- Linux-stable-mirror - lists.linaro.org

[PATCH 6.1.y] cifs: Convert struct fealist away from 1-element array

by Vitaly Chikunov

From: Kees Cook <keescook(a)chromium.org> commit 398d5843c03261a2b68730f2f00643826bcec6ba upstream. The kernel is globally removing the ambiguous 0-length and 1-element arrays in favor of flexible arrays, so that we can gain both compile-time and run-time array bounds checking[1]. While struct fealist is defined as a "fake" flexible array (via a 1-element array), it is only used for examination of the first array element. Walking the list is performed separately, so there is no reason to treat the "list" member of struct fealist as anything other than a single entry. Adjust the struct and code to match. Additionally, struct fea uses the "name" member either as a dynamic string, or is manually calculated from the start of the struct. Redefine the member as a flexible array. No machine code output differences are produced after these changes. [1] For lots of details, see both: https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element… https://people.kernel.org/kees/bounded-flexible-arrays-in-c Cc: Steve French <sfrench(a)samba.org> Cc: Paulo Alcantara <pc(a)cjr.nz> Cc: Ronnie Sahlberg <lsahlber(a)redhat.com> Cc: Shyam Prasad N <sprasad(a)microsoft.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: linux-cifs(a)vger.kernel.org Cc: samba-technical(a)lists.samba.org Signed-off-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> [ vt: Tested to not break build on x86_64 over v6.1.78. Bug report at [1]. ] Link: https://lore.kernel.org/all/qjyfz2xftsbch6aozgplxyjfyqnuhn7j44udrucls4pqa5e… Cc: stable(a)vger.kernel.org # 6.1 Signed-off-by: Vitaly Chikunov <vt(a)altlinux.org> --- fs/smb/client/cifspdu.h | 4 ++-- fs/smb/client/cifssmb.c | 16 ++++++++-------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/fs/smb/client/cifspdu.h b/fs/smb/client/cifspdu.h index 97bb1838555b..96ed0a4a2ce2 100644 --- a/fs/smb/client/cifspdu.h +++ b/fs/smb/client/cifspdu.h @@ -2593,7 +2593,7 @@ struct fea { unsigned char EA_flags; __u8 name_len; __le16 value_len; - char name[1]; + char name[]; /* optionally followed by value */ } __attribute__((packed)); /* flags for _FEA.fEA */ @@ -2601,7 +2601,7 @@ struct fea { struct fealist { __le32 list_len; - struct fea list[1]; + struct fea list; } __attribute__((packed)); /* used to hold an arbitrary blob of data */ diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c index 67c5fc2b2db9..784fc5ba2c44 100644 --- a/fs/smb/client/cifssmb.c +++ b/fs/smb/client/cifssmb.c @@ -5697,7 +5697,7 @@ CIFSSMBQAllEAs(const unsigned int xid, struct cifs_tcon *tcon, /* account for ea list len */ list_len -= 4; - temp_fea = ea_response_data->list; + temp_fea = &ea_response_data->list; temp_ptr = (char *)temp_fea; while (list_len > 0) { unsigned int name_len; @@ -5812,7 +5812,7 @@ CIFSSMBSetEA(const unsigned int xid, struct cifs_tcon *tcon, else name_len = strnlen(ea_name, 255); - count = sizeof(*parm_data) + ea_value_len + name_len; + count = sizeof(*parm_data) + 1 + ea_value_len + name_len; pSMB->MaxParameterCount = cpu_to_le16(2); /* BB find max SMB PDU from sess */ pSMB->MaxDataCount = cpu_to_le16(1000); @@ -5836,14 +5836,14 @@ CIFSSMBSetEA(const unsigned int xid, struct cifs_tcon *tcon, byte_count = 3 /* pad */ + params + count; pSMB->DataCount = cpu_to_le16(count); parm_data->list_len = cpu_to_le32(count); - parm_data->list[0].EA_flags = 0; + parm_data->list.EA_flags = 0; /* we checked above that name len is less than 255 */ - parm_data->list[0].name_len = (__u8)name_len; + parm_data->list.name_len = (__u8)name_len; /* EA names are always ASCII */ if (ea_name) - strncpy(parm_data->list[0].name, ea_name, name_len); - parm_data->list[0].name[name_len] = 0; - parm_data->list[0].value_len = cpu_to_le16(ea_value_len); + strncpy(parm_data->list.name, ea_name, name_len); + parm_data->list.name[name_len] = '\0'; + parm_data->list.value_len = cpu_to_le16(ea_value_len); /* caller ensures that ea_value_len is less than 64K but we need to ensure that it fits within the smb */ @@ -5851,7 +5851,7 @@ CIFSSMBSetEA(const unsigned int xid, struct cifs_tcon *tcon, negotiated SMB buffer size BB */ /* if (ea_value_len > buffer_size - 512 (enough for header)) */ if (ea_value_len) - memcpy(parm_data->list[0].name+name_len+1, + memcpy(parm_data->list.name + name_len + 1, ea_value, ea_value_len); pSMB->TotalDataCount = pSMB->DataCount; -- 2.42.1

1 year, 6 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: don't drop extent_map for free space inode on write" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021802-crunchy-presoak-d1f4@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 5571e41ec6e5 ("btrfs: don't drop extent_map for free space inode on write error") 4c0c8cfc8433 ("btrfs: move btrfs_drop_extent_cache() to extent_map.c") cef7820d6abf ("btrfs: fix missed extent on fsync after dropping extent maps") 570eb97bace8 ("btrfs: unify the lock/unlock extent variants") dbbf49928f2e ("btrfs: remove the wake argument from clear_extent_bits") e3974c669472 ("btrfs: move core extent_io_tree functions to extent-io-tree.c") 38830018387e ("btrfs: move a few exported extent_io_tree helpers to extent-io-tree.c") 04eba8932392 ("btrfs: temporarily export and then move extent state helpers") 91af24e48474 ("btrfs: temporarily export and move core extent_io_tree tree functions") 6962541e964f ("btrfs: move btrfs_debug_check_extent_io_range into extent-io-tree.c") ec39e39bbf97 ("btrfs: export wait_extent_bit") a66318872c41 ("btrfs: move simple extent bit helpers out of extent_io.c") ad795329574c ("btrfs: convert BUG_ON(EXTENT_BIT_LOCKED) checks to ASSERT's") 83cf709a89fb ("btrfs: move extent state init and alloc functions to their own file") c45379a20fbc ("btrfs: temporarily export alloc_extent_state helpers") a40246e8afc0 ("btrfs: separate out the eb and extent state leak helpers") a62a3bd9546b ("btrfs: separate out the extent state and extent buffer init code") 87c11705cc94 ("btrfs: convert the io_failure_tree to a plain rb_tree") a2061748052c ("btrfs: unexport internal failrec functions") 0d0a762c419a ("btrfs: rename clean_io_failure and remove extraneous args") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade Mon Sep 17 00:00:00 2001 From: Josef Bacik <josef(a)toxicpanda.com> Date: Wed, 31 Jan 2024 14:27:25 -0500 Subject: [PATCH] btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: <TASK> extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test. CC: stable(a)vger.kernel.org # 4.14+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 7bcc1c03437a..d232eca1bbee 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -3184,8 +3184,23 @@ int btrfs_finish_one_ordered(struct btrfs_ordered_extent *ordered_extent) unwritten_start += logical_len; clear_extent_uptodate(io_tree, unwritten_start, end, NULL); - /* Drop extent maps for the part of the extent we didn't write. */ - btrfs_drop_extent_map_range(inode, unwritten_start, end, false); + /* + * Drop extent maps for the part of the extent we didn't write. + * + * We have an exception here for the free_space_inode, this is + * because when we do btrfs_get_extent() on the free space inode + * we will search the commit root. If this is a new block group + * we won't find anything, and we will trip over the assert in + * writepage where we do ASSERT(em->block_start != + * EXTENT_MAP_HOLE). + * + * Theoretically we could also skip this for any NOCOW extent as + * we don't mess with the extent map tree in the NOCOW case, but + * for now simply skip this if we are the free space inode. + */ + if (!btrfs_is_free_space_inode(inode)) + btrfs_drop_extent_map_range(inode, unwritten_start, + end, false); /* * If the ordered extent had an IOERR or something else went

1 year, 6 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: don't drop extent_map for free space inode on write" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021800-willed-chug-3616@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: 5571e41ec6e5 ("btrfs: don't drop extent_map for free space inode on write error") 4c0c8cfc8433 ("btrfs: move btrfs_drop_extent_cache() to extent_map.c") cef7820d6abf ("btrfs: fix missed extent on fsync after dropping extent maps") 570eb97bace8 ("btrfs: unify the lock/unlock extent variants") dbbf49928f2e ("btrfs: remove the wake argument from clear_extent_bits") e3974c669472 ("btrfs: move core extent_io_tree functions to extent-io-tree.c") 38830018387e ("btrfs: move a few exported extent_io_tree helpers to extent-io-tree.c") 04eba8932392 ("btrfs: temporarily export and then move extent state helpers") 91af24e48474 ("btrfs: temporarily export and move core extent_io_tree tree functions") 6962541e964f ("btrfs: move btrfs_debug_check_extent_io_range into extent-io-tree.c") ec39e39bbf97 ("btrfs: export wait_extent_bit") a66318872c41 ("btrfs: move simple extent bit helpers out of extent_io.c") ad795329574c ("btrfs: convert BUG_ON(EXTENT_BIT_LOCKED) checks to ASSERT's") 83cf709a89fb ("btrfs: move extent state init and alloc functions to their own file") c45379a20fbc ("btrfs: temporarily export alloc_extent_state helpers") a40246e8afc0 ("btrfs: separate out the eb and extent state leak helpers") a62a3bd9546b ("btrfs: separate out the extent state and extent buffer init code") 87c11705cc94 ("btrfs: convert the io_failure_tree to a plain rb_tree") a2061748052c ("btrfs: unexport internal failrec functions") 0d0a762c419a ("btrfs: rename clean_io_failure and remove extraneous args") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade Mon Sep 17 00:00:00 2001 From: Josef Bacik <josef(a)toxicpanda.com> Date: Wed, 31 Jan 2024 14:27:25 -0500 Subject: [PATCH] btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: <TASK> extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test. CC: stable(a)vger.kernel.org # 4.14+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 7bcc1c03437a..d232eca1bbee 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -3184,8 +3184,23 @@ int btrfs_finish_one_ordered(struct btrfs_ordered_extent *ordered_extent) unwritten_start += logical_len; clear_extent_uptodate(io_tree, unwritten_start, end, NULL); - /* Drop extent maps for the part of the extent we didn't write. */ - btrfs_drop_extent_map_range(inode, unwritten_start, end, false); + /* + * Drop extent maps for the part of the extent we didn't write. + * + * We have an exception here for the free_space_inode, this is + * because when we do btrfs_get_extent() on the free space inode + * we will search the commit root. If this is a new block group + * we won't find anything, and we will trip over the assert in + * writepage where we do ASSERT(em->block_start != + * EXTENT_MAP_HOLE). + * + * Theoretically we could also skip this for any NOCOW extent as + * we don't mess with the extent map tree in the NOCOW case, but + * for now simply skip this if we are the free space inode. + */ + if (!btrfs_is_free_space_inode(inode)) + btrfs_drop_extent_map_range(inode, unwritten_start, + end, false); /* * If the ordered extent had an IOERR or something else went

1 year, 6 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: don't drop extent_map for free space inode on write" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021858-sharpie-diffusive-52e1@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 5571e41ec6e5 ("btrfs: don't drop extent_map for free space inode on write error") 4c0c8cfc8433 ("btrfs: move btrfs_drop_extent_cache() to extent_map.c") cef7820d6abf ("btrfs: fix missed extent on fsync after dropping extent maps") 570eb97bace8 ("btrfs: unify the lock/unlock extent variants") dbbf49928f2e ("btrfs: remove the wake argument from clear_extent_bits") e3974c669472 ("btrfs: move core extent_io_tree functions to extent-io-tree.c") 38830018387e ("btrfs: move a few exported extent_io_tree helpers to extent-io-tree.c") 04eba8932392 ("btrfs: temporarily export and then move extent state helpers") 91af24e48474 ("btrfs: temporarily export and move core extent_io_tree tree functions") 6962541e964f ("btrfs: move btrfs_debug_check_extent_io_range into extent-io-tree.c") ec39e39bbf97 ("btrfs: export wait_extent_bit") a66318872c41 ("btrfs: move simple extent bit helpers out of extent_io.c") ad795329574c ("btrfs: convert BUG_ON(EXTENT_BIT_LOCKED) checks to ASSERT's") 83cf709a89fb ("btrfs: move extent state init and alloc functions to their own file") c45379a20fbc ("btrfs: temporarily export alloc_extent_state helpers") a40246e8afc0 ("btrfs: separate out the eb and extent state leak helpers") a62a3bd9546b ("btrfs: separate out the extent state and extent buffer init code") 87c11705cc94 ("btrfs: convert the io_failure_tree to a plain rb_tree") a2061748052c ("btrfs: unexport internal failrec functions") 0d0a762c419a ("btrfs: rename clean_io_failure and remove extraneous args") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade Mon Sep 17 00:00:00 2001 From: Josef Bacik <josef(a)toxicpanda.com> Date: Wed, 31 Jan 2024 14:27:25 -0500 Subject: [PATCH] btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: <TASK> extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test. CC: stable(a)vger.kernel.org # 4.14+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 7bcc1c03437a..d232eca1bbee 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -3184,8 +3184,23 @@ int btrfs_finish_one_ordered(struct btrfs_ordered_extent *ordered_extent) unwritten_start += logical_len; clear_extent_uptodate(io_tree, unwritten_start, end, NULL); - /* Drop extent maps for the part of the extent we didn't write. */ - btrfs_drop_extent_map_range(inode, unwritten_start, end, false); + /* + * Drop extent maps for the part of the extent we didn't write. + * + * We have an exception here for the free_space_inode, this is + * because when we do btrfs_get_extent() on the free space inode + * we will search the commit root. If this is a new block group + * we won't find anything, and we will trip over the assert in + * writepage where we do ASSERT(em->block_start != + * EXTENT_MAP_HOLE). + * + * Theoretically we could also skip this for any NOCOW extent as + * we don't mess with the extent map tree in the NOCOW case, but + * for now simply skip this if we are the free space inode. + */ + if (!btrfs_is_free_space_inode(inode)) + btrfs_drop_extent_map_range(inode, unwritten_start, + end, false); /* * If the ordered extent had an IOERR or something else went

1 year, 6 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: don't drop extent_map for free space inode on write" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021856-vigorous-supper-1ca1@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 5571e41ec6e5 ("btrfs: don't drop extent_map for free space inode on write error") 4c0c8cfc8433 ("btrfs: move btrfs_drop_extent_cache() to extent_map.c") cef7820d6abf ("btrfs: fix missed extent on fsync after dropping extent maps") 570eb97bace8 ("btrfs: unify the lock/unlock extent variants") dbbf49928f2e ("btrfs: remove the wake argument from clear_extent_bits") e3974c669472 ("btrfs: move core extent_io_tree functions to extent-io-tree.c") 38830018387e ("btrfs: move a few exported extent_io_tree helpers to extent-io-tree.c") 04eba8932392 ("btrfs: temporarily export and then move extent state helpers") 91af24e48474 ("btrfs: temporarily export and move core extent_io_tree tree functions") 6962541e964f ("btrfs: move btrfs_debug_check_extent_io_range into extent-io-tree.c") ec39e39bbf97 ("btrfs: export wait_extent_bit") a66318872c41 ("btrfs: move simple extent bit helpers out of extent_io.c") ad795329574c ("btrfs: convert BUG_ON(EXTENT_BIT_LOCKED) checks to ASSERT's") 83cf709a89fb ("btrfs: move extent state init and alloc functions to their own file") c45379a20fbc ("btrfs: temporarily export alloc_extent_state helpers") a40246e8afc0 ("btrfs: separate out the eb and extent state leak helpers") a62a3bd9546b ("btrfs: separate out the extent state and extent buffer init code") 87c11705cc94 ("btrfs: convert the io_failure_tree to a plain rb_tree") a2061748052c ("btrfs: unexport internal failrec functions") 0d0a762c419a ("btrfs: rename clean_io_failure and remove extraneous args") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade Mon Sep 17 00:00:00 2001 From: Josef Bacik <josef(a)toxicpanda.com> Date: Wed, 31 Jan 2024 14:27:25 -0500 Subject: [PATCH] btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: <TASK> extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test. CC: stable(a)vger.kernel.org # 4.14+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 7bcc1c03437a..d232eca1bbee 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -3184,8 +3184,23 @@ int btrfs_finish_one_ordered(struct btrfs_ordered_extent *ordered_extent) unwritten_start += logical_len; clear_extent_uptodate(io_tree, unwritten_start, end, NULL); - /* Drop extent maps for the part of the extent we didn't write. */ - btrfs_drop_extent_map_range(inode, unwritten_start, end, false); + /* + * Drop extent maps for the part of the extent we didn't write. + * + * We have an exception here for the free_space_inode, this is + * because when we do btrfs_get_extent() on the free space inode + * we will search the commit root. If this is a new block group + * we won't find anything, and we will trip over the assert in + * writepage where we do ASSERT(em->block_start != + * EXTENT_MAP_HOLE). + * + * Theoretically we could also skip this for any NOCOW extent as + * we don't mess with the extent map tree in the NOCOW case, but + * for now simply skip this if we are the free space inode. + */ + if (!btrfs_is_free_space_inode(inode)) + btrfs_drop_extent_map_range(inode, unwritten_start, + end, false); /* * If the ordered extent had an IOERR or something else went

1 year, 6 months

1
0
0 0

Btrfs fixes for 6.7.x

by David Sterba

Hi, there's been a bug in btrfs space reservation since 6.7 that is now affecting quite some users. I'd like to ask to add the fix right after it got merged to Linus' tree so it can possibly be released in 6.7.5. All apply cleanly on top of current 6.7.x tree. Thanks. 1693d5442c458ae8d5b0d58463b873cd879569ed f4a9f219411f318ae60d6ff7f129082a75686c6c 12c5128f101bfa47a08e4c0e1a75cfa2d0872bcd 2f6397e448e689adf57e6788c90f913abd7e1af8 Short ids with subjects: 1693d5442c45 btrfs: add and use helper to check if block group is used f4a9f219411f btrfs: do not delete unused block group if it may be used soon 12c5128f101b btrfs: add new unused block groups to the list of unused block groups 2f6397e448e6 btrfs: don't refill whole delayed refs block reserve when starting transaction

1 year, 6 months

2
1
0 0

please pick up 4ef9ad19e17676 ("mm: huge_memory: don't force huge page alignment on 32 bit") in linux-6.7.y

by Thorsten Leemhuis

Hi Greg! It seems to me that two of my mails to you[1] fell through the cracks during the last two weeks, so I'm trying again with this main that is not a reply to the earlier thread: Could you please pick up 4ef9ad19e17676 ("mm: huge_memory: don't force huge page alignment on 32 bit") in linux-6.7.y? The author ACKed that[2]. And btw: you might also want to pick up c4608d1bf7c653 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") as well. Its stable tag contains a typo, hence I guess your scripts have missed it (I only noticed that by chance). Ciao, Thorsten [1] https://lore.kernel.org/all/dc9f8eab-ec5c-46f1-a168-c510650d1cac@leemhuis.i… https://lore.kernel.org/all/1354c5d5-99b7-4178-bcf5-9ddb776de946@leemhuis.i… [2] https://lore.kernel.org/all/CAHbLzkp7s1CcSE0rc-CpfcCrNtMdepAA5-K+0P4wz11x4S…

1 year, 6 months

2
1
0 0

Re: [PATCH] mm: huge_memory: don't force huge page alignment on 32 bit

by Linux regression tracking (Thorsten Leemhuis)

[adding the stable team] On 05.02.24 18:07, Yang Shi wrote: > On Sat, Feb 3, 2024 at 1:24 AM Thorsten Leemhuis > <regressions(a)leemhuis.info> wrote: >> On 18.01.24 14:35, Yang Shi wrote: >>> >>> The commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP >>> boundaries") caused two issues [1] [2] reported on 32 bit system or compat >>> userspace. >>> >>> It doesn't make too much sense to force huge page alignment on 32 bit >>> system due to the constrained virtual address space. >>> >>> [1] https://lore.kernel.org/linux-mm/CAHbLzkqa1SCBA10yjWTtA2mKCsoK5+M1BthSDL8RO… >>> [2] https://lore.kernel.org/linux-mm/CAHbLzkqa1SCBA10yjWTtA2mKCsoK5+M1BthSDL8RO… >> >> [FWIW, this is now 4ef9ad19e17676 ("mm: huge_memory: don't force huge >> page alignment on 32 bit") in mainline] >> >> Quick question: it it okay to ask Greg to pick this up for linux-6.7.y >> series? > > Yes, definitely. Thanks for following up. In that case: Greg, could you please consider picking up 4ef9ad19e17676 ("mm: huge_memory: don't force huge page alignment on 32 bit") for the next linux-6.7 rc round? tia! Ohh, and btw: you might also want to pick up c4608d1bf7c653 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") if you haven't already done so: its stable tag contains a typo, hence I guess your scripts might have missed it (I only noticed that by chance). Ciao, Thorsten >> I'm wondering because Jiri's report ([1] in above quote) sounded like >> this is something that will affect and annoy quite a few people with the >> linux-6.7.y. >> >> Ciao, Thorsten >> >>> Fixes: efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") >>> Reported-by: Jiri Slaby <jirislaby(a)kernel.org> >>> Reported-by: Suren Baghdasaryan <surenb(a)google.com> >>> Tested-by: Jiri Slaby <jirislaby(a)kernel.org> >>> Tested-by: Suren Baghdasaryan <surenb(a)google.com> >>> Cc: Rik van Riel <riel(a)surriel.com> >>> Cc: Matthew Wilcox <willy(a)infradead.org> >>> Cc: Christopher Lameter <cl(a)linux.com> >>> Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> >>> --- >>> mm/huge_memory.c | 9 +++++++++ >>> 1 file changed, 9 insertions(+) >>> >>> diff --git a/mm/huge_memory.c b/mm/huge_memory.c >>> index 94ef5c02b459..e9fbaccbe0c0 100644 >>> --- a/mm/huge_memory.c >>> +++ b/mm/huge_memory.c >>> @@ -37,6 +37,7 @@ >>> #include <linux/page_owner.h> >>> #include <linux/sched/sysctl.h> >>> #include <linux/memory-tiers.h> >>> +#include <linux/compat.h> >>> >>> #include <asm/tlb.h> >>> #include <asm/pgalloc.h> >>> @@ -811,6 +812,14 @@ static unsigned long __thp_get_unmapped_area(struct file *filp, >>> loff_t off_align = round_up(off, size); >>> unsigned long len_pad, ret; >>> >>> + /* >>> + * It doesn't make too much sense to froce huge page alignment on >>> + * 32 bit system or compat userspace due to the contrained virtual >>> + * address space and address entropy. >>> + */ >>> + if (IS_ENABLED(CONFIG_32BIT) || in_compat_syscall()) >>> + return 0; >>> + >>> if (off_end <= off_align || (off_end - off_align) < size) >>> return 0; >>> > >

1 year, 6 months

3
2
0 0

[PATCH] xtensa: fix MAKE_PC_FROM_RA second argument

by Max Filippov

Xtensa has two-argument MAKE_PC_FROM_RA macro to convert a0 to an actual return address because when windowed ABI is used call{,x}{4,8,12} opcodes stuff encoded window size into the top 2 bits of the register that becomes a return address in the called function. Second argument of that macro is supposed to be an address having these 2 topmost bits set correctly, but the comment suggested that that could be the stack address. However the stack doesn't have to be in the same 1GByte region as the code, especially in noMMU XIP configurations. Fix the comment and use either _text or regs->pc as the second argument for the MAKE_PC_FROM_RA macro. Cc: stable(a)vger.kernel.org Signed-off-by: Max Filippov <jcmvbkbc(a)gmail.com> --- arch/xtensa/include/asm/processor.h | 8 ++++---- arch/xtensa/include/asm/ptrace.h | 2 +- arch/xtensa/kernel/process.c | 5 +++-- arch/xtensa/kernel/stacktrace.c | 3 ++- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/arch/xtensa/include/asm/processor.h b/arch/xtensa/include/asm/processor.h index d008a153a2b9..7ed1a2085bd7 100644 --- a/arch/xtensa/include/asm/processor.h +++ b/arch/xtensa/include/asm/processor.h @@ -115,9 +115,9 @@ #define MAKE_RA_FOR_CALL(ra,ws) (((ra) & 0x3fffffff) | (ws) << 30) /* Convert return address to a valid pc - * Note: We assume that the stack pointer is in the same 1GB ranges as the ra + * Note: 'text' is the address within the same 1GB range as the ra */ -#define MAKE_PC_FROM_RA(ra,sp) (((ra) & 0x3fffffff) | ((sp) & 0xc0000000)) +#define MAKE_PC_FROM_RA(ra, text) (((ra) & 0x3fffffff) | ((unsigned long)(text) & 0xc0000000)) #elif defined(__XTENSA_CALL0_ABI__) @@ -127,9 +127,9 @@ #define MAKE_RA_FOR_CALL(ra, ws) (ra) /* Convert return address to a valid pc - * Note: We assume that the stack pointer is in the same 1GB ranges as the ra + * Note: 'text' is not used as 'ra' is always the full address */ -#define MAKE_PC_FROM_RA(ra, sp) (ra) +#define MAKE_PC_FROM_RA(ra, text) (ra) #else #error Unsupported Xtensa ABI diff --git a/arch/xtensa/include/asm/ptrace.h b/arch/xtensa/include/asm/ptrace.h index a270467556dc..86c70117371b 100644 --- a/arch/xtensa/include/asm/ptrace.h +++ b/arch/xtensa/include/asm/ptrace.h @@ -87,7 +87,7 @@ struct pt_regs { # define user_mode(regs) (((regs)->ps & 0x00000020)!=0) # define instruction_pointer(regs) ((regs)->pc) # define return_pointer(regs) (MAKE_PC_FROM_RA((regs)->areg[0], \ - (regs)->areg[1])) + (regs)->pc)) # ifndef CONFIG_SMP # define profile_pc(regs) instruction_pointer(regs) diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index a815577d25fd..7bd66677f7b6 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -47,6 +47,7 @@ #include <asm/asm-offsets.h> #include <asm/regs.h> #include <asm/hw_breakpoint.h> +#include <asm/sections.h> #include <asm/traps.h> extern void ret_from_fork(void); @@ -380,7 +381,7 @@ unsigned long __get_wchan(struct task_struct *p) int count = 0; sp = p->thread.sp; - pc = MAKE_PC_FROM_RA(p->thread.ra, p->thread.sp); + pc = MAKE_PC_FROM_RA(p->thread.ra, _text); do { if (sp < stack_page + sizeof(struct task_struct) || @@ -392,7 +393,7 @@ unsigned long __get_wchan(struct task_struct *p) /* Stack layout: sp-4: ra, sp-3: sp' */ - pc = MAKE_PC_FROM_RA(SPILL_SLOT(sp, 0), sp); + pc = MAKE_PC_FROM_RA(SPILL_SLOT(sp, 0), _text); sp = SPILL_SLOT(sp, 1); } while (count++ < 16); return 0; diff --git a/arch/xtensa/kernel/stacktrace.c b/arch/xtensa/kernel/stacktrace.c index 831ffb648bda..ed324fdf2a2f 100644 --- a/arch/xtensa/kernel/stacktrace.c +++ b/arch/xtensa/kernel/stacktrace.c @@ -13,6 +13,7 @@ #include <linux/stacktrace.h> #include <asm/ftrace.h> +#include <asm/sections.h> #include <asm/stacktrace.h> #include <asm/traps.h> #include <linux/uaccess.h> @@ -189,7 +190,7 @@ void walk_stackframe(unsigned long *sp, if (a1 <= (unsigned long)sp) break; - frame.pc = MAKE_PC_FROM_RA(a0, a1); + frame.pc = MAKE_PC_FROM_RA(a0, _text); frame.sp = a1; if (fn(&frame, data)) -- 2.39.2

1 year, 6 months

1
0
0 0

Please put the gcc "asm goto" bug workaround into stable

by Linus Torvalds

I didn't think to mark these for stable in the commits, but they definitely should go into the stable queue, since it's a known mis-compilation of the kvm nested guest code with gcc-11 otherwise. The bug technically affects other gcc versions too, but apparently not so that we'd actually notice. It's two commits: 4356e9f841f7 ("work around gcc bugs with 'asm goto' with outputs") 68fb3ca0e408 ("update workarounds for gcc "asm goto" issue") where the first one works around the problem, and the second one ("update") just ends up pinpointing exactly which gcc versions are affected so that future gcc releases won't get the unnecessary workaround. Technically only the first one really needs to go into stable. The second one is more of a judgement call - do you want to match upstream, and do you care about the (very slight) code generation improvement with updated gcc versions? Linus

1 year, 6 months

2
3
0 0

[PATCH 2/6] KVM: x86/xen: inject vCPU upcall vector when local APIC is enabled

by David Woodhouse

From: David Woodhouse <dwmw(a)amazon.co.uk> Linux guests since commit b1c3497e604d ("x86/xen: Add support for HVMOP_set_evtchn_upcall_vector") in v6.0 onwards will use the per-vCPU upcall vector when it's advertised in the Xen CPUID leaves. This upcall is injected through the guest's local APIC as an MSI, unlike the older system vector which was merely injected by the hypervisor any time the CPU was able to receive an interrupt and the upcall_pending flags is set in its vcpu_info. Effectively, that makes the per-CPU upcall edge triggered instead of level triggered, which results in the upcall being lost if the MSI is delivered when the local APIC is *disabled*. Xen checks the vcpu_info->evtchn_upcall_pending flag when the local APIC for a vCPU is software enabled (in fact, on any write to the SPIV register which doesn't disable the APIC). Do the same in KVM since KVM doesn't provide a way for userspace to intervene and trap accesses to the SPIV register of a local APIC emulated by KVM. Fixes: fde0451be8fb3 ("KVM: x86/xen: Support per-vCPU event channel upcall via local APIC") Signed-off-by: David Woodhouse <dwmw(a)amazon.co.uk> Reviewed-by: Paul Durrant <paul(a)xen.org> Cc: stable(a)vger.kernel.org --- arch/x86/kvm/lapic.c | 5 ++++- arch/x86/kvm/xen.c | 2 +- arch/x86/kvm/xen.h | 18 ++++++++++++++++++ 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index 3242f3da2457..75bc7d3f0022 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -41,6 +41,7 @@ #include "ioapic.h" #include "trace.h" #include "x86.h" +#include "xen.h" #include "cpuid.h" #include "hyperv.h" #include "smm.h" @@ -499,8 +500,10 @@ static inline void apic_set_spiv(struct kvm_lapic *apic, u32 val) } /* Check if there are APF page ready requests pending */ - if (enabled) + if (enabled) { kvm_make_request(KVM_REQ_APF_READY, apic->vcpu); + kvm_xen_sw_enable_lapic(apic->vcpu); + } } static inline void kvm_apic_set_xapic_id(struct kvm_lapic *apic, u8 id) diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c index 4a24899bbcfa..847d9e75df6d 100644 --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c @@ -568,7 +568,7 @@ void kvm_xen_update_runstate(struct kvm_vcpu *v, int state) kvm_xen_update_runstate_guest(v, state == RUNSTATE_runnable); } -static void kvm_xen_inject_vcpu_vector(struct kvm_vcpu *v) +void kvm_xen_inject_vcpu_vector(struct kvm_vcpu *v) { struct kvm_lapic_irq irq = { }; int r; diff --git a/arch/x86/kvm/xen.h b/arch/x86/kvm/xen.h index f8f1fe22d090..f5841d9000ae 100644 --- a/arch/x86/kvm/xen.h +++ b/arch/x86/kvm/xen.h @@ -18,6 +18,7 @@ extern struct static_key_false_deferred kvm_xen_enabled; int __kvm_xen_has_interrupt(struct kvm_vcpu *vcpu); void kvm_xen_inject_pending_events(struct kvm_vcpu *vcpu); +void kvm_xen_inject_vcpu_vector(struct kvm_vcpu *vcpu); int kvm_xen_vcpu_set_attr(struct kvm_vcpu *vcpu, struct kvm_xen_vcpu_attr *data); int kvm_xen_vcpu_get_attr(struct kvm_vcpu *vcpu, struct kvm_xen_vcpu_attr *data); int kvm_xen_hvm_set_attr(struct kvm *kvm, struct kvm_xen_hvm_attr *data); @@ -36,6 +37,19 @@ int kvm_xen_setup_evtchn(struct kvm *kvm, const struct kvm_irq_routing_entry *ue); void kvm_xen_update_tsc_info(struct kvm_vcpu *vcpu); +static inline void kvm_xen_sw_enable_lapic(struct kvm_vcpu *vcpu) +{ + /* + * The local APIC is being enabled. If the per-vCPU upcall vector is + * set and the vCPU's evtchn_upcall_pending flag is set, inject the + * interrupt. + */ + if (static_branch_unlikely(&kvm_xen_enabled.key) && + vcpu->arch.xen.vcpu_info_cache.active && + vcpu->arch.xen.upcall_vector && __kvm_xen_has_interrupt(vcpu)) + kvm_xen_inject_vcpu_vector(vcpu); +} + static inline bool kvm_xen_msr_enabled(struct kvm *kvm) { return static_branch_unlikely(&kvm_xen_enabled.key) && @@ -101,6 +115,10 @@ static inline void kvm_xen_destroy_vcpu(struct kvm_vcpu *vcpu) { } +static inline void kvm_xen_sw_enable_lapic(struct kvm_vcpu *vcpu) +{ +} + static inline bool kvm_xen_msr_enabled(struct kvm *kvm) { return false; -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH] crypto: qat - resolve race condition during AER recovery

by Damian Muszynski

During the PCI AER system's error recovery process, the kernel driver may encounter a race condition with freeing the reset_data structure's memory. If the device restart will take more than 10 seconds the function scheduling that restart will exit due to a timeout, and the reset_data structure will be freed. However, this data structure is used for completion notification after the restart is completed, which leads to a UAF bug. This results in a KFENCE bug notice. BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat] Use-after-free read at 0x00000000bc56fddf (in kfence-#142): adf_device_reset_worker+0x38/0xa0 [intel_qat] process_one_work+0x173/0x340 To resolve this race condition, the memory associated to the container of the work_struct is freed on the worker if the timeout expired, otherwise on the function that schedules the worker. The timeout detection can be done by checking if the caller is still waiting for completion or not by using completion_done() function. Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework") Cc: <stable(a)vger.kernel.org> Signed-off-by: Damian Muszynski <damian.muszynski(a)intel.com> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> --- drivers/crypto/intel/qat/qat_common/adf_aer.c | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/crypto/intel/qat/qat_common/adf_aer.c b/drivers/crypto/intel/qat/qat_common/adf_aer.c index 3597e7605a14..9da2278bd5b7 100644 --- a/drivers/crypto/intel/qat/qat_common/adf_aer.c +++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c @@ -130,7 +130,8 @@ static void adf_device_reset_worker(struct work_struct *work) if (adf_dev_restart(accel_dev)) { /* The device hanged and we can't restart it so stop here */ dev_err(&GET_DEV(accel_dev), "Restart device failed\n"); - if (reset_data->mode == ADF_DEV_RESET_ASYNC) + if (reset_data->mode == ADF_DEV_RESET_ASYNC || + completion_done(&reset_data->compl)) kfree(reset_data); WARN(1, "QAT: device restart failed. Device is unusable\n"); return; @@ -146,11 +147,19 @@ static void adf_device_reset_worker(struct work_struct *work) adf_dev_restarted_notify(accel_dev); clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status); - /* The dev is back alive. Notify the caller if in sync mode */ - if (reset_data->mode == ADF_DEV_RESET_SYNC) - complete(&reset_data->compl); - else + /* + * The dev is back alive. Notify the caller if in sync mode + * + * If device restart will take a more time than expected, + * the schedule_reset() function can timeout and exit. This can be + * detected by calling the completion_done() function. In this case + * the reset_data structure needs to be freed here. + */ + if (reset_data->mode == ADF_DEV_RESET_ASYNC || + completion_done(&reset_data->compl)) kfree(reset_data); + else + complete(&reset_data->compl); } static int adf_dev_aer_schedule_reset(struct adf_accel_dev *accel_dev, @@ -183,8 +192,9 @@ static int adf_dev_aer_schedule_reset(struct adf_accel_dev *accel_dev, dev_err(&GET_DEV(accel_dev), "Reset device timeout expired\n"); ret = -EFAULT; + } else { + kfree(reset_data); } - kfree(reset_data); return ret; } return 0; base-commit: 86f2ff2d4ec09a7eea931a56fbed2105037ba2ee -- 2.43.0

1 year, 6 months

2
1
0 0

[PATCH] crypto: qat - change SLAs cleanup flow at shutdown

by Damian Muszynski

The implementation of the Rate Limiting (RL) feature includes the cleanup of all SLAs during device shutdown. For each SLA, the firmware is notified of the removal through an admin message, the data structures that take into account the budgets are updated and the memory is freed. However, this explicit cleanup is not necessary as (1) the device is reset, and the firmware state is lost and (2) all RL data structures are freed anyway. In addition, if the device is unresponsive, for example after a PCI AER error is detected, the admin interface might not be available. This might slow down the shutdown sequence and cause a timeout in the recovery flows which in turn makes the driver believe that the device is not recoverable. Fix by replacing the explicit SLAs removal with just a free of the SLA data structures. Fixes: d9fb8408376e ("crypto: qat - add rate limiting feature to qat_4xxx") Cc: <stable(a)vger.kernel.org> Signed-off-by: Damian Muszynski <damian.muszynski(a)intel.com> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> --- drivers/crypto/intel/qat/qat_common/adf_rl.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/intel/qat/qat_common/adf_rl.c b/drivers/crypto/intel/qat/qat_common/adf_rl.c index de1b214dba1f..d4f2db3c53d8 100644 --- a/drivers/crypto/intel/qat/qat_common/adf_rl.c +++ b/drivers/crypto/intel/qat/qat_common/adf_rl.c @@ -788,6 +788,24 @@ static void clear_sla(struct adf_rl *rl_data, struct rl_sla *sla) sla_type_arr[node_id] = NULL; } +static void free_all_sla(struct adf_accel_dev *accel_dev) +{ + struct adf_rl *rl_data = accel_dev->rate_limiting; + int sla_id; + + mutex_lock(&rl_data->rl_lock); + + for (sla_id = 0; sla_id < RL_NODES_CNT_MAX; sla_id++) { + if (!rl_data->sla[sla_id]) + continue; + + kfree(rl_data->sla[sla_id]); + rl_data->sla[sla_id] = NULL; + } + + mutex_unlock(&rl_data->rl_lock); +} + /** * add_update_sla() - handles the creation and the update of an SLA * @accel_dev: pointer to acceleration device structure @@ -1155,7 +1173,7 @@ void adf_rl_stop(struct adf_accel_dev *accel_dev) return; adf_sysfs_rl_rm(accel_dev); - adf_rl_remove_sla_all(accel_dev, true); + free_all_sla(accel_dev); } void adf_rl_exit(struct adf_accel_dev *accel_dev) base-commit: 84c2f23ad68a847e36dc9cae44f21c5e321a321c -- 2.43.0

1 year, 6 months

2
1
0 0

[PATCH] btrfs: reject zoned RW mount if sectorsize is smaller than page size

by Qu Wenruo

[BUG] There is a bug report that with zoned device and sectorsize is smaller than page size (aka, subpage), btrfs would crash with a very basic workload: # getconfig PAGESIZE 16384 # mkfs.btrfs -f $dev -s 4k # mount $dev $mnt # $fsstress -w -n 8 -s 1707820327 -v -d $mnt # umount $mnt The crash would look like this (with CONFIG_BTRFS_ASSERT enabled): assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1384 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1384! CPU: 0 PID: 872 Comm: kworker/u9:2 Tainted: G OE 6.8.0-rc3-custom+ #7 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20231122-12.fc39 11/22/2023 Workqueue: writeback wb_workfn (flush-btrfs-8) pc : __extent_writepage_io+0x404/0x460 [btrfs] lr : __extent_writepage_io+0x404/0x460 [btrfs] Call trace: __extent_writepage_io+0x404/0x460 [btrfs] extent_write_locked_range+0x16c/0x460 [btrfs] run_delalloc_cow+0x88/0x118 [btrfs] btrfs_run_delalloc_range+0x128/0x228 [btrfs] writepage_delalloc+0xb8/0x178 [btrfs] __extent_writepage+0xc8/0x3a0 [btrfs] extent_write_cache_pages+0x1cc/0x460 [btrfs] extent_writepages+0x8c/0x120 [btrfs] btrfs_writepages+0x18/0x30 [btrfs] do_writepages+0x94/0x1f8 __writeback_single_inode+0x4c/0x388 writeback_sb_inodes+0x208/0x4b0 wb_writeback+0x118/0x3c0 wb_do_writeback+0xbc/0x388 wb_workfn+0x80/0x240 process_one_work+0x154/0x3c8 worker_thread+0x2bc/0x3e0 kthread+0xf4/0x108 ret_from_fork+0x10/0x20 Code: 9102c021 90000be0 91378000 9402bf53 (d4210000) ---[ end trace 0000000000000000 ]--- [CAUSE] There are several factors causing the problem: 1. __extent_writepage_io() requires all dirty ranges to have delalloc executed This can be solved by adding @start and @len parameter to only submit IO for a subset of the page, and update several involved helpers to do subpage checks. So this is not a big deal. 2. Subpage only accepts for full page aligned ranges for extent_write_locked_range() For zoned device, regular COW is switched to utilize extent_write_locked_range() to submit the IO. But the caller, run_delalloc_cow() can be called to run on a subpage range, e.g. 0 4K 8K 12K 16K |/////| |/////| Where |///| is the dirtied range. In that case, btrfs_run_delalloc_range() would call run_delalloc_cow(), which would call extent_write_locked_range() for [0, 4K), and unlock the whole [0, 16K) page. But btrfs_run_delalloc_range() would again be called for range [8K, 12K), as there are still dirty range left. In that case, since the whole page is already unlocked by previous iteration, and would cause different ASSERT()s inside extent_write_locked_range(). That's also why compression for subpage cases require fully page aligned range. [WORKAROUND] A proper fix requires some big changes to delalloc workload, to allow extent_write_locked_range() to handle multiple different entries with the same @locked_page. So for now, disable read-write support for subpage zoned btrfs. The problem can only be solved if subpage btrfs can handle subpage compression, which need quite some work on the delalloc procedure for the @locked_page handling. Reported-by: HAN Yuwei <hrx(a)bupt.moe> Link: https://lore.kernel.org/all/1ACD2E3643008A17+da260584-2c7f-432a-9e22-9d390a… CC: stable(a)vger.kernel.org # 5.10+ Signed-off-by: Qu Wenruo <wqu(a)suse.com> --- fs/btrfs/disk-io.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index c3ab268533ca..85cd23aebdd6 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -3193,7 +3193,8 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount) * part of @locked_page. * That's also why compression for subpage only work for page aligned ranges. */ - if (fs_info->sectorsize < PAGE_SIZE && btrfs_is_zoned(fs_info) && is_rw_mount) { + if (fs_info->sectorsize < PAGE_SIZE && + btrfs_fs_incompat(fs_info, ZONED) && is_rw_mount) { btrfs_warn(fs_info, "no zoned read-write support for page size %lu with sectorsize %u", PAGE_SIZE, fs_info->sectorsize); -- 2.43.0

1 year, 6 months

4
8
0 0

[PATCH 1/2] serial: stm32: do not always set SER_RS485_RX_DURING_TX if RS485 is enabled

by Lino Sanfilippo

Before commit 07c30ea5861f ("serial: Do not hold the port lock when setting rx-during-tx GPIO") the SER_RS485_RX_DURING_TX flag was only set if the rx-during-tx mode was not controlled by a GPIO. Now the flag is set unconditionally when RS485 is enabled. This results in an incorrect setting if the rx-during-tx GPIO is not asserted. Fix this by setting the flag only if the rx-during-tx mode is not controlled by a GPIO and thus restore the correct behaviour. Cc: <stable(a)vger.kernel.org> # 6.6+ Fixes: 07c30ea5861f ("serial: Do not hold the port lock when setting rx-during-tx GPIO") Signed-off-by: Lino Sanfilippo <l.sanfilippo(a)kunbus.com> --- drivers/tty/serial/stm32-usart.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c index 794b77512740..693e932d6feb 100644 --- a/drivers/tty/serial/stm32-usart.c +++ b/drivers/tty/serial/stm32-usart.c @@ -251,7 +251,9 @@ static int stm32_usart_config_rs485(struct uart_port *port, struct ktermios *ter writel_relaxed(cr3, port->membase + ofs->cr3); writel_relaxed(cr1, port->membase + ofs->cr1); - rs485conf->flags |= SER_RS485_RX_DURING_TX; + if (!port->rs485_rx_during_tx_gpio) + rs485conf->flags |= SER_RS485_RX_DURING_TX; + } else { stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DEM | USART_CR3_DEP); base-commit: 841c35169323cd833294798e58b9bf63fa4fa1de -- 2.43.0

1 year, 6 months

1
1
0 0

[PATCH] ata: libata-core: Do not call ata_dev_power_set_standby() twice

by Niklas Cassel

From: Damien Le Moal <dlemoal(a)kernel.org> For regular system shutdown, ata_dev_power_set_standby() will be executed twice: once the scsi device is removed and another when ata_pci_shutdown_one() executes and EH completes unloading the devices. Make the second call to ata_dev_power_set_standby() do nothing by using ata_dev_power_is_active() and return if the device is already in standby. Fixes: 2da4c5e24e86 ("ata: libata-core: Improve ata_dev_power_set_active()") Cc: stable(a)vger.kernel.org Signed-off-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- This fix was originally part of patch that contained both a fix and a revert in a single patch: https://lore.kernel.org/linux-ide/20240111115123.1258422-3-dlemoal@kernel.o… This patch contains the only the fix (as it is valid even without the revert), without the revert. Updated the Fixes tag to point to a more appropriate commit, since we no longer revert any code. drivers/ata/libata-core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index d9f80f4f70f5..af2334bc806d 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -85,6 +85,7 @@ static unsigned int ata_dev_init_params(struct ata_device *dev, static unsigned int ata_dev_set_xfermode(struct ata_device *dev); static void ata_dev_xfermask(struct ata_device *dev); static unsigned long ata_dev_blacklisted(const struct ata_device *dev); +static bool ata_dev_power_is_active(struct ata_device *dev); atomic_t ata_print_id = ATOMIC_INIT(0); @@ -2017,8 +2018,9 @@ void ata_dev_power_set_standby(struct ata_device *dev) struct ata_taskfile tf; unsigned int err_mask; - /* If the device is already sleeping, do nothing. */ - if (dev->flags & ATA_DFLAG_SLEEPING) + /* If the device is already sleeping or in standby, do nothing. */ + if ((dev->flags & ATA_DFLAG_SLEEPING) || + !ata_dev_power_is_active(dev)) return; /* -- 2.43.1

1 year, 6 months

2
3
0 0

[PATCH 1/4] platform/x86: x86-android-tablets: Fix keyboard touchscreen on Lenovo Yogabook1 X90

by Hans de Goede

After commit 4014ae236b1d ("platform/x86: x86-android-tablets: Stop using gpiolib private APIs") the touchscreen in the keyboard half of the Lenovo Yogabook1 X90 stopped working with the following error: Goodix-TS i2c-goodix_ts: error -EBUSY: Failed to get irq GPIO The problem is that when getting the IRQ for instantiated i2c_client-s from a GPIO (rather then using an IRQ directly from the IOAPIC), x86_acpi_irq_helper_get() now properly requests the GPIO, which disallows other drivers from requesting it. Normally this is a good thing, but the goodix touchscreen also uses the IRQ as an output during reset to select which of its 2 possible I2C addresses should be used. Add a new free_gpio flag to struct x86_acpi_irq_data to deal with this and release the GPIO after getting the IRQ in this special case. Fixes: 4014ae236b1d ("platform/x86: x86-android-tablets: Stop using gpiolib private APIs") Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/platform/x86/x86-android-tablets/core.c | 3 +++ drivers/platform/x86/x86-android-tablets/lenovo.c | 1 + drivers/platform/x86/x86-android-tablets/x86-android-tablets.h | 1 + 3 files changed, 5 insertions(+) diff --git a/drivers/platform/x86/x86-android-tablets/core.c b/drivers/platform/x86/x86-android-tablets/core.c index f8221a15575b..f6547c9d7584 100644 --- a/drivers/platform/x86/x86-android-tablets/core.c +++ b/drivers/platform/x86/x86-android-tablets/core.c @@ -113,6 +113,9 @@ int x86_acpi_irq_helper_get(const struct x86_acpi_irq_data *data) if (irq_type != IRQ_TYPE_NONE && irq_type != irq_get_trigger_type(irq)) irq_set_irq_type(irq, irq_type); + if (data->free_gpio) + devm_gpiod_put(&x86_android_tablet_device->dev, gpiod); + return irq; case X86_ACPI_IRQ_TYPE_PMIC: status = acpi_get_handle(NULL, data->chip, &handle); diff --git a/drivers/platform/x86/x86-android-tablets/lenovo.c b/drivers/platform/x86/x86-android-tablets/lenovo.c index f1c66a61bfc5..c297391955ad 100644 --- a/drivers/platform/x86/x86-android-tablets/lenovo.c +++ b/drivers/platform/x86/x86-android-tablets/lenovo.c @@ -116,6 +116,7 @@ static const struct x86_i2c_client_info lenovo_yb1_x90_i2c_clients[] __initconst .trigger = ACPI_EDGE_SENSITIVE, .polarity = ACPI_ACTIVE_LOW, .con_id = "goodix_ts_irq", + .free_gpio = true, }, }, { /* Wacom Digitizer in keyboard half */ diff --git a/drivers/platform/x86/x86-android-tablets/x86-android-tablets.h b/drivers/platform/x86/x86-android-tablets/x86-android-tablets.h index 49fed9410adb..468993edfeee 100644 --- a/drivers/platform/x86/x86-android-tablets/x86-android-tablets.h +++ b/drivers/platform/x86/x86-android-tablets/x86-android-tablets.h @@ -39,6 +39,7 @@ struct x86_acpi_irq_data { int index; int trigger; /* ACPI_EDGE_SENSITIVE / ACPI_LEVEL_SENSITIVE */ int polarity; /* ACPI_ACTIVE_HIGH / ACPI_ACTIVE_LOW / ACPI_ACTIVE_BOTH */ + bool free_gpio; /* Release GPIO after getting IRQ (for TYPE_GPIOINT) */ const char *con_id; }; -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH 0/2] mm/damon: fix quota status loss due to online tunings

by SeongJae Park

DAMON_RECLAIM and DAMON_LRU_SORT is not preserving internal quota status when applying new user parameters, and hence could cause temporal quota accuracy degradation. Fix it by preserving the status. SeongJae Park (2): mm/damon/reclaim: fix quota stauts loss due to online tunings mm/damon/lru_sort: fix quota status loss due to online tunings mm/damon/lru_sort.c | 43 ++++++++++++++++++++++++++++++++++++------- mm/damon/reclaim.c | 18 +++++++++++++++++- 2 files changed, 53 insertions(+), 8 deletions(-) base-commit: 0f8cac70960349ba21deb424bd41bc4f4362c113 -- 2.39.2

1 year, 6 months

1
2
0 0

Linux 6.7.5

by Greg Kroah-Hartman

I'm announcing the release of the 6.7.5 kernel. All users of the 6.7 kernel series must upgrade. The updated 6.7.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.7.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arc/include/asm/cacheflush.h | 1 arch/arm/include/asm/cacheflush.h | 2 arch/csky/abiv1/inc/abi/cacheflush.h | 1 arch/csky/abiv2/inc/abi/cacheflush.h | 1 arch/m68k/include/asm/cacheflush_mm.h | 1 arch/mips/include/asm/cacheflush.h | 2 arch/nios2/include/asm/cacheflush.h | 1 arch/parisc/include/asm/cacheflush.h | 1 arch/riscv/include/asm/cacheflush.h | 3 arch/riscv/include/asm/hugetlb.h | 3 arch/riscv/include/asm/stacktrace.h | 5 arch/riscv/include/asm/tlb.h | 2 arch/riscv/include/asm/tlbflush.h | 2 arch/riscv/mm/hugetlbpage.c | 78 ++++++- arch/riscv/mm/init.c | 4 arch/riscv/mm/tlbflush.c | 6 arch/sh/include/asm/cacheflush.h | 1 arch/sparc/include/asm/cacheflush_32.h | 1 arch/sparc/include/asm/cacheflush_64.h | 1 arch/x86/boot/header.S | 14 - arch/x86/boot/setup.ld | 6 arch/x86/lib/getuser.S | 24 +- arch/x86/lib/putuser.S | 20 - arch/xtensa/include/asm/cacheflush.h | 6 block/blk-iocost.c | 7 drivers/atm/idt77252.c | 2 drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 drivers/dma/fsl-qdma.c | 28 -- drivers/dma/ti/k3-udma.c | 10 drivers/firmware/efi/libstub/efistub.h | 3 drivers/firmware/efi/libstub/kaslr.c | 2 drivers/firmware/efi/libstub/randomalloc.c | 12 - drivers/firmware/efi/libstub/x86-stub.c | 25 +- drivers/firmware/efi/libstub/x86-stub.h | 4 drivers/firmware/efi/libstub/zboot.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 24 -- drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 2 drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c | 63 +++-- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 33 --- drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h | 1 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 8 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 8 drivers/gpu/drm/i915/gvt/handlers.c | 3 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 drivers/gpu/drm/msm/dp/dp_ctrl.c | 5 drivers/gpu/drm/msm/dp/dp_link.c | 22 +- drivers/gpu/drm/msm/dp/dp_reg.h | 3 drivers/hwmon/aspeed-pwm-tacho.c | 7 drivers/hwmon/coretemp.c | 40 +-- drivers/input/keyboard/atkbd.c | 13 - drivers/input/serio/i8042-acpipnpio.h | 6 drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 + drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 drivers/net/ethernet/engleder/tsnep_main.c | 16 + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 14 + drivers/net/ethernet/stmicro/stmmac/common.h | 1 drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 58 +++++ drivers/net/netdevsim/dev.c | 8 drivers/net/ppp/ppp_async.c | 4 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 drivers/net/wireless/intel/iwlwifi/fw/api/debug.h | 2 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 6 drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 9 drivers/nvme/host/core.c | 7 drivers/pci/bus.c | 49 +++- drivers/pci/controller/dwc/pcie-qcom.c | 2 drivers/pci/pci.c | 78 ++++--- drivers/pci/pci.h | 4 drivers/pci/pcie/aspm.c | 13 - drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 30 ++ drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 drivers/phy/ti/phy-omap-usb2.c | 4 drivers/scsi/scsi_error.c | 3 drivers/scsi/scsi_lib.c | 4 drivers/usb/dwc3/dwc3-pci.c | 4 drivers/usb/dwc3/host.c | 4 drivers/usb/host/xhci-plat.c | 3 drivers/usb/host/xhci-ring.c | 80 ++++++- drivers/usb/host/xhci.h | 1 drivers/usb/serial/cp210x.c | 1 drivers/usb/serial/option.c | 1 drivers/usb/serial/qcserial.c | 2 drivers/usb/typec/tcpm/tcpm.c | 3 fs/bcachefs/clock.c | 4 fs/bcachefs/fs-io.c | 2 fs/bcachefs/fs-ioctl.c | 42 ++- fs/bcachefs/journal_io.c | 3 fs/bcachefs/move.c | 2 fs/bcachefs/move.h | 1 fs/bcachefs/rebalance.c | 13 + fs/bcachefs/replicas.c | 10 fs/bcachefs/snapshot.c | 2 fs/bcachefs/util.c | 5 fs/ceph/inode.c | 2 fs/ext4/mballoc.c | 20 + fs/namei.c | 16 + fs/ntfs3/ntfs_fs.h | 2 fs/smb/client/sess.c | 2 fs/smb/client/smb2pdu.c | 2 include/asm-generic/cacheflush.h | 6 include/linux/ceph/messenger.h | 2 include/linux/dmaengine.h | 3 include/linux/hrtimer.h | 4 include/linux/namei.h | 1 include/linux/pci.h | 5 include/net/cfg80211.h | 4 include/net/netfilter/nf_tables.h | 16 + include/trace/events/rxrpc.h | 8 include/uapi/linux/netfilter/nf_tables.h | 2 io_uring/io_uring.h | 7 io_uring/net.c | 50 +++- io_uring/poll.c | 49 ++-- io_uring/poll.h | 9 io_uring/rw.c | 10 kernel/time/hrtimer.c | 3 mm/percpu.c | 8 net/ceph/messenger_v1.c | 33 +-- net/ceph/messenger_v2.c | 4 net/ceph/osd_client.c | 9 net/core/datagram.c | 2 net/devlink/core.c | 12 - net/ipv4/af_inet.c | 6 net/ipv4/ip_tunnel_core.c | 2 net/mac80211/cfg.c | 14 - net/mac80211/mlme.c | 106 +++++++-- net/mac80211/tx.c | 7 net/netfilter/nf_tables_api.c | 4 net/netfilter/nfnetlink_queue.c | 13 - net/netfilter/nft_compat.c | 17 + net/netfilter/nft_ct.c | 3 net/netfilter/nft_set_hash.c | 8 net/netfilter/nft_set_pipapo.c | 128 ++++++------ net/netfilter/nft_set_pipapo.h | 18 + net/netfilter/nft_set_pipapo_avx2.c | 17 - net/netfilter/nft_set_rbtree.c | 17 - net/rxrpc/ar-internal.h | 37 ++- net/rxrpc/call_event.c | 12 - net/rxrpc/call_object.c | 1 net/rxrpc/conn_event.c | 10 net/rxrpc/input.c | 115 +++++++++- net/rxrpc/output.c | 8 net/rxrpc/proc.c | 2 net/rxrpc/rxkad.c | 4 net/tipc/bearer.c | 6 net/unix/garbage.c | 11 + net/wireless/scan.c | 63 +++++ sound/soc/amd/acp-config.c | 15 - sound/usb/quirks.c | 38 ++- tools/perf/tests/shell/script.sh | 73 ++++++ tools/perf/util/evlist.c | 9 tools/testing/selftests/core/close_range_test.c | 1 tools/testing/selftests/net/big_tcp.sh | 4 tools/testing/selftests/net/cmsg_ipv6.sh | 4 tools/testing/selftests/net/pmtu.sh | 52 ++-- tools/testing/selftests/net/udpgro_fwd.sh | 14 + tools/testing/selftests/net/udpgso_bench_rx.c | 2 tools/testing/selftests/net/unicast_extensions.sh | 101 ++++----- 160 files changed, 1559 insertions(+), 735 deletions(-) Abhinav Kumar (1): drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Al Viro (2): new helper: user_path_locked_at() bch2_ioctl_subvolume_destroy(): fix locking Alexander Tsoy (1): ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Alexandre Ghiti (5): mm: Introduce flush_cache_vmap_early() riscv: Fix set_huge_pte_at() for NAPOT mapping riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled riscv: Flush the tlb when a page directory is freed riscv: Fix arch_hugetlb_migration_supported() for NAPOT Antoine Tenart (1): tunnels: fix out of bounds access when building IPv6 PMTU error Ard Biesheuvel (3): x86/efistub: Give up if memory attribute protocol returns an error x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section Badhri Jagan Sridharan (1): Revert "usb: typec: tcpm: fix cc role at port reset" Baokun Li (1): ext4: regenerate buddy after block freeing failed if under fc replay Ben Dooks (1): riscv: declare overflow_stack as exported from traps.c Benjamin Berg (2): wifi: iwlwifi: mvm: skip adding debugfs symlink for reconfig wifi: cfg80211: consume both probe response and beacon IEs Christoph Hellwig (1): bcachefs: fix incorrect usage of REQ_OP_FLUSH Christophe JAILLET (2): dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Dan Carpenter (2): drm/i915/gvt: Fix uninitialized variable in handle_mmio() fs/ntfs3: Fix an NULL dereference bug Daniel Hill (1): bcachefs: rebalance should wakeup on shutdown if disabled David Howells (4): rxrpc: Fix generation of serial numbers to skip zero rxrpc: Fix delayed ACKs to not set the reference serial number rxrpc: Fix response to PING RESPONSE ACKs to a dead call rxrpc: Fix counting of new acks and nacks Emmanuel Grumbach (1): wifi: iwlwifi: mvm: fix a battery life regression Eric Dumazet (3): netdevsim: avoid potential loop in nsim_dev_trap_report_work() inet: read sk->sk_family once in inet_recv_error() ppp_async: limit MRU to 64K Florian Westphal (4): netfilter: nfnetlink_queue: un-break NF_REPEAT netfilter: nft_set_pipapo: store index in scratch maps netfilter: nft_set_pipapo: add helper to release pcpu scratch area netfilter: nft_set_pipapo: remove scratch_aligned pointer Frank Li (1): dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Frederic Weisbecker (1): hrtimer: Report offline hrtimer enqueue Furong Xu (2): net: stmmac: xgmac: fix handling of DPP safety error for DMA channels net: stmmac: xgmac: fix a typo of register name in DPP safety handling Gerhard Engleder (1): tsnep: Fix mapping for zero copy XDP_TX action Greg Kroah-Hartman (2): Revert "ASoC: amd: Add new dmi entries for acp5x platform" Linux 6.7.5 Guanhua Gao (1): dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Guoyu Ou (1): bcachefs: unlock parent dir if entry is not found in subvolume deletion Hangbin Liu (2): selftests/net: convert unicast_extensions.sh to run it in unique namespace selftests/net: convert pmtu.sh to run it in unique namespace Hans de Goede (1): Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Heikki Krogerus (1): usb: dwc3: pci: add support for the Intel Arrow Lake-H Ian Rogers (1): perf tests: Add perf script test Ivan Vecera (1): net: atlantic: Fix DMA mapping for PTP hwts ring JackBB Wu (1): USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Jai Luthra (1): dmaengine: ti: k3-udma: Report short packet errors Jakub Kicinski (1): selftests: cmsg_ipv6: repeat the exact packet James Clark (1): perf evlist: Fix evlist__new_default() for > 1 core PMU Jens Axboe (6): io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers io_uring/poll: move poll execution helpers higher up io_uring/net: un-indent mshot retry path in io_recv_finish() io_uring/rw: ensure poll based multishot read retries appropriately io_uring/poll: add requeue return code from poll multishot handling io_uring/net: limit inline multishot retries Jiri Pirko (1): devlink: avoid potential loop in devlink_rel_nested_in_notify_work() Johan Hovold (1): PCI/ASPM: Fix deadlock when enabling ASPM Johannes Berg (5): wifi: cfg80211: detect stuck ECSA element in probe resp wifi: mac80211: improve CSA/ECSA connection refusal wifi: mac80211: fix RCU use in TDLS fast-xmit wifi: mac80211: fix unsolicited broadcast probe config wifi: mac80211: fix waiting for beacons logic Julian Sikorski (1): ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Kees Cook (1): wifi: brcmfmac: Adjust n_channels usage for __counted_by Kent Overstreet (4): bcachefs: Don't pass memcmp() as a pointer bcachefs: Add missing bch2_moving_ctxt_flush_all() bcachefs: bch2_kthread_io_clock_wait() no longer sleeps until full amount bcachefs: time_stats: Check for last_event == 0 when updating freq stats Kuniyuki Iwashima (1): af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. Kuogee Hsieh (2): drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Leonard Dallmayr (1): USB: serial: cp210x: add ID for IMST iM871A-USB Loic Prylli (1): hwmon: (aspeed-pwm-tacho) mutex for tach reading Mantas Pucka (2): phy: qcom-qmp-usb: fix register offsets for ipq8074/ipq6018 phy: qcom-qmp-usb: fix serdes init sequence for IPQ6018 Mario Limonciello (1): Revert "drm/amd/pm: fix the high voltage and temperature issue" Mathias Nyman (1): xhci: process isoc TD properly when there was a transaction error mid TD. Maurizio Lombardi (1): nvme-host: fix the updating of the firmware version Michael Lass (1): net: Fix from address in memcpy_to_iter_csum() Michal Pecio (1): xhci: handle isoc Babble and Buffer Overrun events properly Ming Lei (1): scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Miri Korenblit (1): wifi: iwlwifi: exit eSR only after the FW does Muhammad Usama Anjum (1): selftests: core: include linux/close_range.h for CLOSE_RANGE_* macros Pablo Neira Ayuso (7): netfilter: nft_compat: narrow down revision to unsigned 8-bits netfilter: nft_compat: reject unused compat flag netfilter: nft_compat: restrict match/target protocol to u16 netfilter: nft_set_pipapo: remove static in nft_pipapo_get() netfilter: nft_ct: reject direction for ct id netfilter: nf_tables: use timestamp to check for set element timeout netfilter: nft_set_rbtree: skip end interval element from gc Paolo Abeni (4): selftests: net: cut more slack for gro fwd tests. selftests: net: fix tcp listener handling in pmtu.sh selftests: net: avoid just another constant wait selftests: net: let big_tcp test cope with slow env Prashanth K (2): usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Puliang Lu (1): USB: serial: option: add Fibocom FM101-GL variant Qiuxu Zhuo (1): x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups Sean Young (1): ALSA: usb-audio: add quirk for RODE NT-USB+ Shigeru Yoshida (1): tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Shyam Prasad N (2): cifs: avoid redundant calls to disable multichannel cifs: failure to add channel on iface should bump up weight Simon Horman (1): net: stmmac: xgmac: use #define for string constants Srinivasan Shanmugam (3): drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Su Yue (2): bcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit bcachefs: grab s_umount only if snapshotting Takashi Iwai (1): ALSA: usb-audio: Sort quirk table entries Tejun Heo (1): blk-iocost: Fix an UBSAN shift-out-of-bounds warning Thomas Richter (1): perf test: Fix 'perf script' tests on s390 Tony Lindgren (1): phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Vincent Chen (1): riscv: mm: execute local TLB flush after populating vmemmap Werner Sembach (1): Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Xiubo Li (3): libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*() libceph: just wait for more data to be available on the socket ceph: always set initial i_blkbits to CEPH_FSCRYPT_BLOCK_SHIFT Yoshihiro Shimoda (1): phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Yujie Liu (1): selftests/net: change shebang to bash to support "source" Zhang Rui (2): hwmon: (coretemp) Fix out-of-bounds memory access hwmon: (coretemp) Fix bogus core_id to attr name mapping Zhipeng Lu (2): atm: idt77252: fix a memleak in open_card_ubr0 octeontx2-pf: Fix a memleak otx2_sq_init

1 year, 6 months

1
1
0 0

Linux 6.6.17

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.17 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/process/changes.rst | 2 MAINTAINERS | 1 Makefile | 2 arch/arc/include/asm/cacheflush.h | 1 arch/arm/include/asm/cacheflush.h | 2 arch/csky/abiv1/inc/abi/cacheflush.h | 1 arch/csky/abiv2/inc/abi/cacheflush.h | 1 arch/m68k/include/asm/cacheflush_mm.h | 1 arch/mips/include/asm/cacheflush.h | 2 arch/nios2/include/asm/cacheflush.h | 1 arch/parisc/include/asm/cacheflush.h | 1 arch/riscv/include/asm/cacheflush.h | 3 arch/riscv/include/asm/hugetlb.h | 3 arch/riscv/include/asm/sbi.h | 3 arch/riscv/include/asm/stacktrace.h | 5 arch/riscv/include/asm/tlb.h | 8 arch/riscv/include/asm/tlbflush.h | 17 - arch/riscv/kernel/sbi.c | 32 - arch/riscv/mm/hugetlbpage.c | 78 ++++ arch/riscv/mm/init.c | 4 arch/riscv/mm/tlbflush.c | 158 +++++---- arch/sh/include/asm/cacheflush.h | 1 arch/sparc/include/asm/cacheflush_32.h | 1 arch/sparc/include/asm/cacheflush_64.h | 1 arch/x86/lib/getuser.S | 24 - arch/x86/lib/putuser.S | 20 - arch/xtensa/include/asm/cacheflush.h | 6 block/blk-iocost.c | 7 drivers/atm/idt77252.c | 2 drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 drivers/dma/fsl-qdma.c | 27 - drivers/dma/ti/k3-udma.c | 10 drivers/firmware/efi/libstub/efistub.h | 3 drivers/firmware/efi/libstub/kaslr.c | 2 drivers/firmware/efi/libstub/randomalloc.c | 12 drivers/firmware/efi/libstub/x86-stub.c | 25 - drivers/firmware/efi/libstub/x86-stub.h | 4 drivers/firmware/efi/libstub/zboot.c | 2 drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hwseq.c | 63 ++- drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 2 drivers/gpu/drm/i915/gvt/handlers.c | 3 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 drivers/gpu/drm/msm/dp/dp_ctrl.c | 5 drivers/gpu/drm/msm/dp/dp_link.c | 22 - drivers/gpu/drm/msm/dp/dp_reg.h | 3 drivers/hwmon/aspeed-pwm-tacho.c | 7 drivers/hwmon/coretemp.c | 40 +- drivers/input/keyboard/atkbd.c | 13 drivers/input/serio/i8042-acpipnpio.h | 6 drivers/media/pci/solo6x10/solo6x10-offsets.h | 10 drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 drivers/net/ethernet/engleder/tsnep_main.c | 16 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 14 drivers/net/ethernet/stmicro/stmmac/common.h | 1 drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 58 +++ drivers/net/netdevsim/dev.c | 8 drivers/net/ppp/ppp_async.c | 4 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 6 drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 drivers/phy/ti/phy-omap-usb2.c | 4 drivers/scsi/scsi_error.c | 3 drivers/scsi/scsi_lib.c | 4 drivers/usb/dwc3/dwc3-pci.c | 4 drivers/usb/dwc3/host.c | 4 drivers/usb/host/xhci-plat.c | 3 drivers/usb/host/xhci-ring.c | 80 +++- drivers/usb/host/xhci.h | 1 drivers/usb/serial/cp210x.c | 1 drivers/usb/serial/option.c | 1 drivers/usb/serial/qcserial.c | 2 drivers/usb/typec/tcpm/tcpm.c | 3 fs/ext4/mballoc.c | 20 + fs/ntfs3/ntfs_fs.h | 2 fs/smb/client/sess.c | 2 fs/smb/client/smb2pdu.c | 2 fs/xfs/Kconfig | 2 fs/xfs/libxfs/xfs_alloc.c | 27 + fs/xfs/libxfs/xfs_bmap.c | 21 - fs/xfs/libxfs/xfs_defer.c | 28 + fs/xfs/libxfs/xfs_defer.h | 2 fs/xfs/libxfs/xfs_inode_buf.c | 3 fs/xfs/libxfs/xfs_rtbitmap.c | 33 + fs/xfs/libxfs/xfs_sb.h | 2 fs/xfs/xfs_bmap_util.c | 24 - fs/xfs/xfs_dquot.c | 5 fs/xfs/xfs_dquot_item_recover.c | 21 + fs/xfs/xfs_file.c | 63 +++ fs/xfs/xfs_inode.c | 24 + fs/xfs/xfs_inode.h | 17 + fs/xfs/xfs_inode_item_recover.c | 14 fs/xfs/xfs_ioctl.c | 30 + fs/xfs/xfs_iops.c | 7 fs/xfs/xfs_log.c | 23 - fs/xfs/xfs_log_recover.c | 2 fs/xfs/xfs_reflink.c | 5 fs/xfs/xfs_rtalloc.c | 33 + fs/xfs/xfs_rtalloc.h | 27 - include/asm-generic/cacheflush.h | 6 include/linux/ceph/messenger.h | 2 include/linux/dmaengine.h | 3 include/linux/hrtimer.h | 4 include/trace/events/rxrpc.h | 8 include/uapi/linux/netfilter/nf_tables.h | 2 io_uring/io_uring.h | 7 io_uring/net.c | 50 ++- io_uring/poll.c | 39 +- kernel/time/hrtimer.c | 3 mm/percpu.c | 8 net/ceph/messenger_v1.c | 33 + net/ceph/messenger_v2.c | 4 net/ceph/osd_client.c | 9 net/ipv4/af_inet.c | 6 net/ipv4/ip_tunnel_core.c | 2 net/mac80211/mlme.c | 3 net/mac80211/tx.c | 7 net/netfilter/nft_compat.c | 17 - net/netfilter/nft_ct.c | 3 net/netfilter/nft_set_pipapo.c | 108 +++--- net/netfilter/nft_set_pipapo.h | 18 - net/netfilter/nft_set_pipapo_avx2.c | 17 - net/netfilter/nft_set_rbtree.c | 6 net/rxrpc/ar-internal.h | 37 +- net/rxrpc/call_event.c | 12 net/rxrpc/call_object.c | 1 net/rxrpc/conn_event.c | 10 net/rxrpc/input.c | 115 +++++- net/rxrpc/output.c | 8 net/rxrpc/proc.c | 2 net/rxrpc/rxkad.c | 4 net/tipc/bearer.c | 6 net/unix/garbage.c | 11 rust/alloc/alloc.rs | 21 - rust/alloc/boxed.rs | 56 ++- rust/alloc/lib.rs | 13 rust/alloc/raw_vec.rs | 30 + rust/alloc/vec/drain_filter.rs | 199 ------------ rust/alloc/vec/extract_if.rs | 115 ++++++ rust/alloc/vec/mod.rs | 110 +++--- rust/alloc/vec/spec_extend.rs | 8 rust/compiler_builtins.rs | 1 rust/kernel/print.rs | 1 rust/kernel/sync/arc.rs | 2 rust/kernel/task.rs | 2 scripts/min-tool-version.sh | 2 sound/soc/amd/acp-config.c | 15 sound/usb/quirks.c | 38 +- tools/perf/util/evlist.c | 9 tools/testing/selftests/net/big_tcp.sh | 4 tools/testing/selftests/net/cmsg_ipv6.sh | 4 tools/testing/selftests/net/pmtu.sh | 52 +-- tools/testing/selftests/net/udpgro_fwd.sh | 14 tools/testing/selftests/net/udpgso_bench_rx.c | 2 tools/testing/selftests/net/unicast_extensions.sh | 101 ++---- 157 files changed, 1701 insertions(+), 1017 deletions(-) Abhinav Kumar (1): drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Alexander Tsoy (1): ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Alexandre Ghiti (8): riscv: Improve tlb_flush() riscv: Make __flush_tlb_range() loop over pte instead of flushing the whole tlb riscv: Improve flush_tlb_kernel_range() mm: Introduce flush_cache_vmap_early() riscv: Fix set_huge_pte_at() for NAPOT mapping riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled riscv: Flush the tlb when a page directory is freed riscv: Fix arch_hugetlb_migration_supported() for NAPOT Anthony Iliopoulos (1): xfs: fix again select in kconfig XFS_ONLINE_SCRUB_STATS Antoine Tenart (1): tunnels: fix out of bounds access when building IPv6 PMTU error Ard Biesheuvel (2): x86/efistub: Give up if memory attribute protocol returns an error x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR Aurelien Jarno (1): media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) Badhri Jagan Sridharan (1): Revert "usb: typec: tcpm: fix cc role at port reset" Baokun Li (1): ext4: regenerate buddy after block freeing failed if under fc replay Ben Dooks (1): riscv: declare overflow_stack as exported from traps.c Catherine Hoang (2): MAINTAINERS: add Catherine as xfs maintainer for 6.6.y xfs: allow read IO and FICLONE to run concurrently Cheng Lin (1): xfs: introduce protection for drop nlink Christoph Hellwig (4): xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space xfs: only remap the written blocks in xfs_reflink_end_cow_extent xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags xfs: respect the stable writes flag on the RT device Christophe JAILLET (2): dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Dan Carpenter (2): drm/i915/gvt: Fix uninitialized variable in handle_mmio() fs/ntfs3: Fix an NULL dereference bug Darrick J. Wong (8): xfs: bump max fsgeom struct version xfs: hoist freeing of rt data fork extent mappings xfs: prevent rt growfs when quota is enabled xfs: rt stubs should return negative errnos when rt disabled xfs: fix units conversion error in xfs_bmap_del_extent_delay xfs: make sure maxlen is still congruent with prod when rounding down xfs: clean up dqblk extraction xfs: dquot recovery does not validate the recovered dquot Dave Chinner (1): xfs: inode recovery does not validate the recovered inode David Howells (4): rxrpc: Fix generation of serial numbers to skip zero rxrpc: Fix delayed ACKs to not set the reference serial number rxrpc: Fix response to PING RESPONSE ACKs to a dead call rxrpc: Fix counting of new acks and nacks Eric Dumazet (3): netdevsim: avoid potential loop in nsim_dev_trap_report_work() inet: read sk->sk_family once in inet_recv_error() ppp_async: limit MRU to 64K Florian Westphal (3): netfilter: nft_set_pipapo: store index in scratch maps netfilter: nft_set_pipapo: add helper to release pcpu scratch area netfilter: nft_set_pipapo: remove scratch_aligned pointer Frank Li (1): dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Frederic Weisbecker (1): hrtimer: Report offline hrtimer enqueue Furong Xu (2): net: stmmac: xgmac: fix handling of DPP safety error for DMA channels net: stmmac: xgmac: fix a typo of register name in DPP safety handling Gerhard Engleder (1): tsnep: Fix mapping for zero copy XDP_TX action Greg Kroah-Hartman (2): Revert "ASoC: amd: Add new dmi entries for acp5x platform" Linux 6.6.17 Guanhua Gao (1): dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Hangbin Liu (2): selftests/net: convert unicast_extensions.sh to run it in unique namespace selftests/net: convert pmtu.sh to run it in unique namespace Hans de Goede (1): Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Heikki Krogerus (1): usb: dwc3: pci: add support for the Intel Arrow Lake-H Ivan Vecera (1): net: atlantic: Fix DMA mapping for PTP hwts ring JackBB Wu (1): USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Jai Luthra (1): dmaengine: ti: k3-udma: Report short packet errors Jakub Kicinski (1): selftests: cmsg_ipv6: repeat the exact packet James Clark (1): perf evlist: Fix evlist__new_default() for > 1 core PMU Jens Axboe (5): io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers io_uring/poll: move poll execution helpers higher up io_uring/net: un-indent mshot retry path in io_recv_finish() io_uring/poll: add requeue return code from poll multishot handling io_uring/net: limit inline multishot retries Johannes Berg (2): wifi: mac80211: fix RCU use in TDLS fast-xmit wifi: mac80211: fix waiting for beacons logic Julian Sikorski (1): ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Kees Cook (1): wifi: brcmfmac: Adjust n_channels usage for __counted_by Kuniyuki Iwashima (1): af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. Kuogee Hsieh (2): drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Leah Rumancik (1): xfs: up(ic_sema) if flushing data device fails Leonard Dallmayr (1): USB: serial: cp210x: add ID for IMST iM871A-USB Loic Prylli (1): hwmon: (aspeed-pwm-tacho) mutex for tach reading Long Li (2): xfs: factor out xfs_defer_pending_abort xfs: abort intent items when recovery intents fail Mathias Nyman (1): xhci: process isoc TD properly when there was a transaction error mid TD. Michal Pecio (1): xhci: handle isoc Babble and Buffer Overrun events properly Miguel Ojeda (5): rust: arc: add explicit `drop()` around `Box::from_raw()` rust: upgrade to Rust 1.72.1 rust: task: remove redundant explicit link rust: print: use explicit link in documentation rust: upgrade to Rust 1.73.0 Ming Lei (1): scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Miri Korenblit (1): wifi: iwlwifi: exit eSR only after the FW does Omar Sandoval (1): xfs: fix internal error from AGFL exhaustion Pablo Neira Ayuso (5): netfilter: nft_compat: narrow down revision to unsigned 8-bits netfilter: nft_compat: reject unused compat flag netfilter: nft_compat: restrict match/target protocol to u16 netfilter: nft_ct: reject direction for ct id netfilter: nft_set_rbtree: skip end interval element from gc Paolo Abeni (4): selftests: net: cut more slack for gro fwd tests. selftests: net: fix tcp listener handling in pmtu.sh selftests: net: avoid just another constant wait selftests: net: let big_tcp test cope with slow env Prashanth K (2): usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Puliang Lu (1): USB: serial: option: add Fibocom FM101-GL variant Qiuxu Zhuo (1): x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups Sean Young (1): ALSA: usb-audio: add quirk for RODE NT-USB+ Shigeru Yoshida (1): tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Shyam Prasad N (2): cifs: avoid redundant calls to disable multichannel cifs: failure to add channel on iface should bump up weight Simon Horman (1): net: stmmac: xgmac: use #define for string constants Srinivasan Shanmugam (3): drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Takashi Iwai (1): ALSA: usb-audio: Sort quirk table entries Tejun Heo (1): blk-iocost: Fix an UBSAN shift-out-of-bounds warning Tony Lindgren (1): phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Vincent Chen (1): riscv: mm: execute local TLB flush after populating vmemmap Werner Sembach (1): Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Xiubo Li (2): libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*() libceph: just wait for more data to be available on the socket Yoshihiro Shimoda (1): phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Yujie Liu (1): selftests/net: change shebang to bash to support "source" Zhang Rui (2): hwmon: (coretemp) Fix out-of-bounds memory access hwmon: (coretemp) Fix bogus core_id to attr name mapping Zhipeng Lu (2): atm: idt77252: fix a memleak in open_card_ubr0 octeontx2-pf: Fix a memleak otx2_sq_init

1 year, 6 months

1
1
0 0

Linux 6.1.78

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.78 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 block/blk-core.c | 11 + block/blk-iocost.c | 7 drivers/atm/idt77252.c | 2 drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 - drivers/dma/fsl-qdma.c | 27 +-- drivers/dma/ti/k3-udma.c | 10 + drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 2 drivers/gpu/drm/i915/gvt/handlers.c | 3 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 drivers/gpu/drm/msm/dp/dp_ctrl.c | 5 drivers/gpu/drm/msm/dp/dp_link.c | 22 +-- drivers/gpu/drm/msm/dp/dp_reg.h | 3 drivers/hwmon/aspeed-pwm-tacho.c | 7 drivers/hwmon/coretemp.c | 40 ++--- drivers/infiniband/hw/irdma/verbs.c | 2 drivers/input/keyboard/atkbd.c | 13 + drivers/input/serio/i8042-acpipnpio.h | 6 drivers/mtd/parsers/ofpart_core.c | 19 ++ drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 + drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 14 + drivers/net/ethernet/stmicro/stmmac/common.h | 1 drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 58 +++++++- drivers/net/netdevsim/dev.c | 8 - drivers/net/ppp/ppp_async.c | 4 drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 drivers/phy/ti/phy-omap-usb2.c | 4 drivers/scsi/scsi_error.c | 3 drivers/scsi/scsi_lib.c | 4 drivers/usb/dwc3/host.c | 4 drivers/usb/host/xhci-plat.c | 3 drivers/usb/serial/cp210x.c | 1 drivers/usb/serial/option.c | 1 drivers/usb/serial/qcserial.c | 2 drivers/vhost/vhost.c | 5 fs/dlm/lowcomms.c | 38 +---- fs/ext4/mballoc.c | 20 ++ fs/f2fs/compress.c | 27 +++ fs/f2fs/f2fs.h | 2 fs/f2fs/super.c | 4 fs/ntfs3/ntfs_fs.h | 2 fs/smb/client/sess.c | 2 include/linux/dmaengine.h | 3 include/linux/hrtimer.h | 4 include/uapi/linux/netfilter/nf_tables.h | 2 io_uring/net.c | 1 kernel/time/clocksource.c | 25 +++ kernel/time/hrtimer.c | 3 net/ipv4/af_inet.c | 6 net/ipv4/ip_tunnel_core.c | 2 net/mac80211/mlme.c | 3 net/netfilter/nft_compat.c | 17 +- net/netfilter/nft_ct.c | 3 net/netfilter/nft_set_pipapo.c | 108 +++++++-------- net/netfilter/nft_set_pipapo.h | 18 +- net/netfilter/nft_set_pipapo_avx2.c | 17 +- net/netfilter/nft_set_rbtree.c | 6 net/rxrpc/conn_event.c | 8 + net/tipc/bearer.c | 6 net/unix/garbage.c | 11 + sound/soc/amd/acp-config.c | 15 -- sound/usb/quirks.c | 38 +++-- tools/testing/selftests/net/cmsg_ipv6.sh | 4 tools/testing/selftests/net/pmtu.sh | 18 +- tools/testing/selftests/net/udpgro_fwd.sh | 14 + tools/testing/selftests/net/udpgso_bench_rx.c | 2 69 files changed, 519 insertions(+), 242 deletions(-) Abhinav Kumar (1): drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Alexander Aring (1): fs: dlm: don't put dlm_local_addrs on heap Alexander Tsoy (1): ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Antoine Tenart (1): tunnels: fix out of bounds access when building IPv6 PMTU error Baokun Li (1): ext4: regenerate buddy after block freeing failed if under fc replay Christophe JAILLET (2): dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Dan Carpenter (2): drm/i915/gvt: Fix uninitialized variable in handle_mmio() fs/ntfs3: Fix an NULL dereference bug David Howells (1): rxrpc: Fix response to PING RESPONSE ACKs to a dead call Eric Dumazet (3): netdevsim: avoid potential loop in nsim_dev_trap_report_work() inet: read sk->sk_family once in inet_recv_error() ppp_async: limit MRU to 64K Florian Westphal (3): netfilter: nft_set_pipapo: store index in scratch maps netfilter: nft_set_pipapo: add helper to release pcpu scratch area netfilter: nft_set_pipapo: remove scratch_aligned pointer Francesco Dolcini (1): mtd: parsers: ofpart: add workaround for #size-cells 0 Frank Li (1): dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Frederic Weisbecker (1): hrtimer: Report offline hrtimer enqueue Furong Xu (2): net: stmmac: xgmac: fix handling of DPP safety error for DMA channels net: stmmac: xgmac: fix a typo of register name in DPP safety handling Greg Kroah-Hartman (2): Revert "ASoC: amd: Add new dmi entries for acp5x platform" Linux 6.1.78 Guanhua Gao (1): dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Hans de Goede (1): Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Ivan Vecera (1): net: atlantic: Fix DMA mapping for PTP hwts ring JackBB Wu (1): USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Jai Luthra (1): dmaengine: ti: k3-udma: Report short packet errors Jakub Kicinski (1): selftests: cmsg_ipv6: repeat the exact packet Jens Axboe (2): io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers block: treat poll queue enter similarly to timeouts Jiri Wiesner (1): clocksource: Skip watchdog check for large watchdog intervals Johannes Berg (1): wifi: mac80211: fix waiting for beacons logic Julian Sikorski (1): ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Kuniyuki Iwashima (1): af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. Kuogee Hsieh (2): drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Leonard Dallmayr (1): USB: serial: cp210x: add ID for IMST iM871A-USB Loic Prylli (1): hwmon: (aspeed-pwm-tacho) mutex for tach reading Mike Marciniszyn (1): RDMA/irdma: Fix support for 64k pages Ming Lei (1): scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Pablo Neira Ayuso (5): netfilter: nft_compat: narrow down revision to unsigned 8-bits netfilter: nft_compat: reject unused compat flag netfilter: nft_compat: restrict match/target protocol to u16 netfilter: nft_ct: reject direction for ct id netfilter: nft_set_rbtree: skip end interval element from gc Paolo Abeni (2): selftests: net: cut more slack for gro fwd tests. selftests: net: avoid just another constant wait Prashanth K (2): usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Prathu Baronia (1): vhost: use kzalloc() instead of kmalloc() followed by memset() Puliang Lu (1): USB: serial: option: add Fibocom FM101-GL variant Sean Young (1): ALSA: usb-audio: add quirk for RODE NT-USB+ Sheng Yong (1): f2fs: add helper to check compression level Shigeru Yoshida (1): tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Shyam Prasad N (1): cifs: failure to add channel on iface should bump up weight Simon Horman (1): net: stmmac: xgmac: use #define for string constants Srinivasan Shanmugam (1): drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Takashi Iwai (1): ALSA: usb-audio: Sort quirk table entries Tejun Heo (1): blk-iocost: Fix an UBSAN shift-out-of-bounds warning Tony Lindgren (1): phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Werner Sembach (1): Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Yoshihiro Shimoda (1): phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Zhang Rui (2): hwmon: (coretemp) Fix out-of-bounds memory access hwmon: (coretemp) Fix bogus core_id to attr name mapping Zhipeng Lu (2): atm: idt77252: fix a memleak in open_card_ubr0 octeontx2-pf: Fix a memleak otx2_sq_init

1 year, 6 months

1
1
0 0

[PATCH v5] sparc: vDSO: fix return value of __setup handler

by Randy Dunlap

__setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from vdso_setup(). Fixes: 9a08862a5d2e ("vDSO for sparc") Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org> Reported-by: Igor Zhbanov <izh1979(a)gmail.com> Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: "David S. Miller" <davem(a)davemloft.net> Cc: sparclinux(a)vger.kernel.org Cc: Dan Carpenter <dan.carpenter(a)oracle.com> Cc: Nick Alcock <nick.alcock(a)oracle.com> Cc: Sam Ravnborg <sam(a)ravnborg.org> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: stable(a)vger.kernel.org Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Andreas Larsson <andreas(a)gaisler.com> --- v2: correct the Fixes: tag (Dan Carpenter) v3: add more Cc's; correct Igor's email address; change From: Igor to Reported-by: Igor; v4: add Arnd to Cc: list v5: add Andreas to Cc: list arch/sparc/vdso/vma.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff -- a/arch/sparc/vdso/vma.c b/arch/sparc/vdso/vma.c --- a/arch/sparc/vdso/vma.c +++ b/arch/sparc/vdso/vma.c @@ -449,9 +449,8 @@ static __init int vdso_setup(char *s) unsigned long val; err = kstrtoul(s, 10, &val); - if (err) - return err; - vdso_enabled = val; - return 0; + if (!err) + vdso_enabled = val; + return 1; } __setup("vdso=", vdso_setup);

1 year, 6 months

2
1
0 0

[PATCH v5] sparc64: NMI watchdog: fix return value of __setup handler

by Randy Dunlap

__setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from setup_nmi_watchdog(). Fixes: e5553a6d0442 ("sparc64: Implement NMI watchdog on capable cpus.") Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org> Reported-by: Igor Zhbanov <izh1979(a)gmail.com> Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: "David S. Miller" <davem(a)davemloft.net> Cc: sparclinux(a)vger.kernel.org Cc: Sam Ravnborg <sam(a)ravnborg.org> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: stable(a)vger.kernel.org Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Andreas Larsson <andreas(a)gaisler.com> --- v2: change From: Igor to Reported-by: add more Cc's v3: use Igor's current email address v4: add Arnd to Cc: list v5: add Andreas to Cc: list arch/sparc/kernel/nmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -- a/arch/sparc/kernel/nmi.c b/arch/sparc/kernel/nmi.c --- a/arch/sparc/kernel/nmi.c +++ b/arch/sparc/kernel/nmi.c @@ -279,7 +279,7 @@ static int __init setup_nmi_watchdog(cha if (!strncmp(str, "panic", 5)) panic_on_timeout = 1; - return 0; + return 1; } __setup("nmi_watchdog=", setup_nmi_watchdog);

1 year, 6 months

2
1
0 0

[PATCH v2] scsi: core: Consult supported VPD page list prior to fetching page

by Martin K. Petersen

Commit c92a6b5d6335 ("scsi: core: Query VPD size before getting full page") removed the logic which checks whether a VPD page is present on the supported pages list before asking for the page itself. That was done because SPC helpfully states "The Supported VPD Pages VPD page list may or may not include all the VPD pages that are able to be returned by the device server". Testing had revealed a few devices that supported some of the 0xBn pages but didn't actually list them in page 0. Julian Sikorski bisected a problem with his drive resetting during discovery to the commit above. As it turns out, this particular drive firmware will crash if we attempt to fetch page 0xB9. Various approaches were attempted to work around this. In the end, reinstating the logic that consults VPD page 0 before fetching any other page was the path of least resistance. A firmware update for the devices which originally compelled us to remove the check has since been released. Cc: stable(a)vger.kernel.org Cc: Bart Van Assche <bvanassche(a)acm.org> Fixes: c92a6b5d6335 ("scsi: core: Query VPD size before getting full page") Reported-by: Julian Sikorski <belegdol(a)gmail.com> Tested-by: Julian Sikorski <belegdol(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> --- v2: Address Bart's comments. --- drivers/scsi/scsi.c | 22 ++++++++++++++++++++-- include/scsi/scsi_device.h | 4 ---- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c index 76d369343c7a..8cad9792a562 100644 --- a/drivers/scsi/scsi.c +++ b/drivers/scsi/scsi.c @@ -328,21 +328,39 @@ static int scsi_vpd_inquiry(struct scsi_device *sdev, unsigned char *buffer, return result + 4; } +enum scsi_vpd_parameters { + SCSI_VPD_HEADER_SIZE = 4, + SCSI_VPD_LIST_SIZE = 36, +}; + static int scsi_get_vpd_size(struct scsi_device *sdev, u8 page) { - unsigned char vpd_header[SCSI_VPD_HEADER_SIZE] __aligned(4); + unsigned char vpd[SCSI_VPD_LIST_SIZE] __aligned(4); int result; if (sdev->no_vpd_size) return SCSI_DEFAULT_VPD_LEN; + /* + * Fetch the supported pages VPD and validate that the requested page + * number is present. + */ + if (page != 0) { + result = scsi_vpd_inquiry(sdev, vpd, 0, sizeof(vpd)); + if (result < SCSI_VPD_HEADER_SIZE) + return 0; + + result -= SCSI_VPD_HEADER_SIZE; + if (!memchr(&vpd[SCSI_VPD_HEADER_SIZE], page, result)) + return 0; + } /* * Fetch the VPD page header to find out how big the page * is. This is done to prevent problems on legacy devices * which can not handle allocation lengths as large as * potentially requested by the caller. */ - result = scsi_vpd_inquiry(sdev, vpd_header, page, sizeof(vpd_header)); + result = scsi_vpd_inquiry(sdev, vpd, page, SCSI_VPD_HEADER_SIZE); if (result < 0) return 0; diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h index cb019c80763b..72a6b3923fc7 100644 --- a/include/scsi/scsi_device.h +++ b/include/scsi/scsi_device.h @@ -100,10 +100,6 @@ struct scsi_vpd { unsigned char data[]; }; -enum scsi_vpd_parameters { - SCSI_VPD_HEADER_SIZE = 4, -}; - struct scsi_device { struct Scsi_Host *host; struct request_queue *request_queue; -- 2.42.1

1 year, 6 months

4
4
0 0

[PATCH v2] fs, USB gadget: Rework kiocb cancellation

by Bart Van Assche

Calling kiocb_set_cancel_fn() without knowing whether the caller submitted a struct kiocb or a struct aio_kiocb is unsafe. Fix this by introducing the cancel_kiocb() method in struct file_operations. The following call trace illustrates that without this patch an out-of-bounds write happens if I/O is submitted by io_uring (from a phone with an ARM CPU and kernel 6.1): WARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8 Call trace: kiocb_set_cancel_fn+0x9c/0xa8 ffs_epfile_read_iter+0x144/0x1d0 io_read+0x19c/0x498 io_issue_sqe+0x118/0x27c io_submit_sqes+0x25c/0x5fc __arm64_sys_io_uring_enter+0x104/0xab0 invoke_syscall+0x58/0x11c el0_svc_common+0xb4/0xf4 do_el0_svc+0x2c/0xb0 el0_svc+0x2c/0xa4 el0t_64_sync_handler+0x68/0xb4 el0t_64_sync+0x1a4/0x1a8 Several ideas in this patch come from the following patch: Christoph Hellwig, "[PATCH 08/32] aio: replace kiocb_set_cancel_fn with a cancel_kiocb file operation", May 2018 (https://lore.kernel.org/all/20180515194833.6906-9-hch@lst.de/). Cc: Christoph Hellwig <hch(a)lst.de> Cc: Avi Kivity <avi(a)scylladb.com> Cc: Sandeep Dhavale <dhavale(a)google.com> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/usb/gadget/function/f_fs.c | 19 +---- drivers/usb/gadget/legacy/inode.c | 12 +-- fs/aio.c | 129 +++++++++++++++++++---------- include/linux/aio.h | 7 -- include/linux/fs.h | 1 + 5 files changed, 90 insertions(+), 78 deletions(-) Changes compared to v1: - Fixed a race between request completion and addition to the list of active requests. - Changed the return type of .cancel_kiocb() from int into void. - Simplified the .cancel_kiocb() implementations. - Introduced the ki_opcode member in struct aio_kiocb. - aio_cancel_and_del() checks .ki_opcode before accessing union members. - Left out the include/include/mm changes. diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 6bff6cb93789..4837e3071263 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -31,7 +31,6 @@ #include <linux/usb/composite.h> #include <linux/usb/functionfs.h> -#include <linux/aio.h> #include <linux/kthread.h> #include <linux/poll.h> #include <linux/eventfd.h> @@ -1157,23 +1156,16 @@ ffs_epfile_open(struct inode *inode, struct file *file) return stream_open(inode, file); } -static int ffs_aio_cancel(struct kiocb *kiocb) +static void ffs_epfile_cancel_kiocb(struct kiocb *kiocb) { struct ffs_io_data *io_data = kiocb->private; struct ffs_epfile *epfile = kiocb->ki_filp->private_data; unsigned long flags; - int value; spin_lock_irqsave(&epfile->ffs->eps_lock, flags); - if (io_data && io_data->ep && io_data->req) - value = usb_ep_dequeue(io_data->ep, io_data->req); - else - value = -EINVAL; - + usb_ep_dequeue(io_data->ep, io_data->req); spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags); - - return value; } static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from) @@ -1198,9 +1190,6 @@ static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from) kiocb->private = p; - if (p->aio) - kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); - res = ffs_epfile_io(kiocb->ki_filp, p); if (res == -EIOCBQUEUED) return res; @@ -1242,9 +1231,6 @@ static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to) kiocb->private = p; - if (p->aio) - kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); - res = ffs_epfile_io(kiocb->ki_filp, p); if (res == -EIOCBQUEUED) return res; @@ -1356,6 +1342,7 @@ static const struct file_operations ffs_epfile_operations = { .release = ffs_epfile_release, .unlocked_ioctl = ffs_epfile_ioctl, .compat_ioctl = compat_ptr_ioctl, + .cancel_kiocb = ffs_epfile_cancel_kiocb, }; diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c index 03179b1880fd..c2cf7fca6937 100644 --- a/drivers/usb/gadget/legacy/inode.c +++ b/drivers/usb/gadget/legacy/inode.c @@ -22,7 +22,6 @@ #include <linux/slab.h> #include <linux/poll.h> #include <linux/kthread.h> -#include <linux/aio.h> #include <linux/uio.h> #include <linux/refcount.h> #include <linux/delay.h> @@ -446,23 +445,18 @@ struct kiocb_priv { unsigned actual; }; -static int ep_aio_cancel(struct kiocb *iocb) +static void ep_cancel_kiocb(struct kiocb *iocb) { struct kiocb_priv *priv = iocb->private; struct ep_data *epdata; - int value; local_irq_disable(); epdata = priv->epdata; // spin_lock(&epdata->dev->lock); if (likely(epdata && epdata->ep && priv->req)) - value = usb_ep_dequeue (epdata->ep, priv->req); - else - value = -EINVAL; + usb_ep_dequeue(epdata->ep, priv->req); // spin_unlock(&epdata->dev->lock); local_irq_enable(); - - return value; } static void ep_user_copy_worker(struct work_struct *work) @@ -537,7 +531,6 @@ static ssize_t ep_aio(struct kiocb *iocb, iocb->private = priv; priv->iocb = iocb; - kiocb_set_cancel_fn(iocb, ep_aio_cancel); get_ep(epdata); priv->epdata = epdata; priv->actual = 0; @@ -709,6 +702,7 @@ static const struct file_operations ep_io_operations = { .unlocked_ioctl = ep_ioctl, .read_iter = ep_read_iter, .write_iter = ep_write_iter, + .cancel_kiocb = ep_cancel_kiocb, }; /* ENDPOINT INITIALIZATION diff --git a/fs/aio.c b/fs/aio.c index bb2ff48991f3..9dc0be703aa6 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -203,7 +203,6 @@ struct aio_kiocb { }; struct kioctx *ki_ctx; - kiocb_cancel_fn *ki_cancel; struct io_event ki_res; @@ -211,6 +210,8 @@ struct aio_kiocb { * for cancellation */ refcount_t ki_refcnt; + u16 ki_opcode; /* IOCB_CMD_* */ + /* * If the aio_resfd field of the userspace iocb is not zero, * this is the underlying eventfd context to deliver events to. @@ -587,22 +588,6 @@ static int aio_setup_ring(struct kioctx *ctx, unsigned int nr_events) #define AIO_EVENTS_FIRST_PAGE ((PAGE_SIZE - sizeof(struct aio_ring)) / sizeof(struct io_event)) #define AIO_EVENTS_OFFSET (AIO_EVENTS_PER_PAGE - AIO_EVENTS_FIRST_PAGE) -void kiocb_set_cancel_fn(struct kiocb *iocb, kiocb_cancel_fn *cancel) -{ - struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw); - struct kioctx *ctx = req->ki_ctx; - unsigned long flags; - - if (WARN_ON_ONCE(!list_empty(&req->ki_list))) - return; - - spin_lock_irqsave(&ctx->ctx_lock, flags); - list_add_tail(&req->ki_list, &ctx->active_reqs); - req->ki_cancel = cancel; - spin_unlock_irqrestore(&ctx->ctx_lock, flags); -} -EXPORT_SYMBOL(kiocb_set_cancel_fn); - /* * free_ioctx() should be RCU delayed to synchronize against the RCU * protected lookup_ioctx() and also needs process context to call @@ -634,6 +619,8 @@ static void free_ioctx_reqs(struct percpu_ref *ref) queue_rcu_work(system_wq, &ctx->free_rwork); } +static void aio_cancel_and_del(struct aio_kiocb *req); + /* * When this function runs, the kioctx has been removed from the "hash table" * and ctx->users has dropped to 0, so we know no more kiocbs can be submitted - @@ -649,8 +636,7 @@ static void free_ioctx_users(struct percpu_ref *ref) while (!list_empty(&ctx->active_reqs)) { req = list_first_entry(&ctx->active_reqs, struct aio_kiocb, ki_list); - req->ki_cancel(&req->rw); - list_del_init(&req->ki_list); + aio_cancel_and_del(req); } spin_unlock_irq(&ctx->ctx_lock); @@ -1552,6 +1538,24 @@ static ssize_t aio_setup_rw(int rw, const struct iocb *iocb, return __import_iovec(rw, buf, len, UIO_FASTIOV, iovec, iter, compat); } +static void aio_add_rw_to_active_reqs(struct kiocb *req) +{ + struct aio_kiocb *aio = container_of(req, struct aio_kiocb, rw); + struct kioctx *ctx = aio->ki_ctx; + unsigned long flags; + + /* + * If the .cancel_kiocb() callback has been set, add the request + * to the list of active requests. + */ + if (!req->ki_filp->f_op->cancel_kiocb) + return; + + spin_lock_irqsave(&ctx->ctx_lock, flags); + list_add_tail(&aio->ki_list, &ctx->active_reqs); + spin_unlock_irqrestore(&ctx->ctx_lock, flags); +} + static inline void aio_rw_done(struct kiocb *req, ssize_t ret) { switch (ret) { @@ -1593,8 +1597,10 @@ static int aio_read(struct kiocb *req, const struct iocb *iocb, if (ret < 0) return ret; ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter)); - if (!ret) + if (!ret) { + aio_add_rw_to_active_reqs(req); aio_rw_done(req, call_read_iter(file, req, &iter)); + } kfree(iovec); return ret; } @@ -1622,6 +1628,7 @@ static int aio_write(struct kiocb *req, const struct iocb *iocb, return ret; ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter)); if (!ret) { + aio_add_rw_to_active_reqs(req); if (S_ISREG(file_inode(file)->i_mode)) kiocb_start_write(req); req->ki_flags |= IOCB_WRITE; @@ -1715,6 +1722,54 @@ static void poll_iocb_unlock_wq(struct poll_iocb *req) rcu_read_unlock(); } +/* Must be called only for IOCB_CMD_POLL requests. */ +static void aio_poll_cancel(struct aio_kiocb *aiocb) +{ + struct poll_iocb *req = &aiocb->poll; + struct kioctx *ctx = aiocb->ki_ctx; + + lockdep_assert_held(&ctx->ctx_lock); + + if (!poll_iocb_lock_wq(req)) + return; + + WRITE_ONCE(req->cancelled, true); + if (!req->work_scheduled) { + schedule_work(&aiocb->poll.work); + req->work_scheduled = true; + } + poll_iocb_unlock_wq(req); +} + +static void aio_cancel_and_del(struct aio_kiocb *req) +{ + void (*cancel_kiocb)(struct kiocb *) = + req->rw.ki_filp->f_op->cancel_kiocb; + struct kioctx *ctx = req->ki_ctx; + + lockdep_assert_held(&ctx->ctx_lock); + + switch (req->ki_opcode) { + case IOCB_CMD_PREAD: + case IOCB_CMD_PWRITE: + case IOCB_CMD_PREADV: + case IOCB_CMD_PWRITEV: + if (cancel_kiocb) + cancel_kiocb(&req->rw); + break; + case IOCB_CMD_FSYNC: + case IOCB_CMD_FDSYNC: + break; + case IOCB_CMD_POLL: + aio_poll_cancel(req); + break; + default: + WARN_ONCE(true, "invalid aio operation %d\n", req->ki_opcode); + } + + list_del_init(&req->ki_list); +} + static void aio_poll_complete_work(struct work_struct *work) { struct poll_iocb *req = container_of(work, struct poll_iocb, work); @@ -1727,11 +1782,11 @@ static void aio_poll_complete_work(struct work_struct *work) mask = vfs_poll(req->file, &pt) & req->events; /* - * Note that ->ki_cancel callers also delete iocb from active_reqs after - * calling ->ki_cancel. We need the ctx_lock roundtrip here to - * synchronize with them. In the cancellation case the list_del_init - * itself is not actually needed, but harmless so we keep it in to - * avoid further branches in the fast path. + * aio_cancel_and_del() deletes the iocb from the active_reqs list. We + * need the ctx_lock here to synchronize with aio_cancel_and_del(). In + * the cancellation case the list_del_init itself is not actually + * needed, but harmless so we keep it in to avoid further branches in + * the fast path. */ spin_lock_irq(&ctx->ctx_lock); if (poll_iocb_lock_wq(req)) { @@ -1760,24 +1815,6 @@ static void aio_poll_complete_work(struct work_struct *work) iocb_put(iocb); } -/* assumes we are called with irqs disabled */ -static int aio_poll_cancel(struct kiocb *iocb) -{ - struct aio_kiocb *aiocb = container_of(iocb, struct aio_kiocb, rw); - struct poll_iocb *req = &aiocb->poll; - - if (poll_iocb_lock_wq(req)) { - WRITE_ONCE(req->cancelled, true); - if (!req->work_scheduled) { - schedule_work(&aiocb->poll.work); - req->work_scheduled = true; - } - poll_iocb_unlock_wq(req); - } /* else, the request was force-cancelled by POLLFREE already */ - - return 0; -} - static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync, void *key) { @@ -1945,7 +1982,6 @@ static int aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb) * active_reqs so that it can be cancelled if needed. */ list_add_tail(&aiocb->ki_list, &ctx->active_reqs); - aiocb->ki_cancel = aio_poll_cancel; } if (on_queue) poll_iocb_unlock_wq(req); @@ -1993,6 +2029,8 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb, req->ki_res.res = 0; req->ki_res.res2 = 0; + req->ki_opcode = iocb->aio_lio_opcode; + switch (iocb->aio_lio_opcode) { case IOCB_CMD_PREAD: return aio_read(&req->rw, iocb, false, compat); @@ -2189,8 +2227,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, /* TODO: use a hash or array, this sucks. */ list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) { if (kiocb->ki_res.obj == obj) { - ret = kiocb->ki_cancel(&kiocb->rw); - list_del_init(&kiocb->ki_list); + aio_cancel_and_del(kiocb); break; } } diff --git a/include/linux/aio.h b/include/linux/aio.h index 86892a4fe7c8..2aa6d0be3171 100644 --- a/include/linux/aio.h +++ b/include/linux/aio.h @@ -4,20 +4,13 @@ #include <linux/aio_abi.h> -struct kioctx; -struct kiocb; struct mm_struct; -typedef int (kiocb_cancel_fn)(struct kiocb *); - /* prototypes */ #ifdef CONFIG_AIO extern void exit_aio(struct mm_struct *mm); -void kiocb_set_cancel_fn(struct kiocb *req, kiocb_cancel_fn *cancel); #else static inline void exit_aio(struct mm_struct *mm) { } -static inline void kiocb_set_cancel_fn(struct kiocb *req, - kiocb_cancel_fn *cancel) { } #endif /* CONFIG_AIO */ #endif /* __LINUX__AIO_H */ diff --git a/include/linux/fs.h b/include/linux/fs.h index ed5966a70495..7ec714878637 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2021,6 +2021,7 @@ struct file_operations { int (*uring_cmd)(struct io_uring_cmd *ioucmd, unsigned int issue_flags); int (*uring_cmd_iopoll)(struct io_uring_cmd *, struct io_comp_batch *, unsigned int poll_flags); + void (*cancel_kiocb)(struct kiocb *); } __randomize_layout; /* Wrap a directory iterator that needs exclusive inode access */

1 year, 6 months

3
9
0 0

6.8-rc: system freezes after resuming from suspend

by Trolli Schmittlauch

I've found a regression somewhere between 6.7.4 and 6.8.0-rc0 that causes my Framework 7840 AMD laptop to freeze after waking it from a suspend. I can reliably trigger the issue, but unfortunately cannot provide useful logs for now and hope to get some help with doing so. How to reproduce ---------------- The last working kernel release was 6.7.4, the issue appeared in all 6.8 release candidates from 1-4. 1. normally boot the system with a 6.8 kernel 2. suspend and resume the system 2 to 4 times. Usually, the freeze already occurs at the 2nd resume. 2.1 graphical approach: I've reproduced this directly from the "Suspend" button in my SDDM display manager (X11) 2.2 TTY approach: You can also directly swith to a tty after boot, log in, and then issue `systemctl suspend` 2 to 4 times 3. After resume number 2 or later, the system freezes while resuming and cannot be used anymore. The screen is switched on and displays something, but no inputs are processed and the image is static. 3.1 graphical approach: When suspending and resuming by closing and opening the laptop lid, the screen is black with the cursor displayed. When doing so while keeping the lid open, the display manager's background image and a cursor are displayed, but only statically frozen. No keyboard or touchpad input is processed. 3.2 on a TTY: When suspending and resuming from a tty, a few kernel messages still manage to be printed, but after that no new information is displayed. E.g. when keeping a `journalctl -f` session open in another tmux pane, that journal output does not update anymore. Keyboard inputs are not processed anymore. Nonetheless, the cursor continues to blink regulary. I've attached two screenshots showing the situation with kernels 6.7.4 (working) and 6.8 (broken). Detailed Description -------------------- In most cases, the freeze already occurs after the 2nd suspend-resume-cycle. Unfortunately, this freeze also appears to block IO, as after a forced hard reboot I cannot retrieve relevant information from `journalctl -b "-1"`. The last retrievable log messages are from the successful suspend action. I welcome any recommendation on how to retrieve valuable information. I have not yet played around with cmdline parameters relevant for debug. System Details -------------- Distro: NixOS 23.11, kernel 6.8 rc1-4 compiled manually kernel: Linux version 6.8.0-rc4 (nixbld@localhost) (gcc (GCC) 12.3.0, GNU ld (GNU Binutils) 2.40) #1-NixOS SMP PREEMPT_DYNAMIC Sun Feb 11 20:18:13 UTC 2024 hardware: Framework 13 laptop, 7840 AMD series, CPU AMD Ryzen 7 7840U x86_64 In the attachments you find: - the used kernel config - my cmdline params - 2 screenshots from the bug occuring when triggered from a tty Next Steps ---------- I intend to bisect the issue, but this can take a while due to the need for manual testing and a kernel compile cycle requiring >30min for now. I am mostly reporting this now already to still raise awareness in the RC phase and to have something where I can point other Framework laptop users towards for reproduction of the bug. All the best schmittlauch Disclaimer: I read the kernel docs on reporting issues, IMHO these were a bit unclear on whether RC kernels are in the scope of the stable and regressions lists. If they aren't please point me to where to do this. So far I had only reported bugs via the bugzilla.

1 year, 6 months

1
0
0 0

[PATCH] usb: dwc3: gadget: Don't disconnect if not started

by Thinh Nguyen

Don't go through soft-disconnection sequence if the controller hasn't started. Otherwise, there will be timeout and warning reports from the soft-disconnection flow. Cc: stable(a)vger.kernel.org Fixes: 61a348857e86 ("usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend") Reported-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Closes: https://lore.kernel.org/linux-usb/20240215233536.7yejlj3zzkl23vjd@synopsys.… Tested-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Signed-off-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> --- drivers/usb/dwc3/gadget.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 4c8dd6724678..28f49400f3e8 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -2650,6 +2650,11 @@ static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc) int ret; spin_lock_irqsave(&dwc->lock, flags); + if (!dwc->pullups_connected) { + spin_unlock_irqrestore(&dwc->lock, flags); + return 0; + } + dwc->connected = false; /* base-commit: 7d708c145b2631941b8b0b4a740dc2990818c39c -- 2.28.0

1 year, 6 months

1
0
0 0

[PATCH v3] usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend

by Uttkarsh Aggarwal

In current scenario if Plug-out and Plug-In performed continuously there could be a chance while checking for dwc->gadget_driver in dwc3_gadget_suspend, a NULL pointer dereference may occur. Call Stack: CPU1: CPU2: gadget_unbind_driver dwc3_suspend_common dwc3_gadget_stop dwc3_gadget_suspend dwc3_disconnect_gadget CPU1 basically clears the variable and CPU2 checks the variable. Consider CPU1 is running and right before gadget_driver is cleared and in parallel CPU2 executes dwc3_gadget_suspend where it finds dwc->gadget_driver which is not NULL and resumes execution and then CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where it checks dwc->gadget_driver is already NULL because of which the NULL pointer deference occur. Cc: <stable(a)vger.kernel.org> Fixes: 9772b47a4c29 ("usb: dwc3: gadget: Fix suspend/resume during device mode") Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Uttkarsh Aggarwal <quic_uaggarwa(a)quicinc.com> --- changes in v3: Corrected fixes tag and typo mistake in commit message dw3_gadget_stop -> dwc3_gadget_stop. Link to v2: https://lore.kernel.org/linux-usb/CAKzKK0r8RUqgXy1o5dndU21KuTKtyZ5rn5Fb9sZq… Changes in v2: Added cc and fixes tag missing in v1. Link to v1: https://lore.kernel.org/linux-usb/20240110095532.4776-1-quic_uaggarwa@quici… drivers/usb/dwc3/gadget.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 019368f8e9c4..564976b3e2b9 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4709,15 +4709,13 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) unsigned long flags; int ret; - if (!dwc->gadget_driver) - return 0; - ret = dwc3_gadget_soft_disconnect(dwc); if (ret) goto err; spin_lock_irqsave(&dwc->lock, flags); - dwc3_disconnect_gadget(dwc); + if (dwc->gadget_driver) + dwc3_disconnect_gadget(dwc); spin_unlock_irqrestore(&dwc->lock, flags); return 0; -- 2.17.1

1 year, 6 months

3
4
0 0

[PATCH] arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata

by Easwar Hariharan

Add the MIDR value of Microsoft Azure Cobalt 100, which is a Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and therefore suffers from all the same errata. CC: Mark Rutland <mark.rutland(a)arm.com> CC: Marc Zyngier <maz(a)kernel.org> CC: Anshuman Khandual <anshuman.khandual(a)arm.com> CC: stable(a)vger.kernel.org # 5.15+ Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> --- Documentation/arch/arm64/silicon-errata.rst | 7 +++++++ arch/arm64/include/asm/cputype.h | 4 ++++ arch/arm64/kernel/cpu_errata.c | 3 +++ 3 files changed, 14 insertions(+) diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst index e8c2ce1f9df6..45a7f4932fe0 100644 --- a/Documentation/arch/arm64/silicon-errata.rst +++ b/Documentation/arch/arm64/silicon-errata.rst @@ -243,3 +243,10 @@ stable kernels. +----------------+-----------------+-----------------+-----------------------------+ | ASR | ASR8601 | #8601001 | N/A | +----------------+-----------------+-----------------+-----------------------------+ ++----------------+-----------------+-----------------+-----------------------------+ +| Microsoft | Azure Cobalt 100| #2139208 | ARM64_ERRATUM_2139208 | ++----------------+-----------------+-----------------+-----------------------------+ +| Microsoft | Azure Cobalt 100| #2067961 | ARM64_ERRATUM_2067961 | ++----------------+-----------------+-----------------+-----------------------------+ +| Microsoft | Azure Cobalt 100| #2253138 | ARM64_ERRATUM_2253138 | ++----------------+-----------------+-----------------+-----------------------------+ diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h index 7c7493cb571f..a632a7514e55 100644 --- a/arch/arm64/include/asm/cputype.h +++ b/arch/arm64/include/asm/cputype.h @@ -61,6 +61,7 @@ #define ARM_CPU_IMP_HISI 0x48 #define ARM_CPU_IMP_APPLE 0x61 #define ARM_CPU_IMP_AMPERE 0xC0 +#define ARM_CPU_IMP_MICROSOFT 0x6D #define ARM_CPU_PART_AEM_V8 0xD0F #define ARM_CPU_PART_FOUNDATION 0xD00 @@ -135,6 +136,8 @@ #define AMPERE_CPU_PART_AMPERE1 0xAC3 +#define MSFT_CPU_PART_AZURE_COBALT_100 0xD49 /* Based on r0p0 of ARM Neoverse N2 */ + #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) @@ -193,6 +196,7 @@ #define MIDR_APPLE_M2_BLIZZARD_MAX MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M2_BLIZZARD_MAX) #define MIDR_APPLE_M2_AVALANCHE_MAX MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M2_AVALANCHE_MAX) #define MIDR_AMPERE1 MIDR_CPU_MODEL(ARM_CPU_IMP_AMPERE, AMPERE_CPU_PART_AMPERE1) +#define MIDR_MICROSOFT_AZURE_COBALT_100 MIDR_CPU_MODEL(ARM_CPU_IMP_MICROSOFT, MSFT_CPU_PART_AZURE_COBALT_100) /* Fujitsu Erratum 010001 affects A64FX 1.0 and 1.1, (v0r0 and v1r0) */ #define MIDR_FUJITSU_ERRATUM_010001 MIDR_FUJITSU_A64FX diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c index 967c7c7a4e7d..76b8dd37092a 100644 --- a/arch/arm64/kernel/cpu_errata.c +++ b/arch/arm64/kernel/cpu_errata.c @@ -374,6 +374,7 @@ static const struct midr_range erratum_1463225[] = { static const struct midr_range trbe_overwrite_fill_mode_cpus[] = { #ifdef CONFIG_ARM64_ERRATUM_2139208 MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), #endif #ifdef CONFIG_ARM64_ERRATUM_2119858 MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), @@ -387,6 +388,7 @@ static const struct midr_range trbe_overwrite_fill_mode_cpus[] = { static const struct midr_range tsb_flush_fail_cpus[] = { #ifdef CONFIG_ARM64_ERRATUM_2067961 MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), #endif #ifdef CONFIG_ARM64_ERRATUM_2054223 MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), @@ -399,6 +401,7 @@ static const struct midr_range tsb_flush_fail_cpus[] = { static struct midr_range trbe_write_out_of_range_cpus[] = { #ifdef CONFIG_ARM64_ERRATUM_2253138 MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), #endif #ifdef CONFIG_ARM64_ERRATUM_2224489 MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), -- 2.34.1

1 year, 6 months

3
4
0 0

[for-linus][PATCH 2/4] tracing/synthetic: Fix trace_string() return value

by Steven Rostedt

From: Thorsten Blum <thorsten.blum(a)toblux.com> Fix trace_string() by assigning the string length to the return variable which got lost in commit ddeea494a16f ("tracing/synthetic: Use union instead of casts") and caused trace_string() to always return 0. Link: https://lore.kernel.org/linux-trace-kernel/20240214220555.711598-1-thorsten… Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Fixes: ddeea494a16f ("tracing/synthetic: Use union instead of casts") Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Thorsten Blum <thorsten.blum(a)toblux.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events_synth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c index e7af286af4f1..c82b401a294d 100644 --- a/kernel/trace/trace_events_synth.c +++ b/kernel/trace/trace_events_synth.c @@ -441,8 +441,9 @@ static unsigned int trace_string(struct synth_trace_event *entry, if (is_dynamic) { union trace_synth_field *data = &entry->fields[*n_u64]; + len = fetch_store_strlen((unsigned long)str_val); data->as_dynamic.offset = struct_size(entry, fields, event->n_u64) + data_size; - data->as_dynamic.len = fetch_store_strlen((unsigned long)str_val); + data->as_dynamic.len = len; ret = fetch_store_string((unsigned long)str_val, &entry->fields[*n_u64], entry); -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH 6.1 00/65] 6.1.78-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.78 release. There are 65 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 16 Feb 2024 14:28:54 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.78-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.78-rc2 Furong Xu <0x1207(a)gmail.com> net: stmmac: xgmac: fix a typo of register name in DPP safety handling Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Sort quirk table entries Simon Horman <horms(a)kernel.org> net: stmmac: xgmac: use #define for string constants Jiri Wiesner <jwiesner(a)suse.de> clocksource: Skip watchdog check for large watchdog intervals Jens Axboe <axboe(a)kernel.dk> block: treat poll queue enter similarly to timeouts Sheng Yong <shengyong(a)oppo.com> f2fs: add helper to check compression level Mike Marciniszyn <mike.marciniszyn(a)intel.com> RDMA/irdma: Fix support for 64k pages Prathu Baronia <prathubaronia2011(a)gmail.com> vhost: use kzalloc() instead of kmalloc() followed by memset() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ASoC: amd: Add new dmi entries for acp5x platform" Jens Axboe <axboe(a)kernel.dk> io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Frederic Weisbecker <frederic(a)kernel.org> hrtimer: Report offline hrtimer enqueue Prashanth K <quic_prashk(a)quicinc.com> usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Leonard Dallmayr <leonard.dallmayr(a)mailbox.org> USB: serial: cp210x: add ID for IMST iM871A-USB Puliang Lu <puliang.lu(a)fibocom.com> USB: serial: option: add Fibocom FM101-GL variant JackBB Wu <wojackbb(a)gmail.com> USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Sean Young <sean(a)mess.org> ALSA: usb-audio: add quirk for RODE NT-USB+ Julian Sikorski <belegdol+github(a)gmail.com> ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Alexander Tsoy <alexander(a)tsoy.me> ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Francesco Dolcini <francesco.dolcini(a)toradex.com> mtd: parsers: ofpart: add workaround for #size-cells 0 Alexander Aring <aahringo(a)redhat.com> fs: dlm: don't put dlm_local_addrs on heap Tejun Heo <tj(a)kernel.org> blk-iocost: Fix an UBSAN shift-out-of-bounds warning Ming Lei <ming.lei(a)redhat.com> scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Dan Carpenter <dan.carpenter(a)linaro.org> fs/ntfs3: Fix an NULL dereference bug Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove scratch_aligned pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: add helper to release pcpu scratch area Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: store index in scratch maps Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_ct: reject direction for ct id Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: restrict match/target protocol to u16 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: reject unused compat flag Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: narrow down revision to unsigned 8-bits Jakub Kicinski <kuba(a)kernel.org> selftests: cmsg_ipv6: repeat the exact packet Eric Dumazet <edumazet(a)google.com> ppp_async: limit MRU to 64K Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. Shigeru Yoshida <syoshida(a)redhat.com> tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() David Howells <dhowells(a)redhat.com> rxrpc: Fix response to PING RESPONSE ACKs to a dead call Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/gvt: Fix uninitialized variable in handle_mmio() Eric Dumazet <edumazet(a)google.com> inet: read sk->sk_family once in inet_recv_error() Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix bogus core_id to attr name mapping Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix out-of-bounds memory access Loic Prylli <lprylli(a)netflix.com> hwmon: (aspeed-pwm-tacho) mutex for tach reading Zhipeng Lu <alexious(a)zju.edu.cn> octeontx2-pf: Fix a memleak otx2_sq_init Zhipeng Lu <alexious(a)zju.edu.cn> atm: idt77252: fix a memleak in open_card_ubr0 Antoine Tenart <atenart(a)kernel.org> tunnels: fix out of bounds access when building IPv6 PMTU error Paolo Abeni <pabeni(a)redhat.com> selftests: net: avoid just another constant wait Paolo Abeni <pabeni(a)redhat.com> selftests: net: cut more slack for gro fwd tests. Ivan Vecera <ivecera(a)redhat.com> net: atlantic: Fix DMA mapping for PTP hwts ring Eric Dumazet <edumazet(a)google.com> netdevsim: avoid potential loop in nsim_dev_trap_report_work() Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix waiting for beacons logic Furong Xu <0x1207(a)gmail.com> net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case Shyam Prasad N <sprasad(a)microsoft.com> cifs: failure to add channel on iface should bump up weight Tony Lindgren <tony(a)atomide.com> phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Frank Li <Frank.Li(a)nxp.com> dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Jai Luthra <j-luthra(a)ti.com> dmaengine: ti: k3-udma: Report short packet errors Guanhua Gao <guanhua.gao(a)nxp.com> dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Baokun Li <libaokun1(a)huawei.com> ext4: regenerate buddy after block freeing failed if under fc replay ------------- Diffstat: Makefile | 4 +- block/blk-core.c | 11 ++- block/blk-iocost.c | 7 ++ drivers/atm/idt77252.c | 2 + drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 +- drivers/dma/fsl-qdma.c | 27 ++---- drivers/dma/ti/k3-udma.c | 10 +- .../drm/amd/display/dc/dcn301/dcn301_resource.c | 2 +- drivers/gpu/drm/i915/gvt/handlers.c | 3 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 +- drivers/gpu/drm/msm/dp/dp_ctrl.c | 5 - drivers/gpu/drm/msm/dp/dp_link.c | 22 +++-- drivers/gpu/drm/msm/dp/dp_reg.h | 3 + drivers/hwmon/aspeed-pwm-tacho.c | 7 ++ drivers/hwmon/coretemp.c | 40 ++++---- drivers/infiniband/hw/irdma/verbs.c | 2 +- drivers/input/keyboard/atkbd.c | 13 ++- drivers/input/serio/i8042-acpipnpio.h | 6 ++ drivers/mtd/parsers/ofpart_core.c | 19 ++++ drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 +- drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 +++ drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 + .../ethernet/marvell/octeontx2/nic/otx2_common.c | 14 ++- drivers/net/ethernet/stmicro/stmmac/common.h | 1 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 + .../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 58 ++++++++++- drivers/net/netdevsim/dev.c | 8 +- drivers/net/ppp/ppp_async.c | 4 + drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 - drivers/phy/ti/phy-omap-usb2.c | 4 +- drivers/scsi/scsi_error.c | 3 +- drivers/scsi/scsi_lib.c | 4 +- drivers/usb/dwc3/host.c | 4 +- drivers/usb/host/xhci-plat.c | 3 + drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 1 + drivers/usb/serial/qcserial.c | 2 + drivers/vhost/vhost.c | 5 +- fs/dlm/lowcomms.c | 38 +++----- fs/ext4/mballoc.c | 20 ++++ fs/f2fs/compress.c | 27 ++++++ fs/f2fs/f2fs.h | 2 + fs/f2fs/super.c | 4 +- fs/ntfs3/ntfs_fs.h | 2 +- fs/smb/client/sess.c | 2 + include/linux/dmaengine.h | 3 +- include/linux/hrtimer.h | 4 +- include/uapi/linux/netfilter/nf_tables.h | 2 + io_uring/net.c | 1 + kernel/time/clocksource.c | 25 ++++- kernel/time/hrtimer.c | 3 + net/ipv4/af_inet.c | 6 +- net/ipv4/ip_tunnel_core.c | 2 +- net/mac80211/mlme.c | 3 +- net/netfilter/nft_compat.c | 17 +++- net/netfilter/nft_ct.c | 3 + net/netfilter/nft_set_pipapo.c | 108 ++++++++++----------- net/netfilter/nft_set_pipapo.h | 18 +++- net/netfilter/nft_set_pipapo_avx2.c | 17 ++-- net/rxrpc/conn_event.c | 8 ++ net/tipc/bearer.c | 6 ++ net/unix/garbage.c | 11 +++ sound/soc/amd/acp-config.c | 15 +-- sound/usb/quirks.c | 38 +++++--- tools/testing/selftests/net/cmsg_ipv6.sh | 4 +- tools/testing/selftests/net/pmtu.sh | 18 +++- tools/testing/selftests/net/udpgro_fwd.sh | 14 ++- tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- 68 files changed, 517 insertions(+), 240 deletions(-)

1 year, 6 months

9
11
0 0

7840U amdgpu MMVM_L2_PROTECTION_FAULT_STATUS

by Michael Zimmermann

I have a Framework 13 with a 7840U and started having massive GPU driver issues a few weeks ago (including system freezes). Unfortunately the information of when exactly this started to happen is gone, but It should be somewhere in between 6.6.0 and 6.7.4. I got many different and random dmesg-errors and system behaviors, but I currently can only reproduce one, so let's focus on that for now. First some basic info: I'm on Arch Linux using the `linux` kernel package.(currently at 6.7.4). I have an external monitor connected via a thinkpad thunderbolt 4 dock. I am using amdgpu.sg_display=0 and VRAM sharing is configured to UMA_GAME_OPTIMIZED in the firmware settings. If I start playing a youtube video in firefox with hardware acceleration enabled, it stutters until it stops playing after a few seconds. I can see this in the kernel log. I see this multiple times for many different addresses. [ 5641.070540] amdgpu 0000:c1:00.0: amdgpu: [mmhub] page fault (src_id:0 ring:40 vmid:1 pasid:32786, for process RDD Process pid 3680 thread firefox-bi:cs0 pid 3852) [ 5641.070549] amdgpu 0000:c1:00.0: amdgpu: in page starting at address 0x0000000000020000 from client 18 [ 5641.070553] amdgpu 0000:c1:00.0: amdgpu: MMVM_L2_PROTECTION_FAULT_STATUS:0x00143A51 [ 5641.070556] amdgpu 0000:c1:00.0: amdgpu: Faulty UTCL2 client ID: unknown (0x1d) [ 5641.070559] amdgpu 0000:c1:00.0: amdgpu: MORE_FAULTS: 0x1 [ 5641.070561] amdgpu 0000:c1:00.0: amdgpu: WALKER_ERROR: 0x0 [ 5641.070563] amdgpu 0000:c1:00.0: amdgpu: PERMISSION_FAULTS: 0x5 [ 5641.070565] amdgpu 0000:c1:00.0: amdgpu: MAPPING_ERROR: 0x0 [ 5641.070567] amdgpu 0000:c1:00.0: amdgpu: RW: 0x1 Thanks Michael

1 year, 6 months

2
1
0 0

[PATCH 6.6 000/124] 6.6.17-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.17 release. There are 124 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 16 Feb 2024 14:22:24 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.17-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.17-rc2 Furong Xu <0x1207(a)gmail.com> net: stmmac: xgmac: fix a typo of register name in DPP safety handling Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Sort quirk table entries Simon Horman <horms(a)kernel.org> net: stmmac: xgmac: use #define for string constants Jens Axboe <axboe(a)kernel.dk> io_uring/net: limit inline multishot retries Jens Axboe <axboe(a)kernel.dk> io_uring/poll: add requeue return code from poll multishot handling Jens Axboe <axboe(a)kernel.dk> io_uring/net: un-indent mshot retry path in io_recv_finish() Jens Axboe <axboe(a)kernel.dk> io_uring/poll: move poll execution helpers higher up Jens Axboe <axboe(a)kernel.dk> io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers Aurelien Jarno <aurelien(a)aurel32.net> media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ASoC: amd: Add new dmi entries for acp5x platform" Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Frederic Weisbecker <frederic(a)kernel.org> hrtimer: Report offline hrtimer enqueue Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: add support for the Intel Arrow Lake-H Michal Pecio <michal.pecio(a)gmail.com> xhci: handle isoc Babble and Buffer Overrun events properly Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: process isoc TD properly when there was a transaction error mid TD. Prashanth K <quic_prashk(a)quicinc.com> usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups Badhri Jagan Sridharan <badhri(a)google.com> Revert "usb: typec: tcpm: fix cc role at port reset" Leonard Dallmayr <leonard.dallmayr(a)mailbox.org> USB: serial: cp210x: add ID for IMST iM871A-USB Puliang Lu <puliang.lu(a)fibocom.com> USB: serial: option: add Fibocom FM101-GL variant JackBB Wu <wojackbb(a)gmail.com> USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Sean Young <sean(a)mess.org> ALSA: usb-audio: add quirk for RODE NT-USB+ Julian Sikorski <belegdol+github(a)gmail.com> ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Alexander Tsoy <alexander(a)tsoy.me> ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Tejun Heo <tj(a)kernel.org> blk-iocost: Fix an UBSAN shift-out-of-bounds warning Ben Dooks <ben.dooks(a)codethink.co.uk> riscv: declare overflow_stack as exported from traps.c Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix arch_hugetlb_migration_supported() for NAPOT Xiubo Li <xiubli(a)redhat.com> libceph: just wait for more data to be available on the socket Xiubo Li <xiubli(a)redhat.com> libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*() Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Flush the tlb when a page directory is freed Ming Lei <ming.lei(a)redhat.com> scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix set_huge_pte_at() for NAPOT mapping Vincent Chen <vincent.chen(a)sifive.com> riscv: mm: execute local TLB flush after populating vmemmap Alexandre Ghiti <alexghiti(a)rivosinc.com> mm: Introduce flush_cache_vmap_early() Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Improve flush_tlb_kernel_range() Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Make __flush_tlb_range() loop over pte instead of flushing the whole tlb Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Improve tlb_flush() Dan Carpenter <dan.carpenter(a)linaro.org> fs/ntfs3: Fix an NULL dereference bug Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove scratch_aligned pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: add helper to release pcpu scratch area Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: store index in scratch maps Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_ct: reject direction for ct id Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: restrict match/target protocol to u16 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: reject unused compat flag Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: narrow down revision to unsigned 8-bits Jakub Kicinski <kuba(a)kernel.org> selftests: cmsg_ipv6: repeat the exact packet Eric Dumazet <edumazet(a)google.com> ppp_async: limit MRU to 64K Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. Shigeru Yoshida <syoshida(a)redhat.com> tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Paolo Abeni <pabeni(a)redhat.com> selftests: net: let big_tcp test cope with slow env David Howells <dhowells(a)redhat.com> rxrpc: Fix counting of new acks and nacks David Howells <dhowells(a)redhat.com> rxrpc: Fix response to PING RESPONSE ACKs to a dead call David Howells <dhowells(a)redhat.com> rxrpc: Fix delayed ACKs to not set the reference serial number David Howells <dhowells(a)redhat.com> rxrpc: Fix generation of serial numbers to skip zero Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/gvt: Fix uninitialized variable in handle_mmio() Eric Dumazet <edumazet(a)google.com> inet: read sk->sk_family once in inet_recv_error() Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix bogus core_id to attr name mapping Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix out-of-bounds memory access Loic Prylli <lprylli(a)netflix.com> hwmon: (aspeed-pwm-tacho) mutex for tach reading Zhipeng Lu <alexious(a)zju.edu.cn> octeontx2-pf: Fix a memleak otx2_sq_init Zhipeng Lu <alexious(a)zju.edu.cn> atm: idt77252: fix a memleak in open_card_ubr0 Antoine Tenart <atenart(a)kernel.org> tunnels: fix out of bounds access when building IPv6 PMTU error Gerhard Engleder <gerhard(a)engleder-embedded.com> tsnep: Fix mapping for zero copy XDP_TX action Paolo Abeni <pabeni(a)redhat.com> selftests: net: avoid just another constant wait Paolo Abeni <pabeni(a)redhat.com> selftests: net: fix tcp listener handling in pmtu.sh Yujie Liu <yujie.liu(a)intel.com> selftests/net: change shebang to bash to support "source" Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: convert pmtu.sh to run it in unique namespace Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: convert unicast_extensions.sh to run it in unique namespace Paolo Abeni <pabeni(a)redhat.com> selftests: net: cut more slack for gro fwd tests. Ivan Vecera <ivecera(a)redhat.com> net: atlantic: Fix DMA mapping for PTP hwts ring Eric Dumazet <edumazet(a)google.com> netdevsim: avoid potential loop in nsim_dev_trap_report_work() Kees Cook <keescook(a)chromium.org> wifi: brcmfmac: Adjust n_channels usage for __counted_by Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: exit eSR only after the FW does Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix waiting for beacons logic Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix RCU use in TDLS fast-xmit Furong Xu <0x1207(a)gmail.com> net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Ard Biesheuvel <ardb(a)kernel.org> x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR Ard Biesheuvel <ardb(a)kernel.org> x86/efistub: Give up if memory attribute protocol returns an error Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case Christoph Hellwig <hch(a)lst.de> xfs: respect the stable writes flag on the RT device Christoph Hellwig <hch(a)lst.de> xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags Darrick J. Wong <djwong(a)kernel.org> xfs: dquot recovery does not validate the recovered dquot Darrick J. Wong <djwong(a)kernel.org> xfs: clean up dqblk extraction Dave Chinner <dchinner(a)redhat.com> xfs: inode recovery does not validate the recovered inode Anthony Iliopoulos <ailiop(a)suse.com> xfs: fix again select in kconfig XFS_ONLINE_SCRUB_STATS Omar Sandoval <osandov(a)fb.com> xfs: fix internal error from AGFL exhaustion Leah Rumancik <leah.rumancik(a)gmail.com> xfs: up(ic_sema) if flushing data device fails Christoph Hellwig <hch(a)lst.de> xfs: only remap the written blocks in xfs_reflink_end_cow_extent Long Li <leo.lilong(a)huawei.com> xfs: abort intent items when recovery intents fail Long Li <leo.lilong(a)huawei.com> xfs: factor out xfs_defer_pending_abort Catherine Hoang <catherine.hoang(a)oracle.com> xfs: allow read IO and FICLONE to run concurrently Christoph Hellwig <hch(a)lst.de> xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space Cheng Lin <cheng.lin130(a)zte.com.cn> xfs: introduce protection for drop nlink Darrick J. Wong <djwong(a)kernel.org> xfs: make sure maxlen is still congruent with prod when rounding down Darrick J. Wong <djwong(a)kernel.org> xfs: fix units conversion error in xfs_bmap_del_extent_delay Darrick J. Wong <djwong(a)kernel.org> xfs: rt stubs should return negative errnos when rt disabled Darrick J. Wong <djwong(a)kernel.org> xfs: prevent rt growfs when quota is enabled Darrick J. Wong <djwong(a)kernel.org> xfs: hoist freeing of rt data fork extent mappings Darrick J. Wong <djwong(a)kernel.org> xfs: bump max fsgeom struct version Catherine Hoang <catherine.hoang(a)oracle.com> MAINTAINERS: add Catherine as xfs maintainer for 6.6.y Miguel Ojeda <ojeda(a)kernel.org> rust: upgrade to Rust 1.73.0 Miguel Ojeda <ojeda(a)kernel.org> rust: print: use explicit link in documentation Miguel Ojeda <ojeda(a)kernel.org> rust: task: remove redundant explicit link Miguel Ojeda <ojeda(a)kernel.org> rust: upgrade to Rust 1.72.1 Miguel Ojeda <ojeda(a)kernel.org> rust: arc: add explicit `drop()` around `Box::from_raw()` Shyam Prasad N <sprasad(a)microsoft.com> cifs: failure to add channel on iface should bump up weight Shyam Prasad N <sprasad(a)microsoft.com> cifs: avoid redundant calls to disable multichannel Tony Lindgren <tony(a)atomide.com> phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Frank Li <Frank.Li(a)nxp.com> dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV James Clark <james.clark(a)arm.com> perf evlist: Fix evlist__new_default() for > 1 core PMU Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Jai Luthra <j-luthra(a)ti.com> dmaengine: ti: k3-udma: Report short packet errors Guanhua Gao <guanhua.gao(a)nxp.com> dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Baokun Li <libaokun1(a)huawei.com> ext4: regenerate buddy after block freeing failed if under fc replay ------------- Diffstat: Documentation/process/changes.rst | 2 +- MAINTAINERS | 1 + Makefile | 4 +- arch/arc/include/asm/cacheflush.h | 1 + arch/arm/include/asm/cacheflush.h | 2 + arch/csky/abiv1/inc/abi/cacheflush.h | 1 + arch/csky/abiv2/inc/abi/cacheflush.h | 1 + arch/m68k/include/asm/cacheflush_mm.h | 1 + arch/mips/include/asm/cacheflush.h | 2 + arch/nios2/include/asm/cacheflush.h | 1 + arch/parisc/include/asm/cacheflush.h | 1 + arch/riscv/include/asm/cacheflush.h | 3 +- arch/riscv/include/asm/hugetlb.h | 3 + arch/riscv/include/asm/sbi.h | 3 - arch/riscv/include/asm/stacktrace.h | 5 + arch/riscv/include/asm/tlb.h | 8 +- arch/riscv/include/asm/tlbflush.h | 17 +- arch/riscv/kernel/sbi.c | 32 ++-- arch/riscv/mm/hugetlbpage.c | 78 +++++++- arch/riscv/mm/init.c | 4 + arch/riscv/mm/tlbflush.c | 156 +++++++++------- arch/sh/include/asm/cacheflush.h | 1 + arch/sparc/include/asm/cacheflush_32.h | 1 + arch/sparc/include/asm/cacheflush_64.h | 1 + arch/x86/lib/getuser.S | 24 +-- arch/x86/lib/putuser.S | 20 +-- arch/xtensa/include/asm/cacheflush.h | 6 +- block/blk-iocost.c | 7 + drivers/atm/idt77252.c | 2 + drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 +- drivers/dma/fsl-qdma.c | 27 ++- drivers/dma/ti/k3-udma.c | 10 +- drivers/firmware/efi/libstub/efistub.h | 3 +- drivers/firmware/efi/libstub/kaslr.c | 2 +- drivers/firmware/efi/libstub/randomalloc.c | 12 +- drivers/firmware/efi/libstub/x86-stub.c | 25 +-- drivers/firmware/efi/libstub/x86-stub.h | 4 +- drivers/firmware/efi/libstub/zboot.c | 2 +- drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hwseq.c | 63 ++++--- .../drm/amd/display/dc/dcn301/dcn301_resource.c | 2 +- drivers/gpu/drm/i915/gvt/handlers.c | 3 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 +- drivers/gpu/drm/msm/dp/dp_ctrl.c | 5 - drivers/gpu/drm/msm/dp/dp_link.c | 22 ++- drivers/gpu/drm/msm/dp/dp_reg.h | 3 + drivers/hwmon/aspeed-pwm-tacho.c | 7 + drivers/hwmon/coretemp.c | 40 +++-- drivers/input/keyboard/atkbd.c | 13 +- drivers/input/serio/i8042-acpipnpio.h | 6 + drivers/media/pci/solo6x10/solo6x10-offsets.h | 10 +- drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 +- drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 ++ drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 + drivers/net/ethernet/engleder/tsnep_main.c | 16 +- .../ethernet/marvell/octeontx2/nic/otx2_common.c | 14 +- drivers/net/ethernet/stmicro/stmmac/common.h | 1 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 + .../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 58 +++++- drivers/net/netdevsim/dev.c | 8 +- drivers/net/ppp/ppp_async.c | 4 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 6 +- .../net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 6 +- drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 - drivers/phy/ti/phy-omap-usb2.c | 4 +- drivers/scsi/scsi_error.c | 3 +- drivers/scsi/scsi_lib.c | 4 +- drivers/usb/dwc3/dwc3-pci.c | 4 + drivers/usb/dwc3/host.c | 4 +- drivers/usb/host/xhci-plat.c | 3 + drivers/usb/host/xhci-ring.c | 80 +++++++-- drivers/usb/host/xhci.h | 1 + drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 1 + drivers/usb/serial/qcserial.c | 2 + drivers/usb/typec/tcpm/tcpm.c | 3 +- fs/ext4/mballoc.c | 20 +++ fs/ntfs3/ntfs_fs.h | 2 +- fs/smb/client/sess.c | 2 + fs/smb/client/smb2pdu.c | 2 +- fs/xfs/Kconfig | 2 +- fs/xfs/libxfs/xfs_alloc.c | 27 ++- fs/xfs/libxfs/xfs_bmap.c | 21 +-- fs/xfs/libxfs/xfs_defer.c | 38 ++-- fs/xfs/libxfs/xfs_defer.h | 2 +- fs/xfs/libxfs/xfs_inode_buf.c | 3 + fs/xfs/libxfs/xfs_rtbitmap.c | 33 ++++ fs/xfs/libxfs/xfs_sb.h | 2 +- fs/xfs/xfs_bmap_util.c | 24 +-- fs/xfs/xfs_dquot.c | 5 +- fs/xfs/xfs_dquot_item_recover.c | 21 ++- fs/xfs/xfs_file.c | 63 +++++-- fs/xfs/xfs_inode.c | 24 +++ fs/xfs/xfs_inode.h | 17 ++ fs/xfs/xfs_inode_item_recover.c | 14 +- fs/xfs/xfs_ioctl.c | 34 ++-- fs/xfs/xfs_iops.c | 7 + fs/xfs/xfs_log.c | 23 +-- fs/xfs/xfs_log_recover.c | 2 +- fs/xfs/xfs_reflink.c | 5 + fs/xfs/xfs_rtalloc.c | 33 +++- fs/xfs/xfs_rtalloc.h | 27 +-- include/asm-generic/cacheflush.h | 6 + include/linux/ceph/messenger.h | 2 +- include/linux/dmaengine.h | 3 +- include/linux/hrtimer.h | 4 +- include/trace/events/rxrpc.h | 8 +- include/uapi/linux/netfilter/nf_tables.h | 2 + io_uring/io_uring.h | 7 + io_uring/net.c | 54 ++++-- io_uring/poll.c | 39 ++-- kernel/time/hrtimer.c | 3 + mm/percpu.c | 8 +- net/ceph/messenger_v1.c | 33 ++-- net/ceph/messenger_v2.c | 4 +- net/ceph/osd_client.c | 9 +- net/ipv4/af_inet.c | 6 +- net/ipv4/ip_tunnel_core.c | 2 +- net/mac80211/mlme.c | 3 +- net/mac80211/tx.c | 7 +- net/netfilter/nft_compat.c | 17 +- net/netfilter/nft_ct.c | 3 + net/netfilter/nft_set_pipapo.c | 108 +++++------ net/netfilter/nft_set_pipapo.h | 18 +- net/netfilter/nft_set_pipapo_avx2.c | 17 +- net/rxrpc/ar-internal.h | 37 +++- net/rxrpc/call_event.c | 12 +- net/rxrpc/call_object.c | 1 + net/rxrpc/conn_event.c | 10 +- net/rxrpc/input.c | 115 ++++++++++-- net/rxrpc/output.c | 8 +- net/rxrpc/proc.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/tipc/bearer.c | 6 + net/unix/garbage.c | 11 ++ rust/alloc/alloc.rs | 21 --- rust/alloc/boxed.rs | 56 ++++-- rust/alloc/lib.rs | 13 +- rust/alloc/raw_vec.rs | 30 ++-- rust/alloc/vec/drain_filter.rs | 199 --------------------- rust/alloc/vec/extract_if.rs | 115 ++++++++++++ rust/alloc/vec/mod.rs | 110 ++++++------ rust/alloc/vec/spec_extend.rs | 8 +- rust/compiler_builtins.rs | 1 + rust/kernel/print.rs | 1 + rust/kernel/sync/arc.rs | 2 +- rust/kernel/task.rs | 2 +- scripts/min-tool-version.sh | 2 +- sound/soc/amd/acp-config.c | 15 +- sound/usb/quirks.c | 38 ++-- tools/perf/util/evlist.c | 9 +- tools/testing/selftests/net/big_tcp.sh | 4 +- tools/testing/selftests/net/cmsg_ipv6.sh | 4 +- tools/testing/selftests/net/pmtu.sh | 52 +++--- tools/testing/selftests/net/udpgro_fwd.sh | 14 +- tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- tools/testing/selftests/net/unicast_extensions.sh | 93 +++++----- 156 files changed, 1703 insertions(+), 1019 deletions(-)

1 year, 6 months

9
8
0 0

[PATCH 2/6] drm/buddy: fix range bias

by Matthew Auld

There is a corner case here where start/end is after/before the block range we are currently checking. If so we need to be sure that splitting the block will eventually give use the block size we need. To do that we should adjust the block range to account for the start/end, and only continue with the split if the size/alignment will fit the requested size. Not doing so can result in leaving split blocks unmerged when it eventually fails. Fixes: afea229fe102 ("drm: improve drm_buddy_alloc function") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v5.18+ --- drivers/gpu/drm/drm_buddy.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index c1a99bf4dffd..d09540d4065b 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -332,6 +332,7 @@ alloc_range_bias(struct drm_buddy *mm, u64 start, u64 end, unsigned int order) { + u64 req_size = mm->chunk_size << order; struct drm_buddy_block *block; struct drm_buddy_block *buddy; LIST_HEAD(dfs); @@ -367,6 +368,15 @@ alloc_range_bias(struct drm_buddy *mm, if (drm_buddy_block_is_allocated(block)) continue; + if (block_start < start || block_end > end) { + u64 adjusted_start = max(block_start, start); + u64 adjusted_end = min(block_end, end); + + if (round_down(adjusted_end + 1, req_size) <= + round_up(adjusted_start, req_size)) + continue; + } + if (contains(start, end, block_start, block_end) && order == drm_buddy_block_order(block)) { /* -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH 6.7 000/127] 6.7.5-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.7.5 release. There are 127 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 16 Feb 2024 14:22:16 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.7.5-rc2.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.7.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.7.5-rc2 Furong Xu <0x1207(a)gmail.com> net: stmmac: xgmac: fix a typo of register name in DPP safety handling Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Sort quirk table entries Simon Horman <horms(a)kernel.org> net: stmmac: xgmac: use #define for string constants Michael Lass <bevan(a)bi-co.net> net: Fix from address in memcpy_to_iter_csum() Jens Axboe <axboe(a)kernel.dk> io_uring/net: limit inline multishot retries Jens Axboe <axboe(a)kernel.dk> io_uring/poll: add requeue return code from poll multishot handling Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ASoC: amd: Add new dmi entries for acp5x platform" Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: time_stats: Check for last_event == 0 when updating freq stats Guoyu Ou <benogy(a)gmail.com> bcachefs: unlock parent dir if entry is not found in subvolume deletion Christoph Hellwig <hch(a)lst.de> bcachefs: fix incorrect usage of REQ_OP_FLUSH Su Yue <glass.su(a)suse.com> bcachefs: grab s_umount only if snapshotting Su Yue <glass.su(a)suse.com> bcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: bch2_kthread_io_clock_wait() no longer sleeps until full amount Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Add missing bch2_moving_ctxt_flush_all() Daniel Hill <daniel(a)gluo.nz> bcachefs: rebalance should wakeup on shutdown if disabled Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Don't pass memcmp() as a pointer Al Viro <viro(a)zeniv.linux.org.uk> bch2_ioctl_subvolume_destroy(): fix locking Al Viro <viro(a)zeniv.linux.org.uk> new helper: user_path_locked_at() Johan Hovold <johan+linaro(a)kernel.org> PCI/ASPM: Fix deadlock when enabling ASPM Jens Axboe <axboe(a)kernel.dk> io_uring/rw: ensure poll based multishot read retries appropriately Jens Axboe <axboe(a)kernel.dk> io_uring/net: un-indent mshot retry path in io_recv_finish() Jens Axboe <axboe(a)kernel.dk> io_uring/poll: move poll execution helpers higher up Jens Axboe <axboe(a)kernel.dk> io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: fix a battery life regression Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Frederic Weisbecker <frederic(a)kernel.org> hrtimer: Report offline hrtimer enqueue Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: add support for the Intel Arrow Lake-H Michal Pecio <michal.pecio(a)gmail.com> xhci: handle isoc Babble and Buffer Overrun events properly Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: process isoc TD properly when there was a transaction error mid TD. Prashanth K <quic_prashk(a)quicinc.com> usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups Mario Limonciello <mario.limonciello(a)amd.com> Revert "drm/amd/pm: fix the high voltage and temperature issue" Badhri Jagan Sridharan <badhri(a)google.com> Revert "usb: typec: tcpm: fix cc role at port reset" Leonard Dallmayr <leonard.dallmayr(a)mailbox.org> USB: serial: cp210x: add ID for IMST iM871A-USB Puliang Lu <puliang.lu(a)fibocom.com> USB: serial: option: add Fibocom FM101-GL variant JackBB Wu <wojackbb(a)gmail.com> USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Sean Young <sean(a)mess.org> ALSA: usb-audio: add quirk for RODE NT-USB+ Julian Sikorski <belegdol+github(a)gmail.com> ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Alexander Tsoy <alexander(a)tsoy.me> ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Tejun Heo <tj(a)kernel.org> blk-iocost: Fix an UBSAN shift-out-of-bounds warning Muhammad Usama Anjum <usama.anjum(a)collabora.com> selftests: core: include linux/close_range.h for CLOSE_RANGE_* macros Maurizio Lombardi <mlombard(a)redhat.com> nvme-host: fix the updating of the firmware version Ben Dooks <ben.dooks(a)codethink.co.uk> riscv: declare overflow_stack as exported from traps.c Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix arch_hugetlb_migration_supported() for NAPOT Xiubo Li <xiubli(a)redhat.com> ceph: always set initial i_blkbits to CEPH_FSCRYPT_BLOCK_SHIFT Xiubo Li <xiubli(a)redhat.com> libceph: just wait for more data to be available on the socket Xiubo Li <xiubli(a)redhat.com> libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*() Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Flush the tlb when a page directory is freed Ming Lei <ming.lei(a)redhat.com> scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix set_huge_pte_at() for NAPOT mapping Vincent Chen <vincent.chen(a)sifive.com> riscv: mm: execute local TLB flush after populating vmemmap Alexandre Ghiti <alexghiti(a)rivosinc.com> mm: Introduce flush_cache_vmap_early() Dan Carpenter <dan.carpenter(a)linaro.org> fs/ntfs3: Fix an NULL dereference bug Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove scratch_aligned pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: add helper to release pcpu scratch area Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: store index in scratch maps Florian Westphal <fw(a)strlen.de> netfilter: nfnetlink_queue: un-break NF_REPEAT Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: use timestamp to check for set element timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_ct: reject direction for ct id Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_pipapo: remove static in nft_pipapo_get() Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: restrict match/target protocol to u16 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: reject unused compat flag Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: narrow down revision to unsigned 8-bits Jakub Kicinski <kuba(a)kernel.org> selftests: cmsg_ipv6: repeat the exact packet Eric Dumazet <edumazet(a)google.com> ppp_async: limit MRU to 64K Jiri Pirko <jiri(a)resnulli.us> devlink: avoid potential loop in devlink_rel_nested_in_notify_work() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. Shigeru Yoshida <syoshida(a)redhat.com> tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Paolo Abeni <pabeni(a)redhat.com> selftests: net: let big_tcp test cope with slow env David Howells <dhowells(a)redhat.com> rxrpc: Fix counting of new acks and nacks David Howells <dhowells(a)redhat.com> rxrpc: Fix response to PING RESPONSE ACKs to a dead call David Howells <dhowells(a)redhat.com> rxrpc: Fix delayed ACKs to not set the reference serial number David Howells <dhowells(a)redhat.com> rxrpc: Fix generation of serial numbers to skip zero Ard Biesheuvel <ardb(a)kernel.org> x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/gvt: Fix uninitialized variable in handle_mmio() Eric Dumazet <edumazet(a)google.com> inet: read sk->sk_family once in inet_recv_error() Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix bogus core_id to attr name mapping Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix out-of-bounds memory access Loic Prylli <lprylli(a)netflix.com> hwmon: (aspeed-pwm-tacho) mutex for tach reading Zhipeng Lu <alexious(a)zju.edu.cn> octeontx2-pf: Fix a memleak otx2_sq_init Zhipeng Lu <alexious(a)zju.edu.cn> atm: idt77252: fix a memleak in open_card_ubr0 Antoine Tenart <atenart(a)kernel.org> tunnels: fix out of bounds access when building IPv6 PMTU error Gerhard Engleder <gerhard(a)engleder-embedded.com> tsnep: Fix mapping for zero copy XDP_TX action Paolo Abeni <pabeni(a)redhat.com> selftests: net: avoid just another constant wait Paolo Abeni <pabeni(a)redhat.com> selftests: net: fix tcp listener handling in pmtu.sh Yujie Liu <yujie.liu(a)intel.com> selftests/net: change shebang to bash to support "source" Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: convert pmtu.sh to run it in unique namespace Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: convert unicast_extensions.sh to run it in unique namespace Paolo Abeni <pabeni(a)redhat.com> selftests: net: cut more slack for gro fwd tests. Ivan Vecera <ivecera(a)redhat.com> net: atlantic: Fix DMA mapping for PTP hwts ring Eric Dumazet <edumazet(a)google.com> netdevsim: avoid potential loop in nsim_dev_trap_report_work() Kees Cook <keescook(a)chromium.org> wifi: brcmfmac: Adjust n_channels usage for __counted_by Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: exit eSR only after the FW does Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix waiting for beacons logic Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix unsolicited broadcast probe config Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix RCU use in TDLS fast-xmit Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: improve CSA/ECSA connection refusal Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: detect stuck ECSA element in probe resp Benjamin Berg <benjamin.berg(a)intel.com> wifi: cfg80211: consume both probe response and beacon IEs Furong Xu <0x1207(a)gmail.com> net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Ard Biesheuvel <ardb(a)kernel.org> x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR Ard Biesheuvel <ardb(a)kernel.org> x86/efistub: Give up if memory attribute protocol returns an error Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: mvm: skip adding debugfs symlink for reconfig Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case Shyam Prasad N <sprasad(a)microsoft.com> cifs: failure to add channel on iface should bump up weight Shyam Prasad N <sprasad(a)microsoft.com> cifs: avoid redundant calls to disable multichannel Tony Lindgren <tony(a)atomide.com> phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Frank Li <Frank.Li(a)nxp.com> dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV James Clark <james.clark(a)arm.com> perf evlist: Fix evlist__new_default() for > 1 core PMU Thomas Richter <tmricht(a)linux.ibm.com> perf test: Fix 'perf script' tests on s390 Ian Rogers <irogers(a)google.com> perf tests: Add perf script test Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Mantas Pucka <mantas(a)8devices.com> phy: qcom-qmp-usb: fix serdes init sequence for IPQ6018 Mantas Pucka <mantas(a)8devices.com> phy: qcom-qmp-usb: fix register offsets for ipq8074/ipq6018 Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Jai Luthra <j-luthra(a)ti.com> dmaengine: ti: k3-udma: Report short packet errors Guanhua Gao <guanhua.gao(a)nxp.com> dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Baokun Li <libaokun1(a)huawei.com> ext4: regenerate buddy after block freeing failed if under fc replay ------------- Diffstat: Makefile | 4 +- arch/arc/include/asm/cacheflush.h | 1 + arch/arm/include/asm/cacheflush.h | 2 + arch/csky/abiv1/inc/abi/cacheflush.h | 1 + arch/csky/abiv2/inc/abi/cacheflush.h | 1 + arch/m68k/include/asm/cacheflush_mm.h | 1 + arch/mips/include/asm/cacheflush.h | 2 + arch/nios2/include/asm/cacheflush.h | 1 + arch/parisc/include/asm/cacheflush.h | 1 + arch/riscv/include/asm/cacheflush.h | 3 +- arch/riscv/include/asm/hugetlb.h | 3 + arch/riscv/include/asm/stacktrace.h | 5 + arch/riscv/include/asm/tlb.h | 2 +- arch/riscv/include/asm/tlbflush.h | 2 + arch/riscv/mm/hugetlbpage.c | 78 ++++++++++++- arch/riscv/mm/init.c | 4 + arch/riscv/mm/tlbflush.c | 6 + arch/sh/include/asm/cacheflush.h | 1 + arch/sparc/include/asm/cacheflush_32.h | 1 + arch/sparc/include/asm/cacheflush_64.h | 1 + arch/x86/boot/header.S | 14 +-- arch/x86/boot/setup.ld | 6 +- arch/x86/lib/getuser.S | 24 ++-- arch/x86/lib/putuser.S | 20 ++-- arch/xtensa/include/asm/cacheflush.h | 6 +- block/blk-iocost.c | 7 ++ drivers/atm/idt77252.c | 2 + drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 +- drivers/dma/fsl-qdma.c | 28 ++--- drivers/dma/ti/k3-udma.c | 10 +- drivers/firmware/efi/libstub/efistub.h | 3 +- drivers/firmware/efi/libstub/kaslr.c | 2 +- drivers/firmware/efi/libstub/randomalloc.c | 12 +- drivers/firmware/efi/libstub/x86-stub.c | 25 ++-- drivers/firmware/efi/libstub/x86-stub.h | 4 +- drivers/firmware/efi/libstub/zboot.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 24 ++-- .../drm/amd/display/dc/dcn301/dcn301_resource.c | 2 +- .../drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c | 63 +++++----- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 33 +----- drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h | 1 - .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 8 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 8 +- drivers/gpu/drm/i915/gvt/handlers.c | 3 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 +- drivers/gpu/drm/msm/dp/dp_ctrl.c | 5 - drivers/gpu/drm/msm/dp/dp_link.c | 22 ++-- drivers/gpu/drm/msm/dp/dp_reg.h | 3 + drivers/hwmon/aspeed-pwm-tacho.c | 7 ++ drivers/hwmon/coretemp.c | 40 ++++--- drivers/input/keyboard/atkbd.c | 13 ++- drivers/input/serio/i8042-acpipnpio.h | 6 + drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 +- drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 +++ drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 + drivers/net/ethernet/engleder/tsnep_main.c | 16 ++- .../ethernet/marvell/octeontx2/nic/otx2_common.c | 14 ++- drivers/net/ethernet/stmicro/stmmac/common.h | 1 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 + .../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 58 +++++++++- drivers/net/netdevsim/dev.c | 8 +- drivers/net/ppp/ppp_async.c | 4 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 6 +- drivers/net/wireless/intel/iwlwifi/fw/api/debug.h | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 6 +- .../net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 9 +- drivers/nvme/host/core.c | 7 +- drivers/pci/bus.c | 49 +++++--- drivers/pci/controller/dwc/pcie-qcom.c | 2 +- drivers/pci/pci.c | 78 ++++++++----- drivers/pci/pci.h | 4 +- drivers/pci/pcie/aspm.c | 13 ++- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 30 ++++- drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 - drivers/phy/ti/phy-omap-usb2.c | 4 +- drivers/scsi/scsi_error.c | 3 +- drivers/scsi/scsi_lib.c | 4 +- drivers/usb/dwc3/dwc3-pci.c | 4 + drivers/usb/dwc3/host.c | 4 +- drivers/usb/host/xhci-plat.c | 3 + drivers/usb/host/xhci-ring.c | 80 ++++++++++--- drivers/usb/host/xhci.h | 1 + drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 1 + drivers/usb/serial/qcserial.c | 2 + drivers/usb/typec/tcpm/tcpm.c | 3 +- fs/bcachefs/clock.c | 4 +- fs/bcachefs/fs-io.c | 2 +- fs/bcachefs/fs-ioctl.c | 42 +++---- fs/bcachefs/journal_io.c | 3 +- fs/bcachefs/move.c | 2 +- fs/bcachefs/move.h | 1 + fs/bcachefs/rebalance.c | 13 ++- fs/bcachefs/replicas.c | 10 +- fs/bcachefs/snapshot.c | 2 +- fs/bcachefs/util.c | 5 +- fs/ceph/inode.c | 2 + fs/ext4/mballoc.c | 20 ++++ fs/namei.c | 16 ++- fs/ntfs3/ntfs_fs.h | 2 +- fs/smb/client/sess.c | 2 + fs/smb/client/smb2pdu.c | 2 +- include/asm-generic/cacheflush.h | 6 + include/linux/ceph/messenger.h | 2 +- include/linux/dmaengine.h | 3 +- include/linux/hrtimer.h | 4 +- include/linux/namei.h | 1 + include/linux/pci.h | 5 + include/net/cfg80211.h | 4 + include/net/netfilter/nf_tables.h | 16 ++- include/trace/events/rxrpc.h | 8 +- include/uapi/linux/netfilter/nf_tables.h | 2 + io_uring/io_uring.h | 7 ++ io_uring/net.c | 54 ++++++--- io_uring/poll.c | 49 ++++---- io_uring/poll.h | 9 ++ io_uring/rw.c | 10 +- kernel/time/hrtimer.c | 3 + mm/percpu.c | 8 +- net/ceph/messenger_v1.c | 33 +++--- net/ceph/messenger_v2.c | 4 +- net/ceph/osd_client.c | 9 +- net/core/datagram.c | 2 +- net/devlink/core.c | 12 +- net/ipv4/af_inet.c | 6 +- net/ipv4/ip_tunnel_core.c | 2 +- net/mac80211/cfg.c | 14 +-- net/mac80211/mlme.c | 106 ++++++++++++----- net/mac80211/tx.c | 7 +- net/netfilter/nf_tables_api.c | 4 +- net/netfilter/nfnetlink_queue.c | 13 ++- net/netfilter/nft_compat.c | 17 ++- net/netfilter/nft_ct.c | 3 + net/netfilter/nft_set_hash.c | 8 +- net/netfilter/nft_set_pipapo.c | 128 +++++++++++---------- net/netfilter/nft_set_pipapo.h | 18 ++- net/netfilter/nft_set_pipapo_avx2.c | 17 ++- net/netfilter/nft_set_rbtree.c | 11 +- net/rxrpc/ar-internal.h | 37 ++++-- net/rxrpc/call_event.c | 12 +- net/rxrpc/call_object.c | 1 + net/rxrpc/conn_event.c | 10 +- net/rxrpc/input.c | 115 +++++++++++++++--- net/rxrpc/output.c | 8 +- net/rxrpc/proc.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/tipc/bearer.c | 6 + net/unix/garbage.c | 11 ++ net/wireless/scan.c | 63 +++++++++- sound/soc/amd/acp-config.c | 15 +-- sound/usb/quirks.c | 38 +++--- tools/perf/tests/shell/script.sh | 73 ++++++++++++ tools/perf/util/evlist.c | 9 +- tools/testing/selftests/core/close_range_test.c | 1 + tools/testing/selftests/net/big_tcp.sh | 4 +- tools/testing/selftests/net/cmsg_ipv6.sh | 4 +- tools/testing/selftests/net/pmtu.sh | 52 +++++---- tools/testing/selftests/net/udpgro_fwd.sh | 14 ++- tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- tools/testing/selftests/net/unicast_extensions.sh | 93 +++++++-------- 160 files changed, 1555 insertions(+), 731 deletions(-)

1 year, 6 months

7
8
0 0

Re: Healthcare Leads

by Deanna Holder

Hi, I hope you are the right person to discuss about *Healthcare Leads*, which includes complete contact details, and tele-verified email addresses. Please find the Leads Breakdown Chart below: *Criteria* *Counts* *Criteria* *Counts* *Criteria* *Counts* Allergy immunology 5,064 Healthcare Technology 20,540 Plastic surgery 8,371 Anesthesiology 30,155 Nephrology 6,606 Preventive medicine 6,642 Cardiology 24,577 Neurological surgery 7,066 Psychiatry 4,315 Dermatology 8,467 Neurology 13,354 Radiology 32,763 Emergency medicine 22,300 Obgyn 35,163 Surgery 39,517 Endocrinology diabetes metabolism 3,756 Oncology 17,881 Urology 10,135 Family practice1 62,544 Ophthalmology 15,237 Physician 100,000 Gastroenterology 11,913 Orthopedics 22,145 Doctors 128,000 General practice 12,957 Other 15,559 Dentists 150,200 Geriatrics Doctors 9,634 Otolaryngology 9,539 Osteopathic 25,000 Infectious disease 5,677 Pathology 15,467 Acupuncture 5,000 Internal medicine1 120,029 Pediatrics 55,684 Chiropractors 11,000 Haematology Doctors 12,850 Physical medicine 8,437 Rheumatology 5,000 *Data Fields:* Every lead includes Name, Company, Job Title, Website, Physical Address, Industry, *Phone Number and Verified/Opt-In Email Address.* Please let me know if you have any queries about our custom opt-in list and I would love to answer them. Kindly share your thoughts. Warm Regards, *Deanna Holder* *Marketing Executive * ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- We respect your privacy, if you want to remove it from this list. Please reply with the subject line as “Leave Out”.

1 year, 6 months

1
0
0 0

[PATCH 5.10.y] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)

by kovalev＠altlinux.org

From: Peter Zijlstra <peterz(a)infradead.org> [ Upstream commit c86df29d11dfba27c0a1f5039cd6fe387fbf4239 ] The dispatcher function is currently abusing the ftrace __fentry__ call location for its own purposes -- this obviously gives trouble when the dispatcher and ftrace are both in use. A previous solution tried using __attribute__((patchable_function_entry())) which works, except it is GCC-8+ only, breaking the build on the earlier still supported compilers. Instead use static_call() -- which has its own annotations and does not conflict with ftrace -- to rewrite the dispatch function. By using: return static_call()(ctx, insni, bpf_func) you get a perfect forwarding tail call as function body (iow a single jmp instruction). By having the default static_call() target be bpf_dispatcher_nop_func() it retains the default behaviour (an indirect call to the argument function). Only once a dispatcher program is attached is the target rewritten to directly call the JIT'ed image. Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Tested-by: Björn Töpel <bjorn(a)kernel.org> Tested-by: Jiri Olsa <jolsa(a)kernel.org> Acked-by: Björn Töpel <bjorn(a)kernel.org> Acked-by: Jiri Olsa <jolsa(a)kernel.org> Link: https://lkml.kernel.org/r/Y1/oBlK0yFk5c/Im@hirez.programming.kicks-ass.net Link: https://lore.kernel.org/bpf/20221103120647.796772565@infradead.org Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- include/linux/bpf.h | 39 ++++++++++++++++++++++++++++++++++++++- kernel/bpf/dispatcher.c | 22 ++++++++-------------- 2 files changed, 46 insertions(+), 15 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 8f4379e93ad49b..2c8c7515609a07 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -21,6 +21,7 @@ #include <linux/kallsyms.h> #include <linux/capability.h> #include <linux/percpu-refcount.h> +#include <linux/static_call.h> struct bpf_verifier_env; struct bpf_verifier_log; @@ -650,6 +651,10 @@ struct bpf_dispatcher { void *image; u32 image_off; struct bpf_ksym ksym; +#ifdef CONFIG_HAVE_STATIC_CALL + struct static_call_key *sc_key; + void *sc_tramp; +#endif }; static __always_inline unsigned int bpf_dispatcher_nop_func( @@ -667,6 +672,34 @@ struct bpf_trampoline *bpf_trampoline_get(u64 key, struct bpf_attach_target_info *tgt_info); void bpf_trampoline_put(struct bpf_trampoline *tr); int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); + +/* + * When the architecture supports STATIC_CALL replace the bpf_dispatcher_fn + * indirection with a direct call to the bpf program. If the architecture does + * not have STATIC_CALL, avoid a double-indirection. + */ +#ifdef CONFIG_HAVE_STATIC_CALL + +#define __BPF_DISPATCHER_SC_INIT(_name) \ + .sc_key = &STATIC_CALL_KEY(_name), \ + .sc_tramp = STATIC_CALL_TRAMP_ADDR(_name), + +#define __BPF_DISPATCHER_SC(name) \ + DEFINE_STATIC_CALL(bpf_dispatcher_##name##_call, bpf_dispatcher_nop_func) + +#define __BPF_DISPATCHER_CALL(name) \ + static_call(bpf_dispatcher_##name##_call)(ctx, insnsi, bpf_func) + +#define __BPF_DISPATCHER_UPDATE(_d, _new) \ + __static_call_update((_d)->sc_key, (_d)->sc_tramp, (_new)) + +#else +#define __BPF_DISPATCHER_SC_INIT(name) +#define __BPF_DISPATCHER_SC(name) +#define __BPF_DISPATCHER_CALL(name) bpf_func(ctx, insnsi) +#define __BPF_DISPATCHER_UPDATE(_d, _new) +#endif + #define BPF_DISPATCHER_INIT(_name) { \ .mutex = __MUTEX_INITIALIZER(_name.mutex), \ .func = &_name##_func, \ @@ -678,20 +711,23 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); .name = #_name, \ .lnode = LIST_HEAD_INIT(_name.ksym.lnode), \ }, \ + __BPF_DISPATCHER_SC_INIT(_name##_call) \ } #define DEFINE_BPF_DISPATCHER(name) \ + __BPF_DISPATCHER_SC(name); \ noinline unsigned int bpf_dispatcher_##name##_func( \ const void *ctx, \ const struct bpf_insn *insnsi, \ unsigned int (*bpf_func)(const void *, \ const struct bpf_insn *)) \ { \ - return bpf_func(ctx, insnsi); \ + return __BPF_DISPATCHER_CALL(name); \ } \ EXPORT_SYMBOL(bpf_dispatcher_##name##_func); \ struct bpf_dispatcher bpf_dispatcher_##name = \ BPF_DISPATCHER_INIT(bpf_dispatcher_##name); + #define DECLARE_BPF_DISPATCHER(name) \ unsigned int bpf_dispatcher_##name##_func( \ const void *ctx, \ @@ -699,6 +735,7 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); unsigned int (*bpf_func)(const void *, \ const struct bpf_insn *)); \ extern struct bpf_dispatcher bpf_dispatcher_##name; + #define BPF_DISPATCHER_FUNC(name) bpf_dispatcher_##name##_func #define BPF_DISPATCHER_PTR(name) (&bpf_dispatcher_##name) void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c index 2444bd15cc2d03..4c6c2e3ac56459 100644 --- a/kernel/bpf/dispatcher.c +++ b/kernel/bpf/dispatcher.c @@ -4,6 +4,7 @@ #include <linux/hash.h> #include <linux/bpf.h> #include <linux/filter.h> +#include <linux/static_call.h> /* The BPF dispatcher is a multiway branch code generator. The * dispatcher is a mechanism to avoid the performance penalty of an @@ -104,17 +105,11 @@ static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image) static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) { - void *old, *new; - u32 noff; - int err; - - if (!prev_num_progs) { - old = NULL; - noff = 0; - } else { - old = d->image + d->image_off; + void *new; + u32 noff = 0; + + if (prev_num_progs) noff = d->image_off ^ (PAGE_SIZE / 2); - } new = d->num_progs ? d->image + noff : NULL; if (new) { @@ -122,11 +117,10 @@ static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) return; } - err = bpf_arch_text_poke(d->func, BPF_MOD_JUMP, old, new); - if (err || !new) - return; + __BPF_DISPATCHER_UPDATE(d, new ?: &bpf_dispatcher_nop_func); - d->image_off = noff; + if (new) + d->image_off = noff; } void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, -- 2.33.8

1 year, 6 months

1
1
0 0

[PATCH 5.15.y] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)

by kovalev＠altlinux.org

From: Peter Zijlstra <peterz(a)infradead.org> [ Upstream commit c86df29d11dfba27c0a1f5039cd6fe387fbf4239 ] The dispatcher function is currently abusing the ftrace __fentry__ call location for its own purposes -- this obviously gives trouble when the dispatcher and ftrace are both in use. A previous solution tried using __attribute__((patchable_function_entry())) which works, except it is GCC-8+ only, breaking the build on the earlier still supported compilers. Instead use static_call() -- which has its own annotations and does not conflict with ftrace -- to rewrite the dispatch function. By using: return static_call()(ctx, insni, bpf_func) you get a perfect forwarding tail call as function body (iow a single jmp instruction). By having the default static_call() target be bpf_dispatcher_nop_func() it retains the default behaviour (an indirect call to the argument function). Only once a dispatcher program is attached is the target rewritten to directly call the JIT'ed image. Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Tested-by: Björn Töpel <bjorn(a)kernel.org> Tested-by: Jiri Olsa <jolsa(a)kernel.org> Acked-by: Björn Töpel <bjorn(a)kernel.org> Acked-by: Jiri Olsa <jolsa(a)kernel.org> Link: https://lkml.kernel.org/r/Y1/oBlK0yFk5c/Im@hirez.programming.kicks-ass.net Link: https://lore.kernel.org/bpf/20221103120647.796772565@infradead.org Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- include/linux/bpf.h | 39 ++++++++++++++++++++++++++++++++++++++- kernel/bpf/dispatcher.c | 22 ++++++++-------------- 2 files changed, 46 insertions(+), 15 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 00c615fc8ec3c3..633b8842e617e8 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -23,6 +23,7 @@ #include <linux/slab.h> #include <linux/percpu-refcount.h> #include <linux/bpfptr.h> +#include <linux/static_call.h> struct bpf_verifier_env; struct bpf_verifier_log; @@ -765,6 +766,10 @@ struct bpf_dispatcher { void *image; u32 image_off; struct bpf_ksym ksym; +#ifdef CONFIG_HAVE_STATIC_CALL + struct static_call_key *sc_key; + void *sc_tramp; +#endif }; static __always_inline __nocfi unsigned int bpf_dispatcher_nop_func( @@ -782,6 +787,34 @@ struct bpf_trampoline *bpf_trampoline_get(u64 key, struct bpf_attach_target_info *tgt_info); void bpf_trampoline_put(struct bpf_trampoline *tr); int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); + +/* + * When the architecture supports STATIC_CALL replace the bpf_dispatcher_fn + * indirection with a direct call to the bpf program. If the architecture does + * not have STATIC_CALL, avoid a double-indirection. + */ +#ifdef CONFIG_HAVE_STATIC_CALL + +#define __BPF_DISPATCHER_SC_INIT(_name) \ + .sc_key = &STATIC_CALL_KEY(_name), \ + .sc_tramp = STATIC_CALL_TRAMP_ADDR(_name), + +#define __BPF_DISPATCHER_SC(name) \ + DEFINE_STATIC_CALL(bpf_dispatcher_##name##_call, bpf_dispatcher_nop_func) + +#define __BPF_DISPATCHER_CALL(name) \ + static_call(bpf_dispatcher_##name##_call)(ctx, insnsi, bpf_func) + +#define __BPF_DISPATCHER_UPDATE(_d, _new) \ + __static_call_update((_d)->sc_key, (_d)->sc_tramp, (_new)) + +#else +#define __BPF_DISPATCHER_SC_INIT(name) +#define __BPF_DISPATCHER_SC(name) +#define __BPF_DISPATCHER_CALL(name) bpf_func(ctx, insnsi) +#define __BPF_DISPATCHER_UPDATE(_d, _new) +#endif + #define BPF_DISPATCHER_INIT(_name) { \ .mutex = __MUTEX_INITIALIZER(_name.mutex), \ .func = &_name##_func, \ @@ -793,20 +826,23 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); .name = #_name, \ .lnode = LIST_HEAD_INIT(_name.ksym.lnode), \ }, \ + __BPF_DISPATCHER_SC_INIT(_name##_call) \ } #define DEFINE_BPF_DISPATCHER(name) \ + __BPF_DISPATCHER_SC(name); \ noinline __nocfi unsigned int bpf_dispatcher_##name##_func( \ const void *ctx, \ const struct bpf_insn *insnsi, \ unsigned int (*bpf_func)(const void *, \ const struct bpf_insn *)) \ { \ - return bpf_func(ctx, insnsi); \ + return __BPF_DISPATCHER_CALL(name); \ } \ EXPORT_SYMBOL(bpf_dispatcher_##name##_func); \ struct bpf_dispatcher bpf_dispatcher_##name = \ BPF_DISPATCHER_INIT(bpf_dispatcher_##name); + #define DECLARE_BPF_DISPATCHER(name) \ unsigned int bpf_dispatcher_##name##_func( \ const void *ctx, \ @@ -814,6 +850,7 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); unsigned int (*bpf_func)(const void *, \ const struct bpf_insn *)); \ extern struct bpf_dispatcher bpf_dispatcher_##name; + #define BPF_DISPATCHER_FUNC(name) bpf_dispatcher_##name##_func #define BPF_DISPATCHER_PTR(name) (&bpf_dispatcher_##name) void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c index 2444bd15cc2d03..23042cfb5e809b 100644 --- a/kernel/bpf/dispatcher.c +++ b/kernel/bpf/dispatcher.c @@ -4,6 +4,7 @@ #include <linux/hash.h> #include <linux/bpf.h> #include <linux/filter.h> +#include <linux/static_call.h> /* The BPF dispatcher is a multiway branch code generator. The * dispatcher is a mechanism to avoid the performance penalty of an @@ -104,17 +105,11 @@ static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image) static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) { - void *old, *new; - u32 noff; - int err; - - if (!prev_num_progs) { - old = NULL; - noff = 0; - } else { - old = d->image + d->image_off; + void *new; + u32 noff = 0; + + if (prev_num_progs) noff = d->image_off ^ (PAGE_SIZE / 2); - } new = d->num_progs ? d->image + noff : NULL; if (new) { @@ -122,11 +117,10 @@ static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) return; } - err = bpf_arch_text_poke(d->func, BPF_MOD_JUMP, old, new); - if (err || !new) - return; + __BPF_DISPATCHER_UPDATE(d, new ?: &bpf_dispatcher_nop_func); - d->image_off = noff; + if (new) + d->image_off = noff; } void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, -- 2.33.8

1 year, 6 months

1
1
0 0

[PATCH v2] arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata

by Easwar Hariharan

Add the MIDR value of Microsoft Azure Cobalt 100, which is a Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and therefore suffers from all the same errata. CC: stable(a)vger.kernel.org # 5.15+ Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> --- changelog: v1->v2: * v1: https://lore.kernel.org/linux-arm-kernel/20240212232909.2276378-1-eahariha@… * Consistently use MICROSOFT throughout --- Documentation/arch/arm64/silicon-errata.rst | 7 +++++++ arch/arm64/include/asm/cputype.h | 4 ++++ arch/arm64/kernel/cpu_errata.c | 3 +++ 3 files changed, 14 insertions(+) diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst index e8c2ce1f9df6..45a7f4932fe0 100644 --- a/Documentation/arch/arm64/silicon-errata.rst +++ b/Documentation/arch/arm64/silicon-errata.rst @@ -243,3 +243,10 @@ stable kernels. +----------------+-----------------+-----------------+-----------------------------+ | ASR | ASR8601 | #8601001 | N/A | +----------------+-----------------+-----------------+-----------------------------+ ++----------------+-----------------+-----------------+-----------------------------+ +| Microsoft | Azure Cobalt 100| #2139208 | ARM64_ERRATUM_2139208 | ++----------------+-----------------+-----------------+-----------------------------+ +| Microsoft | Azure Cobalt 100| #2067961 | ARM64_ERRATUM_2067961 | ++----------------+-----------------+-----------------+-----------------------------+ +| Microsoft | Azure Cobalt 100| #2253138 | ARM64_ERRATUM_2253138 | ++----------------+-----------------+-----------------+-----------------------------+ diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h index 7c7493cb571f..52f076afeb96 100644 --- a/arch/arm64/include/asm/cputype.h +++ b/arch/arm64/include/asm/cputype.h @@ -61,6 +61,7 @@ #define ARM_CPU_IMP_HISI 0x48 #define ARM_CPU_IMP_APPLE 0x61 #define ARM_CPU_IMP_AMPERE 0xC0 +#define ARM_CPU_IMP_MICROSOFT 0x6D #define ARM_CPU_PART_AEM_V8 0xD0F #define ARM_CPU_PART_FOUNDATION 0xD00 @@ -135,6 +136,8 @@ #define AMPERE_CPU_PART_AMPERE1 0xAC3 +#define MICROSOFT_CPU_PART_AZURE_COBALT_100 0xD49 /* Based on r0p0 of ARM Neoverse N2 */ + #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) @@ -193,6 +196,7 @@ #define MIDR_APPLE_M2_BLIZZARD_MAX MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M2_BLIZZARD_MAX) #define MIDR_APPLE_M2_AVALANCHE_MAX MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M2_AVALANCHE_MAX) #define MIDR_AMPERE1 MIDR_CPU_MODEL(ARM_CPU_IMP_AMPERE, AMPERE_CPU_PART_AMPERE1) +#define MIDR_MICROSOFT_AZURE_COBALT_100 MIDR_CPU_MODEL(ARM_CPU_IMP_MICROSOFT, MICROSOFT_CPU_PART_AZURE_COBALT_100) /* Fujitsu Erratum 010001 affects A64FX 1.0 and 1.1, (v0r0 and v1r0) */ #define MIDR_FUJITSU_ERRATUM_010001 MIDR_FUJITSU_A64FX diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c index 967c7c7a4e7d..76b8dd37092a 100644 --- a/arch/arm64/kernel/cpu_errata.c +++ b/arch/arm64/kernel/cpu_errata.c @@ -374,6 +374,7 @@ static const struct midr_range erratum_1463225[] = { static const struct midr_range trbe_overwrite_fill_mode_cpus[] = { #ifdef CONFIG_ARM64_ERRATUM_2139208 MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), #endif #ifdef CONFIG_ARM64_ERRATUM_2119858 MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), @@ -387,6 +388,7 @@ static const struct midr_range trbe_overwrite_fill_mode_cpus[] = { static const struct midr_range tsb_flush_fail_cpus[] = { #ifdef CONFIG_ARM64_ERRATUM_2067961 MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), #endif #ifdef CONFIG_ARM64_ERRATUM_2054223 MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), @@ -399,6 +401,7 @@ static const struct midr_range tsb_flush_fail_cpus[] = { static struct midr_range trbe_write_out_of_range_cpus[] = { #ifdef CONFIG_ARM64_ERRATUM_2253138 MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), #endif #ifdef CONFIG_ARM64_ERRATUM_2224489 MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), -- 2.34.1

1 year, 6 months

6
5
0 0

[PATCH] usb: cdnsp: fixed issue with incorrect detecting CDNSP family controllers

by Pawel Laszczak

Cadence have several controllers from 0x000403xx family but current driver suuport detecting only one with DID equal 0x0004034E. It causes that if someone uses different CDNSP controller then driver will use incorrect version and register space. Patch fix this issue. cc: <stable(a)vger.kernel.org> Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> --- Changlog: v2: - typo have been removed drivers/usb/cdns3/core.c | 1 - drivers/usb/cdns3/drd.c | 13 +++++++++---- drivers/usb/cdns3/drd.h | 6 +++++- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c index 33548771a0d3..465e9267b49c 100644 --- a/drivers/usb/cdns3/core.c +++ b/drivers/usb/cdns3/core.c @@ -395,7 +395,6 @@ static int cdns_role_set(struct usb_role_switch *sw, enum usb_role role) return ret; } - /** * cdns_wakeup_irq - interrupt handler for wakeup events * @irq: irq number for cdns3/cdnsp core device diff --git a/drivers/usb/cdns3/drd.c b/drivers/usb/cdns3/drd.c index 04b6d12f2b9a..ee917f1b091c 100644 --- a/drivers/usb/cdns3/drd.c +++ b/drivers/usb/cdns3/drd.c @@ -156,7 +156,8 @@ bool cdns_is_device(struct cdns *cdns) */ static void cdns_otg_disable_irq(struct cdns *cdns) { - writel(0, &cdns->otg_irq_regs->ien); + if (cdns->version) + writel(0, &cdns->otg_irq_regs->ien); } /** @@ -422,15 +423,20 @@ int cdns_drd_init(struct cdns *cdns) cdns->otg_regs = (void __iomem *)&cdns->otg_v1_regs->cmd; - if (readl(&cdns->otg_cdnsp_regs->did) == OTG_CDNSP_DID) { + state = readl(&cdns->otg_cdnsp_regs->did); + + if (OTG_CDNSP_CHECK_DID(state)) { cdns->otg_irq_regs = (struct cdns_otg_irq_regs __iomem *) &cdns->otg_cdnsp_regs->ien; cdns->version = CDNSP_CONTROLLER_V2; - } else { + } else if (OTG_CDNS3_CHECK_DID(state)) { cdns->otg_irq_regs = (struct cdns_otg_irq_regs __iomem *) &cdns->otg_v1_regs->ien; writel(1, &cdns->otg_v1_regs->simulate); cdns->version = CDNS3_CONTROLLER_V1; + } else { + dev_err(cdns->dev, "not supporte DID=0x%08x\n", state); + return -EINVAL; } dev_dbg(cdns->dev, "DRD version v1 (ID: %08x, rev: %08x)\n", @@ -483,7 +489,6 @@ int cdns_drd_exit(struct cdns *cdns) return 0; } - /* Indicate the cdns3 core was power lost before */ bool cdns_power_is_lost(struct cdns *cdns) { diff --git a/drivers/usb/cdns3/drd.h b/drivers/usb/cdns3/drd.h index cbdf94f73ed9..d72370c321d3 100644 --- a/drivers/usb/cdns3/drd.h +++ b/drivers/usb/cdns3/drd.h @@ -79,7 +79,11 @@ struct cdnsp_otg_regs { __le32 susp_timing_ctrl; }; -#define OTG_CDNSP_DID 0x0004034E +/* CDNSP driver supports 0x000403xx Cadence USB controller family. */ +#define OTG_CDNSP_CHECK_DID(did) (((did) & GENMASK(31, 8)) == 0x00040300) + +/* CDNS3 driver supports 0x000402xx Cadence USB controller family. */ +#define OTG_CDNS3_CHECK_DID(did) (((did) & GENMASK(31, 8)) == 0x00040200) /* * Common registers interface for both CDNS3 and CDNSP version of DRD. -- 2.37.2

1 year, 6 months

1
0
0 0

[PATCH net 1/3] can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock

by Marc Kleine-Budde

From: Ziqi Zhao <astrajoan(a)yahoo.com> The following 3 locks would race against each other, causing the deadlock situation in the Syzbot bug report: - j1939_socks_lock - active_session_list_lock - sk_session_queue_lock A reasonable fix is to change j1939_socks_lock to an rwlock, since in the rare situations where a write lock is required for the linked list that j1939_socks_lock is protecting, the code does not attempt to acquire any more locks. This would break the circular lock dependency, where, for example, the current thread already locks j1939_socks_lock and attempts to acquire sk_session_queue_lock, and at the same time, another thread attempts to acquire j1939_socks_lock while holding sk_session_queue_lock. NOTE: This patch along does not fix the unregister_netdevice bug reported by Syzbot; instead, it solves a deadlock situation to prepare for one or more further patches to actually fix the Syzbot bug, which appears to be a reference counting problem within the j1939 codebase. Reported-by: <syzbot+1591462f226d9cbf0564(a)syzkaller.appspotmail.com> Signed-off-by: Ziqi Zhao <astrajoan(a)yahoo.com> Reviewed-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Acked-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Link: https://lore.kernel.org/all/20230721162226.8639-1-astrajoan@yahoo.com [mkl: remove unrelated newline change] Cc: stable(a)vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/j1939/j1939-priv.h | 2 +- net/can/j1939/main.c | 2 +- net/can/j1939/socket.c | 24 ++++++++++++------------ 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/net/can/j1939/j1939-priv.h b/net/can/j1939/j1939-priv.h index 16af1a7f80f6..74f15592d170 100644 --- a/net/can/j1939/j1939-priv.h +++ b/net/can/j1939/j1939-priv.h @@ -86,7 +86,7 @@ struct j1939_priv { unsigned int tp_max_packet_size; /* lock for j1939_socks list */ - spinlock_t j1939_socks_lock; + rwlock_t j1939_socks_lock; struct list_head j1939_socks; struct kref rx_kref; diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c index ecff1c947d68..a6fb89fa6278 100644 --- a/net/can/j1939/main.c +++ b/net/can/j1939/main.c @@ -274,7 +274,7 @@ struct j1939_priv *j1939_netdev_start(struct net_device *ndev) return ERR_PTR(-ENOMEM); j1939_tp_init(priv); - spin_lock_init(&priv->j1939_socks_lock); + rwlock_init(&priv->j1939_socks_lock); INIT_LIST_HEAD(&priv->j1939_socks); mutex_lock(&j1939_netdev_lock); diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c index 14c431663233..94cfc2315e54 100644 --- a/net/can/j1939/socket.c +++ b/net/can/j1939/socket.c @@ -80,16 +80,16 @@ static void j1939_jsk_add(struct j1939_priv *priv, struct j1939_sock *jsk) jsk->state |= J1939_SOCK_BOUND; j1939_priv_get(priv); - spin_lock_bh(&priv->j1939_socks_lock); + write_lock_bh(&priv->j1939_socks_lock); list_add_tail(&jsk->list, &priv->j1939_socks); - spin_unlock_bh(&priv->j1939_socks_lock); + write_unlock_bh(&priv->j1939_socks_lock); } static void j1939_jsk_del(struct j1939_priv *priv, struct j1939_sock *jsk) { - spin_lock_bh(&priv->j1939_socks_lock); + write_lock_bh(&priv->j1939_socks_lock); list_del_init(&jsk->list); - spin_unlock_bh(&priv->j1939_socks_lock); + write_unlock_bh(&priv->j1939_socks_lock); j1939_priv_put(priv); jsk->state &= ~J1939_SOCK_BOUND; @@ -329,13 +329,13 @@ bool j1939_sk_recv_match(struct j1939_priv *priv, struct j1939_sk_buff_cb *skcb) struct j1939_sock *jsk; bool match = false; - spin_lock_bh(&priv->j1939_socks_lock); + read_lock_bh(&priv->j1939_socks_lock); list_for_each_entry(jsk, &priv->j1939_socks, list) { match = j1939_sk_recv_match_one(jsk, skcb); if (match) break; } - spin_unlock_bh(&priv->j1939_socks_lock); + read_unlock_bh(&priv->j1939_socks_lock); return match; } @@ -344,11 +344,11 @@ void j1939_sk_recv(struct j1939_priv *priv, struct sk_buff *skb) { struct j1939_sock *jsk; - spin_lock_bh(&priv->j1939_socks_lock); + read_lock_bh(&priv->j1939_socks_lock); list_for_each_entry(jsk, &priv->j1939_socks, list) { j1939_sk_recv_one(jsk, skb); } - spin_unlock_bh(&priv->j1939_socks_lock); + read_unlock_bh(&priv->j1939_socks_lock); } static void j1939_sk_sock_destruct(struct sock *sk) @@ -1080,12 +1080,12 @@ void j1939_sk_errqueue(struct j1939_session *session, } /* spread RX notifications to all sockets subscribed to this session */ - spin_lock_bh(&priv->j1939_socks_lock); + read_lock_bh(&priv->j1939_socks_lock); list_for_each_entry(jsk, &priv->j1939_socks, list) { if (j1939_sk_recv_match_one(jsk, &session->skcb)) __j1939_sk_errqueue(session, &jsk->sk, type); } - spin_unlock_bh(&priv->j1939_socks_lock); + read_unlock_bh(&priv->j1939_socks_lock); }; void j1939_sk_send_loop_abort(struct sock *sk, int err) @@ -1273,7 +1273,7 @@ void j1939_sk_netdev_event_netdown(struct j1939_priv *priv) struct j1939_sock *jsk; int error_code = ENETDOWN; - spin_lock_bh(&priv->j1939_socks_lock); + read_lock_bh(&priv->j1939_socks_lock); list_for_each_entry(jsk, &priv->j1939_socks, list) { jsk->sk.sk_err = error_code; if (!sock_flag(&jsk->sk, SOCK_DEAD)) @@ -1281,7 +1281,7 @@ void j1939_sk_netdev_event_netdown(struct j1939_priv *priv) j1939_sk_queue_drop_all(priv, jsk, error_code); } - spin_unlock_bh(&priv->j1939_socks_lock); + read_unlock_bh(&priv->j1939_socks_lock); } static int j1939_sk_no_ioctlcmd(struct socket *sock, unsigned int cmd, base-commit: 858b31133dbec88465bcc0a006f4dc43173662b8 -- 2.43.0

1 year, 6 months

3
2
0 0

[PATCH 4.19 5.4 5.10 5.15 6.1 6.6 6.7] nilfs2: fix data corruption in dsync block recovery for small block sizes

by Ryusuke Konishi

commit 67b8bcbaed4777871bb0dcc888fb02a614a98ab1 upstream. The helper function nilfs_recovery_copy_block() of nilfs_recovery_dsync_blocks(), which recovers data from logs created by data sync writes during a mount after an unclean shutdown, incorrectly calculates the on-page offset when copying repair data to the file's page cache. In environments where the block size is smaller than the page size, this flaw can cause data corruption and leak uninitialized memory bytes during the recovery process. Fix these issues by correcting this byte offset calculation on the page. Link: https://lkml.kernel.org/r/20240124121936.10575-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- Please apply this patch to the stable trees. This patch is identical to the upstream commit. I have confirmed that the bug this patch fixes reproduces in all these stable trees, so I believe it should be applied to them. I have also confirmed that the build passes and the issue is fixed on all target stable trees. Thanks, Ryusuke Konishi fs/nilfs2/recovery.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/nilfs2/recovery.c b/fs/nilfs2/recovery.c index 0955b657938f..a9b8d77c8c1d 100644 --- a/fs/nilfs2/recovery.c +++ b/fs/nilfs2/recovery.c @@ -472,9 +472,10 @@ static int nilfs_prepare_segment_for_recovery(struct the_nilfs *nilfs, static int nilfs_recovery_copy_block(struct the_nilfs *nilfs, struct nilfs_recovery_block *rb, - struct page *page) + loff_t pos, struct page *page) { struct buffer_head *bh_org; + size_t from = pos & ~PAGE_MASK; void *kaddr; bh_org = __bread(nilfs->ns_bdev, rb->blocknr, nilfs->ns_blocksize); @@ -482,7 +483,7 @@ static int nilfs_recovery_copy_block(struct the_nilfs *nilfs, return -EIO; kaddr = kmap_atomic(page); - memcpy(kaddr + bh_offset(bh_org), bh_org->b_data, bh_org->b_size); + memcpy(kaddr + from, bh_org->b_data, bh_org->b_size); kunmap_atomic(kaddr); brelse(bh_org); return 0; @@ -521,7 +522,7 @@ static int nilfs_recover_dsync_blocks(struct the_nilfs *nilfs, goto failed_inode; } - err = nilfs_recovery_copy_block(nilfs, rb, page); + err = nilfs_recovery_copy_block(nilfs, rb, pos, page); if (unlikely(err)) goto failed_page; -- 2.39.3

1 year, 6 months

1
0
0 0

Re: [PATCH] usb: cdnsp: blocked some cdns3 specific code

by Peter Chen

It is for both cdns3 and cdnsp. Reply-To: In-Reply-To: <20240206104018.48272-1-pawell(a)cadence.com> On 24-02-06 11:40:18, Pawel Laszczak wrote: > host.c file has some parts of code that were introduced for CDNS3 driver > and should not be used with CDNSP driver. > This patch blocks using these parts of codes by CDNSP driver. > These elements include: > - xhci_plat_cdns3_xhci object > - cdns3 specific XECP_PORT_CAP_REG register > - cdns3 specific XECP_AUX_CTRL_REG1 register > > cc: <stable(a)vger.kernel.org> > Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") > Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> > --- > drivers/usb/cdns3/host.c | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/cdns3/host.c b/drivers/usb/cdns3/host.c > index 6164fc4c96a4..ceca4d839dfd 100644 > --- a/drivers/usb/cdns3/host.c > +++ b/drivers/usb/cdns3/host.c > @@ -18,6 +18,11 @@ > #include "../host/xhci.h" > #include "../host/xhci-plat.h" > > +/* > + * The XECP_PORT_CAP_REG and XECP_AUX_CTRL_REG1 exist only > + * in Cadence USB3 dual-role controller, so it can't be used > + * with Cadence CDNSP dual-role controller. > + */ > #define XECP_PORT_CAP_REG 0x8000 > #define XECP_AUX_CTRL_REG1 0x8120 > > @@ -57,6 +62,8 @@ static const struct xhci_plat_priv xhci_plat_cdns3_xhci = { > .resume_quirk = xhci_cdns3_resume_quirk, > }; > > +static const struct xhci_plat_priv xhci_plat_cdnsp_xhci; > + > static int __cdns_host_init(struct cdns *cdns) > { > struct platform_device *xhci; > @@ -81,8 +88,13 @@ static int __cdns_host_init(struct cdns *cdns) > goto err1; > } > > - cdns->xhci_plat_data = kmemdup(&xhci_plat_cdns3_xhci, > - sizeof(struct xhci_plat_priv), GFP_KERNEL); > + if (cdns->version < CDNSP_CONTROLLER_V2) > + cdns->xhci_plat_data = kmemdup(&xhci_plat_cdns3_xhci, > + sizeof(struct xhci_plat_priv), GFP_KERNEL); > + else > + cdns->xhci_plat_data = kmemdup(&xhci_plat_cdnsp_xhci, > + sizeof(struct xhci_plat_priv), GFP_KERNEL); > + You may explain why you duplicate another structure for cdnsp at commit log. > if (!cdns->xhci_plat_data) { > ret = -ENOMEM; > goto err1; > Others are okay for me. -- Thanks, Peter Chen

1 year, 6 months

2
1
0 0

[PATCH] usb: cdnsp: fixed issue with incorrect detecting CDNSP family controllers

by Pawel Laszczak

Cadence have several controllers from 0x000403xx family but current driver suuport detecting only one with DID equal 0x0004034E. It causes that if someone use different CDNSP controller then driver will use incorrect version and register space. Patch fix this issue. cc: <stable(a)vger.kernel.org> Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> --- drivers/usb/cdns3/core.c | 1 - drivers/usb/cdns3/drd.c | 13 +++++++++---- drivers/usb/cdns3/drd.h | 6 +++++- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c index 33548771a0d3..465e9267b49c 100644 --- a/drivers/usb/cdns3/core.c +++ b/drivers/usb/cdns3/core.c @@ -395,7 +395,6 @@ static int cdns_role_set(struct usb_role_switch *sw, enum usb_role role) return ret; } - /** * cdns_wakeup_irq - interrupt handler for wakeup events * @irq: irq number for cdns3/cdnsp core device diff --git a/drivers/usb/cdns3/drd.c b/drivers/usb/cdns3/drd.c index 04b6d12f2b9a..ee917f1b091c 100644 --- a/drivers/usb/cdns3/drd.c +++ b/drivers/usb/cdns3/drd.c @@ -156,7 +156,8 @@ bool cdns_is_device(struct cdns *cdns) */ static void cdns_otg_disable_irq(struct cdns *cdns) { - writel(0, &cdns->otg_irq_regs->ien); + if (cdns->version) + writel(0, &cdns->otg_irq_regs->ien); } /** @@ -422,15 +423,20 @@ int cdns_drd_init(struct cdns *cdns) cdns->otg_regs = (void __iomem *)&cdns->otg_v1_regs->cmd; - if (readl(&cdns->otg_cdnsp_regs->did) == OTG_CDNSP_DID) { + state = readl(&cdns->otg_cdnsp_regs->did); + + if (OTG_CDNSP_CHECK_DID(state)) { cdns->otg_irq_regs = (struct cdns_otg_irq_regs __iomem *) &cdns->otg_cdnsp_regs->ien; cdns->version = CDNSP_CONTROLLER_V2; - } else { + } else if (OTG_CDNS3_CHECK_DID(state)) { cdns->otg_irq_regs = (struct cdns_otg_irq_regs __iomem *) &cdns->otg_v1_regs->ien; writel(1, &cdns->otg_v1_regs->simulate); cdns->version = CDNS3_CONTROLLER_V1; + } else { + dev_err(cdns->dev, "not supporte DID=0x%08x\n", state); + return -EINVAL; } dev_dbg(cdns->dev, "DRD version v1 (ID: %08x, rev: %08x)\n", @@ -483,7 +489,6 @@ int cdns_drd_exit(struct cdns *cdns) return 0; } - /* Indicate the cdns3 core was power lost before */ bool cdns_power_is_lost(struct cdns *cdns) { diff --git a/drivers/usb/cdns3/drd.h b/drivers/usb/cdns3/drd.h index cbdf94f73ed9..d72370c321d3 100644 --- a/drivers/usb/cdns3/drd.h +++ b/drivers/usb/cdns3/drd.h @@ -79,7 +79,11 @@ struct cdnsp_otg_regs { __le32 susp_timing_ctrl; }; -#define OTG_CDNSP_DID 0x0004034E +/* CDNSP driver supports 0x000403xx Cadence USB controller family. */ +#define OTG_CDNSP_CHECK_DID(did) (((did) & GENMASK(31, 8)) == 0x00040300) + +/* CDNS3 driver supports 0x000402xx Cadence USB controller family. */ +#define OTG_CDNS3_CHECK_DID(did) (((did) & GENMASK(31, 8)) == 0x00040200) /* * Common registers interface for both CDNS3 and CDNSP version of DRD. -- 2.37.2

1 year, 6 months

2
1
0 0

[PATCH v3] soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request

by Maulik Shah

Each RPMh VRM accelerator resource has 3 or 4 contiguous 4-byte aligned addresses associated with it. These control voltage, enable state, mode, and in legacy targets, voltage headroom. The current in-flight request checking logic looks for exact address matches. Requests for different addresses of the same RPMh resource as thus not detected as in-flight. Add new cmd-db API cmd_db_match_resource_addr() to enhance the in-flight request check for VRM requests by ignoring the address offset. This ensures that only one request is allowed to be in-flight for a given VRM resource. This is needed to avoid scenarios where request commands are carried out by RPMh hardware out-of-order leading to LDO regulator over-current protection triggering. Fixes: 658628e7ef78 ("drivers: qcom: rpmh-rsc: add RPMH controller for QCOM SoCs") cc: stable(a)vger.kernel.org Reviewed-by: Konrad Dybcio <konrad.dybcio(a)linaro.org> Signed-off-by: Elliot Berman <quic_eberman(a)quicinc.com> Signed-off-by: Maulik Shah <quic_mkshah(a)quicinc.com> --- Changes in v3: - Fix s-o-b chain - Add cmd-db API to compare addresses - Reuse already defined resource types in cmd-db - Add Fixes tag and Cc to stable - Retain Reviewed-by tag of v2 - Link to v2: https://lore.kernel.org/r/20240119-rpmh-rsc-fixes-v2-1-e42c0a9e36f0@quicinc… Changes in v2: - Use GENMASK() and FIELD_GET() - Link to v1: https://lore.kernel.org/r/20240117-rpmh-rsc-fixes-v1-1-71ee4f8f72a4@quicinc… --- drivers/soc/qcom/cmd-db.c | 41 +++++++++++++++++++++++++++++++++++------ drivers/soc/qcom/rpmh-rsc.c | 3 ++- include/soc/qcom/cmd-db.h | 10 +++++++++- 3 files changed, 46 insertions(+), 8 deletions(-) diff --git a/drivers/soc/qcom/cmd-db.c b/drivers/soc/qcom/cmd-db.c index a5fd68411bed..e87682b9755e 100644 --- a/drivers/soc/qcom/cmd-db.c +++ b/drivers/soc/qcom/cmd-db.c @@ -1,6 +1,10 @@ /* SPDX-License-Identifier: GPL-2.0 */ -/* Copyright (c) 2016-2018, 2020, The Linux Foundation. All rights reserved. */ +/* + * Copyright (c) 2016-2018, 2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. + */ +#include <linux/bitfield.h> #include <linux/debugfs.h> #include <linux/kernel.h> #include <linux/module.h> @@ -15,8 +19,8 @@ #define NUM_PRIORITY 2 #define MAX_SLV_ID 8 -#define SLAVE_ID_MASK 0x7 -#define SLAVE_ID_SHIFT 16 +#define SLAVE_ID(addr) FIELD_GET(GENMASK(19, 16), addr) +#define VRM_ADDR(addr) FIELD_GET(GENMASK(19, 4), addr) /** * struct entry_header: header for each entry in cmddb @@ -221,9 +225,34 @@ const void *cmd_db_read_aux_data(const char *id, size_t *len) EXPORT_SYMBOL_GPL(cmd_db_read_aux_data); /** - * cmd_db_read_slave_id - Get the slave ID for a given resource address + * cmd_db_match_resource_addr - Compare if both Resource addresses are same + * + * @addr1: Resource address to compare + * @addr2: Resource address to compare + * + * Return: true on matching addresses, false otherwise + */ +bool cmd_db_match_resource_addr(u32 addr1, u32 addr2) +{ + /* + * Each RPMh VRM accelerator resource has 3 or 4 contiguous 4-byte + * aligned addresses associated with it. Ignore the offset to check + * for VRM requests. + */ + if (SLAVE_ID(addr1) == CMD_DB_HW_VRM + && VRM_ADDR(addr1) == VRM_ADDR(addr2)) + return true; + else if (addr1 == addr2) + return true; + else + return false; +} +EXPORT_SYMBOL_GPL(cmd_db_match_resource_addr); + +/** + * cmd_db_read_slave_id - Get the slave ID for a given resource name * - * @id: Resource id to query the DB for version + * @id: Resource id to query the DB for slave id * * Return: cmd_db_hw_type enum on success, CMD_DB_HW_INVALID on error */ @@ -238,7 +267,7 @@ enum cmd_db_hw_type cmd_db_read_slave_id(const char *id) return CMD_DB_HW_INVALID; addr = le32_to_cpu(ent->addr); - return (addr >> SLAVE_ID_SHIFT) & SLAVE_ID_MASK; + return SLAVE_ID(addr); } EXPORT_SYMBOL_GPL(cmd_db_read_slave_id); diff --git a/drivers/soc/qcom/rpmh-rsc.c b/drivers/soc/qcom/rpmh-rsc.c index a021dc71807b..daf64be966fe 100644 --- a/drivers/soc/qcom/rpmh-rsc.c +++ b/drivers/soc/qcom/rpmh-rsc.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 /* * Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. + * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #define pr_fmt(fmt) "%s " fmt, KBUILD_MODNAME @@ -557,7 +558,7 @@ static int check_for_req_inflight(struct rsc_drv *drv, struct tcs_group *tcs, for_each_set_bit(j, &curr_enabled, MAX_CMDS_PER_TCS) { addr = read_tcs_cmd(drv, drv->regs[RSC_DRV_CMD_ADDR], i, j); for (k = 0; k < msg->num_cmds; k++) { - if (addr == msg->cmds[k].addr) + if (cmd_db_match_resource_addr(msg->cmds[k].addr, addr)) return -EBUSY; } } diff --git a/include/soc/qcom/cmd-db.h b/include/soc/qcom/cmd-db.h index c8bb56e6852a..47a6cab75e63 100644 --- a/include/soc/qcom/cmd-db.h +++ b/include/soc/qcom/cmd-db.h @@ -1,5 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0 */ -/* Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. */ +/* + * Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. + * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. + */ #ifndef __QCOM_COMMAND_DB_H__ #define __QCOM_COMMAND_DB_H__ @@ -21,6 +24,8 @@ u32 cmd_db_read_addr(const char *resource_id); const void *cmd_db_read_aux_data(const char *resource_id, size_t *len); +bool cmd_db_match_resource_addr(u32 addr1, u32 addr2); + enum cmd_db_hw_type cmd_db_read_slave_id(const char *resource_id); int cmd_db_ready(void); @@ -31,6 +36,9 @@ static inline u32 cmd_db_read_addr(const char *resource_id) static inline const void *cmd_db_read_aux_data(const char *resource_id, size_t *len) { return ERR_PTR(-ENODEV); } +static inline bool cmd_db_match_resource_addr(u32 addr1, u32 addr2) +{ return false; } + static inline enum cmd_db_hw_type cmd_db_read_slave_id(const char *resource_id) { return -ENODEV; } --- base-commit: 615d300648869c774bd1fe54b4627bb0c20faed4 change-id: 20240210-rpmh-rsc-fixes-372a79ab364b Best regards, -- Maulik Shah <quic_mkshah(a)quicinc.com>

1 year, 6 months

6
7
0 0

[PATCH] scsi: core: Consult supported VPD page list prior to fetching page

by Martin K. Petersen

Commit c92a6b5d6335 ("scsi: core: Query VPD size before getting full page") removed the logic which checks whether a VPD page is present on the supported pages list before asking for the page itself. That was done because SPC helpfully states "The Supported VPD Pages VPD page list may or may not include all the VPD pages that are able to be returned by the device server". Testing had revealed a few devices that supported some of the 0xBn pages but didn't actually list them in page 0. Julian Sikorski bisected a problem with his drive resetting during discovery to the commit above. As it turns out, this particular drive firmware will crash if we attempt to fetch page 0xB9. Various approaches were attempted to work around this. In the end, reinstating the logic that consults VPD page 0 before fetching any other page was the path of least resistance. A firmware update for the devices which originally compelled us to remove the check has since been released. Cc: <stable(a)vger.kernel.org> Fixes: c92a6b5d6335 ("scsi: core: Query VPD size before getting full page") Reported-by: Julian Sikorski <belegdol(a)gmail.com> Tested-by: Julian Sikorski <belegdol(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> --- drivers/scsi/scsi.c | 21 +++++++++++++++++++-- include/scsi/scsi_device.h | 1 + 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c index 76d369343c7a..5ef5fcf022ed 100644 --- a/drivers/scsi/scsi.c +++ b/drivers/scsi/scsi.c @@ -330,19 +330,36 @@ static int scsi_vpd_inquiry(struct scsi_device *sdev, unsigned char *buffer, static int scsi_get_vpd_size(struct scsi_device *sdev, u8 page) { - unsigned char vpd_header[SCSI_VPD_HEADER_SIZE] __aligned(4); + unsigned char vpd[SCSI_VPD_LIST_SIZE] __aligned(4); int result; if (sdev->no_vpd_size) return SCSI_DEFAULT_VPD_LEN; + /* + * Fetch the supported pages VPD and validate that the requested page + * number is present. + */ + if (page != 0) { + result = scsi_vpd_inquiry(sdev, vpd, 0, sizeof(vpd)); + if (result < SCSI_VPD_HEADER_SIZE) + return 0; + + for (unsigned int i = SCSI_VPD_HEADER_SIZE ; i < result ; i++) { + if (vpd[i] == page) + goto found; + } + + return 0; + } +found: /* * Fetch the VPD page header to find out how big the page * is. This is done to prevent problems on legacy devices * which can not handle allocation lengths as large as * potentially requested by the caller. */ - result = scsi_vpd_inquiry(sdev, vpd_header, page, sizeof(vpd_header)); + result = scsi_vpd_inquiry(sdev, vpd, page, SCSI_VPD_HEADER_SIZE); if (result < 0) return 0; diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h index cb019c80763b..6673885565e3 100644 --- a/include/scsi/scsi_device.h +++ b/include/scsi/scsi_device.h @@ -102,6 +102,7 @@ struct scsi_vpd { enum scsi_vpd_parameters { SCSI_VPD_HEADER_SIZE = 4, + SCSI_VPD_LIST_SIZE = 36, }; struct scsi_device { -- 2.42.1

1 year, 6 months

2
3
0 0

[PATCH v2] kbuild: Fix changing ELF file type for output of gen_btf for big endian

by Nathan Chancellor

Commit 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF") changed the ELF type of .btf.vmlinux.bin.o to ET_REL via dd, which works fine for little endian platforms: 00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| -00000010 03 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................| +00000010 01 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................| However, for big endian platforms, it changes the wrong byte, resulting in an invalid ELF file type, which ld.lld rejects: 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............| -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| +00000010 01 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| Type: <unknown>: 103 ld.lld: error: .btf.vmlinux.bin.o: unknown file type Fix this by updating the entire 16-bit e_type field rather than just a single byte, so that everything works correctly for all platforms and linkers. 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............| -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| +00000010 00 01 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| Type: REL (Relocatable file) While in the area, update the comment to mention that binutils 2.35+ matches LLD's behavior of rejecting an ET_EXEC input, which occurred after the comment was added. Cc: stable(a)vger.kernel.org Fixes: 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF") Link: https://github.com/llvm/llvm-project/pull/75643 Suggested-by: Masahiro Yamada <masahiroy(a)kernel.org> Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- Changes in v2: - Rather than change the seek value for dd, update the entire e_type field (Masahiro). Due to this change, I did not carry forward the tags of v1. - Slightly update commit message to remove mention of ET_EXEC, which does not match the dump (Masahiro). - Update comment to mention binutils 2.35+ has the same behavior as LLD (Fangrui). - Link to v1: https://lore.kernel.org/r/20240208-fix-elf-type-btf-vmlinux-bin-o-big-endia… --- scripts/link-vmlinux.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index a432b171be82..7862a8101747 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -135,8 +135,13 @@ gen_btf() ${OBJCOPY} --only-section=.BTF --set-section-flags .BTF=alloc,readonly \ --strip-all ${1} ${2} 2>/dev/null # Change e_type to ET_REL so that it can be used to link final vmlinux. - # Unlike GNU ld, lld does not allow an ET_EXEC input. - printf '\1' | dd of=${2} conv=notrunc bs=1 seek=16 status=none + # GNU ld 2.35+ and lld do not allow an ET_EXEC input. + if is_enabled CONFIG_CPU_BIG_ENDIAN; then + et_rel='\0\1' + else + et_rel='\1\0' + fi + printf "${et_rel}" | dd of=${2} conv=notrunc bs=1 seek=16 status=none } # Create ${2} .S file with all symbols from the ${1} object file --- base-commit: 54be6c6c5ae8e0d93a6c4641cb7528eb0b6ba478 change-id: 20240208-fix-elf-type-btf-vmlinux-bin-o-big-endian-dbc55a1e1296 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 year, 6 months

6
6
0 0

[PATCH] wifi: nl80211: reject iftype change with mesh ID change

by Johannes Berg

From: Johannes Berg <johannes.berg(a)intel.com> It's currently possible to change the mesh ID when the interface isn't yet in mesh mode, at the same time as changing it into mesh mode. This leads to an overwrite of data in the wdev->u union for the interface type it currently has, causing cfg80211_change_iface() to do wrong things when switching. We could probably allow setting an interface to mesh while setting the mesh ID at the same time by doing a different order of operations here, but realistically there's no userspace that's going to do this, so just disallow changes in iftype when setting mesh ID. Cc: stable(a)vger.kernel.org Fixes: 29cbe68c516a ("cfg80211/mac80211: add mesh join/leave commands") Reported-by: syzbot+dd4779978217b1973180(a)syzkaller.appspotmail.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> --- net/wireless/nl80211.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index b09700400d09..bd54a928bab4 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -4197,6 +4197,8 @@ static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info) if (ntype != NL80211_IFTYPE_MESH_POINT) return -EINVAL; + if (otype != NL80211_IFTYPE_MESH_POINT) + return -EINVAL; if (netif_running(dev)) return -EBUSY; -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH 07/17] drm/amd/display: Only allow dig mapping to pwrseq in new asic

by Rodrigo Siqueira

From: Lewis Huang <lewis.huang(a)amd.com> [Why] The old asic only have 1 pwrseq hw. We don't need to map the diginst to pwrseq inst in old asic. [How] 1. Only mapping dig to pwrseq for new asic. 2. Move mapping function into dcn specific panel control component Cc: Stable <stable(a)vger.kernel.org> # v6.6+ Cc: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3122 Reviewed-by: Anthony Koo <anthony.koo(a)amd.com> Acked-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Signed-off-by: Lewis Huang <lewis.huang(a)amd.com> --- .../drm/amd/display/dc/dce/dce_panel_cntl.c | 1 + .../amd/display/dc/dcn301/dcn301_panel_cntl.c | 1 + .../amd/display/dc/dcn31/dcn31_panel_cntl.c | 18 ++++++++++++- .../drm/amd/display/dc/inc/hw/panel_cntl.h | 2 +- .../drm/amd/display/dc/link/link_factory.c | 26 +------------------ 5 files changed, 21 insertions(+), 27 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c b/drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c index e8570060d007..5bca67407c5b 100644 --- a/drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c +++ b/drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c @@ -290,4 +290,5 @@ void dce_panel_cntl_construct( dce_panel_cntl->base.funcs = &dce_link_panel_cntl_funcs; dce_panel_cntl->base.ctx = init_data->ctx; dce_panel_cntl->base.inst = init_data->inst; + dce_panel_cntl->base.pwrseq_inst = 0; } diff --git a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_panel_cntl.c b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_panel_cntl.c index ad0df1a72a90..9e96a3ace207 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_panel_cntl.c +++ b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_panel_cntl.c @@ -215,4 +215,5 @@ void dcn301_panel_cntl_construct( dcn301_panel_cntl->base.funcs = &dcn301_link_panel_cntl_funcs; dcn301_panel_cntl->base.ctx = init_data->ctx; dcn301_panel_cntl->base.inst = init_data->inst; + dcn301_panel_cntl->base.pwrseq_inst = 0; } diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_panel_cntl.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_panel_cntl.c index 03248422d6ff..281be20b1a10 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_panel_cntl.c +++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_panel_cntl.c @@ -154,8 +154,24 @@ void dcn31_panel_cntl_construct( struct dcn31_panel_cntl *dcn31_panel_cntl, const struct panel_cntl_init_data *init_data) { + uint8_t pwrseq_inst = 0xF; + dcn31_panel_cntl->base.funcs = &dcn31_link_panel_cntl_funcs; dcn31_panel_cntl->base.ctx = init_data->ctx; dcn31_panel_cntl->base.inst = init_data->inst; - dcn31_panel_cntl->base.pwrseq_inst = init_data->pwrseq_inst; + + switch (init_data->eng_id) { + case ENGINE_ID_DIGA: + pwrseq_inst = 0; + break; + case ENGINE_ID_DIGB: + pwrseq_inst = 1; + break; + default: + DC_LOG_WARNING("Unsupported pwrseq engine id: %d!\n", init_data->eng_id); + ASSERT(false); + break; + } + + dcn31_panel_cntl->base.pwrseq_inst = pwrseq_inst; } diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw/panel_cntl.h b/drivers/gpu/drm/amd/display/dc/inc/hw/panel_cntl.h index 5dcbaa2db964..e97d964a1791 100644 --- a/drivers/gpu/drm/amd/display/dc/inc/hw/panel_cntl.h +++ b/drivers/gpu/drm/amd/display/dc/inc/hw/panel_cntl.h @@ -57,7 +57,7 @@ struct panel_cntl_funcs { struct panel_cntl_init_data { struct dc_context *ctx; uint32_t inst; - uint32_t pwrseq_inst; + uint32_t eng_id; }; struct panel_cntl { diff --git a/drivers/gpu/drm/amd/display/dc/link/link_factory.c b/drivers/gpu/drm/amd/display/dc/link/link_factory.c index 37d3027c32dc..cf22b8f28ba6 100644 --- a/drivers/gpu/drm/amd/display/dc/link/link_factory.c +++ b/drivers/gpu/drm/amd/display/dc/link/link_factory.c @@ -370,30 +370,6 @@ static enum transmitter translate_encoder_to_transmitter( } } -static uint8_t translate_dig_inst_to_pwrseq_inst(struct dc_link *link) -{ - uint8_t pwrseq_inst = 0xF; - struct dc_context *dc_ctx = link->dc->ctx; - - DC_LOGGER_INIT(dc_ctx->logger); - - switch (link->eng_id) { - case ENGINE_ID_DIGA: - pwrseq_inst = 0; - break; - case ENGINE_ID_DIGB: - pwrseq_inst = 1; - break; - default: - DC_LOG_WARNING("Unsupported pwrseq engine id: %d!\n", link->eng_id); - ASSERT(false); - break; - } - - return pwrseq_inst; -} - - static void link_destruct(struct dc_link *link) { int i; @@ -657,7 +633,7 @@ static bool construct_phy(struct dc_link *link, link->link_id.id == CONNECTOR_ID_LVDS)) { panel_cntl_init_data.ctx = dc_ctx; panel_cntl_init_data.inst = panel_cntl_init_data.ctx->dc_edp_id_count; - panel_cntl_init_data.pwrseq_inst = translate_dig_inst_to_pwrseq_inst(link); + panel_cntl_init_data.eng_id = link->eng_id; link->panel_cntl = link->dc->res_pool->funcs->panel_cntl_create( &panel_cntl_init_data); -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH 06/17] drm/amd/display: adjust few initialization order in dm

by Rodrigo Siqueira

From: Wayne Lin <wayne.lin(a)amd.com> [Why] Observe error message "Can't retrieve aconnector in hpd_rx_irq_offload_work" when boot up with a mst tbt4 dock connected. After analyzing, there are few parts needed to be adjusted: 1. hpd_rx_offload_wq[].aconnector is not initialzed before the dmub outbox hpd_irq handler get registered which causes the error message. 2. registeration of hpd and hpd_rx_irq event for usb4 dp tunneling is not aligned with legacy interface sequence [How] Put DMUB_NOTIFICATION_HPD and DMUB_NOTIFICATION_HPD_IRQ handler registration into register_hpd_handlers() to align other interfaces and get hpd_rx_offload_wq[].aconnector initialized earlier than that. Leave DMUB_NOTIFICATION_AUX_REPLY registered as it was since we need that while calling dc_link_detect(). USB4 connection status will be proactively detected by dc_link_detect_connection_type() in amdgpu_dm_initialize_drm_device() Cc: Stable <stable(a)vger.kernel.org> Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Acked-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Signed-off-by: Wayne Lin <wayne.lin(a)amd.com> --- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index b9ac3d2f8029..ed0ad44dd1d8 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -1843,21 +1843,12 @@ static int amdgpu_dm_init(struct amdgpu_device *adev) DRM_ERROR("amdgpu: fail to register dmub aux callback"); goto error; } - if (!register_dmub_notify_callback(adev, DMUB_NOTIFICATION_HPD, dmub_hpd_callback, true)) { - DRM_ERROR("amdgpu: fail to register dmub hpd callback"); - goto error; - } - if (!register_dmub_notify_callback(adev, DMUB_NOTIFICATION_HPD_IRQ, dmub_hpd_callback, true)) { - DRM_ERROR("amdgpu: fail to register dmub hpd callback"); - goto error; - } - } - - /* Enable outbox notification only after IRQ handlers are registered and DMUB is alive. - * It is expected that DMUB will resend any pending notifications at this point, for - * example HPD from DPIA. - */ - if (dc_is_dmub_outbox_supported(adev->dm.dc)) { + /* Enable outbox notification only after IRQ handlers are registered and DMUB is alive. + * It is expected that DMUB will resend any pending notifications at this point. Note + * that hpd and hpd_irq handler registration are deferred to register_hpd_handlers() to + * align legacy interface initialization sequence. Connection status will be proactivly + * detected once in the amdgpu_dm_initialize_drm_device. + */ dc_enable_dmub_outbox(adev->dm.dc); /* DPIA trace goes to dmesg logs only if outbox is enabled */ @@ -3546,6 +3537,14 @@ static void register_hpd_handlers(struct amdgpu_device *adev) int_params.requested_polarity = INTERRUPT_POLARITY_DEFAULT; int_params.current_polarity = INTERRUPT_POLARITY_DEFAULT; + if (dc_is_dmub_outbox_supported(adev->dm.dc)) { + if (!register_dmub_notify_callback(adev, DMUB_NOTIFICATION_HPD, dmub_hpd_callback, true)) + DRM_ERROR("amdgpu: fail to register dmub hpd callback"); + + if (!register_dmub_notify_callback(adev, DMUB_NOTIFICATION_HPD_IRQ, dmub_hpd_callback, true)) + DRM_ERROR("amdgpu: fail to register dmub hpd callback"); + } + list_for_each_entry(connector, &dev->mode_config.connector_list, head) { @@ -3574,10 +3573,6 @@ static void register_hpd_handlers(struct amdgpu_device *adev) handle_hpd_rx_irq, (void *) aconnector); } - - if (adev->dm.hpd_rx_offload_wq) - adev->dm.hpd_rx_offload_wq[connector->index].aconnector = - aconnector; } } @@ -4589,6 +4584,10 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev) goto fail; } + if (dm->hpd_rx_offload_wq) + dm->hpd_rx_offload_wq[aconnector->base.index].aconnector = + aconnector; + if (!dc_link_detect_connection_type(link, &new_connection_type)) DRM_ERROR("KMS: Failed to detect connector\n"); -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH 3/3] btrfs: dev-replace: properly validate device names

by David Sterba

There's a syzbot report that device name buffers passed to device replace are not properly checked for string termination which could lead to a read out of bounds in getname_kernel(). Add a helper that validates both source and target device name buffers. For devid as the source initialize the buffer to empty string in case something tries to read it later. This was originally analyzed and fixed in a different way by Edward Adam Davis (see links). Link: https://lore.kernel.org/linux-btrfs/000000000000d1a1d1060cc9c5e7@google.com/ Link: https://lore.kernel.org/linux-btrfs/tencent_44CA0665C9836EF9EEC80CB9E7E206D… CC: stable(a)vger.kernel.org # 4.19+ CC: Edward Adam Davis <eadavis(a)qq.com> Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8(a)syzkaller.appspotmail.com Signed-off-by: David Sterba <dsterba(a)suse.com> --- fs/btrfs/dev-replace.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c index 1502d664c892..79c4293ddf37 100644 --- a/fs/btrfs/dev-replace.c +++ b/fs/btrfs/dev-replace.c @@ -725,6 +725,23 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, return ret; } +static int btrfs_check_replace_dev_names(struct btrfs_ioctl_dev_replace_args *args) +{ + if (args->start.srcdevid == 0) { + if (memchr(args->start.srcdev_name, 0, + sizeof(args->start.srcdev_name)) == NULL) + return -ENAMETOOLONG; + } else { + args->start.srcdev_name[0] = 0; + } + + if (memchr(args->start.tgtdev_name, 0, + sizeof(args->start.tgtdev_name)) == NULL) + return -ENAMETOOLONG; + + return 0; +} + int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, struct btrfs_ioctl_dev_replace_args *args) { @@ -737,10 +754,9 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, default: return -EINVAL; } - - if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || - args->start.tgtdev_name[0] == '\0') - return -EINVAL; + ret = btrfs_check_replace_dev_names(args); + if (ret < 0) + return ret; ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name, args->start.srcdevid, -- 2.42.1

1 year, 6 months

1
0
0 0

Re: [PATCH 6.7 000/127] 6.7.5-rc2 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

1 year, 6 months

1
0
0 0

[PATCH 4.19 5.4 5.10 5.15 6.1] nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()

by Ryusuke Konishi

commit 38296afe3c6ee07319e01bb249aa4bb47c07b534 upstream. Syzbot reported a hang issue in migrate_pages_batch() called by mbind() and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2. While migrate_pages_batch() locks a folio and waits for the writeback to complete, the log writer thread that should bring the writeback to completion picks up the folio being written back in nilfs_lookup_dirty_data_buffers() that it calls for subsequent log creation and was trying to lock the folio. Thus causing a deadlock. In the first place, it is unexpected that folios/pages in the middle of writeback will be updated and become dirty. Nilfs2 adds a checksum to verify the validity of the log being written and uses it for recovery at mount, so data changes during writeback are suppressed. Since this is broken, an unclean shutdown could potentially cause recovery to fail. Investigation revealed that the root cause is that the wait for writeback completion in nilfs_page_mkwrite() is conditional, and if the backing device does not require stable writes, data may be modified without waiting. Fix these issues by making nilfs_page_mkwrite() wait for writeback to finish regardless of the stable write requirement of the backing device. Link: https://lkml.kernel.org/r/20240131145657.4209-1-konishi.ryusuke@gmail.com Fixes: 1d1d1a767206 ("mm: only enforce stable page writes if the backing device requires it") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+ee2ae68da3b22d04cd8d(a)syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/00000000000047d819061004ad6c@google.com Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- Please apply this patch to the stable trees indicated by the subject line prefix. This patch is tailored to account for page/folio conversion and an fs-wide change around page_mkwrite, and is applicable as-is to all versions from v3.9 (where the issue was introduced) to v6.5. Also, all the builds and retests I did on each stable tree passed. Thanks, Ryusuke Konishi fs/nilfs2/file.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/nilfs2/file.c b/fs/nilfs2/file.c index a265d391ffe9..822e8d95d31e 100644 --- a/fs/nilfs2/file.c +++ b/fs/nilfs2/file.c @@ -105,7 +105,13 @@ static vm_fault_t nilfs_page_mkwrite(struct vm_fault *vmf) nilfs_transaction_commit(inode->i_sb); mapped: - wait_for_stable_page(page); + /* + * Since checksumming including data blocks is performed to determine + * the validity of the log to be written and used for recovery, it is + * necessary to wait for writeback to finish here, regardless of the + * stable write requirement of the backing device. + */ + wait_on_page_writeback(page); out: sb_end_pagefault(inode->i_sb); return block_page_mkwrite_return(ret); -- 2.39.3

1 year, 6 months

1
0
0 0

[PATCH 6.1 00/64] 6.1.78-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.78 release. There are 64 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 15 Feb 2024 17:18:29 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.78-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.78-rc1 Jiri Wiesner <jwiesner(a)suse.de> clocksource: Skip watchdog check for large watchdog intervals Jens Axboe <axboe(a)kernel.dk> block: treat poll queue enter similarly to timeouts Sheng Yong <shengyong(a)oppo.com> f2fs: add helper to check compression level Mike Marciniszyn <mike.marciniszyn(a)intel.com> RDMA/irdma: Fix support for 64k pages Prathu Baronia <prathubaronia2011(a)gmail.com> vhost: use kzalloc() instead of kmalloc() followed by memset() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ASoC: amd: Add new dmi entries for acp5x platform" Jens Axboe <axboe(a)kernel.dk> io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Frederic Weisbecker <frederic(a)kernel.org> hrtimer: Report offline hrtimer enqueue Michal Pecio <michal.pecio(a)gmail.com> xhci: handle isoc Babble and Buffer Overrun events properly Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: process isoc TD properly when there was a transaction error mid TD. Prashanth K <quic_prashk(a)quicinc.com> usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Leonard Dallmayr <leonard.dallmayr(a)mailbox.org> USB: serial: cp210x: add ID for IMST iM871A-USB Puliang Lu <puliang.lu(a)fibocom.com> USB: serial: option: add Fibocom FM101-GL variant JackBB Wu <wojackbb(a)gmail.com> USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Sean Young <sean(a)mess.org> ALSA: usb-audio: add quirk for RODE NT-USB+ Julian Sikorski <belegdol+github(a)gmail.com> ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Alexander Tsoy <alexander(a)tsoy.me> ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Francesco Dolcini <francesco.dolcini(a)toradex.com> mtd: parsers: ofpart: add workaround for #size-cells 0 Alexander Aring <aahringo(a)redhat.com> fs: dlm: don't put dlm_local_addrs on heap Tejun Heo <tj(a)kernel.org> blk-iocost: Fix an UBSAN shift-out-of-bounds warning Ming Lei <ming.lei(a)redhat.com> scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Dan Carpenter <dan.carpenter(a)linaro.org> fs/ntfs3: Fix an NULL dereference bug Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove scratch_aligned pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: add helper to release pcpu scratch area Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: store index in scratch maps Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_ct: reject direction for ct id Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: restrict match/target protocol to u16 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: reject unused compat flag Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: narrow down revision to unsigned 8-bits Jakub Kicinski <kuba(a)kernel.org> selftests: cmsg_ipv6: repeat the exact packet Eric Dumazet <edumazet(a)google.com> ppp_async: limit MRU to 64K Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. Shigeru Yoshida <syoshida(a)redhat.com> tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() David Howells <dhowells(a)redhat.com> rxrpc: Fix response to PING RESPONSE ACKs to a dead call Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/gvt: Fix uninitialized variable in handle_mmio() Eric Dumazet <edumazet(a)google.com> inet: read sk->sk_family once in inet_recv_error() Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix bogus core_id to attr name mapping Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix out-of-bounds memory access Loic Prylli <lprylli(a)netflix.com> hwmon: (aspeed-pwm-tacho) mutex for tach reading Zhipeng Lu <alexious(a)zju.edu.cn> octeontx2-pf: Fix a memleak otx2_sq_init Zhipeng Lu <alexious(a)zju.edu.cn> atm: idt77252: fix a memleak in open_card_ubr0 Antoine Tenart <atenart(a)kernel.org> tunnels: fix out of bounds access when building IPv6 PMTU error Paolo Abeni <pabeni(a)redhat.com> selftests: net: avoid just another constant wait Paolo Abeni <pabeni(a)redhat.com> selftests: net: cut more slack for gro fwd tests. Ivan Vecera <ivecera(a)redhat.com> net: atlantic: Fix DMA mapping for PTP hwts ring Eric Dumazet <edumazet(a)google.com> netdevsim: avoid potential loop in nsim_dev_trap_report_work() Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix waiting for beacons logic Furong Xu <0x1207(a)gmail.com> net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case Shyam Prasad N <sprasad(a)microsoft.com> cifs: failure to add channel on iface should bump up weight Tony Lindgren <tony(a)atomide.com> phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Frank Li <Frank.Li(a)nxp.com> dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Jai Luthra <j-luthra(a)ti.com> dmaengine: ti: k3-udma: Report short packet errors Guanhua Gao <guanhua.gao(a)nxp.com> dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Baokun Li <libaokun1(a)huawei.com> ext4: regenerate buddy after block freeing failed if under fc replay ------------- Diffstat: Makefile | 4 +- block/blk-core.c | 11 ++- block/blk-iocost.c | 7 ++ drivers/atm/idt77252.c | 2 + drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 +- drivers/dma/fsl-qdma.c | 27 ++---- drivers/dma/ti/k3-udma.c | 10 +- .../drm/amd/display/dc/dcn301/dcn301_resource.c | 2 +- drivers/gpu/drm/i915/gvt/handlers.c | 3 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 +- drivers/gpu/drm/msm/dp/dp_ctrl.c | 5 - drivers/gpu/drm/msm/dp/dp_link.c | 22 +++-- drivers/gpu/drm/msm/dp/dp_reg.h | 3 + drivers/hwmon/aspeed-pwm-tacho.c | 7 ++ drivers/hwmon/coretemp.c | 40 ++++---- drivers/infiniband/hw/irdma/verbs.c | 2 +- drivers/input/keyboard/atkbd.c | 13 ++- drivers/input/serio/i8042-acpipnpio.h | 6 ++ drivers/mtd/parsers/ofpart_core.c | 19 ++++ drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 +- drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 +++ drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 + .../ethernet/marvell/octeontx2/nic/otx2_common.c | 14 ++- drivers/net/ethernet/stmicro/stmmac/common.h | 1 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 + .../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 57 ++++++++++- drivers/net/netdevsim/dev.c | 8 +- drivers/net/ppp/ppp_async.c | 4 + drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 - drivers/phy/ti/phy-omap-usb2.c | 4 +- drivers/scsi/scsi_error.c | 3 +- drivers/scsi/scsi_lib.c | 4 +- drivers/usb/dwc3/host.c | 4 +- drivers/usb/host/xhci-plat.c | 3 + drivers/usb/host/xhci-ring.c | 80 ++++++++++++--- drivers/usb/host/xhci.h | 1 + drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 1 + drivers/usb/serial/qcserial.c | 2 + drivers/vhost/vhost.c | 5 +- fs/dlm/lowcomms.c | 38 +++----- fs/ext4/mballoc.c | 20 ++++ fs/f2fs/compress.c | 27 ++++++ fs/f2fs/f2fs.h | 2 + fs/f2fs/super.c | 4 +- fs/ntfs3/ntfs_fs.h | 2 +- fs/smb/client/sess.c | 2 + include/linux/dmaengine.h | 3 +- include/linux/hrtimer.h | 4 +- include/uapi/linux/netfilter/nf_tables.h | 2 + io_uring/net.c | 1 + kernel/time/clocksource.c | 25 ++++- kernel/time/hrtimer.c | 3 + net/ipv4/af_inet.c | 6 +- net/ipv4/ip_tunnel_core.c | 2 +- net/mac80211/mlme.c | 3 +- net/netfilter/nft_compat.c | 17 +++- net/netfilter/nft_ct.c | 3 + net/netfilter/nft_set_pipapo.c | 108 ++++++++++----------- net/netfilter/nft_set_pipapo.h | 18 +++- net/netfilter/nft_set_pipapo_avx2.c | 17 ++-- net/rxrpc/conn_event.c | 8 ++ net/tipc/bearer.c | 6 ++ net/unix/garbage.c | 11 +++ sound/soc/amd/acp-config.c | 15 +-- sound/usb/quirks.c | 6 ++ tools/testing/selftests/net/cmsg_ipv6.sh | 4 +- tools/testing/selftests/net/pmtu.sh | 18 +++- tools/testing/selftests/net/udpgro_fwd.sh | 14 ++- tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- 70 files changed, 566 insertions(+), 239 deletions(-)

1 year, 6 months

12
79
0 0

patch "iio: accel: bma400: Fix a compilation problem" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: accel: bma400: Fix a compilation problem to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 4cb81840d8f29b66d9d05c6d7f360c9560f7e2f4 Mon Sep 17 00:00:00 2001 From: Mario Limonciello <mario.limonciello(a)amd.com> Date: Wed, 31 Jan 2024 16:52:46 -0600 Subject: iio: accel: bma400: Fix a compilation problem The kernel fails when compiling without `CONFIG_REGMAP_I2C` but with `CONFIG_BMA400`. ``` ld: drivers/iio/accel/bma400_i2c.o: in function `bma400_i2c_probe': bma400_i2c.c:(.text+0x23): undefined reference to `__devm_regmap_init_i2c' ``` Link: https://download.01.org/0day-ci/archive/20240131/202401311634.FE5CBVwe-lkp@… Fixes: 465c811f1f20 ("iio: accel: Add driver for the BMA400") Fixes: 9bea10642396 ("iio: accel: bma400: add support for bma400 spi") Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://lore.kernel.org/r/20240131225246.14169-1-mario.limonciello@amd.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/accel/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/accel/Kconfig b/drivers/iio/accel/Kconfig index 91adcac875a4..c9d7afe489e8 100644 --- a/drivers/iio/accel/Kconfig +++ b/drivers/iio/accel/Kconfig @@ -219,10 +219,12 @@ config BMA400 config BMA400_I2C tristate + select REGMAP_I2C depends on BMA400 config BMA400_SPI tristate + select REGMAP_SPI depends on BMA400 config BMC150_ACCEL -- 2.43.1

1 year, 6 months

1
0
0 0

patch "iio: commom: st_sensors: ensure proper DMA alignment" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: commom: st_sensors: ensure proper DMA alignment to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 862cf85fef85becc55a173387527adb4f076fab0 Mon Sep 17 00:00:00 2001 From: Nuno Sa <nuno.sa(a)analog.com> Date: Wed, 31 Jan 2024 10:16:47 +0100 Subject: iio: commom: st_sensors: ensure proper DMA alignment Aligning the buffer to the L1 cache is not sufficient in some platforms as they might have larger cacheline sizes for caches after L1 and thus, we can't guarantee DMA safety. That was the whole reason to introduce IIO_DMA_MINALIGN in [1]. Do the same for st_sensors common buffer. While at it, moved the odr_lock before buffer_data as we definitely don't want any other data to share a cacheline with the buffer. [1]: https://lore.kernel.org/linux-iio/20220508175712.647246-2-jic23@kernel.org/ Fixes: e031d5f558f1 ("iio:st_sensors: remove buffer allocation at each buffer enable") Signed-off-by: Nuno Sa <nuno.sa(a)analog.com> Cc: <Stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20240131-dev_dma_safety_stm-v2-1-580c07fae51b@ana… Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- include/linux/iio/common/st_sensors.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/iio/common/st_sensors.h b/include/linux/iio/common/st_sensors.h index 607c3a89a647..f9ae5cdd884f 100644 --- a/include/linux/iio/common/st_sensors.h +++ b/include/linux/iio/common/st_sensors.h @@ -258,9 +258,9 @@ struct st_sensor_data { bool hw_irq_trigger; s64 hw_timestamp; - char buffer_data[ST_SENSORS_MAX_BUFFER_SIZE] ____cacheline_aligned; - struct mutex odr_lock; + + char buffer_data[ST_SENSORS_MAX_BUFFER_SIZE] __aligned(IIO_DMA_MINALIGN); }; #ifdef CONFIG_IIO_BUFFER -- 2.43.1

1 year, 6 months

1
0
0 0

patch "iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 621c6257128149e45b36ffb973a01c3f3461b893 Mon Sep 17 00:00:00 2001 From: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Date: Sun, 4 Feb 2024 04:56:17 -0800 Subject: iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP When als_capture_sample() is called with usage ID HID_USAGE_SENSOR_TIME_TIMESTAMP, return 0. The HID sensor core ignores the return value for capture_sample() callback, so return value doesn't make difference. But correct the return value to return success instead of -EINVAL. Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://lore.kernel.org/r/20240204125617.2635574-1-srinivas.pandruvada@linu… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/light/hid-sensor-als.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/light/hid-sensor-als.c b/drivers/iio/light/hid-sensor-als.c index 5cd27f04b45e..b6c4bef2a7bb 100644 --- a/drivers/iio/light/hid-sensor-als.c +++ b/drivers/iio/light/hid-sensor-als.c @@ -226,6 +226,7 @@ static int als_capture_sample(struct hid_sensor_hub_device *hsdev, case HID_USAGE_SENSOR_TIME_TIMESTAMP: als_state->timestamp = hid_sensor_convert_timestamp(&als_state->common_attributes, *(s64 *)raw_data); + ret = 0; break; default: break; -- 2.43.1

1 year, 6 months

1
0
0 0

patch "staging: iio: ad5933: fix type mismatch regression" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: iio: ad5933: fix type mismatch regression to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 6db053cd949fcd6254cea9f2cd5d39f7bd64379c Mon Sep 17 00:00:00 2001 From: David Schiller <david.schiller(a)jku.at> Date: Mon, 22 Jan 2024 14:49:17 +0100 Subject: staging: iio: ad5933: fix type mismatch regression Commit 4c3577db3e4f ("Staging: iio: impedance-analyzer: Fix sparse warning") fixed a compiler warning, but introduced a bug that resulted in one of the two 16 bit IIO channels always being zero (when both are enabled). This is because int is 32 bits wide on most architectures and in the case of a little-endian machine the two most significant bytes would occupy the buffer for the second channel as 'val' is being passed as a void pointer to 'iio_push_to_buffers()'. Fix by defining 'val' as u16. Tested working on ARM64. Fixes: 4c3577db3e4f ("Staging: iio: impedance-analyzer: Fix sparse warning") Signed-off-by: David Schiller <david.schiller(a)jku.at> Link: https://lore.kernel.org/r/20240122134916.2137957-1-david.schiller@jku.at Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/iio/impedance-analyzer/ad5933.c b/drivers/staging/iio/impedance-analyzer/ad5933.c index e748a5d04e97..9149d41fe65b 100644 --- a/drivers/staging/iio/impedance-analyzer/ad5933.c +++ b/drivers/staging/iio/impedance-analyzer/ad5933.c @@ -608,7 +608,7 @@ static void ad5933_work(struct work_struct *work) struct ad5933_state, work.work); struct iio_dev *indio_dev = i2c_get_clientdata(st->client); __be16 buf[2]; - int val[2]; + u16 val[2]; unsigned char status; int ret; -- 2.43.1

1 year, 6 months

1
0
0 0

patch "iio: adc: ad_sigma_delta: ensure proper DMA alignment" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad_sigma_delta: ensure proper DMA alignment to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 59598510be1d49e1cff7fd7593293bb8e1b2398b Mon Sep 17 00:00:00 2001 From: Nuno Sa <nuno.sa(a)analog.com> Date: Wed, 17 Jan 2024 13:41:03 +0100 Subject: iio: adc: ad_sigma_delta: ensure proper DMA alignment Aligning the buffer to the L1 cache is not sufficient in some platforms as they might have larger cacheline sizes for caches after L1 and thus, we can't guarantee DMA safety. That was the whole reason to introduce IIO_DMA_MINALIGN in [1]. Do the same for the sigma_delta ADCs. [1]: https://lore.kernel.org/linux-iio/20220508175712.647246-2-jic23@kernel.org/ Fixes: 0fb6ee8d0b5e ("iio: ad_sigma_delta: Don't put SPI transfer buffer on the stack") Signed-off-by: Nuno Sa <nuno.sa(a)analog.com> Link: https://lore.kernel.org/r/20240117-dev_sigma_delta_no_irq_flags-v1-1-db3926… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- include/linux/iio/adc/ad_sigma_delta.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h index 7852f6c9a714..719cf9cc6e1a 100644 --- a/include/linux/iio/adc/ad_sigma_delta.h +++ b/include/linux/iio/adc/ad_sigma_delta.h @@ -8,6 +8,8 @@ #ifndef __AD_SIGMA_DELTA_H__ #define __AD_SIGMA_DELTA_H__ +#include <linux/iio/iio.h> + enum ad_sigma_delta_mode { AD_SD_MODE_CONTINUOUS = 0, AD_SD_MODE_SINGLE = 1, @@ -99,7 +101,7 @@ struct ad_sigma_delta { * 'rx_buf' is up to 32 bits per sample + 64 bit timestamp, * rounded to 16 bytes to take into account padding. */ - uint8_t tx_buf[4] ____cacheline_aligned; + uint8_t tx_buf[4] __aligned(IIO_DMA_MINALIGN); uint8_t rx_buf[16] __aligned(8); }; -- 2.43.1

1 year, 6 months

1
0
0 0

patch "iio: imu: adis: ensure proper DMA alignment" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: adis: ensure proper DMA alignment to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 8e98b87f515d8c4bae521048a037b2cc431c3fd5 Mon Sep 17 00:00:00 2001 From: Nuno Sa <nuno.sa(a)analog.com> Date: Wed, 17 Jan 2024 14:10:49 +0100 Subject: iio: imu: adis: ensure proper DMA alignment Aligning the buffer to the L1 cache is not sufficient in some platforms as they might have larger cacheline sizes for caches after L1 and thus, we can't guarantee DMA safety. That was the whole reason to introduce IIO_DMA_MINALIGN in [1]. Do the same for the sigma_delta ADCs. [1]: https://lore.kernel.org/linux-iio/20220508175712.647246-2-jic23@kernel.org/ Fixes: ccd2b52f4ac6 ("staging:iio: Add common ADIS library") Signed-off-by: Nuno Sa <nuno.sa(a)analog.com> Link: https://lore.kernel.org/r/20240117-adis-improv-v1-1-7f90e9fad200@analog.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- include/linux/iio/imu/adis.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/iio/imu/adis.h b/include/linux/iio/imu/adis.h index dc9ea299e088..8898966bc0f0 100644 --- a/include/linux/iio/imu/adis.h +++ b/include/linux/iio/imu/adis.h @@ -11,6 +11,7 @@ #include <linux/spi/spi.h> #include <linux/interrupt.h> +#include <linux/iio/iio.h> #include <linux/iio/types.h> #define ADIS_WRITE_REG(reg) ((0x80 | (reg))) @@ -131,7 +132,7 @@ struct adis { unsigned long irq_flag; void *buffer; - u8 tx[10] ____cacheline_aligned; + u8 tx[10] __aligned(IIO_DMA_MINALIGN); u8 rx[4]; }; -- 2.43.1

1 year, 6 months

1
0
0 0

patch "iio: imu: bno055: serdev requires REGMAP" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: bno055: serdev requires REGMAP to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 35ec2d03b282a939949090bd8c39eb37a5856721 Mon Sep 17 00:00:00 2001 From: Randy Dunlap <rdunlap(a)infradead.org> Date: Wed, 10 Jan 2024 10:56:11 -0800 Subject: iio: imu: bno055: serdev requires REGMAP There are a ton of build errors when REGMAP is not set, so select REGMAP to fix all of them. Examples (not all of them): ../drivers/iio/imu/bno055/bno055_ser_core.c:495:15: error: variable 'bno055_ser_regmap_bus' has initializer but incomplete type 495 | static struct regmap_bus bno055_ser_regmap_bus = { ../drivers/iio/imu/bno055/bno055_ser_core.c:496:10: error: 'struct regmap_bus' has no member named 'write' 496 | .write = bno055_ser_write_reg, ../drivers/iio/imu/bno055/bno055_ser_core.c:497:10: error: 'struct regmap_bus' has no member named 'read' 497 | .read = bno055_ser_read_reg, ../drivers/iio/imu/bno055/bno055_ser_core.c: In function 'bno055_ser_probe': ../drivers/iio/imu/bno055/bno055_ser_core.c:532:18: error: implicit declaration of function 'devm_regmap_init'; did you mean 'vmem_map_init'? [-Werror=implicit-function-declaration] 532 | regmap = devm_regmap_init(&serdev->dev, &bno055_ser_regmap_bus, ../drivers/iio/imu/bno055/bno055_ser_core.c:532:16: warning: assignment to 'struct regmap *' from 'int' makes pointer from integer without a cast [-Wint-conversion] 532 | regmap = devm_regmap_init(&serdev->dev, &bno055_ser_regmap_bus, ../drivers/iio/imu/bno055/bno055_ser_core.c: At top level: ../drivers/iio/imu/bno055/bno055_ser_core.c:495:26: error: storage size of 'bno055_ser_regmap_bus' isn't known 495 | static struct regmap_bus bno055_ser_regmap_bus = { Fixes: 2eef5a9cc643 ("iio: imu: add BNO055 serdev driver") Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org> Cc: Andrea Merello <andrea.merello(a)iit.it> Cc: Jonathan Cameron <jic23(a)kernel.org> Cc: Lars-Peter Clausen <lars(a)metafoo.de> Cc: linux-iio(a)vger.kernel.org Cc: <Stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20240110185611.19723-1-rdunlap@infradead.org Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/bno055/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/imu/bno055/Kconfig b/drivers/iio/imu/bno055/Kconfig index 83e53acfbe88..c7f5866a177d 100644 --- a/drivers/iio/imu/bno055/Kconfig +++ b/drivers/iio/imu/bno055/Kconfig @@ -8,6 +8,7 @@ config BOSCH_BNO055 config BOSCH_BNO055_SERIAL tristate "Bosch BNO055 attached via UART" depends on SERIAL_DEV_BUS + select REGMAP select BOSCH_BNO055 help Enable this to support Bosch BNO055 IMUs attached via UART. -- 2.43.1

1 year, 6 months

1
0
0 0

patch "iio: pressure: bmp280: Add missing bmp085 to SPI id table" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: pressure: bmp280: Add missing bmp085 to SPI id table to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From b67f3e653e305abf1471934d7b9fdb9ad2df3eef Mon Sep 17 00:00:00 2001 From: Sam Protsenko <semen.protsenko(a)linaro.org> Date: Wed, 20 Dec 2023 12:47:53 -0600 Subject: iio: pressure: bmp280: Add missing bmp085 to SPI id table "bmp085" is missing in bmp280_spi_id[] table, which leads to the next warning in dmesg: SPI driver bmp280 has no spi_device_id for bosch,bmp085 Add "bmp085" to bmp280_spi_id[] by mimicking its existing description in bmp280_of_spi_match[] table to fix the above warning. Signed-off-by: Sam Protsenko <semen.protsenko(a)linaro.org> Fixes: b26b4e91700f ("iio: pressure: bmp280: add SPI interface driver") Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Reviewed-by: Linus Walleij <linus.walleij(a)linaro.org> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/pressure/bmp280-spi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/pressure/bmp280-spi.c b/drivers/iio/pressure/bmp280-spi.c index 433d6fac83c4..e8a5fed07e88 100644 --- a/drivers/iio/pressure/bmp280-spi.c +++ b/drivers/iio/pressure/bmp280-spi.c @@ -87,6 +87,7 @@ static const struct of_device_id bmp280_of_spi_match[] = { MODULE_DEVICE_TABLE(of, bmp280_of_spi_match); static const struct spi_device_id bmp280_spi_id[] = { + { "bmp085", (kernel_ulong_t)&bmp180_chip_info }, { "bmp180", (kernel_ulong_t)&bmp180_chip_info }, { "bmp181", (kernel_ulong_t)&bmp180_chip_info }, { "bmp280", (kernel_ulong_t)&bmp280_chip_info }, -- 2.43.1

1 year, 6 months

1
0
0 0

patch "iio: magnetometer: rm3100: add boundary check for the value read from" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: magnetometer: rm3100: add boundary check for the value read from to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 792595bab4925aa06532a14dd256db523eb4fa5e Mon Sep 17 00:00:00 2001 From: "zhili.liu" <zhili.liu(a)ucas.com.cn> Date: Tue, 2 Jan 2024 09:07:11 +0800 Subject: iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC Recently, we encounter kernel crash in function rm3100_common_probe caused by out of bound access of array rm3100_samp_rates (because of underlying hardware failures). Add boundary check to prevent out of bound access. Fixes: 121354b2eceb ("iio: magnetometer: Add driver support for PNI RM3100") Suggested-by: Zhouyi Zhou <zhouzhouyi(a)gmail.com> Signed-off-by: zhili.liu <zhili.liu(a)ucas.com.cn> Link: https://lore.kernel.org/r/1704157631-3814-1-git-send-email-zhouzhouyi@gmail… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/magnetometer/rm3100-core.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/iio/magnetometer/rm3100-core.c b/drivers/iio/magnetometer/rm3100-core.c index 69938204456f..42b70cd42b39 100644 --- a/drivers/iio/magnetometer/rm3100-core.c +++ b/drivers/iio/magnetometer/rm3100-core.c @@ -530,6 +530,7 @@ int rm3100_common_probe(struct device *dev, struct regmap *regmap, int irq) struct rm3100_data *data; unsigned int tmp; int ret; + int samp_rate_index; indio_dev = devm_iio_device_alloc(dev, sizeof(*data)); if (!indio_dev) @@ -586,9 +587,14 @@ int rm3100_common_probe(struct device *dev, struct regmap *regmap, int irq) ret = regmap_read(regmap, RM3100_REG_TMRC, &tmp); if (ret < 0) return ret; + + samp_rate_index = tmp - RM3100_TMRC_OFFSET; + if (samp_rate_index < 0 || samp_rate_index >= RM3100_SAMP_NUM) { + dev_err(dev, "The value read from RM3100_REG_TMRC is invalid!\n"); + return -EINVAL; + } /* Initializing max wait time, which is double conversion time. */ - data->conversion_time = rm3100_samp_rates[tmp - RM3100_TMRC_OFFSET][2] - * 2; + data->conversion_time = rm3100_samp_rates[samp_rate_index][2] * 2; /* Cycle count values may not be what we want. */ if ((tmp - RM3100_TMRC_OFFSET) == 0) -- 2.43.1

1 year, 6 months

1
0
0 0

patch "iio: core: fix memleak in iio_device_register_sysfs" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: core: fix memleak in iio_device_register_sysfs to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 95a0d596bbd0552a78e13ced43f2be1038883c81 Mon Sep 17 00:00:00 2001 From: Dinghao Liu <dinghao.liu(a)zju.edu.cn> Date: Fri, 8 Dec 2023 15:31:19 +0800 Subject: iio: core: fix memleak in iio_device_register_sysfs When iio_device_register_sysfs_group() fails, we should free iio_dev_opaque->chan_attr_group.attrs to prevent potential memleak. Fixes: 32f171724e5c ("iio: core: rework iio device group creation") Signed-off-by: Dinghao Liu <dinghao.liu(a)zju.edu.cn> Link: https://lore.kernel.org/r/20231208073119.29283-1-dinghao.liu@zju.edu.cn Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/industrialio-core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c index 9a85752124dd..173dc00762a1 100644 --- a/drivers/iio/industrialio-core.c +++ b/drivers/iio/industrialio-core.c @@ -1584,10 +1584,13 @@ static int iio_device_register_sysfs(struct iio_dev *indio_dev) ret = iio_device_register_sysfs_group(indio_dev, &iio_dev_opaque->chan_attr_group); if (ret) - goto error_clear_attrs; + goto error_free_chan_attrs; return 0; +error_free_chan_attrs: + kfree(iio_dev_opaque->chan_attr_group.attrs); + iio_dev_opaque->chan_attr_group.attrs = NULL; error_clear_attrs: iio_free_chan_devattr_list(&iio_dev_opaque->channel_attr_list); -- 2.43.1

1 year, 6 months

1
0
0 0

[REGRESSION] Acp5x probing regression introduced between kernel 6.7.2 -> 6.7.4

by Ted Chang

Hi kernel maintainers, I noticed 6.7.4 has introduced a regression for the steam deck. The LCD steam deck can no longer probe the acp5x audio chipset anymore. This regression does not affect the 6.8.x series. I did not test kernel 6.7.3 because Opensuse tumbleweed skipped the update on my machine. Steps to reproduce the problem 1. Obtain a steam deck 2. Install kernel 6.7.4 3. Boot the device and you will see dummy output in gnome shell Observed kernel logs. [ 8.755614] cs35l41 spi-VLV1776:00: supply VA not found, using dummy regulator [ 8.760506] cs35l41 spi-VLV1776:00: supply VP not found, using dummy regulator [ 8.777148] cs35l41 spi-VLV1776:00: Cirrus Logic CS35L41 (35a40), Revision: B2 [ 8.777471] cs35l41 spi-VLV1776:01: supply VA not found, using dummy regulator [ 8.777532] cs35l41 spi-VLV1776:01: supply VP not found, using dummy regulator [ 8.777709] cs35l41 spi-VLV1776:01: Reset line busy, assuming shared reset [ 8.788465] cs35l41 spi-VLV1776:01: Cirrus Logic CS35L41 (35a40), Revision: B2 [ 8.877280] snd_hda_intel 0000:04:00.1: enabling device (0000 -> 0002) [ 8.877595] snd_hda_intel 0000:04:00.1: Handle vga_switcheroo audio client [ 8.889913] snd_acp_pci 0000:04:00.5: enabling device (0000 -> 0002) [ 8.890063] snd_acp_pci 0000:04:00.5: Unsupported device revision:0x50 [ 8.890129] snd_acp_pci: probe of 0000:04:00.5 failed with error -22 [ 8.906136] snd_hda_intel 0000:04:00.1: bound 0000:04:00.0 (ops amdgpu_dm_audio_component_bind_ops [amdgpu] No kernel module in use shown. 04:00.5 Multimedia controller [0480]: Advanced Micro Devices, Inc. [AMD] ACP/ACP3X/ACP6x Audio Coprocessor [1022:15e2] (rev 50) Subsystem: Valve Software Device [1e44:1776] Flags: fast devsel, IRQ 70, IOMMU group 4 Memory at 80380000 (32-bit, non-prefetchable) [size=256K] Capabilities: <access denied> Kernel modules: snd_pci_acp3x, snd_rn_pci_acp3x, snd_pci_acp5x, snd_pci_acp6x, snd_acp_pci, snd_rpl_pci_acp6x, snd_pci_ps, snd_sof_amd_renoir, snd_sof_amd_rembrandt, snd_sof_amd_vangogh, snd_sof_amd_acp63 Information for package kernel-default: --------------------------------------- Repository : openSUSE-Tumbleweed-Oss Name : kernel-default Version : 6.7.4-1.1 Arch : x86_64 Vendor : openSUSE Installed Size : 240.3 MiB Installed : Yes Status : up-to-date Source package : kernel-default-6.7.4-1.1.nosrc Upstream URL : https://www.kernel.org/ Summary : The Standard Kernel Description : The standard kernel for both uniprocessor and multiprocessor systems. Source Timestamp: 2024-02-06 05:32:37 +0000 GIT Revision: 01735a3e65287585dd830a6a3d33d909a4f9ae7f GIT Branch: stable Handle 0x0000, DMI type 0, 26 bytes BIOS Information Vendor: Valve Version: F7A0120 Release Date: 12/01/2023 Address: 0xE0000 Runtime Size: 128 kB BIOS Revision: 1.20 Firmware Revision: 1.16 #regzbot introduced: v6.7.2..v6.7.4

1 year, 6 months

5
5
0 0

[PATCH net 3/3] can: netlink: Fix TDCO calculation using the old data bittiming

by Marc Kleine-Budde

From: Maxime Jayat <maxime.jayat(a)mobile-devices.fr> The TDCO calculation was done using the currently applied data bittiming, instead of the newly computed data bittiming, which means that the TDCO had an invalid value unless setting the same data bittiming twice. Fixes: d99755f71a80 ("can: netlink: add interface for CAN-FD Transmitter Delay Compensation (TDC)") Signed-off-by: Maxime Jayat <maxime.jayat(a)mobile-devices.fr> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Link: https://lore.kernel.org/all/40579c18-63c0-43a4-8d4c-f3a6c1c0b417@munic.io Cc: stable(a)vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/dev/netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/dev/netlink.c b/drivers/net/can/dev/netlink.c index 036d85ef07f5..dfdc039d92a6 100644 --- a/drivers/net/can/dev/netlink.c +++ b/drivers/net/can/dev/netlink.c @@ -346,7 +346,7 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[], /* Neither of TDC parameters nor TDC flags are * provided: do calculation */ - can_calc_tdco(&priv->tdc, priv->tdc_const, &priv->data_bittiming, + can_calc_tdco(&priv->tdc, priv->tdc_const, &dbt, &priv->ctrlmode, priv->ctrlmode_supported); } /* else: both CAN_CTRLMODE_TDC_{AUTO,MANUAL} are explicitly * turned off. TDC is disabled: do nothing -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH net 2/3] can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)

by Marc Kleine-Budde

From: Oleksij Rempel <o.rempel(a)pengutronix.de> Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...) modifies jsk->filters while receiving packets. Following trace was seen on affected system: ================================================================== BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] Read of size 4 at addr ffff888012144014 by task j1939/350 CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: print_report+0xd3/0x620 ? kasan_complete_mode_report_info+0x7d/0x200 ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] kasan_report+0xc2/0x100 ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] __asan_load4+0x84/0xb0 j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] j1939_sk_recv+0x20b/0x320 [can_j1939] ? __kasan_check_write+0x18/0x20 ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939] ? j1939_simple_recv+0x69/0x280 [can_j1939] ? j1939_ac_recv+0x5e/0x310 [can_j1939] j1939_can_recv+0x43f/0x580 [can_j1939] ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939] ? raw_rcv+0x42/0x3c0 [can_raw] ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939] can_rcv_filter+0x11f/0x350 [can] can_receive+0x12f/0x190 [can] ? __pfx_can_rcv+0x10/0x10 [can] can_rcv+0xdd/0x130 [can] ? __pfx_can_rcv+0x10/0x10 [can] __netif_receive_skb_one_core+0x13d/0x150 ? __pfx___netif_receive_skb_one_core+0x10/0x10 ? __kasan_check_write+0x18/0x20 ? _raw_spin_lock_irq+0x8c/0xe0 __netif_receive_skb+0x23/0xb0 process_backlog+0x107/0x260 __napi_poll+0x69/0x310 net_rx_action+0x2a1/0x580 ? __pfx_net_rx_action+0x10/0x10 ? __pfx__raw_spin_lock+0x10/0x10 ? handle_irq_event+0x7d/0xa0 __do_softirq+0xf3/0x3f8 do_softirq+0x53/0x80 </IRQ> <TASK> __local_bh_enable_ip+0x6e/0x70 netif_rx+0x16b/0x180 can_send+0x32b/0x520 [can] ? __pfx_can_send+0x10/0x10 [can] ? __check_object_size+0x299/0x410 raw_sendmsg+0x572/0x6d0 [can_raw] ? __pfx_raw_sendmsg+0x10/0x10 [can_raw] ? apparmor_socket_sendmsg+0x2f/0x40 ? __pfx_raw_sendmsg+0x10/0x10 [can_raw] sock_sendmsg+0xef/0x100 sock_write_iter+0x162/0x220 ? __pfx_sock_write_iter+0x10/0x10 ? __rtnl_unlock+0x47/0x80 ? security_file_permission+0x54/0x320 vfs_write+0x6ba/0x750 ? __pfx_vfs_write+0x10/0x10 ? __fget_light+0x1ca/0x1f0 ? __rcu_read_unlock+0x5b/0x280 ksys_write+0x143/0x170 ? __pfx_ksys_write+0x10/0x10 ? __kasan_check_read+0x15/0x20 ? fpregs_assert_state_consistent+0x62/0x70 __x64_sys_write+0x47/0x60 do_syscall_64+0x60/0x90 ? do_syscall_64+0x6d/0x90 ? irqentry_exit+0x3f/0x50 ? exc_page_fault+0x79/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 348: kasan_save_stack+0x2a/0x50 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x1f/0x30 __kasan_kmalloc+0xb5/0xc0 __kmalloc_node_track_caller+0x67/0x160 j1939_sk_setsockopt+0x284/0x450 [can_j1939] __sys_setsockopt+0x15c/0x2f0 __x64_sys_setsockopt+0x6b/0x80 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 349: kasan_save_stack+0x2a/0x50 kasan_set_track+0x29/0x40 kasan_save_free_info+0x2f/0x50 __kasan_slab_free+0x12e/0x1c0 __kmem_cache_free+0x1b9/0x380 kfree+0x7a/0x120 j1939_sk_setsockopt+0x3b2/0x450 [can_j1939] __sys_setsockopt+0x15c/0x2f0 __x64_sys_setsockopt+0x6b/0x80 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol") Reported-by: Sili Luo <rootlab(a)huawei.com> Suggested-by: Sili Luo <rootlab(a)huawei.com> Acked-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Cc: stable(a)vger.kernel.org Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.de Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/j1939/j1939-priv.h | 1 + net/can/j1939/socket.c | 22 ++++++++++++++++++---- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/net/can/j1939/j1939-priv.h b/net/can/j1939/j1939-priv.h index 74f15592d170..31a93cae5111 100644 --- a/net/can/j1939/j1939-priv.h +++ b/net/can/j1939/j1939-priv.h @@ -301,6 +301,7 @@ struct j1939_sock { int ifindex; struct j1939_addr addr; + spinlock_t filters_lock; struct j1939_filter *filters; int nfilters; pgn_t pgn_rx_filter; diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c index 94cfc2315e54..305dd72c844c 100644 --- a/net/can/j1939/socket.c +++ b/net/can/j1939/socket.c @@ -262,12 +262,17 @@ static bool j1939_sk_match_dst(struct j1939_sock *jsk, static bool j1939_sk_match_filter(struct j1939_sock *jsk, const struct j1939_sk_buff_cb *skcb) { - const struct j1939_filter *f = jsk->filters; - int nfilter = jsk->nfilters; + const struct j1939_filter *f; + int nfilter; + + spin_lock_bh(&jsk->filters_lock); + + f = jsk->filters; + nfilter = jsk->nfilters; if (!nfilter) /* receive all when no filters are assigned */ - return true; + goto filter_match_found; for (; nfilter; ++f, --nfilter) { if ((skcb->addr.pgn & f->pgn_mask) != f->pgn) @@ -276,9 +281,15 @@ static bool j1939_sk_match_filter(struct j1939_sock *jsk, continue; if ((skcb->addr.src_name & f->name_mask) != f->name) continue; - return true; + goto filter_match_found; } + + spin_unlock_bh(&jsk->filters_lock); return false; + +filter_match_found: + spin_unlock_bh(&jsk->filters_lock); + return true; } static bool j1939_sk_recv_match_one(struct j1939_sock *jsk, @@ -401,6 +412,7 @@ static int j1939_sk_init(struct sock *sk) atomic_set(&jsk->skb_pending, 0); spin_lock_init(&jsk->sk_session_queue_lock); INIT_LIST_HEAD(&jsk->sk_session_queue); + spin_lock_init(&jsk->filters_lock); /* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */ sock_set_flag(sk, SOCK_RCU_FREE); @@ -703,9 +715,11 @@ static int j1939_sk_setsockopt(struct socket *sock, int level, int optname, } lock_sock(&jsk->sk); + spin_lock_bh(&jsk->filters_lock); ofilters = jsk->filters; jsk->filters = filters; jsk->nfilters = count; + spin_unlock_bh(&jsk->filters_lock); release_sock(&jsk->sk); kfree(ofilters); return 0; -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH v2 1/2] drm/buddy: Fix alloc_range() error handling code

by Arunpravin Paneer Selvam

Few users have observed display corruption when they boot the machine to KDE Plasma or playing games. We have root caused the problem that whenever alloc_range() couldn't find the required memory blocks the function was returning SUCCESS in some of the corner cases. The right approach would be if the total allocated size is less than the required size, the function should return -ENOSPC. Cc: <stable(a)vger.kernel.org> # 6.7+ Fixes: 0a1844bf0b53 ("drm/buddy: Improve contiguous memory allocation") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3097 Tested-by: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://patchwork.kernel.org/project/dri-devel/patch/20240207174456.341121-… Acked-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index f57e6d74fb0e..c1a99bf4dffd 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -539,6 +539,12 @@ static int __alloc_range(struct drm_buddy *mm, } while (1); list_splice_tail(&allocated, blocks); + + if (total_allocated < size) { + err = -ENOSPC; + goto err_free; + } + return 0; err_undo: base-commit: b6ddaa63f728d26c12048aed76be99c24f435c41 -- 2.25.1

1 year, 6 months

1
0
0 0

[PATCH] scsi: sd: usb_storage: uas: Access media prior to querying device properties

by Martin K. Petersen

It has been observed that some USB/UAS devices return generic properties hardcoded in firmware for mode pages and vital product data for a period of time after a device has been discovered. The reported properties are either garbage or they do not accurately reflect the properties of the physical storage device attached in the case of a bridge. Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice") we would call revalidate several times during device discovery. As a result, incorrect values would eventually get replaced with ones accurately describing the attached storage. When we did away with the redundant revalidate pass, several cases were reported where devices reported nonsensical values or would end up in write-protected state. An initial attempt at addressing this issue involved introducing a delayed second revalidate invocation. However, this approach still left some devices reporting incorrect characteristics. Tasos Sahanidis debugged the problem further and identified that introducing a READ operation prior to MODE SENSE fixed the problem and that it wasn't a timing issue. Issuing a READ appears to cause the devices to update their SCSI pages to reflect the actual properties of the storage media. Device properties like vendor, model, and storage capacity appear to be correctly reported from the get-go. It is unclear why these device defer populating the remaining characteristics. Match the behavior of a well known commercial operating system and trigger a READ operation prior to querying device characteristics to force the device to populate mode pages and VPDs. The additional READ is triggered by a flag set in the USB storage and UAS drivers. We avoid issuing the READ for other transport classes since some storage devices identify Linux through our particular discovery command sequence. Cc: <stable(a)vger.kernel.org> Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice") Reported-by: Tasos Sahanidis <tasos(a)tasossah.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> --- drivers/scsi/sd.c | 27 ++++++++++++++++++++++++++- drivers/usb/storage/scsiglue.c | 7 +++++++ drivers/usb/storage/uas.c | 7 +++++++ include/scsi/scsi_device.h | 1 + 4 files changed, 41 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 530918cbfce2..c284628f702c 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3405,6 +3405,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, return true; } +static void sd_read_block_zero(struct scsi_disk *sdkp) +{ + unsigned int buf_len = sdkp->device->sector_size; + char *buffer, cmd[10] = { }; + + buffer = kmalloc(buf_len, GFP_KERNEL); + if (!buffer) + return; + + cmd[0] = READ_10; + put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */ + put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */ + + scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len, + SD_TIMEOUT, sdkp->max_retries, NULL); + kfree(buffer); +} + /** * sd_revalidate_disk - called the first time a new disk is seen, * performs disk spin up, read_capacity, etc. @@ -3444,7 +3462,14 @@ static int sd_revalidate_disk(struct gendisk *disk) */ if (sdkp->media_present) { sd_read_capacity(sdkp, buffer); - + /* + * Some USB/UAS devices return generic values for mode pages + * and VPDs until the media has been accessed. Trigger a READ + * operation to force the device to populate mode pages and + * VPDs. + */ + if (sdp->read_before_ms) + sd_read_block_zero(sdkp); /* * set the default to rotational. All non-rotational devices * support the block characteristics VPD page, which will diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c index c54e9805da53..12cf9940e5b6 100644 --- a/drivers/usb/storage/scsiglue.c +++ b/drivers/usb/storage/scsiglue.c @@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev) */ sdev->use_192_bytes_for_3f = 1; + /* + * Some devices report generic values until the media has been + * accessed. Force a READ(10) prior to querying device + * characteristics. + */ + sdev->read_before_ms = 1; + /* * Some devices don't like MODE SENSE with page=0x3f, * which is the command used for checking if a device diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c index 696bb0b23599..299a6767b7b3 100644 --- a/drivers/usb/storage/uas.c +++ b/drivers/usb/storage/uas.c @@ -878,6 +878,13 @@ static int uas_slave_configure(struct scsi_device *sdev) if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) sdev->guess_capacity = 1; + /* + * Some devices report generic values until the media has been + * accessed. Force a READ(10) prior to querying device + * characteristics. + */ + sdev->read_before_ms = 1; + /* * Some devices don't like MODE SENSE with page=0x3f, * which is the command used for checking if a device diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h index 10480eb582b2..cb019c80763b 100644 --- a/include/scsi/scsi_device.h +++ b/include/scsi/scsi_device.h @@ -202,6 +202,7 @@ struct scsi_device { unsigned use_10_for_rw:1; /* first try 10-byte read / write */ unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */ unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */ + unsigned read_before_ms:1; /* perform a READ before MODE SENSE */ unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */ unsigned no_write_same:1; /* no WRITE SAME command */ unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */ -- 2.42.1

1 year, 6 months

5
5
0 0

[PATCH 6.6 000/121] 6.6.17-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.17 release. There are 121 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 15 Feb 2024 17:18:29 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.17-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.17-rc1 Jens Axboe <axboe(a)kernel.dk> io_uring/net: limit inline multishot retries Jens Axboe <axboe(a)kernel.dk> io_uring/poll: add requeue return code from poll multishot handling Jens Axboe <axboe(a)kernel.dk> io_uring/net: un-indent mshot retry path in io_recv_finish() Jens Axboe <axboe(a)kernel.dk> io_uring/poll: move poll execution helpers higher up Jens Axboe <axboe(a)kernel.dk> io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers Aurelien Jarno <aurelien(a)aurel32.net> media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ASoC: amd: Add new dmi entries for acp5x platform" Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Frederic Weisbecker <frederic(a)kernel.org> hrtimer: Report offline hrtimer enqueue Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: add support for the Intel Arrow Lake-H Michal Pecio <michal.pecio(a)gmail.com> xhci: handle isoc Babble and Buffer Overrun events properly Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: process isoc TD properly when there was a transaction error mid TD. Prashanth K <quic_prashk(a)quicinc.com> usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups Badhri Jagan Sridharan <badhri(a)google.com> Revert "usb: typec: tcpm: fix cc role at port reset" Leonard Dallmayr <leonard.dallmayr(a)mailbox.org> USB: serial: cp210x: add ID for IMST iM871A-USB Puliang Lu <puliang.lu(a)fibocom.com> USB: serial: option: add Fibocom FM101-GL variant JackBB Wu <wojackbb(a)gmail.com> USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Sean Young <sean(a)mess.org> ALSA: usb-audio: add quirk for RODE NT-USB+ Julian Sikorski <belegdol+github(a)gmail.com> ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Alexander Tsoy <alexander(a)tsoy.me> ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Tejun Heo <tj(a)kernel.org> blk-iocost: Fix an UBSAN shift-out-of-bounds warning Ben Dooks <ben.dooks(a)codethink.co.uk> riscv: declare overflow_stack as exported from traps.c Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix arch_hugetlb_migration_supported() for NAPOT Xiubo Li <xiubli(a)redhat.com> libceph: just wait for more data to be available on the socket Xiubo Li <xiubli(a)redhat.com> libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*() Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Flush the tlb when a page directory is freed Ming Lei <ming.lei(a)redhat.com> scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix set_huge_pte_at() for NAPOT mapping Vincent Chen <vincent.chen(a)sifive.com> riscv: mm: execute local TLB flush after populating vmemmap Alexandre Ghiti <alexghiti(a)rivosinc.com> mm: Introduce flush_cache_vmap_early() Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Improve flush_tlb_kernel_range() Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Make __flush_tlb_range() loop over pte instead of flushing the whole tlb Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Improve tlb_flush() Dan Carpenter <dan.carpenter(a)linaro.org> fs/ntfs3: Fix an NULL dereference bug Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove scratch_aligned pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: add helper to release pcpu scratch area Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: store index in scratch maps Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_ct: reject direction for ct id Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: restrict match/target protocol to u16 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: reject unused compat flag Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_compat: narrow down revision to unsigned 8-bits Jakub Kicinski <kuba(a)kernel.org> selftests: cmsg_ipv6: repeat the exact packet Eric Dumazet <edumazet(a)google.com> ppp_async: limit MRU to 64K Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. Shigeru Yoshida <syoshida(a)redhat.com> tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Paolo Abeni <pabeni(a)redhat.com> selftests: net: let big_tcp test cope with slow env David Howells <dhowells(a)redhat.com> rxrpc: Fix counting of new acks and nacks David Howells <dhowells(a)redhat.com> rxrpc: Fix response to PING RESPONSE ACKs to a dead call David Howells <dhowells(a)redhat.com> rxrpc: Fix delayed ACKs to not set the reference serial number David Howells <dhowells(a)redhat.com> rxrpc: Fix generation of serial numbers to skip zero Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/gvt: Fix uninitialized variable in handle_mmio() Eric Dumazet <edumazet(a)google.com> inet: read sk->sk_family once in inet_recv_error() Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix bogus core_id to attr name mapping Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Fix out-of-bounds memory access Loic Prylli <lprylli(a)netflix.com> hwmon: (aspeed-pwm-tacho) mutex for tach reading Zhipeng Lu <alexious(a)zju.edu.cn> octeontx2-pf: Fix a memleak otx2_sq_init Zhipeng Lu <alexious(a)zju.edu.cn> atm: idt77252: fix a memleak in open_card_ubr0 Antoine Tenart <atenart(a)kernel.org> tunnels: fix out of bounds access when building IPv6 PMTU error Gerhard Engleder <gerhard(a)engleder-embedded.com> tsnep: Fix mapping for zero copy XDP_TX action Paolo Abeni <pabeni(a)redhat.com> selftests: net: avoid just another constant wait Paolo Abeni <pabeni(a)redhat.com> selftests: net: fix tcp listener handling in pmtu.sh Yujie Liu <yujie.liu(a)intel.com> selftests/net: change shebang to bash to support "source" Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: convert pmtu.sh to run it in unique namespace Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: convert unicast_extensions.sh to run it in unique namespace Paolo Abeni <pabeni(a)redhat.com> selftests: net: cut more slack for gro fwd tests. Ivan Vecera <ivecera(a)redhat.com> net: atlantic: Fix DMA mapping for PTP hwts ring Eric Dumazet <edumazet(a)google.com> netdevsim: avoid potential loop in nsim_dev_trap_report_work() Kees Cook <keescook(a)chromium.org> wifi: brcmfmac: Adjust n_channels usage for __counted_by Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: exit eSR only after the FW does Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix waiting for beacons logic Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix RCU use in TDLS fast-xmit Furong Xu <0x1207(a)gmail.com> net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Ard Biesheuvel <ardb(a)kernel.org> x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR Ard Biesheuvel <ardb(a)kernel.org> x86/efistub: Give up if memory attribute protocol returns an error Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case Christoph Hellwig <hch(a)lst.de> xfs: respect the stable writes flag on the RT device Christoph Hellwig <hch(a)lst.de> xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags Darrick J. Wong <djwong(a)kernel.org> xfs: dquot recovery does not validate the recovered dquot Darrick J. Wong <djwong(a)kernel.org> xfs: clean up dqblk extraction Dave Chinner <dchinner(a)redhat.com> xfs: inode recovery does not validate the recovered inode Anthony Iliopoulos <ailiop(a)suse.com> xfs: fix again select in kconfig XFS_ONLINE_SCRUB_STATS Omar Sandoval <osandov(a)fb.com> xfs: fix internal error from AGFL exhaustion Leah Rumancik <leah.rumancik(a)gmail.com> xfs: up(ic_sema) if flushing data device fails Christoph Hellwig <hch(a)lst.de> xfs: only remap the written blocks in xfs_reflink_end_cow_extent Long Li <leo.lilong(a)huawei.com> xfs: abort intent items when recovery intents fail Long Li <leo.lilong(a)huawei.com> xfs: factor out xfs_defer_pending_abort Catherine Hoang <catherine.hoang(a)oracle.com> xfs: allow read IO and FICLONE to run concurrently Christoph Hellwig <hch(a)lst.de> xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space Cheng Lin <cheng.lin130(a)zte.com.cn> xfs: introduce protection for drop nlink Darrick J. Wong <djwong(a)kernel.org> xfs: make sure maxlen is still congruent with prod when rounding down Darrick J. Wong <djwong(a)kernel.org> xfs: fix units conversion error in xfs_bmap_del_extent_delay Darrick J. Wong <djwong(a)kernel.org> xfs: rt stubs should return negative errnos when rt disabled Darrick J. Wong <djwong(a)kernel.org> xfs: prevent rt growfs when quota is enabled Darrick J. Wong <djwong(a)kernel.org> xfs: hoist freeing of rt data fork extent mappings Darrick J. Wong <djwong(a)kernel.org> xfs: bump max fsgeom struct version Catherine Hoang <catherine.hoang(a)oracle.com> MAINTAINERS: add Catherine as xfs maintainer for 6.6.y Miguel Ojeda <ojeda(a)kernel.org> rust: upgrade to Rust 1.73.0 Miguel Ojeda <ojeda(a)kernel.org> rust: print: use explicit link in documentation Miguel Ojeda <ojeda(a)kernel.org> rust: task: remove redundant explicit link Miguel Ojeda <ojeda(a)kernel.org> rust: upgrade to Rust 1.72.1 Miguel Ojeda <ojeda(a)kernel.org> rust: arc: add explicit `drop()` around `Box::from_raw()` Shyam Prasad N <sprasad(a)microsoft.com> cifs: failure to add channel on iface should bump up weight Shyam Prasad N <sprasad(a)microsoft.com> cifs: avoid redundant calls to disable multichannel Tony Lindgren <tony(a)atomide.com> phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Frank Li <Frank.Li(a)nxp.com> dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV James Clark <james.clark(a)arm.com> perf evlist: Fix evlist__new_default() for > 1 core PMU Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Jai Luthra <j-luthra(a)ti.com> dmaengine: ti: k3-udma: Report short packet errors Guanhua Gao <guanhua.gao(a)nxp.com> dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Baokun Li <libaokun1(a)huawei.com> ext4: regenerate buddy after block freeing failed if under fc replay ------------- Diffstat: Documentation/process/changes.rst | 2 +- MAINTAINERS | 1 + Makefile | 4 +- arch/arc/include/asm/cacheflush.h | 1 + arch/arm/include/asm/cacheflush.h | 2 + arch/csky/abiv1/inc/abi/cacheflush.h | 1 + arch/csky/abiv2/inc/abi/cacheflush.h | 1 + arch/m68k/include/asm/cacheflush_mm.h | 1 + arch/mips/include/asm/cacheflush.h | 2 + arch/nios2/include/asm/cacheflush.h | 1 + arch/parisc/include/asm/cacheflush.h | 1 + arch/riscv/include/asm/cacheflush.h | 3 +- arch/riscv/include/asm/hugetlb.h | 3 + arch/riscv/include/asm/sbi.h | 3 - arch/riscv/include/asm/stacktrace.h | 5 + arch/riscv/include/asm/tlb.h | 8 +- arch/riscv/include/asm/tlbflush.h | 17 +- arch/riscv/kernel/sbi.c | 32 ++-- arch/riscv/mm/hugetlbpage.c | 78 +++++++- arch/riscv/mm/init.c | 4 + arch/riscv/mm/tlbflush.c | 156 +++++++++------- arch/sh/include/asm/cacheflush.h | 1 + arch/sparc/include/asm/cacheflush_32.h | 1 + arch/sparc/include/asm/cacheflush_64.h | 1 + arch/x86/lib/getuser.S | 24 +-- arch/x86/lib/putuser.S | 20 +-- arch/xtensa/include/asm/cacheflush.h | 6 +- block/blk-iocost.c | 7 + drivers/atm/idt77252.c | 2 + drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c | 10 +- drivers/dma/fsl-qdma.c | 27 ++- drivers/dma/ti/k3-udma.c | 10 +- drivers/firmware/efi/libstub/efistub.h | 3 +- drivers/firmware/efi/libstub/kaslr.c | 2 +- drivers/firmware/efi/libstub/randomalloc.c | 12 +- drivers/firmware/efi/libstub/x86-stub.c | 25 +-- drivers/firmware/efi/libstub/x86-stub.h | 4 +- drivers/firmware/efi/libstub/zboot.c | 2 +- drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hwseq.c | 63 ++++--- .../drm/amd/display/dc/dcn301/dcn301_resource.c | 2 +- drivers/gpu/drm/i915/gvt/handlers.c | 3 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 +- drivers/gpu/drm/msm/dp/dp_ctrl.c | 5 - drivers/gpu/drm/msm/dp/dp_link.c | 22 ++- drivers/gpu/drm/msm/dp/dp_reg.h | 3 + drivers/hwmon/aspeed-pwm-tacho.c | 7 + drivers/hwmon/coretemp.c | 40 +++-- drivers/input/keyboard/atkbd.c | 13 +- drivers/input/serio/i8042-acpipnpio.h | 6 + drivers/media/pci/solo6x10/solo6x10-offsets.h | 10 +- drivers/net/ethernet/aquantia/atlantic/aq_ptp.c | 4 +- drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 ++ drivers/net/ethernet/aquantia/atlantic/aq_ring.h | 1 + drivers/net/ethernet/engleder/tsnep_main.c | 16 +- .../ethernet/marvell/octeontx2/nic/otx2_common.c | 14 +- drivers/net/ethernet/stmicro/stmmac/common.h | 1 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 3 + .../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 57 +++++- drivers/net/netdevsim/dev.c | 8 +- drivers/net/ppp/ppp_async.c | 4 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 6 +- .../net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 6 +- drivers/phy/renesas/phy-rcar-gen3-usb2.c | 4 - drivers/phy/ti/phy-omap-usb2.c | 4 +- drivers/scsi/scsi_error.c | 3 +- drivers/scsi/scsi_lib.c | 4 +- drivers/usb/dwc3/dwc3-pci.c | 4 + drivers/usb/dwc3/host.c | 4 +- drivers/usb/host/xhci-plat.c | 3 + drivers/usb/host/xhci-ring.c | 80 +++++++-- drivers/usb/host/xhci.h | 1 + drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 1 + drivers/usb/serial/qcserial.c | 2 + drivers/usb/typec/tcpm/tcpm.c | 3 +- fs/ext4/mballoc.c | 20 +++ fs/ntfs3/ntfs_fs.h | 2 +- fs/smb/client/sess.c | 2 + fs/smb/client/smb2pdu.c | 2 +- fs/xfs/Kconfig | 2 +- fs/xfs/libxfs/xfs_alloc.c | 27 ++- fs/xfs/libxfs/xfs_bmap.c | 21 +-- fs/xfs/libxfs/xfs_defer.c | 38 ++-- fs/xfs/libxfs/xfs_defer.h | 2 +- fs/xfs/libxfs/xfs_inode_buf.c | 3 + fs/xfs/libxfs/xfs_rtbitmap.c | 33 ++++ fs/xfs/libxfs/xfs_sb.h | 2 +- fs/xfs/xfs_bmap_util.c | 24 +-- fs/xfs/xfs_dquot.c | 5 +- fs/xfs/xfs_dquot_item_recover.c | 21 ++- fs/xfs/xfs_file.c | 63 +++++-- fs/xfs/xfs_inode.c | 24 +++ fs/xfs/xfs_inode.h | 17 ++ fs/xfs/xfs_inode_item_recover.c | 14 +- fs/xfs/xfs_ioctl.c | 34 ++-- fs/xfs/xfs_iops.c | 7 + fs/xfs/xfs_log.c | 23 +-- fs/xfs/xfs_log_recover.c | 2 +- fs/xfs/xfs_reflink.c | 5 + fs/xfs/xfs_rtalloc.c | 33 +++- fs/xfs/xfs_rtalloc.h | 27 +-- include/asm-generic/cacheflush.h | 6 + include/linux/ceph/messenger.h | 2 +- include/linux/dmaengine.h | 3 +- include/linux/hrtimer.h | 4 +- include/trace/events/rxrpc.h | 8 +- include/uapi/linux/netfilter/nf_tables.h | 2 + io_uring/io_uring.h | 7 + io_uring/net.c | 54 ++++-- io_uring/poll.c | 39 ++-- kernel/time/hrtimer.c | 3 + mm/percpu.c | 8 +- net/ceph/messenger_v1.c | 33 ++-- net/ceph/messenger_v2.c | 4 +- net/ceph/osd_client.c | 9 +- net/ipv4/af_inet.c | 6 +- net/ipv4/ip_tunnel_core.c | 2 +- net/mac80211/mlme.c | 3 +- net/mac80211/tx.c | 7 +- net/netfilter/nft_compat.c | 17 +- net/netfilter/nft_ct.c | 3 + net/netfilter/nft_set_pipapo.c | 108 +++++------ net/netfilter/nft_set_pipapo.h | 18 +- net/netfilter/nft_set_pipapo_avx2.c | 17 +- net/rxrpc/ar-internal.h | 37 +++- net/rxrpc/call_event.c | 12 +- net/rxrpc/call_object.c | 1 + net/rxrpc/conn_event.c | 10 +- net/rxrpc/input.c | 115 ++++++++++-- net/rxrpc/output.c | 8 +- net/rxrpc/proc.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/tipc/bearer.c | 6 + net/unix/garbage.c | 11 ++ rust/alloc/alloc.rs | 21 --- rust/alloc/boxed.rs | 56 ++++-- rust/alloc/lib.rs | 13 +- rust/alloc/raw_vec.rs | 30 ++-- rust/alloc/vec/drain_filter.rs | 199 --------------------- rust/alloc/vec/extract_if.rs | 115 ++++++++++++ rust/alloc/vec/mod.rs | 110 ++++++------ rust/alloc/vec/spec_extend.rs | 8 +- rust/compiler_builtins.rs | 1 + rust/kernel/print.rs | 1 + rust/kernel/sync/arc.rs | 2 +- rust/kernel/task.rs | 2 +- scripts/min-tool-version.sh | 2 +- sound/soc/amd/acp-config.c | 15 +- sound/usb/quirks.c | 6 + tools/perf/util/evlist.c | 9 +- tools/testing/selftests/net/big_tcp.sh | 4 +- tools/testing/selftests/net/cmsg_ipv6.sh | 4 +- tools/testing/selftests/net/pmtu.sh | 52 +++--- tools/testing/selftests/net/udpgro_fwd.sh | 14 +- tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- tools/testing/selftests/net/unicast_extensions.sh | 93 +++++----- 156 files changed, 1686 insertions(+), 1003 deletions(-)

1 year, 6 months

12
133
0 0

[PATCH 5.15 0/1] ext4, jbd2: add an optimized bmap for the journal inode

by Nikolay Kuratov

It's already into 6.6 and fixes the Syzkaller issue Link: https://syzkaller.appspot.com/bug?id=e4aaa78795e490421c79f76ec3679006c8ff4c… Theoretically the issue boils down to commit 51ae846cff56 ("ext4: fix warning in ext4_iomap_begin as race between bmap and write") so it should be in 5.10, 5.15 and 6.1 kernels. But we at Linux Verification Center can reproduce it with 5.15 and 6.1 only so I'm asking to apply the fix for those two. Theodore Ts'o (1): ext4, jbd2: add an optimized bmap for the journal inode fs/ext4/super.c | 23 +++++++++++++++++++++++ fs/jbd2/journal.c | 9 ++++++--- include/linux/jbd2.h | 8 ++++++++ 3 files changed, 37 insertions(+), 3 deletions(-) -- 2.34.1

1 year, 6 months

1
1
0 0

[PATCH] comedi: comedi_test: Prevent timers rescheduling during deletion

by Ian Abbott

The comedi_test devices have a couple of timers (ai_timer and ao_timer) that can be started to simulate hardware interrupts. Their expiry functions normally reschedule the timer. The driver code calls either del_timer_sync() or del_timer() to delete the timers from the queue, but does not currently prevent the timers from rescheduling themselves so synchronized deletion may be ineffective. Add a couple of boolean members (one for each timer: ai_timer_enable and ao_timer_enable) to the device private data structure to indicate whether the timers are allowed to reschedule themselves. Set the member to true when adding the timer to the queue, and to false when deleting the timer from the queue in the waveform_ai_cancel() and waveform_ao_cancel() functions. The del_timer_sync() function is also called from the waveform_detach() function, but the timer enable members will already be set to false when that function is called, so no change is needed there. Fixes: 403fe7f34e33 ("staging: comedi: comedi_test: fix timer race conditions") Cc: <stable(a)vger.kernel.org> # 4.4+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- drivers/comedi/drivers/comedi_test.c | 37 +++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 30ea8b53ebf8..7fefe0de0bcc 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -87,6 +87,8 @@ struct waveform_private { struct comedi_device *dev; /* parent comedi device */ u64 ao_last_scan_time; /* time of previous AO scan in usec */ unsigned int ao_scan_period; /* AO scan period in usec */ + bool ai_timer_enable:1; /* should AI timer be running? */ + bool ao_timer_enable:1; /* should AO timer be running? */ unsigned short ao_loopbacks[N_CHANS]; }; @@ -232,12 +234,18 @@ static void waveform_ai_timer(struct timer_list *t) if (cmd->stop_src == TRIG_COUNT && async->scans_done >= cmd->stop_arg) { async->events |= COMEDI_CB_EOA; } else { + unsigned long flags; + if (devpriv->ai_convert_time > now) time_increment = devpriv->ai_convert_time - now; else time_increment = 1; - mod_timer(&devpriv->ai_timer, - jiffies + usecs_to_jiffies(time_increment)); + spin_lock_irqsave(&dev->spinlock, flags); + if (devpriv->ai_timer_enable) { + mod_timer(&devpriv->ai_timer, + jiffies + usecs_to_jiffies(time_increment)); + } + spin_unlock_irqrestore(&dev->spinlock, flags); } overrun: @@ -352,6 +360,7 @@ static int waveform_ai_cmd(struct comedi_device *dev, struct comedi_cmd *cmd = &s->async->cmd; unsigned int first_convert_time; u64 wf_current; + unsigned long flags; if (cmd->flags & CMDF_PRIORITY) { dev_err(dev->class_dev, @@ -393,9 +402,12 @@ static int waveform_ai_cmd(struct comedi_device *dev, * Seem to need an extra jiffy here, otherwise timer expires slightly * early! */ + spin_lock_irqsave(&dev->spinlock, flags); + devpriv->ai_timer_enable = true; devpriv->ai_timer.expires = jiffies + usecs_to_jiffies(devpriv->ai_convert_period) + 1; add_timer(&devpriv->ai_timer); + spin_unlock_irqrestore(&dev->spinlock, flags); return 0; } @@ -403,7 +415,11 @@ static int waveform_ai_cancel(struct comedi_device *dev, struct comedi_subdevice *s) { struct waveform_private *devpriv = dev->private; + unsigned long flags; + spin_lock_irqsave(&dev->spinlock, flags); + devpriv->ai_timer_enable = false; + spin_unlock_irqrestore(&dev->spinlock, flags); if (in_softirq()) { /* Assume we were called from the timer routine itself. */ del_timer(&devpriv->ai_timer); @@ -494,9 +510,14 @@ static void waveform_ao_timer(struct timer_list *t) } else { unsigned int time_inc = devpriv->ao_last_scan_time + devpriv->ao_scan_period - now; + unsigned long flags; - mod_timer(&devpriv->ao_timer, - jiffies + usecs_to_jiffies(time_inc)); + spin_lock_irqsave(&dev->spinlock, flags); + if (devpriv->ao_timer_enable) { + mod_timer(&devpriv->ao_timer, + jiffies + usecs_to_jiffies(time_inc)); + } + spin_unlock_irqrestore(&dev->spinlock, flags); } underrun: @@ -510,6 +531,7 @@ static int waveform_ao_inttrig_start(struct comedi_device *dev, struct waveform_private *devpriv = dev->private; struct comedi_async *async = s->async; struct comedi_cmd *cmd = &async->cmd; + unsigned long flags; if (trig_num != cmd->start_arg) return -EINVAL; @@ -517,9 +539,12 @@ static int waveform_ao_inttrig_start(struct comedi_device *dev, async->inttrig = NULL; devpriv->ao_last_scan_time = ktime_to_us(ktime_get()); + spin_lock_irqsave(&dev->spinlock, flags); + devpriv->ao_timer_enable = true; devpriv->ao_timer.expires = jiffies + usecs_to_jiffies(devpriv->ao_scan_period); add_timer(&devpriv->ao_timer); + spin_unlock_irqrestore(&dev->spinlock, flags); return 1; } @@ -602,8 +627,12 @@ static int waveform_ao_cancel(struct comedi_device *dev, struct comedi_subdevice *s) { struct waveform_private *devpriv = dev->private; + unsigned long flags; s->async->inttrig = NULL; + spin_lock_irqsave(&dev->spinlock, flags); + devpriv->ao_timer_enable = false; + spin_unlock_irqrestore(&dev->spinlock, flags); if (in_softirq()) { /* Assume we were called from the timer routine itself. */ del_timer(&devpriv->ao_timer); -- 2.43.0

1 year, 6 months

1
2
0 0

[PATCH -fixes v3 2/2] riscv: Save/restore envcfg CSR during CPU suspend

by Samuel Holland

The value of the [ms]envcfg CSR is lost when entering a nonretentive idle state, so the CSR must be rewritten when resuming the CPU. The [ms]envcfg CSR was added in version 1.12 of the privileged ISA, and is used by extensions other than Zicboz. However, the kernel currenly has no way to determine the privileged ISA version. Since Zicboz is the only in-kernel user of this CSR so far, use it as a proxy for determining if the CSR is implemented. Cc: <stable(a)vger.kernel.org> # v6.7+ Fixes: 43c16d51a19b ("RISC-V: Enable cbo.zero in usermode") Signed-off-by: Samuel Holland <samuel.holland(a)sifive.com> --- Changes in v3: - Check for Zicboz instead of the privileged ISA version Changes in v2: - Check for privileged ISA v1.12 instead of the specific CSR - Use riscv_has_extension_likely() instead of new ALTERNATIVE()s arch/riscv/include/asm/suspend.h | 1 + arch/riscv/kernel/suspend.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/arch/riscv/include/asm/suspend.h b/arch/riscv/include/asm/suspend.h index 02f87867389a..491296a335d0 100644 --- a/arch/riscv/include/asm/suspend.h +++ b/arch/riscv/include/asm/suspend.h @@ -14,6 +14,7 @@ struct suspend_context { struct pt_regs regs; /* Saved and restored by high-level functions */ unsigned long scratch; + unsigned long envcfg; unsigned long tvec; unsigned long ie; #ifdef CONFIG_MMU diff --git a/arch/riscv/kernel/suspend.c b/arch/riscv/kernel/suspend.c index 239509367e42..28166006688e 100644 --- a/arch/riscv/kernel/suspend.c +++ b/arch/riscv/kernel/suspend.c @@ -15,6 +15,8 @@ void suspend_save_csrs(struct suspend_context *context) { context->scratch = csr_read(CSR_SCRATCH); + if (riscv_cpu_has_extension_unlikely(smp_processor_id(), RISCV_ISA_EXT_ZICBOZ)) + context->envcfg = csr_read(CSR_ENVCFG); context->tvec = csr_read(CSR_TVEC); context->ie = csr_read(CSR_IE); @@ -36,6 +38,8 @@ void suspend_save_csrs(struct suspend_context *context) void suspend_restore_csrs(struct suspend_context *context) { csr_write(CSR_SCRATCH, context->scratch); + if (riscv_cpu_has_extension_unlikely(smp_processor_id(), RISCV_ISA_EXT_ZICBOZ)) + csr_write(CSR_ENVCFG, context->envcfg); csr_write(CSR_TVEC, context->tvec); csr_write(CSR_IE, context->ie); -- 2.43.0

1 year, 6 months

2
1
0 0

[PATCH 1/2] drm/buddy: Fix alloc_range() error handling code

by Arunpravin Paneer Selvam

Few users have observed display corruption when they boot the machine to KDE Plasma or playing games. We have root caused the problem that whenever alloc_range() couldn't find the required memory blocks the function was returning SUCCESS in some of the corner cases. The right approach would be if the total allocated size is less than the required size, the function should return -ENOSPC. Cc: <stable(a)vger.kernel.org> # 6.7+ Fixes: 0a1844bf0b53 ("drm/buddy: Improve contiguous memory allocation") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3097 Tested-by: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://patchwork.kernel.org/project/dri-devel/patch/20240207174456.341121-… Acked-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index f57e6d74fb0e..c1a99bf4dffd 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -539,6 +539,12 @@ static int __alloc_range(struct drm_buddy *mm, } while (1); list_splice_tail(&allocated, blocks); + + if (total_allocated < size) { + err = -ENOSPC; + goto err_free; + } + return 0; err_undo: base-commit: 2c80a2b715df75881359d07dbaacff8ad411f40e -- 2.25.1

1 year, 6 months

1
0
0 0

[PATCH] media: mxl5xx: Move xpt structures off stack

by Nathan Chancellor

When building for LoongArch with clang 18.0.0, the stack usage of probe() is larger than the allowed 2048 bytes: drivers/media/dvb-frontends/mxl5xx.c:1698:12: warning: stack frame size (2368) exceeds limit (2048) in 'probe' [-Wframe-larger-than] 1698 | static int probe(struct mxl *state, struct mxl5xx_cfg *cfg) | ^ 1 warning generated. This is the result of the linked LLVM commit, which changes how the arrays of structures in config_ts() get handled with CONFIG_INIT_STACK_ZERO and CONFIG_INIT_STACK_PATTERN, which causes the above warning in combination with inlining, as config_ts() gets inlined into probe(). This warning can be easily fixed by moving the array of structures off of the stackvia 'static const', which is a better location for these variables anyways because they are static data that is only ever read from, never modified, so allocating the stack space is wasteful. This drops the stack usage from 2368 bytes to 256 bytes with the same compiler and configuration. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/1977 Link: https://github.com/llvm/llvm-project/commit/afe8b93ffdfef5d8879e1894b9d7dda… Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/media/dvb-frontends/mxl5xx.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/media/dvb-frontends/mxl5xx.c b/drivers/media/dvb-frontends/mxl5xx.c index 4ebbcf05cc09..91e9c378397c 100644 --- a/drivers/media/dvb-frontends/mxl5xx.c +++ b/drivers/media/dvb-frontends/mxl5xx.c @@ -1381,57 +1381,57 @@ static int config_ts(struct mxl *state, enum MXL_HYDRA_DEMOD_ID_E demod_id, u32 nco_count_min = 0; u32 clk_type = 0; - struct MXL_REG_FIELD_T xpt_sync_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_sync_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 8, 1}, {0x90700010, 9, 1}, {0x90700010, 10, 1}, {0x90700010, 11, 1}, {0x90700010, 12, 1}, {0x90700010, 13, 1}, {0x90700010, 14, 1}, {0x90700010, 15, 1} }; - struct MXL_REG_FIELD_T xpt_clock_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_clock_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 16, 1}, {0x90700010, 17, 1}, {0x90700010, 18, 1}, {0x90700010, 19, 1}, {0x90700010, 20, 1}, {0x90700010, 21, 1}, {0x90700010, 22, 1}, {0x90700010, 23, 1} }; - struct MXL_REG_FIELD_T xpt_valid_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_valid_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700014, 0, 1}, {0x90700014, 1, 1}, {0x90700014, 2, 1}, {0x90700014, 3, 1}, {0x90700014, 4, 1}, {0x90700014, 5, 1}, {0x90700014, 6, 1}, {0x90700014, 7, 1} }; - struct MXL_REG_FIELD_T xpt_ts_clock_phase[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_ts_clock_phase[MXL_HYDRA_DEMOD_MAX] = { {0x90700018, 0, 3}, {0x90700018, 4, 3}, {0x90700018, 8, 3}, {0x90700018, 12, 3}, {0x90700018, 16, 3}, {0x90700018, 20, 3}, {0x90700018, 24, 3}, {0x90700018, 28, 3} }; - struct MXL_REG_FIELD_T xpt_lsb_first[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_lsb_first[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 16, 1}, {0x9070000C, 17, 1}, {0x9070000C, 18, 1}, {0x9070000C, 19, 1}, {0x9070000C, 20, 1}, {0x9070000C, 21, 1}, {0x9070000C, 22, 1}, {0x9070000C, 23, 1} }; - struct MXL_REG_FIELD_T xpt_sync_byte[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_sync_byte[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 0, 1}, {0x90700010, 1, 1}, {0x90700010, 2, 1}, {0x90700010, 3, 1}, {0x90700010, 4, 1}, {0x90700010, 5, 1}, {0x90700010, 6, 1}, {0x90700010, 7, 1} }; - struct MXL_REG_FIELD_T xpt_enable_output[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_enable_output[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 0, 1}, {0x9070000C, 1, 1}, {0x9070000C, 2, 1}, {0x9070000C, 3, 1}, {0x9070000C, 4, 1}, {0x9070000C, 5, 1}, {0x9070000C, 6, 1}, {0x9070000C, 7, 1} }; - struct MXL_REG_FIELD_T xpt_err_replace_sync[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_err_replace_sync[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 24, 1}, {0x9070000C, 25, 1}, {0x9070000C, 26, 1}, {0x9070000C, 27, 1}, {0x9070000C, 28, 1}, {0x9070000C, 29, 1}, {0x9070000C, 30, 1}, {0x9070000C, 31, 1} }; - struct MXL_REG_FIELD_T xpt_err_replace_valid[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_err_replace_valid[MXL_HYDRA_DEMOD_MAX] = { {0x90700014, 8, 1}, {0x90700014, 9, 1}, {0x90700014, 10, 1}, {0x90700014, 11, 1}, {0x90700014, 12, 1}, {0x90700014, 13, 1}, {0x90700014, 14, 1}, {0x90700014, 15, 1} }; - struct MXL_REG_FIELD_T xpt_continuous_clock[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_continuous_clock[MXL_HYDRA_DEMOD_MAX] = { {0x907001D4, 0, 1}, {0x907001D4, 1, 1}, {0x907001D4, 2, 1}, {0x907001D4, 3, 1}, {0x907001D4, 4, 1}, {0x907001D4, 5, 1}, {0x907001D4, 6, 1}, {0x907001D4, 7, 1} }; - struct MXL_REG_FIELD_T xpt_nco_clock_rate[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_nco_clock_rate[MXL_HYDRA_DEMOD_MAX] = { {0x90700044, 16, 80}, {0x90700044, 16, 81}, {0x90700044, 16, 82}, {0x90700044, 16, 83}, {0x90700044, 16, 84}, {0x90700044, 16, 85}, --- base-commit: 02d4e62ae2452c83e4a3e279b8e4cb4dcbad4b31 change-id: 20240111-dvb-mxl5xx-move-structs-off-stack-e12172b1ef02 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 year, 6 months

3
3
0 0

Re: [PATCH 6.7 000/124] 6.7.5-rc1 review

by Ronald Warsow

Hi Greg *no* regressions here on x86_64 (RKL, Intel 11th Gen.CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

1 year, 6 months

1
0
0 0

[PATCH 6.1.y] dlm: Treat dlm_local_addr[0] as sockaddr_storage *

by Jordan Rife

Backport e11dea8 ("dlm: use kernel_connect() and kernel_bind()") to Linux stable 6.1 caused a regression. The original patch expected dlm_local_addrs[0] to be of type sockaddr_storage, because c51c9cd ("fs: dlm: don't put dlm_local_addrs on heap") changed its type from sockaddr_storage* to sockaddr_storage in Linux 6.5+ while in older Linux versions this is still the original sockaddr_storage*. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063338 Cc: <stable(a)vger.kernel.org> # 6.1.x Fixes: e11dea8f5033 ("dlm: use kernel_connect() and kernel_bind()") Signed-off-by: Jordan Rife <jrife(a)google.com> --- fs/dlm/lowcomms.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c index 72f34f96d0155..8426073e73cf2 100644 --- a/fs/dlm/lowcomms.c +++ b/fs/dlm/lowcomms.c @@ -1900,7 +1900,7 @@ static int dlm_tcp_listen_bind(struct socket *sock) /* Bind to our port */ make_sockaddr(dlm_local_addr[0], dlm_config.ci_tcp_port, &addr_len); - return kernel_bind(sock, (struct sockaddr *)&dlm_local_addr[0], + return kernel_bind(sock, (struct sockaddr *)dlm_local_addr[0], addr_len); } -- 2.43.0.687.g38aa6559b0-goog

1 year, 6 months

2
6
0 0

[PATCH] ASoC: SOF: IPC3: fix message bounds on ipc ops

by Peter Ujfalusi

From: Curtis Malainey <cujomalainey(a)chromium.org> commit 74ad8ed65121 ("ASoC: SOF: ipc3: Implement rx_msg IPC ops") introduced a new allocation before the upper bounds check in do_rx_work. As a result A DSP can cause bad allocations if spewing garbage. Fixes: 74ad8ed65121 ("ASoC: SOF: ipc3: Implement rx_msg IPC ops") Reported-by: Tim Van Patten <timvp(a)google.com> Cc: stable(a)vger.kernel.org Signed-off-by: Curtis Malainey <cujomalainey(a)chromium.org> Reviewed-by: Péter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Daniel Baluta <daniel.baluta(a)nxp.com> Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> --- sound/soc/sof/ipc3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c index fb40378ad084..c03dd513fbff 100644 --- a/sound/soc/sof/ipc3.c +++ b/sound/soc/sof/ipc3.c @@ -1067,7 +1067,7 @@ static void sof_ipc3_rx_msg(struct snd_sof_dev *sdev) return; } - if (hdr.size < sizeof(hdr)) { + if (hdr.size < sizeof(hdr) || hdr.size > SOF_IPC_MSG_MAX_SIZE) { dev_err(sdev->dev, "The received message size is invalid\n"); return; } -- 2.43.0

1 year, 6 months

2
1
0 0

FAILED: patch "[PATCH] io_uring/net: limit inline multishot retries" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 76b367a2d83163cf19173d5cb0b562acbabc8eac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021330-twice-pacify-2be5@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 76b367a2d831 ("io_uring/net: limit inline multishot retries") 91e5d765a82f ("io_uring/net: un-indent mshot retry path in io_recv_finish()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76b367a2d83163cf19173d5cb0b562acbabc8eac Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Mon, 29 Jan 2024 12:00:58 -0700 Subject: [PATCH] io_uring/net: limit inline multishot retries If we have multiple clients and some/all are flooding the receives to such an extent that we can retry a LOT handling multishot receives, then we can be starving some clients and hence serving traffic in an imbalanced fashion. Limit multishot retry attempts to some arbitrary value, whose only purpose serves to ensure that we don't keep serving a single connection for way too long. We default to 32 retries, which should be more than enough to provide fairness, yet not so small that we'll spend too much time requeuing rather than handling traffic. Cc: stable(a)vger.kernel.org Depends-on: 704ea888d646 ("io_uring/poll: add requeue return code from poll multishot handling") Depends-on: 1e5d765a82f ("io_uring/net: un-indent mshot retry path in io_recv_finish()") Depends-on: e84b01a880f6 ("io_uring/poll: move poll execution helpers higher up") Fixes: b3fdea6ecb55 ("io_uring: multishot recv") Fixes: 9bb66906f23e ("io_uring: support multishot in recvmsg") Link: https://github.com/axboe/liburing/issues/1043 Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/net.c b/io_uring/net.c index 740c6bfa5b59..a12ff69e6843 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -60,6 +60,7 @@ struct io_sr_msg { unsigned len; unsigned done_io; unsigned msg_flags; + unsigned nr_multishot_loops; u16 flags; /* initialised and used only by !msg send variants */ u16 addr_len; @@ -70,6 +71,13 @@ struct io_sr_msg { struct io_kiocb *notif; }; +/* + * Number of times we'll try and do receives if there's more data. If we + * exceed this limit, then add us to the back of the queue and retry from + * there. This helps fairness between flooding clients. + */ +#define MULTISHOT_MAX_RETRY 32 + static inline bool io_check_multishot(struct io_kiocb *req, unsigned int issue_flags) { @@ -611,6 +619,7 @@ int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) sr->msg_flags |= MSG_CMSG_COMPAT; #endif sr->done_io = 0; + sr->nr_multishot_loops = 0; return 0; } @@ -654,12 +663,20 @@ static inline bool io_recv_finish(struct io_kiocb *req, int *ret, */ if (io_fill_cqe_req_aux(req, issue_flags & IO_URING_F_COMPLETE_DEFER, *ret, cflags | IORING_CQE_F_MORE)) { + struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg); + int mshot_retry_ret = IOU_ISSUE_SKIP_COMPLETE; + io_recv_prep_retry(req); /* Known not-empty or unknown state, retry */ - if (cflags & IORING_CQE_F_SOCK_NONEMPTY || msg->msg_inq == -1) - return false; + if (cflags & IORING_CQE_F_SOCK_NONEMPTY || msg->msg_inq == -1) { + if (sr->nr_multishot_loops++ < MULTISHOT_MAX_RETRY) + return false; + /* mshot retries exceeded, force a requeue */ + sr->nr_multishot_loops = 0; + mshot_retry_ret = IOU_REQUEUE; + } if (issue_flags & IO_URING_F_MULTISHOT) - *ret = IOU_ISSUE_SKIP_COMPLETE; + *ret = mshot_retry_ret; else *ret = -EAGAIN; return true;

1 year, 6 months

3
5
0 0

FAILED: patch "[PATCH] hrtimer: Report offline hrtimer enqueue" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x dad6a09f3148257ac1773cd90934d721d68ab595 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021300-sagging-enhance-9113@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: dad6a09f3148 ("hrtimer: Report offline hrtimer enqueue") 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") f61eff83cec9 ("hrtimer: Prepare support for PREEMPT_RT") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dad6a09f3148257ac1773cd90934d721d68ab595 Mon Sep 17 00:00:00 2001 From: Frederic Weisbecker <frederic(a)kernel.org> Date: Mon, 29 Jan 2024 15:56:36 -0800 Subject: [PATCH] hrtimer: Report offline hrtimer enqueue The hrtimers migration on CPU-down hotplug process has been moved earlier, before the CPU actually goes to die. This leaves a small window of opportunity to queue an hrtimer in a blind spot, leaving it ignored. For example a practical case has been reported with RCU waking up a SCHED_FIFO task right before the CPUHP_AP_IDLE_DEAD stage, queuing that way a sched/rt timer to the local offline CPU. Make sure such situations never go unnoticed and warn when that happens. Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") Reported-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Frederic Weisbecker <frederic(a)kernel.org> Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240129235646.3171983-4-boqun.feng@gmail.com diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h index 87e3bedf8eb0..641c4567cfa7 100644 --- a/include/linux/hrtimer.h +++ b/include/linux/hrtimer.h @@ -157,6 +157,7 @@ enum hrtimer_base_type { * @max_hang_time: Maximum time spent in hrtimer_interrupt * @softirq_expiry_lock: Lock which is taken while softirq based hrtimer are * expired + * @online: CPU is online from an hrtimers point of view * @timer_waiters: A hrtimer_cancel() invocation waits for the timer * callback to finish. * @expires_next: absolute time of the next event, is required for remote @@ -179,7 +180,8 @@ struct hrtimer_cpu_base { unsigned int hres_active : 1, in_hrtirq : 1, hang_detected : 1, - softirq_activated : 1; + softirq_activated : 1, + online : 1; #ifdef CONFIG_HIGH_RES_TIMERS unsigned int nr_events; unsigned short nr_retries; diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c index 760793998cdd..edb0f821dcea 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c @@ -1085,6 +1085,7 @@ static int enqueue_hrtimer(struct hrtimer *timer, enum hrtimer_mode mode) { debug_activate(timer, mode); + WARN_ON_ONCE(!base->cpu_base->online); base->cpu_base->active_bases |= 1 << base->index; @@ -2183,6 +2184,7 @@ int hrtimers_prepare_cpu(unsigned int cpu) cpu_base->softirq_next_timer = NULL; cpu_base->expires_next = KTIME_MAX; cpu_base->softirq_expires_next = KTIME_MAX; + cpu_base->online = 1; hrtimer_cpu_base_init_expiry_lock(cpu_base); return 0; } @@ -2250,6 +2252,7 @@ int hrtimers_cpu_dying(unsigned int dying_cpu) smp_call_function_single(ncpu, retrigger_next_event, NULL, 0); raw_spin_unlock(&new_base->lock); + old_base->online = 0; raw_spin_unlock(&old_base->lock); return 0;

1 year, 6 months

3
2
0 0

[PATCH] Bluetooth: qca: fix device-address endianness

by Johan Hovold

The WCN6855 firmware on the Lenovo ThinkPad X13s expects the Bluetooth device address in MSB order when setting it using the EDL_WRITE_BD_ADDR_OPCODE command. Presumably, this is the case for all non-ROME devices which all use the EDL_WRITE_BD_ADDR_OPCODE command for this (unlike the ROME devices which use a different command and expect the address in LSB order). Reverse the little-endian address before setting it to make sure that the address can be configured using tools like btmgmt or using the 'local-bd-address' devicetree property. Note that this can potentially break systems with boot firmware which has started relying on the broken behaviour and is incorrectly passing the address via devicetree in MSB order. Fixes: 5c0a1001c8be ("Bluetooth: hci_qca: Add helper to set device address") Cc: stable(a)vger.kernel.org # 5.1 Cc: Balakrishna Godavarthi <quic_bgodavar(a)quicinc.com> Cc: Matthias Kaehlcke <mka(a)chromium.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- Hi Qualcomm people, Could you please verify with your documentation that all non-ROME devices expect the address provided in the EDL_WRITE_BD_ADDR_OPCODE command in MSB order? I assume this is not something that anyone would change between firmware revisions, but if that turns out to be the case, we'd need to reverse the address based on firmware revision or similar. Johan drivers/bluetooth/btqca.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c index fdb0fae88d1c..29035daf21bc 100644 --- a/drivers/bluetooth/btqca.c +++ b/drivers/bluetooth/btqca.c @@ -826,11 +826,15 @@ EXPORT_SYMBOL_GPL(qca_uart_setup); int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) { + bdaddr_t bdaddr_swapped; struct sk_buff *skb; int err; - skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6, bdaddr, - HCI_EV_VENDOR, HCI_INIT_TIMEOUT); + baswap(&bdaddr_swapped, bdaddr); + + skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6, + &bdaddr_swapped, HCI_EV_VENDOR, + HCI_INIT_TIMEOUT); if (IS_ERR(skb)) { err = PTR_ERR(skb); bt_dev_err(hdev, "QCA Change address cmd failed (%d)", err); -- 2.41.0

1 year, 6 months

6
15
0 0

FAILED: patch "[PATCH] clocksource: Skip watchdog check for large watchdog intervals" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 644649553508b9bacf0fc7a5bdc4f9e0165576a5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012905-carry-revolt-b8d5@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 644649553508 ("clocksource: Skip watchdog check for large watchdog intervals") c37e85c135ce ("clocksource: Loosen clocksource watchdog constraints") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 644649553508b9bacf0fc7a5bdc4f9e0165576a5 Mon Sep 17 00:00:00 2001 From: Jiri Wiesner <jwiesner(a)suse.de> Date: Mon, 22 Jan 2024 18:23:50 +0100 Subject: [PATCH] clocksource: Skip watchdog check for large watchdog intervals There have been reports of the watchdog marking clocksources unstable on machines with 8 NUMA nodes: clocksource: timekeeping watchdog on CPU373: Marking clocksource 'tsc' as unstable because the skew is too large: clocksource: 'hpet' wd_nsec: 14523447520 clocksource: 'tsc' cs_nsec: 14524115132 The measured clocksource skew - the absolute difference between cs_nsec and wd_nsec - was 668 microseconds: cs_nsec - wd_nsec = 14524115132 - 14523447520 = 667612 The kernel used 200 microseconds for the uncertainty_margin of both the clocksource and watchdog, resulting in a threshold of 400 microseconds (the md variable). Both the cs_nsec and the wd_nsec value indicate that the readout interval was circa 14.5 seconds. The observed behaviour is that watchdog checks failed for large readout intervals on 8 NUMA node machines. This indicates that the size of the skew was directly proportinal to the length of the readout interval on those machines. The measured clocksource skew, 668 microseconds, was evaluated against a threshold (the md variable) that is suited for readout intervals of roughly WATCHDOG_INTERVAL, i.e. HZ >> 1, which is 0.5 second. The intention of 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold") was to tighten the threshold for evaluating skew and set the lower bound for the uncertainty_margin of clocksources to twice WATCHDOG_MAX_SKEW. Later in c37e85c135ce ("clocksource: Loosen clocksource watchdog constraints"), the WATCHDOG_MAX_SKEW constant was increased to 125 microseconds to fit the limit of NTP, which is able to use a clocksource that suffers from up to 500 microseconds of skew per second. Both the TSC and the HPET use default uncertainty_margin. When the readout interval gets stretched the default uncertainty_margin is no longer a suitable lower bound for evaluating skew - it imposes a limit that is far stricter than the skew with which NTP can deal. The root causes of the skew being directly proportinal to the length of the readout interval are: * the inaccuracy of the shift/mult pairs of clocksources and the watchdog * the conversion to nanoseconds is imprecise for large readout intervals Prevent this by skipping the current watchdog check if the readout interval exceeds 2 * WATCHDOG_INTERVAL. Considering the maximum readout interval of 2 * WATCHDOG_INTERVAL, the current default uncertainty margin (of the TSC and HPET) corresponds to a limit on clocksource skew of 250 ppm (microseconds of skew per second). To keep the limit imposed by NTP (500 microseconds of skew per second) for all possible readout intervals, the margins would have to be scaled so that the threshold value is proportional to the length of the actual readout interval. As for why the readout interval may get stretched: Since the watchdog is executed in softirq context the expiration of the watchdog timer can get severely delayed on account of a ksoftirqd thread not getting to run in a timely manner. Surely, a system with such belated softirq execution is not working well and the scheduling issue should be looked into but the clocksource watchdog should be able to deal with it accordingly. Fixes: 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold") Suggested-by: Feng Tang <feng.tang(a)intel.com> Signed-off-by: Jiri Wiesner <jwiesner(a)suse.de> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Tested-by: Paul E. McKenney <paulmck(a)kernel.org> Reviewed-by: Feng Tang <feng.tang(a)intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240122172350.GA740@incl diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c index c108ed8a9804..3052b1f1168e 100644 --- a/kernel/time/clocksource.c +++ b/kernel/time/clocksource.c @@ -99,6 +99,7 @@ static u64 suspend_start; * Interval: 0.5sec. */ #define WATCHDOG_INTERVAL (HZ >> 1) +#define WATCHDOG_INTERVAL_MAX_NS ((2 * WATCHDOG_INTERVAL) * (NSEC_PER_SEC / HZ)) /* * Threshold: 0.0312s, when doubled: 0.0625s. @@ -134,6 +135,7 @@ static DECLARE_WORK(watchdog_work, clocksource_watchdog_work); static DEFINE_SPINLOCK(watchdog_lock); static int watchdog_running; static atomic_t watchdog_reset_pending; +static int64_t watchdog_max_interval; static inline void clocksource_watchdog_lock(unsigned long *flags) { @@ -399,8 +401,8 @@ static inline void clocksource_reset_watchdog(void) static void clocksource_watchdog(struct timer_list *unused) { u64 csnow, wdnow, cslast, wdlast, delta; + int64_t wd_nsec, cs_nsec, interval; int next_cpu, reset_pending; - int64_t wd_nsec, cs_nsec; struct clocksource *cs; enum wd_read_status read_ret; unsigned long extra_wait = 0; @@ -470,6 +472,27 @@ static void clocksource_watchdog(struct timer_list *unused) if (atomic_read(&watchdog_reset_pending)) continue; + /* + * The processing of timer softirqs can get delayed (usually + * on account of ksoftirqd not getting to run in a timely + * manner), which causes the watchdog interval to stretch. + * Skew detection may fail for longer watchdog intervals + * on account of fixed margins being used. + * Some clocksources, e.g. acpi_pm, cannot tolerate + * watchdog intervals longer than a few seconds. + */ + interval = max(cs_nsec, wd_nsec); + if (unlikely(interval > WATCHDOG_INTERVAL_MAX_NS)) { + if (system_state > SYSTEM_SCHEDULING && + interval > 2 * watchdog_max_interval) { + watchdog_max_interval = interval; + pr_warn("Long readout interval, skipping watchdog check: cs_nsec: %lld wd_nsec: %lld\n", + cs_nsec, wd_nsec); + } + watchdog_timer.expires = jiffies; + continue; + } + /* Check the deviation from the watchdog clocksource. */ md = cs->uncertainty_margin + watchdog->uncertainty_margin; if (abs(cs_nsec - wd_nsec) > md) {

1 year, 6 months

3
2
0 0

Backport request: commit fe92f874f091 ("net: Fix from address in memcpy_to_iter_csum()")

by Jeffrey E Altman

Please backport to stable 6.7 the following patch which was merged upstream as commit fe92f874f09145a6951deacaa4961390238bbe0d Author: Michael Lass <bevan(a)bi-co.net> Date: Wed Jan 31 16:52:20 2024 +0100 net: Fix from address in memcpy_to_iter_csum() While inlining csum_and_memcpy() into memcpy_to_iter_csum(), the from address passed to csum_partial_copy_nocheck() was accidentally changed. This causes a regression in applications using UDP, as for example OpenAFS, causing loss of datagrams. Fixes: dc32bff195b4 ("iov_iter, net: Fold in csum_and_memcpy()") Cc: David Howells <dhowells(a)redhat.com> Cc: stable(a)vger.kernel.org Cc: regressions(a)lists.linux.dev Signed-off-by: Michael Lass <bevan(a)bi-co.net> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> Acked-by: David Howells <dhowells(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Thank you. -------- Forwarded Message -------- Subject: [PATCH] net: Fix from address in memcpy_to_iter_csum() Date: Wed, 31 Jan 2024 16:52:20 +0100 From: Michael Lass <bevan(a)bi-co.net> To: netdev(a)vger.kernel.org CC: David Howells <dhowells(a)redhat.com>, regressions(a)lists.linux.dev While inlining csum_and_memcpy() into memcpy_to_iter_csum(), the from address passed to csum_partial_copy_nocheck() was accidentally changed. This causes a regression in applications using UDP, as for example OpenAFS, causing loss of datagrams. Fixes: dc32bff195b4 ("iov_iter, net: Fold in csum_and_memcpy()") Cc: David Howells <dhowells(a)redhat.com> Cc: stable(a)vger.kernel.org Cc: regressions(a)lists.linux.dev Signed-off-by: Michael Lass <bevan(a)bi-co.net> --- net/core/datagram.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/datagram.c b/net/core/datagram.c index 103d46fa0eeb..a8b625abe242 100644 --- a/net/core/datagram.c +++ b/net/core/datagram.c @@ -751,7 +751,7 @@ size_t memcpy_to_iter_csum(void *iter_to, size_t progress, size_t len, void *from, void *priv2) { __wsum *csum = priv2; - __wsum next = csum_partial_copy_nocheck(from, iter_to, len); + __wsum next = csum_partial_copy_nocheck(from + progress, iter_to, len); *csum = csum_block_add(*csum, next, progress); return 0; -- 2.43.0

1 year, 6 months

2
1
0 0

6.1-stable backport

by Jens Axboe

Hi, Can you cherry pick commit 33391eecd631 to 6.1-stable? Looks like we never got that one marked appropriately. For full reference: commit 33391eecd63158536fb5257fee5be3a3bdc30e3c Author: Jens Axboe <axboe(a)kernel.dk> Date: Fri Jan 20 07:51:07 2023 -0700 block: treat poll queue enter similarly to timeouts Thanks, -- Jens Axboe

1 year, 6 months

2
1
0 0

[regression] linux-6.6.y, minmax: virtual memory exhausted in i586 chroot during kernel compilation

by Linux regression tracking (Thorsten Leemhuis)

Hi Greg, Sasha, and David, I noticed a regression report in bugzilla.kernel.org that seems to be specific to the linux-6.6.y series: Quoting from https://bugzilla.kernel.org/show_bug.cgi?id=218484 : > After upgrading to version 6.6.16, the kernel compilation on a i586 > arch (on a 32bit chroot in a 64bit host) fails with a message: > > virtual memory exhausted: Cannot allocate memory > > this happens even lowering the number of parallel compilation > threads. On a x86_64 arch the same problem doesn't occur. It's not > clear whether some weird recursion is triggered that exhausts the > memory, but it seems that the problem is caused by the patchset > 'minmax' added to the 6.6.16 version, in particular it seems caused > by these patches: > > - minmax-allow-min-max-clamp-if-the-arguments-have-the-same-signedness.patch > - minmax-fix-indentation-of-__cmp_once-and-__clamp_once.patch > - minmax-allow-comparisons-of-int-against-unsigned-char-short.patch > - minmax-relax-check-to-allow-comparison-between-unsigned-arguments-and-signed-constants.patch > > Reverting those patches fixes the memory exhaustion problem during compilation. The reporter later added: > From a quick test the same problem doesn't occur in 6.8-rc4. See the ticket for more details. Note, you have to use bugzilla to reach the reporter, as I sadly[1] can not CCed them in mails like this. [TLDR for the rest of this mail: I'm adding this report to the list of tracked Linux kernel regressions; the text you find below is based on a few templates paragraphs you might have encountered already in similar form.] BTW, let me use this mail to also add the report to the list of tracked regressions to ensure it's doesn't fall through the cracks: #regzbot introduced: 204c653d5d0c79940..9487d93f172acef https://bugzilla.kernel.org/show_bug.cgi?id=218484 #regzbot title: minmax: virtual memory exhausted in 6.6.16 with i586 chroot #regzbot ignore-activity Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat) -- Everything you wanna know about Linux kernel regression tracking: https://linux-regtracking.leemhuis.info/about/#tldr If I did something stupid, please tell me, as explained on that page. [1] because bugzilla.kernel.org tells users upon registration their "email address will never be displayed to logged out users"

1 year, 6 months

3
5
0 0

FAILED: patch "[PATCH] io_uring/net: limit inline multishot retries" failed to apply to 6.7-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.7-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.7.y git checkout FETCH_HEAD git cherry-pick -x 76b367a2d83163cf19173d5cb0b562acbabc8eac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021328-washboard-crevice-aaa0@gregkh' --subject-prefix 'PATCH 6.7.y' HEAD^.. Possible dependencies: 76b367a2d831 ("io_uring/net: limit inline multishot retries") 91e5d765a82f ("io_uring/net: un-indent mshot retry path in io_recv_finish()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76b367a2d83163cf19173d5cb0b562acbabc8eac Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Mon, 29 Jan 2024 12:00:58 -0700 Subject: [PATCH] io_uring/net: limit inline multishot retries If we have multiple clients and some/all are flooding the receives to such an extent that we can retry a LOT handling multishot receives, then we can be starving some clients and hence serving traffic in an imbalanced fashion. Limit multishot retry attempts to some arbitrary value, whose only purpose serves to ensure that we don't keep serving a single connection for way too long. We default to 32 retries, which should be more than enough to provide fairness, yet not so small that we'll spend too much time requeuing rather than handling traffic. Cc: stable(a)vger.kernel.org Depends-on: 704ea888d646 ("io_uring/poll: add requeue return code from poll multishot handling") Depends-on: 1e5d765a82f ("io_uring/net: un-indent mshot retry path in io_recv_finish()") Depends-on: e84b01a880f6 ("io_uring/poll: move poll execution helpers higher up") Fixes: b3fdea6ecb55 ("io_uring: multishot recv") Fixes: 9bb66906f23e ("io_uring: support multishot in recvmsg") Link: https://github.com/axboe/liburing/issues/1043 Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/net.c b/io_uring/net.c index 740c6bfa5b59..a12ff69e6843 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -60,6 +60,7 @@ struct io_sr_msg { unsigned len; unsigned done_io; unsigned msg_flags; + unsigned nr_multishot_loops; u16 flags; /* initialised and used only by !msg send variants */ u16 addr_len; @@ -70,6 +71,13 @@ struct io_sr_msg { struct io_kiocb *notif; }; +/* + * Number of times we'll try and do receives if there's more data. If we + * exceed this limit, then add us to the back of the queue and retry from + * there. This helps fairness between flooding clients. + */ +#define MULTISHOT_MAX_RETRY 32 + static inline bool io_check_multishot(struct io_kiocb *req, unsigned int issue_flags) { @@ -611,6 +619,7 @@ int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) sr->msg_flags |= MSG_CMSG_COMPAT; #endif sr->done_io = 0; + sr->nr_multishot_loops = 0; return 0; } @@ -654,12 +663,20 @@ static inline bool io_recv_finish(struct io_kiocb *req, int *ret, */ if (io_fill_cqe_req_aux(req, issue_flags & IO_URING_F_COMPLETE_DEFER, *ret, cflags | IORING_CQE_F_MORE)) { + struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg); + int mshot_retry_ret = IOU_ISSUE_SKIP_COMPLETE; + io_recv_prep_retry(req); /* Known not-empty or unknown state, retry */ - if (cflags & IORING_CQE_F_SOCK_NONEMPTY || msg->msg_inq == -1) - return false; + if (cflags & IORING_CQE_F_SOCK_NONEMPTY || msg->msg_inq == -1) { + if (sr->nr_multishot_loops++ < MULTISHOT_MAX_RETRY) + return false; + /* mshot retries exceeded, force a requeue */ + sr->nr_multishot_loops = 0; + mshot_retry_ret = IOU_REQUEUE; + } if (issue_flags & IO_URING_F_MULTISHOT) - *ret = IOU_ISSUE_SKIP_COMPLETE; + *ret = mshot_retry_ret; else *ret = -EAGAIN; return true;

1 year, 6 months

3
3
0 0

FAILED: patch "[PATCH] io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 72bd80252feeb3bef8724230ee15d9f7ab541c6e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021339-flick-facsimile-65c3@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 72bd80252fee ("io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers") f9ead18c1058 ("io_uring: split network related opcodes into its own file") e0da14def1ee ("io_uring: move statx handling to its own file") a9c210cebe13 ("io_uring: move epoll handler to its own file") 4cf90495281b ("io_uring: add a dummy -EOPNOTSUPP prep handler") 99f15d8d6136 ("io_uring: move uring_cmd handling to its own file") cd40cae29ef8 ("io_uring: split out open/close operations") 453b329be5ea ("io_uring: separate out file table handling code") f4c163dd7d4b ("io_uring: split out fadvise/madvise operations") 0d5847274037 ("io_uring: split out fs related sync/fallocate functions") 531113bbd5bf ("io_uring: split out splice related operations") 11aeb71406dd ("io_uring: split out filesystem related operations") e28683bdfc2f ("io_uring: move nop into its own file") 5e2a18d93fec ("io_uring: move xattr related opcodes to its own file") 97b388d70b53 ("io_uring: handle completions in the core") de23077eda61 ("io_uring: set completion results upfront") e27f928ee1cb ("io_uring: add io_uring_types.h") 4d4c9cff4f70 ("io_uring: define a request type cleanup handler") 890968dc0336 ("io_uring: unify struct io_symlink and io_hardlink") 9a3a11f977f9 ("io_uring: convert iouring_cmd to io_cmd_type") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 72bd80252feeb3bef8724230ee15d9f7ab541c6e Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 1 Feb 2024 06:42:36 -0700 Subject: [PATCH] io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers If we use IORING_OP_RECV with provided buffers and pass in '0' as the length of the request, the length is retrieved from the selected buffer. If MSG_WAITALL is also set and we get a short receive, then we may hit the retry path which decrements sr->len and increments the buffer for a retry. However, the length is still zero at this point, which means that sr->len now becomes huge and import_ubuf() will cap it to MAX_RW_COUNT and subsequently return -EFAULT for the range as a whole. Fix this by always assigning sr->len once the buffer has been selected. Cc: stable(a)vger.kernel.org Fixes: 7ba89d2af17a ("io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly") Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/net.c b/io_uring/net.c index a12ff69e6843..43bc9a5f96f9 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -923,6 +923,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags) if (!buf) return -ENOBUFS; sr->buf = buf; + sr->len = len; } ret = import_ubuf(ITER_DEST, sr->buf, len, &msg.msg_iter);

1 year, 6 months

3
2
0 0

[PATCH 6.1] f2fs: add helper to check compression level

by Chao Yu

From: Sheng Yong <shengyong(a)oppo.com> commit c571fbb5b59a3741e48014faa92c2f14bc59fe50 upstream. This patch adds a helper function to check if compression level is valid. Meanwhile, this patch fixes a reported issue [1]: The issue is easily reproducible by: 1. dd if=/dev/zero of=test.img count=100 bs=1M 2. mkfs.f2fs -f -O compression,extra_attr ./test.img 3. mount -t f2fs -o compress_algorithm=zstd:6,compress_chksum,atgc,gc_merge,lazytime ./test.img /mnt resulting in [ 60.789982] F2FS-fs (loop0): invalid zstd compress level: 6 A bugzilla report has been submitted in https://bugzilla.kernel.org/show_bug.cgi?id=218471 [1] https://lore.kernel.org/lkml/ZcWDOjKEnPDxZ0Or@google.com/T/ The root cause is commit 00e120b5e4b5 ("f2fs: assign default compression level") tries to check low boundary of compress level w/ zstd_min_clevel(), however, since commit e0c1b49f5b67 ("lib: zstd: Upgrade to latest upstream zstd version 1.4.10"), zstd supports negative compress level, it cast type for negative value returned from zstd_min_clevel() to unsigned int in below check condition, result in repored issue. if (level < zstd_min_clevel() || ... This patch fixes this issue by casting type for level to int before comparison. Fixes: 00e120b5e4b5 ("f2fs: assign default compression level") Signed-off-by: Sheng Yong <shengyong(a)oppo.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Chao Yu <chao(a)kernel.org> --- fs/f2fs/compress.c | 27 +++++++++++++++++++++++++++ fs/f2fs/f2fs.h | 2 ++ fs/f2fs/super.c | 4 ++-- 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c index 4cb58e8d699e..4e83cfa1b073 100644 --- a/fs/f2fs/compress.c +++ b/fs/f2fs/compress.c @@ -55,6 +55,7 @@ struct f2fs_compress_ops { int (*init_decompress_ctx)(struct decompress_io_ctx *dic); void (*destroy_decompress_ctx)(struct decompress_io_ctx *dic); int (*decompress_pages)(struct decompress_io_ctx *dic); + bool (*is_level_valid)(int level); }; static unsigned int offset_in_cluster(struct compress_ctx *cc, pgoff_t index) @@ -322,11 +323,21 @@ static int lz4_decompress_pages(struct decompress_io_ctx *dic) return 0; } +static bool lz4_is_level_valid(int lvl) +{ +#ifdef CONFIG_F2FS_FS_LZ4HC + return !lvl || (lvl >= LZ4HC_MIN_CLEVEL && lvl <= LZ4HC_MAX_CLEVEL); +#else + return lvl == 0; +#endif +} + static const struct f2fs_compress_ops f2fs_lz4_ops = { .init_compress_ctx = lz4_init_compress_ctx, .destroy_compress_ctx = lz4_destroy_compress_ctx, .compress_pages = lz4_compress_pages, .decompress_pages = lz4_decompress_pages, + .is_level_valid = lz4_is_level_valid, }; #endif @@ -490,6 +501,11 @@ static int zstd_decompress_pages(struct decompress_io_ctx *dic) return 0; } +static bool zstd_is_level_valid(int lvl) +{ + return lvl >= zstd_min_clevel() && lvl <= zstd_max_clevel(); +} + static const struct f2fs_compress_ops f2fs_zstd_ops = { .init_compress_ctx = zstd_init_compress_ctx, .destroy_compress_ctx = zstd_destroy_compress_ctx, @@ -497,6 +513,7 @@ static const struct f2fs_compress_ops f2fs_zstd_ops = { .init_decompress_ctx = zstd_init_decompress_ctx, .destroy_decompress_ctx = zstd_destroy_decompress_ctx, .decompress_pages = zstd_decompress_pages, + .is_level_valid = zstd_is_level_valid, }; #endif @@ -555,6 +572,16 @@ bool f2fs_is_compress_backend_ready(struct inode *inode) return f2fs_cops[F2FS_I(inode)->i_compress_algorithm]; } +bool f2fs_is_compress_level_valid(int alg, int lvl) +{ + const struct f2fs_compress_ops *cops = f2fs_cops[alg]; + + if (cops->is_level_valid) + return cops->is_level_valid(lvl); + + return lvl == 0; +} + static mempool_t *compress_page_pool; static int num_compress_pages = 512; module_param(num_compress_pages, uint, 0444); diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 5c76ba764b71..e5a9498b89c0 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -4219,6 +4219,7 @@ bool f2fs_compress_write_end(struct inode *inode, void *fsdata, int f2fs_truncate_partial_cluster(struct inode *inode, u64 from, bool lock); void f2fs_compress_write_end_io(struct bio *bio, struct page *page); bool f2fs_is_compress_backend_ready(struct inode *inode); +bool f2fs_is_compress_level_valid(int alg, int lvl); int f2fs_init_compress_mempool(void); void f2fs_destroy_compress_mempool(void); void f2fs_decompress_cluster(struct decompress_io_ctx *dic, bool in_task); @@ -4283,6 +4284,7 @@ static inline bool f2fs_is_compress_backend_ready(struct inode *inode) /* not support compression */ return false; } +static inline bool f2fs_is_compress_level_valid(int alg, int lvl) { return false; } static inline struct page *f2fs_compress_control_page(struct page *page) { WARN_ON_ONCE(1); diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index 3805162dcef2..0c0d0671febe 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -628,7 +628,7 @@ static int f2fs_set_lz4hc_level(struct f2fs_sb_info *sbi, const char *str) if (kstrtouint(str + 1, 10, &level)) return -EINVAL; - if (level < LZ4HC_MIN_CLEVEL || level > LZ4HC_MAX_CLEVEL) { + if (!f2fs_is_compress_level_valid(COMPRESS_LZ4, level)) { f2fs_info(sbi, "invalid lz4hc compress level: %d", level); return -EINVAL; } @@ -666,7 +666,7 @@ static int f2fs_set_zstd_level(struct f2fs_sb_info *sbi, const char *str) if (kstrtouint(str + 1, 10, &level)) return -EINVAL; - if (level < zstd_min_clevel() || level > zstd_max_clevel()) { + if (!f2fs_is_compress_level_valid(COMPRESS_ZSTD, level)) { f2fs_info(sbi, "invalid zstd compress level: %d", level); return -EINVAL; } -- 2.40.1

1 year, 6 months

2
1
0 0

[PATCH 6.1.y 0/7] ASoC: codecs: es8326: fix support

by kovalev＠altlinux.org

These patches were backported from v6.6 upstream and are intended for 6.1.y stable kernel. Patches have been successfully tested on the latest 6.1.75 kernel. [PATCH 6.1.y 1/7] ASoC: codecs: es8326: Convert to i2c's .probe_new() [PATCH 6.1.y 2/7] ASoC: codecs: ES8326: Add es8326_mute function [PATCH 6.1.y 3/7] ASoC: codecs: ES8326: Change Hp_detect register names [PATCH 6.1.y 4/7] ASoC: codecs: ES8326: Change Volatile Reg function [PATCH 6.1.y 5/7] ASoC: codecs: ES8326: Fix power-up sequence [PATCH 6.1.y 6/7] ASOC: codecs: ES8326: Add calibration support for [PATCH 6.1.y 7/7] ASoC: codecs: ES8326: Update jact detection function

1 year, 6 months

3
10
0 0

[PATCH v6.1.y-v4.19.y] vhost: use kzalloc() instead of kmalloc() followed by memset()

by Ajay Kaher

From: Prathu Baronia <prathubaronia2011(a)gmail.com> From: Prathu Baronia <prathubaronia2011(a)gmail.com> commit 4d8df0f5f79f747d75a7d356d9b9ea40a4e4c8a9 upstream Use kzalloc() to allocate new zeroed out msg node instead of memsetting a node allocated with kmalloc(). Signed-off-by: Prathu Baronia <prathubaronia2011(a)gmail.com> Message-Id: <20230522085019.42914-1-prathubaronia2011(a)gmail.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> [Ajay: This is a security fix as per CVE-2024-0340] Signed-off-by: Ajay Kaher <ajay.kaher(a)broadcom.com> --- drivers/vhost/vhost.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 07427302084955..ecb3b397bb3888 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2563,12 +2563,11 @@ EXPORT_SYMBOL_GPL(vhost_disable_notify); /* Create a new message. */ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) { - struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); + /* Make sure all padding within the structure is initialized. */ + struct vhost_msg_node *node = kzalloc(sizeof(*node), GFP_KERNEL); if (!node) return NULL; - /* Make sure all padding within the structure is initialized. */ - memset(&node->msg, 0, sizeof node->msg); node->vq = vq; node->msg.type = type; return node;

1 year, 6 months

2
1
0 0

FAILED: patch "[PATCH] io_uring/net: limit inline multishot retries" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 76b367a2d83163cf19173d5cb0b562acbabc8eac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021331-stool-hash-b0c4@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 76b367a2d831 ("io_uring/net: limit inline multishot retries") 91e5d765a82f ("io_uring/net: un-indent mshot retry path in io_recv_finish()") b6b2bb58a754 ("io_uring: never overflow io_aux_cqe") b2e74db55dd9 ("io_uring/net: don't overflow multishot recv") 1bfed2334971 ("io_uring/net: don't overflow multishot accept") b65db9211ecb ("io_uring/net: use proper value for msg_inq") 0aa69d53ac7c ("Merge tag 'for-6.5/io_uring-2023-06-23' of git://git.kernel.dk/linux") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76b367a2d83163cf19173d5cb0b562acbabc8eac Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Mon, 29 Jan 2024 12:00:58 -0700 Subject: [PATCH] io_uring/net: limit inline multishot retries If we have multiple clients and some/all are flooding the receives to such an extent that we can retry a LOT handling multishot receives, then we can be starving some clients and hence serving traffic in an imbalanced fashion. Limit multishot retry attempts to some arbitrary value, whose only purpose serves to ensure that we don't keep serving a single connection for way too long. We default to 32 retries, which should be more than enough to provide fairness, yet not so small that we'll spend too much time requeuing rather than handling traffic. Cc: stable(a)vger.kernel.org Depends-on: 704ea888d646 ("io_uring/poll: add requeue return code from poll multishot handling") Depends-on: 1e5d765a82f ("io_uring/net: un-indent mshot retry path in io_recv_finish()") Depends-on: e84b01a880f6 ("io_uring/poll: move poll execution helpers higher up") Fixes: b3fdea6ecb55 ("io_uring: multishot recv") Fixes: 9bb66906f23e ("io_uring: support multishot in recvmsg") Link: https://github.com/axboe/liburing/issues/1043 Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/net.c b/io_uring/net.c index 740c6bfa5b59..a12ff69e6843 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -60,6 +60,7 @@ struct io_sr_msg { unsigned len; unsigned done_io; unsigned msg_flags; + unsigned nr_multishot_loops; u16 flags; /* initialised and used only by !msg send variants */ u16 addr_len; @@ -70,6 +71,13 @@ struct io_sr_msg { struct io_kiocb *notif; }; +/* + * Number of times we'll try and do receives if there's more data. If we + * exceed this limit, then add us to the back of the queue and retry from + * there. This helps fairness between flooding clients. + */ +#define MULTISHOT_MAX_RETRY 32 + static inline bool io_check_multishot(struct io_kiocb *req, unsigned int issue_flags) { @@ -611,6 +619,7 @@ int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) sr->msg_flags |= MSG_CMSG_COMPAT; #endif sr->done_io = 0; + sr->nr_multishot_loops = 0; return 0; } @@ -654,12 +663,20 @@ static inline bool io_recv_finish(struct io_kiocb *req, int *ret, */ if (io_fill_cqe_req_aux(req, issue_flags & IO_URING_F_COMPLETE_DEFER, *ret, cflags | IORING_CQE_F_MORE)) { + struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg); + int mshot_retry_ret = IOU_ISSUE_SKIP_COMPLETE; + io_recv_prep_retry(req); /* Known not-empty or unknown state, retry */ - if (cflags & IORING_CQE_F_SOCK_NONEMPTY || msg->msg_inq == -1) - return false; + if (cflags & IORING_CQE_F_SOCK_NONEMPTY || msg->msg_inq == -1) { + if (sr->nr_multishot_loops++ < MULTISHOT_MAX_RETRY) + return false; + /* mshot retries exceeded, force a requeue */ + sr->nr_multishot_loops = 0; + mshot_retry_ret = IOU_REQUEUE; + } if (issue_flags & IO_URING_F_MULTISHOT) - *ret = IOU_ISSUE_SKIP_COMPLETE; + *ret = mshot_retry_ret; else *ret = -EAGAIN; return true;

1 year, 6 months

2
1
0 0

FAILED: patch "[PATCH] xhci: handle isoc Babble and Buffer Overrun events properly" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 7c4650ded49e5b88929ecbbb631efb8b0838e811 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021308-hardness-undercook-6840@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 7c4650ded49e ("xhci: handle isoc Babble and Buffer Overrun events properly") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7c4650ded49e5b88929ecbbb631efb8b0838e811 Mon Sep 17 00:00:00 2001 From: Michal Pecio <michal.pecio(a)gmail.com> Date: Thu, 25 Jan 2024 17:27:37 +0200 Subject: [PATCH] xhci: handle isoc Babble and Buffer Overrun events properly xHCI 4.9 explicitly forbids assuming that the xHC has released its ownership of a multi-TRB TD when it reports an error on one of the early TRBs. Yet the driver makes such assumption and releases the TD, allowing the remaining TRBs to be freed or overwritten by new TDs. The xHC should also report completion of the final TRB due to its IOC flag being set by us, regardless of prior errors. This event cannot be recognized if the TD has already been freed earlier, resulting in "Transfer event TRB DMA ptr not part of current TD" error message. Fix this by reusing the logic for processing isoc Transaction Errors. This also handles hosts which fail to report the final completion. Fix transfer length reporting on Babble errors. They may be caused by device malfunction, no guarantee that the buffer has been filled. Signed-off-by: Michal Pecio <michal.pecio(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20240125152737.2983959-5-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 41be7d31a36e..f0d8a607ff21 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -2394,9 +2394,13 @@ static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, case COMP_BANDWIDTH_OVERRUN_ERROR: frame->status = -ECOMM; break; - case COMP_ISOCH_BUFFER_OVERRUN: case COMP_BABBLE_DETECTED_ERROR: + sum_trbs_for_length = true; + fallthrough; + case COMP_ISOCH_BUFFER_OVERRUN: frame->status = -EOVERFLOW; + if (ep_trb != td->last_trb) + td->error_mid_td = true; break; case COMP_INCOMPATIBLE_DEVICE_ERROR: case COMP_STALL_ERROR:

1 year, 6 months

3
3
0 0

[PATCH 1/2] drm/buddy: Fix alloc_range() error handling code

by Arunpravin Paneer Selvam

Few users have observed display corruption when they boot the machine to KDE Plasma or playing games. We have root caused the problem that whenever alloc_range() couldn't find the required memory blocks the function was returning SUCCESS in some of the corner cases. The right approach would be if the total allocated size is less than the required size, the function should return -ENOSPC. Cc: <stable(a)vger.kernel.org> # 6.7+ Fixes: 0a1844bf0b53 ("drm/buddy: Improve contiguous memory allocation") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3097 Tested-by: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://patchwork.kernel.org/project/dri-devel/patch/20240207174456.341121-… Acked-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index f57e6d74fb0e..c1a99bf4dffd 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -539,6 +539,12 @@ static int __alloc_range(struct drm_buddy *mm, } while (1); list_splice_tail(&allocated, blocks); + + if (total_allocated < size) { + err = -ENOSPC; + goto err_free; + } + return 0; err_undo: base-commit: 2c80a2b715df75881359d07dbaacff8ad411f40e -- 2.25.1

1 year, 6 months

1
0
0 0

FAILED: patch "[PATCH] PCI/ASPM: Fix deadlock when enabling ASPM" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1e560864159d002b453da42bd2c13a1805515a20 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021339-undesired-juicy-366a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 1e560864159d ("PCI/ASPM: Fix deadlock when enabling ASPM") ac865f00af29 ("Merge tag 'pci-v6.7-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e560864159d002b453da42bd2c13a1805515a20 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Tue, 30 Jan 2024 11:02:43 +0100 Subject: [PATCH] PCI/ASPM: Fix deadlock when enabling ASPM A last minute revert in 6.7-final introduced a potential deadlock when enabling ASPM during probe of Qualcomm PCIe controllers as reported by lockdep: ============================================ WARNING: possible recursive locking detected 6.7.0 #40 Not tainted -------------------------------------------- kworker/u16:5/90 is trying to acquire lock: ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc but task is already holding lock: ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(pci_bus_sem); lock(pci_bus_sem); *** DEADLOCK *** Call trace: print_deadlock_bug+0x25c/0x348 __lock_acquire+0x10a4/0x2064 lock_acquire+0x1e8/0x318 down_read+0x60/0x184 pcie_aspm_pm_state_change+0x58/0xdc pci_set_full_power_state+0xa8/0x114 pci_set_power_state+0xc4/0x120 qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom] pci_walk_bus+0x64/0xbc qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom] The deadlock can easily be reproduced on machines like the Lenovo ThinkPad X13s by adding a delay to increase the race window during asynchronous probe where another thread can take a write lock. Add a new pci_set_power_state_locked() and associated helper functions that can be called with the PCI bus semaphore held to avoid taking the read lock twice. Link: https://lore.kernel.org/r/ZZu0qx2cmn7IwTyQ@hovoldconsulting.com Link: https://lore.kernel.org/r/20240130100243.11011-1-johan+linaro@kernel.org Fixes: f93e71aea6c6 ("Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()"") Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Cc: <stable(a)vger.kernel.org> # 6.7 diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c index 9c2137dae429..826b5016a101 100644 --- a/drivers/pci/bus.c +++ b/drivers/pci/bus.c @@ -386,21 +386,8 @@ void pci_bus_add_devices(const struct pci_bus *bus) } EXPORT_SYMBOL(pci_bus_add_devices); -/** pci_walk_bus - walk devices on/under bus, calling callback. - * @top bus whose devices should be walked - * @cb callback to be called for each device found - * @userdata arbitrary pointer to be passed to callback. - * - * Walk the given bus, including any bridged devices - * on buses under this bus. Call the provided callback - * on each device found. - * - * We check the return of @cb each time. If it returns anything - * other than 0, we break out. - * - */ -void pci_walk_bus(struct pci_bus *top, int (*cb)(struct pci_dev *, void *), - void *userdata) +static void __pci_walk_bus(struct pci_bus *top, int (*cb)(struct pci_dev *, void *), + void *userdata, bool locked) { struct pci_dev *dev; struct pci_bus *bus; @@ -408,7 +395,8 @@ void pci_walk_bus(struct pci_bus *top, int (*cb)(struct pci_dev *, void *), int retval; bus = top; - down_read(&pci_bus_sem); + if (!locked) + down_read(&pci_bus_sem); next = top->devices.next; for (;;) { if (next == &bus->devices) { @@ -431,10 +419,37 @@ void pci_walk_bus(struct pci_bus *top, int (*cb)(struct pci_dev *, void *), if (retval) break; } - up_read(&pci_bus_sem); + if (!locked) + up_read(&pci_bus_sem); +} + +/** + * pci_walk_bus - walk devices on/under bus, calling callback. + * @top: bus whose devices should be walked + * @cb: callback to be called for each device found + * @userdata: arbitrary pointer to be passed to callback + * + * Walk the given bus, including any bridged devices + * on buses under this bus. Call the provided callback + * on each device found. + * + * We check the return of @cb each time. If it returns anything + * other than 0, we break out. + */ +void pci_walk_bus(struct pci_bus *top, int (*cb)(struct pci_dev *, void *), void *userdata) +{ + __pci_walk_bus(top, cb, userdata, false); } EXPORT_SYMBOL_GPL(pci_walk_bus); +void pci_walk_bus_locked(struct pci_bus *top, int (*cb)(struct pci_dev *, void *), void *userdata) +{ + lockdep_assert_held(&pci_bus_sem); + + __pci_walk_bus(top, cb, userdata, true); +} +EXPORT_SYMBOL_GPL(pci_walk_bus_locked); + struct pci_bus *pci_bus_get(struct pci_bus *bus) { if (bus) diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c index 10f2d0bb86be..2ce2a3bd932b 100644 --- a/drivers/pci/controller/dwc/pcie-qcom.c +++ b/drivers/pci/controller/dwc/pcie-qcom.c @@ -972,7 +972,7 @@ static int qcom_pcie_enable_aspm(struct pci_dev *pdev, void *userdata) * Downstream devices need to be in D0 state before enabling PCI PM * substates. */ - pci_set_power_state(pdev, PCI_D0); + pci_set_power_state_locked(pdev, PCI_D0); pci_enable_link_state_locked(pdev, PCIE_LINK_STATE_ALL); return 0; diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index d8f11a078924..9ab9b1008d8b 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c @@ -1354,6 +1354,7 @@ int pci_power_up(struct pci_dev *dev) /** * pci_set_full_power_state - Put a PCI device into D0 and update its state * @dev: PCI device to power up + * @locked: whether pci_bus_sem is held * * Call pci_power_up() to put @dev into D0, read from its PCI_PM_CTRL register * to confirm the state change, restore its BARs if they might be lost and @@ -1363,7 +1364,7 @@ int pci_power_up(struct pci_dev *dev) * to D0, it is more efficient to use pci_power_up() directly instead of this * function. */ -static int pci_set_full_power_state(struct pci_dev *dev) +static int pci_set_full_power_state(struct pci_dev *dev, bool locked) { u16 pmcsr; int ret; @@ -1399,7 +1400,7 @@ static int pci_set_full_power_state(struct pci_dev *dev) } if (dev->bus->self) - pcie_aspm_pm_state_change(dev->bus->self); + pcie_aspm_pm_state_change(dev->bus->self, locked); return 0; } @@ -1428,10 +1429,22 @@ void pci_bus_set_current_state(struct pci_bus *bus, pci_power_t state) pci_walk_bus(bus, __pci_dev_set_current_state, &state); } +static void __pci_bus_set_current_state(struct pci_bus *bus, pci_power_t state, bool locked) +{ + if (!bus) + return; + + if (locked) + pci_walk_bus_locked(bus, __pci_dev_set_current_state, &state); + else + pci_walk_bus(bus, __pci_dev_set_current_state, &state); +} + /** * pci_set_low_power_state - Put a PCI device into a low-power state. * @dev: PCI device to handle. * @state: PCI power state (D1, D2, D3hot) to put the device into. + * @locked: whether pci_bus_sem is held * * Use the device's PCI_PM_CTRL register to put it into a low-power state. * @@ -1442,7 +1455,7 @@ void pci_bus_set_current_state(struct pci_bus *bus, pci_power_t state) * 0 if device already is in the requested state. * 0 if device's power state has been successfully changed. */ -static int pci_set_low_power_state(struct pci_dev *dev, pci_power_t state) +static int pci_set_low_power_state(struct pci_dev *dev, pci_power_t state, bool locked) { u16 pmcsr; @@ -1496,29 +1509,12 @@ static int pci_set_low_power_state(struct pci_dev *dev, pci_power_t state) pci_power_name(state)); if (dev->bus->self) - pcie_aspm_pm_state_change(dev->bus->self); + pcie_aspm_pm_state_change(dev->bus->self, locked); return 0; } -/** - * pci_set_power_state - Set the power state of a PCI device - * @dev: PCI device to handle. - * @state: PCI power state (D0, D1, D2, D3hot) to put the device into. - * - * Transition a device to a new power state, using the platform firmware and/or - * the device's PCI PM registers. - * - * RETURN VALUE: - * -EINVAL if the requested state is invalid. - * -EIO if device does not support PCI PM or its PM capabilities register has a - * wrong version, or device doesn't support the requested state. - * 0 if the transition is to D1 or D2 but D1 and D2 are not supported. - * 0 if device already is in the requested state. - * 0 if the transition is to D3 but D3 is not supported. - * 0 if device's power state has been successfully changed. - */ -int pci_set_power_state(struct pci_dev *dev, pci_power_t state) +static int __pci_set_power_state(struct pci_dev *dev, pci_power_t state, bool locked) { int error; @@ -1542,7 +1538,7 @@ int pci_set_power_state(struct pci_dev *dev, pci_power_t state) return 0; if (state == PCI_D0) - return pci_set_full_power_state(dev); + return pci_set_full_power_state(dev, locked); /* * This device is quirked not to be put into D3, so don't put it in @@ -1556,16 +1552,16 @@ int pci_set_power_state(struct pci_dev *dev, pci_power_t state) * To put the device in D3cold, put it into D3hot in the native * way, then put it into D3cold using platform ops. */ - error = pci_set_low_power_state(dev, PCI_D3hot); + error = pci_set_low_power_state(dev, PCI_D3hot, locked); if (pci_platform_power_transition(dev, PCI_D3cold)) return error; /* Powering off a bridge may power off the whole hierarchy */ if (dev->current_state == PCI_D3cold) - pci_bus_set_current_state(dev->subordinate, PCI_D3cold); + __pci_bus_set_current_state(dev->subordinate, PCI_D3cold, locked); } else { - error = pci_set_low_power_state(dev, state); + error = pci_set_low_power_state(dev, state, locked); if (pci_platform_power_transition(dev, state)) return error; @@ -1573,8 +1569,38 @@ int pci_set_power_state(struct pci_dev *dev, pci_power_t state) return 0; } + +/** + * pci_set_power_state - Set the power state of a PCI device + * @dev: PCI device to handle. + * @state: PCI power state (D0, D1, D2, D3hot) to put the device into. + * + * Transition a device to a new power state, using the platform firmware and/or + * the device's PCI PM registers. + * + * RETURN VALUE: + * -EINVAL if the requested state is invalid. + * -EIO if device does not support PCI PM or its PM capabilities register has a + * wrong version, or device doesn't support the requested state. + * 0 if the transition is to D1 or D2 but D1 and D2 are not supported. + * 0 if device already is in the requested state. + * 0 if the transition is to D3 but D3 is not supported. + * 0 if device's power state has been successfully changed. + */ +int pci_set_power_state(struct pci_dev *dev, pci_power_t state) +{ + return __pci_set_power_state(dev, state, false); +} EXPORT_SYMBOL(pci_set_power_state); +int pci_set_power_state_locked(struct pci_dev *dev, pci_power_t state) +{ + lockdep_assert_held(&pci_bus_sem); + + return __pci_set_power_state(dev, state, true); +} +EXPORT_SYMBOL(pci_set_power_state_locked); + #define PCI_EXP_SAVE_REGS 7 static struct pci_cap_saved_state *_pci_find_saved_cap(struct pci_dev *pci_dev, diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h index 2336a8d1edab..e9750b1b19ba 100644 --- a/drivers/pci/pci.h +++ b/drivers/pci/pci.h @@ -571,12 +571,12 @@ int pcie_retrain_link(struct pci_dev *pdev, bool use_lt); #ifdef CONFIG_PCIEASPM void pcie_aspm_init_link_state(struct pci_dev *pdev); void pcie_aspm_exit_link_state(struct pci_dev *pdev); -void pcie_aspm_pm_state_change(struct pci_dev *pdev); +void pcie_aspm_pm_state_change(struct pci_dev *pdev, bool locked); void pcie_aspm_powersave_config_link(struct pci_dev *pdev); #else static inline void pcie_aspm_init_link_state(struct pci_dev *pdev) { } static inline void pcie_aspm_exit_link_state(struct pci_dev *pdev) { } -static inline void pcie_aspm_pm_state_change(struct pci_dev *pdev) { } +static inline void pcie_aspm_pm_state_change(struct pci_dev *pdev, bool locked) { } static inline void pcie_aspm_powersave_config_link(struct pci_dev *pdev) { } #endif diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c index 5a0066ecc3c5..bc0bd86695ec 100644 --- a/drivers/pci/pcie/aspm.c +++ b/drivers/pci/pcie/aspm.c @@ -1003,8 +1003,11 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) up_read(&pci_bus_sem); } -/* @pdev: the root port or switch downstream port */ -void pcie_aspm_pm_state_change(struct pci_dev *pdev) +/* + * @pdev: the root port or switch downstream port + * @locked: whether pci_bus_sem is held + */ +void pcie_aspm_pm_state_change(struct pci_dev *pdev, bool locked) { struct pcie_link_state *link = pdev->link_state; @@ -1014,12 +1017,14 @@ void pcie_aspm_pm_state_change(struct pci_dev *pdev) * Devices changed PM state, we should recheck if latency * meets all functions' requirement */ - down_read(&pci_bus_sem); + if (!locked) + down_read(&pci_bus_sem); mutex_lock(&aspm_lock); pcie_update_aspm_capable(link->root); pcie_config_aspm_path(link); mutex_unlock(&aspm_lock); - up_read(&pci_bus_sem); + if (!locked) + up_read(&pci_bus_sem); } void pcie_aspm_powersave_config_link(struct pci_dev *pdev) diff --git a/include/linux/pci.h b/include/linux/pci.h index add9368e6314..7ab0d13672da 100644 --- a/include/linux/pci.h +++ b/include/linux/pci.h @@ -1422,6 +1422,7 @@ int pci_load_and_free_saved_state(struct pci_dev *dev, struct pci_saved_state **state); int pci_platform_power_transition(struct pci_dev *dev, pci_power_t state); int pci_set_power_state(struct pci_dev *dev, pci_power_t state); +int pci_set_power_state_locked(struct pci_dev *dev, pci_power_t state); pci_power_t pci_choose_state(struct pci_dev *dev, pm_message_t state); bool pci_pme_capable(struct pci_dev *dev, pci_power_t state); void pci_pme_active(struct pci_dev *dev, bool enable); @@ -1625,6 +1626,8 @@ int pci_scan_bridge(struct pci_bus *bus, struct pci_dev *dev, int max, void pci_walk_bus(struct pci_bus *top, int (*cb)(struct pci_dev *, void *), void *userdata); +void pci_walk_bus_locked(struct pci_bus *top, int (*cb)(struct pci_dev *, void *), + void *userdata); int pci_cfg_space_size(struct pci_dev *dev); unsigned char pci_bus_max_busnr(struct pci_bus *bus); void pci_setup_bridge(struct pci_bus *bus); @@ -2025,6 +2028,8 @@ static inline int pci_save_state(struct pci_dev *dev) { return 0; } static inline void pci_restore_state(struct pci_dev *dev) { } static inline int pci_set_power_state(struct pci_dev *dev, pci_power_t state) { return 0; } +static inline int pci_set_power_state_locked(struct pci_dev *dev, pci_power_t state) +{ return 0; } static inline int pci_wake_from_d3(struct pci_dev *dev, bool enable) { return 0; } static inline pci_power_t pci_choose_state(struct pci_dev *dev,

1 year, 6 months

1
0
0 0

FAILED: patch "[PATCH] xhci: handle isoc Babble and Buffer Overrun events properly" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 7c4650ded49e5b88929ecbbb631efb8b0838e811 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021310-prelaunch-earmark-e533@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 7c4650ded49e ("xhci: handle isoc Babble and Buffer Overrun events properly") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7c4650ded49e5b88929ecbbb631efb8b0838e811 Mon Sep 17 00:00:00 2001 From: Michal Pecio <michal.pecio(a)gmail.com> Date: Thu, 25 Jan 2024 17:27:37 +0200 Subject: [PATCH] xhci: handle isoc Babble and Buffer Overrun events properly xHCI 4.9 explicitly forbids assuming that the xHC has released its ownership of a multi-TRB TD when it reports an error on one of the early TRBs. Yet the driver makes such assumption and releases the TD, allowing the remaining TRBs to be freed or overwritten by new TDs. The xHC should also report completion of the final TRB due to its IOC flag being set by us, regardless of prior errors. This event cannot be recognized if the TD has already been freed earlier, resulting in "Transfer event TRB DMA ptr not part of current TD" error message. Fix this by reusing the logic for processing isoc Transaction Errors. This also handles hosts which fail to report the final completion. Fix transfer length reporting on Babble errors. They may be caused by device malfunction, no guarantee that the buffer has been filled. Signed-off-by: Michal Pecio <michal.pecio(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20240125152737.2983959-5-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 41be7d31a36e..f0d8a607ff21 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -2394,9 +2394,13 @@ static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, case COMP_BANDWIDTH_OVERRUN_ERROR: frame->status = -ECOMM; break; - case COMP_ISOCH_BUFFER_OVERRUN: case COMP_BABBLE_DETECTED_ERROR: + sum_trbs_for_length = true; + fallthrough; + case COMP_ISOCH_BUFFER_OVERRUN: frame->status = -EOVERFLOW; + if (ep_trb != td->last_trb) + td->error_mid_td = true; break; case COMP_INCOMPATIBLE_DEVICE_ERROR: case COMP_STALL_ERROR:

1 year, 6 months

1
0
0 0

FAILED: patch "[PATCH] xhci: handle isoc Babble and Buffer Overrun events properly" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 7c4650ded49e5b88929ecbbb631efb8b0838e811 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021309-hypertext-gush-3da8@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: 7c4650ded49e ("xhci: handle isoc Babble and Buffer Overrun events properly") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7c4650ded49e5b88929ecbbb631efb8b0838e811 Mon Sep 17 00:00:00 2001 From: Michal Pecio <michal.pecio(a)gmail.com> Date: Thu, 25 Jan 2024 17:27:37 +0200 Subject: [PATCH] xhci: handle isoc Babble and Buffer Overrun events properly xHCI 4.9 explicitly forbids assuming that the xHC has released its ownership of a multi-TRB TD when it reports an error on one of the early TRBs. Yet the driver makes such assumption and releases the TD, allowing the remaining TRBs to be freed or overwritten by new TDs. The xHC should also report completion of the final TRB due to its IOC flag being set by us, regardless of prior errors. This event cannot be recognized if the TD has already been freed earlier, resulting in "Transfer event TRB DMA ptr not part of current TD" error message. Fix this by reusing the logic for processing isoc Transaction Errors. This also handles hosts which fail to report the final completion. Fix transfer length reporting on Babble errors. They may be caused by device malfunction, no guarantee that the buffer has been filled. Signed-off-by: Michal Pecio <michal.pecio(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20240125152737.2983959-5-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 41be7d31a36e..f0d8a607ff21 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -2394,9 +2394,13 @@ static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, case COMP_BANDWIDTH_OVERRUN_ERROR: frame->status = -ECOMM; break; - case COMP_ISOCH_BUFFER_OVERRUN: case COMP_BABBLE_DETECTED_ERROR: + sum_trbs_for_length = true; + fallthrough; + case COMP_ISOCH_BUFFER_OVERRUN: frame->status = -EOVERFLOW; + if (ep_trb != td->last_trb) + td->error_mid_td = true; break; case COMP_INCOMPATIBLE_DEVICE_ERROR: case COMP_STALL_ERROR:

1 year, 6 months

1
0
0 0

FAILED: patch "[PATCH] io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 72bd80252feeb3bef8724230ee15d9f7ab541c6e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024021340-playable-subsiding-a8db@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 72bd80252fee ("io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers") f9ead18c1058 ("io_uring: split network related opcodes into its own file") e0da14def1ee ("io_uring: move statx handling to its own file") a9c210cebe13 ("io_uring: move epoll handler to its own file") 4cf90495281b ("io_uring: add a dummy -EOPNOTSUPP prep handler") 99f15d8d6136 ("io_uring: move uring_cmd handling to its own file") cd40cae29ef8 ("io_uring: split out open/close operations") 453b329be5ea ("io_uring: separate out file table handling code") f4c163dd7d4b ("io_uring: split out fadvise/madvise operations") 0d5847274037 ("io_uring: split out fs related sync/fallocate functions") 531113bbd5bf ("io_uring: split out splice related operations") 11aeb71406dd ("io_uring: split out filesystem related operations") e28683bdfc2f ("io_uring: move nop into its own file") 5e2a18d93fec ("io_uring: move xattr related opcodes to its own file") 97b388d70b53 ("io_uring: handle completions in the core") de23077eda61 ("io_uring: set completion results upfront") e27f928ee1cb ("io_uring: add io_uring_types.h") 4d4c9cff4f70 ("io_uring: define a request type cleanup handler") 890968dc0336 ("io_uring: unify struct io_symlink and io_hardlink") 9a3a11f977f9 ("io_uring: convert iouring_cmd to io_cmd_type") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 72bd80252feeb3bef8724230ee15d9f7ab541c6e Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 1 Feb 2024 06:42:36 -0700 Subject: [PATCH] io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers If we use IORING_OP_RECV with provided buffers and pass in '0' as the length of the request, the length is retrieved from the selected buffer. If MSG_WAITALL is also set and we get a short receive, then we may hit the retry path which decrements sr->len and increments the buffer for a retry. However, the length is still zero at this point, which means that sr->len now becomes huge and import_ubuf() will cap it to MAX_RW_COUNT and subsequently return -EFAULT for the range as a whole. Fix this by always assigning sr->len once the buffer has been selected. Cc: stable(a)vger.kernel.org Fixes: 7ba89d2af17a ("io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly") Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/net.c b/io_uring/net.c index a12ff69e6843..43bc9a5f96f9 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -923,6 +923,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags) if (!buf) return -ENOBUFS; sr->buf = buf; + sr->len = len; } ret = import_ubuf(ITER_DEST, sr->buf, len, &msg.msg_iter);

1 year, 6 months

1
0
0 0

af_iucv kernel module fails to load on bootup / manual start via modprobe

by Leo M

Hello, * update to 5.10.197 included upstream changes from 6.x kernel. * in particular this: * https://lore.kernel.org/all/20230917191101.257176910@linuxfoundation.org/ * this isn't an issue with the upstream state in the 6.x kernel as the problems this change might cause are alleviated by this commit that altered the way the iucv_if symbol was loaded: * https://github.com/torvalds/linux/commit/4eb9eda6ba64114d98827e2870e024d5ab… In the current state the symbol is not loaded correctly and the feature is not working properly. This issue hasn't been resolved still and is in a broken state up to the current 5.10.x version. Is it possible to include this fix in the next 5.10.x version? Sincerely, Leonardo Martinho

1 year, 6 months

2
1
0 0

Regression, i.MX7 boot failure, Linux v6.1.77

by Francesco Dolcini

Hello Sasha, kernel v6.1.77 introduces a regression, with a boot failure, on i.MX7, with commit db30f469ae8b ("ARM: dts: imx7s: Fix nand-controller #size-cells"). The issue is known [1][2], changing `#size-cells = <0>` is formally correct, but do not play well with the firmware that are deployed on those embedded devices, leading to a boot failure. A mitigation was implemented in the Linux kernel, commit 84549c816dc3 ("mtd: parsers: ofpart: add workaround for #size-cells 0") that was merged into v6.3, the firmware was also fixed, however existing device using old firmware will not boot anymore if updating to a newer kernel. I would ask you to drop such a patch from any stable patches queue and not backport it to any older kernel. To fix v6.1.y I see two options: - backport 84549c816dc3 - revert db30f469ae8b What do you prefer? Should I send myself a patch? [1] https://lore.kernel.org/all/Y4dgBTGNWpM6SQXI@francesco-nb.int.toradex.com/ [2] https://lore.kernel.org/all/20221202071900.1143950-1-francesco@dolcini.it/ Francesco

1 year, 6 months

2
1
0 0

[PATCH 1/2] HID: wacom: generic: Avoid reporting a serial of '0' to userspace

by Tobita, Tatsunosuke

From: Tatsunosuke Tobita <tatsunosuke.tobita(a)wacom.com> The xf86-input-wacom driver does not treat '0' as a valid serial number and will drop any input report which contains an MSC_SERIAL = 0 event. The kernel driver already takes care to avoid sending any MSC_SERIAL event if the value of serial[0] == 0 (which is the case for devices that don't actually report a serial number), but this is not quite sufficient. Only the lower 32 bits of the serial get reported to userspace, so if this portion of the serial is zero then there can still be problems. This commit allows the driver to report either the lower 32 bits if they are non-zero or the upper 32 bits otherwise. Signed-off-by: Jason Gerecke <jason.gerecke(a)wacom.com> Signed-off-by: Tatsunosuke Tobita <tatsunosuke.tobita(a)wacom.com> Fixes: f85c9dc678a5 ("HID: wacom: generic: Support tool ID and additional tool types") CC: stable(a)vger.kernel.org # v4.10 --- drivers/hid/wacom_wac.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index da8a01fedd39..fbe10fbc5769 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2575,7 +2575,14 @@ static void wacom_wac_pen_report(struct hid_device *hdev, wacom_wac->hid_data.tipswitch); input_report_key(input, wacom_wac->tool[0], sense); if (wacom_wac->serial[0]) { - input_event(input, EV_MSC, MSC_SERIAL, wacom_wac->serial[0]); + /* + * xf86-input-wacom does not accept a serial number + * of '0'. Report the low 32 bits if possible, but + * if they are zero, report the upper ones instead. + */ + __u32 serial_lo = wacom_wac->serial[0] & 0xFFFFFFFFu; + __u32 serial_hi = wacom_wac->serial[0] >> 32; + input_event(input, EV_MSC, MSC_SERIAL, (int)(serial_lo ? serial_lo : serial_hi)); input_report_abs(input, ABS_MISC, sense ? id : 0); } -- 2.34.1

1 year, 6 months

2
1
0 0

[PATCH 2/3] irqchip/gic-v3-its: Restore quirk probing for ACPI-based systems

by Marc Zyngier

While refactoring the way the ITSs are probed, the handling of quirks applicable to ACPI-based platforms was lost. As a result, systems such as HIP07 lose their GICv4 functionnality, and some other may even fail to boot, unless they are configured to boot with DT. Move the enabling of quirks into its_probe_one(), making it common to all firmware implementations. Fixes: 9585a495ac93 ("irqchip/gic-v3-its: Split allocation from initialisation of its_node") Reviewed-by: Lorenzo Pieralisi <lpieralisi(a)kernel.org> Reviewed-by: Zenghui Yu <yuzenghui(a)huawei.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/irqchip/irq-gic-v3-its.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index fec1b58470df..250b4562f308 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -5091,6 +5091,8 @@ static int __init its_probe_one(struct its_node *its) u32 ctlr; int err; + its_enable_quirks(its); + if (is_v4(its)) { if (!(its->typer & GITS_TYPER_VMOVP)) { err = its_compute_its_list_map(its); @@ -5442,7 +5444,6 @@ static int __init its_of_probe(struct device_node *node) if (!its) return -ENOMEM; - its_enable_quirks(its); err = its_probe_one(its); if (err) { its_node_destroy(its); -- 2.39.2

1 year, 6 months

2
1
0 0

[PATCH 3/3] irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update

by Marc Zyngier

When updating the affinity of a VPE, we currently skip the VMOVP command if the two CPUs are part of the same VPE affinity. But this is wrong, as the doorbell corresponding to this VPE is still delivered on the 'old' CPU, which screws up the balancing. Furthermore, offlining that 'old' CPU results in doorbell interrupts generated for this VPE being discarded. The harsh reality is that we cannot easily elide VMOVP when a set_affinity request occurs. It needs to be obeyed, and if an optimisation is to be made, it is at the point where the affinity change request is made (such as in KVM). Drop the VMOVP elision altogether, and only use the vpe_table_mask to try and stay within the same ITS affinity group if at all possible. Fixes: dd3f050a216e (irqchip/gic-v4.1: Implement the v4.1 flavour of VMOVP) Reported-by: Kunkun Jiang <jiangkunkun(a)huawei.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/irqchip/irq-gic-v3-its.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index 250b4562f308..53abd4779914 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -3826,8 +3826,9 @@ static int its_vpe_set_affinity(struct irq_data *d, bool force) { struct its_vpe *vpe = irq_data_get_irq_chip_data(d); - int from, cpu = cpumask_first(mask_val); + struct cpumask common, *table_mask; unsigned long flags; + int from, cpu; /* * Changing affinity is mega expensive, so let's be as lazy as @@ -3843,19 +3844,22 @@ static int its_vpe_set_affinity(struct irq_data *d, * taken on any vLPI handling path that evaluates vpe->col_idx. */ from = vpe_to_cpuid_lock(vpe, &flags); - if (from == cpu) - goto out; - - vpe->col_idx = cpu; + table_mask = gic_data_rdist_cpu(from)->vpe_table_mask; /* - * GICv4.1 allows us to skip VMOVP if moving to a cpu whose RD - * is sharing its VPE table with the current one. + * If we are offered another CPU in the same GICv4.1 ITS + * affinity, pick this one. Otherwise, any CPU will do. */ - if (gic_data_rdist_cpu(cpu)->vpe_table_mask && - cpumask_test_cpu(from, gic_data_rdist_cpu(cpu)->vpe_table_mask)) + if (table_mask && cpumask_and(&common, mask_val, table_mask)) + cpu = cpumask_test_cpu(from, &common) ? from : cpumask_first(&common); + else + cpu = cpumask_first(mask_val); + + if (from == cpu) goto out; + vpe->col_idx = cpu; + its_send_vmovp(vpe); its_vpe_db_proxy_move(vpe, from, cpu); -- 2.39.2

1 year, 6 months

2
1
0 0

[PATCH 5.10/5.15 v2 0/1 RFC] mm/truncate: fix WARNING in ext4_set_page_dirty()

by Roman Smirnov

Syzkaller reports warning in ext4_set_page_dirty() in 5.10 and 5.15 stable releases. It happens because invalidate_inode_page() frees pages that are needed for the system. To fix this we need to add additional checks to the function. page_mapped() checks if a page exists in the page tables, but this is not enough. The page can be used in other places: https://elixir.bootlin.com/linux/v6.8-rc1/source/include/linux/page_ref.h#L… Kernel outputs an error line related to direct I/O: https://syzkaller.appspot.com/text?tag=CrashLog&x=14ab52dac80000 The problem can be fixed in 5.10 and 5.15 stable releases by the following patch. The patch replaces page_mapped() call with check that finds additional references to the page excluding page cache and filesystem private data. If additional references exist, the page cannot be freed. This version does not include the first patch from the first version. The problem can be fixed without it. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Link: https://syzkaller.appspot.com/bug?extid=02f21431b65c214aa1d6 Matthew Wilcox (Oracle) (1): mm/truncate: Replace page_mapped() call in invalidate_inode_page() mm/truncate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -- 2.34.1

1 year, 6 months

4
7
0 0

[PATCH] xen/events: close evtchn after mapping cleanup

by Maximilian Heyne

shutdown_pirq and startup_pirq are not taking the irq_mapping_update_lock because they can't due to lock inversion. Both are called with the irq_desc->lock being taking. The lock order, however, is first irq_mapping_update_lock and then irq_desc->lock. This opens multiple races: - shutdown_pirq can be interrupted by a function that allocates an event channel: CPU0 CPU1 shutdown_pirq { xen_evtchn_close(e) __startup_pirq { EVTCHNOP_bind_pirq -> returns just freed evtchn e set_evtchn_to_irq(e, irq) } xen_irq_info_cleanup() { set_evtchn_to_irq(e, -1) } } Assume here event channel e refers here to the same event channel number. After this race the evtchn_to_irq mapping for e is invalid (-1). - __startup_pirq races with __unbind_from_irq in a similar way. Because __startup_pirq doesn't take irq_mapping_update_lock it can grab the evtchn that __unbind_from_irq is currently freeing and cleaning up. In this case even though the event channel is allocated, its mapping can be unset in evtchn_to_irq. The fix is to first cleanup the mappings and then close the event channel. In this way, when an event channel gets allocated it's potential previous evtchn_to_irq mappings are guaranteed to be unset already. This is also the reverse order of the allocation where first the event channel is allocated and then the mappings are setup. On a 5.10 kernel prior to commit 3fcdaf3d7634 ("xen/events: modify internal [un]bind interfaces"), we hit a BUG like the following during probing of NVMe devices. The issue is that during nvme_setup_io_queues, pci_free_irq is called for every device which results in a call to shutdown_pirq. With many nvme devices it's therefore likely to hit this race during boot because there will be multiple calls to shutdown_pirq and startup_pirq are running potentially in parallel. ------------[ cut here ]------------ blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled kernel BUG at drivers/xen/events/events_base.c:499! invalid opcode: 0000 [#1] SMP PTI CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1 Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006 Workqueue: nvme-reset-wq nvme_reset_work RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0 Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006 RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00 R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_trace_log_lvl+0x1c1/0x2d9 ? show_trace_log_lvl+0x1c1/0x2d9 ? set_affinity_irq+0xdc/0x1c0 ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0x90/0x110 ? bind_evtchn_to_cpu+0xdf/0xf0 ? do_error_trap+0x65/0x80 ? bind_evtchn_to_cpu+0xdf/0xf0 ? exc_invalid_op+0x4e/0x70 ? bind_evtchn_to_cpu+0xdf/0xf0 ? asm_exc_invalid_op+0x12/0x20 ? bind_evtchn_to_cpu+0xdf/0xf0 ? bind_evtchn_to_cpu+0xc5/0xf0 set_affinity_irq+0xdc/0x1c0 irq_do_set_affinity+0x1d7/0x1f0 irq_setup_affinity+0xd6/0x1a0 irq_startup+0x8a/0xf0 __setup_irq+0x639/0x6d0 ? nvme_suspend+0x150/0x150 request_threaded_irq+0x10c/0x180 ? nvme_suspend+0x150/0x150 pci_request_irq+0xa8/0xf0 ? __blk_mq_free_request+0x74/0xa0 queue_request_irq+0x6f/0x80 nvme_create_queue+0x1af/0x200 nvme_create_io_queues+0xbd/0xf0 nvme_setup_io_queues+0x246/0x320 ? nvme_irq_check+0x30/0x30 nvme_reset_work+0x1c8/0x400 process_one_work+0x1b0/0x350 worker_thread+0x49/0x310 ? process_one_work+0x350/0x350 kthread+0x11b/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x22/0x30 Modules linked in: ---[ end trace a11715de1eee1873 ]--- Fixes: d46a78b05c0e ("xen: implement pirq type event channels") Cc: stable(a)vger.kernel.org Co-debugged-by: Andrew Panyakin <apanyaki(a)amazon.com> Signed-off-by: Maximilian Heyne <mheyne(a)amazon.de> --- drivers/xen/events/events_base.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index b8cfea7812d6..3b9f080109d7 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -923,8 +923,8 @@ static void shutdown_pirq(struct irq_data *data) return; do_mask(info, EVT_MASK_REASON_EXPLICIT); - xen_evtchn_close(evtchn); xen_irq_info_cleanup(info); + xen_evtchn_close(evtchn); } static void enable_pirq(struct irq_data *data) @@ -956,6 +956,7 @@ EXPORT_SYMBOL_GPL(xen_irq_from_gsi); static void __unbind_from_irq(struct irq_info *info, unsigned int irq) { evtchn_port_t evtchn; + bool close_evtchn = false; if (!info) { xen_irq_free_desc(irq); @@ -975,7 +976,7 @@ static void __unbind_from_irq(struct irq_info *info, unsigned int irq) struct xenbus_device *dev; if (!info->is_static) - xen_evtchn_close(evtchn); + close_evtchn = true; switch (info->type) { case IRQT_VIRQ: @@ -995,6 +996,9 @@ static void __unbind_from_irq(struct irq_info *info, unsigned int irq) } xen_irq_info_cleanup(info); + + if (close_evtchn) + xen_evtchn_close(evtchn); } xen_free_irq(info); -- 2.40.1 Amazon Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B Sitz: Berlin Ust-ID: DE 289 237 879

1 year, 6 months

2
2
0 0

[tip: irq/urgent] irqchip/irq-brcmstb-l2: Add write memory barrier before exit

by tip-bot2 for Doug Berger

The following commit has been merged into the irq/urgent branch of tip: Commit-ID: b0344d6854d25a8b3b901c778b1728885dd99007 Gitweb: https://git.kernel.org/tip/b0344d6854d25a8b3b901c778b1728885dd99007 Author: Doug Berger <opendmb(a)gmail.com> AuthorDate: Fri, 09 Feb 2024 17:24:49 -08:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Tue, 13 Feb 2024 09:33:31 +01:00 irqchip/irq-brcmstb-l2: Add write memory barrier before exit It was observed on Broadcom devices that use GIC v3 architecture L1 interrupt controllers as the parent of brcmstb-l2 interrupt controllers that the deactivation of the parent interrupt could happen before the brcmstb-l2 deasserted its output. This would lead the GIC to reactivate the interrupt only to find that no L2 interrupt was pending. The result was a spurious interrupt invoking handle_bad_irq() with its associated messaging. While this did not create a functional problem it is a waste of cycles. The hazard exists because the memory mapped bus writes to the brcmstb-l2 registers are buffered and the GIC v3 architecture uses a very efficient system register write to deactivate the interrupt. Add a write memory barrier prior to invoking chained_irq_exit() to introduce a dsb(st) on those systems to ensure the system register write cannot be executed until the memory mapped writes are visible to the system. [ florian: Added Fixes tag ] Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller") Signed-off-by: Doug Berger <opendmb(a)gmail.com> Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Acked-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240210012449.3009125-1-florian.fainelli@broadco… --- drivers/irqchip/irq-brcmstb-l2.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-brcmstb-l2.c b/drivers/irqchip/irq-brcmstb-l2.c index 5559c94..2b0b317 100644 --- a/drivers/irqchip/irq-brcmstb-l2.c +++ b/drivers/irqchip/irq-brcmstb-l2.c @@ -2,7 +2,7 @@ /* * Generic Broadcom Set Top Box Level 2 Interrupt controller driver * - * Copyright (C) 2014-2017 Broadcom + * Copyright (C) 2014-2024 Broadcom */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt @@ -112,6 +112,9 @@ static void brcmstb_l2_intc_irq_handle(struct irq_desc *desc) generic_handle_domain_irq(b->domain, irq); } while (status); out: + /* Don't ack parent before all device writes are done */ + wmb(); + chained_irq_exit(chip, desc); }

1 year, 6 months

1
0
0 0

Re: [PATCH RFC v2 4/8] m68k: Handle arrivals of multiple signals correctly

by Finn Thain

[Cc: stable] On Mon, 12 Feb 2024, Ulrich Hecht wrote: > > > On 02/08/2024 11:51 PM CET Finn Thain <fthain(a)linux-m68k.org> wrote: > > Ulrich, I imagine that you would normally receive fixes via the > > corresponding -stable trees. If Michael's series went into > > stable/linux-4.19.y you could cherry-pick from there for your v4.4.y tree > > and maybe avoid some merge conflicts that way. > > That would work for me. > OK. Here's the relevant commit. It fixes bd6f56a75bb2 which first appeared in v2.6.38-rc1. I believe this can be cherry-picked without any conflicts. 50e43a573344 m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal

1 year, 6 months

1
0
0 0

[PATCH -fixes v2 1/4] riscv: Fix enabling cbo.zero when running in M-mode

by Samuel Holland

When the kernel is running in M-mode, the CBZE bit must be set in the menvcfg CSR, not in senvcfg. Cc: <stable(a)vger.kernel.org> Fixes: 43c16d51a19b ("RISC-V: Enable cbo.zero in usermode") Reviewed-by: Andrew Jones <ajones(a)ventanamicro.com> Signed-off-by: Samuel Holland <samuel.holland(a)sifive.com> --- (no changes since v1) arch/riscv/include/asm/csr.h | 2 ++ arch/riscv/kernel/cpufeature.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 510014051f5d..2468c55933cd 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch/riscv/include/asm/csr.h @@ -424,6 +424,7 @@ # define CSR_STATUS CSR_MSTATUS # define CSR_IE CSR_MIE # define CSR_TVEC CSR_MTVEC +# define CSR_ENVCFG CSR_MENVCFG # define CSR_SCRATCH CSR_MSCRATCH # define CSR_EPC CSR_MEPC # define CSR_CAUSE CSR_MCAUSE @@ -448,6 +449,7 @@ # define CSR_STATUS CSR_SSTATUS # define CSR_IE CSR_SIE # define CSR_TVEC CSR_STVEC +# define CSR_ENVCFG CSR_SENVCFG # define CSR_SCRATCH CSR_SSCRATCH # define CSR_EPC CSR_SEPC # define CSR_CAUSE CSR_SCAUSE diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c index 89920f84d0a3..c5b13f7dd482 100644 --- a/arch/riscv/kernel/cpufeature.c +++ b/arch/riscv/kernel/cpufeature.c @@ -950,7 +950,7 @@ arch_initcall(check_unaligned_access_all_cpus); void riscv_user_isa_enable(void) { if (riscv_cpu_has_extension_unlikely(smp_processor_id(), RISCV_ISA_EXT_ZICBOZ)) - csr_set(CSR_SENVCFG, ENVCFG_CBZE); + csr_set(CSR_ENVCFG, ENVCFG_CBZE); } #ifdef CONFIG_RISCV_ALTERNATIVE -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH] kbuild: Fix changing ELF file type for output of gen_btf for big endian

by Nathan Chancellor

Commit 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF") changed the ELF type of .btf.vmlinux.bin.o from ET_EXEC to ET_REL via dd, which works fine for little endian platforms: 00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| -00000010 03 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................| +00000010 01 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................| However, for big endian platforms, it changes the wrong byte, resulting in an invalid ELF file type, which ld.lld rejects: 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............| -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| +00000010 01 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| Type: <unknown>: 103 ld.lld: error: .btf.vmlinux.bin.o: unknown file type Fix this by using a different seek value for dd when targeting big endian, so that the correct byte gets changed and everything works correctly for all linkers. 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............| -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| +00000010 00 01 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| Type: REL (Relocatable file) Cc: stable(a)vger.kernel.org Fixes: 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF") Link: https://github.com/llvm/llvm-project/pull/75643 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- scripts/link-vmlinux.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index a432b171be82..8a9f48b3cb32 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -135,8 +135,15 @@ gen_btf() ${OBJCOPY} --only-section=.BTF --set-section-flags .BTF=alloc,readonly \ --strip-all ${1} ${2} 2>/dev/null # Change e_type to ET_REL so that it can be used to link final vmlinux. - # Unlike GNU ld, lld does not allow an ET_EXEC input. - printf '\1' | dd of=${2} conv=notrunc bs=1 seek=16 status=none + # Unlike GNU ld, lld does not allow an ET_EXEC input. Make sure the correct + # byte gets changed with big endian platforms, otherwise e_type may be an + # invalid value. + if is_enabled CONFIG_CPU_BIG_ENDIAN; then + seek=17 + else + seek=16 + fi + printf '\1' | dd of=${2} conv=notrunc bs=1 seek=${seek} status=none } # Create ${2} .S file with all symbols from the ${1} object file --- base-commit: 54be6c6c5ae8e0d93a6c4641cb7528eb0b6ba478 change-id: 20240208-fix-elf-type-btf-vmlinux-bin-o-big-endian-dbc55a1e1296 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 year, 6 months

6
6
0 0

[PATCH AUTOSEL 4.19 1/3] hwmon: (coretemp) Enlarge per package core count limit

by Sasha Levin

From: Zhang Rui <rui.zhang(a)intel.com> [ Upstream commit 34cf8c657cf0365791cdc658ddbca9cc907726ce ] Currently, coretemp driver supports only 128 cores per package. This loses some core temperature information on systems that have more than 128 cores per package. [ 58.685033] coretemp coretemp.0: Adding Core 128 failed [ 58.692009] coretemp coretemp.0: Adding Core 129 failed ... Enlarge the limitation to 512 because there are platforms with more than 256 cores per package. Signed-off-by: Zhang Rui <rui.zhang(a)intel.com> Link: https://lore.kernel.org/r/20240202092144.71180-4-rui.zhang@intel.com Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hwmon/coretemp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c index 33371f7a4c0f..e08bb28ec427 100644 --- a/drivers/hwmon/coretemp.c +++ b/drivers/hwmon/coretemp.c @@ -53,7 +53,7 @@ MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius"); #define PKG_SYSFS_ATTR_NO 1 /* Sysfs attribute for package temp */ #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */ -#define NUM_REAL_CORES 128 /* Number of Real cores per cpu */ +#define NUM_REAL_CORES 512 /* Number of Real cores per cpu */ #define CORETEMP_NAME_LENGTH 28 /* String Length of attrs */ #define MAX_CORE_ATTRS 4 /* Maximum no of basic attrs */ #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1) -- 2.43.0

1 year, 6 months

1
2
0 0

[PATCH AUTOSEL 5.4 1/4] hwmon: (coretemp) Enlarge per package core count limit

by Sasha Levin

From: Zhang Rui <rui.zhang(a)intel.com> [ Upstream commit 34cf8c657cf0365791cdc658ddbca9cc907726ce ] Currently, coretemp driver supports only 128 cores per package. This loses some core temperature information on systems that have more than 128 cores per package. [ 58.685033] coretemp coretemp.0: Adding Core 128 failed [ 58.692009] coretemp coretemp.0: Adding Core 129 failed ... Enlarge the limitation to 512 because there are platforms with more than 256 cores per package. Signed-off-by: Zhang Rui <rui.zhang(a)intel.com> Link: https://lore.kernel.org/r/20240202092144.71180-4-rui.zhang@intel.com Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hwmon/coretemp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c index 0eabad344961..b8d5087da65b 100644 --- a/drivers/hwmon/coretemp.c +++ b/drivers/hwmon/coretemp.c @@ -40,7 +40,7 @@ MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius"); #define PKG_SYSFS_ATTR_NO 1 /* Sysfs attribute for package temp */ #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */ -#define NUM_REAL_CORES 128 /* Number of Real cores per cpu */ +#define NUM_REAL_CORES 512 /* Number of Real cores per cpu */ #define CORETEMP_NAME_LENGTH 28 /* String Length of attrs */ #define MAX_CORE_ATTRS 4 /* Maximum no of basic attrs */ #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1) -- 2.43.0

1 year, 6 months

1
3
0 0

[PATCH AUTOSEL 5.10 1/6] efi: runtime: Fix potential overflow of soft-reserved region size

by Sasha Levin

From: Andrew Bresticker <abrestic(a)rivosinc.com> [ Upstream commit de1034b38a346ef6be25fe8792f5d1e0684d5ff4 ] md_size will have been narrowed if we have >= 4GB worth of pages in a soft-reserved region. Signed-off-by: Andrew Bresticker <abrestic(a)rivosinc.com> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/firmware/efi/arm-runtime.c | 2 +- drivers/firmware/efi/riscv-runtime.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/arm-runtime.c b/drivers/firmware/efi/arm-runtime.c index 3359ae2adf24..9054c2852580 100644 --- a/drivers/firmware/efi/arm-runtime.c +++ b/drivers/firmware/efi/arm-runtime.c @@ -107,7 +107,7 @@ static int __init arm_enable_runtime_services(void) efi_memory_desc_t *md; for_each_efi_memory_desc(md) { - int md_size = md->num_pages << EFI_PAGE_SHIFT; + u64 md_size = md->num_pages << EFI_PAGE_SHIFT; struct resource *res; if (!(md->attribute & EFI_MEMORY_SP)) diff --git a/drivers/firmware/efi/riscv-runtime.c b/drivers/firmware/efi/riscv-runtime.c index d28e715d2bcc..6711e64eb0b1 100644 --- a/drivers/firmware/efi/riscv-runtime.c +++ b/drivers/firmware/efi/riscv-runtime.c @@ -85,7 +85,7 @@ static int __init riscv_enable_runtime_services(void) efi_memory_desc_t *md; for_each_efi_memory_desc(md) { - int md_size = md->num_pages << EFI_PAGE_SHIFT; + u64 md_size = md->num_pages << EFI_PAGE_SHIFT; struct resource *res; if (!(md->attribute & EFI_MEMORY_SP)) -- 2.43.0

1 year, 6 months

1
5
0 0

[PATCH AUTOSEL 5.15 01/22] fs/ntfs3: Modified fix directory element type detection

by Sasha Levin

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> [ Upstream commit 22457c047ed971f2f2e33be593ddfabd9639a409 ] Unfortunately reparse attribute is used for many purposes (several dozens). It is not possible here to know is this name symlink or not. To get exactly the type of name we should to open inode (read mft). getattr for opened file (fstat) correctly returns symlink. Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ntfs3/dir.c | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c index d4d9f4ffb6d9..c2fb76bb28f4 100644 --- a/fs/ntfs3/dir.c +++ b/fs/ntfs3/dir.c @@ -309,11 +309,31 @@ static inline int ntfs_filldir(struct ntfs_sb_info *sbi, struct ntfs_inode *ni, return 0; } - /* NTFS: symlinks are "dir + reparse" or "file + reparse" */ - if (fname->dup.fa & FILE_ATTRIBUTE_REPARSE_POINT) - dt_type = DT_LNK; - else - dt_type = (fname->dup.fa & FILE_ATTRIBUTE_DIRECTORY) ? DT_DIR : DT_REG; + /* + * NTFS: symlinks are "dir + reparse" or "file + reparse" + * Unfortunately reparse attribute is used for many purposes (several dozens). + * It is not possible here to know is this name symlink or not. + * To get exactly the type of name we should to open inode (read mft). + * getattr for opened file (fstat) correctly returns symlink. + */ + dt_type = (fname->dup.fa & FILE_ATTRIBUTE_DIRECTORY) ? DT_DIR : DT_REG; + + /* + * It is not reliable to detect the type of name using duplicated information + * stored in parent directory. + * The only correct way to get the type of name - read MFT record and find ATTR_STD. + * The code below is not good idea. + * It does additional locks/reads just to get the type of name. + * Should we use additional mount option to enable branch below? + */ + if ((fname->dup.fa & FILE_ATTRIBUTE_REPARSE_POINT) && + ino != ni->mi.rno) { + struct inode *inode = ntfs_iget5(sbi->sb, &e->ref, NULL); + if (!IS_ERR_OR_NULL(inode)) { + dt_type = fs_umode_to_dtype(inode->i_mode); + iput(inode); + } + } return !dir_emit(ctx, (s8 *)name, name_len, ino, dt_type); } -- 2.43.0

1 year, 6 months

1
21
0 0

[PATCH AUTOSEL 6.6 01/51] fs/ntfs3: Improve alternative boot processing

by Sasha Levin

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> [ Upstream commit c39de951282df9a60ef70664e4378d88006b2670 ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ntfs3/super.c | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index f763e3256ccc..aa3b2c262ab6 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -865,6 +865,7 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, u16 fn, ao; u8 cluster_bits; u32 boot_off = 0; + sector_t boot_block = 0; const char *hint = "Primary boot"; /* Save original dev_size. Used with alternative boot. */ @@ -872,11 +873,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, sbi->volume.blocks = dev_size >> PAGE_SHIFT; - bh = ntfs_bread(sb, 0); +read_boot: + bh = ntfs_bread(sb, boot_block); if (!bh) - return -EIO; + return boot_block ? -EINVAL : -EIO; -check_boot: err = -EINVAL; /* Corrupted image; do not read OOB */ @@ -1107,26 +1108,24 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, } out: - if (err == -EINVAL && !bh->b_blocknr && dev_size0 > PAGE_SHIFT) { + brelse(bh); + + if (err == -EINVAL && !boot_block && dev_size0 > PAGE_SHIFT) { u32 block_size = min_t(u32, sector_size, PAGE_SIZE); u64 lbo = dev_size0 - sizeof(*boot); - /* - * Try alternative boot (last sector) - */ - brelse(bh); - - sb_set_blocksize(sb, block_size); - bh = ntfs_bread(sb, lbo >> blksize_bits(block_size)); - if (!bh) - return -EINVAL; - + boot_block = lbo >> blksize_bits(block_size); boot_off = lbo & (block_size - 1); - hint = "Alternative boot"; - dev_size = dev_size0; /* restore original size. */ - goto check_boot; + if (boot_block && block_size >= boot_off + sizeof(*boot)) { + /* + * Try alternative boot (last sector) + */ + sb_set_blocksize(sb, block_size); + hint = "Alternative boot"; + dev_size = dev_size0; /* restore original size. */ + goto read_boot; + } } - brelse(bh); return err; } -- 2.43.0

1 year, 6 months

1
50
0 0

[PATCH AUTOSEL 6.7 01/58] fs/ntfs3: Improve alternative boot processing

by Sasha Levin

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> [ Upstream commit c39de951282df9a60ef70664e4378d88006b2670 ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ntfs3/super.c | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index 9153dffde950..09d61c6c90aa 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -866,6 +866,7 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, u16 fn, ao; u8 cluster_bits; u32 boot_off = 0; + sector_t boot_block = 0; const char *hint = "Primary boot"; /* Save original dev_size. Used with alternative boot. */ @@ -873,11 +874,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, sbi->volume.blocks = dev_size >> PAGE_SHIFT; - bh = ntfs_bread(sb, 0); +read_boot: + bh = ntfs_bread(sb, boot_block); if (!bh) - return -EIO; + return boot_block ? -EINVAL : -EIO; -check_boot: err = -EINVAL; /* Corrupted image; do not read OOB */ @@ -1108,26 +1109,24 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, } out: - if (err == -EINVAL && !bh->b_blocknr && dev_size0 > PAGE_SHIFT) { + brelse(bh); + + if (err == -EINVAL && !boot_block && dev_size0 > PAGE_SHIFT) { u32 block_size = min_t(u32, sector_size, PAGE_SIZE); u64 lbo = dev_size0 - sizeof(*boot); - /* - * Try alternative boot (last sector) - */ - brelse(bh); - - sb_set_blocksize(sb, block_size); - bh = ntfs_bread(sb, lbo >> blksize_bits(block_size)); - if (!bh) - return -EINVAL; - + boot_block = lbo >> blksize_bits(block_size); boot_off = lbo & (block_size - 1); - hint = "Alternative boot"; - dev_size = dev_size0; /* restore original size. */ - goto check_boot; + if (boot_block && block_size >= boot_off + sizeof(*boot)) { + /* + * Try alternative boot (last sector) + */ + sb_set_blocksize(sb, block_size); + hint = "Alternative boot"; + dev_size = dev_size0; /* restore original size. */ + goto read_boot; + } } - brelse(bh); return err; } -- 2.43.0

1 year, 6 months

1
57
0 0

[PATCH] tracing: Fix wasted memory in saved_cmdlines logic

by Steven Rostedt

From: "Steven Rostedt (Google)" <rostedt(a)goodmis.org> While looking at improving the saved_cmdlines cache I found a huge amount of wasted memory that should be used for the cmdlines. The tracing data saves pids during the trace. At sched switch, if a trace occurred, it will save the comm of the task that did the trace. This is saved in a "cache" that maps pids to comms and exposed to user space via the /sys/kernel/tracing/saved_cmdlines file. Currently it only caches by default 128 comms. The structure that uses this creates an array to store the pids using PID_MAX_DEFAULT (which is usually set to 32768). This causes the structure to be of the size of 131104 bytes on 64 bit machines. In hex: 131104 = 0x20020, and since the kernel allocates generic memory in powers of two, the kernel would allocate 0x40000 or 262144 bytes to store this structure. That leaves 131040 bytes of wasted space. Worse, the structure points to an allocated array to store the comm names, which is 16 bytes times the amount of names to save (currently 128), which is 2048 bytes. Instead of allocating a separate array, make the structure end with a variable length string and use the extra space for that. This is similar to a recommendation that Linus had made about eventfs_inode names: https://lore.kernel.org/all/20240130190355.11486-5-torvalds@linux-foundatio… Instead of allocating a separate string array to hold the saved comms, have the structure end with: char saved_cmdlines[]; and round up to the next power of two over sizeof(struct saved_cmdline_buffers) + num_cmdlines * TASK_COMM_LEN It will use this extra space for the saved_cmdline portion. Now, instead of saving only 128 comms by default, by using this wasted space at the end of the structure it can save over 8000 comms and even saves space by removing the need for allocating the other array. Cc: stable(a)vger.kernel.org Fixes: 939c7a4f04fcd ("tracing: Introduce saved_cmdlines_size file") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 73 +++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 39 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 2a7c6fd934e9..0b3e60b827f7 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -2320,7 +2320,7 @@ struct saved_cmdlines_buffer { unsigned *map_cmdline_to_pid; unsigned cmdline_num; int cmdline_idx; - char *saved_cmdlines; + char saved_cmdlines[]; }; static struct saved_cmdlines_buffer *savedcmd; @@ -2334,47 +2334,54 @@ static inline void set_cmdline(int idx, const char *cmdline) strncpy(get_saved_cmdlines(idx), cmdline, TASK_COMM_LEN); } -static int allocate_cmdlines_buffer(unsigned int val, - struct saved_cmdlines_buffer *s) +static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s) +{ + int order = get_order(sizeof(*s) + s->cmdline_num * TASK_COMM_LEN); + + kfree(s->map_cmdline_to_pid); + free_pages((unsigned long)s, order); +} + +static struct saved_cmdlines_buffer *allocate_cmdlines_buffer(unsigned int val) { + struct saved_cmdlines_buffer *s; + struct page *page; + int orig_size, size; + int order; + + /* Figure out how much is needed to hold the given number of cmdlines */ + orig_size = sizeof(*s) + val * TASK_COMM_LEN; + order = get_order(orig_size); + size = 1 << (order + PAGE_SHIFT); + page = alloc_pages(GFP_KERNEL, order); + if (!page) + return NULL; + + s = page_address(page); + memset(s, 0, sizeof(*s)); + + /* Round up to actual allocation */ + val = (size - sizeof(*s)) / TASK_COMM_LEN; + s->cmdline_num = val; + s->map_cmdline_to_pid = kmalloc_array(val, sizeof(*s->map_cmdline_to_pid), GFP_KERNEL); - if (!s->map_cmdline_to_pid) - return -ENOMEM; - - s->saved_cmdlines = kmalloc_array(TASK_COMM_LEN, val, GFP_KERNEL); - if (!s->saved_cmdlines) { - kfree(s->map_cmdline_to_pid); - return -ENOMEM; - } s->cmdline_idx = 0; - s->cmdline_num = val; memset(&s->map_pid_to_cmdline, NO_CMDLINE_MAP, sizeof(s->map_pid_to_cmdline)); memset(s->map_cmdline_to_pid, NO_CMDLINE_MAP, val * sizeof(*s->map_cmdline_to_pid)); - return 0; + return s; } static int trace_create_savedcmd(void) { - int ret; - - savedcmd = kmalloc(sizeof(*savedcmd), GFP_KERNEL); - if (!savedcmd) - return -ENOMEM; - - ret = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT, savedcmd); - if (ret < 0) { - kfree(savedcmd); - savedcmd = NULL; - return -ENOMEM; - } + savedcmd = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT); - return 0; + return savedcmd ? 0 : -ENOMEM; } int is_tracing_stopped(void) @@ -6056,26 +6063,14 @@ tracing_saved_cmdlines_size_read(struct file *filp, char __user *ubuf, return simple_read_from_buffer(ubuf, cnt, ppos, buf, r); } -static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s) -{ - kfree(s->saved_cmdlines); - kfree(s->map_cmdline_to_pid); - kfree(s); -} - static int tracing_resize_saved_cmdlines(unsigned int val) { struct saved_cmdlines_buffer *s, *savedcmd_temp; - s = kmalloc(sizeof(*s), GFP_KERNEL); + s = allocate_cmdlines_buffer(val); if (!s) return -ENOMEM; - if (allocate_cmdlines_buffer(val, s) < 0) { - kfree(s); - return -ENOMEM; - } - preempt_disable(); arch_spin_lock(&trace_cmdline_lock); savedcmd_temp = savedcmd; -- 2.43.0

1 year, 6 months

2
3
0 0

[withdrawn] fs-proc-task_mmu-add-display-flag-for-vm_mayoverlay.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/proc/task_mmu: add display flag for VM_MAYOVERLAY has been removed from the -mm tree. Its filename was fs-proc-task_mmu-add-display-flag-for-vm_mayoverlay.patch This patch was dropped because it was withdrawn ------------------------------------------------------ From: Anshuman Khandual <anshuman.khandual(a)arm.com> Subject: fs/proc/task_mmu: add display flag for VM_MAYOVERLAY Date: Thu, 8 Feb 2024 14:18:05 +0530 VM_UFFD_MISSING flag is mutually exclussive with VM_MAYOVERLAY flag as they both use the same bit position i.e 0x00000200 in the vm_flags. Let's update show_smap_vma_flags() to display the correct flags depending on CONFIG_MMU. Link: https://lkml.kernel.org/r/20240208084805.1252337-1-anshuman.khandual@arm.com Fixes: b6b7a8faf05c ("mm/nommu: don't use VM_MAYSHARE for MAP_PRIVATE mappings") Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-add-display-flag-for-vm_mayoverlay +++ a/fs/proc/task_mmu.c @@ -681,7 +681,11 @@ static void show_smap_vma_flags(struct s [ilog2(VM_HUGEPAGE)] = "hg", [ilog2(VM_NOHUGEPAGE)] = "nh", [ilog2(VM_MERGEABLE)] = "mg", +#ifdef CONFIG_MMU [ilog2(VM_UFFD_MISSING)]= "um", +#else + [ilog2(VM_MAYOVERLAY)] = "ov", +#endif /* CONFIG_MMU */ [ilog2(VM_UFFD_WP)] = "uw", #ifdef CONFIG_ARM64_MTE [ilog2(VM_MTE)] = "mt", _ Patches currently in -mm which might be from anshuman.khandual(a)arm.com are mm-memblock-add-memblock_rsrv_noinit-into-flagname-array.patch mm-cma-dont-treat-bad-input-arguments-for-cma_alloc-as-its-failure.patch mm-cma-drop-config_cma_debug.patch mm-cma-make-max_cma_areas-=-config_cma_areas.patch mm-cma-add-sysfs-file-release_pages_success.patch

1 year, 6 months

1
0
0 0

[tip: x86/urgent] x86/mm/ident_map: Use gbpages only where full GB page should be mapped.

by tip-bot2 for Steve Wahl

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: d794734c9bbfe22f86686dc2909c25f5ffe1a572 Gitweb: https://git.kernel.org/tip/d794734c9bbfe22f86686dc2909c25f5ffe1a572 Author: Steve Wahl <steve.wahl(a)hpe.com> AuthorDate: Fri, 26 Jan 2024 10:48:41 -06:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Mon, 12 Feb 2024 14:53:42 -08:00 x86/mm/ident_map: Use gbpages only where full GB page should be mapped. When ident_pud_init() uses only gbpages to create identity maps, large ranges of addresses not actually requested can be included in the resulting table; a 4K request will map a full GB. On UV systems, this ends up including regions that will cause hardware to halt the system if accessed (these are marked "reserved" by BIOS). Even processor speculation into these regions is enough to trigger the system halt. Only use gbpages when map creation requests include the full GB page of space. Fall back to using smaller 2M pages when only portions of a GB page are included in the request. No attempt is made to coalesce mapping requests. If a request requires a map entry at the 2M (pmd) level, subsequent mapping requests within the same 1G region will also be at the pmd level, even if adjacent or overlapping such requests could have been combined to map a full gbpage. Existing usage starts with larger regions and then adds smaller regions, so this should not have any great consequence. [ dhansen: fix up comment formatting, simplifty changelog ] Signed-off-by: Steve Wahl <steve.wahl(a)hpe.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20240126164841.170866-1-steve.wahl%40hpe.com --- arch/x86/mm/ident_map.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c index 968d700..f50cc21 100644 --- a/arch/x86/mm/ident_map.c +++ b/arch/x86/mm/ident_map.c @@ -26,18 +26,31 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, for (; addr < end; addr = next) { pud_t *pud = pud_page + pud_index(addr); pmd_t *pmd; + bool use_gbpage; next = (addr & PUD_MASK) + PUD_SIZE; if (next > end) next = end; - if (info->direct_gbpages) { - pud_t pudval; + /* if this is already a gbpage, this portion is already mapped */ + if (pud_large(*pud)) + continue; + + /* Is using a gbpage allowed? */ + use_gbpage = info->direct_gbpages; - if (pud_present(*pud)) - continue; + /* Don't use gbpage if it maps more than the requested region. */ + /* at the begining: */ + use_gbpage &= ((addr & ~PUD_MASK) == 0); + /* ... or at the end: */ + use_gbpage &= ((next & ~PUD_MASK) == 0); + + /* Never overwrite existing mappings */ + use_gbpage &= !pud_present(*pud); + + if (use_gbpage) { + pud_t pudval; - addr &= PUD_MASK; pudval = __pud((addr - info->offset) | info->page_flag); set_pud(pud, pudval); continue;

1 year, 6 months

1
0
0 0

+ kasan-test-avoid-gcc-warning-for-intentional-overflow.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: kasan/test: avoid gcc warning for intentional overflow has been added to the -mm mm-unstable branch. Its filename is kasan-test-avoid-gcc-warning-for-intentional-overflow.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Arnd Bergmann <arnd(a)arndb.de> Subject: kasan/test: avoid gcc warning for intentional overflow Date: Mon, 12 Feb 2024 12:15:52 +0100 The out-of-bounds test allocates an object that is three bytes too short in order to validate the bounds checking. Starting with gcc-14, this causes a compile-time warning as gcc has grown smart enough to understand the sizeof() logic: mm/kasan/kasan_test.c: In function 'kmalloc_oob_16': mm/kasan/kasan_test.c:443:14: error: allocation of insufficient size '13' for type 'struct <anonymous>' with size '16' [-Werror=alloc-size] 443 | ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL); | ^ Hide the actual computation behind a RELOC_HIDE() that ensures the compiler misses the intentional bug. Link: https://lkml.kernel.org/r/20240212111609.869266-1-arnd@kernel.org Fixes: 3f15801cdc23 ("lib: add kasan test module") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/kasan_test.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/kasan/kasan_test.c~kasan-test-avoid-gcc-warning-for-intentional-overflow +++ a/mm/kasan/kasan_test.c @@ -440,7 +440,8 @@ static void kmalloc_oob_16(struct kunit /* This test is specifically crafted for the generic mode. */ KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC); - ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL); + /* RELOC_HIDE to prevent gcc from warning about short alloc */ + ptr1 = RELOC_HIDE(kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL), 0); KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL); _ Patches currently in -mm which might be from arnd(a)arndb.de are mm-damon-dbgfs-implement-deprecation-notice-file-fix.patch kasan-test-avoid-gcc-warning-for-intentional-overflow.patch

1 year, 6 months

1
0
0 0

[PATCH] ASoC: amd: yc: Fix non-functional mic on Lenovo 82UU

by Attila Tőkés

Like many other models, the Lenovo 82UU (Yoga Slim 7 Pro 14ARH7) needs a quirk entry for the internal microphone to function. Cc: stable(a)vger.kernel.org Signed-off-by: Attila Tőkés <attitokes(a)gmail.com> --- sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c index 23d44a50d815..864976a81393 100644 --- a/sound/soc/amd/yc/acp6x-mach.c +++ b/sound/soc/amd/yc/acp6x-mach.c @@ -234,6 +234,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { DMI_MATCH(DMI_PRODUCT_NAME, "82UG"), } }, + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "82UU"), + } + }, { .driver_data = &acp6x_card, .matches = { -- 2.34.1

1 year, 6 months

2
1
0 0

[PATCH 6.1.y] fs: dlm: don't put dlm_local_addrs on heap

by Jordan Rife

From: Alexander Aring <aahringo(a)redhat.com> commit c51c9cd8addcfbdc097dbefd59f022402183644b upstream This patch removes to allocate the dlm_local_addr[] pointers on the heap. Instead we directly store the type of "struct sockaddr_storage". This removes function deinit_local() because it was freeing memory only. Backport e11dea8 ("dlm: use kernel_connect() and kernel_bind()") to Linux stable 6.1 caused a regression. The original patch expected dlm_local_addrs[0] to be of type sockaddr_storage, because c51c9cd ("fs: dlm: don't put dlm_local_addrs on heap") changed its type from sockaddr_storage* to sockaddr_storage in Linux 6.5+ while in older Linux versions this is still the original sockaddr_storage*. Signed-off-by: Alexander Aring <aahringo(a)redhat.com> Signed-off-by: David Teigland <teigland(a)redhat.com> Signed-off-by: Jordan Rife <jrife(a)google.com> Tested-by: Valentin Kleibel <valentin(a)vrvis.at> Fixes: e11dea8f5033 ("dlm: use kernel_connect() and kernel_bind()") Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063338 Link: https://lore.kernel.org/stable/20240209162658.70763-2-jrife@google.com/T/#u Cc: <stable(a)vger.kernel.org> # 6.1.x --- fs/dlm/lowcomms.c | 36 +++++++++++------------------------- 1 file changed, 11 insertions(+), 25 deletions(-) diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c index 72f34f96d0155..e26af8c23aa80 100644 --- a/fs/dlm/lowcomms.c +++ b/fs/dlm/lowcomms.c @@ -174,7 +174,7 @@ static LIST_HEAD(dlm_node_addrs); static DEFINE_SPINLOCK(dlm_node_addrs_spin); static struct listen_connection listen_con; -static struct sockaddr_storage *dlm_local_addr[DLM_MAX_ADDR_COUNT]; +static struct sockaddr_storage dlm_local_addr[DLM_MAX_ADDR_COUNT]; static int dlm_local_count; int dlm_allow_conn; @@ -398,7 +398,7 @@ static int nodeid_to_addr(int nodeid, struct sockaddr_storage *sas_out, if (!sa_out) return 0; - if (dlm_local_addr[0]->ss_family == AF_INET) { + if (dlm_local_addr[0].ss_family == AF_INET) { struct sockaddr_in *in4 = (struct sockaddr_in *) &sas; struct sockaddr_in *ret4 = (struct sockaddr_in *) sa_out; ret4->sin_addr.s_addr = in4->sin_addr.s_addr; @@ -727,7 +727,7 @@ static void add_sock(struct socket *sock, struct connection *con) static void make_sockaddr(struct sockaddr_storage *saddr, uint16_t port, int *addr_len) { - saddr->ss_family = dlm_local_addr[0]->ss_family; + saddr->ss_family = dlm_local_addr[0].ss_family; if (saddr->ss_family == AF_INET) { struct sockaddr_in *in4_addr = (struct sockaddr_in *)saddr; in4_addr->sin_port = cpu_to_be16(port); @@ -1167,7 +1167,7 @@ static int sctp_bind_addrs(struct socket *sock, uint16_t port) int i, addr_len, result = 0; for (i = 0; i < dlm_local_count; i++) { - memcpy(&localaddr, dlm_local_addr[i], sizeof(localaddr)); + memcpy(&localaddr, &dlm_local_addr[i], sizeof(localaddr)); make_sockaddr(&localaddr, port, &addr_len); if (!i) @@ -1187,7 +1187,7 @@ static int sctp_bind_addrs(struct socket *sock, uint16_t port) /* Get local addresses */ static void init_local(void) { - struct sockaddr_storage sas, *addr; + struct sockaddr_storage sas; int i; dlm_local_count = 0; @@ -1195,21 +1195,10 @@ static void init_local(void) if (dlm_our_addr(&sas, i)) break; - addr = kmemdup(&sas, sizeof(*addr), GFP_NOFS); - if (!addr) - break; - dlm_local_addr[dlm_local_count++] = addr; + memcpy(&dlm_local_addr[dlm_local_count++], &sas, sizeof(sas)); } } -static void deinit_local(void) -{ - int i; - - for (i = 0; i < dlm_local_count; i++) - kfree(dlm_local_addr[i]); -} - static struct writequeue_entry *new_writequeue_entry(struct connection *con) { struct writequeue_entry *entry; @@ -1575,7 +1564,7 @@ static void dlm_connect(struct connection *con) } /* Create a socket to communicate with */ - result = sock_create_kern(&init_net, dlm_local_addr[0]->ss_family, + result = sock_create_kern(&init_net, dlm_local_addr[0].ss_family, SOCK_STREAM, dlm_proto_ops->proto, &sock); if (result < 0) goto socket_err; @@ -1786,7 +1775,6 @@ void dlm_lowcomms_stop(void) foreach_conn(free_conn); srcu_read_unlock(&connections_srcu, idx); work_stop(); - deinit_local(); dlm_proto_ops = NULL; } @@ -1803,7 +1791,7 @@ static int dlm_listen_for_all(void) if (result < 0) return result; - result = sock_create_kern(&init_net, dlm_local_addr[0]->ss_family, + result = sock_create_kern(&init_net, dlm_local_addr[0].ss_family, SOCK_STREAM, dlm_proto_ops->proto, &sock); if (result < 0) { log_print("Can't create comms socket: %d", result); @@ -1842,7 +1830,7 @@ static int dlm_tcp_bind(struct socket *sock) /* Bind to our cluster-known address connecting to avoid * routing problems. */ - memcpy(&src_addr, dlm_local_addr[0], sizeof(src_addr)); + memcpy(&src_addr, &dlm_local_addr[0], sizeof(src_addr)); make_sockaddr(&src_addr, 0, &addr_len); result = kernel_bind(sock, (struct sockaddr *)&src_addr, @@ -1899,7 +1887,7 @@ static int dlm_tcp_listen_bind(struct socket *sock) int addr_len; /* Bind to our port */ - make_sockaddr(dlm_local_addr[0], dlm_config.ci_tcp_port, &addr_len); + make_sockaddr(&dlm_local_addr[0], dlm_config.ci_tcp_port, &addr_len); return kernel_bind(sock, (struct sockaddr *)&dlm_local_addr[0], addr_len); } @@ -1992,7 +1980,7 @@ int dlm_lowcomms_start(void) error = work_start(); if (error) - goto fail_local; + goto fail; dlm_allow_conn = 1; @@ -2022,8 +2010,6 @@ int dlm_lowcomms_start(void) fail_proto_ops: dlm_allow_conn = 0; work_stop(); -fail_local: - deinit_local(); fail: return error; } -- 2.43.0.687.g38aa6559b0-goog

1 year, 6 months

1
0
0 0

[PATCH 05/10] arm64: dts: qcom: sc8280xp-x13s: limit pcie4 link speed

by Johan Hovold

Limit the WiFi PCIe link speed to Gen2 speed (500 GB/s), which is the speed that the boot firmware has brought up the link at (and that Windows uses). This is specifically needed to avoid a large amount of link errors when restarting the link during boot (but which are currently not reported). This may potentially also help with intermittent failures to download the ath11k firmware during boot which can be seen when there is a longer delay between restarting the link and loading the WiFi driver (e.g. when using full disk encryption). Fixes: 123b30a75623 ("arm64: dts: qcom: sc8280xp-x13s: enable WiFi controller") Cc: stable(a)vger.kernel.org # 6.2 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts index 511d53d9c5a1..ff4b896b1bbf 100644 --- a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts +++ b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts @@ -863,6 +863,8 @@ &pcie3a_phy { }; &pcie4 { + max-link-speed = <2>; + perst-gpios = <&tlmm 141 GPIO_ACTIVE_LOW>; wake-gpios = <&tlmm 139 GPIO_ACTIVE_LOW>; -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH 03/10] arm64: dts: qcom: sc8280xp: add missing PCIe minimum OPP

by Johan Hovold

Add the missing PCIe CX performance level votes to avoid relying on other drivers (e.g. USB or UFS) to maintain the nominal performance level required for Gen3 speeds. Fixes: 813e83157001 ("arm64: dts: qcom: sc8280xp/sa8540p: add PCIe2-4 nodes") Cc: stable(a)vger.kernel.org # 6.2 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sc8280xp.dtsi b/arch/arm64/boot/dts/qcom/sc8280xp.dtsi index ae41b3051819..36382b1bd965 100644 --- a/arch/arm64/boot/dts/qcom/sc8280xp.dtsi +++ b/arch/arm64/boot/dts/qcom/sc8280xp.dtsi @@ -1780,6 +1780,7 @@ pcie4: pcie@1c00000 { reset-names = "pci"; power-domains = <&gcc PCIE_4_GDSC>; + required-opps = <&rpmhpd_opp_nom>; phys = <&pcie4_phy>; phy-names = "pciephy"; @@ -1878,6 +1879,7 @@ pcie3b: pcie@1c08000 { reset-names = "pci"; power-domains = <&gcc PCIE_3B_GDSC>; + required-opps = <&rpmhpd_opp_nom>; phys = <&pcie3b_phy>; phy-names = "pciephy"; @@ -1976,6 +1978,7 @@ pcie3a: pcie@1c10000 { reset-names = "pci"; power-domains = <&gcc PCIE_3A_GDSC>; + required-opps = <&rpmhpd_opp_nom>; phys = <&pcie3a_phy>; phy-names = "pciephy"; @@ -2077,6 +2080,7 @@ pcie2b: pcie@1c18000 { reset-names = "pci"; power-domains = <&gcc PCIE_2B_GDSC>; + required-opps = <&rpmhpd_opp_nom>; phys = <&pcie2b_phy>; phy-names = "pciephy"; @@ -2175,6 +2179,7 @@ pcie2a: pcie@1c20000 { reset-names = "pci"; power-domains = <&gcc PCIE_2A_GDSC>; + required-opps = <&rpmhpd_opp_nom>; phys = <&pcie2a_phy>; phy-names = "pciephy"; -- 2.43.0

1 year, 6 months

1
0
0 0

Re: [syzbot] [ext4?] KASAN: out-of-bounds Read in ext4_ext_remove_space

by syzbot

syzbot suspects this issue was fixed by commit: commit 6f861765464f43a71462d52026fbddfc858239a5 Author: Jan Kara <jack(a)suse.cz> Date: Wed Nov 1 17:43:10 2023 +0000 fs: Block writes to mounted block devices bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1764f648180000 start commit: e6fda526d9db Merge tag 'arm64-fixes' of git://git.kernel.o.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=1e3d5175079af5a4 dashboard link: https://syzkaller.appspot.com/bug?extid=6e5f2db05775244c73b7 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a56679a80000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d76b5da80000 If the result looks correct, please mark the issue as fixed by replying with: #syz fix: fs: Block writes to mounted block devices For information about bisection process see: https://goo.gl/tpsmEJ#bisection

1 year, 6 months

2
1
0 0

[PATCH 0/2] Bluetooth: SCO: possible deadlock in sco_conn_del

by oficerovas＠altlinux.org

From: Alexander Ofitserov <oficerovas(a)altlinux.org> Syzkaller hit 'possible deadlock in sco_conn_del' bug. This bug is not a vulnerability and is reproduced only when running with root privileges for stable 6.1 kernel. This series of patches is fix for this particular bug. Both of these patches were taken from upstream and applied clearly without any conflicts. First one is the fix for the problem and another one is for fix first patch. Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 ====================================================== WARNING: possible circular locking dependency detected 6.1.55-un-def-alt1 #1 Not tainted ------------------------------------------------------ syz-executor272/377 is trying to acquire lock: ffff888115b93130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_del+0x121/0x2c0 [bluetooth] but task is already holding lock: ffffffffc12bce28 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xcc/0x2a0 [bluetooth] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (hci_cb_list_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:603 [inline] __mutex_lock+0x12f/0x18f0 kernel/locking/mutex.c:747 hci_remote_features_evt+0x45b/0x950 [bluetooth] hci_event_packet+0x91e/0xf60 [bluetooth] hci_rx_work+0xa68/0x10f0 [bluetooth] process_one_work+0xa18/0x1570 kernel/workqueue.c:2292 worker_thread+0x63a/0x1260 kernel/workqueue.c:2439 kthread+0x2ec/0x3b0 kernel/kthread.c:376 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:306 -> #1 (&hdev->lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:603 [inline] __mutex_lock+0x12f/0x18f0 kernel/locking/mutex.c:747 sco_sock_connect+0x1e9/0xa60 [bluetooth] __sys_connect_file+0x15a/0x1a0 net/socket.c:1976 __sys_connect+0x16a/0x1a0 net/socket.c:1993 __do_sys_connect net/socket.c:2003 [inline] __se_sys_connect net/socket.c:2000 [inline] __x64_sys_connect+0x74/0xb0 net/socket.c:2000 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x5c/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x64/0xce -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}: check_prev_add kernel/locking/lockdep.c:3090 [inline] check_prevs_add kernel/locking/lockdep.c:3209 [inline] validate_chain kernel/locking/lockdep.c:3824 [inline] __lock_acquire+0x28c2/0x5350 kernel/locking/lockdep.c:5048 lock_acquire kernel/locking/lockdep.c:5661 [inline] lock_acquire+0x1fb/0x580 kernel/locking/lockdep.c:5626 lock_sock_nested+0x42/0x100 net/core/sock.c:3475 sco_conn_del+0x121/0x2c0 [bluetooth] sco_disconn_cfm+0x67/0x80 [bluetooth] hci_conn_hash_flush+0x11e/0x2a0 [bluetooth] hci_dev_close_sync+0x51d/0xf70 [bluetooth] hci_rfkill_set_block+0x17c/0x1c0 [bluetooth] rfkill_set_block+0x202/0x550 [rfkill] rfkill_fop_write+0x2b8/0x540 [rfkill] vfs_write+0x2d7/0xdd0 fs/read_write.c:582 ksys_write+0x1f5/0x260 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x5c/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x64/0xce other info that might help us debug this: Chain exists of: sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(hci_cb_list_lock); lock(&hdev->lock); lock(hci_cb_list_lock); lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO); *** DEADLOCK *** 4 locks held by syz-executor272/377: #0: ffffffffc0d83688 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x162/0x540 [rfkill] #1: ffff888100de90b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_rfkill_set_block+0x174/0x1c0 [bluetooth] #2: ffff888100de8078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x2e1/0xf70 [bluetooth] #3: ffffffffc12bce28 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xcc/0x2a0 [bluetooth] stack backtrace: CPU: 1 PID: 377 Comm: syz-executor272 Not tainted 6.1.55-un-def-alt1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-alt1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x14f/0x1be lib/dump_stack.c:106 check_noncircular+0x263/0x2e0 kernel/locking/lockdep.c:2170 check_prev_add kernel/locking/lockdep.c:3090 [inline] check_prevs_add kernel/locking/lockdep.c:3209 [inline] validate_chain kernel/locking/lockdep.c:3824 [inline] __lock_acquire+0x28c2/0x5350 kernel/locking/lockdep.c:5048 lock_acquire kernel/locking/lockdep.c:5661 [inline] lock_acquire+0x1fb/0x580 kernel/locking/lockdep.c:5626 lock_sock_nested+0x42/0x100 net/core/sock.c:3475 sco_conn_del+0x121/0x2c0 [bluetooth] sco_disconn_cfm+0x67/0x80 [bluetooth] hci_conn_hash_flush+0x11e/0x2a0 [bluetooth] hci_dev_close_sync+0x51d/0xf70 [bluetooth] hci_rfkill_set_block+0x17c/0x1c0 [bluetooth] rfkill_set_block+0x202/0x550 [rfkill] rfkill_fop_write+0x2b8/0x540 [rfkill] vfs_write+0x2d7/0xdd0 fs/read_write.c:582 ksys_write+0x1f5/0x260 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x5c/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7fa908ef7d49 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fa9085f7e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055a2e59de080 RCX: 00007fa908ef7d49 RDX: 0000000000000008 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb3f52d1e R13: 00007ffdb3f52d1f R14: 000055a2e59de088 R15: 00007fa9085f8640 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include <dirent.h> #include <endian.h> #include <errno.h> #include <fcntl.h> #include <pthread.h> #include <sched.h> #include <signal.h> #include <stdarg.h> #include <stdbool.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/epoll.h> #include <sys/ioctl.h> #include <sys/mount.h> #include <sys/prctl.h> #include <sys/resource.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/time.h> #include <sys/types.h> #include <sys/uio.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #include <linux/capability.h> #include <linux/futex.h> #include <linux/rfkill.h> static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 201; #define MAX_FDS 30 static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } #define BTPROTO_HCI 1 #define ACL_LINK 1 #define SCAN_PAGE 2 typedef struct { uint8_t b[6]; } __attribute__((packed)) bdaddr_t; #define HCI_COMMAND_PKT 1 #define HCI_EVENT_PKT 4 #define HCI_VENDOR_PKT 0xff struct hci_command_hdr { uint16_t opcode; uint8_t plen; } __attribute__((packed)); struct hci_event_hdr { uint8_t evt; uint8_t plen; } __attribute__((packed)); #define HCI_EV_CONN_COMPLETE 0x03 struct hci_ev_conn_complete { uint8_t status; uint16_t handle; bdaddr_t bdaddr; uint8_t link_type; uint8_t encr_mode; } __attribute__((packed)); #define HCI_EV_CONN_REQUEST 0x04 struct hci_ev_conn_request { bdaddr_t bdaddr; uint8_t dev_class[3]; uint8_t link_type; } __attribute__((packed)); #define HCI_EV_REMOTE_FEATURES 0x0b struct hci_ev_remote_features { uint8_t status; uint16_t handle; uint8_t features[8]; } __attribute__((packed)); #define HCI_EV_CMD_COMPLETE 0x0e struct hci_ev_cmd_complete { uint8_t ncmd; uint16_t opcode; } __attribute__((packed)); #define HCI_OP_WRITE_SCAN_ENABLE 0x0c1a #define HCI_OP_READ_BUFFER_SIZE 0x1005 struct hci_rp_read_buffer_size { uint8_t status; uint16_t acl_mtu; uint8_t sco_mtu; uint16_t acl_max_pkt; uint16_t sco_max_pkt; } __attribute__((packed)); #define HCI_OP_READ_BD_ADDR 0x1009 struct hci_rp_read_bd_addr { uint8_t status; bdaddr_t bdaddr; } __attribute__((packed)); #define HCI_EV_LE_META 0x3e struct hci_ev_le_meta { uint8_t subevent; } __attribute__((packed)); #define HCI_EV_LE_CONN_COMPLETE 0x01 struct hci_ev_le_conn_complete { uint8_t status; uint16_t handle; uint8_t role; uint8_t bdaddr_type; bdaddr_t bdaddr; uint16_t interval; uint16_t latency; uint16_t supervision_timeout; uint8_t clk_accurancy; } __attribute__((packed)); struct hci_dev_req { uint16_t dev_id; uint32_t dev_opt; }; struct vhci_vendor_pkt { uint8_t type; uint8_t opcode; uint16_t id; }; #define HCIDEVUP _IOW('H', 201, int) #define HCISETSCAN _IOW('H', 221, int) static int vhci_fd = -1; static void rfkill_unblock_all() { int fd = open("/dev/rfkill", O_WRONLY); if (fd < 0) exit(1); struct rfkill_event event = {0}; event.idx = 0; event.type = RFKILL_TYPE_ALL; event.op = RFKILL_OP_CHANGE_ALL; event.soft = 0; event.hard = 0; if (write(fd, &event, sizeof(event)) < 0) exit(1); close(fd); } static void hci_send_event_packet(int fd, uint8_t evt, void* data, size_t data_len) { struct iovec iv[3]; struct hci_event_hdr hdr; hdr.evt = evt; hdr.plen = data_len; uint8_t type = HCI_EVENT_PKT; iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = &hdr; iv[1].iov_len = sizeof(hdr); iv[2].iov_base = data; iv[2].iov_len = data_len; if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0) exit(1); } static void hci_send_event_cmd_complete(int fd, uint16_t opcode, void* data, size_t data_len) { struct iovec iv[4]; struct hci_event_hdr hdr; hdr.evt = HCI_EV_CMD_COMPLETE; hdr.plen = sizeof(struct hci_ev_cmd_complete) + data_len; struct hci_ev_cmd_complete evt_hdr; evt_hdr.ncmd = 1; evt_hdr.opcode = opcode; uint8_t type = HCI_EVENT_PKT; iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = &hdr; iv[1].iov_len = sizeof(hdr); iv[2].iov_base = &evt_hdr; iv[2].iov_len = sizeof(evt_hdr); iv[3].iov_base = data; iv[3].iov_len = data_len; if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0) exit(1); } static bool process_command_pkt(int fd, char* buf, ssize_t buf_size) { struct hci_command_hdr* hdr = (struct hci_command_hdr*)buf; if (buf_size < (ssize_t)sizeof(struct hci_command_hdr) || hdr->plen != buf_size - sizeof(struct hci_command_hdr)) exit(1); switch (hdr->opcode) { case HCI_OP_WRITE_SCAN_ENABLE: { uint8_t status = 0; hci_send_event_cmd_complete(fd, hdr->opcode, &status, sizeof(status)); return true; } case HCI_OP_READ_BD_ADDR: { struct hci_rp_read_bd_addr rp = {0}; rp.status = 0; memset(&rp.bdaddr, 0xaa, 6); hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp)); return false; } case HCI_OP_READ_BUFFER_SIZE: { struct hci_rp_read_buffer_size rp = {0}; rp.status = 0; rp.acl_mtu = 1021; rp.sco_mtu = 96; rp.acl_max_pkt = 4; rp.sco_max_pkt = 6; hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp)); return false; } } char dummy[0xf9] = {0}; hci_send_event_cmd_complete(fd, hdr->opcode, dummy, sizeof(dummy)); return false; } static void* event_thread(void* arg) { while (1) { char buf[1024] = {0}; ssize_t buf_size = read(vhci_fd, buf, sizeof(buf)); if (buf_size < 0) exit(1); if (buf_size > 0 && buf[0] == HCI_COMMAND_PKT) { if (process_command_pkt(vhci_fd, buf + 1, buf_size - 1)) break; } } return NULL; } #define HCI_HANDLE_1 200 #define HCI_HANDLE_2 201 static void initialize_vhci() { int hci_sock = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI); if (hci_sock < 0) exit(1); vhci_fd = open("/dev/vhci", O_RDWR); if (vhci_fd == -1) exit(1); const int kVhciFd = 202; if (dup2(vhci_fd, kVhciFd) < 0) exit(1); close(vhci_fd); vhci_fd = kVhciFd; struct vhci_vendor_pkt vendor_pkt; if (read(vhci_fd, &vendor_pkt, sizeof(vendor_pkt)) != sizeof(vendor_pkt)) exit(1); if (vendor_pkt.type != HCI_VENDOR_PKT) exit(1); pthread_t th; if (pthread_create(&th, NULL, event_thread, NULL)) exit(1); int ret = ioctl(hci_sock, HCIDEVUP, vendor_pkt.id); if (ret) { if (errno == ERFKILL) { rfkill_unblock_all(); ret = ioctl(hci_sock, HCIDEVUP, vendor_pkt.id); } if (ret && errno != EALREADY) exit(1); } struct hci_dev_req dr = {0}; dr.dev_id = vendor_pkt.id; dr.dev_opt = SCAN_PAGE; if (ioctl(hci_sock, HCISETSCAN, &dr)) exit(1); struct hci_ev_conn_request request; memset(&request, 0, sizeof(request)); memset(&request.bdaddr, 0xaa, 6); *(uint8_t*)&request.bdaddr.b[5] = 0x10; request.link_type = ACL_LINK; hci_send_event_packet(vhci_fd, HCI_EV_CONN_REQUEST, &request, sizeof(request)); struct hci_ev_conn_complete complete; memset(&complete, 0, sizeof(complete)); complete.status = 0; complete.handle = HCI_HANDLE_1; memset(&complete.bdaddr, 0xaa, 6); *(uint8_t*)&complete.bdaddr.b[5] = 0x10; complete.link_type = ACL_LINK; complete.encr_mode = 0; hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete, sizeof(complete)); struct hci_ev_remote_features features; memset(&features, 0, sizeof(features)); features.status = 0; features.handle = HCI_HANDLE_1; hci_send_event_packet(vhci_fd, HCI_EV_REMOTE_FEATURES, &features, sizeof(features)); struct { struct hci_ev_le_meta le_meta; struct hci_ev_le_conn_complete le_conn; } le_conn; memset(&le_conn, 0, sizeof(le_conn)); le_conn.le_meta.subevent = HCI_EV_LE_CONN_COMPLETE; memset(&le_conn.le_conn.bdaddr, 0xaa, 6); *(uint8_t*)&le_conn.le_conn.bdaddr.b[5] = 0x11; le_conn.le_conn.role = 1; le_conn.le_conn.handle = HCI_HANDLE_2; hci_send_event_packet(vhci_fd, HCI_EV_LE_META, &le_conn, sizeof(le_conn)); pthread_join(th, NULL); close(hci_sock); } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } if (symlink("/dev/binderfs", "./binderfs")) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); initialize_vhci(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } setup_binderfs(); loop(); exit(1); } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void close_fds() { for (int fd = 3; fd < MAX_FDS; fd++) close(fd); } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 4; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); close_fds(); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/rfkill\000", 12); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x100001ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint32_t*)0x20000040 = 0; *(uint8_t*)0x20000044 = 0; *(uint8_t*)0x20000045 = 3; *(uint8_t*)0x20000046 = 1; *(uint8_t*)0x20000047 = 0; syscall(__NR_write, r[0], 0x20000040ul, 8ul); break; case 2: res = -1; res = syz_init_net_socket(0x1f, 5, 2); if (res != -1) r[1] = res; break; case 3: *(uint16_t*)0x20000040 = 0x1f; *(uint16_t*)0x20000042 = 0; memset((void*)0x20000044, 255, 6); *(uint16_t*)0x2000004a = 0; *(uint8_t*)0x2000004c = 0; syscall(__NR_connect, r[1], 0x20000040ul, 0xeul); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { do_sandbox_none(); } } sleep(1000000); return 0; } [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency [PATCH 2/2] Bluetooth: SCO: fix sco_conn related locking and validity -- 2.42.1

1 year, 6 months

2
3
0 0

[PATCH v3] fs, USB gadget: Remove libaio I/O cancellation support

by Bart Van Assche

Originally io_cancel() only supported cancelling USB reads and writes. If I/O was cancelled successfully, information about the cancelled I/O operation was copied to the data structure the io_cancel() 'result' argument points at. Commit 63b05203af57 ("[PATCH] AIO: retry infrastructure fixes and enhancements") changed the io_cancel() behavior from reporting status information via the 'result' argument into reporting status information on the completion ring. Commit 41003a7bcfed ("aio: remove retry-based AIO") accidentally changed the behavior into not reporting a completion event on the completion ring for cancelled requests. This is a bug because successful cancellation leads to an iocb leak in user space. Since this bug was introduced more than ten years ago and since nobody has complained since then, remove support for I/O cancellation. Keep support for cancellation of IOCB_CMD_POLL requests. Calling kiocb_set_cancel_fn() without knowing whether the caller submitted a struct kiocb or a struct aio_kiocb is unsafe. The following call trace illustrates that without this patch an out-of-bounds write happens if I/O is submitted by io_uring (from a phone with an ARM CPU and kernel 6.1): WARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8 Call trace: kiocb_set_cancel_fn+0x9c/0xa8 ffs_epfile_read_iter+0x144/0x1d0 io_read+0x19c/0x498 io_issue_sqe+0x118/0x27c io_submit_sqes+0x25c/0x5fc __arm64_sys_io_uring_enter+0x104/0xab0 invoke_syscall+0x58/0x11c el0_svc_common+0xb4/0xf4 do_el0_svc+0x2c/0xb0 el0_svc+0x2c/0xa4 el0t_64_sync_handler+0x68/0xb4 el0t_64_sync+0x1a4/0x1a8 Cc: Christoph Hellwig <hch(a)lst.de> Cc: Avi Kivity <avi(a)scylladb.com> Cc: Sandeep Dhavale <dhavale(a)google.com> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Fixes: 63b05203af57 ("[PATCH] AIO: retry infrastructure fixes and enhancements") Cc: <stable(a)vger.kernel.org> Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/usb/gadget/function/f_fs.c | 25 ------------------- drivers/usb/gadget/legacy/inode.c | 20 --------------- fs/aio.c | 39 +++++------------------------- include/linux/aio.h | 9 ------- 4 files changed, 6 insertions(+), 87 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 6bff6cb93789..59789292f4f7 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1157,25 +1157,6 @@ ffs_epfile_open(struct inode *inode, struct file *file) return stream_open(inode, file); } -static int ffs_aio_cancel(struct kiocb *kiocb) -{ - struct ffs_io_data *io_data = kiocb->private; - struct ffs_epfile *epfile = kiocb->ki_filp->private_data; - unsigned long flags; - int value; - - spin_lock_irqsave(&epfile->ffs->eps_lock, flags); - - if (io_data && io_data->ep && io_data->req) - value = usb_ep_dequeue(io_data->ep, io_data->req); - else - value = -EINVAL; - - spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags); - - return value; -} - static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from) { struct ffs_io_data io_data, *p = &io_data; @@ -1198,9 +1179,6 @@ static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from) kiocb->private = p; - if (p->aio) - kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); - res = ffs_epfile_io(kiocb->ki_filp, p); if (res == -EIOCBQUEUED) return res; @@ -1242,9 +1220,6 @@ static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to) kiocb->private = p; - if (p->aio) - kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); - res = ffs_epfile_io(kiocb->ki_filp, p); if (res == -EIOCBQUEUED) return res; diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c index 03179b1880fd..99b7366d77af 100644 --- a/drivers/usb/gadget/legacy/inode.c +++ b/drivers/usb/gadget/legacy/inode.c @@ -446,25 +446,6 @@ struct kiocb_priv { unsigned actual; }; -static int ep_aio_cancel(struct kiocb *iocb) -{ - struct kiocb_priv *priv = iocb->private; - struct ep_data *epdata; - int value; - - local_irq_disable(); - epdata = priv->epdata; - // spin_lock(&epdata->dev->lock); - if (likely(epdata && epdata->ep && priv->req)) - value = usb_ep_dequeue (epdata->ep, priv->req); - else - value = -EINVAL; - // spin_unlock(&epdata->dev->lock); - local_irq_enable(); - - return value; -} - static void ep_user_copy_worker(struct work_struct *work) { struct kiocb_priv *priv = container_of(work, struct kiocb_priv, work); @@ -537,7 +518,6 @@ static ssize_t ep_aio(struct kiocb *iocb, iocb->private = priv; priv->iocb = iocb; - kiocb_set_cancel_fn(iocb, ep_aio_cancel); get_ep(epdata); priv->epdata = epdata; priv->actual = 0; diff --git a/fs/aio.c b/fs/aio.c index bb2ff48991f3..c20946d5fcf3 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -203,7 +203,7 @@ struct aio_kiocb { }; struct kioctx *ki_ctx; - kiocb_cancel_fn *ki_cancel; + int (*ki_cancel)(struct kiocb *); struct io_event ki_res; @@ -587,22 +587,6 @@ static int aio_setup_ring(struct kioctx *ctx, unsigned int nr_events) #define AIO_EVENTS_FIRST_PAGE ((PAGE_SIZE - sizeof(struct aio_ring)) / sizeof(struct io_event)) #define AIO_EVENTS_OFFSET (AIO_EVENTS_PER_PAGE - AIO_EVENTS_FIRST_PAGE) -void kiocb_set_cancel_fn(struct kiocb *iocb, kiocb_cancel_fn *cancel) -{ - struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw); - struct kioctx *ctx = req->ki_ctx; - unsigned long flags; - - if (WARN_ON_ONCE(!list_empty(&req->ki_list))) - return; - - spin_lock_irqsave(&ctx->ctx_lock, flags); - list_add_tail(&req->ki_list, &ctx->active_reqs); - req->ki_cancel = cancel; - spin_unlock_irqrestore(&ctx->ctx_lock, flags); -} -EXPORT_SYMBOL(kiocb_set_cancel_fn); - /* * free_ioctx() should be RCU delayed to synchronize against the RCU * protected lookup_ioctx() and also needs process context to call @@ -2158,13 +2142,11 @@ COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id, #endif /* sys_io_cancel: - * Attempts to cancel an iocb previously passed to io_submit. If - * the operation is successfully cancelled, the resulting event is - * copied into the memory pointed to by result without being placed - * into the completion queue and 0 is returned. May fail with - * -EFAULT if any of the data structures pointed to are invalid. - * May fail with -EINVAL if aio_context specified by ctx_id is - * invalid. May fail with -EAGAIN if the iocb specified was not + * Attempts to cancel an IOCB_CMD_POLL iocb previously passed to + * io_submit(). If the operation is successfully cancelled 0 is returned. + * May fail with -EFAULT if any of the data structures pointed to are + * invalid. May fail with -EINVAL if aio_context specified by ctx_id is + * invalid. May fail with -EINPROGRESS if the iocb specified was not * cancelled. Will fail with -ENOSYS if not implemented. */ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, @@ -2196,15 +2178,6 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, } spin_unlock_irq(&ctx->ctx_lock); - if (!ret) { - /* - * The result argument is no longer used - the io_event is - * always delivered via the ring buffer. -EINPROGRESS indicates - * cancellation is progress: - */ - ret = -EINPROGRESS; - } - percpu_ref_put(&ctx->users); return ret; diff --git a/include/linux/aio.h b/include/linux/aio.h index 86892a4fe7c8..9aabca4a0eed 100644 --- a/include/linux/aio.h +++ b/include/linux/aio.h @@ -2,22 +2,13 @@ #ifndef __LINUX__AIO_H #define __LINUX__AIO_H -#include <linux/aio_abi.h> - -struct kioctx; -struct kiocb; struct mm_struct; -typedef int (kiocb_cancel_fn)(struct kiocb *); - /* prototypes */ #ifdef CONFIG_AIO extern void exit_aio(struct mm_struct *mm); -void kiocb_set_cancel_fn(struct kiocb *req, kiocb_cancel_fn *cancel); #else static inline void exit_aio(struct mm_struct *mm) { } -static inline void kiocb_set_cancel_fn(struct kiocb *req, - kiocb_cancel_fn *cancel) { } #endif /* CONFIG_AIO */ #endif /* __LINUX__AIO_H */

1 year, 6 months

4
5
0 0

[PATCH net 0/7] mptcp: locking cleanup & misc. fixes

by Matthieu Baerts (NGI0)

Patches 1-4 are fixes for issues found by Paolo while working on adding TCP_NOTSENT_LOWAT support. The latter will need to track more states under the msk data lock. Since the locking msk locking schema is already quite complex, do a long awaited clean-up step by moving several confusing lockless initialization under the relevant locks. Note that it is unlikely a real race could happen even prior to such patches as the MPTCP-level state machine implicitly ensures proper serialization of the write accesses, even lacking explicit lock. But still, simplification is welcome and this will help for the maintenance. This can be backported up to v5.6. Patch 5 is a fix for the userspace PM, not to add new local address entries if the address is already in the list. This behaviour can be seen since v5.19. Patch 6 fixes an issue when Fastopen is used. The issue can happen since v6.2. A previous fix has already been applied, but not taking care of all cases according to syzbot. Patch 7 updates Geliang's email address in the MAINTAINERS file. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Geliang Tang (2): mptcp: check addrs list in userspace_pm_get_local_id MAINTAINERS: update Geliang's email address Paolo Abeni (5): mptcp: drop the push_pending field mptcp: fix rcv space initialization mptcp: fix more tx path fields initialization mptcp: corner case locking for rx path fields initialization mptcp: really cope with fastopen race .mailmap | 9 +++--- MAINTAINERS | 2 +- net/mptcp/fastopen.c | 6 ++-- net/mptcp/options.c | 9 +++--- net/mptcp/pm_userspace.c | 13 ++++++++- net/mptcp/protocol.c | 31 +++++++++++---------- net/mptcp/protocol.h | 16 ++++++----- net/mptcp/subflow.c | 71 ++++++++++++++++++++++++++++++------------------ 8 files changed, 95 insertions(+), 62 deletions(-) --- base-commit: 335bac1daae3fd9070d0f9f34d7d7ba708729256 change-id: 20240202-upstream-net-20240202-locking-cleanup-misc-5f2ee79d8356 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 year, 6 months

2
7
0 0

[PATCH] comedi: comedi_8255: Correct error in subdevice initialization

by Frej Drejhammar

The refactoring done in commit 5c57b1ccecc7 ("comedi: comedi_8255: Rework subdevice initialization functions") to the initialization of the io field of struct subdev_8255_private broke all cards using the drivers/comedi/drivers/comedi_8255.c module. Prior to 5c57b1ccecc7, __subdev_8255_init() initialized the io field in the newly allocated struct subdev_8255_private to the non-NULL callback given to the function, otherwise it used a flag parameter to select between subdev_8255_mmio and subdev_8255_io. The refactoring removed that logic and the flag, as subdev_8255_mm_init() and subdev_8255_io_init() now explicitly pass subdev_8255_mmio and subdev_8255_io respectively to __subdev_8255_init(), only __subdev_8255_init() never sets spriv->io to the supplied callback. That spriv->io is NULL leads to a later BUG: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0010 [#1] SMP PTI CPU: 1 PID: 1210 Comm: systemd-udevd Not tainted 6.7.3-x86_64 #1 Hardware name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00 RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000 R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8 FS: 00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0 Call Trace: <TASK> ? __die_body+0x15/0x57 ? page_fault_oops+0x2ef/0x33c ? insert_vmap_area.constprop.0+0xb6/0xd5 ? alloc_vmap_area+0x529/0x5ee ? exc_page_fault+0x15a/0x489 ? asm_exc_page_fault+0x22/0x30 __subdev_8255_init+0x79/0x8d [comedi_8255] pci_8255_auto_attach+0x11a/0x139 [8255_pci] comedi_auto_config+0xac/0x117 [comedi] ? __pfx___driver_attach+0x10/0x10 pci_device_probe+0x88/0xf9 really_probe+0x101/0x248 __driver_probe_device+0xbb/0xed driver_probe_device+0x1a/0x72 __driver_attach+0xd4/0xed bus_for_each_dev+0x76/0xb8 bus_add_driver+0xbe/0x1be driver_register+0x9a/0xd8 comedi_pci_driver_register+0x28/0x48 [comedi_pci] ? __pfx_pci_8255_driver_init+0x10/0x10 [8255_pci] do_one_initcall+0x72/0x183 do_init_module+0x5b/0x1e8 init_module_from_file+0x86/0xac __do_sys_finit_module+0x151/0x218 do_syscall_64+0x72/0xdb entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7f72f50a0cb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffd47e512d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000562dd06ae070 RCX: 00007f72f50a0cb9 RDX: 0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e RBP: 0000000000000000 R08: 00007f72f5168b20 R09: 0000000000000000 R10: 0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df R13: 0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8 </TASK> Modules linked in: 8255_pci(+) comedi_8255 comedi_pci comedi intel_gtt e100(+) acpi_cpufreq rtc_cmos usbhid CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00 RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000 R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8 FS: 00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0 This patch simply corrects the above mistake by initializing spriv->io to the given io callback. Fixes: 5c57b1ccecc7 ("comedi: comedi_8255: Rework subdevice initialization functions") Signed-off-by: Frej Drejhammar <frej.drejhammar(a)gmail.com> Cc: <stable(a)vger.kernel.org> --- drivers/comedi/drivers/comedi_8255.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/comedi/drivers/comedi_8255.c b/drivers/comedi/drivers/comedi_8255.c index e4974b508328..a933ef53845a 100644 --- a/drivers/comedi/drivers/comedi_8255.c +++ b/drivers/comedi/drivers/comedi_8255.c @@ -159,6 +159,7 @@ static int __subdev_8255_init(struct comedi_device *dev, return -ENOMEM; spriv->context = context; + spriv->io = io; s->type = COMEDI_SUBD_DIO; s->subdev_flags = SDF_READABLE | SDF_WRITABLE; -- 2.43.0

1 year, 6 months

2
1
0 0

[PATCH] scsi: elx: efct: adjust error handling inside efct_hw_setup_io

by Fedor Pchelkin

IO and WQE buffers are allocated once per HW and can be reused later. If WQE buffers allocation fails then the whole allocation is marked as failed but already created IO array internal objects are not freed. hw->io is freed but not nullified in that specific case - it may become a problem later as efct_hw_setup_io() is supposed to be reusable for the same HW. While at it, use kcalloc instead of kmalloc_array/memset-zero combination and get rid of some needless NULL assignments: nullifying hw->io[i] elements just before freeing hw->io is not really useful. Found by Linux Verification Center (linuxtesting.org). Fixes: 4df84e846624 ("scsi: elx: efct: Driver initialization routines") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- drivers/scsi/elx/efct/efct_hw.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/drivers/scsi/elx/efct/efct_hw.c b/drivers/scsi/elx/efct/efct_hw.c index 5a5525054d71..e5486e6949f9 100644 --- a/drivers/scsi/elx/efct/efct_hw.c +++ b/drivers/scsi/elx/efct/efct_hw.c @@ -487,12 +487,10 @@ efct_hw_setup_io(struct efct_hw *hw) struct efct *efct = hw->os; if (!hw->io) { - hw->io = kmalloc_array(hw->config.n_io, sizeof(io), GFP_KERNEL); + hw->io = kcalloc(hw->config.n_io, sizeof(io), GFP_KERNEL); if (!hw->io) return -ENOMEM; - memset(hw->io, 0, hw->config.n_io * sizeof(io)); - for (i = 0; i < hw->config.n_io; i++) { hw->io[i] = kzalloc(sizeof(*io), GFP_KERNEL); if (!hw->io[i]) @@ -502,10 +500,8 @@ efct_hw_setup_io(struct efct_hw *hw) /* Create WQE buffs for IO */ hw->wqe_buffs = kzalloc((hw->config.n_io * hw->sli.wqe_size), GFP_KERNEL); - if (!hw->wqe_buffs) { - kfree(hw->io); - return -ENOMEM; - } + if (!hw->wqe_buffs) + goto error; } else { /* re-use existing IOs, including SGLs */ @@ -586,10 +582,8 @@ efct_hw_setup_io(struct efct_hw *hw) return 0; error: - for (i = 0; i < hw->config.n_io && hw->io[i]; i++) { + for (i = 0; i < hw->config.n_io && hw->io[i]; i++) kfree(hw->io[i]); - hw->io[i] = NULL; - } kfree(hw->io); hw->io = NULL; -- 2.39.2

1 year, 6 months

2
3
0 0

[PATCH stable 5.4 v2] net: bcmgenet: Fix EEE implementation

by Florian Fainelli

commit a9f31047baca57d47440c879cf259b86f900260c upstream We had a number of short comings: - EEE must be re-evaluated whenever the state machine detects a link change as wight be switching from a link partner with EEE enabled/disabled - tx_lpi_enabled controls whether EEE should be enabled/disabled for the transmit path, which applies to the TBUF block - We do not need to forcibly enable EEE upon system resume, as the PHY state machine will trigger a link event that will do that, too Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support") Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Reviewed-by: Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> Link: https://lore.kernel.org/r/20230606214348.2408018-1-florian.fainelli@broadco… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> --- Changes in v2: - removed Changed-id .../net/ethernet/broadcom/genet/bcmgenet.c | 22 +++++++------------ .../net/ethernet/broadcom/genet/bcmgenet.h | 3 +++ drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 +++++ 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c index eeadeeec17ba..380bf7a328ba 100644 --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c @@ -1018,7 +1018,8 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev, } } -static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) +void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + bool tx_lpi_enabled) { struct bcmgenet_priv *priv = netdev_priv(dev); u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL; @@ -1038,7 +1039,7 @@ static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) /* Enable EEE and switch to a 27Mhz clock automatically */ reg = bcmgenet_readl(priv->base + off); - if (enable) + if (tx_lpi_enabled) reg |= TBUF_EEE_EN | TBUF_PM_EN; else reg &= ~(TBUF_EEE_EN | TBUF_PM_EN); @@ -1059,6 +1060,7 @@ static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) priv->eee.eee_enabled = enable; priv->eee.eee_active = enable; + priv->eee.tx_lpi_enabled = tx_lpi_enabled; } static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_eee *e) @@ -1074,6 +1076,7 @@ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_eee *e) e->eee_enabled = p->eee_enabled; e->eee_active = p->eee_active; + e->tx_lpi_enabled = p->tx_lpi_enabled; e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER); return phy_ethtool_get_eee(dev->phydev, e); @@ -1083,7 +1086,6 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_eee *e) { struct bcmgenet_priv *priv = netdev_priv(dev); struct ethtool_eee *p = &priv->eee; - int ret = 0; if (GENET_IS_V1(priv)) return -EOPNOTSUPP; @@ -1094,16 +1096,11 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_eee *e) p->eee_enabled = e->eee_enabled; if (!p->eee_enabled) { - bcmgenet_eee_enable_set(dev, false); + bcmgenet_eee_enable_set(dev, false, false); } else { - ret = phy_init_eee(dev->phydev, 0); - if (ret) { - netif_err(priv, hw, dev, "EEE initialization failed\n"); - return ret; - } - + p->eee_active = phy_init_eee(dev->phydev, false) >= 0; bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); - bcmgenet_eee_enable_set(dev, true); + bcmgenet_eee_enable_set(dev, p->eee_active, e->tx_lpi_enabled); } return phy_ethtool_set_eee(dev->phydev, e); @@ -3688,9 +3685,6 @@ static int bcmgenet_resume(struct device *d) if (!device_may_wakeup(d)) phy_resume(dev->phydev); - if (priv->eee.eee_enabled) - bcmgenet_eee_enable_set(dev, true); - bcmgenet_netif_start(dev); netif_device_attach(dev); diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h index 5b7c2f9241d0..29bf256d13f6 100644 --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h @@ -736,4 +736,7 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv, void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv, enum bcmgenet_power_mode mode); +void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + bool tx_lpi_enabled); + #endif /* __BCMGENET_H__ */ diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c index 2fbec2acb606..026f00ccaa0c 100644 --- a/drivers/net/ethernet/broadcom/genet/bcmmii.c +++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c @@ -25,6 +25,7 @@ #include "bcmgenet.h" + /* setup netdev link state when PHY link status change and * update UMAC and RGMII block when link up */ @@ -96,6 +97,11 @@ void bcmgenet_mii_setup(struct net_device *dev) CMD_RX_PAUSE_IGNORE | CMD_TX_PAUSE_IGNORE); reg |= cmd_bits; bcmgenet_umac_writel(priv, reg, UMAC_CMD); + + priv->eee.eee_active = phy_init_eee(phydev, 0) >= 0; + bcmgenet_eee_enable_set(dev, + priv->eee.eee_enabled && priv->eee.eee_active, + priv->eee.tx_lpi_enabled); } else { /* done if nothing has changed */ if (!status_changed) -- 2.34.1

1 year, 6 months

2
3
0 0

[PATCH] power: supply: mm8013: select REGMAP_I2C

by Thomas Weißschuh

The driver uses regmap APIs so it should make sure they are available. Fixes: c75f4bf6800b ("power: supply: Introduce MM8013 fuel gauge driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- drivers/power/supply/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/power/supply/Kconfig b/drivers/power/supply/Kconfig index f21cb05815ec..3e31375491d5 100644 --- a/drivers/power/supply/Kconfig +++ b/drivers/power/supply/Kconfig @@ -978,6 +978,7 @@ config CHARGER_QCOM_SMB2 config FUEL_GAUGE_MM8013 tristate "Mitsumi MM8013 fuel gauge driver" depends on I2C + select REGMAP_I2C help Say Y here to enable the Mitsumi MM8013 fuel gauge driver. It enables the monitoring of many battery parameters, including --- base-commit: 54be6c6c5ae8e0d93a6c4641cb7528eb0b6ba478 change-id: 20240204-mm8013-regmap-d8d18ada07c2 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

1 year, 6 months

3
2
0 0

Please apply commit b4909252da9b ("drivers: lkdtm: fix clang -Wformat warning") to v5.15.y

by Guenter Roeck

Hi, please consider applying the following patch to v5.15.y to fix a build error seen with various test builds (m68k:allmodconfig, powerpc:allmodconfig, powerpc:ppc32_allmodconfig, and xtensa:allmodconfig). b4909252da9b ("drivers: lkdtm: fix clang -Wformat warning") Thanks, Guenter

1 year, 6 months

2
1
0 0

[PATCH v2 5.15.y 0/3] Backport Fixes to 5.15.y

by Guruswamy Basavaiah

Correction: The subject line in my previous message erroneously stated "5.10.y" in patch 2/3 and 3/3, instead of the correct "5.15.y." Sending again after correction. Here are the three backported patches aimed at addressing a potential crash and an actual crash. Patch 1 Fix potential OOB access in receive_encrypted_standard() if server returned a large shdr->NextCommand in cifs. Patch 2 fix validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts(). Patch 3 fix issue in patch 2. The original patches were authored by Paulo Alcantara <pc(a)manguebit.com>. Original Patches: 1. eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()") 2. af1689a9b770 ("smb: client: fix potential OOBs in smb2_parse_contexts()") 3. 76025cc2285d ("smb: client: fix parsing of SMB3.1.1 POSIX create context") Please review and consider applying these patches. https://lore.kernel.org/all/2023121834-semisoft-snarl-49ad@gregkh/ fs/cifs/smb2ops.c | 4 +++- fs/cifs/smb2pdu.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------- fs/cifs/smb2proto.h | 12 +++++++----- 3 files changed, 66 insertions(+), 43 deletions(-)

1 year, 6 months

1
3
0 0

[PATCH 5.15.y 1/3] smb: client: fix OOB in receive_encrypted_standard()

by Guruswamy Basavaiah

From: Paulo Alcantara <pc(a)manguebit.com> [ Upstream commit eec04ea119691e65227a97ce53c0da6b9b74b0b7 ] Fix potential OOB in receive_encrypted_standard() if server returned a large shdr->NextCommand that would end up writing off the end of @next_buffer. Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses") Cc: stable(a)vger.kernel.org Reported-by: Robert Morris <rtm(a)csail.mit.edu> Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [Guru: receive_encrypted_standard() is present in file smb2ops.c, smb2ops.c file location is changed, modified patch accordingly.] Signed-off-by: Guruswamy Basavaiah <guruswamy.basavaiah(a)broadcom.com> --- fs/cifs/smb2ops.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index f31da2647d04..867b32b1393f 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -5153,6 +5153,7 @@ receive_encrypted_standard(struct TCP_Server_Info *server, struct smb2_sync_hdr *shdr; unsigned int pdu_length = server->pdu_size; unsigned int buf_size; + unsigned int next_cmd; struct mid_q_entry *mid_entry; int next_is_large; char *next_buffer = NULL; @@ -5181,14 +5182,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server, next_is_large = server->large_buf; one_more: shdr = (struct smb2_sync_hdr *)buf; - if (shdr->NextCommand) { + next_cmd = le32_to_cpu(shdr->NextCommand); + if (next_cmd) { + if (WARN_ON_ONCE(next_cmd > pdu_length)) + return -1; if (next_is_large) next_buffer = (char *)cifs_buf_get(); else next_buffer = (char *)cifs_small_buf_get(); - memcpy(next_buffer, - buf + le32_to_cpu(shdr->NextCommand), - pdu_length - le32_to_cpu(shdr->NextCommand)); + memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd); } mid_entry = smb2_find_mid(server, buf); @@ -5212,8 +5214,8 @@ receive_encrypted_standard(struct TCP_Server_Info *server, else ret = cifs_handle_standard(server, mid_entry); - if (ret == 0 && shdr->NextCommand) { - pdu_length -= le32_to_cpu(shdr->NextCommand); + if (ret == 0 && next_cmd) { + pdu_length -= next_cmd; server->large_buf = next_is_large; if (next_is_large) server->bigbuf = buf = next_buffer; -- 2.25.1

1 year, 6 months

1
5
0 0

[PATCH v2] Revert "usb: typec: tcpm: fix cc role at port reset"

by Badhri Jagan Sridharan

This reverts commit 1e35f074399dece73d5df11847d4a0d7a6f49434. Given that ERROR_RECOVERY calls into PORT_RESET for Hi-Zing the CC pins, setting CC pins to default state during PORT_RESET breaks error recovery. 4.5.2.2.2.1 ErrorRecovery State Requirements The port shall not drive VBUS or VCONN, and shall present a high-impedance to ground (above zOPEN) on its CC1 and CC2 pins. Hi-Zing the CC pins is the inteded behavior for PORT_RESET. CC pins are set to default state after tErrorRecovery in PORT_RESET_WAIT_OFF. 4.5.2.2.2.2 Exiting From ErrorRecovery State A Sink shall transition to Unattached.SNK after tErrorRecovery. A Source shall transition to Unattached.SRC after tErrorRecovery. Cc: stable(a)vger.kernel.org Cc: Frank Wang <frank.wang(a)rock-chips.com> Fixes: 1e35f074399d ("usb: typec: tcpm: fix cc role at port reset") Signed-off-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/tcpm/tcpm.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 5945e3a2b0f7..9d410718eaf4 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4876,8 +4876,7 @@ static void run_state_machine(struct tcpm_port *port) break; case PORT_RESET: tcpm_reset_port(port); - tcpm_set_cc(port, tcpm_default_state(port) == SNK_UNATTACHED ? - TYPEC_CC_RD : tcpm_rp_cc(port)); + tcpm_set_cc(port, TYPEC_CC_OPEN); tcpm_set_state(port, PORT_RESET_WAIT_OFF, PD_T_ERROR_RECOVERY); break; base-commit: 933bb7b878ddd0f8c094db45551a7daddf806e00 -- 2.43.0.429.g432eaa2c6b-goog

1 year, 6 months

5
4
0 0

[REGRESSION] 6.7.0: ASoC: SOF: refactoring breaks sof-rt5682 audio on chromebook; successfully bisected

by Mole Shang

I'm relatively new here, first time reporting a regression, so apologies in advance if I'm doing something wrong. I'm using Arch Linux (linux-mainline kernel) on my chromebook Acer Spin 713-2W (Voxel), and after upgrading linux-mainline from 6.7-rc4 to 6.7-rc5 the audio setup isn't working anymore. Firstly I suspected its some changes in the sof- firmware, yet got no luck in upgrading sof-firmware (2023.09.2 -> 2023.12). On certain chromebooks, audio setup needs custom ALSA ucm confs [1], but after contacting the chromebook-linux-audio developer [2], I think it's not a conf problem, but rather a kernel regression. After hours of bisecting, the first bad commit 31ed8da (ASoC: SOF: sof-audio: Modify logic for enabling/disabling topology cores) ensures the regression. demsg log pasted below: // before 31ed8da, working [ 61.572587] sof-audio-pci-intel-tgl 0000:00:1f.3: ipc tx error for 0x60010000 (msg/reply size: 108/20): -22 [ 61.572593] sof-audio-pci-intel-tgl 0000:00:1f.3: HW params ipc failed for stream 1 [ 61.572594] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_hw_params on 0000:00:1f.3: -22 [ 61.573247] sof-audio-pci-intel-tgl 0000:00:1f.3: ipc tx error for 0x60010000 (msg/reply size: 108/20): -22 [ 61.573250] sof-audio-pci-intel-tgl 0000:00:1f.3: HW params ipc failed for stream 1 [ 61.573251] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_hw_params on 0000:00:1f.3: -22 [ 61.573888] sof-audio-pci-intel-tgl 0000:00:1f.3: ipc tx error for 0x60010000 (msg/reply size: 108/20): -22 [ 61.573892] sof-audio-pci-intel-tgl 0000:00:1f.3: HW params ipc failed for stream 1 [ 61.573893] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_hw_params on 0000:00:1f.3: -22 [ 61.574570] sof-audio-pci-intel-tgl 0000:00:1f.3: ipc tx error for 0x60010000 (msg/reply size: 108/20): -22 [ 61.574572] sof-audio-pci-intel-tgl 0000:00:1f.3: HW params ipc failed for stream 1 [ 61.574573] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_hw_params on 0000:00:1f.3: -22 // after 31ed8da, broken [ 48.930740] sof-audio-pci-intel-tgl 0000:00:1f.3: ipc tx error for 0x30020000 (msg/reply size: 12/0): -13 [ 48.930762] sof-audio-pci-intel-tgl 0000:00:1f.3: failed to free widget DMIC0.IN [ 57.235697] sof-audio-pci-intel-tgl 0000:00:1f.3: ipc tx error for 0x30030000 (msg/reply size: 16/0): -22 [ 57.235701] sof-audio-pci-intel-tgl 0000:00:1f.3: sof_ipc3_route_setup: route DMIC0.IN -> BUF4.0 failed [ 57.235703] sof-audio-pci-intel-tgl 0000:00:1f.3: sof_ipc3_set_up_all_pipelines: route set up failed [ 57.235704] sof-audio-pci-intel-tgl 0000:00:1f.3: Failed to restore pipeline after resume -22 [ 57.235706] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.235926] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.235966] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.236006] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.236041] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.236074] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.236107] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.236141] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.236173] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.236205] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 [ 57.236239] sof-audio-pci-intel-tgl 0000:00:1f.3: ASoC: error at snd_soc_pcm_component_pm_runtime_get on 0000:00:1f.3: -22 Steps to reproduce: - Run chromebook-linux-audio script [2] (this would install custom sof-rt5682 ucm confs [1] into /usr/share/alsa/ucm2/conf.d/sof-rt5682 and write a line `options snd-intel-dspcfg dsp_driver=3` to /etc/modprobe.d/snd-sof.conf) - Reboot, gets audio working on kernels before 31ed8da - Install latest stable kernel (6.7.3), audio broken - Install latest git kernel (6.8-rc2), audio broken - Revert 31ed8da, build upon latest linux-git (6.8-rc2), audio working Apologies for my busyiness that I should have reported it long before the regression enters stable and lts, but sadly linux-lts (6.6.13) seems to be affected too [3]. Please let me know if there's any other thing that I can help debugging. -- Mole Shang [1]: https://github.com/WeirdTreeThing/chromebook-ucm-conf/tree/main/sof-rt5682 [2]: https://github.com/WeirdTreeThing/chromebook-linux-audio/issues/70 [3]: https://github.com/WeirdTreeThing/chromebook-linux-audio/issues/ 70#issuecomment-1911048309 #regzbot introduced: 31ed8da1c8e5e504710bb36863700e3389f8fc81

1 year, 6 months

2
1
0 0

[char-misc 1/2] mei: me: add arrow lake point S DID

by Tomas Winkler

From: Alexander Usyskin <alexander.usyskin(a)intel.com> Add Arrow Lake S device id. Cc: <stable(a)vger.kernel.org> Signed-off-by: Alexander Usyskin <alexander.usyskin(a)intel.com> Signed-off-by: Tomas Winkler <tomas.winkler(a)intel.com> --- drivers/misc/mei/hw-me-regs.h | 1 + drivers/misc/mei/pci-me.c | 1 + 2 files changed, 2 insertions(+) diff --git a/drivers/misc/mei/hw-me-regs.h b/drivers/misc/mei/hw-me-regs.h index 961e5d53a27a8c4221b4b33c..b10536e4974dbdeed046f4f0 100644 --- a/drivers/misc/mei/hw-me-regs.h +++ b/drivers/misc/mei/hw-me-regs.h @@ -112,6 +112,7 @@ #define MEI_DEV_ID_RPL_S 0x7A68 /* Raptor Lake Point S */ #define MEI_DEV_ID_MTL_M 0x7E70 /* Meteor Lake Point M */ +#define MEI_DEV_ID_ARL_S 0x7F68 /* Arrow Lake Point S */ /* * MEI HW Section diff --git a/drivers/misc/mei/pci-me.c b/drivers/misc/mei/pci-me.c index 676d566f38ddfd2cbb5c167f..1a614fb7fdb675e77bcb6be8 100644 --- a/drivers/misc/mei/pci-me.c +++ b/drivers/misc/mei/pci-me.c @@ -119,6 +119,7 @@ static const struct pci_device_id mei_me_pci_tbl[] = { {MEI_PCI_DEVICE(MEI_DEV_ID_RPL_S, MEI_ME_PCH15_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_MTL_M, MEI_ME_PCH15_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_ARL_S, MEI_ME_PCH15_CFG)}, /* required last entry */ {0, } -- 2.43.0

1 year, 6 months

1
1
0 0

Re: [PATCH v2] btrfs: handle missing chunk mapping more gracefully

by Celeste Liu

On 3/2/23 09:54, Qu Wenruo wrote: > [BUG] > During my scrub rework, I did a stupid thing like this: > > bio->bi_iter.bi_sector = stripe->logical; > btrfs_submit_bio(fs_info, bio, stripe->mirror_num); > > Above bi_sector assignment is using logical address directly, which > lacks ">> SECTOR_SHIFT". > > This results a read on a range which has no chunk mapping. > > This results the following crash: > > BTRFS critical (device dm-1): unable to find logical 11274289152 length 65536 > assertion failed: !IS_ERR(em), in fs/btrfs/volumes.c:6387 > ------------[ cut here ]------------ > > Sure this is all my fault, but this shows a possible problem in real > world, that some bitflip in file extents/tree block can point to > unmapped ranges, and trigger above ASSERT(), or if CONFIG_BTRFS_ASSERT > is not configured, cause invalid pointer. > > [PROBLEMS] > In above call chain, we just don't handle the possible error from > btrfs_get_chunk_map() inside __btrfs_map_block(). > > [FIX] > The fix is pretty straightforward, just replace the ASSERT() with proper > error handling. > > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > --- > Changelog: > v2: > - Rebased to latest misc-next > The error path in bio.c is already fixed, thus only need to replace > the ASSERT() in __btrfs_map_block(). > --- > fs/btrfs/volumes.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c > index 4d479ac233a4..93bc45001e68 100644 > --- a/fs/btrfs/volumes.c > +++ b/fs/btrfs/volumes.c > @@ -6242,7 +6242,8 @@ int __btrfs_map_block(struct btrfs_fs_info *fs_info, enum btrfs_map_op op, > return -EINVAL; > > em = btrfs_get_chunk_map(fs_info, logical, *length); > - ASSERT(!IS_ERR(em)); > + if (IS_ERR(em)) > + return PTR_ERR(em); > > map = em->map_lookup; > data_stripes = nr_data_stripes(map); This bug affects 6.1.y LTS branch but no backport commit of this fix in 6.1.y branch. Please include it. Thanks.

1 year, 6 months

2
3
0 0

+ mm-memblock-add-memblock_rsrv_noinit-into-flagname-array.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/memblock: add MEMBLOCK_RSRV_NOINIT into flagname[] array has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-memblock-add-memblock_rsrv_noinit-into-flagname-array.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Anshuman Khandual <anshuman.khandual(a)arm.com> Subject: mm/memblock: add MEMBLOCK_RSRV_NOINIT into flagname[] array Date: Fri, 9 Feb 2024 08:39:12 +0530 The commit 77e6c43e137c ("memblock: introduce MEMBLOCK_RSRV_NOINIT flag") skipped adding this newly introduced memblock flag into flagname[] array, thus preventing a correct memblock flags output for applicable memblock regions. Link: https://lkml.kernel.org/r/20240209030912.1382251-1-anshuman.khandual@arm.com Fixes: 77e6c43e137c ("memblock: introduce MEMBLOCK_RSRV_NOINIT flag") Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memblock.c | 1 + 1 file changed, 1 insertion(+) --- a/mm/memblock.c~mm-memblock-add-memblock_rsrv_noinit-into-flagname-array +++ a/mm/memblock.c @@ -2249,6 +2249,7 @@ static const char * const flagname[] = { [ilog2(MEMBLOCK_MIRROR)] = "MIRROR", [ilog2(MEMBLOCK_NOMAP)] = "NOMAP", [ilog2(MEMBLOCK_DRIVER_MANAGED)] = "DRV_MNG", + [ilog2(MEMBLOCK_RSRV_NOINIT)] = "RSV_NIT", }; static int memblock_debug_show(struct seq_file *m, void *private) _ Patches currently in -mm which might be from anshuman.khandual(a)arm.com are fs-proc-task_mmu-add-display-flag-for-vm_mayoverlay.patch mm-memblock-add-memblock_rsrv_noinit-into-flagname-array.patch mm-cma-dont-treat-bad-input-arguments-for-cma_alloc-as-its-failure.patch mm-cma-drop-config_cma_debug.patch mm-cma-make-max_cma_areas-=-config_cma_areas.patch mm-cma-add-sysfs-file-release_pages_success.patch

1 year, 6 months

1
0
0 0

[PATCH] drm/buddy: Fix alloc_range() error handling code

by Arunpravin Paneer Selvam

Few users have observed display corruption when they boot the machine to KDE Plasma or playing games. We have root caused the problem that whenever alloc_range() couldn't find the required memory blocks the function was returning SUCCESS in some of the corner cases. The right approach would be if the total allocated size is less than the required size, the function should return -ENOSPC. Cc: <stable(a)vger.kernel.org> # 6.7+ Fixes: 0a1844bf0b53 ("drm/buddy: Improve contiguous memory allocation") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3097 Tested-by: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://patchwork.kernel.org/project/dri-devel/patch/20240207174456.341121-… Acked-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index f57e6d74fb0e..c1a99bf4dffd 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -539,6 +539,12 @@ static int __alloc_range(struct drm_buddy *mm, } while (1); list_splice_tail(&allocated, blocks); + + if (total_allocated < size) { + err = -ENOSPC; + goto err_free; + } + return 0; err_undo: -- 2.25.1

1 year, 6 months

3
3
0 0

[PATCH 6.6 00/21] xfs backports for 6.6.y (from v6.7)

by Catherine Hoang

Hello, This series contains backports for 6.6 from the 6.7 release. This patchset has gone through xfs testing and review. Anthony Iliopoulos (1): xfs: fix again select in kconfig XFS_ONLINE_SCRUB_STATS Catherine Hoang (2): MAINTAINERS: add Catherine as xfs maintainer for 6.6.y xfs: allow read IO and FICLONE to run concurrently Cheng Lin (1): xfs: introduce protection for drop nlink Christoph Hellwig (4): xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space xfs: only remap the written blocks in xfs_reflink_end_cow_extent xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags xfs: respect the stable writes flag on the RT device Darrick J. Wong (8): xfs: bump max fsgeom struct version xfs: hoist freeing of rt data fork extent mappings xfs: prevent rt growfs when quota is enabled xfs: rt stubs should return negative errnos when rt disabled xfs: fix units conversion error in xfs_bmap_del_extent_delay xfs: make sure maxlen is still congruent with prod when rounding down xfs: clean up dqblk extraction xfs: dquot recovery does not validate the recovered dquot Dave Chinner (1): xfs: inode recovery does not validate the recovered inode Leah Rumancik (1): xfs: up(ic_sema) if flushing data device fails Long Li (2): xfs: factor out xfs_defer_pending_abort xfs: abort intent items when recovery intents fail Omar Sandoval (1): xfs: fix internal error from AGFL exhaustion MAINTAINERS | 1 + fs/xfs/Kconfig | 2 +- fs/xfs/libxfs/xfs_alloc.c | 27 ++++++++++++-- fs/xfs/libxfs/xfs_bmap.c | 21 +++-------- fs/xfs/libxfs/xfs_defer.c | 28 +++++++++------ fs/xfs/libxfs/xfs_defer.h | 2 +- fs/xfs/libxfs/xfs_inode_buf.c | 3 ++ fs/xfs/libxfs/xfs_rtbitmap.c | 33 +++++++++++++++++ fs/xfs/libxfs/xfs_sb.h | 2 +- fs/xfs/xfs_bmap_util.c | 24 +++++++------ fs/xfs/xfs_dquot.c | 5 +-- fs/xfs/xfs_dquot_item_recover.c | 21 +++++++++-- fs/xfs/xfs_file.c | 63 ++++++++++++++++++++++++++------- fs/xfs/xfs_inode.c | 24 +++++++++++++ fs/xfs/xfs_inode.h | 17 +++++++++ fs/xfs/xfs_inode_item_recover.c | 14 +++++++- fs/xfs/xfs_ioctl.c | 30 ++++++++++------ fs/xfs/xfs_iops.c | 7 ++++ fs/xfs/xfs_log.c | 23 ++++++------ fs/xfs/xfs_log_recover.c | 2 +- fs/xfs/xfs_reflink.c | 5 +++ fs/xfs/xfs_rtalloc.c | 33 +++++++++++++---- fs/xfs/xfs_rtalloc.h | 27 ++++++++------ 23 files changed, 312 insertions(+), 102 deletions(-) -- 2.39.3

1 year, 6 months

3
23
0 0

[PATCH v2] arm64/signal: Don't assume that TIF_SVE means we saved SVE state

by Mark Brown

When we are in a syscall we will only save the FPSIMD subset even though the task still has access to the full register set, and on context switch we will only remove TIF_SVE when loading the register state. This means that the signal handling code should not assume that TIF_SVE means that the register state is stored in SVE format, it should instead check the format that was recorded during save. Fixes: 8c845e273104 ("arm64/sve: Leave SVE enabled on syscall if we don't context switch") Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- Changes in v2: - Rebase onto v6.8-rc2. - Link to v1: https://lore.kernel.org/r/20240119-arm64-sve-signal-regs-v1-1-b9fd61b0289a@… --- arch/arm64/kernel/fpsimd.c | 2 +- arch/arm64/kernel/signal.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c index a5dc6f764195..25ceaee6b025 100644 --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c @@ -1635,7 +1635,7 @@ void fpsimd_preserve_current_state(void) void fpsimd_signal_preserve_current_state(void) { fpsimd_preserve_current_state(); - if (test_thread_flag(TIF_SVE)) + if (current->thread.fp_type == FP_STATE_SVE) sve_to_fpsimd(current); } diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 0e8beb3349ea..425b1bc17a3f 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -242,7 +242,7 @@ static int preserve_sve_context(struct sve_context __user *ctx) vl = task_get_sme_vl(current); vq = sve_vq_from_vl(vl); flags |= SVE_SIG_FLAG_SM; - } else if (test_thread_flag(TIF_SVE)) { + } else if (current->thread.fp_type == FP_STATE_SVE) { vq = sve_vq_from_vl(vl); } @@ -878,7 +878,7 @@ static int setup_sigframe_layout(struct rt_sigframe_user_layout *user, if (system_supports_sve() || system_supports_sme()) { unsigned int vq = 0; - if (add_all || test_thread_flag(TIF_SVE) || + if (add_all || current->thread.fp_type == FP_STATE_SVE || thread_sm_enabled(&current->thread)) { int vl = max(sve_max_vl(), sme_max_vl()); --- base-commit: 41bccc98fb7931d63d03f326a746ac4d429c1dd3 change-id: 20240118-arm64-sve-signal-regs-5711e0d10425 Best regards, -- Mark Brown <broonie(a)kernel.org>

1 year, 6 months

2
1
0 0

[regression 6.1.67] dlm: cannot start dlm midcomms -97 after backport of e9cdebbe23f1 ("dlm: use kernel_connect() and kernel_bind()")

by Salvatore Bonaccorso

Hi Valentin, hi all [This is about a regression reported in Debian for 6.1.67] On Tue, Feb 06, 2024 at 01:00:11PM +0100, Valentin Kleibel wrote: > Package: linux-image-amd64 > Version: 6.1.76+1 > Source: linux > Source-Version: 6.1.76+1 > Severity: important > Control: notfound -1 6.6.15-2 > > Dear Maintainers, > > We discovered a bug affecting dlm that prevents any tcp communications by > dlm when booted with debian kernel 6.1.76-1. > > Dlm startup works (corosync-cpgtool shows the dlm:controld group with all > expected nodes) but as soon as we try to add a lockspace dmesg shows: > ``` > dlm: Using TCP for communications > dlm: cannot start dlm midcomms -97 > ``` > > It seems that commit "dlm: use kernel_connect() and kernel_bind()" > (e9cdebbe) was merged to 6.1. > > Checking the code it seems that the changed function dlm_tcp_listen_bind() > fails with exit code 97 (EAFNOSUPPORT) > It is called from > > dlm/lockspace.c: threads_start() -> dlm_midcomms_start() > dlm/midcomms.c: dlm_midcomms_start() -> dlm_lowcomms_start() > dlm/lowcomms.c: dlm_lowcomms_start() -> dlm_listen_for_all() -> > dlm_proto_ops->listen_bind() = dlm_tcp_listen_bind() > > The error code is returned all the way to threads_start() where the error > message is emmitted. > > Booting with the unsigned kernel from testing (6.6.15-2), which also > contains this commit, works without issues. > > I'm not sure what additional changes are required to get this working or if > rolling back this change is an option. > > We'd be happy to test patches that might fix this issue. Thanks for your report. So we have a 6.1.76 specific regression for the backport of e9cdebbe23f1 ("dlm: use kernel_connect() and kernel_bind()") . Let's loop in the upstream regression list for tracking and people involved for the subsystem to see if the issue can be identified. As it is working for 6.6.15 which includes the commit backport as well it might be very well that a prerequisite is missing. # annotate regression with 6.1.y specific commit #regzbot ^introduced e11dea8f503341507018b60906c4a9e7332f3663 #regzbot link: https://bugs.debian.org/1063338 Any ideas? Regards, Salvatore

1 year, 6 months

4
8
0 0

[PATCH] drm/buddy: Fix alloc_range() error handling code

by Arunpravin Paneer Selvam

Few users have observed display corruption when they boot the machine to KDE Plasma or playing games. We have root caused the problem that whenever alloc_range() couldn't find the required memory blocks the function was returning SUCCESS in some of the corner cases. The right approach would be if the total allocated size is less than the required size, the function should return -ENOSPC. Cc: <stable(a)vger.kernel.org> # 6.7+ Fixes: 0a1844bf0b53 ("drm/buddy: Improve contiguous memory allocation") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3097 Tested-by: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://patchwork.kernel.org/project/dri-devel/patch/20240207174456.341121-… Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index f57e6d74fb0e..c1a99bf4dffd 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -539,6 +539,12 @@ static int __alloc_range(struct drm_buddy *mm, } while (1); list_splice_tail(&allocated, blocks); + + if (total_allocated < size) { + err = -ENOSPC; + goto err_free; + } + return 0; err_undo: -- 2.25.1

1 year, 6 months

1
0
0 0

[for-linus][PATCH 2/2] tracing: Fix wasted memory in saved_cmdlines logic

by Steven Rostedt

From: "Steven Rostedt (Google)" <rostedt(a)goodmis.org> While looking at improving the saved_cmdlines cache I found a huge amount of wasted memory that should be used for the cmdlines. The tracing data saves pids during the trace. At sched switch, if a trace occurred, it will save the comm of the task that did the trace. This is saved in a "cache" that maps pids to comms and exposed to user space via the /sys/kernel/tracing/saved_cmdlines file. Currently it only caches by default 128 comms. The structure that uses this creates an array to store the pids using PID_MAX_DEFAULT (which is usually set to 32768). This causes the structure to be of the size of 131104 bytes on 64 bit machines. In hex: 131104 = 0x20020, and since the kernel allocates generic memory in powers of two, the kernel would allocate 0x40000 or 262144 bytes to store this structure. That leaves 131040 bytes of wasted space. Worse, the structure points to an allocated array to store the comm names, which is 16 bytes times the amount of names to save (currently 128), which is 2048 bytes. Instead of allocating a separate array, make the structure end with a variable length string and use the extra space for that. This is similar to a recommendation that Linus had made about eventfs_inode names: https://lore.kernel.org/all/20240130190355.11486-5-torvalds@linux-foundatio… Instead of allocating a separate string array to hold the saved comms, have the structure end with: char saved_cmdlines[]; and round up to the next power of two over sizeof(struct saved_cmdline_buffers) + num_cmdlines * TASK_COMM_LEN It will use this extra space for the saved_cmdline portion. Now, instead of saving only 128 comms by default, by using this wasted space at the end of the structure it can save over 8000 comms and even saves space by removing the need for allocating the other array. Link: https://lore.kernel.org/linux-trace-kernel/20240208105328.7e73f71d@rorschac… Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Vincent Donnefort <vdonnefort(a)google.com> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: Mete Durlu <meted(a)linux.ibm.com> Fixes: 939c7a4f04fcd ("tracing: Introduce saved_cmdlines_size file") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 73 +++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 39 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 2a7c6fd934e9..ea6d13ff256c 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -2320,7 +2320,7 @@ struct saved_cmdlines_buffer { unsigned *map_cmdline_to_pid; unsigned cmdline_num; int cmdline_idx; - char *saved_cmdlines; + char saved_cmdlines[]; }; static struct saved_cmdlines_buffer *savedcmd; @@ -2334,47 +2334,54 @@ static inline void set_cmdline(int idx, const char *cmdline) strncpy(get_saved_cmdlines(idx), cmdline, TASK_COMM_LEN); } -static int allocate_cmdlines_buffer(unsigned int val, - struct saved_cmdlines_buffer *s) +static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s) +{ + int order = get_order(sizeof(*s) + s->cmdline_num * TASK_COMM_LEN); + + kfree(s->map_cmdline_to_pid); + free_pages((unsigned long)s, order); +} + +static struct saved_cmdlines_buffer *allocate_cmdlines_buffer(unsigned int val) { + struct saved_cmdlines_buffer *s; + struct page *page; + int orig_size, size; + int order; + + /* Figure out how much is needed to hold the given number of cmdlines */ + orig_size = sizeof(*s) + val * TASK_COMM_LEN; + order = get_order(orig_size); + size = 1 << (order + PAGE_SHIFT); + page = alloc_pages(GFP_KERNEL, order); + if (!page) + return NULL; + + s = page_address(page); + memset(s, 0, sizeof(*s)); + + /* Round up to actual allocation */ + val = (size - sizeof(*s)) / TASK_COMM_LEN; + s->cmdline_num = val; + s->map_cmdline_to_pid = kmalloc_array(val, sizeof(*s->map_cmdline_to_pid), GFP_KERNEL); - if (!s->map_cmdline_to_pid) - return -ENOMEM; - - s->saved_cmdlines = kmalloc_array(TASK_COMM_LEN, val, GFP_KERNEL); - if (!s->saved_cmdlines) { - kfree(s->map_cmdline_to_pid); - return -ENOMEM; - } s->cmdline_idx = 0; - s->cmdline_num = val; memset(&s->map_pid_to_cmdline, NO_CMDLINE_MAP, sizeof(s->map_pid_to_cmdline)); memset(s->map_cmdline_to_pid, NO_CMDLINE_MAP, val * sizeof(*s->map_cmdline_to_pid)); - return 0; + return s; } static int trace_create_savedcmd(void) { - int ret; - - savedcmd = kmalloc(sizeof(*savedcmd), GFP_KERNEL); - if (!savedcmd) - return -ENOMEM; - - ret = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT, savedcmd); - if (ret < 0) { - kfree(savedcmd); - savedcmd = NULL; - return -ENOMEM; - } + savedcmd = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT); - return 0; + return savedcmd ? 0 : -ENOMEM; } int is_tracing_stopped(void) @@ -6056,26 +6063,14 @@ tracing_saved_cmdlines_size_read(struct file *filp, char __user *ubuf, return simple_read_from_buffer(ubuf, cnt, ppos, buf, r); } -static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s) -{ - kfree(s->saved_cmdlines); - kfree(s->map_cmdline_to_pid); - kfree(s); -} - static int tracing_resize_saved_cmdlines(unsigned int val) { struct saved_cmdlines_buffer *s, *savedcmd_temp; - s = kmalloc(sizeof(*s), GFP_KERNEL); + s = allocate_cmdlines_buffer(val); if (!s) return -ENOMEM; - if (allocate_cmdlines_buffer(val, s) < 0) { - kfree(s); - return -ENOMEM; - } - preempt_disable(); arch_spin_lock(&trace_cmdline_lock); savedcmd_temp = savedcmd; -- 2.43.0

1 year, 6 months

1
1
0 0

[PATCH 1/3] driver core: bus: introduce can_remove()

by Hamza Mahfooz

Currently, drivers have no mechanism to block requests to unbind devices. However, this can cause resource leaks and leave the device in an inconsistent state, such that rebinding the device may cause a hang or otherwise prevent the device from being rebound. So, introduce the can_remove() callback to allow drivers to indicate if it isn't appropriate to remove a device at the given time. Cc: stable(a)vger.kernel.org Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> --- drivers/base/bus.c | 4 ++++ include/linux/device/bus.h | 2 ++ 2 files changed, 6 insertions(+) diff --git a/drivers/base/bus.c b/drivers/base/bus.c index daee55c9b2d9..7c259b01ea99 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -239,6 +239,10 @@ static ssize_t unbind_store(struct device_driver *drv, const char *buf, dev = bus_find_device_by_name(bus, NULL, buf); if (dev && dev->driver == drv) { + if (dev->bus && dev->bus->can_remove && + !dev->bus->can_remove(dev)) + return -EBUSY; + device_driver_detach(dev); err = count; } diff --git a/include/linux/device/bus.h b/include/linux/device/bus.h index 5ef4ec1c36c3..c9d4af0ed3b8 100644 --- a/include/linux/device/bus.h +++ b/include/linux/device/bus.h @@ -46,6 +46,7 @@ struct fwnode_handle; * be called at late_initcall_sync level. If the device has * consumers that are never bound to a driver, this function * will never get called until they do. + * @can_remove: Called before attempting to remove a device from this bus. * @remove: Called when a device removed from this bus. * @shutdown: Called at shut-down time to quiesce the device. * @@ -85,6 +86,7 @@ struct bus_type { int (*uevent)(const struct device *dev, struct kobj_uevent_env *env); int (*probe)(struct device *dev); void (*sync_state)(struct device *dev); + bool (*can_remove)(struct device *dev); void (*remove)(struct device *dev); void (*shutdown)(struct device *dev); -- 2.43.0

1 year, 6 months

5
11
0 0

[for-linus][PATCH 1/2] ftrace: Fix DIRECT_CALLS to use SAVE_REGS by default

by Steven Rostedt

From: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> The commit 60c8971899f3 ("ftrace: Make DIRECT_CALLS work WITH_ARGS and !WITH_REGS") changed DIRECT_CALLS to use SAVE_ARGS when there are multiple ftrace_ops at the same function, but since the x86 only support to jump to direct_call from ftrace_regs_caller, when we set the function tracer on the same target function on x86, ftrace-direct does not work as below (this actually works on arm64.) At first, insmod ftrace-direct.ko to put a direct_call on 'wake_up_process()'. # insmod kernel/samples/ftrace/ftrace-direct.ko # less trace ... <idle>-0 [006] ..s1. 564.686958: my_direct_func: waking up rcu_preempt-17 <idle>-0 [007] ..s1. 564.687836: my_direct_func: waking up kcompactd0-63 <idle>-0 [006] ..s1. 564.690926: my_direct_func: waking up rcu_preempt-17 <idle>-0 [006] ..s1. 564.696872: my_direct_func: waking up rcu_preempt-17 <idle>-0 [007] ..s1. 565.191982: my_direct_func: waking up kcompactd0-63 Setup a function filter to the 'wake_up_process' too, and enable it. # cd /sys/kernel/tracing/ # echo wake_up_process > set_ftrace_filter # echo function > current_tracer # less trace ... <idle>-0 [006] ..s3. 686.180972: wake_up_process <-call_timer_fn <idle>-0 [006] ..s3. 686.186919: wake_up_process <-call_timer_fn <idle>-0 [002] ..s3. 686.264049: wake_up_process <-call_timer_fn <idle>-0 [002] d.h6. 686.515216: wake_up_process <-kick_pool <idle>-0 [002] d.h6. 686.691386: wake_up_process <-kick_pool Then, only function tracer is shown on x86. But if you enable 'kprobe on ftrace' event (which uses SAVE_REGS flag) on the same function, it is shown again. # echo 'p wake_up_process' >> dynamic_events # echo 1 > events/kprobes/p_wake_up_process_0/enable # echo > trace # less trace ... <idle>-0 [006] ..s2. 2710.345919: p_wake_up_process_0: (wake_up_process+0x4/0x20) <idle>-0 [006] ..s3. 2710.345923: wake_up_process <-call_timer_fn <idle>-0 [006] ..s1. 2710.345928: my_direct_func: waking up rcu_preempt-17 <idle>-0 [006] ..s2. 2710.349931: p_wake_up_process_0: (wake_up_process+0x4/0x20) <idle>-0 [006] ..s3. 2710.349934: wake_up_process <-call_timer_fn <idle>-0 [006] ..s1. 2710.349937: my_direct_func: waking up rcu_preempt-17 To fix this issue, use SAVE_REGS flag for multiple ftrace_ops flag of direct_call by default. Link: https://lore.kernel.org/linux-trace-kernel/170484558617.178953.159051694939… Fixes: 60c8971899f3 ("ftrace: Make DIRECT_CALLS work WITH_ARGS and !WITH_REGS") Cc: stable(a)vger.kernel.org Cc: Florent Revest <revest(a)chromium.org> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Reviewed-by: Mark Rutland <mark.rutland(a)arm.com> Tested-by: Mark Rutland <mark.rutland(a)arm.com> [arm64] Acked-by: Jiri Olsa <jolsa(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ftrace.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index b01ae7d36021..c060d5b47910 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -5325,7 +5325,17 @@ static LIST_HEAD(ftrace_direct_funcs); static int register_ftrace_function_nolock(struct ftrace_ops *ops); +/* + * If there are multiple ftrace_ops, use SAVE_REGS by default, so that direct + * call will be jumped from ftrace_regs_caller. Only if the architecture does + * not support ftrace_regs_caller but direct_call, use SAVE_ARGS so that it + * jumps from ftrace_caller for multiple ftrace_ops. + */ +#ifndef HAVE_DYNAMIC_FTRACE_WITH_REGS #define MULTI_FLAGS (FTRACE_OPS_FL_DIRECT | FTRACE_OPS_FL_SAVE_ARGS) +#else +#define MULTI_FLAGS (FTRACE_OPS_FL_DIRECT | FTRACE_OPS_FL_SAVE_REGS) +#endif static int check_direct_multi(struct ftrace_ops *ops) { -- 2.43.0

1 year, 6 months

1
0
0 0

[PATCH v3] soc: qcom: mdt_loader: Add Upperbounds check for program header access

by Auditya Bhattaram

hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH is found. Add an upperbound check to phdrs to access within elf size. Fixes: 64fb5eb87d58 ("soc: qcom: mdt_loader: Allow hash to reside in any segment") Cc: <stable(a)vger.kernel.org> Signed-off-by: Auditya Bhattaram <quic_audityab(a)quicinc.com> --- Changes in v3: - Corrected wrong patch versioning in the Subject. - Added error prints for Invalid access. Link to v2 https://lore.kernel.org/linux-arm-msm/9773d189-c896-d5c5-804c-e086c24987b4@… Link to v1 https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@… --- drivers/soc/qcom/mdt_loader.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index 6f177e46fa0f..61e2377cc5c3 100644 --- a/drivers/soc/qcom/mdt_loader.c +++ b/drivers/soc/qcom/mdt_loader.c @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len, if (phdrs[0].p_type == PT_LOAD) return ERR_PTR(-EINVAL); + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) { + dev_err(dev, "Invalid phdrs access: %s\n", fw_name); + return ERR_PTR(-EINVAL); + } + for (i = 1; i < ehdr->e_phnum; i++) { if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) { hash_segment = i; -- 2.17.1

1 year, 6 months

2
2
0 0

[PATCH v4] mm/zswap: invalidate old entry when store fail or !zswap_enabled

by chengming.zhou＠linux.dev

From: Chengming Zhou <zhouchengming(a)bytedance.com> We may encounter duplicate entry in the zswap_store(): 1. swap slot that freed to per-cpu swap cache, doesn't invalidate the zswap entry, then got reused. This has been fixed. 2. !exclusive load mode, swapin folio will leave its zswap entry on the tree, then swapout again. This has been removed. 3. one folio can be dirtied again after zswap_store(), so need to zswap_store() again. This should be handled correctly. So we must invalidate the old duplicate entry before insert the new one, which actually doesn't have to be done at the beginning of zswap_store(). And this is a normal situation, we shouldn't WARN_ON(1) in this case, so delete it. (The WARN_ON(1) seems want to detect swap entry UAF problem? But not very necessary here.) The good point is that we don't need to lock tree twice in the store success path. Note we still need to invalidate the old duplicate entry in the store failure path, otherwise the new data in swapfile could be overwrite by the old data in zswap pool when lru writeback. We have to do this even when !zswap_enabled since zswap can be disabled anytime. If the folio store success before, then got dirtied again but zswap disabled, we won't invalidate the old duplicate entry in the zswap_store(). So later lru writeback may overwrite the new data in swapfile. Fixes: 42c06a0e8ebe ("mm: kill frontswap") Cc: <stable(a)vger.kernel.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Acked-by: Yosry Ahmed <yosryahmed(a)google.com> Acked-by: Chris Li <chrisl(a)kernel.org> Signed-off-by: Chengming Zhou <zhouchengming(a)bytedance.com> --- v4: - VM_WARN_ON generate no code when !CONFIG_DEBUG_VM, change to use WARN_ON. v3: - Fix a few grammatical problems in comments, per Yosry. v2: - Change the duplicate entry invalidation loop to if, since we hold the lock, we won't find it once we invalidate it, per Yosry. - Add Fixes tag. --- mm/zswap.c | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index cd67f7f6b302..62fe307521c9 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -1518,18 +1518,8 @@ bool zswap_store(struct folio *folio) return false; if (!zswap_enabled) - return false; + goto check_old; - /* - * If this is a duplicate, it must be removed before attempting to store - * it, otherwise, if the store fails the old page won't be removed from - * the tree, and it might be written back overriding the new data. - */ - spin_lock(&tree->lock); - entry = zswap_rb_search(&tree->rbroot, offset); - if (entry) - zswap_invalidate_entry(tree, entry); - spin_unlock(&tree->lock); objcg = get_obj_cgroup_from_folio(folio); if (objcg && !obj_cgroup_may_zswap(objcg)) { memcg = get_mem_cgroup_from_objcg(objcg); @@ -1608,14 +1598,12 @@ bool zswap_store(struct folio *folio) /* map */ spin_lock(&tree->lock); /* - * A duplicate entry should have been removed at the beginning of this - * function. Since the swap entry should be pinned, if a duplicate is - * found again here it means that something went wrong in the swap - * cache. + * The folio may have been dirtied again, invalidate the + * possibly stale entry before inserting the new entry. */ - while (zswap_rb_insert(&tree->rbroot, entry, &dupentry) == -EEXIST) { - WARN_ON(1); + if (zswap_rb_insert(&tree->rbroot, entry, &dupentry) == -EEXIST) { zswap_invalidate_entry(tree, dupentry); + WARN_ON(zswap_rb_insert(&tree->rbroot, entry, &dupentry)); } if (entry->length) { INIT_LIST_HEAD(&entry->lru); @@ -1638,6 +1626,17 @@ bool zswap_store(struct folio *folio) reject: if (objcg) obj_cgroup_put(objcg); +check_old: + /* + * If the zswap store fails or zswap is disabled, we must invalidate the + * possibly stale entry which was previously stored at this offset. + * Otherwise, writeback could overwrite the new data in the swapfile. + */ + spin_lock(&tree->lock); + entry = zswap_rb_search(&tree->rbroot, offset); + if (entry) + zswap_invalidate_entry(tree, entry); + spin_unlock(&tree->lock); return false; shrink: -- 2.40.1

1 year, 6 months

5
8
0 0

+ mm-zswap-invalidate-duplicate-entry-when-zswap_enabled.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/zswap: invalidate duplicate entry when !zswap_enabled has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-zswap-invalidate-duplicate-entry-when-zswap_enabled.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Chengming Zhou <zhouchengming(a)bytedance.com> Subject: mm/zswap: invalidate duplicate entry when !zswap_enabled Date: Thu, 8 Feb 2024 02:32:54 +0000 We have to invalidate any duplicate entry even when !zswap_enabled since zswap can be disabled anytime. If the folio store success before, then got dirtied again but zswap disabled, we won't invalidate the old duplicate entry in the zswap_store(). So later lru writeback may overwrite the new data in swapfile. Link: https://lkml.kernel.org/r/20240208023254.3873823-1-chengming.zhou@linux.dev Fixes: 42c06a0e8ebe ("mm: kill frontswap") Signed-off-by: Chengming Zhou <zhouchengming(a)bytedance.com> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Yosry Ahmed <yosryahmed(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zswap.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/mm/zswap.c~mm-zswap-invalidate-duplicate-entry-when-zswap_enabled +++ a/mm/zswap.c @@ -1516,7 +1516,7 @@ bool zswap_store(struct folio *folio) if (folio_test_large(folio)) return false; - if (!zswap_enabled || !tree) + if (!tree) return false; /* @@ -1531,6 +1531,10 @@ bool zswap_store(struct folio *folio) zswap_invalidate_entry(tree, dupentry); } spin_unlock(&tree->lock); + + if (!zswap_enabled) + return false; + objcg = get_obj_cgroup_from_folio(folio); if (objcg && !obj_cgroup_may_zswap(objcg)) { memcg = get_mem_cgroup_from_objcg(objcg); _ Patches currently in -mm which might be from zhouchengming(a)bytedance.com are mm-zswap-invalidate-duplicate-entry-when-zswap_enabled.patch mm-zswap-make-sure-each-swapfile-always-have-zswap-rb-tree.patch mm-zswap-split-zswap-rb-tree.patch mm-zswap-fix-race-between-lru-writeback-and-swapoff.patch mm-list_lru-remove-list_lru_putback.patch mm-zswap-add-more-comments-in-shrink_memcg_cb.patch mm-zswap-invalidate-zswap-entry-when-swap-entry-free.patch mm-zswap-stop-lru-list-shrinking-when-encounter-warm-region.patch mm-zswap-remove-duplicate_entry-debug-value.patch mm-zswap-only-support-zswap_exclusive_loads_enabled.patch mm-zswap-zswap-entry-doesnt-need-refcount-anymore.patch

1 year, 6 months

1
0
0 0

+ fs-proc-task_mmu-add-display-flag-for-vm_mayoverlay.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/proc/task_mmu: add display flag for VM_MAYOVERLAY has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-proc-task_mmu-add-display-flag-for-vm_mayoverlay.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Anshuman Khandual <anshuman.khandual(a)arm.com> Subject: fs/proc/task_mmu: add display flag for VM_MAYOVERLAY Date: Thu, 8 Feb 2024 14:18:05 +0530 VM_UFFD_MISSING flag is mutually exclussive with VM_MAYOVERLAY flag as they both use the same bit position i.e 0x00000200 in the vm_flags. Let's update show_smap_vma_flags() to display the correct flags depending on CONFIG_MMU. Link: https://lkml.kernel.org/r/20240208084805.1252337-1-anshuman.khandual@arm.com Fixes: b6b7a8faf05c ("mm/nommu: don't use VM_MAYSHARE for MAP_PRIVATE mappings") Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-add-display-flag-for-vm_mayoverlay +++ a/fs/proc/task_mmu.c @@ -681,7 +681,11 @@ static void show_smap_vma_flags(struct s [ilog2(VM_HUGEPAGE)] = "hg", [ilog2(VM_NOHUGEPAGE)] = "nh", [ilog2(VM_MERGEABLE)] = "mg", +#ifdef CONFIG_MMU [ilog2(VM_UFFD_MISSING)]= "um", +#else + [ilog2(VM_MAYOVERLAY)] = "ov", +#endif /* CONFIG_MMU */ [ilog2(VM_UFFD_WP)] = "uw", #ifdef CONFIG_ARM64_MTE [ilog2(VM_MTE)] = "mt", _ Patches currently in -mm which might be from anshuman.khandual(a)arm.com are fs-proc-task_mmu-add-display-flag-for-vm_mayoverlay.patch mm-cma-dont-treat-bad-input-arguments-for-cma_alloc-as-its-failure.patch mm-cma-drop-config_cma_debug.patch mm-cma-make-max_cma_areas-=-config_cma_areas.patch mm-cma-add-sysfs-file-release_pages_success.patch

1 year, 6 months

1
0
0 0

+ lib-kconfigdebug-test_iov_iter-depends-on-mmu.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: lib/Kconfig.debug: TEST_IOV_ITER depends on MMU has been added to the -mm mm-hotfixes-unstable branch. Its filename is lib-kconfigdebug-test_iov_iter-depends-on-mmu.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Guenter Roeck <linux(a)roeck-us.net> Subject: lib/Kconfig.debug: TEST_IOV_ITER depends on MMU Date: Thu, 8 Feb 2024 07:30:10 -0800 Trying to run the iov_iter unit test on a nommu system such as the qemu kc705-nommu emulation results in a crash. KTAP version 1 # Subtest: iov_iter # module: kunit_iov_iter 1..9 BUG: failure at mm/nommu.c:318/vmap()! Kernel panic - not syncing: BUG! The test calls vmap() directly, but vmap() is not supported on nommu systems, causing the crash. TEST_IOV_ITER therefore needs to depend on MMU. Link: https://lkml.kernel.org/r/20240208153010.1439753-1-linux@roeck-us.net Fixes: 2d71340ff1d4 ("iov_iter: Kunit tests for copying to/from an iterator") Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Cc: David Howells <dhowells(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/Kconfig.debug | 1 + 1 file changed, 1 insertion(+) --- a/lib/Kconfig.debug~lib-kconfigdebug-test_iov_iter-depends-on-mmu +++ a/lib/Kconfig.debug @@ -2235,6 +2235,7 @@ config TEST_DIV64 config TEST_IOV_ITER tristate "Test iov_iter operation" if !KUNIT_ALL_TESTS depends on KUNIT + depends on MMU default KUNIT_ALL_TESTS help Enable this to turn on testing of the operation of the I/O iterator _ Patches currently in -mm which might be from linux(a)roeck-us.net are lib-kconfigdebug-test_iov_iter-depends-on-mmu.patch

1 year, 6 months

1
0
0 0

[obsolete] xfs-disable-large-folio-support-in-xfile_create.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: xfs: disable large folio support in xfile_create has been removed from the -mm tree. Its filename was xfs-disable-large-folio-support-in-xfile_create.patch This patch was dropped because it is obsolete ------------------------------------------------------ From: Christoph Hellwig <hch(a)lst.de> Subject: xfs: disable large folio support in xfile_create Date: Wed, 10 Jan 2024 10:21:09 +0100 The xfarray code will crash if large folios are force enabled using: echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled Fixing this will require a bit of an API change, and prefeably sorting out the hwpoison story for pages vs folio and where it is placed in the shmem API. For now use this one liner to disable large folios. Link: https://lkml.kernel.org/r/20240110092109.1950011-3-hch@lst.de Fixes: 3934e8ebb7cc ("xfs: create a big array data structure") Reported-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Cc: Chandan Babu R <chandan.babu(a)oracle.com> Cc: Christian K��nig <christian.koenig(a)amd.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: Dave Airlie <airlied(a)gmail.com> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: David Howells <dhowells(a)redhat.com> Cc: Huang Rui <ray.huang(a)amd.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Jani Nikula <jani.nikula(a)linux.intel.com> Cc: Jarkko Sakkinen <jarkko(a)kernel.org> Cc: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Tvrtko Ursulin <tvrtko.ursulin(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/xfs/scrub/xfile.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/fs/xfs/scrub/xfile.c~xfs-disable-large-folio-support-in-xfile_create +++ a/fs/xfs/scrub/xfile.c @@ -94,6 +94,11 @@ xfile_create( lockdep_set_class(&inode->i_rwsem, &xfile_i_mutex_key); + /* + * We're not quite ready for large folios yet. + */ + mapping_clear_large_folios(inode->i_mapping); + trace_xfile_create(xf); *xfilep = xf; _ Patches currently in -mm which might be from hch(a)lst.de are

1 year, 6 months

1
0
0 0

[obsolete] mm-add-a-mapping_clear_large_folios-helper.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: add a mapping_clear_large_folios helper has been removed from the -mm tree. Its filename was mm-add-a-mapping_clear_large_folios-helper.patch This patch was dropped because it is obsolete ------------------------------------------------------ From: Christoph Hellwig <hch(a)lst.de> Subject: mm: add a mapping_clear_large_folios helper Date: Wed, 10 Jan 2024 10:21:08 +0100 Patch series "disable large folios for shmem file used by xfs xfile". Darrick reported that the fairly new XFS xfile code blows up when force enabling large folio for shmem. This series fixes this quickly by disabling large folios for this particular shmem file for now until it can be fixed properly, which will be a lot more invasive. This patch (of 2): Users of shmem_kernel_file_setup might not be able to deal with large folios (yet). Give them a way to disable large folio support on their mapping. Link: https://lkml.kernel.org/r/20240110092109.1950011-1-hch@lst.de Link: https://lkml.kernel.org/r/20240110092109.1950011-2-hch@lst.de Fixes: 3934e8ebb7cc ("xfs: create a big array data structure") Signed-off-by: Christoph Hellwig <hch(a)lst.de> Cc: Chandan Babu R <chandan.babu(a)oracle.com> Cc: Christian K��nig <christian.koenig(a)amd.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: "Darrick J. Wong" <djwong(a)kernel.org> Cc: Dave Airlie <airlied(a)gmail.com> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: David Howells <dhowells(a)redhat.com> Cc: Huang Rui <ray.huang(a)amd.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Jani Nikula <jani.nikula(a)linux.intel.com> Cc: Jarkko Sakkinen <jarkko(a)kernel.org> Cc: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Tvrtko Ursulin <tvrtko.ursulin(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/pagemap.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- a/include/linux/pagemap.h~mm-add-a-mapping_clear_large_folios-helper +++ a/include/linux/pagemap.h @@ -360,6 +360,20 @@ static inline void mapping_set_large_fol __set_bit(AS_LARGE_FOLIO_SUPPORT, &mapping->flags); } +/** + * mapping_clear_large_folios() - Disable large folio support for a mapping + * @mapping: The mapping. + * + * This can be called to undo the effect of mapping_set_large_folios(). + * + * Context: This should not be called while the inode is active as it + * is non-atomic. + */ +static inline void mapping_clear_large_folios(struct address_space *mapping) +{ + __clear_bit(AS_LARGE_FOLIO_SUPPORT, &mapping->flags); +} + /* * Large folio support currently depends on THP. These dependencies are * being worked on but are not yet fixed. _ Patches currently in -mm which might be from hch(a)lst.de are xfs-disable-large-folio-support-in-xfile_create.patch

1 year, 6 months

1
0
0 0

Apply e08ff622c91a to 6.6.y

by Miguel Ojeda

Hi Greg, Sasha, Please consider applying commit e08ff622c91a to 6.6.y. It requires the following chain: 828176d037e2 ("rust: arc: add explicit `drop()` around `Box::from_raw()`") ae6df65dabc3 ("rust: upgrade to Rust 1.72.1") c61bcc278b19 ("rust: task: remove redundant explicit link") a53d8cdd5a0a ("rust: print: use explicit link in documentation") e08ff622c91a ("rust: upgrade to Rust 1.73.0") which applies cleanly to 6.6.y. This upgrades the Rust compiler version from 1.71.1 to 1.73.0 (2 version upgrades + 3 prerequisites for the upgrades), fixing a couple issues with the Rust compiler version currently used in 6.6.y. In particular: - A build error with `CONFIG_RUST_DEBUG_ASSERTIONS` enabled (`.eh_frame` section unexpected generation). This is solved applying up to ae6df65dabc3. - A developer-only Make target error (building `.rsi` single-target files, i.e. the equivalent to requesting a preprocessed file in C). This is solved applying all of them. Thanks! Cheers, Miguel

1 year, 6 months

2
1
0 0

[PATCH stable 5.4] net: bcmgenet: Fix EEE implementation

by Florian Fainelli

commit a9f31047baca57d47440c879cf259b86f900260c upstream We had a number of short comings: - EEE must be re-evaluated whenever the state machine detects a link change as wight be switching from a link partner with EEE enabled/disabled - tx_lpi_enabled controls whether EEE should be enabled/disabled for the transmit path, which applies to the TBUF block - We do not need to forcibly enable EEE upon system resume, as the PHY state machine will trigger a link event that will do that, too Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support") Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Reviewed-by: Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> Link: https://lore.kernel.org/r/20230606214348.2408018-1-florian.fainelli@broadco… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Change-Id: I9e9d9d9e10817c7fcf3d9cde2389a1f6fe42a2ba --- .../net/ethernet/broadcom/genet/bcmgenet.c | 22 +++++++------------ .../net/ethernet/broadcom/genet/bcmgenet.h | 3 +++ drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 +++++ 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c index eeadeeec17ba..380bf7a328ba 100644 --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c @@ -1018,7 +1018,8 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev, } } -static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) +void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + bool tx_lpi_enabled) { struct bcmgenet_priv *priv = netdev_priv(dev); u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL; @@ -1038,7 +1039,7 @@ static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) /* Enable EEE and switch to a 27Mhz clock automatically */ reg = bcmgenet_readl(priv->base + off); - if (enable) + if (tx_lpi_enabled) reg |= TBUF_EEE_EN | TBUF_PM_EN; else reg &= ~(TBUF_EEE_EN | TBUF_PM_EN); @@ -1059,6 +1060,7 @@ static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) priv->eee.eee_enabled = enable; priv->eee.eee_active = enable; + priv->eee.tx_lpi_enabled = tx_lpi_enabled; } static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_eee *e) @@ -1074,6 +1076,7 @@ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_eee *e) e->eee_enabled = p->eee_enabled; e->eee_active = p->eee_active; + e->tx_lpi_enabled = p->tx_lpi_enabled; e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER); return phy_ethtool_get_eee(dev->phydev, e); @@ -1083,7 +1086,6 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_eee *e) { struct bcmgenet_priv *priv = netdev_priv(dev); struct ethtool_eee *p = &priv->eee; - int ret = 0; if (GENET_IS_V1(priv)) return -EOPNOTSUPP; @@ -1094,16 +1096,11 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_eee *e) p->eee_enabled = e->eee_enabled; if (!p->eee_enabled) { - bcmgenet_eee_enable_set(dev, false); + bcmgenet_eee_enable_set(dev, false, false); } else { - ret = phy_init_eee(dev->phydev, 0); - if (ret) { - netif_err(priv, hw, dev, "EEE initialization failed\n"); - return ret; - } - + p->eee_active = phy_init_eee(dev->phydev, false) >= 0; bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); - bcmgenet_eee_enable_set(dev, true); + bcmgenet_eee_enable_set(dev, p->eee_active, e->tx_lpi_enabled); } return phy_ethtool_set_eee(dev->phydev, e); @@ -3688,9 +3685,6 @@ static int bcmgenet_resume(struct device *d) if (!device_may_wakeup(d)) phy_resume(dev->phydev); - if (priv->eee.eee_enabled) - bcmgenet_eee_enable_set(dev, true); - bcmgenet_netif_start(dev); netif_device_attach(dev); diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h index 5b7c2f9241d0..29bf256d13f6 100644 --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h @@ -736,4 +736,7 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv, void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv, enum bcmgenet_power_mode mode); +void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + bool tx_lpi_enabled); + #endif /* __BCMGENET_H__ */ diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c index 2fbec2acb606..026f00ccaa0c 100644 --- a/drivers/net/ethernet/broadcom/genet/bcmmii.c +++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c @@ -25,6 +25,7 @@ #include "bcmgenet.h" + /* setup netdev link state when PHY link status change and * update UMAC and RGMII block when link up */ @@ -96,6 +97,11 @@ void bcmgenet_mii_setup(struct net_device *dev) CMD_RX_PAUSE_IGNORE | CMD_TX_PAUSE_IGNORE); reg |= cmd_bits; bcmgenet_umac_writel(priv, reg, UMAC_CMD); + + priv->eee.eee_active = phy_init_eee(phydev, 0) >= 0; + bcmgenet_eee_enable_set(dev, + priv->eee.eee_enabled && priv->eee.eee_active, + priv->eee.tx_lpi_enabled); } else { /* done if nothing has changed */ if (!status_changed) -- 2.34.1

1 year, 6 months

2
2
0 0

[PATCH 1/8] docs: kernel_feat.py: fix build error for missing files

by Vegard Nossum

If the directory passed to the '.. kernel-feat::' directive does not exist or the get_feat.pl script does not find any files to extract features from, Sphinx will report the following error: Sphinx parallel build error: UnboundLocalError: local variable 'fname' referenced before assignment make[2]: *** [Documentation/Makefile:102: htmldocs] Error 2 This is due to how I changed the script in c48a7c44a1d0 ("docs: kernel_feat.py: fix potential command injection"). Before that, the filename passed along to self.nestedParse() in this case was weirdly just the whole get_feat.pl invocation. We can fix it by doing what kernel_abi.py does -- just pass self.arguments[0] as 'fname'. Fixes: c48a7c44a1d0 ("docs: kernel_feat.py: fix potential command injection") Cc: Justin Forbes <jforbes(a)fedoraproject.org> Cc: Salvatore Bonaccorso <carnil(a)debian.org> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Mauro Carvalho Chehab <mchehab(a)kernel.org> Cc: stable(a)vger.kernel.org Signed-off-by: Vegard Nossum <vegard.nossum(a)oracle.com> --- Documentation/sphinx/kernel_feat.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/sphinx/kernel_feat.py b/Documentation/sphinx/kernel_feat.py index b9df61eb4501..03ace5f01b5c 100644 --- a/Documentation/sphinx/kernel_feat.py +++ b/Documentation/sphinx/kernel_feat.py @@ -109,7 +109,7 @@ class KernelFeat(Directive): else: out_lines += line + "\n" - nodeList = self.nestedParse(out_lines, fname) + nodeList = self.nestedParse(out_lines, self.arguments[0]) return nodeList def nestedParse(self, lines, fname): -- 2.34.1

1 year, 6 months

4
7
0 0

[PATCH] drm/i915/dp: Limit SST link rate to <=8.1Gbps

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Limit the link rate to HBR3 or below (<=8.1Gbps) in SST mode. UHBR (10Gbps+) link rates require 128b/132b channel encoding which we have not yet hooked up into the SST/no-sideband codepaths. Cc: stable(a)vger.kernel.org Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_dp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index ab415f41924d..5045c34a16be 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -2356,6 +2356,9 @@ intel_dp_compute_config_limits(struct intel_dp *intel_dp, limits->min_rate = intel_dp_common_rate(intel_dp, 0); limits->max_rate = intel_dp_max_link_rate(intel_dp); + /* FIXME 128b/132b SST support missing */ + limits->max_rate = min(limits->max_rate, 810000); + limits->min_lane_count = 1; limits->max_lane_count = intel_dp_max_lane_count(intel_dp); -- 2.43.0

1 year, 6 months

2
1
0 0

[PATCH] leds: trigger: netdev: Fix kernel panic on interface rename trig notify

by Christian Marangi

Commit d5e01266e7f5 ("leds: trigger: netdev: add additional specific link speed mode") in the various changes, reworked the way to set the LINKUP mode in commit cee4bd16c319 ("leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename") and moved it to a generic function. This changed the logic where, in the previous implementation the dev from the trigger event was used to check if the carrier was ok, but in the new implementation with the generic function, the dev in trigger_data is used instead. This is problematic and cause a possible kernel panic due to the fact that the dev in the trigger_data still reference the old one as the new one (passed from the trigger event) still has to be hold and saved in the trigger_data struct (done in the NETDEV_REGISTER case). On calling of get_device_state(), an invalid net_dev is used and this cause a kernel panic. To handle this correctly, move the call to get_device_state() after the new net_dev is correctly set in trigger_data (in the NETDEV_REGISTER case) and correctly parse the new dev. Fixes: d5e01266e7f5 ("leds: trigger: netdev: add additional specific link speed mode") Cc: stable(a)vger.kernel.org Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/leds/trigger/ledtrig-netdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c index 8e5475819590..df1b1d8468e6 100644 --- a/drivers/leds/trigger/ledtrig-netdev.c +++ b/drivers/leds/trigger/ledtrig-netdev.c @@ -504,12 +504,12 @@ static int netdev_trig_notify(struct notifier_block *nb, trigger_data->duplex = DUPLEX_UNKNOWN; switch (evt) { case NETDEV_CHANGENAME: - get_device_state(trigger_data); - fallthrough; case NETDEV_REGISTER: dev_put(trigger_data->net_dev); dev_hold(dev); trigger_data->net_dev = dev; + if (evt == NETDEV_CHANGENAME) + get_device_state(trigger_data); break; case NETDEV_UNREGISTER: dev_put(trigger_data->net_dev); -- 2.43.0

1 year, 6 months

3
10
0 0

[PATCH] fs: relax mount_setattr() permission checks

by Christian Brauner

When we added mount_setattr() I added additional checks compared to the legacy do_reconfigure_mnt() and do_change_type() helpers used by regular mount(2). If that mount had a parent then verify that the caller and the mount namespace the mount is attached to match and if not make sure that it's an anonymous mount. The real rootfs falls into neither category. It is neither an anoymous mount because it is obviously attached to the initial mount namespace but it also obviously doesn't have a parent mount. So that means legacy mount(2) allows changing mount properties on the real rootfs but mount_setattr(2) blocks this. I never thought much about this but of course someone on this planet of earth changes properties on the real rootfs as can be seen in [1]. Since util-linux finally switched to the new mount api in 2.39 not so long ago it also relies on mount_setattr() and that surfaced this issue when Fedora 39 finally switched to it. Fix this. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2256843 Reported-by: Karel Zak <kzak(a)redhat.com> Cc: stable(a)vger.kernel.org # v5.12+ Signed-off-by: Christian Brauner <brauner(a)kernel.org> --- fs/namespace.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 437f60e96d40..fb0286920bce 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -4472,10 +4472,15 @@ static int do_mount_setattr(struct path *path, struct mount_kattr *kattr) /* * If this is an attached mount make sure it's located in the callers * mount namespace. If it's not don't let the caller interact with it. - * If this is a detached mount make sure it has an anonymous mount - * namespace attached to it, i.e. we've created it via OPEN_TREE_CLONE. + * + * If this mount doesn't have a parent it's most often simply a + * detached mount with an anonymous mount namespace. IOW, something + * that's simply not attached yet. But there are apparently also users + * that do change mount properties on the rootfs itself. That obviously + * neither has a parent nor is it a detached mount so we cannot + * unconditionally check for detached mounts. */ - if (!(mnt_has_parent(mnt) ? check_mnt(mnt) : is_anon_ns(mnt->mnt_ns))) + if (mnt_has_parent(mnt) && !check_mnt(mnt)) goto out; /* --- base-commit: 2a42e144dd0b62eaf79148394ab057145afbc3c5 change-id: 20240206-vfs-mount-rootfs-70aff2e3956d

1 year, 6 months

2
3
0 0

[PATCH 5.10 0/2] bpf: cpumap: Fix memory leak in cpu_map_update_elem

by Alexey Panov

Syzkaller reports "memory leak in cpu_map_update_elem" in 5.10 stable release. The problem has been fixed by the following patches which can be cleanly applied to the 5.10 branch. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

1 year, 6 months

1
2
0 0

[PATCH net] s390/qeth: Fix potential loss of L3-IP@ in case of network issues

by Alexandra Winter

Symptom: In case of a bad cable connection (e.g. dirty optics) a fast sequence of network DOWN-UP-DOWN-UP could happen. UP triggers recovery of the qeth interface. In case of a second DOWN while recovery is still ongoing, it can happen that the IP@ of a Layer3 qeth interface is lost and will not be recovered by the second UP. Problem: When registration of IP addresses with Layer 3 qeth devices fails, (e.g. because of bad address format) the respective IP address is deleted from its hash-table in the driver. If registration fails because of a ENETDOWN condition, the address should stay in the hashtable, so a subsequent recovery can restore it. 3caa4af834df ("qeth: keep ip-address after LAN_OFFLINE failure") fixes this for registration failures during normal operation, but not during recovery. Solution: Keep L3-IP address in case of ENETDOWN in qeth_l3_recover_ip(). For consistency with qeth_l3_add_ip() we also keep it in case of EADDRINUSE, i.e. for some reason the card already/still has this address registered. Fixes: 4a71df50047f ("qeth: new qeth device driver") Cc: stable(a)vger.kernel.org Signed-off-by: Alexandra Winter <wintera(a)linux.ibm.com> --- drivers/s390/net/qeth_l3_main.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c index b92a32b4b114..04c64ce0a1ca 100644 --- a/drivers/s390/net/qeth_l3_main.c +++ b/drivers/s390/net/qeth_l3_main.c @@ -255,9 +255,10 @@ static void qeth_l3_clear_ip_htable(struct qeth_card *card, int recover) if (!recover) { hash_del(&addr->hnode); kfree(addr); - continue; + } else { + /* prepare for recovery */ + addr->disp_flag = QETH_DISP_ADDR_ADD; } - addr->disp_flag = QETH_DISP_ADDR_ADD; } mutex_unlock(&card->ip_lock); @@ -278,9 +279,11 @@ static void qeth_l3_recover_ip(struct qeth_card *card) if (addr->disp_flag == QETH_DISP_ADDR_ADD) { rc = qeth_l3_register_addr_entry(card, addr); - if (!rc) { + if (!rc || rc == -EADDRINUSE || rc == -ENETDOWN) { + /* keep it in the records */ addr->disp_flag = QETH_DISP_ADDR_DO_NOTHING; } else { + /* bad address */ hash_del(&addr->hnode); kfree(addr); } -- 2.40.1

1 year, 6 months

2
1
0 0

[PATCH 0/6] tools: Fix rtla and rv problems (found) with clang

by Daniel Bristot de Oliveira

RHEL people reported some errors when compiling rtla and rv with clang. The command line used to compile the tools is: $ make HOSTCC=clang CC=clang LLVM_IAS=1 The first problem is two unsupported flags passed to the compiler: -ffat-lto-objects and -Wno-maybe-uninitialized. They will be removed if the compile is clang. Also, the clang linker does not automatically recognize the -flto=auto option used at compilation time, so it is explicitly set. With the compiler working, it starts pointing to some warnings and errors about uninitialized variables, variable size, and an unused function. These problems are also fixed. Daniel Bristot de Oliveira (6): tools/rtla: Fix Makefile compiler options for clang tools/rtla: Fix uninitialized bucket/data->bucket_size warning tools/rtla: Fix clang warning about mount_point var size tools/rtla: Remove unused sched_getattr() function tools/rv: Fix Makefile compiler options for clang tools/rv: Fix curr_reactor uninitialized variable tools/tracing/rtla/Makefile | 7 ++++++- tools/tracing/rtla/src/osnoise_hist.c | 3 +-- tools/tracing/rtla/src/timerlat_hist.c | 3 +-- tools/tracing/rtla/src/utils.c | 8 +------- tools/verification/rv/Makefile | 7 ++++++- tools/verification/rv/src/in_kernel.c | 2 +- 6 files changed, 16 insertions(+), 14 deletions(-) -- 2.43.0

1 year, 6 months

2
8
0 0

[PATCH V3 1/2] net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio

by Sinthu Raja

From: Sinthu Raja <sinthu.raja(a)ti.com> The below commit introduced a WARN when phy state is not in the states: PHY_HALTED, PHY_READY and PHY_UP. commit 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state") When cpsw_new resumes, there have port in PHY_NOLINK state, so the below warning comes out. Set mac_managed_pm be true to tell mdio that the phy resume/suspend is managed by the mac, to fix the following warning: WARNING: CPU: 0 PID: 965 at drivers/net/phy/phy_device.c:326 mdio_bus_phy_resume+0x140/0x144 CPU: 0 PID: 965 Comm: sh Tainted: G O 6.1.46-g247b2535b2 #1 Hardware name: Generic AM33XX (Flattened Device Tree) unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x24/0x2c dump_stack_lvl from __warn+0x84/0x15c __warn from warn_slowpath_fmt+0x1a8/0x1c8 warn_slowpath_fmt from mdio_bus_phy_resume+0x140/0x144 mdio_bus_phy_resume from dpm_run_callback+0x3c/0x140 dpm_run_callback from device_resume+0xb8/0x2b8 device_resume from dpm_resume+0x144/0x314 dpm_resume from dpm_resume_end+0x14/0x20 dpm_resume_end from suspend_devices_and_enter+0xd0/0x924 suspend_devices_and_enter from pm_suspend+0x2e0/0x33c pm_suspend from state_store+0x74/0xd0 state_store from kernfs_fop_write_iter+0x104/0x1ec kernfs_fop_write_iter from vfs_write+0x1b8/0x358 vfs_write from ksys_write+0x78/0xf8 ksys_write from ret_fast_syscall+0x0/0x54 Exception stack(0xe094dfa8 to 0xe094dff0) dfa0: 00000004 005c3fb8 00000001 005c3fb8 00000004 00000001 dfc0: 00000004 005c3fb8 b6f6bba0 00000004 00000004 0059edb8 00000000 00000000 dfe0: 00000004 bed918f0 b6f09bd3 b6e89a66 Cc: <stable(a)vger.kernel.org> # v6.0+ Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state") Signed-off-by: Sinthu Raja <sinthu.raja(a)ti.com> --- Changes in V3: - No Change Changes in V2: - Add fixes tag. drivers/net/ethernet/ti/cpsw_new.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/ti/cpsw_new.c b/drivers/net/ethernet/ti/cpsw_new.c index 498c50c6d1a7..087dcb67505a 100644 --- a/drivers/net/ethernet/ti/cpsw_new.c +++ b/drivers/net/ethernet/ti/cpsw_new.c @@ -773,6 +773,9 @@ static void cpsw_slave_open(struct cpsw_slave *slave, struct cpsw_priv *priv) slave->slave_num); return; } + + phy->mac_managed_pm = true; + slave->phy = phy; phy_attached_info(slave->phy); -- 2.36.1

1 year, 6 months

4
3
0 0

[PATCH 0/2] ARM: prctl: Reject PR_SET_MDWE where not supported

by Zev Weiss

Hello, I noticed after a recent kernel update that my ARM926 system started segfaulting on any execve() after calling prctl(PR_SET_MDWE). After some investigation it appears that ARMv5 is incapable of providing the appropriate protections for MDWE, since any readable memory is also implicitly executable. (Note that I'm not an expert in either ARM arch details or the mm subsystem, so please bear with me if I've botched something in the above analysis.) The prctl_set_mdwe() function already had some special-case logic added disabling it on PARISC (commit 793838138c15, "prctl: Disable prctl(PR_SET_MDWE) on parisc"); this patch series (1) generalizes that check to use an arch_*() function, and (2) adds a corresponding override for ARM to disable MDWE on pre-ARMv6 CPUs. With the series applied, prctl(PR_SET_MDWE) is rejected on ARMv5 and subsequent execve() calls (as well as mmap(PROT_READ|PROT_WRITE)) can succeed instead of unconditionally failing; on ARMv6 the prctl works as it did previously. Since this was effectively a userspace-breaking change in v6.3 (with newer MDWE-aware userspace on older pre-MDWE kernels the prctl would simply fail safely) I've CCed -stable for v6.3+, though since the patches depend on the PARISC one above it will only apply cleanly on the linux-6.6.y and linux-6.7.y branches, since at least at time of writing the 6.3 through 6.5 branches don't have that patch backported (due to further missing dependencies [0]). Thanks, Zev [0] https://lore.kernel.org/all/2023112456-linked-nape-bf19@gregkh/ Zev Weiss (2): prctl: Generalize PR_SET_MDWE support check to be per-arch ARM: prctl: Reject PR_SET_MDWE on pre-ARMv6 arch/arm/include/asm/mman.h | 14 ++++++++++++++ arch/parisc/include/asm/mman.h | 14 ++++++++++++++ include/linux/mman.h | 8 ++++++++ kernel/sys.c | 7 +++++-- 4 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 arch/arm/include/asm/mman.h create mode 100644 arch/parisc/include/asm/mman.h -- 2.43.0

1 year, 6 months

3
6
0 0

[merged mm-hotfixes-stable] hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE has been removed from the -mm tree. Its filename was hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Prakash Sangappa <prakash.sangappa(a)oracle.com> Subject: mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE Date: Tue, 23 Jan 2024 12:04:42 -0800 For shared memory of type SHM_HUGETLB, hugetlb pages are reserved in shmget() call. If SHM_NORESERVE flags is specified then the hugetlb pages are not reserved. However when the shared memory is attached with the shmat() call the hugetlb pages are getting reserved incorrectly for SHM_HUGETLB shared memory created with SHM_NORESERVE which is a bug. ------------------------------- Following test shows the issue. $cat shmhtb.c int main() { int shmflags = 0660 | IPC_CREAT | SHM_HUGETLB | SHM_NORESERVE; int shmid; shmid = shmget(SKEY, SHMSZ, shmflags); if (shmid < 0) { printf("shmat: shmget() failed, %d\n", errno); return 1; } printf("After shmget()\n"); system("cat /proc/meminfo | grep -i hugepages_"); shmat(shmid, NULL, 0); printf("\nAfter shmat()\n"); system("cat /proc/meminfo | grep -i hugepages_"); shmctl(shmid, IPC_RMID, NULL); return 0; } #sysctl -w vm.nr_hugepages=20 #./shmhtb After shmget() HugePages_Total: 20 HugePages_Free: 20 HugePages_Rsvd: 0 HugePages_Surp: 0 After shmat() HugePages_Total: 20 HugePages_Free: 20 HugePages_Rsvd: 5 <-- HugePages_Surp: 0 -------------------------------- Fix is to ensure that hugetlb pages are not reserved for SHM_HUGETLB shared memory in the shmat() call. Link: https://lkml.kernel.org/r/1706040282-12388-1-git-send-email-prakash.sangapp… Signed-off-by: Prakash Sangappa <prakash.sangappa(a)oracle.com> Acked-by: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/hugetlbfs/inode.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) --- a/fs/hugetlbfs/inode.c~hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve +++ a/fs/hugetlbfs/inode.c @@ -100,6 +100,7 @@ static int hugetlbfs_file_mmap(struct fi loff_t len, vma_len; int ret; struct hstate *h = hstate_file(file); + vm_flags_t vm_flags; /* * vma address alignment (but not the pgoff alignment) has @@ -141,10 +142,20 @@ static int hugetlbfs_file_mmap(struct fi file_accessed(file); ret = -ENOMEM; + + vm_flags = vma->vm_flags; + /* + * for SHM_HUGETLB, the pages are reserved in the shmget() call so skip + * reserving here. Note: only for SHM hugetlbfs file, the inode + * flag S_PRIVATE is set. + */ + if (inode->i_flags & S_PRIVATE) + vm_flags |= VM_NORESERVE; + if (!hugetlb_reserve_pages(inode, vma->vm_pgoff >> huge_page_order(h), len >> huge_page_shift(h), vma, - vma->vm_flags)) + vm_flags)) goto out; ret = 0; _ Patches currently in -mm which might be from prakash.sangappa(a)oracle.com are

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-fix-potential-bug-in-end_buffer_async_write.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix potential bug in end_buffer_async_write has been removed from the -mm tree. Its filename was nilfs2-fix-potential-bug-in-end_buffer_async_write.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix potential bug in end_buffer_async_write Date: Sun, 4 Feb 2024 01:16:45 +0900 According to a syzbot report, end_buffer_async_write(), which handles the completion of block device writes, may detect abnormal condition of the buffer async_write flag and cause a BUG_ON failure when using nilfs2. Nilfs2 itself does not use end_buffer_async_write(). But, the async_write flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks") as a means of resolving double list insertion of dirty blocks in nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the resulting crash. This modification is safe as long as it is used for file data and b-tree node blocks where the page caches are independent. However, it was irrelevant and redundant to also introduce async_write for segment summary and super root blocks that share buffers with the backing device. This led to the possibility that the BUG_ON check in end_buffer_async_write would fail as described above, if independent writebacks of the backing device occurred in parallel. The use of async_write for segment summary buffers has already been removed in a previous change. Fix this issue by removing the manipulation of the async_write flag for the remaining super root block buffer. Link: https://lkml.kernel.org/r/20240203161645.4992-1-konishi.ryusuke@gmail.com Fixes: 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+5c04210f7c7f897c1e7f(a)syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/00000000000019a97c05fd42f8c8@google.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/segment.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/fs/nilfs2/segment.c~nilfs2-fix-potential-bug-in-end_buffer_async_write +++ a/fs/nilfs2/segment.c @@ -1703,7 +1703,6 @@ static void nilfs_segctor_prepare_write( list_for_each_entry(bh, &segbuf->sb_payload_buffers, b_assoc_buffers) { - set_buffer_async_write(bh); if (bh == segbuf->sb_super_root) { if (bh->b_folio != bd_folio) { folio_lock(bd_folio); @@ -1714,6 +1713,7 @@ static void nilfs_segctor_prepare_write( } break; } + set_buffer_async_write(bh); if (bh->b_folio != fs_folio) { nilfs_begin_folio_io(fs_folio); fs_folio = bh->b_folio; @@ -1800,7 +1800,6 @@ static void nilfs_abort_logs(struct list list_for_each_entry(bh, &segbuf->sb_payload_buffers, b_assoc_buffers) { - clear_buffer_async_write(bh); if (bh == segbuf->sb_super_root) { clear_buffer_uptodate(bh); if (bh->b_folio != bd_folio) { @@ -1809,6 +1808,7 @@ static void nilfs_abort_logs(struct list } break; } + clear_buffer_async_write(bh); if (bh->b_folio != fs_folio) { nilfs_end_folio_io(fs_folio, err); fs_folio = bh->b_folio; @@ -1896,8 +1896,9 @@ static void nilfs_segctor_complete_write BIT(BH_Delay) | BIT(BH_NILFS_Volatile) | BIT(BH_NILFS_Redirected)); - set_mask_bits(&bh->b_state, clear_bits, set_bits); if (bh == segbuf->sb_super_root) { + set_buffer_uptodate(bh); + clear_buffer_dirty(bh); if (bh->b_folio != bd_folio) { folio_end_writeback(bd_folio); bd_folio = bh->b_folio; @@ -1905,6 +1906,7 @@ static void nilfs_segctor_complete_write update_sr = true; break; } + set_mask_bits(&bh->b_state, clear_bits, set_bits); if (bh->b_folio != fs_folio) { nilfs_end_folio_io(fs_folio, 0); fs_folio = bh->b_folio; _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-convert-segment-buffer-to-use-kmap_local.patch nilfs2-convert-nilfs_copy_buffer-to-use-kmap_local.patch nilfs2-convert-metadata-file-common-code-to-use-kmap_local.patch nilfs2-convert-sufile-to-use-kmap_local.patch nilfs2-convert-persistent-object-allocator-to-use-kmap_local.patch nilfs2-convert-dat-to-use-kmap_local.patch nilfs2-move-nilfs_bmap_write-call-out-of-nilfs_write_inode_common.patch nilfs2-do-not-acquire-rwsem-in-nilfs_bmap_write.patch nilfs2-convert-ifile-to-use-kmap_local.patch nilfs2-localize-highmem-mapping-for-checkpoint-creation-within-cpfile.patch nilfs2-localize-highmem-mapping-for-checkpoint-finalization-within-cpfile.patch nilfs2-localize-highmem-mapping-for-checkpoint-reading-within-cpfile.patch nilfs2-remove-nilfs_cpfile_getput_checkpoint.patch nilfs2-convert-cpfile-to-use-kmap_local.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-sysfs-schemes-fix-wrong-damos-tried-regions-update-timeout-setup.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/sysfs-schemes: fix wrong DAMOS tried regions update timeout setup has been removed from the -mm tree. Its filename was mm-damon-sysfs-schemes-fix-wrong-damos-tried-regions-update-timeout-setup.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/sysfs-schemes: fix wrong DAMOS tried regions update timeout setup Date: Fri, 2 Feb 2024 11:19:56 -0800 DAMON sysfs interface's update_schemes_tried_regions command has a timeout of two apply intervals of the DAMOS scheme. Having zero value DAMOS scheme apply interval means it will use the aggregation interval as the value. However, the timeout setup logic is mistakenly using the sampling interval insted of the aggregartion interval for the case. This could cause earlier-than-expected timeout of the command. Fix it. Link: https://lkml.kernel.org/r/20240202191956.88791-1-sj@kernel.org Fixes: 7d6fa31a2fd7 ("mm/damon/sysfs-schemes: add timeout for update_schemes_tried_regions") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> # 6.7.x Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/sysfs-schemes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/damon/sysfs-schemes.c~mm-damon-sysfs-schemes-fix-wrong-damos-tried-regions-update-timeout-setup +++ a/mm/damon/sysfs-schemes.c @@ -2194,7 +2194,7 @@ static void damos_tried_regions_init_upd sysfs_regions->upd_timeout_jiffies = jiffies + 2 * usecs_to_jiffies(scheme->apply_interval_us ? scheme->apply_interval_us : - ctx->attrs.sample_interval); + ctx->attrs.aggr_interval); } } _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-check-apply-interval-in-damon_do_apply_schemes.patch docs-admin-guide-mm-damon-usage-use-sysfs-interface-for-tracepoints-example.patch mm-damon-rename-config_damon_dbgfs-to-damon_dbgfs_deprecated.patch mm-damon-dbgfs-implement-deprecation-notice-file.patch mm-damon-dbgfs-make-debugfs-interface-deprecation-message-a-macro.patch docs-admin-guide-mm-damon-usage-document-deprecated-file-of-damon-debugfs-interface.patch selftets-damon-prepare-for-monitor_on-file-renaming.patch mm-damon-dbgfs-rename-monitor_on-file-to-monitor_on_deprecated.patch docs-admin-guide-mm-damon-usage-update-for-monitor_on-renaming.patch docs-translations-damon-usage-update-for-monitor_on-renaming.patch mm-damon-sysfs-handle-state-file-inputs-for-every-sampling-interval-if-possible.patch selftests-damon-_damon_sysfs-support-damos-quota.patch selftests-damon-_damon_sysfs-support-damos-stats.patch selftests-damon-_damon_sysfs-support-damos-apply-interval.patch selftests-damon-add-a-test-for-damos-quota.patch selftests-damon-add-a-test-for-damos-apply-intervals.patch selftests-damon-add-a-test-for-a-race-between-target_ids_read-and-dbgfs_before_terminate.patch selftests-damon-add-a-test-for-the-pid-leak-of-dbgfs_target_ids_write.patch selftests-damon-_chk_dependency-get-debugfs-mount-point-from-proc-mounts.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() has been removed from the -mm tree. Its filename was nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() Date: Wed, 31 Jan 2024 23:56:57 +0900 Syzbot reported a hang issue in migrate_pages_batch() called by mbind() and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2. While migrate_pages_batch() locks a folio and waits for the writeback to complete, the log writer thread that should bring the writeback to completion picks up the folio being written back in nilfs_lookup_dirty_data_buffers() that it calls for subsequent log creation and was trying to lock the folio. Thus causing a deadlock. In the first place, it is unexpected that folios/pages in the middle of writeback will be updated and become dirty. Nilfs2 adds a checksum to verify the validity of the log being written and uses it for recovery at mount, so data changes during writeback are suppressed. Since this is broken, an unclean shutdown could potentially cause recovery to fail. Investigation revealed that the root cause is that the wait for writeback completion in nilfs_page_mkwrite() is conditional, and if the backing device does not require stable writes, data may be modified without waiting. Fix these issues by making nilfs_page_mkwrite() wait for writeback to finish regardless of the stable write requirement of the backing device. Link: https://lkml.kernel.org/r/20240131145657.4209-1-konishi.ryusuke@gmail.com Fixes: 1d1d1a767206 ("mm: only enforce stable page writes if the backing device requires it") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+ee2ae68da3b22d04cd8d(a)syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/00000000000047d819061004ad6c@google.com Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/file.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/fs/nilfs2/file.c~nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers +++ a/fs/nilfs2/file.c @@ -107,7 +107,13 @@ static vm_fault_t nilfs_page_mkwrite(str nilfs_transaction_commit(inode->i_sb); mapped: - folio_wait_stable(folio); + /* + * Since checksumming including data blocks is performed to determine + * the validity of the log to be written and used for recovery, it is + * necessary to wait for writeback to finish here, regardless of the + * stable write requirement of the backing device. + */ + folio_wait_writeback(folio); out: sb_end_pagefault(inode->i_sb); return vmf_fs_error(ret); _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-convert-segment-buffer-to-use-kmap_local.patch nilfs2-convert-nilfs_copy_buffer-to-use-kmap_local.patch nilfs2-convert-metadata-file-common-code-to-use-kmap_local.patch nilfs2-convert-sufile-to-use-kmap_local.patch nilfs2-convert-persistent-object-allocator-to-use-kmap_local.patch nilfs2-convert-dat-to-use-kmap_local.patch nilfs2-move-nilfs_bmap_write-call-out-of-nilfs_write_inode_common.patch nilfs2-do-not-acquire-rwsem-in-nilfs_bmap_write.patch nilfs2-convert-ifile-to-use-kmap_local.patch nilfs2-localize-highmem-mapping-for-checkpoint-creation-within-cpfile.patch nilfs2-localize-highmem-mapping-for-checkpoint-finalization-within-cpfile.patch nilfs2-localize-highmem-mapping-for-checkpoint-reading-within-cpfile.patch nilfs2-remove-nilfs_cpfile_getput_checkpoint.patch nilfs2-convert-cpfile-to-use-kmap_local.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] fshugetlb-fix-null-pointer-dereference-in-hugetlbs_fill_super.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super has been removed from the -mm tree. Its filename was fshugetlb-fix-null-pointer-dereference-in-hugetlbs_fill_super.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oscar Salvador <osalvador(a)suse.de> Subject: fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super Date: Tue, 30 Jan 2024 22:04:18 +0100 When configuring a hugetlb filesystem via the fsconfig() syscall, there is a possible NULL dereference in hugetlbfs_fill_super() caused by assigning NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize is non valid. E.g: Taking the following steps: fd = fsopen("hugetlbfs", FSOPEN_CLOEXEC); fsconfig(fd, FSCONFIG_SET_STRING, "pagesize", "1024", 0); fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0); Given that the requested "pagesize" is invalid, ctxt->hstate will be replaced with NULL, losing its previous value, and we will print an error: ... ... case Opt_pagesize: ps = memparse(param->string, &rest); ctx->hstate = h; if (!ctx->hstate) { pr_err("Unsupported page size %lu MB\n", ps / SZ_1M); return -EINVAL; } return 0; ... ... This is a problem because later on, we will dereference ctxt->hstate in hugetlbfs_fill_super() ... ... sb->s_blocksize = huge_page_size(ctx->hstate); ... ... Causing below Oops. Fix this by replacing cxt->hstate value only when then pagesize is known to be valid. kernel: hugetlbfs: Unsupported page size 0 MB kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028 kernel: #PF: supervisor read access in kernel mode kernel: #PF: error_code(0x0000) - not-present page kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0 kernel: Oops: 0000 [#1] PREEMPT SMP PTI kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017 kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0 kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28 kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004 kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000 kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004 kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000 kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400 kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0 kernel: Call Trace: kernel: <TASK> kernel: ? __die_body+0x1a/0x60 kernel: ? page_fault_oops+0x16f/0x4a0 kernel: ? search_bpf_extables+0x65/0x70 kernel: ? fixup_exception+0x22/0x310 kernel: ? exc_page_fault+0x69/0x150 kernel: ? asm_exc_page_fault+0x22/0x30 kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10 kernel: ? hugetlbfs_fill_super+0xb4/0x1a0 kernel: ? hugetlbfs_fill_super+0x28/0x1a0 kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10 kernel: vfs_get_super+0x40/0xa0 kernel: ? __pfx_bpf_lsm_capable+0x10/0x10 kernel: vfs_get_tree+0x25/0xd0 kernel: vfs_cmd_create+0x64/0xe0 kernel: __x64_sys_fsconfig+0x395/0x410 kernel: do_syscall_64+0x80/0x160 kernel: ? syscall_exit_to_user_mode+0x82/0x240 kernel: ? do_syscall_64+0x8d/0x160 kernel: ? syscall_exit_to_user_mode+0x82/0x240 kernel: ? do_syscall_64+0x8d/0x160 kernel: ? exc_page_fault+0x69/0x150 kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76 kernel: RIP: 0033:0x7ffbc0cb87c9 kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48 kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffbc0cb87c9 kernel: RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003 kernel: RBP: 00007ffc29d2f3b0 R08: 0000000000000000 R09: 0000000000000000 kernel: R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 kernel: R13: 00007ffc29d2f4c0 R14: 0000000000000000 R15: 0000000000000000 kernel: </TASK> kernel: Modules linked in: rpcsec_gss_krb5(E) auth_rpcgss(E) nfsv4(E) dns_resolver(E) nfs(E) lockd(E) grace(E) sunrpc(E) netfs(E) af_packet(E) bridge(E) stp(E) llc(E) iscsi_ibft(E) iscsi_boot_sysfs(E) intel_rapl_msr(E) intel_rapl_common(E) iTCO_wdt(E) intel_pmc_bxt(E) sb_edac(E) iTCO_vendor_support(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) kvm_intel(E) rfkill(E) ipmi_ssif(E) kvm(E) acpi_ipmi(E) irqbypass(E) pcspkr(E) igb(E) ipmi_si(E) mei_me(E) i2c_i801(E) joydev(E) intel_pch_thermal(E) i2c_smbus(E) dca(E) lpc_ich(E) mei(E) ipmi_devintf(E) ipmi_msghandler(E) acpi_pad(E) tiny_power_button(E) button(E) fuse(E) efi_pstore(E) configfs(E) ip_tables(E) x_tables(E) ext4(E) mbcache(E) jbd2(E) hid_generic(E) usbhid(E) sd_mod(E) t10_pi(E) crct10dif_pclmul(E) crc32_pclmul(E) crc32c_intel(E) polyval_clmulni(E) ahci(E) xhci_pci(E) polyval_generic(E) gf128mul(E) ghash_clmulni_intel(E) sha512_ssse3(E) sha256_ssse3(E) xhci_pci_renesas(E) libahci(E) ehci_pci(E) sha1_ssse3(E) xhci_hc d(E) ehci_hcd(E) libata(E) kernel: mgag200(E) i2c_algo_bit(E) usbcore(E) wmi(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) scsi_common(E) aesni_intel(E) crypto_simd(E) cryptd(E) kernel: Unloaded tainted modules: acpi_cpufreq(E):1 fjes(E):1 kernel: CR2: 0000000000000028 kernel: ---[ end trace 0000000000000000 ]--- kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0 kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28 kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004 kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000 kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004 kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000 kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400 kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0 Link: https://lkml.kernel.org/r/20240130210418.3771-1-osalvador@suse.de Fixes: 32021982a324 ("hugetlbfs: Convert to fs_context") Signed-off-by: Michal Hocko <mhocko(a)suse.com> Signed-off-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/hugetlbfs/inode.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/fs/hugetlbfs/inode.c~fshugetlb-fix-null-pointer-dereference-in-hugetlbs_fill_super +++ a/fs/hugetlbfs/inode.c @@ -1365,6 +1365,7 @@ static int hugetlbfs_parse_param(struct { struct hugetlbfs_fs_context *ctx = fc->fs_private; struct fs_parse_result result; + struct hstate *h; char *rest; unsigned long ps; int opt; @@ -1409,11 +1410,12 @@ static int hugetlbfs_parse_param(struct case Opt_pagesize: ps = memparse(param->string, &rest); - ctx->hstate = size_to_hstate(ps); - if (!ctx->hstate) { + h = size_to_hstate(ps); + if (!h) { pr_err("Unsupported page size %lu MB\n", ps / SZ_1M); return -EINVAL; } + ctx->hstate = h; return 0; case Opt_min_size: _ Patches currently in -mm which might be from osalvador(a)suse.de are

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] arch-arm-mm-fix-major-fault-accounting-when-retrying-under-per-vma-lock.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: arch/arm/mm: fix major fault accounting when retrying under per-VMA lock has been removed from the -mm tree. Its filename was arch-arm-mm-fix-major-fault-accounting-when-retrying-under-per-vma-lock.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Suren Baghdasaryan <surenb(a)google.com> Subject: arch/arm/mm: fix major fault accounting when retrying under per-VMA lock Date: Mon, 22 Jan 2024 22:43:05 -0800 The change [1] missed ARM architecture when fixing major fault accounting for page fault retry under per-VMA lock. The user-visible effects is that it restores correct major fault accounting that was broken after [2] was merged in 6.7 kernel. The more detailed description is in [3] and this patch simply adds the same fix to ARM architecture which I missed in [3]. Add missing code to fix ARM architecture fault accounting. [1] 46e714c729c8 ("arch/mm/fault: fix major fault accounting when retrying under per-VMA lock") [2] https://lore.kernel.org/all/20231006195318.4087158-6-willy@infradead.org/ [3] https://lore.kernel.org/all/20231226214610.109282-1-surenb@google.com/ Link: https://lkml.kernel.org/r/20240123064305.2829244-1-surenb@google.com Fixes: 12214eba1992 ("mm: handle read faults under the VMA lock") Reported-by: Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michael Ellerman <mpe(a)ellerman.id.au> Cc: Palmer Dabbelt <palmer(a)dabbelt.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/arm/mm/fault.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/arm/mm/fault.c~arch-arm-mm-fix-major-fault-accounting-when-retrying-under-per-vma-lock +++ a/arch/arm/mm/fault.c @@ -298,6 +298,8 @@ do_page_fault(unsigned long addr, unsign goto done; } count_vm_vma_lock_event(VMA_LOCK_RETRY); + if (fault & VM_FAULT_MAJOR) + flags |= FAULT_FLAG_TRIED; /* Quick path to respond to signals */ if (fault_signal_pending(fault, regs)) { _ Patches currently in -mm which might be from surenb(a)google.com are userfaultfd-handle-zeropage-moves-by-uffdio_move.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-fix-data-corruption-in-dsync-block-recovery-for-small-block-sizes.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix data corruption in dsync block recovery for small block sizes has been removed from the -mm tree. Its filename was nilfs2-fix-data-corruption-in-dsync-block-recovery-for-small-block-sizes.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix data corruption in dsync block recovery for small block sizes Date: Wed, 24 Jan 2024 21:19:36 +0900 The helper function nilfs_recovery_copy_block() of nilfs_recovery_dsync_blocks(), which recovers data from logs created by data sync writes during a mount after an unclean shutdown, incorrectly calculates the on-page offset when copying repair data to the file's page cache. In environments where the block size is smaller than the page size, this flaw can cause data corruption and leak uninitialized memory bytes during the recovery process. Fix these issues by correcting this byte offset calculation on the page. Link: https://lkml.kernel.org/r/20240124121936.10575-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/recovery.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/fs/nilfs2/recovery.c~nilfs2-fix-data-corruption-in-dsync-block-recovery-for-small-block-sizes +++ a/fs/nilfs2/recovery.c @@ -472,9 +472,10 @@ static int nilfs_prepare_segment_for_rec static int nilfs_recovery_copy_block(struct the_nilfs *nilfs, struct nilfs_recovery_block *rb, - struct page *page) + loff_t pos, struct page *page) { struct buffer_head *bh_org; + size_t from = pos & ~PAGE_MASK; void *kaddr; bh_org = __bread(nilfs->ns_bdev, rb->blocknr, nilfs->ns_blocksize); @@ -482,7 +483,7 @@ static int nilfs_recovery_copy_block(str return -EIO; kaddr = kmap_atomic(page); - memcpy(kaddr + bh_offset(bh_org), bh_org->b_data, bh_org->b_size); + memcpy(kaddr + from, bh_org->b_data, bh_org->b_size); kunmap_atomic(kaddr); brelse(bh_org); return 0; @@ -521,7 +522,7 @@ static int nilfs_recover_dsync_blocks(st goto failed_inode; } - err = nilfs_recovery_copy_block(nilfs, rb, page); + err = nilfs_recovery_copy_block(nilfs, rb, pos, page); if (unlikely(err)) goto failed_page; _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-convert-segment-buffer-to-use-kmap_local.patch nilfs2-convert-nilfs_copy_buffer-to-use-kmap_local.patch nilfs2-convert-metadata-file-common-code-to-use-kmap_local.patch nilfs2-convert-sufile-to-use-kmap_local.patch nilfs2-convert-persistent-object-allocator-to-use-kmap_local.patch nilfs2-convert-dat-to-use-kmap_local.patch nilfs2-move-nilfs_bmap_write-call-out-of-nilfs_write_inode_common.patch nilfs2-do-not-acquire-rwsem-in-nilfs_bmap_write.patch nilfs2-convert-ifile-to-use-kmap_local.patch nilfs2-localize-highmem-mapping-for-checkpoint-creation-within-cpfile.patch nilfs2-localize-highmem-mapping-for-checkpoint-finalization-within-cpfile.patch nilfs2-localize-highmem-mapping-for-checkpoint-reading-within-cpfile.patch nilfs2-remove-nilfs_cpfile_getput_checkpoint.patch nilfs2-convert-cpfile-to-use-kmap_local.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] exit-wait_task_zombie-kill-the-no-longer-necessary-spin_lock_irqsiglock.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: exit: wait_task_zombie: kill the no longer necessary spin_lock_irq(siglock) has been removed from the -mm tree. Its filename was exit-wait_task_zombie-kill-the-no-longer-necessary-spin_lock_irqsiglock.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oleg Nesterov <oleg(a)redhat.com> Subject: exit: wait_task_zombie: kill the no longer necessary spin_lock_irq(siglock) Date: Tue, 23 Jan 2024 16:34:00 +0100 After the recent changes nobody use siglock to read the values protected by stats_lock, we can kill spin_lock_irq(&current->sighand->siglock) and update the comment. With this patch only __exit_signal() and thread_group_start_cputime() take stats_lock under siglock. Link: https://lkml.kernel.org/r/20240123153359.GA21866@redhat.com Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Dylan Hatch <dylanbhatch(a)google.com> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/exit.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) --- a/kernel/exit.c~exit-wait_task_zombie-kill-the-no-longer-necessary-spin_lock_irqsiglock +++ a/kernel/exit.c @@ -1127,17 +1127,14 @@ static int wait_task_zombie(struct wait_ * and nobody can change them. * * psig->stats_lock also protects us from our sub-threads - * which can reap other children at the same time. Until - * we change k_getrusage()-like users to rely on this lock - * we have to take ->siglock as well. + * which can reap other children at the same time. * * We use thread_group_cputime_adjusted() to get times for * the thread group, which consolidates times for all threads * in the group including the group leader. */ thread_group_cputime_adjusted(p, &tgutime, &tgstime); - spin_lock_irq(&current->sighand->siglock); - write_seqlock(&psig->stats_lock); + write_seqlock_irq(&psig->stats_lock); psig->cutime += tgutime + sig->cutime; psig->cstime += tgstime + sig->cstime; psig->cgtime += task_gtime(p) + sig->gtime + sig->cgtime; @@ -1160,8 +1157,7 @@ static int wait_task_zombie(struct wait_ psig->cmaxrss = maxrss; task_io_accounting_add(&psig->ioac, &p->ioac); task_io_accounting_add(&psig->ioac, &sig->ioac); - write_sequnlock(&psig->stats_lock); - spin_unlock_irq(&current->sighand->siglock); + write_sequnlock_irq(&psig->stats_lock); } if (wo->wo_rusage) _ Patches currently in -mm which might be from oleg(a)redhat.com are ptrace_attach-shift-sendsigstop-into-ptrace_set_stopped.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats has been removed from the -mm tree. Its filename was fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oleg Nesterov <oleg(a)redhat.com> Subject: fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats Date: Tue, 23 Jan 2024 16:33:57 +0100 lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call do_task_stat() at the same time and the process has NR_THREADS, it will spin with irqs disabled O(NR_CPUS * NR_THREADS) time. Change do_task_stat() to use sig->stats_lock to gather the statistics outside of ->siglock protected section, in the likely case this code will run lockless. Link: https://lkml.kernel.org/r/20240123153357.GA21857@redhat.com Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Dylan Hatch <dylanbhatch(a)google.com> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/array.c | 58 +++++++++++++++++++++++++--------------------- 1 file changed, 32 insertions(+), 26 deletions(-) --- a/fs/proc/array.c~fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats +++ a/fs/proc/array.c @@ -477,13 +477,13 @@ static int do_task_stat(struct seq_file int permitted; struct mm_struct *mm; unsigned long long start_time; - unsigned long cmin_flt = 0, cmaj_flt = 0; - unsigned long min_flt = 0, maj_flt = 0; - u64 cutime, cstime, utime, stime; - u64 cgtime, gtime; + unsigned long cmin_flt, cmaj_flt, min_flt, maj_flt; + u64 cutime, cstime, cgtime, utime, stime, gtime; unsigned long rsslim = 0; unsigned long flags; int exit_code = task->exit_code; + struct signal_struct *sig = task->signal; + unsigned int seq = 1; state = *get_task_state(task); vsize = eip = esp = 0; @@ -511,12 +511,8 @@ static int do_task_stat(struct seq_file sigemptyset(&sigign); sigemptyset(&sigcatch); - cutime = cstime = 0; - cgtime = gtime = 0; if (lock_task_sighand(task, &flags)) { - struct signal_struct *sig = task->signal; - if (sig->tty) { struct pid *pgrp = tty_get_pgrp(sig->tty); tty_pgrp = pid_nr_ns(pgrp, ns); @@ -527,27 +523,9 @@ static int do_task_stat(struct seq_file num_threads = get_nr_threads(task); collect_sigign_sigcatch(task, &sigign, &sigcatch); - cmin_flt = sig->cmin_flt; - cmaj_flt = sig->cmaj_flt; - cutime = sig->cutime; - cstime = sig->cstime; - cgtime = sig->cgtime; rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur); - /* add up live thread stats at the group level */ if (whole) { - struct task_struct *t; - - __for_each_thread(sig, t) { - min_flt += t->min_flt; - maj_flt += t->maj_flt; - gtime += task_gtime(t); - } - - min_flt += sig->min_flt; - maj_flt += sig->maj_flt; - gtime += sig->gtime; - if (sig->flags & (SIGNAL_GROUP_EXIT | SIGNAL_STOP_STOPPED)) exit_code = sig->group_exit_code; } @@ -562,6 +540,34 @@ static int do_task_stat(struct seq_file if (permitted && (!whole || num_threads < 2)) wchan = !task_is_running(task); + do { + seq++; /* 2 on the 1st/lockless path, otherwise odd */ + flags = read_seqbegin_or_lock_irqsave(&sig->stats_lock, &seq); + + cmin_flt = sig->cmin_flt; + cmaj_flt = sig->cmaj_flt; + cutime = sig->cutime; + cstime = sig->cstime; + cgtime = sig->cgtime; + + if (whole) { + struct task_struct *t; + + min_flt = sig->min_flt; + maj_flt = sig->maj_flt; + gtime = sig->gtime; + + rcu_read_lock(); + __for_each_thread(sig, t) { + min_flt += t->min_flt; + maj_flt += t->maj_flt; + gtime += task_gtime(t); + } + rcu_read_unlock(); + } + } while (need_seqretry(&sig->stats_lock, seq)); + done_seqretry_irqrestore(&sig->stats_lock, seq, flags); + if (whole) { thread_group_cputime_adjusted(task, &utime, &stime); } else { _ Patches currently in -mm which might be from oleg(a)redhat.com are ptrace_attach-shift-sendsigstop-into-ptrace_set_stopped.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] fs-proc-do_task_stat-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand() has been removed from the -mm tree. Its filename was fs-proc-do_task_stat-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oleg Nesterov <oleg(a)redhat.com> Subject: fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand() Date: Tue, 23 Jan 2024 16:33:55 +0100 Patch series "fs/proc: do_task_stat: use sig->stats_". do_task_stat() has the same problem as getrusage() had before "getrusage: use sig->stats_lock rather than lock_task_sighand()": a hard lockup. If NR_CPUS threads call lock_task_sighand() at the same time and the process has NR_THREADS, spin_lock_irq will spin with irqs disabled O(NR_CPUS * NR_THREADS) time. This patch (of 3): thread_group_cputime() does its own locking, we can safely shift thread_group_cputime_adjusted() which does another for_each_thread loop outside of ->siglock protected section. Not only this removes for_each_thread() from the critical section with irqs disabled, this removes another case when stats_lock is taken with siglock held. We want to remove this dependency, then we can change the users of stats_lock to not disable irqs. Link: https://lkml.kernel.org/r/20240123153313.GA21832@redhat.com Link: https://lkml.kernel.org/r/20240123153355.GA21854@redhat.com Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Dylan Hatch <dylanbhatch(a)google.com> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/array.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/fs/proc/array.c~fs-proc-do_task_stat-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand +++ a/fs/proc/array.c @@ -511,7 +511,7 @@ static int do_task_stat(struct seq_file sigemptyset(&sigign); sigemptyset(&sigcatch); - cutime = cstime = utime = stime = 0; + cutime = cstime = 0; cgtime = gtime = 0; if (lock_task_sighand(task, &flags)) { @@ -546,7 +546,6 @@ static int do_task_stat(struct seq_file min_flt += sig->min_flt; maj_flt += sig->maj_flt; - thread_group_cputime_adjusted(task, &utime, &stime); gtime += sig->gtime; if (sig->flags & (SIGNAL_GROUP_EXIT | SIGNAL_STOP_STOPPED)) @@ -562,10 +561,13 @@ static int do_task_stat(struct seq_file if (permitted && (!whole || num_threads < 2)) wchan = !task_is_running(task); - if (!whole) { + + if (whole) { + thread_group_cputime_adjusted(task, &utime, &stime); + } else { + task_cputime_adjusted(task, &utime, &stime); min_flt = task->min_flt; maj_flt = task->maj_flt; - task_cputime_adjusted(task, &utime, &stime); gtime = task_gtime(task); } _ Patches currently in -mm which might be from oleg(a)redhat.com are ptrace_attach-shift-sendsigstop-into-ptrace_set_stopped.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] getrusage-use-sig-stats_lock-rather-than-lock_task_sighand.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: getrusage: use sig->stats_lock rather than lock_task_sighand() has been removed from the -mm tree. Its filename was getrusage-use-sig-stats_lock-rather-than-lock_task_sighand.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oleg Nesterov <oleg(a)redhat.com> Subject: getrusage: use sig->stats_lock rather than lock_task_sighand() Date: Mon, 22 Jan 2024 16:50:53 +0100 lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call getrusage() at the same time and the process has NR_THREADS, spin_lock_irq will spin with irqs disabled O(NR_CPUS * NR_THREADS) time. Change getrusage() to use sig->stats_lock, it was specifically designed for this type of use. This way it runs lockless in the likely case. TODO: - Change do_task_stat() to use sig->stats_lock too, then we can remove spin_lock_irq(siglock) in wait_task_zombie(). - Turn sig->stats_lock into seqcount_rwlock_t, this way the readers in the slow mode won't exclude each other. See https://lore.kernel.org/all/20230913154907.GA26210@redhat.com/ - stats_lock has to disable irqs because ->siglock can be taken in irq context, it would be very nice to change __exit_signal() to avoid the siglock->stats_lock dependency. Link: https://lkml.kernel.org/r/20240122155053.GA26214@redhat.com Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Reported-by: Dylan Hatch <dylanbhatch(a)google.com> Tested-by: Dylan Hatch <dylanbhatch(a)google.com> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/sys.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) --- a/kernel/sys.c~getrusage-use-sig-stats_lock-rather-than-lock_task_sighand +++ a/kernel/sys.c @@ -1788,7 +1788,9 @@ void getrusage(struct task_struct *p, in unsigned long maxrss; struct mm_struct *mm; struct signal_struct *sig = p->signal; + unsigned int seq = 0; +retry: memset(r, 0, sizeof(*r)); utime = stime = 0; maxrss = 0; @@ -1800,8 +1802,7 @@ void getrusage(struct task_struct *p, in goto out_thread; } - if (!lock_task_sighand(p, &flags)) - return; + flags = read_seqbegin_or_lock_irqsave(&sig->stats_lock, &seq); switch (who) { case RUSAGE_BOTH: @@ -1829,14 +1830,23 @@ void getrusage(struct task_struct *p, in r->ru_oublock += sig->oublock; if (maxrss < sig->maxrss) maxrss = sig->maxrss; + + rcu_read_lock(); __for_each_thread(sig, t) accumulate_thread_rusage(t, r); + rcu_read_unlock(); + break; default: BUG(); } - unlock_task_sighand(p, &flags); + + if (need_seqretry(&sig->stats_lock, seq)) { + seq = 1; + goto retry; + } + done_seqretry_irqrestore(&sig->stats_lock, seq, flags); if (who == RUSAGE_CHILDREN) goto out_children; _ Patches currently in -mm which might be from oleg(a)redhat.com are ptrace_attach-shift-sendsigstop-into-ptrace_set_stopped.patch

1 year, 6 months

1
0
0 0

[merged mm-hotfixes-stable] getrusage-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand() has been removed from the -mm tree. Its filename was getrusage-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oleg Nesterov <oleg(a)redhat.com> Subject: getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand() Date: Mon, 22 Jan 2024 16:50:50 +0100 Patch series "getrusage: use sig->stats_lock", v2. This patch (of 2): thread_group_cputime() does its own locking, we can safely shift thread_group_cputime_adjusted() which does another for_each_thread loop outside of ->siglock protected section. This is also preparation for the next patch which changes getrusage() to use stats_lock instead of siglock, thread_group_cputime() takes the same lock. With the current implementation recursive read_seqbegin_or_lock() is fine, thread_group_cputime() can't enter the slow mode if the caller holds stats_lock, yet this looks more safe and better performance-wise. Link: https://lkml.kernel.org/r/20240122155023.GA26169@redhat.com Link: https://lkml.kernel.org/r/20240122155050.GA26205@redhat.com Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Reported-by: Dylan Hatch <dylanbhatch(a)google.com> Tested-by: Dylan Hatch <dylanbhatch(a)google.com> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/sys.c | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) --- a/kernel/sys.c~getrusage-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand +++ a/kernel/sys.c @@ -1785,17 +1785,19 @@ void getrusage(struct task_struct *p, in struct task_struct *t; unsigned long flags; u64 tgutime, tgstime, utime, stime; - unsigned long maxrss = 0; + unsigned long maxrss; + struct mm_struct *mm; struct signal_struct *sig = p->signal; - memset((char *)r, 0, sizeof (*r)); + memset(r, 0, sizeof(*r)); utime = stime = 0; + maxrss = 0; if (who == RUSAGE_THREAD) { task_cputime_adjusted(current, &utime, &stime); accumulate_thread_rusage(p, r); maxrss = sig->maxrss; - goto out; + goto out_thread; } if (!lock_task_sighand(p, &flags)) @@ -1819,9 +1821,6 @@ void getrusage(struct task_struct *p, in fallthrough; case RUSAGE_SELF: - thread_group_cputime_adjusted(p, &tgutime, &tgstime); - utime += tgutime; - stime += tgstime; r->ru_nvcsw += sig->nvcsw; r->ru_nivcsw += sig->nivcsw; r->ru_minflt += sig->min_flt; @@ -1839,19 +1838,24 @@ void getrusage(struct task_struct *p, in } unlock_task_sighand(p, &flags); -out: - r->ru_utime = ns_to_kernel_old_timeval(utime); - r->ru_stime = ns_to_kernel_old_timeval(stime); - - if (who != RUSAGE_CHILDREN) { - struct mm_struct *mm = get_task_mm(p); + if (who == RUSAGE_CHILDREN) + goto out_children; - if (mm) { - setmax_mm_hiwater_rss(&maxrss, mm); - mmput(mm); - } + thread_group_cputime_adjusted(p, &tgutime, &tgstime); + utime += tgutime; + stime += tgstime; + +out_thread: + mm = get_task_mm(p); + if (mm) { + setmax_mm_hiwater_rss(&maxrss, mm); + mmput(mm); } + +out_children: r->ru_maxrss = maxrss * (PAGE_SIZE / 1024); /* convert pages to KBs */ + r->ru_utime = ns_to_kernel_old_timeval(utime); + r->ru_stime = ns_to_kernel_old_timeval(stime); } SYSCALL_DEFINE2(getrusage, int, who, struct rusage __user *, ru) _ Patches currently in -mm which might be from oleg(a)redhat.com are ptrace_attach-shift-sendsigstop-into-ptrace_set_stopped.patch

1 year, 6 months

1
0
0 0

[PATCH] ASoC: tas2781: remove unused acpi_subysystem_id

by Gergo Koteles

The acpi_subysystem_id is only written and freed, not read, so unnecessary. Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") CC: stable(a)vger.kernel.org Signed-off-by: Gergo Koteles <soyer(a)irl.hu> --- include/sound/tas2781.h | 1 - sound/pci/hda/tas2781_hda_i2c.c | 10 ---------- sound/soc/codecs/tas2781-comlib.c | 1 - 3 files changed, 12 deletions(-) diff --git a/include/sound/tas2781.h b/include/sound/tas2781.h index 9aff384941de..99ca3e401fd1 100644 --- a/include/sound/tas2781.h +++ b/include/sound/tas2781.h @@ -103,7 +103,6 @@ struct tasdevice_priv { struct tm tm; enum device_catlog_id catlog_id; - const char *acpi_subsystem_id; unsigned char cal_binaryname[TASDEVICE_MAX_CHANNELS][64]; unsigned char crc8_lkp_tbl[CRC8_TABLE_SIZE]; unsigned char coef_binaryname[64]; diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c index 1bfb00102a77..02c85084aca5 100644 --- a/sound/pci/hda/tas2781_hda_i2c.c +++ b/sound/pci/hda/tas2781_hda_i2c.c @@ -129,18 +129,8 @@ static int tas2781_read_acpi(struct tasdevice_priv *p, const char *hid) acpi_dev_free_resource_list(&resources); strscpy(p->dev_name, hid, sizeof(p->dev_name)); - physdev = get_device(acpi_get_first_physical_node(adev)); acpi_dev_put(adev); - /* No side-effect to the playback even if subsystem_id is NULL*/ - sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev)); - if (IS_ERR(sub)) - sub = NULL; - - p->acpi_subsystem_id = sub; - - put_device(physdev); - return 0; err: diff --git a/sound/soc/codecs/tas2781-comlib.c b/sound/soc/codecs/tas2781-comlib.c index 5d0e5348b361..3aa81514dad7 100644 --- a/sound/soc/codecs/tas2781-comlib.c +++ b/sound/soc/codecs/tas2781-comlib.c @@ -408,7 +408,6 @@ void tasdevice_remove(struct tasdevice_priv *tas_priv) { if (gpio_is_valid(tas_priv->irq_info.irq_gpio)) gpio_free(tas_priv->irq_info.irq_gpio); - kfree(tas_priv->acpi_subsystem_id); mutex_destroy(&tas_priv->codec_lock); } EXPORT_SYMBOL_GPL(tasdevice_remove); base-commit: 610010737f74482a61896596a0116876ecf9e65c -- 2.43.0

1 year, 6 months

3
7
0 0

[PATCH AUTOSEL 4.19 1/3] ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

by Sasha Levin

From: Baokun Li <libaokun1(a)huawei.com> [ Upstream commit 4530b3660d396a646aad91a787b6ab37cf604b53 ] Determine if the group block bitmap is corrupted before using ac_b_ex in ext4_mb_try_best_found() to avoid allocating blocks from a group with a corrupted block bitmap in the following concurrency and making the situation worse. ext4_mb_regular_allocator ext4_lock_group(sb, group) ext4_mb_good_group // check if the group bbitmap is corrupted ext4_mb_complex_scan_group // Scan group gets ac_b_ex but doesn't use it ext4_unlock_group(sb, group) ext4_mark_group_bitmap_corrupted(group) // The block bitmap was corrupted during // the group unlock gap. ext4_mb_try_best_found ext4_lock_group(ac->ac_sb, group) ext4_mb_use_best_found mb_mark_used // Allocating blocks in block bitmap corrupted group Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Link: https://lore.kernel.org/r/20240104142040.2835097-7-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ext4/mballoc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 8875fac9f958..cf034a38e8ba 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1802,6 +1802,9 @@ int ext4_mb_try_best_found(struct ext4_allocation_context *ac, return err; ext4_lock_group(ac->ac_sb, group); + if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) + goto out; + max = mb_find_extent(e4b, ex.fe_start, ex.fe_len, &ex); if (max > 0) { @@ -1809,6 +1812,7 @@ int ext4_mb_try_best_found(struct ext4_allocation_context *ac, ext4_mb_use_best_found(ac, e4b); } +out: ext4_unlock_group(ac->ac_sb, group); ext4_mb_unload_buddy(e4b); -- 2.43.0

1 year, 6 months

1
2
0 0

[PATCH AUTOSEL 5.4 1/7] ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

by Sasha Levin

From: Baokun Li <libaokun1(a)huawei.com> [ Upstream commit 4530b3660d396a646aad91a787b6ab37cf604b53 ] Determine if the group block bitmap is corrupted before using ac_b_ex in ext4_mb_try_best_found() to avoid allocating blocks from a group with a corrupted block bitmap in the following concurrency and making the situation worse. ext4_mb_regular_allocator ext4_lock_group(sb, group) ext4_mb_good_group // check if the group bbitmap is corrupted ext4_mb_complex_scan_group // Scan group gets ac_b_ex but doesn't use it ext4_unlock_group(sb, group) ext4_mark_group_bitmap_corrupted(group) // The block bitmap was corrupted during // the group unlock gap. ext4_mb_try_best_found ext4_lock_group(ac->ac_sb, group) ext4_mb_use_best_found mb_mark_used // Allocating blocks in block bitmap corrupted group Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Link: https://lore.kernel.org/r/20240104142040.2835097-7-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ext4/mballoc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 9e5aa625ab30..c1af95898aa4 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1802,6 +1802,9 @@ int ext4_mb_try_best_found(struct ext4_allocation_context *ac, return err; ext4_lock_group(ac->ac_sb, group); + if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) + goto out; + max = mb_find_extent(e4b, ex.fe_start, ex.fe_len, &ex); if (max > 0) { @@ -1809,6 +1812,7 @@ int ext4_mb_try_best_found(struct ext4_allocation_context *ac, ext4_mb_use_best_found(ac, e4b); } +out: ext4_unlock_group(ac->ac_sb, group); ext4_mb_unload_buddy(e4b); -- 2.43.0

1 year, 6 months

1
6
0 0

[PATCH AUTOSEL 5.15 01/23] ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt

by Sasha Levin

From: Baokun Li <libaokun1(a)huawei.com> [ Upstream commit 993bf0f4c393b3667830918f9247438a8f6fdb5b ] Determine if bb_fragments is 0 instead of determining bb_free to eliminate the risk of dividing by zero when the block bitmap is corrupted. Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Link: https://lore.kernel.org/r/20240104142040.2835097-6-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ext4/mballoc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index e44c28ceb9cd..3df3c3894f7b 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -853,7 +853,7 @@ mb_update_avg_fragment_size(struct super_block *sb, struct ext4_group_info *grp) { struct ext4_sb_info *sbi = EXT4_SB(sb); - if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_free == 0) + if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_fragments == 0) return; write_lock(&sbi->s_mb_rb_lock); -- 2.43.0

1 year, 6 months

1
22
0 0

[PATCH AUTOSEL 6.1 01/29] ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt

by Sasha Levin

From: Baokun Li <libaokun1(a)huawei.com> [ Upstream commit 993bf0f4c393b3667830918f9247438a8f6fdb5b ] Determine if bb_fragments is 0 instead of determining bb_free to eliminate the risk of dividing by zero when the block bitmap is corrupted. Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Link: https://lore.kernel.org/r/20240104142040.2835097-6-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ext4/mballoc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 33be702d6e38..779555925029 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -831,7 +831,7 @@ mb_update_avg_fragment_size(struct super_block *sb, struct ext4_group_info *grp) struct ext4_sb_info *sbi = EXT4_SB(sb); int new_order; - if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_free == 0) + if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_fragments == 0) return; new_order = mb_avg_fragment_size_order(sb, -- 2.43.0

1 year, 6 months

1
28
0 0

[PATCH AUTOSEL 6.6 01/38] ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt

by Sasha Levin

From: Baokun Li <libaokun1(a)huawei.com> [ Upstream commit 993bf0f4c393b3667830918f9247438a8f6fdb5b ] Determine if bb_fragments is 0 instead of determining bb_free to eliminate the risk of dividing by zero when the block bitmap is corrupted. Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Link: https://lore.kernel.org/r/20240104142040.2835097-6-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ext4/mballoc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 9a4b73485ded..f74a8f144a66 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -841,7 +841,7 @@ mb_update_avg_fragment_size(struct super_block *sb, struct ext4_group_info *grp) struct ext4_sb_info *sbi = EXT4_SB(sb); int new_order; - if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_free == 0) + if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_fragments == 0) return; new_order = mb_avg_fragment_size_order(sb, -- 2.43.0

1 year, 6 months

1
37
0 0

[PATCH v2] clocksource: timer-riscv: Clear timer interrupt on timer initialization

by Ley Foon Tan

In the RISC-V specification, the stimecmp register doesn't have a default value. To prevent the timer interrupt from being triggered during timer initialization, clear the timer interrupt by writing stimecmp with a maximum value. Fixes: 9f7a8ff6391f ("RISC-V: Prefer sstc extension if available") Cc: <stable(a)vger.kernel.org> Signed-off-by: Ley Foon Tan <leyfoon.tan(a)starfivetech.com> --- v2: Resolved comments from Anup. - Moved riscv_clock_event_stop() to riscv_timer_starting_cpu(). - Added Fixes tag --- drivers/clocksource/timer-riscv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/clocksource/timer-riscv.c b/drivers/clocksource/timer-riscv.c index e66dcbd66566..672669eb7281 100644 --- a/drivers/clocksource/timer-riscv.c +++ b/drivers/clocksource/timer-riscv.c @@ -116,6 +116,9 @@ static int riscv_timer_starting_cpu(unsigned int cpu) ce->rating = 450; clockevents_config_and_register(ce, riscv_timebase, 100, 0x7fffffff); + /* Clear timer interrupt */ + riscv_clock_event_stop(); + enable_percpu_irq(riscv_clock_event_irq, irq_get_trigger_type(riscv_clock_event_irq)); return 0; -- 2.43.0

1 year, 6 months

3
2
0 0

[PATCH 6.7 000/641] 6.7.2-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.7.2 release. There are 641 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Jan 2024 23:56:49 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.7.2-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.7.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.7.2-rc1 Marek Szyprowski <m.szyprowski(a)samsung.com> i2c: s3c24xx: fix transferring more than one message in polling mode Marek Szyprowski <m.szyprowski(a)samsung.com> i2c: s3c24xx: fix read transfers in polling mode Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work Amit Cohen <amcohen(a)nvidia.com> selftests: mlxsw: qos_pfc: Adjust the test to support 8 lanes Petr Machata <petrm(a)nvidia.com> mlxsw: spectrum_router: Register netdevice notifier before nexthop Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix stack corruption Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path Amit Cohen <amcohen(a)nvidia.com> mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure Christoph Hellwig <hch(a)lst.de> loop: fix the the direct I/O support check when used on top of block devices Ludvig Pärsson <ludvig.parsson(a)axis.com> ethtool: netlink: Add missing ethnl_ops_begin/complete Mark Brown <broonie(a)kernel.org> arm64/ptrace: Don't flush ZA/ZT storage when writing ZA via ptrace Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> kdb: Fix a potential buffer overflow in kdb_local() Pavel Begunkov <asml.silence(a)gmail.com> io_uring: adjust defer tw counting Fedor Pchelkin <pchelkin(a)ispras.ru> ipvs: avoid stat macros calls from preemptible context Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: skip dead set elements in netlink dump Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: do not allow mismatch field size and set key length Pavel Tikhomirov <ptikhomirov(a)virtuozzo.com> netfilter: bridge: replace physindev with physinif in nf_bridge_info Pavel Tikhomirov <ptikhomirov(a)virtuozzo.com> netfilter: propagate net to nf_bridge_get_physindev Pavel Tikhomirov <ptikhomirov(a)virtuozzo.com> netfilter: nf_queue: remove excess nf_bridge variable Pavel Tikhomirov <ptikhomirov(a)virtuozzo.com> netfilter: nfnetlink_log: use proper helper for fetching physinif Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_limit: do not ignore unsupported flags Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject invalid set policy Jakub Kicinski <kuba(a)kernel.org> net: netdevsim: don't try to destroy PHC on VFs Paolo Abeni <pabeni(a)redhat.com> mptcp: relax check on MPC passive fallback Hengqi Chen <hengqi.chen(a)gmail.com> LoongArch: BPF: Prevent out-of-bounds memory access Kunwu Chan <chentao(a)kylinos.cn> net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe Hao Sun <sunhao.th(a)gmail.com> bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS Qiang Ma <maqianga(a)uniontech.com> net: stmmac: ethtool: Fixed calltrace caused by unbalanced disable_irq_wake calls Benjamin Poirier <bpoirier(a)nvidia.com> selftests: bonding: Change script interpreter Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fall back to INPUT power for AVG power via INFO IOCTL Dafna Hirschfeld <dhirschfeld(a)habana.ai> drm/amdkfd: fixes for HMM mem allocation Lukas Wunner <lukas(a)wunner.de> gpiolib: Fix scope-based gpio_device refcounting Kai Vehmanen <kai.vehmanen(a)linux.intel.com> ASoC: SOF: ipc4-loader: remove the CPC check warnings Su Hui <suhui(a)nfschina.com> gpio: mlxbf3: add an error code check in mlxbf3_gpio_probe Michal Simek <michal.simek(a)amd.com> dt-bindings: gpio: xilinx: Fix node address in gpio Nikita Yushchenko <nikita.yoush(a)cogentembedded.com> net: ravb: Fix dma_addr_t truncation in error case John Fastabend <john.fastabend(a)gmail.com> net: tls, fix WARNIING in __sk_msg_free Martin KaFai Lau <martin.lau(a)kernel.org> bpf: Avoid iter->offset making backward progress in bpf_iter_udp Martin KaFai Lau <martin.lau(a)kernel.org> bpf: iter_udp: Retry with a larger batch size without going back to the previous bucket Marc Kleine-Budde <mkl(a)pengutronix.de> net: netdev_queue: netdev_txq_completed_mb(): fix wake condition Eric Dumazet <edumazet(a)google.com> net: add more sanity check in virtio_net_hdr_to_skb() Gao Xiang <xiang(a)kernel.org> erofs: fix inconsistent per-file compression format Eric Dumazet <edumazet(a)google.com> udp: annotate data-races around up->pending Sneh Shah <quic_snehshah(a)quicinc.com> net: stmmac: Fix ethool link settings ops for integrated PCS Jens Axboe <axboe(a)kernel.dk> block: ensure we hold a queue reference when using queue limits Eric Dumazet <edumazet(a)google.com> mptcp: refine opt_mp_capable determination Eric Dumazet <edumazet(a)google.com> mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() Eric Dumazet <edumazet(a)google.com> mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() Eric Dumazet <edumazet(a)google.com> mptcp: strict validation before using mp_opt->hmac Eric Dumazet <edumazet(a)google.com> mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> ALSA: hda: Properly setup HDMI stream Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> net: phy: micrel: populate .soft_reset for KSZ9131 Horatiu Vultur <horatiu.vultur(a)microchip.com> net: micrel: Fix PTP frame parsing for lan8841 Chancel Liu <chancel.liu(a)nxp.com> ALSA: aloop: Introduce a function to get if access is interleaved mode Taehee Yoo <ap420073(a)gmail.com> amt: do not use overwrapped cb area Sanjuán García, Jorge <Jorge.SanjuanGarcia(a)duagon.com> net: ethernet: ti: am65-cpsw: Fix max mtu to fit ethernet frames Nithin Dabilpuram <ndabilpuram(a)marvell.com> octeontx2-af: CN10KB: Fix FIFO length calculation for RPM2 David Howells <dhowells(a)redhat.com> rxrpc: Fix use of Don't Fragment flag Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events Lin Ma <linma(a)zju.edu.cn> net: qualcomm: rmnet: fix global oob in rmnet_policy Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: fix max size calculation in zpci_memcpy_toio() AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> ASoC: mediatek: sof-common: Add NULL check for normal_link string Jianjun Wang <jianjun.wang(a)mediatek.com> PCI: mediatek-gen3: Fix translation window size calculation Gaosheng Cui <cuigaosheng1(a)huawei.com> apparmor: Fix memory leak in unpack_profile() Siddharth Vadapalli <s-vadapalli(a)ti.com> PCI: keystone: Fix race condition when initializing PHYs Maurizio Lombardi <mlombard(a)redhat.com> nvmet-tcp: Fix the H2C expected PDU len calculation Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> PCI: xilinx-xdma: Fix error code in xilinx_pl_dma_pcie_init_irq_domain() Krzysztof Wilczyński <kwilczynski(a)kernel.org> PCI: xilinx-xdma: Fix uninitialized symbols in xilinx_pl_dma_pcie_setup_irq() Arnd Bergmann <arnd(a)arndb.de> nvme: trace: avoid memcpy overflow warning Arnd Bergmann <arnd(a)arndb.de> nvmet: re-fix tracing strncpy() warning Shameer Kolothum <shameerali.kolothum.thodi(a)huawei.com> hisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> spi: coldfire-qspi: Remove an erroneous clk_disable_unprepare() from the remove function Dan Williams <dan.j.williams(a)intel.com> cxl/port: Fix missing target list lock Ben Gainey <ben.gainey(a)arm.com> perf db-export: Fix missing reference count get in call_path_from_sample() Dan Carpenter <dan.carpenter(a)linaro.org> cdx: Unlock on error path in rescan_store() Dan Carpenter <dan.carpenter(a)linaro.org> cdx: call of_node_put() on error path Sam Ravnborg <sam(a)ravnborg.org> serial: apbuart: fix console prompt on qemu Christoph Niedermaier <cniedermaier(a)dh-electronics.com> serial: imx: Correct clock error message in function probe() Chunfeng Yun <chunfeng.yun(a)mediatek.com> usb: xhci-mtk: fix a short packet issue of gen1 isoc-in transfer Fedor Pchelkin <pchelkin(a)ispras.ru> apparmor: avoid crash when parsed profile name is empty Fedor Pchelkin <pchelkin(a)ispras.ru> apparmor: fix possible memory leak in unpack_trans_table Jim Harris <jim.harris(a)samsung.com> cxl/region: fix x9 interleave typo Ian Rogers <irogers(a)google.com> perf stat: Fix hard coded LL miss units Ian Rogers <irogers(a)google.com> perf env: Avoid recursively taking env->bpf_progs.lock Fedor Pchelkin <pchelkin(a)ispras.ru> apparmor: free the allocated pdb objects Christoph Hellwig <hch(a)lst.de> nvmet-tcp: fix a missing endianess conversion in nvmet_tcp_try_peek_pdu Maurizio Lombardi <mlombard(a)redhat.com> nvmet-tcp: fix a crash in nvmet_req_complete() Maurizio Lombardi <mlombard(a)redhat.com> nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length John Johansen <john.johansen(a)canonical.com> apparmor: Fix ref count leak in task_kill Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> vdpa: Fix an error handling path in eni_vdpa_probe() Kunwu Chan <chentao(a)kylinos.cn> power: supply: Fix null pointer dereference in smb2_probe Jing Zhang <renyu.zj(a)linux.alibaba.com> perf vendor events: Remove UTF-8 characters from cmn.json Ashish Mhetre <amhetre(a)nvidia.com> iommu: Don't reserve 0-length IOVA region Ayush Singh <ayushdevel1325(a)gmail.com> greybus: gb-beagleplay: Remove use of pad bytes Andrzej Pietrasiewicz <andrzej.p(a)collabora.com> usb: gadget: webcam: Make g_webcam loadable again Nícolas F. R. A. Prado <nfraprado(a)collabora.com> spmi: mtk-pmif: Serialize PMIF status check and command submission Rob Herring <robh(a)kernel.org> cdx: Explicitly include correct DT includes, again Douglas Anderson <dianders(a)chromium.org> usb: core: Fix crash w/ usb_choose_configuration() if no driver Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: qrb5165-rb5: use u16 for DP altmode svid Oliver Neukum <oneukum(a)suse.com> usb: cdc-acm: return correct error code on unsupported break Manivannan Sadhasivam <mani(a)kernel.org> PCI: epf-mhi: Fix the DMA data direction of dma_unmap_single() Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: ep: Pass mhi_ep_buf_info struct to read/write APIs Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: ep: Use slab allocator where applicable Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: ep: Do not allocate event ring element on stack Namhyung Kim <namhyung(a)kernel.org> perf unwind-libunwind: Fix base address for .eh_frame Namhyung Kim <namhyung(a)kernel.org> perf unwind-libdw: Handle JIT-generated DSOs properly Namhyung Kim <namhyung(a)kernel.org> perf genelf: Set ELF program header addresses properly Yicong Yang <yangyicong(a)hisilicon.com> perf hisi-ptt: Fix one memory leakage in hisi_ptt_process_auxtrace_event() Yicong Yang <yangyicong(a)hisilicon.com> perf header: Fix one memory leakage in perf_event__fprintf_event_update() Nuno Sa <nuno.sa(a)analog.com> iio: adc: ad9467: fix scale setting Nuno Sa <nuno.sa(a)analog.com> iio: adc: ad9467: add mutex to struct ad9467_state Nuno Sa <nuno.sa(a)analog.com> iio: adc: ad9467: don't ignore error codes Nuno Sa <nuno.sa(a)analog.com> iio: adc: ad9467: fix reset gpio handling Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> selftests/sgx: Skip non X86_64 platform Jo Van Bulck <jo.vanbulck(a)cs.kuleuven.be> selftests/sgx: Include memory clobber for inline asm in test enclave Jo Van Bulck <jo.vanbulck(a)cs.kuleuven.be> selftests/sgx: Fix uninitialized pointer dereferences in encl_get_entry Jo Van Bulck <jo.vanbulck(a)cs.kuleuven.be> selftests/sgx: Fix uninitialized pointer dereference in error path Paul Geurts <paul_geurts(a)live.nl> serial: imx: fix tx statemachine deadlock Sakari Ailus <sakari.ailus(a)linux.intel.com> software node: Let args be NULL in software_node_get_reference_args Sakari Ailus <sakari.ailus(a)linux.intel.com> acpi: property: Let args be NULL in __acpi_node_get_property_reference Gregory Price <gourry.memverge(a)gmail.com> base/node.c: initialize the accessor list before registering Ian Rogers <irogers(a)google.com> perf stat: Exit perf stat if parse groups fails Kan Liang <kan.liang(a)linux.intel.com> perf mem: Fix error on hybrid related to availability of mem event in a PMU Athira Rajeev <atrajeev(a)linux.vnet.ibm.com> perf vendor events powerpc: Update datasource event name to fix duplicate events Ilkka Koskinen <ilkka(a)os.amperecomputing.com> perf vendor events arm64 AmpereOne: Rename BPU_FLUSH_MEM_FAULT to GPC_FLUSH_MEM_FAULT Brett Creeley <brett.creeley(a)amd.com> vfio/pds: Fix calculations in pds_vfio_dirty_sync Veronika Molnarova <vmolnaro(a)redhat.com> perf test record user-regs: Fix mask for vg register Douglas Anderson <dianders(a)chromium.org> r8152: Choose our USB config with choose_configuration() rather than probe() Douglas Anderson <dianders(a)chromium.org> usb: core: Allow subclassed USB drivers to override usb_choose_configuration() Umang Jain <umang.jain(a)ideasonboard.com> staging: vc04_services: Do not pass NULL to vchiq_log_error() Umang Jain <umang.jain(a)ideasonboard.com> staging: vc04_services: vchiq_core: Log through struct vchiq_instance Arnaldo Carvalho de Melo <acme(a)redhat.com> libapi: Add missing linux/types.h header to get the __u64 type on io.h Adrian Hunter <adrian.hunter(a)intel.com> perf header: Fix segfault on build_mem_topology() error path Nick Forrington <nick.forrington(a)arm.com> perf test: Remove atomics from test_loop to avoid test failures Laurentiu Tudor <laurentiu.tudor(a)nxp.com> iommu: Map reserved memory as cacheable if device is coherent Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource() Su Hui <suhui(a)nfschina.com> power: supply: bq256xx: fix some problem in bq256xx_hw_init Jan Palus <jpalus(a)fastmail.com> power: supply: cw2015: correct time_to_empty units in sysfs Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> drm/i915/dp: Fix the max DSC bpc supported by source Frederik Haxel <haxel(a)fzi.de> riscv: Fixed wrong register in XIP_FIXUP_FLASH_OFFSET macro Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix set_direct_map_default_noflush() to reset _PAGE_EXEC Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix module_alloc() that did not reset the linear mapping permissions Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix wrong usage of lm_alias() when splitting a huge linear mapping Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Check if the code to patch lies in the exit section Vincent Whitchurch <vincent.whitchurch(a)axis.com> um: virt-pci: fix platform map offset Serge Semin <fancer.lancer(a)gmail.com> mips: Fix incorrect max_low_pfn adjustment Serge Semin <fancer.lancer(a)gmail.com> mips: dmi: Fix early remap on MIPS32 Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> srcu: Use try-lock lockdep annotation for NMI-safe access. Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> mfd: intel-lpss: Fix the fractional clock divider flags Kunwu Chan <chentao(a)kylinos.cn> mfd: tps6594: Add null pointer check to tps6594_device_init() Martin Kurbanov <mmkurbanov(a)salutedevices.com> leds: aw200xx: Fix write to DIM parameter Dang Huynh <danct12(a)riseup.net> leds: aw2013: Select missing dependency REGMAP_I2C Paul E. McKenney <paulmck(a)kernel.org> rcu: Restrict access to RCU CPU stall notifiers Kunwu Chan <chentao(a)kylinos.cn> mfd: syscon: Fix null pointer dereference in of_syscon_register() Charles Keepax <ckeepax(a)opensource.cirrus.com> mfd: cs42l43: Correct SoundWire port list Neil Armstrong <neil.armstrong(a)linaro.org> mfd: rk8xx: fixup devices registration with PLATFORM_DEVID_AUTO Randy Dunlap <rdunlap(a)infradead.org> ARM: 9330/1: davinci: also select PINCTRL Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: set safe default SPI clock frequency Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: add check for unsupported SPI modes during probe Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Correct behavior when processing some confidence == false touches Yauhen Kharuzhy <jekhor(a)gmail.com> HID: sensor-hub: Enable hid core report processing for all devices Marcelo Schmitt <marcelo.schmitt(a)analog.com> iio: adc: ad7091r: Pass iio_dev to event handler Sean Christopherson <seanjc(a)google.com> KVM: x86/pmu: Reset the PMU, i.e. stop counters, before refreshing Sean Christopherson <seanjc(a)google.com> KVM: x86/pmu: Move PMU reset logic to common x86 code Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache Marc Zyngier <maz(a)kernel.org> KVM: arm64: vgic-v4: Restore pending state on host userspace write Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/kvm: Do not try to disable kvmclock if it was not enabled Manivannan Sadhasivam <mani(a)kernel.org> ARM: dts: qcom: sdx55: Fix the base address of PCIe PHY qizhong cheng <qizhong.cheng(a)mediatek.com> PCI: mediatek: Clear interrupt status before dispatching handler Niklas Cassel <niklas.cassel(a)wdc.com> PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() alignment support Bjorn Helgaas <bhelgaas(a)google.com> x86/pci: Reserve ECAM if BIOS didn't include it in PNP0C02 _CRS Tadeusz Struk <tstruk(a)gigaio.com> PCI/P2PDMA: Remove reference to pci_p2pdma_map_sg() Huang Ying <ying.huang(a)intel.com> cxl/port: Fix decoder initialization when nr_targets > interleave_ways Christian König <christian.koenig(a)amd.com> drm/amdgpu: revert "Adjust removal control flow for smu v13_0_2" Sean Christopherson <seanjc(a)google.com> Revert "nSVM: Check for reserved encodings of TLB_CONTROL in nested VMCB" Nicolas Dichtel <nicolas.dichtel(a)6wind.com> Revert "net: rtnetlink: Enslave device before bringing it up" Romain Gantois <romain.gantois(a)bootlin.com> net: stmmac: Prevent DSA tags from breaking COE Petr Tesarik <petr(a)tesarici.cz> net: stmmac: fix ethtool per-queue statistics David Lin <yu-hao.lin(a)nxp.com> wifi: mwifiex: fix uninitialized firmware_stat David Lin <yu-hao.lin(a)nxp.com> wifi: mwifiex: configure BSSID consistently when starting AP David Lin <yu-hao.lin(a)nxp.com> wifi: mwifiex: add extra delay for firmware ready Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code Christian Marangi <ansuelsmth(a)gmail.com> wifi: mt76: fix broken precal loading from MTD for mt7915 Isaac J. Manjarres <isaacmanjarres(a)google.com> iommu/dma: Trace bounce buffer usage when mapping buffers Rob Clark <robdclark(a)chromium.org> iommu/arm-smmu-qcom: Add missing GMU entry to match table Aurelien Jarno <aurelien(a)aurel32.net> media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) Jiri Olsa <olsajiri(a)gmail.com> bpf: Fix re-attachment branch in bpf_tracing_prog_attach Gui-Dong Han <2045gemini(a)gmail.com> Bluetooth: Fix atomicity violation in {min,max}_key_size_set Stefan Berger <stefanb(a)linux.ibm.com> rootfs: Fix support for rootfstype= when root= is given Bart Van Assche <bvanassche(a)acm.org> md/raid1: Use blk_opf_t for read and write operations Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: Fix out-of-bounds access in of_pwm_single_xlate() Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: jz4740: Don't use dev_err_probe() in .request() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: check if catch-all set element is active in next generation Matthew Wilcox (Oracle) <willy(a)infradead.org> block: Fix iterating over an empty bio with bio_for_each_folio_all Matthew Wilcox (Oracle) <willy(a)infradead.org> block: Remove special-casing of compound pages Min Li <min15.li(a)samsung.com> block: add check that partition length needs to be aligned with block size Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Enable PCIe PME from D3 Yu Kuai <yukuai3(a)huawei.com> md: Fix md_seq_ops() regressions Junxiao Bi <junxiao.bi(a)oracle.com> md: bypass block throttle for superblock update Chandrakanth patil <chandrakanth.patil(a)broadcom.com> scsi: mpi3mr: Block PEL Enable Command on Controller Reset and Unrecoverable State Chandrakanth patil <chandrakanth.patil(a)broadcom.com> scsi: mpi3mr: Clean up block devices post controller reset Chandrakanth patil <chandrakanth.patil(a)broadcom.com> scsi: mpi3mr: Refresh sdev queue depth after controller reset Amir Goldstein <amir73il(a)gmail.com> scsi: target: core: add missing file_{start,end}_write() Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Simplify power management during async scan Nam Cao <namcao(a)linutronix.de> fbdev: flush deferred IO before closing Nam Cao <namcao(a)linutronix.de> fbdev: flush deferred work in fb_deferred_io_fsync() Thomas Zimmermann <tzimmermann(a)suse.de> fbdev/acornfb: Fix name of fb_ops initializer macro Jens Axboe <axboe(a)kernel.dk> io_uring: ensure local task_work is run on wait timeout Jens Axboe <axboe(a)kernel.dk> io_uring/rw: ensure io->bytes_done is always initialized Pavel Begunkov <asml.silence(a)gmail.com> io_uring: don't check iopoll if request completes Xi Ruoyao <xry111(a)xry111.site> LoongArch: Fix and simplify fcsr initialization on execve() Eric Biggers <ebiggers(a)google.com> ceph: select FS_ENCRYPTION_ALGS if FS_ENCRYPTION Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: only v2 leases handle the directory Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix UAF issue in ksmbd_tcp_new_connection() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: validate mech token in session setup Bin Li <bin.li(a)canonical.com> ALSA: hda/realtek: Enable headset mic on Lenovo M70 Gen5 Yo-Jung Lin <leo.lin(a)canonical.com> ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on HP ZBook Çağhan Demir <caghandemir(a)marun.edu.tr> ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq2xxx Takashi Iwai <tiwai(a)suse.de> ALSA: oxygen: Fix right channel of capture volume mixer Lino Sanfilippo <l.sanfilippo(a)kunbus.com> serial: omap: do not override settings for RS485 support Lino Sanfilippo <l.sanfilippo(a)kunbus.com> serial: 8250_exar: Set missing rs485_supported flag Christoph Niedermaier <cniedermaier(a)dh-electronics.com> serial: imx: Ensure that imx_uart_rs485_config() is called with enabled clock Lino Sanfilippo <l.sanfilippo(a)kunbus.com> serial: core, imx: do not set RS485 enabled if it is not supported Stefan Wahren <wahrenst(a)gmx.net> serial: 8250_bcm2835aux: Restore clock error handling Lino Sanfilippo <l.sanfilippo(a)kunbus.com> serial: core: set missing supported flag for RX during TX GPIO Lino Sanfilippo <l.sanfilippo(a)kunbus.com> serial: core: make sure RS485 cannot be enabled when it is not supported Lino Sanfilippo <l.sanfilippo(a)kunbus.com> serial: core: fix sanitizing check for RTS settings Lino Sanfilippo <l.sanfilippo(a)kunbus.com> serial: Do not hold the port lock when setting rx-during-tx GPIO Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: phy: qcom,sc8280xp-qmp-usb43dp-phy: fix path to header Gui-Dong Han <2045gemini(a)gmail.com> usb: mon: Fix atomicity violation in mon_bin_vma_fault RD Babiera <rdbabiera(a)google.com> usb: typec: class: fix typec_altmode_put_partner to put plugs Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" Frank Li <Frank.Li(a)nxp.com> usb: cdns3: Fix uvc fail when DMA cross 4k boundery since sg enabled Frank Li <Frank.Li(a)nxp.com> usb: cdns3: fix iso transfer error when mult is not zero Frank Li <Frank.Li(a)nxp.com> usb: cdns3: fix uvc failure work since sg support enabled Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: wait controller resume finished for wakeup irq Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Revert "usb: dwc3: Soft reset phy on probe for host" Wesley Cheng <quic_wcheng(a)quicinc.com> usb: dwc3: gadget: Queue PM runtime idle on disconnect event Wesley Cheng <quic_wcheng(a)quicinc.com> usb: dwc3: gadget: Handle EP0 request dequeuing properly Uttkarsh Aggarwal <quic_uaggarwa(a)quicinc.com> usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart Xu Yang <xu.yang_2(a)nxp.com> usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() Richard Acayan <mailingradian(a)gmail.com> usb: gadget: u_ether: Re-attach netif device to mirror detachment Frank Li <Frank.Li(a)nxp.com> Revert "usb: gadget: f_uvc: change endpoint allocation in uvc_function_bind()" Heiko Carstens <hca(a)linux.ibm.com> tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s: Increase default stack size to 32KB Arnd Bergmann <arnd(a)arndb.de> clocksource/drivers/ep93xx: Fix error handling during probe Inochi Amaoto <inochiama(a)outlook.com> dt-bindings: timer: thead,c900-aclint-mtimer: separate mtime and mtimecmp regs Tony Lindgren <tony(a)atomide.com> clocksource/drivers/timer-ti-dm: Fix make W=n kerneldoc warnings Carlos Llamas <cmllamas(a)google.com> binder: fix race between mmput() and do_exit() Jan Beulich <jbeulich(a)suse.com> xen-netback: don't produce zero-size SKB frags Kaibo Ma <ent3rm4n(a)gmail.com> Revert "drm/amdkfd: Relocate TBA/TMA to opposite side of VM hole" Matthew Maurer <mmaurer(a)google.com> rust: Ignore preserve-most functions Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - use ab83 as id when skipping the getid command Carlos Llamas <cmllamas(a)google.com> binder: fix unused alloc->free_async_space Carlos Llamas <cmllamas(a)google.com> binder: fix async space check for 0-sized buffers Jordan Rome <linux(a)jordanrome.com> selftests/bpf: Add assert for user stacks in test_task_stack Tejun Heo <tj(a)kernel.org> Revert "kernfs: convert kernfs_idr_lock to an irq safe raw spinlock" Andrea Righi <andrea.righi(a)canonical.com> kernfs: convert kernfs_idr_lock to an irq safe raw spinlock Jing Xia <jing.xia(a)unisoc.com> class: fix use-after-free in class_register() Geert Uytterhoeven <geert+renesas(a)glider.be> of: unittest: Fix of_count_phandle_with_args() expected value message Dario Binacchi <dario.binacchi(a)amarulasolutions.com> fbdev: imxfb: fix left margin setting Christian A. Ehrhardt <lk(a)c--e.de> of: Fix double free in of_parse_phandle_with_args_map Li Nan <linan122(a)huawei.com> ksmbd: validate the zero field of packet header Mirsad Todorovac <mirsad.todorovac(a)alu.unizg.hr> kselftest/alsa - conf: Stringify the printed errno in sysfs_get() Mirsad Todorovac <mirsad.todorovac(a)alu.unizg.hr> kselftest/alsa - mixer-test: Fix the print format specifier warning Mirsad Todorovac <mirsad.todorovac(a)alu.unizg.hr> kselftest/alsa - mixer-test: fix the number of parameters to ksft_exit_fail_msg() Arnd Bergmann <arnd(a)arndb.de> drm/amd/display: avoid stringop-overflow warnings for dp_decide_lane_settings() Zhipeng Lu <alexious(a)zju.edu.cn> drm/amd/pm/smu7: fix a memleak in smu7_hwmgr_backend_init Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c Sergey Gorenko <sergeygo(a)nvidia.com> IB/iser: Prevent invalidating wrong MR Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdkfd: Fix type of 'dbg_flags' in 'struct kfd_process' Peter Robinson <pbrobinson(a)gmail.com> mmc: sdhci_omap: Fix TI SoC dependencies Peter Robinson <pbrobinson(a)gmail.com> mmc: sdhci_am654: Fix TI SoC dependencies Geoffrey D. Bennett <g(a)b4.vu> ALSA: scarlett2: Add missing mutex lock around get meter levels Geoffrey D. Bennett <g(a)b4.vu> ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put() Geoffrey D. Bennett <g(a)b4.vu> ALSA: scarlett2: Add missing error checks to *_ctl_get() Geoffrey D. Bennett <g(a)b4.vu> ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config() Geoffrey D. Bennett <g(a)b4.vu> ALSA: scarlett2: Add missing error check to scarlett2_config_save() Hans de Goede <hdegoede(a)redhat.com> ASoC: rt5645: Drop double EF20 entry from dmi_platform_data[] Philipp Zabel <p.zabel(a)pengutronix.de> pwm: stm32: Fix enable count for clk in .probe() Philipp Zabel <p.zabel(a)pengutronix.de> pwm: stm32: Use hweight32 in stm32_pwm_detect_channels Théo Lebrun <theo.lebrun(a)bootlin.com> clk: fixed-rate: fix clk_hw_register_fixed_rate_with_accuracy_parent_hw Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: dispcc-sm8550: Use the correct PLL configuration function Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: dispcc-sm8550: Update disp PLL settings Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: gpucc-sm8550: Update GPU PLL settings Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: gcc-sm8550: Mark RCGs shared where applicable Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: gcc-sm8550: use collapse-voting for PCIe GDSCs Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: gcc-sm8550: Mark the PCIe GDSCs votable Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: gcc-sm8550: Add the missing RETAIN_FF_ENABLE GDSC flag Xingyuan Mo <hdthky0(a)gmail.com> accel/habanalabs: fix information leak in sec_attest_info() Nícolas F. R. A. Prado <nfraprado(a)collabora.com> drm/mediatek: dp: Add phy_mtk_dp module as pre-dependency Gergo Koteles <soyer(a)irl.hu> ASoC: tas2781: add support for FW version 0x0503 Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: amd: vangogh: Drop conflicting ACPI-based probing Su Hui <suhui(a)nfschina.com> clk: si5341: fix an error code problem in si5341_output_clk_set_rate Marek Vasut <marek.vasut+renesas(a)mailbox.org> clk: rs9: Fix DIF OEn bit placement on 9FGV0241 Vignesh Raghavendra <vigneshr(a)ti.com> watchdog: rti_wdt: Drop runtime pm reference count when watchdog is unused Stefan Wahren <wahrenst(a)gmx.net> watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling Jerry Hoemann <jerry.hoemann(a)hpe.com> watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO Curtis Klein <curtis.klein(a)hpe.com> watchdog: set cdev owner before adding Jay Buddhabhatti <jay.buddhabhatti(a)amd.com> drivers: clk: zynqmp: update divider round rate logic Jay Buddhabhatti <jay.buddhabhatti(a)amd.com> drivers: clk: zynqmp: calculate closest mux rate Yang Yingliang <yangyingliang(a)huawei.com> clk: sp7021: fix return value check in sp7021_clk_probe() Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: videocc-sm8150: Add missing PLL config property Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: fix to check return value of f2fs_recover_xattr_data Zhipeng Lu <alexious(a)zju.edu.cn> drm/amd/pm: fix a double-free in amdgpu_parse_extended_power_table Zhipeng Lu <alexious(a)zju.edu.cn> gpu/drm/radeon: fix two memleaks in radeon_vm_init Zhipeng Lu <alexious(a)zju.edu.cn> drivers/amd/pm: fix a use-after-free in kv_parse_power_table Zhipeng Lu <alexious(a)zju.edu.cn> drm/amd/pm: fix a double-free in si_dpm_init Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/debugfs: fix error code when smc register accessors are NULL Hsiao Chien Sung <shawn.sung(a)mediatek.com> drm/mediatek: Fix underrun in VDO1 when switches off the layer Hsiao Chien Sung <shawn.sung(a)mediatek.com> drm/mediatek: Remove the redundant driver data for DPI Hsiao Chien Sung <shawn.sung(a)mediatek.com> drm/mediatek: Return error if MDP RDMA failed to enable the clock Arnd Bergmann <arnd(a)arndb.de> media: i2c: mt9m114: use fsleep() in place of udelay() Jessica Zhang <quic_jesszhan(a)quicinc.com> drm/msm/dpu: Drop enable and frame_count parameters from dpu_hw_setup_misr() Jessica Zhang <quic_jesszhan(a)quicinc.com> drm/msm/dpu: Set input_sel bit for INTF Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> clk: renesas: rzg2l: Check reset monitor registers Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> clk: renesas: rzg2l-cpg: Reuse code in rzg2l_cpg_reset() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> media: dvb-frontends: m88ds3103: Fix a memory leak in an error handling path of m88ds3103_probe() Dan Carpenter <dan.carpenter(a)linaro.org> media: dvbdev: drop refcount on error path in dvb_device_open() Chao Yu <chao(a)kernel.org> f2fs: fix to update iostat correctly in f2fs_filemap_fault() Chao Yu <chao(a)kernel.org> f2fs: fix to check compress file in f2fs_move_file_range() Chao Yu <chao(a)kernel.org> f2fs: fix to wait on block writeback for post_read case Chris Morgan <macromorgan(a)hotmail.com> drm/panel: st7701: Fix AVCL calculation Bjorn Andersson <quic_bjorande(a)quicinc.com> drm/msm/adreno: Fix A680 chip id Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> media: rkisp1: Fix memory leaks in rkisp1_isp_unregister() Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> media: rkisp1: Fix media device memory leak Mehdi Djait <mehdi.djait(a)bootlin.com> media: dt-bindings: media: rkisp1: Fix the port description for the parallel interface Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> media: imx-mipi-csis: Drop extra clock enable at probe() Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> media: imx-mipi-csis: Fix clock handling in remove() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: videobuf2: request more buffers for vb2_read Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: bttv: add back vbi hack Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: bttv: start_streaming should return a proper error code Daniel Rosenberg <drosen(a)google.com> f2fs: Restrict max filesize for 16K f2fs Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gpucc-sm8150: Update the gpu_cc_pll1 config Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix memory leak in free_mr_init() Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: SOF: Intel: pci-mtl: fix ARL-S definitions Zhipeng Lu <alexious(a)zju.edu.cn> media: cx231xx: fix a memleak in cx231xx_init_isoc Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: tc358767: Fix return value on error case Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: cdns-mhdp8546: Fix use of uninitialized variable Zhipeng Lu <alexious(a)zju.edu.cn> drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table Zhipeng Lu <alexious(a)zju.edu.cn> drm/radeon/dpm: fix a memleak in sumo_parse_power_table Yang Yingliang <yangyingliang(a)huawei.com> drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check writeback connectors in create_validate_stream_for_sink Harry Wentland <harry.wentland(a)amd.com> drm/amd/display: Use drm_connector in create_stream_for_sink Harry Wentland <harry.wentland(a)amd.com> drm/amd/display: Return drm_connector from find_first_crtc_matching_connector Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: correct clk bit for WB2 block AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/panfrost: Ignore core_mask for poweroff and disable PWRTRANS irq Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: populate SSPP scaler block version Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: enable SmartDMA on SM8450 Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: SOF: topology: Use partial match for disconnecting DAI link and DAI widget Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL Brent Lu <brent.lu(a)intel.com> ASoC: Intel: glk_rt5682_max98357a: fix board id mismatch Sebastian Reichel <sre(a)kernel.org> media: v4l: async: Fix duplicated list deletion Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/drv: propagate errors from drm_modeset_register_all() Konrad Dybcio <konrad.dybcio(a)linaro.org> drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks Bjorn Andersson <quic_bjorande(a)quicinc.com> drm/msm/dpu: Add missing safe_lut_tbl in sc8180x catalog Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/mdp4: flush vblank event on disable Arnd Bergmann <arnd(a)arndb.de> drm/msm/a6xx: add QMP dependency Linus Walleij <linus.walleij(a)linaro.org> ASoC: cs35l34: Fix GPIO name and drop legacy include Linus Walleij <linus.walleij(a)linaro.org> ASoC: cs35l33: Fix GPIO name and drop legacy include Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> drm/imx/lcdc: Fix double-free of driver data Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Fix dss reset Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Check for K2G in in dispc_softreset() Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Return error value from from softreset Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Move reset to the end of dispc_init() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix NULL pointer dereference at hibernate Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: check return value of radeon_ring_lock() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() Arnd Bergmann <arnd(a)arndb.de> ASoC: fsl_rpmsg: update Kconfig dependencies Thomas Zimmermann <tzimmermann(a)suse.de> fbdev/sm712fb: Use correct initializer macros for struct fb_ops Xin Ji <xji(a)analogixsemi.com> Revert "drm/bridge: Add 200ms delay to wait FW HPD status stable" Chao Yu <chao(a)kernel.org> f2fs: fix to avoid dirent corruption Liu Ying <victor.liu(a)nxp.com> drm/bridge: imx93-mipi-dsi: Fix a couple of building warnings Dario Binacchi <dario.binacchi(a)amarulasolutions.com> drm/bridge: Fix typo in post_disable() description Luben Tuikov <ltuikov89(a)gmail.com> drm/sched: Fix bounds limiting when given a malformed entity Alexander Stein <alexander.stein(a)ew.tq-group.com> media: amphion: Fix VPU core alias name Paul Kocialkowski <paul.kocialkowski(a)bootlin.com> media: rkvdec: Hook the (TRY_)DECODER_CMD stateless ioctls Paul Kocialkowski <paul.kocialkowski(a)bootlin.com> media: verisilicon: Hook the (TRY_)DECODER_CMD stateless ioctls Paul Kocialkowski <paul.kocialkowski(a)bootlin.com> media: visl: Hook the (TRY_)DECODER_CMD stateless ioctls Zheng Wang <zyytlz.wz(a)163.com> media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices Ricardo B. Marliere <ricardo(a)marliere.net> media: pvrusb2: fix use after free on context disconnection Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tilcdc: Fix irq free on unload Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function Abhinav Singh <singhabhinav9051571833(a)gmail.com> drm/nouveau/fence:: fix warning directly dereferencing a rcu pointer Chris Morgan <macromorgan(a)hotmail.com> drm/panel-elida-kd35t133: hold panel in reset for unprepare Chris Morgan <macromorgan(a)hotmail.com> drm/panel: nv3051d: Hold panel in reset for unprepare Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix inappropriate err code for unsupported operations Leon Romanovsky <leon(a)kernel.org> RDMA/usnic: Silence uninitialized symbol smatch warnings AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/panfrost: Really power off GPU cores in panfrost_gpu_power_off() Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/dp_mst: Fix fractional DSC bpp handling Jouni Högander <jouni.hogander(a)intel.com> drm/i915/display: Move releasing gem object away from fb tracking Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Revert "drm/omapdrm: Annotate dma-fence critical section in commit path" Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Revert "drm/tidss: Annotate dma-fence critical section in commit path" Arnd Bergmann <arnd(a)arndb.de> ARM: davinci: always select CONFIG_CPU_ARM926T Eric Dumazet <edumazet(a)google.com> ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() David Howells <dhowells(a)redhat.com> rxrpc: Fix skbuff cleanup of call's recvmsg_queue and rx_oos_queue Asmaa Mnebhi <asmaa(a)nvidia.com> mlxbf_gige: Enable the GigE port in mlxbf_gige_open Asmaa Mnebhi <asmaa(a)nvidia.com> mlxbf_gige: Fix intermittent no ip issue Tao Liu <taoliu828(a)163.com> net/sched: act_ct: fix skb leak and crash on ooo frags Ming Lei <ming.lei(a)redhat.com> blk-cgroup: fix rcu lockdep warning in blkg_lookup() Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Fix gotol with large offsets Eric Dumazet <edumazet(a)google.com> sctp: fix busy polling Eric Dumazet <edumazet(a)google.com> sctp: support MSG_ERRQUEUE flag in recvmsg() John Fastabend <john.fastabend(a)gmail.com> bpf: sockmap, fix proto update hook to avoid dup calls Benjamin Berg <benjamin.berg(a)intel.com> wifi: cfg80211: parse all ML elements in an ML probe response Benjamin Berg <benjamin.berg(a)intel.com> wifi: cfg80211: correct comment about MLD ID Kunwu Chan <chentao(a)kylinos.cn> ice: Fix some null pointer dereference issues in ice_ptp.c Andy Yan <andyshrk(a)163.com> arm64: dts: rockchip: Fix led pinctrl of lubancat 1 Christoph Hellwig <hch(a)lst.de> null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS Francesco Dolcini <francesco.dolcini(a)toradex.com> Bluetooth: btmtkuart: fix recv_buf() return value Francesco Dolcini <francesco.dolcini(a)toradex.com> Bluetooth: btnxpuart: fix recv_buf() return value Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: Fix bogus check for re-auth no supported with non-ssp Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: validate chain type update if available Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: mark newset as dead on transaction abort Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: assign phy_ctxt before eSR activation Anjaneyulu <pagadala.yesu.anjaneyulu(a)intel.com> wifi: iwlwifi: fix out of bound copy_from_user Ilan Peer <ilan.peer(a)intel.com> wifi: iwlwifi: mvm: Do not warn if valid link pair was not found Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: send TX path flush in rfkill Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: set siso/mimo chains to 1 in FW SMPS request Ayala Beker <ayala.beker(a)intel.com> wifi: mac80211: fix advertised TTLM scheduling Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192se: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192de: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192c: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: add calculate_bit_shift() Hou Tao <houtao1(a)huawei.com> bpf: Use c->unit_size to select target cache during free Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sc8180x: Fix up PCIe nodes Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sc8180x: Mark PCIe hosts cache-coherent Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sm8550: Update idle state time requirements Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sm8550: Separate out X3 idle state Chukun Pan <amadeus(a)jmu.edu.cn> arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sc7280: Mark SDHCI hosts as cache-coherent Li Nan <linan122(a)huawei.com> block: add check of 'minors' and 'first_minor' in device_add_disk() Abel Vesa <abel.vesa(a)linaro.org> soc: qcom: llcc: Fix LLCC_TRP_ATTR2_CFGn offset Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> firmware: qcom: qseecom: fix memory leaks in error paths Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8150-hdk: fix SS USB regulators Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8150: make dispcc cast minimal vote on MMCX Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sm6375: Hook up MPM Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: sm6375: fix USB wakeup interrupt types Atul Dhudase <quic_adhudase(a)quicinc.com> soc: qcom: llcc: Fix dis_cap_alloc and retain_on_pc configuration Nikita Travkin <nikita(a)trvn.ru> arm64: dts: qcom: acer-aspire1: Correct audio codec definition Hou Tao <houtao1(a)huawei.com> bpf: Limit the number of kprobes when attaching program to multiple kprobes Hou Tao <houtao1(a)huawei.com> bpf: Limit the number of uprobes when attaching program to multiple uprobes Joakim Zhang <joakim.zhang(a)cixtech.com> dma-mapping: clear dev->dma_mem to NULL after freeing it Arseniy Krasnov <avkrasnov(a)salutedevices.com> virtio/vsock: send credit update during setting SO_RCVLOWAT Arseniy Krasnov <avkrasnov(a)salutedevices.com> virtio/vsock: fix logic which reduces credit update messages Leone Fernando <leone4fernando(a)gmail.com> ipmr: support IP_PKTINFO on cache report IGMP msg Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: fix grep checking for fib_nexthop_multiprefix Yonghong Song <yonghong.song(a)linux.dev> bpf: Fix a race condition between btf_put() and map_free() Ahmad Fatoum <a.fatoum(a)pengutronix.de> ARM: dts: stm32: don't mix SCMI and non-SCMI board compatibles Tushar Vyavahare <tushar.vyavahare(a)intel.com> selftests/xsk: Fix for SEND_RECEIVE_UNALIGNED test Yihang Li <liyihang9(a)huawei.com> scsi: hisi_sas: Correct the number of global debugfs registers Yihang Li <liyihang9(a)huawei.com> scsi: hisi_sas: Rollback some operations if FLR failed Yihang Li <liyihang9(a)huawei.com> scsi: hisi_sas: Check before using pointer variables Yihang Li <liyihang9(a)huawei.com> scsi: hisi_sas: Replace with standard error code return value Manivannan Sadhasivam <mani(a)kernel.org> scsi: ufs: qcom: Fix the return value when platform_get_resource_byname() fails Manivannan Sadhasivam <mani(a)kernel.org> scsi: ufs: qcom: Fix the return value of ufs_qcom_ice_program_key() Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mm: Reduce GPU to nominal speed Geert Uytterhoeven <geert+renesas(a)glider.be> arm64: dts: renesas: white-hawk-cpu: Fix missing serial console pin control Rob Herring <robh(a)kernel.org> arm64: dts: xilinx: Apply overlays to base dtbs Li Nan <linan122(a)huawei.com> block: Set memalloc_noio to false on device_add_disk() error path YiFei Zhu <zhuyifei(a)google.com> selftests/bpf: Relax time_tai test for equal timestamps in tai_forward Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: don't support triggered EHT CQI feedback Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7921: fix wrong 6Ghz power type Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7921: fix CLC command timeout when suspend/resume Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7921: fix country count limitation for CLC Eugen Hristev <eugen.hristev(a)collabora.com> arm64: dts: mediatek: mt8186: fix address warning for ADSP mailboxes Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8186: Fix alias prefix for ovl_2l0 Moudy Ho <moudy.ho(a)mediatek.com> arm64: dts: mediatek: mt8195: revise VDOSYS RDMA node name Moudy Ho <moudy.ho(a)mediatek.com> arm64: dts: mediatek: mt8183: correct MDP3 DMA-related nodes Moudy Ho <moudy.ho(a)mediatek.com> dt-bindings: media: mediatek: mdp3: correct RDMA and WROT node with generic names Tiezhu Yang <yangtiezhu(a)loongson.cn> test_bpf: Rename second ALU64_SMOD_X to ALU64_SMOD_K Andrei Matei <andreimatei1(a)gmail.com> bpf: Fix accesses to uninit stack slots Andrei Matei <andreimatei1(a)gmail.com> bpf: Guard stack limits against 32bit overflow Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: hisilicon: hikey970-pmic: fix regulator cells properties Andrei Matei <andreimatei1(a)gmail.com> bpf: Fix verification of indirect var-off stack access Wang Zhao <wang.zhao(a)mediatek.com> wifi: mt76: mt7921s: fix workqueue problem causes STA association fail Arnd Bergmann <arnd(a)arndb.de> wifi: mt76: mt7996: fix mt7996_mcu_all_sta_info_event struct packing StanleyYP Wang <StanleyYP.Wang(a)mediatek.com> wifi: mt76: mt7915: also MT7981 is 3T3R but nss2 on 5 GHz band StanleyYP Wang <StanleyYP.Wang(a)mediatek.com> wifi: mt76: mt7915: fix EEPROM offset of TSSI flag on MT7981 StanleyYP Wang <StanleyYP.Wang(a)mediatek.com> wifi: mt76: mt7996: fix alignment of sta info event MeiChia Chiu <meichia.chiu(a)mediatek.com> wifi: mt76: mt7996: fix rate usage of inband discovery frames Sujuan Chen <sujuan.chen(a)mediatek.com> wifi: mt76: mt7996: fix the size of struct bss_rate_tlv Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: mt7915: fallback to non-wed mode if platform_get_resource fails in mt7915_mmio_wed_init() Christian Marangi <ansuelsmth(a)gmail.com> wifi: mt76: fix typo in mt76_get_of_eeprom_from_nvmem function Yi-Chia Hsieh <yi-chia.hsieh(a)mediatek.com> wifi: mt76: mt7996: fix uninitialized variable in parsing txfree Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: sm8550: fix USB wakeup interrupt types Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: sc7280: fix usb_2 wakeup interrupt types Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: sa8775p: fix USB wakeup interrupt types Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sc7280: Mark Adreno SMMU as DMA coherent Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sc7280: Fix up GPU SIDs Nia Espera <nespera(a)igalia.com> arm64: dts: qcom: sm8350: Fix DMA0 address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm6125: add interrupts to DWC3 USB controller Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sdm845-db845c: correct LED panic indicator Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: qrb5165-rb5: correct LED panic indicator Caleb Connolly <caleb.connolly(a)linaro.org> arm64: dts: qcom: qrb2210-rb1: use USB host mode Artem Chernyshev <artem.chernyshev(a)red-soft.ru> scsi: fnic: Return error if vmalloc() failed Andrii Nakryiko <andrii(a)kernel.org> bpf: fix check for attempt to corrupt spilled pointer Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: specify the interface when do arping Hou Tao <houtao1(a)huawei.com> bpf: Defer the free of inner map when necessary Hou Tao <houtao1(a)huawei.com> bpf: Add map and need_defer parameters to .map_fd_put_ptr() Douglas Anderson <dianders(a)chromium.org> arm64: dts: qcom: sm6350: Make watchdog bark interrupt edge triggered Douglas Anderson <dianders(a)chromium.org> arm64: dts: qcom: sc8280xp: Make watchdog bark interrupt edge triggered Douglas Anderson <dianders(a)chromium.org> arm64: dts: qcom: sa8775p: Make watchdog bark interrupt edge triggered Douglas Anderson <dianders(a)chromium.org> arm64: dts: qcom: sm8250: Make watchdog bark interrupt edge triggered Douglas Anderson <dianders(a)chromium.org> arm64: dts: qcom: sm8150: Make watchdog bark interrupt edge triggered Douglas Anderson <dianders(a)chromium.org> arm64: dts: qcom: sdm845: Make watchdog bark interrupt edge triggered Douglas Anderson <dianders(a)chromium.org> arm64: dts: qcom: sc7280: Make watchdog bark interrupt edge triggered Douglas Anderson <dianders(a)chromium.org> arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8550: correct TX Soundwire clock Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8450: correct TX Soundwire clock Bjorn Andersson <quic_bjorande(a)quicinc.com> arm64: dts: qcom: sc8180x-primus: Fix HALL_INT polarity Stephen Boyd <swboyd(a)chromium.org> dt-bindings: arm: qcom: Fix html link Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: sdx65: correct SPMI node name Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: sdx65: correct PCIe EP phy-names Andrii Nakryiko <andrii(a)kernel.org> bpf: enforce precision of R0 on callback return Yu Kuai <yukuai3(a)huawei.com> md: synchronize flush io with array reconfiguration Jeroen van Ingen Schenau <jeroen.vaningenschenau(a)novoserve.com> selftests/bpf: Fix erroneous bitmask operation Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> wifi: rtw88: sdio: Honor the host max_req_size in the RX path Jan Kiszka <jan.kiszka(a)siemens.com> arm64: dts: ti: iot2050: Re-add aliases Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> arm64: dts: ti: k3-am65-main: Fix DSS irq trigger type Nitin Yadav <n-yadav(a)ti.com> arm64: dts: ti: k3-am62a-main: Fix GPIO pin count in DT nodes Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath12k: fix the error handler of rfkill config Bart Van Assche <bvanassche(a)acm.org> scsi: bfa: Use the proper data type for BLIST flags Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() Peter Delevoryas <peter(a)pjd.dev> net/ncsi: Fix netlink major/minor version numbers Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> ARM: dts: qcom: apq8064: correct XOADC register address Arnd Bergmann <arnd(a)arndb.de> wifi: libertas: stop selecting wext Luca Weiss <luca.weiss(a)fairphone.com> wifi: ath11k: Defer on rproc_get failure Jordan Rome <jordalgo(a)meta.com> bpf: Add crosstask check to __bpf_get_stack Dave Marchevsky <davemarchevsky(a)fb.com> bpf: Add KF_RCU flag to bpf_refcount_acquire_impl Florian Lehner <dev(a)der-flo.net> bpf, lpm: Fix check prefixlen before walking trie Chih-Kang Chang <gary.chang(a)realtek.com> wifi: rtw88: fix RX filter in FIF_ALLMULTI flag Dan Carpenter <dan.carpenter(a)linaro.org> wifi: plfxlc: check for allocation failure in plfxlc_usb_wreq_async() Luca Weiss <luca(a)z3ntu.xyz> ARM: dts: qcom: msm8226: provide dsi phy clocks to mmcc Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: sc8280xp-x13s: add missing camera LED pin config Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sc8280xp-x13s: Use the correct DP PHY compatible Caleb Connolly <caleb.connolly(a)linaro.org> arm64: dts: qcom: qrb4210-rb2: don't force usb peripheral mode David McKay <david.mckay(a)codasip.com> asm-generic: Fix 32 bit __generic_cmpxchg_local Benjamin Coddington <bcodding(a)redhat.com> SUNRPC: Fixup v4.1 backchannel request timeouts Trond Myklebust <trond.myklebust(a)hammerspace.com> pNFS: Fix the pnfs block driver's calculation of layoutget size Olga Kornievskaia <kolga(a)netapp.com> SUNRPC: fix _xprt_switch_find_current_entry logic Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT Scott Mayhew <smayhew(a)redhat.com> NFS: Use parent's objective cred in nfs_access_login_time() Benjamin Coddington <bcodding(a)redhat.com> blocklayoutdriver: Fix reference leak of pnfs_device_node Arnd Bergmann <arnd(a)arndb.de> csky: fix arch_jump_label_transform_static override David Howells <dhowells(a)redhat.com> keys, dns: Fix size check of V1 server-list header Chengming Zhou <zhouchengming(a)bytedance.com> crypto: scomp - fix req->dst buffer overflow Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - do not resize req->src when doing hash operations Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix processing hash requests with req->nbytes < sg->length Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - improve error handling in sahara_sha_process() Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix wait_for_completion_timeout() error handling Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix ahash reqsize Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - handle zero-length aes requests Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - avoid skcipher fallback code duplication wangyangxin <wangyangxin1(a)huawei.com> crypto: virtio - Wait for tasklet to complete on device remove Alexander Aring <aahringo(a)redhat.com> dlm: fix format seq ops type 4 Edward Adam Davis <eadavis(a)qq.com> gfs2: fix kernel BUG in gfs2_quota_cleanup Osama Muhammad <osmtendev(a)gmail.com> gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump Christian Brauner <brauner(a)kernel.org> fs: indicate request originates from old mount API Gao Xiang <xiang(a)kernel.org> erofs: fix memory leak on short-lived bounced pages Sergey Shtylyov <s.shtylyov(a)omp.ru> pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() Zhiqi Song <songzhiqi1(a)huawei.com> crypto: hisilicon/zip - save capability registers in probe process Zhiqi Song <songzhiqi1(a)huawei.com> crypto: hisilicon/sec2 - save capability registers in probe process Zhiqi Song <songzhiqi1(a)huawei.com> crypto: hisilicon/hpre - save capability registers in probe process Wenkai Lin <linwenkai6(a)hisilicon.com> crypto: hisilicon/qm - add a function to set qm algs Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/zip - add zip comp high perf mode configuration Zhiqi Song <songzhiqi1(a)huawei.com> crypto: hisilicon/qm - save capability registers in qm init process Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix error handling in sahara_hw_descriptor_create() Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix processing requests with cryptlen < sg->length Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix ahash selftest failure Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix cbc selftest failure Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - remove FLAGS_NEW_KEY logic Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> crypto: safexcel - Add error handling for dma_map_sg() calls Yang Yingliang <yangyingliang(a)huawei.com> hwrng: stm32 - add missing clk_disable_unprepare() in stm32_rng_init() Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - add NULL pointer check Damian Muszynski <damian.muszynski(a)intel.com> crypto: qat - fix mutex ordering in adf_rl Damian Muszynski <damian.muszynski(a)intel.com> crypto: qat - fix error path in add_update_sla() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow multiple in-flight AIO requests Dinghao Liu <dinghao.liu(a)zju.edu.cn> crypto: ccp - fix memleak in ccp_init_dm_workarea Chen Ni <nichen(a)iscas.ac.cn> crypto: sa2ul - Return crypto_aead_setkey to transfer the error Damian Muszynski <damian.muszynski(a)intel.com> crypto: qat - add sysfs_added flag for rate limiting Damian Muszynski <damian.muszynski(a)intel.com> crypto: qat - add sysfs_added flag for ras Gonglei (Arei) <arei.gonglei(a)huawei.com> crypto: virtio - Handle dataq logic with tasklet Chanho Park <chanho61.park(a)samsung.com> crypto: jh7110 - Correct deferred probe return Dan Carpenter <dan.carpenter(a)linaro.org> crypto: qat - prevent underflow in rp2srv_store() Dan Carpenter <dan.carpenter(a)linaro.org> crypto: rsa - add a check for allocation failure Mickaël Salaün <mic(a)digikod.net> selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket Binbin Zhou <zhoubinbin(a)loongson.cn> drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment Borislav Petkov (AMD) <bp(a)alien8.de> cpuidle: haltpoll: Do not enable interrupts when entering idle ZhaoLong Wang <wangzhaolong1(a)huawei.com> mtd: Fix gluebi NULL pointer dereference caused by ftl notifier Richard Fitzgerald <rf(a)opensource.cirrus.com> kunit: debugfs: Handle errors from alloc_string_stream() Richard Fitzgerald <rf(a)opensource.cirrus.com> kunit: debugfs: Fix unchecked dereference in debugfs_print_results() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: core: Fix NULL pointer dereference in zone registration error path Tony Luck <tony.luck(a)intel.com> ACPI: extlog: Clear Extended Error Log status when RAS_CEC handled the error Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> ACPI: LPSS: Fix the fractional clock divider flags Wolfram Sang <wsa+renesas(a)sang-engineering.com> spi: sh-msiof: Enforce fixed DTDL for R-Car H3 Ard Biesheuvel <ardb(a)kernel.org> efivarfs: Free s_fs_info on unmount Ilias Apalodimas <ilias.apalodimas(a)linaro.org> efivarfs: force RO when remounting if SetVariable is not supported Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> calipso: fix memory leak in netlbl_calipso_add_pass() Alexandra Diupina <adiupina(a)astralinux.ru> cpufreq: scmi: process the result of devm_of_clk_add_hw_provider() David E. Box <david.e.box(a)linux.intel.com> platform/x86/intel/vsec: Fix xa_alloc memory leak Yang Yingliang <yangyingliang(a)huawei.com> spi: cadence-quadspi: add missing clk_disable_unprepare() in cqspi_probe() Chen Ni <nichen(a)iscas.ac.cn> KEYS: encrypted: Add check for strsep Nikita Kiryushin <kiryushin(a)ancud.ru> ACPI: LPIT: Avoid u32 multiplication overflow Nikita Kiryushin <kiryushin(a)ancud.ru> ACPI: video: check for error while searching for backlight device parent Ronald Monthero <debug.penguin32(a)gmail.com> mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response Amit Kumar Mahapatra <amit.kumar-mahapatra(a)amd.com> spi: spi-zynqmp-gqspi: fix driver kconfig dependencies Alexander Antonov <alexander.antonov(a)linux.intel.com> perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology() Yiwei Lin <s921975628(a)gmail.com> sched/fair: Update min_vruntime for reweight_entity() correctly Kunwu Chan <chentao(a)kylinos.cn> powerpc/imc-pmu: Add a null pointer check in update_events_in_group() Kunwu Chan <chentao(a)kylinos.cn> powerpc/powernv: Add a null pointer check in opal_powercap_init() Kunwu Chan <chentao(a)kylinos.cn> powerpc/powernv: Add a null pointer check in opal_event_init() Kunwu Chan <chentao(a)kylinos.cn> powerpc/powernv: Add a null pointer check to scom_debug_init_one() Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/rtas: Avoid warning on invalid token argument to sys_rtas() Kajol Jain <kjain(a)linux.ibm.com> powerpc/hv-gpci: Add return value check in affinity_domain_via_partition_show function Michael Ellerman <mpe(a)ellerman.id.au> selftests/powerpc: Fix error handling in FPU/VMX preemption tests Nicholas Piggin <npiggin(a)gmail.com> KVM: PPC: Book3S HV: Handle pending exceptions on guest entry with MSR_EE Junhao He <hejunhao3(a)huawei.com> drivers/perf: hisi: Fix some event id for HiSilicon UC pmu Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Fix HN-F class_occup_id events Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/intel: Set new revision only after a successful update Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/pseries/memhp: Fix access beyond end of drmem array Randy Dunlap <rdunlap(a)infradead.org> powerpc/44x: select I2C for CURRITUCK Peter Zijlstra <peterz(a)infradead.org> x86: Fix CPUIDLE_FLAG_IRQ_ENABLE leaking timer reprogram Jann Horn <jannh(a)google.com> fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() Masahiro Yamada <masahiroy(a)kernel.org> powerpc: add crtsavres.o to always-y instead of extra-y Arnd Bergmann <arnd(a)arndb.de> EDAC/thunderx: Fix possible out-of-bounds string access Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/inject: Clear test status value Colin Ian King <colin.i.king(a)gmail.com> x86/lib: Fix overflow when counting digits ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 6 + Documentation/devicetree/bindings/arm/qcom.yaml | 2 +- .../devicetree/bindings/gpio/xlnx,gpio-xilinx.yaml | 2 +- .../bindings/media/mediatek,mdp3-rdma.yaml | 29 +- .../bindings/media/mediatek,mdp3-wrot.yaml | 23 +- .../devicetree/bindings/media/rockchip-isp1.yaml | 11 +- .../phy/qcom,sc8280xp-qmp-usb43dp-phy.yaml | 4 +- .../bindings/timer/thead,c900-aclint-mtimer.yaml | 9 +- Documentation/driver-api/pci/p2pdma.rst | 16 +- Makefile | 4 +- arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 2 +- arch/arm/boot/dts/qcom/qcom-msm8226.dtsi | 4 +- arch/arm/boot/dts/qcom/qcom-sdx55.dtsi | 4 +- arch/arm/boot/dts/qcom/qcom-sdx65.dtsi | 4 +- arch/arm/boot/dts/st/stm32mp157a-dk1-scmi.dts | 2 +- arch/arm/boot/dts/st/stm32mp157c-dk2-scmi.dts | 2 +- arch/arm/boot/dts/st/stm32mp157c-ed1-scmi.dts | 2 +- arch/arm/boot/dts/st/stm32mp157c-ev1-scmi.dts | 3 +- arch/arm/mach-davinci/Kconfig | 2 + arch/arm64/boot/dts/freescale/imx8mm.dtsi | 4 +- arch/arm64/boot/dts/hisilicon/hikey970-pmic.dtsi | 3 - arch/arm64/boot/dts/mediatek/mt8183.dtsi | 6 +- arch/arm64/boot/dts/mediatek/mt8186.dtsi | 6 +- arch/arm64/boot/dts/mediatek/mt8195.dtsi | 24 +- arch/arm64/boot/dts/qcom/ipq6018.dtsi | 2 +- arch/arm64/boot/dts/qcom/qrb2210-rb1.dts | 4 + arch/arm64/boot/dts/qcom/qrb4210-rb2.dts | 1 - arch/arm64/boot/dts/qcom/qrb5165-rb5.dts | 4 +- arch/arm64/boot/dts/qcom/sa8775p.dtsi | 14 +- arch/arm64/boot/dts/qcom/sc7180-acer-aspire1.dts | 17 +- arch/arm64/boot/dts/qcom/sc7180.dtsi | 2 +- arch/arm64/boot/dts/qcom/sc7280.dtsi | 12 +- arch/arm64/boot/dts/qcom/sc8180x-primus.dts | 2 +- arch/arm64/boot/dts/qcom/sc8180x.dtsi | 10 +- .../dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 11 + arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 2 +- arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 2 +- arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6125.dtsi | 4 + arch/arm64/boot/dts/qcom/sm6350.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6375.dtsi | 41 ++- arch/arm64/boot/dts/qcom/sm8150-hdk.dts | 12 +- arch/arm64/boot/dts/qcom/sm8150.dtsi | 3 +- arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm8350.dtsi | 4 +- arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm8550.dtsi | 38 ++- .../boot/dts/renesas/r8a779g0-white-hawk-cpu.dtsi | 3 + arch/arm64/boot/dts/rockchip/rk3566-lubancat-1.dts | 2 +- arch/arm64/boot/dts/ti/k3-am62a-main.dtsi | 4 +- arch/arm64/boot/dts/ti/k3-am65-iot2050-common.dtsi | 10 + arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 2 +- arch/arm64/boot/dts/xilinx/Makefile | 9 +- arch/arm64/kernel/ptrace.c | 13 +- arch/arm64/kvm/vgic/vgic-its.c | 5 + arch/arm64/kvm/vgic/vgic-mmio-v3.c | 27 +- arch/csky/include/asm/jump_label.h | 5 + arch/loongarch/include/asm/elf.h | 5 - arch/loongarch/kernel/elf.c | 5 - arch/loongarch/kernel/process.c | 1 + arch/loongarch/net/bpf_jit.c | 5 +- arch/mips/alchemy/devboards/db1200.c | 2 +- arch/mips/alchemy/devboards/db1550.c | 2 +- arch/mips/include/asm/dmi.h | 2 +- arch/mips/kernel/setup.c | 4 +- arch/powerpc/Kconfig | 1 + arch/powerpc/kernel/rtas.c | 19 +- arch/powerpc/kvm/book3s_hv.c | 18 +- arch/powerpc/lib/Makefile | 2 +- arch/powerpc/perf/hv-gpci.c | 3 + arch/powerpc/perf/imc-pmu.c | 6 + arch/powerpc/platforms/44x/Kconfig | 1 + arch/powerpc/platforms/powernv/opal-irqchip.c | 2 + arch/powerpc/platforms/powernv/opal-powercap.c | 6 + arch/powerpc/platforms/powernv/opal-xscom.c | 5 + arch/powerpc/platforms/pseries/hotplug-memory.c | 9 +- arch/riscv/include/asm/sections.h | 1 + arch/riscv/include/asm/xip_fixup.h | 2 +- arch/riscv/kernel/module.c | 3 +- arch/riscv/kernel/patch.c | 11 +- arch/riscv/kernel/vmlinux-xip.lds.S | 2 + arch/riscv/kernel/vmlinux.lds.S | 2 + arch/riscv/mm/pageattr.c | 11 +- arch/s390/include/asm/pci_io.h | 32 +- arch/s390/net/bpf_jit_comp.c | 2 +- arch/s390/pci/pci_mmio.c | 12 +- arch/um/drivers/virt-pci.c | 2 +- arch/x86/events/intel/uncore_snbep.c | 10 +- arch/x86/include/asm/kvm-x86-pmu-ops.h | 2 +- arch/x86/include/asm/mwait.h | 11 +- arch/x86/kernel/cpu/mce/inject.c | 1 + arch/x86/kernel/cpu/microcode/intel.c | 14 +- arch/x86/kernel/kvmclock.c | 12 +- arch/x86/kvm/pmu.c | 63 +++- arch/x86/kvm/pmu.h | 18 -- arch/x86/kvm/svm/nested.c | 15 - arch/x86/kvm/svm/pmu.c | 16 - arch/x86/kvm/vmx/pmu_intel.c | 20 -- arch/x86/lib/misc.c | 2 +- arch/x86/pci/mmconfig-shared.c | 13 +- block/bio.c | 46 +-- block/blk-cgroup.h | 3 +- block/blk-mq.c | 16 +- block/genhd.c | 5 +- block/ioctl.c | 11 +- crypto/af_alg.c | 14 +- crypto/rsa.c | 2 + crypto/scompress.c | 6 + drivers/accel/habanalabs/common/habanalabs_ioctl.c | 2 +- drivers/acpi/acpi_extlog.c | 7 +- drivers/acpi/acpi_lpit.c | 2 +- drivers/acpi/acpi_lpss.c | 3 +- drivers/acpi/acpi_video.c | 12 +- drivers/acpi/property.c | 4 + drivers/android/binder_alloc.c | 22 +- drivers/base/class.c | 1 + drivers/base/node.c | 9 +- drivers/base/swnode.c | 3 + drivers/block/loop.c | 52 ++-- drivers/block/null_blk/main.c | 12 +- drivers/bluetooth/btmtkuart.c | 11 +- drivers/bluetooth/btnxpuart.c | 7 +- drivers/bus/mhi/ep/main.c | 139 ++++++--- drivers/bus/mhi/ep/ring.c | 41 +-- drivers/cdx/cdx.c | 14 +- drivers/char/hw_random/stm32-rng.c | 1 + drivers/clk/clk-renesas-pcie.c | 2 +- drivers/clk/clk-si5341.c | 4 +- drivers/clk/clk-sp7021.c | 12 +- drivers/clk/qcom/dispcc-sm8550.c | 12 +- drivers/clk/qcom/gcc-sm8550.c | 110 +++---- drivers/clk/qcom/gpucc-sm8150.c | 4 +- drivers/clk/qcom/gpucc-sm8550.c | 6 +- drivers/clk/qcom/videocc-sm8150.c | 1 + drivers/clk/renesas/rzg2l-cpg.c | 91 +++--- drivers/clk/zynqmp/clk-mux-zynqmp.c | 2 +- drivers/clk/zynqmp/divider.c | 66 +--- drivers/clocksource/timer-ep93xx.c | 5 +- drivers/clocksource/timer-ti-dm.c | 4 +- drivers/cpufreq/scmi-cpufreq.c | 7 +- drivers/cpuidle/cpuidle-haltpoll.c | 9 +- drivers/crypto/ccp/ccp-ops.c | 5 +- drivers/crypto/hisilicon/hpre/hpre_main.c | 122 ++++---- drivers/crypto/hisilicon/qm.c | 98 +++++- drivers/crypto/hisilicon/sec2/sec.h | 7 + drivers/crypto/hisilicon/sec2/sec_crypto.c | 10 +- drivers/crypto/hisilicon/sec2/sec_main.c | 70 +++-- drivers/crypto/hisilicon/zip/zip_main.c | 175 ++++++++--- drivers/crypto/inside-secure/safexcel_cipher.c | 19 +- .../intel/qat/qat_common/adf_accel_devices.h | 1 + drivers/crypto/intel/qat/qat_common/adf_rl.c | 7 +- drivers/crypto/intel/qat/qat_common/adf_rl.h | 1 + drivers/crypto/intel/qat/qat_common/adf_sysfs.c | 6 +- .../intel/qat/qat_common/adf_sysfs_ras_counters.c | 7 +- drivers/crypto/intel/qat/qat_common/adf_sysfs_rl.c | 8 + drivers/crypto/sa2ul.c | 3 +- drivers/crypto/sahara.c | 248 +++++++-------- drivers/crypto/starfive/jh7110-cryp.c | 10 +- drivers/crypto/virtio/virtio_crypto_common.h | 2 + drivers/crypto/virtio/virtio_crypto_core.c | 26 +- drivers/cxl/core/port.c | 24 +- drivers/cxl/core/region.c | 2 +- drivers/cxl/cxl.h | 2 - drivers/edac/thunderx_edac.c | 10 +- drivers/firmware/qcom/qcom_qseecom_uefisecapp.c | 20 +- drivers/firmware/ti_sci.c | 10 +- drivers/gpio/gpio-mlxbf3.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 32 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 34 +-- drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_reset.h | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.h | 1 - drivers/gpu/drm/amd/amdkfd/kfd_flat_memory.c | 26 +- drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 6 +- drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 21 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 76 +++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 6 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 4 +- .../display/dc/link/protocols/link_dp_training.c | 2 +- .../display/dc/link/protocols/link_dp_training.h | 2 +- drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 +- drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c | 52 +--- drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 5 +- .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 6 +- drivers/gpu/drm/bridge/analogix/anx7625.c | 3 - .../gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c | 3 +- drivers/gpu/drm/bridge/imx/imx93-mipi-dsi.c | 4 +- drivers/gpu/drm/bridge/tc358767.c | 2 +- drivers/gpu/drm/bridge/ti-tpd12s015.c | 4 +- drivers/gpu/drm/display/drm_dp_mst_topology.c | 20 +- drivers/gpu/drm/drm_drv.c | 10 +- drivers/gpu/drm/i915/display/intel_dp.c | 2 +- drivers/gpu/drm/i915/display/intel_dp_mst.c | 5 +- drivers/gpu/drm/i915/display/intel_frontbuffer.c | 2 - .../gpu/drm/i915/gem/i915_gem_object_frontbuffer.h | 1 + drivers/gpu/drm/imx/lcdc/imx-lcdc.c | 9 - drivers/gpu/drm/mediatek/mtk_disp_merge.c | 2 +- drivers/gpu/drm/mediatek/mtk_dp.c | 1 + drivers/gpu/drm/mediatek/mtk_dpi.c | 16 +- drivers/gpu/drm/mediatek/mtk_mdp_rdma.c | 3 +- drivers/gpu/drm/msm/Kconfig | 1 + drivers/gpu/drm/msm/adreno/adreno_device.c | 2 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_5_0_sm8150.h | 8 +- .../drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 9 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_6_0_sm8250.h | 2 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_6_2_sc7180.h | 2 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_7_2_sc7280.h | 2 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h | 24 +- drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 4 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 95 ++++-- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h | 3 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c | 6 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.h | 4 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_lm.c | 6 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_lm.h | 3 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_util.c | 20 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_util.h | 8 +- drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c | 9 + drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +- drivers/gpu/drm/nouveau/dispnv50/disp.c | 3 +- drivers/gpu/drm/nouveau/nv04_fence.c | 2 +- drivers/gpu/drm/omapdrm/omap_drv.c | 9 +- drivers/gpu/drm/panel/panel-elida-kd35t133.c | 2 + drivers/gpu/drm/panel/panel-newvision-nv3051d.c | 2 + drivers/gpu/drm/panel/panel-sitronix-st7701.c | 2 +- drivers/gpu/drm/panfrost/panfrost_gpu.c | 70 +++-- drivers/gpu/drm/radeon/r100.c | 4 +- drivers/gpu/drm/radeon/r600_cs.c | 4 +- drivers/gpu/drm/radeon/radeon_display.c | 7 +- drivers/gpu/drm/radeon/radeon_vm.c | 8 +- drivers/gpu/drm/radeon/si.c | 4 + drivers/gpu/drm/radeon/sumo_dpm.c | 4 +- drivers/gpu/drm/radeon/trinity_dpm.c | 4 +- drivers/gpu/drm/scheduler/sched_entity.c | 13 +- drivers/gpu/drm/tests/drm_dp_mst_helper_test.c | 6 +- drivers/gpu/drm/tidss/tidss_dispc.c | 63 +++- drivers/gpu/drm/tidss/tidss_kms.c | 4 - drivers/gpu/drm/tilcdc/tilcdc_drv.c | 2 +- drivers/greybus/gb-beagleplay.c | 58 +++- drivers/hid/hid-sensor-hub.c | 2 +- drivers/hid/wacom_wac.c | 32 +- drivers/i2c/busses/i2c-s3c2410.c | 40 +-- drivers/idle/intel_idle.c | 19 +- drivers/iio/adc/ad7091r-base.c | 6 +- drivers/iio/adc/ad9467.c | 112 +++++-- drivers/iio/adc/adi-axi-adc.c | 74 +---- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +- drivers/infiniband/hw/hns/hns_roce_pd.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 4 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/infiniband/ulp/iser/iscsi_iser.h | 2 - drivers/infiniband/ulp/iser/iser_initiator.c | 5 +- drivers/infiniband/ulp/iser/iser_memory.c | 8 +- drivers/infiniband/ulp/iser/iser_verbs.c | 1 - drivers/input/keyboard/atkbd.c | 12 +- drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 + drivers/iommu/dma-iommu.c | 3 + drivers/iommu/of_iommu.c | 7 + drivers/leds/Kconfig | 1 + drivers/leds/leds-aw200xx.c | 7 +- drivers/md/md.c | 69 +++-- drivers/md/raid1.c | 12 +- drivers/media/common/videobuf2/videobuf2-core.c | 9 +- drivers/media/dvb-core/dvbdev.c | 2 + drivers/media/dvb-frontends/m88ds3103.c | 7 +- drivers/media/i2c/mt9m114.c | 2 +- drivers/media/pci/bt8xx/bttv-driver.c | 27 +- drivers/media/pci/bt8xx/bttv-vbi.c | 8 +- drivers/media/pci/solo6x10/solo6x10-offsets.h | 10 +- drivers/media/platform/amphion/vpu_core.c | 2 +- .../media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 - drivers/media/platform/nxp/imx-mipi-csis.c | 17 +- .../media/platform/rockchip/rkisp1/rkisp1-dev.c | 6 +- .../media/platform/rockchip/rkisp1/rkisp1-isp.c | 1 + drivers/media/platform/verisilicon/hantro_drv.c | 2 + drivers/media/platform/verisilicon/hantro_v4l2.c | 3 + drivers/media/test-drivers/visl/visl-video.c | 3 + drivers/media/usb/cx231xx/cx231xx-core.c | 2 + drivers/media/usb/pvrusb2/pvrusb2-context.c | 3 +- drivers/media/v4l2-core/v4l2-async.c | 1 - drivers/mfd/cs42l43-sdw.c | 74 ++--- drivers/mfd/intel-lpss.c | 2 +- drivers/mfd/rk8xx-core.c | 34 +-- drivers/mfd/syscon.c | 4 + drivers/mfd/tps6594-core.c | 3 + drivers/mmc/host/Kconfig | 10 +- drivers/mtd/mtd_blkdevs.c | 4 +- drivers/mtd/nand/raw/fsl_ifc_nand.c | 2 +- drivers/net/amt.c | 6 +- drivers/net/dsa/vitesse-vsc73xx-core.c | 2 + drivers/net/ethernet/intel/ice/ice_ptp.c | 4 + drivers/net/ethernet/marvell/octeontx2/af/rpm.c | 7 +- .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 26 +- .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 6 +- .../net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c | 8 +- .../ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 6 +- .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 24 +- drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 2 +- drivers/net/ethernet/renesas/ravb_main.c | 2 +- drivers/net/ethernet/stmicro/stmmac/stmmac.h | 1 + .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 29 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 33 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 5 +- drivers/net/netdevsim/netdev.c | 9 +- drivers/net/phy/micrel.c | 9 + drivers/net/usb/r8152.c | 16 +- drivers/net/wireless/ath/ath11k/ahb.c | 4 +- drivers/net/wireless/ath/ath12k/core.c | 6 +- drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c | 3 +- drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 2 +- .../net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 8 +- drivers/net/wireless/intel/iwlwifi/mvm/phy-ctxt.c | 11 - drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 2 +- drivers/net/wireless/marvell/libertas/Kconfig | 2 - drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 + drivers/net/wireless/marvell/mwifiex/fw.h | 1 + drivers/net/wireless/marvell/mwifiex/ioctl.h | 1 + drivers/net/wireless/marvell/mwifiex/sdio.c | 21 +- drivers/net/wireless/marvell/mwifiex/sdio.h | 2 + drivers/net/wireless/marvell/mwifiex/uap_cmd.c | 8 + drivers/net/wireless/mediatek/mt76/eeprom.c | 6 +- drivers/net/wireless/mediatek/mt76/mt76.h | 3 +- drivers/net/wireless/mediatek/mt76/mt7615/sdio.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7915/eeprom.h | 3 +- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7915/mmio.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7921/init.c | 23 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 38 ++- drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 11 +- drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h | 1 + drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 3 + drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 4 +- .../net/wireless/mediatek/mt76/mt7921/sdio_mac.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 10 +- drivers/net/wireless/mediatek/mt76/sdio.c | 18 +- drivers/net/wireless/purelifi/plfxlc/usb.c | 5 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 79 +---- drivers/net/wireless/realtek/rtlwifi/pci.h | 5 - .../net/wireless/realtek/rtlwifi/rtl8188ee/phy.c | 14 +- .../wireless/realtek/rtlwifi/rtl8192c/phy_common.c | 12 +- .../wireless/realtek/rtlwifi/rtl8192c/phy_common.h | 1 - .../net/wireless/realtek/rtlwifi/rtl8192ce/phy.c | 6 +- .../net/wireless/realtek/rtlwifi/rtl8192ce/phy.h | 1 - .../net/wireless/realtek/rtlwifi/rtl8192cu/phy.c | 6 +- .../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 15 +- .../net/wireless/realtek/rtlwifi/rtl8192ee/phy.c | 16 +- .../net/wireless/realtek/rtlwifi/rtl8192se/phy.c | 15 +- .../net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 5 +- drivers/net/wireless/realtek/rtlwifi/wifi.h | 7 + drivers/net/wireless/realtek/rtw88/mac80211.c | 4 +- drivers/net/wireless/realtek/rtw88/sdio.c | 35 ++- drivers/net/xen-netback/netback.c | 44 ++- drivers/nvme/target/tcp.c | 22 +- drivers/nvme/target/trace.h | 5 +- drivers/of/base.c | 1 + drivers/of/unittest-data/tests-phandle.dtsi | 10 +- drivers/of/unittest.c | 74 +++-- drivers/pci/controller/dwc/pci-keystone.c | 9 + drivers/pci/controller/dwc/pcie-designware-ep.c | 1 + drivers/pci/controller/pcie-mediatek-gen3.c | 85 +++--- drivers/pci/controller/pcie-mediatek.c | 10 +- drivers/pci/controller/pcie-xilinx-dma-pl.c | 6 +- drivers/pci/endpoint/functions/pci-epf-mhi.c | 66 ++-- drivers/perf/arm-cmn.c | 2 +- drivers/perf/hisilicon/hisi_uncore_uc_pmu.c | 4 +- drivers/platform/x86/intel/vsec.c | 25 +- drivers/platform/x86/intel/vsec.h | 1 + drivers/power/supply/bq256xx_charger.c | 5 +- drivers/power/supply/cw2015_battery.c | 2 +- drivers/power/supply/qcom_pmi8998_charger.c | 4 + drivers/pwm/core.c | 2 +- drivers/pwm/pwm-jz4740.c | 7 +- drivers/pwm/pwm-stm32.c | 31 +- drivers/scsi/bfa/bfad_bsg.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 3 +- drivers/scsi/hisi_sas/hisi_sas_main.c | 11 +- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 9 +- drivers/scsi/lpfc/lpfc_els.c | 4 +- drivers/scsi/mpi3mr/mpi3mr_app.c | 16 + drivers/scsi/mpi3mr/mpi3mr_os.c | 19 +- drivers/soc/qcom/llcc-qcom.c | 10 +- drivers/spi/Kconfig | 3 +- drivers/spi/spi-cadence-quadspi.c | 4 +- drivers/spi/spi-coldfire-qspi.c | 1 - drivers/spi/spi-sh-msiof.c | 17 ++ drivers/spmi/spmi-mtk-pmif.c | 20 +- drivers/staging/media/rkvdec/rkvdec.c | 3 + .../interface/vchiq_arm/vchiq_connected.c | 4 +- .../interface/vchiq_arm/vchiq_connected.h | 4 +- .../vc04_services/interface/vchiq_arm/vchiq_core.c | 6 +- drivers/target/target_core_file.c | 10 +- drivers/thermal/loongson2_thermal.c | 2 +- drivers/thermal/thermal_core.c | 1 - drivers/tty/serial/8250/8250_bcm2835aux.c | 2 + drivers/tty/serial/8250/8250_exar.c | 5 +- drivers/tty/serial/8250/8250_omap.c | 2 +- drivers/tty/serial/apbuart.c | 2 +- drivers/tty/serial/imx.c | 40 +-- drivers/tty/serial/omap-serial.c | 27 +- drivers/tty/serial/sc16is7xx.c | 8 +- drivers/tty/serial/serial_core.c | 61 +++- drivers/tty/serial/stm32-usart.c | 8 +- drivers/tty/tty_io.c | 3 + drivers/ufs/core/ufshcd.c | 7 +- drivers/ufs/host/ufs-qcom.c | 4 +- drivers/usb/cdns3/cdns3-gadget.c | 142 ++++++--- drivers/usb/cdns3/cdns3-gadget.h | 3 + drivers/usb/chipidea/core.c | 7 + drivers/usb/class/cdc-acm.c | 3 + drivers/usb/core/generic.c | 16 + drivers/usb/dwc3/core.c | 39 +-- drivers/usb/dwc3/ep0.c | 5 +- drivers/usb/dwc3/gadget.c | 19 +- drivers/usb/gadget/function/f_uvc.c | 63 ++-- drivers/usb/gadget/function/u_ether.c | 2 + drivers/usb/gadget/function/u_uvc.h | 6 + drivers/usb/gadget/legacy/webcam.c | 333 ++++++++++++++++----- drivers/usb/host/xhci-mtk.c | 40 ++- drivers/usb/host/xhci-mtk.h | 2 + drivers/usb/mon/mon_bin.c | 7 +- drivers/usb/phy/phy-mxs-usb.c | 3 +- drivers/usb/typec/class.c | 4 +- drivers/vdpa/alibaba/eni_vdpa.c | 6 +- drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 7 +- drivers/vfio/pci/pds/dirty.c | 6 +- drivers/vhost/vsock.c | 1 + drivers/video/fbdev/acornfb.c | 2 +- drivers/video/fbdev/core/fb_defio.c | 8 +- drivers/video/fbdev/imxfb.c | 27 +- drivers/video/fbdev/sm712fb.c | 6 +- drivers/watchdog/bcm2835_wdt.c | 3 +- drivers/watchdog/hpwdt.c | 2 +- drivers/watchdog/rti_wdt.c | 13 +- drivers/watchdog/watchdog_dev.c | 3 +- fs/ceph/Kconfig | 1 + fs/dlm/debug_fs.c | 2 +- fs/efivarfs/super.c | 15 + fs/erofs/decompressor.c | 2 +- fs/erofs/zdata.c | 5 +- fs/erofs/zmap.c | 23 +- fs/f2fs/data.c | 7 +- fs/f2fs/file.c | 7 +- fs/f2fs/namei.c | 2 +- fs/f2fs/node.c | 6 +- fs/f2fs/super.c | 8 + fs/f2fs/xattr.c | 11 +- fs/gfs2/quota.c | 3 +- fs/gfs2/rgrp.c | 2 +- fs/namespace.c | 11 + fs/nfs/blocklayout/blocklayout.c | 7 +- fs/nfs/dir.c | 2 +- fs/nfs/direct.c | 5 +- fs/nfs/internal.h | 2 +- fs/nfs/nfs4proc.c | 3 + fs/nfs/pnfs.c | 3 +- fs/pipe.c | 17 +- fs/pstore/ram_core.c | 2 +- fs/smb/server/asn1.c | 5 + fs/smb/server/connection.c | 6 - fs/smb/server/connection.h | 2 +- fs/smb/server/oplock.c | 6 + fs/smb/server/smb2pdu.c | 22 +- fs/smb/server/smb_common.c | 6 +- fs/smb/server/transport_rdma.c | 11 +- fs/smb/server/transport_tcp.c | 13 +- include/asm-generic/cmpxchg-local.h | 2 +- include/crypto/if_alg.h | 3 + include/drm/display/drm_dp_mst_helper.h | 2 +- include/drm/drm_bridge.h | 2 +- include/linux/bio.h | 9 +- include/linux/bpf.h | 13 +- include/linux/clk-provider.h | 4 +- include/linux/gpio/driver.h | 2 +- include/linux/hisi_acc_qm.h | 20 +- include/linux/iio/adc/adi-axi-adc.h | 4 + include/linux/mhi_ep.h | 19 +- include/linux/netfilter_bridge.h | 6 +- include/linux/pci.h | 12 +- include/linux/rcu_notifier.h | 6 +- include/linux/rcupdate.h | 6 + include/linux/skbuff.h | 2 +- include/linux/srcu.h | 2 +- include/linux/usb.h | 6 + include/linux/virtio_net.h | 9 +- include/linux/virtio_vsock.h | 1 + include/net/af_vsock.h | 2 +- include/net/bluetooth/hci_core.h | 1 - include/net/netdev_queues.h | 2 +- include/uapi/linux/bpf.h | 3 + init/do_mounts.c | 9 +- io_uring/io_uring.c | 22 +- io_uring/rw.c | 10 +- kernel/bpf/arraymap.c | 12 +- kernel/bpf/hashtab.c | 6 +- kernel/bpf/helpers.c | 2 +- kernel/bpf/lpm_trie.c | 3 + kernel/bpf/map_in_map.c | 13 +- kernel/bpf/map_in_map.h | 2 +- kernel/bpf/memalloc.c | 105 +------ kernel/bpf/stackmap.c | 11 +- kernel/bpf/syscall.c | 47 ++- kernel/bpf/verifier.c | 96 +++--- kernel/debug/kdb/kdb_main.c | 2 - kernel/dma/coherent.c | 4 +- kernel/rcu/Kconfig.debug | 25 ++ kernel/rcu/rcu.h | 8 +- kernel/rcu/rcutorture.c | 12 +- kernel/rcu/tree_stall.h | 11 +- kernel/rcu/update.c | 6 + kernel/sched/fair.c | 20 +- kernel/time/tick-sched.c | 5 + kernel/trace/bpf_trace.c | 7 + lib/kunit/debugfs.c | 34 ++- lib/test_bpf.c | 2 +- net/bluetooth/hci_conn.c | 8 +- net/bluetooth/hci_debugfs.c | 12 +- net/bluetooth/hci_event.c | 11 +- net/bridge/br_netfilter_hooks.c | 42 ++- net/bridge/br_netfilter_ipv6.c | 14 +- net/core/rtnetlink.c | 14 +- net/dns_resolver/dns_key.c | 2 +- net/dsa/user.c | 7 +- net/ethtool/features.c | 9 +- net/ipv4/af_inet.c | 1 + net/ipv4/ipmr.c | 13 +- net/ipv4/netfilter/nf_reject_ipv4.c | 9 +- net/ipv4/udp.c | 34 +-- net/ipv6/ip6_tunnel.c | 26 +- net/ipv6/mcast.c | 4 + net/ipv6/netfilter/nf_reject_ipv6.c | 11 +- net/ipv6/udp.c | 16 +- net/mac80211/mlme.c | 49 ++- net/mptcp/options.c | 6 +- net/mptcp/subflow.c | 17 +- net/ncsi/internal.h | 7 +- net/ncsi/ncsi-netlink.c | 4 +- net/ncsi/ncsi-pkt.h | 7 +- net/ncsi/ncsi-rsp.c | 26 +- net/netfilter/ipset/ip_set_hash_netiface.c | 8 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_log_syslog.c | 13 +- net/netfilter/nf_queue.c | 6 +- net/netfilter/nf_tables_api.c | 38 ++- net/netfilter/nfnetlink_log.c | 8 +- net/netfilter/nft_limit.c | 19 +- net/netfilter/xt_physdev.c | 2 +- net/netlabel/netlabel_calipso.c | 49 +-- net/rxrpc/ar-internal.h | 1 + net/rxrpc/call_object.c | 4 +- net/rxrpc/local_object.c | 13 +- net/rxrpc/output.c | 6 +- net/rxrpc/rxkad.c | 2 + net/sched/act_ct.c | 12 +- net/sctp/socket.c | 13 +- net/sunrpc/xprt.c | 23 +- net/sunrpc/xprtmultipath.c | 2 +- net/tls/tls_sw.c | 6 +- net/unix/unix_bpf.c | 21 +- net/vmw_vsock/af_vsock.c | 9 +- net/vmw_vsock/hyperv_transport.c | 4 +- net/vmw_vsock/virtio_transport.c | 1 + net/vmw_vsock/virtio_transport_common.c | 43 ++- net/vmw_vsock/vsock_loopback.c | 1 + net/wireless/scan.c | 47 ++- rust/bindgen_parameters | 4 + security/apparmor/lib.c | 1 + security/apparmor/lsm.c | 1 - security/apparmor/policy.c | 13 +- security/apparmor/policy_unpack.c | 13 +- security/keys/encrypted-keys/encrypted.c | 4 + security/selinux/hooks.c | 7 + sound/drivers/aloop.c | 23 +- sound/pci/hda/patch_hdmi.c | 6 + sound/pci/hda/patch_realtek.c | 3 + sound/pci/oxygen/oxygen_mixer.c | 2 +- sound/soc/amd/vangogh/acp5x-mach.c | 35 +-- sound/soc/codecs/cs35l33.c | 4 +- sound/soc/codecs/cs35l34.c | 4 +- sound/soc/codecs/rt5645.c | 8 - sound/soc/codecs/tas2781-fmwlib.c | 1 + sound/soc/fsl/Kconfig | 1 + .../soc/intel/boards/sof_sdw_rt_sdca_jack_common.c | 1 + sound/soc/intel/common/soc-acpi-intel-glk-match.c | 14 +- sound/soc/mediatek/common/mtk-dsp-sof-common.c | 2 +- sound/soc/sof/intel/hda.h | 1 + sound/soc/sof/intel/mtl.c | 28 ++ sound/soc/sof/intel/pci-mtl.c | 12 +- sound/soc/sof/ipc4-loader.c | 11 +- sound/soc/sof/topology.c | 2 +- sound/usb/mixer_scarlett2.c | 207 +++++++++---- tools/include/uapi/linux/bpf.h | 3 + tools/lib/api/io.h | 1 + tools/perf/builtin-stat.c | 18 +- .../arch/arm64/ampere/ampereone/core-imp-def.json | 2 +- .../pmu-events/arch/arm64/arm/cmn/sys/cmn.json | 2 +- .../arch/powerpc/power10/datasource.json | 18 +- .../attr/test-record-user-regs-no-sve-aarch64 | 2 +- .../tests/attr/test-record-user-regs-sve-aarch64 | 2 +- tools/perf/tests/workloads/thloop.c | 4 +- tools/perf/util/bpf-event.c | 8 +- tools/perf/util/bpf-event.h | 12 +- tools/perf/util/db-export.c | 4 +- tools/perf/util/env.c | 50 ++-- tools/perf/util/env.h | 4 + tools/perf/util/genelf.c | 6 +- tools/perf/util/header.c | 17 +- tools/perf/util/hisi-ptt.c | 1 + tools/perf/util/mem-events.c | 25 +- tools/perf/util/stat-shadow.c | 2 +- tools/perf/util/unwind-libdw.c | 21 +- tools/perf/util/unwind-libunwind-local.c | 2 +- tools/testing/selftests/alsa/conf.c | 2 +- tools/testing/selftests/alsa/mixer-test.c | 4 +- tools/testing/selftests/bpf/prog_tests/bpf_iter.c | 2 + tools/testing/selftests/bpf/prog_tests/time_tai.c | 2 +- .../selftests/bpf/progs/bpf_iter_task_stack.c | 5 + tools/testing/selftests/bpf/progs/iters.c | 2 +- .../selftests/bpf/progs/test_global_func16.c | 2 +- .../selftests/bpf/progs/verifier_basic_stack.c | 8 +- .../testing/selftests/bpf/progs/verifier_int_ptr.c | 5 +- .../selftests/bpf/progs/verifier_raw_stack.c | 5 +- .../testing/selftests/bpf/progs/verifier_var_off.c | 62 +++- .../selftests/bpf/progs/xdp_synproxy_kern.c | 4 +- .../selftests/bpf/verifier/atomic_cmpxchg.c | 11 - tools/testing/selftests/bpf/verifier/calls.c | 4 +- tools/testing/selftests/bpf/xskxceiver.c | 25 +- .../drivers/net/bonding/mode-1-recovery-updelay.sh | 2 +- .../drivers/net/bonding/mode-2-recovery-updelay.sh | 2 +- .../testing/selftests/drivers/net/mlxsw/qos_pfc.sh | 18 +- .../drivers/net/mlxsw/spectrum-2/tc_flower.sh | 106 ++++++- .../selftests/net/arp_ndisc_untracked_subnets.sh | 2 +- .../selftests/net/fib_nexthop_multiprefix.sh | 4 +- tools/testing/selftests/powerpc/math/fpu_preempt.c | 9 +- tools/testing/selftests/powerpc/math/vmx_preempt.c | 10 +- tools/testing/selftests/sgx/Makefile | 2 +- tools/testing/selftests/sgx/load.c | 9 +- tools/testing/selftests/sgx/sigstruct.c | 5 +- tools/testing/selftests/sgx/test_encl.c | 8 +- 643 files changed, 5372 insertions(+), 3267 deletions(-)

1 year, 6 months

13
663
0 0

[PATCH 5.15 0/1] cifs: Fix stack-out-of-bounds in smb2_set_next_command()

by ZhaoLong Wang

Hello, I am sending this patch for inclusion in the stable tree, as it fixes a critical stack-out-of-bounds bug in the cifs module related to the `smb2_set_next_command()` function. Problem Summary: A problem was observed in the `statfs` system call for cifs, where it failed with a "Resource temporarily unavailable" message. Further investigation with KASAN revealed a stack-out-of-bounds error. The root cause was a miscalculation of the size of the `smb2_query_info_req` structure in the `SMB2_query_info_init()` function. This situation arose due to a dependency on a prior commit (`eb3e28c1e89b`) that replaced a 1-element array with a flexible array member in the `smb2_query_info_req` structure. This commit was not backported to the 5.10.y and 5.15.y stable branch, leading to an incorrect size calculation after the backport of commit `33eae65c6f49`. Fix Details: The patch corrects the size calculation to ensure the correct length is used when initializing the `smb2_query_info_req` structure. It has been tested and confirmed to resolve the issue without introducing any regressions. Maybe the prior commit eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays") should be backported to solve this problem directly. The patch does not seem to conflict. Best regards, ZhaoLong Wang ZhaoLong Wang (1): cifs: Fix stack-out-of-bounds in smb2_set_next_command() fs/cifs/smb2pdu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.39.2

1 year, 6 months

2
2
0 0

[PATCH v3] mm/zswap: invalidate old entry when store fail or !zswap_enabled

by chengming.zhou＠linux.dev

From: Chengming Zhou <zhouchengming(a)bytedance.com> We may encounter duplicate entry in the zswap_store(): 1. swap slot that freed to per-cpu swap cache, doesn't invalidate the zswap entry, then got reused. This has been fixed. 2. !exclusive load mode, swapin folio will leave its zswap entry on the tree, then swapout again. This has been removed. 3. one folio can be dirtied again after zswap_store(), so need to zswap_store() again. This should be handled correctly. So we must invalidate the old duplicate entry before insert the new one, which actually doesn't have to be done at the beginning of zswap_store(). And this is a normal situation, we shouldn't WARN_ON(1) in this case, so delete it. (The WARN_ON(1) seems want to detect swap entry UAF problem? But not very necessary here.) The good point is that we don't need to lock tree twice in the store success path. Note we still need to invalidate the old duplicate entry in the store failure path, otherwise the new data in swapfile could be overwrite by the old data in zswap pool when lru writeback. We have to do this even when !zswap_enabled since zswap can be disabled anytime. If the folio store success before, then got dirtied again but zswap disabled, we won't invalidate the old duplicate entry in the zswap_store(). So later lru writeback may overwrite the new data in swapfile. Fixes: 42c06a0e8ebe ("mm: kill frontswap") Cc: <stable(a)vger.kernel.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Acked-by: Yosry Ahmed <yosryahmed(a)google.com> Signed-off-by: Chengming Zhou <zhouchengming(a)bytedance.com> --- v3: - Fix a few grammatical problems in comments, per Yosry. v2: - Change the duplicate entry invalidation loop to if, since we hold the lock, we won't find it once we invalidate it, per Yosry. - Add Fixes tag. --- mm/zswap.c | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index cd67f7f6b302..d9d8947d6761 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -1518,18 +1518,8 @@ bool zswap_store(struct folio *folio) return false; if (!zswap_enabled) - return false; + goto check_old; - /* - * If this is a duplicate, it must be removed before attempting to store - * it, otherwise, if the store fails the old page won't be removed from - * the tree, and it might be written back overriding the new data. - */ - spin_lock(&tree->lock); - entry = zswap_rb_search(&tree->rbroot, offset); - if (entry) - zswap_invalidate_entry(tree, entry); - spin_unlock(&tree->lock); objcg = get_obj_cgroup_from_folio(folio); if (objcg && !obj_cgroup_may_zswap(objcg)) { memcg = get_mem_cgroup_from_objcg(objcg); @@ -1608,14 +1598,12 @@ bool zswap_store(struct folio *folio) /* map */ spin_lock(&tree->lock); /* - * A duplicate entry should have been removed at the beginning of this - * function. Since the swap entry should be pinned, if a duplicate is - * found again here it means that something went wrong in the swap - * cache. + * The folio may have been dirtied again, invalidate the + * possibly stale entry before inserting the new entry. */ - while (zswap_rb_insert(&tree->rbroot, entry, &dupentry) == -EEXIST) { - WARN_ON(1); + if (zswap_rb_insert(&tree->rbroot, entry, &dupentry) == -EEXIST) { zswap_invalidate_entry(tree, dupentry); + VM_WARN_ON(zswap_rb_insert(&tree->rbroot, entry, &dupentry)); } if (entry->length) { INIT_LIST_HEAD(&entry->lru); @@ -1638,6 +1626,17 @@ bool zswap_store(struct folio *folio) reject: if (objcg) obj_cgroup_put(objcg); +check_old: + /* + * If the zswap store fails or zswap is disabled, we must invalidate the + * possibly stale entry which was previously stored at this offset. + * Otherwise, writeback could overwrite the new data in the swapfile. + */ + spin_lock(&tree->lock); + entry = zswap_rb_search(&tree->rbroot, offset); + if (entry) + zswap_invalidate_entry(tree, entry); + spin_unlock(&tree->lock); return false; shrink: -- 2.40.1

1 year, 6 months

4
4
0 0

[PATCH 1/1] netfilter: ipset: Missing gc cancellations fixed

by Jozsef Kadlecsik

The patch fdb8e12cc2cc ("netfilter: ipset: fix performance regression in swap operation") missed to add the calls to gc cancellations at the error path of create operations and at module unload. Also, because the half of the destroy operations now executed by a function registered by call_rcu(), neither NFNL_SUBSYS_IPSET mutex or rcu read lock is held and therefore the checking of them results false warnings. Reported-by: syzbot+52bbc0ad036f6f0d4a25(a)syzkaller.appspotmail.com Reported-by: Brad Spengler <spender(a)grsecurity.net> Reported-by: Стас Ничипорович <stasn77(a)gmail.com> Fixes: fdb8e12cc2cc ("netfilter: ipset: fix performance regression in swap operation") Tested-by: Brad Spengler <spender(a)grsecurity.net> Tested-by: Стас Ничипорович <stasn77(a)gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec(a)netfilter.org> --- net/netfilter/ipset/ip_set_core.c | 2 ++ net/netfilter/ipset/ip_set_hash_gen.h | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index bcaad9c009fe..3184cc6be4c9 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -1154,6 +1154,7 @@ static int ip_set_create(struct sk_buff *skb, const struct nfnl_info *info, return ret; cleanup: + set->variant->cancel_gc(set); set->variant->destroy(set); put_out: module_put(set->type->me); @@ -2378,6 +2379,7 @@ ip_set_net_exit(struct net *net) set = ip_set(inst, i); if (set) { ip_set(inst, i) = NULL; + set->variant->cancel_gc(set); ip_set_destroy_set(set); } } diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h index c62998b46f00..7f362cad8e68 100644 --- a/net/netfilter/ipset/ip_set_hash_gen.h +++ b/net/netfilter/ipset/ip_set_hash_gen.h @@ -431,7 +431,7 @@ mtype_ahash_destroy(struct ip_set *set, struct htable *t, bool ext_destroy) u32 i; for (i = 0; i < jhash_size(t->htable_bits); i++) { - n = __ipset_dereference(hbucket(t, i)); + n = hbucket(t, i); if (!n) continue; if (set->extensions & IPSET_EXT_DESTROY && ext_destroy) @@ -451,7 +451,7 @@ mtype_destroy(struct ip_set *set) struct htype *h = set->data; struct list_head *l, *lt; - mtype_ahash_destroy(set, ipset_dereference_nfnl(h->table), true); + mtype_ahash_destroy(set, h->table, true); list_for_each_safe(l, lt, &h->ad) { list_del(l); kfree(l); -- 2.39.2

1 year, 6 months

3
2
0 0

[PATCH] btrfs: always scan a single device when mounted

by David Sterba

There are reports that since version 6.7 update-grub fails to find the device of the root on systems without initrd and on a single device. This looks like the device name changed in the output of /proc/self/mountinfo: 6.5-rc5 working 18 1 0:16 / / rw,noatime - btrfs /dev/sda8 ... 6.7 not working: 17 1 0:15 / / rw,noatime - btrfs /dev/root ... and "update-grub" shows this error: /usr/sbin/grub-probe: error: cannot find a device for / (is /dev mounted?) This looks like it's related to the device name, but grub-probe recognizes the "/dev/root" path and tries to find the underlying device. However there's a special case for some filesystems, for btrfs in particular. The generic root device detection heuristic is not done and it all relies on reading the device infos by a btrfs specific ioctl. This ioctl returns the device name as it was saved at the time of device scan (in this case it's /dev/root). The change in 6.7 for temp_fsid to allow several single device filesystem to exist with the same fsid (and transparently generate a new UUID at mount time) was to skip caching/registering such devices. This also skipped mounted device. One step of scanning is to check if the device name hasn't changed, and if yes then update the cached value. This broke the grub-probe as it always read the device /dev/root and couldn't find it in the system. A temporary workaround is to create a symlink but this does not survive reboot. The right fix is to allow updating the device path of a mounted filesystem even if this is a single device one. This does not affect the temp_fsid feature, the UUID of the mounted filesystem remains the same and the matching is based on device major:minor which is unique per mounted filesystem. As the main part of device scanning and list update is done in device_list_add() that handles all corner cases and locking, it is extended to take a parameter that tells it to do everything as before, except adding a new device entry. This covers the path when the device (that exists for all mounted devices) name changes, updating /dev/root to /dev/sdx. Any other single device with filesystem is skipped. Note that if a system is booted and initial mount is done on the /dev/root device, this will be the cached name of the device. Only after the command "btrfs device rescan" it will change as it triggers the rename. The fix was verified by users whose systems were affected. CC: stable(a)vger.kernel.org # 6.7+ Fixes: bc27d6f0aa0e ("btrfs: scan but don't register device on single device filesystem") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=218353 Link: https://lore.kernel.org/lkml/CAKLYgeJ1tUuqLcsquwuFqjDXPSJpEiokrWK2gisPKDZLs… Signed-off-by: David Sterba <dsterba(a)suse.com> --- fs/btrfs/volumes.c | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index 474ab7ed65ea..f2c2f7ca5c3d 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -738,6 +738,7 @@ static noinline struct btrfs_device *device_list_add(const char *path, bool same_fsid_diff_dev = false; bool has_metadata_uuid = (btrfs_super_incompat_flags(disk_super) & BTRFS_FEATURE_INCOMPAT_METADATA_UUID); + bool can_create_new = *new_device_added; if (btrfs_super_flags(disk_super) & BTRFS_SUPER_FLAG_CHANGING_FSID_V2) { btrfs_err(NULL, @@ -753,6 +754,7 @@ static noinline struct btrfs_device *device_list_add(const char *path, return ERR_PTR(error); } + *new_device_added = false; fs_devices = find_fsid_by_device(disk_super, path_devt, &same_fsid_diff_dev); if (!fs_devices) { @@ -804,6 +806,15 @@ static noinline struct btrfs_device *device_list_add(const char *path, return ERR_PTR(-EBUSY); } + if (!can_create_new) { + pr_info( + "BTRFS: device fsid %pU devid %llu transid %llu %s skip registration scanned by %s (%d)\n", + disk_super->fsid, devid, found_transid, path, + current->comm, task_pid_nr(current)); + mutex_unlock(&fs_devices->device_list_mutex); + return NULL; + } + nofs_flag = memalloc_nofs_save(); device = btrfs_alloc_device(NULL, &devid, disk_super->dev_item.uuid, path); @@ -1355,27 +1366,14 @@ struct btrfs_device *btrfs_scan_one_device(const char *path, blk_mode_t flags, goto error_bdev_put; } - if (!mount_arg_dev && btrfs_super_num_devices(disk_super) == 1 && - !(btrfs_super_flags(disk_super) & BTRFS_SUPER_FLAG_SEEDING)) { - dev_t devt; - - ret = lookup_bdev(path, &devt); - if (ret) - btrfs_warn(NULL, "lookup bdev failed for path %s: %d", - path, ret); - else - btrfs_free_stale_devices(devt, NULL); - - pr_debug("BTRFS: skip registering single non-seed device %s\n", path); - device = NULL; - goto free_disk_super; - } + if (mount_arg_dev || btrfs_super_num_devices(disk_super) != 1 || + (btrfs_super_flags(disk_super) & BTRFS_SUPER_FLAG_SEEDING)) + new_device_added = true; device = device_list_add(path, disk_super, &new_device_added); if (!IS_ERR(device) && new_device_added) btrfs_free_stale_devices(device->devt, device); -free_disk_super: btrfs_release_disk_super(disk_super); error_bdev_put: -- 2.42.1

1 year, 6 months

4
4
0 0

[PATCH 1/4] arm64: dts: qcom: sm8550-qrd: correct WCD9385 TX port mapping

by Krzysztof Kozlowski

WCD9385 audio codec TX port mapping was copied form HDK8450, but in fact it is offset by one. Correct it to fix recording via analogue microphones. Cc: <stable(a)vger.kernel.org> Fixes: 83fae950c992 ("arm64: dts: qcom: sm8550-qrd: add WCD9385 audio-codec") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- arch/arm64/boot/dts/qcom/sm8550-qrd.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/sm8550-qrd.dts b/arch/arm64/boot/dts/qcom/sm8550-qrd.dts index 6c8e206080d2..76e9ca954093 100644 --- a/arch/arm64/boot/dts/qcom/sm8550-qrd.dts +++ b/arch/arm64/boot/dts/qcom/sm8550-qrd.dts @@ -842,7 +842,7 @@ &swr2 { wcd_tx: codec@0,3 { compatible = "sdw20217010d00"; reg = <0 3>; - qcom,tx-port-mapping = <1 1 2 3>; + qcom,tx-port-mapping = <2 2 3 4>; }; }; -- 2.34.1

1 year, 6 months

4
9
0 0

[git:media_tree/master] media: tc358743: register v4l2 async device only after successful setup

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: tc358743: register v4l2 async device only after successful setup Author: Alexander Stein <alexander.stein(a)ew.tq-group.com> Date: Wed Jan 10 10:01:11 2024 +0100 Ensure the device has been setup correctly before registering the v4l2 async device, thus allowing userspace to access. Signed-off-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> Reviewed-by: Robert Foss <rfoss(a)kernel.org> Fixes: 4c5211a10039 ("[media] tc358743: register v4l2 asynchronous subdevice") Cc: stable(a)vger.kernel.org Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> drivers/media/i2c/tc358743.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index 2785935da497..558152575d10 100644 --- a/drivers/media/i2c/tc358743.c +++ b/drivers/media/i2c/tc358743.c @@ -2091,9 +2091,6 @@ static int tc358743_probe(struct i2c_client *client) state->mbus_fmt_code = MEDIA_BUS_FMT_RGB888_1X24; sd->dev = &client->dev; - err = v4l2_async_register_subdev(sd); - if (err < 0) - goto err_hdl; mutex_init(&state->confctl_mutex); @@ -2151,6 +2148,10 @@ static int tc358743_probe(struct i2c_client *client) if (err) goto err_work_queues; + err = v4l2_async_register_subdev(sd); + if (err < 0) + goto err_work_queues; + v4l2_info(sd, "%s found @ 0x%x (%s)\n", client->name, client->addr << 1, client->adapter->name);

1 year, 6 months

1
0
0 0

[PATCH v2] mm/zswap: invalidate old entry when store fail or !zswap_enabled

by chengming.zhou＠linux.dev

From: Chengming Zhou <zhouchengming(a)bytedance.com> We may encounter duplicate entry in the zswap_store(): 1. swap slot that freed to per-cpu swap cache, doesn't invalidate the zswap entry, then got reused. This has been fixed. 2. !exclusive load mode, swapin folio will leave its zswap entry on the tree, then swapout again. This has been removed. 3. one folio can be dirtied again after zswap_store(), so need to zswap_store() again. This should be handled correctly. So we must invalidate the old duplicate entry before insert the new one, which actually doesn't have to be done at the beginning of zswap_store(). And this is a normal situation, we shouldn't WARN_ON(1) in this case, so delete it. (The WARN_ON(1) seems want to detect swap entry UAF problem? But not very necessary here.) The good point is that we don't need to lock tree twice in the store success path. Note we still need to invalidate the old duplicate entry in the store failure path, otherwise the new data in swapfile could be overwrite by the old data in zswap pool when lru writeback. We have to do this even when !zswap_enabled since zswap can be disabled anytime. If the folio store success before, then got dirtied again but zswap disabled, we won't invalidate the old duplicate entry in the zswap_store(). So later lru writeback may overwrite the new data in swapfile. Fixes: 42c06a0e8ebe ("mm: kill frontswap") Cc: <stable(a)vger.kernel.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Signed-off-by: Chengming Zhou <zhouchengming(a)bytedance.com> --- v2: - Change the duplicate entry invalidation loop to if, since we hold the lock, we won't find it once we invalidate it, per Yosry. - Add Fixes tag. --- mm/zswap.c | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index cd67f7f6b302..6c1466633274 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -1518,18 +1518,8 @@ bool zswap_store(struct folio *folio) return false; if (!zswap_enabled) - return false; + goto check_old; - /* - * If this is a duplicate, it must be removed before attempting to store - * it, otherwise, if the store fails the old page won't be removed from - * the tree, and it might be written back overriding the new data. - */ - spin_lock(&tree->lock); - entry = zswap_rb_search(&tree->rbroot, offset); - if (entry) - zswap_invalidate_entry(tree, entry); - spin_unlock(&tree->lock); objcg = get_obj_cgroup_from_folio(folio); if (objcg && !obj_cgroup_may_zswap(objcg)) { memcg = get_mem_cgroup_from_objcg(objcg); @@ -1608,14 +1598,12 @@ bool zswap_store(struct folio *folio) /* map */ spin_lock(&tree->lock); /* - * A duplicate entry should have been removed at the beginning of this - * function. Since the swap entry should be pinned, if a duplicate is - * found again here it means that something went wrong in the swap - * cache. + * The folio could be dirtied again, invalidate the possible old entry + * before insert this new entry. */ - while (zswap_rb_insert(&tree->rbroot, entry, &dupentry) == -EEXIST) { - WARN_ON(1); + if (zswap_rb_insert(&tree->rbroot, entry, &dupentry) == -EEXIST) { zswap_invalidate_entry(tree, dupentry); + VM_WARN_ON(zswap_rb_insert(&tree->rbroot, entry, &dupentry)); } if (entry->length) { INIT_LIST_HEAD(&entry->lru); @@ -1638,6 +1626,17 @@ bool zswap_store(struct folio *folio) reject: if (objcg) obj_cgroup_put(objcg); +check_old: + /* + * If zswap store fail or zswap disabled, we must invalidate possible + * old entry which previously stored by this folio. Otherwise, later + * writeback could overwrite the new data in swapfile. + */ + spin_lock(&tree->lock); + entry = zswap_rb_search(&tree->rbroot, offset); + if (entry) + zswap_invalidate_entry(tree, entry); + spin_unlock(&tree->lock); return false; shrink: -- 2.40.1

1 year, 6 months

2
1
0 0

Requesting 3 patches for Apple Magic Keyboard 2021 to be merged to LTS kernels

by Aseda Aboagye

Dear stable kernel maintainers, I am writing to request that 3 related patches be merged to various LTS kernels. I'm not sure if it would have been preferable for me to send 3 separate emails, so please forgive me if I chose wrongly. (This is my first foray into interacting with the kernel community) :) The patches are as follows: 1. 0cd3be51733f (HID: apple: Add support for the 2021 Magic Keyboard, 2021-10-08) 2. 346338ef00d3 (HID: apple: Swap the Fn and Left Control keys on Apple keyboards, 2020-05-15) 3. 531cb56972f2 (HID: apple: Add 2021 magic keyboard FN key mapping, 2021-11-08) These patches have all been merged to mainline, but I believe when they were submitted, backporting may not have been considered. The Apple Magic Keyboard 2021 (Model # A2450) seems to be a popular keyboard, and without these patches, for users on certain LTS kernels that use this keyboard, the function keys do not behave as expected. e.g. Pressing the brightness down or brightness up key didn't work, and bizarrely pressing the globe/Fn key alone caused the brightness to decrease. None of the top row keys worked as expected. I checked to see where the patches were missing and figured that it would be good to have those patches in those kernels. I would ask that patches 1 & 3 be merged to v4.19, v5.4, v5.10, and v5.15. I would ask that patch 2 be merged to: v5.4 and v4.19. For patch 3 to apply cleanly, it needed patch 2 to be present in the tree. Thanks, -- Aseda Aboagye

1 year, 6 months

2
2
0 0

[PATCH] perf/x86: Fix out of range data

by Namhyung Kim

On x86 each cpu_hw_events maintains a table for counter assignment but it missed to update one for the deleted event in x86_pmu_del(). This can make perf_clear_dirty_counters() reset used counter if it's called before event scheduling or enabling. Then it would return out of range data which doesn't make sense. The following code can reproduce the problem. $ cat repro.c #include <pthread.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <linux/perf_event.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <sys/syscall.h> struct perf_event_attr attr = { .type = PERF_TYPE_HARDWARE, .config = PERF_COUNT_HW_CPU_CYCLES, .disabled = 1, }; void *worker(void *arg) { int cpu = (long)arg; int fd1 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0); int fd2 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0); void *p; do { ioctl(fd1, PERF_EVENT_IOC_ENABLE, 0); p = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd1, 0); ioctl(fd2, PERF_EVENT_IOC_ENABLE, 0); ioctl(fd2, PERF_EVENT_IOC_DISABLE, 0); munmap(p, 4096); ioctl(fd1, PERF_EVENT_IOC_DISABLE, 0); } while (1); return NULL; } int main(void) { int i; int n = sysconf(_SC_NPROCESSORS_ONLN); pthread_t *th = calloc(n, sizeof(*th)); for (i = 0; i < n; i++) pthread_create(&th[i], NULL, worker, (void *)(long)i); for (i = 0; i < n; i++) pthread_join(th[i], NULL); free(th); return 0; } And you can see the out of range data using perf stat like this. Probably it'd be easier to see on a large machine. $ gcc -o repro repro.c -pthread $ ./repro & $ sudo perf stat -A -I 1000 2>&1 | awk '{ if (length($3) > 15) print }' 1.001028462 CPU6 196,719,295,683,763 cycles # 194290.996 GHz (71.54%) 1.001028462 CPU3 396,077,485,787,730 branch-misses # 15804359784.80% of all branches (71.07%) 1.001028462 CPU17 197,608,350,727,877 branch-misses # 14594186554.56% of all branches (71.22%) 2.020064073 CPU4 198,372,472,612,140 cycles # 194681.113 GHz (70.95%) 2.020064073 CPU6 199,419,277,896,696 cycles # 195720.007 GHz (70.57%) 2.020064073 CPU20 198,147,174,025,639 cycles # 194474.654 GHz (71.03%) 2.020064073 CPU20 198,421,240,580,145 stalled-cycles-frontend # 100.14% frontend cycles idle (70.93%) 3.037443155 CPU4 197,382,689,923,416 cycles # 194043.065 GHz (71.30%) 3.037443155 CPU20 196,324,797,879,414 cycles # 193003.773 GHz (71.69%) 3.037443155 CPU5 197,679,956,608,205 stalled-cycles-backend # 1315606428.66% backend cycles idle (71.19%) 3.037443155 CPU5 198,571,860,474,851 instructions # 13215422.58 insn per cycle It should move the contents in the cpuc->assign as well. Fixes: 5471eea5d3bf ("perf/x86: Reset the dirty counter to prevent the leak for an RDPMC task") Cc: Kan Liang <kan.liang(a)linux.intel.com> Cc: stable(a)vger.kernel.org Signed-off-by: Namhyung Kim <namhyung(a)kernel.org> --- arch/x86/events/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c index 09050641ce5d..5b0dd07b1ef1 100644 --- a/arch/x86/events/core.c +++ b/arch/x86/events/core.c @@ -1644,6 +1644,7 @@ static void x86_pmu_del(struct perf_event *event, int flags) while (++i < cpuc->n_events) { cpuc->event_list[i-1] = cpuc->event_list[i]; cpuc->event_constraint[i-1] = cpuc->event_constraint[i]; + cpuc->assign[i-1] = cpuc->assign[i]; } cpuc->event_constraint[i-1] = NULL; --cpuc->n_events; -- 2.43.0.472.g3155946c3a-goog

1 year, 6 months

2
3
0 0

[PATCH v3 8/8] m68k: Move signal frame following exception on 68020/030

by Michael Schmitz

From: Finn Thain <fthain(a)linux-m68k.org> commit b845b574f86dcb6a70dfa698aa87a237b0878d2a upstream. On 68030/020, an instruction such as, moveml %a2-%a3/%a5,%sp@- may cause a stack page fault during instruction execution (i.e. not at an instruction boundary) and produce a format 0xB exception frame. In this situation, the value of USP will be unreliable. If a signal is to be delivered following the exception, this USP value is used to calculate the location for a signal frame. This can result in a corrupted user stack. The corruption was detected in dash (actually in glibc) where it showed up as an intermittent "stack smashing detected" message and crash following signal delivery for SIGCHLD. It was hard to reproduce that failure because delivery of the signal raced with the page fault and because the kernel places an unpredictable gap of up to 7 bytes between the USP and the signal frame. A format 0xB exception frame can be produced by a bus error or an address error. The 68030 Users Manual says that address errors occur immediately upon detection during instruction prefetch. The instruction pipeline allows prefetch to overlap with other instructions, which means an address error can arise during the execution of a different instruction. So it seems likely that this patch may help in the address error case also. Reported-and-tested-by: Stan Johnson <userm57(a)yahoo.com> Link: https://lore.kernel.org/all/CAMuHMdW3yD22_ApemzW_6me3adq6A458u1_F0v-1EYwK_6… Cc: Michael Schmitz <schmitzmic(a)gmail.com> Cc: Andreas Schwab <schwab(a)linux-m68k.org> Cc: stable(a)vger.kernel.org Co-developed-by: Michael Schmitz <schmitzmic(a)gmail.com> Signed-off-by: Michael Schmitz <schmitzmic(a)gmail.com> Signed-off-by: Finn Thain <fthain(a)linux-m68k.org> Reviewed-by: Geert Uytterhoeven <geert(a)linux-m68k.org> Link: https://lore.kernel.org/r/9e66262a754fcba50208aa424188896cc52a1dd1.16833658… Signed-off-by: Geert Uytterhoeven <geert(a)linux-m68k.org> --- arch/m68k/kernel/signal.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/arch/m68k/kernel/signal.c b/arch/m68k/kernel/signal.c index 8fb8ee804b3a..de7c1bde62bc 100644 --- a/arch/m68k/kernel/signal.c +++ b/arch/m68k/kernel/signal.c @@ -808,11 +808,17 @@ static inline int rt_setup_ucontext(struct ucontext __user *uc, struct pt_regs * } static inline void __user * -get_sigframe(struct ksignal *ksig, size_t frame_size) +get_sigframe(struct ksignal *ksig, struct pt_regs *tregs, size_t frame_size) { unsigned long usp = sigsp(rdusp(), ksig); + unsigned long gap = 0; - return (void __user *)((usp - frame_size) & -8UL); + if (CPU_IS_020_OR_030 && tregs->format == 0xb) { + /* USP is unreliable so use worst-case value */ + gap = 256; + } + + return (void __user *)((usp - gap - frame_size) & -8UL); } static int setup_frame(struct ksignal *ksig, sigset_t *set, @@ -830,7 +836,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set, return -EFAULT; } - frame = get_sigframe(ksig, sizeof(*frame) + fsize); + frame = get_sigframe(ksig, tregs, sizeof(*frame) + fsize); if (fsize) err |= copy_to_user (frame + 1, regs + 1, fsize); @@ -903,7 +909,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, return -EFAULT; } - frame = get_sigframe(ksig, sizeof(*frame)); + frame = get_sigframe(ksig, tregs, sizeof(*frame)); if (fsize) err |= copy_to_user (&frame->uc.uc_extra, regs + 1, fsize); -- 2.17.1

1 year, 6 months

1
0
0 0

[PATCH v3 1/8] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()

by Michael Schmitz

commit 3f90f9ef2dda316d64e420d5d51ba369587ccc55 upstream. If 020/030 support is enabled, get_io_area() leaves an IO_SIZE gap between mappings which is added to the vm_struct representing the mapping. __ioremap() uses the actual requested size (after alignment), while __iounmap() is passed the size from the vm_struct. On 020/030, early termination descriptors are used to set up mappings of extent 'size', which are validated on unmapping. The unmapped gap of size IO_SIZE defeats the sanity check of the pmd tables, causing __iounmap() to loop forever on 030. On 040/060, unmapping of page table entries does not check for a valid mapping, so the umapping loop always completes there. Adjust size to be unmapped by the gap that had been added in the vm_struct prior. This fixes the hang in atari_platform_init() reported a long time ago, and a similar one reported by Finn recently (addressed by removing ioremap() use from the SWIM driver. Tested on my Falcon in 030 mode - untested but should work the same on 040/060 (the extra page tables cleared there would never have been set up anyway). Signed-off-by: Michael Schmitz <schmitzmic(a)gmail.com> [geert: Minor commit description improvements] [geert: This was fixed in 2.4.23, but not in 2.5.x] Signed-off-by: Geert Uytterhoeven <geert(a)linux-m68k.org> Cc: stable(a)vger.kernel.org Cc: <cip-dev(a)lists.cip-project.org> # 4.4 --- arch/m68k/mm/kmap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/m68k/mm/kmap.c b/arch/m68k/mm/kmap.c index 6e4955bc542b..fcd52cefee29 100644 --- a/arch/m68k/mm/kmap.c +++ b/arch/m68k/mm/kmap.c @@ -88,7 +88,8 @@ static inline void free_io_area(void *addr) for (p = &iolist ; (tmp = *p) ; p = &tmp->next) { if (tmp->addr == addr) { *p = tmp->next; - __iounmap(tmp->addr, tmp->size); + /* remove gap added in get_io_area() */ + __iounmap(tmp->addr, tmp->size - IO_SIZE); kfree(tmp); return; } -- 2.17.1

1 year, 6 months

1
0
0 0

[PATCH 5.10/5.15/6.1 0/1] net: prevent mss overflow in skb_segment()

by Alexey Panov

Syzkaller reports NULL pointer dereference issue at skb_segment() in 5.10/5.15/6.1 stable releases. The problem has been fixed by the following patch which can be cleanly applied to 5.10/5.15/6.1 branches. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

1 year, 6 months

1
1
0 0

[PATCH] blk-wbt: Fix detection of dirty-throttled tasks

by Jan Kara

The detection of dirty-throttled tasks in blk-wbt has been subtly broken since its beginning in 2016. Namely if we are doing cgroup writeback and the throttled task is not in the root cgroup, balance_dirty_pages() will set dirty_sleep for the non-root bdi_writeback structure. However blk-wbt checks dirty_sleep only in the root cgroup bdi_writeback structure. Thus detection of recently throttled tasks is not working in this case (we noticed this when we switched to cgroup v2 and suddently writeback was slow). Since blk-wbt has no easy way to get to proper bdi_writeback and furthermore its intention has always been to work on the whole device rather than on individual cgroups, just move the dirty_sleep timestamp from bdi_writeback to backing_dev_info. That fixes the checking for recently throttled task and saves memory for everybody as a bonus. CC: stable(a)vger.kernel.org Fixes: b57d74aff9ab ("writeback: track if we're sleeping on progress in balance_dirty_pages()") Signed-off-by: Jan Kara <jack(a)suse.cz> --- block/blk-wbt.c | 4 ++-- include/linux/backing-dev-defs.h | 7 +++++-- mm/backing-dev.c | 2 +- mm/page-writeback.c | 2 +- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/block/blk-wbt.c b/block/blk-wbt.c index 5ba3cd574eac..0c0e270a8265 100644 --- a/block/blk-wbt.c +++ b/block/blk-wbt.c @@ -163,9 +163,9 @@ static void wb_timestamp(struct rq_wb *rwb, unsigned long *var) */ static bool wb_recent_wait(struct rq_wb *rwb) { - struct bdi_writeback *wb = &rwb->rqos.disk->bdi->wb; + struct backing_dev_info *bdi = rwb->rqos.disk->bdi; - return time_before(jiffies, wb->dirty_sleep + HZ); + return time_before(jiffies, bdi->last_bdp_sleep + HZ); } static inline struct rq_wait *get_rq_wait(struct rq_wb *rwb, diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h index ae12696ec492..ad17739a2e72 100644 --- a/include/linux/backing-dev-defs.h +++ b/include/linux/backing-dev-defs.h @@ -141,8 +141,6 @@ struct bdi_writeback { struct delayed_work dwork; /* work item used for writeback */ struct delayed_work bw_dwork; /* work item used for bandwidth estimate */ - unsigned long dirty_sleep; /* last wait */ - struct list_head bdi_node; /* anchored at bdi->wb_list */ #ifdef CONFIG_CGROUP_WRITEBACK @@ -179,6 +177,11 @@ struct backing_dev_info { * any dirty wbs, which is depended upon by bdi_has_dirty(). */ atomic_long_t tot_write_bandwidth; + /* + * Jiffies when last process was dirty throttled on this bdi. Used by + * blk-wbt. + */ + unsigned long last_bdp_sleep; struct bdi_writeback wb; /* the root writeback info for this bdi */ struct list_head wb_list; /* list of all wbs */ diff --git a/mm/backing-dev.c b/mm/backing-dev.c index 1e3447bccdb1..e039d05304dd 100644 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -436,7 +436,6 @@ static int wb_init(struct bdi_writeback *wb, struct backing_dev_info *bdi, INIT_LIST_HEAD(&wb->work_list); INIT_DELAYED_WORK(&wb->dwork, wb_workfn); INIT_DELAYED_WORK(&wb->bw_dwork, wb_update_bandwidth_workfn); - wb->dirty_sleep = jiffies; err = fprop_local_init_percpu(&wb->completions, gfp); if (err) @@ -921,6 +920,7 @@ int bdi_init(struct backing_dev_info *bdi) INIT_LIST_HEAD(&bdi->bdi_list); INIT_LIST_HEAD(&bdi->wb_list); init_waitqueue_head(&bdi->wb_waitq); + bdi->last_bdp_sleep = jiffies; return cgwb_bdi_init(bdi); } diff --git a/mm/page-writeback.c b/mm/page-writeback.c index cd4e4ae77c40..cc37fa7f3364 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -1921,7 +1921,7 @@ static int balance_dirty_pages(struct bdi_writeback *wb, break; } __set_current_state(TASK_KILLABLE); - wb->dirty_sleep = now; + bdi->last_bdp_sleep = jiffies; io_schedule_timeout(pause); current->dirty_paused_when = now + pause; -- 2.35.3

1 year, 6 months

2
2
0 0

[PATCH 5.15.y 0/1] smb: client: fix "df: Resource temporarily unavailable" on 5.15 stable kernel

by kovalev＠altlinux.org

ATTENTION! Before applying this patch a conflict patch in the queue needs to be removed: https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tre… Describe bug: After mounting a remote cifs resource, it becomes unavailable: df: /mnt/sambashare: Resource temporarily unavailable It was tested on the following Linux kernel: Linux altlinux 5.15.148 The error appeared starting from kernel 5.15.147 after adding the commit [1] "smb: client: fix OOB in SMB2_query_info_init()", in which the buffer length increases by 1 as a result of changes: . - iov[0].iov_len = total_len - 1 + input_len; + iov[0].iov_len = len; . [1] https://patchwork.kernel.org/project/cifs-client/patch/20231213152557.6634-… Error fixed by backported commit in next patch adapted for the 5.15 kernel: [PATCH 5.15.y 1/1] smb3: Replace smb2pdu 1-element arrays with flex-arrays P.S. I have already backported similar changes for the 5.10.y kernel [2], but I did not know that there was the same error on 5.15, since I only deal with kernels 5.10 and 6.1. Therefore, this patch is to follow the rules of backport to stable branches. [2] https://lore.kernel.org/all/2024012613-woozy-exhume-7b9d@gregkh/T/

1 year, 6 months

1
1
0 0

[PATCH v6 0/4] Regather scattered PCI-Code

by Philipp Stanner

@Stable-Kernel: You receive this patch series because its first patch fixes a leak in PCI. @Bjorn: I decided that it's now actually possible to just embed the docu updates to the respective patches, instead of a separate patch. Also dropped the ioport_unmap() for now. Changes in v6: - Remove the addition of ioport_unmap() from patch #1, since this is not really a bug, as explained by the comment above pci_iounmap. (Bjorn) - Drop the patch unifying the two versions of pci_iounmap(). (Bjorn) - Make patch #4's style congruent with PCI style. - Drop (in any case empty) ioport_unmap() again from pci_iounmap() - Add forgotten updates to Documentation/ when moving files from lib/ to drivers/pci/ Changes in v5: - Add forgotten update to MAINTAINERS file. Changes in v4: - Apply Arnd's Reviewed-by's - Add ifdef CONFIG_HAS_IOPORT_MAP guard in drivers/pci/iomap.c (build error on openrisc) - Fix typo in patch no.5 Changes in v3: - Create a separate patch for the leaks in lib/iomap.c. Make it the series' first patch. (Arnd) - Turns out the aforementioned bug wasn't just accidentally removing iounmap() with the ifdef, it was also missing ioport_unmap() to begin with. Add it. - Move the ARCH_WANTS_GENERIC_IOMEM_IS_IOPORT-mechanism from asm-generic/io.h to asm-generic/ioport.h. (Arnd) - Adjust the implementation of iomem_is_ioport() in asm-generic/io.h so that it matches exactly what pci_iounmap() previously did in lib/pci_iomap.c. (Arnd) - Move the CONFIG_HAS_IOPORT guard in asm-generic/io.h so that iomem_is_ioport() will always be compiled and just returns false if there are no ports. - Add TODOs to several places informing about the generic iomem_is_ioport() in lib/iomap.c not being generic. - Add TODO about the followup work to make drivers/pci/iomap.c's pci_iounmap() actually generic. Changes in v2: - Replace patch 4, previously extending the comment about pci_iounmap() in lib/iomap.c, with a patch that moves pci_iounmap() from that file to drivers/pci/iomap.c, creating a unified version there. (Arnd) - Implement iomem_is_ioport() as a new helper in asm-generic/io.h and lib/iomap.c. (Arnd) - Move the build rule in drivers/pci/Makefile for iomap.o under the guard of #if PCI. This had to be done because when just checking for GENERIC_PCI_IOMAP being defined, the functions don't disappear, which was the case previously in lib/pci_iomap.c, where the entire file was made empty if PCI was not set by the guard #ifdef PCI. (Intel's Bots) - Rephares all patches' commit messages a little bit. Sooooooooo. I reworked v1. Please review this carefully, the IO-Ranges are obviously a bit tricky, as is the build-system / ifdef-ery. Arnd has suggested that architectures defining a custom inb() need their own iomem_is_ioport(), as well. I've grepped for inb() and found the following list of archs that define their own: - alpha - arm - m68k <-- - parisc - powerpc - sh - sparc - x86 <-- All of those have their own definitons of pci_iounmap(). Therefore, they don't need our generic version in the first place and, thus, also need no iomem_is_ioport(). The two exceptions are x86 and m68k. The former uses lib/iomap.c through CONFIG_GENERIC_IOMAP, as Arnd pointed out in the previous discussion (thus, CONFIG_GENERIC_IOMAP is not really generic in this regard). So as I see it, only m68k WOULD need its own custom definition of iomem_is_ioport(). But as I understand it it doesn't because it uses the one from asm-generic/pci_iomap.h ?? I wasn't entirely sure how to deal with the address ranges for the generic implementation in asm-generic/io.h. It's marked with a TODO. Input appreciated. I removed the guard around define pci_iounmap in asm-generic/io.h. An alternative would be to have it be guarded by CONFIG_GENERIC_IOMAP and CONFIG_GENERIC_PCI_IOMAP, both. Without such a guard, there is no collision however, because generic pci_iounmap() from drivers/pci/iomap.c will only get pulled in when CONFIG_GENERIC_PCI_IOMAP is actually set. I cross-built this for a variety of architectures, including the usual suspects (s390, m68k). So far successfully. But let's see what Intel's robots say :O P. Original cover letter: Hi! So it seems that since ca. 2007 the PCI code has been scattered a bit. PCI's devres code, which is only ever used by users of the entire PCI-subsystem anyways, resides in lib/devres.c and is guarded by an ifdef PCI, just as the content of lib/pci_iomap.c is. It, thus, seems reasonable to move all of that. As I were at it, I moved as much of the devres-specific code from pci.c to devres.c, too. The only exceptions are four functions that are currently difficult to move. More information about that can be read here [1]. I noticed these scattered files while working on (new) PCI-specific devres functions. If we can get this here merged, I'll soon send another patch series that addresses some API-inconsistencies and could move the devres-part of the four remaining functions. I don't want to do that in this series as this here is only about moving code, whereas the next series would have to actually change API behavior. I successfully (cross-)built this for x86, x86_64, AARCH64 and ARM (allyesconfig). I booted a kernel with it on x86_64, with a Fedora desktop environment as payload. The OS came up fine I hope this is OK. If we can get it in, we'd soon have a very consistent PCI API again. Regards, P. Philipp Stanner (4): lib/pci_iomap.c: fix cleanup bug in pci_iounmap() lib: move pci_iomap.c to drivers/pci/ lib: move pci-specific devres code to drivers/pci/ PCI: Move devres code from pci.c to devres.c Documentation/driver-api/device-io.rst | 2 +- Documentation/driver-api/pci/pci.rst | 6 + MAINTAINERS | 1 - drivers/pci/Kconfig | 5 + drivers/pci/Makefile | 3 +- drivers/pci/devres.c | 450 +++++++++++++++++++++++++ lib/pci_iomap.c => drivers/pci/iomap.c | 5 +- drivers/pci/pci.c | 249 -------------- drivers/pci/pci.h | 24 ++ lib/Kconfig | 3 - lib/Makefile | 1 - lib/devres.c | 208 +----------- 12 files changed, 490 insertions(+), 467 deletions(-) create mode 100644 drivers/pci/devres.c rename lib/pci_iomap.c => drivers/pci/iomap.c (99%) -- 2.43.0

1 year, 6 months

3
12
0 0

[PATCH] HID: wacom: Do not register input devices until after hid_hw_start

by Gerecke, Jason

From: Jason Gerecke <killertofu(a)gmail.com> If a input device is opened before hid_hw_start is called, events may not be received from the hardware. In the case of USB-backed devices, for example, the hid_hw_start function is responsible for filling in the URB which is submitted when the input device is opened. If a device is opened prematurely, polling will never start because the device will not have been in the correct state to send the URB. Because the wacom driver registers its input devices before calling hid_hw_start, there is a window of time where a device can be opened and end up in an inoperable state. Some ARM-based Chromebooks in particular reliably trigger this bug. This commit splits the wacom_register_inputs function into two pieces. One which is responsible for setting up the allocated inputs (and runs prior to hid_hw_start so that devices are ready for any input events they may end up receiving) and another which only registers the devices (and runs after hid_hw_start to ensure devices can be immediately opened without issue). Note that the functions to initialize the LEDs and remotes are also moved after hid_hw_start to maintain their own dependency chains. Fixes: 7704ac937345 ("HID: wacom: implement generic HID handling for pen generic devices") Cc: stable(a)vger.kernel.org # v3.18+ Suggested-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Jason Gerecke <jason.gerecke(a)wacom.com> --- drivers/hid/wacom_sys.c | 63 ++++++++++++++++++++++++++++------------- 1 file changed, 43 insertions(+), 20 deletions(-) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index b613f11ed9498..2bc45b24075c3 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -2087,7 +2087,7 @@ static int wacom_allocate_inputs(struct wacom *wacom) return 0; } -static int wacom_register_inputs(struct wacom *wacom) +static int wacom_setup_inputs(struct wacom *wacom) { struct input_dev *pen_input_dev, *touch_input_dev, *pad_input_dev; struct wacom_wac *wacom_wac = &(wacom->wacom_wac); @@ -2106,10 +2106,6 @@ static int wacom_register_inputs(struct wacom *wacom) input_free_device(pen_input_dev); wacom_wac->pen_input = NULL; pen_input_dev = NULL; - } else { - error = input_register_device(pen_input_dev); - if (error) - goto fail; } error = wacom_setup_touch_input_capabilities(touch_input_dev, wacom_wac); @@ -2118,10 +2114,6 @@ static int wacom_register_inputs(struct wacom *wacom) input_free_device(touch_input_dev); wacom_wac->touch_input = NULL; touch_input_dev = NULL; - } else { - error = input_register_device(touch_input_dev); - if (error) - goto fail; } error = wacom_setup_pad_input_capabilities(pad_input_dev, wacom_wac); @@ -2130,7 +2122,34 @@ static int wacom_register_inputs(struct wacom *wacom) input_free_device(pad_input_dev); wacom_wac->pad_input = NULL; pad_input_dev = NULL; - } else { + } + + return 0; +} + +static int wacom_register_inputs(struct wacom *wacom) +{ + struct input_dev *pen_input_dev, *touch_input_dev, *pad_input_dev; + struct wacom_wac *wacom_wac = &(wacom->wacom_wac); + int error = 0; + + pen_input_dev = wacom_wac->pen_input; + touch_input_dev = wacom_wac->touch_input; + pad_input_dev = wacom_wac->pad_input; + + if (pen_input_dev) { + error = input_register_device(pen_input_dev); + if (error) + goto fail; + } + + if (touch_input_dev) { + error = input_register_device(touch_input_dev); + if (error) + goto fail; + } + + if (pad_input_dev) { error = input_register_device(pad_input_dev); if (error) goto fail; @@ -2383,6 +2402,20 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless) if (error) goto fail; + error = wacom_setup_inputs(wacom); + if (error) + goto fail; + + if (features->type == HID_GENERIC) + connect_mask |= HID_CONNECT_DRIVER; + + /* Regular HID work starts now */ + error = hid_hw_start(hdev, connect_mask); + if (error) { + hid_err(hdev, "hw start failed\n"); + goto fail; + } + error = wacom_register_inputs(wacom); if (error) goto fail; @@ -2397,16 +2430,6 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless) goto fail; } - if (features->type == HID_GENERIC) - connect_mask |= HID_CONNECT_DRIVER; - - /* Regular HID work starts now */ - error = hid_hw_start(hdev, connect_mask); - if (error) { - hid_err(hdev, "hw start failed\n"); - goto fail; - } - if (!wireless) { /* Note that if query fails it is not a hard failure */ wacom_query_tablet_data(wacom); -- 2.43.0

1 year, 6 months

3
2
0 0