[PATCH AUTOSEL 5.4 01/25] drm/r128: Fix undefined behavior due to shift overflowing the constant

List overview All Threads
Download

newer

older

FAILED: patch "[PATCH] KVM: nVMX:...

[PATCH 4.14 1/3] KVM: Add...

Sasha Levin

11 Aug 2022 11 Aug '22

4:07 p.m.

From: Borislav Petkov bp@suse.de

[ Upstream commit 6556551f8848f98eff356c8aacae42c8dd65b2df ]

Fix:

drivers/gpu/drm/r128/r128_cce.c: In function ‘r128_do_init_cce’: drivers/gpu/drm/r128/r128_cce.c:417:2: error: case label does not reduce to an integer constant case R128_PM4_64BM_64VCBM_64INDBM: ^~~~ drivers/gpu/drm/r128/r128_cce.c:418:2: error: case label does not reduce to an integer constant case R128_PM4_64PIO_64VCPIO_64INDPIO: ^~~~

See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory details as to why it triggers with older gccs only.

Reviewed-by: Randy Dunlap rdunlap@infradead.org Signed-off-by: Borislav Petkov bp@suse.de Cc: David Airlie airlied@linux.ie Cc: Daniel Vetter daniel@ffwll.ch Cc: Alex Deucher alexander.deucher@amd.com Cc: dri-devel@lists.freedesktop.org Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Link: https://patchwork.freedesktop.org/patch/msgid/20220405151517.29753-5-bp@alie... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/r128/r128_drv.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/r128/r128_drv.h b/drivers/gpu/drm/r128/r128_drv.h index ba8c30ed91d1..9a9f2279408b 100644 --- a/drivers/gpu/drm/r128/r128_drv.h +++ b/drivers/gpu/drm/r128/r128_drv.h @@ -299,8 +299,8 @@ extern long r128_compat_ioctl(struct file *filp, unsigned int cmd, # define R128_PM4_64PIO_128INDBM (5 << 28) # define R128_PM4_64BM_128INDBM (6 << 28) # define R128_PM4_64PIO_64VCBM_64INDBM (7 << 28) -# define R128_PM4_64BM_64VCBM_64INDBM (8 << 28) -# define R128_PM4_64PIO_64VCPIO_64INDPIO (15 << 28) +# define R128_PM4_64BM_64VCBM_64INDBM (8U << 28) +# define R128_PM4_64PIO_64VCPIO_64INDPIO (15U << 28) # define R128_PM4_BUFFER_CNTL_NOUPDATE (1 << 27)

#define R128_PM4_BUFFER_WM_CNTL 0x0708

-- 2.35.1

Show replies by date

Sasha Levin

11 Aug 11 Aug

4:07 p.m.

New subject: [PATCH AUTOSEL 5.4 02/25] ath10k: htt_tx: do not interpret Eth frames as WiFi

From: Sergey Ryazanov ryazanov.s.a@gmail.com

[ Upstream commit 70f119fb82af7f7417dc659faf02c91e1f853739 ]

The xmit path for the Ethernet encapsulated frames become more or less usable since d740d8fd2439 ("ath10k: unify tx mode and dispatch"). This change reorganize the xmit path in a manageable way to properly support various tx modes, but misses that the Ethernet encapsulated frame is a special case. We do not have an IEEE 802.11 header at the begining of them. But the HTT Tx handler still interprets first bytes of each frame as an IEEE 802.11 Frame Control field.

Than this code was copied by e62ee5c381c5 ("ath10k: Add support for htt_data_tx_desc_64 descriptor") and a2097d6444c3 ("ath10k: htt: High latency TX support") to another handlers. In fact the issue in the high latency (HL) handler was introduced by 83ac260151e7 ("ath10k: add mic bytes for pmf management packet").

Ethernet encapsulated frame tx mode stay unused until 75d85fd9993c ("ath10k: introduce basic tdls functionality") started using it for TDLS frames to avoid key selection issue in some firmwares.

Trying to interpret the begining of an Ethernet encapsulated frame as an IEEE 802.11 header was not hurt us noticeably since we need to meet two conditions: (1) xmit should be performed towards a TDLS peer, and (2) the TDLS peer should have a specific OUI part of its MAC address. Looks like that the rareness in TDLS communications of OUIs that can be interpreted as an 802.11 management frame saves users from facing this issue earlier.

Improve Ethernet tx mode support in the HTT Tx handler by avoiding interpreting its first bytes as an IEEE 802.11 header. While at it, make the ieee80211_hdr variable local to the code block that is guarded by !is_eth check. In this way, we clarify in which cases a frame can be interpreted as IEEE 802.11, and saves us from similar issues in the future.

Credits: this change as part of xmit encapsulation offloading support was originally made by QCA and then submitted for inclusion by John Crispin [1]. But the whole work was not accepted due to the lack of a part for 64-bits descriptors [2]. Zhijun You then pointed this out to me in a reply to my initial RFC patch series. And I made this slightly reworked version that covered all the HTT Tx handler variants.

1. https://lore.kernel.org/all/20191216092207.31032-1-john@phrozen.org/ 2. https://patchwork.kernel.org/project/linux-wireless/patch/20191216092207.310...

Reported-by: Zhijun You hujy652@gmail.com Signed-off-by: Vasanthakumar Thiagarajan vthiagar@qti.qualcomm.com Signed-off-by: John Crispin john@phrozen.org Signed-off-by: Sergey Ryazanov ryazanov.s.a@gmail.com Signed-off-by: Kalle Valo quic_kvalo@quicinc.com Link: https://lore.kernel.org/r/20220516032519.29831-3-ryazanov.s.a@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wireless/ath/ath10k/htt_tx.c | 61 ++++++++++++++---------- 1 file changed, 35 insertions(+), 26 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c index f73ed1044390..dac1b202cfb9 100644 --- a/drivers/net/wireless/ath/ath10k/htt_tx.c +++ b/drivers/net/wireless/ath/ath10k/htt_tx.c @@ -1245,7 +1245,6 @@ static int ath10k_htt_tx_hl(struct ath10k_htt *htt, enum ath10k_hw_txrx_mode txm struct ath10k *ar = htt->ar; int res, data_len; struct htt_cmd_hdr *cmd_hdr; - struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)msdu->data; struct htt_data_tx_desc *tx_desc; struct ath10k_skb_cb *skb_cb = ATH10K_SKB_CB(msdu); struct sk_buff *tmp_skb; @@ -1256,11 +1255,15 @@ static int ath10k_htt_tx_hl(struct ath10k_htt *htt, enum ath10k_hw_txrx_mode txm u16 flags1 = 0; u16 msdu_id = 0;

- if ((ieee80211_is_action(hdr->frame_control) || - ieee80211_is_deauth(hdr->frame_control) || - ieee80211_is_disassoc(hdr->frame_control)) && - ieee80211_has_protected(hdr->frame_control)) { - skb_put(msdu, IEEE80211_CCMP_MIC_LEN); + if (!is_eth) { + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)msdu->data; + + if ((ieee80211_is_action(hdr->frame_control) || + ieee80211_is_deauth(hdr->frame_control) || + ieee80211_is_disassoc(hdr->frame_control)) && + ieee80211_has_protected(hdr->frame_control)) { + skb_put(msdu, IEEE80211_CCMP_MIC_LEN); + } }

data_len = msdu->len; @@ -1354,7 +1357,6 @@ static int ath10k_htt_tx_32(struct ath10k_htt *htt, { struct ath10k *ar = htt->ar; struct device *dev = ar->dev; - struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)msdu->data; struct ieee80211_tx_info *info = IEEE80211_SKB_CB(msdu); struct ath10k_skb_cb *skb_cb = ATH10K_SKB_CB(msdu); struct ath10k_hif_sg_item sg_items[2]; @@ -1386,15 +1388,19 @@ static int ath10k_htt_tx_32(struct ath10k_htt *htt, txbuf_paddr = htt->txbuf.paddr + (sizeof(struct ath10k_htt_txbuf_32) * msdu_id);

- if ((ieee80211_is_action(hdr->frame_control) || - ieee80211_is_deauth(hdr->frame_control) || - ieee80211_is_disassoc(hdr->frame_control)) && - ieee80211_has_protected(hdr->frame_control)) { - skb_put(msdu, IEEE80211_CCMP_MIC_LEN); - } else if (!(skb_cb->flags & ATH10K_SKB_F_NO_HWCRYPT) && - txmode == ATH10K_HW_TXRX_RAW && - ieee80211_has_protected(hdr->frame_control)) { - skb_put(msdu, IEEE80211_CCMP_MIC_LEN); + if (!is_eth) { + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)msdu->data; + + if ((ieee80211_is_action(hdr->frame_control) || + ieee80211_is_deauth(hdr->frame_control) || + ieee80211_is_disassoc(hdr->frame_control)) && + ieee80211_has_protected(hdr->frame_control)) { + skb_put(msdu, IEEE80211_CCMP_MIC_LEN); + } else if (!(skb_cb->flags & ATH10K_SKB_F_NO_HWCRYPT) && + txmode == ATH10K_HW_TXRX_RAW && + ieee80211_has_protected(hdr->frame_control)) { + skb_put(msdu, IEEE80211_CCMP_MIC_LEN); + } }

skb_cb->paddr = dma_map_single(dev, msdu->data, msdu->len, @@ -1556,7 +1562,6 @@ static int ath10k_htt_tx_64(struct ath10k_htt *htt, { struct ath10k *ar = htt->ar; struct device *dev = ar->dev; - struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)msdu->data; struct ieee80211_tx_info *info = IEEE80211_SKB_CB(msdu); struct ath10k_skb_cb *skb_cb = ATH10K_SKB_CB(msdu); struct ath10k_hif_sg_item sg_items[2]; @@ -1588,15 +1593,19 @@ static int ath10k_htt_tx_64(struct ath10k_htt *htt, txbuf_paddr = htt->txbuf.paddr + (sizeof(struct ath10k_htt_txbuf_64) * msdu_id);

- if ((ieee80211_is_action(hdr->frame_control) || - ieee80211_is_deauth(hdr->frame_control) || - ieee80211_is_disassoc(hdr->frame_control)) && - ieee80211_has_protected(hdr->frame_control)) { - skb_put(msdu, IEEE80211_CCMP_MIC_LEN); - } else if (!(skb_cb->flags & ATH10K_SKB_F_NO_HWCRYPT) && - txmode == ATH10K_HW_TXRX_RAW && - ieee80211_has_protected(hdr->frame_control)) { - skb_put(msdu, IEEE80211_CCMP_MIC_LEN); + if (!is_eth) { + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)msdu->data; + + if ((ieee80211_is_action(hdr->frame_control) || + ieee80211_is_deauth(hdr->frame_control) || + ieee80211_is_disassoc(hdr->frame_control)) && + ieee80211_has_protected(hdr->frame_control)) { + skb_put(msdu, IEEE80211_CCMP_MIC_LEN); + } else if (!(skb_cb->flags & ATH10K_SKB_F_NO_HWCRYPT) && + txmode == ATH10K_HW_TXRX_RAW && + ieee80211_has_protected(hdr->frame_control)) { + skb_put(msdu, IEEE80211_CCMP_MIC_LEN); + } }

skb_cb->paddr = dma_map_single(dev, msdu->data, msdu->len,

-- 2.35.1

Sasha Levin

4:07 p.m.

New subject: [PATCH AUTOSEL 5.4 03/25] ath10k: fix misreported tx bandwidth for 160Mhz

From: Maxime Bizon mbizon@freebox.fr

[ Upstream commit 75a7062e533e309a9ca0812c69f3ac3cefadb8b1 ]

Because of this missing switch case, 160Mhz transmit was reported as 20Mhz, leading to wrong airtime calculation and AQL limiting max throughput.

Tested-on: QCA9984 hw2.0 PCI 10.4-3.10-00047

Signed-off-by: Maxime Bizon mbizon@freebox.fr Signed-off-by: Kalle Valo quic_kvalo@quicinc.com Link: https://lore.kernel.org/r/cd2735a40da7f4fcc5323e3fca3775e7b5402ece.camel@fre... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wireless/ath/ath10k/htt_rx.c | 4 ++++ 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index 760d24a28f39..3aa9536b95d7 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -3748,6 +3748,10 @@ ath10k_update_per_peer_tx_stats(struct ath10k *ar, arsta->tx_info.status.rates[0].flags |= IEEE80211_TX_RC_80_MHZ_WIDTH; break; + case RATE_INFO_BW_160: + arsta->tx_info.status.rates[0].flags |= + IEEE80211_TX_RC_160_MHZ_WIDTH; + break; }

if (peer_stats->succ_pkts) {

-- 2.35.1

Sasha Levin

4:07 p.m.

New subject: [PATCH AUTOSEL 5.4 04/25] drm/nouveau: clear output poll workers before nouveau_fbcon_destroy()

From: Mark Menzynski mmenzyns@redhat.com

[ Upstream commit 6b03816f869529393b37d03e5d75b68f7365a7a4 ]

Resources needed for output poll workers are destroyed in nouveau_fbcon_fini() before output poll workers are cleared in nouveau_display_fini(). This means there is a time between fbcon_fini() and display_fini(), where if output poll happens, it crashes.

This patch introduces another output poll clearing before fbcon resources are destroyed.

BUG: KASAN: use-after-free in __drm_fb_helper_initial_config_and_unlock.cold+0x1f3/0x291 [drm_kms_helper]

Cc: Ben Skeggs bskeggs@redhat.com Cc: Karol Herbst kherbst@redhat.com Cc: Lyude Paul lyude@redhat.com Cc: David Airlie airlied@linux.ie Cc: Daniel Vetter daniel@ffwll.ch Cc: dri-devel@lists.freedesktop.org Cc: nouveau@lists.freedesktop.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Mark Menzynski mmenzyns@redhat.com Reviewed-by: Lyude Paul lyude@redhat.com Signed-off-by: Lyude Paul lyude@redhat.com Link: https://patchwork.freedesktop.org/patch/msgid/20220523113541.10562-1-mmenzyn... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c index c09ea357e88f..325fc94791c6 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c +++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c @@ -39,6 +39,7 @@

#include <drm/drm_crtc.h> #include <drm/drm_crtc_helper.h> +#include <drm/drm_probe_helper.h> #include <drm/drm_fb_helper.h> #include <drm/drm_fourcc.h> #include <drm/drm_atomic.h> @@ -606,6 +607,7 @@ nouveau_fbcon_fini(struct drm_device *dev) if (!drm->fbcon) return;

+ drm_kms_helper_poll_fini(dev); nouveau_fbcon_accel_fini(dev); nouveau_fbcon_destroy(dev, drm->fbcon); kfree(drm->fbcon);

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 05/25] drm/panfrost: Don't set L2_MMU_CONFIG quirks

From: Alyssa Rosenzweig alyssa.rosenzweig@collabora.com

[ Upstream commit d8e53d8a4e0ae842ef5e83e0dfb0796980f710cf ]

L2_MMU_CONFIG is an implementation-defined register. Different Mali GPUs define slightly different MAX_READS and MAX_WRITES fields, which throttle outstanding reads and writes when set to non-zero values. When left as zero, reads and writes are not throttled.

Both kbase and panfrost always zero these registers. Per discussion with Steven Price, there are two reasons these quirks may be used:

1. Simulating slower memory subsystems. This use case is only of interest to system-on-chip designers; it is not relevant to mainline.

2. Working around broken memory subsystems. Hopefully we never see this case in mainline. If we do, we'll need to set this register based on an SoC-compatible, rather than generally matching on the GPU model.

To the best of our knowledge, these fields are zero at reset, so the write is not necessary. Let's remove the write to aid porting to new Mali GPUs, which have different layouts for the L2_MMU_CONFIG register.

Suggested-by: Steven Price steven.price@arm.com Reviewed-by: Steven Price steven.price@arm.com Signed-off-by: Alyssa Rosenzweig alyssa.rosenzweig@collabora.com Link: https://patchwork.freedesktop.org/patch/msgid/20220525145754.25866-8-alyssa.... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/panfrost/panfrost_gpu.c | 12 ------------ 1 file changed, 12 deletions(-)

diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c index 0d39a201c759..67b193bd0826 100644 --- a/drivers/gpu/drm/panfrost/panfrost_gpu.c +++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c @@ -123,18 +123,6 @@ static void panfrost_gpu_init_quirks(struct panfrost_device *pfdev) gpu_write(pfdev, GPU_TILER_CONFIG, quirks);

- quirks = gpu_read(pfdev, GPU_L2_MMU_CONFIG); - - /* Limit read & write ID width for AXI */ - if (panfrost_has_hw_feature(pfdev, HW_FEATURE_3BIT_EXT_RW_L2_MMU_CONFIG)) - quirks &= ~(L2_MMU_CONFIG_3BIT_LIMIT_EXTERNAL_READS | - L2_MMU_CONFIG_3BIT_LIMIT_EXTERNAL_WRITES); - else - quirks &= ~(L2_MMU_CONFIG_LIMIT_EXTERNAL_READS | - L2_MMU_CONFIG_LIMIT_EXTERNAL_WRITES); - - gpu_write(pfdev, GPU_L2_MMU_CONFIG, quirks); - quirks = 0; if ((panfrost_model_eq(pfdev, 0x860) || panfrost_model_eq(pfdev, 0x880)) && pfdev->features.revision >= 0x2000)

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 06/25] ath10k: fix regdomain info of iw reg set/get

From: Wen Gong quic_wgong@quicinc.com

[ Upstream commit 8723750e2753868591ba86a57b0041c5e38047ad ]

When wlan load, firmware report the reg code with 0x6C for QCA6174, it is world reg which checked by ath_is_world_regd(), then the reg will be save into reg_world_copy of ath_common in ath_regd_init(). Later the regulatory of ath_common is updated to another country code such as "US" in ath_reg_notifier_apply() by below call stack. After that, regulatory_hint() is called in ath10k_mac_register() and it lead "iw reg get" show two regdomain info as below.

global country US: DFS-FCC (2400 - 2472 @ 40), (N/A, 30), (N/A) (5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW (5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW (5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS (5730 - 5850 @ 80), (N/A, 30), (N/A) (57240 - 71000 @ 2160), (N/A, 40), (N/A)

phy#0 country US: DFS-FCC (2400 - 2472 @ 40), (N/A, 30), (N/A) (5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW (5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW (5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS (5730 - 5850 @ 80), (N/A, 30), (N/A) (57240 - 71000 @ 2160), (N/A, 40), (N/A)

[ 4255.704975] Call Trace: [ 4255.704983] ath_reg_notifier_apply+0xa6/0xc5 [ath] [ 4255.704991] ath10k_reg_notifier+0x2f/0xd2 [ath10k_core] [ 4255.705010] wiphy_regulatory_register+0x5f/0x69 [cfg80211] [ 4255.705020] wiphy_register+0x459/0x8f0 [cfg80211] [ 4255.705042] ? ieee80211_register_hw+0x3a6/0x7d1 [mac80211] [ 4255.705049] ? __kmalloc+0xf4/0x218 [ 4255.705058] ? ieee80211_register_hw+0x3a6/0x7d1 [mac80211] [ 4255.705066] ? ath10k_mac_register+0x70/0xaab [ath10k_core] [ 4255.705075] ieee80211_register_hw+0x51a/0x7d1 [mac80211] [ 4255.705084] ath10k_mac_register+0x8b4/0xaab [ath10k_core] [ 4255.705094] ath10k_core_register_work+0xa5e/0xb45 [ath10k_core] [ 4255.705100] ? __schedule+0x61f/0x7d3 [ 4255.705105] process_one_work+0x1b7/0x392 [ 4255.705109] worker_thread+0x271/0x35d [ 4255.705112] ? pr_cont_work+0x58/0x58 [ 4255.705116] kthread+0x13f/0x147 [ 4255.705119] ? pr_cont_work+0x58/0x58 [ 4255.705123] ? kthread_destroy_worker+0x62/0x62 [ 4255.705126] ret_from_fork+0x22/0x40

At this moment, the two regdomain info is same, when run "iw reg set KR", the global regdomain info changed to KR, but the regdomain of phy#0 does not change again. It leads inconsistent values between global and phy#0 as below.

global country KR: DFS-JP (2402 - 2482 @ 40), (N/A, 13), (N/A) (5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW (5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW (5490 - 5710 @ 160), (N/A, 30), (0 ms), DFS (5735 - 5835 @ 80), (N/A, 30), (N/A) (57000 - 66000 @ 2160), (N/A, 43), (N/A)

The initial reg code is 0x6C which saved in reg_world_copy of ath_common, and the code US is updated from cfg80211 later, so ath10k should also check the initial reg code before regulatory_hint().

After this fix, regdomain info is same between "iw reg get" and "iw reg set xx", it does not have the regdomain info of phy#0 again.

This does not effect the channel list and power which ath10k used. When the country code for regulatory_hint() in ath10k_mac_register() is same with the global country code, then reg_set_rd_driver() of cfg80211 called from crda which return -EALREADY to set_regdom() and then update_all_wiphy_regulatory() will not be called while wlan load. When run "iw reg set xx", reg_get_regdomain() which used by function handle_channel() in net/wirelss/reg.c always use the regdomain returned by get_cfg80211_regdom() because the initiator of last regulatory_request is NL80211_REGDOM_SET_BY_USER, get_cfg80211_regdom() is the global regdomain, then all the ieee80211_channel info is updated in handle_channel() with the global regdomain.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049 Tested-on: QCA9984 hw1.0 PCI 10.4-3.6-00104

Signed-off-by: Wen Gong quic_wgong@quicinc.com Signed-off-by: Kalle Valo quic_kvalo@quicinc.com Link: https://lore.kernel.org/r/20220525132247.23459-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wireless/ath/ath10k/mac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index 3026eb54a7f2..95687e41006b 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -9030,7 +9030,8 @@ int ath10k_mac_register(struct ath10k *ar) ar->hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_AP_VLAN); }

- if (!ath_is_world_regd(&ar->ath_common.regulatory)) { + if (!ath_is_world_regd(&ar->ath_common.reg_world_copy) && + !ath_is_world_regd(&ar->ath_common.regulatory)) { ret = regulatory_hint(ar->hw->wiphy, ar->ath_common.regulatory.alpha2); if (ret)

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 07/25] drm/radeon: integer overflow in radeon_mode_dumb_create()

From: Xiaohui Zhang xiaohuizhang@ruc.edu.cn

[ Upstream commit feb54650bae25f2a2adfc493e3e254e7c27a3fba ]

Similar to the handling of amdgpu_mode_dumb_create in commit 54ef0b5461c0 ("drm/amdgpu: integer overflow in amdgpu_mode_dumb_create()"), we thought a patch might be needed here as well.

args->size is a u64. arg->pitch and args->height are u32. The multiplication will overflow instead of using the high 32 bits as intended.

Signed-off-by: Xiaohui Zhang xiaohuizhang@ruc.edu.cn Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/radeon/radeon_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c index b2b076606f54..cb7ef7ea7138 100644 --- a/drivers/gpu/drm/radeon/radeon_gem.c +++ b/drivers/gpu/drm/radeon/radeon_gem.c @@ -757,7 +757,7 @@ int radeon_mode_dumb_create(struct drm_file *file_priv,

args->pitch = radeon_align_pitch(rdev, args->width, DIV_ROUND_UP(args->bpp, 8), 0); - args->size = args->pitch * args->height; + args->size = (u64)args->pitch * args->height; args->size = ALIGN(args->size, PAGE_SIZE);

r = radeon_gem_object_create(rdev, args->size, 0,

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 08/25] drm/radeon: Initialize fences array entries in radeon_sa_bo_next_hole

From: Xiaohui Zhang xiaohuizhang@ruc.edu.cn

[ Upstream commit 0381ac3ca2e727d4dfb7264d9416a8ba6bb6c18b ]

Similar to the handling of amdgpu_sa_bo_next_hole in commit 6a15f3ff19a8 ("drm/amdgpu: Initialize fences array entries in amdgpu_sa_bo_next_hole"), we thought a patch might be needed here as well.

The entries were only initialized once in radeon_sa_bo_new. If a fence wasn't signalled yet in the first radeon_sa_bo_next_hole call, but then got signalled before a later radeon_sa_bo_next_hole call, it could destroy the fence but leave its pointer in the array, resulting in use-after-free in radeon_sa_bo_new.

Signed-off-by: Xiaohui Zhang xiaohuizhang@ruc.edu.cn Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/radeon/radeon_sa.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c index 310c322c7112..0981948bd9ed 100644 --- a/drivers/gpu/drm/radeon/radeon_sa.c +++ b/drivers/gpu/drm/radeon/radeon_sa.c @@ -267,6 +267,8 @@ static bool radeon_sa_bo_next_hole(struct radeon_sa_manager *sa_manager, for (i = 0; i < RADEON_NUM_RINGS; ++i) { struct radeon_sa_bo *sa_bo;

+ fences[i] = NULL; + if (list_empty(&sa_manager->flist[i])) { continue; } @@ -332,10 +334,8 @@ int radeon_sa_bo_new(struct radeon_device *rdev,

spin_lock(&sa_manager->wq.lock); do { - for (i = 0; i < RADEON_NUM_RINGS; ++i) { - fences[i] = NULL; + for (i = 0; i < RADEON_NUM_RINGS; ++i) tries[i] = 0; - }

do { radeon_sa_bo_try_free(sa_manager);

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 09/25] udmabuf: Set the DMA mask for the udmabuf device (v2)

From: Vivek Kasireddy vivek.kasireddy@intel.com

[ Upstream commit 9e9fa6a9198b767b00f48160800128e83a038f9f ]

If the DMA mask is not set explicitly, the following warning occurs when the userspace tries to access the dma-buf via the CPU as reported by syzbot here:

WARNING: CPU: 1 PID: 3595 at kernel/dma/mapping.c:188 __dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188 Modules linked in: CPU: 0 PID: 3595 Comm: syz-executor249 Not tainted 5.17.0-rc2-syzkaller-00316-g0457e5153e0e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188 Code: 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 71 4c 8b 3d c0 83 b5 0d e9 db fe ff ff e8 b6 0f 13 00 0f 0b e8 af 0f 13 00 <0f> 0b 45 31 e4 e9 54 ff ff ff e8 a0 0f 13 00 49 8d 7f 50 48 b8 00 RSP: 0018:ffffc90002a07d68 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88807e25e2c0 RSI: ffffffff81649e91 RDI: ffff88801b848408 RBP: ffff88801b848000 R08: 0000000000000002 R09: ffff88801d86c74f R10: ffffffff81649d72 R11: 0000000000000001 R12: 0000000000000002 R13: ffff88801d86c680 R14: 0000000000000001 R15: 0000000000000000 FS: 0000555556e30300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200000cc CR3: 000000001d74a000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dma_map_sgtable+0x70/0xf0 kernel/dma/mapping.c:264 get_sg_table.isra.0+0xe0/0x160 drivers/dma-buf/udmabuf.c:72 begin_cpu_udmabuf+0x130/0x1d0 drivers/dma-buf/udmabuf.c:126 dma_buf_begin_cpu_access+0xfd/0x1d0 drivers/dma-buf/dma-buf.c:1164 dma_buf_ioctl+0x259/0x2b0 drivers/dma-buf/dma-buf.c:363 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f62fcf530f9 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe3edab9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f62fcf530f9 RDX: 0000000020000200 RSI: 0000000040086200 RDI: 0000000000000006 RBP: 00007f62fcf170e0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f62fcf17170 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK>

v2: Dont't forget to deregister if DMA mask setup fails.

Reported-by: syzbot+10e27961f4da37c443b2@syzkaller.appspotmail.com Cc: Gerd Hoffmann kraxel@redhat.com Signed-off-by: Vivek Kasireddy vivek.kasireddy@intel.com Link: http://patchwork.freedesktop.org/patch/msgid/20220520205235.3687336-1-vivek.... Signed-off-by: Gerd Hoffmann kraxel@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/dma-buf/udmabuf.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index c6e9b7bd7618..80ccdf96093f 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -287,7 +287,23 @@ static struct miscdevice udmabuf_misc = {

static int __init udmabuf_dev_init(void) { - return misc_register(&udmabuf_misc); + int ret; + + ret = misc_register(&udmabuf_misc); + if (ret < 0) { + pr_err("Could not initialize udmabuf device\n"); + return ret; + } + + ret = dma_coerce_mask_and_coherent(udmabuf_misc.this_device, + DMA_BIT_MASK(64)); + if (ret < 0) { + pr_err("Could not setup DMA mask for udmabuf device\n"); + misc_deregister(&udmabuf_misc); + return ret; + } + + return 0; }

static void __exit udmabuf_dev_exit(void)

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 10/25] net/mlx5: Add HW definitions of vport debug counters

From: Saeed Mahameed saeedm@nvidia.com

[ Upstream commit 3e94e61bd44d90070dcda53b647fdc826097ef26 ]

total_q_under_processor_handle - number of queues in error state due to an async error or errored command.

send_queue_priority_update_flow - number of QP/SQ priority/SL update events.

cq_overrun - number of times CQ entered an error state due to an overflow.

async_eq_overrun -number of time an EQ mapped to async events was overrun.

comp_eq_overrun - number of time an EQ mapped to completion events was overrun.

quota_exceeded_command - number of commands issued and failed due to quota exceeded.

invalid_command - number of commands issued and failed dues to any reason other than quota exceeded.

Signed-off-by: Saeed Mahameed saeedm@nvidia.com Signed-off-by: Michael Guralnik michaelgur@nvidia.com Signed-off-by: Saeed Mahameed saeedm@nvidia.com Signed-off-by: Sasha Levin sashal@kernel.org --- include/linux/mlx5/mlx5_ifc.h | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h index 031022e32635..e132609c3269 100644 --- a/include/linux/mlx5/mlx5_ifc.h +++ b/include/linux/mlx5/mlx5_ifc.h @@ -1188,7 +1188,8 @@ struct mlx5_ifc_cmd_hca_cap_bits {

u8 reserved_at_120[0xa]; u8 log_max_ra_req_dc[0x6]; - u8 reserved_at_130[0xa]; + u8 reserved_at_130[0x9]; + u8 vnic_env_cq_overrun[0x1]; u8 log_max_ra_res_dc[0x6];

u8 reserved_at_140[0xa]; @@ -1367,7 +1368,11 @@ struct mlx5_ifc_cmd_hca_cap_bits { u8 nic_receive_steering_discard[0x1]; u8 receive_discard_vport_down[0x1]; u8 transmit_discard_vport_down[0x1]; - u8 reserved_at_343[0x5]; + u8 eq_overrun_count[0x1]; + u8 reserved_at_344[0x1]; + u8 invalid_command_count[0x1]; + u8 quota_exceeded_count[0x1]; + u8 reserved_at_347[0x1]; u8 log_max_flow_counter_bulk[0x8]; u8 max_flow_counter_15_0[0x10];

@@ -2890,11 +2895,21 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits {

u8 transmit_discard_vport_down[0x40];

- u8 reserved_at_140[0xa0]; + u8 async_eq_overrun[0x20]; + + u8 comp_eq_overrun[0x20]; + + u8 reserved_at_180[0x20]; + + u8 invalid_command[0x20]; + + u8 quota_exceeded_command[0x20];

u8 internal_rq_out_of_buffer[0x20];

- u8 reserved_at_200[0xe00]; + u8 cq_overrun[0x20]; + + u8 reserved_at_220[0xde0]; };

struct mlx5_ifc_traffic_counter_bits {

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 11/25] media: davinci: vpif: add missing of_node_put() in vpif_probe()

From: Yang Yingliang yangyingliang@huawei.com

[ Upstream commit bb45f5433f23cf103ba29c9692ee553e061f2cb4 ]

of_graph_get_next_endpoint() returns an 'endpoint' node pointer with refcount incremented. The refcount should be decremented before returning from vpif_probe().

Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/platform/davinci/vpif.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/davinci/vpif.c b/drivers/media/platform/davinci/vpif.c index e7e8eba048ac..a05fbb367d3a 100644 --- a/drivers/media/platform/davinci/vpif.c +++ b/drivers/media/platform/davinci/vpif.c @@ -450,6 +450,7 @@ static int vpif_probe(struct platform_device *pdev) endpoint); if (!endpoint) return 0; + of_node_put(endpoint);

/* * For DT platforms, manually create platform_devices for

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 12/25] media: airspy: respect the DMA coherency rules

From: Oliver Neukum oneukum@suse.com

[ Upstream commit ca9dc8d06ab64543a6a31adac5003349c5671218 ]

If we want to avoid memory corruption on incoherent architectures, buffers for DMA must not reside - on the stack - embedded within other structures

Allocate them separately.

v2: fix uninitialized return value

Signed-off-by: Oliver Neukum oneukum@suse.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/usb/airspy/airspy.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c index 751703db06f5..c7499787bffe 100644 --- a/drivers/media/usb/airspy/airspy.c +++ b/drivers/media/usb/airspy/airspy.c @@ -123,7 +123,7 @@ struct airspy {

/* USB control message buffer */ #define BUF_SIZE 128 - u8 buf[BUF_SIZE]; + u8 *buf;

/* Current configuration */ unsigned int f_adc; @@ -856,6 +856,7 @@ static void airspy_video_release(struct v4l2_device *v)

v4l2_ctrl_handler_free(&s->hdl); v4l2_device_unregister(&s->v4l2_dev); + kfree(s->buf); kfree(s); }

@@ -963,7 +964,10 @@ static int airspy_probe(struct usb_interface *intf, { struct airspy *s; int ret; - u8 u8tmp, buf[BUF_SIZE]; + u8 u8tmp, *buf; + + buf = NULL; + ret = -ENOMEM;

s = kzalloc(sizeof(struct airspy), GFP_KERNEL); if (s == NULL) { @@ -971,6 +975,13 @@ static int airspy_probe(struct usb_interface *intf, return -ENOMEM; }

+ s->buf = kzalloc(BUF_SIZE, GFP_KERNEL); + if (!s->buf) + goto err_free_mem; + buf = kzalloc(BUF_SIZE, GFP_KERNEL); + if (!buf) + goto err_free_mem; + mutex_init(&s->v4l2_lock); mutex_init(&s->vb_queue_lock); spin_lock_init(&s->queued_bufs_lock); @@ -1068,6 +1079,8 @@ static int airspy_probe(struct usb_interface *intf, v4l2_ctrl_handler_free(&s->hdl); v4l2_device_unregister(&s->v4l2_dev); err_free_mem: + kfree(buf); + kfree(s->buf); kfree(s); return ret; }

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 13/25] media: pvrusb2: fix memory leak in pvr_probe

From: Dongliang Mu mudongliangabcd@gmail.com

[ Upstream commit 945a9a8e448b65bec055d37eba58f711b39f66f0 ]

The error handling code in pvr2_hdw_create forgets to unregister the v4l2 device. When pvr2_hdw_create returns back to pvr2_context_create, it calls pvr2_context_destroy to destroy context, but mp->hdw is NULL, which leads to that pvr2_hdw_destroy directly returns.

Fix this by adding v4l2_device_unregister to decrease the refcount of usb interface.

Reported-by: syzbot+77b432d57c4791183ed4@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu mudongliangabcd@gmail.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c index 11e7fcfc3f19..d101fa8d61bb 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c @@ -2611,6 +2611,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf, del_timer_sync(&hdw->encoder_run_timer); del_timer_sync(&hdw->encoder_wait_timer); flush_work(&hdw->workpoll); + v4l2_device_unregister(&hdw->v4l2_dev); usb_free_urb(hdw->ctl_read_urb); usb_free_urb(hdw->ctl_write_urb); kfree(hdw->ctl_read_buffer);

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 14/25] mlxsw: cmd: Increase 'config_profile.flood_mode' length

From: Amit Cohen amcohen@nvidia.com

[ Upstream commit 89df3c6261f271c550f120b5ccf4d9c5132e870c ]

Currently, the length of 'config_profile.flood_mode' is defined as 2 bits, while the correct length is 3 bits.

As preparation for unified bridge model, which will use the whole field length, fix it and increase the field to the correct size.

Signed-off-by: Amit Cohen amcohen@nvidia.com Signed-off-by: Ido Schimmel idosch@nvidia.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/mellanox/mlxsw/cmd.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/cmd.h b/drivers/net/ethernet/mellanox/mlxsw/cmd.h index 5ffdfb532cb7..b72aa4862cfd 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/cmd.h +++ b/drivers/net/ethernet/mellanox/mlxsw/cmd.h @@ -722,7 +722,7 @@ MLXSW_ITEM32(cmd_mbox, config_profile, max_vid_flood_tables, 0x30, 8, 4); * max_fid_offset_flood_tables indicates the number of FID-offset tables. * max_fid_flood_tables indicates the number of per-FID tables. */ -MLXSW_ITEM32(cmd_mbox, config_profile, flood_mode, 0x30, 0, 2); +MLXSW_ITEM32(cmd_mbox, config_profile, flood_mode, 0x30, 0, 3);

/* cmd_mbox_config_profile_max_fid_offset_flood_tables * Maximum number of FID-offset flooding tables.

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 15/25] crypto: vmx - Fix warning on p8_ghash_alg

From: Herbert Xu herbert@gondor.apana.org.au

[ Upstream commit cc8166bfc829043020b5cc3b7cdba02a17d03b6d ]

The compiler complains that p8_ghash_alg isn't declared which is because the header file aesp8-ppc.h isn't included in ghash.c. This patch fixes the warning.

Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Acked-by: Breno Leitao leitao@debian.org Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/crypto/vmx/ghash.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c index 14807ac2e3b9..e419be7381c9 100644 --- a/drivers/crypto/vmx/ghash.c +++ b/drivers/crypto/vmx/ghash.c @@ -23,6 +23,7 @@ #include <crypto/internal/hash.h> #include <crypto/internal/simd.h> #include <crypto/b128ops.h> +#include "aesp8-ppc.h"

void gcm_init_p8(u128 htable[16], const u64 Xi[2]); void gcm_gmult_p8(u64 Xi[2], const u128 htable[16]);

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 16/25] drm/nouveau/nvkm: use list_add_tail() when building object tree

From: Ben Skeggs bskeggs@redhat.com

[ Upstream commit 61c1f340bc809a1ca1e3c8794207a91cde1a7c78 ]

Fixes resume from hibernate failing on (at least) TU102, where cursor channel init failed due to being performed before the core channel.

Not solid idea why suspend-to-ram worked, but, presumably HW being in an entirely clean state has something to do with it.

Signed-off-by: Ben Skeggs bskeggs@redhat.com Reviewed-by: Dave Airlie airlied@redhat.com Signed-off-by: Dave Airlie airlied@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/nouveau/nvkm/core/ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/core/ioctl.c b/drivers/gpu/drm/nouveau/nvkm/core/ioctl.c index d777df5a64e6..2aa0d6fed580 100644 --- a/drivers/gpu/drm/nouveau/nvkm/core/ioctl.c +++ b/drivers/gpu/drm/nouveau/nvkm/core/ioctl.c @@ -128,7 +128,7 @@ nvkm_ioctl_new(struct nvkm_client *client, if (ret == 0) { ret = nvkm_object_init(object); if (ret == 0) { - list_add(&object->head, &parent->tree); + list_add_tail(&object->head, &parent->tree); if (nvkm_object_insert(object)) { client->data = object; return 0;

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 17/25] crypto: ccree - Add missing clk_disable_unprepare() in cc_pm_resume()

From: Yuan Can yuancan@huawei.com

[ Upstream commit 30fb034361ff1b9bfc569b2d8d66b544ea3eb18f ]

Add clk_disable_unprepare() on error path in cc_pm_resume().

Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Yuan Can yuancan@huawei.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/crypto/ccree/cc_pm.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/drivers/crypto/ccree/cc_pm.c b/drivers/crypto/ccree/cc_pm.c index 452bd77a9ba0..96ad33507e60 100644 --- a/drivers/crypto/ccree/cc_pm.c +++ b/drivers/crypto/ccree/cc_pm.c @@ -45,6 +45,7 @@ int cc_pm_resume(struct device *dev) /* wait for Crytpcell reset completion */ if (!cc_wait_for_reset_completion(drvdata)) { dev_err(dev, "Cryptocell reset not completed"); + clk_disable_unprepare(drvdata->clk); return -EBUSY; }

@@ -52,6 +53,7 @@ int cc_pm_resume(struct device *dev) rc = init_cc_regs(drvdata, false); if (rc) { dev_err(dev, "init_cc_regs (%x)\n", rc); + clk_disable_unprepare(drvdata->clk); return rc; } /* check if tee fips error occurred during power down */

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 18/25] bpf: Don't redirect packets with invalid pkt_len

From: Zhengchao Shao shaozhengchao@huawei.com

[ Upstream commit fd1894224407c484f652ad456e1ce423e89bb3eb ]

Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any skbs, that is, the flow->head is null. The root cause, as the [2] says, is because that bpf_prog_test_run_skb() run a bpf prog which redirects empty skbs. So we should determine whether the length of the packet modified by bpf prog or others like bpf_prog_test is valid before forwarding it directly.

LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c... LINK: [2] https://www.spinics.net/lists/netdev/msg777503.html

Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com Signed-off-by: Zhengchao Shao shaozhengchao@huawei.com Reviewed-by: Stanislav Fomichev sdf@google.com Link: https://lore.kernel.org/r/20220715115559.139691-1-shaozhengchao@huawei.com Signed-off-by: Alexei Starovoitov ast@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- include/linux/skbuff.h | 8 ++++++++ net/bpf/test_run.c | 3 +++ net/core/dev.c | 1 + 3 files changed, 12 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index b04b5bd43f54..680f71ecdc08 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2201,6 +2201,14 @@ static inline void skb_set_tail_pointer(struct sk_buff *skb, const int offset)

#endif /* NET_SKBUFF_DATA_USES_OFFSET */

+static inline void skb_assert_len(struct sk_buff *skb) +{ +#ifdef CONFIG_DEBUG_NET + if (WARN_ONCE(!skb->len, "%s\n", __func__)) + DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false); +#endif /* CONFIG_DEBUG_NET */ +} + /* * Add data to an sk_buff */ diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 1153bbcdff72..5e6428cbd758 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -200,6 +200,9 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb) { struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;

+ if (!skb->len) + return -EINVAL; + if (!__skb) return 0;

diff --git a/net/core/dev.c b/net/core/dev.c index a03036456221..60cea97132f2 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -3712,6 +3712,7 @@ static int __dev_queue_xmit(struct sk_buff *skb, struct net_device *sb_dev) bool again = false;

skb_reset_mac_header(skb); + skb_assert_len(skb);

if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_SCHED_TSTAMP)) __skb_tstamp_tx(skb, NULL, skb->sk, SCM_TSTAMP_SCHED);

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 19/25] can: sja1000: Add Quirk for RZ/N1 SJA1000 CAN controller

From: Biju Das biju.das.jz@bp.renesas.com

[ Upstream commit 2d99bfbf3386962692dcccd73931cb0db07a1a43 ]

As per Chapter 6.5.16 of the RZ/N1 Peripheral Manual, The SJA1000 CAN controller does not support Clock Divider Register compared to the reference Philips SJA1000 device.

This patch adds a device quirk to handle this difference.

Link: https://lore.kernel.org/all/20220710115248.190280-4-biju.das.jz@bp.renesas.c... Signed-off-by: Biju Das biju.das.jz@bp.renesas.com Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/can/sja1000/sja1000.c | 8 +++++--- drivers/net/can/sja1000/sja1000.h | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c index 9f107798f904..ae0ca0ab371f 100644 --- a/drivers/net/can/sja1000/sja1000.c +++ b/drivers/net/can/sja1000/sja1000.c @@ -184,8 +184,9 @@ static void chipset_init(struct net_device *dev) { struct sja1000_priv *priv = netdev_priv(dev);

- /* set clock divider and output control register */ - priv->write_reg(priv, SJA1000_CDR, priv->cdr | CDR_PELICAN); + if (!(priv->flags & SJA1000_QUIRK_NO_CDR_REG)) + /* set clock divider and output control register */ + priv->write_reg(priv, SJA1000_CDR, priv->cdr | CDR_PELICAN);

/* set acceptance filter (accept all) */ priv->write_reg(priv, SJA1000_ACCC0, 0x00); @@ -210,7 +211,8 @@ static void sja1000_start(struct net_device *dev) set_reset_mode(dev);

/* Initialize chip if uninitialized at this stage */ - if (!(priv->read_reg(priv, SJA1000_CDR) & CDR_PELICAN)) + if (!(priv->flags & SJA1000_QUIRK_NO_CDR_REG || + priv->read_reg(priv, SJA1000_CDR) & CDR_PELICAN)) chipset_init(dev);

/* Clear error counters and error code capture */ diff --git a/drivers/net/can/sja1000/sja1000.h b/drivers/net/can/sja1000/sja1000.h index 9d46398f8154..7f736f1df547 100644 --- a/drivers/net/can/sja1000/sja1000.h +++ b/drivers/net/can/sja1000/sja1000.h @@ -145,7 +145,8 @@ /* * Flags for sja1000priv.flags */ -#define SJA1000_CUSTOM_IRQ_HANDLER 0x1 +#define SJA1000_CUSTOM_IRQ_HANDLER BIT(0) +#define SJA1000_QUIRK_NO_CDR_REG BIT(1)

/* * SJA1000 private data structure

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 20/25] net/cdc_ncm: Increase NTB max RX/TX values to 64kb

From: Łukasz Spintzyk lukasz.spintzyk@synaptics.com

[ Upstream commit 5588d628027092e66195097bdf6835ddf64418b3 ]

DisplayLink ethernet devices require NTB buffers larger then 32kb in order to run with highest performance.

This patch is changing upper limit of the rx and tx buffers. Those buffers are initialized with CDC_NCM_NTB_DEF_SIZE_RX and CDC_NCM_NTB_DEF_SIZE_TX which is 16kb so by default no device is affected by increased limit.

Rx and tx buffer is increased under two conditions: - Device need to advertise that it supports higher buffer size in dwNtbMaxInMaxSize and dwNtbMaxOutMaxSize. - cdc_ncm/rx_max and cdc_ncm/tx_max driver parameters must be adjusted with udev rule or ethtool.

Summary of testing and performance results: Tests were performed on following devices: - DisplayLink DL-3xxx family device - DisplayLink DL-6xxx family device - ASUS USB-C2500 2.5G USB3 ethernet adapter - Plugable USB3 1G USB3 ethernet adapter - EDIMAX EU-4307 USB-C ethernet adapter - Dell DBQBCBC064 USB-C ethernet adapter

Performance measurements were done with: - iperf3 between two linux boxes - http://openspeedtest.com/ instance running on local test machine

Insights from tests results: - All except one from third party usb adapters were not affected by increased buffer size to their advertised dwNtbOutMaxSize and dwNtbInMaxSize. Devices were generally reaching 912-940Mbps both download and upload.

Only EDIMAX adapter experienced decreased download size from 929Mbps to 827Mbps with iper3, with openspeedtest decrease was from 968Mbps to 886Mbps.

- DisplayLink DL-3xxx family devices experienced performance increase with iperf3 download from 300Mbps to 870Mbps and upload from 782Mbps to 844Mbps. With openspeedtest download increased from 556Mbps to 873Mbps and upload from 727Mbps to 973Mbps

- DiplayLink DL-6xxx family devices are not affected by increased buffer size.

Signed-off-by: Łukasz Spintzyk lukasz.spintzyk@synaptics.com Acked-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Link: https://lore.kernel.org/r/20220720060518.541-2-lukasz.spintzyk@synaptics.com Signed-off-by: Paolo Abeni pabeni@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- include/linux/usb/cdc_ncm.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/usb/cdc_ncm.h b/include/linux/usb/cdc_ncm.h index 1646c06989df..78cc32168640 100644 --- a/include/linux/usb/cdc_ncm.h +++ b/include/linux/usb/cdc_ncm.h @@ -50,8 +50,8 @@ #define USB_CDC_NCM_NDP16_LENGTH_MIN 0x10

/* Maximum NTB length */ -#define CDC_NCM_NTB_MAX_SIZE_TX 32768 /* bytes */ -#define CDC_NCM_NTB_MAX_SIZE_RX 32768 /* bytes */ +#define CDC_NCM_NTB_MAX_SIZE_TX 65536 /* bytes */ +#define CDC_NCM_NTB_MAX_SIZE_RX 65536 /* bytes */

/* Initial NTB length */ #define CDC_NCM_NTB_DEF_SIZE_TX 16384 /* bytes */

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 21/25] Bluetooth: use memset avoid memory leaks

From: Xiaohui Zhang xiaohuizhang@ruc.edu.cn

[ Upstream commit d3715b2333e9a21692ba16ef8645eda584a9515d ]

Use memset to initialize structs to prevent memory leaks in l2cap_ecred_connect

Reported-by: Zeal Robot zealci@zte.com.cn Signed-off-by: Minghao Chi (CGEL ZTE) chi.minghao@zte.com.cn Signed-off-by: Marcel Holtmann marcel@holtmann.org Signed-off-by: Sasha Levin sashal@kernel.org --- net/bluetooth/l2cap_core.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 959a16b13303..aef4d172c0d5 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -1298,6 +1298,7 @@ static void l2cap_le_connect(struct l2cap_chan *chan)

l2cap_le_flowctl_init(chan, 0);

+ memset(&req, 0, sizeof(req)); req.psm = chan->psm; req.scid = cpu_to_le16(chan->scid); req.mtu = cpu_to_le16(chan->imtu);

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 22/25] bpf/selftests: Fix couldn't retrieve pinned program in xdp veth test

From: Jie2x Zhou jie2x.zhou@intel.com

[ Upstream commit f664f9c6b4a1bb9a10af812df0fbbf6aac28fcc6 ]

Before change:

selftests: bpf: test_xdp_veth.sh Couldn't retrieve pinned program '/sys/fs/bpf/test_xdp_veth/progs/redirect_map_0': No such file or directory selftests: xdp_veth [SKIP] ok 20 selftests: bpf: test_xdp_veth.sh # SKIP

After change:

PING 10.1.1.33 (10.1.1.33) 56(84) bytes of data. 64 bytes from 10.1.1.33: icmp_seq=1 ttl=64 time=0.320 ms --- 10.1.1.33 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.320/0.320/0.320/0.000 ms selftests: xdp_veth [PASS]

For the test case, the following can be found:

ls /sys/fs/bpf/test_xdp_veth/progs/redirect_map_0 ls: cannot access '/sys/fs/bpf/test_xdp_veth/progs/redirect_map_0': No such file or directory ls /sys/fs/bpf/test_xdp_veth/progs/ xdp_redirect_map_0 xdp_redirect_map_1 xdp_redirect_map_2

Reported-by: kernel test robot lkp@intel.com Signed-off-by: Jie2x Zhou jie2x.zhou@intel.com Signed-off-by: Daniel Borkmann daniel@iogearbox.net Link: https://lore.kernel.org/bpf/20220719082430.9916-1-jie2x.zhou@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- tools/testing/selftests/bpf/test_xdp_veth.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/bpf/test_xdp_veth.sh b/tools/testing/selftests/bpf/test_xdp_veth.sh index 995278e684b6..f2ad31558963 100755 --- a/tools/testing/selftests/bpf/test_xdp_veth.sh +++ b/tools/testing/selftests/bpf/test_xdp_veth.sh @@ -103,9 +103,9 @@ bpftool prog loadall \ bpftool map update pinned $BPF_DIR/maps/tx_port key 0 0 0 0 value 122 0 0 0 bpftool map update pinned $BPF_DIR/maps/tx_port key 1 0 0 0 value 133 0 0 0 bpftool map update pinned $BPF_DIR/maps/tx_port key 2 0 0 0 value 111 0 0 0 -ip link set dev veth1 xdp pinned $BPF_DIR/progs/redirect_map_0 -ip link set dev veth2 xdp pinned $BPF_DIR/progs/redirect_map_1 -ip link set dev veth3 xdp pinned $BPF_DIR/progs/redirect_map_2 +ip link set dev veth1 xdp pinned $BPF_DIR/progs/xdp_redirect_map_0 +ip link set dev veth2 xdp pinned $BPF_DIR/progs/xdp_redirect_map_1 +ip link set dev veth3 xdp pinned $BPF_DIR/progs/xdp_redirect_map_2

ip -n ns1 link set dev veth11 xdp obj xdp_dummy.o sec xdp_dummy ip -n ns2 link set dev veth22 xdp obj xdp_tx.o sec xdp

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 23/25] wifi: rtl8xxxu: Fix the error handling of the probe function

From: Zheyu Ma zheyuma97@gmail.com

[ Upstream commit 13876f2a087ad352bf640a7a0a4a4229ea6e9e4f ]

When the driver fails at ieee80211_alloc_hw() at the probe time, the driver will free the 'hw' which is not allocated, causing a bug.

The following log can reveal it:

[ 15.981294] BUG: KASAN: user-memory-access in mutex_is_locked+0xe/0x40 [ 15.981558] Read of size 8 at addr 0000000000001ab0 by task modprobe/373 [ 15.982583] Call Trace: [ 15.984282] ieee80211_free_hw+0x22/0x390 [ 15.984446] rtl8xxxu_probe+0x3a1/0xab30 [rtl8xxxu]

Fix the bug by changing the order of the error handling.

Signed-off-by: Zheyu Ma zheyuma97@gmail.com Signed-off-by: Kalle Valo kvalo@kernel.org Link: https://lore.kernel.org/r/20220716130444.2950690-1-zheyuma97@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- .../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c index 048984ca81fd..417dd9d0a4e2 100644 --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c @@ -6049,7 +6049,7 @@ static int rtl8xxxu_probe(struct usb_interface *interface, if (!hw) { ret = -ENOMEM; priv = NULL; - goto exit; + goto err_put_dev; }

priv = hw->priv; @@ -6068,24 +6068,24 @@ static int rtl8xxxu_probe(struct usb_interface *interface,

ret = rtl8xxxu_parse_usb(priv, interface); if (ret) - goto exit; + goto err_set_intfdata;

ret = rtl8xxxu_identify_chip(priv); if (ret) { dev_err(&udev->dev, "Fatal - failed to identify chip\n"); - goto exit; + goto err_set_intfdata; }

ret = rtl8xxxu_read_efuse(priv); if (ret) { dev_err(&udev->dev, "Fatal - failed to read EFuse\n"); - goto exit; + goto err_set_intfdata; }

ret = priv->fops->parse_efuse(priv); if (ret) { dev_err(&udev->dev, "Fatal - failed to parse EFuse\n"); - goto exit; + goto err_set_intfdata; }

rtl8xxxu_print_chipinfo(priv); @@ -6093,12 +6093,12 @@ static int rtl8xxxu_probe(struct usb_interface *interface, ret = priv->fops->load_firmware(priv); if (ret) { dev_err(&udev->dev, "Fatal - failed to load firmware\n"); - goto exit; + goto err_set_intfdata; }

ret = rtl8xxxu_init_device(hw); if (ret) - goto exit; + goto err_set_intfdata;

hw->wiphy->max_scan_ssids = 1; hw->wiphy->max_scan_ie_len = IEEE80211_MAX_DATA_LEN; @@ -6148,12 +6148,12 @@ static int rtl8xxxu_probe(struct usb_interface *interface, if (ret) { dev_err(&udev->dev, "%s: Failed to register: %i\n", __func__, ret); - goto exit; + goto err_set_intfdata; }

return 0;

-exit: +err_set_intfdata: usb_set_intfdata(interface, NULL);

if (priv) { @@ -6161,9 +6161,10 @@ static int rtl8xxxu_probe(struct usb_interface *interface, mutex_destroy(&priv->usb_buf_mutex); mutex_destroy(&priv->h2c_mutex); } - usb_put_dev(udev);

ieee80211_free_hw(hw); +err_put_dev: + usb_put_dev(udev);

return ret; }

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 24/25] d_add_ci(): make sure we don't miss d_lookup_done()

From: Al Viro viro@zeniv.linux.org.uk

[ Upstream commit 40a3cb0d2314a41975aa385a74643878454f6eac ]

All callers of d_alloc_parallel() must make sure that resulting in-lookup dentry (if any) will encounter __d_lookup_done() before the final dput(). d_add_ci() might end up creating in-lookup dentries; they are fed to d_splice_alias(), which will normally make sure they meet __d_lookup_done(). However, it is possible to end up with d_splice_alias() failing with ERR_PTR(-ELOOP) without having done so. It takes a corrupted ntfs or case-insensitive xfs image, but neither should end up with memory corruption...

Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Sasha Levin sashal@kernel.org --- fs/dcache.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/fs/dcache.c b/fs/dcache.c index b2a7f1765f0b..64b8f737af1b 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2160,6 +2160,7 @@ struct dentry *d_add_ci(struct dentry *dentry, struct inode *inode, } res = d_splice_alias(inode, found); if (res) { + d_lookup_done(found); dput(found); return res; }

-- 2.35.1

Sasha Levin

4:08 p.m.

New subject: [PATCH AUTOSEL 5.4 25/25] fs/dcache: Disable preemption on i_dir_seq write side on PREEMPT_RT

From: Sebastian Andrzej Siewior bigeasy@linutronix.de

[ Upstream commit cf634d540a29018e8d69ab1befb7e08182bc6594 ]

i_dir_seq is a sequence counter with a lock which is represented by the lowest bit. The writer atomically updates the counter which ensures that it can be modified by only one writer at a time. This requires preemption to be disabled across the write side critical section.

On !PREEMPT_RT kernels this is implicit by the caller acquiring dentry::lock. On PREEMPT_RT kernels spin_lock() does not disable preemption which means that a preempting writer or reader would live lock. It's therefore required to disable preemption explicitly.

An alternative solution would be to replace i_dir_seq with a seqlock_t for PREEMPT_RT, but that comes with its own set of problems due to arbitrary lock nesting. A pure sequence count with an associated spinlock is not possible because the locks held by the caller are not necessarily related.

As the critical section is small, disabling preemption is a sensible solution.

Reported-by: Oleg.Karfich@wago.com Signed-off-by: Sebastian Andrzej Siewior bigeasy@linutronix.de Signed-off-by: Thomas Gleixner tglx@linutronix.de Signed-off-by: Sebastian Andrzej Siewior bigeasy@linutronix.de Link: https://lkml.kernel.org/r/20220613140712.77932-2-bigeasy@linutronix.de Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Sasha Levin sashal@kernel.org --- fs/dcache.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/fs/dcache.c b/fs/dcache.c index 64b8f737af1b..dc8092e2053a 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2484,7 +2484,15 @@ EXPORT_SYMBOL(d_rehash);

static inline unsigned start_dir_add(struct inode *dir) { - + /* + * The caller holds a spinlock (dentry::d_lock). On !PREEMPT_RT + * kernels spin_lock() implicitly disables preemption, but not on + * PREEMPT_RT. So for RT it has to be done explicitly to protect + * the sequence count write side critical section against a reader + * or another writer preempting, which would result in a live lock. + */ + if (IS_ENABLED(CONFIG_PREEMPT_RT)) + preempt_disable(); for (;;) { unsigned n = dir->i_dir_seq; if (!(n & 1) && cmpxchg(&dir->i_dir_seq, n, n + 1) == n) @@ -2496,6 +2504,8 @@ static inline unsigned start_dir_add(struct inode *dir) static inline void end_dir_add(struct inode *dir, unsigned n) { smp_store_release(&dir->i_dir_seq, n + 2); + if (IS_ENABLED(CONFIG_PREEMPT_RT)) + preempt_enable(); }

static void d_wait_lookup(struct dentry *dentry)

-- 2.35.1

Sebastian Andrzej Siewior

12 Aug 12 Aug

8:39 a.m.

New subject: [PATCH AUTOSEL 5.4 25/25] fs/dcache: Disable preemption on i_dir_seq write side on PREEMPT_RT

On 2022-08-11 12:08:20 [-0400], Sasha Levin wrote:

...

From: Sebastian Andrzej Siewior bigeasy@linutronix.de

[ Upstream commit cf634d540a29018e8d69ab1befb7e08182bc6594 ]

Could please drop that one from the stable series? It does not effect !PREEMPT_RT / mainline. Linus was not to happy about the ifdef PREEMPT_RT here. This one is about to be reworked…

Sebastian

887

days inactive

888

days old

linux-stable-mirror@lists.linaro.org

25 comments

participants

tags (0)

participants (2)

Sasha Levin
Sebastian Andrzej Siewior