Fixes for 6.1

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-6.1/bonding-fix-macvlan-over-alb-bond-support.patch b/queue-6.1/bonding-fix-macvlan-over-alb-bond-support.patch
new file mode 100644 (file)
index 0000000..c09aaa5
--- /dev/null
+++ b/queue-6.1/bonding-fix-macvlan-over-alb-bond-support.patch
@@ -0,0 +1,90 @@
+From 0384765dc5fe0c8c195692171de70a71eeea6bee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Aug 2023 15:19:04 +0800
+Subject: bonding: fix macvlan over alb bond support
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit e74216b8def3803e98ae536de78733e9d7f3b109 ]
+
+The commit 14af9963ba1e ("bonding: Support macvlans on top of tlb/rlb mode
+bonds") aims to enable the use of macvlans on top of rlb bond mode. However,
+the current rlb bond mode only handles ARP packets to update remote neighbor
+entries. This causes an issue when a macvlan is on top of the bond, and
+remote devices send packets to the macvlan using the bond's MAC address
+as the destination. After delivering the packets to the macvlan, the macvlan
+will rejects them as the MAC address is incorrect. Consequently, this commit
+makes macvlan over bond non-functional.
+
+To address this problem, one potential solution is to check for the presence
+of a macvlan port on the bond device using netif_is_macvlan_port(bond->dev)
+and return NULL in the rlb_arp_xmit() function. However, this approach
+doesn't fully resolve the situation when a VLAN exists between the bond and
+macvlan.
+
+So let's just do a partial revert for commit 14af9963ba1e in rlb_arp_xmit().
+As the comment said, Don't modify or load balance ARPs that do not originate
+locally.
+
+Fixes: 14af9963ba1e ("bonding: Support macvlans on top of tlb/rlb mode bonds")
+Reported-by: susan.zheng@veritas.com
+Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2117816
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_alb.c |  6 +++---
+ include/net/bonding.h          | 11 +----------
+ 2 files changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c
+index b9dbad3a8af82..fc5da5d7744da 100644
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -660,10 +660,10 @@ static struct slave *rlb_arp_xmit(struct sk_buff *skb, struct bonding *bond)
+               return NULL;
+       arp = (struct arp_pkt *)skb_network_header(skb);
+ 
+-      /* Don't modify or load balance ARPs that do not originate locally
+-       * (e.g.,arrive via a bridge).
++      /* Don't modify or load balance ARPs that do not originate
++       * from the bond itself or a VLAN directly above the bond.
+        */
+-      if (!bond_slave_has_mac_rx(bond, arp->mac_src))
++      if (!bond_slave_has_mac_rcu(bond, arp->mac_src))
+               return NULL;
+ 
+       dev = ip_dev_find(dev_net(bond->dev), arp->ip_src);
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index 17329a19f0c64..9a3ac960dfe15 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -727,23 +727,14 @@ static inline struct slave *bond_slave_has_mac(struct bonding *bond,
+ }
+ 
+ /* Caller must hold rcu_read_lock() for read */
+-static inline bool bond_slave_has_mac_rx(struct bonding *bond, const u8 *mac)
++static inline bool bond_slave_has_mac_rcu(struct bonding *bond, const u8 *mac)
+ {
+       struct list_head *iter;
+       struct slave *tmp;
+-      struct netdev_hw_addr *ha;
+ 
+       bond_for_each_slave_rcu(bond, tmp, iter)
+               if (ether_addr_equal_64bits(mac, tmp->dev->dev_addr))
+                       return true;
+-
+-      if (netdev_uc_empty(bond->dev))
+-              return false;
+-
+-      netdev_for_each_uc_addr(ha, bond->dev)
+-              if (ether_addr_equal_64bits(mac, ha->addr))
+-                      return true;
+-
+       return false;
+ }
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/can-isotp-fix-support-for-transmission-of-sf-without.patch b/queue-6.1/can-isotp-fix-support-for-transmission-of-sf-without.patch
new file mode 100644 (file)
index 0000000..02dd2a2
--- /dev/null
+++ b/queue-6.1/can-isotp-fix-support-for-transmission-of-sf-without.patch
@@ -0,0 +1,87 @@
+From 01fcfa26fb91ba3ff8ab69536caec0061e6378b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Aug 2023 16:45:46 +0200
+Subject: can: isotp: fix support for transmission of SF without flow control
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit 0bfe71159230bab79ee230225ae12ffecbb69f3e ]
+
+The original implementation had a very simple handling for single frame
+transmissions as it just sent the single frame without a timeout handling.
+
+With the new echo frame handling the echo frame was also introduced for
+single frames but the former exception ('simple without timers') has been
+maintained by accident. This leads to a 1 second timeout when closing the
+socket and to an -ECOMM error when CAN_ISOTP_WAIT_TX_DONE is selected.
+
+As the echo handling is always active (also for single frames) remove the
+wrong extra condition for single frames.
+
+Fixes: 9f39d36530e5 ("can: isotp: add support for transmission without flow control")
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/r/20230821144547.6658-2-socketcan@hartkopp.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/isotp.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+diff --git a/net/can/isotp.c b/net/can/isotp.c
+index b3c2a49b189cc..8c97f4061ffd7 100644
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -175,12 +175,6 @@ static bool isotp_register_rxid(struct isotp_sock *so)
+       return (isotp_bc_flags(so) == 0);
+ }
+ 
+-static bool isotp_register_txecho(struct isotp_sock *so)
+-{
+-      /* all modes but SF_BROADCAST register for tx echo skbs */
+-      return (isotp_bc_flags(so) != CAN_ISOTP_SF_BROADCAST);
+-}
+-
+ static enum hrtimer_restart isotp_rx_timer_handler(struct hrtimer *hrtimer)
+ {
+       struct isotp_sock *so = container_of(hrtimer, struct isotp_sock,
+@@ -1176,7 +1170,7 @@ static int isotp_release(struct socket *sock)
+       lock_sock(sk);
+ 
+       /* remove current filters & unregister */
+-      if (so->bound && isotp_register_txecho(so)) {
++      if (so->bound) {
+               if (so->ifindex) {
+                       struct net_device *dev;
+ 
+@@ -1293,14 +1287,12 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
+               can_rx_register(net, dev, rx_id, SINGLE_MASK(rx_id),
+                               isotp_rcv, sk, "isotp", sk);
+ 
+-      if (isotp_register_txecho(so)) {
+-              /* no consecutive frame echo skb in flight */
+-              so->cfecho = 0;
++      /* no consecutive frame echo skb in flight */
++      so->cfecho = 0;
+ 
+-              /* register for echo skb's */
+-              can_rx_register(net, dev, tx_id, SINGLE_MASK(tx_id),
+-                              isotp_rcv_echo, sk, "isotpe", sk);
+-      }
++      /* register for echo skb's */
++      can_rx_register(net, dev, tx_id, SINGLE_MASK(tx_id),
++                      isotp_rcv_echo, sk, "isotpe", sk);
+ 
+       dev_put(dev);
+ 
+@@ -1521,7 +1513,7 @@ static void isotp_notify(struct isotp_sock *so, unsigned long msg,
+       case NETDEV_UNREGISTER:
+               lock_sock(sk);
+               /* remove current filters & unregister */
+-              if (so->bound && isotp_register_txecho(so)) {
++              if (so->bound) {
+                       if (isotp_register_rxid(so))
+                               can_rx_unregister(dev_net(dev), dev, so->rxid,
+                                                 SINGLE_MASK(so->rxid),
+-- 
+2.40.1
+

diff --git a/queue-6.1/can-raw-fix-lockdep-issue-in-raw_release.patch b/queue-6.1/can-raw-fix-lockdep-issue-in-raw_release.patch
new file mode 100644 (file)
index 0000000..7c2161a
--- /dev/null
+++ b/queue-6.1/can-raw-fix-lockdep-issue-in-raw_release.patch
@@ -0,0 +1,159 @@
+From 01d2347a6523fb5305687eb33a3d44f52c9c94aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jul 2023 11:44:38 +0000
+Subject: can: raw: fix lockdep issue in raw_release()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 11c9027c983e9e4b408ee5613b6504d24ebd85be ]
+
+syzbot complained about a lockdep issue [1]
+
+Since raw_bind() and raw_setsockopt() first get RTNL
+before locking the socket, we must adopt the same order in raw_release()
+
+[1]
+WARNING: possible circular locking dependency detected
+6.5.0-rc1-syzkaller-00192-g78adb4bcf99e #0 Not tainted
+------------------------------------------------------
+syz-executor.0/14110 is trying to acquire lock:
+ffff88804e4b6130 (sk_lock-AF_CAN){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1708 [inline]
+ffff88804e4b6130 (sk_lock-AF_CAN){+.+.}-{0:0}, at: raw_bind+0xb1/0xab0 net/can/raw.c:435
+
+but task is already holding lock:
+ffffffff8e3df368 (rtnl_mutex){+.+.}-{3:3}, at: raw_bind+0xa7/0xab0 net/can/raw.c:434
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (rtnl_mutex){+.+.}-{3:3}:
+__mutex_lock_common kernel/locking/mutex.c:603 [inline]
+__mutex_lock+0x181/0x1340 kernel/locking/mutex.c:747
+raw_release+0x1c6/0x9b0 net/can/raw.c:391
+__sock_release+0xcd/0x290 net/socket.c:654
+sock_close+0x1c/0x20 net/socket.c:1386
+__fput+0x3fd/0xac0 fs/file_table.c:384
+task_work_run+0x14d/0x240 kernel/task_work.c:179
+resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
+exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
+__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
+syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
+do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+-> #0 (sk_lock-AF_CAN){+.+.}-{0:0}:
+check_prev_add kernel/locking/lockdep.c:3142 [inline]
+check_prevs_add kernel/locking/lockdep.c:3261 [inline]
+validate_chain kernel/locking/lockdep.c:3876 [inline]
+__lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5144
+lock_acquire kernel/locking/lockdep.c:5761 [inline]
+lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
+lock_sock_nested+0x3a/0xf0 net/core/sock.c:3492
+lock_sock include/net/sock.h:1708 [inline]
+raw_bind+0xb1/0xab0 net/can/raw.c:435
+__sys_bind+0x1ec/0x220 net/socket.c:1792
+__do_sys_bind net/socket.c:1803 [inline]
+__se_sys_bind net/socket.c:1801 [inline]
+__x64_sys_bind+0x72/0xb0 net/socket.c:1801
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+other info that might help us debug this:
+
+Possible unsafe locking scenario:
+
+CPU0 CPU1
+---- ----
+lock(rtnl_mutex);
+        lock(sk_lock-AF_CAN);
+        lock(rtnl_mutex);
+lock(sk_lock-AF_CAN);
+
+*** DEADLOCK ***
+
+1 lock held by syz-executor.0/14110:
+
+stack backtrace:
+CPU: 0 PID: 14110 Comm: syz-executor.0 Not tainted 6.5.0-rc1-syzkaller-00192-g78adb4bcf99e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
+Call Trace:
+<TASK>
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
+check_noncircular+0x311/0x3f0 kernel/locking/lockdep.c:2195
+check_prev_add kernel/locking/lockdep.c:3142 [inline]
+check_prevs_add kernel/locking/lockdep.c:3261 [inline]
+validate_chain kernel/locking/lockdep.c:3876 [inline]
+__lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5144
+lock_acquire kernel/locking/lockdep.c:5761 [inline]
+lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
+lock_sock_nested+0x3a/0xf0 net/core/sock.c:3492
+lock_sock include/net/sock.h:1708 [inline]
+raw_bind+0xb1/0xab0 net/can/raw.c:435
+__sys_bind+0x1ec/0x220 net/socket.c:1792
+__do_sys_bind net/socket.c:1803 [inline]
+__se_sys_bind net/socket.c:1801 [inline]
+__x64_sys_bind+0x72/0xb0 net/socket.c:1801
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7fd89007cb29
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fd890d2a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
+RAX: ffffffffffffffda RBX: 00007fd89019bf80 RCX: 00007fd89007cb29
+RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
+RBP: 00007fd8900c847a R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007fd89019bf80 R15: 00007ffebf8124f8
+</TASK>
+
+Fixes: ee8b94c8510c ("can: raw: fix receiver memory leak")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Ziyang Xuan <william.xuanziyang@huawei.com>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: stable@vger.kernel.org
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Link: https://lore.kernel.org/all/20230720114438.172434-1-edumazet@google.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/raw.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/can/raw.c b/net/can/raw.c
+index 1cd2c8748c26a..0dd3259357a35 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -386,9 +386,9 @@ static int raw_release(struct socket *sock)
+       list_del(&ro->notifier);
+       spin_unlock(&raw_notifier_lock);
+ 
++      rtnl_lock();
+       lock_sock(sk);
+ 
+-      rtnl_lock();
+       /* remove current filters & unregister */
+       if (ro->bound) {
+               if (ro->dev)
+@@ -405,12 +405,13 @@ static int raw_release(struct socket *sock)
+       ro->dev = NULL;
+       ro->count = 0;
+       free_percpu(ro->uniq);
+-      rtnl_unlock();
+ 
+       sock_orphan(sk);
+       sock->sk = NULL;
+ 
+       release_sock(sk);
++      rtnl_unlock();
++
+       sock_put(sk);
+ 
+       return 0;
+-- 
+2.40.1
+

diff --git a/queue-6.1/can-raw-fix-receiver-memory-leak.patch b/queue-6.1/can-raw-fix-receiver-memory-leak.patch
new file mode 100644 (file)
index 0000000..c118d05
--- /dev/null
+++ b/queue-6.1/can-raw-fix-receiver-memory-leak.patch
@@ -0,0 +1,238 @@
+From bf8b956983ca48e4732ad264473794894cc6295a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jul 2023 09:17:37 +0800
+Subject: can: raw: fix receiver memory leak
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 ]
+
+Got kmemleak errors with the following ltp can_filter testcase:
+
+for ((i=1; i<=100; i++))
+do
+        ./can_filter &
+        sleep 0.1
+done
+
+==============================================================
+[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
+[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
+[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
+[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
+[<00000000fd468496>] do_syscall_64+0x33/0x40
+[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+It's a bug in the concurrent scenario of unregister_netdevice_many()
+and raw_release() as following:
+
+             cpu0                                        cpu1
+unregister_netdevice_many(can_dev)
+  unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
+  net_set_todo(can_dev)
+                                               raw_release(can_socket)
+                                                 dev = dev_get_by_index(, ro->ifindex); // dev == NULL
+                                                 if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
+                                                   raw_disable_allfilters(, dev, );
+                                                   dev_put(dev);
+                                                 }
+                                                 ...
+                                                 ro->bound = 0;
+                                                 ...
+
+call_netdevice_notifiers(NETDEV_UNREGISTER, )
+  raw_notify(, NETDEV_UNREGISTER, )
+    if (ro->bound) // invalid because ro->bound has been set 0
+      raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
+
+Add a net_device pointer member in struct raw_sock to record bound
+can_dev, and use rtnl_lock to serialize raw_socket members between
+raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
+ro->dev to decide whether to free receivers in dev_rcv_lists.
+
+Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/raw.c | 57 ++++++++++++++++++++++-----------------------------
+ 1 file changed, 24 insertions(+), 33 deletions(-)
+
+diff --git a/net/can/raw.c b/net/can/raw.c
+index 4abab2c3011a3..1cd2c8748c26a 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -84,6 +84,7 @@ struct raw_sock {
+       struct sock sk;
+       int bound;
+       int ifindex;
++      struct net_device *dev;
+       struct list_head notifier;
+       int loopback;
+       int recv_own_msgs;
+@@ -277,7 +278,7 @@ static void raw_notify(struct raw_sock *ro, unsigned long msg,
+       if (!net_eq(dev_net(dev), sock_net(sk)))
+               return;
+ 
+-      if (ro->ifindex != dev->ifindex)
++      if (ro->dev != dev)
+               return;
+ 
+       switch (msg) {
+@@ -292,6 +293,7 @@ static void raw_notify(struct raw_sock *ro, unsigned long msg,
+ 
+               ro->ifindex = 0;
+               ro->bound = 0;
++              ro->dev = NULL;
+               ro->count = 0;
+               release_sock(sk);
+ 
+@@ -337,6 +339,7 @@ static int raw_init(struct sock *sk)
+ 
+       ro->bound            = 0;
+       ro->ifindex          = 0;
++      ro->dev              = NULL;
+ 
+       /* set default filter to single entry dfilter */
+       ro->dfilter.can_id   = 0;
+@@ -385,19 +388,13 @@ static int raw_release(struct socket *sock)
+ 
+       lock_sock(sk);
+ 
++      rtnl_lock();
+       /* remove current filters & unregister */
+       if (ro->bound) {
+-              if (ro->ifindex) {
+-                      struct net_device *dev;
+-
+-                      dev = dev_get_by_index(sock_net(sk), ro->ifindex);
+-                      if (dev) {
+-                              raw_disable_allfilters(dev_net(dev), dev, sk);
+-                              dev_put(dev);
+-                      }
+-              } else {
++              if (ro->dev)
++                      raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk);
++              else
+                       raw_disable_allfilters(sock_net(sk), NULL, sk);
+-              }
+       }
+ 
+       if (ro->count > 1)
+@@ -405,8 +402,10 @@ static int raw_release(struct socket *sock)
+ 
+       ro->ifindex = 0;
+       ro->bound = 0;
++      ro->dev = NULL;
+       ro->count = 0;
+       free_percpu(ro->uniq);
++      rtnl_unlock();
+ 
+       sock_orphan(sk);
+       sock->sk = NULL;
+@@ -422,6 +421,7 @@ static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)
+       struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
+       struct sock *sk = sock->sk;
+       struct raw_sock *ro = raw_sk(sk);
++      struct net_device *dev = NULL;
+       int ifindex;
+       int err = 0;
+       int notify_enetdown = 0;
+@@ -431,14 +431,13 @@ static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)
+       if (addr->can_family != AF_CAN)
+               return -EINVAL;
+ 
++      rtnl_lock();
+       lock_sock(sk);
+ 
+       if (ro->bound && addr->can_ifindex == ro->ifindex)
+               goto out;
+ 
+       if (addr->can_ifindex) {
+-              struct net_device *dev;
+-
+               dev = dev_get_by_index(sock_net(sk), addr->can_ifindex);
+               if (!dev) {
+                       err = -ENODEV;
+@@ -467,26 +466,20 @@ static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)
+       if (!err) {
+               if (ro->bound) {
+                       /* unregister old filters */
+-                      if (ro->ifindex) {
+-                              struct net_device *dev;
+-
+-                              dev = dev_get_by_index(sock_net(sk),
+-                                                     ro->ifindex);
+-                              if (dev) {
+-                                      raw_disable_allfilters(dev_net(dev),
+-                                                             dev, sk);
+-                                      dev_put(dev);
+-                              }
+-                      } else {
++                      if (ro->dev)
++                              raw_disable_allfilters(dev_net(ro->dev),
++                                                     ro->dev, sk);
++                      else
+                               raw_disable_allfilters(sock_net(sk), NULL, sk);
+-                      }
+               }
+               ro->ifindex = ifindex;
+               ro->bound = 1;
++              ro->dev = dev;
+       }
+ 
+  out:
+       release_sock(sk);
++      rtnl_unlock();
+ 
+       if (notify_enetdown) {
+               sk->sk_err = ENETDOWN;
+@@ -552,9 +545,9 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+               rtnl_lock();
+               lock_sock(sk);
+ 
+-              if (ro->bound && ro->ifindex) {
+-                      dev = dev_get_by_index(sock_net(sk), ro->ifindex);
+-                      if (!dev) {
++              dev = ro->dev;
++              if (ro->bound && dev) {
++                      if (dev->reg_state != NETREG_REGISTERED) {
+                               if (count > 1)
+                                       kfree(filter);
+                               err = -ENODEV;
+@@ -595,7 +588,6 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+               ro->count  = count;
+ 
+  out_fil:
+-              dev_put(dev);
+               release_sock(sk);
+               rtnl_unlock();
+ 
+@@ -613,9 +605,9 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+               rtnl_lock();
+               lock_sock(sk);
+ 
+-              if (ro->bound && ro->ifindex) {
+-                      dev = dev_get_by_index(sock_net(sk), ro->ifindex);
+-                      if (!dev) {
++              dev = ro->dev;
++              if (ro->bound && dev) {
++                      if (dev->reg_state != NETREG_REGISTERED) {
+                               err = -ENODEV;
+                               goto out_err;
+                       }
+@@ -639,7 +631,6 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+               ro->err_mask = err_mask;
+ 
+  out_err:
+-              dev_put(dev);
+               release_sock(sk);
+               rtnl_unlock();
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/dccp-annotate-data-races-in-dccp_poll.patch b/queue-6.1/dccp-annotate-data-races-in-dccp_poll.patch
new file mode 100644 (file)
index 0000000..fcf5506
--- /dev/null
+++ b/queue-6.1/dccp-annotate-data-races-in-dccp_poll.patch
@@ -0,0 +1,82 @@
+From 584031d584ef32fdbd7ca4ccbac5b248a7655cbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 01:58:20 +0000
+Subject: dccp: annotate data-races in dccp_poll()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cba3f1786916063261e3e5ccbb803abc325b24ef ]
+
+We changed tcp_poll() over time, bug never updated dccp.
+
+Note that we also could remove dccp instead of maintaining it.
+
+Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230818015820.2701595-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dccp/proto.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index abc02d25edc14..c522c76a9f89f 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -312,11 +312,15 @@ EXPORT_SYMBOL_GPL(dccp_disconnect);
+ __poll_t dccp_poll(struct file *file, struct socket *sock,
+                      poll_table *wait)
+ {
+-      __poll_t mask;
+       struct sock *sk = sock->sk;
++      __poll_t mask;
++      u8 shutdown;
++      int state;
+ 
+       sock_poll_wait(file, sock, wait);
+-      if (sk->sk_state == DCCP_LISTEN)
++
++      state = inet_sk_state_load(sk);
++      if (state == DCCP_LISTEN)
+               return inet_csk_listen_poll(sk);
+ 
+       /* Socket is not locked. We are protected from async events
+@@ -325,20 +329,21 @@ __poll_t dccp_poll(struct file *file, struct socket *sock,
+        */
+ 
+       mask = 0;
+-      if (sk->sk_err)
++      if (READ_ONCE(sk->sk_err))
+               mask = EPOLLERR;
++      shutdown = READ_ONCE(sk->sk_shutdown);
+ 
+-      if (sk->sk_shutdown == SHUTDOWN_MASK || sk->sk_state == DCCP_CLOSED)
++      if (shutdown == SHUTDOWN_MASK || state == DCCP_CLOSED)
+               mask |= EPOLLHUP;
+-      if (sk->sk_shutdown & RCV_SHUTDOWN)
++      if (shutdown & RCV_SHUTDOWN)
+               mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;
+ 
+       /* Connected? */
+-      if ((1 << sk->sk_state) & ~(DCCPF_REQUESTING | DCCPF_RESPOND)) {
++      if ((1 << state) & ~(DCCPF_REQUESTING | DCCPF_RESPOND)) {
+               if (atomic_read(&sk->sk_rmem_alloc) > 0)
+                       mask |= EPOLLIN | EPOLLRDNORM;
+ 
+-              if (!(sk->sk_shutdown & SEND_SHUTDOWN)) {
++              if (!(shutdown & SEND_SHUTDOWN)) {
+                       if (sk_stream_is_writeable(sk)) {
+                               mask |= EPOLLOUT | EPOLLWRNORM;
+                       } else {  /* send SIGIO later */
+@@ -356,7 +361,6 @@ __poll_t dccp_poll(struct file *file, struct socket *sock,
+       }
+       return mask;
+ }
+-
+ EXPORT_SYMBOL_GPL(dccp_poll);
+ 
+ int dccp_ioctl(struct sock *sk, int cmd, unsigned long arg)
+-- 
+2.40.1
+

diff --git a/queue-6.1/devlink-add-missing-unregister-linecard-notification.patch b/queue-6.1/devlink-add-missing-unregister-linecard-notification.patch
new file mode 100644 (file)
index 0000000..0fb2771
--- /dev/null
+++ b/queue-6.1/devlink-add-missing-unregister-linecard-notification.patch
@@ -0,0 +1,46 @@
+From 65090ab9bf82ed344b56c91e2cea7f503bbe886c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 14:52:40 +0200
+Subject: devlink: add missing unregister linecard notification
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 2ebbc9752d06bb1d01201fe632cb6da033b0248d ]
+
+Cited fixes commit introduced linecard notifications for register,
+however it didn't add them for unregister. Fix that by adding them.
+
+Fixes: c246f9b5fd61 ("devlink: add support to create line card and expose to user")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230817125240.2144794-1-jiri@resnulli.us
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/devlink/leftover.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/devlink/leftover.c b/net/devlink/leftover.c
+index 5a4a4b34ac15c..63188d6a50fe9 100644
+--- a/net/devlink/leftover.c
++++ b/net/devlink/leftover.c
+@@ -9727,6 +9727,7 @@ static void devlink_notify_unregister(struct devlink *devlink)
+       struct devlink_param_item *param_item;
+       struct devlink_trap_item *trap_item;
+       struct devlink_port *devlink_port;
++      struct devlink_linecard *linecard;
+       struct devlink_rate *rate_node;
+       struct devlink_region *region;
+ 
+@@ -9753,6 +9754,8 @@ static void devlink_notify_unregister(struct devlink *devlink)
+ 
+       list_for_each_entry_reverse(devlink_port, &devlink->port_list, list)
+               devlink_port_notify(devlink_port, DEVLINK_CMD_PORT_DEL);
++      list_for_each_entry_reverse(linecard, &devlink->linecard_list, list)
++              devlink_linecard_notify(linecard, DEVLINK_CMD_LINECARD_DEL);
+       devlink_notify(devlink, DEVLINK_CMD_DEL);
+ }
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/devlink-move-code-to-a-dedicated-directory.patch b/queue-6.1/devlink-move-code-to-a-dedicated-directory.patch
new file mode 100644 (file)
index 0000000..39c49c0
--- /dev/null
+++ b/queue-6.1/devlink-move-code-to-a-dedicated-directory.patch
@@ -0,0 +1,86 @@
+From 493a4cadb707046d2e85e69ed35095534192be6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 20:05:17 -0800
+Subject: devlink: move code to a dedicated directory
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit f05bd8ebeb69c803efd6d8a76d96b7fcd7011094 ]
+
+The devlink code is hard to navigate with 13kLoC in one file.
+I really like the way Michal split the ethtool into per-command
+files and core. It'd probably be too much to split it all up,
+but we can at least separate the core parts out of the per-cmd
+implementations and put it in a directory so that new commands
+can be separate files.
+
+Move the code, subsequent commit will do a partial split.
+
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 2ebbc9752d06 ("devlink: add missing unregister linecard notification")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ MAINTAINERS                                | 2 +-
+ net/Makefile                               | 1 +
+ net/core/Makefile                          | 1 -
+ net/devlink/Makefile                       | 3 +++
+ net/{core/devlink.c => devlink/leftover.c} | 0
+ 5 files changed, 5 insertions(+), 2 deletions(-)
+ create mode 100644 net/devlink/Makefile
+ rename net/{core/devlink.c => devlink/leftover.c} (100%)
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 379387e20a96d..07a9c274c0e29 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -6027,7 +6027,7 @@ S:       Supported
+ F:    Documentation/networking/devlink
+ F:    include/net/devlink.h
+ F:    include/uapi/linux/devlink.h
+-F:    net/core/devlink.c
++F:    net/devlink/
+ 
+ DH ELECTRONICS IMX6 DHCOM BOARD SUPPORT
+ M:    Christoph Niedermaier <cniedermaier@dh-electronics.com>
+diff --git a/net/Makefile b/net/Makefile
+index 6a62e5b273781..0914bea9c335f 100644
+--- a/net/Makefile
++++ b/net/Makefile
+@@ -23,6 +23,7 @@ obj-$(CONFIG_BPFILTER)               += bpfilter/
+ obj-$(CONFIG_PACKET)          += packet/
+ obj-$(CONFIG_NET_KEY)         += key/
+ obj-$(CONFIG_BRIDGE)          += bridge/
++obj-$(CONFIG_NET_DEVLINK)     += devlink/
+ obj-$(CONFIG_NET_DSA)         += dsa/
+ obj-$(CONFIG_ATALK)           += appletalk/
+ obj-$(CONFIG_X25)             += x25/
+diff --git a/net/core/Makefile b/net/core/Makefile
+index 5857cec87b839..10edd66a8a372 100644
+--- a/net/core/Makefile
++++ b/net/core/Makefile
+@@ -33,7 +33,6 @@ obj-$(CONFIG_LWTUNNEL) += lwtunnel.o
+ obj-$(CONFIG_LWTUNNEL_BPF) += lwt_bpf.o
+ obj-$(CONFIG_DST_CACHE) += dst_cache.o
+ obj-$(CONFIG_HWBM) += hwbm.o
+-obj-$(CONFIG_NET_DEVLINK) += devlink.o
+ obj-$(CONFIG_GRO_CELLS) += gro_cells.o
+ obj-$(CONFIG_FAILOVER) += failover.o
+ obj-$(CONFIG_NET_SOCK_MSG) += skmsg.o
+diff --git a/net/devlink/Makefile b/net/devlink/Makefile
+new file mode 100644
+index 0000000000000..3a60959f71eea
+--- /dev/null
++++ b/net/devlink/Makefile
+@@ -0,0 +1,3 @@
++# SPDX-License-Identifier: GPL-2.0
++
++obj-y := leftover.o
+diff --git a/net/core/devlink.c b/net/devlink/leftover.c
+similarity index 100%
+rename from net/core/devlink.c
+rename to net/devlink/leftover.c
+-- 
+2.40.1
+

diff --git a/queue-6.1/drm-aperture-remove-primary-argument.patch b/queue-6.1/drm-aperture-remove-primary-argument.patch
new file mode 100644 (file)
index 0000000..f10046c
--- /dev/null
+++ b/queue-6.1/drm-aperture-remove-primary-argument.patch
@@ -0,0 +1,292 @@
+From 9439d136bfdaa6efcb044c2b9617a8dc5e0eb447 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 15:21:03 +0200
+Subject: drm/aperture: Remove primary argument
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 62aeaeaa1b267c5149abee6b45967a5df3feed58 ]
+
+Only really pci devices have a business setting this - it's for
+figuring out whether the legacy vga stuff should be nuked too. And
+with the preceding two patches those are all using the pci version of
+this.
+
+Which means for all other callers primary == false and we can remove
+it now.
+
+v2:
+- Reorder to avoid compile fail (Thomas)
+- Include gma500, which retained it's called to the non-pci version.
+
+v4:
+- fix Daniel's S-o-b address
+
+v5:
+- add back an S-o-b tag with Daniel's Intel address
+
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: Deepak Rawat <drawat.floss@gmail.com>
+Cc: Neil Armstrong <neil.armstrong@linaro.org>
+Cc: Kevin Hilman <khilman@baylibre.com>
+Cc: Jerome Brunet <jbrunet@baylibre.com>
+Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: Jonathan Hunter <jonathanh@nvidia.com>
+Cc: Emma Anholt <emma@anholt.net>
+Cc: Helge Deller <deller@gmx.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: linux-hyperv@vger.kernel.org
+Cc: linux-amlogic@lists.infradead.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-tegra@vger.kernel.org
+Cc: linux-fbdev@vger.kernel.org
+Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230406132109.32050-4-tzimmermann@suse.de
+Stable-dep-of: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/arm/hdlcd_drv.c             |  2 +-
+ drivers/gpu/drm/armada/armada_drv.c         |  2 +-
+ drivers/gpu/drm/drm_aperture.c              | 11 +++--------
+ drivers/gpu/drm/gma500/psb_drv.c            |  2 +-
+ drivers/gpu/drm/hyperv/hyperv_drm_drv.c     |  1 -
+ drivers/gpu/drm/meson/meson_drv.c           |  2 +-
+ drivers/gpu/drm/msm/msm_fbdev.c             |  2 +-
+ drivers/gpu/drm/rockchip/rockchip_drm_drv.c |  2 +-
+ drivers/gpu/drm/stm/drv.c                   |  2 +-
+ drivers/gpu/drm/sun4i/sun4i_drv.c           |  2 +-
+ drivers/gpu/drm/tegra/drm.c                 |  2 +-
+ drivers/gpu/drm/vc4/vc4_drv.c               |  2 +-
+ include/drm/drm_aperture.h                  |  7 +++----
+ 13 files changed, 16 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/gpu/drm/arm/hdlcd_drv.c b/drivers/gpu/drm/arm/hdlcd_drv.c
+index a032003c340cc..d6ea47873627f 100644
+--- a/drivers/gpu/drm/arm/hdlcd_drv.c
++++ b/drivers/gpu/drm/arm/hdlcd_drv.c
+@@ -290,7 +290,7 @@ static int hdlcd_drm_bind(struct device *dev)
+        */
+       if (hdlcd_read(hdlcd, HDLCD_REG_COMMAND)) {
+               hdlcd_write(hdlcd, HDLCD_REG_COMMAND, 0);
+-              drm_aperture_remove_framebuffers(false, &hdlcd_driver);
++              drm_aperture_remove_framebuffers(&hdlcd_driver);
+       }
+ 
+       drm_mode_config_reset(drm);
+diff --git a/drivers/gpu/drm/armada/armada_drv.c b/drivers/gpu/drm/armada/armada_drv.c
+index 142668cd6d7cd..688ba358f5319 100644
+--- a/drivers/gpu/drm/armada/armada_drv.c
++++ b/drivers/gpu/drm/armada/armada_drv.c
+@@ -95,7 +95,7 @@ static int armada_drm_bind(struct device *dev)
+       }
+ 
+       /* Remove early framebuffers */
+-      ret = drm_aperture_remove_framebuffers(false, &armada_drm_driver);
++      ret = drm_aperture_remove_framebuffers(&armada_drm_driver);
+       if (ret) {
+               dev_err(dev, "[" DRM_NAME ":%s] can't kick out simple-fb: %d\n",
+                       __func__, ret);
+diff --git a/drivers/gpu/drm/drm_aperture.c b/drivers/gpu/drm/drm_aperture.c
+index 3b8fdeeafd53a..697cffbfd6037 100644
+--- a/drivers/gpu/drm/drm_aperture.c
++++ b/drivers/gpu/drm/drm_aperture.c
+@@ -32,17 +32,13 @@
+  *
+  *    static int remove_conflicting_framebuffers(struct pci_dev *pdev)
+  *    {
+- *            bool primary = false;
+  *            resource_size_t base, size;
+  *            int ret;
+  *
+  *            base = pci_resource_start(pdev, 0);
+  *            size = pci_resource_len(pdev, 0);
+- *    #ifdef CONFIG_X86
+- *            primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW;
+- *    #endif
+  *
+- *            return drm_aperture_remove_conflicting_framebuffers(base, size, primary,
++ *            return drm_aperture_remove_conflicting_framebuffers(base, size,
+  *                                                                &example_driver);
+  *    }
+  *
+@@ -161,7 +157,6 @@ EXPORT_SYMBOL(devm_aperture_acquire_from_firmware);
+  * drm_aperture_remove_conflicting_framebuffers - remove existing framebuffers in the given range
+  * @base: the aperture's base address in physical memory
+  * @size: aperture size in bytes
+- * @primary: also kick vga16fb if present
+  * @req_driver: requesting DRM driver
+  *
+  * This function removes graphics device drivers which use the memory range described by
+@@ -171,9 +166,9 @@ EXPORT_SYMBOL(devm_aperture_acquire_from_firmware);
+  * 0 on success, or a negative errno code otherwise
+  */
+ int drm_aperture_remove_conflicting_framebuffers(resource_size_t base, resource_size_t size,
+-                                               bool primary, const struct drm_driver *req_driver)
++                                               const struct drm_driver *req_driver)
+ {
+-      return aperture_remove_conflicting_devices(base, size, primary, req_driver->name);
++      return aperture_remove_conflicting_devices(base, size, false, req_driver->name);
+ }
+ EXPORT_SYMBOL(drm_aperture_remove_conflicting_framebuffers);
+ 
+diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c
+index 000e6704e3c75..738eb558a97e9 100644
+--- a/drivers/gpu/drm/gma500/psb_drv.c
++++ b/drivers/gpu/drm/gma500/psb_drv.c
+@@ -430,7 +430,7 @@ static int psb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+        * TODO: Refactor psb_driver_load() to map vdc_reg earlier. Then we
+        *       might be able to read the framebuffer range from the device.
+        */
+-      ret = drm_aperture_remove_framebuffers(false, &driver);
++      ret = drm_aperture_remove_framebuffers(&driver);
+       if (ret)
+               return ret;
+ 
+diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
+index ca127ff797f75..29ee0814bccc8 100644
+--- a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
++++ b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
+@@ -74,7 +74,6 @@ static int hyperv_setup_vram(struct hyperv_drm_device *hv,
+ 
+       drm_aperture_remove_conflicting_framebuffers(screen_info.lfb_base,
+                                                    screen_info.lfb_size,
+-                                                   false,
+                                                    &hyperv_driver);
+ 
+       hv->fb_size = (unsigned long)hv->mmio_megabytes * 1024 * 1024;
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index eea433ade79d0..119544d88b586 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -285,7 +285,7 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
+        * Remove early framebuffers (ie. simplefb). The framebuffer can be
+        * located anywhere in RAM
+        */
+-      ret = drm_aperture_remove_framebuffers(false, &meson_driver);
++      ret = drm_aperture_remove_framebuffers(&meson_driver);
+       if (ret)
+               goto free_drm;
+ 
+diff --git a/drivers/gpu/drm/msm/msm_fbdev.c b/drivers/gpu/drm/msm/msm_fbdev.c
+index 46168eccfac4a..d4a9b501e1bcc 100644
+--- a/drivers/gpu/drm/msm/msm_fbdev.c
++++ b/drivers/gpu/drm/msm/msm_fbdev.c
+@@ -157,7 +157,7 @@ struct drm_fb_helper *msm_fbdev_init(struct drm_device *dev)
+       }
+ 
+       /* the fw fb could be anywhere in memory */
+-      ret = drm_aperture_remove_framebuffers(false, dev->driver);
++      ret = drm_aperture_remove_framebuffers(dev->driver);
+       if (ret)
+               goto fini;
+ 
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
+index 813f9f8c86982..8e12053a220b0 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
+@@ -140,7 +140,7 @@ static int rockchip_drm_bind(struct device *dev)
+       int ret;
+ 
+       /* Remove existing drivers that may own the framebuffer memory. */
+-      ret = drm_aperture_remove_framebuffers(false, &rockchip_drm_driver);
++      ret = drm_aperture_remove_framebuffers(&rockchip_drm_driver);
+       if (ret) {
+               DRM_DEV_ERROR(dev,
+                             "Failed to remove existing framebuffers - %d.\n",
+diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
+index d7914f5122dff..0a09a85ac9d69 100644
+--- a/drivers/gpu/drm/stm/drv.c
++++ b/drivers/gpu/drm/stm/drv.c
+@@ -185,7 +185,7 @@ static int stm_drm_platform_probe(struct platform_device *pdev)
+ 
+       DRM_DEBUG("%s\n", __func__);
+ 
+-      ret = drm_aperture_remove_framebuffers(false, &drv_driver);
++      ret = drm_aperture_remove_framebuffers(&drv_driver);
+       if (ret)
+               return ret;
+ 
+diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c
+index 7910c5853f0a8..5c483bbccbbbc 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
+@@ -98,7 +98,7 @@ static int sun4i_drv_bind(struct device *dev)
+               goto unbind_all;
+ 
+       /* Remove early framebuffers (ie. simplefb) */
+-      ret = drm_aperture_remove_framebuffers(false, &sun4i_drv_driver);
++      ret = drm_aperture_remove_framebuffers(&sun4i_drv_driver);
+       if (ret)
+               goto unbind_all;
+ 
+diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
+index a1f909dac89a7..5fc55b9777cbf 100644
+--- a/drivers/gpu/drm/tegra/drm.c
++++ b/drivers/gpu/drm/tegra/drm.c
+@@ -1252,7 +1252,7 @@ static int host1x_drm_probe(struct host1x_device *dev)
+ 
+       drm_mode_config_reset(drm);
+ 
+-      err = drm_aperture_remove_framebuffers(false, &tegra_drm_driver);
++      err = drm_aperture_remove_framebuffers(&tegra_drm_driver);
+       if (err < 0)
+               goto hub;
+ 
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c
+index 8c329c071c62d..b6384a5dfdbc1 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.c
++++ b/drivers/gpu/drm/vc4/vc4_drv.c
+@@ -351,7 +351,7 @@ static int vc4_drm_bind(struct device *dev)
+                       return -EPROBE_DEFER;
+       }
+ 
+-      ret = drm_aperture_remove_framebuffers(false, driver);
++      ret = drm_aperture_remove_framebuffers(driver);
+       if (ret)
+               return ret;
+ 
+diff --git a/include/drm/drm_aperture.h b/include/drm/drm_aperture.h
+index 7096703c39493..cbe33b49fd5dc 100644
+--- a/include/drm/drm_aperture.h
++++ b/include/drm/drm_aperture.h
+@@ -13,14 +13,13 @@ int devm_aperture_acquire_from_firmware(struct drm_device *dev, resource_size_t
+                                       resource_size_t size);
+ 
+ int drm_aperture_remove_conflicting_framebuffers(resource_size_t base, resource_size_t size,
+-                                               bool primary, const struct drm_driver *req_driver);
++                                               const struct drm_driver *req_driver);
+ 
+ int drm_aperture_remove_conflicting_pci_framebuffers(struct pci_dev *pdev,
+                                                    const struct drm_driver *req_driver);
+ 
+ /**
+  * drm_aperture_remove_framebuffers - remove all existing framebuffers
+- * @primary: also kick vga16fb if present
+  * @req_driver: requesting DRM driver
+  *
+  * This function removes all graphics device drivers. Use this function on systems
+@@ -30,9 +29,9 @@ int drm_aperture_remove_conflicting_pci_framebuffers(struct pci_dev *pdev,
+  * 0 on success, or a negative errno code otherwise
+  */
+ static inline int
+-drm_aperture_remove_framebuffers(bool primary, const struct drm_driver *req_driver)
++drm_aperture_remove_framebuffers(const struct drm_driver *req_driver)
+ {
+-      return drm_aperture_remove_conflicting_framebuffers(0, (resource_size_t)-1, primary,
++      return drm_aperture_remove_conflicting_framebuffers(0, (resource_size_t)-1,
+                                                           req_driver);
+ }
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/drm-ast-use-drm_aperture_remove_conflicting_pci_fram.patch b/queue-6.1/drm-ast-use-drm_aperture_remove_conflicting_pci_fram.patch
new file mode 100644 (file)
index 0000000..002f568
--- /dev/null
+++ b/queue-6.1/drm-ast-use-drm_aperture_remove_conflicting_pci_fram.patch
@@ -0,0 +1,66 @@
+From 11c8e60dff2ac07edb1d475a5a6dfff2592456a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 16:41:02 +0100
+Subject: drm/ast: Use drm_aperture_remove_conflicting_pci_framebuffers
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit c1ebead36099deb85384f6fb262fe619a04cee73 ]
+
+It's just open coded and matches.
+
+Note that Thomas said that his version apparently failed for some
+reason, but hey maybe we should try again.
+
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-fbdev@vger.kernel.org
+Tested-by: Thomas Zimmmermann <tzimmermann@suse.de>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230111154112.90575-1-daniel.vetter@ffwll.ch
+Stable-dep-of: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_drv.c | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/ast/ast_drv.c b/drivers/gpu/drm/ast/ast_drv.c
+index b9392f31e6291..800471f2a2037 100644
+--- a/drivers/gpu/drm/ast/ast_drv.c
++++ b/drivers/gpu/drm/ast/ast_drv.c
+@@ -89,27 +89,13 @@ static const struct pci_device_id ast_pciidlist[] = {
+ 
+ MODULE_DEVICE_TABLE(pci, ast_pciidlist);
+ 
+-static int ast_remove_conflicting_framebuffers(struct pci_dev *pdev)
+-{
+-      bool primary = false;
+-      resource_size_t base, size;
+-
+-      base = pci_resource_start(pdev, 0);
+-      size = pci_resource_len(pdev, 0);
+-#ifdef CONFIG_X86
+-      primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW;
+-#endif
+-
+-      return drm_aperture_remove_conflicting_framebuffers(base, size, primary, &ast_driver);
+-}
+-
+ static int ast_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+       struct ast_private *ast;
+       struct drm_device *dev;
+       int ret;
+ 
+-      ret = ast_remove_conflicting_framebuffers(pdev);
++      ret = drm_aperture_remove_conflicting_pci_framebuffers(pdev, &ast_driver);
+       if (ret)
+               return ret;
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/drm-gma500-use-drm_aperture_remove_conflicting_pci_f.patch b/queue-6.1/drm-gma500-use-drm_aperture_remove_conflicting_pci_f.patch
new file mode 100644 (file)
index 0000000..32c860c
--- /dev/null
+++ b/queue-6.1/drm-gma500-use-drm_aperture_remove_conflicting_pci_f.patch
@@ -0,0 +1,68 @@
+From f083c16f5c953ba479105efae87c53f55168d5af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 15:21:01 +0200
+Subject: drm/gma500: Use drm_aperture_remove_conflicting_pci_framebuffers
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 80e993988b97fe794f3ec2be6db05fe30f9353c3 ]
+
+This one nukes all framebuffers, which is a bit much. In reality
+gma500 is igpu and never shipped with anything discrete, so there should
+not be any difference.
+
+v2: Unfortunately the framebuffer sits outside of the pci bars for
+gma500, and so only using the pci helpers won't be enough. Otoh if we
+only use non-pci helper, then we don't get the vga handling, and
+subsequent refactoring to untangle these special cases won't work.
+
+It's not pretty, but the simplest fix (since gma500 really is the only
+quirky pci driver like this we have) is to just have both calls.
+
+v4:
+- fix Daniel's S-o-b address
+
+v5:
+- add back an S-o-b tag with Daniel's Intel address
+
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230406132109.32050-2-tzimmermann@suse.de
+Stable-dep-of: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/psb_drv.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c
+index cd9c73f5a64ab..000e6704e3c75 100644
+--- a/drivers/gpu/drm/gma500/psb_drv.c
++++ b/drivers/gpu/drm/gma500/psb_drv.c
+@@ -424,12 +424,17 @@ static int psb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ 
+       /*
+        * We cannot yet easily find the framebuffer's location in memory. So
+-       * remove all framebuffers here.
++       * remove all framebuffers here. Note that we still want the pci special
++       * handling to kick out vgacon.
+        *
+        * TODO: Refactor psb_driver_load() to map vdc_reg earlier. Then we
+        *       might be able to read the framebuffer range from the device.
+        */
+-      ret = drm_aperture_remove_framebuffers(true, &driver);
++      ret = drm_aperture_remove_framebuffers(false, &driver);
++      if (ret)
++              return ret;
++
++      ret = drm_aperture_remove_conflicting_pci_framebuffers(pdev, &driver);
+       if (ret)
+               return ret;
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/drm-i915-add-the-gen12_needs_ccs_aux_inv-helper.patch b/queue-6.1/drm-i915-add-the-gen12_needs_ccs_aux_inv-helper.patch
new file mode 100644 (file)
index 0000000..9e39022
--- /dev/null
+++ b/queue-6.1/drm-i915-add-the-gen12_needs_ccs_aux_inv-helper.patch
@@ -0,0 +1,88 @@
+From 181e8e3738999fa0c652536cc0f9433aa49d3fe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 02:19:45 +0200
+Subject: drm/i915: Add the gen12_needs_ccs_aux_inv helper
+
+From: Andi Shyti <andi.shyti@linux.intel.com>
+
+[ Upstream commit b2f59e9026038a5bbcbc0019fa58f963138211ee ]
+
+We always assumed that a device might either have AUX or FLAT
+CCS, but this is an approximation that is not always true, e.g.
+PVC represents an exception.
+
+Set the basis for future finer selection by implementing a
+boolean gen12_needs_ccs_aux_inv() function that tells whether aux
+invalidation is needed or not.
+
+Currently PVC is the only exception to the above mentioned rule.
+
+Requires: 059ae7ae2a1c ("drm/i915/gt: Cleanup aux invalidation registers")
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230725001950.1014671-3-andi.shyti@linux.intel.com
+(cherry picked from commit c827655b87ad201ebe36f2e28d16b5491c8f7801)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/gen8_engine_cs.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
+index b2838732ac936..8e286733a4367 100644
+--- a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
+@@ -165,6 +165,18 @@ static u32 preparser_disable(bool state)
+       return MI_ARB_CHECK | 1 << 8 | state;
+ }
+ 
++static bool gen12_needs_ccs_aux_inv(struct intel_engine_cs *engine)
++{
++      if (IS_PONTEVECCHIO(engine->i915))
++              return false;
++
++      /*
++       * so far platforms supported by i915 having
++       * flat ccs do not require AUX invalidation
++       */
++      return !HAS_FLAT_CCS(engine->i915);
++}
++
+ u32 *gen12_emit_aux_table_inv(struct intel_gt *gt, u32 *cs, const i915_reg_t inv_reg)
+ {
+       u32 gsi_offset = gt->uncore->gsi_offset;
+@@ -236,7 +248,7 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
+               else if (engine->class == COMPUTE_CLASS)
+                       flags &= ~PIPE_CONTROL_3D_ENGINE_FLAGS;
+ 
+-              if (!HAS_FLAT_CCS(rq->engine->i915))
++              if (gen12_needs_ccs_aux_inv(rq->engine))
+                       count = 8 + 4;
+               else
+                       count = 8;
+@@ -254,7 +266,7 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
+ 
+               cs = gen8_emit_pipe_control(cs, flags, LRC_PPHWSP_SCRATCH_ADDR);
+ 
+-              if (!HAS_FLAT_CCS(rq->engine->i915)) {
++              if (gen12_needs_ccs_aux_inv(rq->engine)) {
+                       /* hsdes: 1809175790 */
+                       cs = gen12_emit_aux_table_inv(rq->engine->gt, cs,
+                                                     GEN12_CCS_AUX_INV);
+@@ -276,7 +288,7 @@ int gen12_emit_flush_xcs(struct i915_request *rq, u32 mode)
+       if (mode & EMIT_INVALIDATE) {
+               cmd += 2;
+ 
+-              if (!HAS_FLAT_CCS(rq->engine->i915) &&
++              if (gen12_needs_ccs_aux_inv(rq->engine) &&
+                   (rq->engine->class == VIDEO_DECODE_CLASS ||
+                    rq->engine->class == VIDEO_ENHANCEMENT_CLASS)) {
+                       aux_inv = rq->engine->mask &
+-- 
+2.40.1
+

diff --git a/queue-6.1/drm-i915-gt-ensure-memory-quiesced-before-invalidati.patch b/queue-6.1/drm-i915-gt-ensure-memory-quiesced-before-invalidati.patch
new file mode 100644 (file)
index 0000000..7b785c1
--- /dev/null
+++ b/queue-6.1/drm-i915-gt-ensure-memory-quiesced-before-invalidati.patch
@@ -0,0 +1,47 @@
+From d9497a238b5b33bac8495e47eec58a94fb2f0570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 02:19:46 +0200
+Subject: drm/i915/gt: Ensure memory quiesced before invalidation
+
+From: Jonathan Cavitt <jonathan.cavitt@intel.com>
+
+[ Upstream commit 78a6ccd65fa3a7cc697810db079cc4b84dff03d5 ]
+
+All memory traffic must be quiesced before requesting
+an aux invalidation on platforms that use Aux CCS.
+
+Fixes: 972282c4cf24 ("drm/i915/gen12: Add aux table invalidate for all engines")
+Requires: a2a4aa0eef3b ("drm/i915: Add the gen12_needs_ccs_aux_inv helper")
+Signed-off-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230725001950.1014671-4-andi.shyti@linux.intel.com
+(cherry picked from commit ad8ebf12217e451cd19804b1c3e97ad56491c74a)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/gen8_engine_cs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
+index 8e286733a4367..6a8c2fab4ca81 100644
+--- a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
+@@ -193,7 +193,11 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
+ {
+       struct intel_engine_cs *engine = rq->engine;
+ 
+-      if (mode & EMIT_FLUSH) {
++      /*
++       * On Aux CCS platforms the invalidation of the Aux
++       * table requires quiescing memory traffic beforehand
++       */
++      if (mode & EMIT_FLUSH || gen12_needs_ccs_aux_inv(engine)) {
+               u32 flags = 0;
+               u32 *cs;
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/drm-i915-gt-poll-aux-invalidation-register-bit-on-in.patch b/queue-6.1/drm-i915-gt-poll-aux-invalidation-register-bit-on-in.patch
new file mode 100644 (file)
index 0000000..630ee33
--- /dev/null
+++ b/queue-6.1/drm-i915-gt-poll-aux-invalidation-register-bit-on-in.patch
@@ -0,0 +1,87 @@
+From 9201c3eac1e955be13872cdeed28cbfb9bd33474 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 02:19:49 +0200
+Subject: drm/i915/gt: Poll aux invalidation register bit on invalidation
+
+From: Jonathan Cavitt <jonathan.cavitt@intel.com>
+
+[ Upstream commit 0fde2f23516a00fd90dfb980b66b4665fcbfa659 ]
+
+For platforms that use Aux CCS, wait for aux invalidation to
+complete by checking the aux invalidation register bit is
+cleared.
+
+Fixes: 972282c4cf24 ("drm/i915/gen12: Add aux table invalidate for all engines")
+Signed-off-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230725001950.1014671-7-andi.shyti@linux.intel.com
+(cherry picked from commit d459c86f00aa98028d155a012c65dc42f7c37e76)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/gen8_engine_cs.c     | 17 ++++++++++++-----
+ drivers/gpu/drm/i915/gt/intel_gpu_commands.h |  1 +
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
+index 6a8c2fab4ca81..975e31d876b1a 100644
+--- a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
+@@ -184,7 +184,15 @@ u32 *gen12_emit_aux_table_inv(struct intel_gt *gt, u32 *cs, const i915_reg_t inv
+       *cs++ = MI_LOAD_REGISTER_IMM(1) | MI_LRI_MMIO_REMAP_EN;
+       *cs++ = i915_mmio_reg_offset(inv_reg) + gsi_offset;
+       *cs++ = AUX_INV;
+-      *cs++ = MI_NOOP;
++
++      *cs++ = MI_SEMAPHORE_WAIT_TOKEN |
++              MI_SEMAPHORE_REGISTER_POLL |
++              MI_SEMAPHORE_POLL |
++              MI_SEMAPHORE_SAD_EQ_SDD;
++      *cs++ = 0;
++      *cs++ = i915_mmio_reg_offset(inv_reg) + gsi_offset;
++      *cs++ = 0;
++      *cs++ = 0;
+ 
+       return cs;
+ }
+@@ -252,10 +260,9 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
+               else if (engine->class == COMPUTE_CLASS)
+                       flags &= ~PIPE_CONTROL_3D_ENGINE_FLAGS;
+ 
++              count = 8;
+               if (gen12_needs_ccs_aux_inv(rq->engine))
+-                      count = 8 + 4;
+-              else
+-                      count = 8;
++                      count += 8;
+ 
+               cs = intel_ring_begin(rq, count);
+               if (IS_ERR(cs))
+@@ -298,7 +305,7 @@ int gen12_emit_flush_xcs(struct i915_request *rq, u32 mode)
+                       aux_inv = rq->engine->mask &
+                               ~GENMASK(_BCS(I915_MAX_BCS - 1), BCS0);
+                       if (aux_inv)
+-                              cmd += 4;
++                              cmd += 8;
+               }
+       }
+ 
+diff --git a/drivers/gpu/drm/i915/gt/intel_gpu_commands.h b/drivers/gpu/drm/i915/gt/intel_gpu_commands.h
+index d4e9702d3c8e7..25ea5f8a464a4 100644
+--- a/drivers/gpu/drm/i915/gt/intel_gpu_commands.h
++++ b/drivers/gpu/drm/i915/gt/intel_gpu_commands.h
+@@ -120,6 +120,7 @@
+ #define   MI_SEMAPHORE_TARGET(engine) ((engine)<<15)
+ #define MI_SEMAPHORE_WAIT     MI_INSTR(0x1c, 2) /* GEN8+ */
+ #define MI_SEMAPHORE_WAIT_TOKEN       MI_INSTR(0x1c, 3) /* GEN12+ */
++#define   MI_SEMAPHORE_REGISTER_POLL  (1 << 16)
+ #define   MI_SEMAPHORE_POLL           (1 << 15)
+ #define   MI_SEMAPHORE_SAD_GT_SDD     (0 << 12)
+ #define   MI_SEMAPHORE_SAD_GTE_SDD    (1 << 12)
+-- 
+2.40.1
+

diff --git a/queue-6.1/drm-i915-gt-support-aux-invalidation-on-all-engines.patch b/queue-6.1/drm-i915-gt-support-aux-invalidation-on-all-engines.patch
new file mode 100644 (file)
index 0000000..00a9041
--- /dev/null
+++ b/queue-6.1/drm-i915-gt-support-aux-invalidation-on-all-engines.patch
@@ -0,0 +1,203 @@
+From 3a22a108805a3cdfe642d9d2d9cb19a5ff932633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 02:19:50 +0200
+Subject: drm/i915/gt: Support aux invalidation on all engines
+
+From: Andi Shyti <andi.shyti@linux.intel.com>
+
+[ Upstream commit 6a35f22d222528e1b157c6978c9424d2f8cbe0a1 ]
+
+Perform some refactoring with the purpose of keeping in one
+single place all the operations around the aux table
+invalidation.
+
+With this refactoring add more engines where the invalidation
+should be performed.
+
+Fixes: 972282c4cf24 ("drm/i915/gen12: Add aux table invalidate for all engines")
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230725001950.1014671-8-andi.shyti@linux.intel.com
+(cherry picked from commit 76ff7789d6e63d1a10b3b58f5c70b2e640c7a880)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/gen8_engine_cs.c | 66 +++++++++++++-----------
+ drivers/gpu/drm/i915/gt/gen8_engine_cs.h |  3 +-
+ drivers/gpu/drm/i915/gt/intel_lrc.c      | 17 +-----
+ 3 files changed, 41 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
+index 975e31d876b1a..cc84685368715 100644
+--- a/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/gen8_engine_cs.c
+@@ -165,21 +165,47 @@ static u32 preparser_disable(bool state)
+       return MI_ARB_CHECK | 1 << 8 | state;
+ }
+ 
++static i915_reg_t gen12_get_aux_inv_reg(struct intel_engine_cs *engine)
++{
++      switch (engine->id) {
++      case RCS0:
++              return GEN12_CCS_AUX_INV;
++      case BCS0:
++              return GEN12_BCS0_AUX_INV;
++      case VCS0:
++              return GEN12_VD0_AUX_INV;
++      case VCS2:
++              return GEN12_VD2_AUX_INV;
++      case VECS0:
++              return GEN12_VE0_AUX_INV;
++      case CCS0:
++              return GEN12_CCS0_AUX_INV;
++      default:
++              return INVALID_MMIO_REG;
++      }
++}
++
+ static bool gen12_needs_ccs_aux_inv(struct intel_engine_cs *engine)
+ {
++      i915_reg_t reg = gen12_get_aux_inv_reg(engine);
++
+       if (IS_PONTEVECCHIO(engine->i915))
+               return false;
+ 
+       /*
+-       * so far platforms supported by i915 having
+-       * flat ccs do not require AUX invalidation
++       * So far platforms supported by i915 having flat ccs do not require
++       * AUX invalidation. Check also whether the engine requires it.
+        */
+-      return !HAS_FLAT_CCS(engine->i915);
++      return i915_mmio_reg_valid(reg) && !HAS_FLAT_CCS(engine->i915);
+ }
+ 
+-u32 *gen12_emit_aux_table_inv(struct intel_gt *gt, u32 *cs, const i915_reg_t inv_reg)
++u32 *gen12_emit_aux_table_inv(struct intel_engine_cs *engine, u32 *cs)
+ {
+-      u32 gsi_offset = gt->uncore->gsi_offset;
++      i915_reg_t inv_reg = gen12_get_aux_inv_reg(engine);
++      u32 gsi_offset = engine->gt->uncore->gsi_offset;
++
++      if (!gen12_needs_ccs_aux_inv(engine))
++              return cs;
+ 
+       *cs++ = MI_LOAD_REGISTER_IMM(1) | MI_LRI_MMIO_REMAP_EN;
+       *cs++ = i915_mmio_reg_offset(inv_reg) + gsi_offset;
+@@ -277,11 +303,7 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
+ 
+               cs = gen8_emit_pipe_control(cs, flags, LRC_PPHWSP_SCRATCH_ADDR);
+ 
+-              if (gen12_needs_ccs_aux_inv(rq->engine)) {
+-                      /* hsdes: 1809175790 */
+-                      cs = gen12_emit_aux_table_inv(rq->engine->gt, cs,
+-                                                    GEN12_CCS_AUX_INV);
+-              }
++              cs = gen12_emit_aux_table_inv(engine, cs);
+ 
+               *cs++ = preparser_disable(false);
+               intel_ring_advance(rq, cs);
+@@ -292,21 +314,14 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
+ 
+ int gen12_emit_flush_xcs(struct i915_request *rq, u32 mode)
+ {
+-      intel_engine_mask_t aux_inv = 0;
+-      u32 cmd, *cs;
++      u32 cmd = 4;
++      u32 *cs;
+ 
+-      cmd = 4;
+       if (mode & EMIT_INVALIDATE) {
+               cmd += 2;
+ 
+-              if (gen12_needs_ccs_aux_inv(rq->engine) &&
+-                  (rq->engine->class == VIDEO_DECODE_CLASS ||
+-                   rq->engine->class == VIDEO_ENHANCEMENT_CLASS)) {
+-                      aux_inv = rq->engine->mask &
+-                              ~GENMASK(_BCS(I915_MAX_BCS - 1), BCS0);
+-                      if (aux_inv)
+-                              cmd += 8;
+-              }
++              if (gen12_needs_ccs_aux_inv(rq->engine))
++                      cmd += 8;
+       }
+ 
+       cs = intel_ring_begin(rq, cmd);
+@@ -337,14 +352,7 @@ int gen12_emit_flush_xcs(struct i915_request *rq, u32 mode)
+       *cs++ = 0; /* upper addr */
+       *cs++ = 0; /* value */
+ 
+-      if (aux_inv) { /* hsdes: 1809175790 */
+-              if (rq->engine->class == VIDEO_DECODE_CLASS)
+-                      cs = gen12_emit_aux_table_inv(rq->engine->gt,
+-                                                    cs, GEN12_VD0_AUX_INV);
+-              else
+-                      cs = gen12_emit_aux_table_inv(rq->engine->gt,
+-                                                    cs, GEN12_VE0_AUX_INV);
+-      }
++      cs = gen12_emit_aux_table_inv(rq->engine, cs);
+ 
+       if (mode & EMIT_INVALIDATE)
+               *cs++ = preparser_disable(false);
+diff --git a/drivers/gpu/drm/i915/gt/gen8_engine_cs.h b/drivers/gpu/drm/i915/gt/gen8_engine_cs.h
+index e4d24c811dd61..651eb786e930c 100644
+--- a/drivers/gpu/drm/i915/gt/gen8_engine_cs.h
++++ b/drivers/gpu/drm/i915/gt/gen8_engine_cs.h
+@@ -13,6 +13,7 @@
+ #include "intel_gt_regs.h"
+ #include "intel_gpu_commands.h"
+ 
++struct intel_engine_cs;
+ struct intel_gt;
+ struct i915_request;
+ 
+@@ -46,7 +47,7 @@ u32 *gen8_emit_fini_breadcrumb_rcs(struct i915_request *rq, u32 *cs);
+ u32 *gen11_emit_fini_breadcrumb_rcs(struct i915_request *rq, u32 *cs);
+ u32 *gen12_emit_fini_breadcrumb_rcs(struct i915_request *rq, u32 *cs);
+ 
+-u32 *gen12_emit_aux_table_inv(struct intel_gt *gt, u32 *cs, const i915_reg_t inv_reg);
++u32 *gen12_emit_aux_table_inv(struct intel_engine_cs *engine, u32 *cs);
+ 
+ static inline u32 *
+ __gen8_emit_pipe_control(u32 *batch, u32 flags0, u32 flags1, u32 offset)
+diff --git a/drivers/gpu/drm/i915/gt/intel_lrc.c b/drivers/gpu/drm/i915/gt/intel_lrc.c
+index 137e41e37ea54..7eb01ff17d89b 100644
+--- a/drivers/gpu/drm/i915/gt/intel_lrc.c
++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c
+@@ -1296,10 +1296,7 @@ gen12_emit_indirect_ctx_rcs(const struct intel_context *ce, u32 *cs)
+           IS_DG2_G11(ce->engine->i915))
+               cs = gen8_emit_pipe_control(cs, PIPE_CONTROL_INSTRUCTION_CACHE_INVALIDATE, 0);
+ 
+-      /* hsdes: 1809175790 */
+-      if (!HAS_FLAT_CCS(ce->engine->i915))
+-              cs = gen12_emit_aux_table_inv(ce->engine->gt,
+-                                            cs, GEN12_CCS_AUX_INV);
++      cs = gen12_emit_aux_table_inv(ce->engine, cs);
+ 
+       /* Wa_16014892111 */
+       if (IS_DG2(ce->engine->i915))
+@@ -1322,17 +1319,7 @@ gen12_emit_indirect_ctx_xcs(const struct intel_context *ce, u32 *cs)
+                                                   PIPE_CONTROL_INSTRUCTION_CACHE_INVALIDATE,
+                                                   0);
+ 
+-      /* hsdes: 1809175790 */
+-      if (!HAS_FLAT_CCS(ce->engine->i915)) {
+-              if (ce->engine->class == VIDEO_DECODE_CLASS)
+-                      cs = gen12_emit_aux_table_inv(ce->engine->gt,
+-                                                    cs, GEN12_VD0_AUX_INV);
+-              else if (ce->engine->class == VIDEO_ENHANCEMENT_CLASS)
+-                      cs = gen12_emit_aux_table_inv(ce->engine->gt,
+-                                                    cs, GEN12_VE0_AUX_INV);
+-      }
+-
+-      return cs;
++      return gen12_emit_aux_table_inv(ce->engine, cs);
+ }
+ 
+ static void
+-- 
+2.40.1
+

diff --git a/queue-6.1/fbdev-radeon-use-pci-aperture-helpers.patch b/queue-6.1/fbdev-radeon-use-pci-aperture-helpers.patch
new file mode 100644 (file)
index 0000000..108c8a6
--- /dev/null
+++ b/queue-6.1/fbdev-radeon-use-pci-aperture-helpers.patch
@@ -0,0 +1,55 @@
+From fdca0999ae5e0674cfa71db0ddf2fbce4599b7a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 16:41:08 +0100
+Subject: fbdev/radeon: use pci aperture helpers
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 9b539c4d1b921bc9c8c578d4d50f0a7e7874d384 ]
+
+It's not exactly the same since the open coded version doesn't set
+primary correctly. But that's a bugfix, so shouldn't hurt really.
+
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: linux-fbdev@vger.kernel.org
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230111154112.90575-7-daniel.vetter@ffwll.ch
+Stable-dep-of: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/aty/radeon_base.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/video/fbdev/aty/radeon_base.c b/drivers/video/fbdev/aty/radeon_base.c
+index 8b28c9bddd974..50c384ce28837 100644
+--- a/drivers/video/fbdev/aty/radeon_base.c
++++ b/drivers/video/fbdev/aty/radeon_base.c
+@@ -2238,14 +2238,6 @@ static const struct bin_attribute edid2_attr = {
+       .read   = radeon_show_edid2,
+ };
+ 
+-static int radeon_kick_out_firmware_fb(struct pci_dev *pdev)
+-{
+-      resource_size_t base = pci_resource_start(pdev, 0);
+-      resource_size_t size = pci_resource_len(pdev, 0);
+-
+-      return aperture_remove_conflicting_devices(base, size, false, KBUILD_MODNAME);
+-}
+-
+ static int radeonfb_pci_register(struct pci_dev *pdev,
+                                const struct pci_device_id *ent)
+ {
+@@ -2296,7 +2288,7 @@ static int radeonfb_pci_register(struct pci_dev *pdev,
+       rinfo->fb_base_phys = pci_resource_start (pdev, 0);
+       rinfo->mmio_base_phys = pci_resource_start (pdev, 2);
+ 
+-      ret = radeon_kick_out_firmware_fb(pdev);
++      ret = aperture_remove_conflicting_pci_devices(pdev, KBUILD_MODNAME);
+       if (ret)
+               goto err_release_fb;
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/i40e-fix-potential-null-pointer-dereferencing-of-pf-.patch b/queue-6.1/i40e-fix-potential-null-pointer-dereferencing-of-pf-.patch
new file mode 100644 (file)
index 0000000..5c7adc3
--- /dev/null
+++ b/queue-6.1/i40e-fix-potential-null-pointer-dereferencing-of-pf-.patch
@@ -0,0 +1,52 @@
+From e5862a56ff9a86eccd3ed7ee6ddfd877f30f4ab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Aug 2023 15:16:53 -0700
+Subject: i40e: fix potential NULL pointer dereferencing of pf->vf
+ i40e_sync_vsi_filters()
+
+From: Andrii Staikov <andrii.staikov@intel.com>
+
+[ Upstream commit 9525a3c38accd2e186f52443e35e633e296cc7f5 ]
+
+Add check for pf->vf not being NULL before dereferencing
+pf->vf[vsi->vf_id] in updating VSI filter sync.
+Add a similar check before dereferencing !pf->vf[vsi->vf_id].trusted
+in the condition for clearing promisc mode bit.
+
+Fixes: c87c938f62d8 ("i40e: Add VF VLAN pruning")
+Signed-off-by: Andrii Staikov <andrii.staikov@intel.com>
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 0e01b1927c1c6..08ccf0024ce1a 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2615,7 +2615,7 @@ int i40e_sync_vsi_filters(struct i40e_vsi *vsi)
+                       retval = i40e_correct_mac_vlan_filters
+                               (vsi, &tmp_add_list, &tmp_del_list,
+                                vlan_filters);
+-              else
++              else if (pf->vf)
+                       retval = i40e_correct_vf_mac_vlan_filters
+                               (vsi, &tmp_add_list, &tmp_del_list,
+                                vlan_filters, pf->vf[vsi->vf_id].trusted);
+@@ -2788,7 +2788,8 @@ int i40e_sync_vsi_filters(struct i40e_vsi *vsi)
+       }
+ 
+       /* if the VF is not trusted do not do promisc */
+-      if ((vsi->type == I40E_VSI_SRIOV) && !pf->vf[vsi->vf_id].trusted) {
++      if (vsi->type == I40E_VSI_SRIOV && pf->vf &&
++          !pf->vf[vsi->vf_id].trusted) {
+               clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+               goto out;
+       }
+-- 
+2.40.1
+

diff --git a/queue-6.1/ice-fix-null-pointer-deref-during-vf-reset.patch b/queue-6.1/ice-fix-null-pointer-deref-during-vf-reset.patch
new file mode 100644 (file)
index 0000000..40d14d4
--- /dev/null
+++ b/queue-6.1/ice-fix-null-pointer-deref-during-vf-reset.patch
@@ -0,0 +1,132 @@
+From d495265b3403abd262446c32b1dcab555f0233ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 10:07:02 +0200
+Subject: ice: Fix NULL pointer deref during VF reset
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 67f6317dfa609846a227a706532439a22828c24b ]
+
+During stress test with attaching and detaching VF from KVM and
+simultaneously changing VFs spoofcheck and trust there was a
+NULL pointer dereference in ice_reset_vf that VF's VSI is null.
+
+More than one instance of ice_reset_vf() can be running at a given
+time. When we rebuild the VSI in ice_reset_vf, another reset can be
+triaged from ice_service_task. In this case we can access the currently
+uninitialized VSI and cause panic. The window for this racing condition
+has been around for a long time but it's much worse after commit
+227bf4500aaa ("ice: move VSI delete outside deconfig") because
+the reset runs faster. ice_reset_vf() using vf->cfg_lock and when
+we move this lock before accessing to the VF VSI, we can fix
+BUG for all cases.
+
+Panic occurs sometimes in ice_vsi_is_rx_queue_active() and sometimes
+in ice_vsi_stop_all_rx_rings()
+
+With our reproducer, we can hit BUG:
+~8h before commit 227bf4500aaa ("ice: move VSI delete outside deconfig").
+~20m after commit 227bf4500aaa ("ice: move VSI delete outside deconfig").
+After this fix we are not able to reproduce it after ~48h
+
+There was commit cf90b74341ee ("ice: Fix call trace with null VSI during
+VF reset") which also tried to fix this issue, but it was only
+partially resolved and the bug still exists.
+
+[ 6420.658415] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 6420.665382] #PF: supervisor read access in kernel mode
+[ 6420.670521] #PF: error_code(0x0000) - not-present page
+[ 6420.675659] PGD 0
+[ 6420.677679] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 6420.682038] CPU: 53 PID: 326472 Comm: kworker/53:0 Kdump: loaded Not tainted 5.14.0-317.el9.x86_64 #1
+[ 6420.691250] Hardware name: Dell Inc. PowerEdge R750/04V528, BIOS 1.6.5 04/15/2022
+[ 6420.698729] Workqueue: ice ice_service_task [ice]
+[ 6420.703462] RIP: 0010:ice_vsi_is_rx_queue_active+0x2d/0x60 [ice]
+[ 6420.705860] ice 0000:ca:00.0: VF 0 is now untrusted
+[ 6420.709494] Code: 00 00 66 83 bf 76 04 00 00 00 48 8b 77 10 74 3e 31 c0 eb 0f 0f b7 97 76 04 00 00 48 83 c0 01 39 c2 7e 2b 48 8b 97 68 04 00 00 <0f> b7 0c 42 48 8b 96 20 13 00 00 48 8d 94 8a 00 00 12 00 8b 12 83
+[ 6420.714426] ice 0000:ca:00.0 ens7f0: Setting MAC 22:22:22:22:22:00 on VF 0. VF driver will be reinitialized
+[ 6420.733120] RSP: 0018:ff778d2ff383fdd8 EFLAGS: 00010246
+[ 6420.733123] RAX: 0000000000000000 RBX: ff2acf1916294000 RCX: 0000000000000000
+[ 6420.733125] RDX: 0000000000000000 RSI: ff2acf1f2c6401a0 RDI: ff2acf1a27301828
+[ 6420.762346] RBP: ff2acf1a27301828 R08: 0000000000000010 R09: 0000000000001000
+[ 6420.769476] R10: ff2acf1916286000 R11: 00000000019eba3f R12: ff2acf19066460d0
+[ 6420.776611] R13: ff2acf1f2c6401a0 R14: ff2acf1f2c6401a0 R15: 00000000ffffffff
+[ 6420.783742] FS:  0000000000000000(0000) GS:ff2acf28ffa80000(0000) knlGS:0000000000000000
+[ 6420.791829] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6420.797575] CR2: 0000000000000000 CR3: 00000016ad410003 CR4: 0000000000773ee0
+[ 6420.804708] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 6420.811034] vfio-pci 0000:ca:01.0: enabling device (0000 -> 0002)
+[ 6420.811840] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 6420.811841] PKRU: 55555554
+[ 6420.811842] Call Trace:
+[ 6420.811843]  <TASK>
+[ 6420.811844]  ice_reset_vf+0x9a/0x450 [ice]
+[ 6420.811876]  ice_process_vflr_event+0x8f/0xc0 [ice]
+[ 6420.841343]  ice_service_task+0x23b/0x600 [ice]
+[ 6420.845884]  ? __schedule+0x212/0x550
+[ 6420.849550]  process_one_work+0x1e2/0x3b0
+[ 6420.853563]  ? rescuer_thread+0x390/0x390
+[ 6420.857577]  worker_thread+0x50/0x3a0
+[ 6420.861242]  ? rescuer_thread+0x390/0x390
+[ 6420.865253]  kthread+0xdd/0x100
+[ 6420.868400]  ? kthread_complete_and_exit+0x20/0x20
+[ 6420.873194]  ret_from_fork+0x1f/0x30
+[ 6420.876774]  </TASK>
+[ 6420.878967] Modules linked in: vfio_pci vfio_pci_core vfio_iommu_type1 vfio iavf vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter nf_tables bridge stp llc sctp ip6_udp_tunnel udp_tunnel nfp tls nfnetlink bluetooth mlx4_en mlx4_core rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill sunrpc intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp irdma kvm_intel i40e kvm iTCO_wdt dcdbas ib_uverbs irqbypass iTCO_vendor_support mgag200 mei_me ib_core dell_smbios isst_if_mmio isst_if_mbox_pci rapl i2c_algo_bit drm_shmem_helper intel_cstate drm_kms_helper syscopyarea sysfillrect isst_if_common sysimgblt intel_uncore fb_sys_fops dell_wmi_descriptor wmi_bmof intel_vsec mei i2c_i801 acpi_ipmi ipmi_si i2c_smbus ipmi_devintf intel_pch_thermal acpi_power_meter pcspk
+ r
+
+Fixes: efe41860008e ("ice: Fix memory corruption in VF driver")
+Fixes: f23df5220d2b ("ice: Fix spurious interrupt during removal of trusted VF")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_vf_lib.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+index 86abbcb480d9d..9dbe6e9bb1f79 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+@@ -569,11 +569,17 @@ int ice_reset_vf(struct ice_vf *vf, u32 flags)
+               return 0;
+       }
+ 
++      if (flags & ICE_VF_RESET_LOCK)
++              mutex_lock(&vf->cfg_lock);
++      else
++              lockdep_assert_held(&vf->cfg_lock);
++
+       if (ice_is_vf_disabled(vf)) {
+               vsi = ice_get_vf_vsi(vf);
+               if (!vsi) {
+                       dev_dbg(dev, "VF is already removed\n");
+-                      return -EINVAL;
++                      err = -EINVAL;
++                      goto out_unlock;
+               }
+               ice_vsi_stop_lan_tx_rings(vsi, ICE_NO_RESET, vf->vf_id);
+ 
+@@ -582,14 +588,9 @@ int ice_reset_vf(struct ice_vf *vf, u32 flags)
+ 
+               dev_dbg(dev, "VF is already disabled, there is no need for resetting it, telling VM, all is fine %d\n",
+                       vf->vf_id);
+-              return 0;
++              goto out_unlock;
+       }
+ 
+-      if (flags & ICE_VF_RESET_LOCK)
+-              mutex_lock(&vf->cfg_lock);
+-      else
+-              lockdep_assert_held(&vf->cfg_lock);
+-
+       /* Set VF disable bit state here, before triggering reset */
+       set_bit(ICE_VF_STATE_DIS, vf->vf_states);
+       ice_trigger_vf_reset(vf, flags & ICE_VF_RESET_VFLR, false);
+-- 
+2.40.1
+

diff --git a/queue-6.1/ice-fix-receive-buffer-size-miscalculation.patch b/queue-6.1/ice-fix-receive-buffer-size-miscalculation.patch
new file mode 100644 (file)
index 0000000..c18ca10
--- /dev/null
+++ b/queue-6.1/ice-fix-receive-buffer-size-miscalculation.patch
@@ -0,0 +1,50 @@
+From d3aa3c6ea3eec8f5eb592584c8d1903b2c022b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Aug 2023 16:51:10 -0700
+Subject: ice: fix receive buffer size miscalculation
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit 10083aef784031fa9f06c19a1b182e6fad5338d9 ]
+
+The driver is misconfiguring the hardware for some values of MTU such that
+it could use multiple descriptors to receive a packet when it could have
+simply used one.
+
+Change the driver to use a round-up instead of the result of a shift, as
+the shift can truncate the lower bits of the size, and result in the
+problem noted above. It also aligns this driver with similar code in i40e.
+
+The insidiousness of this problem is that everything works with the wrong
+size, it's just not working as well as it could, as some MTU sizes end up
+using two or more descriptors, and there is no way to tell that is
+happening without looking at ice_trace or a bus analyzer.
+
+Fixes: efc2214b6047 ("ice: Add support for XDP")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_base.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c
+index e864634d66bc6..818eca6aa4a41 100644
+--- a/drivers/net/ethernet/intel/ice/ice_base.c
++++ b/drivers/net/ethernet/intel/ice/ice_base.c
+@@ -396,7 +396,8 @@ static int ice_setup_rx_ctx(struct ice_rx_ring *ring)
+       /* Receive Packet Data Buffer Size.
+        * The Packet Data Buffer Size is defined in 128 byte units.
+        */
+-      rlan_ctx.dbuf = ring->rx_buf_len >> ICE_RLAN_CTX_DBUF_S;
++      rlan_ctx.dbuf = DIV_ROUND_UP(ring->rx_buf_len,
++                                   BIT_ULL(ICE_RLAN_CTX_DBUF_S));
+ 
+       /* use 32 byte descriptors */
+       rlan_ctx.dsize = 1;
+-- 
+2.40.1
+

diff --git a/queue-6.1/igb-avoid-starting-unnecessary-workqueues.patch b/queue-6.1/igb-avoid-starting-unnecessary-workqueues.patch
new file mode 100644 (file)
index 0000000..1f7320f
--- /dev/null
+++ b/queue-6.1/igb-avoid-starting-unnecessary-workqueues.patch
@@ -0,0 +1,91 @@
+From 86d93555e0ec174e4e13c532b9be69d44ca18f2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Aug 2023 10:19:27 -0700
+Subject: igb: Avoid starting unnecessary workqueues
+
+From: Alessio Igor Bogani <alessio.bogani@elettra.eu>
+
+[ Upstream commit b888c510f7b3d64ca75fc0f43b4a4bd1a611312f ]
+
+If ptp_clock_register() fails or CONFIG_PTP isn't enabled, avoid starting
+PTP related workqueues.
+
+In this way we can fix this:
+ BUG: unable to handle page fault for address: ffffc9000440b6f8
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 100000067 P4D 100000067 PUD 1001e0067 PMD 107dc5067 PTE 0
+ Oops: 0000 [#1] PREEMPT SMP
+ [...]
+ Workqueue: events igb_ptp_overflow_check
+ RIP: 0010:igb_rd32+0x1f/0x60
+ [...]
+ Call Trace:
+  igb_ptp_read_82580+0x20/0x50
+  timecounter_read+0x15/0x60
+  igb_ptp_overflow_check+0x1a/0x50
+  process_one_work+0x1cb/0x3c0
+  worker_thread+0x53/0x3f0
+  ? rescuer_thread+0x370/0x370
+  kthread+0x142/0x160
+  ? kthread_associate_blkcg+0xc0/0xc0
+  ret_from_fork+0x1f/0x30
+
+Fixes: 1f6e8178d685 ("igb: Prevent dropped Tx timestamps via work items and interrupts.")
+Fixes: d339b1331616 ("igb: add PTP Hardware Clock code")
+Signed-off-by: Alessio Igor Bogani <alessio.bogani@elettra.eu>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230821171927.2203644-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ptp.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c
+index 15e57460e19ea..07171e574e7d7 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ptp.c
++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c
+@@ -1404,18 +1404,6 @@ void igb_ptp_init(struct igb_adapter *adapter)
+               return;
+       }
+ 
+-      spin_lock_init(&adapter->tmreg_lock);
+-      INIT_WORK(&adapter->ptp_tx_work, igb_ptp_tx_work);
+-
+-      if (adapter->ptp_flags & IGB_PTP_OVERFLOW_CHECK)
+-              INIT_DELAYED_WORK(&adapter->ptp_overflow_work,
+-                                igb_ptp_overflow_check);
+-
+-      adapter->tstamp_config.rx_filter = HWTSTAMP_FILTER_NONE;
+-      adapter->tstamp_config.tx_type = HWTSTAMP_TX_OFF;
+-
+-      igb_ptp_reset(adapter);
+-
+       adapter->ptp_clock = ptp_clock_register(&adapter->ptp_caps,
+                                               &adapter->pdev->dev);
+       if (IS_ERR(adapter->ptp_clock)) {
+@@ -1425,6 +1413,18 @@ void igb_ptp_init(struct igb_adapter *adapter)
+               dev_info(&adapter->pdev->dev, "added PHC on %s\n",
+                        adapter->netdev->name);
+               adapter->ptp_flags |= IGB_PTP_ENABLED;
++
++              spin_lock_init(&adapter->tmreg_lock);
++              INIT_WORK(&adapter->ptp_tx_work, igb_ptp_tx_work);
++
++              if (adapter->ptp_flags & IGB_PTP_OVERFLOW_CHECK)
++                      INIT_DELAYED_WORK(&adapter->ptp_overflow_work,
++                                        igb_ptp_overflow_check);
++
++              adapter->tstamp_config.rx_filter = HWTSTAMP_FILTER_NONE;
++              adapter->tstamp_config.tx_type = HWTSTAMP_TX_OFF;
++
++              igb_ptp_reset(adapter);
+       }
+ }
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/igc-fix-the-typo-in-the-ptm-control-macro.patch b/queue-6.1/igc-fix-the-typo-in-the-ptm-control-macro.patch
new file mode 100644 (file)
index 0000000..f385f1c
--- /dev/null
+++ b/queue-6.1/igc-fix-the-typo-in-the-ptm-control-macro.patch
@@ -0,0 +1,43 @@
+From 72a585e93a19b99f3a82128ee68c6432f578a2c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Aug 2023 10:17:21 -0700
+Subject: igc: Fix the typo in the PTM Control macro
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit de43975721b97283d5f17eea4228faddf08f2681 ]
+
+The IGC_PTM_CTRL_SHRT_CYC defines the time between two consecutive PTM
+requests. The bit resolution of this field is six bits. That bit five was
+missing in the mask. This patch comes to correct the typo in the
+IGC_PTM_CTRL_SHRT_CYC macro.
+
+Fixes: a90ec8483732 ("igc: Add support for PTP getcrosststamp()")
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Link: https://lore.kernel.org/r/20230821171721.2203572-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_defines.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h
+index dbfa4b9dee066..90ca01889cd82 100644
+--- a/drivers/net/ethernet/intel/igc/igc_defines.h
++++ b/drivers/net/ethernet/intel/igc/igc_defines.h
+@@ -536,7 +536,7 @@
+ #define IGC_PTM_CTRL_START_NOW        BIT(29) /* Start PTM Now */
+ #define IGC_PTM_CTRL_EN               BIT(30) /* Enable PTM */
+ #define IGC_PTM_CTRL_TRIG     BIT(31) /* PTM Cycle trigger */
+-#define IGC_PTM_CTRL_SHRT_CYC(usec)   (((usec) & 0x2f) << 2)
++#define IGC_PTM_CTRL_SHRT_CYC(usec)   (((usec) & 0x3f) << 2)
+ #define IGC_PTM_CTRL_PTM_TO(usec)     (((usec) & 0xff) << 8)
+ 
+ #define IGC_PTM_SHORT_CYC_DEFAULT     10  /* Default Short/interrupted cycle interval */
+-- 
+2.40.1
+

diff --git a/queue-6.1/ipv4-fix-data-races-around-inet-inet_id.patch b/queue-6.1/ipv4-fix-data-races-around-inet-inet_id.patch
new file mode 100644 (file)
index 0000000..cac788b
--- /dev/null
+++ b/queue-6.1/ipv4-fix-data-races-around-inet-inet_id.patch
@@ -0,0 +1,228 @@
+From 9f756921aaab9dad37c3961de18527c004b4a518 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Aug 2023 03:17:07 +0000
+Subject: ipv4: fix data-races around inet->inet_id
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f866fbc842de5976e41ba874b76ce31710b634b5 ]
+
+UDP sendmsg() is lockless, so ip_select_ident_segs()
+can very well be run from multiple cpus [1]
+
+Convert inet->inet_id to an atomic_t, but implement
+a dedicated path for TCP, avoiding cost of a locked
+instruction (atomic_add_return())
+
+Note that this patch will cause a trivial merge conflict
+because we added inet->flags in net-next tree.
+
+v2: added missing change in
+drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
+(David Ahern)
+
+[1]
+
+BUG: KCSAN: data-race in __ip_make_skb / __ip_make_skb
+
+read-write to 0xffff888145af952a of 2 bytes by task 7803 on cpu 1:
+ip_select_ident_segs include/net/ip.h:542 [inline]
+ip_select_ident include/net/ip.h:556 [inline]
+__ip_make_skb+0x844/0xc70 net/ipv4/ip_output.c:1446
+ip_make_skb+0x233/0x2c0 net/ipv4/ip_output.c:1560
+udp_sendmsg+0x1199/0x1250 net/ipv4/udp.c:1260
+inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:830
+sock_sendmsg_nosec net/socket.c:725 [inline]
+sock_sendmsg net/socket.c:748 [inline]
+____sys_sendmsg+0x37c/0x4d0 net/socket.c:2494
+___sys_sendmsg net/socket.c:2548 [inline]
+__sys_sendmmsg+0x269/0x500 net/socket.c:2634
+__do_sys_sendmmsg net/socket.c:2663 [inline]
+__se_sys_sendmmsg net/socket.c:2660 [inline]
+__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2660
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffff888145af952a of 2 bytes by task 7804 on cpu 0:
+ip_select_ident_segs include/net/ip.h:541 [inline]
+ip_select_ident include/net/ip.h:556 [inline]
+__ip_make_skb+0x817/0xc70 net/ipv4/ip_output.c:1446
+ip_make_skb+0x233/0x2c0 net/ipv4/ip_output.c:1560
+udp_sendmsg+0x1199/0x1250 net/ipv4/udp.c:1260
+inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:830
+sock_sendmsg_nosec net/socket.c:725 [inline]
+sock_sendmsg net/socket.c:748 [inline]
+____sys_sendmsg+0x37c/0x4d0 net/socket.c:2494
+___sys_sendmsg net/socket.c:2548 [inline]
+__sys_sendmmsg+0x269/0x500 net/socket.c:2634
+__do_sys_sendmmsg net/socket.c:2663 [inline]
+__se_sys_sendmmsg net/socket.c:2660 [inline]
+__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2660
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x184d -> 0x184e
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 7804 Comm: syz-executor.1 Not tainted 6.5.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+==================================================================
+
+Fixes: 23f57406b82d ("ipv4: avoid using shared IP generator for connected sockets")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../chelsio/inline_crypto/chtls/chtls_cm.c        |  2 +-
+ include/net/inet_sock.h                           |  2 +-
+ include/net/ip.h                                  | 15 +++++++++++++--
+ net/dccp/ipv4.c                                   |  4 ++--
+ net/ipv4/af_inet.c                                |  2 +-
+ net/ipv4/datagram.c                               |  2 +-
+ net/ipv4/tcp_ipv4.c                               |  4 ++--
+ net/sctp/socket.c                                 |  2 +-
+ 8 files changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
+index c2e7037c7ba1c..7750702900fa6 100644
+--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
++++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
+@@ -1466,7 +1466,7 @@ static void make_established(struct sock *sk, u32 snd_isn, unsigned int opt)
+       tp->write_seq = snd_isn;
+       tp->snd_nxt = snd_isn;
+       tp->snd_una = snd_isn;
+-      inet_sk(sk)->inet_id = get_random_u16();
++      atomic_set(&inet_sk(sk)->inet_id, get_random_u16());
+       assign_rxopt(sk, opt);
+ 
+       if (tp->rcv_wnd > (RCV_BUFSIZ_M << 10))
+diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
+index c8ef3b881f03d..c2432c2addc82 100644
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -222,8 +222,8 @@ struct inet_sock {
+       __s16                   uc_ttl;
+       __u16                   cmsg_flags;
+       struct ip_options_rcu __rcu     *inet_opt;
++      atomic_t                inet_id;
+       __be16                  inet_sport;
+-      __u16                   inet_id;
+ 
+       __u8                    tos;
+       __u8                    min_ttl;
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 530e7257e4389..1872f570abeda 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -532,8 +532,19 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
+        * generator as much as we can.
+        */
+       if (sk && inet_sk(sk)->inet_daddr) {
+-              iph->id = htons(inet_sk(sk)->inet_id);
+-              inet_sk(sk)->inet_id += segs;
++              int val;
++
++              /* avoid atomic operations for TCP,
++               * as we hold socket lock at this point.
++               */
++              if (sk_is_tcp(sk)) {
++                      sock_owned_by_me(sk);
++                      val = atomic_read(&inet_sk(sk)->inet_id);
++                      atomic_set(&inet_sk(sk)->inet_id, val + segs);
++              } else {
++                      val = atomic_add_return(segs, &inet_sk(sk)->inet_id);
++              }
++              iph->id = htons(val);
+               return;
+       }
+       if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) {
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index b780827f5e0a5..bfececa9e244e 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -130,7 +130,7 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+                                                   inet->inet_daddr,
+                                                   inet->inet_sport,
+                                                   inet->inet_dport);
+-      inet->inet_id = get_random_u16();
++      atomic_set(&inet->inet_id, get_random_u16());
+ 
+       err = dccp_connect(sk);
+       rt = NULL;
+@@ -430,7 +430,7 @@ struct sock *dccp_v4_request_recv_sock(const struct sock *sk,
+       RCU_INIT_POINTER(newinet->inet_opt, rcu_dereference(ireq->ireq_opt));
+       newinet->mc_index  = inet_iif(skb);
+       newinet->mc_ttl    = ip_hdr(skb)->ttl;
+-      newinet->inet_id   = get_random_u16();
++      atomic_set(&newinet->inet_id, get_random_u16());
+ 
+       if (dst == NULL && (dst = inet_csk_route_child_sock(sk, newsk, req)) == NULL)
+               goto put_and_exit;
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index ebb737ac9e894..04853c83c85c4 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -340,7 +340,7 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
+       else
+               inet->pmtudisc = IP_PMTUDISC_WANT;
+ 
+-      inet->inet_id = 0;
++      atomic_set(&inet->inet_id, 0);
+ 
+       sock_init_data(sock, sk);
+ 
+diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
+index 4d1af0cd7d99e..cb5dbee9e018f 100644
+--- a/net/ipv4/datagram.c
++++ b/net/ipv4/datagram.c
+@@ -73,7 +73,7 @@ int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
+       reuseport_has_conns_set(sk);
+       sk->sk_state = TCP_ESTABLISHED;
+       sk_set_txhash(sk);
+-      inet->inet_id = get_random_u16();
++      atomic_set(&inet->inet_id, get_random_u16());
+ 
+       sk_dst_set(sk, &rt->dst);
+       err = 0;
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 08921b96f9728..f9b8a4a1d2edc 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -312,7 +312,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+                                            inet->inet_daddr));
+       }
+ 
+-      inet->inet_id = get_random_u16();
++      atomic_set(&inet->inet_id, get_random_u16());
+ 
+       if (tcp_fastopen_defer_connect(sk, &err))
+               return err;
+@@ -1539,7 +1539,7 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
+       inet_csk(newsk)->icsk_ext_hdr_len = 0;
+       if (inet_opt)
+               inet_csk(newsk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
+-      newinet->inet_id = get_random_u16();
++      atomic_set(&newinet->inet_id, get_random_u16());
+ 
+       /* Set ToS of the new socket based upon the value of incoming SYN.
+        * ECT bits are set later in tcp_init_transfer().
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 83656fe03a0e6..a11b0d903514c 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -9472,7 +9472,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
+       newinet->inet_rcv_saddr = inet->inet_rcv_saddr;
+       newinet->inet_dport = htons(asoc->peer.port);
+       newinet->pmtudisc = inet->pmtudisc;
+-      newinet->inet_id = get_random_u16();
++      atomic_set(&newinet->inet_id, get_random_u16());
+ 
+       newinet->uc_ttl = inet->uc_ttl;
+       newinet->mc_loop = 1;
+-- 
+2.40.1
+

diff --git a/queue-6.1/ipvlan-fix-a-reference-count-leak-warning-in-ipvlan_.patch b/queue-6.1/ipvlan-fix-a-reference-count-leak-warning-in-ipvlan_.patch
new file mode 100644 (file)
index 0000000..8126676
--- /dev/null
+++ b/queue-6.1/ipvlan-fix-a-reference-count-leak-warning-in-ipvlan_.patch
@@ -0,0 +1,90 @@
+From 34ff5f66851810db6ecb429a46a5c0d85dc4a05f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 22:54:49 +0800
+Subject: ipvlan: Fix a reference count leak warning in ipvlan_ns_exit()
+
+From: Lu Wei <luwei32@huawei.com>
+
+[ Upstream commit 043d5f68d0ccdda91029b4b6dce7eeffdcfad281 ]
+
+There are two network devices(veth1 and veth3) in ns1, and ipvlan1 with
+L3S mode and ipvlan2 with L2 mode are created based on them as
+figure (1). In this case, ipvlan_register_nf_hook() will be called to
+register nf hook which is needed by ipvlans in L3S mode in ns1 and value
+of ipvl_nf_hook_refcnt is set to 1.
+
+(1)
+           ns1                           ns2
+      ------------                  ------------
+
+   veth1--ipvlan1 (L3S)
+
+   veth3--ipvlan2 (L2)
+
+(2)
+           ns1                           ns2
+      ------------                  ------------
+
+   veth1--ipvlan1 (L3S)
+
+         ipvlan2 (L2)                  veth3
+     |                                  |
+     |------->-------->--------->--------
+                    migrate
+
+When veth3 migrates from ns1 to ns2 as figure (2), veth3 will register in
+ns2 and calls call_netdevice_notifiers with NETDEV_REGISTER event:
+
+dev_change_net_namespace
+    call_netdevice_notifiers
+        ipvlan_device_event
+            ipvlan_migrate_l3s_hook
+                ipvlan_register_nf_hook(newnet)      (I)
+                ipvlan_unregister_nf_hook(oldnet)    (II)
+
+In function ipvlan_migrate_l3s_hook(), ipvl_nf_hook_refcnt in ns1 is not 0
+since veth1 with ipvlan1 still in ns1, (I) and (II) will be called to
+register nf_hook in ns2 and unregister nf_hook in ns1. As a result,
+ipvl_nf_hook_refcnt in ns1 is decreased incorrectly and this in ns2
+is increased incorrectly. When the second net namespace is removed, a
+reference count leak warning in ipvlan_ns_exit() will be triggered.
+
+This patch add a check before ipvlan_migrate_l3s_hook() is called. The
+warning can be triggered as follows:
+
+$ ip netns add ns1
+$ ip netns add ns2
+$ ip netns exec ns1 ip link add veth1 type veth peer name veth2
+$ ip netns exec ns1 ip link add veth3 type veth peer name veth4
+$ ip netns exec ns1 ip link add ipv1 link veth1 type ipvlan mode l3s
+$ ip netns exec ns1 ip link add ipv2 link veth3 type ipvlan mode l2
+$ ip netns exec ns1 ip link set veth3 netns ns2
+$ ip net del ns2
+
+Fixes: 3133822f5ac1 ("ipvlan: use pernet operations and restrict l3s hooks to master netns")
+Signed-off-by: Lu Wei <luwei32@huawei.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20230817145449.141827-1-luwei32@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 796a38f9d7b24..cd16bc8bf154c 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -748,7 +748,8 @@ static int ipvlan_device_event(struct notifier_block *unused,
+ 
+               write_pnet(&port->pnet, newnet);
+ 
+-              ipvlan_migrate_l3s_hook(oldnet, newnet);
++              if (port->mode == IPVLAN_MODE_L3S)
++                      ipvlan_migrate_l3s_hook(oldnet, newnet);
+               break;
+       }
+       case NETDEV_UNREGISTER:
+-- 
+2.40.1
+

diff --git a/queue-6.1/jbd2-fix-a-race-when-checking-checkpoint-buffer-busy.patch b/queue-6.1/jbd2-fix-a-race-when-checking-checkpoint-buffer-busy.patch
new file mode 100644 (file)
index 0000000..9da8aa6
--- /dev/null
+++ b/queue-6.1/jbd2-fix-a-race-when-checking-checkpoint-buffer-busy.patch
@@ -0,0 +1,150 @@
+From 3482e181ecd3c8a57f327740cccbbbcddcab70a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jun 2023 21:59:27 +0800
+Subject: jbd2: fix a race when checking checkpoint buffer busy
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 46f881b5b1758dc4a35fba4a643c10717d0cf427 ]
+
+Before removing checkpoint buffer from the t_checkpoint_list, we have to
+check both BH_Dirty and BH_Lock bits together to distinguish buffers
+have not been or were being written back. But __cp_buffer_busy() checks
+them separately, it first check lock state and then check dirty, the
+window between these two checks could be raced by writing back
+procedure, which locks buffer and clears buffer dirty before I/O
+completes. So it cannot guarantee checkpointing buffers been written
+back to disk if some error happens later. Finally, it may clean
+checkpoint transactions and lead to inconsistent filesystem.
+
+jbd2_journal_forget() and __journal_try_to_free_buffer() also have the
+same problem (journal_unmap_buffer() escape from this issue since it's
+running under the buffer lock), so fix them through introducing a new
+helper to try holding the buffer lock and remove really clean buffer.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217490
+Cc: stable@vger.kernel.org
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230606135928.434610-6-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/checkpoint.c  | 38 +++++++++++++++++++++++++++++++++++---
+ fs/jbd2/transaction.c | 17 +++++------------
+ include/linux/jbd2.h  |  1 +
+ 3 files changed, 41 insertions(+), 15 deletions(-)
+
+diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c
+index 42b34cab64fbd..9ec91017a7f3c 100644
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -376,11 +376,15 @@ static unsigned long journal_shrink_one_cp_list(struct journal_head *jh,
+               jh = next_jh;
+               next_jh = jh->b_cpnext;
+ 
+-              if (!destroy && __cp_buffer_busy(jh))
+-                      continue;
++              if (destroy) {
++                      ret = __jbd2_journal_remove_checkpoint(jh);
++              } else {
++                      ret = jbd2_journal_try_remove_checkpoint(jh);
++                      if (ret < 0)
++                              continue;
++              }
+ 
+               nr_freed++;
+-              ret = __jbd2_journal_remove_checkpoint(jh);
+               if (ret) {
+                       *released = true;
+                       break;
+@@ -616,6 +620,34 @@ int __jbd2_journal_remove_checkpoint(struct journal_head *jh)
+       return 1;
+ }
+ 
++/*
++ * Check the checkpoint buffer and try to remove it from the checkpoint
++ * list if it's clean. Returns -EBUSY if it is not clean, returns 1 if
++ * it frees the transaction, 0 otherwise.
++ *
++ * This function is called with j_list_lock held.
++ */
++int jbd2_journal_try_remove_checkpoint(struct journal_head *jh)
++{
++      struct buffer_head *bh = jh2bh(jh);
++
++      if (!trylock_buffer(bh))
++              return -EBUSY;
++      if (buffer_dirty(bh)) {
++              unlock_buffer(bh);
++              return -EBUSY;
++      }
++      unlock_buffer(bh);
++
++      /*
++       * Buffer is clean and the IO has finished (we held the buffer
++       * lock) so the checkpoint is done. We can safely remove the
++       * buffer from this transaction.
++       */
++      JBUFFER_TRACE(jh, "remove from checkpoint list");
++      return __jbd2_journal_remove_checkpoint(jh);
++}
++
+ /*
+  * journal_insert_checkpoint: put a committed buffer onto a checkpoint
+  * list so that we know when it is safe to clean the transaction out of
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index 18611241f4513..6ef5022949c46 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1784,8 +1784,7 @@ int jbd2_journal_forget(handle_t *handle, struct buffer_head *bh)
+                * Otherwise, if the buffer has been written to disk,
+                * it is safe to remove the checkpoint and drop it.
+                */
+-              if (!buffer_dirty(bh)) {
+-                      __jbd2_journal_remove_checkpoint(jh);
++              if (jbd2_journal_try_remove_checkpoint(jh) >= 0) {
+                       spin_unlock(&journal->j_list_lock);
+                       goto drop;
+               }
+@@ -2112,20 +2111,14 @@ __journal_try_to_free_buffer(journal_t *journal, struct buffer_head *bh)
+ 
+       jh = bh2jh(bh);
+ 
+-      if (buffer_locked(bh) || buffer_dirty(bh))
+-              goto out;
+-
+       if (jh->b_next_transaction != NULL || jh->b_transaction != NULL)
+-              goto out;
++              return;
+ 
+       spin_lock(&journal->j_list_lock);
+-      if (jh->b_cp_transaction != NULL) {
+-              /* written-back checkpointed metadata buffer */
+-              JBUFFER_TRACE(jh, "remove from checkpoint list");
+-              __jbd2_journal_remove_checkpoint(jh);
+-      }
++      /* Remove written-back checkpointed metadata buffer */
++      if (jh->b_cp_transaction != NULL)
++              jbd2_journal_try_remove_checkpoint(jh);
+       spin_unlock(&journal->j_list_lock);
+-out:
+       return;
+ }
+ 
+diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
+index 67912fe08fbbd..ebb1608d9dcd2 100644
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -1435,6 +1435,7 @@ extern void jbd2_journal_commit_transaction(journal_t *);
+ void __jbd2_journal_clean_checkpoint_list(journal_t *journal, bool destroy);
+ unsigned long jbd2_journal_shrink_checkpoint_list(journal_t *journal, unsigned long *nr_to_scan);
+ int __jbd2_journal_remove_checkpoint(struct journal_head *);
++int jbd2_journal_try_remove_checkpoint(struct journal_head *jh);
+ void jbd2_journal_destroy_checkpoint(journal_t *journal);
+ void __jbd2_journal_insert_checkpoint(struct journal_head *, transaction_t *);
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/jbd2-remove-journal_clean_one_cp_list.patch b/queue-6.1/jbd2-remove-journal_clean_one_cp_list.patch
new file mode 100644 (file)
index 0000000..7a8d506
--- /dev/null
+++ b/queue-6.1/jbd2-remove-journal_clean_one_cp_list.patch
@@ -0,0 +1,235 @@
+From 0364e932b0946dd98e9ca0463476bafc9ef9ef97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jun 2023 21:59:25 +0800
+Subject: jbd2: remove journal_clean_one_cp_list()
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit b98dba273a0e47dbfade89c9af73c5b012a4eabb ]
+
+journal_clean_one_cp_list() and journal_shrink_one_cp_list() are almost
+the same, so merge them into journal_shrink_one_cp_list(), remove the
+nr_to_scan parameter, always scan and try to free the whole checkpoint
+list.
+
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230606135928.434610-4-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 46f881b5b175 ("jbd2: fix a race when checking checkpoint buffer busy")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/checkpoint.c        | 75 +++++++++----------------------------
+ include/trace/events/jbd2.h | 12 ++----
+ 2 files changed, 21 insertions(+), 66 deletions(-)
+
+diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c
+index 723b4eb112828..42b34cab64fbd 100644
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -349,50 +349,10 @@ int jbd2_cleanup_journal_tail(journal_t *journal)
+ 
+ /* Checkpoint list management */
+ 
+-/*
+- * journal_clean_one_cp_list
+- *
+- * Find all the written-back checkpoint buffers in the given list and
+- * release them. If 'destroy' is set, clean all buffers unconditionally.
+- *
+- * Called with j_list_lock held.
+- * Returns 1 if we freed the transaction, 0 otherwise.
+- */
+-static int journal_clean_one_cp_list(struct journal_head *jh, bool destroy)
+-{
+-      struct journal_head *last_jh;
+-      struct journal_head *next_jh = jh;
+-
+-      if (!jh)
+-              return 0;
+-
+-      last_jh = jh->b_cpprev;
+-      do {
+-              jh = next_jh;
+-              next_jh = jh->b_cpnext;
+-
+-              if (!destroy && __cp_buffer_busy(jh))
+-                      return 0;
+-
+-              if (__jbd2_journal_remove_checkpoint(jh))
+-                      return 1;
+-              /*
+-               * This function only frees up some memory
+-               * if possible so we dont have an obligation
+-               * to finish processing. Bail out if preemption
+-               * requested:
+-               */
+-              if (need_resched())
+-                      return 0;
+-      } while (jh != last_jh);
+-
+-      return 0;
+-}
+-
+ /*
+  * journal_shrink_one_cp_list
+  *
+- * Find 'nr_to_scan' written-back checkpoint buffers in the given list
++ * Find all the written-back checkpoint buffers in the given list
+  * and try to release them. If the whole transaction is released, set
+  * the 'released' parameter. Return the number of released checkpointed
+  * buffers.
+@@ -400,15 +360,15 @@ static int journal_clean_one_cp_list(struct journal_head *jh, bool destroy)
+  * Called with j_list_lock held.
+  */
+ static unsigned long journal_shrink_one_cp_list(struct journal_head *jh,
+-                                              unsigned long *nr_to_scan,
+-                                              bool *released)
++                                              bool destroy, bool *released)
+ {
+       struct journal_head *last_jh;
+       struct journal_head *next_jh = jh;
+       unsigned long nr_freed = 0;
+       int ret;
+ 
+-      if (!jh || *nr_to_scan == 0)
++      *released = false;
++      if (!jh)
+               return 0;
+ 
+       last_jh = jh->b_cpprev;
+@@ -416,8 +376,7 @@ static unsigned long journal_shrink_one_cp_list(struct journal_head *jh,
+               jh = next_jh;
+               next_jh = jh->b_cpnext;
+ 
+-              (*nr_to_scan)--;
+-              if (__cp_buffer_busy(jh))
++              if (!destroy && __cp_buffer_busy(jh))
+                       continue;
+ 
+               nr_freed++;
+@@ -429,7 +388,7 @@ static unsigned long journal_shrink_one_cp_list(struct journal_head *jh,
+ 
+               if (need_resched())
+                       break;
+-      } while (jh != last_jh && *nr_to_scan);
++      } while (jh != last_jh);
+ 
+       return nr_freed;
+ }
+@@ -447,11 +406,11 @@ unsigned long jbd2_journal_shrink_checkpoint_list(journal_t *journal,
+                                                 unsigned long *nr_to_scan)
+ {
+       transaction_t *transaction, *last_transaction, *next_transaction;
+-      bool released;
++      bool __maybe_unused released;
+       tid_t first_tid = 0, last_tid = 0, next_tid = 0;
+       tid_t tid = 0;
+       unsigned long nr_freed = 0;
+-      unsigned long nr_scanned = *nr_to_scan;
++      unsigned long freed;
+ 
+ again:
+       spin_lock(&journal->j_list_lock);
+@@ -480,10 +439,11 @@ unsigned long jbd2_journal_shrink_checkpoint_list(journal_t *journal,
+               transaction = next_transaction;
+               next_transaction = transaction->t_cpnext;
+               tid = transaction->t_tid;
+-              released = false;
+ 
+-              nr_freed += journal_shrink_one_cp_list(transaction->t_checkpoint_list,
+-                                                     nr_to_scan, &released);
++              freed = journal_shrink_one_cp_list(transaction->t_checkpoint_list,
++                                                 false, &released);
++              nr_freed += freed;
++              (*nr_to_scan) -= min(*nr_to_scan, freed);
+               if (*nr_to_scan == 0)
+                       break;
+               if (need_resched() || spin_needbreak(&journal->j_list_lock))
+@@ -504,9 +464,8 @@ unsigned long jbd2_journal_shrink_checkpoint_list(journal_t *journal,
+       if (*nr_to_scan && next_tid)
+               goto again;
+ out:
+-      nr_scanned -= *nr_to_scan;
+       trace_jbd2_shrink_checkpoint_list(journal, first_tid, tid, last_tid,
+-                                        nr_freed, nr_scanned, next_tid);
++                                        nr_freed, next_tid);
+ 
+       return nr_freed;
+ }
+@@ -522,7 +481,7 @@ unsigned long jbd2_journal_shrink_checkpoint_list(journal_t *journal,
+ void __jbd2_journal_clean_checkpoint_list(journal_t *journal, bool destroy)
+ {
+       transaction_t *transaction, *last_transaction, *next_transaction;
+-      int ret;
++      bool released;
+ 
+       transaction = journal->j_checkpoint_transactions;
+       if (!transaction)
+@@ -533,8 +492,8 @@ void __jbd2_journal_clean_checkpoint_list(journal_t *journal, bool destroy)
+       do {
+               transaction = next_transaction;
+               next_transaction = transaction->t_cpnext;
+-              ret = journal_clean_one_cp_list(transaction->t_checkpoint_list,
+-                                              destroy);
++              journal_shrink_one_cp_list(transaction->t_checkpoint_list,
++                                         destroy, &released);
+               /*
+                * This function only frees up some memory if possible so we
+                * dont have an obligation to finish processing. Bail out if
+@@ -547,7 +506,7 @@ void __jbd2_journal_clean_checkpoint_list(journal_t *journal, bool destroy)
+                * avoids pointless scanning of transactions which still
+                * weren't checkpointed.
+                */
+-              if (!ret)
++              if (!released)
+                       return;
+       } while (transaction != last_transaction);
+ }
+diff --git a/include/trace/events/jbd2.h b/include/trace/events/jbd2.h
+index 8f5ee380d3093..5646ae15a957a 100644
+--- a/include/trace/events/jbd2.h
++++ b/include/trace/events/jbd2.h
+@@ -462,11 +462,9 @@ TRACE_EVENT(jbd2_shrink_scan_exit,
+ TRACE_EVENT(jbd2_shrink_checkpoint_list,
+ 
+       TP_PROTO(journal_t *journal, tid_t first_tid, tid_t tid, tid_t last_tid,
+-               unsigned long nr_freed, unsigned long nr_scanned,
+-               tid_t next_tid),
++               unsigned long nr_freed, tid_t next_tid),
+ 
+-      TP_ARGS(journal, first_tid, tid, last_tid, nr_freed,
+-              nr_scanned, next_tid),
++      TP_ARGS(journal, first_tid, tid, last_tid, nr_freed, next_tid),
+ 
+       TP_STRUCT__entry(
+               __field(dev_t, dev)
+@@ -474,7 +472,6 @@ TRACE_EVENT(jbd2_shrink_checkpoint_list,
+               __field(tid_t, tid)
+               __field(tid_t, last_tid)
+               __field(unsigned long, nr_freed)
+-              __field(unsigned long, nr_scanned)
+               __field(tid_t, next_tid)
+       ),
+ 
+@@ -484,15 +481,14 @@ TRACE_EVENT(jbd2_shrink_checkpoint_list,
+               __entry->tid            = tid;
+               __entry->last_tid       = last_tid;
+               __entry->nr_freed       = nr_freed;
+-              __entry->nr_scanned     = nr_scanned;
+               __entry->next_tid       = next_tid;
+       ),
+ 
+       TP_printk("dev %d,%d shrink transaction %u-%u(%u) freed %lu "
+-                "scanned %lu next transaction %u",
++                "next transaction %u",
+                 MAJOR(__entry->dev), MINOR(__entry->dev),
+                 __entry->first_tid, __entry->tid, __entry->last_tid,
+-                __entry->nr_freed, __entry->nr_scanned, __entry->next_tid)
++                __entry->nr_freed, __entry->next_tid)
+ );
+ 
+ #endif /* _TRACE_JBD2_H */
+-- 
+2.40.1
+

diff --git a/queue-6.1/jbd2-remove-t_checkpoint_io_list.patch b/queue-6.1/jbd2-remove-t_checkpoint_io_list.patch
new file mode 100644 (file)
index 0000000..84ff7ce
--- /dev/null
+++ b/queue-6.1/jbd2-remove-t_checkpoint_io_list.patch
@@ -0,0 +1,146 @@
+From 17f200a7a81b6905d55a8ec01813f6479fae789e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jun 2023 21:59:24 +0800
+Subject: jbd2: remove t_checkpoint_io_list
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit be22255360f80d3af789daad00025171a65424a5 ]
+
+Since t_checkpoint_io_list was stop using in jbd2_log_do_checkpoint()
+now, it's time to remove the whole t_checkpoint_io_list logic.
+
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230606135928.434610-3-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 46f881b5b175 ("jbd2: fix a race when checking checkpoint buffer busy")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/checkpoint.c | 42 ++----------------------------------------
+ fs/jbd2/commit.c     |  3 +--
+ include/linux/jbd2.h |  6 ------
+ 3 files changed, 3 insertions(+), 48 deletions(-)
+
+diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c
+index c4e0da6db7195..723b4eb112828 100644
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -27,7 +27,7 @@
+  *
+  * Called with j_list_lock held.
+  */
+-static inline void __buffer_unlink_first(struct journal_head *jh)
++static inline void __buffer_unlink(struct journal_head *jh)
+ {
+       transaction_t *transaction = jh->b_cp_transaction;
+ 
+@@ -40,23 +40,6 @@ static inline void __buffer_unlink_first(struct journal_head *jh)
+       }
+ }
+ 
+-/*
+- * Unlink a buffer from a transaction checkpoint(io) list.
+- *
+- * Called with j_list_lock held.
+- */
+-static inline void __buffer_unlink(struct journal_head *jh)
+-{
+-      transaction_t *transaction = jh->b_cp_transaction;
+-
+-      __buffer_unlink_first(jh);
+-      if (transaction->t_checkpoint_io_list == jh) {
+-              transaction->t_checkpoint_io_list = jh->b_cpnext;
+-              if (transaction->t_checkpoint_io_list == jh)
+-                      transaction->t_checkpoint_io_list = NULL;
+-      }
+-}
+-
+ /*
+  * Check a checkpoint buffer could be release or not.
+  *
+@@ -505,15 +488,6 @@ unsigned long jbd2_journal_shrink_checkpoint_list(journal_t *journal,
+                       break;
+               if (need_resched() || spin_needbreak(&journal->j_list_lock))
+                       break;
+-              if (released)
+-                      continue;
+-
+-              nr_freed += journal_shrink_one_cp_list(transaction->t_checkpoint_io_list,
+-                                                     nr_to_scan, &released);
+-              if (*nr_to_scan == 0)
+-                      break;
+-              if (need_resched() || spin_needbreak(&journal->j_list_lock))
+-                      break;
+       } while (transaction != last_transaction);
+ 
+       if (transaction != last_transaction) {
+@@ -568,17 +542,6 @@ void __jbd2_journal_clean_checkpoint_list(journal_t *journal, bool destroy)
+                */
+               if (need_resched())
+                       return;
+-              if (ret)
+-                      continue;
+-              /*
+-               * It is essential that we are as careful as in the case of
+-               * t_checkpoint_list with removing the buffer from the list as
+-               * we can possibly see not yet submitted buffers on io_list
+-               */
+-              ret = journal_clean_one_cp_list(transaction->
+-                              t_checkpoint_io_list, destroy);
+-              if (need_resched())
+-                      return;
+               /*
+                * Stop scanning if we couldn't free the transaction. This
+                * avoids pointless scanning of transactions which still
+@@ -663,7 +626,7 @@ int __jbd2_journal_remove_checkpoint(struct journal_head *jh)
+       jbd2_journal_put_journal_head(jh);
+ 
+       /* Is this transaction empty? */
+-      if (transaction->t_checkpoint_list || transaction->t_checkpoint_io_list)
++      if (transaction->t_checkpoint_list)
+               return 0;
+ 
+       /*
+@@ -755,7 +718,6 @@ void __jbd2_journal_drop_transaction(journal_t *journal, transaction_t *transact
+       J_ASSERT(transaction->t_forget == NULL);
+       J_ASSERT(transaction->t_shadow_list == NULL);
+       J_ASSERT(transaction->t_checkpoint_list == NULL);
+-      J_ASSERT(transaction->t_checkpoint_io_list == NULL);
+       J_ASSERT(atomic_read(&transaction->t_updates) == 0);
+       J_ASSERT(journal->j_committing_transaction != transaction);
+       J_ASSERT(journal->j_running_transaction != transaction);
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 885a7a6cc53e6..f1d9db6686e31 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -1171,8 +1171,7 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+       spin_lock(&journal->j_list_lock);
+       commit_transaction->t_state = T_FINISHED;
+       /* Check if the transaction can be dropped now that we are finished */
+-      if (commit_transaction->t_checkpoint_list == NULL &&
+-          commit_transaction->t_checkpoint_io_list == NULL) {
++      if (commit_transaction->t_checkpoint_list == NULL) {
+               __jbd2_journal_drop_transaction(journal, commit_transaction);
+               jbd2_journal_free_transaction(commit_transaction);
+       }
+diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
+index 0b7242370b567..67912fe08fbbd 100644
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -622,12 +622,6 @@ struct transaction_s
+        */
+       struct journal_head     *t_checkpoint_list;
+ 
+-      /*
+-       * Doubly-linked circular list of all buffers submitted for IO while
+-       * checkpointing. [j_list_lock]
+-       */
+-      struct journal_head     *t_checkpoint_io_list;
+-
+       /*
+        * Doubly-linked circular list of metadata buffers being
+        * shadowed by log IO.  The IO buffers on the iobuf list and
+-- 
+2.40.1
+

diff --git a/queue-6.1/mips-cpu-features-enable-octeon_cache-by-cpu_type.patch b/queue-6.1/mips-cpu-features-enable-octeon_cache-by-cpu_type.patch
new file mode 100644 (file)
index 0000000..60563ac
--- /dev/null
+++ b/queue-6.1/mips-cpu-features-enable-octeon_cache-by-cpu_type.patch
@@ -0,0 +1,56 @@
+From 44c3c0ba71ddd413d35494a647551cc60b282699 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Apr 2023 10:33:44 +0100
+Subject: MIPS: cpu-features: Enable octeon_cache by cpu_type
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit f641519409a73403ee6612b8648b95a688ab85c2 ]
+
+cpu_has_octeon_cache was tied to 0 for generic cpu-features,
+whith this generic kernel built for octeon CPU won't boot.
+
+Just enable this flag by cpu_type. It won't hurt orther platforms
+because compiler will eliminate the code path on other processors.
+
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Stable-dep-of: 5487a7b60695 ("MIPS: cpu-features: Use boot_cpu_type for CPU type based features")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/cpu-features.h | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/cpu-features.h b/arch/mips/include/asm/cpu-features.h
+index c0983130a44c9..53c8551ec89bc 100644
+--- a/arch/mips/include/asm/cpu-features.h
++++ b/arch/mips/include/asm/cpu-features.h
+@@ -121,7 +121,24 @@
+ #define cpu_has_4k_cache      __isa_ge_or_opt(1, MIPS_CPU_4K_CACHE)
+ #endif
+ #ifndef cpu_has_octeon_cache
+-#define cpu_has_octeon_cache  0
++#define cpu_has_octeon_cache                                          \
++({                                                                    \
++      int __res;                                                      \
++                                                                      \
++      switch (current_cpu_type()) {                                   \
++      case CPU_CAVIUM_OCTEON:                                         \
++      case CPU_CAVIUM_OCTEON_PLUS:                                    \
++      case CPU_CAVIUM_OCTEON2:                                        \
++      case CPU_CAVIUM_OCTEON3:                                        \
++              __res = 1;                                              \
++              break;                                                  \
++                                                                      \
++      default:                                                        \
++              __res = 0;                                              \
++      }                                                               \
++                                                                      \
++      __res;                                                          \
++})
+ #endif
+ /* Don't override `cpu_has_fpu' to 1 or the "nofpu" option won't work.  */
+ #ifndef cpu_has_fpu
+-- 
+2.40.1
+

diff --git a/queue-6.1/mips-cpu-features-use-boot_cpu_type-for-cpu-type-bas.patch b/queue-6.1/mips-cpu-features-use-boot_cpu_type-for-cpu-type-bas.patch
new file mode 100644 (file)
index 0000000..8ad608b
--- /dev/null
+++ b/queue-6.1/mips-cpu-features-use-boot_cpu_type-for-cpu-type-bas.patch
@@ -0,0 +1,51 @@
+From 08118d67bebd9863a656016c0b009baac088d653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jun 2023 13:51:22 +0800
+Subject: MIPS: cpu-features: Use boot_cpu_type for CPU type based features
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit 5487a7b60695a92cf998350e4beac17144c91fcd ]
+
+Some CPU feature macros were using current_cpu_type to mark feature
+availability.
+
+However current_cpu_type will use smp_processor_id, which is prohibited
+under preemptable context.
+
+Since those features are all uniform on all CPUs in a SMP system, use
+boot_cpu_type instead of current_cpu_type to fix preemptable kernel.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/cpu-features.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/cpu-features.h b/arch/mips/include/asm/cpu-features.h
+index 53c8551ec89bc..e0a4da4cfd8bc 100644
+--- a/arch/mips/include/asm/cpu-features.h
++++ b/arch/mips/include/asm/cpu-features.h
+@@ -125,7 +125,7 @@
+ ({                                                                    \
+       int __res;                                                      \
+                                                                       \
+-      switch (current_cpu_type()) {                                   \
++      switch (boot_cpu_type()) {                                      \
+       case CPU_CAVIUM_OCTEON:                                         \
+       case CPU_CAVIUM_OCTEON_PLUS:                                    \
+       case CPU_CAVIUM_OCTEON2:                                        \
+@@ -368,7 +368,7 @@
+ ({                                                                    \
+       int __res;                                                      \
+                                                                       \
+-      switch (current_cpu_type()) {                                   \
++      switch (boot_cpu_type()) {                                      \
+       case CPU_M14KC:                                                 \
+       case CPU_74K:                                                   \
+       case CPU_1074K:                                                 \
+-- 
+2.40.1
+

diff --git a/queue-6.1/mlxsw-fix-the-size-of-virt_router_msb.patch b/queue-6.1/mlxsw-fix-the-size-of-virt_router_msb.patch
new file mode 100644 (file)
index 0000000..1f47fdb
--- /dev/null
+++ b/queue-6.1/mlxsw-fix-the-size-of-virt_router_msb.patch
@@ -0,0 +1,88 @@
+From e07adfc6cc9382e4b4bd0df18974ea45890e46be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 15:58:24 +0200
+Subject: mlxsw: Fix the size of 'VIRT_ROUTER_MSB'
+
+From: Amit Cohen <amcohen@nvidia.com>
+
+[ Upstream commit 348c976be0a599918b88729def198a843701c9fe ]
+
+The field 'virtual router' was extended to 12 bits in Spectrum-4.
+Therefore, the element 'MLXSW_AFK_ELEMENT_VIRT_ROUTER_MSB' needs 3 bits for
+Spectrum < 4 and 4 bits for Spectrum >= 4.
+
+The elements are stored in an internal storage scratchpad. Currently, the
+MSB is defined there as 3 bits. It means that for Spectrum-4, only 2K VRFs
+can be used for multicast routing, as the highest bit is not really used by
+the driver. Fix the definition of 'VIRT_ROUTER_MSB' to use 4 bits. Adjust
+the definitions of 'virtual router' field in the blocks accordingly - use
+'_avoid_size_check' for Spectrum-2 instead of for Spectrum-4. Fix the mask
+in parse function to use 4 bits.
+
+Fixes: 6d5d8ebb881c ("mlxsw: Rename virtual router flex key element")
+Signed-off-by: Amit Cohen <amcohen@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/79bed2b70f6b9ed58d4df02e9798a23da648015b.1692268427.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c     | 4 ++--
+ drivers/net/ethernet/mellanox/mlxsw/spectrum2_mr_tcam.c      | 2 +-
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_flex_keys.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c
+index bd1a51a0a5408..f208a237d0b52 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c
+@@ -32,8 +32,8 @@ static const struct mlxsw_afk_element_info mlxsw_afk_element_infos[] = {
+       MLXSW_AFK_ELEMENT_INFO_U32(IP_TTL_, 0x18, 0, 8),
+       MLXSW_AFK_ELEMENT_INFO_U32(IP_ECN, 0x18, 9, 2),
+       MLXSW_AFK_ELEMENT_INFO_U32(IP_DSCP, 0x18, 11, 6),
+-      MLXSW_AFK_ELEMENT_INFO_U32(VIRT_ROUTER_MSB, 0x18, 17, 3),
+-      MLXSW_AFK_ELEMENT_INFO_U32(VIRT_ROUTER_LSB, 0x18, 20, 8),
++      MLXSW_AFK_ELEMENT_INFO_U32(VIRT_ROUTER_MSB, 0x18, 17, 4),
++      MLXSW_AFK_ELEMENT_INFO_U32(VIRT_ROUTER_LSB, 0x18, 21, 8),
+       MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP_96_127, 0x20, 4),
+       MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP_64_95, 0x24, 4),
+       MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP_32_63, 0x28, 4),
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum2_mr_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum2_mr_tcam.c
+index e4f4cded2b6f9..b1178b7a7f51a 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum2_mr_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum2_mr_tcam.c
+@@ -193,7 +193,7 @@ mlxsw_sp2_mr_tcam_rule_parse(struct mlxsw_sp_acl_rule *rule,
+                                      key->vrid, GENMASK(7, 0));
+       mlxsw_sp_acl_rulei_keymask_u32(rulei,
+                                      MLXSW_AFK_ELEMENT_VIRT_ROUTER_MSB,
+-                                     key->vrid >> 8, GENMASK(2, 0));
++                                     key->vrid >> 8, GENMASK(3, 0));
+       switch (key->proto) {
+       case MLXSW_SP_L3_PROTO_IPV4:
+               return mlxsw_sp2_mr_tcam_rule_parse4(rulei, key);
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_flex_keys.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_flex_keys.c
+index 00c32320f8915..173808c096bab 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_flex_keys.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_flex_keys.c
+@@ -169,7 +169,7 @@ static struct mlxsw_afk_element_inst mlxsw_sp_afk_element_info_ipv4_2[] = {
+ 
+ static struct mlxsw_afk_element_inst mlxsw_sp_afk_element_info_ipv4_4[] = {
+       MLXSW_AFK_ELEMENT_INST_U32(VIRT_ROUTER_LSB, 0x04, 24, 8),
+-      MLXSW_AFK_ELEMENT_INST_U32(VIRT_ROUTER_MSB, 0x00, 0, 3),
++      MLXSW_AFK_ELEMENT_INST_EXT_U32(VIRT_ROUTER_MSB, 0x00, 0, 3, 0, true),
+ };
+ 
+ static struct mlxsw_afk_element_inst mlxsw_sp_afk_element_info_ipv6_0[] = {
+@@ -319,7 +319,7 @@ static struct mlxsw_afk_element_inst mlxsw_sp_afk_element_info_mac_5b[] = {
+ 
+ static struct mlxsw_afk_element_inst mlxsw_sp_afk_element_info_ipv4_4b[] = {
+       MLXSW_AFK_ELEMENT_INST_U32(VIRT_ROUTER_LSB, 0x04, 13, 8),
+-      MLXSW_AFK_ELEMENT_INST_EXT_U32(VIRT_ROUTER_MSB, 0x04, 21, 4, 0, true),
++      MLXSW_AFK_ELEMENT_INST_U32(VIRT_ROUTER_MSB, 0x04, 21, 4),
+ };
+ 
+ static struct mlxsw_afk_element_inst mlxsw_sp_afk_element_info_ipv6_2b[] = {
+-- 
+2.40.1
+

diff --git a/queue-6.1/mlxsw-pci-set-time-stamp-fields-also-when-its-type-i.patch b/queue-6.1/mlxsw-pci-set-time-stamp-fields-also-when-its-type-i.patch
new file mode 100644 (file)
index 0000000..7b42b49
--- /dev/null
+++ b/queue-6.1/mlxsw-pci-set-time-stamp-fields-also-when-its-type-i.patch
@@ -0,0 +1,75 @@
+From ca1fe4f7b6d0eb169cf3692452f234f9d66de910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 15:58:22 +0200
+Subject: mlxsw: pci: Set time stamp fields also when its type is MIRROR_UTC
+
+From: Danielle Ratson <danieller@nvidia.com>
+
+[ Upstream commit bc2de151ab6ad0762a04563527ec42e54dde572a ]
+
+Currently, in Spectrum-2 and above, time stamps are extracted from the CQE
+into the time stamp fields in 'struct mlxsw_skb_cb', only when the CQE
+time stamp type is UTC. The time stamps are read directly from the CQE and
+software can get the time stamp in UTC format using CQEv2.
+
+From Spectrum-4, the time stamps that are read from the CQE are allowed
+to be also from MIRROR_UTC type.
+
+Therefore, we get a warning [1] from the driver that the time stamp fields
+were not set, when LLDP control packet is sent.
+
+Allow the time stamp type to be MIRROR_UTC and set the time stamp in this
+case as well.
+
+[1]
+ WARNING: CPU: 11 PID: 0 at drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c:1409 mlxsw_sp2_ptp_hwtstamp_fill+0x1f/0x70 [mlxsw_spectrum]
+[...]
+ Call Trace:
+  <IRQ>
+  mlxsw_sp2_ptp_receive+0x3c/0x80 [mlxsw_spectrum]
+  mlxsw_core_skb_receive+0x119/0x190 [mlxsw_core]
+  mlxsw_pci_cq_tasklet+0x3c9/0x780 [mlxsw_pci]
+  tasklet_action_common.constprop.0+0x9f/0x110
+  __do_softirq+0xbb/0x296
+  irq_exit_rcu+0x79/0xa0
+  common_interrupt+0x86/0xa0
+  </IRQ>
+  <TASK>
+
+Fixes: 4735402173e6 ("mlxsw: spectrum: Extend to support Spectrum-4 ASIC")
+Signed-off-by: Danielle Ratson <danieller@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/bcef4d044ef608a4e258d33a7ec0ecd91f480db5.1692268427.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/pci.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+index c968309657dd1..51eea1f0529c8 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+@@ -517,11 +517,15 @@ static void mlxsw_pci_skb_cb_ts_set(struct mlxsw_pci *mlxsw_pci,
+                                   struct sk_buff *skb,
+                                   enum mlxsw_pci_cqe_v cqe_v, char *cqe)
+ {
++      u8 ts_type;
++
+       if (cqe_v != MLXSW_PCI_CQE_V2)
+               return;
+ 
+-      if (mlxsw_pci_cqe2_time_stamp_type_get(cqe) !=
+-          MLXSW_PCI_CQE_TIME_STAMP_TYPE_UTC)
++      ts_type = mlxsw_pci_cqe2_time_stamp_type_get(cqe);
++
++      if (ts_type != MLXSW_PCI_CQE_TIME_STAMP_TYPE_UTC &&
++          ts_type != MLXSW_PCI_CQE_TIME_STAMP_TYPE_MIRROR_UTC)
+               return;
+ 
+       mlxsw_skb_cb(skb)->cqe_ts.sec = mlxsw_pci_cqe2_time_stamp_sec_get(cqe);
+-- 
+2.40.1
+

diff --git a/queue-6.1/mlxsw-reg-fix-sspr-register-layout.patch b/queue-6.1/mlxsw-reg-fix-sspr-register-layout.patch
new file mode 100644 (file)
index 0000000..2656d82
--- /dev/null
+++ b/queue-6.1/mlxsw-reg-fix-sspr-register-layout.patch
@@ -0,0 +1,62 @@
+From 0026f6b41cc45314971ebe3848fc3d3cf5718db5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 15:58:23 +0200
+Subject: mlxsw: reg: Fix SSPR register layout
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 0dc63b9cfd4c5666ced52c829fdd65dcaeb9f0f1 ]
+
+The two most significant bits of the "local_port" field in the SSPR
+register are always cleared since they are overwritten by the deprecated
+and overlapping "sub_port" field.
+
+On systems with more than 255 local ports (e.g., Spectrum-4), this
+results in the firmware maintaining invalid mappings between system port
+and local port. Specifically, two different systems ports (0x1 and
+0x101) point to the same local port (0x1), which eventually leads to
+firmware errors.
+
+Fix by removing the deprecated "sub_port" field.
+
+Fixes: fd24b29a1b74 ("mlxsw: reg: Align existing registers to use extended local_port field")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/9b909a3033c8d3d6f67f237306bef4411c5e6ae4.1692268427.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+index 0777bed5bb1af..a34ff19c58bd2 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -97,14 +97,6 @@ MLXSW_ITEM32(reg, sspr, m, 0x00, 31, 1);
+  */
+ MLXSW_ITEM32_LP(reg, sspr, 0x00, 16, 0x00, 12);
+ 
+-/* reg_sspr_sub_port
+- * Virtual port within the physical port.
+- * Should be set to 0 when virtual ports are not enabled on the port.
+- *
+- * Access: RW
+- */
+-MLXSW_ITEM32(reg, sspr, sub_port, 0x00, 8, 8);
+-
+ /* reg_sspr_system_port
+  * Unique identifier within the stacking domain that represents all the ports
+  * that are available in the system (external ports).
+@@ -120,7 +112,6 @@ static inline void mlxsw_reg_sspr_pack(char *payload, u16 local_port)
+       MLXSW_REG_ZERO(sspr, payload);
+       mlxsw_reg_sspr_m_set(payload, 1);
+       mlxsw_reg_sspr_local_port_set(payload, local_port);
+-      mlxsw_reg_sspr_sub_port_set(payload, 0);
+       mlxsw_reg_sspr_system_port_set(payload, local_port);
+ }
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/net-bcmgenet-fix-return-value-check-for-fixed_phy_re.patch b/queue-6.1/net-bcmgenet-fix-return-value-check-for-fixed_phy_re.patch
new file mode 100644 (file)
index 0000000..d0f3859
--- /dev/null
+++ b/queue-6.1/net-bcmgenet-fix-return-value-check-for-fixed_phy_re.patch
@@ -0,0 +1,38 @@
+From b2cdc9472f39b009c2a0083dd2d05029dfaf1d02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 13:12:21 +0800
+Subject: net: bcmgenet: Fix return value check for fixed_phy_register()
+
+From: Ruan Jinjie <ruanjinjie@huawei.com>
+
+[ Upstream commit 32bbe64a1386065ab2aef8ce8cae7c689d0add6e ]
+
+The fixed_phy_register() function returns error pointers and never
+returns NULL. Update the checks accordingly.
+
+Fixes: b0ba512e25d7 ("net: bcmgenet: enable driver to work without a device tree")
+Signed-off-by: Ruan Jinjie <ruanjinjie@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Acked-by: Doug Berger <opendmb@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+index 1fe8038587ac8..1779ee524dac7 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -608,7 +608,7 @@ static int bcmgenet_mii_pd_init(struct bcmgenet_priv *priv)
+               };
+ 
+               phydev = fixed_phy_register(PHY_POLL, &fphy_status, NULL);
+-              if (!phydev || IS_ERR(phydev)) {
++              if (IS_ERR(phydev)) {
+                       dev_err(kdev, "failed to register fixed PHY device\n");
+                       return -ENODEV;
+               }
+-- 
+2.40.1
+

diff --git a/queue-6.1/net-bgmac-fix-return-value-check-for-fixed_phy_regis.patch b/queue-6.1/net-bgmac-fix-return-value-check-for-fixed_phy_regis.patch
new file mode 100644 (file)
index 0000000..7e5a0f4
--- /dev/null
+++ b/queue-6.1/net-bgmac-fix-return-value-check-for-fixed_phy_regis.patch
@@ -0,0 +1,38 @@
+From 64e0e7621cf272a583397aa3e5310b77022899ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 13:12:20 +0800
+Subject: net: bgmac: Fix return value check for fixed_phy_register()
+
+From: Ruan Jinjie <ruanjinjie@huawei.com>
+
+[ Upstream commit 23a14488ea5882dea5851b65c9fce2127ee8fcad ]
+
+The fixed_phy_register() function returns error pointers and never
+returns NULL. Update the checks accordingly.
+
+Fixes: c25b23b8a387 ("bgmac: register fixed PHY for ARM BCM470X / BCM5301X chipsets")
+Signed-off-by: Ruan Jinjie <ruanjinjie@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c
+index 10c7c232cc4ec..52ee3751187a2 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -1448,7 +1448,7 @@ int bgmac_phy_connect_direct(struct bgmac *bgmac)
+       int err;
+ 
+       phy_dev = fixed_phy_register(PHY_POLL, &fphy_status, NULL);
+-      if (!phy_dev || IS_ERR(phy_dev)) {
++      if (IS_ERR(phy_dev)) {
+               dev_err(bgmac->dev, "Failed to register fixed PHY device\n");
+               return -ENODEV;
+       }
+-- 
+2.40.1
+

diff --git a/queue-6.1/net-dsa-felix-fix-oversize-frame-dropping-for-always.patch b/queue-6.1/net-dsa-felix-fix-oversize-frame-dropping-for-always.patch
new file mode 100644 (file)
index 0000000..9795ca7
--- /dev/null
+++ b/queue-6.1/net-dsa-felix-fix-oversize-frame-dropping-for-always.patch
@@ -0,0 +1,73 @@
+From 74b803932a262b4bf8fec3b4a53867848b961e78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 15:01:11 +0300
+Subject: net: dsa: felix: fix oversize frame dropping for always closed
+ tc-taprio gates
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit d44036cad31170da0cb9c728e80743f84267da6e ]
+
+The blamed commit resolved a bug where frames would still get stuck at
+egress, even though they're smaller than the maxSDU[tc], because the
+driver did not take into account the extra 33 ns that the queue system
+needs for scheduling the frame.
+
+It now takes that into account, but the arithmetic that we perform in
+vsc9959_tas_remaining_gate_len_ps() is buggy, because we operate on
+64-bit unsigned integers, so gate_len_ns - VSC9959_TAS_MIN_GATE_LEN_NS
+may become a very large integer if gate_len_ns < 33 ns.
+
+In practice, this means that we've introduced a regression where all
+traffic class gates which are permanently closed will not get detected
+by the driver, and we won't enable oversize frame dropping for them.
+
+Before:
+mscc_felix 0000:00:00.5: port 0: max frame size 1526 needs 12400000 ps, 1152000 ps for mPackets at speed 1000
+mscc_felix 0000:00:00.5: port 0 tc 0 min gate len 1000000, sending all frames
+mscc_felix 0000:00:00.5: port 0 tc 1 min gate len 0, sending all frames
+mscc_felix 0000:00:00.5: port 0 tc 2 min gate len 0, sending all frames
+mscc_felix 0000:00:00.5: port 0 tc 3 min gate len 0, sending all frames
+mscc_felix 0000:00:00.5: port 0 tc 4 min gate len 0, sending all frames
+mscc_felix 0000:00:00.5: port 0 tc 5 min gate len 0, sending all frames
+mscc_felix 0000:00:00.5: port 0 tc 6 min gate len 0, sending all frames
+mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 5120 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 615 octets including FCS
+
+After:
+mscc_felix 0000:00:00.5: port 0: max frame size 1526 needs 12400000 ps, 1152000 ps for mPackets at speed 1000
+mscc_felix 0000:00:00.5: port 0 tc 0 min gate len 1000000, sending all frames
+mscc_felix 0000:00:00.5: port 0 tc 1 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 2 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 3 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 4 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 5 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 6 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 5120 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 615 octets including FCS
+
+Fixes: 11afdc6526de ("net: dsa: felix: tc-taprio intervals smaller than MTU should send at least one packet")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230817120111.3522827-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/ocelot/felix_vsc9959.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/ocelot/felix_vsc9959.c b/drivers/net/dsa/ocelot/felix_vsc9959.c
+index 5f6af0870dfd6..0186482194d20 100644
+--- a/drivers/net/dsa/ocelot/felix_vsc9959.c
++++ b/drivers/net/dsa/ocelot/felix_vsc9959.c
+@@ -1071,6 +1071,9 @@ static u64 vsc9959_tas_remaining_gate_len_ps(u64 gate_len_ns)
+       if (gate_len_ns == U64_MAX)
+               return U64_MAX;
+ 
++      if (gate_len_ns < VSC9959_TAS_MIN_GATE_LEN_NS)
++              return 0;
++
+       return (gate_len_ns - VSC9959_TAS_MIN_GATE_LEN_NS) * PSEC_PER_NSEC;
+ }
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/net-dsa-mt7530-fix-handling-of-802.1x-pae-frames.patch b/queue-6.1/net-dsa-mt7530-fix-handling-of-802.1x-pae-frames.patch
new file mode 100644 (file)
index 0000000..d889b29
--- /dev/null
+++ b/queue-6.1/net-dsa-mt7530-fix-handling-of-802.1x-pae-frames.patch
@@ -0,0 +1,58 @@
+From 7f3319eb93090c76324d4ebc918dbf88b3ec6d6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Aug 2023 13:59:17 +0300
+Subject: net: dsa: mt7530: fix handling of 802.1X PAE frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit e94b590abfff2cdbf0bdaa7d9904364c8d480af5 ]
+
+802.1X PAE frames are link-local frames, therefore they must be trapped to
+the CPU port. Currently, the MT753X switches treat 802.1X PAE frames as
+regular multicast frames, therefore flooding them to user ports. To fix
+this, set 802.1X PAE frames to be trapped to the CPU port(s).
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 4 ++++
+ drivers/net/dsa/mt7530.h | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 51d2ef0dc835c..b988c8a40d536 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -1005,6 +1005,10 @@ mt753x_trap_frames(struct mt7530_priv *priv)
+       mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK,
+                  MT753X_BPDU_CPU_ONLY);
+ 
++      /* Trap 802.1X PAE frames to the CPU port(s) */
++      mt7530_rmw(priv, MT753X_BPC, MT753X_PAE_PORT_FW_MASK,
++                 MT753X_PAE_PORT_FW(MT753X_BPDU_CPU_ONLY));
++
+       /* Trap LLDP frames with :0E MAC DA to the CPU port(s) */
+       mt7530_rmw(priv, MT753X_RGAC2, MT753X_R0E_PORT_FW_MASK,
+                  MT753X_R0E_PORT_FW(MT753X_BPDU_CPU_ONLY));
+diff --git a/drivers/net/dsa/mt7530.h b/drivers/net/dsa/mt7530.h
+index 9a45663d8b4ef..6202b0f8c3f34 100644
+--- a/drivers/net/dsa/mt7530.h
++++ b/drivers/net/dsa/mt7530.h
+@@ -64,6 +64,8 @@ enum mt753x_id {
+ /* Registers for BPDU and PAE frame control*/
+ #define MT753X_BPC                    0x24
+ #define  MT753X_BPDU_PORT_FW_MASK     GENMASK(2, 0)
++#define  MT753X_PAE_PORT_FW_MASK      GENMASK(18, 16)
++#define  MT753X_PAE_PORT_FW(x)                FIELD_PREP(MT753X_PAE_PORT_FW_MASK, x)
+ 
+ /* Register for :03 and :0E MAC DA frame control */
+ #define MT753X_RGAC2                  0x2c
+-- 
+2.40.1
+

diff --git a/queue-6.1/net-sched-fix-a-qdisc-modification-with-ambiguous-co.patch b/queue-6.1/net-sched-fix-a-qdisc-modification-with-ambiguous-co.patch
new file mode 100644 (file)
index 0000000..7b8e908
--- /dev/null
+++ b/queue-6.1/net-sched-fix-a-qdisc-modification-with-ambiguous-co.patch
@@ -0,0 +1,138 @@
+From f6ef689fefabe82e53b080d63308e2e2fcd7d4c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Aug 2023 06:12:31 -0400
+Subject: net/sched: fix a qdisc modification with ambiguous command request
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit da71714e359b64bd7aab3bd56ec53f307f058133 ]
+
+When replacing an existing root qdisc, with one that is of the same kind, the
+request boils down to essentially a parameterization change  i.e not one that
+requires allocation and grafting of a new qdisc. syzbot was able to create a
+scenario which resulted in a taprio qdisc replacing an existing taprio qdisc
+with a combination of NLM_F_CREATE, NLM_F_REPLACE and NLM_F_EXCL leading to
+create and graft scenario.
+The fix ensures that only when the qdisc kinds are different that we should
+allow a create and graft, otherwise it goes into the "change" codepath.
+
+While at it, fix the code and comments to improve readability.
+
+While syzbot was able to create the issue, it did not zone on the root cause.
+Analysis from Vladimir Oltean <vladimir.oltean@nxp.com> helped narrow it down.
+
+v1->V2 changes:
+- remove "inline" function definition (Vladmir)
+- remove extrenous braces in branches (Vladmir)
+- change inline function names (Pedro)
+- Run tdc tests (Victor)
+v2->v3 changes:
+- dont break else/if (Simon)
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+a3618a167af2021433cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/20230816225759.g25x76kmgzya2gei@skbuf/T/
+Tested-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
+Reviewed-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 53 ++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 13 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 01d07e6a68119..e8f988e1c7e64 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1550,10 +1550,28 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+       return 0;
+ }
+ 
++static bool req_create_or_replace(struct nlmsghdr *n)
++{
++      return (n->nlmsg_flags & NLM_F_CREATE &&
++              n->nlmsg_flags & NLM_F_REPLACE);
++}
++
++static bool req_create_exclusive(struct nlmsghdr *n)
++{
++      return (n->nlmsg_flags & NLM_F_CREATE &&
++              n->nlmsg_flags & NLM_F_EXCL);
++}
++
++static bool req_change(struct nlmsghdr *n)
++{
++      return (!(n->nlmsg_flags & NLM_F_CREATE) &&
++              !(n->nlmsg_flags & NLM_F_REPLACE) &&
++              !(n->nlmsg_flags & NLM_F_EXCL));
++}
++
+ /*
+  * Create/change qdisc.
+  */
+-
+ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                          struct netlink_ext_ack *extack)
+ {
+@@ -1647,27 +1665,35 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                                *
+                                *   We know, that some child q is already
+                                *   attached to this parent and have choice:
+-                               *   either to change it or to create/graft new one.
++                               *   1) change it or 2) create/graft new one.
++                               *   If the requested qdisc kind is different
++                               *   than the existing one, then we choose graft.
++                               *   If they are the same then this is "change"
++                               *   operation - just let it fallthrough..
+                                *
+                                *   1. We are allowed to create/graft only
+-                               *   if CREATE and REPLACE flags are set.
++                               *   if the request is explicitly stating
++                               *   "please create if it doesn't exist".
+                                *
+-                               *   2. If EXCL is set, requestor wanted to say,
+-                               *   that qdisc tcm_handle is not expected
++                               *   2. If the request is to exclusive create
++                               *   then the qdisc tcm_handle is not expected
+                                *   to exist, so that we choose create/graft too.
+                                *
+                                *   3. The last case is when no flags are set.
++                               *   This will happen when for example tc
++                               *   utility issues a "change" command.
+                                *   Alas, it is sort of hole in API, we
+                                *   cannot decide what to do unambiguously.
+-                               *   For now we select create/graft, if
+-                               *   user gave KIND, which does not match existing.
++                               *   For now we select create/graft.
+                                */
+-                              if ((n->nlmsg_flags & NLM_F_CREATE) &&
+-                                  (n->nlmsg_flags & NLM_F_REPLACE) &&
+-                                  ((n->nlmsg_flags & NLM_F_EXCL) ||
+-                                   (tca[TCA_KIND] &&
+-                                    nla_strcmp(tca[TCA_KIND], q->ops->id))))
+-                                      goto create_n_graft;
++                              if (tca[TCA_KIND] &&
++                                  nla_strcmp(tca[TCA_KIND], q->ops->id)) {
++                                      if (req_create_or_replace(n) ||
++                                          req_create_exclusive(n))
++                                              goto create_n_graft;
++                                      else if (req_change(n))
++                                              goto create_n_graft2;
++                              }
+                       }
+               }
+       } else {
+@@ -1701,6 +1727,7 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+               NL_SET_ERR_MSG(extack, "Qdisc not found. To create specify NLM_F_CREATE flag");
+               return -ENOENT;
+       }
++create_n_graft2:
+       if (clid == TC_H_INGRESS) {
+               if (dev_ingress_queue(dev)) {
+                       q = qdisc_create(dev, dev_ingress_queue(dev),
+-- 
+2.40.1
+

diff --git a/queue-6.1/net-validate-veth-and-vxcan-peer-ifindexes.patch b/queue-6.1/net-validate-veth-and-vxcan-peer-ifindexes.patch
new file mode 100644 (file)
index 0000000..056b343
--- /dev/null
+++ b/queue-6.1/net-validate-veth-and-vxcan-peer-ifindexes.patch
@@ -0,0 +1,137 @@
+From e0fd9e77b041f358597563454b1a152f9effa0d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 18:26:02 -0700
+Subject: net: validate veth and vxcan peer ifindexes
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit f534f6581ec084fe94d6759f7672bd009794b07e ]
+
+veth and vxcan need to make sure the ifindexes of the peer
+are not negative, core does not validate this.
+
+Using iproute2 with user-space-level checking removed:
+
+Before:
+
+  # ./ip link add index 10 type veth peer index -1
+  # ip link show
+  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+  2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
+    link/ether 52:54:00:74:b2:03 brd ff:ff:ff:ff:ff:ff
+  10: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
+    link/ether 8a:90:ff:57:6d:5d brd ff:ff:ff:ff:ff:ff
+  -1: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
+    link/ether ae:ed:18:e6:fa:7f brd ff:ff:ff:ff:ff:ff
+
+Now:
+
+  $ ./ip link add index 10 type veth peer index -1
+  Error: ifindex can't be negative.
+
+This problem surfaced in net-next because an explicit WARN()
+was added, the root cause is older.
+
+Fixes: e6f8f1a739b6 ("veth: Allow to create peer link with given ifindex")
+Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)")
+Reported-by: syzbot+5ba06978f34abb058571@syzkaller.appspotmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/vxcan.c |  7 +------
+ drivers/net/veth.c      |  5 +----
+ include/net/rtnetlink.h |  4 ++--
+ net/core/rtnetlink.c    | 22 ++++++++++++++++++----
+ 4 files changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
+index 26a472d2ea583..6d549dbdb4674 100644
+--- a/drivers/net/can/vxcan.c
++++ b/drivers/net/can/vxcan.c
+@@ -192,12 +192,7 @@ static int vxcan_newlink(struct net *net, struct net_device *dev,
+ 
+               nla_peer = data[VXCAN_INFO_PEER];
+               ifmp = nla_data(nla_peer);
+-              err = rtnl_nla_parse_ifla(peer_tb,
+-                                        nla_data(nla_peer) +
+-                                        sizeof(struct ifinfomsg),
+-                                        nla_len(nla_peer) -
+-                                        sizeof(struct ifinfomsg),
+-                                        NULL);
++              err = rtnl_nla_parse_ifinfomsg(peer_tb, nla_peer, extack);
+               if (err < 0)
+                       return err;
+ 
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index a71786b3e7ba7..727b9278b9fe5 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -1716,10 +1716,7 @@ static int veth_newlink(struct net *src_net, struct net_device *dev,
+ 
+               nla_peer = data[VETH_INFO_PEER];
+               ifmp = nla_data(nla_peer);
+-              err = rtnl_nla_parse_ifla(peer_tb,
+-                                        nla_data(nla_peer) + sizeof(struct ifinfomsg),
+-                                        nla_len(nla_peer) - sizeof(struct ifinfomsg),
+-                                        NULL);
++              err = rtnl_nla_parse_ifinfomsg(peer_tb, nla_peer, extack);
+               if (err < 0)
+                       return err;
+ 
+diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
+index bf8bb33578250..9f881b74f32ed 100644
+--- a/include/net/rtnetlink.h
++++ b/include/net/rtnetlink.h
+@@ -189,8 +189,8 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname,
+ int rtnl_delete_link(struct net_device *dev);
+ int rtnl_configure_link(struct net_device *dev, const struct ifinfomsg *ifm);
+ 
+-int rtnl_nla_parse_ifla(struct nlattr **tb, const struct nlattr *head, int len,
+-                      struct netlink_ext_ack *exterr);
++int rtnl_nla_parse_ifinfomsg(struct nlattr **tb, const struct nlattr *nla_peer,
++                           struct netlink_ext_ack *exterr);
+ struct net *rtnl_get_net_ns_capable(struct sock *sk, int netnsid);
+ 
+ #define MODULE_ALIAS_RTNL_LINK(kind) MODULE_ALIAS("rtnl-link-" kind)
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 2758b3f7c0214..48e300a144ad6 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2220,13 +2220,27 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
+       return err;
+ }
+ 
+-int rtnl_nla_parse_ifla(struct nlattr **tb, const struct nlattr *head, int len,
+-                      struct netlink_ext_ack *exterr)
++int rtnl_nla_parse_ifinfomsg(struct nlattr **tb, const struct nlattr *nla_peer,
++                           struct netlink_ext_ack *exterr)
+ {
+-      return nla_parse_deprecated(tb, IFLA_MAX, head, len, ifla_policy,
++      const struct ifinfomsg *ifmp;
++      const struct nlattr *attrs;
++      size_t len;
++
++      ifmp = nla_data(nla_peer);
++      attrs = nla_data(nla_peer) + sizeof(struct ifinfomsg);
++      len = nla_len(nla_peer) - sizeof(struct ifinfomsg);
++
++      if (ifmp->ifi_index < 0) {
++              NL_SET_ERR_MSG_ATTR(exterr, nla_peer,
++                                  "ifindex can't be negative");
++              return -EINVAL;
++      }
++
++      return nla_parse_deprecated(tb, IFLA_MAX, attrs, len, ifla_policy,
+                                   exterr);
+ }
+-EXPORT_SYMBOL(rtnl_nla_parse_ifla);
++EXPORT_SYMBOL(rtnl_nla_parse_ifinfomsg);
+ 
+ struct net *rtnl_link_get_net(struct net *src_net, struct nlattr *tb[])
+ {
+-- 
+2.40.1
+

diff --git a/queue-6.1/netfilter-nf_tables-fix-out-of-memory-error-handling.patch b/queue-6.1/netfilter-nf_tables-fix-out-of-memory-error-handling.patch
new file mode 100644 (file)
index 0000000..559a622
--- /dev/null
+++ b/queue-6.1/netfilter-nf_tables-fix-out-of-memory-error-handling.patch
@@ -0,0 +1,65 @@
+From bd152bcb5a868f19bf02139e624459d5341fe613 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Aug 2023 19:49:52 +0200
+Subject: netfilter: nf_tables: fix out of memory error handling
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 5e1be4cdc98c989d5387ce94ff15b5ad06a5b681 ]
+
+Several instances of pipapo_resize() don't propagate allocation failures,
+this causes a crash when fault injection is enabled for gfp_kernel slabs.
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 32cfd0a84b0e2..8c16681884b7e 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -901,12 +901,14 @@ static void pipapo_lt_bits_adjust(struct nft_pipapo_field *f)
+ static int pipapo_insert(struct nft_pipapo_field *f, const uint8_t *k,
+                        int mask_bits)
+ {
+-      int rule = f->rules++, group, ret, bit_offset = 0;
++      int rule = f->rules, group, ret, bit_offset = 0;
+ 
+-      ret = pipapo_resize(f, f->rules - 1, f->rules);
++      ret = pipapo_resize(f, f->rules, f->rules + 1);
+       if (ret)
+               return ret;
+ 
++      f->rules++;
++
+       for (group = 0; group < f->groups; group++) {
+               int i, v;
+               u8 mask;
+@@ -1051,7 +1053,9 @@ static int pipapo_expand(struct nft_pipapo_field *f,
+                       step++;
+                       if (step >= len) {
+                               if (!masks) {
+-                                      pipapo_insert(f, base, 0);
++                                      err = pipapo_insert(f, base, 0);
++                                      if (err < 0)
++                                              return err;
+                                       masks = 1;
+                               }
+                               goto out;
+@@ -1234,6 +1238,9 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
+               else
+                       ret = pipapo_expand(f, start, end, f->groups * f->bb);
+ 
++              if (ret < 0)
++                      return ret;
++
+               if (f->bsize > bsize_max)
+                       bsize_max = f->bsize;
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/netfilter-nf_tables-flush-pending-destroy-work-befor.patch b/queue-6.1/netfilter-nf_tables-flush-pending-destroy-work-befor.patch
new file mode 100644 (file)
index 0000000..6776771
--- /dev/null
+++ b/queue-6.1/netfilter-nf_tables-flush-pending-destroy-work-befor.patch
@@ -0,0 +1,44 @@
+From 969e66080fd7eb44d50da3b90d906d6a82347388 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 01:13:31 +0200
+Subject: netfilter: nf_tables: flush pending destroy work before netlink
+ notifier
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 2c9f0293280e258606e54ed2b96fa71498432eae ]
+
+Destroy work waits for the RCU grace period then it releases the objects
+with no mutex held. All releases objects follow this path for
+transactions, therefore, order is guaranteed and references to top-level
+objects in the hierarchy remain valid.
+
+However, netlink notifier might interfer with pending destroy work.
+rcu_barrier() is not correct because objects are not release via RCU
+callback. Flush destroy work before releasing objects from netlink
+notifier path.
+
+Fixes: d4bc8271db21 ("netfilter: nf_tables: netlink notifier might race to release objects")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4c2df7af73f76..3c5cac9bd9b70 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -10509,7 +10509,7 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
+       deleted = 0;
+       mutex_lock(&nft_net->commit_mutex);
+       if (!list_empty(&nf_tables_destroy_list))
+-              rcu_barrier();
++              nf_tables_trans_destroy_flush_work();
+ again:
+       list_for_each_entry(table, &nft_net->tables, list) {
+               if (nft_table_has_owner(table) &&
+-- 
+2.40.1
+

diff --git a/queue-6.1/nfsv4-fix-out-path-in-__nfs4_get_acl_uncached.patch b/queue-6.1/nfsv4-fix-out-path-in-__nfs4_get_acl_uncached.patch
new file mode 100644 (file)
index 0000000..ccf3a99
--- /dev/null
+++ b/queue-6.1/nfsv4-fix-out-path-in-__nfs4_get_acl_uncached.patch
@@ -0,0 +1,46 @@
+From d2325455dbb997bbd922d24cd28e7aa5b1244b78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 14:59:30 +0300
+Subject: NFSv4: fix out path in __nfs4_get_acl_uncached
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit f4e89f1a6dab4c063fc1e823cc9dddc408ff40cf ]
+
+Another highly rare error case when a page allocating loop (inside
+__nfs4_get_acl_uncached, this time) is not properly unwound on error.
+Since pages array is allocated being uninitialized, need to free only
+lower array indices. NULL checks were useful before commit 62a1573fcf84
+("NFSv4 fix acl retrieval over krb5i/krb5p mounts") when the array had
+been initialized to zero on stack.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: 62a1573fcf84 ("NFSv4 fix acl retrieval over krb5i/krb5p mounts")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 177cb7b089b9a..d67383665e9bb 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5995,9 +5995,8 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf,
+ out_ok:
+       ret = res.acl_len;
+ out_free:
+-      for (i = 0; i < npages; i++)
+-              if (pages[i])
+-                      __free_page(pages[i]);
++      while (--i >= 0)
++              __free_page(pages[i]);
+       if (res.acl_scratch)
+               __free_page(res.acl_scratch);
+       kfree(pages);
+-- 
+2.40.1
+

diff --git a/queue-6.1/nfsv4.2-fix-error-handling-in-nfs42_proc_getxattr.patch b/queue-6.1/nfsv4.2-fix-error-handling-in-nfs42_proc_getxattr.patch
new file mode 100644 (file)
index 0000000..79f2c75
--- /dev/null
+++ b/queue-6.1/nfsv4.2-fix-error-handling-in-nfs42_proc_getxattr.patch
@@ -0,0 +1,51 @@
+From 1385446162539cc3d096115e2c6cf25171757411 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 14:58:58 +0300
+Subject: NFSv4.2: fix error handling in nfs42_proc_getxattr
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 4e3733fd2b0f677faae21cf838a43faf317986d3 ]
+
+There is a slight issue with error handling code inside
+nfs42_proc_getxattr(). If page allocating loop fails then we free the
+failing page array element which is NULL but __free_page() can't deal with
+NULL args.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: a1f26739ccdc ("NFSv4.2: improve page handling for GETXATTR")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42proc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index ecb428512fe1a..7c33bba179d2f 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -1359,7 +1359,6 @@ ssize_t nfs42_proc_getxattr(struct inode *inode, const char *name,
+       for (i = 0; i < np; i++) {
+               pages[i] = alloc_page(GFP_KERNEL);
+               if (!pages[i]) {
+-                      np = i + 1;
+                       err = -ENOMEM;
+                       goto out;
+               }
+@@ -1383,8 +1382,8 @@ ssize_t nfs42_proc_getxattr(struct inode *inode, const char *name,
+       } while (exception.retry);
+ 
+ out:
+-      while (--np >= 0)
+-              __free_page(pages[np]);
++      while (--i >= 0)
++              __free_page(pages[i]);
+       kfree(pages);
+ 
+       return err;
+-- 
+2.40.1
+

diff --git a/queue-6.1/octeontx2-af-sdp-fix-receive-link-config.patch b/queue-6.1/octeontx2-af-sdp-fix-receive-link-config.patch
new file mode 100644 (file)
index 0000000..3ccf72e
--- /dev/null
+++ b/queue-6.1/octeontx2-af-sdp-fix-receive-link-config.patch
@@ -0,0 +1,45 @@
+From f3b346841466a7ded6040af25e3e9e653078bee3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 12:00:06 +0530
+Subject: octeontx2-af: SDP: fix receive link config
+
+From: Hariprasad Kelam <hkelam@marvell.com>
+
+[ Upstream commit 05f3d5bc23524bed6f043dfe6b44da687584f9fb ]
+
+On SDP interfaces, frame oversize and undersize errors are
+observed as driver is not considering packet sizes of all
+subscribers of the link before updating the link config.
+
+This patch fixes the same.
+
+Fixes: 9b7dd87ac071 ("octeontx2-af: Support to modify min/max allowed packet lengths")
+Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20230817063006.10366-1-hkelam@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+index 705325431dec3..5541e284cd3f0 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+@@ -4005,9 +4005,10 @@ int rvu_mbox_handler_nix_set_hw_frs(struct rvu *rvu, struct nix_frs_cfg *req,
+       if (link < 0)
+               return NIX_AF_ERR_RX_LINK_INVALID;
+ 
+-      nix_find_link_frs(rvu, req, pcifunc);
+ 
+ linkcfg:
++      nix_find_link_frs(rvu, req, pcifunc);
++
+       cfg = rvu_read64(rvu, blkaddr, NIX_AF_RX_LINKX_CFG(link));
+       cfg = (cfg & ~(0xFFFFULL << 16)) | ((u64)req->maxlen << 16);
+       if (req->update_minlen)
+-- 
+2.40.1
+

diff --git a/queue-6.1/pci-acpiphp-reassign-resources-on-bridge-if-necessar.patch b/queue-6.1/pci-acpiphp-reassign-resources-on-bridge-if-necessar.patch
new file mode 100644 (file)
index 0000000..454ab18
--- /dev/null
+++ b/queue-6.1/pci-acpiphp-reassign-resources-on-bridge-if-necessar.patch
@@ -0,0 +1,83 @@
+From 83ad052a14e4ab0f032c53c7caa3f4dc9eb91bbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 21:15:57 +0200
+Subject: PCI: acpiphp: Reassign resources on bridge if necessary
+
+From: Igor Mammedov <imammedo@redhat.com>
+
+[ Upstream commit 40613da52b13fb21c5566f10b287e0ca8c12c4e9 ]
+
+When using ACPI PCI hotplug, hotplugging a device with large BARs may fail
+if bridge windows programmed by firmware are not large enough.
+
+Reproducer:
+  $ qemu-kvm -monitor stdio -M q35  -m 4G \
+      -global ICH9-LPC.acpi-pci-hotplug-with-bridge-support=on \
+      -device id=rp1,pcie-root-port,bus=pcie.0,chassis=4 \
+      disk_image
+
+ wait till linux guest boots, then hotplug device:
+   (qemu) device_add qxl,bus=rp1
+
+ hotplug on guest side fails with:
+   pci 0000:01:00.0: [1b36:0100] type 00 class 0x038000
+   pci 0000:01:00.0: reg 0x10: [mem 0x00000000-0x03ffffff]
+   pci 0000:01:00.0: reg 0x14: [mem 0x00000000-0x03ffffff]
+   pci 0000:01:00.0: reg 0x18: [mem 0x00000000-0x00001fff]
+   pci 0000:01:00.0: reg 0x1c: [io  0x0000-0x001f]
+   pci 0000:01:00.0: BAR 0: no space for [mem size 0x04000000]
+   pci 0000:01:00.0: BAR 0: failed to assign [mem size 0x04000000]
+   pci 0000:01:00.0: BAR 1: no space for [mem size 0x04000000]
+   pci 0000:01:00.0: BAR 1: failed to assign [mem size 0x04000000]
+   pci 0000:01:00.0: BAR 2: assigned [mem 0xfe800000-0xfe801fff]
+   pci 0000:01:00.0: BAR 3: assigned [io  0x1000-0x101f]
+   qxl 0000:01:00.0: enabling device (0000 -> 0003)
+   Unable to create vram_mapping
+   qxl: probe of 0000:01:00.0 failed with error -12
+
+However when using native PCIe hotplug
+  '-global ICH9-LPC.acpi-pci-hotplug-with-bridge-support=off'
+it works fine, since kernel attempts to reassign unused resources.
+
+Use the same machinery as native PCIe hotplug to (re)assign resources.
+
+Link: https://lore.kernel.org/r/20230424191557.2464760-1-imammedo@redhat.com
+Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Rafael J. Wysocki <rafael@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/acpiphp_glue.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c
+index 6efa3d8db9a56..393f341d9d764 100644
+--- a/drivers/pci/hotplug/acpiphp_glue.c
++++ b/drivers/pci/hotplug/acpiphp_glue.c
+@@ -490,7 +490,6 @@ static void enable_slot(struct acpiphp_slot *slot, bool bridge)
+                               acpiphp_native_scan_bridge(dev);
+               }
+       } else {
+-              LIST_HEAD(add_list);
+               int max, pass;
+ 
+               acpiphp_rescan_slot(slot);
+@@ -504,12 +503,10 @@ static void enable_slot(struct acpiphp_slot *slot, bool bridge)
+                               if (pass && dev->subordinate) {
+                                       check_hotplug_bridge(slot, dev);
+                                       pcibios_resource_survey_bus(dev->subordinate);
+-                                      __pci_bus_size_bridges(dev->subordinate,
+-                                                             &add_list);
+                               }
+                       }
+               }
+-              __pci_bus_assign_resources(bus, &add_list, NULL);
++              pci_assign_unassigned_bridge_resources(bus->self);
+       }
+ 
+       acpiphp_sanitize_bus(bus);
+-- 
+2.40.1
+

diff --git a/queue-6.1/revert-ice-fix-ice-vf-reset-during-iavf-initializati.patch b/queue-6.1/revert-ice-fix-ice-vf-reset-during-iavf-initializati.patch
new file mode 100644 (file)
index 0000000..49f8e74
--- /dev/null
+++ b/queue-6.1/revert-ice-fix-ice-vf-reset-during-iavf-initializati.patch
@@ -0,0 +1,131 @@
+From 6bb351bfa464afdba197f25bd8b136543ed98b3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 10:07:01 +0200
+Subject: Revert "ice: Fix ice VF reset during iavf initialization"
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 0ecff05e6c59dd82dbcb9706db911f7fd9f40fb8 ]
+
+This reverts commit 7255355a0636b4eff08d5e8139c77d98f151c4fc.
+
+After this commit we are not able to attach VF to VM:
+virsh attach-interface v0 hostdev --managed 0000:41:01.0 --mac 52:52:52:52:52:52
+error: Failed to attach interface
+error: Cannot set interface MAC to 52:52:52:52:52:52 for ifname enp65s0f0np0 vf 0: Resource temporarily unavailable
+
+ice_check_vf_ready_for_cfg() already contain waiting for reset.
+New condition in ice_check_vf_ready_for_reset() causing only problems.
+
+Fixes: 7255355a0636 ("ice: Fix ice VF reset during iavf initialization")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sriov.c    |  8 ++++----
+ drivers/net/ethernet/intel/ice/ice_vf_lib.c   | 19 -------------------
+ drivers/net/ethernet/intel/ice/ice_vf_lib.h   |  1 -
+ drivers/net/ethernet/intel/ice/ice_virtchnl.c |  1 -
+ 4 files changed, 4 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
+index b8c31bf721ad1..b719e9a771e36 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -1240,7 +1240,7 @@ int ice_set_vf_spoofchk(struct net_device *netdev, int vf_id, bool ena)
+       if (!vf)
+               return -EINVAL;
+ 
+-      ret = ice_check_vf_ready_for_reset(vf);
++      ret = ice_check_vf_ready_for_cfg(vf);
+       if (ret)
+               goto out_put_vf;
+ 
+@@ -1355,7 +1355,7 @@ int ice_set_vf_mac(struct net_device *netdev, int vf_id, u8 *mac)
+               goto out_put_vf;
+       }
+ 
+-      ret = ice_check_vf_ready_for_reset(vf);
++      ret = ice_check_vf_ready_for_cfg(vf);
+       if (ret)
+               goto out_put_vf;
+ 
+@@ -1409,7 +1409,7 @@ int ice_set_vf_trust(struct net_device *netdev, int vf_id, bool trusted)
+               return -EOPNOTSUPP;
+       }
+ 
+-      ret = ice_check_vf_ready_for_reset(vf);
++      ret = ice_check_vf_ready_for_cfg(vf);
+       if (ret)
+               goto out_put_vf;
+ 
+@@ -1722,7 +1722,7 @@ ice_set_vf_port_vlan(struct net_device *netdev, int vf_id, u16 vlan_id, u8 qos,
+       if (!vf)
+               return -EINVAL;
+ 
+-      ret = ice_check_vf_ready_for_reset(vf);
++      ret = ice_check_vf_ready_for_cfg(vf);
+       if (ret)
+               goto out_put_vf;
+ 
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+index 71047fc341392..86abbcb480d9d 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+@@ -185,25 +185,6 @@ int ice_check_vf_ready_for_cfg(struct ice_vf *vf)
+       return 0;
+ }
+ 
+-/**
+- * ice_check_vf_ready_for_reset - check if VF is ready to be reset
+- * @vf: VF to check if it's ready to be reset
+- *
+- * The purpose of this function is to ensure that the VF is not in reset,
+- * disabled, and is both initialized and active, thus enabling us to safely
+- * initialize another reset.
+- */
+-int ice_check_vf_ready_for_reset(struct ice_vf *vf)
+-{
+-      int ret;
+-
+-      ret = ice_check_vf_ready_for_cfg(vf);
+-      if (!ret && !test_bit(ICE_VF_STATE_ACTIVE, vf->vf_states))
+-              ret = -EAGAIN;
+-
+-      return ret;
+-}
+-
+ /**
+  * ice_trigger_vf_reset - Reset a VF on HW
+  * @vf: pointer to the VF structure
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.h b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+index e5bed85724622..9f7fcd8e5714b 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.h
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+@@ -214,7 +214,6 @@ u16 ice_get_num_vfs(struct ice_pf *pf);
+ struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf);
+ bool ice_is_vf_disabled(struct ice_vf *vf);
+ int ice_check_vf_ready_for_cfg(struct ice_vf *vf);
+-int ice_check_vf_ready_for_reset(struct ice_vf *vf);
+ void ice_set_vf_state_dis(struct ice_vf *vf);
+ bool ice_is_any_vf_in_unicast_promisc(struct ice_pf *pf);
+ void
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+index ef3c709d6a750..2b4c791b6cbad 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+@@ -3722,7 +3722,6 @@ void ice_vc_process_vf_msg(struct ice_pf *pf, struct ice_rq_event_info *event)
+               ice_vc_notify_vf_link_state(vf);
+               break;
+       case VIRTCHNL_OP_RESET_VF:
+-              clear_bit(ICE_VF_STATE_ACTIVE, vf->vf_states);
+               ops->reset_vf(vf);
+               break;
+       case VIRTCHNL_OP_ADD_ETH_ADDR:
+-- 
+2.40.1
+

diff --git a/queue-6.1/rtnetlink-reject-negative-ifindexes-in-rtm_newlink.patch b/queue-6.1/rtnetlink-reject-negative-ifindexes-in-rtm_newlink.patch
new file mode 100644 (file)
index 0000000..c2a28c7
--- /dev/null
+++ b/queue-6.1/rtnetlink-reject-negative-ifindexes-in-rtm_newlink.patch
@@ -0,0 +1,68 @@
+From a2da68952557873031be8a43ec7c36617db5364a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Aug 2023 09:43:48 +0300
+Subject: rtnetlink: Reject negative ifindexes in RTM_NEWLINK
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 30188bd7838c16a98a520db1fe9df01ffc6ed368 ]
+
+Negative ifindexes are illegal, but the kernel does not validate the
+ifindex in the ancillary header of RTM_NEWLINK messages, resulting in
+the kernel generating a warning [1] when such an ifindex is specified.
+
+Fix by rejecting negative ifindexes.
+
+[1]
+WARNING: CPU: 0 PID: 5031 at net/core/dev.c:9593 dev_index_reserve+0x1a2/0x1c0 net/core/dev.c:9593
+[...]
+Call Trace:
+ <TASK>
+ register_netdevice+0x69a/0x1490 net/core/dev.c:10081
+ br_dev_newlink+0x27/0x110 net/bridge/br_netlink.c:1552
+ rtnl_newlink_create net/core/rtnetlink.c:3471 [inline]
+ __rtnl_newlink+0x115e/0x18c0 net/core/rtnetlink.c:3688
+ rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3701
+ rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6427
+ netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
+ netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
+ netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
+ sock_sendmsg_nosec net/socket.c:728 [inline]
+ sock_sendmsg+0xd9/0x180 net/socket.c:751
+ ____sys_sendmsg+0x6ac/0x940 net/socket.c:2538
+ ___sys_sendmsg+0x135/0x1d0 net/socket.c:2592
+ __sys_sendmsg+0x117/0x1e0 net/socket.c:2621
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 38f7b870d4a6 ("[RTNETLINK]: Link creation API")
+Reported-by: syzbot+5ba06978f34abb058571@syzkaller.appspotmail.com
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20230823064348.2252280-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 48e300a144ad6..9d4507aa736b7 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3465,6 +3465,9 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+       if (ifm->ifi_index > 0) {
+               link_specified = true;
+               dev = __dev_get_by_index(net, ifm->ifi_index);
++      } else if (ifm->ifi_index < 0) {
++              NL_SET_ERR_MSG(extack, "ifindex can't be negative");
++              return -EINVAL;
+       } else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME]) {
+               link_specified = true;
+               dev = rtnl_dev_get(net, tb);
+-- 
+2.40.1
+

diff --git a/queue-6.1/s390-zcrypt-fix-reply-buffer-calculations-for-cca-re.patch b/queue-6.1/s390-zcrypt-fix-reply-buffer-calculations-for-cca-re.patch
new file mode 100644 (file)
index 0000000..6e1be2e
--- /dev/null
+++ b/queue-6.1/s390-zcrypt-fix-reply-buffer-calculations-for-cca-re.patch
@@ -0,0 +1,99 @@
+From 191f5e2f120ce8c0e4107daf0bbac81923c41ba8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jul 2023 16:55:29 +0200
+Subject: s390/zcrypt: fix reply buffer calculations for CCA replies
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 4cfca532ddc3474b3fc42592d0e4237544344b1a ]
+
+The length information for available buffer space for CCA
+replies is covered with two fields in the T6 header prepended
+on each CCA reply: fromcardlen1 and fromcardlen2. The sum of
+these both values must not exceed the AP bus limit for this
+card (24KB for CEX8, 12KB CEX7 and older) minus the always
+present headers.
+
+The current code adjusted the fromcardlen2 value in case
+of exceeding the AP bus limit when there was a non-zero
+value given from userspace. Some tests now showed that this
+was the wrong assumption. Instead the userspace value given for
+this field should always be trusted and if the sum of the
+two fields exceeds the AP bus limit for this card the first
+field fromcardlen1 should be adjusted instead.
+
+So now the calculation is done with this new insight in mind.
+Also some additional checks for overflow have been introduced
+and some comments to provide some documentation for future
+maintainers of this complicated calculation code.
+
+Furthermore the 128 bytes of fix overhead which is used
+in the current code is not correct. Investigations showed
+that for a reply always the same two header structs are
+prepended before a possible payload. So this is also fixed
+with this patch.
+
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_msgtype6.c | 35 ++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/s390/crypto/zcrypt_msgtype6.c b/drivers/s390/crypto/zcrypt_msgtype6.c
+index 37c01aaa21a2b..84e3ad290f6ba 100644
+--- a/drivers/s390/crypto/zcrypt_msgtype6.c
++++ b/drivers/s390/crypto/zcrypt_msgtype6.c
+@@ -1154,23 +1154,36 @@ static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
+                                     struct ica_xcRB *xcrb,
+                                     struct ap_message *ap_msg)
+ {
+-      int rc;
+       struct response_type *rtype = ap_msg->private;
+       struct {
+               struct type6_hdr hdr;
+               struct CPRBX cprbx;
+               /* ... more data blocks ... */
+       } __packed * msg = ap_msg->msg;
+-
+-      /*
+-       * Set the queue's reply buffer length minus 128 byte padding
+-       * as reply limit for the card firmware.
+-       */
+-      msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
+-                                    zq->reply.bufsize - 128);
+-      if (msg->hdr.fromcardlen2)
+-              msg->hdr.fromcardlen2 =
+-                      zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
++      unsigned int max_payload_size;
++      int rc, delta;
++
++      /* calculate maximum payload for this card and msg type */
++      max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg);
++
++      /* limit each of the two from fields to the maximum payload size */
++      msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size);
++      msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size);
++
++      /* calculate delta if the sum of both exceeds max payload size */
++      delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2
++              - max_payload_size;
++      if (delta > 0) {
++              /*
++               * Sum exceeds maximum payload size, prune fromcardlen1
++               * (always trust fromcardlen2)
++               */
++              if (delta > msg->hdr.fromcardlen1) {
++                      rc = -EINVAL;
++                      goto out;
++              }
++              msg->hdr.fromcardlen1 -= delta;
++      }
+ 
+       init_completion(&rtype->work);
+       rc = ap_queue_message(zq->queue, ap_msg);
+-- 
+2.40.1
+

diff --git a/queue-6.1/s390-zcrypt-remove-unnecessary-void-conversions.patch b/queue-6.1/s390-zcrypt-remove-unnecessary-void-conversions.patch
new file mode 100644 (file)
index 0000000..5f52af6
--- /dev/null
+++ b/queue-6.1/s390-zcrypt-remove-unnecessary-void-conversions.patch
@@ -0,0 +1,76 @@
+From 1e11becda0bcdb7579adc930f914d8566a4a0981 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 13:21:55 +0800
+Subject: s390/zcrypt: remove unnecessary (void *) conversions
+
+From: Yu Zhe <yuzhe@nfschina.com>
+
+[ Upstream commit 72c2112ce9d72e6c40dd893f32187a3d34453113 ]
+
+Pointer variables of void * type do not require type cast.
+
+Signed-off-by: Yu Zhe <yuzhe@nfschina.com>
+Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/r/20230303052155.21072-1-yuzhe@nfschina.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Stable-dep-of: 4cfca532ddc3 ("s390/zcrypt: fix reply buffer calculations for CCA replies")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_msgtype6.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/s390/crypto/zcrypt_msgtype6.c b/drivers/s390/crypto/zcrypt_msgtype6.c
+index f99a9ef42116f..37c01aaa21a2b 100644
+--- a/drivers/s390/crypto/zcrypt_msgtype6.c
++++ b/drivers/s390/crypto/zcrypt_msgtype6.c
+@@ -926,8 +926,7 @@ static void zcrypt_msgtype6_receive(struct ap_queue *aq,
+               .type = TYPE82_RSP_CODE,
+               .reply_code = REP82_ERROR_MACHINE_FAILURE,
+       };
+-      struct response_type *resp_type =
+-              (struct response_type *)msg->private;
++      struct response_type *resp_type = msg->private;
+       struct type86x_reply *t86r;
+       int len;
+ 
+@@ -982,8 +981,7 @@ static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
+               .type = TYPE82_RSP_CODE,
+               .reply_code = REP82_ERROR_MACHINE_FAILURE,
+       };
+-      struct response_type *resp_type =
+-              (struct response_type *)msg->private;
++      struct response_type *resp_type = msg->private;
+       struct type86_ep11_reply *t86r;
+       int len;
+ 
+@@ -1157,7 +1155,7 @@ static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
+                                     struct ap_message *ap_msg)
+ {
+       int rc;
+-      struct response_type *rtype = (struct response_type *)(ap_msg->private);
++      struct response_type *rtype = ap_msg->private;
+       struct {
+               struct type6_hdr hdr;
+               struct CPRBX cprbx;
+@@ -1243,7 +1241,7 @@ static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *
+ {
+       int rc;
+       unsigned int lfmt;
+-      struct response_type *rtype = (struct response_type *)(ap_msg->private);
++      struct response_type *rtype = ap_msg->private;
+       struct {
+               struct type6_hdr hdr;
+               struct ep11_cprb cprbx;
+@@ -1365,7 +1363,7 @@ static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
+               short int verb_length;
+               short int key_length;
+       } __packed * msg = ap_msg->msg;
+-      struct response_type *rtype = (struct response_type *)(ap_msg->private);
++      struct response_type *rtype = ap_msg->private;
+       int rc;
+ 
+       msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
+-- 
+2.40.1
+

diff --git a/queue-6.1/selftests-bonding-do-not-set-port-down-before-adding.patch b/queue-6.1/selftests-bonding-do-not-set-port-down-before-adding.patch
new file mode 100644 (file)
index 0000000..405ede2
--- /dev/null
+++ b/queue-6.1/selftests-bonding-do-not-set-port-down-before-adding.patch
@@ -0,0 +1,48 @@
+From 36fd7c636efa528035dc9b8abc4249b7e009b470 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 16:24:59 +0800
+Subject: selftests: bonding: do not set port down before adding to bond
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit be809424659c2844a2d7ab653aacca4898538023 ]
+
+Before adding a port to bond, it need to be set down first. In the
+lacpdu test the author set the port down specifically. But commit
+a4abfa627c38 ("net: rtnetlink: Enslave device before bringing it up")
+changed the operation order, the kernel will set the port down _after_
+adding to bond. So all the ports will be down at last and the test failed.
+
+In fact, the veth interfaces are already inactive when added. This
+means there's no need to set them down again before adding to the bond.
+Let's just remove the link down operation.
+
+Fixes: a4abfa627c38 ("net: rtnetlink: Enslave device before bringing it up")
+Reported-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Closes: https://lore.kernel.org/netdev/a0ef07c7-91b0-94bd-240d-944a330fcabd@huawei.com/
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20230817082459.1685972-1-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh     | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh
+index 47ab90596acb2..6358df5752f90 100755
+--- a/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh
++++ b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh
+@@ -57,8 +57,8 @@ ip link add name veth2-bond type veth peer name veth2-end
+ 
+ # add ports
+ ip link set fbond master fab-br0
+-ip link set veth1-bond down master fbond
+-ip link set veth2-bond down master fbond
++ip link set veth1-bond master fbond
++ip link set veth2-bond master fbond
+ 
+ # bring up
+ ip link set veth1-end up
+-- 
+2.40.1
+

diff --git a/queue-6.1/selftests-mlxsw-fix-test-failure-on-spectrum-4.patch b/queue-6.1/selftests-mlxsw-fix-test-failure-on-spectrum-4.patch
new file mode 100644 (file)
index 0000000..337d8cf
--- /dev/null
+++ b/queue-6.1/selftests-mlxsw-fix-test-failure-on-spectrum-4.patch
@@ -0,0 +1,83 @@
+From d05916794f6280d99e9f18799b432fe97909f1b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 15:58:25 +0200
+Subject: selftests: mlxsw: Fix test failure on Spectrum-4
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit f520489e99a35b0a5257667274fbe9afd2d8c50b ]
+
+Remove assumptions about shared buffer cell size and instead query the
+cell size from devlink. Adjust the test to send small packets that fit
+inside a single cell.
+
+Tested on Spectrum-{1,2,3,4}.
+
+Fixes: 4735402173e6 ("mlxsw: spectrum: Extend to support Spectrum-4 ASIC")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/f7dfbf3c4d1cb23838d9eb99bab09afaa320c4ca.1692268427.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/drivers/net/mlxsw/sharedbuffer.sh  | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
+index 7d9e73a43a49b..0c47faff9274b 100755
+--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
+@@ -98,12 +98,12 @@ sb_occ_etc_check()
+ 
+ port_pool_test()
+ {
+-      local exp_max_occ=288
++      local exp_max_occ=$(devlink_cell_size_get)
+       local max_occ
+ 
+       devlink sb occupancy clearmax $DEVLINK_DEV
+ 
+-      $MZ $h1 -c 1 -p 160 -a $h1mac -b $h2mac -A 192.0.1.1 -B 192.0.1.2 \
++      $MZ $h1 -c 1 -p 10 -a $h1mac -b $h2mac -A 192.0.1.1 -B 192.0.1.2 \
+               -t ip -q
+ 
+       devlink sb occupancy snapshot $DEVLINK_DEV
+@@ -126,12 +126,12 @@ port_pool_test()
+ 
+ port_tc_ip_test()
+ {
+-      local exp_max_occ=288
++      local exp_max_occ=$(devlink_cell_size_get)
+       local max_occ
+ 
+       devlink sb occupancy clearmax $DEVLINK_DEV
+ 
+-      $MZ $h1 -c 1 -p 160 -a $h1mac -b $h2mac -A 192.0.1.1 -B 192.0.1.2 \
++      $MZ $h1 -c 1 -p 10 -a $h1mac -b $h2mac -A 192.0.1.1 -B 192.0.1.2 \
+               -t ip -q
+ 
+       devlink sb occupancy snapshot $DEVLINK_DEV
+@@ -154,16 +154,12 @@ port_tc_ip_test()
+ 
+ port_tc_arp_test()
+ {
+-      local exp_max_occ=96
++      local exp_max_occ=$(devlink_cell_size_get)
+       local max_occ
+ 
+-      if [[ $MLXSW_CHIP != "mlxsw_spectrum" ]]; then
+-              exp_max_occ=144
+-      fi
+-
+       devlink sb occupancy clearmax $DEVLINK_DEV
+ 
+-      $MZ $h1 -c 1 -p 160 -a $h1mac -A 192.0.1.1 -t arp -q
++      $MZ $h1 -c 1 -p 10 -a $h1mac -A 192.0.1.1 -t arp -q
+ 
+       devlink sb occupancy snapshot $DEVLINK_DEV
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/series b/queue-6.1/series
index 20944b76ca81dc9c27c6b61f644a6677a788bf92..710690e9cadef79ae048806d1adc42685f7e753b 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -1 +1,55 @@
 objtool-x86-fix-srso-mess.patch
+nfsv4.2-fix-error-handling-in-nfs42_proc_getxattr.patch
+nfsv4-fix-out-path-in-__nfs4_get_acl_uncached.patch
+xprtrdma-remap-receive-buffers-after-a-reconnect.patch
+drm-ast-use-drm_aperture_remove_conflicting_pci_fram.patch
+fbdev-radeon-use-pci-aperture-helpers.patch
+drm-gma500-use-drm_aperture_remove_conflicting_pci_f.patch
+drm-aperture-remove-primary-argument.patch
+video-aperture-only-kick-vgacon-when-the-pdev-is-dec.patch
+video-aperture-move-vga-handling-to-pci-function.patch
+pci-acpiphp-reassign-resources-on-bridge-if-necessar.patch
+mips-cpu-features-enable-octeon_cache-by-cpu_type.patch
+mips-cpu-features-use-boot_cpu_type-for-cpu-type-bas.patch
+jbd2-remove-t_checkpoint_io_list.patch
+jbd2-remove-journal_clean_one_cp_list.patch
+jbd2-fix-a-race-when-checking-checkpoint-buffer-busy.patch
+can-raw-fix-receiver-memory-leak.patch
+can-raw-fix-lockdep-issue-in-raw_release.patch
+s390-zcrypt-remove-unnecessary-void-conversions.patch
+s390-zcrypt-fix-reply-buffer-calculations-for-cca-re.patch
+drm-i915-add-the-gen12_needs_ccs_aux_inv-helper.patch
+drm-i915-gt-ensure-memory-quiesced-before-invalidati.patch
+drm-i915-gt-poll-aux-invalidation-register-bit-on-in.patch
+drm-i915-gt-support-aux-invalidation-on-all-engines.patch
+tracing-fix-cpu-buffers-unavailable-due-to-record_di.patch
+tracing-fix-memleak-due-to-race-between-current_trac.patch
+octeontx2-af-sdp-fix-receive-link-config.patch
+devlink-move-code-to-a-dedicated-directory.patch
+devlink-add-missing-unregister-linecard-notification.patch
+net-dsa-felix-fix-oversize-frame-dropping-for-always.patch
+sock-annotate-data-races-around-prot-memory_pressure.patch
+dccp-annotate-data-races-in-dccp_poll.patch
+ipvlan-fix-a-reference-count-leak-warning-in-ipvlan_.patch
+mlxsw-pci-set-time-stamp-fields-also-when-its-type-i.patch
+mlxsw-reg-fix-sspr-register-layout.patch
+mlxsw-fix-the-size-of-virt_router_msb.patch
+selftests-mlxsw-fix-test-failure-on-spectrum-4.patch
+net-dsa-mt7530-fix-handling-of-802.1x-pae-frames.patch
+net-bgmac-fix-return-value-check-for-fixed_phy_regis.patch
+net-bcmgenet-fix-return-value-check-for-fixed_phy_re.patch
+net-validate-veth-and-vxcan-peer-ifindexes.patch
+ipv4-fix-data-races-around-inet-inet_id.patch
+ice-fix-receive-buffer-size-miscalculation.patch
+revert-ice-fix-ice-vf-reset-during-iavf-initializati.patch
+ice-fix-null-pointer-deref-during-vf-reset.patch
+selftests-bonding-do-not-set-port-down-before-adding.patch
+can-isotp-fix-support-for-transmission-of-sf-without.patch
+igb-avoid-starting-unnecessary-workqueues.patch
+igc-fix-the-typo-in-the-ptm-control-macro.patch
+net-sched-fix-a-qdisc-modification-with-ambiguous-co.patch
+i40e-fix-potential-null-pointer-dereferencing-of-pf-.patch
+netfilter-nf_tables-flush-pending-destroy-work-befor.patch
+netfilter-nf_tables-fix-out-of-memory-error-handling.patch
+rtnetlink-reject-negative-ifindexes-in-rtm_newlink.patch
+bonding-fix-macvlan-over-alb-bond-support.patch

diff --git a/queue-6.1/sock-annotate-data-races-around-prot-memory_pressure.patch b/queue-6.1/sock-annotate-data-races-around-prot-memory_pressure.patch
new file mode 100644 (file)
index 0000000..4cb0c62
--- /dev/null
+++ b/queue-6.1/sock-annotate-data-races-around-prot-memory_pressure.patch
@@ -0,0 +1,82 @@
+From 1a64ec3477bc57c27c4bb8bdd3a128cce0dbe176 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 01:51:32 +0000
+Subject: sock: annotate data-races around prot->memory_pressure
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 76f33296d2e09f63118db78125c95ef56df438e9 ]
+
+*prot->memory_pressure is read/writen locklessly, we need
+to add proper annotations.
+
+A recent commit added a new race, it is time to audit all accesses.
+
+Fixes: 2d0c88e84e48 ("sock: Fix misuse of sk_under_memory_pressure()")
+Fixes: 4d93df0abd50 ("[SCTP]: Rewrite of sctp buffer management code")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Abel Wu <wuyun.abel@bytedance.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Link: https://lore.kernel.org/r/20230818015132.2699348-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 7 ++++---
+ net/sctp/socket.c  | 2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 699408944952c..d1f936ed97556 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1320,6 +1320,7 @@ struct proto {
+       /*
+        * Pressure flag: try to collapse.
+        * Technical note: it is used by multiple contexts non atomically.
++       * Make sure to use READ_ONCE()/WRITE_ONCE() for all reads/writes.
+        * All the __sk_mem_schedule() is of this nature: accounting
+        * is strict, actions are advisory and have some latency.
+        */
+@@ -1448,7 +1449,7 @@ static inline bool sk_has_memory_pressure(const struct sock *sk)
+ static inline bool sk_under_global_memory_pressure(const struct sock *sk)
+ {
+       return sk->sk_prot->memory_pressure &&
+-              !!*sk->sk_prot->memory_pressure;
++              !!READ_ONCE(*sk->sk_prot->memory_pressure);
+ }
+ 
+ static inline bool sk_under_memory_pressure(const struct sock *sk)
+@@ -1460,7 +1461,7 @@ static inline bool sk_under_memory_pressure(const struct sock *sk)
+           mem_cgroup_under_socket_pressure(sk->sk_memcg))
+               return true;
+ 
+-      return !!*sk->sk_prot->memory_pressure;
++      return !!READ_ONCE(*sk->sk_prot->memory_pressure);
+ }
+ 
+ static inline long
+@@ -1537,7 +1538,7 @@ proto_memory_pressure(struct proto *prot)
+ {
+       if (!prot->memory_pressure)
+               return false;
+-      return !!*prot->memory_pressure;
++      return !!READ_ONCE(*prot->memory_pressure);
+ }
+ 
+ 
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index c806d272107ac..83656fe03a0e6 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -98,7 +98,7 @@ struct percpu_counter sctp_sockets_allocated;
+ 
+ static void sctp_enter_memory_pressure(struct sock *sk)
+ {
+-      sctp_memory_pressure = 1;
++      WRITE_ONCE(sctp_memory_pressure, 1);
+ }
+ 
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/tracing-fix-cpu-buffers-unavailable-due-to-record_di.patch b/queue-6.1/tracing-fix-cpu-buffers-unavailable-due-to-record_di.patch
new file mode 100644 (file)
index 0000000..d02056b
--- /dev/null
+++ b/queue-6.1/tracing-fix-cpu-buffers-unavailable-due-to-record_di.patch
@@ -0,0 +1,73 @@
+From 2f445d8482b2b36e051090394e8f7da3b558d493 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Aug 2023 11:38:15 +0800
+Subject: tracing: Fix cpu buffers unavailable due to 'record_disabled' missed
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit b71645d6af10196c46cbe3732de2ea7d36b3ff6d ]
+
+Trace ring buffer can no longer record anything after executing
+following commands at the shell prompt:
+
+  # cd /sys/kernel/tracing
+  # cat tracing_cpumask
+  fff
+  # echo 0 > tracing_cpumask
+  # echo 1 > snapshot
+  # echo fff > tracing_cpumask
+  # echo 1 > tracing_on
+  # echo "hello world" > trace_marker
+  -bash: echo: write error: Bad file descriptor
+
+The root cause is that:
+  1. After `echo 0 > tracing_cpumask`, 'record_disabled' of cpu buffers
+     in 'tr->array_buffer.buffer' became 1 (see tracing_set_cpumask());
+  2. After `echo 1 > snapshot`, 'tr->array_buffer.buffer' is swapped
+     with 'tr->max_buffer.buffer', then the 'record_disabled' became 0
+     (see update_max_tr());
+  3. After `echo fff > tracing_cpumask`, the 'record_disabled' become -1;
+Then array_buffer and max_buffer are both unavailable due to value of
+'record_disabled' is not 0.
+
+To fix it, enable or disable both array_buffer and max_buffer at the same
+time in tracing_set_cpumask().
+
+Link: https://lkml.kernel.org/r/20230805033816.3284594-2-zhengyejian1@huawei.com
+
+Cc: <mhiramat@kernel.org>
+Cc: <vnagarnaik@google.com>
+Cc: <shuah@kernel.org>
+Fixes: 71babb2705e2 ("tracing: change CPU ring buffer state from tracing_cpumask")
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index af33c5a4166d4..d56dcd78452c3 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -5189,11 +5189,17 @@ int tracing_set_cpumask(struct trace_array *tr,
+                               !cpumask_test_cpu(cpu, tracing_cpumask_new)) {
+                       atomic_inc(&per_cpu_ptr(tr->array_buffer.data, cpu)->disabled);
+                       ring_buffer_record_disable_cpu(tr->array_buffer.buffer, cpu);
++#ifdef CONFIG_TRACER_MAX_TRACE
++                      ring_buffer_record_disable_cpu(tr->max_buffer.buffer, cpu);
++#endif
+               }
+               if (!cpumask_test_cpu(cpu, tr->tracing_cpumask) &&
+                               cpumask_test_cpu(cpu, tracing_cpumask_new)) {
+                       atomic_dec(&per_cpu_ptr(tr->array_buffer.data, cpu)->disabled);
+                       ring_buffer_record_enable_cpu(tr->array_buffer.buffer, cpu);
++#ifdef CONFIG_TRACER_MAX_TRACE
++                      ring_buffer_record_enable_cpu(tr->max_buffer.buffer, cpu);
++#endif
+               }
+       }
+       arch_spin_unlock(&tr->max_lock);
+-- 
+2.40.1
+

diff --git a/queue-6.1/tracing-fix-memleak-due-to-race-between-current_trac.patch b/queue-6.1/tracing-fix-memleak-due-to-race-between-current_trac.patch
new file mode 100644 (file)
index 0000000..a7ce805
--- /dev/null
+++ b/queue-6.1/tracing-fix-memleak-due-to-race-between-current_trac.patch
@@ -0,0 +1,122 @@
+From dce2c58987e2282794b018691066b5370b3f4d76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 20:55:39 +0800
+Subject: tracing: Fix memleak due to race between current_tracer and trace
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit eecb91b9f98d6427d4af5fdb8f108f52572a39e7 ]
+
+Kmemleak report a leak in graph_trace_open():
+
+  unreferenced object 0xffff0040b95f4a00 (size 128):
+    comm "cat", pid 204981, jiffies 4301155872 (age 99771.964s)
+    hex dump (first 32 bytes):
+      e0 05 e7 b4 ab 7d 00 00 0b 00 01 00 00 00 00 00 .....}..........
+      f4 00 01 10 00 a0 ff ff 00 00 00 00 65 00 10 00 ............e...
+    backtrace:
+      [<000000005db27c8b>] kmem_cache_alloc_trace+0x348/0x5f0
+      [<000000007df90faa>] graph_trace_open+0xb0/0x344
+      [<00000000737524cd>] __tracing_open+0x450/0xb10
+      [<0000000098043327>] tracing_open+0x1a0/0x2a0
+      [<00000000291c3876>] do_dentry_open+0x3c0/0xdc0
+      [<000000004015bcd6>] vfs_open+0x98/0xd0
+      [<000000002b5f60c9>] do_open+0x520/0x8d0
+      [<00000000376c7820>] path_openat+0x1c0/0x3e0
+      [<00000000336a54b5>] do_filp_open+0x14c/0x324
+      [<000000002802df13>] do_sys_openat2+0x2c4/0x530
+      [<0000000094eea458>] __arm64_sys_openat+0x130/0x1c4
+      [<00000000a71d7881>] el0_svc_common.constprop.0+0xfc/0x394
+      [<00000000313647bf>] do_el0_svc+0xac/0xec
+      [<000000002ef1c651>] el0_svc+0x20/0x30
+      [<000000002fd4692a>] el0_sync_handler+0xb0/0xb4
+      [<000000000c309c35>] el0_sync+0x160/0x180
+
+The root cause is descripted as follows:
+
+  __tracing_open() {  // 1. File 'trace' is being opened;
+    ...
+    *iter->trace = *tr->current_trace;  // 2. Tracer 'function_graph' is
+                                        //    currently set;
+    ...
+    iter->trace->open(iter);  // 3. Call graph_trace_open() here,
+                              //    and memory are allocated in it;
+    ...
+  }
+
+  s_start() {  // 4. The opened file is being read;
+    ...
+    *iter->trace = *tr->current_trace;  // 5. If tracer is switched to
+                                        //    'nop' or others, then memory
+                                        //    in step 3 are leaked!!!
+    ...
+  }
+
+To fix it, in s_start(), close tracer before switching then reopen the
+new tracer after switching. And some tracers like 'wakeup' may not update
+'iter->private' in some cases when reopen, then it should be cleared
+to avoid being mistakenly closed again.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230817125539.1646321-1-zhengyejian1@huawei.com
+
+Fixes: d7350c3f4569 ("tracing/core: make the read callbacks reentrants")
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.c              | 9 ++++++++-
+ kernel/trace/trace_irqsoff.c      | 3 ++-
+ kernel/trace/trace_sched_wakeup.c | 2 ++
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index d56dcd78452c3..1a87cb70f1eb5 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4128,8 +4128,15 @@ static void *s_start(struct seq_file *m, loff_t *pos)
+        * will point to the same string as current_trace->name.
+        */
+       mutex_lock(&trace_types_lock);
+-      if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name))
++      if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name)) {
++              /* Close iter->trace before switching to the new current tracer */
++              if (iter->trace->close)
++                      iter->trace->close(iter);
+               *iter->trace = *tr->current_trace;
++              /* Reopen the new current tracer */
++              if (iter->trace->open)
++                      iter->trace->open(iter);
++      }
+       mutex_unlock(&trace_types_lock);
+ 
+ #ifdef CONFIG_TRACER_MAX_TRACE
+diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c
+index 590b3d51afae9..ba37f768e2f27 100644
+--- a/kernel/trace/trace_irqsoff.c
++++ b/kernel/trace/trace_irqsoff.c
+@@ -231,7 +231,8 @@ static void irqsoff_trace_open(struct trace_iterator *iter)
+ {
+       if (is_graph(iter->tr))
+               graph_trace_open(iter);
+-
++      else
++              iter->private = NULL;
+ }
+ 
+ static void irqsoff_trace_close(struct trace_iterator *iter)
+diff --git a/kernel/trace/trace_sched_wakeup.c b/kernel/trace/trace_sched_wakeup.c
+index 330aee1c1a49e..0469a04a355f2 100644
+--- a/kernel/trace/trace_sched_wakeup.c
++++ b/kernel/trace/trace_sched_wakeup.c
+@@ -168,6 +168,8 @@ static void wakeup_trace_open(struct trace_iterator *iter)
+ {
+       if (is_graph(iter->tr))
+               graph_trace_open(iter);
++      else
++              iter->private = NULL;
+ }
+ 
+ static void wakeup_trace_close(struct trace_iterator *iter)
+-- 
+2.40.1
+

diff --git a/queue-6.1/video-aperture-move-vga-handling-to-pci-function.patch b/queue-6.1/video-aperture-move-vga-handling-to-pci-function.patch
new file mode 100644 (file)
index 0000000..06b821a
--- /dev/null
+++ b/queue-6.1/video-aperture-move-vga-handling-to-pci-function.patch
@@ -0,0 +1,83 @@
+From 565248ca86de0e5bfba7d14375c4647e51cd583f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 15:21:05 +0200
+Subject: video/aperture: Move vga handling to pci function
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit f1d599d315fb7b7343cddaf365e671aaa8453aca ]
+
+A few reasons for this:
+
+- It's really the only one where this matters. I tried looking around,
+  and I didn't find any non-pci vga-compatible controllers for x86
+  (since that's the only platform where we had this until a few
+  patches ago), where a driver participating in the aperture claim
+  dance would interfere.
+
+- I also don't expect that any future bus anytime soon will
+  not just look like pci towards the OS, that's been the case for like
+  25+ years by now for practically everything (even non non-x86).
+
+- Also it's a bit funny if we have one part of the vga removal in the
+  pci function, and the other in the generic one.
+
+v2: Rebase.
+
+v4:
+- fix Daniel's S-o-b address
+
+v5:
+- add back an S-o-b tag with Daniel's Intel address
+
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-fbdev@vger.kernel.org
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230406132109.32050-6-tzimmermann@suse.de
+Stable-dep-of: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/aperture.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/video/aperture.c b/drivers/video/aperture.c
+index 7ea18086e6599..3e4a1f55f51b3 100644
+--- a/drivers/video/aperture.c
++++ b/drivers/video/aperture.c
+@@ -298,14 +298,6 @@ int aperture_remove_conflicting_devices(resource_size_t base, resource_size_t si
+ 
+       aperture_detach_devices(base, size);
+ 
+-      /*
+-       * If this is the primary adapter, there could be a VGA device
+-       * that consumes the VGA framebuffer I/O range. Remove this device
+-       * as well.
+-       */
+-      if (primary)
+-              aperture_detach_devices(VGA_FB_PHYS_BASE, VGA_FB_PHYS_SIZE);
+-
+       return 0;
+ }
+ EXPORT_SYMBOL(aperture_remove_conflicting_devices);
+@@ -345,6 +337,13 @@ int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *na
+       }
+ 
+       if (primary) {
++              /*
++               * If this is the primary adapter, there could be a VGA device
++               * that consumes the VGA framebuffer I/O range. Remove this
++               * device as well.
++               */
++              aperture_detach_devices(VGA_FB_PHYS_BASE, VGA_FB_PHYS_SIZE);
++
+               /*
+                * WARNING: Apparently we must kick fbdev drivers before vgacon,
+                * otherwise the vga fbdev driver falls over.
+-- 
+2.40.1
+

diff --git a/queue-6.1/video-aperture-only-kick-vgacon-when-the-pdev-is-dec.patch b/queue-6.1/video-aperture-only-kick-vgacon-when-the-pdev-is-dec.patch
new file mode 100644 (file)
index 0000000..cbf885d
--- /dev/null
+++ b/queue-6.1/video-aperture-only-kick-vgacon-when-the-pdev-is-dec.patch
@@ -0,0 +1,70 @@
+From dbfa373a160f702e4c379e29134c7df29ac61e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 15:21:04 +0200
+Subject: video/aperture: Only kick vgacon when the pdev is decoding vga
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 7450cd235b45d43ee6f3c235f89e92623458175d ]
+
+Otherwise it's a bit silly, and we might throw out the driver for the
+screen the user is actually looking at. I haven't found a bug report
+for this case yet, but we did get bug reports for the analog case
+where we're throwing out the efifb driver.
+
+v2: Flip the check around to make it clear it's a special case for
+kicking out the vgacon driver only (Thomas)
+
+v4:
+- fixes to commit message
+- fix Daniel's S-o-b address
+
+v5:
+- add back an S-o-b tag with Daniel's Intel address
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216303
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-fbdev@vger.kernel.org
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230406132109.32050-5-tzimmermann@suse.de
+Stable-dep-of: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/aperture.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/video/aperture.c b/drivers/video/aperture.c
+index 5c94abdb1ad6d..7ea18086e6599 100644
+--- a/drivers/video/aperture.c
++++ b/drivers/video/aperture.c
+@@ -344,13 +344,15 @@ int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *na
+               aperture_detach_devices(base, size);
+       }
+ 
+-      /*
+-       * WARNING: Apparently we must kick fbdev drivers before vgacon,
+-       * otherwise the vga fbdev driver falls over.
+-       */
+-      ret = vga_remove_vgacon(pdev);
+-      if (ret)
+-              return ret;
++      if (primary) {
++              /*
++               * WARNING: Apparently we must kick fbdev drivers before vgacon,
++               * otherwise the vga fbdev driver falls over.
++               */
++              ret = vga_remove_vgacon(pdev);
++              if (ret)
++                      return ret;
++      }
+ 
+       return 0;
+ 
+-- 
+2.40.1
+

diff --git a/queue-6.1/xprtrdma-remap-receive-buffers-after-a-reconnect.patch b/queue-6.1/xprtrdma-remap-receive-buffers-after-a-reconnect.patch
new file mode 100644 (file)
index 0000000..784ea9a
--- /dev/null
+++ b/queue-6.1/xprtrdma-remap-receive-buffers-after-a-reconnect.patch
@@ -0,0 +1,60 @@
+From ac07ae93154713b859299d26f5d904060e2a95c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jul 2023 14:18:29 -0400
+Subject: xprtrdma: Remap Receive buffers after a reconnect
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 895cedc1791916e8a98864f12b656702fad0bb67 ]
+
+On server-initiated disconnect, rpcrdma_xprt_disconnect() was DMA-
+unmapping the Receive buffers, but rpcrdma_post_recvs() neglected
+to remap them after a new connection had been established. The
+result was immediate failure of the new connection with the Receives
+flushing with LOCAL_PROT_ERR.
+
+Fixes: 671c450b6fe0 ("xprtrdma: Fix oops in Receive handler after device removal")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtrdma/verbs.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
+index b098fde373abf..28c0771c4e8c3 100644
+--- a/net/sunrpc/xprtrdma/verbs.c
++++ b/net/sunrpc/xprtrdma/verbs.c
+@@ -935,9 +935,6 @@ struct rpcrdma_rep *rpcrdma_rep_create(struct rpcrdma_xprt *r_xprt,
+       if (!rep->rr_rdmabuf)
+               goto out_free;
+ 
+-      if (!rpcrdma_regbuf_dma_map(r_xprt, rep->rr_rdmabuf))
+-              goto out_free_regbuf;
+-
+       rep->rr_cid.ci_completion_id =
+               atomic_inc_return(&r_xprt->rx_ep->re_completion_ids);
+ 
+@@ -956,8 +953,6 @@ struct rpcrdma_rep *rpcrdma_rep_create(struct rpcrdma_xprt *r_xprt,
+       spin_unlock(&buf->rb_lock);
+       return rep;
+ 
+-out_free_regbuf:
+-      rpcrdma_regbuf_free(rep->rr_rdmabuf);
+ out_free:
+       kfree(rep);
+ out:
+@@ -1363,6 +1358,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp)
+                       rep = rpcrdma_rep_create(r_xprt, temp);
+               if (!rep)
+                       break;
++              if (!rpcrdma_regbuf_dma_map(r_xprt, rep->rr_rdmabuf)) {
++                      rpcrdma_rep_put(buf, rep);
++                      break;
++              }
+ 
+               rep->rr_cid.ci_queue_id = ep->re_attr.recv_cq->res.id;
+               trace_xprtrdma_post_recv(rep);
+-- 
+2.40.1
+