- Linux-stable-mirror - lists.linaro.org

[PATCH v3] w1: therm: Fix off-by-one buffer overflow in alarms_store

by Thorsten Blum

The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtol() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. Cc: stable(a)vger.kernel.org Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- Compile-tested only. Changes in v3: - Add integer range check for 'temp' to match kstrtoint() behavior - Explicitly cast 'temp' to int when calling int_to_short() - Link to v2: https://lore.kernel.org/lkml/20251029130045.70127-2-thorsten.blum@linux.dev/ Changes in v2: - Fix buffer overflow instead of truncating the copy using strscpy() - Parse buffer directly using simple_strtol() as suggested by David - Update patch subject and description - Link to v1: https://lore.kernel.org/lkml/20251017170047.114224-2-thorsten.blum@linux.de… --- drivers/w1/slaves/w1_therm.c | 102 ++++++++++++----------------------- 1 file changed, 35 insertions(+), 67 deletions(-) diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c index 9ccedb3264fb..1dad9fa1ec4a 100644 --- a/drivers/w1/slaves/w1_therm.c +++ b/drivers/w1/slaves/w1_therm.c @@ -1836,59 +1836,32 @@ static ssize_t alarms_store(struct device *device, struct w1_slave *sl = dev_to_w1_slave(device); struct therm_info info; u8 new_config_register[3]; /* array of data to be written */ - int temp, ret; - char *token = NULL; + long temp; + int ret; s8 tl, th; /* 1 byte per value + temp ring order */ - char *p_args, *orig; + const char *p = buf; + char *endp; - p_args = orig = kmalloc(size, GFP_KERNEL); - /* Safe string copys as buf is const */ - if (!p_args) { - dev_warn(device, - "%s: error unable to allocate memory %d\n", - __func__, -ENOMEM); - return size; + temp = simple_strtol(p, &endp, 10); + if (temp < INT_MIN || temp > INT_MAX || p == endp || *endp != ' ') { + dev_info(device, "%s: error parsing args %d\n", + __func__, -EINVAL); + goto err; } - strcpy(p_args, buf); - - /* Split string using space char */ - token = strsep(&p_args, " "); + /* Cast to short to eliminate out of range values */ + tl = int_to_short((int)temp); - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - - /* Convert 1st entry to int */ - ret = kstrtoint (token, 10, &temp); - if (ret) { - dev_info(device, - "%s: error parsing args %d\n", __func__, ret); - goto free_m; - } - - tl = int_to_short(temp); - - /* Split string using space char */ - token = strsep(&p_args, " "); - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - /* Convert 2nd entry to int */ - ret = kstrtoint (token, 10, &temp); - if (ret) { - dev_info(device, - "%s: error parsing args %d\n", __func__, ret); - goto free_m; + p = endp + 1; + temp = simple_strtol(p, &endp, 10); + if (temp < INT_MIN || temp > INT_MAX || p == endp) { + dev_info(device, "%s: error parsing args %d\n", + __func__, -EINVAL); + goto err; } + /* Cast to short to eliminate out of range values */ + th = int_to_short((int)temp); - /* Prepare to cast to short by eliminating out of range values */ - th = int_to_short(temp); - - /* Reorder if required th and tl */ + /* Reorder if required */ if (tl > th) swap(tl, th); @@ -1897,35 +1870,30 @@ static ssize_t alarms_store(struct device *device, * (th : byte 2 - tl: byte 3) */ ret = read_scratchpad(sl, &info); - if (!ret) { - new_config_register[0] = th; /* Byte 2 */ - new_config_register[1] = tl; /* Byte 3 */ - new_config_register[2] = info.rom[4];/* Byte 4 */ - } else { - dev_info(device, - "%s: error reading from the slave device %d\n", - __func__, ret); - goto free_m; + if (ret) { + dev_info(device, "%s: error reading from the slave device %d\n", + __func__, ret); + goto err; } + new_config_register[0] = th; /* Byte 2 */ + new_config_register[1] = tl; /* Byte 3 */ + new_config_register[2] = info.rom[4]; /* Byte 4 */ /* Write data in the device RAM */ if (!SLAVE_SPECIFIC_FUNC(sl)) { - dev_info(device, - "%s: Device not supported by the driver %d\n", - __func__, -ENODEV); - goto free_m; + dev_info(device, "%s: Device not supported by the driver %d\n", + __func__, -ENODEV); + goto err; } ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register); - if (ret) - dev_info(device, - "%s: error writing to the slave device %d\n", + if (ret) { + dev_info(device, "%s: error writing to the slave device %d\n", __func__, ret); + goto err; + } -free_m: - /* free allocated memory */ - kfree(orig); - +err: return size; } -- 2.51.0

2 weeks, 3 days

3
4
0 0

[PATCH] drm/sched: Fix UB in spsc_queue

by Philipp Stanner

The spsc_queue is an unlocked, highly asynchronous piece of infrastructure. Its inline function spsc_queue_peek() obtains the head entry of the queue. This access is performed without READ_ONCE() and is, therefore, undefined behavior. In order to prevent the compiler from ever reordering that access, or even optimizing it away, a READ_ONCE() is strictly necessary. This is easily proven by the fact that spsc_queue_pop() uses this very pattern to access the head. Add READ_ONCE() to spsc_queue_peek(). Cc: stable(a)vger.kernel.org # v4.16+ Fixes: 27105db6c63a ("drm/amdgpu: Add SPSC queue to scheduler.") Signed-off-by: Philipp Stanner <phasta(a)kernel.org> --- I think this makes it less broken, but I'm not even sure if it's enough or more memory barriers or an rcu_dereference() would be correct. The spsc_queue is, of course, not documented and the existing barrier comments are either false or not telling. If someone has an idea, shoot us the info. Otherwise I think this is the right thing to do for now. P. --- include/drm/spsc_queue.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/drm/spsc_queue.h b/include/drm/spsc_queue.h index ee9df8cc67b7..39bada748ffc 100644 --- a/include/drm/spsc_queue.h +++ b/include/drm/spsc_queue.h @@ -54,7 +54,7 @@ static inline void spsc_queue_init(struct spsc_queue *queue) static inline struct spsc_node *spsc_queue_peek(struct spsc_queue *queue) { - return queue->head; + return READ_ONCE(queue->head); } static inline int spsc_queue_count(struct spsc_queue *queue) -- 2.49.0

2 weeks, 3 days

3
8
0 0

[PATCH] Revert "mm, swap: avoid redundant swap device pinning"

by Kairui Song via B4 Relay

From: Kairui Song <kasong(a)tencent.com> This reverts commit 78524b05f1a3e16a5d00cc9c6259c41a9d6003ce. While reviewing recent leaf entry changes, I noticed that commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning") isn't correct. It's true that most all callers of __read_swap_cache_async are already holding a swap entry reference, so the repeated swap device pinning isn't needed on the same swap device, but it is possible that VMA readahead (swap_vma_readahead()) may encounter swap entries from a different swap device when there are multiple swap devices, and call __read_swap_cache_async without holding a reference to that swap device. So it is possible to cause a UAF if swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger but in theory possible to cause real issues. And besides, that commit made swap more vulnerable to issues like corrupted page tables. Just revert it. __read_swap_cache_async isn't that sensitive to performance after all, as it's mostly used for SSD/HDD swap devices with readahead. SYNCHRONOUS_IO devices may fallback onto it for swap count > 1 entries, but very soon we will have a new helper and routine for such devices, so they will never touch this helper or have redundant swap device reference overhead. Fixes: 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning") Signed-off-by: Kairui Song <kasong(a)tencent.com> --- mm/swap_state.c | 14 ++++++-------- mm/zswap.c | 8 +------- 2 files changed, 7 insertions(+), 15 deletions(-) diff --git a/mm/swap_state.c b/mm/swap_state.c index 3f85a1c4cfd9..0c25675de977 100644 --- a/mm/swap_state.c +++ b/mm/swap_state.c @@ -406,13 +406,17 @@ struct folio *__read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask, struct mempolicy *mpol, pgoff_t ilx, bool *new_page_allocated, bool skip_if_exists) { - struct swap_info_struct *si = __swap_entry_to_info(entry); + struct swap_info_struct *si; struct folio *folio; struct folio *new_folio = NULL; struct folio *result = NULL; void *shadow = NULL; *new_page_allocated = false; + si = get_swap_device(entry); + if (!si) + return NULL; + for (;;) { int err; @@ -499,6 +503,7 @@ struct folio *__read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask, put_swap_folio(new_folio, entry); folio_unlock(new_folio); put_and_return: + put_swap_device(si); if (!(*new_page_allocated) && new_folio) folio_put(new_folio); return result; @@ -518,16 +523,11 @@ struct folio *read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask, struct vm_area_struct *vma, unsigned long addr, struct swap_iocb **plug) { - struct swap_info_struct *si; bool page_allocated; struct mempolicy *mpol; pgoff_t ilx; struct folio *folio; - si = get_swap_device(entry); - if (!si) - return NULL; - mpol = get_vma_policy(vma, addr, 0, &ilx); folio = __read_swap_cache_async(entry, gfp_mask, mpol, ilx, &page_allocated, false); @@ -535,8 +535,6 @@ struct folio *read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask, if (page_allocated) swap_read_folio(folio, plug); - - put_swap_device(si); return folio; } diff --git a/mm/zswap.c b/mm/zswap.c index 5d0f8b13a958..aefe71fd160c 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -1005,18 +1005,12 @@ static int zswap_writeback_entry(struct zswap_entry *entry, struct folio *folio; struct mempolicy *mpol; bool folio_was_allocated; - struct swap_info_struct *si; int ret = 0; /* try to allocate swap cache folio */ - si = get_swap_device(swpentry); - if (!si) - return -EEXIST; - mpol = get_task_policy(current); folio = __read_swap_cache_async(swpentry, GFP_KERNEL, mpol, - NO_INTERLEAVE_INDEX, &folio_was_allocated, true); - put_swap_device(si); + NO_INTERLEAVE_INDEX, &folio_was_allocated, true); if (!folio) return -ENOMEM; --- base-commit: 02dafa01ec9a00c3758c1c6478d82fe601f5f1ba change-id: 20251109-revert-78524b05f1a3-04a1295bef8a Best regards, -- Kairui Song <kasong(a)tencent.com>

2 weeks, 3 days

4
8
0 0

[PATCH net v5 1/3] mptcp: disallow MPTCP subflows from sockmap

by Jiayuan Chen

The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' Consider two scenarios: 1. When the server has MPTCP enabled and the client also requests MPTCP, the sk passed to the BPF program is a subflow sk. Since subflows only handle partial data, replacing their sk_prot is meaningless and will cause traffic disruption. 2. When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops() converts the subflow to plain TCP. For the first case, we should prevent it from being combined with sockmap by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by sockmap's own flow. For the second case, since subflow_syn_recv_sock() has already restored sk_prot to native tcp_prot/tcpv6_prot, no further action is needed. Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Cc: <stable(a)vger.kernel.org> Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/subflow.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index e8325890a322..af707ce0f624 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -2144,6 +2144,10 @@ void __init mptcp_subflow_init(void) tcp_prot_override = tcp_prot; tcp_prot_override.release_cb = tcp_release_cb_override; tcp_prot_override.diag_destroy = tcp_abort_override; +#ifdef CONFIG_BPF_SYSCALL + /* Disable sockmap processing for subflows */ + tcp_prot_override.psock_update_sk_prot = NULL; +#endif #if IS_ENABLED(CONFIG_MPTCP_IPV6) /* In struct mptcp_subflow_request_sock, we assume the TCP request sock @@ -2180,6 +2184,10 @@ void __init mptcp_subflow_init(void) tcpv6_prot_override = tcpv6_prot; tcpv6_prot_override.release_cb = tcp_release_cb_override; tcpv6_prot_override.diag_destroy = tcp_abort_override; +#ifdef CONFIG_BPF_SYSCALL + /* Disable sockmap processing for subflows */ + tcpv6_prot_override.psock_update_sk_prot = NULL; +#endif #endif mptcp_diag_subflow_init(&subflow_ulp_ops); -- 2.43.0

2 weeks, 3 days

1
0
0 0

[REGRESSION] stable-rc/linux-6.12.y: (build) passing argument 1 of ‘linkmode_fill’ makes pointer from integer w...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.12.y: --- passing argument 1 of ‘linkmode_fill’ makes pointer from integer without a cast [-Werror=int-conversion] in drivers/net/phy/phy_device.o (drivers/net/phy/phy_device.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:5904322dbb62197106ccc331a9b38bcced1cdf30 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 44c21f603a9a2b315280fc66ec569fb726e51fac Log excerpt: ===================================================== drivers/net/phy/phy_device.c:3061:29: error: passing argument 1 of ‘linkmode_fill’ makes pointer from integer without a cast [-Werror=int-conversion] 3061 | linkmode_fill(phydev->eee_broken_modes); | ~~~~~~^~~~~~~~~~~~~~~~~~ | | | u32 {aka unsigned int} In file included from ./include/linux/mii.h:13, from ./include/uapi/linux/mdio.h:15, from ./include/linux/mdio.h:9, from drivers/net/phy/phy_device.c:23: ./include/linux/linkmode.h:13:49: note: expected ‘long unsigned int *’ but argument is of type ‘u32’ {aka ‘unsigned int’} 13 | static inline void linkmode_fill(unsigned long *dst) | ~~~~~~~~~~~~~~~^~~ CC drivers/input/ff-core.o CC drivers/net/phy/linkmode.o AR drivers/input/touchscreen/built-in.a CC drivers/input/touchscreen.o CC drivers/input/ff-memless.o CC drivers/rtc/nvmem.o CC drivers/input/matrix-keymap.o CC drivers/mtd/mtdchar.o CC drivers/net/phy/phy_link_topology.o CC drivers/input/vivaldi-fmap.o cc1: all warnings being treated as errors ===================================================== # Builds where the incident occurred: ## cros://chromeos-6.12/arm64/chromiumos-mediatek.flavour.config+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (arm64): - compiler: gcc-12 - config: https://files.kernelci.org/kbuild-gcc-12-arm64-chromeos-mediatek-691292a32f… - dashboard: https://d.kernelci.org/build/maestro:691292a32fd2377ea9956eb0 ## cros://chromeos-6.12/arm64/chromiumos-qualcomm.flavour.config+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (arm64): - compiler: gcc-12 - config: https://files.kernelci.org/kbuild-gcc-12-arm64-chromeos-qualcomm-691292a82f… - dashboard: https://d.kernelci.org/build/maestro:691292a82fd2377ea9956ed3 ## cros://chromeos-6.12/x86_64/chromeos-amd-stoneyridge.flavour.config+lab-setup+x86-board+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (x86_64): - compiler: gcc-12 - config: https://files.kernelci.org/kbuild-gcc-12-x86-chromeos-amd-691292ad2fd2377ea… - dashboard: https://d.kernelci.org/build/maestro:691292ad2fd2377ea9956ed6 ## cros://chromeos-6.12/x86_64/chromeos-intel-pineview.flavour.config+lab-setup+x86-board+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (x86_64): - compiler: gcc-12 - config: https://files.kernelci.org/kbuild-gcc-12-x86-chromeos-intel-691292b32fd2377… - dashboard: https://d.kernelci.org/build/maestro:691292b32fd2377ea9956ee6 ## defconfig+kcidebug+x86-board on (i386): - compiler: gcc-12 - config: https://files.kernelci.org/kbuild-gcc-12-x86-kcidebug-691292932fd2377ea9956… - dashboard: https://d.kernelci.org/build/maestro:691292932fd2377ea9956e4c ## x86_64_defconfig+lab-setup+x86-board+kselftest on (x86_64): - compiler: gcc-12 - config: https://files.kernelci.org/kbuild-gcc-12-x86-691292892fd2377ea9956e40/.conf… - dashboard: https://d.kernelci.org/build/maestro:691292892fd2377ea9956e40 #kernelci issue maestro:5904322dbb62197106ccc331a9b38bcced1cdf30 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 3 days

1
0
0 0

[REGRESSION] stable-rc/linux-6.12.y: (build) incompatible integer to pointer conversion passing 'u32' (aka 'uns...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.12.y: --- incompatible integer to pointer conversion passing 'u32' (aka 'unsigned int') to parameter of type 'unsigned long *' [-Wint-conversion] in drivers/net/phy/phy_device.o (drivers/net/phy/phy_device.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:ca6f6d9806fc2b70ae08b439179af266398dd55e - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 44c21f603a9a2b315280fc66ec569fb726e51fac Log excerpt: ===================================================== drivers/net/phy/phy_device.c:3061:16: error: incompatible integer to pointer conversion passing 'u32' (aka 'unsigned int') to parameter of type 'unsigned long *' [-Wint-conversion] 3061 | linkmode_fill(phydev->eee_broken_modes); | ^~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/linkmode.h:13:49: note: passing argument to parameter 'dst' here 13 | static inline void linkmode_fill(unsigned long *dst) | ^ CC drivers/gpu/drm/i915/gt/intel_gtt.o 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - config: https://files.kernelci.org/kbuild-clang-17-arm-allmodconfig-6912921d2fd2377… - dashboard: https://d.kernelci.org/build/maestro:6912921d2fd2377ea9956acc ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-17 - config: https://files.kernelci.org/kbuild-clang-17-i386-allmodconfig-6912926a2fd237… - dashboard: https://d.kernelci.org/build/maestro:6912926a2fd2377ea9956bce ## multi_v7_defconfig on (arm): - compiler: clang-17 - config: https://files.kernelci.org/kbuild-clang-17-arm-691292192fd2377ea9956ac9/.co… - dashboard: https://d.kernelci.org/build/maestro:691292192fd2377ea9956ac9 ## x86_64_defconfig on (x86_64): - compiler: clang-17 - config: https://files.kernelci.org/kbuild-clang-17-x86-691292272fd2377ea9956ad4/.co… - dashboard: https://d.kernelci.org/build/maestro:691292272fd2377ea9956ad4 #kernelci issue maestro:ca6f6d9806fc2b70ae08b439179af266398dd55e Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 3 days

1
0
0 0

[REGRESSION] stable-rc/linux-5.4.y: (build) clang: error: linker command failed with exit code 1 (use -v to se...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.4.y: --- clang: error: linker command failed with exit code 1 (use -v to see invocation) in samples/seccomp/bpf-fancy (scripts/Makefile.host:116) [logspec:kbuild,kbuild.other] --- - dashboard: https://d.kernelci.org/i/maestro:9b282409ffe9399386349927812ed439dcc91837 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 350bc296cce9fcac34ec525a838f99ac76e33550 Log excerpt: ===================================================== .o /usr/bin/ld: cannot find crtbeginS.o: No such file or directory /usr/bin/ld: cannot find -lgcc: No such file or directory /usr/bin/ld: cannot find -lgcc_s: No such file or directory clang: error: linker command failed with exit code 1 (use -v to see invocation) ===================================================== # Builds where the incident occurred: ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-17 - config: https://files.kernelci.org/kbuild-clang-17-i386-allmodconfig-69128f652fd237… - dashboard: https://d.kernelci.org/build/maestro:69128f652fd2377ea99535c5 #kernelci issue maestro:9b282409ffe9399386349927812ed439dcc91837 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 3 days

1
0
0 0

[PATCH net v10 0/4] net: netpoll: fix memory leak and add comprehensive selftests

by Breno Leitao

Fix a memory leak in netpoll and introduce netconsole selftests that expose the issue when running with kmemleak detection enabled. This patchset includes a selftest for netpoll with multiple concurrent users (netconsole + bonding), which simulates the scenario from test[1] that originally demonstrated the issue allegedly fixed by commit efa95b01da18 ("netpoll: fix use after free") - a commit that is now being reverted. Sending this to "net" branch because this is a fix, and the selftest might help with the backports validation. Link: https://lore.kernel.org/lkml/96b940137a50e5c387687bb4f57de8b0435a653f.14048… [1] Signed-off-by: Breno Leitao <leitao(a)debian.org> --- Changes in v10: - Get rid of the create_and_enable_dynamic_target() (Simon) - Link to v9: https://lore.kernel.org/r/20251106-netconsole_torture-v9-0-f73cd147c13c@deb… Changes in v9: - Reordered the config entries in tools/testing/selftests/drivers/net/bonding/config (NIPA) - Link to v8: https://lore.kernel.org/r/20251104-netconsole_torture-v8-0-5288440e2fa0@deb… Changes in v8: - Sending it again, now that commit 1a8fed52f7be1 ("netdevsim: set the carrier when the device goes up") has landed in net - Created one namespace for TX and one for RX (Paolo) - Used additional helpers to create and delete netdevsim (Paolo) - Link to v7: https://lore.kernel.org/r/20251003-netconsole_torture-v7-0-aa92fcce62a9@deb… Changes in v7: - Rebased on top of `net` - Link to v6: https://lore.kernel.org/r/20251002-netconsole_torture-v6-0-543bf52f6b46@deb… Changes in v6: - Expand the tests even more and some small fixups - Moved the test to bonding selftests - Link to v5: https://lore.kernel.org/r/20250918-netconsole_torture-v5-0-77e25e0a4eb6@deb… Changes in v5: - Set CONFIG_BONDING=m in selftests/drivers/net/config. - Link to v4: https://lore.kernel.org/r/20250917-netconsole_torture-v4-0-0a5b3b8f81ce@deb… Changes in v4: - Added an additional selftest to test multiple netpoll users in parallel - Link to v3: https://lore.kernel.org/r/20250905-netconsole_torture-v3-0-875c7febd316@deb… Changes in v3: - This patchset is a merge of the fix and the selftest together as recommended by Jakub. Changes in v2: - Reuse the netconsole creation from lib_netcons.sh. Thus, refactoring the create_dynamic_target() (Jakub) - Move the "wait" to after all the messages has been sent. - Link to v1: https://lore.kernel.org/r/20250902-netconsole_torture-v1-1-03c6066598e9@deb… --- Breno Leitao (4): net: netpoll: fix incorrect refcount handling causing incorrect cleanup selftest: netcons: refactor target creation selftest: netcons: create a torture test selftest: netcons: add test for netconsole over bonded interfaces net/core/netpoll.c | 7 +- tools/testing/selftests/drivers/net/Makefile | 1 + .../testing/selftests/drivers/net/bonding/Makefile | 2 + tools/testing/selftests/drivers/net/bonding/config | 4 + .../drivers/net/bonding/netcons_over_bonding.sh | 361 +++++++++++++++++++++ .../selftests/drivers/net/lib/sh/lib_netcons.sh | 78 ++++- .../selftests/drivers/net/netcons_torture.sh | 130 ++++++++ 7 files changed, 566 insertions(+), 17 deletions(-) --- base-commit: 7d1988a943850c584e8e2e4bcc7a3b5275024072 change-id: 20250902-netconsole_torture-8fc23f0aca99 Best regards, -- Breno Leitao <leitao(a)debian.org>

2 weeks, 3 days

2
2
0 0

[PATCH] cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode

by Srinivas Pandruvada

When turbo mode is unavailable on a Skylake-X system, executing the command: "echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo" results in an unchecked MSR access error: WRMSR to 0x199 (attempted to write 0x0000000100001300). This issue was reproduced on an OEM (Original Equipment Manufacturer) system and is not a common problem across all Skylake-X systems. This error occurs because the MSR 0x199 Turbo Engage Bit (bit 32) is set when turbo mode is disabled. The issue arises when intel_pstate fails to detect that turbo mode is disabled. Here intel_pstate relies on MSR_IA32_MISC_ENABLE bit 38 to determine the status of turbo mode. However, on this system, bit 38 is not set even when turbo mode is disabled. According to the Intel Software Developer's Manual (SDM), the BIOS sets this bit during platform initialization to enable or disable opportunistic processor performance operations. Logically, this bit should be set in such cases. However, the SDM also specifies that "OS and applications must use CPUID leaf 06H to detect processors with opportunistic processor performance operations enabled." Therefore, in addition to checking MSR_IA32_MISC_ENABLE bit 38, verify that CPUID.06H:EAX[1] is 0 to accurately determine if turbo mode is disabled. Fixes: 4521e1a0ce17 ("cpufreq: intel_pstate: Reflect current no_turbo state correctly") Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- drivers/cpufreq/intel_pstate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c index f41ed0b9e610..ba9bf06f1c77 100644 --- a/drivers/cpufreq/intel_pstate.c +++ b/drivers/cpufreq/intel_pstate.c @@ -598,6 +598,9 @@ static bool turbo_is_disabled(void) { u64 misc_en; + if (!cpu_feature_enabled(X86_FEATURE_IDA)) + return true; + rdmsrl(MSR_IA32_MISC_ENABLE, misc_en); return !!(misc_en & MSR_IA32_MISC_ENABLE_TURBO_DISABLE); -- 2.48.1

2 weeks, 3 days

4
10
0 0

FAILED: patch "[PATCH] drm/amd/display: Reject modes with too high pixel clock on" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 118800b0797a046adaa2a8e9dee9b971b78802a7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025111147-dean-facial-7b9b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 118800b0797a046adaa2a8e9dee9b971b78802a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timur=20Krist=C3=B3f?= <timur.kristof(a)gmail.com> Date: Wed, 24 Sep 2025 13:38:34 +0200 Subject: [PATCH] drm/amd/display: Reject modes with too high pixel clock on DCE6-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reject modes with a pixel clock higher than the maximum display clock. Use 400 MHz as a fallback value when the maximum display clock is not known. Pixel clocks that are higher than the display clock just won't work and are not supported. With the addition of the YUV422 fallback, DC can now accidentally select a mode requiring higher pixel clock than actually supported when the DP version supports the required bandwidth but the clock is otherwise too high for the display engine. DCE 6-10 don't support these modes but they don't have a bandwidth calculation to reject them properly. Fixes: db291ed1732e ("drm/amd/display: Add fallback path for YCBCR422") Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Timur Kristóf <timur.kristof(a)gmail.com> Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c index dbd6ef1b60a0..6131ede2db7a 100644 --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c @@ -463,6 +463,9 @@ void dce_clk_mgr_construct( clk_mgr->max_clks_state = DM_PP_CLOCKS_STATE_NOMINAL; clk_mgr->cur_min_clks_state = DM_PP_CLOCKS_STATE_INVALID; + base->clks.max_supported_dispclk_khz = + clk_mgr->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz; + dce_clock_read_integrated_info(clk_mgr); dce_clock_read_ss_info(clk_mgr); } diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c index a39641a0ff09..69dd80d9f738 100644 --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c @@ -147,6 +147,8 @@ void dce60_clk_mgr_construct( struct dc_context *ctx, struct clk_mgr_internal *clk_mgr) { + struct clk_mgr *base = &clk_mgr->base; + dce_clk_mgr_construct(ctx, clk_mgr); memcpy(clk_mgr->max_clks_by_state, @@ -157,5 +159,8 @@ void dce60_clk_mgr_construct( clk_mgr->clk_mgr_shift = &disp_clk_shift; clk_mgr->clk_mgr_mask = &disp_clk_mask; clk_mgr->base.funcs = &dce60_funcs; + + base->clks.max_supported_dispclk_khz = + clk_mgr->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz; } diff --git a/drivers/gpu/drm/amd/display/dc/resource/dce100/dce100_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dce100/dce100_resource.c index 3a51be63f020..f36ec4edf0ae 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dce100/dce100_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dce100/dce100_resource.c @@ -29,6 +29,7 @@ #include "stream_encoder.h" #include "resource.h" +#include "clk_mgr.h" #include "include/irq_service_interface.h" #include "virtual/virtual_stream_encoder.h" #include "dce110/dce110_resource.h" @@ -843,10 +844,17 @@ static enum dc_status dce100_validate_bandwidth( { int i; bool at_least_one_pipe = false; + struct dc_stream_state *stream = NULL; + const uint32_t max_pix_clk_khz = max(dc->clk_mgr->clks.max_supported_dispclk_khz, 400000); for (i = 0; i < dc->res_pool->pipe_count; i++) { - if (context->res_ctx.pipe_ctx[i].stream) + stream = context->res_ctx.pipe_ctx[i].stream; + if (stream) { at_least_one_pipe = true; + + if (stream->timing.pix_clk_100hz >= max_pix_clk_khz * 10) + return DC_FAIL_BANDWIDTH_VALIDATE; + } } if (at_least_one_pipe) { diff --git a/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c index c164d2500c2a..b5433349fc7a 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c @@ -34,6 +34,7 @@ #include "stream_encoder.h" #include "resource.h" +#include "clk_mgr.h" #include "include/irq_service_interface.h" #include "irq/dce60/irq_service_dce60.h" #include "dce110/dce110_timing_generator.h" @@ -870,10 +871,17 @@ static enum dc_status dce60_validate_bandwidth( { int i; bool at_least_one_pipe = false; + struct dc_stream_state *stream = NULL; + const uint32_t max_pix_clk_khz = max(dc->clk_mgr->clks.max_supported_dispclk_khz, 400000); for (i = 0; i < dc->res_pool->pipe_count; i++) { - if (context->res_ctx.pipe_ctx[i].stream) + stream = context->res_ctx.pipe_ctx[i].stream; + if (stream) { at_least_one_pipe = true; + + if (stream->timing.pix_clk_100hz >= max_pix_clk_khz * 10) + return DC_FAIL_BANDWIDTH_VALIDATE; + } } if (at_least_one_pipe) { diff --git a/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c index 3e8b0ac11d90..538eafea82d5 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c @@ -32,6 +32,7 @@ #include "stream_encoder.h" #include "resource.h" +#include "clk_mgr.h" #include "include/irq_service_interface.h" #include "irq/dce80/irq_service_dce80.h" #include "dce110/dce110_timing_generator.h" @@ -876,10 +877,17 @@ static enum dc_status dce80_validate_bandwidth( { int i; bool at_least_one_pipe = false; + struct dc_stream_state *stream = NULL; + const uint32_t max_pix_clk_khz = max(dc->clk_mgr->clks.max_supported_dispclk_khz, 400000); for (i = 0; i < dc->res_pool->pipe_count; i++) { - if (context->res_ctx.pipe_ctx[i].stream) + stream = context->res_ctx.pipe_ctx[i].stream; + if (stream) { at_least_one_pipe = true; + + if (stream->timing.pix_clk_100hz >= max_pix_clk_khz * 10) + return DC_FAIL_BANDWIDTH_VALIDATE; + } } if (at_least_one_pipe) {

2 weeks, 3 days

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror