Searched hist:1556 (Results 1 - 25 of 42) sorted by relevance
| /linux-master/sound/soc/codecs/ | ||
| H A D | max98396.c | diff 0b7f644f Thu May 12 01:46:39 MDT 2022 Hui Tang <tanghui20@huawei.com> ASoC: max98396: Fix build error for implicit function declaration sound/soc/codecs/max98396.c: In function ‘max98396_i2c_probe’: sound/soc/codecs/max98396.c:1555:25: error: implicit declaration of function ‘devm_gpiod_get_optional’; did you mean ‘devm_regulator_get_optional’? [-Werror=implicit-function-declaration] max98396->reset_gpio = devm_gpiod_get_optional(&i2c->dev, ^~~~~~~~~~~~~~~~~~~~~~~ devm_regulator_get_optional sound/soc/codecs/max98396.c:1556:23: error: ‘GPIOD_OUT_HIGH’ undeclared (first use in this function); did you mean ‘GPIOF_INIT_HIGH’? "reset", GPIOD_OUT_HIGH); ^~~~~~~~~~~~~~ GPIOF_INIT_HIGH sound/soc/codecs/max98396.c:1556:23: note: each undeclared identifier is reported only once for each function it appears in sound/soc/codecs/max98396.c:1565:3: error: implicit declaration of function ‘gpiod_set_value_cansleep’; did you mean ‘gpio_set_value_cansleep’? [-Werror=implicit-function-declaration] gpiod_set_value_cansleep(max98396->reset_gpio, 0); ^~~~~~~~~~~~~~~~~~~~~~~~ gpio_set_value_cansleep cc1: all warnings being treated as errors Include header file <linux/gpio/consumer.h> Fixes: b58581136770 ("ASoC: max98396: add amplifier driver") Signed-off-by: Hui Tang <tanghui20@huawei.com> Link: https://lore.kernel.org/r/20220512074640.75550-2-tanghui20@huawei.com Signed-off-by: Mark Brown <broonie@kernel.org> diff 0b7f644f Thu May 12 01:46:39 MDT 2022 Hui Tang <tanghui20@huawei.com> ASoC: max98396: Fix build error for implicit function declaration sound/soc/codecs/max98396.c: In function ‘max98396_i2c_probe’: sound/soc/codecs/max98396.c:1555:25: error: implicit declaration of function ‘devm_gpiod_get_optional’; did you mean ‘devm_regulator_get_optional’? [-Werror=implicit-function-declaration] max98396->reset_gpio = devm_gpiod_get_optional(&i2c->dev, ^~~~~~~~~~~~~~~~~~~~~~~ devm_regulator_get_optional sound/soc/codecs/max98396.c:1556:23: error: ‘GPIOD_OUT_HIGH’ undeclared (first use in this function); did you mean ‘GPIOF_INIT_HIGH’? "reset", GPIOD_OUT_HIGH); ^~~~~~~~~~~~~~ GPIOF_INIT_HIGH sound/soc/codecs/max98396.c:1556:23: note: each undeclared identifier is reported only once for each function it appears in sound/soc/codecs/max98396.c:1565:3: error: implicit declaration of function ‘gpiod_set_value_cansleep’; did you mean ‘gpio_set_value_cansleep’? [-Werror=implicit-function-declaration] gpiod_set_value_cansleep(max98396->reset_gpio, 0); ^~~~~~~~~~~~~~~~~~~~~~~~ gpio_set_value_cansleep cc1: all warnings being treated as errors Include header file <linux/gpio/consumer.h> Fixes: b58581136770 ("ASoC: max98396: add amplifier driver") Signed-off-by: Hui Tang <tanghui20@huawei.com> Link: https://lore.kernel.org/r/20220512074640.75550-2-tanghui20@huawei.com Signed-off-by: Mark Brown <broonie@kernel.org> |
| /linux-master/drivers/mailbox/ | ||
| H A D | mailbox-xgene-slimpro.c | diff 8ce33c6f Thu Jan 05 00:30:43 MST 2017 Bhumika Goyal <bhumirks@gmail.com> mailbox: constify mbox_chan_ops structures Check for mbox_chan_ops structures that are only stored in the ops field of a mbox_controller structure. This field is of type const struct mbox_chan_ops *, so mbox_chan_ops structures having this property can be declared as const. Done using Coccinelle: @r1 disable optional_qualifier @ identifier i; position p; @@ struct mbox_chan_ops i@p = {...}; @ok1@ identifier r1.i; struct hi6220_mbox mbox; struct slimpro_mbox ctx; position p; @@ ( mbox.controller.ops=&i@p | ctx.mb_ctrl.ops=&i@p ) @bad@ position p!={r1.p,ok1.p}; identifier r1.i; @@ i@p @depends on !bad disable optional_qualifier@ identifier r1.i; @@ +const struct mbox_chan_ops i; File size details: text data bss dec hex filename 2310 248 0 2558 9fe drivers/mailbox/hi6220-mailbox.o 2366 192 0 2558 9fe drivers/mailbox/hi6220-mailbox.o 1500 248 0 1748 6d4 mailbox/mailbox-xgene-slimpro.o 1556 192 0 1748 6d4 mailbox/mailbox-xgene-slimpro.o Signed-off-by: Bhumika Goyal <bhumirks@gmail.com> Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org> |
| H A D | hi6220-mailbox.c | diff 8ce33c6f Thu Jan 05 00:30:43 MST 2017 Bhumika Goyal <bhumirks@gmail.com> mailbox: constify mbox_chan_ops structures Check for mbox_chan_ops structures that are only stored in the ops field of a mbox_controller structure. This field is of type const struct mbox_chan_ops *, so mbox_chan_ops structures having this property can be declared as const. Done using Coccinelle: @r1 disable optional_qualifier @ identifier i; position p; @@ struct mbox_chan_ops i@p = {...}; @ok1@ identifier r1.i; struct hi6220_mbox mbox; struct slimpro_mbox ctx; position p; @@ ( mbox.controller.ops=&i@p | ctx.mb_ctrl.ops=&i@p ) @bad@ position p!={r1.p,ok1.p}; identifier r1.i; @@ i@p @depends on !bad disable optional_qualifier@ identifier r1.i; @@ +const struct mbox_chan_ops i; File size details: text data bss dec hex filename 2310 248 0 2558 9fe drivers/mailbox/hi6220-mailbox.o 2366 192 0 2558 9fe drivers/mailbox/hi6220-mailbox.o 1500 248 0 1748 6d4 mailbox/mailbox-xgene-slimpro.o 1556 192 0 1748 6d4 mailbox/mailbox-xgene-slimpro.o Signed-off-by: Bhumika Goyal <bhumirks@gmail.com> Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org> |
| /linux-master/drivers/net/ethernet/hisilicon/hns3/ | ||
| H A D | hns3_debugfs.h | diff 1556ea91 Thu May 13 21:25:14 MDT 2021 Huazhong Tan <tanhuazhong@huawei.com> net: hns3: refactor dump mac list of debugfs Currently, the debugfs command for mac list info is implemented by "echo xxxx > cmd", and record the information in dmesg. It's unnecessary and heavy. To improve it, create two files "uc" and "mc" under directory "mac_list" for it, and query mac list info by "cat mac_list/uc" and "mac_list/mc", return the result to userspace, rather than record in dmesg. The display style is below: $ cat mac_list/uc UC MAC_LIST: FUNC_ID MAC_ADDR STATE pf 00:18:2d:00:00:71 ACTIVE $ cat mac_list/mc MC MAC_LIST: FUNC_ID MAC_ADDR STATE pf 01:80:c2:00:00:21 ACTIVE Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
| H A D | hns3_debugfs.c | diff c7a6e397 Wed Oct 27 06:11:48 MDT 2021 Guangbin Huang <huangguangbin2@huawei.com> net: hns3: expand buffer len for some debugfs command The specified buffer length for three debugfs files fd_tcam, uc and tqp is not enough for their maximum needs, so this patch fixes them. Fixes: b5a0b70d77b9 ("net: hns3: refactor dump fd tcam of debugfs") Fixes: 1556ea9120ff ("net: hns3: refactor dump mac list of debugfs") Fixes: d96b0e59468d ("net: hns3: refactor dump reg of debugfs") Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> diff 1556ea91 Thu May 13 21:25:14 MDT 2021 Huazhong Tan <tanhuazhong@huawei.com> net: hns3: refactor dump mac list of debugfs Currently, the debugfs command for mac list info is implemented by "echo xxxx > cmd", and record the information in dmesg. It's unnecessary and heavy. To improve it, create two files "uc" and "mc" under directory "mac_list" for it, and query mac list info by "cat mac_list/uc" and "mac_list/mc", return the result to userspace, rather than record in dmesg. The display style is below: $ cat mac_list/uc UC MAC_LIST: FUNC_ID MAC_ADDR STATE pf 00:18:2d:00:00:71 ACTIVE $ cat mac_list/mc MC MAC_LIST: FUNC_ID MAC_ADDR STATE pf 01:80:c2:00:00:21 ACTIVE Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
| /linux-master/drivers/input/touchscreen/ | ||
| H A D | cyttsp4_core.c | diff ca0abe3d Thu Aug 29 09:40:42 MDT 2013 Geert Uytterhoeven <geert@linux-m68k.org> Input: cyttsp4 - kill 'defined but not used' compiler warnings If both CONFIG_PM_SLEEP and CONFIG_PM_RUNTIME are unset: drivers/input/touchscreen/cyttsp4_core.c:1556: warning: ‘cyttsp4_core_sleep’ defined but not used drivers/input/touchscreen/cyttsp4_core.c:1634: warning: ‘cyttsp4_core_wake’ defined but not used Move cyttsp4_core_sleep(), cyttsp4_core_wake(), and cyttsp4_core_wake_() (which is called from cyttsp4_core_wake() only) inside the existing section protected by #if defined(CONFIG_PM_SLEEP) || defined(CONFIG_PM_RUNTIME) Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> |
| /linux-master/drivers/net/ethernet/hisilicon/hns3/hns3pf/ | ||
| H A D | hclge_debugfs.h | diff 1556ea91 Thu May 13 21:25:14 MDT 2021 Huazhong Tan <tanhuazhong@huawei.com> net: hns3: refactor dump mac list of debugfs Currently, the debugfs command for mac list info is implemented by "echo xxxx > cmd", and record the information in dmesg. It's unnecessary and heavy. To improve it, create two files "uc" and "mc" under directory "mac_list" for it, and query mac list info by "cat mac_list/uc" and "mac_list/mc", return the result to userspace, rather than record in dmesg. The display style is below: $ cat mac_list/uc UC MAC_LIST: FUNC_ID MAC_ADDR STATE pf 00:18:2d:00:00:71 ACTIVE $ cat mac_list/mc MC MAC_LIST: FUNC_ID MAC_ADDR STATE pf 01:80:c2:00:00:21 ACTIVE Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
| H A D | hclge_debugfs.c | diff 1556ea91 Thu May 13 21:25:14 MDT 2021 Huazhong Tan <tanhuazhong@huawei.com> net: hns3: refactor dump mac list of debugfs Currently, the debugfs command for mac list info is implemented by "echo xxxx > cmd", and record the information in dmesg. It's unnecessary and heavy. To improve it, create two files "uc" and "mc" under directory "mac_list" for it, and query mac list info by "cat mac_list/uc" and "mac_list/mc", return the result to userspace, rather than record in dmesg. The display style is below: $ cat mac_list/uc UC MAC_LIST: FUNC_ID MAC_ADDR STATE pf 00:18:2d:00:00:71 ACTIVE $ cat mac_list/mc MC MAC_LIST: FUNC_ID MAC_ADDR STATE pf 01:80:c2:00:00:21 ACTIVE Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
| /linux-master/scripts/ | ||
| H A D | decodecode | diff 00b24250 Thu Jan 19 00:47:38 MST 2023 Björn Töpel <bjorn@rivosinc.com> scripts/decodecode: Add support for RISC-V RISC-V has some GNU disassembly quirks, e.g. it requires '-D' to properly disassemble .2byte directives similar to Arm [1]. Further, GNU objdump groups RISC-V instruction by 2 or 4 byte chunks, instead doing byte-for-byte. Add the required switches, and translate from short/word to bytes when ARCH is "riscv". An example how to invoke decodecode for RISC-V: $ echo 'Code: bf45 f793 1007 f7d9 50ef 37af d541 b7d9 7097 00c8 (80e7) 6140' | AFLAGS="-march=rv64imac_zicbom_zihintpause" \ ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- ./scripts/decodecode Code: bf45 f793 1007 f7d9 50ef 37af d541 b7d9 7097 00c8 (80e7) 6140 All code ======== 0: bf45 c.j 0xffffffffffffffb0 2: 1007f793 andi a5,a5,256 6: f7d9 c.bnez a5,0xffffffffffffff94 8: 37af50ef jal ra,0xf5382 c: d541 c.beqz a0,0xffffffffffffff94 e: b7d9 c.j 0xffffffffffffffd4 10: 00c87097 auipc ra,0xc87 14:* 614080e7 jalr ra,1556(ra) # 0xc87624 <-- trapping instruction Code starting with the faulting instruction =========================================== 0: 614080e7 jalr ra,1556(ra) [1] https://sourceware.org/bugzilla/show_bug.cgi?id=10263 Signed-off-by: Björn Töpel <bjorn@rivosinc.com> Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com> Link: https://lore.kernel.org/r/20230119074738.708301-3-bjorn@kernel.org Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com> diff 00b24250 Thu Jan 19 00:47:38 MST 2023 Björn Töpel <bjorn@rivosinc.com> scripts/decodecode: Add support for RISC-V RISC-V has some GNU disassembly quirks, e.g. it requires '-D' to properly disassemble .2byte directives similar to Arm [1]. Further, GNU objdump groups RISC-V instruction by 2 or 4 byte chunks, instead doing byte-for-byte. Add the required switches, and translate from short/word to bytes when ARCH is "riscv". An example how to invoke decodecode for RISC-V: $ echo 'Code: bf45 f793 1007 f7d9 50ef 37af d541 b7d9 7097 00c8 (80e7) 6140' | AFLAGS="-march=rv64imac_zicbom_zihintpause" \ ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- ./scripts/decodecode Code: bf45 f793 1007 f7d9 50ef 37af d541 b7d9 7097 00c8 (80e7) 6140 All code ======== 0: bf45 c.j 0xffffffffffffffb0 2: 1007f793 andi a5,a5,256 6: f7d9 c.bnez a5,0xffffffffffffff94 8: 37af50ef jal ra,0xf5382 c: d541 c.beqz a0,0xffffffffffffff94 e: b7d9 c.j 0xffffffffffffffd4 10: 00c87097 auipc ra,0xc87 14:* 614080e7 jalr ra,1556(ra) # 0xc87624 <-- trapping instruction Code starting with the faulting instruction =========================================== 0: 614080e7 jalr ra,1556(ra) [1] https://sourceware.org/bugzilla/show_bug.cgi?id=10263 Signed-off-by: Björn Töpel <bjorn@rivosinc.com> Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com> Link: https://lore.kernel.org/r/20230119074738.708301-3-bjorn@kernel.org Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com> |
| /linux-master/drivers/net/wireless/ath/ath10k/ | ||
| H A D | htc.h | diff 2f918ea9 Tue Apr 21 06:09:35 MDT 2020 Wen Gong <wgong@codeaurora.org> ath10k: enable alt data of TX path for sdio The default credit size is 1792 bytes, but the IP mtu is 1500 bytes, then it has about 290 bytes's waste for each data packet on sdio transfer path for TX bundle, it will reduce the transmission utilization ratio for data packet. This patch enable the small credit size in firmware, firmware will use the new credit size 1556 bytes, it will increase the transmission utilization ratio for data packet on TX patch. It results in significant performance improvement on TX path. This patch only effect sdio chip, it will not effect PCI, SNOC etc. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00017-QCARMSWP-1. Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200410061400.14231-3-wgong@codeaurora.org |
| H A D | sdio.c | diff 376a30c7 Tue Nov 26 19:59:29 MST 2019 Wen Gong <wgong@codeaurora.org> ath10k: set max mtu to 1500 for sdio chip For sdio chip, the max credit size in firmware is 1556, the 1556 include payload, ieee80211 header, htt header, htc header. So it need to set the max mtu to 1500 to forbidden TX packet which exceed 1500 form application. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00017-QCARMSWP-1. Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> diff 376a30c7 Tue Nov 26 19:59:29 MST 2019 Wen Gong <wgong@codeaurora.org> ath10k: set max mtu to 1500 for sdio chip For sdio chip, the max credit size in firmware is 1556, the 1556 include payload, ieee80211 header, htt header, htc header. So it need to set the max mtu to 1500 to forbidden TX packet which exceed 1500 form application. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00017-QCARMSWP-1. Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| H A D | htc.c | diff 2f918ea9 Tue Apr 21 06:09:35 MDT 2020 Wen Gong <wgong@codeaurora.org> ath10k: enable alt data of TX path for sdio The default credit size is 1792 bytes, but the IP mtu is 1500 bytes, then it has about 290 bytes's waste for each data packet on sdio transfer path for TX bundle, it will reduce the transmission utilization ratio for data packet. This patch enable the small credit size in firmware, firmware will use the new credit size 1556 bytes, it will increase the transmission utilization ratio for data packet on TX patch. It results in significant performance improvement on TX path. This patch only effect sdio chip, it will not effect PCI, SNOC etc. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00017-QCARMSWP-1. Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200410061400.14231-3-wgong@codeaurora.org |
| /linux-master/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ | ||
| H A D | vega10_hwmgr.c | diff d031aa06 Fri Jan 08 13:14:44 MST 2021 Lee Jones <lee.jones@linaro.org> drm/amd/pm/powerplay/hwmgr/vega10_hwmgr: Fix worthy function headers, demote barely documented one Fixes the following W=1 kernel build warning(s): drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/vega10_hwmgr.c:1556: warning: Function parameter or member 'acg_freq' not described in 'vega10_populate_single_gfx_level' drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/vega10_hwmgr.c:1621: warning: Function parameter or member 'current_soc_did' not described in 'vega10_populate_single_soc_level' drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/vega10_hwmgr.c:1621: warning: Function parameter or member 'current_vol_index' not described in 'vega10_populate_single_soc_level' drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/vega10_hwmgr.c:1621: warning: Excess function parameter 'current_socclk_level' description in 'vega10_populate_single_soc_level' drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/vega10_hwmgr.c:1757: warning: Function parameter or member 'current_mem_vid' not described in 'vega10_populate_single_memory_level' drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/vega10_hwmgr.c:1757: warning: Function parameter or member 'current_memclk_level' not described in 'vega10_populate_single_memory_level' drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/vega10_hwmgr.c:1757: warning: Function parameter or member 'current_mem_soc_vind' not described in 'vega10_populate_single_memory_level' drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/vega10_hwmgr.c:2871: warning: Function parameter or member 'bitmap' not described in 'vega10_start_dpm' Cc: Evan Quan <evan.quan@amd.com> Cc: Alex Deucher <alexander.deucher@amd.com> Cc: "Christian König" <christian.koenig@amd.com> Cc: David Airlie <airlied@linux.ie> Cc: Daniel Vetter <daniel@ffwll.ch> Cc: amd-gfx@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> |
| /linux-master/net/tipc/ | ||
| H A D | udp_media.c | diff c3bcde02 Mon Jun 17 07:34:15 MDT 2019 Xin Long <lucien.xin@gmail.com> tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb udp_tunnel(6)_xmit_skb() called by tipc_udp_xmit() expects a tunnel device to count packets on dev->tstats, a perpcu variable. However, TIPC is using udp tunnel with no tunnel device, and pass the lower dev, like veth device that only initializes dev->lstats(a perpcu variable) when creating it. Later iptunnel_xmit_stats() called by ip(6)tunnel_xmit() thinks the dev as a tunnel device, and uses dev->tstats instead of dev->lstats. tstats' each pointer points to a bigger struct than lstats, so when tstats->tx_bytes is increased, other percpu variable's members could be overwritten. syzbot has reported quite a few crashes due to fib_nh_common percpu member 'nhc_pcpu_rth_output' overwritten, call traces are like: BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556 rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556 __mkroute_output net/ipv4/route.c:2332 [inline] ip_route_output_key_hash_rcu+0x819/0x2d50 net/ipv4/route.c:2564 ip_route_output_key_hash+0x1ef/0x360 net/ipv4/route.c:2393 __ip_route_output_key include/net/route.h:125 [inline] ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2651 ip_route_output_key include/net/route.h:135 [inline] ... or: kasan: GPF could be caused by NULL-ptr deref or user memory access RIP: 0010:dst_dev_put+0x24/0x290 net/core/dst.c:168 <IRQ> rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline] free_fib_info_rcu+0x2e1/0x490 net/ipv4/fib_semantics.c:217 __rcu_reclaim kernel/rcu/rcu.h:240 [inline] rcu_do_batch kernel/rcu/tree.c:2437 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline] rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697 ... The issue exists since tunnel stats update is moved to iptunnel_xmit by Commit 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()"), and here to fix it by passing a NULL tunnel dev to udp_tunnel(6)_xmit_skb so that the packets counting won't happen on dev->tstats. Reported-by: syzbot+9d4c12bfd45a58738d0a@syzkaller.appspotmail.com Reported-by: syzbot+a9e23ea2aa21044c2798@syzkaller.appspotmail.com Reported-by: syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com Reported-by: syzbot+0290d2290a607e035ba1@syzkaller.appspotmail.com Reported-by: syzbot+a43d8d4e7e8a7a9e149e@syzkaller.appspotmail.com Reported-by: syzbot+a47c5f4c6c00fc1ed16e@syzkaller.appspotmail.com Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> diff c3bcde02 Mon Jun 17 07:34:15 MDT 2019 Xin Long <lucien.xin@gmail.com> tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb udp_tunnel(6)_xmit_skb() called by tipc_udp_xmit() expects a tunnel device to count packets on dev->tstats, a perpcu variable. However, TIPC is using udp tunnel with no tunnel device, and pass the lower dev, like veth device that only initializes dev->lstats(a perpcu variable) when creating it. Later iptunnel_xmit_stats() called by ip(6)tunnel_xmit() thinks the dev as a tunnel device, and uses dev->tstats instead of dev->lstats. tstats' each pointer points to a bigger struct than lstats, so when tstats->tx_bytes is increased, other percpu variable's members could be overwritten. syzbot has reported quite a few crashes due to fib_nh_common percpu member 'nhc_pcpu_rth_output' overwritten, call traces are like: BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556 rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556 __mkroute_output net/ipv4/route.c:2332 [inline] ip_route_output_key_hash_rcu+0x819/0x2d50 net/ipv4/route.c:2564 ip_route_output_key_hash+0x1ef/0x360 net/ipv4/route.c:2393 __ip_route_output_key include/net/route.h:125 [inline] ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2651 ip_route_output_key include/net/route.h:135 [inline] ... or: kasan: GPF could be caused by NULL-ptr deref or user memory access RIP: 0010:dst_dev_put+0x24/0x290 net/core/dst.c:168 <IRQ> rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline] free_fib_info_rcu+0x2e1/0x490 net/ipv4/fib_semantics.c:217 __rcu_reclaim kernel/rcu/rcu.h:240 [inline] rcu_do_batch kernel/rcu/tree.c:2437 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline] rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697 ... The issue exists since tunnel stats update is moved to iptunnel_xmit by Commit 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()"), and here to fix it by passing a NULL tunnel dev to udp_tunnel(6)_xmit_skb so that the packets counting won't happen on dev->tstats. Reported-by: syzbot+9d4c12bfd45a58738d0a@syzkaller.appspotmail.com Reported-by: syzbot+a9e23ea2aa21044c2798@syzkaller.appspotmail.com Reported-by: syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com Reported-by: syzbot+0290d2290a607e035ba1@syzkaller.appspotmail.com Reported-by: syzbot+a43d8d4e7e8a7a9e149e@syzkaller.appspotmail.com Reported-by: syzbot+a47c5f4c6c00fc1ed16e@syzkaller.appspotmail.com Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
| /linux-master/drivers/gpu/drm/bridge/ | ||
| H A D | sil-sii8620.c | diff 56df51d0 Wed Oct 26 10:58:36 MDT 2016 kbuild test robot <fengguang.wu@intel.com> drm/bridge: fix platform_no_drv_owner.cocci warnings drivers/gpu/drm/bridge/sil-sii8620.c:1556:3-8: No need to set .owner here. The core will do it. Remove .owner field if calls are used which set it automatically Generated by: scripts/coccinelle/api/platform_no_drv_owner.cocci CC: Andrzej Hajda <a.hajda@samsung.com> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Archit Taneja <architt@codeaurora.org> Link: http://patchwork.freedesktop.org/patch/msgid/20161026165836.GA98766@lkp-sb04.lkp.intel.com |
| /linux-master/net/sctp/ | ||
| H A D | associola.c | diff 9b87d465 Wed Jun 11 10:19:32 MDT 2014 Daniel Borkmann <daniel@iogearbox.net> net: sctp: fix incorrect type in gfp initializer This fixes the following sparse warning: net/sctp/associola.c:1556:29: warning: incorrect type in initializer (different base types) net/sctp/associola.c:1556:29: expected bool [unsigned] [usertype] preload net/sctp/associola.c:1556:29: got restricted gfp_t Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> diff 9b87d465 Wed Jun 11 10:19:32 MDT 2014 Daniel Borkmann <daniel@iogearbox.net> net: sctp: fix incorrect type in gfp initializer This fixes the following sparse warning: net/sctp/associola.c:1556:29: warning: incorrect type in initializer (different base types) net/sctp/associola.c:1556:29: expected bool [unsigned] [usertype] preload net/sctp/associola.c:1556:29: got restricted gfp_t Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> diff 9b87d465 Wed Jun 11 10:19:32 MDT 2014 Daniel Borkmann <daniel@iogearbox.net> net: sctp: fix incorrect type in gfp initializer This fixes the following sparse warning: net/sctp/associola.c:1556:29: warning: incorrect type in initializer (different base types) net/sctp/associola.c:1556:29: expected bool [unsigned] [usertype] preload net/sctp/associola.c:1556:29: got restricted gfp_t Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
| /linux-master/net/iucv/ | ||
| H A D | iucv.c | diff f8a6d970 Thu Apr 26 02:02:51 MDT 2007 Alexey Dobriyan <adobriyan@gmail.com> [AF_IUCV]: Fix compilation on s390-up CC [M] net/iucv/iucv.o net/iucv/iucv.c: In function 'iucv_init': net/iucv/iucv.c:1556: error: 'iucv_cpu_notifier' undeclared (first use in this function) Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
| /linux-master/drivers/gpu/drm/amd/amdgpu/ | ||
| H A D | amdgpu_trace.h | diff 2c2fdb8b Tue Oct 15 20:51:32 MDT 2019 Kevin Wang <kevin1.wang@amd.com> drm/amdgpu: fix amdgpu trace event print string format error the trace event print string format error. (use integer type to handle string) before: amdgpu_test_kev-1556 [002] 138.508781: amdgpu_cs_ioctl: sched_job=8, timeline=gfx_0.0.0, context=177, seqno=1, ring_name=ffff94d01c207bf0, num_ibs=2 after: amdgpu_test_kev-1506 [004] 370.703783: amdgpu_cs_ioctl: sched_job=12, timeline=gfx_0.0.0, context=234, seqno=2, ring_name=gfx_0.0.0, num_ibs=1 change trace event list: 1.amdgpu_cs_ioctl 2.amdgpu_sched_run_job 3.amdgpu_ib_pipe_sync Signed-off-by: Kevin Wang <kevin1.wang@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> |
| /linux-master/drivers/usb/chipidea/ | ||
| H A D | udc.c | diff 92d08e07 Fri Jul 03 11:41:30 MDT 2020 Lee Jones <lee.jones@linaro.org> usb: chipidea: udc: Help out kerneldoc headers that have tried, demote the others Help with adding the odd description where they have been omitted or where the format isn't quite right. Demote all function headers which are lacking any attempt of describing their arguments. Fixes the following W=1 kernel build warning(s): drivers/usb/chipidea/udc.c:645: warning: Function parameter or member 'hwreq' not described in '_hardware_dequeue' drivers/usb/chipidea/udc.c:645: warning: Excess function parameter 'gadget' description in '_hardware_dequeue' drivers/usb/chipidea/udc.c:1326: warning: Function parameter or member 'ep' not described in 'ep_enable' drivers/usb/chipidea/udc.c:1326: warning: Function parameter or member 'desc' not described in 'ep_enable' drivers/usb/chipidea/udc.c:1393: warning: Function parameter or member 'ep' not described in 'ep_disable' drivers/usb/chipidea/udc.c:1433: warning: Function parameter or member 'ep' not described in 'ep_alloc_request' drivers/usb/chipidea/udc.c:1433: warning: Function parameter or member 'gfp_flags' not described in 'ep_alloc_request' drivers/usb/chipidea/udc.c:1454: warning: Function parameter or member 'ep' not described in 'ep_free_request' drivers/usb/chipidea/udc.c:1454: warning: Function parameter or member 'req' not described in 'ep_free_request' drivers/usb/chipidea/udc.c:1488: warning: Function parameter or member 'ep' not described in 'ep_queue' drivers/usb/chipidea/udc.c:1488: warning: Function parameter or member 'req' not described in 'ep_queue' drivers/usb/chipidea/udc.c:1488: warning: Function parameter or member 'gfp_flags' not described in 'ep_queue' drivers/usb/chipidea/udc.c:1512: warning: Function parameter or member 'ep' not described in 'ep_dequeue' drivers/usb/chipidea/udc.c:1512: warning: Function parameter or member 'req' not described in 'ep_dequeue' drivers/usb/chipidea/udc.c:1556: warning: Function parameter or member 'ep' not described in 'ep_set_halt' drivers/usb/chipidea/udc.c:1556: warning: Function parameter or member 'value' not described in 'ep_set_halt' drivers/usb/chipidea/udc.c:1566: warning: Function parameter or member 'ep' not described in 'ep_set_wedge' drivers/usb/chipidea/udc.c:1586: warning: Function parameter or member 'ep' not described in 'ep_fifo_flush' drivers/usb/chipidea/udc.c:1610: warning: cannot understand function prototype: 'const struct usb_ep_ops usb_ep_ops = ' drivers/usb/chipidea/udc.c:1629: warning: Function parameter or member '_gadget' not described in 'ci_hdrc_gadget_connect' drivers/usb/chipidea/udc.c:1629: warning: Function parameter or member 'is_active' not described in 'ci_hdrc_gadget_connect' drivers/usb/chipidea/udc.c:1780: warning: cannot understand function prototype: 'const struct usb_gadget_ops usb_gadget_ops = ' drivers/usb/chipidea/udc.c:1931: warning: Function parameter or member 'gadget' not described in 'ci_udc_stop' drivers/usb/chipidea/udc.c:1965: warning: Function parameter or member 'ci' not described in 'udc_irq' drivers/usb/chipidea/udc.c:2095: warning: Function parameter or member 'ci' not described in 'ci_hdrc_gadget_destroy' drivers/usb/chipidea/udc.c:2144: warning: Function parameter or member 'ci' not described in 'ci_hdrc_gadget_init' Cc: Peter Chen <Peter.Chen@nxp.com> Signed-off-by: Lee Jones <lee.jones@linaro.org> Link: https://lore.kernel.org/r/20200703174148.2749969-13-lee.jones@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> diff 92d08e07 Fri Jul 03 11:41:30 MDT 2020 Lee Jones <lee.jones@linaro.org> usb: chipidea: udc: Help out kerneldoc headers that have tried, demote the others Help with adding the odd description where they have been omitted or where the format isn't quite right. Demote all function headers which are lacking any attempt of describing their arguments. Fixes the following W=1 kernel build warning(s): drivers/usb/chipidea/udc.c:645: warning: Function parameter or member 'hwreq' not described in '_hardware_dequeue' drivers/usb/chipidea/udc.c:645: warning: Excess function parameter 'gadget' description in '_hardware_dequeue' drivers/usb/chipidea/udc.c:1326: warning: Function parameter or member 'ep' not described in 'ep_enable' drivers/usb/chipidea/udc.c:1326: warning: Function parameter or member 'desc' not described in 'ep_enable' drivers/usb/chipidea/udc.c:1393: warning: Function parameter or member 'ep' not described in 'ep_disable' drivers/usb/chipidea/udc.c:1433: warning: Function parameter or member 'ep' not described in 'ep_alloc_request' drivers/usb/chipidea/udc.c:1433: warning: Function parameter or member 'gfp_flags' not described in 'ep_alloc_request' drivers/usb/chipidea/udc.c:1454: warning: Function parameter or member 'ep' not described in 'ep_free_request' drivers/usb/chipidea/udc.c:1454: warning: Function parameter or member 'req' not described in 'ep_free_request' drivers/usb/chipidea/udc.c:1488: warning: Function parameter or member 'ep' not described in 'ep_queue' drivers/usb/chipidea/udc.c:1488: warning: Function parameter or member 'req' not described in 'ep_queue' drivers/usb/chipidea/udc.c:1488: warning: Function parameter or member 'gfp_flags' not described in 'ep_queue' drivers/usb/chipidea/udc.c:1512: warning: Function parameter or member 'ep' not described in 'ep_dequeue' drivers/usb/chipidea/udc.c:1512: warning: Function parameter or member 'req' not described in 'ep_dequeue' drivers/usb/chipidea/udc.c:1556: warning: Function parameter or member 'ep' not described in 'ep_set_halt' drivers/usb/chipidea/udc.c:1556: warning: Function parameter or member 'value' not described in 'ep_set_halt' drivers/usb/chipidea/udc.c:1566: warning: Function parameter or member 'ep' not described in 'ep_set_wedge' drivers/usb/chipidea/udc.c:1586: warning: Function parameter or member 'ep' not described in 'ep_fifo_flush' drivers/usb/chipidea/udc.c:1610: warning: cannot understand function prototype: 'const struct usb_ep_ops usb_ep_ops = ' drivers/usb/chipidea/udc.c:1629: warning: Function parameter or member '_gadget' not described in 'ci_hdrc_gadget_connect' drivers/usb/chipidea/udc.c:1629: warning: Function parameter or member 'is_active' not described in 'ci_hdrc_gadget_connect' drivers/usb/chipidea/udc.c:1780: warning: cannot understand function prototype: 'const struct usb_gadget_ops usb_gadget_ops = ' drivers/usb/chipidea/udc.c:1931: warning: Function parameter or member 'gadget' not described in 'ci_udc_stop' drivers/usb/chipidea/udc.c:1965: warning: Function parameter or member 'ci' not described in 'udc_irq' drivers/usb/chipidea/udc.c:2095: warning: Function parameter or member 'ci' not described in 'ci_hdrc_gadget_destroy' drivers/usb/chipidea/udc.c:2144: warning: Function parameter or member 'ci' not described in 'ci_hdrc_gadget_init' Cc: Peter Chen <Peter.Chen@nxp.com> Signed-off-by: Lee Jones <lee.jones@linaro.org> Link: https://lore.kernel.org/r/20200703174148.2749969-13-lee.jones@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| /linux-master/net/ipv4/ | ||
| H A D | ip_tunnel.c | diff b0ec2abf Thu Mar 07 03:07:16 MST 2024 Eric Dumazet <edumazet@google.com> net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() Apply the same fix than ones found in : 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") 1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head. syzbot reported: BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389 ipgre_rcv net/ipv4/ip_gre.c:411 [inline] gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447 gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163 ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:461 [inline] ip_rcv_finish net/ipv4/ip_input.c:449 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core net/core/dev.c:5534 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 netif_receive_skb_internal net/core/dev.c:5734 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5793 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556 tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 call_write_iter include/linux/fs.h:2087 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xb6b/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133 alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204 skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909 tun_build_skb drivers/net/tun.c:1686 [inline] tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 call_write_iter include/linux/fs.h:2087 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xb6b/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> diff 5ae1e992 Tue Feb 20 06:56:02 MST 2024 Florian Westphal <fw@strlen.de> net: ip_tunnel: prevent perpetual headroom growth syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..] kasan_report+0xda/0x110 mm/kasan/report.c:588 __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] ___skb_get_hash net/core/flow_dissector.c:1791 [inline] __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856 skb_get_hash include/linux/skbuff.h:1556 [inline] ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748 ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592 ... ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 .. iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831 ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 ... The splat occurs because skb->data points past skb->head allocated area. This is because neigh layer does: __skb_pull(skb, skb_network_offset(skb)); ... but skb_network_offset() returns a negative offset and __skb_pull() arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value. The negative value is returned because skb->head and skb->data distance is more than 64k and skb->network_header (u16) has wrapped around. The bug is in the ip_tunnel infrastructure, which can cause dev->needed_headroom to increment ad infinitum. The syzkaller reproducer consists of packets getting routed via a gre tunnel, and route of gre encapsulated packets pointing at another (ipip) tunnel. The ipip encapsulation finds gre0 as next output device. This results in the following pattern: 1). First packet is to be sent out via gre0. Route lookup found an output device, ipip0. 2). ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future output device, rt.dev->needed_headroom (ipip0). 3). ip output / start_xmit moves skb on to ipip0. which runs the same code path again (xmit recursion). 4). Routing step for the post-gre0-encap packet finds gre0 as output device to use for ipip0 encapsulated packet. tunl0->needed_headroom is then incremented based on the (already bumped) gre0 device headroom. This repeats for every future packet: gre0->needed_headroom gets inflated because previous packets' ipip0 step incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0 needed_headroom was increased. For each subsequent packet, gre/ipip0->needed_headroom grows until post-expand-head reallocations result in a skb->head/data distance of more than 64k. Once that happens, skb->network_header (u16) wraps around when pskb_expand_head tries to make sure that skb_network_offset() is unchanged after the headroom expansion/reallocation. After this skb_network_offset(skb) returns a different (and negative) result post headroom expansion. The next trip to neigh layer (or anything else that would __skb_pull the network header) makes skb->data point to a memory location outside skb->head area. v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to prevent perpetual increase instead of dropping the headroom increment completely. Reported-and-tested-by: syzbot+bfde3bef047a81b8fde6@syzkaller.appspotmail.com Closes: https://groups.google.com/g/syzkaller-bugs/c/fL9G6GtWskY/m/VKk_PR5FBAAJ Fixes: 243aad830e8a ("ip_gre: include route header_len in max_headroom calculation") Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240220135606.4939-1-fw@strlen.de Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| /linux-master/drivers/net/ethernet/mellanox/mlx4/ | ||
| H A D | en_ethtool.c | diff 1556b874 Sat Oct 04 15:35:22 MDT 2014 Eric Dumazet <edumazet@google.com> net/mlx4_en: Use the new tx_copybreak to set inline threshold Instead of setting inline threshold using module parameter only on driver load, use set_tunable() to set it dynamically. No need to store the threshold per ring, using instead the netdev global priv->prof->inline_thold Initial value still is set using the module parameter, therefore backward compatability is kept. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Amir Vadai <amirv@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
| /linux-master/include/linux/ | ||
| H A D | smp.h | diff 9ed7d75b Wed Feb 27 01:48:51 MST 2019 Peter Zijlstra <peterz@infradead.org> x86/percpu: Relax smp_processor_id() Nadav reported that since this_cpu_read() became asm-volatile, many smp_processor_id() users generated worse code due to the extra constraints. However since smp_processor_id() is reading a stable value, we can use __this_cpu_read(). While this does reduce text size somewhat, this mostly results in code movement to .text.unlikely as a result of more/larger .cold. subfunctions. Less text on the hotpath is good for I$. $ ./compare.sh defconfig-build1 defconfig-build2 vmlinux.o setup_APIC_ibs 90 98 -12,+20 force_ibs_eilvt_setup 400 413 -57,+70 pci_serr_error 109 104 -54,+49 pci_serr_error 109 104 -54,+49 unknown_nmi_error 125 120 -76,+71 unknown_nmi_error 125 120 -76,+71 io_check_error 125 132 -97,+104 intel_thermal_interrupt 730 822 +92,+0 intel_init_thermal 951 945 -6,+0 generic_get_mtrr 301 294 -7,+0 generic_get_mtrr 301 294 -7,+0 generic_set_all 749 754 -44,+49 get_fixed_ranges 352 360 -41,+49 x86_acpi_suspend_lowlevel 369 363 -6,+0 check_tsc_sync_source 412 412 -71,+71 irq_migrate_all_off_this_cpu 662 674 -14,+26 clocksource_watchdog 748 748 -113,+113 __perf_event_account_interrupt 204 197 -7,+0 attempt_merge 1748 1741 -7,+0 intel_guc_send_ct 1424 1409 -15,+0 __fini_doorbell 235 231 -4,+0 bdw_set_cdclk 928 923 -5,+0 gen11_dsi_disable 1571 1556 -15,+0 gmbus_wait 493 488 -5,+0 md_make_request 376 369 -7,+0 __split_and_process_bio 543 536 -7,+0 delay_tsc 96 89 -7,+0 hsw_disable_pc8 696 691 -5,+0 tsc_verify_tsc_adjust 215 228 -22,+35 cpuidle_driver_unref 56 49 -7,+0 blk_account_io_completion 159 148 -11,+0 mtrr_wrmsr 95 99 -29,+33 __intel_wait_for_register_fw 401 419 +18,+0 cpuidle_driver_ref 43 36 -7,+0 cpuidle_get_driver 15 8 -7,+0 blk_account_io_done 535 528 -7,+0 irq_migrate_all_off_this_cpu 662 674 -14,+26 check_tsc_sync_source 412 412 -71,+71 irq_wait_for_poll 170 163 -7,+0 generic_end_io_acct 329 322 -7,+0 x86_acpi_suspend_lowlevel 369 363 -6,+0 nohz_balance_enter_idle 198 191 -7,+0 generic_start_io_acct 254 247 -7,+0 blk_account_io_start 341 334 -7,+0 perf_event_task_tick 682 675 -7,+0 intel_init_thermal 951 945 -6,+0 amd_e400_c1e_apic_setup 47 51 -28,+32 setup_APIC_eilvt 350 328 -22,+0 hsw_enable_pc8 1611 1605 -6,+0 total 12985947 12985892 -994,+939 Reported-by: Nadav Amit <nadav.amit@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Ingo Molnar <mingo@kernel.org> |
| H A D | skmsg.h | diff 6648e613 Wed Apr 03 20:10:01 MDT 2024 Jason Xing <kernelxing@tencent.com> bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which syzbot reported [1]. [1] BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1: sk_psock_stop_verdict net/core/skmsg.c:1257 [inline] sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843 sk_psock_put include/linux/skmsg.h:459 [inline] sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648 unix_release+0x4b/0x80 net/unix/af_unix.c:1048 __sock_release net/socket.c:659 [inline] sock_close+0x68/0x150 net/socket.c:1421 __fput+0x2c1/0x660 fs/file_table.c:422 __fput_sync+0x44/0x60 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close+0x101/0x1b0 fs/open.c:1541 __x64_sys_close+0x1f/0x30 fs/open.c:1541 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0: sk_psock_data_ready include/linux/skmsg.h:464 [inline] sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline] sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202 unix_read_skb net/unix/af_unix.c:2546 [inline] unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x140/0x180 net/socket.c:745 ____sys_sendmsg+0x312/0x410 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x1e9/0x280 net/socket.c:2667 __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 value changed: 0xffffffff83d7feb0 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer similarly due to no protection of saved_data_ready. Here is another different caller causing the same issue because of the same reason. So we should protect it with sk_callback_lock read lock because the writer side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);". To avoid errors that could happen in future, I move those two pairs of lock into the sk_psock_data_ready(), which is suggested by John Fastabend. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Reported-by: syzbot+aa8c8ec2538929f18f2d@syzkaller.appspotmail.com Signed-off-by: Jason Xing <kernelxing@tencent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Closes: https://syzkaller.appspot.com/bug?extid=aa8c8ec2538929f18f2d Link: https://lore.kernel.org/all/20240329134037.92124-1-kerneljasonxing@gmail.com Link: https://lore.kernel.org/bpf/20240404021001.94815-1-kerneljasonxing@gmail.com |
| /linux-master/arch/x86/include/asm/ | ||
| H A D | smp.h | diff 9ed7d75b Wed Feb 27 01:48:51 MST 2019 Peter Zijlstra <peterz@infradead.org> x86/percpu: Relax smp_processor_id() Nadav reported that since this_cpu_read() became asm-volatile, many smp_processor_id() users generated worse code due to the extra constraints. However since smp_processor_id() is reading a stable value, we can use __this_cpu_read(). While this does reduce text size somewhat, this mostly results in code movement to .text.unlikely as a result of more/larger .cold. subfunctions. Less text on the hotpath is good for I$. $ ./compare.sh defconfig-build1 defconfig-build2 vmlinux.o setup_APIC_ibs 90 98 -12,+20 force_ibs_eilvt_setup 400 413 -57,+70 pci_serr_error 109 104 -54,+49 pci_serr_error 109 104 -54,+49 unknown_nmi_error 125 120 -76,+71 unknown_nmi_error 125 120 -76,+71 io_check_error 125 132 -97,+104 intel_thermal_interrupt 730 822 +92,+0 intel_init_thermal 951 945 -6,+0 generic_get_mtrr 301 294 -7,+0 generic_get_mtrr 301 294 -7,+0 generic_set_all 749 754 -44,+49 get_fixed_ranges 352 360 -41,+49 x86_acpi_suspend_lowlevel 369 363 -6,+0 check_tsc_sync_source 412 412 -71,+71 irq_migrate_all_off_this_cpu 662 674 -14,+26 clocksource_watchdog 748 748 -113,+113 __perf_event_account_interrupt 204 197 -7,+0 attempt_merge 1748 1741 -7,+0 intel_guc_send_ct 1424 1409 -15,+0 __fini_doorbell 235 231 -4,+0 bdw_set_cdclk 928 923 -5,+0 gen11_dsi_disable 1571 1556 -15,+0 gmbus_wait 493 488 -5,+0 md_make_request 376 369 -7,+0 __split_and_process_bio 543 536 -7,+0 delay_tsc 96 89 -7,+0 hsw_disable_pc8 696 691 -5,+0 tsc_verify_tsc_adjust 215 228 -22,+35 cpuidle_driver_unref 56 49 -7,+0 blk_account_io_completion 159 148 -11,+0 mtrr_wrmsr 95 99 -29,+33 __intel_wait_for_register_fw 401 419 +18,+0 cpuidle_driver_ref 43 36 -7,+0 cpuidle_get_driver 15 8 -7,+0 blk_account_io_done 535 528 -7,+0 irq_migrate_all_off_this_cpu 662 674 -14,+26 check_tsc_sync_source 412 412 -71,+71 irq_wait_for_poll 170 163 -7,+0 generic_end_io_acct 329 322 -7,+0 x86_acpi_suspend_lowlevel 369 363 -6,+0 nohz_balance_enter_idle 198 191 -7,+0 generic_start_io_acct 254 247 -7,+0 blk_account_io_start 341 334 -7,+0 perf_event_task_tick 682 675 -7,+0 intel_init_thermal 951 945 -6,+0 amd_e400_c1e_apic_setup 47 51 -28,+32 setup_APIC_eilvt 350 328 -22,+0 hsw_enable_pc8 1611 1605 -6,+0 total 12985947 12985892 -994,+939 Reported-by: Nadav Amit <nadav.amit@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Ingo Molnar <mingo@kernel.org> |
| /linux-master/drivers/gpu/drm/i915/gt/ | ||
| H A D | intel_gt_regs.h | diff 1556c3b4 Mon Jun 13 10:53:14 MDT 2022 Matt Roper <matthew.d.roper@intel.com> drm/i915/pvc: Add recommended MMIO setting As with past platforms, the bspec's performance tuning guide provides recommended MMIO settings. Although not technically "workarounds" we apply these through the workaround framework to ensure that they're re-applied at the proper times (e.g., on engine resets) and that any conflicts with real workarounds are flagged. Bspec: 72161 Signed-off-by: Matt Roper <matthew.d.roper@intel.com> Reviewed-by: José Roberto de Souza <jose.souza@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20220613165314.862029-1-matthew.d.roper@intel.com |
Completed in 741 milliseconds