[PATCH OLK-5.10] drivers:misc:sdma-dae: Write the CQ head pointer correctly.
From: wangzijian970910 <wangzijian22@huawei.com>

kunpeng inclusion
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14439
CVE: NA

-----------------------------------------------------------------

When writing the CQ head pointer for SDMA, the passed-in val should be written to the register. However, the code currently hardcodes the CQ head pointer to 1. This bug causes the CQ head and tail pointers to never match during driver unloading, resulting in an infinite loop.

Fixes: 42aacec658a8 ("drivers:misc:sdma-dae: optimize kernel code")
Signed-off-by: wangzijian970910 <wangzijian22@huawei.com>
---
 drivers/misc/sdma-dae/sdma_hal.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/sdma-dae/sdma_hal.h b/drivers/misc/sdma-dae/sdma_hal.h index 437fb755bca3c..8924ad0c5f103 100644 --- a/drivers/misc/sdma-dae/sdma_hal.h +++ b/drivers/misc/sdma-dae/sdma_hal.h @@ -270,7 +270,7 @@ static inline void sdma_channel_set_cq_head(struct hisi_sdma_channel *pchan, u32 u32 reg_val = readl(pchan->io_base + HISI_SDMA_CH_CQHDBR_REG); reg_val &= ~HISI_SDMA_U32_MSK; - reg_val |= FIELD_PREP(HISI_SDMA_U32_MSK, 1); + reg_val |= FIELD_PREP(HISI_SDMA_U32_MSK, val); writel(reg_val, pchan->io_base + HISI_SDMA_CH_CQHDBR_REG); } -- 2.43.0
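Review bot: on the changed line reg_val |= FIELD_PREP(HISI_SDMA_U32_MSK, val); a runtime val is masked without any diagnostic, so a caller that passes a value outside the valid head range would still program a head that never equals the tail, and the commit message says that mismatch makes driver unload loop forever. Consider range-checking val here or bounding the unload wait with a timeout, so a bad head value turns into an error instead of a hang. If HISI_SDMA_U32_MSK spans the whole register, as its name suggests, the readl()/clear/OR sequence could also be reduced to a plain writel() of val.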
FeedBack: The patch(es) which you have sent to kernel@openeuler.org has been converted to PR failed!
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/KSB...
Failed Reason: apply patch(es) failed, Patch failed at 0001 drivers:misc:sdma-dae: Write the CQ head pointer correctly.
Suggest Solution: please checkout if the failed patch(es) can work on the newest codes in expected branch
From: Davidlohr Bueso <dave@stgolabs.net>

stable inclusion
from stable-v5.10.253
commit 33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14301
CVE: CVE-2026-31555

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

commit 210d36d892de5195e6766c45519dfb1e65f3eb83 upstream.

Fuzzing/stressing futexes triggered:

    WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524

When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'.

After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting().

    CPU0                        CPU1                                        CPU2

    futex_lock_pi(uaddr)
    // acquires the PI futex
    exit()
      futex_cleanup_begin()
        futex_state = EXITING;
                                futex_lock_pi(uaddr)
                                  futex_lock_pi_atomic()
                                    attach_to_pi_owner()
                                      // observes EXITING
                                      *exiting = owner;  // takes ref
                                      return -EBUSY
                                  wait_for_owner_exiting(-EBUSY, owner)
                                    put_task_struct();   // drops ref
                                  // exiting still points to owner
                                  goto retry;
                                  futex_lock_pi_atomic()
                                    lock_pi_update_atomic()
                                      cmpxchg(uaddr)
                                                                            *uaddr ^= WAITERS // whatever
                                      // value changed
                                    return -EAGAIN;
                                  wait_for_owner_exiting(-EAGAIN, exiting) // stale
                                    WARN_ON_ONCE(exiting)

Fix this by resetting upon retry, essentially aligning it with requeue_pi.

Fixes: 3ef240eaff36 ("futex: Prevent exit livelock")
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260326001759.4129680-1-dave@stgolabs.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiacheng Yu <yujiacheng3@huawei.com>
---
 kernel/futex/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/futex/core.c b/kernel/futex/core.c index cde0ca876b935..df86c0e494184 100644 --- a/kernel/futex/core.c +++ b/kernel/futex/core.c @@ -2785,9 +2785,9 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, int trylock) { struct hrtimer_sleeper timeout, *to; - struct task_struct *exiting = NULL; struct rt_mutex_waiter rt_waiter; struct futex_hash_bucket *hb; + struct task_struct *exiting; struct futex_q q = futex_q_init; int res, ret; @@ -2800,6 +2800,7 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags, to = futex_setup_timer(time, &timeout, FLAGS_CLOCKRT, 0); retry: + exiting = NULL; ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, FUTEX_WRITE); if (unlikely(ret != 0)) goto out; -- 2.43.0
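Review bot: in the first hunk the declaration of exiting loses its = NULL initializer, so the pointer only has a defined value once control has passed the new exiting = NULL; after retry:, and nothing in the visible lines stops a later change from adding a read or a goto between the declaration and that label. Keeping the initializer on the declaration in addition to the reset costs nothing. A one-line comment at the reset, saying that wait_for_owner_exiting() has already dropped the task reference and the pointer must not survive a retry, would also keep a future cleanup from hoisting the assignment back out of the loop.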
FeedBack: The patch(es) which you have sent to kernel@openeuler.org has been converted to PR failed!
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/NZZ...
Failed Reason: create PR failed when call atomgit's api, failed reason is as follows: Backend timeout
Suggest Solution: please wait, the bot will retry in the next interval
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/22117
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/NZZ...
participants (2)
- Jiacheng Yu
- patchwork bot