Skip to content

L
linux
Switch branch/tag
  1. 25 Oct, 2023 2 commits
    • Jinjie Ruan's avatar
      HID: uclogic: Fix a work->entry not empty bug in __queue_work() · d45f72b3
      Jinjie Ruan authored 
      When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch
kernel and then the below work->entry not empty bug occurs.

In hid_test_uclogic_exec_event_hook_test(), the filter->work is not
initialized to be added to p.event_hooks->list, and then the
schedule_work() in uclogic_exec_event_hook() will call __queue_work(),
which check whether the work->entry is empty and cause the below
warning call trace.

So call INIT_WORK() with a fake work to solve the issue. After applying
this patch, the below work->entry not empty bug never occurs.

 WARNING: CPU: 0 PID: 2177 at kernel/workqueue.c:1787 __queue_work.part.0+0x780/0xad0
 Modules linked in:
 CPU: 0 PID: 2177 Comm: kunit_try_catch Tainted: G    B   W        N 6.6.0-rc2+ #30
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
 RIP: 0010:__queue_work.part.0+0x780/0xad0
 Code: 44 24 20 0f b6 00 84 c0 74 08 3c 03 0f 8e 52 03 00 00 f6 83 00 01 00 00 02 74 6f 4c 89 ef e8 c7 d8 f1 02 f3 90 e9 e5 f8 ff ff <0f> 0b e9 63 fc ff ff 89 e9 49 8d 57 68 4c 89 e6 4c 89 ff 83 c9 02
 RSP: 0000:ffff888102bb7ce8 EFLAGS: 00010086
 RAX: 0000000000000000 RBX: ffff888106b8e460 RCX: ffffffff84141cc7
 RDX: 1ffff11020d71c8c RSI: 0000000000000004 RDI: ffff8881001d0118
 RBP: dffffc0000000000 R08: 0000000000000001 R09: ffffed1020576f92
 R10: 0000000000000003 R11: ffff888102bb7980 R12: ffff888106b8e458
 R13: ffff888119c38800 R14: 0000000000000000 R15: ffff8881001d0100
 FS:  0000000000000000(0000) GS:ffff888119c00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffff888119506000 CR3: 0000000005286001 CR4: 0000000000770ef0
 DR0: ffffffff8fdd6ce0 DR1: ffffffff8fdd6ce1 DR2: ffffffff8fdd6ce3
 DR3: ffffffff8fdd6ce5 DR6: 00000000fffe0ff0 DR7: 0000000000000600
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? __warn+0xc9/0x260
  ? __queue_work.part.0+0x780/0xad0
  ? report_bug+0x345/0x400
  ? handle_bug+0x3c/0x70
  ? exc_invalid_op+0x14/0x40
  ? asm_exc_invalid_op+0x16/0x20
  ? _raw_spin_lock+0x87/0xe0
  ? __queue_work.part.0+0x780/0xad0
  ? __queue_work.part.0+0x249/0xad0
  queue_work_on+0x48/0x50
  uclogic_exec_event_hook.isra.0+0xf7/0x160
  hid_test_uclogic_exec_event_hook_test+0x2f1/0x5d0
  ? try_to_wake_up+0x151/0x13e0
  ? uclogic_exec_event_hook.isra.0+0x160/0x160
  ? _raw_spin_lock_irqsave+0x8d/0xe0
  ? __sched_text_end+0xa/0xa
  ? __sched_text_end+0xa/0xa
  ? migrate_enable+0x260/0x260
  ? kunit_try_run_case_cleanup+0xe0/0xe0
  kunit_generic_run_threadfn_adapter+0x4a/0x90
  ? kunit_try_catch_throw+0x80/0x80
  kthread+0x2b5/0x380
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x2d/0x70
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork_asm+0x11/0x20
  </TASK>

Fixes: a251d657 ("HID: uclogic: Handle wireless device reconnection")
Signed-off-by: default avatarJinjie Ruan <ruanjinjie@huawei.com>
Reviewed-by: default avatarJosé Expósito <jose.exposito89@gmail.com>
Link: https://lore.kernel.org/r/20231009064245.3573397-3-ruanjinjie@huawei.comSigned-off-by: default avatarBenjamin Tissoires <bentiss@kernel.org>
      d45f72b3
    • Jinjie Ruan's avatar
      HID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks() · 91cfe0bb
      Jinjie Ruan authored 
      When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and
then the below user-memory-access bug occurs.

In hid_test_uclogic_params_cleanup_event_hooks(),it call
uclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so
when it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata()
will access hdev->dev with hdev=NULL, which will cause below
user-memory-access.

So add a fake_device with quirks member and call hid_set_drvdata()
to assign hdev->dev->driver_data which avoids the null-ptr-def bug
for drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying
this patch, the below user-memory-access bug never occurs.

 general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN
 KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f]
 CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G    B   W        N 6.6.0-rc2+ #30
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
 RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
 Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00
 RSP: 0000:ffff88810679fc88 EFLAGS: 00010202
 RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
 RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948
 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0
 R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92
 R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080
 FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0
 DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6
 DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? die_addr+0x3d/0xa0
  ? exc_general_protection+0x144/0x220
  ? asm_exc_general_protection+0x22/0x30
  ? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
  ? sched_clock_cpu+0x69/0x550
  ? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70
  ? load_balance+0x2950/0x2950
  ? rcu_trc_cmpxchg_need_qs+0x67/0xa0
  hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0
  ? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600
  ? __switch_to+0x5cf/0xe60
  ? migrate_enable+0x260/0x260
  ? __kthread_parkme+0x83/0x150
  ? kunit_try_run_case_cleanup+0xe0/0xe0
  kunit_generic_run_threadfn_adapter+0x4a/0x90
  ? kunit_try_catch_throw+0x80/0x80
  kthread+0x2b5/0x380
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x2d/0x70
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork_asm+0x11/0x20
  </TASK>
 Modules linked in:
 Dumping ftrace buffer:
    (ftrace buffer empty)
 ---[ end trace 0000000000000000 ]---
 RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
 Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00
 RSP: 0000:ffff88810679fc88 EFLAGS: 00010202
 RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
 RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948
 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0
 R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92
 R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080
 FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0
 DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6
 DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600
 PKRU: 55555554
 Kernel panic - not syncing: Fatal exception
 Dumping ftrace buffer:
    (ftrace buffer empty)
 Kernel Offset: disabled
 Rebooting in 1 seconds..

Fixes: a251d657 ("HID: uclogic: Handle wireless device reconnection")
Signed-off-by: default avatarJinjie Ruan <ruanjinjie@huawei.com>
Reviewed-by: default avatarJosé Expósito <jose.exposito89@gmail.com>
Link: https://lore.kernel.org/r/20231009064245.3573397-2-ruanjinjie@huawei.comSigned-off-by: default avatarBenjamin Tissoires <bentiss@kernel.org>
      91cfe0bb
  3. 11 Oct, 2023 3 commits
  5. 10 Oct, 2023 7 commits
    • Linus Torvalds's avatar
      Merge tag 'xsa441-6.6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 1c8b86a3
      Linus Torvalds authored 
      Pull xen fix from Juergen Gross:
 "A fix for the xen events driver:

  Closing of an event channel in the Linux kernel can result in a
  deadlock. This happens when the close is being performed in parallel
  to an unrelated Xen console action and the handling of a Xen console
  interrupt in an unprivileged guest.

  The closing of an event channel is e.g. triggered by removal of a
  paravirtual device on the other side. As this action will cause
  console messages to be issued on the other side quite often, the
  chance of triggering the deadlock is not negligible"

* tag 'xsa441-6.6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/events: replace evtchn_rwlock with RCU
      1c8b86a3
    • Sumit Garg's avatar
      KEYS: trusted: Remove redundant static calls usage · 01bbafc6
      Sumit Garg authored 
      Static calls invocations aren't well supported from module __init and
__exit functions. Especially the static call from cleanup_trusted() led
to a crash on x86 kernel with CONFIG_DEBUG_VIRTUAL=y.

However, the usage of static call invocations for trusted_key_init()
and trusted_key_exit() don't add any value from either a performance or
security perspective. Hence switch to use indirect function calls instead.

Note here that although it will fix the current crash report, ultimately
the static call infrastructure should be fixed to either support its
future usage from module __init and __exit functions or not.
Reported-and-tested-by: default avatarHyeonggon Yoo <42.hyeyoo@gmail.com>
Link: https://lore.kernel.org/lkml/ZRhKq6e5nF%2F4ZIV1@fedora/#t
Fixes: 5d0682be ("KEYS: trusted: Add generic trusted keys framework")
Signed-off-by: default avatarSumit Garg <sumit.garg@linaro.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      01bbafc6
    • Linus Torvalds's avatar
      Merge tag 'irq-urgent-2023-10-10-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 87813e13
      Linus Torvalds authored 
      Pull irq fixes from Thomas Gleixner:
 "A set of updates for interrupt chip drivers:

   - Fix the fail of the Qualcomm PDC driver on v3.2 hardware which is
     caused by a control bit being moved to a different location

   - Update the SM8150 device tree PDC resource so the version register
     can be read

   - Make the Renesas RZG2L driver correct for interrupts which are
     outside of the LSB in the TSSR register by using the proper macro
     for calculating the mask

   - Document the Renesas RZ2GL device tree binding correctly and update
     them for a few devices which faul to boot otherwise

   - Use the proper accessor in the RZ2GL driver instead of blindly
     dereferencing an unchecked pointer

   - Make GICv3 handle the dma-non-coherent attribute correctly

   - Ensure that all interrupt controller nodes on RISCV are marked as
     initialized correctly

  Maintainer changes:

   - Add a new entry for GIC interrupt controllers and assign Marc
     Zyngier as the maintainer

   - Remove Marc Zyngier from the core and driver maintainer entries as
     he is burried in work and short of time to handle that.

  Thanks to Marc for all the great work he has done in the past couple
  of years!

  Also note that commit 5873d380 ("irqchip/qcom-pdc: Add support for
  v3.2 HW") has a incorrect SOB chain.

  The real author is Neil. His patch was posted by Dmitry once and Neil
  picked it up from the list and reposted it with the bogus SOB chain.

  Not a big deal, but worth to mention. I wanted to fix that up, but
  then got distracted and Marc piled more changes on top. So I decided
  to leave it as is instead of rebasing world"

* tag 'irq-urgent-2023-10-10-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  MAINTAINERS: Remove myself from the general IRQ subsystem maintenance
  MAINTAINERS: Add myself as the ARM GIC maintainer
  irqchip/renesas-rzg2l: Convert to irq_data_get_irq_chip_data()
  irqchip/stm32-exti: add missing DT IRQ flag translation
  irqchip/riscv-intc: Mark all INTC nodes as initialized
  irqchip/gic-v3: Enable non-coherent redistributors/ITSes DT probing
  irqchip/gic-v3-its: Split allocation from initialisation of its_node
  dt-bindings: interrupt-controller: arm,gic-v3: Add dma-noncoherent property
  dt-bindings: interrupt-controller: renesas,irqc: Add r8a779f0 support
  dt-bindings: interrupt-controller: renesas,rzg2l-irqc: Document RZ/G2UL SoC
  irqchip: renesas-rzg2l: Fix logic to clear TINT interrupt source
  dt-bindings: interrupt-controller: renesas,rzg2l-irqc: Update description for '#interrupt-cells' property
  arm64: dts: qcom: sm8150: extend the size of the PDC resource
  irqchip/qcom-pdc: Add support for v3.2 HW
      87813e13
    • Linus Torvalds's avatar
      Merge tag 'hyperv-fixes-signed-20231009' of... · b711538a
      Linus Torvalds authored 
      Merge tag 'hyperv-fixes-signed-20231009' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux

Pull hyperv fixes from Wei Liu:

 - fixes for Hyper-V VTL code (Saurabh Sengar and Olaf Hering)

 - fix hv_kvp_daemon to support keyfile based connection profile
   (Shradha Gupta)

* tag 'hyperv-fixes-signed-20231009' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
  hv/hv_kvp_daemon:Support for keyfile based connection profile
  hyperv: reduce size of ms_hyperv_info
  x86/hyperv: Add common print prefix "Hyper-V" in hv_init
  x86/hyperv: Remove hv_vtl_early_init initcall
  x86/hyperv: Restrict get_vtl to only VTL platforms
      b711538a
    • Linus Torvalds's avatar
      Merge tag 'v6.6-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 832b5d0b
      Linus Torvalds authored 
      Pull crypto fix from Herbert Xu:
 "Fix a regression in dm-crypt"

* tag 'v6.6-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  dm crypt: Fix reqsize in crypt_iv_eboiv_gen
      832b5d0b
    • Linus Torvalds's avatar
      Merge tag 'sound-6.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 68d187ec
      Linus Torvalds authored 
      Pull sound fixes from Takashi Iwai:
 "A collection of pending fixes since a couple of weeks ago, which
  became slightly bigger than usual due to my vacation.

  Most of changes are about ASoC device-specific fixes while USB- and
  HD-audio received quirks as usual. All fixes, including two ASoC core
  changes, are reasonably small and safe to apply"

* tag 'sound-6.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (23 commits)
  ALSA: usb-audio: Fix microphone sound on Nexigo webcam.
  ALSA: hda/realtek: Change model for Intel RVP board
  ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset
  ALSA: hda: cs35l41: Cleanup and fix double free in firmware request
  ASoC: dt-bindings: fsl,micfil: Document #sound-dai-cells
  ASoC: amd: yc: Fix non-functional mic on Lenovo 82YM
  ASoC: tlv320adc3xxx: BUG: Correct micbias setting
  ASoC: rt5682: Fix regulator enable/disable sequence
  ASoC: hdmi-codec: Fix broken channel map reporting
  ASoC: core: Do not call link_exit() on uninitialized rtd objects
  ASoC: core: Print component name when printing log
  ASoC: SOF: amd: fix for firmware reload failure after playback
  ASoC: fsl-asoc-card: use integer type for fll_id and pll_id
  ASoC: fsl_sai: Don't disable bitclock for i.MX8MP
  dt-bindings: ASoC: rockchip: Add compatible for RK3128 spdif
  ASoC: soc-generic-dmaengine-pcm: Fix function name in comment
  ALSA: hda/realtek - ALC287 merge RTK codec with CS CS35L41 AMP
  ASoC: simple-card: fixup asoc_simple_probe() error handling
  ASoC: simple-card-utils: fixup simple_util_startup() error handling
  ASoC: Intel: sof_sdw: add support for SKU 0B14
  ...
      68d187ec
    • Shradha Gupta's avatar
      hv/hv_kvp_daemon:Support for keyfile based connection profile · 42999c90
      Shradha Gupta authored 
      Ifcfg config file support in NetworkManger is deprecated. This patch
provides support for the new keyfile config format for connection
profiles in NetworkManager. The patch modifies the hv_kvp_daemon code
to generate the new network configuration in keyfile
format(.ini-style format) along with a ifcfg format configuration.
The ifcfg format configuration is also retained to support easy
backward compatibility for distro vendors. These configurations are
stored in temp files which are further translated using the
hv_set_ifconfig.sh script. This script is implemented by individual
distros based on the network management commands supported.
For example, RHEL's implementation could be found here:
https://gitlab.com/redhat/centos-stream/src/hyperv-daemons/-/blob/c9s/hv_set_ifconfig.sh
Debian's implementation could be found here:
https://github.com/endlessm/linux/blob/master/debian/cloud-tools/hv_set_ifconfig

The next part of this support is to let the Distro vendors consume
these modified implementations to the new configuration format.

Tested-on: Rhel9(Hyper-V, Azure)(nm and ifcfg files verified)
Signed-off-by: default avatarShradha Gupta <shradhagupta@linux.microsoft.com>
Reviewed-by: default avatarSaurabh Sengar <ssengar@linux.microsoft.com>
Reviewed-by: default avatarAni Sinha <anisinha@redhat.com>
Signed-off-by: default avatarWei Liu <wei.liu@kernel.org>
Link: https://lore.kernel.org/r/1696847920-31125-1-git-send-email-shradhagupta@linux.microsoft.com
      42999c90
  7. 09 Oct, 2023 4 commits
    • Thomas Gleixner's avatar
      Merge tag 'irqchip-fixes-6.6-2' of... · 4dc5af1f
      Thomas Gleixner authored 
      Merge tag 'irqchip-fixes-6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent

Pull irqchip fixes from Marc Zyngier:

  - DT binding updates for Renesas r8a779f0 and rzg2l

  - Let GICv3 honor the "dma-non-coherent" attribute for systems that
    rely on SW guessing what the HW supports

  - Fix the RISC-V INTC probing by marking all devices as initialised
    at once

  - Properly translate interrupt numbers from DT on stm32-exti

  - Use irq_data_get_irq_chip_data() in the rzg2l driver instead of
    blindly dereferencing the irq_data structure

  - Add a MAINTAINERS entry for the various ARM GIC irqchip drivers

  - Remove myself as the top-level irqchip/irqdomain maintainer

Link: https://lore.kernel.org/all/20231007121933.3840357-1-maz@kernel.org
      4dc5af1f
    • John Ogness's avatar
      printk: flush consoles before checking progress · 054c22bd
      John Ogness authored 
      Commit 9e70a5e1 ("printk: Add per-console suspended state")
removed console lock usage during resume and replaced it with
the clearly defined console_list_lock and srcu mechanisms.

However, the console lock usage had an important side-effect
of flushing the consoles. After its removal, consoles were no
longer flushed before checking their progress.

Add the console_lock/console_unlock dance to the beginning
of __pr_flush() to actually flush the consoles before checking
their progress. Also add comments to clarify this additional
usage of the console lock.

Note that console_unlock() does not guarantee flushing all messages
since the commit dbdda842 ("printk: Add console owner and waiter
logic to load balance console writes").
Reported-by: default avatarTodd Brandt <todd.e.brandt@intel.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217955
Fixes: 9e70a5e1 ("printk: Add per-console suspended state")
Co-developed-by: default avatarPetr Mladek <pmladek@suse.com>
Signed-off-by: default avatarPetr Mladek <pmladek@suse.com>
Signed-off-by: default avatarJohn Ogness <john.ogness@linutronix.de>
Link: https://lore.kernel.org/r/20231006082151.6969-2-pmladek@suse.com
      054c22bd
    • Juergen Gross's avatar
      xen/events: replace evtchn_rwlock with RCU · 87797fad
      Juergen Gross authored 
      In unprivileged Xen guests event handling can cause a deadlock with
Xen console handling. The evtchn_rwlock and the hvc_lock are taken in
opposite sequence in __hvc_poll() and in Xen console IRQ handling.
Normally this is no problem, as the evtchn_rwlock is taken as a reader
in both paths, but as soon as an event channel is being closed, the
lock will be taken as a writer, which will cause read_lock() to block:

CPU0                     CPU1                CPU2
(IRQ handling)           (__hvc_poll())      (closing event channel)

read_lock(evtchn_rwlock)
                         spin_lock(hvc_lock)
                                             write_lock(evtchn_rwlock)
                                                 [blocks]
spin_lock(hvc_lock)
    [blocks]
                        read_lock(evtchn_rwlock)
                            [blocks due to writer waiting,
                             and not in_interrupt()]

This issue can be avoided by replacing evtchn_rwlock with RCU in
xen_free_irq(). Note that RCU is used only to delay freeing of the
irq_info memory. There is no RCU based dereferencing or replacement of
pointers involved.

In order to avoid potential races between removing the irq_info
reference and handling of interrupts, set the irq_info pointer to NULL
only when freeing its memory. The IRQ itself must be freed at that
time, too, as otherwise the same IRQ number could be allocated again
before handling of the old instance would have been finished.

This is XSA-441 / CVE-2023-34324.

Fixes: 54c9de89 ("xen/events: add a new "late EOI" evtchn framework")
Reported-by: default avatarMarek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
Reviewed-by: default avatarJulien Grall <jgrall@amazon.com>
Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      87797fad
    • Christos Skevis's avatar
      ALSA: usb-audio: Fix microphone sound on Nexigo webcam. · 4a63e68a
      Christos Skevis authored 
      I own an external usb Webcam, model NexiGo N930AF, which had low mic volume and
inconsistent sound quality. Video works as expected.

(snip)
[  +0.047857] usb 5-1: new high-speed USB device number 2 using xhci_hcd
[  +0.003406] usb 5-1: New USB device found, idVendor=1bcf, idProduct=2283, bcdDevice=12.17
[  +0.000007] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  +0.000004] usb 5-1: Product: NexiGo N930AF FHD Webcam
[  +0.000003] usb 5-1: Manufacturer: SHENZHEN AONI ELECTRONIC CO., LTD
[  +0.000004] usb 5-1: SerialNumber: 20201217011
[  +0.003900] usb 5-1: Found UVC 1.00 device NexiGo N930AF FHD Webcam (1bcf:2283)
[  +0.025726] usb 5-1: 3:1: cannot get usb sound sample rate freq at ep 0x86
[  +0.071482] usb 5-1: 3:2: cannot get usb sound sample rate freq at ep 0x86
[  +0.004679] usb 5-1: 3:3: cannot get usb sound sample rate freq at ep 0x86
[  +0.051607] usb 5-1: Warning! Unlikely big volume range (=4096), cval->res is probably wrong.
[  +0.000005] usb 5-1: [7] FU [Mic Capture Volume] ch = 1, val = 0/4096/1

Set up quirk cval->res to 16 for 256 levels,
Set GET_SAMPLE_RATE quirk flag to stop trying to get the sample rate.
Confirmed that happened anyway later due to the backoff mechanism, after 3 failures

All audio stream on device interfaces share the same values,
apart from wMaxPacketSize and tSamFreq :

(snip)
Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        3
      bAlternateSetting       3
      bNumEndpoints           1
      bInterfaceClass         1 Audio
      bInterfaceSubClass      2 Streaming
      bInterfaceProtocol      0
      iInterface              0
      AudioStreaming Interface Descriptor:
        bLength                 7
        bDescriptorType        36
        bDescriptorSubtype      1 (AS_GENERAL)
        bTerminalLink           8
        bDelay                  1 frames
        wFormatTag         0x0001 PCM
      AudioStreaming Interface Descriptor:
        bLength                11
        bDescriptorType        36
        bDescriptorSubtype      2 (FORMAT_TYPE)
        bFormatType             1 (FORMAT_TYPE_I)
        bNrChannels             1
        bSubframeSize           2
        bBitResolution         16
        bSamFreqType            1 Discrete
        tSamFreq[ 0]        44100
      Endpoint Descriptor:
        bLength                 9
        bDescriptorType         5
        bEndpointAddress     0x86  EP 6 IN
        bmAttributes            5
          Transfer Type            Isochronous
          Synch Type               Asynchronous
          Usage Type               Data
        wMaxPacketSize     0x005c  1x 92 bytes
        bInterval               4
        bRefresh                0
        bSynchAddress           0
        AudioStreaming Endpoint Descriptor:
          bLength                 7
          bDescriptorType        37
          bDescriptorSubtype      1 (EP_GENERAL)
          bmAttributes         0x01
            Sampling Frequency
          bLockDelayUnits         0 Undefined
          wLockDelay         0x0000
(snip)

Based on the usb data about manufacturer, SPCA2281B3 is the most likely controller IC
Manufacturer does not provide link for datasheet nor detailed specs.
No way to confirm if the firmware supports any other way of getting the sample rate.

Testing patch provides consistent good sound recording quality and volume range.

(snip)
[  +0.045764] usb 5-1: new high-speed USB device number 2 using xhci_hcd
[  +0.106290] usb 5-1: New USB device found, idVendor=1bcf, idProduct=2283, bcdDevice=12.17
[  +0.000006] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  +0.000004] usb 5-1: Product: NexiGo N930AF FHD Webcam
[  +0.000003] usb 5-1: Manufacturer: SHENZHEN AONI ELECTRONIC CO., LTD
[  +0.000004] usb 5-1: SerialNumber: 20201217011
[  +0.043700] usb 5-1: set resolution quirk: cval->res = 16
[  +0.002585] usb 5-1: Found UVC 1.00 device NexiGo N930AF FHD Webcam (1bcf:2283)
Signed-off-by: default avatarChristos Skevis <xristos.thes@gmail.com>
Link: https://lore.kernel.org/r/20231006155330.399393-1-xristos.thes@gmail.comSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      4a63e68a
  9. 08 Oct, 2023 4 commits
  11. 07 Oct, 2023 20 commits
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7