From: Zhang Zekun <zhangzekun11(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9TIC6
------------------------------------------
The first four params in struct iova_rcache will share the same
cache line. The depot related parameter which will be upated each
time the depot has been changed, and it should not influence the
field "cpu_rcache". Moving the delayed_work up to avoid cache
false-sharing, because it has 192 Bytes, which should be enough for
sperating a cache line. The optimization can be reflected by perf top:
Before:
31.13% [kernel] [k] queue_iova
23.02% [kernel] [k] __iova_rcache_get
7.78% [kernel] [k] __arm_lpae_unmap
6.18% [kernel] [k] arm_lpae_map
3.91% [kernel] [k] sch_direct_xmit
3.19% [kernel] [k] __arm_lpae_map
1.50% [kernel] [k] __dev_queue_xmit
After:
15.88% [kernel] [k] __arm_lpae_unmap
11.33% [kernel] [k] arm_lpae_map
7.98% [kernel] [k] sch_direct_xmit
6.71% [kernel] [k] __arm_lpae_map
5.35% [kernel] [k] queue_iova
3.09% [kernel] [k] __dev_queue_xmit
2.83% [kernel] [k] ip_finish_output2
Fixes: 876b598ef137 ("iommu/iova: Make the rcache depot scale better")
Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com>
---
include/linux/iova.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/iova.h b/include/linux/iova.h
index ccc59e4b6c54..32996e73ce19 100644
--- a/include/linux/iova.h
+++ b/include/linux/iova.h
@@ -31,9 +31,9 @@ struct iova_rcache {
spinlock_t lock;
unsigned int depot_size;
struct iova_magazine *depot;
+ struct delayed_work work;
struct iova_cpu_rcache __percpu *cpu_rcaches;
struct iova_domain *iovad;
- struct delayed_work work;
KABI_RESERVE(1)
KABI_RESERVE(2)
};
--
2.34.1
From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
stable inclusion
from stable-v5.10.219
commit cc121e3722a0a2c8f716ef991e5425b180a5fb94
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3L
CVE: CVE-2024-38634
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ]
uart_handle_cts_change() has to be called with port lock taken,
Since we run it in a separate work, the lock may not be taken at
the time of running. Make sure that it's taken by explicitly doing
that. Without it we got a splat:
WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0
...
Workqueue: max3100-0 max3100_work [max3100]
RIP: 0010:uart_handle_cts_change+0xa6/0xb0
...
max3100_handlerx+0xc5/0x110 [max3100]
max3100_work+0x12a/0x340 [max3100]
Fixes: 7831d56b0a35 ("tty: MAX3100")
Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.i…
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Yi Yang <yiyang13(a)huawei.com>
---
drivers/tty/serial/max3100.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c
index 371569a0fd00..915d7753eec2 100644
--- a/drivers/tty/serial/max3100.c
+++ b/drivers/tty/serial/max3100.c
@@ -213,7 +213,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx)
return 0;
}
-static int max3100_handlerx(struct max3100_port *s, u16 rx)
+static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx)
{
unsigned int ch, flg, status = 0;
int ret = 0, cts;
@@ -253,6 +253,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx)
return ret;
}
+static int max3100_handlerx(struct max3100_port *s, u16 rx)
+{
+ unsigned long flags;
+ int ret;
+
+ uart_port_lock_irqsave(&s->port, &flags);
+ ret = max3100_handlerx_unlocked(s, rx);
+ uart_port_unlock_irqrestore(&s->port, flags);
+ return ret;
+}
+
static void max3100_work(struct work_struct *w)
{
struct max3100_port *s = container_of(w, struct max3100_port, work);
--
2.25.1
From: "Matthew R. Ochs" <mochs(a)nvidia.com>
mainline inclusion
from mainline-v6.10-rc2
commit 195aba96b854dd664768f382cd1db375d8181f88
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7DAP
CVE: CVE-2024-36477
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the
maximum transfer length and the size of the transfer buffer. As such, it
does not account for the 4 bytes of header that prepends the SPI data
frame. This can result in out-of-bounds accesses and was confirmed with
KASAN.
Introduce SPI_HDRSIZE to account for the header and use to allocate the
transfer buffer.
Fixes: a86a42ac2bd6 ("tpm_tis_spi: Add hardware wait polling")
Signed-off-by: Matthew R. Ochs <mochs(a)nvidia.com>
Tested-by: Carol Soto <csoto(a)nvidia.com>
Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org>
Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com>
---
drivers/char/tpm/tpm_tis_spi_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm_tis_spi_main.c b/drivers/char/tpm/tpm_tis_spi_main.c
index c5c3197ee29f..4bdad9e3667f 100644
--- a/drivers/char/tpm/tpm_tis_spi_main.c
+++ b/drivers/char/tpm/tpm_tis_spi_main.c
@@ -37,6 +37,7 @@
#include "tpm_tis_spi.h"
#define MAX_SPI_FRAMESIZE 64
+#define SPI_HDRSIZE 4
/*
* TCG SPI flow control is documented in section 6.4 of the spec[1]. In short,
@@ -247,7 +248,7 @@ static int tpm_tis_spi_write_bytes(struct tpm_tis_data *data, u32 addr,
int tpm_tis_spi_init(struct spi_device *spi, struct tpm_tis_spi_phy *phy,
int irq, const struct tpm_tis_phy_ops *phy_ops)
{
- phy->iobuf = devm_kmalloc(&spi->dev, MAX_SPI_FRAMESIZE, GFP_KERNEL);
+ phy->iobuf = devm_kmalloc(&spi->dev, SPI_HDRSIZE + MAX_SPI_FRAMESIZE, GFP_KERNEL);
if (!phy->iobuf)
return -ENOMEM;
--
2.34.1