- Linux-stable-mirror - lists.linaro.org

[PATCH AUTOSEL 6.1 1/5] ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit dc3e0f17f74558e8a2fce00608855f050de10230 ] If client send SMB2_CREATE_POSIX_CONTEXT to ksmbd, Allow a filename to contain special characters. Reported-by: Philipp Kerling <pkerling(a)casix.org> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of both the commit message and code changes, examining the Linux kernel repository context: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Nature of the Change This is a **legitimate bug fix** that addresses a functional issue where SMB3.1.1 POSIX extension clients cannot create files with characters that are valid in POSIX filesystems but blocked by ksmbd's Windows- centric filename validation. ## Code Analysis ### Key Changes: 1. **Early POSIX context detection** (lines 2906-2925): The code now checks for SMB2_CREATE_POSIX_CONTEXT early in the function 2. **Conditional validation bypass**: The critical change at lines 3161-3164 where `ksmbd_validate_filename(name)` is only called when `posix_ctxt == false` 3. **Structural improvement**: Moving POSIX context parsing before filename validation, which is the logical order ### What Gets Bypassed: The `ksmbd_validate_filename()` function normally blocks characters like `"`, `<`, `>`, `|`, `?`, `*`, and control characters. For POSIX extensions, these restrictions are inappropriate since POSIX filesystems can safely handle most of these characters. ## Security Assessment ### Low Security Risk: 1. **Limited Scope**: Only affects clients explicitly using SMB3.1.1 POSIX extensions (`tcon->posix_extensions` must be enabled) 2. **VFS Protection**: Linux VFS layer provides underlying security validation 3. **No Path Traversal**: Higher-level path validation still prevents `../` sequences 4. **Standards Compliance**: Aligns with Microsoft's SMB3.1.1 POSIX extension specification ### Justification for the Change: - **User Report**: Philipp Kerling reported this as a functional issue - **Interoperability**: Essential for proper POSIX-aware SMB client functionality - **Standards Adherence**: SMB3.1.1 POSIX extensions are designed to allow POSIX filename semantics ## Comparison with Similar Commits This follows the pattern of other backported ksmbd commits: - **Similar to Commit #4**: Another filename validation fix that was backported (moving leading slash check) - **Similar scope**: Limited, well-contained change to specific subsystem - **Bug fix nature**: Addresses functional issue rather than adding new features ## Stable Tree Criteria Compliance ✅ **Fixes important bug**: Enables legitimate POSIX client functionality ✅ **Small and contained**: Changes only affect POSIX extension code path ✅ **Minimal regression risk**: Protected by existing VFS validation ✅ **Clear side effects**: Well-understood behavior change ✅ **No architectural changes**: Simple conditional logic modification ## Recommendation This commit represents a **low-risk bug fix** that enables proper SMB3.1.1 POSIX extension functionality without introducing significant security vulnerabilities. The change is well-scoped, addresses a legitimate user issue, and maintains appropriate security boundaries through existing VFS-level protections. fs/smb/server/smb2pdu.c | 53 +++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 9b1ba4aedbce7..c591255335058 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2685,7 +2685,7 @@ int smb2_open(struct ksmbd_work *work) int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0; int rc = 0; int contxt_cnt = 0, query_disk_id = 0; - int maximal_access_ctxt = 0, posix_ctxt = 0; + bool maximal_access_ctxt = false, posix_ctxt = false; int s_type = 0; int next_off = 0; char *name = NULL; @@ -2712,6 +2712,27 @@ int smb2_open(struct ksmbd_work *work) return create_smb2_pipe(work); } + if (req->CreateContextsOffset && tcon->posix_extensions) { + context = smb2_find_context_vals(req, SMB2_CREATE_TAG_POSIX, 16); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out2; + } else if (context) { + struct create_posix *posix = (struct create_posix *)context; + + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix) - 4) { + rc = -EINVAL; + goto err_out2; + } + ksmbd_debug(SMB, "get posix context\n"); + + posix_mode = le32_to_cpu(posix->Mode); + posix_ctxt = true; + } + } + if (req->NameLength) { if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) && *(char *)req->Buffer == '\\') { @@ -2743,9 +2764,11 @@ int smb2_open(struct ksmbd_work *work) goto err_out2; } - rc = ksmbd_validate_filename(name); - if (rc < 0) - goto err_out2; + if (posix_ctxt == false) { + rc = ksmbd_validate_filename(name); + if (rc < 0) + goto err_out2; + } if (ksmbd_share_veto_filename(share, name)) { rc = -ENOENT; @@ -2860,28 +2883,6 @@ int smb2_open(struct ksmbd_work *work) rc = -EBADF; goto err_out2; } - - if (tcon->posix_extensions) { - context = smb2_find_context_vals(req, - SMB2_CREATE_TAG_POSIX, 16); - if (IS_ERR(context)) { - rc = PTR_ERR(context); - goto err_out2; - } else if (context) { - struct create_posix *posix = - (struct create_posix *)context; - if (le16_to_cpu(context->DataOffset) + - le32_to_cpu(context->DataLength) < - sizeof(struct create_posix) - 4) { - rc = -EINVAL; - goto err_out2; - } - ksmbd_debug(SMB, "get posix context\n"); - - posix_mode = le32_to_cpu(posix->Mode); - posix_ctxt = 1; - } - } } if (ksmbd_override_fsids(work)) { -- 2.39.5

3 months, 1 week

2
5
0 0

[PATCH] net: core: fix UNIX-STREAM alignment in /proc/net/protocols

by moyuanhao3676＠163.com

From: MoYuanhao <moyuanhao3676(a)163.com> Widen protocol name column from %-9s to %-11s to properly display UNIX-STREAM and keep table alignment. before modification： console:/ # cat /proc/net/protocols protocol size sockets memory press maxhdr slab module cl co di ac io in de sh ss gs se re sp bi br ha uh gp em PPPOL2TP 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n HIDP 808 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n BNEP 808 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n RFCOMM 840 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n KEY 864 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PACKET 1536 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PINGv6 1184 0 -1 NI 0 yes kernel y y y n n y n n y y y y n y y y y y n RAWv6 1184 0 -1 NI 0 yes kernel y y y n y y y n y y y y n y y y y n n UDPLITEv6 1344 0 0 NI 0 yes kernel y y y n y y y n y y y y n n n y y y n UDPv6 1344 0 0 NI 0 yes kernel y y y n y y y n y y y y n n n y y y n TCPv6 2352 0 0 no 320 yes kernel y y y y y y y y y y y y y n y y y y y PPTP 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PPPOE 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n UNIX-STREAM 1024 29 -1 NI 0 yes kernel y n n n n n n n n n n n n n n n y n n UNIX 1024 193 -1 NI 0 yes kernel y n n n n n n n n n n n n n n n n n n UDP-Lite 1152 0 0 NI 0 yes kernel y y y n y y y n y y y y y n n y y y n PING 976 0 -1 NI 0 yes kernel y y y n n y n n y y y y n y y y y y n RAW 984 0 -1 NI 0 yes kernel y y y n y y y n y y y y n y y y y n n UDP 1152 0 0 NI 0 yes kernel y y y n y y y n y y y y y n n y y y n TCP 2192 0 0 no 320 yes kernel y y y y y y y y y y y y y n y y y y y SCO 848 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n L2CAP 824 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n HCI 888 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n NETLINK 1104 18 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n after modification: console:/ # cat /proc/net/protocols protocol size sockets memory press maxhdr slab module cl co di ac io in de sh ss gs se re sp bi br ha uh gp em PPPOL2TP 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n HIDP 808 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n BNEP 808 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n RFCOMM 840 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n KEY 864 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PACKET 1536 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PINGv6 1184 0 -1 NI 0 yes kernel y y y n n y n n y y y y n y y y y y n RAWv6 1184 0 -1 NI 0 yes kernel y y y n y y y n y y y y n y y y y n n UDPLITEv6 1344 0 0 NI 0 yes kernel y y y n y y y n y y y y n n n y y y n UDPv6 1344 0 0 NI 0 yes kernel y y y n y y y n y y y y n n n y y y n TCPv6 2352 0 0 no 320 yes kernel y y y y y y y y y y y y y n y y y y y PPTP 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PPPOE 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n UNIX-STREAM 1024 29 -1 NI 0 yes kernel y n n n n n n n n n n n n n n n y n n UNIX 1024 193 -1 NI 0 yes kernel y n n n n n n n n n n n n n n n n n n UDP-Lite 1152 0 0 NI 0 yes kernel y y y n y y y n y y y y y n n y y y n PING 976 0 -1 NI 0 yes kernel y y y n n y n n y y y y n y y y y y n RAW 984 0 -1 NI 0 yes kernel y y y n y y y n y y y y n y y y y n n UDP 1152 0 0 NI 0 yes kernel y y y n y y y n y y y y y n n y y y n TCP 2192 0 0 no 320 yes kernel y y y y y y y y y y y y y n y y y y y SCO 848 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n L2CAP 824 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n HCI 888 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n NETLINK 1104 18 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: MoYuanhao <moyuanhao3676(a)163.com> --- net/core/sock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 3b409bc8ef6d..d2de5459e94f 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -4284,7 +4284,7 @@ static const char *sock_prot_memory_pressure(struct proto *proto) static void proto_seq_printf(struct seq_file *seq, struct proto *proto) { - seq_printf(seq, "%-9s %4u %6d %6ld %-3s %6u %-3s %-10s " + seq_printf(seq, "%-11s %4u %6d %6ld %-3s %6u %-3s %-10s " "%2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c\n", proto->name, proto->obj_size, @@ -4317,7 +4317,7 @@ static void proto_seq_printf(struct seq_file *seq, struct proto *proto) static int proto_seq_show(struct seq_file *seq, void *v) { if (v == &proto_list) - seq_printf(seq, "%-9s %-4s %-8s %-6s %-5s %-7s %-4s %-10s %s", + seq_printf(seq, "%-11s %-4s %-8s %-6s %-5s %-7s %-4s %-10s %s", "protocol", "size", "sockets", -- 2.34.1

3 months, 1 week

3
2
0 0

[PATCH AUTOSEL 5.4 1/2] Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices"

by Sasha Levin

From: Lukas Wunner <lukas(a)wunner.de> [ Upstream commit 3be5fa236649da6404f1bca1491bf02d4b0d5cce ] Commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()") changed IRQ handling on PCI driver probing. It inadvertently broke resume from system sleep on AMD platforms: https://lore.kernel.org/r/20150926164651.GA3640@pd.tnic/ This was fixed by two independent commits: * 8affb487d4a4 ("x86/PCI: Don't alloc pcibios-irq when MSI is enabled") * cbbc00be2ce3 ("iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices") The breaking change and one of these two fixes were subsequently reverted: * fe25d078874f ("Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"") * 6c777e8799a9 ("Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"") This rendered the second fix unnecessary, so revert it as well. It used the match_driver flag in struct pci_dev, which is internal to the PCI core and not supposed to be touched by arbitrary drivers. Signed-off-by: Lukas Wunner <lukas(a)wunner.de> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Signed-off-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org> Acked-by: Joerg Roedel <jroedel(a)suse.de> Link: https://patch.msgid.link/9a3ddff5cc49512044f963ba0904347bd404094d.174557234… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Extensive Analysis:** **1. Context and Purpose:** This commit is part of a coordinated series of reverts addressing regressions introduced by commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()") which broke system suspend/resume on AMD platforms in v4.3. The original issue was fixed by two independent commits, one of which (cbbc00be2ce3) added the line `iommu->dev->match_driver = false;` to prevent other PCI drivers from binding to IOMMU devices. **2. Code Change Analysis:** The commit removes exactly one line from `drivers/iommu/amd/init.c:2034`: ```c /* Prevent binding other PCI device drivers to IOMMU devices */ iommu->dev->match_driver = false; ``` This line was setting the `match_driver` field of `struct pci_dev`, which the commit message correctly identifies as "internal to the PCI core and not supposed to be touched by arbitrary drivers." **3. Why This Should Be Backported:** **a) Part of Coordinated Fix Series:** This revert is the logical completion of a series of reverts that fixed major regressions. Looking at the similar commits provided as examples: - Similar Commit #1 (YES): Revert of x86/PCI pcibios-irq allocation - Similar Commit #2 (YES): Revert of PCI IRQ management helpers - Similar Commit #5 (YES): Revert of the original problematic pcibios_alloc_irq implementation All these related reverts were marked for backporting, making this commit part of the same logical fix series. **b) Removes Inappropriate Code:** The commit eliminates code that violates kernel design principles by accessing internal PCI core structures from a driver. The `match_driver` field is not meant to be manipulated by individual drivers. **c) Cleanup After Main Fix:** Once the root cause (commit 991de2e59090) was reverted by commit 6c777e8799a9, the workaround became unnecessary. Keeping unnecessary workaround code, especially code that inappropriately accesses internal structures, is problematic. **d) Minimal Risk:** The change is extremely small and low-risk - it simply removes one line that was setting an internal field inappropriately. **e) Consistency and Completeness:** Since the other reverts in this series addressing the 991de2e59090 regressions were backported, this should be included for consistency and to ensure the cleanup is complete. **4. Stable Tree Criteria Met:** - ✅ Fixes inappropriate driver behavior (accessing internal PCI structures) - ✅ Small and contained change - ✅ Part of a series addressing known regressions - ✅ Minimal risk of introducing new issues - ✅ Consistent with backporting decisions for related commits The commit represents necessary cleanup after a coordinated regression fix and should be backported to maintain consistency with the related reverts and to remove code that inappropriately accesses internal kernel structures. drivers/iommu/amd_iommu_init.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c index de29512c75ccc..cd17deeedf349 100644 --- a/drivers/iommu/amd_iommu_init.c +++ b/drivers/iommu/amd_iommu_init.c @@ -1751,9 +1751,6 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) if (!iommu->dev) return -ENODEV; - /* Prevent binding other PCI device drivers to IOMMU devices */ - iommu->dev->match_driver = false; - /* ACPI _PRT won't have an IRQ for IOMMU */ iommu->dev->irq_managed = 1; -- 2.39.5

3 months, 1 week

1
1
0 0

[PATCH AUTOSEL 5.10 1/2] Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices"

by Sasha Levin

From: Lukas Wunner <lukas(a)wunner.de> [ Upstream commit 3be5fa236649da6404f1bca1491bf02d4b0d5cce ] Commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()") changed IRQ handling on PCI driver probing. It inadvertently broke resume from system sleep on AMD platforms: https://lore.kernel.org/r/20150926164651.GA3640@pd.tnic/ This was fixed by two independent commits: * 8affb487d4a4 ("x86/PCI: Don't alloc pcibios-irq when MSI is enabled") * cbbc00be2ce3 ("iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices") The breaking change and one of these two fixes were subsequently reverted: * fe25d078874f ("Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"") * 6c777e8799a9 ("Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"") This rendered the second fix unnecessary, so revert it as well. It used the match_driver flag in struct pci_dev, which is internal to the PCI core and not supposed to be touched by arbitrary drivers. Signed-off-by: Lukas Wunner <lukas(a)wunner.de> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Signed-off-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org> Acked-by: Joerg Roedel <jroedel(a)suse.de> Link: https://patch.msgid.link/9a3ddff5cc49512044f963ba0904347bd404094d.174557234… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Extensive Analysis:** **1. Context and Purpose:** This commit is part of a coordinated series of reverts addressing regressions introduced by commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()") which broke system suspend/resume on AMD platforms in v4.3. The original issue was fixed by two independent commits, one of which (cbbc00be2ce3) added the line `iommu->dev->match_driver = false;` to prevent other PCI drivers from binding to IOMMU devices. **2. Code Change Analysis:** The commit removes exactly one line from `drivers/iommu/amd/init.c:2034`: ```c /* Prevent binding other PCI device drivers to IOMMU devices */ iommu->dev->match_driver = false; ``` This line was setting the `match_driver` field of `struct pci_dev`, which the commit message correctly identifies as "internal to the PCI core and not supposed to be touched by arbitrary drivers." **3. Why This Should Be Backported:** **a) Part of Coordinated Fix Series:** This revert is the logical completion of a series of reverts that fixed major regressions. Looking at the similar commits provided as examples: - Similar Commit #1 (YES): Revert of x86/PCI pcibios-irq allocation - Similar Commit #2 (YES): Revert of PCI IRQ management helpers - Similar Commit #5 (YES): Revert of the original problematic pcibios_alloc_irq implementation All these related reverts were marked for backporting, making this commit part of the same logical fix series. **b) Removes Inappropriate Code:** The commit eliminates code that violates kernel design principles by accessing internal PCI core structures from a driver. The `match_driver` field is not meant to be manipulated by individual drivers. **c) Cleanup After Main Fix:** Once the root cause (commit 991de2e59090) was reverted by commit 6c777e8799a9, the workaround became unnecessary. Keeping unnecessary workaround code, especially code that inappropriately accesses internal structures, is problematic. **d) Minimal Risk:** The change is extremely small and low-risk - it simply removes one line that was setting an internal field inappropriately. **e) Consistency and Completeness:** Since the other reverts in this series addressing the 991de2e59090 regressions were backported, this should be included for consistency and to ensure the cleanup is complete. **4. Stable Tree Criteria Met:** - ✅ Fixes inappropriate driver behavior (accessing internal PCI structures) - ✅ Small and contained change - ✅ Part of a series addressing known regressions - ✅ Minimal risk of introducing new issues - ✅ Consistent with backporting decisions for related commits The commit represents necessary cleanup after a coordinated regression fix and should be backported to maintain consistency with the related reverts and to remove code that inappropriately accesses internal kernel structures. drivers/iommu/amd/init.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index e09391ab3deb0..752edbf529f5f 100644 --- a/drivers/iommu/amd/init.c +++ b/drivers/iommu/amd/init.c @@ -1876,9 +1876,6 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) if (!iommu->dev) return -ENODEV; - /* Prevent binding other PCI device drivers to IOMMU devices */ - iommu->dev->match_driver = false; - /* ACPI _PRT won't have an IRQ for IOMMU */ iommu->dev->irq_managed = 1; -- 2.39.5

3 months, 1 week

1
1
0 0

[PATCH AUTOSEL 5.15 1/3] ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit dc3e0f17f74558e8a2fce00608855f050de10230 ] If client send SMB2_CREATE_POSIX_CONTEXT to ksmbd, Allow a filename to contain special characters. Reported-by: Philipp Kerling <pkerling(a)casix.org> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of both the commit message and code changes, examining the Linux kernel repository context: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Nature of the Change This is a **legitimate bug fix** that addresses a functional issue where SMB3.1.1 POSIX extension clients cannot create files with characters that are valid in POSIX filesystems but blocked by ksmbd's Windows- centric filename validation. ## Code Analysis ### Key Changes: 1. **Early POSIX context detection** (lines 2906-2925): The code now checks for SMB2_CREATE_POSIX_CONTEXT early in the function 2. **Conditional validation bypass**: The critical change at lines 3161-3164 where `ksmbd_validate_filename(name)` is only called when `posix_ctxt == false` 3. **Structural improvement**: Moving POSIX context parsing before filename validation, which is the logical order ### What Gets Bypassed: The `ksmbd_validate_filename()` function normally blocks characters like `"`, `<`, `>`, `|`, `?`, `*`, and control characters. For POSIX extensions, these restrictions are inappropriate since POSIX filesystems can safely handle most of these characters. ## Security Assessment ### Low Security Risk: 1. **Limited Scope**: Only affects clients explicitly using SMB3.1.1 POSIX extensions (`tcon->posix_extensions` must be enabled) 2. **VFS Protection**: Linux VFS layer provides underlying security validation 3. **No Path Traversal**: Higher-level path validation still prevents `../` sequences 4. **Standards Compliance**: Aligns with Microsoft's SMB3.1.1 POSIX extension specification ### Justification for the Change: - **User Report**: Philipp Kerling reported this as a functional issue - **Interoperability**: Essential for proper POSIX-aware SMB client functionality - **Standards Adherence**: SMB3.1.1 POSIX extensions are designed to allow POSIX filename semantics ## Comparison with Similar Commits This follows the pattern of other backported ksmbd commits: - **Similar to Commit #4**: Another filename validation fix that was backported (moving leading slash check) - **Similar scope**: Limited, well-contained change to specific subsystem - **Bug fix nature**: Addresses functional issue rather than adding new features ## Stable Tree Criteria Compliance ✅ **Fixes important bug**: Enables legitimate POSIX client functionality ✅ **Small and contained**: Changes only affect POSIX extension code path ✅ **Minimal regression risk**: Protected by existing VFS validation ✅ **Clear side effects**: Well-understood behavior change ✅ **No architectural changes**: Simple conditional logic modification ## Recommendation This commit represents a **low-risk bug fix** that enables proper SMB3.1.1 POSIX extension functionality without introducing significant security vulnerabilities. The change is well-scoped, addresses a legitimate user issue, and maintains appropriate security boundaries through existing VFS-level protections. fs/ksmbd/smb2pdu.c | 53 +++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index b21601c0a457c..76334a983cd25 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -2679,7 +2679,7 @@ int smb2_open(struct ksmbd_work *work) int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0; int rc = 0; int contxt_cnt = 0, query_disk_id = 0; - int maximal_access_ctxt = 0, posix_ctxt = 0; + bool maximal_access_ctxt = false, posix_ctxt = false; int s_type = 0; int next_off = 0; char *name = NULL; @@ -2706,6 +2706,27 @@ int smb2_open(struct ksmbd_work *work) return create_smb2_pipe(work); } + if (req->CreateContextsOffset && tcon->posix_extensions) { + context = smb2_find_context_vals(req, SMB2_CREATE_TAG_POSIX, 16); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out2; + } else if (context) { + struct create_posix *posix = (struct create_posix *)context; + + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix) - 4) { + rc = -EINVAL; + goto err_out2; + } + ksmbd_debug(SMB, "get posix context\n"); + + posix_mode = le32_to_cpu(posix->Mode); + posix_ctxt = true; + } + } + if (req->NameLength) { if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) && *(char *)req->Buffer == '\\') { @@ -2737,9 +2758,11 @@ int smb2_open(struct ksmbd_work *work) goto err_out2; } - rc = ksmbd_validate_filename(name); - if (rc < 0) - goto err_out2; + if (posix_ctxt == false) { + rc = ksmbd_validate_filename(name); + if (rc < 0) + goto err_out2; + } if (ksmbd_share_veto_filename(share, name)) { rc = -ENOENT; @@ -2854,28 +2877,6 @@ int smb2_open(struct ksmbd_work *work) rc = -EBADF; goto err_out2; } - - if (tcon->posix_extensions) { - context = smb2_find_context_vals(req, - SMB2_CREATE_TAG_POSIX, 16); - if (IS_ERR(context)) { - rc = PTR_ERR(context); - goto err_out2; - } else if (context) { - struct create_posix *posix = - (struct create_posix *)context; - if (le16_to_cpu(context->DataOffset) + - le32_to_cpu(context->DataLength) < - sizeof(struct create_posix) - 4) { - rc = -EINVAL; - goto err_out2; - } - ksmbd_debug(SMB, "get posix context\n"); - - posix_mode = le32_to_cpu(posix->Mode); - posix_ctxt = 1; - } - } } if (ksmbd_override_fsids(work)) { -- 2.39.5

3 months, 1 week

1
2
0 0

[PATCH 6.15.y 0/2] rtc: backport support for handling dates before 1970

by Uwe Kleine-König

Hello, as described in the commit log of the two commits the rtc-mt6397 driver relies on these fixes as soon as it should store dates later than 2027-12-31. On one of the patches has a Fixes line, so this submission is done to ensure that both patches are backported. The patches sent in reply to this mail are (trivial) backports to v6.15.1, they should get backported to the older stable kernels, too, to (somewhat) ensure that in 2028 no surprises happen. `git am` is able to apply the patches as is to 6.14.y, 6.12.y, 6.6.y, 6.1.y and 5.15.y. 5.10 and 5.4 need an adaption, I didn't look into that yet but can follow up with backports for these. The two fixes were accompanied by 3 test updates: 46351921cbe1 ("rtc: test: Emit the seconds-since-1970 value instead of days-since-1970") da62b49830f8 ("rtc: test: Also test time and wday outcome of rtc_time64_to_tm()") ccb2dba3c19f ("rtc: test: Test date conversion for dates starting in 1900") that cover one of the patches. Would you consider it sensible to backport these, too? Best regards Uwe Alexandre Mergnat (2): rtc: Make rtc_time64_to_tm() support dates before 1970 rtc: Fix offset calculation for .start_secs < 0 drivers/rtc/class.c | 2 +- drivers/rtc/lib.c | 24 +++++++++++++++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) base-commit: 3ef49626da6dd67013fc2cf0a4e4c9e158bb59f7 -- 2.47.2

3 months, 1 week

3
5
0 0

+ mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: close theoretical race where stale TLB entries could linger has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryan Roberts <ryan.roberts(a)arm.com> Subject: mm: close theoretical race where stale TLB entries could linger Date: Fri, 6 Jun 2025 10:28:07 +0100 Commit 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") described a theoretical race as such: """ Nadav Amit identified a theoretical race between page reclaim and mprotect due to TLB flushes being batched outside of the PTL being held. He described the race as follows: CPU0 CPU1 ---- ---- user accesses memory using RW PTE [PTE now cached in TLB] try_to_unmap_one() ==> ptep_get_and_clear() ==> set_tlb_ubc_flush_pending() mprotect(addr, PROT_READ) ==> change_pte_range() ==> [ PTE non-present - no flush ] user writes using cached RW PTE ... try_to_unmap_flush() The same type of race exists for reads when protecting for PROT_NONE and also exists for operations that can leave an old TLB entry behind such as munmap, mremap and madvise. """ The solution was to introduce flush_tlb_batched_pending() and call it under the PTL from mprotect/madvise/munmap/mremap to complete any pending tlb flushes. However, while madvise_free_pte_range() and madvise_cold_or_pageout_pte_range() were both retro-fitted to call flush_tlb_batched_pending() immediately after initially acquiring the PTL, they both temporarily release the PTL to split a large folio if they stumble upon one. In this case, where re-acquiring the PTL flush_tlb_batched_pending() must be called again, but it previously was not. Let's fix that. There are 2 Fixes: tags here: the first is the commit that fixed madvise_free_pte_range(). The second is the commit that added madvise_cold_or_pageout_pte_range(), which looks like it copy/pasted the faulty pattern from madvise_free_pte_range(). This is a theoretical bug discovered during code review. Link: https://lkml.kernel.org/r/20250606092809.4194056-1-ryan.roberts@arm.com Fixes: 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") Fixes: 9c276cc65a58 ("mm: introduce MADV_COLD") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Jann Horn <jannh(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mel Gorman <mgorman <mgorman(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/madvise.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/madvise.c~mm-close-theoretical-race-where-stale-tlb-entries-could-linger +++ a/mm/madvise.c @@ -508,6 +508,7 @@ restart: pte_offset_map_lock(mm, pmd, addr, &ptl); if (!start_pte) break; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); if (!err) nr = 0; @@ -741,6 +742,7 @@ static int madvise_free_pte_range(pmd_t start_pte = pte; if (!start_pte) break; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); if (!err) nr = 0; _ Patches currently in -mm which might be from ryan.roberts(a)arm.com are mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch

3 months, 1 week

1
0
0 0

+ mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure Date: Fri, 6 Jun 2025 13:50:32 +0100 While an OOM failure in commit_merge() isn't really feasible due to the allocation which might fail (a maple tree pre-allocation) being 'too small to fail', we do need to handle this case correctly regardless. In vma_merge_existing_range(), we can theoretically encounter failures which result in an OOM error in two ways - firstly dup_anon_vma() might fail with an OOM error, and secondly commit_merge() failing, ultimately, to pre-allocate a maple tree node. The abort logic for dup_anon_vma() resets the VMA iterator to the initial range, ensuring that any logic looping on this iterator will correctly proceed to the next VMA. However the commit_merge() abort logic does not do the same thing. This resulted in a syzbot report occurring because mlockall() iterates through VMAs, is tolerant of errors, but ended up with an incorrect previous VMA being specified due to incorrect iterator state. While making this change, it became apparent we are duplicating logic - the logic introduced in commit 41e6ddcaa0f1 ("mm/vma: add give_up_on_oom option on modify/merge, use in uffd release") duplicates the vmg->give_up_on_oom check in both abort branches. Additionally, we observe that we can perform the anon_dup check safely on dup_anon_vma() failure, as this will not be modified should this call fail. Finally, we need to reset the iterator in both cases, so now we can simply use the exact same code to abort for both. We remove the VM_WARN_ON(err != -ENOMEM) as it would be silly for this to be otherwise and it allows us to implement the abort check more neatly. Link: https://lkml.kernel.org/r/20250606125032.164249-1-lorenzo.stoakes@oracle.com Fixes: 47b16d0462a4 ("mm: abort vma_modify() on merge out of memory failure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: syzbot+d16409ea9ecc16ed261a(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/6842cc67.a00a0220.29ac89.003b.GAE@google.c… Reviewed-by: Pedro Falcato <pfalcato(a)suse.de> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vma.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) --- a/mm/vma.c~mm-vma-reset-vma-iterator-on-commit_merge-oom-failure +++ a/mm/vma.c @@ -961,26 +961,9 @@ static __must_check struct vm_area_struc err = dup_anon_vma(next, middle, &anon_dup); } - if (err) + if (err || commit_merge(vmg)) goto abort; - err = commit_merge(vmg); - if (err) { - VM_WARN_ON(err != -ENOMEM); - - if (anon_dup) - unlink_anon_vmas(anon_dup); - - /* - * We've cleaned up any cloned anon_vma's, no VMAs have been - * modified, no harm no foul if the user requests that we not - * report this and just give up, leaving the VMAs unmerged. - */ - if (!vmg->give_up_on_oom) - vmg->state = VMA_MERGE_ERROR_NOMEM; - return NULL; - } - khugepaged_enter_vma(vmg->target, vmg->flags); vmg->state = VMA_MERGE_SUCCESS; return vmg->target; @@ -989,6 +972,9 @@ abort: vma_iter_set(vmg->vmi, start); vma_iter_load(vmg->vmi); + if (anon_dup) + unlink_anon_vmas(anon_dup); + /* * This means we have failed to clone anon_vma's correctly, but no * actual changes to VMAs have occurred, so no harm no foul - if the _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch docs-mm-expand-vma-doc-to-highlight-pte-freeing-non-vma-traversal.patch mm-ksm-have-ksm-vma-checks-not-require-a-vma-pointer.patch mm-ksm-refer-to-special-vmas-via-vm_special-in-ksm_compatible.patch mm-prevent-ksm-from-breaking-vma-merging-for-new-vmas.patch tools-testing-selftests-add-vma-merge-tests-for-ksm-merge.patch mm-pagewalk-split-walk_page_range_novma-into-kernel-user-parts.patch

3 months, 1 week

1
0
0 0

[PATCH v2] iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush

by Sean Nyekjaer

fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of the interrupt that flushes the fifo. Fix this by calling synchronize_irq() to ensure that no interrupt is currently running when disabling buffer mode. Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read [...] _find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290 fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178 fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c irq_thread_fn from irq_thread+0x110/0x1f4 irq_thread from kthread+0xe0/0xfc kthread from ret_from_fork+0x14/0x2c Fixes: 79e3a5bdd9ef ("iio: accel: fxls8962af: add hw buffered sampling") Cc: stable(a)vger.kernel.org Suggested-by: David Lechner <dlechner(a)baylibre.com> Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> --- Changes in v2: - As per David's suggestion; switched to use synchronize_irq() instead. - Link to v1: https://lore.kernel.org/r/20250524-fxlsrace-v1-1-dec506dc87ae@geanix.com --- drivers/iio/accel/fxls8962af-core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/accel/fxls8962af-core.c b/drivers/iio/accel/fxls8962af-core.c index 6d23da3e7aa22c61f2d9348bb91d70cc5719a732..f2558fba491dffa78b26d47d2cd9f1f4d9811f54 100644 --- a/drivers/iio/accel/fxls8962af-core.c +++ b/drivers/iio/accel/fxls8962af-core.c @@ -866,6 +866,8 @@ static int fxls8962af_buffer_predisable(struct iio_dev *indio_dev) if (ret) return ret; + synchronize_irq(data->irq); + ret = __fxls8962af_fifo_set_mode(data, false); if (data->enable_event) --- base-commit: 5c3fcb36c92443a9a037683626a2e43d8825f783 change-id: 20250524-fxlsrace-f4d20e29fb29 Best regards, -- Sean Nyekjaer <sean(a)geanix.com>

3 months, 1 week

3
3
0 0

[PATCH 6.11 1/1] PCI/ASPM: Disable L1 before disabling L1 PM Substates

by Macpaul Lin

From: Ajay Agarwal <ajayagarwal(a)google.com> [ Upstream commit 7447990137bf06b2aeecad9c6081e01a9f47f2aa ] PCIe r6.2, sec 5.5.4, requires that: If setting either or both of the enable bits for ASPM L1 PM Substates, both ports must be configured as described in this section while ASPM L1 is disabled. Previously, pcie_config_aspm_l1ss() assumed that "setting enable bits" meant "setting them to 1", and it configured L1SS as follows: - Clear L1SS enable bits - Disable L1 - Configure L1SS enable bits as required - Enable L1 if required With this sequence, when disabling L1SS on an ARM A-core with a Synopsys DesignWare PCIe core, the CPU occasionally hangs when reading PCI_L1SS_CTL1, leading to a reboot when the CPU watchdog expires. Move the L1 disable to the caller (pcie_config_aspm_link(), where L1 was already enabled) so L1 is always disabled while updating the L1SS bits: - Disable L1 - Clear L1SS enable bits - Configure L1SS enable bits as required - Enable L1 if required Change pcie_aspm_cap_init() similarly. Link: https://lore.kernel.org/r/20241007032917.872262-1-ajayagarwal@google.com Signed-off-by: Ajay Agarwal <ajayagarwal(a)google.com> [bhelgaas: comments, commit log, compute L1SS setting before config access] Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Tested-by: Johnny-CC Chang <Johnny-CC.Chang(a)mediatek.com> Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> --- drivers/pci/pcie/aspm.c | 92 ++++++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 42 deletions(-) diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c index cee2365e54b8..e943691bc931 100644 --- a/drivers/pci/pcie/aspm.c +++ b/drivers/pci/pcie/aspm.c @@ -805,6 +805,15 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) pcie_capability_read_word(parent, PCI_EXP_LNKCTL, &parent_lnkctl); pcie_capability_read_word(child, PCI_EXP_LNKCTL, &child_lnkctl); + /* Disable L0s/L1 before updating L1SS config */ + if (FIELD_GET(PCI_EXP_LNKCTL_ASPMC, child_lnkctl) || + FIELD_GET(PCI_EXP_LNKCTL_ASPMC, parent_lnkctl)) { + pcie_capability_write_word(child, PCI_EXP_LNKCTL, + child_lnkctl & ~PCI_EXP_LNKCTL_ASPMC); + pcie_capability_write_word(parent, PCI_EXP_LNKCTL, + parent_lnkctl & ~PCI_EXP_LNKCTL_ASPMC); + } + /* * Setup L0s state * @@ -829,6 +838,13 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) aspm_l1ss_init(link); + /* Restore L0s/L1 if they were enabled */ + if (FIELD_GET(PCI_EXP_LNKCTL_ASPMC, child_lnkctl) || + FIELD_GET(PCI_EXP_LNKCTL_ASPMC, parent_lnkctl)) { + pcie_capability_write_word(parent, PCI_EXP_LNKCTL, parent_lnkctl); + pcie_capability_write_word(child, PCI_EXP_LNKCTL, child_lnkctl); + } + /* Save default state */ link->aspm_default = link->aspm_enabled; @@ -845,25 +861,28 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) } } -/* Configure the ASPM L1 substates */ +/* Configure the ASPM L1 substates. Caller must disable L1 first. */ static void pcie_config_aspm_l1ss(struct pcie_link_state *link, u32 state) { - u32 val, enable_req; + u32 val; struct pci_dev *child = link->downstream, *parent = link->pdev; - enable_req = (link->aspm_enabled ^ state) & state; + val = 0; + if (state & PCIE_LINK_STATE_L1_1) + val |= PCI_L1SS_CTL1_ASPM_L1_1; + if (state & PCIE_LINK_STATE_L1_2) + val |= PCI_L1SS_CTL1_ASPM_L1_2; + if (state & PCIE_LINK_STATE_L1_1_PCIPM) + val |= PCI_L1SS_CTL1_PCIPM_L1_1; + if (state & PCIE_LINK_STATE_L1_2_PCIPM) + val |= PCI_L1SS_CTL1_PCIPM_L1_2; /* - * Here are the rules specified in the PCIe spec for enabling L1SS: - * - When enabling L1.x, enable bit at parent first, then at child - * - When disabling L1.x, disable bit at child first, then at parent - * - When enabling ASPM L1.x, need to disable L1 - * (at child followed by parent). - * - The ASPM/PCIPM L1.2 must be disabled while programming timing + * PCIe r6.2, sec 5.5.4, rules for enabling L1 PM Substates: + * - Clear L1.x enable bits at child first, then at parent + * - Set L1.x enable bits at parent first, then at child + * - ASPM/PCIPM L1.2 must be disabled while programming timing * parameters - * - * To keep it simple, disable all L1SS bits first, and later enable - * what is needed. */ /* Disable all L1 substates */ @@ -871,26 +890,6 @@ static void pcie_config_aspm_l1ss(struct pcie_link_state *link, u32 state) PCI_L1SS_CTL1_L1SS_MASK, 0); pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, PCI_L1SS_CTL1_L1SS_MASK, 0); - /* - * If needed, disable L1, and it gets enabled later - * in pcie_config_aspm_link(). - */ - if (enable_req & (PCIE_LINK_STATE_L1_1 | PCIE_LINK_STATE_L1_2)) { - pcie_capability_clear_word(child, PCI_EXP_LNKCTL, - PCI_EXP_LNKCTL_ASPM_L1); - pcie_capability_clear_word(parent, PCI_EXP_LNKCTL, - PCI_EXP_LNKCTL_ASPM_L1); - } - - val = 0; - if (state & PCIE_LINK_STATE_L1_1) - val |= PCI_L1SS_CTL1_ASPM_L1_1; - if (state & PCIE_LINK_STATE_L1_2) - val |= PCI_L1SS_CTL1_ASPM_L1_2; - if (state & PCIE_LINK_STATE_L1_1_PCIPM) - val |= PCI_L1SS_CTL1_PCIPM_L1_1; - if (state & PCIE_LINK_STATE_L1_2_PCIPM) - val |= PCI_L1SS_CTL1_PCIPM_L1_2; /* Enable what we need to enable */ pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, @@ -937,21 +936,30 @@ static void pcie_config_aspm_link(struct pcie_link_state *link, u32 state) dwstream |= PCI_EXP_LNKCTL_ASPM_L1; } + /* + * Per PCIe r6.2, sec 5.5.4, setting either or both of the enable + * bits for ASPM L1 PM Substates must be done while ASPM L1 is + * disabled. Disable L1 here and apply new configuration after L1SS + * configuration has been completed. + * + * Per sec 7.5.3.7, when disabling ASPM L1, software must disable + * it in the Downstream component prior to disabling it in the + * Upstream component, and ASPM L1 must be enabled in the Upstream + * component prior to enabling it in the Downstream component. + * + * Sec 7.5.3.7 also recommends programming the same ASPM Control + * value for all functions of a multi-function device. + */ + list_for_each_entry(child, &linkbus->devices, bus_list) + pcie_config_aspm_dev(child, 0); + pcie_config_aspm_dev(parent, 0); + if (link->aspm_capable & PCIE_LINK_STATE_L1SS) pcie_config_aspm_l1ss(link, state); - /* - * Spec 2.0 suggests all functions should be configured the - * same setting for ASPM. Enabling ASPM L1 should be done in - * upstream component first and then downstream, and vice - * versa for disabling ASPM L1. Spec doesn't mention L0S. - */ - if (state & PCIE_LINK_STATE_L1) - pcie_config_aspm_dev(parent, upstream); + pcie_config_aspm_dev(parent, upstream); list_for_each_entry(child, &linkbus->devices, bus_list) pcie_config_aspm_dev(child, dwstream); - if (!(state & PCIE_LINK_STATE_L1)) - pcie_config_aspm_dev(parent, upstream); link->aspm_enabled = state; -- 2.45.2

3 months, 1 week

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror