- Linux-stable-mirror - lists.linaro.org

Re: "loop: Avoid updating block size under exclusive owner" breaks on 6.6.103

by Jan Kara

On Wed 17-09-25 11:18:50, Eric Hagberg wrote: > I stumbled across a problem where the 6.6.103 kernel will fail when > running the ioctl_loop06 test from the LTP test suite... and worse > than failing the test, it leaves the system in a state where you can't > run "losetup -a" again because the /dev/loopN device that the test > created and failed the test on... hangs in a LOOP_GET_STATUS64 ioctl. > > It also leaves the system in a state where you can't re-kexec into a > copy of the kernel as it gets completely hung at the point where it > says "starting Reboot via kexec"... Thanks for the report! Please report issues with stable kernels to stable(a)vger.kernel.org (CCed now) because they can act on them. > If I revert just that patch from 6.6.103 (or newer) kernels, then the > test succeeds and doesn't leave the host in a bad state. The patch > applied to 6.12 doesn't cause this problem, but I also see that there > are quite a few other changes to the loop subsystem in 6.12 that never > made it to 6.6. > > For now, I'll probably just revert your patch in my 6.6 kernel builds, > but I wouldn't be surprised if others stumble across this issue as > well, so maybe it should be reverted or fixed some other way. Yes, I think revert from 6.6 stable kernel is warranted (unless somebody has time to figure out what else is missing to make the patch work with that stable branch). Honza -- Jan Kara <jack(a)suse.com> SUSE Labs, CR

1 month, 4 weeks

3
3
0 0

Check this out at Amazon

by Info Marketing

THE HOUSEMAID UNDER CONTRACT https://rb.gy/2xfnv3

1 month, 4 weeks

1
0
0 0

Re: Patch "x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" has been added to the 6.12-stable tree

by Tom Lendacky

On 9/22/25 00:52, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag to indicate that the patch only applied to 6.16 and above. Before 6.16, there isn't a stub version of the function, so all off those releases are fine. So this patch doesn't need to be part of the 6.12 stable tree. Thanks, Tom > > > From stable+bounces-180849-greg=kroah.com(a)vger.kernel.org Mon Sep 22 01:18:07 2025 > From: Sasha Levin <sashal(a)kernel.org> > Date: Sun, 21 Sep 2025 19:17:59 -0400 > Subject: x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT > To: stable(a)vger.kernel.org > Cc: Tom Lendacky <thomas.lendacky(a)amd.com>, "Borislav Petkov (AMD)" <bp(a)alien8.de>, stable(a)kernel.org, Sasha Levin <sashal(a)kernel.org> > Message-ID: <20250921231759.3033314-1-sashal(a)kernel.org> > > From: Tom Lendacky <thomas.lendacky(a)amd.com> > > [ Upstream commit 7f830e126dc357fc086905ce9730140fd4528d66 ] > > The sev_evict_cache() is guest-related code and should be guarded by > CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. > > CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP > guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub > function of sev_evict_cache() instead of the version that performs the actual > eviction. Move the function declarations under the appropriate #ifdef. > > Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") > Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> > Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> > Cc: stable(a)kernel.org # 6.16.x > Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… > [ Move sev_evict_cache() out of shared.c ] > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > arch/x86/coco/sev/shared.c | 18 ------------------ > arch/x86/include/asm/sev.h | 19 +++++++++++++++++++ > 2 files changed, 19 insertions(+), 18 deletions(-) > > --- a/arch/x86/coco/sev/shared.c > +++ b/arch/x86/coco/sev/shared.c > @@ -1243,24 +1243,6 @@ static void svsm_pval_terminate(struct s > __pval_terminate(pfn, action, page_size, ret, svsm_ret); > } > > -static inline void sev_evict_cache(void *va, int npages) > -{ > - volatile u8 val __always_unused; > - u8 *bytes = va; > - int page_idx; > - > - /* > - * For SEV guests, a read from the first/last cache-lines of a 4K page > - * using the guest key is sufficient to cause a flush of all cache-lines > - * associated with that 4K page without incurring all the overhead of a > - * full CLFLUSH sequence. > - */ > - for (page_idx = 0; page_idx < npages; page_idx++) { > - val = bytes[page_idx * PAGE_SIZE]; > - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; > - } > -} > - > static void svsm_pval_4k_page(unsigned long paddr, bool validate) > { > struct svsm_pvalidate_call *pc; > --- a/arch/x86/include/asm/sev.h > +++ b/arch/x86/include/asm/sev.h > @@ -400,6 +400,24 @@ u64 sev_get_status(void); > void sev_show_status(void); > void snp_update_svsm_ca(void); > > +static inline void sev_evict_cache(void *va, int npages) > +{ > + volatile u8 val __always_unused; > + u8 *bytes = va; > + int page_idx; > + > + /* > + * For SEV guests, a read from the first/last cache-lines of a 4K page > + * using the guest key is sufficient to cause a flush of all cache-lines > + * associated with that 4K page without incurring all the overhead of a > + * full CLFLUSH sequence. > + */ > + for (page_idx = 0; page_idx < npages; page_idx++) { > + val = bytes[page_idx * PAGE_SIZE]; > + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; > + } > +} > + > #else /* !CONFIG_AMD_MEM_ENCRYPT */ > > #define snp_vmpl 0 > @@ -435,6 +453,7 @@ static inline u64 snp_get_unsupported_fe > static inline u64 sev_get_status(void) { return 0; } > static inline void sev_show_status(void) { } > static inline void snp_update_svsm_ca(void) { } > +static inline void sev_evict_cache(void *va, int npages) {} > > #endif /* CONFIG_AMD_MEM_ENCRYPT */ > > > > Patches currently in stable-queue which might be from sashal(a)kernel.org are > > queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch > queue-6.12/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch > queue-6.12/asoc-wm8940-correct-pll-rate-rounding.patch > queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch > queue-6.12/x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch > queue-6.12/mptcp-pm-nl-announce-deny-join-id0-flag.patch > queue-6.12/drm-bridge-anx7625-fix-null-pointer-dereference-with.patch > queue-6.12/asoc-sof-intel-hda-stream-fix-incorrect-variable-use.patch > queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch > queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch > queue-6.12/nvme-fix-pi-insert-on-write.patch > queue-6.12/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch > queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch > queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch > queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch > queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch > queue-6.12/usb-xhci-remove-option-to-change-a-default-ring-s-trb-cycle-bit.patch > queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch > queue-6.12/io_uring-fix-incorrect-io_kiocb-reference-in-io_link.patch > queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch > queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch > queue-6.12/drm-xe-tile-release-kobject-for-the-failure-path.patch > queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch > queue-6.12/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch > queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch > queue-6.12/usb-xhci-introduce-macro-for-ring-segment-list-iteration.patch > queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch > queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch > queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch > queue-6.12/drm-bridge-cdns-mhdp8546-fix-missing-mutex-unlock-on.patch > queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch > queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch > queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch > queue-6.12/drm-xe-fix-a-null-vs-is_err-in-xe_vm_add_compute_exe.patch > queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch > queue-6.12/mm-gup-check-ref_count-instead-of-lru-before-migration.patch > queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch > queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch > queue-6.12/smb-client-let-smbd_destroy-call-disable_work_sync-i.patch > queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch > queue-6.12/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch > queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch > queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch > queue-6.12/smb-client-fix-filename-matching-of-deferred-files.patch > queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch > queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch > queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch > queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch > queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch > queue-6.12/asoc-wm8974-correct-pll-rate-rounding.patch > queue-6.12/mm-add-folio_expected_ref_count-for-reference-count-calculation.patch > queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch > queue-6.12/asoc-intel-catpt-expose-correct-bit-depth-to-userspa.patch > queue-6.12/asoc-wm8940-correct-typo-in-control-name.patch > queue-6.12/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch

1 month, 4 weeks

2
1
0 0

[PATCH v2 3/3] PCI: tegra194: Handle errors in BPMP response

by Niklas Cassel

From: Vidya Sagar <vidyas(a)nvidia.com> The return value from tegra_bpmp_transfer() indicates the success or failure of the IPC transaction with BPMP. If the transaction succeeded, we also need to check the actual command's result code. If we don't have error handling for tegra_bpmp_transfer(), we will set the pcie->ep_state to EP_STATE_ENABLED (even though the tegra_bpmp_transfer() command failed). Thus, the pcie->ep_state will get out of sync with reality, and any further PERST# assert + deassert will be a no-op (will not trigger the hardware initialization sequence). This is because pex_ep_event_pex_rst_deassert() checks the current pcie->ep_state, and does nothing if the current state is already EP_STATE_ENABLED. Thus, it is important to have error handling for tegra_bpmp_transfer(), such that the pcie->ep_state can not get out of sync with reality, so that we will try to initialize the hardware not only during the first PERST# assert + deassert, but also during any succeeding PERST# assert + deassert. One example where this fix is needed is when using a rock5b as host. During the initial PERST# assert + deassert (triggered by the bootloader on the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails. Once Linux has been loaded on the rock5b, the PCIe driver will once again assert + deassert PERST#. However, without tegra_bpmp_transfer() error handling, this second PERST# assert + deassert will not trigger the hardware initialization sequence. With tegra_bpmp_transfer() error handling, the second PERST# assert + deassert will once again trigger the hardware to be initialized and this time the tegra_bpmp_transfer() succeeds. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Vidya Sagar <vidyas(a)nvidia.com> [cassel: improve commit log] Reviewed-by: Jon Hunter <jonathanh(a)nvidia.com> Acked-by: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 7eb48cc13648e..c4265b3f72048 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1223,6 +1223,7 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; /* * Controller-5 doesn't need to have its state set by BPMP-FW in @@ -1245,7 +1246,13 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, @@ -1254,6 +1261,7 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; memset(&req, 0, sizeof(req)); memset(&resp, 0, sizeof(resp)); @@ -1273,7 +1281,13 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie) -- 2.51.0

1 month, 4 weeks

1
0
0 0

[PATCH v2 2/3] PCI: tegra194: Reset BARs when running in PCIe endpoint mode

by Niklas Cassel

Tegra already defines all BARs expect for BAR0 as BAR_RESERVED. This is sufficient for pci-epf-test to not allocate backing memory and to not call set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not mean that the BAR get disabled. The host side driver, pci_endpoint_test, simply does an ioremap for all enabled BARs, and will run tests against all enabled BARs. (I.e. it will run tests also against the BARs marked as BAR_RESERVED.) After running the BARs tests (which will write to all enabled BARs), the inbound address translation is broken. This is because the tegra controller exposes the ATU Port Logic Structure in BAR4. So when BAR4 is written, the inbound address translation settings get overwritten. To avoid this, implement the dw_pcie_ep_ops .init() callback and start off by disabling all BARs (pci-epf-test will later enable/configure BARs that are not defined as BAR_RESERVED). This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6, layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep. With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which was specifically made to detect address translation issues) passes. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 63d310e5335f4..7eb48cc13648e 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1955,6 +1955,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst_irq(int irq, void *arg) return IRQ_HANDLED; } +static void tegra_pcie_ep_init(struct dw_pcie_ep *ep) +{ + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + enum pci_barno bar; + + for (bar = 0; bar < PCI_STD_NUM_BARS; bar++) + dw_pcie_ep_reset_bar(pci, bar); +}; + static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) { /* Tegra194 supports only INTA */ @@ -2030,6 +2039,7 @@ tegra_pcie_ep_get_features(struct dw_pcie_ep *ep) } static const struct dw_pcie_ep_ops pcie_ep_ops = { + .init = tegra_pcie_ep_init, .raise_irq = tegra_pcie_ep_raise_irq, .get_features = tegra_pcie_ep_get_features, }; -- 2.51.0

1 month, 4 weeks

1
0
0 0

[PATCH] powerpc/Makefile: use $(objtree) for crtsavres.o

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> ... otherwise it could be problematic to build external modules: make[2]: Entering directory '.../kernel-module-hello-world' | CC [M] hello-world.o | MODPOST Module.symvers | CC [M] hello-world.mod.o | CC [M] .module-common.o | LD [M] hello-world.ko | powerpc-poky-linux-ld.bfd: cannot find arch/powerpc/lib/crtsavres.o: No such file or directory Fixes: da3de6df33f5 ("[POWERPC] Fix -Os kernel builds with newer gcc versions") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- arch/powerpc/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile index 9753fb87217c3..a58b1029592ce 100644 --- a/arch/powerpc/Makefile +++ b/arch/powerpc/Makefile @@ -58,7 +58,7 @@ ifeq ($(CONFIG_PPC64)$(CONFIG_LD_IS_BFD),yy) # There is a corresponding test in arch/powerpc/lib/Makefile KBUILD_LDFLAGS_MODULE += --save-restore-funcs else -KBUILD_LDFLAGS_MODULE += arch/powerpc/lib/crtsavres.o +KBUILD_LDFLAGS_MODULE += $(objtree)/arch/powerpc/lib/crtsavres.o endif ifdef CONFIG_CPU_LITTLE_ENDIAN -- 2.51.0

1 month, 4 weeks

3
2
0 0

[PATCH v2] staging: gpib: Fix device reference leak in fmh_gpib driver

by Ma Ke

The fmh_gpib driver contains a device reference count leak in fmh_gpib_attach_impl() where driver_find_device() increases the reference count of the device by get_device() when matching but this reference is not properly decreased. Add put_device() in fmh_gpib_attach_impl() and add put_device() in fmh_gpib_detach(), which ensures that the reference count of the device is correctly managed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the free operations as suggestions. Thanks for dan carpenter's instructions. --- drivers/staging/gpib/fmh_gpib/fmh_gpib.c | 66 +++++++++++++++++++----- 1 file changed, 54 insertions(+), 12 deletions(-) diff --git a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c index 4138f3d2bae7..f5be24b44238 100644 --- a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c +++ b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c @@ -1396,7 +1396,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar retval = fmh_gpib_generic_attach(board); if (retval) - return retval; + goto err_put_device; e_priv = board->private_data; nec_priv = &e_priv->nec7210_priv; @@ -1404,14 +1404,16 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpib_control_status"); if (!res) { dev_err(board->dev, "Unable to locate mmio resource\n"); - return -ENODEV; + retval = -ENODEV; + goto err_generic_detach; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { dev_err(board->dev, "cannot claim registers\n"); - return -ENXIO; + retval = -ENXIO; + goto err_generic_detach; } e_priv->gpib_iomem_res = res; @@ -1419,7 +1421,8 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar resource_size(e_priv->gpib_iomem_res)); if (!nec_priv->mmiobase) { dev_err(board->dev, "Could not map I/O memory\n"); - return -ENOMEM; + retval = -ENOMEM; + goto err_release_mmio_region; } dev_dbg(board->dev, "iobase %pr remapped to %p\n", e_priv->gpib_iomem_res, nec_priv->mmiobase); @@ -1427,34 +1430,41 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dma_fifos"); if (!res) { dev_err(board->dev, "Unable to locate mmio resource for gpib dma port\n"); - return -ENODEV; + retval = -ENODEV; + goto err_iounmap_mmio; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { dev_err(board->dev, "cannot claim registers\n"); - return -ENXIO; + retval = -ENXIO; + goto err_iounmap_mmio; } e_priv->dma_port_res = res; + e_priv->fifo_base = ioremap(e_priv->dma_port_res->start, resource_size(e_priv->dma_port_res)); if (!e_priv->fifo_base) { dev_err(board->dev, "Could not map I/O memory for fifos\n"); - return -ENOMEM; + retval = -ENOMEM; + goto err_release_dma_region; } dev_dbg(board->dev, "dma fifos 0x%lx remapped to %p, length=%ld\n", (unsigned long)e_priv->dma_port_res->start, e_priv->fifo_base, (unsigned long)resource_size(e_priv->dma_port_res)); irq = platform_get_irq(pdev, 0); - if (irq < 0) - return -EBUSY; + if (irq < 0) { + retval = -EBUSY; + goto err_iounmap_fifo; + } + retval = request_irq(irq, fmh_gpib_interrupt, IRQF_SHARED, pdev->name, board); if (retval) { dev_err(board->dev, "cannot register interrupt handler err=%d\n", retval); - return retval; + goto err_iounmap_fifo; } e_priv->irq = irq; @@ -1462,9 +1472,11 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->dma_channel = dma_request_slave_channel(board->dev, "rxtx"); if (!e_priv->dma_channel) { dev_err(board->dev, "failed to acquire dma channel \"rxtx\".\n"); - return -EIO; + retval = -EIO; + goto err_free_irq; } } + /* * in the future we might want to know the half-fifo size * (dma_burst_length) even when not using dma, so go ahead an @@ -1473,7 +1485,32 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->dma_burst_length = fifos_read(e_priv, FIFO_MAX_BURST_LENGTH_REG) & fifo_max_burst_length_mask; - return fmh_gpib_init(e_priv, board, handshake_mode); + retval = fmh_gpib_init(e_priv, board, handshake_mode); + if (retval) + goto err_release_dma; + + return 0; + +err_release_dma: + if (acquire_dma && e_priv->dma_channel) + dma_release_channel(e_priv->dma_channel); +err_free_irq: + free_irq(irq, board); +err_iounmap_fifo: + iounmap(e_priv->fifo_base); +err_release_dma_region: + release_mem_region(e_priv->dma_port_res->start, + resource_size(e_priv->dma_port_res)); +err_iounmap_mmio: + iounmap(nec_priv->mmiobase); +err_release_mmio_region: + release_mem_region(e_priv->gpib_iomem_res->start, + resource_size(e_priv->gpib_iomem_res)); +err_generic_detach: + fmh_gpib_generic_detach(board); +err_put_device: + put_device(board->dev); + return retval; } int fmh_gpib_attach_holdoff_all(struct gpib_board *board, const struct gpib_board_config *config) @@ -1517,6 +1554,11 @@ void fmh_gpib_detach(struct gpib_board *board) resource_size(e_priv->gpib_iomem_res)); } fmh_gpib_generic_detach(board); + + if (board->dev) { + put_device(board->dev); + board->dev = NULL; + } } static int fmh_gpib_pci_attach_impl(struct gpib_board *board, -- 2.17.1

1 month, 4 weeks

2
2
0 0

[PATCH] fs: udf: fix OOB read in lengthAllocDescs handling

by Larshin Sergey

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Validate the computed total length against epos->bh->b_size. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+8743fca924afed42f93e(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> --- fs/udf/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index f24aa98e6869..a79d73f28aa7 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2272,6 +2272,9 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos, if (check_add_overflow(sizeof(struct allocExtDesc), le32_to_cpu(header->lengthAllocDescs), &alen)) return -1; + + if (alen > epos->bh->b_size) + return -1; } switch (iinfo->i_alloc_type) { -- 2.39.5

1 month, 4 weeks

2
1
0 0

[PATCH 00/27 5.10.y] Backport minmax.h updates from v6.17-rc6

by Eliav Farber

This series includes a total of 27 patches, to align minmax.h of v5.15.y with v6.17-rc6. The set consists of 24 commits that directly update minmax.h: 1) 92d23c6e9415 ("overflow, tracing: Define the is_signed_type() macro once") 2) 5efcecd9a3b1 ("minmax: sanity check constant bounds when clamping") 3) 2122e2a4efc2 ("minmax: clamp more efficiently by avoiding extra comparison") 4) f9bff0e31881 ("minmax: add in_range() macro") 5) c952c748c7a9 ("minmax: Introduce {min,max}_array()") 6) 5e57418a2031 ("minmax: deduplicate __unconst_integer_typeof()") 7) f6e9d38f8eb0 ("minmax: fix header inclusions") 8) d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness.") 9) f4b84b2ff851 ("minmax: fix indentation of __cmp_once() and __clamp_once()") 10) 4ead534fba42 ("minmax: allow comparisons of 'int' against 'unsigned char/short'") 11) 867046cc7027 ("minmax: relax check to allow comparison between unsigned arguments and signed constants") 12) 3a7e02c040b1 ("minmax: avoid overly complicated constant expressions in VM code") 14) 017fa3e89187 ("minmax: simplify and clarify min_t()/max_t() implementation") 15) 1a251f52cfdc ("minmax: make generic MIN() and MAX() macros available everywhere") 18) dc1c8034e31b ("minmax: simplify min()/max()/clamp() implementation") 19) 22f546873149 ("minmax: improve macro expansion and type checking") 20) 21b136cc63d2 ("minmax: fix up min3() and max3() too") 21) 71ee9b16251e ("minmax.h: add whitespace around operators and after commas") 22) 10666e992048 ("minmax.h: update some comments") 23) b280bb27a9f7 ("minmax.h: reduce the #define expansion of min(), max() and clamp()") 24) a5743f32baec ("minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()") 25) c3939872ee4a ("minmax.h: move all the clamp() definitions after the min/max() ones") 26) 495bba17cdf9 ("minmax.h: simplify the variants of clamp()") 27) 2b97aaf74ed5 ("minmax.h: remove some #defines that are only expanded once") 2 prerequisite commits that adjust users of MIN and MAX macros (to prevent compilation issues): 13) 4477b39c32fd ("minmax: add a few more MIN_T/MAX_T users") 17) cb04e8b1d2f2 ("minmax: don't use max() in situations that want a C constant expression") 1 additional commit introduced to resolve a build failures during the backport: 16) lib: zstd: drop local MIN/MAX macros in favor of generic ones The primary motivation is to bring in commit (8). In mainline, this change allows min()/max()/clamp() to accept mixed argument types when both share the same signedness. Backported patches to v5.10.y that use such forms trigger compiler warnings, which in turn cause build failures when -Werror is enabled. Originaly I aligned 5.10.y to 5.15.y, but David Laight commented that I need to pick up the later changes (from Linus) as well. Andy Shevchenko (2): minmax: deduplicate __unconst_integer_typeof() minmax: fix header inclusions Bart Van Assche (1): overflow, tracing: Define the is_signed_type() macro once David Laight (11): minmax: allow min()/max()/clamp() if the arguments have the same signedness. minmax: fix indentation of __cmp_once() and __clamp_once() minmax: allow comparisons of 'int' against 'unsigned char/short' minmax: relax check to allow comparison between unsigned arguments and signed constants minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once Eliav Farber (1): lib: zstd: drop local MIN/MAX macros in favor of generic ones Herve Codina (1): minmax: Introduce {min,max}_array() Jason A. Donenfeld (2): minmax: sanity check constant bounds when clamping minmax: clamp more efficiently by avoiding extra comparison Linus Torvalds (8): minmax: avoid overly complicated constant expressions in VM code minmax: add a few more MIN_T/MAX_T users minmax: simplify and clarify min_t()/max_t() implementation minmax: make generic MIN() and MAX() macros available everywhere minmax: don't use max() in situations that want a C constant expression minmax: simplify min()/max()/clamp() implementation minmax: improve macro expansion and type checking minmax: fix up min3() and max3() too Matthew Wilcox (Oracle) (1): minmax: add in_range() macro arch/arm/mm/pageattr.c | 6 +- arch/um/drivers/mconsole_user.c | 2 + arch/x86/mm/pgtable.c | 2 +- drivers/edac/sb_edac.c | 4 +- drivers/edac/skx_common.h | 1 - .../drm/amd/display/modules/hdcp/hdcp_ddc.c | 2 + .../drm/amd/pm/powerplay/hwmgr/ppevvmath.h | 14 +- .../drm/arm/display/include/malidp_utils.h | 2 +- .../display/komeda/komeda_pipeline_state.c | 24 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 6 - drivers/gpu/drm/radeon/evergreen_cs.c | 2 + drivers/hwmon/adt7475.c | 24 +- drivers/input/touchscreen/cyttsp4_core.c | 2 +- drivers/md/dm-integrity.c | 2 +- drivers/media/dvb-frontends/stv0367_priv.h | 3 + .../net/ethernet/chelsio/cxgb3/cxgb3_main.c | 18 +- .../net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/fjes/fjes_main.c | 4 +- drivers/nfc/pn544/i2c.c | 2 - drivers/platform/x86/sony-laptop.c | 1 - drivers/scsi/isci/init.c | 6 +- .../pci/hive_isp_css_include/math_support.h | 5 - fs/btrfs/misc.h | 2 - fs/btrfs/tree-checker.c | 2 +- fs/ext2/balloc.c | 2 - fs/ext4/ext4.h | 2 - fs/ufs/util.h | 6 - include/linux/compiler.h | 15 + include/linux/minmax.h | 267 ++++++++++++++---- include/linux/overflow.h | 1 - include/linux/trace_events.h | 2 - kernel/trace/preemptirq_delay_test.c | 2 - lib/btree.c | 1 - lib/decompress_unlzma.c | 2 + lib/logic_pio.c | 3 - lib/vsprintf.c | 2 +- lib/zstd/zstd_internal.h | 2 - mm/zsmalloc.c | 1 - net/ipv4/proc.c | 2 +- net/ipv6/proc.c | 2 +- net/netfilter/nf_nat_core.c | 6 +- net/tipc/core.h | 2 +- net/tipc/link.c | 10 +- 44 files changed, 306 insertions(+), 164 deletions(-) -- 2.47.3

1 month, 4 weeks

6
35
0 0

[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level

by Vasant Hegde

The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> --- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE; -- 2.31.1

1 month, 4 weeks

3
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror