- Linux-stable-mirror - lists.linaro.org

[PATCH v7 3/3] PCI: dwc: Don't return error when wait for link up in dw_pcie_resume_noirq()

by Richard Zhu

When waiting for the PCIe link to come up, both link up and link down are valid results depending on the device state. Since the link may come up later and to get rid of the following mis-reported PM errors. Do not return an -ETIMEDOUT error, as the outcome has already been reported in dw_pcie_wait_for_link(). PM error logs introduced by the -ETIMEDOUT error return. imx6q-pcie 33800000.pcie: Phy link never came up imx6q-pcie 33800000.pcie: PM: dpm_run_callback(): genpd_resume_noirq returns -110 imx6q-pcie 33800000.pcie: PM: failed to resume noirq: error -110 Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index a4d9838bc33f0..8430ac433d457 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1212,10 +1212,9 @@ int dw_pcie_resume_noirq(struct dw_pcie *pci) if (ret) return ret; - ret = dw_pcie_wait_for_link(pci); - if (ret) - return ret; + /* Ignore errors, the link may come up later */ + dw_pcie_wait_for_link(pci); - return ret; + return 0; } EXPORT_SYMBOL_GPL(dw_pcie_resume_noirq); -- 2.37.1

3 weeks, 2 days

1
0
0 0

[PATCH v7 2/3] PCI: dwc: Skip PME_Turn_Off message if there is no endpoint connected

by Richard Zhu

A chip freeze is observed on i.MX7D when PCIe RC kicks off the PM_PME message and no devices are connected on the port. To work aroud such kind of issue, skip PME_Turn_Off message if there is no endpoint connected. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 09b50a5ce19bb..a4d9838bc33f0 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1136,12 +1136,15 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) if (dw_pcie_readw_dbi(pci, offset + PCI_EXP_LNKCTL) & PCI_EXP_LNKCTL_ASPM_L1) return 0; - if (pci->pp.ops->pme_turn_off) { - pci->pp.ops->pme_turn_off(&pci->pp); - } else { - ret = dw_pcie_pme_turn_off(pci); - if (ret) - return ret; + /* Skip PME_Turn_Off message if there is no endpoint connected */ + if (dw_pcie_get_ltssm(pci) > DW_PCIE_LTSSM_DETECT_WAIT) { + if (pci->pp.ops->pme_turn_off) { + pci->pp.ops->pme_turn_off(&pci->pp); + } else { + ret = dw_pcie_pme_turn_off(pci); + if (ret) + return ret; + } } if (dwc_quirk(pci, QUIRK_NOL2POLL_IN_PM)) { -- 2.37.1

3 weeks, 2 days

1
0
0 0

[PATCH v7 1/3] PCI: dwc: Don't poll L2 if QUIRK_NOL2POLL_IN_PM is existing in suspend

by Richard Zhu

Refer to PCIe r6.0, sec 5.2, fig 5-1 Link Power Management State Flow Diagram. Both L0 and L2/L3 Ready can be transferred to LDn directly. It's harmless to let dw_pcie_suspend_noirq() proceed suspend after the PME_Turn_Off is sent out, whatever the LTSSM state is in L2 or L3 after a recommended 10ms max wait refer to PCIe r6.0, sec 5.3.3.2.1 PME Synchronization. The LTSSM states are inaccessible on i.MX6QP and i.MX7D after the PME_Turn_Off is sent out. To support this case, don't poll L2 state and apply a simple delay of PCIE_PME_TO_L2_TIMEOUT_US(10ms) if the QUIRK_NOL2POLL_IN_PM flag is set in suspend. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pci-imx6.c | 4 +++ .../pci/controller/dwc/pcie-designware-host.c | 34 +++++++++++++------ drivers/pci/controller/dwc/pcie-designware.h | 4 +++ 3 files changed, 32 insertions(+), 10 deletions(-) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index 4668fc9648bff..d84bfcd1079ce 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -125,6 +125,7 @@ struct imx_pcie_drvdata { enum imx_pcie_variants variant; enum dw_pcie_device_mode mode; u32 flags; + u32 quirk; int dbi_length; const char *gpr; const u32 ltssm_off; @@ -1765,6 +1766,7 @@ static int imx_pcie_probe(struct platform_device *pdev) if (ret) return ret; + pci->quirk_flag = imx_pcie->drvdata->quirk; pci->use_parent_dt_ranges = true; if (imx_pcie->drvdata->mode == DW_PCIE_EP_TYPE) { ret = imx_add_pcie_ep(imx_pcie, pdev); @@ -1849,6 +1851,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .enable_ref_clk = imx6q_pcie_enable_ref_clk, .core_reset = imx6qp_pcie_core_reset, .ops = &imx_pcie_host_ops, + .quirk = QUIRK_NOL2POLL_IN_PM, }, [IMX7D] = { .variant = IMX7D, @@ -1860,6 +1863,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .mode_mask[0] = IMX6Q_GPR12_DEVICE_TYPE, .enable_ref_clk = imx7d_pcie_enable_ref_clk, .core_reset = imx7d_pcie_core_reset, + .quirk = QUIRK_NOL2POLL_IN_PM, }, [IMX8MQ] = { .variant = IMX8MQ, diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 20c9333bcb1c4..09b50a5ce19bb 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1144,15 +1144,29 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) return ret; } - ret = read_poll_timeout(dw_pcie_get_ltssm, val, - val == DW_PCIE_LTSSM_L2_IDLE || - val <= DW_PCIE_LTSSM_DETECT_WAIT, - PCIE_PME_TO_L2_TIMEOUT_US/10, - PCIE_PME_TO_L2_TIMEOUT_US, false, pci); - if (ret) { - /* Only log message when LTSSM isn't in DETECT or POLL */ - dev_err(pci->dev, "Timeout waiting for L2 entry! LTSSM: 0x%x\n", val); - return ret; + if (dwc_quirk(pci, QUIRK_NOL2POLL_IN_PM)) { + /* + * Add the QUIRK_NOL2_POLL_IN_PM case to avoid the read hang, + * when LTSSM is not powered in L2/L3/LDn properly. + * + * Refer to PCIe r6.0, sec 5.2, fig 5-1 Link Power Management + * State Flow Diagram. Both L0 and L2/L3 Ready can be + * transferred to LDn directly. On the LTSSM states poll broken + * platforms, add a max 10ms delay refer to PCIe r6.0, + * sec 5.3.3.2.1 PME Synchronization. + */ + mdelay(PCIE_PME_TO_L2_TIMEOUT_US/1000); + } else { + ret = read_poll_timeout(dw_pcie_get_ltssm, val, + val == DW_PCIE_LTSSM_L2_IDLE || + val <= DW_PCIE_LTSSM_DETECT_WAIT, + PCIE_PME_TO_L2_TIMEOUT_US/10, + PCIE_PME_TO_L2_TIMEOUT_US, false, pci); + if (ret) { + /* Only log message when LTSSM isn't in DETECT or POLL */ + dev_err(pci->dev, "Timeout waiting for L2 entry! LTSSM: 0x%x\n", val); + return ret; + } } /* @@ -1168,7 +1182,7 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) pci->suspended = true; - return ret; + return 0; } EXPORT_SYMBOL_GPL(dw_pcie_suspend_noirq); diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h index e995f692a1ecd..1fdaed1562b7a 100644 --- a/drivers/pci/controller/dwc/pcie-designware.h +++ b/drivers/pci/controller/dwc/pcie-designware.h @@ -297,6 +297,9 @@ /* Default eDMA LLP memory size */ #define DMA_LLP_MEM_SIZE PAGE_SIZE +#define QUIRK_NOL2POLL_IN_PM BIT(0) +#define dwc_quirk(pci, val) (pci->quirk_flag & val) + struct dw_pcie; struct dw_pcie_rp; struct dw_pcie_ep; @@ -511,6 +514,7 @@ struct dw_pcie { const struct dw_pcie_ops *ops; u32 version; u32 type; + u32 quirk_flag; unsigned long caps; int num_lanes; int max_link_speed; -- 2.37.1

3 weeks, 2 days

1
0
0 0

[STATUS] stable/linux-6.12.y - 4fc43debf5047d2469bdef3b25c02121afa7ef3d

by KernelCI bot

Hello, Status summary for stable/linux-6.12.y Dashboard: https://d.kernelci.org/c/stable/linux-6.12.y/4fc43debf5047d2469bdef3b25c021… giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git branch: linux-6.12.y commit hash: 4fc43debf5047d2469bdef3b25c02121afa7ef3d origin: maestro test start time: 2025-10-23 14:29:15.692000+00:00 Builds: 37 ✅ 0 ❌ 0 ⚠️ Boots: 169 ✅ 0 ❌ 0 ⚠️ Tests: 9431 ✅ 5597 ❌ 2428 ⚠️ ### POSSIBLE REGRESSIONS Hardware: acer-chromebox-cxi4-puff > Config: x86_64_defconfig+lab-setup+x86-board+kselftest - Architecture/compiler: x86_64/gcc-12 - kselftest.cpufreq.hibernate last run: https://d.kernelci.org/test/maestro:68fa48db8a79c348aff82bf9 history: > ✅ > ❌ - kselftest.cpufreq.hibernate.cpufreq_main_sh last run: https://d.kernelci.org/test/maestro:68fa4b9c8a79c348aff83bce history: > ✅ > ❌ Hardware: k3-am625-verdin-wifi-mallow > Config: defconfig+lab-setup+kselftest - Architecture/compiler: arm64/gcc-12 - kselftest.device_error_logs last run: https://d.kernelci.org/test/maestro:68fa9d408a79c348aff8def7 history: > ✅ > ❌ > ❌ ### FIXED REGRESSIONS Hardware: dell-latitude-5400-8665U-sarien > Config: x86_64_defconfig+lab-setup+x86-board+kselftest - Architecture/compiler: x86_64/gcc-12 - kselftest.cpufreq.suspend last run: https://d.kernelci.org/test/maestro:68fa48e58a79c348aff82c7d history: > ❌ > ✅ - kselftest.cpufreq.suspend.cpufreq_main_sh last run: https://d.kernelci.org/test/maestro:68fa4c6c8a79c348aff8427e history: > ❌ > ✅ Hardware: hp-x360-14-G1-sona > Config: x86_64_defconfig+lab-setup+x86-board+kselftest - Architecture/compiler: x86_64/gcc-12 - kselftest.iommu last run: https://d.kernelci.org/test/maestro:68fa48fe8a79c348aff82d62 history: > ❌ > ❌ > ✅ ### UNSTABLE TESTS No unstable tests observed. Sent every day if there were changes in the past 24 hours. Legend: ✅ PASS ❌ FAIL ⚠️ INCONCLUSIVE -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 weeks, 2 days

1
0
0 0

[STATUS] stable/linux-6.6.y - 4a243110dc884d8e1fe69eecbc2daef10d8e75d7

by KernelCI bot

Hello, Status summary for stable/linux-6.6.y Dashboard: https://d.kernelci.org/c/stable/linux-6.6.y/4a243110dc884d8e1fe69eecbc2daef… giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git branch: linux-6.6.y commit hash: 4a243110dc884d8e1fe69eecbc2daef10d8e75d7 origin: maestro test start time: 2025-10-23 14:29:15.250000+00:00 Builds: 38 ✅ 0 ❌ 0 ⚠️ Boots: 87 ✅ 0 ❌ 0 ⚠️ Tests: 3955 ✅ 1454 ❌ 1053 ⚠️ ### POSSIBLE REGRESSIONS Hardware: bcm2837-rpi-3-b-plus > Config: defconfig+lab-setup+kselftest - Architecture/compiler: arm64/gcc-12 - kselftest.ptrace last run: https://d.kernelci.org/test/maestro:68fa5f798a79c348aff889c4 history: > ✅ > ❌ > ❌ ### FIXED REGRESSIONS No fixed regressions observed. ### UNSTABLE TESTS No unstable tests observed. Sent every day if there were changes in the past 24 hours. Legend: ✅ PASS ❌ FAIL ⚠️ INCONCLUSIVE -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 weeks, 2 days

1
0
0 0

[PATCH 5.10.y] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping

by Vasiliy Kovalev

From: Alexis Lothoré <alexis.lothore(a)bootlin.com> commit 030ce919e114a111e83b7976ecb3597cefd33f26 upstream. The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0: Division by zero in kernel. CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22 Hardware name: STM32 (Device Tree Support) Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x6c/0x8c dump_stack_lvl from Ldiv0_64+0x8/0x18 Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4 stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c stmmac_hw_setup from __stmmac_open+0x18c/0x434 __stmmac_open from stmmac_open+0x3c/0xbc stmmac_open from __dev_open+0xf4/0x1ac __dev_open from __dev_change_flags+0x1cc/0x224 __dev_change_flags from dev_change_flags+0x24/0x60 dev_change_flags from ip_auto_config+0x2e8/0x11a0 ip_auto_config from do_one_initcall+0x84/0x33c do_one_initcall from kernel_init_freeable+0x1b8/0x214 kernel_init_freeable from kernel_init+0x24/0x140 kernel_init from ret_from_fork+0x14/0x28 Exception stack(0xe0815fb0 to 0xe0815ff8) Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.") Signed-off-by: Alexis Lothoré <alexis.lothore(a)bootlin.com> Reviewed-by: Yanteng Si <si.yanteng(a)linux.dev> Reviewed-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootl… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ kovalev: bp to fix CVE-2025-38126; the duplicate check removal in stmmac_ptp_register was skipped (function not present) ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index b8581a711514..d793bcb1b444 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -742,6 +742,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags) if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) return -EOPNOTSUPP; + if (!priv->plat->clk_ptp_rate) { + netdev_err(priv->dev, "Invalid PTP clock rate"); + return -EINVAL; + } + stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags); priv->systime_flags = systime_flags; -- 2.50.1

3 weeks, 2 days

1
0
0 0

[PATCH 5.15.y] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping

by Vasiliy Kovalev

From: Alexis Lothoré <alexis.lothore(a)bootlin.com> commit 030ce919e114a111e83b7976ecb3597cefd33f26 upstream. The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0: Division by zero in kernel. CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22 Hardware name: STM32 (Device Tree Support) Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x6c/0x8c dump_stack_lvl from Ldiv0_64+0x8/0x18 Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4 stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c stmmac_hw_setup from __stmmac_open+0x18c/0x434 __stmmac_open from stmmac_open+0x3c/0xbc stmmac_open from __dev_open+0xf4/0x1ac __dev_open from __dev_change_flags+0x1cc/0x224 __dev_change_flags from dev_change_flags+0x24/0x60 dev_change_flags from ip_auto_config+0x2e8/0x11a0 ip_auto_config from do_one_initcall+0x84/0x33c do_one_initcall from kernel_init_freeable+0x1b8/0x214 kernel_init_freeable from kernel_init+0x24/0x140 kernel_init from ret_from_fork+0x14/0x28 Exception stack(0xe0815fb0 to 0xe0815ff8) Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.") Signed-off-by: Alexis Lothoré <alexis.lothore(a)bootlin.com> Reviewed-by: Yanteng Si <si.yanteng(a)linux.dev> Reviewed-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootl… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ kovalev: bp to fix CVE-2025-38126 ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index 21cc8cd9e023..468aeedf22eb 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -522,7 +522,7 @@ bool stmmac_eee_init(struct stmmac_priv *priv) static inline u32 stmmac_cdc_adjust(struct stmmac_priv *priv) { /* Correct the clk domain crossing(CDC) error */ - if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate) + if (priv->plat->has_gmac4) return (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate; return 0; } @@ -848,6 +848,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags) if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) return -EOPNOTSUPP; + if (!priv->plat->clk_ptp_rate) { + netdev_err(priv->dev, "Invalid PTP clock rate"); + return -EINVAL; + } + stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags); priv->systime_flags = systime_flags; -- 2.50.1

3 weeks, 2 days

1
0
0 0

[PATCH net v2] virtio-net: drop the multi-buffer XDP packet in zerocopy

by Bui Quang Minh

In virtio-net, we have not yet supported multi-buffer XDP packet in zerocopy mode when there is a binding XDP program. However, in that case, when receiving multi-buffer XDP packet, we skip the XDP program and return XDP_PASS. As a result, the packet is passed to normal network stack which is an incorrect behavior (e.g. a XDP program for packet count is installed, multi-buffer XDP packet arrives and does go through XDP program. As a result, the packet count does not increase but the packet is still received from network stack).This commit instead returns XDP_ABORTED in that case. Fixes: 99c861b44eb1 ("virtio_net: xsk: rx: support recv merge mode") Cc: stable(a)vger.kernel.org Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> Signed-off-by: Bui Quang Minh <minhquangbui99(a)gmail.com> --- Changes in v2: - Return XDP_ABORTED instead of XDP_DROP, make clearer explanation in commit message --- drivers/net/virtio_net.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..8e8a179aaa49 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -1379,9 +1379,14 @@ static struct sk_buff *virtnet_receive_xsk_merge(struct net_device *dev, struct ret = XDP_PASS; rcu_read_lock(); prog = rcu_dereference(rq->xdp_prog); - /* TODO: support multi buffer. */ - if (prog && num_buf == 1) - ret = virtnet_xdp_handler(prog, xdp, dev, xdp_xmit, stats); + if (prog) { + /* TODO: support multi buffer. */ + if (num_buf == 1) + ret = virtnet_xdp_handler(prog, xdp, dev, xdp_xmit, + stats); + else + ret = XDP_ABORTED; + } rcu_read_unlock(); switch (ret) { -- 2.43.0

3 weeks, 2 days

2
1
0 0

[PATCH] ocxl: Fix race leading to use-after-free in file operations

by Yuhao Jiang

The file operations dereference the context pointer after checking status under ctx->status_mutex, then drop the lock before using the context. This allows afu_release() running on another CPU to free the context, leading to a use-after-free vulnerability. The race window exists in afu_ioctl(), afu_mmap(), afu_poll() and afu_read() between the status check and context usage. During device hot-unplug or rapid open/close cycles, this causes kernel crashes. Introduce reference counting via kref to prevent premature free. ocxl_context_get() atomically checks status and acquires a reference under status_mutex. File operations hold this reference for their duration, ensuring the context remains valid even if another thread calls afu_release(). ocxl_context_alloc() initializes refcount to 1 for the file's lifetime. afu_release() drops this reference, with the context freed when the last reference goes away. Preserve existing -EBUSY behavior where the context intentionally leaks on detach timeout. Reported-by: Yuhao Jiang <danisjiang(a)gmail.com> Fixes: 5ef3166e8a32 ("ocxl: Driver code for 'generic' opencapi devices") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- drivers/misc/ocxl/context.c | 69 ++++++++++++++---- drivers/misc/ocxl/file.c | 113 +++++++++++++++++++++++------- drivers/misc/ocxl/ocxl_internal.h | 4 ++ 3 files changed, 144 insertions(+), 42 deletions(-) diff --git a/drivers/misc/ocxl/context.c b/drivers/misc/ocxl/context.c index cded7d1caf32..e154adc972a5 100644 --- a/drivers/misc/ocxl/context.c +++ b/drivers/misc/ocxl/context.c @@ -28,6 +28,7 @@ int ocxl_context_alloc(struct ocxl_context **context, struct ocxl_afu *afu, ctx->pasid = pasid; ctx->status = OPENED; + kref_init(&ctx->kref); mutex_init(&ctx->status_mutex); ctx->mapping = mapping; mutex_init(&ctx->mapping_lock); @@ -47,6 +48,59 @@ int ocxl_context_alloc(struct ocxl_context **context, struct ocxl_afu *afu, } EXPORT_SYMBOL_GPL(ocxl_context_alloc); +/** + * ocxl_context_get() - Get a reference to the context if not closed + * @ctx: The context + * + * Atomically checks if context status is not CLOSED and acquires a reference. + * Must be called with ctx->status_mutex held. + * + * Return: true if reference acquired, false if context is CLOSED + */ +bool ocxl_context_get(struct ocxl_context *ctx) +{ + lockdep_assert_held(&ctx->status_mutex); + + if (ctx->status == CLOSED) + return false; + + kref_get(&ctx->kref); + return true; +} +EXPORT_SYMBOL_GPL(ocxl_context_get); + +/* + * kref release callback - called when last reference is dropped + */ +static void ocxl_context_release(struct kref *kref) +{ + struct ocxl_context *ctx = container_of(kref, struct ocxl_context, + kref); + + mutex_lock(&ctx->afu->contexts_lock); + ctx->afu->pasid_count--; + idr_remove(&ctx->afu->contexts_idr, ctx->pasid); + mutex_unlock(&ctx->afu->contexts_lock); + + ocxl_afu_irq_free_all(ctx); + idr_destroy(&ctx->irq_idr); + /* reference to the AFU taken in ocxl_context_alloc() */ + ocxl_afu_put(ctx->afu); + kfree(ctx); +} + +/** + * ocxl_context_put() - Release a reference to the context + * @ctx: The context + * + * Decrements the reference count. When it reaches zero, the context is freed. + */ +void ocxl_context_put(struct ocxl_context *ctx) +{ + kref_put(&ctx->kref, ocxl_context_release); +} +EXPORT_SYMBOL_GPL(ocxl_context_put); + /* * Callback for when a translation fault triggers an error * data: a pointer to the context which triggered the fault @@ -279,18 +333,3 @@ void ocxl_context_detach_all(struct ocxl_afu *afu) } mutex_unlock(&afu->contexts_lock); } - -void ocxl_context_free(struct ocxl_context *ctx) -{ - mutex_lock(&ctx->afu->contexts_lock); - ctx->afu->pasid_count--; - idr_remove(&ctx->afu->contexts_idr, ctx->pasid); - mutex_unlock(&ctx->afu->contexts_lock); - - ocxl_afu_irq_free_all(ctx); - idr_destroy(&ctx->irq_idr); - /* reference to the AFU taken in ocxl_context_alloc() */ - ocxl_afu_put(ctx->afu); - kfree(ctx); -} -EXPORT_SYMBOL_GPL(ocxl_context_free); diff --git a/drivers/misc/ocxl/file.c b/drivers/misc/ocxl/file.c index 7eb74711ac96..c08724e7ff1e 100644 --- a/drivers/misc/ocxl/file.c +++ b/drivers/misc/ocxl/file.c @@ -204,17 +204,21 @@ static long afu_ioctl(struct file *file, unsigned int cmd, int irq_id; u64 irq_offset; long rc; - bool closed; - - pr_debug("%s for context %d, command %s\n", __func__, ctx->pasid, - CMD_STR(cmd)); + /* + * Hold a reference to the context for the duration of this operation. + * We check the status and acquire the reference atomically under the + * status_mutex to ensure the context remains valid. + */ mutex_lock(&ctx->status_mutex); - closed = (ctx->status == CLOSED); + if (!ocxl_context_get(ctx)) { + mutex_unlock(&ctx->status_mutex); + return -EIO; + } mutex_unlock(&ctx->status_mutex); - if (closed) - return -EIO; + pr_debug("%s for context %d, command %s\n", __func__, ctx->pasid, + CMD_STR(cmd)); switch (cmd) { case OCXL_IOCTL_ATTACH: @@ -230,7 +234,7 @@ static long afu_ioctl(struct file *file, unsigned int cmd, sizeof(irq_offset)); if (rc) { ocxl_afu_irq_free(ctx, irq_id); - return -EFAULT; + rc = -EFAULT; } } break; @@ -238,8 +242,10 @@ static long afu_ioctl(struct file *file, unsigned int cmd, case OCXL_IOCTL_IRQ_FREE: rc = copy_from_user(&irq_offset, (u64 __user *) args, sizeof(irq_offset)); - if (rc) - return -EFAULT; + if (rc) { + rc = -EFAULT; + break; + } irq_id = ocxl_irq_offset_to_id(ctx, irq_offset); rc = ocxl_afu_irq_free(ctx, irq_id); break; @@ -247,14 +253,20 @@ static long afu_ioctl(struct file *file, unsigned int cmd, case OCXL_IOCTL_IRQ_SET_FD: rc = copy_from_user(&irq_fd, (u64 __user *) args, sizeof(irq_fd)); - if (rc) - return -EFAULT; - if (irq_fd.reserved) - return -EINVAL; + if (rc) { + rc = -EFAULT; + break; + } + if (irq_fd.reserved) { + rc = -EINVAL; + break; + } irq_id = ocxl_irq_offset_to_id(ctx, irq_fd.irq_offset); ev_ctx = eventfd_ctx_fdget(irq_fd.eventfd); - if (IS_ERR(ev_ctx)) - return PTR_ERR(ev_ctx); + if (IS_ERR(ev_ctx)) { + rc = PTR_ERR(ev_ctx); + break; + } rc = ocxl_irq_set_handler(ctx, irq_id, irq_handler, irq_free, ev_ctx); if (rc) eventfd_ctx_put(ev_ctx); @@ -280,6 +292,8 @@ static long afu_ioctl(struct file *file, unsigned int cmd, default: rc = -EINVAL; } + + ocxl_context_put(ctx); return rc; } @@ -292,9 +306,23 @@ static long afu_compat_ioctl(struct file *file, unsigned int cmd, static int afu_mmap(struct file *file, struct vm_area_struct *vma) { struct ocxl_context *ctx = file->private_data; + int rc; + + /* + * Hold a reference during mmap setup to ensure the context + * remains valid. + */ + mutex_lock(&ctx->status_mutex); + if (!ocxl_context_get(ctx)) { + mutex_unlock(&ctx->status_mutex); + return -EIO; + } + mutex_unlock(&ctx->status_mutex); pr_debug("%s for context %d\n", __func__, ctx->pasid); - return ocxl_context_mmap(ctx, vma); + rc = ocxl_context_mmap(ctx, vma); + ocxl_context_put(ctx); + return rc; } static bool has_xsl_error(struct ocxl_context *ctx) @@ -324,21 +352,31 @@ static unsigned int afu_poll(struct file *file, struct poll_table_struct *wait) { struct ocxl_context *ctx = file->private_data; unsigned int mask = 0; - bool closed; + + /* + * Hold a reference to the context while checking for events. + */ + mutex_lock(&ctx->status_mutex); + if (!ocxl_context_get(ctx)) { + mutex_unlock(&ctx->status_mutex); + return EPOLLERR; + } + mutex_unlock(&ctx->status_mutex); pr_debug("%s for context %d\n", __func__, ctx->pasid); poll_wait(file, &ctx->events_wq, wait); - mutex_lock(&ctx->status_mutex); - closed = (ctx->status == CLOSED); - mutex_unlock(&ctx->status_mutex); - if (afu_events_pending(ctx)) mask = EPOLLIN | EPOLLRDNORM; - else if (closed) - mask = EPOLLERR; + else { + mutex_lock(&ctx->status_mutex); + if (ctx->status == CLOSED) + mask = EPOLLERR; + mutex_unlock(&ctx->status_mutex); + } + ocxl_context_put(ctx); return mask; } @@ -410,6 +448,16 @@ static ssize_t afu_read(struct file *file, char __user *buf, size_t count, AFU_EVENT_BODY_MAX_SIZE)) return -EINVAL; + /* + * Hold a reference to the context for the duration of the read operation. + */ + mutex_lock(&ctx->status_mutex); + if (!ocxl_context_get(ctx)) { + mutex_unlock(&ctx->status_mutex); + return -EIO; + } + mutex_unlock(&ctx->status_mutex); + for (;;) { prepare_to_wait(&ctx->events_wq, &event_wait, TASK_INTERRUPTIBLE); @@ -422,11 +470,13 @@ static ssize_t afu_read(struct file *file, char __user *buf, size_t count, if (file->f_flags & O_NONBLOCK) { finish_wait(&ctx->events_wq, &event_wait); + ocxl_context_put(ctx); return -EAGAIN; } if (signal_pending(current)) { finish_wait(&ctx->events_wq, &event_wait); + ocxl_context_put(ctx); return -ERESTARTSYS; } @@ -437,19 +487,24 @@ static ssize_t afu_read(struct file *file, char __user *buf, size_t count, if (has_xsl_error(ctx)) { used = append_xsl_error(ctx, &header, buf + sizeof(header)); - if (used < 0) + if (used < 0) { + ocxl_context_put(ctx); return used; + } } if (!afu_events_pending(ctx)) header.flags |= OCXL_KERNEL_EVENT_FLAG_LAST; - if (copy_to_user(buf, &header, sizeof(header))) + if (copy_to_user(buf, &header, sizeof(header))) { + ocxl_context_put(ctx); return -EFAULT; + } used += sizeof(header); rc = used; + ocxl_context_put(ctx); return rc; } @@ -464,8 +519,12 @@ static int afu_release(struct inode *inode, struct file *file) ctx->mapping = NULL; mutex_unlock(&ctx->mapping_lock); wake_up_all(&ctx->events_wq); + /* + * Drop the initial reference from afu_open(). The context will be + * freed when all references are released. + */ if (rc != -EBUSY) - ocxl_context_free(ctx); + ocxl_context_put(ctx); return 0; } diff --git a/drivers/misc/ocxl/ocxl_internal.h b/drivers/misc/ocxl/ocxl_internal.h index d2028d6c6f08..6eab7806b43d 100644 --- a/drivers/misc/ocxl/ocxl_internal.h +++ b/drivers/misc/ocxl/ocxl_internal.h @@ -5,6 +5,7 @@ #include <linux/pci.h> #include <linux/cdev.h> +#include <linux/kref.h> #include <linux/list.h> #include <misc/ocxl.h> @@ -68,6 +69,7 @@ struct ocxl_xsl_error { }; struct ocxl_context { + struct kref kref; struct ocxl_afu *afu; int pasid; struct mutex status_mutex; @@ -140,6 +142,8 @@ int ocxl_link_update_pe(void *link_handle, int pasid, __u16 tid); int ocxl_context_mmap(struct ocxl_context *ctx, struct vm_area_struct *vma); +bool ocxl_context_get(struct ocxl_context *ctx); +void ocxl_context_put(struct ocxl_context *ctx); void ocxl_context_detach_all(struct ocxl_afu *afu); int ocxl_sysfs_register_afu(struct ocxl_file_info *info); -- 2.34.1

3 weeks, 2 days

1
0
0 0

[PATCH 5.10/5.15/6.1/6.6] net: stmmac: make sure that ptp_rate is not 0 before configuring EST

by Vasiliy Kovalev

From: Alexis Lothoré <alexis.lothore(a)bootlin.com> commit cbefe2ffa7784525ec5d008ba87c7add19ec631a upstream. If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0. Prevent this division by 0 by adding the corresponding check and error code. Suggested-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Signed-off-by: Alexis Lothoré <alexis.lothore(a)bootlin.com> Fixes: 8572aec3d0dc ("net: stmmac: Add basic EST support for XGMAC") Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-2-d73340a794d5@bootl… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ kovalev: bp to fix CVE-2025-38125; replaced netdev_warn with pr_warn due to missing dev pointer ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/net/ethernet/stmicro/stmmac/dwmac5.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c index 8fd167501fa0..4df62268f852 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c @@ -597,6 +597,11 @@ int dwmac5_est_configure(void __iomem *ioaddr, struct stmmac_est *cfg, int i, ret = 0x0; u32 ctrl; + if (!ptp_rate) { + pr_warn("%s: Invalid PTP rate\n", __func__); + return -EINVAL; + } + ret |= dwmac5_est_write(ioaddr, BTR_LOW, cfg->btr[0], false); ret |= dwmac5_est_write(ioaddr, BTR_HIGH, cfg->btr[1], false); ret |= dwmac5_est_write(ioaddr, TER, cfg->ter, false); -- 2.50.1

3 weeks, 2 days

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror