Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

84 participants
123770 discussions

[PATCH vhost 1/3] vhost-net: unbreak busy polling

by Jason Wang

Commit 67a873df0c41 ("vhost: basic in order support") pass the number of used elem to vhost_net_rx_peek_head_len() to make sure it can signal the used correctly before trying to do busy polling. But it forgets to clear the count, this would cause the count run out of sync with handle_rx() and break the busy polling. Fixing this by passing the pointer of the count and clearing it after the signaling the used. Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Cc: stable(a)vger.kernel.org Fixes: 67a873df0c41 ("vhost: basic in order support") Signed-off-by: Jason Wang <jasowang(a)redhat.com> --- drivers/vhost/net.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index c6508fe0d5c8..16e39f3ab956 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -1014,7 +1014,7 @@ static int peek_head_len(struct vhost_net_virtqueue *rvq, struct sock *sk) } static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk, - bool *busyloop_intr, unsigned int count) + bool *busyloop_intr, unsigned int *count) { struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX]; struct vhost_net_virtqueue *tnvq = &net->vqs[VHOST_NET_VQ_TX]; @@ -1024,7 +1024,8 @@ static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk, if (!len && rvq->busyloop_timeout) { /* Flush batched heads first */ - vhost_net_signal_used(rnvq, count); + vhost_net_signal_used(rnvq, *count); + *count = 0; /* Both tx vq and rx socket were polled here */ vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, true); @@ -1180,7 +1181,7 @@ static void handle_rx(struct vhost_net *net) do { sock_len = vhost_net_rx_peek_head_len(net, sock->sk, - &busyloop_intr, count); + &busyloop_intr, &count); if (!sock_len) break; sock_len += sock_hlen; -- 2.34.1

3 months, 2 weeks

[PATCH 6.1 00/78] 6.1.153-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.153 release. There are 78 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 19 Sep 2025 12:32:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.153-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.153-rc1 Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: mdt_loader: Deal with zero e_shentsize Dan Carpenter <dan.carpenter(a)linaro.org> soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() Jani Nikula <jani.nikula(a)intel.com> drm/i915/power: fix size for for_each_set_bit() in abox iteration Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix a memory leak in fence cleanup when unloading Johan Hovold <johan(a)kernel.org> phy: ti-pipe3: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: tegra: xusb: fix device and OF node leak at probe Miaoqian Lin <linmq006(a)gmail.com> dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Stephan Gerhold <stephan.gerhold(a)linaro.org> dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hrtimers: Unconditionally update target CPU base after offline timer migration Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> hrtimer: Remove unused function Andreas Kemnade <akemnade(a)kernel.org> regulator: sy7636a: fix lifecycle of power good gpio Anders Roxell <anders.roxell(a)linaro.org> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: idxd: Fix double free in idxd_setup_wqs() Hangbin Liu <liuhangbin(a)gmail.com> hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Hangbin Liu <liuhangbin(a)gmail.com> hsr: use rtnl lock when iterating over ports Murali Karicheri <m-karicheri2(a)ti.com> net: hsr: Add VLAN CTAG filter support Murali Karicheri <m-karicheri2(a)ti.com> net: hsr: Add support for MC filtering at the slave device Ravi Gunasekaran <r-gunasekaran(a)ti.com> net: hsr: Disable promiscuous mode in offload mode Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed Michal Schmidt <mschmidt(a)redhat.com> i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Kohei Enju <enjuk(a)amazon.com> igb: fix link test skipping when interface is admin down Alex Tran <alex.t.tran(a)gmail.com> docs: networking: can: change bcm_msg_head frames member to support flexible array Antoine Tenart <atenart(a)kernel.org> tunnels: reset the GSO metadata before reusing the skb Stefan Wahren <wahrenst(a)gmx.net> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990A w/audio compositions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in flow control levels init Fabian Vogt <fvogt(a)suse.de> tty: hvc_console: Call hvc_kick in hvc_write unconditionally Paolo Abeni <pabeni(a)redhat.com> Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Christoffer Sandberg <cs(a)tuxedo.de> Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - avoid enabling unused interrupts Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Chen Ridong <chenridong(a)huawei.com> kernfs: Fix UAF in polling when open file is released Wei Yang <richard.weiyang(a)gmail.com> mm/khugepaged: fix the address passed to notifier on testing young Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios Alexander Sverdlin <alexander.sverdlin(a)siemens.com> mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Alexander Dahl <ada(a)thorsis.com> mtd: nand: raw: atmel: Fix comment in timings preparation Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() Stanislav Fort <stanislav.fort(a)aisle.com> mm/damon/sysfs: fix use-after-free in state_show() Ilya Dryomov <idryomov(a)gmail.com> libceph: fix invalid accesses to ceph_connection_v1_info Miklos Szeredi <mszeredi(a)redhat.com> fuse: prevent overflow in copy_file_range return value Miklos Szeredi <mszeredi(a)redhat.com> fuse: check if copy_file_range() returns larger than requested size Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: fix ECC overwrite Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Oleksij Rempel <linux(a)rempel-privat.de> net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Mark Tinguely <mark.tinguely(a)oracle.com> ocfs2: fix recursive semaphore deadlock in fiemap call Krister Johansen <kjlx(a)templeofstupid.com> mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Nathan Chancellor <nathan(a)kernel.org> compiler-clang.h: define __SANITIZE_*__ macros only when undefined Trond Myklebust <trond.myklebust(a)hammerspace.com> Revert "SUNRPC: Don't allow waiting for exiting tasks" Salah Triki <salah.triki(a)gmail.com> EDAC/altera: Delete an inappropriate dma_free_coherent() call Borislav Petkov (AMD) <bp(a)alien8.de> KVM: SVM: Set synthesized TSA CPUID flags Boris Ostrovsky <boris.ostrovsky(a)oracle.com> KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func() Kim Phillips <kim.phillips(a)amd.com> KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code wangzijie <wangzijie1(a)honor.com> proc: fix type confusion in pde_set_flags() Kuniyuki Iwashima <kuniyu(a)google.com> tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_cf: Deny all sampling events by counter PMU Pu Lehui <pulehui(a)huawei.com> tracing: Silence warning when chunk allocation fails in trace_pid_write Jonathan Curley <jcurley(a)purestorage.com> NFSv4/flexfiles: Fix layout merge mirror check. Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace/samples: Fix function size computation Luo Gengkun <luogengkun(a)huaweicloud.com> tracing: Fix tracing_marker may trigger page fault during preempt_disable Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Don't clear capabilities that won't be reset Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not add length to print format in synthetic events Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Kuniyuki Iwashima <kuniyu(a)amazon.com> net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Fix link frequency validation Arnd Bergmann <arnd(a)arndb.de> media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Harry Yoo <harry.yoo(a)oracle.com> mm: introduce and use {pgd,p4d}_populate_kernel() Yeoreum Yun <yeoreum.yun(a)arm.com> kunit: kasan_test: disable fortify string checker on kasan_strings() test ------------- Diffstat: .../bindings/serial/brcm,bcm7271-uart.yaml | 2 +- Documentation/networking/can.rst | 2 +- Makefile | 4 +- arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/x86/kvm/cpuid.c | 33 +++-- drivers/dma/dw/rzn1-dmamux.c | 15 +- drivers/dma/idxd/init.c | 33 +++-- drivers/dma/qcom/bam_dma.c | 8 +- drivers/dma/ti/edma.c | 4 +- drivers/edac/altera_edac.c | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 - drivers/gpu/drm/i915/display/intel_display_power.c | 6 +- drivers/input/misc/iqs7222.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 14 ++ drivers/media/i2c/imx214.c | 27 +++- .../platform/mediatek/vcodec/mtk_vcodec_fw_scp.c | 4 +- .../platform/mediatek/vcodec/venc/venc_h264_if.c | 6 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 18 ++- drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +++--- drivers/net/can/xilinx_can.c | 16 +- drivers/net/ethernet/freescale/fec_main.c | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 +- drivers/phy/tegra/xusb-tegra210.c | 6 +- drivers/phy/ti/phy-ti-pipe3.c | 13 ++ drivers/regulator/sy7636a-regulator.c | 7 +- drivers/soc/qcom/mdt_loader.c | 14 +- drivers/tty/hvc/hvc_console.c | 6 +- drivers/tty/serial/sc16is7xx.c | 14 +- drivers/usb/gadget/udc/dummy_hcd.c | 8 +- drivers/usb/serial/option.c | 17 +++ fs/fuse/file.c | 5 +- fs/kernfs/file.c | 54 ++++--- fs/nfs/client.c | 2 + fs/nfs/flexfilelayout/flexfilelayout.c | 21 ++- fs/nfs/nfs4proc.c | 6 +- fs/ocfs2/extent_map.c | 10 +- fs/proc/generic.c | 3 +- include/linux/compiler-clang.h | 31 +++- include/linux/pgalloc.h | 29 ++++ include/linux/pgtable.h | 13 +- include/net/sock.h | 40 ++++- kernel/time/hrtimer.c | 50 ++----- kernel/trace/trace.c | 10 +- kernel/trace/trace_events_synth.c | 2 - mm/damon/lru_sort.c | 3 + mm/damon/reclaim.c | 3 + mm/damon/sysfs.c | 14 +- mm/kasan/init.c | 12 +- mm/kasan/kasan_test.c | 1 + mm/khugepaged.c | 22 +-- mm/memory-failure.c | 7 +- mm/percpu.c | 6 +- mm/sparse-vmemmap.c | 6 +- net/can/j1939/bus.c | 5 +- net/can/j1939/socket.c | 3 + net/ceph/messenger.c | 7 +- net/core/sock.c | 5 + net/hsr/hsr_device.c | 163 ++++++++++++++++++++- net/hsr/hsr_main.c | 4 +- net/hsr/hsr_main.h | 4 + net/hsr/hsr_slave.c | 15 +- net/ipv4/ip_tunnel_core.c | 6 + net/ipv4/tcp_bpf.c | 5 +- net/mptcp/sockopt.c | 11 +- net/sunrpc/sched.c | 2 - samples/ftrace/ftrace-direct-modify.c | 2 +- sound/soc/qcom/qdsp6/q6apm-dai.c | 28 +++- 68 files changed, 669 insertions(+), 285 deletions(-)

3 months, 2 weeks

[PATCH 1/1] iommu/vt-d: PRS isn't usable if PDS isn't supported

by Lu Baolu

The specification, Section 7.10, "Software Steps to Drain Page Requests & Responses," requires software to submit an Invalidation Wait Descriptor (inv_wait_dsc) with the Page-request Drain (PD=1) flag set, along with the Invalidation Wait Completion Status Write flag (SW=1). It then waits for the Invalidation Wait Descriptor's completion. However, the PD field in the Invalidation Wait Descriptor is optional, as stated in Section 6.5.2.9, "Invalidation Wait Descriptor": "Page-request Drain (PD): Remapping hardware implementations reporting Page-request draining as not supported (PDS = 0 in ECAP_REG) treat this field as reserved." This implies that if the IOMMU doesn't support the PDS capability, software can't drain page requests and group responses as expected. Do not enable PCI/PRI if the IOMMU doesn't support PDS. Reported-by: Joel Granados <joel.granados(a)kernel.org> Closes: https://lore.kernel.org/r/20250909-jag-pds-v1-1-ad8cba0e494e@kernel.org Fixes: 66ac4db36f4c ("iommu/vt-d: Add page request draining support") Cc: stable(a)vger.kernel.org Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- drivers/iommu/intel/iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 9c3ab9d9f69a..92759a8f8330 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -3812,7 +3812,7 @@ static struct iommu_device *intel_iommu_probe_device(struct device *dev) } if (info->ats_supported && ecap_prs(iommu->ecap) && - pci_pri_supported(pdev)) + ecap_pds(iommu->ecap) && pci_pri_supported(pdev)) info->pri_supported = 1; } } -- 2.43.0

3 months, 2 weeks

[PATCH v3] arm64: dts: st: Add memory-region-names property for stm32mp257f-ev1

by Patrice Chotard

In order to set the AMCR register, which configures the memory-region split between ospi1 and ospi2, we need to identify the ospi instance. By using memory-region-names, it allows to identify the ospi instance this memory-region belongs to. Fixes: cad2492de91c ("arm64: dts: st: Add SPI NOR flash support on stm32mp257f-ev1 board") Cc: stable(a)vger.kernel.org Signed-off-by: Patrice Chotard <patrice.chotard(a)foss.st.com> --- Changes in v3: - Set again "Cc: <stable(a)vger.kernel.org>" - Link to v2: https://lore.kernel.org/r/20250811-upstream_fix_dts_omm-v2-1-00ff55076bd5@f… Changes in v2: - Update commit message. - Use correct memory-region-names value. - Remove "Cc: <stable(a)vger.kernel.org>" tag as the fixed patch is not part of a LTS. - Link to v1: https://lore.kernel.org/r/20250806-upstream_fix_dts_omm-v1-1-e68c15ed422d@f… --- arch/arm64/boot/dts/st/stm32mp257f-ev1.dts | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/st/stm32mp257f-ev1.dts b/arch/arm64/boot/dts/st/stm32mp257f-ev1.dts index 2f561ad4066544445e93db78557bc4be1c27095a..7bd8433c1b4344bb5d58193a5e6314f9ae89e0a4 100644 --- a/arch/arm64/boot/dts/st/stm32mp257f-ev1.dts +++ b/arch/arm64/boot/dts/st/stm32mp257f-ev1.dts @@ -197,6 +197,7 @@ &i2c8 { &ommanager { memory-region = <&mm_ospi1>; + memory-region-names = "ospi1"; pinctrl-0 = <&ospi_port1_clk_pins_a &ospi_port1_io03_pins_a &ospi_port1_cs0_pins_a>; --- base-commit: 038d61fd642278bab63ee8ef722c50d10ab01e8f change-id: 20250806-upstream_fix_dts_omm-c006b69042f1 Best regards, -- Patrice Chotard <patrice.chotard(a)foss.st.com>

3 months, 2 weeks

[PATCH v5 8/8] iommu/sva: Invalidate stale IOTLB entries for kernel address space

by Lu Baolu

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. A Use-After-Free (UAF) and Write-After-Free (WAF) condition arises when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. To mitigate this, a new IOMMU interface is introduced to flush IOTLB entries for the kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically before any kernel page table page is freed and reused. This addresses the main issue with vfree() which is a common occurrence and can be triggered by unprivileged users. While this resolves the primary problem, it doesn't address some extremely rare case related to memory unplug of memory that was present as reserved memory at boot, which cannot be triggered by unprivileged users. The discussion can be found at the link below. Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Cc: stable(a)vger.kernel.org Suggested-by: Jann Horn <jannh(a)google.com> Co-developed-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg(a)nvidia.com> Reviewed-by: Vasant Hegde <vasant.hegde(a)amd.com> Reviewed-by: Kevin Tian <kevin.tian(a)intel.com> Link: https://lore.kernel.org/linux-iommu/04983c62-3b1d-40d4-93ae-34ca04b827e5@in… --- drivers/iommu/iommu-sva.c | 29 ++++++++++++++++++++++++++++- include/linux/iommu.h | 4 ++++ mm/pgtable-generic.c | 2 ++ 3 files changed, 34 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c index 1a51cfd82808..d236aef80a8d 100644 --- a/drivers/iommu/iommu-sva.c +++ b/drivers/iommu/iommu-sva.c @@ -10,6 +10,8 @@ #include "iommu-priv.h" static DEFINE_MUTEX(iommu_sva_lock); +static bool iommu_sva_present; +static LIST_HEAD(iommu_sva_mms); static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, struct mm_struct *mm); @@ -42,6 +44,7 @@ static struct iommu_mm_data *iommu_alloc_mm_data(struct mm_struct *mm, struct de return ERR_PTR(-ENOSPC); } iommu_mm->pasid = pasid; + iommu_mm->mm = mm; INIT_LIST_HEAD(&iommu_mm->sva_domains); /* * Make sure the write to mm->iommu_mm is not reordered in front of @@ -132,8 +135,13 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm if (ret) goto out_free_domain; domain->users = 1; - list_add(&domain->next, &mm->iommu_mm->sva_domains); + if (list_empty(&iommu_mm->sva_domains)) { + if (list_empty(&iommu_sva_mms)) + iommu_sva_present = true; + list_add(&iommu_mm->mm_list_elm, &iommu_sva_mms); + } + list_add(&domain->next, &iommu_mm->sva_domains); out: refcount_set(&handle->users, 1); mutex_unlock(&iommu_sva_lock); @@ -175,6 +183,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle) list_del(&domain->next); iommu_domain_free(domain); } + + if (list_empty(&iommu_mm->sva_domains)) { + list_del(&iommu_mm->mm_list_elm); + if (list_empty(&iommu_sva_mms)) + iommu_sva_present = false; + } + mutex_unlock(&iommu_sva_lock); kfree(handle); } @@ -312,3 +327,15 @@ static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, return domain; } + +void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) +{ + struct iommu_mm_data *iommu_mm; + + guard(mutex)(&iommu_sva_lock); + if (!iommu_sva_present) + return; + + list_for_each_entry(iommu_mm, &iommu_sva_mms, mm_list_elm) + mmu_notifier_arch_invalidate_secondary_tlbs(iommu_mm->mm, start, end); +} diff --git a/include/linux/iommu.h b/include/linux/iommu.h index c30d12e16473..66e4abb2df0d 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -1134,7 +1134,9 @@ struct iommu_sva { struct iommu_mm_data { u32 pasid; + struct mm_struct *mm; struct list_head sva_domains; + struct list_head mm_list_elm; }; int iommu_fwspec_init(struct device *dev, struct fwnode_handle *iommu_fwnode); @@ -1615,6 +1617,7 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm); void iommu_sva_unbind_device(struct iommu_sva *handle); u32 iommu_sva_get_pasid(struct iommu_sva *handle); +void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end); #else static inline struct iommu_sva * iommu_sva_bind_device(struct device *dev, struct mm_struct *mm) @@ -1639,6 +1642,7 @@ static inline u32 mm_get_enqcmd_pasid(struct mm_struct *mm) } static inline void mm_pasid_drop(struct mm_struct *mm) {} +static inline void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) {} #endif /* CONFIG_IOMMU_SVA */ #ifdef CONFIG_IOMMU_IOPF diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 0279399d4910..2717dc9afff0 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -13,6 +13,7 @@ #include <linux/swap.h> #include <linux/swapops.h> #include <linux/mm_inline.h> +#include <linux/iommu.h> #include <asm/pgalloc.h> #include <asm/tlb.h> @@ -430,6 +431,7 @@ static void kernel_pgtable_work_func(struct work_struct *work) list_splice_tail_init(&kernel_pgtable_work.list, &page_list); spin_unlock(&kernel_pgtable_work.lock); + iommu_sva_invalidate_kva_range(PAGE_OFFSET, TLB_FLUSH_ALL); list_for_each_entry_safe(pt, next, &page_list, pt_list) __pagetable_free(pt); } -- 2.43.0

3 months, 2 weeks

[PATCH v2] clocksource: clps711x: Fix resource leaks in error paths

by Zhen Ni

The current implementation of clps711x_timer_init() has multiple error paths that directly return without releasing the base I/O memory mapped via of_iomap(). Fix of_iomap leaks in err paths. Fixes: 04410efbb6bc ("clocksource/drivers/clps711x: Convert init function to return error") Fixes: 2a6a8e2d9004 ("clocksource/drivers/clps711x: Remove board support") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- changes in v2: - Add tags of 'Fixes' and 'Cc' - Reduce detailed enumeration of err paths - Omit a pointer check before iounmap() - Change goto target from out to unmap_io --- drivers/clocksource/clps711x-timer.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/clocksource/clps711x-timer.c b/drivers/clocksource/clps711x-timer.c index e95fdc49c226..bbceb0289d45 100644 --- a/drivers/clocksource/clps711x-timer.c +++ b/drivers/clocksource/clps711x-timer.c @@ -78,24 +78,33 @@ static int __init clps711x_timer_init(struct device_node *np) unsigned int irq = irq_of_parse_and_map(np, 0); struct clk *clock = of_clk_get(np, 0); void __iomem *base = of_iomap(np, 0); + int ret = 0; if (!base) return -ENOMEM; - if (!irq) - return -EINVAL; - if (IS_ERR(clock)) - return PTR_ERR(clock); + if (!irq) { + ret = -EINVAL; + goto unmap_io; + } + if (IS_ERR(clock)) { + ret = PTR_ERR(clock); + goto unmap_io; + } switch (of_alias_get_id(np, "timer")) { case CLPS711X_CLKSRC_CLOCKSOURCE: clps711x_clksrc_init(clock, base); break; case CLPS711X_CLKSRC_CLOCKEVENT: - return _clps711x_clkevt_init(clock, base, irq); + ret = _clps711x_clkevt_init(clock, base, irq); + break; default: - return -EINVAL; + ret = -EINVAL; + break; } - return 0; +unmap_io: + iounmap(base); + return ret; } TIMER_OF_DECLARE(clps711x, "cirrus,ep7209-timer", clps711x_timer_init); -- 2.20.1

3 months, 2 weeks

New September Order. 49038 Friday, September 19, 2025 at 05:26:37 AM

by Info - Albinayah 004

Hi Stable, Please provide a quote for your products: Include: 1.Pricing (per unit) 2.Delivery cost & timeline 3.Quote expiry date Deadline: September Thanks! Kamal Prasad Albinayah Trading

3 months, 2 weeks

[PATCH] RDMA/rxe: Fix race in do_task() when draining

by Gui-Dong Han

When do_task() exhausts its RXE_MAX_ITERATIONS budget, it unconditionally sets the task state to TASK_STATE_IDLE to reschedule. This overwrites the TASK_STATE_DRAINING state that may have been concurrently set by rxe_cleanup_task() or rxe_disable_task(). This race condition breaks the cleanup and disable logic, which expects the task to stop processing new work. The cleanup code may proceed while do_task() reschedules itself, leading to a potential use-after-free. This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost. Fix this by restoring the original behavior. If the state is TASK_STATE_DRAINING when iterations are exhausted, continue the loop by setting cont to 1. This allows new iterations to finish the remaining work and reach the switch statement, which properly transitions the state to TASK_STATE_DRAINED and stops the task as intended. Fixes: 9b4b7c1f9f54 ("RDMA/rxe: Add workqueue support for rxe tasks") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> --- drivers/infiniband/sw/rxe/rxe_task.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c index 6f8f353e9583..f522820b950c 100644 --- a/drivers/infiniband/sw/rxe/rxe_task.c +++ b/drivers/infiniband/sw/rxe/rxe_task.c @@ -132,8 +132,12 @@ static void do_task(struct rxe_task *task) * yield the cpu and reschedule the task */ if (!ret) { - task->state = TASK_STATE_IDLE; - resched = 1; + if (task->state != TASK_STATE_DRAINING) { + task->state = TASK_STATE_IDLE; + resched = 1; + } else { + cont = 1; + } goto exit; } -- 2.25.1

3 months, 2 weeks

[PATCH] scsi: hptiop: Add check for device-provided context pointer in ITL callback

by Guangshuo Li

An untrusted device may return a NULL context pointer in the request header. hptiop_iop_request_callback_itl() dereferences that pointer unconditionally to write result fields and to invoke arg->done(), which can cause a NULL pointer dereference. Add a NULL check for the reconstructed context pointer. If it is NULL, acknowledge the request by writing the tag to the outbound queue and return early. Fixes: ede1e6f8b432 ("[SCSI] hptiop: HighPoint RocketRAID 3xxx controller driver") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- drivers/scsi/hptiop.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/scsi/hptiop.c b/drivers/scsi/hptiop.c index 21f1d9871a33..2b29cd83ce5e 100644 --- a/drivers/scsi/hptiop.c +++ b/drivers/scsi/hptiop.c @@ -812,6 +812,11 @@ static void hptiop_iop_request_callback_itl(struct hptiop_hba *hba, u32 tag) (readl(&req->context) | ((u64)readl(&req->context_hi32)<<32)); + if (!arg) { + writel(tag, &hba->u.itl.iop->outbound_queue); + return; + } + if (readl(&req->result) == IOP_RESULT_SUCCESS) { arg->result = HPT_IOCTL_RESULT_OK; -- 2.43.0

3 months, 2 weeks

[PATCH rtw v4 1/4] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()

by Fedor Pchelkin

There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025 Workqueue: events_unbound cfg80211_wiphy_work [cfg80211] Use-after-free write at 0x0000000020309d9d (in kfence-#251): rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago): __alloc_skb net/core/skbuff.c:659 __netdev_alloc_skb net/core/skbuff.c:734 ieee80211_nullfunc_get net/mac80211/tx.c:5844 rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago): ieee80211_tx_status_skb net/mac80211/status.c:1117 rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564 rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651 rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676 rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238 __napi_poll net/core/dev.c:7495 net_rx_action net/core/dev.c:7557 net/core/dev.c:7684 handle_softirqs kernel/softirq.c:580 do_softirq.part.0 kernel/softirq.c:480 __local_bh_enable_ip kernel/softirq.c:407 rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927 irq_thread_fn kernel/irq/manage.c:1133 irq_thread kernel/irq/manage.c:1257 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 It is a consequence of a race between the waiting and the signaling side of the completion: Waiting thread Completing thread rtw89_core_tx_kick_off_and_wait() rcu_assign_pointer(skb_data->wait, wait) /* start waiting */ wait_for_completion_timeout() rtw89_pci_tx_status() rtw89_core_tx_wait_complete() rcu_read_lock() /* signals completion and * proceeds further */ complete(&wait->completion) rcu_read_unlock() ... /* frees skb_data */ ieee80211_tx_status_ni() /* returns (exit status doesn't matter) */ wait_for_completion_timeout() ... /* accesses the already freed skb_data */ rcu_assign_pointer(skb_data->wait, NULL) The completing side might proceed and free the underlying skb even before the waiting side is fully awoken and run to execution. Actually the race happens regardless of wait_for_completion_timeout() exit status, e.g. the waiting side may hit a timeout and the concurrent completing side is still able to free the skb. Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the driver. They don't come from core ieee80211 stack so no need to pass them to ieee80211_tx_status_ni() on completing side. Introduce a work function which will act as a garbage collector for rtw89_tx_wait_info objects and the associated skbs. Thus no potentially heavy locks are required on the completing side. Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Suggested-by: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v4: - fill wait's fields before publishing (Zong-Zhe) - leave dev_kfree_skb_any + kfree_rcu for tx_wait release (Zong-Zhe) v3: - decrease waiting timeout in rtw89_tx_wait_work() (Zong-Zhe) - clear tx_waits list from rtw89_hci_reset(), too (Zong-Zhe) - keep RCU updating for skb_data->wait (Zong-Zhe) - keep the old order of calls in rtw89_pci_tx_status() (Zong-Zhe) - drop wait->finished as complete_all() would make the completion be done permanently v2: - use a work function to manage release of tx_waits and associated skbs (Zong-Zhe) drivers/net/wireless/realtek/rtw89/core.c | 29 ++++++++++++++---- drivers/net/wireless/realtek/rtw89/core.h | 36 +++++++++++++++++++++-- drivers/net/wireless/realtek/rtw89/pci.c | 3 +- drivers/net/wireless/realtek/rtw89/ser.c | 2 ++ 4 files changed, 61 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index 57590f5577a3..438930b65631 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1073,6 +1073,14 @@ rtw89_core_tx_update_desc_info(struct rtw89_dev *rtwdev, } } +static void rtw89_tx_wait_work(struct wiphy *wiphy, struct wiphy_work *work) +{ + struct rtw89_dev *rtwdev = container_of(work, struct rtw89_dev, + tx_wait_work); + + rtw89_tx_wait_list_clear(rtwdev); +} + void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) { u8 ch_dma; @@ -1090,6 +1098,8 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk unsigned long time_left; int ret = 0; + lockdep_assert_wiphy(rtwdev->hw->wiphy); + wait = kzalloc(sizeof(*wait), GFP_KERNEL); if (!wait) { rtw89_core_tx_kick_off(rtwdev, qsel); @@ -1097,18 +1107,22 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk } init_completion(&wait->completion); + wait->skb = skb; rcu_assign_pointer(skb_data->wait, wait); rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); - if (time_left == 0) - ret = -ETIMEDOUT; - else if (!wait->tx_done) - ret = -EAGAIN; - rcu_assign_pointer(skb_data->wait, NULL); - kfree_rcu(wait, rcu_head); + if (time_left == 0) { + ret = -ETIMEDOUT; + list_add_tail(&wait->list, &rtwdev->tx_waits); + wiphy_work_queue(rtwdev->hw->wiphy, &rtwdev->tx_wait_work); + } else { + if (!wait->tx_done) + ret = -EAGAIN; + rtw89_tx_wait_release(wait); + } return ret; } @@ -4972,6 +4986,7 @@ void rtw89_core_stop(struct rtw89_dev *rtwdev) clear_bit(RTW89_FLAG_RUNNING, rtwdev->flags); wiphy_work_cancel(wiphy, &rtwdev->c2h_work); + wiphy_work_cancel(wiphy, &rtwdev->tx_wait_work); wiphy_work_cancel(wiphy, &rtwdev->cancel_6ghz_probe_work); wiphy_work_cancel(wiphy, &btc->eapol_notify_work); wiphy_work_cancel(wiphy, &btc->arp_notify_work); @@ -5203,6 +5218,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) INIT_LIST_HEAD(&rtwdev->scan_info.pkt_list[band]); } INIT_LIST_HEAD(&rtwdev->scan_info.chan_list); + INIT_LIST_HEAD(&rtwdev->tx_waits); INIT_WORK(&rtwdev->ba_work, rtw89_core_ba_work); INIT_WORK(&rtwdev->txq_work, rtw89_core_txq_work); INIT_DELAYED_WORK(&rtwdev->txq_reinvoke_work, rtw89_core_txq_reinvoke_work); @@ -5233,6 +5249,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) wiphy_work_init(&rtwdev->c2h_work, rtw89_fw_c2h_work); wiphy_work_init(&rtwdev->ips_work, rtw89_ips_work); wiphy_work_init(&rtwdev->cancel_6ghz_probe_work, rtw89_cancel_6ghz_probe_work); + wiphy_work_init(&rtwdev->tx_wait_work, rtw89_tx_wait_work); INIT_WORK(&rtwdev->load_firmware_work, rtw89_load_firmware_work); skb_queue_head_init(&rtwdev->c2h_queue); diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index 43e10278e14d..b5586603f027 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -3506,9 +3506,12 @@ struct rtw89_phy_rate_pattern { bool enable; }; +#define RTW89_TX_WAIT_DEFAULT_TIMEOUT msecs_to_jiffies(10) struct rtw89_tx_wait_info { struct rcu_head rcu_head; + struct list_head list; struct completion completion; + struct sk_buff *skb; bool tx_done; }; @@ -5925,6 +5928,9 @@ struct rtw89_dev { /* used to protect rpwm */ spinlock_t rpwm_lock; + struct list_head tx_waits; + struct wiphy_work tx_wait_work; + struct rtw89_cam_info cam_info; struct sk_buff_head c2h_queue; @@ -6181,6 +6187,27 @@ rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid) list_first_entry_or_null(&p->dlink_pool, typeof(*p->links_inst), dlink_schd); \ }) +static inline void rtw89_tx_wait_release(struct rtw89_tx_wait_info *wait) +{ + dev_kfree_skb_any(wait->skb); + kfree_rcu(wait, rcu_head); +} + +static inline void rtw89_tx_wait_list_clear(struct rtw89_dev *rtwdev) +{ + struct rtw89_tx_wait_info *wait, *tmp; + + lockdep_assert_wiphy(rtwdev->hw->wiphy); + + list_for_each_entry_safe(wait, tmp, &rtwdev->tx_waits, list) { + if (!wait_for_completion_timeout(&wait->completion, + RTW89_TX_WAIT_DEFAULT_TIMEOUT)) + continue; + list_del(&wait->list); + rtw89_tx_wait_release(wait); + } +} + static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev, struct rtw89_core_tx_request *tx_req) { @@ -6190,6 +6217,7 @@ static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev, static inline void rtw89_hci_reset(struct rtw89_dev *rtwdev) { rtwdev->hci.ops->reset(rtwdev); + rtw89_tx_wait_list_clear(rtwdev); } static inline int rtw89_hci_start(struct rtw89_dev *rtwdev) @@ -7258,11 +7286,12 @@ static inline struct sk_buff *rtw89_alloc_skb_for_rx(struct rtw89_dev *rtwdev, return dev_alloc_skb(length); } -static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, +static inline bool rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data, bool tx_done) { struct rtw89_tx_wait_info *wait; + bool ret = false; rcu_read_lock(); @@ -7270,11 +7299,14 @@ static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, if (!wait) goto out; + ret = true; wait->tx_done = tx_done; - complete(&wait->completion); + /* Don't access skb anymore after completion */ + complete_all(&wait->completion); out: rcu_read_unlock(); + return ret; } static inline bool rtw89_is_mlo_1_1(struct rtw89_dev *rtwdev) diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index a669f2f843aa..4e3034b44f56 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -464,7 +464,8 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct ieee80211_tx_info *info; - rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE); + if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE)) + return; info = IEEE80211_SKB_CB(skb); ieee80211_tx_info_clear_status(info); diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireless/realtek/rtw89/ser.c index bb39fdbcba0d..fe7beff8c424 100644 --- a/drivers/net/wireless/realtek/rtw89/ser.c +++ b/drivers/net/wireless/realtek/rtw89/ser.c @@ -502,7 +502,9 @@ static void ser_reset_trx_st_hdl(struct rtw89_ser *ser, u8 evt) } drv_stop_rx(ser); + wiphy_lock(wiphy); drv_trx_reset(ser); + wiphy_unlock(wiphy); /* wait m3 */ hal_send_m2_event(ser); -- 2.51.0

3 months, 2 weeks

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror