- Linux-stable-mirror - lists.linaro.org

[PATCH v7 2/3] PCI: dwc: Skip PME_Turn_Off message if there is no endpoint connected

by Richard Zhu

A chip freeze is observed on i.MX7D when PCIe RC kicks off the PM_PME message and no devices are connected on the port. To work aroud such kind of issue, skip PME_Turn_Off message if there is no endpoint connected. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 09b50a5ce19bb..a4d9838bc33f0 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1136,12 +1136,15 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) if (dw_pcie_readw_dbi(pci, offset + PCI_EXP_LNKCTL) & PCI_EXP_LNKCTL_ASPM_L1) return 0; - if (pci->pp.ops->pme_turn_off) { - pci->pp.ops->pme_turn_off(&pci->pp); - } else { - ret = dw_pcie_pme_turn_off(pci); - if (ret) - return ret; + /* Skip PME_Turn_Off message if there is no endpoint connected */ + if (dw_pcie_get_ltssm(pci) > DW_PCIE_LTSSM_DETECT_WAIT) { + if (pci->pp.ops->pme_turn_off) { + pci->pp.ops->pme_turn_off(&pci->pp); + } else { + ret = dw_pcie_pme_turn_off(pci); + if (ret) + return ret; + } } if (dwc_quirk(pci, QUIRK_NOL2POLL_IN_PM)) { -- 2.37.1

3 weeks, 4 days

1
0
0 0

[PATCH v7 1/3] PCI: dwc: Don't poll L2 if QUIRK_NOL2POLL_IN_PM is existing in suspend

by Richard Zhu

Refer to PCIe r6.0, sec 5.2, fig 5-1 Link Power Management State Flow Diagram. Both L0 and L2/L3 Ready can be transferred to LDn directly. It's harmless to let dw_pcie_suspend_noirq() proceed suspend after the PME_Turn_Off is sent out, whatever the LTSSM state is in L2 or L3 after a recommended 10ms max wait refer to PCIe r6.0, sec 5.3.3.2.1 PME Synchronization. The LTSSM states are inaccessible on i.MX6QP and i.MX7D after the PME_Turn_Off is sent out. To support this case, don't poll L2 state and apply a simple delay of PCIE_PME_TO_L2_TIMEOUT_US(10ms) if the QUIRK_NOL2POLL_IN_PM flag is set in suspend. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pci-imx6.c | 4 +++ .../pci/controller/dwc/pcie-designware-host.c | 34 +++++++++++++------ drivers/pci/controller/dwc/pcie-designware.h | 4 +++ 3 files changed, 32 insertions(+), 10 deletions(-) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index 4668fc9648bff..d84bfcd1079ce 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -125,6 +125,7 @@ struct imx_pcie_drvdata { enum imx_pcie_variants variant; enum dw_pcie_device_mode mode; u32 flags; + u32 quirk; int dbi_length; const char *gpr; const u32 ltssm_off; @@ -1765,6 +1766,7 @@ static int imx_pcie_probe(struct platform_device *pdev) if (ret) return ret; + pci->quirk_flag = imx_pcie->drvdata->quirk; pci->use_parent_dt_ranges = true; if (imx_pcie->drvdata->mode == DW_PCIE_EP_TYPE) { ret = imx_add_pcie_ep(imx_pcie, pdev); @@ -1849,6 +1851,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .enable_ref_clk = imx6q_pcie_enable_ref_clk, .core_reset = imx6qp_pcie_core_reset, .ops = &imx_pcie_host_ops, + .quirk = QUIRK_NOL2POLL_IN_PM, }, [IMX7D] = { .variant = IMX7D, @@ -1860,6 +1863,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .mode_mask[0] = IMX6Q_GPR12_DEVICE_TYPE, .enable_ref_clk = imx7d_pcie_enable_ref_clk, .core_reset = imx7d_pcie_core_reset, + .quirk = QUIRK_NOL2POLL_IN_PM, }, [IMX8MQ] = { .variant = IMX8MQ, diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 20c9333bcb1c4..09b50a5ce19bb 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1144,15 +1144,29 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) return ret; } - ret = read_poll_timeout(dw_pcie_get_ltssm, val, - val == DW_PCIE_LTSSM_L2_IDLE || - val <= DW_PCIE_LTSSM_DETECT_WAIT, - PCIE_PME_TO_L2_TIMEOUT_US/10, - PCIE_PME_TO_L2_TIMEOUT_US, false, pci); - if (ret) { - /* Only log message when LTSSM isn't in DETECT or POLL */ - dev_err(pci->dev, "Timeout waiting for L2 entry! LTSSM: 0x%x\n", val); - return ret; + if (dwc_quirk(pci, QUIRK_NOL2POLL_IN_PM)) { + /* + * Add the QUIRK_NOL2_POLL_IN_PM case to avoid the read hang, + * when LTSSM is not powered in L2/L3/LDn properly. + * + * Refer to PCIe r6.0, sec 5.2, fig 5-1 Link Power Management + * State Flow Diagram. Both L0 and L2/L3 Ready can be + * transferred to LDn directly. On the LTSSM states poll broken + * platforms, add a max 10ms delay refer to PCIe r6.0, + * sec 5.3.3.2.1 PME Synchronization. + */ + mdelay(PCIE_PME_TO_L2_TIMEOUT_US/1000); + } else { + ret = read_poll_timeout(dw_pcie_get_ltssm, val, + val == DW_PCIE_LTSSM_L2_IDLE || + val <= DW_PCIE_LTSSM_DETECT_WAIT, + PCIE_PME_TO_L2_TIMEOUT_US/10, + PCIE_PME_TO_L2_TIMEOUT_US, false, pci); + if (ret) { + /* Only log message when LTSSM isn't in DETECT or POLL */ + dev_err(pci->dev, "Timeout waiting for L2 entry! LTSSM: 0x%x\n", val); + return ret; + } } /* @@ -1168,7 +1182,7 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) pci->suspended = true; - return ret; + return 0; } EXPORT_SYMBOL_GPL(dw_pcie_suspend_noirq); diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h index e995f692a1ecd..1fdaed1562b7a 100644 --- a/drivers/pci/controller/dwc/pcie-designware.h +++ b/drivers/pci/controller/dwc/pcie-designware.h @@ -297,6 +297,9 @@ /* Default eDMA LLP memory size */ #define DMA_LLP_MEM_SIZE PAGE_SIZE +#define QUIRK_NOL2POLL_IN_PM BIT(0) +#define dwc_quirk(pci, val) (pci->quirk_flag & val) + struct dw_pcie; struct dw_pcie_rp; struct dw_pcie_ep; @@ -511,6 +514,7 @@ struct dw_pcie { const struct dw_pcie_ops *ops; u32 version; u32 type; + u32 quirk_flag; unsigned long caps; int num_lanes; int max_link_speed; -- 2.37.1

3 weeks, 4 days

1
0
0 0

[STATUS] stable/linux-6.12.y - 4fc43debf5047d2469bdef3b25c02121afa7ef3d

by KernelCI bot

Hello, Status summary for stable/linux-6.12.y Dashboard: https://d.kernelci.org/c/stable/linux-6.12.y/4fc43debf5047d2469bdef3b25c021… giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git branch: linux-6.12.y commit hash: 4fc43debf5047d2469bdef3b25c02121afa7ef3d origin: maestro test start time: 2025-10-23 14:29:15.692000+00:00 Builds: 37 ✅ 0 ❌ 0 ⚠️ Boots: 169 ✅ 0 ❌ 0 ⚠️ Tests: 9431 ✅ 5597 ❌ 2428 ⚠️ ### POSSIBLE REGRESSIONS Hardware: acer-chromebox-cxi4-puff > Config: x86_64_defconfig+lab-setup+x86-board+kselftest - Architecture/compiler: x86_64/gcc-12 - kselftest.cpufreq.hibernate last run: https://d.kernelci.org/test/maestro:68fa48db8a79c348aff82bf9 history: > ✅ > ❌ - kselftest.cpufreq.hibernate.cpufreq_main_sh last run: https://d.kernelci.org/test/maestro:68fa4b9c8a79c348aff83bce history: > ✅ > ❌ Hardware: k3-am625-verdin-wifi-mallow > Config: defconfig+lab-setup+kselftest - Architecture/compiler: arm64/gcc-12 - kselftest.device_error_logs last run: https://d.kernelci.org/test/maestro:68fa9d408a79c348aff8def7 history: > ✅ > ❌ > ❌ ### FIXED REGRESSIONS Hardware: dell-latitude-5400-8665U-sarien > Config: x86_64_defconfig+lab-setup+x86-board+kselftest - Architecture/compiler: x86_64/gcc-12 - kselftest.cpufreq.suspend last run: https://d.kernelci.org/test/maestro:68fa48e58a79c348aff82c7d history: > ❌ > ✅ - kselftest.cpufreq.suspend.cpufreq_main_sh last run: https://d.kernelci.org/test/maestro:68fa4c6c8a79c348aff8427e history: > ❌ > ✅ Hardware: hp-x360-14-G1-sona > Config: x86_64_defconfig+lab-setup+x86-board+kselftest - Architecture/compiler: x86_64/gcc-12 - kselftest.iommu last run: https://d.kernelci.org/test/maestro:68fa48fe8a79c348aff82d62 history: > ❌ > ❌ > ✅ ### UNSTABLE TESTS No unstable tests observed. Sent every day if there were changes in the past 24 hours. Legend: ✅ PASS ❌ FAIL ⚠️ INCONCLUSIVE -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 weeks, 4 days

1
0
0 0

[STATUS] stable/linux-6.6.y - 4a243110dc884d8e1fe69eecbc2daef10d8e75d7

by KernelCI bot

Hello, Status summary for stable/linux-6.6.y Dashboard: https://d.kernelci.org/c/stable/linux-6.6.y/4a243110dc884d8e1fe69eecbc2daef… giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git branch: linux-6.6.y commit hash: 4a243110dc884d8e1fe69eecbc2daef10d8e75d7 origin: maestro test start time: 2025-10-23 14:29:15.250000+00:00 Builds: 38 ✅ 0 ❌ 0 ⚠️ Boots: 87 ✅ 0 ❌ 0 ⚠️ Tests: 3955 ✅ 1454 ❌ 1053 ⚠️ ### POSSIBLE REGRESSIONS Hardware: bcm2837-rpi-3-b-plus > Config: defconfig+lab-setup+kselftest - Architecture/compiler: arm64/gcc-12 - kselftest.ptrace last run: https://d.kernelci.org/test/maestro:68fa5f798a79c348aff889c4 history: > ✅ > ❌ > ❌ ### FIXED REGRESSIONS No fixed regressions observed. ### UNSTABLE TESTS No unstable tests observed. Sent every day if there were changes in the past 24 hours. Legend: ✅ PASS ❌ FAIL ⚠️ INCONCLUSIVE -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 weeks, 4 days

1
0
0 0

[PATCH 5.10.y] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping

by Vasiliy Kovalev

From: Alexis Lothoré <alexis.lothore(a)bootlin.com> commit 030ce919e114a111e83b7976ecb3597cefd33f26 upstream. The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0: Division by zero in kernel. CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22 Hardware name: STM32 (Device Tree Support) Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x6c/0x8c dump_stack_lvl from Ldiv0_64+0x8/0x18 Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4 stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c stmmac_hw_setup from __stmmac_open+0x18c/0x434 __stmmac_open from stmmac_open+0x3c/0xbc stmmac_open from __dev_open+0xf4/0x1ac __dev_open from __dev_change_flags+0x1cc/0x224 __dev_change_flags from dev_change_flags+0x24/0x60 dev_change_flags from ip_auto_config+0x2e8/0x11a0 ip_auto_config from do_one_initcall+0x84/0x33c do_one_initcall from kernel_init_freeable+0x1b8/0x214 kernel_init_freeable from kernel_init+0x24/0x140 kernel_init from ret_from_fork+0x14/0x28 Exception stack(0xe0815fb0 to 0xe0815ff8) Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.") Signed-off-by: Alexis Lothoré <alexis.lothore(a)bootlin.com> Reviewed-by: Yanteng Si <si.yanteng(a)linux.dev> Reviewed-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootl… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ kovalev: bp to fix CVE-2025-38126; the duplicate check removal in stmmac_ptp_register was skipped (function not present) ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index b8581a711514..d793bcb1b444 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -742,6 +742,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags) if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) return -EOPNOTSUPP; + if (!priv->plat->clk_ptp_rate) { + netdev_err(priv->dev, "Invalid PTP clock rate"); + return -EINVAL; + } + stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags); priv->systime_flags = systime_flags; -- 2.50.1

3 weeks, 4 days

1
0
0 0

[PATCH 5.15.y] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping

by Vasiliy Kovalev

From: Alexis Lothoré <alexis.lothore(a)bootlin.com> commit 030ce919e114a111e83b7976ecb3597cefd33f26 upstream. The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0: Division by zero in kernel. CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22 Hardware name: STM32 (Device Tree Support) Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x6c/0x8c dump_stack_lvl from Ldiv0_64+0x8/0x18 Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4 stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c stmmac_hw_setup from __stmmac_open+0x18c/0x434 __stmmac_open from stmmac_open+0x3c/0xbc stmmac_open from __dev_open+0xf4/0x1ac __dev_open from __dev_change_flags+0x1cc/0x224 __dev_change_flags from dev_change_flags+0x24/0x60 dev_change_flags from ip_auto_config+0x2e8/0x11a0 ip_auto_config from do_one_initcall+0x84/0x33c do_one_initcall from kernel_init_freeable+0x1b8/0x214 kernel_init_freeable from kernel_init+0x24/0x140 kernel_init from ret_from_fork+0x14/0x28 Exception stack(0xe0815fb0 to 0xe0815ff8) Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.") Signed-off-by: Alexis Lothoré <alexis.lothore(a)bootlin.com> Reviewed-by: Yanteng Si <si.yanteng(a)linux.dev> Reviewed-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootl… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ kovalev: bp to fix CVE-2025-38126 ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index 21cc8cd9e023..468aeedf22eb 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -522,7 +522,7 @@ bool stmmac_eee_init(struct stmmac_priv *priv) static inline u32 stmmac_cdc_adjust(struct stmmac_priv *priv) { /* Correct the clk domain crossing(CDC) error */ - if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate) + if (priv->plat->has_gmac4) return (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate; return 0; } @@ -848,6 +848,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags) if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) return -EOPNOTSUPP; + if (!priv->plat->clk_ptp_rate) { + netdev_err(priv->dev, "Invalid PTP clock rate"); + return -EINVAL; + } + stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags); priv->systime_flags = systime_flags; -- 2.50.1

3 weeks, 4 days

1
0
0 0

[PATCH net v2] virtio-net: drop the multi-buffer XDP packet in zerocopy

by Bui Quang Minh

In virtio-net, we have not yet supported multi-buffer XDP packet in zerocopy mode when there is a binding XDP program. However, in that case, when receiving multi-buffer XDP packet, we skip the XDP program and return XDP_PASS. As a result, the packet is passed to normal network stack which is an incorrect behavior (e.g. a XDP program for packet count is installed, multi-buffer XDP packet arrives and does go through XDP program. As a result, the packet count does not increase but the packet is still received from network stack).This commit instead returns XDP_ABORTED in that case. Fixes: 99c861b44eb1 ("virtio_net: xsk: rx: support recv merge mode") Cc: stable(a)vger.kernel.org Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> Signed-off-by: Bui Quang Minh <minhquangbui99(a)gmail.com> --- Changes in v2: - Return XDP_ABORTED instead of XDP_DROP, make clearer explanation in commit message --- drivers/net/virtio_net.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..8e8a179aaa49 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -1379,9 +1379,14 @@ static struct sk_buff *virtnet_receive_xsk_merge(struct net_device *dev, struct ret = XDP_PASS; rcu_read_lock(); prog = rcu_dereference(rq->xdp_prog); - /* TODO: support multi buffer. */ - if (prog && num_buf == 1) - ret = virtnet_xdp_handler(prog, xdp, dev, xdp_xmit, stats); + if (prog) { + /* TODO: support multi buffer. */ + if (num_buf == 1) + ret = virtnet_xdp_handler(prog, xdp, dev, xdp_xmit, + stats); + else + ret = XDP_ABORTED; + } rcu_read_unlock(); switch (ret) { -- 2.43.0

3 weeks, 4 days

2
1
0 0

[PATCH] ocxl: Fix race leading to use-after-free in file operations

by Yuhao Jiang

The file operations dereference the context pointer after checking status under ctx->status_mutex, then drop the lock before using the context. This allows afu_release() running on another CPU to free the context, leading to a use-after-free vulnerability. The race window exists in afu_ioctl(), afu_mmap(), afu_poll() and afu_read() between the status check and context usage. During device hot-unplug or rapid open/close cycles, this causes kernel crashes. Introduce reference counting via kref to prevent premature free. ocxl_context_get() atomically checks status and acquires a reference under status_mutex. File operations hold this reference for their duration, ensuring the context remains valid even if another thread calls afu_release(). ocxl_context_alloc() initializes refcount to 1 for the file's lifetime. afu_release() drops this reference, with the context freed when the last reference goes away. Preserve existing -EBUSY behavior where the context intentionally leaks on detach timeout. Reported-by: Yuhao Jiang <danisjiang(a)gmail.com> Fixes: 5ef3166e8a32 ("ocxl: Driver code for 'generic' opencapi devices") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- drivers/misc/ocxl/context.c | 69 ++++++++++++++---- drivers/misc/ocxl/file.c | 113 +++++++++++++++++++++++------- drivers/misc/ocxl/ocxl_internal.h | 4 ++ 3 files changed, 144 insertions(+), 42 deletions(-) diff --git a/drivers/misc/ocxl/context.c b/drivers/misc/ocxl/context.c index cded7d1caf32..e154adc972a5 100644 --- a/drivers/misc/ocxl/context.c +++ b/drivers/misc/ocxl/context.c @@ -28,6 +28,7 @@ int ocxl_context_alloc(struct ocxl_context **context, struct ocxl_afu *afu, ctx->pasid = pasid; ctx->status = OPENED; + kref_init(&ctx->kref); mutex_init(&ctx->status_mutex); ctx->mapping = mapping; mutex_init(&ctx->mapping_lock); @@ -47,6 +48,59 @@ int ocxl_context_alloc(struct ocxl_context **context, struct ocxl_afu *afu, } EXPORT_SYMBOL_GPL(ocxl_context_alloc); +/** + * ocxl_context_get() - Get a reference to the context if not closed + * @ctx: The context + * + * Atomically checks if context status is not CLOSED and acquires a reference. + * Must be called with ctx->status_mutex held. + * + * Return: true if reference acquired, false if context is CLOSED + */ +bool ocxl_context_get(struct ocxl_context *ctx) +{ + lockdep_assert_held(&ctx->status_mutex); + + if (ctx->status == CLOSED) + return false; + + kref_get(&ctx->kref); + return true; +} +EXPORT_SYMBOL_GPL(ocxl_context_get); + +/* + * kref release callback - called when last reference is dropped + */ +static void ocxl_context_release(struct kref *kref) +{ + struct ocxl_context *ctx = container_of(kref, struct ocxl_context, + kref); + + mutex_lock(&ctx->afu->contexts_lock); + ctx->afu->pasid_count--; + idr_remove(&ctx->afu->contexts_idr, ctx->pasid); + mutex_unlock(&ctx->afu->contexts_lock); + + ocxl_afu_irq_free_all(ctx); + idr_destroy(&ctx->irq_idr); + /* reference to the AFU taken in ocxl_context_alloc() */ + ocxl_afu_put(ctx->afu); + kfree(ctx); +} + +/** + * ocxl_context_put() - Release a reference to the context + * @ctx: The context + * + * Decrements the reference count. When it reaches zero, the context is freed. + */ +void ocxl_context_put(struct ocxl_context *ctx) +{ + kref_put(&ctx->kref, ocxl_context_release); +} +EXPORT_SYMBOL_GPL(ocxl_context_put); + /* * Callback for when a translation fault triggers an error * data: a pointer to the context which triggered the fault @@ -279,18 +333,3 @@ void ocxl_context_detach_all(struct ocxl_afu *afu) } mutex_unlock(&afu->contexts_lock); } - -void ocxl_context_free(struct ocxl_context *ctx) -{ - mutex_lock(&ctx->afu->contexts_lock); - ctx->afu->pasid_count--; - idr_remove(&ctx->afu->contexts_idr, ctx->pasid); - mutex_unlock(&ctx->afu->contexts_lock); - - ocxl_afu_irq_free_all(ctx); - idr_destroy(&ctx->irq_idr); - /* reference to the AFU taken in ocxl_context_alloc() */ - ocxl_afu_put(ctx->afu); - kfree(ctx); -} -EXPORT_SYMBOL_GPL(ocxl_context_free); diff --git a/drivers/misc/ocxl/file.c b/drivers/misc/ocxl/file.c index 7eb74711ac96..c08724e7ff1e 100644 --- a/drivers/misc/ocxl/file.c +++ b/drivers/misc/ocxl/file.c @@ -204,17 +204,21 @@ static long afu_ioctl(struct file *file, unsigned int cmd, int irq_id; u64 irq_offset; long rc; - bool closed; - - pr_debug("%s for context %d, command %s\n", __func__, ctx->pasid, - CMD_STR(cmd)); + /* + * Hold a reference to the context for the duration of this operation. + * We check the status and acquire the reference atomically under the + * status_mutex to ensure the context remains valid. + */ mutex_lock(&ctx->status_mutex); - closed = (ctx->status == CLOSED); + if (!ocxl_context_get(ctx)) { + mutex_unlock(&ctx->status_mutex); + return -EIO; + } mutex_unlock(&ctx->status_mutex); - if (closed) - return -EIO; + pr_debug("%s for context %d, command %s\n", __func__, ctx->pasid, + CMD_STR(cmd)); switch (cmd) { case OCXL_IOCTL_ATTACH: @@ -230,7 +234,7 @@ static long afu_ioctl(struct file *file, unsigned int cmd, sizeof(irq_offset)); if (rc) { ocxl_afu_irq_free(ctx, irq_id); - return -EFAULT; + rc = -EFAULT; } } break; @@ -238,8 +242,10 @@ static long afu_ioctl(struct file *file, unsigned int cmd, case OCXL_IOCTL_IRQ_FREE: rc = copy_from_user(&irq_offset, (u64 __user *) args, sizeof(irq_offset)); - if (rc) - return -EFAULT; + if (rc) { + rc = -EFAULT; + break; + } irq_id = ocxl_irq_offset_to_id(ctx, irq_offset); rc = ocxl_afu_irq_free(ctx, irq_id); break; @@ -247,14 +253,20 @@ static long afu_ioctl(struct file *file, unsigned int cmd, case OCXL_IOCTL_IRQ_SET_FD: rc = copy_from_user(&irq_fd, (u64 __user *) args, sizeof(irq_fd)); - if (rc) - return -EFAULT; - if (irq_fd.reserved) - return -EINVAL; + if (rc) { + rc = -EFAULT; + break; + } + if (irq_fd.reserved) { + rc = -EINVAL; + break; + } irq_id = ocxl_irq_offset_to_id(ctx, irq_fd.irq_offset); ev_ctx = eventfd_ctx_fdget(irq_fd.eventfd); - if (IS_ERR(ev_ctx)) - return PTR_ERR(ev_ctx); + if (IS_ERR(ev_ctx)) { + rc = PTR_ERR(ev_ctx); + break; + } rc = ocxl_irq_set_handler(ctx, irq_id, irq_handler, irq_free, ev_ctx); if (rc) eventfd_ctx_put(ev_ctx); @@ -280,6 +292,8 @@ static long afu_ioctl(struct file *file, unsigned int cmd, default: rc = -EINVAL; } + + ocxl_context_put(ctx); return rc; } @@ -292,9 +306,23 @@ static long afu_compat_ioctl(struct file *file, unsigned int cmd, static int afu_mmap(struct file *file, struct vm_area_struct *vma) { struct ocxl_context *ctx = file->private_data; + int rc; + + /* + * Hold a reference during mmap setup to ensure the context + * remains valid. + */ + mutex_lock(&ctx->status_mutex); + if (!ocxl_context_get(ctx)) { + mutex_unlock(&ctx->status_mutex); + return -EIO; + } + mutex_unlock(&ctx->status_mutex); pr_debug("%s for context %d\n", __func__, ctx->pasid); - return ocxl_context_mmap(ctx, vma); + rc = ocxl_context_mmap(ctx, vma); + ocxl_context_put(ctx); + return rc; } static bool has_xsl_error(struct ocxl_context *ctx) @@ -324,21 +352,31 @@ static unsigned int afu_poll(struct file *file, struct poll_table_struct *wait) { struct ocxl_context *ctx = file->private_data; unsigned int mask = 0; - bool closed; + + /* + * Hold a reference to the context while checking for events. + */ + mutex_lock(&ctx->status_mutex); + if (!ocxl_context_get(ctx)) { + mutex_unlock(&ctx->status_mutex); + return EPOLLERR; + } + mutex_unlock(&ctx->status_mutex); pr_debug("%s for context %d\n", __func__, ctx->pasid); poll_wait(file, &ctx->events_wq, wait); - mutex_lock(&ctx->status_mutex); - closed = (ctx->status == CLOSED); - mutex_unlock(&ctx->status_mutex); - if (afu_events_pending(ctx)) mask = EPOLLIN | EPOLLRDNORM; - else if (closed) - mask = EPOLLERR; + else { + mutex_lock(&ctx->status_mutex); + if (ctx->status == CLOSED) + mask = EPOLLERR; + mutex_unlock(&ctx->status_mutex); + } + ocxl_context_put(ctx); return mask; } @@ -410,6 +448,16 @@ static ssize_t afu_read(struct file *file, char __user *buf, size_t count, AFU_EVENT_BODY_MAX_SIZE)) return -EINVAL; + /* + * Hold a reference to the context for the duration of the read operation. + */ + mutex_lock(&ctx->status_mutex); + if (!ocxl_context_get(ctx)) { + mutex_unlock(&ctx->status_mutex); + return -EIO; + } + mutex_unlock(&ctx->status_mutex); + for (;;) { prepare_to_wait(&ctx->events_wq, &event_wait, TASK_INTERRUPTIBLE); @@ -422,11 +470,13 @@ static ssize_t afu_read(struct file *file, char __user *buf, size_t count, if (file->f_flags & O_NONBLOCK) { finish_wait(&ctx->events_wq, &event_wait); + ocxl_context_put(ctx); return -EAGAIN; } if (signal_pending(current)) { finish_wait(&ctx->events_wq, &event_wait); + ocxl_context_put(ctx); return -ERESTARTSYS; } @@ -437,19 +487,24 @@ static ssize_t afu_read(struct file *file, char __user *buf, size_t count, if (has_xsl_error(ctx)) { used = append_xsl_error(ctx, &header, buf + sizeof(header)); - if (used < 0) + if (used < 0) { + ocxl_context_put(ctx); return used; + } } if (!afu_events_pending(ctx)) header.flags |= OCXL_KERNEL_EVENT_FLAG_LAST; - if (copy_to_user(buf, &header, sizeof(header))) + if (copy_to_user(buf, &header, sizeof(header))) { + ocxl_context_put(ctx); return -EFAULT; + } used += sizeof(header); rc = used; + ocxl_context_put(ctx); return rc; } @@ -464,8 +519,12 @@ static int afu_release(struct inode *inode, struct file *file) ctx->mapping = NULL; mutex_unlock(&ctx->mapping_lock); wake_up_all(&ctx->events_wq); + /* + * Drop the initial reference from afu_open(). The context will be + * freed when all references are released. + */ if (rc != -EBUSY) - ocxl_context_free(ctx); + ocxl_context_put(ctx); return 0; } diff --git a/drivers/misc/ocxl/ocxl_internal.h b/drivers/misc/ocxl/ocxl_internal.h index d2028d6c6f08..6eab7806b43d 100644 --- a/drivers/misc/ocxl/ocxl_internal.h +++ b/drivers/misc/ocxl/ocxl_internal.h @@ -5,6 +5,7 @@ #include <linux/pci.h> #include <linux/cdev.h> +#include <linux/kref.h> #include <linux/list.h> #include <misc/ocxl.h> @@ -68,6 +69,7 @@ struct ocxl_xsl_error { }; struct ocxl_context { + struct kref kref; struct ocxl_afu *afu; int pasid; struct mutex status_mutex; @@ -140,6 +142,8 @@ int ocxl_link_update_pe(void *link_handle, int pasid, __u16 tid); int ocxl_context_mmap(struct ocxl_context *ctx, struct vm_area_struct *vma); +bool ocxl_context_get(struct ocxl_context *ctx); +void ocxl_context_put(struct ocxl_context *ctx); void ocxl_context_detach_all(struct ocxl_afu *afu); int ocxl_sysfs_register_afu(struct ocxl_file_info *info); -- 2.34.1

3 weeks, 4 days

1
0
0 0

[PATCH 5.10/5.15/6.1/6.6] net: stmmac: make sure that ptp_rate is not 0 before configuring EST

by Vasiliy Kovalev

From: Alexis Lothoré <alexis.lothore(a)bootlin.com> commit cbefe2ffa7784525ec5d008ba87c7add19ec631a upstream. If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0. Prevent this division by 0 by adding the corresponding check and error code. Suggested-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Signed-off-by: Alexis Lothoré <alexis.lothore(a)bootlin.com> Fixes: 8572aec3d0dc ("net: stmmac: Add basic EST support for XGMAC") Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-2-d73340a794d5@bootl… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ kovalev: bp to fix CVE-2025-38125; replaced netdev_warn with pr_warn due to missing dev pointer ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/net/ethernet/stmicro/stmmac/dwmac5.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c index 8fd167501fa0..4df62268f852 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c @@ -597,6 +597,11 @@ int dwmac5_est_configure(void __iomem *ioaddr, struct stmmac_est *cfg, int i, ret = 0x0; u32 ctrl; + if (!ptp_rate) { + pr_warn("%s: Invalid PTP rate\n", __func__); + return -EINVAL; + } + ret |= dwmac5_est_write(ioaddr, BTR_LOW, cfg->btr[0], false); ret |= dwmac5_est_write(ioaddr, BTR_HIGH, cfg->btr[1], false); ret |= dwmac5_est_write(ioaddr, TER, cfg->ter, false); -- 2.50.1

3 weeks, 4 days

1
0
0 0

[PATCH] perf/x86/intel: Fix KASAN global-out-of-bounds warning

by Dapeng Mi

When running "perf mem record" command on CWF, the below KASAN global-out-of-bounds warning is seen. 196.273657] ================================================================== [ 196.273662] BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0 [ 196.273669] Read of size 4 at addr ffffffffb721d000 by task dtlb/9850 [ 196.273676] CPU: 126 UID: 0 PID: 9850 Comm: dtlb Kdump: loaded Not tainted 6.17.0-rc3-2025-08-29-intel-next-34160-g316938187eb0 #1 PREEMPT(none) [ 196.273680] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.IPC.3544.P83.2507110208 07/11/2025 [ 196.273682] Call Trace: [ 196.273683] <NMI> [ 196.273684] dump_stack_lvl+0x55/0x70 [ 196.273689] print_address_description.constprop.0+0x2c/0x3d0 [ 196.273694] ? cmt_latency_data+0x176/0x1b0 [ 196.273696] print_report+0xb4/0x270 [ 196.273699] ? kasan_addr_to_slab+0xd/0xa0 [ 196.273702] kasan_report+0xb8/0xf0 [ 196.273705] ? cmt_latency_data+0x176/0x1b0 [ 196.273707] cmt_latency_data+0x176/0x1b0 [ 196.273710] setup_arch_pebs_sample_data+0xf49/0x2560 [ 196.273713] intel_pmu_drain_arch_pebs+0x577/0xb00 [ 196.273716] ? __pfx_intel_pmu_drain_arch_pebs+0x10/0x10 [ 196.273719] ? perf_output_begin+0x3e4/0xa10 [ 196.273724] ? intel_pmu_drain_bts_buffer+0xc2/0x6a0 [ 196.273727] ? __pfx_intel_pmu_drain_bts_buffer+0x10/0x10 [ 196.273730] handle_pmi_common+0x6c4/0xc80 [ 196.273734] ? __pfx_handle_pmi_common+0x10/0x10 [ 196.273738] ? intel_bts_interrupt+0xd3/0x4d0 [ 196.273740] ? __pfx_intel_bts_interrupt+0x10/0x10 [ 196.273742] ? intel_pmu_lbr_enable_all+0x25/0x150 [ 196.273745] intel_pmu_handle_irq+0x388/0x700 [ 196.273748] perf_event_nmi_handler+0xff/0x150 [ 196.273751] nmi_handle.part.0+0xa8/0x2d0 [ 196.273755] ? perf_output_begin+0x3e9/0xa10 [ 196.273757] default_do_nmi+0x79/0x1a0 [ 196.273760] fred_exc_nmi+0x40/0x90 [ 196.273762] asm_fred_entrypoint_kernel+0x45/0x60 [ 196.273765] RIP: 0010:perf_output_begin+0x3e9/0xa10 [ 196.273768] Code: 54 24 1c 85 d2 0f 85 19 03 00 00 48 8b 44 24 18 48 c1 e8 03 42 0f b6 04 28 84 c0 74 08 3c 03 0f 8e 25 05 00 00 41 8b 44 24 18 <c1> e0 0c 48 98 48 83 e8 01 80 7c 24 2a 00 0f 85 f9 02 00 00 4c 29 [ 196.273770] RSP: 0018:ffffc9001cf575e8 EFLAGS: 00000246 [ 196.273774] RAX: 0000000000000080 RBX: ffff88c1a0f95028 RCX: 0000000000000004 [ 196.273775] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88c08c8f9408 [ 196.273777] RBP: 0000000000000028 R08: 0000000000000000 R09: ffffed18341f2a05 [ 196.273778] R10: ffff88c1a0f9502f R11: ffff88c1a0dbe1b8 R12: ffff88c1a0f95000 [ 196.273779] R13: dffffc0000000000 R14: 0000000000000000 R15: ffffc9001cf577e0 [ 196.273782] </NMI> The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF. WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big) So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue. Reported-by: Xudong Hao <xudong.hao(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: 090262439f66 ("perf/x86/intel: Rename model-specific pebs_latency_data functions") Signed-off-by: Dapeng Mi <dapeng1.mi(a)linux.intel.com> --- arch/x86/events/intel/ds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c index c0b7ac1c7594..d1ac1f1ceee9 100644 --- a/arch/x86/events/intel/ds.c +++ b/arch/x86/events/intel/ds.c @@ -317,7 +317,7 @@ static u64 __grt_latency_data(struct perf_event *event, u64 status, { u64 val; - WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big); + WARN_ON_ONCE(is_hybrid() && hybrid_pmu(event->pmu)->pmu_type == hybrid_big); dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK; val = hybrid_var(event->pmu, pebs_data_source)[dse]; base-commit: 16ed389227651330879e17bd83d43bd234006722 -- 2.34.1

3 weeks, 4 days

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror