is not clear actually: there are no stable or Fixes tags in commit message, and I don't find any public request for explicit backport on mailing lists. Please let me know if you can revert the commits yourself or I have to prepare and send them to you. [1]: https://syzkaller.appspot.com/bug?extid=310a1a9715fc1c9ead61 [2]: https://syzkaller.appspot.com/bug?extid=b730e8b6bc76d07fe10b [3]: https://syzkaller.appspot.com/bug?extid=09501cf606ec2823fafa [4]: https://lore.kernel.org/linux-wireless/20230828115927.116700-41-johannes@si… -- Thanks, Fedor

1 year

1
0
0 0

Linux 6.10.11

by Greg Kroah-Hartman

I'm announcing the release of the 6.10.11 kernel. All users of the 6.10 kernel series must upgrade. The updated 6.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/netlink/specs/mptcp_pm.yaml | 1 Makefile | 2 arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++ arch/powerpc/kernel/setup-common.c | 1 arch/powerpc/mm/mem.c | 2 arch/riscv/boot/dts/starfive/jh7110-common.dtsi | 6 arch/riscv/mm/cacheflush.c | 12 arch/s390/Kconfig | 13 + arch/s390/boot/startup.c | 3 arch/x86/hyperv/hv_init.c | 5 arch/x86/include/asm/mshyperv.h | 1 arch/x86/kernel/cpu/mshyperv.c | 20 + drivers/clk/sophgo/clk-cv18xx-ip.c | 2 drivers/clocksource/hyperv_timer.c | 16 + drivers/cxl/acpi.c | 40 +++ drivers/cxl/core/region.c | 23 + drivers/cxl/cxl.h | 3 drivers/cxl/cxlmem.h | 2 drivers/dma-buf/heaps/cma_heap.c | 2 drivers/firmware/qcom/qcom_qseecom_uefisecapp.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 5 drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 76 ++++++ drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.h | 11 drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 63 ++++- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h | 6 drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.h | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 57 ---- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 7 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 20 - drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 20 - drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_phy.c | 55 +--- drivers/gpu/drm/amd/include/atomfirmware.h | 4 drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 drivers/gpu/drm/drm_syncobj.c | 17 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ram.h | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp100.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp102.c | 1 drivers/gpu/drm/xe/compat-i915-headers/i915_drv.h | 2 drivers/gpu/drm/xe/xe_bo.c | 6 drivers/gpu/drm/xe/xe_drm_client.c | 45 +++ drivers/gpu/drm/xe/xe_gsc.c | 4 drivers/gpu/drm/xe/xe_wa.c | 10 drivers/hid/hid-asus.c | 3 drivers/hid/hid-ids.h | 3 drivers/hid/hid-multitouch.c | 33 ++ drivers/hwmon/pmbus/pmbus.h | 6 drivers/hwmon/pmbus/pmbus_core.c | 17 + drivers/input/mouse/synaptics.c | 1 drivers/input/serio/i8042-acpipnpio.h | 9 drivers/input/touchscreen/ads7846.c | 2 drivers/input/touchscreen/edt-ft5x06.c | 6 drivers/md/dm-integrity.c | 4 drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 drivers/net/dsa/ocelot/felix_vsc9959.c | 11 drivers/net/ethernet/faraday/ftgmac100.h | 2 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 drivers/net/ethernet/intel/ice/ice_lib.c | 15 - drivers/net/ethernet/intel/ice/ice_switch.c | 4 drivers/net/ethernet/intel/igb/igb_main.c | 17 + drivers/net/ethernet/jme.c | 10 drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 3 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 59 +++- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 ++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 drivers/net/ethernet/wangxun/libwx/wx_type.h | 6 drivers/net/phy/dp83822.c | 35 +- drivers/net/phy/vitesse.c | 14 - drivers/net/usb/ipheth.c | 18 - drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/perf/riscv_pmu_sbi.c | 7 drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 drivers/platform/surface/surface_aggregator_registry.c | 58 ++++ drivers/platform/x86/asus-wmi.c | 16 + drivers/platform/x86/panasonic-laptop.c | 58 +++- drivers/soundwire/stream.c | 8 drivers/spi/spi-geni-qcom.c | 17 - drivers/spi/spi-nxp-fspi.c | 5 drivers/spi/spi-zynqmp-gqspi.c | 30 +- drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +- drivers/usb/typec/ucsi/ucsi.c | 44 ++- drivers/usb/typec/ucsi/ucsi.h | 1 fs/bcachefs/extents.c | 23 + fs/bcachefs/fs-io-buffered.c | 149 +++--------- fs/bcachefs/fs.c | 8 fs/bcachefs/fs.h | 7 fs/bcachefs/fsck.c | 18 + fs/btrfs/inode.c | 1 fs/nfs/delegation.c | 15 - fs/nfs/nfs4proc.c | 9 fs/nfs/pnfs.c | 5 fs/smb/client/cifsencrypt.c | 2 fs/smb/server/mgmt/share_config.c | 15 - fs/smb/server/mgmt/share_config.h | 4 fs/smb/server/mgmt/tree_connect.c | 9 fs/smb/server/mgmt/tree_connect.h | 4 fs/smb/server/smb2pdu.c | 11 fs/smb/server/smb_common.c | 9 fs/smb/server/smb_common.h | 2 include/linux/mlx5/mlx5_ifc.h | 12 include/linux/virtio_net.h | 3 kernel/cgroup/cpuset.c | 33 +- kernel/trace/trace_kprobe.c | 25 +- kernel/trace/trace_osnoise.c | 10 mm/memory.c | 27 +- net/hsr/hsr_device.c | 67 ++++- net/hsr/hsr_forward.c | 37 ++ net/hsr/hsr_framereg.c | 12 net/hsr/hsr_framereg.h | 2 net/hsr/hsr_main.h | 4 net/hsr/hsr_netlink.c | 1 net/ipv4/fou_core.c | 4 net/mptcp/pm_netlink.c | 13 - net/netfilter/nft_socket.c | 7 scripts/kconfig/merge_config.sh | 2 sound/soc/codecs/peb2466.c | 3 sound/soc/intel/common/soc-acpi-intel-lnl-match.c | 1 sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 1 sound/soc/meson/axg-card.c | 3 tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 3 tools/testing/selftests/net/lib/csum.c | 16 + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 134 files changed, 1308 insertions(+), 550 deletions(-) Alex Deucher (1): drm/amdgpu/atomfirmware: Silence UBSAN warning Alexander Gordeev (1): s390/mm: Pin identity mapping base to zero Alexandre Ghiti (1): drivers: perf: Fix smp_processor_id() use in preemptible code Alison Schofield (1): cxl: Restore XOR'd position bits during address translation Anders Roxell (1): scripts: kconfig: merge_config: config files: add a trailing newline Andy Shevchenko (1): eeprom: digsy_mtc: Fix 93xx46 driver probe failure AngeloGioacchino Del Regno (1): drm/mediatek: Set sensible cursor width/height values to fix crash Anirudh Rayabharam (Microsoft) (1): x86/hyperv: fix kexec crash due to VP assist page corruption Arseniy Krasnov (1): ASoC: meson: axg-card: fix 'use-after-free' Asbjørn Sloth Tønnesen (1): netlink: specs: mptcp: fix port endianness Bard Liao (2): ASoC: Intel: soc-acpi-intel-lnl-match: add missing empty item ASoC: Intel: soc-acpi-intel-mtl-match: add missing empty item Ben Skeggs (1): drm/nouveau/fb: restore init() for ramgp102 Benjamin Poirier (1): net/mlx5: Fix bridge mode operations when there are no VFs Bert Karwatzki (1): wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Bouke Sybren Haarsma (2): drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Carolina Jubran (3): net/mlx5: Explicitly set scheduling element and TSAR type net/mlx5: Add missing masks and QoS bit masks for scheduling elements net/mlx5: Verify support for scheduling element and TSAR type Charlie Jenkins (1): riscv: Disable preemption while handling PR_RISCV_CTX_SW_FENCEI_OFF ChenXiaoSong (1): smb/server: fix return value of smb2_open() Christophe Leroy (1): powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Cosmin Ratiu (1): net/mlx5: Correct TASR typo into TSAR Cruise (1): drm/amd/display: Disable error correction if it's not supported Dan Carpenter (1): firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire() Daniele Ceraolo Spurio (2): drm/xe: fix WA 14018094691 drm/xe: use devm instead of drmm for managed bo David (Ming Qiang) Wu (2): drm/amd/amdgpu: apply command submission parser for JPEG v1 drm/amd/amdgpu: apply command submission parser for JPEG v2+ David Howells (1): cifs: Fix signature miscalculation Dexuan Cui (1): clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor Dmitry Savin (1): HID: multitouch: Add support for GT7868Q Edward Adam Davis (1): mptcp: pm: Fix uaf in __timer_delete_sync FUKAUMI Naoki (1): arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Felix Kaechele (1): Input: edt-ft5x06 - add support for FocalTech FT8201 Florian Westphal (1): netfilter: nft_socket: fix sk refcount leaks Foster Snowhill (4): usbnet: ipheth: remove extraneous rx URB length check usbnet: ipheth: drop RX URBs with no payload usbnet: ipheth: do not stop RX on failing RX callback usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman (1): Linux 6.10.11 Han Xu (1): spi: nxp-fspi: fix the KASAN report out-of-bounds bug Hans de Goede (2): platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Heikki Krogerus (1): usb: typec: ucsi: Fix cable registration Ilya Bakoulin (1): drm/amd/display: Fix FEC_READY write on DP LT Jacky Chou (1): net: ftgmac100: Enable TX interrupt to avoid TX timeout Jacob Keller (1): ice: fix accounting for filters shared by multiple VSIs Jameson Thies (2): usb: typec: ucsi: Always set number of alternate modes usb: typec: ucsi: Only set number of plug altmodes after registration Jani Nikula (1): drm/xe/display: fix compat IS_DISPLAY_STEP() range end Jeff Layton (1): btrfs: update target inode's ctime on unlink Jeongjun Park (1): net: hsr: prevent NULL pointer dereference in hsr_proxy_announce() Jiawen Wu (1): net: libwx: fix number of Rx and Tx descriptors Jinjie Ruan (2): spi: geni-qcom: Undo runtime PM changes at driver exit time spi: geni-qcom: Fix incorrect free_irq() sequence Jonathan Denose (1): Input: synaptics - enable SMBus for HP Elitebook 840 G2 Kent Overstreet (3): bcachefs: Fix bch2_extents_match() false positive bcachefs: Revert lockless buffered IO path bcachefs: Don't delete open files in online fsck Krzysztof Kozlowski (1): soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Li Qiang (1): clk/sophgo: Using BUG() instead of unreachable() in mmux_get_parent_id() Linus Torvalds (1): mm: avoid leaving partial pfn mappings around in error case Lorenzo Stoakes (1): minmax: reduce min/max macro expansion in atomisp driver Lukasz Majewski (1): net: hsr: Send supervisory frames to HSR network with ProxyNodeTable data Luke D. Jones (2): hid-asus: add ROG Ally X prod ID to quirk list platform/x86: asus-wmi: Add quirk for ROG Ally X Maher Sanalla (1): net/mlx5: Update the list of the PCI supported devices Marek Vasut (1): Input: ads7846 - ratelimit the spi_sync error message Martyna Szapar-Mudlaw (1): ice: Fix lldp packets dropping after changing the number of channels Masami Hiramatsu (Google) (1): tracing/kprobes: Fix build error when find_module() is not available Matthew Auld (2): drm/xe/client: fix deadlock in show_meminfo() drm/xe/client: add missing bo locking in show_meminfo() Matthieu Baerts (NGI0) (1): selftests: mptcp: join: restrict fullmesh endp on 1st sf Maximilian Luz (5): platform/surface: aggregator_registry: Add Support for Surface Pro 10 platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 platform/surface: aggregator_registry: Add support for Surface Laptop Studio 2 platform/surface: aggregator_registry: Add fan and thermal sensor support for Surface Laptop 5 platform/surface: aggregator_registry: Add support for Surface Laptop 6 Michal Luczaj (1): selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Michal Schmidt (1): ice: fix VSI lists confusion when adding VLANs Mika Westerberg (1): pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Mikulas Patocka (1): dm-integrity: fix a race condition when accessing recalc_sector Moon Yeounsu (1): net: ethernet: use ip_hdrlen() instead of bit shift Muhammad Usama Anjum (1): fou: fix initialization of grc Namjae Jeon (2): ksmbd: override fsids for share path check ksmbd: override fsids for smb2_query_info() Naveen Mamindlapalli (1): octeontx2-af: Modify SMQ flush sequence to drop packets Ngai-Mint Kwan (1): drm/xe/xe2lpm: Extend Wa_16021639441 Nikita Zhandarovich (1): drm/i915/guc: prevent a possible int overflow in wq offsets Patryk Biel (1): hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Pawel Dembicki (1): net: phy: vitesse: repair vsc73xx autonegotiation Peiyang Wang (1): net: hns3: use correct release function during uninitialization Quentin Schulz (2): arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Rob Clark (1): drm/msm/adreno: Fix error return if missing firmware-name Sean Anderson (3): spi: zynqmp-gqspi: Scale timeout by data size selftests: net: csum: Fix checksums for packets with non-zero padding net: dpaa: Pad packets to ETH_ZLEN Shahar Shitrit (2): net/mlx5e: Add missing link modes to ptys2ethtool_map net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Sriram Yagnaraman (1): igb: Always call igb_xdp_ring_update_tail() under Tx lock Steven Rostedt (1): tracing/osnoise: Fix build when timerlat is not enabled Su Hui (1): ASoC: codecs: avoid possible garbage value in peb2466_reg_read() T.J. Mercier (2): drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl dma-buf: heaps: Fix off-by-one in CMA heap fault handler Takashi Iwai (1): Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Tobias Jakobi (2): drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct() drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct() Tomas Paukrt (1): net: phy: dp83822: Fix NULL pointer dereference on DP83825 devices Trond Myklebust (2): NFSv4: Fix clearing of layout segments in layoutreturn NFS: Avoid unnecessary rescanning of the per-server delegation list Waiman Long (1): cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug Willem de Bruijn (1): net: tighten bad gso csum offset check in virtio_net_hdr Xiaoliang Yang (1): net: dsa: felix: ignore pending status of TAS module when it's disabled Xingyu Wu (1): riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting PLL0 rate to 1.5GHz Yinjie Yao (1): drm/amdgpu: Update kmd_fw_shared for VCN5 peng guo (1): cxl/core: Fix incorrect vendor debug UUID define

1 year

1
1
0 0

Linux 6.6.52

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.52 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 +++ arch/powerpc/kernel/setup-common.c | 1 arch/powerpc/mm/mem.c | 2 arch/riscv/boot/dts/starfive/jh7110-starfive-visionfive-2.dtsi | 4 arch/x86/hyperv/hv_init.c | 5 arch/x86/include/asm/mshyperv.h | 1 arch/x86/kernel/cpu/mshyperv.c | 4 drivers/cxl/cxlmem.h | 2 drivers/dma-buf/heaps/cma_heap.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 76 ++++++++ drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.h | 11 + drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_phy.c | 55 ++---- drivers/gpu/drm/amd/include/atomfirmware.h | 4 drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 + drivers/gpu/drm/drm_syncobj.c | 17 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ram.h | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp100.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp102.c | 1 drivers/hid/hid-ids.h | 2 drivers/hid/hid-multitouch.c | 33 +++ drivers/hwmon/pmbus/pmbus.h | 6 drivers/hwmon/pmbus/pmbus_core.c | 17 + drivers/iio/adc/ad7124.c | 58 ++---- drivers/infiniband/hw/mlx5/main.c | 2 drivers/input/mouse/synaptics.c | 1 drivers/input/serio/i8042-acpipnpio.h | 9 drivers/input/touchscreen/ads7846.c | 2 drivers/md/dm-integrity.c | 4 drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 drivers/net/dsa/ocelot/felix_vsc9959.c | 11 - drivers/net/ethernet/faraday/ftgmac100.h | 2 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 drivers/net/ethernet/intel/ice/ice_lib.c | 15 - drivers/net/ethernet/intel/ice/ice_switch.c | 4 drivers/net/ethernet/intel/igb/igb_main.c | 17 + drivers/net/ethernet/jme.c | 10 - drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 3 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 59 +++++- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 + drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 +++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/mellanox/mlx5/core/port.c | 2 drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 drivers/net/ethernet/xilinx/xilinx_axienet.h | 3 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 drivers/net/phy/vitesse.c | 14 - drivers/net/usb/ipheth.c | 18 + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/nvmem/core.c | 13 + drivers/nvmem/u-boot-env.c | 91 +++++----- drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 drivers/platform/surface/surface_aggregator_registry.c | 8 drivers/platform/x86/panasonic-laptop.c | 58 +++++- drivers/soundwire/stream.c | 8 drivers/spi/spi-geni-qcom.c | 17 - drivers/spi/spi-nxp-fspi.c | 5 drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 ++ fs/btrfs/inode.c | 1 fs/nfs/delegation.c | 15 - fs/nfs/nfs4proc.c | 9 fs/nfs/pnfs.c | 5 fs/smb/client/cifsencrypt.c | 2 fs/smb/server/mgmt/share_config.c | 15 + fs/smb/server/mgmt/share_config.h | 4 fs/smb/server/mgmt/tree_connect.c | 9 fs/smb/server/mgmt/tree_connect.h | 4 fs/smb/server/smb2pdu.c | 11 - fs/smb/server/smb_common.c | 9 fs/smb/server/smb_common.h | 2 include/linux/mlx5/mlx5_ifc.h | 12 + include/linux/mlx5/port.h | 2 include/linux/nvmem-consumer.h | 1 include/linux/property.h | 8 include/linux/virtio_net.h | 3 kernel/trace/trace_osnoise.c | 10 - mm/memory.c | 27 ++ net/ipv4/fou_core.c | 4 net/mptcp/pm_netlink.c | 13 - net/netfilter/nft_socket.c | 7 scripts/kconfig/merge_config.sh | 2 sound/soc/codecs/peb2466.c | 3 sound/soc/meson/axg-card.c | 3 tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 3 tools/testing/selftests/net/csum.c | 16 + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 91 files changed, 741 insertions(+), 325 deletions(-) Alex Deucher (1): drm/amdgpu/atomfirmware: Silence UBSAN warning Anders Roxell (1): scripts: kconfig: merge_config: config files: add a trailing newline Andy Shevchenko (1): eeprom: digsy_mtc: Fix 93xx46 driver probe failure Anirudh Rayabharam (Microsoft) (1): x86/hyperv: fix kexec crash due to VP assist page corruption Arseniy Krasnov (1): ASoC: meson: axg-card: fix 'use-after-free' Ben Skeggs (1): drm/nouveau/fb: restore init() for ramgp102 Benjamin Poirier (1): net/mlx5: Fix bridge mode operations when there are no VFs Bert Karwatzki (1): wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Bouke Sybren Haarsma (2): drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Carolina Jubran (3): net/mlx5: Explicitly set scheduling element and TSAR type net/mlx5: Add missing masks and QoS bit masks for scheduling elements net/mlx5: Verify support for scheduling element and TSAR type ChenXiaoSong (1): smb/server: fix return value of smb2_open() Christophe Leroy (1): powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Cosmin Ratiu (1): net/mlx5: Correct TASR typo into TSAR Cruise (1): drm/amd/display: Disable error correction if it's not supported David (Ming Qiang) Wu (1): drm/amd/amdgpu: apply command submission parser for JPEG v1 David Howells (1): cifs: Fix signature miscalculation Dmitry Savin (1): HID: multitouch: Add support for GT7868Q Dumitru Ceclan (1): iio: adc: ad7124: fix DT configuration parsing Edward Adam Davis (1): mptcp: pm: Fix uaf in __timer_delete_sync FUKAUMI Naoki (1): arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Florian Westphal (1): netfilter: nft_socket: fix sk refcount leaks Foster Snowhill (4): usbnet: ipheth: remove extraneous rx URB length check usbnet: ipheth: drop RX URBs with no payload usbnet: ipheth: do not stop RX on failing RX callback usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman (1): Linux 6.6.52 Han Xu (1): spi: nxp-fspi: fix the KASAN report out-of-bounds bug Hans de Goede (2): platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Ilya Bakoulin (1): drm/amd/display: Fix FEC_READY write on DP LT Jacky Chou (1): net: ftgmac100: Enable TX interrupt to avoid TX timeout Jacob Keller (1): ice: fix accounting for filters shared by multiple VSIs Jeff Layton (1): btrfs: update target inode's ctime on unlink Jinjie Ruan (2): spi: geni-qcom: Undo runtime PM changes at driver exit time spi: geni-qcom: Fix incorrect free_irq() sequence John Thomson (1): nvmem: u-boot-env: error if NVMEM device is too small Jonathan Cameron (3): device property: Add cleanup.h based fwnode_handle_put() scope based cleanup. device property: Introduce device_for_each_child_node_scoped() iio: adc: ad7124: Switch from of specific to fwnode based property handling Jonathan Denose (1): Input: synaptics - enable SMBus for HP Elitebook 840 G2 Krzysztof Kozlowski (1): soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Linus Torvalds (1): mm: avoid leaving partial pfn mappings around in error case Lorenzo Stoakes (1): minmax: reduce min/max macro expansion in atomisp driver Maher Sanalla (1): net/mlx5: Update the list of the PCI supported devices Marek Vasut (1): Input: ads7846 - ratelimit the spi_sync error message Martyna Szapar-Mudlaw (1): ice: Fix lldp packets dropping after changing the number of channels Matthieu Baerts (NGI0) (1): selftests: mptcp: join: restrict fullmesh endp on 1st sf Maximilian Luz (2): platform/surface: aggregator_registry: Add Support for Surface Pro 10 platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Michal Luczaj (1): selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Michal Schmidt (1): ice: fix VSI lists confusion when adding VLANs Mika Westerberg (1): pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Mikulas Patocka (1): dm-integrity: fix a race condition when accessing recalc_sector Moon Yeounsu (1): net: ethernet: use ip_hdrlen() instead of bit shift Muhammad Usama Anjum (1): fou: fix initialization of grc Namjae Jeon (2): ksmbd: override fsids for share path check ksmbd: override fsids for smb2_query_info() Naveen Mamindlapalli (1): octeontx2-af: Modify SMQ flush sequence to drop packets Nikita Zhandarovich (1): drm/i915/guc: prevent a possible int overflow in wq offsets Patrisious Haddad (1): IB/mlx5: Rename 400G_8X speed to comply to naming convention Patryk Biel (1): hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Pawel Dembicki (1): net: phy: vitesse: repair vsc73xx autonegotiation Peiyang Wang (1): net: hns3: use correct release function during uninitialization Quentin Schulz (2): arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Rafał Miłecki (4): nvmem: core: add nvmem_dev_size() helper nvmem: u-boot-env: use nvmem_add_one_cell() nvmem subsystem helper nvmem: u-boot-env: use nvmem device helpers nvmem: u-boot-env: improve coding style Rob Clark (1): drm/msm/adreno: Fix error return if missing firmware-name Sean Anderson (3): net: xilinx: axienet: Fix race in axienet_stop selftests: net: csum: Fix checksums for packets with non-zero padding net: dpaa: Pad packets to ETH_ZLEN Shahar Shitrit (2): net/mlx5e: Add missing link modes to ptys2ethtool_map net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Sriram Yagnaraman (1): igb: Always call igb_xdp_ring_update_tail() under Tx lock Steven Rostedt (1): tracing/osnoise: Fix build when timerlat is not enabled Su Hui (1): ASoC: codecs: avoid possible garbage value in peb2466_reg_read() T.J. Mercier (2): drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl dma-buf: heaps: Fix off-by-one in CMA heap fault handler Takashi Iwai (1): Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Trond Myklebust (2): NFSv4: Fix clearing of layout segments in layoutreturn NFS: Avoid unnecessary rescanning of the per-server delegation list Willem de Bruijn (1): net: tighten bad gso csum offset check in virtio_net_hdr William Qiu (1): riscv: dts: starfive: add assigned-clock* to limit frquency Xiaoliang Yang (1): net: dsa: felix: ignore pending status of TAS module when it's disabled peng guo (1): cxl/core: Fix incorrect vendor debug UUID define

1 year

1
1
0 0

Linux 6.1.111

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.111 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++- arch/powerpc/kernel/setup-common.c | 1 arch/powerpc/mm/mem.c | 2 drivers/cxl/cxlmem.h | 2 drivers/dma-buf/heaps/cma_heap.c | 2 drivers/gpu/drm/amd/include/atomfirmware.h | 4 drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 drivers/hid/hid-ids.h | 2 drivers/hid/hid-multitouch.c | 33 ++ drivers/hwmon/pmbus/pmbus.h | 6 drivers/hwmon/pmbus/pmbus_core.c | 17 + drivers/input/mouse/synaptics.c | 1 drivers/input/serio/i8042-acpipnpio.h | 9 drivers/input/touchscreen/ads7846.c | 2 drivers/md/dm-integrity.c | 4 drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 drivers/net/ethernet/faraday/ftgmac100.h | 2 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 drivers/net/ethernet/intel/ice/ice_switch.c | 2 drivers/net/ethernet/intel/igb/igb_main.c | 17 + drivers/net/ethernet/jme.c | 10 drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 15 + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 177 +++++++++++++++- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 ++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 drivers/net/ethernet/xilinx/xilinx_axienet.h | 3 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 drivers/net/phy/vitesse.c | 14 - drivers/net/usb/ipheth.c | 5 drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 drivers/platform/surface/surface_aggregator_registry.c | 8 drivers/platform/x86/panasonic-laptop.c | 58 ++++- drivers/soc/ti/omap_prm.c | 2 drivers/soundwire/stream.c | 8 drivers/spi/spi-geni-qcom.c | 22 - drivers/spi/spi-nxp-fspi.c | 5 drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +- fs/btrfs/inode.c | 1 fs/nfs/delegation.c | 15 - fs/nfs/nfs4proc.c | 9 fs/nfs/pnfs.c | 5 fs/ntfs3/attrlist.c | 4 fs/ntfs3/bitmap.c | 4 fs/ntfs3/frecord.c | 4 fs/ntfs3/super.c | 2 fs/smb/server/mgmt/share_config.c | 15 + fs/smb/server/mgmt/share_config.h | 4 fs/smb/server/mgmt/tree_connect.c | 9 fs/smb/server/mgmt/tree_connect.h | 4 fs/smb/server/smb2pdu.c | 11 fs/smb/server/smb_common.c | 9 fs/smb/server/smb_common.h | 2 include/linux/mlx5/mlx5_ifc.h | 12 - include/linux/virtio_net.h | 3 mm/memory.c | 27 +- net/ipv4/fou.c | 4 net/mptcp/pm_netlink.c | 13 - net/netfilter/nft_socket.c | 7 scripts/kconfig/merge_config.sh | 2 sound/soc/meson/axg-card.c | 3 tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 3 68 files changed, 603 insertions(+), 173 deletions(-) Alex Deucher (1): drm/amdgpu/atomfirmware: Silence UBSAN warning Anders Roxell (1): scripts: kconfig: merge_config: config files: add a trailing newline Andy Shevchenko (1): eeprom: digsy_mtc: Fix 93xx46 driver probe failure Arseniy Krasnov (1): ASoC: meson: axg-card: fix 'use-after-free' Benjamin Poirier (1): net/mlx5: Fix bridge mode operations when there are no VFs Bouke Sybren Haarsma (2): drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Carolina Jubran (3): net/mlx5: Explicitly set scheduling element and TSAR type net/mlx5: Add missing masks and QoS bit masks for scheduling elements net/mlx5: Verify support for scheduling element and TSAR type ChenXiaoSong (1): smb/server: fix return value of smb2_open() Christophe Leroy (1): powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Cosmin Ratiu (1): net/mlx5: Correct TASR typo into TSAR Dmitry Savin (1): HID: multitouch: Add support for GT7868Q Edward Adam Davis (1): mptcp: pm: Fix uaf in __timer_delete_sync FUKAUMI Naoki (1): arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Florian Westphal (1): netfilter: nft_socket: fix sk refcount leaks Foster Snowhill (1): usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman (1): Linux 6.1.111 Han Xu (1): spi: nxp-fspi: fix the KASAN report out-of-bounds bug Hans de Goede (2): platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Jacky Chou (1): net: ftgmac100: Enable TX interrupt to avoid TX timeout Jacob Keller (1): ice: fix accounting for filters shared by multiple VSIs Jeff Layton (1): btrfs: update target inode's ctime on unlink Jinjie Ruan (2): spi: geni-qcom: Undo runtime PM changes at driver exit time spi: geni-qcom: Fix incorrect free_irq() sequence Jonathan Denose (1): Input: synaptics - enable SMBus for HP Elitebook 840 G2 Konstantin Komarov (1): fs/ntfs3: Use kvfree to free memory allocated by kvmalloc Krzysztof Kozlowski (1): soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Kunwu Chan (1): pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Linus Torvalds (1): mm: avoid leaving partial pfn mappings around in error case Lorenzo Stoakes (1): minmax: reduce min/max macro expansion in atomisp driver Maher Sanalla (1): net/mlx5: Update the list of the PCI supported devices Marek Vasut (1): Input: ads7846 - ratelimit the spi_sync error message Maximilian Luz (2): platform/surface: aggregator_registry: Add Support for Surface Pro 10 platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Michal Luczaj (1): selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Mika Westerberg (1): pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Mikulas Patocka (1): dm-integrity: fix a race condition when accessing recalc_sector Moon Yeounsu (1): net: ethernet: use ip_hdrlen() instead of bit shift Muhammad Usama Anjum (1): fou: fix initialization of grc Namjae Jeon (2): ksmbd: override fsids for share path check ksmbd: override fsids for smb2_query_info() Naveen Mamindlapalli (2): octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush octeontx2-af: Modify SMQ flush sequence to drop packets Nikita Zhandarovich (1): drm/i915/guc: prevent a possible int overflow in wq offsets Patryk Biel (1): hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Pawel Dembicki (1): net: phy: vitesse: repair vsc73xx autonegotiation Quentin Schulz (2): arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Rob Clark (1): drm/msm/adreno: Fix error return if missing firmware-name Sean Anderson (2): net: xilinx: axienet: Fix race in axienet_stop net: dpaa: Pad packets to ETH_ZLEN Shahar Shitrit (1): net/mlx5e: Add missing link modes to ptys2ethtool_map Sriram Yagnaraman (1): igb: Always call igb_xdp_ring_update_tail() under Tx lock T.J. Mercier (1): dma-buf: heaps: Fix off-by-one in CMA heap fault handler Takashi Iwai (1): Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Trond Myklebust (2): NFSv4: Fix clearing of layout segments in layoutreturn NFS: Avoid unnecessary rescanning of the per-server delegation list Uwe Kleine-König (1): spi: geni-qcom: Convert to platform remove callback returning void Willem de Bruijn (1): net: tighten bad gso csum offset check in virtio_net_hdr peng guo (1): cxl/core: Fix incorrect vendor debug UUID define

1 year

1
1
0 0

[PATCH 1/5] drm/i915/gem: fix bitwise and logical AND mixup

by Jani Nikula

CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND is an int, defaulting to 250. When the wakeref is non-zero, it's either -1 or a dynamically allocated pointer, depending on CONFIG_DRM_I915_DEBUG_RUNTIME_PM. It's likely that the code works by coincidence with the bitwise AND, but with CONFIG_DRM_I915_DEBUG_RUNTIME_PM=y, there's the off chance that the condition evaluates to false, and intel_wakeref_auto() doesn't get called. Switch to the intended logical AND. Fixes: ad74457a6b5a ("drm/i915/dgfx: Release mmap on rpm suspend") Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Anshuman Gupta <anshuman.gupta(a)intel.com> Cc: Andi Shyti <andi.shyti(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v6.1+ Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> --- drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c index 5c72462d1f57..c157ade48c39 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c @@ -1131,7 +1131,7 @@ static vm_fault_t vm_fault_ttm(struct vm_fault *vmf) GEM_WARN_ON(!i915_ttm_cpu_maps_iomem(bo->resource)); } - if (wakeref & CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND) + if (wakeref && CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND) intel_wakeref_auto(&to_i915(obj->base.dev)->runtime_pm.userfault_wakeref, msecs_to_jiffies_timeout(CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND)); -- 2.39.2

1 year

4
4
0 0

AMD Family 0x1a RAPL reading fixes

by Mario Limonciello

Hi, There were some fixes for RAPL reading issues recently on some AMD systems. Can you please bring this commit to 6.6.y, 6.10.y and 6.11.y? commit 166df51097a2 ("powercap/intel_rapl: Add support for AMD family 1Ah") Can you also please bring this commit to 6.10.y and 6.11.y? commit 26096aed255f ("powercap/intel_rapl: Fix the energy-pkg event for AMD CPUs") Thanks!

1 year

1
0
0 0

[PATCH v2] drm/panic: Fix uninitialized spinlock acquisition with CONFIG_DRM_PANIC=n

by Lyude Paul

It turns out that if you happen to have a kernel config where CONFIG_DRM_PANIC is disabled and spinlock debugging is enabled, along with KMS being enabled - we'll end up trying to acquire an uninitialized spin_lock with drm_panic_lock() when we try to do a commit: rvkms rvkms.0: [drm:drm_atomic_commit] committing 0000000068d2ade1 INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 4 PID: 1347 Comm: modprobe Not tainted 6.10.0-rc1Lyude-Test+ #272 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20240524-3.fc40 05/24/2024 Call Trace: <TASK> dump_stack_lvl+0x77/0xa0 assign_lock_key+0x114/0x120 register_lock_class+0xa8/0x2c0 __lock_acquire+0x7d/0x2bd0 ? __vmap_pages_range_noflush+0x3a8/0x550 ? drm_atomic_helper_swap_state+0x2ad/0x3a0 lock_acquire+0xec/0x290 ? drm_atomic_helper_swap_state+0x2ad/0x3a0 ? lock_release+0xee/0x310 _raw_spin_lock_irqsave+0x4e/0x70 ? drm_atomic_helper_swap_state+0x2ad/0x3a0 drm_atomic_helper_swap_state+0x2ad/0x3a0 drm_atomic_helper_commit+0xb1/0x270 drm_atomic_commit+0xaf/0xe0 ? __pfx___drm_printfn_info+0x10/0x10 drm_client_modeset_commit_atomic+0x1a1/0x250 drm_client_modeset_commit_locked+0x4b/0x180 drm_client_modeset_commit+0x27/0x50 __drm_fb_helper_restore_fbdev_mode_unlocked+0x76/0x90 drm_fb_helper_set_par+0x38/0x40 fbcon_init+0x3c4/0x690 visual_init+0xc0/0x120 do_bind_con_driver+0x409/0x4c0 do_take_over_console+0x233/0x280 do_fb_registered+0x11f/0x210 fbcon_fb_registered+0x2c/0x60 register_framebuffer+0x248/0x2a0 __drm_fb_helper_initial_config_and_unlock+0x58a/0x720 drm_fbdev_generic_client_hotplug+0x6e/0xb0 drm_client_register+0x76/0xc0 _RNvXs_CsHeezP08sTT_5rvkmsNtB4_5RvkmsNtNtCs1cdwasc6FUb_6kernel8platform6Driver5probe+0xed2/0x1060 [rvkms] ? _RNvMs_NtCs1cdwasc6FUb_6kernel8platformINtB4_7AdapterNtCsHeezP08sTT_5rvkms5RvkmsE14probe_callbackBQ_+0x2b/0x70 [rvkms] ? acpi_dev_pm_attach+0x25/0x110 ? platform_probe+0x6a/0xa0 ? really_probe+0x10b/0x400 ? __driver_probe_device+0x7c/0x140 ? driver_probe_device+0x22/0x1b0 ? __device_attach_driver+0x13a/0x1c0 ? __pfx___device_attach_driver+0x10/0x10 ? bus_for_each_drv+0x114/0x170 ? __device_attach+0xd6/0x1b0 ? bus_probe_device+0x9e/0x120 ? device_add+0x288/0x4b0 ? platform_device_add+0x75/0x230 ? platform_device_register_full+0x141/0x180 ? rust_helper_platform_device_register_simple+0x85/0xb0 ? _RNvMs2_NtCs1cdwasc6FUb_6kernel8platformNtB5_6Device13create_simple+0x1d/0x60 ? _RNvXs0_CsHeezP08sTT_5rvkmsNtB5_5RvkmsNtCs1cdwasc6FUb_6kernel6Module4init+0x11e/0x160 [rvkms] ? 0xffffffffc083f000 ? init_module+0x20/0x1000 [rvkms] ? kernfs_xattr_get+0x3e/0x80 ? do_one_initcall+0x148/0x3f0 ? __lock_acquire+0x5ef/0x2bd0 ? __lock_acquire+0x5ef/0x2bd0 ? __lock_acquire+0x5ef/0x2bd0 ? put_cpu_partial+0x51/0x1d0 ? lock_acquire+0xec/0x290 ? put_cpu_partial+0x51/0x1d0 ? lock_release+0xee/0x310 ? put_cpu_partial+0x51/0x1d0 ? fs_reclaim_acquire+0x69/0xf0 ? lock_acquire+0xec/0x290 ? fs_reclaim_acquire+0x69/0xf0 ? kfree+0x22f/0x340 ? lock_release+0xee/0x310 ? kmalloc_trace_noprof+0x48/0x340 ? do_init_module+0x22/0x240 ? kmalloc_trace_noprof+0x155/0x340 ? do_init_module+0x60/0x240 ? __se_sys_finit_module+0x2e0/0x3f0 ? do_syscall_64+0xa4/0x180 ? syscall_exit_to_user_mode+0x108/0x140 ? do_syscall_64+0xb0/0x180 ? vma_end_read+0xd0/0xe0 ? do_user_addr_fault+0x309/0x640 ? clear_bhb_loop+0x45/0xa0 ? clear_bhb_loop+0x45/0xa0 ? clear_bhb_loop+0x45/0xa0 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Fix this by stubbing these macros out when this config option isn't enabled, along with fixing the unused variable warning that introduces. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Fixes: e2a1cda3e0c7 ("drm/panic: Add drm panic locking") Cc: <stable(a)vger.kernel.org> # v6.10+ --- V2: * Use static inline instead of macros so we don't need __maybe_unused --- drivers/gpu/drm/drm_atomic_helper.c | 2 +- include/drm/drm_panic.h | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index 43cdf39019a44..5186d2114a503 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -3015,7 +3015,7 @@ int drm_atomic_helper_swap_state(struct drm_atomic_state *state, bool stall) { int i, ret; - unsigned long flags; + unsigned long flags = 0; struct drm_connector *connector; struct drm_connector_state *old_conn_state, *new_conn_state; struct drm_crtc *crtc; diff --git a/include/drm/drm_panic.h b/include/drm/drm_panic.h index 54085d5d05c34..f4e1fa9ae607a 100644 --- a/include/drm/drm_panic.h +++ b/include/drm/drm_panic.h @@ -64,6 +64,8 @@ struct drm_scanout_buffer { }; +#ifdef CONFIG_DRM_PANIC + /** * drm_panic_trylock - try to enter the panic printing critical section * @dev: struct drm_device @@ -149,4 +151,16 @@ struct drm_scanout_buffer { #define drm_panic_unlock(dev, flags) \ raw_spin_unlock_irqrestore(&(dev)->mode_config.panic_lock, flags) +#else + +static inline bool drm_panic_trylock(struct drm_device *dev, unsigned long flags) +{ + return true; +} + +static inline void drm_panic_lock(struct drm_device *dev, unsigned long flags) {} +static inline void drm_panic_unlock(struct drm_device *dev, unsigned long flags) {} + +#endif + #endif /* __DRM_PANIC_H__ */ base-commit: bf05aeac230e390a5aee4bd3dc978b0c4d7e745f -- 2.46.0

1 year

2
2
0 0

[PATCH] ACPI: video: Add backlight=native quirk for Dell OptiPlex 5480 AIO

by Hans de Goede

Dell All In One (AIO) models released after 2017 may use a backlight controller board connected to an UART. In DSDT this uart port will be defined as: Name (_HID, "DELL0501") Name (_CID, EisaId ("PNP0501") The Dell OptiPlex 5480 AIO has an ACPI device for one if its UARTs with the above _HID + _CID. Loading the dell-uart-backlight driver fails with the following errors: [ 18.261353] dell_uart_backlight serial0-0: Timed out waiting for response. [ 18.261356] dell_uart_backlight serial0-0: error -ETIMEDOUT: getting firmware version [ 18.261359] dell_uart_backlight serial0-0: probe with driver dell_uart_backlight failed with error -110 Indicating that there is no backlight controller board attached to the UART, while the GPU's native backlight control method does work. Add a quirk to use the GPU's native backlight control method on this model. Fixes: cd8e468efb4f ("ACPI: video: Add Dell UART backlight controller detection") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/acpi/video_detect.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c index b70e84e8049a..015bd8e66c1c 100644 --- a/drivers/acpi/video_detect.c +++ b/drivers/acpi/video_detect.c @@ -844,6 +844,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = { * controller board in their ACPI tables (and may even have one), but * which need native backlight control nevertheless. */ + { + /* https://github.com/zabbly/linux/issues/26 */ + .callback = video_detect_force_native, + /* Dell OptiPlex 5480 AIO */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), + DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 5480 AIO"), + }, + }, { /* https://bugzilla.redhat.com/show_bug.cgi?id=2303936 */ .callback = video_detect_force_native, -- 2.46.0

1 year

1
0
0 0

[PATCH 0/6] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Comparing to the original patches, the helper vfs_empty_path() is moved to stat.c from linux/fs.h, because get_user() is only available in fs.h since v5.7, where commit 80fbaf1c3f29 ('rcuwait: Add @State argument to rcuwait_wait_event()') added linux/sched/signal.h to rcuwait.h, and uaccess.h finally got its way to fs.h along the path uaccess.h -> sched/task.h -> sched/signal.h -> rcuwait.h -> percpu-rwsem.h -> fs.h. uaccess.h cannot be directly included in fs.h before v5.7, where commit df23e2be3d24 ('acpi: Remove header dependency') removed proc_fs.h from acpi/acpi_bus.h, preventing arch/x86/boot/compressed/cmdline.c from indirectly including fs.h. Otherwise, the function set_fs() defined in asm/uaccess.h will get into cmdline.c, which contains another set_fs(), resulting conflicting function definations. There is no users of vfs_empty_path() except stat.c, and as a result, putting it in stat.c is acceptable. The existing vfs_statx_fd(), which is removed since v5.10, is utilized to implement short-circuit handling of NULL and "" paths, instead of introducing vfs_statx_path(), simplifying the implementation. Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (2): fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Christoph Hellwig (2): fs: implement vfs_stat and vfs_lstat in terms of vfs_fstatat fs: move vfs_fstatat out of line Linus Torvalds (1): vfs: mostly undo glibc turning 'fstat()' into 'fstatat(AT_EMPTY_PATH)' Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/stat.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++----- include/linux/fs.h | 26 ++++++++++-------------- 2 files changed, 63 insertions(+), 21 deletions(-) --- base-commit: 661f109c057497c8baf507a2562ceb9f9fb3cbc2 change-id: 20240918-statx-stable-linux-5-4-y-a79d4268600d Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

1 year

1
6
0 0

[PATCH 0/4] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Modifications are applied to vfs_statx_path(). In the original patch, vfs_statx_path() was created to warp around the call to vfs_getattr() after filename_lookup() in vfs_statx(). Since the coresponding code is different in 5.15 and 5.10, the content of vfs_statx_path() is modified to match this. The original patch also moved path_mounted() from namespace.c to internal.h, which is not applicable for 5.15 and 5.10 since it has not been introduced before 6.5. The original patch also used CLASS(fd_raw, ) to convert a file descriptor number provided from the user space in to a struct and automatically release it afterwards. Since CLASS mechanism is only available since 6.1.79, obtaining and releasing fd struct is done manually. do_statx() was directly handling filename string instead of a struct filename * before 5.18, as a result short-circuiting is implemented in do_statx() instead of sys_statx, without the need of introducing do_statx_fd(). Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (2): fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Linus Torvalds (1): vfs: mostly undo glibc turning 'fstat()' into 'fstatat(AT_EMPTY_PATH)' Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/stat.c | 73 +++++++++++++++++++++++++++++++++++++++++++++--------- include/linux/fs.h | 17 +++++++++++++ 2 files changed, 78 insertions(+), 12 deletions(-) --- base-commit: 3a5928702e7120f83f703fd566082bfb59f1a57e change-id: 20240918-statx-stable-linux-5-15-y-9a30358a7d47 Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

1 year

1
4
0 0

[PATCH 0/5] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Modifications are applied to vfs_statx_path(). In the original patch, vfs_statx_path() was created to warp around the call to vfs_getattr() after filename_lookup() in vfs_statx(). Since the coresponding code is different in 6.1, the content of vfs_statx_path() is modified to match this. The original patch also moved path_mounted() from namespace.c to internal.h, which is not applicable for 6.1 since it has not been introduced before 6.5. Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (3): file: add fd_raw cleanup class fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Linus Torvalds (1): vfs: mostly undo glibc turning 'fstat()' into 'fstatat(AT_EMPTY_PATH)' Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/internal.h | 2 + fs/stat.c | 101 ++++++++++++++++++++++++++++++++++++++++----------- include/linux/file.h | 1 + include/linux/fs.h | 17 +++++++++ 4 files changed, 99 insertions(+), 22 deletions(-) --- base-commit: 5f55cad62cc9d8d29dd3556e0243b14355725ffb change-id: 20240918-statx-stable-linux-6-1-y-37e6ca691c9b Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

1 year

1
5
0 0

[PATCH 0/4] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Modifications are applied to vfs_statx_path(). In the original patch, vfs_statx_path() was created to warp around the call to vfs_getattr() after filename_lookup() in vfs_statx(). Since the coresponding code is different in 6.6, the content of vfs_statx_path() is modified to match this. Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (3): file: add fd_raw cleanup class fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/internal.h | 14 +++++++ fs/namespace.c | 13 ------ fs/stat.c | 113 ++++++++++++++++++++++++++++++++++++--------------- include/linux/file.h | 1 + include/linux/fs.h | 17 ++++++++ 5 files changed, 112 insertions(+), 46 deletions(-) --- base-commit: 6d1dc55b5bab93ef868d223b740d527ee7501063 change-id: 20240918-statx-stable-linux-6-6-y-02566b94440d Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

1 year

1
4
0 0

[PATCH 5.10] crypto: tcrypt - Fix missing return value check

by Denis Arefev

From: Tianjia Zhang <tianjia.zhang(a)linux.alibaba.com> [ Upstream commit 7b3d52683b3a47c0ba1dfd6b5994a3a795b06972 ] There are several places where the return value check of crypto_aead_setkey and crypto_aead_setauthsize were lost. It is necessary to add these checks. At the same time, move the crypto_aead_setauthsize() call out of the loop, and only need to call it once after load transform. Fixes: 53f52d7aecb4 ("crypto: tcrypt - Added speed tests for AEAD crypto alogrithms in tcrypt test suite") Signed-off-by: Tianjia Zhang <tianjia.zhang(a)linux.alibaba.com> Reviewed-by: Vitaly Chikunov <vt(a)altlinux.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- crypto/tcrypt.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c index 7972d2784b3b..580c50afa587 100644 --- a/crypto/tcrypt.c +++ b/crypto/tcrypt.c @@ -290,6 +290,11 @@ static void test_mb_aead_speed(const char *algo, int enc, int secs, } ret = crypto_aead_setauthsize(tfm, authsize); + if (ret) { + pr_err("alg: aead: Failed to setauthsize for %s: %d\n", algo, + ret); + goto out_free_tfm; + } for (i = 0; i < num_mb; ++i) if (testmgr_alloc_buf(data[i].xbuf)) { @@ -315,7 +320,7 @@ static void test_mb_aead_speed(const char *algo, int enc, int secs, for (i = 0; i < num_mb; ++i) { data[i].req = aead_request_alloc(tfm, GFP_KERNEL); if (!data[i].req) { - pr_err("alg: skcipher: Failed to allocate request for %s\n", + pr_err("alg: aead: Failed to allocate request for %s\n", algo); while (i--) aead_request_free(data[i].req); @@ -565,13 +570,19 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs, sgout = &sg[9]; tfm = crypto_alloc_aead(algo, 0, 0); - if (IS_ERR(tfm)) { pr_err("alg: aead: Failed to load transform for %s: %ld\n", algo, PTR_ERR(tfm)); goto out_notfm; } + ret = crypto_aead_setauthsize(tfm, authsize); + if (ret) { + pr_err("alg: aead: Failed to setauthsize for %s: %d\n", algo, + ret); + goto out_noreq; + } + crypto_init_wait(&wait); printk(KERN_INFO "\ntesting speed of %s (%s) %s\n", algo, get_driver_name(crypto_aead, tfm), e); @@ -607,8 +618,13 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs, break; } } + ret = crypto_aead_setkey(tfm, key, *keysize); - ret = crypto_aead_setauthsize(tfm, authsize); + if (ret) { + pr_err("setkey() failed flags=%x: %d\n", + crypto_aead_get_flags(tfm), ret); + goto out; + } iv_len = crypto_aead_ivsize(tfm); if (iv_len) @@ -618,15 +634,8 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs, printk(KERN_INFO "test %u (%d bit key, %d byte blocks): ", i, *keysize * 8, *b_size); - memset(tvmem[0], 0xff, PAGE_SIZE); - if (ret) { - pr_err("setkey() failed flags=%x\n", - crypto_aead_get_flags(tfm)); - goto out; - } - sg_init_aead(sg, xbuf, *b_size + (enc ? 0 : authsize), assoc, aad_size); -- 2.25.1

1 year

1
0
0 0

[PATCH 6.1] drm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()

by Denis Arefev

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> [ Upstream commit 2a3cfb9a24a28da9cc13d2c525a76548865e182c ] Since 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL before the call to dc_enable_dmub_notifications(), check beforehand to ensure there will not be a possible NULL-ptr-deref there. Also, since commit 1e88eb1b2c25 ("drm/amd/display: Drop CONFIG_DRM_AMD_DC_HDCP") there are two separate checks for NULL in 'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy(). Clean up by combining them all under one 'if'. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 81927e2808be ("drm/amd/display: Support for DMUB AUX") Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 393e32259a77..4850aed54604 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -1876,14 +1876,14 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev) dc_deinit_callbacks(adev->dm.dc); #endif - if (adev->dm.dc) + if (adev->dm.dc) { dc_dmub_srv_destroy(&adev->dm.dc->ctx->dmub_srv); - - if (dc_enable_dmub_notifications(adev->dm.dc)) { - kfree(adev->dm.dmub_notify); - adev->dm.dmub_notify = NULL; - destroy_workqueue(adev->dm.delayed_hpd_wq); - adev->dm.delayed_hpd_wq = NULL; + if (dc_enable_dmub_notifications(adev->dm.dc)) { + kfree(adev->dm.dmub_notify); + adev->dm.dmub_notify = NULL; + destroy_workqueue(adev->dm.delayed_hpd_wq); + adev->dm.delayed_hpd_wq = NULL; + } } if (adev->dm.dmub_bo) -- 2.25.1

1 year

1
0
0 0

[PATCH] drbd: Fix atomicity violation in drbd_uuid_set_bm()

by Qiu-ji Chen

The violation of atomicity occurs when the drbd_uuid_set_bm function is executed simultaneously with modifying the value of device->ldev->md.uuid[UI_BITMAP]. Consider a scenario where, while device->ldev->md.uuid[UI_BITMAP] passes the validity check when its value is not zero, the value of device->ldev->md.uuid[UI_BITMAP] is written to zero. In this case, the check in drbd_uuid_set_bm might refer to the old value of device->ldev->md.uuid[UI_BITMAP] (before locking), which allows an invalid value to pass the validity check, resulting in inconsistency. To address this issue, it is recommended to include the data validity check within the locked section of the function. This modification ensures that the value of device->ldev->md.uuid[UI_BITMAP] does not change during the validation process, thereby maintaining its integrity. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 9f2247bb9b75 ("drbd: Protect accesses to the uuid set with a spinlock") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/block/drbd/drbd_main.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c index a9e49b212341..abafc4edf9ed 100644 --- a/drivers/block/drbd/drbd_main.c +++ b/drivers/block/drbd/drbd_main.c @@ -3399,10 +3399,12 @@ void drbd_uuid_new_current(struct drbd_device *device) __must_hold(local) void drbd_uuid_set_bm(struct drbd_device *device, u64 val) __must_hold(local) { unsigned long flags; - if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) + spin_lock_irqsave(&device->ldev->md.uuid_lock, flags); + if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) { + spin_unlock_irqrestore(&device->ldev->md.uuid_lock, flags); return; + } - spin_lock_irqsave(&device->ldev->md.uuid_lock, flags); if (val == 0) { drbd_uuid_move_history(device); device->ldev->md.uuid[UI_HISTORY_START] = device->ldev->md.uuid[UI_BITMAP]; -- 2.34.1

1 year

3
2
0 0

[PATCH 6.6 00/91] 6.6.52-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.52 release. There are 91 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 Sep 2024 11:42:05 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.52-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.52-rc1 William Qiu <william.qiu(a)starfivetech.com> riscv: dts: starfive: add assigned-clock* to limit frquency Arseniy Krasnov <avkrasnov(a)salutedevices.com> ASoC: meson: axg-card: fix 'use-after-free' Mika Westerberg <mika.westerberg(a)linux.intel.com> pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID David Howells <dhowells(a)redhat.com> cifs: Fix signature miscalculation Su Hui <suhui(a)nfschina.com> ASoC: codecs: avoid possible garbage value in peb2466_reg_read() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/i915/guc: prevent a possible int overflow in wq offsets Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Fix incorrect free_irq() sequence Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Undo runtime PM changes at driver exit time David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amd/amdgpu: apply command submission parser for JPEG v1 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/atomfirmware: Silence UBSAN warning Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/fb: restore init() for ramgp102 T.J. Mercier <tjmercier(a)google.com> dma-buf: heaps: Fix off-by-one in CMA heap fault handler T.J. Mercier <tjmercier(a)google.com> drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: fix the KASAN report out-of-bounds bug Steven Rostedt <rostedt(a)goodmis.org> tracing/osnoise: Fix build when timerlat is not enabled Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Xiaoliang Yang <xiaoliang.yang_1(a)nxp.com> net: dsa: felix: ignore pending status of TAS module when it's disabled Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: make cgroupsv2 matching work with namespaces Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Sean Anderson <sean.anderson(a)linux.dev> selftests: net: csum: Fix checksums for packets with non-zero padding Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Modify SMQ flush sequence to drop packets Muhammad Usama Anjum <usama.anjum(a)collabora.com> fou: fix initialization of grc Benjamin Poirier <bpoirier(a)nvidia.com> net/mlx5: Fix bridge mode operations when there are no VFs Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Verify support for scheduling element and TSAR type Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Correct TASR typo into TSAR Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Add missing masks and QoS bit masks for scheduling elements Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Explicitly set scheduling element and TSAR type Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Patrisious Haddad <phaddad(a)nvidia.com> IB/mlx5: Rename 400G_8X speed to comply to naming convention Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link modes to ptys2ethtool_map Maher Sanalla <msanalla(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> igb: Always call igb_xdp_ring_update_tail() under Tx lock Michal Schmidt <mschmidt(a)redhat.com> ice: fix VSI lists confusion when adding VLANs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix accounting for filters shared by multiple VSIs Martyna Szapar-Mudlaw <martyna.szapar-mudlaw(a)linux.intel.com> ice: Fix lldp packets dropping after changing the number of channels Patryk Biel <pbiel7(a)gmail.com> hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Michal Luczaj <mhal(a)rbox.co> selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() peng guo <engguopeng(a)buaa.edu.cn> cxl/core: Fix incorrect vendor debug UUID define Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Fix 93xx46 driver probe failure Ilya Bakoulin <ilya.bakoulin(a)amd.com> drm/amd/display: Fix FEC_READY write on DP LT Cruise <cruise.hung(a)amd.com> drm/amd/display: Disable error correction if it's not supported FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix race in axienet_stop Linus Torvalds <torvalds(a)linux-foundation.org> mm: avoid leaving partial pfn mappings around in error case Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com> x86/hyperv: fix kexec crash due to VP assist page corruption Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a race condition when accessing recalc_sector Willem de Bruijn <willemb(a)google.com> net: tighten bad gso csum offset check in virtio_net_hdr Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> minmax: reduce min/max macro expansion in atomisp driver Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: restrict fullmesh endp on 1st sf Edward Adam Davis <eadavis(a)qq.com> mptcp: pm: Fix uaf in __timer_delete_sync Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Avoid unnecessary rescanning of the per-server delegation list Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix clearing of layout segments in layoutreturn ChenXiaoSong <chenxiaosong(a)kylinos.cn> smb/server: fix return value of smb2_open() Alexander Gordeev <agordeev(a)linux.ibm.com> s390/mm: Prevent lowcore vs identity mapping overlap Takashi Iwai <tiwai(a)suse.de> Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Rob Clark <robdclark(a)chromium.org> drm/msm/adreno: Fix error return if missing firmware-name Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add Support for Surface Pro 10 Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Dmitry Savin <envelsavinds(a)gmail.com> HID: multitouch: Add support for GT7868Q Jonathan Denose <jdenose(a)google.com> Input: synaptics - enable SMBus for HP Elitebook 840 G2 Marek Vasut <marex(a)denx.de> Input: ads7846 - ratelimit the spi_sync error message Jeff Layton <jlayton(a)kernel.org> btrfs: update target inode's ctime on unlink Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: use correct release function during uninitialization Bert Karwatzki <spasswolf(a)web.de> wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: do not stop RX on failing RX callback Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: drop RX URBs with no payload Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: remove extraneous rx URB length check Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for smb2_query_info() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for share path check John Thomson <git(a)johnthomson.fastmail.com.au> nvmem: u-boot-env: error if NVMEM device is too small Rafał Miłecki <rafal(a)milecki.pl> nvmem: u-boot-env: improve coding style Rafał Miłecki <rafal(a)milecki.pl> nvmem: u-boot-env: use nvmem device helpers Rafał Miłecki <rafal(a)milecki.pl> nvmem: u-boot-env: use nvmem_add_one_cell() nvmem subsystem helper Rafał Miłecki <rafal(a)milecki.pl> nvmem: core: add nvmem_dev_size() helper Dumitru Ceclan <mitrutzceclan(a)gmail.com> iio: adc: ad7124: fix DT configuration parsing Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7124: Switch from of specific to fwnode based property handling Jonathan Cameron <Jonathan.Cameron(a)huawei.com> device property: Introduce device_for_each_child_node_scoped() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> device property: Add cleanup.h based fwnode_handle_put() scope based cleanup. ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++++++++- arch/powerpc/kernel/setup-common.c | 1 + arch/powerpc/mm/mem.c | 2 - .../dts/starfive/jh7110-starfive-visionfive-2.dtsi | 4 + arch/s390/kernel/setup.c | 19 ++++- arch/x86/hyperv/hv_init.c | 5 +- arch/x86/include/asm/mshyperv.h | 1 - arch/x86/kernel/cpu/mshyperv.c | 4 +- drivers/cxl/cxlmem.h | 2 +- drivers/dma-buf/heaps/cma_heap.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 76 +++++++++++++++++- drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.h | 11 +++ .../amd/display/dc/link/protocols/link_dp_phy.c | 53 ++++++------- drivers/gpu/drm/amd/include/atomfirmware.h | 4 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 +++ drivers/gpu/drm/drm_syncobj.c | 17 +++- drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/fb/ram.h | 2 + drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp100.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp102.c | 1 + drivers/hid/hid-ids.h | 2 + drivers/hid/hid-multitouch.c | 33 ++++++++ drivers/hwmon/pmbus/pmbus.h | 6 ++ drivers/hwmon/pmbus/pmbus_core.c | 17 +++- drivers/iio/adc/ad7124.c | 58 ++++++-------- drivers/infiniband/hw/mlx5/main.c | 2 +- drivers/input/mouse/synaptics.c | 1 + drivers/input/serio/i8042-acpipnpio.h | 9 +++ drivers/input/touchscreen/ads7846.c | 2 +- drivers/md/dm-integrity.c | 4 +- drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 11 ++- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 ++- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- drivers/net/ethernet/intel/ice/ice_lib.c | 15 ++-- drivers/net/ethernet/intel/ice/ice_switch.c | 4 +- drivers/net/ethernet/intel/igb/igb_main.c | 17 +++- drivers/net/ethernet/jme.c | 10 +-- drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 3 +- .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 59 +++++++++++--- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 +++ .../net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 +++++++----- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/port.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 ++ drivers/net/ethernet/xilinx/xilinx_axienet.h | 3 + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 ++ drivers/net/phy/vitesse.c | 14 ---- drivers/net/usb/ipheth.c | 18 +++-- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/nvmem/core.c | 13 ++++ drivers/nvmem/u-boot-env.c | 91 +++++++++++----------- drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 + .../platform/surface/surface_aggregator_registry.c | 8 +- drivers/platform/x86/panasonic-laptop.c | 58 +++++++++++--- drivers/soundwire/stream.c | 8 +- drivers/spi/spi-geni-qcom.c | 17 ++-- drivers/spi/spi-nxp-fspi.c | 5 +- drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +++++-- fs/btrfs/inode.c | 1 + fs/nfs/delegation.c | 15 ++-- fs/nfs/nfs4proc.c | 9 ++- fs/nfs/pnfs.c | 5 +- fs/smb/client/cifsencrypt.c | 2 +- fs/smb/server/mgmt/share_config.c | 15 +++- fs/smb/server/mgmt/share_config.h | 4 +- fs/smb/server/mgmt/tree_connect.c | 9 ++- fs/smb/server/mgmt/tree_connect.h | 4 +- fs/smb/server/smb2pdu.c | 11 ++- fs/smb/server/smb_common.c | 9 ++- fs/smb/server/smb_common.h | 2 + include/linux/mlx5/mlx5_ifc.h | 12 ++- include/linux/mlx5/port.h | 2 +- include/linux/nvmem-consumer.h | 1 + include/linux/property.h | 8 ++ include/linux/virtio_net.h | 3 +- kernel/trace/trace_osnoise.c | 10 +-- mm/memory.c | 27 +++++-- net/ipv4/fou_core.c | 4 +- net/mptcp/pm_netlink.c | 13 +++- net/netfilter/nft_socket.c | 48 ++++++++++-- scripts/kconfig/merge_config.sh | 2 + sound/soc/codecs/peb2466.c | 3 +- sound/soc/meson/axg-card.c | 3 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 3 +- tools/testing/selftests/net/csum.c | 16 +++- tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 +- 92 files changed, 797 insertions(+), 329 deletions(-)

1 year

11
105
0 0

[PATCH 6.10 000/121] 6.10.11-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.10.11 release. There are 121 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 Sep 2024 11:42:05 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.10.11-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.10.11-rc1 Jameson Thies <jthies(a)google.com> usb: typec: ucsi: Only set number of plug altmodes after registration Arseniy Krasnov <avkrasnov(a)salutedevices.com> ASoC: meson: axg-card: fix 'use-after-free' Mika Westerberg <mika.westerberg(a)linux.intel.com> pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID David Howells <dhowells(a)redhat.com> cifs: Fix signature miscalculation Jani Nikula <jani.nikula(a)intel.com> drm/xe/display: fix compat IS_DISPLAY_STEP() range end Su Hui <suhui(a)nfschina.com> ASoC: codecs: avoid possible garbage value in peb2466_reg_read() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/i915/guc: prevent a possible int overflow in wq offsets Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Fix incorrect free_irq() sequence Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Undo runtime PM changes at driver exit time Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-mtl-match: add missing empty item Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-lnl-match: add missing empty item Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing/kprobes: Fix build error when find_module() is not available Matthew Auld <matthew.auld(a)intel.com> drm/xe/client: add missing bo locking in show_meminfo() Matthew Auld <matthew.auld(a)intel.com> drm/xe/client: fix deadlock in show_meminfo() David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amd/amdgpu: apply command submission parser for JPEG v2+ David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amd/amdgpu: apply command submission parser for JPEG v1 Tobias Jakobi <tjakobi(a)math.uni-bielefeld.de> drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct() Tobias Jakobi <tjakobi(a)math.uni-bielefeld.de> drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/atomfirmware: Silence UBSAN warning Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/fb: restore init() for ramgp102 T.J. Mercier <tjmercier(a)google.com> dma-buf: heaps: Fix off-by-one in CMA heap fault handler T.J. Mercier <tjmercier(a)google.com> drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: fix the KASAN report out-of-bounds bug Steven Rostedt <rostedt(a)goodmis.org> tracing/osnoise: Fix build when timerlat is not enabled Asbjørn Sloth Tønnesen <ast(a)fiberby.net> netlink: specs: mptcp: fix port endianness Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Xiaoliang Yang <xiaoliang.yang_1(a)nxp.com> net: dsa: felix: ignore pending status of TAS module when it's disabled Jeongjun Park <aha310510(a)gmail.com> net: hsr: prevent NULL pointer dereference in hsr_proxy_announce() Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: make cgroupsv2 matching work with namespaces Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Charlie Jenkins <charlie(a)rivosinc.com> riscv: Disable preemption while handling PR_RISCV_CTX_SW_FENCEI_OFF Alexandre Ghiti <alexghiti(a)rivosinc.com> drivers: perf: Fix smp_processor_id() use in preemptible code Sean Anderson <sean.anderson(a)linux.dev> selftests: net: csum: Fix checksums for packets with non-zero padding Tomas Paukrt <tomaspaukrt(a)email.cz> net: phy: dp83822: Fix NULL pointer dereference on DP83825 devices Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Modify SMQ flush sequence to drop packets Muhammad Usama Anjum <usama.anjum(a)collabora.com> fou: fix initialization of grc Benjamin Poirier <bpoirier(a)nvidia.com> net/mlx5: Fix bridge mode operations when there are no VFs Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Verify support for scheduling element and TSAR type Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Correct TASR typo into TSAR Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Add missing masks and QoS bit masks for scheduling elements Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Explicitly set scheduling element and TSAR type Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link modes to ptys2ethtool_map Maher Sanalla <msanalla(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> igb: Always call igb_xdp_ring_update_tail() under Tx lock Michal Schmidt <mschmidt(a)redhat.com> ice: fix VSI lists confusion when adding VLANs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix accounting for filters shared by multiple VSIs Martyna Szapar-Mudlaw <martyna.szapar-mudlaw(a)linux.intel.com> ice: Fix lldp packets dropping after changing the number of channels Patryk Biel <pbiel7(a)gmail.com> hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Eric Dumazet <edumazet(a)google.com> net: hsr: remove seqnr_lock Lukasz Majewski <lukma(a)denx.de> net: hsr: Send supervisory frames to HSR network with ProxyNodeTable data Michal Luczaj <mhal(a)rbox.co> selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Alison Schofield <alison.schofield(a)intel.com> cxl: Restore XOR'd position bits during address translation peng guo <engguopeng(a)buaa.edu.cn> cxl/core: Fix incorrect vendor debug UUID define Li Qiang <liqiang01(a)kylinos.cn> clk/sophgo: Using BUG() instead of unreachable() in mmux_get_parent_id() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Fix 93xx46 driver probe failure Ilya Bakoulin <ilya.bakoulin(a)amd.com> drm/amd/display: Fix FEC_READY write on DP LT Cruise <cruise.hung(a)amd.com> drm/amd/display: Disable error correction if it's not supported Xingyu Wu <xingyu.wu(a)starfivetech.com> riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting PLL0 rate to 1.5GHz Dan Carpenter <dan.carpenter(a)linaro.org> firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire() FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Don't delete open files in online fsck Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Revert lockless buffered IO path Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Fix bch2_extents_match() false positive Linus Torvalds <torvalds(a)linux-foundation.org> mm: avoid leaving partial pfn mappings around in error case Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com> x86/hyperv: fix kexec crash due to VP assist page corruption Dexuan Cui <decui(a)microsoft.com> clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a race condition when accessing recalc_sector Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix number of Rx and Tx descriptors Willem de Bruijn <willemb(a)google.com> net: tighten bad gso csum offset check in virtio_net_hdr Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> minmax: reduce min/max macro expansion in atomisp driver Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: restrict fullmesh endp on 1st sf Edward Adam Davis <eadavis(a)qq.com> mptcp: pm: Fix uaf in __timer_delete_sync Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Avoid unnecessary rescanning of the per-server delegation list Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix clearing of layout segments in layoutreturn ChenXiaoSong <chenxiaosong(a)kylinos.cn> smb/server: fix return value of smb2_open() Alexander Gordeev <agordeev(a)linux.ibm.com> s390/mm: Pin identity mapping base to zero Alexander Gordeev <agordeev(a)linux.ibm.com> s390/mm: Prevent lowcore vs identity mapping overlap Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: use devm instead of drmm for managed bo Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: fix WA 14018094691 Ngai-Mint Kwan <ngai-mint.kwan(a)linux.intel.com> drm/xe/xe2lpm: Extend Wa_16021639441 Takashi Iwai <tiwai(a)suse.de> Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Rob Clark <robdclark(a)chromium.org> drm/msm/adreno: Fix error return if missing firmware-name Sean Anderson <sean.anderson(a)linux.dev> spi: zynqmp-gqspi: Scale timeout by data size Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop 6 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add fan and thermal sensor support for Surface Laptop 5 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Studio 2 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add Support for Surface Pro 10 Luke D. Jones <luke(a)ljones.dev> platform/x86: asus-wmi: Add quirk for ROG Ally X Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Waiman Long <longman(a)redhat.com> cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug Felix Kaechele <felix(a)kaechele.ca> Input: edt-ft5x06 - add support for FocalTech FT8201 Dmitry Savin <envelsavinds(a)gmail.com> HID: multitouch: Add support for GT7868Q Luke D. Jones <luke(a)ljones.dev> hid-asus: add ROG Ally X prod ID to quirk list Jonathan Denose <jdenose(a)google.com> Input: synaptics - enable SMBus for HP Elitebook 840 G2 Marek Vasut <marex(a)denx.de> Input: ads7846 - ratelimit the spi_sync error message Jeff Layton <jlayton(a)kernel.org> btrfs: update target inode's ctime on unlink Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: use correct release function during uninitialization Yinjie Yao <yinjie.yao(a)amd.com> drm/amdgpu: Update kmd_fw_shared for VCN5 Bert Karwatzki <spasswolf(a)web.de> wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: do not stop RX on failing RX callback Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: drop RX URBs with no payload Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: remove extraneous rx URB length check Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for smb2_query_info() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for share path check AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: Set sensible cursor width/height values to fix crash Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: typec: ucsi: Fix cable registration Jameson Thies <jthies(a)google.com> usb: typec: ucsi: Always set number of alternate modes ------------- Diffstat: Documentation/netlink/specs/mptcp_pm.yaml | 1 - Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++++- arch/powerpc/kernel/setup-common.c | 1 + arch/powerpc/mm/mem.c | 2 - arch/riscv/boot/dts/starfive/jh7110-common.dtsi | 6 + arch/riscv/mm/cacheflush.c | 12 +- arch/s390/Kconfig | 13 ++ arch/s390/boot/startup.c | 3 +- arch/s390/kernel/setup.c | 19 ++- arch/x86/hyperv/hv_init.c | 5 +- arch/x86/include/asm/mshyperv.h | 1 - arch/x86/kernel/cpu/mshyperv.c | 20 ++- drivers/clk/sophgo/clk-cv18xx-ip.c | 2 +- drivers/clocksource/hyperv_timer.c | 16 ++- drivers/cxl/acpi.c | 40 ++++++ drivers/cxl/core/region.c | 23 ++-- drivers/cxl/cxl.h | 3 + drivers/cxl/cxlmem.h | 2 +- drivers/dma-buf/heaps/cma_heap.c | 2 +- drivers/firmware/qcom/qcom_qseecom_uefisecapp.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 5 +- drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 76 ++++++++++- drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.h | 11 ++ drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 63 ++++++++- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h | 6 + drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 2 + drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 1 + drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 1 + drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.h | 1 - drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 57 +------- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 7 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 1 + drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 3 +- .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 20 +-- .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 20 +-- .../amd/display/dc/link/protocols/link_dp_phy.c | 53 ++++---- drivers/gpu/drm/amd/include/atomfirmware.h | 4 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++ drivers/gpu/drm/drm_syncobj.c | 17 ++- drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/fb/ram.h | 2 + drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp100.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp102.c | 1 + drivers/gpu/drm/xe/compat-i915-headers/i915_drv.h | 2 +- drivers/gpu/drm/xe/xe_bo.c | 6 +- drivers/gpu/drm/xe/xe_drm_client.c | 45 ++++++- drivers/gpu/drm/xe/xe_gsc.c | 4 +- drivers/gpu/drm/xe/xe_wa.c | 10 ++ drivers/hid/hid-asus.c | 3 + drivers/hid/hid-ids.h | 3 + drivers/hid/hid-multitouch.c | 33 +++++ drivers/hwmon/pmbus/pmbus.h | 6 + drivers/hwmon/pmbus/pmbus_core.c | 17 ++- drivers/input/mouse/synaptics.c | 1 + drivers/input/serio/i8042-acpipnpio.h | 9 ++ drivers/input/touchscreen/ads7846.c | 2 +- drivers/input/touchscreen/edt-ft5x06.c | 6 + drivers/md/dm-integrity.c | 4 +- drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 11 +- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- drivers/net/ethernet/intel/ice/ice_lib.c | 15 ++- drivers/net/ethernet/intel/ice/ice_switch.c | 4 +- drivers/net/ethernet/intel/igb/igb_main.c | 17 ++- drivers/net/ethernet/jme.c | 10 +- drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 3 +- .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 59 ++++++-- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 ++ .../net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 ++++--- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 + drivers/net/ethernet/wangxun/libwx/wx_type.h | 6 +- drivers/net/phy/dp83822.c | 35 +++-- drivers/net/phy/vitesse.c | 14 -- drivers/net/usb/ipheth.c | 18 +-- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/perf/riscv_pmu_sbi.c | 7 +- drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 + .../platform/surface/surface_aggregator_registry.c | 58 +++++++- drivers/platform/x86/asus-wmi.c | 16 ++- drivers/platform/x86/panasonic-laptop.c | 58 ++++++-- drivers/soundwire/stream.c | 8 +- drivers/spi/spi-geni-qcom.c | 17 ++- drivers/spi/spi-nxp-fspi.c | 5 +- drivers/spi/spi-zynqmp-gqspi.c | 30 ++++- drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +++- drivers/usb/typec/ucsi/ucsi.c | 44 +++--- drivers/usb/typec/ucsi/ucsi.h | 1 - fs/bcachefs/extents.c | 23 +++- fs/bcachefs/fs-io-buffered.c | 149 ++++++--------------- fs/bcachefs/fs.c | 8 ++ fs/bcachefs/fs.h | 7 + fs/bcachefs/fsck.c | 18 +++ fs/btrfs/inode.c | 1 + fs/nfs/delegation.c | 15 +-- fs/nfs/nfs4proc.c | 9 +- fs/nfs/pnfs.c | 5 +- fs/smb/client/cifsencrypt.c | 2 +- fs/smb/server/mgmt/share_config.c | 15 ++- fs/smb/server/mgmt/share_config.h | 4 +- fs/smb/server/mgmt/tree_connect.c | 9 +- fs/smb/server/mgmt/tree_connect.h | 4 +- fs/smb/server/smb2pdu.c | 11 +- fs/smb/server/smb_common.c | 9 +- fs/smb/server/smb_common.h | 2 + include/linux/mlx5/mlx5_ifc.h | 12 +- include/linux/virtio_net.h | 3 +- kernel/cgroup/cpuset.c | 33 ++--- kernel/trace/trace_kprobe.c | 25 +++- kernel/trace/trace_osnoise.c | 10 +- mm/memory.c | 27 +++- net/hsr/hsr_device.c | 102 +++++++++----- net/hsr/hsr_forward.c | 41 +++++- net/hsr/hsr_framereg.c | 12 ++ net/hsr/hsr_framereg.h | 2 + net/hsr/hsr_main.h | 10 +- net/hsr/hsr_netlink.c | 3 +- net/ipv4/fou_core.c | 4 +- net/mptcp/pm_netlink.c | 13 +- net/netfilter/nft_socket.c | 48 ++++++- scripts/kconfig/merge_config.sh | 2 + sound/soc/codecs/peb2466.c | 3 +- sound/soc/intel/common/soc-acpi-intel-lnl-match.c | 1 + sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 1 + sound/soc/meson/axg-card.c | 3 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 3 +- tools/testing/selftests/net/lib/csum.c | 16 ++- tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 +- 135 files changed, 1378 insertions(+), 587 deletions(-)

1 year

11
133
0 0

[PATCH 6.1] drm/amdkfd: Skip handle mapping SVM range with no GPU access

by Murad Masimov

From: Philip Yang <Philip.Yang(a)amd.com> commit 8c45b31909b730f9c7b146588e038f9c6553394d upstream. If the SVM range has no GPU access nor access-in-place attribute, validate and map to GPU should skip the range. Add NULL pointer check if find_first_bit(ctx->bitmap, MAX_GPU_INSTANCE) returns MAX_GPU_INSTANCE as gpuidx if ctx->bitmap is empty. Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Alex Sierra <alex.sierra(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [m.masimov(a)maxima.ru: In order to adapt this patch to branch 6.1 ctx was treated as a variable and not as a pointer.] Signed-off-by: Murad Masimov <m.masimov(a)maxima.ru> --- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c index 7fa5e70f1aac..a44781b66af9 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c @@ -1491,6 +1491,8 @@ static void *kfd_svm_page_owner(struct kfd_process *p, int32_t gpuidx) struct kfd_process_device *pdd; pdd = kfd_process_device_from_gpuidx(p, gpuidx); + if (!pdd) + return NULL; return SVM_ADEV_PGMAP_OWNER(pdd->dev->adev); } @@ -1561,10 +1563,10 @@ static int svm_range_validate_and_map(struct mm_struct *mm, } if (bitmap_empty(ctx.bitmap, MAX_GPU_INSTANCE)) { - if (!prange->mapped_to_gpu) - return 0; - bitmap_copy(ctx.bitmap, prange->bitmap_access, MAX_GPU_INSTANCE); + if (!prange->mapped_to_gpu || + bitmap_empty(ctx.bitmap, MAX_GPU_INSTANCE)) + return 0; } if (prange->actual_loc && !prange->ttm_res) { -- 2.39.2

1 year

1
0
0 0

[PATCH] ALSA: hda/realtek: fix mute/micmute LED for HP mt645 G8

by nikolai.afanasenkov＠hp.com

From: Nikolai Afanasenkov <nikolai.afanasenkov(a)hp.com> The HP Elite mt645 G8 Mobile Thin Client uses an ALC236 codec and needs the ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to enable the mute and micmute LED functionality. This patch adds the system ID of the HP Elite mt645 G8 to the `alc269_fixup_tbl` in `patch_realtek.c` to enable the required quirk. Cc: stable(a)vger.kernel.org Signed-off-by: Nikolai Afanasenkov <nikolai.afanasenkov(a)hp.com> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 452c6e7c20e2..5ad5a901f9b6 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10396,6 +10396,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8caf, "HP Elite mt645 G8 Mobile Thin Client", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), SND_PCI_QUIRK(0x103c, 0x8cbd, "HP Pavilion Aero Laptop 13-bg0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), SND_PCI_QUIRK(0x103c, 0x8cdd, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8cde, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2), -- 2.34.1

1 year

2
1
0 0

[PATCH RFC V5 1/1] ocfs2: reserve space for inline xattr before attaching reflink tree

by Gautham Ananthakrishna

One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case upto 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Cc: stable(a)vger.kernel.org Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c index 25c8ec3c8c3a5..80f441878dc1f 100644 --- a/fs/ocfs2/refcounttree.c +++ b/fs/ocfs2/refcounttree.c @@ -25,6 +25,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4155,8 +4156,9 @@ static int __ocfs2_reflink(struct dentry *old_dentry, int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4182,6 +4184,26 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; + struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4189,7 +4211,7 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 6510ad783c912..2c572b336ba48 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -6511,16 +6511,7 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args) } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); -- 2.43.5

1 year

1
0
0 0

[PATCH AUTOSEL 4.19] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index f8b0fa2dbe37..b43f25b3c99d 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -243,6 +243,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.hints & HV_X64_ENLIGHTENED_VMCS_RECOMMENDED) { -- 2.43.0

1 year

1
0
0 0

[PATCH AUTOSEL 5.4] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index 51d95c4b692c..cebbcc6c36ae 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -256,6 +256,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.hints & HV_X64_ENLIGHTENED_VMCS_RECOMMENDED) { -- 2.43.0

1 year

1
0
0 0

[PATCH AUTOSEL 5.10] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index 021cd067733e..a91aad434d03 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -275,6 +275,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.hints & HV_X64_ENLIGHTENED_VMCS_RECOMMENDED) { -- 2.43.0

1 year

1
0
0 0

[PATCH AUTOSEL 5.15] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index 8d3c649a1769..3794b223fd69 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -322,6 +322,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.priv_high & HV_ISOLATION) { -- 2.43.0

1 year

1
0
0 0

[PATCH AUTOSEL 6.1 1/2] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index 9b039e9635e4..542b818c0d20 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -324,6 +324,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.priv_high & HV_ISOLATION) { -- 2.43.0

1 year

1
1
0 0

[PATCH AUTOSEL 6.6 1/2] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index e6bba12c759c..9a7cd3ce59ed 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -423,6 +423,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.priv_high & HV_ISOLATION) { -- 2.43.0

1 year

1
1
0 0

[PATCH AUTOSEL 6.10 1/3] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index e0fd57a8ba84..c3e38eaf6d2f 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -424,6 +424,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.priv_high & HV_ISOLATION) { -- 2.43.0

1 year

1
2
0 0

[PATCH 1/1] io_uring/sqpoll: do not allow pinning outside of cpuset

by Felix Moessbauer

The submit queue polling threads are userland threads that just never exit to the userland. When creating the thread with IORING_SETUP_SQ_AFF, the affinity of the poller thread is set to the cpu specified in sq_thread_cpu. However, this CPU can be outside of the cpuset defined by the cgroup cpuset controller. This violates the rules defined by the cpuset controller and is a potential issue for realtime applications. In b7ed6d8ffd6 we fixed the default affinity of the poller thread, in case no explicit pinning is required by inheriting the one of the creating task. In case of explicit pinning, the check is more complicated, as also a cpu outside of the parent cpumask is allowed. We implemented this by using cpuset_cpus_allowed (that has support for cgroup cpusets) and testing if the requested cpu is in the set. Fixes: 37d1e2e3642e ("io_uring: move SQPOLL thread io-wq forked worker") Cc: stable(a)vger.kernel.org # 6.1+ Signed-off-by: Felix Moessbauer <felix.moessbauer(a)siemens.com> --- Hi, that's hopefully the last fix of cpu pinnings of the sq poller threads. However, there is more to come on the io-wq side. E.g the syscalls for IORING_REGISTER_IOWQ_AFF that can be used to change the affinites are not yet protected. I'm currently just lacking good reproducers for that. I also have to admit that I don't feel too comfortable making changes to the wq part, given that I don't have good tests. While fixing this, I'm wondering if it makes sense to add tests for the combination of pinning and cpuset. If yes, where should these tests be added? Best regards, Felix Moessbauer Siemens AG io_uring/sqpoll.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c index 713be7c29388..b8ec8fec99b8 100644 --- a/io_uring/sqpoll.c +++ b/io_uring/sqpoll.c @@ -10,6 +10,7 @@ #include <linux/slab.h> #include <linux/audit.h> #include <linux/security.h> +#include <linux/cpuset.h> #include <linux/io_uring.h> #include <uapi/linux/io_uring.h> @@ -459,10 +460,12 @@ __cold int io_sq_offload_create(struct io_ring_ctx *ctx, return 0; if (p->flags & IORING_SETUP_SQ_AFF) { + struct cpumask allowed_mask; int cpu = p->sq_thread_cpu; ret = -EINVAL; - if (cpu >= nr_cpu_ids || !cpu_online(cpu)) + cpuset_cpus_allowed(current, &allowed_mask); + if (!cpumask_test_cpu(cpu, &allowed_mask)) goto err_sqpoll; sqd->sq_cpu = cpu; } else { -- 2.39.2

1 year

3
5
0 0

RE: Patch "riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting PLL0 rate to 1.5GHz" has been added to the 6.10-stable tree

by Xingyu Wu

On 13/09/2024 22:12, Sasha Levin wrote: > > This is a note to let you know that I've just added the patch titled > > riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting PLL0 > rate to 1.5GHz > > to the 6.10-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable- > queue.git;a=summary > > The filename of the patch is: > riscv-dts-starfive-jh7110-common-fix-lower-rate-of-c.patch > and it can be found in the queue-6.10 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, please let > <stable(a)vger.kernel.org> know about it. > Hi Sasha, This patch only has the part of DTS without the clock driver patch[1]. [1]: https://lore.kernel.org/all/20240826080430.179788-2-xingyu.wu@starfivetech.… I don't know your plan about this driver patch, or maybe I missed it. But the DTS changes really needs the driver patch to work and you should add the driver patch. Thanks, Xingyu Wu > > > commit 67b60bf9777bd340c7179adb5376dcdd3f0c260c > Author: Xingyu Wu <xingyu.wu(a)starfivetech.com> > Date: Mon Aug 26 16:04:30 2024 +0800 > > riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting PLL0 > rate to 1.5GHz > > [ Upstream commit 61f2e8a3a94175dbbaad6a54f381b2a505324610 ] > > CPUfreq supports 4 cpu frequency loads on 375/500/750/1500MHz. > But now PLL0 rate is 1GHz and the cpu frequency loads become > 250/333/500/1000MHz in fact. > > The PLL0 rate should be default set to 1.5GHz and set the > cpu_core rate to 500MHz in safe. > > Fixes: e2c510d6d630 ("riscv: dts: starfive: Add cpu scaling for JH7110 SoC") > Signed-off-by: Xingyu Wu <xingyu.wu(a)starfivetech.com> > Reviewed-by: Hal Feng <hal.feng(a)starfivetech.com> > Signed-off-by: Conor Dooley <conor.dooley(a)microchip.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/arch/riscv/boot/dts/starfive/jh7110-common.dtsi > b/arch/riscv/boot/dts/starfive/jh7110-common.dtsi > index 68d16717db8c..51d85f447626 100644 > --- a/arch/riscv/boot/dts/starfive/jh7110-common.dtsi > +++ b/arch/riscv/boot/dts/starfive/jh7110-common.dtsi > @@ -354,6 +354,12 @@ spi_dev0: spi@0 { > }; > }; > > +&syscrg { > + assigned-clocks = <&syscrg JH7110_SYSCLK_CPU_CORE>, > + <&pllclk JH7110_PLLCLK_PLL0_OUT>; > + assigned-clock-rates = <500000000>, <1500000000>; }; > + > &sysgpio { > i2c0_pins: i2c0-0 { > i2c-pins {

1 year

3
11
0 0

[PATCH v2] riscv: entry: always initialize regs->a0 to -ENOSYS

by Celeste Liu

Otherwise when the tracer changes syscall number to -1, the kernel fails to initialize a0 with -ENOSYS and subsequently fails to return the error code of the failed syscall to userspace. For example, it will break strace syscall tampering. Fixes: 52449c17bdd1 ("riscv: entry: set a0 = -ENOSYS only when syscall != -1") Reported-by: "Dmitry V. Levin" <ldv(a)strace.io> Reviewed-by: Björn Töpel <bjorn(a)rivosinc.com> Cc: stable(a)vger.kernel.org Signed-off-by: Celeste Liu <CoelacanthusHex(a)gmail.com> --- arch/riscv/kernel/traps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 05a16b1f0aee..51ebfd23e007 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -319,6 +319,7 @@ void do_trap_ecall_u(struct pt_regs *regs) regs->epc += 4; regs->orig_a0 = regs->a0; + regs->a0 = -ENOSYS; riscv_v_vstate_discard(regs); @@ -328,8 +329,7 @@ void do_trap_ecall_u(struct pt_regs *regs) if (syscall >= 0 && syscall < NR_syscalls) syscall_handler(regs, syscall); - else if (syscall != -1) - regs->a0 = -ENOSYS; + /* * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), * so the maximum stack offset is 1k bytes (10 bits). -- 2.45.2

1 year

4
3
0 0

[PATCH] Revert "vmgenid: emit uevent when VMGENID updates"

by Jason A. Donenfeld

This reverts commit ad6bcdad2b6724e113f191a12f859a9e8456b26d. I had nak'd it, and Greg said on the thread that it links that he wasn't going to take it either, especially since it's not his code or his tree, but then, seemingly accidentally, it got pushed up some months later, in what looks like a mistake, with no further discussion in the linked thread. So revert it, since it's clearly not intended. Fixes: ad6bcdad2b67 ("vmgenid: emit uevent when VMGENID updates") Cc: stable(a)vger.kernel.org Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Link: https://lore.kernel.org/r/20230531095119.11202-2-bchalios@amazon.es Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com> --- drivers/virt/vmgenid.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/virt/vmgenid.c b/drivers/virt/vmgenid.c index b67a28da4702..a1c467a0e9f7 100644 --- a/drivers/virt/vmgenid.c +++ b/drivers/virt/vmgenid.c @@ -68,7 +68,6 @@ static int vmgenid_add(struct acpi_device *device) static void vmgenid_notify(struct acpi_device *device, u32 event) { struct vmgenid_state *state = acpi_driver_data(device); - char *envp[] = { "NEW_VMGENID=1", NULL }; u8 old_id[VMGENID_SIZE]; memcpy(old_id, state->this_id, sizeof(old_id)); @@ -76,7 +75,6 @@ static void vmgenid_notify(struct acpi_device *device, u32 event) if (!memcmp(old_id, state->this_id, sizeof(old_id))) return; add_vmfork_randomness(state->this_id, sizeof(state->this_id)); - kobject_uevent_env(&device->dev.kobj, KOBJ_CHANGE, envp); } static const struct acpi_device_id vmgenid_ids[] = { -- 2.44.0

1 year

6
15
0 0

[PATCH 5.10.y] genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()

by Sergey Shtylyov

[ Upstream commit feabecaff5902f896531dde90646ca5dfa9d4f7d ] If ipi_send_{mask|single}() is called with an invalid interrupt number, all the local variables there will be NULL. ipi_send_verify() which is invoked from these functions does verify its 'data' parameter, resulting in a kernel oops in irq_data_get_affinity_mask() as the passed NULL pointer gets dereferenced. Add a missing NULL pointer check in ipi_send_verify()... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Fixes: 3b8e29a82dd1 ("genirq: Implement ipi_send_mask/single()") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/r/b541232d-c2b6-1fe9-79b4-a7129459e4d0@omp.ru --- kernel/irq/ipi.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) Index: linux-stable/kernel/irq/ipi.c =================================================================== --- linux-stable.orig/kernel/irq/ipi.c +++ linux-stable/kernel/irq/ipi.c @@ -186,9 +186,9 @@ EXPORT_SYMBOL_GPL(ipi_get_hwirq); static int ipi_send_verify(struct irq_chip *chip, struct irq_data *data, const struct cpumask *dest, unsigned int cpu) { - struct cpumask *ipimask = irq_data_get_affinity_mask(data); + struct cpumask *ipimask; - if (!chip || !ipimask) + if (!chip || !data) return -EINVAL; if (!chip->ipi_send_single && !chip->ipi_send_mask) @@ -197,6 +197,10 @@ static int ipi_send_verify(struct irq_ch if (cpu >= nr_cpu_ids) return -EINVAL; + ipimask = irq_data_get_affinity_mask(data); + if (!ipimask) + return -EINVAL; + if (dest) { if (!cpumask_subset(dest, ipimask)) return -EINVAL;

1 year

1
0
0 0

[PATCH -stable,5.15 0/2] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains a backport for fixes for 5.15-stable: The following list shows the backported patches, I am using original commit IDs for reference: 1) 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump") 2) efefd4f00c96 ("netfilter: nf_tables: missing iterator type in lookup walk") Please, apply, Thanks Pablo Neira Ayuso (2): netfilter: nft_set_pipapo: walk over current view on netlink dump netfilter: nf_tables: missing iterator type in lookup walk include/net/netfilter/nf_tables.h | 13 +++++++++++++ net/netfilter/nf_tables_api.c | 5 +++++ net/netfilter/nft_lookup.c | 1 + net/netfilter/nft_set_pipapo.c | 6 ++++-- 4 files changed, 23 insertions(+), 2 deletions(-) -- 2.30.2

1 year

1
2
0 0

[PATCH -stable,6.1 0/2] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains a backport for fixes for 6.1-stable: The following list shows the backported patches, I am using original commit IDs for reference: 1) 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump") 2) efefd4f00c96 ("netfilter: nf_tables: missing iterator type in lookup walk") Please, apply, Thanks Pablo Neira Ayuso (2): netfilter: nft_set_pipapo: walk over current view on netlink dump netfilter: nf_tables: missing iterator type in lookup walk include/net/netfilter/nf_tables.h | 13 +++++++++++++ net/netfilter/nf_tables_api.c | 5 +++++ net/netfilter/nft_lookup.c | 1 + net/netfilter/nft_set_pipapo.c | 6 ++++-- 4 files changed, 23 insertions(+), 2 deletions(-) -- 2.30.2

1 year

1
2
0 0

[PATCH -stable,6.6 0/2] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains a backport for fixes for 6.6-stable: The following list shows the backported patches, I am using original commit IDs for reference: 1) 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump") 2) efefd4f00c96 ("netfilter: nf_tables: missing iterator type in lookup walk") Please, apply, Thanks Pablo Neira Ayuso (2): netfilter: nft_set_pipapo: walk over current view on netlink dump netfilter: nf_tables: missing iterator type in lookup walk include/net/netfilter/nf_tables.h | 13 +++++++++++++ net/netfilter/nf_tables_api.c | 5 +++++ net/netfilter/nft_lookup.c | 1 + net/netfilter/nft_set_pipapo.c | 6 ++++-- 4 files changed, 23 insertions(+), 2 deletions(-) -- 2.30.2

1 year

1
2
0 0

[PATCH 6.1/6.6] drm/amd/display: Add NULL pointer check for kzalloc

by Vitaliy Shevtsov

From: Hersen Wu <hersenxs.wu(a)amd.com> commit 8e65a1b7118acf6af96449e1e66b7adbc9396912 upstream. [Why & How] Check return pointer of kzalloc before using it. Found by Linux Verification Center (linuxtesting.org) with Svace. Reviewed-by: Alex Hung <alex.hung(a)amd.com> Acked-by: Wayne Lin <wayne.lin(a)amd.com> Signed-off-by: Hersen Wu <hersenxs.wu(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [v.shevtsov(a)maxima.ru: In order to adapt this patch to branches 6.1/6.6 changes related to files drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c, drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c were excluded.] Signed-off-by: Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> --- .../gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c | 8 ++++++++ .../gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c | 8 ++++++++ drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 3 +++ drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 5 +++++ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c | 5 +++++ drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c | 2 ++ drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c | 2 ++ drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 5 +++++ drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c | 2 ++ 9 files changed, 40 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c index 3ce0ee0d012f..367b163537c4 100644 --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c @@ -568,11 +568,19 @@ void dcn3_clk_mgr_construct( dce_clock_read_ss_info(clk_mgr); clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); + if (!clk_mgr->base.bw_params) { + BREAK_TO_DEBUGGER(); + return; + } /* need physical address of table to give to PMFW */ clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx, DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t), &clk_mgr->wm_range_table_addr); + if (!clk_mgr->wm_range_table) { + BREAK_TO_DEBUGGER(); + return; + } } void dcn3_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr) diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c index 1d84a04acb3f..3ade764d3323 100644 --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c @@ -816,11 +816,19 @@ void dcn32_clk_mgr_construct( clk_mgr->smu_present = false; clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); + if (!clk_mgr->base.bw_params) { + BREAK_TO_DEBUGGER(); + return; + } /* need physical address of table to give to PMFW */ clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx, DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t), &clk_mgr->wm_range_table_addr); + if (!clk_mgr->wm_range_table) { + BREAK_TO_DEBUGGER(); + return; + } } void dcn32_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr) diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c index 5a8d1a051314..6c58618f1b9c 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c @@ -2062,6 +2062,9 @@ bool dcn30_validate_bandwidth(struct dc *dc, BW_VAL_TRACE_COUNT(); + if (!pipes) + goto validate_fail; + DC_FP_START(); out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true); DC_FP_END(); diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c index d3f76512841b..73a7b1ec353e 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c @@ -1324,6 +1324,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, &hpo_dp_link_enc_regs[inst], @@ -1773,6 +1775,9 @@ bool dcn31_validate_bandwidth(struct dc *dc, BW_VAL_TRACE_COUNT(); + if (!pipes) + goto validate_fail; + DC_FP_START(); out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true); DC_FP_END(); diff --git a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c index 6b8abdb5c7f8..1a4280b89a1f 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c @@ -1372,6 +1372,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, &hpo_dp_link_enc_regs[inst], @@ -1743,6 +1745,9 @@ bool dcn314_validate_bandwidth(struct dc *dc, BW_VAL_TRACE_COUNT(); + if (!pipes) + goto validate_fail; + if (filter_modes_for_single_channel_workaround(dc, context)) goto validate_fail; diff --git a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c index b9b1e5ac4f53..e78954514e3e 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c @@ -1325,6 +1325,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, &hpo_dp_link_enc_regs[inst], diff --git a/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c b/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c index af3eddc0cf32..932fe9b5c08c 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c @@ -1322,6 +1322,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, &hpo_dp_link_enc_regs[inst], diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c index 2b8700b291a4..0762f58cffdb 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c @@ -1310,6 +1310,8 @@ static struct hpo_dp_link_encoder *dcn32_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ #undef REG_STRUCT #define REG_STRUCT hpo_dp_link_enc_regs @@ -1852,6 +1854,9 @@ bool dcn32_validate_bandwidth(struct dc *dc, BW_VAL_TRACE_COUNT(); + if (!pipes) + goto validate_fail; + DC_FP_START(); out = dcn32_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate); DC_FP_END(); diff --git a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c index aed92ced7b76..85430e5baa45 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c @@ -1296,6 +1296,8 @@ static struct hpo_dp_link_encoder *dcn321_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ #undef REG_STRUCT #define REG_STRUCT hpo_dp_link_enc_regs -- 2.46.1

1 year

1
0
0 0

[PATCH 6.1] platform/x86: android-platform: deref after free in x86_android_tablet_init() fix

by Aleksandr Burakov

No upstream commit exists for this commit. Pointer '&pdevs[i]' is dereferenced at x86_android_tablet_init() after the referenced memory was deallocated by calling function 'x86_android_tablet_cleanup()'. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs") Signed-off-by: Aleksandr Burakov <a.burakov(a)rosalinux.ru> --- drivers/platform/x86/x86-android-tablets.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c index 9178076d9d7d..9838c5332201 100644 --- a/drivers/platform/x86/x86-android-tablets.c +++ b/drivers/platform/x86/x86-android-tablets.c @@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_init(void) for (i = 0; i < pdev_count; i++) { pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]); if (IS_ERR(pdevs[i])) { + int ret = PTR_ERR(pdevs[i]); x86_android_tablet_cleanup(); - return PTR_ERR(pdevs[i]); + return ret; } } -- 2.25.1

1 year

3
2
0 0

[PATCH] btrfs: qgroup: set a more sane default value for subtree drop threshold

by Qu Wenruo

Since commit 011b46c30476 ("btrfs: skip subtree scan if it's too high to avoid low stall in btrfs_commit_transaction()"), btrfs qgroup can automatically skip large subtree scan at the cost of marking qgroup inconsistent. It's designed to address the final performance problem of snapshot drop with qgroup enabled, but to be safe the default value is BTRFS_MAX_LEVEL, requiring a user space daemon to set a different value to make it work. I'd say it's not a good idea to rely on user space tool to set this default value, especially when some operations (snapshot dropping) can be triggered immediately after mount, leaving a very small window to that that sysfs interface. So instead of disabling this new feature by default, enable it with a low threshold (3), so that large subvolume tree drop at mount time won't cause huge qgroup workload. Cc: stable(a)vger.kernel.org # 6.1 Signed-off-by: Qu Wenruo <wqu(a)suse.com> --- fs/btrfs/disk-io.c | 2 +- fs/btrfs/qgroup.c | 2 +- fs/btrfs/qgroup.h | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 25d768e67e37..a9bd54d1be1e 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -1959,7 +1959,7 @@ static void btrfs_init_qgroup(struct btrfs_fs_info *fs_info) fs_info->qgroup_seq = 1; fs_info->qgroup_ulist = NULL; fs_info->qgroup_rescan_running = false; - fs_info->qgroup_drop_subtree_thres = BTRFS_MAX_LEVEL; + fs_info->qgroup_drop_subtree_thres = BTRFS_QGROUP_DROP_SUBTREE_THRES_DEFAULT; mutex_init(&fs_info->qgroup_rescan_lock); } diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index c297909f1506..aec096dc8829 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -1407,7 +1407,7 @@ int btrfs_quota_disable(struct btrfs_fs_info *fs_info) fs_info->quota_root = NULL; fs_info->qgroup_flags &= ~BTRFS_QGROUP_STATUS_FLAG_ON; fs_info->qgroup_flags &= ~BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE; - fs_info->qgroup_drop_subtree_thres = BTRFS_MAX_LEVEL; + fs_info->qgroup_drop_subtree_thres = BTRFS_QGROUP_DROP_SUBTREE_THRES_DEFAULT; spin_unlock(&fs_info->qgroup_lock); btrfs_free_qgroup_config(fs_info); diff --git a/fs/btrfs/qgroup.h b/fs/btrfs/qgroup.h index 98adf4ec7b01..c229256d6fd5 100644 --- a/fs/btrfs/qgroup.h +++ b/fs/btrfs/qgroup.h @@ -121,6 +121,8 @@ struct btrfs_inode; #define BTRFS_QGROUP_RUNTIME_FLAG_CANCEL_RESCAN (1ULL << 63) #define BTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING (1ULL << 62) +#define BTRFS_QGROUP_DROP_SUBTREE_THRES_DEFAULT (3) + /* * Record a dirty extent, and info qgroup to update quota on it */ -- 2.46.0

1 year

2
1
0 0

[PATCH v3 3/7] tpm: Return on tpm2_create_primary() failure in tpm2_load_null()

by Jarkko Sakkinen

tpm2_load_null() ignores the return value of tpm2_create_primary(). Further, it does not heal from the situation when memcmp() returns zero. Address this by returning on failure and saving the null key if there was no detected interference in the bus. Cc: stable(a)vger.kernel.org # v6.11+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v3: - Update log messages. Previously the log message incorrectly stated on load failure that integrity check had been failed, even tho the check is done *after* the load operation. v2: - Refined the commit message. - Reverted tpm2_create_primary() changes. They are not required if tmp_null_key is used as the parameter. --- drivers/char/tpm/tpm2-sessions.c | 38 +++++++++++++++++--------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 0993d18ee886..03c56f0eda49 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -850,32 +850,34 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth, static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset = 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; rc = tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc != -EINVAL) + &tmp_null_key); + if (rc != -EINVAL) { + if (!rc) + *null_key = tmp_null_key; return rc; + } + dev_info(&chip->dev, "the null key has been reset\n"); - /* an integrity failure may mean the TPM has been reset */ - dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) - /* name unchanged, assume transient integrity failure */ + rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) return rc; - /* - * Fatal TPM failure: the NULL seed has actually changed, so - * the TPM must have been illegally reset. All in-kernel TPM - * operations will fail because the NULL primary can't be - * loaded to salt the sessions, but disable the TPM anyway so - * userspace programmes can't be compromised by it. - */ - dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n"); - chip->flags |= TPM_CHIP_FLAG_DISABLE; + /* Return the null key if the name has not been changed: */ + if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + *null_key = tmp_null_key; + return 0; + } + + /* Deduce from the name change TPM interference: */ + dev_err(&chip->dev, "the null key integrity check failedh\n"); + tpm2_flush_context(chip, tmp_null_key); + chip->flags |= TPM_CHIP_FLAG_DISABLE; return rc; } -- 2.46.0

1 year

1
0
0 0

[PATCH v3 2/7] tpm: Return on tpm2_create_null_primary() failure

by Jarkko Sakkinen

tpm2_sessions_init() does not ignores the result of saving the null key. Address this by printing either TPM or POSIX error code, and returning -ENODEV back to the caller. Cc: stable(a)vger.kernel.org # v6.11+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v3: - Handle TPM and POSIX error separately and return -ENODEV always back to the caller. v2: - Refined the commit message. --- drivers/char/tpm/tpm2-sessions.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6cc1ea81c57c..0993d18ee886 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1273,7 +1273,13 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) tpm2_flush_context(chip, null_key); } - return rc; + if (rc < 0) + dev_err(&chip->dev, "saving the null key failed with error %d\n", rc); + else if (rc > 0) + dev_err(&chip->dev, "saving the null key failed with TPM error 0x%04X\n", rc); + + /* Map all errors to -ENODEV: */ + return rc ? -ENODEV : rc; } /** @@ -1289,7 +1295,7 @@ int tpm2_sessions_init(struct tpm_chip *chip) rc = tpm2_create_null_primary(chip); if (rc) - dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc); + return rc; chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); if (!chip->auth) -- 2.46.0

1 year

1
0
0 0

[PATCH 2/3] serial: qcom-geni: fix shutdown race

by Johan Hovold

A commit adding back the stopping of tx on port shutdown failed to add back the locking which had also been removed by commit e83766334f96 ("tty: serial: qcom_geni_serial: No need to stop tx/rx on UART shutdown"). Holding the port lock is needed to serialise against the console code, which may update the interrupt enable register and access the port state. The call to stop rx that was added by the same commit is redundant as serial core will already have taken care of that and can thus be removed. Fixes: d8aca2f96813 ("tty: serial: qcom-geni-serial: stop operations in progress at shutdown") Fixes: 947cc4ecc06c ("serial: qcom-geni: fix soft lockup on sw flow control and suspend") Cc: stable(a)vger.kernel.org # 6.3 Cc: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 9ea6bd09e665..88ad5a6e7de2 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1096,10 +1096,10 @@ static void qcom_geni_serial_shutdown(struct uart_port *uport) { disable_irq(uport->irq); + uart_port_lock_irq(uport); qcom_geni_serial_stop_tx(uport); - qcom_geni_serial_stop_rx(uport); - qcom_geni_serial_cancel_tx_cmd(uport); + uart_port_unlock_irq(uport); } static void qcom_geni_serial_flush_buffer(struct uart_port *uport) -- 2.44.2

1 year

2
1
0 0

[PATCH v3] i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition

by Kaixin Wang

In the svc_i3c_master_probe function, &master->hj_work is bound with svc_i3c_master_hj_work, &master->ibi_work is bound with svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the hj_work, svc_i3c_master_irq_handler can start the ibi_work. If we remove the module which will call svc_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | svc_i3c_master_hj_work svc_i3c_master_remove | i3c_master_unregister(&master->base)| device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in svc_i3c_master_remove. Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void") Cc: stable(a)vger.kernel.org Signed-off-by: Kaixin Wang <kxwang23(a)m.fudan.edu.cn> Reviewed-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- v3: - add the tag "Cc: stable(a)vger.kernel.org" in the sign-off area - Link to v2: https://lore.kernel.org/r/20240914154030.180-1-kxwang23@m.fudan.edu.cn v2: - add fixes tag and cc stable, suggested by Frank - add Reviewed-by label from Miquel - Link to v1: https://lore.kernel.org/r/20240911150135.839946-1-kxwang23@m.fudan.edu.cn --- drivers/i3c/master/svc-i3c-master.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c index 0a68fd1b81d4..e084ba648b4a 100644 --- a/drivers/i3c/master/svc-i3c-master.c +++ b/drivers/i3c/master/svc-i3c-master.c @@ -1775,6 +1775,7 @@ static void svc_i3c_master_remove(struct platform_device *pdev) { struct svc_i3c_master *master = platform_get_drvdata(pdev); + cancel_work_sync(&master->hj_work); i3c_master_unregister(&master->base); pm_runtime_dont_use_autosuspend(&pdev->dev); -- 2.39.1.windows.1

1 year

3
2
0 0

[PATCH 5.10] mtd: rawnand: mxc: Remove platform data support

by Denis Arefev

From: Fabio Estevam <festevam(a)gmail.com> [ Upstream commit 0f6b791955a6365b5ebe8b6a5b01de69a47ee92e ] i.MX is a devicetree-only platform now and the existing platform data support in this driver was only useful for old non-devicetree platforms. Get rid of the platform data support since it is no longer used. Signed-off-by: Fabio Estevam <festevam(a)gmail.com> Reviewed-by: Sascha Hauer <s.hauer(a)pengutronix.de> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Link: https://lore.kernel.org/linux-mtd/20201110121908.19400-1-festevam@gmail.com Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/mtd/nand/raw/Kconfig | 2 +- drivers/mtd/nand/raw/mxc_nand.c | 75 ++-------------------- include/linux/platform_data/mtd-mxc_nand.h | 19 ------ 3 files changed, 5 insertions(+), 91 deletions(-) delete mode 100644 include/linux/platform_data/mtd-mxc_nand.h diff --git a/drivers/mtd/nand/raw/Kconfig b/drivers/mtd/nand/raw/Kconfig index 6c46f25b57e2..58421866bdc3 100644 --- a/drivers/mtd/nand/raw/Kconfig +++ b/drivers/mtd/nand/raw/Kconfig @@ -313,7 +313,7 @@ config MTD_NAND_VF610_NFC config MTD_NAND_MXC tristate "Freescale MXC NAND controller" depends on ARCH_MXC || COMPILE_TEST - depends on HAS_IOMEM + depends on HAS_IOMEM && OF help This enables the driver for the NAND flash controller on the MXC processors. diff --git a/drivers/mtd/nand/raw/mxc_nand.c b/drivers/mtd/nand/raw/mxc_nand.c index 684c51e5e60d..f896364968d8 100644 --- a/drivers/mtd/nand/raw/mxc_nand.c +++ b/drivers/mtd/nand/raw/mxc_nand.c @@ -21,7 +21,6 @@ #include <linux/completion.h> #include <linux/of.h> #include <linux/of_device.h> -#include <linux/platform_data/mtd-mxc_nand.h> #define DRIVER_NAME "mxc_nand" @@ -184,7 +183,6 @@ struct mxc_nand_host { unsigned int buf_start; const struct mxc_nand_devtype_data *devtype_data; - struct mxc_nand_platform_data pdata; }; static const char * const part_probes[] = { @@ -1611,29 +1609,6 @@ static inline int is_imx53_nfc(struct mxc_nand_host *host) return host->devtype_data == &imx53_nand_devtype_data; } -static const struct platform_device_id mxcnd_devtype[] = { - { - .name = "imx21-nand", - .driver_data = (kernel_ulong_t) &imx21_nand_devtype_data, - }, { - .name = "imx27-nand", - .driver_data = (kernel_ulong_t) &imx27_nand_devtype_data, - }, { - .name = "imx25-nand", - .driver_data = (kernel_ulong_t) &imx25_nand_devtype_data, - }, { - .name = "imx51-nand", - .driver_data = (kernel_ulong_t) &imx51_nand_devtype_data, - }, { - .name = "imx53-nand", - .driver_data = (kernel_ulong_t) &imx53_nand_devtype_data, - }, { - /* sentinel */ - } -}; -MODULE_DEVICE_TABLE(platform, mxcnd_devtype); - -#ifdef CONFIG_OF static const struct of_device_id mxcnd_dt_ids[] = { { .compatible = "fsl,imx21-nand", @@ -1655,26 +1630,6 @@ static const struct of_device_id mxcnd_dt_ids[] = { }; MODULE_DEVICE_TABLE(of, mxcnd_dt_ids); -static int mxcnd_probe_dt(struct mxc_nand_host *host) -{ - struct device_node *np = host->dev->of_node; - const struct of_device_id *of_id = - of_match_device(mxcnd_dt_ids, host->dev); - - if (!np) - return 1; - - host->devtype_data = of_id->data; - - return 0; -} -#else -static int mxcnd_probe_dt(struct mxc_nand_host *host) -{ - return 1; -} -#endif - static int mxcnd_attach_chip(struct nand_chip *chip) { struct mtd_info *mtd = nand_to_mtd(chip); @@ -1759,6 +1714,7 @@ static const struct nand_controller_ops mxcnd_controller_ops = { static int mxcnd_probe(struct platform_device *pdev) { + const struct of_device_id *of_id; struct nand_chip *this; struct mtd_info *mtd; struct mxc_nand_host *host; @@ -1800,20 +1756,8 @@ static int mxcnd_probe(struct platform_device *pdev) if (IS_ERR(host->clk)) return PTR_ERR(host->clk); - err = mxcnd_probe_dt(host); - if (err > 0) { - struct mxc_nand_platform_data *pdata = - dev_get_platdata(&pdev->dev); - if (pdata) { - host->pdata = *pdata; - host->devtype_data = (struct mxc_nand_devtype_data *) - pdev->id_entry->driver_data; - } else { - err = -ENODEV; - } - } - if (err < 0) - return err; + of_id = of_match_device(mxcnd_dt_ids, host->dev); + host->devtype_data = of_id->data; if (!host->devtype_data->setup_interface) this->options |= NAND_KEEP_TIMINGS; @@ -1843,14 +1787,6 @@ static int mxcnd_probe(struct platform_device *pdev) this->legacy.select_chip = host->devtype_data->select_chip; - /* NAND bus width determines access functions used by upper layer */ - if (host->pdata.width == 2) - this->options |= NAND_BUSWIDTH_16; - - /* update flash based bbt */ - if (host->pdata.flash_bbt) - this->bbt_options |= NAND_BBT_USE_FLASH; - init_completion(&host->op_completion); host->irq = platform_get_irq(pdev, 0); @@ -1891,9 +1827,7 @@ static int mxcnd_probe(struct platform_device *pdev) goto escan; /* Register the partitions */ - err = mtd_device_parse_register(mtd, part_probes, NULL, - host->pdata.parts, - host->pdata.nr_parts); + err = mtd_device_parse_register(mtd, part_probes, NULL, NULL, 0); if (err) goto cleanup_nand; @@ -1930,7 +1864,6 @@ static struct platform_driver mxcnd_driver = { .name = DRIVER_NAME, .of_match_table = of_match_ptr(mxcnd_dt_ids), }, - .id_table = mxcnd_devtype, .probe = mxcnd_probe, .remove = mxcnd_remove, }; diff --git a/include/linux/platform_data/mtd-mxc_nand.h b/include/linux/platform_data/mtd-mxc_nand.h deleted file mode 100644 index d1230030c6db..000000000000 --- a/include/linux/platform_data/mtd-mxc_nand.h +++ /dev/null @@ -1,19 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-or-later */ -/* - * Copyright 2004-2007 Freescale Semiconductor, Inc. All Rights Reserved. - * Copyright 2008 Sascha Hauer, kernel(a)pengutronix.de - */ - -#ifndef __ASM_ARCH_NAND_H -#define __ASM_ARCH_NAND_H - -#include <linux/mtd/partitions.h> - -struct mxc_nand_platform_data { - unsigned int width; /* data bus width in bytes */ - unsigned int hw_ecc:1; /* 0 if suppress hardware ECC */ - unsigned int flash_bbt:1; /* set to 1 to use a flash based bbt */ - struct mtd_partition *parts; /* partition table */ - int nr_parts; /* size of parts */ -}; -#endif /* __ASM_ARCH_NAND_H */ -- 2.25.1

1 year

1
0
0 0

[PATCH 5.10] Input: adp5588-keys - add support for fw properties

by Denis Arefev

From: Nuno Sá <nuno.sa(a)analog.com> [ Upstream commit 6704a86283b7e79ff7ae36d388466428f6672962 ] Use firmware properties (eg: OF) to get the device specific configuration. This change just replaces the platform data since there was no platform using it and so, it makes no sense having both. Special note to the PULL-UP disable setting that is now supported as part of the gpio subsystem (using 'set_config()' callback). Signed-off-by: Nuno Sá <nuno.sa(a)analog.com> Reviewed-by: Andy Shevchenko <andy.shevchenko(a)gmail.com> Link: https://lore.kernel.org/r/20220829131553.690063-5-nuno.sa@analog.com [In v5.10.226 IRQCHIP_IMMUTABLE is missing, replaced with (1 << 11)] [In v5.10.226 GPIOCHIP_IRQ_RESOURCE_HELPERS is missing, removed, since there is initialization in gpiochip_set_irq_hooks] [In v5.10.226 DEFINE_SIMPLE_DEV_PM_OPS is missing, replaced with static const struct dev_pm_ops] Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> --- drivers/input/keyboard/Kconfig | 3 + drivers/input/keyboard/adp5588-keys.c | 849 ++++++++++++++++---------- include/linux/platform_data/adp5588.h | 171 ------ 3 files changed, 532 insertions(+), 491 deletions(-) delete mode 100644 include/linux/platform_data/adp5588.h diff --git a/drivers/input/keyboard/Kconfig b/drivers/input/keyboard/Kconfig index 3f7a5ff17a9a..9a58f668cd25 100644 --- a/drivers/input/keyboard/Kconfig +++ b/drivers/input/keyboard/Kconfig @@ -40,6 +40,9 @@ config KEYBOARD_ADP5520 config KEYBOARD_ADP5588 tristate "ADP5588/87 I2C QWERTY Keypad and IO Expander" depends on I2C + select GPIOLIB + select GPIOLIB_IRQCHIP + select INPUT_MATRIXKMAP help Say Y here if you want to use a ADP5588/87 attached to your system I2C bus. diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c index 90a59b973d00..b1ce00d638a4 100644 --- a/drivers/input/keyboard/adp5588-keys.c +++ b/drivers/input/keyboard/adp5588-keys.c @@ -8,25 +8,163 @@ * Copyright (C) 2008-2010 Analog Devices Inc. */ -#include <linux/module.h> +#include <linux/bits.h> +#include <linux/delay.h> +#include <linux/errno.h> +#include <linux/gpio/consumer.h> +#include <linux/gpio/driver.h> +#include <linux/i2c.h> +#include <linux/input.h> +#include <linux/input/matrix_keypad.h> #include <linux/interrupt.h> #include <linux/irq.h> -#include <linux/workqueue.h> -#include <linux/errno.h> -#include <linux/pm.h> +#include <linux/ktime.h> +#include <linux/module.h> +#include <linux/mod_devicetable.h> +#include <linux/pinctrl/pinconf-generic.h> #include <linux/platform_device.h> -#include <linux/input.h> -#include <linux/i2c.h> -#include <linux/gpio.h> +#include <linux/pm.h> +#include <linux/regulator/consumer.h> #include <linux/slab.h> +#include <linux/timekeeping.h> + +#define DEV_ID 0x00 /* Device ID */ +#define CFG 0x01 /* Configuration Register1 */ +#define INT_STAT 0x02 /* Interrupt Status Register */ +#define KEY_LCK_EC_STAT 0x03 /* Key Lock and Event Counter Register */ +#define KEY_EVENTA 0x04 /* Key Event Register A */ +#define KEY_EVENTB 0x05 /* Key Event Register B */ +#define KEY_EVENTC 0x06 /* Key Event Register C */ +#define KEY_EVENTD 0x07 /* Key Event Register D */ +#define KEY_EVENTE 0x08 /* Key Event Register E */ +#define KEY_EVENTF 0x09 /* Key Event Register F */ +#define KEY_EVENTG 0x0A /* Key Event Register G */ +#define KEY_EVENTH 0x0B /* Key Event Register H */ +#define KEY_EVENTI 0x0C /* Key Event Register I */ +#define KEY_EVENTJ 0x0D /* Key Event Register J */ +#define KP_LCK_TMR 0x0E /* Keypad Lock1 to Lock2 Timer */ +#define UNLOCK1 0x0F /* Unlock Key1 */ +#define UNLOCK2 0x10 /* Unlock Key2 */ +#define GPIO_INT_STAT1 0x11 /* GPIO Interrupt Status */ +#define GPIO_INT_STAT2 0x12 /* GPIO Interrupt Status */ +#define GPIO_INT_STAT3 0x13 /* GPIO Interrupt Status */ +#define GPIO_DAT_STAT1 0x14 /* GPIO Data Status, Read twice to clear */ +#define GPIO_DAT_STAT2 0x15 /* GPIO Data Status, Read twice to clear */ +#define GPIO_DAT_STAT3 0x16 /* GPIO Data Status, Read twice to clear */ +#define GPIO_DAT_OUT1 0x17 /* GPIO DATA OUT */ +#define GPIO_DAT_OUT2 0x18 /* GPIO DATA OUT */ +#define GPIO_DAT_OUT3 0x19 /* GPIO DATA OUT */ +#define GPIO_INT_EN1 0x1A /* GPIO Interrupt Enable */ +#define GPIO_INT_EN2 0x1B /* GPIO Interrupt Enable */ +#define GPIO_INT_EN3 0x1C /* GPIO Interrupt Enable */ +#define KP_GPIO1 0x1D /* Keypad or GPIO Selection */ +#define KP_GPIO2 0x1E /* Keypad or GPIO Selection */ +#define KP_GPIO3 0x1F /* Keypad or GPIO Selection */ +#define GPI_EM1 0x20 /* GPI Event Mode 1 */ +#define GPI_EM2 0x21 /* GPI Event Mode 2 */ +#define GPI_EM3 0x22 /* GPI Event Mode 3 */ +#define GPIO_DIR1 0x23 /* GPIO Data Direction */ +#define GPIO_DIR2 0x24 /* GPIO Data Direction */ +#define GPIO_DIR3 0x25 /* GPIO Data Direction */ +#define GPIO_INT_LVL1 0x26 /* GPIO Edge/Level Detect */ +#define GPIO_INT_LVL2 0x27 /* GPIO Edge/Level Detect */ +#define GPIO_INT_LVL3 0x28 /* GPIO Edge/Level Detect */ +#define DEBOUNCE_DIS1 0x29 /* Debounce Disable */ +#define DEBOUNCE_DIS2 0x2A /* Debounce Disable */ +#define DEBOUNCE_DIS3 0x2B /* Debounce Disable */ +#define GPIO_PULL1 0x2C /* GPIO Pull Disable */ +#define GPIO_PULL2 0x2D /* GPIO Pull Disable */ +#define GPIO_PULL3 0x2E /* GPIO Pull Disable */ +#define CMP_CFG_STAT 0x30 /* Comparator Configuration and Status Register */ +#define CMP_CONFG_SENS1 0x31 /* Sensor1 Comparator Configuration Register */ +#define CMP_CONFG_SENS2 0x32 /* L2 Light Sensor Reference Level, Output Falling for Sensor 1 */ +#define CMP1_LVL2_TRIP 0x33 /* L2 Light Sensor Hysteresis (Active when Output Rising) for Sensor 1 */ +#define CMP1_LVL2_HYS 0x34 /* L3 Light Sensor Reference Level, Output Falling For Sensor 1 */ +#define CMP1_LVL3_TRIP 0x35 /* L3 Light Sensor Hysteresis (Active when Output Rising) For Sensor 1 */ +#define CMP1_LVL3_HYS 0x36 /* Sensor 2 Comparator Configuration Register */ +#define CMP2_LVL2_TRIP 0x37 /* L2 Light Sensor Reference Level, Output Falling for Sensor 2 */ +#define CMP2_LVL2_HYS 0x38 /* L2 Light Sensor Hysteresis (Active when Output Rising) for Sensor 2 */ +#define CMP2_LVL3_TRIP 0x39 /* L3 Light Sensor Reference Level, Output Falling For Sensor 2 */ +#define CMP2_LVL3_HYS 0x3A /* L3 Light Sensor Hysteresis (Active when Output Rising) For Sensor 2 */ +#define CMP1_ADC_DAT_R1 0x3B /* Comparator 1 ADC data Register1 */ +#define CMP1_ADC_DAT_R2 0x3C /* Comparator 1 ADC data Register2 */ +#define CMP2_ADC_DAT_R1 0x3D /* Comparator 2 ADC data Register1 */ +#define CMP2_ADC_DAT_R2 0x3E /* Comparator 2 ADC data Register2 */ + +#define ADP5588_DEVICE_ID_MASK 0xF + + /* Configuration Register1 */ +#define ADP5588_AUTO_INC BIT(7) +#define ADP5588_GPIEM_CFG BIT(6) +#define ADP5588_OVR_FLOW_M BIT(5) +#define ADP5588_INT_CFG BIT(4) +#define ADP5588_OVR_FLOW_IEN BIT(3) +#define ADP5588_K_LCK_IM BIT(2) +#define ADP5588_GPI_IEN BIT(1) +#define ADP5588_KE_IEN BIT(0) + +/* Interrupt Status Register */ +#define ADP5588_CMP2_INT BIT(5) +#define ADP5588_CMP1_INT BIT(4) +#define ADP5588_OVR_FLOW_INT BIT(3) +#define ADP5588_K_LCK_INT BIT(2) +#define ADP5588_GPI_INT BIT(1) +#define ADP5588_KE_INT BIT(0) + +/* Key Lock and Event Counter Register */ +#define ADP5588_K_LCK_EN BIT(6) +#define ADP5588_LCK21 0x30 +#define ADP5588_KEC GENMASK(3, 0) + +#define ADP5588_MAXGPIO 18 +#define ADP5588_BANK(offs) ((offs) >> 3) +#define ADP5588_BIT(offs) (1u << ((offs) & 0x7)) + +/* Put one of these structures in i2c_board_info platform_data */ -#include <linux/platform_data/adp5588.h> +/* + * 128 so it fits matrix-keymap maximum number of keys when the full + * 10cols * 8rows are used. + */ +#define ADP5588_KEYMAPSIZE 128 + +#define GPI_PIN_ROW0 97 +#define GPI_PIN_ROW1 98 +#define GPI_PIN_ROW2 99 +#define GPI_PIN_ROW3 100 +#define GPI_PIN_ROW4 101 +#define GPI_PIN_ROW5 102 +#define GPI_PIN_ROW6 103 +#define GPI_PIN_ROW7 104 +#define GPI_PIN_COL0 105 +#define GPI_PIN_COL1 106 +#define GPI_PIN_COL2 107 +#define GPI_PIN_COL3 108 +#define GPI_PIN_COL4 109 +#define GPI_PIN_COL5 110 +#define GPI_PIN_COL6 111 +#define GPI_PIN_COL7 112 +#define GPI_PIN_COL8 113 +#define GPI_PIN_COL9 114 + +#define GPI_PIN_ROW_BASE GPI_PIN_ROW0 +#define GPI_PIN_ROW_END GPI_PIN_ROW7 +#define GPI_PIN_COL_BASE GPI_PIN_COL0 +#define GPI_PIN_COL_END GPI_PIN_COL9 + +#define GPI_PIN_BASE GPI_PIN_ROW_BASE +#define GPI_PIN_END GPI_PIN_COL_END + +#define ADP5588_ROWS_MAX (GPI_PIN_ROW7 - GPI_PIN_ROW0 + 1) +#define ADP5588_COLS_MAX (GPI_PIN_COL9 - GPI_PIN_COL0 + 1) + +#define ADP5588_GPIMAPSIZE_MAX (GPI_PIN_END - GPI_PIN_BASE + 1) /* Key Event Register xy */ -#define KEY_EV_PRESSED (1 << 7) -#define KEY_EV_MASK (0x7F) +#define KEY_EV_PRESSED BIT(7) +#define KEY_EV_MASK GENMASK(6, 0) -#define KP_SEL(x) (0xFFFF >> (16 - x)) /* 2^x-1 */ +#define KP_SEL(x) (BIT(x) - 1) /* 2^x-1 */ #define KEYP_MAX_EVENT 10 @@ -36,23 +174,29 @@ * asserted. */ #define WA_DELAYED_READOUT_REVID(rev) ((rev) < 4) +#define WA_DELAYED_READOUT_TIME 25 + +#define ADP5588_INVALID_HWIRQ (~0UL) struct adp5588_kpad { struct i2c_client *client; struct input_dev *input; - struct delayed_work work; + ktime_t irq_time; unsigned long delay; + u32 row_shift; + u32 rows; + u32 cols; + u32 unlock_keys[2]; + int nkeys_unlock; unsigned short keycode[ADP5588_KEYMAPSIZE]; - const struct adp5588_gpi_map *gpimap; - unsigned short gpimapsize; -#ifdef CONFIG_GPIOLIB unsigned char gpiomap[ADP5588_MAXGPIO]; - bool export_gpio; struct gpio_chip gc; struct mutex gpio_lock; /* Protect cached dir, dat_out */ u8 dat_out[3]; u8 dir[3]; -#endif + u8 int_en[3]; + u8 irq_mask[3]; + u8 pull_dis[3]; }; static int adp5588_read(struct i2c_client *client, u8 reg) @@ -70,8 +214,7 @@ static int adp5588_write(struct i2c_client *client, u8 reg, u8 val) return i2c_smbus_write_byte_data(client, reg, val); } -#ifdef CONFIG_GPIOLIB -static int adp5588_gpio_get_value(struct gpio_chip *chip, unsigned off) +static int adp5588_gpio_get_value(struct gpio_chip *chip, unsigned int off) { struct adp5588_kpad *kpad = gpiochip_get_data(chip); unsigned int bank = ADP5588_BANK(kpad->gpiomap[off]); @@ -91,7 +234,7 @@ static int adp5588_gpio_get_value(struct gpio_chip *chip, unsigned off) } static void adp5588_gpio_set_value(struct gpio_chip *chip, - unsigned off, int val) + unsigned int off, int val) { struct adp5588_kpad *kpad = gpiochip_get_data(chip); unsigned int bank = ADP5588_BANK(kpad->gpiomap[off]); @@ -104,13 +247,47 @@ static void adp5588_gpio_set_value(struct gpio_chip *chip, else kpad->dat_out[bank] &= ~bit; - adp5588_write(kpad->client, GPIO_DAT_OUT1 + bank, - kpad->dat_out[bank]); + adp5588_write(kpad->client, GPIO_DAT_OUT1 + bank, kpad->dat_out[bank]); + + mutex_unlock(&kpad->gpio_lock); +} + +static int adp5588_gpio_set_config(struct gpio_chip *chip, unsigned int off, + unsigned long config) +{ + struct adp5588_kpad *kpad = gpiochip_get_data(chip); + unsigned int bank = ADP5588_BANK(kpad->gpiomap[off]); + unsigned int bit = ADP5588_BIT(kpad->gpiomap[off]); + bool pull_disable; + int ret; + + switch (pinconf_to_config_param(config)) { + case PIN_CONFIG_BIAS_PULL_UP: + pull_disable = false; + break; + case PIN_CONFIG_BIAS_DISABLE: + pull_disable = true; + break; + default: + return -EOPNOTSUPP; + } + + mutex_lock(&kpad->gpio_lock); + + if (pull_disable) + kpad->pull_dis[bank] |= bit; + else + kpad->pull_dis[bank] &= bit; + + ret = adp5588_write(kpad->client, GPIO_PULL1 + bank, + kpad->pull_dis[bank]); mutex_unlock(&kpad->gpio_lock); + + return ret; } -static int adp5588_gpio_direction_input(struct gpio_chip *chip, unsigned off) +static int adp5588_gpio_direction_input(struct gpio_chip *chip, unsigned int off) { struct adp5588_kpad *kpad = gpiochip_get_data(chip); unsigned int bank = ADP5588_BANK(kpad->gpiomap[off]); @@ -128,7 +305,7 @@ static int adp5588_gpio_direction_input(struct gpio_chip *chip, unsigned off) } static int adp5588_gpio_direction_output(struct gpio_chip *chip, - unsigned off, int val) + unsigned int off, int val) { struct adp5588_kpad *kpad = gpiochip_get_data(chip); unsigned int bank = ADP5588_BANK(kpad->gpiomap[off]); @@ -145,17 +322,19 @@ static int adp5588_gpio_direction_output(struct gpio_chip *chip, kpad->dat_out[bank] &= ~bit; ret = adp5588_write(kpad->client, GPIO_DAT_OUT1 + bank, - kpad->dat_out[bank]); - ret |= adp5588_write(kpad->client, GPIO_DIR1 + bank, - kpad->dir[bank]); + kpad->dat_out[bank]); + if (ret) + goto out_unlock; + ret = adp5588_write(kpad->client, GPIO_DIR1 + bank, kpad->dir[bank]); + +out_unlock: mutex_unlock(&kpad->gpio_lock); return ret; } -static int adp5588_build_gpiomap(struct adp5588_kpad *kpad, - const struct adp5588_kpad_platform_data *pdata) +static int adp5588_build_gpiomap(struct adp5588_kpad *kpad) { bool pin_used[ADP5588_MAXGPIO]; int n_unused = 0; @@ -163,15 +342,12 @@ static int adp5588_build_gpiomap(struct adp5588_kpad *kpad, memset(pin_used, 0, sizeof(pin_used)); - for (i = 0; i < pdata->rows; i++) + for (i = 0; i < kpad->rows; i++) pin_used[i] = true; - for (i = 0; i < pdata->cols; i++) + for (i = 0; i < kpad->cols; i++) pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true; - for (i = 0; i < kpad->gpimapsize; i++) - pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true; - for (i = 0; i < ADP5588_MAXGPIO; i++) if (!pin_used[i]) kpad->gpiomap[n_unused++] = i; @@ -179,40 +355,106 @@ static int adp5588_build_gpiomap(struct adp5588_kpad *kpad, return n_unused; } +static void adp5588_irq_bus_lock(struct irq_data *d) +{ + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct adp5588_kpad *kpad = gpiochip_get_data(gc); + + mutex_lock(&kpad->gpio_lock); +} + +static void adp5588_irq_bus_sync_unlock(struct irq_data *d) +{ + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct adp5588_kpad *kpad = gpiochip_get_data(gc); + int i; + + for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) { + if (kpad->int_en[i] ^ kpad->irq_mask[i]) { + kpad->int_en[i] = kpad->irq_mask[i]; + adp5588_write(kpad->client, GPI_EM1 + i, kpad->int_en[i]); + } + } + + mutex_unlock(&kpad->gpio_lock); +} + +static void adp5588_irq_mask(struct irq_data *d) +{ + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct adp5588_kpad *kpad = gpiochip_get_data(gc); + irq_hw_number_t hwirq = irqd_to_hwirq(d); + unsigned long real_irq = kpad->gpiomap[hwirq]; + + kpad->irq_mask[ADP5588_BANK(real_irq)] &= ~ADP5588_BIT(real_irq); + gpiochip_disable_irq(gc, hwirq); +} + +static void adp5588_irq_unmask(struct irq_data *d) +{ + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct adp5588_kpad *kpad = gpiochip_get_data(gc); + irq_hw_number_t hwirq = irqd_to_hwirq(d); + unsigned long real_irq = kpad->gpiomap[hwirq]; + + gpiochip_enable_irq(gc, hwirq); + kpad->irq_mask[ADP5588_BANK(real_irq)] |= ADP5588_BIT(real_irq); +} + +static int adp5588_irq_set_type(struct irq_data *d, unsigned int type) +{ + if (!(type & IRQ_TYPE_EDGE_BOTH)) + return -EINVAL; + + irq_set_handler_locked(d, handle_edge_irq); + + return 0; +} + +static const struct irq_chip adp5588_irq_chip = { + .name = "adp5588", + .irq_mask = adp5588_irq_mask, + .irq_unmask = adp5588_irq_unmask, + .irq_bus_lock = adp5588_irq_bus_lock, + .irq_bus_sync_unlock = adp5588_irq_bus_sync_unlock, + .irq_set_type = adp5588_irq_set_type, + .flags = IRQCHIP_SKIP_SET_WAKE | (1 << 11), +}; + static int adp5588_gpio_add(struct adp5588_kpad *kpad) { struct device *dev = &kpad->client->dev; - const struct adp5588_kpad_platform_data *pdata = dev_get_platdata(dev); - const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; + struct gpio_irq_chip *girq; int i, error; - if (!gpio_data) - return 0; - - kpad->gc.ngpio = adp5588_build_gpiomap(kpad, pdata); + kpad->gc.ngpio = adp5588_build_gpiomap(kpad); if (kpad->gc.ngpio == 0) { dev_info(dev, "No unused gpios left to export\n"); return 0; } - kpad->export_gpio = true; - + kpad->gc.parent = &kpad->client->dev; kpad->gc.direction_input = adp5588_gpio_direction_input; kpad->gc.direction_output = adp5588_gpio_direction_output; kpad->gc.get = adp5588_gpio_get_value; kpad->gc.set = adp5588_gpio_set_value; + kpad->gc.set_config = adp5588_gpio_set_config; kpad->gc.can_sleep = 1; - kpad->gc.base = gpio_data->gpio_start; + kpad->gc.base = -1; kpad->gc.label = kpad->client->name; kpad->gc.owner = THIS_MODULE; - kpad->gc.names = gpio_data->names; + + girq = &kpad->gc.irq; + girq->chip = (struct irq_chip *)&adp5588_irq_chip; + girq->handler = handle_bad_irq; + girq->threaded = true; mutex_init(&kpad->gpio_lock); - error = gpiochip_add_data(&kpad->gc, kpad); + error = devm_gpiochip_add_data(dev, &kpad->gc, kpad); if (error) { - dev_err(dev, "gpiochip_add failed, err: %d\n", error); + dev_err(dev, "gpiochip_add failed: %d\n", error); return error; } @@ -220,82 +462,121 @@ static int adp5588_gpio_add(struct adp5588_kpad *kpad) kpad->dat_out[i] = adp5588_read(kpad->client, GPIO_DAT_OUT1 + i); kpad->dir[i] = adp5588_read(kpad->client, GPIO_DIR1 + i); - } - - if (gpio_data->setup) { - error = gpio_data->setup(kpad->client, - kpad->gc.base, kpad->gc.ngpio, - gpio_data->context); - if (error) - dev_warn(dev, "setup failed, %d\n", error); + kpad->pull_dis[i] = adp5588_read(kpad->client, GPIO_PULL1 + i); } return 0; } -static void adp5588_gpio_remove(struct adp5588_kpad *kpad) +static unsigned long adp5588_gpiomap_get_hwirq(struct device *dev, + const u8 *map, unsigned int gpio, + unsigned int ngpios) { - struct device *dev = &kpad->client->dev; - const struct adp5588_kpad_platform_data *pdata = dev_get_platdata(dev); - const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; - int error; + unsigned int hwirq; - if (!kpad->export_gpio) - return; + for (hwirq = 0; hwirq < ngpios; hwirq++) + if (map[hwirq] == gpio) + return hwirq; - if (gpio_data->teardown) { - error = gpio_data->teardown(kpad->client, - kpad->gc.base, kpad->gc.ngpio, - gpio_data->context); - if (error) - dev_warn(dev, "teardown failed %d\n", error); - } + /* should never happen */ + dev_warn_ratelimited(dev, "could not find the hwirq for gpio(%u)\n", gpio); - gpiochip_remove(&kpad->gc); -} -#else -static inline int adp5588_gpio_add(struct adp5588_kpad *kpad) -{ - return 0; + return ADP5588_INVALID_HWIRQ; } -static inline void adp5588_gpio_remove(struct adp5588_kpad *kpad) +static void adp5588_gpio_irq_handle(struct adp5588_kpad *kpad, int key_val, + int key_press) { + unsigned int irq, gpio = key_val - GPI_PIN_BASE, irq_type; + struct i2c_client *client = kpad->client; + struct irq_data *irqd; + unsigned long hwirq; + + hwirq = adp5588_gpiomap_get_hwirq(&client->dev, kpad->gpiomap, + gpio, kpad->gc.ngpio); + if (hwirq == ADP5588_INVALID_HWIRQ) { + dev_err(&client->dev, "Could not get hwirq for key(%u)\n", key_val); + return; + } + + irq = irq_find_mapping(kpad->gc.irq.domain, hwirq); + if (!irq) + return; + + irqd = irq_get_irq_data(irq); + if (!irqd) { + dev_err(&client->dev, "Could not get irq(%u) data\n", irq); + return; + } + + irq_type = irqd_get_trigger_type(irqd); + + /* + * Default is active low which means key_press is asserted on + * the falling edge. + */ + if ((irq_type & IRQ_TYPE_EDGE_RISING && !key_press) || + (irq_type & IRQ_TYPE_EDGE_FALLING && key_press)) + handle_nested_irq(irq); } -#endif static void adp5588_report_events(struct adp5588_kpad *kpad, int ev_cnt) { - int i, j; + int i; for (i = 0; i < ev_cnt; i++) { - int key = adp5588_read(kpad->client, Key_EVENTA + i); + int key = adp5588_read(kpad->client, KEY_EVENTA + i); int key_val = key & KEY_EV_MASK; + int key_press = key & KEY_EV_PRESSED; if (key_val >= GPI_PIN_BASE && key_val <= GPI_PIN_END) { - for (j = 0; j < kpad->gpimapsize; j++) { - if (key_val == kpad->gpimap[j].pin) { - input_report_switch(kpad->input, - kpad->gpimap[j].sw_evt, - key & KEY_EV_PRESSED); - break; - } - } + /* gpio line used as IRQ source */ + adp5588_gpio_irq_handle(kpad, key_val, key_press); } else { + int row = (key_val - 1) / ADP5588_COLS_MAX; + int col = (key_val - 1) % ADP5588_COLS_MAX; + int code = MATRIX_SCAN_CODE(row, col, kpad->row_shift); + + dev_dbg_ratelimited(&kpad->client->dev, + "report key(%d) r(%d) c(%d) code(%d)\n", + key_val, row, col, kpad->keycode[code]); + input_report_key(kpad->input, - kpad->keycode[key_val - 1], - key & KEY_EV_PRESSED); + kpad->keycode[code], key_press); } } } -static void adp5588_work(struct work_struct *work) +static irqreturn_t adp5588_hard_irq(int irq, void *handle) +{ + struct adp5588_kpad *kpad = handle; + + kpad->irq_time = ktime_get(); + + return IRQ_WAKE_THREAD; +} + +static irqreturn_t adp5588_thread_irq(int irq, void *handle) { - struct adp5588_kpad *kpad = container_of(work, - struct adp5588_kpad, work.work); + struct adp5588_kpad *kpad = handle; struct i2c_client *client = kpad->client; + ktime_t target_time, now; + unsigned long delay; int status, ev_cnt; + /* + * Readout needs to wait for at least 25ms after the notification + * for REVID < 4. + */ + if (kpad->delay) { + target_time = ktime_add_ms(kpad->irq_time, kpad->delay); + now = ktime_get(); + if (ktime_before(now, target_time)) { + delay = ktime_to_us(ktime_sub(target_time, now)); + usleep_range(delay, delay + 1000); + } + } + status = adp5588_read(client, INT_STAT); if (status & ADP5588_OVR_FLOW_INT) /* Unlikely and should never happen */ @@ -308,218 +589,199 @@ static void adp5588_work(struct work_struct *work) input_sync(kpad->input); } } - adp5588_write(client, INT_STAT, status); /* Status is W1C */ -} - -static irqreturn_t adp5588_irq(int irq, void *handle) -{ - struct adp5588_kpad *kpad = handle; - - /* - * use keventd context to read the event fifo registers - * Schedule readout at least 25ms after notification for - * REVID < 4 - */ - schedule_delayed_work(&kpad->work, kpad->delay); + adp5588_write(client, INT_STAT, status); /* Status is W1C */ return IRQ_HANDLED; } -static int adp5588_setup(struct i2c_client *client) +static int adp5588_setup(struct adp5588_kpad *kpad) { - const struct adp5588_kpad_platform_data *pdata = - dev_get_platdata(&client->dev); - const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; + struct i2c_client *client = kpad->client; int i, ret; - unsigned char evt_mode1 = 0, evt_mode2 = 0, evt_mode3 = 0; - ret = adp5588_write(client, KP_GPIO1, KP_SEL(pdata->rows)); - ret |= adp5588_write(client, KP_GPIO2, KP_SEL(pdata->cols) & 0xFF); - ret |= adp5588_write(client, KP_GPIO3, KP_SEL(pdata->cols) >> 8); - - if (pdata->en_keylock) { - ret |= adp5588_write(client, UNLOCK1, pdata->unlock_key1); - ret |= adp5588_write(client, UNLOCK2, pdata->unlock_key2); - ret |= adp5588_write(client, KEY_LCK_EC_STAT, ADP5588_K_LCK_EN); - } + ret = adp5588_write(client, KP_GPIO1, KP_SEL(kpad->rows)); + if (ret) + return ret; - for (i = 0; i < KEYP_MAX_EVENT; i++) - ret |= adp5588_read(client, Key_EVENTA); + ret = adp5588_write(client, KP_GPIO2, KP_SEL(kpad->cols) & 0xFF); + if (ret) + return ret; - for (i = 0; i < pdata->gpimapsize; i++) { - unsigned short pin = pdata->gpimap[i].pin; + ret = adp5588_write(client, KP_GPIO3, KP_SEL(kpad->cols) >> 8); + if (ret) + return ret; - if (pin <= GPI_PIN_ROW_END) { - evt_mode1 |= (1 << (pin - GPI_PIN_ROW_BASE)); - } else { - evt_mode2 |= ((1 << (pin - GPI_PIN_COL_BASE)) & 0xFF); - evt_mode3 |= ((1 << (pin - GPI_PIN_COL_BASE)) >> 8); - } + for (i = 0; i < kpad->nkeys_unlock; i++) { + ret = adp5588_write(client, UNLOCK1 + i, kpad->unlock_keys[i]); + if (ret) + return ret; } - if (pdata->gpimapsize) { - ret |= adp5588_write(client, GPI_EM1, evt_mode1); - ret |= adp5588_write(client, GPI_EM2, evt_mode2); - ret |= adp5588_write(client, GPI_EM3, evt_mode3); + if (kpad->nkeys_unlock) { + ret = adp5588_write(client, KEY_LCK_EC_STAT, ADP5588_K_LCK_EN); + if (ret) + return ret; } - if (gpio_data) { - for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) { - int pull_mask = gpio_data->pullup_dis_mask; - - ret |= adp5588_write(client, GPIO_PULL1 + i, - (pull_mask >> (8 * i)) & 0xFF); - } + for (i = 0; i < KEYP_MAX_EVENT; i++) { + ret = adp5588_read(client, KEY_EVENTA); + if (ret) + return ret; } - ret |= adp5588_write(client, INT_STAT, - ADP5588_CMP2_INT | ADP5588_CMP1_INT | - ADP5588_OVR_FLOW_INT | ADP5588_K_LCK_INT | - ADP5588_GPI_INT | ADP5588_KE_INT); /* Status is W1C */ + ret = adp5588_write(client, INT_STAT, + ADP5588_CMP2_INT | ADP5588_CMP1_INT | + ADP5588_OVR_FLOW_INT | ADP5588_K_LCK_INT | + ADP5588_GPI_INT | ADP5588_KE_INT); /* Status is W1C */ + if (ret) + return ret; - ret |= adp5588_write(client, CFG, ADP5588_INT_CFG | - ADP5588_OVR_FLOW_IEN | - ADP5588_KE_IEN); + return adp5588_write(client, CFG, ADP5588_INT_CFG | + ADP5588_OVR_FLOW_IEN | ADP5588_KE_IEN); +} + +static int adp5588_fw_parse(struct adp5588_kpad *kpad) +{ + struct i2c_client *client = kpad->client; + int ret, i; - if (ret < 0) { - dev_err(&client->dev, "Write Error\n"); + ret = matrix_keypad_parse_properties(&client->dev, &kpad->rows, + &kpad->cols); + if (ret) return ret; + + if (kpad->rows > ADP5588_ROWS_MAX || kpad->cols > ADP5588_COLS_MAX) { + dev_err(&client->dev, "Invalid nr of rows(%u) or cols(%u)\n", + kpad->rows, kpad->cols); + return -EINVAL; } - return 0; -} + ret = matrix_keypad_build_keymap(NULL, NULL, kpad->rows, kpad->cols, + kpad->keycode, kpad->input); + if (ret) + return ret; -static void adp5588_report_switch_state(struct adp5588_kpad *kpad) -{ - int gpi_stat1 = adp5588_read(kpad->client, GPIO_DAT_STAT1); - int gpi_stat2 = adp5588_read(kpad->client, GPIO_DAT_STAT2); - int gpi_stat3 = adp5588_read(kpad->client, GPIO_DAT_STAT3); - int gpi_stat_tmp, pin_loc; - int i; + kpad->row_shift = get_count_order(kpad->cols); - for (i = 0; i < kpad->gpimapsize; i++) { - unsigned short pin = kpad->gpimap[i].pin; + if (device_property_read_bool(&client->dev, "autorepeat")) + __set_bit(EV_REP, kpad->input->evbit); - if (pin <= GPI_PIN_ROW_END) { - gpi_stat_tmp = gpi_stat1; - pin_loc = pin - GPI_PIN_ROW_BASE; - } else if ((pin - GPI_PIN_COL_BASE) < 8) { - gpi_stat_tmp = gpi_stat2; - pin_loc = pin - GPI_PIN_COL_BASE; - } else { - gpi_stat_tmp = gpi_stat3; - pin_loc = pin - GPI_PIN_COL_BASE - 8; - } + kpad->nkeys_unlock = device_property_count_u32(&client->dev, + "adi,unlock-keys"); + if (kpad->nkeys_unlock <= 0) { + /* so that we don't end up enabling key lock */ + kpad->nkeys_unlock = 0; + return 0; + } + + if (kpad->nkeys_unlock > ARRAY_SIZE(kpad->unlock_keys)) { + dev_err(&client->dev, "number of unlock keys(%d) > (%zu)\n", + kpad->nkeys_unlock, ARRAY_SIZE(kpad->unlock_keys)); + return -EINVAL; + } - if (gpi_stat_tmp < 0) { - dev_err(&kpad->client->dev, - "Can't read GPIO_DAT_STAT switch %d default to OFF\n", - pin); - gpi_stat_tmp = 0; + ret = device_property_read_u32_array(&client->dev, "adi,unlock-keys", + kpad->unlock_keys, + kpad->nkeys_unlock); + if (ret) + return ret; + + for (i = 0; i < kpad->nkeys_unlock; i++) { + /* + * Even though it should be possible (as stated in the datasheet) + * to use GPIs (which are part of the keys event) as unlock keys, + * it was not working at all and was leading to overflow events + * at some point. Hence, for now, let's just allow keys which are + * part of keypad matrix to be used and if a reliable way of + * using GPIs is found, this condition can be removed/lightened. + */ + if (kpad->unlock_keys[i] >= kpad->cols * kpad->rows) { + dev_err(&client->dev, "Invalid unlock key(%d)\n", + kpad->unlock_keys[i]); + return -EINVAL; } - input_report_switch(kpad->input, - kpad->gpimap[i].sw_evt, - !(gpi_stat_tmp & (1 << pin_loc))); + /* + * Firmware properties keys start from 0 but on the device they + * start from 1. + */ + kpad->unlock_keys[i] += 1; } - input_sync(kpad->input); + return 0; } +static void adp5588_disable_regulator(void *reg) +{ + regulator_disable(reg); +} static int adp5588_probe(struct i2c_client *client, const struct i2c_device_id *id) { struct adp5588_kpad *kpad; - const struct adp5588_kpad_platform_data *pdata = - dev_get_platdata(&client->dev); struct input_dev *input; + struct gpio_desc *gpio; + struct regulator *vcc; unsigned int revid; - int ret, i; + int ret; int error; if (!i2c_check_functionality(client->adapter, - I2C_FUNC_SMBUS_BYTE_DATA)) { + I2C_FUNC_SMBUS_BYTE_DATA)) { dev_err(&client->dev, "SMBUS Byte Data not Supported\n"); return -EIO; } - if (!pdata) { - dev_err(&client->dev, "no platform data?\n"); - return -EINVAL; - } - - if (!pdata->rows || !pdata->cols || !pdata->keymap) { - dev_err(&client->dev, "no rows, cols or keymap from pdata\n"); - return -EINVAL; - } + kpad = devm_kzalloc(&client->dev, sizeof(*kpad), GFP_KERNEL); + if (!kpad) + return -ENOMEM; - if (pdata->keymapsize != ADP5588_KEYMAPSIZE) { - dev_err(&client->dev, "invalid keymapsize\n"); - return -EINVAL; - } + input = devm_input_allocate_device(&client->dev); + if (!input) + return -ENOMEM; - if (!pdata->gpimap && pdata->gpimapsize) { - dev_err(&client->dev, "invalid gpimap from pdata\n"); - return -EINVAL; - } + kpad->client = client; + kpad->input = input; - if (pdata->gpimapsize > ADP5588_GPIMAPSIZE_MAX) { - dev_err(&client->dev, "invalid gpimapsize\n"); - return -EINVAL; - } + error = adp5588_fw_parse(kpad); + if (error) + return error; - for (i = 0; i < pdata->gpimapsize; i++) { - unsigned short pin = pdata->gpimap[i].pin; + vcc = devm_regulator_get(&client->dev, "vcc"); + if (IS_ERR(vcc)) + return PTR_ERR(vcc); - if (pin < GPI_PIN_BASE || pin > GPI_PIN_END) { - dev_err(&client->dev, "invalid gpi pin data\n"); - return -EINVAL; - } + error = regulator_enable(vcc); + if (error) + return error; - if (pin <= GPI_PIN_ROW_END) { - if (pin - GPI_PIN_ROW_BASE + 1 <= pdata->rows) { - dev_err(&client->dev, "invalid gpi row data\n"); - return -EINVAL; - } - } else { - if (pin - GPI_PIN_COL_BASE + 1 <= pdata->cols) { - dev_err(&client->dev, "invalid gpi col data\n"); - return -EINVAL; - } - } - } + error = devm_add_action_or_reset(&client->dev, + adp5588_disable_regulator, vcc); + if (error) + return error; - if (!client->irq) { - dev_err(&client->dev, "no IRQ?\n"); - return -EINVAL; - } + gpio = devm_gpiod_get_optional(&client->dev, "reset", GPIOD_OUT_HIGH); + if (IS_ERR(gpio)) + return PTR_ERR(gpio); - kpad = kzalloc(sizeof(*kpad), GFP_KERNEL); - input = input_allocate_device(); - if (!kpad || !input) { - error = -ENOMEM; - goto err_free_mem; + if (gpio) { + fsleep(30); + gpiod_set_value_cansleep(gpio, 0); + fsleep(60); } - kpad->client = client; - kpad->input = input; - INIT_DELAYED_WORK(&kpad->work, adp5588_work); - ret = adp5588_read(client, DEV_ID); - if (ret < 0) { - error = ret; - goto err_free_mem; - } + if (ret < 0) + return ret; - revid = (u8) ret & ADP5588_DEVICE_ID_MASK; + revid = ret & ADP5588_DEVICE_ID_MASK; if (WA_DELAYED_READOUT_REVID(revid)) - kpad->delay = msecs_to_jiffies(30); + kpad->delay = msecs_to_jiffies(WA_DELAYED_READOUT_TIME); input->name = client->name; input->phys = "adp5588-keys/input0"; - input->dev.parent = &client->dev; input_set_drvdata(input, kpad); @@ -528,112 +790,54 @@ static int adp5588_probe(struct i2c_client *client, input->id.product = 0x0001; input->id.version = revid; - input->keycodesize = sizeof(kpad->keycode[0]); - input->keycodemax = pdata->keymapsize; - input->keycode = kpad->keycode; - - memcpy(kpad->keycode, pdata->keymap, - pdata->keymapsize * input->keycodesize); - - kpad->gpimap = pdata->gpimap; - kpad->gpimapsize = pdata->gpimapsize; - - /* setup input device */ - __set_bit(EV_KEY, input->evbit); - - if (pdata->repeat) - __set_bit(EV_REP, input->evbit); - - for (i = 0; i < input->keycodemax; i++) - if (kpad->keycode[i] <= KEY_MAX) - __set_bit(kpad->keycode[i], input->keybit); - __clear_bit(KEY_RESERVED, input->keybit); - - if (kpad->gpimapsize) - __set_bit(EV_SW, input->evbit); - for (i = 0; i < kpad->gpimapsize; i++) - __set_bit(kpad->gpimap[i].sw_evt, input->swbit); - error = input_register_device(input); if (error) { - dev_err(&client->dev, "unable to register input device\n"); - goto err_free_mem; - } - - error = request_irq(client->irq, adp5588_irq, - IRQF_TRIGGER_FALLING, - client->dev.driver->name, kpad); - if (error) { - dev_err(&client->dev, "irq %d busy?\n", client->irq); - goto err_unreg_dev; + dev_err(&client->dev, "unable to register input device: %d\n", + error); + return error; } - error = adp5588_setup(client); + error = adp5588_setup(kpad); if (error) - goto err_free_irq; - - if (kpad->gpimapsize) - adp5588_report_switch_state(kpad); + return error; error = adp5588_gpio_add(kpad); if (error) - goto err_free_irq; + return error; - device_init_wakeup(&client->dev, 1); - i2c_set_clientdata(client, kpad); + error = devm_request_threaded_irq(&client->dev, client->irq, + adp5588_hard_irq, adp5588_thread_irq, + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + client->dev.driver->name, kpad); + if (error) { + dev_err(&client->dev, "failed to request irq %d: %d\n", + client->irq, error); + return error; + } dev_info(&client->dev, "Rev.%d keypad, irq %d\n", revid, client->irq); return 0; - - err_free_irq: - free_irq(client->irq, kpad); - cancel_delayed_work_sync(&kpad->work); - err_unreg_dev: - input_unregister_device(input); - input = NULL; - err_free_mem: - input_free_device(input); - kfree(kpad); - - return error; } static int adp5588_remove(struct i2c_client *client) { - struct adp5588_kpad *kpad = i2c_get_clientdata(client); - adp5588_write(client, CFG, 0); - free_irq(client->irq, kpad); - cancel_delayed_work_sync(&kpad->work); - input_unregister_device(kpad->input); - adp5588_gpio_remove(kpad); - kfree(kpad); - + /* all resources will be freed by devm */ return 0; } -#ifdef CONFIG_PM static int adp5588_suspend(struct device *dev) { - struct adp5588_kpad *kpad = dev_get_drvdata(dev); - struct i2c_client *client = kpad->client; + struct i2c_client *client = to_i2c_client(dev); disable_irq(client->irq); - cancel_delayed_work_sync(&kpad->work); - - if (device_may_wakeup(&client->dev)) - enable_irq_wake(client->irq); return 0; } static int adp5588_resume(struct device *dev) { - struct adp5588_kpad *kpad = dev_get_drvdata(dev); - struct i2c_client *client = kpad->client; - - if (device_may_wakeup(&client->dev)) - disable_irq_wake(client->irq); + struct i2c_client *client = to_i2c_client(dev); enable_irq(client->irq); @@ -644,7 +848,6 @@ static const struct dev_pm_ops adp5588_dev_pm_ops = { .suspend = adp5588_suspend, .resume = adp5588_resume, }; -#endif static const struct i2c_device_id adp5588_id[] = { { "adp5588-keys", 0 }, @@ -653,12 +856,18 @@ static const struct i2c_device_id adp5588_id[] = { }; MODULE_DEVICE_TABLE(i2c, adp5588_id); +static const struct of_device_id adp5588_of_match[] = { + { .compatible = "adi,adp5588" }, + { .compatible = "adi,adp5587" }, + {} +}; +MODULE_DEVICE_TABLE(of, adp5588_of_match); + static struct i2c_driver adp5588_driver = { .driver = { .name = KBUILD_MODNAME, -#ifdef CONFIG_PM + .of_match_table = adp5588_of_match, .pm = &adp5588_dev_pm_ops, -#endif }, .probe = adp5588_probe, .remove = adp5588_remove, diff --git a/include/linux/platform_data/adp5588.h b/include/linux/platform_data/adp5588.h deleted file mode 100644 index 6d3f7d911a92..000000000000 --- a/include/linux/platform_data/adp5588.h +++ /dev/null @@ -1,171 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-or-later */ -/* - * Analog Devices ADP5588 I/O Expander and QWERTY Keypad Controller - * - * Copyright 2009-2010 Analog Devices Inc. - */ - -#ifndef _ADP5588_H -#define _ADP5588_H - -#define DEV_ID 0x00 /* Device ID */ -#define CFG 0x01 /* Configuration Register1 */ -#define INT_STAT 0x02 /* Interrupt Status Register */ -#define KEY_LCK_EC_STAT 0x03 /* Key Lock and Event Counter Register */ -#define Key_EVENTA 0x04 /* Key Event Register A */ -#define Key_EVENTB 0x05 /* Key Event Register B */ -#define Key_EVENTC 0x06 /* Key Event Register C */ -#define Key_EVENTD 0x07 /* Key Event Register D */ -#define Key_EVENTE 0x08 /* Key Event Register E */ -#define Key_EVENTF 0x09 /* Key Event Register F */ -#define Key_EVENTG 0x0A /* Key Event Register G */ -#define Key_EVENTH 0x0B /* Key Event Register H */ -#define Key_EVENTI 0x0C /* Key Event Register I */ -#define Key_EVENTJ 0x0D /* Key Event Register J */ -#define KP_LCK_TMR 0x0E /* Keypad Lock1 to Lock2 Timer */ -#define UNLOCK1 0x0F /* Unlock Key1 */ -#define UNLOCK2 0x10 /* Unlock Key2 */ -#define GPIO_INT_STAT1 0x11 /* GPIO Interrupt Status */ -#define GPIO_INT_STAT2 0x12 /* GPIO Interrupt Status */ -#define GPIO_INT_STAT3 0x13 /* GPIO Interrupt Status */ -#define GPIO_DAT_STAT1 0x14 /* GPIO Data Status, Read twice to clear */ -#define GPIO_DAT_STAT2 0x15 /* GPIO Data Status, Read twice to clear */ -#define GPIO_DAT_STAT3 0x16 /* GPIO Data Status, Read twice to clear */ -#define GPIO_DAT_OUT1 0x17 /* GPIO DATA OUT */ -#define GPIO_DAT_OUT2 0x18 /* GPIO DATA OUT */ -#define GPIO_DAT_OUT3 0x19 /* GPIO DATA OUT */ -#define GPIO_INT_EN1 0x1A /* GPIO Interrupt Enable */ -#define GPIO_INT_EN2 0x1B /* GPIO Interrupt Enable */ -#define GPIO_INT_EN3 0x1C /* GPIO Interrupt Enable */ -#define KP_GPIO1 0x1D /* Keypad or GPIO Selection */ -#define KP_GPIO2 0x1E /* Keypad or GPIO Selection */ -#define KP_GPIO3 0x1F /* Keypad or GPIO Selection */ -#define GPI_EM1 0x20 /* GPI Event Mode 1 */ -#define GPI_EM2 0x21 /* GPI Event Mode 2 */ -#define GPI_EM3 0x22 /* GPI Event Mode 3 */ -#define GPIO_DIR1 0x23 /* GPIO Data Direction */ -#define GPIO_DIR2 0x24 /* GPIO Data Direction */ -#define GPIO_DIR3 0x25 /* GPIO Data Direction */ -#define GPIO_INT_LVL1 0x26 /* GPIO Edge/Level Detect */ -#define GPIO_INT_LVL2 0x27 /* GPIO Edge/Level Detect */ -#define GPIO_INT_LVL3 0x28 /* GPIO Edge/Level Detect */ -#define Debounce_DIS1 0x29 /* Debounce Disable */ -#define Debounce_DIS2 0x2A /* Debounce Disable */ -#define Debounce_DIS3 0x2B /* Debounce Disable */ -#define GPIO_PULL1 0x2C /* GPIO Pull Disable */ -#define GPIO_PULL2 0x2D /* GPIO Pull Disable */ -#define GPIO_PULL3 0x2E /* GPIO Pull Disable */ -#define CMP_CFG_STAT 0x30 /* Comparator Configuration and Status Register */ -#define CMP_CONFG_SENS1 0x31 /* Sensor1 Comparator Configuration Register */ -#define CMP_CONFG_SENS2 0x32 /* L2 Light Sensor Reference Level, Output Falling for Sensor 1 */ -#define CMP1_LVL2_TRIP 0x33 /* L2 Light Sensor Hysteresis (Active when Output Rising) for Sensor 1 */ -#define CMP1_LVL2_HYS 0x34 /* L3 Light Sensor Reference Level, Output Falling For Sensor 1 */ -#define CMP1_LVL3_TRIP 0x35 /* L3 Light Sensor Hysteresis (Active when Output Rising) For Sensor 1 */ -#define CMP1_LVL3_HYS 0x36 /* Sensor 2 Comparator Configuration Register */ -#define CMP2_LVL2_TRIP 0x37 /* L2 Light Sensor Reference Level, Output Falling for Sensor 2 */ -#define CMP2_LVL2_HYS 0x38 /* L2 Light Sensor Hysteresis (Active when Output Rising) for Sensor 2 */ -#define CMP2_LVL3_TRIP 0x39 /* L3 Light Sensor Reference Level, Output Falling For Sensor 2 */ -#define CMP2_LVL3_HYS 0x3A /* L3 Light Sensor Hysteresis (Active when Output Rising) For Sensor 2 */ -#define CMP1_ADC_DAT_R1 0x3B /* Comparator 1 ADC data Register1 */ -#define CMP1_ADC_DAT_R2 0x3C /* Comparator 1 ADC data Register2 */ -#define CMP2_ADC_DAT_R1 0x3D /* Comparator 2 ADC data Register1 */ -#define CMP2_ADC_DAT_R2 0x3E /* Comparator 2 ADC data Register2 */ - -#define ADP5588_DEVICE_ID_MASK 0xF - - /* Configuration Register1 */ -#define ADP5588_AUTO_INC (1 << 7) -#define ADP5588_GPIEM_CFG (1 << 6) -#define ADP5588_OVR_FLOW_M (1 << 5) -#define ADP5588_INT_CFG (1 << 4) -#define ADP5588_OVR_FLOW_IEN (1 << 3) -#define ADP5588_K_LCK_IM (1 << 2) -#define ADP5588_GPI_IEN (1 << 1) -#define ADP5588_KE_IEN (1 << 0) - -/* Interrupt Status Register */ -#define ADP5588_CMP2_INT (1 << 5) -#define ADP5588_CMP1_INT (1 << 4) -#define ADP5588_OVR_FLOW_INT (1 << 3) -#define ADP5588_K_LCK_INT (1 << 2) -#define ADP5588_GPI_INT (1 << 1) -#define ADP5588_KE_INT (1 << 0) - -/* Key Lock and Event Counter Register */ -#define ADP5588_K_LCK_EN (1 << 6) -#define ADP5588_LCK21 0x30 -#define ADP5588_KEC 0xF - -#define ADP5588_MAXGPIO 18 -#define ADP5588_BANK(offs) ((offs) >> 3) -#define ADP5588_BIT(offs) (1u << ((offs) & 0x7)) - -/* Put one of these structures in i2c_board_info platform_data */ - -#define ADP5588_KEYMAPSIZE 80 - -#define GPI_PIN_ROW0 97 -#define GPI_PIN_ROW1 98 -#define GPI_PIN_ROW2 99 -#define GPI_PIN_ROW3 100 -#define GPI_PIN_ROW4 101 -#define GPI_PIN_ROW5 102 -#define GPI_PIN_ROW6 103 -#define GPI_PIN_ROW7 104 -#define GPI_PIN_COL0 105 -#define GPI_PIN_COL1 106 -#define GPI_PIN_COL2 107 -#define GPI_PIN_COL3 108 -#define GPI_PIN_COL4 109 -#define GPI_PIN_COL5 110 -#define GPI_PIN_COL6 111 -#define GPI_PIN_COL7 112 -#define GPI_PIN_COL8 113 -#define GPI_PIN_COL9 114 - -#define GPI_PIN_ROW_BASE GPI_PIN_ROW0 -#define GPI_PIN_ROW_END GPI_PIN_ROW7 -#define GPI_PIN_COL_BASE GPI_PIN_COL0 -#define GPI_PIN_COL_END GPI_PIN_COL9 - -#define GPI_PIN_BASE GPI_PIN_ROW_BASE -#define GPI_PIN_END GPI_PIN_COL_END - -#define ADP5588_GPIMAPSIZE_MAX (GPI_PIN_END - GPI_PIN_BASE + 1) - -struct adp5588_gpi_map { - unsigned short pin; - unsigned short sw_evt; -}; - -struct adp5588_kpad_platform_data { - int rows; /* Number of rows */ - int cols; /* Number of columns */ - const unsigned short *keymap; /* Pointer to keymap */ - unsigned short keymapsize; /* Keymap size */ - unsigned repeat:1; /* Enable key repeat */ - unsigned en_keylock:1; /* Enable Key Lock feature */ - unsigned short unlock_key1; /* Unlock Key 1 */ - unsigned short unlock_key2; /* Unlock Key 2 */ - const struct adp5588_gpi_map *gpimap; - unsigned short gpimapsize; - const struct adp5588_gpio_platform_data *gpio_data; -}; - -struct i2c_client; /* forward declaration */ - -struct adp5588_gpio_platform_data { - int gpio_start; /* GPIO Chip base # */ - const char *const *names; - unsigned irq_base; /* interrupt base # */ - unsigned pullup_dis_mask; /* Pull-Up Disable Mask */ - int (*setup)(struct i2c_client *client, - unsigned gpio, unsigned ngpio, - void *context); - int (*teardown)(struct i2c_client *client, - unsigned gpio, unsigned ngpio, - void *context); - void *context; -}; - -#endif -- 2.25.1

1 year

1
0
0 0

[PATCH] nvmet: Remove unnecessary check in nvmet_sq_destroy()

by George Rurikov

This fix is mostly cosmetic. Since “ctrl->sqs” is initialized in the same place as “ctrl” (nvmet_alloc_ctrl), in my opinion checking “ctrl->sqs” for 0 in line 814 is redundant. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org Fixes: 64f5e9cdd711 ("nvmet: fix memory leak when removing namespaces and controllers concurrently") Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/nvme/target/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c index ed2424f8a396..d1b287310265 100644 --- a/drivers/nvme/target/core.c +++ b/drivers/nvme/target/core.c @@ -811,7 +811,7 @@ void nvmet_sq_destroy(struct nvmet_sq *sq) * If this is the admin queue, complete all AERs so that our * queue doesn't have outstanding requests on it. */ - if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) + if (ctrl && ctrl->sqs[0] == sq) nvmet_async_events_failall(ctrl); percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq); wait_for_completion(&sq->confirm_done); -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

1 year

1
0
0 0

[PATCH 5.10/5.15/6.1] Bluetooth: btbcm: Handle memory allocation failure in btbcm_get_board_name()

by Aleksandr Mishin

No upstream commit exists for this commit. The issue was introduced with commit 63fac3343b99 ("Bluetooth: btbcm: Support per-board firmware variants"). In btbcm_get_board_name() devm_kstrdup() can return NULL due to memory allocation failure. Add NULL return check to prevent NULL dereference. Upstream branch code has been significantly refactored and can't be backported directly. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 63fac3343b99 ("Bluetooth: btbcm: Support per-board firmware variants") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> --- drivers/bluetooth/btbcm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c index de2ea589aa49..6191fd74ab3d 100644 --- a/drivers/bluetooth/btbcm.c +++ b/drivers/bluetooth/btbcm.c @@ -551,6 +551,8 @@ static const char *btbcm_get_board_name(struct device *dev) /* get rid of any '/' in the compatible string */ len = strlen(tmp) + 1; board_type = devm_kzalloc(dev, len, GFP_KERNEL); + if (!board_type) + return NULL; strscpy(board_type, tmp, len); for (i = 0; i < len; i++) { if (board_type[i] == '/') -- 2.30.2

1 year

1
0
0 0

[PATCH 1/2] net: dsa: RCU-protect dsa_ptr in struct net_device

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> There are multiple races of zeroing dsa_ptr in struct net_device (on shutdown/remove) against asynchronous dereferences all over the net code. Widespread pattern is as follows: CPU0 CPU1 if (netdev_uses_dsa()) dev->dsa_ptr = NULL; dev->dsa_ptr->... One of the possible crashes: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G O 6.1.99+ #1 pc : lan9303_rcv lr : lan9303_rcv Call trace: lan9303_rcv dsa_switch_rcv __netif_receive_skb_list_core netif_receive_skb_list_internal napi_gro_receive fec_enet_rx_napi __napi_poll net_rx_action ... RCU-protect dsa_ptr and use rcu_dereference() or rtnl_dereference() depending on the calling context. Rename netdev_uses_dsa() into __netdev_uses_dsa_currently() (assumes ether RCU or RTNL lock held) and netdev_uses_dsa_currently() variants which better reflect the uselessness of the function's return value, which becomes outdated right after the call. Fixes: ee534378f005 ("net: dsa: fix panic when DSA master device unbinds on shutdown") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- drivers/net/dsa/mt7530.c | 3 +- drivers/net/dsa/ocelot/felix.c | 3 +- drivers/net/dsa/qca/qca8k-8xxx.c | 3 +- drivers/net/ethernet/broadcom/bcmsysport.c | 8 +- drivers/net/ethernet/mediatek/airoha_eth.c | 2 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 22 +++-- drivers/net/ethernet/mediatek/mtk_ppe.c | 15 ++- include/linux/netdevice.h | 2 +- include/net/dsa.h | 36 +++++-- include/net/dsa_stubs.h | 6 +- net/bridge/br_input.c | 2 +- net/core/dev.c | 3 +- net/core/flow_dissector.c | 19 ++-- net/dsa/conduit.c | 66 ++++++++----- net/dsa/dsa.c | 19 ++-- net/dsa/port.c | 3 +- net/dsa/tag.c | 3 +- net/dsa/tag.h | 19 ++-- net/dsa/tag_8021q.c | 10 +- net/dsa/tag_brcm.c | 2 +- net/dsa/tag_dsa.c | 8 +- net/dsa/tag_qca.c | 10 +- net/dsa/tag_sja1105.c | 22 +++-- net/dsa/user.c | 104 +++++++++++--------- net/ethernet/eth.c | 2 +- 25 files changed, 240 insertions(+), 152 deletions(-) diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c index ec18e68bf3a8..82d3f1786156 100644 --- a/drivers/net/dsa/mt7530.c +++ b/drivers/net/dsa/mt7530.c @@ -20,6 +20,7 @@ #include <linux/reset.h> #include <linux/gpio/consumer.h> #include <linux/gpio/driver.h> +#include <linux/rtnetlink.h> #include <net/dsa.h> #include "mt7530.h" @@ -3092,7 +3093,7 @@ mt753x_conduit_state_change(struct dsa_switch *ds, const struct net_device *conduit, bool operational) { - struct dsa_port *cpu_dp = conduit->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(conduit->dsa_ptr); struct mt7530_priv *priv = ds->priv; int val = 0; u8 mask; diff --git a/drivers/net/dsa/ocelot/felix.c b/drivers/net/dsa/ocelot/felix.c index 4a705f7333f4..f6bc0ff0c116 100644 --- a/drivers/net/dsa/ocelot/felix.c +++ b/drivers/net/dsa/ocelot/felix.c @@ -21,6 +21,7 @@ #include <linux/of_net.h> #include <linux/pci.h> #include <linux/of.h> +#include <linux/rtnetlink.h> #include <net/pkt_sched.h> #include <net/dsa.h> #include "felix.h" @@ -57,7 +58,7 @@ static int felix_cpu_port_for_conduit(struct dsa_switch *ds, return lag; } - cpu_dp = conduit->dsa_ptr; + cpu_dp = rtnl_dereference(conduit->dsa_ptr); return cpu_dp->index; } diff --git a/drivers/net/dsa/qca/qca8k-8xxx.c b/drivers/net/dsa/qca/qca8k-8xxx.c index f8d8c70642c4..10b4d7e9be2f 100644 --- a/drivers/net/dsa/qca/qca8k-8xxx.c +++ b/drivers/net/dsa/qca/qca8k-8xxx.c @@ -20,6 +20,7 @@ #include <linux/gpio/consumer.h> #include <linux/etherdevice.h> #include <linux/dsa/tag_qca.h> +#include <linux/rtnetlink.h> #include "qca8k.h" #include "qca8k_leds.h" @@ -1754,7 +1755,7 @@ static void qca8k_conduit_change(struct dsa_switch *ds, const struct net_device *conduit, bool operational) { - struct dsa_port *dp = conduit->dsa_ptr; + struct dsa_port *dp = rtnl_dereference(conduit->dsa_ptr); struct qca8k_priv *priv = ds->priv; /* Ethernet MIB/MDIO is only supported for CPU port 0 */ diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c index c9faa8540859..bd9bc081346d 100644 --- a/drivers/net/ethernet/broadcom/bcmsysport.c +++ b/drivers/net/ethernet/broadcom/bcmsysport.c @@ -145,7 +145,7 @@ static void bcm_sysport_set_rx_csum(struct net_device *dev, * sure we tell the RXCHK hardware to expect a 4-bytes Broadcom * tag after the Ethernet MAC Source Address. */ - if (netdev_uses_dsa(dev)) + if (__netdev_uses_dsa_currently(dev)) reg |= RXCHK_BRCM_TAG_EN; else reg &= ~RXCHK_BRCM_TAG_EN; @@ -173,7 +173,7 @@ static void bcm_sysport_set_tx_csum(struct net_device *dev, * checksum to be computed correctly when using VLAN HW acceleration, * else it has no effect, so it can always be turned on. */ - if (netdev_uses_dsa(dev)) + if (__netdev_uses_dsa_currently(dev)) reg |= tdma_control_bit(priv, SW_BRCM_TAG); else reg &= ~tdma_control_bit(priv, SW_BRCM_TAG); @@ -1950,7 +1950,7 @@ static inline void gib_set_pad_extension(struct bcm_sysport_priv *priv) reg = gib_readl(priv, GIB_CONTROL); /* Include Broadcom tag in pad extension and fix up IPG_LENGTH */ - if (netdev_uses_dsa(priv->netdev)) { + if (__netdev_uses_dsa_currently(priv->netdev)) { reg &= ~(GIB_PAD_EXTENSION_MASK << GIB_PAD_EXTENSION_SHIFT); reg |= ENET_BRCM_TAG_LEN << GIB_PAD_EXTENSION_SHIFT; } @@ -2299,7 +2299,7 @@ static u16 bcm_sysport_select_queue(struct net_device *dev, struct sk_buff *skb, struct bcm_sysport_tx_ring *tx_ring; unsigned int q, port; - if (!netdev_uses_dsa(dev)) + if (!__netdev_uses_dsa_currently(dev)) return netdev_pick_tx(dev, skb, NULL); /* DSA tagging layer will have configured the correct queue */ diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c index 1c5b85a86df1..f7425d393b22 100644 --- a/drivers/net/ethernet/mediatek/airoha_eth.c +++ b/drivers/net/ethernet/mediatek/airoha_eth.c @@ -2255,7 +2255,7 @@ static int airoha_dev_open(struct net_device *dev) if (err) return err; - if (netdev_uses_dsa(dev)) + if (__netdev_uses_dsa_currently(dev)) airoha_fe_set(eth, REG_GDM_INGRESS_CFG(port->id), GDM_STAG_EN_MASK); else diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c index 16ca427cf4c3..82a828349323 100644 --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c @@ -24,6 +24,7 @@ #include <linux/pcs/pcs-mtk-lynxi.h> #include <linux/jhash.h> #include <linux/bitfield.h> +#include <linux/rcupdate.h> #include <net/dsa.h> #include <net/dst_metadata.h> #include <net/page_pool/helpers.h> @@ -1375,7 +1376,8 @@ static void mtk_tx_set_dma_desc_v2(struct net_device *dev, void *txd, /* tx checksum offload */ if (info->csum) data |= TX_DMA_CHKSUM_V2; - if (mtk_is_netsys_v3_or_greater(eth) && netdev_uses_dsa(dev)) + if (mtk_is_netsys_v3_or_greater(eth) && + __netdev_uses_dsa_currently(dev)) data |= TX_DMA_SPTAG_V3; } WRITE_ONCE(desc->txd5, data); @@ -2183,7 +2185,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, * hardware treats the MTK special tag as a VLAN and untags it. */ if (mtk_is_netsys_v1(eth) && (trxd.rxd2 & RX_DMA_VTAG) && - netdev_uses_dsa(netdev)) { + __netdev_uses_dsa_currently(netdev)) { unsigned int port = RX_DMA_VPID(trxd.rxd3) & GENMASK(2, 0); if (port < ARRAY_SIZE(eth->dsa_meta) && @@ -3304,7 +3306,7 @@ static void mtk_gdm_config(struct mtk_eth *eth, u32 id, u32 config) val |= config; - if (eth->netdev[id] && netdev_uses_dsa(eth->netdev[id])) + if (eth->netdev[id] && __netdev_uses_dsa_currently(eth->netdev[id])) val |= MTK_GDMA_SPECIAL_TAG; mtk_w32(eth, val, MTK_GDMA_FWD_CFG(id)); @@ -3313,12 +3315,16 @@ static void mtk_gdm_config(struct mtk_eth *eth, u32 id, u32 config) static bool mtk_uses_dsa(struct net_device *dev) { + bool ret = false; #if IS_ENABLED(CONFIG_NET_DSA) - return netdev_uses_dsa(dev) && - dev->dsa_ptr->tag_ops->proto == DSA_TAG_PROTO_MTK; -#else - return false; + struct dsa_port *dp; + + rcu_read_lock(); + dp = rcu_dereference(dev->dsa_ptr); + ret = dp && dp->tag_ops->proto == DSA_TAG_PROTO_MTK; + rcu_read_unlock(); #endif + return ret; } static int mtk_device_event(struct notifier_block *n, unsigned long event, void *ptr) @@ -4482,7 +4488,7 @@ static u16 mtk_select_queue(struct net_device *dev, struct sk_buff *skb, struct mtk_mac *mac = netdev_priv(dev); unsigned int queue = 0; - if (netdev_uses_dsa(dev)) + if (__netdev_uses_dsa_currently(dev)) queue = skb_get_queue_mapping(skb) + 3; else queue = mac->id; diff --git a/drivers/net/ethernet/mediatek/mtk_ppe.c b/drivers/net/ethernet/mediatek/mtk_ppe.c index 0acee405a749..0c78ec90d855 100644 --- a/drivers/net/ethernet/mediatek/mtk_ppe.c +++ b/drivers/net/ethernet/mediatek/mtk_ppe.c @@ -8,6 +8,7 @@ #include <linux/platform_device.h> #include <linux/if_ether.h> #include <linux/if_vlan.h> +#include <linux/rcupdate.h> #include <net/dst_metadata.h> #include <net/dsa.h> #include "mtk_eth_soc.h" @@ -785,9 +786,17 @@ void __mtk_ppe_check_skb(struct mtk_ppe *ppe, struct sk_buff *skb, u16 hash) switch (skb->protocol) { #if IS_ENABLED(CONFIG_NET_DSA) case htons(ETH_P_XDSA): - if (!netdev_uses_dsa(skb->dev) || - skb->dev->dsa_ptr->tag_ops->proto != DSA_TAG_PROTO_MTK) - goto out; + { + struct dsa_port *dp; + bool proto_mtk; + + rcu_read_lock(); + dp = rcu_dereference(skb->dev->dsa_ptr); + proto_mtk = dp && dp->tag_ops->proto == DSA_TAG_PROTO_MTK; + rcu_read_unlock(); + if (!proto_mtk) + goto out; + } if (!skb_metadata_dst(skb)) tag += 4; diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 607009150b5f..e645c7eabd42 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -2229,7 +2229,7 @@ struct net_device { struct vlan_info __rcu *vlan_info; #endif #if IS_ENABLED(CONFIG_NET_DSA) - struct dsa_port *dsa_ptr; + struct dsa_port __rcu *dsa_ptr; #endif #if IS_ENABLED(CONFIG_TIPC) struct tipc_bearer __rcu *tipc_ptr; diff --git a/include/net/dsa.h b/include/net/dsa.h index d7a6c2930277..ab2777611e71 100644 --- a/include/net/dsa.h +++ b/include/net/dsa.h @@ -19,6 +19,7 @@ #include <linux/phy.h> #include <linux/platform_data/dsa.h> #include <linux/phylink.h> +#include <linux/rcupdate.h> #include <net/devlink.h> #include <net/switchdev.h> @@ -92,8 +93,9 @@ struct dsa_switch; struct dsa_device_ops { struct sk_buff *(*xmit)(struct sk_buff *skb, struct net_device *dev); struct sk_buff *(*rcv)(struct sk_buff *skb, struct net_device *dev); - void (*flow_dissect)(const struct sk_buff *skb, __be16 *proto, - int *offset); + void (*flow_dissect)(const struct sk_buff *skb, + const struct dsa_port *dp, + __be16 *proto, int *offset); int (*connect)(struct dsa_switch *ds); void (*disconnect)(struct dsa_switch *ds); unsigned int needed_headroom; @@ -1334,14 +1336,29 @@ bool dsa_mdb_present_in_other_db(struct dsa_switch *ds, int port, struct dsa_db db); /* Keep inline for faster access in hot path */ -static inline bool netdev_uses_dsa(const struct net_device *dev) + +/* Must be called under RCU or RTNL lock */ +static inline bool __netdev_uses_dsa_currently(const struct net_device *dev) { #if IS_ENABLED(CONFIG_NET_DSA) - return dev->dsa_ptr && dev->dsa_ptr->rcv; + struct dsa_port *dp = rcu_dereference_rtnl(dev->dsa_ptr); + + return dp && dp->rcv; #endif return false; } +static inline bool netdev_uses_dsa_currently(const struct net_device *dev) +{ + bool ret = false; +#if IS_ENABLED(CONFIG_NET_DSA) + rcu_read_lock(); + ret = __netdev_uses_dsa_currently(dev); + rcu_read_unlock(); +#endif + return ret; +} + /* All DSA tags that push the EtherType to the right (basically all except tail * tags, which don't break dissection) can be treated the same from the * perspective of the flow dissector. @@ -1355,17 +1372,20 @@ static inline bool netdev_uses_dsa(const struct net_device *dev) * that, in __be16 shorts). * * - proto: the value of the real EtherType. + * + * Must be called under RCU read lock (because of dp). */ static inline void dsa_tag_generic_flow_dissect(const struct sk_buff *skb, + const struct dsa_port *dp, __be16 *proto, int *offset) { -#if IS_ENABLED(CONFIG_NET_DSA) - const struct dsa_device_ops *ops = skb->dev->dsa_ptr->tag_ops; - int tag_len = ops->needed_headroom; + int tag_len; + RCU_LOCKDEP_WARN(!rcu_read_lock_any_held(), "no rcu lock held"); + + tag_len = dp->tag_ops->needed_headroom; *offset = tag_len; *proto = ((__be16 *)skb->data)[(tag_len / 2) - 1]; -#endif } void dsa_unregister_switch(struct dsa_switch *ds); diff --git a/include/net/dsa_stubs.h b/include/net/dsa_stubs.h index 6f384897f287..ca899305ba36 100644 --- a/include/net/dsa_stubs.h +++ b/include/net/dsa_stubs.h @@ -22,9 +22,6 @@ static inline int dsa_conduit_hwtstamp_validate(struct net_device *dev, const struct kernel_hwtstamp_config *config, struct netlink_ext_ack *extack) { - if (!netdev_uses_dsa(dev)) - return 0; - /* rtnl_lock() is a sufficient guarantee, because as long as * netdev_uses_dsa() returns true, the dsa_core module is still * registered, and so, dsa_unregister_stubs() couldn't have run. @@ -33,6 +30,9 @@ static inline int dsa_conduit_hwtstamp_validate(struct net_device *dev, */ ASSERT_RTNL(); + if (!__netdev_uses_dsa_currently(dev)) + return 0; + return dsa_stubs->conduit_hwtstamp_validate(dev, config, extack); } diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index ceaa5a89b947..542cfc5678df 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -443,7 +443,7 @@ static rx_handler_result_t br_handle_frame_dummy(struct sk_buff **pskb) rx_handler_func_t *br_get_rx_handler(const struct net_device *dev) { - if (netdev_uses_dsa(dev)) + if (__netdev_uses_dsa_currently(dev)) return br_handle_frame_dummy; return br_handle_frame; diff --git a/net/core/dev.c b/net/core/dev.c index f66e61407883..9ae1c097cbad 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -5568,7 +5568,8 @@ static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc, } } - if (unlikely(skb_vlan_tag_present(skb)) && !netdev_uses_dsa(skb->dev)) { + if (unlikely(skb_vlan_tag_present(skb)) && + !__netdev_uses_dsa_currently(skb->dev)) { check_vlan_id: if (skb_vlan_tag_get_id(skb)) { /* Vlan id is non 0 and vlan_do_receive() above couldn't diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index 0e638a37aa09..e1523c609bb7 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c @@ -1071,25 +1071,30 @@ bool __skb_flow_dissect(const struct net *net, nhoff = skb_network_offset(skb); hlen = skb_headlen(skb); #if IS_ENABLED(CONFIG_NET_DSA) - if (unlikely(skb->dev && netdev_uses_dsa(skb->dev) && - proto == htons(ETH_P_XDSA))) { + if (unlikely(skb->dev && proto == htons(ETH_P_XDSA))) { struct metadata_dst *md_dst = skb_metadata_dst(skb); - const struct dsa_device_ops *ops; + struct dsa_port *dp; int offset = 0; - ops = skb->dev->dsa_ptr->tag_ops; + rcu_read_lock(); + + dp = rcu_dereference(skb->dev->dsa_ptr); /* Only DSA header taggers break flow dissection */ - if (ops->needed_headroom && + if (dp && dp->tag_ops->needed_headroom && (!md_dst || md_dst->type != METADATA_HW_PORT_MUX)) { - if (ops->flow_dissect) - ops->flow_dissect(skb, &proto, &offset); + if (dp->tag_ops->flow_dissect) + dp->tag_ops->flow_dissect(skb, dp, + &proto, &offset); else dsa_tag_generic_flow_dissect(skb, + dp, &proto, &offset); hlen -= offset; nhoff += offset; } + + rcu_read_unlock(); } #endif } diff --git a/net/dsa/conduit.c b/net/dsa/conduit.c index 3dfdb3cb47dc..967770cdf88f 100644 --- a/net/dsa/conduit.c +++ b/net/dsa/conduit.c @@ -9,6 +9,7 @@ #include <linux/ethtool.h> #include <linux/netdevice.h> #include <linux/netlink.h> +#include <linux/rcupdate.h> #include <net/dsa.h> #include "conduit.h" @@ -18,7 +19,7 @@ static int dsa_conduit_get_regs_len(struct net_device *dev) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops; struct dsa_switch *ds = cpu_dp->ds; int port = cpu_dp->index; @@ -48,7 +49,7 @@ static int dsa_conduit_get_regs_len(struct net_device *dev) static void dsa_conduit_get_regs(struct net_device *dev, struct ethtool_regs *regs, void *data) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops; struct dsa_switch *ds = cpu_dp->ds; struct ethtool_drvinfo *cpu_info; @@ -84,7 +85,7 @@ static void dsa_conduit_get_ethtool_stats(struct net_device *dev, struct ethtool_stats *stats, uint64_t *data) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops; struct dsa_switch *ds = cpu_dp->ds; int port = cpu_dp->index; @@ -103,7 +104,7 @@ static void dsa_conduit_get_ethtool_phy_stats(struct net_device *dev, struct ethtool_stats *stats, uint64_t *data) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops; struct dsa_switch *ds = cpu_dp->ds; int port = cpu_dp->index; @@ -127,7 +128,7 @@ static void dsa_conduit_get_ethtool_phy_stats(struct net_device *dev, static int dsa_conduit_get_sset_count(struct net_device *dev, int sset) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops; struct dsa_switch *ds = cpu_dp->ds; int count = 0; @@ -150,7 +151,7 @@ static int dsa_conduit_get_sset_count(struct net_device *dev, int sset) static void dsa_conduit_get_strings(struct net_device *dev, uint32_t stringset, uint8_t *data) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops; struct dsa_switch *ds = cpu_dp->ds; int port = cpu_dp->index; @@ -202,7 +203,7 @@ int __dsa_conduit_hwtstamp_validate(struct net_device *dev, const struct kernel_hwtstamp_config *config, struct netlink_ext_ack *extack) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); struct dsa_switch *ds = cpu_dp->ds; struct dsa_switch_tree *dst; struct dsa_port *dp; @@ -222,7 +223,7 @@ int __dsa_conduit_hwtstamp_validate(struct net_device *dev, static int dsa_conduit_ethtool_setup(struct net_device *dev) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); struct dsa_switch *ds = cpu_dp->ds; struct ethtool_ops *ops; @@ -251,7 +252,7 @@ static int dsa_conduit_ethtool_setup(struct net_device *dev) static void dsa_conduit_ethtool_teardown(struct net_device *dev) { - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); if (netif_is_lag_master(dev)) return; @@ -267,13 +268,14 @@ static void dsa_conduit_ethtool_teardown(struct net_device *dev) */ static void dsa_conduit_set_promiscuity(struct net_device *dev, int inc) { - const struct dsa_device_ops *ops = dev->dsa_ptr->tag_ops; + const struct dsa_device_ops *ops; + + ASSERT_RTNL(); + ops = rtnl_dereference(dev->dsa_ptr)->tag_ops; if ((dev->priv_flags & IFF_UNICAST_FLT) && !ops->promisc_on_conduit) return; - ASSERT_RTNL(); - dev_set_promiscuity(dev, inc); } @@ -281,10 +283,17 @@ static ssize_t tagging_show(struct device *d, struct device_attribute *attr, char *buf) { struct net_device *dev = to_net_dev(d); - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp; + int ret = 0; + + rcu_read_lock(); + cpu_dp = rcu_dereference(dev->dsa_ptr); + if (cpu_dp) + ret = sysfs_emit(buf, "%s\n", + dsa_tag_protocol_to_str(cpu_dp->tag_ops)); + rcu_read_unlock(); - return sysfs_emit(buf, "%s\n", - dsa_tag_protocol_to_str(cpu_dp->tag_ops)); + return ret; } static ssize_t tagging_store(struct device *d, struct device_attribute *attr, @@ -293,7 +302,7 @@ static ssize_t tagging_store(struct device *d, struct device_attribute *attr, const struct dsa_device_ops *new_tag_ops, *old_tag_ops; const char *end = strchrnul(buf, '\n'), *name; struct net_device *dev = to_net_dev(d); - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp; size_t len = end - buf; int err; @@ -305,13 +314,17 @@ static ssize_t tagging_store(struct device *d, struct device_attribute *attr, if (!name) return -ENOMEM; - old_tag_ops = cpu_dp->tag_ops; new_tag_ops = dsa_tag_driver_get_by_name(name); kfree(name); /* Bad tagger name? */ if (IS_ERR(new_tag_ops)) return PTR_ERR(new_tag_ops); + if (!rtnl_trylock()) + return restart_syscall(); + + cpu_dp = rtnl_dereference(dev->dsa_ptr); + old_tag_ops = cpu_dp->tag_ops; if (new_tag_ops == old_tag_ops) /* Drop the temporarily held duplicate reference, since * the DSA switch tree uses this tagger. @@ -321,6 +334,7 @@ static ssize_t tagging_store(struct device *d, struct device_attribute *attr, err = dsa_tree_change_tag_proto(cpu_dp->ds->dst, new_tag_ops, old_tag_ops); if (err) { + rtnl_unlock(); /* On failure the old tagger is restored, so we don't need the * driver for the new one. */ @@ -331,6 +345,7 @@ static ssize_t tagging_store(struct device *d, struct device_attribute *attr, /* On success we no longer need the module for the old tagging protocol */ out: + rtnl_unlock(); dsa_tag_driver_put(old_tag_ops); return count; } @@ -384,13 +399,11 @@ int dsa_conduit_setup(struct net_device *dev, struct dsa_port *cpu_dp) netdev_warn(dev, "error %d setting MTU to %d to include DSA overhead\n", ret, mtu); - /* If we use a tagging format that doesn't have an ethertype - * field, make sure that all packets from this point on get - * sent to the tag format's receive function. + rcu_assign_pointer(dev->dsa_ptr, cpu_dp); + /* + * No need to synchronize_rcu() here because dsa_ptr in not going away + * before it will be zeroed */ - wmb(); - - dev->dsa_ptr = cpu_dp; dsa_conduit_set_promiscuity(dev, 1); @@ -418,13 +431,12 @@ void dsa_conduit_teardown(struct net_device *dev) dsa_conduit_reset_mtu(dev); dsa_conduit_set_promiscuity(dev, -1); - dev->dsa_ptr = NULL; - /* If we used a tagging format that doesn't have an ethertype * field, make sure that all packets from this point get sent * without the tag and go through the regular receive path. */ - wmb(); + rcu_assign_pointer(dev->dsa_ptr, NULL); + synchronize_rcu(); } int dsa_conduit_lag_setup(struct net_device *lag_dev, struct dsa_port *cpu_dp, @@ -434,7 +446,7 @@ int dsa_conduit_lag_setup(struct net_device *lag_dev, struct dsa_port *cpu_dp, bool conduit_setup = false; int err; - if (!netdev_uses_dsa(lag_dev)) { + if (!__netdev_uses_dsa_currently(lag_dev)) { err = dsa_conduit_setup(lag_dev, cpu_dp); if (err) return err; diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c index 668c729946ea..36b9ebddc8b8 100644 --- a/net/dsa/dsa.c +++ b/net/dsa/dsa.c @@ -976,6 +976,8 @@ static int dsa_tree_bind_tag_proto(struct dsa_switch_tree *dst, /* Since the dsa/tagging sysfs device attribute is per conduit, the assumption * is that all DSA switches within a tree share the same tagger, otherwise * they would have formed disjoint trees (different "dsa,member" values). + * + * Must be called with RTNL lock held. */ int dsa_tree_change_tag_proto(struct dsa_switch_tree *dst, const struct dsa_device_ops *tag_ops, @@ -985,8 +987,7 @@ int dsa_tree_change_tag_proto(struct dsa_switch_tree *dst, struct dsa_port *dp; int err = -EBUSY; - if (!rtnl_trylock()) - return restart_syscall(); + ASSERT_RTNL(); /* At the moment we don't allow changing the tag protocol under * traffic. The rtnl_mutex also happens to serialize concurrent @@ -1011,15 +1012,12 @@ int dsa_tree_change_tag_proto(struct dsa_switch_tree *dst, if (err) goto out_unwind_tagger; - rtnl_unlock(); - return 0; out_unwind_tagger: info.tag_ops = old_tag_ops; dsa_tree_notify(dst, DSA_NOTIFIER_TAG_PROTO, &info); out_unlock: - rtnl_unlock(); return err; } @@ -1027,7 +1025,7 @@ static void dsa_tree_conduit_state_change(struct dsa_switch_tree *dst, struct net_device *conduit) { struct dsa_notifier_conduit_state_info info; - struct dsa_port *cpu_dp = conduit->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(conduit->dsa_ptr); info.conduit = conduit; info.operational = dsa_port_conduit_is_operational(cpu_dp); @@ -1039,7 +1037,7 @@ void dsa_tree_conduit_admin_state_change(struct dsa_switch_tree *dst, struct net_device *conduit, bool up) { - struct dsa_port *cpu_dp = conduit->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(conduit->dsa_ptr); bool notify = false; /* Don't keep track of admin state on LAG DSA conduits, @@ -1062,7 +1060,7 @@ void dsa_tree_conduit_oper_state_change(struct dsa_switch_tree *dst, struct net_device *conduit, bool up) { - struct dsa_port *cpu_dp = conduit->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(conduit->dsa_ptr); bool notify = false; /* Don't keep track of oper state on LAG DSA conduits, @@ -1594,10 +1592,11 @@ void dsa_switch_shutdown(struct dsa_switch *ds) } /* Disconnect from further netdevice notifiers on the conduit, - * since netdev_uses_dsa() will now return false. + * from now on, netdev_uses_dsa_currently() will return false. */ dsa_switch_for_each_cpu_port(dp, ds) - dp->conduit->dsa_ptr = NULL; + rcu_assign_pointer(dp->conduit->dsa_ptr, NULL); + synchronize_rcu(); rtnl_unlock(); out: diff --git a/net/dsa/port.c b/net/dsa/port.c index 25258b33e59e..6220c520d776 100644 --- a/net/dsa/port.c +++ b/net/dsa/port.c @@ -11,6 +11,7 @@ #include <linux/notifier.h> #include <linux/of_mdio.h> #include <linux/of_net.h> +#include <linux/rtnetlink.h> #include "dsa.h" #include "port.h" @@ -1414,7 +1415,7 @@ static int dsa_port_assign_conduit(struct dsa_port *dp, if (err && fail_on_err) return err; - dp->cpu_dp = conduit->dsa_ptr; + dp->cpu_dp = rtnl_dereference(conduit->dsa_ptr); dp->cpu_port_in_lag = netif_is_lag_master(conduit); return 0; diff --git a/net/dsa/tag.c b/net/dsa/tag.c index 79ad105902d9..ba662adecc14 100644 --- a/net/dsa/tag.c +++ b/net/dsa/tag.c @@ -10,6 +10,7 @@ #include <linux/netdevice.h> #include <linux/ptp_classify.h> #include <linux/skbuff.h> +#include <linux/rcupdate.h> #include <net/dsa.h> #include <net/dst_metadata.h> @@ -55,7 +56,7 @@ static int dsa_switch_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *unused) { struct metadata_dst *md_dst = skb_metadata_dst(skb); - struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_port *cpu_dp = rcu_dereference(dev->dsa_ptr); struct sk_buff *nskb = NULL; struct dsa_user_priv *p; diff --git a/net/dsa/tag.h b/net/dsa/tag.h index d5707870906b..dbb2217d4344 100644 --- a/net/dsa/tag.h +++ b/net/dsa/tag.h @@ -5,6 +5,7 @@ #include <linux/if_vlan.h> #include <linux/list.h> +#include <linux/rcupdate.h> #include <linux/types.h> #include <net/dsa.h> @@ -32,11 +33,14 @@ static inline int dsa_tag_protocol_overhead(const struct dsa_device_ops *ops) static inline struct net_device *dsa_conduit_find_user(struct net_device *dev, int device, int port) { - struct dsa_port *cpu_dp = dev->dsa_ptr; - struct dsa_switch_tree *dst = cpu_dp->dst; + struct dsa_port *cpu_dp; struct dsa_port *dp; - list_for_each_entry(dp, &dst->ports, list) + cpu_dp = rcu_dereference(dev->dsa_ptr); + if (!cpu_dp) + return NULL; + + list_for_each_entry(dp, &cpu_dp->dst->ports, list) if (dp->ds->index == device && dp->index == port && dp->type == DSA_PORT_TYPE_USER) return dp->user; @@ -184,14 +188,17 @@ static inline struct sk_buff *dsa_software_vlan_untag(struct sk_buff *skb) static inline struct net_device * dsa_find_designated_bridge_port_by_vid(struct net_device *conduit, u16 vid) { - struct dsa_port *cpu_dp = conduit->dsa_ptr; - struct dsa_switch_tree *dst = cpu_dp->dst; + struct dsa_port *cpu_dp; struct bridge_vlan_info vinfo; struct net_device *user; struct dsa_port *dp; int err; - list_for_each_entry(dp, &dst->ports, list) { + cpu_dp = rcu_dereference(conduit->dsa_ptr); + if (!cpu_dp) + return NULL; + + list_for_each_entry(dp, &cpu_dp->dst->ports, list) { if (dp->type != DSA_PORT_TYPE_USER) continue; diff --git a/net/dsa/tag_8021q.c b/net/dsa/tag_8021q.c index 3ee53e28ec2e..c9fb4fd2a4cf 100644 --- a/net/dsa/tag_8021q.c +++ b/net/dsa/tag_8021q.c @@ -5,6 +5,7 @@ * primitives for taggers that rely on 802.1Q VLAN tags to use. */ #include <linux/if_vlan.h> +#include <linux/rcupdate.h> #include <linux/dsa/8021q.h> #include "port.h" @@ -474,14 +475,17 @@ EXPORT_SYMBOL_GPL(dsa_8021q_xmit); static struct net_device * dsa_tag_8021q_find_port_by_vbid(struct net_device *conduit, int vbid) { - struct dsa_port *cpu_dp = conduit->dsa_ptr; - struct dsa_switch_tree *dst = cpu_dp->dst; + struct dsa_port *cpu_dp; struct dsa_port *dp; if (WARN_ON(!vbid)) return NULL; - dsa_tree_for_each_user_port(dp, dst) { + cpu_dp = rcu_dereference(conduit->dsa_ptr); + if (!cpu_dp) + return NULL; + + dsa_tree_for_each_user_port(dp, cpu_dp->dst) { if (!dp->bridge) continue; diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c index 8c3c068728e5..c87f16cd959f 100644 --- a/net/dsa/tag_brcm.c +++ b/net/dsa/tag_brcm.c @@ -269,7 +269,7 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, return NULL; /* VLAN tag is added by BCM63xx internal switch */ - if (netdev_uses_dsa(skb->dev)) + if (__netdev_uses_dsa_currently(skb->dev)) len += VLAN_HLEN; /* Remove Broadcom tag and update checksum */ diff --git a/net/dsa/tag_dsa.c b/net/dsa/tag_dsa.c index 2a2c4fb61a65..7f5dc8d384c9 100644 --- a/net/dsa/tag_dsa.c +++ b/net/dsa/tag_dsa.c @@ -48,6 +48,7 @@ #include <linux/dsa/mv88e6xxx.h> #include <linux/etherdevice.h> #include <linux/list.h> +#include <linux/rcupdate.h> #include <linux/slab.h> #include "tag.h" @@ -257,14 +258,15 @@ static struct sk_buff *dsa_rcv_ll(struct sk_buff *skb, struct net_device *dev, source_port = (dsa_header[1] >> 3) & 0x1f; if (trunk) { - struct dsa_port *cpu_dp = dev->dsa_ptr; - struct dsa_lag *lag; + struct dsa_port *cpu_dp = rcu_dereference(dev->dsa_ptr); + struct dsa_lag *lag = NULL; /* The exact source port is not available in the tag, * so we inject the frame directly on the upper * team/bond. */ - lag = dsa_lag_by_id(cpu_dp->dst, source_port + 1); + if (cpu_dp) + lag = dsa_lag_by_id(cpu_dp->dst, source_port + 1); skb->dev = lag ? lag->dev : NULL; } else { skb->dev = dsa_conduit_find_user(dev, source_device, diff --git a/net/dsa/tag_qca.c b/net/dsa/tag_qca.c index 0cf61286b426..dbc1f659ed07 100644 --- a/net/dsa/tag_qca.c +++ b/net/dsa/tag_qca.c @@ -5,6 +5,7 @@ #include <linux/etherdevice.h> #include <linux/bitfield.h> +#include <linux/rcupdate.h> #include <net/dsa.h> #include <linux/dsa/tag_qca.h> @@ -36,8 +37,8 @@ static struct sk_buff *qca_tag_xmit(struct sk_buff *skb, struct net_device *dev) static struct sk_buff *qca_tag_rcv(struct sk_buff *skb, struct net_device *dev) { struct qca_tagger_data *tagger_data; - struct dsa_port *dp = dev->dsa_ptr; - struct dsa_switch *ds = dp->ds; + struct dsa_port *dp; + struct dsa_switch *ds; u8 ver, pk_type; __be16 *phdr; int port; @@ -45,6 +46,11 @@ static struct sk_buff *qca_tag_rcv(struct sk_buff *skb, struct net_device *dev) BUILD_BUG_ON(sizeof(struct qca_mgmt_ethhdr) != QCA_HDR_MGMT_HEADER_LEN + QCA_HDR_LEN); + dp = rcu_dereference(dev->dsa_ptr); + if (!dp) + return NULL; + ds = dp->ds; + tagger_data = ds->tagger_data; if (unlikely(!pskb_may_pull(skb, QCA_HDR_LEN))) diff --git a/net/dsa/tag_sja1105.c b/net/dsa/tag_sja1105.c index 3e902af7eea6..0746a7d34178 100644 --- a/net/dsa/tag_sja1105.c +++ b/net/dsa/tag_sja1105.c @@ -5,6 +5,7 @@ #include <linux/dsa/sja1105.h> #include <linux/dsa/8021q.h> #include <linux/packing.h> +#include <linux/rcupdate.h> #include "tag.h" #include "tag_8021q.h" @@ -530,12 +531,13 @@ static struct sk_buff *sja1110_rcv_meta(struct sk_buff *skb, u16 rx_header) int n_ts = SJA1110_RX_HEADER_N_TS(rx_header); struct sja1105_tagger_data *tagger_data; struct net_device *conduit = skb->dev; + struct dsa_switch *ds = NULL; struct dsa_port *cpu_dp; - struct dsa_switch *ds; int i; - cpu_dp = conduit->dsa_ptr; - ds = dsa_switch_find(cpu_dp->dst->index, switch_id); + cpu_dp = rcu_dereference(conduit->dsa_ptr); + if (cpu_dp) + ds = dsa_switch_find(cpu_dp->dst->index, switch_id); if (!ds) { net_err_ratelimited("%s: cannot find switch id %d\n", conduit->name, switch_id); @@ -662,24 +664,26 @@ static struct sk_buff *sja1110_rcv(struct sk_buff *skb, return skb; } -static void sja1105_flow_dissect(const struct sk_buff *skb, __be16 *proto, - int *offset) +static void sja1105_flow_dissect(const struct sk_buff *skb, + const struct dsa_port *dp, + __be16 *proto, int *offset) { /* No tag added for management frames, all ok */ if (unlikely(sja1105_is_link_local(skb))) return; - dsa_tag_generic_flow_dissect(skb, proto, offset); + dsa_tag_generic_flow_dissect(skb, dp, proto, offset); } -static void sja1110_flow_dissect(const struct sk_buff *skb, __be16 *proto, - int *offset) +static void sja1110_flow_dissect(const struct sk_buff *skb, + const struct dsa_port *dp, + __be16 *proto, int *offset) { /* Management frames have 2 DSA tags on RX, so the needed_headroom we * declared is fine for the generic dissector adjustment procedure. */ if (unlikely(sja1105_is_link_local(skb))) - return dsa_tag_generic_flow_dissect(skb, proto, offset); + return dsa_tag_generic_flow_dissect(skb, dp, proto, offset); /* For the rest, there is a single DSA tag, the tag_8021q one */ *offset = VLAN_HLEN; diff --git a/net/dsa/user.c b/net/dsa/user.c index f5adfa1d978a..2afd21e34772 100644 --- a/net/dsa/user.c +++ b/net/dsa/user.c @@ -21,6 +21,7 @@ #include <linux/if_hsr.h> #include <net/dcbnl.h> #include <linux/netpoll.h> +#include <linux/rcupdate.h> #include <linux/string.h> #include "conduit.h" @@ -2839,7 +2840,7 @@ int dsa_user_change_conduit(struct net_device *dev, struct net_device *conduit, return -EOPNOTSUPP; } - if (!netdev_uses_dsa(conduit)) { + if (!__netdev_uses_dsa_currently(conduit)) { NL_SET_ERR_MSG_MOD(extack, "Interface not eligible as DSA conduit"); return -EOPNOTSUPP; @@ -3141,8 +3142,8 @@ static int dsa_lag_conduit_validate(struct net_device *lag_dev, netdev_for_each_lower_dev(lag_dev, lower1, iter1) { netdev_for_each_lower_dev(lag_dev, lower2, iter2) { - if (!netdev_uses_dsa(lower1) || - !netdev_uses_dsa(lower2)) { + if (!__netdev_uses_dsa_currently(lower1) || + !__netdev_uses_dsa_currently(lower2)) { NL_SET_ERR_MSG_MOD(extack, "All LAG ports must be eligible as DSA conduits"); return notifier_from_errno(-EINVAL); @@ -3151,8 +3152,8 @@ static int dsa_lag_conduit_validate(struct net_device *lag_dev, if (lower1 == lower2) continue; - if (!dsa_port_tree_same(lower1->dsa_ptr, - lower2->dsa_ptr)) { + if (!dsa_port_tree_same(rtnl_dereference(lower1->dsa_ptr), + rtnl_dereference(lower2->dsa_ptr))) { NL_SET_ERR_MSG_MOD(extack, "LAG contains DSA conduits of disjoint switch trees"); return notifier_from_errno(-EINVAL); @@ -3169,7 +3170,7 @@ dsa_conduit_prechangeupper_sanity_check(struct net_device *conduit, { struct netlink_ext_ack *extack = netdev_notifier_info_to_extack(&info->info); - if (!netdev_uses_dsa(conduit)) + if (!__netdev_uses_dsa_currently(conduit)) return NOTIFY_DONE; if (!info->linking) @@ -3205,20 +3206,22 @@ dsa_lag_conduit_prechangelower_sanity_check(struct net_device *dev, struct net_device *lower; struct list_head *iter; - if (!netdev_uses_dsa(lag_dev) || !netif_is_lag_master(lag_dev)) + if (!__netdev_uses_dsa_currently(lag_dev) || + !netif_is_lag_master(lag_dev)) return NOTIFY_DONE; if (!info->linking) return NOTIFY_DONE; - if (!netdev_uses_dsa(dev)) { + if (!__netdev_uses_dsa_currently(dev)) { NL_SET_ERR_MSG(extack, "Only DSA conduits can join a LAG DSA conduit"); return notifier_from_errno(-EINVAL); } netdev_for_each_lower_dev(lag_dev, lower, iter) { - if (!dsa_port_tree_same(dev->dsa_ptr, lower->dsa_ptr)) { + if (!dsa_port_tree_same(rtnl_dereference(dev->dsa_ptr), + rtnl_dereference(lower->dsa_ptr))) { NL_SET_ERR_MSG(extack, "Interface is DSA conduit for a different switch tree than this LAG"); return notifier_from_errno(-EINVAL); @@ -3257,7 +3260,8 @@ dsa_bridge_prechangelower_sanity_check(struct net_device *new_lower, extack = netdev_notifier_info_to_extack(&info->info); netdev_for_each_lower_dev(br, lower, iter) { - if (!netdev_uses_dsa(new_lower) && !netdev_uses_dsa(lower)) + if (!__netdev_uses_dsa_currently(new_lower) && + !__netdev_uses_dsa_currently(lower)) continue; if (!netdev_port_same_parent_id(lower, new_lower)) { @@ -3295,7 +3299,7 @@ static int dsa_conduit_lag_join(struct net_device *conduit, struct netdev_lag_upper_info *uinfo, struct netlink_ext_ack *extack) { - struct dsa_port *cpu_dp = conduit->dsa_ptr; + struct dsa_port *cpu_dp = rtnl_dereference(conduit->dsa_ptr); struct dsa_switch_tree *dst = cpu_dp->dst; struct dsa_port *dp; int err; @@ -3328,7 +3332,7 @@ static int dsa_conduit_lag_join(struct net_device *conduit, } } - dsa_conduit_lag_teardown(lag_dev, conduit->dsa_ptr); + dsa_conduit_lag_teardown(lag_dev, rtnl_dereference(conduit->dsa_ptr)); return err; } @@ -3336,17 +3340,16 @@ static int dsa_conduit_lag_join(struct net_device *conduit, static void dsa_conduit_lag_leave(struct net_device *conduit, struct net_device *lag_dev) { - struct dsa_port *dp, *cpu_dp = lag_dev->dsa_ptr; + struct dsa_port *dp, *cpu_dp = rtnl_dereference(lag_dev->dsa_ptr); struct dsa_switch_tree *dst = cpu_dp->dst; struct dsa_port *new_cpu_dp = NULL; struct net_device *lower; struct list_head *iter; netdev_for_each_lower_dev(lag_dev, lower, iter) { - if (netdev_uses_dsa(lower)) { - new_cpu_dp = lower->dsa_ptr; + new_cpu_dp = rtnl_dereference(lower->dsa_ptr); + if (new_cpu_dp) break; - } } if (new_cpu_dp) { @@ -3360,8 +3363,11 @@ static void dsa_conduit_lag_leave(struct net_device *conduit, /* Update the index of the virtual CPU port to match the lowest * physical CPU port */ - lag_dev->dsa_ptr = new_cpu_dp; - wmb(); + rcu_assign_pointer(lag_dev->dsa_ptr, new_cpu_dp); + /* + * No need to synchronize_rcu() here because dsa_ptr in not + * going away before it will be zeroed + */ } else { /* If the LAG DSA conduit has no ports left, migrate back all * user ports to the first physical CPU port @@ -3372,7 +3378,7 @@ static void dsa_conduit_lag_leave(struct net_device *conduit, /* This DSA conduit has left its LAG in any case, so let * the CPU port leave the hardware LAG as well */ - dsa_conduit_lag_teardown(lag_dev, conduit->dsa_ptr); + dsa_conduit_lag_teardown(lag_dev, rtnl_dereference(conduit->dsa_ptr)); } static int dsa_conduit_changeupper(struct net_device *dev, @@ -3381,7 +3387,7 @@ static int dsa_conduit_changeupper(struct net_device *dev, struct netlink_ext_ack *extack; int err = NOTIFY_DONE; - if (!netdev_uses_dsa(dev)) + if (!__netdev_uses_dsa_currently(dev)) return err; extack = netdev_notifier_info_to_extack(&info->info); @@ -3464,14 +3470,14 @@ static int dsa_user_netdevice_event(struct notifier_block *nb, err = dsa_port_lag_change(dp, info->lower_state_info); } + dp = rtnl_dereference(dev->dsa_ptr); + if (!dp) + return NOTIFY_OK; + /* Mirror LAG port events on DSA conduits that are in * a LAG towards their respective switch CPU ports */ - if (netdev_uses_dsa(dev)) { - dp = dev->dsa_ptr; - - err = dsa_port_lag_change(dp, info->lower_state_info); - } + err = dsa_port_lag_change(dp, info->lower_state_info); return notifier_from_errno(err); } @@ -3481,39 +3487,41 @@ static int dsa_user_netdevice_event(struct notifier_block *nb, * DSA driver may require the conduit port (and indirectly * the tagger) to be available for some special operation. */ - if (netdev_uses_dsa(dev)) { - struct dsa_port *cpu_dp = dev->dsa_ptr; - struct dsa_switch_tree *dst = cpu_dp->ds->dst; - - /* Track when the conduit port is UP */ - dsa_tree_conduit_oper_state_change(dst, dev, - netif_oper_up(dev)); - - /* Track when the conduit port is ready and can accept - * packet. - * NETDEV_UP event is not enough to flag a port as ready. - * We also have to wait for linkwatch_do_dev to dev_activate - * and emit a NETDEV_CHANGE event. - * We check if a conduit port is ready by checking if the dev - * have a qdisc assigned and is not noop. - */ - dsa_tree_conduit_admin_state_change(dst, dev, - !qdisc_tx_is_noop(dev)); + struct dsa_port *cpu_dp = rtnl_dereference(dev->dsa_ptr); + struct dsa_switch_tree *dst; - return NOTIFY_OK; - } + if (!cpu_dp) + return NOTIFY_DONE; + + dst = cpu_dp->ds->dst; + + /* Track when the conduit port is UP */ + dsa_tree_conduit_oper_state_change(dst, dev, + netif_oper_up(dev)); + + /* Track when the conduit port is ready and can accept + * packet. + * NETDEV_UP event is not enough to flag a port as ready. + * We also have to wait for linkwatch_do_dev to dev_activate + * and emit a NETDEV_CHANGE event. + * We check if a conduit port is ready by checking if the dev + * have a qdisc assigned and is not noop. + */ + dsa_tree_conduit_admin_state_change(dst, dev, + !qdisc_tx_is_noop(dev)); + + return NOTIFY_OK; - return NOTIFY_DONE; } case NETDEV_GOING_DOWN: { struct dsa_port *dp, *cpu_dp; struct dsa_switch_tree *dst; LIST_HEAD(close_list); - if (!netdev_uses_dsa(dev)) + cpu_dp = rtnl_dereference(dev->dsa_ptr); + if (!cpu_dp) return NOTIFY_DONE; - cpu_dp = dev->dsa_ptr; dst = cpu_dp->ds->dst; dsa_tree_conduit_admin_state_change(dst, dev, false); diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c index 4e3651101b86..a05ff82551c3 100644 --- a/net/ethernet/eth.c +++ b/net/ethernet/eth.c @@ -170,7 +170,7 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev) * variants has been configured on the receiving interface, * and if so, set skb->protocol without looking at the packet. */ - if (unlikely(netdev_uses_dsa(dev))) + if (unlikely(netdev_uses_dsa_currently(dev))) return htons(ETH_P_XDSA); if (likely(eth_proto_is_802_3(eth->h_proto))) -- 2.46.0

1 year

7
9
0 0

[PATCH 5.10] xhci: check virt_dev is valid before dereferencing it

by Roman Smirnov

From: Mathias Nyman <mathias.nyman(a)linux.intel.com> commit 03ed579d9d51aa018830b0de3e8b463faf6b87db upstream. Check that the xhci_virt_dev structure that we dug out based on a slot_id value from a command completion is valid before dereferencing it. Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20210129130044.206855-7-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Roman Smirnov <r.smirnov(a)omp.ru> --- drivers/usb/host/xhci-ring.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index fbb7a5b51ef4..a769803e7d38 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1415,6 +1415,8 @@ static void xhci_handle_cmd_config_ep(struct xhci_hcd *xhci, int slot_id, * is not waiting on the configure endpoint command. */ virt_dev = xhci->devs[slot_id]; + if (!virt_dev) + return; ctrl_ctx = xhci_get_input_control_ctx(virt_dev->in_ctx); if (!ctrl_ctx) { xhci_warn(xhci, "Could not get input context, bad type.\n"); @@ -1459,6 +1461,8 @@ static void xhci_handle_cmd_addr_dev(struct xhci_hcd *xhci, int slot_id) struct xhci_slot_ctx *slot_ctx; vdev = xhci->devs[slot_id]; + if (!vdev) + return; slot_ctx = xhci_get_slot_ctx(xhci, vdev->out_ctx); trace_xhci_handle_cmd_addr_dev(slot_ctx); } @@ -1470,13 +1474,15 @@ static void xhci_handle_cmd_reset_dev(struct xhci_hcd *xhci, int slot_id, struct xhci_slot_ctx *slot_ctx; vdev = xhci->devs[slot_id]; + if (!vdev) { + xhci_warn(xhci, "Reset device command completion for disabled slot %u\n", + slot_id); + return; + } slot_ctx = xhci_get_slot_ctx(xhci, vdev->out_ctx); trace_xhci_handle_cmd_reset_dev(slot_ctx); xhci_dbg(xhci, "Completed reset device command.\n"); - if (!xhci->devs[slot_id]) - xhci_warn(xhci, "Reset device command completion " - "for disabled slot %u\n", slot_id); } static void xhci_handle_cmd_nec_get_fw(struct xhci_hcd *xhci, -- 2.34.1

1 year

1
1
0 0

[PATCH] list: Remove duplicated and unused macro list_for_each_reverse

by Zijun Hu

From: Zijun Hu <quic_zijuhu(a)quicinc.com> Remove macro list_for_each_reverse due to below reasons: - it is same as list_for_each_prev. - it is not used by current kernel tree. Fixes: 8bf0cdfac7f8 ("<linux/list.h>: Introduce the list_for_each_reverse() method") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- include/linux/list.h | 8 -------- 1 file changed, 8 deletions(-) diff --git a/include/linux/list.h b/include/linux/list.h index 5f4b0a39cf46..29a375889fb8 100644 --- a/include/linux/list.h +++ b/include/linux/list.h @@ -686,14 +686,6 @@ static inline void list_splice_tail_init(struct list_head *list, #define list_for_each(pos, head) \ for (pos = (head)->next; !list_is_head(pos, (head)); pos = pos->next) -/** - * list_for_each_reverse - iterate backwards over a list - * @pos: the &struct list_head to use as a loop cursor. - * @head: the head for your list. - */ -#define list_for_each_reverse(pos, head) \ - for (pos = (head)->prev; pos != (head); pos = pos->prev) - /** * list_for_each_rcu - Iterate over a list in an RCU-safe fashion * @pos: the &struct list_head to use as a loop cursor. --- base-commit: 6a36d828bdef0e02b1e6c12e2160f5b83be6aab5 change-id: 20240916-fix_list-553c447bde0f Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

1 year

2
2
0 0

[PATCH 5.10] xhci: check virt_dev is valid before dereferencing it

by Roman Smirnov

From: Mathias Nyman <mathias.nyman(a)linux.intel.com> commit 03ed579d9d51aa018830b0de3e8b463faf6b87db upstream. Check that the xhci_virt_dev structure that we dug out based on a slot_id value from a command completion is valid before dereferencing it. Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20210129130044.206855-7-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Roman Smirnov <r.smirnov(a)omp.ru> --- drivers/usb/host/xhci-ring.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index fbb7a5b51ef4..a769803e7d38 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1415,6 +1415,8 @@ static void xhci_handle_cmd_config_ep(struct xhci_hcd *xhci, int slot_id, * is not waiting on the configure endpoint command. */ virt_dev = xhci->devs[slot_id]; + if (!virt_dev) + return; ctrl_ctx = xhci_get_input_control_ctx(virt_dev->in_ctx); if (!ctrl_ctx) { xhci_warn(xhci, "Could not get input context, bad type.\n"); @@ -1459,6 +1461,8 @@ static void xhci_handle_cmd_addr_dev(struct xhci_hcd *xhci, int slot_id) struct xhci_slot_ctx *slot_ctx; vdev = xhci->devs[slot_id]; + if (!vdev) + return; slot_ctx = xhci_get_slot_ctx(xhci, vdev->out_ctx); trace_xhci_handle_cmd_addr_dev(slot_ctx); } @@ -1470,13 +1474,15 @@ static void xhci_handle_cmd_reset_dev(struct xhci_hcd *xhci, int slot_id, struct xhci_slot_ctx *slot_ctx; vdev = xhci->devs[slot_id]; + if (!vdev) { + xhci_warn(xhci, "Reset device command completion for disabled slot %u\n", + slot_id); + return; + } slot_ctx = xhci_get_slot_ctx(xhci, vdev->out_ctx); trace_xhci_handle_cmd_reset_dev(slot_ctx); xhci_dbg(xhci, "Completed reset device command.\n"); - if (!xhci->devs[slot_id]) - xhci_warn(xhci, "Reset device command completion " - "for disabled slot %u\n", slot_id); } static void xhci_handle_cmd_nec_get_fw(struct xhci_hcd *xhci, -- 2.34.1

1 year

1
0
0 0

[PATCH 5.10] regmap: cache: Add extra parameter check in regcache_init

by Roman Smirnov

From: Schspa Shi <schspa(a)gmail.com> commit a5201d42e2f8a8e8062103170027840ee372742f upstream. When num_reg_defaults > 0 but reg_defaults is NULL, there will be a NULL pointer exception. Current code has no such usage, but as additional hardening, also check this to prevent any chance of crashing. Signed-off-by: Schspa Shi <schspa(a)gmail.com> Link: https://lore.kernel.org/r/20220629130951.63040-1-schspa@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Roman Smirnov <r.smirnov(a)omp.ru> --- drivers/base/regmap/regcache.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c index 7fdd702e564a..5ff79ba665ad 100644 --- a/drivers/base/regmap/regcache.c +++ b/drivers/base/regmap/regcache.c @@ -133,6 +133,12 @@ int regcache_init(struct regmap *map, const struct regmap_config *config) return -EINVAL; } + if (config->num_reg_defaults && !config->reg_defaults) { + dev_err(map->dev, + "Register defaults number are set without the reg!\n"); + return -EINVAL; + } + for (i = 0; i < config->num_reg_defaults; i++) if (config->reg_defaults[i].reg % map->reg_stride) return -EINVAL; -- 2.34.1

1 year

1
0
0 0

[PATCH v2 6.10] LoongArch: KVM: Remove undefined a6 argument comment for kvm_hypercall()

by WangYuli

From: Dandan Zhang <zhangdandan(a)uniontech.com> [ Upstream commit 494b0792d962e8efac72b3a5b6d9bcd4e6fa8cf0 ] The kvm_hypercall() set for LoongArch is limited to a1-a5. So the mention of a6 in the comment is undefined that needs to be rectified. Reviewed-by: Bibo Mao <maobibo(a)loongson.cn> Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> Signed-off-by: Dandan Zhang <zhangdandan(a)uniontech.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> -- Changlog: *v1 -> v2: Correct the commit-msg format. --- arch/loongarch/include/asm/kvm_para.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/loongarch/include/asm/kvm_para.h b/arch/loongarch/include/asm/kvm_para.h index 4ba2312e5f8c..6d5e9b6c5714 100644 --- a/arch/loongarch/include/asm/kvm_para.h +++ b/arch/loongarch/include/asm/kvm_para.h @@ -28,9 +28,9 @@ * Hypercall interface for KVM hypervisor * * a0: function identifier - * a1-a6: args + * a1-a5: args * Return value will be placed in a0. - * Up to 6 arguments are passed in a1, a2, a3, a4, a5, a6. + * Up to 5 arguments are passed in a1, a2, a3, a4, a5. */ static __always_inline long kvm_hypercall0(u64 fid) { -- 2.43.0

1 year

2
3
0 0

[merged mm-stable] zram-free-secondary-algorithms-names.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: zram: free secondary algorithms names has been removed from the -mm tree. Its filename was zram-free-secondary-algorithms-names.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Subject: zram: free secondary algorithms names Date: Wed, 11 Sep 2024 11:54:56 +0900 We need to kfree() secondary algorithms names when reset zram device that had multi-streams, otherwise we leak memory. [senozhatsky(a)chromium.org: kfree(NULL) is legal] Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org Link: https://lkml.kernel.org/r/20240911025600.3681789-1-senozhatsky@chromium.org Fixes: 001d92735701 ("zram: add recompression algorithm sysfs knob") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/block/zram/zram_drv.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/block/zram/zram_drv.c~zram-free-secondary-algorithms-names +++ a/drivers/block/zram/zram_drv.c @@ -2112,6 +2112,11 @@ static void zram_destroy_comps(struct zr zram->num_active_comps--; } + for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + kfree(zram->comp_algs[prio]); + zram->comp_algs[prio] = NULL; + } + zram_comp_params_reset(zram); } _ Patches currently in -mm which might be from senozhatsky(a)chromium.org are

1 year

1
0
0 0

[merged mm-stable] mm-z3fold-deprecate-config_z3fold.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: z3fold: deprecate CONFIG_Z3FOLD has been removed from the -mm tree. Its filename was mm-z3fold-deprecate-config_z3fold.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yosry Ahmed <yosryahmed(a)google.com> Subject: mm: z3fold: deprecate CONFIG_Z3FOLD Date: Wed, 4 Sep 2024 23:33:43 +0000 The z3fold compressed pages allocator is rarely used, most users use zsmalloc. The only disadvantage of zsmalloc in comparison is the dependency on MMU, and zbud is a more common option for !MMU as it was the default zswap allocator for a long time. Historically, zsmalloc had worse latency than zbud and z3fold but offered better memory savings. This is no longer the case as shown by a simple recent analysis [1]. That analysis showed that z3fold does not have any advantage over zsmalloc or zbud considering both performance and memory usage. In a kernel build test on tmpfs in a limited cgroup, z3fold took 3% more time and used 1.8% more memory. The latency of zswap_load() was 7% higher, and that of zswap_store() was 10% higher. Zsmalloc is better in all metrics. Moreover, z3fold apparently has latent bugs, which was made noticeable by a recent soft lockup bug report with z3fold [2]. Switching to zsmalloc not only fixed the problem, but also reduced the swap usage from 6~8G to 1~2G. Other users have also reported being bitten by mistakenly enabling z3fold. Other than hurting users, z3fold is repeatedly causing wasted engineering effort. Apart from investigating the above bug, it came up in multiple development discussions (e.g. [3]) as something we need to handle, when there aren't any legit users (at least not intentionally). The natural course of action is to deprecate z3fold, and remove in a few cycles if no objections are raised from active users. Next on the list should be zbud, as it offers marginal latency gains at the cost of huge memory waste when compared to zsmalloc. That one will need to wait until zsmalloc does not depend on MMU. Rename the user-visible config option from CONFIG_Z3FOLD to CONFIG_Z3FOLD_DEPRECATED so that users with CONFIG_Z3FOLD=y get a new prompt with explanation during make oldconfig. Also, remove CONFIG_Z3FOLD=y from defconfigs. [1]https://lore.kernel.org/lkml/CAJD7tkbRF6od-2x_L8-A1QL3=2Ww13sCj4S3i4bNndq… [2]https://lore.kernel.org/lkml/EF0ABD3E-A239-4111-A8AB-5C442E759CF3@gmail.c… [3]https://lore.kernel.org/lkml/CAJD7tkbnmeVugfunffSovJf9FAgy9rhBVt_tx=nxUve… [arnd(a)arndb.de: deprecate ZSWAP_ZPOOL_DEFAULT_Z3FOLD as well] Link: https://lkml.kernel.org/r/20240909202625.1054880-1-arnd@kernel.org Link: https://lkml.kernel.org/r/20240904233343.933462-1-yosryahmed@google.com Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Acked-by: Chris Down <chris(a)chrisdown.name> Acked-by: Nhat Pham <nphamcs(a)gmail.com> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Acked-by: Vitaly Wool <vitaly.wool(a)konsulko.com> Acked-by: Christoph Hellwig <hch(a)lst.de> Cc: Aneesh Kumar K.V <aneesh.kumar(a)kernel.org> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Huacai Chen <chenhuacai(a)kernel.org> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Michael Ellerman <mpe(a)ellerman.id.au> Cc: Naveen N. Rao <naveen.n.rao(a)linux.ibm.com> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: WANG Xuerui <kernel(a)xen0n.name> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/loongarch/configs/loongson3_defconfig | 1 arch/powerpc/configs/ppc64_defconfig | 1 mm/Kconfig | 25 ++++++++++++++----- 3 files changed, 19 insertions(+), 8 deletions(-) --- a/arch/loongarch/configs/loongson3_defconfig~mm-z3fold-deprecate-config_z3fold +++ a/arch/loongarch/configs/loongson3_defconfig @@ -96,7 +96,6 @@ CONFIG_ZPOOL=y CONFIG_ZSWAP=y CONFIG_ZSWAP_COMPRESSOR_DEFAULT_ZSTD=y CONFIG_ZBUD=y -CONFIG_Z3FOLD=y CONFIG_ZSMALLOC=m # CONFIG_COMPAT_BRK is not set CONFIG_MEMORY_HOTPLUG=y --- a/arch/powerpc/configs/ppc64_defconfig~mm-z3fold-deprecate-config_z3fold +++ a/arch/powerpc/configs/ppc64_defconfig @@ -81,7 +81,6 @@ CONFIG_MODULE_SIG_SHA512=y CONFIG_PARTITION_ADVANCED=y CONFIG_BINFMT_MISC=m CONFIG_ZSWAP=y -CONFIG_Z3FOLD=y CONFIG_ZSMALLOC=y # CONFIG_SLAB_MERGE_DEFAULT is not set CONFIG_SLAB_FREELIST_RANDOM=y --- a/mm/Kconfig~mm-z3fold-deprecate-config_z3fold +++ a/mm/Kconfig @@ -146,12 +146,15 @@ config ZSWAP_ZPOOL_DEFAULT_ZBUD help Use the zbud allocator as the default allocator. -config ZSWAP_ZPOOL_DEFAULT_Z3FOLD - bool "z3fold" - select Z3FOLD +config ZSWAP_ZPOOL_DEFAULT_Z3FOLD_DEPRECATED + bool "z3foldi (DEPRECATED)" + select Z3FOLD_DEPRECATED help Use the z3fold allocator as the default allocator. + Deprecated and scheduled for removal in a few cycles, + see CONFIG_Z3FOLD_DEPRECATED. + config ZSWAP_ZPOOL_DEFAULT_ZSMALLOC bool "zsmalloc" select ZSMALLOC @@ -163,7 +166,7 @@ config ZSWAP_ZPOOL_DEFAULT string depends on ZSWAP default "zbud" if ZSWAP_ZPOOL_DEFAULT_ZBUD - default "z3fold" if ZSWAP_ZPOOL_DEFAULT_Z3FOLD + default "z3fold" if ZSWAP_ZPOOL_DEFAULT_Z3FOLD_DEPRECATED default "zsmalloc" if ZSWAP_ZPOOL_DEFAULT_ZSMALLOC default "" @@ -177,15 +180,25 @@ config ZBUD deterministic reclaim properties that make it preferable to a higher density approach when reclaim will be used. -config Z3FOLD - tristate "3:1 compression allocator (z3fold)" +config Z3FOLD_DEPRECATED + tristate "3:1 compression allocator (z3fold) (DEPRECATED)" depends on ZSWAP help + Deprecated and scheduled for removal in a few cycles. If you have + a good reason for using Z3FOLD over ZSMALLOC, please contact + linux-mm(a)kvack.org and the zswap maintainers. + A special purpose allocator for storing compressed pages. It is designed to store up to three compressed pages per physical page. It is a ZBUD derivative so the simplicity and determinism are still there. +config Z3FOLD + tristate + default y if Z3FOLD_DEPRECATED=y + default m if Z3FOLD_DEPRECATED=m + depends on Z3FOLD_DEPRECATED + config ZSMALLOC tristate prompt "N:1 compression allocator (zsmalloc)" if (ZSWAP || ZRAM) _ Patches currently in -mm which might be from yosryahmed(a)google.com are

1 year

1
0
0 0

[merged mm-hotfixes-stable] mm-huge_memory-ensure-huge_zero_folio-wont-have-large_rmappable-flag-set.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/huge_memory: ensure huge_zero_folio won't have large_rmappable flag set has been removed from the -mm tree. Its filename was mm-huge_memory-ensure-huge_zero_folio-wont-have-large_rmappable-flag-set.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Miaohe Lin <linmiaohe(a)huawei.com> Subject: mm/huge_memory: ensure huge_zero_folio won't have large_rmappable flag set Date: Sat, 14 Sep 2024 09:53:06 +0800 Ensure huge_zero_folio won't have large_rmappable flag set. So it can be reported as thp,zero correctly through stable_page_flags(). Link: https://lkml.kernel.org/r/20240914015306.3656791-1-linmiaohe@huawei.com Fixes: 5691753d73a2 ("mm: convert huge_zero_page to huge_zero_folio") Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/huge_memory.c~mm-huge_memory-ensure-huge_zero_folio-wont-have-large_rmappable-flag-set +++ a/mm/huge_memory.c @@ -220,6 +220,8 @@ retry: count_vm_event(THP_ZERO_PAGE_ALLOC_FAILED); return false; } + /* Ensure zero folio won't have large_rmappable flag set. */ + folio_clear_large_rmappable(zero_folio); preempt_disable(); if (cmpxchg(&huge_zero_folio, NULL, zero_folio)) { preempt_enable(); _ Patches currently in -mm which might be from linmiaohe(a)huawei.com are mm-memory-failure-fix-vm_bug_on_pagepagepoisonedpage-when-unpoison-memory.patch

1 year

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlbc-fix-uaf-of-vma-in-hugetlb-fault-pathway.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway has been removed from the -mm tree. Its filename was mm-hugetlbc-fix-uaf-of-vma-in-hugetlb-fault-pathway.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Vishal Moola (Oracle)" <vishal.moola(a)gmail.com> Subject: mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway Date: Sat, 14 Sep 2024 12:41:19 -0700 Syzbot reports a UAF in hugetlb_fault(). This happens because vmf_anon_prepare() could drop the per-VMA lock and allow the current VMA to be freed before hugetlb_vma_unlock_read() is called. We can fix this by using a modified version of vmf_anon_prepare() that doesn't release the VMA lock on failure, and then release it ourselves after hugetlb_vma_unlock_read(). Link: https://lkml.kernel.org/r/20240914194243.245-2-vishal.moola@gmail.com Fixes: 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()") Reported-by: syzbot+2dab93857ee95f2eeb08(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/00000000000067c20b06219fbc26@google.com/ Signed-off-by: Vishal Moola (Oracle) <vishal.moola(a)gmail.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) --- a/mm/hugetlb.c~mm-hugetlbc-fix-uaf-of-vma-in-hugetlb-fault-pathway +++ a/mm/hugetlb.c @@ -6048,7 +6048,7 @@ retry_avoidcopy: * When the original hugepage is shared one, it does not have * anon_vma prepared. */ - ret = vmf_anon_prepare(vmf); + ret = __vmf_anon_prepare(vmf); if (unlikely(ret)) goto out_release_all; @@ -6247,7 +6247,7 @@ static vm_fault_t hugetlb_no_page(struct } if (!(vma->vm_flags & VM_MAYSHARE)) { - ret = vmf_anon_prepare(vmf); + ret = __vmf_anon_prepare(vmf); if (unlikely(ret)) goto out; } @@ -6378,6 +6378,14 @@ static vm_fault_t hugetlb_no_page(struct folio_unlock(folio); out: hugetlb_vma_unlock_read(vma); + + /* + * We must check to release the per-VMA lock. __vmf_anon_prepare() is + * the only way ret can be set to VM_FAULT_RETRY. + */ + if (unlikely(ret & VM_FAULT_RETRY)) + vma_end_read(vma); + mutex_unlock(&hugetlb_fault_mutex_table[hash]); return ret; @@ -6599,6 +6607,14 @@ out_ptl: } out_mutex: hugetlb_vma_unlock_read(vma); + + /* + * We must check to release the per-VMA lock. __vmf_anon_prepare() in + * hugetlb_wp() is the only way ret can be set to VM_FAULT_RETRY. + */ + if (unlikely(ret & VM_FAULT_RETRY)) + vma_end_read(vma); + mutex_unlock(&hugetlb_fault_mutex_table[hash]); /* * Generally it's safe to hold refcount during waiting page lock. But _ Patches currently in -mm which might be from vishal.moola(a)gmail.com are

1 year

1
0
0 0

[merged mm-hotfixes-stable] mm-change-vmf_anon_prepare-to-__vmf_anon_prepare.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: change vmf_anon_prepare() to __vmf_anon_prepare() has been removed from the -mm tree. Its filename was mm-change-vmf_anon_prepare-to-__vmf_anon_prepare.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Vishal Moola (Oracle)" <vishal.moola(a)gmail.com> Subject: mm: change vmf_anon_prepare() to __vmf_anon_prepare() Date: Sat, 14 Sep 2024 12:41:18 -0700 Some callers of vmf_anon_prepare() may not want us to release the per-VMA lock ourselves. Rename vmf_anon_prepare() to __vmf_anon_prepare() and let the callers drop the lock when desired. Also, make vmf_anon_prepare() a wrapper that releases the per-VMA lock itself for any callers that don't care. This is in preparation to fix this bug reported by syzbot: https://lore.kernel.org/linux-mm/00000000000067c20b06219fbc26@google.com/ Link: https://lkml.kernel.org/r/20240914194243.245-1-vishal.moola@gmail.com Fixes: 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()") Reported-by: syzbot+2dab93857ee95f2eeb08(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/00000000000067c20b06219fbc26@google.com/ Signed-off-by: Vishal Moola (Oracle) <vishal.moola(a)gmail.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 11 ++++++++++- mm/memory.c | 8 +++----- 2 files changed, 13 insertions(+), 6 deletions(-) --- a/mm/internal.h~mm-change-vmf_anon_prepare-to-__vmf_anon_prepare +++ a/mm/internal.h @@ -310,7 +310,16 @@ static inline void wake_throttle_isolate wake_up(wqh); } -vm_fault_t vmf_anon_prepare(struct vm_fault *vmf); +vm_fault_t __vmf_anon_prepare(struct vm_fault *vmf); +static inline vm_fault_t vmf_anon_prepare(struct vm_fault *vmf) +{ + vm_fault_t ret = __vmf_anon_prepare(vmf); + + if (unlikely(ret & VM_FAULT_RETRY)) + vma_end_read(vmf->vma); + return ret; +} + vm_fault_t do_swap_page(struct vm_fault *vmf); void folio_rotate_reclaimable(struct folio *folio); bool __folio_end_writeback(struct folio *folio); --- a/mm/memory.c~mm-change-vmf_anon_prepare-to-__vmf_anon_prepare +++ a/mm/memory.c @@ -3259,7 +3259,7 @@ static inline vm_fault_t vmf_can_call_fa } /** - * vmf_anon_prepare - Prepare to handle an anonymous fault. + * __vmf_anon_prepare - Prepare to handle an anonymous fault. * @vmf: The vm_fault descriptor passed from the fault handler. * * When preparing to insert an anonymous page into a VMA from a @@ -3273,7 +3273,7 @@ static inline vm_fault_t vmf_can_call_fa * Return: 0 if fault handling can proceed. Any other value should be * returned to the caller. */ -vm_fault_t vmf_anon_prepare(struct vm_fault *vmf) +vm_fault_t __vmf_anon_prepare(struct vm_fault *vmf) { struct vm_area_struct *vma = vmf->vma; vm_fault_t ret = 0; @@ -3281,10 +3281,8 @@ vm_fault_t vmf_anon_prepare(struct vm_fa if (likely(vma->anon_vma)) return 0; if (vmf->flags & FAULT_FLAG_VMA_LOCK) { - if (!mmap_read_trylock(vma->vm_mm)) { - vma_end_read(vma); + if (!mmap_read_trylock(vma->vm_mm)) return VM_FAULT_RETRY; - } } if (__anon_vma_prepare(vma)) ret = VM_FAULT_OOM; _ Patches currently in -mm which might be from vishal.moola(a)gmail.com are

1 year

1
0
0 0

[merged mm-hotfixes-stable] resource-fix-region_intersects-vs-add_memory_driver_managed.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: resource: fix region_intersects() vs add_memory_driver_managed() has been removed from the -mm tree. Its filename was resource-fix-region_intersects-vs-add_memory_driver_managed.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Huang Ying <ying.huang(a)intel.com> Subject: resource: fix region_intersects() vs add_memory_driver_managed() Date: Fri, 6 Sep 2024 11:07:11 +0800 On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs. For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem, $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 dd: error writing '/dev/mem': Bad address 1+0 records in 0+0 records out 0 bytes copied, 0.0283507 s, 0.0 kB/s the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". More seriously, the /dev/mem permission checking in devmem_is_allowed() passes incorrectly. Although the accessing is prevented later because ioremap() isn't allowed to map system RAM, it is a potential security issue. During command executing, the following warning is reported in the kernel log for calling ioremap() on system RAM. ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d Call Trace: memremap+0xcb/0x184 xlate_dev_mem_ptr+0x25/0x2f write_mem+0x94/0xfb vfs_write+0x128/0x26d ksys_write+0xac/0xfe do_syscall_64+0x9a/0xfd entry_SYSCALL_64_after_hwframe+0x4b/0x53 The details of command execution process are as follows. In the above resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a top level resource. So, region_intersects() will report no System RAM resources in the CXL memory region incorrectly, because it only checks the top level resources. Consequently, devmem_is_allowed() will return 1 (allow access via /dev/mem) for CXL memory region incorrectly. Fortunately, ioremap() doesn't allow to map System RAM and reject the access. So, region_intersects() needs to be fixed to work correctly with the resource tree with "System RAM" not at top level as above. To fix it, if we found a unmatched resource in the top level, we will continue to search matched resources in its descendant resources. So, we will not miss any matched resources in resource tree anymore. In the new implementation, an example resource tree |------------- "CXL Window 0" ------------| |-- "System RAM" --| will behave similar as the following fake resource tree for region_intersects(, IORESOURCE_SYSTEM_RAM, ), |-- "System RAM" --||-- "CXL Window 0a" --| Where "CXL Window 0a" is part of the original "CXL Window 0" that isn't covered by "System RAM". Link: https://lkml.kernel.org/r/20240906030713.204292-2-ying.huang@intel.com Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") Signed-off-by: "Huang, Ying" <ying.huang(a)intel.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Davidlohr Bueso <dave(a)stgolabs.net> Cc: Jonathan Cameron <jonathan.cameron(a)huawei.com> Cc: Dave Jiang <dave.jiang(a)intel.com> Cc: Alison Schofield <alison.schofield(a)intel.com> Cc: Vishal Verma <vishal.l.verma(a)intel.com> Cc: Ira Weiny <ira.weiny(a)intel.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/resource.c | 58 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 50 insertions(+), 8 deletions(-) --- a/kernel/resource.c~resource-fix-region_intersects-vs-add_memory_driver_managed +++ a/kernel/resource.c @@ -540,20 +540,62 @@ static int __region_intersects(struct re size_t size, unsigned long flags, unsigned long desc) { - struct resource res; + resource_size_t ostart, oend; int type = 0; int other = 0; - struct resource *p; + struct resource *p, *dp; + bool is_type, covered; + struct resource res; res.start = start; res.end = start + size - 1; for (p = parent->child; p ; p = p->sibling) { - bool is_type = (((p->flags & flags) == flags) && - ((desc == IORES_DESC_NONE) || - (desc == p->desc))); - - if (resource_overlaps(p, &res)) - is_type ? type++ : other++; + if (!resource_overlaps(p, &res)) + continue; + is_type = (p->flags & flags) == flags && + (desc == IORES_DESC_NONE || desc == p->desc); + if (is_type) { + type++; + continue; + } + /* + * Continue to search in descendant resources as if the + * matched descendant resources cover some ranges of 'p'. + * + * |------------- "CXL Window 0" ------------| + * |-- "System RAM" --| + * + * will behave similar as the following fake resource + * tree when searching "System RAM". + * + * |-- "System RAM" --||-- "CXL Window 0a" --| + */ + covered = false; + ostart = max(res.start, p->start); + oend = min(res.end, p->end); + for_each_resource(p, dp, false) { + if (!resource_overlaps(dp, &res)) + continue; + is_type = (dp->flags & flags) == flags && + (desc == IORES_DESC_NONE || desc == dp->desc); + if (is_type) { + type++; + /* + * Range from 'ostart' to 'dp->start' + * isn't covered by matched resource. + */ + if (dp->start > ostart) + break; + if (dp->end >= oend) { + covered = true; + break; + } + /* Remove covered range */ + ostart = max(ostart, dp->end + 1); + } + } + if (!covered) + other++; } if (type == 0) _ Patches currently in -mm which might be from ying.huang(a)intel.com are resource-make-alloc_free_mem_region-works-for-iomem_resource.patch resource-kunit-add-test-case-for-region_intersects.patch

1 year

1
0
0 0

[PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

by Qianqiang Liu

> I think this patch just hides the real problem. > How could putcs have become NULL ? > > Helge Oh, you are right! I will figure it out. Best, Qianqiang Liu

1 year

1
0
0 0

[PATCH 1/1] RISC-V: Fix building rust when using GCC toolchain

by Jason Montleon

Clang does not support '-mno-riscv-attribute' resulting in the error error: unknown argument: '-mno-riscv-attribute' Not setting BINDGEN_TARGET_riscv results in the in the error error: unsupported argument 'medany' to option '-mcmodel=' for target \ 'unknown' error: unknown target triple 'unknown' Signed-off-by: Jason Montleon <jmontleo(a)redhat.com> Cc: stable(a)vger.kernel.org --- rust/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rust/Makefile b/rust/Makefile index f168d2c98a15..73eceaaae61e 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -228,11 +228,12 @@ bindgen_skip_c_flags := -mno-fp-ret-in-387 -mpreferred-stack-boundary=% \ -fzero-call-used-regs=% -fno-stack-clash-protection \ -fno-inline-functions-called-once -fsanitize=bounds-strict \ -fstrict-flex-arrays=% -fmin-function-alignment=% \ - --param=% --param asan-% + --param=% --param asan-% -mno-riscv-attribute # Derived from `scripts/Makefile.clang`. BINDGEN_TARGET_x86 := x86_64-linux-gnu BINDGEN_TARGET_arm64 := aarch64-linux-gnu +BINDGEN_TARGET_riscv := riscv64-linux-gnu BINDGEN_TARGET := $(BINDGEN_TARGET_$(SRCARCH)) # All warnings are inhibited since GCC builds are very experimental, -- 2.46.0

1 year

1
0
0 0

[PATCH 2/3] arm64: dts: qcom: x1e80100: fix PCIe4 and PCIe6a PHY clocks

by Johan Hovold

Add the missing clkref enable and pipediv2 clocks to the PCIe4 and PCIe6a PHYs. Fixes: 5eb83fc10289 ("arm64: dts: qcom: x1e80100: Add PCIe nodes") Cc: stable(a)vger.kernel.org # 6.9 Cc: Abel Vesa <abel.vesa(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- arch/arm64/boot/dts/qcom/x1e80100.dtsi | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi index 0cf4f3c12428..53e7d1e603cb 100644 --- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi +++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi @@ -2980,14 +2980,16 @@ pcie6a_phy: phy@1bfc000 { clocks = <&gcc GCC_PCIE_6A_PHY_AUX_CLK>, <&gcc GCC_PCIE_6A_CFG_AHB_CLK>, - <&rpmhcc RPMH_CXO_CLK>, + <&tcsr TCSR_PCIE_4L_CLKREF_EN>, <&gcc GCC_PCIE_6A_PHY_RCHNG_CLK>, - <&gcc GCC_PCIE_6A_PIPE_CLK>; + <&gcc GCC_PCIE_6A_PIPE_CLK>, + <&gcc GCC_PCIE_6A_PIPEDIV2_CLK>; clock-names = "aux", "cfg_ahb", "ref", "rchng", - "pipe"; + "pipe", + "pipediv2"; resets = <&gcc GCC_PCIE_6A_PHY_BCR>, <&gcc GCC_PCIE_6A_NOCSR_COM_PHY_BCR>; @@ -3232,14 +3234,16 @@ pcie4_phy: phy@1c0e000 { clocks = <&gcc GCC_PCIE_4_AUX_CLK>, <&gcc GCC_PCIE_4_CFG_AHB_CLK>, - <&rpmhcc RPMH_CXO_CLK>, + <&tcsr TCSR_PCIE_2L_4_CLKREF_EN>, <&gcc GCC_PCIE_4_PHY_RCHNG_CLK>, - <&gcc GCC_PCIE_4_PIPE_CLK>; + <&gcc GCC_PCIE_4_PIPE_CLK>, + <&gcc GCC_PCIE_4_PIPEDIV2_CLK>; clock-names = "aux", "cfg_ahb", "ref", "rchng", - "pipe"; + "pipe", + "pipediv2"; resets = <&gcc GCC_PCIE_4_PHY_BCR>; reset-names = "phy"; -- 2.44.2

1 year

3
2
0 0

[PATCH] f2fs: fix to check atomic_file in f2fs ioctl interfaces

by Chao Yu

Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(), f2fs_move_file_range(), and f2fs_defragment_range() missed to check atomic_write status, which may cause potential race issue, fix it. Cc: stable(a)vger.kernel.org Signed-off-by: Chao Yu <chao(a)kernel.org> --- fs/f2fs/file.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index a8d153eb0a95..99903eafa7fe 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -2710,7 +2710,8 @@ static int f2fs_defragment_range(struct f2fs_sb_info *sbi, (range->start + range->len) >> PAGE_SHIFT, DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE)); - if (is_inode_flag_set(inode, FI_COMPRESS_RELEASED)) { + if (is_inode_flag_set(inode, FI_COMPRESS_RELEASED) || + f2fs_is_atomic_file(inode)) { err = -EINVAL; goto unlock_out; } @@ -2943,6 +2944,11 @@ static int f2fs_move_file_range(struct file *file_in, loff_t pos_in, goto out_unlock; } + if (f2fs_is_atomic_file(src) || f2fs_is_atomic_file(dst)) { + ret = -EINVAL; + goto out_unlock; + } + ret = -EINVAL; if (pos_in + len > src->i_size || pos_in + len < pos_in) goto out_unlock; @@ -3326,6 +3332,11 @@ static int f2fs_ioc_set_pin_file(struct file *filp, unsigned long arg) inode_lock(inode); + if (f2fs_is_atomic_file(inode)) { + ret = -EINVAL; + goto out; + } + if (!pin) { clear_inode_flag(inode, FI_PIN_FILE); f2fs_i_gc_failures_write(inode, 0); -- 2.40.1

1 year

2
1
0 0

[PATCH v2] usb: dwc3: re-enable runtime PM after failed resume

by Roy Luo

When dwc3_resume_common() returns an error, runtime pm is left in suspended and disabled state in dwc3_resume(). Since the device is suspended, its parent devices (like the power domain or glue driver) could also be suspended and may have released resources that dwc requires. Consequently, calling dwc3_suspend_common() in this situation could result in attempts to access unclocked or unpowered registers. To prevent these problems, runtime PM should always be re-enabled, even after failed resume attempts. This ensures that dwc3_suspend_common() is skipped in such cases. Fixes: 68c26fe58182 ("usb: dwc3: set pm runtime active before resume common") Cc: stable(a)vger.kernel.org Signed-off-by: Roy Luo <royluo(a)google.com> --- drivers/usb/dwc3/core.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index ccc3895dbd7f..4bd73b5fe41b 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2537,7 +2537,7 @@ static int dwc3_suspend(struct device *dev) static int dwc3_resume(struct device *dev) { struct dwc3 *dwc = dev_get_drvdata(dev); - int ret; + int ret = 0; pinctrl_pm_select_default_state(dev); @@ -2545,14 +2545,12 @@ static int dwc3_resume(struct device *dev) pm_runtime_set_active(dev); ret = dwc3_resume_common(dwc, PMSG_RESUME); - if (ret) { + if (ret) pm_runtime_set_suspended(dev); - return ret; - } pm_runtime_enable(dev); - return 0; + return ret; } static void dwc3_complete(struct device *dev) base-commit: ad618736883b8970f66af799e34007475fe33a68 -- 2.46.0.662.g92d0881bb0-goog

1 year

2
1
0 0

[PATCH v3] drm/xe/vram: fix ccs offset calculation

by Matthew Auld

Spec says SW is expected to round up to the nearest 128K, if not already aligned for the CC unit view of CCS. We are seeing the assert sometimes pop on BMG to tell us that there is a hole between GSM and CCS, as well as popping other asserts with having a vram size with strange alignment, which is likely caused by misaligned offset here. v2 (Shuicheng): - Do the round_up() on final SW address. BSpec: 68023 Fixes: b5c2ca0372dc ("drm/xe/xe2hpg: Determine flat ccs offset for vram") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: Akshata Jahagirdar <akshata.jahagirdar(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: Shuicheng Lin <shuicheng.lin(a)intel.com> Cc: Matt Roper <matthew.d.roper(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.10+ Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Tested-by: Shuicheng Lin <shuicheng.lin(a)intel.com> --- drivers/gpu/drm/xe/xe_vram.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/xe/xe_vram.c b/drivers/gpu/drm/xe/xe_vram.c index 7e765b1499b1..2a623bfcda7e 100644 --- a/drivers/gpu/drm/xe/xe_vram.c +++ b/drivers/gpu/drm/xe/xe_vram.c @@ -182,6 +182,7 @@ static inline u64 get_flat_ccs_offset(struct xe_gt *gt, u64 tile_size) offset = offset_hi << 32; /* HW view bits 39:32 */ offset |= offset_lo << 6; /* HW view bits 31:6 */ offset *= num_enabled; /* convert to SW view */ + offset = round_up(offset, SZ_128K); /* SW must round up to nearest 128K */ /* We don't expect any holes */ xe_assert_msg(xe, offset == (xe_mmio_read64_2x32(&gt_to_tile(gt)->mmio, GSMBASE) - -- 2.46.0

1 year

2
2
0 0

[PATCH] ALSA: hda/realtek: fix mute/micmute LED for HP mt645 G8

by nikolai.afanasenkov＠hp.com

From: Nikolai Afanasenkov <nikolai.afanasenkov(a)hp.com> The HP Elite mt645 G8 Mobile Thin Client uses an ALC236 codec and needs the ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to enable the mute and micmute LED functionality. This patch adds the system ID of the HP Elite mt645 G8 to the `alc269_fixup_tbl` in `patch_realtek.c` to enable the required quirk. Cc: stable(a)vger.kernel.org Signed-off-by: Nikolai Afanasenkov <nikolai.afanasenkov(a)hp.com> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 452c6e7c20e2..5ad5a901f9b6 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10396,6 +10396,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8caf, "HP Elite mt645 G8 Mobile Thin Client", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), SND_PCI_QUIRK(0x103c, 0x8cbd, "HP Pavilion Aero Laptop 13-bg0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), SND_PCI_QUIRK(0x103c, 0x8cdd, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8cde, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2), -- 2.34.1

1 year

1
0
0 0

[PATCH net] net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL

by Thomas Weißschuh

The rpl sr tunnel code contains calls to dst_cache_*() which are only present when the dst cache is built. Select DST_CACHE to build the dst cache, similar to other kconfig options in the same file. Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel") Cc: stable(a)vger.kernel.org --- Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> --- net/ipv6/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig index 08d4b7132d4c..1c9c686d9522 100644 --- a/net/ipv6/Kconfig +++ b/net/ipv6/Kconfig @@ -323,6 +323,7 @@ config IPV6_RPL_LWTUNNEL bool "IPv6: RPL Source Routing Header support" depends on IPV6 select LWTUNNEL + select DST_CACHE help Support for RFC6554 RPL Source Routing Header using the lightweight tunnels mechanism. --- base-commit: ad060dbbcfcfcba624ef1a75e1d71365a98b86d8 change-id: 20240916-ipv6_rpl_lwtunnel-dst_cache-22561978f35f Best regards, -- Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>

1 year

2
5
0 0

Mrs. Rosella Thomas

by Rosella Thomas

Good Morning. I am Mrs. Rosella Thomas. My dear, would you be able to handle a project for us? Please contact me by email for more details. My email is this rosellathomas4(a)gmail.com Thanks Mrs. Rosella Thomas

1 year

1
0
0 0

[PATCH] RDMA/irdma: fix error message in irdma_modify_qp_roce()

by Vitaliy Shevtsov

Use a correct field max_dest_rd_atomic instead of max_rd_atomic for the error output. Found by Linux Verification Center (linuxtesting.org) with Svace. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Signed-off-by: Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> --- drivers/infiniband/hw/irdma/verbs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c index 76c5f461faca..baa3dff6faab 100644 --- a/drivers/infiniband/hw/irdma/verbs.c +++ b/drivers/infiniband/hw/irdma/verbs.c @@ -1324,7 +1324,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr, if (attr->max_dest_rd_atomic > dev->hw_attrs.max_hw_ird) { ibdev_err(&iwdev->ibdev, "rd_atomic = %d, above max_hw_ird=%d\n", - attr->max_rd_atomic, + attr->max_dest_rd_atomic, dev->hw_attrs.max_hw_ird); return -EINVAL; } -- 2.46.1

1 year

3
2
0 0

[PATCH 1/3] serial: qcom-geni: fix premature receiver enable

by Johan Hovold

The receiver should no be enabled until the port is opened so drop the bogus call to start tx from the setup code which is shared with the console implementation. This was added for some confused implementation of hibernation support, but the receiver must not be started unconditionally as the port may not have been open when hibernating the system. Fixes: 35781d8356a2 ("tty: serial: qcom-geni-serial: Add support for Hibernation feature") Cc: stable(a)vger.kernel.org # 6.2 Cc: Aniket Randive <quic_arandive(a)quicinc.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 6f0db310cf69..9ea6bd09e665 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1152,7 +1152,6 @@ static int qcom_geni_serial_port_setup(struct uart_port *uport) false, true, true); geni_se_init(&port->se, UART_RX_WM, port->rx_fifo_depth - 2); geni_se_select_mode(&port->se, port->dev_data->mode); - qcom_geni_serial_start_rx(uport); port->setup = true; return 0; -- 2.44.2

1 year

1
0
0 0

[failures] ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: reserve space for inline xattr before attaching reflink tree has been removed from the -mm tree. Its filename was ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch This patch was dropped because it had testing failures ------------------------------------------------------ From: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Subject: ocfs2: reserve space for inline xattr before attaching reflink tree Date: Thu, 12 Sep 2024 06:47:20 +0000 One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case upto 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Link: https://lkml.kernel.org/r/20240912064720.898600-1-gautham.ananthakrishna@or… Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) --- a/fs/ocfs2/refcounttree.c~ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree +++ a/fs/ocfs2/refcounttree.c @@ -25,6 +25,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4155,8 +4156,9 @@ static int __ocfs2_reflink(struct dentry int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4182,6 +4184,26 @@ static int __ocfs2_reflink(struct dentry goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = new_bh->b_data; + struct ocfs2_dinode *old_di = old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4189,7 +4211,7 @@ static int __ocfs2_reflink(struct dentry goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); --- a/fs/ocfs2/xattr.c~ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree +++ a/fs/ocfs2/xattr.c @@ -6520,16 +6520,7 @@ static int ocfs2_reflink_xattr_inline(st } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); _ Patches currently in -mm which might be from gautham.ananthakrishna(a)oracle.com are

1 year

1
0
0 0

[PATCH RFC V4 1/1] ocfs2: reserve space for inline xattr before attaching reflink tree

by Gautham Ananthakrishna

One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case upto 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Cc: stable(a)vger.kernel.org Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c index 3f80a56d0d60..05105d271fc8 100644 --- a/fs/ocfs2/refcounttree.c +++ b/fs/ocfs2/refcounttree.c @@ -25,6 +25,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4155,8 +4156,9 @@ static int __ocfs2_reflink(struct dentry *old_dentry, int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4182,6 +4184,26 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = new_bh->b_data; + struct ocfs2_dinode *old_di = old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4189,7 +4211,7 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 3b81213ed7b8..a9f716ec89e2 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -6511,16 +6511,7 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args) } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); -- 2.39.3

1 year

2
1
0 0

FAILED: patch "[PATCH] selftests: mptcp: join: restrict fullmesh endp on 1st sf" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 49ac6f05ace5bb0070c68a0193aa05d3c25d4c83 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024091343-excusably-laborer-3bef@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 49ac6f05ace5 ("selftests: mptcp: join: restrict fullmesh endp on 1st sf") 4878f9f8421f ("selftests: mptcp: join: validate fullmesh endp on 1st sf") e571fb09c893 ("selftests: mptcp: add speed env var") 4aadde088a58 ("selftests: mptcp: add fullmesh env var") 080b7f5733fd ("selftests: mptcp: add fastclose env var") 662aa22d7dcd ("selftests: mptcp: set all env vars as local ones") 9e9d176df8e9 ("selftests: mptcp: add pm_nl_set_endpoint helper") 1534f87ee0dc ("selftests: mptcp: drop sflags parameter") 595ef566a2ef ("selftests: mptcp: drop addr_nr_ns1/2 parameters") 0c93af1f8907 ("selftests: mptcp: drop test_linkfail parameter") be7e9786c915 ("selftests: mptcp: set FAILING_LINKS in run_tests") 4369c198e599 ("selftests: mptcp: test userspace pm out of transfer") ae947bb2c253 ("selftests: mptcp: join: skip Fastclose tests if not supported") d4c81bbb8600 ("selftests: mptcp: join: support local endpoint being tracked or not") 4a0b866a3f7d ("selftests: mptcp: join: skip test if iptables/tc cmds fail") 0c4cd3f86a40 ("selftests: mptcp: join: use 'iptables-legacy' if available") 6c160b636c91 ("selftests: mptcp: update userspace pm subflow tests") 48d73f609dcc ("selftests: mptcp: update userspace pm addr tests") 8697a258ae24 ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49ac6f05ace5bb0070c68a0193aa05d3c25d4c83 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Tue, 10 Sep 2024 21:06:36 +0200 Subject: [PATCH] selftests: mptcp: join: restrict fullmesh endp on 1st sf A new endpoint using the IP of the initial subflow has been recently added to increase the code coverage. But it breaks the test when using old kernels not having commit 86e39e04482b ("mptcp: keep track of local endpoint still available for each msk"), e.g. on v5.15. Similar to commit d4c81bbb8600 ("selftests: mptcp: join: support local endpoint being tracked or not"), it is possible to add the new endpoint conditionally, by checking if "mptcp_pm_subflow_check_next" is present in kallsyms: this is not directly linked to the commit introducing this symbol but for the parent one which is linked anyway. So we can know in advance what will be the expected behaviour, and add the new endpoint only when it makes sense to do so. Fixes: 4878f9f8421f ("selftests: mptcp: join: validate fullmesh endp on 1st sf") Cc: stable(a)vger.kernel.org Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240910-net-selftests-mptcp-fix-install-v1-1-8f12… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index a4762c49a878..cde041c93906 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -3064,7 +3064,9 @@ fullmesh_tests() pm_nl_set_limits $ns1 1 3 pm_nl_set_limits $ns2 1 3 pm_nl_add_endpoint $ns1 10.0.2.1 flags signal - pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh + if mptcp_lib_kallsyms_has "mptcp_pm_subflow_check_next$"; then + pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh + fi fullmesh=1 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 chk_join_nr 3 3 3

1 year

2
1
0 0

[PATCH] rust: sync: fix incorrect Sync bounds for LockedBy

by Alice Ryhl

The `impl Sync for LockedBy` implementation has insufficient trait bounds, as it only requires `T: Send`. However, `T: Sync` is also required for soundness because the `LockedBy::access` method could be used to provide shared access to the inner value from several threads in parallel. Cc: stable(a)vger.kernel.org Fixes: 7b1f55e3a984 ("rust: sync: introduce `LockedBy`") Signed-off-by: Alice Ryhl <aliceryhl(a)google.com> --- rust/kernel/sync/locked_by.rs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rust/kernel/sync/locked_by.rs b/rust/kernel/sync/locked_by.rs index babc731bd5f6..153ba4edcb03 100644 --- a/rust/kernel/sync/locked_by.rs +++ b/rust/kernel/sync/locked_by.rs @@ -83,9 +83,10 @@ pub struct LockedBy<T: ?Sized, U: ?Sized> { // SAFETY: `LockedBy` can be transferred across thread boundaries iff the data it protects can. unsafe impl<T: ?Sized + Send, U: ?Sized> Send for LockedBy<T, U> {} -// SAFETY: `LockedBy` serialises the interior mutability it provides, so it is `Sync` as long as the -// data it protects is `Send`. -unsafe impl<T: ?Sized + Send, U: ?Sized> Sync for LockedBy<T, U> {} +// SAFETY: Shared access to the `LockedBy` can provide both `&mut T` references in a synchronized +// manner, or `&T` access in an unsynchronized manner. The `Send` trait is sufficient for the first +// case, and `Sync` is sufficient for the second case. +unsafe impl<T: ?Sized + Send + Sync, U: ?Sized> Sync for LockedBy<T, U> {} impl<T, U> LockedBy<T, U> { /// Constructs a new instance of [`LockedBy`]. @@ -127,7 +128,7 @@ pub fn access<'a>(&'a self, owner: &'a U) -> &'a T { panic!("mismatched owners"); } - // SAFETY: `owner` is evidence that the owner is locked. + // SAFETY: `owner` is evidence that there are only shared references to the owner. unsafe { &*self.data.get() } } --- base-commit: 93dc3be19450447a3a7090bd1dfb9f3daac3e8d2 change-id: 20240912-locked-by-sync-fix-07193df52f98 Best regards, -- Alice Ryhl <aliceryhl(a)google.com>

1 year

4
6
0 0

+ zram-free-secondary-algorithms-names.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: zram: free secondary algorithms names has been added to the -mm mm-unstable branch. Its filename is zram-free-secondary-algorithms-names.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Subject: zram: free secondary algorithms names Date: Wed, 11 Sep 2024 11:54:56 +0900 We need to kfree() secondary algorithms names when reset zram device that had multi-streams, otherwise we leak memory. Link: https://lkml.kernel.org/r/20240911025600.3681789-1-senozhatsky@chromium.org Fixes: 001d92735701 ("zram: add recompression algorithm sysfs knob") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/block/zram/zram_drv.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/block/zram/zram_drv.c~zram-free-secondary-algorithms-names +++ a/drivers/block/zram/zram_drv.c @@ -2112,6 +2112,13 @@ static void zram_destroy_comps(struct zr zram->num_active_comps--; } + for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + if (!zram->comp_algs[prio]) + continue; + kfree(zram->comp_algs[prio]); + zram->comp_algs[prio] = NULL; + } + zram_comp_params_reset(zram); } _ Patches currently in -mm which might be from senozhatsky(a)chromium.org are zsmalloc-use-unique-zsmalloc-caches-names.patch zram-free-secondary-algorithms-names.patch

1 year

1
0
0 0

[PATCH v3] dt-bindings: serial: rs485: Fix rs485-rts-delay property

by Michal Simek

Code expects array only with 2 items which should be checked. But also item checking is not working as it should likely because of incorrect items description. Fixes: d50f974c4f7f ("dt-bindings: serial: Convert rs485 bindings to json-schema") Signed-off-by: Michal Simek <michal.simek(a)amd.com> Cc: <stable(a)vger.kernel.org> --- Changes in v3: - Remove incorrectly assigned value for the first item 50/100 because of my testing Changes in v2: - Remove maxItems properties which are not needed - Add stable ML to CC .../devicetree/bindings/serial/rs485.yaml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/Documentation/devicetree/bindings/serial/rs485.yaml b/Documentation/devicetree/bindings/serial/rs485.yaml index 9418fd66a8e9..b93254ad2a28 100644 --- a/Documentation/devicetree/bindings/serial/rs485.yaml +++ b/Documentation/devicetree/bindings/serial/rs485.yaml @@ -18,16 +18,15 @@ properties: description: prop-encoded-array <a b> $ref: /schemas/types.yaml#/definitions/uint32-array items: - items: - - description: Delay between rts signal and beginning of data sent in - milliseconds. It corresponds to the delay before sending data. - default: 0 - maximum: 100 - - description: Delay between end of data sent and rts signal in milliseconds. - It corresponds to the delay after sending data and actual release - of the line. - default: 0 - maximum: 100 + - description: Delay between rts signal and beginning of data sent in + milliseconds. It corresponds to the delay before sending data. + default: 0 + maximum: 100 + - description: Delay between end of data sent and rts signal in milliseconds. + It corresponds to the delay after sending data and actual release + of the line. + default: 0 + maximum: 100 rs485-rts-active-high: description: drive RTS high when sending (this is the default). -- 2.43.0

1 year

2
1
0 0

+ ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: reserve space for inline xattr before attaching reflink tree has been added to the -mm mm-hotfixes-unstable branch. Its filename is ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Subject: ocfs2: reserve space for inline xattr before attaching reflink tree Date: Thu, 12 Sep 2024 06:47:20 +0000 One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case upto 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Link: https://lkml.kernel.org/r/20240912064720.898600-1-gautham.ananthakrishna@or… Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) --- a/fs/ocfs2/refcounttree.c~ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree +++ a/fs/ocfs2/refcounttree.c @@ -25,6 +25,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4155,8 +4156,9 @@ static int __ocfs2_reflink(struct dentry int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4182,6 +4184,26 @@ static int __ocfs2_reflink(struct dentry goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = new_bh->b_data; + struct ocfs2_dinode *old_di = old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4189,7 +4211,7 @@ static int __ocfs2_reflink(struct dentry goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); --- a/fs/ocfs2/xattr.c~ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree +++ a/fs/ocfs2/xattr.c @@ -6520,16 +6520,7 @@ static int ocfs2_reflink_xattr_inline(st } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); _ Patches currently in -mm which might be from gautham.ananthakrishna(a)oracle.com are ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch

1 year

1
0
0 0

[PATCH] crypto: Fix logical operator in _aead_recvmsg()

by George Rurikov

From: MrRurikov <grurikovsherbakov(a)yandex.ru> After having been compared to a NULL value at algif_aead.c:191, pointer 'tsgl_src' is passed as 2nd parameter in call to function 'crypto_aead_copy_sgl' at algif_aead.c:244, where it is dereferenced at algif_aead.c:85. Change logical operator from && to || because pointer 'tsgl_src' is NULL, then 'proccessed' will still be non-null Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code") Signed-off-by: MrRurikov <grurikovsherbakov(a)yandex.ru> --- crypto/algif_aead.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index 7d58cbbce4af..135f09a4b3f8 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -191,7 +191,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, if (tsgl_src) break; } - if (processed && !tsgl_src) { + if (processed || !tsgl_src) { err = -EFAULT; goto free; } -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

1 year

4
3
0 0

[PATCH v5.4-v4.19] gpio: prevent potential speculation leaks in gpio_device_get_desc()

by hsimeliere.opensource＠witekio.com

From: Hagar Hemdan <hagarhem(a)amazon.com> commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream. Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpio_ioctl() with an offset out of range. Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization in gpio_device_get_desc(). This change ensures that the offset is sanitized by using array_index_nospec() to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- drivers/gpio/gpiolib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index abdf448b11a3..f83b2214d704 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -4,6 +4,7 @@ #include <linux/module.h> #include <linux/interrupt.h> #include <linux/irq.h> +#include <linux/nospec.h> #include <linux/spinlock.h> #include <linux/list.h> #include <linux/device.h> @@ -147,7 +148,7 @@ struct gpio_desc *gpiochip_get_desc(struct gpio_chip *chip, if (hwnum >= gdev->ngpio) return ERR_PTR(-EINVAL); - return &gdev->descs[hwnum]; + return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)]; } /** -- 2.43.0

1 year

1
0
0 0

[PATCH v6.1-v5.10] gpio: prevent potential speculation leaks in gpio_device_get_desc()

by hsimeliere.opensource＠witekio.com

From: Hagar Hemdan <hagarhem(a)amazon.com> commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream. Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpio_ioctl() with an offset out of range. Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization in gpio_device_get_desc(). This change ensures that the offset is sanitized by using array_index_nospec() to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- drivers/gpio/gpiolib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 9d8c78312403..a0c1dabd2939 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -5,6 +5,7 @@ #include <linux/module.h> #include <linux/interrupt.h> #include <linux/irq.h> +#include <linux/nospec.h> #include <linux/spinlock.h> #include <linux/list.h> #include <linux/device.h> @@ -146,7 +147,7 @@ struct gpio_desc *gpiochip_get_desc(struct gpio_chip *gc, if (hwnum >= gdev->ngpio) return ERR_PTR(-EINVAL); - return &gdev->descs[hwnum]; + return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)]; } EXPORT_SYMBOL_GPL(gpiochip_get_desc); -- 2.43.0

1 year

1
0
0 0

Re: [PATCH 6.10 000/121] 6.10.11-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

1 year

1
0
0 0

[PATCH 6.10] LoongArch: KVM: Remove unnecessary definition of KVM_PRIVATE_MEM_SLOTS

by WangYuli

From: Yuli Wang <wangyuli(a)uniontech.com> [ Upstream commit 296b03ce389b4f7b3d7ea5664e53d432fb17e745 ] 1. "KVM_PRIVATE_MEM_SLOTS" is renamed as "KVM_INTERNAL_MEM_SLOTS". 2. "KVM_INTERNAL_MEM_SLOTS" defaults to zero, so it is not necessary to define it in LoongArch's asm/kvm_host.h. Link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… Link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… Reviewed-by: Bibo Mao <maobibo(a)loongson.cn> Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> Signed-off-by: Yuli Wang <wangyuli(a)uniontech.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/include/asm/kvm_host.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/arch/loongarch/include/asm/kvm_host.h b/arch/loongarch/include/asm/kvm_host.h index c87b6ea0ec47..d348005d143e 100644 --- a/arch/loongarch/include/asm/kvm_host.h +++ b/arch/loongarch/include/asm/kvm_host.h @@ -26,8 +26,6 @@ #define KVM_MAX_VCPUS 256 #define KVM_MAX_CPUCFG_REGS 21 -/* memory slots that does not exposed to userspace */ -#define KVM_PRIVATE_MEM_SLOTS 0 #define KVM_HALT_POLL_NS_DEFAULT 500000 -- 2.43.0

1 year

2
1
0 0

[PATCH v2 3/6] tpm: Return on tpm2_create_primary() failure in tpm2_load_null()

by Jarkko Sakkinen

tpm2_load_null() ignores the return value of tpm2_create_primary(). Further, it does not heal from the situation when memcmp() returns zero. Address this by returning on failure and saving the null key if there was no detected interference in the bus. Cc: stable(a)vger.kernel.org # v6.11+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v2: - Refined the commit message. - Reverted tpm2_create_primary() changes. They are not required if tmp_null_key is used as the parameter. --- drivers/char/tpm/tpm2-sessions.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index d63510ad44ab..9c0356d7ce5e 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -850,22 +850,32 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth, static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset = 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; rc = tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc != -EINVAL) + &tmp_null_key); + if (rc != -EINVAL) { + if (!rc) + *null_key = tmp_null_key; return rc; + } /* an integrity failure may mean the TPM has been reset */ dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) - /* name unchanged, assume transient integrity failure */ + + rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) return rc; + + /* Return the null key if the name has not been changed: */ + if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + *null_key = tmp_null_key; + return 0; + } + /* * Fatal TPM failure: the NULL seed has actually changed, so * the TPM must have been illegally reset. All in-kernel TPM @@ -874,6 +884,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) * userspace programmes can't be compromised by it. */ dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n"); + tpm2_flush_context(chip, tmp_null_key); chip->flags |= TPM_CHIP_FLAG_DISABLE; return rc; -- 2.46.0

1 year

1
0
0 0

[PATCH v2 2/6] tpm: Return on tpm2_create_null_primary() failure

by Jarkko Sakkinen

tpm2_sessions_init() ignores the return value of tpm2_create_null_primary(). Address this by returning on failure. Cc: stable(a)vger.kernel.org # v6.11+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v2: - Refined the commit message. --- drivers/char/tpm/tpm2-sessions.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6cc1ea81c57c..d63510ad44ab 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1288,8 +1288,10 @@ int tpm2_sessions_init(struct tpm_chip *chip) int rc; rc = tpm2_create_null_primary(chip); - if (rc) + if (rc) { dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc); + return rc; + } chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); if (!chip->auth) -- 2.46.0

1 year

1
0
0 0

[PATCH 6.6] drm/amd/display: Fix subvp+drr logic errors

by Murad Masimov

From: Alvin Lee <alvin.lee2(a)amd.com> commit 8a0f02b7beed7b2b768dbdf3b79960de68f460c5 upstream. [Why] There is some logic error where the wrong variable was used to check for OTG_MASTER and DPP_PIPE. [How] Add booleans to confirm that the expected pipes were found before validating schedulability. Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Acked-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Reviewed-by: Samson Tam <samson.tam(a)amd.com> Reviewed-by: Chaitanya Dhere <chaitanya.dhere(a)amd.com> Signed-off-by: Alvin Lee <alvin.lee2(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Murad Masimov <m.masimov(a)maxima.ru> --- .../drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c index 3d82cbef1274..7160380d5690 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c +++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c @@ -879,6 +879,8 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context) int16_t stretched_drr_us = 0; int16_t drr_stretched_vblank_us = 0; int16_t max_vblank_mallregion = 0; + bool subvp_found = false; + bool drr_found = false; // Find SubVP pipe for (i = 0; i < dc->res_pool->pipe_count; i++) { @@ -891,8 +893,10 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context) continue; // Find the SubVP pipe - if (pipe->stream->mall_stream_config.type == SUBVP_MAIN) + if (pipe->stream->mall_stream_config.type == SUBVP_MAIN) { + subvp_found = true; break; + } } // Find the DRR pipe @@ -900,15 +904,20 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context) drr_pipe = &context->res_ctx.pipe_ctx[i]; // We check for master pipe only - if (!resource_is_pipe_type(pipe, OTG_MASTER) || - !resource_is_pipe_type(pipe, DPP_PIPE)) + if (!resource_is_pipe_type(drr_pipe, OTG_MASTER) || + !resource_is_pipe_type(drr_pipe, DPP_PIPE)) continue; if (drr_pipe->stream->mall_stream_config.type == SUBVP_NONE && drr_pipe->stream->ignore_msa_timing_param && - (drr_pipe->stream->allow_freesync || drr_pipe->stream->vrr_active_variable)) + (drr_pipe->stream->allow_freesync || drr_pipe->stream->vrr_active_variable)) { + drr_found = true; break; + } } + if (!subvp_found || !drr_found) + return false; + main_timing = &pipe->stream->timing; phantom_timing = &pipe->stream->mall_stream_config.paired_stream->timing; drr_timing = &drr_pipe->stream->timing; -- 2.39.2

1 year

1
0
0 0

[PATCH 6.1] drm/amd/display: Fix subvp+drr logic errors

by Murad Masimov

From: Alvin Lee <alvin.lee2(a)amd.com> commit 8a0f02b7beed7b2b768dbdf3b79960de68f460c5 upstream. [Why] There is some logic error where the wrong variable was used to check for OTG_MASTER and DPP_PIPE. [How] Add booleans to confirm that the expected pipes were found before validating schedulability. Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Acked-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Reviewed-by: Samson Tam <samson.tam(a)amd.com> Reviewed-by: Chaitanya Dhere <chaitanya.dhere(a)amd.com> Signed-off-by: Alvin Lee <alvin.lee2(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [m.masimov(a)maxima.ru: In order to adapt this patch to branch 6.1 only changes related to finding the SubVP pipe were applied as in 6.1 drr_pipe is passed as a function argument.] Signed-off-by: Murad Masimov <m.masimov(a)maxima.ru> --- drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c index 85e0d1c2a908..4b0719392d28 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c +++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c @@ -862,6 +862,7 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context, struc int16_t stretched_drr_us = 0; int16_t drr_stretched_vblank_us = 0; int16_t max_vblank_mallregion = 0; + bool subvp_found = false; // Find SubVP pipe for (i = 0; i < dc->res_pool->pipe_count; i++) { @@ -873,10 +874,15 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context, struc continue; // Find the SubVP pipe - if (pipe->stream->mall_stream_config.type == SUBVP_MAIN) + if (pipe->stream->mall_stream_config.type == SUBVP_MAIN) { + subvp_found = true; break; + } } + if (!subvp_found) + return false; + main_timing = &pipe->stream->timing; phantom_timing = &pipe->stream->mall_stream_config.paired_stream->timing; drr_timing = &drr_pipe->stream->timing; -- 2.39.2

1 year

1
0
0 0

[PATCH 6.10] LoongArch: KVM: Remove undefined a6 argument comment for kvm_hypercall()

by WangYuli

From: Dandan Zhang <zhangdandan(a)uniontech.com> The kvm_hypercall() set for LoongArch is limited to a1-a5. So the mention of a6 in the comment is undefined that needs to be rectified. Reviewed-by: Bibo Mao <maobibo(a)loongson.cn> Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> Signed-off-by: Dandan Zhang <zhangdandan(a)uniontech.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- arch/loongarch/include/asm/kvm_para.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/loongarch/include/asm/kvm_para.h b/arch/loongarch/include/asm/kvm_para.h index 4ba2312e5f8c..6d5e9b6c5714 100644 --- a/arch/loongarch/include/asm/kvm_para.h +++ b/arch/loongarch/include/asm/kvm_para.h @@ -28,9 +28,9 @@ * Hypercall interface for KVM hypervisor * * a0: function identifier - * a1-a6: args + * a1-a5: args * Return value will be placed in a0. - * Up to 6 arguments are passed in a1, a2, a3, a4, a5, a6. + * Up to 5 arguments are passed in a1, a2, a3, a4, a5. */ static __always_inline long kvm_hypercall0(u64 fid) { -- 2.43.0

1 year

2
2
0 0

[PATCH] HID: plantronics: Additional PID for double volume key presses quirk

by Wade Wang

Add the below headsets for double volume key presses quirk Plantronics EncorePro 500 Series (047f:431e) Plantronics Blackwire_3325 Series (047f:430c) Quote from previous patch by Maxim Mikityanskiy and Terry Junge 'commit f567d6ef8606 ("HID: plantronics: Workaround for double volume key presses")' 'commit 3d57f36c89d8 ("HID: plantronics: Additional PIDs for double volume key presses quirk")' These Plantronics Series headset sends an opposite volume key following each volume key press. This patch adds a quirk to hid-plantronics for this product ID, which will ignore the second opposite volume key press if it happens within 250 ms from the last one that was handled. Cc: stable(a)vger.kernel.org Signed-off-by: Wade Wang <wade.wang(a)hp.com> --- drivers/hid/hid-ids.h | 2 ++ drivers/hid/hid-plantronics.c | 11 +++++++++++ 2 files changed, 13 insertions(+) diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h index 781c5aa29859..a0aaac98a891 100644 --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -1050,6 +1050,8 @@ #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056 #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES 0xc057 #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES 0xc058 +#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES 0x430c +#define USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES 0x431e #define USB_VENDOR_ID_PANASONIC 0x04da #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044 diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c index 3d414ae194ac..2a19f3646ecb 100644 --- a/drivers/hid/hid-plantronics.c +++ b/drivers/hid/hid-plantronics.c @@ -38,8 +38,10 @@ (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER) #define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0) +#define PLT_QUIRK_FOLLOWED_VOLUME_UP_DN_KEYS BIT(1) #define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */ +#define PLT_FOLLOWED_KEY_TIMEOUT 250 /* ms */ struct plt_drv_data { unsigned long device_type; @@ -134,6 +136,9 @@ static int plantronics_event(struct hid_device *hdev, struct hid_field *field, cur_ts = jiffies; if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT) return 1; /* Ignore the repeated key. */ + if ((drv_data->quirks & PLT_QUIRK_FOLLOWED_VOLUME_UP_DN_KEYS) + && jiffies_to_msecs(cur_ts - prev_ts) <= PLT_FOLLOWED_KEY_TIMEOUT) + return 1; /* Ignore the followed volume key. */ drv_data->last_volume_key_ts = cur_ts; } @@ -210,6 +215,12 @@ static const struct hid_device_id plantronics_devices[] = { { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES), .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, + USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES), + .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS|PLT_QUIRK_FOLLOWED_VOLUME_UP_DN_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, + USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES), + .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS|PLT_QUIRK_FOLLOWED_VOLUME_UP_DN_KEYS }, { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, { } }; -- 2.34.1

1 year

4
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror