- Linux-stable-mirror - lists.linaro.org

[PATCH 6.6 ONLY] s390/cpum_cf: Fix uninitialized warning after backport of ce971233242b

by Nathan Chancellor

Upstream commit ce971233242b ("s390/cpum_cf: Deny all sampling events by counter PMU"), backported to 6.6 as commit d660c8d8142e ("s390/cpum_cf: Deny all sampling events by counter PMU"), implicitly depends on the unconditional initialization of err to -ENOENT added by upstream commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()"). The latter change is missing from 6.6, resulting in an instance of -Wuninitialized, which is fairly obvious from looking at the actual diff. arch/s390/kernel/perf_cpum_cf.c:858:10: warning: variable 'err' is uninitialized when used here [-Wuninitialized] 858 | return err; | ^~~ Commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()") depends on commit c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path"), which is a part of a much larger series unsuitable for stable. Extract the unconditional initialization of err to -ENOENT from commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()") and apply it to 6.6 as a standalone change to resolve the warning. Fixes: d660c8d8142e ("s390/cpum_cf: Deny all sampling events by counter PMU") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- This was reported on 6.1 and the offending commit was dropped but 6.6 suffered from the same issue (I am surprised LKFT's testing caught it in the 6.1 case but not 6.6...): https://lore.kernel.org/CADYN=9Li3gHMJ+weE0khMBmpS1Wcj-XaUeaUZg2Nxdz0qY9sdg… As it is already released, I figured I would just submit a fixup patch, which could also be used to fix the issue in 6.1. --- arch/s390/kernel/perf_cpum_cf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c index 771e1cb17540..e590b4c09625 100644 --- a/arch/s390/kernel/perf_cpum_cf.c +++ b/arch/s390/kernel/perf_cpum_cf.c @@ -852,7 +852,7 @@ static int cpumf_pmu_event_type(struct perf_event *event) static int cpumf_pmu_event_init(struct perf_event *event) { unsigned int type = event->attr.type; - int err; + int err = -ENOENT; if (is_sampling_event(event)) /* No sampling support */ return err; @@ -861,8 +861,6 @@ static int cpumf_pmu_event_init(struct perf_event *event) else if (event->pmu->type == type) /* Registered as unknown PMU */ err = __hw_perf_event_init(event, cpumf_pmu_event_type(event)); - else - return -ENOENT; if (unlikely(err) && event->destroy) event->destroy(event); --- base-commit: af1544b5d072514b219695b0a9fba0b1e0d5e289 change-id: 20250922-6-6-s390-cpum_cf-fix-uninit-err-010876c3d58c Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks

1
0
0 0

[tip: x86/urgent] x86/topology: Implement topology_is_core_online() to address SMT regression

by tip-bot2 for Thomas Gleixner

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 2066f00e5b2dc061fb6d8c88fadaebc97f11feaa Gitweb: https://git.kernel.org/tip/2066f00e5b2dc061fb6d8c88fadaebc97f11feaa Author: Thomas Gleixner <tglx(a)linutronix.de> AuthorDate: Sun, 21 Sep 2025 10:56:40 +02:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Mon, 22 Sep 2025 21:25:36 +02:00 x86/topology: Implement topology_is_core_online() to address SMT regression Christian reported that commit a430c11f4015 ("intel_idle: Rescan "dead" SMT siblings during initialization") broke the use case in which both 'nosmt' and 'maxcpus' are on the kernel command line because it onlines primary threads, which were offline due to the maxcpus limit. The initially proposed fix to skip primary threads in the loop is inconsistent. While it prevents the primary thread to be onlined, it then onlines the corresponding hyperthread(s), which does not really make sense. The CPU iterator in cpuhp_smt_enable() contains a check which excludes all threads of a core, when the primary thread is offline. The default implementation is a NOOP and therefore not effective on x86. Implement topology_is_core_online() on x86 to address this issue. This makes the behaviour consistent between x86 and PowerPC. Fixes: a430c11f4015 ("intel_idle: Rescan "dead" SMT siblings during initialization") Fixes: f694481b1d31 ("ACPI: processor: Rescan "dead" SMT siblings during initialization") Closes: https://lore.kernel.org/linux-pm/724616a2-6374-4ba3-8ce3-ea9c45e2ae3b@arm.c… Reported-by: Christian Loehle <christian.loehle(a)arm.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Rafael J. Wysocki (Intel) <rafael(a)kernel.org> Tested-by: Christian Loehle <christian.loehle(a)arm.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/12740505.O9o76ZdvQC@rafael.j.wysocki --- arch/x86/include/asm/topology.h | 10 ++++++++++ arch/x86/kernel/cpu/topology.c | 13 +++++++++++++ 2 files changed, 23 insertions(+) diff --git a/arch/x86/include/asm/topology.h b/arch/x86/include/asm/topology.h index 6c79ee7..2104189 100644 --- a/arch/x86/include/asm/topology.h +++ b/arch/x86/include/asm/topology.h @@ -231,6 +231,16 @@ static inline bool topology_is_primary_thread(unsigned int cpu) } #define topology_is_primary_thread topology_is_primary_thread +int topology_get_primary_thread(unsigned int cpu); + +static inline bool topology_is_core_online(unsigned int cpu) +{ + int pcpu = topology_get_primary_thread(cpu); + + return pcpu >= 0 ? cpu_online(pcpu) : false; +} +#define topology_is_core_online topology_is_core_online + #else /* CONFIG_SMP */ static inline int topology_phys_to_logical_pkg(unsigned int pkg) { return 0; } static inline int topology_max_smt_threads(void) { return 1; } diff --git a/arch/x86/kernel/cpu/topology.c b/arch/x86/kernel/cpu/topology.c index e35ccdc..6073a16 100644 --- a/arch/x86/kernel/cpu/topology.c +++ b/arch/x86/kernel/cpu/topology.c @@ -372,6 +372,19 @@ unsigned int topology_unit_count(u32 apicid, enum x86_topology_domains which_uni return topo_unit_count(lvlid, at_level, apic_maps[which_units].map); } +#ifdef CONFIG_SMP +int topology_get_primary_thread(unsigned int cpu) +{ + u32 apic_id = cpuid_to_apicid[cpu]; + + /* + * Get the core domain level APIC id, which is the primary thread + * and return the CPU number assigned to it. + */ + return topo_lookup_cpuid(topo_apicid(apic_id, TOPO_CORE_DOMAIN)); +} +#endif + #ifdef CONFIG_ACPI_HOTPLUG_CPU /** * topology_hotplug_apic - Handle a physical hotplugged APIC after boot

3 weeks

1
0
0 0

[PATCH] of: unittest: Fix device reference count leak in of_unittest_pci_node_verify

by Ma Ke

In of_unittest_pci_node_verify(), when the add parameter is false, device_find_any_child() obtains a reference to a child device. This function implicitly calls get_device() to increment the device's reference count before returning the pointer. However, the caller fails to properly release this reference by calling put_device(), leading to a device reference count leak. As the comment of device_find_any_child states: "NOTE: you will need to drop the reference with put_device() after use". Cc: stable(a)vger.kernel.org Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/of/unittest.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c index e3503ec20f6c..d225e73781fe 100644 --- a/drivers/of/unittest.c +++ b/drivers/of/unittest.c @@ -4271,7 +4271,7 @@ static struct platform_driver unittest_pci_driver = { static int of_unittest_pci_node_verify(struct pci_dev *pdev, bool add) { struct device_node *pnp, *np = NULL; - struct device *child_dev; + struct device *child_dev = NULL; char *path = NULL; const __be32 *reg; int rc = 0; @@ -4306,6 +4306,8 @@ static int of_unittest_pci_node_verify(struct pci_dev *pdev, bool add) kfree(path); if (np) of_node_put(np); + if (child_dev) + put_device(child_dev); return rc; } -- 2.17.1

3 weeks

2
1
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092107-making-cough-9671@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

3 weeks

2
2
0 0

[PATCH v6] ACPI: battery: prevent sysfs_add_battery re-entry on rapid events

by GuangFei Luo

When removing and reinserting the laptop battery, ACPI can trigger two notifications in quick succession: - ACPI_BATTERY_NOTIFY_STATUS (0x80) - ACPI_BATTERY_NOTIFY_INFO (0x81) Both notifications call acpi_battery_update(). Because the events happen very close in time, sysfs_add_battery() can be re-entered before battery->bat is set, causing a duplicate sysfs entry error. When the ACPI battery driver uses acpi_dev_install_notify_handler() to register acpi_battery_notify, the callback may be triggered twice in a very short period of time. This patch ensures that sysfs_add_battery() is not re-entered when battery->bat is already non-NULL, preventing the duplicate sysfs creation and stabilizing battery hotplug handling. [ 476.117945] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 476.118896] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 476.118903] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 476.118906] Workqueue: kacpi_notify acpi_os_execute_deferred [ 476.118917] Call Trace: [ 476.118922] <TASK> [ 476.118929] dump_stack_lvl+0x5d/0x80 [ 476.118938] sysfs_warn_dup.cold+0x17/0x23 [ 476.118943] sysfs_create_dir_ns+0xce/0xe0 [ 476.118952] kobject_add_internal+0xba/0x250 [ 476.118959] kobject_add+0x96/0xc0 [ 476.118964] ? get_device_parent+0xde/0x1e0 [ 476.118970] device_add+0xe2/0x870 [ 476.118975] __power_supply_register.part.0+0x20f/0x3f0 [ 476.118981] ? wake_up_q+0x4e/0x90 [ 476.118990] sysfs_add_battery+0xa4/0x1d0 [battery] [ 476.118998] acpi_battery_update+0x19e/0x290 [battery] [ 476.119002] acpi_battery_notify+0x50/0x120 [battery] [ 476.119006] acpi_ev_notify_dispatch+0x49/0x70 [ 476.119012] acpi_os_execute_deferred+0x1a/0x30 [ 476.119015] process_one_work+0x177/0x330 [ 476.119022] worker_thread+0x251/0x390 [ 476.119026] ? __pfx_worker_thread+0x10/0x10 [ 476.119030] kthread+0xd2/0x100 [ 476.119033] ? __pfx_kthread+0x10/0x10 [ 476.119035] ret_from_fork+0x34/0x50 [ 476.119040] ? __pfx_kthread+0x10/0x10 [ 476.119042] ret_from_fork_asm+0x1a/0x30 [ 476.119049] </TASK> [ 476.142552] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. [ 476.415022] ata1.00: unexpected _GTF length (8) [ 476.428076] sd 0:0:0:0: [sda] Starting disk [ 476.835035] ata1.00: unexpected _GTF length (8) [ 476.839720] ata1.00: configured for UDMA/133 [ 491.328831] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 491.329720] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 491.329727] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 491.329731] Workqueue: kacpi_notify acpi_os_execute_deferred [ 491.329741] Call Trace: [ 491.329745] <TASK> [ 491.329751] dump_stack_lvl+0x5d/0x80 [ 491.329758] sysfs_warn_dup.cold+0x17/0x23 [ 491.329762] sysfs_create_dir_ns+0xce/0xe0 [ 491.329770] kobject_add_internal+0xba/0x250 [ 491.329775] kobject_add+0x96/0xc0 [ 491.329779] ? get_device_parent+0xde/0x1e0 [ 491.329784] device_add+0xe2/0x870 [ 491.329790] __power_supply_register.part.0+0x20f/0x3f0 [ 491.329797] sysfs_add_battery+0xa4/0x1d0 [battery] [ 491.329805] acpi_battery_update+0x19e/0x290 [battery] [ 491.329809] acpi_battery_notify+0x50/0x120 [battery] [ 491.329812] acpi_ev_notify_dispatch+0x49/0x70 [ 491.329817] acpi_os_execute_deferred+0x1a/0x30 [ 491.329820] process_one_work+0x177/0x330 [ 491.329826] worker_thread+0x251/0x390 [ 491.329830] ? __pfx_worker_thread+0x10/0x10 [ 491.329833] kthread+0xd2/0x100 [ 491.329836] ? __pfx_kthread+0x10/0x10 [ 491.329838] ret_from_fork+0x34/0x50 [ 491.329842] ? __pfx_kthread+0x10/0x10 [ 491.329844] ret_from_fork_asm+0x1a/0x30 [ 491.329850] </TASK> [ 491.329855] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. Fixes: 10666251554c ("ACPI: battery: Install Notify() handler directly") Signed-off-by: GuangFei Luo <luogf2025(a)163.com> Cc: stable(a)vger.kernel.org --- v6: - Update Fixes tag: point to commit 10666251554c ("ACPI: battery: Install Notify() handler directly"), which introduced the sysfs_add_battery() re-entry issue when acpi_battery_notify is registered via acpi_dev_install_notify_handler(). The problem does not occur with acpi_bus_register_driver(). v5: - Move changelog above the '---' line as per submission guidelines. v4: - Uses guard(mutex) for battery->sysfs_lock in sysfs_add_battery(). - Since sysfs_add_battery() now handles the battery->bat check with proper locking,the extra if (!battery->bat) check at the call site has become redundant. v3: - Modified the earlier approach: since sysfs_add_battery() is invoked from multiple places, the most reliable way is to add the lock inside the function itself. - sysfs_remove_battery() had a similar race issue in the past, which was fixed by adding a lock as well. Reference: https://lore.kernel.org/all/9c921c22a7f33397a6774d7fa076db9b6a0fd669 .1312318300.git.len.brown(a)intel.com/ v2: - Fix missing mutex_unlock in acpi_battery_update() (Reported-by: kernel test robot) v1: - Initial patch to handle race when hotplugging battery, preventing duplicate sysfs entries. --- drivers/acpi/battery.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 6905b56bf3e4..20d68f3e881f 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -850,6 +850,10 @@ static void __exit battery_hook_exit(void) static int sysfs_add_battery(struct acpi_battery *battery) { + guard(mutex)(&battery->sysfs_lock); + if (battery->bat) + return 0; + struct power_supply_config psy_cfg = { .drv_data = battery, .attr_grp = acpi_battery_groups, @@ -1026,11 +1030,9 @@ static int acpi_battery_update(struct acpi_battery *battery, bool resume) return result; acpi_battery_quirks(battery); - if (!battery->bat) { - result = sysfs_add_battery(battery); - if (result) - return result; - } + result = sysfs_add_battery(battery); + if (result) + return result; /* * Wakeup the system if battery is critical low @@ -1112,12 +1114,12 @@ static int battery_notify(struct notifier_block *nb, result = acpi_battery_get_info(battery); if (result) return result; - - result = sysfs_add_battery(battery); - if (result) - return result; } + result = sysfs_add_battery(battery); + if (result) + return result; + acpi_battery_init_alarm(battery); acpi_battery_get_state(battery); break; -- 2.43.0

3 weeks

2
1
0 0

[PATCH] Revert "loop: Avoid updating block size under exclusive owner"

by Eric Hagberg

This reverts commit ce8da5d13d8c ("loop: Avoid updating block size under exclusive owner") for the 6.6 kernel, because if the LTP ioctl_loop06 test is run with this patch in place, the test will fail, it leaves the host unable to kexec into the kernel again (hangs forever) and "losetup -a" will hang on attempting to access the /dev/loopN device that the test has set up. The patch doesn't need to be reverted from 6.12, as it works fine there. Cc: stable(a)vger.kernel.org # 6.6.x Signed-off-by: Eric Hagberg <ehagberg(a)janestreet.com> --- --- b/drivers/block/loop.c +++ a/drivers/block/loop.c @@ -1472,36 +1472,19 @@ return error; } +static int loop_set_block_size(struct loop_device *lo, unsigned long arg) -static int loop_set_block_size(struct loop_device *lo, blk_mode_t mode, - struct block_device *bdev, unsigned long arg) { int err = 0; + if (lo->lo_state != Lo_bound) + return -ENXIO; - /* - * If we don't hold exclusive handle for the device, upgrade to it - * here to avoid changing device under exclusive owner. - */ - if (!(mode & BLK_OPEN_EXCL)) { - err = bd_prepare_to_claim(bdev, loop_set_block_size, NULL); - if (err) - return err; - } - - err = mutex_lock_killable(&lo->lo_mutex); - if (err) - goto abort_claim; - - if (lo->lo_state != Lo_bound) { - err = -ENXIO; - goto unlock; - } err = blk_validate_block_size(arg); if (err) return err; if (lo->lo_queue->limits.logical_block_size == arg) + return 0; - goto unlock; sync_blockdev(lo->lo_device); invalidate_bdev(lo->lo_device); @@ -1513,11 +1496,6 @@ loop_update_dio(lo); blk_mq_unfreeze_queue(lo->lo_queue); -unlock: - mutex_unlock(&lo->lo_mutex); -abort_claim: - if (!(mode & BLK_OPEN_EXCL)) - bd_abort_claiming(bdev, loop_set_block_size); return err; } @@ -1536,6 +1514,9 @@ case LOOP_SET_DIRECT_IO: err = loop_set_dio(lo, arg); break; + case LOOP_SET_BLOCK_SIZE: + err = loop_set_block_size(lo, arg); + break; default: err = -EINVAL; } @@ -1590,12 +1571,9 @@ break; case LOOP_GET_STATUS64: return loop_get_status64(lo, argp); - case LOOP_SET_BLOCK_SIZE: - if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN)) - return -EPERM; - return loop_set_block_size(lo, mode, bdev, arg); case LOOP_SET_CAPACITY: case LOOP_SET_DIRECT_IO: + case LOOP_SET_BLOCK_SIZE: if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN)) return -EPERM; fallthrough;

3 weeks

1
0
0 0

[PATCH v2] scsi: dc395x: correctly discard the return value in certain reads

by Xinhui Yang

There are certain read operations performed in this code which doesn't really don't need its return value. Those read operations either clears the FIFO buffer, or clears the interruption status. However, unused read triggers compiler warnings. With CONFIG_WERROR on, these warnings get converted into errors: drivers/scsi/dc395x.c: In function ‘__dc395x_eh_bus_reset’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:1003:9: note: in expansion of macro ‘DC395x_read8’ 1003 | DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); | ^~~~~~~~~~~~ drivers/scsi/dc395x.c: In function ‘data_io_transfer’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:2032:33: note: in expansion of macro ‘DC395x_read8’ 2032 | DC395x_read8(acb, TRM_S1040_SCSI_FIFO); Create a new macro DC395x_peek8() to deliberately cast the return value to void, which tells the compiler we really don't need the return value of such read operations. Other changes: * Also slightly modify the formatting of the DC395x_* macros. Cc: stable(a)vger.kernel.org Signed-off-by: Xinhui Yang <cyan(a)cyano.uk> --- Changes since v1 [1]: - Add Cc: tag to include this patch to the stable tree. - Add additional description about the formatting changes. [1]: https://lore.kernel.org/linux-scsi/20250922143619.824129-1-cyan@cyano.uk --- drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c index 386c8359e1cc..013d0d5277d6 100644 --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -91,15 +91,21 @@ #endif -#define DC395x_LOCK_IO(dev,flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_UNLOCK_IO(dev,flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_LOCK_IO(dev, flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_UNLOCK_IO(dev, flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) -#define DC395x_read16(acb,address) (u16)(inw(acb->io_port_base + (address))) -#define DC395x_read32(acb,address) (u32)(inl(acb->io_port_base + (address))) -#define DC395x_write8(acb,address,value) outb((value), acb->io_port_base + (address)) -#define DC395x_write16(acb,address,value) outw((value), acb->io_port_base + (address)) -#define DC395x_write32(acb,address,value) outl((value), acb->io_port_base + (address)) +/* + * read operations that may trigger side effects in the hardware, + * but the value can or should be discarded. + */ +#define DC395x_peek8(acb, address) ((void)(inb(acb->io_port_base + (address)))) +/* Normal read write operations goes here. */ +#define DC395x_read8(acb, address) ((u8) (inb(acb->io_port_base + (address)))) +#define DC395x_read16(acb, address) ((u16) (inw(acb->io_port_base + (address)))) +#define DC395x_read32(acb, address) ((u32) (inl(acb->io_port_base + (address)))) +#define DC395x_write8(acb, address, value) (outb((value), acb->io_port_base + (address))) +#define DC395x_write16(acb, address, value) (outw((value), acb->io_port_base + (address))) +#define DC395x_write32(acb, address, value) (outl((value), acb->io_port_base + (address))) #define TAG_NONE 255 @@ -1000,7 +1006,7 @@ static int __dc395x_eh_bus_reset(struct scsi_cmnd *cmd) DC395x_write8(acb, TRM_S1040_DMA_CONTROL, CLRXFIFO); clear_fifo(acb, "eh_bus_reset"); /* Delete pending IRQ */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); set_basic_config(acb); reset_dev_param(acb); @@ -2029,8 +2035,8 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, DC395x_write8(acb, TRM_S1040_SCSI_CONFIG2, CFG2_WIDEFIFO); if (io_dir & DMACMD_DIR) { - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); } else { /* Danger, Robinson: If you find KGs * scattered over the wide disk, the driver @@ -2044,7 +2050,7 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, /* Danger, Robinson: If you find a collection of Ks on your disk * something broke :-( */ if (io_dir & DMACMD_DIR) - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); else DC395x_write8(acb, TRM_S1040_SCSI_FIFO, 'K'); } @@ -2892,7 +2898,7 @@ static void set_basic_config(struct AdapterCtlBlk *acb) DMA_FIFO_HALF_HALF | DMA_ENHANCE /*| DMA_MEM_MULTI_READ */ ; DC395x_write16(acb, TRM_S1040_DMA_CONFIG, wval); /* Clear pending interrupt status */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); /* Enable SCSI interrupt */ DC395x_write8(acb, TRM_S1040_SCSI_INTEN, 0x7F); DC395x_write8(acb, TRM_S1040_DMA_INTEN, EN_SCSIINTR | EN_DMAXFERERROR @@ -3799,7 +3805,7 @@ static void adapter_uninit_chip(struct AdapterCtlBlk *acb) reset_scsi_bus(acb); /* clear any pending interrupt state */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); } -- 2.51.0

3 weeks

2
1
0 0

[PATCH v2] powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org --- changelog: v2: - Return -ENOMEM directly on allocation failure. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- arch/powerpc/kernel/smp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..cfccb9389760 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,8 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

3 weeks

3
4
0 0

[PATCH 6.17 REGRESSION FIX] gpiolib: acpi: Make set debounce errors non fatal

by Hans de Goede

Commit 16c07342b542 ("gpiolib: acpi: Program debounce when finding GPIO") adds a gpio_set_debounce_timeout() call to acpi_find_gpio() and makes acpi_find_gpio() fail if this fails. But gpio_set_debounce_timeout() failing is a somewhat normal occurrence, since not all debounce values are supported on all GPIO/pinctrl chips. Making this an error for example break getting the card-detect GPIO for the micro-sd slot found on many Bay Trail tablets, breaking support for the micro-sd slot on these tablets. acpi_request_own_gpiod() already treats gpio_set_debounce_timeout() failures as non-fatal, just warning about them. Add a acpi_gpio_set_debounce_timeout() helper which wraps gpio_set_debounce_timeout() and warns on failures and replace both existing gpio_set_debounce_timeout() calls with the helper. Since the helper only warns on failures this fixes the card-detect issue. Fixes: 16c07342b542 ("gpiolib: acpi: Program debounce when finding GPIO") Cc: stable(a)vger.kernel.org Cc: Mario Limonciello <superm1(a)kernel.org> Signed-off-by: Hans de Goede <hansg(a)kernel.org> --- drivers/gpio/gpiolib-acpi-core.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c index 284e762d92c4..67c4c38afb86 100644 --- a/drivers/gpio/gpiolib-acpi-core.c +++ b/drivers/gpio/gpiolib-acpi-core.c @@ -291,6 +291,19 @@ acpi_gpio_to_gpiod_flags(const struct acpi_resource_gpio *agpio, int polarity) return GPIOD_ASIS; } +static void acpi_gpio_set_debounce_timeout(struct gpio_desc *desc, + unsigned int acpi_debounce) +{ + int ret; + + /* ACPI uses hundredths of milliseconds units */ + acpi_debounce *= 10; + ret = gpio_set_debounce_timeout(desc, acpi_debounce); + if (ret) + gpiod_warn(desc, "Failed to set debounce-timeout %u: %d\n", + acpi_debounce, ret); +} + static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip, struct acpi_resource_gpio *agpio, unsigned int index, @@ -300,18 +313,12 @@ static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip, enum gpiod_flags flags = acpi_gpio_to_gpiod_flags(agpio, polarity); unsigned int pin = agpio->pin_table[index]; struct gpio_desc *desc; - int ret; desc = gpiochip_request_own_desc(chip, pin, label, polarity, flags); if (IS_ERR(desc)) return desc; - /* ACPI uses hundredths of milliseconds units */ - ret = gpio_set_debounce_timeout(desc, agpio->debounce_timeout * 10); - if (ret) - dev_warn(chip->parent, - "Failed to set debounce-timeout for pin 0x%04X, err %d\n", - pin, ret); + acpi_gpio_set_debounce_timeout(desc, agpio->debounce_timeout); return desc; } @@ -944,7 +951,6 @@ struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode, bool can_fallback = acpi_can_fallback_to_crs(adev, con_id); struct acpi_gpio_info info = {}; struct gpio_desc *desc; - int ret; desc = __acpi_find_gpio(fwnode, con_id, idx, can_fallback, &info); if (IS_ERR(desc)) @@ -959,10 +965,7 @@ struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode, acpi_gpio_update_gpiod_flags(dflags, &info); acpi_gpio_update_gpiod_lookup_flags(lookupflags, &info); - /* ACPI uses hundredths of milliseconds units */ - ret = gpio_set_debounce_timeout(desc, info.debounce * 10); - if (ret) - return ERR_PTR(ret); + acpi_gpio_set_debounce_timeout(desc, info.debounce); return desc; } -- 2.51.0

3 weeks

4
6
0 0

[PATCH] drm: sti: fix device leaks at component probe

by Johan Hovold

Make sure to drop the references taken to the vtg devices by of_find_device_by_node() when looking up their driver data during component probe. Note that holding a reference to a platform device does not prevent its driver data from going away so there is no point in keeping the reference after the lookup helper returns. Fixes: cc6b741c6f63 ("drm: sti: remove useless fields from vtg structure") Cc: stable(a)vger.kernel.org # 4.16 Cc: Benjamin Gaignard <benjamin.gaignard(a)collabora.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/sti/sti_vtg.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/sti/sti_vtg.c b/drivers/gpu/drm/sti/sti_vtg.c index ee81691b3203..ce6bc7e7b135 100644 --- a/drivers/gpu/drm/sti/sti_vtg.c +++ b/drivers/gpu/drm/sti/sti_vtg.c @@ -143,12 +143,17 @@ struct sti_vtg { struct sti_vtg *of_vtg_find(struct device_node *np) { struct platform_device *pdev; + struct sti_vtg *vtg; pdev = of_find_device_by_node(np); if (!pdev) return NULL; - return (struct sti_vtg *)platform_get_drvdata(pdev); + vtg = platform_get_drvdata(pdev); + + put_device(&pdev->dev); + + return vtg; } static void vtg_reset(struct sti_vtg *vtg) -- 2.49.1

3 weeks

2
1
0 0

[PATCH v2] ASoC: mediatek: mt8365: Add check for devm_kcalloc() in mt8365_afe_suspend()

by Guangshuo Li

devm_kcalloc() may fail. mt8365_afe_suspend() uses afe->reg_back_up unconditionally after allocation and writes afe->reg_back_up[i], which can lead to a NULL pointer dereference under low-memory conditions. Add a NULL check and bail out with -ENOMEM, making sure to disable the main clock via the existing error path to keep clock state balanced. Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support") Cc: stable(a)vger.kernel.org --- changelog: v2: - Return -ENOMEM directly on allocation failure without goto/label. - Disable the main clock before returning to keep clock state balanced. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c index 10793bbe9275..55d832e05072 100644 --- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c +++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c @@ -1975,11 +1975,15 @@ static int mt8365_afe_suspend(struct device *dev) mt8365_afe_enable_main_clk(afe); - if (!afe->reg_back_up) + if (!afe->reg_back_up) { afe->reg_back_up = devm_kcalloc(dev, afe->reg_back_up_list_num, - sizeof(unsigned int), GFP_KERNEL); - + sizeof(unsigned int), GFP_KERNEL); + if (!afe->reg_back_up) { + mt8365_afe_disable_main_clk(afe); + return -ENOMEM; + } + } for (i = 0; i < afe->reg_back_up_list_num; i++) regmap_read(regmap, afe->reg_back_up_list[i], &afe->reg_back_up[i]); -- 2.43.0

3 weeks

2
1
0 0

[tip: x86/urgent] x86/Kconfig: Reenable PTDUMP on i386

by tip-bot2 for Alexander Popov

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 4f115596133fa168bac06bb34c6efd8f4d84c22e Gitweb: https://git.kernel.org/tip/4f115596133fa168bac06bb34c6efd8f4d84c22e Author: Alexander Popov <alex.popov(a)linux.com> AuthorDate: Sun, 21 Sep 2025 23:58:15 +03:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Mon, 22 Sep 2025 14:40:17 +02:00 x86/Kconfig: Reenable PTDUMP on i386 The commit f9aad622006bd64c ("mm: rename GENERIC_PTDUMP and PTDUMP_CORE") has broken PTDUMP and the Kconfig options that use it on ARCH=i386, including CONFIG_DEBUG_WX. CONFIG_GENERIC_PTDUMP was renamed into CONFIG_ARCH_HAS_PTDUMP, but it was mistakenly moved from "config X86" to "config X86_64". That made PTDUMP unavailable for i386. Move CONFIG_ARCH_HAS_PTDUMP back to "config X86" to fix it. [ bp: Massage commit message. ] Fixes: f9aad622006bd64c ("mm: rename GENERIC_PTDUMP and PTDUMP_CORE") Signed-off-by: Alexander Popov <alex.popov(a)linux.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org --- arch/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 52c8910..0588030 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -26,7 +26,6 @@ config X86_64 depends on 64BIT # Options that are inherently 64-bit kernel only: select ARCH_HAS_GIGANTIC_PAGE - select ARCH_HAS_PTDUMP select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS select ARCH_SUPPORTS_INT128 if CC_HAS_INT128 select ARCH_SUPPORTS_PER_VMA_LOCK @@ -99,6 +98,7 @@ config X86 select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE select ARCH_HAS_PMEM_API if X86_64 select ARCH_HAS_PREEMPT_LAZY + select ARCH_HAS_PTDUMP select ARCH_HAS_PTE_SPECIAL select ARCH_HAS_HW_PTE_YOUNG select ARCH_HAS_NONLEAF_PMD_YOUNG if PGTABLE_LEVELS > 2

3 weeks

1
0
0 0

[PATCH] powerpc/smp: Add check for kcalloc() in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- arch/powerpc/kernel/smp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..2da064e00d0d 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,9 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; + ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

3 weeks

1
0
0 0

[PATCH] scsi: dc395x: correctly discard the return value in certain reads

by Xinhui Yang

There are certain read operations performed in this code which doesn't really don't need its return value. Those read operations either clears the FIFO buffer, or clears the interruption status. However, unused read triggers compiler warnings. With CONFIG_WERROR on, these warnings get converted into errors: drivers/scsi/dc395x.c: In function ‘__dc395x_eh_bus_reset’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:1003:9: note: in expansion of macro ‘DC395x_read8’ 1003 | DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); | ^~~~~~~~~~~~ drivers/scsi/dc395x.c: In function ‘data_io_transfer’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:2032:33: note: in expansion of macro ‘DC395x_read8’ 2032 | DC395x_read8(acb, TRM_S1040_SCSI_FIFO); Create a new macro DC395x_peek8() to deliberately cast the return value to void, which tells the compiler we really don't need the return value of such read operations. Signed-off-by: Xinhui Yang <cyan(a)cyano.uk> --- drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c index 386c8359e1cc..013d0d5277d6 100644 --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -91,15 +91,21 @@ #endif -#define DC395x_LOCK_IO(dev,flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_UNLOCK_IO(dev,flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_LOCK_IO(dev, flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_UNLOCK_IO(dev, flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) -#define DC395x_read16(acb,address) (u16)(inw(acb->io_port_base + (address))) -#define DC395x_read32(acb,address) (u32)(inl(acb->io_port_base + (address))) -#define DC395x_write8(acb,address,value) outb((value), acb->io_port_base + (address)) -#define DC395x_write16(acb,address,value) outw((value), acb->io_port_base + (address)) -#define DC395x_write32(acb,address,value) outl((value), acb->io_port_base + (address)) +/* + * read operations that may trigger side effects in the hardware, + * but the value can or should be discarded. + */ +#define DC395x_peek8(acb, address) ((void)(inb(acb->io_port_base + (address)))) +/* Normal read write operations goes here. */ +#define DC395x_read8(acb, address) ((u8) (inb(acb->io_port_base + (address)))) +#define DC395x_read16(acb, address) ((u16) (inw(acb->io_port_base + (address)))) +#define DC395x_read32(acb, address) ((u32) (inl(acb->io_port_base + (address)))) +#define DC395x_write8(acb, address, value) (outb((value), acb->io_port_base + (address))) +#define DC395x_write16(acb, address, value) (outw((value), acb->io_port_base + (address))) +#define DC395x_write32(acb, address, value) (outl((value), acb->io_port_base + (address))) #define TAG_NONE 255 @@ -1000,7 +1006,7 @@ static int __dc395x_eh_bus_reset(struct scsi_cmnd *cmd) DC395x_write8(acb, TRM_S1040_DMA_CONTROL, CLRXFIFO); clear_fifo(acb, "eh_bus_reset"); /* Delete pending IRQ */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); set_basic_config(acb); reset_dev_param(acb); @@ -2029,8 +2035,8 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, DC395x_write8(acb, TRM_S1040_SCSI_CONFIG2, CFG2_WIDEFIFO); if (io_dir & DMACMD_DIR) { - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); } else { /* Danger, Robinson: If you find KGs * scattered over the wide disk, the driver @@ -2044,7 +2050,7 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, /* Danger, Robinson: If you find a collection of Ks on your disk * something broke :-( */ if (io_dir & DMACMD_DIR) - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); else DC395x_write8(acb, TRM_S1040_SCSI_FIFO, 'K'); } @@ -2892,7 +2898,7 @@ static void set_basic_config(struct AdapterCtlBlk *acb) DMA_FIFO_HALF_HALF | DMA_ENHANCE /*| DMA_MEM_MULTI_READ */ ; DC395x_write16(acb, TRM_S1040_DMA_CONFIG, wval); /* Clear pending interrupt status */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); /* Enable SCSI interrupt */ DC395x_write8(acb, TRM_S1040_SCSI_INTEN, 0x7F); DC395x_write8(acb, TRM_S1040_DMA_INTEN, EN_SCSIINTR | EN_DMAXFERERROR @@ -3799,7 +3805,7 @@ static void adapter_uninit_chip(struct AdapterCtlBlk *acb) reset_scsi_bus(acb); /* clear any pending interrupt state */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); } -- 2.51.0

3 weeks

2
1
0 0

[PATCH v2] gpiolib: Extend software-node support to support secondary software-nodes

by Hans de Goede

When a software-node gets added to a device which already has another fwnode as primary node it will become the secondary fwnode for that device. Currently if a software-node with GPIO properties ends up as the secondary fwnode then gpiod_find_by_fwnode() will fail to find the GPIOs. Add a new gpiod_fwnode_lookup() helper which falls back to calling gpiod_find_by_fwnode() with the secondary fwnode if the GPIO was not found in the primary fwnode. Fixes: e7f9ff5dc90c ("gpiolib: add support for software nodes") Cc: stable(a)vger.kernel.org Cc: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> --- Changes in v2: - Add a new gpiod_fwnode_lookup() helper instead of putting the secondary fwnode check inside gpiod_find_by_fwnode() --- drivers/gpio/gpiolib.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 0d2b470a252e..74d54513730a 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -4604,6 +4604,23 @@ static struct gpio_desc *gpiod_find_by_fwnode(struct fwnode_handle *fwnode, return desc; } +static struct gpio_desc *gpiod_fwnode_lookup(struct fwnode_handle *fwnode, + struct device *consumer, + const char *con_id, + unsigned int idx, + enum gpiod_flags *flags, + unsigned long *lookupflags) +{ + struct gpio_desc *desc; + + desc = gpiod_find_by_fwnode(fwnode, consumer, con_id, idx, flags, lookupflags); + if (gpiod_not_found(desc) && !IS_ERR_OR_NULL(fwnode)) + desc = gpiod_find_by_fwnode(fwnode->secondary, consumer, con_id, + idx, flags, lookupflags); + + return desc; +} + struct gpio_desc *gpiod_find_and_request(struct device *consumer, struct fwnode_handle *fwnode, const char *con_id, @@ -4622,8 +4639,8 @@ struct gpio_desc *gpiod_find_and_request(struct device *consumer, int ret = 0; scoped_guard(srcu, &gpio_devices_srcu) { - desc = gpiod_find_by_fwnode(fwnode, consumer, con_id, idx, - &flags, &lookupflags); + desc = gpiod_fwnode_lookup(fwnode, consumer, con_id, idx, + &flags, &lookupflags); if (gpiod_not_found(desc) && platform_lookup_allowed) { /* * Either we are not using DT or ACPI, or their lookup -- 2.51.0

3 weeks

4
4
0 0

Re: "loop: Avoid updating block size under exclusive owner" breaks on 6.6.103

by Jan Kara

On Wed 17-09-25 11:18:50, Eric Hagberg wrote: > I stumbled across a problem where the 6.6.103 kernel will fail when > running the ioctl_loop06 test from the LTP test suite... and worse > than failing the test, it leaves the system in a state where you can't > run "losetup -a" again because the /dev/loopN device that the test > created and failed the test on... hangs in a LOOP_GET_STATUS64 ioctl. > > It also leaves the system in a state where you can't re-kexec into a > copy of the kernel as it gets completely hung at the point where it > says "starting Reboot via kexec"... Thanks for the report! Please report issues with stable kernels to stable(a)vger.kernel.org (CCed now) because they can act on them. > If I revert just that patch from 6.6.103 (or newer) kernels, then the > test succeeds and doesn't leave the host in a bad state. The patch > applied to 6.12 doesn't cause this problem, but I also see that there > are quite a few other changes to the loop subsystem in 6.12 that never > made it to 6.6. > > For now, I'll probably just revert your patch in my 6.6 kernel builds, > but I wouldn't be surprised if others stumble across this issue as > well, so maybe it should be reverted or fixed some other way. Yes, I think revert from 6.6 stable kernel is warranted (unless somebody has time to figure out what else is missing to make the patch work with that stable branch). Honza -- Jan Kara <jack(a)suse.com> SUSE Labs, CR

3 weeks

3
3
0 0

Check this out at Amazon

by Info Marketing

THE HOUSEMAID UNDER CONTRACT https://rb.gy/2xfnv3

3 weeks

1
0
0 0

Re: Patch "x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" has been added to the 6.12-stable tree

by Tom Lendacky

On 9/22/25 00:52, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag to indicate that the patch only applied to 6.16 and above. Before 6.16, there isn't a stub version of the function, so all off those releases are fine. So this patch doesn't need to be part of the 6.12 stable tree. Thanks, Tom > > > From stable+bounces-180849-greg=kroah.com(a)vger.kernel.org Mon Sep 22 01:18:07 2025 > From: Sasha Levin <sashal(a)kernel.org> > Date: Sun, 21 Sep 2025 19:17:59 -0400 > Subject: x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT > To: stable(a)vger.kernel.org > Cc: Tom Lendacky <thomas.lendacky(a)amd.com>, "Borislav Petkov (AMD)" <bp(a)alien8.de>, stable(a)kernel.org, Sasha Levin <sashal(a)kernel.org> > Message-ID: <20250921231759.3033314-1-sashal(a)kernel.org> > > From: Tom Lendacky <thomas.lendacky(a)amd.com> > > [ Upstream commit 7f830e126dc357fc086905ce9730140fd4528d66 ] > > The sev_evict_cache() is guest-related code and should be guarded by > CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. > > CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP > guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub > function of sev_evict_cache() instead of the version that performs the actual > eviction. Move the function declarations under the appropriate #ifdef. > > Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") > Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> > Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> > Cc: stable(a)kernel.org # 6.16.x > Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… > [ Move sev_evict_cache() out of shared.c ] > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > arch/x86/coco/sev/shared.c | 18 ------------------ > arch/x86/include/asm/sev.h | 19 +++++++++++++++++++ > 2 files changed, 19 insertions(+), 18 deletions(-) > > --- a/arch/x86/coco/sev/shared.c > +++ b/arch/x86/coco/sev/shared.c > @@ -1243,24 +1243,6 @@ static void svsm_pval_terminate(struct s > __pval_terminate(pfn, action, page_size, ret, svsm_ret); > } > > -static inline void sev_evict_cache(void *va, int npages) > -{ > - volatile u8 val __always_unused; > - u8 *bytes = va; > - int page_idx; > - > - /* > - * For SEV guests, a read from the first/last cache-lines of a 4K page > - * using the guest key is sufficient to cause a flush of all cache-lines > - * associated with that 4K page without incurring all the overhead of a > - * full CLFLUSH sequence. > - */ > - for (page_idx = 0; page_idx < npages; page_idx++) { > - val = bytes[page_idx * PAGE_SIZE]; > - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; > - } > -} > - > static void svsm_pval_4k_page(unsigned long paddr, bool validate) > { > struct svsm_pvalidate_call *pc; > --- a/arch/x86/include/asm/sev.h > +++ b/arch/x86/include/asm/sev.h > @@ -400,6 +400,24 @@ u64 sev_get_status(void); > void sev_show_status(void); > void snp_update_svsm_ca(void); > > +static inline void sev_evict_cache(void *va, int npages) > +{ > + volatile u8 val __always_unused; > + u8 *bytes = va; > + int page_idx; > + > + /* > + * For SEV guests, a read from the first/last cache-lines of a 4K page > + * using the guest key is sufficient to cause a flush of all cache-lines > + * associated with that 4K page without incurring all the overhead of a > + * full CLFLUSH sequence. > + */ > + for (page_idx = 0; page_idx < npages; page_idx++) { > + val = bytes[page_idx * PAGE_SIZE]; > + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; > + } > +} > + > #else /* !CONFIG_AMD_MEM_ENCRYPT */ > > #define snp_vmpl 0 > @@ -435,6 +453,7 @@ static inline u64 snp_get_unsupported_fe > static inline u64 sev_get_status(void) { return 0; } > static inline void sev_show_status(void) { } > static inline void snp_update_svsm_ca(void) { } > +static inline void sev_evict_cache(void *va, int npages) {} > > #endif /* CONFIG_AMD_MEM_ENCRYPT */ > > > > Patches currently in stable-queue which might be from sashal(a)kernel.org are > > queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch > queue-6.12/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch > queue-6.12/asoc-wm8940-correct-pll-rate-rounding.patch > queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch > queue-6.12/x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch > queue-6.12/mptcp-pm-nl-announce-deny-join-id0-flag.patch > queue-6.12/drm-bridge-anx7625-fix-null-pointer-dereference-with.patch > queue-6.12/asoc-sof-intel-hda-stream-fix-incorrect-variable-use.patch > queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch > queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch > queue-6.12/nvme-fix-pi-insert-on-write.patch > queue-6.12/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch > queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch > queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch > queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch > queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch > queue-6.12/usb-xhci-remove-option-to-change-a-default-ring-s-trb-cycle-bit.patch > queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch > queue-6.12/io_uring-fix-incorrect-io_kiocb-reference-in-io_link.patch > queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch > queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch > queue-6.12/drm-xe-tile-release-kobject-for-the-failure-path.patch > queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch > queue-6.12/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch > queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch > queue-6.12/usb-xhci-introduce-macro-for-ring-segment-list-iteration.patch > queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch > queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch > queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch > queue-6.12/drm-bridge-cdns-mhdp8546-fix-missing-mutex-unlock-on.patch > queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch > queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch > queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch > queue-6.12/drm-xe-fix-a-null-vs-is_err-in-xe_vm_add_compute_exe.patch > queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch > queue-6.12/mm-gup-check-ref_count-instead-of-lru-before-migration.patch > queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch > queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch > queue-6.12/smb-client-let-smbd_destroy-call-disable_work_sync-i.patch > queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch > queue-6.12/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch > queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch > queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch > queue-6.12/smb-client-fix-filename-matching-of-deferred-files.patch > queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch > queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch > queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch > queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch > queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch > queue-6.12/asoc-wm8974-correct-pll-rate-rounding.patch > queue-6.12/mm-add-folio_expected_ref_count-for-reference-count-calculation.patch > queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch > queue-6.12/asoc-intel-catpt-expose-correct-bit-depth-to-userspa.patch > queue-6.12/asoc-wm8940-correct-typo-in-control-name.patch > queue-6.12/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch

3 weeks

2
1
0 0

[PATCH v2 3/3] PCI: tegra194: Handle errors in BPMP response

by Niklas Cassel

From: Vidya Sagar <vidyas(a)nvidia.com> The return value from tegra_bpmp_transfer() indicates the success or failure of the IPC transaction with BPMP. If the transaction succeeded, we also need to check the actual command's result code. If we don't have error handling for tegra_bpmp_transfer(), we will set the pcie->ep_state to EP_STATE_ENABLED (even though the tegra_bpmp_transfer() command failed). Thus, the pcie->ep_state will get out of sync with reality, and any further PERST# assert + deassert will be a no-op (will not trigger the hardware initialization sequence). This is because pex_ep_event_pex_rst_deassert() checks the current pcie->ep_state, and does nothing if the current state is already EP_STATE_ENABLED. Thus, it is important to have error handling for tegra_bpmp_transfer(), such that the pcie->ep_state can not get out of sync with reality, so that we will try to initialize the hardware not only during the first PERST# assert + deassert, but also during any succeeding PERST# assert + deassert. One example where this fix is needed is when using a rock5b as host. During the initial PERST# assert + deassert (triggered by the bootloader on the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails. Once Linux has been loaded on the rock5b, the PCIe driver will once again assert + deassert PERST#. However, without tegra_bpmp_transfer() error handling, this second PERST# assert + deassert will not trigger the hardware initialization sequence. With tegra_bpmp_transfer() error handling, the second PERST# assert + deassert will once again trigger the hardware to be initialized and this time the tegra_bpmp_transfer() succeeds. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Vidya Sagar <vidyas(a)nvidia.com> [cassel: improve commit log] Reviewed-by: Jon Hunter <jonathanh(a)nvidia.com> Acked-by: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 7eb48cc13648e..c4265b3f72048 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1223,6 +1223,7 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; /* * Controller-5 doesn't need to have its state set by BPMP-FW in @@ -1245,7 +1246,13 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, @@ -1254,6 +1261,7 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; memset(&req, 0, sizeof(req)); memset(&resp, 0, sizeof(resp)); @@ -1273,7 +1281,13 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie) -- 2.51.0

3 weeks

1
0
0 0

[PATCH v2 2/3] PCI: tegra194: Reset BARs when running in PCIe endpoint mode

by Niklas Cassel

Tegra already defines all BARs expect for BAR0 as BAR_RESERVED. This is sufficient for pci-epf-test to not allocate backing memory and to not call set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not mean that the BAR get disabled. The host side driver, pci_endpoint_test, simply does an ioremap for all enabled BARs, and will run tests against all enabled BARs. (I.e. it will run tests also against the BARs marked as BAR_RESERVED.) After running the BARs tests (which will write to all enabled BARs), the inbound address translation is broken. This is because the tegra controller exposes the ATU Port Logic Structure in BAR4. So when BAR4 is written, the inbound address translation settings get overwritten. To avoid this, implement the dw_pcie_ep_ops .init() callback and start off by disabling all BARs (pci-epf-test will later enable/configure BARs that are not defined as BAR_RESERVED). This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6, layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep. With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which was specifically made to detect address translation issues) passes. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 63d310e5335f4..7eb48cc13648e 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1955,6 +1955,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst_irq(int irq, void *arg) return IRQ_HANDLED; } +static void tegra_pcie_ep_init(struct dw_pcie_ep *ep) +{ + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + enum pci_barno bar; + + for (bar = 0; bar < PCI_STD_NUM_BARS; bar++) + dw_pcie_ep_reset_bar(pci, bar); +}; + static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) { /* Tegra194 supports only INTA */ @@ -2030,6 +2039,7 @@ tegra_pcie_ep_get_features(struct dw_pcie_ep *ep) } static const struct dw_pcie_ep_ops pcie_ep_ops = { + .init = tegra_pcie_ep_init, .raise_irq = tegra_pcie_ep_raise_irq, .get_features = tegra_pcie_ep_get_features, }; -- 2.51.0

3 weeks

1
0
0 0

[PATCH] powerpc/Makefile: use $(objtree) for crtsavres.o

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> ... otherwise it could be problematic to build external modules: make[2]: Entering directory '.../kernel-module-hello-world' | CC [M] hello-world.o | MODPOST Module.symvers | CC [M] hello-world.mod.o | CC [M] .module-common.o | LD [M] hello-world.ko | powerpc-poky-linux-ld.bfd: cannot find arch/powerpc/lib/crtsavres.o: No such file or directory Fixes: da3de6df33f5 ("[POWERPC] Fix -Os kernel builds with newer gcc versions") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- arch/powerpc/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile index 9753fb87217c3..a58b1029592ce 100644 --- a/arch/powerpc/Makefile +++ b/arch/powerpc/Makefile @@ -58,7 +58,7 @@ ifeq ($(CONFIG_PPC64)$(CONFIG_LD_IS_BFD),yy) # There is a corresponding test in arch/powerpc/lib/Makefile KBUILD_LDFLAGS_MODULE += --save-restore-funcs else -KBUILD_LDFLAGS_MODULE += arch/powerpc/lib/crtsavres.o +KBUILD_LDFLAGS_MODULE += $(objtree)/arch/powerpc/lib/crtsavres.o endif ifdef CONFIG_CPU_LITTLE_ENDIAN -- 2.51.0

3 weeks

3
2
0 0

[PATCH v2] staging: gpib: Fix device reference leak in fmh_gpib driver

by Ma Ke

The fmh_gpib driver contains a device reference count leak in fmh_gpib_attach_impl() where driver_find_device() increases the reference count of the device by get_device() when matching but this reference is not properly decreased. Add put_device() in fmh_gpib_attach_impl() and add put_device() in fmh_gpib_detach(), which ensures that the reference count of the device is correctly managed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the free operations as suggestions. Thanks for dan carpenter's instructions. --- drivers/staging/gpib/fmh_gpib/fmh_gpib.c | 66 +++++++++++++++++++----- 1 file changed, 54 insertions(+), 12 deletions(-) diff --git a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c index 4138f3d2bae7..f5be24b44238 100644 --- a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c +++ b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c @@ -1396,7 +1396,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar retval = fmh_gpib_generic_attach(board); if (retval) - return retval; + goto err_put_device; e_priv = board->private_data; nec_priv = &e_priv->nec7210_priv; @@ -1404,14 +1404,16 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpib_control_status"); if (!res) { dev_err(board->dev, "Unable to locate mmio resource\n"); - return -ENODEV; + retval = -ENODEV; + goto err_generic_detach; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { dev_err(board->dev, "cannot claim registers\n"); - return -ENXIO; + retval = -ENXIO; + goto err_generic_detach; } e_priv->gpib_iomem_res = res; @@ -1419,7 +1421,8 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar resource_size(e_priv->gpib_iomem_res)); if (!nec_priv->mmiobase) { dev_err(board->dev, "Could not map I/O memory\n"); - return -ENOMEM; + retval = -ENOMEM; + goto err_release_mmio_region; } dev_dbg(board->dev, "iobase %pr remapped to %p\n", e_priv->gpib_iomem_res, nec_priv->mmiobase); @@ -1427,34 +1430,41 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dma_fifos"); if (!res) { dev_err(board->dev, "Unable to locate mmio resource for gpib dma port\n"); - return -ENODEV; + retval = -ENODEV; + goto err_iounmap_mmio; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { dev_err(board->dev, "cannot claim registers\n"); - return -ENXIO; + retval = -ENXIO; + goto err_iounmap_mmio; } e_priv->dma_port_res = res; + e_priv->fifo_base = ioremap(e_priv->dma_port_res->start, resource_size(e_priv->dma_port_res)); if (!e_priv->fifo_base) { dev_err(board->dev, "Could not map I/O memory for fifos\n"); - return -ENOMEM; + retval = -ENOMEM; + goto err_release_dma_region; } dev_dbg(board->dev, "dma fifos 0x%lx remapped to %p, length=%ld\n", (unsigned long)e_priv->dma_port_res->start, e_priv->fifo_base, (unsigned long)resource_size(e_priv->dma_port_res)); irq = platform_get_irq(pdev, 0); - if (irq < 0) - return -EBUSY; + if (irq < 0) { + retval = -EBUSY; + goto err_iounmap_fifo; + } + retval = request_irq(irq, fmh_gpib_interrupt, IRQF_SHARED, pdev->name, board); if (retval) { dev_err(board->dev, "cannot register interrupt handler err=%d\n", retval); - return retval; + goto err_iounmap_fifo; } e_priv->irq = irq; @@ -1462,9 +1472,11 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->dma_channel = dma_request_slave_channel(board->dev, "rxtx"); if (!e_priv->dma_channel) { dev_err(board->dev, "failed to acquire dma channel \"rxtx\".\n"); - return -EIO; + retval = -EIO; + goto err_free_irq; } } + /* * in the future we might want to know the half-fifo size * (dma_burst_length) even when not using dma, so go ahead an @@ -1473,7 +1485,32 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->dma_burst_length = fifos_read(e_priv, FIFO_MAX_BURST_LENGTH_REG) & fifo_max_burst_length_mask; - return fmh_gpib_init(e_priv, board, handshake_mode); + retval = fmh_gpib_init(e_priv, board, handshake_mode); + if (retval) + goto err_release_dma; + + return 0; + +err_release_dma: + if (acquire_dma && e_priv->dma_channel) + dma_release_channel(e_priv->dma_channel); +err_free_irq: + free_irq(irq, board); +err_iounmap_fifo: + iounmap(e_priv->fifo_base); +err_release_dma_region: + release_mem_region(e_priv->dma_port_res->start, + resource_size(e_priv->dma_port_res)); +err_iounmap_mmio: + iounmap(nec_priv->mmiobase); +err_release_mmio_region: + release_mem_region(e_priv->gpib_iomem_res->start, + resource_size(e_priv->gpib_iomem_res)); +err_generic_detach: + fmh_gpib_generic_detach(board); +err_put_device: + put_device(board->dev); + return retval; } int fmh_gpib_attach_holdoff_all(struct gpib_board *board, const struct gpib_board_config *config) @@ -1517,6 +1554,11 @@ void fmh_gpib_detach(struct gpib_board *board) resource_size(e_priv->gpib_iomem_res)); } fmh_gpib_generic_detach(board); + + if (board->dev) { + put_device(board->dev); + board->dev = NULL; + } } static int fmh_gpib_pci_attach_impl(struct gpib_board *board, -- 2.17.1

3 weeks

2
2
0 0

[PATCH] fs: udf: fix OOB read in lengthAllocDescs handling

by Larshin Sergey

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Validate the computed total length against epos->bh->b_size. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+8743fca924afed42f93e(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> --- fs/udf/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index f24aa98e6869..a79d73f28aa7 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2272,6 +2272,9 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos, if (check_add_overflow(sizeof(struct allocExtDesc), le32_to_cpu(header->lengthAllocDescs), &alen)) return -1; + + if (alen > epos->bh->b_size) + return -1; } switch (iinfo->i_alloc_type) { -- 2.39.5

3 weeks

2
1
0 0

[PATCH 00/27 5.10.y] Backport minmax.h updates from v6.17-rc6

by Eliav Farber

This series includes a total of 27 patches, to align minmax.h of v5.15.y with v6.17-rc6. The set consists of 24 commits that directly update minmax.h: 1) 92d23c6e9415 ("overflow, tracing: Define the is_signed_type() macro once") 2) 5efcecd9a3b1 ("minmax: sanity check constant bounds when clamping") 3) 2122e2a4efc2 ("minmax: clamp more efficiently by avoiding extra comparison") 4) f9bff0e31881 ("minmax: add in_range() macro") 5) c952c748c7a9 ("minmax: Introduce {min,max}_array()") 6) 5e57418a2031 ("minmax: deduplicate __unconst_integer_typeof()") 7) f6e9d38f8eb0 ("minmax: fix header inclusions") 8) d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness.") 9) f4b84b2ff851 ("minmax: fix indentation of __cmp_once() and __clamp_once()") 10) 4ead534fba42 ("minmax: allow comparisons of 'int' against 'unsigned char/short'") 11) 867046cc7027 ("minmax: relax check to allow comparison between unsigned arguments and signed constants") 12) 3a7e02c040b1 ("minmax: avoid overly complicated constant expressions in VM code") 14) 017fa3e89187 ("minmax: simplify and clarify min_t()/max_t() implementation") 15) 1a251f52cfdc ("minmax: make generic MIN() and MAX() macros available everywhere") 18) dc1c8034e31b ("minmax: simplify min()/max()/clamp() implementation") 19) 22f546873149 ("minmax: improve macro expansion and type checking") 20) 21b136cc63d2 ("minmax: fix up min3() and max3() too") 21) 71ee9b16251e ("minmax.h: add whitespace around operators and after commas") 22) 10666e992048 ("minmax.h: update some comments") 23) b280bb27a9f7 ("minmax.h: reduce the #define expansion of min(), max() and clamp()") 24) a5743f32baec ("minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()") 25) c3939872ee4a ("minmax.h: move all the clamp() definitions after the min/max() ones") 26) 495bba17cdf9 ("minmax.h: simplify the variants of clamp()") 27) 2b97aaf74ed5 ("minmax.h: remove some #defines that are only expanded once") 2 prerequisite commits that adjust users of MIN and MAX macros (to prevent compilation issues): 13) 4477b39c32fd ("minmax: add a few more MIN_T/MAX_T users") 17) cb04e8b1d2f2 ("minmax: don't use max() in situations that want a C constant expression") 1 additional commit introduced to resolve a build failures during the backport: 16) lib: zstd: drop local MIN/MAX macros in favor of generic ones The primary motivation is to bring in commit (8). In mainline, this change allows min()/max()/clamp() to accept mixed argument types when both share the same signedness. Backported patches to v5.10.y that use such forms trigger compiler warnings, which in turn cause build failures when -Werror is enabled. Originaly I aligned 5.10.y to 5.15.y, but David Laight commented that I need to pick up the later changes (from Linus) as well. Andy Shevchenko (2): minmax: deduplicate __unconst_integer_typeof() minmax: fix header inclusions Bart Van Assche (1): overflow, tracing: Define the is_signed_type() macro once David Laight (11): minmax: allow min()/max()/clamp() if the arguments have the same signedness. minmax: fix indentation of __cmp_once() and __clamp_once() minmax: allow comparisons of 'int' against 'unsigned char/short' minmax: relax check to allow comparison between unsigned arguments and signed constants minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once Eliav Farber (1): lib: zstd: drop local MIN/MAX macros in favor of generic ones Herve Codina (1): minmax: Introduce {min,max}_array() Jason A. Donenfeld (2): minmax: sanity check constant bounds when clamping minmax: clamp more efficiently by avoiding extra comparison Linus Torvalds (8): minmax: avoid overly complicated constant expressions in VM code minmax: add a few more MIN_T/MAX_T users minmax: simplify and clarify min_t()/max_t() implementation minmax: make generic MIN() and MAX() macros available everywhere minmax: don't use max() in situations that want a C constant expression minmax: simplify min()/max()/clamp() implementation minmax: improve macro expansion and type checking minmax: fix up min3() and max3() too Matthew Wilcox (Oracle) (1): minmax: add in_range() macro arch/arm/mm/pageattr.c | 6 +- arch/um/drivers/mconsole_user.c | 2 + arch/x86/mm/pgtable.c | 2 +- drivers/edac/sb_edac.c | 4 +- drivers/edac/skx_common.h | 1 - .../drm/amd/display/modules/hdcp/hdcp_ddc.c | 2 + .../drm/amd/pm/powerplay/hwmgr/ppevvmath.h | 14 +- .../drm/arm/display/include/malidp_utils.h | 2 +- .../display/komeda/komeda_pipeline_state.c | 24 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 6 - drivers/gpu/drm/radeon/evergreen_cs.c | 2 + drivers/hwmon/adt7475.c | 24 +- drivers/input/touchscreen/cyttsp4_core.c | 2 +- drivers/md/dm-integrity.c | 2 +- drivers/media/dvb-frontends/stv0367_priv.h | 3 + .../net/ethernet/chelsio/cxgb3/cxgb3_main.c | 18 +- .../net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/fjes/fjes_main.c | 4 +- drivers/nfc/pn544/i2c.c | 2 - drivers/platform/x86/sony-laptop.c | 1 - drivers/scsi/isci/init.c | 6 +- .../pci/hive_isp_css_include/math_support.h | 5 - fs/btrfs/misc.h | 2 - fs/btrfs/tree-checker.c | 2 +- fs/ext2/balloc.c | 2 - fs/ext4/ext4.h | 2 - fs/ufs/util.h | 6 - include/linux/compiler.h | 15 + include/linux/minmax.h | 267 ++++++++++++++---- include/linux/overflow.h | 1 - include/linux/trace_events.h | 2 - kernel/trace/preemptirq_delay_test.c | 2 - lib/btree.c | 1 - lib/decompress_unlzma.c | 2 + lib/logic_pio.c | 3 - lib/vsprintf.c | 2 +- lib/zstd/zstd_internal.h | 2 - mm/zsmalloc.c | 1 - net/ipv4/proc.c | 2 +- net/ipv6/proc.c | 2 +- net/netfilter/nf_nat_core.c | 6 +- net/tipc/core.h | 2 +- net/tipc/link.c | 10 +- 44 files changed, 306 insertions(+), 164 deletions(-) -- 2.47.3

3 weeks

6
35
0 0

[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level

by Vasant Hegde

The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> --- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE; -- 2.31.1

3 weeks

3
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror