- Linux-stable-mirror - lists.linaro.org

[merged mm-hotfixes-stable] nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix incorrect inode allocation from reserved inodes has been removed from the -mm tree. Its filename was nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix incorrect inode allocation from reserved inodes Date: Sun, 23 Jun 2024 14:11:35 +0900 If the bitmap block that manages the inode allocation status is corrupted, nilfs_ifile_create_inode() may allocate a new inode from the reserved inode area where it should not be allocated. Previous fix commit d325dc6eb763 ("nilfs2: fix use-after-free bug of struct nilfs_root"), fixed the problem that reserved inodes with inode numbers less than NILFS_USER_INO (=11) were incorrectly reallocated due to bitmap corruption, but since the start number of non-reserved inodes is read from the super block and may change, in which case inode allocation may occur from the extended reserved inode area. If that happens, access to that inode will cause an IO error, causing the file system to degrade to an error state. Fix this potential issue by adding a wraparound option to the common metadata object allocation routine and by modifying nilfs_ifile_create_inode() to disable the option so that it only allocates inodes with inode numbers greater than or equal to the inode number read in "nilfs->ns_first_ino", regardless of the bitmap status of reserved inodes. Link: https://lkml.kernel.org/r/20240623051135.4180-4-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: Hillf Danton <hdanton(a)sina.com> Cc: Jan Kara <jack(a)suse.cz> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/alloc.c | 19 +++++++++++++++---- fs/nilfs2/alloc.h | 4 ++-- fs/nilfs2/dat.c | 2 +- fs/nilfs2/ifile.c | 7 ++----- 4 files changed, 20 insertions(+), 12 deletions(-) --- a/fs/nilfs2/alloc.c~nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes +++ a/fs/nilfs2/alloc.c @@ -377,11 +377,12 @@ void *nilfs_palloc_block_get_entry(const * @target: offset number of an entry in the group (start point) * @bsize: size in bits * @lock: spin lock protecting @bitmap + * @wrap: whether to wrap around */ static int nilfs_palloc_find_available_slot(unsigned char *bitmap, unsigned long target, unsigned int bsize, - spinlock_t *lock) + spinlock_t *lock, bool wrap) { int pos, end = bsize; @@ -397,6 +398,8 @@ static int nilfs_palloc_find_available_s end = target; } + if (!wrap) + return -ENOSPC; /* wrap around */ for (pos = 0; pos < end; pos++) { @@ -495,9 +498,10 @@ int nilfs_palloc_count_max_entries(struc * nilfs_palloc_prepare_alloc_entry - prepare to allocate a persistent object * @inode: inode of metadata file using this allocator * @req: nilfs_palloc_req structure exchanged for the allocation + * @wrap: whether to wrap around */ int nilfs_palloc_prepare_alloc_entry(struct inode *inode, - struct nilfs_palloc_req *req) + struct nilfs_palloc_req *req, bool wrap) { struct buffer_head *desc_bh, *bitmap_bh; struct nilfs_palloc_group_desc *desc; @@ -516,7 +520,7 @@ int nilfs_palloc_prepare_alloc_entry(str entries_per_group = nilfs_palloc_entries_per_group(inode); for (i = 0; i < ngroups; i += n) { - if (group >= ngroups) { + if (group >= ngroups && wrap) { /* wrap around */ group = 0; maxgroup = nilfs_palloc_group(inode, req->pr_entry_nr, @@ -550,7 +554,14 @@ int nilfs_palloc_prepare_alloc_entry(str bitmap_kaddr = kmap_local_page(bitmap_bh->b_page); bitmap = bitmap_kaddr + bh_offset(bitmap_bh); pos = nilfs_palloc_find_available_slot( - bitmap, group_offset, entries_per_group, lock); + bitmap, group_offset, entries_per_group, lock, + wrap); + /* + * Since the search for a free slot in the second and + * subsequent bitmap blocks always starts from the + * beginning, the wrap flag only has an effect on the + * first search. + */ kunmap_local(bitmap_kaddr); if (pos >= 0) goto found; --- a/fs/nilfs2/alloc.h~nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes +++ a/fs/nilfs2/alloc.h @@ -50,8 +50,8 @@ struct nilfs_palloc_req { struct buffer_head *pr_entry_bh; }; -int nilfs_palloc_prepare_alloc_entry(struct inode *, - struct nilfs_palloc_req *); +int nilfs_palloc_prepare_alloc_entry(struct inode *inode, + struct nilfs_palloc_req *req, bool wrap); void nilfs_palloc_commit_alloc_entry(struct inode *, struct nilfs_palloc_req *); void nilfs_palloc_abort_alloc_entry(struct inode *, struct nilfs_palloc_req *); --- a/fs/nilfs2/dat.c~nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes +++ a/fs/nilfs2/dat.c @@ -75,7 +75,7 @@ int nilfs_dat_prepare_alloc(struct inode { int ret; - ret = nilfs_palloc_prepare_alloc_entry(dat, req); + ret = nilfs_palloc_prepare_alloc_entry(dat, req, true); if (ret < 0) return ret; --- a/fs/nilfs2/ifile.c~nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes +++ a/fs/nilfs2/ifile.c @@ -56,13 +56,10 @@ int nilfs_ifile_create_inode(struct inod struct nilfs_palloc_req req; int ret; - req.pr_entry_nr = 0; /* - * 0 says find free inode from beginning - * of a group. dull code!! - */ + req.pr_entry_nr = NILFS_FIRST_INO(ifile->i_sb); req.pr_entry_bh = NULL; - ret = nilfs_palloc_prepare_alloc_entry(ifile, &req); + ret = nilfs_palloc_prepare_alloc_entry(ifile, &req, false); if (!ret) { ret = nilfs_palloc_get_entry_block(ifile, req.pr_entry_nr, 1, &req.pr_entry_bh); _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-add-missing-check-for-inode-numbers-on-directory-entries.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: add missing check for inode numbers on directory entries has been removed from the -mm tree. Its filename was nilfs2-add-missing-check-for-inode-numbers-on-directory-entries.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: add missing check for inode numbers on directory entries Date: Sun, 23 Jun 2024 14:11:34 +0900 Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. Link: https://lkml.kernel.org/r/20240623051135.4180-3-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+d79afb004be235636ee8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8 Reported-by: Jan Kara <jack(a)suse.cz> Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3 Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: Hillf Danton <hdanton(a)sina.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/dir.c | 6 ++++++ fs/nilfs2/nilfs.h | 5 +++++ 2 files changed, 11 insertions(+) --- a/fs/nilfs2/dir.c~nilfs2-add-missing-check-for-inode-numbers-on-directory-entries +++ a/fs/nilfs2/dir.c @@ -135,6 +135,9 @@ static bool nilfs_check_folio(struct fol goto Enamelen; if (((offs + rec_len - 1) ^ offs) & ~(chunk_size-1)) goto Espan; + if (unlikely(p->inode && + NILFS_PRIVATE_INODE(le64_to_cpu(p->inode)))) + goto Einumber; } if (offs != limit) goto Eend; @@ -160,6 +163,9 @@ Enamelen: goto bad_entry; Espan: error = "directory entry across blocks"; + goto bad_entry; +Einumber: + error = "disallowed inode number"; bad_entry: nilfs_error(sb, "bad entry in directory #%lu: %s - offset=%lu, inode=%lu, rec_len=%zd, name_len=%d", --- a/fs/nilfs2/nilfs.h~nilfs2-add-missing-check-for-inode-numbers-on-directory-entries +++ a/fs/nilfs2/nilfs.h @@ -121,6 +121,11 @@ enum { ((ino) >= NILFS_FIRST_INO(sb) || \ ((ino) < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino)))) +#define NILFS_PRIVATE_INODE(ino) ({ \ + ino_t __ino = (ino); \ + ((__ino) < NILFS_USER_INO && (__ino) != NILFS_ROOT_INO && \ + (__ino) != NILFS_SKETCH_INO); }) + /** * struct nilfs_transaction_info: context information for synchronization * @ti_magic: Magic number _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-fix-inode-number-range-checks.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix inode number range checks has been removed from the -mm tree. Its filename was nilfs2-fix-inode-number-range-checks.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix inode number range checks Date: Sun, 23 Jun 2024 14:11:33 +0900 Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. Link: https://lkml.kernel.org/r/20240623051135.4180-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240623051135.4180-2-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: Hillf Danton <hdanton(a)sina.com> Cc: Jan Kara <jack(a)suse.cz> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/nilfs.h | 5 +++-- fs/nilfs2/the_nilfs.c | 6 ++++++ fs/nilfs2/the_nilfs.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) --- a/fs/nilfs2/nilfs.h~nilfs2-fix-inode-number-range-checks +++ a/fs/nilfs2/nilfs.h @@ -116,9 +116,10 @@ enum { #define NILFS_FIRST_INO(sb) (((struct the_nilfs *)sb->s_fs_info)->ns_first_ino) #define NILFS_MDT_INODE(sb, ino) \ - ((ino) < NILFS_FIRST_INO(sb) && (NILFS_MDT_INO_BITS & BIT(ino))) + ((ino) < NILFS_USER_INO && (NILFS_MDT_INO_BITS & BIT(ino))) #define NILFS_VALID_INODE(sb, ino) \ - ((ino) >= NILFS_FIRST_INO(sb) || (NILFS_SYS_INO_BITS & BIT(ino))) + ((ino) >= NILFS_FIRST_INO(sb) || \ + ((ino) < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino)))) /** * struct nilfs_transaction_info: context information for synchronization --- a/fs/nilfs2/the_nilfs.c~nilfs2-fix-inode-number-range-checks +++ a/fs/nilfs2/the_nilfs.c @@ -452,6 +452,12 @@ static int nilfs_store_disk_layout(struc } nilfs->ns_first_ino = le32_to_cpu(sbp->s_first_ino); + if (nilfs->ns_first_ino < NILFS_USER_INO) { + nilfs_err(nilfs->ns_sb, + "too small lower limit for non-reserved inode numbers: %u", + nilfs->ns_first_ino); + return -EINVAL; + } nilfs->ns_blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment); if (nilfs->ns_blocks_per_segment < NILFS_SEG_MIN_BLOCKS) { --- a/fs/nilfs2/the_nilfs.h~nilfs2-fix-inode-number-range-checks +++ a/fs/nilfs2/the_nilfs.h @@ -182,7 +182,7 @@ struct the_nilfs { unsigned long ns_nrsvsegs; unsigned long ns_first_data_block; int ns_inode_size; - int ns_first_ino; + unsigned int ns_first_ino; u32 ns_crc_seed; /* /sys/fs/<nilfs>/<device> */ _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] mm-avoid-overflows-in-dirty-throttling-logic.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: avoid overflows in dirty throttling logic has been removed from the -mm tree. Its filename was mm-avoid-overflows-in-dirty-throttling-logic.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jan Kara <jack(a)suse.cz> Subject: mm: avoid overflows in dirty throttling logic Date: Fri, 21 Jun 2024 16:42:38 +0200 The dirty throttling logic is interspersed with assumptions that dirty limits in PAGE_SIZE units fit into 32-bit (so that various multiplications fit into 64-bits). If limits end up being larger, we will hit overflows, possible divisions by 0 etc. Fix these problems by never allowing so large dirty limits as they have dubious practical value anyway. For dirty_bytes / dirty_background_bytes interfaces we can just refuse to set so large limits. For dirty_ratio / dirty_background_ratio it isn't so simple as the dirty limit is computed from the amount of available memory which can change due to memory hotplug etc. So when converting dirty limits from ratios to numbers of pages, we just don't allow the result to exceed UINT_MAX. This is root-only triggerable problem which occurs when the operator sets dirty limits to >16 TB. Link: https://lkml.kernel.org/r/20240621144246.11148-2-jack@suse.cz Signed-off-by: Jan Kara <jack(a)suse.cz> Reported-by: Zach O'Keefe <zokeefe(a)google.com> Reviewed-By: Zach O'Keefe <zokeefe(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page-writeback.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) --- a/mm/page-writeback.c~mm-avoid-overflows-in-dirty-throttling-logic +++ a/mm/page-writeback.c @@ -415,13 +415,20 @@ static void domain_dirty_limits(struct d else bg_thresh = (bg_ratio * available_memory) / PAGE_SIZE; - if (bg_thresh >= thresh) - bg_thresh = thresh / 2; tsk = current; if (rt_task(tsk)) { bg_thresh += bg_thresh / 4 + global_wb_domain.dirty_limit / 32; thresh += thresh / 4 + global_wb_domain.dirty_limit / 32; } + /* + * Dirty throttling logic assumes the limits in page units fit into + * 32-bits. This gives 16TB dirty limits max which is hopefully enough. + */ + if (thresh > UINT_MAX) + thresh = UINT_MAX; + /* This makes sure bg_thresh is within 32-bits as well */ + if (bg_thresh >= thresh) + bg_thresh = thresh / 2; dtc->thresh = thresh; dtc->bg_thresh = bg_thresh; @@ -471,7 +478,11 @@ static unsigned long node_dirty_limit(st if (rt_task(tsk)) dirty += dirty / 4; - return dirty; + /* + * Dirty throttling logic assumes the limits in page units fit into + * 32-bits. This gives 16TB dirty limits max which is hopefully enough. + */ + return min_t(unsigned long, dirty, UINT_MAX); } /** @@ -508,10 +519,17 @@ static int dirty_background_bytes_handle void *buffer, size_t *lenp, loff_t *ppos) { int ret; + unsigned long old_bytes = dirty_background_bytes; ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); - if (ret == 0 && write) + if (ret == 0 && write) { + if (DIV_ROUND_UP(dirty_background_bytes, PAGE_SIZE) > + UINT_MAX) { + dirty_background_bytes = old_bytes; + return -ERANGE; + } dirty_background_ratio = 0; + } return ret; } @@ -537,6 +555,10 @@ static int dirty_bytes_handler(struct ct ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); if (ret == 0 && write && vm_dirty_bytes != old_bytes) { + if (DIV_ROUND_UP(vm_dirty_bytes, PAGE_SIZE) > UINT_MAX) { + vm_dirty_bytes = old_bytes; + return -ERANGE; + } writeback_set_ratelimit(); vm_dirty_ratio = 0; } _ Patches currently in -mm which might be from jack(a)suse.cz are readahead-make-sure-sync-readahead-reads-needed-page.patch filemap-fix-page_cache_next_miss-when-no-hole-found.patch readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch readahead-drop-pointless-index-from-force_page_cache_ra.patch readahead-drop-index-argument-of-page_cache_async_readahead.patch readahead-drop-dead-code-in-page_cache_ra_order.patch readahead-drop-dead-code-in-ondemand_readahead.patch readahead-disentangle-async-and-sync-readahead.patch readahead-fold-try_context_readahead-into-its-single-caller.patch readahead-simplify-gotos-in-page_cache_sync_ra.patch

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" has been removed from the -mm tree. Its filename was revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jan Kara <jack(a)suse.cz> Subject: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" Date: Fri, 21 Jun 2024 16:42:37 +0200 Patch series "mm: Avoid possible overflows in dirty throttling". Dirty throttling logic assumes dirty limits in page units fit into 32-bits. This patch series makes sure this is true (see patch 2/2 for more details). This patch (of 2): This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78. The commit is broken in several ways. Firstly, the removed (u64) cast from the multiplication will introduce a multiplication overflow on 32-bit archs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the default settings with 4GB of RAM will trigger this). Secondly, the div64_u64() is unnecessarily expensive on 32-bit archs. We have div64_ul() in case we want to be safe & cheap. Thirdly, if dirty thresholds are larger than 1<<32 pages, then dirty balancing is going to blow up in many other spectacular ways anyway so trying to fix one possible overflow is just moot. Link: https://lkml.kernel.org/r/20240621144017.30993-1-jack@suse.cz Link: https://lkml.kernel.org/r/20240621144246.11148-1-jack@suse.cz Fixes: 9319b647902c ("mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again") Signed-off-by: Jan Kara <jack(a)suse.cz> Reviewed-By: Zach O'Keefe <zokeefe(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page-writeback.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/page-writeback.c~revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again +++ a/mm/page-writeback.c @@ -1660,7 +1660,7 @@ static inline void wb_dirty_limits(struc */ dtc->wb_thresh = __wb_calc_thresh(dtc, dtc->thresh); dtc->wb_bg_thresh = dtc->thresh ? - div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; + div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; /* * In order to avoid the stacked BDI deadlock we need _ Patches currently in -mm which might be from jack(a)suse.cz are readahead-make-sure-sync-readahead-reads-needed-page.patch filemap-fix-page_cache_next_miss-when-no-hole-found.patch readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch readahead-drop-pointless-index-from-force_page_cache_ra.patch readahead-drop-index-argument-of-page_cache_async_readahead.patch readahead-drop-dead-code-in-page_cache_ra_order.patch readahead-drop-dead-code-in-ondemand_readahead.patch readahead-disentangle-async-and-sync-readahead.patch readahead-fold-try_context_readahead-into-its-single-caller.patch readahead-simplify-gotos-in-page_cache_sync_ra.patch

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] mm-optimize-the-redundant-loop-of-mm_update_owner_next.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: optimize the redundant loop of mm_update_owner_next() has been removed from the -mm tree. Its filename was mm-optimize-the-redundant-loop-of-mm_update_owner_next.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jinliang Zheng <alexjlzheng(a)tencent.com> Subject: mm: optimize the redundant loop of mm_update_owner_next() Date: Thu, 20 Jun 2024 20:21:24 +0800 When mm_update_owner_next() is racing with swapoff (try_to_unuse()) or /proc or ptrace or page migration (get_task_mm()), it is impossible to find an appropriate task_struct in the loop whose mm_struct is the same as the target mm_struct. If the above race condition is combined with the stress-ng-zombie and stress-ng-dup tests, such a long loop can easily cause a Hard Lockup in write_lock_irq() for tasklist_lock. Recognize this situation in advance and exit early. Link: https://lkml.kernel.org/r/20240620122123.3877432-1-alexjlzheng@tencent.com Signed-off-by: Jinliang Zheng <alexjlzheng(a)tencent.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Tycho Andersen <tandersen(a)netflix.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/exit.c | 2 ++ 1 file changed, 2 insertions(+) --- a/kernel/exit.c~mm-optimize-the-redundant-loop-of-mm_update_owner_next +++ a/kernel/exit.c @@ -484,6 +484,8 @@ retry: * Search through everything else, we should not get here often. */ for_each_process(g) { + if (atomic_read(&mm->mm_users) <= 1) + break; if (g->flags & PF_KTHREAD) continue; for_each_thread(g, c) { _ Patches currently in -mm which might be from alexjlzheng(a)tencent.com are

1 year, 2 months

1
0
0 0

[alternative-merged] mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/gup: clear the LRU flag of a page before adding to LRU batch has been removed from the -mm tree. Its filename was mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch This patch was dropped because an alternative patch was or shall be merged ------------------------------------------------------ From: yangge <yangge1116(a)126.com> Subject: mm/gup: clear the LRU flag of a page before adding to LRU batch Date: Sat, 22 Jun 2024 14:48:04 +0800 If a large number of CMA memory are configured in system (for example, the CMA memory accounts for 50% of the system memory), starting a virtual machine, it will call pin_user_pages_remote(..., FOLL_LONGTERM, ...) to pin memory. Normally if a page is present and in CMA area, pin_user_pages_remote() will migrate the page from CMA area to non-CMA area because of FOLL_LONGTERM flag. But the current code will cause the migration failure due to unexpected page refcounts, and eventually cause the virtual machine fail to start. If a page is added in LRU batch, its refcount increases one, remove the page from LRU batch decreases one. Page migration requires the page is not referenced by others except page mapping. Before migrating a page, we should try to drain the page from LRU batch in case the page is in it, however, folio_test_lru() is not sufficient to tell whether the page is in LRU batch or not, if the page is in LRU batch, the migration will fail. To solve the problem above, we modify the logic of adding to LRU batch. Before adding a page to LRU batch, we clear the LRU flag of the page so that we can check whether the page is in LRU batch by folio_test_lru(page). Seems making the LRU flag of the page invisible a long time is no problem, because a new page is allocated from buddy and added to the lru batch, its LRU flag is also not visible for a long time. Link: https://lkml.kernel.org/r/1719038884-1903-1-git-send-email-yangge1116@126.c… Signed-off-by: yangge <yangge1116(a)126.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Alex Shi <alex.shi(a)linux.alibaba.com> Cc: Shaohua Li <shli(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swap.c | 43 +++++++++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 12 deletions(-) --- a/mm/swap.c~mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch +++ a/mm/swap.c @@ -212,10 +212,6 @@ static void folio_batch_move_lru(struct for (i = 0; i < folio_batch_count(fbatch); i++) { struct folio *folio = fbatch->folios[i]; - /* block memcg migration while the folio moves between lru */ - if (move_fn != lru_add_fn && !folio_test_clear_lru(folio)) - continue; - folio_lruvec_relock_irqsave(folio, &lruvec, &flags); move_fn(lruvec, folio); @@ -256,11 +252,16 @@ static void lru_move_tail_fn(struct lruv void folio_rotate_reclaimable(struct folio *folio) { if (!folio_test_locked(folio) && !folio_test_dirty(folio) && - !folio_test_unevictable(folio) && folio_test_lru(folio)) { + !folio_test_unevictable(folio)) { struct folio_batch *fbatch; unsigned long flags; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock_irqsave(&lru_rotate.lock, flags); fbatch = this_cpu_ptr(&lru_rotate.fbatch); folio_batch_add_and_move(fbatch, folio, lru_move_tail_fn); @@ -353,11 +354,15 @@ static void folio_activate_drain(int cpu void folio_activate(struct folio *folio) { - if (folio_test_lru(folio) && !folio_test_active(folio) && - !folio_test_unevictable(folio)) { + if (!folio_test_active(folio) && !folio_test_unevictable(folio)) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.activate); folio_batch_add_and_move(fbatch, folio, folio_activate_fn); @@ -701,6 +706,11 @@ void deactivate_file_folio(struct folio return; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_deactivate_file); folio_batch_add_and_move(fbatch, folio, lru_deactivate_file_fn); @@ -717,11 +727,16 @@ void deactivate_file_folio(struct folio */ void folio_deactivate(struct folio *folio) { - if (folio_test_lru(folio) && !folio_test_unevictable(folio) && - (folio_test_active(folio) || lru_gen_enabled())) { + if (!folio_test_unevictable(folio) && (folio_test_active(folio) || + lru_gen_enabled())) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_deactivate); folio_batch_add_and_move(fbatch, folio, lru_deactivate_fn); @@ -738,12 +753,16 @@ void folio_deactivate(struct folio *foli */ void folio_mark_lazyfree(struct folio *folio) { - if (folio_test_lru(folio) && folio_test_anon(folio) && - folio_test_swapbacked(folio) && !folio_test_swapcache(folio) && - !folio_test_unevictable(folio)) { + if (folio_test_anon(folio) && folio_test_swapbacked(folio) && + !folio_test_swapcache(folio) && !folio_test_unevictable(folio)) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_lazyfree); folio_batch_add_and_move(fbatch, folio, lru_lazyfree_fn); _ Patches currently in -mm which might be from yangge1116(a)126.com are

1 year, 2 months

1
0
0 0

[v2 linus-tree PATCH] mm: gup: do not call try_grab_folio() in slow path

by Yang Shi

The try_grab_folio() is supposed to be used in fast path and it elevates folio refcount by using add ref unless zero. We are guaranteed to have at least one stable reference in slow path, so the simple atomic add could be used. The performance difference should be trivial, but the misuse may be confusing and misleading. In another thread [1] a kernel warning was reported when pinning folio in CMA memory when launching SEV virtual machine. The splat looks like: [ 464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520 [ 464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6 [ 464.325477] RIP: 0010:__get_user_pages+0x423/0x520 [ 464.325515] Call Trace: [ 464.325520] <TASK> [ 464.325523] ? __get_user_pages+0x423/0x520 [ 464.325528] ? __warn+0x81/0x130 [ 464.325536] ? __get_user_pages+0x423/0x520 [ 464.325541] ? report_bug+0x171/0x1a0 [ 464.325549] ? handle_bug+0x3c/0x70 [ 464.325554] ? exc_invalid_op+0x17/0x70 [ 464.325558] ? asm_exc_invalid_op+0x1a/0x20 [ 464.325567] ? __get_user_pages+0x423/0x520 [ 464.325575] __gup_longterm_locked+0x212/0x7a0 [ 464.325583] internal_get_user_pages_fast+0xfb/0x190 [ 464.325590] pin_user_pages_fast+0x47/0x60 [ 464.325598] sev_pin_memory+0xca/0x170 [kvm_amd] [ 464.325616] sev_mem_enc_register_region+0x81/0x130 [kvm_amd] Per the analysis done by yangge, when starting the SEV virtual machine, it will call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory. But the page is in CMA area, so fast GUP will fail then fallback to the slow path due to the longterm pinnalbe check in try_grab_folio(). The slow path will try to pin the pages then migrate them out of CMA area. But the slow path also uses try_grab_folio() to pin the page, it will also fail due to the same check then the above warning is triggered. [1] https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge11… Fixes: 57edfcfd3419 ("mm/gup: accelerate thp gup even for "pages != NULL"") Cc: <stable(a)vger.kernel.org> [6.6+] Reported-by: yangge <yangge1116(a)126.com> Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> --- mm/gup.c | 278 +++++++++++++++++++++++++---------------------- mm/huge_memory.c | 2 +- mm/internal.h | 3 +- 3 files changed, 148 insertions(+), 135 deletions(-) v2: 1. Fixed the build warning 2. Reworked the commit log to include the bug report and analysis (reworded by me) from yangge 3. Rebased onto the latest Linus's tree diff --git a/mm/gup.c b/mm/gup.c index ca0f5cedce9b..6be165224c1e 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -97,95 +97,6 @@ static inline struct folio *try_get_folio(struct page *page, int refs) return folio; } -/** - * try_grab_folio() - Attempt to get or pin a folio. - * @page: pointer to page to be grabbed - * @refs: the value to (effectively) add to the folio's refcount - * @flags: gup flags: these are the FOLL_* flag values. - * - * "grab" names in this file mean, "look at flags to decide whether to use - * FOLL_PIN or FOLL_GET behavior, when incrementing the folio's refcount. - * - * Either FOLL_PIN or FOLL_GET (or neither) must be set, but not both at the - * same time. (That's true throughout the get_user_pages*() and - * pin_user_pages*() APIs.) Cases: - * - * FOLL_GET: folio's refcount will be incremented by @refs. - * - * FOLL_PIN on large folios: folio's refcount will be incremented by - * @refs, and its pincount will be incremented by @refs. - * - * FOLL_PIN on single-page folios: folio's refcount will be incremented by - * @refs * GUP_PIN_COUNTING_BIAS. - * - * Return: The folio containing @page (with refcount appropriately - * incremented) for success, or NULL upon failure. If neither FOLL_GET - * nor FOLL_PIN was set, that's considered failure, and furthermore, - * a likely bug in the caller, so a warning is also emitted. - */ -struct folio *try_grab_folio(struct page *page, int refs, unsigned int flags) -{ - struct folio *folio; - - if (WARN_ON_ONCE((flags & (FOLL_GET | FOLL_PIN)) == 0)) - return NULL; - - if (unlikely(!(flags & FOLL_PCI_P2PDMA) && is_pci_p2pdma_page(page))) - return NULL; - - if (flags & FOLL_GET) - return try_get_folio(page, refs); - - /* FOLL_PIN is set */ - - /* - * Don't take a pin on the zero page - it's not going anywhere - * and it is used in a *lot* of places. - */ - if (is_zero_page(page)) - return page_folio(page); - - folio = try_get_folio(page, refs); - if (!folio) - return NULL; - - /* - * Can't do FOLL_LONGTERM + FOLL_PIN gup fast path if not in a - * right zone, so fail and let the caller fall back to the slow - * path. - */ - if (unlikely((flags & FOLL_LONGTERM) && - !folio_is_longterm_pinnable(folio))) { - if (!put_devmap_managed_folio_refs(folio, refs)) - folio_put_refs(folio, refs); - return NULL; - } - - /* - * When pinning a large folio, use an exact count to track it. - * - * However, be sure to *also* increment the normal folio - * refcount field at least once, so that the folio really - * is pinned. That's why the refcount from the earlier - * try_get_folio() is left intact. - */ - if (folio_test_large(folio)) - atomic_add(refs, &folio->_pincount); - else - folio_ref_add(folio, - refs * (GUP_PIN_COUNTING_BIAS - 1)); - /* - * Adjust the pincount before re-checking the PTE for changes. - * This is essentially a smp_mb() and is paired with a memory - * barrier in folio_try_share_anon_rmap_*(). - */ - smp_mb__after_atomic(); - - node_stat_mod_folio(folio, NR_FOLL_PIN_ACQUIRED, refs); - - return folio; -} - static void gup_put_folio(struct folio *folio, int refs, unsigned int flags) { if (flags & FOLL_PIN) { @@ -203,28 +114,31 @@ static void gup_put_folio(struct folio *folio, int refs, unsigned int flags) } /** - * try_grab_page() - elevate a page's refcount by a flag-dependent amount - * @page: pointer to page to be grabbed - * @flags: gup flags: these are the FOLL_* flag values. + * try_grab_folio() - add a folio's refcount by a flag-dependent amount + * @folio: pointer to folio to be grabbed + * @refs: the value to (effectively) add to the folio's refcount + * @flags: gup flags: these are the FOLL_* flag values * * This might not do anything at all, depending on the flags argument. * * "grab" names in this file mean, "look at flags to decide whether to use - * FOLL_PIN or FOLL_GET behavior, when incrementing the page's refcount. + * FOLL_PIN or FOLL_GET behavior, when incrementing the folio's refcount. * * Either FOLL_PIN or FOLL_GET (or neither) may be set, but not both at the same - * time. Cases: please see the try_grab_folio() documentation, with - * "refs=1". + * time. * * Return: 0 for success, or if no action was required (if neither FOLL_PIN * nor FOLL_GET was set, nothing is done). A negative error code for failure: * - * -ENOMEM FOLL_GET or FOLL_PIN was set, but the page could not + * -ENOMEM FOLL_GET or FOLL_PIN was set, but the folio could not * be grabbed. + * + * It is called when we have a stable reference for the folio, typically in + * GUP slow path. */ -int __must_check try_grab_page(struct page *page, unsigned int flags) +int __must_check try_grab_folio(struct folio *folio, int refs, unsigned int flags) { - struct folio *folio = page_folio(page); + struct page *page = &folio->page; if (WARN_ON_ONCE(folio_ref_count(folio) <= 0)) return -ENOMEM; @@ -233,7 +147,7 @@ int __must_check try_grab_page(struct page *page, unsigned int flags) return -EREMOTEIO; if (flags & FOLL_GET) - folio_ref_inc(folio); + folio_ref_add(folio, refs); else if (flags & FOLL_PIN) { /* * Don't take a pin on the zero page - it's not going anywhere @@ -243,18 +157,18 @@ int __must_check try_grab_page(struct page *page, unsigned int flags) return 0; /* - * Similar to try_grab_folio(): be sure to *also* - * increment the normal page refcount field at least once, + * Increment the normal page refcount field at least once, * so that the page really is pinned. */ if (folio_test_large(folio)) { - folio_ref_add(folio, 1); - atomic_add(1, &folio->_pincount); + folio_ref_add(folio, refs); + atomic_add(refs, &folio->_pincount); } else { - folio_ref_add(folio, GUP_PIN_COUNTING_BIAS); + folio_ref_add(folio, + refs * GUP_PIN_COUNTING_BIAS); } - node_stat_mod_folio(folio, NR_FOLL_PIN_ACQUIRED, 1); + node_stat_mod_folio(folio, NR_FOLL_PIN_ACQUIRED, refs); } return 0; @@ -535,7 +449,7 @@ static unsigned long hugepte_addr_end(unsigned long addr, unsigned long end, */ static int gup_hugepte(struct vm_area_struct *vma, pte_t *ptep, unsigned long sz, unsigned long addr, unsigned long end, unsigned int flags, - struct page **pages, int *nr) + struct page **pages, int *nr, bool fast) { unsigned long pte_end; struct page *page; @@ -558,9 +472,15 @@ static int gup_hugepte(struct vm_area_struct *vma, pte_t *ptep, unsigned long sz page = pte_page(pte); refs = record_subpages(page, sz, addr, end, pages + *nr); - folio = try_grab_folio(page, refs, flags); - if (!folio) - return 0; + if (fast) { + folio = try_grab_folio_fast(page, refs, flags); + if (!folio) + return 0; + } else { + folio = page_folio(page); + if (try_grab_folio(folio, refs, flags)) + return 0; + } if (unlikely(pte_val(pte) != pte_val(ptep_get(ptep)))) { gup_put_folio(folio, refs, flags); @@ -588,7 +508,7 @@ static int gup_hugepte(struct vm_area_struct *vma, pte_t *ptep, unsigned long sz static int gup_hugepd(struct vm_area_struct *vma, hugepd_t hugepd, unsigned long addr, unsigned int pdshift, unsigned long end, unsigned int flags, - struct page **pages, int *nr) + struct page **pages, int *nr, bool fast) { pte_t *ptep; unsigned long sz = 1UL << hugepd_shift(hugepd); @@ -598,7 +518,7 @@ static int gup_hugepd(struct vm_area_struct *vma, hugepd_t hugepd, ptep = hugepte_offset(hugepd, addr, pdshift); do { next = hugepte_addr_end(addr, end, sz); - ret = gup_hugepte(vma, ptep, sz, addr, end, flags, pages, nr); + ret = gup_hugepte(vma, ptep, sz, addr, end, flags, pages, nr, fast); if (ret != 1) return ret; } while (ptep++, addr = next, addr != end); @@ -625,7 +545,7 @@ static struct page *follow_hugepd(struct vm_area_struct *vma, hugepd_t hugepd, ptep = hugepte_offset(hugepd, addr, pdshift); ptl = huge_pte_lock(h, vma->vm_mm, ptep); ret = gup_hugepd(vma, hugepd, addr, pdshift, addr + PAGE_SIZE, - flags, &page, &nr); + flags, &page, &nr, false); spin_unlock(ptl); if (ret == 1) { @@ -642,7 +562,7 @@ static struct page *follow_hugepd(struct vm_area_struct *vma, hugepd_t hugepd, static inline int gup_hugepd(struct vm_area_struct *vma, hugepd_t hugepd, unsigned long addr, unsigned int pdshift, unsigned long end, unsigned int flags, - struct page **pages, int *nr) + struct page **pages, int *nr, bool fast) { return 0; } @@ -729,7 +649,7 @@ static struct page *follow_huge_pud(struct vm_area_struct *vma, gup_must_unshare(vma, flags, page)) return ERR_PTR(-EMLINK); - ret = try_grab_page(page, flags); + ret = try_grab_folio(page_folio(page), 1, flags); if (ret) page = ERR_PTR(ret); else @@ -806,7 +726,7 @@ static struct page *follow_huge_pmd(struct vm_area_struct *vma, VM_BUG_ON_PAGE((flags & FOLL_PIN) && PageAnon(page) && !PageAnonExclusive(page), page); - ret = try_grab_page(page, flags); + ret = try_grab_folio(page_folio(page), 1, flags); if (ret) return ERR_PTR(ret); @@ -968,8 +888,8 @@ static struct page *follow_page_pte(struct vm_area_struct *vma, VM_BUG_ON_PAGE((flags & FOLL_PIN) && PageAnon(page) && !PageAnonExclusive(page), page); - /* try_grab_page() does nothing unless FOLL_GET or FOLL_PIN is set. */ - ret = try_grab_page(page, flags); + /* try_grab_folio() does nothing unless FOLL_GET or FOLL_PIN is set. */ + ret = try_grab_folio(page_folio(page), 1, flags); if (unlikely(ret)) { page = ERR_PTR(ret); goto out; @@ -1233,7 +1153,7 @@ static int get_gate_page(struct mm_struct *mm, unsigned long address, goto unmap; *page = pte_page(entry); } - ret = try_grab_page(*page, gup_flags); + ret = try_grab_folio(page_folio(*page), 1, gup_flags); if (unlikely(ret)) goto unmap; out: @@ -1636,20 +1556,19 @@ static long __get_user_pages(struct mm_struct *mm, * pages. */ if (page_increm > 1) { - struct folio *folio; + struct folio *folio = page_folio(page); /* * Since we already hold refcount on the * large folio, this should never fail. */ - folio = try_grab_folio(page, page_increm - 1, - foll_flags); - if (WARN_ON_ONCE(!folio)) { + if (try_grab_folio(folio, page_increm - 1, + foll_flags)) { /* * Release the 1st page ref if the * folio is problematic, fail hard. */ - gup_put_folio(page_folio(page), 1, + gup_put_folio(folio, 1, foll_flags); ret = -EFAULT; goto out; @@ -2797,6 +2716,101 @@ EXPORT_SYMBOL(get_user_pages_unlocked); * This code is based heavily on the PowerPC implementation by Nick Piggin. */ #ifdef CONFIG_HAVE_GUP_FAST +/** + * try_grab_folio_fast() - Attempt to get or pin a folio in fast path. + * @page: pointer to page to be grabbed + * @refs: the value to (effectively) add to the folio's refcount + * @flags: gup flags: these are the FOLL_* flag values. + * + * "grab" names in this file mean, "look at flags to decide whether to use + * FOLL_PIN or FOLL_GET behavior, when incrementing the folio's refcount. + * + * Either FOLL_PIN or FOLL_GET (or neither) must be set, but not both at the + * same time. (That's true throughout the get_user_pages*() and + * pin_user_pages*() APIs.) Cases: + * + * FOLL_GET: folio's refcount will be incremented by @refs. + * + * FOLL_PIN on large folios: folio's refcount will be incremented by + * @refs, and its pincount will be incremented by @refs. + * + * FOLL_PIN on single-page folios: folio's refcount will be incremented by + * @refs * GUP_PIN_COUNTING_BIAS. + * + * Return: The folio containing @page (with refcount appropriately + * incremented) for success, or NULL upon failure. If neither FOLL_GET + * nor FOLL_PIN was set, that's considered failure, and furthermore, + * a likely bug in the caller, so a warning is also emitted. + * + * It uses add ref unless zero to elevate the folio refcount and must be called + * in fast path only. + */ +static struct folio *try_grab_folio_fast(struct page *page, int refs, + unsigned int flags) +{ + struct folio *folio; + + /* Raise warn if it is not called in fast GUP */ + VM_WARN_ON_ONCE(!irqs_disabled()); + + if (WARN_ON_ONCE((flags & (FOLL_GET | FOLL_PIN)) == 0)) + return NULL; + + if (unlikely(!(flags & FOLL_PCI_P2PDMA) && is_pci_p2pdma_page(page))) + return NULL; + + if (flags & FOLL_GET) + return try_get_folio(page, refs); + + /* FOLL_PIN is set */ + + /* + * Don't take a pin on the zero page - it's not going anywhere + * and it is used in a *lot* of places. + */ + if (is_zero_page(page)) + return page_folio(page); + + folio = try_get_folio(page, refs); + if (!folio) + return NULL; + + /* + * Can't do FOLL_LONGTERM + FOLL_PIN gup fast path if not in a + * right zone, so fail and let the caller fall back to the slow + * path. + */ + if (unlikely((flags & FOLL_LONGTERM) && + !folio_is_longterm_pinnable(folio))) { + if (!put_devmap_managed_folio_refs(folio, refs)) + folio_put_refs(folio, refs); + return NULL; + } + + /* + * When pinning a large folio, use an exact count to track it. + * + * However, be sure to *also* increment the normal folio + * refcount field at least once, so that the folio really + * is pinned. That's why the refcount from the earlier + * try_get_folio() is left intact. + */ + if (folio_test_large(folio)) + atomic_add(refs, &folio->_pincount); + else + folio_ref_add(folio, + refs * (GUP_PIN_COUNTING_BIAS - 1)); + /* + * Adjust the pincount before re-checking the PTE for changes. + * This is essentially a smp_mb() and is paired with a memory + * barrier in folio_try_share_anon_rmap_*(). + */ + smp_mb__after_atomic(); + + node_stat_mod_folio(folio, NR_FOLL_PIN_ACQUIRED, refs); + + return folio; +} /* * Used in the GUP-fast path to determine whether GUP is permitted to work on @@ -2962,7 +2976,7 @@ static int gup_fast_pte_range(pmd_t pmd, pmd_t *pmdp, unsigned long addr, VM_BUG_ON(!pfn_valid(pte_pfn(pte))); page = pte_page(pte); - folio = try_grab_folio(page, 1, flags); + folio = try_grab_folio_fast(page, 1, flags); if (!folio) goto pte_unmap; @@ -3049,7 +3063,7 @@ static int gup_fast_devmap_leaf(unsigned long pfn, unsigned long addr, break; } - folio = try_grab_folio(page, 1, flags); + folio = try_grab_folio_fast(page, 1, flags); if (!folio) { gup_fast_undo_dev_pagemap(nr, nr_start, flags, pages); break; @@ -3138,7 +3152,7 @@ static int gup_fast_pmd_leaf(pmd_t orig, pmd_t *pmdp, unsigned long addr, page = pmd_page(orig); refs = record_subpages(page, PMD_SIZE, addr, end, pages + *nr); - folio = try_grab_folio(page, refs, flags); + folio = try_grab_folio_fast(page, refs, flags); if (!folio) return 0; @@ -3182,7 +3196,7 @@ static int gup_fast_pud_leaf(pud_t orig, pud_t *pudp, unsigned long addr, page = pud_page(orig); refs = record_subpages(page, PUD_SIZE, addr, end, pages + *nr); - folio = try_grab_folio(page, refs, flags); + folio = try_grab_folio_fast(page, refs, flags); if (!folio) return 0; @@ -3222,7 +3236,7 @@ static int gup_fast_pgd_leaf(pgd_t orig, pgd_t *pgdp, unsigned long addr, page = pgd_page(orig); refs = record_subpages(page, PGDIR_SIZE, addr, end, pages + *nr); - folio = try_grab_folio(page, refs, flags); + folio = try_grab_folio_fast(page, refs, flags); if (!folio) return 0; @@ -3276,7 +3290,7 @@ static int gup_fast_pmd_range(pud_t *pudp, pud_t pud, unsigned long addr, * pmd format and THP pmd format */ if (gup_hugepd(NULL, __hugepd(pmd_val(pmd)), addr, - PMD_SHIFT, next, flags, pages, nr) != 1) + PMD_SHIFT, next, flags, pages, nr, true) != 1) return 0; } else if (!gup_fast_pte_range(pmd, pmdp, addr, next, flags, pages, nr)) @@ -3306,7 +3320,7 @@ static int gup_fast_pud_range(p4d_t *p4dp, p4d_t p4d, unsigned long addr, return 0; } else if (unlikely(is_hugepd(__hugepd(pud_val(pud))))) { if (gup_hugepd(NULL, __hugepd(pud_val(pud)), addr, - PUD_SHIFT, next, flags, pages, nr) != 1) + PUD_SHIFT, next, flags, pages, nr, true) != 1) return 0; } else if (!gup_fast_pmd_range(pudp, pud, addr, next, flags, pages, nr)) @@ -3333,7 +3347,7 @@ static int gup_fast_p4d_range(pgd_t *pgdp, pgd_t pgd, unsigned long addr, BUILD_BUG_ON(p4d_leaf(p4d)); if (unlikely(is_hugepd(__hugepd(p4d_val(p4d))))) { if (gup_hugepd(NULL, __hugepd(p4d_val(p4d)), addr, - P4D_SHIFT, next, flags, pages, nr) != 1) + P4D_SHIFT, next, flags, pages, nr, true) != 1) return 0; } else if (!gup_fast_pud_range(p4dp, p4d, addr, next, flags, pages, nr)) @@ -3362,7 +3376,7 @@ static void gup_fast_pgd_range(unsigned long addr, unsigned long end, return; } else if (unlikely(is_hugepd(__hugepd(pgd_val(pgd))))) { if (gup_hugepd(NULL, __hugepd(pgd_val(pgd)), addr, - PGDIR_SHIFT, next, flags, pages, nr) != 1) + PGDIR_SHIFT, next, flags, pages, nr, true) != 1) return; } else if (!gup_fast_p4d_range(pgdp, pgd, addr, next, flags, pages, nr)) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index db7946a0a28c..2120f7478e55 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1331,7 +1331,7 @@ struct page *follow_devmap_pmd(struct vm_area_struct *vma, unsigned long addr, if (!*pgmap) return ERR_PTR(-EFAULT); page = pfn_to_page(pfn); - ret = try_grab_page(page, flags); + ret = try_grab_folio(page_folio(page), 1, flags); if (ret) page = ERR_PTR(ret); diff --git a/mm/internal.h b/mm/internal.h index 6902b7dd8509..52db9219b2db 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -1182,8 +1182,7 @@ int migrate_device_coherent_page(struct page *page); /* * mm/gup.c */ -struct folio *try_grab_folio(struct page *page, int refs, unsigned int flags); -int __must_check try_grab_page(struct page *page, unsigned int flags); +int __must_check try_grab_folio(struct folio *folio, int refs, unsigned int flags); /* * mm/huge_memory.c -- 2.41.0

1 year, 2 months

3
2
0 0

+ mm-gup-do-not-call-try_grab_folio-in-slow-path.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: gup: do not call try_grab_folio() in slow path has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-gup-do-not-call-try_grab_folio-in-slow-path.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yang Shi <yang(a)os.amperecomputing.com> Subject: mm: gup: do not call try_grab_folio() in slow path Date: Thu, 27 Jun 2024 16:16:01 -0700 The try_grab_folio() is supposed to be used in fast path and it elevates folio refcount by using add ref unless zero. We are guaranteed to have at least one stable reference in slow path, so the simple atomic add could be used. The performance difference should be trivial, but the misuse may be confusing and misleading. In another thread [1] a kernel warning was reported when pinning folio in CMA memory when launching SEV virtual machine. The splat looks like: [ 464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520 [ 464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6 [ 464.325477] RIP: 0010:__get_user_pages+0x423/0x520 [ 464.325515] Call Trace: [ 464.325520] <TASK> [ 464.325523] ? __get_user_pages+0x423/0x520 [ 464.325528] ? __warn+0x81/0x130 [ 464.325536] ? __get_user_pages+0x423/0x520 [ 464.325541] ? report_bug+0x171/0x1a0 [ 464.325549] ? handle_bug+0x3c/0x70 [ 464.325554] ? exc_invalid_op+0x17/0x70 [ 464.325558] ? asm_exc_invalid_op+0x1a/0x20 [ 464.325567] ? __get_user_pages+0x423/0x520 [ 464.325575] __gup_longterm_locked+0x212/0x7a0 [ 464.325583] internal_get_user_pages_fast+0xfb/0x190 [ 464.325590] pin_user_pages_fast+0x47/0x60 [ 464.325598] sev_pin_memory+0xca/0x170 [kvm_amd] [ 464.325616] sev_mem_enc_register_region+0x81/0x130 [kvm_amd] Per the analysis done by yangge, when starting the SEV virtual machine, it will call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory. But the page is in CMA area, so fast GUP will fail then fallback to the slow path due to the longterm pinnalbe check in try_grab_folio(). The slow path will try to pin the pages then migrate them out of CMA area. But the slow path also uses try_grab_folio() to pin the page, it will also fail due to the same check then the above warning is triggered. [1] https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge11… Link: https://lkml.kernel.org/r/20240627231601.1713119-1-yang@os.amperecomputing.… Fixes: 57edfcfd3419 ("mm/gup: accelerate thp gup even for "pages != NULL"") Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> Reported-by: yangge <yangge1116(a)126.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: <stable(a)vger.kernel.org> [6.6+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 278 +++++++++++++++++++++++---------------------- mm/huge_memory.c | 2 mm/internal.h | 3 3 files changed, 148 insertions(+), 135 deletions(-) --- a/mm/gup.c~mm-gup-do-not-call-try_grab_folio-in-slow-path +++ a/mm/gup.c @@ -97,95 +97,6 @@ retry: return folio; } -/** - * try_grab_folio() - Attempt to get or pin a folio. - * @page: pointer to page to be grabbed - * @refs: the value to (effectively) add to the folio's refcount - * @flags: gup flags: these are the FOLL_* flag values. - * - * "grab" names in this file mean, "look at flags to decide whether to use - * FOLL_PIN or FOLL_GET behavior, when incrementing the folio's refcount. - * - * Either FOLL_PIN or FOLL_GET (or neither) must be set, but not both at the - * same time. (That's true throughout the get_user_pages*() and - * pin_user_pages*() APIs.) Cases: - * - * FOLL_GET: folio's refcount will be incremented by @refs. - * - * FOLL_PIN on large folios: folio's refcount will be incremented by - * @refs, and its pincount will be incremented by @refs. - * - * FOLL_PIN on single-page folios: folio's refcount will be incremented by - * @refs * GUP_PIN_COUNTING_BIAS. - * - * Return: The folio containing @page (with refcount appropriately - * incremented) for success, or NULL upon failure. If neither FOLL_GET - * nor FOLL_PIN was set, that's considered failure, and furthermore, - * a likely bug in the caller, so a warning is also emitted. - */ -struct folio *try_grab_folio(struct page *page, int refs, unsigned int flags) -{ - struct folio *folio; - - if (WARN_ON_ONCE((flags & (FOLL_GET | FOLL_PIN)) == 0)) - return NULL; - - if (unlikely(!(flags & FOLL_PCI_P2PDMA) && is_pci_p2pdma_page(page))) - return NULL; - - if (flags & FOLL_GET) - return try_get_folio(page, refs); - - /* FOLL_PIN is set */ - - /* - * Don't take a pin on the zero page - it's not going anywhere - * and it is used in a *lot* of places. - */ - if (is_zero_page(page)) - return page_folio(page); - - folio = try_get_folio(page, refs); - if (!folio) - return NULL; - - /* - * Can't do FOLL_LONGTERM + FOLL_PIN gup fast path if not in a - * right zone, so fail and let the caller fall back to the slow - * path. - */ - if (unlikely((flags & FOLL_LONGTERM) && - !folio_is_longterm_pinnable(folio))) { - if (!put_devmap_managed_folio_refs(folio, refs)) - folio_put_refs(folio, refs); - return NULL; - } - - /* - * When pinning a large folio, use an exact count to track it. - * - * However, be sure to *also* increment the normal folio - * refcount field at least once, so that the folio really - * is pinned. That's why the refcount from the earlier - * try_get_folio() is left intact. - */ - if (folio_test_large(folio)) - atomic_add(refs, &folio->_pincount); - else - folio_ref_add(folio, - refs * (GUP_PIN_COUNTING_BIAS - 1)); - /* - * Adjust the pincount before re-checking the PTE for changes. - * This is essentially a smp_mb() and is paired with a memory - * barrier in folio_try_share_anon_rmap_*(). - */ - smp_mb__after_atomic(); - - node_stat_mod_folio(folio, NR_FOLL_PIN_ACQUIRED, refs); - - return folio; -} - static void gup_put_folio(struct folio *folio, int refs, unsigned int flags) { if (flags & FOLL_PIN) { @@ -203,28 +114,31 @@ static void gup_put_folio(struct folio * } /** - * try_grab_page() - elevate a page's refcount by a flag-dependent amount - * @page: pointer to page to be grabbed - * @flags: gup flags: these are the FOLL_* flag values. + * try_grab_folio() - add a folio's refcount by a flag-dependent amount + * @folio: pointer to folio to be grabbed + * @refs: the value to (effectively) add to the folio's refcount + * @flags: gup flags: these are the FOLL_* flag values * * This might not do anything at all, depending on the flags argument. * * "grab" names in this file mean, "look at flags to decide whether to use - * FOLL_PIN or FOLL_GET behavior, when incrementing the page's refcount. + * FOLL_PIN or FOLL_GET behavior, when incrementing the folio's refcount. * * Either FOLL_PIN or FOLL_GET (or neither) may be set, but not both at the same - * time. Cases: please see the try_grab_folio() documentation, with - * "refs=1". + * time. * * Return: 0 for success, or if no action was required (if neither FOLL_PIN * nor FOLL_GET was set, nothing is done). A negative error code for failure: * - * -ENOMEM FOLL_GET or FOLL_PIN was set, but the page could not + * -ENOMEM FOLL_GET or FOLL_PIN was set, but the folio could not * be grabbed. + * + * It is called when we have a stable reference for the folio, typically in + * GUP slow path. */ -int __must_check try_grab_page(struct page *page, unsigned int flags) +int __must_check try_grab_folio(struct folio *folio, int refs, unsigned int flags) { - struct folio *folio = page_folio(page); + struct page *page = &folio->page; if (WARN_ON_ONCE(folio_ref_count(folio) <= 0)) return -ENOMEM; @@ -233,7 +147,7 @@ int __must_check try_grab_page(struct pa return -EREMOTEIO; if (flags & FOLL_GET) - folio_ref_inc(folio); + folio_ref_add(folio, refs); else if (flags & FOLL_PIN) { /* * Don't take a pin on the zero page - it's not going anywhere @@ -243,18 +157,18 @@ int __must_check try_grab_page(struct pa return 0; /* - * Similar to try_grab_folio(): be sure to *also* - * increment the normal page refcount field at least once, + * Increment the normal page refcount field at least once, * so that the page really is pinned. */ if (folio_test_large(folio)) { - folio_ref_add(folio, 1); - atomic_add(1, &folio->_pincount); + folio_ref_add(folio, refs); + atomic_add(refs, &folio->_pincount); } else { - folio_ref_add(folio, GUP_PIN_COUNTING_BIAS); + folio_ref_add(folio, + refs * GUP_PIN_COUNTING_BIAS); } - node_stat_mod_folio(folio, NR_FOLL_PIN_ACQUIRED, 1); + node_stat_mod_folio(folio, NR_FOLL_PIN_ACQUIRED, refs); } return 0; @@ -535,7 +449,7 @@ static unsigned long hugepte_addr_end(un */ static int gup_hugepte(struct vm_area_struct *vma, pte_t *ptep, unsigned long sz, unsigned long addr, unsigned long end, unsigned int flags, - struct page **pages, int *nr) + struct page **pages, int *nr, bool fast) { unsigned long pte_end; struct page *page; @@ -558,9 +472,15 @@ static int gup_hugepte(struct vm_area_st page = pte_page(pte); refs = record_subpages(page, sz, addr, end, pages + *nr); - folio = try_grab_folio(page, refs, flags); - if (!folio) - return 0; + if (fast) { + folio = try_grab_folio_fast(page, refs, flags); + if (!folio) + return 0; + } else { + folio = page_folio(page); + if (try_grab_folio(folio, refs, flags)) + return 0; + } if (unlikely(pte_val(pte) != pte_val(ptep_get(ptep)))) { gup_put_folio(folio, refs, flags); @@ -588,7 +508,7 @@ static int gup_hugepte(struct vm_area_st static int gup_hugepd(struct vm_area_struct *vma, hugepd_t hugepd, unsigned long addr, unsigned int pdshift, unsigned long end, unsigned int flags, - struct page **pages, int *nr) + struct page **pages, int *nr, bool fast) { pte_t *ptep; unsigned long sz = 1UL << hugepd_shift(hugepd); @@ -598,7 +518,7 @@ static int gup_hugepd(struct vm_area_str ptep = hugepte_offset(hugepd, addr, pdshift); do { next = hugepte_addr_end(addr, end, sz); - ret = gup_hugepte(vma, ptep, sz, addr, end, flags, pages, nr); + ret = gup_hugepte(vma, ptep, sz, addr, end, flags, pages, nr, fast); if (ret != 1) return ret; } while (ptep++, addr = next, addr != end); @@ -625,7 +545,7 @@ static struct page *follow_hugepd(struct ptep = hugepte_offset(hugepd, addr, pdshift); ptl = huge_pte_lock(h, vma->vm_mm, ptep); ret = gup_hugepd(vma, hugepd, addr, pdshift, addr + PAGE_SIZE, - flags, &page, &nr); + flags, &page, &nr, false); spin_unlock(ptl); if (ret == 1) { @@ -642,7 +562,7 @@ static struct page *follow_hugepd(struct static inline int gup_hugepd(struct vm_area_struct *vma, hugepd_t hugepd, unsigned long addr, unsigned int pdshift, unsigned long end, unsigned int flags, - struct page **pages, int *nr) + struct page **pages, int *nr, bool fast) { return 0; } @@ -729,7 +649,7 @@ static struct page *follow_huge_pud(stru gup_must_unshare(vma, flags, page)) return ERR_PTR(-EMLINK); - ret = try_grab_page(page, flags); + ret = try_grab_folio(page_folio(page), 1, flags); if (ret) page = ERR_PTR(ret); else @@ -806,7 +726,7 @@ static struct page *follow_huge_pmd(stru VM_BUG_ON_PAGE((flags & FOLL_PIN) && PageAnon(page) && !PageAnonExclusive(page), page); - ret = try_grab_page(page, flags); + ret = try_grab_folio(page_folio(page), 1, flags); if (ret) return ERR_PTR(ret); @@ -968,8 +888,8 @@ static struct page *follow_page_pte(stru VM_BUG_ON_PAGE((flags & FOLL_PIN) && PageAnon(page) && !PageAnonExclusive(page), page); - /* try_grab_page() does nothing unless FOLL_GET or FOLL_PIN is set. */ - ret = try_grab_page(page, flags); + /* try_grab_folio() does nothing unless FOLL_GET or FOLL_PIN is set. */ + ret = try_grab_folio(page_folio(page), 1, flags); if (unlikely(ret)) { page = ERR_PTR(ret); goto out; @@ -1233,7 +1153,7 @@ static int get_gate_page(struct mm_struc goto unmap; *page = pte_page(entry); } - ret = try_grab_page(*page, gup_flags); + ret = try_grab_folio(page_folio(*page), 1, gup_flags); if (unlikely(ret)) goto unmap; out: @@ -1636,20 +1556,19 @@ next_page: * pages. */ if (page_increm > 1) { - struct folio *folio; + struct folio *folio = page_folio(page); /* * Since we already hold refcount on the * large folio, this should never fail. */ - folio = try_grab_folio(page, page_increm - 1, - foll_flags); - if (WARN_ON_ONCE(!folio)) { + if (try_grab_folio(folio, page_increm - 1, + foll_flags)) { /* * Release the 1st page ref if the * folio is problematic, fail hard. */ - gup_put_folio(page_folio(page), 1, + gup_put_folio(folio, 1, foll_flags); ret = -EFAULT; goto out; @@ -2797,6 +2716,101 @@ EXPORT_SYMBOL(get_user_pages_unlocked); * This code is based heavily on the PowerPC implementation by Nick Piggin. */ #ifdef CONFIG_HAVE_GUP_FAST +/** + * try_grab_folio_fast() - Attempt to get or pin a folio in fast path. + * @page: pointer to page to be grabbed + * @refs: the value to (effectively) add to the folio's refcount + * @flags: gup flags: these are the FOLL_* flag values. + * + * "grab" names in this file mean, "look at flags to decide whether to use + * FOLL_PIN or FOLL_GET behavior, when incrementing the folio's refcount. + * + * Either FOLL_PIN or FOLL_GET (or neither) must be set, but not both at the + * same time. (That's true throughout the get_user_pages*() and + * pin_user_pages*() APIs.) Cases: + * + * FOLL_GET: folio's refcount will be incremented by @refs. + * + * FOLL_PIN on large folios: folio's refcount will be incremented by + * @refs, and its pincount will be incremented by @refs. + * + * FOLL_PIN on single-page folios: folio's refcount will be incremented by + * @refs * GUP_PIN_COUNTING_BIAS. + * + * Return: The folio containing @page (with refcount appropriately + * incremented) for success, or NULL upon failure. If neither FOLL_GET + * nor FOLL_PIN was set, that's considered failure, and furthermore, + * a likely bug in the caller, so a warning is also emitted. + * + * It uses add ref unless zero to elevate the folio refcount and must be called + * in fast path only. + */ +static struct folio *try_grab_folio_fast(struct page *page, int refs, + unsigned int flags) +{ + struct folio *folio; + + /* Raise warn if it is not called in fast GUP */ + VM_WARN_ON_ONCE(!irqs_disabled()); + + if (WARN_ON_ONCE((flags & (FOLL_GET | FOLL_PIN)) == 0)) + return NULL; + + if (unlikely(!(flags & FOLL_PCI_P2PDMA) && is_pci_p2pdma_page(page))) + return NULL; + + if (flags & FOLL_GET) + return try_get_folio(page, refs); + + /* FOLL_PIN is set */ + + /* + * Don't take a pin on the zero page - it's not going anywhere + * and it is used in a *lot* of places. + */ + if (is_zero_page(page)) + return page_folio(page); + + folio = try_get_folio(page, refs); + if (!folio) + return NULL; + + /* + * Can't do FOLL_LONGTERM + FOLL_PIN gup fast path if not in a + * right zone, so fail and let the caller fall back to the slow + * path. + */ + if (unlikely((flags & FOLL_LONGTERM) && + !folio_is_longterm_pinnable(folio))) { + if (!put_devmap_managed_folio_refs(folio, refs)) + folio_put_refs(folio, refs); + return NULL; + } + + /* + * When pinning a large folio, use an exact count to track it. + * + * However, be sure to *also* increment the normal folio + * refcount field at least once, so that the folio really + * is pinned. That's why the refcount from the earlier + * try_get_folio() is left intact. + */ + if (folio_test_large(folio)) + atomic_add(refs, &folio->_pincount); + else + folio_ref_add(folio, + refs * (GUP_PIN_COUNTING_BIAS - 1)); + /* + * Adjust the pincount before re-checking the PTE for changes. + * This is essentially a smp_mb() and is paired with a memory + * barrier in folio_try_share_anon_rmap_*(). + */ + smp_mb__after_atomic(); + + node_stat_mod_folio(folio, NR_FOLL_PIN_ACQUIRED, refs); + + return folio; +} /* * Used in the GUP-fast path to determine whether GUP is permitted to work on @@ -2962,7 +2976,7 @@ static int gup_fast_pte_range(pmd_t pmd, VM_BUG_ON(!pfn_valid(pte_pfn(pte))); page = pte_page(pte); - folio = try_grab_folio(page, 1, flags); + folio = try_grab_folio_fast(page, 1, flags); if (!folio) goto pte_unmap; @@ -3049,7 +3063,7 @@ static int gup_fast_devmap_leaf(unsigned break; } - folio = try_grab_folio(page, 1, flags); + folio = try_grab_folio_fast(page, 1, flags); if (!folio) { gup_fast_undo_dev_pagemap(nr, nr_start, flags, pages); break; @@ -3138,7 +3152,7 @@ static int gup_fast_pmd_leaf(pmd_t orig, page = pmd_page(orig); refs = record_subpages(page, PMD_SIZE, addr, end, pages + *nr); - folio = try_grab_folio(page, refs, flags); + folio = try_grab_folio_fast(page, refs, flags); if (!folio) return 0; @@ -3182,7 +3196,7 @@ static int gup_fast_pud_leaf(pud_t orig, page = pud_page(orig); refs = record_subpages(page, PUD_SIZE, addr, end, pages + *nr); - folio = try_grab_folio(page, refs, flags); + folio = try_grab_folio_fast(page, refs, flags); if (!folio) return 0; @@ -3222,7 +3236,7 @@ static int gup_fast_pgd_leaf(pgd_t orig, page = pgd_page(orig); refs = record_subpages(page, PGDIR_SIZE, addr, end, pages + *nr); - folio = try_grab_folio(page, refs, flags); + folio = try_grab_folio_fast(page, refs, flags); if (!folio) return 0; @@ -3276,7 +3290,7 @@ static int gup_fast_pmd_range(pud_t *pud * pmd format and THP pmd format */ if (gup_hugepd(NULL, __hugepd(pmd_val(pmd)), addr, - PMD_SHIFT, next, flags, pages, nr) != 1) + PMD_SHIFT, next, flags, pages, nr, true) != 1) return 0; } else if (!gup_fast_pte_range(pmd, pmdp, addr, next, flags, pages, nr)) @@ -3306,7 +3320,7 @@ static int gup_fast_pud_range(p4d_t *p4d return 0; } else if (unlikely(is_hugepd(__hugepd(pud_val(pud))))) { if (gup_hugepd(NULL, __hugepd(pud_val(pud)), addr, - PUD_SHIFT, next, flags, pages, nr) != 1) + PUD_SHIFT, next, flags, pages, nr, true) != 1) return 0; } else if (!gup_fast_pmd_range(pudp, pud, addr, next, flags, pages, nr)) @@ -3333,7 +3347,7 @@ static int gup_fast_p4d_range(pgd_t *pgd BUILD_BUG_ON(p4d_leaf(p4d)); if (unlikely(is_hugepd(__hugepd(p4d_val(p4d))))) { if (gup_hugepd(NULL, __hugepd(p4d_val(p4d)), addr, - P4D_SHIFT, next, flags, pages, nr) != 1) + P4D_SHIFT, next, flags, pages, nr, true) != 1) return 0; } else if (!gup_fast_pud_range(p4dp, p4d, addr, next, flags, pages, nr)) @@ -3362,7 +3376,7 @@ static void gup_fast_pgd_range(unsigned return; } else if (unlikely(is_hugepd(__hugepd(pgd_val(pgd))))) { if (gup_hugepd(NULL, __hugepd(pgd_val(pgd)), addr, - PGDIR_SHIFT, next, flags, pages, nr) != 1) + PGDIR_SHIFT, next, flags, pages, nr, true) != 1) return; } else if (!gup_fast_p4d_range(pgdp, pgd, addr, next, flags, pages, nr)) --- a/mm/huge_memory.c~mm-gup-do-not-call-try_grab_folio-in-slow-path +++ a/mm/huge_memory.c @@ -1331,7 +1331,7 @@ struct page *follow_devmap_pmd(struct vm if (!*pgmap) return ERR_PTR(-EFAULT); page = pfn_to_page(pfn); - ret = try_grab_page(page, flags); + ret = try_grab_folio(page_folio(page), 1, flags); if (ret) page = ERR_PTR(ret); --- a/mm/internal.h~mm-gup-do-not-call-try_grab_folio-in-slow-path +++ a/mm/internal.h @@ -1182,8 +1182,7 @@ int migrate_device_coherent_page(struct /* * mm/gup.c */ -struct folio *try_grab_folio(struct page *page, int refs, unsigned int flags); -int __must_check try_grab_page(struct page *page, unsigned int flags); +int __must_check try_grab_folio(struct folio *folio, int refs, unsigned int flags); /* * mm/huge_memory.c _ Patches currently in -mm which might be from yang(a)os.amperecomputing.com are mm-page_ref-remove-folio_try_get_rcu.patch mm-gup-do-not-call-try_grab_folio-in-slow-path.patch hugetlbfs-add-mte-support.patch

1 year, 2 months

1
0
0 0

[PATCH v4] tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()

by yskelg＠gmail.com

From: Yunseong Kim <yskelg(a)gmail.com> In the TRACE_EVENT(qdisc_reset) NULL dereference occurred from qdisc->dev_queue->dev <NULL> ->name This situation simulated from bunch of veths and Bluetooth disconnection and reconnection. During qdisc initialization, qdisc was being set to noop_queue. In veth_init_queue, the initial tx_num was reduced back to one, causing the qdisc reset to be called with noop, which led to the kernel panic. I've attached the GitHub gist link that C converted syz-execprogram source code and 3 log of reproduced vmcore-dmesg. https://gist.github.com/yskelg/cc64562873ce249cdd0d5a358b77d740 Yeoreum and I use two fuzzing tool simultaneously. One process with syz-executor : https://github.com/google/syzkaller $ ./syz-execprog -executor=./syz-executor -repeat=1 -sandbox=setuid \ -enable=none -collide=false log1 The other process with perf fuzzer: https://github.com/deater/perf_event_tests/tree/master/fuzzer $ perf_event_tests/fuzzer/perf_fuzzer I think this will happen on the kernel version. Linux kernel version +v6.7.10, +v6.8, +v6.9 and it could happen in v6.10. This occurred from 51270d573a8d. I think this patch is absolutely necessary. Previously, It was showing not intended string value of name. I've reproduced 3 time from my fedora 40 Debug Kernel with any other module or patched. version: 6.10.0-0.rc2.20240608gitdc772f8237f9.29.fc41.aarch64+debug [ 5287.164555] veth0_vlan: left promiscuous mode [ 5287.164929] veth1_macvtap: left promiscuous mode [ 5287.164950] veth0_macvtap: left promiscuous mode [ 5287.164983] veth1_vlan: left promiscuous mode [ 5287.165008] veth0_vlan: left promiscuous mode [ 5287.165450] veth1_macvtap: left promiscuous mode [ 5287.165472] veth0_macvtap: left promiscuous mode [ 5287.165502] veth1_vlan: left promiscuous mode … [ 5297.598240] bridge0: port 2(bridge_slave_1) entered blocking state [ 5297.598262] bridge0: port 2(bridge_slave_1) entered forwarding state [ 5297.598296] bridge0: port 1(bridge_slave_0) entered blocking state [ 5297.598313] bridge0: port 1(bridge_slave_0) entered forwarding state [ 5297.616090] 8021q: adding VLAN 0 to HW filter on device bond0 [ 5297.620405] bridge0: port 1(bridge_slave_0) entered disabled state [ 5297.620730] bridge0: port 2(bridge_slave_1) entered disabled state [ 5297.627247] 8021q: adding VLAN 0 to HW filter on device team0 [ 5297.629636] bridge0: port 1(bridge_slave_0) entered blocking state … [ 5298.002798] bridge_slave_0: left promiscuous mode [ 5298.002869] bridge0: port 1(bridge_slave_0) entered disabled state [ 5298.309444] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 5298.315206] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 5298.320207] bond0 (unregistering): Released all slaves [ 5298.354296] hsr_slave_0: left promiscuous mode [ 5298.360750] hsr_slave_1: left promiscuous mode [ 5298.374889] veth1_macvtap: left promiscuous mode [ 5298.374931] veth0_macvtap: left promiscuous mode [ 5298.374988] veth1_vlan: left promiscuous mode [ 5298.375024] veth0_vlan: left promiscuous mode [ 5299.109741] team0 (unregistering): Port device team_slave_1 removed [ 5299.185870] team0 (unregistering): Port device team_slave_0 removed … [ 5300.155443] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 5300.155724] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 5300.155988] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 …. [ 5301.075531] team0: Port device team_slave_1 added [ 5301.085515] bridge0: port 1(bridge_slave_0) entered blocking state [ 5301.085531] bridge0: port 1(bridge_slave_0) entered disabled state [ 5301.085588] bridge_slave_0: entered allmulticast mode [ 5301.085800] bridge_slave_0: entered promiscuous mode [ 5301.095617] bridge0: port 1(bridge_slave_0) entered blocking state [ 5301.095633] bridge0: port 1(bridge_slave_0) entered disabled state … [ 5301.149734] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 5301.173234] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 5301.180517] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 5301.193481] hsr_slave_0: entered promiscuous mode [ 5301.204425] hsr_slave_1: entered promiscuous mode [ 5301.210172] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 5301.210185] Cannot create hsr debugfs directory [ 5301.224061] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 5301.246901] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 5301.255934] team0: Port device team_slave_0 added [ 5301.256480] team0: Port device team_slave_1 added [ 5301.256948] team0: Port device team_slave_0 added … [ 5301.435928] hsr_slave_0: entered promiscuous mode [ 5301.446029] hsr_slave_1: entered promiscuous mode [ 5301.455872] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 5301.455884] Cannot create hsr debugfs directory [ 5301.502664] hsr_slave_0: entered promiscuous mode [ 5301.513675] hsr_slave_1: entered promiscuous mode [ 5301.526155] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 5301.526164] Cannot create hsr debugfs directory [ 5301.563662] hsr_slave_0: entered promiscuous mode [ 5301.576129] hsr_slave_1: entered promiscuous mode [ 5301.580259] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 5301.580270] Cannot create hsr debugfs directory [ 5301.590269] 8021q: adding VLAN 0 to HW filter on device bond0 [ 5301.595872] KASAN: null-ptr-deref in range [0x0000000000000130-0x0000000000000137] [ 5301.595877] Mem abort info: [ 5301.595881] ESR = 0x0000000096000006 [ 5301.595885] EC = 0x25: DABT (current EL), IL = 32 bits [ 5301.595889] SET = 0, FnV = 0 [ 5301.595893] EA = 0, S1PTW = 0 [ 5301.595896] FSC = 0x06: level 2 translation fault [ 5301.595900] Data abort info: [ 5301.595903] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 [ 5301.595907] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 5301.595911] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 5301.595915] [dfff800000000026] address between user and kernel address ranges [ 5301.595971] Internal error: Oops: 0000000096000006 [#1] SMP … [ 5301.596076] CPU: 2 PID: 102769 Comm: syz-executor.3 Kdump: loaded Tainted: G W ------- --- 6.10.0-0.rc2.20240608gitdc772f8237f9.29.fc41.aarch64+debug #1 [ 5301.596080] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.21805430.BA64.2305221830 05/22/2023 [ 5301.596082] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 5301.596085] pc : strnlen+0x40/0x88 [ 5301.596114] lr : trace_event_get_offsets_qdisc_reset+0x6c/0x2b0 [ 5301.596124] sp : ffff8000beef6b40 [ 5301.596126] x29: ffff8000beef6b40 x28: dfff800000000000 x27: 0000000000000001 [ 5301.596131] x26: 6de1800082c62bd0 x25: 1ffff000110aa9e0 x24: ffff800088554f00 [ 5301.596136] x23: ffff800088554ec0 x22: 0000000000000130 x21: 0000000000000140 [ 5301.596140] x20: dfff800000000000 x19: ffff8000beef6c60 x18: ffff7000115106d8 [ 5301.596143] x17: ffff800121bad000 x16: ffff800080020000 x15: 0000000000000006 [ 5301.596147] x14: 0000000000000002 x13: ffff0001f3ed8d14 x12: ffff700017ddeda5 [ 5301.596151] x11: 1ffff00017ddeda4 x10: ffff700017ddeda4 x9 : ffff800082cc5eec [ 5301.596155] x8 : 0000000000000004 x7 : 00000000f1f1f1f1 x6 : 00000000f2f2f200 [ 5301.596158] x5 : 00000000f3f3f3f3 x4 : ffff700017dded80 x3 : 00000000f204f1f1 [ 5301.596162] x2 : 0000000000000026 x1 : 0000000000000000 x0 : 0000000000000130 [ 5301.596166] Call trace: [ 5301.596175] strnlen+0x40/0x88 [ 5301.596179] trace_event_get_offsets_qdisc_reset+0x6c/0x2b0 [ 5301.596182] perf_trace_qdisc_reset+0xb0/0x538 [ 5301.596184] __traceiter_qdisc_reset+0x68/0xc0 [ 5301.596188] qdisc_reset+0x43c/0x5e8 [ 5301.596190] netif_set_real_num_tx_queues+0x288/0x770 [ 5301.596194] veth_init_queues+0xfc/0x130 [veth] [ 5301.596198] veth_newlink+0x45c/0x850 [veth] [ 5301.596202] rtnl_newlink_create+0x2c8/0x798 [ 5301.596205] __rtnl_newlink+0x92c/0xb60 [ 5301.596208] rtnl_newlink+0xd8/0x130 [ 5301.596211] rtnetlink_rcv_msg+0x2e0/0x890 [ 5301.596214] netlink_rcv_skb+0x1c4/0x380 [ 5301.596225] rtnetlink_rcv+0x20/0x38 [ 5301.596227] netlink_unicast+0x3c8/0x640 [ 5301.596231] netlink_sendmsg+0x658/0xa60 [ 5301.596234] __sock_sendmsg+0xd0/0x180 [ 5301.596243] __sys_sendto+0x1c0/0x280 [ 5301.596246] __arm64_sys_sendto+0xc8/0x150 [ 5301.596249] invoke_syscall+0xdc/0x268 [ 5301.596256] el0_svc_common.constprop.0+0x16c/0x240 [ 5301.596259] do_el0_svc+0x48/0x68 [ 5301.596261] el0_svc+0x50/0x188 [ 5301.596265] el0t_64_sync_handler+0x120/0x130 [ 5301.596268] el0t_64_sync+0x194/0x198 [ 5301.596272] Code: eb15001f 54000120 d343fc02 12000801 (38f46842) [ 5301.596285] SMP: stopping secondary CPUs [ 5301.597053] Starting crashdump kernel... [ 5301.597057] Bye! After applying our patch, I didn't find any kernel panic errors. We've found a simple reproducer # echo 1 > /sys/kernel/debug/tracing/events/qdisc/qdisc_reset/enable # ip link add veth0 type veth peer name veth1 Error: Unknown device type. However, without our patch applied, I tested upstream 6.10.0-rc3 kernel using the qdisc_reset event and the ip command on my qemu virtual machine. This 2 commands makes always kernel panic. Linux version: 6.10.0-rc3 [ 0.000000] Linux version 6.10.0-rc3-00164-g44ef20baed8e-dirty (paran@fedora) (gcc (GCC) 14.1.1 20240522 (Red Hat 14.1.1-4), GNU ld version 2.41-34.fc40) #20 SMP PREEMPT Sat Jun 15 16:51:25 KST 2024 Kernel panic message: [ 615.236484] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 615.237250] Dumping ftrace buffer: [ 615.237679] (ftrace buffer empty) [ 615.238097] Modules linked in: veth crct10dif_ce virtio_gpu virtio_dma_buf drm_shmem_helper drm_kms_helper zynqmp_fpga xilinx_can xilinx_spi xilinx_selectmap xilinx_core xilinx_pr_decoupler versal_fpga uvcvideo uvc videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev videobuf2_common mc usbnet deflate zstd ubifs ubi rcar_canfd rcar_can omap_mailbox ntb_msi_test ntb_hw_epf lattice_sysconfig_spi lattice_sysconfig ice40_spi gpio_xilinx dwmac_altr_socfpga mdio_regmap stmmac_platform stmmac pcs_xpcs dfl_fme_region dfl_fme_mgr dfl_fme_br dfl_afu dfl fpga_region fpga_bridge can can_dev br_netfilter bridge stp llc atl1c ath11k_pci mhi ath11k_ahb ath11k qmi_helpers ath10k_sdio ath10k_pci ath10k_core ath mac80211 libarc4 cfg80211 drm fuse backlight ipv6 Jun 22 02:36:5[3 6k152.62-4sm98k4-0k]v kCePUr:n e1l :P IUDn:a b4le6 8t oC ohmma: nidpl eN oketr nteali nptaedg i6n.g1 0re.0q-urecs3t- 0at0 1v6i4r-tgu4a4le fa2d0dbraeeds0se-dir tyd f#f2f08 615.252376] Hardware name: linux,dummy-virt (DT) [ 615.253220] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 615.254433] pc : strnlen+0x6c/0xe0 [ 615.255096] lr : trace_event_get_offsets_qdisc_reset+0x94/0x3d0 [ 615.256088] sp : ffff800080b269a0 [ 615.256615] x29: ffff800080b269a0 x28: ffffc070f3f98500 x27: 0000000000000001 [ 615.257831] x26: 0000000000000010 x25: ffffc070f3f98540 x24: ffffc070f619cf60 [ 615.259020] x23: 0000000000000128 x22: 0000000000000138 x21: dfff800000000000 [ 615.260241] x20: ffffc070f631ad00 x19: 0000000000000128 x18: ffffc070f448b800 [ 615.261454] x17: 0000000000000000 x16: 0000000000000001 x15: ffffc070f4ba2a90 [ 615.262635] x14: ffff700010164d73 x13: 1ffff80e1e8d5eb3 x12: 1ffff00010164d72 [ 615.263877] x11: ffff700010164d72 x10: dfff800000000000 x9 : ffffc070e85d6184 [ 615.265047] x8 : ffffc070e4402070 x7 : 000000000000f1f1 x6 : 000000001504a6d3 [ 615.266336] x5 : ffff28ca21122140 x4 : ffffc070f5043ea8 x3 : 0000000000000000 [ 615.267528] x2 : 0000000000000025 x1 : 0000000000000000 x0 : 0000000000000000 [ 615.268747] Call trace: [ 615.269180] strnlen+0x6c/0xe0 [ 615.269767] trace_event_get_offsets_qdisc_reset+0x94/0x3d0 [ 615.270716] trace_event_raw_event_qdisc_reset+0xe8/0x4e8 [ 615.271667] __traceiter_qdisc_reset+0xa0/0x140 [ 615.272499] qdisc_reset+0x554/0x848 [ 615.273134] netif_set_real_num_tx_queues+0x360/0x9a8 [ 615.274050] veth_init_queues+0x110/0x220 [veth] [ 615.275110] veth_newlink+0x538/0xa50 [veth] [ 615.276172] __rtnl_newlink+0x11e4/0x1bc8 [ 615.276944] rtnl_newlink+0xac/0x120 [ 615.277657] rtnetlink_rcv_msg+0x4e4/0x1370 [ 615.278409] netlink_rcv_skb+0x25c/0x4f0 [ 615.279122] rtnetlink_rcv+0x48/0x70 [ 615.279769] netlink_unicast+0x5a8/0x7b8 [ 615.280462] netlink_sendmsg+0xa70/0x1190 Yeoreum and I don't know if the patch we wrote will fix the underlying cause, but we think that priority is to prevent kernel panic happening. So, we're sending this patch. Fixes: 51270d573a8d ("tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string") Link: https://lore.kernel.org/lkml/20240229143432.273b4871@gandalf.local.home/t/ Cc: netdev(a)vger.kernel.org Cc: stable(a)vger.kernel.org # +v6.7.10, +v6.8 Tested-by: Yunseong Kim <yskelg(a)gmail.com> Signed-off-by: Yunseong Kim <yskelg(a)gmail.com> Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> --- include/trace/events/qdisc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h index f1b5e816e7e5..ff33f41a9db7 100644 --- a/include/trace/events/qdisc.h +++ b/include/trace/events/qdisc.h @@ -81,7 +81,7 @@ TRACE_EVENT(qdisc_reset, TP_ARGS(q), TP_STRUCT__entry( - __string( dev, qdisc_dev(q)->name ) + __string( dev, qdisc_dev(q) ? qdisc_dev(q)->name : "(null)" ) __string( kind, q->ops->id ) __field( u32, parent ) __field( u32, handle ) -- 2.45.2

1 year, 2 months

4
3
0 0

[PATCH v2] rtc: abx80x: Fix return value of nvmem callback on read

by Joy Chakraborty

Read callbacks registered with nvmem core expect 0 to be returned on success and a negative value to be returned on failure. abx80x_nvmem_xfer() on read calls i2c_smbus_read_i2c_block_data() which returns the number of bytes read on success as per its api description, this return value is handled as an error and returned to nvmem even on success. Fix to handle all possible values that would be returned by i2c_smbus_read_i2c_block_data(). Fixes: e90ff8ede777 ("rtc: abx80x: Add nvmem support") Cc: stable(a)vger.kernel.org Signed-off-by: Joy Chakraborty <joychakr(a)google.com> --- drivers/rtc/rtc-abx80x.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/rtc/rtc-abx80x.c b/drivers/rtc/rtc-abx80x.c index fde2b8054c2e..1298962402ff 100644 --- a/drivers/rtc/rtc-abx80x.c +++ b/drivers/rtc/rtc-abx80x.c @@ -705,14 +705,18 @@ static int abx80x_nvmem_xfer(struct abx80x_priv *priv, unsigned int offset, if (ret) return ret; - if (write) + if (write) { ret = i2c_smbus_write_i2c_block_data(priv->client, reg, len, val); - else + if (ret) + return ret; + } else { ret = i2c_smbus_read_i2c_block_data(priv->client, reg, len, val); - if (ret) - return ret; + if (ret <= 0) + return ret ? ret : -EIO; + len = ret; + } offset += len; val += len; -- 2.45.2.505.gda0bf45e8d-goog

1 year, 2 months

5
6
0 0

[PATCH] rtc: isl1208: Fix return value of nvmem callbacks

by Joy Chakraborty

Read/write callbacks registered with nvmem core expect 0 to be returned on success and a negative value to be returned on failure. isl1208_nvmem_read()/isl1208_nvmem_write() currently return the number of bytes read/written on success, fix to return 0 on success and negative on failure. Fixes: c3544f6f51ed ("rtc: isl1208: Add new style nvmem support to driver") Cc: stable(a)vger.kernel.org Signed-off-by: Joy Chakraborty <joychakr(a)google.com> --- drivers/rtc/rtc-isl1208.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/rtc/rtc-isl1208.c b/drivers/rtc/rtc-isl1208.c index e50c23ee1646..206f96b90f58 100644 --- a/drivers/rtc/rtc-isl1208.c +++ b/drivers/rtc/rtc-isl1208.c @@ -775,14 +775,13 @@ static int isl1208_nvmem_read(void *priv, unsigned int off, void *buf, { struct isl1208_state *isl1208 = priv; struct i2c_client *client = to_i2c_client(isl1208->rtc->dev.parent); - int ret; /* nvmem sanitizes offset/count for us, but count==0 is possible */ if (!count) return count; - ret = isl1208_i2c_read_regs(client, ISL1208_REG_USR1 + off, buf, + + return isl1208_i2c_read_regs(client, ISL1208_REG_USR1 + off, buf, count); - return ret == 0 ? count : ret; } static int isl1208_nvmem_write(void *priv, unsigned int off, void *buf, @@ -790,15 +789,13 @@ static int isl1208_nvmem_write(void *priv, unsigned int off, void *buf, { struct isl1208_state *isl1208 = priv; struct i2c_client *client = to_i2c_client(isl1208->rtc->dev.parent); - int ret; /* nvmem sanitizes off/count for us, but count==0 is possible */ if (!count) return count; - ret = isl1208_i2c_set_regs(client, ISL1208_REG_USR1 + off, buf, - count); - return ret == 0 ? count : ret; + return isl1208_i2c_set_regs(client, ISL1208_REG_USR1 + off, buf, + count); } static const struct nvmem_config isl1208_nvmem_config = { -- 2.45.2.505.gda0bf45e8d-goog

1 year, 2 months

2
1
0 0

[PATCH] rtc: cmos: Fix return value of nvmem callbacks

by Joy Chakraborty

Read/write callbacks registered with nvmem core expect 0 to be returned on success and a negative value to be returned on failure. cmos_nvram_read()/cmos_nvram_write() currently return the number of bytes read or written, fix to return 0 on success and -EIO incase number of bytes requested was not read or written. Fixes: 8b5b7958fd1c ("rtc: cmos: use generic nvmem") Cc: stable(a)vger.kernel.org Signed-off-by: Joy Chakraborty <joychakr(a)google.com> --- drivers/rtc/rtc-cmos.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c index 7d99cd2c37a0..35dca2accbb8 100644 --- a/drivers/rtc/rtc-cmos.c +++ b/drivers/rtc/rtc-cmos.c @@ -643,11 +643,10 @@ static int cmos_nvram_read(void *priv, unsigned int off, void *val, size_t count) { unsigned char *buf = val; - int retval; off += NVRAM_OFFSET; spin_lock_irq(&rtc_lock); - for (retval = 0; count; count--, off++, retval++) { + for (; count; count--, off++) { if (off < 128) *buf++ = CMOS_READ(off); else if (can_bank2) @@ -657,7 +656,7 @@ static int cmos_nvram_read(void *priv, unsigned int off, void *val, } spin_unlock_irq(&rtc_lock); - return retval; + return count ? -EIO : 0; } static int cmos_nvram_write(void *priv, unsigned int off, void *val, @@ -665,7 +664,6 @@ static int cmos_nvram_write(void *priv, unsigned int off, void *val, { struct cmos_rtc *cmos = priv; unsigned char *buf = val; - int retval; /* NOTE: on at least PCs and Ataris, the boot firmware uses a * checksum on part of the NVRAM data. That's currently ignored @@ -674,7 +672,7 @@ static int cmos_nvram_write(void *priv, unsigned int off, void *val, */ off += NVRAM_OFFSET; spin_lock_irq(&rtc_lock); - for (retval = 0; count; count--, off++, retval++) { + for (; count; count--, off++) { /* don't trash RTC registers */ if (off == cmos->day_alrm || off == cmos->mon_alrm @@ -689,7 +687,7 @@ static int cmos_nvram_write(void *priv, unsigned int off, void *val, } spin_unlock_irq(&rtc_lock); - return retval; + return count ? -EIO : 0; } /*----------------------------------------------------------------*/ -- 2.45.2.505.gda0bf45e8d-goog

1 year, 2 months

4
4
0 0

[PATCH net v1 1/1] net: phy: micrel: ksz8081: disable broadcast only if PHY address is not 0

by Oleksij Rempel

Do not disable broadcast if we are using address 0 (broadcast) to communicate with this device. Otherwise we will use proper driver but no communication will be possible and no link changes will be detected. There are two scenarios where we can run in to this situation: - PHY is bootstrapped for address 0 - no PHY address is known and linux is scanning the MDIO bus, so first respond and attached device will be on address 0. The fixes tag points to the latest refactoring, not to the initial point where kszphy_broadcast_disable() was introduced. Fixes: 79e498a9c7da0 ("net: phy: micrel: Restore led_mode and clk_sel on resume") Cc: stable(a)vger.kernel.org Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> --- drivers/net/phy/micrel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c index 81c20eb4b54b9..67c2e611150d2 100644 --- a/drivers/net/phy/micrel.c +++ b/drivers/net/phy/micrel.c @@ -590,7 +590,7 @@ static int kszphy_config_init(struct phy_device *phydev) type = priv->type; - if (type && type->has_broadcast_disable) + if (type && type->has_broadcast_disable && phydev->mdio.addr != 0) kszphy_broadcast_disable(phydev); if (type && type->has_nand_tree_disable) -- 2.39.2

1 year, 2 months

3
3
0 0

[PATCH 1/2] arm64: dts: mediatek: mt7622: readd syscon to pciesys node

by Christian Marangi

Sata node reference the pciesys with the property mediatek,phy-node and that is used as a syscon to access the pciesys regs. Readd the syscon compatible to pciesys node to restore correct functionality of the SATA interface. Fixes: 3ba5a6159434 ("arm64: dts: mediatek: mt7622: fix clock controllers") Reported-by: Frank Wunderlich <frank-w(a)public-files.de> Co-developed-by: Frank Wunderlich <frank-w(a)public-files.de> Signed-off-by: Frank Wunderlich <frank-w(a)public-files.de> Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> Cc: stable(a)vger.kernel.org --- arch/arm64/boot/dts/mediatek/mt7622.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi index 917fa39a74f8..bb0ec1edbe5b 100644 --- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi +++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi @@ -790,7 +790,7 @@ u2port1: usb-phy@1a0c5000 { }; pciesys: clock-controller@1a100800 { - compatible = "mediatek,mt7622-pciesys"; + compatible = "mediatek,mt7622-pciesys", "syscon"; reg = <0 0x1a100800 0 0x1000>; #clock-cells = <1>; #reset-cells = <1>; -- 2.45.1

1 year, 2 months

1
0
0 0

+ cachestat-do-not-flush-stats-in-recency-check.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: cachestat: do not flush stats in recency check has been added to the -mm mm-hotfixes-unstable branch. Its filename is cachestat-do-not-flush-stats-in-recency-check.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Nhat Pham <nphamcs(a)gmail.com> Subject: cachestat: do not flush stats in recency check Date: Thu, 27 Jun 2024 13:17:37 -0700 syzbot detects that cachestat() is flushing stats, which can sleep, in its RCU read section (see [1]). This is done in the workingset_test_recent() step (which checks if the folio's eviction is recent). Move the stat flushing step to before the RCU read section of cachestat, and skip stat flushing during the recency check. [1]: https://lore.kernel.org/cgroups/000000000000f71227061bdf97e0@google.com/ Link: https://lkml.kernel.org/r/20240627201737.3506959-1-nphamcs@gmail.com Fixes: b00684722262 ("mm: workingset: move the stats flush into workingset_test_recent()") Signed-off-by: Nhat Pham <nphamcs(a)gmail.com> Reported-by: syzbot+b7f13b2d0cc156edf61a(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/cgroups/000000000000f71227061bdf97e0@google.com/ Debugged-by: Johannes Weiner <hannes(a)cmpxchg.org> Suggested-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: David Hildenbrand <david(a)redhat.com> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Kairui Song <kasong(a)tencent.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Yosry Ahmed <yosryahmed(a)google.com> Cc: <stable(a)vger.kernel.org> [6.8+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/swap.h | 3 ++- mm/filemap.c | 5 ++++- mm/workingset.c | 14 +++++++++++--- 3 files changed, 17 insertions(+), 5 deletions(-) --- a/include/linux/swap.h~cachestat-do-not-flush-stats-in-recency-check +++ a/include/linux/swap.h @@ -354,7 +354,8 @@ static inline swp_entry_t page_swap_entr } /* linux/mm/workingset.c */ -bool workingset_test_recent(void *shadow, bool file, bool *workingset); +bool workingset_test_recent(void *shadow, bool file, bool *workingset, + bool flush); void workingset_age_nonresident(struct lruvec *lruvec, unsigned long nr_pages); void *workingset_eviction(struct folio *folio, struct mem_cgroup *target_memcg); void workingset_refault(struct folio *folio, void *shadow); --- a/mm/filemap.c~cachestat-do-not-flush-stats-in-recency-check +++ a/mm/filemap.c @@ -4248,6 +4248,9 @@ static void filemap_cachestat(struct add XA_STATE(xas, &mapping->i_pages, first_index); struct folio *folio; + /* Flush stats (and potentially sleep) outside the RCU read section. */ + mem_cgroup_flush_stats_ratelimited(NULL); + rcu_read_lock(); xas_for_each(&xas, folio, last_index) { int order; @@ -4311,7 +4314,7 @@ static void filemap_cachestat(struct add goto resched; } #endif - if (workingset_test_recent(shadow, true, &workingset)) + if (workingset_test_recent(shadow, true, &workingset, false)) cs->nr_recently_evicted += nr_pages; goto resched; --- a/mm/workingset.c~cachestat-do-not-flush-stats-in-recency-check +++ a/mm/workingset.c @@ -412,10 +412,12 @@ void *workingset_eviction(struct folio * * @file: whether the corresponding folio is from the file lru. * @workingset: where the workingset value unpacked from shadow should * be stored. + * @flush: whether to flush cgroup rstat. * * Return: true if the shadow is for a recently evicted folio; false otherwise. */ -bool workingset_test_recent(void *shadow, bool file, bool *workingset) +bool workingset_test_recent(void *shadow, bool file, bool *workingset, + bool flush) { struct mem_cgroup *eviction_memcg; struct lruvec *eviction_lruvec; @@ -467,10 +469,16 @@ bool workingset_test_recent(void *shadow /* * Flush stats (and potentially sleep) outside the RCU read section. + * + * Note that workingset_test_recent() itself might be called in RCU read + * section (for e.g, in cachestat) - these callers need to skip flushing + * stats (via the flush argument). + * * XXX: With per-memcg flushing and thresholding, is ratelimiting * still needed here? */ - mem_cgroup_flush_stats_ratelimited(eviction_memcg); + if (flush) + mem_cgroup_flush_stats_ratelimited(eviction_memcg); eviction_lruvec = mem_cgroup_lruvec(eviction_memcg, pgdat); refault = atomic_long_read(&eviction_lruvec->nonresident_age); @@ -558,7 +566,7 @@ void workingset_refault(struct folio *fo mod_lruvec_state(lruvec, WORKINGSET_REFAULT_BASE + file, nr); - if (!workingset_test_recent(shadow, file, &workingset)) + if (!workingset_test_recent(shadow, file, &workingset, true)) return; folio_set_active(folio); _ Patches currently in -mm which might be from nphamcs(a)gmail.com are cachestat-do-not-flush-stats-in-recency-check.patch

1 year, 2 months

1
0
0 0

[PATCH -stable,4.19.x] netfilter: nf_tables: validate family when identifying table via handle

by Pablo Neira Ayuso

[ Upstream commit f6e1532a2697b81da00bfb184e99d15e01e9d98c ] Validate table family when looking up for it via NFTA_TABLE_HANDLE. Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle") Reported-by: Xingyuan Mo <hdthky0(a)gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/netfilter/nf_tables_api.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 198e4a89df48..2c31470dd61f 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -536,7 +536,7 @@ static struct nft_table *nft_table_lookup(const struct net *net, static struct nft_table *nft_table_lookup_byhandle(const struct net *net, const struct nlattr *nla, - u8 genmask) + int family, u8 genmask) { struct nftables_pernet *nft_net; struct nft_table *table; @@ -544,6 +544,7 @@ static struct nft_table *nft_table_lookup_byhandle(const struct net *net, nft_net = net_generic(net, nf_tables_net_id); list_for_each_entry(table, &nft_net->tables, list) { if (be64_to_cpu(nla_get_be64(nla)) == table->handle && + table->family == family && nft_active_genmask(table, genmask)) return table; } @@ -1189,7 +1190,7 @@ static int nf_tables_deltable(struct net *net, struct sock *nlsk, if (nla[NFTA_TABLE_HANDLE]) { attr = nla[NFTA_TABLE_HANDLE]; - table = nft_table_lookup_byhandle(net, attr, genmask); + table = nft_table_lookup_byhandle(net, attr, family, genmask); } else { attr = nla[NFTA_TABLE_NAME]; table = nft_table_lookup(net, attr, family, genmask); -- 2.30.2

1 year, 2 months

2
3
0 0

[PATCH -stable,6.1.x] netfilter: nf_tables: use timestamp to check for set element timeout

by Pablo Neira Ayuso

commit 7395dfacfff65e9938ac0889dafa1ab01e987d15 upstream Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. Fixes: c3e1b005ed1c ("netfilter: nf_tables: add set element timeout support") Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> --- This is a backport for 6.1.x, please apply. include/net/netfilter/nf_tables.h | 16 ++++++++++++++-- net/netfilter/nf_tables_api.c | 4 +++- net/netfilter/nft_set_hash.c | 8 +++++++- net/netfilter/nft_set_pipapo.c | 18 +++++++++++------- net/netfilter/nft_set_rbtree.c | 6 ++++-- 5 files changed, 39 insertions(+), 13 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 2fa344cb66f6..964cf7578bd5 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -784,10 +784,16 @@ static inline struct nft_set_elem_expr *nft_set_ext_expr(const struct nft_set_ex return nft_set_ext(ext, NFT_SET_EXT_EXPRESSIONS); } -static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) +static inline bool __nft_set_elem_expired(const struct nft_set_ext *ext, + u64 tstamp) { return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) && - time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext)); + time_after_eq64(tstamp, *nft_set_ext_expiration(ext)); +} + +static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) +{ + return __nft_set_elem_expired(ext, get_jiffies_64()); } static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set, @@ -1711,6 +1717,7 @@ struct nftables_pernet { struct list_head notify_list; struct mutex commit_mutex; u64 table_handle; + u64 tstamp; unsigned int base_seq; u8 validate_state; unsigned int gc_seq; @@ -1723,6 +1730,11 @@ static inline struct nftables_pernet *nft_pernet(const struct net *net) return net_generic(net, nf_tables_net_id); } +static inline u64 nft_net_tstamp(const struct net *net) +{ + return nft_pernet(net)->tstamp; +} + #define __NFT_REDUCE_READONLY 1UL #define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 1c4b7a8ec2cc..e838a6617b0a 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -9377,6 +9377,7 @@ struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc, struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) { struct nft_set_elem_catchall *catchall, *next; + u64 tstamp = nft_net_tstamp(gc->net); const struct nft_set *set = gc->set; struct nft_set_elem elem; struct nft_set_ext *ext; @@ -9386,7 +9387,7 @@ struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { ext = nft_set_elem_ext(set, catchall->elem); - if (!nft_set_elem_expired(ext)) + if (!__nft_set_elem_expired(ext, tstamp)) continue; gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); @@ -10138,6 +10139,7 @@ static bool nf_tables_valid_genid(struct net *net, u32 genid) bool genid_ok; mutex_lock(&nft_net->commit_mutex); + nft_net->tstamp = get_jiffies_64(); genid_ok = genid == 0 || nft_net->base_seq == genid; if (!genid_ok) diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 2013de934cef..1fd3b413350d 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -35,6 +35,7 @@ struct nft_rhash_cmp_arg { const struct nft_set *set; const u32 *key; u8 genmask; + u64 tstamp; }; static inline u32 nft_rhash_key(const void *data, u32 len, u32 seed) @@ -61,7 +62,7 @@ static inline int nft_rhash_cmp(struct rhashtable_compare_arg *arg, return 1; if (nft_set_elem_is_dead(&he->ext)) return 1; - if (nft_set_elem_expired(&he->ext)) + if (__nft_set_elem_expired(&he->ext, x->tstamp)) return 1; if (!nft_set_elem_active(&he->ext, x->genmask)) return 1; @@ -86,6 +87,7 @@ bool nft_rhash_lookup(const struct net *net, const struct nft_set *set, .genmask = nft_genmask_cur(net), .set = set, .key = key, + .tstamp = get_jiffies_64(), }; he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); @@ -104,6 +106,7 @@ static void *nft_rhash_get(const struct net *net, const struct nft_set *set, .genmask = nft_genmask_cur(net), .set = set, .key = elem->key.val.data, + .tstamp = get_jiffies_64(), }; he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); @@ -127,6 +130,7 @@ static bool nft_rhash_update(struct nft_set *set, const u32 *key, .genmask = NFT_GENMASK_ANY, .set = set, .key = key, + .tstamp = get_jiffies_64(), }; he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); @@ -170,6 +174,7 @@ static int nft_rhash_insert(const struct net *net, const struct nft_set *set, .genmask = nft_genmask_next(net), .set = set, .key = elem->key.val.data, + .tstamp = nft_net_tstamp(net), }; struct nft_rhash_elem *prev; @@ -212,6 +217,7 @@ static void *nft_rhash_deactivate(const struct net *net, .genmask = nft_genmask_next(net), .set = set, .key = elem->key.val.data, + .tstamp = nft_net_tstamp(net), }; rcu_read_lock(); diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index 2299ced939c4..a56ed216c223 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -504,6 +504,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, * @set: nftables API set representation * @data: Key data to be matched against existing elements * @genmask: If set, check that element is active in given genmask + * @tstamp: timestamp to check for expired elements * * This is essentially the same as the lookup function, except that it matches * key data against the uncommitted copy and doesn't use preallocated maps for @@ -513,7 +514,8 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, */ static struct nft_pipapo_elem *pipapo_get(const struct net *net, const struct nft_set *set, - const u8 *data, u8 genmask) + const u8 *data, u8 genmask, + u64 tstamp) { struct nft_pipapo_elem *ret = ERR_PTR(-ENOENT); struct nft_pipapo *priv = nft_set_priv(set); @@ -566,7 +568,7 @@ static struct nft_pipapo_elem *pipapo_get(const struct net *net, goto out; if (last) { - if (nft_set_elem_expired(&f->mt[b].e->ext)) + if (__nft_set_elem_expired(&f->mt[b].e->ext, tstamp)) goto next_match; if ((genmask && !nft_set_elem_active(&f->mt[b].e->ext, genmask))) @@ -603,7 +605,7 @@ static void *nft_pipapo_get(const struct net *net, const struct nft_set *set, const struct nft_set_elem *elem, unsigned int flags) { return pipapo_get(net, set, (const u8 *)elem->key.val.data, - nft_genmask_cur(net)); + nft_genmask_cur(net), get_jiffies_64()); } /** @@ -1197,6 +1199,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, struct nft_pipapo *priv = nft_set_priv(set); struct nft_pipapo_match *m = priv->clone; u8 genmask = nft_genmask_next(net); + u64 tstamp = nft_net_tstamp(net); struct nft_pipapo_field *f; const u8 *start_p, *end_p; int i, bsize_max, err = 0; @@ -1206,7 +1209,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, else end = start; - dup = pipapo_get(net, set, start, genmask); + dup = pipapo_get(net, set, start, genmask, tstamp); if (!IS_ERR(dup)) { /* Check if we already have the same exact entry */ const struct nft_data *dup_key, *dup_end; @@ -1228,7 +1231,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, if (PTR_ERR(dup) == -ENOENT) { /* Look for partially overlapping entries */ - dup = pipapo_get(net, set, end, nft_genmask_next(net)); + dup = pipapo_get(net, set, end, nft_genmask_next(net), tstamp); } if (PTR_ERR(dup) != -ENOENT) { @@ -1581,6 +1584,7 @@ static void pipapo_gc(const struct nft_set *_set, struct nft_pipapo_match *m) struct nft_set *set = (struct nft_set *) _set; struct nft_pipapo *priv = nft_set_priv(set); struct net *net = read_pnet(&set->net); + u64 tstamp = nft_net_tstamp(net); int rules_f0, first_rule = 0; struct nft_pipapo_elem *e; struct nft_trans_gc *gc; @@ -1615,7 +1619,7 @@ static void pipapo_gc(const struct nft_set *_set, struct nft_pipapo_match *m) /* synchronous gc never fails, there is no need to set on * NFT_SET_ELEM_DEAD_BIT. */ - if (nft_set_elem_expired(&e->ext)) { + if (__nft_set_elem_expired(&e->ext, tstamp)) { priv->dirty = true; gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC); @@ -1786,7 +1790,7 @@ static void *pipapo_deactivate(const struct net *net, const struct nft_set *set, { struct nft_pipapo_elem *e; - e = pipapo_get(net, set, data, nft_genmask_next(net)); + e = pipapo_get(net, set, data, nft_genmask_next(net), nft_net_tstamp(net)); if (IS_ERR(e)) return NULL; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index 5bf5572e945c..021d9e76129a 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -314,6 +314,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, struct nft_rbtree *priv = nft_set_priv(set); u8 cur_genmask = nft_genmask_cur(net); u8 genmask = nft_genmask_next(net); + u64 tstamp = nft_net_tstamp(net); int d; /* Descend the tree to search for an existing element greater than the @@ -361,7 +362,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, /* perform garbage collection to avoid bogus overlap reports * but skip new elements in this transaction. */ - if (nft_set_elem_expired(&rbe->ext) && + if (__nft_set_elem_expired(&rbe->ext, tstamp) && nft_set_elem_active(&rbe->ext, cur_genmask)) { const struct nft_rbtree_elem *removed_end; @@ -548,6 +549,7 @@ static void *nft_rbtree_deactivate(const struct net *net, const struct rb_node *parent = priv->root.rb_node; struct nft_rbtree_elem *rbe, *this = elem->priv; u8 genmask = nft_genmask_next(net); + u64 tstamp = nft_net_tstamp(net); int d; while (parent != NULL) { @@ -568,7 +570,7 @@ static void *nft_rbtree_deactivate(const struct net *net, nft_rbtree_interval_end(this)) { parent = parent->rb_right; continue; - } else if (nft_set_elem_expired(&rbe->ext)) { + } else if (__nft_set_elem_expired(&rbe->ext, tstamp)) { break; } else if (!nft_set_elem_active(&rbe->ext, genmask)) { parent = parent->rb_left; -- 2.30.2

1 year, 2 months

2
1
0 0

Re: Patch "mm: memblock: replace dereferences of memblock_region.nid with API calls" has been added to the 5.4-stable tree

by Mike Rapoport

Hi Sasha, On Wed, Jun 26, 2024 at 03:07:08PM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > mm: memblock: replace dereferences of memblock_region.nid with API calls > > to the 5.4-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > mm-memblock-replace-dereferences-of-memblock_region..patch > and it can be found in the queue-5.4 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit dd8d9169375a725cadd5e3635342a6e2d483cf4c > Author: Mike Rapoport <rppt(a)kernel.org> > Date: Wed Jun 3 15:56:53 2020 -0700 > > mm: memblock: replace dereferences of memblock_region.nid with API calls > > Stable-dep-of: 3ac36aa73073 ("x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node()") The commit 3ac36aa73073 shouldn't be backported to 5.4 or anything before 6.8 for that matter, I don't see a need to bring this in as well. > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/arch/arm64/mm/numa.c b/arch/arm64/mm/numa.c > index 53ebb4babf3a7..58c83c2b8748f 100644 > --- a/arch/arm64/mm/numa.c > +++ b/arch/arm64/mm/numa.c > @@ -354,13 +354,16 @@ static int __init numa_register_nodes(void) > struct memblock_region *mblk; > > /* Check that valid nid is set to memblks */ > - for_each_memblock(memory, mblk) > - if (mblk->nid == NUMA_NO_NODE || mblk->nid >= MAX_NUMNODES) { > + for_each_memblock(memory, mblk) { > + int mblk_nid = memblock_get_region_node(mblk); > + > + if (mblk_nid == NUMA_NO_NODE || mblk_nid >= MAX_NUMNODES) { > pr_warn("Warning: invalid memblk node %d [mem %#010Lx-%#010Lx]\n", > - mblk->nid, mblk->base, > + mblk_nid, mblk->base, > mblk->base + mblk->size - 1); > return -EINVAL; > } > + } > > /* Finally register nodes. */ > for_each_node_mask(nid, numa_nodes_parsed) { > diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c > index 7316dca7e846a..bd52ce954d59a 100644 > --- a/arch/x86/mm/numa.c > +++ b/arch/x86/mm/numa.c > @@ -502,8 +502,10 @@ static void __init numa_clear_kernel_node_hotplug(void) > * reserve specific pages for Sandy Bridge graphics. ] > */ > for_each_memblock(reserved, mb_region) { > - if (mb_region->nid != MAX_NUMNODES) > - node_set(mb_region->nid, reserved_nodemask); > + int nid = memblock_get_region_node(mb_region); > + > + if (nid != MAX_NUMNODES) > + node_set(nid, reserved_nodemask); > } > > /* > diff --git a/mm/memblock.c b/mm/memblock.c > index a75cc65f03307..d2d85d4d16b74 100644 > --- a/mm/memblock.c > +++ b/mm/memblock.c > @@ -1170,13 +1170,15 @@ void __init_memblock __next_mem_pfn_range(int *idx, int nid, > { > struct memblock_type *type = &memblock.memory; > struct memblock_region *r; > + int r_nid; > > while (++*idx < type->cnt) { > r = &type->regions[*idx]; > + r_nid = memblock_get_region_node(r); > > if (PFN_UP(r->base) >= PFN_DOWN(r->base + r->size)) > continue; > - if (nid == MAX_NUMNODES || nid == r->nid) > + if (nid == MAX_NUMNODES || nid == r_nid) > break; > } > if (*idx >= type->cnt) { > @@ -1189,7 +1191,7 @@ void __init_memblock __next_mem_pfn_range(int *idx, int nid, > if (out_end_pfn) > *out_end_pfn = PFN_DOWN(r->base + r->size); > if (out_nid) > - *out_nid = r->nid; > + *out_nid = r_nid; > } > > /** > @@ -1730,7 +1732,7 @@ int __init_memblock memblock_search_pfn_nid(unsigned long pfn, > *start_pfn = PFN_DOWN(type->regions[mid].base); > *end_pfn = PFN_DOWN(type->regions[mid].base + type->regions[mid].size); > > - return type->regions[mid].nid; > + return memblock_get_region_node(&type->regions[mid]); > } > #endif > > diff --git a/mm/page_alloc.c b/mm/page_alloc.c > index 0ad582945f54d..4a649111178cc 100644 > --- a/mm/page_alloc.c > +++ b/mm/page_alloc.c > @@ -7214,7 +7214,7 @@ static void __init find_zone_movable_pfns_for_nodes(void) > if (!memblock_is_hotpluggable(r)) > continue; > > - nid = r->nid; > + nid = memblock_get_region_node(r); > > usable_startpfn = PFN_DOWN(r->base); > zone_movable_pfn[nid] = zone_movable_pfn[nid] ? > @@ -7235,7 +7235,7 @@ static void __init find_zone_movable_pfns_for_nodes(void) > if (memblock_is_mirror(r)) > continue; > > - nid = r->nid; > + nid = memblock_get_region_node(r); > > usable_startpfn = memblock_region_memory_base_pfn(r); > -- Sincerely yours, Mike.

1 year, 2 months

2
3
0 0

Re: Patch "scsi: mpt3sas: Add ioc_<level> logging macros" has been added to the 4.19-stable tree

by Joe Perches

On Wed, 2024-06-26 at 15:07 -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > scsi: mpt3sas: Add ioc_<level> logging macros > > to the 4.19-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > scsi-mpt3sas-add-ioc_-level-logging-macros.patch > and it can be found in the queue-4.19 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. [] > Stable-dep-of: 4254dfeda82f ("scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory") Huh? This doesn't make sense as far as I can tell. > diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.h b/drivers/scsi/mpt3sas/mpt3sas_base.h [] > @@ -160,6 +160,15 @@ struct mpt3sas_nvme_cmd { > */ > #define MPT3SAS_FMT "%s: " > > +#define ioc_err(ioc, fmt, ...) \ > + pr_err("%s: " fmt, (ioc)->name, ##__VA_ARGS__) > +#define ioc_notice(ioc, fmt, ...) \ > + pr_notice("%s: " fmt, (ioc)->name, ##__VA_ARGS__) > +#define ioc_warn(ioc, fmt, ...) \ > + pr_warn("%s: " fmt, (ioc)->name, ##__VA_ARGS__) > +#define ioc_info(ioc, fmt, ...) \ > + pr_info("%s: " fmt, (ioc)->name, ##__VA_ARGS__) > + This only adds ioc_<level> macros and the nominal stable dep patch below doesn't use them. $ git log --stat -p -1 4254dfeda82f commit 4254dfeda82f20844299dca6c38cbffcfd499f41 Author: Breno Leitao <leitao(a)debian.org> Date: Wed Jun 5 01:55:29 2024 -0700 scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965 For full log, please look at [1]. Make the allocation at least the size of sizeof(unsigned long) so that set_bit() and test_bit() have sufficient room for read/write operations without overwriting unallocated memory. [1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/ Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check in IOCTL path") Cc: stable(a)vger.kernel.org Suggested-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Breno Leitao <leitao(a)debian.org> Link: https://lore.kernel.org/r/20240605085530.499432-1-leitao@debian.org Reviewed-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> --- drivers/scsi/mpt3sas/mpt3sas_base.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 258647fc6bddb..1092497563b22 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -8512,6 +8512,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc) ioc->pd_handles_sz = (ioc->facts.MaxDevHandle / 8); if (ioc->facts.MaxDevHandle % 8) ioc->pd_handles_sz++; + /* + * pd_handles_sz should have, at least, the minimal room for + * set_bit()/test_bit(), otherwise out-of-memory touch may occur. + */ + ioc->pd_handles_sz = ALIGN(ioc->pd_handles_sz, sizeof(unsigned long)); + ioc->pd_handles = kzalloc(ioc->pd_handles_sz, GFP_KERNEL); if (!ioc->pd_handles) { @@ -8529,6 +8535,13 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc) ioc->pend_os_device_add_sz = (ioc->facts.MaxDevHandle / 8); if (ioc->facts.MaxDevHandle % 8) ioc->pend_os_device_add_sz++; + + /* + * pend_os_device_add_sz should have, at least, the minimal room for + * set_bit()/test_bit(), otherwise out-of-memory may occur. + */ + ioc->pend_os_device_add_sz = ALIGN(ioc->pend_os_device_add_sz, + sizeof(unsigned long)); ioc->pend_os_device_add = kzalloc(ioc->pend_os_device_add_sz, GFP_KERNEL); if (!ioc->pend_os_device_add) { @@ -8820,6 +8833,12 @@ _base_check_ioc_facts_changes(struct MPT3SAS_ADAPTER *ioc) if (ioc->facts.MaxDevHandle % 8) pd_handles_sz++; + /* + * pd_handles should have, at least, the minimal room for + * set_bit()/test_bit(), otherwise out-of-memory touch may + * occur. + */ + pd_handles_sz = ALIGN(pd_handles_sz, sizeof(unsigned long)); pd_handles = krealloc(ioc->pd_handles, pd_handles_sz, GFP_KERNEL); if (!pd_handles) {

1 year, 2 months

2
1
0 0

[PATCH v2] Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591

by WangYuli

Add the support ID(0x13d3, 0x3591) to usb_device_id table for Realtek RTL8852BE. The device table is as follows: T: Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0 D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3591 Rev= 0.00 S: Manufacturer=Realtek S: Product=Bluetooth Radio S: SerialNumber=00e04c000001 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms Cc: stable(a)vger.kernel.org Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- drivers/bluetooth/btusb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 2d7d47f9d007..2d5c971a59ad 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -555,6 +555,8 @@ static const struct usb_device_id quirks_table[] = { BTUSB_WIDEBAND_SPEECH }, { USB_DEVICE(0x13d3, 0x3572), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x13d3, 0x3591), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, { USB_DEVICE(0x0489, 0xe125), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, -- 2.45.2

1 year, 2 months

2
1
0 0

[PATCH v7 3/3] firmware: qcom_scm: Mark get_wq_ctx() as atomic call

by Unnathi Chalicheemala

From: Murali Nalajala <quic_mnalajal(a)quicinc.com> Currently get_wq_ctx() is wrongly configured as a standard call. When two SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to resume the corresponding sleeping thread. But if get_wq_ctx() is interrupted, goes to sleep and another SMC call is waiting to be allocated a waitq context, it leads to a deadlock. To avoid this get_wq_ctx() must be an atomic call and can't be a standard SMC call. Hence mark get_wq_ctx() as a fast call. Fixes: 6bf325992236 ("firmware: qcom: scm: Add wait-queue handling logic") Cc: stable(a)vger.kernel.org Signed-off-by: Murali Nalajala <quic_mnalajal(a)quicinc.com> Signed-off-by: Unnathi Chalicheemala <quic_uchalich(a)quicinc.com> --- drivers/firmware/qcom/qcom_scm-smc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/qcom/qcom_scm-smc.c b/drivers/firmware/qcom/qcom_scm-smc.c index 16cf88acfa8e..0a2a2c794d0e 100644 --- a/drivers/firmware/qcom/qcom_scm-smc.c +++ b/drivers/firmware/qcom/qcom_scm-smc.c @@ -71,7 +71,7 @@ int scm_get_wq_ctx(u32 *wq_ctx, u32 *flags, u32 *more_pending) struct arm_smccc_res get_wq_res; struct arm_smccc_args get_wq_ctx = {0}; - get_wq_ctx.args[0] = ARM_SMCCC_CALL_VAL(ARM_SMCCC_STD_CALL, + get_wq_ctx.args[0] = ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL, ARM_SMCCC_SMC_64, ARM_SMCCC_OWNER_SIP, SCM_SMC_FNID(QCOM_SCM_SVC_WAITQ, QCOM_SCM_WAITQ_GET_WQ_CTX)); -- 2.34.1

1 year, 2 months

2
1
0 0

[PATCH] wifi: ath12k: Allow driver initialization for WoW unsupported devices

by Rameshkumar Sundaram

Currently during driver initialization, mac registration is allowed only for devices that advertise WMI_TLV_SERVICE_WOW, but QCN9274 doesn't support WoW and hence mac registration is aborted and driver is de-initialized. Allow mac registration to proceed without WoW Support for devices that don't advertise WMI_TLV_SERVICE_WOW. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 Cc: stable(a)vger.kernel.org Fixes: 4a3c212eee0e ("wifi: ath12k: add basic WoW functionalities") Signed-off-by: Rameshkumar Sundaram <quic_ramess(a)quicinc.com> --- drivers/net/wireless/ath/ath12k/wow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/wow.c b/drivers/net/wireless/ath/ath12k/wow.c index 685e8e98d845..c5cba825a84a 100644 --- a/drivers/net/wireless/ath/ath12k/wow.c +++ b/drivers/net/wireless/ath/ath12k/wow.c @@ -1001,8 +1001,8 @@ int ath12k_wow_op_resume(struct ieee80211_hw *hw) int ath12k_wow_init(struct ath12k *ar) { - if (WARN_ON(!test_bit(WMI_TLV_SERVICE_WOW, ar->wmi->wmi_ab->svc_map))) - return -EINVAL; + if (!test_bit(WMI_TLV_SERVICE_WOW, ar->wmi->wmi_ab->svc_map)) + return 0; ar->wow.wowlan_support = ath12k_wowlan_support; base-commit: dadc1101eabb54ace51aa6fc58c902bf43ac0ed7 -- 2.25.1

1 year, 2 months

3
5
0 0

[PATCH] riscv: entry: always initialize regs->a0 to -ENOSYS

by Celeste Liu

Otherwise when the tracer changes syscall number to -1, the kernel fails to initialize a0 with -ENOSYS and subsequently fails to return the error code of the failed syscall to userspace. For example, it will break strace syscall tampering. Fixes: 52449c17bdd1 ("riscv: entry: set a0 = -ENOSYS only when syscall != -1") Cc: stable(a)vger.kernel.org Signed-off-by: Celeste Liu <CoelacanthusHex(a)gmail.com> --- arch/riscv/kernel/traps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 05a16b1f0aee..51ebfd23e007 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -319,6 +319,7 @@ void do_trap_ecall_u(struct pt_regs *regs) regs->epc += 4; regs->orig_a0 = regs->a0; + regs->a0 = -ENOSYS; riscv_v_vstate_discard(regs); @@ -328,8 +329,7 @@ void do_trap_ecall_u(struct pt_regs *regs) if (syscall >= 0 && syscall < NR_syscalls) syscall_handler(regs, syscall); - else if (syscall != -1) - regs->a0 = -ENOSYS; + /* * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), * so the maximum stack offset is 1k bytes (10 bits). -- 2.45.2

1 year, 2 months

2
3
0 0

[PATCH 1/1] xhci: always resume roothubs if xHC was reset during resume

by Mathias Nyman

Usb device connect may not be detected after runtime resume if xHC is reset during resume. In runtime resume cases xhci_resume() will only resume roothubs if there are pending port events. If the xHC host is reset during runtime resume due to a Save/Restore Error (SRE) then these pending port events won't be detected as PORTSC change bits are not immediately set by host after reset. Unconditionally resume roothubs if xHC is reset during resume to ensure device connections are detected. Also return early with error code if starting xHC fails after reset. Issue was debugged and a similar solution suggested by Remi Pommarel. Using this instead as it simplifies future refactoring. Reported-by: Remi Pommarel <repk(a)triplefau.lt> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218987 Suggested-by: Remi Pommarel <repk(a)triplefau.lt> Tested-by: Remi Pommarel <repk(a)triplefau.lt> Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 37eb37b0affa..0a8cf6c17f82 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1125,10 +1125,20 @@ int xhci_resume(struct xhci_hcd *xhci, pm_message_t msg) xhci_dbg(xhci, "Start the secondary HCD\n"); retval = xhci_run(xhci->shared_hcd); } - + if (retval) + return retval; + /* + * Resume roothubs unconditionally as PORTSC change bits are not + * immediately visible after xHC reset + */ hcd->state = HC_STATE_SUSPENDED; - if (xhci->shared_hcd) + + if (xhci->shared_hcd) { xhci->shared_hcd->state = HC_STATE_SUSPENDED; + usb_hcd_resume_root_hub(xhci->shared_hcd); + } + usb_hcd_resume_root_hub(hcd); + goto done; } @@ -1152,7 +1162,6 @@ int xhci_resume(struct xhci_hcd *xhci, pm_message_t msg) xhci_dbc_resume(xhci); - done: if (retval == 0) { /* * Resume roothubs only if there are pending events. @@ -1178,6 +1187,7 @@ int xhci_resume(struct xhci_hcd *xhci, pm_message_t msg) usb_hcd_resume_root_hub(hcd); } } +done: /* * If system is subject to the Quirk, Compliance Mode Timer needs to * be re-initialized Always after a system resume. Ports are subject -- 2.25.1

1 year, 2 months

1
0
0 0

[PATCH v7] usb: dwc3: core: Workaround for CSR read timeout

by joswang

From: Jos Wang <joswang(a)lenovo.com> This is a workaround for STAR 4846132, which only affects DWC_usb31 version2.00a operating in host mode. There is a problem in DWC_usb31 version 2.00a operating in host mode that would cause a CSR read timeout When CSR read coincides with RAM Clock Gating Entry. By disable Clock Gating, sacrificing power consumption for normal operation. Cc: stable(a)vger.kernel.org Signed-off-by: Jos Wang <joswang(a)lenovo.com> --- v6 -> v7: code no change. Just add the v4->v5 and v5->v6 version difference description v5 -> v6: code no change. however, there were two v5 patches, which confused the reviewers, so a v6 version was submitted. v4 -> v5: code no change. Patches "1/3" and "2/3" of the patch series are under review, this patch is submitted independently. v3 -> v4: modify commit message, add Cc: stable(a)vger.kernel.org v2 -> v3: - code refactor - modify comment, add STAR number, workaround applied in host mode - modify commit message, add STAR number, workaround applied in host mode - modify Author Jos Wang v1 -> v2: code no change. Add other case patches to the patch series drivers/usb/dwc3/core.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 7ee61a89520b..2a3adc80fe0f 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -957,12 +957,16 @@ static bool dwc3_core_is_valid(struct dwc3 *dwc) static void dwc3_core_setup_global_control(struct dwc3 *dwc) { + unsigned int power_opt; + unsigned int hw_mode; u32 reg; reg = dwc3_readl(dwc->regs, DWC3_GCTL); reg &= ~DWC3_GCTL_SCALEDOWN_MASK; + hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0); + power_opt = DWC3_GHWPARAMS1_EN_PWROPT(dwc->hwparams.hwparams1); - switch (DWC3_GHWPARAMS1_EN_PWROPT(dwc->hwparams.hwparams1)) { + switch (power_opt) { case DWC3_GHWPARAMS1_EN_PWROPT_CLK: /** * WORKAROUND: DWC3 revisions between 2.10a and 2.50a have an @@ -995,6 +999,20 @@ static void dwc3_core_setup_global_control(struct dwc3 *dwc) break; } + /* + * This is a workaround for STAR#4846132, which only affects + * DWC_usb31 version2.00a operating in host mode. + * + * There is a problem in DWC_usb31 version 2.00a operating + * in host mode that would cause a CSR read timeout When CSR + * read coincides with RAM Clock Gating Entry. By disable + * Clock Gating, sacrificing power consumption for normal + * operation. + */ + if (power_opt != DWC3_GHWPARAMS1_EN_PWROPT_NO && + hw_mode != DWC3_GHWPARAMS0_MODE_GADGET && DWC3_VER_IS(DWC31, 200A)) + reg |= DWC3_GCTL_DSBLCLKGTNG; + /* check if current dwc3 is on simulation board */ if (dwc->hwparams.hwparams6 & DWC3_GHWPARAMS6_EN_FPGA) { dev_info(dwc->dev, "Running with FPGA optimizations\n"); -- 2.17.1

1 year, 2 months

3
11
0 0

[PATCH 1/4] drm/vmwgfx: Fix a deadlock in dma buf fence polling

by Zack Rusin

Introduce a version of the fence ops that on release doesn't remove the fence from the pending list, and thus doesn't require a lock to fix poll->fence wait->fence unref deadlocks. vmwgfx overwrites the wait callback to iterate over the list of all fences and update their status, to do that it holds a lock to prevent the list modifcations from other threads. The fence destroy callback both deletes the fence and removes it from the list of pending fences, for which it holds a lock. dma buf polling cb unrefs a fence after it's been signaled: so the poll calls the wait, which signals the fences, which are being destroyed. The destruction tries to acquire the lock on the pending fences list which it can never get because it's held by the wait from which it was called. Old bug, but not a lot of userspace apps were using dma-buf polling interfaces. Fix those, in particular this fixes KDE stalls/deadlock. Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Fixes: 2298e804e96e ("drm/vmwgfx: rework to new fence interface, v2") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.2+ --- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c index 5efc6a766f64..76971ef7801a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c @@ -32,7 +32,6 @@ #define VMW_FENCE_WRAP (1 << 31) struct vmw_fence_manager { - int num_fence_objects; struct vmw_private *dev_priv; spinlock_t lock; struct list_head fence_list; @@ -120,16 +119,23 @@ static void vmw_fence_goal_write(struct vmw_private *vmw, u32 value) * objects with actions attached to them. */ -static void vmw_fence_obj_destroy(struct dma_fence *f) +static void vmw_fence_obj_destroy_removed(struct dma_fence *f) { struct vmw_fence_obj *fence = container_of(f, struct vmw_fence_obj, base); + WARN_ON(!list_empty(&fence->head)); + fence->destroy(fence); +} + +static void vmw_fence_obj_destroy(struct dma_fence *f) +{ + struct vmw_fence_obj *fence = + container_of(f, struct vmw_fence_obj, base); struct vmw_fence_manager *fman = fman_from_fence(fence); spin_lock(&fman->lock); list_del_init(&fence->head); - --fman->num_fence_objects; spin_unlock(&fman->lock); fence->destroy(fence); } @@ -257,6 +263,13 @@ static const struct dma_fence_ops vmw_fence_ops = { .release = vmw_fence_obj_destroy, }; +static const struct dma_fence_ops vmw_fence_ops_removed = { + .get_driver_name = vmw_fence_get_driver_name, + .get_timeline_name = vmw_fence_get_timeline_name, + .enable_signaling = vmw_fence_enable_signaling, + .wait = vmw_fence_wait, + .release = vmw_fence_obj_destroy_removed, +}; /* * Execute signal actions on fences recently signaled. @@ -355,7 +368,6 @@ static int vmw_fence_obj_init(struct vmw_fence_manager *fman, goto out_unlock; } list_add_tail(&fence->head, &fman->fence_list); - ++fman->num_fence_objects; out_unlock: spin_unlock(&fman->lock); @@ -403,7 +415,7 @@ static bool vmw_fence_goal_new_locked(struct vmw_fence_manager *fman, u32 passed_seqno) { u32 goal_seqno; - struct vmw_fence_obj *fence; + struct vmw_fence_obj *fence, *next_fence; if (likely(!fman->seqno_valid)) return false; @@ -413,7 +425,7 @@ static bool vmw_fence_goal_new_locked(struct vmw_fence_manager *fman, return false; fman->seqno_valid = false; - list_for_each_entry(fence, &fman->fence_list, head) { + list_for_each_entry_safe(fence, next_fence, &fman->fence_list, head) { if (!list_empty(&fence->seq_passed_actions)) { fman->seqno_valid = true; vmw_fence_goal_write(fman->dev_priv, @@ -471,6 +483,7 @@ static void __vmw_fences_update(struct vmw_fence_manager *fman) rerun: list_for_each_entry_safe(fence, next_fence, &fman->fence_list, head) { if (seqno - fence->base.seqno < VMW_FENCE_WRAP) { + fence->base.ops = &vmw_fence_ops_removed; list_del_init(&fence->head); dma_fence_signal_locked(&fence->base); INIT_LIST_HEAD(&action_list); @@ -662,6 +675,7 @@ void vmw_fence_fifo_down(struct vmw_fence_manager *fman) VMW_FENCE_WAIT_TIMEOUT); if (unlikely(ret != 0)) { + fence->base.ops = &vmw_fence_ops_removed; list_del_init(&fence->head); dma_fence_signal(&fence->base); INIT_LIST_HEAD(&action_list); -- 2.40.1

1 year, 2 months

2
1
0 0

Linux 6.9.7

by Greg Kroah-Hartman

I'm announcing the release of the 6.9.7 kernel. All users of the 6.9 kernel series must upgrade. The updated 6.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.9.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/dma/fsl,edma.yaml | 4 Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml | 2 Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 Makefile | 2 arch/arm/boot/dts/nxp/imx/imx53-qsb-common.dtsi | 2 arch/arm/boot/dts/nxp/imx/imx53-qsb-hdmi.dtso | 6 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 3 arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 arch/arm64/boot/dts/freescale/imx93-11x11-evk.dts | 1 arch/arm64/configs/defconfig | 1 arch/arm64/include/asm/sysreg.h | 24 - arch/arm64/kvm/vgic/vgic-init.c | 2 arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 arch/arm64/kvm/vgic/vgic.h | 2 arch/csky/kernel/probes/ftrace.c | 3 arch/loongarch/Kconfig | 5 arch/loongarch/Kconfig.debug | 1 arch/loongarch/include/asm/hw_breakpoint.h | 4 arch/loongarch/kernel/ftrace_dyn.c | 3 arch/loongarch/kernel/hw_breakpoint.c | 96 ++-- arch/loongarch/kernel/ptrace.c | 47 +- arch/mips/bmips/setup.c | 3 arch/mips/include/asm/mipsmtregs.h | 2 arch/mips/pci/ops-rc32434.c | 4 arch/mips/pci/pcie-octeon.c | 6 arch/parisc/kernel/ftrace.c | 3 arch/powerpc/crypto/.gitignore | 2 arch/powerpc/include/asm/hvcall.h | 8 arch/powerpc/include/asm/io.h | 24 - arch/powerpc/kernel/kprobes-ftrace.c | 3 arch/riscv/kernel/probes/ftrace.c | 3 arch/s390/kernel/ftrace.c | 3 arch/x86/include/asm/cpu_device_id.h | 98 ++++ arch/x86/include/asm/efi.h | 1 arch/x86/kernel/cpu/match.c | 4 arch/x86/kernel/cpu/resctrl/monitor.c | 3 arch/x86/kernel/kprobes/ftrace.c | 3 arch/x86/kvm/x86.c | 9 arch/x86/platform/efi/memmap.c | 12 block/ioctl.c | 2 drivers/acpi/acpica/acevents.h | 4 drivers/acpi/acpica/evregion.c | 6 drivers/acpi/acpica/evxfregn.c | 54 ++ drivers/acpi/acpica/exregion.c | 23 - drivers/acpi/ec.c | 28 - drivers/acpi/internal.h | 5 drivers/acpi/mipi-disco-img.c | 28 - drivers/acpi/resource.c | 13 drivers/acpi/video_detect.c | 8 drivers/acpi/x86/utils.c | 20 drivers/ata/ahci.c | 8 drivers/block/nbd.c | 34 - drivers/bluetooth/ath3k.c | 25 - drivers/cpufreq/amd-pstate.c | 7 drivers/crypto/hisilicon/qm.c | 5 drivers/crypto/hisilicon/sec2/sec_crypto.c | 4 drivers/cxl/core/pci.c | 29 + drivers/cxl/cxl.h | 2 drivers/cxl/pci.c | 22 + drivers/dma/Kconfig | 2 drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 drivers/dma/dw-axi-dmac/dw-axi-dmac.h | 1 drivers/dma/idxd/irq.c | 4 drivers/dma/ioat/init.c | 55 +- drivers/dma/ti/k3-udma-glue.c | 5 drivers/dma/xilinx/xdma.c | 4 drivers/firmware/efi/memmap.c | 9 drivers/firmware/psci/psci.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 66 +-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 23 - drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 72 +++ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h | 2 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 2 drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 2 drivers/gpu/drm/i915/display/intel_dp.c | 4 drivers/gpu/drm/lima/lima_bcast.c | 12 drivers/gpu/drm/lima/lima_bcast.h | 3 drivers/gpu/drm/lima/lima_gp.c | 8 drivers/gpu/drm/lima/lima_pp.c | 18 drivers/gpu/drm/lima/lima_sched.c | 9 drivers/gpu/drm/lima/lima_sched.h | 1 drivers/gpu/drm/radeon/sumo_dpm.c | 2 drivers/gpu/drm/xe/xe_guc.c | 4 drivers/hid/hid-asus.c | 51 +- drivers/hid/hid-ids.h | 1 drivers/hid/hid-multitouch.c | 6 drivers/i2c/busses/i2c-imx-lpi2c.c | 19 drivers/i2c/busses/i2c-ocores.c | 2 drivers/infiniband/hw/bnxt_re/bnxt_re.h | 4 drivers/infiniband/hw/mana/mr.c | 1 drivers/infiniband/hw/mlx5/main.c | 4 drivers/infiniband/hw/mlx5/mr.c | 8 drivers/infiniband/hw/mlx5/srq.c | 13 drivers/infiniband/sw/rxe/rxe_resp.c | 13 drivers/infiniband/sw/rxe/rxe_verbs.c | 2 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 drivers/media/pci/intel/ipu-bridge.c | 66 ++- drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 2 drivers/net/dsa/realtek/rtl8366rb.c | 87 ---- drivers/net/dsa/realtek/rtl83xx.c | 7 drivers/net/ethernet/amazon/ena/ena_eth_com.c | 37 + drivers/net/ethernet/amazon/ena/ena_netdev.c | 2 drivers/net/ethernet/amazon/ena/ena_regs_defs.h | 1 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 drivers/net/ethernet/intel/ice/ice_ddp.c | 23 - drivers/net/ethernet/intel/ice/ice_main.c | 10 drivers/net/ethernet/intel/ice/ice_switch.c | 6 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 drivers/net/ethernet/marvell/octeontx2/nic/Makefile | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 7 drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c | 2 drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 5 drivers/net/ethernet/microchip/lan743x_ethtool.c | 44 +- drivers/net/ethernet/microchip/lan743x_main.c | 48 +- drivers/net/ethernet/microchip/lan743x_main.h | 28 + drivers/net/ethernet/qualcomm/qca_debug.c | 6 drivers/net/ethernet/qualcomm/qca_spi.c | 16 drivers/net/ethernet/qualcomm/qca_spi.h | 3 drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 40 + drivers/net/phy/dp83tg720.c | 38 + drivers/net/phy/mxl-gpy.c | 58 +- drivers/net/phy/sfp.c | 21 drivers/net/usb/ax88179_178a.c | 18 drivers/net/usb/rtl8150.c | 3 drivers/net/virtio_net.c | 32 + drivers/net/wireless/ath/ath.h | 6 drivers/net/wireless/ath/ath12k/core.c | 1 drivers/net/wireless/ath/ath12k/mac.c | 16 drivers/net/wireless/ath/ath12k/qmi.c | 61 +- drivers/net/wireless/ath/ath12k/qmi.h | 2 drivers/net/wireless/ath/ath9k/main.c | 3 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 2 drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c | 2 drivers/net/wireless/mediatek/mt76/mt7921/sdio_mac.c | 2 drivers/net/wireless/mediatek/mt76/sdio.c | 3 drivers/net/wireless/realtek/rtw89/core.c | 18 drivers/net/wireless/realtek/rtw89/core.h | 10 drivers/net/wireless/realtek/rtw89/pci.c | 19 drivers/net/wireless/realtek/rtw89/pci.h | 5 drivers/net/wireless/realtek/rtw89/rtw8851be.c | 1 drivers/net/wireless/realtek/rtw89/rtw8852ae.c | 1 drivers/net/wireless/realtek/rtw89/rtw8852be.c | 1 drivers/net/wireless/realtek/rtw89/rtw8852ce.c | 23 + drivers/net/wireless/realtek/rtw89/rtw8922ae.c | 1 drivers/opp/core.c | 31 + drivers/pci/pci.c | 17 drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 189 +++++++- drivers/phy/qualcomm/phy-qcom-qmp-pcs-v6-n4.h | 32 + drivers/phy/qualcomm/phy-qcom-qmp-qserdes-txrx-v6_n4.h | 13 drivers/phy/qualcomm/phy-qcom-qmp.h | 2 drivers/platform/chrome/cros_usbpd_logger.c | 9 drivers/platform/chrome/cros_usbpd_notify.c | 9 drivers/platform/x86/p2sb.c | 29 - drivers/platform/x86/toshiba_acpi.c | 36 + drivers/platform/x86/x86-android-tablets/core.c | 8 drivers/platform/x86/x86-android-tablets/dmi.c | 18 drivers/platform/x86/x86-android-tablets/lenovo.c | 216 ++++++++++ drivers/platform/x86/x86-android-tablets/x86-android-tablets.h | 1 drivers/pmdomain/core.c | 10 drivers/power/supply/cros_usbpd-charger.c | 11 drivers/ptp/ptp_sysfs.c | 3 drivers/regulator/bd71815-regulator.c | 2 drivers/regulator/core.c | 1 drivers/scsi/qedi/qedi_debugfs.c | 12 drivers/scsi/sd.c | 4 drivers/spi/spi-cs42l43.c | 2 drivers/spi/spi-imx.c | 14 drivers/spi/spi-stm32-qspi.c | 12 drivers/spi/spi.c | 10 drivers/ssb/main.c | 4 drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c | 3 drivers/thermal/mediatek/lvts_thermal.c | 6 drivers/thermal/thermal_core.c | 6 drivers/tty/serial/8250/8250_dw.c | 27 + drivers/tty/serial/8250/8250_dwlib.h | 32 - drivers/tty/serial/8250/8250_exar.c | 42 + drivers/tty/serial/imx.c | 7 drivers/tty/tty_ldisc.c | 6 drivers/tty/vt/vt.c | 10 drivers/ufs/core/ufshcd.c | 1 drivers/usb/dwc3/dwc3-pci.c | 8 drivers/usb/gadget/function/f_hid.c | 6 drivers/usb/gadget/function/f_printer.c | 6 drivers/usb/gadget/function/rndis.c | 4 drivers/usb/gadget/function/uvc_configfs.c | 14 drivers/usb/host/xhci-pci.c | 15 drivers/usb/host/xhci-rcar.c | 6 drivers/usb/host/xhci-ring.c | 15 drivers/usb/host/xhci.h | 4 drivers/usb/misc/uss720.c | 20 drivers/usb/storage/scsiglue.c | 6 drivers/usb/storage/uas.c | 7 drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 10 drivers/usb/typec/ucsi/ucsi_glink.c | 22 - drivers/vfio/pci/vfio_pci_core.c | 78 ++- fs/btrfs/bio.c | 4 fs/btrfs/block-group.c | 11 fs/ext4/mballoc.c | 4 fs/ext4/super.c | 22 - fs/ext4/sysfs.c | 24 - fs/ext4/xattr.c | 113 ++--- fs/f2fs/node.c | 12 fs/f2fs/super.c | 12 fs/fs-writeback.c | 7 fs/ocfs2/journal.c | 192 ++++---- fs/ocfs2/ocfs2.h | 27 + fs/ocfs2/super.c | 4 fs/overlayfs/export.c | 6 fs/smb/client/cifsfs.c | 2 fs/udf/udftime.c | 11 include/acpi/acpixf.h | 4 include/linux/bpf_verifier.h | 2 include/linux/cpuset.h | 3 include/linux/kcov.h | 2 include/linux/kprobes.h | 7 include/linux/lsm_hook_defs.h | 2 include/linux/mod_devicetable.h | 2 include/linux/pagemap.h | 4 include/linux/pci.h | 7 include/linux/pm_domain.h | 6 include/linux/security.h | 5 include/linux/tty_driver.h | 8 include/net/netns/netfilter.h | 3 include/net/sch_generic.h | 1 include/scsi/scsi_devinfo.h | 4 io_uring/rsrc.c | 1 io_uring/sqpoll.c | 8 kernel/auditfilter.c | 5 kernel/bpf/lpm_trie.c | 13 kernel/bpf/verifier.c | 14 kernel/cgroup/cpuset.c | 141 ++---- kernel/cpu.c | 48 -- kernel/gcov/gcc_4_7.c | 4 kernel/kcov.c | 1 kernel/kprobes.c | 6 kernel/padata.c | 8 kernel/power/process.c | 2 kernel/rcu/rcutorture.c | 16 kernel/time/clocksource.c | 42 - kernel/trace/Kconfig | 4 kernel/trace/ftrace.c | 1 kernel/trace/preemptirq_delay_test.c | 1 lib/ubsan.h | 41 + mm/huge_memory.c | 28 - mm/memcontrol.c | 3 mm/page_table_check.c | 11 mm/shmem.c | 2 net/batman-adv/originator.c | 2 net/core/drop_monitor.c | 20 net/core/filter.c | 5 net/core/net_namespace.c | 9 net/core/netdev-genl.c | 16 net/core/netpoll.c | 2 net/core/sock.c | 3 net/devlink/core.c | 6 net/ipv4/cipso_ipv4.c | 12 net/ipv4/tcp_ao.c | 6 net/ipv4/tcp_input.c | 1 net/ipv6/route.c | 4 net/ipv6/seg6_local.c | 8 net/ipv6/xfrm6_policy.c | 8 net/mac80211/driver-ops.c | 17 net/mac80211/iface.c | 22 - net/mac80211/util.c | 2 net/netfilter/core.c | 13 net/netfilter/ipset/ip_set_core.c | 11 net/netfilter/nf_conntrack_standalone.c | 15 net/netfilter/nf_hooks_lwtunnel.c | 67 +++ net/netfilter/nf_internals.h | 6 net/netrom/nr_timer.c | 3 net/packet/af_packet.c | 26 - net/sched/act_api.c | 3 net/sched/act_ct.c | 16 net/sched/sch_api.c | 1 net/sched/sch_generic.c | 4 net/sched/sch_htb.c | 22 - net/tipc/node.c | 1 security/apparmor/audit.c | 6 security/apparmor/include/audit.h | 2 security/integrity/ima/ima.h | 2 security/integrity/ima/ima_policy.c | 15 security/security.c | 6 security/selinux/include/audit.h | 4 security/selinux/ss/services.c | 5 security/smack/smack_lsm.c | 4 sound/core/seq/seq_ump_convert.c | 2 sound/hda/intel-dsp-config.c | 2 sound/pci/hda/cs35l41_hda.c | 6 sound/pci/hda/cs35l56_hda.c | 4 sound/pci/hda/patch_realtek.c | 15 sound/pci/hda/tas2781_hda_i2c.c | 4 sound/soc/intel/boards/sof_sdw.c | 18 tools/arch/arm64/include/asm/sysreg.h | 24 - tools/testing/selftests/arm64/tags/tags_test.c | 4 tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c | 26 - tools/testing/selftests/bpf/progs/verifier_global_subprogs.c | 7 tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 tools/testing/selftests/net/cmsg_sender.c | 20 tools/testing/selftests/net/mptcp/userspace_pm.sh | 46 +- tools/testing/selftests/net/openvswitch/openvswitch.sh | 2 virt/kvm/guest_memfd.c | 5 virt/kvm/kvm_main.c | 5 307 files changed, 3153 insertions(+), 1396 deletions(-) Abel Vesa (3): phy: qcom-qmp: qserdes-txrx: Add missing registers offsets phy: qcom-qmp: pcs: Add missing v6 N4 register offsets phy: qcom: qmp-combo: Switch from V6 to V6 N4 register offsets Adrian Hunter (1): clocksource: Make watchdog and suspend-timing multiplication overflow safe Ajrat Makhmutov (1): ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM Aleksandr Aprelkov (1): iommu/arm-smmu-v3: Free MSIs in case of ENOMEM Aleksandr Nogikh (1): kcov: don't lose track of remote references during softirqs Alessandro Carminati (Red Hat) (1): selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Alex Deucher (2): drm/radeon: fix UBSAN warning in kv_dpm.c drm/amdgpu: fix UBSAN warning in kv_dpm.c Alex Henrie (1): usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Alex Williamson (1): vfio/pci: Collect hot-reset devices to local buffer Alexander Stein (1): i2c: lpi2c: Avoid calling clk_get_rate during transfer Alexei Starovoitov (1): bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie. Amit Kumar Mahapatra (1): spi: Fix SPI slave probe failure Andrew Ballance (1): hid: asus: asus_report_fixup: fix potential read out of bounds Andy Chi (1): ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11. Andy Shevchenko (1): serial: 8250_dw: Revert "Move definitions to the shared header" Ard Biesheuvel (1): efi/x86: Free EFI memory map only when installing a new one. Arnd Bergmann (2): wifi: ath9k: work around memset overflow warning dmaengine: fsl-edma: avoid linking both modules Arvid Norlander (1): platform/x86: toshiba_acpi: Add quirk for buttons on Z830 Aryan Srivastava (1): net: mvpp2: use slab_build_skb for oversized frames Baochen Qiang (2): wifi: ath12k: fix kernel crash during resume wifi: ath12k: check M3 buffer size as well whey trying to reuse it Baokun Li (3): ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() ext4: avoid overflow when setting values via sysfs ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists() Baolin Wang (1): mm: shmem: fix getting incorrect lruvec when replacing a shmem folio Bart Van Assche (4): scsi: core: Introduce the BLIST_SKIP_IO_HINTS flag scsi: usb: uas: Do not query the IO Advice Hints Grouping mode page for USB/UAS devices nbd: Improve the documentation of the locking assumptions nbd: Fix signal handling Ben Fradella (1): platform/x86: p2sb: Don't init until unassigned resources have been assigned Biju Das (1): regulator: core: Fix modpost error "regulator_get_regmap" undefined Boris Burkov (1): btrfs: retry block group reclaim without infinite loop Breno Leitao (2): netpoll: Fix race condition in netpoll_owner_active KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Chao Yu (1): f2fs: fix to detect inconsistent nat entry during truncation Charles Keepax (1): spi: cs42l43: Correct SPI root clock speed Chenghai Huang (2): crypto: hisilicon/sec - Fix memory leak for sec resource release crypto: hisilicon/qm - Add the err memory release process to qm uninit Chenliang Li (1): io_uring/rsrc: fix incorrect assignment of iter->nr_segs in io_import_fixed Christian Marangi (1): mips: bmips: BCM6358: make sure CBR is correctly set Christophe JAILLET (1): usb: gadget: function: Remove usage of the deprecated ida_simple_xx() API Dan Carpenter (1): ptp: fix integer overflow in max_vclocks_store Daniel Borkmann (1): bpf: Fix reg_set_min_max corruption of fake_reg Daniel Golle (1): net: sfp: add quirk for ATS SFP-GE-T 1000Base-TX module Dave Jiang (1): cxl: Add post-reset warning if reset results in loss of previously committed HDM decoders Dave Martin (1): x86/resctrl: Don't try to free nonexistent RMIDs David Arinzon (1): net: ena: Add validation for completion descriptors consistency David Ruth (1): net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Davide Caratti (2): net/sched: fix false lockdep warning on qdisc root lock net/sched: unregister lockdep keys in qdisc_create/qdisc_alloc error path Dmitry Baryshkov (4): arm64: defconfig: select INTERCONNECT_QCOM_SM6115 as built-in usb: typec: ucsi_glink: rework quirks implementation usb: typec: ucsi_glink: drop special handling for CCI_BUSY usb: typec: qcom-pmic-typec: split HPD bridge alloc and registration Dmitry Safonov (1): net/tcp_ao: Don't leak ao_info on error-path Dustin L. Howett (1): ALSA: hda/realtek: Remove Framework Laptop 16 from quirks Edson Juliano Drosdeck (1): ALSA: hda/realtek: Limit mic boost on N14AP7 En-Wei Wu (1): ice: avoid IRQ collision to fix init failure on ACPI S3 resume Eric Dumazet (6): batman-adv: bypass empty buckets in batadv_purge_orig_ref() af_packet: avoid a false positive warning in packet_setsockopt() ipv6: prevent possible NULL deref in fib6_nh_init() ipv6: prevent possible NULL dereference in rt6_probe() xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() Erico Nunes (3): drm/lima: add mask irq callback to gp and pp drm/lima: include pp bcast irq in timeout handler check drm/lima: mask irqs in timeout path before hard reset Esben Haabendal (1): serial: imx: Introduce timeout when waiting on transmitter empty Fabio Estevam (1): arm64: dts: imx93-11x11-evk: Remove the 'no-sdio' property Florian Westphal (1): bpf: Avoid splat in pskb_pull_reason Frank Li (1): arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc Fullway Wang (1): media: mtk-vcodec: potential null pointer deference in SCP GUO Zihua (1): ima: Avoid blocking in RCU read-side critical section Gavrilov Ilia (1): netrom: Fix a memory leak in nr_heartbeat_expiry() Geetha sowjanya (1): octeontx2-pf: Fix linking objects into multiple modules Greg Kroah-Hartman (1): Linux 6.9.7 Grygorii Tertychnyi (1): i2c: ocores: set IACK bit after core is enabled Guenter Schafranek (1): ACPI: resource: Do IRQ override on GMxBGxx (XMG APEX 17 M23) Hans de Goede (5): ACPI: x86: Add PNP_UART1_SKIP quirk for Lenovo Blade2 tablets platform/x86: x86-android-tablets: Unregister devices in reverse order platform/x86: x86-android-tablets: Add Lenovo Yoga Tablet 2 Pro 1380F/L data usb: dwc3: pci: Don't set "linux,phy_charger_detect" property on Lenovo Yoga Tab2 1380 ACPI: scan: Ignore camera graph port nodes on all Dell Tiger, Alder and Raptor Lake models Heng Qi (2): virtio_net: checksum offloading handling fix virtio_net: fixing XDP for fully checksummed packets handling Herbert Xu (1): padata: Disable BH when taking works lock on MT path Honggang LI (2): RDMA/rxe: Fix responder length checking for UD request packets RDMA/rxe: Fix data copy for IB_SEND_INLINE Hui Li (3): LoongArch: Fix watchpoint setting error LoongArch: Trigger user-space watchpoints correctly LoongArch: Fix multiple hardware watchpoint issues Ignat Korchagin (1): net: do not leave a dangling sk pointer, when socket creation fails Ilpo Järvinen (2): PCI: Do not wait for disconnected devices when resuming MIPS: Routerboard 532: Fix vendor retry check code Jaegeuk Kim (1): f2fs: don't set RO when shutting down f2fs Jakub Kicinski (2): selftests: net: fix timestamp not arriving in cmsg_time.sh netdev-genl: fix error codes when outputting XDP features Jan Kara (1): ext4: do not create EA inode under buffer lock Jani Nikula (1): drm/i915/mso: using joiner is not possible with eDP MSO Jason Gunthorpe (3): RDMA/mlx5: Remove extra unlock on error path RDMA/mlx5: Follow rb_key.ats when creating new mkeys RDMA/mlx5: Ensure created mkeys always have a populated rb_key Jeff Johnson (1): tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Jens Axboe (1): io_uring/sqpoll: work around a potential audit memory leak Jian Wen (1): devlink: use kvzalloc() to allocate devlink instance resources Jianguo Wu (2): seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core Jiaxun Yang (1): MIPS: mipsmtregs: Fix target register for MFTC0 Joao Paulo Goncalves (1): arm64: dts: freescale: imx8mm-verdin: Fix GPU speed Joao Pinto (1): Avoid hw_desc array overrun in dw-axi-dmac Joel Slebodnick (1): scsi: ufs: core: Free memory allocated for model before reinit Johannes Berg (1): wifi: mac80211: fix monitor channel with chanctx emulation Johannes Thumshirn (1): btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes Jose E. Marchesi (1): bpf: avoid uninitialized warnings in verifier_global_subprogs.c Jose Ignacio Tornos Martinez (1): net: usb: ax88179_178a: improve reset check Joseph Qi (2): ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty() ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger() Jozsef Kadlecsik (1): netfilter: ipset: Fix suspicious rcu_dereference_protected() Julien Panis (1): thermal/drivers/mediatek/lvts_thermal: Return error in case of invalid efuse data Justin Stitt (1): block/ioctl: prefer different overflow check Kalle Niemi (1): regulator: bd71815: fix ramp values Kees Cook (1): ubsan: Avoid i386 UBSAN handler crashes with Clang Kemeng Shi (1): fs/writeback: bail out if there is no more inodes for IO and queued once Konstantin Taranov (1): RDMA/mana_ib: Ignore optional access flags for MRs Krzysztof Kozlowski (3): dt-bindings: dma: fsl-edma: fix dma-channels constraints dt-bindings: i2c: atmel,at91sam: correct path to i2c-controller schema dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema Kunwu Chan (1): kselftest: arm64: Add a null pointer check Leon Yen (1): wifi: mt76: mt7921s: fix potential hung tasks during chip recovery Li RongQing (1): dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Lingbo Kong (1): wifi: ath12k: fix the problem that down grade phy mode operation Linus Torvalds (3): tty: add the option to have a tty reject a new ldisc kprobe/ftrace: fix build error due to bad function definition Revert "mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default" Liu Ying (1): arm: dts: imx53-qsb-hdmi: Disable panel instead of deleting node Louis Chauvet (1): dmaengine: xilinx: xdma: Fix data synchronisation in xdma_channel_isr() Luiz Angelo Daros de Luca (2): net: dsa: realtek: keep default LED state in rtl8366rb net: dsa: realtek: do not assert reset on remove Luke D. Jones (1): HID: asus: fix more n-key report descriptors if n-key quirked Manish Rangankar (1): scsi: qedi: Fix crash while reading debugfs attribute Marc Kleine-Budde (1): spi: spi-imx: imx51: revert burst length calculation back to bits_per_word Marc Zyngier (1): KVM: arm64: Disassociate vcpus from redistributor region on teardown Marcin Szycik (1): ice: Fix VSI list rule with ICE_SW_LKUP_LAST type Marek Behún (1): net: sfp: enhance quirk for Fibrestore 2.5G copper SFP module Marek Vasut (1): arm64: dts: imx8mp: Fix TC9595 input clock on DH i.MX8M Plus DHCOM SoM Mario Limonciello (1): PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Martin Leung (1): drm/amd/display: revert Exit idle optimizations before HDCP execution Masami Hiramatsu (Google) (1): tracing: Build event generation tests only as modules Mathias Nyman (1): xhci: remove XHCI_TRUST_TX_LENGTH quirk Matthieu Baerts (NGI0) (1): selftests: mptcp: userspace_pm: fixed subtest names Max Krummenacher (1): arm64: dts: freescale: imx8mm-verdin: enable hysteresis on slow input pin Michael Ellerman (1): powerpc/io: Avoid clang null pointer arithmetic warnings Michael Grzeschik (1): usb: gadget: uvc: configfs: ensure guid to be valid before set Michael Strauss (1): drm/amd/display: Attempt to avoid empty TUs when endpoint is DPIA Michal Wajdeczko (1): drm/xe/vf: Don't touch GuC irq registers if using memory irqs Miklos Szeredi (1): ovl: fix encoding fid for lower only root Nathan Lynch (2): powerpc/pseries: Enforce hcall result buffer validity and size powerpc/crypto: Add generated P8 asm to .gitignore Nicholas Kazlauskas (2): drm/amd/display: Exit idle optimizations before HDCP execution drm/amd/display: Workaround register access in idle race with cursor Nikita Shubin (4): dmaengine: ioatdma: Fix leaking on version mismatch dmaengine: ioatdma: Fix error path in ioat3_dma_probe() dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() dmaengine: ioatdma: Fix missing kmem_cache_destroy() Niklas Cassel (1): ata: ahci: Do not enable LPM if no LPM states are supported by the HBA Oleksij Rempel (3): net: phy: dp83tg720: wake up PHYs in managed mode net: stmmac: Assign configured channel value to EXTTS event net: phy: dp83tg720: get master/slave configuration in link down state Oliver Neukum (1): net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Ondrej Mosnacek (1): cipso: fix total option length computation Pablo Caño (1): ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9 Paolo Bonzini (1): virt: guest_memfd: fix reference leak on hwpoisoned page Parker Newman (1): serial: exar: adding missing CTI and Exar PCI ids Patrice Chotard (2): spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup() spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4 Patrisious Haddad (1): RDMA/mlx5: Add check for srq max_sge attribute Paul E. McKenney (1): rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Paul Greenwalt (1): ice: fix 200G link speed message log Pavan Chebbi (1): bnxt_en: Restore PTP tx_avail count in case of skb_pad() error Peng Ma (1): cpufreq: amd-pstate: fix memory leak on CPU EPP exit Peter Oberparleiter (1): gcov: add support for GCC 14 Peter Ujfalusi (1): ALSA/hda: intel-dsp-config: Document AVS as dsp_driver option Peter Xu (1): mm/page_table_check: fix crash on ZONE_DEVICE Pierre-Louis Bossart (3): ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 ASoC: Intel: sof_sdw: add quirk for Dell SKU 0C0F ASoC: Intel: sof-sdw: really remove FOUR_SPEAKER quirk Ping-Ke Shih (1): wifi: rtw89: 8852c: add quirk to set PCI BER for certain platforms Rafael Aquini (1): mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default Rafael J. Wysocki (3): ACPI: EC: Install address space handler at the namespace root ACPI: EC: Evaluate orphan _REG under EC device thermal: core: Change PM notifier priority to the minimum Raju Lakkaraju (3): net: lan743x: disable WOL upon resume to restore full data path operation net: lan743x: Support WOL at both the PHY and MAC appropriately net: phy: mxl-gpy: Remove interrupt mask clearing from config_init Raju Rangoju (1): ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Ran Xiaokai (1): mm: huge_memory: fix misused mapping_large_folio_support() for anon folios Rand Deeb (1): ssb: Fix potential NULL pointer dereference in ssb_device_uevent() Remi Pommarel (1): wifi: mac80211: Recalc offload when monitor stop Ricardo Ribalda (1): media: intel/ipu6: Fix build with !ACPI Roman Li (1): drm/amd/display: Remove redundant idle optimization check Roman Smirnov (1): udf: udftime: prevent overflow in udf_disk_stamp_to_time() Sean Christopherson (1): KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes Sean O'Brien (1): HID: Add quirk for Logitech Casa touchpad Selvin Xavier (1): RDMA/bnxt_re: Fix the max msix vectors macro Shaul Triebitz (1): wifi: iwlwifi: mvm: fix ROC version check Shiqi Liu (1): arm64/sysreg: Update PIE permission encodings Siddharth Vadapalli (1): dmaengine: ti: k3-udma-glue: Fix of_k3_udma_glue_parse_chn_by_id() Simon Horman (2): selftests: openvswitch: Use bash as interpreter octeontx2-pf: Add error handling to VLAN unoffload handling Simon Trimmer (4): ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() ALSA: hda: cs35l56: Component should be unbound before deconstruction ALSA: hda: cs35l41: Component should be unbound before deconstruction ALSA: hda: tas2781: Component should be unbound before deconstruction Songyang Li (1): MIPS: Octeon: Add PCIe link status check Srinivas Pandruvada (1): thermal: int340x: processor_thermal: Support shared interrupts Stefan Binding (2): ALSA: hda/realtek: Add quirks for HP Omen models using CS35L41 ALSA: hda/realtek: Add quirks for Lenovo 13X Stefan Wahren (1): qca_spi: Make interrupt remembering atomic Stephen Brennan (1): kprobe/ftrace: bail out if ftrace was killed Steve French (1): cifs: fix typo in module parameter enable_gcm_256 Sudeep Holla (1): firmware: psci: Fix return value from psci_system_suspend() Takashi Iwai (2): ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 ALSA: seq: ump: Fix missing System Reset message handling Tamim Khan (1): ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MV Tim Harvey (1): arm64: dts: freescale: imx8mp-venice-gw73xx-2x: fix BT shutdown GPIO Tony Luck (2): x86/cpu/vfm: Add new macros to work with (vendor/family/model) values x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL Tzung-Bi Shih (3): platform/chrome: cros_usbpd_logger: provide ID table for avoiding fallback match platform/chrome: cros_usbpd_notify: provide ID table for avoiding fallback match power: supply: cros_usbpd: provide ID table for avoiding fallback match Uri Arev (1): Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Viresh Kumar (1): OPP: Fix required_opp_tables for multiple genpds using same table Waiman Long (1): cgroup/cpuset: Make cpuset hotplug processing synchronous Wander Lairson Costa (1): drop_monitor: replace spin_lock by raw_spin_lock Wojciech Drewek (1): ice: implement AQ download pkg retry Xi Ruoyao (1): LoongArch: Only allow OBJTOOL & ORC unwinder if toolchain supports -mthin-add-sub Xiaolei Wang (1): net: stmmac: No need to calculate speed divider when offload is disabled Xin Long (2): tipc: force a dst refcount before doing decryption sched: act_ct: add netns into the key of tcf_ct_flow_table Yishai Hadas (1): RDMA/mlx5: Fix unwind flow as part of mlx5_ib_stage_init_init Yonghong Song (1): selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Yue Haibing (1): netns: Make get_net_ns() handle zero refcount net Yunlei He (1): f2fs: remove clear SB_INLINECRYPT flag in default_options Yunxiang Li (1): drm/amdgpu: fix locking scope when flushing tlb Zqiang (2): rcutorture: Make stall-tasks directly exit when rcutorture tests end rcutorture: Fix invalid context warning when enable srcu barrier testing

1 year, 2 months

1
1
0 0

Linux 6.6.36

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.36 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/dma/fsl,edma.yaml | 4 Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml | 2 Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 Makefile | 2 arch/alpha/kernel/setup.c | 2 arch/alpha/kernel/sys_sio.c | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 4 arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 arch/arm64/boot/dts/freescale/imx93-11x11-evk.dts | 1 arch/arm64/configs/defconfig | 1 arch/arm64/kvm/vgic/vgic-init.c | 2 arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 arch/arm64/kvm/vgic/vgic.h | 2 arch/csky/kernel/probes/ftrace.c | 3 arch/ia64/kernel/setup.c | 6 arch/loongarch/include/asm/efi.h | 2 arch/loongarch/include/asm/hw_breakpoint.h | 4 arch/loongarch/kernel/ftrace_dyn.c | 3 arch/loongarch/kernel/head.S | 3 arch/loongarch/kernel/hw_breakpoint.c | 96 ++--- arch/loongarch/kernel/image-vars.h | 1 arch/loongarch/kernel/ptrace.c | 47 +- arch/loongarch/kernel/setup.c | 2 arch/loongarch/kernel/vmlinux.lds.S | 11 arch/mips/bmips/setup.c | 3 arch/mips/kernel/setup.c | 2 arch/mips/pci/ops-rc32434.c | 4 arch/mips/pci/pcie-octeon.c | 6 arch/mips/sibyte/swarm/setup.c | 2 arch/mips/sni/setup.c | 2 arch/parisc/kernel/ftrace.c | 3 arch/powerpc/include/asm/hvcall.h | 8 arch/powerpc/include/asm/io.h | 24 - arch/powerpc/kernel/kprobes-ftrace.c | 3 arch/riscv/kernel/probes/ftrace.c | 3 arch/riscv/kernel/setup.c | 11 arch/riscv/mm/init.c | 13 arch/s390/kernel/ftrace.c | 3 arch/x86/include/asm/cpu_device_id.h | 98 +++++ arch/x86/include/asm/efi.h | 1 arch/x86/kernel/cpu/match.c | 4 arch/x86/kernel/kprobes/ftrace.c | 3 arch/x86/kvm/x86.c | 9 arch/x86/platform/efi/memmap.c | 12 block/ioctl.c | 2 drivers/acpi/acpica/acevents.h | 4 drivers/acpi/acpica/evregion.c | 6 drivers/acpi/acpica/evxfregn.c | 54 ++ drivers/acpi/acpica/exregion.c | 23 - drivers/acpi/ec.c | 28 - drivers/acpi/internal.h | 1 drivers/acpi/video_detect.c | 8 drivers/acpi/x86/utils.c | 20 - drivers/block/nbd.c | 34 - drivers/bluetooth/ath3k.c | 25 - drivers/cpufreq/amd-pstate.c | 7 drivers/crypto/hisilicon/qm.c | 5 drivers/crypto/hisilicon/sec2/sec_crypto.c | 4 drivers/dma/Kconfig | 2 drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 drivers/dma/dw-axi-dmac/dw-axi-dmac.h | 1 drivers/dma/idxd/irq.c | 4 drivers/dma/ioat/init.c | 55 +- drivers/firmware/efi/libstub/loongarch-stub.c | 9 drivers/firmware/efi/libstub/loongarch-stub.h | 4 drivers/firmware/efi/libstub/loongarch.c | 8 drivers/firmware/efi/memmap.c | 9 drivers/firmware/psci/psci.c | 4 drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 2 drivers/gpu/drm/i915/display/intel_dp.c | 4 drivers/gpu/drm/lima/lima_bcast.c | 12 drivers/gpu/drm/lima/lima_bcast.h | 3 drivers/gpu/drm/lima/lima_gp.c | 8 drivers/gpu/drm/lima/lima_pp.c | 18 drivers/gpu/drm/lima/lima_sched.c | 7 drivers/gpu/drm/lima/lima_sched.h | 1 drivers/gpu/drm/radeon/sumo_dpm.c | 2 drivers/hid/hid-asus.c | 51 +- drivers/hid/hid-ids.h | 1 drivers/hid/hid-multitouch.c | 6 drivers/i2c/busses/i2c-ocores.c | 2 drivers/infiniband/hw/bnxt_re/bnxt_re.h | 4 drivers/infiniband/hw/mana/mr.c | 1 drivers/infiniband/hw/mlx5/main.c | 4 drivers/infiniband/hw/mlx5/mr.c | 5 drivers/infiniband/hw/mlx5/srq.c | 13 drivers/infiniband/sw/rxe/rxe_resp.c | 13 drivers/infiniband/sw/rxe/rxe_verbs.c | 2 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 drivers/media/pci/intel/ipu-bridge.c | 66 ++- drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 2 drivers/net/dsa/realtek/rtl8366rb.c | 87 +--- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 drivers/net/ethernet/intel/ice/ice_main.c | 7 drivers/net/ethernet/intel/ice/ice_switch.c | 6 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 drivers/net/ethernet/marvell/octeontx2/nic/Makefile | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 7 drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c | 2 drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 5 drivers/net/ethernet/microchip/lan743x_ethtool.c | 44 ++ drivers/net/ethernet/microchip/lan743x_main.c | 48 ++ drivers/net/ethernet/microchip/lan743x_main.h | 28 + drivers/net/ethernet/qualcomm/qca_debug.c | 6 drivers/net/ethernet/qualcomm/qca_spi.c | 16 drivers/net/ethernet/qualcomm/qca_spi.h | 3 drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 40 +- drivers/net/phy/mxl-gpy.c | 58 +-- drivers/net/phy/sfp.c | 3 drivers/net/usb/ax88179_178a.c | 18 drivers/net/usb/rtl8150.c | 3 drivers/net/virtio_net.c | 32 + drivers/net/wireless/ath/ath.h | 6 drivers/net/wireless/ath/ath9k/main.c | 3 drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c | 2 drivers/net/wireless/mediatek/mt76/mt7921/sdio_mac.c | 2 drivers/net/wireless/mediatek/mt76/sdio.c | 3 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 9 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 drivers/pci/pci.c | 17 drivers/platform/x86/p2sb.c | 29 - drivers/platform/x86/toshiba_acpi.c | 36 + drivers/power/supply/cros_usbpd-charger.c | 11 drivers/ptp/ptp_sysfs.c | 3 drivers/regulator/bd71815-regulator.c | 2 drivers/regulator/core.c | 1 drivers/scsi/qedi/qedi_debugfs.c | 12 drivers/spi/spi-cs42l43.c | 2 drivers/spi/spi-imx.c | 14 drivers/spi/spi-stm32-qspi.c | 12 drivers/ssb/main.c | 4 drivers/thermal/mediatek/lvts_thermal.c | 6 drivers/tty/serial/8250/8250_dw.c | 27 + drivers/tty/serial/8250/8250_dwlib.h | 32 - drivers/tty/serial/8250/8250_exar.c | 42 ++ drivers/tty/serial/imx.c | 7 drivers/tty/tty_ldisc.c | 6 drivers/tty/vt/vt.c | 10 drivers/ufs/core/ufshcd.c | 1 drivers/usb/dwc3/dwc3-pci.c | 8 drivers/usb/gadget/function/f_hid.c | 6 drivers/usb/gadget/function/f_printer.c | 6 drivers/usb/gadget/function/rndis.c | 4 drivers/usb/gadget/function/uvc_configfs.c | 14 drivers/usb/misc/uss720.c | 20 - drivers/usb/typec/ucsi/ucsi_glink.c | 8 drivers/vfio/pci/vfio_pci_core.c | 78 ++-- fs/btrfs/bio.c | 4 fs/btrfs/block-group.c | 11 fs/ext4/mballoc.c | 4 fs/ext4/super.c | 22 - fs/ext4/sysfs.c | 24 - fs/f2fs/super.c | 12 fs/fs-writeback.c | 7 fs/ocfs2/acl.c | 4 fs/ocfs2/alloc.c | 6 fs/ocfs2/aops.c | 6 fs/ocfs2/dir.c | 9 fs/ocfs2/dlmfs/dlmfs.c | 4 fs/ocfs2/dlmglue.c | 29 - fs/ocfs2/file.c | 30 - fs/ocfs2/inode.c | 28 - fs/ocfs2/journal.c | 192 +++++----- fs/ocfs2/move_extents.c | 4 fs/ocfs2/namei.c | 18 fs/ocfs2/ocfs2.h | 27 + fs/ocfs2/refcounttree.c | 12 fs/ocfs2/super.c | 4 fs/ocfs2/xattr.c | 4 fs/overlayfs/export.c | 6 fs/smb/client/cifsfs.c | 2 fs/udf/udftime.c | 11 include/acpi/acpixf.h | 4 include/linux/atomic/atomic-arch-fallback.h | 6 include/linux/atomic/atomic-instrumented.h | 8 include/linux/atomic/atomic-long.h | 4 include/linux/kcov.h | 2 include/linux/kprobes.h | 7 include/linux/mod_devicetable.h | 2 include/linux/pci.h | 7 include/linux/tty_driver.h | 8 include/net/netns/netfilter.h | 3 include/net/sch_generic.h | 1 io_uring/rsrc.c | 1 io_uring/sqpoll.c | 8 kernel/gcov/gcc_4_7.c | 4 kernel/kcov.c | 1 kernel/kprobes.c | 6 kernel/padata.c | 8 kernel/rcu/rcutorture.c | 16 kernel/trace/Kconfig | 4 kernel/trace/ftrace.c | 1 kernel/trace/preemptirq_delay_test.c | 1 mm/page_table_check.c | 11 net/batman-adv/originator.c | 2 net/core/drop_monitor.c | 20 - net/core/filter.c | 5 net/core/net_namespace.c | 9 net/core/netpoll.c | 2 net/core/sock.c | 3 net/ipv4/cipso_ipv4.c | 12 net/ipv4/tcp_input.c | 1 net/ipv6/route.c | 4 net/ipv6/seg6_local.c | 8 net/ipv6/xfrm6_policy.c | 8 net/netfilter/core.c | 13 net/netfilter/ipset/ip_set_core.c | 11 net/netfilter/nf_conntrack_standalone.c | 15 net/netfilter/nf_hooks_lwtunnel.c | 67 +++ net/netfilter/nf_internals.h | 6 net/netrom/nr_timer.c | 3 net/packet/af_packet.c | 26 - net/sched/act_api.c | 66 ++- net/sched/act_ct.c | 16 net/sched/sch_api.c | 1 net/sched/sch_generic.c | 4 net/sched/sch_htb.c | 22 - net/tipc/node.c | 1 scripts/atomic/kerneldoc/sub_and_test | 2 sound/core/seq/seq_ump_convert.c | 2 sound/hda/intel-dsp-config.c | 2 sound/pci/hda/cs35l41_hda.c | 2 sound/pci/hda/cs35l56_hda.c | 4 sound/pci/hda/patch_realtek.c | 11 sound/pci/hda/tas2781_hda_i2c.c | 4 sound/soc/intel/boards/sof_sdw.c | 18 tools/perf/Documentation/perf-script.txt | 7 tools/perf/builtin-script.c | 24 - tools/testing/selftests/arm64/tags/tags_test.c | 4 tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c | 26 - tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 tools/testing/selftests/net/openvswitch/openvswitch.sh | 2 virt/kvm/kvm_main.c | 5 237 files changed, 1925 insertions(+), 992 deletions(-) Adrian Hunter (1): perf script: Show also errors for --insn-trace option Ajrat Makhmutov (1): ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM Aleksandr Aprelkov (1): iommu/arm-smmu-v3: Free MSIs in case of ENOMEM Aleksandr Nogikh (1): kcov: don't lose track of remote references during softirqs Alessandro Carminati (Red Hat) (1): selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Alex Deucher (2): drm/radeon: fix UBSAN warning in kv_dpm.c drm/amdgpu: fix UBSAN warning in kv_dpm.c Alex Henrie (1): usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Alex Williamson (1): vfio/pci: Collect hot-reset devices to local buffer Alexandre Ghiti (1): riscv: Don't use PGD entries for the linear mapping Andrew Ballance (1): hid: asus: asus_report_fixup: fix potential read out of bounds Andy Chi (1): ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11. Andy Shevchenko (1): serial: 8250_dw: Revert "Move definitions to the shared header" Ard Biesheuvel (1): efi/x86: Free EFI memory map only when installing a new one. Arnd Bergmann (3): wifi: ath9k: work around memset overflow warning dmaengine: fsl-edma: avoid linking both modules vgacon: rework screen_info #ifdef checks Arvid Norlander (1): platform/x86: toshiba_acpi: Add quirk for buttons on Z830 Aryan Srivastava (1): net: mvpp2: use slab_build_skb for oversized frames Baokun Li (3): ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() ext4: avoid overflow when setting values via sysfs ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists() Bart Van Assche (2): nbd: Improve the documentation of the locking assumptions nbd: Fix signal handling Ben Fradella (1): platform/x86: p2sb: Don't init until unassigned resources have been assigned Biju Das (1): regulator: core: Fix modpost error "regulator_get_regmap" undefined Boris Burkov (1): btrfs: retry block group reclaim without infinite loop Breno Leitao (2): netpoll: Fix race condition in netpoll_owner_active KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Carlos Llamas (1): locking/atomic: scripts: fix ${atomic}_sub_and_test() kerneldoc Changbin Du (1): perf: script: add raw|disasm arguments to --insn-trace option Charles Keepax (1): spi: cs42l43: Correct SPI root clock speed Chenghai Huang (2): crypto: hisilicon/sec - Fix memory leak for sec resource release crypto: hisilicon/qm - Add the err memory release process to qm uninit Chenliang Li (1): io_uring/rsrc: fix incorrect assignment of iter->nr_segs in io_import_fixed Christian Marangi (1): mips: bmips: BCM6358: make sure CBR is correctly set Christophe JAILLET (1): usb: gadget: function: Remove usage of the deprecated ida_simple_xx() API Dan Carpenter (1): ptp: fix integer overflow in max_vclocks_store Daniel Golle (1): net: sfp: add quirk for ATS SFP-GE-T 1000Base-TX module David Ruth (1): net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Davide Caratti (2): net/sched: fix false lockdep warning on qdisc root lock net/sched: unregister lockdep keys in qdisc_create/qdisc_alloc error path Dmitry Baryshkov (1): usb: typec: ucsi_glink: drop special handling for CCI_BUSY Dustin L. Howett (1): ALSA: hda/realtek: Remove Framework Laptop 16 from quirks Edson Juliano Drosdeck (1): ALSA: hda/realtek: Limit mic boost on N14AP7 En-Wei Wu (1): ice: avoid IRQ collision to fix init failure on ACPI S3 resume Eric Dumazet (6): batman-adv: bypass empty buckets in batadv_purge_orig_ref() af_packet: avoid a false positive warning in packet_setsockopt() ipv6: prevent possible NULL deref in fib6_nh_init() ipv6: prevent possible NULL dereference in rt6_probe() xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() Erico Nunes (2): drm/lima: add mask irq callback to gp and pp drm/lima: mask irqs in timeout path before hard reset Esben Haabendal (1): serial: imx: Introduce timeout when waiting on transmitter empty Fabio Estevam (1): arm64: dts: imx93-11x11-evk: Remove the 'no-sdio' property Florian Westphal (1): bpf: Avoid splat in pskb_pull_reason Frank Li (1): arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc Fullway Wang (1): media: mtk-vcodec: potential null pointer deference in SCP Gavrilov Ilia (1): netrom: Fix a memory leak in nr_heartbeat_expiry() Geetha sowjanya (1): octeontx2-pf: Fix linking objects into multiple modules Greg Kroah-Hartman (1): Linux 6.6.36 Grygorii Tertychnyi (1): i2c: ocores: set IACK bit after core is enabled Hans de Goede (2): ACPI: x86: Add PNP_UART1_SKIP quirk for Lenovo Blade2 tablets usb: dwc3: pci: Don't set "linux,phy_charger_detect" property on Lenovo Yoga Tab2 1380 Heng Qi (2): virtio_net: checksum offloading handling fix virtio_net: fixing XDP for fully checksummed packets handling Herbert Xu (1): padata: Disable BH when taking works lock on MT path Honggang LI (2): RDMA/rxe: Fix responder length checking for UD request packets RDMA/rxe: Fix data copy for IB_SEND_INLINE Hui Li (3): LoongArch: Fix watchpoint setting error LoongArch: Trigger user-space watchpoints correctly LoongArch: Fix multiple hardware watchpoint issues Ignat Korchagin (1): net: do not leave a dangling sk pointer, when socket creation fails Ilpo Järvinen (2): PCI: Do not wait for disconnected devices when resuming MIPS: Routerboard 532: Fix vendor retry check code Jaegeuk Kim (1): f2fs: don't set RO when shutting down f2fs Jani Nikula (1): drm/i915/mso: using joiner is not possible with eDP MSO Jason Gunthorpe (2): RDMA/mlx5: Remove extra unlock on error path RDMA/mlx5: Follow rb_key.ats when creating new mkeys Jeff Johnson (1): tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Jeff Layton (1): ocfs2: convert to new timestamp accessors Jens Axboe (1): io_uring/sqpoll: work around a potential audit memory leak Jianguo Wu (2): seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core Jiaxun Yang (1): LoongArch: Fix entry point in kernel image header Joao Pinto (1): Avoid hw_desc array overrun in dw-axi-dmac Joel Slebodnick (1): scsi: ufs: core: Free memory allocated for model before reinit Johannes Thumshirn (1): btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes Jose Ignacio Tornos Martinez (1): net: usb: ax88179_178a: improve reset check Joseph Qi (2): ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty() ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger() Jozsef Kadlecsik (1): netfilter: ipset: Fix suspicious rcu_dereference_protected() Julien Panis (1): thermal/drivers/mediatek/lvts_thermal: Return error in case of invalid efuse data Justin Stitt (1): block/ioctl: prefer different overflow check Kalle Niemi (1): regulator: bd71815: fix ramp values Kemeng Shi (1): fs/writeback: bail out if there is no more inodes for IO and queued once Konstantin Taranov (1): RDMA/mana_ib: Ignore optional access flags for MRs Krzysztof Kozlowski (3): dt-bindings: dma: fsl-edma: fix dma-channels constraints dt-bindings: i2c: atmel,at91sam: correct path to i2c-controller schema dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema Kunwu Chan (1): kselftest: arm64: Add a null pointer check Leon Yen (1): wifi: mt76: mt7921s: fix potential hung tasks during chip recovery Li RongQing (1): dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Linus Torvalds (3): tty: add the option to have a tty reject a new ldisc kprobe/ftrace: fix build error due to bad function definition Revert "mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default" Luiz Angelo Daros de Luca (1): net: dsa: realtek: keep default LED state in rtl8366rb Luke D. Jones (1): HID: asus: fix more n-key report descriptors if n-key quirked Manish Rangankar (1): scsi: qedi: Fix crash while reading debugfs attribute Marc Kleine-Budde (1): spi: spi-imx: imx51: revert burst length calculation back to bits_per_word Marc Zyngier (1): KVM: arm64: Disassociate vcpus from redistributor region on teardown Marcin Szycik (1): ice: Fix VSI list rule with ICE_SW_LKUP_LAST type Marek Vasut (2): arm64: dts: imx8mp: Fix TC9595 reset GPIO on DH i.MX8M Plus DHCOM SoM arm64: dts: imx8mp: Fix TC9595 input clock on DH i.MX8M Plus DHCOM SoM Mario Limonciello (1): PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Martin Kaiser (1): arm64: defconfig: enable the vf610 gpio driver Martin Kaistra (1): wifi: rtl8xxxu: enable MFP support with security flag of RX descriptor Martin Leung (1): drm/amd/display: revert Exit idle optimizations before HDCP execution Masami Hiramatsu (Google) (1): tracing: Build event generation tests only as modules Max Krummenacher (1): arm64: dts: freescale: imx8mm-verdin: enable hysteresis on slow input pin Michael Ellerman (1): powerpc/io: Avoid clang null pointer arithmetic warnings Michael Grzeschik (1): usb: gadget: uvc: configfs: ensure guid to be valid before set Miklos Szeredi (1): ovl: fix encoding fid for lower only root Nam Cao (1): riscv: force PAGE_SIZE linear mapping if debug_pagealloc is enabled Nathan Lynch (1): powerpc/pseries: Enforce hcall result buffer validity and size Nicholas Kazlauskas (1): drm/amd/display: Exit idle optimizations before HDCP execution Nikita Shubin (4): dmaengine: ioatdma: Fix leaking on version mismatch dmaengine: ioatdma: Fix error path in ioat3_dma_probe() dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() dmaengine: ioatdma: Fix missing kmem_cache_destroy() Oleksij Rempel (1): net: stmmac: Assign configured channel value to EXTTS event Oliver Neukum (1): net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Ondrej Mosnacek (1): cipso: fix total option length computation Pablo Caño (1): ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9 Parker Newman (1): serial: exar: adding missing CTI and Exar PCI ids Patrice Chotard (2): spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup() spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4 Patrisious Haddad (1): RDMA/mlx5: Add check for srq max_sge attribute Paul E. McKenney (1): rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Pavan Chebbi (1): bnxt_en: Restore PTP tx_avail count in case of skb_pad() error Pedro Tammela (1): net/sched: act_api: rely on rcu in tcf_idr_check_alloc Peng Ma (1): cpufreq: amd-pstate: fix memory leak on CPU EPP exit Peter Oberparleiter (1): gcov: add support for GCC 14 Peter Ujfalusi (1): ALSA/hda: intel-dsp-config: Document AVS as dsp_driver option Peter Xu (1): mm/page_table_check: fix crash on ZONE_DEVICE Pierre-Louis Bossart (3): ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 ASoC: Intel: sof_sdw: add quirk for Dell SKU 0C0F ASoC: Intel: sof-sdw: really remove FOUR_SPEAKER quirk Rafael Aquini (1): mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default Rafael J. Wysocki (2): ACPI: EC: Install address space handler at the namespace root ACPI: EC: Evaluate orphan _REG under EC device Raju Lakkaraju (3): net: lan743x: disable WOL upon resume to restore full data path operation net: lan743x: Support WOL at both the PHY and MAC appropriately net: phy: mxl-gpy: Remove interrupt mask clearing from config_init Raju Rangoju (1): ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Rand Deeb (1): ssb: Fix potential NULL pointer dereference in ssb_device_uevent() Ricardo Ribalda (1): media: intel/ipu6: Fix build with !ACPI Roman Smirnov (1): udf: udftime: prevent overflow in udf_disk_stamp_to_time() Sean Christopherson (1): KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes Sean O'Brien (1): HID: Add quirk for Logitech Casa touchpad Selvin Xavier (1): RDMA/bnxt_re: Fix the max msix vectors macro Simon Horman (2): selftests: openvswitch: Use bash as interpreter octeontx2-pf: Add error handling to VLAN unoffload handling Simon Trimmer (3): ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() ALSA: hda: cs35l56: Component should be unbound before deconstruction ALSA: hda: tas2781: Component should be unbound before deconstruction Songyang Li (1): MIPS: Octeon: Add PCIe link status check Stefan Binding (1): ALSA: hda/realtek: Add quirks for Lenovo 13X Stefan Wahren (1): qca_spi: Make interrupt remembering atomic Stephen Brennan (1): kprobe/ftrace: bail out if ftrace was killed Steve French (1): cifs: fix typo in module parameter enable_gcm_256 Su Yue (1): ocfs2: update inode fsync transaction id in ocfs2_unlink and ocfs2_link Sudeep Holla (1): firmware: psci: Fix return value from psci_system_suspend() Takashi Iwai (2): ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 ALSA: seq: ump: Fix missing System Reset message handling Tim Harvey (1): arm64: dts: freescale: imx8mp-venice-gw73xx-2x: fix BT shutdown GPIO Tony Luck (2): x86/cpu/vfm: Add new macros to work with (vendor/family/model) values x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL Tzung-Bi Shih (1): power: supply: cros_usbpd: provide ID table for avoiding fallback match Uri Arev (1): Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Wander Lairson Costa (1): drop_monitor: replace spin_lock by raw_spin_lock Wang Yao (1): efi/loongarch: Directly position the loaded image file Xiaolei Wang (1): net: stmmac: No need to calculate speed divider when offload is disabled Xin Long (2): tipc: force a dst refcount before doing decryption sched: act_ct: add netns into the key of tcf_ct_flow_table Yishai Hadas (1): RDMA/mlx5: Fix unwind flow as part of mlx5_ib_stage_init_init Yonghong Song (1): selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Yue Haibing (1): netns: Make get_net_ns() handle zero refcount net Yunlei He (1): f2fs: remove clear SB_INLINECRYPT flag in default_options Zqiang (2): rcutorture: Make stall-tasks directly exit when rcutorture tests end rcutorture: Fix invalid context warning when enable srcu barrier testing

1 year, 2 months

1
1
0 0

Linux 6.1.96

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.96 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 Makefile | 7 arch/arm/boot/dts/exynos4210-smdkv310.dts | 2 arch/arm/boot/dts/exynos4412-origen.dts | 2 arch/arm/boot/dts/exynos4412-smdk4412.dts | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 2 arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 arch/arm64/boot/dts/freescale/imx93-11x11-evk.dts | 1 arch/arm64/kvm/vgic/vgic-init.c | 2 arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 + arch/arm64/kvm/vgic/vgic.h | 2 arch/mips/bmips/setup.c | 3 arch/mips/boot/dts/brcm/bcm63268.dtsi | 2 arch/mips/pci/ops-rc32434.c | 4 arch/mips/pci/pcie-octeon.c | 6 arch/powerpc/include/asm/hvcall.h | 8 arch/powerpc/include/asm/io.h | 24 +- arch/x86/include/asm/cpu_device_id.h | 98 ++++++++++ arch/x86/kernel/cpu/match.c | 4 arch/x86/kvm/x86.c | 9 block/ioctl.c | 2 drivers/acpi/acpica/exregion.c | 23 -- drivers/bluetooth/ath3k.c | 25 +- drivers/crypto/hisilicon/sec2/sec_crypto.c | 4 drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 drivers/dma/dw-axi-dmac/dw-axi-dmac.h | 1 drivers/dma/idxd/irq.c | 4 drivers/dma/ioat/init.c | 67 +++--- drivers/dma/ioat/registers.h | 7 drivers/firmware/psci/psci.c | 4 drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 2 drivers/gpu/drm/i915/display/intel_dp.c | 4 drivers/gpu/drm/lima/lima_bcast.c | 12 + drivers/gpu/drm/lima/lima_bcast.h | 3 drivers/gpu/drm/lima/lima_gp.c | 8 drivers/gpu/drm/lima/lima_pp.c | 18 + drivers/gpu/drm/lima/lima_sched.c | 7 drivers/gpu/drm/lima/lima_sched.h | 1 drivers/gpu/drm/radeon/sumo_dpm.c | 2 drivers/hid/hid-asus.c | 49 ++--- drivers/hid/hid-ids.h | 1 drivers/hid/hid-multitouch.c | 6 drivers/i2c/busses/i2c-ocores.c | 2 drivers/infiniband/hw/mlx5/srq.c | 13 - drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 drivers/net/dsa/realtek/rtl8366rb.c | 87 ++------ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 drivers/net/ethernet/intel/ice/ice.h | 1 drivers/net/ethernet/intel/ice/ice_idc.c | 52 +++++ drivers/net/ethernet/intel/ice/ice_main.c | 36 +-- drivers/net/ethernet/intel/ice/ice_switch.c | 6 drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 5 drivers/net/ethernet/microchip/lan743x_ethtool.c | 44 ++++ drivers/net/ethernet/microchip/lan743x_main.c | 48 ++++ drivers/net/ethernet/microchip/lan743x_main.h | 28 ++ drivers/net/ethernet/qualcomm/qca_debug.c | 6 drivers/net/ethernet/qualcomm/qca_spi.c | 16 - drivers/net/ethernet/qualcomm/qca_spi.h | 3 drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 40 ++-- drivers/net/phy/mxl-gpy.c | 93 ++++++--- drivers/net/usb/ax88179_178a.c | 18 + drivers/net/usb/rtl8150.c | 3 drivers/net/virtio_net.c | 12 + drivers/net/wireless/ath/ath.h | 6 drivers/net/wireless/ath/ath9k/main.c | 3 drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c | 2 drivers/net/wireless/mediatek/mt76/mt7921/sdio_mac.c | 2 drivers/net/wireless/mediatek/mt76/sdio.c | 3 drivers/pci/pci.c | 12 + drivers/platform/x86/p2sb.c | 29 +- drivers/platform/x86/toshiba_acpi.c | 36 +++ drivers/power/supply/cros_usbpd-charger.c | 11 - drivers/ptp/ptp_sysfs.c | 3 drivers/regulator/bd71815-regulator.c | 2 drivers/regulator/core.c | 1 drivers/scsi/qedi/qedi_debugfs.c | 12 - drivers/soc/ti/ti_sci_pm_domains.c | 20 +- drivers/spi/spi-stm32-qspi.c | 12 - drivers/tty/serial/8250/8250_exar.c | 42 ++++ drivers/tty/serial/imx.c | 7 drivers/tty/tty_ldisc.c | 6 drivers/tty/vt/vt.c | 10 + drivers/usb/dwc3/dwc3-pci.c | 8 drivers/usb/gadget/function/f_hid.c | 6 drivers/usb/gadget/function/f_printer.c | 6 drivers/usb/gadget/function/rndis.c | 4 drivers/usb/misc/uss720.c | 20 +- fs/btrfs/block-group.c | 11 - fs/f2fs/super.c | 2 fs/smb/client/cifsfs.c | 2 fs/udf/udftime.c | 11 - include/linux/kcov.h | 2 include/linux/mod_devicetable.h | 2 include/linux/tty_driver.h | 8 include/net/sch_generic.h | 1 io_uring/sqpoll.c | 8 kernel/gcov/gcc_4_7.c | 4 kernel/gen_kheaders.sh | 9 kernel/kcov.c | 1 kernel/padata.c | 8 kernel/rcu/rcutorture.c | 16 - kernel/trace/Kconfig | 4 kernel/trace/preemptirq_delay_test.c | 1 mm/page_table_check.c | 11 + net/batman-adv/originator.c | 2 net/core/drop_monitor.c | 20 +- net/core/filter.c | 5 net/core/net_namespace.c | 9 net/core/netpoll.c | 2 net/core/sock.c | 3 net/ipv4/cipso_ipv4.c | 12 - net/ipv4/tcp_input.c | 1 net/ipv6/route.c | 4 net/ipv6/seg6_local.c | 8 net/ipv6/xfrm6_policy.c | 8 net/netfilter/ipset/ip_set_core.c | 11 - net/netrom/nr_timer.c | 3 net/packet/af_packet.c | 26 +- net/sched/act_api.c | 66 ++++-- net/sched/act_ct.c | 16 + net/sched/sch_api.c | 1 net/sched/sch_generic.c | 4 net/sched/sch_htb.c | 22 -- net/tipc/node.c | 1 sound/hda/intel-dsp-config.c | 2 sound/pci/hda/patch_realtek.c | 10 - sound/soc/intel/boards/sof_sdw.c | 9 tools/perf/Documentation/perf-script.txt | 7 tools/perf/builtin-script.c | 24 +- tools/testing/selftests/arm64/tags/tags_test.c | 4 tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c | 26 -- tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 + virt/kvm/kvm_main.c | 5 135 files changed, 1109 insertions(+), 560 deletions(-) Adrian Hunter (1): perf script: Show also errors for --insn-trace option Ajrat Makhmutov (1): ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM Aleksandr Aprelkov (1): iommu/arm-smmu-v3: Free MSIs in case of ENOMEM Aleksandr Nogikh (1): kcov: don't lose track of remote references during softirqs Alessandro Carminati (Red Hat) (1): selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Alex Deucher (2): drm/radeon: fix UBSAN warning in kv_dpm.c drm/amdgpu: fix UBSAN warning in kv_dpm.c Alex Henrie (1): usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Andrew Ballance (1): hid: asus: asus_report_fixup: fix potential read out of bounds Andy Chi (1): ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11. Arnd Bergmann (1): wifi: ath9k: work around memset overflow warning Arvid Norlander (1): platform/x86: toshiba_acpi: Add quirk for buttons on Z830 Ben Fradella (1): platform/x86: p2sb: Don't init until unassigned resources have been assigned Biju Das (1): regulator: core: Fix modpost error "regulator_get_regmap" undefined Bjorn Helgaas (2): dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting() dmaengine: ioat: use PCI core macros for PCIe Capability Boris Burkov (1): btrfs: retry block group reclaim without infinite loop Breno Leitao (2): netpoll: Fix race condition in netpoll_owner_active KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Changbin Du (1): perf: script: add raw|disasm arguments to --insn-trace option Chenghai Huang (1): crypto: hisilicon/sec - Fix memory leak for sec resource release Christian Marangi (1): mips: bmips: BCM6358: make sure CBR is correctly set Christophe JAILLET (1): usb: gadget: function: Remove usage of the deprecated ida_simple_xx() API Dan Carpenter (1): ptp: fix integer overflow in max_vclocks_store David Ruth (1): net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Davide Caratti (2): net/sched: fix false lockdep warning on qdisc root lock net/sched: unregister lockdep keys in qdisc_create/qdisc_alloc error path Dustin L. Howett (1): ALSA: hda/realtek: Remove Framework Laptop 16 from quirks Edson Juliano Drosdeck (1): ALSA: hda/realtek: Limit mic boost on N14AP7 En-Wei Wu (1): ice: avoid IRQ collision to fix init failure on ACPI S3 resume Eric Dumazet (6): batman-adv: bypass empty buckets in batadv_purge_orig_ref() af_packet: avoid a false positive warning in packet_setsockopt() ipv6: prevent possible NULL deref in fib6_nh_init() ipv6: prevent possible NULL dereference in rt6_probe() xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() Erico Nunes (2): drm/lima: add mask irq callback to gp and pp drm/lima: mask irqs in timeout path before hard reset Esben Haabendal (1): serial: imx: Introduce timeout when waiting on transmitter empty Fabio Estevam (1): arm64: dts: imx93-11x11-evk: Remove the 'no-sdio' property Florian Fainelli (1): MIPS: dts: bcm63268: Add missing properties to the TWD node Florian Westphal (1): bpf: Avoid splat in pskb_pull_reason Frank Li (1): arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc Gavrilov Ilia (1): netrom: Fix a memory leak in nr_heartbeat_expiry() Greg Kroah-Hartman (1): Linux 6.1.96 Grygorii Tertychnyi (1): i2c: ocores: set IACK bit after core is enabled Hans de Goede (1): usb: dwc3: pci: Don't set "linux,phy_charger_detect" property on Lenovo Yoga Tab2 1380 Heng Qi (1): virtio_net: checksum offloading handling fix Herbert Xu (1): padata: Disable BH when taking works lock on MT path Ignat Korchagin (1): net: do not leave a dangling sk pointer, when socket creation fails Ilpo Järvinen (1): MIPS: Routerboard 532: Fix vendor retry check code Jani Nikula (1): drm/i915/mso: using joiner is not possible with eDP MSO Jeff Johnson (1): tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Jens Axboe (1): io_uring/sqpoll: work around a potential audit memory leak Jianguo Wu (1): seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors Joao Pinto (1): Avoid hw_desc array overrun in dw-axi-dmac Jose Ignacio Tornos Martinez (1): net: usb: ax88179_178a: improve reset check Jozsef Kadlecsik (1): netfilter: ipset: Fix suspicious rcu_dereference_protected() Justin Stitt (1): block/ioctl: prefer different overflow check Kalle Niemi (1): regulator: bd71815: fix ramp values Krzysztof Kozlowski (4): dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema ARM: dts: samsung: smdkv310: fix keypad no-autorepeat ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat ARM: dts: samsung: smdk4412: fix keypad no-autorepeat Kunwu Chan (1): kselftest: arm64: Add a null pointer check Leon Yen (1): wifi: mt76: mt7921s: fix potential hung tasks during chip recovery Li RongQing (1): dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Linus Torvalds (2): tty: add the option to have a tty reject a new ldisc Revert "mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default" Luiz Angelo Daros de Luca (1): net: dsa: realtek: keep default LED state in rtl8366rb Luke D. Jones (1): HID: asus: fix more n-key report descriptors if n-key quirked Manish Rangankar (1): scsi: qedi: Fix crash while reading debugfs attribute Marc Zyngier (1): KVM: arm64: Disassociate vcpus from redistributor region on teardown Marcin Szycik (1): ice: Fix VSI list rule with ICE_SW_LKUP_LAST type Mario Limonciello (1): PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Martin Leung (1): drm/amd/display: revert Exit idle optimizations before HDCP execution Masahiro Yamada (1): Revert "kheaders: substituting --sort in archive creation" Masami Hiramatsu (Google) (1): tracing: Build event generation tests only as modules Matthias Maennich (1): kheaders: explicitly define file modes for archived headers Max Krummenacher (1): arm64: dts: freescale: imx8mm-verdin: enable hysteresis on slow input pin Michael Ellerman (1): powerpc/io: Avoid clang null pointer arithmetic warnings Michal Swiatkowski (1): ice: move RDMA init to ice_idc.c Nathan Chancellor (1): kbuild: Remove support for Clang's ThinLTO caching Nathan Lynch (1): powerpc/pseries: Enforce hcall result buffer validity and size Nicholas Kazlauskas (1): drm/amd/display: Exit idle optimizations before HDCP execution Nikita Shubin (4): dmaengine: ioatdma: Fix leaking on version mismatch dmaengine: ioatdma: Fix error path in ioat3_dma_probe() dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() dmaengine: ioatdma: Fix missing kmem_cache_destroy() Oleksij Rempel (1): net: stmmac: Assign configured channel value to EXTTS event Oliver Neukum (1): net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Ondrej Mosnacek (1): cipso: fix total option length computation Parker Newman (1): serial: exar: adding missing CTI and Exar PCI ids Patrice Chotard (2): spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup() spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4 Patrisious Haddad (1): RDMA/mlx5: Add check for srq max_sge attribute Paul E. McKenney (1): rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Pavan Chebbi (1): bnxt_en: Restore PTP tx_avail count in case of skb_pad() error Pedro Tammela (1): net/sched: act_api: rely on rcu in tcf_idr_check_alloc Peter Oberparleiter (1): gcov: add support for GCC 14 Peter Ujfalusi (1): ALSA/hda: intel-dsp-config: Document AVS as dsp_driver option Peter Xu (1): mm/page_table_check: fix crash on ZONE_DEVICE Pierre-Louis Bossart (1): ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 Rafael Aquini (1): mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default Raju Lakkaraju (3): net: lan743x: disable WOL upon resume to restore full data path operation net: lan743x: Support WOL at both the PHY and MAC appropriately net: phy: mxl-gpy: Remove interrupt mask clearing from config_init Raju Rangoju (1): ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Roman Smirnov (1): udf: udftime: prevent overflow in udf_disk_stamp_to_time() Sean Christopherson (1): KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes Sean O'Brien (1): HID: Add quirk for Logitech Casa touchpad Simon Horman (1): octeontx2-pf: Add error handling to VLAN unoffload handling Songyang Li (1): MIPS: Octeon: Add PCIe link status check Stefan Binding (1): ALSA: hda/realtek: Add quirks for Lenovo 13X Stefan Wahren (1): qca_spi: Make interrupt remembering atomic Steve French (1): cifs: fix typo in module parameter enable_gcm_256 Sudeep Holla (1): firmware: psci: Fix return value from psci_system_suspend() Tomi Valkeinen (1): pmdomain: ti-sci: Fix duplicate PD referrals Tony Luck (2): x86/cpu/vfm: Add new macros to work with (vendor/family/model) values x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL Tzung-Bi Shih (1): power: supply: cros_usbpd: provide ID table for avoiding fallback match Uri Arev (1): Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Wander Lairson Costa (1): drop_monitor: replace spin_lock by raw_spin_lock Xiaolei Wang (1): net: stmmac: No need to calculate speed divider when offload is disabled Xin Long (2): tipc: force a dst refcount before doing decryption sched: act_ct: add netns into the key of tcf_ct_flow_table Xu Liang (1): net: phy: mxl-gpy: enhance delay time required by loopback disable function Yonghong Song (1): selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Yue Haibing (1): netns: Make get_net_ns() handle zero refcount net Yunlei He (1): f2fs: remove clear SB_INLINECRYPT flag in default_options Zqiang (2): rcutorture: Make stall-tasks directly exit when rcutorture tests end rcutorture: Fix invalid context warning when enable srcu barrier testing

1 year, 2 months

1
1
0 0

[PATCH v2] drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes

by Ma Ke

In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Cc: stable(a)vger.kernel.org Fixes: 6a227d5fd6c4 ("gma500: Add support for Cedarview") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch according to suggestions from other patchs; - added Fixes line; - added Cc stable; - Link: https://lore.kernel.org/lkml/20240622072514.1867582-1-make24@iscas.ac.cn/T/ --- drivers/gpu/drm/gma500/cdv_intel_lvds.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/gma500/cdv_intel_lvds.c b/drivers/gpu/drm/gma500/cdv_intel_lvds.c index f08a6803dc18..3adc2c9ab72d 100644 --- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c +++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c @@ -311,6 +311,9 @@ static int cdv_intel_lvds_get_modes(struct drm_connector *connector) if (mode_dev->panel_fixed_mode != NULL) { struct drm_display_mode *mode = drm_mode_duplicate(dev, mode_dev->panel_fixed_mode); + if (!mode) + return 0; + drm_mode_probed_add(connector, mode); return 1; } -- 2.25.1

1 year, 2 months

3
2
0 0

[PATCH 6.6 000/192] 6.6.36-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.36 release. There are 192 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 27 Jun 2024 08:54:55 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.36-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.36-rc1 Linus Torvalds <torvalds(a)linux-foundation.org> Revert "mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default" Andrew Ballance <andrewjballance(a)gmail.com> hid: asus: asus_report_fixup: fix potential read out of bounds Linus Torvalds <torvalds(a)linux-foundation.org> kprobe/ftrace: fix build error due to bad function definition Davide Caratti <dcaratti(a)redhat.com> net/sched: unregister lockdep keys in qdisc_create/qdisc_alloc error path Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: sof-sdw: really remove FOUR_SPEAKER quirk Martin Leung <martin.leung(a)amd.com> drm/amd/display: revert Exit idle optimizations before HDCP execution Jiaxun Yang <jiaxun.yang(a)flygoat.com> LoongArch: Fix entry point in kernel image header Wang Yao <wangyao(a)lemote.com> efi/loongarch: Directly position the loaded image file Arnd Bergmann <arnd(a)arndb.de> efi: move screen_info into efi init code Arnd Bergmann <arnd(a)arndb.de> vgacon: rework screen_info #ifdef checks Nam Cao <namcao(a)linutronix.de> riscv: force PAGE_SIZE linear mapping if debug_pagealloc is enabled Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Don't use PGD entries for the linear mapping Tony Luck <tony.luck(a)intel.com> x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL Tony Luck <tony.luck(a)intel.com> x86/cpu/vfm: Add new macros to work with (vendor/family/model) values Jeff Johnson <quic_jjohnson(a)quicinc.com> tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test Bart Van Assche <bvanassche(a)acm.org> nbd: Fix signal handling Bart Van Assche <bvanassche(a)acm.org> nbd: Improve the documentation of the locking assumptions Su Yue <glass.su(a)suse.com> ocfs2: update inode fsync transaction id in ocfs2_unlink and ocfs2_link Jeff Layton <jlayton(a)kernel.org> ocfs2: convert to new timestamp accessors Martin Kaistra <martin.kaistra(a)linutronix.de> wifi: rtl8xxxu: enable MFP support with security flag of RX descriptor Adrian Hunter <adrian.hunter(a)intel.com> perf script: Show also errors for --insn-trace option Changbin Du <changbin.du(a)huawei.com> perf: script: add raw|disasm arguments to --insn-trace option Patrice Chotard <patrice.chotard(a)foss.st.com> spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4 Frank Li <Frank.Li(a)nxp.com> arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc Patrice Chotard <patrice.chotard(a)foss.st.com> spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: i2c: atmel,at91sam: correct path to i2c-controller schema Grygorii Tertychnyi <grembeter(a)gmail.com> i2c: ocores: set IACK bit after core is enabled Peter Xu <peterx(a)redhat.com> mm/page_table_check: fix crash on ZONE_DEVICE Eric Dumazet <edumazet(a)google.com> tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() Rafael Aquini <aquini(a)redhat.com> mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: 8250_dw: Revert "Move definitions to the shared header" Ard Biesheuvel <ardb(a)kernel.org> efi/x86: Free EFI memory map only when installing a new one. Aleksandr Nogikh <nogikh(a)google.com> kcov: don't lose track of remote references during softirqs Peter Oberparleiter <oberpar(a)linux.ibm.com> gcov: add support for GCC 14 Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger() Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: dma: fsl-edma: fix dma-channels constraints Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix UBSAN warning in kv_dpm.c Alex Deucher <alexander.deucher(a)amd.com> drm/radeon: fix UBSAN warning in kv_dpm.c Jani Nikula <jani.nikula(a)intel.com> drm/i915/mso: using joiner is not possible with eDP MSO Pablo Caño <pablocpascual(a)gmail.com> ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9 Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on N14AP7 Andy Chi <andy.chi(a)canonical.com> ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11. Miklos Szeredi <mszeredi(a)redhat.com> ovl: fix encoding fid for lower only root Jason Gunthorpe <jgg(a)ziepe.ca> RDMA/mlx5: Follow rb_key.ats when creating new mkeys Jason Gunthorpe <jgg(a)ziepe.ca> RDMA/mlx5: Remove extra unlock on error path Honggang LI <honggangli(a)163.com> RDMA/rxe: Fix data copy for IB_SEND_INLINE Sean Christopherson <seanjc(a)google.com> KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes Marc Zyngier <maz(a)kernel.org> KVM: arm64: Disassociate vcpus from redistributor region on teardown Breno Leitao <leitao(a)debian.org> KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Hui Li <lihui(a)loongson.cn> LoongArch: Fix multiple hardware watchpoint issues Hui Li <lihui(a)loongson.cn> LoongArch: Trigger user-space watchpoints correctly Hui Li <lihui(a)loongson.cn> LoongArch: Fix watchpoint setting error Steve French <stfrench(a)microsoft.com> cifs: fix typo in module parameter enable_gcm_256 Joel Slebodnick <jslebodn(a)redhat.com> scsi: ufs: core: Free memory allocated for model before reinit Boris Burkov <boris(a)bur.io> btrfs: retry block group reclaim without infinite loop Ignat Korchagin <ignat(a)cloudflare.com> net: do not leave a dangling sk pointer, when socket creation fails Jose Ignacio Tornos Martinez <jtornosm(a)redhat.com> net: usb: ax88179_178a: improve reset check Oleksij Rempel <o.rempel(a)pengutronix.de> net: stmmac: Assign configured channel value to EXTTS event Carlos Llamas <cmllamas(a)google.com> locking/atomic: scripts: fix ${atomic}_sub_and_test() kerneldoc Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists() Baokun Li <libaokun1(a)huawei.com> ext4: avoid overflow when setting values via sysfs Martin Kaiser <martin(a)kaiser.cx> arm64: defconfig: enable the vf610 gpio driver Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Evaluate orphan _REG under EC device Konstantin Taranov <kotaranov(a)microsoft.com> RDMA/mana_ib: Ignore optional access flags for MRs Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Add check for srq max_sge attribute Yishai Hadas <yishaih(a)nvidia.com> RDMA/mlx5: Fix unwind flow as part of mlx5_ib_stage_init_init Sudeep Holla <sudeep.holla(a)arm.com> firmware: psci: Fix return value from psci_system_suspend() Chenliang Li <cliang01.li(a)samsung.com> io_uring/rsrc: fix incorrect assignment of iter->nr_segs in io_import_fixed Marc Kleine-Budde <mkl(a)pengutronix.de> spi: spi-imx: imx51: revert burst length calculation back to bits_per_word Raju Rangoju <Raju.Rangoju(a)amd.com> ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Max Krummenacher <max.krummenacher(a)toradex.com> arm64: dts: freescale: imx8mm-verdin: enable hysteresis on slow input pin Fabio Estevam <festevam(a)gmail.com> arm64: dts: imx93-11x11-evk: Remove the 'no-sdio' property Tim Harvey <tharvey(a)gateworks.com> arm64: dts: freescale: imx8mp-venice-gw73xx-2x: fix BT shutdown GPIO Marek Vasut <marex(a)denx.de> arm64: dts: imx8mp: Fix TC9595 input clock on DH i.MX8M Plus DHCOM SoM Marek Vasut <marex(a)denx.de> arm64: dts: imx8mp: Fix TC9595 reset GPIO on DH i.MX8M Plus DHCOM SoM Julien Panis <jpanis(a)baylibre.com> thermal/drivers/mediatek/lvts_thermal: Return error in case of invalid efuse data Kalle Niemi <kaleposti(a)gmail.com> regulator: bd71815: fix ramp values Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix missing kmem_cache_destroy() Arnd Bergmann <arnd(a)arndb.de> dmaengine: fsl-edma: avoid linking both modules Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix error path in ioat3_dma_probe() Nikita Shubin <n.shubin(a)yadro.com> dmaengine: ioatdma: Fix leaking on version mismatch Li RongQing <lirongqing(a)baidu.com> dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Biju Das <biju.das.jz(a)bp.renesas.com> regulator: core: Fix modpost error "regulator_get_regmap" undefined Honggang LI <honggangli(a)163.com> RDMA/rxe: Fix responder length checking for UD request packets Charles Keepax <ckeepax(a)opensource.cirrus.com> spi: cs42l43: Correct SPI root clock speed Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix the max msix vectors macro Oliver Neukum <oneukum(a)suse.com> net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings Pavan Chebbi <pavan.chebbi(a)broadcom.com> bnxt_en: Restore PTP tx_avail count in case of skb_pad() error Marcin Szycik <marcin.szycik(a)linux.intel.com> ice: Fix VSI list rule with ICE_SW_LKUP_LAST type Jianguo Wu <wujianguo(a)chinatelecom.cn> netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core Jianguo Wu <wujianguo(a)chinatelecom.cn> seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: Fix suspicious rcu_dereference_protected() Geetha sowjanya <gakula(a)marvell.com> octeontx2-pf: Fix linking objects into multiple modules Simon Horman <horms(a)kernel.org> octeontx2-pf: Add error handling to VLAN unoffload handling Heng Qi <hengqi(a)linux.alibaba.com> virtio_net: fixing XDP for fully checksummed packets handling Heng Qi <hengqi(a)linux.alibaba.com> virtio_net: checksum offloading handling fix Xiaolei Wang <xiaolei.wang(a)windriver.com> net: stmmac: No need to calculate speed divider when offload is disabled Simon Horman <horms(a)kernel.org> selftests: openvswitch: Use bash as interpreter Dan Carpenter <dan.carpenter(a)linaro.org> ptp: fix integer overflow in max_vclocks_store Xin Long <lucien.xin(a)gmail.com> sched: act_ct: add netns into the key of tcf_ct_flow_table Xin Long <lucien.xin(a)gmail.com> tipc: force a dst refcount before doing decryption David Ruth <druth(a)chromium.org> net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() Pedro Tammela <pctammela(a)mojatatu.com> net/sched: act_api: rely on rcu in tcf_idr_check_alloc Raju Lakkaraju <Raju.Lakkaraju(a)microchip.com> net: phy: mxl-gpy: Remove interrupt mask clearing from config_init Raju Lakkaraju <Raju.Lakkaraju(a)microchip.com> net: lan743x: Support WOL at both the PHY and MAC appropriately Raju Lakkaraju <Raju.Lakkaraju(a)microchip.com> net: lan743x: disable WOL upon resume to restore full data path operation Stefan Wahren <wahrenst(a)gmx.net> qca_spi: Make interrupt remembering atomic Yue Haibing <yuehaibing(a)huawei.com> netns: Make get_net_ns() handle zero refcount net Eric Dumazet <edumazet(a)google.com> xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible NULL dereference in rt6_probe() Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible NULL deref in fib6_nh_init() Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> netrom: Fix a memory leak in nr_heartbeat_expiry() Ajrat Makhmutov <rautyrauty(a)gmail.com> ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM Florian Westphal <fw(a)strlen.de> bpf: Avoid splat in pskb_pull_reason Simon Trimmer <simont(a)opensource.cirrus.com> ALSA: hda: tas2781: Component should be unbound before deconstruction Simon Trimmer <simont(a)opensource.cirrus.com> ALSA: hda: cs35l56: Component should be unbound before deconstruction Ondrej Mosnacek <omosnace(a)redhat.com> cipso: fix total option length computation Aryan Srivastava <aryan.srivastava(a)alliedtelesis.co.nz> net: mvpp2: use slab_build_skb for oversized frames Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes En-Wei Wu <en-wei.wu(a)canonical.com> ice: avoid IRQ collision to fix init failure on ACPI S3 resume Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ALSA/hda: intel-dsp-config: Document AVS as dsp_driver option Dustin L. Howett <dustin(a)howett.net> ALSA: hda/realtek: Remove Framework Laptop 16 from quirks Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: Build event generation tests only as modules Christian Marangi <ansuelsmth(a)gmail.com> mips: bmips: BCM6358: make sure CBR is correctly set Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> MIPS: Routerboard 532: Fix vendor retry check code Takashi Iwai <tiwai(a)suse.de> ALSA: seq: ump: Fix missing System Reset message handling Simon Trimmer <simont(a)opensource.cirrus.com> ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Do not wait for disconnected devices when resuming Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Install address space handler at the namespace root Peng Ma <andypma(a)tencent.com> cpufreq: amd-pstate: fix memory leak on CPU EPP exit Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Collect hot-reset devices to local buffer Linus Torvalds <torvalds(a)linux-foundation.org> tty: add the option to have a tty reject a new ldisc Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> usb: gadget: function: Remove usage of the deprecated ida_simple_xx() API Parker Newman <pnewman(a)connecttech.com> serial: exar: adding missing CTI and Exar PCI ids Esben Haabendal <esben(a)geanix.com> serial: imx: Introduce timeout when waiting on transmitter empty Songyang Li <leesongyang(a)outlook.com> MIPS: Octeon: Add PCIe link status check Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: don't set RO when shutting down f2fs Mario Limonciello <mario.limonciello(a)amd.com> PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports Roman Smirnov <r.smirnov(a)omp.ru> udf: udftime: prevent overflow in udf_disk_stamp_to_time() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> usb: typec: ucsi_glink: drop special handling for CCI_BUSY Hans de Goede <hdegoede(a)redhat.com> usb: dwc3: pci: Don't set "linux,phy_charger_detect" property on Lenovo Yoga Tab2 1380 Joao Pinto <Joao.Pinto(a)synopsys.com> Avoid hw_desc array overrun in dw-axi-dmac Alex Henrie <alexhenrie24(a)gmail.com> usb: misc: uss720: check for incompatible versions of the Belkin F5U002 Yunlei He <heyunlei(a)oppo.com> f2fs: remove clear SB_INLINECRYPT flag in default_options Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: gadget: uvc: configfs: ensure guid to be valid before set Stephen Brennan <stephen.s.brennan(a)oracle.com> kprobe/ftrace: bail out if ftrace was killed Baokun Li <libaokun1(a)huawei.com> ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() Aleksandr Aprelkov <aaprelkov(a)usergate.com> iommu/arm-smmu-v3: Free MSIs in case of ENOMEM Tzung-Bi Shih <tzungbi(a)kernel.org> power: supply: cros_usbpd: provide ID table for avoiding fallback match Ben Fradella <bfradell(a)netapp.com> platform/x86: p2sb: Don't init until unassigned resources have been assigned Michael Ellerman <mpe(a)ellerman.id.au> powerpc/io: Avoid clang null pointer arithmetic warnings Fullway Wang <fullwaywang(a)outlook.com> media: mtk-vcodec: potential null pointer deference in SCP Ricardo Ribalda <ribalda(a)chromium.org> media: intel/ipu6: Fix build with !ACPI Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/pseries: Enforce hcall result buffer validity and size Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add quirks for Lenovo 13X Erico Nunes <nunes.erico(a)gmail.com> drm/lima: mask irqs in timeout path before hard reset Erico Nunes <nunes.erico(a)gmail.com> drm/lima: add mask irq callback to gp and pp Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: sof_sdw: add quirk for Dell SKU 0C0F Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 Arvid Norlander <lkml(a)vorpal.se> platform/x86: toshiba_acpi: Add quirk for buttons on Z830 Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> drm/amd/display: Exit idle optimizations before HDCP execution Uri Arev <me(a)wantyapps.xyz> Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl Takashi Iwai <tiwai(a)suse.de> ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Luke D. Jones <luke(a)ljones.dev> HID: asus: fix more n-key report descriptors if n-key quirked Sean O'Brien <seobrien(a)chromium.org> HID: Add quirk for Logitech Casa touchpad Leon Yen <leon.yen(a)mediatek.com> wifi: mt76: mt7921s: fix potential hung tasks during chip recovery Breno Leitao <leitao(a)debian.org> netpoll: Fix race condition in netpoll_owner_active Luiz Angelo Daros de Luca <luizluca(a)gmail.com> net: dsa: realtek: keep default LED state in rtl8366rb Kunwu Chan <chentao(a)kylinos.cn> kselftest: arm64: Add a null pointer check Davide Caratti <dcaratti(a)redhat.com> net/sched: fix false lockdep warning on qdisc root lock Daniel Golle <daniel(a)makrotopia.org> net: sfp: add quirk for ATS SFP-GE-T 1000Base-TX module Manish Rangankar <mrangankar(a)marvell.com> scsi: qedi: Fix crash while reading debugfs attribute Wander Lairson Costa <wander(a)redhat.com> drop_monitor: replace spin_lock by raw_spin_lock Hans de Goede <hdegoede(a)redhat.com> ACPI: x86: Add PNP_UART1_SKIP quirk for Lenovo Blade2 tablets Eric Dumazet <edumazet(a)google.com> af_packet: avoid a false positive warning in packet_setsockopt() Arnd Bergmann <arnd(a)arndb.de> wifi: ath9k: work around memset overflow warning Eric Dumazet <edumazet(a)google.com> batman-adv: bypass empty buckets in batadv_purge_orig_ref() Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix flaky test btf_map_in_map/lookup_update Alessandro Carminati (Red Hat) <alessandro.carminati(a)gmail.com> selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh Rand Deeb <rand.sec96(a)gmail.com> ssb: Fix potential NULL pointer dereference in ssb_device_uevent() Justin Stitt <justinstitt(a)google.com> block/ioctl: prefer different overflow check Zqiang <qiang.zhang1211(a)gmail.com> rcutorture: Fix invalid context warning when enable srcu barrier testing Zqiang <qiang.zhang1211(a)gmail.com> rcutorture: Make stall-tasks directly exit when rcutorture tests end Paul E. McKenney <paulmck(a)kernel.org> rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: work around a potential audit memory leak Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/qm - Add the err memory release process to qm uninit Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/sec - Fix memory leak for sec resource release Herbert Xu <herbert(a)gondor.apana.org.au> padata: Disable BH when taking works lock on MT path Kemeng Shi <shikemeng(a)huaweicloud.com> fs/writeback: bail out if there is no more inodes for IO and queued once ------------- Diffstat: .../devicetree/bindings/dma/fsl,edma.yaml | 4 +- .../devicetree/bindings/i2c/atmel,at91sam-i2c.yaml | 2 +- .../bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 +- Makefile | 4 +- arch/alpha/kernel/setup.c | 2 + arch/alpha/kernel/sys_sio.c | 2 + arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 2 +- .../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 4 +- .../boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 +- arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 +- arch/arm64/boot/dts/freescale/imx93-11x11-evk.dts | 1 - arch/arm64/configs/defconfig | 1 + arch/arm64/kernel/efi.c | 4 - arch/arm64/kernel/image-vars.h | 2 + arch/arm64/kvm/vgic/vgic-init.c | 2 +- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 +- arch/arm64/kvm/vgic/vgic.h | 2 +- arch/csky/kernel/probes/ftrace.c | 3 + arch/ia64/kernel/setup.c | 6 + arch/loongarch/include/asm/efi.h | 2 - arch/loongarch/include/asm/hw_breakpoint.h | 4 +- arch/loongarch/kernel/efi.c | 8 +- arch/loongarch/kernel/ftrace_dyn.c | 3 + arch/loongarch/kernel/head.S | 3 +- arch/loongarch/kernel/hw_breakpoint.c | 96 ++++++----- arch/loongarch/kernel/image-vars.h | 3 +- arch/loongarch/kernel/ptrace.c | 47 ++--- arch/loongarch/kernel/setup.c | 3 - arch/loongarch/kernel/vmlinux.lds.S | 11 +- arch/mips/bmips/setup.c | 3 +- arch/mips/kernel/setup.c | 2 +- arch/mips/pci/ops-rc32434.c | 4 +- arch/mips/pci/pcie-octeon.c | 6 + arch/mips/sibyte/swarm/setup.c | 2 +- arch/mips/sni/setup.c | 2 +- arch/parisc/kernel/ftrace.c | 3 + arch/powerpc/include/asm/hvcall.h | 8 +- arch/powerpc/include/asm/io.h | 24 +-- arch/powerpc/kernel/kprobes-ftrace.c | 3 + arch/riscv/kernel/image-vars.h | 2 + arch/riscv/kernel/probes/ftrace.c | 3 + arch/riscv/kernel/setup.c | 12 -- arch/riscv/mm/init.c | 13 +- arch/s390/kernel/ftrace.c | 3 + arch/x86/include/asm/cpu_device_id.h | 98 +++++++++++ arch/x86/include/asm/efi.h | 1 - arch/x86/kernel/cpu/match.c | 4 +- arch/x86/kernel/kprobes/ftrace.c | 3 + arch/x86/kvm/x86.c | 9 +- arch/x86/platform/efi/memmap.c | 12 +- block/ioctl.c | 2 +- drivers/acpi/acpica/acevents.h | 4 + drivers/acpi/acpica/evregion.c | 6 +- drivers/acpi/acpica/evxfregn.c | 54 ++++++ drivers/acpi/acpica/exregion.c | 23 +-- drivers/acpi/ec.c | 28 ++- drivers/acpi/internal.h | 1 - drivers/acpi/video_detect.c | 8 + drivers/acpi/x86/utils.c | 20 ++- drivers/block/nbd.c | 34 ++-- drivers/bluetooth/ath3k.c | 25 ++- drivers/cpufreq/amd-pstate.c | 7 + drivers/crypto/hisilicon/qm.c | 5 +- drivers/crypto/hisilicon/sec2/sec_crypto.c | 4 +- drivers/dma/Kconfig | 2 +- drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 +- drivers/dma/dw-axi-dmac/dw-axi-dmac.h | 1 + drivers/dma/idxd/irq.c | 4 +- drivers/dma/ioat/init.c | 55 +++--- drivers/firmware/efi/efi-init.c | 14 +- drivers/firmware/efi/libstub/efi-stub-entry.c | 8 +- drivers/firmware/efi/libstub/loongarch-stub.c | 9 +- drivers/firmware/efi/libstub/loongarch-stub.h | 4 + drivers/firmware/efi/libstub/loongarch.c | 8 +- drivers/firmware/efi/memmap.c | 9 - drivers/firmware/psci/psci.c | 4 +- drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 2 + drivers/gpu/drm/i915/display/intel_dp.c | 4 + drivers/gpu/drm/lima/lima_bcast.c | 12 ++ drivers/gpu/drm/lima/lima_bcast.h | 3 + drivers/gpu/drm/lima/lima_gp.c | 8 + drivers/gpu/drm/lima/lima_pp.c | 18 ++ drivers/gpu/drm/lima/lima_sched.c | 7 + drivers/gpu/drm/lima/lima_sched.h | 1 + drivers/gpu/drm/radeon/sumo_dpm.c | 2 + drivers/hid/hid-asus.c | 51 +++--- drivers/hid/hid-ids.h | 1 + drivers/hid/hid-multitouch.c | 6 + drivers/i2c/busses/i2c-ocores.c | 2 +- drivers/infiniband/hw/bnxt_re/bnxt_re.h | 4 +- drivers/infiniband/hw/mana/mr.c | 1 + drivers/infiniband/hw/mlx5/main.c | 4 +- drivers/infiniband/hw/mlx5/mr.c | 5 +- drivers/infiniband/hw/mlx5/srq.c | 13 +- drivers/infiniband/sw/rxe/rxe_resp.c | 13 ++ drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +- drivers/media/pci/intel/ipu-bridge.c | 66 +++++-- .../mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 2 + drivers/net/dsa/realtek/rtl8366rb.c | 87 +++------- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +- drivers/net/ethernet/intel/ice/ice_main.c | 7 +- drivers/net/ethernet/intel/ice/ice_switch.c | 6 +- drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 +- .../net/ethernet/marvell/octeontx2/nic/Makefile | 3 +- .../ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 7 + .../ethernet/marvell/octeontx2/nic/otx2_devlink.c | 2 + .../net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 5 +- drivers/net/ethernet/microchip/lan743x_ethtool.c | 44 ++++- drivers/net/ethernet/microchip/lan743x_main.c | 48 +++++- drivers/net/ethernet/microchip/lan743x_main.h | 28 +++ drivers/net/ethernet/qualcomm/qca_debug.c | 6 +- drivers/net/ethernet/qualcomm/qca_spi.c | 16 +- drivers/net/ethernet/qualcomm/qca_spi.h | 3 +- .../net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 +- drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 40 +++-- drivers/net/phy/mxl-gpy.c | 58 ++++--- drivers/net/phy/sfp.c | 3 + drivers/net/usb/ax88179_178a.c | 18 +- drivers/net/usb/rtl8150.c | 3 +- drivers/net/virtio_net.c | 32 +++- drivers/net/wireless/ath/ath.h | 6 +- drivers/net/wireless/ath/ath9k/main.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 + .../net/wireless/mediatek/mt76/mt7921/pci_mac.c | 2 - .../net/wireless/mediatek/mt76/mt7921/sdio_mac.c | 2 - drivers/net/wireless/mediatek/mt76/sdio.c | 3 +- drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 9 + .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 +- drivers/pci/pci.c | 17 ++ drivers/platform/x86/p2sb.c | 29 ++-- drivers/platform/x86/toshiba_acpi.c | 36 +++- drivers/power/supply/cros_usbpd-charger.c | 11 +- drivers/ptp/ptp_sysfs.c | 3 +- drivers/regulator/bd71815-regulator.c | 2 +- drivers/regulator/core.c | 1 + drivers/scsi/qedi/qedi_debugfs.c | 12 +- drivers/spi/spi-cs42l43.c | 2 +- drivers/spi/spi-imx.c | 14 +- drivers/spi/spi-stm32-qspi.c | 12 +- drivers/ssb/main.c | 4 +- drivers/thermal/mediatek/lvts_thermal.c | 6 +- drivers/tty/serial/8250/8250_dw.c | 27 +++ drivers/tty/serial/8250/8250_dwlib.h | 32 ---- drivers/tty/serial/8250/8250_exar.c | 42 +++++ drivers/tty/serial/imx.c | 7 +- drivers/tty/tty_ldisc.c | 6 + drivers/tty/vt/vt.c | 10 ++ drivers/ufs/core/ufshcd.c | 1 + drivers/usb/dwc3/dwc3-pci.c | 8 +- drivers/usb/gadget/function/f_hid.c | 6 +- drivers/usb/gadget/function/f_printer.c | 6 +- drivers/usb/gadget/function/rndis.c | 4 +- drivers/usb/gadget/function/uvc_configfs.c | 14 +- drivers/usb/misc/uss720.c | 22 ++- drivers/usb/typec/ucsi/ucsi_glink.c | 8 +- drivers/vfio/pci/vfio_pci_core.c | 78 +++++---- fs/btrfs/bio.c | 4 +- fs/btrfs/block-group.c | 11 +- fs/ext4/mballoc.c | 4 + fs/ext4/super.c | 22 ++- fs/ext4/sysfs.c | 24 ++- fs/f2fs/super.c | 12 +- fs/fs-writeback.c | 7 +- fs/ocfs2/acl.c | 4 +- fs/ocfs2/alloc.c | 6 +- fs/ocfs2/aops.c | 6 +- fs/ocfs2/dir.c | 9 +- fs/ocfs2/dlmfs/dlmfs.c | 4 +- fs/ocfs2/dlmglue.c | 29 ++-- fs/ocfs2/file.c | 30 ++-- fs/ocfs2/inode.c | 28 +-- fs/ocfs2/journal.c | 192 ++++++++++++--------- fs/ocfs2/move_extents.c | 4 +- fs/ocfs2/namei.c | 18 +- fs/ocfs2/ocfs2.h | 27 +++ fs/ocfs2/refcounttree.c | 12 +- fs/ocfs2/super.c | 4 +- fs/ocfs2/xattr.c | 4 +- fs/overlayfs/export.c | 6 +- fs/smb/client/cifsfs.c | 2 +- fs/udf/udftime.c | 11 +- include/acpi/acpixf.h | 4 + include/linux/atomic/atomic-arch-fallback.h | 6 +- include/linux/atomic/atomic-instrumented.h | 8 +- include/linux/atomic/atomic-long.h | 4 +- include/linux/kcov.h | 2 + include/linux/kprobes.h | 7 + include/linux/mod_devicetable.h | 2 + include/linux/pci.h | 7 +- include/linux/tty_driver.h | 8 + include/net/netns/netfilter.h | 3 + include/net/sch_generic.h | 1 + io_uring/rsrc.c | 1 - io_uring/sqpoll.c | 8 + kernel/gcov/gcc_4_7.c | 4 +- kernel/kcov.c | 1 + kernel/kprobes.c | 6 + kernel/padata.c | 8 +- kernel/rcu/rcutorture.c | 16 +- kernel/trace/Kconfig | 4 +- kernel/trace/ftrace.c | 1 + kernel/trace/preemptirq_delay_test.c | 1 + mm/page_table_check.c | 11 +- net/batman-adv/originator.c | 2 + net/core/drop_monitor.c | 20 +-- net/core/filter.c | 5 + net/core/net_namespace.c | 9 +- net/core/netpoll.c | 2 +- net/core/sock.c | 3 + net/ipv4/cipso_ipv4.c | 12 +- net/ipv4/tcp_input.c | 1 + net/ipv6/route.c | 4 +- net/ipv6/seg6_local.c | 8 +- net/ipv6/xfrm6_policy.c | 8 +- net/netfilter/core.c | 13 +- net/netfilter/ipset/ip_set_core.c | 11 +- net/netfilter/nf_conntrack_standalone.c | 15 -- net/netfilter/nf_hooks_lwtunnel.c | 67 +++++++ net/netfilter/nf_internals.h | 6 + net/netrom/nr_timer.c | 3 +- net/packet/af_packet.c | 26 +-- net/sched/act_api.c | 66 ++++--- net/sched/act_ct.c | 16 +- net/sched/sch_api.c | 1 + net/sched/sch_generic.c | 4 + net/sched/sch_htb.c | 22 +-- net/tipc/node.c | 1 + scripts/atomic/kerneldoc/sub_and_test | 2 +- sound/core/seq/seq_ump_convert.c | 2 + sound/hda/intel-dsp-config.c | 2 +- sound/pci/hda/cs35l41_hda.c | 2 +- sound/pci/hda/cs35l56_hda.c | 4 +- sound/pci/hda/patch_realtek.c | 11 +- sound/pci/hda/tas2781_hda_i2c.c | 4 +- sound/soc/intel/boards/sof_sdw.c | 18 ++ tools/perf/Documentation/perf-script.txt | 7 +- tools/perf/builtin-script.c | 24 ++- tools/testing/selftests/arm64/tags/tags_test.c | 4 + .../selftests/bpf/prog_tests/btf_map_in_map.c | 26 +-- tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 +- .../selftests/net/openvswitch/openvswitch.sh | 2 +- virt/kvm/kvm_main.c | 5 +- 243 files changed, 1956 insertions(+), 1007 deletions(-)

1 year, 2 months

12
206
0 0

[PATCH] media: stm32: dcmipp: correct error handling in dcmipp_create_subdevs

by Alain Volmat

Correct error handling within the dcmipp_create_subdevs by properly decrementing the i counter when releasing the subdeves. Fixes: 28e0f3772296 ("media: stm32-dcmipp: STM32 DCMIPP camera interface driver") Cc: stable(a)vger.kernel.org Signed-off-by: Alain Volmat <alain.volmat(a)foss.st.com> --- drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c index 4acc3b90d03a..4924ee36cfda 100644 --- a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c +++ b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c @@ -202,7 +202,7 @@ static int dcmipp_create_subdevs(struct dcmipp_device *dcmipp) return 0; err_init_entity: - while (i > 0) + while (i-- > 0) dcmipp->pipe_cfg->ents[i - 1].release(dcmipp->entity[i - 1]); return ret; } -- 2.25.1

1 year, 2 months

3
2
0 0

[git:media_stage/master] media: stm32: dcmipp: correct error handling in dcmipp_create_subdevs

by Hans Verkuil

This is an automatic generated email to let you know that the following patch were queued: Subject: media: stm32: dcmipp: correct error handling in dcmipp_create_subdevs Author: Alain Volmat <alain.volmat(a)foss.st.com> Date: Mon Jun 24 10:41:22 2024 +0200 Correct error handling within the dcmipp_create_subdevs by properly decrementing the i counter when releasing the subdeves. Fixes: 28e0f3772296 ("media: stm32-dcmipp: STM32 DCMIPP camera interface driver") Cc: stable(a)vger.kernel.org Signed-off-by: Alain Volmat <alain.volmat(a)foss.st.com> Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- diff --git a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c index 4acc3b90d03a..4924ee36cfda 100644 --- a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c +++ b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c @@ -202,7 +202,7 @@ static int dcmipp_create_subdevs(struct dcmipp_device *dcmipp) return 0; err_init_entity: - while (i > 0) + while (i-- > 0) dcmipp->pipe_cfg->ents[i - 1].release(dcmipp->entity[i - 1]); return ret; }

1 year, 2 months

1
0
0 0

[PATCH v2] drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes

by Ma Ke

In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Cc: stable(a)vger.kernel.org Fixes: 89c78134cc54 ("gma500: Add Poulsbo support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch according to suggestions; - added Fixes line; - added Cc stable. --- drivers/gpu/drm/gma500/psb_intel_lvds.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c index 8486de230ec9..8d1be94a443b 100644 --- a/drivers/gpu/drm/gma500/psb_intel_lvds.c +++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c @@ -504,6 +504,9 @@ static int psb_intel_lvds_get_modes(struct drm_connector *connector) if (mode_dev->panel_fixed_mode != NULL) { struct drm_display_mode *mode = drm_mode_duplicate(dev, mode_dev->panel_fixed_mode); + if (!mode) + return 0; + drm_mode_probed_add(connector, mode); return 1; } -- 2.25.1

1 year, 2 months

2
1
0 0

[PATCH] USB: serial: option: add Fibocom FM350-GL

by Bjørn Mork

FM350-GL is 5G Sub-6 WWAN module which uses M.2 form factor interface. It is based on Mediatek's MTK T700 CPU. The module supports PCIe Gen3 x1 and USB 2.0 and 3.0 interfaces. The manufacturer states that USB is "for debug" but it has been confirmed to be fully functional, except for modem-control requests on some of the interfaces. USB device composition is controlled by AT+GTUSBMODE=<mode> command. Two values are currently supported for the <mode>: 40: RNDIS+AT+AP(GNSS)+META+DEBUG+NPT+ADB 41: RNDIS+AT+AP(GNSS)+META+DEBUG+NPT+ADB+AP(LOG)+AP(META)(default value) Mode 40 corresponds to: T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 22 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0e8d ProdID=7126 Rev= 0.01 S: Manufacturer=Fibocom Wireless Inc. S: Product=FM350-GL C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=125us I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Mode 41 corresponds to: T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0e8d ProdID=7127 Rev= 0.01 S: Manufacturer=Fibocom Wireless Inc. S: Product=FM350-GL C:* #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=125us I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Cc: stable(a)vger.kernel.org Signed-off-by: Bjørn Mork <bjorn(a)mork.no> --- drivers/usb/serial/option.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index 8a5846d4adf6..599439bddfb7 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -2224,6 +2224,10 @@ static const struct usb_device_id option_ids[] = { { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_7106_2COM, 0x02, 0x02, 0x01) }, { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x02, 0x01) }, { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x00, 0x00) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, 0x7126, 0xff, 0x00, 0x00), + .driver_info = NCTRL(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, 0x7127, 0xff, 0x00, 0x00), + .driver_info = NCTRL(2) | NCTRL(3) | NCTRL(4) }, { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) }, { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MPL200), .driver_info = RSVD(1) | RSVD(4) }, -- 2.39.2

1 year, 2 months

2
3
0 0

[PATCH v2 2/4] jbd2: Precompute number of transaction descriptor blocks

by Jan Kara

Instead of computing the number of descriptor blocks a transaction can have each time we need it (which is currently when starting each transaction but will become more frequent later) precompute the number once during journal initialization together with maximum transaction size. We perform the precomputation whenever journal feature set is updated similarly as for computation of journal->j_revoke_records_per_block. CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/jbd2/journal.c | 61 ++++++++++++++++++++++++++++++++----------- fs/jbd2/transaction.c | 24 +---------------- include/linux/jbd2.h | 7 +++++ 3 files changed, 54 insertions(+), 38 deletions(-) diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c index 1bb73750d307..ae5b544ed0cc 100644 --- a/fs/jbd2/journal.c +++ b/fs/jbd2/journal.c @@ -1451,6 +1451,48 @@ static int journal_revoke_records_per_block(journal_t *journal) return space / record_size; } +static int jbd2_journal_get_max_txn_bufs(journal_t *journal) +{ + return (journal->j_total_len - journal->j_fc_wbufsize) / 4; +} + +/* + * Base amount of descriptor blocks we reserve for each transaction. + */ +static int jbd2_descriptor_blocks_per_trans(journal_t *journal) +{ + int tag_space = journal->j_blocksize - sizeof(journal_header_t); + int tags_per_block; + + /* Subtract UUID */ + tag_space -= 16; + if (jbd2_journal_has_csum_v2or3(journal)) + tag_space -= sizeof(struct jbd2_journal_block_tail); + /* Commit code leaves a slack space of 16 bytes at the end of block */ + tags_per_block = (tag_space - 16) / journal_tag_bytes(journal); + /* + * Revoke descriptors are accounted separately so we need to reserve + * space for commit block and normal transaction descriptor blocks. + */ + return 1 + DIV_ROUND_UP(jbd2_journal_get_max_txn_bufs(journal), + tags_per_block); +} + +/* + * Initialize number of blocks each transaction reserves for its bookkeeping + * and maximum number of blocks a transaction can use. This needs to be called + * after the journal size and the fastcommit area size are initialized. + */ +static void jbd2_journal_init_transaction_limits(journal_t *journal) +{ + journal->j_revoke_records_per_block = + journal_revoke_records_per_block(journal); + journal->j_transaction_overhead_buffers = + jbd2_descriptor_blocks_per_trans(journal); + journal->j_max_transaction_buffers = + jbd2_journal_get_max_txn_bufs(journal); +} + /* * Load the on-disk journal superblock and read the key fields into the * journal_t. @@ -1492,8 +1534,8 @@ static int journal_load_superblock(journal_t *journal) if (jbd2_journal_has_csum_v2or3(journal)) journal->j_csum_seed = jbd2_chksum(journal, ~0, sb->s_uuid, sizeof(sb->s_uuid)); - journal->j_revoke_records_per_block = - journal_revoke_records_per_block(journal); + /* After journal features are set, we can compute transaction limits */ + jbd2_journal_init_transaction_limits(journal); if (jbd2_has_feature_fast_commit(journal)) { journal->j_fc_last = be32_to_cpu(sb->s_maxlen); @@ -1698,11 +1740,6 @@ journal_t *jbd2_journal_init_inode(struct inode *inode) return journal; } -static int jbd2_journal_get_max_txn_bufs(journal_t *journal) -{ - return (journal->j_total_len - journal->j_fc_wbufsize) / 4; -} - /* * Given a journal_t structure, initialise the various fields for * startup of a new journaling session. We use this both when creating @@ -1748,8 +1785,6 @@ static int journal_reset(journal_t *journal) journal->j_commit_sequence = journal->j_transaction_sequence - 1; journal->j_commit_request = journal->j_commit_sequence; - journal->j_max_transaction_buffers = jbd2_journal_get_max_txn_bufs(journal); - /* * Now that journal recovery is done, turn fast commits off here. This * way, if fast commit was enabled before the crash but if now FS has @@ -2290,8 +2325,6 @@ jbd2_journal_initialize_fast_commit(journal_t *journal) journal->j_fc_first = journal->j_last + 1; journal->j_fc_off = 0; journal->j_free = journal->j_last - journal->j_first; - journal->j_max_transaction_buffers = - jbd2_journal_get_max_txn_bufs(journal); return 0; } @@ -2379,8 +2412,7 @@ int jbd2_journal_set_features(journal_t *journal, unsigned long compat, sb->s_feature_ro_compat |= cpu_to_be32(ro); sb->s_feature_incompat |= cpu_to_be32(incompat); unlock_buffer(journal->j_sb_buffer); - journal->j_revoke_records_per_block = - journal_revoke_records_per_block(journal); + jbd2_journal_init_transaction_limits(journal); return 1; #undef COMPAT_FEATURE_ON @@ -2411,8 +2443,7 @@ void jbd2_journal_clear_features(journal_t *journal, unsigned long compat, sb->s_feature_compat &= ~cpu_to_be32(compat); sb->s_feature_ro_compat &= ~cpu_to_be32(ro); sb->s_feature_incompat &= ~cpu_to_be32(incompat); - journal->j_revoke_records_per_block = - journal_revoke_records_per_block(journal); + jbd2_journal_init_transaction_limits(journal); } EXPORT_SYMBOL(jbd2_journal_clear_features); diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c index cb0b8d6fc0c6..a095f1a3114b 100644 --- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c @@ -62,28 +62,6 @@ void jbd2_journal_free_transaction(transaction_t *transaction) kmem_cache_free(transaction_cache, transaction); } -/* - * Base amount of descriptor blocks we reserve for each transaction. - */ -static int jbd2_descriptor_blocks_per_trans(journal_t *journal) -{ - int tag_space = journal->j_blocksize - sizeof(journal_header_t); - int tags_per_block; - - /* Subtract UUID */ - tag_space -= 16; - if (jbd2_journal_has_csum_v2or3(journal)) - tag_space -= sizeof(struct jbd2_journal_block_tail); - /* Commit code leaves a slack space of 16 bytes at the end of block */ - tags_per_block = (tag_space - 16) / journal_tag_bytes(journal); - /* - * Revoke descriptors are accounted separately so we need to reserve - * space for commit block and normal transaction descriptor blocks. - */ - return 1 + DIV_ROUND_UP(journal->j_max_transaction_buffers, - tags_per_block); -} - /* * jbd2_get_transaction: obtain a new transaction_t object. * @@ -109,7 +87,7 @@ static void jbd2_get_transaction(journal_t *journal, transaction->t_expires = jiffies + journal->j_commit_interval; atomic_set(&transaction->t_updates, 0); atomic_set(&transaction->t_outstanding_credits, - jbd2_descriptor_blocks_per_trans(journal) + + journal->j_transaction_overhead_buffers + atomic_read(&journal->j_reserved_credits)); atomic_set(&transaction->t_outstanding_revokes, 0); atomic_set(&transaction->t_handle_count, 0); diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h index f91b930abe20..b900c642210c 100644 --- a/include/linux/jbd2.h +++ b/include/linux/jbd2.h @@ -1085,6 +1085,13 @@ struct journal_s */ int j_revoke_records_per_block; + /** + * @j_transaction_overhead: + * + * Number of blocks each transaction needs for its own bookkeeping + */ + int j_transaction_overhead_buffers; + /** * @j_commit_interval: * -- 2.35.3

1 year, 2 months

3
4
0 0

[PATCH v2 3/4] jbd2: Avoid infinite transaction commit loop

by Jan Kara

Commit 9f356e5a4f12 ("jbd2: Account descriptor blocks into t_outstanding_credits") started to account descriptor blocks into transactions outstanding credits. However it didn't appropriately decrease the maximum amount of credits available to userspace. Thus if the filesystem requests a transaction smaller than j_max_transaction_buffers but large enough that when descriptor blocks are added the size exceeds j_max_transaction_buffers, we confuse add_transaction_credits() into thinking previous handles have grown the transaction too much and enter infinite journal commit loop in start_this_handle() -> add_transaction_credits() trying to create transaction with enough credits available. Fix the problem by properly accounting for transaction space reserved for descriptor blocks when verifying requested transaction handle size. CC: stable(a)vger.kernel.org Fixes: 9f356e5a4f12 ("jbd2: Account descriptor blocks into t_outstanding_credits") Reported-by: Alexander Coffin <alex.coffin(a)maticrobots.com> Link: https://lore.kernel.org/all/CA+hUFcuGs04JHZ_WzA1zGN57+ehL2qmHOt5a7RMpo+rv6V… Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/jbd2/transaction.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c index a095f1a3114b..66513c18ca29 100644 --- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c @@ -191,6 +191,13 @@ static void sub_reserved_credits(journal_t *journal, int blocks) wake_up(&journal->j_wait_reserved); } +/* Maximum number of blocks for user transaction payload */ +static int jbd2_max_user_trans_buffers(journal_t *journal) +{ + return journal->j_max_transaction_buffers - + journal->j_transaction_overhead_buffers; +} + /* * Wait until we can add credits for handle to the running transaction. Called * with j_state_lock held for reading. Returns 0 if handle joined the running @@ -240,12 +247,12 @@ __must_hold(&journal->j_state_lock) * big to fit this handle? Wait until reserved credits are freed. */ if (atomic_read(&journal->j_reserved_credits) + total > - journal->j_max_transaction_buffers) { + jbd2_max_user_trans_buffers(journal)) { read_unlock(&journal->j_state_lock); jbd2_might_wait_for_commit(journal); wait_event(journal->j_wait_reserved, atomic_read(&journal->j_reserved_credits) + total <= - journal->j_max_transaction_buffers); + jbd2_max_user_trans_buffers(journal)); __acquire(&journal->j_state_lock); /* fake out sparse */ return 1; } @@ -285,14 +292,14 @@ __must_hold(&journal->j_state_lock) needed = atomic_add_return(rsv_blocks, &journal->j_reserved_credits); /* We allow at most half of a transaction to be reserved */ - if (needed > journal->j_max_transaction_buffers / 2) { + if (needed > jbd2_max_user_trans_buffers(journal) / 2) { sub_reserved_credits(journal, rsv_blocks); atomic_sub(total, &t->t_outstanding_credits); read_unlock(&journal->j_state_lock); jbd2_might_wait_for_commit(journal); wait_event(journal->j_wait_reserved, atomic_read(&journal->j_reserved_credits) + rsv_blocks - <= journal->j_max_transaction_buffers / 2); + <= jbd2_max_user_trans_buffers(journal) / 2); __acquire(&journal->j_state_lock); /* fake out sparse */ return 1; } @@ -322,12 +329,12 @@ static int start_this_handle(journal_t *journal, handle_t *handle, * size and limit the number of total credits to not exceed maximum * transaction size per operation. */ - if ((rsv_blocks > journal->j_max_transaction_buffers / 2) || - (rsv_blocks + blocks > journal->j_max_transaction_buffers)) { + if (rsv_blocks > jbd2_max_user_trans_buffers(journal) / 2 || + rsv_blocks + blocks > jbd2_max_user_trans_buffers(journal)) { printk(KERN_ERR "JBD2: %s wants too many credits " "credits:%d rsv_credits:%d max:%d\n", current->comm, blocks, rsv_blocks, - journal->j_max_transaction_buffers); + jbd2_max_user_trans_buffers(journal)); WARN_ON(1); return -ENOSPC; } -- 2.35.3

1 year, 2 months

3
5
0 0

[PATCH v2 03/13] ata: ahci: Clean up sysfs file on error

by Niklas Cassel

.probe() (ahci_init_one()) calls sysfs_add_file_to_group(), however, if probe() fails after this call, we currently never call sysfs_remove_file_from_group(). (The sysfs_remove_file_from_group() call in .remove() (ahci_remove_one()) does not help, as .remove() is not called on .probe() error.) Thus, if probe() fails after the sysfs_add_file_to_group() call, we get: sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:04.0/remapped_nvme' CPU: 11 PID: 954 Comm: modprobe Not tainted 6.10.0-rc5 #43 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 sysfs_warn_dup.cold+0x17/0x23 sysfs_add_file_mode_ns+0x11a/0x130 sysfs_add_file_to_group+0x7e/0xc0 ahci_init_one+0x31f/0xd40 [ahci] Fixes: 894fba7f434a ("ata: ahci: Add sysfs attribute to show remapped NVMe device count") Cc: stable(a)vger.kernel.org Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/ata/ahci.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c index 5eb38fbbbecd..fc6fd583faf8 100644 --- a/drivers/ata/ahci.c +++ b/drivers/ata/ahci.c @@ -1975,8 +1975,10 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) n_ports = max(ahci_nr_ports(hpriv->cap), fls(hpriv->port_map)); host = ata_host_alloc_pinfo(&pdev->dev, ppi, n_ports); - if (!host) - return -ENOMEM; + if (!host) { + rc = -ENOMEM; + goto err_rm_sysfs_file; + } host->private_data = hpriv; if (ahci_init_msi(pdev, n_ports, hpriv) < 0) { @@ -2031,11 +2033,11 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) /* initialize adapter */ rc = ahci_configure_dma_masks(pdev, hpriv); if (rc) - return rc; + goto err_rm_sysfs_file; rc = ahci_pci_reset_controller(host); if (rc) - return rc; + goto err_rm_sysfs_file; ahci_pci_init_controller(host); ahci_pci_print_info(host); @@ -2044,10 +2046,15 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) rc = ahci_host_activate(host, &ahci_sht); if (rc) - return rc; + goto err_rm_sysfs_file; pm_runtime_put_noidle(&pdev->dev); return 0; + +err_rm_sysfs_file: + sysfs_remove_file_from_group(&pdev->dev.kobj, + &dev_attr_remapped_nvme.attr, NULL); + return rc; } static void ahci_shutdown_one(struct pci_dev *pdev) -- 2.45.2

1 year, 2 months

3
3
0 0

[PATCH v2 02/13] ata: libata-core: Fix double free on error

by Niklas Cassel

If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780 R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006 FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x6a/0x90 ? kfree+0x2cf/0x2f0 ? exc_invalid_op+0x50/0x70 ? kfree+0x2cf/0x2f0 ? asm_exc_invalid_op+0x1a/0x20 ? ata_host_alloc+0xf5/0x120 [libata] ? ata_host_alloc+0xf5/0x120 [libata] ? kfree+0x2cf/0x2f0 ata_host_alloc+0xf5/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Ensure that we will not call kfree(host) twice, by performing the kfree() only if the devres_open_group() call failed. Fixes: dafd6c496381 ("libata: ensure host is free'd on error exit paths") Cc: stable(a)vger.kernel.org Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/ata/libata-core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index 88e32f638f33..c916cbe3e099 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5573,8 +5573,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports) if (!host) return NULL; - if (!devres_open_group(dev, NULL, GFP_KERNEL)) - goto err_free; + if (!devres_open_group(dev, NULL, GFP_KERNEL)) { + kfree(host); + return NULL; + } dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL); if (!dr) @@ -5606,8 +5608,6 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports) err_out: devres_release_group(dev, NULL); - err_free: - kfree(host); return NULL; } EXPORT_SYMBOL_GPL(ata_host_alloc); -- 2.45.2

1 year, 2 months

3
2
0 0

[PATCH v2 01/13] ata: libata-core: Fix null pointer dereference on error

by Niklas Cassel

If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called. However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following: BUG: unable to handle page fault for address: 0000000000003990 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? ata_host_release.cold+0x2f/0x6e [libata] ? ata_host_release.cold+0x2f/0x6e [libata] release_nodes+0x35/0xb0 devres_release_group+0x113/0x140 ata_host_alloc+0xed/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Do not access ata_port struct members unconditionally. Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") Cc: stable(a)vger.kernel.org Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/ata/libata-core.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index e1bf8a19b3c8..88e32f638f33 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5518,10 +5518,12 @@ static void ata_host_release(struct kref *kref) for (i = 0; i < host->n_ports; i++) { struct ata_port *ap = host->ports[i]; - kfree(ap->pmp_link); - kfree(ap->slave_link); - kfree(ap->ncq_sense_buf); - kfree(ap); + if (ap) { + kfree(ap->pmp_link); + kfree(ap->slave_link); + kfree(ap->ncq_sense_buf); + kfree(ap); + } host->ports[i] = NULL; } kfree(host); -- 2.45.2

1 year, 2 months

3
2
0 0

[PATCH 3/4] drm/vmwgfx: Fix handling of dumb buffers

by Zack Rusin

Dumb buffers can be used in kms but also through prime with gallium's resource_from_handle. In the second case the dumb buffers can be rendered by the GPU where with the regular DRM kms interfaces they are mapped and written to by the CPU. Because the same buffer can be written to by the GPU and CPU vmwgfx needs to use vmw_surface (object which properly tracks dirty state of the guest and gpu memory) instead of vmw_bo (which is just guest side memory). Furthermore the dumb buffer handles are expected to be gem objects by a lot of userspace. Make vmwgfx accept gem handles in prime and kms but internally switch to vmw_surface's to properly track the dirty state of the objects between the GPU and CPU. Fixes new kwin and kde on wayland. Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Fixes: b32233acceff ("drm/vmwgfx: Fix prime import/export") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.9+ --- drivers/gpu/drm/vmwgfx/vmw_surface_cache.h | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 127 +++--- drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 15 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 40 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 453 +++++++-------------- drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 17 +- drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 14 +- drivers/gpu/drm/vmwgfx/vmwgfx_prime.c | 32 +- drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 27 +- drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 33 +- drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 145 +++---- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 277 ++++++++++++- 12 files changed, 688 insertions(+), 502 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmw_surface_cache.h b/drivers/gpu/drm/vmwgfx/vmw_surface_cache.h index b0d87c5f58d8..1ac3cb151b11 100644 --- a/drivers/gpu/drm/vmwgfx/vmw_surface_cache.h +++ b/drivers/gpu/drm/vmwgfx/vmw_surface_cache.h @@ -1,6 +1,8 @@ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /********************************************************** - * Copyright 2021 VMware, Inc. - * SPDX-License-Identifier: GPL-2.0 OR MIT + * + * Copyright (c) 2021-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person * obtaining a copy of this software and associated documentation @@ -31,6 +33,10 @@ #include <drm/vmwgfx_drm.h> +#define SVGA3D_FLAGS_UPPER_32(svga3d_flags) ((svga3d_flags) >> 32) +#define SVGA3D_FLAGS_LOWER_32(svga3d_flags) \ + ((svga3d_flags) & ((uint64_t)U32_MAX)) + static inline u32 clamped_umul32(u32 a, u32 b) { uint64_t tmp = (uint64_t) a*b; diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c index e5eb21a471a6..f6fafb1fc5d8 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c @@ -1,8 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /************************************************************************** * - * Copyright © 2011-2023 VMware, Inc., Palo Alto, CA., USA - * All Rights Reserved. + * Copyright (c) 2011-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -28,15 +28,39 @@ #include "vmwgfx_bo.h" #include "vmwgfx_drv.h" - +#include "vmwgfx_resource_priv.h" #include <drm/ttm/ttm_placement.h> static void vmw_bo_release(struct vmw_bo *vbo) { + struct vmw_resource *res; + WARN_ON(vbo->tbo.base.funcs && kref_read(&vbo->tbo.base.refcount) != 0); vmw_bo_unmap(vbo); + + xa_destroy(&vbo->detached_resources); + WARN_ON(vbo->is_dumb && !vbo->dumb_surface); + if (vbo->is_dumb && vbo->dumb_surface) { + res = &vbo->dumb_surface->res; + WARN_ON(vbo != res->guest_memory_bo); + WARN_ON(!res->guest_memory_bo); + if (res->guest_memory_bo) { + /* Reserve and switch the backing mob. */ + mutex_lock(&res->dev_priv->cmdbuf_mutex); + (void)vmw_resource_reserve(res, false, true); + vmw_resource_mob_detach(res); + if (res->coherent) + vmw_bo_dirty_release(res->guest_memory_bo); + res->guest_memory_bo = NULL; + res->guest_memory_offset = 0; + vmw_resource_unreserve(res, false, false, false, NULL, + 0); + mutex_unlock(&res->dev_priv->cmdbuf_mutex); + } + vmw_surface_unreference(&vbo->dumb_surface); + } drm_gem_object_release(&vbo->tbo.base); } @@ -324,6 +348,11 @@ void vmw_bo_pin_reserved(struct vmw_bo *vbo, bool pin) * */ void *vmw_bo_map_and_cache(struct vmw_bo *vbo) +{ + return vmw_bo_map_and_cache_size(vbo, vbo->tbo.base.size); +} + +void *vmw_bo_map_and_cache_size(struct vmw_bo *vbo, size_t size) { struct ttm_buffer_object *bo = &vbo->tbo; bool not_used; @@ -334,9 +363,10 @@ void *vmw_bo_map_and_cache(struct vmw_bo *vbo) if (virtual) return virtual; - ret = ttm_bo_kmap(bo, 0, PFN_UP(bo->base.size), &vbo->map); + ret = ttm_bo_kmap(bo, 0, PFN_UP(size), &vbo->map); if (ret) - DRM_ERROR("Buffer object map failed: %d.\n", ret); + DRM_ERROR("Buffer object map failed: %d (size: bo = %zu, map = %zu).\n", + ret, bo->base.size, size); return ttm_kmap_obj_virtual(&vbo->map, &not_used); } @@ -389,6 +419,7 @@ static int vmw_bo_init(struct vmw_private *dev_priv, BUILD_BUG_ON(TTM_MAX_BO_PRIORITY <= 3); vmw_bo->tbo.priority = 3; vmw_bo->res_tree = RB_ROOT; + xa_init(&vmw_bo->detached_resources); params->size = ALIGN(params->size, PAGE_SIZE); drm_gem_private_object_init(vdev, &vmw_bo->tbo.base, params->size); @@ -653,52 +684,6 @@ void vmw_bo_fence_single(struct ttm_buffer_object *bo, dma_fence_put(&fence->base); } - -/** - * vmw_dumb_create - Create a dumb kms buffer - * - * @file_priv: Pointer to a struct drm_file identifying the caller. - * @dev: Pointer to the drm device. - * @args: Pointer to a struct drm_mode_create_dumb structure - * Return: Zero on success, negative error code on failure. - * - * This is a driver callback for the core drm create_dumb functionality. - * Note that this is very similar to the vmw_bo_alloc ioctl, except - * that the arguments have a different format. - */ -int vmw_dumb_create(struct drm_file *file_priv, - struct drm_device *dev, - struct drm_mode_create_dumb *args) -{ - struct vmw_private *dev_priv = vmw_priv(dev); - struct vmw_bo *vbo; - int cpp = DIV_ROUND_UP(args->bpp, 8); - int ret; - - switch (cpp) { - case 1: /* DRM_FORMAT_C8 */ - case 2: /* DRM_FORMAT_RGB565 */ - case 4: /* DRM_FORMAT_XRGB8888 */ - break; - default: - /* - * Dumb buffers don't allow anything else. - * This is tested via IGT's dumb_buffers - */ - return -EINVAL; - } - - args->pitch = args->width * cpp; - args->size = ALIGN(args->pitch * args->height, PAGE_SIZE); - - ret = vmw_gem_object_create_with_handle(dev_priv, file_priv, - args->size, &args->handle, - &vbo); - /* drop reference from allocate - handle holds it now */ - drm_gem_object_put(&vbo->tbo.base); - return ret; -} - /** * vmw_bo_swap_notify - swapout notify callback. * @@ -852,3 +837,43 @@ void vmw_bo_placement_set_default_accelerated(struct vmw_bo *bo) vmw_bo_placement_set(bo, domain, domain); } + +void vmw_bo_add_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res) +{ + xa_store(&vbo->detached_resources, (unsigned long)res, res, GFP_KERNEL); +} + +void vmw_bo_del_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res) +{ + xa_erase(&vbo->detached_resources, (unsigned long)res); +} + +struct vmw_surface *vmw_bo_surface(struct vmw_bo *vbo) +{ + unsigned long index; + struct vmw_resource *res = NULL; + struct vmw_surface *surf = NULL; + struct rb_node *rb_itr = vbo->res_tree.rb_node; + + if (vbo->is_dumb && vbo->dumb_surface) { + res = &vbo->dumb_surface->res; + goto out; + } + + xa_for_each(&vbo->detached_resources, index, res) { + if (res->func->res_type == vmw_res_surface) + goto out; + } + + for (rb_itr = rb_first(&vbo->res_tree); rb_itr; + rb_itr = rb_next(rb_itr)) { + res = rb_entry(rb_itr, struct vmw_resource, mob_node); + if (res->func->res_type == vmw_res_surface) + goto out; + } + +out: + if (res) + surf = vmw_res_to_srf(res); + return surf; +} diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h index f349642e6190..62b4342d5f7c 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h @@ -1,7 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0 OR MIT */ /************************************************************************** * - * Copyright 2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2023-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -35,11 +36,13 @@ #include <linux/rbtree_types.h> #include <linux/types.h> +#include <linux/xarray.h> struct vmw_bo_dirty; struct vmw_fence_obj; struct vmw_private; struct vmw_resource; +struct vmw_surface; enum vmw_bo_domain { VMW_BO_DOMAIN_SYS = BIT(0), @@ -85,11 +88,15 @@ struct vmw_bo { struct rb_root res_tree; u32 res_prios[TTM_MAX_BO_PRIORITY]; + struct xarray detached_resources; atomic_t cpu_writers; /* Not ref-counted. Protected by binding_mutex */ struct vmw_resource *dx_query_ctx; struct vmw_bo_dirty *dirty; + + bool is_dumb; + struct vmw_surface *dumb_surface; }; void vmw_bo_placement_set(struct vmw_bo *bo, u32 domain, u32 busy_domain); @@ -124,15 +131,21 @@ void vmw_bo_fence_single(struct ttm_buffer_object *bo, struct vmw_fence_obj *fence); void *vmw_bo_map_and_cache(struct vmw_bo *vbo); +void *vmw_bo_map_and_cache_size(struct vmw_bo *vbo, size_t size); void vmw_bo_unmap(struct vmw_bo *vbo); void vmw_bo_move_notify(struct ttm_buffer_object *bo, struct ttm_resource *mem); void vmw_bo_swap_notify(struct ttm_buffer_object *bo); +void vmw_bo_add_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res); +void vmw_bo_del_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res); +struct vmw_surface *vmw_bo_surface(struct vmw_bo *vbo); + int vmw_user_bo_lookup(struct drm_file *filp, u32 handle, struct vmw_bo **out); + /** * vmw_bo_adjust_prio - Adjust the buffer object eviction priority * according to attached resources diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h index 4ecaea0026fc..8de973549b5e 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h @@ -1,7 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0 OR MIT */ /************************************************************************** * - * Copyright 2009-2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2009-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -762,6 +763,26 @@ extern int vmw_gmr_bind(struct vmw_private *dev_priv, int gmr_id); extern void vmw_gmr_unbind(struct vmw_private *dev_priv, int gmr_id); +/** + * User handles + */ +struct vmw_user_object { + struct vmw_surface *surface; + struct vmw_bo *buffer; +}; + +int vmw_user_object_lookup(struct vmw_private *dev_priv, struct drm_file *filp, + u32 handle, struct vmw_user_object *uo); +struct vmw_user_object *vmw_user_object_ref(struct vmw_user_object *uo); +void vmw_user_object_unref(struct vmw_user_object *uo); +bool vmw_user_object_is_null(struct vmw_user_object *uo); +struct vmw_surface *vmw_user_object_surface(struct vmw_user_object *uo); +struct vmw_bo *vmw_user_object_buffer(struct vmw_user_object *uo); +void *vmw_user_object_map(struct vmw_user_object *uo); +void *vmw_user_object_map_size(struct vmw_user_object *uo, size_t size); +void vmw_user_object_unmap(struct vmw_user_object *uo); +bool vmw_user_object_is_mapped(struct vmw_user_object *uo); + /** * Resource utilities - vmwgfx_resource.c */ @@ -776,11 +797,6 @@ extern int vmw_resource_validate(struct vmw_resource *res, bool intr, extern int vmw_resource_reserve(struct vmw_resource *res, bool interruptible, bool no_backup); extern bool vmw_resource_needs_backup(const struct vmw_resource *res); -extern int vmw_user_lookup_handle(struct vmw_private *dev_priv, - struct drm_file *filp, - uint32_t handle, - struct vmw_surface **out_surf, - struct vmw_bo **out_buf); extern int vmw_user_resource_lookup_handle( struct vmw_private *dev_priv, struct ttm_object_file *tfile, @@ -1060,9 +1076,6 @@ int vmw_kms_suspend(struct drm_device *dev); int vmw_kms_resume(struct drm_device *dev); void vmw_kms_lost_device(struct drm_device *dev); -int vmw_dumb_create(struct drm_file *file_priv, - struct drm_device *dev, - struct drm_mode_create_dumb *args); extern int vmw_resource_pin(struct vmw_resource *res, bool interruptible); extern void vmw_resource_unpin(struct vmw_resource *res); extern enum vmw_res_type vmw_res_type(const struct vmw_resource *res); @@ -1179,6 +1192,15 @@ extern int vmw_gb_surface_reference_ext_ioctl(struct drm_device *dev, int vmw_gb_surface_define(struct vmw_private *dev_priv, const struct vmw_surface_metadata *req, struct vmw_surface **srf_out); +struct vmw_surface *vmw_lookup_surface_for_buffer(struct vmw_private *vmw, + struct vmw_bo *bo, + u32 handle); +u32 vmw_lookup_surface_handle_for_buffer(struct vmw_private *vmw, + struct vmw_bo *bo, + u32 handle); +int vmw_dumb_create(struct drm_file *file_priv, + struct drm_device *dev, + struct drm_mode_create_dumb *args); /* * Shader management - vmwgfx_shader.c diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 13b2820cae51..b2b44a6ed3ec 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1,7 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /************************************************************************** * - * Copyright 2009-2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2009-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -193,13 +194,12 @@ static u32 vmw_du_cursor_mob_size(u32 w, u32 h) */ static u32 *vmw_du_cursor_plane_acquire_image(struct vmw_plane_state *vps) { - if (vps->surf) { - if (vps->surf_mapped) - return vmw_bo_map_and_cache(vps->surf->res.guest_memory_bo); - return vps->surf->snooper.image; - } else if (vps->bo) - return vmw_bo_map_and_cache(vps->bo); - return NULL; + struct vmw_surface *surf = vmw_user_object_surface(&vps->uo); + + if (surf && !vmw_user_object_is_mapped(&vps->uo)) + return surf->snooper.image; + + return vmw_user_object_map(&vps->uo); } static bool vmw_du_cursor_plane_has_changed(struct vmw_plane_state *old_vps, @@ -536,22 +536,16 @@ void vmw_du_primary_plane_destroy(struct drm_plane *plane) * vmw_du_plane_unpin_surf - unpins resource associated with a framebuffer surface * * @vps: plane state associated with the display surface - * @unreference: true if we also want to unreference the display. */ -void vmw_du_plane_unpin_surf(struct vmw_plane_state *vps, - bool unreference) +void vmw_du_plane_unpin_surf(struct vmw_plane_state *vps) { - if (vps->surf) { + struct vmw_surface *surf = vmw_user_object_surface(&vps->uo); + + if (surf) { if (vps->pinned) { - vmw_resource_unpin(&vps->surf->res); + vmw_resource_unpin(&surf->res); vps->pinned--; } - - if (unreference) { - if (vps->pinned) - DRM_ERROR("Surface still pinned\n"); - vmw_surface_unreference(&vps->surf); - } } } @@ -572,7 +566,7 @@ vmw_du_plane_cleanup_fb(struct drm_plane *plane, { struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state); - vmw_du_plane_unpin_surf(vps, false); + vmw_du_plane_unpin_surf(vps); } @@ -661,25 +655,14 @@ vmw_du_cursor_plane_cleanup_fb(struct drm_plane *plane, struct vmw_cursor_plane *vcp = vmw_plane_to_vcp(plane); struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state); - if (vps->surf_mapped) { - vmw_bo_unmap(vps->surf->res.guest_memory_bo); - vps->surf_mapped = false; - } + if (!vmw_user_object_is_null(&vps->uo)) + vmw_user_object_unmap(&vps->uo); vmw_du_cursor_plane_unmap_cm(vps); vmw_du_put_cursor_mob(vcp, vps); - vmw_du_plane_unpin_surf(vps, false); - - if (vps->surf) { - vmw_surface_unreference(&vps->surf); - vps->surf = NULL; - } - - if (vps->bo) { - vmw_bo_unreference(&vps->bo); - vps->bo = NULL; - } + vmw_du_plane_unpin_surf(vps); + vmw_user_object_unref(&vps->uo); } @@ -698,64 +681,41 @@ vmw_du_cursor_plane_prepare_fb(struct drm_plane *plane, struct drm_framebuffer *fb = new_state->fb; struct vmw_cursor_plane *vcp = vmw_plane_to_vcp(plane); struct vmw_plane_state *vps = vmw_plane_state_to_vps(new_state); + struct vmw_bo *bo = NULL; int ret = 0; - if (vps->surf) { - if (vps->surf_mapped) { - vmw_bo_unmap(vps->surf->res.guest_memory_bo); - vps->surf_mapped = false; - } - vmw_surface_unreference(&vps->surf); - vps->surf = NULL; - } - - if (vps->bo) { - vmw_bo_unreference(&vps->bo); - vps->bo = NULL; + if (!vmw_user_object_is_null(&vps->uo)) { + vmw_user_object_unmap(&vps->uo); + vmw_user_object_unref(&vps->uo); } if (fb) { if (vmw_framebuffer_to_vfb(fb)->bo) { - vps->bo = vmw_framebuffer_to_vfbd(fb)->buffer; - vmw_bo_reference(vps->bo); + vps->uo.buffer = vmw_framebuffer_to_vfbd(fb)->buffer; + vps->uo.surface = NULL; } else { - vps->surf = vmw_framebuffer_to_vfbs(fb)->surface; - vmw_surface_reference(vps->surf); + memcpy(&vps->uo, &vmw_framebuffer_to_vfbs(fb)->uo, sizeof(vps->uo)); } + vmw_user_object_ref(&vps->uo); } - if (!vps->surf && vps->bo) { - const u32 size = new_state->crtc_w * new_state->crtc_h * sizeof(u32); - - /* - * Not using vmw_bo_map_and_cache() helper here as we need to - * reserve the ttm_buffer_object first which - * vmw_bo_map_and_cache() omits. - */ - ret = ttm_bo_reserve(&vps->bo->tbo, true, false, NULL); - + bo = vmw_user_object_buffer(&vps->uo); + if (bo) { + ret = ttm_bo_reserve(&bo->tbo, true, false, NULL); if (unlikely(ret != 0)) return -ENOMEM; - ret = ttm_bo_kmap(&vps->bo->tbo, 0, PFN_UP(size), &vps->bo->map); - - ttm_bo_unreserve(&vps->bo->tbo); - - if (unlikely(ret != 0)) - return -ENOMEM; - } else if (vps->surf && !vps->bo && vps->surf->res.guest_memory_bo) { + if (vmw_framebuffer_to_vfb(fb)->bo) { + const u32 size = new_state->crtc_w * new_state->crtc_h * sizeof(u32); - WARN_ON(vps->surf->snooper.image); - ret = ttm_bo_reserve(&vps->surf->res.guest_memory_bo->tbo, true, false, - NULL); - if (unlikely(ret != 0)) - return -ENOMEM; - vmw_bo_map_and_cache(vps->surf->res.guest_memory_bo); - ttm_bo_unreserve(&vps->surf->res.guest_memory_bo->tbo); - vps->surf_mapped = true; + (void)vmw_bo_map_and_cache_size(bo, size); + } else { + vmw_bo_map_and_cache(bo); + } + ttm_bo_unreserve(&bo->tbo); } - if (vps->surf || vps->bo) { + if (!vmw_user_object_is_null(&vps->uo)) { vmw_du_get_cursor_mob(vcp, vps); vmw_du_cursor_plane_map_cm(vps); } @@ -782,9 +742,9 @@ vmw_du_cursor_plane_atomic_update(struct drm_plane *plane, hotspot_x = du->hotspot_x + new_state->hotspot_x; hotspot_y = du->hotspot_y + new_state->hotspot_y; - du->cursor_surface = vps->surf; + du->cursor_surface = vmw_user_object_surface(&vps->uo); - if (!vps->surf && !vps->bo) { + if (vmw_user_object_is_null(&vps->uo)) { vmw_cursor_update_position(dev_priv, false, 0, 0); return; } @@ -792,9 +752,8 @@ vmw_du_cursor_plane_atomic_update(struct drm_plane *plane, vps->cursor.hotspot_x = hotspot_x; vps->cursor.hotspot_y = hotspot_y; - if (vps->surf) { + if (du->cursor_surface) du->cursor_age = du->cursor_surface->snooper.age; - } if (!vmw_du_cursor_plane_has_changed(old_vps, vps)) { /* @@ -913,7 +872,7 @@ int vmw_du_cursor_plane_atomic_check(struct drm_plane *plane, } if (!vmw_framebuffer_to_vfb(fb)->bo) { - surface = vmw_framebuffer_to_vfbs(fb)->surface; + surface = vmw_user_object_surface(&vmw_framebuffer_to_vfbs(fb)->uo); WARN_ON(!surface); @@ -1074,11 +1033,7 @@ vmw_du_plane_duplicate_state(struct drm_plane *plane) memset(&vps->cursor, 0, sizeof(vps->cursor)); /* Each ref counted resource needs to be acquired again */ - if (vps->surf) - (void) vmw_surface_reference(vps->surf); - - if (vps->bo) - (void) vmw_bo_reference(vps->bo); + vmw_user_object_ref(&vps->uo); state = &vps->base; @@ -1128,11 +1083,7 @@ vmw_du_plane_destroy_state(struct drm_plane *plane, struct vmw_plane_state *vps = vmw_plane_state_to_vps(state); /* Should have been freed by cleanup_fb */ - if (vps->surf) - vmw_surface_unreference(&vps->surf); - - if (vps->bo) - vmw_bo_unreference(&vps->bo); + vmw_user_object_unref(&vps->uo); drm_atomic_helper_plane_destroy_state(plane, state); } @@ -1227,7 +1178,7 @@ static void vmw_framebuffer_surface_destroy(struct drm_framebuffer *framebuffer) vmw_framebuffer_to_vfbs(framebuffer); drm_framebuffer_cleanup(framebuffer); - vmw_surface_unreference(&vfbs->surface); + vmw_user_object_unref(&vfbs->uo); kfree(vfbs); } @@ -1272,29 +1223,41 @@ int vmw_kms_readback(struct vmw_private *dev_priv, return -ENOSYS; } +static int vmw_framebuffer_surface_create_handle(struct drm_framebuffer *fb, + struct drm_file *file_priv, + unsigned int *handle) +{ + struct vmw_framebuffer_surface *vfbs = vmw_framebuffer_to_vfbs(fb); + struct vmw_bo *bo = vmw_user_object_buffer(&vfbs->uo); + + return drm_gem_handle_create(file_priv, &bo->tbo.base, handle); +} static const struct drm_framebuffer_funcs vmw_framebuffer_surface_funcs = { + .create_handle = vmw_framebuffer_surface_create_handle, .destroy = vmw_framebuffer_surface_destroy, .dirty = drm_atomic_helper_dirtyfb, }; static int vmw_kms_new_framebuffer_surface(struct vmw_private *dev_priv, - struct vmw_surface *surface, + struct vmw_user_object *uo, struct vmw_framebuffer **out, const struct drm_mode_fb_cmd2 - *mode_cmd, - bool is_bo_proxy) + *mode_cmd) { struct drm_device *dev = &dev_priv->drm; struct vmw_framebuffer_surface *vfbs; enum SVGA3dSurfaceFormat format; + struct vmw_surface *surface; int ret; /* 3D is only supported on HWv8 and newer hosts */ if (dev_priv->active_display_unit == vmw_du_legacy) return -ENOSYS; + surface = vmw_user_object_surface(uo); + /* * Sanity checks. */ @@ -1357,8 +1320,8 @@ static int vmw_kms_new_framebuffer_surface(struct vmw_private *dev_priv, } drm_helper_mode_fill_fb_struct(dev, &vfbs->base.base, mode_cmd); - vfbs->surface = vmw_surface_reference(surface); - vfbs->is_bo_proxy = is_bo_proxy; + memcpy(&vfbs->uo, uo, sizeof(vfbs->uo)); + vmw_user_object_ref(&vfbs->uo); *out = &vfbs->base; @@ -1370,7 +1333,7 @@ static int vmw_kms_new_framebuffer_surface(struct vmw_private *dev_priv, return 0; out_err2: - vmw_surface_unreference(&surface); + vmw_user_object_unref(&vfbs->uo); kfree(vfbs); out_err1: return ret; @@ -1386,7 +1349,6 @@ static int vmw_framebuffer_bo_create_handle(struct drm_framebuffer *fb, { struct vmw_framebuffer_bo *vfbd = vmw_framebuffer_to_vfbd(fb); - return drm_gem_handle_create(file_priv, &vfbd->buffer->tbo.base, handle); } @@ -1407,86 +1369,6 @@ static const struct drm_framebuffer_funcs vmw_framebuffer_bo_funcs = { .dirty = drm_atomic_helper_dirtyfb, }; -/** - * vmw_create_bo_proxy - create a proxy surface for the buffer object - * - * @dev: DRM device - * @mode_cmd: parameters for the new surface - * @bo_mob: MOB backing the buffer object - * @srf_out: newly created surface - * - * When the content FB is a buffer object, we create a surface as a proxy to the - * same buffer. This way we can do a surface copy rather than a surface DMA. - * This is a more efficient approach - * - * RETURNS: - * 0 on success, error code otherwise - */ -static int vmw_create_bo_proxy(struct drm_device *dev, - const struct drm_mode_fb_cmd2 *mode_cmd, - struct vmw_bo *bo_mob, - struct vmw_surface **srf_out) -{ - struct vmw_surface_metadata metadata = {0}; - uint32_t format; - struct vmw_resource *res; - unsigned int bytes_pp; - int ret; - - switch (mode_cmd->pixel_format) { - case DRM_FORMAT_ARGB8888: - case DRM_FORMAT_XRGB8888: - format = SVGA3D_X8R8G8B8; - bytes_pp = 4; - break; - - case DRM_FORMAT_RGB565: - case DRM_FORMAT_XRGB1555: - format = SVGA3D_R5G6B5; - bytes_pp = 2; - break; - - case 8: - format = SVGA3D_P8; - bytes_pp = 1; - break; - - default: - DRM_ERROR("Invalid framebuffer format %p4cc\n", - &mode_cmd->pixel_format); - return -EINVAL; - } - - metadata.format = format; - metadata.mip_levels[0] = 1; - metadata.num_sizes = 1; - metadata.base_size.width = mode_cmd->pitches[0] / bytes_pp; - metadata.base_size.height = mode_cmd->height; - metadata.base_size.depth = 1; - metadata.scanout = true; - - ret = vmw_gb_surface_define(vmw_priv(dev), &metadata, srf_out); - if (ret) { - DRM_ERROR("Failed to allocate proxy content buffer\n"); - return ret; - } - - res = &(*srf_out)->res; - - /* Reserve and switch the backing mob. */ - mutex_lock(&res->dev_priv->cmdbuf_mutex); - (void) vmw_resource_reserve(res, false, true); - vmw_user_bo_unref(&res->guest_memory_bo); - res->guest_memory_bo = vmw_user_bo_ref(bo_mob); - res->guest_memory_offset = 0; - vmw_resource_unreserve(res, false, false, false, NULL, 0); - mutex_unlock(&res->dev_priv->cmdbuf_mutex); - - return 0; -} - - - static int vmw_kms_new_framebuffer_bo(struct vmw_private *dev_priv, struct vmw_bo *bo, struct vmw_framebuffer **out, @@ -1565,55 +1447,24 @@ vmw_kms_srf_ok(struct vmw_private *dev_priv, uint32_t width, uint32_t height) * vmw_kms_new_framebuffer - Create a new framebuffer. * * @dev_priv: Pointer to device private struct. - * @bo: Pointer to buffer object to wrap the kms framebuffer around. - * Either @bo or @surface must be NULL. - * @surface: Pointer to a surface to wrap the kms framebuffer around. - * Either @bo or @surface must be NULL. - * @only_2d: No presents will occur to this buffer object based framebuffer. - * This helps the code to do some important optimizations. + * @uo: Pointer to user object to wrap the kms framebuffer around. + * Either the buffer or surface inside the user object must be NULL. * @mode_cmd: Frame-buffer metadata. */ struct vmw_framebuffer * vmw_kms_new_framebuffer(struct vmw_private *dev_priv, - struct vmw_bo *bo, - struct vmw_surface *surface, - bool only_2d, + struct vmw_user_object *uo, const struct drm_mode_fb_cmd2 *mode_cmd) { struct vmw_framebuffer *vfb = NULL; - bool is_bo_proxy = false; int ret; - /* - * We cannot use the SurfaceDMA command in an non-accelerated VM, - * therefore, wrap the buffer object in a surface so we can use the - * SurfaceCopy command. - */ - if (vmw_kms_srf_ok(dev_priv, mode_cmd->width, mode_cmd->height) && - bo && only_2d && - mode_cmd->width > 64 && /* Don't create a proxy for cursor */ - dev_priv->active_display_unit == vmw_du_screen_target) { - ret = vmw_create_bo_proxy(&dev_priv->drm, mode_cmd, - bo, &surface); - if (ret) - return ERR_PTR(ret); - - is_bo_proxy = true; - } - /* Create the new framebuffer depending one what we have */ - if (surface) { - ret = vmw_kms_new_framebuffer_surface(dev_priv, surface, &vfb, - mode_cmd, - is_bo_proxy); - /* - * vmw_create_bo_proxy() adds a reference that is no longer - * needed - */ - if (is_bo_proxy) - vmw_surface_unreference(&surface); - } else if (bo) { - ret = vmw_kms_new_framebuffer_bo(dev_priv, bo, &vfb, + if (vmw_user_object_surface(uo)) { + ret = vmw_kms_new_framebuffer_surface(dev_priv, uo, &vfb, + mode_cmd); + } else if (uo->buffer) { + ret = vmw_kms_new_framebuffer_bo(dev_priv, uo->buffer, &vfb, mode_cmd); } else { BUG(); @@ -1635,14 +1486,12 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, { struct vmw_private *dev_priv = vmw_priv(dev); struct vmw_framebuffer *vfb = NULL; - struct vmw_surface *surface = NULL; - struct vmw_bo *bo = NULL; + struct vmw_user_object uo = {0}; int ret; /* returns either a bo or surface */ - ret = vmw_user_lookup_handle(dev_priv, file_priv, - mode_cmd->handles[0], - &surface, &bo); + ret = vmw_user_object_lookup(dev_priv, file_priv, mode_cmd->handles[0], + &uo); if (ret) { DRM_ERROR("Invalid buffer object handle %u (0x%x).\n", mode_cmd->handles[0], mode_cmd->handles[0]); @@ -1650,7 +1499,7 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, } - if (!bo && + if (vmw_user_object_surface(&uo) && !vmw_kms_srf_ok(dev_priv, mode_cmd->width, mode_cmd->height)) { DRM_ERROR("Surface size cannot exceed %dx%d\n", dev_priv->texture_max_width, @@ -1659,20 +1508,15 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, } - vfb = vmw_kms_new_framebuffer(dev_priv, bo, surface, - !(dev_priv->capabilities & SVGA_CAP_3D), - mode_cmd); + vfb = vmw_kms_new_framebuffer(dev_priv, &uo, mode_cmd); if (IS_ERR(vfb)) { ret = PTR_ERR(vfb); goto err_out; } err_out: - /* vmw_user_lookup_handle takes one ref so does new_fb */ - if (bo) - vmw_user_bo_unref(&bo); - if (surface) - vmw_surface_unreference(&surface); + /* vmw_user_object_lookup takes one ref so does new_fb */ + vmw_user_object_unref(&uo); if (ret) { DRM_ERROR("failed to create vmw_framebuffer: %i\n", ret); @@ -2585,72 +2429,6 @@ void vmw_kms_helper_validation_finish(struct vmw_private *dev_priv, vmw_fence_obj_unreference(&fence); } -/** - * vmw_kms_update_proxy - Helper function to update a proxy surface from - * its backing MOB. - * - * @res: Pointer to the surface resource - * @clips: Clip rects in framebuffer (surface) space. - * @num_clips: Number of clips in @clips. - * @increment: Integer with which to increment the clip counter when looping. - * Used to skip a predetermined number of clip rects. - * - * This function makes sure the proxy surface is updated from its backing MOB - * using the region given by @clips. The surface resource @res and its backing - * MOB needs to be reserved and validated on call. - */ -int vmw_kms_update_proxy(struct vmw_resource *res, - const struct drm_clip_rect *clips, - unsigned num_clips, - int increment) -{ - struct vmw_private *dev_priv = res->dev_priv; - struct drm_vmw_size *size = &vmw_res_to_srf(res)->metadata.base_size; - struct { - SVGA3dCmdHeader header; - SVGA3dCmdUpdateGBImage body; - } *cmd; - SVGA3dBox *box; - size_t copy_size = 0; - int i; - - if (!clips) - return 0; - - cmd = VMW_CMD_RESERVE(dev_priv, sizeof(*cmd) * num_clips); - if (!cmd) - return -ENOMEM; - - for (i = 0; i < num_clips; ++i, clips += increment, ++cmd) { - box = &cmd->body.box; - - cmd->header.id = SVGA_3D_CMD_UPDATE_GB_IMAGE; - cmd->header.size = sizeof(cmd->body); - cmd->body.image.sid = res->id; - cmd->body.image.face = 0; - cmd->body.image.mipmap = 0; - - if (clips->x1 > size->width || clips->x2 > size->width || - clips->y1 > size->height || clips->y2 > size->height) { - DRM_ERROR("Invalid clips outsize of framebuffer.\n"); - return -EINVAL; - } - - box->x = clips->x1; - box->y = clips->y1; - box->z = 0; - box->w = clips->x2 - clips->x1; - box->h = clips->y2 - clips->y1; - box->d = 1; - - copy_size += sizeof(*cmd); - } - - vmw_cmd_commit(dev_priv, copy_size); - - return 0; -} - /** * vmw_kms_create_implicit_placement_property - Set up the implicit placement * property. @@ -2785,8 +2563,9 @@ int vmw_du_helper_plane_update(struct vmw_du_update_plane *update) } else { struct vmw_framebuffer_surface *vfbs = container_of(update->vfb, typeof(*vfbs), base); + struct vmw_surface *surf = vmw_user_object_surface(&vfbs->uo); - ret = vmw_validation_add_resource(&val_ctx, &vfbs->surface->res, + ret = vmw_validation_add_resource(&val_ctx, &surf->res, 0, VMW_RES_DIRTY_NONE, NULL, NULL); } @@ -2949,3 +2728,77 @@ int vmw_connector_get_modes(struct drm_connector *connector) return num_modes; } + +struct vmw_user_object *vmw_user_object_ref(struct vmw_user_object *uo) +{ + if (uo->buffer) + vmw_user_bo_ref(uo->buffer); + else if (uo->surface) + vmw_surface_reference(uo->surface); + return uo; +} + +void vmw_user_object_unref(struct vmw_user_object *uo) +{ + if (uo->buffer) + vmw_user_bo_unref(&uo->buffer); + else if (uo->surface) + vmw_surface_unreference(&uo->surface); +} + +struct vmw_bo * +vmw_user_object_buffer(struct vmw_user_object *uo) +{ + if (uo->buffer) + return uo->buffer; + else if (uo->surface) + return uo->surface->res.guest_memory_bo; + return NULL; +} + +struct vmw_surface * +vmw_user_object_surface(struct vmw_user_object *uo) +{ + if (uo->buffer) + return uo->buffer->dumb_surface; + return uo->surface; +} + +void *vmw_user_object_map(struct vmw_user_object *uo) +{ + struct vmw_bo *bo = vmw_user_object_buffer(uo); + + WARN_ON(!bo); + return vmw_bo_map_and_cache(bo); +} + +void *vmw_user_object_map_size(struct vmw_user_object *uo, size_t size) +{ + struct vmw_bo *bo = vmw_user_object_buffer(uo); + + WARN_ON(!bo); + return vmw_bo_map_and_cache_size(bo, size); +} + +void vmw_user_object_unmap(struct vmw_user_object *uo) +{ + struct vmw_bo *bo = vmw_user_object_buffer(uo); + + WARN_ON(!bo); + + vmw_bo_unmap(bo); +} + +bool vmw_user_object_is_mapped(struct vmw_user_object *uo) +{ + struct vmw_bo *bo = vmw_user_object_buffer(uo); + + WARN_ON(!bo); + + return (bo && bo->map.bo); +} + +bool vmw_user_object_is_null(struct vmw_user_object *uo) +{ + return !uo->buffer && !uo->surface; +} diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h index bf24f2f0dcfc..6141fadf81ef 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h @@ -1,7 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0 OR MIT */ /************************************************************************** * - * Copyright 2009-2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2009-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -221,11 +222,9 @@ struct vmw_framebuffer { struct vmw_framebuffer_surface { struct vmw_framebuffer base; - struct vmw_surface *surface; - bool is_bo_proxy; /* true if this is proxy surface for DMA buf */ + struct vmw_user_object uo; }; - struct vmw_framebuffer_bo { struct vmw_framebuffer base; struct vmw_bo *buffer; @@ -277,8 +276,7 @@ struct vmw_cursor_plane_state { */ struct vmw_plane_state { struct drm_plane_state base; - struct vmw_surface *surf; - struct vmw_bo *bo; + struct vmw_user_object uo; int content_fb_type; unsigned long bo_size; @@ -457,9 +455,7 @@ int vmw_kms_readback(struct vmw_private *dev_priv, uint32_t num_clips); struct vmw_framebuffer * vmw_kms_new_framebuffer(struct vmw_private *dev_priv, - struct vmw_bo *bo, - struct vmw_surface *surface, - bool only_2d, + struct vmw_user_object *uo, const struct drm_mode_fb_cmd2 *mode_cmd); void vmw_guess_mode_timing(struct drm_display_mode *mode); void vmw_kms_update_implicit_fb(struct vmw_private *dev_priv); @@ -486,8 +482,7 @@ void vmw_du_plane_reset(struct drm_plane *plane); struct drm_plane_state *vmw_du_plane_duplicate_state(struct drm_plane *plane); void vmw_du_plane_destroy_state(struct drm_plane *plane, struct drm_plane_state *state); -void vmw_du_plane_unpin_surf(struct vmw_plane_state *vps, - bool unreference); +void vmw_du_plane_unpin_surf(struct vmw_plane_state *vps); int vmw_du_crtc_atomic_check(struct drm_crtc *crtc, struct drm_atomic_state *state); diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c index 5befc2719a49..39949e0a493f 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c @@ -1,7 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /************************************************************************** * - * Copyright 2009-2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2009-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -147,8 +148,9 @@ static int vmw_ldu_fb_pin(struct vmw_framebuffer *vfb) struct vmw_bo *buf; int ret; - buf = vfb->bo ? vmw_framebuffer_to_vfbd(&vfb->base)->buffer : - vmw_framebuffer_to_vfbs(&vfb->base)->surface->res.guest_memory_bo; + buf = vfb->bo ? + vmw_framebuffer_to_vfbd(&vfb->base)->buffer : + vmw_user_object_buffer(&vmw_framebuffer_to_vfbs(&vfb->base)->uo); if (!buf) return 0; @@ -169,8 +171,10 @@ static int vmw_ldu_fb_unpin(struct vmw_framebuffer *vfb) struct vmw_private *dev_priv = vmw_priv(vfb->base.dev); struct vmw_bo *buf; - buf = vfb->bo ? vmw_framebuffer_to_vfbd(&vfb->base)->buffer : - vmw_framebuffer_to_vfbs(&vfb->base)->surface->res.guest_memory_bo; + buf = vfb->bo ? + vmw_framebuffer_to_vfbd(&vfb->base)->buffer : + vmw_user_object_buffer(&vmw_framebuffer_to_vfbs(&vfb->base)->uo); + if (WARN_ON(!buf)) return 0; diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_prime.c b/drivers/gpu/drm/vmwgfx/vmwgfx_prime.c index c99cad444991..598b90ac7590 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_prime.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_prime.c @@ -1,7 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /************************************************************************** * - * Copyright 2013 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2013-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -31,6 +32,7 @@ */ #include "vmwgfx_drv.h" +#include "vmwgfx_bo.h" #include "ttm_object.h" #include <linux/dma-buf.h> @@ -88,13 +90,35 @@ int vmw_prime_handle_to_fd(struct drm_device *dev, uint32_t handle, uint32_t flags, int *prime_fd) { + struct vmw_private *vmw = vmw_priv(dev); struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; + struct vmw_bo *vbo; int ret; + int surf_handle; - if (handle > VMWGFX_NUM_MOB) + if (handle > VMWGFX_NUM_MOB) { ret = ttm_prime_handle_to_fd(tfile, handle, flags, prime_fd); - else - ret = drm_gem_prime_handle_to_fd(dev, file_priv, handle, flags, prime_fd); + } else { + ret = vmw_user_bo_lookup(file_priv, handle, &vbo); + if (ret) + return ret; + if (vbo && vbo->is_dumb) { + ret = drm_gem_prime_handle_to_fd(dev, file_priv, handle, + flags, prime_fd); + } else { + surf_handle = vmw_lookup_surface_handle_for_buffer(vmw, + vbo, + handle); + if (surf_handle > 0) + ret = ttm_prime_handle_to_fd(tfile, surf_handle, + flags, prime_fd); + else + ret = drm_gem_prime_handle_to_fd(dev, file_priv, + handle, flags, + prime_fd); + } + vmw_user_bo_unref(&vbo); + } return ret; } diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c index 848dba09981b..a73af8a355fb 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c @@ -1,7 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /************************************************************************** * - * Copyright 2009-2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2009-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -58,6 +59,7 @@ void vmw_resource_mob_attach(struct vmw_resource *res) rb_link_node(&res->mob_node, parent, new); rb_insert_color(&res->mob_node, &gbo->res_tree); + vmw_bo_del_detached_resource(gbo, res); vmw_bo_prio_add(gbo, res->used_prio); } @@ -287,28 +289,35 @@ int vmw_user_resource_lookup_handle(struct vmw_private *dev_priv, * * The pointer this pointed at by out_surf and out_buf needs to be null. */ -int vmw_user_lookup_handle(struct vmw_private *dev_priv, +int vmw_user_object_lookup(struct vmw_private *dev_priv, struct drm_file *filp, - uint32_t handle, - struct vmw_surface **out_surf, - struct vmw_bo **out_buf) + u32 handle, + struct vmw_user_object *uo) { struct ttm_object_file *tfile = vmw_fpriv(filp)->tfile; struct vmw_resource *res; int ret; - BUG_ON(*out_surf || *out_buf); + WARN_ON(uo->surface || uo->buffer); ret = vmw_user_resource_lookup_handle(dev_priv, tfile, handle, user_surface_converter, &res); if (!ret) { - *out_surf = vmw_res_to_srf(res); + uo->surface = vmw_res_to_srf(res); return 0; } - *out_surf = NULL; - ret = vmw_user_bo_lookup(filp, handle, out_buf); + uo->surface = NULL; + ret = vmw_user_bo_lookup(filp, handle, &uo->buffer); + if (!ret && !uo->buffer->is_dumb) { + uo->surface = vmw_lookup_surface_for_buffer(dev_priv, + uo->buffer, + handle); + if (uo->surface) + vmw_user_bo_unref(&uo->buffer); + } + return ret; } diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c index df0039a8ef29..0f4bfd98480a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c @@ -1,7 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /************************************************************************** * - * Copyright 2011-2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2011-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -240,7 +241,7 @@ static void vmw_sou_crtc_mode_set_nofb(struct drm_crtc *crtc) struct vmw_connector_state *vmw_conn_state; int x, y; - sou->buffer = vps->bo; + sou->buffer = vmw_user_object_buffer(&vps->uo); conn_state = sou->base.connector.state; vmw_conn_state = vmw_connector_state_to_vcs(conn_state); @@ -376,10 +377,11 @@ vmw_sou_primary_plane_cleanup_fb(struct drm_plane *plane, struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state); struct drm_crtc *crtc = plane->state->crtc ? plane->state->crtc : old_state->crtc; + struct vmw_bo *bo = vmw_user_object_buffer(&vps->uo); - if (vps->bo) - vmw_bo_unpin(vmw_priv(crtc->dev), vps->bo, false); - vmw_bo_unreference(&vps->bo); + if (bo) + vmw_bo_unpin(vmw_priv(crtc->dev), bo, false); + vmw_user_object_unref(&vps->uo); vps->bo_size = 0; vmw_du_plane_cleanup_fb(plane, old_state); @@ -411,9 +413,10 @@ vmw_sou_primary_plane_prepare_fb(struct drm_plane *plane, .bo_type = ttm_bo_type_device, .pin = true }; + struct vmw_bo *bo = NULL; if (!new_fb) { - vmw_bo_unreference(&vps->bo); + vmw_user_object_unref(&vps->uo); vps->bo_size = 0; return 0; @@ -422,17 +425,17 @@ vmw_sou_primary_plane_prepare_fb(struct drm_plane *plane, bo_params.size = new_state->crtc_w * new_state->crtc_h * 4; dev_priv = vmw_priv(crtc->dev); - if (vps->bo) { + bo = vmw_user_object_buffer(&vps->uo); + if (bo) { if (vps->bo_size == bo_params.size) { /* * Note that this might temporarily up the pin-count * to 2, until cleanup_fb() is called. */ - return vmw_bo_pin_in_vram(dev_priv, vps->bo, - true); + return vmw_bo_pin_in_vram(dev_priv, bo, true); } - vmw_bo_unreference(&vps->bo); + vmw_user_object_unref(&vps->uo); vps->bo_size = 0; } @@ -442,7 +445,7 @@ vmw_sou_primary_plane_prepare_fb(struct drm_plane *plane, * resume the overlays, this is preferred to failing to alloc. */ vmw_overlay_pause_all(dev_priv); - ret = vmw_bo_create(dev_priv, &bo_params, &vps->bo); + ret = vmw_gem_object_create(dev_priv, &bo_params, &vps->uo.buffer); vmw_overlay_resume_all(dev_priv); if (ret) return ret; @@ -453,7 +456,7 @@ vmw_sou_primary_plane_prepare_fb(struct drm_plane *plane, * TTM already thinks the buffer is pinned, but make sure the * pin_count is upped. */ - return vmw_bo_pin_in_vram(dev_priv, vps->bo, true); + return vmw_bo_pin_in_vram(dev_priv, vps->uo.buffer, true); } static uint32_t vmw_sou_bo_fifo_size(struct vmw_du_update_plane *update, @@ -580,6 +583,7 @@ static uint32_t vmw_sou_surface_pre_clip(struct vmw_du_update_plane *update, { struct vmw_kms_sou_dirty_cmd *blit = cmd; struct vmw_framebuffer_surface *vfbs; + struct vmw_surface *surf = NULL; vfbs = container_of(update->vfb, typeof(*vfbs), base); @@ -587,7 +591,8 @@ static uint32_t vmw_sou_surface_pre_clip(struct vmw_du_update_plane *update, blit->header.size = sizeof(blit->body) + sizeof(SVGASignedRect) * num_hits; - blit->body.srcImage.sid = vfbs->surface->res.id; + surf = vmw_user_object_surface(&vfbs->uo); + blit->body.srcImage.sid = surf->res.id; blit->body.destScreenId = update->du->unit; /* Update the source and destination bounding box later in post_clip */ @@ -1104,7 +1109,7 @@ int vmw_kms_sou_do_surface_dirty(struct vmw_private *dev_priv, int ret; if (!srf) - srf = &vfbs->surface->res; + srf = &vmw_user_object_surface(&vfbs->uo)->res; ret = vmw_validation_add_resource(&val_ctx, srf, 0, VMW_RES_DIRTY_NONE, NULL, NULL); diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c index 2041c4d48daa..398a4ad0dbf0 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c @@ -1,7 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /****************************************************************************** * - * COPYRIGHT (C) 2014-2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2014-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -29,6 +30,7 @@ #include "vmwgfx_kms.h" #include "vmwgfx_vkms.h" #include "vmw_surface_cache.h" +#include <linux/fsnotify.h> #include <drm/drm_atomic.h> #include <drm/drm_atomic_helper.h> @@ -723,7 +725,7 @@ int vmw_kms_stdu_surface_dirty(struct vmw_private *dev_priv, int ret; if (!srf) - srf = &vfbs->surface->res; + srf = &vmw_user_object_surface(&vfbs->uo)->res; ret = vmw_validation_add_resource(&val_ctx, srf, 0, VMW_RES_DIRTY_NONE, NULL, NULL); @@ -734,12 +736,6 @@ int vmw_kms_stdu_surface_dirty(struct vmw_private *dev_priv, if (ret) goto out_unref; - if (vfbs->is_bo_proxy) { - ret = vmw_kms_update_proxy(srf, clips, num_clips, inc); - if (ret) - goto out_finish; - } - sdirty.base.fifo_commit = vmw_kms_stdu_surface_fifo_commit; sdirty.base.clip = vmw_kms_stdu_surface_clip; sdirty.base.fifo_reserve_size = sizeof(struct vmw_stdu_surface_copy) + @@ -753,7 +749,7 @@ int vmw_kms_stdu_surface_dirty(struct vmw_private *dev_priv, ret = vmw_kms_helper_dirty(dev_priv, framebuffer, clips, vclips, dest_x, dest_y, num_clips, inc, &sdirty.base); -out_finish: + vmw_kms_helper_validation_finish(dev_priv, NULL, &val_ctx, out_fence, NULL); @@ -872,9 +868,8 @@ vmw_stdu_primary_plane_cleanup_fb(struct drm_plane *plane, { struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state); - if (vps->surf) + if (vmw_user_object_surface(&vps->uo)) WARN_ON(!vps->pinned); - vmw_du_plane_cleanup_fb(plane, old_state); vps->content_fb_type = SAME_AS_DISPLAY; @@ -882,7 +877,6 @@ vmw_stdu_primary_plane_cleanup_fb(struct drm_plane *plane, } - /** * vmw_stdu_primary_plane_prepare_fb - Readies the display surface * @@ -906,13 +900,15 @@ vmw_stdu_primary_plane_prepare_fb(struct drm_plane *plane, enum stdu_content_type new_content_type; struct vmw_framebuffer_surface *new_vfbs; uint32_t hdisplay = new_state->crtc_w, vdisplay = new_state->crtc_h; + struct drm_plane_state *old_state = plane->state; + struct drm_rect rect; int ret; /* No FB to prepare */ if (!new_fb) { - if (vps->surf) { + if (vmw_user_object_surface(&vps->uo)) { WARN_ON(vps->pinned != 0); - vmw_surface_unreference(&vps->surf); + vmw_user_object_unref(&vps->uo); } return 0; @@ -922,8 +918,8 @@ vmw_stdu_primary_plane_prepare_fb(struct drm_plane *plane, new_vfbs = (vfb->bo) ? NULL : vmw_framebuffer_to_vfbs(new_fb); if (new_vfbs && - new_vfbs->surface->metadata.base_size.width == hdisplay && - new_vfbs->surface->metadata.base_size.height == vdisplay) + vmw_user_object_surface(&new_vfbs->uo)->metadata.base_size.width == hdisplay && + vmw_user_object_surface(&new_vfbs->uo)->metadata.base_size.height == vdisplay) new_content_type = SAME_AS_DISPLAY; else if (vfb->bo) new_content_type = SEPARATE_BO; @@ -961,29 +957,29 @@ vmw_stdu_primary_plane_prepare_fb(struct drm_plane *plane, metadata.num_sizes = 1; metadata.scanout = true; } else { - metadata = new_vfbs->surface->metadata; + metadata = vmw_user_object_surface(&new_vfbs->uo)->metadata; } metadata.base_size.width = hdisplay; metadata.base_size.height = vdisplay; metadata.base_size.depth = 1; - if (vps->surf) { + if (vmw_user_object_surface(&vps->uo)) { struct drm_vmw_size cur_base_size = - vps->surf->metadata.base_size; + vmw_user_object_surface(&vps->uo)->metadata.base_size; if (cur_base_size.width != metadata.base_size.width || cur_base_size.height != metadata.base_size.height || - vps->surf->metadata.format != metadata.format) { + vmw_user_object_surface(&vps->uo)->metadata.format != metadata.format) { WARN_ON(vps->pinned != 0); - vmw_surface_unreference(&vps->surf); + vmw_user_object_unref(&vps->uo); } } - if (!vps->surf) { + if (!vmw_user_object_surface(&vps->uo)) { ret = vmw_gb_surface_define(dev_priv, &metadata, - &vps->surf); + &vps->uo.surface); if (ret != 0) { DRM_ERROR("Couldn't allocate STDU surface.\n"); return ret; @@ -996,18 +992,19 @@ vmw_stdu_primary_plane_prepare_fb(struct drm_plane *plane, * The only time we add a reference in prepare_fb is if the * state object doesn't have a reference to begin with */ - if (vps->surf) { + if (vmw_user_object_surface(&vps->uo)) { WARN_ON(vps->pinned != 0); - vmw_surface_unreference(&vps->surf); + vmw_user_object_unref(&vps->uo); } - vps->surf = vmw_surface_reference(new_vfbs->surface); + memcpy(&vps->uo, &new_vfbs->uo, sizeof(vps->uo)); + vmw_user_object_ref(&vps->uo); } - if (vps->surf) { + if (vmw_user_object_surface(&vps->uo)) { /* Pin new surface before flipping */ - ret = vmw_resource_pin(&vps->surf->res, false); + ret = vmw_resource_pin(&vmw_user_object_surface(&vps->uo)->res, false); if (ret) goto out_srf_unref; @@ -1016,6 +1013,34 @@ vmw_stdu_primary_plane_prepare_fb(struct drm_plane *plane, vps->content_fb_type = new_content_type; + /* + * The drm fb code will do blit's via the vmap interface, which doesn't + * trigger vmw_bo page dirty tracking due to being kernel side (and thus + * doesn't require mmap'ing) so we have to update the surface's dirty + * regions by hand but we want to be careful to not overwrite the + * resource if it has been written to by the gpu (res_dirty). + */ + if (vps->uo.buffer && vps->uo.buffer->is_dumb) { + struct vmw_surface *surf = vmw_user_object_surface(&vps->uo); + struct vmw_resource *res = &surf->res; + + if (!res->res_dirty && drm_atomic_helper_damage_merged(old_state, + new_state, + &rect)) { + /* + * At some point it might be useful to actually translate + * (rect.x1, rect.y1) => start, and (rect.x2, rect.y2) => end, + * but currently the fb code will just report the entire fb + * dirty so in practice it doesn't matter. + */ + pgoff_t start = res->guest_memory_offset >> PAGE_SHIFT; + pgoff_t end = __KERNEL_DIV_ROUND_UP(res->guest_memory_offset + + res->guest_memory_size, + PAGE_SIZE); + vmw_resource_dirty_update(res, start, end); + } + } + /* * This should only happen if the buffer object is too large to create a * proxy surface for. @@ -1026,7 +1051,7 @@ vmw_stdu_primary_plane_prepare_fb(struct drm_plane *plane, return 0; out_srf_unref: - vmw_surface_unreference(&vps->surf); + vmw_user_object_unref(&vps->uo); return ret; } @@ -1168,14 +1193,8 @@ static uint32_t vmw_stdu_surface_fifo_size_same_display(struct vmw_du_update_plane *update, uint32_t num_hits) { - struct vmw_framebuffer_surface *vfbs; uint32_t size = 0; - vfbs = container_of(update->vfb, typeof(*vfbs), base); - - if (vfbs->is_bo_proxy) - size += sizeof(struct vmw_stdu_update_gb_image) * num_hits; - size += sizeof(struct vmw_stdu_update); return size; @@ -1184,61 +1203,14 @@ vmw_stdu_surface_fifo_size_same_display(struct vmw_du_update_plane *update, static uint32_t vmw_stdu_surface_fifo_size(struct vmw_du_update_plane *update, uint32_t num_hits) { - struct vmw_framebuffer_surface *vfbs; uint32_t size = 0; - vfbs = container_of(update->vfb, typeof(*vfbs), base); - - if (vfbs->is_bo_proxy) - size += sizeof(struct vmw_stdu_update_gb_image) * num_hits; - size += sizeof(struct vmw_stdu_surface_copy) + sizeof(SVGA3dCopyBox) * num_hits + sizeof(struct vmw_stdu_update); return size; } -static uint32_t -vmw_stdu_surface_update_proxy(struct vmw_du_update_plane *update, void *cmd) -{ - struct vmw_framebuffer_surface *vfbs; - struct drm_plane_state *state = update->plane->state; - struct drm_plane_state *old_state = update->old_state; - struct vmw_stdu_update_gb_image *cmd_update = cmd; - struct drm_atomic_helper_damage_iter iter; - struct drm_rect clip; - uint32_t copy_size = 0; - - vfbs = container_of(update->vfb, typeof(*vfbs), base); - - /* - * proxy surface is special where a buffer object type fb is wrapped - * in a surface and need an update gb image command to sync with device. - */ - drm_atomic_helper_damage_iter_init(&iter, old_state, state); - drm_atomic_for_each_plane_damage(&iter, &clip) { - SVGA3dBox *box = &cmd_update->body.box; - - cmd_update->header.id = SVGA_3D_CMD_UPDATE_GB_IMAGE; - cmd_update->header.size = sizeof(cmd_update->body); - cmd_update->body.image.sid = vfbs->surface->res.id; - cmd_update->body.image.face = 0; - cmd_update->body.image.mipmap = 0; - - box->x = clip.x1; - box->y = clip.y1; - box->z = 0; - box->w = drm_rect_width(&clip); - box->h = drm_rect_height(&clip); - box->d = 1; - - copy_size += sizeof(*cmd_update); - cmd_update++; - } - - return copy_size; -} - static uint32_t vmw_stdu_surface_populate_copy(struct vmw_du_update_plane *update, void *cmd, uint32_t num_hits) @@ -1253,7 +1225,7 @@ vmw_stdu_surface_populate_copy(struct vmw_du_update_plane *update, void *cmd, cmd_copy->header.id = SVGA_3D_CMD_SURFACE_COPY; cmd_copy->header.size = sizeof(cmd_copy->body) + sizeof(SVGA3dCopyBox) * num_hits; - cmd_copy->body.src.sid = vfbs->surface->res.id; + cmd_copy->body.src.sid = vmw_user_object_surface(&vfbs->uo)->res.id; cmd_copy->body.dest.sid = stdu->display_srf->res.id; return sizeof(*cmd_copy); @@ -1324,10 +1296,7 @@ static int vmw_stdu_plane_update_surface(struct vmw_private *dev_priv, srf_update.mutex = &dev_priv->cmdbuf_mutex; srf_update.intr = true; - if (vfbs->is_bo_proxy) - srf_update.post_prepare = vmw_stdu_surface_update_proxy; - - if (vfbs->surface->res.id != stdu->display_srf->res.id) { + if (vmw_user_object_surface(&vfbs->uo)->res.id != stdu->display_srf->res.id) { srf_update.calc_fifo_size = vmw_stdu_surface_fifo_size; srf_update.pre_clip = vmw_stdu_surface_populate_copy; srf_update.clip = vmw_stdu_surface_populate_clip; @@ -1371,7 +1340,7 @@ vmw_stdu_primary_plane_atomic_update(struct drm_plane *plane, stdu = vmw_crtc_to_stdu(crtc); dev_priv = vmw_priv(crtc->dev); - stdu->display_srf = vps->surf; + stdu->display_srf = vmw_user_object_surface(&vps->uo); stdu->content_fb_type = vps->content_fb_type; stdu->cpp = vps->cpp; diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index e7a744dfcecf..223e58415fb9 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -1,7 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /************************************************************************** * - * Copyright 2009-2023 VMware, Inc., Palo Alto, CA., USA + * Copyright (c) 2009-2024 Broadcom. All Rights Reserved. The term + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the @@ -36,9 +37,6 @@ #include <drm/ttm/ttm_placement.h> #define SVGA3D_FLAGS_64(upper32, lower32) (((uint64_t)upper32 << 32) | lower32) -#define SVGA3D_FLAGS_UPPER_32(svga3d_flags) (svga3d_flags >> 32) -#define SVGA3D_FLAGS_LOWER_32(svga3d_flags) \ - (svga3d_flags & ((uint64_t)U32_MAX)) /** * struct vmw_user_surface - User-space visible surface resource @@ -686,6 +684,14 @@ static void vmw_user_surface_base_release(struct ttm_base_object **p_base) struct vmw_resource *res = &user_srf->srf.res; *p_base = NULL; + + /* + * Dumb buffers own the resource and they'll unref the + * resource themselves + */ + if (res && res->guest_memory_bo && res->guest_memory_bo->is_dumb) + return; + vmw_resource_unreference(&res); } @@ -864,6 +870,7 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, vmw_resource_unreference(&res); goto out_unlock; } + vmw_bo_add_detached_resource(res->guest_memory_bo, res); } tmp = vmw_resource_reference(&srf->res); @@ -892,6 +899,113 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, return ret; } +static struct vmw_user_surface * +vmw_lookup_user_surface_for_buffer(struct vmw_private *vmw, struct vmw_bo *bo, + u32 handle) +{ + struct vmw_user_surface *user_srf = NULL; + struct vmw_surface *surf; + struct ttm_base_object *base; + + surf = vmw_bo_surface(bo); + if (surf) { + rcu_read_lock(); + user_srf = container_of(surf, struct vmw_user_surface, srf); + base = &user_srf->prime.base; + if (base && !kref_get_unless_zero(&base->refcount)) { + drm_dbg_driver(&vmw->drm, + "%s: referencing a stale surface handle %d\n", + __func__, handle); + base = NULL; + user_srf = NULL; + } + rcu_read_unlock(); + } + + return user_srf; +} + +struct vmw_surface *vmw_lookup_surface_for_buffer(struct vmw_private *vmw, + struct vmw_bo *bo, + u32 handle) +{ + struct vmw_user_surface *user_srf = + vmw_lookup_user_surface_for_buffer(vmw, bo, handle); + struct vmw_surface *surf = NULL; + struct ttm_base_object *base; + + if (user_srf) { + surf = vmw_surface_reference(&user_srf->srf); + base = &user_srf->prime.base; + ttm_base_object_unref(&base); + } + return surf; +} + +u32 vmw_lookup_surface_handle_for_buffer(struct vmw_private *vmw, + struct vmw_bo *bo, + u32 handle) +{ + struct vmw_user_surface *user_srf = + vmw_lookup_user_surface_for_buffer(vmw, bo, handle); + int surf_handle = 0; + struct ttm_base_object *base; + + if (user_srf) { + base = &user_srf->prime.base; + surf_handle = (u32)base->handle; + ttm_base_object_unref(&base); + } + return surf_handle; +} + +static int vmw_buffer_prime_to_surface_base(struct vmw_private *dev_priv, + struct drm_file *file_priv, + u32 fd, u32 *handle, + struct ttm_base_object **base_p) +{ + struct ttm_base_object *base; + struct vmw_bo *bo; + struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; + struct vmw_user_surface *user_srf; + int ret; + + ret = drm_gem_prime_fd_to_handle(&dev_priv->drm, file_priv, fd, handle); + if (ret) { + drm_warn(&dev_priv->drm, + "Wasn't able to find user buffer for fd = %u.\n", fd); + return ret; + } + + ret = vmw_user_bo_lookup(file_priv, *handle, &bo); + if (ret) { + drm_warn(&dev_priv->drm, + "Wasn't able to lookup user buffer for handle = %u.\n", *handle); + return ret; + } + + user_srf = vmw_lookup_user_surface_for_buffer(dev_priv, bo, *handle); + if (WARN_ON(!user_srf)) { + drm_warn(&dev_priv->drm, + "User surface fd %d (handle %d) is null.\n", fd, *handle); + ret = -EINVAL; + goto out; + } + + base = &user_srf->prime.base; + ret = ttm_ref_object_add(tfile, base, NULL, false); + if (ret) { + drm_warn(&dev_priv->drm, + "Couldn't add an object ref for the buffer (%d).\n", *handle); + goto out; + } + + *base_p = base; +out: + vmw_user_bo_unref(&bo); + + return ret; +} static int vmw_surface_handle_reference(struct vmw_private *dev_priv, @@ -901,15 +1015,19 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv, struct ttm_base_object **base_p) { struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; - struct vmw_user_surface *user_srf; + struct vmw_user_surface *user_srf = NULL; uint32_t handle; struct ttm_base_object *base; int ret; if (handle_type == DRM_VMW_HANDLE_PRIME) { ret = ttm_prime_fd_to_handle(tfile, u_handle, &handle); - if (unlikely(ret != 0)) - return ret; + if (ret) + return vmw_buffer_prime_to_surface_base(dev_priv, + file_priv, + u_handle, + &handle, + base_p); } else { handle = u_handle; } @@ -1503,7 +1621,12 @@ vmw_gb_surface_define_internal(struct drm_device *dev, ret = vmw_user_bo_lookup(file_priv, req->base.buffer_handle, &res->guest_memory_bo); if (ret == 0) { - if (res->guest_memory_bo->tbo.base.size < res->guest_memory_size) { + if (res->guest_memory_bo->is_dumb) { + VMW_DEBUG_USER("Can't backup surface with a dumb buffer.\n"); + vmw_user_bo_unref(&res->guest_memory_bo); + ret = -EINVAL; + goto out_unlock; + } else if (res->guest_memory_bo->tbo.base.size < res->guest_memory_size) { VMW_DEBUG_USER("Surface backup buffer too small.\n"); vmw_user_bo_unref(&res->guest_memory_bo); ret = -EINVAL; @@ -1560,6 +1683,7 @@ vmw_gb_surface_define_internal(struct drm_device *dev, rep->handle = user_srf->prime.base.handle; rep->backup_size = res->guest_memory_size; if (res->guest_memory_bo) { + vmw_bo_add_detached_resource(res->guest_memory_bo, res); rep->buffer_map_handle = drm_vma_node_offset_addr(&res->guest_memory_bo->tbo.base.vma_node); rep->buffer_size = res->guest_memory_bo->tbo.base.size; @@ -2100,3 +2224,140 @@ int vmw_gb_surface_define(struct vmw_private *dev_priv, out_unlock: return ret; } + +static SVGA3dSurfaceFormat vmw_format_bpp_to_svga(struct vmw_private *vmw, + int bpp) +{ + switch (bpp) { + case 8: /* DRM_FORMAT_C8 */ + return SVGA3D_P8; + case 16: /* DRM_FORMAT_RGB565 */ + return SVGA3D_R5G6B5; + case 32: /* DRM_FORMAT_XRGB8888 */ + if (has_sm4_context(vmw)) + return SVGA3D_B8G8R8X8_UNORM; + return SVGA3D_X8R8G8B8; + default: + drm_warn(&vmw->drm, "Unsupported format bpp: %d\n", bpp); + return SVGA3D_X8R8G8B8; + } +} + +/** + * vmw_dumb_create - Create a dumb kms buffer + * + * @file_priv: Pointer to a struct drm_file identifying the caller. + * @dev: Pointer to the drm device. + * @args: Pointer to a struct drm_mode_create_dumb structure + * Return: Zero on success, negative error code on failure. + * + * This is a driver callback for the core drm create_dumb functionality. + * Note that this is very similar to the vmw_bo_alloc ioctl, except + * that the arguments have a different format. + */ +int vmw_dumb_create(struct drm_file *file_priv, + struct drm_device *dev, + struct drm_mode_create_dumb *args) +{ + struct vmw_private *dev_priv = vmw_priv(dev); + struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; + struct vmw_bo *vbo = NULL; + struct vmw_resource *res = NULL; + union drm_vmw_gb_surface_create_ext_arg arg = { 0 }; + struct drm_vmw_gb_surface_create_ext_req *req = &arg.req; + int ret; + struct drm_vmw_size drm_size = { + .width = args->width, + .height = args->height, + .depth = 1, + }; + SVGA3dSurfaceFormat format = vmw_format_bpp_to_svga(dev_priv, args->bpp); + const struct SVGA3dSurfaceDesc *desc = vmw_surface_get_desc(format); + SVGA3dSurfaceAllFlags flags = SVGA3D_SURFACE_HINT_TEXTURE | + SVGA3D_SURFACE_HINT_RENDERTARGET | + SVGA3D_SURFACE_SCREENTARGET | + SVGA3D_SURFACE_BIND_SHADER_RESOURCE | + SVGA3D_SURFACE_BIND_RENDER_TARGET; + + /* + * Without mob support we're just going to use raw memory buffer + * because we wouldn't be able to support full surface coherency + * without mobs + */ + if (!dev_priv->has_mob) { + int cpp = DIV_ROUND_UP(args->bpp, 8); + + switch (cpp) { + case 1: /* DRM_FORMAT_C8 */ + case 2: /* DRM_FORMAT_RGB565 */ + case 4: /* DRM_FORMAT_XRGB8888 */ + break; + default: + /* + * Dumb buffers don't allow anything else. + * This is tested via IGT's dumb_buffers + */ + return -EINVAL; + } + + args->pitch = args->width * cpp; + args->size = ALIGN(args->pitch * args->height, PAGE_SIZE); + + ret = vmw_gem_object_create_with_handle(dev_priv, file_priv, + args->size, &args->handle, + &vbo); + /* drop reference from allocate - handle holds it now */ + drm_gem_object_put(&vbo->tbo.base); + return ret; + } + + req->version = drm_vmw_gb_surface_v1; + req->multisample_pattern = SVGA3D_MS_PATTERN_NONE; + req->quality_level = SVGA3D_MS_QUALITY_NONE; + req->buffer_byte_stride = 0; + req->must_be_zero = 0; + req->base.svga3d_flags = SVGA3D_FLAGS_LOWER_32(flags); + req->svga3d_flags_upper_32_bits = SVGA3D_FLAGS_UPPER_32(flags); + req->base.format = (uint32_t)format; + req->base.drm_surface_flags = drm_vmw_surface_flag_scanout; + req->base.drm_surface_flags |= drm_vmw_surface_flag_shareable; + req->base.drm_surface_flags |= drm_vmw_surface_flag_create_buffer; + req->base.drm_surface_flags |= drm_vmw_surface_flag_coherent; + req->base.base_size.width = args->width; + req->base.base_size.height = args->height; + req->base.base_size.depth = 1; + req->base.array_size = 0; + req->base.mip_levels = 1; + req->base.multisample_count = 0; + req->base.buffer_handle = SVGA3D_INVALID_ID; + req->base.autogen_filter = SVGA3D_TEX_FILTER_NONE; + ret = vmw_gb_surface_define_ext_ioctl(dev, &arg, file_priv); + if (ret) { + drm_warn(dev, "Unable to create a dumb buffer\n"); + return ret; + } + + args->handle = arg.rep.buffer_handle; + args->size = arg.rep.buffer_size; + args->pitch = vmw_surface_calculate_pitch(desc, &drm_size); + + ret = vmw_user_resource_lookup_handle(dev_priv, tfile, arg.rep.handle, + user_surface_converter, + &res); + if (ret) { + drm_err(dev, "Created resource handle doesn't exist!\n"); + goto err; + } + + vbo = res->guest_memory_bo; + vbo->is_dumb = true; + vbo->dumb_surface = vmw_res_to_srf(res); + +err: + if (res) + vmw_resource_unreference(&res); + if (ret) + ttm_ref_object_base_unref(tfile, arg.rep.handle); + + return ret; +} -- 2.40.1

1 year, 2 months

1
0
0 0

[PATCH v4 0/5] Pinephone video out fixes (flipping between two frames)

by Frank Oltmanns

On some pinephones the video output sometimes freezes (flips between two frames) [1]. It seems to be that the reason for this behaviour is that PLL-MIPI is outside its limits, and the GPU is not running at a fixed rate. In this patch series I propose the following changes: 1. sunxi-ng: Adhere to the following constraints given in the Allwinner A64 Manual regarding PLL-MIPI: * M/N <= 3 * (PLL_VIDEO0)/M >= 24MHz * 500MHz <= clockrate <= 1400MHz 2. Remove two operating points from the A64 DTS OPPs, so that the GPU runs at a fixed rate of 432 MHz. Note, that when pinning the GPU to 432 MHz the issue [1] completely disappears for me. I've searched the BSP and could not find any indication that supports the idea of having the three OPPs. The only frequency I found in the BPSs for A64 is 432 MHz, which has also proven stable for me. I very much appreciate your feedback! [1] https://gitlab.com/postmarketOS/pmaports/-/issues/805 Signed-off-by: Frank Oltmanns <frank(a)oltmanns.dev> --- Changes in v4: - sunxi-ng: common: Address review comments. - Link to v3: https://lore.kernel.org/r/20240304-pinephone-pll-fixes-v3-0-94ab828f269a@ol… Changes in v3: - dts: Pin GPU to 432 MHz. - nkm and a64: Move minimum and maximum rate handling to the common part of the sunxi-ng driver. - Removed st7703 patch from series. - Link to v2: https://lore.kernel.org/r/20240205-pinephone-pll-fixes-v2-0-96a46a2d8c9b@ol… Changes in v2: - dts: Increase minimum GPU frequency to 192 MHz. - nkm and a64: Add minimum and maximum rate for PLL-MIPI. - nkm: Use the same approach for skipping invalid rates in ccu_nkm_find_best() as in ccu_nkm_find_best_with_parent_adj(). - nkm: Improve names for ratio struct members and hence get rid of describing comments. - nkm and a64: Correct description in the commit messages: M/N <= 3 - Remove patches for nm as they were not needed. - st7703: Rework the commit message to cover more background for the change. - Link to v1: https://lore.kernel.org/r/20231218-pinephone-pll-fixes-v1-0-e238b6ed6dc1@ol… --- Frank Oltmanns (5): clk: sunxi-ng: common: Support minimum and maximum rate clk: sunxi-ng: a64: Set minimum and maximum rate for PLL-MIPI clk: sunxi-ng: nkm: Support constraints on m/n ratio and parent rate clk: sunxi-ng: a64: Add constraints on PLL-MIPI's n/m ratio and parent rate arm64: dts: allwinner: a64: Run GPU at 432 MHz arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 8 -------- drivers/clk/sunxi-ng/ccu-sun50i-a64.c | 14 +++++++++----- drivers/clk/sunxi-ng/ccu_common.c | 19 +++++++++++++++++++ drivers/clk/sunxi-ng/ccu_common.h | 3 +++ drivers/clk/sunxi-ng/ccu_nkm.c | 21 +++++++++++++++++++++ drivers/clk/sunxi-ng/ccu_nkm.h | 2 ++ 6 files changed, 54 insertions(+), 13 deletions(-) --- base-commit: dcb6c8ee6acc6c347caec1e73fb900c0f4ff9806 change-id: 20231218-pinephone-pll-fixes-0ccdfde273e4 Best regards, -- Frank Oltmanns <frank(a)oltmanns.dev>

1 year, 2 months

9
20
0 0

+ mm-shmem-disable-pmd-sized-page-cache-if-needed.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/shmem: disable PMD-sized page cache if needed has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-shmem-disable-pmd-sized-page-cache-if-needed.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Gavin Shan <gshan(a)redhat.com> Subject: mm/shmem: disable PMD-sized page cache if needed Date: Thu, 27 Jun 2024 10:39:52 +1000 For shmem files, it's possible that PMD-sized page cache can't be supported by xarray. For example, 512MB page cache on ARM64 when the base page size is 64KB can't be supported by xarray. It leads to errors as the following messages indicate when this sort of xarray entry is split. WARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 \ nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject \ nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs \ libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net \ net_failover virtio_console virtio_blk failover dimlib virtio_mmio CPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x720 sp : ffff8000882af5f0 x29: ffff8000882af5f0 x28: ffff8000882af650 x27: ffff8000882af768 x26: 0000000000000cc0 x25: 000000000000000d x24: ffff00010625b858 x23: ffff8000882af650 x22: ffffffdfc0900000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0900000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000018000000000 x15: 52f8004000000000 x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020 x11: 52f8000000000000 x10: 52f8e1c0ffff6000 x9 : ffffbeb9619a681c x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00010b02ddb0 x5 : ffffbeb96395e378 x4 : 0000000000000000 x3 : 0000000000000cc0 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x720 truncate_inode_partial_folio+0xdc/0x160 shmem_undo_range+0x2bc/0x6a8 shmem_fallocate+0x134/0x430 vfs_fallocate+0x124/0x2e8 ksys_fallocate+0x4c/0xa0 __arm64_sys_fallocate+0x24/0x38 invoke_syscall.constprop.0+0x7c/0xd8 do_el0_svc+0xb4/0xd0 el0_svc+0x44/0x1d8 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x17c/0x180 Fix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger than MAX_PAGECACHE_ORDER. As Matthew Wilcox pointed, the page cache in a shmem file isn't represented by a multi-index entry and doesn't have this limitation when the xarry entry is split until commit 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache"). Link: https://lkml.kernel.org/r/20240627003953.1262512-5-gshan@redhat.com Fixes: 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache") Signed-off-by: Gavin Shan <gshan(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Darrick J. Wong <djwong(a)kernel.org> Cc: Don Dutile <ddutile(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: William Kucharski <william.kucharski(a)oracle.com> Cc: Zhenyu Zhang <zhenyzha(a)redhat.com> Cc: <stable(a)vger.kernel.org> [5.17+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) --- a/mm/shmem.c~mm-shmem-disable-pmd-sized-page-cache-if-needed +++ a/mm/shmem.c @@ -541,8 +541,9 @@ static bool shmem_confirm_swap(struct ad static int shmem_huge __read_mostly = SHMEM_HUGE_NEVER; -bool shmem_is_huge(struct inode *inode, pgoff_t index, bool shmem_huge_force, - struct mm_struct *mm, unsigned long vm_flags) +static bool __shmem_is_huge(struct inode *inode, pgoff_t index, + bool shmem_huge_force, struct mm_struct *mm, + unsigned long vm_flags) { loff_t i_size; @@ -573,6 +574,16 @@ bool shmem_is_huge(struct inode *inode, } } +bool shmem_is_huge(struct inode *inode, pgoff_t index, + bool shmem_huge_force, struct mm_struct *mm, + unsigned long vm_flags) +{ + if (HPAGE_PMD_ORDER > MAX_PAGECACHE_ORDER) + return false; + + return __shmem_is_huge(inode, index, shmem_huge_force, mm, vm_flags); +} + #if defined(CONFIG_SYSFS) static int shmem_parse_huge(const char *str) { _ Patches currently in -mm which might be from gshan(a)redhat.com are mm-filemap-make-max_pagecache_order-acceptable-to-xarray.patch mm-readahead-limit-page-cache-size-in-page_cache_ra_order.patch mm-filemap-skip-to-create-pmd-sized-page-cache-if-needed.patch mm-shmem-disable-pmd-sized-page-cache-if-needed.patch

1 year, 2 months

1
0
0 0

+ mm-filemap-skip-to-create-pmd-sized-page-cache-if-needed.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/filemap: skip to create PMD-sized page cache if needed has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-filemap-skip-to-create-pmd-sized-page-cache-if-needed.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Gavin Shan <gshan(a)redhat.com> Subject: mm/filemap: skip to create PMD-sized page cache if needed Date: Thu, 27 Jun 2024 10:39:51 +1000 On ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The PMD-sized page cache can't be supported by xarray as the following error messages indicate. ------------[ cut here ]------------ WARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \ nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \ nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \ fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \ sha1_ce virtio_net net_failover virtio_console virtio_blk failover \ dimlib virtio_mmio CPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x720 sp : ffff800087a4f6c0 x29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff x26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858 x23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000 x17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000 x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020 x11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28 x8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8 x5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x720 truncate_inode_partial_folio+0xdc/0x160 truncate_inode_pages_range+0x1b4/0x4a8 truncate_pagecache_range+0x84/0xa0 xfs_flush_unmap_range+0x70/0x90 [xfs] xfs_file_fallocate+0xfc/0x4d8 [xfs] vfs_fallocate+0x124/0x2e8 ksys_fallocate+0x4c/0xa0 __arm64_sys_fallocate+0x24/0x38 invoke_syscall.constprop.0+0x7c/0xd8 do_el0_svc+0xb4/0xd0 el0_svc+0x44/0x1d8 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x17c/0x180 Fix it by skipping to allocate PMD-sized page cache when its size is larger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to regular path where the readahead window is determined by BDI's sysfs file (read_ahead_kb). Link: https://lkml.kernel.org/r/20240627003953.1262512-4-gshan@redhat.com Fixes: 4687fdbb805a ("mm/filemap: Support VM_HUGEPAGE for file mappings") Signed-off-by: Gavin Shan <gshan(a)redhat.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Darrick J. Wong <djwong(a)kernel.org> Cc: Don Dutile <ddutile(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: William Kucharski <william.kucharski(a)oracle.com> Cc: Zhenyu Zhang <zhenyzha(a)redhat.com> Cc: <stable(a)vger.kernel.org> [5.18+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/filemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/filemap.c~mm-filemap-skip-to-create-pmd-sized-page-cache-if-needed +++ a/mm/filemap.c @@ -3124,7 +3124,7 @@ static struct file *do_sync_mmap_readahe #ifdef CONFIG_TRANSPARENT_HUGEPAGE /* Use the readahead code, even if readahead is disabled */ - if (vm_flags & VM_HUGEPAGE) { + if ((vm_flags & VM_HUGEPAGE) && HPAGE_PMD_ORDER <= MAX_PAGECACHE_ORDER) { fpin = maybe_unlock_mmap_for_io(vmf, fpin); ractl._index &= ~((unsigned long)HPAGE_PMD_NR - 1); ra->size = HPAGE_PMD_NR; _ Patches currently in -mm which might be from gshan(a)redhat.com are mm-filemap-make-max_pagecache_order-acceptable-to-xarray.patch mm-readahead-limit-page-cache-size-in-page_cache_ra_order.patch mm-filemap-skip-to-create-pmd-sized-page-cache-if-needed.patch mm-shmem-disable-pmd-sized-page-cache-if-needed.patch

1 year, 2 months

1
0
0 0

+ mm-filemap-make-max_pagecache_order-acceptable-to-xarray.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-filemap-make-max_pagecache_order-acceptable-to-xarray.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Gavin Shan <gshan(a)redhat.com> Subject: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray Date: Thu, 27 Jun 2024 10:39:49 +1000 Patch series "mm/filemap: Limit page cache size to that supported by xarray", v2. Currently, xarray can't support arbitrary page cache size. More details can be found from the WARN_ON() statement in xas_split_alloc(). In our test whose code is attached below, we hit the WARN_ON() on ARM64 system where the base page size is 64KB and huge page size is 512MB. The issue was reported long time ago and some discussions on it can be found here [1]. [1] https://www.spinics.net/lists/linux-xfs/msg75404.html In order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one supported by xarray and avoid PMD-sized page cache if needed. The code changes are suggested by David Hildenbrand. PATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray PATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path PATCH[4] avoids PMD-sized page cache for shmem files if needed Test program ============ # cat test.c #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <fcntl.h> #include <errno.h> #include <sys/syscall.h> #include <sys/mman.h> #define TEST_XFS_FILENAME "/tmp/data" #define TEST_SHMEM_FILENAME "/dev/shm/data" #define TEST_MEM_SIZE 0x20000000 int main(int argc, char **argv) { const char *filename; int fd = 0; void *buf = (void *)-1, *p; int pgsize = getpagesize(); int ret; if (pgsize != 0x10000) { fprintf(stderr, "64KB base page size is required\n"); return -EPERM; } system("echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled"); system("rm -fr /tmp/data"); system("rm -fr /dev/shm/data"); system("echo 1 > /proc/sys/vm/drop_caches"); /* Open xfs or shmem file */ filename = TEST_XFS_FILENAME; if (argc > 1 && !strcmp(argv[1], "shmem")) filename = TEST_SHMEM_FILENAME; fd = open(filename, O_CREAT | O_RDWR | O_TRUNC); if (fd < 0) { fprintf(stderr, "Unable to open <%s>\n", filename); return -EIO; } /* Extend file size */ ret = ftruncate(fd, TEST_MEM_SIZE); if (ret) { fprintf(stderr, "Error %d to ftruncate()\n", ret); goto cleanup; } /* Create VMA */ buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); if (buf == (void *)-1) { fprintf(stderr, "Unable to mmap <%s>\n", filename); goto cleanup; } fprintf(stdout, "mapped buffer at 0x%p\n", buf); ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE); if (ret) { fprintf(stderr, "Unable to madvise(MADV_HUGEPAGE)\n"); goto cleanup; } /* Populate VMA */ ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE); if (ret) { fprintf(stderr, "Error %d to madvise(MADV_POPULATE_WRITE)\n", ret); goto cleanup; } /* Punch the file to enforce xarray split */ ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, TEST_MEM_SIZE - pgsize, pgsize); if (ret) fprintf(stderr, "Error %d to fallocate()\n", ret); cleanup: if (buf != (void *)-1) munmap(buf, TEST_MEM_SIZE); if (fd > 0) close(fd); return 0; } # gcc test.c -o test # cat /proc/1/smaps | grep KernelPageSize | head -n 1 KernelPageSize: 64 kB # ./test shmem : ------------[ cut here ]------------ WARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \ nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \ nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \ drm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \ virtio_net sha1_ce net_failover failover virtio_console virtio_blk \ dimlib virtio_mmio CPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x720 sp : ffff80008a92f5b0 x29: ffff80008a92f5b0 x28: ffff80008a92f610 x27: ffff80008a92f728 x26: 0000000000000cc0 x25: 000000000000000d x24: ffff0000cf00c858 x23: ffff80008a92f610 x22: ffffffdfc0600000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0600000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000018000000000 x15: 3374004000000000 x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020 x11: 3374000000000000 x10: 3374e1c0ffff6000 x9 : ffffb463a84c681c x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00011c976ce0 x5 : ffffb463aa47e378 x4 : 0000000000000000 x3 : 0000000000000cc0 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x720 truncate_inode_partial_folio+0xdc/0x160 shmem_undo_range+0x2bc/0x6a8 shmem_fallocate+0x134/0x430 vfs_fallocate+0x124/0x2e8 ksys_fallocate+0x4c/0xa0 __arm64_sys_fallocate+0x24/0x38 invoke_syscall.constprop.0+0x7c/0xd8 do_el0_svc+0xb4/0xd0 el0_svc+0x44/0x1d8 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x17c/0x180 This patch (of 4): The largest page cache order can be HPAGE_PMD_ORDER (13) on ARM64 with 64KB base page size. The xarray entry with this order can't be split as the following error messages indicate. ------------[ cut here ]------------ WARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \ nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \ nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \ fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \ sha1_ce virtio_net net_failover virtio_console virtio_blk failover \ dimlib virtio_mmio CPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x720 sp : ffff800087a4f6c0 x29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff x26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858 x23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000 x17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000 x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020 x11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28 x8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8 x5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x720 truncate_inode_partial_folio+0xdc/0x160 truncate_inode_pages_range+0x1b4/0x4a8 truncate_pagecache_range+0x84/0xa0 xfs_flush_unmap_range+0x70/0x90 [xfs] xfs_file_fallocate+0xfc/0x4d8 [xfs] vfs_fallocate+0x124/0x2e8 ksys_fallocate+0x4c/0xa0 __arm64_sys_fallocate+0x24/0x38 invoke_syscall.constprop.0+0x7c/0xd8 do_el0_svc+0xb4/0xd0 el0_svc+0x44/0x1d8 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x17c/0x180 Fix it by decreasing MAX_PAGECACHE_ORDER to the largest supported order by xarray. For this specific case, MAX_PAGECACHE_ORDER is dropped from 13 to 11 when CONFIG_BASE_SMALL is disabled. Link: https://lkml.kernel.org/r/20240627003953.1262512-1-gshan@redhat.com Link: https://lkml.kernel.org/r/20240627003953.1262512-2-gshan@redhat.com Fixes: 793917d997df ("mm/readahead: Add large folio readahead") Signed-off-by: Gavin Shan <gshan(a)redhat.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Darrick J. Wong <djwong(a)kernel.org> Cc: Don Dutile <ddutile(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: William Kucharski <william.kucharski(a)oracle.com> Cc: Zhenyu Zhang <zhenyzha(a)redhat.com> Cc: <stable(a)vger.kernel.org> [5.18+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/pagemap.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) --- a/include/linux/pagemap.h~mm-filemap-make-max_pagecache_order-acceptable-to-xarray +++ a/include/linux/pagemap.h @@ -354,11 +354,18 @@ static inline void mapping_set_gfp_mask( * a good order (that's 1MB if you're using 4kB pages) */ #ifdef CONFIG_TRANSPARENT_HUGEPAGE -#define MAX_PAGECACHE_ORDER HPAGE_PMD_ORDER +#define PREFERRED_MAX_PAGECACHE_ORDER HPAGE_PMD_ORDER #else -#define MAX_PAGECACHE_ORDER 8 +#define PREFERRED_MAX_PAGECACHE_ORDER 8 #endif +/* + * xas_split_alloc() does not support arbitrary orders. This implies no + * 512MB THP on ARM64 with 64KB base page size. + */ +#define MAX_XAS_ORDER (XA_CHUNK_SHIFT * 2 - 1) +#define MAX_PAGECACHE_ORDER min(MAX_XAS_ORDER, PREFERRED_MAX_PAGECACHE_ORDER) + /** * mapping_set_large_folios() - Indicate the file supports large folios. * @mapping: The file. _ Patches currently in -mm which might be from gshan(a)redhat.com are mm-filemap-make-max_pagecache_order-acceptable-to-xarray.patch mm-readahead-limit-page-cache-size-in-page_cache_ra_order.patch mm-filemap-skip-to-create-pmd-sized-page-cache-if-needed.patch mm-shmem-disable-pmd-sized-page-cache-if-needed.patch

1 year, 2 months

1
0
0 0

+ fix-userfaultfd_api-to-return-einval-as-expected.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: Fix userfaultfd_api to return EINVAL as expected has been added to the -mm mm-hotfixes-unstable branch. Its filename is fix-userfaultfd_api-to-return-einval-as-expected.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Audra Mitchell <audra(a)redhat.com> Subject: Fix userfaultfd_api to return EINVAL as expected Date: Wed, 26 Jun 2024 09:05:11 -0400 Currently if we request a feature that is not set in the Kernel config we fail silently and return all the available features. However, the man page indicates we should return an EINVAL. We need to fix this issue since we can end up with a Kernel warning should a program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with the config not set with this feature. [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660 [ 200.820738] Modules linked in: [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8 [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022 [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660 Link: https://lkml.kernel.org/r/20240626130513.120193-1-audra@redhat.com Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API") Signed-off-by: Audra Mitchell <audra(a)redhat.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jan Kara <jack(a)suse.cz> Cc: Mike Rapoport <rppt(a)linux.vnet.ibm.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rafael Aquini <raquini(a)redhat.com> Cc: Shaohua Li <shli(a)fb.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/userfaultfd.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/fs/userfaultfd.c~fix-userfaultfd_api-to-return-einval-as-expected +++ a/fs/userfaultfd.c @@ -2057,7 +2057,7 @@ static int userfaultfd_api(struct userfa goto out; features = uffdio_api.features; ret = -EINVAL; - if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES)) + if (uffdio_api.api != UFFD_API) goto err_out; ret = -EPERM; if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE)) @@ -2081,6 +2081,11 @@ static int userfaultfd_api(struct userfa uffdio_api.features &= ~UFFD_FEATURE_WP_UNPOPULATED; uffdio_api.features &= ~UFFD_FEATURE_WP_ASYNC; #endif + + ret = -EINVAL; + if (features & ~uffdio_api.features) + goto err_out; + uffdio_api.ioctls = UFFD_API_IOCTLS; ret = -EFAULT; if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api))) _ Patches currently in -mm which might be from audra(a)redhat.com are fix-userfaultfd_api-to-return-einval-as-expected.patch

1 year, 2 months

1
0
0 0

+ mm-vmalloc-check-if-a-hash-index-is-in-cpu_possible_mask.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: vmalloc: check if a hash-index is in cpu_possible_mask has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-vmalloc-check-if-a-hash-index-is-in-cpu_possible_mask.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Subject: mm: vmalloc: check if a hash-index is in cpu_possible_mask Date: Wed, 26 Jun 2024 16:03:30 +0200 The problem is that there are systems where cpu_possible_mask has gaps between set CPUs, for example SPARC. In this scenario addr_to_vb_xa() hash function can return an index which accesses to not-possible and not setup CPU area using per_cpu() macro. This results in an oops on SPARC. A per-cpu vmap_block_queue is also used as hash table, incorrectly assuming the cpu_possible_mask has no gaps. Fix it by adjusting an index to a next possible CPU. Link: https://lkml.kernel.org/r/20240626140330.89836-1-urezki@gmail.com Fixes: 062eacf57ad9 ("mm: vmalloc: remove a global vmap_blocks xarray") Reported-by: Nick Bowler <nbowler(a)draconx.ca> Closes: https://lore.kernel.org/linux-kernel/ZntjIE6msJbF8zTa@MiWiFi-R3L-srv/T/ Signed-off-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Hailong.Liu <hailong.liu(a)oppo.com> Cc: Oleksiy Avramchenko <oleksiy.avramchenko(a)sony.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/mm/vmalloc.c~mm-vmalloc-check-if-a-hash-index-is-in-cpu_possible_mask +++ a/mm/vmalloc.c @@ -2543,7 +2543,15 @@ static DEFINE_PER_CPU(struct vmap_block_ static struct xarray * addr_to_vb_xa(unsigned long addr) { - int index = (addr / VMAP_BLOCK_SIZE) % num_possible_cpus(); + int index = (addr / VMAP_BLOCK_SIZE) % nr_cpu_ids; + + /* + * Please note, nr_cpu_ids points on a highest set + * possible bit, i.e. we never invoke cpumask_next() + * if an index points on it which is nr_cpu_ids - 1. + */ + if (!cpu_possible(index)) + index = cpumask_next(index, cpu_possible_mask); return &per_cpu(vmap_block_queue, index).vmap_blocks; } _ Patches currently in -mm which might be from urezki(a)gmail.com are mm-vmalloc-check-if-a-hash-index-is-in-cpu_possible_mask.patch

1 year, 2 months

1
0
0 0

[PATCH 5.10 0/5] Five missing NFSD fixes for v5.10.y

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Hi- It was pointed out that the NFSD fixes that went into 5.10.220 were missing a few forward fixes from upstream. These five are the ones I identified. I've run them through the usual NFSD CI tests and found no new issues. Chuck Lever (3): SUNRPC: Fix a NULL pointer deref in trace_svc_stats_latency() SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation SUNRPC: Fix svcxdr_init_encode's buflen calculation Jeff Layton (1): nfsd: hold a lighter-weight client reference over CB_RECALL_ANY Yunjian Wang (1): SUNRPC: Fix null pointer dereference in svc_rqst_free() fs/nfsd/nfs4state.c | 7 ++----- include/linux/sunrpc/svc.h | 20 ++++++++++++++++---- include/trace/events/sunrpc.h | 8 ++++---- net/sunrpc/svc.c | 18 +++++++++++++++++- 4 files changed, 39 insertions(+), 14 deletions(-) -- 2.45.1

1 year, 2 months

1
5
0 0

[PATCH] nvmet-fc: Remove __counted_by from nvmet_fc_tgt_queue.fod[]

by Nathan Chancellor

Work for __counted_by on generic pointers in structures (not just flexible array members) has started landing in Clang 19 (current tip of tree). During the development of this feature, a restriction was added to __counted_by to prevent the flexible array member's element type from including a flexible array member itself such as: struct foo { int count; char buf[]; }; struct bar { int count; struct foo data[] __counted_by(count); }; because the size of data cannot be calculated with the standard array size formula: sizeof(struct foo) * count This restriction was downgraded to a warning but due to CONFIG_WERROR, it can still break the build. The application of __counted_by on the fod member of 'struct nvmet_fc_tgt_queue' triggers this restriction, resulting in: drivers/nvme/target/fc.c:151:2: error: 'counted_by' should not be applied to an array with element of unknown size because 'struct nvmet_fc_fcp_iod' is a struct type with a flexible array member. This will be an error in a future compiler version [-Werror,-Wbounds-safety-counted-by-elt-type-unknown-size] 151 | struct nvmet_fc_fcp_iod fod[] __counted_by(sqsize); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. Remove this use of __counted_by to fix the warning/error. However, rather than remove it altogether, leave it commented, as it may be possible to support this in future compiler releases. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2027 Fixes: ccd3129aca28 ("nvmet-fc: Annotate struct nvmet_fc_tgt_queue with __counted_by") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/nvme/target/fc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index 337ee1cb09ae..381b4394731f 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c @@ -148,7 +148,7 @@ struct nvmet_fc_tgt_queue { struct workqueue_struct *work_q; struct kref ref; /* array of fcp_iods */ - struct nvmet_fc_fcp_iod fod[] __counted_by(sqsize); + struct nvmet_fc_fcp_iod fod[] /* __counted_by(sqsize) */; } __aligned(sizeof(unsigned long long)); struct nvmet_fc_hostport { --- base-commit: c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4 change-id: 20240529-drop-counted-by-fod-nvmet-fc-tgt-queue-50edd2f8d60e Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 year, 2 months

3
5
0 0

[PATCH 1/8] arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB

by Krishna Kurapati

For Gen-1 targets like IPQ6018, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for IPQ6018 to mitigate this issue. Cc: <stable(a)vger.kernel.org> Fixes: 20bb9e3dd2e4 ("arm64: dts: qcom: ipq6018: add usb3 DT description") Signed-off-by: Krishna Kurapati <quic_kriskura(a)quicinc.com> --- arch/arm64/boot/dts/qcom/ipq6018.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/ipq6018.dtsi b/arch/arm64/boot/dts/qcom/ipq6018.dtsi index 9694140881c6..8b63c1a6da10 100644 --- a/arch/arm64/boot/dts/qcom/ipq6018.dtsi +++ b/arch/arm64/boot/dts/qcom/ipq6018.dtsi @@ -685,6 +685,7 @@ dwc_0: usb@8a00000 { clocks = <&xo>; clock-names = "ref"; tx-fifo-resize; + snps,parkmode-disable-ss-quirk; snps,is-utmi-l1-suspend; snps,hird-threshold = /bits/ 8 <0x0>; snps,dis_u2_susphy_quirk; -- 2.34.1

1 year, 2 months

2
1
0 0

[PATCH 3/8] arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB

by Krishna Kurapati

For Gen-1 targets like MSM8998, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for MSM8998 to mitigate this issue. Cc: <stable(a)vger.kernel.org> Fixes: 026dad8f5873 ("arm64: dts: qcom: msm8998: Add USB-related nodes") Signed-off-by: Krishna Kurapati <quic_kriskura(a)quicinc.com> --- arch/arm64/boot/dts/qcom/msm8998.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/msm8998.dtsi b/arch/arm64/boot/dts/qcom/msm8998.dtsi index 3c94d823a514..6d5e1c7b2da5 100644 --- a/arch/arm64/boot/dts/qcom/msm8998.dtsi +++ b/arch/arm64/boot/dts/qcom/msm8998.dtsi @@ -2144,6 +2144,7 @@ usb3_dwc3: usb@a800000 { interrupts = <GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>; snps,dis_u2_susphy_quirk; snps,dis_enblslpm_quirk; + snps,parkmode-disable-ss-quirk; phys = <&qusb2phy>, <&usb3phy>; phy-names = "usb2-phy", "usb3-phy"; snps,has-lpm-erratum; -- 2.34.1

1 year, 2 months

1
0
0 0

[PATCH 2/8] arm64: dts: ipq8074: Disable SS instance in Parkmode for USB

by Krishna Kurapati

For Gen-1 targets like IPQ8074, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for IPQ8074 to mitigate this issue. Cc: <stable(a)vger.kernel.org> Fixes: 5e09bc51d07b ("arm64: dts: ipq8074: enable USB support") Signed-off-by: Krishna Kurapati <quic_kriskura(a)quicinc.com> --- arch/arm64/boot/dts/qcom/ipq8074.dtsi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/ipq8074.dtsi b/arch/arm64/boot/dts/qcom/ipq8074.dtsi index 92682d3c9478..284a4553070f 100644 --- a/arch/arm64/boot/dts/qcom/ipq8074.dtsi +++ b/arch/arm64/boot/dts/qcom/ipq8074.dtsi @@ -666,6 +666,7 @@ dwc_0: usb@8a00000 { interrupts = <GIC_SPI 140 IRQ_TYPE_LEVEL_HIGH>; phys = <&qusb_phy_0>, <&ssphy_0>; phy-names = "usb2-phy", "usb3-phy"; + snps,parkmode-disable-ss-quirk; snps,is-utmi-l1-suspend; snps,hird-threshold = /bits/ 8 <0x0>; snps,dis_u2_susphy_quirk; @@ -715,6 +716,7 @@ dwc_1: usb@8c00000 { interrupts = <GIC_SPI 99 IRQ_TYPE_LEVEL_HIGH>; phys = <&qusb_phy_1>, <&ssphy_1>; phy-names = "usb2-phy", "usb3-phy"; + snps,parkmode-disable-ss-quirk; snps,is-utmi-l1-suspend; snps,hird-threshold = /bits/ 8 <0x0>; snps,dis_u2_susphy_quirk; -- 2.34.1

1 year, 2 months

1
0
0 0

[PATCH 1/3] drm/dp_mst: Fix all mstb marked as not probed after suspend/resume

by Wayne Lin

[Why] After supend/resume, with topology unchanged, observe that link_address_sent of all mstb are marked as false even the topology probing is done without any error. It is caused by wrongly also include "ret == 0" case as a probing failure case. [How] Remove inappropriate checking conditions. Cc: Lyude Paul <lyude(a)redhat.com> Cc: Harry Wentland <hwentlan(a)amd.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Imre Deak <imre.deak(a)intel.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: stable(a)vger.kernel.org Fixes: 37dfdc55ffeb ("drm/dp_mst: Cleanup drm_dp_send_link_address() a bit") Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> --- drivers/gpu/drm/display/drm_dp_mst_topology.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c index 7f8e1cfbe19d..68831f4e502a 100644 --- a/drivers/gpu/drm/display/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c @@ -2929,7 +2929,7 @@ static int drm_dp_send_link_address(struct drm_dp_mst_topology_mgr *mgr, /* FIXME: Actually do some real error handling here */ ret = drm_dp_mst_wait_tx_reply(mstb, txmsg); - if (ret <= 0) { + if (ret < 0) { drm_err(mgr->dev, "Sending link address failed with %d\n", ret); goto out; } @@ -2981,7 +2981,7 @@ static int drm_dp_send_link_address(struct drm_dp_mst_topology_mgr *mgr, mutex_unlock(&mgr->lock); out: - if (ret <= 0) + if (ret < 0) mstb->link_address_sent = false; kfree(txmsg); return ret < 0 ? ret : changed; -- 2.37.3

1 year, 2 months

2
1
0 0

[PATCH 20/21] xhci: Apply XHCI_RESET_TO_DEFAULT quirk to TGL

by Mathias Nyman

From: Reka Norman <rekanorman(a)chromium.org> TGL systems have the same issue as ADL, where a large boot firmware delay is seen if USB ports are left in U3 at shutdown. So apply the XHCI_RESET_TO_DEFAULT quirk to TGL as well. The issue it fixes is a ~20s boot time delay when booting from S5. It affects TGL devices, and TGL support was added starting from v5.3. Cc: stable(a)vger.kernel.org Signed-off-by: Reka Norman <rekanorman(a)chromium.org> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-pci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index 05881153883e..dc1e345ab67e 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -50,6 +50,7 @@ #define PCI_DEVICE_ID_INTEL_DENVERTON_XHCI 0x19d0 #define PCI_DEVICE_ID_INTEL_ICE_LAKE_XHCI 0x8a13 #define PCI_DEVICE_ID_INTEL_TIGER_LAKE_XHCI 0x9a13 +#define PCI_DEVICE_ID_INTEL_TIGER_LAKE_PCH_XHCI 0xa0ed #define PCI_DEVICE_ID_INTEL_COMET_LAKE_XHCI 0xa3af #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI 0x51ed #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI 0x54ed @@ -373,7 +374,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) xhci->quirks |= XHCI_MISSING_CAS; if (pdev->vendor == PCI_VENDOR_ID_INTEL && - (pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI || + (pdev->device == PCI_DEVICE_ID_INTEL_TIGER_LAKE_PCH_XHCI || + pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI || pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI)) xhci->quirks |= XHCI_RESET_TO_DEFAULT; -- 2.25.1

1 year, 2 months

1
0
0 0

[PATCH bpf v2 2/2] bpf: Harden __bpf_kfunc tag against linker kfunc removal

by Tony Ambardar

BPF kfuncs are often not directly referenced and may be inadvertently removed by optimization steps during kernel builds, thus the __bpf_kfunc tag mitigates against this removal by including the __used macro. However, this macro alone does not prevent removal during linking, and may still yield build warnings (e.g. on mips64el): LD vmlinux BTFIDS vmlinux WARN: resolve_btfids: unresolved symbol bpf_verify_pkcs7_signature WARN: resolve_btfids: unresolved symbol bpf_lookup_user_key WARN: resolve_btfids: unresolved symbol bpf_lookup_system_key WARN: resolve_btfids: unresolved symbol bpf_key_put WARN: resolve_btfids: unresolved symbol bpf_iter_task_next WARN: resolve_btfids: unresolved symbol bpf_iter_css_task_new WARN: resolve_btfids: unresolved symbol bpf_get_file_xattr WARN: resolve_btfids: unresolved symbol bpf_ct_insert_entry WARN: resolve_btfids: unresolved symbol bpf_cgroup_release WARN: resolve_btfids: unresolved symbol bpf_cgroup_from_id WARN: resolve_btfids: unresolved symbol bpf_cgroup_acquire WARN: resolve_btfids: unresolved symbol bpf_arena_free_pages NM System.map SORTTAB vmlinux OBJCOPY vmlinux.32 Update the __bpf_kfunc tag to better guard against linker optimization by including the new __retain compiler macro, which fixes the warnings above. Verify the __retain macro with readelf by checking object flags for 'R': $ readelf -Wa kernel/trace/bpf_trace.o Section Headers: [Nr] Name Type Address Off Size ES Flg Lk Inf Al ... [178] .text.bpf_key_put PROGBITS 00000000 6420 0050 00 AXR 0 0 8 ... Key to Flags: ... R (retain), D (mbind), p (processor specific) Link: https://lore.kernel.org/bpf/ZlmGoT9KiYLZd91S@krava/T/ Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/r/202401211357.OCX9yllM-lkp@intel.com/ Fixes: 57e7c169cd6a ("bpf: Add __bpf_kfunc tag for marking kernel functions as kfuncs") Cc: stable(a)vger.kernel.org # v6.6+ Signed-off-by: Tony Ambardar <Tony.Ambardar(a)gmail.com> --- include/linux/btf.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/btf.h b/include/linux/btf.h index f9e56fd12a9f..7c3e40c3295e 100644 --- a/include/linux/btf.h +++ b/include/linux/btf.h @@ -82,7 +82,7 @@ * as to avoid issues such as the compiler inlining or eliding either a static * kfunc, or a global kfunc in an LTO build. */ -#define __bpf_kfunc __used noinline +#define __bpf_kfunc __used __retain noinline #define __bpf_kfunc_start_defs() \ __diag_push(); \ -- 2.34.1

1 year, 2 months

3
4
0 0

[PATCH 3/3] serial: qcom-geni: fix garbage output after buffer flush

by Johan Hovold

The Qualcomm GENI serial driver does not handle buffer flushing and outputs garbage (or NUL) characters for the remainder of any active TX command after the write buffer has been cleared. Implement the flush_buffer() callback and use it to cancel any active TX command when the write buffer has been emptied. Fixes: a1fee899e5be ("tty: serial: qcom_geni_serial: Fix softlock") Cc: stable(a)vger.kernel.org # 5.0 Reported-by: Douglas Anderson <dianders(a)chromium.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 72addeb9f461..5fbb72f1c0c7 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1084,6 +1084,11 @@ static void qcom_geni_serial_shutdown(struct uart_port *uport) qcom_geni_serial_clear_tx_fifo(uport); } +static void qcom_geni_serial_flush_buffer(struct uart_port *uport) +{ + qcom_geni_serial_clear_tx_fifo(uport); +} + static int qcom_geni_serial_port_setup(struct uart_port *uport) { struct qcom_geni_serial_port *port = to_dev_port(uport); @@ -1540,6 +1545,7 @@ static const struct uart_ops qcom_geni_console_pops = { .request_port = qcom_geni_serial_request_port, .config_port = qcom_geni_serial_config_port, .shutdown = qcom_geni_serial_shutdown, + .flush_buffer = qcom_geni_serial_flush_buffer, .type = qcom_geni_serial_get_type, .set_mctrl = qcom_geni_serial_set_mctrl, .get_mctrl = qcom_geni_serial_get_mctrl, -- 2.44.1

1 year, 2 months

3
2
0 0

[PATCH v2 2/6] ata: libata-scsi: Fix offsets for the fixed format sense data

by Igor Pylypiv

Correct the ATA PASS-THROUGH fixed format sense data offsets to conform to SPC-6 and SAT-5 specifications. Additionally, set the VALID bit to indicate that the INFORMATION field contains valid information. INFORMATION =========== SAT-5 Table 212 — "Fixed format sense data INFORMATION field for the ATA PASS-THROUGH commands" defines the following format: +------+------------+ | Byte | Field | +------+------------+ | 0 | ERROR | | 1 | STATUS | | 2 | DEVICE | | 3 | COUNT(7:0) | +------+------------+ SPC-6 Table 48 - "Fixed format sense data" specifies that the INFORMATION field starts at byte 3 in sense buffer resulting in the following offsets for the ATA PASS-THROUGH commands: +------------+-------------------------+ | Field | Offset in sense buffer | +------------+-------------------------+ | ERROR | 3 | | STATUS | 4 | | DEVICE | 5 | | COUNT(7:0) | 6 | +------------+-------------------------+ COMMAND-SPECIFIC INFORMATION ============================ SAT-5 Table 213 - "Fixed format sense data COMMAND-SPECIFIC INFORMATION field for ATA PASS-THROUGH" defines the following format: +------+-------------------+ | Byte | Field | +------+-------------------+ | 0 | FLAGS | LOG INDEX | | 1 | LBA (7:0) | | 2 | LBA (15:8) | | 3 | LBA (23:16) | +------+-------------------+ SPC-6 Table 48 - "Fixed format sense data" specifies that the COMMAND-SPECIFIC-INFORMATION field starts at byte 8 in sense buffer resulting in the following offsets for the ATA PASS-THROUGH commands: Offsets of these fields in the fixed sense format are as follows: +-------------------+-------------------------+ | Field | Offset in sense buffer | +-------------------+-------------------------+ | FLAGS | LOG INDEX | 8 | | LBA (7:0) | 9 | | LBA (15:8) | 10 | | LBA (23:16) | 11 | +-------------------+-------------------------+ Reported-by: Akshat Jain <akshatzen(a)google.com> Fixes: 11093cb1ef56 ("libata-scsi: generate correct ATA pass-through sense") Cc: stable(a)vger.kernel.org Signed-off-by: Igor Pylypiv <ipylypiv(a)google.com> --- drivers/ata/libata-scsi.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 54fed6a427b1..26b1263f5c7c 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -245,9 +245,9 @@ static void ata_scsi_set_passthru_sense_fields(struct ata_queued_cmd *qc) struct scsi_cmnd *cmd = qc->scsicmd; struct ata_taskfile *tf = &qc->result_tf; unsigned char *sb = cmd->sense_buffer; - unsigned char *desc = sb + 8; - if ((cmd->sense_buffer[0] & 0x7f) >= 0x72) { + if ((sb[0] & 0x7f) >= 0x72) { + unsigned char *desc; u8 len; /* descriptor format */ @@ -286,21 +286,21 @@ static void ata_scsi_set_passthru_sense_fields(struct ata_queued_cmd *qc) } } else { /* Fixed sense format */ - desc[0] = tf->error; - desc[1] = tf->status; - desc[2] = tf->device; - desc[3] = tf->nsect; - desc[7] = 0; + sb[0] |= 0x80; + sb[3] = tf->error; + sb[4] = tf->status; + sb[5] = tf->device; + sb[6] = tf->nsect; if (tf->flags & ATA_TFLAG_LBA48) { - desc[8] |= 0x80; + sb[8] |= 0x80; if (tf->hob_nsect) - desc[8] |= 0x40; + sb[8] |= 0x40; if (tf->hob_lbal || tf->hob_lbam || tf->hob_lbah) - desc[8] |= 0x20; + sb[8] |= 0x20; } - desc[9] = tf->lbal; - desc[10] = tf->lbam; - desc[11] = tf->lbah; + sb[9] = tf->lbal; + sb[10] = tf->lbam; + sb[11] = tf->lbah; } } -- 2.45.2.741.gdbec12cfda-goog

1 year, 2 months

3
2
0 0

[PATCH v2 1/6] ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1

by Igor Pylypiv

Current ata_gen_passthru_sense() code performs two actions: 1. Generates sense data based on the ATA 'status' and ATA 'error' fields. 2. Populates "ATA Status Return sense data descriptor" / "Fixed format sense data" with ATA taskfile fields. The problem is that #1 generates sense data even when a valid sense data is already present (ATA_QCFLAG_SENSE_VALID is set). Factoring out #2 into a separate function allows us to generate sense data only when there is no valid sense data (ATA_QCFLAG_SENSE_VALID is not set). As a bonus, we can now delete a FIXME comment in atapi_qc_complete() which states that we don't want to translate taskfile registers into sense descriptors for ATAPI. Cc: <stable(a)vger.kernel.org> Signed-off-by: Igor Pylypiv <ipylypiv(a)google.com> --- drivers/ata/libata-scsi.c | 158 +++++++++++++++++++++----------------- 1 file changed, 86 insertions(+), 72 deletions(-) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index bb4d30d377ae..54fed6a427b1 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -230,6 +230,80 @@ void ata_scsi_set_sense_information(struct ata_device *dev, SCSI_SENSE_BUFFERSIZE, information); } +/** + * ata_scsi_set_passthru_sense_fields - Set ATA fields in sense buffer + * @qc: ATA PASS-THROUGH command. + * + * Populates "ATA Status Return sense data descriptor" / "Fixed format + * sense data" with ATA taskfile fields. + * + * LOCKING: + * None. + */ +static void ata_scsi_set_passthru_sense_fields(struct ata_queued_cmd *qc) +{ + struct scsi_cmnd *cmd = qc->scsicmd; + struct ata_taskfile *tf = &qc->result_tf; + unsigned char *sb = cmd->sense_buffer; + unsigned char *desc = sb + 8; + + if ((cmd->sense_buffer[0] & 0x7f) >= 0x72) { + u8 len; + + /* descriptor format */ + len = sb[7]; + desc = (char *)scsi_sense_desc_find(sb, len + 8, 9); + if (!desc) { + if (SCSI_SENSE_BUFFERSIZE < len + 14) + return; + sb[7] = len + 14; + desc = sb + 8 + len; + } + desc[0] = 9; + desc[1] = 12; + /* + * Copy registers into sense buffer. + */ + desc[2] = 0x00; + desc[3] = tf->error; + desc[5] = tf->nsect; + desc[7] = tf->lbal; + desc[9] = tf->lbam; + desc[11] = tf->lbah; + desc[12] = tf->device; + desc[13] = tf->status; + + /* + * Fill in Extend bit, and the high order bytes + * if applicable. + */ + if (tf->flags & ATA_TFLAG_LBA48) { + desc[2] |= 0x01; + desc[4] = tf->hob_nsect; + desc[6] = tf->hob_lbal; + desc[8] = tf->hob_lbam; + desc[10] = tf->hob_lbah; + } + } else { + /* Fixed sense format */ + desc[0] = tf->error; + desc[1] = tf->status; + desc[2] = tf->device; + desc[3] = tf->nsect; + desc[7] = 0; + if (tf->flags & ATA_TFLAG_LBA48) { + desc[8] |= 0x80; + if (tf->hob_nsect) + desc[8] |= 0x40; + if (tf->hob_lbal || tf->hob_lbam || tf->hob_lbah) + desc[8] |= 0x20; + } + desc[9] = tf->lbal; + desc[10] = tf->lbam; + desc[11] = tf->lbah; + } +} + static void ata_scsi_set_invalid_field(struct ata_device *dev, struct scsi_cmnd *cmd, u16 field, u8 bit) { @@ -837,10 +911,8 @@ static void ata_to_sense_error(unsigned id, u8 drv_stat, u8 drv_err, u8 *sk, * ata_gen_passthru_sense - Generate check condition sense block. * @qc: Command that completed. * - * This function is specific to the ATA descriptor format sense - * block specified for the ATA pass through commands. Regardless - * of whether the command errored or not, return a sense - * block. Copy all controller registers into the sense + * This function is specific to the ATA pass through commands. + * Regardless of whether the command errored or not, return a sense * block. If there was no error, we get the request from an ATA * passthrough command, so we use the following sense data: * sk = RECOVERED ERROR @@ -855,7 +927,6 @@ static void ata_gen_passthru_sense(struct ata_queued_cmd *qc) struct scsi_cmnd *cmd = qc->scsicmd; struct ata_taskfile *tf = &qc->result_tf; unsigned char *sb = cmd->sense_buffer; - unsigned char *desc = sb + 8; u8 sense_key, asc, ascq; memset(sb, 0, SCSI_SENSE_BUFFERSIZE); @@ -876,62 +947,6 @@ static void ata_gen_passthru_sense(struct ata_queued_cmd *qc) */ scsi_build_sense(cmd, 1, RECOVERED_ERROR, 0, 0x1D); } - - if ((cmd->sense_buffer[0] & 0x7f) >= 0x72) { - u8 len; - - /* descriptor format */ - len = sb[7]; - desc = (char *)scsi_sense_desc_find(sb, len + 8, 9); - if (!desc) { - if (SCSI_SENSE_BUFFERSIZE < len + 14) - return; - sb[7] = len + 14; - desc = sb + 8 + len; - } - desc[0] = 9; - desc[1] = 12; - /* - * Copy registers into sense buffer. - */ - desc[2] = 0x00; - desc[3] = tf->error; - desc[5] = tf->nsect; - desc[7] = tf->lbal; - desc[9] = tf->lbam; - desc[11] = tf->lbah; - desc[12] = tf->device; - desc[13] = tf->status; - - /* - * Fill in Extend bit, and the high order bytes - * if applicable. - */ - if (tf->flags & ATA_TFLAG_LBA48) { - desc[2] |= 0x01; - desc[4] = tf->hob_nsect; - desc[6] = tf->hob_lbal; - desc[8] = tf->hob_lbam; - desc[10] = tf->hob_lbah; - } - } else { - /* Fixed sense format */ - desc[0] = tf->error; - desc[1] = tf->status; - desc[2] = tf->device; - desc[3] = tf->nsect; - desc[7] = 0; - if (tf->flags & ATA_TFLAG_LBA48) { - desc[8] |= 0x80; - if (tf->hob_nsect) - desc[8] |= 0x40; - if (tf->hob_lbal || tf->hob_lbam || tf->hob_lbah) - desc[8] |= 0x20; - } - desc[9] = tf->lbal; - desc[10] = tf->lbam; - desc[11] = tf->lbah; - } } /** @@ -1634,6 +1649,8 @@ static void ata_scsi_qc_complete(struct ata_queued_cmd *qc) u8 *cdb = cmd->cmnd; int need_sense = (qc->err_mask != 0) && !(qc->flags & ATA_QCFLAG_SENSE_VALID); + int need_passthru_sense = (qc->err_mask != 0) || + (qc->flags & ATA_QCFLAG_SENSE_VALID); /* For ATA pass thru (SAT) commands, generate a sense block if * user mandated it or if there's an error. Note that if we @@ -1645,13 +1662,16 @@ static void ata_scsi_qc_complete(struct ata_queued_cmd *qc) * asc,ascq = ATA PASS-THROUGH INFORMATION AVAILABLE */ if (((cdb[0] == ATA_16) || (cdb[0] == ATA_12)) && - ((cdb[2] & 0x20) || need_sense)) - ata_gen_passthru_sense(qc); - else if (need_sense) + ((cdb[2] & 0x20) || need_passthru_sense)) { + if (!(qc->flags & ATA_QCFLAG_SENSE_VALID)) + ata_gen_passthru_sense(qc); + ata_scsi_set_passthru_sense_fields(qc); + } else if (need_sense) { ata_gen_ata_sense(qc); - else + } else { /* Keep the SCSI ML and status byte, clear host byte. */ cmd->result &= 0x0000ffff; + } ata_qc_done(qc); } @@ -2590,14 +2610,8 @@ static void atapi_qc_complete(struct ata_queued_cmd *qc) /* handle completion from EH */ if (unlikely(err_mask || qc->flags & ATA_QCFLAG_SENSE_VALID)) { - if (!(qc->flags & ATA_QCFLAG_SENSE_VALID)) { - /* FIXME: not quite right; we don't want the - * translation of taskfile registers into a - * sense descriptors, since that's only - * correct for ATA, not ATAPI - */ + if (!(qc->flags & ATA_QCFLAG_SENSE_VALID)) ata_gen_passthru_sense(qc); - } /* SCSI EH automatically locks door if sdev->locked is * set. Sometimes door lock request continues to -- 2.45.2.741.gdbec12cfda-goog

1 year, 2 months

3
2
0 0

[git:media_stage/master] media: i2c: Kconfig: Fix missing firmware upload config select

by Laurent Pinchart

This is an automatic generated email to let you know that the following patch were queued: Subject: media: i2c: Kconfig: Fix missing firmware upload config select Author: Kory Maincent <kory.maincent(a)bootlin.com> Date: Thu Jun 20 12:25:43 2024 +0200 FW_LOADER config only selects the firmware loader API, but we also need the sysfs_upload symbols for firmware_upload_unregister() and firmware_upload_register() to function properly. Fixes: 7a52ab415b43 ("media: i2c: Add driver for THine THP7312") Cc: stable(a)vger.kernel.org Signed-off-by: Kory Maincent <kory.maincent(a)bootlin.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Reviewed-by: Paul Elder <paul.elder(a)ideasonboard.com> Link: https://lore.kernel.org/r/20240620102544.1918105-1-kory.maincent@bootlin.com Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> drivers/media/i2c/Kconfig | 1 + 1 file changed, 1 insertion(+) --- diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig index 8aac41513b59..8ba096b8ebca 100644 --- a/drivers/media/i2c/Kconfig +++ b/drivers/media/i2c/Kconfig @@ -710,6 +710,7 @@ config VIDEO_THP7312 tristate "THine THP7312 support" depends on I2C select FW_LOADER + select FW_UPLOAD select MEDIA_CONTROLLER select V4L2_CCI_I2C select V4L2_FWNODE

1 year, 2 months

1
0
0 0

[git:media_stage/master] media: imx-pxp: Fix ERR_PTR dereference in pxp_probe()

by Laurent Pinchart

This is an automatic generated email to let you know that the following patch were queued: Subject: media: imx-pxp: Fix ERR_PTR dereference in pxp_probe() Author: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> Date: Tue May 14 02:50:38 2024 -0700 devm_regmap_init_mmio() can fail, add a check and bail out in case of error. Fixes: 4e5bd3fdbeb3 ("media: imx-pxp: convert to regmap") Cc: stable(a)vger.kernel.org Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Link: https://lore.kernel.org/r/20240514095038.3464191-1-harshit.m.mogalapalli@or… Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> drivers/media/platform/nxp/imx-pxp.c | 3 +++ 1 file changed, 3 insertions(+) --- diff --git a/drivers/media/platform/nxp/imx-pxp.c b/drivers/media/platform/nxp/imx-pxp.c index e62dc5c1a4ae..e4427e6487fb 100644 --- a/drivers/media/platform/nxp/imx-pxp.c +++ b/drivers/media/platform/nxp/imx-pxp.c @@ -1805,6 +1805,9 @@ static int pxp_probe(struct platform_device *pdev) return PTR_ERR(mmio); dev->regmap = devm_regmap_init_mmio(&pdev->dev, mmio, &pxp_regmap_config); + if (IS_ERR(dev->regmap)) + return dev_err_probe(&pdev->dev, PTR_ERR(dev->regmap), + "Failed to init regmap\n"); irq = platform_get_irq(pdev, 0); if (irq < 0)

1 year, 2 months

1
0
0 0

[tip: x86/urgent] x86/tdx: Support vmalloc() for tdx_enc_status_changed()

by tip-bot2 for Dexuan Cui

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: e1b8ac3aae589bb57a2c2e49fa76235c687c4d23 Gitweb: https://git.kernel.org/tip/e1b8ac3aae589bb57a2c2e49fa76235c687c4d23 Author: Dexuan Cui <decui(a)microsoft.com> AuthorDate: Mon, 20 May 2024 19:12:38 -07:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Tue, 25 Jun 2024 14:45:22 -07:00 x86/tdx: Support vmalloc() for tdx_enc_status_changed() When a TDX guest runs on Hyper-V, the hv_netvsc driver's netvsc_init_buf() allocates buffers using vzalloc(), and needs to share the buffers with the host OS by calling set_memory_decrypted(), which is not working for vmalloc() yet. Add the support by handling the pages one by one. Co-developed-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Signed-off-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Michael Kelley <mikelley(a)microsoft.com> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> Reviewed-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Reviewed-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Kai Huang <kai.huang(a)intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240521021238.1803-1-decui%40microsoft.com --- arch/x86/coco/tdx/tdx.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index c1cb903..abf3cd5 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -7,6 +7,7 @@ #include <linux/cpufeature.h> #include <linux/export.h> #include <linux/io.h> +#include <linux/mm.h> #include <asm/coco.h> #include <asm/tdx.h> #include <asm/vmx.h> @@ -778,6 +779,19 @@ static bool tdx_map_gpa(phys_addr_t start, phys_addr_t end, bool enc) return false; } +static bool tdx_enc_status_changed_phys(phys_addr_t start, phys_addr_t end, + bool enc) +{ + if (!tdx_map_gpa(start, end, enc)) + return false; + + /* shared->private conversion requires memory to be accepted before use */ + if (enc) + return tdx_accept_memory(start, end); + + return true; +} + /* * Inform the VMM of the guest's intent for this physical page: shared with * the VMM or private to the guest. The VMM is expected to change its mapping @@ -785,15 +799,22 @@ static bool tdx_map_gpa(phys_addr_t start, phys_addr_t end, bool enc) */ static bool tdx_enc_status_changed(unsigned long vaddr, int numpages, bool enc) { - phys_addr_t start = __pa(vaddr); - phys_addr_t end = __pa(vaddr + numpages * PAGE_SIZE); + unsigned long start = vaddr; + unsigned long end = start + numpages * PAGE_SIZE; + unsigned long step = end - start; + unsigned long addr; - if (!tdx_map_gpa(start, end, enc)) - return false; + /* Step through page-by-page for vmalloc() mappings */ + if (is_vmalloc_addr((void *)vaddr)) + step = PAGE_SIZE; - /* shared->private conversion requires memory to be accepted before use */ - if (enc) - return tdx_accept_memory(start, end); + for (addr = start; addr < end; addr += step) { + phys_addr_t start_pa = slow_virt_to_phys((void *)addr); + phys_addr_t end_pa = start_pa + step; + + if (!tdx_enc_status_changed_phys(start_pa, end_pa, enc)) + return false; + } return true; }

1 year, 2 months

1
0
0 0

+ mm-page_ref-remove-folio_try_get_rcu.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: page_ref: remove folio_try_get_rcu() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-page_ref-remove-folio_try_get_rcu.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yang Shi <yang(a)os.amperecomputing.com> Subject: mm: page_ref: remove folio_try_get_rcu() Date: Tue, 25 Jun 2024 13:53:50 -0700 The below bug was reported on a non-SMP kernel: [ 275.267158][ T4335] ------------[ cut here ]------------ [ 275.267949][ T4335] kernel BUG at include/linux/page_ref.h:275! [ 275.268526][ T4335] invalid opcode: 0000 [#1] KASAN PTI [ 275.269001][ T4335] CPU: 0 PID: 4335 Comm: trinity-c3 Not tainted 6.7.0-rc4-00061-gefa7df3e3bb5 #1 [ 275.269787][ T4335] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 275.270679][ T4335] RIP: 0010:try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.272813][ T4335] RSP: 0018:ffffc90005dcf650 EFLAGS: 00010202 [ 275.273346][ T4335] RAX: 0000000000000246 RBX: ffffea00066e0000 RCX: 0000000000000000 [ 275.274032][ T4335] RDX: fffff94000cdc007 RSI: 0000000000000004 RDI: ffffea00066e0034 [ 275.274719][ T4335] RBP: ffffea00066e0000 R08: 0000000000000000 R09: fffff94000cdc006 [ 275.275404][ T4335] R10: ffffea00066e0037 R11: 0000000000000000 R12: 0000000000000136 [ 275.276106][ T4335] R13: ffffea00066e0034 R14: dffffc0000000000 R15: ffffea00066e0008 [ 275.276790][ T4335] FS: 00007fa2f9b61740(0000) GS:ffffffff89d0d000(0000) knlGS:0000000000000000 [ 275.277570][ T4335] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 275.278143][ T4335] CR2: 00007fa2f6c00000 CR3: 0000000134b04000 CR4: 00000000000406f0 [ 275.278833][ T4335] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 275.279521][ T4335] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 275.280201][ T4335] Call Trace: [ 275.280499][ T4335] <TASK> [ 275.280751][ T4335] ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) [ 275.281087][ T4335] ? do_trap (arch/x86/kernel/traps.c:112 arch/x86/kernel/traps.c:153) [ 275.281463][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.281884][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.282300][ T4335] ? do_error_trap (arch/x86/kernel/traps.c:174) [ 275.282711][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283129][ T4335] ? handle_invalid_op (arch/x86/kernel/traps.c:212) [ 275.283561][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283990][ T4335] ? exc_invalid_op (arch/x86/kernel/traps.c:264) [ 275.284415][ T4335] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:568) [ 275.284859][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.285278][ T4335] try_grab_folio (mm/gup.c:148) [ 275.285684][ T4335] __get_user_pages (mm/gup.c:1297 (discriminator 1)) [ 275.286111][ T4335] ? __pfx___get_user_pages (mm/gup.c:1188) [ 275.286579][ T4335] ? __pfx_validate_chain (kernel/locking/lockdep.c:3825) [ 275.287034][ T4335] ? mark_lock (kernel/locking/lockdep.c:4656 (discriminator 1)) [ 275.287416][ T4335] __gup_longterm_locked (mm/gup.c:1509 mm/gup.c:2209) [ 275.288192][ T4335] ? __pfx___gup_longterm_locked (mm/gup.c:2204) [ 275.288697][ T4335] ? __pfx_lock_acquire (kernel/locking/lockdep.c:5722) [ 275.289135][ T4335] ? __pfx___might_resched (kernel/sched/core.c:10106) [ 275.289595][ T4335] pin_user_pages_remote (mm/gup.c:3350) [ 275.290041][ T4335] ? __pfx_pin_user_pages_remote (mm/gup.c:3350) [ 275.290545][ T4335] ? find_held_lock (kernel/locking/lockdep.c:5244 (discriminator 1)) [ 275.290961][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.291353][ T4335] process_vm_rw_single_vec+0x142/0x360 [ 275.291900][ T4335] ? __pfx_process_vm_rw_single_vec+0x10/0x10 [ 275.292471][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.292859][ T4335] process_vm_rw_core+0x272/0x4e0 [ 275.293384][ T4335] ? hlock_class (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228) [ 275.293780][ T4335] ? __pfx_process_vm_rw_core+0x10/0x10 [ 275.294350][ T4335] process_vm_rw (mm/process_vm_access.c:284) [ 275.294748][ T4335] ? __pfx_process_vm_rw (mm/process_vm_access.c:259) [ 275.295197][ T4335] ? __task_pid_nr_ns (include/linux/rcupdate.h:306 (discriminator 1) include/linux/rcupdate.h:780 (discriminator 1) kernel/pid.c:504 (discriminator 1)) [ 275.295634][ T4335] __x64_sys_process_vm_readv (mm/process_vm_access.c:291) [ 275.296139][ T4335] ? syscall_enter_from_user_mode (kernel/entry/common.c:94 kernel/entry/common.c:112) [ 275.296642][ T4335] do_syscall_64 (arch/x86/entry/common.c:51 (discriminator 1) arch/x86/entry/common.c:82 (discriminator 1)) [ 275.297032][ T4335] ? __task_pid_nr_ns (include/linux/rcupdate.h:306 (discriminator 1) include/linux/rcupdate.h:780 (discriminator 1) kernel/pid.c:504 (discriminator 1)) [ 275.297470][ T4335] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359) [ 275.297988][ T4335] ? do_syscall_64 (arch/x86/include/asm/cpufeature.h:171 arch/x86/entry/common.c:97) [ 275.298389][ T4335] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359) [ 275.298906][ T4335] ? do_syscall_64 (arch/x86/include/asm/cpufeature.h:171 arch/x86/entry/common.c:97) [ 275.299304][ T4335] ? do_syscall_64 (arch/x86/include/asm/cpufeature.h:171 arch/x86/entry/common.c:97) [ 275.299703][ T4335] ? do_syscall_64 (arch/x86/include/asm/cpufeature.h:171 arch/x86/entry/common.c:97) [ 275.300115][ T4335] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) This BUG is the VM_BUG_ON(!in_atomic() && !irqs_disabled()) assertion in folio_ref_try_add_rcu() for non-SMP kernel. The process_vm_readv() calls GUP to pin the THP. An optimization for pinning THP instroduced by commit 57edfcfd3419 ("mm/gup: accelerate thp gup even for "pages != NULL"") calls try_grab_folio() to pin the THP, but try_grab_folio() is supposed to be called in atomic context for non-SMP kernel, for example, irq disabled or preemption disabled, due to the optimization introduced by commit e286781d5f2e ("mm: speculative page references"). The commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") is not actually the root cause although it was bisected to. It just makes the problem exposed more likely. The follow up discussion suggested the optimization for non-SMP kernel may be out-dated and not worth it anymore [1]. So removing the optimization to silence the BUG. However calling try_grab_folio() in GUP slow path actually is unnecessary, so the following patch will clean this up. [1] https://lore.kernel.org/linux-mm/821cf1d6-92b9-4ac4-bacc-d8f2364ac14f@paulm… Link: https://lkml.kernel.org/r/20240625205350.1777481-1-yang@os.amperecomputing.… Fixes: 57edfcfd3419 ("mm/gup: accelerate thp gup even for "pages != NULL"") Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> Reported-by: kernel test robot <oliver.sang(a)intel.com> Tested-by: Oliver Sang <oliver.sang(a)intel.com> Acked-by: Peter Xu <peterx(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Christoph Lameter <cl(a)linux.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Paul E. McKenney <paulmck(a)kernel.org> Cc: Rik van Riel <riel(a)surriel.com> Cc: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: <stable(a)vger.kernel.org> [6.6+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/page_ref.h | 49 +------------------------------------ mm/filemap.c | 10 +++---- mm/gup.c | 2 - 3 files changed, 8 insertions(+), 53 deletions(-) --- a/include/linux/page_ref.h~mm-page_ref-remove-folio_try_get_rcu +++ a/include/linux/page_ref.h @@ -258,54 +258,9 @@ static inline bool folio_try_get(struct return folio_ref_add_unless(folio, 1, 0); } -static inline bool folio_ref_try_add_rcu(struct folio *folio, int count) +static inline bool folio_ref_try_add(struct folio *folio, int count) { -#ifdef CONFIG_TINY_RCU - /* - * The caller guarantees the folio will not be freed from interrupt - * context, so (on !SMP) we only need preemption to be disabled - * and TINY_RCU does that for us. - */ -# ifdef CONFIG_PREEMPT_COUNT - VM_BUG_ON(!in_atomic() && !irqs_disabled()); -# endif - VM_BUG_ON_FOLIO(folio_ref_count(folio) == 0, folio); - folio_ref_add(folio, count); -#else - if (unlikely(!folio_ref_add_unless(folio, count, 0))) { - /* Either the folio has been freed, or will be freed. */ - return false; - } -#endif - return true; -} - -/** - * folio_try_get_rcu - Attempt to increase the refcount on a folio. - * @folio: The folio. - * - * This is a version of folio_try_get() optimised for non-SMP kernels. - * If you are still holding the rcu_read_lock() after looking up the - * page and know that the page cannot have its refcount decreased to - * zero in interrupt context, you can use this instead of folio_try_get(). - * - * Example users include get_user_pages_fast() (as pages are not unmapped - * from interrupt context) and the page cache lookups (as pages are not - * truncated from interrupt context). We also know that pages are not - * frozen in interrupt context for the purposes of splitting or migration. - * - * You can also use this function if you're holding a lock that prevents - * pages being frozen & removed; eg the i_pages lock for the page cache - * or the mmap_lock or page table lock for page tables. In this case, - * it will always succeed, and you could have used a plain folio_get(), - * but it's sometimes more convenient to have a common function called - * from both locked and RCU-protected contexts. - * - * Return: True if the reference count was successfully incremented. - */ -static inline bool folio_try_get_rcu(struct folio *folio) -{ - return folio_ref_try_add_rcu(folio, 1); + return folio_ref_add_unless(folio, count, 0); } static inline int page_ref_freeze(struct page *page, int count) --- a/mm/filemap.c~mm-page_ref-remove-folio_try_get_rcu +++ a/mm/filemap.c @@ -1847,7 +1847,7 @@ repeat: if (!folio || xa_is_value(folio)) goto out; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) goto repeat; if (unlikely(folio != xas_reload(&xas))) { @@ -2001,7 +2001,7 @@ retry: if (!folio || xa_is_value(folio)) return folio; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) goto reset; if (unlikely(folio != xas_reload(xas))) { @@ -2181,7 +2181,7 @@ unsigned filemap_get_folios_contig(struc if (xa_is_value(folio)) goto update_start; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) goto retry; if (unlikely(folio != xas_reload(&xas))) @@ -2313,7 +2313,7 @@ static void filemap_get_read_batch(struc break; if (xa_is_sibling(folio)) break; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) goto retry; if (unlikely(folio != xas_reload(&xas))) @@ -3472,7 +3472,7 @@ static struct folio *next_uptodate_folio continue; if (folio_test_locked(folio)) continue; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) continue; /* Has the page moved or been split? */ if (unlikely(folio != xas_reload(xas))) --- a/mm/gup.c~mm-page_ref-remove-folio_try_get_rcu +++ a/mm/gup.c @@ -76,7 +76,7 @@ retry: folio = page_folio(page); if (WARN_ON_ONCE(folio_ref_count(folio) < 0)) return NULL; - if (unlikely(!folio_ref_try_add_rcu(folio, refs))) + if (unlikely(!folio_ref_try_add(folio, refs))) return NULL; /* _ Patches currently in -mm which might be from yang(a)os.amperecomputing.com are mm-page_ref-remove-folio_try_get_rcu.patch

1 year, 2 months

1
0
0 0

[RESEND PATCH] mm: page_ref: remove folio_try_get_rcu()

by Yang Shi

The below bug was reported on a non-SMP kernel: [ 275.267158][ T4335] ------------[ cut here ]------------ [ 275.267949][ T4335] kernel BUG at include/linux/page_ref.h:275! [ 275.268526][ T4335] invalid opcode: 0000 [#1] KASAN PTI [ 275.269001][ T4335] CPU: 0 PID: 4335 Comm: trinity-c3 Not tainted 6.7.0-rc4-00061-gefa7df3e3bb5 #1 [ 275.269787][ T4335] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 275.270679][ T4335] RIP: 0010:try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.272813][ T4335] RSP: 0018:ffffc90005dcf650 EFLAGS: 00010202 [ 275.273346][ T4335] RAX: 0000000000000246 RBX: ffffea00066e0000 RCX: 0000000000000000 [ 275.274032][ T4335] RDX: fffff94000cdc007 RSI: 0000000000000004 RDI: ffffea00066e0034 [ 275.274719][ T4335] RBP: ffffea00066e0000 R08: 0000000000000000 R09: fffff94000cdc006 [ 275.275404][ T4335] R10: ffffea00066e0037 R11: 0000000000000000 R12: 0000000000000136 [ 275.276106][ T4335] R13: ffffea00066e0034 R14: dffffc0000000000 R15: ffffea00066e0008 [ 275.276790][ T4335] FS: 00007fa2f9b61740(0000) GS:ffffffff89d0d000(0000) knlGS:0000000000000000 [ 275.277570][ T4335] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 275.278143][ T4335] CR2: 00007fa2f6c00000 CR3: 0000000134b04000 CR4: 00000000000406f0 [ 275.278833][ T4335] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 275.279521][ T4335] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 275.280201][ T4335] Call Trace: [ 275.280499][ T4335] <TASK> [ 275.280751][ T4335] ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) [ 275.281087][ T4335] ? do_trap (arch/x86/kernel/traps.c:112 arch/x86/kernel/traps.c:153) [ 275.281463][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.281884][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.282300][ T4335] ? do_error_trap (arch/x86/kernel/traps.c:174) [ 275.282711][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283129][ T4335] ? handle_invalid_op (arch/x86/kernel/traps.c:212) [ 275.283561][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283990][ T4335] ? exc_invalid_op (arch/x86/kernel/traps.c:264) [ 275.284415][ T4335] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:568) [ 275.284859][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.285278][ T4335] try_grab_folio (mm/gup.c:148) [ 275.285684][ T4335] __get_user_pages (mm/gup.c:1297 (discriminator 1)) [ 275.286111][ T4335] ? __pfx___get_user_pages (mm/gup.c:1188) [ 275.286579][ T4335] ? __pfx_validate_chain (kernel/locking/lockdep.c:3825) [ 275.287034][ T4335] ? mark_lock (kernel/locking/lockdep.c:4656 (discriminator 1)) [ 275.287416][ T4335] __gup_longterm_locked (mm/gup.c:1509 mm/gup.c:2209) [ 275.288192][ T4335] ? __pfx___gup_longterm_locked (mm/gup.c:2204) [ 275.288697][ T4335] ? __pfx_lock_acquire (kernel/locking/lockdep.c:5722) [ 275.289135][ T4335] ? __pfx___might_resched (kernel/sched/core.c:10106) [ 275.289595][ T4335] pin_user_pages_remote (mm/gup.c:3350) [ 275.290041][ T4335] ? __pfx_pin_user_pages_remote (mm/gup.c:3350) [ 275.290545][ T4335] ? find_held_lock (kernel/locking/lockdep.c:5244 (discriminator 1)) [ 275.290961][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.291353][ T4335] process_vm_rw_single_vec+0x142/0x360 [ 275.291900][ T4335] ? __pfx_process_vm_rw_single_vec+0x10/0x10 [ 275.292471][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.292859][ T4335] process_vm_rw_core+0x272/0x4e0 [ 275.293384][ T4335] ? hlock_class (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228) [ 275.293780][ T4335] ? __pfx_process_vm_rw_core+0x10/0x10 [ 275.294350][ T4335] process_vm_rw (mm/process_vm_access.c:284) [ 275.294748][ T4335] ? __pfx_process_vm_rw (mm/process_vm_access.c:259) [ 275.295197][ T4335] ? __task_pid_nr_ns (include/linux/rcupdate.h:306 (discriminator 1) include/linux/rcupdate.h:780 (discriminator 1) kernel/pid.c:504 (discriminator 1)) [ 275.295634][ T4335] __x64_sys_process_vm_readv (mm/process_vm_access.c:291) [ 275.296139][ T4335] ? syscall_enter_from_user_mode (kernel/entry/common.c:94 kernel/entry/common.c:112) [ 275.296642][ T4335] do_syscall_64 (arch/x86/entry/common.c:51 (discriminator 1) arch/x86/entry/common.c:82 (discriminator 1)) [ 275.297032][ T4335] ? __task_pid_nr_ns (include/linux/rcupdate.h:306 (discriminator 1) include/linux/rcupdate.h:780 (discriminator 1) kernel/pid.c:504 (discriminator 1)) [ 275.297470][ T4335] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359) [ 275.297988][ T4335] ? do_syscall_64 (arch/x86/include/asm/cpufeature.h:171 arch/x86/entry/common.c:97) [ 275.298389][ T4335] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359) [ 275.298906][ T4335] ? do_syscall_64 (arch/x86/include/asm/cpufeature.h:171 arch/x86/entry/common.c:97) [ 275.299304][ T4335] ? do_syscall_64 (arch/x86/include/asm/cpufeature.h:171 arch/x86/entry/common.c:97) [ 275.299703][ T4335] ? do_syscall_64 (arch/x86/include/asm/cpufeature.h:171 arch/x86/entry/common.c:97) [ 275.300115][ T4335] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) This BUG is the VM_BUG_ON(!in_atomic() && !irqs_disabled()) assertion in folio_ref_try_add_rcu() for non-SMP kernel. The process_vm_readv() calls GUP to pin the THP. An optimization for pinning THP instroduced by commit 57edfcfd3419 ("mm/gup: accelerate thp gup even for "pages != NULL"") calls try_grab_folio() to pin the THP, but try_grab_folio() is supposed to be called in atomic context for non-SMP kernel, for example, irq disabled or preemption disabled, due to the optimization introduced by commit e286781d5f2e ("mm: speculative page references"). The commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") is not actually the root cause although it was bisected to. It just makes the problem exposed more likely. The follow up discussion suggested the optimization for non-SMP kernel may be out-dated and not worth it anymore [1]. So removing the optimization to silence the BUG. However calling try_grab_folio() in GUP slow path actually is unnecessary, so the following patch will clean this up. [1] https://lore.kernel.org/linux-mm/821cf1d6-92b9-4ac4-bacc-d8f2364ac14f@paulm… Fixes: 57edfcfd3419 ("mm/gup: accelerate thp gup even for "pages != NULL"") Reported-by: kernel test robot <oliver.sang(a)intel.com> Tested-by: Oliver Sang <oliver.sang(a)intel.com> Acked-by: Peter Xu <peterx(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: linux-stable <stable(a)vger.kernel.org> v6.6+ Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> --- include/linux/page_ref.h | 49 ++-------------------------------------- mm/filemap.c | 10 ++++---- mm/gup.c | 2 +- 3 files changed, 8 insertions(+), 53 deletions(-) * Added Tested-by tag and collected Acked-by tags diff --git a/include/linux/page_ref.h b/include/linux/page_ref.h index 1acf5bac7f50..490d0ad6e56d 100644 --- a/include/linux/page_ref.h +++ b/include/linux/page_ref.h @@ -258,54 +258,9 @@ static inline bool folio_try_get(struct folio *folio) return folio_ref_add_unless(folio, 1, 0); } -static inline bool folio_ref_try_add_rcu(struct folio *folio, int count) -{ -#ifdef CONFIG_TINY_RCU - /* - * The caller guarantees the folio will not be freed from interrupt - * context, so (on !SMP) we only need preemption to be disabled - * and TINY_RCU does that for us. - */ -# ifdef CONFIG_PREEMPT_COUNT - VM_BUG_ON(!in_atomic() && !irqs_disabled()); -# endif - VM_BUG_ON_FOLIO(folio_ref_count(folio) == 0, folio); - folio_ref_add(folio, count); -#else - if (unlikely(!folio_ref_add_unless(folio, count, 0))) { - /* Either the folio has been freed, or will be freed. */ - return false; - } -#endif - return true; -} - -/** - * folio_try_get_rcu - Attempt to increase the refcount on a folio. - * @folio: The folio. - * - * This is a version of folio_try_get() optimised for non-SMP kernels. - * If you are still holding the rcu_read_lock() after looking up the - * page and know that the page cannot have its refcount decreased to - * zero in interrupt context, you can use this instead of folio_try_get(). - * - * Example users include get_user_pages_fast() (as pages are not unmapped - * from interrupt context) and the page cache lookups (as pages are not - * truncated from interrupt context). We also know that pages are not - * frozen in interrupt context for the purposes of splitting or migration. - * - * You can also use this function if you're holding a lock that prevents - * pages being frozen & removed; eg the i_pages lock for the page cache - * or the mmap_lock or page table lock for page tables. In this case, - * it will always succeed, and you could have used a plain folio_get(), - * but it's sometimes more convenient to have a common function called - * from both locked and RCU-protected contexts. - * - * Return: True if the reference count was successfully incremented. - */ -static inline bool folio_try_get_rcu(struct folio *folio) +static inline bool folio_ref_try_add(struct folio *folio, int count) { - return folio_ref_try_add_rcu(folio, 1); + return folio_ref_add_unless(folio, count, 0); } static inline int page_ref_freeze(struct page *page, int count) diff --git a/mm/filemap.c b/mm/filemap.c index 78c8767c0a5a..37e2b2bb4a63 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -1847,7 +1847,7 @@ void *filemap_get_entry(struct address_space *mapping, pgoff_t index) if (!folio || xa_is_value(folio)) goto out; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) goto repeat; if (unlikely(folio != xas_reload(&xas))) { @@ -2001,7 +2001,7 @@ static inline struct folio *find_get_entry(struct xa_state *xas, pgoff_t max, if (!folio || xa_is_value(folio)) return folio; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) goto reset; if (unlikely(folio != xas_reload(xas))) { @@ -2181,7 +2181,7 @@ unsigned filemap_get_folios_contig(struct address_space *mapping, if (xa_is_value(folio)) goto update_start; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) goto retry; if (unlikely(folio != xas_reload(&xas))) @@ -2313,7 +2313,7 @@ static void filemap_get_read_batch(struct address_space *mapping, break; if (xa_is_sibling(folio)) break; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) goto retry; if (unlikely(folio != xas_reload(&xas))) @@ -3473,7 +3473,7 @@ static struct folio *next_uptodate_folio(struct xa_state *xas, continue; if (folio_test_locked(folio)) continue; - if (!folio_try_get_rcu(folio)) + if (!folio_try_get(folio)) continue; /* Has the page moved or been split? */ if (unlikely(folio != xas_reload(xas))) diff --git a/mm/gup.c b/mm/gup.c index 6ff9f95a99a7..d1d85c41371c 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -76,7 +76,7 @@ static inline struct folio *try_get_folio(struct page *page, int refs) folio = page_folio(page); if (WARN_ON_ONCE(folio_ref_count(folio) < 0)) return NULL; - if (unlikely(!folio_ref_try_add_rcu(folio, refs))) + if (unlikely(!folio_ref_try_add(folio, refs))) return NULL; /* -- 2.41.0

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] ima: Avoid blocking in RCU read-side critical section" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062438-shaft-herbicide-4e7d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 9a95c5bfbf02 ("ima: Avoid blocking in RCU read-side critical section") 260017f31a8c ("lsm: use default hook return value in call_int_hook()") 923831117611 ("evm: Move to LSM infrastructure") 84594c9ecdca ("ima: Move IMA-Appraisal to LSM infrastructure") cd3cec0a02c7 ("ima: Move to LSM infrastructure") 06cca5110774 ("integrity: Move integrity_kernel_module_request() to IMA") b8d997032a46 ("security: Introduce key_post_create_or_update hook") 2d705d802414 ("security: Introduce inode_post_remove_acl hook") 8b9d0b825c65 ("security: Introduce inode_post_set_acl hook") a7811e34d100 ("security: Introduce inode_post_create_tmpfile hook") f09068b5a114 ("security: Introduce file_release hook") 8f46ff5767b0 ("security: Introduce file_post_open hook") dae52cbf5887 ("security: Introduce inode_post_removexattr hook") 77fa6f314f03 ("security: Introduce inode_post_setattr hook") 314a8dc728d0 ("security: Align inode_setattr hook definition with EVM") 779cb1947e27 ("evm: Align evm_inode_post_setxattr() definition with LSM infrastructure") 2b6a4054f8c2 ("evm: Align evm_inode_setxattr() definition with LSM infrastructure") 784111d0093e ("evm: Align evm_inode_post_setattr() definition with LSM infrastructure") fec5f85e468d ("ima: Align ima_post_read_file() definition with LSM infrastructure") 526864dd2f60 ("ima: Align ima_inode_removexattr() definition with LSM infrastructure") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001 From: GUO Zihua <guozihua(a)huawei.com> Date: Tue, 7 May 2024 01:25:41 +0000 Subject: [PATCH] ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") Cc: stable(a)vger.kernel.org Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Acked-by: John Johansen <john.johansen(a)canonical.com> Reviewed-by: Mimi Zohar <zohar(a)linux.ibm.com> Reviewed-by: Casey Schaufler <casey(a)schaufler-ca.com> [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f804b76cde44..44488b1ab9a9 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -413,7 +413,7 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, #ifdef CONFIG_AUDIT LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) diff --git a/include/linux/security.h b/include/linux/security.h index 21cf70346b33..de3af33e6ff5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2048,7 +2048,8 @@ static inline void security_key_post_create_or_update(struct key *keyring, #ifdef CONFIG_AUDIT #ifdef CONFIG_SECURITY -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp); int security_audit_rule_known(struct audit_krule *krule); int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); void security_audit_rule_free(void *lsmrule); @@ -2056,7 +2057,7 @@ void security_audit_rule_free(void *lsmrule); #else static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index be8c680121e4..d6ef4f4f9cba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, entry->rule.buflen += f_val; f->lsm_str = str; err = security_audit_rule_init(f->type, f->op, str, - (void **)&f->lsm_rule); + (void **)&f->lsm_rule, + GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (err == -EINVAL) { @@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df, /* our own (refreshed) copy of lsm_rule */ ret = security_audit_rule_init(df->type, df->op, df->lsm_str, - (void **)&df->lsm_rule); + (void **)&df->lsm_rule, GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (ret == -EINVAL) { diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 45beb1c5f747..6b5181c668b5 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule) } } -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) { struct aa_audit_rule *rule; @@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); + rule = kzalloc(sizeof(struct aa_audit_rule), gfp); if (!rule) return -ENOMEM; /* Currently rules are treated as coming from the root ns */ rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, - GFP_KERNEL, true, false); + gfp, true, false); if (IS_ERR(rule->label)) { int err = PTR_ERR(rule->label); aa_audit_rule_free(rule); diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index acbb03b9bd25..0c8cc86b417b 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -200,7 +200,7 @@ static inline int complain_error(int error) } void aa_audit_rule_free(void *vrule); -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); int aa_audit_rule_known(struct audit_krule *rule); int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3e568126cd48..c51e24d24d1e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -546,7 +546,7 @@ static inline void ima_free_modsig(struct modsig *modsig) #else static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return -EINVAL; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c0556907c2e6..09da8e639239 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rule_entry *entry) kfree(entry); } -static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) +static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, + gfp_t gfp) { struct ima_rule_entry *nentry; int i; @@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) * Immutable elements are copied over as pointers and data; only * lsm rules can change */ - nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); + nentry = kmemdup(entry, sizeof(*nentry), gfp); if (!nentry) return NULL; @@ -425,7 +426,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); + &nentry->lsm[i].rule, + gfp); if (!nentry->lsm[i].rule) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); @@ -438,7 +440,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry) int i; struct ima_rule_entry *nentry; - nentry = ima_lsm_copy_rule(entry); + nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); if (!nentry) return -ENOMEM; @@ -664,7 +666,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, } if (rc == -ESTALE && !rule_reinitialized) { - lsm_rule = ima_lsm_copy_rule(rule); + lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); if (lsm_rule) { rule_reinitialized = true; goto retry; @@ -1140,7 +1142,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); + &entry->lsm[lsm_rule].rule, + GFP_KERNEL); if (!entry->lsm[lsm_rule].rule) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); diff --git a/security/security.c b/security/security.c index e5da848c50b9..e5ca08789f74 100644 --- a/security/security.c +++ b/security/security.c @@ -5332,15 +5332,17 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, * @op: rule operator * @rulestr: rule context * @lsmrule: receive buffer for audit rule struct + * @gfp: GFP flag used for kmalloc * * Allocate and initialize an LSM audit rule structure. * * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of * an invalid rule. */ -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp) { - return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); } /** diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 52aca71210b4..29c7d4c86f6d 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -21,12 +21,14 @@ * @op: the operator the rule uses * @rulestr: the text "target" of the rule * @rule: pointer to the new rule structure returned via this + * @gfp: GFP flag used for kmalloc * * Returns 0 if successful, -errno if not. On success, the rule structure * will be allocated internally. The caller must free this structure with * selinux_audit_rule_free() after use. */ -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, + gfp_t gfp); /** * selinux_audit_rule_free - free an selinux audit rule structure. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f20e1968b7f7..e33e55384b75 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3507,7 +3507,8 @@ void selinux_audit_rule_free(void *vrule) } } -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3548,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); + tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); if (!tmprule) return -ENOMEM; context_init(&tmprule->au_ctxt); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 70ba2841e181..f5cbec1e6a92 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4693,11 +4693,13 @@ static int smack_post_notification(const struct cred *w_cred, * @op: required testing operator (=, !=, >, <, ...) * @rulestr: smack label to be audited * @vrule: pointer to save our own audit rule representation + * @gfp: type of the memory for the allocation * * Prepare to audit cases where (@field @op @rulestr) is true. * The label to be audited is created if necessay. */ -static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct smack_known *skp; char **rule = (char **)vrule;

1 year, 2 months

3
4
0 0

[PATCH] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes

by Ma Ke

In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode(). Add a check to avoid null pointer dereference. Cc: stable(a)vger.kernel.org Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c index 670c9739e5e1..9c3dc9a5bb46 100644 --- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c @@ -258,6 +258,8 @@ static int nv17_tv_get_hd_modes(struct drm_encoder *encoder, if (modes[i].hdisplay == output_mode->hdisplay && modes[i].vdisplay == output_mode->vdisplay) { mode = drm_mode_duplicate(encoder->dev, output_mode); + if (!mode) + continue; mode->type |= DRM_MODE_TYPE_PREFERRED; } else { @@ -265,6 +267,8 @@ static int nv17_tv_get_hd_modes(struct drm_encoder *encoder, modes[i].vdisplay, 60, false, (output_mode->flags & DRM_MODE_FLAG_INTERLACE), false); + if (!mode) + continue; } /* CVT modes are sometimes unsuitable... */ -- 2.25.1

1 year, 2 months

3
2
0 0

[PATCH] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes

by Ma Ke

In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Cc: stable(a)vger.kernel.org Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c index 670c9739e5e1..4a08e61f3336 100644 --- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c @@ -209,6 +209,8 @@ static int nv17_tv_get_ld_modes(struct drm_encoder *encoder, struct drm_display_mode *mode; mode = drm_mode_duplicate(encoder->dev, tv_mode); + if (!mode) + continue; mode->clock = tv_norm->tv_enc_mode.vrefresh * mode->htotal / 1000 * -- 2.25.1

1 year, 2 months

4
3
0 0

FAILED: patch "[PATCH] selftests: mptcp: userspace_pm: fixed subtest names" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x e874557fce1b6023efafd523aee0c347bf7f1694 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062405-railway-unpack-e903@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: e874557fce1b ("selftests: mptcp: userspace_pm: fixed subtest names") 8ebb44196585 ("selftests: mptcp: print_test out of verify_listener_events") 2ef0d804c090 ("selftests: mptcp: userspace_pm: unique subtest names") 06848c0f341e ("selftests: mptcp: add evts_get_info helper") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e874557fce1b6023efafd523aee0c347bf7f1694 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 14 Jun 2024 19:15:29 +0200 Subject: [PATCH] selftests: mptcp: userspace_pm: fixed subtest names It is important to have fixed (sub)test names in TAP, because these names are used to identify them. If they are not fixed, tracking cannot be done. Some subtests from the userspace_pm selftest were using random numbers in their names: the client and server address IDs from $RANDOM, and the client port number randomly picked by the kernel when creating the connection. These values have been replaced by 'client' and 'server' words: that's even more helpful than showing random numbers. Note that the addresses IDs are incremented and decremented in the test: +1 or -1 are then displayed in these cases. Not to loose info that can be useful for debugging in case of issues, these random numbers are now displayed at the beginning of the test. Fixes: f589234e1af0 ("selftests: mptcp: userspace_pm: format subtests results in TAP") Cc: stable(a)vger.kernel.org Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://lore.kernel.org/r/20240614-upstream-net-20240614-selftests-mptcp-us… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/userspace_pm.sh b/tools/testing/selftests/net/mptcp/userspace_pm.sh index 9e2981f2d7f5..9cb05978269d 100755 --- a/tools/testing/selftests/net/mptcp/userspace_pm.sh +++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh @@ -160,10 +160,12 @@ make_connection() local is_v6=$1 local app_port=$app4_port local connect_addr="10.0.1.1" + local client_addr="10.0.1.2" local listen_addr="0.0.0.0" if [ "$is_v6" = "v6" ] then connect_addr="dead:beef:1::1" + client_addr="dead:beef:1::2" listen_addr="::" app_port=$app6_port else @@ -206,6 +208,7 @@ make_connection() [ "$server_serverside" = 1 ] then test_pass + print_title "Connection info: ${client_addr}:${client_port} -> ${connect_addr}:${app_port}" else test_fail "Expected tokens (c:${client_token} - s:${server_token}) and server (c:${client_serverside} - s:${server_serverside})" mptcp_lib_result_print_all_tap @@ -297,7 +300,7 @@ test_announce() ip netns exec "$ns2"\ ./pm_nl_ctl ann 10.0.2.2 token "$client4_token" id $client_addr_id dev\ ns2eth1 - print_test "ADD_ADDR id:${client_addr_id} 10.0.2.2 (ns2) => ns1, reuse port" + print_test "ADD_ADDR id:client 10.0.2.2 (ns2) => ns1, reuse port" sleep 0.5 verify_announce_event $server_evts $ANNOUNCED $server4_token "10.0.2.2" $client_addr_id \ "$client4_port" @@ -306,7 +309,7 @@ test_announce() :>"$server_evts" ip netns exec "$ns2" ./pm_nl_ctl ann\ dead:beef:2::2 token "$client6_token" id $client_addr_id dev ns2eth1 - print_test "ADD_ADDR6 id:${client_addr_id} dead:beef:2::2 (ns2) => ns1, reuse port" + print_test "ADD_ADDR6 id:client dead:beef:2::2 (ns2) => ns1, reuse port" sleep 0.5 verify_announce_event "$server_evts" "$ANNOUNCED" "$server6_token" "dead:beef:2::2"\ "$client_addr_id" "$client6_port" "v6" @@ -316,7 +319,7 @@ test_announce() client_addr_id=$((client_addr_id+1)) ip netns exec "$ns2" ./pm_nl_ctl ann 10.0.2.2 token "$client4_token" id\ $client_addr_id dev ns2eth1 port $new4_port - print_test "ADD_ADDR id:${client_addr_id} 10.0.2.2 (ns2) => ns1, new port" + print_test "ADD_ADDR id:client+1 10.0.2.2 (ns2) => ns1, new port" sleep 0.5 verify_announce_event "$server_evts" "$ANNOUNCED" "$server4_token" "10.0.2.2"\ "$client_addr_id" "$new4_port" @@ -327,7 +330,7 @@ test_announce() # ADD_ADDR from the server to client machine reusing the subflow port ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server4_token" id\ $server_addr_id dev ns1eth2 - print_test "ADD_ADDR id:${server_addr_id} 10.0.2.1 (ns1) => ns2, reuse port" + print_test "ADD_ADDR id:server 10.0.2.1 (ns1) => ns2, reuse port" sleep 0.5 verify_announce_event "$client_evts" "$ANNOUNCED" "$client4_token" "10.0.2.1"\ "$server_addr_id" "$app4_port" @@ -336,7 +339,7 @@ test_announce() :>"$client_evts" ip netns exec "$ns1" ./pm_nl_ctl ann dead:beef:2::1 token "$server6_token" id\ $server_addr_id dev ns1eth2 - print_test "ADD_ADDR6 id:${server_addr_id} dead:beef:2::1 (ns1) => ns2, reuse port" + print_test "ADD_ADDR6 id:server dead:beef:2::1 (ns1) => ns2, reuse port" sleep 0.5 verify_announce_event "$client_evts" "$ANNOUNCED" "$client6_token" "dead:beef:2::1"\ "$server_addr_id" "$app6_port" "v6" @@ -346,7 +349,7 @@ test_announce() server_addr_id=$((server_addr_id+1)) ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server4_token" id\ $server_addr_id dev ns1eth2 port $new4_port - print_test "ADD_ADDR id:${server_addr_id} 10.0.2.1 (ns1) => ns2, new port" + print_test "ADD_ADDR id:server+1 10.0.2.1 (ns1) => ns2, new port" sleep 0.5 verify_announce_event "$client_evts" "$ANNOUNCED" "$client4_token" "10.0.2.1"\ "$server_addr_id" "$new4_port" @@ -380,7 +383,7 @@ test_remove() local invalid_token=$(( client4_token - 1 )) ip netns exec "$ns2" ./pm_nl_ctl rem token $invalid_token id\ $client_addr_id > /dev/null 2>&1 - print_test "RM_ADDR id:${client_addr_id} ns2 => ns1, invalid token" + print_test "RM_ADDR id:client ns2 => ns1, invalid token" local type type=$(mptcp_lib_evts_get_info type "$server_evts") if [ "$type" = "" ] @@ -394,7 +397,7 @@ test_remove() local invalid_id=$(( client_addr_id + 1 )) ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\ $invalid_id > /dev/null 2>&1 - print_test "RM_ADDR id:${invalid_id} ns2 => ns1, invalid id" + print_test "RM_ADDR id:client+1 ns2 => ns1, invalid id" type=$(mptcp_lib_evts_get_info type "$server_evts") if [ "$type" = "" ] then @@ -407,7 +410,7 @@ test_remove() :>"$server_evts" ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\ $client_addr_id - print_test "RM_ADDR id:${client_addr_id} ns2 => ns1" + print_test "RM_ADDR id:client ns2 => ns1" sleep 0.5 verify_remove_event "$server_evts" "$REMOVED" "$server4_token" "$client_addr_id" @@ -416,7 +419,7 @@ test_remove() client_addr_id=$(( client_addr_id - 1 )) ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\ $client_addr_id - print_test "RM_ADDR id:${client_addr_id} ns2 => ns1" + print_test "RM_ADDR id:client-1 ns2 => ns1" sleep 0.5 verify_remove_event "$server_evts" "$REMOVED" "$server4_token" "$client_addr_id" @@ -424,7 +427,7 @@ test_remove() :>"$server_evts" ip netns exec "$ns2" ./pm_nl_ctl rem token "$client6_token" id\ $client_addr_id - print_test "RM_ADDR6 id:${client_addr_id} ns2 => ns1" + print_test "RM_ADDR6 id:client-1 ns2 => ns1" sleep 0.5 verify_remove_event "$server_evts" "$REMOVED" "$server6_token" "$client_addr_id" @@ -434,7 +437,7 @@ test_remove() # RM_ADDR from the server to client machine ip netns exec "$ns1" ./pm_nl_ctl rem token "$server4_token" id\ $server_addr_id - print_test "RM_ADDR id:${server_addr_id} ns1 => ns2" + print_test "RM_ADDR id:server ns1 => ns2" sleep 0.5 verify_remove_event "$client_evts" "$REMOVED" "$client4_token" "$server_addr_id" @@ -443,7 +446,7 @@ test_remove() server_addr_id=$(( server_addr_id - 1 )) ip netns exec "$ns1" ./pm_nl_ctl rem token "$server4_token" id\ $server_addr_id - print_test "RM_ADDR id:${server_addr_id} ns1 => ns2" + print_test "RM_ADDR id:server-1 ns1 => ns2" sleep 0.5 verify_remove_event "$client_evts" "$REMOVED" "$client4_token" "$server_addr_id" @@ -451,7 +454,7 @@ test_remove() :>"$client_evts" ip netns exec "$ns1" ./pm_nl_ctl rem token "$server6_token" id\ $server_addr_id - print_test "RM_ADDR6 id:${server_addr_id} ns1 => ns2" + print_test "RM_ADDR6 id:server-1 ns1 => ns2" sleep 0.5 verify_remove_event "$client_evts" "$REMOVED" "$client6_token" "$server_addr_id" } @@ -479,8 +482,14 @@ verify_subflow_events() local locid local remid local info + local e_dport_txt - info="${e_saddr} (${e_from}) => ${e_daddr}:${e_dport} (${e_to})" + # only display the fixed ports + if [ "${e_dport}" -ge "${app4_port}" ] && [ "${e_dport}" -le "${app6_port}" ]; then + e_dport_txt=":${e_dport}" + fi + + info="${e_saddr} (${e_from}) => ${e_daddr}${e_dport_txt} (${e_to})" if [ "$e_type" = "$SUB_ESTABLISHED" ] then @@ -766,7 +775,7 @@ test_subflows_v4_v6_mix() :>"$client_evts" ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server6_token" id\ $server_addr_id dev ns1eth2 - print_test "ADD_ADDR4 id:${server_addr_id} 10.0.2.1 (ns1) => ns2, reuse port" + print_test "ADD_ADDR4 id:server 10.0.2.1 (ns1) => ns2, reuse port" sleep 0.5 verify_announce_event "$client_evts" "$ANNOUNCED" "$client6_token" "10.0.2.1"\ "$server_addr_id" "$app6_port" @@ -861,7 +870,7 @@ test_listener() local listener_pid=$! sleep 0.5 - print_test "CREATE_LISTENER 10.0.2.2:$client4_port" + print_test "CREATE_LISTENER 10.0.2.2 (client port)" verify_listener_events $client_evts $LISTENER_CREATED $AF_INET 10.0.2.2 $client4_port # ADD_ADDR from client to server machine reusing the subflow port @@ -878,13 +887,14 @@ test_listener() mptcp_lib_kill_wait $listener_pid sleep 0.5 - print_test "CLOSE_LISTENER 10.0.2.2:$client4_port" + print_test "CLOSE_LISTENER 10.0.2.2 (client port)" verify_listener_events $client_evts $LISTENER_CLOSED $AF_INET 10.0.2.2 $client4_port } print_title "Make connections" make_connection make_connection "v6" +print_title "Will be using address IDs ${client_addr_id} (client) and ${server_addr_id} (server)" test_announce test_remove

1 year, 2 months

2
3
0 0

[PATCH v2] serial: 8250_omap: Fix Errata i2310 with RX FIFO level check

by Udit Kumar

Errata i2310[0] says, Erroneous timeout can be triggered, if this Erroneous interrupt is not cleared then it may leads to storm of interrupts. Commit 9d141c1e6157 ("serial: 8250_omap: Implementation of Errata i2310") which added the workaround but missed ensuring RX FIFO is really empty before applying the errata workaround as recommended in the errata text. Fix this by adding back check for UART_OMAP_RX_LVL to be 0 for workaround to take effect. [0] https://www.ti.com/lit/pdf/sprz536 page 23 Fixes: 9d141c1e6157 ("serial: 8250_omap: Implementation of Errata i2310") Cc: stable(a)vger.kernel.org Reported-by: Vignesh Raghavendra <vigneshr(a)ti.com> Closes: https://lore.kernel.org/all/e96d0c55-0b12-4cbf-9d23-48963543de49@ti.com/ Signed-off-by: Udit Kumar <u-kumar1(a)ti.com> --- Testlogs https://gist.github.com/uditkumarti/4f5120f203a238fbebe411eb82b63753 Changelog: Changes in v2 - Update commit message, subject, Fixes tag link to v1: https://lore.kernel.org/all/20240625051338.2761599-1-u-kumar1@ti.com/ drivers/tty/serial/8250/8250_omap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c index ddac0a13cf84..1af9aed99c65 100644 --- a/drivers/tty/serial/8250/8250_omap.c +++ b/drivers/tty/serial/8250/8250_omap.c @@ -672,7 +672,8 @@ static irqreturn_t omap8250_irq(int irq, void *dev_id) * https://www.ti.com/lit/pdf/sprz536 */ if (priv->habit & UART_RX_TIMEOUT_QUIRK && - (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT) { + (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT && + serial_port_in(port, UART_OMAP_RX_LVL) == 0) { unsigned char efr2, timeout_h, timeout_l; efr2 = serial_in(up, UART_OMAP_EFR2); -- 2.34.1

1 year, 2 months

1
0
0 0

Re: [PATCH 6.9 000/250] 6.9.7-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

1 year, 2 months

1
0
0 0

Re: [PATCH 6.6 100/192] netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core

by wujianguo

Hi Greg, This commit causes a compilation error when CONFIG_SYSFS is not enabled in config I have sent a fix patch: https://lkml.org/lkml/2024/6/21/123 在 2024/6/25 17:32, Greg Kroah-Hartman 写道: > 6.6-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Jianguo Wu <wujianguo(a)chinatelecom.cn> > > [ Upstream commit a2225e0250c5fa397dcebf6ce65a9f05a114e0cf ] > > Currently, the sysctl net.netfilter.nf_hooks_lwtunnel depends on the > nf_conntrack module, but the nf_conntrack module is not always loaded. > Therefore, accessing net.netfilter.nf_hooks_lwtunnel may have an error. > > Move sysctl nf_hooks_lwtunnel into the netfilter core. > > Fixes: 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane") > Suggested-by: Pablo Neira Ayuso <pablo(a)netfilter.org> > Signed-off-by: Jianguo Wu <wujianguo(a)chinatelecom.cn> > Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > --- > include/net/netns/netfilter.h | 3 + > net/netfilter/core.c | 13 +++++- > net/netfilter/nf_conntrack_standalone.c | 15 ------- > net/netfilter/nf_hooks_lwtunnel.c | 67 ++++++++++++++++++++++++++++++++ > net/netfilter/nf_internals.h | 6 ++ > 5 files changed, 87 insertions(+), 17 deletions(-) > > --- a/include/net/netns/netfilter.h > +++ b/include/net/netns/netfilter.h > @@ -15,6 +15,9 @@ struct netns_nf { > const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO]; > #ifdef CONFIG_SYSCTL > struct ctl_table_header *nf_log_dir_header; > +#ifdef CONFIG_LWTUNNEL > + struct ctl_table_header *nf_lwtnl_dir_header; > +#endif > #endif > struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS]; > struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS]; > --- a/net/netfilter/core.c > +++ b/net/netfilter/core.c > @@ -815,12 +815,21 @@ int __init netfilter_init(void) > if (ret < 0) > goto err; > > +#ifdef CONFIG_LWTUNNEL > + ret = netfilter_lwtunnel_init(); > + if (ret < 0) > + goto err_lwtunnel_pernet; > +#endif > ret = netfilter_log_init(); > if (ret < 0) > - goto err_pernet; > + goto err_log_pernet; > > return 0; > -err_pernet: > +err_log_pernet: > +#ifdef CONFIG_LWTUNNEL > + netfilter_lwtunnel_fini(); > +err_lwtunnel_pernet: > +#endif > unregister_pernet_subsys(&netfilter_net_ops); > err: > return ret; > --- a/net/netfilter/nf_conntrack_standalone.c > +++ b/net/netfilter/nf_conntrack_standalone.c > @@ -22,9 +22,6 @@ > #include <net/netfilter/nf_conntrack_acct.h> > #include <net/netfilter/nf_conntrack_zones.h> > #include <net/netfilter/nf_conntrack_timestamp.h> > -#ifdef CONFIG_LWTUNNEL > -#include <net/netfilter/nf_hooks_lwtunnel.h> > -#endif > #include <linux/rculist_nulls.h> > > static bool enable_hooks __read_mostly; > @@ -612,9 +609,6 @@ enum nf_ct_sysctl_index { > NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, > NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, > #endif > -#ifdef CONFIG_LWTUNNEL > - NF_SYSCTL_CT_LWTUNNEL, > -#endif > > __NF_SYSCTL_CT_LAST_SYSCTL, > }; > @@ -948,15 +942,6 @@ static struct ctl_table nf_ct_sysctl_tab > .proc_handler = proc_dointvec_jiffies, > }, > #endif > -#ifdef CONFIG_LWTUNNEL > - [NF_SYSCTL_CT_LWTUNNEL] = { > - .procname = "nf_hooks_lwtunnel", > - .data = NULL, > - .maxlen = sizeof(int), > - .mode = 0644, > - .proc_handler = nf_hooks_lwtunnel_sysctl_handler, > - }, > -#endif > {} > }; > > --- a/net/netfilter/nf_hooks_lwtunnel.c > +++ b/net/netfilter/nf_hooks_lwtunnel.c > @@ -3,6 +3,9 @@ > #include <linux/sysctl.h> > #include <net/lwtunnel.h> > #include <net/netfilter/nf_hooks_lwtunnel.h> > +#include <linux/netfilter.h> > + > +#include "nf_internals.h" > > static inline int nf_hooks_lwtunnel_get(void) > { > @@ -50,4 +53,68 @@ int nf_hooks_lwtunnel_sysctl_handler(str > return ret; > } > EXPORT_SYMBOL_GPL(nf_hooks_lwtunnel_sysctl_handler); > + > +static struct ctl_table nf_lwtunnel_sysctl_table[] = { > + { > + .procname = "nf_hooks_lwtunnel", > + .data = NULL, > + .maxlen = sizeof(int), > + .mode = 0644, > + .proc_handler = nf_hooks_lwtunnel_sysctl_handler, > + }, > +}; > + > +static int __net_init nf_lwtunnel_net_init(struct net *net) > +{ > + struct ctl_table_header *hdr; > + struct ctl_table *table; > + > + table = nf_lwtunnel_sysctl_table; > + if (!net_eq(net, &init_net)) { > + table = kmemdup(nf_lwtunnel_sysctl_table, > + sizeof(nf_lwtunnel_sysctl_table), > + GFP_KERNEL); > + if (!table) > + goto err_alloc; > + } > + > + hdr = register_net_sysctl_sz(net, "net/netfilter", table, > + ARRAY_SIZE(nf_lwtunnel_sysctl_table)); > + if (!hdr) > + goto err_reg; > + > + net->nf.nf_lwtnl_dir_header = hdr; > + > + return 0; > +err_reg: > + if (!net_eq(net, &init_net)) > + kfree(table); > +err_alloc: > + return -ENOMEM; > +} > + > +static void __net_exit nf_lwtunnel_net_exit(struct net *net) > +{ > + const struct ctl_table *table; > + > + table = net->nf.nf_lwtnl_dir_header->ctl_table_arg; > + unregister_net_sysctl_table(net->nf.nf_lwtnl_dir_header); > + if (!net_eq(net, &init_net)) > + kfree(table); > +} > + > +static struct pernet_operations nf_lwtunnel_net_ops = { > + .init = nf_lwtunnel_net_init, > + .exit = nf_lwtunnel_net_exit, > +}; > + > +int __init netfilter_lwtunnel_init(void) > +{ > + return register_pernet_subsys(&nf_lwtunnel_net_ops); > +} > + > +void netfilter_lwtunnel_fini(void) > +{ > + unregister_pernet_subsys(&nf_lwtunnel_net_ops); > +} > #endif /* CONFIG_SYSCTL */ > --- a/net/netfilter/nf_internals.h > +++ b/net/netfilter/nf_internals.h > @@ -29,6 +29,12 @@ void nf_queue_nf_hook_drop(struct net *n > /* nf_log.c */ > int __init netfilter_log_init(void); > > +#ifdef CONFIG_LWTUNNEL > +/* nf_hooks_lwtunnel.c */ > +int __init netfilter_lwtunnel_init(void); > +void netfilter_lwtunnel_fini(void); > +#endif > + > /* core.c */ > void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp, > const struct nf_hook_ops *reg); > > >

1 year, 2 months

3
3
0 0

[PATCH v2] aoe: fix the potential use-after-free problem in more places

by Chun-Yi Lee

For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 Fixes: f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") Reported-by: Nicolai Stange <nstange(a)suse.com> Signed-off-by: Chun-Yi Lee <jlee(a)suse.com> --- v2: - Improve patch description - Improved wording - Add oneline summary of the commit f98364e92662 - Used curly brackets in the if-else blocks. drivers/block/aoe/aoecmd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c index cc9077b588d7..d1f4ddc57645 100644 --- a/drivers/block/aoe/aoecmd.c +++ b/drivers/block/aoe/aoecmd.c @@ -361,6 +361,7 @@ ata_rw_frameinit(struct frame *f) } ah->cmdstat = ATA_CMD_PIO_READ | writebit | extbit; + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; } @@ -401,6 +402,8 @@ aoecmd_ata_rw(struct aoedev *d) __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); aoenet_xmit(&queue); + } else { + dev_put(f->t->ifp->nd); } return 1; } @@ -483,10 +486,13 @@ resend(struct aoedev *d, struct frame *f) memcpy(h->dst, t->addr, sizeof h->dst); memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src); + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; skb = skb_clone(skb, GFP_ATOMIC); - if (skb == NULL) + if (skb == NULL) { + dev_put(t->ifp->nd); return; + } f->sent = ktime_get(); __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); @@ -617,6 +623,8 @@ probe(struct aoetgt *t) __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); aoenet_xmit(&queue); + } else { + dev_put(f->t->ifp->nd); } } @@ -1395,6 +1403,7 @@ aoecmd_ata_id(struct aoedev *d) ah->cmdstat = ATA_CMD_ID_ATA; ah->lba3 = 0xa0; + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; d->rttavg = RTTAVG_INIT; @@ -1404,6 +1413,8 @@ aoecmd_ata_id(struct aoedev *d) skb = skb_clone(skb, GFP_ATOMIC); if (skb) f->sent = ktime_get(); + else + dev_put(t->ifp->nd); return skb; } -- 2.35.3

1 year, 2 months

6
12
0 0

[PATCH] ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models

by Niklas Cassel

We got another report that CT1000BX500SSD1 does not work with LPM. If you look in libata-core.c, we have six different Crucial devices that are marked with ATA_HORKAGE_NOLPM. This model would have been the seventh. (This quirk is used on Crucial models starting with both CT* and Crucial_CT*) It is obvious that this vendor does not have a great history of supporting LPM properly, therefore, add the ATA_HORKAGE_NOLPM quirk for all Crucial BX SSD1 models. Fixes: 7627a0edef54 ("ata: ahci: Drop low power policy board type") Cc: stable(a)vger.kernel.org Reported-by: Tkd-Alex <alex.tkd.alex(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218832 Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/ata/libata-core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index e1bf8a19b3c8..efb5195da60c 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -4137,8 +4137,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { { "PIONEER BD-RW BDR-205", NULL, ATA_HORKAGE_NOLPM }, /* Crucial devices with broken LPM support */ - { "CT500BX100SSD1", NULL, ATA_HORKAGE_NOLPM }, - { "CT240BX500SSD1", NULL, ATA_HORKAGE_NOLPM }, + { "CT*0BX*00SSD1", NULL, ATA_HORKAGE_NOLPM }, /* 512GB MX100 with MU01 firmware has both queued TRIM and LPM issues */ { "Crucial_CT512MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | -- 2.45.2

1 year, 2 months

2
2
0 0

[PATCH v4 3/5] mei: vsc: Utilize the appropriate byte order swap function

by Wentong Wu

Switch from cpu_to_be32_array() to be32_to_cpu_array() for the received ROM data. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index 5f3195636e53..876330474444 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -336,7 +336,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf, void *ibuf, size_t len) return ret; if (ibuf) - cpu_to_be32_array(ibuf, tp->rx_buf, words); + be32_to_cpu_array(ibuf, tp->rx_buf, words); return ret; } -- 2.34.1

1 year, 2 months

2
1
0 0

[PATCH v4 2/5] mei: vsc: Prevent timeout error with added delay post-firmware download

by Wentong Wu

After completing the firmware download, the firmware requires some time to become functional. This change introduces additional sleep time before the first read operation to prevent a confusing timeout error in vsc_tp_xfer(). Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/platform-vsc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/misc/mei/platform-vsc.c b/drivers/misc/mei/platform-vsc.c index 1ec65d87488a..d02f6e881139 100644 --- a/drivers/misc/mei/platform-vsc.c +++ b/drivers/misc/mei/platform-vsc.c @@ -28,8 +28,8 @@ #define MEI_VSC_MAX_MSG_SIZE 512 -#define MEI_VSC_POLL_DELAY_US (50 * USEC_PER_MSEC) -#define MEI_VSC_POLL_TIMEOUT_US (200 * USEC_PER_MSEC) +#define MEI_VSC_POLL_DELAY_US (100 * USEC_PER_MSEC) +#define MEI_VSC_POLL_TIMEOUT_US (400 * USEC_PER_MSEC) #define mei_dev_to_vsc_hw(dev) ((struct mei_vsc_hw *)((dev)->hw)) -- 2.34.1

1 year, 2 months

2
1
0 0

[PATCH v4 1/5] mei: vsc: Enhance IVSC chipset stability during warm reboot

by Wentong Wu

During system shutdown, incorporate reset logic to ensure the IVSC chipset remains in a valid state. This adjustment guarantees that the IVSC chipset operates in a known state following a warm reboot. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index e6a98dba8a73..5f3195636e53 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -568,6 +568,19 @@ static void vsc_tp_remove(struct spi_device *spi) free_irq(spi->irq, tp); } +static void vsc_tp_shutdown(struct spi_device *spi) +{ + struct vsc_tp *tp = spi_get_drvdata(spi); + + platform_device_unregister(tp->pdev); + + mutex_destroy(&tp->mutex); + + vsc_tp_reset(tp); + + free_irq(spi->irq, tp); +} + static const struct acpi_device_id vsc_tp_acpi_ids[] = { { "INTC1009" }, /* Raptor Lake */ { "INTC1058" }, /* Tiger Lake */ @@ -580,6 +593,7 @@ MODULE_DEVICE_TABLE(acpi, vsc_tp_acpi_ids); static struct spi_driver vsc_tp_driver = { .probe = vsc_tp_probe, .remove = vsc_tp_remove, + .shutdown = vsc_tp_shutdown, .driver = { .name = "vsc-tp", .acpi_match_table = vsc_tp_acpi_ids, -- 2.34.1

1 year, 2 months

2
1
0 0

[PATCH v1] pmdomain: imx8m-blk-ctrl: fix suspend/resume order

by Vitor Soares

From: Vitor Soares <vitor.soares(a)toradex.com> During the probe, the genpd power_dev is added to the dpm_list after blk_ctrl due to its parent/child relationship. Making the blk_ctrl suspend after and resume before the genpd power_dev. As a consequence, the system hangs when resuming the VPU due to the power domain dependency. To ensure the proper suspend/resume order, add a device link betweem blk_ctrl and genpd power_dev. It guarantees genpd power_dev is suspended after and resumed before blk-ctrl. Cc: <stable(a)vger.kernel.org> Closes: https://lore.kernel.org/all/fccbb040330a706a4f7b34875db1d896a0bf81c8.camel@… Link: https://lore.kernel.org/all/20240409085802.290439-1-ivitro@gmail.com/ Fixes: 2684ac05a8c4 ("soc: imx: add i.MX8M blk-ctrl driver") Suggested-by: Lucas Stach <l.stach(a)pengutronix.de> Signed-off-by: Vitor Soares <vitor.soares(a)toradex.com> --- This is a new patch, but is a follow-up of: https://lore.kernel.org/all/20240409085802.290439-1-ivitro@gmail.com/ As suggested by Lucas, we are addressing this PM issue in the imx8m-blk-ctrl driver instead of in the imx8mm.dtsi. drivers/pmdomain/imx/imx8m-blk-ctrl.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/pmdomain/imx/imx8m-blk-ctrl.c b/drivers/pmdomain/imx/imx8m-blk-ctrl.c index ca942d7929c2..cd0d2296080d 100644 --- a/drivers/pmdomain/imx/imx8m-blk-ctrl.c +++ b/drivers/pmdomain/imx/imx8m-blk-ctrl.c @@ -283,6 +283,20 @@ static int imx8m_blk_ctrl_probe(struct platform_device *pdev) goto cleanup_pds; } + /* + * Enforce suspend/resume ordering by making genpd power_dev a + * provider of blk-ctrl. Genpd power_dev is suspended after and + * resumed before blk-ctrl. + */ + if (!device_link_add(dev, domain->power_dev, DL_FLAG_STATELESS)) { + ret = -EINVAL; + dev_err_probe(dev, ret, + "failed to link to %s\n", data->name); + pm_genpd_remove(&domain->genpd); + dev_pm_domain_detach(domain->power_dev, true); + goto cleanup_pds; + } + /* * We use runtime PM to trigger power on/off of the upstream GPC * domain, as a strict hierarchical parent/child power domain @@ -324,6 +338,7 @@ static int imx8m_blk_ctrl_probe(struct platform_device *pdev) of_genpd_del_provider(dev->of_node); cleanup_pds: for (i--; i >= 0; i--) { + device_link_remove(dev, bc->domains[i].power_dev); pm_genpd_remove(&bc->domains[i].genpd); dev_pm_domain_detach(bc->domains[i].power_dev, true); } @@ -343,6 +358,7 @@ static void imx8m_blk_ctrl_remove(struct platform_device *pdev) for (i = 0; bc->onecell_data.num_domains; i++) { struct imx8m_blk_ctrl_domain *domain = &bc->domains[i]; + device_link_remove(&pdev->dev, domain->power_dev); pm_genpd_remove(&domain->genpd); dev_pm_domain_detach(domain->power_dev, true); } -- 2.34.1

1 year, 2 months

6
7
0 0

[PATCH v5.4.y v4] mtd: spinand: macronix: Add support for serial NAND flash

by Cheng Ming Lin

From: Cheng Ming Lin <chengminglin(a)mxic.com.tw> commit c374839f9b4475173e536d1eaddff45cb481dbdf upstream. Macronix NAND Flash devices are available in different configurations and densities. MX"35" means SPI NAND MX35"LF"/"UF" , LF means 3V and UF meands 1.8V MX35LF"2G" , 2G means 2Gbits MX35LF2G"E4"/"24"/"14", E4 means internal ECC and Quad I/O(x4) 24 means 8-bit ecc requirement and Quad I/O(x4) 14 means 4-bit ecc requirement and Quad I/O(x4) MX35LF2G14AC is 3V 2Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7926/MX35LF2G14AC,%203V… MX35UF4G24AD/MX35UF2G24AD/MX35UF1G24AD is 1.8V 4Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7980/MX35UF4G24AD,%201.… MX35UF4GE4AD/MX35UF2GE4AD/MX35UF1GE4AD are 1.8V 4G/2Gbit serial NAND flash device with 8-bit on-die ECC https://www.mxic.com.tw/Lists/Datasheet/Attachments/7983/MX35UF4GE4AD,%201.… MX35UF2GE4AC/MX35UF1GE4AC are 1.8V 2G/1Gbit serial NAND flash device with 8-bit on-die ECC https://www.mxic.com.tw/Lists/Datasheet/Attachments/7974/MX35UF2GE4AC,%201.… MX35UF2G14AC/MX35UF1G14AC are 1.8V 2G/1Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7931/MX35UF2G14AC,%201.… Validated via normal(default) and QUAD mode by read, erase, read back, on Xilinx Zynq PicoZed FPGA board which included Macronix SPI Host(drivers/spi/spi-mxic.c). Cc: stable(a)vger.kernel.org # 5.4.y Signed-off-by: Cheng Ming Lin <chengminglin(a)mxic.com.tw> Signed-off-by: Jaime Liao <jaimeliao(a)mxic.com.tw> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Link: https://lore.kernel.org/linux-mtd/1621475108-22523-1-git-send-email-jaimeli… --- drivers/mtd/nand/spi/macronix.c | 99 +++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/drivers/mtd/nand/spi/macronix.c b/drivers/mtd/nand/spi/macronix.c index f18c6cfe8ff5..a38d0de5f765 100644 --- a/drivers/mtd/nand/spi/macronix.c +++ b/drivers/mtd/nand/spi/macronix.c @@ -132,6 +132,105 @@ static const struct spinand_info macronix_spinand_table[] = { &update_cache_variants), SPINAND_HAS_QE_BIT, SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, NULL)), + SPINAND_INFO("MX35LF2G14AC", 0x20, + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF4G24AD", 0xb5, + NAND_MEMORG(1, 4096, 256, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF4GE4AD", 0xb7, + NAND_MEMORG(1, 4096, 256, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2G14AC", 0xa0, + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2G24AD", 0xa4, + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2GE4AD", 0xa6, + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2GE4AC", 0xa2, + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1G14AC", 0x90, + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1G24AD", 0x94, + NAND_MEMORG(1, 2048, 128, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1GE4AD", 0x96, + NAND_MEMORG(1, 2048, 128, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1GE4AC", 0x92, + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), }; static int macronix_spinand_detect(struct spinand_device *spinand) -- 2.25.1

1 year, 2 months

1
0
0 0

[PATCH v5.10.y v2] mtd: spinand: macronix: Add support for serial NAND flash

by Cheng Ming Lin

From: Cheng Ming Lin <chengminglin(a)mxic.com.tw> [ Upstream commit c374839f9b4475173e536d1eaddff45cb481dbdf ] Macronix NAND Flash devices are available in different configurations and densities. MX"35" means SPI NAND MX35"LF"/"UF" , LF means 3V and UF meands 1.8V MX35LF"2G" , 2G means 2Gbits MX35LF2G"E4"/"24"/"14", E4 means internal ECC and Quad I/O(x4) 24 means 8-bit ecc requirement and Quad I/O(x4) 14 means 4-bit ecc requirement and Quad I/O(x4) MX35LF2G14AC is 3V 2Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7926/MX35LF2G14AC,%203V… MX35UF4G24AD/MX35UF2G24AD/MX35UF1G24AD is 1.8V 4Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7980/MX35UF4G24AD,%201.… MX35UF4GE4AD/MX35UF2GE4AD/MX35UF1GE4AD are 1.8V 4G/2Gbit serial NAND flash device with 8-bit on-die ECC https://www.mxic.com.tw/Lists/Datasheet/Attachments/7983/MX35UF4GE4AD,%201.… MX35UF2GE4AC/MX35UF1GE4AC are 1.8V 2G/1Gbit serial NAND flash device with 8-bit on-die ECC https://www.mxic.com.tw/Lists/Datasheet/Attachments/7974/MX35UF2GE4AC,%201.… MX35UF2G14AC/MX35UF1G14AC are 1.8V 2G/1Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7931/MX35UF2G14AC,%201.… Validated via normal(default) and QUAD mode by read, erase, read back, on Xilinx Zynq PicoZed FPGA board which included Macronix SPI Host(drivers/spi/spi-mxic.c). Cc: stable(a)vger.kernel.org # 5.10.y Signed-off-by: Cheng Ming Lin <chengminglin(a)mxic.com.tw> Signed-off-by: Jaime Liao <jaimeliao(a)mxic.com.tw> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Link: https://lore.kernel.org/linux-mtd/1621475108-22523-1-git-send-email-jaimeli… --- drivers/mtd/nand/spi/macronix.c | 110 ++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/drivers/mtd/nand/spi/macronix.c b/drivers/mtd/nand/spi/macronix.c index 8bd3f6bf9b10..e42524687b5c 100644 --- a/drivers/mtd/nand/spi/macronix.c +++ b/drivers/mtd/nand/spi/macronix.c @@ -139,6 +139,116 @@ static const struct spinand_info macronix_spinand_table[] = { 0, SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35LF2G14AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x20), + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF4G24AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xb5), + NAND_MEMORG(1, 4096, 256, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF4GE4AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xb7), + NAND_MEMORG(1, 4096, 256, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2G14AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xa0), + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2G24AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xa4), + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2GE4AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xa6), + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2GE4AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xa2), + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1G14AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x90), + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1G24AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x94), + NAND_MEMORG(1, 2048, 128, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1GE4AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x96), + NAND_MEMORG(1, 2048, 128, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1GE4AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x92), + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), SPINAND_INFO("MX31LF1GE4BC", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x1e), NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), -- 2.25.1

1 year, 2 months

1
0
0 0

[PATCH v5.4.y v3] mtd: spinand: macronix: Add support for serial NAND flash

by Cheng Ming Lin

From: Cheng Ming Lin <chengminglin(a)mxic.com.tw> Macronix NAND Flash devices are available in different configurations and densities. MX"35" means SPI NAND MX35"LF"/"UF" , LF means 3V and UF meands 1.8V MX35LF"2G" , 2G means 2Gbits MX35LF2G"E4"/"24"/"14", E4 means internal ECC and Quad I/O(x4) 24 means 8-bit ecc requirement and Quad I/O(x4) 14 means 4-bit ecc requirement and Quad I/O(x4) MX35LF2G14AC is 3V 2Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7926/MX35LF2G14AC,%203V… MX35UF4G24AD/MX35UF2G24AD/MX35UF1G24AD is 1.8V 4Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7980/MX35UF4G24AD,%201.… MX35UF4GE4AD/MX35UF2GE4AD/MX35UF1GE4AD are 1.8V 4G/2Gbit serial NAND flash device with 8-bit on-die ECC https://www.mxic.com.tw/Lists/Datasheet/Attachments/7983/MX35UF4GE4AD,%201.… MX35UF2GE4AC/MX35UF1GE4AC are 1.8V 2G/1Gbit serial NAND flash device with 8-bit on-die ECC https://www.mxic.com.tw/Lists/Datasheet/Attachments/7974/MX35UF2GE4AC,%201.… MX35UF2G14AC/MX35UF1G14AC are 1.8V 2G/1Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7931/MX35UF2G14AC,%201.… Validated via normal(default) and QUAD mode by read, erase, read back, on Xilinx Zynq PicoZed FPGA board which included Macronix SPI Host(drivers/spi/spi-mxic.c). Cc: stable(a)vger.kernel.org # 5.4.y Signed-off-by: Cheng Ming Lin <chengminglin(a)mxic.com.tw> Signed-off-by: Jaime Liao <jaimeliao(a)mxic.com.tw> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Link: https://lore.kernel.org/linux-mtd/1621475108-22523-1-git-send-email-jaimeli… --- drivers/mtd/nand/spi/macronix.c | 99 +++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/drivers/mtd/nand/spi/macronix.c b/drivers/mtd/nand/spi/macronix.c index f18c6cfe8ff5..a38d0de5f765 100644 --- a/drivers/mtd/nand/spi/macronix.c +++ b/drivers/mtd/nand/spi/macronix.c @@ -132,6 +132,105 @@ static const struct spinand_info macronix_spinand_table[] = { &update_cache_variants), SPINAND_HAS_QE_BIT, SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, NULL)), + SPINAND_INFO("MX35LF2G14AC", 0x20, + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF4G24AD", 0xb5, + NAND_MEMORG(1, 4096, 256, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF4GE4AD", 0xb7, + NAND_MEMORG(1, 4096, 256, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2G14AC", 0xa0, + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2G24AD", 0xa4, + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2GE4AD", 0xa6, + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2GE4AC", 0xa2, + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1G14AC", 0x90, + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1G24AD", 0x94, + NAND_MEMORG(1, 2048, 128, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1GE4AD", 0x96, + NAND_MEMORG(1, 2048, 128, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1GE4AC", 0x92, + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), }; static int macronix_spinand_detect(struct spinand_device *spinand) -- 2.25.1

1 year, 2 months

1
0
0 0

[PATCH v5.10.y] mtd: spinand: macronix: Add support for serial NAND flash

by Cheng Ming Lin

From: Cheng Ming Lin <chengminglin(a)mxic.com.tw> Macronix NAND Flash devices are available in different configurations and densities. MX"35" means SPI NAND MX35"LF"/"UF" , LF means 3V and UF meands 1.8V MX35LF"2G" , 2G means 2Gbits MX35LF2G"E4"/"24"/"14", E4 means internal ECC and Quad I/O(x4) 24 means 8-bit ecc requirement and Quad I/O(x4) 14 means 4-bit ecc requirement and Quad I/O(x4) MX35LF2G14AC is 3V 2Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7926/MX35LF2G14AC,%203V… MX35UF4G24AD/MX35UF2G24AD/MX35UF1G24AD is 1.8V 4Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7980/MX35UF4G24AD,%201.… MX35UF4GE4AD/MX35UF2GE4AD/MX35UF1GE4AD are 1.8V 4G/2Gbit serial NAND flash device with 8-bit on-die ECC https://www.mxic.com.tw/Lists/Datasheet/Attachments/7983/MX35UF4GE4AD,%201.… MX35UF2GE4AC/MX35UF1GE4AC are 1.8V 2G/1Gbit serial NAND flash device with 8-bit on-die ECC https://www.mxic.com.tw/Lists/Datasheet/Attachments/7974/MX35UF2GE4AC,%201.… MX35UF2G14AC/MX35UF1G14AC are 1.8V 2G/1Gbit serial NAND flash device (without on-die ECC) https://www.mxic.com.tw/Lists/Datasheet/Attachments/7931/MX35UF2G14AC,%201.… Validated via normal(default) and QUAD mode by read, erase, read back, on Xilinx Zynq PicoZed FPGA board which included Macronix SPI Host(drivers/spi/spi-mxic.c). Cc: stable(a)vger.kernel.org # 5.10.y Signed-off-by: Cheng Ming Lin <chengminglin(a)mxic.com.tw> Signed-off-by: Jaime Liao <jaimeliao(a)mxic.com.tw> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Link: https://lore.kernel.org/linux-mtd/1621475108-22523-1-git-send-email-jaimeli… --- drivers/mtd/nand/spi/macronix.c | 110 ++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/drivers/mtd/nand/spi/macronix.c b/drivers/mtd/nand/spi/macronix.c index 8bd3f6bf9b10..e42524687b5c 100644 --- a/drivers/mtd/nand/spi/macronix.c +++ b/drivers/mtd/nand/spi/macronix.c @@ -139,6 +139,116 @@ static const struct spinand_info macronix_spinand_table[] = { 0, SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35LF2G14AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x20), + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF4G24AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xb5), + NAND_MEMORG(1, 4096, 256, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF4GE4AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xb7), + NAND_MEMORG(1, 4096, 256, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2G14AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xa0), + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2G24AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xa4), + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 2, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2GE4AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xa6), + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF2GE4AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xa2), + NAND_MEMORG(1, 2048, 64, 64, 2048, 40, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1G14AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x90), + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1G24AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x94), + NAND_MEMORG(1, 2048, 128, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1GE4AD", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x96), + NAND_MEMORG(1, 2048, 128, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(8, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), + SPINAND_INFO("MX35UF1GE4AC", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x92), + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), + NAND_ECCREQ(4, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&mx35lfxge4ab_ooblayout, + mx35lf1ge4ab_ecc_get_status)), SPINAND_INFO("MX31LF1GE4BC", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0x1e), NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), -- 2.25.1

1 year, 2 months

1
0
0 0

Re: Patch "MIPS: pci: lantiq: restore reset gpio polarity" has been added to the 6.9-stable tree

by Martin Schiller

On 2024-06-24 19:01, gregkh(a)linuxfoundation.org wrote: > This is a note to let you know that I've just added the patch titled > > MIPS: pci: lantiq: restore reset gpio polarity > > to the 6.9-stable tree which can be found at: > > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > mips-pci-lantiq-restore-reset-gpio-polarity.patch > and it can be found in the queue-6.9 subdirectory. > > If you, or anyone else, feels it should not be added to the stable > tree, > please let <stable(a)vger.kernel.org> know about it. This patch is buggy and should not go into the stable trees. It has already been reverted upstream in the mips-fixes. Thank you very much and sorry for the inconvenience, Martin > > > From 277a0363120276645ae598d8d5fea7265e076ae9 Mon Sep 17 00:00:00 2001 > From: Martin Schiller <ms(a)dev.tdt.de> > Date: Fri, 7 Jun 2024 11:04:00 +0200 > Subject: MIPS: pci: lantiq: restore reset gpio polarity > > From: Martin Schiller <ms(a)dev.tdt.de> > > commit 277a0363120276645ae598d8d5fea7265e076ae9 upstream. > > Commit 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") > not > only switched to the gpiod API, but also inverted / changed the > polarity > of the GPIO. > > According to the PCI specification, the RST# pin is an active-low > signal. However, most of the device trees that have been widely used > for > a long time (mainly in the openWrt project) define this GPIO as > active-high and the old driver code inverted the signal internally. > > Apparently there are actually boards where the reset gpio must be > operated inverted. For this reason, we cannot use the > GPIOD_OUT_LOW/HIGH > flag for initialization. Instead, we must explicitly set the gpio to > value 1 in order to take into account any "GPIO_ACTIVE_LOW" flag that > may have been set. > > In order to remain compatible with all these existing device trees, we > should therefore keep the logic as it was before the commit. > > Fixes: 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") > Cc: stable(a)vger.kernel.org > Signed-off-by: Martin Schiller <ms(a)dev.tdt.de> > Signed-off-by: Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > arch/mips/pci/pci-lantiq.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > --- a/arch/mips/pci/pci-lantiq.c > +++ b/arch/mips/pci/pci-lantiq.c > @@ -124,14 +124,14 @@ static int ltq_pci_startup(struct platfo > clk_disable(clk_external); > > /* setup reset gpio used by pci */ > - reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset", > - GPIOD_OUT_LOW); > + reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset", > GPIOD_ASIS); > error = PTR_ERR_OR_ZERO(reset_gpio); > if (error) { > dev_err(&pdev->dev, "failed to request gpio: %d\n", error); > return error; > } > gpiod_set_consumer_name(reset_gpio, "pci_reset"); > + gpiod_direction_output(reset_gpio, 1); > > /* enable auto-switching between PCI and EBU */ > ltq_pci_w32(0xa, PCI_CR_CLK_CTRL); > @@ -194,10 +194,10 @@ static int ltq_pci_startup(struct platfo > > /* toggle reset pin */ > if (reset_gpio) { > - gpiod_set_value_cansleep(reset_gpio, 1); > + gpiod_set_value_cansleep(reset_gpio, 0); > wmb(); > mdelay(1); > - gpiod_set_value_cansleep(reset_gpio, 0); > + gpiod_set_value_cansleep(reset_gpio, 1); > } > return 0; > } > > > Patches currently in stable-queue which might be from ms(a)dev.tdt.de are > > queue-6.9/mips-pci-lantiq-restore-reset-gpio-polarity.patch

1 year, 2 months

2
1
0 0

Re: Patch "arm64: dts: qcom: qcs404: fix bluetooth device address" has been added to the 5.4-stable tree

by Johan Hovold

On Mon, Jun 24, 2024 at 11:30:42PM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > arm64: dts: qcom: qcs404: fix bluetooth device address > > to the 5.4-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > commit a48b0e85558565dc3a10c8021b1514099cada102 > Author: Johan Hovold <johan+linaro(a)kernel.org> > Date: Wed May 1 09:52:01 2024 +0200 > > arm64: dts: qcom: qcs404: fix bluetooth device address > > [ Upstream commit f5f390a77f18eaeb2c93211a1b7c5e66b5acd423 ] > > The 'local-bd-address' property is used to pass a unique Bluetooth > device address from the boot firmware to the kernel and should otherwise > be left unset so that the OS can prevent the controller from being used > until a valid address has been provided through some other means (e.g. > using btmgmt). > > Fixes: 60f77ae7d1c1 ("arm64: dts: qcom: qcs404-evb: Enable uart3 and add Bluetooth") > Cc: stable(a)vger.kernel.org # 5.10 This was supposed to say 5.2. Thanks for catching this. Johan

1 year, 2 months

1
0
0 0

[PATCH v2 08/13] sh: rework sync_file_range ABI

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> The unusual function calling conventions on SuperH ended up causing sync_file_range to have the wrong argument order, with the 'flags' argument getting sorted before 'nbytes' by the compiler. In userspace, I found that musl, glibc, uclibc and strace all expect the normal calling conventions with 'nbytes' last, so changing the kernel to match them should make all of those work. In order to be able to also fix libc implementations to work with existing kernels, they need to be able to tell which ABI is used. An easy way to do this is to add yet another system call using the sync_file_range2 ABI that works the same on all architectures. Old user binaries can now work on new kernels, and new binaries can try the new sync_file_range2() to work with new kernels or fall back to the old sync_file_range() version if that doesn't exist. Cc: stable(a)vger.kernel.org Fixes: 75c92acdd5b1 ("sh: Wire up new syscalls.") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- arch/sh/kernel/sys_sh32.c | 11 +++++++++++ arch/sh/kernel/syscalls/syscall.tbl | 3 ++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/arch/sh/kernel/sys_sh32.c b/arch/sh/kernel/sys_sh32.c index 9dca568509a5..d6f4afcb0e87 100644 --- a/arch/sh/kernel/sys_sh32.c +++ b/arch/sh/kernel/sys_sh32.c @@ -59,3 +59,14 @@ asmlinkage int sys_fadvise64_64_wrapper(int fd, u32 offset0, u32 offset1, (u64)len0 << 32 | len1, advice); #endif } + +/* + * swap the arguments the way that libc wants them instead of + * moving flags ahead of the 64-bit nbytes argument + */ +SYSCALL_DEFINE6(sh_sync_file_range6, int, fd, SC_ARG64(offset), + SC_ARG64(nbytes), unsigned int, flags) +{ + return ksys_sync_file_range(fd, SC_VAL64(loff_t, offset), + SC_VAL64(loff_t, nbytes), flags); +} diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl index bbf83a2db986..c55fd7696d40 100644 --- a/arch/sh/kernel/syscalls/syscall.tbl +++ b/arch/sh/kernel/syscalls/syscall.tbl @@ -321,7 +321,7 @@ 311 common set_robust_list sys_set_robust_list 312 common get_robust_list sys_get_robust_list 313 common splice sys_splice -314 common sync_file_range sys_sync_file_range +314 common sync_file_range sys_sh_sync_file_range6 315 common tee sys_tee 316 common vmsplice sys_vmsplice 317 common move_pages sys_move_pages @@ -395,6 +395,7 @@ 385 common pkey_alloc sys_pkey_alloc 386 common pkey_free sys_pkey_free 387 common rseq sys_rseq +388 common sync_file_range2 sys_sync_file_range2 # room for arch specific syscalls 393 common semget sys_semget 394 common semctl sys_semctl -- 2.39.2

1 year, 2 months

2
1
0 0

Re: Patch "nfsd: fix oops when reading pool_stats before server is started" has been added to the 6.9-stable tree

by NeilBrown

On Mon, 24 Jun 2024, stable(a)vger.kernel.org wrote: > This is a note to let you know that I've just added the patch titled > > nfsd: fix oops when reading pool_stats before server is started > > to the 6.9-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > nfsd-fix-oops-when-reading-pool_stats-before-server-.patch > and it can be found in the queue-6.9 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. I feel this should not be added to the stable tree. It moves at test on a field protected by a mutex outside of the protection of that mutex, and so is obviously racey. Depending on how the race goes, si->serv might be NULL when dereferenced in svc_pool_stats_start(), or svc_pool_stats_stop() might unlock a mutex that hadn't been locked. I'll post a revert and a better fix for mainline. Thanks, NeilBrown > > > > commit 388a527c6cf55bde74bc0891d0b4c38f50d896be > Author: Jeff Layton <jlayton(a)kernel.org> > Date: Mon Jun 17 07:54:08 2024 -0400 > > nfsd: fix oops when reading pool_stats before server is started > > [ Upstream commit 8e948c365d9c10b685d1deb946bd833d6a9b43e0 ] > > Sourbh reported an oops that is triggerable by trying to read the > pool_stats procfile before nfsd had been started. Move the check for a > NULL serv in svc_pool_stats_start above the mutex acquisition, and fix > the stop routine not to unlock the mutex if there is no serv yet. > > Fixes: 7b207ccd9833 ("svc: don't hold reference for poolstats, only mutex.") > Reported-by: Sourabh Jain <sourabhjain(a)linux.ibm.com> > Signed-off-by: Jeff Layton <jlayton(a)kernel.org> > Tested-by: Sourabh Jain <sourabhjain(a)linux.ibm.com> > Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c > index b4a85a227bd7d..1a2982051f986 100644 > --- a/net/sunrpc/svc_xprt.c > +++ b/net/sunrpc/svc_xprt.c > @@ -1371,12 +1371,13 @@ static void *svc_pool_stats_start(struct seq_file *m, loff_t *pos) > > dprintk("svc_pool_stats_start, *pidx=%u\n", pidx); > > + if (!si->serv) > + return NULL; > + > mutex_lock(si->mutex); > > if (!pidx) > return SEQ_START_TOKEN; > - if (!si->serv) > - return NULL; > return pidx > si->serv->sv_nrpools ? NULL > : &si->serv->sv_pools[pidx - 1]; > } > @@ -1408,7 +1409,8 @@ static void svc_pool_stats_stop(struct seq_file *m, void *p) > { > struct svc_info *si = m->private; > > - mutex_unlock(si->mutex); > + if (si->serv) > + mutex_unlock(si->mutex); > } > > static int svc_pool_stats_show(struct seq_file *m, void *p) >

1 year, 2 months

2
1
0 0

Re: Patch "KVM: Use gfn instead of hva for mmu_notifier_retry" has been added to the 6.6-stable tree

by Sean Christopherson

On Mon, Jun 24, 2024, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > KVM: Use gfn instead of hva for mmu_notifier_retry > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > kvm-use-gfn-instead-of-hva-for-mmu_notifier_retry.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 68a14ccc3fb35047cc4900c8ddd4b6f959e25b77 > Author: Chao Peng <chao.p.peng(a)linux.intel.com> > Date: Fri Oct 27 11:21:45 2023 -0700 > > KVM: Use gfn instead of hva for mmu_notifier_retry > > [ Upstream commit 8569992d64b8f750e34b7858eac5d7daaf0f80fd ] > > Currently in mmu_notifier invalidate path, hva range is recorded and then > checked against by mmu_invalidate_retry_hva() in the page fault handling > path. However, for the soon-to-be-introduced private memory, a page fault > may not have a hva associated, checking gfn(gpa) makes more sense. > > For existing hva based shared memory, gfn is expected to also work. The > only downside is when aliasing multiple gfns to a single hva, the > current algorithm of checking multiple ranges could result in a much > larger range being rejected. Such aliasing should be uncommon, so the > impact is expected small. > > Suggested-by: Sean Christopherson <seanjc(a)google.com> > Cc: Xu Yilun <yilun.xu(a)intel.com> > Signed-off-by: Chao Peng <chao.p.peng(a)linux.intel.com> > Reviewed-by: Fuad Tabba <tabba(a)google.com> > Tested-by: Fuad Tabba <tabba(a)google.com> > [sean: convert vmx_set_apic_access_page_addr() to gfn-based API] > Signed-off-by: Sean Christopherson <seanjc(a)google.com> > Reviewed-by: Paolo Bonzini <pbonzini(a)redhat.com> > Reviewed-by: Xu Yilun <yilun.xu(a)linux.intel.com> > Message-Id: <20231027182217.3615211-4-seanjc(a)google.com> > Reviewed-by: Kai Huang <kai.huang(a)intel.com> > Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> > Stable-dep-of: c3f3edf73a8f ("KVM: Stop processing *all* memslots when "null" mmu_notifier handler is found") Please drop this, and all other related patches. This is not at all appropriate for stable trees. I'm pretty sure your scripts are borked too, at least from KVM's perspective. I specifically didn't tag c3f3edf73a8f for stable[*], and I thought we had agreed a while back that only KVM (x86?) fixes with an explicit "Cc: stable@" would be automatically included. [*] https://lore.kernel.org/all/20240620230937.2214992-1-seanjc@google.com

1 year, 2 months

2
1
0 0

[PATCH] serial: 8250_omap: Implementation of Errata i2310 adding fifo level check

by Udit Kumar

As per Errata i2310[0], Erroneous timeout can be triggered, if this Erroneous interrupt is not cleared then it may leads to storm of interrupts. This patch adding fifo empty check before applying errata. [0] https://www.ti.com/lit/pdf/sprz536 page 23 Fixes: b67e830d38fa ("serial: 8250: 8250_omap: Fix possible interrupt storm on K3 SoCs") Cc: stable(a)vger.kernel.org Signed-off-by: Udit Kumar <u-kumar1(a)ti.com> --- This is check is added on top of errata implementation v3 patch https://lore.kernel.org/all/20240619105903.165434-1-u-kumar1@ti.com/ drivers/tty/serial/8250/8250_omap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c index ddac0a13cf84..1af9aed99c65 100644 --- a/drivers/tty/serial/8250/8250_omap.c +++ b/drivers/tty/serial/8250/8250_omap.c @@ -672,7 +672,8 @@ static irqreturn_t omap8250_irq(int irq, void *dev_id) * https://www.ti.com/lit/pdf/sprz536 */ if (priv->habit & UART_RX_TIMEOUT_QUIRK && - (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT) { + (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT && + serial_port_in(port, UART_OMAP_RX_LVL) == 0) { unsigned char efr2, timeout_h, timeout_l; efr2 = serial_in(up, UART_OMAP_EFR2); -- 2.34.1

1 year, 2 months

2
1
0 0

[PATCH v4] serial: 8250_omap: Implementation of Errata i2310

by Udit Kumar

As per Errata i2310[0], Erroneous timeout can be triggered, if this Erroneous interrupt is not cleared then it may leads to storm of interrupts, therefore apply Errata i2310 solution. [0] https://www.ti.com/lit/pdf/sprz536 page 23 Fixes: b67e830d38fa ("serial: 8250: 8250_omap: Fix possible interrupt storm on K3 SoCs") Cc: stable(a)vger.kernel.org Signed-off-by: Udit Kumar <u-kumar1(a)ti.com> --- Test logs: https://gist.github.com/uditkumarti/48e239540db4e761861fbd1d7d31cfed Change logs Changes in v4: - Reverted fifo empty check before applying errata Link to v3: https://lore.kernel.org/all/20240619105903.165434-1-u-kumar1@ti.com/ Changes in v3: - CC stable in commit message Link to v2: https://lore.kernel.org/all/20240617052253.2188140-1-u-kumar1@ti.com/ Changes in v2: - Added Fixes Tag and typo correction in commit message - Corrected bit position to UART_OMAP_EFR2_TIMEOUT_BEHAVE Link to v1 https://lore.kernel.org/all/20240614061314.290840-1-u-kumar1@ti.com/ drivers/tty/serial/8250/8250_omap.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c index 170639d12b2a..1af9aed99c65 100644 --- a/drivers/tty/serial/8250/8250_omap.c +++ b/drivers/tty/serial/8250/8250_omap.c @@ -115,6 +115,10 @@ /* RX FIFO occupancy indicator */ #define UART_OMAP_RX_LVL 0x19 +/* Timeout low and High */ +#define UART_OMAP_TO_L 0x26 +#define UART_OMAP_TO_H 0x27 + /* * Copy of the genpd flags for the console. * Only used if console suspend is disabled @@ -663,13 +667,25 @@ static irqreturn_t omap8250_irq(int irq, void *dev_id) /* * On K3 SoCs, it is observed that RX TIMEOUT is signalled after - * FIFO has been drained, in which case a dummy read of RX FIFO - * is required to clear RX TIMEOUT condition. + * FIFO has been drained or erroneously. + * So apply solution of Errata i2310 as mentioned in + * https://www.ti.com/lit/pdf/sprz536 */ if (priv->habit & UART_RX_TIMEOUT_QUIRK && (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT && serial_port_in(port, UART_OMAP_RX_LVL) == 0) { - serial_port_in(port, UART_RX); + unsigned char efr2, timeout_h, timeout_l; + + efr2 = serial_in(up, UART_OMAP_EFR2); + timeout_h = serial_in(up, UART_OMAP_TO_H); + timeout_l = serial_in(up, UART_OMAP_TO_L); + serial_out(up, UART_OMAP_TO_H, 0xFF); + serial_out(up, UART_OMAP_TO_L, 0xFF); + serial_out(up, UART_OMAP_EFR2, UART_OMAP_EFR2_TIMEOUT_BEHAVE); + serial_in(up, UART_IIR); + serial_out(up, UART_OMAP_EFR2, efr2); + serial_out(up, UART_OMAP_TO_H, timeout_h); + serial_out(up, UART_OMAP_TO_L, timeout_l); } /* Stop processing interrupts on input overrun */ -- 2.34.1

1 year, 2 months

4
3
0 0

[merged mm-hotfixes-stable] mm-memory-dont-require-head-page-for-do_set_pmd.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memory: don't require head page for do_set_pmd() has been removed from the -mm tree. Its filename was mm-memory-dont-require-head-page-for-do_set_pmd.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andrew Bresticker <abrestic(a)rivosinc.com> Subject: mm/memory: don't require head page for do_set_pmd() Date: Tue, 11 Jun 2024 08:32:16 -0700 The requirement that the head page be passed to do_set_pmd() was added in commit ef37b2ea08ac ("mm/memory: page_add_file_rmap() -> folio_add_file_rmap_[pte|pmd]()") and prevents pmd-mapping in the finish_fault() and filemap_map_pages() paths if the page to be inserted is anything but the head page for an otherwise suitable vma and pmd-sized page. Matthew said: : We're going to stop using PMDs to map large folios unless the fault is : within the first 4KiB of the PMD. No idea how many workloads that : affects, but it only needs to be backported as far as v6.8, so we may : as well backport it. Link: https://lkml.kernel.org/r/20240611153216.2794513-1-abrestic@rivosinc.com Fixes: ef37b2ea08ac ("mm/memory: page_add_file_rmap() -> folio_add_file_rmap_[pte|pmd]()") Signed-off-by: Andrew Bresticker <abrestic(a)rivosinc.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/memory.c~mm-memory-dont-require-head-page-for-do_set_pmd +++ a/mm/memory.c @@ -4608,8 +4608,9 @@ vm_fault_t do_set_pmd(struct vm_fault *v if (!thp_vma_suitable_order(vma, haddr, PMD_ORDER)) return ret; - if (page != &folio->page || folio_order(folio) != HPAGE_PMD_ORDER) + if (folio_order(folio) != HPAGE_PMD_ORDER) return ret; + page = &folio->page; /* * Just backoff if any subpage of a THP is corrupted otherwise _ Patches currently in -mm which might be from abrestic(a)rivosinc.com are

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] mm-page_alloc-separate-thp-pcp-into-movable-and-non-movable-categories.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/page_alloc: Separate THP PCP into movable and non-movable categories has been removed from the -mm tree. Its filename was mm-page_alloc-separate-thp-pcp-into-movable-and-non-movable-categories.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: yangge <yangge1116(a)126.com> Subject: mm/page_alloc: Separate THP PCP into movable and non-movable categories Date: Thu, 20 Jun 2024 08:59:50 +0800 Since commit 5d0a661d808f ("mm/page_alloc: use only one PCP list for THP-sized allocations") no longer differentiates the migration type of pages in THP-sized PCP list, it's possible that non-movable allocation requests may get a CMA page from the list, in some cases, it's not acceptable. If a large number of CMA memory are configured in system (for example, the CMA memory accounts for 50% of the system memory), starting a virtual machine with device passthrough will get stuck. During starting the virtual machine, it will call pin_user_pages_remote(..., FOLL_LONGTERM, ...) to pin memory. Normally if a page is present and in CMA area, pin_user_pages_remote() will migrate the page from CMA area to non-CMA area because of FOLL_LONGTERM flag. But if non-movable allocation requests return CMA memory, migrate_longterm_unpinnable_pages() will migrate a CMA page to another CMA page, which will fail to pass the check in check_and_migrate_movable_pages() and cause migration endless. Call trace: pin_user_pages_remote --__gup_longterm_locked // endless loops in this function ----_get_user_pages_locked ----check_and_migrate_movable_pages ------migrate_longterm_unpinnable_pages --------alloc_migration_target This problem will also have a negative impact on CMA itself. For example, when CMA is borrowed by THP, and we need to reclaim it through cma_alloc() or dma_alloc_coherent(), we must move those pages out to ensure CMA's users can retrieve that contigous memory. Currently, CMA's memory is occupied by non-movable pages, meaning we can't relocate them. As a result, cma_alloc() is more likely to fail. To fix the problem above, we add one PCP list for THP, which will not introduce a new cacheline for struct per_cpu_pages. THP will have 2 PCP lists, one PCP list is used by MOVABLE allocation, and the other PCP list is used by UNMOVABLE allocation. MOVABLE allocation contains GPF_MOVABLE, and UNMOVABLE allocation contains GFP_UNMOVABLE and GFP_RECLAIMABLE. Link: https://lkml.kernel.org/r/1718845190-4456-1-git-send-email-yangge1116@126.c… Fixes: 5d0a661d808f ("mm/page_alloc: use only one PCP list for THP-sized allocations") Signed-off-by: yangge <yangge1116(a)126.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <21cnbao(a)gmail.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 9 ++++----- mm/page_alloc.c | 9 +++++++-- 2 files changed, 11 insertions(+), 7 deletions(-) --- a/include/linux/mmzone.h~mm-page_alloc-separate-thp-pcp-into-movable-and-non-movable-categories +++ a/include/linux/mmzone.h @@ -654,13 +654,12 @@ enum zone_watermarks { }; /* - * One per migratetype for each PAGE_ALLOC_COSTLY_ORDER. One additional list - * for THP which will usually be GFP_MOVABLE. Even if it is another type, - * it should not contribute to serious fragmentation causing THP allocation - * failures. + * One per migratetype for each PAGE_ALLOC_COSTLY_ORDER. Two additional lists + * are added for THP. One PCP list is used by GPF_MOVABLE, and the other PCP list + * is used by GFP_UNMOVABLE and GFP_RECLAIMABLE. */ #ifdef CONFIG_TRANSPARENT_HUGEPAGE -#define NR_PCP_THP 1 +#define NR_PCP_THP 2 #else #define NR_PCP_THP 0 #endif --- a/mm/page_alloc.c~mm-page_alloc-separate-thp-pcp-into-movable-and-non-movable-categories +++ a/mm/page_alloc.c @@ -504,10 +504,15 @@ out: static inline unsigned int order_to_pindex(int migratetype, int order) { + bool __maybe_unused movable; + #ifdef CONFIG_TRANSPARENT_HUGEPAGE if (order > PAGE_ALLOC_COSTLY_ORDER) { VM_BUG_ON(order != HPAGE_PMD_ORDER); - return NR_LOWORDER_PCP_LISTS; + + movable = migratetype == MIGRATE_MOVABLE; + + return NR_LOWORDER_PCP_LISTS + movable; } #else VM_BUG_ON(order > PAGE_ALLOC_COSTLY_ORDER); @@ -521,7 +526,7 @@ static inline int pindex_to_order(unsign int order = pindex / MIGRATE_PCPTYPES; #ifdef CONFIG_TRANSPARENT_HUGEPAGE - if (pindex == NR_LOWORDER_PCP_LISTS) + if (pindex >= NR_LOWORDER_PCP_LISTS) order = HPAGE_PMD_ORDER; #else VM_BUG_ON(order > PAGE_ALLOC_COSTLY_ORDER); _ Patches currently in -mm which might be from yangge1116(a)126.com are mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] nfs-drop-the-incorrect-assertion-in-nfs_swap_rw.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nfs: drop the incorrect assertion in nfs_swap_rw() has been removed from the -mm tree. Its filename was nfs-drop-the-incorrect-assertion-in-nfs_swap_rw.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Christoph Hellwig <hch(a)lst.de> Subject: nfs: drop the incorrect assertion in nfs_swap_rw() Date: Tue, 18 Jun 2024 18:56:47 +1200 Since commit 2282679fb20b ("mm: submit multipage write for SWP_FS_OPS swap-space"), we can plug multiple pages then unplug them all together. That means iov_iter_count(iter) could be way bigger than PAGE_SIZE, it actually equals the size of iov_iter_npages(iter, INT_MAX). Note this issue has nothing to do with large folios as we don't support THP_SWPOUT to non-block devices. [v-songbaohua(a)oppo.com: figure out the cause and correct the commit message] Link: https://lkml.kernel.org/r/20240618065647.21791-1-21cnbao@gmail.com Fixes: 2282679fb20b ("mm: submit multipage write for SWP_FS_OPS swap-space") Signed-off-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Closes: https://lore.kernel.org/linux-mm/20240617053201.GA16852@lst.de/ Reviewed-by: Martin Wege <martin.l.wege(a)gmail.com> Cc: NeilBrown <neilb(a)suse.de> Cc: Anna Schumaker <anna(a)kernel.org> Cc: Steve French <sfrench(a)samba.org> Cc: Trond Myklebust <trondmy(a)kernel.org> Cc: Chuanhua Han <hanchuanhua(a)oppo.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Jeff Layton <jlayton(a)kernel.org> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nfs/direct.c | 2 -- 1 file changed, 2 deletions(-) --- a/fs/nfs/direct.c~nfs-drop-the-incorrect-assertion-in-nfs_swap_rw +++ a/fs/nfs/direct.c @@ -141,8 +141,6 @@ int nfs_swap_rw(struct kiocb *iocb, stru { ssize_t ret; - VM_BUG_ON(iov_iter_count(iter) != PAGE_SIZE); - if (iov_iter_rw(iter) == READ) ret = nfs_file_direct_read(iocb, iter, true); else _ Patches currently in -mm which might be from hch(a)lst.de are

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] selftests-mm-fix-test_prctl_fork_exec-return-failure.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/mm:fix test_prctl_fork_exec return failure has been removed from the -mm tree. Its filename was selftests-mm-fix-test_prctl_fork_exec-return-failure.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: aigourensheng <shechenglong001(a)gmail.com> Subject: selftests/mm:fix test_prctl_fork_exec return failure Date: Mon, 17 Jun 2024 01:29:34 -0400 After calling fork() in test_prctl_fork_exec(), the global variable ksm_full_scans_fd is initialized to 0 in the child process upon entering the main function of ./ksm_functional_tests. In the function call chain test_child_ksm() -> __mmap_and_merge_range -> ksm_merge-> ksm_get_full_scans, start_scans = ksm_get_full_scans() will return an error. Therefore, the value of ksm_full_scans_fd needs to be initialized before calling test_child_ksm in the child process. Link: https://lkml.kernel.org/r/20240617052934.5834-1-shechenglong001@gmail.com Signed-off-by: aigourensheng <shechenglong001(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/ksm_functional_tests.c | 38 ++++++------ 1 file changed, 22 insertions(+), 16 deletions(-) --- a/tools/testing/selftests/mm/ksm_functional_tests.c~selftests-mm-fix-test_prctl_fork_exec-return-failure +++ a/tools/testing/selftests/mm/ksm_functional_tests.c @@ -656,12 +656,33 @@ unmap: munmap(map, size); } +static void init_global_file_handles(void) +{ + mem_fd = open("/proc/self/mem", O_RDWR); + if (mem_fd < 0) + ksft_exit_fail_msg("opening /proc/self/mem failed\n"); + ksm_fd = open("/sys/kernel/mm/ksm/run", O_RDWR); + if (ksm_fd < 0) + ksft_exit_skip("open(\"/sys/kernel/mm/ksm/run\") failed\n"); + ksm_full_scans_fd = open("/sys/kernel/mm/ksm/full_scans", O_RDONLY); + if (ksm_full_scans_fd < 0) + ksft_exit_skip("open(\"/sys/kernel/mm/ksm/full_scans\") failed\n"); + pagemap_fd = open("/proc/self/pagemap", O_RDONLY); + if (pagemap_fd < 0) + ksft_exit_skip("open(\"/proc/self/pagemap\") failed\n"); + proc_self_ksm_stat_fd = open("/proc/self/ksm_stat", O_RDONLY); + proc_self_ksm_merging_pages_fd = open("/proc/self/ksm_merging_pages", + O_RDONLY); + ksm_use_zero_pages_fd = open("/sys/kernel/mm/ksm/use_zero_pages", O_RDWR); +} + int main(int argc, char **argv) { unsigned int tests = 8; int err; if (argc > 1 && !strcmp(argv[1], FORK_EXEC_CHILD_PRG_NAME)) { + init_global_file_handles(); exit(test_child_ksm()); } @@ -674,22 +695,7 @@ int main(int argc, char **argv) pagesize = getpagesize(); - mem_fd = open("/proc/self/mem", O_RDWR); - if (mem_fd < 0) - ksft_exit_fail_msg("opening /proc/self/mem failed\n"); - ksm_fd = open("/sys/kernel/mm/ksm/run", O_RDWR); - if (ksm_fd < 0) - ksft_exit_skip("open(\"/sys/kernel/mm/ksm/run\") failed\n"); - ksm_full_scans_fd = open("/sys/kernel/mm/ksm/full_scans", O_RDONLY); - if (ksm_full_scans_fd < 0) - ksft_exit_skip("open(\"/sys/kernel/mm/ksm/full_scans\") failed\n"); - pagemap_fd = open("/proc/self/pagemap", O_RDONLY); - if (pagemap_fd < 0) - ksft_exit_skip("open(\"/proc/self/pagemap\") failed\n"); - proc_self_ksm_stat_fd = open("/proc/self/ksm_stat", O_RDONLY); - proc_self_ksm_merging_pages_fd = open("/proc/self/ksm_merging_pages", - O_RDONLY); - ksm_use_zero_pages_fd = open("/sys/kernel/mm/ksm/use_zero_pages", O_RDWR); + init_global_file_handles(); test_unmerge(); test_unmerge_zero_pages(); _ Patches currently in -mm which might be from shechenglong001(a)gmail.com are

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-fix-dio-failure-due-to-insufficient-transaction-credits.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix DIO failure due to insufficient transaction credits has been removed from the -mm tree. Its filename was ocfs2-fix-dio-failure-due-to-insufficient-transaction-credits.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jan Kara <jack(a)suse.cz> Subject: ocfs2: fix DIO failure due to insufficient transaction credits Date: Fri, 14 Jun 2024 16:52:43 +0200 The code in ocfs2_dio_end_io_write() estimates number of necessary transaction credits using ocfs2_calc_extend_credits(). This however does not take into account that the IO could be arbitrarily large and can contain arbitrary number of extents. Extent tree manipulations do often extend the current transaction but not in all of the cases. For example if we have only single block extents in the tree, ocfs2_mark_extent_written() will end up calling ocfs2_replace_extent_rec() all the time and we will never extend the current transaction and eventually exhaust all the transaction credits if the IO contains many single block extents. Once that happens a WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to this error. This was actually triggered by one of our customers on a heavily fragmented OCFS2 filesystem. To fix the issue make sure the transaction always has enough credits for one extent insert before each call of ocfs2_mark_extent_written(). Heming Zhao said: ------ PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error" PID: xxx TASK: xxxx CPU: 5 COMMAND: "SubmitThread-CA" #0 machine_kexec at ffffffff8c069932 #1 __crash_kexec at ffffffff8c1338fa #2 panic at ffffffff8c1d69b9 #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2] #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2] #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2] #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2] #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2] #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2] #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2] #10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2] #11 dio_complete at ffffffff8c2b9fa7 #12 do_blockdev_direct_IO at ffffffff8c2bc09f #13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2] #14 generic_file_direct_write at ffffffff8c1dcf14 #15 __generic_file_write_iter at ffffffff8c1dd07b #16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2] #17 aio_write at ffffffff8c2cc72e #18 kmem_cache_alloc at ffffffff8c248dde #19 do_io_submit at ffffffff8c2ccada #20 do_syscall_64 at ffffffff8c004984 #21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba Link: https://lkml.kernel.org/r/20240617095543.6971-1-jack@suse.cz Link: https://lkml.kernel.org/r/20240614145243.8837-1-jack@suse.cz Fixes: c15471f79506 ("ocfs2: fix sparse file & data ordering issue in direct io") Signed-off-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/aops.c | 5 +++++ fs/ocfs2/journal.c | 17 +++++++++++++++++ fs/ocfs2/journal.h | 2 ++ fs/ocfs2/ocfs2_trace.h | 2 ++ 4 files changed, 26 insertions(+) --- a/fs/ocfs2/aops.c~ocfs2-fix-dio-failure-due-to-insufficient-transaction-credits +++ a/fs/ocfs2/aops.c @@ -2366,6 +2366,11 @@ static int ocfs2_dio_end_io_write(struct } list_for_each_entry(ue, &dwc->dw_zero_list, ue_node) { + ret = ocfs2_assure_trans_credits(handle, credits); + if (ret < 0) { + mlog_errno(ret); + break; + } ret = ocfs2_mark_extent_written(inode, &et, handle, ue->ue_cpos, 1, ue->ue_phys, --- a/fs/ocfs2/journal.c~ocfs2-fix-dio-failure-due-to-insufficient-transaction-credits +++ a/fs/ocfs2/journal.c @@ -446,6 +446,23 @@ bail: } /* + * Make sure handle has at least 'nblocks' credits available. If it does not + * have that many credits available, we will try to extend the handle to have + * enough credits. If that fails, we will restart transaction to have enough + * credits. Similar notes regarding data consistency and locking implications + * as for ocfs2_extend_trans() apply here. + */ +int ocfs2_assure_trans_credits(handle_t *handle, int nblocks) +{ + int old_nblks = jbd2_handle_buffer_credits(handle); + + trace_ocfs2_assure_trans_credits(old_nblks); + if (old_nblks >= nblocks) + return 0; + return ocfs2_extend_trans(handle, nblocks - old_nblks); +} + +/* * If we have fewer than thresh credits, extend by OCFS2_MAX_TRANS_DATA. * If that fails, restart the transaction & regain write access for the * buffer head which is used for metadata modifications. --- a/fs/ocfs2/journal.h~ocfs2-fix-dio-failure-due-to-insufficient-transaction-credits +++ a/fs/ocfs2/journal.h @@ -243,6 +243,8 @@ handle_t *ocfs2_start_trans(struct int ocfs2_commit_trans(struct ocfs2_super *osb, handle_t *handle); int ocfs2_extend_trans(handle_t *handle, int nblocks); +int ocfs2_assure_trans_credits(handle_t *handle, + int nblocks); int ocfs2_allocate_extend_trans(handle_t *handle, int thresh); --- a/fs/ocfs2/ocfs2_trace.h~ocfs2-fix-dio-failure-due-to-insufficient-transaction-credits +++ a/fs/ocfs2/ocfs2_trace.h @@ -2577,6 +2577,8 @@ DEFINE_OCFS2_ULL_UINT_EVENT(ocfs2_commit DEFINE_OCFS2_INT_INT_EVENT(ocfs2_extend_trans); +DEFINE_OCFS2_INT_EVENT(ocfs2_assure_trans_credits); + DEFINE_OCFS2_INT_EVENT(ocfs2_extend_trans_restart); DEFINE_OCFS2_INT_INT_EVENT(ocfs2_allocate_extend_trans); _ Patches currently in -mm which might be from jack(a)suse.cz are revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch mm-avoid-overflows-in-dirty-throttling-logic.patch

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] kasan-fix-bad-call-to-unpoison_slab_object.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kasan: fix bad call to unpoison_slab_object has been removed from the -mm tree. Its filename was kasan-fix-bad-call-to-unpoison_slab_object.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andrey Konovalov <andreyknvl(a)gmail.com> Subject: kasan: fix bad call to unpoison_slab_object Date: Fri, 14 Jun 2024 16:32:38 +0200 Commit 29d7355a9d05 ("kasan: save alloc stack traces for mempool") messed up one of the calls to unpoison_slab_object: the last two arguments are supposed to be GFP flags and whether to init the object memory. Fix the call. Without this fix, __kasan_mempool_unpoison_object provides the object's size as GFP flags to unpoison_slab_object, which can cause LOCKDEP reports (and probably other issues). Link: https://lkml.kernel.org/r/20240614143238.60323-1-andrey.konovalov@linux.dev Fixes: 29d7355a9d05 ("kasan: save alloc stack traces for mempool") Signed-off-by: Andrey Konovalov <andreyknvl(a)gmail.com> Reported-by: Brad Spengler <spender(a)grsecurity.net> Acked-by: Marco Elver <elver(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/kasan/common.c~kasan-fix-bad-call-to-unpoison_slab_object +++ a/mm/kasan/common.c @@ -532,7 +532,7 @@ void __kasan_mempool_unpoison_object(voi return; /* Unpoison the object and save alloc info for non-kmalloc() allocations. */ - unpoison_slab_object(slab->slab_cache, ptr, size, flags); + unpoison_slab_object(slab->slab_cache, ptr, flags, false); /* Poison the redzone and save alloc info for kmalloc() allocations. */ if (is_kmalloc_cache(slab->slab_cache)) _ Patches currently in -mm which might be from andreyknvl(a)gmail.com are

1 year, 2 months

1
0
0 0

[merged mm-hotfixes-stable] mm-fix-incorrect-vbq-reference-in-purge_fragmented_block.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: fix incorrect vbq reference in purge_fragmented_block has been removed from the -mm tree. Its filename was mm-fix-incorrect-vbq-reference-in-purge_fragmented_block.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Subject: mm: fix incorrect vbq reference in purge_fragmented_block Date: Fri, 7 Jun 2024 10:31:16 +0800 xa_for_each() in _vm_unmap_aliases() loops through all vbs. However, since commit 062eacf57ad9 ("mm: vmalloc: remove a global vmap_blocks xarray") the vb from xarray may not be on the corresponding CPU vmap_block_queue. Consequently, purge_fragmented_block() might use the wrong vbq->lock to protect the free list, leading to vbq->free breakage. Incorrect lock protection can exhaust all vmalloc space as follows: CPU0 CPU1 +--------------------------------------------+ | +--------------------+ +-----+ | +--> | |---->| |------+ | CPU1:vbq free_list | | vb1 | +--- | |<----| |<-----+ | +--------------------+ +-----+ | +--------------------------------------------+ _vm_unmap_aliases() vb_alloc() new_vmap_block() xa_for_each(&vbq->vmap_blocks, idx, vb) --> vb in CPU1:vbq->freelist purge_fragmented_block(vb) spin_lock(&vbq->lock) spin_lock(&vbq->lock) --> use CPU0:vbq->lock --> use CPU1:vbq->lock list_del_rcu(&vb->free_list) list_add_tail_rcu(&vb->free_list, &vbq->free) __list_del(vb->prev, vb->next) next->prev = prev +--------------------+ | | | CPU1:vbq free_list | +---| |<--+ | +--------------------+ | +----------------------------+ __list_add(new, head->prev, head) +--------------------------------------------+ | +--------------------+ +-----+ | +--> | |---->| |------+ | CPU1:vbq free_list | | vb2 | +--- | |<----| |<-----+ | +--------------------+ +-----+ | +--------------------------------------------+ prev->next = next +--------------------------------------------+ |----------------------------+ | | +--------------------+ | +-----+ | +--> | |--+ | |------+ | CPU1:vbq free_list | | vb2 | +--- | |<----| |<-----+ | +--------------------+ +-----+ | +--------------------------------------------+ Here��s a list breakdown. All vbs, which were to be added to ��prev��, cannot be used by list_for_each_entry_rcu(vb, &vbq->free, free_list) in vb_alloc(). Thus, vmalloc space is exhausted. This issue affects both erofs and f2fs, the stacktrace is as follows: erofs: [<ffffffd4ffb93ad4>] __switch_to+0x174 [<ffffffd4ffb942f0>] __schedule+0x624 [<ffffffd4ffb946f4>] schedule+0x7c [<ffffffd4ffb947cc>] schedule_preempt_disabled+0x24 [<ffffffd4ffb962ec>] __mutex_lock+0x374 [<ffffffd4ffb95998>] __mutex_lock_slowpath+0x14 [<ffffffd4ffb95954>] mutex_lock+0x24 [<ffffffd4fef2900c>] reclaim_and_purge_vmap_areas+0x44 [<ffffffd4fef25908>] alloc_vmap_area+0x2e0 [<ffffffd4fef24ea0>] vm_map_ram+0x1b0 [<ffffffd4ff1b46f4>] z_erofs_lz4_decompress+0x278 [<ffffffd4ff1b8ac4>] z_erofs_decompress_queue+0x650 [<ffffffd4ff1b8328>] z_erofs_runqueue+0x7f4 [<ffffffd4ff1b66a8>] z_erofs_read_folio+0x104 [<ffffffd4feeb6fec>] filemap_read_folio+0x6c [<ffffffd4feeb68c4>] filemap_fault+0x300 [<ffffffd4fef0ecac>] __do_fault+0xc8 [<ffffffd4fef0c908>] handle_mm_fault+0xb38 [<ffffffd4ffb9f008>] do_page_fault+0x288 [<ffffffd4ffb9ed64>] do_translation_fault[jt]+0x40 [<ffffffd4fec39c78>] do_mem_abort+0x58 [<ffffffd4ffb8c3e4>] el0_ia+0x70 [<ffffffd4ffb8c260>] el0t_64_sync_handler[jt]+0xb0 [<ffffffd4fec11588>] ret_to_user[jt]+0x0 f2fs: [<ffffffd4ffb93ad4>] __switch_to+0x174 [<ffffffd4ffb942f0>] __schedule+0x624 [<ffffffd4ffb946f4>] schedule+0x7c [<ffffffd4ffb947cc>] schedule_preempt_disabled+0x24 [<ffffffd4ffb962ec>] __mutex_lock+0x374 [<ffffffd4ffb95998>] __mutex_lock_slowpath+0x14 [<ffffffd4ffb95954>] mutex_lock+0x24 [<ffffffd4fef2900c>] reclaim_and_purge_vmap_areas+0x44 [<ffffffd4fef25908>] alloc_vmap_area+0x2e0 [<ffffffd4fef24ea0>] vm_map_ram+0x1b0 [<ffffffd4ff1a3b60>] f2fs_prepare_decomp_mem+0x144 [<ffffffd4ff1a6c24>] f2fs_alloc_dic+0x264 [<ffffffd4ff175468>] f2fs_read_multi_pages+0x428 [<ffffffd4ff17b46c>] f2fs_mpage_readpages+0x314 [<ffffffd4ff1785c4>] f2fs_readahead+0x50 [<ffffffd4feec3384>] read_pages+0x80 [<ffffffd4feec32c0>] page_cache_ra_unbounded+0x1a0 [<ffffffd4feec39e8>] page_cache_ra_order+0x274 [<ffffffd4feeb6cec>] do_sync_mmap_readahead+0x11c [<ffffffd4feeb6764>] filemap_fault+0x1a0 [<ffffffd4ff1423bc>] f2fs_filemap_fault+0x28 [<ffffffd4fef0ecac>] __do_fault+0xc8 [<ffffffd4fef0c908>] handle_mm_fault+0xb38 [<ffffffd4ffb9f008>] do_page_fault+0x288 [<ffffffd4ffb9ed64>] do_translation_fault[jt]+0x40 [<ffffffd4fec39c78>] do_mem_abort+0x58 [<ffffffd4ffb8c3e4>] el0_ia+0x70 [<ffffffd4ffb8c260>] el0t_64_sync_handler[jt]+0xb0 [<ffffffd4fec11588>] ret_to_user[jt]+0x0 To fix this, introducee cpu within vmap_block to record which this vb belongs to. Link: https://lkml.kernel.org/r/20240614021352.1822225-1-zhaoyang.huang@unisoc.com Link: https://lkml.kernel.org/r/20240607023116.1720640-1-zhaoyang.huang@unisoc.com Fixes: fc1e0d980037 ("mm/vmalloc: prevent stale TLBs in fully utilized blocks") Signed-off-by: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Suggested-by: Hailong.Liu <hailong.liu(a)oppo.com> Reviewed-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Lorenzo Stoakes <lstoakes(a)gmail.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) --- a/mm/vmalloc.c~mm-fix-incorrect-vbq-reference-in-purge_fragmented_block +++ a/mm/vmalloc.c @@ -2498,6 +2498,7 @@ struct vmap_block { struct list_head free_list; struct rcu_head rcu_head; struct list_head purge; + unsigned int cpu; }; /* Queue of free and dirty vmap blocks, for allocation and flushing purposes */ @@ -2625,8 +2626,15 @@ static void *new_vmap_block(unsigned int free_vmap_area(va); return ERR_PTR(err); } - - vbq = raw_cpu_ptr(&vmap_block_queue); + /* + * list_add_tail_rcu could happened in another core + * rather than vb->cpu due to task migration, which + * is safe as list_add_tail_rcu will ensure the list's + * integrity together with list_for_each_rcu from read + * side. + */ + vb->cpu = raw_smp_processor_id(); + vbq = per_cpu_ptr(&vmap_block_queue, vb->cpu); spin_lock(&vbq->lock); list_add_tail_rcu(&vb->free_list, &vbq->free); spin_unlock(&vbq->lock); @@ -2654,9 +2662,10 @@ static void free_vmap_block(struct vmap_ } static bool purge_fragmented_block(struct vmap_block *vb, - struct vmap_block_queue *vbq, struct list_head *purge_list, - bool force_purge) + struct list_head *purge_list, bool force_purge) { + struct vmap_block_queue *vbq = &per_cpu(vmap_block_queue, vb->cpu); + if (vb->free + vb->dirty != VMAP_BBMAP_BITS || vb->dirty == VMAP_BBMAP_BITS) return false; @@ -2704,7 +2713,7 @@ static void purge_fragmented_blocks(int continue; spin_lock(&vb->lock); - purge_fragmented_block(vb, vbq, &purge, true); + purge_fragmented_block(vb, &purge, true); spin_unlock(&vb->lock); } rcu_read_unlock(); @@ -2841,7 +2850,7 @@ static void _vm_unmap_aliases(unsigned l * not purgeable, check whether there is dirty * space to be flushed. */ - if (!purge_fragmented_block(vb, vbq, &purge_list, false) && + if (!purge_fragmented_block(vb, &purge_list, false) && vb->dirty_max && vb->dirty != VMAP_BBMAP_BITS) { unsigned long va_start = vb->va->va_start; unsigned long s, e; _ Patches currently in -mm which might be from zhaoyang.huang(a)unisoc.com are mm-optimization-on-page-allocation-when-cma-enabled.patch

1 year, 2 months

1
0
0 0

[PATCH 6.6~6.9] cifs: fix pagecache leak when do writepages

by Yang Erkun

After commit f3dc1bdb6b0b("cifs: Fix writeback data corruption"), the writepages for cifs will find all folio needed writepage with two phase. The first folio will be found in cifs_writepages_begin, and the latter various folios will be found in cifs_extend_writeback. All those will first get folio, and for normal case, once we set page writeback and after do really write, we should put the reference, folio found in cifs_extend_writeback do this with folio_batch_release. But the folio found in cifs_writepages_begin never get the chance do it. And every writepages call, we will leak a folio(found this problem while do xfstests over cifs). Besides, the exist path seem never handle this folio correctly, fix it too with this patch. The problem does not exist in mainline since writepages path for cifs has changed to netfs. It's had to backport all related change, so try fix this problem with this single patch. Fixes: f3dc1bdb6b0b ("cifs: Fix writeback data corruption") Signed-off-by: Yang Erkun <yangerkun(a)huawei.com> --- fs/smb/client/file.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c index 9be37d0fe724..0a48d80b3871 100644 --- a/fs/smb/client/file.c +++ b/fs/smb/client/file.c @@ -2860,17 +2860,21 @@ static ssize_t cifs_write_back_from_locked_folio(struct address_space *mapping, rc = cifs_get_writable_file(CIFS_I(inode), FIND_WR_ANY, &cfile); if (rc) { cifs_dbg(VFS, "No writable handle in writepages rc=%d\n", rc); + folio_unlock(folio); goto err_xid; } rc = server->ops->wait_mtu_credits(server, cifs_sb->ctx->wsize, &wsize, credits); - if (rc != 0) + if (rc != 0) { + folio_unlock(folio); goto err_close; + } wdata = cifs_writedata_alloc(cifs_writev_complete); if (!wdata) { rc = -ENOMEM; + folio_unlock(folio); goto err_uncredit; } @@ -3017,17 +3021,22 @@ static ssize_t cifs_writepages_begin(struct address_space *mapping, lock_again: if (wbc->sync_mode != WB_SYNC_NONE) { ret = folio_lock_killable(folio); - if (ret < 0) + if (ret < 0) { + folio_put(folio); return ret; + } } else { - if (!folio_trylock(folio)) + if (!folio_trylock(folio)) { + folio_put(folio); goto search_again; + } } if (folio->mapping != mapping || !folio_test_dirty(folio)) { start += folio_size(folio); folio_unlock(folio); + folio_put(folio); goto search_again; } @@ -3057,6 +3066,7 @@ static ssize_t cifs_writepages_begin(struct address_space *mapping, out: if (ret > 0) *_start = start + ret; + folio_put(folio); return ret; } -- 2.39.2

1 year, 2 months

3
2
0 0

+ mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/gup: clear the LRU flag of a page before adding to LRU batch has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: yangge <yangge1116(a)126.com> Subject: mm/gup: clear the LRU flag of a page before adding to LRU batch Date: Sat, 22 Jun 2024 14:48:04 +0800 If a large number of CMA memory are configured in system (for example, the CMA memory accounts for 50% of the system memory), starting a virtual machine, it will call pin_user_pages_remote(..., FOLL_LONGTERM, ...) to pin memory. Normally if a page is present and in CMA area, pin_user_pages_remote() will migrate the page from CMA area to non-CMA area because of FOLL_LONGTERM flag. But the current code will cause the migration failure due to unexpected page refcounts, and eventually cause the virtual machine fail to start. If a page is added in LRU batch, its refcount increases one, remove the page from LRU batch decreases one. Page migration requires the page is not referenced by others except page mapping. Before migrating a page, we should try to drain the page from LRU batch in case the page is in it, however, folio_test_lru() is not sufficient to tell whether the page is in LRU batch or not, if the page is in LRU batch, the migration will fail. To solve the problem above, we modify the logic of adding to LRU batch. Before adding a page to LRU batch, we clear the LRU flag of the page so that we can check whether the page is in LRU batch by folio_test_lru(page). Seems making the LRU flag of the page invisible a long time is no problem, because a new page is allocated from buddy and added to the lru batch, its LRU flag is also not visible for a long time. Link: https://lkml.kernel.org/r/1719038884-1903-1-git-send-email-yangge1116@126.c… Signed-off-by: yangge <yangge1116(a)126.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Alex Shi <alex.shi(a)linux.alibaba.com> Cc: Shaohua Li <shli(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swap.c | 43 +++++++++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 12 deletions(-) --- a/mm/swap.c~mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch +++ a/mm/swap.c @@ -212,10 +212,6 @@ static void folio_batch_move_lru(struct for (i = 0; i < folio_batch_count(fbatch); i++) { struct folio *folio = fbatch->folios[i]; - /* block memcg migration while the folio moves between lru */ - if (move_fn != lru_add_fn && !folio_test_clear_lru(folio)) - continue; - folio_lruvec_relock_irqsave(folio, &lruvec, &flags); move_fn(lruvec, folio); @@ -256,11 +252,16 @@ static void lru_move_tail_fn(struct lruv void folio_rotate_reclaimable(struct folio *folio) { if (!folio_test_locked(folio) && !folio_test_dirty(folio) && - !folio_test_unevictable(folio) && folio_test_lru(folio)) { + !folio_test_unevictable(folio)) { struct folio_batch *fbatch; unsigned long flags; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock_irqsave(&lru_rotate.lock, flags); fbatch = this_cpu_ptr(&lru_rotate.fbatch); folio_batch_add_and_move(fbatch, folio, lru_move_tail_fn); @@ -353,11 +354,15 @@ static void folio_activate_drain(int cpu void folio_activate(struct folio *folio) { - if (folio_test_lru(folio) && !folio_test_active(folio) && - !folio_test_unevictable(folio)) { + if (!folio_test_active(folio) && !folio_test_unevictable(folio)) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.activate); folio_batch_add_and_move(fbatch, folio, folio_activate_fn); @@ -701,6 +706,11 @@ void deactivate_file_folio(struct folio return; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_deactivate_file); folio_batch_add_and_move(fbatch, folio, lru_deactivate_file_fn); @@ -717,11 +727,16 @@ void deactivate_file_folio(struct folio */ void folio_deactivate(struct folio *folio) { - if (folio_test_lru(folio) && !folio_test_unevictable(folio) && - (folio_test_active(folio) || lru_gen_enabled())) { + if (!folio_test_unevictable(folio) && (folio_test_active(folio) || + lru_gen_enabled())) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_deactivate); folio_batch_add_and_move(fbatch, folio, lru_deactivate_fn); @@ -738,12 +753,16 @@ void folio_deactivate(struct folio *foli */ void folio_mark_lazyfree(struct folio *folio) { - if (folio_test_lru(folio) && folio_test_anon(folio) && - folio_test_swapbacked(folio) && !folio_test_swapcache(folio) && - !folio_test_unevictable(folio)) { + if (folio_test_anon(folio) && folio_test_swapbacked(folio) && + !folio_test_swapcache(folio) && !folio_test_unevictable(folio)) { struct folio_batch *fbatch; folio_get(folio); + if (!folio_test_clear_lru(folio)) { + folio_put(folio); + return; + } + local_lock(&cpu_fbatches.lock); fbatch = this_cpu_ptr(&cpu_fbatches.lru_lazyfree); folio_batch_add_and_move(fbatch, folio, lru_lazyfree_fn); _ Patches currently in -mm which might be from yangge1116(a)126.com are mm-page_alloc-separate-thp-pcp-into-movable-and-non-movable-categories.patch mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch

1 year, 2 months

1
0
0 0

+ nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix incorrect inode allocation from reserved inodes has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix incorrect inode allocation from reserved inodes Date: Sun, 23 Jun 2024 14:11:35 +0900 If the bitmap block that manages the inode allocation status is corrupted, nilfs_ifile_create_inode() may allocate a new inode from the reserved inode area where it should not be allocated. Previous fix commit d325dc6eb763 ("nilfs2: fix use-after-free bug of struct nilfs_root"), fixed the problem that reserved inodes with inode numbers less than NILFS_USER_INO (=11) were incorrectly reallocated due to bitmap corruption, but since the start number of non-reserved inodes is read from the super block and may change, in which case inode allocation may occur from the extended reserved inode area. If that happens, access to that inode will cause an IO error, causing the file system to degrade to an error state. Fix this potential issue by adding a wraparound option to the common metadata object allocation routine and by modifying nilfs_ifile_create_inode() to disable the option so that it only allocates inodes with inode numbers greater than or equal to the inode number read in "nilfs->ns_first_ino", regardless of the bitmap status of reserved inodes. Link: https://lkml.kernel.org/r/20240623051135.4180-4-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: Hillf Danton <hdanton(a)sina.com> Cc: Jan Kara <jack(a)suse.cz> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/alloc.c | 19 +++++++++++++++---- fs/nilfs2/alloc.h | 4 ++-- fs/nilfs2/dat.c | 2 +- fs/nilfs2/ifile.c | 7 ++----- 4 files changed, 20 insertions(+), 12 deletions(-) --- a/fs/nilfs2/alloc.c~nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes +++ a/fs/nilfs2/alloc.c @@ -377,11 +377,12 @@ void *nilfs_palloc_block_get_entry(const * @target: offset number of an entry in the group (start point) * @bsize: size in bits * @lock: spin lock protecting @bitmap + * @wrap: whether to wrap around */ static int nilfs_palloc_find_available_slot(unsigned char *bitmap, unsigned long target, unsigned int bsize, - spinlock_t *lock) + spinlock_t *lock, bool wrap) { int pos, end = bsize; @@ -397,6 +398,8 @@ static int nilfs_palloc_find_available_s end = target; } + if (!wrap) + return -ENOSPC; /* wrap around */ for (pos = 0; pos < end; pos++) { @@ -495,9 +498,10 @@ int nilfs_palloc_count_max_entries(struc * nilfs_palloc_prepare_alloc_entry - prepare to allocate a persistent object * @inode: inode of metadata file using this allocator * @req: nilfs_palloc_req structure exchanged for the allocation + * @wrap: whether to wrap around */ int nilfs_palloc_prepare_alloc_entry(struct inode *inode, - struct nilfs_palloc_req *req) + struct nilfs_palloc_req *req, bool wrap) { struct buffer_head *desc_bh, *bitmap_bh; struct nilfs_palloc_group_desc *desc; @@ -516,7 +520,7 @@ int nilfs_palloc_prepare_alloc_entry(str entries_per_group = nilfs_palloc_entries_per_group(inode); for (i = 0; i < ngroups; i += n) { - if (group >= ngroups) { + if (group >= ngroups && wrap) { /* wrap around */ group = 0; maxgroup = nilfs_palloc_group(inode, req->pr_entry_nr, @@ -550,7 +554,14 @@ int nilfs_palloc_prepare_alloc_entry(str bitmap_kaddr = kmap_local_page(bitmap_bh->b_page); bitmap = bitmap_kaddr + bh_offset(bitmap_bh); pos = nilfs_palloc_find_available_slot( - bitmap, group_offset, entries_per_group, lock); + bitmap, group_offset, entries_per_group, lock, + wrap); + /* + * Since the search for a free slot in the second and + * subsequent bitmap blocks always starts from the + * beginning, the wrap flag only has an effect on the + * first search. + */ kunmap_local(bitmap_kaddr); if (pos >= 0) goto found; --- a/fs/nilfs2/alloc.h~nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes +++ a/fs/nilfs2/alloc.h @@ -50,8 +50,8 @@ struct nilfs_palloc_req { struct buffer_head *pr_entry_bh; }; -int nilfs_palloc_prepare_alloc_entry(struct inode *, - struct nilfs_palloc_req *); +int nilfs_palloc_prepare_alloc_entry(struct inode *inode, + struct nilfs_palloc_req *req, bool wrap); void nilfs_palloc_commit_alloc_entry(struct inode *, struct nilfs_palloc_req *); void nilfs_palloc_abort_alloc_entry(struct inode *, struct nilfs_palloc_req *); --- a/fs/nilfs2/dat.c~nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes +++ a/fs/nilfs2/dat.c @@ -75,7 +75,7 @@ int nilfs_dat_prepare_alloc(struct inode { int ret; - ret = nilfs_palloc_prepare_alloc_entry(dat, req); + ret = nilfs_palloc_prepare_alloc_entry(dat, req, true); if (ret < 0) return ret; --- a/fs/nilfs2/ifile.c~nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes +++ a/fs/nilfs2/ifile.c @@ -56,13 +56,10 @@ int nilfs_ifile_create_inode(struct inod struct nilfs_palloc_req req; int ret; - req.pr_entry_nr = 0; /* - * 0 says find free inode from beginning - * of a group. dull code!! - */ + req.pr_entry_nr = NILFS_FIRST_INO(ifile->i_sb); req.pr_entry_bh = NULL; - ret = nilfs_palloc_prepare_alloc_entry(ifile, &req); + ret = nilfs_palloc_prepare_alloc_entry(ifile, &req, false); if (!ret) { ret = nilfs_palloc_get_entry_block(ifile, req.pr_entry_nr, 1, &req.pr_entry_bh); _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-inode-number-range-checks.patch nilfs2-add-missing-check-for-inode-numbers-on-directory-entries.patch nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch nilfs2-prepare-backing-device-folios-for-writing-after-adding-checksums.patch nilfs2-do-not-call-inode_attach_wb-directly.patch

1 year, 2 months

1
0
0 0

+ nilfs2-add-missing-check-for-inode-numbers-on-directory-entries.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: add missing check for inode numbers on directory entries has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-add-missing-check-for-inode-numbers-on-directory-entries.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: add missing check for inode numbers on directory entries Date: Sun, 23 Jun 2024 14:11:34 +0900 Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. Link: https://lkml.kernel.org/r/20240623051135.4180-3-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+d79afb004be235636ee8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8 Reported-by: Jan Kara <jack(a)suse.cz> Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3 Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: Hillf Danton <hdanton(a)sina.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/dir.c | 6 ++++++ fs/nilfs2/nilfs.h | 5 +++++ 2 files changed, 11 insertions(+) --- a/fs/nilfs2/dir.c~nilfs2-add-missing-check-for-inode-numbers-on-directory-entries +++ a/fs/nilfs2/dir.c @@ -135,6 +135,9 @@ static bool nilfs_check_folio(struct fol goto Enamelen; if (((offs + rec_len - 1) ^ offs) & ~(chunk_size-1)) goto Espan; + if (unlikely(p->inode && + NILFS_PRIVATE_INODE(le64_to_cpu(p->inode)))) + goto Einumber; } if (offs != limit) goto Eend; @@ -160,6 +163,9 @@ Enamelen: goto bad_entry; Espan: error = "directory entry across blocks"; + goto bad_entry; +Einumber: + error = "disallowed inode number"; bad_entry: nilfs_error(sb, "bad entry in directory #%lu: %s - offset=%lu, inode=%lu, rec_len=%zd, name_len=%d", --- a/fs/nilfs2/nilfs.h~nilfs2-add-missing-check-for-inode-numbers-on-directory-entries +++ a/fs/nilfs2/nilfs.h @@ -121,6 +121,11 @@ enum { ((ino) >= NILFS_FIRST_INO(sb) || \ ((ino) < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino)))) +#define NILFS_PRIVATE_INODE(ino) ({ \ + ino_t __ino = (ino); \ + ((__ino) < NILFS_USER_INO && (__ino) != NILFS_ROOT_INO && \ + (__ino) != NILFS_SKETCH_INO); }) + /** * struct nilfs_transaction_info: context information for synchronization * @ti_magic: Magic number _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-inode-number-range-checks.patch nilfs2-add-missing-check-for-inode-numbers-on-directory-entries.patch nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch nilfs2-prepare-backing-device-folios-for-writing-after-adding-checksums.patch nilfs2-do-not-call-inode_attach_wb-directly.patch

1 year, 2 months

1
0
0 0

+ nilfs2-fix-inode-number-range-checks.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix inode number range checks has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-inode-number-range-checks.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix inode number range checks Date: Sun, 23 Jun 2024 14:11:33 +0900 Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. Link: https://lkml.kernel.org/r/20240623051135.4180-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240623051135.4180-2-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: Hillf Danton <hdanton(a)sina.com> Cc: Jan Kara <jack(a)suse.cz> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/nilfs.h | 5 +++-- fs/nilfs2/the_nilfs.c | 6 ++++++ fs/nilfs2/the_nilfs.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) --- a/fs/nilfs2/nilfs.h~nilfs2-fix-inode-number-range-checks +++ a/fs/nilfs2/nilfs.h @@ -116,9 +116,10 @@ enum { #define NILFS_FIRST_INO(sb) (((struct the_nilfs *)sb->s_fs_info)->ns_first_ino) #define NILFS_MDT_INODE(sb, ino) \ - ((ino) < NILFS_FIRST_INO(sb) && (NILFS_MDT_INO_BITS & BIT(ino))) + ((ino) < NILFS_USER_INO && (NILFS_MDT_INO_BITS & BIT(ino))) #define NILFS_VALID_INODE(sb, ino) \ - ((ino) >= NILFS_FIRST_INO(sb) || (NILFS_SYS_INO_BITS & BIT(ino))) + ((ino) >= NILFS_FIRST_INO(sb) || \ + ((ino) < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino)))) /** * struct nilfs_transaction_info: context information for synchronization --- a/fs/nilfs2/the_nilfs.c~nilfs2-fix-inode-number-range-checks +++ a/fs/nilfs2/the_nilfs.c @@ -452,6 +452,12 @@ static int nilfs_store_disk_layout(struc } nilfs->ns_first_ino = le32_to_cpu(sbp->s_first_ino); + if (nilfs->ns_first_ino < NILFS_USER_INO) { + nilfs_err(nilfs->ns_sb, + "too small lower limit for non-reserved inode numbers: %u", + nilfs->ns_first_ino); + return -EINVAL; + } nilfs->ns_blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment); if (nilfs->ns_blocks_per_segment < NILFS_SEG_MIN_BLOCKS) { --- a/fs/nilfs2/the_nilfs.h~nilfs2-fix-inode-number-range-checks +++ a/fs/nilfs2/the_nilfs.h @@ -182,7 +182,7 @@ struct the_nilfs { unsigned long ns_nrsvsegs; unsigned long ns_first_data_block; int ns_inode_size; - int ns_first_ino; + unsigned int ns_first_ino; u32 ns_crc_seed; /* /sys/fs/<nilfs>/<device> */ _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-inode-number-range-checks.patch nilfs2-add-missing-check-for-inode-numbers-on-directory-entries.patch nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch nilfs2-prepare-backing-device-folios-for-writing-after-adding-checksums.patch nilfs2-do-not-call-inode_attach_wb-directly.patch

1 year, 2 months

1
0
0 0

[tip: irq/urgent] PCI/MSI: Fix UAF in msi_capability_init

by tip-bot2 for Mostafa Saleh

The following commit has been merged into the irq/urgent branch of tip: Commit-ID: 9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1 Gitweb: https://git.kernel.org/tip/9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1 Author: Mostafa Saleh <smostafa(a)google.com> AuthorDate: Mon, 24 Jun 2024 20:37:28 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Mon, 24 Jun 2024 23:33:38 +02:00 PCI/MSI: Fix UAF in msi_capability_init KFENCE reports the following UAF: BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488 Use-after-free read at 0x0000000024629571 (in kfence-#12): __pci_enable_msi_range+0x2c0/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128 allocated by task 81 on cpu 7 at 10.808142s: __kmem_cache_alloc_node+0x1f0/0x2bc kmalloc_trace+0x44/0x138 msi_alloc_desc+0x3c/0x9c msi_domain_insert_msi_desc+0x30/0x78 msi_setup_msi_desc+0x13c/0x184 __pci_enable_msi_range+0x258/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 freed by task 81 on cpu 7 at 10.811436s: msi_domain_free_descs+0xd4/0x10c msi_domain_free_locked.part.0+0xc0/0x1d8 msi_domain_alloc_irqs_all_locked+0xb4/0xbc pci_msi_setup_msi_irqs+0x30/0x4c __pci_enable_msi_range+0x2a8/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 Descriptor allocation done in: __pci_enable_msi_range msi_capability_init msi_setup_msi_desc msi_insert_msi_desc msi_domain_insert_msi_desc msi_alloc_desc ... Freed in case of failure in __msi_domain_alloc_locked() __pci_enable_msi_range msi_capability_init pci_msi_setup_msi_irqs msi_domain_alloc_irqs_all_locked msi_domain_alloc_locked __msi_domain_alloc_locked => fails msi_domain_free_locked ... That failure propagates back to pci_msi_setup_msi_irqs() in msi_capability_init() which accesses the descriptor for unmasking in the error exit path. Cure it by copying the descriptor and using the copy for the error exit path unmask operation. [ tglx: Massaged change log ] Fixes: bf6e054e0e3f ("genirq/msi: Provide msi_device_populate/destroy_sysfs()") Suggested-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Mostafa Saleh <smostafa(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: Bjorn Heelgas <bhelgaas(a)google.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240624203729.1094506-1-smostafa@google.com --- drivers/pci/msi/msi.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/pci/msi/msi.c b/drivers/pci/msi/msi.c index c5625dd..3a45879 100644 --- a/drivers/pci/msi/msi.c +++ b/drivers/pci/msi/msi.c @@ -352,7 +352,7 @@ static int msi_capability_init(struct pci_dev *dev, int nvec, struct irq_affinity *affd) { struct irq_affinity_desc *masks = NULL; - struct msi_desc *entry; + struct msi_desc *entry, desc; int ret; /* Reject multi-MSI early on irq domain enabled architectures */ @@ -377,6 +377,12 @@ static int msi_capability_init(struct pci_dev *dev, int nvec, /* All MSIs are unmasked by default; mask them all */ entry = msi_first_desc(&dev->dev, MSI_DESC_ALL); pci_msi_mask(entry, msi_multi_mask(entry)); + /* + * Copy the MSI descriptor for the error path because + * pci_msi_setup_msi_irqs() will free it for the hierarchical + * interrupt domain case. + */ + memcpy(&desc, entry, sizeof(desc)); /* Configure MSI capability structure */ ret = pci_msi_setup_msi_irqs(dev, nvec, PCI_CAP_ID_MSI); @@ -396,7 +402,7 @@ static int msi_capability_init(struct pci_dev *dev, int nvec, goto unlock; err: - pci_msi_unmask(entry, msi_multi_mask(entry)); + pci_msi_unmask(&desc, msi_multi_mask(&desc)); pci_free_msi_irqs(dev); fail: dev->msi_enabled = 0;

1 year, 2 months

1
0
0 0

+ mm-damon-core-merge-regions-aggressively-when-max_nr_regions-is-unmet.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: merge regions aggressively when max_nr_regions is unmet has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-merge-regions-aggressively-when-max_nr_regions-is-unmet.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: merge regions aggressively when max_nr_regions is unmet Date: Mon, 24 Jun 2024 10:58:14 -0700 DAMON keeps the number of regions under max_nr_regions by skipping regions split operations when doing so can make the number higher than the limit. It works well for preventing violation of the limit. But, if somehow the violation happens, it cannot recovery well depending on the situation. In detail, if the real number of regions having different access pattern is higher than the limit, the mechanism cannot reduce the number below the limit. In such a case, the system could suffer from high monitoring overhead of DAMON. The violation can actually happen. For an example, the user could reduce max_nr_regions while DAMON is running, to be lower than the current number of regions. Fix the problem by repeating the merge operations with increasing aggressiveness in kdamond_merge_regions() for the case, until the limit is met. Link: https://lkml.kernel.org/r/20240624175814.89611-1-sj@kernel.org Fixes: b9a6ac4e4ede ("mm/damon: adaptively adjust regions") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) --- a/mm/damon/core.c~mm-damon-core-merge-regions-aggressively-when-max_nr_regions-is-unmet +++ a/mm/damon/core.c @@ -1358,14 +1358,30 @@ static void damon_merge_regions_of(struc * access frequencies are similar. This is for minimizing the monitoring * overhead under the dynamically changeable access pattern. If a merge was * unnecessarily made, later 'kdamond_split_regions()' will revert it. + * + * The total number of regions could be temporarily higher than the + * user-defined limit, max_nr_regions for some cases. For an example, the user + * updates max_nr_regions to a number that lower than the current number of + * regions while DAMON is running. Depending on the access pattern, it could + * take indefinitve time to reduce the number below the limit. For such a + * case, repeat merging until the limit is met while increasing @threshold and + * @sz_limit. */ static void kdamond_merge_regions(struct damon_ctx *c, unsigned int threshold, unsigned long sz_limit) { struct damon_target *t; + unsigned int nr_regions; - damon_for_each_target(t, c) - damon_merge_regions_of(t, threshold, sz_limit); + do { + nr_regions = 0; + damon_for_each_target(t, c) { + damon_merge_regions_of(t, threshold, sz_limit); + nr_regions += damon_nr_regions(t); + } + threshold = max(1, threshold * 2); + sz_limit = max(1, sz_limit * 2); + } while (nr_regions > c->attrs.max_nr_regions); } /* _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-merge-regions-aggressively-when-max_nr_regions-is-unmet.patch mm-damon-sysfs-schemes-add-target_nid-on-sysfs-schemes-fix.patch docs-damon-document-damos_migrate_hotcold-fix.patch mm-damon-core-implement-damos-quota-goals-online-commit-function.patch mm-damon-core-implement-damon-context-commit-function.patch mm-damon-sysfs-use-damon_commit_ctx.patch mm-damon-sysfs-schemes-use-damos_commit_quota_goals.patch mm-damon-sysfs-remove-unnecessary-online-tuning-handling-code.patch mm-damon-sysfs-rename-damon_sysfs_set_targets-to-add_targets.patch mm-damon-sysfs-schemes-remove-unnecessary-online-tuning-handling-code.patch mm-damon-sysfs-schemes-rename-_set_schemesscheme_filtersquota_scoreschemes.patch mm-damon-reclaim-use-damon_commit_ctx.patch mm-damon-reclaim-remove-unnecessary-code-for-online-tuning.patch mm-damon-lru_sort-use-damon_commit_ctx.patch mm-damon-lru_sort-remove-unnecessary-online-tuning-handling-code.patch docs-mm-damon-maintainer-profile-introduce-hackermail.patch docs-mm-damon-maintainer-profile-document-damon-community-meetups.patch

1 year, 2 months

1
0
0 0

[PATCH v4 2/2] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066

by Val Packett

The RK3066 does have RGB display output, so it should be marked as such. Fixes: f4a6de8 ("drm: rockchip: vop: add rk3066 vop definitions") Cc: stable(a)vger.kernel.org Signed-off-by: Val Packett <val(a)packett.cool> --- drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c index 9bcb40a64..e2c6ba26f 100644 --- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c @@ -515,6 +515,7 @@ static const struct vop_data rk3066_vop = { .output = &rk3066_output, .win = rk3066_vop_win_data, .win_size = ARRAY_SIZE(rk3066_vop_win_data), + .feature = VOP_FEATURE_INTERNAL_RGB, .max_output = { 1920, 1080 }, }; -- 2.45.2

1 year, 2 months

1
0
0 0

[PATCH v4 1/2] drm/rockchip: vop: clear DMA stop bit on RK3066

by Val Packett

The RK3066 VOP sets a dma_stop bit when it's done scanning out a frame and needs the driver to acknowledge that by clearing the bit. Unless we clear it "between" frames, the RGB output only shows noise instead of the picture. atomic_flush is the place for it that least affects other code (doing it on vblank would require converting all other usages of the reg_lock to spin_(un)lock_irq, which would affect performance for everyone). This seems to be a redundant synchronization mechanism that was removed in later iterations of the VOP hardware block. Fixes: f4a6de8 ("drm: rockchip: vop: add rk3066 vop definitions") Cc: stable(a)vger.kernel.org Signed-off-by: Val Packett <val(a)packett.cool> --- drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++++ drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 + drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 1 + 3 files changed, 6 insertions(+) diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c index a13473b2d..e88fbd568 100644 --- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c @@ -1583,6 +1583,10 @@ static void vop_crtc_atomic_flush(struct drm_crtc *crtc, VOP_AFBC_SET(vop, enable, s->enable_afbc); vop_cfg_done(vop); + /* Ack the DMA transfer of the previous frame (RK3066). */ + if (VOP_HAS_REG(vop, common, dma_stop)) + VOP_REG_SET(vop, common, dma_stop, 0); + spin_unlock(&vop->reg_lock); /* diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.h b/drivers/gpu/drm/rockchip/rockchip_drm_vop.h index b33e5bdc2..0cf512cc1 100644 --- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.h +++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.h @@ -122,6 +122,7 @@ struct vop_common { struct vop_reg lut_buffer_index; struct vop_reg gate_en; struct vop_reg mmu_en; + struct vop_reg dma_stop; struct vop_reg out_mode; struct vop_reg standby; }; diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c index b9ee02061..9bcb40a64 100644 --- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c @@ -466,6 +466,7 @@ static const struct vop_output rk3066_output = { }; static const struct vop_common rk3066_common = { + .dma_stop = VOP_REG(RK3066_SYS_CTRL0, 0x1, 0), .standby = VOP_REG(RK3066_SYS_CTRL0, 0x1, 1), .out_mode = VOP_REG(RK3066_DSP_CTRL0, 0xf, 0), .cfg_done = VOP_REG(RK3066_REG_CFG_DONE, 0x1, 0), -- 2.45.2

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] drm/i915/gt: Disarm breadcrumbs if engines are already idle" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 70cb9188ffc75e643debf292fcddff36c9dbd4ae # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061929-scalding-tweak-f522@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 70cb9188ffc7 ("drm/i915/gt: Disarm breadcrumbs if engines are already idle") c877bed82e10 ("drm/i915/gt: Only kick the signal worker if there's been an update") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 70cb9188ffc75e643debf292fcddff36c9dbd4ae Mon Sep 17 00:00:00 2001 From: Chris Wilson <chris(a)chris-wilson.co.uk> Date: Tue, 23 Apr 2024 18:23:10 +0200 Subject: [PATCH] drm/i915/gt: Disarm breadcrumbs if engines are already idle The breadcrumbs use a GT wakeref for guarding the interrupt, but are disarmed during release of the engine wakeref. This leaves a hole where we may attach a breadcrumb just as the engine is parking (after it has parked its breadcrumbs), execute the irq worker with some signalers still attached, but never be woken again. That issue manifests itself in CI with IGT runner timeouts while tests are waiting indefinitely for release of all GT wakerefs. <6> [209.151778] i915: Running live_engine_pm_selftests/live_engine_busy_stats <7> [209.231628] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_5 <7> [209.231816] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_4 <7> [209.231944] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_3 <7> [209.232056] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_2 <7> [209.232166] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling DC_off <7> [209.232270] i915 0000:00:02.0: [drm:skl_enable_dc6 [i915]] Enabling DC6 <7> [209.232368] i915 0000:00:02.0: [drm:gen9_set_dc_state.part.0 [i915]] Setting DC state from 00 to 02 <4> [299.356116] [IGT] Inactivity timeout exceeded. Killing the current test with SIGQUIT. ... <6> [299.356526] sysrq: Show State ... <6> [299.373964] task:i915_selftest state:D stack:11784 pid:5578 tgid:5578 ppid:873 flags:0x00004002 <6> [299.373967] Call Trace: <6> [299.373968] <TASK> <6> [299.373970] __schedule+0x3bb/0xda0 <6> [299.373974] schedule+0x41/0x110 <6> [299.373976] intel_wakeref_wait_for_idle+0x82/0x100 [i915] <6> [299.374083] ? __pfx_var_wake_function+0x10/0x10 <6> [299.374087] live_engine_busy_stats+0x9b/0x500 [i915] <6> [299.374173] __i915_subtests+0xbe/0x240 [i915] <6> [299.374277] ? __pfx___intel_gt_live_setup+0x10/0x10 [i915] <6> [299.374369] ? __pfx___intel_gt_live_teardown+0x10/0x10 [i915] <6> [299.374456] intel_engine_live_selftests+0x1c/0x30 [i915] <6> [299.374547] __run_selftests+0xbb/0x190 [i915] <6> [299.374635] i915_live_selftests+0x4b/0x90 [i915] <6> [299.374717] i915_pci_probe+0x10d/0x210 [i915] At the end of the interrupt worker, if there are no more engines awake, disarm the breadcrumb and go to sleep. Fixes: 9d5612ca165a ("drm/i915/gt: Defer enabling the breadcrumb interrupt to after submission") Closes: https://gitlab.freedesktop.org/drm/intel/issues/10026 Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Cc: Andrzej Hajda <andrzej.hajda(a)intel.com> Cc: <stable(a)vger.kernel.org> # v5.12+ Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> Acked-by: Nirmoy Das <nirmoy.das(a)intel.com> Reviewed-by: Andrzej Hajda <andrzej.hajda(a)intel.com> Reviewed-by: Andi Shyti <andi.shyti(a)linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240423165505.465734-2-janus… (cherry picked from commit fbad43eccae5cb14594195c20113369aabaa22b5) Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> diff --git a/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c b/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c index d650beb8ed22..20b9b04ec1e0 100644 --- a/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c +++ b/drivers/gpu/drm/i915/gt/intel_breadcrumbs.c @@ -263,8 +263,13 @@ static void signal_irq_work(struct irq_work *work) i915_request_put(rq); } + /* Lazy irq enabling after HW submission */ if (!READ_ONCE(b->irq_armed) && !list_empty(&b->signalers)) intel_breadcrumbs_arm_irq(b); + + /* And confirm that we still want irqs enabled before we yield */ + if (READ_ONCE(b->irq_armed) && !atomic_read(&b->active)) + intel_breadcrumbs_disarm_irq(b); } struct intel_breadcrumbs * @@ -315,13 +320,7 @@ void __intel_breadcrumbs_park(struct intel_breadcrumbs *b) return; /* Kick the work once more to drain the signalers, and disarm the irq */ - irq_work_sync(&b->irq_work); - while (READ_ONCE(b->irq_armed) && !atomic_read(&b->active)) { - local_irq_disable(); - signal_irq_work(&b->irq_work); - local_irq_enable(); - cond_resched(); - } + irq_work_queue(&b->irq_work); } void intel_breadcrumbs_free(struct kref *kref) @@ -404,7 +403,7 @@ static void insert_breadcrumb(struct i915_request *rq) * the request as it may have completed and raised the interrupt as * we were attaching it into the lists. */ - if (!b->irq_armed || __i915_request_is_complete(rq)) + if (!READ_ONCE(b->irq_armed) || __i915_request_is_complete(rq)) irq_work_queue(&b->irq_work); }

1 year, 2 months

2
1
0 0

[PATCH 2/3] ASoC: SOF: ipc4-topology: Use correct queue_id for requesting input pin format

by Pierre-Louis Bossart

From: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> It is incorrect to request the input pin format of the destination widget using the output pin index of the source module as the indexes are not necessarily matching. moduleA.out_pin1 can be connected to moduleB.in_pin0 for example. Use the dst_queue_id to request the input format of the destination module. This bug remained unnoticed likely because in nocodec topologies we don't have process modules after a module copier, thus the pin/queue index is ignored. For the process module case, the code was likely have been tested in a controlled way where all the pin/queue/format properties were present to work. Update the debug prints to have better information. Reviewed-by: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Reviewed-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- sound/soc/sof/ipc4-topology.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c index ce2910f70e65..90f6856ee80c 100644 --- a/sound/soc/sof/ipc4-topology.c +++ b/sound/soc/sof/ipc4-topology.c @@ -2869,7 +2869,7 @@ static void sof_ipc4_put_queue_id(struct snd_sof_widget *swidget, int queue_id, static int sof_ipc4_set_copier_sink_format(struct snd_sof_dev *sdev, struct snd_sof_widget *src_widget, struct snd_sof_widget *sink_widget, - int sink_id) + struct snd_sof_route *sroute) { struct sof_ipc4_copier_config_set_sink_format format; const struct sof_ipc_ops *iops = sdev->ipc->ops; @@ -2878,9 +2878,6 @@ static int sof_ipc4_set_copier_sink_format(struct snd_sof_dev *sdev, struct sof_ipc4_fw_module *fw_module; struct sof_ipc4_msg msg = {{ 0 }}; - dev_dbg(sdev->dev, "%s set copier sink %d format\n", - src_widget->widget->name, sink_id); - if (WIDGET_IS_DAI(src_widget->id)) { struct snd_sof_dai *dai = src_widget->private; @@ -2891,13 +2888,15 @@ static int sof_ipc4_set_copier_sink_format(struct snd_sof_dev *sdev, fw_module = src_widget->module_info; - format.sink_id = sink_id; + format.sink_id = sroute->src_queue_id; memcpy(&format.source_fmt, &src_config->audio_fmt, sizeof(format.source_fmt)); - pin_fmt = sof_ipc4_get_input_pin_audio_fmt(sink_widget, sink_id); + pin_fmt = sof_ipc4_get_input_pin_audio_fmt(sink_widget, sroute->dst_queue_id); if (!pin_fmt) { - dev_err(sdev->dev, "Unable to get pin %d format for %s", - sink_id, sink_widget->widget->name); + dev_err(sdev->dev, + "Failed to get input audio format of %s:%d for output of %s:%d\n", + sink_widget->widget->name, sroute->dst_queue_id, + src_widget->widget->name, sroute->src_queue_id); return -EINVAL; } @@ -2955,7 +2954,8 @@ static int sof_ipc4_route_setup(struct snd_sof_dev *sdev, struct snd_sof_route * sroute->src_queue_id = sof_ipc4_get_queue_id(src_widget, sink_widget, SOF_PIN_TYPE_OUTPUT); if (sroute->src_queue_id < 0) { - dev_err(sdev->dev, "failed to get queue ID for source widget: %s\n", + dev_err(sdev->dev, + "failed to get src_queue_id ID from source widget %s\n", src_widget->widget->name); return sroute->src_queue_id; } @@ -2963,7 +2963,8 @@ static int sof_ipc4_route_setup(struct snd_sof_dev *sdev, struct snd_sof_route * sroute->dst_queue_id = sof_ipc4_get_queue_id(src_widget, sink_widget, SOF_PIN_TYPE_INPUT); if (sroute->dst_queue_id < 0) { - dev_err(sdev->dev, "failed to get queue ID for sink widget: %s\n", + dev_err(sdev->dev, + "failed to get dst_queue_id ID from sink widget %s\n", sink_widget->widget->name); sof_ipc4_put_queue_id(src_widget, sroute->src_queue_id, SOF_PIN_TYPE_OUTPUT); @@ -2972,10 +2973,11 @@ static int sof_ipc4_route_setup(struct snd_sof_dev *sdev, struct snd_sof_route * /* Pin 0 format is already set during copier module init */ if (sroute->src_queue_id > 0 && WIDGET_IS_COPIER(src_widget->id)) { - ret = sof_ipc4_set_copier_sink_format(sdev, src_widget, sink_widget, - sroute->src_queue_id); + ret = sof_ipc4_set_copier_sink_format(sdev, src_widget, + sink_widget, sroute); if (ret < 0) { - dev_err(sdev->dev, "failed to set sink format for %s source queue ID %d\n", + dev_err(sdev->dev, + "failed to set sink format for source %s:%d\n", src_widget->widget->name, sroute->src_queue_id); goto out; } -- 2.43.0

1 year, 2 months

2
3
0 0

[PATCH] mm/damon/core: merge regions aggressively when max_nr_regions is unmet

by SeongJae Park

DAMON keeps the number of regions under max_nr_regions by skipping regions split operations when doing so can make the number higher than the limit. It works well for preventing violation of the limit. But, if somehow the violation happens, it cannot recovery well depending on the situation. In detail, if the real number of regions having different access pattern is higher than the limit, the mechanism cannot reduce the number below the limit. In such a case, the system could suffer from high monitoring overhead of DAMON. The violation can actually happen. For an example, the user could reduce max_nr_regions while DAMON is running, to be lower than the current number of regions. Fix the problem by repeating the merge operations with increasing aggressiveness in kdamond_merge_regions() for the case, until the limit is met. Fixes: b9a6ac4e4ede ("mm/damon: adaptively adjust regions") Cc: <stable(a)vger.kernel.org> # 5.15.x Signed-off-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/core.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/mm/damon/core.c b/mm/damon/core.c index f69250b68bcc..e6598c44b53c 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1694,14 +1694,30 @@ static void damon_merge_regions_of(struct damon_target *t, unsigned int thres, * access frequencies are similar. This is for minimizing the monitoring * overhead under the dynamically changeable access pattern. If a merge was * unnecessarily made, later 'kdamond_split_regions()' will revert it. + * + * The total number of regions could be temporarily higher than the + * user-defined limit, max_nr_regions for some cases. For an example, the user + * updates max_nr_regions to a number that lower than the current number of + * regions while DAMON is running. Depending on the access pattern, it could + * take indefinitve time to reduce the number below the limit. For such a + * case, repeat merging until the limit is met while increasing @threshold and + * @sz_limit. */ static void kdamond_merge_regions(struct damon_ctx *c, unsigned int threshold, unsigned long sz_limit) { struct damon_target *t; + unsigned int nr_regions; - damon_for_each_target(t, c) - damon_merge_regions_of(t, threshold, sz_limit); + do { + nr_regions = 0; + damon_for_each_target(t, c) { + damon_merge_regions_of(t, threshold, sz_limit); + nr_regions += damon_nr_regions(t); + } + threshold = max(1, threshold * 2); + sz_limit = max(1, sz_limit * 2); + } while (nr_regions > c->attrs.max_nr_regions); } /* -- 2.39.2

1 year, 2 months

1
0
0 0

[PATCH V2] perf stat: Fix the hard-coded metrics calculation on the hybrid

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com> The hard-coded metrics is wrongly calculated on the hybrid machine. $ perf stat -e cycles,instructions -a sleep 1 Performance counter stats for 'system wide': 18,205,487 cpu_atom/cycles/ 9,733,603 cpu_core/cycles/ 9,423,111 cpu_atom/instructions/ # 0.52 insn per cycle 4,268,965 cpu_core/instructions/ # 0.23 insn per cycle The insn per cycle for cpu_core should be 4,268,965 / 9,733,603 = 0.44. When finding the metric events, the find_stat() doesn't take the PMU type into account. The cpu_atom/cycles/ is wrongly used to calculate the IPC of the cpu_core. In the hard-coded metrics, the events from a different PMU are only SW_CPU_CLOCK and SW_TASK_CLOCK. They both have the stat type, STAT_NSECS. Except the SW CLOCK events, check the PMU type as well. Fixes: 0a57b910807a ("perf stat: Use counts rather than saved_value") Reported-by: "Khalil, Amiri" <amiri.khalil(a)intel.com> Reviewed-by: Ian Rogers <irogers(a)google.com> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- Changes since V1: - Don't check the PMU of the SW CLOCK events tools/perf/util/stat-shadow.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c index 3466aa952442..6bb975e46de3 100644 --- a/tools/perf/util/stat-shadow.c +++ b/tools/perf/util/stat-shadow.c @@ -176,6 +176,13 @@ static double find_stat(const struct evsel *evsel, int aggr_idx, enum stat_type if (type != evsel__stat_type(cur)) continue; + /* + * Except the SW CLOCK events, + * ignore if not the PMU we're looking for. + */ + if ((type != STAT_NSECS) && (evsel->pmu != cur->pmu)) + continue; + aggr = &cur->stats->aggr[aggr_idx]; if (type == STAT_NSECS) return aggr->counts.val; -- 2.35.1

1 year, 2 months

2
2
0 0

[PATCH] f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid

by Jaegeuk Kim

mkdir /mnt/test/comp f2fs_io setflags compression /mnt/test/comp dd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1 truncate --size 13 /mnt/test/comp/testfile In the above scenario, we can get a BUG_ON. kernel BUG at fs/f2fs/segment.c:3589! Call Trace: do_write_page+0x78/0x390 [f2fs] f2fs_outplace_write_data+0x62/0xb0 [f2fs] f2fs_do_write_data_page+0x275/0x740 [f2fs] f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs] f2fs_write_multi_pages+0x1e5/0xae0 [f2fs] f2fs_write_cache_pages+0xab1/0xc60 [f2fs] f2fs_write_data_pages+0x2d8/0x330 [f2fs] do_writepages+0xcf/0x270 __writeback_single_inode+0x44/0x350 writeback_sb_inodes+0x242/0x530 __writeback_inodes_wb+0x54/0xf0 wb_writeback+0x192/0x310 wb_workfn+0x30d/0x400 The reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the page was set the gcing flag by set_cluster_dirty(). Cc: stable(a)vger.kernel.org Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration") Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> --- fs/f2fs/segment.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index 6e8a4b332ad5..ce2300391031 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c @@ -3484,6 +3484,7 @@ static int __get_segment_type_6(struct f2fs_io_info *fio) if (fio->sbi->am.atgc_enabled && (fio->io_type == FS_DATA_IO) && (fio->sbi->gc_mode != GC_URGENT_HIGH) && + __is_valid_data_blkaddr(fio->old_blkaddr) && !is_inode_flag_set(inode, FI_OPU_WRITE)) return CURSEG_ALL_DATA_ATGC; else -- 2.45.2.627.g7a2c4fd464-goog

1 year, 2 months

4
3
0 0

FAILED: patch "[PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062418-serotonin-immobile-a6f4@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 Mon Sep 17 00:00:00 2001 From: Charles Keepax <ckeepax(a)opensource.cirrus.com> Date: Fri, 7 Jun 2024 11:34:23 +0100 Subject: [PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz Some internals of the cs35l56 can only support SPI speeds of up to 11MHz. Whilst some use-cases could support higher rates, keep things simple by dropping the SPI speed down to this avoid any potential issues. Signed-off-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240607103423.4159834-1-ckeepax@opensource.cirru… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cs42l43.c b/drivers/spi/spi-cs42l43.c index 902a0734cc36..8b618ef0f711 100644 --- a/drivers/spi/spi-cs42l43.c +++ b/drivers/spi/spi-cs42l43.c @@ -54,7 +54,7 @@ static const struct software_node ampr = { static struct spi_board_info ampl_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 0, .mode = SPI_MODE_0, .swnode = &ampl, @@ -62,7 +62,7 @@ static struct spi_board_info ampl_info = { static struct spi_board_info ampr_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 1, .mode = SPI_MODE_0, .swnode = &ampr,

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062417-scribing-deluge-54e8@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 Mon Sep 17 00:00:00 2001 From: Charles Keepax <ckeepax(a)opensource.cirrus.com> Date: Fri, 7 Jun 2024 11:34:23 +0100 Subject: [PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz Some internals of the cs35l56 can only support SPI speeds of up to 11MHz. Whilst some use-cases could support higher rates, keep things simple by dropping the SPI speed down to this avoid any potential issues. Signed-off-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240607103423.4159834-1-ckeepax@opensource.cirru… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cs42l43.c b/drivers/spi/spi-cs42l43.c index 902a0734cc36..8b618ef0f711 100644 --- a/drivers/spi/spi-cs42l43.c +++ b/drivers/spi/spi-cs42l43.c @@ -54,7 +54,7 @@ static const struct software_node ampr = { static struct spi_board_info ampl_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 0, .mode = SPI_MODE_0, .swnode = &ampl, @@ -62,7 +62,7 @@ static struct spi_board_info ampl_info = { static struct spi_board_info ampr_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 1, .mode = SPI_MODE_0, .swnode = &ampr,

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062417-data-circling-74b0@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 Mon Sep 17 00:00:00 2001 From: Charles Keepax <ckeepax(a)opensource.cirrus.com> Date: Fri, 7 Jun 2024 11:34:23 +0100 Subject: [PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz Some internals of the cs35l56 can only support SPI speeds of up to 11MHz. Whilst some use-cases could support higher rates, keep things simple by dropping the SPI speed down to this avoid any potential issues. Signed-off-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240607103423.4159834-1-ckeepax@opensource.cirru… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cs42l43.c b/drivers/spi/spi-cs42l43.c index 902a0734cc36..8b618ef0f711 100644 --- a/drivers/spi/spi-cs42l43.c +++ b/drivers/spi/spi-cs42l43.c @@ -54,7 +54,7 @@ static const struct software_node ampr = { static struct spi_board_info ampl_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 0, .mode = SPI_MODE_0, .swnode = &ampl, @@ -62,7 +62,7 @@ static struct spi_board_info ampl_info = { static struct spi_board_info ampr_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 1, .mode = SPI_MODE_0, .swnode = &ampr,

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062416-gumdrop-tinfoil-9210@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 Mon Sep 17 00:00:00 2001 From: Charles Keepax <ckeepax(a)opensource.cirrus.com> Date: Fri, 7 Jun 2024 11:34:23 +0100 Subject: [PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz Some internals of the cs35l56 can only support SPI speeds of up to 11MHz. Whilst some use-cases could support higher rates, keep things simple by dropping the SPI speed down to this avoid any potential issues. Signed-off-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240607103423.4159834-1-ckeepax@opensource.cirru… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cs42l43.c b/drivers/spi/spi-cs42l43.c index 902a0734cc36..8b618ef0f711 100644 --- a/drivers/spi/spi-cs42l43.c +++ b/drivers/spi/spi-cs42l43.c @@ -54,7 +54,7 @@ static const struct software_node ampr = { static struct spi_board_info ampl_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 0, .mode = SPI_MODE_0, .swnode = &ampl, @@ -62,7 +62,7 @@ static struct spi_board_info ampl_info = { static struct spi_board_info ampr_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 1, .mode = SPI_MODE_0, .swnode = &ampr,

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062415-acquire-poise-3326@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 Mon Sep 17 00:00:00 2001 From: Charles Keepax <ckeepax(a)opensource.cirrus.com> Date: Fri, 7 Jun 2024 11:34:23 +0100 Subject: [PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz Some internals of the cs35l56 can only support SPI speeds of up to 11MHz. Whilst some use-cases could support higher rates, keep things simple by dropping the SPI speed down to this avoid any potential issues. Signed-off-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240607103423.4159834-1-ckeepax@opensource.cirru… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cs42l43.c b/drivers/spi/spi-cs42l43.c index 902a0734cc36..8b618ef0f711 100644 --- a/drivers/spi/spi-cs42l43.c +++ b/drivers/spi/spi-cs42l43.c @@ -54,7 +54,7 @@ static const struct software_node ampr = { static struct spi_board_info ampl_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 0, .mode = SPI_MODE_0, .swnode = &ampl, @@ -62,7 +62,7 @@ static struct spi_board_info ampl_info = { static struct spi_board_info ampr_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 1, .mode = SPI_MODE_0, .swnode = &ampr,

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062415-shakable-matching-e69e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 Mon Sep 17 00:00:00 2001 From: Charles Keepax <ckeepax(a)opensource.cirrus.com> Date: Fri, 7 Jun 2024 11:34:23 +0100 Subject: [PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz Some internals of the cs35l56 can only support SPI speeds of up to 11MHz. Whilst some use-cases could support higher rates, keep things simple by dropping the SPI speed down to this avoid any potential issues. Signed-off-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240607103423.4159834-1-ckeepax@opensource.cirru… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cs42l43.c b/drivers/spi/spi-cs42l43.c index 902a0734cc36..8b618ef0f711 100644 --- a/drivers/spi/spi-cs42l43.c +++ b/drivers/spi/spi-cs42l43.c @@ -54,7 +54,7 @@ static const struct software_node ampr = { static struct spi_board_info ampl_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 0, .mode = SPI_MODE_0, .swnode = &ampl, @@ -62,7 +62,7 @@ static struct spi_board_info ampl_info = { static struct spi_board_info ampr_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 1, .mode = SPI_MODE_0, .swnode = &ampr,

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz" failed to apply to 6.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.9.y git checkout FETCH_HEAD git cherry-pick -x 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062414-convent-usage-bb3a@gregkh' --subject-prefix 'PATCH 6.9.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60980cf5b8c8cc9182e5e9dbb62cbfd345c54074 Mon Sep 17 00:00:00 2001 From: Charles Keepax <ckeepax(a)opensource.cirrus.com> Date: Fri, 7 Jun 2024 11:34:23 +0100 Subject: [PATCH] spi: cs42l43: Drop cs35l56 SPI speed down to 11MHz Some internals of the cs35l56 can only support SPI speeds of up to 11MHz. Whilst some use-cases could support higher rates, keep things simple by dropping the SPI speed down to this avoid any potential issues. Signed-off-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240607103423.4159834-1-ckeepax@opensource.cirru… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cs42l43.c b/drivers/spi/spi-cs42l43.c index 902a0734cc36..8b618ef0f711 100644 --- a/drivers/spi/spi-cs42l43.c +++ b/drivers/spi/spi-cs42l43.c @@ -54,7 +54,7 @@ static const struct software_node ampr = { static struct spi_board_info ampl_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 0, .mode = SPI_MODE_0, .swnode = &ampl, @@ -62,7 +62,7 @@ static struct spi_board_info ampl_info = { static struct spi_board_info ampr_info = { .modalias = "cs35l56", - .max_speed_hz = 20 * HZ_PER_MHZ, + .max_speed_hz = 11 * HZ_PER_MHZ, .chip_select = 1, .mode = SPI_MODE_0, .swnode = &ampr,

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] dt-bindings: i2c: atmel,at91sam: correct path to" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d4e001ffeccfc128c715057e866f301ac9b95728 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062426-sleeve-manicure-e52d@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d4e001ffeccfc128c715057e866f301ac9b95728 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Thu, 20 Jun 2024 13:34:49 +0200 Subject: [PATCH] dt-bindings: i2c: atmel,at91sam: correct path to i2c-controller schema The referenced i2c-controller.yaml schema is provided by dtschema package (outside of Linux kernel), so use full path to reference it. Cc: stable(a)vger.kernel.org Fixes: 7ea75dd386be ("dt-bindings: i2c: convert i2c-at91 to json-schema") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Conor Dooley <conor.dooley(a)microchip.com> Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org> diff --git a/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml b/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml index b1c13bab2472..b2d19cfb87ad 100644 --- a/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml +++ b/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml @@ -77,7 +77,7 @@ required: - clocks allOf: - - $ref: i2c-controller.yaml + - $ref: /schemas/i2c/i2c-controller.yaml# - if: properties: compatible:

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] i2c: ocores: set IACK bit after core is enabled" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 5a72477273066b5b357801ab2d315ef14949d402 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062412-mobster-doable-acc6@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5a72477273066b5b357801ab2d315ef14949d402 Mon Sep 17 00:00:00 2001 From: Grygorii Tertychnyi <grembeter(a)gmail.com> Date: Mon, 20 May 2024 17:39:32 +0200 Subject: [PATCH] i2c: ocores: set IACK bit after core is enabled Setting IACK bit when core is disabled does not clear the "Interrupt Flag" bit in the status register, and the interrupt remains pending. Sometimes it causes failure for the very first message transfer, that is usually a device probe. Hence, set IACK bit after core is enabled to clear pending interrupt. Fixes: 18f98b1e3147 ("[PATCH] i2c: New bus driver for the OpenCores I2C controller") Signed-off-by: Grygorii Tertychnyi <grygorii.tertychnyi(a)leica-geosystems.com> Acked-by: Peter Korsgaard <peter(a)korsgaard.com> Cc: stable(a)vger.kernel.org Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org> diff --git a/drivers/i2c/busses/i2c-ocores.c b/drivers/i2c/busses/i2c-ocores.c index 56a4dabf5a38..4ad670a80a63 100644 --- a/drivers/i2c/busses/i2c-ocores.c +++ b/drivers/i2c/busses/i2c-ocores.c @@ -431,8 +431,8 @@ static int ocores_init(struct device *dev, struct ocores_i2c *i2c) oc_setreg(i2c, OCI2C_PREHIGH, prescale >> 8); /* Init the device */ - oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK); oc_setreg(i2c, OCI2C_CONTROL, ctrl | OCI2C_CTRL_EN); + oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK); return 0; }

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] pwm: stm32: Refuse too small period requests" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x c45fcf46ca2368dafe7e5c513a711a6f0f974308 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062459-ebay-electable-e94e@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c45fcf46ca2368dafe7e5c513a711a6f0f974308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 21 Jun 2024 16:37:12 +0200 Subject: [PATCH] pwm: stm32: Refuse too small period requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If period_ns is small, prd might well become 0. Catch that case because otherwise with regmap_write(priv->regmap, TIM_ARR, prd - 1); a few lines down quite a big period is configured. Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") Cc: stable(a)vger.kernel.org Reviewed-by: Trevor Gamblin <tgamblin(a)baylibre.com> Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.17189791… Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c index a2f231d13a9f..3e7b2a8e34e7 100644 --- a/drivers/pwm/pwm-stm32.c +++ b/drivers/pwm/pwm-stm32.c @@ -337,6 +337,8 @@ static int stm32_pwm_config(struct stm32_pwm *priv, unsigned int ch, prd = mul_u64_u64_div_u64(period_ns, clk_get_rate(priv->clk), (u64)NSEC_PER_SEC * (prescaler + 1)); + if (!prd) + return -EINVAL; /* * All channels share the same prescaler and counter so when two

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] pwm: stm32: Refuse too small period requests" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x c45fcf46ca2368dafe7e5c513a711a6f0f974308 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062458-try-bouncing-bb82@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c45fcf46ca2368dafe7e5c513a711a6f0f974308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 21 Jun 2024 16:37:12 +0200 Subject: [PATCH] pwm: stm32: Refuse too small period requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If period_ns is small, prd might well become 0. Catch that case because otherwise with regmap_write(priv->regmap, TIM_ARR, prd - 1); a few lines down quite a big period is configured. Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") Cc: stable(a)vger.kernel.org Reviewed-by: Trevor Gamblin <tgamblin(a)baylibre.com> Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.17189791… Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c index a2f231d13a9f..3e7b2a8e34e7 100644 --- a/drivers/pwm/pwm-stm32.c +++ b/drivers/pwm/pwm-stm32.c @@ -337,6 +337,8 @@ static int stm32_pwm_config(struct stm32_pwm *priv, unsigned int ch, prd = mul_u64_u64_div_u64(period_ns, clk_get_rate(priv->clk), (u64)NSEC_PER_SEC * (prescaler + 1)); + if (!prd) + return -EINVAL; /* * All channels share the same prescaler and counter so when two

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] pwm: stm32: Refuse too small period requests" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x c45fcf46ca2368dafe7e5c513a711a6f0f974308 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062457-reversal-unkind-166b@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c45fcf46ca2368dafe7e5c513a711a6f0f974308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 21 Jun 2024 16:37:12 +0200 Subject: [PATCH] pwm: stm32: Refuse too small period requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If period_ns is small, prd might well become 0. Catch that case because otherwise with regmap_write(priv->regmap, TIM_ARR, prd - 1); a few lines down quite a big period is configured. Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") Cc: stable(a)vger.kernel.org Reviewed-by: Trevor Gamblin <tgamblin(a)baylibre.com> Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.17189791… Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c index a2f231d13a9f..3e7b2a8e34e7 100644 --- a/drivers/pwm/pwm-stm32.c +++ b/drivers/pwm/pwm-stm32.c @@ -337,6 +337,8 @@ static int stm32_pwm_config(struct stm32_pwm *priv, unsigned int ch, prd = mul_u64_u64_div_u64(period_ns, clk_get_rate(priv->clk), (u64)NSEC_PER_SEC * (prescaler + 1)); + if (!prd) + return -EINVAL; /* * All channels share the same prescaler and counter so when two

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] pwm: stm32: Refuse too small period requests" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x c45fcf46ca2368dafe7e5c513a711a6f0f974308 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062457-irritant-squatter-ff51@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c45fcf46ca2368dafe7e5c513a711a6f0f974308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 21 Jun 2024 16:37:12 +0200 Subject: [PATCH] pwm: stm32: Refuse too small period requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If period_ns is small, prd might well become 0. Catch that case because otherwise with regmap_write(priv->regmap, TIM_ARR, prd - 1); a few lines down quite a big period is configured. Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") Cc: stable(a)vger.kernel.org Reviewed-by: Trevor Gamblin <tgamblin(a)baylibre.com> Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.17189791… Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c index a2f231d13a9f..3e7b2a8e34e7 100644 --- a/drivers/pwm/pwm-stm32.c +++ b/drivers/pwm/pwm-stm32.c @@ -337,6 +337,8 @@ static int stm32_pwm_config(struct stm32_pwm *priv, unsigned int ch, prd = mul_u64_u64_div_u64(period_ns, clk_get_rate(priv->clk), (u64)NSEC_PER_SEC * (prescaler + 1)); + if (!prd) + return -EINVAL; /* * All channels share the same prescaler and counter so when two

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] pwm: stm32: Refuse too small period requests" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c45fcf46ca2368dafe7e5c513a711a6f0f974308 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062456-unvocal-anyone-3135@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c45fcf46ca2368dafe7e5c513a711a6f0f974308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 21 Jun 2024 16:37:12 +0200 Subject: [PATCH] pwm: stm32: Refuse too small period requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If period_ns is small, prd might well become 0. Catch that case because otherwise with regmap_write(priv->regmap, TIM_ARR, prd - 1); a few lines down quite a big period is configured. Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") Cc: stable(a)vger.kernel.org Reviewed-by: Trevor Gamblin <tgamblin(a)baylibre.com> Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.17189791… Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c index a2f231d13a9f..3e7b2a8e34e7 100644 --- a/drivers/pwm/pwm-stm32.c +++ b/drivers/pwm/pwm-stm32.c @@ -337,6 +337,8 @@ static int stm32_pwm_config(struct stm32_pwm *priv, unsigned int ch, prd = mul_u64_u64_div_u64(period_ns, clk_get_rate(priv->clk), (u64)NSEC_PER_SEC * (prescaler + 1)); + if (!prd) + return -EINVAL; /* * All channels share the same prescaler and counter so when two

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] pwm: stm32: Refuse too small period requests" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x c45fcf46ca2368dafe7e5c513a711a6f0f974308 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062455-magnetism-backing-fbef@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c45fcf46ca2368dafe7e5c513a711a6f0f974308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 21 Jun 2024 16:37:12 +0200 Subject: [PATCH] pwm: stm32: Refuse too small period requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If period_ns is small, prd might well become 0. Catch that case because otherwise with regmap_write(priv->regmap, TIM_ARR, prd - 1); a few lines down quite a big period is configured. Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") Cc: stable(a)vger.kernel.org Reviewed-by: Trevor Gamblin <tgamblin(a)baylibre.com> Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.17189791… Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c index a2f231d13a9f..3e7b2a8e34e7 100644 --- a/drivers/pwm/pwm-stm32.c +++ b/drivers/pwm/pwm-stm32.c @@ -337,6 +337,8 @@ static int stm32_pwm_config(struct stm32_pwm *priv, unsigned int ch, prd = mul_u64_u64_div_u64(period_ns, clk_get_rate(priv->clk), (u64)NSEC_PER_SEC * (prescaler + 1)); + if (!prd) + return -EINVAL; /* * All channels share the same prescaler and counter so when two

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] ima: Avoid blocking in RCU read-side critical section" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062445-fastness-juniper-7dfe@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: 9a95c5bfbf02 ("ima: Avoid blocking in RCU read-side critical section") 260017f31a8c ("lsm: use default hook return value in call_int_hook()") 923831117611 ("evm: Move to LSM infrastructure") 84594c9ecdca ("ima: Move IMA-Appraisal to LSM infrastructure") cd3cec0a02c7 ("ima: Move to LSM infrastructure") 06cca5110774 ("integrity: Move integrity_kernel_module_request() to IMA") b8d997032a46 ("security: Introduce key_post_create_or_update hook") 2d705d802414 ("security: Introduce inode_post_remove_acl hook") 8b9d0b825c65 ("security: Introduce inode_post_set_acl hook") a7811e34d100 ("security: Introduce inode_post_create_tmpfile hook") f09068b5a114 ("security: Introduce file_release hook") 8f46ff5767b0 ("security: Introduce file_post_open hook") dae52cbf5887 ("security: Introduce inode_post_removexattr hook") 77fa6f314f03 ("security: Introduce inode_post_setattr hook") 314a8dc728d0 ("security: Align inode_setattr hook definition with EVM") 779cb1947e27 ("evm: Align evm_inode_post_setxattr() definition with LSM infrastructure") 2b6a4054f8c2 ("evm: Align evm_inode_setxattr() definition with LSM infrastructure") 784111d0093e ("evm: Align evm_inode_post_setattr() definition with LSM infrastructure") fec5f85e468d ("ima: Align ima_post_read_file() definition with LSM infrastructure") 526864dd2f60 ("ima: Align ima_inode_removexattr() definition with LSM infrastructure") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001 From: GUO Zihua <guozihua(a)huawei.com> Date: Tue, 7 May 2024 01:25:41 +0000 Subject: [PATCH] ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") Cc: stable(a)vger.kernel.org Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Acked-by: John Johansen <john.johansen(a)canonical.com> Reviewed-by: Mimi Zohar <zohar(a)linux.ibm.com> Reviewed-by: Casey Schaufler <casey(a)schaufler-ca.com> [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f804b76cde44..44488b1ab9a9 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -413,7 +413,7 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, #ifdef CONFIG_AUDIT LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) diff --git a/include/linux/security.h b/include/linux/security.h index 21cf70346b33..de3af33e6ff5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2048,7 +2048,8 @@ static inline void security_key_post_create_or_update(struct key *keyring, #ifdef CONFIG_AUDIT #ifdef CONFIG_SECURITY -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp); int security_audit_rule_known(struct audit_krule *krule); int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); void security_audit_rule_free(void *lsmrule); @@ -2056,7 +2057,7 @@ void security_audit_rule_free(void *lsmrule); #else static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index be8c680121e4..d6ef4f4f9cba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, entry->rule.buflen += f_val; f->lsm_str = str; err = security_audit_rule_init(f->type, f->op, str, - (void **)&f->lsm_rule); + (void **)&f->lsm_rule, + GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (err == -EINVAL) { @@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df, /* our own (refreshed) copy of lsm_rule */ ret = security_audit_rule_init(df->type, df->op, df->lsm_str, - (void **)&df->lsm_rule); + (void **)&df->lsm_rule, GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (ret == -EINVAL) { diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 45beb1c5f747..6b5181c668b5 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule) } } -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) { struct aa_audit_rule *rule; @@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); + rule = kzalloc(sizeof(struct aa_audit_rule), gfp); if (!rule) return -ENOMEM; /* Currently rules are treated as coming from the root ns */ rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, - GFP_KERNEL, true, false); + gfp, true, false); if (IS_ERR(rule->label)) { int err = PTR_ERR(rule->label); aa_audit_rule_free(rule); diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index acbb03b9bd25..0c8cc86b417b 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -200,7 +200,7 @@ static inline int complain_error(int error) } void aa_audit_rule_free(void *vrule); -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); int aa_audit_rule_known(struct audit_krule *rule); int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3e568126cd48..c51e24d24d1e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -546,7 +546,7 @@ static inline void ima_free_modsig(struct modsig *modsig) #else static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return -EINVAL; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c0556907c2e6..09da8e639239 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rule_entry *entry) kfree(entry); } -static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) +static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, + gfp_t gfp) { struct ima_rule_entry *nentry; int i; @@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) * Immutable elements are copied over as pointers and data; only * lsm rules can change */ - nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); + nentry = kmemdup(entry, sizeof(*nentry), gfp); if (!nentry) return NULL; @@ -425,7 +426,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); + &nentry->lsm[i].rule, + gfp); if (!nentry->lsm[i].rule) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); @@ -438,7 +440,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry) int i; struct ima_rule_entry *nentry; - nentry = ima_lsm_copy_rule(entry); + nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); if (!nentry) return -ENOMEM; @@ -664,7 +666,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, } if (rc == -ESTALE && !rule_reinitialized) { - lsm_rule = ima_lsm_copy_rule(rule); + lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); if (lsm_rule) { rule_reinitialized = true; goto retry; @@ -1140,7 +1142,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); + &entry->lsm[lsm_rule].rule, + GFP_KERNEL); if (!entry->lsm[lsm_rule].rule) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); diff --git a/security/security.c b/security/security.c index e5da848c50b9..e5ca08789f74 100644 --- a/security/security.c +++ b/security/security.c @@ -5332,15 +5332,17 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, * @op: rule operator * @rulestr: rule context * @lsmrule: receive buffer for audit rule struct + * @gfp: GFP flag used for kmalloc * * Allocate and initialize an LSM audit rule structure. * * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of * an invalid rule. */ -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp) { - return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); } /** diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 52aca71210b4..29c7d4c86f6d 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -21,12 +21,14 @@ * @op: the operator the rule uses * @rulestr: the text "target" of the rule * @rule: pointer to the new rule structure returned via this + * @gfp: GFP flag used for kmalloc * * Returns 0 if successful, -errno if not. On success, the rule structure * will be allocated internally. The caller must free this structure with * selinux_audit_rule_free() after use. */ -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, + gfp_t gfp); /** * selinux_audit_rule_free - free an selinux audit rule structure. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f20e1968b7f7..e33e55384b75 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3507,7 +3507,8 @@ void selinux_audit_rule_free(void *vrule) } } -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3548,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); + tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); if (!tmprule) return -ENOMEM; context_init(&tmprule->au_ctxt); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 70ba2841e181..f5cbec1e6a92 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4693,11 +4693,13 @@ static int smack_post_notification(const struct cred *w_cred, * @op: required testing operator (=, !=, >, <, ...) * @rulestr: smack label to be audited * @vrule: pointer to save our own audit rule representation + * @gfp: type of the memory for the allocation * * Prepare to audit cases where (@field @op @rulestr) is true. * The label to be audited is created if necessay. */ -static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct smack_known *skp; char **rule = (char **)vrule;

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] ima: Avoid blocking in RCU read-side critical section" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062443-rocket-emptiness-09d2@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 9a95c5bfbf02 ("ima: Avoid blocking in RCU read-side critical section") 260017f31a8c ("lsm: use default hook return value in call_int_hook()") 923831117611 ("evm: Move to LSM infrastructure") 84594c9ecdca ("ima: Move IMA-Appraisal to LSM infrastructure") cd3cec0a02c7 ("ima: Move to LSM infrastructure") 06cca5110774 ("integrity: Move integrity_kernel_module_request() to IMA") b8d997032a46 ("security: Introduce key_post_create_or_update hook") 2d705d802414 ("security: Introduce inode_post_remove_acl hook") 8b9d0b825c65 ("security: Introduce inode_post_set_acl hook") a7811e34d100 ("security: Introduce inode_post_create_tmpfile hook") f09068b5a114 ("security: Introduce file_release hook") 8f46ff5767b0 ("security: Introduce file_post_open hook") dae52cbf5887 ("security: Introduce inode_post_removexattr hook") 77fa6f314f03 ("security: Introduce inode_post_setattr hook") 314a8dc728d0 ("security: Align inode_setattr hook definition with EVM") 779cb1947e27 ("evm: Align evm_inode_post_setxattr() definition with LSM infrastructure") 2b6a4054f8c2 ("evm: Align evm_inode_setxattr() definition with LSM infrastructure") 784111d0093e ("evm: Align evm_inode_post_setattr() definition with LSM infrastructure") fec5f85e468d ("ima: Align ima_post_read_file() definition with LSM infrastructure") 526864dd2f60 ("ima: Align ima_inode_removexattr() definition with LSM infrastructure") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001 From: GUO Zihua <guozihua(a)huawei.com> Date: Tue, 7 May 2024 01:25:41 +0000 Subject: [PATCH] ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") Cc: stable(a)vger.kernel.org Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Acked-by: John Johansen <john.johansen(a)canonical.com> Reviewed-by: Mimi Zohar <zohar(a)linux.ibm.com> Reviewed-by: Casey Schaufler <casey(a)schaufler-ca.com> [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f804b76cde44..44488b1ab9a9 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -413,7 +413,7 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, #ifdef CONFIG_AUDIT LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) diff --git a/include/linux/security.h b/include/linux/security.h index 21cf70346b33..de3af33e6ff5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2048,7 +2048,8 @@ static inline void security_key_post_create_or_update(struct key *keyring, #ifdef CONFIG_AUDIT #ifdef CONFIG_SECURITY -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp); int security_audit_rule_known(struct audit_krule *krule); int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); void security_audit_rule_free(void *lsmrule); @@ -2056,7 +2057,7 @@ void security_audit_rule_free(void *lsmrule); #else static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index be8c680121e4..d6ef4f4f9cba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, entry->rule.buflen += f_val; f->lsm_str = str; err = security_audit_rule_init(f->type, f->op, str, - (void **)&f->lsm_rule); + (void **)&f->lsm_rule, + GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (err == -EINVAL) { @@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df, /* our own (refreshed) copy of lsm_rule */ ret = security_audit_rule_init(df->type, df->op, df->lsm_str, - (void **)&df->lsm_rule); + (void **)&df->lsm_rule, GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (ret == -EINVAL) { diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 45beb1c5f747..6b5181c668b5 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule) } } -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) { struct aa_audit_rule *rule; @@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); + rule = kzalloc(sizeof(struct aa_audit_rule), gfp); if (!rule) return -ENOMEM; /* Currently rules are treated as coming from the root ns */ rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, - GFP_KERNEL, true, false); + gfp, true, false); if (IS_ERR(rule->label)) { int err = PTR_ERR(rule->label); aa_audit_rule_free(rule); diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index acbb03b9bd25..0c8cc86b417b 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -200,7 +200,7 @@ static inline int complain_error(int error) } void aa_audit_rule_free(void *vrule); -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); int aa_audit_rule_known(struct audit_krule *rule); int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3e568126cd48..c51e24d24d1e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -546,7 +546,7 @@ static inline void ima_free_modsig(struct modsig *modsig) #else static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return -EINVAL; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c0556907c2e6..09da8e639239 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rule_entry *entry) kfree(entry); } -static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) +static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, + gfp_t gfp) { struct ima_rule_entry *nentry; int i; @@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) * Immutable elements are copied over as pointers and data; only * lsm rules can change */ - nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); + nentry = kmemdup(entry, sizeof(*nentry), gfp); if (!nentry) return NULL; @@ -425,7 +426,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); + &nentry->lsm[i].rule, + gfp); if (!nentry->lsm[i].rule) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); @@ -438,7 +440,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry) int i; struct ima_rule_entry *nentry; - nentry = ima_lsm_copy_rule(entry); + nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); if (!nentry) return -ENOMEM; @@ -664,7 +666,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, } if (rc == -ESTALE && !rule_reinitialized) { - lsm_rule = ima_lsm_copy_rule(rule); + lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); if (lsm_rule) { rule_reinitialized = true; goto retry; @@ -1140,7 +1142,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); + &entry->lsm[lsm_rule].rule, + GFP_KERNEL); if (!entry->lsm[lsm_rule].rule) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); diff --git a/security/security.c b/security/security.c index e5da848c50b9..e5ca08789f74 100644 --- a/security/security.c +++ b/security/security.c @@ -5332,15 +5332,17 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, * @op: rule operator * @rulestr: rule context * @lsmrule: receive buffer for audit rule struct + * @gfp: GFP flag used for kmalloc * * Allocate and initialize an LSM audit rule structure. * * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of * an invalid rule. */ -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp) { - return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); } /** diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 52aca71210b4..29c7d4c86f6d 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -21,12 +21,14 @@ * @op: the operator the rule uses * @rulestr: the text "target" of the rule * @rule: pointer to the new rule structure returned via this + * @gfp: GFP flag used for kmalloc * * Returns 0 if successful, -errno if not. On success, the rule structure * will be allocated internally. The caller must free this structure with * selinux_audit_rule_free() after use. */ -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, + gfp_t gfp); /** * selinux_audit_rule_free - free an selinux audit rule structure. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f20e1968b7f7..e33e55384b75 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3507,7 +3507,8 @@ void selinux_audit_rule_free(void *vrule) } } -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3548,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); + tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); if (!tmprule) return -ENOMEM; context_init(&tmprule->au_ctxt); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 70ba2841e181..f5cbec1e6a92 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4693,11 +4693,13 @@ static int smack_post_notification(const struct cred *w_cred, * @op: required testing operator (=, !=, >, <, ...) * @rulestr: smack label to be audited * @vrule: pointer to save our own audit rule representation + * @gfp: type of the memory for the allocation * * Prepare to audit cases where (@field @op @rulestr) is true. * The label to be audited is created if necessay. */ -static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct smack_known *skp; char **rule = (char **)vrule;

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] ima: Avoid blocking in RCU read-side critical section" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062441-botanical-utensil-bb06@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 9a95c5bfbf02 ("ima: Avoid blocking in RCU read-side critical section") 260017f31a8c ("lsm: use default hook return value in call_int_hook()") 923831117611 ("evm: Move to LSM infrastructure") 84594c9ecdca ("ima: Move IMA-Appraisal to LSM infrastructure") cd3cec0a02c7 ("ima: Move to LSM infrastructure") 06cca5110774 ("integrity: Move integrity_kernel_module_request() to IMA") b8d997032a46 ("security: Introduce key_post_create_or_update hook") 2d705d802414 ("security: Introduce inode_post_remove_acl hook") 8b9d0b825c65 ("security: Introduce inode_post_set_acl hook") a7811e34d100 ("security: Introduce inode_post_create_tmpfile hook") f09068b5a114 ("security: Introduce file_release hook") 8f46ff5767b0 ("security: Introduce file_post_open hook") dae52cbf5887 ("security: Introduce inode_post_removexattr hook") 77fa6f314f03 ("security: Introduce inode_post_setattr hook") 314a8dc728d0 ("security: Align inode_setattr hook definition with EVM") 779cb1947e27 ("evm: Align evm_inode_post_setxattr() definition with LSM infrastructure") 2b6a4054f8c2 ("evm: Align evm_inode_setxattr() definition with LSM infrastructure") 784111d0093e ("evm: Align evm_inode_post_setattr() definition with LSM infrastructure") fec5f85e468d ("ima: Align ima_post_read_file() definition with LSM infrastructure") 526864dd2f60 ("ima: Align ima_inode_removexattr() definition with LSM infrastructure") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001 From: GUO Zihua <guozihua(a)huawei.com> Date: Tue, 7 May 2024 01:25:41 +0000 Subject: [PATCH] ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") Cc: stable(a)vger.kernel.org Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Acked-by: John Johansen <john.johansen(a)canonical.com> Reviewed-by: Mimi Zohar <zohar(a)linux.ibm.com> Reviewed-by: Casey Schaufler <casey(a)schaufler-ca.com> [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f804b76cde44..44488b1ab9a9 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -413,7 +413,7 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, #ifdef CONFIG_AUDIT LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) diff --git a/include/linux/security.h b/include/linux/security.h index 21cf70346b33..de3af33e6ff5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2048,7 +2048,8 @@ static inline void security_key_post_create_or_update(struct key *keyring, #ifdef CONFIG_AUDIT #ifdef CONFIG_SECURITY -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp); int security_audit_rule_known(struct audit_krule *krule); int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); void security_audit_rule_free(void *lsmrule); @@ -2056,7 +2057,7 @@ void security_audit_rule_free(void *lsmrule); #else static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index be8c680121e4..d6ef4f4f9cba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, entry->rule.buflen += f_val; f->lsm_str = str; err = security_audit_rule_init(f->type, f->op, str, - (void **)&f->lsm_rule); + (void **)&f->lsm_rule, + GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (err == -EINVAL) { @@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df, /* our own (refreshed) copy of lsm_rule */ ret = security_audit_rule_init(df->type, df->op, df->lsm_str, - (void **)&df->lsm_rule); + (void **)&df->lsm_rule, GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (ret == -EINVAL) { diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 45beb1c5f747..6b5181c668b5 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule) } } -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) { struct aa_audit_rule *rule; @@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); + rule = kzalloc(sizeof(struct aa_audit_rule), gfp); if (!rule) return -ENOMEM; /* Currently rules are treated as coming from the root ns */ rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, - GFP_KERNEL, true, false); + gfp, true, false); if (IS_ERR(rule->label)) { int err = PTR_ERR(rule->label); aa_audit_rule_free(rule); diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index acbb03b9bd25..0c8cc86b417b 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -200,7 +200,7 @@ static inline int complain_error(int error) } void aa_audit_rule_free(void *vrule); -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); int aa_audit_rule_known(struct audit_krule *rule); int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3e568126cd48..c51e24d24d1e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -546,7 +546,7 @@ static inline void ima_free_modsig(struct modsig *modsig) #else static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return -EINVAL; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c0556907c2e6..09da8e639239 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rule_entry *entry) kfree(entry); } -static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) +static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, + gfp_t gfp) { struct ima_rule_entry *nentry; int i; @@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) * Immutable elements are copied over as pointers and data; only * lsm rules can change */ - nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); + nentry = kmemdup(entry, sizeof(*nentry), gfp); if (!nentry) return NULL; @@ -425,7 +426,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); + &nentry->lsm[i].rule, + gfp); if (!nentry->lsm[i].rule) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); @@ -438,7 +440,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry) int i; struct ima_rule_entry *nentry; - nentry = ima_lsm_copy_rule(entry); + nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); if (!nentry) return -ENOMEM; @@ -664,7 +666,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, } if (rc == -ESTALE && !rule_reinitialized) { - lsm_rule = ima_lsm_copy_rule(rule); + lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); if (lsm_rule) { rule_reinitialized = true; goto retry; @@ -1140,7 +1142,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); + &entry->lsm[lsm_rule].rule, + GFP_KERNEL); if (!entry->lsm[lsm_rule].rule) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); diff --git a/security/security.c b/security/security.c index e5da848c50b9..e5ca08789f74 100644 --- a/security/security.c +++ b/security/security.c @@ -5332,15 +5332,17 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, * @op: rule operator * @rulestr: rule context * @lsmrule: receive buffer for audit rule struct + * @gfp: GFP flag used for kmalloc * * Allocate and initialize an LSM audit rule structure. * * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of * an invalid rule. */ -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp) { - return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); } /** diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 52aca71210b4..29c7d4c86f6d 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -21,12 +21,14 @@ * @op: the operator the rule uses * @rulestr: the text "target" of the rule * @rule: pointer to the new rule structure returned via this + * @gfp: GFP flag used for kmalloc * * Returns 0 if successful, -errno if not. On success, the rule structure * will be allocated internally. The caller must free this structure with * selinux_audit_rule_free() after use. */ -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, + gfp_t gfp); /** * selinux_audit_rule_free - free an selinux audit rule structure. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f20e1968b7f7..e33e55384b75 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3507,7 +3507,8 @@ void selinux_audit_rule_free(void *vrule) } } -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3548,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); + tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); if (!tmprule) return -ENOMEM; context_init(&tmprule->au_ctxt); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 70ba2841e181..f5cbec1e6a92 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4693,11 +4693,13 @@ static int smack_post_notification(const struct cred *w_cred, * @op: required testing operator (=, !=, >, <, ...) * @rulestr: smack label to be audited * @vrule: pointer to save our own audit rule representation + * @gfp: type of the memory for the allocation * * Prepare to audit cases where (@field @op @rulestr) is true. * The label to be audited is created if necessay. */ -static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct smack_known *skp; char **rule = (char **)vrule;

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] ima: Avoid blocking in RCU read-side critical section" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062440-setting-progeny-529f@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 9a95c5bfbf02 ("ima: Avoid blocking in RCU read-side critical section") 260017f31a8c ("lsm: use default hook return value in call_int_hook()") 923831117611 ("evm: Move to LSM infrastructure") 84594c9ecdca ("ima: Move IMA-Appraisal to LSM infrastructure") cd3cec0a02c7 ("ima: Move to LSM infrastructure") 06cca5110774 ("integrity: Move integrity_kernel_module_request() to IMA") b8d997032a46 ("security: Introduce key_post_create_or_update hook") 2d705d802414 ("security: Introduce inode_post_remove_acl hook") 8b9d0b825c65 ("security: Introduce inode_post_set_acl hook") a7811e34d100 ("security: Introduce inode_post_create_tmpfile hook") f09068b5a114 ("security: Introduce file_release hook") 8f46ff5767b0 ("security: Introduce file_post_open hook") dae52cbf5887 ("security: Introduce inode_post_removexattr hook") 77fa6f314f03 ("security: Introduce inode_post_setattr hook") 314a8dc728d0 ("security: Align inode_setattr hook definition with EVM") 779cb1947e27 ("evm: Align evm_inode_post_setxattr() definition with LSM infrastructure") 2b6a4054f8c2 ("evm: Align evm_inode_setxattr() definition with LSM infrastructure") 784111d0093e ("evm: Align evm_inode_post_setattr() definition with LSM infrastructure") fec5f85e468d ("ima: Align ima_post_read_file() definition with LSM infrastructure") 526864dd2f60 ("ima: Align ima_inode_removexattr() definition with LSM infrastructure") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001 From: GUO Zihua <guozihua(a)huawei.com> Date: Tue, 7 May 2024 01:25:41 +0000 Subject: [PATCH] ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") Cc: stable(a)vger.kernel.org Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Acked-by: John Johansen <john.johansen(a)canonical.com> Reviewed-by: Mimi Zohar <zohar(a)linux.ibm.com> Reviewed-by: Casey Schaufler <casey(a)schaufler-ca.com> [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f804b76cde44..44488b1ab9a9 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -413,7 +413,7 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, #ifdef CONFIG_AUDIT LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) diff --git a/include/linux/security.h b/include/linux/security.h index 21cf70346b33..de3af33e6ff5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2048,7 +2048,8 @@ static inline void security_key_post_create_or_update(struct key *keyring, #ifdef CONFIG_AUDIT #ifdef CONFIG_SECURITY -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp); int security_audit_rule_known(struct audit_krule *krule); int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); void security_audit_rule_free(void *lsmrule); @@ -2056,7 +2057,7 @@ void security_audit_rule_free(void *lsmrule); #else static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index be8c680121e4..d6ef4f4f9cba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, entry->rule.buflen += f_val; f->lsm_str = str; err = security_audit_rule_init(f->type, f->op, str, - (void **)&f->lsm_rule); + (void **)&f->lsm_rule, + GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (err == -EINVAL) { @@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df, /* our own (refreshed) copy of lsm_rule */ ret = security_audit_rule_init(df->type, df->op, df->lsm_str, - (void **)&df->lsm_rule); + (void **)&df->lsm_rule, GFP_KERNEL); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (ret == -EINVAL) { diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 45beb1c5f747..6b5181c668b5 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule) } } -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) { struct aa_audit_rule *rule; @@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); + rule = kzalloc(sizeof(struct aa_audit_rule), gfp); if (!rule) return -ENOMEM; /* Currently rules are treated as coming from the root ns */ rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, - GFP_KERNEL, true, false); + gfp, true, false); if (IS_ERR(rule->label)) { int err = PTR_ERR(rule->label); aa_audit_rule_free(rule); diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index acbb03b9bd25..0c8cc86b417b 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -200,7 +200,7 @@ static inline int complain_error(int error) } void aa_audit_rule_free(void *vrule); -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); int aa_audit_rule_known(struct audit_krule *rule); int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3e568126cd48..c51e24d24d1e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -546,7 +546,7 @@ static inline void ima_free_modsig(struct modsig *modsig) #else static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, gfp_t gfp) { return -EINVAL; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c0556907c2e6..09da8e639239 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rule_entry *entry) kfree(entry); } -static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) +static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, + gfp_t gfp) { struct ima_rule_entry *nentry; int i; @@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) * Immutable elements are copied over as pointers and data; only * lsm rules can change */ - nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); + nentry = kmemdup(entry, sizeof(*nentry), gfp); if (!nentry) return NULL; @@ -425,7 +426,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); + &nentry->lsm[i].rule, + gfp); if (!nentry->lsm[i].rule) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); @@ -438,7 +440,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry) int i; struct ima_rule_entry *nentry; - nentry = ima_lsm_copy_rule(entry); + nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); if (!nentry) return -ENOMEM; @@ -664,7 +666,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, } if (rc == -ESTALE && !rule_reinitialized) { - lsm_rule = ima_lsm_copy_rule(rule); + lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); if (lsm_rule) { rule_reinitialized = true; goto retry; @@ -1140,7 +1142,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); + &entry->lsm[lsm_rule].rule, + GFP_KERNEL); if (!entry->lsm[lsm_rule].rule) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); diff --git a/security/security.c b/security/security.c index e5da848c50b9..e5ca08789f74 100644 --- a/security/security.c +++ b/security/security.c @@ -5332,15 +5332,17 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, * @op: rule operator * @rulestr: rule context * @lsmrule: receive buffer for audit rule struct + * @gfp: GFP flag used for kmalloc * * Allocate and initialize an LSM audit rule structure. * * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of * an invalid rule. */ -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + gfp_t gfp) { - return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); } /** diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 52aca71210b4..29c7d4c86f6d 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -21,12 +21,14 @@ * @op: the operator the rule uses * @rulestr: the text "target" of the rule * @rule: pointer to the new rule structure returned via this + * @gfp: GFP flag used for kmalloc * * Returns 0 if successful, -errno if not. On success, the rule structure * will be allocated internally. The caller must free this structure with * selinux_audit_rule_free() after use. */ -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, + gfp_t gfp); /** * selinux_audit_rule_free - free an selinux audit rule structure. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f20e1968b7f7..e33e55384b75 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3507,7 +3507,8 @@ void selinux_audit_rule_free(void *vrule) } } -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3548,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) return -EINVAL; } - tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); + tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); if (!tmprule) return -ENOMEM; context_init(&tmprule->au_ctxt); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 70ba2841e181..f5cbec1e6a92 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4693,11 +4693,13 @@ static int smack_post_notification(const struct cred *w_cred, * @op: required testing operator (=, !=, >, <, ...) * @rulestr: smack label to be audited * @vrule: pointer to save our own audit rule representation + * @gfp: type of the memory for the allocation * * Prepare to audit cases where (@field @op @rulestr) is true. * The label to be audited is created if necessay. */ -static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + gfp_t gfp) { struct smack_known *skp; char **rule = (char **)vrule;

1 year, 2 months

1
0
0 0

[PATCH v3] serial: 8250_omap: Implementation of Errata i2310

by Udit Kumar

As per Errata i2310[0], Erroneous timeout can be triggered, if this Erroneous interrupt is not cleared then it may leads to storm of interrupts, therefore apply Errata i2310 solution. [0] https://www.ti.com/lit/pdf/sprz536 page 23 Fixes: b67e830d38fa ("serial: 8250: 8250_omap: Fix possible interrupt storm on K3 SoCs") Cc: stable(a)vger.kernel.org Signed-off-by: Udit Kumar <u-kumar1(a)ti.com> --- Change logs Changes in v3: - CC stable in commit message Link to v2: https://lore.kernel.org/all/20240617052253.2188140-1-u-kumar1@ti.com/ Changes in v2: - Added Fixes Tag and typo correction in commit message - Corrected bit position to UART_OMAP_EFR2_TIMEOUT_BEHAVE Link to v1 https://lore.kernel.org/all/20240614061314.290840-1-u-kumar1@ti.com/ drivers/tty/serial/8250/8250_omap.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c index 170639d12b2a..ddac0a13cf84 100644 --- a/drivers/tty/serial/8250/8250_omap.c +++ b/drivers/tty/serial/8250/8250_omap.c @@ -115,6 +115,10 @@ /* RX FIFO occupancy indicator */ #define UART_OMAP_RX_LVL 0x19 +/* Timeout low and High */ +#define UART_OMAP_TO_L 0x26 +#define UART_OMAP_TO_H 0x27 + /* * Copy of the genpd flags for the console. * Only used if console suspend is disabled @@ -663,13 +667,24 @@ static irqreturn_t omap8250_irq(int irq, void *dev_id) /* * On K3 SoCs, it is observed that RX TIMEOUT is signalled after - * FIFO has been drained, in which case a dummy read of RX FIFO - * is required to clear RX TIMEOUT condition. + * FIFO has been drained or erroneously. + * So apply solution of Errata i2310 as mentioned in + * https://www.ti.com/lit/pdf/sprz536 */ if (priv->habit & UART_RX_TIMEOUT_QUIRK && - (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT && - serial_port_in(port, UART_OMAP_RX_LVL) == 0) { - serial_port_in(port, UART_RX); + (iir & UART_IIR_RX_TIMEOUT) == UART_IIR_RX_TIMEOUT) { + unsigned char efr2, timeout_h, timeout_l; + + efr2 = serial_in(up, UART_OMAP_EFR2); + timeout_h = serial_in(up, UART_OMAP_TO_H); + timeout_l = serial_in(up, UART_OMAP_TO_L); + serial_out(up, UART_OMAP_TO_H, 0xFF); + serial_out(up, UART_OMAP_TO_L, 0xFF); + serial_out(up, UART_OMAP_EFR2, UART_OMAP_EFR2_TIMEOUT_BEHAVE); + serial_in(up, UART_IIR); + serial_out(up, UART_OMAP_EFR2, efr2); + serial_out(up, UART_OMAP_TO_H, timeout_h); + serial_out(up, UART_OMAP_TO_L, timeout_l); } /* Stop processing interrupts on input overrun */ -- 2.34.1

1 year, 2 months

2
1
0 0

[PATCH v2 02/13] syscalls: fix compat_sys_io_pgetevents_time64 usage

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> Using sys_io_pgetevents() as the entry point for compat mode tasks works almost correctly, but misses the sign extension for the min_nr and nr arguments. This was addressed on parisc by switching to compat_sys_io_pgetevents_time64() in commit 6431e92fc827 ("parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode"), as well as by using more sophisticated system call wrappers on x86 and s390. However, arm64, mips, powerpc, sparc and riscv still have the same bug. Change all of them over to use compat_sys_io_pgetevents_time64() like parisc already does. This was clearly the intention when the function was originally added, but it got hooked up incorrectly in the tables. Cc: stable(a)vger.kernel.org Fixes: 48166e6ea47d ("y2038: add 64-bit time_t syscalls to all 32-bit architectures") Acked-by: Heiko Carstens <hca(a)linux.ibm.com> # s390 Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- v2: fix kernel/sys_ni.c which was previously broken only on parisc. found by kernel build bot. --- arch/arm64/include/asm/unistd32.h | 2 +- arch/mips/kernel/syscalls/syscall_n32.tbl | 2 +- arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +- arch/powerpc/kernel/syscalls/syscall.tbl | 2 +- arch/s390/kernel/syscalls/syscall.tbl | 2 +- arch/sparc/kernel/syscalls/syscall.tbl | 2 +- arch/x86/entry/syscalls/syscall_32.tbl | 2 +- include/uapi/asm-generic/unistd.h | 2 +- kernel/sys_ni.c | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h index 266b96acc014..1386e8e751f2 100644 --- a/arch/arm64/include/asm/unistd32.h +++ b/arch/arm64/include/asm/unistd32.h @@ -840,7 +840,7 @@ __SYSCALL(__NR_pselect6_time64, compat_sys_pselect6_time64) #define __NR_ppoll_time64 414 __SYSCALL(__NR_ppoll_time64, compat_sys_ppoll_time64) #define __NR_io_pgetevents_time64 416 -__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents) +__SYSCALL(__NR_io_pgetevents_time64, compat_sys_io_pgetevents_time64) #define __NR_recvmmsg_time64 417 __SYSCALL(__NR_recvmmsg_time64, compat_sys_recvmmsg_time64) #define __NR_mq_timedsend_time64 418 diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl index cc869f5d5693..953f5b7dc723 100644 --- a/arch/mips/kernel/syscalls/syscall_n32.tbl +++ b/arch/mips/kernel/syscalls/syscall_n32.tbl @@ -354,7 +354,7 @@ 412 n32 utimensat_time64 sys_utimensat 413 n32 pselect6_time64 compat_sys_pselect6_time64 414 n32 ppoll_time64 compat_sys_ppoll_time64 -416 n32 io_pgetevents_time64 sys_io_pgetevents +416 n32 io_pgetevents_time64 compat_sys_io_pgetevents_time64 417 n32 recvmmsg_time64 compat_sys_recvmmsg_time64 418 n32 mq_timedsend_time64 sys_mq_timedsend 419 n32 mq_timedreceive_time64 sys_mq_timedreceive diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl index 008ebe60263e..85751c9b9cdb 100644 --- a/arch/mips/kernel/syscalls/syscall_o32.tbl +++ b/arch/mips/kernel/syscalls/syscall_o32.tbl @@ -403,7 +403,7 @@ 412 o32 utimensat_time64 sys_utimensat sys_utimensat 413 o32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 414 o32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 -416 o32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents +416 o32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 417 o32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 418 o32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend 419 o32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl index 3656f1ca7a21..c6b0546b284d 100644 --- a/arch/powerpc/kernel/syscalls/syscall.tbl +++ b/arch/powerpc/kernel/syscalls/syscall.tbl @@ -502,7 +502,7 @@ 412 32 utimensat_time64 sys_utimensat sys_utimensat 413 32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 414 32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 -416 32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents +416 32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 417 32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 418 32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend 419 32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl index bd0fee24ad10..01071182763e 100644 --- a/arch/s390/kernel/syscalls/syscall.tbl +++ b/arch/s390/kernel/syscalls/syscall.tbl @@ -418,7 +418,7 @@ 412 32 utimensat_time64 - sys_utimensat 413 32 pselect6_time64 - compat_sys_pselect6_time64 414 32 ppoll_time64 - compat_sys_ppoll_time64 -416 32 io_pgetevents_time64 - sys_io_pgetevents +416 32 io_pgetevents_time64 - compat_sys_io_pgetevents_time64 417 32 recvmmsg_time64 - compat_sys_recvmmsg_time64 418 32 mq_timedsend_time64 - sys_mq_timedsend 419 32 mq_timedreceive_time64 - sys_mq_timedreceive diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl index ac6c281ccfe0..b354139b40be 100644 --- a/arch/sparc/kernel/syscalls/syscall.tbl +++ b/arch/sparc/kernel/syscalls/syscall.tbl @@ -461,7 +461,7 @@ 412 32 utimensat_time64 sys_utimensat sys_utimensat 413 32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 414 32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 -416 32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents +416 32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 417 32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 418 32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend 419 32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 7fd1f57ad3d3..d6ebcab1d8b2 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -420,7 +420,7 @@ 412 i386 utimensat_time64 sys_utimensat 413 i386 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 414 i386 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 -416 i386 io_pgetevents_time64 sys_io_pgetevents +416 i386 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 417 i386 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 418 i386 mq_timedsend_time64 sys_mq_timedsend 419 i386 mq_timedreceive_time64 sys_mq_timedreceive diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index d983c48a3b6a..3fdaa573d661 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -737,7 +737,7 @@ __SC_COMP(__NR_pselect6_time64, sys_pselect6, compat_sys_pselect6_time64) #define __NR_ppoll_time64 414 __SC_COMP(__NR_ppoll_time64, sys_ppoll, compat_sys_ppoll_time64) #define __NR_io_pgetevents_time64 416 -__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents) +__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents, compat_sys_io_pgetevents_time64) #define __NR_recvmmsg_time64 417 __SC_COMP(__NR_recvmmsg_time64, sys_recvmmsg, compat_sys_recvmmsg_time64) #define __NR_mq_timedsend_time64 418 diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index d7eee421d4bc..b696b85ac63e 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -46,8 +46,8 @@ COND_SYSCALL(io_getevents_time32); COND_SYSCALL(io_getevents); COND_SYSCALL(io_pgetevents_time32); COND_SYSCALL(io_pgetevents); -COND_SYSCALL_COMPAT(io_pgetevents_time32); COND_SYSCALL_COMPAT(io_pgetevents); +COND_SYSCALL_COMPAT(io_pgetevents_time64); COND_SYSCALL(io_uring_setup); COND_SYSCALL(io_uring_enter); COND_SYSCALL(io_uring_register); -- 2.39.2

1 year, 2 months

1
0
0 0

[PATCH v2 01/13] ftruncate: pass a signed offset

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> The old ftruncate() syscall, using the 32-bit off_t misses a sign extension when called in compat mode on 64-bit architectures. As a result, passing a negative length accidentally succeeds in truncating to file size between 2GiB and 4GiB. Changing the type of the compat syscall to the signed compat_off_t changes the behavior so it instead returns -EINVAL. The native entry point, the truncate() syscall and the corresponding loff_t based variants are all correct already and do not suffer from this mistake. Fixes: 3f6d078d4acc ("fix compat truncate/ftruncate") Reviewed-by: Christian Brauner <brauner(a)kernel.org> Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- fs/open.c | 4 ++-- include/linux/compat.h | 2 +- include/linux/syscalls.h | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/open.c b/fs/open.c index 89cafb572061..50e45bc7c4d8 100644 --- a/fs/open.c +++ b/fs/open.c @@ -202,13 +202,13 @@ long do_sys_ftruncate(unsigned int fd, loff_t length, int small) return error; } -SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length) +SYSCALL_DEFINE2(ftruncate, unsigned int, fd, off_t, length) { return do_sys_ftruncate(fd, length, 1); } #ifdef CONFIG_COMPAT -COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_ulong_t, length) +COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_off_t, length) { return do_sys_ftruncate(fd, length, 1); } diff --git a/include/linux/compat.h b/include/linux/compat.h index 233f61ec8afc..56cebaff0c91 100644 --- a/include/linux/compat.h +++ b/include/linux/compat.h @@ -608,7 +608,7 @@ asmlinkage long compat_sys_fstatfs(unsigned int fd, asmlinkage long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf); asmlinkage long compat_sys_truncate(const char __user *, compat_off_t); -asmlinkage long compat_sys_ftruncate(unsigned int, compat_ulong_t); +asmlinkage long compat_sys_ftruncate(unsigned int, compat_off_t); /* No generic prototype for truncate64, ftruncate64, fallocate */ asmlinkage long compat_sys_openat(int dfd, const char __user *filename, int flags, umode_t mode); diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 9104952d323d..ba9337709878 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -418,7 +418,7 @@ asmlinkage long sys_listmount(const struct mnt_id_req __user *req, u64 __user *mnt_ids, size_t nr_mnt_ids, unsigned int flags); asmlinkage long sys_truncate(const char __user *path, long length); -asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length); +asmlinkage long sys_ftruncate(unsigned int fd, off_t length); #if BITS_PER_LONG == 32 asmlinkage long sys_truncate64(const char __user *path, loff_t length); asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length); -- 2.39.2

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: prevent register access while in IPS" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 56342da3d8cc15efe9df7f29985ba8d256bdc258 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062453-fretted-sulfur-3c0f@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56342da3d8cc15efe9df7f29985ba8d256bdc258 Mon Sep 17 00:00:00 2001 From: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Date: Mon, 3 Jun 2024 10:16:45 -0400 Subject: [PATCH] drm/amd/display: prevent register access while in IPS We can't read/write to DCN registers while in IPS. Since, that can cause the system to hang. So, before proceeding with the access in that scenario, force the system out of IPS. Cc: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Roman Li <roman.li(a)amd.com> Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index e426adf95d7d..e9ac20bed0f2 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -11437,6 +11437,12 @@ void amdgpu_dm_trigger_timing_sync(struct drm_device *dev) mutex_unlock(&adev->dm.dc_lock); } +static inline void amdgpu_dm_exit_ips_for_hw_access(struct dc *dc) +{ + if (dc->ctx->dmub_srv && !dc->ctx->dmub_srv->idle_exit_counter) + dc_exit_ips_for_hw_access(dc); +} + void dm_write_reg_func(const struct dc_context *ctx, uint32_t address, u32 value, const char *func_name) { @@ -11447,6 +11453,8 @@ void dm_write_reg_func(const struct dc_context *ctx, uint32_t address, return; } #endif + + amdgpu_dm_exit_ips_for_hw_access(ctx->dc); cgs_write_register(ctx->cgs_device, address, value); trace_amdgpu_dc_wreg(&ctx->perf_trace->write_count, address, value); } @@ -11470,6 +11478,8 @@ uint32_t dm_read_reg_func(const struct dc_context *ctx, uint32_t address, return 0; } + amdgpu_dm_exit_ips_for_hw_access(ctx->dc); + value = cgs_read_register(ctx->cgs_device, address); trace_amdgpu_dc_rreg(&ctx->perf_trace->read_count, address, value);

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: prevent register access while in IPS" failed to apply to 6.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.9.y git checkout FETCH_HEAD git cherry-pick -x 56342da3d8cc15efe9df7f29985ba8d256bdc258 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062454-portable-grinch-582f@gregkh' --subject-prefix 'PATCH 6.9.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56342da3d8cc15efe9df7f29985ba8d256bdc258 Mon Sep 17 00:00:00 2001 From: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Date: Mon, 3 Jun 2024 10:16:45 -0400 Subject: [PATCH] drm/amd/display: prevent register access while in IPS We can't read/write to DCN registers while in IPS. Since, that can cause the system to hang. So, before proceeding with the access in that scenario, force the system out of IPS. Cc: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Roman Li <roman.li(a)amd.com> Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index e426adf95d7d..e9ac20bed0f2 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -11437,6 +11437,12 @@ void amdgpu_dm_trigger_timing_sync(struct drm_device *dev) mutex_unlock(&adev->dm.dc_lock); } +static inline void amdgpu_dm_exit_ips_for_hw_access(struct dc *dc) +{ + if (dc->ctx->dmub_srv && !dc->ctx->dmub_srv->idle_exit_counter) + dc_exit_ips_for_hw_access(dc); +} + void dm_write_reg_func(const struct dc_context *ctx, uint32_t address, u32 value, const char *func_name) { @@ -11447,6 +11453,8 @@ void dm_write_reg_func(const struct dc_context *ctx, uint32_t address, return; } #endif + + amdgpu_dm_exit_ips_for_hw_access(ctx->dc); cgs_write_register(ctx->cgs_device, address, value); trace_amdgpu_dc_wreg(&ctx->perf_trace->write_count, address, value); } @@ -11470,6 +11478,8 @@ uint32_t dm_read_reg_func(const struct dc_context *ctx, uint32_t address, return 0; } + amdgpu_dm_exit_ips_for_hw_access(ctx->dc); + value = cgs_read_register(ctx->cgs_device, address); trace_amdgpu_dc_rreg(&ctx->perf_trace->read_count, address, value);

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Attempt to avoid empty TUs when endpoint is" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x c03d770c0b014a3007a5874bf6b3c3e64d32aaac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062458-impotency-swifter-6e17@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c03d770c0b014a3007a5874bf6b3c3e64d32aaac Mon Sep 17 00:00:00 2001 From: Michael Strauss <michael.strauss(a)amd.com> Date: Tue, 7 May 2024 12:03:15 -0400 Subject: [PATCH] drm/amd/display: Attempt to avoid empty TUs when endpoint is DPIA [WHY] Empty SST TUs are illegal to transmit over a USB4 DP tunnel. Current policy is to configure stream encoder to pack 2 pixels per pclk even when ODM combine is not in use, allowing seamless dynamic ODM reconfiguration. However, in extreme edge cases where average pixel count per TU is less than 2, this can lead to unexpected empty TU generation during compliance testing. For example, VIC 1 with a 1xHBR3 link configuration will average 1.98 pix/TU. [HOW] Calculate average pixel count per TU, and block 2 pixels per clock if endpoint is a DPIA tunnel and pixel clock is low enough that we will never require 2:1 ODM combine. Cc: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Wenjing Liu <wenjing.liu(a)amd.com> Acked-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Michael Strauss <michael.strauss(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c index 5295f52e4fc8..dcced89c07b3 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c @@ -1439,3 +1439,75 @@ void dcn35_set_long_vblank(struct pipe_ctx **pipe_ctx, } } } + +static bool should_avoid_empty_tu(struct pipe_ctx *pipe_ctx) +{ + /* Calculate average pixel count per TU, return false if under ~2.00 to + * avoid empty TUs. This is only required for DPIA tunneling as empty TUs + * are legal to generate for native DP links. Assume TU size 64 as there + * is currently no scenario where it's reprogrammed from HW default. + * MTPs have no such limitation, so this does not affect MST use cases. + */ + unsigned int pix_clk_mhz; + unsigned int symclk_mhz; + unsigned int avg_pix_per_tu_x1000; + unsigned int tu_size_bytes = 64; + struct dc_crtc_timing *timing = &pipe_ctx->stream->timing; + struct dc_link_settings *link_settings = &pipe_ctx->link_config.dp_link_settings; + const struct dc *dc = pipe_ctx->stream->link->dc; + + if (pipe_ctx->stream->link->ep_type != DISPLAY_ENDPOINT_USB4_DPIA) + return false; + + // Not necessary for MST configurations + if (pipe_ctx->stream->signal == SIGNAL_TYPE_DISPLAY_PORT_MST) + return false; + + pix_clk_mhz = timing->pix_clk_100hz / 10000; + + // If this is true, can't block due to dynamic ODM + if (pix_clk_mhz > dc->clk_mgr->bw_params->clk_table.entries[0].dispclk_mhz) + return false; + + switch (link_settings->link_rate) { + case LINK_RATE_LOW: + symclk_mhz = 162; + break; + case LINK_RATE_HIGH: + symclk_mhz = 270; + break; + case LINK_RATE_HIGH2: + symclk_mhz = 540; + break; + case LINK_RATE_HIGH3: + symclk_mhz = 810; + break; + default: + // We shouldn't be tunneling any other rates, something is wrong + ASSERT(0); + return false; + } + + avg_pix_per_tu_x1000 = (1000 * pix_clk_mhz * tu_size_bytes) + / (symclk_mhz * link_settings->lane_count); + + // Add small empirically-decided margin to account for potential jitter + return (avg_pix_per_tu_x1000 < 2020); +} + +bool dcn35_is_dp_dig_pixel_rate_div_policy(struct pipe_ctx *pipe_ctx) +{ + struct dc *dc = pipe_ctx->stream->ctx->dc; + + if (!is_h_timing_divisible_by_2(pipe_ctx->stream)) + return false; + + if (should_avoid_empty_tu(pipe_ctx)) + return false; + + if (dc_is_dp_signal(pipe_ctx->stream->signal) && !dc->link_srv->dp_is_128b_132b_signal(pipe_ctx) && + dc->debug.enable_dp_dig_pixel_rate_div_policy) + return true; + + return false; +} diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h index a731c8880d60..f0ea7d1511ae 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h @@ -95,4 +95,6 @@ void dcn35_set_static_screen_control(struct pipe_ctx **pipe_ctx, void dcn35_set_long_vblank(struct pipe_ctx **pipe_ctx, int num_pipes, uint32_t v_total_min, uint32_t v_total_max); +bool dcn35_is_dp_dig_pixel_rate_div_policy(struct pipe_ctx *pipe_ctx); + #endif /* __DC_HWSS_DCN35_H__ */ diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c index df3bf77f3fb4..199781233fd5 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c @@ -158,7 +158,7 @@ static const struct hwseq_private_funcs dcn35_private_funcs = { .setup_hpo_hw_control = dcn35_setup_hpo_hw_control, .calculate_dccg_k1_k2_values = dcn32_calculate_dccg_k1_k2_values, .set_pixels_per_cycle = dcn32_set_pixels_per_cycle, - .is_dp_dig_pixel_rate_div_policy = dcn32_is_dp_dig_pixel_rate_div_policy, + .is_dp_dig_pixel_rate_div_policy = dcn35_is_dp_dig_pixel_rate_div_policy, .dsc_pg_control = dcn35_dsc_pg_control, .dsc_pg_status = dcn32_dsc_pg_status, .enable_plane = dcn35_enable_plane,

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu: revert "take runtime pm reference when we attach" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 8bd82363e2ee2eb3a9a8ea1fa94ebe1900d05a71 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062437-coveted-renounce-4f9a@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8bd82363e2ee2eb3a9a8ea1fa94ebe1900d05a71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig(a)amd.com> Date: Wed, 5 Jun 2024 13:27:20 +0200 Subject: [PATCH] drm/amdgpu: revert "take runtime pm reference when we attach a buffer" v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit b8c415e3bf98 ("drm/amdgpu: take runtime pm reference when we attach a buffer") and commit 425285d39afd ("drm/amdgpu: add amdgpu runpm usage trace for separate funcs"). Taking a runtime pm reference for DMA-buf is actually completely unnecessary and even dangerous. The problem is that calling pm_runtime_get_sync() from the DMA-buf callbacks is illegal because we have the reservation locked here which is also taken during resume. So this would deadlock. When the buffer is in GTT it is still accessible even when the GPU is powered down and when it is in VRAM the buffer gets migrated to GTT before powering down. The only use case which would make it mandatory to keep the runtime pm reference would be if we pin the buffer into VRAM, and that's not something we currently do. v2: improve the commit message Signed-off-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> CC: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c index 055ba2ea4c12..662d0f28f358 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c @@ -41,8 +41,6 @@ #include <linux/dma-buf.h> #include <linux/dma-fence-array.h> #include <linux/pci-p2pdma.h> -#include <linux/pm_runtime.h> -#include "amdgpu_trace.h" /** * amdgpu_dma_buf_attach - &dma_buf_ops.attach implementation @@ -58,42 +56,11 @@ static int amdgpu_dma_buf_attach(struct dma_buf *dmabuf, struct drm_gem_object *obj = dmabuf->priv; struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj); struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev); - int r; if (pci_p2pdma_distance(adev->pdev, attach->dev, false) < 0) attach->peer2peer = false; - r = pm_runtime_get_sync(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(1, __func__); - if (r < 0) - goto out; - return 0; - -out: - pm_runtime_put_autosuspend(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(0, __func__); - return r; -} - -/** - * amdgpu_dma_buf_detach - &dma_buf_ops.detach implementation - * - * @dmabuf: DMA-buf where we remove the attachment from - * @attach: the attachment to remove - * - * Called when an attachment is removed from the DMA-buf. - */ -static void amdgpu_dma_buf_detach(struct dma_buf *dmabuf, - struct dma_buf_attachment *attach) -{ - struct drm_gem_object *obj = dmabuf->priv; - struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj); - struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev); - - pm_runtime_mark_last_busy(adev_to_drm(adev)->dev); - pm_runtime_put_autosuspend(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(0, __func__); } /** @@ -267,7 +234,6 @@ static int amdgpu_dma_buf_begin_cpu_access(struct dma_buf *dma_buf, const struct dma_buf_ops amdgpu_dmabuf_ops = { .attach = amdgpu_dma_buf_attach, - .detach = amdgpu_dma_buf_detach, .pin = amdgpu_dma_buf_pin, .unpin = amdgpu_dma_buf_unpin, .map_dma_buf = amdgpu_dma_buf_map, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c index 10832b470448..bc3ac73b6b8d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c @@ -181,7 +181,6 @@ int amdgpu_fence_emit(struct amdgpu_ring *ring, struct dma_fence **f, struct amd amdgpu_ring_emit_fence(ring, ring->fence_drv.gpu_addr, seq, flags | AMDGPU_FENCE_FLAG_INT); pm_runtime_get_noresume(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(1, __func__); ptr = &ring->fence_drv.fences[seq & ring->fence_drv.num_fences_mask]; if (unlikely(rcu_dereference_protected(*ptr, 1))) { struct dma_fence *old; @@ -309,7 +308,6 @@ bool amdgpu_fence_process(struct amdgpu_ring *ring) dma_fence_put(fence); pm_runtime_mark_last_busy(adev_to_drm(adev)->dev); pm_runtime_put_autosuspend(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(0, __func__); } while (last_seq != seq); return true; diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_trace.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_trace.h index 7aafeb763e5d..383fce40d4dd 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_trace.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_trace.h @@ -554,21 +554,6 @@ TRACE_EVENT(amdgpu_reset_reg_dumps, __entry->value) ); -TRACE_EVENT(amdgpu_runpm_reference_dumps, - TP_PROTO(uint32_t index, const char *func), - TP_ARGS(index, func), - TP_STRUCT__entry( - __field(uint32_t, index) - __string(func, func) - ), - TP_fast_assign( - __entry->index = index; - __assign_str(func); - ), - TP_printk("amdgpu runpm reference dump 0x%x: 0x%s\n", - __entry->index, - __get_str(func)) -); #undef AMDGPU_JOB_GET_TIMELINE_NAME #endif

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu: revert "take runtime pm reference when we attach" failed to apply to 6.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.9.y git checkout FETCH_HEAD git cherry-pick -x 8bd82363e2ee2eb3a9a8ea1fa94ebe1900d05a71 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062432-cinch-refining-262b@gregkh' --subject-prefix 'PATCH 6.9.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8bd82363e2ee2eb3a9a8ea1fa94ebe1900d05a71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig(a)amd.com> Date: Wed, 5 Jun 2024 13:27:20 +0200 Subject: [PATCH] drm/amdgpu: revert "take runtime pm reference when we attach a buffer" v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit b8c415e3bf98 ("drm/amdgpu: take runtime pm reference when we attach a buffer") and commit 425285d39afd ("drm/amdgpu: add amdgpu runpm usage trace for separate funcs"). Taking a runtime pm reference for DMA-buf is actually completely unnecessary and even dangerous. The problem is that calling pm_runtime_get_sync() from the DMA-buf callbacks is illegal because we have the reservation locked here which is also taken during resume. So this would deadlock. When the buffer is in GTT it is still accessible even when the GPU is powered down and when it is in VRAM the buffer gets migrated to GTT before powering down. The only use case which would make it mandatory to keep the runtime pm reference would be if we pin the buffer into VRAM, and that's not something we currently do. v2: improve the commit message Signed-off-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> CC: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c index 055ba2ea4c12..662d0f28f358 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c @@ -41,8 +41,6 @@ #include <linux/dma-buf.h> #include <linux/dma-fence-array.h> #include <linux/pci-p2pdma.h> -#include <linux/pm_runtime.h> -#include "amdgpu_trace.h" /** * amdgpu_dma_buf_attach - &dma_buf_ops.attach implementation @@ -58,42 +56,11 @@ static int amdgpu_dma_buf_attach(struct dma_buf *dmabuf, struct drm_gem_object *obj = dmabuf->priv; struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj); struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev); - int r; if (pci_p2pdma_distance(adev->pdev, attach->dev, false) < 0) attach->peer2peer = false; - r = pm_runtime_get_sync(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(1, __func__); - if (r < 0) - goto out; - return 0; - -out: - pm_runtime_put_autosuspend(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(0, __func__); - return r; -} - -/** - * amdgpu_dma_buf_detach - &dma_buf_ops.detach implementation - * - * @dmabuf: DMA-buf where we remove the attachment from - * @attach: the attachment to remove - * - * Called when an attachment is removed from the DMA-buf. - */ -static void amdgpu_dma_buf_detach(struct dma_buf *dmabuf, - struct dma_buf_attachment *attach) -{ - struct drm_gem_object *obj = dmabuf->priv; - struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj); - struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev); - - pm_runtime_mark_last_busy(adev_to_drm(adev)->dev); - pm_runtime_put_autosuspend(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(0, __func__); } /** @@ -267,7 +234,6 @@ static int amdgpu_dma_buf_begin_cpu_access(struct dma_buf *dma_buf, const struct dma_buf_ops amdgpu_dmabuf_ops = { .attach = amdgpu_dma_buf_attach, - .detach = amdgpu_dma_buf_detach, .pin = amdgpu_dma_buf_pin, .unpin = amdgpu_dma_buf_unpin, .map_dma_buf = amdgpu_dma_buf_map, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c index 10832b470448..bc3ac73b6b8d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c @@ -181,7 +181,6 @@ int amdgpu_fence_emit(struct amdgpu_ring *ring, struct dma_fence **f, struct amd amdgpu_ring_emit_fence(ring, ring->fence_drv.gpu_addr, seq, flags | AMDGPU_FENCE_FLAG_INT); pm_runtime_get_noresume(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(1, __func__); ptr = &ring->fence_drv.fences[seq & ring->fence_drv.num_fences_mask]; if (unlikely(rcu_dereference_protected(*ptr, 1))) { struct dma_fence *old; @@ -309,7 +308,6 @@ bool amdgpu_fence_process(struct amdgpu_ring *ring) dma_fence_put(fence); pm_runtime_mark_last_busy(adev_to_drm(adev)->dev); pm_runtime_put_autosuspend(adev_to_drm(adev)->dev); - trace_amdgpu_runpm_reference_dumps(0, __func__); } while (last_seq != seq); return true; diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_trace.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_trace.h index 7aafeb763e5d..383fce40d4dd 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_trace.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_trace.h @@ -554,21 +554,6 @@ TRACE_EVENT(amdgpu_reset_reg_dumps, __entry->value) ); -TRACE_EVENT(amdgpu_runpm_reference_dumps, - TP_PROTO(uint32_t index, const char *func), - TP_ARGS(index, func), - TP_STRUCT__entry( - __field(uint32_t, index) - __string(func, func) - ), - TP_fast_assign( - __entry->index = index; - __assign_str(func); - ), - TP_printk("amdgpu runpm reference dump 0x%x: 0x%s\n", - __entry->index, - __get_str(func)) -); #undef AMDGPU_JOB_GET_TIMELINE_NAME #endif

1 year, 2 months

1
0
0 0

[PATCH v3] tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()

by yskelg＠gmail.com

From: Yunseong Kim <yskelg(a)gmail.com> In the TRACE_EVENT(qdisc_reset) NULL dereference occurred from qdisc->dev_queue->dev <NULL> ->name This situation simulated from bunch of veths and Bluetooth dis/reconnection. During qdisc initialization, qdisc was being set to noop_queue. In veth_init_queue, the initial tx_num was reduced back to one, causing the qdisc reset to be called with noop, which led to the kernel panic. I've attached the GitHub gist link that C converted syz-execprogram source code and 3 log of reproduced vmcore-dmesg. https://gist.github.com/yskelg/cc64562873ce249cdd0d5a358b77d740 Yeoreum and I use two fuzzing tool simultaneously. One process with syz-executor : https://github.com/google/syzkaller $ ./syz-execprog -executor=./syz-executor -repeat=1 -sandbox=setuid \ -enable=none -collide=false log1 The other process with perf fuzzer: https://github.com/deater/perf_event_tests/tree/master/fuzzer $ perf_event_tests/fuzzer/perf_fuzzer I think this will happen on the kernel version. Linux kernel version +v6.7.10, +v6.8, +v6.9 and it could happen in v6.10. This occurred from 51270d573a8d. I think this patch is absolutely necessary. Previously, It was showing not intended string value of name. I've reproduced 3 time from my fedora 40 Debug Kernel with any other module or patched. version: 6.10.0-0.rc2.20240608gitdc772f8237f9.29.fc41.aarch64+debug [ 5287.164555] veth0_vlan: left promiscuous mode [ 5287.164929] veth1_macvtap: left promiscuous mode [ 5287.164950] veth0_macvtap: left promiscuous mode [ 5287.164983] veth1_vlan: left promiscuous mode [ 5287.165008] veth0_vlan: left promiscuous mode [ 5287.165450] veth1_macvtap: left promiscuous mode [ 5287.165472] veth0_macvtap: left promiscuous mode [ 5287.165502] veth1_vlan: left promiscuous mode … [ 5297.598240] bridge0: port 2(bridge_slave_1) entered blocking state [ 5297.598262] bridge0: port 2(bridge_slave_1) entered forwarding state [ 5297.598296] bridge0: port 1(bridge_slave_0) entered blocking state [ 5297.598313] bridge0: port 1(bridge_slave_0) entered forwarding state [ 5297.616090] 8021q: adding VLAN 0 to HW filter on device bond0 [ 5297.620405] bridge0: port 1(bridge_slave_0) entered disabled state [ 5297.620730] bridge0: port 2(bridge_slave_1) entered disabled state [ 5297.627247] 8021q: adding VLAN 0 to HW filter on device team0 [ 5297.629636] bridge0: port 1(bridge_slave_0) entered blocking state … [ 5298.002798] bridge_slave_0: left promiscuous mode [ 5298.002869] bridge0: port 1(bridge_slave_0) entered disabled state [ 5298.309444] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 5298.315206] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 5298.320207] bond0 (unregistering): Released all slaves [ 5298.354296] hsr_slave_0: left promiscuous mode [ 5298.360750] hsr_slave_1: left promiscuous mode [ 5298.374889] veth1_macvtap: left promiscuous mode [ 5298.374931] veth0_macvtap: left promiscuous mode [ 5298.374988] veth1_vlan: left promiscuous mode [ 5298.375024] veth0_vlan: left promiscuous mode [ 5299.109741] team0 (unregistering): Port device team_slave_1 removed [ 5299.185870] team0 (unregistering): Port device team_slave_0 removed … [ 5300.155443] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 5300.155724] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 5300.155988] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 …. [ 5301.075531] team0: Port device team_slave_1 added [ 5301.085515] bridge0: port 1(bridge_slave_0) entered blocking state [ 5301.085531] bridge0: port 1(bridge_slave_0) entered disabled state [ 5301.085588] bridge_slave_0: entered allmulticast mode [ 5301.085800] bridge_slave_0: entered promiscuous mode [ 5301.095617] bridge0: port 1(bridge_slave_0) entered blocking state [ 5301.095633] bridge0: port 1(bridge_slave_0) entered disabled state … [ 5301.149734] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 5301.173234] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 5301.180517] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 5301.193481] hsr_slave_0: entered promiscuous mode [ 5301.204425] hsr_slave_1: entered promiscuous mode [ 5301.210172] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 5301.210185] Cannot create hsr debugfs directory [ 5301.224061] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 5301.246901] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 5301.255934] team0: Port device team_slave_0 added [ 5301.256480] team0: Port device team_slave_1 added [ 5301.256948] team0: Port device team_slave_0 added … [ 5301.435928] hsr_slave_0: entered promiscuous mode [ 5301.446029] hsr_slave_1: entered promiscuous mode [ 5301.455872] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 5301.455884] Cannot create hsr debugfs directory [ 5301.502664] hsr_slave_0: entered promiscuous mode [ 5301.513675] hsr_slave_1: entered promiscuous mode [ 5301.526155] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 5301.526164] Cannot create hsr debugfs directory [ 5301.563662] hsr_slave_0: entered promiscuous mode [ 5301.576129] hsr_slave_1: entered promiscuous mode [ 5301.580259] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 5301.580270] Cannot create hsr debugfs directory [ 5301.590269] 8021q: adding VLAN 0 to HW filter on device bond0 [ 5301.595872] KASAN: null-ptr-deref in range [0x0000000000000130-0x0000000000000137] [ 5301.595877] Mem abort info: [ 5301.595881] ESR = 0x0000000096000006 [ 5301.595885] EC = 0x25: DABT (current EL), IL = 32 bits [ 5301.595889] SET = 0, FnV = 0 [ 5301.595893] EA = 0, S1PTW = 0 [ 5301.595896] FSC = 0x06: level 2 translation fault [ 5301.595900] Data abort info: [ 5301.595903] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 [ 5301.595907] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 5301.595911] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 5301.595915] [dfff800000000026] address between user and kernel address ranges [ 5301.595971] Internal error: Oops: 0000000096000006 [#1] SMP … [ 5301.596076] CPU: 2 PID: 102769 Comm: syz-executor.3 Kdump: loaded Tainted: G W ------- --- 6.10.0-0.rc2.20240608gitdc772f8237f9.29.fc41.aarch64+debug #1 [ 5301.596080] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.21805430.BA64.2305221830 05/22/2023 [ 5301.596082] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 5301.596085] pc : strnlen+0x40/0x88 [ 5301.596114] lr : trace_event_get_offsets_qdisc_reset+0x6c/0x2b0 [ 5301.596124] sp : ffff8000beef6b40 [ 5301.596126] x29: ffff8000beef6b40 x28: dfff800000000000 x27: 0000000000000001 [ 5301.596131] x26: 6de1800082c62bd0 x25: 1ffff000110aa9e0 x24: ffff800088554f00 [ 5301.596136] x23: ffff800088554ec0 x22: 0000000000000130 x21: 0000000000000140 [ 5301.596140] x20: dfff800000000000 x19: ffff8000beef6c60 x18: ffff7000115106d8 [ 5301.596143] x17: ffff800121bad000 x16: ffff800080020000 x15: 0000000000000006 [ 5301.596147] x14: 0000000000000002 x13: ffff0001f3ed8d14 x12: ffff700017ddeda5 [ 5301.596151] x11: 1ffff00017ddeda4 x10: ffff700017ddeda4 x9 : ffff800082cc5eec [ 5301.596155] x8 : 0000000000000004 x7 : 00000000f1f1f1f1 x6 : 00000000f2f2f200 [ 5301.596158] x5 : 00000000f3f3f3f3 x4 : ffff700017dded80 x3 : 00000000f204f1f1 [ 5301.596162] x2 : 0000000000000026 x1 : 0000000000000000 x0 : 0000000000000130 [ 5301.596166] Call trace: [ 5301.596175] strnlen+0x40/0x88 [ 5301.596179] trace_event_get_offsets_qdisc_reset+0x6c/0x2b0 [ 5301.596182] perf_trace_qdisc_reset+0xb0/0x538 [ 5301.596184] __traceiter_qdisc_reset+0x68/0xc0 [ 5301.596188] qdisc_reset+0x43c/0x5e8 [ 5301.596190] netif_set_real_num_tx_queues+0x288/0x770 [ 5301.596194] veth_init_queues+0xfc/0x130 [veth] [ 5301.596198] veth_newlink+0x45c/0x850 [veth] [ 5301.596202] rtnl_newlink_create+0x2c8/0x798 [ 5301.596205] __rtnl_newlink+0x92c/0xb60 [ 5301.596208] rtnl_newlink+0xd8/0x130 [ 5301.596211] rtnetlink_rcv_msg+0x2e0/0x890 [ 5301.596214] netlink_rcv_skb+0x1c4/0x380 [ 5301.596225] rtnetlink_rcv+0x20/0x38 [ 5301.596227] netlink_unicast+0x3c8/0x640 [ 5301.596231] netlink_sendmsg+0x658/0xa60 [ 5301.596234] __sock_sendmsg+0xd0/0x180 [ 5301.596243] __sys_sendto+0x1c0/0x280 [ 5301.596246] __arm64_sys_sendto+0xc8/0x150 [ 5301.596249] invoke_syscall+0xdc/0x268 [ 5301.596256] el0_svc_common.constprop.0+0x16c/0x240 [ 5301.596259] do_el0_svc+0x48/0x68 [ 5301.596261] el0_svc+0x50/0x188 [ 5301.596265] el0t_64_sync_handler+0x120/0x130 [ 5301.596268] el0t_64_sync+0x194/0x198 [ 5301.596272] Code: eb15001f 54000120 d343fc02 12000801 (38f46842) [ 5301.596285] SMP: stopping secondary CPUs [ 5301.597053] Starting crashdump kernel... [ 5301.597057] Bye! Yeoreum and I don't know if the patch we wrote will fix the underlying cause, but we think that priority is to prevent kernel panic happening. So, we're sending this patch. Link: https://lore.kernel.org/lkml/20240229143432.273b4871@gandalf.local.home/t/ Fixes: 51270d573a8d ("tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string") Cc: netdev(a)vger.kernel.org Cc: stable(a)vger.kernel.org # +v6.7.10, +v6.8 Signed-off-by: Yunseong Kim <yskelg(a)gmail.com> Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> --- include/trace/events/qdisc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h index f1b5e816e7e5..170b51fbe47a 100644 --- a/include/trace/events/qdisc.h +++ b/include/trace/events/qdisc.h @@ -81,7 +81,7 @@ TRACE_EVENT(qdisc_reset, TP_ARGS(q), TP_STRUCT__entry( - __string( dev, qdisc_dev(q)->name ) + __string(dev, qdisc_dev(q) ? qdisc_dev(q)->name : "noop_queue") __string( kind, q->ops->id ) __field( u32, parent ) __field( u32, handle ) -- 2.45.2

1 year, 2 months

4
7
0 0

[PATCH] ext2: Verify bitmap and itable block numbers before using them

by Jan Kara

Verify bitmap block numbers and inode table blocks are sane before using them for checking bits in the block bitmap. CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext2/balloc.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) I plan to merge this patch through my tree. diff --git a/fs/ext2/balloc.c b/fs/ext2/balloc.c index 1bfd6ab11038..b8cfab8f98b9 100644 --- a/fs/ext2/balloc.c +++ b/fs/ext2/balloc.c @@ -77,26 +77,33 @@ static int ext2_valid_block_bitmap(struct super_block *sb, ext2_grpblk_t next_zero_bit; ext2_fsblk_t bitmap_blk; ext2_fsblk_t group_first_block; + ext2_grpblk_t max_bit; group_first_block = ext2_group_first_block_no(sb, block_group); + max_bit = ext2_group_last_block_no(sb, block_group) - group_first_block; /* check whether block bitmap block number is set */ bitmap_blk = le32_to_cpu(desc->bg_block_bitmap); offset = bitmap_blk - group_first_block; - if (!ext2_test_bit(offset, bh->b_data)) + if (offset < 0 || offset > max_bit || + !ext2_test_bit(offset, bh->b_data)) /* bad block bitmap */ goto err_out; /* check whether the inode bitmap block number is set */ bitmap_blk = le32_to_cpu(desc->bg_inode_bitmap); offset = bitmap_blk - group_first_block; - if (!ext2_test_bit(offset, bh->b_data)) + if (offset < 0 || offset > max_bit || + !ext2_test_bit(offset, bh->b_data)) /* bad block bitmap */ goto err_out; /* check whether the inode table block number is set */ bitmap_blk = le32_to_cpu(desc->bg_inode_table); offset = bitmap_blk - group_first_block; + if (offset < 0 || offset > max_bit || + offset + EXT2_SB(sb)->s_itb_per_group - 1 > max_bit) + goto err_out; next_zero_bit = ext2_find_next_zero_bit(bh->b_data, offset + EXT2_SB(sb)->s_itb_per_group, offset); -- 2.35.3

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] KVM: arm64: Disassociate vcpus from redistributor region on" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062438-dean-sacrifice-9c3b@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8 Mon Sep 17 00:00:00 2001 From: Marc Zyngier <maz(a)kernel.org> Date: Wed, 5 Jun 2024 18:56:37 +0100 Subject: [PATCH] KVM: arm64: Disassociate vcpus from redistributor region on teardown When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu. Fixes: e5a35635464b ("kvm: arm64: vgic-v3: Introduce vgic_v3_free_redist_region()") Reported-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: Oliver Upton <oliver.upton(a)linux.dev> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Link: https://lore.kernel.org/r/20240605175637.1635653-1-maz@kernel.org Cc: stable(a)vger.kernel.org diff --git a/arch/arm64/kvm/vgic/vgic-init.c b/arch/arm64/kvm/vgic/vgic-init.c index 8f5b7a3e7009..7f68cf58b978 100644 --- a/arch/arm64/kvm/vgic/vgic-init.c +++ b/arch/arm64/kvm/vgic/vgic-init.c @@ -391,7 +391,7 @@ static void kvm_vgic_dist_destroy(struct kvm *kvm) if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) { list_for_each_entry_safe(rdreg, next, &dist->rd_regions, list) - vgic_v3_free_redist_region(rdreg); + vgic_v3_free_redist_region(kvm, rdreg); INIT_LIST_HEAD(&dist->rd_regions); } else { dist->vgic_cpu_base = VGIC_ADDR_UNDEF; diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c index a3983a631b5a..9e50928f5d7d 100644 --- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c @@ -919,8 +919,19 @@ static int vgic_v3_alloc_redist_region(struct kvm *kvm, uint32_t index, return ret; } -void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg) +void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg) { + struct kvm_vcpu *vcpu; + unsigned long c; + + lockdep_assert_held(&kvm->arch.config_lock); + + /* Garbage collect the region */ + kvm_for_each_vcpu(c, vcpu, kvm) { + if (vcpu->arch.vgic_cpu.rdreg == rdreg) + vcpu->arch.vgic_cpu.rdreg = NULL; + } + list_del(&rdreg->list); kfree(rdreg); } @@ -945,7 +956,7 @@ int vgic_v3_set_redist_base(struct kvm *kvm, u32 index, u64 addr, u32 count) mutex_lock(&kvm->arch.config_lock); rdreg = vgic_v3_rdist_region_from_index(kvm, index); - vgic_v3_free_redist_region(rdreg); + vgic_v3_free_redist_region(kvm, rdreg); mutex_unlock(&kvm->arch.config_lock); return ret; } diff --git a/arch/arm64/kvm/vgic/vgic.h b/arch/arm64/kvm/vgic/vgic.h index 6106ebd5ba42..03d356a12377 100644 --- a/arch/arm64/kvm/vgic/vgic.h +++ b/arch/arm64/kvm/vgic/vgic.h @@ -316,7 +316,7 @@ vgic_v3_rd_region_size(struct kvm *kvm, struct vgic_redist_region *rdreg) struct vgic_redist_region *vgic_v3_rdist_region_from_index(struct kvm *kvm, u32 index); -void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg); +void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg); bool vgic_v3_rdist_overlap(struct kvm *kvm, gpa_t base, size_t size);

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] KVM: Fix a data race on last_boosted_vcpu in" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 49f683b41f28918df3e51ddc0d928cb2e934ccdb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062422-composer-engaging-202c@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49f683b41f28918df3e51ddc0d928cb2e934ccdb Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 10 May 2024 02:23:52 -0700 Subject: [PATCH] KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000 Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin") Cc: stable(a)vger.kernel.org Signed-off-by: Breno Leitao <leitao(a)debian.org> Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 14841acb8b95..843aa68cbcd0 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -4025,12 +4025,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) { struct kvm *kvm = me->kvm; struct kvm_vcpu *vcpu; - int last_boosted_vcpu = me->kvm->last_boosted_vcpu; + int last_boosted_vcpu; unsigned long i; int yielded = 0; int try = 3; int pass; + last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu); kvm_vcpu_set_in_spin_loop(me, true); /* * We boost the priority of a VCPU that is runnable but not @@ -4068,7 +4069,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) yielded = kvm_vcpu_yield_to(vcpu); if (yielded > 0) { - kvm->last_boosted_vcpu = i; + WRITE_ONCE(kvm->last_boosted_vcpu, i); break; } else if (yielded < 0) { try--;

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] KVM: Fix a data race on last_boosted_vcpu in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 49f683b41f28918df3e51ddc0d928cb2e934ccdb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062420-pendant-avenging-0263@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49f683b41f28918df3e51ddc0d928cb2e934ccdb Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 10 May 2024 02:23:52 -0700 Subject: [PATCH] KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000 Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin") Cc: stable(a)vger.kernel.org Signed-off-by: Breno Leitao <leitao(a)debian.org> Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 14841acb8b95..843aa68cbcd0 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -4025,12 +4025,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) { struct kvm *kvm = me->kvm; struct kvm_vcpu *vcpu; - int last_boosted_vcpu = me->kvm->last_boosted_vcpu; + int last_boosted_vcpu; unsigned long i; int yielded = 0; int try = 3; int pass; + last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu); kvm_vcpu_set_in_spin_loop(me, true); /* * We boost the priority of a VCPU that is runnable but not @@ -4068,7 +4069,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) yielded = kvm_vcpu_yield_to(vcpu); if (yielded > 0) { - kvm->last_boosted_vcpu = i; + WRITE_ONCE(kvm->last_boosted_vcpu, i); break; } else if (yielded < 0) { try--;

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] KVM: Fix a data race on last_boosted_vcpu in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 49f683b41f28918df3e51ddc0d928cb2e934ccdb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062419-goes-tingling-5681@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49f683b41f28918df3e51ddc0d928cb2e934ccdb Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 10 May 2024 02:23:52 -0700 Subject: [PATCH] KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000 Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin") Cc: stable(a)vger.kernel.org Signed-off-by: Breno Leitao <leitao(a)debian.org> Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 14841acb8b95..843aa68cbcd0 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -4025,12 +4025,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) { struct kvm *kvm = me->kvm; struct kvm_vcpu *vcpu; - int last_boosted_vcpu = me->kvm->last_boosted_vcpu; + int last_boosted_vcpu; unsigned long i; int yielded = 0; int try = 3; int pass; + last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu); kvm_vcpu_set_in_spin_loop(me, true); /* * We boost the priority of a VCPU that is runnable but not @@ -4068,7 +4069,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) yielded = kvm_vcpu_yield_to(vcpu); if (yielded > 0) { - kvm->last_boosted_vcpu = i; + WRITE_ONCE(kvm->last_boosted_vcpu, i); break; } else if (yielded < 0) { try--;

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] KVM: Fix a data race on last_boosted_vcpu in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 49f683b41f28918df3e51ddc0d928cb2e934ccdb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062418-emboss-transpose-5310@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49f683b41f28918df3e51ddc0d928cb2e934ccdb Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 10 May 2024 02:23:52 -0700 Subject: [PATCH] KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000 Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin") Cc: stable(a)vger.kernel.org Signed-off-by: Breno Leitao <leitao(a)debian.org> Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 14841acb8b95..843aa68cbcd0 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -4025,12 +4025,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) { struct kvm *kvm = me->kvm; struct kvm_vcpu *vcpu; - int last_boosted_vcpu = me->kvm->last_boosted_vcpu; + int last_boosted_vcpu; unsigned long i; int yielded = 0; int try = 3; int pass; + last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu); kvm_vcpu_set_in_spin_loop(me, true); /* * We boost the priority of a VCPU that is runnable but not @@ -4068,7 +4069,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) yielded = kvm_vcpu_yield_to(vcpu); if (yielded > 0) { - kvm->last_boosted_vcpu = i; + WRITE_ONCE(kvm->last_boosted_vcpu, i); break; } else if (yielded < 0) { try--;

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] LoongArch: KVM: Remove an unneeded semicolon" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x d0a1c07739e1b7f74683fe061545669156d102f2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062452-savage-commotion-3ab2@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d0a1c07739e1b7f74683fe061545669156d102f2 Mon Sep 17 00:00:00 2001 From: Yang Li <yang.lee(a)linux.alibaba.com> Date: Fri, 21 Jun 2024 10:18:40 +0800 Subject: [PATCH] LoongArch: KVM: Remove an unneeded semicolon Remove an unneeded semicolon to avoid build warnings: ./arch/loongarch/kvm/exit.c:764:2-3: Unneeded semicolon Cc: stable(a)vger.kernel.org Reported-by: Abaci Robot <abaci(a)linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=9343 Signed-off-by: Yang Li <yang.lee(a)linux.alibaba.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> diff --git a/arch/loongarch/kvm/exit.c b/arch/loongarch/kvm/exit.c index c86e099af5ca..a68573e091c0 100644 --- a/arch/loongarch/kvm/exit.c +++ b/arch/loongarch/kvm/exit.c @@ -761,7 +761,7 @@ static void kvm_handle_service(struct kvm_vcpu *vcpu) default: ret = KVM_HCALL_INVALID_CODE; break; - }; + } kvm_write_reg(vcpu, LOONGARCH_GPR_A0, ret); }

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] LoongArch: KVM: Remove an unneeded semicolon" failed to apply to 6.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.9.y git checkout FETCH_HEAD git cherry-pick -x d0a1c07739e1b7f74683fe061545669156d102f2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062451-unsalted-unvalued-9498@gregkh' --subject-prefix 'PATCH 6.9.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d0a1c07739e1b7f74683fe061545669156d102f2 Mon Sep 17 00:00:00 2001 From: Yang Li <yang.lee(a)linux.alibaba.com> Date: Fri, 21 Jun 2024 10:18:40 +0800 Subject: [PATCH] LoongArch: KVM: Remove an unneeded semicolon Remove an unneeded semicolon to avoid build warnings: ./arch/loongarch/kvm/exit.c:764:2-3: Unneeded semicolon Cc: stable(a)vger.kernel.org Reported-by: Abaci Robot <abaci(a)linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=9343 Signed-off-by: Yang Li <yang.lee(a)linux.alibaba.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> diff --git a/arch/loongarch/kvm/exit.c b/arch/loongarch/kvm/exit.c index c86e099af5ca..a68573e091c0 100644 --- a/arch/loongarch/kvm/exit.c +++ b/arch/loongarch/kvm/exit.c @@ -761,7 +761,7 @@ static void kvm_handle_service(struct kvm_vcpu *vcpu) default: ret = KVM_HCALL_INVALID_CODE; break; - }; + } kvm_write_reg(vcpu, LOONGARCH_GPR_A0, ret); }

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] cifs: drop the incorrect assertion in cifs_swap_rw()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 29433a17a79caa8680b9c0761f2b10502fda9ce3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062429-swinging-gully-4fc8@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 29433a17a79caa8680b9c0761f2b10502fda9ce3 Mon Sep 17 00:00:00 2001 From: Barry Song <baohua(a)kernel.org> Date: Tue, 18 Jun 2024 19:22:58 +1200 Subject: [PATCH] cifs: drop the incorrect assertion in cifs_swap_rw() Since commit 2282679fb20b ("mm: submit multipage write for SWP_FS_OPS swap-space"), we can plug multiple pages then unplug them all together. That means iov_iter_count(iter) could be way bigger than PAGE_SIZE, it actually equals the size of iov_iter_npages(iter, INT_MAX). Note this issue has nothing to do with large folios as we don't support THP_SWPOUT to non-block devices. Fixes: 2282679fb20b ("mm: submit multipage write for SWP_FS_OPS swap-space") Reported-by: Christoph Hellwig <hch(a)lst.de> Closes: https://lore.kernel.org/linux-mm/20240614100329.1203579-1-hch@lst.de/ Cc: NeilBrown <neilb(a)suse.de> Cc: Anna Schumaker <anna(a)kernel.org> Cc: Steve French <sfrench(a)samba.org> Cc: Trond Myklebust <trondmy(a)kernel.org> Cc: Chuanhua Han <hanchuanhua(a)oppo.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Jeff Layton <jlayton(a)kernel.org> Cc: Paulo Alcantara <pc(a)manguebit.com> Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com> Cc: Shyam Prasad N <sprasad(a)microsoft.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: Bharath SM <bharathsm(a)microsoft.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c index 9d5c2440abfc..1e269e0bc75b 100644 --- a/fs/smb/client/file.c +++ b/fs/smb/client/file.c @@ -3200,8 +3200,6 @@ static int cifs_swap_rw(struct kiocb *iocb, struct iov_iter *iter) { ssize_t ret; - WARN_ON_ONCE(iov_iter_count(iter) != PAGE_SIZE); - if (iov_iter_rw(iter) == READ) ret = netfs_unbuffered_read_iter_locked(iocb, iter); else

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] cifs: drop the incorrect assertion in cifs_swap_rw()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 29433a17a79caa8680b9c0761f2b10502fda9ce3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062428-juggle-shrine-cd22@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 29433a17a79caa8680b9c0761f2b10502fda9ce3 Mon Sep 17 00:00:00 2001 From: Barry Song <baohua(a)kernel.org> Date: Tue, 18 Jun 2024 19:22:58 +1200 Subject: [PATCH] cifs: drop the incorrect assertion in cifs_swap_rw() Since commit 2282679fb20b ("mm: submit multipage write for SWP_FS_OPS swap-space"), we can plug multiple pages then unplug them all together. That means iov_iter_count(iter) could be way bigger than PAGE_SIZE, it actually equals the size of iov_iter_npages(iter, INT_MAX). Note this issue has nothing to do with large folios as we don't support THP_SWPOUT to non-block devices. Fixes: 2282679fb20b ("mm: submit multipage write for SWP_FS_OPS swap-space") Reported-by: Christoph Hellwig <hch(a)lst.de> Closes: https://lore.kernel.org/linux-mm/20240614100329.1203579-1-hch@lst.de/ Cc: NeilBrown <neilb(a)suse.de> Cc: Anna Schumaker <anna(a)kernel.org> Cc: Steve French <sfrench(a)samba.org> Cc: Trond Myklebust <trondmy(a)kernel.org> Cc: Chuanhua Han <hanchuanhua(a)oppo.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Jeff Layton <jlayton(a)kernel.org> Cc: Paulo Alcantara <pc(a)manguebit.com> Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com> Cc: Shyam Prasad N <sprasad(a)microsoft.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: Bharath SM <bharathsm(a)microsoft.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c index 9d5c2440abfc..1e269e0bc75b 100644 --- a/fs/smb/client/file.c +++ b/fs/smb/client/file.c @@ -3200,8 +3200,6 @@ static int cifs_swap_rw(struct kiocb *iocb, struct iov_iter *iter) { ssize_t ret; - WARN_ON_ONCE(iov_iter_count(iter) != PAGE_SIZE); - if (iov_iter_rw(iter) == READ) ret = netfs_unbuffered_read_iter_locked(iocb, iter); else

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] cifs: drop the incorrect assertion in cifs_swap_rw()" failed to apply to 6.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.9.y git checkout FETCH_HEAD git cherry-pick -x 29433a17a79caa8680b9c0761f2b10502fda9ce3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062428-captivate-grasp-a4cf@gregkh' --subject-prefix 'PATCH 6.9.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 29433a17a79caa8680b9c0761f2b10502fda9ce3 Mon Sep 17 00:00:00 2001 From: Barry Song <baohua(a)kernel.org> Date: Tue, 18 Jun 2024 19:22:58 +1200 Subject: [PATCH] cifs: drop the incorrect assertion in cifs_swap_rw() Since commit 2282679fb20b ("mm: submit multipage write for SWP_FS_OPS swap-space"), we can plug multiple pages then unplug them all together. That means iov_iter_count(iter) could be way bigger than PAGE_SIZE, it actually equals the size of iov_iter_npages(iter, INT_MAX). Note this issue has nothing to do with large folios as we don't support THP_SWPOUT to non-block devices. Fixes: 2282679fb20b ("mm: submit multipage write for SWP_FS_OPS swap-space") Reported-by: Christoph Hellwig <hch(a)lst.de> Closes: https://lore.kernel.org/linux-mm/20240614100329.1203579-1-hch@lst.de/ Cc: NeilBrown <neilb(a)suse.de> Cc: Anna Schumaker <anna(a)kernel.org> Cc: Steve French <sfrench(a)samba.org> Cc: Trond Myklebust <trondmy(a)kernel.org> Cc: Chuanhua Han <hanchuanhua(a)oppo.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Jeff Layton <jlayton(a)kernel.org> Cc: Paulo Alcantara <pc(a)manguebit.com> Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com> Cc: Shyam Prasad N <sprasad(a)microsoft.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: Bharath SM <bharathsm(a)microsoft.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c index 9d5c2440abfc..1e269e0bc75b 100644 --- a/fs/smb/client/file.c +++ b/fs/smb/client/file.c @@ -3200,8 +3200,6 @@ static int cifs_swap_rw(struct kiocb *iocb, struct iov_iter *iter) { ssize_t ret; - WARN_ON_ONCE(iov_iter_count(iter) != PAGE_SIZE); - if (iov_iter_rw(iter) == READ) ret = netfs_unbuffered_read_iter_locked(iocb, iter); else

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] cifs: fix typo in module parameter enable_gcm_256" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 8bf0287528da1992c5e49d757b99ad6bbc34b522 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062411-ipad-conical-35fb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8bf0287528da1992c5e49d757b99ad6bbc34b522 Mon Sep 17 00:00:00 2001 From: Steve French <stfrench(a)microsoft.com> Date: Wed, 19 Jun 2024 14:46:48 -0500 Subject: [PATCH] cifs: fix typo in module parameter enable_gcm_256 enable_gcm_256 (which allows the server to require the strongest encryption) is enabled by default, but the modinfo description incorrectly showed it disabled by default. Fix the typo. Cc: stable(a)vger.kernel.org Fixes: fee742b50289 ("smb3.1.1: enable negotiating stronger encryption by default") Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c index bb86fc0641d8..6397fdefd876 100644 --- a/fs/smb/client/cifsfs.c +++ b/fs/smb/client/cifsfs.c @@ -134,7 +134,7 @@ module_param(enable_oplocks, bool, 0644); MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1"); module_param(enable_gcm_256, bool, 0644); -MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: n/N/0"); +MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0"); module_param(require_gcm_256, bool, 0644); MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] net: stmmac: Assign configured channel value to EXTTS event" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 8851346912a1fa33e7a5966fe51f07313b274627 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024062402-reabsorb-plausible-88b5@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 8851346912a1 ("net: stmmac: Assign configured channel value to EXTTS event") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8851346912a1fa33e7a5966fe51f07313b274627 Mon Sep 17 00:00:00 2001 From: Oleksij Rempel <o.rempel(a)pengutronix.de> Date: Tue, 18 Jun 2024 09:38:21 +0200 Subject: [PATCH] net: stmmac: Assign configured channel value to EXTTS event Assign the configured channel value to the EXTTS event in the timestamp interrupt handler. Without assigning the correct channel, applications like ts2phc will refuse to accept the event, resulting in errors such as: ... ts2phc[656.834]: config item end1.ts2phc.pin_index is 0 ts2phc[656.834]: config item end1.ts2phc.channel is 3 ts2phc[656.834]: config item end1.ts2phc.extts_polarity is 2 ts2phc[656.834]: config item end1.ts2phc.extts_correction is 0 ... ts2phc[656.862]: extts on unexpected channel ts2phc[658.141]: extts on unexpected channel ts2phc[659.140]: extts on unexpected channel Fixes: f4da56529da60 ("net: stmmac: Add support for external trigger timestamping") Cc: stable(a)vger.kernel.org Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Reviewed-by: Wojciech Drewek <wojciech.drewek(a)intel.com> Link: https://lore.kernel.org/r/20240618073821.619751-1-o.rempel@pengutronix.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c index f05bd757dfe5..5ef52ef2698f 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c @@ -218,6 +218,7 @@ static void timestamp_interrupt(struct stmmac_priv *priv) { u32 num_snapshot, ts_status, tsync_int; struct ptp_clock_event event; + u32 acr_value, channel; unsigned long flags; u64 ptp_time; int i; @@ -243,12 +244,15 @@ static void timestamp_interrupt(struct stmmac_priv *priv) num_snapshot = (ts_status & GMAC_TIMESTAMP_ATSNS_MASK) >> GMAC_TIMESTAMP_ATSNS_SHIFT; + acr_value = readl(priv->ptpaddr + PTP_ACR); + channel = ilog2(FIELD_GET(PTP_ACR_MASK, acr_value)); + for (i = 0; i < num_snapshot; i++) { read_lock_irqsave(&priv->ptp_lock, flags); get_ptptime(priv->ptpaddr, &ptp_time); read_unlock_irqrestore(&priv->ptp_lock, flags); event.type = PTP_CLOCK_EXTTS; - event.index = 0; + event.index = channel; event.timestamp = ptp_time; ptp_clock_event(priv->ptp_clock, &event); }

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] locking/atomic: scripts: fix ${atomic}_sub_and_test()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f92a59f6d12e31ead999fee9585471b95a8ae8a3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061810-overflow-president-399a@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: f92a59f6d12e ("locking/atomic: scripts: fix ${atomic}_sub_and_test() kerneldoc") 6dfee110c6cc ("locking/atomic: scripts: Clarify ordering of conditional atomics") e01cc1e8c2ad ("locking/atomic: Add generic support for sync_try_cmpxchg() and its fallback") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f92a59f6d12e31ead999fee9585471b95a8ae8a3 Mon Sep 17 00:00:00 2001 From: Carlos Llamas <cmllamas(a)google.com> Date: Wed, 15 May 2024 13:37:10 +0000 Subject: [PATCH] locking/atomic: scripts: fix ${atomic}_sub_and_test() kerneldoc For ${atomic}_sub_and_test() the @i parameter is the value to subtract, not add. Fix the typo in the kerneldoc template and generate the headers with this update. Fixes: ad8110706f38 ("locking/atomic: scripts: generate kerneldoc comments") Suggested-by: Mark Rutland <mark.rutland(a)arm.com> Signed-off-by: Carlos Llamas <cmllamas(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Acked-by: Mark Rutland <mark.rutland(a)arm.com> Reviewed-by: Kees Cook <keescook(a)chromium.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20240515133844.3502360-1-cmllamas@google.com diff --git a/include/linux/atomic/atomic-arch-fallback.h b/include/linux/atomic/atomic-arch-fallback.h index 956bcba5dbf2..2f9d36b72bd8 100644 --- a/include/linux/atomic/atomic-arch-fallback.h +++ b/include/linux/atomic/atomic-arch-fallback.h @@ -2242,7 +2242,7 @@ raw_atomic_try_cmpxchg_relaxed(atomic_t *v, int *old, int new) /** * raw_atomic_sub_and_test() - atomic subtract and test if zero with full ordering - * @i: int value to add + * @i: int value to subtract * @v: pointer to atomic_t * * Atomically updates @v to (@v - @i) with full ordering. @@ -4368,7 +4368,7 @@ raw_atomic64_try_cmpxchg_relaxed(atomic64_t *v, s64 *old, s64 new) /** * raw_atomic64_sub_and_test() - atomic subtract and test if zero with full ordering - * @i: s64 value to add + * @i: s64 value to subtract * @v: pointer to atomic64_t * * Atomically updates @v to (@v - @i) with full ordering. @@ -4690,4 +4690,4 @@ raw_atomic64_dec_if_positive(atomic64_t *v) } #endif /* _LINUX_ATOMIC_FALLBACK_H */ -// 14850c0b0db20c62fdc78ccd1d42b98b88d76331 +// b565db590afeeff0d7c9485ccbca5bb6e155749f diff --git a/include/linux/atomic/atomic-instrumented.h b/include/linux/atomic/atomic-instrumented.h index debd487fe971..9409a6ddf3e0 100644 --- a/include/linux/atomic/atomic-instrumented.h +++ b/include/linux/atomic/atomic-instrumented.h @@ -1349,7 +1349,7 @@ atomic_try_cmpxchg_relaxed(atomic_t *v, int *old, int new) /** * atomic_sub_and_test() - atomic subtract and test if zero with full ordering - * @i: int value to add + * @i: int value to subtract * @v: pointer to atomic_t * * Atomically updates @v to (@v - @i) with full ordering. @@ -2927,7 +2927,7 @@ atomic64_try_cmpxchg_relaxed(atomic64_t *v, s64 *old, s64 new) /** * atomic64_sub_and_test() - atomic subtract and test if zero with full ordering - * @i: s64 value to add + * @i: s64 value to subtract * @v: pointer to atomic64_t * * Atomically updates @v to (@v - @i) with full ordering. @@ -4505,7 +4505,7 @@ atomic_long_try_cmpxchg_relaxed(atomic_long_t *v, long *old, long new) /** * atomic_long_sub_and_test() - atomic subtract and test if zero with full ordering - * @i: long value to add + * @i: long value to subtract * @v: pointer to atomic_long_t * * Atomically updates @v to (@v - @i) with full ordering. @@ -5050,4 +5050,4 @@ atomic_long_dec_if_positive(atomic_long_t *v) #endif /* _LINUX_ATOMIC_INSTRUMENTED_H */ -// ce5b65e0f1f8a276268b667194581d24bed219d4 +// 8829b337928e9508259079d32581775ececd415b diff --git a/include/linux/atomic/atomic-long.h b/include/linux/atomic/atomic-long.h index 3ef844b3ab8a..f86b29d90877 100644 --- a/include/linux/atomic/atomic-long.h +++ b/include/linux/atomic/atomic-long.h @@ -1535,7 +1535,7 @@ raw_atomic_long_try_cmpxchg_relaxed(atomic_long_t *v, long *old, long new) /** * raw_atomic_long_sub_and_test() - atomic subtract and test if zero with full ordering - * @i: long value to add + * @i: long value to subtract * @v: pointer to atomic_long_t * * Atomically updates @v to (@v - @i) with full ordering. @@ -1809,4 +1809,4 @@ raw_atomic_long_dec_if_positive(atomic_long_t *v) } #endif /* _LINUX_ATOMIC_LONG_H */ -// 1c4a26fc77f345342953770ebe3c4d08e7ce2f9a +// eadf183c3600b8b92b91839dd3be6bcc560c752d diff --git a/scripts/atomic/kerneldoc/sub_and_test b/scripts/atomic/kerneldoc/sub_and_test index d3760f7749d4..96615e50836b 100644 --- a/scripts/atomic/kerneldoc/sub_and_test +++ b/scripts/atomic/kerneldoc/sub_and_test @@ -1,7 +1,7 @@ cat <<EOF /** * ${class}${atomicname}() - atomic subtract and test if zero with ${desc_order} ordering - * @i: ${int} value to add + * @i: ${int} value to subtract * @v: pointer to ${atomic}_t * * Atomically updates @v to (@v - @i) with ${desc_order} ordering.

1 year, 2 months

3
2
0 0

[PATCH 5.15] serial: stm32: rework RX over DMA

by Dario Binacchi

From: Erwan Le Ray <erwan.leray(a)foss.st.com> commit 33bb2f6ac3088936b7aad3cab6f439f91af0223c upstream. This patch reworks RX support over DMA to improve reliability: - change dma buffer cyclic configuration by using 2 periods. DMA buffer data are handled by a flip-flop between the 2 periods in order to avoid risk of data loss/corruption - change the size of dma buffer to 4096 to limit overruns - add rx errors management (breaks, parity, framing and overrun). When an error occurs on the uart line, the dma request line is masked at HW level. The SW must 1st clear DMAR (dma request line enable), to handle the error, then re-enable DMAR to recover. So, any correct data is taken from the DMA buffer, before handling the error itself. Then errors are handled from RDR/ISR/FIFO (e.g. in PIO mode). Last, DMA reception is resumed. - add a condition on DMA request line in DMA RX routines in order to switch to PIO mode when no DMA request line is disabled, even if the DMA channel is still enabled. When the UART is wakeup source and is configured to use DMA for RX, any incoming data that wakes up the system isn't correctly received. At data reception, the irq_handler handles the WUF irq, and then the data reception over DMA. As the DMA transfer has been terminated at suspend, and will be restored by resume callback (which has no yet been called by system), the data can't be received. The wake-up data has to be handled in PIO mode while suspend callback has not been called. Signed-off-by: Valentin Caron <valentin.caron(a)foss.st.com> Signed-off-by: Erwan Le Ray <erwan.leray(a)foss.st.com> Link: https://lore.kernel.org/r/20211020150332.10214-3-erwan.leray@foss.st.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [ dario: fix conflicts for backport to v5.15. From the [1] series, only the first patch was applied to the v5.15 branch. This caused a regression in character reception, which can be fixed by applying the second patch. The patch has been tested on the stm32f469-disco board. [1] https://lore.kernel.org/all/20211020150332.10214-1-erwan.leray@foss.st.com/. ] Signed-off-by: Dario Binacchi <dario.binacchi(a)amarulasolutions.com> --- drivers/tty/serial/stm32-usart.c | 206 ++++++++++++++++++++++++------- drivers/tty/serial/stm32-usart.h | 12 +- 2 files changed, 165 insertions(+), 53 deletions(-) diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c index 3b7d4481edbe..c20f8917ebff 100644 --- a/drivers/tty/serial/stm32-usart.c +++ b/drivers/tty/serial/stm32-usart.c @@ -220,66 +220,60 @@ static int stm32_usart_init_rs485(struct uart_port *port, return uart_get_rs485_mode(port); } -static int stm32_usart_pending_rx(struct uart_port *port, u32 *sr, - int *last_res, bool threaded) +static bool stm32_usart_rx_dma_enabled(struct uart_port *port) { struct stm32_port *stm32_port = to_stm32_port(port); const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs; - enum dma_status status; - struct dma_tx_state state; - *sr = readl_relaxed(port->membase + ofs->isr); + if (!stm32_port->rx_ch) + return false; - if (threaded && stm32_port->rx_ch) { - status = dmaengine_tx_status(stm32_port->rx_ch, - stm32_port->rx_ch->cookie, - &state); - if (status == DMA_IN_PROGRESS && (*last_res != state.residue)) - return 1; - else - return 0; - } else if (*sr & USART_SR_RXNE) { - return 1; + return !!(readl_relaxed(port->membase + ofs->cr3) & USART_CR3_DMAR); +} + +/* Return true when data is pending (in pio mode), and false when no data is pending. */ +static bool stm32_usart_pending_rx_pio(struct uart_port *port, u32 *sr) +{ + struct stm32_port *stm32_port = to_stm32_port(port); + const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs; + + *sr = readl_relaxed(port->membase + ofs->isr); + /* Get pending characters in RDR or FIFO */ + if (*sr & USART_SR_RXNE) { + /* Get all pending characters from the RDR or the FIFO when using interrupts */ + if (!stm32_usart_rx_dma_enabled(port)) + return true; + + /* Handle only RX data errors when using DMA */ + if (*sr & USART_SR_ERR_MASK) + return true; } - return 0; + + return false; } -static unsigned long stm32_usart_get_char(struct uart_port *port, u32 *sr, - int *last_res) +static unsigned long stm32_usart_get_char_pio(struct uart_port *port) { struct stm32_port *stm32_port = to_stm32_port(port); const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs; unsigned long c; - if (stm32_port->rx_ch) { - c = stm32_port->rx_buf[RX_BUF_L - (*last_res)--]; - if ((*last_res) == 0) - *last_res = RX_BUF_L; - } else { - c = readl_relaxed(port->membase + ofs->rdr); - /* apply RDR data mask */ - c &= stm32_port->rdr_mask; - } + c = readl_relaxed(port->membase + ofs->rdr); + /* Apply RDR data mask */ + c &= stm32_port->rdr_mask; return c; } -static void stm32_usart_receive_chars(struct uart_port *port, bool irqflag) +static void stm32_usart_receive_chars_pio(struct uart_port *port) { - struct tty_port *tport = &port->state->port; struct stm32_port *stm32_port = to_stm32_port(port); const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs; - unsigned long c, flags; + unsigned long c; u32 sr; char flag; - if (irqflag) - spin_lock_irqsave(&port->lock, flags); - else - spin_lock(&port->lock); - - while (stm32_usart_pending_rx(port, &sr, &stm32_port->last_res, - irqflag)) { + while (stm32_usart_pending_rx_pio(port, &sr)) { sr |= USART_SR_DUMMY_RX; flag = TTY_NORMAL; @@ -298,7 +292,7 @@ static void stm32_usart_receive_chars(struct uart_port *port, bool irqflag) writel_relaxed(sr & USART_SR_ERR_MASK, port->membase + ofs->icr); - c = stm32_usart_get_char(port, &sr, &stm32_port->last_res); + c = stm32_usart_get_char_pio(port); port->icount.rx++; if (sr & USART_SR_ERR_MASK) { if (sr & USART_SR_ORE) { @@ -332,6 +326,94 @@ static void stm32_usart_receive_chars(struct uart_port *port, bool irqflag) continue; uart_insert_char(port, sr, USART_SR_ORE, c, flag); } +} + +static void stm32_usart_push_buffer_dma(struct uart_port *port, unsigned int dma_size) +{ + struct stm32_port *stm32_port = to_stm32_port(port); + struct tty_port *ttyport = &stm32_port->port.state->port; + unsigned char *dma_start; + int dma_count, i; + + dma_start = stm32_port->rx_buf + (RX_BUF_L - stm32_port->last_res); + + /* + * Apply rdr_mask on buffer in order to mask parity bit. + * This loop is useless in cs8 mode because DMA copies only + * 8 bits and already ignores parity bit. + */ + if (!(stm32_port->rdr_mask == (BIT(8) - 1))) + for (i = 0; i < dma_size; i++) + *(dma_start + i) &= stm32_port->rdr_mask; + + dma_count = tty_insert_flip_string(ttyport, dma_start, dma_size); + port->icount.rx += dma_count; + if (dma_count != dma_size) + port->icount.buf_overrun++; + stm32_port->last_res -= dma_count; + if (stm32_port->last_res == 0) + stm32_port->last_res = RX_BUF_L; +} + +static void stm32_usart_receive_chars_dma(struct uart_port *port) +{ + struct stm32_port *stm32_port = to_stm32_port(port); + unsigned int dma_size; + + /* DMA buffer is configured in cyclic mode and handles the rollback of the buffer. */ + if (stm32_port->rx_dma_state.residue > stm32_port->last_res) { + /* Conditional first part: from last_res to end of DMA buffer */ + dma_size = stm32_port->last_res; + stm32_usart_push_buffer_dma(port, dma_size); + } + + dma_size = stm32_port->last_res - stm32_port->rx_dma_state.residue; + stm32_usart_push_buffer_dma(port, dma_size); +} + +static void stm32_usart_receive_chars(struct uart_port *port, bool irqflag) +{ + struct tty_port *tport = &port->state->port; + struct stm32_port *stm32_port = to_stm32_port(port); + const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs; + enum dma_status rx_dma_status; + unsigned long flags; + u32 sr; + + if (irqflag) + spin_lock_irqsave(&port->lock, flags); + else + spin_lock(&port->lock); + + if (stm32_usart_rx_dma_enabled(port)) { + rx_dma_status = dmaengine_tx_status(stm32_port->rx_ch, + stm32_port->rx_ch->cookie, + &stm32_port->rx_dma_state); + if (rx_dma_status == DMA_IN_PROGRESS) { + /* Empty DMA buffer */ + stm32_usart_receive_chars_dma(port); + sr = readl_relaxed(port->membase + ofs->isr); + if (sr & USART_SR_ERR_MASK) { + /* Disable DMA request line */ + stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DMAR); + + /* Switch to PIO mode to handle the errors */ + stm32_usart_receive_chars_pio(port); + + /* Switch back to DMA mode */ + stm32_usart_set_bits(port, ofs->cr3, USART_CR3_DMAR); + } + } else { + /* Disable RX DMA */ + dmaengine_terminate_async(stm32_port->rx_ch); + stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DMAR); + /* Fall back to interrupt mode */ + dev_dbg(port->dev, "DMA error, fallback to irq mode\n"); + stm32_usart_receive_chars_pio(port); + } + } else { + stm32_usart_receive_chars_pio(port); + } if (irqflag) uart_unlock_and_check_sysrq_irqrestore(port, irqflag); @@ -373,6 +455,13 @@ static void stm32_usart_tx_interrupt_enable(struct uart_port *port) stm32_usart_set_bits(port, ofs->cr1, USART_CR1_TXEIE); } +static void stm32_usart_rx_dma_complete(void *arg) +{ + struct uart_port *port = arg; + + stm32_usart_receive_chars(port, true); +} + static void stm32_usart_tc_interrupt_enable(struct uart_port *port) { struct stm32_port *stm32_port = to_stm32_port(port); @@ -588,7 +677,12 @@ static irqreturn_t stm32_usart_interrupt(int irq, void *ptr) pm_wakeup_event(tport->tty->dev, 0); } - if ((sr & USART_SR_RXNE) && !(stm32_port->rx_ch)) + /* + * rx errors in dma mode has to be handled ASAP to avoid overrun as the DMA request + * line has been masked by HW and rx data are stacking in FIFO. + */ + if (((sr & USART_SR_RXNE) && !stm32_usart_rx_dma_enabled(port)) || + ((sr & USART_SR_ERR_MASK) && stm32_usart_rx_dma_enabled(port))) stm32_usart_receive_chars(port, false); if ((sr & USART_SR_TXE) && !(stm32_port->tx_ch)) { @@ -597,7 +691,7 @@ static irqreturn_t stm32_usart_interrupt(int irq, void *ptr) spin_unlock(&port->lock); } - if (stm32_port->rx_ch) + if (stm32_usart_rx_dma_enabled(port)) return IRQ_WAKE_THREAD; else return IRQ_HANDLED; @@ -903,9 +997,11 @@ static void stm32_usart_set_termios(struct uart_port *port, stm32_port->cr1_irq = USART_CR1_RTOIE; writel_relaxed(bits, port->membase + ofs->rtor); cr2 |= USART_CR2_RTOEN; - /* Not using dma, enable fifo threshold irq */ - if (!stm32_port->rx_ch) - stm32_port->cr3_irq = USART_CR3_RXFTIE; + /* + * Enable fifo threshold irq in two cases, either when there is no DMA, or when + * wake up over usart, from low power until the DMA gets re-enabled by resume. + */ + stm32_port->cr3_irq = USART_CR3_RXFTIE; } cr1 |= stm32_port->cr1_irq; @@ -968,8 +1064,16 @@ static void stm32_usart_set_termios(struct uart_port *port, if ((termios->c_cflag & CREAD) == 0) port->ignore_status_mask |= USART_SR_DUMMY_RX; - if (stm32_port->rx_ch) + if (stm32_port->rx_ch) { + /* + * Setup DMA to collect only valid data and enable error irqs. + * This also enables break reception when using DMA. + */ + cr1 |= USART_CR1_PEIE; + cr3 |= USART_CR3_EIE; cr3 |= USART_CR3_DMAR; + cr3 |= USART_CR3_DDRE; + } if (rs485conf->flags & SER_RS485_ENABLED) { stm32_usart_config_reg_rs485(&cr1, &cr3, @@ -1298,9 +1402,9 @@ static int stm32_usart_of_dma_rx_probe(struct stm32_port *stm32port, return -ENODEV; } - /* No callback as dma buffer is drained on usart interrupt */ - desc->callback = NULL; - desc->callback_param = NULL; + /* Set DMA callback */ + desc->callback = stm32_usart_rx_dma_complete; + desc->callback_param = port; /* Push current DMA transaction in the pending queue */ ret = dma_submit_error(dmaengine_submit(desc)); @@ -1464,6 +1568,7 @@ static int stm32_usart_serial_remove(struct platform_device *pdev) struct stm32_port *stm32_port = to_stm32_port(port); const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs; int err; + u32 cr3; pm_runtime_get_sync(&pdev->dev); err = uart_remove_one_port(&stm32_usart_driver, port); @@ -1474,7 +1579,12 @@ static int stm32_usart_serial_remove(struct platform_device *pdev) pm_runtime_set_suspended(&pdev->dev); pm_runtime_put_noidle(&pdev->dev); - stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DMAR); + stm32_usart_clr_bits(port, ofs->cr1, USART_CR1_PEIE); + cr3 = readl_relaxed(port->membase + ofs->cr3); + cr3 &= ~USART_CR3_EIE; + cr3 &= ~USART_CR3_DMAR; + cr3 &= ~USART_CR3_DDRE; + writel_relaxed(cr3, port->membase + ofs->cr3); if (stm32_port->tx_ch) { stm32_usart_of_dma_tx_remove(stm32_port, pdev); diff --git a/drivers/tty/serial/stm32-usart.h b/drivers/tty/serial/stm32-usart.h index ad6335155de2..852573e1a690 100644 --- a/drivers/tty/serial/stm32-usart.h +++ b/drivers/tty/serial/stm32-usart.h @@ -109,7 +109,7 @@ struct stm32_usart_info stm32h7_info = { /* USART_SR (F4) / USART_ISR (F7) */ #define USART_SR_PE BIT(0) #define USART_SR_FE BIT(1) -#define USART_SR_NF BIT(2) +#define USART_SR_NE BIT(2) /* F7 (NF for F4) */ #define USART_SR_ORE BIT(3) #define USART_SR_IDLE BIT(4) #define USART_SR_RXNE BIT(5) @@ -126,7 +126,8 @@ struct stm32_usart_info stm32h7_info = { #define USART_SR_SBKF BIT(18) /* F7 */ #define USART_SR_WUF BIT(20) /* H7 */ #define USART_SR_TEACK BIT(21) /* F7 */ -#define USART_SR_ERR_MASK (USART_SR_ORE | USART_SR_FE | USART_SR_PE) +#define USART_SR_ERR_MASK (USART_SR_ORE | USART_SR_NE | USART_SR_FE |\ + USART_SR_PE) /* Dummy bits */ #define USART_SR_DUMMY_RX BIT(16) @@ -246,9 +247,9 @@ struct stm32_usart_info stm32h7_info = { #define STM32_SERIAL_NAME "ttySTM" #define STM32_MAX_PORTS 8 -#define RX_BUF_L 200 /* dma rx buffer length */ -#define RX_BUF_P RX_BUF_L /* dma rx buffer period */ -#define TX_BUF_L 200 /* dma tx buffer length */ +#define RX_BUF_L 4096 /* dma rx buffer length */ +#define RX_BUF_P (RX_BUF_L / 2) /* dma rx buffer period */ +#define TX_BUF_L RX_BUF_L /* dma tx buffer length */ struct stm32_port { struct uart_port port; @@ -273,6 +274,7 @@ struct stm32_port { bool wakeup_src; int rdr_mask; /* receive data register mask */ struct mctrl_gpios *gpios; /* modem control gpios */ + struct dma_tx_state rx_dma_state; }; static struct stm32_port stm32_ports[STM32_MAX_PORTS]; -- 2.43.0

1 year, 2 months

2
1
0 0

FAILED: patch "[PATCH] mm: fix race between __split_huge_pmd_locked() and GUP-fast" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061320-handcart-crook-0519@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") 4f83145721f3 ("mm: avoid unnecessary flush on change_huge_pmd()") c9fe66560bf2 ("mm/mprotect: do not flush when not required architecturally") 4a18419f71cd ("mm/mprotect: use mmu_gather") e346e6688c4a ("mm: thp: skip make PMD PROT_NONE if THP migration is not supported") f0953a1bbaca ("mm: fix typos in comments") e2db1a9aa381 ("kasan, mm: optimize kmalloc poisoning") 928501344fc6 ("kasan, mm: don't save alloc stacks twice") 2b8305260fb3 ("kfence, kasan: make KFENCE compatible with KASAN") 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure") 41139aa4c3a3 ("mm/filemap: add mapping_seek_hole_data") a1ba9da8f0f9 ("mm/hugetlb.c: fix unnecessary address expansion of pmd sharing") 611806b4bf8d ("kasan: fix bug detection via ksize for HW_TAGS mode") 027b37b552f3 ("kasan: move _RET_IP_ to inline wrappers") 573a48092313 ("kasan: add match-all tag tests") f00748bfa024 ("kasan: prefix global functions with kasan_") dbf53f7597be ("mm/mprotect.c: optimize error detection in do_mprotect_pkey()") 96667f8a4382 ("mm: Close race in generic_access_phys") 97593cad003c ("kasan: sanitize objects when metadata doesn't fit") 1ef3133bd3b8 ("kasan: simplify assign_tag and set_tag calls") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 Mon Sep 17 00:00:00 2001 From: Ryan Roberts <ryan.roberts(a)arm.com> Date: Wed, 1 May 2024 15:33:10 +0100 Subject: [PATCH] mm: fix race between __split_huge_pmd_locked() and GUP-fast __split_huge_pmd_locked() can be called for a present THP, devmap or (non-present) migration entry. It calls pmdp_invalidate() unconditionally on the pmdp and only determines if it is present or not based on the returned old pmd. This is a problem for the migration entry case because pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a present pmd. On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future call to pmd_present() will return true. And therefore any lockless pgtable walker could see the migration entry pmd in this state and start interpretting the fields as if it were present, leading to BadThings (TM). GUP-fast appears to be one such lockless pgtable walker. x86 does not suffer the above problem, but instead pmd_mkinvalid() will corrupt the offset field of the swap entry within the swap pte. See link below for discussion of that problem. Fix all of this by only calling pmdp_invalidate() for a present pmd. And for good measure let's add a warning to all implementations of pmdp_invalidate[_ad](). I've manually reviewed all other pmdp_invalidate[_ad]() call sites and believe all others to be conformant. This is a theoretical bug found during code review. I don't have any test case to trigger it in practice. Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Aneesh Kumar K.V <aneesh.kumar(a)kernel.org> Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: "David S. Miller" <davem(a)davemloft.net> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Naveen N. Rao <naveen.n.rao(a)linux.ibm.com> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/Documentation/mm/arch_pgtable_helpers.rst b/Documentation/mm/arch_pgtable_helpers.rst index 2466d3363af7..ad50ca6f495e 100644 --- a/Documentation/mm/arch_pgtable_helpers.rst +++ b/Documentation/mm/arch_pgtable_helpers.rst @@ -140,7 +140,8 @@ PMD Page Table Helpers +---------------------------+--------------------------------------------------+ | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | +---------------------------+--------------------------------------------------+ -| pmd_mkinvalid | Invalidates a mapped PMD [1] | +| pmd_mkinvalid | Invalidates a present PMD; do not call for | +| | non-present PMD [1] | +---------------------------+--------------------------------------------------+ | pmd_set_huge | Creates a PMD huge mapping | +---------------------------+--------------------------------------------------+ @@ -196,7 +197,8 @@ PUD Page Table Helpers +---------------------------+--------------------------------------------------+ | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | +---------------------------+--------------------------------------------------+ -| pud_mkinvalid | Invalidates a mapped PUD [1] | +| pud_mkinvalid | Invalidates a present PUD; do not call for | +| | non-present PUD [1] | +---------------------------+--------------------------------------------------+ | pud_set_huge | Creates a PUD huge mapping | +---------------------------+--------------------------------------------------+ diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c index 83823db3488b..2975ea0841ba 100644 --- a/arch/powerpc/mm/book3s64/pgtable.c +++ b/arch/powerpc/mm/book3s64/pgtable.c @@ -170,6 +170,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { unsigned long old_pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return __pmd(old_pmd); diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h index 2cb2a2e7b34b..558902edbfec 100644 --- a/arch/s390/include/asm/pgtable.h +++ b/arch/s390/include/asm/pgtable.h @@ -1769,8 +1769,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long addr, pmd_t *pmdp) { - pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); + pmd_t pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); } diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c index 19642f7ffb52..8648a50afe88 100644 --- a/arch/sparc/mm/tlb.c +++ b/arch/sparc/mm/tlb.c @@ -249,6 +249,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { pmd_t old, entry; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); old = pmdp_establish(vma, address, pmdp, entry); flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 94767c82fc0d..93e54ba91fbf 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -631,6 +631,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + /* * No flush is necessary. Once an invalid PTE is established, the PTE's * access and dirty bits cannot be updated. diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 08e4f3343bcd..ccdcff73284a 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2430,32 +2430,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, return __split_huge_zero_page_pmd(vma, haddr, pmd); } - /* - * Up to this point the pmd is present and huge and userland has the - * whole access to the hugepage during the split (which happens in - * place). If we overwrite the pmd with the not-huge version pointing - * to the pte here (which of course we could if all CPUs were bug - * free), userland could trigger a small page size TLB miss on the - * small sized TLB while the hugepage TLB entry is still established in - * the huge TLB. Some CPU doesn't like that. - * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum - * 383 on page 105. Intel should be safe but is also warns that it's - * only safe if the permission and cache attributes of the two entries - * loaded in the two TLB is identical (which should be the case here). - * But it is generally safer to never allow small and huge TLB entries - * for the same virtual address to be loaded simultaneously. So instead - * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the - * current pmd notpresent (atomically because here the pmd_trans_huge - * must remain set at all times on the pmd until the split is complete - * for this pmd), then we flush the SMP TLB and finally we write the - * non-huge version of the pmd entry with pmd_populate. - */ - old_pmd = pmdp_invalidate(vma, haddr, pmd); - - pmd_migration = is_pmd_migration_entry(old_pmd); + pmd_migration = is_pmd_migration_entry(*pmd); if (unlikely(pmd_migration)) { swp_entry_t entry; + old_pmd = *pmd; entry = pmd_to_swp_entry(old_pmd); page = pfn_swap_entry_to_page(entry); write = is_writable_migration_entry(entry); @@ -2466,6 +2445,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, soft_dirty = pmd_swp_soft_dirty(old_pmd); uffd_wp = pmd_swp_uffd_wp(old_pmd); } else { + /* + * Up to this point the pmd is present and huge and userland has + * the whole access to the hugepage during the split (which + * happens in place). If we overwrite the pmd with the not-huge + * version pointing to the pte here (which of course we could if + * all CPUs were bug free), userland could trigger a small page + * size TLB miss on the small sized TLB while the hugepage TLB + * entry is still established in the huge TLB. Some CPU doesn't + * like that. See + * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum + * 383 on page 105. Intel should be safe but is also warns that + * it's only safe if the permission and cache attributes of the + * two entries loaded in the two TLB is identical (which should + * be the case here). But it is generally safer to never allow + * small and huge TLB entries for the same virtual address to be + * loaded simultaneously. So instead of doing "pmd_populate(); + * flush_pmd_tlb_range();" we first mark the current pmd + * notpresent (atomically because here the pmd_trans_huge must + * remain set at all times on the pmd until the split is + * complete for this pmd), then we flush the SMP TLB and finally + * we write the non-huge version of the pmd entry with + * pmd_populate. + */ + old_pmd = pmdp_invalidate(vma, haddr, pmd); page = pmd_page(old_pmd); folio = page_folio(page); if (pmd_dirty(old_pmd)) { diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 4fcd959dcc4d..a78a4adf711a 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -198,6 +198,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp) pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return old; @@ -208,6 +209,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); return pmdp_invalidate(vma, address, pmdp); } #endif

1 year, 2 months

3
2
0 0

Re: Patch "netfilter: Remove the now superfluous sentinel elements from ctl_table array" has been added to the 6.6-stable tree

by Joel Granados

On Sat, Jun 22, 2024 at 07:45:37PM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > netfilter: Remove the now superfluous sentinel elements from ctl_table array > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > netfilter-remove-the-now-superfluous-sentinel-elemen.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. I don't understand why we are putting these in stable. IMO, they should not go there and this is why: 1. This is not a fix. The main motivation for doing these sentinel removals is to avoid bloat in the boot and compiled image (read more in cover letters for [1,2,3,4,5,6]) in future kernel versions. This makes no sense in stable IMO. 2. There are lots of moving parts and no "bang for the buck" If you are going to bring one of them, you need to bring all of them. This means brining in the preparation [7], the intermediate [1,2,3,4,5,6] and the final patch [8]. This is not only prone to error, but there is no real reason to do that in stable. If I'm missing something, please let me know. Best Joel [1] https://git.kernel.org/pub/scm/linux/kernel/git/joel.granados/linux.git/log… [2] https://git.kernel.org/pub/scm/linux/kernel/git/joel.granados/linux.git/log… [3] https://git.kernel.org/pub/scm/linux/kernel/git/joel.granados/linux.git/log… [4] https://git.kernel.org/pub/scm/linux/kernel/git/joel.granados/linux.git/log… [5] https://git.kernel.org/pub/scm/linux/kernel/git/joel.granados/linux.git/log… [6] https://git.kernel.org/pub/scm/linux/kernel/git/joel.granados/linux.git/log… [7] https://lore.kernel.org/20230731071728.3493794-1-j.granados@samsung.com [8] https://lore.kernel.org/20240604-jag-sysctl_remset-v1-0-2df7ecdba0bd@samsun…

1 year, 2 months

2
1
0 0

[PATCH] arm64: defconfig: enable the vf610 gpio driver

by Fabio Estevam

From: Martin Kaiser <martin(a)kaiser.cx> commit a73bda63a102a5f1feb730d4d809de098a3d1886 upstream. The vf610 gpio driver is used in i.MX8QM, DXL, ULP and i.MX93 chips. Enable it in arm64 defconfig. (vf610 gpio used to be enabled by default for all i.MX chips. This was changed recently as most i.MX chips don't need this driver.) Cc: <stable(a)vger.kernel.org> # 6.6.x Signed-off-by: Martin Kaiser <martin(a)kaiser.cx> Signed-off-by: Shawn Guo <shawnguo(a)kernel.org> Signed-off-by: Fabio Estevam <festevam(a)gmail.com> --- Hi, This fixes a boot regression on imx93-evk running 6.6.32. Please apply it to the 6.6.y stable tree. arch/arm64/configs/defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig index 24f395d9ce2a36..9f82eb906a8a34 100644 --- a/arch/arm64/configs/defconfig +++ b/arch/arm64/configs/defconfig @@ -632,6 +632,7 @@ CONFIG_GPIO_SYSCON=y CONFIG_GPIO_UNIPHIER=y CONFIG_GPIO_VISCONTI=y CONFIG_GPIO_WCD934X=m +CONFIG_GPIO_VF610=y CONFIG_GPIO_XGENE=y CONFIG_GPIO_XGENE_SB=y CONFIG_GPIO_MAX732X=y

1 year, 2 months

2
2
0 0

FAILED: patch "[PATCH] kbuild: Remove support for Clang's ThinLTO caching" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x aba091547ef6159d52471f42a3ef531b7b660ed8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061340-troubling-automated-9989@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: aba091547ef6 ("kbuild: Remove support for Clang's ThinLTO caching") 1db773da58df ("kbuild: remove old Rust docs output path") 7ea01d3169a2 ("rust: delete rust-project.json when running make clean") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From aba091547ef6159d52471f42a3ef531b7b660ed8 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor <nathan(a)kernel.org> Date: Wed, 1 May 2024 15:55:25 -0700 Subject: [PATCH] kbuild: Remove support for Clang's ThinLTO caching MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There is an issue in clang's ThinLTO caching (enabled for the kernel via '--thinlto-cache-dir') with .incbin, which the kernel occasionally uses to include data within the kernel, such as the .config file for /proc/config.gz. For example, when changing the .config and rebuilding vmlinux, the copy of .config in vmlinux does not match the copy of .config in the build folder: $ echo 'CONFIG_LTO_NONE=n CONFIG_LTO_CLANG_THIN=y CONFIG_IKCONFIG=y CONFIG_HEADERS_INSTALL=y' >kernel/configs/repro.config $ make -skj"$(nproc)" ARCH=x86_64 LLVM=1 clean defconfig repro.config vmlinux ... $ grep CONFIG_HEADERS_INSTALL .config CONFIG_HEADERS_INSTALL=y $ scripts/extract-ikconfig vmlinux | grep CONFIG_HEADERS_INSTALL CONFIG_HEADERS_INSTALL=y $ scripts/config -d HEADERS_INSTALL $ make -kj"$(nproc)" ARCH=x86_64 LLVM=1 vmlinux ... UPD kernel/config_data GZIP kernel/config_data.gz CC kernel/configs.o ... LD vmlinux ... $ grep CONFIG_HEADERS_INSTALL .config # CONFIG_HEADERS_INSTALL is not set $ scripts/extract-ikconfig vmlinux | grep CONFIG_HEADERS_INSTALL CONFIG_HEADERS_INSTALL=y Without '--thinlto-cache-dir' or when using full LTO, this issue does not occur. Benchmarking incremental builds on a few different machines with and without the cache shows a 20% increase in incremental build time without the cache when measured by touching init/main.c and running 'make all'. ARCH=arm64 defconfig + CONFIG_LTO_CLANG_THIN=y on an arm64 host: Benchmark 1: With ThinLTO cache Time (mean ± σ): 56.347 s ± 0.163 s [User: 83.768 s, System: 24.661 s] Range (min … max): 56.109 s … 56.594 s 10 runs Benchmark 2: Without ThinLTO cache Time (mean ± σ): 67.740 s ± 0.479 s [User: 718.458 s, System: 31.797 s] Range (min … max): 67.059 s … 68.556 s 10 runs Summary With ThinLTO cache ran 1.20 ± 0.01 times faster than Without ThinLTO cache ARCH=x86_64 defconfig + CONFIG_LTO_CLANG_THIN=y on an x86_64 host: Benchmark 1: With ThinLTO cache Time (mean ± σ): 85.772 s ± 0.252 s [User: 91.505 s, System: 8.408 s] Range (min … max): 85.447 s … 86.244 s 10 runs Benchmark 2: Without ThinLTO cache Time (mean ± σ): 103.833 s ± 0.288 s [User: 232.058 s, System: 8.569 s] Range (min … max): 103.286 s … 104.124 s 10 runs Summary With ThinLTO cache ran 1.21 ± 0.00 times faster than Without ThinLTO cache While it is unfortunate to take this performance improvement off the table, correctness is more important. If/when this is fixed in LLVM, it can potentially be brought back in a conditional manner. Alternatively, a developer can just disable LTO if doing incremental compiles quickly is important, as a full compile cycle can still take over a minute even with the cache and it is unlikely that LTO will result in functional differences for a kernel change. Cc: stable(a)vger.kernel.org Fixes: dc5723b02e52 ("kbuild: add support for Clang LTO") Reported-by: Yifan Hong <elsk(a)google.com> Closes: https://github.com/ClangBuiltLinux/linux/issues/2021 Reported-by: Masami Hiramatsu <mhiramat(a)kernel.org> Closes: https://lore.kernel.org/r/20220327115526.cc4b0ff55fc53c97683c3e4d@kernel.or… Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Signed-off-by: Masahiro Yamada <masahiroy(a)kernel.org> diff --git a/Makefile b/Makefile index 026971f9f6bc..12e1a792b8de 100644 --- a/Makefile +++ b/Makefile @@ -942,7 +942,6 @@ endif ifdef CONFIG_LTO_CLANG ifdef CONFIG_LTO_CLANG_THIN CC_FLAGS_LTO := -flto=thin -fsplit-lto-unit -KBUILD_LDFLAGS += --thinlto-cache-dir=$(extmod_prefix).thinlto-cache else CC_FLAGS_LTO := -flto endif @@ -1480,7 +1479,7 @@ endif # CONFIG_MODULES # Directories & files removed with 'make clean' CLEAN_FILES += vmlinux.symvers modules-only.symvers \ modules.builtin modules.builtin.modinfo modules.nsdeps \ - compile_commands.json .thinlto-cache rust/test \ + compile_commands.json rust/test \ rust-project.json .vmlinux.objs .vmlinux.export.c # Directories & files removed with 'make mrproper' @@ -1787,7 +1786,7 @@ PHONY += compile_commands.json clean-dirs := $(KBUILD_EXTMOD) clean: rm-files := $(KBUILD_EXTMOD)/Module.symvers $(KBUILD_EXTMOD)/modules.nsdeps \ - $(KBUILD_EXTMOD)/compile_commands.json $(KBUILD_EXTMOD)/.thinlto-cache + $(KBUILD_EXTMOD)/compile_commands.json PHONY += prepare # now expand this into a simple variable to reduce the cost of shell evaluations

1 year, 2 months

3
4
0 0

Re: Patch "ACPI: EC: Install address space handler at the namespace root" has been added to the 6.6-stable tree

by Wysocki, Rafael J

On 6/21/2024 5:47 PM, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > ACPI: EC: Install address space handler at the namespace root For this, you need https://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm.git/commit/… too (here and for 6.9). Thanks! > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > acpi-ec-install-address-space-handler-at-the-namespa.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit ee44236dfbf5541d5fbcb52db961616292c84c0d > Author: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> > Date: Wed May 15 21:40:54 2024 +0200 > > ACPI: EC: Install address space handler at the namespace root > > [ Upstream commit 60fa6ae6e6d09e377fce6f8d9b6f6a4d88769f63 ] > > It is reported that _DSM evaluation fails in ucsi_acpi_dsm() on Lenovo > IdeaPad Pro 5 due to a missing address space handler for the EC address > space: > > ACPI Error: No handler for Region [ECSI] (000000007b8176ee) [EmbeddedControl] (20230628/evregion-130) > > This happens because if there is no ECDT, the EC driver only registers > the EC address space handler for operation regions defined in the EC > device scope of the ACPI namespace while the operation region being > accessed by the _DSM in question is located beyond that scope. > > To address this, modify the ACPI EC driver to install the EC address > space handler at the root of the ACPI namespace for the first EC that > can be found regardless of whether or not an ECDT is present. > > Note that this change is consistent with some examples in the ACPI > specification in which EC operation regions located outside the EC > device scope are used (for example, see Section 9.17.15 in ACPI 6.5), > so the current behavior of the EC driver is arguably questionable. > > Reported-by: webcaptcha <webcapcha(a)gmail.com> > Link: https://bugzilla.kernel.org/show_bug.cgi?id=218789 > Link: https://uefi.org/specs/ACPI/6.5/09_ACPI_Defined_Devices_and_Device_Specific… > Link: https://lore.kernel.org/linux-acpi/Zi+0whTvDbAdveHq@kuha.fi.intel.com > Suggested-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> > Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> > Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> > Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> > Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c > index a59c11df73754..0795f92d8927d 100644 > --- a/drivers/acpi/ec.c > +++ b/drivers/acpi/ec.c > @@ -1482,13 +1482,14 @@ static bool install_gpio_irq_event_handler(struct acpi_ec *ec) > static int ec_install_handlers(struct acpi_ec *ec, struct acpi_device *device, > bool call_reg) > { > + acpi_handle scope_handle = ec == first_ec ? ACPI_ROOT_OBJECT : ec->handle; > acpi_status status; > > acpi_ec_start(ec, false); > > if (!test_bit(EC_FLAGS_EC_HANDLER_INSTALLED, &ec->flags)) { > acpi_ec_enter_noirq(ec); > - status = acpi_install_address_space_handler_no_reg(ec->handle, > + status = acpi_install_address_space_handler_no_reg(scope_handle, > ACPI_ADR_SPACE_EC, > &acpi_ec_space_handler, > NULL, ec); > @@ -1497,11 +1498,10 @@ static int ec_install_handlers(struct acpi_ec *ec, struct acpi_device *device, > return -ENODEV; > } > set_bit(EC_FLAGS_EC_HANDLER_INSTALLED, &ec->flags); > - ec->address_space_handler_holder = ec->handle; > } > > if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) { > - acpi_execute_reg_methods(ec->handle, ACPI_ADR_SPACE_EC); > + acpi_execute_reg_methods(scope_handle, ACPI_ADR_SPACE_EC); > set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags); > } > > @@ -1553,10 +1553,13 @@ static int ec_install_handlers(struct acpi_ec *ec, struct acpi_device *device, > > static void ec_remove_handlers(struct acpi_ec *ec) > { > + acpi_handle scope_handle = ec == first_ec ? ACPI_ROOT_OBJECT : ec->handle; > + > if (test_bit(EC_FLAGS_EC_HANDLER_INSTALLED, &ec->flags)) { > if (ACPI_FAILURE(acpi_remove_address_space_handler( > - ec->address_space_handler_holder, > - ACPI_ADR_SPACE_EC, &acpi_ec_space_handler))) > + scope_handle, > + ACPI_ADR_SPACE_EC, > + &acpi_ec_space_handler))) > pr_err("failed to remove space handler\n"); > clear_bit(EC_FLAGS_EC_HANDLER_INSTALLED, &ec->flags); > } > @@ -1595,14 +1598,18 @@ static int acpi_ec_setup(struct acpi_ec *ec, struct acpi_device *device, bool ca > { > int ret; > > - ret = ec_install_handlers(ec, device, call_reg); > - if (ret) > - return ret; > - > /* First EC capable of handling transactions */ > if (!first_ec) > first_ec = ec; > > + ret = ec_install_handlers(ec, device, call_reg); > + if (ret) { > + if (ec == first_ec) > + first_ec = NULL; > + > + return ret; > + } > + > pr_info("EC_CMD/EC_SC=0x%lx, EC_DATA=0x%lx\n", ec->command_addr, > ec->data_addr); > > diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h > index 866c7c4ed2331..6db1a03dd5399 100644 > --- a/drivers/acpi/internal.h > +++ b/drivers/acpi/internal.h > @@ -167,7 +167,6 @@ enum acpi_ec_event_state { > > struct acpi_ec { > acpi_handle handle; > - acpi_handle address_space_handler_holder; > int gpe; > int irq; > unsigned long command_addr;

1 year, 2 months

2
1
0 0

Re: Patch "ASoC: Intel: sof_cs42l42: rename BT offload quirk" has been added to the 6.9-stable tree

by Mark Brown

On Fri, Jun 21, 2024 at 11:42:01AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > ASoC: Intel: sof_cs42l42: rename BT offload quirk This is not obvious stable material. > > Reviewed-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> > Signed-off-by: Brent Lu <brent.lu(a)intel.com> > Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> > Link: https://msgid.link/r/20240325221059.206042-7-pierre-louis.bossart@linux.int… > Signed-off-by: Mark Brown <broonie(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> I'm also not seeing any stable-dep-of r anything in here.

1 year, 2 months

2
1
0 0

[PATCH v3 2/5] mei: vsc: Enhance SPI transfer of IVSC rom

by Wentong Wu

Constructing the SPI transfer command as per the specific request. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index 5f3195636e53..26387e2f1dd7 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -331,7 +331,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf, void *ibuf, size_t len) return ret; } - ret = vsc_tp_dev_xfer(tp, tp->tx_buf, tp->rx_buf, len); + ret = vsc_tp_dev_xfer(tp, tp->tx_buf, ibuf ? tp->rx_buf : NULL, len); if (ret) return ret; -- 2.34.1

1 year, 2 months

2
1
0 0

[PATCH v3 4/5] mei: vsc: Prevent timeout error with added delay post-firmware download

by Wentong Wu

After completing the firmware download, the firmware requires some time to become functional. This change introduces additional sleep time before the first read operation to prevent a confusing timeout error in vsc_tp_xfer(). Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/platform-vsc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/misc/mei/platform-vsc.c b/drivers/misc/mei/platform-vsc.c index 1ec65d87488a..d02f6e881139 100644 --- a/drivers/misc/mei/platform-vsc.c +++ b/drivers/misc/mei/platform-vsc.c @@ -28,8 +28,8 @@ #define MEI_VSC_MAX_MSG_SIZE 512 -#define MEI_VSC_POLL_DELAY_US (50 * USEC_PER_MSEC) -#define MEI_VSC_POLL_TIMEOUT_US (200 * USEC_PER_MSEC) +#define MEI_VSC_POLL_DELAY_US (100 * USEC_PER_MSEC) +#define MEI_VSC_POLL_TIMEOUT_US (400 * USEC_PER_MSEC) #define mei_dev_to_vsc_hw(dev) ((struct mei_vsc_hw *)((dev)->hw)) -- 2.34.1

1 year, 2 months

1
0
0 0

[PATCH v3 3/5] mei: vsc: Utilize the appropriate byte order swap function

by Wentong Wu

Switch from cpu_to_be32_array() to be32_to_cpu_array() for the received rom data. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index 26387e2f1dd7..1618cca9a731 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -336,7 +336,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf, void *ibuf, size_t len) return ret; if (ibuf) - cpu_to_be32_array(ibuf, tp->rx_buf, words); + be32_to_cpu_array(ibuf, tp->rx_buf, words); return ret; } -- 2.34.1

1 year, 2 months

1
0
0 0

[PATCH v3 1/5] mei: vsc: Enhance IVSC chipset stability during warm reboot

by Wentong Wu

During system shutdown, incorporate reset logic to ensure the IVSC chipset remains in a valid state. This adjustment guarantees that the IVSC chipset operates in a known state following a warm reboot. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index e6a98dba8a73..5f3195636e53 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -568,6 +568,19 @@ static void vsc_tp_remove(struct spi_device *spi) free_irq(spi->irq, tp); } +static void vsc_tp_shutdown(struct spi_device *spi) +{ + struct vsc_tp *tp = spi_get_drvdata(spi); + + platform_device_unregister(tp->pdev); + + mutex_destroy(&tp->mutex); + + vsc_tp_reset(tp); + + free_irq(spi->irq, tp); +} + static const struct acpi_device_id vsc_tp_acpi_ids[] = { { "INTC1009" }, /* Raptor Lake */ { "INTC1058" }, /* Tiger Lake */ @@ -580,6 +593,7 @@ MODULE_DEVICE_TABLE(acpi, vsc_tp_acpi_ids); static struct spi_driver vsc_tp_driver = { .probe = vsc_tp_probe, .remove = vsc_tp_remove, + .shutdown = vsc_tp_shutdown, .driver = { .name = "vsc-tp", .acpi_match_table = vsc_tp_acpi_ids, -- 2.34.1

1 year, 2 months

1
0
0 0

[PATCH net 3/4] ipv6: take care of scope when choosing the src addr

by Nicolas Dichtel

When the source address is selected, the scope must be checked. For example, if a loopback address is assigned to the vrf device, it must not be chosen for packets sent outside. CC: stable(a)vger.kernel.org Fixes: afbac6010aec ("net: ipv6: Address selection needs to consider L3 domains") Signed-off-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> --- net/ipv6/addrconf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 5c424a0e7232..4f2c5cc31015 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -1873,7 +1873,8 @@ int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev, master, &dst, scores, hiscore_idx); - if (scores[hiscore_idx].ifa) + if (scores[hiscore_idx].ifa && + scores[hiscore_idx].scopedist >= 0) goto out; } -- 2.43.1

1 year, 2 months

1
0
0 0

[PATCH net 2/4] ipv6: fix source address selection with route leak

by Nicolas Dichtel

By default, an address assigned to the output interface is selected when the source address is not specified. This is problematic when a route, configured in a vrf, uses an interface from another vrf (aka route leak). The original vrf does not own the selected source address. Let's add a check against the output interface and call the appropriate function to select the source address. CC: stable(a)vger.kernel.org Fixes: 0d240e7811c4 ("net: vrf: Implement get_saddr for IPv6") Signed-off-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> --- include/net/ip6_route.h | 19 ++++++++++++------- net/ipv6/ip6_output.c | 1 + net/ipv6/route.c | 2 +- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h index a18ed24fed94..62755fab1b52 100644 --- a/include/net/ip6_route.h +++ b/include/net/ip6_route.h @@ -127,18 +127,23 @@ void rt6_age_exceptions(struct fib6_info *f6i, struct fib6_gc_args *gc_args, static inline int ip6_route_get_saddr(struct net *net, struct fib6_info *f6i, const struct in6_addr *daddr, - unsigned int prefs, + unsigned int prefs, int l3mdev_index, struct in6_addr *saddr) { + struct net_device *l3mdev; + struct net_device *dev; + bool same_vrf; int err = 0; - if (f6i && f6i->fib6_prefsrc.plen) { + rcu_read_lock(); + l3mdev = dev_get_by_index_rcu(net, l3mdev_index); + dev = f6i ? fib6_info_nh_dev(f6i) : NULL; + same_vrf = l3mdev && l3mdev_master_dev_rcu(dev) == l3mdev; + if (f6i && f6i->fib6_prefsrc.plen && same_vrf) *saddr = f6i->fib6_prefsrc.addr; - } else { - struct net_device *dev = f6i ? fib6_info_nh_dev(f6i) : NULL; - - err = ipv6_dev_get_saddr(net, dev, daddr, prefs, saddr); - } + else + err = ipv6_dev_get_saddr(net, same_vrf ? dev : l3mdev, daddr, prefs, saddr); + rcu_read_unlock(); return err; } diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 27d8725445e3..784424ac4147 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1124,6 +1124,7 @@ static int ip6_dst_lookup_tail(struct net *net, const struct sock *sk, from = rt ? rcu_dereference(rt->from) : NULL; err = ip6_route_get_saddr(net, from, &fl6->daddr, sk ? READ_ONCE(inet6_sk(sk)->srcprefs) : 0, + fl6->flowi6_l3mdev, &fl6->saddr); rcu_read_unlock(); diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 8d72ca0b086d..c9a9506b714d 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -5689,7 +5689,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb, goto nla_put_failure; } else if (dest) { struct in6_addr saddr_buf; - if (ip6_route_get_saddr(net, rt, dest, 0, &saddr_buf) == 0 && + if (ip6_route_get_saddr(net, rt, dest, 0, 0, &saddr_buf) == 0 && nla_put_in6_addr(skb, RTA_PREFSRC, &saddr_buf)) goto nla_put_failure; } -- 2.43.1

1 year, 2 months

1
0
0 0

[PATCH net 1/4] ipv4: fix source address selection with route leak

by Nicolas Dichtel

By default, an address assigned to the output interface is selected when the source address is not specified. This is problematic when a route, configured in a vrf, uses an interface from another vrf (aka route leak). The original vrf does not own the selected source address. Let's add a check against the output interface and call the appropriate function to select the source address. CC: stable(a)vger.kernel.org Fixes: 8cbb512c923d ("net: Add source address lookup op for VRF") Signed-off-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> --- net/ipv4/fib_semantics.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index f669da98d11d..459082f4936d 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -2270,6 +2270,13 @@ void fib_select_path(struct net *net, struct fib_result *res, fib_select_default(fl4, res); check_saddr: - if (!fl4->saddr) - fl4->saddr = fib_result_prefsrc(net, res); + if (!fl4->saddr) { + struct net_device *l3mdev = dev_get_by_index_rcu(net, fl4->flowi4_l3mdev); + + if (!l3mdev || + l3mdev_master_dev_rcu(FIB_RES_DEV(*res)) == l3mdev) + fl4->saddr = fib_result_prefsrc(net, res); + else + fl4->saddr = inet_select_addr(l3mdev, 0, RT_SCOPE_LINK); + } } -- 2.43.1

1 year, 2 months

1
0
0 0

[PATCH 02/15] syscalls: fix compat_sys_io_pgetevents_time64 usage

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> Using sys_io_pgetevents() as the entry point for compat mode tasks works almost correctly, but misses the sign extension for the min_nr and nr arguments. This was addressed on parisc by switching to compat_sys_io_pgetevents_time64() in commit 6431e92fc827 ("parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode"), as well as by using more sophisticated system call wrappers on x86 and s390. However, arm64, mips, powerpc, sparc and riscv still have the same bug. Changes all of them over to use compat_sys_io_pgetevents_time64() like parisc already does. This was clearly the intention when the function was originally added, but it got hooked up incorrectly in the tables. Cc: stable(a)vger.kernel.org Fixes: 48166e6ea47d ("y2038: add 64-bit time_t syscalls to all 32-bit architectures") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- arch/arm64/include/asm/unistd32.h | 2 +- arch/mips/kernel/syscalls/syscall_n32.tbl | 2 +- arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +- arch/powerpc/kernel/syscalls/syscall.tbl | 2 +- arch/s390/kernel/syscalls/syscall.tbl | 2 +- arch/sparc/kernel/syscalls/syscall.tbl | 2 +- arch/x86/entry/syscalls/syscall_32.tbl | 2 +- include/uapi/asm-generic/unistd.h | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h index 266b96acc014..1386e8e751f2 100644 --- a/arch/arm64/include/asm/unistd32.h +++ b/arch/arm64/include/asm/unistd32.h @@ -840,7 +840,7 @@ __SYSCALL(__NR_pselect6_time64, compat_sys_pselect6_time64) #define __NR_ppoll_time64 414 __SYSCALL(__NR_ppoll_time64, compat_sys_ppoll_time64) #define __NR_io_pgetevents_time64 416 -__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents) +__SYSCALL(__NR_io_pgetevents_time64, compat_sys_io_pgetevents_time64) #define __NR_recvmmsg_time64 417 __SYSCALL(__NR_recvmmsg_time64, compat_sys_recvmmsg_time64) #define __NR_mq_timedsend_time64 418 diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl index cc869f5d5693..953f5b7dc723 100644 --- a/arch/mips/kernel/syscalls/syscall_n32.tbl +++ b/arch/mips/kernel/syscalls/syscall_n32.tbl @@ -354,7 +354,7 @@ 412 n32 utimensat_time64 sys_utimensat 413 n32 pselect6_time64 compat_sys_pselect6_time64 414 n32 ppoll_time64 compat_sys_ppoll_time64 -416 n32 io_pgetevents_time64 sys_io_pgetevents +416 n32 io_pgetevents_time64 compat_sys_io_pgetevents_time64 417 n32 recvmmsg_time64 compat_sys_recvmmsg_time64 418 n32 mq_timedsend_time64 sys_mq_timedsend 419 n32 mq_timedreceive_time64 sys_mq_timedreceive diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl index 008ebe60263e..85751c9b9cdb 100644 --- a/arch/mips/kernel/syscalls/syscall_o32.tbl +++ b/arch/mips/kernel/syscalls/syscall_o32.tbl @@ -403,7 +403,7 @@ 412 o32 utimensat_time64 sys_utimensat sys_utimensat 413 o32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 414 o32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 -416 o32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents +416 o32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 417 o32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 418 o32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend 419 o32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl index 3656f1ca7a21..c6b0546b284d 100644 --- a/arch/powerpc/kernel/syscalls/syscall.tbl +++ b/arch/powerpc/kernel/syscalls/syscall.tbl @@ -502,7 +502,7 @@ 412 32 utimensat_time64 sys_utimensat sys_utimensat 413 32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 414 32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 -416 32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents +416 32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 417 32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 418 32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend 419 32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl index bd0fee24ad10..01071182763e 100644 --- a/arch/s390/kernel/syscalls/syscall.tbl +++ b/arch/s390/kernel/syscalls/syscall.tbl @@ -418,7 +418,7 @@ 412 32 utimensat_time64 - sys_utimensat 413 32 pselect6_time64 - compat_sys_pselect6_time64 414 32 ppoll_time64 - compat_sys_ppoll_time64 -416 32 io_pgetevents_time64 - sys_io_pgetevents +416 32 io_pgetevents_time64 - compat_sys_io_pgetevents_time64 417 32 recvmmsg_time64 - compat_sys_recvmmsg_time64 418 32 mq_timedsend_time64 - sys_mq_timedsend 419 32 mq_timedreceive_time64 - sys_mq_timedreceive diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl index ac6c281ccfe0..b354139b40be 100644 --- a/arch/sparc/kernel/syscalls/syscall.tbl +++ b/arch/sparc/kernel/syscalls/syscall.tbl @@ -461,7 +461,7 @@ 412 32 utimensat_time64 sys_utimensat sys_utimensat 413 32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 414 32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 -416 32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents +416 32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 417 32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 418 32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend 419 32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 7fd1f57ad3d3..d6ebcab1d8b2 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -420,7 +420,7 @@ 412 i386 utimensat_time64 sys_utimensat 413 i386 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 414 i386 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 -416 i386 io_pgetevents_time64 sys_io_pgetevents +416 i386 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 417 i386 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 418 i386 mq_timedsend_time64 sys_mq_timedsend 419 i386 mq_timedreceive_time64 sys_mq_timedreceive diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index d983c48a3b6a..3fdaa573d661 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -737,7 +737,7 @@ __SC_COMP(__NR_pselect6_time64, sys_pselect6, compat_sys_pselect6_time64) #define __NR_ppoll_time64 414 __SC_COMP(__NR_ppoll_time64, sys_ppoll, compat_sys_ppoll_time64) #define __NR_io_pgetevents_time64 416 -__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents) +__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents, compat_sys_io_pgetevents_time64) #define __NR_recvmmsg_time64 417 __SC_COMP(__NR_recvmmsg_time64, sys_recvmmsg, compat_sys_recvmmsg_time64) #define __NR_mq_timedsend_time64 418 -- 2.39.2

1 year, 2 months

3
2
0 0

[PATCH 09/15] sh: rework sync_file_range ABI

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> The unusual function calling conventions on superh ended up causing sync_file_range to have the wrong argument order, with the 'flags' argument getting sorted before 'nbytes' by the compiler. In userspace, I found that musl, glibc, uclibc and strace all expect the normal calling conventions with 'nbytes' last, so changing the kernel to match them should make all of those work. In order to be able to also fix libc implementations to work with existing kernels, they need to be able to tell which ABI is used. An easy way to do this is to add yet another system call using the sync_file_range2 ABI that works the same on all architectures. Old user binaries can now work on new kernels, and new binaries can try the new sync_file_range2() to work with new kernels or fall back to the old sync_file_range() version if that doesn't exist. Cc: stable(a)vger.kernel.org Fixes: 75c92acdd5b1 ("sh: Wire up new syscalls.") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- arch/sh/kernel/sys_sh32.c | 11 +++++++++++ arch/sh/kernel/syscalls/syscall.tbl | 3 ++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/arch/sh/kernel/sys_sh32.c b/arch/sh/kernel/sys_sh32.c index 9dca568509a5..d5a4f7c697d8 100644 --- a/arch/sh/kernel/sys_sh32.c +++ b/arch/sh/kernel/sys_sh32.c @@ -59,3 +59,14 @@ asmlinkage int sys_fadvise64_64_wrapper(int fd, u32 offset0, u32 offset1, (u64)len0 << 32 | len1, advice); #endif } + +/* + * swap the arguments the way that libc wants it instead of + * moving flags ahead of the 64-bit nbytes argument + */ +SYSCALL_DEFINE6(sh_sync_file_range6, int, fd, SC_ARG64(offset), + SC_ARG64(nbytes), unsigned int, flags) +{ + return ksys_sync_file_range(fd, SC_VAL64(loff_t, offset), + SC_VAL64(loff_t, nbytes), flags); +} diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl index bbf83a2db986..c55fd7696d40 100644 --- a/arch/sh/kernel/syscalls/syscall.tbl +++ b/arch/sh/kernel/syscalls/syscall.tbl @@ -321,7 +321,7 @@ 311 common set_robust_list sys_set_robust_list 312 common get_robust_list sys_get_robust_list 313 common splice sys_splice -314 common sync_file_range sys_sync_file_range +314 common sync_file_range sys_sh_sync_file_range6 315 common tee sys_tee 316 common vmsplice sys_vmsplice 317 common move_pages sys_move_pages @@ -395,6 +395,7 @@ 385 common pkey_alloc sys_pkey_alloc 386 common pkey_free sys_pkey_free 387 common rseq sys_rseq +388 common sync_file_range2 sys_sync_file_range2 # room for arch specific syscalls 393 common semget sys_semget 394 common semctl sys_semctl -- 2.39.2

1 year, 2 months

4
5
0 0

[PATCH 14/15] asm-generic: unistd: fix time32 compat syscall handling

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> arch/riscv/ appears to have accidentally enabled the compat time32 syscalls in 64-bit kernels even though the native 32-bit ABI does not expose those. Address this by adding another level of indirection, checking for both the target ABI (32 or 64) and the __ARCH_WANT_TIME32_SYSCALLS macro. The macro arguments are meant to follow the syscall.tbl format, the idea here is that by the end of the series, all other syscalls are changed to the same format to make it possible to move all architectures over to generating the system call table consistently. Only this patch needs to be backported though. Cc: stable(a)vger.kernel.org # v5.19+ Fixes: 7eb6369d7acf ("RISC-V: Add support for rv32 userspace via COMPAT") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- include/uapi/asm-generic/unistd.h | 146 +++++++++++++++++++----------- 1 file changed, 94 insertions(+), 52 deletions(-) diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index 3fdaa573d661..e47c966557d0 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -16,10 +16,32 @@ #define __SYSCALL(x, y) #endif +#ifndef __SC +#define __SC(_cond, _nr, _sys) __SYSCALL_ ## _cond (_nr, _sys) +#endif + +#ifndef __SCC +#ifdef __SYSCALL_COMPAT +#define __SCC(_cond, _nr, _sys, _comp) __SC(_cond, _nr, _comp) +#else +#define __SCC(_cond, _nr, _sys, _comp) __SC(_cond, _nr, _sys) +#endif +#endif + #if __BITS_PER_LONG == 32 || defined(__SYSCALL_COMPAT) #define __SC_3264(_nr, _32, _64) __SYSCALL(_nr, _32) +#define __SYSCALL_32(_nr, _sys) __SYSCALL(__NR_ ## _nr, _sys) +#define __SYSCALL_64(_nr, _sys) #else #define __SC_3264(_nr, _32, _64) __SYSCALL(_nr, _64) +#define __SYSCALL_32(_nr, _sys) +#define __SYSCALL_64(_nr, _sys) __SYSCALL(__NR_ ## _nr, _sys) +#endif + +#if defined(__ARCH_WANT_TIME32_SYSCALLS) +#define __SYSCALL_time32(_nr, _sys) __SYSCALL_32(__NR_ ## _nr, _sys) +#else +#define __SYSCALL_time32(_nr, _sys) #endif #ifdef __SYSCALL_COMPAT @@ -41,7 +63,8 @@ __SYSCALL(__NR_io_cancel, sys_io_cancel) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_io_getevents 4 -__SC_3264(__NR_io_getevents, sys_io_getevents_time32, sys_io_getevents) +__SC(time32, io_getevents, sys_io_getevents_time32) +__SC(64, io_getevents, sys_io_getevents) #endif #define __NR_setxattr 5 @@ -190,9 +213,11 @@ __SYSCALL(__NR3264_sendfile, sys_sendfile64) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_pselect6 72 -__SC_COMP_3264(__NR_pselect6, sys_pselect6_time32, sys_pselect6, compat_sys_pselect6_time32) +__SCC(time32, pselect6, sys_pselect6_time32, compat_sys_pselect6_time32) +__SC(64, pselect6, sys_pselect6) #define __NR_ppoll 73 -__SC_COMP_3264(__NR_ppoll, sys_ppoll_time32, sys_ppoll, compat_sys_ppoll_time32) +__SCC(time32, ppoll, sys_ppoll_time32, compat_sys_ppoll_time32) +__SC(64, ppoll, sys_ppoll) #endif #define __NR_signalfd4 74 @@ -235,16 +260,17 @@ __SYSCALL(__NR_timerfd_create, sys_timerfd_create) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_timerfd_settime 86 -__SC_3264(__NR_timerfd_settime, sys_timerfd_settime32, \ - sys_timerfd_settime) +__SC(time32, timerfd_settime, sys_timerfd_settime32) +__SC(64, timerfd_settime, sys_timerfd_settime) #define __NR_timerfd_gettime 87 -__SC_3264(__NR_timerfd_gettime, sys_timerfd_gettime32, \ - sys_timerfd_gettime) +__SC(time32, timerfd_gettime, sys_timerfd_gettime32) +__SC(64, timerfd_gettime, sys_timerfd_gettime) #endif #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_utimensat 88 -__SC_3264(__NR_utimensat, sys_utimensat_time32, sys_utimensat) +__SC(time32, utimensat, sys_utimensat_time32) +__SC(64, utimensat, sys_utimensat) #endif #define __NR_acct 89 @@ -268,7 +294,8 @@ __SYSCALL(__NR_unshare, sys_unshare) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_futex 98 -__SC_3264(__NR_futex, sys_futex_time32, sys_futex) +__SC(time32, futex, sys_futex_time32) +__SC(64, futex, sys_futex) #endif #define __NR_set_robust_list 99 @@ -280,7 +307,8 @@ __SC_COMP(__NR_get_robust_list, sys_get_robust_list, \ #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_nanosleep 101 -__SC_3264(__NR_nanosleep, sys_nanosleep_time32, sys_nanosleep) +__SC(time32, nanosleep, sys_nanosleep_time32) +__SC(64, nanosleep, sys_nanosleep) #endif #define __NR_getitimer 102 @@ -298,7 +326,8 @@ __SC_COMP(__NR_timer_create, sys_timer_create, compat_sys_timer_create) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_timer_gettime 108 -__SC_3264(__NR_timer_gettime, sys_timer_gettime32, sys_timer_gettime) +__SC(time32, timer_gettime, sys_timer_gettime32) +__SC(64, timer_gettime, sys_timer_gettime) #endif #define __NR_timer_getoverrun 109 @@ -306,7 +335,8 @@ __SYSCALL(__NR_timer_getoverrun, sys_timer_getoverrun) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_timer_settime 110 -__SC_3264(__NR_timer_settime, sys_timer_settime32, sys_timer_settime) +__SC(time32, timer_settime, sys_timer_settime32) +__SC(64, timer_settime, sys_timer_settime) #endif #define __NR_timer_delete 111 @@ -314,14 +344,17 @@ __SYSCALL(__NR_timer_delete, sys_timer_delete) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_clock_settime 112 -__SC_3264(__NR_clock_settime, sys_clock_settime32, sys_clock_settime) +__SC(time32, clock_settime, sys_clock_settime32) +__SC(64, clock_settime, sys_clock_settime) #define __NR_clock_gettime 113 -__SC_3264(__NR_clock_gettime, sys_clock_gettime32, sys_clock_gettime) +__SC(time32, clock_gettime, sys_clock_gettime32) +__SC(64, clock_gettime, sys_clock_gettime) #define __NR_clock_getres 114 -__SC_3264(__NR_clock_getres, sys_clock_getres_time32, sys_clock_getres) +__SC(time32, clock_getres, sys_clock_getres_time32) +__SC(64, clock_getres, sys_clock_getres) #define __NR_clock_nanosleep 115 -__SC_3264(__NR_clock_nanosleep, sys_clock_nanosleep_time32, \ - sys_clock_nanosleep) +__SC(time32, clock_nanosleep, sys_clock_nanosleep_time32) +__SC(64, clock_nanosleep, sys_clock_nanosleep) #endif #define __NR_syslog 116 @@ -351,8 +384,8 @@ __SYSCALL(__NR_sched_get_priority_min, sys_sched_get_priority_min) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_sched_rr_get_interval 127 -__SC_3264(__NR_sched_rr_get_interval, sys_sched_rr_get_interval_time32, \ - sys_sched_rr_get_interval) +__SC(time32, sched_rr_get_interval, sys_sched_rr_get_interval_time32) +__SC(64, sched_rr_get_interval, sys_sched_rr_get_interval) #endif #define __NR_restart_syscall 128 @@ -376,8 +409,8 @@ __SC_COMP(__NR_rt_sigpending, sys_rt_sigpending, compat_sys_rt_sigpending) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_rt_sigtimedwait 137 -__SC_COMP_3264(__NR_rt_sigtimedwait, sys_rt_sigtimedwait_time32, \ - sys_rt_sigtimedwait, compat_sys_rt_sigtimedwait_time32) +__SCC(time32, rt_sigtimedwait, sys_rt_sigtimedwait_time32, compat_sys_rt_sigtimedwait_time32) +__SC(64, rt_sigtimedwait, sys_rt_sigtimedwait) #endif #define __NR_rt_sigqueueinfo 138 @@ -451,11 +484,14 @@ __SYSCALL(__NR_getcpu, sys_getcpu) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_gettimeofday 169 -__SC_COMP(__NR_gettimeofday, sys_gettimeofday, compat_sys_gettimeofday) +__SCC(time32, gettimeofday, sys_gettimeofday, compat_sys_gettimeofday) +__SC(64, gettimeofday, sys_gettimeofday) #define __NR_settimeofday 170 -__SC_COMP(__NR_settimeofday, sys_settimeofday, compat_sys_settimeofday) +__SCC(time32, settimeofday, sys_settimeofday, compat_sys_settimeofday) +__SC(64, settimeofday, sys_settimeofday) #define __NR_adjtimex 171 -__SC_3264(__NR_adjtimex, sys_adjtimex_time32, sys_adjtimex) +__SC(time32, adjtimex, sys_adjtimex_time32) +__SC(64, adjtimex, sys_adjtimex) #endif #define __NR_getpid 172 @@ -481,10 +517,11 @@ __SYSCALL(__NR_mq_unlink, sys_mq_unlink) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_mq_timedsend 182 -__SC_3264(__NR_mq_timedsend, sys_mq_timedsend_time32, sys_mq_timedsend) +__SC(time32, mq_timedsend, sys_mq_timedsend_time32) +__SC(64, mq_timedsend, sys_mq_timedsend) #define __NR_mq_timedreceive 183 -__SC_3264(__NR_mq_timedreceive, sys_mq_timedreceive_time32, \ - sys_mq_timedreceive) +__SC(time32, mq_timedreceive, sys_mq_timedreceive_time32) +__SC(64, mq_timedreceive, sys_mq_timedreceive) #endif #define __NR_mq_notify 184 @@ -506,7 +543,8 @@ __SC_COMP(__NR_semctl, sys_semctl, compat_sys_semctl) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_semtimedop 192 -__SC_3264(__NR_semtimedop, sys_semtimedop_time32, sys_semtimedop) +__SC(time32, semtimedop, sys_semtimedop_time32) +__SC(64, semtimedop, sys_semtimedop) #endif #define __NR_semop 193 @@ -618,7 +656,8 @@ __SYSCALL(__NR_accept4, sys_accept4) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_recvmmsg 243 -__SC_COMP_3264(__NR_recvmmsg, sys_recvmmsg_time32, sys_recvmmsg, compat_sys_recvmmsg_time32) +__SCC(time32, recvmmsg, sys_recvmmsg_time32, compat_sys_recvmmsg_time32) +__SC(64, recvmmsg, sys_recvmmsg) #endif /* @@ -629,7 +668,8 @@ __SC_COMP_3264(__NR_recvmmsg, sys_recvmmsg_time32, sys_recvmmsg, compat_sys_recv #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_wait4 260 -__SC_COMP(__NR_wait4, sys_wait4, compat_sys_wait4) +__SCC(time32, wait4, sys_wait4, compat_sys_wait4) +__SC(64, wait4, sys_wait4) #endif #define __NR_prlimit64 261 @@ -645,7 +685,8 @@ __SYSCALL(__NR_open_by_handle_at, sys_open_by_handle_at) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_clock_adjtime 266 -__SC_3264(__NR_clock_adjtime, sys_clock_adjtime32, sys_clock_adjtime) +__SC(time32, clock_adjtime, sys_clock_adjtime32) +__SC(64, clock_adjtime, sys_clock_adjtime) #endif #define __NR_syncfs 267 @@ -701,7 +742,8 @@ __SYSCALL(__NR_statx, sys_statx) #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 #define __NR_io_pgetevents 292 -__SC_COMP_3264(__NR_io_pgetevents, sys_io_pgetevents_time32, sys_io_pgetevents, compat_sys_io_pgetevents) +__SCC(time32, io_pgetevents, sys_io_pgetevents_time32, compat_sys_io_pgetevents) +__SC(64, io_pgetevents, sys_io_pgetevents) #endif #define __NR_rseq 293 @@ -713,45 +755,45 @@ __SYSCALL(__NR_kexec_file_load, sys_kexec_file_load) #if defined(__SYSCALL_COMPAT) || __BITS_PER_LONG == 32 #define __NR_clock_gettime64 403 -__SYSCALL(__NR_clock_gettime64, sys_clock_gettime) +__SC(32, clock_gettime64, sys_clock_gettime) #define __NR_clock_settime64 404 -__SYSCALL(__NR_clock_settime64, sys_clock_settime) +__SC(32, clock_settime64, sys_clock_settime) #define __NR_clock_adjtime64 405 -__SYSCALL(__NR_clock_adjtime64, sys_clock_adjtime) +__SC(32, clock_adjtime64, sys_clock_adjtime) #define __NR_clock_getres_time64 406 -__SYSCALL(__NR_clock_getres_time64, sys_clock_getres) +__SC(32, clock_getres_time64, sys_clock_getres) #define __NR_clock_nanosleep_time64 407 -__SYSCALL(__NR_clock_nanosleep_time64, sys_clock_nanosleep) +__SC(32, clock_nanosleep_time64, sys_clock_nanosleep) #define __NR_timer_gettime64 408 -__SYSCALL(__NR_timer_gettime64, sys_timer_gettime) +__SC(32, timer_gettime64, sys_timer_gettime) #define __NR_timer_settime64 409 -__SYSCALL(__NR_timer_settime64, sys_timer_settime) +__SC(32, timer_settime64, sys_timer_settime) #define __NR_timerfd_gettime64 410 -__SYSCALL(__NR_timerfd_gettime64, sys_timerfd_gettime) +__SC(32, timerfd_gettime64, sys_timerfd_gettime) #define __NR_timerfd_settime64 411 -__SYSCALL(__NR_timerfd_settime64, sys_timerfd_settime) +__SC(32, timerfd_settime64, sys_timerfd_settime) #define __NR_utimensat_time64 412 -__SYSCALL(__NR_utimensat_time64, sys_utimensat) +__SC(32, utimensat_time64, sys_utimensat) #define __NR_pselect6_time64 413 -__SC_COMP(__NR_pselect6_time64, sys_pselect6, compat_sys_pselect6_time64) +__SCC(32, pselect6_time64, sys_pselect6, compat_sys_pselect6_time64) #define __NR_ppoll_time64 414 -__SC_COMP(__NR_ppoll_time64, sys_ppoll, compat_sys_ppoll_time64) +__SCC(32, ppoll_time64, sys_ppoll, compat_sys_ppoll_time64) #define __NR_io_pgetevents_time64 416 -__SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents, compat_sys_io_pgetevents_time64) +__SCC(32, io_pgetevents_time64, sys_io_pgetevents, compat_sys_io_pgetevents_time64) #define __NR_recvmmsg_time64 417 -__SC_COMP(__NR_recvmmsg_time64, sys_recvmmsg, compat_sys_recvmmsg_time64) +__SCC(32, recvmmsg_time64, sys_recvmmsg, compat_sys_recvmmsg_time64) #define __NR_mq_timedsend_time64 418 -__SYSCALL(__NR_mq_timedsend_time64, sys_mq_timedsend) +__SC(32, mq_timedsend_time64, sys_mq_timedsend) #define __NR_mq_timedreceive_time64 419 -__SYSCALL(__NR_mq_timedreceive_time64, sys_mq_timedreceive) +__SC(32, mq_timedreceive_time64, sys_mq_timedreceive) #define __NR_semtimedop_time64 420 -__SYSCALL(__NR_semtimedop_time64, sys_semtimedop) +__SC(32, semtimedop_time64, sys_semtimedop) #define __NR_rt_sigtimedwait_time64 421 -__SC_COMP(__NR_rt_sigtimedwait_time64, sys_rt_sigtimedwait, compat_sys_rt_sigtimedwait_time64) +__SCC(32, rt_sigtimedwait_time64, sys_rt_sigtimedwait, compat_sys_rt_sigtimedwait_time64) #define __NR_futex_time64 422 -__SYSCALL(__NR_futex_time64, sys_futex) +__SC(32, futex_time64, sys_futex) #define __NR_sched_rr_get_interval_time64 423 -__SYSCALL(__NR_sched_rr_get_interval_time64, sys_sched_rr_get_interval) +__SC(32, sched_rr_get_interval_time64, sys_sched_rr_get_interval) #endif #define __NR_pidfd_send_signal 424 -- 2.39.2

1 year, 2 months

2
1
0 0

[PATCH v2] powerpc: Fix unnecessary copy to 0 when kernel is booted at address 0.

by Jinglin Wen

According to the code logic, when the kernel is loaded to address 0, no copying operation should be performed, but it is currently being done. This patch fixes the issue where the kernel code was incorrectly duplicated to address 0 when booting from address 0. Fixes: b270bebd34e3 ("powerpc/64s: Run at the kernel virtual address earlier in boot") Signed-off-by: Jinglin Wen <jinglin.wen(a)shingroup.cn> Suggested-by: Michael Ellerman <mpe(a)ellerman.id.au> Cc: <stable(a)vger.kernel.org> --- v2: - According to 87le336c6k.fsf(a)mail.lhotse, improve this patch. v1: - 20240617023509.5674-1-jinglin.wen(a)shingroup.cn arch/powerpc/kernel/head_64.S | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S index 4690c219bfa4..63432a33ec49 100644 --- a/arch/powerpc/kernel/head_64.S +++ b/arch/powerpc/kernel/head_64.S @@ -647,8 +647,9 @@ __after_prom_start: * Note: This process overwrites the OF exception vectors. */ LOAD_REG_IMMEDIATE(r3, PAGE_OFFSET) - mr. r4,r26 /* In some cases the loader may */ - beq 9f /* have already put us at zero */ + mr r4,r26 /* Load the virtual source address into r4 */ + cmpld r3,r4 /* Check if source == dest */ + beq 9f /* If so skip the copy */ li r6,0x100 /* Start offset, the first 0x100 */ /* bytes were copied earlier. */ -- 2.25.1

1 year, 2 months

2
1
0 0

[PATCHv5 2/4] x86/tdx: Rename tdx_parse_tdinfo() to tdx_setup()

by Kirill A. Shutemov

Rename tdx_parse_tdinfo() to tdx_setup() and move setting NOTIFY_ENABLES there. The function will be extended to adjust TD configuration. Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> Reviewed-by: Kai Huang <kai.huang(a)intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/coco/tdx/tdx.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 64717a96a936..08ce488b54d0 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -193,7 +193,7 @@ static void __noreturn tdx_panic(const char *msg) __tdx_hypercall(&args); } -static void tdx_parse_tdinfo(u64 *cc_mask) +static void tdx_setup(u64 *cc_mask) { struct tdx_module_args args = {}; unsigned int gpa_width; @@ -218,6 +218,9 @@ static void tdx_parse_tdinfo(u64 *cc_mask) gpa_width = args.rcx & GENMASK(5, 0); *cc_mask = BIT_ULL(gpa_width - 1); + /* Kernel does not use NOTIFY_ENABLES and does not need random #VEs */ + tdg_vm_wr(TDCS_NOTIFY_ENABLES, 0, -1ULL); + /* * The kernel can not handle #VE's when accessing normal kernel * memory. Ensure that no #VE will be delivered for accesses to @@ -964,11 +967,11 @@ void __init tdx_early_init(void) setup_force_cpu_cap(X86_FEATURE_TSC_RELIABLE); cc_vendor = CC_VENDOR_INTEL; - tdx_parse_tdinfo(&cc_mask); - cc_set_mask(cc_mask); - /* Kernel does not use NOTIFY_ENABLES and does not need random #VEs */ - tdg_vm_wr(TDCS_NOTIFY_ENABLES, 0, -1ULL); + /* Configure the TD */ + tdx_setup(&cc_mask); + + cc_set_mask(cc_mask); /* * All bits above GPA width are reserved and kernel treats shared bit -- 2.43.0

1 year, 2 months

1
0
0 0

[PATCHv5 1/4] x86/tdx: Introduce wrappers to read and write TD metadata

by Kirill A. Shutemov

The TDG_VM_WR TDCALL is used to ask the TDX module to change some TD-specific VM configuration. There is currently only one user in the kernel of this TDCALL leaf. More will be added shortly. Refactor to make way for more users of TDG_VM_WR who will need to modify other TD configuration values. Add a wrapper for the TDG_VM_RD TDCALL that requests TD-specific metadata from the TDX module. There are currently no users for TDG_VM_RD. Mark it as __maybe_unused until the first user appears. This is preparation for enumeration and enabling optional TD features. Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Reviewed-by: Kai Huang <kai.huang(a)intel.com> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/coco/tdx/tdx.c | 32 ++++++++++++++++++++++++++----- arch/x86/include/asm/shared/tdx.h | 1 + 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 078e2bac2553..64717a96a936 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -77,6 +77,32 @@ static inline void tdcall(u64 fn, struct tdx_module_args *args) panic("TDCALL %lld failed (Buggy TDX module!)\n", fn); } +/* Read TD-scoped metadata */ +static inline u64 __maybe_unused tdg_vm_rd(u64 field, u64 *value) +{ + struct tdx_module_args args = { + .rdx = field, + }; + u64 ret; + + ret = __tdcall_ret(TDG_VM_RD, &args); + *value = args.r8; + + return ret; +} + +/* Write TD-scoped metadata */ +static inline u64 tdg_vm_wr(u64 field, u64 value, u64 mask) +{ + struct tdx_module_args args = { + .rdx = field, + .r8 = value, + .r9 = mask, + }; + + return __tdcall(TDG_VM_WR, &args); +} + /** * tdx_mcall_get_report0() - Wrapper to get TDREPORT0 (a.k.a. TDREPORT * subtype 0) using TDG.MR.REPORT TDCALL. @@ -924,10 +950,6 @@ static void tdx_kexec_finish(void) void __init tdx_early_init(void) { - struct tdx_module_args args = { - .rdx = TDCS_NOTIFY_ENABLES, - .r9 = -1ULL, - }; u64 cc_mask; u32 eax, sig[3]; @@ -946,7 +968,7 @@ void __init tdx_early_init(void) cc_set_mask(cc_mask); /* Kernel does not use NOTIFY_ENABLES and does not need random #VEs */ - tdcall(TDG_VM_WR, &args); + tdg_vm_wr(TDCS_NOTIFY_ENABLES, 0, -1ULL); /* * All bits above GPA width are reserved and kernel treats shared bit diff --git a/arch/x86/include/asm/shared/tdx.h b/arch/x86/include/asm/shared/tdx.h index fdfd41511b02..7e12cfa28bec 100644 --- a/arch/x86/include/asm/shared/tdx.h +++ b/arch/x86/include/asm/shared/tdx.h @@ -16,6 +16,7 @@ #define TDG_VP_VEINFO_GET 3 #define TDG_MR_REPORT 4 #define TDG_MEM_PAGE_ACCEPT 6 +#define TDG_VM_RD 7 #define TDG_VM_WR 8 /* TDCS fields. To be used by TDG.VM.WR and TDG.VM.RD module calls */ -- 2.43.0

1 year, 2 months

1
0
0 0

[PATCH v2 2/5] mei: vsc: Enhance SPI transfer of IVSC rom

by Wentong Wu

Constructing the SPI transfer command as per the specific request. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index 5f3195636e53..fed156919fda 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -331,7 +331,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf, void *ibuf, size_t len) return ret; } - ret = vsc_tp_dev_xfer(tp, tp->tx_buf, tp->rx_buf, len); + ret = vsc_tp_dev_xfer(tp, tp->tx_buf, ibuf ? tp->rx_buf : ibuf, len); if (ret) return ret; -- 2.34.1

1 year, 2 months

3
2
0 0

FAILED: patch "[PATCH] mm: fix race between __split_huge_pmd_locked() and GUP-fast" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061319-skater-sculptor-905f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") 4f83145721f3 ("mm: avoid unnecessary flush on change_huge_pmd()") c9fe66560bf2 ("mm/mprotect: do not flush when not required architecturally") 4a18419f71cd ("mm/mprotect: use mmu_gather") e346e6688c4a ("mm: thp: skip make PMD PROT_NONE if THP migration is not supported") f0953a1bbaca ("mm: fix typos in comments") e2db1a9aa381 ("kasan, mm: optimize kmalloc poisoning") 928501344fc6 ("kasan, mm: don't save alloc stacks twice") 2b8305260fb3 ("kfence, kasan: make KFENCE compatible with KASAN") 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure") 41139aa4c3a3 ("mm/filemap: add mapping_seek_hole_data") a1ba9da8f0f9 ("mm/hugetlb.c: fix unnecessary address expansion of pmd sharing") 611806b4bf8d ("kasan: fix bug detection via ksize for HW_TAGS mode") 027b37b552f3 ("kasan: move _RET_IP_ to inline wrappers") 573a48092313 ("kasan: add match-all tag tests") f00748bfa024 ("kasan: prefix global functions with kasan_") dbf53f7597be ("mm/mprotect.c: optimize error detection in do_mprotect_pkey()") 96667f8a4382 ("mm: Close race in generic_access_phys") 97593cad003c ("kasan: sanitize objects when metadata doesn't fit") 1ef3133bd3b8 ("kasan: simplify assign_tag and set_tag calls") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 Mon Sep 17 00:00:00 2001 From: Ryan Roberts <ryan.roberts(a)arm.com> Date: Wed, 1 May 2024 15:33:10 +0100 Subject: [PATCH] mm: fix race between __split_huge_pmd_locked() and GUP-fast __split_huge_pmd_locked() can be called for a present THP, devmap or (non-present) migration entry. It calls pmdp_invalidate() unconditionally on the pmdp and only determines if it is present or not based on the returned old pmd. This is a problem for the migration entry case because pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a present pmd. On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future call to pmd_present() will return true. And therefore any lockless pgtable walker could see the migration entry pmd in this state and start interpretting the fields as if it were present, leading to BadThings (TM). GUP-fast appears to be one such lockless pgtable walker. x86 does not suffer the above problem, but instead pmd_mkinvalid() will corrupt the offset field of the swap entry within the swap pte. See link below for discussion of that problem. Fix all of this by only calling pmdp_invalidate() for a present pmd. And for good measure let's add a warning to all implementations of pmdp_invalidate[_ad](). I've manually reviewed all other pmdp_invalidate[_ad]() call sites and believe all others to be conformant. This is a theoretical bug found during code review. I don't have any test case to trigger it in practice. Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Aneesh Kumar K.V <aneesh.kumar(a)kernel.org> Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: "David S. Miller" <davem(a)davemloft.net> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Naveen N. Rao <naveen.n.rao(a)linux.ibm.com> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/Documentation/mm/arch_pgtable_helpers.rst b/Documentation/mm/arch_pgtable_helpers.rst index 2466d3363af7..ad50ca6f495e 100644 --- a/Documentation/mm/arch_pgtable_helpers.rst +++ b/Documentation/mm/arch_pgtable_helpers.rst @@ -140,7 +140,8 @@ PMD Page Table Helpers +---------------------------+--------------------------------------------------+ | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | +---------------------------+--------------------------------------------------+ -| pmd_mkinvalid | Invalidates a mapped PMD [1] | +| pmd_mkinvalid | Invalidates a present PMD; do not call for | +| | non-present PMD [1] | +---------------------------+--------------------------------------------------+ | pmd_set_huge | Creates a PMD huge mapping | +---------------------------+--------------------------------------------------+ @@ -196,7 +197,8 @@ PUD Page Table Helpers +---------------------------+--------------------------------------------------+ | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | +---------------------------+--------------------------------------------------+ -| pud_mkinvalid | Invalidates a mapped PUD [1] | +| pud_mkinvalid | Invalidates a present PUD; do not call for | +| | non-present PUD [1] | +---------------------------+--------------------------------------------------+ | pud_set_huge | Creates a PUD huge mapping | +---------------------------+--------------------------------------------------+ diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c index 83823db3488b..2975ea0841ba 100644 --- a/arch/powerpc/mm/book3s64/pgtable.c +++ b/arch/powerpc/mm/book3s64/pgtable.c @@ -170,6 +170,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { unsigned long old_pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return __pmd(old_pmd); diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h index 2cb2a2e7b34b..558902edbfec 100644 --- a/arch/s390/include/asm/pgtable.h +++ b/arch/s390/include/asm/pgtable.h @@ -1769,8 +1769,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long addr, pmd_t *pmdp) { - pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); + pmd_t pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); } diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c index 19642f7ffb52..8648a50afe88 100644 --- a/arch/sparc/mm/tlb.c +++ b/arch/sparc/mm/tlb.c @@ -249,6 +249,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { pmd_t old, entry; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); old = pmdp_establish(vma, address, pmdp, entry); flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 94767c82fc0d..93e54ba91fbf 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -631,6 +631,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + /* * No flush is necessary. Once an invalid PTE is established, the PTE's * access and dirty bits cannot be updated. diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 08e4f3343bcd..ccdcff73284a 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2430,32 +2430,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, return __split_huge_zero_page_pmd(vma, haddr, pmd); } - /* - * Up to this point the pmd is present and huge and userland has the - * whole access to the hugepage during the split (which happens in - * place). If we overwrite the pmd with the not-huge version pointing - * to the pte here (which of course we could if all CPUs were bug - * free), userland could trigger a small page size TLB miss on the - * small sized TLB while the hugepage TLB entry is still established in - * the huge TLB. Some CPU doesn't like that. - * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum - * 383 on page 105. Intel should be safe but is also warns that it's - * only safe if the permission and cache attributes of the two entries - * loaded in the two TLB is identical (which should be the case here). - * But it is generally safer to never allow small and huge TLB entries - * for the same virtual address to be loaded simultaneously. So instead - * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the - * current pmd notpresent (atomically because here the pmd_trans_huge - * must remain set at all times on the pmd until the split is complete - * for this pmd), then we flush the SMP TLB and finally we write the - * non-huge version of the pmd entry with pmd_populate. - */ - old_pmd = pmdp_invalidate(vma, haddr, pmd); - - pmd_migration = is_pmd_migration_entry(old_pmd); + pmd_migration = is_pmd_migration_entry(*pmd); if (unlikely(pmd_migration)) { swp_entry_t entry; + old_pmd = *pmd; entry = pmd_to_swp_entry(old_pmd); page = pfn_swap_entry_to_page(entry); write = is_writable_migration_entry(entry); @@ -2466,6 +2445,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, soft_dirty = pmd_swp_soft_dirty(old_pmd); uffd_wp = pmd_swp_uffd_wp(old_pmd); } else { + /* + * Up to this point the pmd is present and huge and userland has + * the whole access to the hugepage during the split (which + * happens in place). If we overwrite the pmd with the not-huge + * version pointing to the pte here (which of course we could if + * all CPUs were bug free), userland could trigger a small page + * size TLB miss on the small sized TLB while the hugepage TLB + * entry is still established in the huge TLB. Some CPU doesn't + * like that. See + * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum + * 383 on page 105. Intel should be safe but is also warns that + * it's only safe if the permission and cache attributes of the + * two entries loaded in the two TLB is identical (which should + * be the case here). But it is generally safer to never allow + * small and huge TLB entries for the same virtual address to be + * loaded simultaneously. So instead of doing "pmd_populate(); + * flush_pmd_tlb_range();" we first mark the current pmd + * notpresent (atomically because here the pmd_trans_huge must + * remain set at all times on the pmd until the split is + * complete for this pmd), then we flush the SMP TLB and finally + * we write the non-huge version of the pmd entry with + * pmd_populate. + */ + old_pmd = pmdp_invalidate(vma, haddr, pmd); page = pmd_page(old_pmd); folio = page_folio(page); if (pmd_dirty(old_pmd)) { diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 4fcd959dcc4d..a78a4adf711a 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -198,6 +198,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp) pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return old; @@ -208,6 +209,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); return pmdp_invalidate(vma, address, pmdp); } #endif

1 year, 2 months

2
1
0 0

[PATCH net v3] net: usb: ax88179_178a: improve link status logs

by Jose Ignacio Tornos Martinez

Avoid spurious link status logs that may ultimately be wrong; for example, if the link is set to down with the cable plugged, then the cable is unplugged and after this the link is set to up, the last new log that is appearing is incorrectly telling that the link is up. In order to avoid errors, show link status logs after link_reset processing, and in order to avoid spurious as much as possible, only show the link loss when some link status change is detected. cc: stable(a)vger.kernel.org Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm(a)redhat.com> --- v3: - Add net as target tree in the subject. - Use constant string instead of variable because no other value is possible. v2: https://lore.kernel.org/netdev/20240618115054.101577-1-jtornosm@redhat.com/ - Fix the nits v1: https://lore.kernel.org/netdev/20240617103405.654567-1-jtornosm@redhat.com/ drivers/net/usb/ax88179_178a.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c index c2fb736f78b2..b034ef8a73ea 100644 --- a/drivers/net/usb/ax88179_178a.c +++ b/drivers/net/usb/ax88179_178a.c @@ -326,7 +326,8 @@ static void ax88179_status(struct usbnet *dev, struct urb *urb) if (netif_carrier_ok(dev->net) != link) { usbnet_link_change(dev, link, 1); - netdev_info(dev->net, "ax88179 - Link status is: %d\n", link); + if (!link) + netdev_info(dev->net, "ax88179 - Link status is: 0\n"); } } @@ -1542,6 +1543,7 @@ static int ax88179_link_reset(struct usbnet *dev) GMII_PHY_PHYSR, 2, &tmp16); if (!(tmp16 & GMII_PHY_PHYSR_LINK)) { + netdev_info(dev->net, "ax88179 - Link status is: 0\n"); return 0; } else if (GMII_PHY_PHYSR_GIGA == (tmp16 & GMII_PHY_PHYSR_SMASK)) { mode |= AX_MEDIUM_GIGAMODE | AX_MEDIUM_EN_125MHZ; @@ -1579,6 +1581,8 @@ static int ax88179_link_reset(struct usbnet *dev) netif_carrier_on(dev->net); + netdev_info(dev->net, "ax88179 - Link status is: 1\n"); + return 0; } -- 2.45.1

1 year, 2 months

3
2
0 0

FAILED: patch "[PATCH] mm: fix race between __split_huge_pmd_locked() and GUP-fast" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061316-brook-imaging-a202@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") 4f83145721f3 ("mm: avoid unnecessary flush on change_huge_pmd()") c9fe66560bf2 ("mm/mprotect: do not flush when not required architecturally") 4a18419f71cd ("mm/mprotect: use mmu_gather") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 Mon Sep 17 00:00:00 2001 From: Ryan Roberts <ryan.roberts(a)arm.com> Date: Wed, 1 May 2024 15:33:10 +0100 Subject: [PATCH] mm: fix race between __split_huge_pmd_locked() and GUP-fast __split_huge_pmd_locked() can be called for a present THP, devmap or (non-present) migration entry. It calls pmdp_invalidate() unconditionally on the pmdp and only determines if it is present or not based on the returned old pmd. This is a problem for the migration entry case because pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a present pmd. On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future call to pmd_present() will return true. And therefore any lockless pgtable walker could see the migration entry pmd in this state and start interpretting the fields as if it were present, leading to BadThings (TM). GUP-fast appears to be one such lockless pgtable walker. x86 does not suffer the above problem, but instead pmd_mkinvalid() will corrupt the offset field of the swap entry within the swap pte. See link below for discussion of that problem. Fix all of this by only calling pmdp_invalidate() for a present pmd. And for good measure let's add a warning to all implementations of pmdp_invalidate[_ad](). I've manually reviewed all other pmdp_invalidate[_ad]() call sites and believe all others to be conformant. This is a theoretical bug found during code review. I don't have any test case to trigger it in practice. Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Aneesh Kumar K.V <aneesh.kumar(a)kernel.org> Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: "David S. Miller" <davem(a)davemloft.net> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Naveen N. Rao <naveen.n.rao(a)linux.ibm.com> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/Documentation/mm/arch_pgtable_helpers.rst b/Documentation/mm/arch_pgtable_helpers.rst index 2466d3363af7..ad50ca6f495e 100644 --- a/Documentation/mm/arch_pgtable_helpers.rst +++ b/Documentation/mm/arch_pgtable_helpers.rst @@ -140,7 +140,8 @@ PMD Page Table Helpers +---------------------------+--------------------------------------------------+ | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | +---------------------------+--------------------------------------------------+ -| pmd_mkinvalid | Invalidates a mapped PMD [1] | +| pmd_mkinvalid | Invalidates a present PMD; do not call for | +| | non-present PMD [1] | +---------------------------+--------------------------------------------------+ | pmd_set_huge | Creates a PMD huge mapping | +---------------------------+--------------------------------------------------+ @@ -196,7 +197,8 @@ PUD Page Table Helpers +---------------------------+--------------------------------------------------+ | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | +---------------------------+--------------------------------------------------+ -| pud_mkinvalid | Invalidates a mapped PUD [1] | +| pud_mkinvalid | Invalidates a present PUD; do not call for | +| | non-present PUD [1] | +---------------------------+--------------------------------------------------+ | pud_set_huge | Creates a PUD huge mapping | +---------------------------+--------------------------------------------------+ diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c index 83823db3488b..2975ea0841ba 100644 --- a/arch/powerpc/mm/book3s64/pgtable.c +++ b/arch/powerpc/mm/book3s64/pgtable.c @@ -170,6 +170,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { unsigned long old_pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return __pmd(old_pmd); diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h index 2cb2a2e7b34b..558902edbfec 100644 --- a/arch/s390/include/asm/pgtable.h +++ b/arch/s390/include/asm/pgtable.h @@ -1769,8 +1769,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long addr, pmd_t *pmdp) { - pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); + pmd_t pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); } diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c index 19642f7ffb52..8648a50afe88 100644 --- a/arch/sparc/mm/tlb.c +++ b/arch/sparc/mm/tlb.c @@ -249,6 +249,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { pmd_t old, entry; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); old = pmdp_establish(vma, address, pmdp, entry); flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 94767c82fc0d..93e54ba91fbf 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -631,6 +631,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + /* * No flush is necessary. Once an invalid PTE is established, the PTE's * access and dirty bits cannot be updated. diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 08e4f3343bcd..ccdcff73284a 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2430,32 +2430,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, return __split_huge_zero_page_pmd(vma, haddr, pmd); } - /* - * Up to this point the pmd is present and huge and userland has the - * whole access to the hugepage during the split (which happens in - * place). If we overwrite the pmd with the not-huge version pointing - * to the pte here (which of course we could if all CPUs were bug - * free), userland could trigger a small page size TLB miss on the - * small sized TLB while the hugepage TLB entry is still established in - * the huge TLB. Some CPU doesn't like that. - * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum - * 383 on page 105. Intel should be safe but is also warns that it's - * only safe if the permission and cache attributes of the two entries - * loaded in the two TLB is identical (which should be the case here). - * But it is generally safer to never allow small and huge TLB entries - * for the same virtual address to be loaded simultaneously. So instead - * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the - * current pmd notpresent (atomically because here the pmd_trans_huge - * must remain set at all times on the pmd until the split is complete - * for this pmd), then we flush the SMP TLB and finally we write the - * non-huge version of the pmd entry with pmd_populate. - */ - old_pmd = pmdp_invalidate(vma, haddr, pmd); - - pmd_migration = is_pmd_migration_entry(old_pmd); + pmd_migration = is_pmd_migration_entry(*pmd); if (unlikely(pmd_migration)) { swp_entry_t entry; + old_pmd = *pmd; entry = pmd_to_swp_entry(old_pmd); page = pfn_swap_entry_to_page(entry); write = is_writable_migration_entry(entry); @@ -2466,6 +2445,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, soft_dirty = pmd_swp_soft_dirty(old_pmd); uffd_wp = pmd_swp_uffd_wp(old_pmd); } else { + /* + * Up to this point the pmd is present and huge and userland has + * the whole access to the hugepage during the split (which + * happens in place). If we overwrite the pmd with the not-huge + * version pointing to the pte here (which of course we could if + * all CPUs were bug free), userland could trigger a small page + * size TLB miss on the small sized TLB while the hugepage TLB + * entry is still established in the huge TLB. Some CPU doesn't + * like that. See + * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum + * 383 on page 105. Intel should be safe but is also warns that + * it's only safe if the permission and cache attributes of the + * two entries loaded in the two TLB is identical (which should + * be the case here). But it is generally safer to never allow + * small and huge TLB entries for the same virtual address to be + * loaded simultaneously. So instead of doing "pmd_populate(); + * flush_pmd_tlb_range();" we first mark the current pmd + * notpresent (atomically because here the pmd_trans_huge must + * remain set at all times on the pmd until the split is + * complete for this pmd), then we flush the SMP TLB and finally + * we write the non-huge version of the pmd entry with + * pmd_populate. + */ + old_pmd = pmdp_invalidate(vma, haddr, pmd); page = pmd_page(old_pmd); folio = page_folio(page); if (pmd_dirty(old_pmd)) { diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 4fcd959dcc4d..a78a4adf711a 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -198,6 +198,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp) pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return old; @@ -208,6 +209,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); return pmdp_invalidate(vma, address, pmdp); } #endif

1 year, 2 months

3
5
0 0

FAILED: patch "[PATCH] mm: fix race between __split_huge_pmd_locked() and GUP-fast" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061317-promoter-record-bc91@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") 4f83145721f3 ("mm: avoid unnecessary flush on change_huge_pmd()") c9fe66560bf2 ("mm/mprotect: do not flush when not required architecturally") 4a18419f71cd ("mm/mprotect: use mmu_gather") e346e6688c4a ("mm: thp: skip make PMD PROT_NONE if THP migration is not supported") f0953a1bbaca ("mm: fix typos in comments") e2db1a9aa381 ("kasan, mm: optimize kmalloc poisoning") 928501344fc6 ("kasan, mm: don't save alloc stacks twice") 2b8305260fb3 ("kfence, kasan: make KFENCE compatible with KASAN") 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure") 41139aa4c3a3 ("mm/filemap: add mapping_seek_hole_data") a1ba9da8f0f9 ("mm/hugetlb.c: fix unnecessary address expansion of pmd sharing") 611806b4bf8d ("kasan: fix bug detection via ksize for HW_TAGS mode") 027b37b552f3 ("kasan: move _RET_IP_ to inline wrappers") 573a48092313 ("kasan: add match-all tag tests") f00748bfa024 ("kasan: prefix global functions with kasan_") dbf53f7597be ("mm/mprotect.c: optimize error detection in do_mprotect_pkey()") 96667f8a4382 ("mm: Close race in generic_access_phys") 97593cad003c ("kasan: sanitize objects when metadata doesn't fit") 1ef3133bd3b8 ("kasan: simplify assign_tag and set_tag calls") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 Mon Sep 17 00:00:00 2001 From: Ryan Roberts <ryan.roberts(a)arm.com> Date: Wed, 1 May 2024 15:33:10 +0100 Subject: [PATCH] mm: fix race between __split_huge_pmd_locked() and GUP-fast __split_huge_pmd_locked() can be called for a present THP, devmap or (non-present) migration entry. It calls pmdp_invalidate() unconditionally on the pmdp and only determines if it is present or not based on the returned old pmd. This is a problem for the migration entry case because pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a present pmd. On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future call to pmd_present() will return true. And therefore any lockless pgtable walker could see the migration entry pmd in this state and start interpretting the fields as if it were present, leading to BadThings (TM). GUP-fast appears to be one such lockless pgtable walker. x86 does not suffer the above problem, but instead pmd_mkinvalid() will corrupt the offset field of the swap entry within the swap pte. See link below for discussion of that problem. Fix all of this by only calling pmdp_invalidate() for a present pmd. And for good measure let's add a warning to all implementations of pmdp_invalidate[_ad](). I've manually reviewed all other pmdp_invalidate[_ad]() call sites and believe all others to be conformant. This is a theoretical bug found during code review. I don't have any test case to trigger it in practice. Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Aneesh Kumar K.V <aneesh.kumar(a)kernel.org> Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: "David S. Miller" <davem(a)davemloft.net> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Naveen N. Rao <naveen.n.rao(a)linux.ibm.com> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/Documentation/mm/arch_pgtable_helpers.rst b/Documentation/mm/arch_pgtable_helpers.rst index 2466d3363af7..ad50ca6f495e 100644 --- a/Documentation/mm/arch_pgtable_helpers.rst +++ b/Documentation/mm/arch_pgtable_helpers.rst @@ -140,7 +140,8 @@ PMD Page Table Helpers +---------------------------+--------------------------------------------------+ | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | +---------------------------+--------------------------------------------------+ -| pmd_mkinvalid | Invalidates a mapped PMD [1] | +| pmd_mkinvalid | Invalidates a present PMD; do not call for | +| | non-present PMD [1] | +---------------------------+--------------------------------------------------+ | pmd_set_huge | Creates a PMD huge mapping | +---------------------------+--------------------------------------------------+ @@ -196,7 +197,8 @@ PUD Page Table Helpers +---------------------------+--------------------------------------------------+ | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | +---------------------------+--------------------------------------------------+ -| pud_mkinvalid | Invalidates a mapped PUD [1] | +| pud_mkinvalid | Invalidates a present PUD; do not call for | +| | non-present PUD [1] | +---------------------------+--------------------------------------------------+ | pud_set_huge | Creates a PUD huge mapping | +---------------------------+--------------------------------------------------+ diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c index 83823db3488b..2975ea0841ba 100644 --- a/arch/powerpc/mm/book3s64/pgtable.c +++ b/arch/powerpc/mm/book3s64/pgtable.c @@ -170,6 +170,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { unsigned long old_pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return __pmd(old_pmd); diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h index 2cb2a2e7b34b..558902edbfec 100644 --- a/arch/s390/include/asm/pgtable.h +++ b/arch/s390/include/asm/pgtable.h @@ -1769,8 +1769,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long addr, pmd_t *pmdp) { - pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); + pmd_t pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); } diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c index 19642f7ffb52..8648a50afe88 100644 --- a/arch/sparc/mm/tlb.c +++ b/arch/sparc/mm/tlb.c @@ -249,6 +249,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { pmd_t old, entry; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); old = pmdp_establish(vma, address, pmdp, entry); flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 94767c82fc0d..93e54ba91fbf 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -631,6 +631,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + /* * No flush is necessary. Once an invalid PTE is established, the PTE's * access and dirty bits cannot be updated. diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 08e4f3343bcd..ccdcff73284a 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2430,32 +2430,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, return __split_huge_zero_page_pmd(vma, haddr, pmd); } - /* - * Up to this point the pmd is present and huge and userland has the - * whole access to the hugepage during the split (which happens in - * place). If we overwrite the pmd with the not-huge version pointing - * to the pte here (which of course we could if all CPUs were bug - * free), userland could trigger a small page size TLB miss on the - * small sized TLB while the hugepage TLB entry is still established in - * the huge TLB. Some CPU doesn't like that. - * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum - * 383 on page 105. Intel should be safe but is also warns that it's - * only safe if the permission and cache attributes of the two entries - * loaded in the two TLB is identical (which should be the case here). - * But it is generally safer to never allow small and huge TLB entries - * for the same virtual address to be loaded simultaneously. So instead - * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the - * current pmd notpresent (atomically because here the pmd_trans_huge - * must remain set at all times on the pmd until the split is complete - * for this pmd), then we flush the SMP TLB and finally we write the - * non-huge version of the pmd entry with pmd_populate. - */ - old_pmd = pmdp_invalidate(vma, haddr, pmd); - - pmd_migration = is_pmd_migration_entry(old_pmd); + pmd_migration = is_pmd_migration_entry(*pmd); if (unlikely(pmd_migration)) { swp_entry_t entry; + old_pmd = *pmd; entry = pmd_to_swp_entry(old_pmd); page = pfn_swap_entry_to_page(entry); write = is_writable_migration_entry(entry); @@ -2466,6 +2445,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, soft_dirty = pmd_swp_soft_dirty(old_pmd); uffd_wp = pmd_swp_uffd_wp(old_pmd); } else { + /* + * Up to this point the pmd is present and huge and userland has + * the whole access to the hugepage during the split (which + * happens in place). If we overwrite the pmd with the not-huge + * version pointing to the pte here (which of course we could if + * all CPUs were bug free), userland could trigger a small page + * size TLB miss on the small sized TLB while the hugepage TLB + * entry is still established in the huge TLB. Some CPU doesn't + * like that. See + * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum + * 383 on page 105. Intel should be safe but is also warns that + * it's only safe if the permission and cache attributes of the + * two entries loaded in the two TLB is identical (which should + * be the case here). But it is generally safer to never allow + * small and huge TLB entries for the same virtual address to be + * loaded simultaneously. So instead of doing "pmd_populate(); + * flush_pmd_tlb_range();" we first mark the current pmd + * notpresent (atomically because here the pmd_trans_huge must + * remain set at all times on the pmd until the split is + * complete for this pmd), then we flush the SMP TLB and finally + * we write the non-huge version of the pmd entry with + * pmd_populate. + */ + old_pmd = pmdp_invalidate(vma, haddr, pmd); page = pmd_page(old_pmd); folio = page_folio(page); if (pmd_dirty(old_pmd)) { diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 4fcd959dcc4d..a78a4adf711a 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -198,6 +198,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp) pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return old; @@ -208,6 +209,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); return pmdp_invalidate(vma, address, pmdp); } #endif

1 year, 2 months

2
1
0 0

[PATCH 6.1 00/85] 6.1.94-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.94 release. There are 85 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 15 Jun 2024 11:31:50 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.94-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.94-rc1 Enzo Matsumiya <ematsumiya(a)suse.de> smb: client: fix deadlock in smb2_find_smb_tcon() Puranjay Mohan <puranjay(a)kernel.org> powerpc/bpf: enforce full ordering for ATOMIC operations with BPF_FETCH Omar Sandoval <osandov(a)fb.com> btrfs: fix crash on racing fsync and size-extending write into prealloc Anna Schumaker <Anna.Schumaker(a)Netapp.com> NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS Sergey Shtylyov <s.shtylyov(a)omp.ru> nfs: fix undefined behavior in nfs_block_bits() Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> EDAC/igen6: Convert PCIBIOS_* return codes to errnos Frank Li <Frank.Li(a)nxp.com> i3c: master: svc: fix invalidate IBI type and miss call client IBI handler Harald Freudenberger <freude(a)linux.ibm.com> s390/cpacf: Make use of invalid opcode produce a link error Harald Freudenberger <freude(a)linux.ibm.com> s390/cpacf: Split and rework cpacf query functions Harald Freudenberger <freude(a)linux.ibm.com> s390/ap: Fix crash in AP internal function modify_bitmap() Helge Deller <deller(a)kernel.org> parisc: Define sigset_t in parisc uapi header Helge Deller <deller(a)gmx.de> parisc: Define HAVE_ARCH_HUGETLB_UNMAPPED_AREA Baokun Li <libaokun1(a)huawei.com> ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() Baokun Li <libaokun1(a)huawei.com> ext4: set type of ac_groups_linear_remaining to __u32 to avoid overflow Mike Gilbert <floppym(a)gentoo.org> sparc: move struct termio to asm/termios.h Eric Dumazet <edumazet(a)google.com> net: fix __dst_negative_advice() race Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Use format-specifiers rather than memset() for padding in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Merge identical case statements in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Fix console handling when editing and tab-completing commands Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Use format-strings rather than '\0' injection in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Fix buffer overflow during tab-complete Judith Mendez <jm(a)ti.com> watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin Frank van der Linden <fvdl(a)google.com> mm/hugetlb: pass correct order_per_bit to cma_declare_contiguous_nid Frank van der Linden <fvdl(a)google.com> mm/cma: drop incorrect alignment check in cma_init_reserved_mem Sam Ravnborg <sam(a)ravnborg.org> sparc64: Fix number of online CPUs Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Meteor Lake-S CPU support Dhananjay Ugwekar <Dhananjay.Ugwekar(a)amd.com> cpufreq: amd-pstate: Fix the inconsistency in max frequency units Alexander Potapenko <glider(a)google.com> kmsan: do not wipe out origin when doing partial unpoisoning Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net/9p: fix uninit-value in p9_client_rpc() xu xin <xu.xin16(a)zte.com.cn> net/ipv6: Fix route deleting failure when metric equals 0 Martin K. Petersen <martin.petersen(a)oracle.com> scsi: core: Handle devices which return an unusually large VPD page count Ryan Roberts <ryan.roberts(a)arm.com> mm: fix race between __split_huge_pmd_locked() and GUP-fast Herbert Xu <herbert(a)gondor.apana.org.au> crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Vitaly Chikunov <vt(a)altlinux.org> crypto: ecrdsa - Fix module auto-load on add_key Stefan Berger <stefanb(a)linux.ibm.com> crypto: ecdsa - Fix module auto-load on add-key Marc Zyngier <maz(a)kernel.org> KVM: arm64: AArch32: Fix spurious trapping of conditional instructions Marc Zyngier <maz(a)kernel.org> KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode Marc Zyngier <maz(a)kernel.org> KVM: arm64: Fix AArch32 register narrowing on userspace write Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Fix shutdown (again) on some SMU v13.0.4/11 platforms Dominique Martinet <asmadeus(a)codewreck.org> 9p: add missing locking around taking dentry fid list Li Ma <li.ma(a)amd.com> drm/amdgpu/atomfirmware: add intergrated info v2.3 table Cai Xinchen <caixinchen1(a)huawei.com> fbdev: savage: Handle err return when savagefb_check_var failed Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Add quirk to enable pull-up on the card-detect GPIO on Asus T100TA Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Sort DMI quirks alphabetically Adrian Hunter <adrian.hunter(a)intel.com> mmc: sdhci: Add support for "Tuning Error" interrupts Hans de Goede <hdegoede(a)redhat.com> mmc: core: Add mmc_gpiod_set_cd_config() function Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: v4l2-core: hold videodev_lock until dev reg, finishes Nathan Chancellor <nathan(a)kernel.org> media: mxl5xx: Move xpt structures off stack Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: mc: mark the media devnode as registered from the, start Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> media: mc: Fix graph walk in media_pipeline_start Yang Xiwen <forbidden405(a)outlook.com> arm64: dts: hi3798cv200: fix the size of GICR Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: pci: correct TX resource checking for PCI DMA channel of firmware command Yu Kuai <yukuai3(a)huawei.com> md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: qcs404: fix bluetooth device address Krzysztof Kozlowski <krzk(a)kernel.org> arm64: tegra: Correct Tegra132 I2C alias Christoffer Sandberg <cs(a)tuxedo.de> ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx Maulik Shah <quic_mkshah(a)quicinc.com> soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request Konrad Dybcio <konrad.dybcio(a)linaro.org> thermal/drivers/qcom/lmh: Check for SCM availability at probe Sergey Shtylyov <s.shtylyov(a)omp.ru> ata: pata_legacy: make legacy_exit() work again Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: correct aSIFSTime for 6GHz band Matthew Mirvish <matthew(a)mm12.xyz> bcache: fix variable length array abuse in btree_iter Bob Zhou <bob.zhou(a)amd.com> drm/amdgpu: add error handle to avoid out-of-bounds Zheyu Ma <zheyuma97(a)gmail.com> media: lgdt3306a: Add a check against null-pointer-def Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix SB_* constants parsing Daniel Borkmann <daniel(a)iogearbox.net> vxlan: Fix regression when dropping packets due to invalid src addresses Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: fix full TCP keep-alive support Paolo Abeni <pabeni(a)redhat.com> mptcp: cleanup SOL_TCP handling Paolo Abeni <pabeni(a)redhat.com> mptcp: avoid some duplicate code in socket option handling Chaitanya Kumar Borah <chaitanya.kumar.borah(a)intel.com> drm/i915/audio: Fix audio time stamp programming for DP Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix use-after-free of timer for log writer thread Haorong Lu <ancientmodern4(a)gmail.com> riscv: signal: handle syscall restart before get_signal Marc Dionne <marc.dionne(a)auristor.com> afs: Don't cross .backup mountpoint from backup volume Jorge Ramirez-Ortiz <jorge(a)foundries.io> mmc: core: Do not force a retune before RPMB switch Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix mas_empty_area_rev() null pointer dereference Peng Zhang <zhangpeng.00(a)bytedance.com> maple_tree: fix allocation in mas_sparse_area() Dan Gora <dan.gora(a)gmail.com> Bluetooth: btrtl: Add missing MODULE_FIRMWARE declarations Shradha Gupta <shradhagupta(a)linux.microsoft.com> drm: Check polling initialized before enabling in drm_helper_probe_single_connector_modes Shradha Gupta <shradhagupta(a)linux.microsoft.com> drm: Check output polling initialized before disabling ------------- Diffstat: Documentation/mm/arch_pgtable_helpers.rst | 6 +- Makefile | 4 +- arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi | 2 +- arch/arm64/boot/dts/nvidia/tegra132-norrin.dts | 4 +- arch/arm64/boot/dts/nvidia/tegra132.dtsi | 2 +- arch/arm64/boot/dts/qcom/qcs404-evb.dtsi | 2 +- arch/arm64/kvm/guest.c | 3 +- arch/arm64/kvm/hyp/aarch32.c | 18 ++- arch/parisc/include/asm/page.h | 1 + arch/parisc/include/asm/signal.h | 12 -- arch/parisc/include/uapi/asm/signal.h | 10 ++ arch/powerpc/mm/book3s64/pgtable.c | 1 + arch/powerpc/net/bpf_jit_comp32.c | 12 ++ arch/powerpc/net/bpf_jit_comp64.c | 12 ++ arch/riscv/kernel/signal.c | 95 +++++++------- arch/s390/include/asm/cpacf.h | 109 +++++++++++++--- arch/s390/include/asm/pgtable.h | 4 +- arch/sparc/include/asm/smp_64.h | 2 - arch/sparc/include/uapi/asm/termbits.h | 10 -- arch/sparc/include/uapi/asm/termios.h | 9 ++ arch/sparc/kernel/prom_64.c | 4 +- arch/sparc/kernel/setup_64.c | 1 - arch/sparc/kernel/smp_64.c | 14 -- arch/sparc/mm/tlb.c | 1 + arch/x86/mm/pgtable.c | 2 + crypto/ecdsa.c | 3 + crypto/ecrdsa.c | 1 + drivers/acpi/resource.c | 12 ++ drivers/ata/pata_legacy.c | 8 +- drivers/bluetooth/btrtl.c | 18 ++- drivers/cpufreq/amd-pstate.c | 2 +- drivers/crypto/qat/qat_common/adf_aer.c | 19 +-- drivers/edac/igen6_edac.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_atomfirmware.c | 15 +++ drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 3 + drivers/gpu/drm/amd/include/atomfirmware.h | 43 ++++++ .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c | 20 +-- drivers/gpu/drm/drm_modeset_helper.c | 19 ++- drivers/gpu/drm/drm_probe_helper.c | 15 ++- drivers/gpu/drm/i915/display/intel_audio.c | 116 ++--------------- drivers/hwtracing/intel_th/pci.c | 5 + drivers/i3c/master/svc-i3c-master.c | 16 ++- drivers/md/bcache/bset.c | 44 +++---- drivers/md/bcache/bset.h | 28 ++-- drivers/md/bcache/btree.c | 40 +++--- drivers/md/bcache/super.c | 5 +- drivers/md/bcache/sysfs.c | 2 +- drivers/md/bcache/writeback.c | 10 +- drivers/md/raid5.c | 15 +-- drivers/media/dvb-frontends/lgdt3306a.c | 5 + drivers/media/dvb-frontends/mxl5xx.c | 22 ++-- drivers/media/mc/mc-devnode.c | 5 +- drivers/media/mc/mc-entity.c | 6 + drivers/media/v4l2-core/v4l2-dev.c | 3 + drivers/mmc/core/host.c | 3 +- drivers/mmc/core/slot-gpio.c | 20 +++ drivers/mmc/host/sdhci-acpi.c | 61 ++++++++- drivers/mmc/host/sdhci.c | 10 +- drivers/mmc/host/sdhci.h | 3 +- drivers/net/vxlan/vxlan_core.c | 4 - .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 25 ++-- .../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 4 +- .../net/wireless/realtek/rtlwifi/rtl8192de/trx.c | 21 ++- .../net/wireless/realtek/rtlwifi/rtl8192de/trx.h | 79 +++-------- drivers/net/wireless/realtek/rtw89/mac80211.c | 2 +- drivers/net/wireless/realtek/rtw89/pci.c | 3 +- drivers/s390/crypto/ap_bus.c | 2 +- drivers/scsi/scsi.c | 7 + drivers/soc/qcom/cmd-db.c | 32 ++++- drivers/soc/qcom/rpmh-rsc.c | 3 +- drivers/thermal/qcom/lmh.c | 3 + drivers/video/fbdev/savage/savagefb_driver.c | 5 +- drivers/watchdog/rti_wdt.c | 34 +++-- fs/9p/vfs_dentry.c | 9 +- fs/afs/mntpt.c | 5 + fs/btrfs/tree-log.c | 17 ++- fs/ext4/mballoc.h | 2 +- fs/ext4/xattr.c | 4 +- fs/f2fs/inode.c | 6 + fs/nfs/internal.h | 4 +- fs/nfs/nfs4proc.c | 2 +- fs/nilfs2/segment.c | 25 +++- fs/smb/client/smb2transport.c | 2 +- include/linux/mmc/slot-gpio.h | 1 + include/net/dst_ops.h | 2 +- include/net/sock.h | 13 +- include/soc/qcom/cmd-db.h | 10 +- kernel/debug/kdb/kdb_io.c | 99 ++++++++------ lib/maple_tree.c | 55 ++++---- mm/cma.c | 4 - mm/huge_memory.c | 49 +++---- mm/hugetlb.c | 6 +- mm/kmsan/core.c | 15 ++- mm/pgtable-generic.c | 2 + net/9p/client.c | 2 + net/ipv4/route.c | 22 ++-- net/ipv6/route.c | 34 ++--- net/mptcp/protocol.h | 3 + net/mptcp/sockopt.c | 144 +++++++++++++++------ net/xfrm/xfrm_policy.c | 11 +- scripts/gdb/linux/constants.py.in | 12 +- 101 files changed, 1030 insertions(+), 695 deletions(-)

1 year, 2 months

13
98
0 0

[PATCH] MIPS: pci: lantiq: restore reset gpio polarity

by Martin Schiller

Commit 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") not only switched to the gpiod API, but also inverted / changed the polarity of the GPIO. According to the PCI specification, the RST# pin is an active-low signal. However, most of the device trees that have been widely used for a long time (mainly in the openWrt project) define this GPIO as active-high and the old driver code inverted the signal internally. Apparently there are actually boards where the reset gpio must be operated inverted. For this reason, we cannot use the GPIOD_OUT_LOW/HIGH flag for initialization. Instead, we must explicitly set the gpio to value 1 in order to take into account any "GPIO_ACTIVE_LOW" flag that may have been set. In order to remain compatible with all these existing device trees, we should therefore keep the logic as it was before the commit. Fixes: 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") Cc: stable(a)vger.kernel.org Signed-off-by: Martin Schiller <ms(a)dev.tdt.de> --- arch/mips/pci/pci-lantiq.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/mips/pci/pci-lantiq.c b/arch/mips/pci/pci-lantiq.c index 68a8cefed420..0844db34022e 100644 --- a/arch/mips/pci/pci-lantiq.c +++ b/arch/mips/pci/pci-lantiq.c @@ -124,14 +124,14 @@ static int ltq_pci_startup(struct platform_device *pdev) clk_disable(clk_external); /* setup reset gpio used by pci */ - reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset", - GPIOD_OUT_LOW); + reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_ASIS); error = PTR_ERR_OR_ZERO(reset_gpio); if (error) { dev_err(&pdev->dev, "failed to request gpio: %d\n", error); return error; } gpiod_set_consumer_name(reset_gpio, "pci_reset"); + gpiod_direction_output(reset_gpio, 1); /* enable auto-switching between PCI and EBU */ ltq_pci_w32(0xa, PCI_CR_CLK_CTRL); @@ -194,10 +194,10 @@ static int ltq_pci_startup(struct platform_device *pdev) /* toggle reset pin */ if (reset_gpio) { - gpiod_set_value_cansleep(reset_gpio, 1); + gpiod_set_value_cansleep(reset_gpio, 0); wmb(); mdelay(1); - gpiod_set_value_cansleep(reset_gpio, 0); + gpiod_set_value_cansleep(reset_gpio, 1); } return 0; } -- 2.39.2

1 year, 2 months

4
14
0 0

[PATCH v2] clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor

by Dexuan Cui

In a TDX VM without paravisor, currently the default timer is the Hyper-V timer, which depends on the slow VM Reference Counter MSR: the Hyper-V TSC page is not enabled in such a VM because the VM uses Invariant TSC as a better clocksource and it's challenging to mark the Hyper-V TSC page shared in very early boot. Lower the rating of the Hyper-V timer so the local APIC timer becomes the the default timer in such a VM, and print a warning in case Invariant TSC is unavailable in such a VM. This change should cause no perceivable performance difference. Cc: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Signed-off-by: Dexuan Cui <decui(a)microsoft.com> --- Changes in v2: Improved the comments in ms_hyperv_init_platform() [Michael Kelley] Added "print a warning in case Invariant TSC unavailable" in the changelog. Added Roman's Reviewed-by. arch/x86/kernel/cpu/mshyperv.c | 16 +++++++++++++++- drivers/clocksource/hyperv_timer.c | 16 +++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index e0fd57a8ba840..954b7cbfa2f02 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -449,9 +449,23 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.hints &= ~HV_X64_APIC_ACCESS_RECOMMENDED; if (!ms_hyperv.paravisor_present) { - /* To be supported: more work is required. */ + /* + * Mark the Hyper-V TSC page feature as disabled + * in a TDX VM without paravisor so that the + * Invariant TSC, which is a better clocksource + * anyway, is used instead. + */ ms_hyperv.features &= ~HV_MSR_REFERENCE_TSC_AVAILABLE; + /* + * The Invariant TSC is expected to be available + * in a TDX VM without paravisor, but if not, + * print a warning message. The slower Hyper-V MSR-based + * Ref Counter should end up being the clocksource. + */ + if (!(ms_hyperv.features & HV_ACCESS_TSC_INVARIANT)) + pr_warn("Hyper-V: Invariant TSC is unavailable\n"); + /* HV_MSR_CRASH_CTL is unsupported. */ ms_hyperv.misc_features &= ~HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE; diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c index b2a080647e413..99177835cadec 100644 --- a/drivers/clocksource/hyperv_timer.c +++ b/drivers/clocksource/hyperv_timer.c @@ -137,7 +137,21 @@ static int hv_stimer_init(unsigned int cpu) ce->name = "Hyper-V clockevent"; ce->features = CLOCK_EVT_FEAT_ONESHOT; ce->cpumask = cpumask_of(cpu); - ce->rating = 1000; + + /* + * Lower the rating of the Hyper-V timer in a TDX VM without paravisor, + * so the local APIC timer (lapic_clockevent) is the default timer in + * such a VM. The Hyper-V timer is not preferred in such a VM because + * it depends on the slow VM Reference Counter MSR (the Hyper-V TSC + * page is not enbled in such a VM because the VM uses Invariant TSC + * as a better clocksource and it's challenging to mark the Hyper-V + * TSC page shared in very early boot). + */ + if (!ms_hyperv.paravisor_present && hv_isolation_type_tdx()) + ce->rating = 90; + else + ce->rating = 1000; + ce->set_state_shutdown = hv_ce_shutdown; ce->set_state_oneshot = hv_ce_set_oneshot; ce->set_next_event = hv_ce_set_next_event; -- 2.25.1

1 year, 2 months

3
2
0 0

[PATCH v2 4/5] mei: vsc: Prevent timeout error with added delay post-firmware download

by Wentong Wu

After completing the firmware download, the firmware requires some time to become functional. This change introduces additional sleep time before the first read operation to prevent a confusing timeout error in vsc_tp_xfer(). Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/platform-vsc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/misc/mei/platform-vsc.c b/drivers/misc/mei/platform-vsc.c index 1ec65d87488a..d02f6e881139 100644 --- a/drivers/misc/mei/platform-vsc.c +++ b/drivers/misc/mei/platform-vsc.c @@ -28,8 +28,8 @@ #define MEI_VSC_MAX_MSG_SIZE 512 -#define MEI_VSC_POLL_DELAY_US (50 * USEC_PER_MSEC) -#define MEI_VSC_POLL_TIMEOUT_US (200 * USEC_PER_MSEC) +#define MEI_VSC_POLL_DELAY_US (100 * USEC_PER_MSEC) +#define MEI_VSC_POLL_TIMEOUT_US (400 * USEC_PER_MSEC) #define mei_dev_to_vsc_hw(dev) ((struct mei_vsc_hw *)((dev)->hw)) -- 2.34.1

1 year, 2 months

1
0
0 0

[PATCH v2 3/5] mei: vsc: Utilize the appropriate byte order swap function

by Wentong Wu

Switch from cpu_to_be32_array() to be32_to_cpu_array() for the received rom data. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index fed156919fda..12236599649e 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -336,7 +336,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf, void *ibuf, size_t len) return ret; if (ibuf) - cpu_to_be32_array(ibuf, tp->rx_buf, words); + be32_to_cpu_array(ibuf, tp->rx_buf, words); return ret; } -- 2.34.1

1 year, 2 months

1
0
0 0

[PATCH v2 1/5] mei: vsc: Enhance IVSC chipset stability during warm reboot

by Wentong Wu

During system shutdown, incorporate reset logic to ensure the IVSC chipset remains in a valid state. This adjustment guarantees that the IVSC chipset operates in a known state following a warm reboot. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index e6a98dba8a73..5f3195636e53 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -568,6 +568,19 @@ static void vsc_tp_remove(struct spi_device *spi) free_irq(spi->irq, tp); } +static void vsc_tp_shutdown(struct spi_device *spi) +{ + struct vsc_tp *tp = spi_get_drvdata(spi); + + platform_device_unregister(tp->pdev); + + mutex_destroy(&tp->mutex); + + vsc_tp_reset(tp); + + free_irq(spi->irq, tp); +} + static const struct acpi_device_id vsc_tp_acpi_ids[] = { { "INTC1009" }, /* Raptor Lake */ { "INTC1058" }, /* Tiger Lake */ @@ -580,6 +593,7 @@ MODULE_DEVICE_TABLE(acpi, vsc_tp_acpi_ids); static struct spi_driver vsc_tp_driver = { .probe = vsc_tp_probe, .remove = vsc_tp_remove, + .shutdown = vsc_tp_shutdown, .driver = { .name = "vsc-tp", .acpi_match_table = vsc_tp_acpi_ids, -- 2.34.1

1 year, 2 months

1
0
0 0

Re: Patch "netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type" has been added to the 6.9-stable tree

by Pablo Neira Ayuso

Hi Sasha, This fix requires a follow up to silence a RCU suspicious usage warning. Please, hold on until end of the week with this. I will get back to you with a reminder if it helps. Thanks. On Mon, Jun 17, 2024 at 07:33:41AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type > > to the 6.9-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > netfilter-ipset-fix-race-between-namespace-cleanup-a.patch > and it can be found in the queue-6.9 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit c93a9ac4a5e09f694873b3abca7eb42c93f34220 > Author: Jozsef Kadlecsik <kadlec(a)netfilter.org> > Date: Tue Jun 4 15:58:03 2024 +0200 > > netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type > > [ Upstream commit 4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10 ] > > Lion Ackermann reported that there is a race condition between namespace cleanup > in ipset and the garbage collection of the list:set type. The namespace > cleanup can destroy the list:set type of sets while the gc of the set type is > waiting to run in rcu cleanup. The latter uses data from the destroyed set which > thus leads use after free. The patch contains the following parts: > > - When destroying all sets, first remove the garbage collectors, then wait > if needed and then destroy the sets. > - Fix the badly ordered "wait then remove gc" for the destroy a single set > case. > - Fix the missing rcu locking in the list:set type in the userspace test > case. > - Use proper RCU list handlings in the list:set type. > > The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc). > > Fixes: 97f7cf1cd80e (netfilter: ipset: fix performance regression in swap operation) > Reported-by: Lion Ackermann <nnamrec(a)gmail.com> > Tested-by: Lion Ackermann <nnamrec(a)gmail.com> > Signed-off-by: Jozsef Kadlecsik <kadlec(a)netfilter.org> > Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c > index 3184cc6be4c9d..c7ae4d9bf3d24 100644 > --- a/net/netfilter/ipset/ip_set_core.c > +++ b/net/netfilter/ipset/ip_set_core.c > @@ -1172,23 +1172,50 @@ ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = { > .len = IPSET_MAXNAMELEN - 1 }, > }; > > +/* In order to return quickly when destroying a single set, it is split > + * into two stages: > + * - Cancel garbage collector > + * - Destroy the set itself via call_rcu() > + */ > + > static void > -ip_set_destroy_set(struct ip_set *set) > +ip_set_destroy_set_rcu(struct rcu_head *head) > { > - pr_debug("set: %s\n", set->name); > + struct ip_set *set = container_of(head, struct ip_set, rcu); > > - /* Must call it without holding any lock */ > set->variant->destroy(set); > module_put(set->type->me); > kfree(set); > } > > static void > -ip_set_destroy_set_rcu(struct rcu_head *head) > +_destroy_all_sets(struct ip_set_net *inst) > { > - struct ip_set *set = container_of(head, struct ip_set, rcu); > + struct ip_set *set; > + ip_set_id_t i; > + bool need_wait = false; > > - ip_set_destroy_set(set); > + /* First cancel gc's: set:list sets are flushed as well */ > + for (i = 0; i < inst->ip_set_max; i++) { > + set = ip_set(inst, i); > + if (set) { > + set->variant->cancel_gc(set); > + if (set->type->features & IPSET_TYPE_NAME) > + need_wait = true; > + } > + } > + /* Must wait for flush to be really finished */ > + if (need_wait) > + rcu_barrier(); > + for (i = 0; i < inst->ip_set_max; i++) { > + set = ip_set(inst, i); > + if (set) { > + ip_set(inst, i) = NULL; > + set->variant->destroy(set); > + module_put(set->type->me); > + kfree(set); > + } > + } > } > > static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info, > @@ -1202,11 +1229,10 @@ static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info, > if (unlikely(protocol_min_failed(attr))) > return -IPSET_ERR_PROTOCOL; > > - > /* Commands are serialized and references are > * protected by the ip_set_ref_lock. > * External systems (i.e. xt_set) must call > - * ip_set_put|get_nfnl_* functions, that way we > + * ip_set_nfnl_get_* functions, that way we > * can safely check references here. > * > * list:set timer can only decrement the reference > @@ -1214,8 +1240,6 @@ static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info, > * without holding the lock. > */ > if (!attr[IPSET_ATTR_SETNAME]) { > - /* Must wait for flush to be really finished in list:set */ > - rcu_barrier(); > read_lock_bh(&ip_set_ref_lock); > for (i = 0; i < inst->ip_set_max; i++) { > s = ip_set(inst, i); > @@ -1226,15 +1250,7 @@ static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info, > } > inst->is_destroyed = true; > read_unlock_bh(&ip_set_ref_lock); > - for (i = 0; i < inst->ip_set_max; i++) { > - s = ip_set(inst, i); > - if (s) { > - ip_set(inst, i) = NULL; > - /* Must cancel garbage collectors */ > - s->variant->cancel_gc(s); > - ip_set_destroy_set(s); > - } > - } > + _destroy_all_sets(inst); > /* Modified by ip_set_destroy() only, which is serialized */ > inst->is_destroyed = false; > } else { > @@ -1255,12 +1271,12 @@ static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info, > features = s->type->features; > ip_set(inst, i) = NULL; > read_unlock_bh(&ip_set_ref_lock); > + /* Must cancel garbage collectors */ > + s->variant->cancel_gc(s); > if (features & IPSET_TYPE_NAME) { > /* Must wait for flush to be really finished */ > rcu_barrier(); > } > - /* Must cancel garbage collectors */ > - s->variant->cancel_gc(s); > call_rcu(&s->rcu, ip_set_destroy_set_rcu); > } > return 0; > @@ -2365,30 +2381,25 @@ ip_set_net_init(struct net *net) > } > > static void __net_exit > -ip_set_net_exit(struct net *net) > +ip_set_net_pre_exit(struct net *net) > { > struct ip_set_net *inst = ip_set_pernet(net); > > - struct ip_set *set = NULL; > - ip_set_id_t i; > - > inst->is_deleted = true; /* flag for ip_set_nfnl_put */ > +} > > - nfnl_lock(NFNL_SUBSYS_IPSET); > - for (i = 0; i < inst->ip_set_max; i++) { > - set = ip_set(inst, i); > - if (set) { > - ip_set(inst, i) = NULL; > - set->variant->cancel_gc(set); > - ip_set_destroy_set(set); > - } > - } > - nfnl_unlock(NFNL_SUBSYS_IPSET); > +static void __net_exit > +ip_set_net_exit(struct net *net) > +{ > + struct ip_set_net *inst = ip_set_pernet(net); > + > + _destroy_all_sets(inst); > kvfree(rcu_dereference_protected(inst->ip_set_list, 1)); > } > > static struct pernet_operations ip_set_net_ops = { > .init = ip_set_net_init, > + .pre_exit = ip_set_net_pre_exit, > .exit = ip_set_net_exit, > .id = &ip_set_net_id, > .size = sizeof(struct ip_set_net), > diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c > index 54e2a1dd7f5f5..bfae7066936bb 100644 > --- a/net/netfilter/ipset/ip_set_list_set.c > +++ b/net/netfilter/ipset/ip_set_list_set.c > @@ -79,7 +79,7 @@ list_set_kadd(struct ip_set *set, const struct sk_buff *skb, > struct set_elem *e; > int ret; > > - list_for_each_entry(e, &map->members, list) { > + list_for_each_entry_rcu(e, &map->members, list) { > if (SET_WITH_TIMEOUT(set) && > ip_set_timeout_expired(ext_timeout(e, set))) > continue; > @@ -99,7 +99,7 @@ list_set_kdel(struct ip_set *set, const struct sk_buff *skb, > struct set_elem *e; > int ret; > > - list_for_each_entry(e, &map->members, list) { > + list_for_each_entry_rcu(e, &map->members, list) { > if (SET_WITH_TIMEOUT(set) && > ip_set_timeout_expired(ext_timeout(e, set))) > continue; > @@ -188,9 +188,10 @@ list_set_utest(struct ip_set *set, void *value, const struct ip_set_ext *ext, > struct list_set *map = set->data; > struct set_adt_elem *d = value; > struct set_elem *e, *next, *prev = NULL; > - int ret; > + int ret = 0; > > - list_for_each_entry(e, &map->members, list) { > + rcu_read_lock(); > + list_for_each_entry_rcu(e, &map->members, list) { > if (SET_WITH_TIMEOUT(set) && > ip_set_timeout_expired(ext_timeout(e, set))) > continue; > @@ -201,6 +202,7 @@ list_set_utest(struct ip_set *set, void *value, const struct ip_set_ext *ext, > > if (d->before == 0) { > ret = 1; > + goto out; > } else if (d->before > 0) { > next = list_next_entry(e, list); > ret = !list_is_last(&e->list, &map->members) && > @@ -208,9 +210,11 @@ list_set_utest(struct ip_set *set, void *value, const struct ip_set_ext *ext, > } else { > ret = prev && prev->id == d->refid; > } > - return ret; > + goto out; > } > - return 0; > +out: > + rcu_read_unlock(); > + return ret; > } > > static void > @@ -239,7 +243,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext, > > /* Find where to add the new entry */ > n = prev = next = NULL; > - list_for_each_entry(e, &map->members, list) { > + list_for_each_entry_rcu(e, &map->members, list) { > if (SET_WITH_TIMEOUT(set) && > ip_set_timeout_expired(ext_timeout(e, set))) > continue; > @@ -316,9 +320,9 @@ list_set_udel(struct ip_set *set, void *value, const struct ip_set_ext *ext, > { > struct list_set *map = set->data; > struct set_adt_elem *d = value; > - struct set_elem *e, *next, *prev = NULL; > + struct set_elem *e, *n, *next, *prev = NULL; > > - list_for_each_entry(e, &map->members, list) { > + list_for_each_entry_safe(e, n, &map->members, list) { > if (SET_WITH_TIMEOUT(set) && > ip_set_timeout_expired(ext_timeout(e, set))) > continue; > @@ -424,14 +428,8 @@ static void > list_set_destroy(struct ip_set *set) > { > struct list_set *map = set->data; > - struct set_elem *e, *n; > > - list_for_each_entry_safe(e, n, &map->members, list) { > - list_del(&e->list); > - ip_set_put_byindex(map->net, e->id); > - ip_set_ext_destroy(set, e); > - kfree(e); > - } > + WARN_ON_ONCE(!list_empty(&map->members)); > kfree(map); > > set->data = NULL;

1 year, 2 months

2
2
0 0

Re: Patch "netfilter: ipset: Fix suspicious rcu_dereference_protected()" has been added to the 6.9-stable tree

by Pablo Neira Ayuso

Hi Side note: This fix requires 4e7aaa6b82d6 ("netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type" in first place, as a dependency. Thanks On Sat, Jun 22, 2024 at 07:41:24PM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > netfilter: ipset: Fix suspicious rcu_dereference_protected() > > to the 6.9-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > netfilter-ipset-fix-suspicious-rcu_dereference_prote.patch > and it can be found in the queue-6.9 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 0226dfa53edc90463c1b0d50167da948c88025ef > Author: Jozsef Kadlecsik <kadlec(a)netfilter.org> > Date: Mon Jun 17 11:18:15 2024 +0200 > > netfilter: ipset: Fix suspicious rcu_dereference_protected() > > [ Upstream commit 8ecd06277a7664f4ef018abae3abd3451d64e7a6 ] > > When destroying all sets, we are either in pernet exit phase or > are executing a "destroy all sets command" from userspace. The latter > was taken into account in ip_set_dereference() (nfnetlink mutex is held), > but the former was not. The patch adds the required check to > rcu_dereference_protected() in ip_set_dereference(). > > Fixes: 4e7aaa6b82d6 ("netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type") > Reported-by: syzbot+b62c37cdd58103293a5a(a)syzkaller.appspotmail.com > Reported-by: syzbot+cfbe1da5fdfc39efc293(a)syzkaller.appspotmail.com > Reported-by: kernel test robot <oliver.sang(a)intel.com> > Closes: https://lore.kernel.org/oe-lkp/202406141556.e0b6f17e-lkp@intel.com > Signed-off-by: Jozsef Kadlecsik <kadlec(a)netfilter.org> > Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c > index c7ae4d9bf3d24..61431690cbd5f 100644 > --- a/net/netfilter/ipset/ip_set_core.c > +++ b/net/netfilter/ipset/ip_set_core.c > @@ -53,12 +53,13 @@ MODULE_DESCRIPTION("core IP set support"); > MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET); > > /* When the nfnl mutex or ip_set_ref_lock is held: */ > -#define ip_set_dereference(p) \ > - rcu_dereference_protected(p, \ > +#define ip_set_dereference(inst) \ > + rcu_dereference_protected((inst)->ip_set_list, \ > lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET) || \ > - lockdep_is_held(&ip_set_ref_lock)) > + lockdep_is_held(&ip_set_ref_lock) || \ > + (inst)->is_deleted) > #define ip_set(inst, id) \ > - ip_set_dereference((inst)->ip_set_list)[id] > + ip_set_dereference(inst)[id] > #define ip_set_ref_netlink(inst,id) \ > rcu_dereference_raw((inst)->ip_set_list)[id] > #define ip_set_dereference_nfnl(p) \ > @@ -1133,7 +1134,7 @@ static int ip_set_create(struct sk_buff *skb, const struct nfnl_info *info, > if (!list) > goto cleanup; > /* nfnl mutex is held, both lists are valid */ > - tmp = ip_set_dereference(inst->ip_set_list); > + tmp = ip_set_dereference(inst); > memcpy(list, tmp, sizeof(struct ip_set *) * inst->ip_set_max); > rcu_assign_pointer(inst->ip_set_list, list); > /* Make sure all current packets have passed through */

1 year, 2 months

1
0
0 0

[tip: smp/urgent] cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()

by tip-bot2 for Yuntao Wang

The following commit has been merged into the smp/urgent branch of tip: Commit-ID: 932d8476399f622aa0767a4a0a9e78e5341dc0e1 Gitweb: https://git.kernel.org/tip/932d8476399f622aa0767a4a0a9e78e5341dc0e1 Author: Yuntao Wang <ytcoode(a)gmail.com> AuthorDate: Wed, 15 May 2024 21:45:54 +08:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Mon, 17 Jun 2024 15:08:04 +02:00 cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked() Commit 4205e4786d0b ("cpu/hotplug: Provide dynamic range for prepare stage") added a dynamic range for the prepare states, but did not handle the assignment of the dynstate variable in __cpuhp_setup_state_cpuslocked(). This causes the corresponding startup callback not to be invoked when calling __cpuhp_setup_state_cpuslocked() with the CPUHP_BP_PREPARE_DYN parameter, even though it should be. Currently, the users of __cpuhp_setup_state_cpuslocked(), for one reason or another, have not triggered this bug. Fixes: 4205e4786d0b ("cpu/hotplug: Provide dynamic range for prepare stage") Signed-off-by: Yuntao Wang <ytcoode(a)gmail.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240515134554.427071-1-ytcoode@gmail.com --- kernel/cpu.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/cpu.c b/kernel/cpu.c index 563877d..74cfdb6 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -2446,7 +2446,7 @@ EXPORT_SYMBOL_GPL(__cpuhp_state_add_instance); * The caller needs to hold cpus read locked while calling this function. * Return: * On success: - * Positive state number if @state is CPUHP_AP_ONLINE_DYN; + * Positive state number if @state is CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN; * 0 for all other states * On failure: proper (negative) error code */ @@ -2469,7 +2469,7 @@ int __cpuhp_setup_state_cpuslocked(enum cpuhp_state state, ret = cpuhp_store_callbacks(state, name, startup, teardown, multi_instance); - dynstate = state == CPUHP_AP_ONLINE_DYN; + dynstate = state == CPUHP_AP_ONLINE_DYN || state == CPUHP_BP_PREPARE_DYN; if (ret > 0 && dynstate) { state = ret; ret = 0; @@ -2500,8 +2500,8 @@ int __cpuhp_setup_state_cpuslocked(enum cpuhp_state state, out: mutex_unlock(&cpuhp_state_mutex); /* - * If the requested state is CPUHP_AP_ONLINE_DYN, return the - * dynamically allocated state in case of success. + * If the requested state is CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN, + * return the dynamically allocated state in case of success. */ if (!ret && dynstate) return state;

1 year, 2 months

1
0
0 0

[PATCH] cpu: Fix broken cmdline "nosmp" and "maxcpus=0"

by Huacai Chen

After the reworking of "Parallel CPU bringup", the cmdline "nosmp" and "maxcpus=0" is broken. Because these parameters make setup_max_cpus be zero, and setup_max_cpus is the "max_cpus" of bringup_nonboot_cpus(). In this case, "if (!--ncpus)" will not be true in cpuhp_bringup_mask(), and the result is all the possible cpus are brought up. We can fix it by changing "if (!--ncpus)" to "if (!ncpus--)". But to make logic more clear and save some cpu cycles, it is better to check "max_cpus" in bringup_nonboot_cpus(), return early if it is zero. Cc: stable(a)vger.kernel.org Fixes: 18415f33e2ac4ab382 ("cpu/hotplug: Allow "parallel" bringup up to CPUHP_BP_KICK_AP_STATE") Fixes: 06c6796e0304234da6 ("cpu/hotplug: Fix off by one in cpuhp_bringup_mask()") Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- kernel/cpu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/cpu.c b/kernel/cpu.c index 563877d6c28b..200974a31de8 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -1859,6 +1859,9 @@ static inline bool cpuhp_bringup_cpus_parallel(unsigned int ncpus) { return fals void __init bringup_nonboot_cpus(unsigned int max_cpus) { + if (!max_cpus) + return; + /* Try parallel bringup optimization if enabled */ if (cpuhp_bringup_cpus_parallel(max_cpus)) return; -- 2.43.0

1 year, 2 months

2
1
0 0

[PATCH 1/4] x86/of: Return consistent error type from x86_of_pci_irq_enable()

by Ilpo Järvinen

x86_of_pci_irq_enable() returns PCIBIOS_* code received from pci_read_config_byte() directly and also -EINVAL which are not compatible error types. x86_of_pci_irq_enable() is used as (*pcibios_enable_irq) function which should not return PCIBIOS_* codes. Convert the PCIBIOS_* return code from pci_read_config_byte() into normal errno using pcibios_err_to_errno(). Fixes: 96e0a0797eba ("x86: dtb: Add support for PCI devices backed by dtb nodes") Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/devicetree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/devicetree.c b/arch/x86/kernel/devicetree.c index 8e3c53b4d070..64280879c68c 100644 --- a/arch/x86/kernel/devicetree.c +++ b/arch/x86/kernel/devicetree.c @@ -83,7 +83,7 @@ static int x86_of_pci_irq_enable(struct pci_dev *dev) ret = pci_read_config_byte(dev, PCI_INTERRUPT_PIN, &pin); if (ret) - return ret; + return pcibios_err_to_errno(ret); if (!pin) return 0; -- 2.39.2

1 year, 2 months

4
7
0 0

[PATCH 10/15] csky, hexagon: fix broken sys_sync_file_range

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> Both of these architectures require u64 function arguments to be passed in even/odd pairs of registers or stack slots, which in case of sync_file_range would result in a seven-argument system call that is not currently possible. The system call is therefore incompatible with all existing binaries. While it would be possible to implement support for seven arguments like on mips, it seems better to use a six-argument version, either with the normal argument order but misaligned as on most architectures or with the reordered sync_file_range2() calling conventions as on arm and powerpc. Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- arch/csky/include/uapi/asm/unistd.h | 1 + arch/hexagon/include/uapi/asm/unistd.h | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/csky/include/uapi/asm/unistd.h b/arch/csky/include/uapi/asm/unistd.h index 7ff6a2466af1..e0594b6370a6 100644 --- a/arch/csky/include/uapi/asm/unistd.h +++ b/arch/csky/include/uapi/asm/unistd.h @@ -6,6 +6,7 @@ #define __ARCH_WANT_SYS_CLONE3 #define __ARCH_WANT_SET_GET_RLIMIT #define __ARCH_WANT_TIME32_SYSCALLS +#define __ARCH_WANT_SYNC_FILE_RANGE2 #include <asm-generic/unistd.h> #define __NR_set_thread_area (__NR_arch_specific_syscall + 0) diff --git a/arch/hexagon/include/uapi/asm/unistd.h b/arch/hexagon/include/uapi/asm/unistd.h index 432c4db1b623..21ae22306b5d 100644 --- a/arch/hexagon/include/uapi/asm/unistd.h +++ b/arch/hexagon/include/uapi/asm/unistd.h @@ -36,5 +36,6 @@ #define __ARCH_WANT_SYS_VFORK #define __ARCH_WANT_SYS_FORK #define __ARCH_WANT_TIME32_SYSCALLS +#define __ARCH_WANT_SYNC_FILE_RANGE2 #include <asm-generic/unistd.h> -- 2.39.2

1 year, 2 months

2
1
0 0

Linux 6.9.6

by Greg Kroah-Hartman

I'm announcing the release of the 6.9.6 kernel. All users of the 6.9 kernel series must upgrade. The updated 6.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.9.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ .editorconfig | 3 Documentation/devicetree/bindings/usb/realtek,rts5411.yaml | 1 MAINTAINERS | 1 Makefile | 2 arch/parisc/include/asm/cacheflush.h | 15 arch/parisc/include/asm/pgtable.h | 27 arch/parisc/kernel/cache.c | 413 ++++++---- arch/powerpc/include/asm/uaccess.h | 16 arch/powerpc/platforms/85xx/smp.c | 9 arch/riscv/kvm/aia_device.c | 7 arch/riscv/kvm/vcpu_onereg.c | 4 arch/riscv/mm/init.c | 24 arch/riscv/mm/pageattr.c | 28 arch/x86/boot/compressed/Makefile | 4 arch/x86/boot/main.c | 4 arch/x86/include/asm/alternative.h | 22 arch/x86/include/asm/atomic64_32.h | 2 arch/x86/include/asm/cpufeature.h | 2 arch/x86/include/asm/irq_stack.h | 2 arch/x86/include/asm/uaccess.h | 6 arch/x86/kernel/amd_nb.c | 9 arch/x86/kernel/cpu/common.c | 21 arch/x86/kernel/machine_kexec_64.c | 11 arch/x86/kvm/svm/sev.c | 19 arch/x86/kvm/svm/svm.c | 24 arch/x86/kvm/svm/svm.h | 4 arch/x86/lib/getuser.S | 6 arch/x86/mm/numa.c | 6 block/blk-flush.c | 3 block/sed-opal.c | 2 drivers/acpi/thermal.c | 8 drivers/acpi/x86/utils.c | 24 drivers/ata/ahci.c | 1 drivers/ata/libata-core.c | 9 drivers/ata/libata-scsi.c | 8 drivers/base/core.c | 3 drivers/block/null_blk/zoned.c | 2 drivers/clk/sifive/sifive-prci.c | 8 drivers/cpufreq/amd-pstate-ut.c | 3 drivers/cpufreq/amd-pstate.c | 209 +++-- drivers/cpufreq/amd-pstate.h | 100 ++ drivers/cxl/core/region.c | 18 drivers/dma-buf/st-dma-fence.c | 6 drivers/dma/dma-axi-dmac.c | 2 drivers/gpio/Kconfig | 2 drivers/gpio/gpio-tqmx86.c | 110 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 2 drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c | 2 drivers/gpu/drm/bridge/panel.c | 7 drivers/gpu/drm/display/drm_dp_mst_topology.c | 4 drivers/gpu/drm/drm_gem_shmem_helper.c | 3 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 7 drivers/gpu/drm/exynos/exynos_hdmi.c | 7 drivers/gpu/drm/i915/display/intel_audio.c | 32 drivers/gpu/drm/i915/display/intel_audio.h | 1 drivers/gpu/drm/i915/display/intel_display_driver.c | 2 drivers/gpu/drm/i915/display/intel_dp_mst.c | 2 drivers/gpu/drm/i915/gem/i915_gem_object.h | 4 drivers/gpu/drm/i915/gt/intel_breadcrumbs.c | 15 drivers/gpu/drm/nouveau/dispnv04/disp.c | 2 drivers/gpu/drm/nouveau/dispnv50/disp.c | 4 drivers/gpu/drm/nouveau/nouveau_display.c | 6 drivers/gpu/drm/nouveau/nouveau_drv.h | 1 drivers/gpu/drm/panel/panel-sitronix-st7789v.c | 4 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 3 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 28 drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 45 + drivers/gpu/drm/xe/xe_gt_idle.c | 9 drivers/gpu/drm/xe/xe_guc_pc.c | 70 - drivers/gpu/drm/xe/xe_guc_submit.c | 1 drivers/gpu/drm/xe/xe_ring_ops.c | 18 drivers/greybus/interface.c | 1 drivers/hid/hid-core.c | 1 drivers/hid/hid-logitech-dj.c | 4 drivers/hid/hid-nvidia-shield.c | 4 drivers/hwtracing/intel_th/pci.c | 25 drivers/i2c/busses/i2c-at91-slave.c | 3 drivers/i2c/busses/i2c-designware-slave.c | 2 drivers/iio/adc/ad9467.c | 4 drivers/iio/adc/adi-axi-adc.c | 5 drivers/iio/common/inv_sensors/inv_sensors_timestamp.c | 15 drivers/iio/dac/ad5592r-base.c | 2 drivers/iio/imu/bmi323/bmi323_core.c | 5 drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 4 drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 4 drivers/iio/pressure/bmp280-core.c | 10 drivers/iio/temperature/mcp9600.c | 3 drivers/iio/temperature/mlx90635.c | 6 drivers/iommu/amd/init.c | 9 drivers/irqchip/irq-gic-v3-its.c | 44 - drivers/irqchip/irq-sifive-plic.c | 34 drivers/leds/led-class.c | 6 drivers/md/dm-integrity.c | 1 drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 9 drivers/misc/mei/pci-me.c | 4 drivers/misc/mei/platform-vsc.c | 39 drivers/misc/mei/vsc-fw-loader.c | 2 drivers/misc/vmw_vmci/vmci_event.c | 6 drivers/net/dsa/qca/qca8k-leds.c | 12 drivers/net/ethernet/broadcom/bnxt/bnxt.h | 51 + drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 12 drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 11 drivers/net/ethernet/google/gve/gve_rx_dqo.c | 8 drivers/net/ethernet/google/gve/gve_tx_dqo.c | 20 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 4 drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 2 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 21 drivers/net/ethernet/intel/ice/ice.h | 44 - drivers/net/ethernet/intel/ice/ice_base.c | 3 drivers/net/ethernet/intel/ice/ice_lib.c | 27 drivers/net/ethernet/intel/ice/ice_main.c | 118 +- drivers/net/ethernet/intel/ice/ice_nvm.c | 116 ++ drivers/net/ethernet/intel/ice/ice_type.h | 14 drivers/net/ethernet/intel/ice/ice_xsk.c | 13 drivers/net/ethernet/intel/igc/igc_ethtool.c | 9 drivers/net/ethernet/intel/igc/igc_main.c | 4 drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 33 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 104 +- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 9 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 drivers/net/ethernet/mellanox/mlx5/core/fw.c | 4 drivers/net/ethernet/mellanox/mlx5/core/health.c | 8 drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 8 drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 4 drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 1 drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c | 4 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 25 drivers/net/geneve.c | 10 drivers/net/netdevsim/netdev.c | 3 drivers/net/phy/micrel.c | 104 ++ drivers/net/phy/sfp.c | 3 drivers/net/virtio_net.c | 2 drivers/net/vmxnet3/vmxnet3_drv.c | 2 drivers/net/wireless/ath/ath11k/core.c | 2 drivers/net/wireless/ath/ath11k/mac.c | 38 drivers/net/wireless/intel/iwlwifi/fw/api/power.h | 30 drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 18 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 5 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 drivers/net/wireless/realtek/rtlwifi/core.c | 15 drivers/net/wwan/iosm/iosm_ipc_devlink.c | 2 drivers/nvme/host/pr.c | 2 drivers/nvme/target/passthru.c | 6 drivers/pci/controller/pcie-rockchip-ep.c | 6 drivers/platform/x86/dell/dell-smbios-base.c | 92 -- drivers/pmdomain/ti/ti_sci_pm_domains.c | 20 drivers/ptp/ptp_chardev.c | 3 drivers/ras/amd/atl/internal.h | 2 drivers/ras/amd/atl/system.c | 2 drivers/ras/amd/atl/umc.c | 160 ++- drivers/remoteproc/ti_k3_r5_remoteproc.c | 58 + drivers/scsi/mpi3mr/mpi3mr_app.c | 62 + drivers/scsi/mpt3sas/mpt3sas_base.c | 19 drivers/scsi/mpt3sas/mpt3sas_base.h | 3 drivers/scsi/mpt3sas/mpt3sas_ctl.c | 4 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 23 drivers/scsi/scsi.c | 7 drivers/scsi/scsi_transport_sas.c | 23 drivers/scsi/sd.c | 17 drivers/spmi/hisi-spmi-controller.c | 1 drivers/thermal/thermal_core.c | 13 drivers/thunderbolt/debugfs.c | 5 drivers/tty/n_tty.c | 22 drivers/tty/serial/8250/8250_dw.c | 9 drivers/tty/serial/8250/8250_dwlib.c | 3 drivers/tty/serial/8250/8250_dwlib.h | 3 drivers/tty/serial/8250/8250_pxa.c | 1 drivers/tty/serial/serial_port.c | 7 drivers/ufs/core/ufs-mcq.c | 17 drivers/ufs/core/ufshcd.c | 6 drivers/usb/Makefile | 1 drivers/usb/class/cdc-wdm.c | 4 drivers/usb/core/hcd.c | 12 drivers/usb/host/xhci-pci.c | 7 drivers/usb/host/xhci-ring.c | 59 + drivers/usb/host/xhci.h | 1 drivers/usb/storage/alauda.c | 9 drivers/usb/typec/tcpm/tcpm.c | 5 fs/btrfs/zoned.c | 13 fs/cachefiles/daemon.c | 3 fs/cachefiles/internal.h | 5 fs/cachefiles/ondemand.c | 165 ++- fs/jfs/xattr.c | 4 fs/nfs/dir.c | 47 - fs/nfs/nfs4proc.c | 23 fs/nfsd/nfsfh.c | 4 fs/ocfs2/file.c | 2 fs/ocfs2/namei.c | 4 fs/proc/vmcore.c | 2 fs/smb/server/smb2pdu.c | 22 fs/smb/server/vfs.c | 17 fs/smb/server/vfs.h | 3 fs/smb/server/vfs_cache.c | 3 fs/tracefs/event_inode.c | 51 - include/drm/bridge/aux-bridge.h | 2 include/drm/display/drm_dp_mst_helper.h | 1 include/linux/amd-pstate.h | 127 --- include/linux/atomic/atomic-arch-fallback.h | 6 include/linux/atomic/atomic-instrumented.h | 8 include/linux/atomic/atomic-long.h | 4 include/linux/io_uring_types.h | 3 include/linux/iommu.h | 2 include/linux/kcov.h | 47 - include/linux/kexec.h | 6 include/linux/pse-pd/pse.h | 4 include/net/bluetooth/hci_core.h | 36 include/net/ip_tunnels.h | 5 include/net/rtnetlink.h | 1 include/scsi/scsi_transport_sas.h | 2 include/trace/events/cachefiles.h | 8 io_uring/cancel.h | 4 io_uring/io-wq.c | 57 - io_uring/io_uring.c | 1 io_uring/rsrc.c | 1 kernel/bpf/syscall.c | 11 kernel/events/core.c | 13 kernel/gen_kheaders.sh | 2 kernel/pid_namespace.c | 1 kernel/time/tick-common.c | 42 - mm/memblock.c | 4 mm/memory-failure.c | 7 net/ax25/af_ax25.c | 6 net/ax25/ax25_dev.c | 2 net/bluetooth/hci_sync.c | 2 net/bluetooth/l2cap_core.c | 12 net/bpf/test_run.c | 6 net/bridge/br_mst.c | 13 net/core/rtnetlink.c | 44 + net/core/sock_map.c | 16 net/ethtool/ioctl.c | 2 net/ipv4/devinet.c | 2 net/ipv4/fib_frontend.c | 7 net/ipv4/tcp.c | 9 net/ipv4/tcp_timer.c | 6 net/ipv6/ioam6_iptunnel.c | 8 net/ipv6/ip6_fib.c | 6 net/ipv6/route.c | 5 net/ipv6/seg6_iptunnel.c | 14 net/ipv6/tcp_ipv6.c | 3 net/mac80211/cfg.c | 4 net/mac80211/he.c | 10 net/mac80211/mesh_pathtbl.c | 13 net/mac80211/parse.c | 2 net/mac80211/sta_info.c | 4 net/mptcp/pm_netlink.c | 21 net/mptcp/protocol.c | 10 net/ncsi/internal.h | 2 net/ncsi/ncsi-manage.c | 73 - net/ncsi/ncsi-rsp.c | 4 net/netfilter/ipset/ip_set_core.c | 81 + net/netfilter/ipset/ip_set_list_set.c | 30 net/netfilter/nft_meta.c | 3 net/netfilter/nft_payload.c | 4 net/sched/sch_generic.c | 1 net/sched/sch_multiq.c | 2 net/sched/sch_taprio.c | 15 net/smc/af_smc.c | 22 net/sunrpc/auth_gss/auth_gss.c | 4 net/unix/af_unix.c | 108 +- net/unix/diag.c | 12 net/wireless/core.c | 2 net/wireless/pmsr.c | 8 net/wireless/scan.c | 3 net/wireless/sysfs.c | 4 net/wireless/util.c | 7 scripts/atomic/kerneldoc/sub_and_test | 2 scripts/mod/modpost.c | 5 security/integrity/ima/ima_api.c | 16 security/integrity/ima/ima_template_lib.c | 17 security/landlock/fs.c | 13 tools/perf/builtin-script.c | 2 tools/perf/util/auxtrace.c | 4 tools/testing/cxl/test/mem.c | 1 tools/testing/selftests/alsa/Makefile | 2 tools/testing/selftests/ftrace/test.d/dynevent/test_duplicates.tc | 2 tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc | 20 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_eventname.tc | 3 tools/testing/selftests/futex/functional/futex_requeue_pi.c | 2 tools/testing/selftests/mm/compaction_test.c | 77 + tools/testing/selftests/mm/cow.c | 2 tools/testing/selftests/mm/gup_longterm.c | 2 tools/testing/selftests/mm/gup_test.c | 4 tools/testing/selftests/mm/ksm_functional_tests.c | 2 tools/testing/selftests/mm/madv_populate.c | 2 tools/testing/selftests/mm/mkdirty.c | 2 tools/testing/selftests/mm/pagemap_ioctl.c | 4 tools/testing/selftests/mm/soft-dirty.c | 2 tools/testing/selftests/net/mptcp/mptcp_join.sh | 5 tools/tracing/rtla/src/timerlat_aa.c | 109 +- tools/tracing/rtla/src/timerlat_top.c | 17 299 files changed, 3274 insertions(+), 1830 deletions(-) Aapo Vienamo (1): thunderbolt: debugfs: Fix margin debugfs node creation condition Adam Miotk (1): drm/bridge/panel: Fix runtime warning on panel bridge release Adam Rizkalla (1): iio: pressure: bmp280: Fix BMP580 temperature reading Aditya Kumar Singh (1): wifi: mac80211: pass proper link id for channel switch started notification Adrian Hunter (2): perf auxtrace: Fix multiple use of --itrace option perf script: Show also errors for --insn-trace option Alan Stern (1): USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages Aleksandr Mishin (4): net/mlx5: Fix tainted pointer delete is case of flow rules creation fail net: wwan: iosm: Fix tainted pointer delete is case of region creation fail liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() Alexander Shishkin (5): intel_th: pci: Add Granite Rapids support intel_th: pci: Add Granite Rapids SOC support intel_th: pci: Add Sapphire Rapids SOC support intel_th: pci: Add Meteor Lake-S support intel_th: pci: Add Lunar Lake support Amit Sunil Dhamne (1): usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps Amjad Ouled-Ameur (1): drm/komeda: check for error-valued pointer Andrey Konovalov (1): kcov, usb: disable interrupts in kcov_remote_start_usb_softirq Andrzej Hajda (1): drm/xe: flush engine buffers before signalling user fence on all engines Andy Shevchenko (2): net dsa: qca8k: fix usages of device_get_named_child_node() serial: 8250_dw: Don't use struct dw8250_data outside of 8250_dw Apurva Nandan (1): remoteproc: k3-r5: Wait for core0 power-up before powering up core1 Armin Wolf (1): platform/x86: dell-smbios: Fix wrong token data in sysfs Arnd Bergmann (1): cpufreq: amd-pstate: remove global header file Baochen Qiang (1): wifi: ath11k: move power type check to ASSOC stage when connecting to 6 GHz AP Baokun Li (9): cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd cachefiles: remove requests from xarray during flushing requests cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() cachefiles: add spin_lock for cachefiles_ondemand_info cachefiles: remove err_put_fd label in cachefiles_ondemand_daemon_read() cachefiles: never get a new anonymous fd if ondemand_id is valid cachefiles: defer exposing anon_fd until after copy_to_user() succeeds cachefiles: flush all requests after setting CACHEFILES_DEAD Baoquan He (1): kexec: fix the unexpected kexec_dprintk() macro Beleswar Padhi (2): remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs remoteproc: k3-r5: Jump to error handling labels in start/stop errors Benjamin Segall (1): x86/boot: Don't add the EFI stub to targets, again Bitterblue Smith (1): wifi: rtlwifi: Ignore IEEE80211_CONF_CHANGE_RETRY_LIMITS Borislav Petkov (AMD) (1): x86/cpu: Get rid of an unnecessary local variable in get_cpu_address_sizes() Breno Leitao (2): scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Carl Huang (1): wifi: ath11k: fix WCN6750 firmware crash caused by 17 num_vdevs Carlos Llamas (1): locking/atomic: scripts: fix ${atomic}_sub_and_test() kerneldoc Chanwoo Lee (1): scsi: ufs: mcq: Fix error output and clean up ufshcd_mcq_abort() Chen Hanxiao (1): SUNRPC: return proper error from gss_wrap_req_priv Chen Ni (2): HID: nvidia-shield: Add missing check for input_ff_create_memless drm/panel: sitronix-st7789v: Add check for of_drm_get_panel_orientation Chengming Zhou (1): block: fix request.queuelist usage in flush Chris Wilson (1): drm/i915/gt: Disarm breadcrumbs if engines are already idle Cong Wang (1): bpf: Fix a potential use-after-free in bpf_link_free() Csókás, Bence (1): net: sfp: Always call `sfp_sm_mod_remove()` on remove Damien Le Moal (4): ata: libata-scsi: Set the RMB bit only for removable media devices scsi: core: Disable CDL by default scsi: mpi3mr: Fix ATA NCQ priority support null_blk: Print correct max open zones limit in null_init_zoned_dev() Daniel Bristot de Oliveira (2): rtla/timerlat: Simplify "no value" printing on top rtla/auto-analysis: Replace \t with spaces Daniel Wagner (1): nvmet-passthru: propagate status from id override functions Dave Hansen (1): x86/cpu: Provide default cache line size if not enumerated Dave Jiang (1): cxl/test: Add missing vmalloc.h for tools/testing/cxl/test/mem.c David Kaplan (1): x86/kexec: Fix bug with call depth tracking David Lechner (1): iio: adc: ad9467: fix scan type sign David Wei (1): netdevsim: fix backwards compatibility in nsim_get_iflink() Davide Ornaghi (1): netfilter: nft_inner: validate mandatory meta and payload DelphineCCChiu (1): net/ncsi: Fix the multi thread manner of NCSI driver Dev Jain (1): selftests/mm: compaction_test: fix bogus test success and reduce probability of OOM-killer invocation Dimitri Fedrau (1): iio: temperature: mcp9600: Fix temperature reading for negative values Dirk Behme (1): drivers: core: synchronize really_probe() and dev_uevent() Dmitry Baryshkov (1): drm/bridge: aux-hpd-bridge: correct devm_drm_dp_hpd_bridge_add() stub Doug Brown (1): serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level Douglas Anderson (1): serial: port: Don't block system suspend even if bytes are left to xmit Duoming Zhou (1): ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put() Emmanuel Grumbach (3): wifi: iwlwifi: mvm: don't read past the mfuart notifcation wifi: iwlwifi: mvm: support iwl_dev_tx_power_cmd_v8 wifi: iwlwifi: mvm: fix a crash on 7265 Eric Dumazet (6): ipv6: ioam: block BH from ioam6_output() ipv6: sr: block BH in seg6_output_core() and seg6_input_core() net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP ipv6: fix possible race in __fib6_drop_pcpu_from() tcp: fix race in tcp_v6_syn_recv_sock() tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() Fedor Pchelkin (1): dma-buf: handle testing kthreads creation failure Filipe Manana (1): btrfs: zoned: fix use-after-free due to race with dev replace Frank Wunderlich (1): net: ethernet: mtk_eth_soc: handle dma buffer size soc specific Gal Pressman (2): geneve: Fix incorrect inner network header offset when innerprotoinherit is set net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Greg Kroah-Hartman (3): .editorconfig: remove trim_trailing_whitespace option jfs: xattr: fix buffer overflow for invalid xattr Linux 6.9.6 Gregor Herburger (1): gpio: tqmx86: fix typo in Kconfig label Hagar Gamal Halim Hemdan (1): vmci: prevent speculation leaks by sanitizing event in event_deliver() Hagar Hemdan (1): irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() Haifeng Xu (1): perf/core: Fix missing wakeup when waiting for context reference Hangyu Hua (1): net: sched: sch_multiq: fix possible OOB write in multiq_tune() Hans de Goede (2): leds: class: Revert: "If no default trigger is given, make hw_control trigger the default trigger" mei: vsc: Fix wrong invocation of ACPI SID method Hari Bathini (1): powerpc/85xx: fix compile error without CONFIG_CRASH_DUMP Harshit Mogalapalli (1): iio: temperature: mlx90635: Fix ERR_PTR dereference in mlx90635_probe() Hector Martin (1): xhci: Handle TD clearing for multiple streams case Heng Qi (1): virtio_net: fix possible dim status unrecoverable Ian Forbes (4): drm/vmwgfx: Filter modes which exceed graphics memory drm/vmwgfx: 3D disabled should not effect STDU memory limits drm/vmwgfx: Remove STDU logic from generic mode_valid function drm/vmwgfx: Don't memcmp equivalent pointers Ilpo Järvinen (1): tty: n_tty: Fix buffer offsets when lookahead is used Imre Deak (1): drm/i915: Fix audio component initialization Jacob Keller (2): ice: fix iteration of TLVs in Preserved Fields Area ice: fix reads from NVM Shadow RAM on E830 and E825-C devices Jakub Kicinski (2): net: tls: fix marking packets as decrypted rtnetlink: make the "split" NLM_DONE handling generic Jan Beulich (2): x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node() memblock: make memblock_set_node() also warn about use of MAX_NUMNODES Jani Nikula (1): drm/exynos/vidi: fix memory leak in .get_modes() Jason Nader (1): ata: ahci: Do not apply Intel PCS quirk on Intel Alder Lake Jason Xing (2): tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB mptcp: count CLOSE-WAIT sockets for MPTCP_MIB_CURRESTAB Jean Delvare (2): i2c: at91: Fix the functionality flags of the slave-only interface i2c: designware: Fix the functionality flags of the slave-only interface Jean-Baptiste Maneyrol (3): iio: invensense: fix odr switching to same value iio: imu: inv_icm42600: delete unneeded update watermark call iio: invensense: fix interrupt timestamp alignment Jie Wang (1): net: hns3: add cond_resched() to hns3 ring buffer init process Jiri Olsa (1): bpf: Set run context for rawtp test_run callback Johannes Berg (5): wifi: cfg80211: fully move wiphy work to unbound workqueue wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 net/sched: initialize noop_qdisc owner wifi: cfg80211: validate HE operation element parsing wifi: mt76: mt7615: add missing chanctx ops John David Anglin (1): parisc: Try to fix random segmentation faults in package builds John Ernberg (1): USB: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected John Hubbard (1): selftests/futex: don't pass a const char* to asprintf(3) Joshua Washington (1): gve: ignore nonrelevant GSO type bits when processing TSO headers José Expósito (1): HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Jozsef Kadlecsik (1): netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Karol Kolacinski (1): ptp: Fix error message on failed pin verification Kees Cook (1): x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking Kory Maincent (1): net: pse-pd: Use EOPNOTSUPP error code instead of ENOTSUPP Kuangyi Chiang (2): xhci: Apply reset resume quirk to Etron EJ188 xHCI host xhci: Apply broken streams quirk to Etron EJ188 xHCI host Kun(llfl) (1): iommu/amd: Fix sysfs leak in iommu init Kuniyuki Iwashima (15): af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. af_unix: Annodate data-races around sk->sk_state for writers. af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). af_unix: Annotate data-race of sk->sk_state in unix_stream_connect(). af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb(). af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. af_unix: Annotate data-races around sk->sk_sndbuf. af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). af_unix: Use skb_queue_empty_lockless() in unix_release_sock(). af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). af_unix: Annotate data-race of sk->sk_state in unix_accept(). Kyle Tso (1): usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state Lars Kellogg-Stedman (1): ax25: Fix refcount imbalance on inbound connections Larysa Zaremba (3): ice: remove af_xdp_zc_qps bitmap ice: add flag to distinguish reset from .ndo_bpf in XDP rings config ice: map XDP queues to vectors in ice_vsi_map_rings_to_vectors() Li Zhijian (1): cxl/region: Fix memregion leaks in devm_cxl_add_region() Lin Ma (1): wifi: cfg80211: pmsr: use correct nla_get_uX functions Lingbo Kong (2): wifi: mac80211: fix Spatial Reuse element size check wifi: mac80211: correctly parse Spatial Reuse Parameter Set element Lu Baolu (1): iommu: Return right value in iommu_sva_bind_device() Luiz Augusto von Dentz (2): Bluetooth: hci_sync: Fix not using correct handle Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ Marc Ferland (1): iio: dac: ad5592r: fix temperature channel scaling value Marek Szyprowski (1): drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found Mario Limonciello (1): ACPI: x86: Force StorageD3Enable on more products Mark Brown (1): kselftest/alsa: Ensure _GNU_SOURCE is defined Martin K. Petersen (1): scsi: sd: Use READ(16) when reading block zero on large capacity disks Masahiro Yamada (1): modpost: do not warn about missing MODULE_DESCRIPTION() for vmlinux.o Masami Hiramatsu (Google) (2): selftests/ftrace: Fix to check required event file selftests/tracing: Fix event filter test to retry up to 10 times Mathias Nyman (1): xhci: Set correct transferred length for cancelled bulk transfers Matthias Maennich (1): kheaders: explicitly define file modes for archived headers Matthias Schiffer (3): gpio: tqmx86: introduce shadow register for GPIO output value gpio: tqmx86: store IRQ trigger type and unmask status separately gpio: tqmx86: fix broken IRQ_TYPE_EDGE_BOTH interrupt type Matthias Stocker (1): vmxnet3: disable rx data ring on dma allocation failure Miaohe Lin (1): mm/huge_memory: don't unpoison huge_zero_folio Michael Chan (1): bnxt_en: Cap the size of HWRM_PORT_PHY_QCFG forwarded response Michael Ellerman (1): powerpc/uaccess: Fix build errors seen with GCC 13/14 Mickaël Salaün (1): landlock: Fix d_parent walk Mikulas Patocka (1): dm-integrity: set discard_granularity to logical block size Miri Korenblit (2): wifi: iwlwifi: mvm: don't initialize csa_work twice wifi: iwlwifi: mvm: check n_ssids before accessing the ssids Mordechay Goodstein (1): wifi: iwlwifi: mvm: set properly mac header Moshe Shemesh (1): net/mlx5: Stop waiting for PCI if pci channel is offline Nam Cao (3): riscv: fix overlap of allocated page and PTR_ERR riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context riscv: force PAGE_SIZE linear mapping if debug_pagealloc is enabled Namjae Jeon (2): ksmbd: move leading slash check to smb2_get_name() ksmbd: fix missing use of get_write in in smb2_set_ea() Nathan Chancellor (1): selftests/mm: ksft_exit functions do not return NeilBrown (1): NFS: add barriers when testing for NFS_FSDATA_BLOCKED Nicolas Escande (1): wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects Nikita Zhandarovich (1): HID: core: remove unnecessary WARN_ON() in implement() Niklas Cassel (3): ata: libata-core: Add ATA_HORKAGE_NOLPM for Apacer AS340 ata: libata-core: Add ATA_HORKAGE_NOLPM for Crucial CT240BX500SSD1 ata: libata-core: Add ATA_HORKAGE_NOLPM for AMD Radeon S3 SSD Nikolay Aleksandrov (2): net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state net: bridge: mst: fix suspicious rcu usage in br_mst_set_state Niranjana Vishwanathapura (1): drm/xe: Properly handle alloc_guc_id() failure Nuno Sa (2): dmaengine: axi-dmac: fix possible race in remove() iio: adc: axi-adc: make sure AXI clock is enabled Oleg Nesterov (2): tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING Olga Kornievskaia (1): NFSv4.1 enforce rootpath check in fs_location query Paolo Abeni (1): mptcp: ensure snd_una is properly initialized on connect Pauli Virtanen (1): Bluetooth: fix connection setup in l2cap_connect Pavel Begunkov (2): io_uring/rsrc: don't lock while !TASK_RUNNING io_uring: fix cancellation overwriting req->flags Perry Yuan (2): cpufreq: amd-pstate: Unify computation of {max,min,nominal,lowest_nonlinear}_freq cpufreq: amd-pstate: Add quirk for the pstate CPPC capabilities missing Petr Pavlu (1): net/ipv6: Fix the RT cache flush via sysctl using a previous delay Quan Zhou (1): RISC-V: KVM: Fix incorrect reg_subtype labels in kvm_riscv_vcpu_set_reg_isa_ext function Rafael J. Wysocki (2): thermal: core: Do not fail cdev registration because of invalid initial state thermal: ACPI: Invalidate trip points with temperature of 0 or below Rao Shoaib (1): af_unix: Read with MSG_PEEK loops if the first unread byte is OOB Ravi Bangoria (2): KVM: SEV-ES: Disallow SEV-ES guests when X86_FEATURE_LBRV is absent KVM: SEV-ES: Delegate LBR virtualization to the processor Remi Pommarel (2): wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() wifi: cfg80211: Lock wiphy in cfg80211_get_station Riana Tauro (2): drm/xe/xe_gt_idle: use GT forcewake domain assertion drm/xe: move disable_c6 call Rick Wertenbroek (1): PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id Rik van Riel (1): fs/proc: fix softlockup in __read_vmcore Rob Herring (Arm) (1): dt-bindings: usb: realtek,rts5411: Add missing "additionalProperties" on child nodes Rodrigo Vivi (1): drm/xe: Remove mem_access from guc_pc calls Sagar Cheluvegowda (1): net: stmmac: dwmac-qcom-ethqos: Configure host DMA width Samuel Holland (2): clk: sifive: Do not register clkdevs for PRCI clocks irqchip/sifive-plic: Chain to parent IRQ after handlers are ready Sasha Neftin (1): igc: Fix Energy Efficient Ethernet support declaration Shahar S Matityahu (1): wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Shay Drory (1): net/mlx5: Always stop health timer during driver removal Shichao Lai (1): usb-storage: alauda: Check whether the media is initialized Sicong Huang (1): greybus: Fix use-after-free bug in gb_interface_release due to race condition. Stefan Berger (1): ima: Fix use-after-free on a dentry's dname.name Steven Rostedt (Google) (2): eventfs: Update all the eventfs_inodes from the events descriptor tracing/selftests: Fix kprobe event name test for .isra. functions Su Hui (3): net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() io_uring/io-wq: avoid garbage value of 'match' in io_wq_enqueue() block: sed-opal: avoid possible wrong address reference in read_sed_opal_key() Su Yue (3): ocfs2: update inode fsync transaction id in ocfs2_unlink and ocfs2_link ocfs2: use coarse time for new created files ocfs2: fix races between hole punching and AIO+DIO Subbaraya Sundeep (1): octeontx2-af: Always allocate PF entries from low prioriy zone Taehee Yoo (2): ionic: fix kernel panic in XDP_TX action ionic: fix use after netif_napi_del() Thadeu Lima de Souza Cascardo (1): sock_map: avoid race between sock_map_close and sk_psock_put Tomas Winkler (1): mei: me: release irq in mei_me_pci_resume error path Tomi Valkeinen (1): pmdomain: ti-sci: Fix duplicate PD referrals Tristram Ha (2): net: phy: micrel: fix KSZ9477 PHY issues after suspend/resume net: phy: Micrel KSZ8061: fix errata solution not taking effect problem Trond Myklebust (1): knfsd: LOOKUP can return an illegal error value Uros Bizjak (1): x86/asm: Use %c/%n instead of %P operand modifier in asm templates Vamshi Gajjela (1): spmi: hisi-spmi-controller: Do not override device identifier Vasileios Amoiridis (1): iio: imu: bmi323: Fix trigger notification in case of error Vasily Khoruzhick (1): drm/nouveau: don't attempt to schedule hpd_work on headless cards Vidya Srinivas (1): drm/i915/dpt: Make DPT object unshrinkable Wachowski, Karol (1): drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Wayne Lin (1): drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2 Weiwen Hu (1): nvme: fix nvme_pr_* status code parsing Wen Gu (1): net/smc: avoid overwriting when adjusting sock bufsizes Wentong Wu (1): mei: vsc: Don't stop/restart mei device during system suspend/resume Xiaolei Wang (1): net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters Yazen Ghannam (3): RAS/AMD/ATL: Fix MI300 bank hash RAS/AMD/ATL: Use system settings for MI300 DRAM to normalized address translation x86/amd_nb: Check for invalid SMN reads Yong-Xuan Wang (1): RISC-V: KVM: No need to use mask when hart-index-bit is 0 Yonglong Liu (1): net: hns3: fix kernel crash problem in concurrent scenario YonglongLi (2): mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID mptcp: pm: update add_addr counters after connect Yongzhi Liu (2): misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe() misc: microchip: pci1xxxx: Fix a memory leak in the error handling of gp_aux_bus_probe() Ziqi Chen (1): scsi: ufs: core: Quiesce request queues before checking pending cmds Ziwei Xiao (1): gve: Clear napi->skb before dev_kfree_skb_any()

1 year, 2 months

4
5
0 0

[tip: irq/urgent] irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node()

by tip-bot2 for Huacai Chen

The following commit has been merged into the irq/urgent branch of tip: Commit-ID: 2d64eaeeeda5659d52da1af79d237269ba3c2d2c Gitweb: https://git.kernel.org/tip/2d64eaeeeda5659d52da1af79d237269ba3c2d2c Author: Huacai Chen <chenhuacai(a)loongson.cn> AuthorDate: Sun, 23 Jun 2024 11:41:13 +08:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Sun, 23 Jun 2024 17:09:26 +02:00 irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node() Multi-bridge machines required that all eiointc controllers in the system are initialized, otherwise the system does not boot. The initialization happens on the boot CPU during early boot and relies on cpu_to_node() for identifying the individual nodes. That works when the number of possible CPUs is large enough, but with a command line limit, e.g. "nr_cpus=$N" for kdump, but fails when the CPUs of the secondary nodes are not covered. During early ACPI enumeration all CPU to node mappings are recorded up to CONFIG_NR_CPUS. These are accessible via early_cpu_to_node() even in the case that "nr_cpus=N" truncates the number of possible CPUs and only provides the possible CPUs via cpu_to_node() translation. Change the node lookup in the driver to use early_cpu_to_node() so that even with a limitation on the number of possible CPUs all eointc instances are initialized. This can't obviously cure the case where CONFIG_NR_CPUS is too small. [ tglx: Massaged changelog ] Fixes: 64cc451e45e1 ("irqchip/loongson-eiointc: Fix incorrect use of acpi_get_vec_parent") Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240623034113.1808727-1-chenhuacai@loongson.cn --- drivers/irqchip/irq-loongson-eiointc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/irqchip/irq-loongson-eiointc.c b/drivers/irqchip/irq-loongson-eiointc.c index c7ddebf..b1f2080 100644 --- a/drivers/irqchip/irq-loongson-eiointc.c +++ b/drivers/irqchip/irq-loongson-eiointc.c @@ -15,6 +15,7 @@ #include <linux/irqchip/chained_irq.h> #include <linux/kernel.h> #include <linux/syscore_ops.h> +#include <asm/numa.h> #define EIOINTC_REG_NODEMAP 0x14a0 #define EIOINTC_REG_IPMAP 0x14c0 @@ -339,7 +340,7 @@ static int __init pch_msi_parse_madt(union acpi_subtable_headers *header, int node; if (cpu_has_flatmode) - node = cpu_to_node(eiointc_priv[nr_pics - 1]->node * CORES_PER_EIO_NODE); + node = early_cpu_to_node(eiointc_priv[nr_pics - 1]->node * CORES_PER_EIO_NODE); else node = eiointc_priv[nr_pics - 1]->node; @@ -431,7 +432,7 @@ int __init eiointc_acpi_init(struct irq_domain *parent, goto out_free_handle; if (cpu_has_flatmode) - node = cpu_to_node(acpi_eiointc->node * CORES_PER_EIO_NODE); + node = early_cpu_to_node(acpi_eiointc->node * CORES_PER_EIO_NODE); else node = acpi_eiointc->node; acpi_set_vec_parent(node, priv->eiointc_domain, pch_group);

1 year, 2 months

1
0
0 0

[PATCH V2] irqchip/loongson-liointc: Set different ISRs for different cores

by Huacai Chen

In the liointc hardware, there are different ISRs (i.e. Interrupt Status Registers) for different cores. We always use core#0's ISR before but it has no problem, this is because the interrupts are routed to core#0 by default. If we change the routing (which can be done by changing firmware configuration) then we will lose interrupts while CPU hotplugging, so we should set correct ISRs for different cores. Cc: <stable(a)vger.kernel.org> Co-developed-by: Tianli Xiong <xiongtianli(a)loongson.cn> Signed-off-by: Tianli Xiong <xiongtianli(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- V2: Update commit messages. drivers/irqchip/irq-loongson-liointc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/irqchip/irq-loongson-liointc.c b/drivers/irqchip/irq-loongson-liointc.c index e4b33aed1c97..7c4fe7ab4b83 100644 --- a/drivers/irqchip/irq-loongson-liointc.c +++ b/drivers/irqchip/irq-loongson-liointc.c @@ -28,7 +28,7 @@ #define LIOINTC_INTC_CHIP_START 0x20 -#define LIOINTC_REG_INTC_STATUS (LIOINTC_INTC_CHIP_START + 0x20) +#define LIOINTC_REG_INTC_STATUS(core) (LIOINTC_INTC_CHIP_START + 0x20 + (core) * 8) #define LIOINTC_REG_INTC_EN_STATUS (LIOINTC_INTC_CHIP_START + 0x04) #define LIOINTC_REG_INTC_ENABLE (LIOINTC_INTC_CHIP_START + 0x08) #define LIOINTC_REG_INTC_DISABLE (LIOINTC_INTC_CHIP_START + 0x0c) @@ -217,7 +217,7 @@ static int liointc_init(phys_addr_t addr, unsigned long size, int revision, goto out_free_priv; for (i = 0; i < LIOINTC_NUM_CORES; i++) - priv->core_isr[i] = base + LIOINTC_REG_INTC_STATUS; + priv->core_isr[i] = base + LIOINTC_REG_INTC_STATUS(i); for (i = 0; i < LIOINTC_NUM_PARENT; i++) priv->handler[i].parent_int_map = parent_int_map[i]; -- 2.43.0

1 year, 2 months

2
1
0 0

[PATCH 6.1 000/217] 6.1.95-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.95 release. There are 217 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 21 Jun 2024 12:55:11 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.95-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.95-rc1 Oleg Nesterov <oleg(a)redhat.com> zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING Jean Delvare <jdelvare(a)suse.de> i2c: designware: Fix the functionality flags of the slave-only interface Jean Delvare <jdelvare(a)suse.de> i2c: at91: Fix the functionality flags of the slave-only interface Yongzhi Liu <hyperlyzcs(a)gmail.com> misc: microchip: pci1xxxx: Fix a memory leak in the error handling of gp_aux_bus_probe() Shichao Lai <shichaorai(a)gmail.com> usb-storage: alauda: Check whether the media is initialized Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: core: Add UPIO_UNKNOWN constant for unknown port type Jisheng Zhang <jszhang(a)kernel.org> serial: 8250_dw: fall back to poll if there's no interrupt Sicong Huang <congei42(a)163.com> greybus: Fix use-after-free bug in gb_interface_release due to race condition. Johan Hovold <johan+linaro(a)kernel.org> Bluetooth: qca: generalise device address check Johan Hovold <johan+linaro(a)kernel.org> Bluetooth: qca: fix wcn3991 device address check David Howells <dhowells(a)redhat.com> cachefiles, erofs: Fix NULL deref in when cachefiles is not doing ondemand-mode Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-r5: Jump to error handling labels in start/stop errors Sam James <sam(a)gentoo.org> Revert "fork: defer linking file vma until vma is fully initialized" YonglongLi <liyonglong(a)chinatelecom.cn> mptcp: pm: update add_addr counters after connect Doug Brown <doug(a)schmorgal.com> serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure: fix handling of dissolved but not taken off from buddy pages Miaohe Lin <linmiaohe(a)huawei.com> mm/huge_memory: don't unpoison huge_zero_folio Oleg Nesterov <oleg(a)redhat.com> tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential kernel bug due to lack of writeback flag waiting Filipe Manana <fdmanana(a)suse.com> btrfs: zoned: fix use-after-free due to race with dev replace Christoph Hellwig <hch(a)lst.de> btrfs: zoned: factor out DUP bg handling from btrfs_load_block_group_zone_info Christoph Hellwig <hch(a)lst.de> btrfs: zoned: factor out single bg handling from btrfs_load_block_group_zone_info Christoph Hellwig <hch(a)lst.de> btrfs: zoned: factor out per-zone logic from btrfs_load_block_group_zone_info Christoph Hellwig <hch(a)lst.de> btrfs: zoned: introduce a zone_info struct in btrfs_load_block_group_zone_info Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Lunar Lake support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Meteor Lake-S support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Sapphire Rapids SOC support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Granite Rapids SOC support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Granite Rapids support Vidya Srinivas <vidya.srinivas(a)intel.com> drm/i915/dpt: Make DPT object unshrinkable Chris Wilson <chris(a)chris-wilson.co.uk> drm/i915/gt: Disarm breadcrumbs if engines are already idle Nam Cao <namcao(a)linutronix.de> riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs Apurva Nandan <a-nandan(a)ti.com> remoteproc: k3-r5: Wait for core0 power-up before powering up core1 Nuno Sa <nuno.sa(a)analog.com> dmaengine: axi-dmac: fix possible race in remove() Rick Wertenbroek <rick.wertenbroek(a)gmail.com> PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id Su Yue <glass.su(a)suse.com> ocfs2: fix races between hole punching and AIO+DIO Su Yue <glass.su(a)suse.com> ocfs2: use coarse time for new created files Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore Trond Myklebust <trond.myklebust(a)hammerspace.com> knfsd: LOOKUP can return an illegal error value Vamshi Gajjela <vamshigajjela(a)google.com> spmi: hisi-spmi-controller: Do not override device identifier Hagar Gamal Halim Hemdan <hagarhem(a)amazon.com> vmci: prevent speculation leaks by sanitizing event in event_deliver() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> sock_map: avoid race between sock_map_close and sk_psock_put Damien Le Moal <dlemoal(a)kernel.org> null_blk: Print correct max open zones limit in null_init_zoned_dev() Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing/selftests: Fix kprobe event name test for .isra. functions Nam Cao <namcao(a)linutronix.de> riscv: fix overlap of allocated page and PTR_ERR Haifeng Xu <haifeng.xu(a)shopee.com> perf/core: Fix missing wakeup when waiting for context reference Yazen Ghannam <yazen.ghannam(a)amd.com> x86/amd_nb: Check for invalid SMN reads Hagar Hemdan <hagarhem(a)amazon.com> irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() YonglongLi <liyonglong(a)chinatelecom.cn> mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID Paolo Abeni <pabeni(a)redhat.com> mptcp: ensure snd_una is properly initialized on connect Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found Jani Nikula <jani.nikula(a)intel.com> drm/exynos/vidi: fix memory leak in .get_modes() Dirk Behme <dirk.behme(a)de.bosch.com> drivers: core: synchronize really_probe() and dev_uevent() Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: delete unneeded update watermark call Marc Ferland <marc.ferland(a)sonatest.com> iio: dac: ad5592r: fix temperature channel scaling value David Lechner <dlechner(a)baylibre.com> iio: adc: ad9467: fix scan type sign Benjamin Segall <bsegall(a)google.com> x86/boot: Don't add the EFI stub to targets, again Yongzhi Liu <hyperlyzcs(a)gmail.com> misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe() Aleksandr Mishin <amishin(a)t-argos.ru> bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() Rao Shoaib <Rao.Shoaib(a)oracle.com> af_unix: Read with MSG_PEEK loops if the first unread byte is OOB Taehee Yoo <ap420073(a)gmail.com> ionic: fix use after netif_napi_del() Nikolay Aleksandrov <razor(a)blackwall.org> net: bridge: mst: fix suspicious rcu usage in br_mst_set_state Nikolay Aleksandrov <razor(a)blackwall.org> net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state Petr Pavlu <petr.pavlu(a)suse.com> net/ipv6: Fix the RT cache flush via sysctl using a previous delay Daniel Wagner <dwagner(a)suse.de> nvmet-passthru: propagate status from id override functions Xiaolei Wang <xiaolei.wang(a)windriver.com> net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters Joshua Washington <joshwash(a)google.com> gve: ignore nonrelevant GSO type bits when processing TSO headers Kory Maincent <kory.maincent(a)bootlin.com> net: pse-pd: Use EOPNOTSUPP error code instead of ENOTSUPP Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Gal Pressman <gal(a)nvidia.com> geneve: Fix incorrect inner network header offset when innerprotoinherit is set Eric Dumazet <edumazet(a)google.com> tcp: fix race in tcp_v6_syn_recv_sock() Adam Miotk <adam.miotk(a)arm.com> drm/bridge/panel: Fix runtime warning on panel bridge release Amjad Ouled-Ameur <amjad.ouled-ameur(a)arm.com> drm/komeda: check for error-valued pointer Aleksandr Mishin <amishin(a)t-argos.ru> liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet Jie Wang <wangjie125(a)huawei.com> net: hns3: add cond_resched() to hns3 ring buffer init process Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix kernel crash problem in concurrent scenario Csókás, Bence <csokas.bence(a)prolan.hu> net: sfp: Always call `sfp_sm_mod_remove()` on remove Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Remove STDU logic from generic mode_valid function Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: 3D disabled should not effect STDU memory limits Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Filter modes which exceed graphics memory Martin Krastev <martin.krastev(a)broadcom.com> drm/vmwgfx: Refactor drm connector probing for display modes Zack Rusin <zackr(a)vmware.com> drm/vmwgfx: Port the framebuffer code to drm fb helpers José Expósito <jose.exposito89(a)gmail.com> HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Kun(llfl) <llfl(a)linux.alibaba.com> iommu/amd: Fix sysfs leak in iommu init Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> HID: core: remove unnecessary WARN_ON() in implement() Matthias Schiffer <matthias.schiffer(a)ew.tq-group.com> gpio: tqmx86: fix broken IRQ_TYPE_EDGE_BOTH interrupt type Matthias Schiffer <matthias.schiffer(a)ew.tq-group.com> gpio: tqmx86: store IRQ trigger type and unmask status separately Linus Walleij <linus.walleij(a)linaro.org> gpio: tqmx86: Convert to immutable irq_chip Matthias Schiffer <matthias.schiffer(a)ew.tq-group.com> gpio: tqmx86: introduce shadow register for GPIO output value Andrei Coardos <aboutphysycs(a)gmail.com> gpio: tqmx86: remove unneeded call to platform_set_drvdata() Gregor Herburger <gregor.herburger(a)tq-group.com> gpio: tqmx86: fix typo in Kconfig label Armin Wolf <W_Armin(a)gmx.de> platform/x86: dell-smbios: Fix wrong token data in sysfs NeilBrown <neilb(a)suse.de> NFS: add barriers when testing for NFS_FSDATA_BLOCKED Chen Hanxiao <chenhx.fnst(a)fujitsu.com> SUNRPC: return proper error from gss_wrap_req_priv Olga Kornievskaia <kolga(a)netapp.com> NFSv4.1 enforce rootpath check in fs_location query Samuel Holland <samuel.holland(a)sifive.com> clk: sifive: Do not register clkdevs for PRCI clocks Masami Hiramatsu (Google) <mhiramat(a)kernel.org> selftests/ftrace: Fix to check required event file Baokun Li <libaokun1(a)huawei.com> cachefiles: flush all requests after setting CACHEFILES_DEAD Baokun Li <libaokun1(a)huawei.com> cachefiles: defer exposing anon_fd until after copy_to_user() succeeds Baokun Li <libaokun1(a)huawei.com> cachefiles: never get a new anonymous fd if ondemand_id is valid Baokun Li <libaokun1(a)huawei.com> cachefiles: remove err_put_fd label in cachefiles_ondemand_daemon_read() Baokun Li <libaokun1(a)huawei.com> cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() Baokun Li <libaokun1(a)huawei.com> cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() Jia Zhu <zhujia.zj(a)bytedance.com> cachefiles: add restore command to recover inflight ondemand read requests Baokun Li <libaokun1(a)huawei.com> cachefiles: add spin_lock for cachefiles_ondemand_info Jia Zhu <zhujia.zj(a)bytedance.com> cachefiles: resend an open request if the read request's object is closed Jia Zhu <zhujia.zj(a)bytedance.com> cachefiles: extract ondemand info field from cachefiles_object Jia Zhu <zhujia.zj(a)bytedance.com> cachefiles: introduce object ondemand state Baokun Li <libaokun1(a)huawei.com> cachefiles: remove requests from xarray during flushing requests Baokun Li <libaokun1(a)huawei.com> cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd Dave Jiang <dave.jiang(a)intel.com> cxl/test: Add missing vmalloc.h for tools/testing/cxl/test/mem.c Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: try trimming too long modalias strings Michael Ellerman <mpe(a)ellerman.id.au> powerpc/uaccess: Fix build errors seen with GCC 13/14 Ziwei Xiao <ziweixiao(a)google.com> gve: Clear napi->skb before dev_kfree_skb_any() Martin K. Petersen <martin.petersen(a)oracle.com> scsi: sd: Use READ(16) when reading block zero on large capacity disks Breno Leitao <leitao(a)debian.org> scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory Damien Le Moal <dlemoal(a)kernel.org> scsi: mpi3mr: Fix ATA NCQ priority support Aapo Vienamo <aapo.vienamo(a)linux.intel.com> thunderbolt: debugfs: Fix margin debugfs node creation condition Kuangyi Chiang <ki.chiang65(a)gmail.com> xhci: Apply broken streams quirk to Etron EJ188 xHCI host Hector Martin <marcan(a)marcan.st> xhci: Handle TD clearing for multiple streams case Kuangyi Chiang <ki.chiang65(a)gmail.com> xhci: Apply reset resume quirk to Etron EJ188 xHCI host Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Set correct transferred length for cancelled bulk transfers Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> jfs: xattr: fix buffer overflow for invalid xattr Mickaël Salaün <mic(a)digikod.net> landlock: Fix d_parent walk Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> tty: n_tty: Fix buffer offsets when lookahead is used Tomas Winkler <tomas.winkler(a)intel.com> mei: me: release irq in mei_me_pci_resume error path Kyle Tso <kyletso(a)google.com> usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps John Ernberg <john.ernberg(a)actia.se> USB: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected Alan Stern <stern(a)rowland.harvard.edu> USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages Jens Axboe <axboe(a)kernel.dk> io_uring: check for non-NULL file pointer in io_file_can_poll() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors Matthew Wilcox (Oracle) <willy(a)infradead.org> nilfs2: return the mapped address from nilfs_get_page() Filipe Manana <fdmanana(a)suse.com> btrfs: fix leak of qgroup extent records after transaction abort Filipe Manana <fdmanana(a)suse.com> btrfs: make btrfs_destroy_delayed_refs() return void Filipe Manana <fdmanana(a)suse.com> btrfs: remove unnecessary prototype declarations at disk-io.c Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> wifi: ath10k: fix QCOM_RPROC_COMMON dependency Dev Jain <dev.jain(a)arm.com> selftests/mm: compaction_test: fix bogus test success on Aarch64 Mark Brown <broonie(a)kernel.org> selftests/mm: log a consistent test name for check_compaction Muhammad Usama Anjum <usama.anjum(a)collabora.com> selftests/mm: conform test to TAP format output Dev Jain <dev.jain(a)arm.com> selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages Hailong.Liu <hailong.liu(a)oppo.com> mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL Michal Hocko <mhocko(a)suse.com> mm, vmalloc: fix high order __GFP_NOFAIL allocations Hamish Martin <hamish.martin(a)alliedtelesis.co.nz> i2c: acpi: Unbind mux adapters before delete Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> i2c: add fwnode APIs Johan Hovold <johan+linaro(a)kernel.org> HID: i2c-hid: elan: fix reset suspend current leakage Cong Yang <yangcong5(a)huaqin.corp-partner.google.com> HID: i2c-hid: elan: Add ili9882t timing Gabor Juhos <j4g8y7(a)gmail.com> firmware: qcom_scm: disable clocks if qcom_scm_bw_enable() fails Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> mmc: davinci: Don't strip remove function when driver is builtin Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: replace hardcoded divisor value with BIT() macro Thomas Weißschuh <linux(a)weissschuh.net> misc/pvpanic-pci: register attributes via pci_driver Thomas Weißschuh <linux(a)weissschuh.net> misc/pvpanic: deduplicate common code Volodymyr Babchuk <Volodymyr_Babchuk(a)epam.com> arm64: dts: qcom: sa8155p-adp: fix SDHC2 CD pin configuration Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8150: align TLMM pin configuration with DT schema Hersen Wu <hersenxs.wu(a)amd.com> drm/amd/display: Fix incorrect DSC instance for MST Alexey Kodanev <aleksei.kodanev(a)bell-sw.com> drm/amd/display: drop unnecessary NULL checks in debugfs Max Filippov <jcmvbkbc(a)gmail.com> xtensa: fix MAKE_PC_FROM_RA second argument Randy Dunlap <rdunlap(a)infradead.org> xtensa: stacktrace: include <asm/ftrace.h> for prototype Hans de Goede <hdegoede(a)redhat.com> iio: accel: mxc4005: Reset chip on probe() and resume() Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: accel: mxc4005: allow module autoloading via OF compatible Wesley Cheng <quic_wcheng(a)quicinc.com> usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete John Keeping <john(a)metanate.com> usb: gadget: f_fs: use io_data->status consistently Qu Wenruo <wqu(a)suse.com> btrfs: fix wrong block_start calculation for btrfs_drop_extent_map_range() Johan Hovold <johan+linaro(a)kernel.org> Bluetooth: qca: fix invalid device address check Eric Dumazet <edumazet(a)google.com> ipv6: fix possible race in __fib6_drop_pcpu_from() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Use skb_queue_empty_lockless() in unix_release_sock(). Eric Dumazet <edumazet(a)google.com> af_unix: annotate lockless accesses to sk->sk_err Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of sk->sk_state in unix_stream_connect(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Annodate data-races around sk->sk_state for writers. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. Aleksandr Mishin <amishin(a)t-argos.ru> net: wwan: iosm: Fix tainted pointer delete is case of region creation fail Larysa Zaremba <larysa.zaremba(a)intel.com> ice: remove af_xdp_zc_qps bitmap Przemek Kitszel <przemyslaw.kitszel(a)intel.com> ice: remove null checks before devm_kfree() calls Michal Wilczynski <michal.wilczynski(a)intel.com> ice: Introduce new parameters in ice_sched_node Jacob Keller <jacob.e.keller(a)intel.com> ice: fix iteration of TLVs in Preserved Fields Area Karol Kolacinski <karol.kolacinski(a)intel.com> ptp: Fix error message on failed pin verification Eric Dumazet <edumazet(a)google.com> net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP Aleksandr Mishin <amishin(a)t-argos.ru> net/mlx5: Fix tainted pointer delete is case of flow rules creation fail Shay Drory <shayd(a)nvidia.com> net/mlx5: Always stop health timer during driver removal Shay Drory <shayd(a)nvidia.com> net/mlx5: Split function_setup() to enable and open functions Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Stop waiting for PCI if pci channel is offline Moshe Shemesh <moshe(a)mellanox.com> net/mlx5: Stop waiting for PCI up if teardown was triggered Jason Xing <kernelxing(a)tencent.com> tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB Daniel Borkmann <daniel(a)iogearbox.net> vxlan: Fix regression when dropping packets due to invalid src addresses Hangyu Hua <hbh25y(a)gmail.com> net: sched: sch_multiq: fix possible OOB write in multiq_tune() Wen Gu <guwen(a)linux.alibaba.com> net/smc: avoid overwriting when adjusting sock bufsizes Subbaraya Sundeep <sbhatta(a)marvell.com> octeontx2-af: Always allocate PF entries from low prioriy zone Jiri Olsa <jolsa(a)kernel.org> bpf: Set run context for rawtp test_run callback Eric Dumazet <edumazet(a)google.com> ipv6: sr: block BH in seg6_output_core() and seg6_input_core() Eric Dumazet <edumazet(a)google.com> ipv6: ioam: block BH from ioam6_output() DelphineCCChiu <delphine_cc_chiu(a)wiwynn.com> net/ncsi: Fix the multi thread manner of NCSI driver Peter Delevoryas <peter(a)pjd.dev> net/ncsi: Simplify Kconfig/dts control flow Duoming Zhou <duoming(a)zju.edu.cn> ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put() Lars Kellogg-Stedman <lars(a)oddbit.com> ax25: Fix refcount imbalance on inbound connections Lingbo Kong <quic_lingbok(a)quicinc.com> wifi: mac80211: correctly parse Spatial Reuse Parameter Set element Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't read past the mfuart notifcation Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mvm: check n_ssids before accessing the ssids Shahar S Matityahu <shahar.s.matityahu(a)intel.com> wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 Lin Ma <linma(a)zju.edu.cn> wifi: cfg80211: pmsr: use correct nla_get_uX functions Remi Pommarel <repk(a)triplefau.lt> wifi: cfg80211: Lock wiphy in cfg80211_get_station Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: fully move wiphy work to unbound workqueue Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() Nicolas Escande <nico.escande(a)gmail.com> wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/qcom/sa8155p-adp.dts | 86 +-- .../boot/dts/qcom/sm8150-microsoft-surface-duo.dts | 2 +- arch/arm64/boot/dts/qcom/sm8150.dtsi | 376 ++++------ arch/powerpc/include/asm/uaccess.h | 15 +- arch/riscv/mm/init.c | 21 +- arch/riscv/mm/pageattr.c | 28 +- arch/x86/boot/compressed/Makefile | 4 +- arch/x86/kernel/amd_nb.c | 9 +- arch/xtensa/include/asm/processor.h | 8 +- arch/xtensa/include/asm/ptrace.h | 2 +- arch/xtensa/kernel/process.c | 5 +- arch/xtensa/kernel/stacktrace.c | 4 +- drivers/base/core.c | 3 + drivers/block/null_blk/zoned.c | 2 +- drivers/bluetooth/btqca.c | 46 +- drivers/bluetooth/btqca.h | 2 + drivers/bluetooth/hci_qca.c | 2 - drivers/clk/sifive/sifive-prci.c | 8 - drivers/dma/dma-axi-dmac.c | 2 +- drivers/firmware/qcom_scm.c | 18 +- drivers/gpio/Kconfig | 2 +- drivers/gpio/gpio-tqmx86.c | 136 +++- .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 120 ++- .../drm/arm/display/komeda/komeda_pipeline_state.c | 2 +- drivers/gpu/drm/bridge/panel.c | 7 +- drivers/gpu/drm/exynos/exynos_drm_vidi.c | 7 +- drivers/gpu/drm/exynos/exynos_hdmi.c | 7 +- drivers/gpu/drm/i915/gem/i915_gem_object.h | 4 +- drivers/gpu/drm/i915/gt/intel_breadcrumbs.c | 15 +- drivers/gpu/drm/vmwgfx/Kconfig | 7 - drivers/gpu/drm/vmwgfx/Makefile | 2 - drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 65 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 38 +- drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 831 --------------------- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 353 +++------ drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 13 +- drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 5 +- drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 5 +- drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 47 +- drivers/greybus/interface.c | 1 + drivers/hid/hid-core.c | 1 - drivers/hid/hid-logitech-dj.c | 4 +- drivers/hid/i2c-hid/i2c-hid-of-elan.c | 103 ++- drivers/hwtracing/intel_th/pci.c | 25 + drivers/i2c/busses/i2c-at91-slave.c | 3 +- drivers/i2c/busses/i2c-designware-slave.c | 2 +- drivers/i2c/i2c-core-acpi.c | 30 +- drivers/i2c/i2c-core-base.c | 98 +++ drivers/i2c/i2c-core-of.c | 66 -- drivers/iio/accel/mxc4005.c | 76 ++ drivers/iio/adc/ad9467.c | 4 +- drivers/iio/dac/ad5592r-base.c | 2 +- drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 4 - drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 4 - drivers/input/input.c | 104 ++- drivers/iommu/amd/init.c | 9 + drivers/irqchip/irq-gic-v3-its.c | 44 +- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 9 +- drivers/misc/mei/pci-me.c | 4 +- drivers/misc/pvpanic/pvpanic-mmio.c | 58 +- drivers/misc/pvpanic/pvpanic-pci.c | 60 +- drivers/misc/pvpanic/pvpanic.c | 76 +- drivers/misc/pvpanic/pvpanic.h | 10 +- drivers/misc/vmw_vmci/vmci_event.c | 6 +- drivers/mmc/host/davinci_mmc.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c | 2 +- drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 11 +- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 8 +- drivers/net/ethernet/google/gve/gve_tx_dqo.c | 20 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 4 + drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 2 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 21 +- drivers/net/ethernet/intel/ice/ice.h | 32 +- drivers/net/ethernet/intel/ice/ice_adminq_cmd.h | 4 +- drivers/net/ethernet/intel/ice/ice_common.c | 9 +- drivers/net/ethernet/intel/ice/ice_controlq.c | 3 +- drivers/net/ethernet/intel/ice/ice_flow.c | 23 +- drivers/net/ethernet/intel/ice/ice_lib.c | 46 +- drivers/net/ethernet/intel/ice/ice_nvm.c | 28 +- drivers/net/ethernet/intel/ice/ice_sched.c | 90 ++- drivers/net/ethernet/intel/ice/ice_sched.h | 27 + drivers/net/ethernet/intel/ice/ice_switch.c | 19 +- drivers/net/ethernet/intel/ice/ice_type.h | 8 + drivers/net/ethernet/intel/ice/ice_xsk.c | 13 +- .../net/ethernet/marvell/octeontx2/af/rvu_npc.c | 33 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/fw.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/health.c | 12 + .../net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 8 +- .../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/main.c | 116 ++- drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +- drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 25 +- drivers/net/geneve.c | 10 +- drivers/net/phy/sfp.c | 3 +- drivers/net/vxlan/vxlan_core.c | 4 + drivers/net/wireless/ath/ath10k/Kconfig | 1 + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 - drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 +- drivers/net/wwan/iosm/iosm_ipc_devlink.c | 2 +- drivers/nvme/target/passthru.c | 6 +- drivers/pci/controller/pcie-rockchip-ep.c | 6 +- drivers/platform/x86/dell/dell-smbios-base.c | 92 +-- drivers/ptp/ptp_chardev.c | 3 +- drivers/remoteproc/ti_k3_r5_remoteproc.c | 58 +- drivers/scsi/mpi3mr/mpi3mr_app.c | 62 ++ drivers/scsi/mpt3sas/mpt3sas_base.c | 19 + drivers/scsi/mpt3sas/mpt3sas_base.h | 3 - drivers/scsi/mpt3sas/mpt3sas_ctl.c | 4 +- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 23 - drivers/scsi/scsi_transport_sas.c | 23 + drivers/scsi/sd.c | 17 +- drivers/spmi/hisi-spmi-controller.c | 1 - drivers/thunderbolt/debugfs.c | 5 +- drivers/tty/n_tty.c | 22 +- drivers/tty/serial/8250/8250_dw.c | 5 +- drivers/tty/serial/8250/8250_pxa.c | 1 + drivers/tty/serial/sc16is7xx.c | 25 +- drivers/usb/Makefile | 1 + drivers/usb/class/cdc-wdm.c | 4 +- drivers/usb/gadget/function/f_fs.c | 9 +- drivers/usb/host/xhci-pci.c | 7 + drivers/usb/host/xhci-ring.c | 59 +- drivers/usb/host/xhci.h | 1 + drivers/usb/storage/alauda.c | 9 +- drivers/usb/typec/tcpm/tcpm.c | 5 +- fs/btrfs/disk-io.c | 26 +- fs/btrfs/extent_map.c | 2 +- fs/btrfs/zoned.c | 330 ++++---- fs/cachefiles/daemon.c | 4 +- fs/cachefiles/interface.c | 7 +- fs/cachefiles/internal.h | 52 +- fs/cachefiles/ondemand.c | 324 ++++++-- fs/jfs/xattr.c | 4 +- fs/nfs/dir.c | 47 +- fs/nfs/nfs4proc.c | 23 +- fs/nfsd/nfsfh.c | 4 +- fs/nilfs2/dir.c | 59 +- fs/nilfs2/segment.c | 3 + fs/ocfs2/file.c | 2 + fs/ocfs2/namei.c | 2 +- fs/proc/vmcore.c | 2 + include/linux/i2c.h | 26 +- include/linux/pse-pd/pse.h | 4 +- include/linux/serial_core.h | 1 + include/net/bluetooth/hci_core.h | 36 +- include/net/ip_tunnels.h | 5 +- include/scsi/scsi_transport_sas.h | 2 + include/trace/events/cachefiles.h | 8 +- io_uring/kbuf.c | 3 +- kernel/events/core.c | 13 + kernel/fork.c | 18 +- kernel/pid_namespace.c | 1 + kernel/time/tick-common.c | 42 +- mm/memory-failure.c | 11 +- mm/vmalloc.c | 29 +- net/ax25/af_ax25.c | 6 + net/ax25/ax25_dev.c | 2 +- net/bluetooth/l2cap_core.c | 8 +- net/bpf/test_run.c | 6 + net/bridge/br_mst.c | 13 +- net/core/sock_map.c | 16 +- net/ipv4/tcp.c | 6 +- net/ipv6/ioam6_iptunnel.c | 8 +- net/ipv6/ip6_fib.c | 6 +- net/ipv6/route.c | 5 +- net/ipv6/seg6_iptunnel.c | 14 +- net/ipv6/tcp_ipv6.c | 3 +- net/mac80211/he.c | 10 +- net/mac80211/mesh_pathtbl.c | 13 + net/mac80211/sta_info.c | 4 +- net/mptcp/pm_netlink.c | 21 +- net/mptcp/protocol.c | 1 + net/ncsi/internal.h | 2 + net/ncsi/ncsi-manage.c | 95 +-- net/ncsi/ncsi-rsp.c | 4 +- net/netfilter/ipset/ip_set_core.c | 93 ++- net/netfilter/ipset/ip_set_list_set.c | 30 +- net/sched/sch_multiq.c | 2 +- net/sched/sch_taprio.c | 15 +- net/smc/af_smc.c | 22 +- net/sunrpc/auth_gss/auth_gss.c | 4 +- net/unix/af_unix.c | 109 ++- net/unix/diag.c | 12 +- net/wireless/core.c | 2 +- net/wireless/pmsr.c | 8 +- net/wireless/sysfs.c | 4 +- net/wireless/util.c | 7 +- security/landlock/fs.c | 13 +- tools/testing/cxl/test/mem.c | 1 + .../ftrace/test.d/dynevent/test_duplicates.tc | 2 +- .../ftrace/test.d/kprobe/kprobe_eventname.tc | 3 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 5 +- tools/testing/selftests/vm/compaction_test.c | 108 +-- 197 files changed, 2950 insertions(+), 3037 deletions(-)

1 year, 2 months

15
236
0 0

[PATCH AUTOSEL 4.19 1/2] fs/file: fix the check in find_next_fd()

by Sasha Levin

From: Yuntao Wang <yuntao.wang(a)linux.dev> [ Upstream commit ed8c7fbdfe117abbef81f65428ba263118ef298a ] The maximum possible return value of find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) is maxbit. This return value, multiplied by BITS_PER_LONG, gives the value of bitbit, which can never be greater than maxfd, it can only be equal to maxfd at most, so the following check 'if (bitbit > maxfd)' will never be true. Moreover, when bitbit equals maxfd, it indicates that there are no unused fds, and the function can directly return. Fix this check. Signed-off-by: Yuntao Wang <yuntao.wang(a)linux.dev> Link: https://lore.kernel.org/r/20240529160656.209352-1-yuntao.wang@linux.dev Reviewed-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/file.c b/fs/file.c index 928ba7b8df1e9..f5ba0e6f1a4c6 100644 --- a/fs/file.c +++ b/fs/file.c @@ -462,12 +462,12 @@ struct files_struct init_files = { static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start) { - unsigned int maxfd = fdt->max_fds; + unsigned int maxfd = fdt->max_fds; /* always multiple of BITS_PER_LONG */ unsigned int maxbit = maxfd / BITS_PER_LONG; unsigned int bitbit = start / BITS_PER_LONG; bitbit = find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) * BITS_PER_LONG; - if (bitbit > maxfd) + if (bitbit >= maxfd) return maxfd; if (bitbit > start) start = bitbit; -- 2.43.0

1 year, 2 months

1
1
0 0

[PATCH AUTOSEL 5.4 1/2] fs/file: fix the check in find_next_fd()

by Sasha Levin

From: Yuntao Wang <yuntao.wang(a)linux.dev> [ Upstream commit ed8c7fbdfe117abbef81f65428ba263118ef298a ] The maximum possible return value of find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) is maxbit. This return value, multiplied by BITS_PER_LONG, gives the value of bitbit, which can never be greater than maxfd, it can only be equal to maxfd at most, so the following check 'if (bitbit > maxfd)' will never be true. Moreover, when bitbit equals maxfd, it indicates that there are no unused fds, and the function can directly return. Fix this check. Signed-off-by: Yuntao Wang <yuntao.wang(a)linux.dev> Link: https://lore.kernel.org/r/20240529160656.209352-1-yuntao.wang@linux.dev Reviewed-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/file.c b/fs/file.c index e56059fa1b309..64892b7444191 100644 --- a/fs/file.c +++ b/fs/file.c @@ -462,12 +462,12 @@ struct files_struct init_files = { static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start) { - unsigned int maxfd = fdt->max_fds; + unsigned int maxfd = fdt->max_fds; /* always multiple of BITS_PER_LONG */ unsigned int maxbit = maxfd / BITS_PER_LONG; unsigned int bitbit = start / BITS_PER_LONG; bitbit = find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) * BITS_PER_LONG; - if (bitbit > maxfd) + if (bitbit >= maxfd) return maxfd; if (bitbit > start) start = bitbit; -- 2.43.0

1 year, 2 months

1
1
0 0

[PATCH AUTOSEL 5.10 1/2] fs/file: fix the check in find_next_fd()

by Sasha Levin

From: Yuntao Wang <yuntao.wang(a)linux.dev> [ Upstream commit ed8c7fbdfe117abbef81f65428ba263118ef298a ] The maximum possible return value of find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) is maxbit. This return value, multiplied by BITS_PER_LONG, gives the value of bitbit, which can never be greater than maxfd, it can only be equal to maxfd at most, so the following check 'if (bitbit > maxfd)' will never be true. Moreover, when bitbit equals maxfd, it indicates that there are no unused fds, and the function can directly return. Fix this check. Signed-off-by: Yuntao Wang <yuntao.wang(a)linux.dev> Link: https://lore.kernel.org/r/20240529160656.209352-1-yuntao.wang@linux.dev Reviewed-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/file.c b/fs/file.c index fdb84a64724b7..913f7d897d2fc 100644 --- a/fs/file.c +++ b/fs/file.c @@ -494,12 +494,12 @@ struct files_struct init_files = { static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start) { - unsigned int maxfd = fdt->max_fds; + unsigned int maxfd = fdt->max_fds; /* always multiple of BITS_PER_LONG */ unsigned int maxbit = maxfd / BITS_PER_LONG; unsigned int bitbit = start / BITS_PER_LONG; bitbit = find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) * BITS_PER_LONG; - if (bitbit > maxfd) + if (bitbit >= maxfd) return maxfd; if (bitbit > start) start = bitbit; -- 2.43.0

1 year, 2 months

1
1
0 0

[PATCH AUTOSEL 5.15 1/3] fs/file: fix the check in find_next_fd()

by Sasha Levin

From: Yuntao Wang <yuntao.wang(a)linux.dev> [ Upstream commit ed8c7fbdfe117abbef81f65428ba263118ef298a ] The maximum possible return value of find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) is maxbit. This return value, multiplied by BITS_PER_LONG, gives the value of bitbit, which can never be greater than maxfd, it can only be equal to maxfd at most, so the following check 'if (bitbit > maxfd)' will never be true. Moreover, when bitbit equals maxfd, it indicates that there are no unused fds, and the function can directly return. Fix this check. Signed-off-by: Yuntao Wang <yuntao.wang(a)linux.dev> Link: https://lore.kernel.org/r/20240529160656.209352-1-yuntao.wang@linux.dev Reviewed-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/file.c b/fs/file.c index 69a51d37b66d9..b46a4a725a0ef 100644 --- a/fs/file.c +++ b/fs/file.c @@ -481,12 +481,12 @@ struct files_struct init_files = { static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start) { - unsigned int maxfd = fdt->max_fds; + unsigned int maxfd = fdt->max_fds; /* always multiple of BITS_PER_LONG */ unsigned int maxbit = maxfd / BITS_PER_LONG; unsigned int bitbit = start / BITS_PER_LONG; bitbit = find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) * BITS_PER_LONG; - if (bitbit > maxfd) + if (bitbit >= maxfd) return maxfd; if (bitbit > start) start = bitbit; -- 2.43.0

1 year, 2 months

1
2
0 0

[PATCH AUTOSEL 6.1 01/12] NFSv4: Fix memory leak in nfs4_set_security_label

by Sasha Levin

From: Dmitry Mastykin <mastichi(a)gmail.com> [ Upstream commit aad11473f8f4be3df86461081ce35ec5b145ba68 ] We leak nfs_fattr and nfs4_label every time we set a security xattr. Signed-off-by: Dmitry Mastykin <mastichi(a)gmail.com> Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/nfs/nfs4proc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index ec641a8f6604b..cc620fc7aaf7b 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -6274,6 +6274,7 @@ nfs4_set_security_label(struct inode *inode, const void *buf, size_t buflen) if (status == 0) nfs_setsecurity(inode, fattr); + nfs_free_fattr(fattr); return status; } #endif /* CONFIG_NFS_V4_SECURITY_LABEL */ -- 2.43.0

1 year, 2 months

1
11
0 0

[PATCH AUTOSEL 6.6 01/16] NFSv4: Fix memory leak in nfs4_set_security_label

by Sasha Levin

From: Dmitry Mastykin <mastichi(a)gmail.com> [ Upstream commit aad11473f8f4be3df86461081ce35ec5b145ba68 ] We leak nfs_fattr and nfs4_label every time we set a security xattr. Signed-off-by: Dmitry Mastykin <mastichi(a)gmail.com> Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/nfs/nfs4proc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index f0953200acd08..05490d4784f1a 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -6268,6 +6268,7 @@ nfs4_set_security_label(struct inode *inode, const void *buf, size_t buflen) if (status == 0) nfs_setsecurity(inode, fattr); + nfs_free_fattr(fattr); return status; } #endif /* CONFIG_NFS_V4_SECURITY_LABEL */ -- 2.43.0

1 year, 2 months

1
15
0 0

[PATCH AUTOSEL 6.9 01/21] NFSv4: Fix memory leak in nfs4_set_security_label

by Sasha Levin

From: Dmitry Mastykin <mastichi(a)gmail.com> [ Upstream commit aad11473f8f4be3df86461081ce35ec5b145ba68 ] We leak nfs_fattr and nfs4_label every time we set a security xattr. Signed-off-by: Dmitry Mastykin <mastichi(a)gmail.com> Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/nfs/nfs4proc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 3a816c4a6d5e2..a691fa10b3e95 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -6289,6 +6289,7 @@ nfs4_set_security_label(struct inode *inode, const void *buf, size_t buflen) if (status == 0) nfs_setsecurity(inode, fattr); + nfs_free_fattr(fattr); return status; } #endif /* CONFIG_NFS_V4_SECURITY_LABEL */ -- 2.43.0

1 year, 2 months

1
20
0 0

[PATCH 1/6] mei: vsc: Enhance IVSC chipset reset toggling

by Wentong Wu

Implementing the hardware recommendation to toggle the chipset reset. Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") Cc: stable(a)vger.kernel.org # for 6.8+ Signed-off-by: Wentong Wu <wentong.wu(a)intel.com> Tested-by: Jason Chen <jason.z.chen(a)intel.com> --- drivers/misc/mei/vsc-tp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index e6a98dba8a73..dcab5174bf00 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -350,6 +350,8 @@ void vsc_tp_reset(struct vsc_tp *tp) disable_irq(tp->spi->irq); /* toggle reset pin */ + gpiod_set_value_cansleep(tp->resetfw, 1); + msleep(VSC_TP_RESET_PIN_TOGGLE_INTERVAL_MS); gpiod_set_value_cansleep(tp->resetfw, 0); msleep(VSC_TP_RESET_PIN_TOGGLE_INTERVAL_MS); gpiod_set_value_cansleep(tp->resetfw, 1); -- 2.34.1

1 year, 2 months

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror