- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] smb: client: fix use-after-free in crypt_message when using" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b220bed63330c0e1733dc06ea8e75d5b9962b6b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072141-jujitsu-ebay-6dbf@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b220bed63330c0e1733dc06ea8e75d5b9962b6b6 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Date: Sat, 5 Jul 2025 10:51:18 +0800 Subject: [PATCH] smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediately rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); // Free creq while async operation is still in progress kvfree_sensitive(creq, ...); Hardware crypto modules often implement async AEAD operations for performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, the operation completes asynchronously. Without crypto_wait_req(), the function immediately frees the request buffer, leading to crashes when the driver later accesses the freed memory. This results in a use-after-free condition when the hardware crypto driver later accesses the freed request structure, leading to kernel crashes with NULL pointer dereferences. The issue occurs because crypto_alloc_aead() with mask=0 doesn't guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in the mask, async implementations can be selected. Fix by restoring the async crypto handling: - DECLARE_CRYPTO_WAIT(wait) for completion tracking - aead_request_set_callback() for async completion notification - crypto_wait_req() to wait for operation completion This ensures the request buffer isn't freed until the crypto operation completes, whether synchronous or asynchronous, while preserving the CVE-2024-50047 fix. Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweiclou… Cc: stable(a)vger.kernel.org Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index 1468c16ea9b8..cb659256d219 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -4316,6 +4316,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, u8 key[SMB3_ENC_DEC_KEY_SIZE]; struct aead_request *req; u8 *iv; + DECLARE_CRYPTO_WAIT(wait); unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); void *creq; size_t sensitive_size; @@ -4366,7 +4367,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + crypto_req_done, &wait); + + rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) + : crypto_aead_decrypt(req), &wait); if (!rc && enc) memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] smb: client: fix use-after-free in crypt_message when using" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b220bed63330c0e1733dc06ea8e75d5b9962b6b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072141-busybody-favoring-f21d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b220bed63330c0e1733dc06ea8e75d5b9962b6b6 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Date: Sat, 5 Jul 2025 10:51:18 +0800 Subject: [PATCH] smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediately rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); // Free creq while async operation is still in progress kvfree_sensitive(creq, ...); Hardware crypto modules often implement async AEAD operations for performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, the operation completes asynchronously. Without crypto_wait_req(), the function immediately frees the request buffer, leading to crashes when the driver later accesses the freed memory. This results in a use-after-free condition when the hardware crypto driver later accesses the freed request structure, leading to kernel crashes with NULL pointer dereferences. The issue occurs because crypto_alloc_aead() with mask=0 doesn't guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in the mask, async implementations can be selected. Fix by restoring the async crypto handling: - DECLARE_CRYPTO_WAIT(wait) for completion tracking - aead_request_set_callback() for async completion notification - crypto_wait_req() to wait for operation completion This ensures the request buffer isn't freed until the crypto operation completes, whether synchronous or asynchronous, while preserving the CVE-2024-50047 fix. Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweiclou… Cc: stable(a)vger.kernel.org Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index 1468c16ea9b8..cb659256d219 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -4316,6 +4316,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, u8 key[SMB3_ENC_DEC_KEY_SIZE]; struct aead_request *req; u8 *iv; + DECLARE_CRYPTO_WAIT(wait); unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); void *creq; size_t sensitive_size; @@ -4366,7 +4367,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + crypto_req_done, &wait); + + rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) + : crypto_aead_decrypt(req), &wait); if (!rc && enc) memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072156-salt-despair-a696@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072155-viper-viewer-98bd@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072155-catering-series-cf00@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072154-unchain-champion-e3d6@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072153-clerical-autograph-74d4@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072153-splinter-buckshot-87f5@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 1 week

2
1
0 0

[PATCH v2] PCI/pwrctrl: Skip creating pwrctrl device unless CONFIG_PCI_PWRCTRL is enabled

by Manivannan Sadhasivam

If devicetree describes power supplies related to a PCI device, we previously created a pwrctrl device even if CONFIG_PCI_PWRCTL was not enabled. When pci_pwrctrl_create_device() creates and returns a pwrctrl device, pci_scan_device() doesn't enumerate the PCI device. It assumes the pwrctrl core will rescan the bus after turning on the power. However, if CONFIG_PCI_PWRCTL is not enabled, the rescan never happens. This may break PCI enumeration on any system that describes power supplies in devicetree but does not use pwrctrl. Jim reported that some brcmstb platforms break this way. While the actual fix would be to convert all the platforms to use pwrctrl framework, we also need to skip creating the pwrctrl device if CONFIG_PCI_PWRCTL is not enabled and let the PCI core scan the device normally (assuming it is already powered on or by the controller driver). Cc: stable(a)vger.kernel.org # 6.15 Fixes: 957f40d039a9 ("PCI/pwrctrl: Move creation of pwrctrl devices to pci_scan_device()") Reported-by: Jim Quinlan <james.quinlan(a)broadcom.com> Closes: https://lore.kernel.org/r/CA+-6iNwgaByXEYD3j=-+H_PKAxXRU78svPMRHDKKci8AGXAU… Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- Changes in v2: * Used the stub instead of returning NULL inside the function drivers/pci/probe.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 4b8693ec9e4c..e6a34db77826 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -2508,6 +2508,7 @@ bool pci_bus_read_dev_vendor_id(struct pci_bus *bus, int devfn, u32 *l, } EXPORT_SYMBOL(pci_bus_read_dev_vendor_id); +#if IS_ENABLED(CONFIG_PCI_PWRCTRL) static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, int devfn) { struct pci_host_bridge *host = pci_find_host_bridge(bus); @@ -2537,6 +2538,12 @@ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, in return pdev; } +#else +static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, int devfn) +{ + return NULL; +} +#endif /* * Read the config data for a PCI device, sanity-check it, -- 2.43.0

1 month, 1 week

4
12
0 0

[PATCH 1/3] PCI/pwrctrl: Fix device leak at registration

by Johan Hovold

Make sure to drop the reference to the pwrctrl device taken by of_find_device_by_node() when registering a PCI device. Fixes: b458ff7e8176 ("PCI/pwrctl: Ensure that pwrctl drivers are probed before PCI client drivers") Cc: stable(a)vger.kernel.org # 6.13 Cc: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/pci/bus.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c index 69048869ef1c..0394a9c77b38 100644 --- a/drivers/pci/bus.c +++ b/drivers/pci/bus.c @@ -362,11 +362,15 @@ void pci_bus_add_device(struct pci_dev *dev) * before PCI client drivers. */ pdev = of_find_device_by_node(dn); - if (pdev && of_pci_supply_present(dn)) { - if (!device_link_add(&dev->dev, &pdev->dev, - DL_FLAG_AUTOREMOVE_CONSUMER)) - pci_err(dev, "failed to add device link to power control device %s\n", - pdev->name); + if (pdev) { + if (of_pci_supply_present(dn)) { + if (!device_link_add(&dev->dev, &pdev->dev, + DL_FLAG_AUTOREMOVE_CONSUMER)) { + pci_err(dev, "failed to add device link to power control device %s\n", + pdev->name); + } + } + put_device(&pdev->dev); } if (!dn || of_device_is_available(dn)) -- 2.49.1

1 month, 1 week

4
3
0 0

[PATCH net] net: core: Fix the loop in default_device_exit_net()

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The loop in default_device_exit_net() won't be able to properly detect the head then stop, and will hit NULL pointer, when a driver, like hv_netvsc, automatically moves the slave device together with the master device. To fix this, add a helper function to return the first migratable netdev correctly, no matter one or two devices were removed from this net's list in the last iteration. Cc: stable(a)vger.kernel.org # 5.4+ Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- net/core/dev.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/net/core/dev.c b/net/core/dev.c index 621a639aeba1..d83f5f12cf70 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -12629,19 +12629,11 @@ static struct pernet_operations __net_initdata netdev_net_ops = { .exit = netdev_exit, }; -static void __net_exit default_device_exit_net(struct net *net) +static inline struct net_device *first_migratable_netdev(struct net *net) { - struct netdev_name_node *name_node, *tmp; struct net_device *dev, *aux; - /* - * Push all migratable network devices back to the - * initial network namespace - */ - ASSERT_RTNL(); - for_each_netdev_safe(net, dev, aux) { - int err; - char fb_name[IFNAMSIZ]; + for_each_netdev_safe(net, dev, aux) { /* Ignore unmoveable devices (i.e. loopback) */ if (dev->netns_immutable) continue; @@ -12650,6 +12642,25 @@ static void __net_exit default_device_exit_net(struct net *net) if (dev->rtnl_link_ops && !dev->rtnl_link_ops->netns_refund) continue; + return dev; + } + + return NULL; +} + +static void __net_exit default_device_exit_net(struct net *net) +{ + struct netdev_name_node *name_node, *tmp; + struct net_device *dev; + /* + * Push all migratable network devices back to the + * initial network namespace + */ + ASSERT_RTNL(); + while ((dev = first_migratable_netdev(net)) != NULL) { + int err; + char fb_name[IFNAMSIZ]; + /* Push remaining network devices to init_net */ snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex); if (netdev_name_in_use(&init_net, fb_name)) -- 2.34.1

1 month, 1 week

3
2
0 0

[PATCH v2] sunvdc: Balance device refcount in vdc_port_mpgroup_check

by Ma Ke

Using device_find_child() to locate a probed virtual-device-port node causes a device refcount imbalance, as device_find_child() internally calls get_device() to increment the device’s reference count before returning its pointer. vdc_port_mpgroup_check() directly returns true upon finding a matching device without releasing the reference via put_device(). We should call put_device() to decrement refcount. As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - keep the change style simple as suggestions. --- drivers/block/sunvdc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c index b5727dea15bd..7af21fe67671 100644 --- a/drivers/block/sunvdc.c +++ b/drivers/block/sunvdc.c @@ -957,8 +957,10 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev) dev = device_find_child(vdev->dev.parent, &port_data, vdc_device_probed); - if (dev) + if (dev) { + put_device(dev); return true; + } return false; } -- 2.25.1

1 month, 1 week

2
1
0 0

[PATCH] comedi: fix race between polling and detaching

by Ian Abbott

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl. Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`. Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter. Thanks to Jens Axboe for diagnosing the problem and co-developing this patch. Cc: <stable(a)vger.kernel.org> # 5.13+ Fixes: 2f3fdcd7ce93 ("staging: comedi: add rw_semaphore to protect against device detachment") Link: https://lore.kernel.org/all/687bd5fe.a70a0220.693ce.0091.GAE@google.com/ Reported-by: syzbot+01523a0ae5600aef5895(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=01523a0ae5600aef5895 Co-developed-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm release series 5.10 and 5.4. --- drivers/comedi/comedi_fops.c | 31 ++++++++++++++++++++++++------- drivers/comedi/comedi_internal.h | 1 + drivers/comedi/drivers.c | 13 ++++++++++--- 3 files changed, 35 insertions(+), 10 deletions(-) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 3383a7ce27ff..3007fe946e42 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -787,6 +787,7 @@ static int is_device_busy(struct comedi_device *dev) struct comedi_subdevice *s; int i; + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); if (!dev->attached) return 0; @@ -795,7 +796,16 @@ static int is_device_busy(struct comedi_device *dev) s = &dev->subdevices[i]; if (s->busy) return 1; - if (s->async && comedi_buf_is_mmapped(s)) + if (!s->async) + continue; + if (comedi_buf_is_mmapped(s)) + return 1; + /* + * There may be tasks still waiting on the subdevice's wait + * queue, although they should already be about to be removed + * from it since the subdevice has no active async command. + */ + if (wq_has_sleeper(&s->async->wait_head)) return 1; } @@ -825,15 +835,22 @@ static int do_devconfig_ioctl(struct comedi_device *dev, return -EPERM; if (!arg) { - if (is_device_busy(dev)) - return -EBUSY; + int rc = 0; + if (dev->attached) { - struct module *driver_module = dev->driver->module; + down_write(&dev->attach_lock); + if (is_device_busy(dev)) { + rc = -EBUSY; + } else { + struct module *driver_module = + dev->driver->module; - comedi_device_detach(dev); - module_put(driver_module); + comedi_device_detach_locked(dev); + module_put(driver_module); + } + up_write(&dev->attach_lock); } - return 0; + return rc; } if (copy_from_user(&it, arg, sizeof(it))) diff --git a/drivers/comedi/comedi_internal.h b/drivers/comedi/comedi_internal.h index 9b3631a654c8..cf10ba016ebc 100644 --- a/drivers/comedi/comedi_internal.h +++ b/drivers/comedi/comedi_internal.h @@ -50,6 +50,7 @@ extern struct mutex comedi_drivers_list_lock; int insn_inval(struct comedi_device *dev, struct comedi_subdevice *s, struct comedi_insn *insn, unsigned int *data); +void comedi_device_detach_locked(struct comedi_device *dev); void comedi_device_detach(struct comedi_device *dev); int comedi_device_attach(struct comedi_device *dev, struct comedi_devconfig *it); diff --git a/drivers/comedi/drivers.c b/drivers/comedi/drivers.c index 376130bfba8a..f5c2ee271d0e 100644 --- a/drivers/comedi/drivers.c +++ b/drivers/comedi/drivers.c @@ -158,7 +158,7 @@ static void comedi_device_detach_cleanup(struct comedi_device *dev) int i; struct comedi_subdevice *s; - lockdep_assert_held(&dev->attach_lock); + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); if (dev->subdevices) { for (i = 0; i < dev->n_subdevices; i++) { @@ -196,16 +196,23 @@ static void comedi_device_detach_cleanup(struct comedi_device *dev) comedi_clear_hw_dev(dev); } -void comedi_device_detach(struct comedi_device *dev) +void comedi_device_detach_locked(struct comedi_device *dev) { + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); comedi_device_cancel_all(dev); - down_write(&dev->attach_lock); dev->attached = false; dev->detach_count++; if (dev->driver) dev->driver->detach(dev); comedi_device_detach_cleanup(dev); +} + +void comedi_device_detach(struct comedi_device *dev) +{ + lockdep_assert_held(&dev->mutex); + down_write(&dev->attach_lock); + comedi_device_detach_locked(dev); up_write(&dev->attach_lock); } -- 2.47.2

1 month, 1 week

2
1
0 0

[PATCH v3] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again

by Muhammad Usama Anjum

Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Clear essential fields as they may have stale data Changes since v2: - Add comment and reviewed by tag --- drivers/net/wireless/ath/ath11k/core.c | 6 +----- drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++ drivers/net/wireless/ath/ath11k/hal.h | 1 + 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index 4488e4cdc5e9e..34b27711ed00f 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2213,14 +2213,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index b32de563d453a..e8ebf963f195c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1359,6 +1359,22 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + /* No need to memset rdp and wrp memory since each individual + * segment would get cleared ath11k_hal_srng_src_hw_init() and + * ath11k_hal_srng_dst_hw_init(). + */ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c752..839095af9267e 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len); -- 2.39.5

1 month, 1 week

3
4
0 0

FAILED: patch "[PATCH] tracing: Add down_write(trace_event_sem) when adding trace" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-perjury-dynamite-23ba@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Jul 2025 22:31:58 -0400 Subject: [PATCH] tracing: Add down_write(trace_event_sem) when adding trace event MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang(a)luxshare-ict.com> Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 120531268abf..d01e5c910ce1 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -3136,7 +3136,10 @@ __register_event(struct trace_event_call *call, struct module *mod) if (ret < 0) return ret; + down_write(&trace_event_sem); list_add(&call->list, &ftrace_events); + up_write(&trace_event_sem); + if (call->flags & TRACE_EVENT_FL_DYNAMIC) atomic_set(&call->refcnt, 0); else @@ -3750,6 +3753,8 @@ __trace_add_event_dirs(struct trace_array *tr) struct trace_event_call *call; int ret; + lockdep_assert_held(&trace_event_sem); + list_for_each_entry(call, &ftrace_events, list) { ret = __trace_add_new_event(call, tr); if (ret < 0)

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] tracing: Add down_write(trace_event_sem) when adding trace" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-nutty-other-f178@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Jul 2025 22:31:58 -0400 Subject: [PATCH] tracing: Add down_write(trace_event_sem) when adding trace event MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang(a)luxshare-ict.com> Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 120531268abf..d01e5c910ce1 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -3136,7 +3136,10 @@ __register_event(struct trace_event_call *call, struct module *mod) if (ret < 0) return ret; + down_write(&trace_event_sem); list_add(&call->list, &ftrace_events); + up_write(&trace_event_sem); + if (call->flags & TRACE_EVENT_FL_DYNAMIC) atomic_set(&call->refcnt, 0); else @@ -3750,6 +3753,8 @@ __trace_add_event_dirs(struct trace_array *tr) struct trace_event_call *call; int ret; + lockdep_assert_held(&trace_event_sem); + list_for_each_entry(call, &ftrace_events, list) { ret = __trace_add_new_event(call, tr); if (ret < 0)

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] pmdomain: governor: Consider CPU latency tolerance from" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 500ba33284416255b9a5b50ace24470b6fe77ea5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072114-matriarch-decline-2598@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001 From: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Date: Wed, 9 Jul 2025 14:00:11 +0530 Subject: [PATCH] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov pm_domain_cpu_gov is selecting a cluster idle state but does not consider latency tolerance of child CPUs. This results in deeper cluster idle state whose latency does not meet latency tolerance requirement. Select deeper idle state only if global and device latency tolerance of all child CPUs meet. Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than domain idle state entry (2150) + exit (1983) usec latency mentioned in devicetree, demonstrate the issue. # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us Before: (Usage is incrementing) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 29817 537 8 270 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 30348 542 8 271 0 After: (Usage is not incrementing due to latency tolerance) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 Signed-off-by: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualc… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/governor.c b/drivers/pmdomain/governor.c index c1e148657c87..39359811a930 100644 --- a/drivers/pmdomain/governor.c +++ b/drivers/pmdomain/governor.c @@ -8,6 +8,7 @@ #include <linux/pm_domain.h> #include <linux/pm_qos.h> #include <linux/hrtimer.h> +#include <linux/cpu.h> #include <linux/cpuidle.h> #include <linux/cpumask.h> #include <linux/ktime.h> @@ -349,6 +350,8 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) struct cpuidle_device *dev; ktime_t domain_wakeup, next_hrtimer; ktime_t now = ktime_get(); + struct device *cpu_dev; + s64 cpu_constraint, global_constraint; s64 idle_duration_ns; int cpu, i; @@ -359,6 +362,7 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) return true; + global_constraint = cpu_latency_qos_limit(); /* * Find the next wakeup for any of the online CPUs within the PM domain * and its subdomains. Note, we only need the genpd->cpus, as it already @@ -372,8 +376,16 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (ktime_before(next_hrtimer, domain_wakeup)) domain_wakeup = next_hrtimer; } + + cpu_dev = get_cpu_device(cpu); + if (cpu_dev) { + cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); + if (cpu_constraint < global_constraint) + global_constraint = cpu_constraint; + } } + global_constraint *= NSEC_PER_USEC; /* The minimum idle duration is from now - until the next wakeup. */ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); if (idle_duration_ns <= 0) @@ -389,8 +401,10 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) */ i = genpd->state_idx; do { - if (idle_duration_ns >= (genpd->states[i].residency_ns + - genpd->states[i].power_off_latency_ns)) { + if ((idle_duration_ns >= (genpd->states[i].residency_ns + + genpd->states[i].power_off_latency_ns)) && + (global_constraint >= (genpd->states[i].power_on_latency_ns + + genpd->states[i].power_off_latency_ns))) { genpd->state_idx = i; genpd->gd->last_enter = now; genpd->gd->reflect_residency = true;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] pmdomain: governor: Consider CPU latency tolerance from" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 500ba33284416255b9a5b50ace24470b6fe77ea5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-grill-thimble-5d5c@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001 From: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Date: Wed, 9 Jul 2025 14:00:11 +0530 Subject: [PATCH] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov pm_domain_cpu_gov is selecting a cluster idle state but does not consider latency tolerance of child CPUs. This results in deeper cluster idle state whose latency does not meet latency tolerance requirement. Select deeper idle state only if global and device latency tolerance of all child CPUs meet. Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than domain idle state entry (2150) + exit (1983) usec latency mentioned in devicetree, demonstrate the issue. # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us Before: (Usage is incrementing) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 29817 537 8 270 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 30348 542 8 271 0 After: (Usage is not incrementing due to latency tolerance) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 Signed-off-by: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualc… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/governor.c b/drivers/pmdomain/governor.c index c1e148657c87..39359811a930 100644 --- a/drivers/pmdomain/governor.c +++ b/drivers/pmdomain/governor.c @@ -8,6 +8,7 @@ #include <linux/pm_domain.h> #include <linux/pm_qos.h> #include <linux/hrtimer.h> +#include <linux/cpu.h> #include <linux/cpuidle.h> #include <linux/cpumask.h> #include <linux/ktime.h> @@ -349,6 +350,8 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) struct cpuidle_device *dev; ktime_t domain_wakeup, next_hrtimer; ktime_t now = ktime_get(); + struct device *cpu_dev; + s64 cpu_constraint, global_constraint; s64 idle_duration_ns; int cpu, i; @@ -359,6 +362,7 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) return true; + global_constraint = cpu_latency_qos_limit(); /* * Find the next wakeup for any of the online CPUs within the PM domain * and its subdomains. Note, we only need the genpd->cpus, as it already @@ -372,8 +376,16 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (ktime_before(next_hrtimer, domain_wakeup)) domain_wakeup = next_hrtimer; } + + cpu_dev = get_cpu_device(cpu); + if (cpu_dev) { + cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); + if (cpu_constraint < global_constraint) + global_constraint = cpu_constraint; + } } + global_constraint *= NSEC_PER_USEC; /* The minimum idle duration is from now - until the next wakeup. */ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); if (idle_duration_ns <= 0) @@ -389,8 +401,10 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) */ i = genpd->state_idx; do { - if (idle_duration_ns >= (genpd->states[i].residency_ns + - genpd->states[i].power_off_latency_ns)) { + if ((idle_duration_ns >= (genpd->states[i].residency_ns + + genpd->states[i].power_off_latency_ns)) && + (global_constraint >= (genpd->states[i].power_on_latency_ns + + genpd->states[i].power_off_latency_ns))) { genpd->state_idx = i; genpd->gd->last_enter = now; genpd->gd->reflect_residency = true;

1 month, 1 week

2
1
0 0

[PATCH 6.1] crypto: qat - fix ring to service map for QAT GEN4

by Giovanni Cabiddu

[ Upstream commit a238487f7965d102794ed9f8aff0b667cd2ae886 ] The 4xxx drivers hardcode the ring to service mapping. However, when additional configurations where added to the driver, the mappings were not updated. This implies that an incorrect mapping might be reported through pfvf for certain configurations. This is a backport of the upstream commit with modifications, as the original patch does not apply cleanly to kernel v6.1.x. The logic has been simplified to reflect the limited configurations of the QAT driver in this version: crypto-only and compression. Instead of dynamically computing the ring to service mappings, these are now hardcoded to simplify the backport. Fixes: 0cec19c761e5 ("crypto: qat - add support for compression for 4xxx") Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Reviewed-by: Damian Muszynski <damian.muszynski(a)intel.com> Reviewed-by: Tero Kristo <tero.kristo(a)linux.intel.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Cc: <stable(a)vger.kernel.org> # 6.1.x Reviewed-by: Ahsan Atta <ahsan.atta(a)intel.com> Tested-by: Ahsan Atta <ahsan.atta(a)intel.com> --- drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 13 +++++++++++++ drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 + drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 6 ++++++ drivers/crypto/qat/qat_common/adf_init.c | 3 +++ 4 files changed, 23 insertions(+) diff --git a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c index fda5f699ff57..65b52c692add 100644 --- a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c +++ b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c @@ -297,6 +297,18 @@ static char *uof_get_name(struct adf_accel_dev *accel_dev, u32 obj_num) return NULL; } +static u16 get_ring_to_svc_map(struct adf_accel_dev *accel_dev) +{ + switch (get_service_enabled(accel_dev)) { + case SVC_CY: + return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP; + case SVC_DC: + return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC; + } + + return 0; +} + static u32 uof_get_ae_mask(struct adf_accel_dev *accel_dev, u32 obj_num) { switch (get_service_enabled(accel_dev)) { @@ -353,6 +365,7 @@ void adf_init_hw_data_4xxx(struct adf_hw_device_data *hw_data) hw_data->uof_get_ae_mask = uof_get_ae_mask; hw_data->set_msix_rttable = set_msix_default_rttable; hw_data->set_ssm_wdtimer = adf_gen4_set_ssm_wdtimer; + hw_data->get_ring_to_svc_map = get_ring_to_svc_map; hw_data->disable_iov = adf_disable_sriov; hw_data->ring_pair_reset = adf_gen4_ring_pair_reset; hw_data->enable_pm = adf_gen4_enable_pm; diff --git a/drivers/crypto/qat/qat_common/adf_accel_devices.h b/drivers/crypto/qat/qat_common/adf_accel_devices.h index ad01d99e6e2b..7993d0f82dea 100644 --- a/drivers/crypto/qat/qat_common/adf_accel_devices.h +++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h @@ -176,6 +176,7 @@ struct adf_hw_device_data { void (*get_arb_info)(struct arb_info *arb_csrs_info); void (*get_admin_info)(struct admin_info *admin_csrs_info); enum dev_sku_info (*get_sku)(struct adf_hw_device_data *self); + u16 (*get_ring_to_svc_map)(struct adf_accel_dev *accel_dev); int (*alloc_irq)(struct adf_accel_dev *accel_dev); void (*free_irq)(struct adf_accel_dev *accel_dev); void (*enable_error_correction)(struct adf_accel_dev *accel_dev); diff --git a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h index 4fb4b3df5a18..5e653ec755e6 100644 --- a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h +++ b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h @@ -95,6 +95,12 @@ do { \ ADF_RING_BUNDLE_SIZE * (bank) + \ ADF_RING_CSR_RING_SRV_ARB_EN, (value)) +#define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC \ + (COMP << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_1_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_2_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_3_SHIFT) + /* Default ring mapping */ #define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP \ (ASYM << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \ diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c index 2e3481270c4b..49f07584f8c9 100644 --- a/drivers/crypto/qat/qat_common/adf_init.c +++ b/drivers/crypto/qat/qat_common/adf_init.c @@ -95,6 +95,9 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) return -EFAULT; } + if (hw_data->get_ring_to_svc_map) + hw_data->ring_to_svc_map = hw_data->get_ring_to_svc_map(accel_dev); + if (adf_ae_init(accel_dev)) { dev_err(&GET_DEV(accel_dev), "Failed to initialise Acceleration Engine\n"); -- 2.50.0

1 month, 1 week

3
6
0 0

Re: Patch "smb: client: make use of common smbdirect_socket_parameters" has been added to the 6.12-stable tree

by Stefan Metzmacher

Hi, any reason why this is only backported to 6.12, but not 6.15? I'm looking at v6.15.5 and v6.12.36 and the following are missing from 6.15: bced02aca343 David Howells Wed Apr 2 20:27:26 2025 +0100 cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code 87dcc7e33fc3 David Howells Wed Jun 25 14:15:04 2025 +0100 cifs: Fix the smbd_response slab to allow usercopy b8ddcca4391e Stefan Metzmacher Wed May 28 18:01:40 2025 +0200 smb: client: make use of common smbdirect_socket_parameters 69cafc413c2d Stefan Metzmacher Wed May 28 18:01:39 2025 +0200 smb: smbdirect: introduce smbdirect_socket_parameters c39639bc7723 Stefan Metzmacher Wed May 28 18:01:37 2025 +0200 smb: client: make use of common smbdirect_socket f4b05342c293 Stefan Metzmacher Wed May 28 18:01:36 2025 +0200 smb: smbdirect: add smbdirect_socket.h a6ec1fcafd41 Stefan Metzmacher Wed May 28 18:01:33 2025 +0200 smb: smbdirect: add smbdirect.h with public structures 6509de31b1b6 Stefan Metzmacher Wed May 28 18:01:31 2025 +0200 smb: client: make use of common smbdirect_pdu.h a9bb4006c4f3 Stefan Metzmacher Wed May 28 18:01:30 2025 +0200 smb: smbdirect: add smbdirect_pdu.h with protocol definitions With these being backported to 6.15 too, the following is missing in both: commit 1944f6ab4967db7ad8d4db527dceae8c77de76e9 Author: Stefan Metzmacher <metze(a)samba.org> AuthorDate: Wed Jun 25 10:16:38 2025 +0200 Commit: Steve French <stfrench(a)microsoft.com> CommitDate: Wed Jun 25 11:12:54 2025 -0500 smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data As it was marked as Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be info->max_send_size in backports But now that the patches up to b8ddcca4391e are backported it can be cherry-picked just fine to both branches. Thanks! metze Am 29.06.25 um 16:56 schrieb Steve French: >> Steve: Do you agree? > > Yes > > Thanks, > > Steve > > On Sun, Jun 29, 2025, 9:48 AM Stefan Metzmacher <metze(a)samba.org> wrote: > >> Hi, >> >> if these patches are backported to stable then >> 1944f6ab4967db7ad8d4db527dceae8c77de76e9 >> "smb: client: let smbd_post_send_iter() respect the peers max_send_size >> and transmit all data" >> can also be backported as is. >> >> I just added the >> "Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be >> info->max_send_size in backports" >> because I thought they would not be backported. >> >> I'm fine with backporting the header changes... >> >> @Steve: Do you agree? >> >> Thanks! >> metze >> >> Am 29.06.25 um 16:28 schrieb Sasha Levin: >>> This is a note to let you know that I've just added the patch titled >>> >>> smb: client: make use of common smbdirect_socket_parameters >>> >>> to the 6.12-stable tree which can be found at: >>> >> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… >>> >>> The filename of the patch is: >>> smb-client-make-use-of-common-smbdirect_socket_param.patch >>> and it can be found in the queue-6.12 subdirectory. >>> >>> If you, or anyone else, feels it should not be added to the stable tree, >>> please let <stable(a)vger.kernel.org> know about it. >>> >>> >>> >>> commit a1fa1698297356797d7a0379b7e056744fd133ac >>> Author: Stefan Metzmacher <metze(a)samba.org> >>> Date: Wed May 28 18:01:40 2025 +0200 >>> >>> smb: client: make use of common smbdirect_socket_parameters >>> >>> [ Upstream commit cc55f65dd352bdb7bdf8db1c36fb348c294c3b66 ] >>> >>> Cc: Steve French <smfrench(a)gmail.com> >>> Cc: Tom Talpey <tom(a)talpey.com> >>> Cc: Long Li <longli(a)microsoft.com> >>> Cc: Namjae Jeon <linkinjeon(a)kernel.org> >>> Cc: Hyunchul Lee <hyc.lee(a)gmail.com> >>> Cc: Meetakshi Setiya <meetakshisetiyaoss(a)gmail.com> >>> Cc: linux-cifs(a)vger.kernel.org >>> Cc: samba-technical(a)lists.samba.org >>> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> >>> Signed-off-by: Steve French <stfrench(a)microsoft.com> >>> Stable-dep-of: 43e7e284fc77 ("cifs: Fix the smbd_response slab to >> allow usercopy") >>> Signed-off-by: Sasha Levin <sashal(a)kernel.org> >>> >>> diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c >>> index 56b0b5c82dd19..c0196be0e65fc 100644 >>> --- a/fs/smb/client/cifs_debug.c >>> +++ b/fs/smb/client/cifs_debug.c >>> @@ -362,6 +362,10 @@ static int cifs_debug_data_proc_show(struct >> seq_file *m, void *v) >>> c = 0; >>> spin_lock(&cifs_tcp_ses_lock); >>> list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) { >>> +#ifdef CONFIG_CIFS_SMB_DIRECT >>> + struct smbdirect_socket_parameters *sp; >>> +#endif >>> + >>> /* channel info will be printed as a part of sessions >> below */ >>> if (SERVER_IS_CHAN(server)) >>> continue; >>> @@ -383,6 +387,7 @@ static int cifs_debug_data_proc_show(struct seq_file >> *m, void *v) >>> seq_printf(m, "\nSMBDirect transport not >> available"); >>> goto skip_rdma; >>> } >>> + sp = &server->smbd_conn->socket.parameters; >>> >>> seq_printf(m, "\nSMBDirect (in hex) protocol version: %x " >>> "transport status: %x", >>> @@ -390,18 +395,18 @@ static int cifs_debug_data_proc_show(struct >> seq_file *m, void *v) >>> server->smbd_conn->socket.status); >>> seq_printf(m, "\nConn receive_credit_max: %x " >>> "send_credit_target: %x max_send_size: %x", >>> - server->smbd_conn->receive_credit_max, >>> - server->smbd_conn->send_credit_target, >>> - server->smbd_conn->max_send_size); >>> + sp->recv_credit_max, >>> + sp->send_credit_target, >>> + sp->max_send_size); >>> seq_printf(m, "\nConn max_fragmented_recv_size: %x " >>> "max_fragmented_send_size: %x max_receive_size:%x", >>> - server->smbd_conn->max_fragmented_recv_size, >>> - server->smbd_conn->max_fragmented_send_size, >>> - server->smbd_conn->max_receive_size); >>> + sp->max_fragmented_recv_size, >>> + sp->max_fragmented_send_size, >>> + sp->max_recv_size); >>> seq_printf(m, "\nConn keep_alive_interval: %x " >>> "max_readwrite_size: %x rdma_readwrite_threshold: >> %x", >>> - server->smbd_conn->keep_alive_interval, >>> - server->smbd_conn->max_readwrite_size, >>> + sp->keepalive_interval_msec * 1000, >>> + sp->max_read_write_size, >>> server->smbd_conn->rdma_readwrite_threshold); >>> seq_printf(m, "\nDebug count_get_receive_buffer: %x " >>> "count_put_receive_buffer: %x count_send_empty: >> %x", >>> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c >>> index 74bcc51ccd32f..e596bc4837b68 100644 >>> --- a/fs/smb/client/smb2ops.c >>> +++ b/fs/smb/client/smb2ops.c >>> @@ -504,6 +504,9 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, struct >> smb3_fs_context *ctx) >>> wsize = min_t(unsigned int, wsize, server->max_write); >>> #ifdef CONFIG_CIFS_SMB_DIRECT >>> if (server->rdma) { >>> + struct smbdirect_socket_parameters *sp = >>> + &server->smbd_conn->socket.parameters; >>> + >>> if (server->sign) >>> /* >>> * Account for SMB2 data transfer packet header and >>> @@ -511,12 +514,12 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, >> struct smb3_fs_context *ctx) >>> */ >>> wsize = min_t(unsigned int, >>> wsize, >>> - >> server->smbd_conn->max_fragmented_send_size - >>> + sp->max_fragmented_send_size - >>> SMB2_READWRITE_PDU_HEADER_SIZE - >>> sizeof(struct smb2_transform_hdr)); >>> else >>> wsize = min_t(unsigned int, >>> - wsize, >> server->smbd_conn->max_readwrite_size); >>> + wsize, sp->max_read_write_size); >>> } >>> #endif >>> if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) >>> @@ -552,6 +555,9 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, struct >> smb3_fs_context *ctx) >>> rsize = min_t(unsigned int, rsize, server->max_read); >>> #ifdef CONFIG_CIFS_SMB_DIRECT >>> if (server->rdma) { >>> + struct smbdirect_socket_parameters *sp = >>> + &server->smbd_conn->socket.parameters; >>> + >>> if (server->sign) >>> /* >>> * Account for SMB2 data transfer packet header and >>> @@ -559,12 +565,12 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, >> struct smb3_fs_context *ctx) >>> */ >>> rsize = min_t(unsigned int, >>> rsize, >>> - >> server->smbd_conn->max_fragmented_recv_size - >>> + sp->max_fragmented_recv_size - >>> SMB2_READWRITE_PDU_HEADER_SIZE - >>> sizeof(struct smb2_transform_hdr)); >>> else >>> rsize = min_t(unsigned int, >>> - rsize, >> server->smbd_conn->max_readwrite_size); >>> + rsize, sp->max_read_write_size); >>> } >>> #endif >>> >>> diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c >>> index ac489df8151a1..cbc85bca006f7 100644 >>> --- a/fs/smb/client/smbdirect.c >>> +++ b/fs/smb/client/smbdirect.c >>> @@ -320,6 +320,8 @@ static bool process_negotiation_response( >>> struct smbd_response *response, int packet_length) >>> { >>> struct smbd_connection *info = response->info; >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct smbdirect_negotiate_resp *packet = >> smbd_response_payload(response); >>> >>> if (packet_length < sizeof(struct smbdirect_negotiate_resp)) { >>> @@ -349,20 +351,20 @@ static bool process_negotiation_response( >>> >>> atomic_set(&info->receive_credits, 0); >>> >>> - if (le32_to_cpu(packet->preferred_send_size) > >> info->max_receive_size) { >>> + if (le32_to_cpu(packet->preferred_send_size) > sp->max_recv_size) { >>> log_rdma_event(ERR, "error: preferred_send_size=%d\n", >>> le32_to_cpu(packet->preferred_send_size)); >>> return false; >>> } >>> - info->max_receive_size = le32_to_cpu(packet->preferred_send_size); >>> + sp->max_recv_size = le32_to_cpu(packet->preferred_send_size); >>> >>> if (le32_to_cpu(packet->max_receive_size) < SMBD_MIN_RECEIVE_SIZE) >> { >>> log_rdma_event(ERR, "error: max_receive_size=%d\n", >>> le32_to_cpu(packet->max_receive_size)); >>> return false; >>> } >>> - info->max_send_size = min_t(int, info->max_send_size, >>> - >> le32_to_cpu(packet->max_receive_size)); >>> + sp->max_send_size = min_t(u32, sp->max_send_size, >>> + le32_to_cpu(packet->max_receive_size)); >>> >>> if (le32_to_cpu(packet->max_fragmented_size) < >>> SMBD_MIN_FRAGMENTED_SIZE) { >>> @@ -370,18 +372,18 @@ static bool process_negotiation_response( >>> le32_to_cpu(packet->max_fragmented_size)); >>> return false; >>> } >>> - info->max_fragmented_send_size = >>> + sp->max_fragmented_send_size = >>> le32_to_cpu(packet->max_fragmented_size); >>> info->rdma_readwrite_threshold = >>> - rdma_readwrite_threshold > info->max_fragmented_send_size ? >>> - info->max_fragmented_send_size : >>> + rdma_readwrite_threshold > sp->max_fragmented_send_size ? >>> + sp->max_fragmented_send_size : >>> rdma_readwrite_threshold; >>> >>> >>> - info->max_readwrite_size = min_t(u32, >>> + sp->max_read_write_size = min_t(u32, >>> le32_to_cpu(packet->max_readwrite_size), >>> info->max_frmr_depth * PAGE_SIZE); >>> - info->max_frmr_depth = info->max_readwrite_size / PAGE_SIZE; >>> + info->max_frmr_depth = sp->max_read_write_size / PAGE_SIZE; >>> >>> return true; >>> } >>> @@ -689,6 +691,7 @@ static int smbd_ia_open( >>> static int smbd_post_send_negotiate_req(struct smbd_connection *info) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_send_wr send_wr; >>> int rc = -ENOMEM; >>> struct smbd_request *request; >>> @@ -704,11 +707,11 @@ static int smbd_post_send_negotiate_req(struct >> smbd_connection *info) >>> packet->min_version = cpu_to_le16(SMBDIRECT_V1); >>> packet->max_version = cpu_to_le16(SMBDIRECT_V1); >>> packet->reserved = 0; >>> - packet->credits_requested = cpu_to_le16(info->send_credit_target); >>> - packet->preferred_send_size = cpu_to_le32(info->max_send_size); >>> - packet->max_receive_size = cpu_to_le32(info->max_receive_size); >>> + packet->credits_requested = cpu_to_le16(sp->send_credit_target); >>> + packet->preferred_send_size = cpu_to_le32(sp->max_send_size); >>> + packet->max_receive_size = cpu_to_le32(sp->max_recv_size); >>> packet->max_fragmented_size = >>> - cpu_to_le32(info->max_fragmented_recv_size); >>> + cpu_to_le32(sp->max_fragmented_recv_size); >>> >>> request->num_sge = 1; >>> request->sge[0].addr = ib_dma_map_single( >>> @@ -800,6 +803,7 @@ static int smbd_post_send(struct smbd_connection >> *info, >>> struct smbd_request *request) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_send_wr send_wr; >>> int rc, i; >>> >>> @@ -831,7 +835,7 @@ static int smbd_post_send(struct smbd_connection >> *info, >>> } else >>> /* Reset timer for idle connection after packet is sent */ >>> mod_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> >>> return rc; >>> } >>> @@ -841,6 +845,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> int *_remaining_data_length) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> int i, rc; >>> int header_length; >>> int data_length; >>> @@ -868,7 +873,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> >>> wait_send_queue: >>> wait_event(info->wait_post_send, >>> - atomic_read(&info->send_pending) < >> info->send_credit_target || >>> + atomic_read(&info->send_pending) < sp->send_credit_target >> || >>> sc->status != SMBDIRECT_SOCKET_CONNECTED); >>> >>> if (sc->status != SMBDIRECT_SOCKET_CONNECTED) { >>> @@ -878,7 +883,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> } >>> >>> if (unlikely(atomic_inc_return(&info->send_pending) > >>> - info->send_credit_target)) { >>> + sp->send_credit_target)) { >>> atomic_dec(&info->send_pending); >>> goto wait_send_queue; >>> } >>> @@ -917,7 +922,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> >>> /* Fill in the packet header */ >>> packet = smbd_request_payload(request); >>> - packet->credits_requested = cpu_to_le16(info->send_credit_target); >>> + packet->credits_requested = cpu_to_le16(sp->send_credit_target); >>> >>> new_credits = manage_credits_prior_sending(info); >>> atomic_add(new_credits, &info->receive_credits); >>> @@ -1017,16 +1022,17 @@ static int smbd_post_recv( >>> struct smbd_connection *info, struct smbd_response >> *response) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_recv_wr recv_wr; >>> int rc = -EIO; >>> >>> response->sge.addr = ib_dma_map_single( >>> sc->ib.dev, response->packet, >>> - info->max_receive_size, DMA_FROM_DEVICE); >>> + sp->max_recv_size, DMA_FROM_DEVICE); >>> if (ib_dma_mapping_error(sc->ib.dev, response->sge.addr)) >>> return rc; >>> >>> - response->sge.length = info->max_receive_size; >>> + response->sge.length = sp->max_recv_size; >>> response->sge.lkey = sc->ib.pd->local_dma_lkey; >>> >>> response->cqe.done = recv_done; >>> @@ -1274,6 +1280,8 @@ static void idle_connection_timer(struct >> work_struct *work) >>> struct smbd_connection *info = container_of( >>> work, struct smbd_connection, >>> idle_timer_work.work); >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> >>> if (info->keep_alive_requested != KEEP_ALIVE_NONE) { >>> log_keep_alive(ERR, >>> @@ -1288,7 +1296,7 @@ static void idle_connection_timer(struct >> work_struct *work) >>> >>> /* Setup the next idle timeout work */ >>> queue_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> } >>> >>> /* >>> @@ -1300,6 +1308,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> { >>> struct smbd_connection *info = server->smbd_conn; >>> struct smbdirect_socket *sc; >>> + struct smbdirect_socket_parameters *sp; >>> struct smbd_response *response; >>> unsigned long flags; >>> >>> @@ -1308,6 +1317,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> return; >>> } >>> sc = &info->socket; >>> + sp = &sc->parameters; >>> >>> log_rdma_event(INFO, "destroying rdma session\n"); >>> if (sc->status != SMBDIRECT_SOCKET_DISCONNECTED) { >>> @@ -1349,7 +1359,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> log_rdma_event(INFO, "free receive buffers\n"); >>> wait_event(info->wait_receive_queues, >>> info->count_receive_queue + info->count_empty_packet_queue >>> - == info->receive_credit_max); >>> + == sp->recv_credit_max); >>> destroy_receive_buffers(info); >>> >>> /* >>> @@ -1437,6 +1447,8 @@ static void destroy_caches_and_workqueue(struct >> smbd_connection *info) >>> #define MAX_NAME_LEN 80 >>> static int allocate_caches_and_workqueue(struct smbd_connection *info) >>> { >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> char name[MAX_NAME_LEN]; >>> int rc; >>> >>> @@ -1451,7 +1463,7 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> return -ENOMEM; >>> >>> info->request_mempool = >>> - mempool_create(info->send_credit_target, >> mempool_alloc_slab, >>> + mempool_create(sp->send_credit_target, mempool_alloc_slab, >>> mempool_free_slab, info->request_cache); >>> if (!info->request_mempool) >>> goto out1; >>> @@ -1461,13 +1473,13 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> kmem_cache_create( >>> name, >>> sizeof(struct smbd_response) + >>> - info->max_receive_size, >>> + sp->max_recv_size, >>> 0, SLAB_HWCACHE_ALIGN, NULL); >>> if (!info->response_cache) >>> goto out2; >>> >>> info->response_mempool = >>> - mempool_create(info->receive_credit_max, >> mempool_alloc_slab, >>> + mempool_create(sp->recv_credit_max, mempool_alloc_slab, >>> mempool_free_slab, info->response_cache); >>> if (!info->response_mempool) >>> goto out3; >>> @@ -1477,7 +1489,7 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> if (!info->workqueue) >>> goto out4; >>> >>> - rc = allocate_receive_buffers(info, info->receive_credit_max); >>> + rc = allocate_receive_buffers(info, sp->recv_credit_max); >>> if (rc) { >>> log_rdma_event(ERR, "failed to allocate receive >> buffers\n"); >>> goto out5; >>> @@ -1505,6 +1517,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> int rc; >>> struct smbd_connection *info; >>> struct smbdirect_socket *sc; >>> + struct smbdirect_socket_parameters *sp; >>> struct rdma_conn_param conn_param; >>> struct ib_qp_init_attr qp_attr; >>> struct sockaddr_in *addr_in = (struct sockaddr_in *) dstaddr; >>> @@ -1515,6 +1528,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> if (!info) >>> return NULL; >>> sc = &info->socket; >>> + sp = &sc->parameters; >>> >>> sc->status = SMBDIRECT_SOCKET_CONNECTING; >>> rc = smbd_ia_open(info, dstaddr, port); >>> @@ -1541,12 +1555,12 @@ static struct smbd_connection >> *_smbd_get_connection( >>> goto config_failed; >>> } >>> >>> - info->receive_credit_max = smbd_receive_credit_max; >>> - info->send_credit_target = smbd_send_credit_target; >>> - info->max_send_size = smbd_max_send_size; >>> - info->max_fragmented_recv_size = smbd_max_fragmented_recv_size; >>> - info->max_receive_size = smbd_max_receive_size; >>> - info->keep_alive_interval = smbd_keep_alive_interval; >>> + sp->recv_credit_max = smbd_receive_credit_max; >>> + sp->send_credit_target = smbd_send_credit_target; >>> + sp->max_send_size = smbd_max_send_size; >>> + sp->max_fragmented_recv_size = smbd_max_fragmented_recv_size; >>> + sp->max_recv_size = smbd_max_receive_size; >>> + sp->keepalive_interval_msec = smbd_keep_alive_interval * 1000; >>> >>> if (sc->ib.dev->attrs.max_send_sge < SMBDIRECT_MAX_SEND_SGE || >>> sc->ib.dev->attrs.max_recv_sge < SMBDIRECT_MAX_RECV_SGE) { >>> @@ -1561,7 +1575,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> >>> sc->ib.send_cq = >>> ib_alloc_cq_any(sc->ib.dev, info, >>> - info->send_credit_target, IB_POLL_SOFTIRQ); >>> + sp->send_credit_target, IB_POLL_SOFTIRQ); >>> if (IS_ERR(sc->ib.send_cq)) { >>> sc->ib.send_cq = NULL; >>> goto alloc_cq_failed; >>> @@ -1569,7 +1583,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> >>> sc->ib.recv_cq = >>> ib_alloc_cq_any(sc->ib.dev, info, >>> - info->receive_credit_max, IB_POLL_SOFTIRQ); >>> + sp->recv_credit_max, IB_POLL_SOFTIRQ); >>> if (IS_ERR(sc->ib.recv_cq)) { >>> sc->ib.recv_cq = NULL; >>> goto alloc_cq_failed; >>> @@ -1578,8 +1592,8 @@ static struct smbd_connection >> *_smbd_get_connection( >>> memset(&qp_attr, 0, sizeof(qp_attr)); >>> qp_attr.event_handler = smbd_qp_async_error_upcall; >>> qp_attr.qp_context = info; >>> - qp_attr.cap.max_send_wr = info->send_credit_target; >>> - qp_attr.cap.max_recv_wr = info->receive_credit_max; >>> + qp_attr.cap.max_send_wr = sp->send_credit_target; >>> + qp_attr.cap.max_recv_wr = sp->recv_credit_max; >>> qp_attr.cap.max_send_sge = SMBDIRECT_MAX_SEND_SGE; >>> qp_attr.cap.max_recv_sge = SMBDIRECT_MAX_RECV_SGE; >>> qp_attr.cap.max_inline_data = 0; >>> @@ -1654,7 +1668,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> init_waitqueue_head(&info->wait_send_queue); >>> INIT_DELAYED_WORK(&info->idle_timer_work, idle_connection_timer); >>> queue_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> >>> init_waitqueue_head(&info->wait_send_pending); >>> atomic_set(&info->send_pending, 0); >>> @@ -1971,6 +1985,7 @@ int smbd_send(struct TCP_Server_Info *server, >>> { >>> struct smbd_connection *info = server->smbd_conn; >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct smb_rqst *rqst; >>> struct iov_iter iter; >>> unsigned int remaining_data_length, klen; >>> @@ -1988,10 +2003,10 @@ int smbd_send(struct TCP_Server_Info *server, >>> for (i = 0; i < num_rqst; i++) >>> remaining_data_length += smb_rqst_len(server, >> &rqst_array[i]); >>> >>> - if (unlikely(remaining_data_length > >> info->max_fragmented_send_size)) { >>> + if (unlikely(remaining_data_length > >> sp->max_fragmented_send_size)) { >>> /* assertion: payload never exceeds negotiated maximum */ >>> log_write(ERR, "payload size %d > max size %d\n", >>> - remaining_data_length, >> info->max_fragmented_send_size); >>> + remaining_data_length, >> sp->max_fragmented_send_size); >>> return -EINVAL; >>> } >>> >>> diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h >>> index 4b559a4147af1..3d552ab27e0f3 100644 >>> --- a/fs/smb/client/smbdirect.h >>> +++ b/fs/smb/client/smbdirect.h >>> @@ -69,15 +69,7 @@ struct smbd_connection { >>> spinlock_t lock_new_credits_offered; >>> int new_credits_offered; >>> >>> - /* Connection parameters defined in [MS-SMBD] 3.1.1.1 */ >>> - int receive_credit_max; >>> - int send_credit_target; >>> - int max_send_size; >>> - int max_fragmented_recv_size; >>> - int max_fragmented_send_size; >>> - int max_receive_size; >>> - int keep_alive_interval; >>> - int max_readwrite_size; >>> + /* dynamic connection parameters defined in [MS-SMBD] 3.1.1.1 */ >>> enum keep_alive_status keep_alive_requested; >>> int protocol; >>> atomic_t send_credits; >> >> >

1 month, 1 week

2
6
0 0

FAILED: patch "[PATCH] nvmem: layouts: u-boot-env: remove crc32 endianness" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2d7521aa26ec2dc8b877bb2d1f2611a2df49a3cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072117-afraid-cyclic-e53c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2d7521aa26ec2dc8b877bb2d1f2611a2df49a3cf Mon Sep 17 00:00:00 2001 From: "Michael C. Pratt" <mcpratt(a)pm.me> Date: Wed, 16 Jul 2025 15:42:10 +0100 Subject: [PATCH] nvmem: layouts: u-boot-env: remove crc32 endianness conversion On 11 Oct 2022, it was reported that the crc32 verification of the u-boot environment failed only on big-endian systems for the u-boot-env nvmem layout driver with the following error. Invalid calculated CRC32: 0x88cd6f09 (expected: 0x096fcd88) This problem has been present since the driver was introduced, and before it was made into a layout driver. The suggested fix at the time was to use further endianness conversion macros in order to have both the stored and calculated crc32 values to compare always represented in the system's endianness. This was not accepted due to sparse warnings and some disagreement on how to handle the situation. Later on in a newer revision of the patch, it was proposed to use cpu_to_le32() for both values to compare instead of le32_to_cpu() and store the values as __le32 type to remove compilation errors. The necessity of this is based on the assumption that the use of crc32() requires endianness conversion because the algorithm uses little-endian, however, this does not prove to be the case and the issue is unrelated. Upon inspecting the current kernel code, there already is an existing use of le32_to_cpu() in this driver, which suggests there already is special handling for big-endian systems, however, it is big-endian systems that have the problem. This, being the only functional difference between architectures in the driver combined with the fact that the suggested fix was to use the exact same endianness conversion for the values brings up the possibility that it was not necessary to begin with, as the same endianness conversion for two values expected to be the same is expected to be equivalent to no conversion at all. After inspecting the u-boot environment of devices of both endianness and trying to remove the existing endianness conversion, the problem is resolved in an equivalent way as the other suggested fixes. Ultimately, it seems that u-boot is agnostic to endianness at least for the purpose of environment variables. In other words, u-boot reads and writes the stored crc32 value with the same endianness that the crc32 value is calculated with in whichever endianness a certain architecture runs on. Therefore, the u-boot-env driver does not need to convert endianness. Remove the usage of endianness macros in the u-boot-env driver, and change the type of local variables to maintain the same return type. If there is a special situation in the case of endianness, it would be a corner case and should be handled by a unique "compatible". Even though it is not necessary to use endianness conversion macros here, it may be useful to use them in the future for consistent error printing. Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables") Reported-by: INAGAKI Hiroshi <musashino.open(a)gmail.com> Link: https://lore.kernel.org/all/20221011024928.1807-1-musashino.open@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: "Michael C. Pratt" <mcpratt(a)pm.me> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> Link: https://lore.kernel.org/r/20250716144210.4804-1-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/nvmem/layouts/u-boot-env.c b/drivers/nvmem/layouts/u-boot-env.c index 436426d4e8f9..8571aac56295 100644 --- a/drivers/nvmem/layouts/u-boot-env.c +++ b/drivers/nvmem/layouts/u-boot-env.c @@ -92,7 +92,7 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, size_t crc32_data_offset; size_t crc32_data_len; size_t crc32_offset; - __le32 *crc32_addr; + uint32_t *crc32_addr; size_t data_offset; size_t data_len; size_t dev_size; @@ -143,8 +143,8 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, goto err_kfree; } - crc32_addr = (__le32 *)(buf + crc32_offset); - crc32 = le32_to_cpu(*crc32_addr); + crc32_addr = (uint32_t *)(buf + crc32_offset); + crc32 = *crc32_addr; crc32_data_len = dev_size - crc32_data_offset; data_len = dev_size - data_offset;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] nvmem: layouts: u-boot-env: remove crc32 endianness" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2d7521aa26ec2dc8b877bb2d1f2611a2df49a3cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072115-gotten-sprout-e549@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2d7521aa26ec2dc8b877bb2d1f2611a2df49a3cf Mon Sep 17 00:00:00 2001 From: "Michael C. Pratt" <mcpratt(a)pm.me> Date: Wed, 16 Jul 2025 15:42:10 +0100 Subject: [PATCH] nvmem: layouts: u-boot-env: remove crc32 endianness conversion On 11 Oct 2022, it was reported that the crc32 verification of the u-boot environment failed only on big-endian systems for the u-boot-env nvmem layout driver with the following error. Invalid calculated CRC32: 0x88cd6f09 (expected: 0x096fcd88) This problem has been present since the driver was introduced, and before it was made into a layout driver. The suggested fix at the time was to use further endianness conversion macros in order to have both the stored and calculated crc32 values to compare always represented in the system's endianness. This was not accepted due to sparse warnings and some disagreement on how to handle the situation. Later on in a newer revision of the patch, it was proposed to use cpu_to_le32() for both values to compare instead of le32_to_cpu() and store the values as __le32 type to remove compilation errors. The necessity of this is based on the assumption that the use of crc32() requires endianness conversion because the algorithm uses little-endian, however, this does not prove to be the case and the issue is unrelated. Upon inspecting the current kernel code, there already is an existing use of le32_to_cpu() in this driver, which suggests there already is special handling for big-endian systems, however, it is big-endian systems that have the problem. This, being the only functional difference between architectures in the driver combined with the fact that the suggested fix was to use the exact same endianness conversion for the values brings up the possibility that it was not necessary to begin with, as the same endianness conversion for two values expected to be the same is expected to be equivalent to no conversion at all. After inspecting the u-boot environment of devices of both endianness and trying to remove the existing endianness conversion, the problem is resolved in an equivalent way as the other suggested fixes. Ultimately, it seems that u-boot is agnostic to endianness at least for the purpose of environment variables. In other words, u-boot reads and writes the stored crc32 value with the same endianness that the crc32 value is calculated with in whichever endianness a certain architecture runs on. Therefore, the u-boot-env driver does not need to convert endianness. Remove the usage of endianness macros in the u-boot-env driver, and change the type of local variables to maintain the same return type. If there is a special situation in the case of endianness, it would be a corner case and should be handled by a unique "compatible". Even though it is not necessary to use endianness conversion macros here, it may be useful to use them in the future for consistent error printing. Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables") Reported-by: INAGAKI Hiroshi <musashino.open(a)gmail.com> Link: https://lore.kernel.org/all/20221011024928.1807-1-musashino.open@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: "Michael C. Pratt" <mcpratt(a)pm.me> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> Link: https://lore.kernel.org/r/20250716144210.4804-1-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/nvmem/layouts/u-boot-env.c b/drivers/nvmem/layouts/u-boot-env.c index 436426d4e8f9..8571aac56295 100644 --- a/drivers/nvmem/layouts/u-boot-env.c +++ b/drivers/nvmem/layouts/u-boot-env.c @@ -92,7 +92,7 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, size_t crc32_data_offset; size_t crc32_data_len; size_t crc32_offset; - __le32 *crc32_addr; + uint32_t *crc32_addr; size_t data_offset; size_t data_len; size_t dev_size; @@ -143,8 +143,8 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, goto err_kfree; } - crc32_addr = (__le32 *)(buf + crc32_offset); - crc32 = le32_to_cpu(*crc32_addr); + crc32_addr = (uint32_t *)(buf + crc32_offset); + crc32 = *crc32_addr; crc32_data_len = dev_size - crc32_data_offset; data_len = dev_size - data_offset;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] drm/xe: Move page fault init after topology init" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 3155ac89251dcb5e35a3ec2f60a74a6ed22c56fd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072101-drastic-gentile-dc59@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3155ac89251dcb5e35a3ec2f60a74a6ed22c56fd Mon Sep 17 00:00:00 2001 From: Matthew Brost <matthew.brost(a)intel.com> Date: Thu, 10 Jul 2025 12:12:08 -0700 Subject: [PATCH] drm/xe: Move page fault init after topology init We need the topology to determine GT page fault queue size, move page fault init after topology init. Cc: stable(a)vger.kernel.org Fixes: 3338e4f90c14 ("drm/xe: Use topology to determine page fault queue size") Signed-off-by: Matthew Brost <matthew.brost(a)intel.com> Reviewed-by: Jonathan Cavitt <jonathan.cavitt(a)intel.com> Reviewed-by: Stuart Summers <stuart.summers(a)intel.com> Link: https://lore.kernel.org/r/20250710191208.1040215-1-matthew.brost@intel.com (cherry picked from commit beb72acb5b38dbe670d8eb752d1ad7a32f9c4119) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c index 9752a38c0162..d554a8cc565c 100644 --- a/drivers/gpu/drm/xe/xe_gt.c +++ b/drivers/gpu/drm/xe/xe_gt.c @@ -632,10 +632,6 @@ int xe_gt_init(struct xe_gt *gt) if (err) return err; - err = xe_gt_pagefault_init(gt); - if (err) - return err; - err = xe_gt_sysfs_init(gt); if (err) return err; @@ -644,6 +640,10 @@ int xe_gt_init(struct xe_gt *gt) if (err) return err; + err = xe_gt_pagefault_init(gt); + if (err) + return err; + err = xe_gt_idle_init(&gt->gtidle); if (err) return err;

1 month, 1 week

2
2
0 0

[tip: timers/urgent] timekeeping: Zero initialize system_counterval when querying time from phc drivers

by tip-bot2 for Markus Blöchl

The following commit has been merged into the timers/urgent branch of tip: Commit-ID: 67c632b4a7fbd6b76a08b86f4950f0f84de93439 Gitweb: https://git.kernel.org/tip/67c632b4a7fbd6b76a08b86f4950f0f84de93439 Author: Markus Blöchl <markus(a)blochl.de> AuthorDate: Sun, 20 Jul 2025 15:54:51 +02:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Tue, 22 Jul 2025 14:25:21 +02:00 timekeeping: Zero initialize system_counterval when querying time from phc drivers Most drivers only populate the fields cycles and cs_id of system_counterval in their get_time_fn() callback for get_device_system_crosststamp(), unless they explicitly provide nanosecond values. When the use_nsecs field was added to struct system_counterval, most drivers did not care. Clock sources other than CSID_GENERIC could then get converted in convert_base_to_cs() based on an uninitialized use_nsecs field, which usually results in -EINVAL during the following range check. Pass in a fully zero initialized system_counterval_t to cure that. Fixes: 6b2e29977518 ("timekeeping: Provide infrastructure for converting to/from a base clock") Signed-off-by: Markus Blöchl <markus(a)blochl.de> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: John Stultz <jstultz(a)google.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20250720-timekeeping_uninit_crossts-v2-1-f513c8… --- kernel/time/timekeeping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index a009c91..83c65f3 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -1256,7 +1256,7 @@ int get_device_system_crosststamp(int (*get_time_fn) struct system_time_snapshot *history_begin, struct system_device_crosststamp *xtstamp) { - struct system_counterval_t system_counterval; + struct system_counterval_t system_counterval = {}; struct timekeeper *tk = &tk_core.timekeeper; u64 cycles, now, interval_start; unsigned int clock_was_set_seq = 0;

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] drm/xe: Move page fault init after topology init" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 3155ac89251dcb5e35a3ec2f60a74a6ed22c56fd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072101-canola-aspect-c5c7@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3155ac89251dcb5e35a3ec2f60a74a6ed22c56fd Mon Sep 17 00:00:00 2001 From: Matthew Brost <matthew.brost(a)intel.com> Date: Thu, 10 Jul 2025 12:12:08 -0700 Subject: [PATCH] drm/xe: Move page fault init after topology init We need the topology to determine GT page fault queue size, move page fault init after topology init. Cc: stable(a)vger.kernel.org Fixes: 3338e4f90c14 ("drm/xe: Use topology to determine page fault queue size") Signed-off-by: Matthew Brost <matthew.brost(a)intel.com> Reviewed-by: Jonathan Cavitt <jonathan.cavitt(a)intel.com> Reviewed-by: Stuart Summers <stuart.summers(a)intel.com> Link: https://lore.kernel.org/r/20250710191208.1040215-1-matthew.brost@intel.com (cherry picked from commit beb72acb5b38dbe670d8eb752d1ad7a32f9c4119) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c index 9752a38c0162..d554a8cc565c 100644 --- a/drivers/gpu/drm/xe/xe_gt.c +++ b/drivers/gpu/drm/xe/xe_gt.c @@ -632,10 +632,6 @@ int xe_gt_init(struct xe_gt *gt) if (err) return err; - err = xe_gt_pagefault_init(gt); - if (err) - return err; - err = xe_gt_sysfs_init(gt); if (err) return err; @@ -644,6 +640,10 @@ int xe_gt_init(struct xe_gt *gt) if (err) return err; + err = xe_gt_pagefault_init(gt); + if (err) + return err; + err = xe_gt_idle_init(&gt->gtidle); if (err) return err;

1 month, 1 week

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror