1. 12 Jun, 2024 4 commits
    • Hector Martin's avatar
      xhci: Handle TD clearing for multiple streams case · 5ceac440
      Hector Martin authored
      When multiple streams are in use, multiple TDs might be in flight when
      an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for
      each, to ensure everything is reset properly and the caches cleared.
      Change the logic so that any N>1 TDs found active for different streams
      are deferred until after the first one is processed, calling
      xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to
      queue another command until we are done with all of them. Also change
      the error/"should never happen" paths to ensure we at least clear any
      affected TDs, even if we can't issue a command to clear the hardware
      cache, and complain loudly with an xhci_warn() if this ever happens.
      
      This problem case dates back to commit e9df17eb ("USB: xhci: Correct
      assumptions about number of rings per endpoint.") early on in the XHCI
      driver's life, when stream support was first added.
      It was then identified but not fixed nor made into a warning in commit
      674f8438 ("xhci: split handling halted endpoints into two steps"),
      which added a FIXME comment for the problem case (without materially
      changing the behavior as far as I can tell, though the new logic made
      the problem more obvious).
      
      Then later, in commit 94f33914 ("xhci: Fix failure to give back some
      cached cancelled URBs."), it was acknowledged again.
      
      [Mathias: commit 94f33914 ("xhci: Fix failure to give back some cached
      cancelled URBs.") was a targeted regression fix to the previously mentioned
      patch. Users reported issues with usb stuck after unmounting/disconnecting
      UAS devices. This rolled back the TD clearing of multiple streams to its
      original state.]
      
      Apparently the commit author was aware of the problem (yet still chose
      to submit it): It was still mentioned as a FIXME, an xhci_dbg() was
      added to log the problem condition, and the remaining issue was mentioned
      in the commit description. The choice of making the log type xhci_dbg()
      for what is, at this point, a completely unhandled and known broken
      condition is puzzling and unfortunate, as it guarantees that no actual
      users would see the log in production, thereby making it nigh
      undebuggable (indeed, even if you turn on DEBUG, the message doesn't
      really hint at there being a problem at all).
      
      It took me *months* of random xHC crashes to finally find a reliable
      repro and be able to do a deep dive debug session, which could all have
      been avoided had this unhandled, broken condition been actually reported
      with a warning, as it should have been as a bug intentionally left in
      unfixed (never mind that it shouldn't have been left in at all).
      
      > Another fix to solve clearing the caches of all stream rings with
      > cancelled TDs is needed, but not as urgent.
      
      3 years after that statement and 14 years after the original bug was
      introduced, I think it's finally time to fix it. And maybe next time
      let's not leave bugs unfixed (that are actually worse than the original
      bug), and let's actually get people to review kernel commits please.
      
      Fixes xHC crashes and IOMMU faults with UAS devices when handling
      errors/faults. Easiest repro is to use `hdparm` to mark an early sector
      (e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.
      At least in the case of JMicron controllers, the read errors end up
      having to cancel two TDs (for two queued requests to different streams)
      and the one that didn't get cleared properly ends up faulting the xHC
      entirely when it tries to access DMA pages that have since been unmapped,
      referred to by the stale TDs. This normally happens quickly (after two
      or three loops). After this fix, I left the `cat` in a loop running
      overnight and experienced no xHC failures, with all read errors
      recovered properly. Repro'd and tested on an Apple M1 Mac Mini
      (dwc3 host).
      
      On systems without an IOMMU, this bug would instead silently corrupt
      freed memory, making this a security bug (even on systems with IOMMUs
      this could silently corrupt memory belonging to other USB devices on the
      same controller, so it's still a security bug). Given that the kernel
      autoprobes partition tables, I'm pretty sure a malicious USB device
      pretending to be a UAS device and reporting an error with the right
      timing could deliberately trigger a UAF and write to freed memory, with
      no user action.
      
      [Mathias: Commit message and code comment edit, original at:]
      https://lore.kernel.org/linux-usb/20240524-xhci-streams-v1-1-6b1f13819bea@marcan.st/
      
      Fixes: e9df17eb ("USB: xhci: Correct assumptions about number of rings per endpoint.")
      Fixes: 94f33914 ("xhci: Fix failure to give back some cached cancelled URBs.")
      Fixes: 674f8438 ("xhci: split handling halted endpoints into two steps")
      Cc: stable@vger.kernel.org
      Cc: security@kernel.org
      Reviewed-by: default avatarNeal Gompa <neal@gompa.dev>
      Signed-off-by: default avatarHector Martin <marcan@marcan.st>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20240611120610.3264502-5-mathias.nyman@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ceac440
    • Kuangyi Chiang's avatar
      xhci: Apply broken streams quirk to Etron EJ188 xHCI host · 91f7a152
      Kuangyi Chiang authored
      As described in commit 8f873c1f ("xhci: Blacklist using streams on the
      Etron EJ168 controller"), EJ188 have the same issue as EJ168, where Streams
      do not work reliable on EJ188. So apply XHCI_BROKEN_STREAMS quirk to EJ188
      as well.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKuangyi Chiang <ki.chiang65@gmail.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20240611120610.3264502-4-mathias.nyman@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      91f7a152
    • Kuangyi Chiang's avatar
      xhci: Apply reset resume quirk to Etron EJ188 xHCI host · 17bd5455
      Kuangyi Chiang authored
      As described in commit c877b3b2 ("xhci: Add reset on resume quirk for
      asrock p67 host"), EJ188 have the same issue as EJ168, where completely
      dies on resume. So apply XHCI_RESET_ON_RESUME quirk to EJ188 as well.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKuangyi Chiang <ki.chiang65@gmail.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20240611120610.3264502-3-mathias.nyman@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17bd5455
    • Mathias Nyman's avatar
      xhci: Set correct transferred length for cancelled bulk transfers · f0260589
      Mathias Nyman authored
      The transferred length is set incorrectly for cancelled bulk
      transfer TDs in case the bulk transfer ring stops on the last transfer
      block with a 'Stop - Length Invalid' completion code.
      
      length essentially ends up being set to the requested length:
      urb->actual_length = urb->transfer_buffer_length
      
      Length for 'Stop - Length Invalid' cases should be the sum of all
      TRB transfer block lengths up to the one the ring stopped on,
      _excluding_ the one stopped on.
      
      Fix this by always summing up TRB lengths for 'Stop - Length Invalid'
      bulk cases.
      
      This issue was discovered by Alan Stern while debugging
      https://bugzilla.kernel.org/show_bug.cgi?id=218890, but does not
      solve that bug. Issue is older than 4.10 kernel but fix won't apply
      to those due to major reworks in that area.
      Tested-by: default avatarPierre Tomon <pierretom+12@ik.me>
      Cc: stable@vger.kernel.org # v4.10+
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20240611120610.3264502-2-mathias.nyman@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0260589
  2. 07 Jun, 2024 1 commit
  3. 04 Jun, 2024 9 commits
  4. 02 Jun, 2024 8 commits
  5. 01 Jun, 2024 6 commits
  6. 31 May, 2024 12 commits
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2024-06-01' of https://gitlab.freedesktop.org/drm/kernel · cc8ed4d0
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "This is the weekly fixes. Lots of small fixes across the board, one
        BUG_ON fix in shmem seems most important, otherwise amdgpu, i915, xe
        mostly with small fixes to all the other drivers.
      
        shmem:
         - fix BUG_ON in COW handling
         - warn when trying to pin imported objects
      
        buddy:
         - fix page size handling
      
        dma-buf:
         - sw-sync: Don't interfere with IRQ handling
         - fix kthreads-handling error path
      
        i915:
         - fix a race in audio component by registering it later
         - make DPT object unshrinkable to avoid shrinking when framebuffer
           has not shrunk
         - fix CCS id calculation to fix a perf regression
         - fix selftest caching mode
         - fix FIELD_PREP compiler warnings
         - fix indefinite wait for GT wakeref release
         - revert overeager multi-gt pm reference removal
      
        xe:
         - pcode polling timeout change
         - fix for deadlocks for faulting VMs
         - error-path lock imbalance fix
      
        amdgpu:
         - RAS fix
         - fix colorspace property for MST connectors
         - fix for PCIe DPM
         - silence UBSAN warning
         - GPUVM robustness fix
         - partition fix
         - drop deprecated I2C_CLASS_SPD
      
        amdkfd:
         - revert unused changes for certain 11.0.3 devices
         - simplify APU VRAM handling
      
        lima:
         - fix dma_resv-related deadlock in object pin
      
        msm:
         - remove build-time dependency on Python 3.9
      
        nouveau:
         - nvif: Fix possible integer overflow
      
        panel:
         - lg-sw43408: Select DP helpers; Declare backlight ops as static
         - sitronix-st7789v: Various fixes for jt240mhqs_hwt_ek_e3 panel
      
        panfrost:
         - fix dma_resv-related deadlock in object pin"
      
      * tag 'drm-fixes-2024-06-01' of https://gitlab.freedesktop.org/drm/kernel: (35 commits)
        drm/msm: remove python 3.9 dependency for compiling msm
        drm/panel: sitronix-st7789v: fix display size for jt240mhqs_hwt_ek_e3 panel
        drm/panel: sitronix-st7789v: tweak timing for jt240mhqs_hwt_ek_e3 panel
        drm/panel: sitronix-st7789v: fix timing for jt240mhqs_hwt_ek_e3 panel
        drm/amd/pm: remove deprecated I2C_CLASS_SPD support from newly added SMU_14_0_2
        drm/amdgpu: Make CPX mode auto default in NPS4
        drm/amdkfd: simplify APU VRAM handling
        Revert "drm/amdkfd: fix gfx_target_version for certain 11.0.3 devices"
        drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent
        drm/amdgpu: silence UBSAN warning
        drm/amdgpu: Adjust logic in amdgpu_device_partner_bandwidth()
        drm/i915: Fix audio component initialization
        drm/i915/dpt: Make DPT object unshrinkable
        drm/i915/gt: Fix CCS id's calculation for CCS mode setting
        drm/panel/lg-sw43408: mark sw43408_backlight_ops as static
        drm/i915/selftests: Set always_coherent to false when reading from CPU
        drm/panel/lg-sw43408: select CONFIG_DRM_DISPLAY_DP_HELPER
        drm/i915/guc: avoid FIELD_PREP warning
        drm/i915/gt: Disarm breadcrumbs if engines are already idle
        Revert "drm/i915: Remove extra multi-gt pm-references"
        ...
      cc8ed4d0
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-v6.10-rc2' of... · 1b907b83
      Linus Torvalds authored
      Merge tag 'hwmon-for-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
      
       - sttcs: Fix property spelling
      
       - intel-m10-bmc-hwmon: Fix multiplier for N6000 board power sensor
      
       - ltc2992: Fix memory leak
      
       - dell-smm: Add Dell G15 5511 to fan control whitelist
      
      * tag 'hwmon-for-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (shtc1) Fix property misspelling
        hwmon: (intel-m10-bmc-hwmon) Fix multiplier for N6000 board power sensor
        hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()
        hwmon: (dell-smm) Add Dell G15 5511 to fan control whitelist
      1b907b83
    • Linus Torvalds's avatar
      Merge tag 'mailbox-fixes-v6.10-rc1' of... · b7087cb3
      Linus Torvalds authored
      Merge tag 'mailbox-fixes-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox
      
      Pull mailbox fix from Jassi Brar:
      
       - zynqmp-ipi: fix linker error on some configurations
      
      * tag 'mailbox-fixes-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox:
        mailbox: zynqmp-ipi: drop irq_to_desc() call
      b7087cb3
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · d5931dd0
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A series of fixes that came in since the merge window, the main thing
        being the fixes Andy did for DMA sync where we were calling into the
        DMA API in suprising ways and causing issues as a result, the main
        thing being confusing the IOMMU code.
      
        We've also got some fairly important fixes for the stm32 driver, it
        supports a wide range of hardware and some optimisations that were
        done recently have broken on some systems, and a fix to prevent
        glitched signals on the bus in the cadence driver"
      
      * tag 'spi-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: stm32: Don't warn about spurious interrupts
        spi: Assign dummy scatterlist to unidirectional transfers
        spi: cadence: Ensure data lines set to low during dummy-cycle period
        spi: stm32: Revert change that enabled controller before asserting CS
        spi: Check if transfer is mapped before calling DMA sync APIs
        spi: Don't mark message DMA mapped when no transfer in it is
      d5931dd0
    • Linus Torvalds's avatar
      Merge tag 'regulator-fix-v6.10-rc1' of... · 28add42d
      Linus Torvalds authored
      Merge tag 'regulator-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fix from Mark Brown:
       "One fix that came in since -rc1, fixing misuse of a local variable in
        the DT parsing code in the RTQ2208 driver"
      
      * tag 'regulator-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: rtq2208: Fix invalid memory access when devm_of_regulator_put_matches is called
      28add42d
    • Linus Torvalds's avatar
      Merge tag 'regmap-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap · b7c05622
      Linus Torvalds authored
      Pull regmap fix from Mark Brown:
       "The I2C bus was not taking account of the register and any padding
        bytes when handling maximum write sizes supported by an I2C adaptor,
        this patch from Jim Wylder fixes that"
      
      * tag 'regmap-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
        regmap-i2c: Subtract reg size from max_write
      b7c05622
    • Linus Torvalds's avatar
      Merge tag 'block-6.10-20240530' of git://git.kernel.dk/linux · 0f9a7517
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe fixes via Keith:
            - Removing unused fields (Kanchan)
            - Large folio offsets support (Kundan)
            - Multipath NUMA node initialiazation fix (Nilay)
            - Multipath IO stats accounting fixes (Keith)
            - Circular lockdep fix (Keith)
            - Target race condition fix (Sagi)
            - Target memory leak fix (Sagi)
      
       - bcache fixes
      
       - null_blk fixes (Damien)
      
       - Fix regression in io.max due to throttle low removal (Waiman)
      
       - DM limit table fixes (Christoph)
      
       - SCSI and block limit fixes (Christoph)
      
       - zone fixes (Damien)
      
       - Misc fixes (Christoph, Hannes, hexue)
      
      * tag 'block-6.10-20240530' of git://git.kernel.dk/linux: (25 commits)
        blk-throttle: Fix incorrect display of io.max
        block: Fix zone write plugging handling of devices with a runt zone
        block: Fix validation of zoned device with a runt zone
        null_blk: Do not allow runt zone with zone capacity smaller then zone size
        nvmet: fix a possible leak when destroy a ctrl during qp establishment
        nvme: use srcu for iterating namespace list
        bcache: code cleanup in __bch_bucket_alloc_set()
        bcache: call force_wake_up_gc() if necessary in check_should_bypass()
        bcache: allow allocator to invalidate bucket in gc
        block: check for max_hw_sectors underflow
        block: stack max_user_sectors
        sd: also set max_user_sectors when setting max_sectors
        null_blk: Print correct max open zones limit in null_init_zoned_dev()
        block: delete redundant function declaration
        null_blk: Fix return value of nullb_device_power_store()
        dm: make dm_set_zones_restrictions work on the queue limits
        dm: remove dm_check_zoned
        dm: move setting zoned_enabled to dm_table_set_restrictions
        block: remove blk_queue_max_integrity_segments
        nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset
        ...
      0f9a7517
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.10-20240530' of git://git.kernel.dk/linux · 6d541d66
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "A couple of minor fixes for issues introduced in the 6.10 merge window:
      
         - Ensure that all read/write ops have an appropriate cleanup handler
           set (Breno)
      
         - Regression for applications still doing multiple mmaps even if
           FEAT_SINGLE_MMAP is set (me)
      
         - Move kmsg inquiry setting above any potential failure point,
           avoiding a spurious NONEMPTY flag setting on early error (me)"
      
      * tag 'io_uring-6.10-20240530' of git://git.kernel.dk/linux:
        io_uring/net: assign kmsg inq/flags before buffer selection
        io_uring/rw: Free iovec before cleaning async data
        io_uring: don't attempt to mmap larger than what the user asks for
      6d541d66
    • Kees Cook's avatar
      kunit/fortify: Remove __kmalloc_node() test · 99a6087d
      Kees Cook authored
      __kmalloc_node() is considered an "internal" function to the Slab, so
      drop it from explicit testing.
      
      Link: https://lore.kernel.org/r/20240531185703.work.588-kees@kernel.orgSigned-off-by: default avatarKees Cook <kees@kernel.org>
      99a6087d
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-6.10-2024-05-31' of git://git.infradead.org/users/hch/dma-mapping · b0504965
      Linus Torvalds authored
      Pull dma-mapping fixes from Christoph Hellwig:
      
       - dma-mapping benchmark error handling fixes (Fedor Pchelkin)
      
       - correct a config symbol reference in the DMA API documentation (Lukas
         Bulwahn)
      
      * tag 'dma-mapping-6.10-2024-05-31' of git://git.infradead.org/users/hch/dma-mapping:
        Documentation/core-api: correct reference to SWIOTLB_DYNAMIC
        dma-mapping: benchmark: handle NUMA_NO_NODE correctly
        dma-mapping: benchmark: fix node id validation
        dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails
        dma-mapping: benchmark: fix up kthread-related error handling
      b0504965
    • Linus Torvalds's avatar
      Merge tag 'sound-6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7d88cc8e
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Lots of small fixes:
      
         - A race fix for debugfs handling in ALSA core
      
         - A series of corrections for MIDI2 core format conversions
      
         - ASoC Intel fixes for 16 bit DMIC config
      
         - Updates for missing module parameters in ASoC code
      
         - HD-audio quirk, Cirrus codec fix, etc minor fixes"
      
      * tag 'sound-6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (26 commits)
        ALSA: seq: ump: Fix swapped song position pointer data
        ASoC: SOF: ipc4-topology: Adjust the params based on DAI formats
        ASoC: SOF: ipc4-topology: Improve readability of sof_ipc4_prepare_dai_copier()
        ASoC: SOF: ipc4-topology/pcm: Rename sof_ipc4_copier_is_single_format()
        ASoC: SOF: ipc4-topology: Print out the channel count in sof_ipc4_dbg_audio_format
        ASoC: SOF: ipc4-topology: Add support for NHLT with 16-bit only DMIC blob
        ALSA: seq: Fix yet another spot for system message conversion
        ALSA: ump: Set default protocol when not given explicitly
        ALSA: ump: Don't accept an invalid UMP protocol number
        ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension
        ASoC: Intel: sof-sdw: fix missing SPI_MASTER dependency
        ALSA: pcm: fix typo in comment
        ALSA: ump: Don't clear bank selection after sending a program change
        ALSA: seq: Fix incorrect UMP type for system messages
        ALSA/hda: intel-dsp-config: reduce log verbosity
        ALSA: seq: Don't clear bank selection at event -> UMP MIDI2 conversion
        ALSA: seq: Fix missing bank setup between MIDI1/MIDI2 UMP conversion
        ASoC: SOF: add missing MODULE_DESCRIPTION()
        ASoC: SOF: reorder MODULE_ definitions
        ASoC: SOF: AMD: group all module related information
        ...
      7d88cc8e
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v6.10-2' of... · 87895a64
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Hans de Goede:
      
       - a use-after-free bugfix
      
       - Kconfig fixes for randconfig builds
      
       - allow setting touchscreen_dmi quirks from the cmdline for debugging
      
       - touchscreen_dmi quirks for two new laptop/tablet models
      
      * tag 'platform-drivers-x86-v6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro
        platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet
        platform/x86: touchscreen_dmi: Add support for setting touchscreen properties from cmdline
        platform/x86: thinkpad_acpi: Select INPUT_SPARSEKMAP in Kconfig
        platform/x86: x86-android-tablets: Add "select LEDS_CLASS"
        platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
      87895a64