1. 11 Oct, 2024 11 commits
    • serial: qcom-geni: drop unused receive parameter · 4cf4b344
      Johan Hovold authored
      Serial drivers should not be dropping characters themselves, but at
      least drop the unused 'drop' parameter from the receive handler for now.
      Reviewed-by: Douglas Anderson <dianders@chromium.org>
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Link: https://lore.kernel.org/r/20241009145110.16847-9-johan+linaro@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • serial: qcom-geni: drop flip buffer WARN() · 8173d74a
      Johan Hovold authored
      Drop the unnecessary WARN() in case the TTY buffers are ever full in
      favour of a rate limited dev_err() which doesn't kill the machine when
      panic_on_warn is set.
      Reviewed-by: Douglas Anderson <dianders@chromium.org>
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Link: https://lore.kernel.org/r/20241009145110.16847-8-johan+linaro@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • serial: qcom-geni: fix rx cancel dma status bit · c657243a
      Johan Hovold authored
      Cancelling an rx command is signalled using bit 14 of the rx DMA status
      register and not bit 11.
      
      This bit is currently unused, but this error becomes apparent, for
      example, when tracing the status register when closing the port.
      
      Fixes: eddac5af ("soc: qcom: Add GENI based QUP Wrapper driver")
      Reviewed-by: Douglas Anderson <dianders@chromium.org>
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Link: https://lore.kernel.org/r/20241009145110.16847-7-johan+linaro@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • serial: qcom-geni: fix receiver enable · fa103d25
      Johan Hovold authored
      The receiver is supposed to be enabled in the startup() callback and not
      in set_termios() which is called also during console setup.
      
      This specifically avoids accepting input before the port has been opened
      (and interrupts enabled), something which can also break the GENI
      firmware (cancel fails and after abort, the "stale" counter handling
      appears to be broken so that later input is not processed until twelve
      chars have been received).
      
      There also does not appear to be any need to keep the receiver disabled
      while updating the port settings.
      
      Since commit 6f3c3caf ("serial: qcom-geni: disable interrupts during
      console writes") the calls to manipulate the secondary interrupts, which
      were done without holding the port lock, can also lead to the receiver
      being left disabled when set_termios() races with the console code (e.g.
      when init opens the tty during boot). This can manifest itself as a
      serial getty not accepting input.
      
      The calls to stop and start rx in set_termios() can similarly race with
      DMA completion and, for example, cause the DMA buffer to be unmapped
      twice or the mapping to be leaked.
      
      Fix this by only enabling the receiver during startup and while holding
      the port lock to avoid racing with the console code.
      
      Fixes: 6f3c3caf ("serial: qcom-geni: disable interrupts during console writes")
      Fixes: 2aaa43c7 ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
      Fixes: c4f52879 ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP")
      Cc: stable@vger.kernel.org      # 6.3
      Cc: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Reviewed-by: Douglas Anderson <dianders@chromium.org>
      Link: https://lore.kernel.org/r/20241009145110.16847-6-johan+linaro@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • serial: qcom-geni: fix dma rx cancellation · 23ee4a25
      Johan Hovold authored
      Make sure to wait for the DMA transfer to complete when cancelling the
      rx command on stop_rx(). This specifically prevents the DMA completion
      interrupt from firing after rx has been restarted, something which can
      lead to an IOMMU fault and hosed rx when the interrupt handler unmaps
      the DMA buffer for the new command:
      
      	qcom_geni_serial 988000.serial: serial engine reports 0 RX bytes in!
      	arm-smmu 15000000.iommu: FSR    = 00000402 [Format=2 TF], SID=0x563
      	arm-smmu 15000000.iommu: FSYNR0 = 00210013 [S1CBNDX=33 WNR PLVL=3]
      	Bluetooth: hci0: command 0xfc00 tx timeout
      	Bluetooth: hci0: Reading QCA version information failed (-110)
      
      Also add the missing state machine reset which is needed in case
      cancellation fails.
      
      Fixes: 2aaa43c7 ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
      Cc: stable@vger.kernel.org      # 6.3
      Cc: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Link: https://lore.kernel.org/r/20241009145110.16847-5-johan+linaro@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • serial: qcom-geni: fix shutdown race · 23f5f5de
      Johan Hovold authored
      A commit adding back the stopping of tx on port shutdown failed to add
      back the locking which had also been removed by commit e8376633
      ("tty: serial: qcom_geni_serial: No need to stop tx/rx on UART
      shutdown").
      
      Holding the port lock is needed to serialise against the console code,
      which may update the interrupt enable register and access the port
      state.
      
      Fixes: d8aca2f9 ("tty: serial: qcom-geni-serial: stop operations in progress at shutdown")
      Fixes: 947cc4ec ("serial: qcom-geni: fix soft lockup on sw flow control and suspend")
      Cc: stable@vger.kernel.org	# 6.3
      Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Reviewed-by: Douglas Anderson <dianders@chromium.org>
      Link: https://lore.kernel.org/r/20241009145110.16847-4-johan+linaro@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • serial: qcom-geni: revert broken hibernation support · 19df7666
      Johan Hovold authored
      This reverts commit 35781d83.
      
      Hibernation is not supported on Qualcomm platforms with mainline
      kernels yet a broken vendor implementation for the GENI serial driver
      made it upstream.
      
      This is effectively dead code that cannot be tested and should just be
      removed, but if these paths were ever hit for an open non-console port
      they would crash the machine as the driver would fail to enable clocks
      during restore() (i.e. all ports would have to be closed by drivers and
      user space before hibernating the system to avoid this as a comment in
      the code hinted at).
      
      The broken implementation also added a random call to enable the
      receiver in the port setup code where it does not belong and which
      enables the receiver prematurely for console ports.
      
      Fixes: 35781d83 ("tty: serial: qcom-geni-serial: Add support for Hibernation feature")
      Cc: stable@vger.kernel.org	# 6.2
      Cc: Aniket Randive <quic_arandive@quicinc.com>
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Link: https://lore.kernel.org/r/20241009145110.16847-3-johan+linaro@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • serial: qcom-geni: fix polled console initialisation · 4bef7c6f
      Johan Hovold authored
      The polled console (KGDB/KDB) implementation must not call port setup
      unconditionally as the port may already be in use by the console or a
      getty.
      
      Only make sure that the receiver is enabled, but do not enable any
      device interrupts.
      
      Fixes: d8851a96 ("tty: serial: qcom-geni-serial: Add a poll_init() function")
      Cc: stable@vger.kernel.org	# 6.4
      Cc: Douglas Anderson <dianders@chromium.org>
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Reviewed-by: Douglas Anderson <dianders@chromium.org>
      Link: https://lore.kernel.org/r/20241009145110.16847-2-johan+linaro@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • serial: imx: Update mctrl old_status on RTSD interrupt · 40d79033
      Marek Vasut authored
      When sending data using DMA at high baudrate (4 Mbdps in local test case) to
      a device with small RX buffer which keeps asserting RTS after every received
      byte, it is possible that the iMX UART driver would not recognize the falling
      edge of RTS input signal and get stuck, unable to transmit any more data.
      
      This condition happens when the following sequence of events occurs:
      - imx_uart_mctrl_check() is called at some point and takes a snapshot of UART
        control signal status into sport->old_status using imx_uart_get_hwmctrl().
        The RTSS/TIOCM_CTS bit is of interest here (*).
      - DMA transfer occurs, the remote device asserts RTS signal after each byte.
        The i.MX UART driver recognizes each such RTS signal change, raises an
        interrupt with USR1 register RTSD bit set, which leads to invocation of
        __imx_uart_rtsint(), which calls uart_handle_cts_change().
        - If the RTS signal is deasserted, uart_handle_cts_change() clears
          port->hw_stopped and unblocks the port for further data transfers.
        - If the RTS is asserted, uart_handle_cts_change() sets port->hw_stopped
          and blocks the port for further data transfers. This may occur as the
          last interrupt of a transfer, which means port->hw_stopped remains set
          and the port remains blocked (**).
      - Any further data transfer attempts will trigger imx_uart_mctrl_check(),
        which will read current status of UART control signals by calling
        imx_uart_get_hwmctrl() (***) and compare it with sport->old_status .
        - If current status differs from sport->old_status for RTS signal,
          uart_handle_cts_change() is called and possibly unblocks the port
          by clearing port->hw_stopped .
        - If current status does not differ from sport->old_status for RTS
          signal, no action occurs. This may occur in case prior snapshot (*)
          was taken before any transfer so the RTS is deasserted, current
          snapshot (***) was taken after a transfer and therefore RTS is
          deasserted again, which means current status and sport->old_status
          are identical. In case (**) triggered when RTS got asserted, and
          made port->hw_stopped set, the port->hw_stopped will remain set
          because no change on RTS line is recognized by this driver and
          uart_handle_cts_change() is not called from here to unblock the
          port->hw_stopped.
      
      Update sport->old_status in __imx_uart_rtsint() accordingly to make
      imx_uart_mctrl_check() detect such RTS change. Note that TIOCM_CAR
      and TIOCM_RI bits in sport->old_status do not suffer from this problem.
      
      Fixes: ceca629e ("[ARM] 2971/1: i.MX uart handle rts irq")
      Cc: stable <stable@kernel.org>
      Reviewed-by: Esben Haabendal <esben@geanix.com>
      Signed-off-by: Marek Vasut <marex@denx.de>
      Link: https://lore.kernel.org/r/20241002184133.19427-1-marex@denx.de
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tty: n_gsm: Fix use-after-free in gsm_cleanup_mux · 9462f4ca
      Longlong Xia authored
      BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0
      drivers/tty/n_gsm.c:3160 [n_gsm]
      Read of size 8 at addr ffff88815fe99c00 by task poc/3379
      CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56
      Hardware name: VMware, Inc. VMware Virtual Platform/440BX
      Desktop Reference Platform, BIOS 6.00 11/12/2020
      Call Trace:
       <TASK>
       gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
       __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]
       __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389
       update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500
       __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846
       __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161
       gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
       _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107
       __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]
       ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195
       ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79
       __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338
       __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805
       tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818
      
      Allocated by task 65:
       gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]
       gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]
       gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]
       gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]
       tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391
       tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39
       flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445
       process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229
       worker_thread+0x3dc/0x950 kernel/workqueue.c:3391
       kthread+0x2a3/0x370 kernel/kthread.c:389
       ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257
      
      Freed by task 3367:
       kfree+0x126/0x420 mm/slub.c:4580
       gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
       gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
       tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818
      
      [Analysis]
      gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux
      can be freed by multi threads through ioctl, which leads
      to the occurrence of uaf. Protect it by gsm tx lock.
      Signed-off-by: Longlong Xia <xialonglong@kylinos.cn>
      Cc: stable <stable@kernel.org>
      Suggested-by: Jiri Slaby <jirislaby@kernel.org>
      Link: https://lore.kernel.org/r/20240926130213.531959-1-xialonglong@kylinos.cn
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • vt: prevent kernel-infoleak in con_font_get() · f956052e
      Jeongjun Park authored
      font.data may not initialize all memory spaces depending on the implementation
      of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it
      is safest to modify it to initialize the allocated memory space to 0, and it
      generally does not affect the overall performance of the system.
      
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+955da2d57931604ee691@syzkaller.appspotmail.com
      Fixes: 05e2600c ("VT: Bump font size limitation to 64x128 pixels")
      Signed-off-by: Jeongjun Park <aha310510@gmail.com>
      Link: https://lore.kernel.org/r/20241010174619.59662-1-aha310510@gmail.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 06 Oct, 2024 20 commits
  3. 05 Oct, 2024 9 commits
    • Merge tag 'bcachefs-2024-10-05' of git://evilpiepirate.org/bcachefs · 8f602276
      Linus Torvalds authored
      Pull bcachefs fixes from Kent Overstreet:
       "A lot of little fixes, bigger ones include:
      
         - bcachefs's __wait_on_freeing_inode() was broken in rc1 due to vfs
           changes, now fixed along with another lost wakeup
      
         - fragmentation LRU fixes; fsck now repairs successfully (this is the
           data structure copygc uses); along with some nice simplification.
      
         - Rework logged op error handling, so that if logged op replay errors
           (due to another filesystem error) we delete the logged op instead
           of going into an infinite loop

         - Various small filesystem connectivity repair fixes"
      
      * tag 'bcachefs-2024-10-05' of git://evilpiepirate.org/bcachefs:
        bcachefs: Rework logged op error handling
        bcachefs: Add warn param to subvol_get_snapshot, peek_inode
        bcachefs: Kill snapshot arg to fsck_write_inode()
        bcachefs: Check for unlinked, non-empty dirs in check_inode()
        bcachefs: Check for unlinked inodes with dirents
        bcachefs: Check for directories with no backpointers
        bcachefs: Kill alloc_v4.fragmentation_lru
        bcachefs: minor lru fsck fixes
        bcachefs: Mark more errors AUTOFIX
        bcachefs: Make sure we print error that causes fsck to bail out
        bcachefs: bkey errors are only AUTOFIX during read
        bcachefs: Create lost+found in correct snapshot
        bcachefs: Fix reattach_inode()
        bcachefs: Add missing wakeup to bch2_inode_hash_remove()
        bcachefs: Fix trans_commit disk accounting revert
        bcachefs: Fix bch2_inode_is_open() check
        bcachefs: Fix return type of dirent_points_to_inode_nowarn()
        bcachefs: Fix bad shift in bch2_read_flag_list()
    • Merge tag 'for-linus-6.12a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · fc20a3e5
      Linus Torvalds authored
      Pull xen fix from Juergen Gross:
       "Fix Xen config issue introduced in the merge window"
      
      * tag 'for-linus-6.12a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen: Fix config option reference in XEN_PRIVCMD definition
    • Merge tag 'ext4_for_linus-5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · fdd0a94d
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Fix some ext4 bugs and regressions relating to online resize and fast
        commits"
      
      * tag 'ext4_for_linus-5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix off by one issue in alloc_flex_gd()
        ext4: mark fc as ineligible using an handle in ext4_xattr_set()
        ext4: use handle to mark fc as ineligible in __track_dentry_update()
    • Merge tag 'cxl-fixes-6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · 7c50f221
      Linus Torvalds authored
      Pull cxl fix from Ira Weiny:
      
       - Fix calculation for SBDF in error injection
      
      * tag 'cxl-fixes-6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        EINJ, CXL: Fix CXL device SBDF calculation
    • Merge tag 'i2c-for-6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 3a28c9e1
      Linus Torvalds authored
      Pull i2c fix from Wolfram Sang:
      
       - Fix potential deadlock during runtime suspend and resume (stm32f7)
      
      * tag 'i2c-for-6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume
    • Merge tag 'spi-fix-v6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 60b9f47e
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A small set of driver specific fixes that came in since the merge
        window, about half of which is fixes for correctness in the use of the
        runtime PM APIs done as part of a broader cleanup"
      
      * tag 'spi-fix-v6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: s3c64xx: fix timeout counters in flush_fifo
        spi: atmel-quadspi: Fix wrong register value written to MR
        spi: spi-cadence: Fix missing spi_controller_is_target() check
        spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled
        spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled
    • Merge tag 'hardening-v6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 9ec2236a
      Linus Torvalds authored
      Pull hardening fixes from Kees Cook:
      
       - gcc plugins: Avoid Kconfig warnings with randstruct (Nathan
         Chancellor)
      
       - MAINTAINERS: Add security/Kconfig.hardening to hardening section
         (Nathan Chancellor)
      
       - MAINTAINERS: Add unsafe_memcpy() to the FORTIFY review list
      
      * tag 'hardening-v6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        MAINTAINERS: Add security/Kconfig.hardening to hardening section
        hardening: Adjust dependencies in selection of MODVERSIONS
        MAINTAINERS: Add unsafe_memcpy() to the FORTIFY review list
    • Merge tag 'lsm-pr-20241004' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm · fb9b7674
      Linus Torvalds authored
      Pull lsm revert from Paul Moore:
       "Here is the CONFIG_SECURITY_TOMOYO_LKM revert that we've been
        discussing this week. With near unanimous agreement that the original
        TOMOYO patches were not the right way to solve the distro problem
        Tetsuo is trying to solve, reverting is our best option at this time"
      
      * tag 'lsm-pr-20241004' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
        tomoyo: revert CONFIG_SECURITY_TOMOYO_LKM support
    • platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug · 7d59ac07
      Zach Wade authored
      Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
      kasan report:
      [   19.411889] ==================================================================
      [   19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
      [   19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
      [   19.417368]
      [   19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G            E      6.9.0 #10
      [   19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
      [   19.422687] Call Trace:
      [   19.424091]  <TASK>
      [   19.425448]  dump_stack_lvl+0x5d/0x80
      [   19.426963]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
      [   19.428694]  print_report+0x19d/0x52e
      [   19.430206]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
      [   19.431837]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
      [   19.433539]  kasan_report+0xf0/0x170
      [   19.435019]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
      [   19.436709]  _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
      [   19.438379]  ? __pfx_sched_clock_cpu+0x10/0x10
      [   19.439910]  isst_if_cpu_online+0x406/0x58f [isst_if_common]
      [   19.441573]  ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
      [   19.443263]  ? ttwu_queue_wakelist+0x2c1/0x360
      [   19.444797]  cpuhp_invoke_callback+0x221/0xec0
      [   19.446337]  cpuhp_thread_fun+0x21b/0x610
      [   19.447814]  ? __pfx_cpuhp_thread_fun+0x10/0x10
      [   19.449354]  smpboot_thread_fn+0x2e7/0x6e0
      [   19.450859]  ? __pfx_smpboot_thread_fn+0x10/0x10
      [   19.452405]  kthread+0x29c/0x350
      [   19.453817]  ? __pfx_kthread+0x10/0x10
      [   19.455253]  ret_from_fork+0x31/0x70
      [   19.456685]  ? __pfx_kthread+0x10/0x10
      [   19.458114]  ret_from_fork_asm+0x1a/0x30
      [   19.459573]  </TASK>
      [   19.460853]
      [   19.462055] Allocated by task 1198:
      [   19.463410]  kasan_save_stack+0x30/0x50
      [   19.464788]  kasan_save_track+0x14/0x30
      [   19.466139]  __kasan_kmalloc+0xaa/0xb0
      [   19.467465]  __kmalloc+0x1cd/0x470
      [   19.468748]  isst_if_cdev_register+0x1da/0x350 [isst_if_common]
      [   19.470233]  isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
      [   19.471670]  do_one_initcall+0xa4/0x380
      [   19.472903]  do_init_module+0x238/0x760
      [   19.474105]  load_module+0x5239/0x6f00
      [   19.475285]  init_module_from_file+0xd1/0x130
      [   19.476506]  idempotent_init_module+0x23b/0x650
      [   19.477725]  __x64_sys_finit_module+0xbe/0x130
      [   19.478920]  do_syscall_64+0x82/0x160
      [   19.480036]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
      [   19.481292]
      [   19.482205] The buggy address belongs to the object at ffff888829e65000
       which belongs to the cache kmalloc-512 of size 512
      [   19.484818] The buggy address is located 0 bytes to the right of
       allocated 512-byte region [ffff888829e65000, ffff888829e65200)
      [   19.487447]
      [   19.488328] The buggy address belongs to the physical page:
      [   19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
      [   19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      [   19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
      [   19.493914] page_type: 0xffffffff()
      [   19.503784] page dumped because: kasan: bad access detected
      [   19.505058]
      [   19.505970] Memory state around the buggy address:
      [   19.507172]  ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   19.508599]  ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   19.510014]                    ^
      [   19.510016]  ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   19.510018]  ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   19.515367] ==================================================================
      
      The reason for this error is physical_package_ids assigned by VMware VMM
      are not continuous and have gaps. This will cause value returned by
      topology_physical_package_id() to be more than topology_max_packages().
      
      Here the allocation uses topology_max_packages(). The call to
      topology_max_packages() returns maximum logical package ID not physical
      ID. Hence use topology_logical_package_id() instead of
      topology_physical_package_id().
      
      Fixes: 9a1aac8a ("platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering")
      Cc: stable@vger.kernel.org
      Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: Zach Wade <zachwade.k@gmail.com>
      Link: https://lore.kernel.org/r/20240923144508.1764-1-zachwade.k@gmail.com
      Reviewed-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>