Fixes for 6.1

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-6.1/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch b/queue-6.1/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch
new file mode 100644 (file)
index 0000000..eb95461
--- /dev/null
+++ b/queue-6.1/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch
@@ -0,0 +1,58 @@
+From e07f8f73bafa6ed7d0855e942a7f4c0de2ca8116 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 18:03:07 +0000
+Subject: ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rubén Gómez <mrgommer@proton.me>
+
+[ Upstream commit 71a485624c4cbb144169852d7bb8ca8c0667d7a3 ]
+
+Add an ACPI IRQ override quirk for LG UltraPC 17U70P to address the
+internal keyboard problem on it.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213031
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216983
+Signed-off-by: Rubén Gómez Agudo <mrgommer@proton.me>
+[ rjw: Subject, changelog, white space damage fixes ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index d08818baea88f..a7f12bdbc5e25 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -502,6 +502,17 @@ static const struct dmi_system_id maingear_laptop[] = {
+       { }
+ };
+ 
++static const struct dmi_system_id lg_laptop[] = {
++      {
++              .ident = "LG Electronics 17U70P",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "LG Electronics"),
++                      DMI_MATCH(DMI_BOARD_NAME, "17U70P"),
++              },
++      },
++      { }
++};
++
+ struct irq_override_cmp {
+       const struct dmi_system_id *system;
+       unsigned char irq;
+@@ -518,6 +529,7 @@ static const struct irq_override_cmp override_table[] = {
+       { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
+       { tongfang_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true },
+       { maingear_laptop, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true },
++      { lg_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false },
+ };
+ 
+ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity,
+-- 
+2.39.2
+

diff --git a/queue-6.1/af_packet-do-not-use-read_once-in-packet_bind.patch b/queue-6.1/af_packet-do-not-use-read_once-in-packet_bind.patch
new file mode 100644 (file)
index 0000000..f45b71d
--- /dev/null
+++ b/queue-6.1/af_packet-do-not-use-read_once-in-packet_bind.patch
@@ -0,0 +1,64 @@
+From b6d3fb2886ca9474e39248c7e63faaad5a5dbb92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 15:43:42 +0000
+Subject: af_packet: do not use READ_ONCE() in packet_bind()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6ffc57ea004234d9373c57b204fd10370a69f392 ]
+
+A recent patch added READ_ONCE() in packet_bind() and packet_bind_spkt()
+
+This is better handled by reading pkt_sk(sk)->num later
+in packet_do_bind() while appropriate lock is held.
+
+READ_ONCE() in writers are often an evidence of something being wrong.
+
+Fixes: 822b5a1c17df ("af_packet: Fix data-races of pkt_sk(sk)->num.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230526154342.2533026-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index c75191b0c82ba..6ab9d5b543387 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3193,6 +3193,9 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
+ 
+       lock_sock(sk);
+       spin_lock(&po->bind_lock);
++      if (!proto)
++              proto = po->num;
++
+       rcu_read_lock();
+ 
+       if (po->fanout) {
+@@ -3291,7 +3294,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
+       memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data));
+       name[sizeof(uaddr->sa_data)] = 0;
+ 
+-      return packet_do_bind(sk, name, 0, READ_ONCE(pkt_sk(sk)->num));
++      return packet_do_bind(sk, name, 0, 0);
+ }
+ 
+ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+@@ -3308,8 +3311,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len
+       if (sll->sll_family != AF_PACKET)
+               return -EINVAL;
+ 
+-      return packet_do_bind(sk, NULL, sll->sll_ifindex,
+-                            sll->sll_protocol ? : READ_ONCE(pkt_sk(sk)->num));
++      return packet_do_bind(sk, NULL, sll->sll_ifindex, sll->sll_protocol);
+ }
+ 
+ static struct proto packet_proto = {
+-- 
+2.39.2
+

diff --git a/queue-6.1/af_packet-fix-data-races-of-pkt_sk-sk-num.patch b/queue-6.1/af_packet-fix-data-races-of-pkt_sk-sk-num.patch
new file mode 100644 (file)
index 0000000..2baf88b
--- /dev/null
+++ b/queue-6.1/af_packet-fix-data-races-of-pkt_sk-sk-num.patch
@@ -0,0 +1,98 @@
+From 741905984539fd789736d7fb9c903b87cd6b2d6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 16:29:34 -0700
+Subject: af_packet: Fix data-races of pkt_sk(sk)->num.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 822b5a1c17df7e338b9f05d1cfe5764e37c7f74f ]
+
+syzkaller found a data race of pkt_sk(sk)->num.
+
+The value is changed under lock_sock() and po->bind_lock, so we
+need READ_ONCE() to access pkt_sk(sk)->num without these locks in
+packet_bind_spkt(), packet_bind(), and sk_diag_fill().
+
+Note that WRITE_ONCE() is already added by commit c7d2ef5dd4b0
+("net/packet: annotate accesses to po->bind").
+
+BUG: KCSAN: data-race in packet_bind / packet_do_bind
+
+write (marked) to 0xffff88802ffd1cee of 2 bytes by task 7322 on cpu 0:
+ packet_do_bind+0x446/0x640 net/packet/af_packet.c:3236
+ packet_bind+0x99/0xe0 net/packet/af_packet.c:3321
+ __sys_bind+0x19b/0x1e0 net/socket.c:1803
+ __do_sys_bind net/socket.c:1814 [inline]
+ __se_sys_bind net/socket.c:1812 [inline]
+ __x64_sys_bind+0x40/0x50 net/socket.c:1812
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+read to 0xffff88802ffd1cee of 2 bytes by task 7318 on cpu 1:
+ packet_bind+0xbf/0xe0 net/packet/af_packet.c:3322
+ __sys_bind+0x19b/0x1e0 net/socket.c:1803
+ __do_sys_bind net/socket.c:1814 [inline]
+ __se_sys_bind net/socket.c:1812 [inline]
+ __x64_sys_bind+0x40/0x50 net/socket.c:1812
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+value changed: 0x0300 -> 0x0000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 7318 Comm: syz-executor.4 Not tainted 6.3.0-13380-g7fddb5b5300c #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 96ec6327144e ("packet: Diag core and basic socket info dumping")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230524232934.50950-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 4 ++--
+ net/packet/diag.c      | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 67771b0f57719..c75191b0c82ba 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3291,7 +3291,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
+       memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data));
+       name[sizeof(uaddr->sa_data)] = 0;
+ 
+-      return packet_do_bind(sk, name, 0, pkt_sk(sk)->num);
++      return packet_do_bind(sk, name, 0, READ_ONCE(pkt_sk(sk)->num));
+ }
+ 
+ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+@@ -3309,7 +3309,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len
+               return -EINVAL;
+ 
+       return packet_do_bind(sk, NULL, sll->sll_ifindex,
+-                            sll->sll_protocol ? : pkt_sk(sk)->num);
++                            sll->sll_protocol ? : READ_ONCE(pkt_sk(sk)->num));
+ }
+ 
+ static struct proto packet_proto = {
+diff --git a/net/packet/diag.c b/net/packet/diag.c
+index d704c7bf51b20..a68a84574c739 100644
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -143,7 +143,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
+       rp = nlmsg_data(nlh);
+       rp->pdiag_family = AF_PACKET;
+       rp->pdiag_type = sk->sk_type;
+-      rp->pdiag_num = ntohs(po->num);
++      rp->pdiag_num = ntohs(READ_ONCE(po->num));
+       rp->pdiag_ino = sk_ino;
+       sock_diag_save_cookie(sk, rp->pdiag_cookie);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch b/queue-6.1/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch
new file mode 100644 (file)
index 0000000..83e9794
--- /dev/null
+++ b/queue-6.1/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch
@@ -0,0 +1,145 @@
+From 67f042a0d74f0d1995c92f3645bbb5d11e450404 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Apr 2023 09:30:59 +0800
+Subject: ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs.
+
+From: jasontao <jasontao@glenfly.com>
+
+[ Upstream commit c51e431052e2eacfb23fbf6b39bc6c8770d9827a ]
+
+Add a set of HD Audio PCI IDS, and the HDMI codec vendor IDs for
+Glenfly Gpus.
+
+- In default_bdl_pos_adj, set bdl to 128 as Glenfly Gpus have hardware
+limitation, need to increase hdac interrupt interval.
+- In azx_first_init, enable polling mode for Glenfly Gpu. When the codec
+complete the command, it sends interrupt and writes response entries to
+memory, howerver, the write requests sometimes are not actually
+synchronized to memory when driver handle hdac interrupt on Glenfly Gpus.
+If the RIRB status is not updated in the interrupt handler,
+azx_rirb_get_response keeps trying to recevie a response from rirb until
+1s timeout. Enabling polling mode for Glenfly Gpu can fix the issue.
+- In patch_gf_hdmi, set Glenlfy Gpu Codec's no_sticky_stream as it need
+driver to do actual clean-ups for the linked codec when switch from one
+codec to another.
+
+Signed-off-by: jasontao <jasontao@glenfly.com>
+Signed-off-by: Reaper Li <reaperlioc@glenfly.com>
+Link: https://lore.kernel.org/r/20230426013059.4329-1-reaperlioc@glenfly.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c  | 21 +++++++++++++++++++++
+ sound/pci/hda/patch_hdmi.c | 22 ++++++++++++++++++++++
+ 2 files changed, 43 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 881b2f3a1551f..3226691ac923c 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -227,6 +227,7 @@ enum {
+       AZX_DRIVER_ATI,
+       AZX_DRIVER_ATIHDMI,
+       AZX_DRIVER_ATIHDMI_NS,
++      AZX_DRIVER_GFHDMI,
+       AZX_DRIVER_VIA,
+       AZX_DRIVER_SIS,
+       AZX_DRIVER_ULI,
+@@ -349,6 +350,7 @@ static const char * const driver_short_names[] = {
+       [AZX_DRIVER_ATI] = "HDA ATI SB",
+       [AZX_DRIVER_ATIHDMI] = "HDA ATI HDMI",
+       [AZX_DRIVER_ATIHDMI_NS] = "HDA ATI HDMI",
++      [AZX_DRIVER_GFHDMI] = "HDA GF HDMI",
+       [AZX_DRIVER_VIA] = "HDA VIA VT82xx",
+       [AZX_DRIVER_SIS] = "HDA SIS966",
+       [AZX_DRIVER_ULI] = "HDA ULI M5461",
+@@ -1743,6 +1745,12 @@ static int default_bdl_pos_adj(struct azx *chip)
+       }
+ 
+       switch (chip->driver_type) {
++      /*
++       * increase the bdl size for Glenfly Gpus for hardware
++       * limitation on hdac interrupt interval
++       */
++      case AZX_DRIVER_GFHDMI:
++              return 128;
+       case AZX_DRIVER_ICH:
+       case AZX_DRIVER_PCH:
+               return 1;
+@@ -1858,6 +1866,12 @@ static int azx_first_init(struct azx *chip)
+               pci_write_config_dword(pci, PCI_BASE_ADDRESS_1, 0);
+       }
+ #endif
++      /*
++       * Fix response write request not synced to memory when handle
++       * hdac interrupt on Glenfly Gpus
++       */
++      if (chip->driver_type == AZX_DRIVER_GFHDMI)
++              bus->polling_mode = 1;
+ 
+       err = pcim_iomap_regions(pci, 1 << 0, "ICH HD audio");
+       if (err < 0)
+@@ -1959,6 +1973,7 @@ static int azx_first_init(struct azx *chip)
+                       chip->playback_streams = ATIHDMI_NUM_PLAYBACK;
+                       chip->capture_streams = ATIHDMI_NUM_CAPTURE;
+                       break;
++              case AZX_DRIVER_GFHDMI:
+               case AZX_DRIVER_GENERIC:
+               default:
+                       chip->playback_streams = ICH6_NUM_PLAYBACK;
+@@ -2727,6 +2742,12 @@ static const struct pci_device_id azx_ids[] = {
+       { PCI_DEVICE(0x1002, 0xab38),
+         .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS |
+         AZX_DCAPS_PM_RUNTIME },
++      /* GLENFLY */
++      { PCI_DEVICE(0x6766, PCI_ANY_ID),
++        .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
++        .class_mask = 0xffffff,
++        .driver_data = AZX_DRIVER_GFHDMI | AZX_DCAPS_POSFIX_LPIB |
++        AZX_DCAPS_NO_MSI | AZX_DCAPS_NO_64BIT },
+       /* VIA VT8251/VT8237A */
+       { PCI_DEVICE(0x1106, 0x3288), .driver_data = AZX_DRIVER_VIA },
+       /* VIA GFX VT7122/VX900 */
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index be2c6cff77011..7b5e09070ab9b 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -4489,6 +4489,22 @@ static int patch_via_hdmi(struct hda_codec *codec)
+       return patch_simple_hdmi(codec, VIAHDMI_CVT_NID, VIAHDMI_PIN_NID);
+ }
+ 
++static int patch_gf_hdmi(struct hda_codec *codec)
++{
++      int err;
++
++      err = patch_generic_hdmi(codec);
++      if (err)
++              return err;
++
++      /*
++       * Glenfly GPUs have two codecs, stream switches from one codec to
++       * another, need to do actual clean-ups in codec_cleanup_stream
++       */
++      codec->no_sticky_stream = 1;
++      return 0;
++}
++
+ /*
+  * patch entries
+  */
+@@ -4584,6 +4600,12 @@ HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP",   patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi),
+ HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI",     patch_nvhdmi_2ch),
+ HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI",  patch_nvhdmi_2ch),
++HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP",       patch_gf_hdmi),
++HDA_CODEC_ENTRY(0x67663d83, "Arise 83 HDMI/DP",       patch_gf_hdmi),
++HDA_CODEC_ENTRY(0x67663d84, "Arise 84 HDMI/DP",       patch_gf_hdmi),
++HDA_CODEC_ENTRY(0x67663d85, "Arise 85 HDMI/DP",       patch_gf_hdmi),
++HDA_CODEC_ENTRY(0x67663d86, "Arise 86 HDMI/DP",       patch_gf_hdmi),
++HDA_CODEC_ENTRY(0x67663d87, "Arise 87 HDMI/DP",       patch_gf_hdmi),
+ HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP",  patch_via_hdmi),
+ HDA_CODEC_ENTRY(0x11069f81, "VX900 HDMI/DP",  patch_via_hdmi),
+ HDA_CODEC_ENTRY(0x11069f84, "VX11 HDMI/DP",   patch_generic_hdmi),
+-- 
+2.39.2
+

diff --git a/queue-6.1/alsa-hda-realtek-add-quirks-for-asus-gu604v-and-gu60.patch b/queue-6.1/alsa-hda-realtek-add-quirks-for-asus-gu604v-and-gu60.patch
new file mode 100644 (file)
index 0000000..7b3248b
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-add-quirks-for-asus-gu604v-and-gu60.patch
@@ -0,0 +1,78 @@
+From 47d611500b2c0f5719acda8bf8d0ec112819ece5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 19:15:10 +0300
+Subject: ALSA: hda/realtek: Add quirks for ASUS GU604V and GU603V
+
+From: Alexandru Sorodoc <ealex95@gmail.com>
+
+[ Upstream commit 4b963ae1df6426f0e51de64133d379d9bde50c48 ]
+
+These models use 2 CS35L41 amplifiers using SPI for down-facing
+speakers.
+
+alc285_fixup_speaker2_to_dac1 is needed to fix volume control of the
+down-facing speakers.
+
+Pin configs are needed to enable headset mic detection.
+
+Note that these models lack the ACPI _DSD properties needed to
+initialize the amplifiers. They can be added during boot to get working
+sound out of the speakers:
+  https://gist.github.com/lamperez/862763881c0e1c812392b5574727f6ff
+
+Signed-off-by: Alexandru Sorodoc <ealex95@gmail.com>
+Link: https://lore.kernel.org/r/20230511161510.315170-1-ealex95@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 379f216158ab4..7b5f194513c7b 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7063,6 +7063,8 @@ enum {
+       ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
+       ALC295_FIXUP_DISABLE_DAC3,
+       ALC285_FIXUP_SPEAKER2_TO_DAC1,
++      ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1,
++      ALC285_FIXUP_ASUS_HEADSET_MIC,
+       ALC280_FIXUP_HP_HEADSET_MIC,
+       ALC221_FIXUP_HP_FRONT_MIC,
+       ALC292_FIXUP_TPT460,
+@@ -8033,6 +8035,22 @@ static const struct hda_fixup alc269_fixups[] = {
+               .chained = true,
+               .chain_id = ALC269_FIXUP_THINKPAD_ACPI
+       },
++      [ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1] = {
++              .type = HDA_FIXUP_FUNC,
++              .v.func = alc285_fixup_speaker2_to_dac1,
++              .chained = true,
++              .chain_id = ALC245_FIXUP_CS35L41_SPI_2
++      },
++      [ALC285_FIXUP_ASUS_HEADSET_MIC] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x19, 0x03a11050 },
++                      { 0x1b, 0x03a11c30 },
++                      { }
++              },
++              .chained = true,
++              .chain_id = ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1
++      },
+       [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
+               .type = HDA_FIXUP_PINS,
+               .v.pins = (const struct hda_pintbl[]) {
+@@ -9507,6 +9525,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+       SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1043, 0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC),
+       SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK),
++      SND_PCI_QUIRK(0x1043, 0x1473, "ASUS GU604V", ALC285_FIXUP_ASUS_HEADSET_MIC),
++      SND_PCI_QUIRK(0x1043, 0x1483, "ASUS GU603V", ALC285_FIXUP_ASUS_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
+       SND_PCI_QUIRK(0x1043, 0x1662, "ASUS GV301QH", ALC294_FIXUP_ASUS_DUAL_SPK),
+       SND_PCI_QUIRK(0x1043, 0x1683, "ASUS UM3402YAR", ALC287_FIXUP_CS35L41_I2C_2),
+-- 
+2.39.2
+

diff --git a/queue-6.1/alsa-oss-avoid-missing-prototype-warnings.patch b/queue-6.1/alsa-oss-avoid-missing-prototype-warnings.patch
new file mode 100644 (file)
index 0000000..e648a09
--- /dev/null
+++ b/queue-6.1/alsa-oss-avoid-missing-prototype-warnings.patch
@@ -0,0 +1,64 @@
+From 822b0b8ad01b9c41d5b4687c0173f7a2ebe43d0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 21:50:42 +0200
+Subject: ALSA: oss: avoid missing-prototype warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 040b5a046a9e18098580d3ccd029e2318fca7859 ]
+
+Two functions are defined and used in pcm_oss.c but also optionally
+used from io.c, with an optional prototype. If CONFIG_SND_PCM_OSS_PLUGINS
+is disabled, this causes a warning as the functions are not static
+and have no prototype:
+
+sound/core/oss/pcm_oss.c:1235:19: error: no previous prototype for 'snd_pcm_oss_write3' [-Werror=missing-prototypes]
+sound/core/oss/pcm_oss.c:1266:19: error: no previous prototype for 'snd_pcm_oss_read3' [-Werror=missing-prototypes]
+
+Avoid this by making the prototypes unconditional.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230516195046.550584-2-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/oss/pcm_plugin.h | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/sound/core/oss/pcm_plugin.h b/sound/core/oss/pcm_plugin.h
+index 46e273bd4a786..50a6b50f5db4c 100644
+--- a/sound/core/oss/pcm_plugin.h
++++ b/sound/core/oss/pcm_plugin.h
+@@ -141,6 +141,14 @@ int snd_pcm_area_copy(const struct snd_pcm_channel_area *src_channel,
+ 
+ void *snd_pcm_plug_buf_alloc(struct snd_pcm_substream *plug, snd_pcm_uframes_t size);
+ void snd_pcm_plug_buf_unlock(struct snd_pcm_substream *plug, void *ptr);
++#else
++
++static inline snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t drv_size) { return drv_size; }
++static inline snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t clt_size) { return clt_size; }
++static inline int snd_pcm_plug_slave_format(int format, const struct snd_mask *format_mask) { return format; }
++
++#endif
++
+ snd_pcm_sframes_t snd_pcm_oss_write3(struct snd_pcm_substream *substream,
+                                    const char *ptr, snd_pcm_uframes_t size,
+                                    int in_kernel);
+@@ -151,14 +159,6 @@ snd_pcm_sframes_t snd_pcm_oss_writev3(struct snd_pcm_substream *substream,
+ snd_pcm_sframes_t snd_pcm_oss_readv3(struct snd_pcm_substream *substream,
+                                    void **bufs, snd_pcm_uframes_t frames);
+ 
+-#else
+-
+-static inline snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t drv_size) { return drv_size; }
+-static inline snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t clt_size) { return clt_size; }
+-static inline int snd_pcm_plug_slave_format(int format, const struct snd_mask *format_mask) { return format; }
+-
+-#endif
+-
+ #ifdef PLUGIN_DEBUG
+ #define pdprintf(fmt, args...) printk(KERN_DEBUG "plugin: " fmt, ##args)
+ #else
+-- 
+2.39.2
+

diff --git a/queue-6.1/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch b/queue-6.1/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch
new file mode 100644 (file)
index 0000000..cd3986c
--- /dev/null
+++ b/queue-6.1/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch
@@ -0,0 +1,71 @@
+From a2266f441cf361890f458505224f72b864cd89f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 23:56:12 +0530
+Subject: amd-xgbe: fix the false linkup in xgbe_phy_status
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit dc362e20cd6ab7a93d1b09669730c406f0910c35 ]
+
+In the event of a change in XGBE mode, the current auto-negotiation
+needs to be reset and the AN cycle needs to be re-triggerred. However,
+the current code ignores the return value of xgbe_set_mode(), leading to
+false information as the link is declared without checking the status
+register.
+
+Fix this by propagating the mode switch status information to
+xgbe_phy_status().
+
+Fixes: e57f7a3feaef ("amd-xgbe: Prepare for working with more than one type of phy")
+Co-developed-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 43fdd111235a6..ca7372369b3e6 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -1312,7 +1312,7 @@ static enum xgbe_mode xgbe_phy_status_aneg(struct xgbe_prv_data *pdata)
+       return pdata->phy_if.phy_impl.an_outcome(pdata);
+ }
+ 
+-static void xgbe_phy_status_result(struct xgbe_prv_data *pdata)
++static bool xgbe_phy_status_result(struct xgbe_prv_data *pdata)
+ {
+       struct ethtool_link_ksettings *lks = &pdata->phy.lks;
+       enum xgbe_mode mode;
+@@ -1347,8 +1347,13 @@ static void xgbe_phy_status_result(struct xgbe_prv_data *pdata)
+ 
+       pdata->phy.duplex = DUPLEX_FULL;
+ 
+-      if (xgbe_set_mode(pdata, mode) && pdata->an_again)
++      if (!xgbe_set_mode(pdata, mode))
++              return false;
++
++      if (pdata->an_again)
+               xgbe_phy_reconfig_aneg(pdata);
++
++      return true;
+ }
+ 
+ static void xgbe_phy_status(struct xgbe_prv_data *pdata)
+@@ -1378,7 +1383,8 @@ static void xgbe_phy_status(struct xgbe_prv_data *pdata)
+                       return;
+               }
+ 
+-              xgbe_phy_status_result(pdata);
++              if (xgbe_phy_status_result(pdata))
++                      return;
+ 
+               if (test_bit(XGBE_LINK_INIT, &pdata->dev_state))
+                       clear_bit(XGBE_LINK_INIT, &pdata->dev_state);
+-- 
+2.39.2
+

diff --git a/queue-6.1/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch b/queue-6.1/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch
new file mode 100644 (file)
index 0000000..9980076
--- /dev/null
+++ b/queue-6.1/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch
@@ -0,0 +1,93 @@
+From 7c6dadf3711d919a607c7650c524aa00bb73b6bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 10:17:07 +0100
+Subject: ARM: 9295/1: unwind:fix unwind abort for uleb128 case
+
+From: Haibo Li <haibo.li@mediatek.com>
+
+[ Upstream commit fa3eeb638de0c1a9d2d860e5b48259facdd65176 ]
+
+When unwind instruction is 0xb2,the subsequent instructions
+are uleb128 bytes.
+For now,it uses only the first uleb128 byte in code.
+
+For vsp increments of 0x204~0x400,use one uleb128 byte like below:
+0xc06a00e4 <unwind_test_work>: 0x80b27fac
+  Compact model index: 0
+  0xb2 0x7f vsp = vsp + 1024
+  0xac      pop {r4, r5, r6, r7, r8, r14}
+
+For vsp increments larger than 0x400,use two uleb128 bytes like below:
+0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
+  Compact model index: 1
+  0xb2 0x81 0x01 vsp = vsp + 1032
+  0xac      pop {r4, r5, r6, r7, r8, r14}
+The unwind works well since the decoded uleb128 byte is also 0x81.
+
+For vsp increments larger than 0x600,use two uleb128 bytes like below:
+0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
+  Compact model index: 1
+  0xb2 0x81 0x02 vsp = vsp + 1544
+  0xac      pop {r4, r5, r6, r7, r8, r14}
+In this case,the decoded uleb128 result is 0x101(vsp=0x204+(0x101<<2)).
+While the uleb128 used in code is 0x81(vsp=0x204+(0x81<<2)).
+The unwind aborts at this frame since it gets incorrect vsp.
+
+To fix this,add uleb128 decode to cover all the above case.
+
+Signed-off-by: Haibo Li <haibo.li@mediatek.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/unwind.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c
+index a37ea6c772cd5..2e6aa5dc15bf3 100644
+--- a/arch/arm/kernel/unwind.c
++++ b/arch/arm/kernel/unwind.c
+@@ -307,6 +307,29 @@ static int unwind_exec_pop_subset_r0_to_r3(struct unwind_ctrl_block *ctrl,
+       return URC_OK;
+ }
+ 
++static unsigned long unwind_decode_uleb128(struct unwind_ctrl_block *ctrl)
++{
++      unsigned long bytes = 0;
++      unsigned long insn;
++      unsigned long result = 0;
++
++      /*
++       * unwind_get_byte() will advance `ctrl` one instruction at a time, so
++       * loop until we get an instruction byte where bit 7 is not set.
++       *
++       * Note: This decodes a maximum of 4 bytes to output 28 bits data where
++       * max is 0xfffffff: that will cover a vsp increment of 1073742336, hence
++       * it is sufficient for unwinding the stack.
++       */
++      do {
++              insn = unwind_get_byte(ctrl);
++              result |= (insn & 0x7f) << (bytes * 7);
++              bytes++;
++      } while (!!(insn & 0x80) && (bytes != sizeof(result)));
++
++      return result;
++}
++
+ /*
+  * Execute the current unwind instruction.
+  */
+@@ -360,7 +383,7 @@ static int unwind_exec_insn(struct unwind_ctrl_block *ctrl)
+               if (ret)
+                       goto error;
+       } else if (insn == 0xb2) {
+-              unsigned long uleb128 = unwind_get_byte(ctrl);
++              unsigned long uleb128 = unwind_decode_uleb128(ctrl);
+ 
+               ctrl->vrs[SP] += 0x204 + (uleb128 << 2);
+       } else {
+-- 
+2.39.2
+

diff --git a/queue-6.1/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch b/queue-6.1/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch
new file mode 100644 (file)
index 0000000..36a014f
--- /dev/null
+++ b/queue-6.1/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch
@@ -0,0 +1,115 @@
+From 1dc874eefa151606ef764736c581339c73964f36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 22:45:38 +0200
+Subject: ARM: dts: stm32: add pin map for CAN controller on stm32f7
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit 011644249686f2675e142519cd59e81e04cfc231 ]
+
+Add pin configurations for using CAN controller on stm32f7.
+
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Link: https://lore.kernel.org/all/20230427204540.3126234-4-dario.binacchi@amarulasolutions.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/stm32f7-pinctrl.dtsi | 82 ++++++++++++++++++++++++++
+ 1 file changed, 82 insertions(+)
+
+diff --git a/arch/arm/boot/dts/stm32f7-pinctrl.dtsi b/arch/arm/boot/dts/stm32f7-pinctrl.dtsi
+index 8f37aefa73150..000278ec2c58f 100644
+--- a/arch/arm/boot/dts/stm32f7-pinctrl.dtsi
++++ b/arch/arm/boot/dts/stm32f7-pinctrl.dtsi
+@@ -284,6 +284,88 @@
+                                       slew-rate = <2>;
+                               };
+                       };
++
++                      can1_pins_a: can1-0 {
++                              pins1 {
++                                      pinmux = <STM32_PINMUX('A', 12, AF9)>; /* CAN1_TX */
++                              };
++                              pins2 {
++                                      pinmux = <STM32_PINMUX('A', 11, AF9)>; /* CAN1_RX */
++                                      bias-pull-up;
++                              };
++                      };
++
++                      can1_pins_b: can1-1 {
++                              pins1 {
++                                      pinmux = <STM32_PINMUX('B', 9, AF9)>; /* CAN1_TX */
++                              };
++                              pins2 {
++                                      pinmux = <STM32_PINMUX('B', 8, AF9)>; /* CAN1_RX */
++                                      bias-pull-up;
++                              };
++                      };
++
++                      can1_pins_c: can1-2 {
++                              pins1 {
++                                      pinmux = <STM32_PINMUX('D', 1, AF9)>; /* CAN1_TX */
++                              };
++                              pins2 {
++                                      pinmux = <STM32_PINMUX('D', 0, AF9)>; /* CAN1_RX */
++                                      bias-pull-up;
++
++                              };
++                      };
++
++                      can1_pins_d: can1-3 {
++                              pins1 {
++                                      pinmux = <STM32_PINMUX('H', 13, AF9)>; /* CAN1_TX */
++                              };
++                              pins2 {
++                                      pinmux = <STM32_PINMUX('H', 14, AF9)>; /* CAN1_RX */
++                                      bias-pull-up;
++
++                              };
++                      };
++
++                      can2_pins_a: can2-0 {
++                              pins1 {
++                                      pinmux = <STM32_PINMUX('B', 6, AF9)>; /* CAN2_TX */
++                              };
++                              pins2 {
++                                      pinmux = <STM32_PINMUX('B', 5, AF9)>; /* CAN2_RX */
++                                      bias-pull-up;
++                              };
++                      };
++
++                      can2_pins_b: can2-1 {
++                              pins1 {
++                                      pinmux = <STM32_PINMUX('B', 13, AF9)>; /* CAN2_TX */
++                              };
++                              pins2 {
++                                      pinmux = <STM32_PINMUX('B', 12, AF9)>; /* CAN2_RX */
++                                      bias-pull-up;
++                              };
++                      };
++
++                      can3_pins_a: can3-0 {
++                              pins1 {
++                                      pinmux = <STM32_PINMUX('A', 15, AF11)>; /* CAN3_TX */
++                              };
++                              pins2 {
++                                      pinmux = <STM32_PINMUX('A', 8, AF11)>; /* CAN3_RX */
++                                      bias-pull-up;
++                              };
++                      };
++
++                      can3_pins_b: can3-1 {
++                              pins1 {
++                                      pinmux = <STM32_PINMUX('B', 4, AF11)>;  /* CAN3_TX */
++                              };
++                              pins2 {
++                                      pinmux = <STM32_PINMUX('B', 3, AF11)>; /* CAN3_RX */
++                                      bias-pull-up;
++                              };
++                      };
+               };
+       };
+ };
+-- 
+2.39.2
+

diff --git a/queue-6.1/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch b/queue-6.1/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch
new file mode 100644 (file)
index 0000000..5806b82
--- /dev/null
+++ b/queue-6.1/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch
@@ -0,0 +1,54 @@
+From a8ecfa4ca0c75b09d8f02e10a7821614879ec961 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 May 2023 23:19:06 +0800
+Subject: arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
+
+From: Min-Hua Chen <minhuadotchen@gmail.com>
+
+[ Upstream commit d91d580878064b880f3574ac35b98d8b70ee8620 ]
+
+This patch fixes several sparse warnings for fault.c:
+
+arch/arm64/mm/fault.c:493:24: sparse: warning: incorrect type in return expression (different base types)
+arch/arm64/mm/fault.c:493:24: sparse:    expected restricted vm_fault_t
+arch/arm64/mm/fault.c:493:24: sparse:    got int
+arch/arm64/mm/fault.c:501:32: sparse: warning: incorrect type in return expression (different base types)
+arch/arm64/mm/fault.c:501:32: sparse:    expected restricted vm_fault_t
+arch/arm64/mm/fault.c:501:32: sparse:    got int
+arch/arm64/mm/fault.c:503:32: sparse: warning: incorrect type in return expression (different base types)
+arch/arm64/mm/fault.c:503:32: sparse:    expected restricted vm_fault_t
+arch/arm64/mm/fault.c:503:32: sparse:    got int
+arch/arm64/mm/fault.c:511:24: sparse: warning: incorrect type in return expression (different base types)
+arch/arm64/mm/fault.c:511:24: sparse:    expected restricted vm_fault_t
+arch/arm64/mm/fault.c:511:24: sparse:    got int
+arch/arm64/mm/fault.c:670:13: sparse: warning: restricted vm_fault_t degrades to integer
+arch/arm64/mm/fault.c:670:13: sparse: warning: restricted vm_fault_t degrades to integer
+arch/arm64/mm/fault.c:713:39: sparse: warning: restricted vm_fault_t degrades to integer
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Min-Hua Chen <minhuadotchen@gmail.com>
+Link: https://lore.kernel.org/r/20230502151909.128810-1-minhuadotchen@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/fault.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index 4ee20280133e4..2fef1fa93e7b6 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -480,8 +480,8 @@ static void do_bad_area(unsigned long far, unsigned long esr,
+       }
+ }
+ 
+-#define VM_FAULT_BADMAP               0x010000
+-#define VM_FAULT_BADACCESS    0x020000
++#define VM_FAULT_BADMAP               ((__force vm_fault_t)0x010000)
++#define VM_FAULT_BADACCESS    ((__force vm_fault_t)0x020000)
+ 
+ static vm_fault_t __do_page_fault(struct mm_struct *mm, unsigned long addr,
+                                 unsigned int mm_flags, unsigned long vm_flags,
+-- 
+2.39.2
+

diff --git a/queue-6.1/arm64-vdso-pass-void-to-virt_to_page.patch b/queue-6.1/arm64-vdso-pass-void-to-virt_to_page.patch
new file mode 100644 (file)
index 0000000..cd79bd8
--- /dev/null
+++ b/queue-6.1/arm64-vdso-pass-void-to-virt_to_page.patch
@@ -0,0 +1,42 @@
+From 9e961fc0fbea7300d27e503b87c2f88eecd7e93d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 08:48:11 +0200
+Subject: arm64: vdso: Pass (void *) to virt_to_page()
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit b0abde80620f42d1ceb3de5e4c1a49cdd5628229 ]
+
+Like the other calls in this function virt_to_page() expects
+a pointer, not an integer.
+
+However since many architectures implement virt_to_pfn() as
+a macro, this function becomes polymorphic and accepts both a
+(unsigned long) and a (void *).
+
+Fix this up with an explicit cast.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: http://lists.infradead.org/pipermail/linux-arm-kernel/2023-May/832583.html
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/vdso.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c
+index 99ae81ab91a74..6ebb8dea5f09e 100644
+--- a/arch/arm64/kernel/vdso.c
++++ b/arch/arm64/kernel/vdso.c
+@@ -312,7 +312,7 @@ static int aarch32_alloc_kuser_vdso_page(void)
+ 
+       memcpy((void *)(vdso_page + 0x1000 - kuser_sz), __kuser_helper_start,
+              kuser_sz);
+-      aarch32_vectors_page = virt_to_page(vdso_page);
++      aarch32_vectors_page = virt_to_page((void *)vdso_page);
+       return 0;
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-amd-yc-add-dmi-entry-to-support-system76-pangol.patch b/queue-6.1/asoc-amd-yc-add-dmi-entry-to-support-system76-pangol.patch
new file mode 100644 (file)
index 0000000..2cb06bd
--- /dev/null
+++ b/queue-6.1/asoc-amd-yc-add-dmi-entry-to-support-system76-pangol.patch
@@ -0,0 +1,41 @@
+From 6b3871bce018ec97a9ef99d8fb519a5464c9f12f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 10:14:58 -0600
+Subject: ASoC: amd: yc: Add DMI entry to support System76 Pangolin 12
+
+From: Jeremy Soller <jeremy@system76.com>
+
+[ Upstream commit 7b9891ad25246b18b5ccc19518da7abc7763aa0a ]
+
+Add pang12 quirk to enable the internal microphone.
+
+Signed-off-by: Jeremy Soller <jeremy@system76.com
+Signed-off-by: Tim Crawford <tcrawford@system76.com
+Link: https://lore.kernel.org/r/20230505161458.19676-1-tcrawford@system76.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index b9958e5553674..84b401b685f7f 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -297,6 +297,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+                       DMI_MATCH(DMI_BOARD_NAME, "8A22"),
+               }
+       },
++      {
++              .driver_data = &acp6x_card,
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_VENDOR, "System76"),
++                      DMI_MATCH(DMI_PRODUCT_VERSION, "pang12"),
++              }
++      },
+       {}
+ };
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch b/queue-6.1/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch
new file mode 100644 (file)
index 0000000..0607c6d
--- /dev/null
+++ b/queue-6.1/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch
@@ -0,0 +1,101 @@
+From 3a61c385ab38f2f92f5a9e455cb026fbcdb2beec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 17:34:12 +0200
+Subject: ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit efb2bfd7b3d210c479b9361c176d7426e5eb8663 ]
+
+A bunch of TI's codecs have binding schemas which force #sound-dai-cells
+to one despite those codecs only having a single DAI. Allow for bindings
+with zero DAI cells and deprecate the former non-zero value.
+
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org
+Link: https://lore.kernel.org/r/20230509153412.62847-1-povik+lin@cutebit.org
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/sound/tas2562.yaml | 6 ++++--
+ Documentation/devicetree/bindings/sound/tas2770.yaml | 6 ++++--
+ Documentation/devicetree/bindings/sound/tas27xx.yaml | 6 ++++--
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/sound/tas2562.yaml b/Documentation/devicetree/bindings/sound/tas2562.yaml
+index 30f6b029ac085..cb519a4b6e710 100644
+--- a/Documentation/devicetree/bindings/sound/tas2562.yaml
++++ b/Documentation/devicetree/bindings/sound/tas2562.yaml
+@@ -52,7 +52,9 @@ properties:
+     description: TDM TX current sense time slot.
+ 
+   '#sound-dai-cells':
+-    const: 1
++    # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward
++    # compatibility but is deprecated.
++    enum: [0, 1]
+ 
+ required:
+   - compatible
+@@ -69,7 +71,7 @@ examples:
+      codec: codec@4c {
+        compatible = "ti,tas2562";
+        reg = <0x4c>;
+-       #sound-dai-cells = <1>;
++       #sound-dai-cells = <0>;
+        interrupt-parent = <&gpio1>;
+        interrupts = <14>;
+        shutdown-gpios = <&gpio1 15 0>;
+diff --git a/Documentation/devicetree/bindings/sound/tas2770.yaml b/Documentation/devicetree/bindings/sound/tas2770.yaml
+index bc90e72bf7cf9..1859fbe1cdf17 100644
+--- a/Documentation/devicetree/bindings/sound/tas2770.yaml
++++ b/Documentation/devicetree/bindings/sound/tas2770.yaml
+@@ -54,7 +54,9 @@ properties:
+       - 1 # Falling edge
+ 
+   '#sound-dai-cells':
+-    const: 1
++    # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward
++    # compatibility but is deprecated.
++    enum: [0, 1]
+ 
+ required:
+   - compatible
+@@ -71,7 +73,7 @@ examples:
+      codec: codec@41 {
+        compatible = "ti,tas2770";
+        reg = <0x41>;
+-       #sound-dai-cells = <1>;
++       #sound-dai-cells = <0>;
+        interrupt-parent = <&gpio1>;
+        interrupts = <14>;
+        reset-gpio = <&gpio1 15 0>;
+diff --git a/Documentation/devicetree/bindings/sound/tas27xx.yaml b/Documentation/devicetree/bindings/sound/tas27xx.yaml
+index 66a0df8850ea6..079cb6f8d4474 100644
+--- a/Documentation/devicetree/bindings/sound/tas27xx.yaml
++++ b/Documentation/devicetree/bindings/sound/tas27xx.yaml
+@@ -47,7 +47,9 @@ properties:
+     description: TDM TX voltage sense time slot.
+ 
+   '#sound-dai-cells':
+-    const: 1
++    # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward
++    # compatibility but is deprecated.
++    enum: [0, 1]
+ 
+ required:
+   - compatible
+@@ -64,7 +66,7 @@ examples:
+      codec: codec@38 {
+        compatible = "ti,tas2764";
+        reg = <0x38>;
+-       #sound-dai-cells = <1>;
++       #sound-dai-cells = <0>;
+        interrupt-parent = <&gpio1>;
+        interrupts = <14>;
+        reset-gpios = <&gpio1 15 0>;
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-dwc-limit-the-number-of-overrun-messages.patch b/queue-6.1/asoc-dwc-limit-the-number-of-overrun-messages.patch
new file mode 100644 (file)
index 0000000..597575c
--- /dev/null
+++ b/queue-6.1/asoc-dwc-limit-the-number-of-overrun-messages.patch
@@ -0,0 +1,44 @@
+From a86e5882d0690786f970db9c9ebe73eeba8ddd60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 09:28:20 +0300
+Subject: ASoC: dwc: limit the number of overrun messages
+
+From: Maxim Kochetkov <fido_max@inbox.ru>
+
+[ Upstream commit ab6ecfbf40fccf74b6ec2ba7ed6dd2fc024c3af2 ]
+
+On slow CPU (FPGA/QEMU emulated) printing overrun messages from
+interrupt handler to uart console may leads to more overrun errors.
+So use dev_err_ratelimited to limit the number of error messages.
+
+Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru
+Link: https://lore.kernel.org/r/20230505062820.21840-1-fido_max@inbox.ru
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/dwc/dwc-i2s.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/dwc/dwc-i2s.c b/sound/soc/dwc/dwc-i2s.c
+index 7f7dd07c63b2f..3496301582b22 100644
+--- a/sound/soc/dwc/dwc-i2s.c
++++ b/sound/soc/dwc/dwc-i2s.c
+@@ -132,13 +132,13 @@ static irqreturn_t i2s_irq_handler(int irq, void *dev_id)
+ 
+               /* Error Handling: TX */
+               if (isr[i] & ISR_TXFO) {
+-                      dev_err(dev->dev, "TX overrun (ch_id=%d)\n", i);
++                      dev_err_ratelimited(dev->dev, "TX overrun (ch_id=%d)\n", i);
+                       irq_valid = true;
+               }
+ 
+               /* Error Handling: TX */
+               if (isr[i] & ISR_RXFO) {
+-                      dev_err(dev->dev, "RX overrun (ch_id=%d)\n", i);
++                      dev_err_ratelimited(dev->dev, "RX overrun (ch_id=%d)\n", i);
+                       irq_valid = true;
+               }
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-intel-soc-acpi-cht-add-quirk-for-nextbook-ares-.patch b/queue-6.1/asoc-intel-soc-acpi-cht-add-quirk-for-nextbook-ares-.patch
new file mode 100644 (file)
index 0000000..30fe430
--- /dev/null
+++ b/queue-6.1/asoc-intel-soc-acpi-cht-add-quirk-for-nextbook-ares-.patch
@@ -0,0 +1,72 @@
+From d5f35d2a7e98a47eefabfb2f2eec469bb7735931 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Apr 2023 12:47:21 +0200
+Subject: ASoC: Intel: soc-acpi-cht: Add quirk for Nextbook Ares 8A tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit ec6f82b4c63cc68f8dc03316e725106d242706be ]
+
+The Nextbook Ares 8A tablet which has Android as factory OS, has a buggy
+DSDT with both ESSX8316 and 10EC5651 ACPI devices.
+
+This tablet actually uses an rt5651 codec, but the matching code ends up
+picking the ESSX8316 device, add a quirk to ignote the ESSX8316 device
+on this tablet.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Message-Id: <20230429104721.7176-1-hdegoede@redhat.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../intel/common/soc-acpi-intel-cht-match.c   | 26 +++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/sound/soc/intel/common/soc-acpi-intel-cht-match.c b/sound/soc/intel/common/soc-acpi-intel-cht-match.c
+index 6beb00858c33f..cdcbf04b8832f 100644
+--- a/sound/soc/intel/common/soc-acpi-intel-cht-match.c
++++ b/sound/soc/intel/common/soc-acpi-intel-cht-match.c
+@@ -50,6 +50,31 @@ static struct snd_soc_acpi_mach *cht_quirk(void *arg)
+               return mach;
+ }
+ 
++/*
++ * Some tablets with Android factory OS have buggy DSDTs with an ESSX8316 device
++ * in the ACPI tables. While they are not using an ESS8316 codec. These DSDTs
++ * also have an ACPI device for the correct codec, ignore the ESSX8316.
++ */
++static const struct dmi_system_id cht_ess8316_not_present_table[] = {
++      {
++              /* Nextbook Ares 8A */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Insyde"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"),
++                      DMI_MATCH(DMI_BIOS_VERSION, "M882"),
++              },
++      },
++      { }
++};
++
++static struct snd_soc_acpi_mach *cht_ess8316_quirk(void *arg)
++{
++      if (dmi_check_system(cht_ess8316_not_present_table))
++              return NULL;
++
++      return arg;
++}
++
+ static const struct snd_soc_acpi_codecs rt5640_comp_ids = {
+       .num_codecs = 2,
+       .codecs = { "10EC5640", "10EC3276" },
+@@ -113,6 +138,7 @@ struct snd_soc_acpi_mach  snd_soc_acpi_intel_cherrytrail_machines[] = {
+               .drv_name = "bytcht_es8316",
+               .fw_filename = "intel/fw_sst_22a8.bin",
+               .board = "bytcht_es8316",
++              .machine_quirk = cht_ess8316_quirk,
+               .sof_tplg_filename = "sof-cht-es8316.tplg",
+       },
+       /* some CHT-T platforms rely on RT5640, use Baytrail machine driver */
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-sof-debug-conditionally-bump-runtime_pm-counter.patch b/queue-6.1/asoc-sof-debug-conditionally-bump-runtime_pm-counter.patch
new file mode 100644 (file)
index 0000000..e34a908
--- /dev/null
+++ b/queue-6.1/asoc-sof-debug-conditionally-bump-runtime_pm-counter.patch
@@ -0,0 +1,53 @@
+From 70effe0ccf9f4cef19fc3eaf4ae7a08a2aa3ff69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 13:33:13 +0300
+Subject: ASoC: SOF: debug: conditionally bump runtime_pm counter on exceptions
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 3de975862f985f1c9e225a0d13aa3d501373f7c3 ]
+
+When a firmware IPC error happens during a pm_runtime suspend, we
+ignore the error and suspend anyways. However, the code
+unconditionally increases the runtime_pm counter. This results in a
+confusing configuration where the code will suspend, resume but never
+suspend again due to the use of pm_runtime_get_noresume().
+
+The intent of the counter increase was to prevent entry in D3, but if
+that transition to D3 is already started it cannot be stopped. In
+addition, there's no point in that case in trying to prevent anything,
+the firmware error is handled and the next resume will re-initialize
+the firmware completely.
+
+This patch changes the logic to prevent suspend when the device is
+pm_runtime active and has a use_count > 0.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com
+Link: https://lore.kernel.org/r/20230512103315.8921-2-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/debug.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/debug.c b/sound/soc/sof/debug.c
+index ade0507328af4..5042312b1b98d 100644
+--- a/sound/soc/sof/debug.c
++++ b/sound/soc/sof/debug.c
+@@ -437,8 +437,8 @@ void snd_sof_handle_fw_exception(struct snd_sof_dev *sdev, const char *msg)
+               /* should we prevent DSP entering D3 ? */
+               if (!sdev->ipc_dump_printed)
+                       dev_info(sdev->dev,
+-                               "preventing DSP entering D3 state to preserve context\n");
+-              pm_runtime_get_noresume(sdev->dev);
++                               "Attempting to prevent DSP from entering D3 state to preserve context\n");
++              pm_runtime_get_if_in_use(sdev->dev);
+       }
+ 
+       /* dump vital information to the logs */
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-sof-pcm-fix-pm_runtime-imbalance-in-error-handl.patch b/queue-6.1/asoc-sof-pcm-fix-pm_runtime-imbalance-in-error-handl.patch
new file mode 100644 (file)
index 0000000..bc24287
--- /dev/null
+++ b/queue-6.1/asoc-sof-pcm-fix-pm_runtime-imbalance-in-error-handl.patch
@@ -0,0 +1,53 @@
+From 071784b768d45b492eda215e2886329fd7358399 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 13:33:14 +0300
+Subject: ASoC: SOF: pcm: fix pm_runtime imbalance in error handling
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit da0fe8fd515a471d373acc3682bfb5522cca4d55 ]
+
+When an error occurs, we need to make sure the device can pm_runtime
+suspend instead of keeping it active.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com
+Link: https://lore.kernel.org/r/20230512103315.8921-3-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/pcm.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/sof/pcm.c b/sound/soc/sof/pcm.c
+index 14571b821ecac..be6f38af37b5d 100644
+--- a/sound/soc/sof/pcm.c
++++ b/sound/soc/sof/pcm.c
+@@ -619,16 +619,17 @@ static int sof_pcm_probe(struct snd_soc_component *component)
+                                      "%s/%s",
+                                      plat_data->tplg_filename_prefix,
+                                      plat_data->tplg_filename);
+-      if (!tplg_filename)
+-              return -ENOMEM;
++      if (!tplg_filename) {
++              ret = -ENOMEM;
++              goto pm_error;
++      }
+ 
+       ret = snd_sof_load_topology(component, tplg_filename);
+-      if (ret < 0) {
++      if (ret < 0)
+               dev_err(component->dev, "error: failed to load DSP topology %d\n",
+                       ret);
+-              return ret;
+-      }
+ 
++pm_error:
+       pm_runtime_mark_last_busy(component->dev);
+       pm_runtime_put_autosuspend(component->dev);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-sof-pm-save-io-region-state-in-case-of-errors-i.patch b/queue-6.1/asoc-sof-pm-save-io-region-state-in-case-of-errors-i.patch
new file mode 100644 (file)
index 0000000..2b86ac7
--- /dev/null
+++ b/queue-6.1/asoc-sof-pm-save-io-region-state-in-case-of-errors-i.patch
@@ -0,0 +1,74 @@
+From 10cd9ad6eb85707be9a8311ebfbe4e438eaff58b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 13:46:38 +0300
+Subject: ASoC: SOF: pm: save io region state in case of errors in resume
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+[ Upstream commit 171b53be635ac15d4feafeb33946035649b1ca14 ]
+
+If there are failures in DSP runtime resume, the device state will not
+reach active and this makes it impossible e.g. to retrieve a possible
+DSP panic dump via "exception" debugfs node. If
+CONFIG_SND_SOC_SOF_DEBUG_ENABLE_DEBUGFS_CACHE=y is set, the data in
+cache is stale. If debugfs cache is not used, the region simply cannot
+be read.
+
+To allow debugging these scenarios, update the debugfs cache contents in
+resume error handler. User-space can then later retrieve DSP panic and
+other state via debugfs (requires SOF debugfs cache to be enabled in
+build).
+
+Reported-by: Curtis Malainey <cujomalainey@chromium.org
+Link: https://github.com/thesofproject/linux/issues/4274
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com
+Reviewed-by: Curtis Malainey <cujomalainey@chromium.org
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com
+Link: https://lore.kernel.org/r/20230512104638.21376-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/pm.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/pm.c b/sound/soc/sof/pm.c
+index 26ffcbb6e30f4..a1bfa5a37e2ad 100644
+--- a/sound/soc/sof/pm.c
++++ b/sound/soc/sof/pm.c
+@@ -159,7 +159,7 @@ static int sof_resume(struct device *dev, bool runtime_resume)
+               ret = tplg_ops->set_up_all_pipelines(sdev, false);
+               if (ret < 0) {
+                       dev_err(sdev->dev, "Failed to restore pipeline after resume %d\n", ret);
+-                      return ret;
++                      goto setup_fail;
+               }
+       }
+ 
+@@ -173,6 +173,18 @@ static int sof_resume(struct device *dev, bool runtime_resume)
+                       dev_err(sdev->dev, "ctx_restore IPC error during resume: %d\n", ret);
+       }
+ 
++setup_fail:
++#if IS_ENABLED(CONFIG_SND_SOC_SOF_DEBUG_ENABLE_DEBUGFS_CACHE)
++      if (ret < 0) {
++              /*
++               * Debugfs cannot be read in runtime suspend, so cache
++               * the contents upon failure. This allows to capture
++               * possible DSP coredump information.
++               */
++              sof_cache_debugfs(sdev);
++      }
++#endif
++
+       return ret;
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-sof-sof-client-probes-fix-pm_runtime-imbalance-.patch b/queue-6.1/asoc-sof-sof-client-probes-fix-pm_runtime-imbalance-.patch
new file mode 100644 (file)
index 0000000..31bff11
--- /dev/null
+++ b/queue-6.1/asoc-sof-sof-client-probes-fix-pm_runtime-imbalance-.patch
@@ -0,0 +1,59 @@
+From 430bf2ff76d7e20597a45dc4d14fe434e71807b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 13:33:15 +0300
+Subject: ASoC: SOF: sof-client-probes: fix pm_runtime imbalance in error
+ handling
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit bc424273c74c1565c459c8f2a6ed95caee368d0a ]
+
+When an error occurs, we need to make sure the device can pm_runtime
+suspend instead of keeping it active.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com
+Link: https://lore.kernel.org/r/20230512103315.8921-4-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/sof-client-probes.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/sof/sof-client-probes.c b/sound/soc/sof/sof-client-probes.c
+index ddeabbb5580e1..1e521a9e34d27 100644
+--- a/sound/soc/sof/sof-client-probes.c
++++ b/sound/soc/sof/sof-client-probes.c
+@@ -441,12 +441,7 @@ static ssize_t sof_probes_dfs_points_read(struct file *file, char __user *to,
+ 
+       ret = sof_probes_points_info(cdev, &desc, &num_desc);
+       if (ret < 0)
+-              goto exit;
+-
+-      pm_runtime_mark_last_busy(dev);
+-      err = pm_runtime_put_autosuspend(dev);
+-      if (err < 0)
+-              dev_err_ratelimited(dev, "debugfs read failed to idle %d\n", err);
++              goto pm_error;
+ 
+       for (i = 0; i < num_desc; i++) {
+               offset = strlen(buf);
+@@ -464,6 +459,13 @@ static ssize_t sof_probes_dfs_points_read(struct file *file, char __user *to,
+       ret = simple_read_from_buffer(to, count, ppos, buf, strlen(buf));
+ 
+       kfree(desc);
++
++pm_error:
++      pm_runtime_mark_last_busy(dev);
++      err = pm_runtime_put_autosuspend(dev);
++      if (err < 0)
++              dev_err_ratelimited(dev, "debugfs read failed to idle %d\n", err);
++
+ exit:
+       kfree(buf);
+       return ret;
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-ssm2602-add-workaround-for-playback-distortions.patch b/queue-6.1/asoc-ssm2602-add-workaround-for-playback-distortions.patch
new file mode 100644 (file)
index 0000000..7a49118
--- /dev/null
+++ b/queue-6.1/asoc-ssm2602-add-workaround-for-playback-distortions.patch
@@ -0,0 +1,140 @@
+From 96eddba8d5f8727573594703a60e487b509afc3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 13:30:37 +0200
+Subject: ASoC: ssm2602: Add workaround for playback distortions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paweł Anikiel <pan@semihalf.com>
+
+[ Upstream commit f63550e2b165208a2f382afcaf5551df9569e1d4 ]
+
+Apply a workaround for what appears to be a hardware quirk.
+
+The problem seems to happen when enabling "whole chip power" (bit D7
+register R6) for the very first time after the chip receives power. If
+either "output" (D4) or "DAC" (D3) aren't powered on at that time,
+playback becomes very distorted later on.
+
+This happens on the Google Chameleon v3, as well as on a ZYBO Z7-10:
+https://ez.analog.com/audio/f/q-a/543726/solved-ssm2603-right-output-offset-issue/480229
+I suspect this happens only when using an external MCLK signal (which
+is the case for both of these boards).
+
+Here are some experiments run on a Google Chameleon v3. These were run
+in userspace using a wrapper around the i2cset utility:
+ssmset() {
+        i2cset -y 0 0x1a $(($1*2)) $2
+}
+
+For each of the following sequences, we apply power to the ssm2603
+chip, set the configuration registers R0-R5 and R7-R8, run the selected
+sequence, and check for distortions on playback.
+
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x07 # chip, out, dac
+  OK
+
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x87 # out, dac
+  ssmset 0x06 0x07 # chip
+  OK
+
+  (disable MCLK)
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x1f # chip
+  ssmset 0x06 0x07 # out, dac
+  (enable MCLK)
+  OK
+
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x1f # chip
+  ssmset 0x06 0x07 # out, dac
+  NOT OK
+
+  ssmset 0x06 0x1f # chip
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x07 # out, dac
+  NOT OK
+
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x0f # chip, out
+  ssmset 0x06 0x07 # dac
+  NOT OK
+
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x17 # chip, dac
+  ssmset 0x06 0x07 # out
+  NOT OK
+
+For each of the following sequences, we apply power to the ssm2603
+chip, run the selected sequence, issue a reset with R15, configure
+R0-R5 and R7-R8, run one of the NOT OK sequences from above, and check
+for distortions.
+
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x07 # chip, out, dac
+  OK
+
+  (disable MCLK)
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x07 # chip, out, dac
+  (enable MCLK after reset)
+  NOT OK
+
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x17 # chip, dac
+  NOT OK
+
+  ssmset 0x09 0x01 # core
+  ssmset 0x06 0x0f # chip, out
+  NOT OK
+
+  ssmset 0x06 0x07 # chip, out, dac
+  NOT OK
+
+Signed-off-by: Paweł Anikiel <pan@semihalf.com
+Link: https://lore.kernel.org/r/20230508113037.137627-8-pan@semihalf.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/ssm2602.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c
+index cbbe83b85adaf..cf7927222be15 100644
+--- a/sound/soc/codecs/ssm2602.c
++++ b/sound/soc/codecs/ssm2602.c
+@@ -53,6 +53,18 @@ static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = {
+       { .reg = 0x09, .def = 0x0000 }
+ };
+ 
++/*
++ * ssm2602 register patch
++ * Workaround for playback distortions after power up: activates digital
++ * core, and then powers on output, DAC, and whole chip at the same time
++ */
++
++static const struct reg_sequence ssm2602_patch[] = {
++      { SSM2602_ACTIVE, 0x01 },
++      { SSM2602_PWR,    0x07 },
++      { SSM2602_RESET,  0x00 },
++};
++
+ 
+ /*Appending several "None"s just for OSS mixer use*/
+ static const char *ssm2602_input_select[] = {
+@@ -589,6 +601,9 @@ static int ssm260x_component_probe(struct snd_soc_component *component)
+               return ret;
+       }
+ 
++      regmap_register_patch(ssm2602->regmap, ssm2602_patch,
++                            ARRAY_SIZE(ssm2602_patch));
++
+       /* set the update bits */
+       regmap_update_bits(ssm2602->regmap, SSM2602_LINVOL,
+                           LINVOL_LRIN_BOTH, LINVOL_LRIN_BOTH);
+-- 
+2.39.2
+

diff --git a/queue-6.1/atm-hide-unused-procfs-functions.patch b/queue-6.1/atm-hide-unused-procfs-functions.patch
new file mode 100644 (file)
index 0000000..f544550
--- /dev/null
+++ b/queue-6.1/atm-hide-unused-procfs-functions.patch
@@ -0,0 +1,47 @@
+From c4af66bb86327a09696f6227c923679452bf896d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 21:45:34 +0200
+Subject: atm: hide unused procfs functions
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit fb1b7be9b16c1f4626969ba4e95a97da2a452b41 ]
+
+When CONFIG_PROC_FS is disabled, the function declarations for some
+procfs functions are hidden, but the definitions are still build,
+as shown by this compiler warning:
+
+net/atm/resources.c:403:7: error: no previous prototype for 'atm_dev_seq_start' [-Werror=missing-prototypes]
+net/atm/resources.c:409:6: error: no previous prototype for 'atm_dev_seq_stop' [-Werror=missing-prototypes]
+net/atm/resources.c:414:7: error: no previous prototype for 'atm_dev_seq_next' [-Werror=missing-prototypes]
+
+Add another #ifdef to leave these out of the build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230516194625.549249-2-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index 2b2d33eeaf200..995d29e7fb138 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -400,6 +400,7 @@ int atm_dev_ioctl(unsigned int cmd, void __user *buf, int __user *sioc_len,
+       return error;
+ }
+ 
++#ifdef CONFIG_PROC_FS
+ void *atm_dev_seq_start(struct seq_file *seq, loff_t *pos)
+ {
+       mutex_lock(&atm_dev_mutex);
+@@ -415,3 +416,4 @@ void *atm_dev_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+ {
+       return seq_list_next(v, &atm_devs, pos);
+ }
++#endif
+-- 
+2.39.2
+

diff --git a/queue-6.1/block-deny-writable-memory-mapping-if-block-is-read-.patch b/queue-6.1/block-deny-writable-memory-mapping-if-block-is-read-.patch
new file mode 100644 (file)
index 0000000..1daa26f
--- /dev/null
+++ b/queue-6.1/block-deny-writable-memory-mapping-if-block-is-read-.patch
@@ -0,0 +1,68 @@
+From f6047883aeeb37250149935a49217c7fc7e1d50b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 09:42:23 +0200
+Subject: block: Deny writable memory mapping if block is read-only
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+[ Upstream commit 69baa3a623fd2e58624f24f2f23d46f87b817c93 ]
+
+User should not be able to write block device if it is read-only at
+block level (e.g force_ro attribute). This is ensured in the regular
+fops write operation (blkdev_write_iter) but not when writing via
+user mapping (mmap), allowing user to actually write a read-only
+block device via a PROT_WRITE mapping.
+
+Example: This can lead to integrity issue of eMMC boot partition
+(e.g mmcblk0boot0) which is read-only by default.
+
+To fix this issue, simply deny shared writable mapping if the block
+is readonly.
+
+Note: Block remains writable if switch to read-only is performed
+after the initial mapping, but this is expected behavior according
+to commit a32e236eb93e ("Partially revert "block: fail op_is_write()
+requests to read-only partitions"")'.
+
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230510074223.991297-1-loic.poulain@linaro.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/fops.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/block/fops.c b/block/fops.c
+index e406aa605327e..6197d1c41652d 100644
+--- a/block/fops.c
++++ b/block/fops.c
+@@ -685,6 +685,16 @@ static long blkdev_fallocate(struct file *file, int mode, loff_t start,
+       return error;
+ }
+ 
++static int blkdev_mmap(struct file *file, struct vm_area_struct *vma)
++{
++      struct inode *bd_inode = bdev_file_inode(file);
++
++      if (bdev_read_only(I_BDEV(bd_inode)))
++              return generic_file_readonly_mmap(file, vma);
++
++      return generic_file_mmap(file, vma);
++}
++
+ const struct file_operations def_blk_fops = {
+       .open           = blkdev_open,
+       .release        = blkdev_close,
+@@ -692,7 +702,7 @@ const struct file_operations def_blk_fops = {
+       .read_iter      = blkdev_read_iter,
+       .write_iter     = blkdev_write_iter,
+       .iopoll         = iocb_bio_iopoll,
+-      .mmap           = generic_file_mmap,
++      .mmap           = blkdev_mmap,
+       .fsync          = blkdev_fsync,
+       .unlocked_ioctl = blkdev_ioctl,
+ #ifdef CONFIG_COMPAT
+-- 
+2.39.2
+

diff --git a/queue-6.1/block-rnbd-replace-req_op_flush-with-req_op_write.patch b/queue-6.1/block-rnbd-replace-req_op_flush-with-req_op_write.patch
new file mode 100644 (file)
index 0000000..005a1ea
--- /dev/null
+++ b/queue-6.1/block-rnbd-replace-req_op_flush-with-req_op_write.patch
@@ -0,0 +1,72 @@
+From 0f572368df5cfa91a0d6b2a2610642f924f5f16b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 11:46:31 +0800
+Subject: block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE
+
+From: Guoqing Jiang <guoqing.jiang@linux.dev>
+
+[ Upstream commit 5e6e08087a4acb4ee3574cea32dbff0f63c7f608 ]
+
+Since flush bios are implemented as writes with no data and
+the preflush flag per Christoph's comment [1].
+
+And we need to change it in rnbd accordingly. Otherwise, I
+got splatting when create fs from rnbd client.
+
+[  464.028545] ------------[ cut here ]------------
+[  464.028553] WARNING: CPU: 0 PID: 65 at block/blk-core.c:751 submit_bio_noacct+0x32c/0x5d0
+[ ... ]
+[  464.028668] CPU: 0 PID: 65 Comm: kworker/0:1H Tainted: G           OE      6.4.0-rc1 #9
+[  464.028671] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
+[  464.028673] Workqueue: ib-comp-wq ib_cq_poll_work [ib_core]
+[  464.028717] RIP: 0010:submit_bio_noacct+0x32c/0x5d0
+[  464.028720] Code: 03 0f 85 51 fe ff ff 48 8b 43 18 8b 88 04 03 00 00 85 c9 0f 85 3f fe ff ff e9 be fd ff ff 0f b6 d0 3c 0d 74 26 83 fa 01 74 21 <0f> 0b b8 0a 00 00 00 e9 56 fd ff ff 4c 89 e7 e8 70 a1 03 00 84 c0
+[  464.028722] RSP: 0018:ffffaf3680b57c68 EFLAGS: 00010202
+[  464.028724] RAX: 0000000000060802 RBX: ffffa09dcc18bf00 RCX: 0000000000000000
+[  464.028726] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffffa09dde081d00
+[  464.028727] RBP: ffffaf3680b57c98 R08: ffffa09dde081d00 R09: ffffa09e38327200
+[  464.028729] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa09dde081d00
+[  464.028730] R13: ffffa09dcb06e1e8 R14: 0000000000000000 R15: 0000000000200000
+[  464.028733] FS:  0000000000000000(0000) GS:ffffa09e3bc00000(0000) knlGS:0000000000000000
+[  464.028735] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  464.028736] CR2: 000055a4e8206c40 CR3: 0000000119f06000 CR4: 00000000003506f0
+[  464.028738] Call Trace:
+[  464.028740]  <TASK>
+[  464.028746]  submit_bio+0x1b/0x80
+[  464.028748]  rnbd_srv_rdma_ev+0x50d/0x10c0 [rnbd_server]
+[  464.028754]  ? percpu_ref_get_many.constprop.0+0x55/0x140 [rtrs_server]
+[  464.028760]  ? __this_cpu_preempt_check+0x13/0x20
+[  464.028769]  process_io_req+0x1dc/0x450 [rtrs_server]
+[  464.028775]  rtrs_srv_inv_rkey_done+0x67/0xb0 [rtrs_server]
+[  464.028780]  __ib_process_cq+0xbc/0x1f0 [ib_core]
+[  464.028793]  ib_cq_poll_work+0x2b/0xa0 [ib_core]
+[  464.028804]  process_one_work+0x2a9/0x580
+
+[1]. https://lore.kernel.org/all/ZFHgefWofVt24tRl@infradead.org/
+
+Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Link: https://lore.kernel.org/r/20230512034631.28686-1-guoqing.jiang@linux.dev
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rnbd/rnbd-proto.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/rnbd/rnbd-proto.h b/drivers/block/rnbd/rnbd-proto.h
+index ea7ac8bca63cf..da1d0542d7e2c 100644
+--- a/drivers/block/rnbd/rnbd-proto.h
++++ b/drivers/block/rnbd/rnbd-proto.h
+@@ -241,7 +241,7 @@ static inline blk_opf_t rnbd_to_bio_flags(u32 rnbd_opf)
+               bio_opf = REQ_OP_WRITE;
+               break;
+       case RNBD_OP_FLUSH:
+-              bio_opf = REQ_OP_FLUSH | REQ_PREFLUSH;
++              bio_opf = REQ_OP_WRITE | REQ_PREFLUSH;
+               break;
+       case RNBD_OP_DISCARD:
+               bio_opf = REQ_OP_DISCARD;
+-- 
+2.39.2
+

diff --git a/queue-6.1/btrfs-abort-transaction-when-sibling-keys-check-fail.patch b/queue-6.1/btrfs-abort-transaction-when-sibling-keys-check-fail.patch
new file mode 100644 (file)
index 0000000..12411b4
--- /dev/null
+++ b/queue-6.1/btrfs-abort-transaction-when-sibling-keys-check-fail.patch
@@ -0,0 +1,56 @@
+From 1c872e7dcadbc90516212ef9fd6bf247465ef3b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Apr 2023 11:51:35 +0100
+Subject: btrfs: abort transaction when sibling keys check fails for leaves
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9ae5afd02a03d4e22a17a9609b19400b77c36273 ]
+
+If the sibling keys check fails before we move keys from one sibling
+leaf to another, we are not aborting the transaction - we leave that to
+some higher level caller of btrfs_search_slot() (or anything else that
+uses it to insert items into a b+tree).
+
+This means that the transaction abort will provide a stack trace that
+omits the b+tree modification call chain. So change this to immediately
+abort the transaction and therefore get a more useful stack trace that
+shows us the call chain in the bt+tree modification code.
+
+It's also important to immediately abort the transaction just in case
+some higher level caller is not doing it, as this indicates a very
+serious corruption and we should stop the possibility of doing further
+damage.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index dbbae92ac23d8..ab9f8d6c4f1b9 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -3118,6 +3118,7 @@ static int push_leaf_right(struct btrfs_trans_handle *trans, struct btrfs_root
+ 
+       if (check_sibling_keys(left, right)) {
+               ret = -EUCLEAN;
++              btrfs_abort_transaction(trans, ret);
+               btrfs_tree_unlock(right);
+               free_extent_buffer(right);
+               return ret;
+@@ -3348,6 +3349,7 @@ static int push_leaf_left(struct btrfs_trans_handle *trans, struct btrfs_root
+ 
+       if (check_sibling_keys(left, right)) {
+               ret = -EUCLEAN;
++              btrfs_abort_transaction(trans, ret);
+               goto out;
+       }
+       return __push_leaf_left(path, min_data_size,
+-- 
+2.39.2
+

diff --git a/queue-6.1/ceph-silence-smatch-warning-in-reconnect_caps_cb.patch b/queue-6.1/ceph-silence-smatch-warning-in-reconnect_caps_cb.patch
new file mode 100644 (file)
index 0000000..9cdf289
--- /dev/null
+++ b/queue-6.1/ceph-silence-smatch-warning-in-reconnect_caps_cb.patch
@@ -0,0 +1,50 @@
+From f867470cbb77e07ca449113de13c9812eeaedf29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 14:45:01 +0800
+Subject: ceph: silence smatch warning in reconnect_caps_cb()
+
+From: Xiubo Li <xiubli@redhat.com>
+
+[ Upstream commit 9aaa7eb018661b2da221362d9bacb096bd596f52 ]
+
+Smatch static checker warning:
+
+  fs/ceph/mds_client.c:3968 reconnect_caps_cb()
+  warn: missing error code here? '__get_cap_for_mds()' failed. 'err' = '0'
+
+[ idryomov: Dan says that Smatch considers it intentional only if the
+  "ret = 0;" assignment is within 4 or 5 lines of the goto. ]
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/mds_client.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 54e3c2ab21d22..1989c8deea55a 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -3938,7 +3938,7 @@ static int reconnect_caps_cb(struct inode *inode, int mds, void *arg)
+       struct dentry *dentry;
+       struct ceph_cap *cap;
+       char *path;
+-      int pathlen = 0, err = 0;
++      int pathlen = 0, err;
+       u64 pathbase;
+       u64 snap_follows;
+ 
+@@ -3961,6 +3961,7 @@ static int reconnect_caps_cb(struct inode *inode, int mds, void *arg)
+       cap = __get_cap_for_mds(ci, mds);
+       if (!cap) {
+               spin_unlock(&ci->i_ceph_lock);
++              err = 0;
+               goto out_err;
+       }
+       dout(" adding %p ino %llx.%llx cap %p %lld %s\n",
+-- 
+2.39.2
+

diff --git a/queue-6.1/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch b/queue-6.1/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch
new file mode 100644 (file)
index 0000000..fb70dbb
--- /dev/null
+++ b/queue-6.1/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch
@@ -0,0 +1,56 @@
+From 00d56d83c3d7aaa559e5ef88cbb4387ec733f22e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 13:32:10 +0300
+Subject: dmaengine: at_xdmac: fix potential Oops in
+ at_xdmac_prep_interleaved()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 4d43acb145c363626d76f49febb4240c488cd1cf ]
+
+There are two place if the at_xdmac_interleaved_queue_desc() fails which
+could lead to a NULL dereference where "first" is NULL and we call
+list_add_tail(&first->desc_node, ...).  In the first caller, the return
+is not checked so add a check for that.  In the next caller, the return
+is checked but if it fails on the first iteration through the loop then
+it will lead to a NULL pointer dereference.
+
+Fixes: 4e5385784e69 ("dmaengine: at_xdmac: handle numf > 1")
+Fixes: 62b5cb757f1d ("dmaengine: at_xdmac: fix memory leak in interleaved mode")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://lore.kernel.org/r/21282b66-9860-410a-83df-39c17fcf2f1b@kili.mountain
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index bfc8ae2143957..7919906b02e74 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -1026,6 +1026,8 @@ at_xdmac_prep_interleaved(struct dma_chan *chan,
+                                                       NULL,
+                                                       src_addr, dst_addr,
+                                                       xt, xt->sgl);
++              if (!first)
++                      return NULL;
+ 
+               /* Length of the block is (BLEN+1) microblocks. */
+               for (i = 0; i < xt->numf - 1; i++)
+@@ -1056,8 +1058,9 @@ at_xdmac_prep_interleaved(struct dma_chan *chan,
+                                                              src_addr, dst_addr,
+                                                              xt, chunk);
+                       if (!desc) {
+-                              list_splice_tail_init(&first->descs_list,
+-                                                    &atchan->free_descs_list);
++                              if (first)
++                                      list_splice_tail_init(&first->descs_list,
++                                                            &atchan->free_descs_list);
+                               return NULL;
+                       }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/dmaengine-pl330-rename-_start-to-prevent-build-error.patch b/queue-6.1/dmaengine-pl330-rename-_start-to-prevent-build-error.patch
new file mode 100644 (file)
index 0000000..7dd1aa4
--- /dev/null
+++ b/queue-6.1/dmaengine-pl330-rename-_start-to-prevent-build-error.patch
@@ -0,0 +1,85 @@
+From 41f6b17a9495516137ae983cb71f22660caece22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 May 2023 21:53:10 -0700
+Subject: dmaengine: pl330: rename _start to prevent build error
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit a1a5f2c887252dec161c1e12e04303ca9ba56fa9 ]
+
+"_start" is used in several arches and proably should be reserved
+for ARCH usage. Using it in a driver for a private symbol can cause
+a build error when it conflicts with ARCH usage of the same symbol.
+
+Therefore rename pl330's "_start" to "pl330_start_thread" so that there
+is no conflict and no build error.
+
+drivers/dma/pl330.c:1053:13: error: '_start' redeclared as different kind of symbol
+ 1053 | static bool _start(struct pl330_thread *thrd)
+      |             ^~~~~~
+In file included from ../include/linux/interrupt.h:21,
+                 from ../drivers/dma/pl330.c:18:
+arch/riscv/include/asm/sections.h:11:13: note: previous declaration of '_start' with type 'char[]'
+   11 | extern char _start[];
+      |             ^~~~~~
+
+Fixes: b7d861d93945 ("DMA: PL330: Merge PL330 driver into drivers/dma/")
+Fixes: ae43b3289186 ("ARM: 8202/1: dmaengine: pl330: Add runtime Power Management support v12")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Jaswinder Singh <jassisinghbrar@gmail.com>
+Cc: Boojin Kim <boojin.kim@samsung.com>
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: dmaengine@vger.kernel.org
+Cc: linux-riscv@lists.infradead.org
+Link: https://lore.kernel.org/r/20230524045310.27923-1-rdunlap@infradead.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pl330.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index 0d9257fbdfb0d..b4731fe6bbc14 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -1050,7 +1050,7 @@ static bool _trigger(struct pl330_thread *thrd)
+       return true;
+ }
+ 
+-static bool _start(struct pl330_thread *thrd)
++static bool pl330_start_thread(struct pl330_thread *thrd)
+ {
+       switch (_state(thrd)) {
+       case PL330_STATE_FAULT_COMPLETING:
+@@ -1702,7 +1702,7 @@ static int pl330_update(struct pl330_dmac *pl330)
+                       thrd->req_running = -1;
+ 
+                       /* Get going again ASAP */
+-                      _start(thrd);
++                      pl330_start_thread(thrd);
+ 
+                       /* For now, just make a list of callbacks to be done */
+                       list_add_tail(&descdone->rqd, &pl330->req_done);
+@@ -2089,7 +2089,7 @@ static void pl330_tasklet(struct tasklet_struct *t)
+       } else {
+               /* Make sure the PL330 Channel thread is active */
+               spin_lock(&pch->thread->dmac->lock);
+-              _start(pch->thread);
++              pl330_start_thread(pch->thread);
+               spin_unlock(&pch->thread->dmac->lock);
+       }
+ 
+@@ -2107,7 +2107,7 @@ static void pl330_tasklet(struct tasklet_struct *t)
+                       if (power_down) {
+                               pch->active = true;
+                               spin_lock(&pch->thread->dmac->lock);
+-                              _start(pch->thread);
++                              pl330_start_thread(pch->thread);
+                               spin_unlock(&pch->thread->dmac->lock);
+                               power_down = false;
+                       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/drivers-base-cacheinfo-fix-shared_cpu_map-changes-in.patch b/queue-6.1/drivers-base-cacheinfo-fix-shared_cpu_map-changes-in.patch
new file mode 100644 (file)
index 0000000..29baedd
--- /dev/null
+++ b/queue-6.1/drivers-base-cacheinfo-fix-shared_cpu_map-changes-in.patch
@@ -0,0 +1,121 @@
+From 8bae8a477742df0e3c2501358796e6c1f3f94976 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 14:11:14 +0530
+Subject: drivers: base: cacheinfo: Fix shared_cpu_map changes in event of CPU
+ hotplug
+
+From: K Prateek Nayak <kprateek.nayak@amd.com>
+
+[ Upstream commit 126310c9f669c9a8c875a3e5c2292299ca90225d ]
+
+While building the shared_cpu_map, check if the cache level and cache
+type matches. On certain systems that build the cache topology based on
+the instance ID, there are cases where the same ID may repeat across
+multiple cache levels, leading inaccurate topology.
+
+In event of CPU offlining, the cache_shared_cpu_map_remove() does not
+consider if IDs at same level are being compared. As a result, when same
+IDs repeat across different cache levels, the CPU going offline is not
+removed from all the shared_cpu_map.
+
+Below is the output of cache topology of CPU8 and it's SMT sibling after
+CPU8 is offlined on a dual socket 3rd Generation AMD EPYC processor
+(2 x 64C/128T) running kernel release v6.3:
+
+  # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done
+    /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136
+    /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136
+    /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136
+    /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143
+
+  # echo 0 > /sys/devices/system/cpu/cpu8/online
+
+  # for i in /sys/devices/system/cpu/cpu136/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done
+    /sys/devices/system/cpu/cpu136/cache/index0/shared_cpu_list: 136
+    /sys/devices/system/cpu/cpu136/cache/index1/shared_cpu_list: 8,136
+    /sys/devices/system/cpu/cpu136/cache/index2/shared_cpu_list: 8,136
+    /sys/devices/system/cpu/cpu136/cache/index3/shared_cpu_list: 9-15,136-143
+
+CPU8 is removed from index0 (L1i) but remains in the shared_cpu_list of
+index1 (L1d) and index2 (L2). Since L1i, L1d, and L2 are shared by the
+SMT siblings, and they have the same cache instance ID, CPU 2 is only
+removed from the first index with matching ID which is index1 (L1i) in
+this case. With this fix, the results are as expected when performing
+the same experiment on the same system:
+
+  # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done
+    /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136
+    /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136
+    /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136
+    /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143
+
+  # echo 0 > /sys/devices/system/cpu/cpu8/online
+
+  # for i in /sys/devices/system/cpu/cpu136/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done
+    /sys/devices/system/cpu/cpu136/cache/index0/shared_cpu_list: 136
+    /sys/devices/system/cpu/cpu136/cache/index1/shared_cpu_list: 136
+    /sys/devices/system/cpu/cpu136/cache/index2/shared_cpu_list: 136
+    /sys/devices/system/cpu/cpu136/cache/index3/shared_cpu_list: 9-15,136-143
+
+When rebuilding topology, the same problem appears as
+cache_shared_cpu_map_setup() implements a similar logic. Consider the
+same 3rd Generation EPYC processor: CPUs in Core 1, that share the L1
+and L2 caches, have L1 and L2 instance ID as 1. For all the CPUs on
+the second chiplet, the L3 ID is also 1 leading to grouping on CPUs from
+Core 1 (1, 17) and the entire second chiplet (8-15, 24-31) as CPUs
+sharing one cache domain. This went undetected since x86 processors
+depended on arch specific populate_cache_leaves() method to repopulate
+the shared_cpus_map when CPU came back online until kernel release
+v6.3-rc5.
+
+Fixes: 198102c9103f ("cacheinfo: Fix shared_cpu_map to handle shared caches at different levels")
+Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Link: https://lore.kernel.org/r/20230508084115.1157-2-kprateek.nayak@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/cacheinfo.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
+index c440d1af197a4..26e13887aba46 100644
+--- a/drivers/base/cacheinfo.c
++++ b/drivers/base/cacheinfo.c
+@@ -280,6 +280,16 @@ static int cache_shared_cpu_map_setup(unsigned int cpu)
+                               continue;/* skip if itself or no cacheinfo */
+                       for (sib_index = 0; sib_index < cache_leaves(i); sib_index++) {
+                               sib_leaf = per_cpu_cacheinfo_idx(i, sib_index);
++
++                              /*
++                               * Comparing cache IDs only makes sense if the leaves
++                               * belong to the same cache level of same type. Skip
++                               * the check if level and type do not match.
++                               */
++                              if (sib_leaf->level != this_leaf->level ||
++                                  sib_leaf->type != this_leaf->type)
++                                      continue;
++
+                               if (cache_leaves_are_shared(this_leaf, sib_leaf)) {
+                                       cpumask_set_cpu(cpu, &sib_leaf->shared_cpu_map);
+                                       cpumask_set_cpu(i, &this_leaf->shared_cpu_map);
+@@ -311,6 +321,16 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
+ 
+                       for (sib_index = 0; sib_index < cache_leaves(sibling); sib_index++) {
+                               sib_leaf = per_cpu_cacheinfo_idx(sibling, sib_index);
++
++                              /*
++                               * Comparing cache IDs only makes sense if the leaves
++                               * belong to the same cache level of same type. Skip
++                               * the check if level and type do not match.
++                               */
++                              if (sib_leaf->level != this_leaf->level ||
++                                  sib_leaf->type != this_leaf->type)
++                                      continue;
++
+                               if (cache_leaves_are_shared(this_leaf, sib_leaf)) {
+                                       cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map);
+                                       cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map);
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch b/queue-6.1/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch
new file mode 100644 (file)
index 0000000..c2a5b03
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch
@@ -0,0 +1,118 @@
+From ed2e2b43671067f71a3bfc7ddb2c0ebba4845540 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Apr 2023 13:51:19 +0800
+Subject: drm/amdgpu: release gpu full access after
+ "amdgpu_device_ip_late_init"
+
+From: Chong Li <chongli2@amd.com>
+
+[ Upstream commit 38eecbe086a4e52f54b2bbda8feba65d44addbef ]
+
+[WHY]
+ Function "amdgpu_irq_update()" called by "amdgpu_device_ip_late_init()" is an atomic context.
+ We shouldn't access registers through KIQ since "msleep()" may be called in "amdgpu_kiq_rreg()".
+
+[HOW]
+ Move function "amdgpu_virt_release_full_gpu()" after function "amdgpu_device_ip_late_init()",
+ to ensure that registers be accessed through RLCG instead of KIQ.
+
+Call Trace:
+  <TASK>
+  show_stack+0x52/0x69
+  dump_stack_lvl+0x49/0x6d
+  dump_stack+0x10/0x18
+  __schedule_bug.cold+0x4f/0x6b
+  __schedule+0x473/0x5d0
+  ? __wake_up_klogd.part.0+0x40/0x70
+  ? vprintk_emit+0xbe/0x1f0
+  schedule+0x68/0x110
+  schedule_timeout+0x87/0x160
+  ? timer_migration_handler+0xa0/0xa0
+  msleep+0x2d/0x50
+  amdgpu_kiq_rreg+0x18d/0x1f0 [amdgpu]
+  amdgpu_device_rreg.part.0+0x59/0xd0 [amdgpu]
+  amdgpu_device_rreg+0x3a/0x50 [amdgpu]
+  amdgpu_sriov_rreg+0x3c/0xb0 [amdgpu]
+  gfx_v10_0_set_gfx_eop_interrupt_state.constprop.0+0x16c/0x190 [amdgpu]
+  gfx_v10_0_set_eop_interrupt_state+0xa5/0xb0 [amdgpu]
+  amdgpu_irq_update+0x53/0x80 [amdgpu]
+  amdgpu_irq_get+0x7c/0xb0 [amdgpu]
+  amdgpu_fence_driver_hw_init+0x58/0x90 [amdgpu]
+  amdgpu_device_init.cold+0x16b7/0x2022 [amdgpu]
+
+Signed-off-by: Chong Li <chongli2@amd.com>
+Reviewed-by: JingWen.Chen2@amd.com
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 32 ++++++++++++----------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 011e4fbe27f10..c83df8b78b7de 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2512,8 +2512,6 @@ static int amdgpu_device_ip_init(struct amdgpu_device *adev)
+       amdgpu_fru_get_product_info(adev);
+ 
+ init_failed:
+-      if (amdgpu_sriov_vf(adev))
+-              amdgpu_virt_release_full_gpu(adev, true);
+ 
+       return r;
+ }
+@@ -3838,18 +3836,6 @@ int amdgpu_device_init(struct amdgpu_device *adev,
+ 
+       r = amdgpu_device_ip_init(adev);
+       if (r) {
+-              /* failed in exclusive mode due to timeout */
+-              if (amdgpu_sriov_vf(adev) &&
+-                  !amdgpu_sriov_runtime(adev) &&
+-                  amdgpu_virt_mmio_blocked(adev) &&
+-                  !amdgpu_virt_wait_reset(adev)) {
+-                      dev_err(adev->dev, "VF exclusive mode timeout\n");
+-                      /* Don't send request since VF is inactive. */
+-                      adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME;
+-                      adev->virt.ops = NULL;
+-                      r = -EAGAIN;
+-                      goto release_ras_con;
+-              }
+               dev_err(adev->dev, "amdgpu_device_ip_init failed\n");
+               amdgpu_vf_error_put(adev, AMDGIM_ERROR_VF_AMDGPU_INIT_FAIL, 0, 0);
+               goto release_ras_con;
+@@ -3921,8 +3907,10 @@ int amdgpu_device_init(struct amdgpu_device *adev,
+                                  msecs_to_jiffies(AMDGPU_RESUME_MS));
+       }
+ 
+-      if (amdgpu_sriov_vf(adev))
++      if (amdgpu_sriov_vf(adev)) {
++              amdgpu_virt_release_full_gpu(adev, true);
+               flush_delayed_work(&adev->delayed_init_work);
++      }
+ 
+       r = sysfs_create_files(&adev->dev->kobj, amdgpu_dev_attributes);
+       if (r)
+@@ -3962,6 +3950,20 @@ int amdgpu_device_init(struct amdgpu_device *adev,
+       return 0;
+ 
+ release_ras_con:
++      if (amdgpu_sriov_vf(adev))
++              amdgpu_virt_release_full_gpu(adev, true);
++
++      /* failed in exclusive mode due to timeout */
++      if (amdgpu_sriov_vf(adev) &&
++              !amdgpu_sriov_runtime(adev) &&
++              amdgpu_virt_mmio_blocked(adev) &&
++              !amdgpu_virt_wait_reset(adev)) {
++              dev_err(adev->dev, "VF exclusive mode timeout\n");
++              /* Don't send request since VF is inactive. */
++              adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME;
++              adev->virt.ops = NULL;
++              r = -EAGAIN;
++      }
+       amdgpu_release_ras_context(adev);
+ 
+ failed:
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-amdgpu-set-gfx9-onwards-apu-atomics-support-to-b.patch b/queue-6.1/drm-amdgpu-set-gfx9-onwards-apu-atomics-support-to-b.patch
new file mode 100644 (file)
index 0000000..40ff523
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-set-gfx9-onwards-apu-atomics-support-to-b.patch
@@ -0,0 +1,43 @@
+From 595c836559e3f30e633e5a558f278a97f61b9d00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 14:01:05 +0800
+Subject: drm/amdgpu: set gfx9 onwards APU atomics support to be true
+
+From: Yifan Zhang <yifan1.zhang@amd.com>
+
+[ Upstream commit af7828fbceed4f9e503034111066a0adef3db383 ]
+
+APUs w/ gfx9 onwards doesn't reply on PCIe atomics, rather
+it is internal path w/ native atomic support. Set have_atomics_support
+to true.
+
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Reviewed-by: Lang Yu <lang.yu@amd.com>
+Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 9556df0dfefad..ef0a94c70859b 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3734,6 +3734,12 @@ int amdgpu_device_init(struct amdgpu_device *adev,
+               adev->have_atomics_support = ((struct amd_sriov_msg_pf2vf_info *)
+                       adev->virt.fw_reserve.p_pf2vf)->pcie_atomic_ops_support_flags ==
+                       (PCI_EXP_DEVCAP2_ATOMIC_COMP32 | PCI_EXP_DEVCAP2_ATOMIC_COMP64);
++      /* APUs w/ gfx9 onwards doesn't reply on PCIe atomics, rather it is a
++       * internal path natively support atomics, set have_atomics_support to true.
++       */
++      else if ((adev->flags & AMD_IS_APU) &&
++              (adev->ip_versions[GC_HWIP][0] > IP_VERSION(9, 0, 0)))
++              adev->have_atomics_support = true;
+       else
+               adev->have_atomics_support =
+                       !pci_enable_atomic_ops_to_root(adev->pdev,
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch b/queue-6.1/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch
new file mode 100644 (file)
index 0000000..d934a80
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch
@@ -0,0 +1,52 @@
+From 40b8567b6bb2b8130f307c89649bf614dda47ab9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 16:15:27 +0800
+Subject: drm/amdgpu: skip disabling fence driver src_irqs when device is
+ unplugged
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit c1a322a7a4a96cd0a3dde32ce37af437a78bf8cd ]
+
+When performing device unbind or halt, we have disabled all irqs at the
+very begining like amdgpu_pci_remove or amdgpu_device_halt. So
+amdgpu_irq_put for irqs stored in fence driver should not be called
+any more, otherwise, below calltrace will arrive.
+
+[  139.114088] WARNING: CPU: 2 PID: 1550 at drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c:616 amdgpu_irq_put+0xf6/0x110 [amdgpu]
+[  139.114655] Call Trace:
+[  139.114655]  <TASK>
+[  139.114657]  amdgpu_fence_driver_hw_fini+0x93/0x130 [amdgpu]
+[  139.114836]  amdgpu_device_fini_hw+0xb6/0x350 [amdgpu]
+[  139.114955]  amdgpu_driver_unload_kms+0x51/0x70 [amdgpu]
+[  139.115075]  amdgpu_pci_remove+0x63/0x160 [amdgpu]
+[  139.115193]  ? __pm_runtime_resume+0x64/0x90
+[  139.115195]  pci_device_remove+0x3a/0xb0
+[  139.115197]  device_remove+0x43/0x70
+[  139.115198]  device_release_driver_internal+0xbd/0x140
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+index 3cc1929285fc0..ed6878d5b3ce3 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+@@ -528,7 +528,8 @@ void amdgpu_fence_driver_hw_fini(struct amdgpu_device *adev)
+               if (r)
+                       amdgpu_fence_driver_force_completion(ring);
+ 
+-              if (ring->fence_drv.irq_src)
++              if (!drm_dev_is_unplugged(adev_to_drm(adev)) &&
++                  ring->fence_drv.irq_src)
+                       amdgpu_irq_put(adev, ring->fence_drv.irq_src,
+                                      ring->fence_drv.irq_type);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch b/queue-6.1/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch
new file mode 100644 (file)
index 0000000..de9e161
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch
@@ -0,0 +1,77 @@
+From b9a9ce6d92b54d7c714d966a5a7cb13124675a26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Apr 2023 17:05:15 +0800
+Subject: drm/amdgpu: Use the default reset when loading or reloading the
+ driver
+
+From: lyndonli <Lyndon.Li@amd.com>
+
+[ Upstream commit 4eea7fb980dc44545a32eec92e2662053b34cd9d ]
+
+Below call trace and errors are observed when reloading
+amdgpu driver with the module parameter reset_method=3.
+
+It should do a default reset when loading or reloading the
+driver, regardless of the module parameter reset_method.
+
+v2: add comments inside and modify commit messages.
+
+[  +2.180243] [drm] psp gfx command ID_LOAD_TOC(0x20) failed
+and response status is (0x0)
+[  +0.000011] [drm:psp_hw_start [amdgpu]] *ERROR* Failed to load toc
+[  +0.000890] [drm:psp_hw_start [amdgpu]] *ERROR* PSP tmr init failed!
+[  +0.020683] [drm:amdgpu_fill_buffer [amdgpu]] *ERROR* Trying to
+clear memory with ring turned off.
+[  +0.000003] RIP: 0010:amdgpu_bo_release_notify+0x1ef/0x210 [amdgpu]
+[  +0.000004] Call Trace:
+[  +0.000003]  <TASK>
+[  +0.000008]  ttm_bo_release+0x2c4/0x330 [amdttm]
+[  +0.000026]  amdttm_bo_put+0x3c/0x70 [amdttm]
+[  +0.000020]  amdgpu_bo_free_kernel+0xe6/0x140 [amdgpu]
+[  +0.000728]  psp_v11_0_ring_destroy+0x34/0x60 [amdgpu]
+[  +0.000826]  psp_hw_init+0xe7/0x2f0 [amdgpu]
+[  +0.000813]  amdgpu_device_fw_loading+0x1ad/0x2d0 [amdgpu]
+[  +0.000731]  amdgpu_device_init.cold+0x108e/0x2002 [amdgpu]
+[  +0.001071]  ? do_pci_enable_device+0xe1/0x110
+[  +0.000011]  amdgpu_driver_load_kms+0x1a/0x160 [amdgpu]
+[  +0.000729]  amdgpu_pci_probe+0x179/0x3a0 [amdgpu]
+
+Signed-off-by: lyndonli <Lyndon.Li@amd.com>
+Signed-off-by: Yunxiang Li <Yunxiang.Li@amd.com>
+Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
+Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index c83df8b78b7de..9556df0dfefad 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3555,6 +3555,7 @@ int amdgpu_device_init(struct amdgpu_device *adev,
+       int r, i;
+       bool px = false;
+       u32 max_MBps;
++      int tmp;
+ 
+       adev->shutdown = false;
+       adev->flags = flags;
+@@ -3776,7 +3777,13 @@ int amdgpu_device_init(struct amdgpu_device *adev,
+                               }
+                       }
+               } else {
++                      tmp = amdgpu_reset_method;
++                      /* It should do a default reset when loading or reloading the driver,
++                       * regardless of the module parameter reset_method.
++                       */
++                      amdgpu_reset_method = AMD_RESET_METHOD_NONE;
+                       r = amdgpu_asic_reset(adev);
++                      amdgpu_reset_method = tmp;
+                       if (r) {
+                               dev_err(adev->dev, "asic reset on init failed\n");
+                               goto failed;
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-ast-fix-arm-compatibility.patch b/queue-6.1/drm-ast-fix-arm-compatibility.patch
new file mode 100644 (file)
index 0000000..b522482
--- /dev/null
+++ b/queue-6.1/drm-ast-fix-arm-compatibility.patch
@@ -0,0 +1,45 @@
+From e05cff381894f1295a6841070e325696af7603d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Apr 2023 08:33:54 +0800
+Subject: drm/ast: Fix ARM compatibility
+
+From: Jammy Huang <jammy_huang@aspeedtech.com>
+
+[ Upstream commit 4327a6137ed43a091d900b1ac833345d60f32228 ]
+
+ARM architecture only has 'memory', so all devices are accessed by
+MMIO if possible.
+
+Signed-off-by: Jammy Huang <jammy_huang@aspeedtech.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230421003354.27767-1-jammy_huang@aspeedtech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c
+index 067453266897f..5df527051177a 100644
+--- a/drivers/gpu/drm/ast/ast_main.c
++++ b/drivers/gpu/drm/ast/ast_main.c
+@@ -427,11 +427,12 @@ struct ast_private *ast_device_create(const struct drm_driver *drv,
+               return ERR_PTR(-EIO);
+ 
+       /*
+-       * If we don't have IO space at all, use MMIO now and
+-       * assume the chip has MMIO enabled by default (rev 0x20
+-       * and higher).
++       * After AST2500, MMIO is enabled by default, and it should be adopted
++       * to be compatible with Arm.
+        */
+-      if (!(pci_resource_flags(pdev, 2) & IORESOURCE_IO)) {
++      if (pdev->revision >= 0x40) {
++              ast->ioregs = ast->regs + AST_IO_MM_OFFSET;
++      } else if (!(pci_resource_flags(pdev, 2) & IORESOURCE_IO)) {
+               drm_info(dev, "platform has no IO space, trying MMIO\n");
+               ast->ioregs = ast->regs + AST_IO_MM_OFFSET;
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch b/queue-6.1/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch
new file mode 100644 (file)
index 0000000..8294819
--- /dev/null
+++ b/queue-6.1/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch
@@ -0,0 +1,42 @@
+From 479fb838625eea669eff6c1c86021803d14ca36e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 15:20:37 -0700
+Subject: drm/msm: Be more shouty if per-process pgtables aren't working
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 5c054db54c43a5fcb5cc81012361f5e3fac37637 ]
+
+Otherwise it is not always obvious if a dt or iommu change is causing us
+to fall back to global pgtable.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/537359/
+Link: https://lore.kernel.org/r/20230516222039.907690-2-robdclark@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_iommu.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c
+index 5577cea7c0092..d12ba47b37c4f 100644
+--- a/drivers/gpu/drm/msm/msm_iommu.c
++++ b/drivers/gpu/drm/msm/msm_iommu.c
+@@ -227,7 +227,12 @@ struct msm_mmu *msm_iommu_pagetable_create(struct msm_mmu *parent)
+       /* Get the pagetable configuration from the domain */
+       if (adreno_smmu->cookie)
+               ttbr1_cfg = adreno_smmu->get_ttbr1_cfg(adreno_smmu->cookie);
+-      if (!ttbr1_cfg)
++
++      /*
++       * If you hit this WARN_ONCE() you are probably missing an entry in
++       * qcom_smmu_impl_of_match[] in arm-smmu-qcom.c
++       */
++      if (WARN_ONCE(!ttbr1_cfg, "No per-process page tables"))
+               return ERR_PTR(-ENODEV);
+ 
+       /*
+-- 
+2.39.2
+

diff --git a/queue-6.1/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch b/queue-6.1/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch
new file mode 100644 (file)
index 0000000..8344079
--- /dev/null
+++ b/queue-6.1/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch
@@ -0,0 +1,80 @@
+From d12f7b6d148b1cb4417dfd4d8d1ebb5aa6be3ec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 11:08:41 +0800
+Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit c75f5a55061091030a13fef71b9995b89bc86213 ]
+
+A use-after-free bug may occur if init_imstt invokes framebuffer_release
+and free the info ptr. The caller, imsttfb_probe didn't notice that and
+still keep the ptr as private data in pdev.
+
+If we remove the driver which will call imsttfb_remove to make cleanup,
+UAF happens.
+
+Fix it by return error code if bad case happens in init_imstt.
+
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/imsttfb.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb.c
+index d7edb9c5d3a3f..e6adb2890ecfe 100644
+--- a/drivers/video/fbdev/imsttfb.c
++++ b/drivers/video/fbdev/imsttfb.c
+@@ -1347,7 +1347,7 @@ static const struct fb_ops imsttfb_ops = {
+       .fb_ioctl       = imsttfb_ioctl,
+ };
+ 
+-static void init_imstt(struct fb_info *info)
++static int init_imstt(struct fb_info *info)
+ {
+       struct imstt_par *par = info->par;
+       __u32 i, tmp, *ip, *end;
+@@ -1420,7 +1420,7 @@ static void init_imstt(struct fb_info *info)
+           || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) {
+               printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel);
+               framebuffer_release(info);
+-              return;
++              return -ENODEV;
+       }
+ 
+       sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? "IBM" : "TVP");
+@@ -1456,12 +1456,13 @@ static void init_imstt(struct fb_info *info)
+ 
+       if (register_framebuffer(info) < 0) {
+               framebuffer_release(info);
+-              return;
++              return -ENODEV;
+       }
+ 
+       tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8;
+       fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n",
+               info->fix.id, info->fix.smem_len >> 20, tmp);
++      return 0;
+ }
+ 
+ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+@@ -1529,10 +1530,10 @@ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+       if (!par->cmap_regs)
+               goto error;
+       info->pseudo_palette = par->palette;
+-      init_imstt(info);
+-
+-      pci_set_drvdata(pdev, info);
+-      return 0;
++      ret = init_imstt(info);
++      if (!ret)
++              pci_set_drvdata(pdev, info);
++      return ret;
+ 
+ error:
+       if (par->dc_regs)
+-- 
+2.39.2
+

diff --git a/queue-6.1/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch b/queue-6.1/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch
new file mode 100644 (file)
index 0000000..d946562
--- /dev/null
+++ b/queue-6.1/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch
@@ -0,0 +1,36 @@
+From 1c72dd5b940ad03f9b25a3e84c43e8892bc9dc25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Apr 2023 23:24:26 +0200
+Subject: fbdev: modedb: Add 1920x1080 at 60 Hz video mode
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit c8902258b2b8ecaa1b8d88c312853c5b14c2553d ]
+
+Add typical resolution for Full-HD monitors.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/modedb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/video/fbdev/core/modedb.c b/drivers/video/fbdev/core/modedb.c
+index 6473e0dfe1464..e78ec7f728463 100644
+--- a/drivers/video/fbdev/core/modedb.c
++++ b/drivers/video/fbdev/core/modedb.c
+@@ -257,6 +257,11 @@ static const struct fb_videomode modedb[] = {
+       { NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3, 0,
+               FB_VMODE_DOUBLE },
+ 
++      /* 1920x1080 @ 60 Hz, 67.3 kHz hsync */
++      { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5, 0,
++              FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
++              FB_VMODE_NONINTERLACED },
++
+       /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
+       { NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
+               FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
+-- 
+2.39.2
+

diff --git a/queue-6.1/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch b/queue-6.1/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch
new file mode 100644 (file)
index 0000000..58334d8
--- /dev/null
+++ b/queue-6.1/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch
@@ -0,0 +1,32 @@
+From 011355fe2d181d98d2957689cafd35079fd8c2f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 11:50:33 +0200
+Subject: fbdev: stifb: Fix info entry in sti_struct on error path
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 0bdf1ad8d10bd4e50a8b1a2c53d15984165f7fea ]
+
+Minor fix to reset the info field to NULL in case of error.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/stifb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/stifb.c b/drivers/video/fbdev/stifb.c
+index ef8a4c5fc6875..63f51783352dc 100644
+--- a/drivers/video/fbdev/stifb.c
++++ b/drivers/video/fbdev/stifb.c
+@@ -1413,6 +1413,7 @@ static int __init stifb_init_fb(struct sti_struct *sti, int bpp_pref)
+       iounmap(info->screen_base);
+ out_err0:
+       kfree(fb);
++      sti->info = NULL;
+       return -ENXIO;
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/gfs2-don-t-deref-jdesc-in-evict.patch b/queue-6.1/gfs2-don-t-deref-jdesc-in-evict.patch
new file mode 100644 (file)
index 0000000..71ee036
--- /dev/null
+++ b/queue-6.1/gfs2-don-t-deref-jdesc-in-evict.patch
@@ -0,0 +1,66 @@
+From b58e228ae72f24397ebf10e9d5f55c721adc677d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Apr 2023 12:07:46 -0400
+Subject: gfs2: Don't deref jdesc in evict
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 ]
+
+On corrupt gfs2 file systems the evict code can try to reference the
+journal descriptor structure, jdesc, after it has been freed and set to
+NULL. The sequence of events is:
+
+init_journal()
+...
+fail_jindex:
+   gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL
+      if (gfs2_holder_initialized(&ji_gh))
+         gfs2_glock_dq_uninit(&ji_gh);
+fail:
+   iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode
+      evict()
+         gfs2_evict_inode()
+            evict_linked_inode()
+               ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks);
+<------references the now freed/zeroed sd_jdesc pointer.
+
+The call to gfs2_trans_begin is done because the truncate_inode_pages
+call can cause gfs2 events that require a transaction, such as removing
+journaled data (jdata) blocks from the journal.
+
+This patch fixes the problem by adding a check for sdp->sd_jdesc to
+function gfs2_evict_inode. In theory, this should only happen to corrupt
+gfs2 file systems, when gfs2 detects the problem, reports it, then tries
+to evict all the system inodes it has read in up to that point.
+
+Reported-by: Yang Lan <lanyang0908@gmail.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/super.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
+index 2015bd05cba10..9d27aa8bd2bc6 100644
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -1380,6 +1380,14 @@ static void gfs2_evict_inode(struct inode *inode)
+       if (inode->i_nlink || sb_rdonly(sb))
+               goto out;
+ 
++      /*
++       * In case of an incomplete mount, gfs2_evict_inode() may be called for
++       * system files without having an active journal to write to.  In that
++       * case, skip the filesystem evict.
++       */
++      if (!sdp->sd_jdesc)
++              goto out;
++
+       gfs2_holder_mark_uninitialized(&gh);
+       ret = evict_should_delete(inode, &gh);
+       if (ret == SHOULD_DEFER_EVICTION)
+-- 
+2.39.2
+

diff --git a/queue-6.1/hwmon-k10temp-add-pci-id-for-family-19-model-78h.patch b/queue-6.1/hwmon-k10temp-add-pci-id-for-family-19-model-78h.patch
new file mode 100644 (file)
index 0000000..1f928a8
--- /dev/null
+++ b/queue-6.1/hwmon-k10temp-add-pci-id-for-family-19-model-78h.patch
@@ -0,0 +1,37 @@
+From 76013222e0fe042784c9232cc232f639e8119555 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 00:33:37 -0500
+Subject: hwmon: (k10temp) Add PCI ID for family 19, model 78h
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 7d8accfaa0ab65e4282c8e58950f7d688342cd86 ]
+
+Enable k10temp on this system.
+
+  [ bp: Massage. ]
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20230427053338.16653-3-mario.limonciello@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/k10temp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c
+index be8bbb1c3a02d..823d0ca1d6059 100644
+--- a/drivers/hwmon/k10temp.c
++++ b/drivers/hwmon/k10temp.c
+@@ -507,6 +507,7 @@ static const struct pci_device_id k10temp_id_table[] = {
+       { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M50H_DF_F3) },
+       { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M60H_DF_F3) },
+       { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M70H_DF_F3) },
++      { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M78H_DF_F3) },
+       { PCI_VDEVICE(HYGON, PCI_DEVICE_ID_AMD_17H_DF_F3) },
+       {}
+ };
+-- 
+2.39.2
+

diff --git a/queue-6.1/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch b/queue-6.1/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch
new file mode 100644 (file)
index 0000000..afa19f0
--- /dev/null
+++ b/queue-6.1/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch
@@ -0,0 +1,76 @@
+From 686b2cde9552d33a98a45d203070ac00ede943da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Apr 2023 21:11:53 +0100
+Subject: iommu/amd: Don't block updates to GATag if guest mode is on
+
+From: Joao Martins <joao.m.martins@oracle.com>
+
+[ Upstream commit ed8a2f4ddef2eaaf864ab1efbbca9788187036ab ]
+
+On KVM GSI routing table updates, specially those where they have vIOMMUs
+with interrupt remapping enabled (to boot >255vcpus setups without relying
+on KVM_FEATURE_MSI_EXT_DEST_ID), a VMM may update the backing VF MSIs
+with a new VCPU affinity.
+
+On AMD with AVIC enabled, the new vcpu affinity info is updated via:
+       avic_pi_update_irte()
+               irq_set_vcpu_affinity()
+                       amd_ir_set_vcpu_affinity()
+                               amd_iommu_{de}activate_guest_mode()
+
+Where the IRTE[GATag] is updated with the new vcpu affinity. The GATag
+contains VM ID and VCPU ID, and is used by IOMMU hardware to signal KVM
+(via GALog) when interrupt cannot be delivered due to vCPU is in
+blocking state.
+
+The issue is that amd_iommu_activate_guest_mode() will essentially
+only change IRTE fields on transitions from non-guest-mode to guest-mode
+and otherwise returns *with no changes to IRTE* on already configured
+guest-mode interrupts. To the guest this means that the VF interrupts
+remain affined to the first vCPU they were first configured, and guest
+will be unable to issue VF interrupts and receive messages like this
+from spurious interrupts (e.g. from waking the wrong vCPU in GALog):
+
+[  167.759472] __common_interrupt: 3.34 No irq handler for vector
+[  230.680927] mlx5_core 0000:00:02.0: mlx5_cmd_eq_recover:247:(pid
+3122): Recovered 1 EQEs on cmd_eq
+[  230.681799] mlx5_core 0000:00:02.0:
+wait_func_handle_exec_timeout:1113:(pid 3122): cmd[0]: CREATE_CQ(0x400)
+recovered after timeout
+[  230.683266] __common_interrupt: 3.34 No irq handler for vector
+
+Given the fact that amd_ir_set_vcpu_affinity() uses
+amd_iommu_activate_guest_mode() underneath it essentially means that VCPU
+affinity changes of IRTEs are nops. Fix it by dropping the check for
+guest-mode at amd_iommu_activate_guest_mode(). Same thing is applicable to
+amd_iommu_deactivate_guest_mode() although, even if the IRTE doesn't change
+underlying DestID on the host, the VFIO IRQ handler will still be able to
+poke at the right guest-vCPU.
+
+Fixes: b9c6ff94e43a ("iommu/amd: Re-factor guest virtual APIC (de-)activation code")
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Link: https://lore.kernel.org/r/20230419201154.83880-2-joao.m.martins@oracle.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index 26fb78003889f..0ccc6b8319fba 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -3504,8 +3504,7 @@ int amd_iommu_activate_guest_mode(void *data)
+       struct irte_ga *entry = (struct irte_ga *) ir_data->entry;
+       u64 valid;
+ 
+-      if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) ||
+-          !entry || entry->lo.fields_vapic.guest_mode)
++      if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) || !entry)
+               return 0;
+ 
+       valid = entry->lo.fields_vapic.valid;
+-- 
+2.39.2
+

diff --git a/queue-6.1/iommu-amd-fix-up-merge-conflict-resolution.patch b/queue-6.1/iommu-amd-fix-up-merge-conflict-resolution.patch
new file mode 100644 (file)
index 0000000..2e077ca
--- /dev/null
+++ b/queue-6.1/iommu-amd-fix-up-merge-conflict-resolution.patch
@@ -0,0 +1,45 @@
+From 0a4270f091d860e1623ece2e2607d219605d6954 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Apr 2023 12:20:13 -0700
+Subject: iommu/amd: Fix up merge conflict resolution
+
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+
+[ Upstream commit 8ec4e2befef10c7679cd59251956a428e783c0b5 ]
+
+Merge commit e17c6debd4b2 ("Merge branches 'arm/mediatek', 'arm/msm', 'arm/renesas', 'arm/rockchip', 'arm/smmu', 'x86/vt-d' and 'x86/amd' into next")
+added amd_iommu_init_devices, amd_iommu_uninit_devices,
+and amd_iommu_init_notifier back to drivers/iommu/amd/amd_iommu.h.
+The only references to them are here, so clean them up.
+
+Fixes: e17c6debd4b2 ("Merge branches 'arm/mediatek', 'arm/msm', 'arm/renesas', 'arm/rockchip', 'arm/smmu', 'x86/vt-d' and 'x86/amd' into next")
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Link: https://lore.kernel.org/r/20230420192013.733331-1-jsnitsel@redhat.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/amd_iommu.h | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/iommu/amd/amd_iommu.h b/drivers/iommu/amd/amd_iommu.h
+index 24c7e6c6c0de9..471f40351f4c8 100644
+--- a/drivers/iommu/amd/amd_iommu.h
++++ b/drivers/iommu/amd/amd_iommu.h
+@@ -16,9 +16,6 @@ extern irqreturn_t amd_iommu_int_handler(int irq, void *data);
+ extern void amd_iommu_apply_erratum_63(struct amd_iommu *iommu, u16 devid);
+ extern void amd_iommu_restart_event_logging(struct amd_iommu *iommu);
+ extern void amd_iommu_restart_ga_log(struct amd_iommu *iommu);
+-extern int amd_iommu_init_devices(void);
+-extern void amd_iommu_uninit_devices(void);
+-extern void amd_iommu_init_notifier(void);
+ extern void amd_iommu_set_rlookup_table(struct amd_iommu *iommu, u16 devid);
+ 
+ #ifdef CONFIG_AMD_IOMMU_DEBUGFS
+-- 
+2.39.2
+

diff --git a/queue-6.1/iommu-amd-handle-galog-overflows.patch b/queue-6.1/iommu-amd-handle-galog-overflows.patch
new file mode 100644 (file)
index 0000000..ccd9d41
--- /dev/null
+++ b/queue-6.1/iommu-amd-handle-galog-overflows.patch
@@ -0,0 +1,139 @@
+From 004ca64f9c6711b28a2bb4291db823e49028eda5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Apr 2023 21:11:54 +0100
+Subject: iommu/amd: Handle GALog overflows
+
+From: Joao Martins <joao.m.martins@oracle.com>
+
+[ Upstream commit af47b0a24058e56e983881993752f88288ca6511 ]
+
+GALog exists to propagate interrupts into all vCPUs in the system when
+interrupts are marked as non running (e.g. when vCPUs aren't running). A
+GALog overflow happens when there's in no space in the log to record the
+GATag of the interrupt. So when the GALOverflow condition happens, the
+GALog queue is processed and the GALog is restarted, as the IOMMU
+manual indicates in section "2.7.4 Guest Virtual APIC Log Restart
+Procedure":
+
+| * Wait until MMIO Offset 2020h[GALogRun]=0b so that all request
+|   entries are completed as circumstances allow. GALogRun must be 0b to
+|   modify the guest virtual APIC log registers safely.
+| * Write MMIO Offset 0018h[GALogEn]=0b.
+| * As necessary, change the following values (e.g., to relocate or
+| resize the guest virtual APIC event log):
+|   - the Guest Virtual APIC Log Base Address Register
+|      [MMIO Offset 00E0h],
+|   - the Guest Virtual APIC Log Head Pointer Register
+|      [MMIO Offset 2040h][GALogHead], and
+|   - the Guest Virtual APIC Log Tail Pointer Register
+|      [MMIO Offset 2048h][GALogTail].
+| * Write MMIO Offset 2020h[GALOverflow] = 1b to clear the bit (W1C).
+| * Write MMIO Offset 0018h[GALogEn] = 1b, and either set
+|   MMIO Offset 0018h[GAIntEn] to enable the GA log interrupt or clear
+|   the bit to disable it.
+
+Failing to handle the GALog overflow means that none of the VFs (in any
+guest) will work with IOMMU AVIC forcing the user to power cycle the
+host. When handling the event it resumes the GALog without resizing
+much like how it is done in the event handler overflow. The
+[MMIO Offset 2020h][GALOverflow] bit might be set in status register
+without the [MMIO Offset 2020h][GAInt] bit, so when deciding to poll
+for GA events (to clear space in the galog), also check the overflow
+bit.
+
+[suravee: Check for GAOverflow without GAInt, toggle CONTROL_GAINT_EN]
+
+Co-developed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Link: https://lore.kernel.org/r/20230419201154.83880-3-joao.m.martins@oracle.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Stable-dep-of: 8ec4e2befef1 ("iommu/amd: Fix up merge conflict resolution")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/amd_iommu.h |  1 +
+ drivers/iommu/amd/init.c      | 24 ++++++++++++++++++++++++
+ drivers/iommu/amd/iommu.c     |  9 ++++++++-
+ 3 files changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/amd_iommu.h b/drivers/iommu/amd/amd_iommu.h
+index c160a332ce339..24c7e6c6c0de9 100644
+--- a/drivers/iommu/amd/amd_iommu.h
++++ b/drivers/iommu/amd/amd_iommu.h
+@@ -15,6 +15,7 @@ extern irqreturn_t amd_iommu_int_thread(int irq, void *data);
+ extern irqreturn_t amd_iommu_int_handler(int irq, void *data);
+ extern void amd_iommu_apply_erratum_63(struct amd_iommu *iommu, u16 devid);
+ extern void amd_iommu_restart_event_logging(struct amd_iommu *iommu);
++extern void amd_iommu_restart_ga_log(struct amd_iommu *iommu);
+ extern int amd_iommu_init_devices(void);
+ extern void amd_iommu_uninit_devices(void);
+ extern void amd_iommu_init_notifier(void);
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index 7c14b1d32c8db..b0af8b5967e0d 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -751,6 +751,30 @@ void amd_iommu_restart_event_logging(struct amd_iommu *iommu)
+       iommu_feature_enable(iommu, CONTROL_EVT_LOG_EN);
+ }
+ 
++/*
++ * This function restarts event logging in case the IOMMU experienced
++ * an GA log overflow.
++ */
++void amd_iommu_restart_ga_log(struct amd_iommu *iommu)
++{
++      u32 status;
++
++      status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET);
++      if (status & MMIO_STATUS_GALOG_RUN_MASK)
++              return;
++
++      pr_info_ratelimited("IOMMU GA Log restarting\n");
++
++      iommu_feature_disable(iommu, CONTROL_GALOG_EN);
++      iommu_feature_disable(iommu, CONTROL_GAINT_EN);
++
++      writel(MMIO_STATUS_GALOG_OVERFLOW_MASK,
++             iommu->mmio_base + MMIO_STATUS_OFFSET);
++
++      iommu_feature_enable(iommu, CONTROL_GAINT_EN);
++      iommu_feature_enable(iommu, CONTROL_GALOG_EN);
++}
++
+ /*
+  * This function resets the command buffer if the IOMMU stopped fetching
+  * commands from it.
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index 0ccc6b8319fba..16c5d1b97b564 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -836,6 +836,7 @@ amd_iommu_set_pci_msi_domain(struct device *dev, struct amd_iommu *iommu) { }
+       (MMIO_STATUS_EVT_OVERFLOW_INT_MASK | \
+        MMIO_STATUS_EVT_INT_MASK | \
+        MMIO_STATUS_PPR_INT_MASK | \
++       MMIO_STATUS_GALOG_OVERFLOW_MASK | \
+        MMIO_STATUS_GALOG_INT_MASK)
+ 
+ irqreturn_t amd_iommu_int_thread(int irq, void *data)
+@@ -859,10 +860,16 @@ irqreturn_t amd_iommu_int_thread(int irq, void *data)
+               }
+ 
+ #ifdef CONFIG_IRQ_REMAP
+-              if (status & MMIO_STATUS_GALOG_INT_MASK) {
++              if (status & (MMIO_STATUS_GALOG_INT_MASK |
++                            MMIO_STATUS_GALOG_OVERFLOW_MASK)) {
+                       pr_devel("Processing IOMMU GA Log\n");
+                       iommu_poll_ga_log(iommu);
+               }
++
++              if (status & MMIO_STATUS_GALOG_OVERFLOW_MASK) {
++                      pr_info_ratelimited("IOMMU GA Log overflow\n");
++                      amd_iommu_restart_ga_log(iommu);
++              }
+ #endif
+ 
+               if (status & MMIO_STATUS_EVT_OVERFLOW_INT_MASK) {
+-- 
+2.39.2
+

diff --git a/queue-6.1/iommu-mediatek-flush-iotlb-completely-only-if-domain.patch b/queue-6.1/iommu-mediatek-flush-iotlb-completely-only-if-domain.patch
new file mode 100644 (file)
index 0000000..beb9870
--- /dev/null
+++ b/queue-6.1/iommu-mediatek-flush-iotlb-completely-only-if-domain.patch
@@ -0,0 +1,58 @@
+From 62ea41c15238c8c53f5eca4cca49d74fde5de92d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 16:53:59 +0800
+Subject: iommu/mediatek: Flush IOTLB completely only if domain has been
+ attached
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit b3fc95709c54ffbe80f16801e0a792a4d2b3d55e ]
+
+If an IOMMU domain was never attached, it lacks any linkage to the
+actual IOMMU hardware. Attempting to do flush_iotlb_all() on it will
+result in a NULL pointer dereference. This seems to happen after the
+recent IOMMU core rework in v6.4-rc1.
+
+    Unable to handle kernel read from unreadable memory at virtual address 0000000000000018
+    Call trace:
+     mtk_iommu_flush_iotlb_all+0x20/0x80
+     iommu_create_device_direct_mappings.part.0+0x13c/0x230
+     iommu_setup_default_domain+0x29c/0x4d0
+     iommu_probe_device+0x12c/0x190
+     of_iommu_configure+0x140/0x208
+     of_dma_configure_id+0x19c/0x3c0
+     platform_dma_configure+0x38/0x88
+     really_probe+0x78/0x2c0
+
+Check if the "bank" field has been filled in before actually attempting
+the IOTLB flush to avoid it. The IOTLB is also flushed when the device
+comes out of runtime suspend, so it should have a clean initial state.
+
+Fixes: 08500c43d4f7 ("iommu/mediatek: Adjust the structure")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Yong Wu <yong.wu@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20230526085402.394239-1-wenst@chromium.org
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index e93ca9dc37c8e..2ae5a6058a34a 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -737,7 +737,8 @@ static void mtk_iommu_flush_iotlb_all(struct iommu_domain *domain)
+ {
+       struct mtk_iommu_domain *dom = to_mtk_domain(domain);
+ 
+-      mtk_iommu_tlb_flush_all(dom->bank->parent_data);
++      if (dom->bank)
++              mtk_iommu_tlb_flush_all(dom->bank->parent_data);
+ }
+ 
+ static void mtk_iommu_iotlb_sync(struct iommu_domain *domain,
+-- 
+2.39.2
+

diff --git a/queue-6.1/iommu-rockchip-fix-unwind-goto-issue.patch b/queue-6.1/iommu-rockchip-fix-unwind-goto-issue.patch
new file mode 100644 (file)
index 0000000..57a6efc
--- /dev/null
+++ b/queue-6.1/iommu-rockchip-fix-unwind-goto-issue.patch
@@ -0,0 +1,67 @@
+From a5bf93a7dfc9a66b7b693e1aaeea2799920d7b45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 03:04:21 +0000
+Subject: iommu/rockchip: Fix unwind goto issue
+
+From: Chao Wang <D202280639@hust.edu.cn>
+
+[ Upstream commit ec014683c564fb74fc68e8f5e84691d3b3839d24 ]
+
+Smatch complains that
+drivers/iommu/rockchip-iommu.c:1306 rk_iommu_probe() warn: missing unwind goto?
+
+The rk_iommu_probe function, after obtaining the irq value through
+platform_get_irq, directly returns an error if the returned value
+is negative, without releasing any resources.
+
+Fix this by adding a new error handling label "err_pm_disable" and
+use a goto statement to redirect to the error handling process. In
+order to preserve the original semantics, set err to the value of irq.
+
+Fixes: 1aa55ca9b14a ("iommu/rockchip: Move irq request past pm_runtime_enable")
+Signed-off-by: Chao Wang <D202280639@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20230417030421.2777-1-D202280639@hust.edu.cn
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/rockchip-iommu.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/rockchip-iommu.c b/drivers/iommu/rockchip-iommu.c
+index a68eadd64f38d..f7e9b56be174f 100644
+--- a/drivers/iommu/rockchip-iommu.c
++++ b/drivers/iommu/rockchip-iommu.c
+@@ -1303,20 +1303,22 @@ static int rk_iommu_probe(struct platform_device *pdev)
+       for (i = 0; i < iommu->num_irq; i++) {
+               int irq = platform_get_irq(pdev, i);
+ 
+-              if (irq < 0)
+-                      return irq;
++              if (irq < 0) {
++                      err = irq;
++                      goto err_pm_disable;
++              }
+ 
+               err = devm_request_irq(iommu->dev, irq, rk_iommu_irq,
+                                      IRQF_SHARED, dev_name(dev), iommu);
+-              if (err) {
+-                      pm_runtime_disable(dev);
+-                      goto err_remove_sysfs;
+-              }
++              if (err)
++                      goto err_pm_disable;
+       }
+ 
+       dma_set_mask_and_coherent(dev, rk_ops->dma_bit_mask);
+ 
+       return 0;
++err_pm_disable:
++      pm_runtime_disable(dev);
+ err_remove_sysfs:
+       iommu_device_sysfs_remove(&iommu->iommu);
+ err_put_group:
+-- 
+2.39.2
+

diff --git a/queue-6.1/kvm-arm64-vgic-fix-a-circular-locking-issue.patch b/queue-6.1/kvm-arm64-vgic-fix-a-circular-locking-issue.patch
new file mode 100644 (file)
index 0000000..5ea87ed
--- /dev/null
+++ b/queue-6.1/kvm-arm64-vgic-fix-a-circular-locking-issue.patch
@@ -0,0 +1,348 @@
+From 9e9f9ecbd478dfc05fc0e7827f93e5ee1da2d126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 May 2023 11:09:15 +0100
+Subject: KVM: arm64: vgic: Fix a circular locking issue
+
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+
+[ Upstream commit 59112e9c390be595224e427827475a6cd3726021 ]
+
+Lockdep reports a circular lock dependency between the srcu and the
+config_lock:
+
+[  262.179917] -> #1 (&kvm->srcu){.+.+}-{0:0}:
+[  262.182010]        __synchronize_srcu+0xb0/0x224
+[  262.183422]        synchronize_srcu_expedited+0x24/0x34
+[  262.184554]        kvm_io_bus_register_dev+0x324/0x50c
+[  262.185650]        vgic_register_redist_iodev+0x254/0x398
+[  262.186740]        vgic_v3_set_redist_base+0x3b0/0x724
+[  262.188087]        kvm_vgic_addr+0x364/0x600
+[  262.189189]        vgic_set_common_attr+0x90/0x544
+[  262.190278]        vgic_v3_set_attr+0x74/0x9c
+[  262.191432]        kvm_device_ioctl+0x2a0/0x4e4
+[  262.192515]        __arm64_sys_ioctl+0x7ac/0x1ba8
+[  262.193612]        invoke_syscall.constprop.0+0x70/0x1e0
+[  262.195006]        do_el0_svc+0xe4/0x2d4
+[  262.195929]        el0_svc+0x44/0x8c
+[  262.196917]        el0t_64_sync_handler+0xf4/0x120
+[  262.198238]        el0t_64_sync+0x190/0x194
+[  262.199224]
+[  262.199224] -> #0 (&kvm->arch.config_lock){+.+.}-{3:3}:
+[  262.201094]        __lock_acquire+0x2b70/0x626c
+[  262.202245]        lock_acquire+0x454/0x778
+[  262.203132]        __mutex_lock+0x190/0x8b4
+[  262.204023]        mutex_lock_nested+0x24/0x30
+[  262.205100]        vgic_mmio_write_v3_misc+0x5c/0x2a0
+[  262.206178]        dispatch_mmio_write+0xd8/0x258
+[  262.207498]        __kvm_io_bus_write+0x1e0/0x350
+[  262.208582]        kvm_io_bus_write+0xe0/0x1cc
+[  262.209653]        io_mem_abort+0x2ac/0x6d8
+[  262.210569]        kvm_handle_guest_abort+0x9b8/0x1f88
+[  262.211937]        handle_exit+0xc4/0x39c
+[  262.212971]        kvm_arch_vcpu_ioctl_run+0x90c/0x1c04
+[  262.214154]        kvm_vcpu_ioctl+0x450/0x12f8
+[  262.215233]        __arm64_sys_ioctl+0x7ac/0x1ba8
+[  262.216402]        invoke_syscall.constprop.0+0x70/0x1e0
+[  262.217774]        do_el0_svc+0xe4/0x2d4
+[  262.218758]        el0_svc+0x44/0x8c
+[  262.219941]        el0t_64_sync_handler+0xf4/0x120
+[  262.221110]        el0t_64_sync+0x190/0x194
+
+Note that the current report, which can be triggered by the vgic_irq
+kselftest, is a triple chain that includes slots_lock, but after
+inverting the slots_lock/config_lock dependency, the actual problem
+reported above remains.
+
+In several places, the vgic code calls kvm_io_bus_register_dev(), which
+synchronizes the srcu, while holding config_lock (#1). And the MMIO
+handler takes the config_lock while holding the srcu read lock (#0).
+
+Break dependency #1, by registering the distributor and redistributors
+without holding config_lock. The ITS also uses kvm_io_bus_register_dev()
+but already relies on slots_lock to serialize calls.
+
+The distributor iodev is created on the first KVM_RUN call. Multiple
+threads will race for vgic initialization, and only the first one will
+see !vgic_ready() under the lock. To serialize those threads, rely on
+slots_lock rather than config_lock.
+
+Redistributors are created earlier, through KVM_DEV_ARM_VGIC_GRP_ADDR
+ioctls and vCPU creation. Similarly, serialize the iodev creation with
+slots_lock, and the rest with config_lock.
+
+Fixes: f00327731131 ("KVM: arm64: Use config_lock to protect vgic state")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230518100914.2837292-2-jean-philippe@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/vgic/vgic-init.c       | 25 ++++++++++++++++-----
+ arch/arm64/kvm/vgic/vgic-kvm-device.c | 10 +++++++--
+ arch/arm64/kvm/vgic/vgic-mmio-v3.c    | 31 ++++++++++++++++++---------
+ arch/arm64/kvm/vgic/vgic-mmio.c       |  9 ++------
+ arch/arm64/kvm/vgic/vgic-v2.c         |  6 ------
+ arch/arm64/kvm/vgic/vgic-v3.c         |  7 ------
+ 6 files changed, 51 insertions(+), 37 deletions(-)
+
+diff --git a/arch/arm64/kvm/vgic/vgic-init.c b/arch/arm64/kvm/vgic/vgic-init.c
+index 8c1d2d7128db6..37e74ca4dad85 100644
+--- a/arch/arm64/kvm/vgic/vgic-init.c
++++ b/arch/arm64/kvm/vgic/vgic-init.c
+@@ -235,9 +235,9 @@ int kvm_vgic_vcpu_init(struct kvm_vcpu *vcpu)
+        * KVM io device for the redistributor that belongs to this VCPU.
+        */
+       if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) {
+-              mutex_lock(&vcpu->kvm->arch.config_lock);
++              mutex_lock(&vcpu->kvm->slots_lock);
+               ret = vgic_register_redist_iodev(vcpu);
+-              mutex_unlock(&vcpu->kvm->arch.config_lock);
++              mutex_unlock(&vcpu->kvm->slots_lock);
+       }
+       return ret;
+ }
+@@ -446,11 +446,13 @@ int vgic_lazy_init(struct kvm *kvm)
+ int kvm_vgic_map_resources(struct kvm *kvm)
+ {
+       struct vgic_dist *dist = &kvm->arch.vgic;
++      gpa_t dist_base;
+       int ret = 0;
+ 
+       if (likely(vgic_ready(kvm)))
+               return 0;
+ 
++      mutex_lock(&kvm->slots_lock);
+       mutex_lock(&kvm->arch.config_lock);
+       if (vgic_ready(kvm))
+               goto out;
+@@ -463,13 +465,26 @@ int kvm_vgic_map_resources(struct kvm *kvm)
+       else
+               ret = vgic_v3_map_resources(kvm);
+ 
+-      if (ret)
++      if (ret) {
+               __kvm_vgic_destroy(kvm);
+-      else
+-              dist->ready = true;
++              goto out;
++      }
++      dist->ready = true;
++      dist_base = dist->vgic_dist_base;
++      mutex_unlock(&kvm->arch.config_lock);
++
++      ret = vgic_register_dist_iodev(kvm, dist_base,
++                                     kvm_vgic_global_state.type);
++      if (ret) {
++              kvm_err("Unable to register VGIC dist MMIO regions\n");
++              kvm_vgic_destroy(kvm);
++      }
++      mutex_unlock(&kvm->slots_lock);
++      return ret;
+ 
+ out:
+       mutex_unlock(&kvm->arch.config_lock);
++      mutex_unlock(&kvm->slots_lock);
+       return ret;
+ }
+ 
+diff --git a/arch/arm64/kvm/vgic/vgic-kvm-device.c b/arch/arm64/kvm/vgic/vgic-kvm-device.c
+index 07e727023deb7..bf4b3d9631ce1 100644
+--- a/arch/arm64/kvm/vgic/vgic-kvm-device.c
++++ b/arch/arm64/kvm/vgic/vgic-kvm-device.c
+@@ -102,7 +102,11 @@ static int kvm_vgic_addr(struct kvm *kvm, struct kvm_device_attr *attr, bool wri
+               if (get_user(addr, uaddr))
+                       return -EFAULT;
+ 
+-      mutex_lock(&kvm->arch.config_lock);
++      /*
++       * Since we can't hold config_lock while registering the redistributor
++       * iodevs, take the slots_lock immediately.
++       */
++      mutex_lock(&kvm->slots_lock);
+       switch (attr->attr) {
+       case KVM_VGIC_V2_ADDR_TYPE_DIST:
+               r = vgic_check_type(kvm, KVM_DEV_TYPE_ARM_VGIC_V2);
+@@ -182,6 +186,7 @@ static int kvm_vgic_addr(struct kvm *kvm, struct kvm_device_attr *attr, bool wri
+       if (r)
+               goto out;
+ 
++      mutex_lock(&kvm->arch.config_lock);
+       if (write) {
+               r = vgic_check_iorange(kvm, *addr_ptr, addr, alignment, size);
+               if (!r)
+@@ -189,9 +194,10 @@ static int kvm_vgic_addr(struct kvm *kvm, struct kvm_device_attr *attr, bool wri
+       } else {
+               addr = *addr_ptr;
+       }
++      mutex_unlock(&kvm->arch.config_lock);
+ 
+ out:
+-      mutex_unlock(&kvm->arch.config_lock);
++      mutex_unlock(&kvm->slots_lock);
+ 
+       if (!r && !write)
+               r =  put_user(addr, uaddr);
+diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
+index 472b18ac92a24..188d2187eede9 100644
+--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c
++++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
+@@ -769,10 +769,13 @@ int vgic_register_redist_iodev(struct kvm_vcpu *vcpu)
+       struct vgic_io_device *rd_dev = &vcpu->arch.vgic_cpu.rd_iodev;
+       struct vgic_redist_region *rdreg;
+       gpa_t rd_base;
+-      int ret;
++      int ret = 0;
++
++      lockdep_assert_held(&kvm->slots_lock);
++      mutex_lock(&kvm->arch.config_lock);
+ 
+       if (!IS_VGIC_ADDR_UNDEF(vgic_cpu->rd_iodev.base_addr))
+-              return 0;
++              goto out_unlock;
+ 
+       /*
+        * We may be creating VCPUs before having set the base address for the
+@@ -782,10 +785,12 @@ int vgic_register_redist_iodev(struct kvm_vcpu *vcpu)
+        */
+       rdreg = vgic_v3_rdist_free_slot(&vgic->rd_regions);
+       if (!rdreg)
+-              return 0;
++              goto out_unlock;
+ 
+-      if (!vgic_v3_check_base(kvm))
+-              return -EINVAL;
++      if (!vgic_v3_check_base(kvm)) {
++              ret = -EINVAL;
++              goto out_unlock;
++      }
+ 
+       vgic_cpu->rdreg = rdreg;
+       vgic_cpu->rdreg_index = rdreg->free_index;
+@@ -799,16 +804,20 @@ int vgic_register_redist_iodev(struct kvm_vcpu *vcpu)
+       rd_dev->nr_regions = ARRAY_SIZE(vgic_v3_rd_registers);
+       rd_dev->redist_vcpu = vcpu;
+ 
+-      mutex_lock(&kvm->slots_lock);
++      mutex_unlock(&kvm->arch.config_lock);
++
+       ret = kvm_io_bus_register_dev(kvm, KVM_MMIO_BUS, rd_base,
+                                     2 * SZ_64K, &rd_dev->dev);
+-      mutex_unlock(&kvm->slots_lock);
+-
+       if (ret)
+               return ret;
+ 
++      /* Protected by slots_lock */
+       rdreg->free_index++;
+       return 0;
++
++out_unlock:
++      mutex_unlock(&kvm->arch.config_lock);
++      return ret;
+ }
+ 
+ static void vgic_unregister_redist_iodev(struct kvm_vcpu *vcpu)
+@@ -834,12 +843,10 @@ static int vgic_register_all_redist_iodevs(struct kvm *kvm)
+               /* The current c failed, so iterate over the previous ones. */
+               int i;
+ 
+-              mutex_lock(&kvm->slots_lock);
+               for (i = 0; i < c; i++) {
+                       vcpu = kvm_get_vcpu(kvm, i);
+                       vgic_unregister_redist_iodev(vcpu);
+               }
+-              mutex_unlock(&kvm->slots_lock);
+       }
+ 
+       return ret;
+@@ -938,7 +945,9 @@ int vgic_v3_set_redist_base(struct kvm *kvm, u32 index, u64 addr, u32 count)
+ {
+       int ret;
+ 
++      mutex_lock(&kvm->arch.config_lock);
+       ret = vgic_v3_alloc_redist_region(kvm, index, addr, count);
++      mutex_unlock(&kvm->arch.config_lock);
+       if (ret)
+               return ret;
+ 
+@@ -950,8 +959,10 @@ int vgic_v3_set_redist_base(struct kvm *kvm, u32 index, u64 addr, u32 count)
+       if (ret) {
+               struct vgic_redist_region *rdreg;
+ 
++              mutex_lock(&kvm->arch.config_lock);
+               rdreg = vgic_v3_rdist_region_from_index(kvm, index);
+               vgic_v3_free_redist_region(rdreg);
++              mutex_unlock(&kvm->arch.config_lock);
+               return ret;
+       }
+ 
+diff --git a/arch/arm64/kvm/vgic/vgic-mmio.c b/arch/arm64/kvm/vgic/vgic-mmio.c
+index a95f99b93dd68..eb5c58d785b99 100644
+--- a/arch/arm64/kvm/vgic/vgic-mmio.c
++++ b/arch/arm64/kvm/vgic/vgic-mmio.c
+@@ -1093,7 +1093,6 @@ int vgic_register_dist_iodev(struct kvm *kvm, gpa_t dist_base_address,
+                            enum vgic_type type)
+ {
+       struct vgic_io_device *io_device = &kvm->arch.vgic.dist_iodev;
+-      int ret = 0;
+       unsigned int len;
+ 
+       switch (type) {
+@@ -1111,10 +1110,6 @@ int vgic_register_dist_iodev(struct kvm *kvm, gpa_t dist_base_address,
+       io_device->iodev_type = IODEV_DIST;
+       io_device->redist_vcpu = NULL;
+ 
+-      mutex_lock(&kvm->slots_lock);
+-      ret = kvm_io_bus_register_dev(kvm, KVM_MMIO_BUS, dist_base_address,
+-                                    len, &io_device->dev);
+-      mutex_unlock(&kvm->slots_lock);
+-
+-      return ret;
++      return kvm_io_bus_register_dev(kvm, KVM_MMIO_BUS, dist_base_address,
++                                     len, &io_device->dev);
+ }
+diff --git a/arch/arm64/kvm/vgic/vgic-v2.c b/arch/arm64/kvm/vgic/vgic-v2.c
+index 645648349c99b..7e9cdb78f7ce8 100644
+--- a/arch/arm64/kvm/vgic/vgic-v2.c
++++ b/arch/arm64/kvm/vgic/vgic-v2.c
+@@ -312,12 +312,6 @@ int vgic_v2_map_resources(struct kvm *kvm)
+               return ret;
+       }
+ 
+-      ret = vgic_register_dist_iodev(kvm, dist->vgic_dist_base, VGIC_V2);
+-      if (ret) {
+-              kvm_err("Unable to register VGIC MMIO regions\n");
+-              return ret;
+-      }
+-
+       if (!static_branch_unlikely(&vgic_v2_cpuif_trap)) {
+               ret = kvm_phys_addr_ioremap(kvm, dist->vgic_cpu_base,
+                                           kvm_vgic_global_state.vcpu_base,
+diff --git a/arch/arm64/kvm/vgic/vgic-v3.c b/arch/arm64/kvm/vgic/vgic-v3.c
+index 5bdada3137287..f86c3007a319c 100644
+--- a/arch/arm64/kvm/vgic/vgic-v3.c
++++ b/arch/arm64/kvm/vgic/vgic-v3.c
+@@ -538,7 +538,6 @@ int vgic_v3_map_resources(struct kvm *kvm)
+ {
+       struct vgic_dist *dist = &kvm->arch.vgic;
+       struct kvm_vcpu *vcpu;
+-      int ret = 0;
+       unsigned long c;
+ 
+       kvm_for_each_vcpu(c, vcpu, kvm) {
+@@ -568,12 +567,6 @@ int vgic_v3_map_resources(struct kvm *kvm)
+               return -EBUSY;
+       }
+ 
+-      ret = vgic_register_dist_iodev(kvm, dist->vgic_dist_base, VGIC_V3);
+-      if (ret) {
+-              kvm_err("Unable to register VGICv3 dist MMIO regions\n");
+-              return ret;
+-      }
+-
+       if (kvm_vgic_global_state.has_gicv4_1)
+               vgic_v4_configure_vsgis(kvm);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/kvm-arm64-vgic-fix-locking-comment.patch b/queue-6.1/kvm-arm64-vgic-fix-locking-comment.patch
new file mode 100644 (file)
index 0000000..9cd78f8
--- /dev/null
+++ b/queue-6.1/kvm-arm64-vgic-fix-locking-comment.patch
@@ -0,0 +1,45 @@
+From f91a1de7e2d1fa63716f99305ca68fcadcbec316 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 May 2023 11:09:17 +0100
+Subject: KVM: arm64: vgic: Fix locking comment
+
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+
+[ Upstream commit c38b8400aef99d63be2b1ff131bb993465dcafe1 ]
+
+It is now config_lock that must be held, not kvm lock. Replace the
+comment with a lockdep annotation.
+
+Fixes: f00327731131 ("KVM: arm64: Use config_lock to protect vgic state")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230518100914.2837292-4-jean-philippe@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/vgic/vgic-v4.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kvm/vgic/vgic-v4.c b/arch/arm64/kvm/vgic/vgic-v4.c
+index 3bb0034780605..c1c28fe680ba3 100644
+--- a/arch/arm64/kvm/vgic/vgic-v4.c
++++ b/arch/arm64/kvm/vgic/vgic-v4.c
+@@ -184,13 +184,14 @@ static void vgic_v4_disable_vsgis(struct kvm_vcpu *vcpu)
+       }
+ }
+ 
+-/* Must be called with the kvm lock held */
+ void vgic_v4_configure_vsgis(struct kvm *kvm)
+ {
+       struct vgic_dist *dist = &kvm->arch.vgic;
+       struct kvm_vcpu *vcpu;
+       unsigned long i;
+ 
++      lockdep_assert_held(&kvm->arch.config_lock);
++
+       kvm_arm_halt_guest(kvm);
+ 
+       kvm_for_each_vcpu(i, vcpu, kvm) {
+-- 
+2.39.2
+

diff --git a/queue-6.1/kvm-arm64-vgic-wrap-vgic_its_create-with-config_lock.patch b/queue-6.1/kvm-arm64-vgic-wrap-vgic_its_create-with-config_lock.patch
new file mode 100644 (file)
index 0000000..f6cdd12
--- /dev/null
+++ b/queue-6.1/kvm-arm64-vgic-wrap-vgic_its_create-with-config_lock.patch
@@ -0,0 +1,93 @@
+From 48590836dac76e983590fc683c36576194cd3658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 May 2023 11:09:16 +0100
+Subject: KVM: arm64: vgic: Wrap vgic_its_create() with config_lock
+
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+
+[ Upstream commit 9cf2f840c439b6b23bd99f584f2917ca425ae406 ]
+
+vgic_its_create() changes the vgic state without holding the
+config_lock, which triggers a lockdep warning in vgic_v4_init():
+
+[  358.667941] WARNING: CPU: 3 PID: 178 at arch/arm64/kvm/vgic/vgic-v4.c:245 vgic_v4_init+0x15c/0x7a8
+...
+[  358.707410]  vgic_v4_init+0x15c/0x7a8
+[  358.708550]  vgic_its_create+0x37c/0x4a4
+[  358.709640]  kvm_vm_ioctl+0x1518/0x2d80
+[  358.710688]  __arm64_sys_ioctl+0x7ac/0x1ba8
+[  358.711960]  invoke_syscall.constprop.0+0x70/0x1e0
+[  358.713245]  do_el0_svc+0xe4/0x2d4
+[  358.714289]  el0_svc+0x44/0x8c
+[  358.715329]  el0t_64_sync_handler+0xf4/0x120
+[  358.716615]  el0t_64_sync+0x190/0x194
+
+Wrap the whole of vgic_its_create() with config_lock since, in addition
+to calling vgic_v4_init(), it also modifies the global kvm->arch.vgic
+state.
+
+Fixes: f00327731131 ("KVM: arm64: Use config_lock to protect vgic state")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230518100914.2837292-3-jean-philippe@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/vgic/vgic-its.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
+index c9a03033d5077..00ad6587bee9a 100644
+--- a/arch/arm64/kvm/vgic/vgic-its.c
++++ b/arch/arm64/kvm/vgic/vgic-its.c
+@@ -1936,6 +1936,7 @@ void vgic_lpi_translation_cache_destroy(struct kvm *kvm)
+ 
+ static int vgic_its_create(struct kvm_device *dev, u32 type)
+ {
++      int ret;
+       struct vgic_its *its;
+ 
+       if (type != KVM_DEV_TYPE_ARM_VGIC_ITS)
+@@ -1945,9 +1946,12 @@ static int vgic_its_create(struct kvm_device *dev, u32 type)
+       if (!its)
+               return -ENOMEM;
+ 
++      mutex_lock(&dev->kvm->arch.config_lock);
++
+       if (vgic_initialized(dev->kvm)) {
+-              int ret = vgic_v4_init(dev->kvm);
++              ret = vgic_v4_init(dev->kvm);
+               if (ret < 0) {
++                      mutex_unlock(&dev->kvm->arch.config_lock);
+                       kfree(its);
+                       return ret;
+               }
+@@ -1960,12 +1964,10 @@ static int vgic_its_create(struct kvm_device *dev, u32 type)
+ 
+       /* Yep, even more trickery for lock ordering... */
+ #ifdef CONFIG_LOCKDEP
+-      mutex_lock(&dev->kvm->arch.config_lock);
+       mutex_lock(&its->cmd_lock);
+       mutex_lock(&its->its_lock);
+       mutex_unlock(&its->its_lock);
+       mutex_unlock(&its->cmd_lock);
+-      mutex_unlock(&dev->kvm->arch.config_lock);
+ #endif
+ 
+       its->vgic_its_base = VGIC_ADDR_UNDEF;
+@@ -1986,7 +1988,11 @@ static int vgic_its_create(struct kvm_device *dev, u32 type)
+ 
+       dev->private = its;
+ 
+-      return vgic_its_set_abi(its, NR_ITS_ABIS - 1);
++      ret = vgic_its_set_abi(its, NR_ITS_ABIS - 1);
++
++      mutex_unlock(&dev->kvm->arch.config_lock);
++
++      return ret;
+ }
+ 
+ static void vgic_its_destroy(struct kvm_device *kvm_dev)
+-- 
+2.39.2
+

diff --git a/queue-6.1/loongarch-relay-bce-exceptions-to-userland-as-sigseg.patch b/queue-6.1/loongarch-relay-bce-exceptions-to-userland-as-sigseg.patch
new file mode 100644 (file)
index 0000000..e73a3a6
--- /dev/null
+++ b/queue-6.1/loongarch-relay-bce-exceptions-to-userland-as-sigseg.patch
@@ -0,0 +1,241 @@
+From e3dfa110446fabe5e54ffce840033bc2b08eb12e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 May 2023 17:19:27 +0800
+Subject: LoongArch: Relay BCE exceptions to userland as SIGSEGV with
+ si_code=SEGV_BNDERR
+
+From: WANG Xuerui <git@xen0n.name>
+
+[ Upstream commit c23e7f01cf621290770069d968ca4c8356a50d00 ]
+
+SEGV_BNDERR was introduced initially for supporting the Intel MPX, but
+fell into disuse after the MPX support was removed. The LoongArch
+bounds-checking instructions behave very differently than MPX, but
+overall the interface is still kind of suitable for conveying the
+information to userland when bounds-checking assertions trigger, so we
+wouldn't have to invent more UAPI. Specifically, when the BCE triggers,
+a SEGV_BNDERR is sent to userland, with si_addr set to the out-of-bounds
+address or value (in asrt{gt,le}'s case), and one of si_lower or
+si_upper set to the configured bound depending on the faulting
+instruction. The other bound is set to either 0 or ULONG_MAX to resemble
+a range with both lower and upper bounds.
+
+Note that it is possible to have si_addr == si_lower in case of a
+failing asrtgt or {ld,st}gt, because those instructions test for strict
+greater-than relationship. This should not pose a problem for userland,
+though, because the faulting PC is available for the application to
+associate back to the exact instruction for figuring out the
+expectation.
+
+Example exception context generated by a faulting `asrtgt.d t0, t1`
+(assert t0 > t1 or BCE) with t0=100 and t1=200:
+
+> pc 00005555558206a4 ra 00007ffff2d854fc tp 00007ffff2f2f180 sp 00007ffffbf9fb80
+> a0 0000000000000002 a1 00007ffffbf9fce8 a2 00007ffffbf9fd00 a3 00007ffff2ed4558
+> a4 0000000000000000 a5 00007ffff2f044c8 a6 00007ffffbf9fce0 a7 fffffffffffff000
+> t0 0000000000000064 t1 00000000000000c8 t2 00007ffffbfa2d5e t3 00007ffff2f12aa0
+> t4 00007ffff2ed6158 t5 00007ffff2ed6158 t6 000000000000002e t7 0000000003d8f538
+> t8 0000000000000005 u0 0000000000000000 s9 0000000000000000 s0 00007ffffbf9fce8
+> s1 0000000000000002 s2 0000000000000000 s3 00007ffff2f2c038 s4 0000555555820610
+> s5 00007ffff2ed5000 s6 0000555555827e38 s7 00007ffffbf9fd00 s8 0000555555827e38
+>    ra: 00007ffff2d854fc
+>   ERA: 00005555558206a4
+>  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
+>  PRMD: 00000007 (PPLV3 +PIE -PWE)
+>  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
+>  ECFG: 0007181c (LIE=2-4,11-12 VS=7)
+> ESTAT: 000a0000 [BCE] (IS= ECode=10 EsubCode=0)
+>  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
+
+Signed-off-by: WANG Xuerui <git@xen0n.name>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/include/asm/inst.h | 26 +++++++++
+ arch/loongarch/kernel/genex.S     |  1 +
+ arch/loongarch/kernel/traps.c     | 92 +++++++++++++++++++++++++++++++
+ 3 files changed, 119 insertions(+)
+
+diff --git a/arch/loongarch/include/asm/inst.h b/arch/loongarch/include/asm/inst.h
+index fce1843ceebb3..d476a88b9616c 100644
+--- a/arch/loongarch/include/asm/inst.h
++++ b/arch/loongarch/include/asm/inst.h
+@@ -105,6 +105,8 @@ enum reg2bstrd_op {
+ };
+ 
+ enum reg3_op {
++      asrtle_op       = 0x02,
++      asrtgt_op       = 0x03,
+       addw_op         = 0x20,
+       addd_op         = 0x21,
+       subw_op         = 0x22,
+@@ -156,6 +158,30 @@ enum reg3_op {
+       amord_op        = 0x70c7,
+       amxorw_op       = 0x70c8,
+       amxord_op       = 0x70c9,
++      fldgts_op       = 0x70e8,
++      fldgtd_op       = 0x70e9,
++      fldles_op       = 0x70ea,
++      fldled_op       = 0x70eb,
++      fstgts_op       = 0x70ec,
++      fstgtd_op       = 0x70ed,
++      fstles_op       = 0x70ee,
++      fstled_op       = 0x70ef,
++      ldgtb_op        = 0x70f0,
++      ldgth_op        = 0x70f1,
++      ldgtw_op        = 0x70f2,
++      ldgtd_op        = 0x70f3,
++      ldleb_op        = 0x70f4,
++      ldleh_op        = 0x70f5,
++      ldlew_op        = 0x70f6,
++      ldled_op        = 0x70f7,
++      stgtb_op        = 0x70f8,
++      stgth_op        = 0x70f9,
++      stgtw_op        = 0x70fa,
++      stgtd_op        = 0x70fb,
++      stleb_op        = 0x70fc,
++      stleh_op        = 0x70fd,
++      stlew_op        = 0x70fe,
++      stled_op        = 0x70ff,
+ };
+ 
+ enum reg3sa2_op {
+diff --git a/arch/loongarch/kernel/genex.S b/arch/loongarch/kernel/genex.S
+index 75e5be807a0d5..42ff28eadf04d 100644
+--- a/arch/loongarch/kernel/genex.S
++++ b/arch/loongarch/kernel/genex.S
+@@ -79,6 +79,7 @@ SYM_FUNC_END(except_vec_cex)
+ 
+       BUILD_HANDLER ade ade badv
+       BUILD_HANDLER ale ale badv
++      BUILD_HANDLER bce bce none
+       BUILD_HANDLER bp bp none
+       BUILD_HANDLER fpe fpe fcsr
+       BUILD_HANDLER fpu fpu none
+diff --git a/arch/loongarch/kernel/traps.c b/arch/loongarch/kernel/traps.c
+index 1a4dce84ebc60..5d5ae11d9f67e 100644
+--- a/arch/loongarch/kernel/traps.c
++++ b/arch/loongarch/kernel/traps.c
+@@ -35,6 +35,7 @@
+ #include <asm/break.h>
+ #include <asm/cpu.h>
+ #include <asm/fpu.h>
++#include <asm/inst.h>
+ #include <asm/loongarch.h>
+ #include <asm/mmu_context.h>
+ #include <asm/pgtable.h>
+@@ -50,6 +51,7 @@
+ 
+ extern asmlinkage void handle_ade(void);
+ extern asmlinkage void handle_ale(void);
++extern asmlinkage void handle_bce(void);
+ extern asmlinkage void handle_sys(void);
+ extern asmlinkage void handle_bp(void);
+ extern asmlinkage void handle_ri(void);
+@@ -401,6 +403,95 @@ static void bug_handler(struct pt_regs *regs)
+       }
+ }
+ 
++asmlinkage void noinstr do_bce(struct pt_regs *regs)
++{
++      bool user = user_mode(regs);
++      unsigned long era = exception_era(regs);
++      u64 badv = 0, lower = 0, upper = ULONG_MAX;
++      union loongarch_instruction insn;
++      irqentry_state_t state = irqentry_enter(regs);
++
++      if (regs->csr_prmd & CSR_PRMD_PIE)
++              local_irq_enable();
++
++      current->thread.trap_nr = read_csr_excode();
++
++      die_if_kernel("Bounds check error in kernel code", regs);
++
++      /*
++       * Pull out the address that failed bounds checking, and the lower /
++       * upper bound, by minimally looking at the faulting instruction word
++       * and reading from the correct register.
++       */
++      if (__get_inst(&insn.word, (u32 *)era, user))
++              goto bad_era;
++
++      switch (insn.reg3_format.opcode) {
++      case asrtle_op:
++              if (insn.reg3_format.rd != 0)
++                      break;  /* not asrtle */
++              badv = regs->regs[insn.reg3_format.rj];
++              upper = regs->regs[insn.reg3_format.rk];
++              break;
++
++      case asrtgt_op:
++              if (insn.reg3_format.rd != 0)
++                      break;  /* not asrtgt */
++              badv = regs->regs[insn.reg3_format.rj];
++              lower = regs->regs[insn.reg3_format.rk];
++              break;
++
++      case ldleb_op:
++      case ldleh_op:
++      case ldlew_op:
++      case ldled_op:
++      case stleb_op:
++      case stleh_op:
++      case stlew_op:
++      case stled_op:
++      case fldles_op:
++      case fldled_op:
++      case fstles_op:
++      case fstled_op:
++              badv = regs->regs[insn.reg3_format.rj];
++              upper = regs->regs[insn.reg3_format.rk];
++              break;
++
++      case ldgtb_op:
++      case ldgth_op:
++      case ldgtw_op:
++      case ldgtd_op:
++      case stgtb_op:
++      case stgth_op:
++      case stgtw_op:
++      case stgtd_op:
++      case fldgts_op:
++      case fldgtd_op:
++      case fstgts_op:
++      case fstgtd_op:
++              badv = regs->regs[insn.reg3_format.rj];
++              lower = regs->regs[insn.reg3_format.rk];
++              break;
++      }
++
++      force_sig_bnderr((void __user *)badv, (void __user *)lower, (void __user *)upper);
++
++out:
++      if (regs->csr_prmd & CSR_PRMD_PIE)
++              local_irq_disable();
++
++      irqentry_exit(regs, state);
++      return;
++
++bad_era:
++      /*
++       * Cannot pull out the instruction word, hence cannot provide more
++       * info than a regular SIGSEGV in this case.
++       */
++      force_sig(SIGSEGV);
++      goto out;
++}
++
+ asmlinkage void noinstr do_bp(struct pt_regs *regs)
+ {
+       bool user = user_mode(regs);
+@@ -721,6 +812,7 @@ void __init trap_init(void)
+ 
+       set_handler(EXCCODE_ADE * VECSIZE, handle_ade, VECSIZE);
+       set_handler(EXCCODE_ALE * VECSIZE, handle_ale, VECSIZE);
++      set_handler(EXCCODE_BCE * VECSIZE, handle_bce, VECSIZE);
+       set_handler(EXCCODE_SYS * VECSIZE, handle_sys, VECSIZE);
+       set_handler(EXCCODE_BP * VECSIZE, handle_bp, VECSIZE);
+       set_handler(EXCCODE_INE * VECSIZE, handle_ri, VECSIZE);
+-- 
+2.39.2
+

diff --git a/queue-6.1/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch b/queue-6.1/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch
new file mode 100644 (file)
index 0000000..5d3fb2b
--- /dev/null
+++ b/queue-6.1/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch
@@ -0,0 +1,56 @@
+From cff4ba56fe4116f253deef3c28ff65fd71835ff9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 12:22:09 +0300
+Subject: mailbox: mailbox-test: fix a locking issue in
+ mbox_test_message_write()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 8fe72b76db79d694858e872370df49676bc3be8c ]
+
+There was a bug where this code forgot to unlock the tdev->mutex if the
+kzalloc() failed.  Fix this issue, by moving the allocation outside the
+lock.
+
+Fixes: 2d1e952a2b8e ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox-test.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
+index 6dd5b9614452b..abcee58e851c2 100644
+--- a/drivers/mailbox/mailbox-test.c
++++ b/drivers/mailbox/mailbox-test.c
+@@ -97,6 +97,7 @@ static ssize_t mbox_test_message_write(struct file *filp,
+                                      size_t count, loff_t *ppos)
+ {
+       struct mbox_test_device *tdev = filp->private_data;
++      char *message;
+       void *data;
+       int ret;
+ 
+@@ -112,12 +113,13 @@ static ssize_t mbox_test_message_write(struct file *filp,
+               return -EINVAL;
+       }
+ 
+-      mutex_lock(&tdev->mutex);
+-
+-      tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
+-      if (!tdev->message)
++      message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
++      if (!message)
+               return -ENOMEM;
+ 
++      mutex_lock(&tdev->mutex);
++
++      tdev->message = message;
+       ret = copy_from_user(tdev->message, userbuf, count);
+       if (ret) {
+               ret = -EFAULT;
+-- 
+2.39.2
+

diff --git a/queue-6.1/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch b/queue-6.1/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch
new file mode 100644 (file)
index 0000000..336d123
--- /dev/null
+++ b/queue-6.1/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch
@@ -0,0 +1,136 @@
+From f1272fcb1ac0daae0d30dd0e92fd3a0fff4e3268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Apr 2023 08:27:18 +0100
+Subject: mailbox: mailbox-test: Fix potential double-free in
+ mbox_test_message_write()
+
+From: Lee Jones <lee@kernel.org>
+
+[ Upstream commit 2d1e952a2b8e5e92d8d55ac88a7cf7ca5ea591ad ]
+
+If a user can make copy_from_user() fail, there is a potential for
+UAF/DF due to a lack of locking around the allocation, use and freeing
+of the data buffers.
+
+This issue is not theoretical.  I managed to author a POC for it:
+
+    BUG: KASAN: double-free in kfree+0x5c/0xac
+    Free of addr ffff29280be5de00 by task poc/356
+    CPU: 1 PID: 356 Comm: poc Not tainted 6.1.0-00001-g961aa6552c04-dirty #20
+    Hardware name: linux,dummy-virt (DT)
+    Call trace:
+     dump_backtrace.part.0+0xe0/0xf0
+     show_stack+0x18/0x40
+     dump_stack_lvl+0x64/0x80
+     print_report+0x188/0x48c
+     kasan_report_invalid_free+0xa0/0xc0
+     ____kasan_slab_free+0x174/0x1b0
+     __kasan_slab_free+0x18/0x24
+     __kmem_cache_free+0x130/0x2e0
+     kfree+0x5c/0xac
+     mbox_test_message_write+0x208/0x29c
+     full_proxy_write+0x90/0xf0
+     vfs_write+0x154/0x440
+     ksys_write+0xcc/0x180
+     __arm64_sys_write+0x44/0x60
+     invoke_syscall+0x60/0x190
+     el0_svc_common.constprop.0+0x7c/0x160
+     do_el0_svc+0x40/0xf0
+     el0_svc+0x2c/0x6c
+     el0t_64_sync_handler+0xf4/0x120
+     el0t_64_sync+0x18c/0x190
+
+    Allocated by task 356:
+     kasan_save_stack+0x3c/0x70
+     kasan_set_track+0x2c/0x40
+     kasan_save_alloc_info+0x24/0x34
+     __kasan_kmalloc+0xb8/0xc0
+     kmalloc_trace+0x58/0x70
+     mbox_test_message_write+0x6c/0x29c
+     full_proxy_write+0x90/0xf0
+     vfs_write+0x154/0x440
+     ksys_write+0xcc/0x180
+     __arm64_sys_write+0x44/0x60
+     invoke_syscall+0x60/0x190
+     el0_svc_common.constprop.0+0x7c/0x160
+     do_el0_svc+0x40/0xf0
+     el0_svc+0x2c/0x6c
+     el0t_64_sync_handler+0xf4/0x120
+     el0t_64_sync+0x18c/0x190
+
+    Freed by task 357:
+     kasan_save_stack+0x3c/0x70
+     kasan_set_track+0x2c/0x40
+     kasan_save_free_info+0x38/0x5c
+     ____kasan_slab_free+0x13c/0x1b0
+     __kasan_slab_free+0x18/0x24
+     __kmem_cache_free+0x130/0x2e0
+     kfree+0x5c/0xac
+     mbox_test_message_write+0x208/0x29c
+     full_proxy_write+0x90/0xf0
+     vfs_write+0x154/0x440
+     ksys_write+0xcc/0x180
+     __arm64_sys_write+0x44/0x60
+     invoke_syscall+0x60/0x190
+     el0_svc_common.constprop.0+0x7c/0x160
+     do_el0_svc+0x40/0xf0
+     el0_svc+0x2c/0x6c
+     el0t_64_sync_handler+0xf4/0x120
+     el0t_64_sync+0x18c/0x190
+
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox-test.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
+index 4555d678fadda..6dd5b9614452b 100644
+--- a/drivers/mailbox/mailbox-test.c
++++ b/drivers/mailbox/mailbox-test.c
+@@ -12,6 +12,7 @@
+ #include <linux/kernel.h>
+ #include <linux/mailbox_client.h>
+ #include <linux/module.h>
++#include <linux/mutex.h>
+ #include <linux/of.h>
+ #include <linux/platform_device.h>
+ #include <linux/poll.h>
+@@ -38,6 +39,7 @@ struct mbox_test_device {
+       char                    *signal;
+       char                    *message;
+       spinlock_t              lock;
++      struct mutex            mutex;
+       wait_queue_head_t       waitq;
+       struct fasync_struct    *async_queue;
+       struct dentry           *root_debugfs_dir;
+@@ -110,6 +112,8 @@ static ssize_t mbox_test_message_write(struct file *filp,
+               return -EINVAL;
+       }
+ 
++      mutex_lock(&tdev->mutex);
++
+       tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
+       if (!tdev->message)
+               return -ENOMEM;
+@@ -144,6 +148,8 @@ static ssize_t mbox_test_message_write(struct file *filp,
+       kfree(tdev->message);
+       tdev->signal = NULL;
+ 
++      mutex_unlock(&tdev->mutex);
++
+       return ret < 0 ? ret : count;
+ }
+ 
+@@ -392,6 +398,7 @@ static int mbox_test_probe(struct platform_device *pdev)
+       platform_set_drvdata(pdev, tdev);
+ 
+       spin_lock_init(&tdev->lock);
++      mutex_init(&tdev->mutex);
+ 
+       if (tdev->rx_channel) {
+               tdev->rx_buffer = devm_kzalloc(&pdev->dev,
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch b/queue-6.1/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch
new file mode 100644 (file)
index 0000000..8108b27
--- /dev/null
+++ b/queue-6.1/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch
@@ -0,0 +1,67 @@
+From 538996e0af9d4d617dd157134f89e30188f682c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 16:18:00 +0100
+Subject: media: dvb-core: Fix kernel WARNING for blocking operation in
+ wait_event*()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b8c75e4a1b325ea0a9433fa8834be97b5836b946 ]
+
+Using a semaphore in the wait_event*() condition is no good idea.
+It hits a kernel WARN_ON() at prepare_to_wait_event() like:
+  do not call blocking ops when !TASK_RUNNING; state=1 set at
+  prepare_to_wait_event+0x6d/0x690
+
+For avoiding the potential deadlock, rewrite to an open-coded loop
+instead.  Unlike the loop in wait_event*(), this uses wait_woken()
+after the condition check, hence the task state stays consistent.
+
+CVE-2023-31084 was assigned to this bug.
+
+Link: https://lore.kernel.org/r/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com/
+
+Link: https://lore.kernel.org/linux-media/20230512151800.1874-1-tiwai@suse.de
+Reported-by: Yu Hao <yhao016@ucr.edu>
+Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-31084
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index c41a7e5c2b928..fce0e20940780 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe,
+       }
+ 
+       if (events->eventw == events->eventr) {
+-              int ret;
++              struct wait_queue_entry wait;
++              int ret = 0;
+ 
+               if (flags & O_NONBLOCK)
+                       return -EWOULDBLOCK;
+ 
+-              ret = wait_event_interruptible(events->wait_queue,
+-                                             dvb_frontend_test_event(fepriv, events));
+-
++              init_waitqueue_entry(&wait, current);
++              add_wait_queue(&events->wait_queue, &wait);
++              while (!dvb_frontend_test_event(fepriv, events)) {
++                      wait_woken(&wait, TASK_INTERRUPTIBLE, 0);
++                      if (signal_pending(current)) {
++                              ret = -ERESTARTSYS;
++                              break;
++                      }
++              }
++              remove_wait_queue(&events->wait_queue, &wait);
+               if (ret < 0)
+                       return ret;
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-core-fix-use-after-free-due-on-race-condit.patch b/queue-6.1/media-dvb-core-fix-use-after-free-due-on-race-condit.patch
new file mode 100644 (file)
index 0000000..eacd82d
--- /dev/null
+++ b/queue-6.1/media-dvb-core-fix-use-after-free-due-on-race-condit.patch
@@ -0,0 +1,138 @@
+From c999950137d9caab303f8f7f0d7a4a8da23e1bc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 04:59:23 +0000
+Subject: media: dvb-core: Fix use-after-free due on race condition at dvb_net
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 4172385b0c9ac366dcab78eda48c26814b87ed1a ]
+
+A race condition may occur between the .disconnect function, which
+is called when the device is disconnected, and the dvb_device_open()
+function, which is called when the device node is open()ed.
+This results in several types of UAFs.
+
+The root cause of this is that you use the dvb_device_open() function,
+which does not implement a conditional statement
+that checks 'dvbnet->exit'.
+
+So, add 'remove_mutex` to protect 'dvbnet->exit' and use
+locked_dvb_net_open() function to check 'dvbnet->exit'.
+
+[mchehab: fix a checkpatch warning]
+
+Link: https://lore.kernel.org/linux-media/20221117045925.14297-3-imv4bel@gmail.com
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_net.c | 38 +++++++++++++++++++++++++++++---
+ include/media/dvb_net.h          |  4 ++++
+ 2 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c
+index 8a2febf33ce28..8bb8dd34c223e 100644
+--- a/drivers/media/dvb-core/dvb_net.c
++++ b/drivers/media/dvb-core/dvb_net.c
+@@ -1564,15 +1564,43 @@ static long dvb_net_ioctl(struct file *file,
+       return dvb_usercopy(file, cmd, arg, dvb_net_do_ioctl);
+ }
+ 
++static int locked_dvb_net_open(struct inode *inode, struct file *file)
++{
++      struct dvb_device *dvbdev = file->private_data;
++      struct dvb_net *dvbnet = dvbdev->priv;
++      int ret;
++
++      if (mutex_lock_interruptible(&dvbnet->remove_mutex))
++              return -ERESTARTSYS;
++
++      if (dvbnet->exit) {
++              mutex_unlock(&dvbnet->remove_mutex);
++              return -ENODEV;
++      }
++
++      ret = dvb_generic_open(inode, file);
++
++      mutex_unlock(&dvbnet->remove_mutex);
++
++      return ret;
++}
++
+ static int dvb_net_close(struct inode *inode, struct file *file)
+ {
+       struct dvb_device *dvbdev = file->private_data;
+       struct dvb_net *dvbnet = dvbdev->priv;
+ 
++      mutex_lock(&dvbnet->remove_mutex);
++
+       dvb_generic_release(inode, file);
+ 
+-      if(dvbdev->users == 1 && dvbnet->exit == 1)
++      if (dvbdev->users == 1 && dvbnet->exit == 1) {
++              mutex_unlock(&dvbnet->remove_mutex);
+               wake_up(&dvbdev->wait_queue);
++      } else {
++              mutex_unlock(&dvbnet->remove_mutex);
++      }
++
+       return 0;
+ }
+ 
+@@ -1580,7 +1608,7 @@ static int dvb_net_close(struct inode *inode, struct file *file)
+ static const struct file_operations dvb_net_fops = {
+       .owner = THIS_MODULE,
+       .unlocked_ioctl = dvb_net_ioctl,
+-      .open = dvb_generic_open,
++      .open = locked_dvb_net_open,
+       .release = dvb_net_close,
+       .llseek = noop_llseek,
+ };
+@@ -1599,10 +1627,13 @@ void dvb_net_release (struct dvb_net *dvbnet)
+ {
+       int i;
+ 
++      mutex_lock(&dvbnet->remove_mutex);
+       dvbnet->exit = 1;
++      mutex_unlock(&dvbnet->remove_mutex);
++
+       if (dvbnet->dvbdev->users < 1)
+               wait_event(dvbnet->dvbdev->wait_queue,
+-                              dvbnet->dvbdev->users==1);
++                              dvbnet->dvbdev->users == 1);
+ 
+       dvb_unregister_device(dvbnet->dvbdev);
+ 
+@@ -1621,6 +1652,7 @@ int dvb_net_init (struct dvb_adapter *adap, struct dvb_net *dvbnet,
+       int i;
+ 
+       mutex_init(&dvbnet->ioctl_mutex);
++      mutex_init(&dvbnet->remove_mutex);
+       dvbnet->demux = dmx;
+ 
+       for (i=0; i<DVB_NET_DEVICES_MAX; i++)
+diff --git a/include/media/dvb_net.h b/include/media/dvb_net.h
+index 5e31d37f25fac..cc01dffcc9f35 100644
+--- a/include/media/dvb_net.h
++++ b/include/media/dvb_net.h
+@@ -41,6 +41,9 @@
+  * @exit:             flag to indicate when the device is being removed.
+  * @demux:            pointer to &struct dmx_demux.
+  * @ioctl_mutex:      protect access to this struct.
++ * @remove_mutex:     mutex that avoids a race condition between a callback
++ *                    called when the hardware is disconnected and the
++ *                    file_operations of dvb_net.
+  *
+  * Currently, the core supports up to %DVB_NET_DEVICES_MAX (10) network
+  * devices.
+@@ -53,6 +56,7 @@ struct dvb_net {
+       unsigned int exit:1;
+       struct dmx_demux *demux;
+       struct mutex ioctl_mutex;
++      struct mutex remove_mutex;
+ };
+ 
+ /**
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch b/queue-6.1/media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch
new file mode 100644 (file)
index 0000000..a96a7ad
--- /dev/null
+++ b/queue-6.1/media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch
@@ -0,0 +1,255 @@
+From 9e656750a5ed6a374796914f6305d0c1f7cbf06d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 04:59:24 +0000
+Subject: media: dvb-core: Fix use-after-free due to race at
+ dvb_register_device()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 627bb528b086b4136315c25d6a447a98ea9448d3 ]
+
+dvb_register_device() dynamically allocates fops with kmemdup()
+to set the fops->owner.
+And these fops are registered in 'file->f_ops' using replace_fops()
+in the dvb_device_open() process, and kfree()d in dvb_free_device().
+
+However, it is not common to use dynamically allocated fops instead
+of 'static const' fops as an argument of replace_fops(),
+and UAF may occur.
+These UAFs can occur on any dvb type using dvb_register_device(),
+such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc.
+
+So, instead of kfree() the fops dynamically allocated in
+dvb_register_device() in dvb_free_device() called during the
+.disconnect() process, kfree() it collectively in exit_dvbdev()
+called when the dvbdev.c module is removed.
+
+Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvbdev.c | 84 ++++++++++++++++++++++++---------
+ include/media/dvbdev.h          | 15 ++++++
+ 2 files changed, 78 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index a31d52cb6d62c..9f9a976527080 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -27,6 +27,7 @@
+ #include <media/tuner.h>
+ 
+ static DEFINE_MUTEX(dvbdev_mutex);
++static LIST_HEAD(dvbdevfops_list);
+ static int dvbdev_debug;
+ 
+ module_param(dvbdev_debug, int, 0644);
+@@ -452,14 +453,15 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+                       enum dvb_device_type type, int demux_sink_pads)
+ {
+       struct dvb_device *dvbdev;
+-      struct file_operations *dvbdevfops;
++      struct file_operations *dvbdevfops = NULL;
++      struct dvbdevfops_node *node = NULL, *new_node = NULL;
+       struct device *clsdev;
+       int minor;
+       int id, ret;
+ 
+       mutex_lock(&dvbdev_register_lock);
+ 
+-      if ((id = dvbdev_get_free_id (adap, type)) < 0){
++      if ((id = dvbdev_get_free_id (adap, type)) < 0) {
+               mutex_unlock(&dvbdev_register_lock);
+               *pdvbdev = NULL;
+               pr_err("%s: couldn't find free device id\n", __func__);
+@@ -467,18 +469,45 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+       }
+ 
+       *pdvbdev = dvbdev = kzalloc(sizeof(*dvbdev), GFP_KERNEL);
+-
+       if (!dvbdev){
+               mutex_unlock(&dvbdev_register_lock);
+               return -ENOMEM;
+       }
+ 
+-      dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL);
++      /*
++       * When a device of the same type is probe()d more than once,
++       * the first allocated fops are used. This prevents memory leaks
++       * that can occur when the same device is probe()d repeatedly.
++       */
++      list_for_each_entry(node, &dvbdevfops_list, list_head) {
++              if (node->fops->owner == adap->module &&
++                              node->type == type &&
++                              node->template == template) {
++                      dvbdevfops = node->fops;
++                      break;
++              }
++      }
+ 
+-      if (!dvbdevfops){
+-              kfree (dvbdev);
+-              mutex_unlock(&dvbdev_register_lock);
+-              return -ENOMEM;
++      if (dvbdevfops == NULL) {
++              dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL);
++              if (!dvbdevfops) {
++                      kfree(dvbdev);
++                      mutex_unlock(&dvbdev_register_lock);
++                      return -ENOMEM;
++              }
++
++              new_node = kzalloc(sizeof(struct dvbdevfops_node), GFP_KERNEL);
++              if (!new_node) {
++                      kfree(dvbdevfops);
++                      kfree(dvbdev);
++                      mutex_unlock(&dvbdev_register_lock);
++                      return -ENOMEM;
++              }
++
++              new_node->fops = dvbdevfops;
++              new_node->type = type;
++              new_node->template = template;
++              list_add_tail (&new_node->list_head, &dvbdevfops_list);
+       }
+ 
+       memcpy(dvbdev, template, sizeof(struct dvb_device));
+@@ -489,20 +518,20 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+       dvbdev->priv = priv;
+       dvbdev->fops = dvbdevfops;
+       init_waitqueue_head (&dvbdev->wait_queue);
+-
+       dvbdevfops->owner = adap->module;
+-
+       list_add_tail (&dvbdev->list_head, &adap->device_list);
+-
+       down_write(&minor_rwsem);
+ #ifdef CONFIG_DVB_DYNAMIC_MINORS
+       for (minor = 0; minor < MAX_DVB_MINORS; minor++)
+               if (dvb_minors[minor] == NULL)
+                       break;
+-
+       if (minor == MAX_DVB_MINORS) {
++              if (new_node) {
++                      list_del (&new_node->list_head);
++                      kfree(dvbdevfops);
++                      kfree(new_node);
++              }
+               list_del (&dvbdev->list_head);
+-              kfree(dvbdevfops);
+               kfree(dvbdev);
+               up_write(&minor_rwsem);
+               mutex_unlock(&dvbdev_register_lock);
+@@ -511,41 +540,47 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ #else
+       minor = nums2minor(adap->num, type, id);
+ #endif
+-
+       dvbdev->minor = minor;
+       dvb_minors[minor] = dvb_device_get(dvbdev);
+       up_write(&minor_rwsem);
+-
+       ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads);
+       if (ret) {
+               pr_err("%s: dvb_register_media_device failed to create the mediagraph\n",
+                     __func__);
+-
++              if (new_node) {
++                      list_del (&new_node->list_head);
++                      kfree(dvbdevfops);
++                      kfree(new_node);
++              }
+               dvb_media_device_free(dvbdev);
+               list_del (&dvbdev->list_head);
+-              kfree(dvbdevfops);
+               kfree(dvbdev);
+               mutex_unlock(&dvbdev_register_lock);
+               return ret;
+       }
+ 
+-      mutex_unlock(&dvbdev_register_lock);
+-
+       clsdev = device_create(dvb_class, adap->device,
+                              MKDEV(DVB_MAJOR, minor),
+                              dvbdev, "dvb%d.%s%d", adap->num, dnames[type], id);
+       if (IS_ERR(clsdev)) {
+               pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n",
+                      __func__, adap->num, dnames[type], id, PTR_ERR(clsdev));
++              if (new_node) {
++                      list_del (&new_node->list_head);
++                      kfree(dvbdevfops);
++                      kfree(new_node);
++              }
+               dvb_media_device_free(dvbdev);
+               list_del (&dvbdev->list_head);
+-              kfree(dvbdevfops);
+               kfree(dvbdev);
++              mutex_unlock(&dvbdev_register_lock);
+               return PTR_ERR(clsdev);
+       }
++
+       dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n",
+               adap->num, dnames[type], id, minor, minor);
+ 
++      mutex_unlock(&dvbdev_register_lock);
+       return 0;
+ }
+ EXPORT_SYMBOL(dvb_register_device);
+@@ -574,7 +609,6 @@ static void dvb_free_device(struct kref *ref)
+ {
+       struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref);
+ 
+-      kfree (dvbdev->fops);
+       kfree (dvbdev);
+ }
+ 
+@@ -1080,9 +1114,17 @@ static int __init init_dvbdev(void)
+ 
+ static void __exit exit_dvbdev(void)
+ {
++      struct dvbdevfops_node *node, *next;
++
+       class_destroy(dvb_class);
+       cdev_del(&dvb_device_cdev);
+       unregister_chrdev_region(MKDEV(DVB_MAJOR, 0), MAX_DVB_MINORS);
++
++      list_for_each_entry_safe(node, next, &dvbdevfops_list, list_head) {
++              list_del (&node->list_head);
++              kfree(node->fops);
++              kfree(node);
++      }
+ }
+ 
+ subsys_initcall(init_dvbdev);
+diff --git a/include/media/dvbdev.h b/include/media/dvbdev.h
+index ac60c9fcfe9a6..34b01ebf32828 100644
+--- a/include/media/dvbdev.h
++++ b/include/media/dvbdev.h
+@@ -189,6 +189,21 @@ struct dvb_device {
+       void *priv;
+ };
+ 
++/**
++ * struct dvbdevfops_node - fops nodes registered in dvbdevfops_list
++ *
++ * @fops:             Dynamically allocated fops for ->owner registration
++ * @type:             type of dvb_device
++ * @template:         dvb_device used for registration
++ * @list_head:                list_head for dvbdevfops_list
++ */
++struct dvbdevfops_node {
++      struct file_operations *fops;
++      enum dvb_device_type type;
++      const struct dvb_device *template;
++      struct list_head list_head;
++};
++
+ /**
+  * dvb_device_get - Increase dvb_device reference
+  *
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-core-fix-use-after-free-due-to-race-condit.patch b/queue-6.1/media-dvb-core-fix-use-after-free-due-to-race-condit.patch
new file mode 100644 (file)
index 0000000..887733f
--- /dev/null
+++ b/queue-6.1/media-dvb-core-fix-use-after-free-due-to-race-condit.patch
@@ -0,0 +1,129 @@
+From 89fdf0406dc230859c98426b2c2b3687f693adbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 06:33:08 +0000
+Subject: media: dvb-core: Fix use-after-free due to race condition at
+ dvb_ca_en50221
+
+From: Hyunwoo Kim <v4bel@theori.io>
+
+[ Upstream commit 280a8ab81733da8bc442253c700a52c4c0886ffd ]
+
+If the device node of dvb_ca_en50221 is open() and the
+device is disconnected, a UAF may occur when calling
+close() on the device node.
+
+The root cause is that wake_up() and wait_event() for
+dvbdev->wait_queue are not implemented.
+
+So implement wait_event() function in dvb_ca_en50221_release()
+and add 'remove_mutex' which prevents race condition
+for 'ca->exit'.
+
+[mchehab: fix a checkpatch warning]
+
+Link: https://lore.kernel.org/linux-media/20221121063308.GA33821@ubuntu
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_ca_en50221.c | 37 ++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
+index b6ca29dfb184a..baf64540dc00a 100644
+--- a/drivers/media/dvb-core/dvb_ca_en50221.c
++++ b/drivers/media/dvb-core/dvb_ca_en50221.c
+@@ -151,6 +151,12 @@ struct dvb_ca_private {
+ 
+       /* mutex serializing ioctls */
+       struct mutex ioctl_mutex;
++
++      /* A mutex used when a device is disconnected */
++      struct mutex remove_mutex;
++
++      /* Whether the device is disconnected */
++      int exit;
+ };
+ 
+ static void dvb_ca_private_free(struct dvb_ca_private *ca)
+@@ -1711,12 +1717,22 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)
+ 
+       dprintk("%s\n", __func__);
+ 
+-      if (!try_module_get(ca->pub->owner))
++      mutex_lock(&ca->remove_mutex);
++
++      if (ca->exit) {
++              mutex_unlock(&ca->remove_mutex);
++              return -ENODEV;
++      }
++
++      if (!try_module_get(ca->pub->owner)) {
++              mutex_unlock(&ca->remove_mutex);
+               return -EIO;
++      }
+ 
+       err = dvb_generic_open(inode, file);
+       if (err < 0) {
+               module_put(ca->pub->owner);
++              mutex_unlock(&ca->remove_mutex);
+               return err;
+       }
+ 
+@@ -1741,6 +1757,7 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)
+ 
+       dvb_ca_private_get(ca);
+ 
++      mutex_unlock(&ca->remove_mutex);
+       return 0;
+ }
+ 
+@@ -1760,6 +1777,8 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
+ 
+       dprintk("%s\n", __func__);
+ 
++      mutex_lock(&ca->remove_mutex);
++
+       /* mark the CA device as closed */
+       ca->open = 0;
+       dvb_ca_en50221_thread_update_delay(ca);
+@@ -1770,6 +1789,13 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
+ 
+       dvb_ca_private_put(ca);
+ 
++      if (dvbdev->users == 1 && ca->exit == 1) {
++              mutex_unlock(&ca->remove_mutex);
++              wake_up(&dvbdev->wait_queue);
++      } else {
++              mutex_unlock(&ca->remove_mutex);
++      }
++
+       return err;
+ }
+ 
+@@ -1893,6 +1919,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter,
+       }
+ 
+       mutex_init(&ca->ioctl_mutex);
++      mutex_init(&ca->remove_mutex);
+ 
+       if (signal_pending(current)) {
+               ret = -EINTR;
+@@ -1935,6 +1962,14 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca)
+ 
+       dprintk("%s\n", __func__);
+ 
++      mutex_lock(&ca->remove_mutex);
++      ca->exit = 1;
++      mutex_unlock(&ca->remove_mutex);
++
++      if (ca->dvbdev->users < 1)
++              wait_event(ca->dvbdev->wait_queue,
++                              ca->dvbdev->users == 1);
++
+       /* shutdown the thread if there was one */
+       kthread_stop(ca->thread);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch b/queue-6.1/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch
new file mode 100644 (file)
index 0000000..4fb2609
--- /dev/null
+++ b/queue-6.1/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch
@@ -0,0 +1,63 @@
+From e456a045bdef5839c37081d3c6e34ff342f81c5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 16:56:04 +0000
+Subject: media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 858e97d7956d17a2cb56a9413468704a4d5abfe1 ]
+
+In az6027_i2c_xfer, msg is controlled by user. When msg[i].buf is null,
+commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in
+az6027_i2c_xfer()") fix the null-ptr-deref bug when msg[i].addr is 0x99.
+However, null-ptr-deref also happens when msg[i].addr is 0xd0 and 0xc0.
+We add check on msg[i].len to prevent null-ptr-deref.
+
+Link: https://lore.kernel.org/linux-media/20230310165604.3093483-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/az6027.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
+index 7d78ee09be5e1..a31c6f82f4e90 100644
+--- a/drivers/media/usb/dvb-usb/az6027.c
++++ b/drivers/media/usb/dvb-usb/az6027.c
+@@ -988,6 +988,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
+                       /* write/read request */
+                       if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD)) {
+                               req = 0xB9;
++                              if (msg[i].len < 1) {
++                                      i = -EOPNOTSUPP;
++                                      break;
++                              }
+                               index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
+                               value = msg[i].addr + (msg[i].len << 8);
+                               length = msg[i + 1].len + 6;
+@@ -1001,6 +1005,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
+ 
+                               /* demod 16bit addr */
+                               req = 0xBD;
++                              if (msg[i].len < 1) {
++                                      i = -EOPNOTSUPP;
++                                      break;
++                              }
+                               index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
+                               value = msg[i].addr + (2 << 8);
+                               length = msg[i].len - 2;
+@@ -1026,6 +1034,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
+                       } else {
+ 
+                               req = 0xBD;
++                              if (msg[i].len < 1) {
++                                      i = -EOPNOTSUPP;
++                                      break;
++                              }
+                               index = msg[i].buf[0] & 0x00FF;
+                               value = msg[i].addr + (1 << 8);
+                               length = msg[i].len - 1;
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch b/queue-6.1/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch
new file mode 100644 (file)
index 0000000..18cfff4
--- /dev/null
+++ b/queue-6.1/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch
@@ -0,0 +1,44 @@
+From da82d355390c74fce092ae93df002b2c04ac95dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 09:50:08 +0000
+Subject: media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 9ded5bd2a49ce3015b7c936743eec0a0e6e11f0c ]
+
+In digitv_i2c_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach digitv_i2c_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen. We add
+check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Link: https://lore.kernel.org/linux-media/20230313095008.1039689-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/digitv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c
+index 2756815a780bc..32134be169148 100644
+--- a/drivers/media/usb/dvb-usb/digitv.c
++++ b/drivers/media/usb/dvb-usb/digitv.c
+@@ -63,6 +63,10 @@ static int digitv_i2c_xfer(struct i2c_adapter *adap,struct i2c_msg msg[],int num
+               warn("more than 2 i2c messages at a time is not handled yet. TODO.");
+ 
+       for (i = 0; i < num; i++) {
++              if (msg[i].len < 1) {
++                      i = -EOPNOTSUPP;
++                      break;
++              }
+               /* write/read request */
+               if (i+1 < num && (msg[i+1].flags & I2C_M_RD)) {
+                       if (digitv_ctrl_msg(d, USB_READ_COFDM, msg[i].buf[0], NULL, 0,
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch b/queue-6.1/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch
new file mode 100644 (file)
index 0000000..802360d
--- /dev/null
+++ b/queue-6.1/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch
@@ -0,0 +1,40 @@
+From a64fe2c86cf71651fe0df9f0f8a6f82c8fa6a310 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Mar 2023 13:44:16 +0100
+Subject: media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit a3fd1ef27aa686d871cefe207bd6168c4b0cd29e ]
+
+In su3000_read_mac_address, if i2c_transfer fails to execute two
+messages, array mac address will not be initialized. Without handling
+such error, later in function dvb_usb_adapter_dvb_init, proposed_mac
+is accessed before initialization.
+
+Fix this error by returning a negative value if message execution fails.
+
+Link: https://lore.kernel.org/linux-media/20230328124416.560889-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
+index 0ca764282c767..8747960e61461 100644
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -946,7 +946,7 @@ static int su3000_read_mac_address(struct dvb_usb_device *d, u8 mac[6])
+       for (i = 0; i < 6; i++) {
+               obuf[1] = 0xf0 + i;
+               if (i2c_transfer(&d->i2c_adap, msg, 2) != 2)
+-                      break;
++                      return -1;
+               else
+                       mac[i] = ibuf[0];
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch b/queue-6.1/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch
new file mode 100644 (file)
index 0000000..c3f3756
--- /dev/null
+++ b/queue-6.1/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch
@@ -0,0 +1,56 @@
+From 82e13f13126891dbf9d23664f542cd369b9697e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 09:27:51 +0000
+Subject: media: dvb-usb-v2: ce6230: fix null-ptr-deref in
+ ce6230_i2c_master_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit dff919090155fb22679869e8469168f270dcd97f ]
+
+In ce6230_i2c_master_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach ce6230_i2c_master_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen. We add
+check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Link: https://lore.kernel.org/linux-media/20230313092751.209496-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/ce6230.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/ce6230.c b/drivers/media/usb/dvb-usb-v2/ce6230.c
+index 44540de1a2066..d3b5cb4a24daf 100644
+--- a/drivers/media/usb/dvb-usb-v2/ce6230.c
++++ b/drivers/media/usb/dvb-usb-v2/ce6230.c
+@@ -101,6 +101,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap,
+               if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) {
+                       if (msg[i].addr ==
+                               ce6230_zl10353_config.demod_address) {
++                              if (msg[i].len < 1) {
++                                      i = -EOPNOTSUPP;
++                                      break;
++                              }
+                               req.cmd = DEMOD_READ;
+                               req.value = msg[i].addr >> 1;
+                               req.index = msg[i].buf[0];
+@@ -117,6 +121,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap,
+               } else {
+                       if (msg[i].addr ==
+                               ce6230_zl10353_config.demod_address) {
++                              if (msg[i].len < 1) {
++                                      i = -EOPNOTSUPP;
++                                      break;
++                              }
+                               req.cmd = DEMOD_WRITE;
+                               req.value = msg[i].addr >> 1;
+                               req.index = msg[i].buf[0];
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch b/queue-6.1/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch
new file mode 100644 (file)
index 0000000..382fec8
--- /dev/null
+++ b/queue-6.1/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch
@@ -0,0 +1,65 @@
+From 649d61c57bc78cbf3d403bd322762df759c3a6b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 08:58:53 +0000
+Subject: media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit a6dcefcc08eca1bf4e3d213c97c3cfb75f377935 ]
+
+In ec168_i2c_xfer, msg is controlled by user. When msg[i].buf is null
+and msg[i].len is zero, former checks on msg[i].buf would be passed.
+If accessing msg[i].buf[0] without sanity check, null pointer deref
+would happen. We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Link: https://lore.kernel.org/linux-media/20230313085853.3252349-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/ec168.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/ec168.c b/drivers/media/usb/dvb-usb-v2/ec168.c
+index 7ed0ab9e429b1..0e4773fc025c9 100644
+--- a/drivers/media/usb/dvb-usb-v2/ec168.c
++++ b/drivers/media/usb/dvb-usb-v2/ec168.c
+@@ -115,6 +115,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+       while (i < num) {
+               if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) {
+                       if (msg[i].addr == ec168_ec100_config.demod_address) {
++                              if (msg[i].len < 1) {
++                                      i = -EOPNOTSUPP;
++                                      break;
++                              }
+                               req.cmd = READ_DEMOD;
+                               req.value = 0;
+                               req.index = 0xff00 + msg[i].buf[0]; /* reg */
+@@ -131,6 +135,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+                       }
+               } else {
+                       if (msg[i].addr == ec168_ec100_config.demod_address) {
++                              if (msg[i].len < 1) {
++                                      i = -EOPNOTSUPP;
++                                      break;
++                              }
+                               req.cmd = WRITE_DEMOD;
+                               req.value = msg[i].buf[1]; /* val */
+                               req.index = 0xff00 + msg[i].buf[0]; /* reg */
+@@ -139,6 +147,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+                               ret = ec168_ctrl_msg(d, &req);
+                               i += 1;
+                       } else {
++                              if (msg[i].len < 1) {
++                                      i = -EOPNOTSUPP;
++                                      break;
++                              }
+                               req.cmd = WRITE_I2C;
+                               req.value = msg[i].buf[0]; /* val */
+                               req.index = 0x0100 + msg[i].addr; /* I2C addr */
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch b/queue-6.1/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch
new file mode 100644 (file)
index 0000000..746230d
--- /dev/null
+++ b/queue-6.1/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch
@@ -0,0 +1,84 @@
+From d96e38e8c5cd37886dc5c7f4dbc06334aed4dc2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 May 2023 15:52:47 +0100
+Subject: media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit aa4a447b81b84f69c1a89ad899df157f386d7636 ]
+
+In rtl28xxu_i2c_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach rtl28xxu_i2c_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen.
+We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a
+("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Link: https://lore.kernel.org/linux-media/tencent_3623572106754AC2F266B316798B0F6CCA05@qq.com
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+index 795a012d40200..f7884bb56fccf 100644
+--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+@@ -176,6 +176,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+                       ret = -EOPNOTSUPP;
+                       goto err_mutex_unlock;
+               } else if (msg[0].addr == 0x10) {
++                      if (msg[0].len < 1 || msg[1].len < 1) {
++                              ret = -EOPNOTSUPP;
++                              goto err_mutex_unlock;
++                      }
+                       /* method 1 - integrated demod */
+                       if (msg[0].buf[0] == 0x00) {
+                               /* return demod page from driver cache */
+@@ -189,6 +193,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+                               ret = rtl28xxu_ctrl_msg(d, &req);
+                       }
+               } else if (msg[0].len < 2) {
++                      if (msg[0].len < 1) {
++                              ret = -EOPNOTSUPP;
++                              goto err_mutex_unlock;
++                      }
+                       /* method 2 - old I2C */
+                       req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1);
+                       req.index = CMD_I2C_RD;
+@@ -217,8 +225,16 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+                       ret = -EOPNOTSUPP;
+                       goto err_mutex_unlock;
+               } else if (msg[0].addr == 0x10) {
++                      if (msg[0].len < 1) {
++                              ret = -EOPNOTSUPP;
++                              goto err_mutex_unlock;
++                      }
+                       /* method 1 - integrated demod */
+                       if (msg[0].buf[0] == 0x00) {
++                              if (msg[0].len < 2) {
++                                      ret = -EOPNOTSUPP;
++                                      goto err_mutex_unlock;
++                              }
+                               /* save demod page for later demod access */
+                               dev->page = msg[0].buf[1];
+                               ret = 0;
+@@ -231,6 +247,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+                               ret = rtl28xxu_ctrl_msg(d, &req);
+                       }
+               } else if ((msg[0].len < 23) && (!dev->new_i2c_write)) {
++                      if (msg[0].len < 1) {
++                              ret = -EOPNOTSUPP;
++                              goto err_mutex_unlock;
++                      }
+                       /* method 2 - old I2C */
+                       req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1);
+                       req.index = CMD_I2C_WR;
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb_ca_en50221-fix-a-size-write-bug.patch b/queue-6.1/media-dvb_ca_en50221-fix-a-size-write-bug.patch
new file mode 100644 (file)
index 0000000..438ed3a
--- /dev/null
+++ b/queue-6.1/media-dvb_ca_en50221-fix-a-size-write-bug.patch
@@ -0,0 +1,118 @@
+From c24cb9316febcfa5682fd510386b898c003c312c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 13:50:27 +0100
+Subject: media: dvb_ca_en50221: fix a size write bug
+
+From: YongSu Yoo <yongsuyoo0215@gmail.com>
+
+[ Upstream commit a4315e5be7020aac9b24a8151caf4bb85224cd0e ]
+
+The function of "dvb_ca_en50221_write_data" at source/drivers/media
+/dvb-core/dvb_ca_en50221.c is used for two cases.
+The first case is for writing APDU data in the function of
+"dvb_ca_en50221_io_write" at source/drivers/media/dvb-core/
+dvb_ca_en50221.c.
+The second case is for writing the host link buf size on the
+Command Register in the function of "dvb_ca_en50221_link_init"
+at source/drivers/media/dvb-core/dvb_ca_en50221.c.
+In the second case, there exists a bug like following.
+In the function of the "dvb_ca_en50221_link_init",
+after a TV host calculates the host link buf_size,
+the TV host writes the calculated host link buf_size on the
+Size Register.
+Accroding to the en50221 Spec (the page 60 of
+https://dvb.org/wp-content/uploads/2020/02/En50221.V1.pdf),
+before this writing operation, the "SW(CMDREG_SW)" flag in the
+Command Register should be set. We can see this setting operation
+in the function of the "dvb_ca_en50221_link_init" like below.
+...
+       if ((ret = ca->pub->write_cam_control(ca->pub, slot,
+CTRLIF_COMMAND, IRQEN | CMDREG_SW)) != 0)
+               return ret;
+...
+But, after that, the real writing operation is implemented using
+the function of the "dvb_ca_en50221_write_data" in the function of
+"dvb_ca_en50221_link_init", and the "dvb_ca_en50221_write_data"
+includes the function of "ca->pub->write_cam_control",
+and the function of the "ca->pub->write_cam_control" in the
+function of the "dvb_ca_en50221_wrte_data" does not include
+"CMDREG_SW" flag like below.
+...
+       if ((status = ca->pub->write_cam_control(ca->pub, slot,
+CTRLIF_COMMAND, IRQEN | CMDREG_HC)) != 0)
+...
+In the above source code, we can see only the "IRQEN | CMDREG_HC",
+but we cannot see the "CMDREG_SW".
+The "CMDREG_SW" flag which was set in the function of the
+"dvb_ca_en50221_link_init" was rollbacked by the follwoing function
+of the "dvb_ca_en50221_write_data".
+This is a bug. and this bug causes that the calculated host link buf_size
+is not properly written in the CI module.
+Through this patch, we fix this bug.
+
+Link: https://lore.kernel.org/linux-media/20220818125027.1131-1-yongsuyoo0215@gmail.com
+Signed-off-by: YongSu Yoo <yongsuyoo0215@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_ca_en50221.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
+index c2d2792227f86..b6ca29dfb184a 100644
+--- a/drivers/media/dvb-core/dvb_ca_en50221.c
++++ b/drivers/media/dvb-core/dvb_ca_en50221.c
+@@ -187,7 +187,7 @@ static void dvb_ca_en50221_thread_wakeup(struct dvb_ca_private *ca);
+ static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot,
+                                   u8 *ebuf, int ecount);
+ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
+-                                   u8 *ebuf, int ecount);
++                                   u8 *ebuf, int ecount, int size_write_flag);
+ 
+ /**
+  * findstr - Safely find needle in haystack.
+@@ -370,7 +370,7 @@ static int dvb_ca_en50221_link_init(struct dvb_ca_private *ca, int slot)
+       ret = dvb_ca_en50221_wait_if_status(ca, slot, STATUSREG_FR, HZ / 10);
+       if (ret)
+               return ret;
+-      ret = dvb_ca_en50221_write_data(ca, slot, buf, 2);
++      ret = dvb_ca_en50221_write_data(ca, slot, buf, 2, CMDREG_SW);
+       if (ret != 2)
+               return -EIO;
+       ret = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND, IRQEN);
+@@ -778,11 +778,13 @@ static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot,
+  * @buf: The data in this buffer is treated as a complete link-level packet to
+  *     be written.
+  * @bytes_write: Size of ebuf.
++ * @size_write_flag: A flag on Command Register which says whether the link size
++ * information will be writen or not.
+  *
+  * return: Number of bytes written, or < 0 on error.
+  */
+ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
+-                                   u8 *buf, int bytes_write)
++                                   u8 *buf, int bytes_write, int size_write_flag)
+ {
+       struct dvb_ca_slot *sl = &ca->slot_info[slot];
+       int status;
+@@ -817,7 +819,7 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot,
+ 
+       /* OK, set HC bit */
+       status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND,
+-                                          IRQEN | CMDREG_HC);
++                                          IRQEN | CMDREG_HC | size_write_flag);
+       if (status)
+               goto exit;
+ 
+@@ -1508,7 +1510,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
+ 
+                       mutex_lock(&sl->slot_lock);
+                       status = dvb_ca_en50221_write_data(ca, slot, fragbuf,
+-                                                         fraglen + 2);
++                                                         fraglen + 2, 0);
+                       mutex_unlock(&sl->slot_lock);
+                       if (status == (fraglen + 2)) {
+                               written = 1;
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch b/queue-6.1/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch
new file mode 100644 (file)
index 0000000..f42e555
--- /dev/null
+++ b/queue-6.1/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch
@@ -0,0 +1,65 @@
+From 5105793f2ea457ad89c88684942bcb653d1a5f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Mar 2023 21:25:19 +0000
+Subject: media: dvb_demux: fix a bug for the continuity counter
+
+From: YongSu Yoo <yongsuyoo0215@gmail.com>
+
+[ Upstream commit 7efb10d8dc70ea3000cc70dca53407c52488acd1 ]
+
+In dvb_demux.c, some logics exist which compare the expected
+continuity counter and the real continuity counter. If they
+are not matched each other, both of the expected continuity
+counter and the real continuity counter should be printed.
+But there exists a bug that the expected continuity counter
+is not correctly printed. The expected continuity counter is
+replaced with the real countinuity counter + 1 so that
+the epected continuity counter is not correclty printed.
+This is wrong. This bug is fixed.
+
+Link: https://lore.kernel.org/linux-media/20230305212519.499-1-yongsuyoo0215@gmail.com
+
+Signed-off-by: YongSu Yoo <yongsuyoo0215@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_demux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
+index 83cc32ad7e122..eadd579bb4fad 100644
+--- a/drivers/media/dvb-core/dvb_demux.c
++++ b/drivers/media/dvb-core/dvb_demux.c
+@@ -115,12 +115,12 @@ static inline int dvb_dmx_swfilter_payload(struct dvb_demux_feed *feed,
+ 
+       cc = buf[3] & 0x0f;
+       ccok = ((feed->cc + 1) & 0x0f) == cc;
+-      feed->cc = cc;
+       if (!ccok) {
+               set_buf_flags(feed, DMX_BUFFER_FLAG_DISCONTINUITY_DETECTED);
+               dprintk_sect_loss("missed packet: %d instead of %d!\n",
+                                 cc, (feed->cc + 1) & 0x0f);
+       }
++      feed->cc = cc;
+ 
+       if (buf[1] & 0x40)      // PUSI ?
+               feed->peslen = 0xfffa;
+@@ -300,7 +300,6 @@ static int dvb_dmx_swfilter_section_packet(struct dvb_demux_feed *feed,
+ 
+       cc = buf[3] & 0x0f;
+       ccok = ((feed->cc + 1) & 0x0f) == cc;
+-      feed->cc = cc;
+ 
+       if (buf[3] & 0x20) {
+               /* adaption field present, check for discontinuity_indicator */
+@@ -336,6 +335,7 @@ static int dvb_dmx_swfilter_section_packet(struct dvb_demux_feed *feed,
+               feed->pusi_seen = false;
+               dvb_dmx_swfilter_section_new(feed);
+       }
++      feed->cc = cc;
+ 
+       if (buf[1] & 0x40) {
+               /* PUSI=1 (is set), section boundary is here */
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-mediatek-vcodec-only-apply-4k-frame-sizes-on-d.patch b/queue-6.1/media-mediatek-vcodec-only-apply-4k-frame-sizes-on-d.patch
new file mode 100644 (file)
index 0000000..7bbecac
--- /dev/null
+++ b/queue-6.1/media-mediatek-vcodec-only-apply-4k-frame-sizes-on-d.patch
@@ -0,0 +1,41 @@
+From 84e668735893b4b0a9fd14dff10eb29a8fa634ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Apr 2023 11:39:05 +0100
+Subject: media: mediatek: vcodec: Only apply 4K frame sizes on decoder formats
+
+From: Pin-yen Lin <treapking@chromium.org>
+
+[ Upstream commit ed17f89e9502f03af493e130620a9bb74c07cf28 ]
+
+When VCODEC_CAPABILITY_4K_DISABLED is not set in dec_capability, skip
+formats that are not MTK_FMT_DEC so only decoder formats is updated in
+mtk_init_vdec_params.
+
+Fixes: e25528e1dbe5 ("media: mediatek: vcodec: Use 4K frame size when supported by stateful decoder")
+Signed-off-by: Pin-yen Lin <treapking@chromium.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c   | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c
+index 29991551cf614..0fbd030026c72 100644
+--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c
++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c
+@@ -584,6 +584,9 @@ static void mtk_init_vdec_params(struct mtk_vcodec_ctx *ctx)
+ 
+       if (!(ctx->dev->dec_capability & VCODEC_CAPABILITY_4K_DISABLED)) {
+               for (i = 0; i < num_supported_formats; i++) {
++                      if (mtk_video_formats[i].type != MTK_FMT_DEC)
++                              continue;
++
+                       mtk_video_formats[i].frmsize.max_width =
+                               VCODEC_DEC_4K_CODED_WIDTH;
+                       mtk_video_formats[i].frmsize.max_height =
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch b/queue-6.1/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch
new file mode 100644 (file)
index 0000000..ccb63c5
--- /dev/null
+++ b/queue-6.1/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch
@@ -0,0 +1,44 @@
+From bd62931e611b83b3d5c37cfd544b19ecdf21416c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Mar 2023 13:13:18 +0000
+Subject: media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID
+ table
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit ae11c0efaec32fb45130ee9886689f467232eebc ]
+
+The driver will match mostly by DT table (even thought there is regular
+ID table) so there is little benefit in of_match_ptr (this also allows
+ACPI matching via PRP0001, even though it might not be relevant here).
+This also fixes !CONFIG_OF error:
+
+  drivers/media/dvb-frontends/mn88443x.c:782:34: error: ‘mn88443x_of_match’ defined but not used [-Werror=unused-const-variable=]
+
+Link: https://lore.kernel.org/linux-media/20230312131318.351173-28-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/mn88443x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/mn88443x.c b/drivers/media/dvb-frontends/mn88443x.c
+index 452571b380b72..5a024870979de 100644
+--- a/drivers/media/dvb-frontends/mn88443x.c
++++ b/drivers/media/dvb-frontends/mn88443x.c
+@@ -798,7 +798,7 @@ MODULE_DEVICE_TABLE(i2c, mn88443x_i2c_id);
+ static struct i2c_driver mn88443x_driver = {
+       .driver = {
+               .name = "mn88443x",
+-              .of_match_table = of_match_ptr(mn88443x_of_match),
++              .of_match_table = mn88443x_of_match,
+       },
+       .probe    = mn88443x_probe,
+       .remove   = mn88443x_remove,
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch b/queue-6.1/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch
new file mode 100644 (file)
index 0000000..fd802e2
--- /dev/null
+++ b/queue-6.1/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch
@@ -0,0 +1,70 @@
+From 97ae8542b71f4f3ced488f2c5584d94ba2cd4c79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 13:45:18 +0000
+Subject: media: netup_unidvb: fix irq init by register it at the end of probe
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit e6ad6233592593079db5c8fa592c298e51bc1356 ]
+
+IRQ handler netup_spi_interrupt() takes spinlock spi->lock. The lock
+is initialized in netup_spi_init(). However, irq handler is registered
+before initializing the lock.
+
+Spinlock dma->lock and i2c->lock suffer from the same problem.
+
+Fix this by registering the irq at the end of probe.
+
+Link: https://lore.kernel.org/linux-media/20230315134518.1074497-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/pci/netup_unidvb/netup_unidvb_core.c  | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+index aaa1d2dedebdd..d85bfbb77a250 100644
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+@@ -887,12 +887,7 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev,
+               ndev->lmmio0, (u32)pci_resource_len(pci_dev, 0),
+               ndev->lmmio1, (u32)pci_resource_len(pci_dev, 1),
+               pci_dev->irq);
+-      if (request_irq(pci_dev->irq, netup_unidvb_isr, IRQF_SHARED,
+-                      "netup_unidvb", pci_dev) < 0) {
+-              dev_err(&pci_dev->dev,
+-                      "%s(): can't get IRQ %d\n", __func__, pci_dev->irq);
+-              goto irq_request_err;
+-      }
++
+       ndev->dma_size = 2 * 188 *
+               NETUP_DMA_BLOCKS_COUNT * NETUP_DMA_PACKETS_COUNT;
+       ndev->dma_virt = dma_alloc_coherent(&pci_dev->dev,
+@@ -933,6 +928,14 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev,
+               dev_err(&pci_dev->dev, "netup_unidvb: DMA setup failed\n");
+               goto dma_setup_err;
+       }
++
++      if (request_irq(pci_dev->irq, netup_unidvb_isr, IRQF_SHARED,
++                      "netup_unidvb", pci_dev) < 0) {
++              dev_err(&pci_dev->dev,
++                      "%s(): can't get IRQ %d\n", __func__, pci_dev->irq);
++              goto dma_setup_err;
++      }
++
+       dev_info(&pci_dev->dev,
+               "netup_unidvb: device has been initialized\n");
+       return 0;
+@@ -951,8 +954,6 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev,
+       dma_free_coherent(&pci_dev->dev, ndev->dma_size,
+                       ndev->dma_virt, ndev->dma_phys);
+ dma_alloc_err:
+-      free_irq(pci_dev->irq, pci_dev);
+-irq_request_err:
+       iounmap(ndev->lmmio1);
+ pci_bar1_error:
+       iounmap(ndev->lmmio0);
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch b/queue-6.1/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch
new file mode 100644 (file)
index 0000000..84428c6
--- /dev/null
+++ b/queue-6.1/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch
@@ -0,0 +1,49 @@
+From eac41e1abc4a6760e1fd95e0d1ec91ad030f2beb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Feb 2023 21:55:34 +0100
+Subject: media: rcar-vin: Select correct interrupt mode for
+ V4L2_FIELD_ALTERNATE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit e10707d5865c90d3dfe4ef589ce02ff4287fef85 ]
+
+When adding proper support for V4L2_FIELD_ALTERNATE it was missed that
+this field format should trigger an interrupt for each field, not just
+for the whole frame. Fix this by marking it as progressive in the
+capture setup, which will then select the correct interrupt mode.
+
+Tested on both Gen2 and Gen3 with the result of a doubling of the frame
+rate for V4L2_FIELD_ALTERNATE. From a PAL video source the frame rate is
+now 50, which is expected for alternate field capture.
+
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/renesas/rcar-vin/rcar-dma.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c
+index 3aea96d85165a..ef5adffae1972 100644
+--- a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c
++++ b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c
+@@ -651,11 +651,9 @@ static int rvin_setup(struct rvin_dev *vin)
+       case V4L2_FIELD_SEQ_TB:
+       case V4L2_FIELD_SEQ_BT:
+       case V4L2_FIELD_NONE:
+-              vnmc = VNMC_IM_ODD_EVEN;
+-              progressive = true;
+-              break;
+       case V4L2_FIELD_ALTERNATE:
+               vnmc = VNMC_IM_ODD_EVEN;
++              progressive = true;
+               break;
+       default:
+               vnmc = VNMC_IM_ODD;
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch b/queue-6.1/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch
new file mode 100644 (file)
index 0000000..4ae6188
--- /dev/null
+++ b/queue-6.1/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch
@@ -0,0 +1,43 @@
+From 5501198d36ed0e7b2fb03d9c59db497a61849dfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 04:59:25 +0000
+Subject: media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 517a281338322ff8293f988771c98aaa7205e457 ]
+
+Since dvb_frontend_detach() is not called in ttusb_dec_exit_dvb(),
+which is called when the device is disconnected, dvb_frontend_free()
+is not finally called.
+
+This causes a memory leak just by repeatedly plugging and
+unplugging the device.
+
+Fix this issue by adding dvb_frontend_detach() to ttusb_dec_exit_dvb().
+
+Link: https://lore.kernel.org/linux-media/20221117045925.14297-5-imv4bel@gmail.com
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/ttusb-dec/ttusb_dec.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
+index 38822cedd93a9..c4474d4c44e28 100644
+--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
++++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
+@@ -1544,8 +1544,7 @@ static void ttusb_dec_exit_dvb(struct ttusb_dec *dec)
+       dvb_dmx_release(&dec->demux);
+       if (dec->fe) {
+               dvb_unregister_frontend(dec->fe);
+-              if (dec->fe->ops.release)
+-                      dec->fe->ops.release(dec->fe);
++              dvb_frontend_detach(dec->fe);
+       }
+       dvb_unregister_adapter(&dec->adapter);
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch b/queue-6.1/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch
new file mode 100644 (file)
index 0000000..856bf7d
--- /dev/null
+++ b/queue-6.1/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch
@@ -0,0 +1,81 @@
+From 68246aceed2369752dd7583c22bf2c9e0762693e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Apr 2023 10:45:59 +0100
+Subject: media: uvcvideo: Don't expose unsupported formats to userspace
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 81f3affa19d6ab0c32aef46b053838219eef7e71 ]
+
+When the uvcvideo driver encounters a format descriptor with an unknown
+format GUID, it creates a corresponding struct uvc_format instance with
+the fcc field set to 0. Since commit 50459f103edf ("media: uvcvideo:
+Remove format descriptions"), the driver relies on the V4L2 core to
+provide the format description string, which the V4L2 core can't do
+without a valid 4CC. This triggers a WARN_ON.
+
+As a format with a zero 4CC can't be selected, it is unusable for
+applications. Ignore the format completely without creating a uvc_format
+instance, which fixes the warning.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217252
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2180107
+
+Fixes: 50459f103edf ("media: uvcvideo: Remove format descriptions")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index a9cdef07e6b14..191db831d7606 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -251,14 +251,17 @@ static int uvc_parse_format(struct uvc_device *dev,
+               /* Find the format descriptor from its GUID. */
+               fmtdesc = uvc_format_by_guid(&buffer[5]);
+ 
+-              if (fmtdesc != NULL) {
+-                      format->fcc = fmtdesc->fcc;
+-              } else {
++              if (!fmtdesc) {
++                      /*
++                       * Unknown video formats are not fatal errors, the
++                       * caller will skip this descriptor.
++                       */
+                       dev_info(&streaming->intf->dev,
+                                "Unknown video format %pUl\n", &buffer[5]);
+-                      format->fcc = 0;
++                      return 0;
+               }
+ 
++              format->fcc = fmtdesc->fcc;
+               format->bpp = buffer[21];
+ 
+               /*
+@@ -675,7 +678,7 @@ static int uvc_parse_streaming(struct uvc_device *dev,
+       interval = (u32 *)&frame[nframes];
+ 
+       streaming->format = format;
+-      streaming->nformats = nformats;
++      streaming->nformats = 0;
+ 
+       /* Parse the format descriptors. */
+       while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE) {
+@@ -689,7 +692,10 @@ static int uvc_parse_streaming(struct uvc_device *dev,
+                               &interval, buffer, buflen);
+                       if (ret < 0)
+                               goto error;
++                      if (!ret)
++                              break;
+ 
++                      streaming->nformats++;
+                       frame += format->nframes;
+                       format++;
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/mptcp-add-annotations-around-msk-subflow-accesses.patch b/queue-6.1/mptcp-add-annotations-around-msk-subflow-accesses.patch
new file mode 100644 (file)
index 0000000..8a39d40
--- /dev/null
+++ b/queue-6.1/mptcp-add-annotations-around-msk-subflow-accesses.patch
@@ -0,0 +1,118 @@
+From 0e29a113695e80c1610878e1368442d524885832 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 12:37:04 -0700
+Subject: mptcp: add annotations around msk->subflow accesses
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 5b825727d0871b23e8867f6371183e61628b4a26 ]
+
+The MPTCP can access the first subflow socket in a few spots
+outside the socket lock scope. That is actually safe, as MPTCP
+will delete the socket itself only after the msk sock close().
+
+Still the such accesses causes a few KCSAN splats, as reported
+by Christoph. Silence the harmless warning adding a few annotation
+around the relevant accesses.
+
+Fixes: 71ba088ce0aa ("mptcp: cleanup accept and poll")
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/402
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 18 ++++++++++--------
+ net/mptcp/protocol.h |  6 +++++-
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index fecee0a850d65..efe372ff389d4 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -112,7 +112,7 @@ static int __mptcp_socket_create(struct mptcp_sock *msk)
+               return err;
+ 
+       msk->first = ssock->sk;
+-      msk->subflow = ssock;
++      WRITE_ONCE(msk->subflow, ssock);
+       subflow = mptcp_subflow_ctx(ssock->sk);
+       list_add(&subflow->node, &msk->conn_list);
+       sock_hold(ssock->sk);
+@@ -2269,7 +2269,7 @@ static void mptcp_dispose_initial_subflow(struct mptcp_sock *msk)
+ {
+       if (msk->subflow) {
+               iput(SOCK_INODE(msk->subflow));
+-              msk->subflow = NULL;
++              WRITE_ONCE(msk->subflow, NULL);
+       }
+ }
+ 
+@@ -3115,7 +3115,7 @@ struct sock *mptcp_sk_clone(const struct sock *sk,
+       msk = mptcp_sk(nsk);
+       msk->local_key = subflow_req->local_key;
+       msk->token = subflow_req->token;
+-      msk->subflow = NULL;
++      WRITE_ONCE(msk->subflow, NULL);
+       msk->in_accept_queue = 1;
+       WRITE_ONCE(msk->fully_established, false);
+       if (mp_opt->suboptions & OPTION_MPTCP_CSUMREQD)
+@@ -3172,7 +3172,7 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err,
+       struct socket *listener;
+       struct sock *newsk;
+ 
+-      listener = msk->subflow;
++      listener = READ_ONCE(msk->subflow);
+       if (WARN_ON_ONCE(!listener)) {
+               *err = -EINVAL;
+               return NULL;
+@@ -3746,10 +3746,10 @@ static int mptcp_stream_accept(struct socket *sock, struct socket *newsock,
+ 
+       pr_debug("msk=%p", msk);
+ 
+-      /* buggy applications can call accept on socket states other then LISTEN
++      /* Buggy applications can call accept on socket states other then LISTEN
+        * but no need to allocate the first subflow just to error out.
+        */
+-      ssock = msk->subflow;
++      ssock = READ_ONCE(msk->subflow);
+       if (!ssock)
+               return -EINVAL;
+ 
+@@ -3822,10 +3822,12 @@ static __poll_t mptcp_poll(struct file *file, struct socket *sock,
+       state = inet_sk_state_load(sk);
+       pr_debug("msk=%p state=%d flags=%lx", msk, state, msk->flags);
+       if (state == TCP_LISTEN) {
+-              if (WARN_ON_ONCE(!msk->subflow || !msk->subflow->sk))
++              struct socket *ssock = READ_ONCE(msk->subflow);
++
++              if (WARN_ON_ONCE(!ssock || !ssock->sk))
+                       return 0;
+ 
+-              return inet_csk_listen_poll(msk->subflow->sk);
++              return inet_csk_listen_poll(ssock->sk);
+       }
+ 
+       if (state != TCP_SYN_SENT && state != TCP_SYN_RECV) {
+diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
+index 441feeaeb2427..822fd749f5690 100644
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -297,7 +297,11 @@ struct mptcp_sock {
+       struct list_head rtx_queue;
+       struct mptcp_data_frag *first_pending;
+       struct list_head join_list;
+-      struct socket   *subflow; /* outgoing connect/listener/!mp_capable */
++      struct socket   *subflow; /* outgoing connect/listener/!mp_capable
++                                 * The mptcp ops can safely dereference, using suitable
++                                 * ONCE annotation, the subflow outside the socket
++                                 * lock as such sock is freed after close().
++                                 */
+       struct sock     *first;
+       struct mptcp_pm_data    pm;
+       struct {
+-- 
+2.39.2
+

diff --git a/queue-6.1/mptcp-add-annotations-around-sk-sk_shutdown-accesses.patch b/queue-6.1/mptcp-add-annotations-around-sk-sk_shutdown-accesses.patch
new file mode 100644 (file)
index 0000000..abf7c34
--- /dev/null
+++ b/queue-6.1/mptcp-add-annotations-around-sk-sk_shutdown-accesses.patch
@@ -0,0 +1,124 @@
+From 5808a2f69958722060f0276fd4036b08ce5066ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 12:37:07 -0700
+Subject: mptcp: add annotations around sk->sk_shutdown accesses
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 6b9831bfd9322b297eb6d44257808cc055fdc586 ]
+
+Christoph reported the mptcp variant of a recently addressed plain
+TCP issue. Similar to commit e14cadfd80d7 ("tcp: add annotations around
+sk->sk_shutdown accesses") add READ/WRITE ONCE annotations to silence
+KCSAN reports around lockless sk_shutdown access.
+
+Fixes: 71ba088ce0aa ("mptcp: cleanup accept and poll")
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/401
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index f4206001e2fe5..c25796eacd95f 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -599,7 +599,7 @@ static bool mptcp_check_data_fin(struct sock *sk)
+               WRITE_ONCE(msk->ack_seq, msk->ack_seq + 1);
+               WRITE_ONCE(msk->rcv_data_fin, 0);
+ 
+-              sk->sk_shutdown |= RCV_SHUTDOWN;
++              WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN);
+               smp_mb__before_atomic(); /* SHUTDOWN must be visible first */
+ 
+               switch (sk->sk_state) {
+@@ -906,7 +906,7 @@ static void mptcp_check_for_eof(struct mptcp_sock *msk)
+               /* hopefully temporary hack: propagate shutdown status
+                * to msk, when all subflows agree on it
+                */
+-              sk->sk_shutdown |= RCV_SHUTDOWN;
++              WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN);
+ 
+               smp_mb__before_atomic(); /* SHUTDOWN must be visible first */
+               sk->sk_data_ready(sk);
+@@ -2512,7 +2512,7 @@ static void mptcp_check_fastclose(struct mptcp_sock *msk)
+       }
+ 
+       inet_sk_state_store(sk, TCP_CLOSE);
+-      sk->sk_shutdown = SHUTDOWN_MASK;
++      WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
+       smp_mb__before_atomic(); /* SHUTDOWN must be visible first */
+       set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags);
+ 
+@@ -2941,7 +2941,7 @@ bool __mptcp_close(struct sock *sk, long timeout)
+       bool do_cancel_work = false;
+       int subflows_alive = 0;
+ 
+-      sk->sk_shutdown = SHUTDOWN_MASK;
++      WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
+ 
+       if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) {
+               inet_sk_state_store(sk, TCP_CLOSE);
+@@ -3079,7 +3079,7 @@ static int mptcp_disconnect(struct sock *sk, int flags)
+       mptcp_pm_data_reset(msk);
+       mptcp_ca_reset(sk);
+ 
+-      sk->sk_shutdown = 0;
++      WRITE_ONCE(sk->sk_shutdown, 0);
+       sk_error_report(sk);
+       return 0;
+ }
+@@ -3815,9 +3815,6 @@ static __poll_t mptcp_check_writeable(struct mptcp_sock *msk)
+ {
+       struct sock *sk = (struct sock *)msk;
+ 
+-      if (unlikely(sk->sk_shutdown & SEND_SHUTDOWN))
+-              return EPOLLOUT | EPOLLWRNORM;
+-
+       if (sk_stream_is_writeable(sk))
+               return EPOLLOUT | EPOLLWRNORM;
+ 
+@@ -3835,6 +3832,7 @@ static __poll_t mptcp_poll(struct file *file, struct socket *sock,
+       struct sock *sk = sock->sk;
+       struct mptcp_sock *msk;
+       __poll_t mask = 0;
++      u8 shutdown;
+       int state;
+ 
+       msk = mptcp_sk(sk);
+@@ -3851,17 +3849,22 @@ static __poll_t mptcp_poll(struct file *file, struct socket *sock,
+               return inet_csk_listen_poll(ssock->sk);
+       }
+ 
++      shutdown = READ_ONCE(sk->sk_shutdown);
++      if (shutdown == SHUTDOWN_MASK || state == TCP_CLOSE)
++              mask |= EPOLLHUP;
++      if (shutdown & RCV_SHUTDOWN)
++              mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;
++
+       if (state != TCP_SYN_SENT && state != TCP_SYN_RECV) {
+               mask |= mptcp_check_readable(msk);
+-              mask |= mptcp_check_writeable(msk);
++              if (shutdown & SEND_SHUTDOWN)
++                      mask |= EPOLLOUT | EPOLLWRNORM;
++              else
++                      mask |= mptcp_check_writeable(msk);
+       } else if (state == TCP_SYN_SENT && inet_sk(sk)->defer_connect) {
+               /* cf tcp_poll() note about TFO */
+               mask |= EPOLLOUT | EPOLLWRNORM;
+       }
+-      if (sk->sk_shutdown == SHUTDOWN_MASK || state == TCP_CLOSE)
+-              mask |= EPOLLHUP;
+-      if (sk->sk_shutdown & RCV_SHUTDOWN)
+-              mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;
+ 
+       /* This barrier is coupled with smp_wmb() in __mptcp_error_report() */
+       smp_rmb();
+-- 
+2.39.2
+

diff --git a/queue-6.1/mptcp-avoid-unneeded-__mptcp_nmpc_socket-usage.patch b/queue-6.1/mptcp-avoid-unneeded-__mptcp_nmpc_socket-usage.patch
new file mode 100644 (file)
index 0000000..2b7a6b7
--- /dev/null
+++ b/queue-6.1/mptcp-avoid-unneeded-__mptcp_nmpc_socket-usage.patch
@@ -0,0 +1,65 @@
+From 4c959457f74aba4c8b161c0cc4843b1b690080ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Apr 2023 16:08:01 +0200
+Subject: mptcp: avoid unneeded __mptcp_nmpc_socket() usage
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 617612316953093bc859890e405e1b550c27d840 ]
+
+In a few spots, the mptcp code invokes the __mptcp_nmpc_socket() helper
+multiple times under the same socket lock scope. Additionally, in such
+places, the socket status ensures that there is no MP capable handshake
+running.
+
+Under the above condition we can replace the later __mptcp_nmpc_socket()
+helper invocation with direct access to the msk->subflow pointer and
+better document such access is not supposed to fail with WARN().
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5b825727d087 ("mptcp: add annotations around msk->subflow accesses")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index ea46a5cb1c30f..fecee0a850d65 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -3172,7 +3172,7 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err,
+       struct socket *listener;
+       struct sock *newsk;
+ 
+-      listener = __mptcp_nmpc_socket(msk);
++      listener = msk->subflow;
+       if (WARN_ON_ONCE(!listener)) {
+               *err = -EINVAL;
+               return NULL;
+@@ -3398,7 +3398,7 @@ static int mptcp_get_port(struct sock *sk, unsigned short snum)
+       struct mptcp_sock *msk = mptcp_sk(sk);
+       struct socket *ssock;
+ 
+-      ssock = __mptcp_nmpc_socket(msk);
++      ssock = msk->subflow;
+       pr_debug("msk=%p, subflow=%p", msk, ssock);
+       if (WARN_ON_ONCE(!ssock))
+               return -EINVAL;
+@@ -3746,7 +3746,10 @@ static int mptcp_stream_accept(struct socket *sock, struct socket *newsock,
+ 
+       pr_debug("msk=%p", msk);
+ 
+-      ssock = __mptcp_nmpc_socket(msk);
++      /* buggy applications can call accept on socket states other then LISTEN
++       * but no need to allocate the first subflow just to error out.
++       */
++      ssock = msk->subflow;
+       if (!ssock)
+               return -EINVAL;
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/mptcp-avoid-unneeded-address-copy.patch b/queue-6.1/mptcp-avoid-unneeded-address-copy.patch
new file mode 100644 (file)
index 0000000..d48f51c
--- /dev/null
+++ b/queue-6.1/mptcp-avoid-unneeded-address-copy.patch
@@ -0,0 +1,38 @@
+From c7b186a65b5969c376aaaa4f57cdb91f64120331 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Mar 2023 12:22:21 +0200
+Subject: mptcp: avoid unneeded address copy
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 2bb9a37f0e194ed95c70603b0efc7898a5a0d9b4 ]
+
+In the syn_recv fallback path, the msk is unused. We can skip
+setting the socket address.
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 7e8b88ec35ee ("mptcp: consolidate passive msk socket initialization")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/subflow.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index 67ddbf6f2e4ee..4995a6281ea16 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -759,8 +759,6 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+                               goto dispose_child;
+                       }
+ 
+-                      if (new_msk)
+-                              mptcp_copy_inaddrs(new_msk, child);
+                       mptcp_subflow_drop_ctx(child);
+                       goto out;
+               }
+-- 
+2.39.2
+

diff --git a/queue-6.1/mptcp-consolidate-passive-msk-socket-initialization.patch b/queue-6.1/mptcp-consolidate-passive-msk-socket-initialization.patch
new file mode 100644 (file)
index 0000000..cfa062e
--- /dev/null
+++ b/queue-6.1/mptcp-consolidate-passive-msk-socket-initialization.patch
@@ -0,0 +1,171 @@
+From fbc809ef6e4c040b773cb49794882e26f5b4b505 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 12:37:05 -0700
+Subject: mptcp: consolidate passive msk socket initialization
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 7e8b88ec35eef363040e08d99536d2bebef83774 ]
+
+When the msk socket is cloned at MPC handshake time, a few
+fields are initialized in a racy way outside mptcp_sk_clone()
+and the msk socket lock.
+
+The above is due historical reasons: before commit a88d0092b24b
+("mptcp: simplify subflow_syn_recv_sock()") as the first subflow socket
+carrying all the needed date was not available yet at msk creation
+time
+
+We can now refactor the code moving the missing initialization bit
+under the socket lock, removing the init race and avoiding some
+code duplication.
+
+This will also simplify the next patch, as all msk->first write
+access are now under the msk socket lock.
+
+Fixes: 0397c6d85f9c ("mptcp: keep unaccepted MPC subflow into join list")
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 35 ++++++++++++++++++++++++++++-------
+ net/mptcp/protocol.h |  8 ++++----
+ net/mptcp/subflow.c  | 28 +---------------------------
+ 3 files changed, 33 insertions(+), 38 deletions(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index efe372ff389d4..6f6b65d3eed1a 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -3017,7 +3017,7 @@ static void mptcp_close(struct sock *sk, long timeout)
+       sock_put(sk);
+ }
+ 
+-void mptcp_copy_inaddrs(struct sock *msk, const struct sock *ssk)
++static void mptcp_copy_inaddrs(struct sock *msk, const struct sock *ssk)
+ {
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+       const struct ipv6_pinfo *ssk6 = inet6_sk(ssk);
+@@ -3093,9 +3093,10 @@ static struct ipv6_pinfo *mptcp_inet6_sk(const struct sock *sk)
+ }
+ #endif
+ 
+-struct sock *mptcp_sk_clone(const struct sock *sk,
+-                          const struct mptcp_options_received *mp_opt,
+-                          struct request_sock *req)
++struct sock *mptcp_sk_clone_init(const struct sock *sk,
++                               const struct mptcp_options_received *mp_opt,
++                               struct sock *ssk,
++                               struct request_sock *req)
+ {
+       struct mptcp_subflow_request_sock *subflow_req = mptcp_subflow_rsk(req);
+       struct sock *nsk = sk_clone_lock(sk, GFP_ATOMIC);
+@@ -3137,10 +3138,30 @@ struct sock *mptcp_sk_clone(const struct sock *sk,
+       }
+ 
+       sock_reset_flag(nsk, SOCK_RCU_FREE);
+-      /* will be fully established after successful MPC subflow creation */
+-      inet_sk_state_store(nsk, TCP_SYN_RECV);
+-
+       security_inet_csk_clone(nsk, req);
++
++      /* this can't race with mptcp_close(), as the msk is
++       * not yet exposted to user-space
++       */
++      inet_sk_state_store(nsk, TCP_ESTABLISHED);
++
++      /* The msk maintain a ref to each subflow in the connections list */
++      WRITE_ONCE(msk->first, ssk);
++      list_add(&mptcp_subflow_ctx(ssk)->node, &msk->conn_list);
++      sock_hold(ssk);
++
++      /* new mpc subflow takes ownership of the newly
++       * created mptcp socket
++       */
++      mptcp_token_accept(subflow_req, msk);
++
++      /* set msk addresses early to ensure mptcp_pm_get_local_id()
++       * uses the correct data
++       */
++      mptcp_copy_inaddrs(nsk, ssk);
++      mptcp_propagate_sndbuf(nsk, ssk);
++
++      mptcp_rcv_space_init(msk, ssk);
+       bh_unlock_sock(nsk);
+ 
+       /* note: the newly allocated socket refcount is 2 now */
+diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
+index 822fd749f5690..4a2f6e29211a1 100644
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -606,7 +606,6 @@ int mptcp_is_checksum_enabled(const struct net *net);
+ int mptcp_allow_join_id0(const struct net *net);
+ unsigned int mptcp_stale_loss_cnt(const struct net *net);
+ int mptcp_get_pm_type(const struct net *net);
+-void mptcp_copy_inaddrs(struct sock *msk, const struct sock *ssk);
+ void mptcp_subflow_fully_established(struct mptcp_subflow_context *subflow,
+                                    struct mptcp_options_received *mp_opt);
+ bool __mptcp_retransmit_pending_data(struct sock *sk);
+@@ -675,9 +674,10 @@ void __init mptcp_proto_init(void);
+ int __init mptcp_proto_v6_init(void);
+ #endif
+ 
+-struct sock *mptcp_sk_clone(const struct sock *sk,
+-                          const struct mptcp_options_received *mp_opt,
+-                          struct request_sock *req);
++struct sock *mptcp_sk_clone_init(const struct sock *sk,
++                               const struct mptcp_options_received *mp_opt,
++                               struct sock *ssk,
++                               struct request_sock *req);
+ void mptcp_get_options(const struct sk_buff *skb,
+                      struct mptcp_options_received *mp_opt);
+ 
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index 276e62003631e..336878f8a222a 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -751,38 +751,12 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+               ctx->setsockopt_seq = listener->setsockopt_seq;
+ 
+               if (ctx->mp_capable) {
+-                      ctx->conn = mptcp_sk_clone(listener->conn, &mp_opt, req);
++                      ctx->conn = mptcp_sk_clone_init(listener->conn, &mp_opt, child, req);
+                       if (!ctx->conn)
+                               goto fallback;
+ 
+                       owner = mptcp_sk(ctx->conn);
+-
+-                      /* this can't race with mptcp_close(), as the msk is
+-                       * not yet exposted to user-space
+-                       */
+-                      inet_sk_state_store(ctx->conn, TCP_ESTABLISHED);
+-
+-                      /* record the newly created socket as the first msk
+-                       * subflow, but don't link it yet into conn_list
+-                       */
+-                      WRITE_ONCE(owner->first, child);
+-
+-                      /* new mpc subflow takes ownership of the newly
+-                       * created mptcp socket
+-                       */
+-                      owner->setsockopt_seq = ctx->setsockopt_seq;
+                       mptcp_pm_new_connection(owner, child, 1);
+-                      mptcp_token_accept(subflow_req, owner);
+-
+-                      /* set msk addresses early to ensure mptcp_pm_get_local_id()
+-                       * uses the correct data
+-                       */
+-                      mptcp_copy_inaddrs(ctx->conn, child);
+-                      mptcp_propagate_sndbuf(ctx->conn, child);
+-
+-                      mptcp_rcv_space_init(owner, child);
+-                      list_add(&ctx->node, &owner->conn_list);
+-                      sock_hold(child);
+ 
+                       /* with OoO packets we can reach here without ingress
+                        * mpc option
+-- 
+2.39.2
+

diff --git a/queue-6.1/mptcp-fix-data-race-around-msk-first-access.patch b/queue-6.1/mptcp-fix-data-race-around-msk-first-access.patch
new file mode 100644 (file)
index 0000000..0b87410
--- /dev/null
+++ b/queue-6.1/mptcp-fix-data-race-around-msk-first-access.patch
@@ -0,0 +1,57 @@
+From 8e4e875ae3a2ee2e9854abd5b2b69e4deacc4788 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 12:37:06 -0700
+Subject: mptcp: fix data race around msk->first access
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 1b1b43ee7a208096ecd79e626f2fc90d4a321111 ]
+
+The first subflow socket is accessed outside the msk socket lock
+by mptcp_subflow_fail(), we need to annotate each write access
+with WRITE_ONCE, but a few spots still lacks it.
+
+Fixes: 76a13b315709 ("mptcp: invoke MP_FAIL response when needed")
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 6f6b65d3eed1a..f4206001e2fe5 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -111,7 +111,7 @@ static int __mptcp_socket_create(struct mptcp_sock *msk)
+       if (err)
+               return err;
+ 
+-      msk->first = ssock->sk;
++      WRITE_ONCE(msk->first, ssock->sk);
+       WRITE_ONCE(msk->subflow, ssock);
+       subflow = mptcp_subflow_ctx(ssock->sk);
+       list_add(&subflow->node, &msk->conn_list);
+@@ -2405,7 +2405,7 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk,
+       sock_put(ssk);
+ 
+       if (ssk == msk->first)
+-              msk->first = NULL;
++              WRITE_ONCE(msk->first, NULL);
+ 
+ out:
+       if (ssk == msk->last_snd)
+@@ -2706,7 +2706,7 @@ static int __mptcp_init_sock(struct sock *sk)
+       WRITE_ONCE(msk->rmem_released, 0);
+       msk->timer_ival = TCP_RTO_MIN;
+ 
+-      msk->first = NULL;
++      WRITE_ONCE(msk->first, NULL);
+       inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss;
+       WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk)));
+       WRITE_ONCE(msk->allow_infinite_fallback, true);
+-- 
+2.39.2
+

diff --git a/queue-6.1/mptcp-simplify-subflow_syn_recv_sock.patch b/queue-6.1/mptcp-simplify-subflow_syn_recv_sock.patch
new file mode 100644 (file)
index 0000000..3847c59
--- /dev/null
+++ b/queue-6.1/mptcp-simplify-subflow_syn_recv_sock.patch
@@ -0,0 +1,134 @@
+From a8a486dd862eb4346ee4bd97e8bdccb54f2019d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Mar 2023 12:22:22 +0200
+Subject: mptcp: simplify subflow_syn_recv_sock()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit a88d0092b24b8cddce57fe0e88e60a9e29e0b515 ]
+
+Postpone the msk cloning to the child process creation
+so that we can avoid a bunch of conditionals.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/61
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 7e8b88ec35ee ("mptcp: consolidate passive msk socket initialization")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/subflow.c | 41 +++++++++++++----------------------------
+ 1 file changed, 13 insertions(+), 28 deletions(-)
+
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index 4995a6281ea16..276e62003631e 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -633,14 +633,6 @@ static bool subflow_hmac_valid(const struct request_sock *req,
+       return !crypto_memneq(hmac, mp_opt->hmac, MPTCPOPT_HMAC_LEN);
+ }
+ 
+-static void mptcp_force_close(struct sock *sk)
+-{
+-      /* the msk is not yet exposed to user-space, and refcount is 2 */
+-      inet_sk_state_store(sk, TCP_CLOSE);
+-      sk_common_release(sk);
+-      sock_put(sk);
+-}
+-
+ static void subflow_ulp_fallback(struct sock *sk,
+                                struct mptcp_subflow_context *old_ctx)
+ {
+@@ -693,7 +685,6 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+       struct mptcp_subflow_request_sock *subflow_req;
+       struct mptcp_options_received mp_opt;
+       bool fallback, fallback_is_fatal;
+-      struct sock *new_msk = NULL;
+       struct mptcp_sock *owner;
+       struct sock *child;
+ 
+@@ -722,14 +713,9 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+                * options.
+                */
+               mptcp_get_options(skb, &mp_opt);
+-              if (!(mp_opt.suboptions & OPTIONS_MPTCP_MPC)) {
++              if (!(mp_opt.suboptions & OPTIONS_MPTCP_MPC))
+                       fallback = true;
+-                      goto create_child;
+-              }
+ 
+-              new_msk = mptcp_sk_clone(listener->conn, &mp_opt, req);
+-              if (!new_msk)
+-                      fallback = true;
+       } else if (subflow_req->mp_join) {
+               mptcp_get_options(skb, &mp_opt);
+               if (!(mp_opt.suboptions & OPTIONS_MPTCP_MPJ) ||
+@@ -758,21 +744,23 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+                               subflow_add_reset_reason(skb, MPTCP_RST_EMPTCP);
+                               goto dispose_child;
+                       }
+-
+-                      mptcp_subflow_drop_ctx(child);
+-                      goto out;
++                      goto fallback;
+               }
+ 
+               /* ssk inherits options of listener sk */
+               ctx->setsockopt_seq = listener->setsockopt_seq;
+ 
+               if (ctx->mp_capable) {
+-                      owner = mptcp_sk(new_msk);
++                      ctx->conn = mptcp_sk_clone(listener->conn, &mp_opt, req);
++                      if (!ctx->conn)
++                              goto fallback;
++
++                      owner = mptcp_sk(ctx->conn);
+ 
+                       /* this can't race with mptcp_close(), as the msk is
+                        * not yet exposted to user-space
+                        */
+-                      inet_sk_state_store((void *)new_msk, TCP_ESTABLISHED);
++                      inet_sk_state_store(ctx->conn, TCP_ESTABLISHED);
+ 
+                       /* record the newly created socket as the first msk
+                        * subflow, but don't link it yet into conn_list
+@@ -782,11 +770,9 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+                       /* new mpc subflow takes ownership of the newly
+                        * created mptcp socket
+                        */
+-                      mptcp_sk(new_msk)->setsockopt_seq = ctx->setsockopt_seq;
++                      owner->setsockopt_seq = ctx->setsockopt_seq;
+                       mptcp_pm_new_connection(owner, child, 1);
+                       mptcp_token_accept(subflow_req, owner);
+-                      ctx->conn = new_msk;
+-                      new_msk = NULL;
+ 
+                       /* set msk addresses early to ensure mptcp_pm_get_local_id()
+                        * uses the correct data
+@@ -836,11 +822,6 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+               }
+       }
+ 
+-out:
+-      /* dispose of the left over mptcp master, if any */
+-      if (unlikely(new_msk))
+-              mptcp_force_close(new_msk);
+-
+       /* check for expected invariant - should never trigger, just help
+        * catching eariler subtle bugs
+        */
+@@ -858,6 +839,10 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+ 
+       /* The last child reference will be released by the caller */
+       return child;
++
++fallback:
++      mptcp_subflow_drop_ctx(child);
++      return child;
+ }
+ 
+ static struct inet_connection_sock_af_ops subflow_specific __ro_after_init;
+-- 
+2.39.2
+

diff --git a/queue-6.1/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch b/queue-6.1/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch
new file mode 100644 (file)
index 0000000..0cdd62b
--- /dev/null
+++ b/queue-6.1/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch
@@ -0,0 +1,67 @@
+From ffbee70526747602b15116efa6f7599ca5a34a65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 22:21:24 +0200
+Subject: mtd: rawnand: ingenic: fix empty stub helper definitions
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 650a8884a364ff2568b51cde9009cfd43cdae6ad ]
+
+A few functions provide an empty interface definition when
+CONFIG_MTD_NAND_INGENIC_ECC is disabled, but they are accidentally
+defined as global functions in the header:
+
+drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:39:5: error: no previous prototype for 'ingenic_ecc_calculate'
+drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:46:5: error: no previous prototype for 'ingenic_ecc_correct'
+drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:53:6: error: no previous prototype for 'ingenic_ecc_release'
+drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:57:21: error: no previous prototype for 'of_ingenic_ecc_get'
+
+Turn them into 'static inline' definitions instead.
+
+Fixes: 15de8c6efd0e ("mtd: rawnand: ingenic: Separate top-level and SoC specific code")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20230516202133.559488-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/ingenic/ingenic_ecc.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h b/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h
+index 2cda439b5e11b..017868f59f222 100644
+--- a/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h
++++ b/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h
+@@ -36,25 +36,25 @@ int ingenic_ecc_correct(struct ingenic_ecc *ecc,
+ void ingenic_ecc_release(struct ingenic_ecc *ecc);
+ struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np);
+ #else /* CONFIG_MTD_NAND_INGENIC_ECC */
+-int ingenic_ecc_calculate(struct ingenic_ecc *ecc,
++static inline int ingenic_ecc_calculate(struct ingenic_ecc *ecc,
+                         struct ingenic_ecc_params *params,
+                         const u8 *buf, u8 *ecc_code)
+ {
+       return -ENODEV;
+ }
+ 
+-int ingenic_ecc_correct(struct ingenic_ecc *ecc,
++static inline int ingenic_ecc_correct(struct ingenic_ecc *ecc,
+                       struct ingenic_ecc_params *params, u8 *buf,
+                       u8 *ecc_code)
+ {
+       return -ENODEV;
+ }
+ 
+-void ingenic_ecc_release(struct ingenic_ecc *ecc)
++static inline void ingenic_ecc_release(struct ingenic_ecc *ecc)
+ {
+ }
+ 
+-struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np)
++static inline struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np)
+ {
+       return ERR_PTR(-ENODEV);
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch b/queue-6.1/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch
new file mode 100644 (file)
index 0000000..e3c8af9
--- /dev/null
+++ b/queue-6.1/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch
@@ -0,0 +1,44 @@
+From 540e2e9272a1dcf4749780da3339e61b67980e79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 12:31:53 +1200
+Subject: mtd: rawnand: marvell: don't set the NAND frequency select
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+[ Upstream commit c4d28e30a8d0b979e4029465ab8f312ab6ce2644 ]
+
+marvell_nfc_setup_interface() uses the frequency retrieved from the
+clock associated with the nand interface to determine the timings that
+will be used. By changing the NAND frequency select without reflecting
+this in the clock configuration this means that the timings calculated
+don't correctly meet the requirements of the NAND chip. This hasn't been
+an issue up to now because of a different bug that was stopping the
+timings being updated after they were initially set.
+
+Fixes: b25251414f6e ("mtd: rawnand: marvell: Stop implementing ->select_chip()")
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20230525003154.2303012-2-chris.packham@alliedtelesis.co.nz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/marvell_nand.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c
+index 72069a8643563..a57a1501449aa 100644
+--- a/drivers/mtd/nand/raw/marvell_nand.c
++++ b/drivers/mtd/nand/raw/marvell_nand.c
+@@ -2891,10 +2891,6 @@ static int marvell_nfc_init(struct marvell_nfc *nfc)
+               regmap_update_bits(sysctrl_base, GENCONF_CLK_GATING_CTRL,
+                                  GENCONF_CLK_GATING_CTRL_ND_GATE,
+                                  GENCONF_CLK_GATING_CTRL_ND_GATE);
+-
+-              regmap_update_bits(sysctrl_base, GENCONF_ND_CLK_CTRL,
+-                                 GENCONF_ND_CLK_CTRL_EN,
+-                                 GENCONF_ND_CLK_CTRL_EN);
+       }
+ 
+       /* Configure the DMA if appropriate */
+-- 
+2.39.2
+

diff --git a/queue-6.1/mtd-rawnand-marvell-ensure-timing-values-are-written.patch b/queue-6.1/mtd-rawnand-marvell-ensure-timing-values-are-written.patch
new file mode 100644 (file)
index 0000000..f671e8c
--- /dev/null
+++ b/queue-6.1/mtd-rawnand-marvell-ensure-timing-values-are-written.patch
@@ -0,0 +1,43 @@
+From 2dbaa9d517dc1e3d1fd2e657c9f8399542f2691f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 12:31:52 +1200
+Subject: mtd: rawnand: marvell: ensure timing values are written
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+[ Upstream commit 8a6f4d346f3bad9c68b4a87701eb3f7978542d57 ]
+
+When new timing values are calculated in marvell_nfc_setup_interface()
+ensure that they will be applied in marvell_nfc_select_target() by
+clearing the selected_chip pointer.
+
+Fixes: b25251414f6e ("mtd: rawnand: marvell: Stop implementing ->select_chip()")
+Suggested-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20230525003154.2303012-1-chris.packham@alliedtelesis.co.nz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/marvell_nand.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c
+index b9d1e96e33345..72069a8643563 100644
+--- a/drivers/mtd/nand/raw/marvell_nand.c
++++ b/drivers/mtd/nand/raw/marvell_nand.c
+@@ -2449,6 +2449,12 @@ static int marvell_nfc_setup_interface(struct nand_chip *chip, int chipnr,
+                       NDTR1_WAIT_MODE;
+       }
+ 
++      /*
++       * Reset nfc->selected_chip so the next command will cause the timing
++       * registers to be updated in marvell_nfc_select_target().
++       */
++      nfc->selected_chip = NULL;
++
+       return 0;
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/nbd-fix-debugfs_create_dir-error-checking.patch b/queue-6.1/nbd-fix-debugfs_create_dir-error-checking.patch
new file mode 100644 (file)
index 0000000..354ae3d
--- /dev/null
+++ b/queue-6.1/nbd-fix-debugfs_create_dir-error-checking.patch
@@ -0,0 +1,46 @@
+From 30858067bee382cbcede3dcbee1a90f6aad05eee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 17:05:32 +0400
+Subject: nbd: Fix debugfs_create_dir error checking
+
+From: Ivan Orlov <ivan.orlov0322@gmail.com>
+
+[ Upstream commit 4913cfcf014c95f0437db2df1734472fd3e15098 ]
+
+The debugfs_create_dir function returns ERR_PTR in case of error, and the
+only correct way to check if an error occurred is 'IS_ERR' inline function.
+This patch will replace the null-comparison with IS_ERR.
+
+Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
+Link: https://lore.kernel.org/r/20230512130533.98709-1-ivan.orlov0322@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 888a6abb50f53..7718c81e1dba8 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1665,7 +1665,7 @@ static int nbd_dev_dbg_init(struct nbd_device *nbd)
+               return -EIO;
+ 
+       dir = debugfs_create_dir(nbd_name(nbd), nbd_dbg_dir);
+-      if (!dir) {
++      if (IS_ERR(dir)) {
+               dev_err(nbd_to_dev(nbd), "Failed to create debugfs dir for '%s'\n",
+                       nbd_name(nbd));
+               return -EIO;
+@@ -1691,7 +1691,7 @@ static int nbd_dbg_init(void)
+       struct dentry *dbg_dir;
+ 
+       dbg_dir = debugfs_create_dir("nbd", NULL);
+-      if (!dbg_dir)
++      if (IS_ERR(dbg_dir))
+               return -EIO;
+ 
+       nbd_dbg_dir = dbg_dir;
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-add-gso_ipv4_max_size-and-gro_ipv4_max_size-per-.patch b/queue-6.1/net-add-gso_ipv4_max_size-and-gro_ipv4_max_size-per-.patch
new file mode 100644 (file)
index 0000000..2914588
--- /dev/null
+++ b/queue-6.1/net-add-gso_ipv4_max_size-and-gro_ipv4_max_size-per-.patch
@@ -0,0 +1,218 @@
+From 1b6476dd699424b28a16a280bb327df8cdc65580 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jan 2023 10:58:38 -0500
+Subject: net: add gso_ipv4_max_size and gro_ipv4_max_size per device
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 9eefedd58ae1daece2ba907849a44db2941fb4b0 ]
+
+This patch introduces gso_ipv4_max_size and gro_ipv4_max_size
+per device and adds netlink attributes for them, so that IPV4
+BIG TCP can be guarded by a separate tunable in the next patch.
+
+To not break the old application using "gso/gro_max_size" for
+IPv4 GSO packets, this patch updates "gso/gro_ipv4_max_size"
+in netif_set_gso/gro_max_size() if the new size isn't greater
+than GSO_LEGACY_MAX_SIZE, so that nothing will change even if
+userspace doesn't realize the new netlink attributes.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: fef5b228dd38 ("rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdevice.h    |  6 ++++++
+ include/uapi/linux/if_link.h |  3 +++
+ net/core/dev.c               |  4 ++++
+ net/core/dev.h               | 18 ++++++++++++++++++
+ net/core/rtnetlink.c         | 33 +++++++++++++++++++++++++++++++++
+ 5 files changed, 64 insertions(+)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 1f8e1cff035da..6d6ae5b1b681d 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1960,6 +1960,8 @@ enum netdev_ml_priv_type {
+  *    @gso_max_segs:  Maximum number of segments that can be passed to the
+  *                    NIC for GSO
+  *    @tso_max_segs:  Device (as in HW) limit on the max TSO segment count
++ *    @gso_ipv4_max_size:     Maximum size of generic segmentation offload,
++ *                            for IPv4.
+  *
+  *    @dcbnl_ops:     Data Center Bridging netlink ops
+  *    @num_tc:        Number of traffic classes in the net device
+@@ -2000,6 +2002,8 @@ enum netdev_ml_priv_type {
+  *                    keep a list of interfaces to be deleted.
+  *    @gro_max_size:  Maximum size of aggregated packet in generic
+  *                    receive offload (GRO)
++ *    @gro_ipv4_max_size:     Maximum size of aggregated packet in generic
++ *                            receive offload (GRO), for IPv4.
+  *
+  *    @dev_addr_shadow:       Copy of @dev_addr to catch direct writes.
+  *    @linkwatch_dev_tracker: refcount tracker used by linkwatch.
+@@ -2202,6 +2206,7 @@ struct net_device {
+  */
+ #define GRO_MAX_SIZE          (8 * 65535u)
+       unsigned int            gro_max_size;
++      unsigned int            gro_ipv4_max_size;
+       rx_handler_func_t __rcu *rx_handler;
+       void __rcu              *rx_handler_data;
+ 
+@@ -2325,6 +2330,7 @@ struct net_device {
+       u16                     gso_max_segs;
+ #define TSO_MAX_SEGS          U16_MAX
+       u16                     tso_max_segs;
++      unsigned int            gso_ipv4_max_size;
+ 
+ #ifdef CONFIG_DCB
+       const struct dcbnl_rtnl_ops *dcbnl_ops;
+diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
+index 9af9da1db4e84..134b86568087c 100644
+--- a/include/uapi/linux/if_link.h
++++ b/include/uapi/linux/if_link.h
+@@ -374,6 +374,9 @@ enum {
+ 
+       IFLA_DEVLINK_PORT,
+ 
++      IFLA_GSO_IPV4_MAX_SIZE,
++      IFLA_GRO_IPV4_MAX_SIZE,
++
+       __IFLA_MAX
+ };
+ 
+diff --git a/net/core/dev.c b/net/core/dev.c
+index ba9a0c1a4c505..a633a9bf9329f 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3010,6 +3010,8 @@ void netif_set_tso_max_size(struct net_device *dev, unsigned int size)
+       dev->tso_max_size = min(GSO_MAX_SIZE, size);
+       if (size < READ_ONCE(dev->gso_max_size))
+               netif_set_gso_max_size(dev, size);
++      if (size < READ_ONCE(dev->gso_ipv4_max_size))
++              netif_set_gso_ipv4_max_size(dev, size);
+ }
+ EXPORT_SYMBOL(netif_set_tso_max_size);
+ 
+@@ -10612,6 +10614,8 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
+       dev->gso_max_size = GSO_LEGACY_MAX_SIZE;
+       dev->gso_max_segs = GSO_MAX_SEGS;
+       dev->gro_max_size = GRO_LEGACY_MAX_SIZE;
++      dev->gso_ipv4_max_size = GSO_LEGACY_MAX_SIZE;
++      dev->gro_ipv4_max_size = GRO_LEGACY_MAX_SIZE;
+       dev->tso_max_size = TSO_LEGACY_MAX_SIZE;
+       dev->tso_max_segs = TSO_MAX_SEGS;
+       dev->upper_level = 1;
+diff --git a/net/core/dev.h b/net/core/dev.h
+index cbb8a925175a2..bd6584fcaf524 100644
+--- a/net/core/dev.h
++++ b/net/core/dev.h
+@@ -93,6 +93,8 @@ static inline void netif_set_gso_max_size(struct net_device *dev,
+ {
+       /* dev->gso_max_size is read locklessly from sk_setup_caps() */
+       WRITE_ONCE(dev->gso_max_size, size);
++      if (size <= GSO_LEGACY_MAX_SIZE)
++              WRITE_ONCE(dev->gso_ipv4_max_size, size);
+ }
+ 
+ static inline void netif_set_gso_max_segs(struct net_device *dev,
+@@ -107,6 +109,22 @@ static inline void netif_set_gro_max_size(struct net_device *dev,
+ {
+       /* This pairs with the READ_ONCE() in skb_gro_receive() */
+       WRITE_ONCE(dev->gro_max_size, size);
++      if (size <= GRO_LEGACY_MAX_SIZE)
++              WRITE_ONCE(dev->gro_ipv4_max_size, size);
++}
++
++static inline void netif_set_gso_ipv4_max_size(struct net_device *dev,
++                                             unsigned int size)
++{
++      /* dev->gso_ipv4_max_size is read locklessly from sk_setup_caps() */
++      WRITE_ONCE(dev->gso_ipv4_max_size, size);
++}
++
++static inline void netif_set_gro_ipv4_max_size(struct net_device *dev,
++                                             unsigned int size)
++{
++      /* This pairs with the READ_ONCE() in skb_gro_receive() */
++      WRITE_ONCE(dev->gro_ipv4_max_size, size);
+ }
+ 
+ #endif
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index d3727d9151c2a..027275235858b 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1074,6 +1074,8 @@ static noinline size_t if_nlmsg_size(const struct net_device *dev,
+              + nla_total_size(4) /* IFLA_GSO_MAX_SEGS */
+              + nla_total_size(4) /* IFLA_GSO_MAX_SIZE */
+              + nla_total_size(4) /* IFLA_GRO_MAX_SIZE */
++             + nla_total_size(4) /* IFLA_GSO_IPV4_MAX_SIZE */
++             + nla_total_size(4) /* IFLA_GRO_IPV4_MAX_SIZE */
+              + nla_total_size(4) /* IFLA_TSO_MAX_SIZE */
+              + nla_total_size(4) /* IFLA_TSO_MAX_SEGS */
+              + nla_total_size(1) /* IFLA_OPERSTATE */
+@@ -1807,6 +1809,8 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb,
+           nla_put_u32(skb, IFLA_GSO_MAX_SEGS, dev->gso_max_segs) ||
+           nla_put_u32(skb, IFLA_GSO_MAX_SIZE, dev->gso_max_size) ||
+           nla_put_u32(skb, IFLA_GRO_MAX_SIZE, dev->gro_max_size) ||
++          nla_put_u32(skb, IFLA_GSO_IPV4_MAX_SIZE, dev->gso_ipv4_max_size) ||
++          nla_put_u32(skb, IFLA_GRO_IPV4_MAX_SIZE, dev->gro_ipv4_max_size) ||
+           nla_put_u32(skb, IFLA_TSO_MAX_SIZE, dev->tso_max_size) ||
+           nla_put_u32(skb, IFLA_TSO_MAX_SEGS, dev->tso_max_segs) ||
+ #ifdef CONFIG_RPS
+@@ -1968,6 +1972,8 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
+       [IFLA_TSO_MAX_SIZE]     = { .type = NLA_REJECT },
+       [IFLA_TSO_MAX_SEGS]     = { .type = NLA_REJECT },
+       [IFLA_ALLMULTI]         = { .type = NLA_REJECT },
++      [IFLA_GSO_IPV4_MAX_SIZE]        = { .type = NLA_U32 },
++      [IFLA_GRO_IPV4_MAX_SIZE]        = { .type = NLA_U32 },
+ };
+ 
+ static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
+@@ -2883,6 +2889,29 @@ static int do_setlink(const struct sk_buff *skb,
+               }
+       }
+ 
++      if (tb[IFLA_GSO_IPV4_MAX_SIZE]) {
++              u32 max_size = nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]);
++
++              if (max_size > dev->tso_max_size) {
++                      err = -EINVAL;
++                      goto errout;
++              }
++
++              if (dev->gso_ipv4_max_size ^ max_size) {
++                      netif_set_gso_ipv4_max_size(dev, max_size);
++                      status |= DO_SETLINK_MODIFIED;
++              }
++      }
++
++      if (tb[IFLA_GRO_IPV4_MAX_SIZE]) {
++              u32 gro_max_size = nla_get_u32(tb[IFLA_GRO_IPV4_MAX_SIZE]);
++
++              if (dev->gro_ipv4_max_size ^ gro_max_size) {
++                      netif_set_gro_ipv4_max_size(dev, gro_max_size);
++                      status |= DO_SETLINK_MODIFIED;
++              }
++      }
++
+       if (tb[IFLA_OPERSTATE])
+               set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+ 
+@@ -3329,6 +3358,10 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname,
+               netif_set_gso_max_segs(dev, nla_get_u32(tb[IFLA_GSO_MAX_SEGS]));
+       if (tb[IFLA_GRO_MAX_SIZE])
+               netif_set_gro_max_size(dev, nla_get_u32(tb[IFLA_GRO_MAX_SIZE]));
++      if (tb[IFLA_GSO_IPV4_MAX_SIZE])
++              netif_set_gso_ipv4_max_size(dev, nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]));
++      if (tb[IFLA_GRO_IPV4_MAX_SIZE])
++              netif_set_gro_ipv4_max_size(dev, nla_get_u32(tb[IFLA_GRO_IPV4_MAX_SIZE]));
+ 
+       return dev;
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-devlink-convert-devlink-port-type-specific-point.patch b/queue-6.1/net-devlink-convert-devlink-port-type-specific-point.patch
new file mode 100644 (file)
index 0000000..33bf358
--- /dev/null
+++ b/queue-6.1/net-devlink-convert-devlink-port-type-specific-point.patch
@@ -0,0 +1,100 @@
+From a3f6c7f0c515b5aedcd5e76921eb427033780600 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:01:59 +0100
+Subject: net: devlink: convert devlink port type-specific pointers to union
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 3830c5719af66fac9849cf5fb04b03d4e4bb46ff ]
+
+Instead of storing type_dev as a void pointer, convert it to union and
+use it to store either struct net_device or struct ib_device pointer.
+
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: fef5b228dd38 ("rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/devlink.h | 13 ++++++++++---
+ net/core/devlink.c    | 17 +++++++++++++----
+ 2 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/devlink.h b/include/net/devlink.h
+index ba6b8b0949432..6c55aabaedf19 100644
+--- a/include/net/devlink.h
++++ b/include/net/devlink.h
+@@ -121,12 +121,19 @@ struct devlink_port {
+       struct list_head region_list;
+       struct devlink *devlink;
+       unsigned int index;
+-      spinlock_t type_lock; /* Protects type and type_dev
+-                             * pointer consistency.
++      spinlock_t type_lock; /* Protects type and type_eth/ib
++                             * structures consistency.
+                              */
+       enum devlink_port_type type;
+       enum devlink_port_type desired_type;
+-      void *type_dev;
++      union {
++              struct {
++                      struct net_device *netdev;
++              } type_eth;
++              struct {
++                      struct ib_device *ibdev;
++              } type_ib;
++      };
+       struct devlink_port_attrs attrs;
+       u8 attrs_set:1,
+          switch_port:1,
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index 2aa77d4b80d0a..4f95987e02234 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -1303,7 +1303,7 @@ static int devlink_nl_port_fill(struct sk_buff *msg,
+               goto nla_put_failure_type_locked;
+       if (devlink_port->type == DEVLINK_PORT_TYPE_ETH) {
+               struct net *net = devlink_net(devlink_port->devlink);
+-              struct net_device *netdev = devlink_port->type_dev;
++              struct net_device *netdev = devlink_port->type_eth.netdev;
+ 
+               if (netdev && net_eq(net, dev_net(netdev)) &&
+                   (nla_put_u32(msg, DEVLINK_ATTR_PORT_NETDEV_IFINDEX,
+@@ -1313,7 +1313,7 @@ static int devlink_nl_port_fill(struct sk_buff *msg,
+                       goto nla_put_failure_type_locked;
+       }
+       if (devlink_port->type == DEVLINK_PORT_TYPE_IB) {
+-              struct ib_device *ibdev = devlink_port->type_dev;
++              struct ib_device *ibdev = devlink_port->type_ib.ibdev;
+ 
+               if (ibdev &&
+                   nla_put_string(msg, DEVLINK_ATTR_PORT_IBDEV_NAME,
+@@ -10006,7 +10006,16 @@ static void __devlink_port_type_set(struct devlink_port *devlink_port,
+       devlink_port_type_warn_cancel(devlink_port);
+       spin_lock_bh(&devlink_port->type_lock);
+       devlink_port->type = type;
+-      devlink_port->type_dev = type_dev;
++      switch (type) {
++      case DEVLINK_PORT_TYPE_ETH:
++              devlink_port->type_eth.netdev = type_dev;
++              break;
++      case DEVLINK_PORT_TYPE_IB:
++              devlink_port->type_ib.ibdev = type_dev;
++              break;
++      default:
++              break;
++      }
+       spin_unlock_bh(&devlink_port->type_lock);
+       devlink_port_notify(devlink_port, DEVLINK_CMD_PORT_NEW);
+ }
+@@ -12021,7 +12030,7 @@ devlink_trap_report_metadata_set(struct devlink_trap_metadata *metadata,
+ 
+       spin_lock(&in_devlink_port->type_lock);
+       if (in_devlink_port->type == DEVLINK_PORT_TYPE_ETH)
+-              metadata->input_dev = in_devlink_port->type_dev;
++              metadata->input_dev = in_devlink_port->type_eth.netdev;
+       spin_unlock(&in_devlink_port->type_lock);
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-devlink-move-port_type_netdev_checks-call-to-__d.patch b/queue-6.1/net-devlink-move-port_type_netdev_checks-call-to-__d.patch
new file mode 100644 (file)
index 0000000..04f17e3
--- /dev/null
+++ b/queue-6.1/net-devlink-move-port_type_netdev_checks-call-to-__d.patch
@@ -0,0 +1,113 @@
+From 6c123dd21384cb6ba0ea718cdc92231237ad2624 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:02:01 +0100
+Subject: net: devlink: move port_type_netdev_checks() call to
+ __devlink_port_type_set()
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 45791e0d00c445936bb19535fe847083b1edd26d ]
+
+As __devlink_port_type_set() is going to be called directly from netdevice
+notifier event handle in one of the follow-up patches, move the
+port_type_netdev_checks() call there.
+
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: fef5b228dd38 ("rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/devlink.c | 63 ++++++++++++++++++++++++----------------------
+ 1 file changed, 33 insertions(+), 30 deletions(-)
+
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index 8a8d838c53cfa..7d7fc61a62553 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -9997,33 +9997,6 @@ void devlink_port_unregister(struct devlink_port *devlink_port)
+ }
+ EXPORT_SYMBOL_GPL(devlink_port_unregister);
+ 
+-static void __devlink_port_type_set(struct devlink_port *devlink_port,
+-                                  enum devlink_port_type type,
+-                                  void *type_dev)
+-{
+-      ASSERT_DEVLINK_PORT_REGISTERED(devlink_port);
+-
+-      if (type == DEVLINK_PORT_TYPE_NOTSET)
+-              devlink_port_type_warn_schedule(devlink_port);
+-      else
+-              devlink_port_type_warn_cancel(devlink_port);
+-
+-      spin_lock_bh(&devlink_port->type_lock);
+-      devlink_port->type = type;
+-      switch (type) {
+-      case DEVLINK_PORT_TYPE_ETH:
+-              devlink_port->type_eth.netdev = type_dev;
+-              break;
+-      case DEVLINK_PORT_TYPE_IB:
+-              devlink_port->type_ib.ibdev = type_dev;
+-              break;
+-      default:
+-              break;
+-      }
+-      spin_unlock_bh(&devlink_port->type_lock);
+-      devlink_port_notify(devlink_port, DEVLINK_CMD_PORT_NEW);
+-}
+-
+ static void devlink_port_type_netdev_checks(struct devlink_port *devlink_port,
+                                           struct net_device *netdev)
+ {
+@@ -10061,6 +10034,38 @@ static void devlink_port_type_netdev_checks(struct devlink_port *devlink_port,
+       }
+ }
+ 
++static void __devlink_port_type_set(struct devlink_port *devlink_port,
++                                  enum devlink_port_type type,
++                                  void *type_dev)
++{
++      struct net_device *netdev = type_dev;
++
++      ASSERT_DEVLINK_PORT_REGISTERED(devlink_port);
++
++      if (type == DEVLINK_PORT_TYPE_NOTSET) {
++              devlink_port_type_warn_schedule(devlink_port);
++      } else {
++              devlink_port_type_warn_cancel(devlink_port);
++              if (type == DEVLINK_PORT_TYPE_ETH && netdev)
++                      devlink_port_type_netdev_checks(devlink_port, netdev);
++      }
++
++      spin_lock_bh(&devlink_port->type_lock);
++      devlink_port->type = type;
++      switch (type) {
++      case DEVLINK_PORT_TYPE_ETH:
++              devlink_port->type_eth.netdev = netdev;
++              break;
++      case DEVLINK_PORT_TYPE_IB:
++              devlink_port->type_ib.ibdev = type_dev;
++              break;
++      default:
++              break;
++      }
++      spin_unlock_bh(&devlink_port->type_lock);
++      devlink_port_notify(devlink_port, DEVLINK_CMD_PORT_NEW);
++}
++
+ /**
+  *    devlink_port_type_eth_set - Set port type to Ethernet
+  *
+@@ -10070,9 +10075,7 @@ static void devlink_port_type_netdev_checks(struct devlink_port *devlink_port,
+ void devlink_port_type_eth_set(struct devlink_port *devlink_port,
+                              struct net_device *netdev)
+ {
+-      if (netdev)
+-              devlink_port_type_netdev_checks(devlink_port, netdev);
+-      else
++      if (!netdev)
+               dev_warn(devlink_port->devlink->dev,
+                        "devlink port type for port %d set to Ethernet without a software interface reference, device type not supported by the kernel?\n",
+                        devlink_port->index);
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-devlink-move-port_type_warn_schedule-call-to-__d.patch b/queue-6.1/net-devlink-move-port_type_warn_schedule-call-to-__d.patch
new file mode 100644 (file)
index 0000000..3c01601
--- /dev/null
+++ b/queue-6.1/net-devlink-move-port_type_warn_schedule-call-to-__d.patch
@@ -0,0 +1,50 @@
+From 30acfeed998f4bfd42d905c2d63c335a6c098697 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:02:00 +0100
+Subject: net: devlink: move port_type_warn_schedule() call to
+ __devlink_port_type_set()
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 8573a04404ddacb2d966eef09bf38b2ad6dbe86f ]
+
+As __devlink_port_type_set() is going to be called directly from netdevice
+notifier event handle in one of the follow-up patches, move the
+port_type_warn_schedule() call there.
+
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: fef5b228dd38 ("rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/devlink.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index 4f95987e02234..8a8d838c53cfa 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -10003,7 +10003,11 @@ static void __devlink_port_type_set(struct devlink_port *devlink_port,
+ {
+       ASSERT_DEVLINK_PORT_REGISTERED(devlink_port);
+ 
+-      devlink_port_type_warn_cancel(devlink_port);
++      if (type == DEVLINK_PORT_TYPE_NOTSET)
++              devlink_port_type_warn_schedule(devlink_port);
++      else
++              devlink_port_type_warn_cancel(devlink_port);
++
+       spin_lock_bh(&devlink_port->type_lock);
+       devlink_port->type = type;
+       switch (type) {
+@@ -10098,7 +10102,6 @@ EXPORT_SYMBOL_GPL(devlink_port_type_ib_set);
+ void devlink_port_type_clear(struct devlink_port *devlink_port)
+ {
+       __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_NOTSET, NULL);
+-      devlink_port_type_warn_schedule(devlink_port);
+ }
+ EXPORT_SYMBOL_GPL(devlink_port_type_clear);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-devlink-take-rtnl-in-port_fill-function-only-if-.patch b/queue-6.1/net-devlink-take-rtnl-in-port_fill-function-only-if-.patch
new file mode 100644 (file)
index 0000000..81b91fb
--- /dev/null
+++ b/queue-6.1/net-devlink-take-rtnl-in-port_fill-function-only-if-.patch
@@ -0,0 +1,181 @@
+From 68d81614aec1851d3e794c9cc8a5ad703d0234ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:02:02 +0100
+Subject: net: devlink: take RTNL in port_fill() function only if it is not
+ held
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit d41c9dbd12745cfc1cb2946cd99016d83c2c5364 ]
+
+Follow-up patch is going to introduce a netdevice notifier event
+processing which is called with RTNL mutex held. Processing of this will
+eventually lead to call to port_notity() and port_fill() which currently
+takes RTNL mutex internally. So as a temporary solution, propagate a
+bool indicating if the mutex is already held. This will go away in one
+of the follow-up patches.
+
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: fef5b228dd38 ("rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/devlink.c | 46 +++++++++++++++++++++++++++++++---------------
+ 1 file changed, 31 insertions(+), 15 deletions(-)
+
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index 7d7fc61a62553..79cfba316438c 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -1278,7 +1278,8 @@ devlink_nl_port_function_attrs_put(struct sk_buff *msg, struct devlink_port *por
+ static int devlink_nl_port_fill(struct sk_buff *msg,
+                               struct devlink_port *devlink_port,
+                               enum devlink_command cmd, u32 portid, u32 seq,
+-                              int flags, struct netlink_ext_ack *extack)
++                              int flags, struct netlink_ext_ack *extack,
++                              bool rtnl_held)
+ {
+       struct devlink *devlink = devlink_port->devlink;
+       void *hdr;
+@@ -1293,7 +1294,8 @@ static int devlink_nl_port_fill(struct sk_buff *msg,
+               goto nla_put_failure;
+ 
+       /* Hold rtnl lock while accessing port's netdev attributes. */
+-      rtnl_lock();
++      if (!rtnl_held)
++              rtnl_lock();
+       spin_lock_bh(&devlink_port->type_lock);
+       if (nla_put_u16(msg, DEVLINK_ATTR_PORT_TYPE, devlink_port->type))
+               goto nla_put_failure_type_locked;
+@@ -1321,7 +1323,8 @@ static int devlink_nl_port_fill(struct sk_buff *msg,
+                       goto nla_put_failure_type_locked;
+       }
+       spin_unlock_bh(&devlink_port->type_lock);
+-      rtnl_unlock();
++      if (!rtnl_held)
++              rtnl_unlock();
+       if (devlink_nl_port_attrs_put(msg, devlink_port))
+               goto nla_put_failure;
+       if (devlink_nl_port_function_attrs_put(msg, devlink_port, extack))
+@@ -1336,14 +1339,15 @@ static int devlink_nl_port_fill(struct sk_buff *msg,
+ 
+ nla_put_failure_type_locked:
+       spin_unlock_bh(&devlink_port->type_lock);
+-      rtnl_unlock();
++      if (!rtnl_held)
++              rtnl_unlock();
+ nla_put_failure:
+       genlmsg_cancel(msg, hdr);
+       return -EMSGSIZE;
+ }
+ 
+-static void devlink_port_notify(struct devlink_port *devlink_port,
+-                              enum devlink_command cmd)
++static void __devlink_port_notify(struct devlink_port *devlink_port,
++                                enum devlink_command cmd, bool rtnl_held)
+ {
+       struct devlink *devlink = devlink_port->devlink;
+       struct sk_buff *msg;
+@@ -1358,7 +1362,8 @@ static void devlink_port_notify(struct devlink_port *devlink_port,
+       if (!msg)
+               return;
+ 
+-      err = devlink_nl_port_fill(msg, devlink_port, cmd, 0, 0, 0, NULL);
++      err = devlink_nl_port_fill(msg, devlink_port, cmd, 0, 0, 0, NULL,
++                                 rtnl_held);
+       if (err) {
+               nlmsg_free(msg);
+               return;
+@@ -1368,6 +1373,12 @@ static void devlink_port_notify(struct devlink_port *devlink_port,
+                               0, DEVLINK_MCGRP_CONFIG, GFP_KERNEL);
+ }
+ 
++static void devlink_port_notify(struct devlink_port *devlink_port,
++                              enum devlink_command cmd)
++{
++      __devlink_port_notify(devlink_port, cmd, false);
++}
++
+ static void devlink_rate_notify(struct devlink_rate *devlink_rate,
+                               enum devlink_command cmd)
+ {
+@@ -1534,7 +1545,7 @@ static int devlink_nl_cmd_port_get_doit(struct sk_buff *skb,
+ 
+       err = devlink_nl_port_fill(msg, devlink_port, DEVLINK_CMD_PORT_NEW,
+                                  info->snd_portid, info->snd_seq, 0,
+-                                 info->extack);
++                                 info->extack, false);
+       if (err) {
+               nlmsg_free(msg);
+               return err;
+@@ -1564,7 +1575,8 @@ static int devlink_nl_cmd_port_get_dumpit(struct sk_buff *msg,
+                                                  DEVLINK_CMD_NEW,
+                                                  NETLINK_CB(cb->skb).portid,
+                                                  cb->nlh->nlmsg_seq,
+-                                                 NLM_F_MULTI, cb->extack);
++                                                 NLM_F_MULTI, cb->extack,
++                                                 false);
+                       if (err) {
+                               devl_unlock(devlink);
+                               devlink_put(devlink);
+@@ -1776,7 +1788,8 @@ static int devlink_port_new_notify(struct devlink *devlink,
+       }
+ 
+       err = devlink_nl_port_fill(msg, devlink_port, DEVLINK_CMD_NEW,
+-                                 info->snd_portid, info->snd_seq, 0, NULL);
++                                 info->snd_portid, info->snd_seq, 0, NULL,
++                                 false);
+       if (err)
+               goto out;
+ 
+@@ -10036,7 +10049,7 @@ static void devlink_port_type_netdev_checks(struct devlink_port *devlink_port,
+ 
+ static void __devlink_port_type_set(struct devlink_port *devlink_port,
+                                   enum devlink_port_type type,
+-                                  void *type_dev)
++                                  void *type_dev, bool rtnl_held)
+ {
+       struct net_device *netdev = type_dev;
+ 
+@@ -10063,7 +10076,7 @@ static void __devlink_port_type_set(struct devlink_port *devlink_port,
+               break;
+       }
+       spin_unlock_bh(&devlink_port->type_lock);
+-      devlink_port_notify(devlink_port, DEVLINK_CMD_PORT_NEW);
++      __devlink_port_notify(devlink_port, DEVLINK_CMD_PORT_NEW, rtnl_held);
+ }
+ 
+ /**
+@@ -10080,7 +10093,8 @@ void devlink_port_type_eth_set(struct devlink_port *devlink_port,
+                        "devlink port type for port %d set to Ethernet without a software interface reference, device type not supported by the kernel?\n",
+                        devlink_port->index);
+ 
+-      __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_ETH, netdev);
++      __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_ETH, netdev,
++                              false);
+ }
+ EXPORT_SYMBOL_GPL(devlink_port_type_eth_set);
+ 
+@@ -10093,7 +10107,8 @@ EXPORT_SYMBOL_GPL(devlink_port_type_eth_set);
+ void devlink_port_type_ib_set(struct devlink_port *devlink_port,
+                             struct ib_device *ibdev)
+ {
+-      __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_IB, ibdev);
++      __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_IB, ibdev,
++                              false);
+ }
+ EXPORT_SYMBOL_GPL(devlink_port_type_ib_set);
+ 
+@@ -10104,7 +10119,8 @@ EXPORT_SYMBOL_GPL(devlink_port_type_ib_set);
+  */
+ void devlink_port_type_clear(struct devlink_port *devlink_port)
+ {
+-      __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_NOTSET, NULL);
++      __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_NOTSET, NULL,
++                              false);
+ }
+ EXPORT_SYMBOL_GPL(devlink_port_type_clear);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-devlink-track-netdev-with-devlink_port-assigned.patch b/queue-6.1/net-devlink-track-netdev-with-devlink_port-assigned.patch
new file mode 100644 (file)
index 0000000..b3ea1de
--- /dev/null
+++ b/queue-6.1/net-devlink-track-netdev-with-devlink_port-assigned.patch
@@ -0,0 +1,249 @@
+From 71fe4bb7e1513846e9be4229e11c805d991d4768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:02:03 +0100
+Subject: net: devlink: track netdev with devlink_port assigned
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 02a68a47eadedf95748facfca6ced31fb0181d52 ]
+
+Currently, ethernet drivers are using devlink_port_type_eth_set() and
+devlink_port_type_clear() to set devlink port type and link to related
+netdev.
+
+Instead of calling them directly, let the driver use
+SET_NETDEV_DEVLINK_PORT macro to assign devlink_port pointer and let
+devlink to track it. Note the devlink port pointer is static during
+the time netdevice is registered.
+
+In devlink code, use per-namespace netdev notifier to track
+the netdevices with devlink_port assigned and change the internal
+devlink_port type and related type pointer accordingly.
+
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: fef5b228dd38 ("rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdevice.h | 19 ++++++++++
+ net/core/dev.c            | 14 +++++---
+ net/core/devlink.c        | 75 ++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 99 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index eac51e22a52a8..1f8e1cff035da 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -2008,6 +2008,11 @@ enum netdev_ml_priv_type {
+  *                                    registered
+  *    @offload_xstats_l3:     L3 HW stats for this netdevice.
+  *
++ *    @devlink_port:  Pointer to related devlink port structure.
++ *                    Assigned by a driver before netdev registration using
++ *                    SET_NETDEV_DEVLINK_PORT macro. This pointer is static
++ *                    during the time netdevice is registered.
++ *
+  *    FIXME: cleanup struct net_device such that network protocol info
+  *    moves out.
+  */
+@@ -2358,9 +2363,22 @@ struct net_device {
+       netdevice_tracker       watchdog_dev_tracker;
+       netdevice_tracker       dev_registered_tracker;
+       struct rtnl_hw_stats64  *offload_xstats_l3;
++
++      struct devlink_port     *devlink_port;
+ };
+ #define to_net_dev(d) container_of(d, struct net_device, dev)
+ 
++/*
++ * Driver should use this to assign devlink port instance to a netdevice
++ * before it registers the netdevice. Therefore devlink_port is static
++ * during the netdev lifetime after it is registered.
++ */
++#define SET_NETDEV_DEVLINK_PORT(dev, port)                    \
++({                                                            \
++      WARN_ON((dev)->reg_state != NETREG_UNINITIALIZED);      \
++      ((dev)->devlink_port = (port));                         \
++})
++
+ static inline bool netif_elide_gro(const struct net_device *dev)
+ {
+       if (!(dev->features & NETIF_F_GRO) || dev->xdp_prog)
+@@ -2795,6 +2813,7 @@ enum netdev_cmd {
+       NETDEV_PRE_TYPE_CHANGE,
+       NETDEV_POST_TYPE_CHANGE,
+       NETDEV_POST_INIT,
++      NETDEV_PRE_UNINIT,
+       NETDEV_RELEASE,
+       NETDEV_NOTIFY_PEERS,
+       NETDEV_JOIN,
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 93d430693ca0f..ba9a0c1a4c505 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1621,10 +1621,10 @@ const char *netdev_cmd_to_name(enum netdev_cmd cmd)
+       N(UP) N(DOWN) N(REBOOT) N(CHANGE) N(REGISTER) N(UNREGISTER)
+       N(CHANGEMTU) N(CHANGEADDR) N(GOING_DOWN) N(CHANGENAME) N(FEAT_CHANGE)
+       N(BONDING_FAILOVER) N(PRE_UP) N(PRE_TYPE_CHANGE) N(POST_TYPE_CHANGE)
+-      N(POST_INIT) N(RELEASE) N(NOTIFY_PEERS) N(JOIN) N(CHANGEUPPER)
+-      N(RESEND_IGMP) N(PRECHANGEMTU) N(CHANGEINFODATA) N(BONDING_INFO)
+-      N(PRECHANGEUPPER) N(CHANGELOWERSTATE) N(UDP_TUNNEL_PUSH_INFO)
+-      N(UDP_TUNNEL_DROP_INFO) N(CHANGE_TX_QUEUE_LEN)
++      N(POST_INIT) N(PRE_UNINIT) N(RELEASE) N(NOTIFY_PEERS) N(JOIN)
++      N(CHANGEUPPER) N(RESEND_IGMP) N(PRECHANGEMTU) N(CHANGEINFODATA)
++      N(BONDING_INFO) N(PRECHANGEUPPER) N(CHANGELOWERSTATE)
++      N(UDP_TUNNEL_PUSH_INFO) N(UDP_TUNNEL_DROP_INFO) N(CHANGE_TX_QUEUE_LEN)
+       N(CVLAN_FILTER_PUSH_INFO) N(CVLAN_FILTER_DROP_INFO)
+       N(SVLAN_FILTER_PUSH_INFO) N(SVLAN_FILTER_DROP_INFO)
+       N(PRE_CHANGEADDR) N(OFFLOAD_XSTATS_ENABLE) N(OFFLOAD_XSTATS_DISABLE)
+@@ -10064,7 +10064,7 @@ int register_netdevice(struct net_device *dev)
+       dev->reg_state = ret ? NETREG_UNREGISTERED : NETREG_REGISTERED;
+       write_unlock(&dev_base_lock);
+       if (ret)
+-              goto err_uninit;
++              goto err_uninit_notify;
+ 
+       __netdev_update_features(dev);
+ 
+@@ -10111,6 +10111,8 @@ int register_netdevice(struct net_device *dev)
+ out:
+       return ret;
+ 
++err_uninit_notify:
++      call_netdevice_notifiers(NETDEV_PRE_UNINIT, dev);
+ err_uninit:
+       if (dev->netdev_ops->ndo_uninit)
+               dev->netdev_ops->ndo_uninit(dev);
+@@ -10857,6 +10859,8 @@ void unregister_netdevice_many(struct list_head *head)
+               netdev_name_node_alt_flush(dev);
+               netdev_name_node_free(dev->name_node);
+ 
++              call_netdevice_notifiers(NETDEV_PRE_UNINIT, dev);
++
+               if (dev->netdev_ops->ndo_uninit)
+                       dev->netdev_ops->ndo_uninit(dev);
+ 
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index 79cfba316438c..4d167d3e84c62 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -71,6 +71,7 @@ struct devlink {
+       refcount_t refcount;
+       struct completion comp;
+       struct rcu_head rcu;
++      struct notifier_block netdevice_nb;
+       char priv[] __aligned(NETDEV_ALIGN);
+ };
+ 
+@@ -9618,6 +9619,9 @@ void devlink_set_features(struct devlink *devlink, u64 features)
+ }
+ EXPORT_SYMBOL_GPL(devlink_set_features);
+ 
++static int devlink_netdevice_event(struct notifier_block *nb,
++                                 unsigned long event, void *ptr);
++
+ /**
+  *    devlink_alloc_ns - Allocate new devlink instance resources
+  *    in specific namespace
+@@ -9648,10 +9652,13 @@ struct devlink *devlink_alloc_ns(const struct devlink_ops *ops,
+ 
+       ret = xa_alloc_cyclic(&devlinks, &devlink->index, devlink, xa_limit_31b,
+                             &last_id, GFP_KERNEL);
+-      if (ret < 0) {
+-              kfree(devlink);
+-              return NULL;
+-      }
++      if (ret < 0)
++              goto err_xa_alloc;
++
++      devlink->netdevice_nb.notifier_call = devlink_netdevice_event;
++      ret = register_netdevice_notifier_net(net, &devlink->netdevice_nb);
++      if (ret)
++              goto err_register_netdevice_notifier;
+ 
+       devlink->dev = dev;
+       devlink->ops = ops;
+@@ -9678,6 +9685,12 @@ struct devlink *devlink_alloc_ns(const struct devlink_ops *ops,
+       init_completion(&devlink->comp);
+ 
+       return devlink;
++
++err_register_netdevice_notifier:
++      xa_erase(&devlinks, devlink->index);
++err_xa_alloc:
++      kfree(devlink);
++      return NULL;
+ }
+ EXPORT_SYMBOL_GPL(devlink_alloc_ns);
+ 
+@@ -9831,6 +9844,10 @@ void devlink_free(struct devlink *devlink)
+       WARN_ON(!list_empty(&devlink->port_list));
+ 
+       xa_destroy(&devlink->snapshot_ids);
++
++      unregister_netdevice_notifier_net(devlink_net(devlink),
++                                        &devlink->netdevice_nb);
++
+       xa_erase(&devlinks, devlink->index);
+ 
+       kfree(devlink);
+@@ -10124,6 +10141,56 @@ void devlink_port_type_clear(struct devlink_port *devlink_port)
+ }
+ EXPORT_SYMBOL_GPL(devlink_port_type_clear);
+ 
++static int devlink_netdevice_event(struct notifier_block *nb,
++                                 unsigned long event, void *ptr)
++{
++      struct net_device *netdev = netdev_notifier_info_to_dev(ptr);
++      struct devlink_port *devlink_port = netdev->devlink_port;
++      struct devlink *devlink;
++
++      devlink = container_of(nb, struct devlink, netdevice_nb);
++
++      if (!devlink_port || devlink_port->devlink != devlink)
++              return NOTIFY_OK;
++
++      switch (event) {
++      case NETDEV_POST_INIT:
++              /* Set the type but not netdev pointer. It is going to be set
++               * later on by NETDEV_REGISTER event. Happens once during
++               * netdevice register
++               */
++              __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_ETH,
++                                      NULL, true);
++              break;
++      case NETDEV_REGISTER:
++              /* Set the netdev on top of previously set type. Note this
++               * event happens also during net namespace change so here
++               * we take into account netdev pointer appearing in this
++               * namespace.
++               */
++              __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_ETH,
++                                      netdev, true);
++              break;
++      case NETDEV_UNREGISTER:
++              /* Clear netdev pointer, but not the type. This event happens
++               * also during net namespace change so we need to clear
++               * pointer to netdev that is going to another net namespace.
++               */
++              __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_ETH,
++                                      NULL, true);
++              break;
++      case NETDEV_PRE_UNINIT:
++              /* Clear the type and the netdev pointer. Happens one during
++               * netdevice unregister.
++               */
++              __devlink_port_type_set(devlink_port, DEVLINK_PORT_TYPE_NOTSET,
++                                      NULL, true);
++              break;
++      }
++
++      return NOTIFY_OK;
++}
++
+ static int __devlink_port_attrs_set(struct devlink_port *devlink_port,
+                                   enum devlink_port_flavour flavour)
+ {
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch b/queue-6.1/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch
new file mode 100644 (file)
index 0000000..5f88228
--- /dev/null
+++ b/queue-6.1/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch
@@ -0,0 +1,45 @@
+From c675045b3970f1ea66ecd5a30b20a197e16ebdb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 16:52:23 +0200
+Subject: net: dsa: mv88e6xxx: Increase wait after reset deactivation
+
+From: Andreas Svensson <andreas.svensson@axis.com>
+
+[ Upstream commit 3c27f3d53d588618d81d30d6712459a3cc9489b8 ]
+
+A switch held in reset by default needs to wait longer until we can
+reliably detect it.
+
+An issue was observed when testing on the Marvell 88E6393X (Link Street).
+The driver failed to detect the switch on some upstarts. Increasing the
+wait time after reset deactivation solves this issue.
+
+The updated wait time is now also the same as the wait time in the
+mv88e6xxx_hardware_reset function.
+
+Fixes: 7b75e49de424 ("net: dsa: mv88e6xxx: wait after reset deactivation")
+Signed-off-by: Andreas Svensson <andreas.svensson@axis.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230530145223.1223993-1-andreas.svensson@axis.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index a8ff6ee6d58e6..4db1652015d1d 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -7067,7 +7067,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
+               goto out;
+       }
+       if (chip->reset)
+-              usleep_range(1000, 2000);
++              usleep_range(10000, 20000);
+ 
+       /* Detect if the device is configured in single chip addressing mode,
+        * otherwise continue with address specific smi init/detection.
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-expose-devlink-port-over-rtnetlink.patch b/queue-6.1/net-expose-devlink-port-over-rtnetlink.patch
new file mode 100644 (file)
index 0000000..645b578
--- /dev/null
+++ b/queue-6.1/net-expose-devlink-port-over-rtnetlink.patch
@@ -0,0 +1,180 @@
+From 96d23a5586e52e38e77bfbb6a937696d0857a85f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:02:11 +0100
+Subject: net: expose devlink port over rtnetlink
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit dca56c3038c34a3e5acfe0aadb1f2bc9d724ae79 ]
+
+Expose devlink port handle related to netdev over rtnetlink. Introduce a
+new nested IFLA attribute to carry the info. Call into devlink code to
+fill-up the nest with existing devlink attributes that are used over
+devlink netlink.
+
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: fef5b228dd38 ("rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/devlink.h        | 14 +++++++++++++
+ include/uapi/linux/if_link.h |  2 ++
+ net/core/devlink.c           | 18 +++++++++++++++++
+ net/core/rtnetlink.c         | 39 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 73 insertions(+)
+
+diff --git a/include/net/devlink.h b/include/net/devlink.h
+index 6c55aabaedf19..ebd678ab5519e 100644
+--- a/include/net/devlink.h
++++ b/include/net/devlink.h
+@@ -1872,6 +1872,9 @@ int devlink_compat_phys_port_name_get(struct net_device *dev,
+ int devlink_compat_switch_id_get(struct net_device *dev,
+                                struct netdev_phys_item_id *ppid);
+ 
++int devlink_nl_port_handle_fill(struct sk_buff *msg, struct devlink_port *devlink_port);
++size_t devlink_nl_port_handle_size(struct devlink_port *devlink_port);
++
+ #else
+ 
+ static inline struct devlink *devlink_try_get(struct devlink *devlink)
+@@ -1908,6 +1911,17 @@ devlink_compat_switch_id_get(struct net_device *dev,
+       return -EOPNOTSUPP;
+ }
+ 
++static inline int
++devlink_nl_port_handle_fill(struct sk_buff *msg, struct devlink_port *devlink_port)
++{
++      return 0;
++}
++
++static inline size_t devlink_nl_port_handle_size(struct devlink_port *devlink_port)
++{
++      return 0;
++}
++
+ #endif
+ 
+ #endif /* _NET_DEVLINK_H_ */
+diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
+index 5e7a1041df3a4..9af9da1db4e84 100644
+--- a/include/uapi/linux/if_link.h
++++ b/include/uapi/linux/if_link.h
+@@ -372,6 +372,8 @@ enum {
+       IFLA_TSO_MAX_SEGS,
+       IFLA_ALLMULTI,          /* Allmulti count: > 0 means acts ALLMULTI */
+ 
++      IFLA_DEVLINK_PORT,
++
+       __IFLA_MAX
+ };
+ 
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index 4d167d3e84c62..fedbea59b5d39 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -880,6 +880,24 @@ static int devlink_nl_put_nested_handle(struct sk_buff *msg, struct devlink *dev
+       return -EMSGSIZE;
+ }
+ 
++int devlink_nl_port_handle_fill(struct sk_buff *msg, struct devlink_port *devlink_port)
++{
++      if (devlink_nl_put_handle(msg, devlink_port->devlink))
++              return -EMSGSIZE;
++      if (nla_put_u32(msg, DEVLINK_ATTR_PORT_INDEX, devlink_port->index))
++              return -EMSGSIZE;
++      return 0;
++}
++
++size_t devlink_nl_port_handle_size(struct devlink_port *devlink_port)
++{
++      struct devlink *devlink = devlink_port->devlink;
++
++      return nla_total_size(strlen(devlink->dev->bus->name) + 1) /* DEVLINK_ATTR_BUS_NAME */
++           + nla_total_size(strlen(dev_name(devlink->dev)) + 1) /* DEVLINK_ATTR_DEV_NAME */
++           + nla_total_size(4); /* DEVLINK_ATTR_PORT_INDEX */
++}
++
+ struct devlink_reload_combination {
+       enum devlink_reload_action action;
+       enum devlink_reload_limit limit;
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index b192c69f3936c..d3727d9151c2a 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -53,6 +53,7 @@
+ #include <net/fib_rules.h>
+ #include <net/rtnetlink.h>
+ #include <net/net_namespace.h>
++#include <net/devlink.h>
+ 
+ #include "dev.h"
+ 
+@@ -1038,6 +1039,16 @@ static size_t rtnl_proto_down_size(const struct net_device *dev)
+       return size;
+ }
+ 
++static size_t rtnl_devlink_port_size(const struct net_device *dev)
++{
++      size_t size = nla_total_size(0); /* nest IFLA_DEVLINK_PORT */
++
++      if (dev->devlink_port)
++              size += devlink_nl_port_handle_size(dev->devlink_port);
++
++      return size;
++}
++
+ static noinline size_t if_nlmsg_size(const struct net_device *dev,
+                                    u32 ext_filter_mask)
+ {
+@@ -1091,6 +1102,7 @@ static noinline size_t if_nlmsg_size(const struct net_device *dev,
+              + nla_total_size(4)  /* IFLA_MAX_MTU */
+              + rtnl_prop_list_size(dev)
+              + nla_total_size(MAX_ADDR_LEN) /* IFLA_PERM_ADDRESS */
++             + rtnl_devlink_port_size(dev)
+              + 0;
+ }
+ 
+@@ -1728,6 +1740,30 @@ static int rtnl_fill_proto_down(struct sk_buff *skb,
+       return -EMSGSIZE;
+ }
+ 
++static int rtnl_fill_devlink_port(struct sk_buff *skb,
++                                const struct net_device *dev)
++{
++      struct nlattr *devlink_port_nest;
++      int ret;
++
++      devlink_port_nest = nla_nest_start(skb, IFLA_DEVLINK_PORT);
++      if (!devlink_port_nest)
++              return -EMSGSIZE;
++
++      if (dev->devlink_port) {
++              ret = devlink_nl_port_handle_fill(skb, dev->devlink_port);
++              if (ret < 0)
++                      goto nest_cancel;
++      }
++
++      nla_nest_end(skb, devlink_port_nest);
++      return 0;
++
++nest_cancel:
++      nla_nest_cancel(skb, devlink_port_nest);
++      return ret;
++}
++
+ static int rtnl_fill_ifinfo(struct sk_buff *skb,
+                           struct net_device *dev, struct net *src_net,
+                           int type, u32 pid, u32 seq, u32 change,
+@@ -1865,6 +1901,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb,
+                          dev->dev.parent->bus->name))
+               goto nla_put_failure;
+ 
++      if (rtnl_fill_devlink_port(skb, dev))
++              goto nla_put_failure;
++
+       nlmsg_end(skb, nlh);
+       return 0;
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch b/queue-6.1/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch
new file mode 100644 (file)
index 0000000..faac38c
--- /dev/null
+++ b/queue-6.1/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch
@@ -0,0 +1,56 @@
+From c2a86628853c9f71e8ec703f0c5738250c69dcb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 21:49:08 +0200
+Subject: net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit d68cb7cf1fd0ef4287bc0ecd1ed0b6ae8e05fc70 ]
+
+Do skb_put() after a new skb has been successfully allocated otherwise
+the reused skb leads to skb_panics or incorrect packet sizes.
+
+Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver")
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230524194908.147145-1-tbogendoerfer@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c    | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c
+index afa3b92a6905f..0d5a41a2ae010 100644
+--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c
++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c
+@@ -245,12 +245,6 @@ static bool mlxbf_gige_rx_packet(struct mlxbf_gige *priv, int *rx_pkts)
+ 
+               skb = priv->rx_skb[rx_pi_rem];
+ 
+-              skb_put(skb, datalen);
+-
+-              skb->ip_summed = CHECKSUM_NONE; /* device did not checksum packet */
+-
+-              skb->protocol = eth_type_trans(skb, netdev);
+-
+               /* Alloc another RX SKB for this same index */
+               rx_skb = mlxbf_gige_alloc_skb(priv, MLXBF_GIGE_DEFAULT_BUF_SZ,
+                                             &rx_buf_dma, DMA_FROM_DEVICE);
+@@ -259,6 +253,13 @@ static bool mlxbf_gige_rx_packet(struct mlxbf_gige *priv, int *rx_pkts)
+               priv->rx_skb[rx_pi_rem] = rx_skb;
+               dma_unmap_single(priv->dev, *rx_wqe_addr,
+                                MLXBF_GIGE_DEFAULT_BUF_SZ, DMA_FROM_DEVICE);
++
++              skb_put(skb, datalen);
++
++              skb->ip_summed = CHECKSUM_NONE; /* device did not checksum packet */
++
++              skb->protocol = eth_type_trans(skb, netdev);
++
+               *rx_wqe_addr = rx_buf_dma;
+       } else if (rx_cqe & MLXBF_GIGE_RX_CQE_PKT_STATUS_MAC_ERR) {
+               priv->stats.rx_mac_errors++;
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-mlx5-drain-health-before-unregistering-devlink.patch b/queue-6.1/net-mlx5-drain-health-before-unregistering-devlink.patch
new file mode 100644 (file)
index 0000000..ac80072
--- /dev/null
+++ b/queue-6.1/net-mlx5-drain-health-before-unregistering-devlink.patch
@@ -0,0 +1,49 @@
+From 4c7f0e3b115cf6e213c08c00809ded66e1a247b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 12:31:59 +0300
+Subject: net/mlx5: Drain health before unregistering devlink
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 824c8dc4a470040bf0e56ba716543839c2498d49 ]
+
+mlx5 health mechanism is using devlink APIs, which are using devlink
+notify APIs. After the cited patch, using devlink notify APIs after
+devlink is unregistered triggers a WARN_ON().
+Hence, drain health WQ before devlink is unregistered.
+
+Fixes: cf530217408e ("devlink: Notify users when objects are accessible")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 91724c5450a05..1a06493da4121 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1753,14 +1753,15 @@ static void remove_one(struct pci_dev *pdev)
+       struct devlink *devlink = priv_to_devlink(dev);
+ 
+       set_bit(MLX5_BREAK_FW_WAIT, &dev->intf_state);
+-      /* mlx5_drain_fw_reset() is using devlink APIs. Hence, we must drain
+-       * fw_reset before unregistering the devlink.
++      /* mlx5_drain_fw_reset() and mlx5_drain_health_wq() are using
++       * devlink notify APIs.
++       * Hence, we must drain them before unregistering the devlink.
+        */
+       mlx5_drain_fw_reset(dev);
++      mlx5_drain_health_wq(dev);
+       devlink_unregister(devlink);
+       mlx5_sriov_disable(pdev);
+       mlx5_crdump_disable(dev);
+-      mlx5_drain_health_wq(dev);
+       mlx5_uninit_one(dev);
+       mlx5_pci_close(dev);
+       mlx5_mdev_uninit(dev);
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-mlx5-fw_tracer-fix-event-handling.patch b/queue-6.1/net-mlx5-fw_tracer-fix-event-handling.patch
new file mode 100644 (file)
index 0000000..d7f6f03
--- /dev/null
+++ b/queue-6.1/net-mlx5-fw_tracer-fix-event-handling.patch
@@ -0,0 +1,40 @@
+From 0fde02ec537169754c47b2eb690385287171033b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Apr 2023 20:41:41 +0300
+Subject: net/mlx5: fw_tracer, Fix event handling
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 341a80de2468f481b1f771683709b5649cbfe513 ]
+
+mlx5 driver needs to parse traces with event_id inside the range of
+first_string_trace and num_string_trace. However, mlx5 is parsing all
+events with event_id >= first_string_trace.
+
+Fix it by checking for the correct range.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index d7b2ee5de1158..c4e40834e3ff9 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -483,7 +483,7 @@ static void poll_trace(struct mlx5_fw_tracer *tracer,
+                               (u64)timestamp_low;
+               break;
+       default:
+-              if (tracer_event->event_id >= tracer->str_db.first_string_trace ||
++              if (tracer_event->event_id >= tracer->str_db.first_string_trace &&
+                   tracer_event->event_id <= tracer->str_db.first_string_trace +
+                                             tracer->str_db.num_string_trace) {
+                       tracer_event->type = TRACER_EVENT_TYPE_STRING;
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch b/queue-6.1/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch
new file mode 100644 (file)
index 0000000..98d467b
--- /dev/null
+++ b/queue-6.1/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch
@@ -0,0 +1,48 @@
+From 809186e8d3bbfd465cdbeb1b7d10c02a4d4f12ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Apr 2023 13:48:13 +0300
+Subject: net/mlx5: Read embedded cpu after init bit cleared
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit bbfa4b58997e3d38ba629c9f6fc0bd1c163aaf43 ]
+
+During driver load it reads embedded_cpu bit from initialization
+segment, but the initialization segment is readable only after
+initialization bit is cleared.
+
+Move the call to mlx5_read_embedded_cpu() right after initialization bit
+cleared.
+
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Fixes: 591905ba9679 ("net/mlx5: Introduce Mellanox SmartNIC and modify page management logic")
+Reviewed-by: Shay Drory <shayd@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 1a06493da4121..077204929fe4a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -896,7 +896,6 @@ static int mlx5_pci_init(struct mlx5_core_dev *dev, struct pci_dev *pdev,
+       }
+ 
+       mlx5_pci_vsc_init(dev);
+-      dev->caps.embedded_cpu = mlx5_read_embedded_cpu(dev);
+       return 0;
+ 
+ err_clr_master:
+@@ -1130,6 +1129,7 @@ static int mlx5_function_setup(struct mlx5_core_dev *dev, bool boot, u64 timeout
+               goto err_cmd_cleanup;
+       }
+ 
++      dev->caps.embedded_cpu = mlx5_read_embedded_cpu(dev);
+       mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_UP);
+ 
+       mlx5_start_health_poll(dev);
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-mlx5-sf-drain-health-before-removing-device.patch b/queue-6.1/net-mlx5-sf-drain-health-before-removing-device.patch
new file mode 100644 (file)
index 0000000..0b0ab21
--- /dev/null
+++ b/queue-6.1/net-mlx5-sf-drain-health-before-removing-device.patch
@@ -0,0 +1,39 @@
+From c99829fb82244879e412ac8148101f457a231d32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 12:46:06 +0300
+Subject: net/mlx5: SF, Drain health before removing device
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit b4646da0573fae9dfa2b8f1f10936cb6eedd7230 ]
+
+There is no point in recovery during device removal. Also, if health
+work started need to wait for it to avoid races and NULL pointer
+access.
+
+Hence, drain health WQ before removing device.
+
+Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
+index a7377619ba6f2..2424cdf9cca99 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
+@@ -63,6 +63,7 @@ static void mlx5_sf_dev_remove(struct auxiliary_device *adev)
+       struct mlx5_sf_dev *sf_dev = container_of(adev, struct mlx5_sf_dev, adev);
+       struct devlink *devlink = priv_to_devlink(sf_dev->mdev);
+ 
++      mlx5_drain_health_wq(sf_dev->mdev);
+       devlink_unregister(devlink);
+       mlx5_uninit_one(sf_dev->mdev);
+       iounmap(sf_dev->mdev->iseg);
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch b/queue-6.1/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch
new file mode 100644 (file)
index 0000000..53ec497
--- /dev/null
+++ b/queue-6.1/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch
@@ -0,0 +1,106 @@
+From a681a5e567fede53c092b2f51b1e8fd97373f056 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 14:39:24 +0300
+Subject: net/mlx5e: Don't attach netdev profile while handling internal error
+
+From: Dmytro Linkin <dlinkin@nvidia.com>
+
+[ Upstream commit bdf274750fca17b289404ef03453c4070725302c ]
+
+As part of switchdev mode disablement, driver changes port netdevice
+profile from uplink to nic. If this process is triggered by health
+recovery flow (PCI reset, for ex.) profile attach would fail because all
+fw commands aborted when internal error flag is set. As a result, nic
+netdevice profile is not attached and driver fails to rollback to uplink
+profile, which leave driver in broken state and cause crash later.
+
+To handle broken state do netdevice profile initialization only instead
+of full attachment and release mdev resources on driver suspend as
+expected. Actual netdevice attachment is done during driver load.
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Dmytro Linkin <dlinkin@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 35 ++++++++++++++++---
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 94d010e2d5efd..4e7daa382bc05 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5745,8 +5745,8 @@ void mlx5e_detach_netdev(struct mlx5e_priv *priv)
+ }
+ 
+ static int
+-mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mdev,
+-                          const struct mlx5e_profile *new_profile, void *new_ppriv)
++mlx5e_netdev_init_profile(struct net_device *netdev, struct mlx5_core_dev *mdev,
++                        const struct mlx5e_profile *new_profile, void *new_ppriv)
+ {
+       struct mlx5e_priv *priv = netdev_priv(netdev);
+       int err;
+@@ -5762,6 +5762,25 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde
+       err = new_profile->init(priv->mdev, priv->netdev);
+       if (err)
+               goto priv_cleanup;
++
++      return 0;
++
++priv_cleanup:
++      mlx5e_priv_cleanup(priv);
++      return err;
++}
++
++static int
++mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mdev,
++                          const struct mlx5e_profile *new_profile, void *new_ppriv)
++{
++      struct mlx5e_priv *priv = netdev_priv(netdev);
++      int err;
++
++      err = mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv);
++      if (err)
++              return err;
++
+       err = mlx5e_attach_netdev(priv);
+       if (err)
+               goto profile_cleanup;
+@@ -5769,7 +5788,6 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde
+ 
+ profile_cleanup:
+       new_profile->cleanup(priv);
+-priv_cleanup:
+       mlx5e_priv_cleanup(priv);
+       return err;
+ }
+@@ -5788,6 +5806,12 @@ int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
+       priv->profile->cleanup(priv);
+       mlx5e_priv_cleanup(priv);
+ 
++      if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
++              mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv);
++              set_bit(MLX5E_STATE_DESTROYING, &priv->state);
++              return -EIO;
++      }
++
+       err = mlx5e_netdev_attach_profile(netdev, mdev, new_profile, new_ppriv);
+       if (err) { /* roll back to original profile */
+               netdev_warn(netdev, "%s: new profile init failed, %d\n", __func__, err);
+@@ -5847,8 +5871,11 @@ static int mlx5e_suspend(struct auxiliary_device *adev, pm_message_t state)
+       struct net_device *netdev = priv->netdev;
+       struct mlx5_core_dev *mdev = priv->mdev;
+ 
+-      if (!netif_device_present(netdev))
++      if (!netif_device_present(netdev)) {
++              if (test_bit(MLX5E_STATE_DESTROYING, &priv->state))
++                      mlx5e_destroy_mdev_resources(mdev);
+               return -ENODEV;
++      }
+ 
+       mlx5e_detach_netdev(priv);
+       mlx5e_destroy_mdev_resources(mdev);
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch b/queue-6.1/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch
new file mode 100644 (file)
index 0000000..b8c8edf
--- /dev/null
+++ b/queue-6.1/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch
@@ -0,0 +1,58 @@
+From d89afac00c43b3d486b6d2eb7fafe6789cb83095 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 23:07:08 -0700
+Subject: net/mlx5e: Fix error handling in mlx5e_refresh_tirs
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit b6193d7030e3c59f1d4c75648c9c8fa40cad2bcd ]
+
+Allocation failure is outside the critical lock section and should
+return immediately rather than jumping to the unlock section.
+
+Also unlock as soon as required and remove the now redundant jump label.
+
+Fixes: 80a2a9026b24 ("net/mlx5e: Add a lock on tir list")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
+index 68f19324db93c..03a99918a8942 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
+@@ -139,10 +139,8 @@ int mlx5e_refresh_tirs(struct mlx5e_priv *priv, bool enable_uc_lb,
+ 
+       inlen = MLX5_ST_SZ_BYTES(modify_tir_in);
+       in = kvzalloc(inlen, GFP_KERNEL);
+-      if (!in) {
+-              err = -ENOMEM;
+-              goto out;
+-      }
++      if (!in)
++              return -ENOMEM;
+ 
+       if (enable_uc_lb)
+               lb_flags = MLX5_TIRC_SELF_LB_BLOCK_BLOCK_UNICAST;
+@@ -160,14 +158,13 @@ int mlx5e_refresh_tirs(struct mlx5e_priv *priv, bool enable_uc_lb,
+               tirn = tir->tirn;
+               err = mlx5_core_modify_tir(mdev, tirn, in);
+               if (err)
+-                      goto out;
++                      break;
+       }
++      mutex_unlock(&mdev->mlx5e_res.hw_objs.td.list_lock);
+ 
+-out:
+       kvfree(in);
+       if (err)
+               netdev_err(priv->netdev, "refresh tir(0x%x) failed, %d\n", tirn, err);
+-      mutex_unlock(&mdev->mlx5e_res.hw_objs.td.list_lock);
+ 
+       return err;
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-netlink-fix-netlink_list_memberships-length-repo.patch b/queue-6.1/net-netlink-fix-netlink_list_memberships-length-repo.patch
new file mode 100644 (file)
index 0000000..4186047
--- /dev/null
+++ b/queue-6.1/net-netlink-fix-netlink_list_memberships-length-repo.patch
@@ -0,0 +1,40 @@
+From 1d394d4e9103cc5e383f561117896c2ef3b54c41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 May 2023 12:33:35 -0300
+Subject: net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit f4e4534850a9d18c250a93f8d7fbb51310828110 ]
+
+The current code for the length calculation wrongly truncates the reported
+length of the groups array, causing an under report of the subscribed
+groups. To fix this, use 'BITS_TO_BYTES()' which rounds up the
+division by 8.
+
+Fixes: b42be38b2778 ("netlink: add API to retrieve all group memberships")
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230529153335.389815-1-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index d1b19618890b7..6d493a0ccf399 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1768,7 +1768,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname,
+                               break;
+                       }
+               }
+-              if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen))
++              if (put_user(ALIGN(BITS_TO_BYTES(nlk->ngroups), sizeof(u32)), optlen))
+                       err = -EFAULT;
+               netlink_unlock_table();
+               return err;
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-sched-fix-null-pointer-dereference-in-mq_attach.patch b/queue-6.1/net-sched-fix-null-pointer-dereference-in-mq_attach.patch
new file mode 100644 (file)
index 0000000..c58d8be
--- /dev/null
+++ b/queue-6.1/net-sched-fix-null-pointer-dereference-in-mq_attach.patch
@@ -0,0 +1,93 @@
+From b7ff35dabe3a7f8abe0dc1bf183b08a7555ea3fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 17:37:47 +0800
+Subject: net: sched: fix NULL pointer dereference in mq_attach
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 36eec020fab668719b541f34d97f44e232ffa165 ]
+
+When use the following command to test:
+1)ip link add bond0 type bond
+2)ip link set bond0 up
+3)tc qdisc add dev bond0 root handle ffff: mq
+4)tc qdisc replace dev bond0 parent ffff:fff1 handle ffff: mq
+
+The kernel reports NULL pointer dereference issue. The stack information
+is as follows:
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+Internal error: Oops: 0000000096000006 [#1] SMP
+Modules linked in:
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : mq_attach+0x44/0xa0
+lr : qdisc_graft+0x20c/0x5cc
+sp : ffff80000e2236a0
+x29: ffff80000e2236a0 x28: ffff0000c0e59d80 x27: ffff0000c0be19c0
+x26: ffff0000cae3e800 x25: 0000000000000010 x24: 00000000fffffff1
+x23: 0000000000000000 x22: ffff0000cae3e800 x21: ffff0000c9df4000
+x20: ffff0000c9df4000 x19: 0000000000000000 x18: ffff80000a934000
+x17: ffff8000f5b56000 x16: ffff80000bb08000 x15: 0000000000000000
+x14: 0000000000000000 x13: 6b6b6b6b6b6b6b6b x12: 6b6b6b6b00000001
+x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+x8 : ffff0000c0be0730 x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008
+x5 : ffff0000cae3e864 x4 : 0000000000000000 x3 : 0000000000000001
+x2 : 0000000000000001 x1 : ffff8000090bc23c x0 : 0000000000000000
+Call trace:
+mq_attach+0x44/0xa0
+qdisc_graft+0x20c/0x5cc
+tc_modify_qdisc+0x1c4/0x664
+rtnetlink_rcv_msg+0x354/0x440
+netlink_rcv_skb+0x64/0x144
+rtnetlink_rcv+0x28/0x34
+netlink_unicast+0x1e8/0x2a4
+netlink_sendmsg+0x308/0x4a0
+sock_sendmsg+0x64/0xac
+____sys_sendmsg+0x29c/0x358
+___sys_sendmsg+0x90/0xd0
+__sys_sendmsg+0x7c/0xd0
+__arm64_sys_sendmsg+0x2c/0x38
+invoke_syscall+0x54/0x114
+el0_svc_common.constprop.1+0x90/0x174
+do_el0_svc+0x3c/0xb0
+el0_svc+0x24/0xec
+el0t_64_sync_handler+0x90/0xb4
+el0t_64_sync+0x174/0x178
+
+This is because when mq is added for the first time, qdiscs in mq is set
+to NULL in mq_attach(). Therefore, when replacing mq after adding mq, we
+need to initialize qdiscs in the mq before continuing to graft. Otherwise,
+it will couse NULL pointer dereference issue in mq_attach(). And the same
+issue will occur in the attach functions of mqprio, taprio and htb.
+ffff:fff1 means that the repalce qdisc is ingress. Ingress does not allow
+any qdisc to be attached. Therefore, ffff:fff1 is incorrectly used, and
+the command should be dropped.
+
+Fixes: 6ec1c69a8f64 ("net_sched: add classful multiqueue dummy scheduler")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Tested-by: Peilin Ye <peilin.ye@bytedance.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20230527093747.3583502-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 95f38595b0f7f..f6a7b876d5954 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1601,6 +1601,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                                       NL_SET_ERR_MSG(extack, "Qdisc parent/child loop detected");
+                                       return -ELOOP;
+                               }
++                              if (clid == TC_H_INGRESS) {
++                                      NL_SET_ERR_MSG(extack, "Ingress cannot graft directly");
++                                      return -EINVAL;
++                              }
+                               qdisc_refcount_inc(q);
+                               goto graft;
+                       } else {
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch b/queue-6.1/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch
new file mode 100644 (file)
index 0000000..cab994b
--- /dev/null
+++ b/queue-6.1/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch
@@ -0,0 +1,43 @@
+From 13ea57d16fdb52bb8b2dd8cbd9f571396fea2143 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 18:28:04 +0800
+Subject: net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit 4d56304e5827c8cc8cc18c75343d283af7c4825c ]
+
+If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
+size is 252 bytes(key->enc_opts.len = 252) then
+key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
+TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
+bypasses the next bounds check and results in an out-of-bounds.
+
+Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
+Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_flower.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index 25bc57ee6ea10..3de72e7c1075a 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -1147,6 +1147,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
+       if (option_len > sizeof(struct geneve_opt))
+               data_len = option_len - sizeof(struct geneve_opt);
+ 
++      if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
++              return -ERANGE;
++
+       opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
+       memset(opt, 0xff, option_len);
+       opt->length = data_len / 4;
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch b/queue-6.1/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch
new file mode 100644 (file)
index 0000000..13189fb
--- /dev/null
+++ b/queue-6.1/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch
@@ -0,0 +1,60 @@
+From a35429a457142be0ccc35d881f2f9660e611bef5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 May 2023 12:54:26 -0700
+Subject: net/sched: Prohibit regrafting ingress or clsact Qdiscs
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+[ Upstream commit 9de95df5d15baa956c2b70b9e794842e790a8a13 ]
+
+Currently, after creating an ingress (or clsact) Qdisc and grafting it
+under TC_H_INGRESS (TC_H_CLSACT), it is possible to graft it again under
+e.g. a TBF Qdisc:
+
+  $ ip link add ifb0 type ifb
+  $ tc qdisc add dev ifb0 handle 1: root tbf rate 20kbit buffer 1600 limit 3000
+  $ tc qdisc add dev ifb0 clsact
+  $ tc qdisc link dev ifb0 handle ffff: parent 1:1
+  $ tc qdisc show dev ifb0
+  qdisc tbf 1: root refcnt 2 rate 20Kbit burst 1600b lat 560.0ms
+  qdisc clsact ffff: parent ffff:fff1 refcnt 2
+                                      ^^^^^^^^
+
+clsact's refcount has increased: it is now grafted under both
+TC_H_CLSACT and 1:1.
+
+ingress and clsact Qdiscs should only be used under TC_H_INGRESS
+(TC_H_CLSACT).  Prohibit regrafting them.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Fixes: 1f211a1b929c ("net, sched: add clsact qdisc")
+Tested-by: Pedro Tammela <pctammela@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 2244e00ea9a10..95f38595b0f7f 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1591,6 +1591,11 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                                       NL_SET_ERR_MSG(extack, "Invalid qdisc name");
+                                       return -EINVAL;
+                               }
++                              if (q->flags & TCQ_F_INGRESS) {
++                                      NL_SET_ERR_MSG(extack,
++                                                     "Cannot regraft ingress or clsact Qdiscs");
++                                      return -EINVAL;
++                              }
+                               if (q == p ||
+                                   (p && check_loop(q, p, 0))) {
+                                       NL_SET_ERR_MSG(extack, "Qdisc parent/child loop detected");
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch b/queue-6.1/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch
new file mode 100644 (file)
index 0000000..ca736b1
--- /dev/null
+++ b/queue-6.1/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch
@@ -0,0 +1,87 @@
+From 8a47f6759c413fe395e0d7ba76908715fb7551d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 May 2023 12:54:03 -0700
+Subject: net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact)
+ Qdiscs
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+[ Upstream commit f85fa45d4a9408d98c46c8fa45ba2e3b2f4bf219 ]
+
+Currently it is possible to add e.g. an HTB Qdisc under ffff:fff1
+(TC_H_INGRESS, TC_H_CLSACT):
+
+  $ ip link add name ifb0 type ifb
+  $ tc qdisc add dev ifb0 parent ffff:fff1 htb
+  $ tc qdisc add dev ifb0 clsact
+  Error: Exclusivity flag on, cannot modify.
+  $ drgn
+  ...
+  >>> ifb0 = netdev_get_by_name(prog, "ifb0")
+  >>> qdisc = ifb0.ingress_queue.qdisc_sleeping
+  >>> print(qdisc.ops.id.string_().decode())
+  htb
+  >>> qdisc.flags.value_() # TCQ_F_INGRESS
+  2
+
+Only allow ingress and clsact Qdiscs under ffff:fff1.  Return -EINVAL
+for everything else.  Make TCQ_F_INGRESS a static flag of ingress and
+clsact Qdiscs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Fixes: 1f211a1b929c ("net, sched: add clsact qdisc")
+Tested-by: Pedro Tammela <pctammela@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c     | 7 ++++++-
+ net/sched/sch_ingress.c | 4 ++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index c82532e206992..2244e00ea9a10 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1241,7 +1241,12 @@ static struct Qdisc *qdisc_create(struct net_device *dev,
+       sch->parent = parent;
+ 
+       if (handle == TC_H_INGRESS) {
+-              sch->flags |= TCQ_F_INGRESS;
++              if (!(sch->flags & TCQ_F_INGRESS)) {
++                      NL_SET_ERR_MSG(extack,
++                                     "Specified parent ID is reserved for ingress and clsact Qdiscs");
++                      err = -EINVAL;
++                      goto err_out3;
++              }
+               handle = TC_H_MAKE(TC_H_INGRESS, 0);
+       } else {
+               if (handle == 0) {
+diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
+index 35963929e1178..e43a454993723 100644
+--- a/net/sched/sch_ingress.c
++++ b/net/sched/sch_ingress.c
+@@ -140,7 +140,7 @@ static struct Qdisc_ops ingress_qdisc_ops __read_mostly = {
+       .cl_ops                 =       &ingress_class_ops,
+       .id                     =       "ingress",
+       .priv_size              =       sizeof(struct ingress_sched_data),
+-      .static_flags           =       TCQ_F_CPUSTATS,
++      .static_flags           =       TCQ_F_INGRESS | TCQ_F_CPUSTATS,
+       .init                   =       ingress_init,
+       .destroy                =       ingress_destroy,
+       .dump                   =       ingress_dump,
+@@ -281,7 +281,7 @@ static struct Qdisc_ops clsact_qdisc_ops __read_mostly = {
+       .cl_ops                 =       &clsact_class_ops,
+       .id                     =       "clsact",
+       .priv_size              =       sizeof(struct clsact_sched_data),
+-      .static_flags           =       TCQ_F_CPUSTATS,
++      .static_flags           =       TCQ_F_INGRESS | TCQ_F_CPUSTATS,
+       .init                   =       clsact_init,
+       .destroy                =       clsact_destroy,
+       .dump                   =       ingress_dump,
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch b/queue-6.1/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch
new file mode 100644 (file)
index 0000000..deae2a6
--- /dev/null
+++ b/queue-6.1/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch
@@ -0,0 +1,52 @@
+From 69098327f0d0d513b4a619868a339bfc46f6bd8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 May 2023 12:53:21 -0700
+Subject: net/sched: sch_clsact: Only create under TC_H_CLSACT
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+[ Upstream commit 5eeebfe6c493192b10d516abfd72742900f2a162 ]
+
+clsact Qdiscs are only supposed to be created under TC_H_CLSACT (which
+equals TC_H_INGRESS).  Return -EOPNOTSUPP if 'parent' is not
+TC_H_CLSACT.
+
+Fixes: 1f211a1b929c ("net, sched: add clsact qdisc")
+Tested-by: Pedro Tammela <pctammela@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_ingress.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
+index f9ef6deb27709..35963929e1178 100644
+--- a/net/sched/sch_ingress.c
++++ b/net/sched/sch_ingress.c
+@@ -225,6 +225,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt,
+       struct net_device *dev = qdisc_dev(sch);
+       int err;
+ 
++      if (sch->parent != TC_H_CLSACT)
++              return -EOPNOTSUPP;
++
+       net_inc_ingress_queue();
+       net_inc_egress_queue();
+ 
+@@ -254,6 +257,9 @@ static void clsact_destroy(struct Qdisc *sch)
+ {
+       struct clsact_sched_data *q = qdisc_priv(sch);
+ 
++      if (sch->parent != TC_H_CLSACT)
++              return;
++
+       tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info);
+       tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch b/queue-6.1/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch
new file mode 100644 (file)
index 0000000..d853acc
--- /dev/null
+++ b/queue-6.1/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch
@@ -0,0 +1,54 @@
+From ebcb08d8c74954610ca73a7f47490d960a78b1ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 May 2023 12:52:55 -0700
+Subject: net/sched: sch_ingress: Only create under TC_H_INGRESS
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+[ Upstream commit c7cfbd115001f94de9e4053657946a383147e803 ]
+
+ingress Qdiscs are only supposed to be created under TC_H_INGRESS.
+Return -EOPNOTSUPP if 'parent' is not TC_H_INGRESS, similar to
+mq_init().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+b53a9c0d1ea4ad62da8b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/0000000000006cf87705f79acf1a@google.com/
+Tested-by: Pedro Tammela <pctammela@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_ingress.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
+index 84838128b9c5b..f9ef6deb27709 100644
+--- a/net/sched/sch_ingress.c
++++ b/net/sched/sch_ingress.c
+@@ -80,6 +80,9 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt,
+       struct net_device *dev = qdisc_dev(sch);
+       int err;
+ 
++      if (sch->parent != TC_H_INGRESS)
++              return -EOPNOTSUPP;
++
+       net_inc_ingress_queue();
+ 
+       mini_qdisc_pair_init(&q->miniqp, sch, &dev->miniq_ingress);
+@@ -101,6 +104,9 @@ static void ingress_destroy(struct Qdisc *sch)
+ {
+       struct ingress_sched_data *q = qdisc_priv(sch);
+ 
++      if (sch->parent != TC_H_INGRESS)
++              return;
++
+       tcf_block_put_ext(q->block, sch, &q->block_info);
+       net_dec_ingress_queue();
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-smc-don-t-use-rmbs-not-mapped-to-new-link-in-smc.patch b/queue-6.1/net-smc-don-t-use-rmbs-not-mapped-to-new-link-in-smc.patch
new file mode 100644 (file)
index 0000000..499f05c
--- /dev/null
+++ b/queue-6.1/net-smc-don-t-use-rmbs-not-mapped-to-new-link-in-smc.patch
@@ -0,0 +1,87 @@
+From 203b7748cbc343b3a56bd4fa31be56ce52820b28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 19:49:01 +0800
+Subject: net/smc: Don't use RMBs not mapped to new link in SMCRv2 ADD LINK
+
+From: Wen Gu <guwen@linux.alibaba.com>
+
+[ Upstream commit 71c6aa0305e3d2365d3bfd0134b4025d9e7ba388 ]
+
+We encountered a crash when using SMCRv2. It is caused by a logical
+error in smc_llc_fill_ext_v2().
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000014
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP PTI
+ CPU: 7 PID: 453 Comm: kworker/7:4 Kdump: loaded Tainted: G        W   E      6.4.0-rc3+ #44
+ Workqueue: events smc_llc_add_link_work [smc]
+ RIP: 0010:smc_llc_fill_ext_v2+0x117/0x280 [smc]
+ RSP: 0018:ffffacb5c064bd88 EFLAGS: 00010282
+ RAX: ffff9a6bc1c3c02c RBX: ffff9a6be3558000 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: 0000000000000002 RDI: 000000000000000a
+ RBP: ffffacb5c064bdb8 R08: 0000000000000040 R09: 000000000000000c
+ R10: ffff9a6bc0910300 R11: 0000000000000002 R12: 0000000000000000
+ R13: 0000000000000002 R14: ffff9a6bc1c3c02c R15: ffff9a6be3558250
+ FS:  0000000000000000(0000) GS:ffff9a6eefdc0000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000014 CR3: 000000010b078003 CR4: 00000000003706e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+  <TASK>
+  smc_llc_send_add_link+0x1ae/0x2f0 [smc]
+  smc_llc_srv_add_link+0x2c9/0x5a0 [smc]
+  ? cc_mkenc+0x40/0x60
+  smc_llc_add_link_work+0xb8/0x140 [smc]
+  process_one_work+0x1e5/0x3f0
+  worker_thread+0x4d/0x2f0
+  ? __pfx_worker_thread+0x10/0x10
+  kthread+0xe5/0x120
+  ? __pfx_kthread+0x10/0x10
+  ret_from_fork+0x2c/0x50
+  </TASK>
+
+When an alernate RNIC is available in system, SMC will try to add a new
+link based on the RNIC for resilience. All the RMBs in use will be mapped
+to the new link. Then the RMBs' MRs corresponding to the new link will be
+filled into SMCRv2 LLC ADD LINK messages.
+
+However, smc_llc_fill_ext_v2() mistakenly accesses to unused RMBs which
+haven't been mapped to the new link and have no valid MRs, thus causing
+a crash. So this patch fixes the logic.
+
+Fixes: b4ba4652b3f8 ("net/smc: extend LLC layer for SMC-Rv2")
+Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_llc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c
+index 85af5bfa96228..3008dfdf7c55e 100644
+--- a/net/smc/smc_llc.c
++++ b/net/smc/smc_llc.c
+@@ -617,6 +617,8 @@ static int smc_llc_fill_ext_v2(struct smc_llc_msg_add_link_v2_ext *ext,
+               goto out;
+       buf_pos = smc_llc_get_first_rmb(lgr, &buf_lst);
+       for (i = 0; i < ext->num_rkeys; i++) {
++              while (buf_pos && !(buf_pos)->used)
++                      buf_pos = smc_llc_get_next_rmb(lgr, &buf_lst, buf_pos);
+               if (!buf_pos)
+                       break;
+               rmb = buf_pos;
+@@ -626,8 +628,6 @@ static int smc_llc_fill_ext_v2(struct smc_llc_msg_add_link_v2_ext *ext,
+                       cpu_to_be64((uintptr_t)rmb->cpu_addr) :
+                       cpu_to_be64((u64)sg_dma_address(rmb->sgt[lnk_idx].sgl));
+               buf_pos = smc_llc_get_next_rmb(lgr, &buf_lst, buf_pos);
+-              while (buf_pos && !(buf_pos)->used)
+-                      buf_pos = smc_llc_get_next_rmb(lgr, &buf_lst, buf_pos);
+       }
+       len += i * sizeof(ext->rt[0]);
+ out:
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-smc-scan-from-current-rmb-list-when-no-position-.patch b/queue-6.1/net-smc-scan-from-current-rmb-list-when-no-position-.patch
new file mode 100644 (file)
index 0000000..4b8cb75
--- /dev/null
+++ b/queue-6.1/net-smc-scan-from-current-rmb-list-when-no-position-.patch
@@ -0,0 +1,39 @@
+From a6f53c85806500630d96c2d47f5f13b71b23e402 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 19:49:00 +0800
+Subject: net/smc: Scan from current RMB list when no position specified
+
+From: Wen Gu <guwen@linux.alibaba.com>
+
+[ Upstream commit b24aa141c2ff26c919237aee61ea1818fc6780d9 ]
+
+When finding the first RMB of link group, it should start from the
+current RMB list whose index is 0. So fix it.
+
+Fixes: b4ba4652b3f8 ("net/smc: extend LLC layer for SMC-Rv2")
+Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_llc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c
+index 524649d0ab652..85af5bfa96228 100644
+--- a/net/smc/smc_llc.c
++++ b/net/smc/smc_llc.c
+@@ -578,7 +578,10 @@ static struct smc_buf_desc *smc_llc_get_next_rmb(struct smc_link_group *lgr,
+ {
+       struct smc_buf_desc *buf_next;
+ 
+-      if (!buf_pos || list_is_last(&buf_pos->list, &lgr->rmbs[*buf_lst])) {
++      if (!buf_pos)
++              return _smc_llc_get_next_rmb(lgr, buf_lst);
++
++      if (list_is_last(&buf_pos->list, &lgr->rmbs[*buf_lst])) {
+               (*buf_lst)++;
+               return _smc_llc_get_next_rmb(lgr, buf_lst);
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-wwan-t7xx-ensure-init-is-completed-before-system.patch b/queue-6.1/net-wwan-t7xx-ensure-init-is-completed-before-system.patch
new file mode 100644 (file)
index 0000000..cb46902
--- /dev/null
+++ b/queue-6.1/net-wwan-t7xx-ensure-init-is-completed-before-system.patch
@@ -0,0 +1,100 @@
+From 69c09dcfe80c9f05f274cdcdbc28e6d327e0b0e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 13:24:51 +0800
+Subject: net: wwan: t7xx: Ensure init is completed before system sleep
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit ab87603b251134441a67385ecc9d3371be17b7a7 ]
+
+When the system attempts to sleep while mtk_t7xx is not ready, the driver
+cannot put the device to sleep:
+[   12.472918] mtk_t7xx 0000:57:00.0: [PM] Exiting suspend, modem in invalid state
+[   12.472936] mtk_t7xx 0000:57:00.0: PM: pci_pm_suspend(): t7xx_pci_pm_suspend+0x0/0x20 [mtk_t7xx] returns -14
+[   12.473678] mtk_t7xx 0000:57:00.0: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x1b0 returns -14
+[   12.473711] mtk_t7xx 0000:57:00.0: PM: failed to suspend async: error -14
+[   12.764776] PM: Some devices failed to suspend, or early wake event detected
+
+Mediatek confirmed the device can take a rather long time to complete
+its initialization, so wait for up to 20 seconds until init is done.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/t7xx/t7xx_pci.c | 18 ++++++++++++++++++
+ drivers/net/wwan/t7xx/t7xx_pci.h |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_pci.c b/drivers/net/wwan/t7xx/t7xx_pci.c
+index 226fc1703e90f..91256e005b846 100644
+--- a/drivers/net/wwan/t7xx/t7xx_pci.c
++++ b/drivers/net/wwan/t7xx/t7xx_pci.c
+@@ -45,6 +45,7 @@
+ #define T7XX_PCI_IREG_BASE            0
+ #define T7XX_PCI_EREG_BASE            2
+ 
++#define T7XX_INIT_TIMEOUT             20
+ #define PM_SLEEP_DIS_TIMEOUT_MS               20
+ #define PM_ACK_TIMEOUT_MS             1500
+ #define PM_AUTOSUSPEND_MS             20000
+@@ -96,6 +97,7 @@ static int t7xx_pci_pm_init(struct t7xx_pci_dev *t7xx_dev)
+       spin_lock_init(&t7xx_dev->md_pm_lock);
+       init_completion(&t7xx_dev->sleep_lock_acquire);
+       init_completion(&t7xx_dev->pm_sr_ack);
++      init_completion(&t7xx_dev->init_done);
+       atomic_set(&t7xx_dev->md_pm_state, MTK_PM_INIT);
+ 
+       device_init_wakeup(&pdev->dev, true);
+@@ -124,6 +126,7 @@ void t7xx_pci_pm_init_late(struct t7xx_pci_dev *t7xx_dev)
+       pm_runtime_mark_last_busy(&t7xx_dev->pdev->dev);
+       pm_runtime_allow(&t7xx_dev->pdev->dev);
+       pm_runtime_put_noidle(&t7xx_dev->pdev->dev);
++      complete_all(&t7xx_dev->init_done);
+ }
+ 
+ static int t7xx_pci_pm_reinit(struct t7xx_pci_dev *t7xx_dev)
+@@ -529,6 +532,20 @@ static void t7xx_pci_shutdown(struct pci_dev *pdev)
+       __t7xx_pci_pm_suspend(pdev);
+ }
+ 
++static int t7xx_pci_pm_prepare(struct device *dev)
++{
++      struct pci_dev *pdev = to_pci_dev(dev);
++      struct t7xx_pci_dev *t7xx_dev;
++
++      t7xx_dev = pci_get_drvdata(pdev);
++      if (!wait_for_completion_timeout(&t7xx_dev->init_done, T7XX_INIT_TIMEOUT * HZ)) {
++              dev_warn(dev, "Not ready for system sleep.\n");
++              return -ETIMEDOUT;
++      }
++
++      return 0;
++}
++
+ static int t7xx_pci_pm_suspend(struct device *dev)
+ {
+       return __t7xx_pci_pm_suspend(to_pci_dev(dev));
+@@ -555,6 +572,7 @@ static int t7xx_pci_pm_runtime_resume(struct device *dev)
+ }
+ 
+ static const struct dev_pm_ops t7xx_pci_pm_ops = {
++      .prepare = t7xx_pci_pm_prepare,
+       .suspend = t7xx_pci_pm_suspend,
+       .resume = t7xx_pci_pm_resume,
+       .resume_noirq = t7xx_pci_pm_resume_noirq,
+diff --git a/drivers/net/wwan/t7xx/t7xx_pci.h b/drivers/net/wwan/t7xx/t7xx_pci.h
+index 50b37056ce5a4..5dffe24ef37b4 100644
+--- a/drivers/net/wwan/t7xx/t7xx_pci.h
++++ b/drivers/net/wwan/t7xx/t7xx_pci.h
+@@ -69,6 +69,7 @@ struct t7xx_pci_dev {
+       struct t7xx_modem       *md;
+       struct t7xx_ccmni_ctrl  *ccmni_ctlb;
+       bool                    rgu_pci_irq_en;
++      struct completion       init_done;
+ 
+       /* Low Power Items */
+       struct list_head        md_pm_entities;
+-- 
+2.39.2
+

diff --git a/queue-6.1/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch b/queue-6.1/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch
new file mode 100644 (file)
index 0000000..1148979
--- /dev/null
+++ b/queue-6.1/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch
@@ -0,0 +1,63 @@
+From 4592411c9de9d6486a7ae23810c574c29ee959d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 10:00:10 -0400
+Subject: netfilter: conntrack: define variables exp_nat_nla_policy and
+ any_addr with CONFIG_NF_NAT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 224a876e37543eee111bf9b6aa4935080e619335 ]
+
+gcc with W=1 and ! CONFIG_NF_NAT
+net/netfilter/nf_conntrack_netlink.c:3463:32: error:
+  ‘exp_nat_nla_policy’ defined but not used [-Werror=unused-const-variable=]
+ 3463 | static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
+      |                                ^~~~~~~~~~~~~~~~~~
+net/netfilter/nf_conntrack_netlink.c:2979:33: error:
+  ‘any_addr’ defined but not used [-Werror=unused-const-variable=]
+ 2979 | static const union nf_inet_addr any_addr;
+      |                                 ^~~~~~~~
+
+These variables use is controlled by CONFIG_NF_NAT, so should their definitions.
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 857cddd9d82e5..9ee8abd3e4b10 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -2976,7 +2976,9 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
+       return -1;
+ }
+ 
++#if IS_ENABLED(CONFIG_NF_NAT)
+ static const union nf_inet_addr any_addr;
++#endif
+ 
+ static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
+ {
+@@ -3460,10 +3462,12 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x,
+       return 0;
+ }
+ 
++#if IS_ENABLED(CONFIG_NF_NAT)
+ static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
+       [CTA_EXPECT_NAT_DIR]    = { .type = NLA_U32 },
+       [CTA_EXPECT_NAT_TUPLE]  = { .type = NLA_NESTED },
+ };
++#endif
+ 
+ static int
+ ctnetlink_parse_expect_nat(const struct nlattr *attr,
+-- 
+2.39.2
+

diff --git a/queue-6.1/netrom-fix-info-leak-in-nr_write_internal.patch b/queue-6.1/netrom-fix-info-leak-in-nr_write_internal.patch
new file mode 100644 (file)
index 0000000..db12798
--- /dev/null
+++ b/queue-6.1/netrom-fix-info-leak-in-nr_write_internal.patch
@@ -0,0 +1,85 @@
+From edd4793f6290002e93b048d180698abf38b8f362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 14:14:56 +0000
+Subject: netrom: fix info-leak in nr_write_internal()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 31642e7089df8fd3f54ca7843f7ee2952978cad1 ]
+
+Simon Kapadia reported the following issue:
+
+<quote>
+
+The Online Amateur Radio Community (OARC) has recently been experimenting
+with building a nationwide packet network in the UK.
+As part of our experimentation, we have been testing out packet on 300bps HF,
+and playing with net/rom.  For HF packet at this baud rate you really need
+to make sure that your MTU is relatively low; AX.25 suggests a PACLEN of 60,
+and a net/rom PACLEN of 40 to go with that.
+However the Linux net/rom support didn't work with a low PACLEN;
+the mkiss module would truncate packets if you set the PACLEN below about 200 or so, e.g.:
+
+Apr 19 14:00:51 radio kernel: [12985.747310] mkiss: ax1: truncating oversized transmit packet!
+
+This didn't make any sense to me (if the packets are smaller why would they
+be truncated?) so I started investigating.
+I looked at the packets using ethereal, and found that many were just huge
+compared to what I would expect.
+A simple net/rom connection request packet had the request and then a bunch
+of what appeared to be random data following it:
+
+</quote>
+
+Simon provided a patch that I slightly revised:
+Not only we must not use skb_tailroom(), we also do
+not want to count NR_NETWORK_LEN twice.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-Developed-by: Simon Kapadia <szymon@kapadia.pl>
+Signed-off-by: Simon Kapadia <szymon@kapadia.pl>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Simon Kapadia <szymon@kapadia.pl>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230524141456.1045467-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_subr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c
+index 3f99b432ea707..e2d2af924cff4 100644
+--- a/net/netrom/nr_subr.c
++++ b/net/netrom/nr_subr.c
+@@ -123,7 +123,7 @@ void nr_write_internal(struct sock *sk, int frametype)
+       unsigned char  *dptr;
+       int len, timeout;
+ 
+-      len = NR_NETWORK_LEN + NR_TRANSPORT_LEN;
++      len = NR_TRANSPORT_LEN;
+ 
+       switch (frametype & 0x0F) {
+       case NR_CONNREQ:
+@@ -141,7 +141,8 @@ void nr_write_internal(struct sock *sk, int frametype)
+               return;
+       }
+ 
+-      if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
++      skb = alloc_skb(NR_NETWORK_LEN + len, GFP_ATOMIC);
++      if (!skb)
+               return;
+ 
+       /*
+@@ -149,7 +150,7 @@ void nr_write_internal(struct sock *sk, int frametype)
+        */
+       skb_reserve(skb, NR_NETWORK_LEN);
+ 
+-      dptr = skb_put(skb, skb_tailroom(skb));
++      dptr = skb_put(skb, len);
+ 
+       switch (frametype & 0x0F) {
+       case NR_CONNREQ:
+-- 
+2.39.2
+

diff --git a/queue-6.1/nfsd-fix-double-fget-bug-in-__write_ports_addfd.patch b/queue-6.1/nfsd-fix-double-fget-bug-in-__write_ports_addfd.patch
new file mode 100644 (file)
index 0000000..6de89a3
--- /dev/null
+++ b/queue-6.1/nfsd-fix-double-fget-bug-in-__write_ports_addfd.patch
@@ -0,0 +1,123 @@
+From a390caad4767c9bc31a1242b14191283afa1a853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 May 2023 14:35:55 +0300
+Subject: nfsd: fix double fget() bug in __write_ports_addfd()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c034203b6a9dae6751ef4371c18cb77983e30c28 ]
+
+The bug here is that you cannot rely on getting the same socket
+from multiple calls to fget() because userspace can influence
+that.  This is a kind of double fetch bug.
+
+The fix is to delete the svc_alien_sock() function and instead do
+the checking inside the svc_addsock() function.
+
+Fixes: 3064639423c4 ("nfsd: check passed socket's net matches NFSd superblock's one")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfsctl.c               |  7 +------
+ include/linux/sunrpc/svcsock.h |  7 +++----
+ net/sunrpc/svcsock.c           | 24 ++++++------------------
+ 3 files changed, 10 insertions(+), 28 deletions(-)
+
+diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
+index dc74a947a440c..573de0d49e172 100644
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -710,16 +710,11 @@ static ssize_t __write_ports_addfd(char *buf, struct net *net, const struct cred
+       if (err != 0 || fd < 0)
+               return -EINVAL;
+ 
+-      if (svc_alien_sock(net, fd)) {
+-              printk(KERN_ERR "%s: socket net is different to NFSd's one\n", __func__);
+-              return -EINVAL;
+-      }
+-
+       err = nfsd_create_serv(net);
+       if (err != 0)
+               return err;
+ 
+-      err = svc_addsock(nn->nfsd_serv, fd, buf, SIMPLE_TRANSACTION_LIMIT, cred);
++      err = svc_addsock(nn->nfsd_serv, net, fd, buf, SIMPLE_TRANSACTION_LIMIT, cred);
+ 
+       if (err >= 0 &&
+           !nn->nfsd_serv->sv_nrthreads && !xchg(&nn->keep_active, 1))
+diff --git a/include/linux/sunrpc/svcsock.h b/include/linux/sunrpc/svcsock.h
+index bcc555c7ae9c6..13aff355d5a13 100644
+--- a/include/linux/sunrpc/svcsock.h
++++ b/include/linux/sunrpc/svcsock.h
+@@ -59,10 +59,9 @@ int         svc_recv(struct svc_rqst *, long);
+ int           svc_send(struct svc_rqst *);
+ void          svc_drop(struct svc_rqst *);
+ void          svc_sock_update_bufs(struct svc_serv *serv);
+-bool          svc_alien_sock(struct net *net, int fd);
+-int           svc_addsock(struct svc_serv *serv, const int fd,
+-                                      char *name_return, const size_t len,
+-                                      const struct cred *cred);
++int           svc_addsock(struct svc_serv *serv, struct net *net,
++                          const int fd, char *name_return, const size_t len,
++                          const struct cred *cred);
+ void          svc_init_xprt_sock(void);
+ void          svc_cleanup_xprt_sock(void);
+ struct svc_xprt *svc_sock_create(struct svc_serv *serv, int prot);
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 7107fbcbff343..d808c00cdbac1 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -1338,25 +1338,10 @@ static struct svc_sock *svc_setup_socket(struct svc_serv *serv,
+       return svsk;
+ }
+ 
+-bool svc_alien_sock(struct net *net, int fd)
+-{
+-      int err;
+-      struct socket *sock = sockfd_lookup(fd, &err);
+-      bool ret = false;
+-
+-      if (!sock)
+-              goto out;
+-      if (sock_net(sock->sk) != net)
+-              ret = true;
+-      sockfd_put(sock);
+-out:
+-      return ret;
+-}
+-EXPORT_SYMBOL_GPL(svc_alien_sock);
+-
+ /**
+  * svc_addsock - add a listener socket to an RPC service
+  * @serv: pointer to RPC service to which to add a new listener
++ * @net: caller's network namespace
+  * @fd: file descriptor of the new listener
+  * @name_return: pointer to buffer to fill in with name of listener
+  * @len: size of the buffer
+@@ -1366,8 +1351,8 @@ EXPORT_SYMBOL_GPL(svc_alien_sock);
+  * Name is terminated with '\n'.  On error, returns a negative errno
+  * value.
+  */
+-int svc_addsock(struct svc_serv *serv, const int fd, char *name_return,
+-              const size_t len, const struct cred *cred)
++int svc_addsock(struct svc_serv *serv, struct net *net, const int fd,
++              char *name_return, const size_t len, const struct cred *cred)
+ {
+       int err = 0;
+       struct socket *so = sockfd_lookup(fd, &err);
+@@ -1378,6 +1363,9 @@ int svc_addsock(struct svc_serv *serv, const int fd, char *name_return,
+ 
+       if (!so)
+               return err;
++      err = -EINVAL;
++      if (sock_net(so->sk) != net)
++              goto out;
+       err = -EAFNOSUPPORT;
+       if ((so->sk->sk_family != PF_INET) && (so->sk->sk_family != PF_INET6))
+               goto out;
+-- 
+2.39.2
+

diff --git a/queue-6.1/nfsd-make-a-copy-of-struct-iattr-before-calling-noti.patch b/queue-6.1/nfsd-make-a-copy-of-struct-iattr-before-calling-noti.patch
new file mode 100644 (file)
index 0000000..def5215
--- /dev/null
+++ b/queue-6.1/nfsd-make-a-copy-of-struct-iattr-before-calling-noti.patch
@@ -0,0 +1,50 @@
+From 8a1741fe3d6d2419baa03f4fd349cddc71637e1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 12:26:44 -0400
+Subject: nfsd: make a copy of struct iattr before calling notify_change
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit d53d70084d27f56bcdf5074328f2c9ec861be596 ]
+
+notify_change can modify the iattr structure. In particular it can
+end up setting ATTR_MODE when ATTR_KILL_SUID is already set, causing
+a BUG() if the same iattr is passed to notify_change more than once.
+
+Make a copy of the struct iattr before calling notify_change.
+
+Reported-by: Zhi Li <yieli@redhat.com>
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2207969
+Tested-by: Zhi Li <yieli@redhat.com>
+Fixes: 34b91dda7124 ("NFSD: Make nfsd4_setattr() wait before returning NFS4ERR_DELAY")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/vfs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index dc3ba13546dd6..155b34c4683c2 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -469,7 +469,15 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ 
+       inode_lock(inode);
+       for (retries = 1;;) {
+-              host_err = __nfsd_setattr(dentry, iap);
++              struct iattr attrs;
++
++              /*
++               * notify_change() can alter its iattr argument, making
++               * @iap unsuitable for submission multiple times. Make a
++               * copy for every loop iteration.
++               */
++              attrs = *iap;
++              host_err = __nfsd_setattr(dentry, &attrs);
+               if (host_err != -EAGAIN || !retries--)
+                       break;
+               if (!nfsd_wait_for_delegreturn(rqstp, inode))
+-- 
+2.39.2
+

diff --git a/queue-6.1/nvme-do-not-let-the-user-delete-a-ctrl-before-a-comp.patch b/queue-6.1/nvme-do-not-let-the-user-delete-a-ctrl-before-a-comp.patch
new file mode 100644 (file)
index 0000000..feb67b0
--- /dev/null
+++ b/queue-6.1/nvme-do-not-let-the-user-delete-a-ctrl-before-a-comp.patch
@@ -0,0 +1,76 @@
+From 60c1d8f83fb641c900886d41efe018d1d01985c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 13:07:41 +0200
+Subject: nvme: do not let the user delete a ctrl before a complete
+ initialization
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 2eb94dd56a4a4e3fe286def3e2ba207804a37345 ]
+
+If a userspace application performes a "delete_controller" command
+early during the ctrl initialization, the delete operation
+may race against the init code and the kernel will crash.
+
+nvme nvme5: Connect command failed: host path error
+nvme nvme5: failed to connect queue: 0 ret=880
+PF: supervisor write access in kernel mode
+PF: error_code(0x0002) - not-present page
+ blk_mq_quiesce_queue+0x18/0x90
+ nvme_tcp_delete_ctrl+0x24/0x40 [nvme_tcp]
+ nvme_do_delete_ctrl+0x7f/0x8b [nvme_core]
+ nvme_sysfs_delete.cold+0x8/0xd [nvme_core]
+ kernfs_fop_write_iter+0x124/0x1b0
+ new_sync_write+0xff/0x190
+ vfs_write+0x1ef/0x280
+
+Fix the crash by checking the NVME_CTRL_STARTED_ONCE bit;
+if it's not set it means that the nvme controller is still
+in the process of getting initialized and the kernel
+will return an -EBUSY error to userspace.
+Set the NVME_CTRL_STARTED_ONCE later in the nvme_start_ctrl()
+function, after the controller start operation is completed.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index f502e032e7e46..2e22c78991ccf 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3540,6 +3540,9 @@ static ssize_t nvme_sysfs_delete(struct device *dev,
+ {
+       struct nvme_ctrl *ctrl = dev_get_drvdata(dev);
+ 
++      if (!test_bit(NVME_CTRL_STARTED_ONCE, &ctrl->flags))
++              return -EBUSY;
++
+       if (device_remove_file_self(dev, attr))
+               nvme_delete_ctrl_sync(ctrl);
+       return count;
+@@ -4980,7 +4983,7 @@ void nvme_start_ctrl(struct nvme_ctrl *ctrl)
+        * that were missed. We identify persistent discovery controllers by
+        * checking that they started once before, hence are reconnecting back.
+        */
+-      if (test_and_set_bit(NVME_CTRL_STARTED_ONCE, &ctrl->flags) &&
++      if (test_bit(NVME_CTRL_STARTED_ONCE, &ctrl->flags) &&
+           nvme_discovery_ctrl(ctrl))
+               nvme_change_uevent(ctrl, "NVME_EVENT=rediscover");
+ 
+@@ -4991,6 +4994,7 @@ void nvme_start_ctrl(struct nvme_ctrl *ctrl)
+       }
+ 
+       nvme_change_uevent(ctrl, "NVME_EVENT=connected");
++      set_bit(NVME_CTRL_STARTED_ONCE, &ctrl->flags);
+ }
+ EXPORT_SYMBOL_GPL(nvme_start_ctrl);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/nvme-fix-the-name-of-zone-append-for-verbose-logging.patch b/queue-6.1/nvme-fix-the-name-of-zone-append-for-verbose-logging.patch
new file mode 100644 (file)
index 0000000..3e2317f
--- /dev/null
+++ b/queue-6.1/nvme-fix-the-name-of-zone-append-for-verbose-logging.patch
@@ -0,0 +1,36 @@
+From 882e643a225462685a8bbf2889cf96bf6b29fafb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 14:54:54 +0200
+Subject: nvme: fix the name of Zone Append for verbose logging
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 856303797724d28f1d65b702f0eadcee1ea7abf5 ]
+
+No Management involved in Zone Appened.
+
+Fixes: bd83fe6f2cd2 ("nvme: add verbose error logging")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Alan Adamson <alan.adamson@oracle.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/constants.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/constants.c b/drivers/nvme/host/constants.c
+index e958d50155857..5766ceba2fec9 100644
+--- a/drivers/nvme/host/constants.c
++++ b/drivers/nvme/host/constants.c
+@@ -21,7 +21,7 @@ static const char * const nvme_ops[] = {
+       [nvme_cmd_resv_release] = "Reservation Release",
+       [nvme_cmd_zone_mgmt_send] = "Zone Management Send",
+       [nvme_cmd_zone_mgmt_recv] = "Zone Management Receive",
+-      [nvme_cmd_zone_append] = "Zone Management Append",
++      [nvme_cmd_zone_append] = "Zone Append",
+ };
+ 
+ static const char * const nvme_admin_ops[] = {
+-- 
+2.39.2
+

diff --git a/queue-6.1/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch b/queue-6.1/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch
new file mode 100644 (file)
index 0000000..287346c
--- /dev/null
+++ b/queue-6.1/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch
@@ -0,0 +1,36 @@
+From 653d67815da82260944eefb99f6954a88aec0163 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 09:53:45 +0200
+Subject: nvme-multipath: don't call blk_mark_disk_dead in
+ nvme_mpath_remove_disk
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 1743e5f6000901a11f4e1cd741bfa9136f3ec9b1 ]
+
+nvme_mpath_remove_disk is called after del_gendisk, at which point a
+blk_mark_disk_dead call doesn't make any sense.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index d09ed00701743..f96d330d39641 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -858,7 +858,6 @@ void nvme_mpath_remove_disk(struct nvme_ns_head *head)
+ {
+       if (!head->disk)
+               return;
+-      blk_mark_disk_dead(head->disk);
+       /* make sure all pending bios are cleaned up */
+       kblockd_schedule_work(&head->requeue_work);
+       flush_work(&head->requeue_work);
+-- 
+2.39.2
+

diff --git a/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch
new file mode 100644 (file)
index 0000000..b440ef2
--- /dev/null
+++ b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch
@@ -0,0 +1,37 @@
+From dde192faa6a4364d4b6f937b44b5bdd2b5cbf31d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 May 2023 18:57:33 +0300
+Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 1616d6c3717bae9041a4240d381ec56ccdaafedc ]
+
+Add a quirk to fix HS-SSD-FUTURE 2048G SSD drives reporting duplicate
+nsids.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217384
+Reported-by: Andrey God <andreygod83@protonmail.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 581bf94416e6d..3347e86b3c55f 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3554,6 +3554,8 @@ static const struct pci_device_id nvme_id_table[] = {
+                               NVME_QUIRK_IGNORE_DEV_SUBNQN, },
+       { PCI_DEVICE(0x10ec, 0x5763), /* TEAMGROUP T-FORCE CARDEA ZERO Z330 SSD */
+               .driver_data = NVME_QUIRK_BOGUS_NID, },
++      { PCI_DEVICE(0x1e4b, 0x1602), /* HS-SSD-FUTURE 2048G  */
++              .driver_data = NVME_QUIRK_BOGUS_NID, },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061),
+               .driver_data = NVME_QUIRK_DMA_ADDRESS_BITS_48, },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0065),
+-- 
+2.39.2
+

diff --git a/queue-6.1/nvme-pci-add-quirk-for-missing-secondary-temperature.patch b/queue-6.1/nvme-pci-add-quirk-for-missing-secondary-temperature.patch
new file mode 100644 (file)
index 0000000..737de69
--- /dev/null
+++ b/queue-6.1/nvme-pci-add-quirk-for-missing-secondary-temperature.patch
@@ -0,0 +1,79 @@
+From 5ebb6ed66b516425f57b174fdb57958b777442d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Apr 2023 22:58:54 +0300
+Subject: nvme-pci: add quirk for missing secondary temperature thresholds
+
+From: Hristo Venev <hristo@venev.name>
+
+[ Upstream commit bd375feeaf3408ed00e08c3bc918d6be15f691ad ]
+
+On Kingston KC3000 and Kingston FURY Renegade (both have the same PCI
+IDs) accessing temp3_{min,max} fails with an invalid field error (note
+that there is no problem setting the thresholds for temp1).
+
+This contradicts the NVM Express Base Specification 2.0b, page 292:
+
+  The over temperature threshold and under temperature threshold
+  features shall be implemented for all implemented temperature sensors
+  (i.e., all Temperature Sensor fields that report a non-zero value).
+
+Define NVME_QUIRK_NO_SECONDARY_TEMP_THRESH that disables the thresholds
+for all but the composite temperature and set it for this device.
+
+Signed-off-by: Hristo Venev <hristo@venev.name>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/hwmon.c | 4 +++-
+ drivers/nvme/host/nvme.h  | 5 +++++
+ drivers/nvme/host/pci.c   | 2 ++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/hwmon.c b/drivers/nvme/host/hwmon.c
+index 9e6e56c20ec99..316f3e4ca7cc6 100644
+--- a/drivers/nvme/host/hwmon.c
++++ b/drivers/nvme/host/hwmon.c
+@@ -163,7 +163,9 @@ static umode_t nvme_hwmon_is_visible(const void *_data,
+       case hwmon_temp_max:
+       case hwmon_temp_min:
+               if ((!channel && data->ctrl->wctemp) ||
+-                  (channel && data->log->temp_sensor[channel - 1])) {
++                  (channel && data->log->temp_sensor[channel - 1] &&
++                   !(data->ctrl->quirks &
++                     NVME_QUIRK_NO_SECONDARY_TEMP_THRESH))) {
+                       if (data->ctrl->quirks &
+                           NVME_QUIRK_NO_TEMP_THRESH_CHANGE)
+                               return 0444;
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 01d90424af534..3f82de6060ef7 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -149,6 +149,11 @@ enum nvme_quirks {
+        * Reports garbage in the namespace identifiers (eui64, nguid, uuid).
+        */
+       NVME_QUIRK_BOGUS_NID                    = (1 << 18),
++
++      /*
++       * No temperature thresholds for channels other than 0 (Composite).
++       */
++      NVME_QUIRK_NO_SECONDARY_TEMP_THRESH     = (1 << 19),
+ };
+ 
+ /*
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 3347e86b3c55f..1ec0ca40604aa 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3515,6 +3515,8 @@ static const struct pci_device_id nvme_id_table[] = {
+               .driver_data = NVME_QUIRK_NO_DEEPEST_PS, },
+       { PCI_DEVICE(0x2646, 0x2263),   /* KINGSTON A2000 NVMe SSD  */
+               .driver_data = NVME_QUIRK_NO_DEEPEST_PS, },
++      { PCI_DEVICE(0x2646, 0x5013),   /* Kingston KC3000, Kingston FURY Renegade */
++              .driver_data = NVME_QUIRK_NO_SECONDARY_TEMP_THRESH, },
+       { PCI_DEVICE(0x2646, 0x5018),   /* KINGSTON OM8SFP4xxxxP OS21012 NVMe SSD */
+               .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
+       { PCI_DEVICE(0x2646, 0x5016),   /* KINGSTON OM3PGP4xxxxP OS21011 NVMe SSD */
+-- 
+2.39.2
+

diff --git a/queue-6.1/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch b/queue-6.1/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch
new file mode 100644 (file)
index 0000000..3f06777
--- /dev/null
+++ b/queue-6.1/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch
@@ -0,0 +1,37 @@
+From 881c73828567d0beecd3b021759ac408ab9d3b53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 14:32:32 -0700
+Subject: nvme-pci: Add quirk for Teamgroup MP33 SSD
+
+From: Daniel Smith <dansmith@ds.gy>
+
+[ Upstream commit 0649728123cf6a5518e154b4e1735fc85ea4f55c ]
+
+Add a quirk for Teamgroup MP33 that reports duplicate ids for disk.
+
+Signed-off-by: Daniel Smith <dansmith@ds.gy>
+[kch: patch formatting]
+Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
+Tested-by: Daniel Smith <dansmith@ds.gy>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 1ec0ca40604aa..ba4903c86f7ff 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3558,6 +3558,8 @@ static const struct pci_device_id nvme_id_table[] = {
+               .driver_data = NVME_QUIRK_BOGUS_NID, },
+       { PCI_DEVICE(0x1e4b, 0x1602), /* HS-SSD-FUTURE 2048G  */
+               .driver_data = NVME_QUIRK_BOGUS_NID, },
++      { PCI_DEVICE(0x10ec, 0x5765), /* TEAMGROUP MP33 2TB SSD */
++              .driver_data = NVME_QUIRK_BOGUS_NID, },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061),
+               .driver_data = NVME_QUIRK_DMA_ADDRESS_BITS_48, },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0065),
+-- 
+2.39.2
+

diff --git a/queue-6.1/perf-ftrace-latency-remove-unnecessary-from-use-nsec.patch b/queue-6.1/perf-ftrace-latency-remove-unnecessary-from-use-nsec.patch
new file mode 100644 (file)
index 0000000..6d931d2
--- /dev/null
+++ b/queue-6.1/perf-ftrace-latency-remove-unnecessary-from-use-nsec.patch
@@ -0,0 +1,56 @@
+From 0cb73b4578d328f140bd98ddec8bc27cd77eeb5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 14:20:38 -0700
+Subject: perf ftrace latency: Remove unnecessary "--" from --use-nsec option
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 8d73259ef23f449329294dc187932f7470268126 ]
+
+The option name should not have the dashes.  Current version shows four
+dashes for the option.
+
+  $ perf ftrace latency -h
+
+   Usage: perf ftrace [<options>] [<command>]
+      or: perf ftrace [<options>] -- [<command>] [<options>]
+      or: perf ftrace {trace|latency} [<options>] [<command>]
+      or: perf ftrace {trace|latency} [<options>] -- [<command>] [<options>]
+
+      -b, --use-bpf         Use BPF to measure function latency
+      -n, ----use-nsec      Use nano-second histogram
+      -T, --trace-funcs <func>
+                            Show latency of given function
+
+Fixes: 84005bb6148618cc ("perf ftrace latency: Add -n/--use-nsec option")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Changbin Du <changbin.du@huawei.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20230525212038.3535851-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
+index 4bc5b7cf3e04b..1d40f9bcb63bc 100644
+--- a/tools/perf/builtin-ftrace.c
++++ b/tools/perf/builtin-ftrace.c
+@@ -1175,7 +1175,7 @@ int cmd_ftrace(int argc, const char **argv)
+       OPT_BOOLEAN('b', "use-bpf", &ftrace.target.use_bpf,
+                   "Use BPF to measure function latency"),
+ #endif
+-      OPT_BOOLEAN('n', "--use-nsec", &ftrace.use_nsec,
++      OPT_BOOLEAN('n', "use-nsec", &ftrace.use_nsec,
+                   "Use nano-second histogram"),
+       OPT_PARENT(common_options),
+       };
+-- 
+2.39.2
+

diff --git a/queue-6.1/phy-amlogic-phy-meson-g12a-mipi-dphy-analog-fix-cntl.patch b/queue-6.1/phy-amlogic-phy-meson-g12a-mipi-dphy-analog-fix-cntl.patch
new file mode 100644 (file)
index 0000000..82cddcf
--- /dev/null
+++ b/queue-6.1/phy-amlogic-phy-meson-g12a-mipi-dphy-analog-fix-cntl.patch
@@ -0,0 +1,38 @@
+From d84a043094e8f44575c718fa338fc0fba284ba77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 15:11:41 +0200
+Subject: phy: amlogic: phy-meson-g12a-mipi-dphy-analog: fix CNTL2_DIF_TX_CTL0
+ value
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit b949193011540bb17cf1da7795ec42af1b875203 ]
+
+Use the same CNTL2_DIF_TX_CTL0 value used by the vendor, it was reported
+fixing timings issues.
+
+Fixes: 2a56dc650e54 ("phy: amlogic: Add G12A Analog MIPI D-PHY driver")
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20230512-amlogic-v6-4-upstream-dsi-ccf-vim3-v4-10-2592c29ea263@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c b/drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c
+index c14089fa7db49..cabdddbbabfd7 100644
+--- a/drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c
++++ b/drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c
+@@ -70,7 +70,7 @@ static int phy_g12a_mipi_dphy_analog_power_on(struct phy *phy)
+                    HHI_MIPI_CNTL1_BANDGAP);
+ 
+       regmap_write(priv->regmap, HHI_MIPI_CNTL2,
+-                   FIELD_PREP(HHI_MIPI_CNTL2_DIF_TX_CTL0, 0x459) |
++                   FIELD_PREP(HHI_MIPI_CNTL2_DIF_TX_CTL0, 0x45a) |
+                    FIELD_PREP(HHI_MIPI_CNTL2_DIF_TX_CTL1, 0x2680));
+ 
+       reg = DSI_LANE_CLK;
+-- 
+2.39.2
+

diff --git a/queue-6.1/platform-mellanox-fix-potential-race-in-mlxbf-tmfifo.patch b/queue-6.1/platform-mellanox-fix-potential-race-in-mlxbf-tmfifo.patch
new file mode 100644 (file)
index 0000000..195c5f3
--- /dev/null
+++ b/queue-6.1/platform-mellanox-fix-potential-race-in-mlxbf-tmfifo.patch
@@ -0,0 +1,65 @@
+From b632cc20b54b15f0a6b0d94d569ae9d522c2178f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Apr 2023 10:23:44 -0400
+Subject: platform/mellanox: fix potential race in mlxbf-tmfifo driver
+
+From: Liming Sun <limings@nvidia.com>
+
+[ Upstream commit 3d43f9f639542fadfb28f40b509bf147a6624d48 ]
+
+This commit adds memory barrier for the 'vq' update in function
+mlxbf_tmfifo_virtio_find_vqs() to avoid potential race due to
+out-of-order memory write. It also adds barrier for the 'is_ready'
+flag to make sure the initializations are visible before this flag
+is checked.
+
+Signed-off-by: Liming Sun <limings@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/b98c0ab61d644ba38fa9b3fd1607b138b0dd820b.1682518748.git.limings@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index 1ae3c56b66b09..b2e19f30a928b 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -765,7 +765,7 @@ static void mlxbf_tmfifo_rxtx(struct mlxbf_tmfifo_vring *vring, bool is_rx)
+       fifo = vring->fifo;
+ 
+       /* Return if vdev is not ready. */
+-      if (!fifo->vdev[devid])
++      if (!fifo || !fifo->vdev[devid])
+               return;
+ 
+       /* Return if another vring is running. */
+@@ -961,9 +961,13 @@ static int mlxbf_tmfifo_virtio_find_vqs(struct virtio_device *vdev,
+ 
+               vq->num_max = vring->num;
+ 
++              vq->priv = vring;
++
++              /* Make vq update visible before using it. */
++              virtio_mb(false);
++
+               vqs[i] = vq;
+               vring->vq = vq;
+-              vq->priv = vring;
+       }
+ 
+       return 0;
+@@ -1260,6 +1264,9 @@ static int mlxbf_tmfifo_probe(struct platform_device *pdev)
+ 
+       mod_timer(&fifo->timer, jiffies + MLXBF_TMFIFO_TIMER_INTERVAL);
+ 
++      /* Make all updates visible before setting the 'is_ready' flag. */
++      virtio_mb(false);
++
+       fifo->is_ready = true;
+       return 0;
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch b/queue-6.1/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch
new file mode 100644 (file)
index 0000000..19e8b92
--- /dev/null
+++ b/queue-6.1/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch
@@ -0,0 +1,39 @@
+From 1d1af536228e5ae7b4655bfb12a45324a11819af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Apr 2023 17:49:32 +0200
+Subject: platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield
+
+From: Julian Winkler <julian.winkler1@web.de>
+
+[ Upstream commit 4a9b6850c794e4394cad99e2b863d75f5bc8e92f ]
+
+This id was removed in commit b47018a778c1 ("platform/x86: intel_scu_ipc:
+Remove Lincroft support"), saying it is only used on Moorestown,
+but apparently the same id is also used on Medfield.
+
+Tested on the Medfield based Motorola RAZR i smartphone.
+
+Signed-off-by: Julian Winkler <julian.winkler1@web.de>
+Link: https://lore.kernel.org/r/20230416154932.6579-1-julian.winkler1@web.de
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_pcidrv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/intel_scu_pcidrv.c b/drivers/platform/x86/intel_scu_pcidrv.c
+index 80abc708e4f2f..d904fad499aa5 100644
+--- a/drivers/platform/x86/intel_scu_pcidrv.c
++++ b/drivers/platform/x86/intel_scu_pcidrv.c
+@@ -34,6 +34,7 @@ static int intel_scu_pci_probe(struct pci_dev *pdev,
+ 
+ static const struct pci_device_id pci_ids[] = {
+       { PCI_VDEVICE(INTEL, 0x080e) },
++      { PCI_VDEVICE(INTEL, 0x082a) },
+       { PCI_VDEVICE(INTEL, 0x08ea) },
+       { PCI_VDEVICE(INTEL, 0x0a94) },
+       { PCI_VDEVICE(INTEL, 0x11a0) },
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-bnxt_re-fix-a-possible-memory-leak.patch b/queue-6.1/rdma-bnxt_re-fix-a-possible-memory-leak.patch
new file mode 100644 (file)
index 0000000..ba92d65
--- /dev/null
+++ b/queue-6.1/rdma-bnxt_re-fix-a-possible-memory-leak.patch
@@ -0,0 +1,59 @@
+From f777e3e19646c0ba22864613a28461e412388fa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 May 2023 01:10:59 -0700
+Subject: RDMA/bnxt_re: Fix a possible memory leak
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 349e3c0cf239cc01d58a1e6c749e171de014cd6a ]
+
+Inside bnxt_qplib_create_cq(), when the check for NULL DPI fails, driver
+returns directly without freeing the memory allocated inside
+bnxt_qplib_alloc_init_hwq() routine.
+
+Fixed this by moving the check for NULL DPI before invoking
+bnxt_qplib_alloc_init_hwq().
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://lore.kernel.org/r/1684397461-23082-2-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 96e581ced50e2..ab2cc1c67f70b 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -2043,6 +2043,12 @@ int bnxt_qplib_create_cq(struct bnxt_qplib_res *res, struct bnxt_qplib_cq *cq)
+       u32 pg_sz_lvl;
+       int rc;
+ 
++      if (!cq->dpi) {
++              dev_err(&rcfw->pdev->dev,
++                      "FP: CREATE_CQ failed due to NULL DPI\n");
++              return -EINVAL;
++      }
++
+       hwq_attr.res = res;
+       hwq_attr.depth = cq->max_wqe;
+       hwq_attr.stride = sizeof(struct cq_base);
+@@ -2054,11 +2060,6 @@ int bnxt_qplib_create_cq(struct bnxt_qplib_res *res, struct bnxt_qplib_cq *cq)
+ 
+       RCFW_CMD_PREP(req, CREATE_CQ, cmd_flags);
+ 
+-      if (!cq->dpi) {
+-              dev_err(&rcfw->pdev->dev,
+-                      "FP: CREATE_CQ failed due to NULL DPI\n");
+-              return -EINVAL;
+-      }
+       req.dpi = cpu_to_le32(cq->dpi->dpi);
+       req.cq_handle = cpu_to_le64(cq->cq_handle);
+       req.cq_size = cpu_to_le32(cq->hwq.max_elements);
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch b/queue-6.1/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch
new file mode 100644 (file)
index 0000000..ba0c6ae
--- /dev/null
+++ b/queue-6.1/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch
@@ -0,0 +1,42 @@
+From 5f6f23d87e63fb4b8bd587b406266c6a59082d69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 May 2023 01:11:00 -0700
+Subject: RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 0fa0d520e2a878cb4c94c4dc84395905d3f14f54 ]
+
+bnxt_re_process_raw_qp_pkt_rx() always return 0 and ignores the return
+value of bnxt_re_post_send_shadow_qp().
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://lore.kernel.org/r/1684397461-23082-3-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Hongguang Gao <hongguang.gao@broadcom.com>
+Reviewed-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 989edc7896338..94222de1d3719 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -3241,9 +3241,7 @@ static int bnxt_re_process_raw_qp_pkt_rx(struct bnxt_re_qp *gsi_qp,
+       udwr.remote_qkey = gsi_sqp->qplib_qp.qkey;
+ 
+       /* post data received  in the send queue */
+-      rc = bnxt_re_post_send_shadow_qp(rdev, gsi_sqp, swr);
+-
+-      return 0;
++      return bnxt_re_post_send_shadow_qp(rdev, gsi_sqp, swr);
+ }
+ 
+ static void bnxt_re_process_res_rawqp1_wc(struct ib_wc *wc,
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch b/queue-6.1/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch
new file mode 100644 (file)
index 0000000..7b64d1a
--- /dev/null
+++ b/queue-6.1/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch
@@ -0,0 +1,83 @@
+From 37bdfd0e8770feb7e11850546b3eac08b87ee854 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 May 2023 11:29:29 -0700
+Subject: RDMA/bnxt_re: Fix the page_size used during the MR creation
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit 08c7f09356e45d093d1867c7a3c6ac6526e2f98b ]
+
+Driver populates the list of pages used for Memory region wrongly when
+page size is more than system page size. This is causing a failure when
+some of the applications that creates MR with page size as 2M.  Since HW
+can support multiple page sizes, pass the correct page size while creating
+the MR.
+
+Also, driver need not adjust the number of pages when HW Queues are
+created with user memory. It should work with the number of dma blocks
+returned by ib_umem_num_dma_blocks. Fix this calculation also.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Fixes: f6919d56388c ("RDMA/bnxt_re: Code refactor while populating user MRs")
+Link: https://lore.kernel.org/r/1683484169-9539-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 12 ++----------
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c  |  7 +++----
+ 2 files changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 126d4f26f75ad..81b0c5e879f9e 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -215,17 +215,9 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       return -EINVAL;
+               hwq_attr->sginfo->npages = npages;
+       } else {
+-              unsigned long sginfo_num_pages = ib_umem_num_dma_blocks(
+-                      hwq_attr->sginfo->umem, hwq_attr->sginfo->pgsize);
+-
++              npages = ib_umem_num_dma_blocks(hwq_attr->sginfo->umem,
++                                              hwq_attr->sginfo->pgsize);
+               hwq->is_user = true;
+-              npages = sginfo_num_pages;
+-              npages = (npages * PAGE_SIZE) /
+-                        BIT_ULL(hwq_attr->sginfo->pgshft);
+-              if ((sginfo_num_pages * PAGE_SIZE) %
+-                   BIT_ULL(hwq_attr->sginfo->pgshft))
+-                      if (!npages)
+-                              npages++;
+       }
+ 
+       if (npages == MAX_PBL_LVL_0_PGS && !hwq_attr->sginfo->nopte) {
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index b802981b71716..bae7d89261439 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -584,16 +584,15 @@ int bnxt_qplib_reg_mr(struct bnxt_qplib_res *res, struct bnxt_qplib_mrw *mr,
+               /* Free the hwq if it already exist, must be a rereg */
+               if (mr->hwq.max_elements)
+                       bnxt_qplib_free_hwq(res, &mr->hwq);
+-              /* Use system PAGE_SIZE */
+               hwq_attr.res = res;
+               hwq_attr.depth = pages;
+-              hwq_attr.stride = buf_pg_size;
++              hwq_attr.stride = sizeof(dma_addr_t);
+               hwq_attr.type = HWQ_TYPE_MR;
+               hwq_attr.sginfo = &sginfo;
+               hwq_attr.sginfo->umem = umem;
+               hwq_attr.sginfo->npages = pages;
+-              hwq_attr.sginfo->pgsize = PAGE_SIZE;
+-              hwq_attr.sginfo->pgshft = PAGE_SHIFT;
++              hwq_attr.sginfo->pgsize = buf_pg_size;
++              hwq_attr.sginfo->pgshft = ilog2(buf_pg_size);
+               rc = bnxt_qplib_alloc_init_hwq(&mr->hwq, &hwq_attr);
+               if (rc) {
+                       dev_err(&res->pdev->dev,
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-efa-fix-unsupported-page-sizes-in-device.patch b/queue-6.1/rdma-efa-fix-unsupported-page-sizes-in-device.patch
new file mode 100644 (file)
index 0000000..7b09045
--- /dev/null
+++ b/queue-6.1/rdma-efa-fix-unsupported-page-sizes-in-device.patch
@@ -0,0 +1,42 @@
+From 0deb3b84b63182183a88c3ec2e593a4cdff8b5b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 11:51:03 +0000
+Subject: RDMA/efa: Fix unsupported page sizes in device
+
+From: Yonatan Nachum <ynachum@amazon.com>
+
+[ Upstream commit 866422cdddcdf59d8c68e9472d49ba1be29b5fcf ]
+
+Device uses 4KB size blocks for user pages indirect list while the
+driver creates those blocks with the size of PAGE_SIZE of the kernel. On
+kernels with PAGE_SIZE different than 4KB (ARM RHEL), this leads to a
+failure on register MR with indirect list because of the miss
+communication between driver and device.
+
+Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
+Link: https://lore.kernel.org/r/20230511115103.13876-1-ynachum@amazon.com
+Reviewed-by: Firas Jahjah <firasj@amazon.com>
+Reviewed-by: Michael Margolin <mrgolin@amazon.com>
+Signed-off-by: Yonatan Nachum <ynachum@amazon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index 31454643f8c54..f9526a4c75b26 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -1397,7 +1397,7 @@ static int pbl_continuous_initialize(struct efa_dev *dev,
+  */
+ static int pbl_indirect_initialize(struct efa_dev *dev, struct pbl_context *pbl)
+ {
+-      u32 size_in_pages = DIV_ROUND_UP(pbl->pbl_buf_size_in_bytes, PAGE_SIZE);
++      u32 size_in_pages = DIV_ROUND_UP(pbl->pbl_buf_size_in_bytes, EFA_CHUNK_PAYLOAD_SIZE);
+       struct scatterlist *sgl;
+       int sg_dma_cnt, err;
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-hns-fix-base-address-table-allocation.patch b/queue-6.1/rdma-hns-fix-base-address-table-allocation.patch
new file mode 100644 (file)
index 0000000..4b050b5
--- /dev/null
+++ b/queue-6.1/rdma-hns-fix-base-address-table-allocation.patch
@@ -0,0 +1,103 @@
+From c060a112cfe8fd646a0718b59f090713f7b28aa7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 17:22:44 +0800
+Subject: RDMA/hns: Fix base address table allocation
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 7f3969b14f356dd65fa95b3528eb05c32e68bc06 ]
+
+For hns, the specification of an entry like resource (E.g. WQE/CQE/EQE)
+depends on BT page size, buf page size and hopnum. For user mode, the buf
+page size depends on UMEM. Therefore, the actual specification is
+controlled by BT page size and hopnum.
+
+The current BT page size and hopnum are obtained from firmware. This makes
+the driver inflexible and introduces unnecessary constraints.  Resource
+allocation failures occur in many scenarios.
+
+This patch will calculate whether the BT page size set by firmware is
+sufficient before allocating BT, and increase the BT page size if it is
+insufficient.
+
+Fixes: 1133401412a9 ("RDMA/hns: Optimize base address table config flow for qp buffer")
+Link: https://lore.kernel.org/r/20230512092245.344442-3-huangjunxian6@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 43 +++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
+index 37a5cf62f88b4..14376490ac226 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -33,6 +33,7 @@
+ 
+ #include <linux/vmalloc.h>
+ #include <rdma/ib_umem.h>
++#include <linux/math.h>
+ #include "hns_roce_device.h"
+ #include "hns_roce_cmd.h"
+ #include "hns_roce_hem.h"
+@@ -909,6 +910,44 @@ static int mtr_init_buf_cfg(struct hns_roce_dev *hr_dev,
+       return page_cnt;
+ }
+ 
++static u64 cal_pages_per_l1ba(unsigned int ba_per_bt, unsigned int hopnum)
++{
++      return int_pow(ba_per_bt, hopnum - 1);
++}
++
++static unsigned int cal_best_bt_pg_sz(struct hns_roce_dev *hr_dev,
++                                    struct hns_roce_mtr *mtr,
++                                    unsigned int pg_shift)
++{
++      unsigned long cap = hr_dev->caps.page_size_cap;
++      struct hns_roce_buf_region *re;
++      unsigned int pgs_per_l1ba;
++      unsigned int ba_per_bt;
++      unsigned int ba_num;
++      int i;
++
++      for_each_set_bit_from(pg_shift, &cap, sizeof(cap) * BITS_PER_BYTE) {
++              if (!(BIT(pg_shift) & cap))
++                      continue;
++
++              ba_per_bt = BIT(pg_shift) / BA_BYTE_LEN;
++              ba_num = 0;
++              for (i = 0; i < mtr->hem_cfg.region_count; i++) {
++                      re = &mtr->hem_cfg.region[i];
++                      if (re->hopnum == 0)
++                              continue;
++
++                      pgs_per_l1ba = cal_pages_per_l1ba(ba_per_bt, re->hopnum);
++                      ba_num += DIV_ROUND_UP(re->count, pgs_per_l1ba);
++              }
++
++              if (ba_num <= ba_per_bt)
++                      return pg_shift;
++      }
++
++      return 0;
++}
++
+ static int mtr_alloc_mtt(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+                        unsigned int ba_page_shift)
+ {
+@@ -917,6 +956,10 @@ static int mtr_alloc_mtt(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+ 
+       hns_roce_hem_list_init(&mtr->hem_list);
+       if (!cfg->is_direct) {
++              ba_page_shift = cal_best_bt_pg_sz(hr_dev, mtr, ba_page_shift);
++              if (!ba_page_shift)
++                      return -ERANGE;
++
+               ret = hns_roce_hem_list_request(hr_dev, &mtr->hem_list,
+                                               cfg->region, cfg->region_count,
+                                               ba_page_shift);
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-hns-fix-timeout-attr-in-query-qp-for-hip08.patch b/queue-6.1/rdma-hns-fix-timeout-attr-in-query-qp-for-hip08.patch
new file mode 100644 (file)
index 0000000..82ad9e5
--- /dev/null
+++ b/queue-6.1/rdma-hns-fix-timeout-attr-in-query-qp-for-hip08.patch
@@ -0,0 +1,100 @@
+From 880f7527c5df89b022fdfca4cfe482c9f980e0d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 17:22:43 +0800
+Subject: RDMA/hns: Fix timeout attr in query qp for HIP08
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 58caa2a51ad4fd21763696cc6c4defc9fc1b4b4f ]
+
+On HIP08, the queried timeout attr is different from the timeout attr
+configured by the user.
+
+It is found by rdma-core testcase test_rdmacm_async_traffic:
+
+======================================================================
+FAIL: test_rdmacm_async_traffic (tests.test_rdmacm.CMTestCase)
+----------------------------------------------------------------------
+Traceback (most recent call last):
+  File "./tests/test_rdmacm.py", line 33, in test_rdmacm_async_traffic
+    self.two_nodes_rdmacm_traffic(CMAsyncConnection, self.rdmacm_traffic,
+  File "./tests/base.py", line 382, in two_nodes_rdmacm_traffic
+    raise(res)
+AssertionError
+
+Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC")
+Link: https://lore.kernel.org/r/20230512092245.344442-2-huangjunxian6@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 17 ++++++++++++++---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h |  2 ++
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index b2421883993b1..7a5bfe6a9115f 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -5136,7 +5136,6 @@ static int hns_roce_v2_set_abs_fields(struct ib_qp *ibqp,
+ static bool check_qp_timeout_cfg_range(struct hns_roce_dev *hr_dev, u8 *timeout)
+ {
+ #define QP_ACK_TIMEOUT_MAX_HIP08 20
+-#define QP_ACK_TIMEOUT_OFFSET 10
+ #define QP_ACK_TIMEOUT_MAX 31
+ 
+       if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
+@@ -5145,7 +5144,7 @@ static bool check_qp_timeout_cfg_range(struct hns_roce_dev *hr_dev, u8 *timeout)
+                                  "local ACK timeout shall be 0 to 20.\n");
+                       return false;
+               }
+-              *timeout += QP_ACK_TIMEOUT_OFFSET;
++              *timeout += HNS_ROCE_V2_QP_ACK_TIMEOUT_OFS_HIP08;
+       } else if (hr_dev->pci_dev->revision > PCI_REVISION_ID_HIP08) {
+               if (*timeout > QP_ACK_TIMEOUT_MAX) {
+                       ibdev_warn(&hr_dev->ib_dev,
+@@ -5431,6 +5430,18 @@ static int hns_roce_v2_query_qpc(struct hns_roce_dev *hr_dev, u32 qpn,
+       return ret;
+ }
+ 
++static u8 get_qp_timeout_attr(struct hns_roce_dev *hr_dev,
++                            struct hns_roce_v2_qp_context *context)
++{
++      u8 timeout;
++
++      timeout = (u8)hr_reg_read(context, QPC_AT);
++      if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
++              timeout -= HNS_ROCE_V2_QP_ACK_TIMEOUT_OFS_HIP08;
++
++      return timeout;
++}
++
+ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+                               int qp_attr_mask,
+                               struct ib_qp_init_attr *qp_init_attr)
+@@ -5508,7 +5519,7 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+       qp_attr->max_dest_rd_atomic = 1 << hr_reg_read(&context, QPC_RR_MAX);
+ 
+       qp_attr->min_rnr_timer = (u8)hr_reg_read(&context, QPC_MIN_RNR_TIME);
+-      qp_attr->timeout = (u8)hr_reg_read(&context, QPC_AT);
++      qp_attr->timeout = get_qp_timeout_attr(hr_dev, &context);
+       qp_attr->retry_cnt = hr_reg_read(&context, QPC_RETRY_NUM_INIT);
+       qp_attr->rnr_retry = hr_reg_read(&context, QPC_RNR_NUM_INIT);
+ 
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index b1b3e1e0b84e5..2b4dbbb06eb56 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -72,6 +72,8 @@
+ #define HNS_ROCE_V2_IDX_ENTRY_SZ              4
+ 
+ #define HNS_ROCE_V2_SCCC_SZ                   32
++#define HNS_ROCE_V2_QP_ACK_TIMEOUT_OFS_HIP08    10
++
+ #define HNS_ROCE_V3_SCCC_SZ                   64
+ #define HNS_ROCE_V3_GMV_ENTRY_SZ              32
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-hns-modify-the-value-of-long-message-loopback-s.patch b/queue-6.1/rdma-hns-modify-the-value-of-long-message-loopback-s.patch
new file mode 100644 (file)
index 0000000..1fd889a
--- /dev/null
+++ b/queue-6.1/rdma-hns-modify-the-value-of-long-message-loopback-s.patch
@@ -0,0 +1,61 @@
+From ff075a80e8f66dbf31d08d112f0313afa689bc01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 17:22:45 +0800
+Subject: RDMA/hns: Modify the value of long message loopback slice
+
+From: Yangyang Li <liyangyang20@huawei.com>
+
+[ Upstream commit 56518a603fd2bf74762d176ac980572db84a3e14 ]
+
+Long message loopback slice is used for achieving traffic balance between
+QPs. It prevents the problem that QPs with large traffic occupying the
+hardware pipeline for a long time and QPs with small traffic cannot be
+scheduled.
+
+Currently, its maximum value is set to 16K, which means only after a QP
+sends 16K will the second QP be scheduled. This value is too large, which
+will lead to unbalanced traffic scheduling, and thus it needs to be
+modified.
+
+The setting range of the long message loopback slice is modified to be
+from 1024 (the lower limit supported by hardware) to mtu. Actual testing
+shows that this value can significantly reduce error in hardware traffic
+scheduling.
+
+This solution is compatible with both HIP08 and HIP09. The modified
+lp_pktn_ini has a maximum value of 2 (when mtu is 256), so the range
+checking code for lp_pktn_ini is no longer necessary and needs to be
+deleted.
+
+Fixes: 0e60778efb07 ("RDMA/hns: Modify the value of MAX_LP_MSG_LEN to meet hardware compatibility")
+Link: https://lore.kernel.org/r/20230512092245.344442-4-huangjunxian6@hisilicon.com
+Signed-off-by: Yangyang Li <liyangyang20@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 7a5bfe6a9115f..34a270b6891a9 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -4728,11 +4728,9 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp,
+       mtu = ib_mtu_enum_to_int(ib_mtu);
+       if (WARN_ON(mtu <= 0))
+               return -EINVAL;
+-#define MAX_LP_MSG_LEN 16384
+-      /* MTU * (2 ^ LP_PKTN_INI) shouldn't be bigger than 16KB */
+-      lp_pktn_ini = ilog2(MAX_LP_MSG_LEN / mtu);
+-      if (WARN_ON(lp_pktn_ini >= 0xF))
+-              return -EINVAL;
++#define MIN_LP_MSG_LEN 1024
++      /* mtu * (2 ^ lp_pktn_ini) should be in the range of 1024 to mtu */
++      lp_pktn_ini = ilog2(max(mtu, MIN_LP_MSG_LEN) / mtu);
+ 
+       if (attr_mask & IB_QP_PATH_MTU) {
+               hr_reg_write(context, QPC_MTU, ib_mtu);
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-irdma-fix-local-invalidate-fencing.patch b/queue-6.1/rdma-irdma-fix-local-invalidate-fencing.patch
new file mode 100644 (file)
index 0000000..1a26913
--- /dev/null
+++ b/queue-6.1/rdma-irdma-fix-local-invalidate-fencing.patch
@@ -0,0 +1,38 @@
+From 39b9c187d96a0896fa5df51a135f4e18023e02d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 10:56:54 -0500
+Subject: RDMA/irdma: Fix Local Invalidate fencing
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 5842d1d9c1b0d17e0c29eae65ae1f245f83682dd ]
+
+If the local invalidate fence is indicated in the WR, only the read fence
+is currently being set in WQE. Fix this to set both the read and local
+fence in the WQE.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Link: https://lore.kernel.org/r/20230522155654.1309-4-shiraz.saleem@intel.com
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index 1c5a61f51a67a..6a8bb6ed4bf43 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3191,6 +3191,7 @@ static int irdma_post_send(struct ib_qp *ibqp,
+                       break;
+               case IB_WR_LOCAL_INV:
+                       info.op_type = IRDMA_OP_TYPE_INV_STAG;
++                      info.local_fence = info.read_fence;
+                       info.op.inv_local_stag.target_stag = ib_wr->ex.invalidate_rkey;
+                       err = irdma_uk_stag_local_invalidate(ukqp, &info, true);
+                       break;
+-- 
+2.39.2
+

diff --git a/queue-6.1/rdma-irdma-prevent-qp-use-after-free.patch b/queue-6.1/rdma-irdma-prevent-qp-use-after-free.patch
new file mode 100644 (file)
index 0000000..37e2123
--- /dev/null
+++ b/queue-6.1/rdma-irdma-prevent-qp-use-after-free.patch
@@ -0,0 +1,57 @@
+From 95857f375f4800d9aa3fa79bf5b2a825919f7f44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 10:56:53 -0500
+Subject: RDMA/irdma: Prevent QP use after free
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit c8f304d75f6c6cc679a73f89591f9a915da38f09 ]
+
+There is a window where the poll cq may use a QP that has been freed.
+This can happen if a CQE is polled before irdma_clean_cqes() can clear the
+CQE's related to the QP and the destroy QP races to free the QP memory.
+then the QP structures are used in irdma_poll_cq.  Fix this by moving the
+clearing of CQE's before the reference is removed and the QP is destroyed.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Link: https://lore.kernel.org/r/20230522155654.1309-3-shiraz.saleem@intel.com
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index f6973ea55eda7..1c5a61f51a67a 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -522,11 +522,6 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
+       if (!iwqp->user_mode)
+               cancel_delayed_work_sync(&iwqp->dwork_flush);
+ 
+-      irdma_qp_rem_ref(&iwqp->ibqp);
+-      wait_for_completion(&iwqp->free_qp);
+-      irdma_free_lsmm_rsrc(iwqp);
+-      irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
+-
+       if (!iwqp->user_mode) {
+               if (iwqp->iwscq) {
+                       irdma_clean_cqes(iwqp, iwqp->iwscq);
+@@ -534,6 +529,12 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
+                               irdma_clean_cqes(iwqp, iwqp->iwrcq);
+               }
+       }
++
++      irdma_qp_rem_ref(&iwqp->ibqp);
++      wait_for_completion(&iwqp->free_qp);
++      irdma_free_lsmm_rsrc(iwqp);
++      irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
++
+       irdma_remove_push_mmap_entries(iwqp);
+       irdma_free_qp_rsrc(iwqp);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch b/queue-6.1/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch
new file mode 100644 (file)
index 0000000..5c8b5d3
--- /dev/null
+++ b/queue-6.1/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch
@@ -0,0 +1,49 @@
+From ecf4773a2785fabb7385820690621e7ac8e67b81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 15:13:11 +0200
+Subject: riscv: Fix unused variable warning when BUILTIN_DTB is set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+[ Upstream commit 33d418da6f476b15e4510e0a590062583f63cd36 ]
+
+commit ef69d2559fe9 ("riscv: Move early dtb mapping into the fixmap
+region") wrongly moved the #ifndef CONFIG_BUILTIN_DTB surrounding the pa
+variable definition in create_fdt_early_page_table(), so move it back to
+its right place to quiet the following warning:
+
+../arch/riscv/mm/init.c: In function ‘create_fdt_early_page_table’:
+../arch/riscv/mm/init.c:925:12: warning: unused variable ‘pa’ [-Wunused-variable]
+  925 |  uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1);
+
+Fixes: ef69d2559fe9 ("riscv: Move early dtb mapping into the fixmap region")
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20230519131311.391960-1-alexghiti@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
+index 6315a3c942259..2b9906ed2d1d1 100644
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -845,9 +845,9 @@ static void __init create_kernel_page_table(pgd_t *pgdir, bool early)
+ static void __init create_fdt_early_page_table(uintptr_t fix_fdt_va,
+                                              uintptr_t dtb_pa)
+ {
++#ifndef CONFIG_BUILTIN_DTB
+       uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1);
+ 
+-#ifndef CONFIG_BUILTIN_DTB
+       /* Make sure the fdt fixmap address is always aligned on PMD size */
+       BUILD_BUG_ON(FIX_FDT % (PMD_SIZE / PAGE_SIZE));
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/rtnetlink-add-the-missing-ifla_gro_-tb-check-in-vali.patch b/queue-6.1/rtnetlink-add-the-missing-ifla_gro_-tb-check-in-vali.patch
new file mode 100644 (file)
index 0000000..3166ee9
--- /dev/null
+++ b/queue-6.1/rtnetlink-add-the-missing-ifla_gro_-tb-check-in-vali.patch
@@ -0,0 +1,59 @@
+From 4e69ce98b1501f833b1cde2381fdfd81a52fdadf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 12:01:44 -0400
+Subject: rtnetlink: add the missing IFLA_GRO_ tb check in validate_linkmsg
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 65d6914e253f3d83b724a9bbfc889ae95711e512 ]
+
+This fixes the issue that dev gro_max_size and gso_ipv4_max_size
+can be set to a huge value:
+
+  # ip link add dummy1 type dummy
+  # ip link set dummy1 gro_max_size 4294967295
+  # ip -d link show dummy1
+    dummy addrgenmode eui64 ... gro_max_size 4294967295
+
+Fixes: 0fe79f28bfaf ("net: allow gro_max_size to exceed 65536")
+Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 99c1430cde345..91b50bdd848fe 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2396,11 +2396,23 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[],
+                       return -EINVAL;
+               }
+ 
++              if (tb[IFLA_GRO_MAX_SIZE] &&
++                  nla_get_u32(tb[IFLA_GRO_MAX_SIZE]) > GRO_MAX_SIZE) {
++                      NL_SET_ERR_MSG(extack, "too big gro_max_size");
++                      return -EINVAL;
++              }
++
+               if (tb[IFLA_GSO_IPV4_MAX_SIZE] &&
+                   nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]) > dev->tso_max_size) {
+                       NL_SET_ERR_MSG(extack, "too big gso_ipv4_max_size");
+                       return -EINVAL;
+               }
++
++              if (tb[IFLA_GRO_IPV4_MAX_SIZE] &&
++                  nla_get_u32(tb[IFLA_GRO_IPV4_MAX_SIZE]) > GRO_MAX_SIZE) {
++                      NL_SET_ERR_MSG(extack, "too big gro_ipv4_max_size");
++                      return -EINVAL;
++              }
+       }
+ 
+       if (tb[IFLA_AF_SPEC]) {
+-- 
+2.39.2
+

diff --git a/queue-6.1/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch b/queue-6.1/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch
new file mode 100644 (file)
index 0000000..863cc1b
--- /dev/null
+++ b/queue-6.1/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch
@@ -0,0 +1,64 @@
+From 2bad0d28d345a30d75037080916b13deaca88a3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 12:01:42 -0400
+Subject: rtnetlink: call validate_linkmsg in rtnl_create_link
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit b0ad3c179059089d809b477a1d445c1183a7b8fe ]
+
+validate_linkmsg() was introduced by commit 1840bb13c22f5b ("[RTNL]:
+Validate hardware and broadcast address attribute for RTM_NEWLINK")
+to validate tb[IFLA_ADDRESS/BROADCAST] for existing links. The same
+check should also be done for newly created links.
+
+This patch adds validate_linkmsg() call in rtnl_create_link(), to
+avoid the invalid address set when creating some devices like:
+
+  # ip link add dummy0 type dummy
+  # ip link add link dummy0 name mac0 address 01:02 type macsec
+
+Fixes: 0e06877c6fdb ("[RTNETLINK]: rtnl_link: allow specifying initial device address")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 74864dc46a7ef..b192c69f3936c 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3212,6 +3212,7 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname,
+       struct net_device *dev;
+       unsigned int num_tx_queues = 1;
+       unsigned int num_rx_queues = 1;
++      int err;
+ 
+       if (tb[IFLA_NUM_TX_QUEUES])
+               num_tx_queues = nla_get_u32(tb[IFLA_NUM_TX_QUEUES]);
+@@ -3247,13 +3248,18 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname,
+       if (!dev)
+               return ERR_PTR(-ENOMEM);
+ 
++      err = validate_linkmsg(dev, tb, extack);
++      if (err < 0) {
++              free_netdev(dev);
++              return ERR_PTR(err);
++      }
++
+       dev_net_set(dev, net);
+       dev->rtnl_link_ops = ops;
+       dev->rtnl_link_state = RTNL_LINK_INITIALIZING;
+ 
+       if (tb[IFLA_MTU]) {
+               u32 mtu = nla_get_u32(tb[IFLA_MTU]);
+-              int err;
+ 
+               err = dev_validate_mtu(dev, mtu, extack);
+               if (err) {
+-- 
+2.39.2
+

diff --git a/queue-6.1/rtnetlink-move-ifla_gso_-tb-check-to-validate_linkms.patch b/queue-6.1/rtnetlink-move-ifla_gso_-tb-check-to-validate_linkms.patch
new file mode 100644 (file)
index 0000000..b809d33
--- /dev/null
+++ b/queue-6.1/rtnetlink-move-ifla_gso_-tb-check-to-validate_linkms.patch
@@ -0,0 +1,95 @@
+From c7415cb989a51dbb899bea64f3d7f26971e1e018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 12:01:43 -0400
+Subject: rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit fef5b228dd38378148bc850f7e69a7783f3b95a4 ]
+
+These IFLA_GSO_* tb check should also be done for the new created link,
+otherwise, they can be set to a huge value when creating links:
+
+  # ip link add dummy1 gso_max_size 4294967295 type dummy
+  # ip -d link show dummy1
+    dummy addrgenmode eui64 ... gso_max_size 4294967295
+
+Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
+Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 027275235858b..99c1430cde345 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2382,6 +2382,25 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[],
+               if (tb[IFLA_BROADCAST] &&
+                   nla_len(tb[IFLA_BROADCAST]) < dev->addr_len)
+                       return -EINVAL;
++
++              if (tb[IFLA_GSO_MAX_SIZE] &&
++                  nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) > dev->tso_max_size) {
++                      NL_SET_ERR_MSG(extack, "too big gso_max_size");
++                      return -EINVAL;
++              }
++
++              if (tb[IFLA_GSO_MAX_SEGS] &&
++                  (nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > GSO_MAX_SEGS ||
++                   nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > dev->tso_max_segs)) {
++                      NL_SET_ERR_MSG(extack, "too big gso_max_segs");
++                      return -EINVAL;
++              }
++
++              if (tb[IFLA_GSO_IPV4_MAX_SIZE] &&
++                  nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]) > dev->tso_max_size) {
++                      NL_SET_ERR_MSG(extack, "too big gso_ipv4_max_size");
++                      return -EINVAL;
++              }
+       }
+ 
+       if (tb[IFLA_AF_SPEC]) {
+@@ -2855,11 +2874,6 @@ static int do_setlink(const struct sk_buff *skb,
+       if (tb[IFLA_GSO_MAX_SIZE]) {
+               u32 max_size = nla_get_u32(tb[IFLA_GSO_MAX_SIZE]);
+ 
+-              if (max_size > dev->tso_max_size) {
+-                      err = -EINVAL;
+-                      goto errout;
+-              }
+-
+               if (dev->gso_max_size ^ max_size) {
+                       netif_set_gso_max_size(dev, max_size);
+                       status |= DO_SETLINK_MODIFIED;
+@@ -2869,11 +2883,6 @@ static int do_setlink(const struct sk_buff *skb,
+       if (tb[IFLA_GSO_MAX_SEGS]) {
+               u32 max_segs = nla_get_u32(tb[IFLA_GSO_MAX_SEGS]);
+ 
+-              if (max_segs > GSO_MAX_SEGS || max_segs > dev->tso_max_segs) {
+-                      err = -EINVAL;
+-                      goto errout;
+-              }
+-
+               if (dev->gso_max_segs ^ max_segs) {
+                       netif_set_gso_max_segs(dev, max_segs);
+                       status |= DO_SETLINK_MODIFIED;
+@@ -2892,11 +2901,6 @@ static int do_setlink(const struct sk_buff *skb,
+       if (tb[IFLA_GSO_IPV4_MAX_SIZE]) {
+               u32 max_size = nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]);
+ 
+-              if (max_size > dev->tso_max_size) {
+-                      err = -EINVAL;
+-                      goto errout;
+-              }
+-
+               if (dev->gso_ipv4_max_size ^ max_size) {
+                       netif_set_gso_ipv4_max_size(dev, max_size);
+                       status |= DO_SETLINK_MODIFIED;
+-- 
+2.39.2
+

diff --git a/queue-6.1/s390-pkey-zeroize-key-blobs.patch b/queue-6.1/s390-pkey-zeroize-key-blobs.patch
new file mode 100644 (file)
index 0000000..7a2c8e6
--- /dev/null
+++ b/queue-6.1/s390-pkey-zeroize-key-blobs.patch
@@ -0,0 +1,52 @@
+From 668cf9706432ecc8c2a27fbde96fa950bffd7a96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Apr 2023 14:34:10 +0200
+Subject: s390/pkey: zeroize key blobs
+
+From: Holger Dengler <dengler@linux.ibm.com>
+
+[ Upstream commit 844cf829e5f33e00b279230470c8c93b58b8c16f ]
+
+Key blobs for the IOCTLs PKEY_KBLOB2PROTK[23] may contain clear key
+material. Zeroize the copies of these keys in kernel memory after
+creating the protected key.
+
+Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/pkey_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
+index 5a05d1cdfec20..a8def50c149bd 100644
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -1293,6 +1293,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+                       return PTR_ERR(kkey);
+               rc = pkey_keyblob2pkey(kkey, ktp.keylen, &ktp.protkey);
+               DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__, rc);
++              memzero_explicit(kkey, ktp.keylen);
+               kfree(kkey);
+               if (rc)
+                       break;
+@@ -1426,6 +1427,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+                                       kkey, ktp.keylen, &ktp.protkey);
+               DEBUG_DBG("%s pkey_keyblob2pkey2()=%d\n", __func__, rc);
+               kfree(apqns);
++              memzero_explicit(kkey, ktp.keylen);
+               kfree(kkey);
+               if (rc)
+                       break;
+@@ -1552,6 +1554,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+                                       protkey, &protkeylen);
+               DEBUG_DBG("%s pkey_keyblob2pkey3()=%d\n", __func__, rc);
+               kfree(apqns);
++              memzero_explicit(kkey, ktp.keylen);
+               kfree(kkey);
+               if (rc) {
+                       kfree(protkey);
+-- 
+2.39.2
+

diff --git a/queue-6.1/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch b/queue-6.1/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch
new file mode 100644 (file)
index 0000000..3a9e079
--- /dev/null
+++ b/queue-6.1/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch
@@ -0,0 +1,89 @@
+From a24a7e3d9b9bd571b1c34f80c3e1f67e7ee40432 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:21:48 +0200
+Subject: s390/topology: honour nr_cpu_ids when adding CPUs
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit a33239be2d38ff5a44427db1707c08787508d34a ]
+
+When SMT thread CPUs are added to CPU masks the nr_cpu_ids
+limit is not checked and could be exceeded. This leads to
+a warning for example if CONFIG_DEBUG_PER_CPU_MAPS is set
+and the command line parameter nr_cpus is set to 1.
+
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/topology.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/arch/s390/kernel/topology.c b/arch/s390/kernel/topology.c
+index c6eecd4a5302d..10b20aeb27d3b 100644
+--- a/arch/s390/kernel/topology.c
++++ b/arch/s390/kernel/topology.c
+@@ -95,7 +95,7 @@ static void cpu_group_map(cpumask_t *dst, struct mask_info *info, unsigned int c
+ static void cpu_thread_map(cpumask_t *dst, unsigned int cpu)
+ {
+       static cpumask_t mask;
+-      int i;
++      unsigned int max_cpu;
+ 
+       cpumask_clear(&mask);
+       if (!cpumask_test_cpu(cpu, &cpu_setup_mask))
+@@ -104,9 +104,10 @@ static void cpu_thread_map(cpumask_t *dst, unsigned int cpu)
+       if (topology_mode != TOPOLOGY_MODE_HW)
+               goto out;
+       cpu -= cpu % (smp_cpu_mtid + 1);
+-      for (i = 0; i <= smp_cpu_mtid; i++) {
+-              if (cpumask_test_cpu(cpu + i, &cpu_setup_mask))
+-                      cpumask_set_cpu(cpu + i, &mask);
++      max_cpu = min(cpu + smp_cpu_mtid, nr_cpu_ids - 1);
++      for (; cpu <= max_cpu; cpu++) {
++              if (cpumask_test_cpu(cpu, &cpu_setup_mask))
++                      cpumask_set_cpu(cpu, &mask);
+       }
+ out:
+       cpumask_copy(dst, &mask);
+@@ -123,25 +124,26 @@ static void add_cpus_to_mask(struct topology_core *tl_core,
+       unsigned int core;
+ 
+       for_each_set_bit(core, &tl_core->mask, TOPOLOGY_CORE_BITS) {
+-              unsigned int rcore;
+-              int lcpu, i;
++              unsigned int max_cpu, rcore;
++              int cpu;
+ 
+               rcore = TOPOLOGY_CORE_BITS - 1 - core + tl_core->origin;
+-              lcpu = smp_find_processor_id(rcore << smp_cpu_mt_shift);
+-              if (lcpu < 0)
++              cpu = smp_find_processor_id(rcore << smp_cpu_mt_shift);
++              if (cpu < 0)
+                       continue;
+-              for (i = 0; i <= smp_cpu_mtid; i++) {
+-                      topo = &cpu_topology[lcpu + i];
++              max_cpu = min(cpu + smp_cpu_mtid, nr_cpu_ids - 1);
++              for (; cpu <= max_cpu; cpu++) {
++                      topo = &cpu_topology[cpu];
+                       topo->drawer_id = drawer->id;
+                       topo->book_id = book->id;
+                       topo->socket_id = socket->id;
+                       topo->core_id = rcore;
+-                      topo->thread_id = lcpu + i;
++                      topo->thread_id = cpu;
+                       topo->dedicated = tl_core->d;
+-                      cpumask_set_cpu(lcpu + i, &drawer->mask);
+-                      cpumask_set_cpu(lcpu + i, &book->mask);
+-                      cpumask_set_cpu(lcpu + i, &socket->mask);
+-                      smp_cpu_set_polarization(lcpu + i, tl_core->pp);
++                      cpumask_set_cpu(cpu, &drawer->mask);
++                      cpumask_set_cpu(cpu, &book->mask);
++                      cpumask_set_cpu(cpu, &socket->mask);
++                      smp_cpu_set_polarization(cpu, tl_core->pp);
+               }
+       }
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch b/queue-6.1/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch
new file mode 100644 (file)
index 0000000..72cc656
--- /dev/null
+++ b/queue-6.1/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch
@@ -0,0 +1,51 @@
+From ba46111c7bd36190f3f916e79c375ff8b87907c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 15:01:56 +0800
+Subject: scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
+
+From: Wenchao Hao <haowenchao2@huawei.com>
+
+[ Upstream commit 09e797c8641f6ad435c33ae24c223351197ea29a ]
+
+If scsi_dispatch_cmd() failed, the SCSI command was not sent to the target,
+scsi_queue_rq() would return BLK_STS_RESOURCE and the related request would
+be requeued. The timeout of this request would not fire, no one would
+increase iodone_cnt.
+
+The above flow would result the iodone_cnt smaller than iorequest_cnt.  So
+decrease the iorequest_cnt if dispatch failed to workaround the issue.
+
+Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/r/ZF+zB+bB7iqe0wGd@ovpn-8-17.pek2.redhat.com
+Link: https://lore.kernel.org/r/20230515070156.1790181-3-haowenchao2@huawei.com
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 8b89fab7c4206..fb6e9a7a7f58b 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -1491,6 +1491,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
+                */
+               SCSI_LOG_MLQUEUE(3, scmd_printk(KERN_INFO, cmd,
+                       "queuecommand : device blocked\n"));
++              atomic_dec(&cmd->device->iorequest_cnt);
+               return SCSI_MLQUEUE_DEVICE_BUSY;
+       }
+ 
+@@ -1523,6 +1524,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
+       trace_scsi_dispatch_cmd_start(cmd);
+       rtn = host->hostt->queuecommand(host, cmd);
+       if (rtn) {
++              atomic_dec(&cmd->device->iorequest_cnt);
+               trace_scsi_dispatch_cmd_error(cmd, rtn);
+               if (rtn != SCSI_MLQUEUE_DEVICE_BUSY &&
+                   rtn != SCSI_MLQUEUE_TARGET_BUSY)
+-- 
+2.39.2
+

diff --git a/queue-6.1/series b/queue-6.1/series
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..98283bdef64687008dba8bb1f8112ebe85adb425 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -0,0 +1,149 @@
+rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch
+phy-amlogic-phy-meson-g12a-mipi-dphy-analog-fix-cntl.patch
+rdma-efa-fix-unsupported-page-sizes-in-device.patch
+rdma-hns-fix-timeout-attr-in-query-qp-for-hip08.patch
+rdma-hns-fix-base-address-table-allocation.patch
+rdma-hns-modify-the-value-of-long-message-loopback-s.patch
+dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch
+rdma-bnxt_re-fix-a-possible-memory-leak.patch
+rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch
+iommu-rockchip-fix-unwind-goto-issue.patch
+iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch
+iommu-amd-handle-galog-overflows.patch
+iommu-amd-fix-up-merge-conflict-resolution.patch
+nfsd-make-a-copy-of-struct-iattr-before-calling-noti.patch
+dmaengine-pl330-rename-_start-to-prevent-build-error.patch
+riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch
+net-mlx5-drain-health-before-unregistering-devlink.patch
+net-mlx5-sf-drain-health-before-removing-device.patch
+net-mlx5-fw_tracer-fix-event-handling.patch
+net-mlx5e-don-t-attach-netdev-profile-while-handling.patch
+net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch
+netrom-fix-info-leak-in-nr_write_internal.patch
+af_packet-fix-data-races-of-pkt_sk-sk-num.patch
+tls-improve-lockless-access-safety-of-tls_err_abort.patch
+amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch
+perf-ftrace-latency-remove-unnecessary-from-use-nsec.patch
+mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch
+rdma-irdma-prevent-qp-use-after-free.patch
+rdma-irdma-fix-local-invalidate-fencing.patch
+af_packet-do-not-use-read_once-in-packet_bind.patch
+tcp-deny-tcp_disconnect-when-threads-are-waiting.patch
+tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch
+net-smc-scan-from-current-rmb-list-when-no-position-.patch
+net-smc-don-t-use-rmbs-not-mapped-to-new-link-in-smc.patch
+net-sched-sch_ingress-only-create-under-tc_h_ingress.patch
+net-sched-sch_clsact-only-create-under-tc_h_clsact.patch
+net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch
+net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch
+net-sched-fix-null-pointer-dereference-in-mq_attach.patch
+net-netlink-fix-netlink_list_memberships-length-repo.patch
+udp6-fix-race-condition-in-udp6_sendmsg-connect.patch
+nfsd-fix-double-fget-bug-in-__write_ports_addfd.patch
+nvme-fix-the-name-of-zone-append-for-verbose-logging.patch
+net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch
+net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch
+iommu-mediatek-flush-iotlb-completely-only-if-domain.patch
+net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch
+tcp-fix-mishandling-when-the-sack-compression-is-def.patch
+net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch
+mtd-rawnand-marvell-ensure-timing-values-are-written.patch
+mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch
+rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch
+net-devlink-convert-devlink-port-type-specific-point.patch
+net-devlink-move-port_type_warn_schedule-call-to-__d.patch
+net-devlink-move-port_type_netdev_checks-call-to-__d.patch
+net-devlink-take-rtnl-in-port_fill-function-only-if-.patch
+net-devlink-track-netdev-with-devlink_port-assigned.patch
+net-expose-devlink-port-over-rtnetlink.patch
+net-add-gso_ipv4_max_size-and-gro_ipv4_max_size-per-.patch
+rtnetlink-move-ifla_gso_-tb-check-to-validate_linkms.patch
+rtnetlink-add-the-missing-ifla_gro_-tb-check-in-vali.patch
+mptcp-avoid-unneeded-__mptcp_nmpc_socket-usage.patch
+mptcp-add-annotations-around-msk-subflow-accesses.patch
+mptcp-avoid-unneeded-address-copy.patch
+mptcp-simplify-subflow_syn_recv_sock.patch
+mptcp-consolidate-passive-msk-socket-initialization.patch
+mptcp-fix-data-race-around-msk-first-access.patch
+mptcp-add-annotations-around-sk-sk_shutdown-accesses.patch
+drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch
+watchdog-menz069_wdt-fix-watchdog-initialisation.patch
+alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch
+loongarch-relay-bce-exceptions-to-userland-as-sigseg.patch
+asoc-intel-soc-acpi-cht-add-quirk-for-nextbook-ares-.patch
+drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch
+mailbox-mailbox-test-fix-potential-double-free-in-mb.patch
+drm-ast-fix-arm-compatibility.patch
+btrfs-abort-transaction-when-sibling-keys-check-fail.patch
+arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch
+hwmon-k10temp-add-pci-id-for-family-19-model-78h.patch
+media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch
+platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch
+platform-mellanox-fix-potential-race-in-mlxbf-tmfifo.patch
+gfs2-don-t-deref-jdesc-in-evict.patch
+drm-amdgpu-set-gfx9-onwards-apu-atomics-support-to-b.patch
+fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch
+fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch
+fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch
+nbd-fix-debugfs_create_dir-error-checking.patch
+block-rnbd-replace-req_op_flush-with-req_op_write.patch
+nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch
+nvme-pci-add-quirk-for-missing-secondary-temperature.patch
+asoc-amd-yc-add-dmi-entry-to-support-system76-pangol.patch
+asoc-dwc-limit-the-number-of-overrun-messages.patch
+um-harddog-fix-modular-build.patch
+xfrm-check-if_id-in-inbound-policy-secpath-match.patch
+asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch
+alsa-hda-realtek-add-quirks-for-asus-gu604v-and-gu60.patch
+asoc-ssm2602-add-workaround-for-playback-distortions.patch
+media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch
+media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch
+media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch
+media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch
+media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch
+media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch
+media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch
+media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch
+media-dvb_ca_en50221-fix-a-size-write-bug.patch
+media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch
+media-mn88443x-fix-config_of-error-by-drop-of_match_.patch
+media-dvb-core-fix-use-after-free-due-on-race-condit.patch
+media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch
+media-dvb-core-fix-kernel-warning-for-blocking-opera.patch
+media-dvb-core-fix-use-after-free-due-to-race-condit.patch
+asoc-sof-debug-conditionally-bump-runtime_pm-counter.patch
+asoc-sof-pcm-fix-pm_runtime-imbalance-in-error-handl.patch
+asoc-sof-sof-client-probes-fix-pm_runtime-imbalance-.patch
+asoc-sof-pm-save-io-region-state-in-case-of-errors-i.patch
+s390-pkey-zeroize-key-blobs.patch
+s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch
+acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch
+wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch
+arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch
+arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch
+arm64-vdso-pass-void-to-virt_to_page.patch
+wifi-mac80211-simplify-chanctx-allocation.patch
+wifi-mac80211-consider-reserved-chanctx-for-mindef.patch
+wifi-mac80211-recalc-chanctx-mindef-before-assigning.patch
+wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch
+scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch
+wifi-b43-fix-incorrect-__packed-annotation.patch
+net-wwan-t7xx-ensure-init-is-completed-before-system.patch
+netfilter-conntrack-define-variables-exp_nat_nla_pol.patch
+nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch
+nvme-do-not-let-the-user-delete-a-ctrl-before-a-comp.patch
+alsa-oss-avoid-missing-prototype-warnings.patch
+drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch
+atm-hide-unused-procfs-functions.patch
+ceph-silence-smatch-warning-in-reconnect_caps_cb.patch
+drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch
+ublk-fix-ab-ba-lockdep-warning.patch
+nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch
+block-deny-writable-memory-mapping-if-block-is-read-.patch
+kvm-arm64-vgic-fix-a-circular-locking-issue.patch
+kvm-arm64-vgic-wrap-vgic_its_create-with-config_lock.patch
+kvm-arm64-vgic-fix-locking-comment.patch
+media-mediatek-vcodec-only-apply-4k-frame-sizes-on-d.patch
+mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch
+drivers-base-cacheinfo-fix-shared_cpu_map-changes-in.patch
+media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch

diff --git a/queue-6.1/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch b/queue-6.1/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch
new file mode 100644 (file)
index 0000000..1e77570
--- /dev/null
+++ b/queue-6.1/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch
@@ -0,0 +1,186 @@
+From 0eb9b9575ab9437b01552205ab212e8613c68723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 16:34:58 +0000
+Subject: tcp: deny tcp_disconnect() when threads are waiting
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4faeee0cf8a5d88d63cdbc3bab124fb0e6aed08c ]
+
+Historically connect(AF_UNSPEC) has been abused by syzkaller
+and other fuzzers to trigger various bugs.
+
+A recent one triggers a divide-by-zero [1], and Paolo Abeni
+was able to diagnose the issue.
+
+tcp_recvmsg_locked() has tests about sk_state being not TCP_LISTEN
+and TCP REPAIR mode being not used.
+
+Then later if socket lock is released in sk_wait_data(),
+another thread can call connect(AF_UNSPEC), then make this
+socket a TCP listener.
+
+When recvmsg() is resumed, it can eventually call tcp_cleanup_rbuf()
+and attempt a divide by 0 in tcp_rcv_space_adjust() [1]
+
+This patch adds a new socket field, counting number of threads
+blocked in sk_wait_event() and inet_wait_for_connect().
+
+If this counter is not zero, tcp_disconnect() returns an error.
+
+This patch adds code in blocking socket system calls, thus should
+not hurt performance of non blocking ones.
+
+Note that we probably could revert commit 499350a5a6e7 ("tcp:
+initialize rcv_mss to TCP_MIN_MSS instead of 0") to restore
+original tcpi_rcv_mss meaning (was 0 if no payload was ever
+received on a socket)
+
+[1]
+divide error: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 13832 Comm: syz-executor.5 Not tainted 6.3.0-rc4-syzkaller-00224-g00c7b5f4ddc5 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
+RIP: 0010:tcp_rcv_space_adjust+0x36e/0x9d0 net/ipv4/tcp_input.c:740
+Code: 00 00 00 00 fc ff df 4c 89 64 24 48 8b 44 24 04 44 89 f9 41 81 c7 80 03 00 00 c1 e1 04 44 29 f0 48 63 c9 48 01 e9 48 0f af c1 <49> f7 f6 48 8d 04 41 48 89 44 24 40 48 8b 44 24 30 48 c1 e8 03 48
+RSP: 0018:ffffc900033af660 EFLAGS: 00010206
+RAX: 4a66b76cbade2c48 RBX: ffff888076640cc0 RCX: 00000000c334e4ac
+RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000001
+RBP: 00000000c324e86c R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880766417f8
+R13: ffff888028fbb980 R14: 0000000000000000 R15: 0000000000010344
+FS: 00007f5bffbfe700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32f25000 CR3: 000000007ced0000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+tcp_recvmsg_locked+0x100e/0x22e0 net/ipv4/tcp.c:2616
+tcp_recvmsg+0x117/0x620 net/ipv4/tcp.c:2681
+inet6_recvmsg+0x114/0x640 net/ipv6/af_inet6.c:670
+sock_recvmsg_nosec net/socket.c:1017 [inline]
+sock_recvmsg+0xe2/0x160 net/socket.c:1038
+____sys_recvmsg+0x210/0x5a0 net/socket.c:2720
+___sys_recvmsg+0xf2/0x180 net/socket.c:2762
+do_recvmmsg+0x25e/0x6e0 net/socket.c:2856
+__sys_recvmmsg net/socket.c:2935 [inline]
+__do_sys_recvmmsg net/socket.c:2958 [inline]
+__se_sys_recvmmsg net/socket.c:2951 [inline]
+__x64_sys_recvmmsg+0x20f/0x260 net/socket.c:2951
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f5c0108c0f9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f5bffbfe168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00007f5c011ac050 RCX: 00007f5c0108c0f9
+RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000003
+RBP: 00007f5c010e7b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f5c012cfb1f R14: 00007f5bffbfe300 R15: 0000000000022000
+</TASK>
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Diagnosed-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://lore.kernel.org/r/20230526163458.2880232-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h              | 4 ++++
+ net/ipv4/af_inet.c              | 2 ++
+ net/ipv4/inet_connection_sock.c | 1 +
+ net/ipv4/tcp.c                  | 6 ++++++
+ 4 files changed, 13 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index beb1b747fb09d..f11b98bd0244c 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -333,6 +333,7 @@ struct sk_filter;
+   *   @sk_cgrp_data: cgroup data for this cgroup
+   *   @sk_memcg: this socket's memory cgroup association
+   *   @sk_write_pending: a write to stream socket waits to start
++  *   @sk_wait_pending: number of threads blocked on this socket
+   *   @sk_state_change: callback to indicate change in the state of the sock
+   *   @sk_data_ready: callback to indicate there is data to be processed
+   *   @sk_write_space: callback to indicate there is bf sending space available
+@@ -425,6 +426,7 @@ struct sock {
+       unsigned int            sk_napi_id;
+ #endif
+       int                     sk_rcvbuf;
++      int                     sk_wait_pending;
+ 
+       struct sk_filter __rcu  *sk_filter;
+       union {
+@@ -1170,6 +1172,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk)
+ 
+ #define sk_wait_event(__sk, __timeo, __condition, __wait)             \
+       ({      int __rc;                                               \
++              __sk->sk_wait_pending++;                                \
+               release_sock(__sk);                                     \
+               __rc = __condition;                                     \
+               if (!__rc) {                                            \
+@@ -1179,6 +1182,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk)
+               }                                                       \
+               sched_annotate_sleep();                                 \
+               lock_sock(__sk);                                        \
++              __sk->sk_wait_pending--;                                \
+               __rc = __condition;                                     \
+               __rc;                                                   \
+       })
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 5fd0ff5734e36..ebb737ac9e894 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -589,6 +589,7 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias)
+ 
+       add_wait_queue(sk_sleep(sk), &wait);
+       sk->sk_write_pending += writebias;
++      sk->sk_wait_pending++;
+ 
+       /* Basic assumption: if someone sets sk->sk_err, he _must_
+        * change state of the socket from TCP_SYN_*.
+@@ -604,6 +605,7 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias)
+       }
+       remove_wait_queue(sk_sleep(sk), &wait);
+       sk->sk_write_pending -= writebias;
++      sk->sk_wait_pending--;
+       return timeo;
+ }
+ 
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 916075e00d066..8e35ea66d930a 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -1143,6 +1143,7 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
+       if (newsk) {
+               struct inet_connection_sock *newicsk = inet_csk(newsk);
+ 
++              newsk->sk_wait_pending = 0;
+               inet_sk_set_state(newsk, TCP_SYN_RECV);
+               newicsk->icsk_bind_hash = NULL;
+               newicsk->icsk_bind2_hash = NULL;
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 021a8bf6a1898..c77b57d4a832a 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3079,6 +3079,12 @@ int tcp_disconnect(struct sock *sk, int flags)
+       int old_state = sk->sk_state;
+       u32 seq;
+ 
++      /* Deny disconnect if other threads are blocked in sk_wait_event()
++       * or inet_wait_for_connect().
++       */
++      if (sk->sk_wait_pending)
++              return -EBUSY;
++
+       if (old_state != TCP_CLOSE)
+               tcp_set_state(sk, TCP_CLOSE);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/tcp-fix-mishandling-when-the-sack-compression-is-def.patch b/queue-6.1/tcp-fix-mishandling-when-the-sack-compression-is-def.patch
new file mode 100644 (file)
index 0000000..8e89ff1
--- /dev/null
+++ b/queue-6.1/tcp-fix-mishandling-when-the-sack-compression-is-def.patch
@@ -0,0 +1,99 @@
+From fb98adcac992729b54a2ef14a89079824769511f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 16:01:50 +0800
+Subject: tcp: fix mishandling when the sack compression is deferred.
+
+From: fuyuanli <fuyuanli@didiglobal.com>
+
+[ Upstream commit 30c6f0bf9579debce27e45fac34fdc97e46acacc ]
+
+In this patch, we mainly try to handle sending a compressed ack
+correctly if it's deferred.
+
+Here are more details in the old logic:
+When sack compression is triggered in the tcp_compressed_ack_kick(),
+if the sock is owned by user, it will set TCP_DELACK_TIMER_DEFERRED
+and then defer to the release cb phrase. Later once user releases
+the sock, tcp_delack_timer_handler() should send a ack as expected,
+which, however, cannot happen due to lack of ICSK_ACK_TIMER flag.
+Therefore, the receiver would not sent an ack until the sender's
+retransmission timeout. It definitely increases unnecessary latency.
+
+Fixes: 5d9f4262b7ea ("tcp: add SACK compression")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: fuyuanli <fuyuanli@didiglobal.com>
+Signed-off-by: Jason Xing <kerneljasonxing@gmail.com>
+Link: https://lore.kernel.org/netdev/20230529113804.GA20300@didi-ThinkCentre-M920t-N000/
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230531080150.GA20424@didi-ThinkCentre-M920t-N000
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tcp.h    |  1 +
+ net/ipv4/tcp_input.c |  2 +-
+ net/ipv4/tcp_timer.c | 16 +++++++++++++---
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 0744717f5caa7..5eedd476a38d7 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -632,6 +632,7 @@ void tcp_reset(struct sock *sk, struct sk_buff *skb);
+ void tcp_skb_mark_lost_uncond_verify(struct tcp_sock *tp, struct sk_buff *skb);
+ void tcp_fin(struct sock *sk);
+ void tcp_check_space(struct sock *sk);
++void tcp_sack_compress_send_ack(struct sock *sk);
+ 
+ /* tcp_timer.c */
+ void tcp_init_xmit_timers(struct sock *);
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ac44edd6f52e6..5dabb38b857ff 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4529,7 +4529,7 @@ static void tcp_sack_maybe_coalesce(struct tcp_sock *tp)
+       }
+ }
+ 
+-static void tcp_sack_compress_send_ack(struct sock *sk)
++void tcp_sack_compress_send_ack(struct sock *sk)
+ {
+       struct tcp_sock *tp = tcp_sk(sk);
+ 
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+index cb79127f45c34..0b5d0a2867a8c 100644
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -290,9 +290,19 @@ static int tcp_write_timeout(struct sock *sk)
+ void tcp_delack_timer_handler(struct sock *sk)
+ {
+       struct inet_connection_sock *icsk = inet_csk(sk);
++      struct tcp_sock *tp = tcp_sk(sk);
+ 
+-      if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
+-          !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
++      if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
++              return;
++
++      /* Handling the sack compression case */
++      if (tp->compressed_ack) {
++              tcp_mstamp_refresh(tp);
++              tcp_sack_compress_send_ack(sk);
++              return;
++      }
++
++      if (!(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
+               return;
+ 
+       if (time_after(icsk->icsk_ack.timeout, jiffies)) {
+@@ -312,7 +322,7 @@ void tcp_delack_timer_handler(struct sock *sk)
+                       inet_csk_exit_pingpong_mode(sk);
+                       icsk->icsk_ack.ato      = TCP_ATO_MIN;
+               }
+-              tcp_mstamp_refresh(tcp_sk(sk));
++              tcp_mstamp_refresh(tp);
+               tcp_send_ack(sk);
+               __NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKS);
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch b/queue-6.1/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch
new file mode 100644 (file)
index 0000000..aab7798
--- /dev/null
+++ b/queue-6.1/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch
@@ -0,0 +1,50 @@
+From 02b9ee9d50127983172d67ca65751c468edcc632 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 12:03:17 +0800
+Subject: tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss
+ set
+
+From: Cambda Zhu <cambda@linux.alibaba.com>
+
+[ Upstream commit 34dfde4ad87b84d21278a7e19d92b5b2c68e6c4d ]
+
+This patch replaces the tp->mss_cache check in getting TCP_MAXSEG
+with tp->rx_opt.user_mss check for CLOSE/LISTEN sock. Since
+tp->mss_cache is initialized with TCP_MSS_DEFAULT, checking if
+it's zero is probably a bug.
+
+With this change, getting TCP_MAXSEG before connecting will return
+default MSS normally, and return user_mss if user_mss is set.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Jack Yang <mingliang@linux.alibaba.com>
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/netdev/CANn89i+3kL9pYtkxkwxwNMzvC_w3LNUum_2=3u+UyLBmGmifHA@mail.gmail.com/#t
+Signed-off-by: Cambda Zhu <cambda@linux.alibaba.com>
+Link: https://lore.kernel.org/netdev/14D45862-36EA-4076-974C-EA67513C92F6@linux.alibaba.com/
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230527040317.68247-1-cambda@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index c77b57d4a832a..0bd0be3c63d22 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -4071,7 +4071,8 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+       switch (optname) {
+       case TCP_MAXSEG:
+               val = tp->mss_cache;
+-              if (!val && ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
++              if (tp->rx_opt.user_mss &&
++                  ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
+                       val = tp->rx_opt.user_mss;
+               if (tp->repair)
+                       val = tp->rx_opt.mss_clamp;
+-- 
+2.39.2
+

diff --git a/queue-6.1/tls-improve-lockless-access-safety-of-tls_err_abort.patch b/queue-6.1/tls-improve-lockless-access-safety-of-tls_err_abort.patch
new file mode 100644 (file)
index 0000000..a1ada66
--- /dev/null
+++ b/queue-6.1/tls-improve-lockless-access-safety-of-tls_err_abort.patch
@@ -0,0 +1,59 @@
+From a83c85119067349613be1421e033ad0f17868178 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 22:17:41 -0700
+Subject: tls: improve lockless access safety of tls_err_abort()
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 8a0d57df8938e9fd2e99d47a85b7f37d86f91097 ]
+
+Most protos' poll() methods insert a memory barrier between
+writes to sk_err and sk_error_report(). This dates back to
+commit a4d258036ed9 ("tcp: Fix race in tcp_poll").
+
+I guess we should do the same thing in TLS, tcp_poll() does
+not hold the socket lock.
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_strp.c | 4 +++-
+ net/tls/tls_sw.c   | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
+index da95abbb7ea32..f37f4a0fcd3c2 100644
+--- a/net/tls/tls_strp.c
++++ b/net/tls/tls_strp.c
+@@ -20,7 +20,9 @@ static void tls_strp_abort_strp(struct tls_strparser *strp, int err)
+       strp->stopped = 1;
+ 
+       /* Report an error on the lower socket */
+-      strp->sk->sk_err = -err;
++      WRITE_ONCE(strp->sk->sk_err, -err);
++      /* Paired with smp_rmb() in tcp_poll() */
++      smp_wmb();
+       sk_error_report(strp->sk);
+ }
+ 
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 992092aeebad9..2e5e7853a6101 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -67,7 +67,9 @@ noinline void tls_err_abort(struct sock *sk, int err)
+ {
+       WARN_ON_ONCE(err >= 0);
+       /* sk->sk_err should contain a positive error code. */
+-      sk->sk_err = -err;
++      WRITE_ONCE(sk->sk_err, -err);
++      /* Paired with smp_rmb() in tcp_poll() */
++      smp_wmb();
+       sk_error_report(sk);
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/ublk-fix-ab-ba-lockdep-warning.patch b/queue-6.1/ublk-fix-ab-ba-lockdep-warning.patch
new file mode 100644 (file)
index 0000000..dd9d4d5
--- /dev/null
+++ b/queue-6.1/ublk-fix-ab-ba-lockdep-warning.patch
@@ -0,0 +1,65 @@
+From 032400ea1de4d257660b089d2447013c2d52b5e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 21:34:08 +0800
+Subject: ublk: fix AB-BA lockdep warning
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit ac5902f84bb546c64aea02c439c2579cbf40318f ]
+
+When handling UBLK_IO_FETCH_REQ, ctx->uring_lock is grabbed first, then
+ub->mutex is acquired.
+
+When handling UBLK_CMD_STOP_DEV or UBLK_CMD_DEL_DEV, ub->mutex is
+grabbed first, then calling io_uring_cmd_done() for canceling uring
+command, in which ctx->uring_lock may be required.
+
+Real deadlock only happens when all the above commands are issued from
+same uring context, and in reality different uring contexts are often used
+for handing control command and IO command.
+
+Fix the issue by using io_uring_cmd_complete_in_task() to cancel command
+in ublk_cancel_dev(ublk_cancel_queue).
+
+Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Closes: https://lore.kernel.org/linux-block/becol2g7sawl4rsjq2dztsbc7mqypfqko6wzsyoyazqydoasml@rcxarzwidrhk
+Cc: Ziyang Zhang <ZiyangZhang@linux.alibaba.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20230517133408.210944-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index c0cbc5f3eb266..c56d1c6d8e58d 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1045,6 +1045,11 @@ static inline bool ublk_queue_ready(struct ublk_queue *ubq)
+       return ubq->nr_io_ready == ubq->q_depth;
+ }
+ 
++static void ublk_cmd_cancel_cb(struct io_uring_cmd *cmd, unsigned issue_flags)
++{
++      io_uring_cmd_done(cmd, UBLK_IO_RES_ABORT, 0, issue_flags);
++}
++
+ static void ublk_cancel_queue(struct ublk_queue *ubq)
+ {
+       int i;
+@@ -1056,8 +1061,8 @@ static void ublk_cancel_queue(struct ublk_queue *ubq)
+               struct ublk_io *io = &ubq->ios[i];
+ 
+               if (io->flags & UBLK_IO_FLAG_ACTIVE)
+-                      io_uring_cmd_done(io->cmd, UBLK_IO_RES_ABORT, 0,
+-                                              IO_URING_F_UNLOCKED);
++                      io_uring_cmd_complete_in_task(io->cmd,
++                                                    ublk_cmd_cancel_cb);
+       }
+ 
+       /* all io commands are canceled */
+-- 
+2.39.2
+

diff --git a/queue-6.1/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch b/queue-6.1/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch
new file mode 100644 (file)
index 0000000..a2269aa
--- /dev/null
+++ b/queue-6.1/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch
@@ -0,0 +1,63 @@
+From a36c557f3a6889c90ab8d10bce85ea853260b963 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 14:39:41 +0300
+Subject: udp6: Fix race condition in udp6_sendmsg & connect
+
+From: Vladislav Efanov <VEfanov@ispras.ru>
+
+[ Upstream commit 448a5ce1120c5bdbce1f1ccdabcd31c7d029f328 ]
+
+Syzkaller got the following report:
+BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018
+Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255
+
+The function sk_setup_caps (called by ip6_sk_dst_store_flow->
+ip6_dst_store) referenced already freed memory as this memory was
+freed by parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow->
+sk_dst_check.
+
+          task1 (connect)              task2 (udp6_sendmsg)
+        sk_setup_caps->sk_dst_set |
+                                  |  sk_dst_check->
+                                  |      sk_dst_set
+                                  |      dst_release
+        sk_setup_caps references  |
+        to already freed dst_entry|
+
+The reason for this race condition is: sk_setup_caps() keeps using
+the dst after transferring the ownership to the dst cache.
+
+Found by Linux Verification Center (linuxtesting.org) with syzkaller.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Vladislav Efanov <VEfanov@ispras.ru>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index eb0b76acd9df1..83f590d8d0850 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2370,7 +2370,6 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
+ {
+       u32 max_segs = 1;
+ 
+-      sk_dst_set(sk, dst);
+       sk->sk_route_caps = dst->dev->features;
+       if (sk_is_tcp(sk))
+               sk->sk_route_caps |= NETIF_F_GSO;
+@@ -2392,6 +2391,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
+               }
+       }
+       sk->sk_gso_max_segs = max_segs;
++      sk_dst_set(sk, dst);
+ }
+ EXPORT_SYMBOL_GPL(sk_setup_caps);
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/um-harddog-fix-modular-build.patch b/queue-6.1/um-harddog-fix-modular-build.patch
new file mode 100644 (file)
index 0000000..a038cf8
--- /dev/null
+++ b/queue-6.1/um-harddog-fix-modular-build.patch
@@ -0,0 +1,134 @@
+From 904a33dbb4f69fba0020ca60c4c0e2375f568cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Apr 2023 10:38:37 +0200
+Subject: um: harddog: fix modular build
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 73a23d7710331a530e972903318528b75e5a5f58 ]
+
+Since we no longer (want to) export any libc symbols the
+_user portions of any drivers need to be built into image
+rather than the module. I missed this for the watchdog.
+Fix the watchdog accordingly.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/Makefile           | 4 +++-
+ arch/um/drivers/harddog.h          | 9 +++++++++
+ arch/um/drivers/harddog_kern.c     | 7 +------
+ arch/um/drivers/harddog_user.c     | 1 +
+ arch/um/drivers/harddog_user_exp.c | 9 +++++++++
+ 5 files changed, 23 insertions(+), 7 deletions(-)
+ create mode 100644 arch/um/drivers/harddog.h
+ create mode 100644 arch/um/drivers/harddog_user_exp.c
+
+diff --git a/arch/um/drivers/Makefile b/arch/um/drivers/Makefile
+index e1dc4292bd22e..65b449c992d2c 100644
+--- a/arch/um/drivers/Makefile
++++ b/arch/um/drivers/Makefile
+@@ -16,7 +16,8 @@ mconsole-objs := mconsole_kern.o mconsole_user.o
+ hostaudio-objs := hostaudio_kern.o
+ ubd-objs := ubd_kern.o ubd_user.o
+ port-objs := port_kern.o port_user.o
+-harddog-objs := harddog_kern.o harddog_user.o
++harddog-objs := harddog_kern.o
++harddog-builtin-$(CONFIG_UML_WATCHDOG) := harddog_user.o harddog_user_exp.o
+ rtc-objs := rtc_kern.o rtc_user.o
+ 
+ LDFLAGS_pcap.o = $(shell $(CC) $(KBUILD_CFLAGS) -print-file-name=libpcap.a)
+@@ -60,6 +61,7 @@ obj-$(CONFIG_PTY_CHAN) += pty.o
+ obj-$(CONFIG_TTY_CHAN) += tty.o 
+ obj-$(CONFIG_XTERM_CHAN) += xterm.o xterm_kern.o
+ obj-$(CONFIG_UML_WATCHDOG) += harddog.o
++obj-y += $(harddog-builtin-y) $(harddog-builtin-m)
+ obj-$(CONFIG_BLK_DEV_COW_COMMON) += cow_user.o
+ obj-$(CONFIG_UML_RANDOM) += random.o
+ obj-$(CONFIG_VIRTIO_UML) += virtio_uml.o
+diff --git a/arch/um/drivers/harddog.h b/arch/um/drivers/harddog.h
+new file mode 100644
+index 0000000000000..6d9ea60e7133e
+--- /dev/null
++++ b/arch/um/drivers/harddog.h
+@@ -0,0 +1,9 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef UM_WATCHDOG_H
++#define UM_WATCHDOG_H
++
++int start_watchdog(int *in_fd_ret, int *out_fd_ret, char *sock);
++void stop_watchdog(int in_fd, int out_fd);
++int ping_watchdog(int fd);
++
++#endif /* UM_WATCHDOG_H */
+diff --git a/arch/um/drivers/harddog_kern.c b/arch/um/drivers/harddog_kern.c
+index e6d4f43deba82..60d1c6cab8a95 100644
+--- a/arch/um/drivers/harddog_kern.c
++++ b/arch/um/drivers/harddog_kern.c
+@@ -47,6 +47,7 @@
+ #include <linux/spinlock.h>
+ #include <linux/uaccess.h>
+ #include "mconsole.h"
++#include "harddog.h"
+ 
+ MODULE_LICENSE("GPL");
+ 
+@@ -60,8 +61,6 @@ static int harddog_out_fd = -1;
+  *    Allow only one person to hold it open
+  */
+ 
+-extern int start_watchdog(int *in_fd_ret, int *out_fd_ret, char *sock);
+-
+ static int harddog_open(struct inode *inode, struct file *file)
+ {
+       int err = -EBUSY;
+@@ -92,8 +91,6 @@ static int harddog_open(struct inode *inode, struct file *file)
+       return err;
+ }
+ 
+-extern void stop_watchdog(int in_fd, int out_fd);
+-
+ static int harddog_release(struct inode *inode, struct file *file)
+ {
+       /*
+@@ -112,8 +109,6 @@ static int harddog_release(struct inode *inode, struct file *file)
+       return 0;
+ }
+ 
+-extern int ping_watchdog(int fd);
+-
+ static ssize_t harddog_write(struct file *file, const char __user *data, size_t len,
+                            loff_t *ppos)
+ {
+diff --git a/arch/um/drivers/harddog_user.c b/arch/um/drivers/harddog_user.c
+index 070468d22e394..9ed89304975ed 100644
+--- a/arch/um/drivers/harddog_user.c
++++ b/arch/um/drivers/harddog_user.c
+@@ -7,6 +7,7 @@
+ #include <unistd.h>
+ #include <errno.h>
+ #include <os.h>
++#include "harddog.h"
+ 
+ struct dog_data {
+       int stdin_fd;
+diff --git a/arch/um/drivers/harddog_user_exp.c b/arch/um/drivers/harddog_user_exp.c
+new file mode 100644
+index 0000000000000..c74d4b815d143
+--- /dev/null
++++ b/arch/um/drivers/harddog_user_exp.c
+@@ -0,0 +1,9 @@
++// SPDX-License-Identifier: GPL-2.0
++#include <linux/export.h>
++#include "harddog.h"
++
++#if IS_MODULE(CONFIG_UML_WATCHDOG)
++EXPORT_SYMBOL(start_watchdog);
++EXPORT_SYMBOL(stop_watchdog);
++EXPORT_SYMBOL(ping_watchdog);
++#endif
+-- 
+2.39.2
+

diff --git a/queue-6.1/watchdog-menz069_wdt-fix-watchdog-initialisation.patch b/queue-6.1/watchdog-menz069_wdt-fix-watchdog-initialisation.patch
new file mode 100644 (file)
index 0000000..e9090c2
--- /dev/null
+++ b/queue-6.1/watchdog-menz069_wdt-fix-watchdog-initialisation.patch
@@ -0,0 +1,71 @@
+From dd347029b504fde4a100e72f8e9ee409943f5375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 19:25:30 +0200
+Subject: watchdog: menz069_wdt: fix watchdog initialisation
+
+From: Johannes Thumshirn <jth@kernel.org>
+
+[ Upstream commit 87b22656ca6a896d0378e9e60ffccb0c82f48b08 ]
+
+Doing a 'cat /dev/watchdog0' with menz069_wdt as watchdog0 will result in
+a NULL pointer dereference.
+
+This happens because we're passing the wrong pointer to
+watchdog_register_device(). Fix this by getting rid of the static
+watchdog_device structure and use the one embedded into the driver's
+per-instance private data.
+
+Signed-off-by: Johannes Thumshirn <jth@kernel.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20230418172531.177349-2-jth@kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/menz69_wdt.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/watchdog/menz69_wdt.c b/drivers/watchdog/menz69_wdt.c
+index 8973f98bc6a56..bca0938f3429f 100644
+--- a/drivers/watchdog/menz69_wdt.c
++++ b/drivers/watchdog/menz69_wdt.c
+@@ -98,14 +98,6 @@ static const struct watchdog_ops men_z069_ops = {
+       .set_timeout = men_z069_wdt_set_timeout,
+ };
+ 
+-static struct watchdog_device men_z069_wdt = {
+-      .info = &men_z069_info,
+-      .ops = &men_z069_ops,
+-      .timeout = MEN_Z069_DEFAULT_TIMEOUT,
+-      .min_timeout = 1,
+-      .max_timeout = MEN_Z069_WDT_COUNTER_MAX / MEN_Z069_TIMER_FREQ,
+-};
+-
+ static int men_z069_probe(struct mcb_device *dev,
+                         const struct mcb_device_id *id)
+ {
+@@ -125,15 +117,19 @@ static int men_z069_probe(struct mcb_device *dev,
+               goto release_mem;
+ 
+       drv->mem = mem;
++      drv->wdt.info = &men_z069_info;
++      drv->wdt.ops = &men_z069_ops;
++      drv->wdt.timeout = MEN_Z069_DEFAULT_TIMEOUT;
++      drv->wdt.min_timeout = 1;
++      drv->wdt.max_timeout = MEN_Z069_WDT_COUNTER_MAX / MEN_Z069_TIMER_FREQ;
+ 
+-      drv->wdt = men_z069_wdt;
+       watchdog_init_timeout(&drv->wdt, 0, &dev->dev);
+       watchdog_set_nowayout(&drv->wdt, nowayout);
+       watchdog_set_drvdata(&drv->wdt, drv);
+       drv->wdt.parent = &dev->dev;
+       mcb_set_drvdata(dev, drv);
+ 
+-      return watchdog_register_device(&men_z069_wdt);
++      return watchdog_register_device(&drv->wdt);
+ 
+ release_mem:
+       mcb_release_mem(mem);
+-- 
+2.39.2
+

diff --git a/queue-6.1/wifi-b43-fix-incorrect-__packed-annotation.patch b/queue-6.1/wifi-b43-fix-incorrect-__packed-annotation.patch
new file mode 100644 (file)
index 0000000..4ce27d7
--- /dev/null
+++ b/queue-6.1/wifi-b43-fix-incorrect-__packed-annotation.patch
@@ -0,0 +1,69 @@
+From 3a198b01479ce9d9663833e8506c320243052222 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 20:34:22 +0200
+Subject: wifi: b43: fix incorrect __packed annotation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 212457ccbd60dba34f965e4ffbe62f0e4f970538 ]
+
+clang warns about an unpacked structure inside of a packed one:
+
+drivers/net/wireless/broadcom/b43/b43.h:654:4: error: field data within 'struct b43_iv' is less aligned than 'union (unnamed union at /home/arnd/arm-soc/drivers/net/wireless/broadcom/b43/b43.h:651:2)' and is usually due to 'struct b43_iv' being packed, which can lead to unaligned accesses [-Werror,-Wunaligned-access]
+
+The problem here is that the anonymous union has the default alignment
+from its members, apparently because the original author mixed up the
+placement of the __packed attribute by placing it next to the struct
+member rather than the union definition. As the struct itself is
+also marked as __packed, there is no need to mark its members, so just
+move the annotation to the inner type instead.
+
+As Michael noted, the same problem is present in b43legacy, so
+change both at the same time.
+
+Acked-by: Michael Büsch <m@bues.ch>
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Link: https://lore.kernel.org/oe-kbuild-all/202305160749.ay1HAoyP-lkp@intel.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230516183442.536589-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/b43.h             | 2 +-
+ drivers/net/wireless/broadcom/b43legacy/b43legacy.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/b43.h b/drivers/net/wireless/broadcom/b43/b43.h
+index 9fc7c088a539e..67b4bac048e58 100644
+--- a/drivers/net/wireless/broadcom/b43/b43.h
++++ b/drivers/net/wireless/broadcom/b43/b43.h
+@@ -651,7 +651,7 @@ struct b43_iv {
+       union {
+               __be16 d16;
+               __be32 d32;
+-      } data __packed;
++      } __packed data;
+ } __packed;
+ 
+ 
+diff --git a/drivers/net/wireless/broadcom/b43legacy/b43legacy.h b/drivers/net/wireless/broadcom/b43legacy/b43legacy.h
+index 6b0cec467938f..f49365d14619f 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/b43legacy.h
++++ b/drivers/net/wireless/broadcom/b43legacy/b43legacy.h
+@@ -379,7 +379,7 @@ struct b43legacy_iv {
+       union {
+               __be16 d16;
+               __be32 d32;
+-      } data __packed;
++      } __packed data;
+ } __packed;
+ 
+ #define B43legacy_PHYMODE(phytype)    (1 << (phytype))
+-- 
+2.39.2
+

diff --git a/queue-6.1/wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch b/queue-6.1/wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch
new file mode 100644 (file)
index 0000000..9487394
--- /dev/null
+++ b/queue-6.1/wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch
@@ -0,0 +1,50 @@
+From a97a2607d6004d599fb9ed69aefad8962672add1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 12:15:55 +0300
+Subject: wifi: iwlwifi: mvm: Add locking to the rate read flow
+
+From: Ariel Malamud <ariel.malamud@intel.com>
+
+[ Upstream commit a8938bc881d2a03f9b77f19fae924fe798a01285 ]
+
+The rs_drv_get_rate flow reads the lq_sta to return the optimal rate
+for tx frames. This read flow is not protected thereby leaving
+a small window, a few instructions wide, open to contention by an
+asynchronous rate update. Indeed this race condition was hit and the
+update occurred in the middle of the read.
+
+Fix this by locking the lq_sta struct during read.
+
+Signed-off-by: Ariel Malamud <ariel.malamud@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230514120631.b52c9ed5c379.I15290b78e0d966c1b68278263776ca9de841d5fe@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+index 0b50b816684a0..2be6801d48aca 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+@@ -2692,6 +2692,8 @@ static void rs_drv_get_rate(void *mvm_r, struct ieee80211_sta *sta,
+               return;
+ 
+       lq_sta = mvm_sta;
++
++      spin_lock(&lq_sta->pers.lock);
+       iwl_mvm_hwrate_to_tx_rate_v1(lq_sta->last_rate_n_flags,
+                                    info->band, &info->control.rates[0]);
+       info->control.rates[0].count = 1;
+@@ -2706,6 +2708,7 @@ static void rs_drv_get_rate(void *mvm_r, struct ieee80211_sta *sta,
+               iwl_mvm_hwrate_to_tx_rate_v1(last_ucode_rate, info->band,
+                                            &txrc->reported_rate);
+       }
++      spin_unlock(&lq_sta->pers.lock);
+ }
+ 
+ static void *rs_drv_alloc_sta(void *mvm_rate, struct ieee80211_sta *sta,
+-- 
+2.39.2
+

diff --git a/queue-6.1/wifi-mac80211-consider-reserved-chanctx-for-mindef.patch b/queue-6.1/wifi-mac80211-consider-reserved-chanctx-for-mindef.patch
new file mode 100644 (file)
index 0000000..12479a7
--- /dev/null
+++ b/queue-6.1/wifi-mac80211-consider-reserved-chanctx-for-mindef.patch
@@ -0,0 +1,279 @@
+From c562d656422e41cbb9c9e3b4f3498bc551058a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:45:03 +0300
+Subject: wifi: mac80211: consider reserved chanctx for mindef
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit b72a455a2409fd94d6d9b4eb51d659a88213243b ]
+
+When a chanctx is reserved for a new vif and we recalculate
+the minimal definition for it, we need to consider the new
+interface it's being reserved for before we assign it, so it
+can be used directly with the correct min channel width.
+
+Fix the code to - optionally - consider that, and use that
+option just before doing the reassignment.
+
+Also, when considering channel context reservations, we
+should only consider the one link we're currently working with.
+Change the boolean argument to a link pointer to do that.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230504134511.828474-4-gregory.greenman@intel.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/chan.c        | 72 +++++++++++++++++++++++---------------
+ net/mac80211/ieee80211_i.h |  3 +-
+ net/mac80211/util.c        |  2 +-
+ 3 files changed, 47 insertions(+), 30 deletions(-)
+
+diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
+index 76c6decb0762c..c5d345e53056a 100644
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -258,7 +258,8 @@ ieee80211_get_max_required_bw(struct ieee80211_sub_if_data *sdata,
+ 
+ static enum nl80211_chan_width
+ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata,
+-                                        struct ieee80211_chanctx_conf *conf)
++                                        struct ieee80211_chanctx *ctx,
++                                        struct ieee80211_link_data *rsvd_for)
+ {
+       enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT;
+       struct ieee80211_vif *vif = &sdata->vif;
+@@ -267,13 +268,14 @@ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata,
+       rcu_read_lock();
+       for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) {
+               enum nl80211_chan_width width = NL80211_CHAN_WIDTH_20_NOHT;
+-              struct ieee80211_bss_conf *link_conf =
+-                      rcu_dereference(sdata->vif.link_conf[link_id]);
++              struct ieee80211_link_data *link =
++                      rcu_dereference(sdata->link[link_id]);
+ 
+-              if (!link_conf)
++              if (!link)
+                       continue;
+ 
+-              if (rcu_access_pointer(link_conf->chanctx_conf) != conf)
++              if (link != rsvd_for &&
++                  rcu_access_pointer(link->conf->chanctx_conf) != &ctx->conf)
+                       continue;
+ 
+               switch (vif->type) {
+@@ -287,7 +289,7 @@ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata,
+                        * point, so take the width from the chandef, but
+                        * account also for TDLS peers
+                        */
+-                      width = max(link_conf->chandef.width,
++                      width = max(link->conf->chandef.width,
+                                   ieee80211_get_max_required_bw(sdata, link_id));
+                       break;
+               case NL80211_IFTYPE_P2P_DEVICE:
+@@ -296,7 +298,7 @@ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata,
+               case NL80211_IFTYPE_ADHOC:
+               case NL80211_IFTYPE_MESH_POINT:
+               case NL80211_IFTYPE_OCB:
+-                      width = link_conf->chandef.width;
++                      width = link->conf->chandef.width;
+                       break;
+               case NL80211_IFTYPE_WDS:
+               case NL80211_IFTYPE_UNSPECIFIED:
+@@ -316,7 +318,8 @@ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata,
+ 
+ static enum nl80211_chan_width
+ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local,
+-                                    struct ieee80211_chanctx_conf *conf)
++                                    struct ieee80211_chanctx *ctx,
++                                    struct ieee80211_link_data *rsvd_for)
+ {
+       struct ieee80211_sub_if_data *sdata;
+       enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT;
+@@ -328,7 +331,8 @@ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local,
+               if (!ieee80211_sdata_running(sdata))
+                       continue;
+ 
+-              width = ieee80211_get_chanctx_vif_max_required_bw(sdata, conf);
++              width = ieee80211_get_chanctx_vif_max_required_bw(sdata, ctx,
++                                                                rsvd_for);
+ 
+               max_bw = max(max_bw, width);
+       }
+@@ -336,8 +340,8 @@ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local,
+       /* use the configured bandwidth in case of monitor interface */
+       sdata = rcu_dereference(local->monitor_sdata);
+       if (sdata &&
+-          rcu_access_pointer(sdata->vif.bss_conf.chanctx_conf) == conf)
+-              max_bw = max(max_bw, conf->def.width);
++          rcu_access_pointer(sdata->vif.bss_conf.chanctx_conf) == &ctx->conf)
++              max_bw = max(max_bw, ctx->conf.def.width);
+ 
+       rcu_read_unlock();
+ 
+@@ -349,8 +353,10 @@ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local,
+  * the max of min required widths of all the interfaces bound to this
+  * channel context.
+  */
+-static u32 _ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local,
+-                                           struct ieee80211_chanctx *ctx)
++static u32
++_ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local,
++                                struct ieee80211_chanctx *ctx,
++                                struct ieee80211_link_data *rsvd_for)
+ {
+       enum nl80211_chan_width max_bw;
+       struct cfg80211_chan_def min_def;
+@@ -370,7 +376,7 @@ static u32 _ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local,
+               return 0;
+       }
+ 
+-      max_bw = ieee80211_get_chanctx_max_required_bw(local, &ctx->conf);
++      max_bw = ieee80211_get_chanctx_max_required_bw(local, ctx, rsvd_for);
+ 
+       /* downgrade chandef up to max_bw */
+       min_def = ctx->conf.def;
+@@ -448,9 +454,10 @@ static void ieee80211_chan_bw_change(struct ieee80211_local *local,
+  * channel context.
+  */
+ void ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local,
+-                                    struct ieee80211_chanctx *ctx)
++                                    struct ieee80211_chanctx *ctx,
++                                    struct ieee80211_link_data *rsvd_for)
+ {
+-      u32 changed = _ieee80211_recalc_chanctx_min_def(local, ctx);
++      u32 changed = _ieee80211_recalc_chanctx_min_def(local, ctx, rsvd_for);
+ 
+       if (!changed)
+               return;
+@@ -464,10 +471,11 @@ void ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local,
+       ieee80211_chan_bw_change(local, ctx, false);
+ }
+ 
+-static void ieee80211_change_chanctx(struct ieee80211_local *local,
+-                                   struct ieee80211_chanctx *ctx,
+-                                   struct ieee80211_chanctx *old_ctx,
+-                                   const struct cfg80211_chan_def *chandef)
++static void _ieee80211_change_chanctx(struct ieee80211_local *local,
++                                    struct ieee80211_chanctx *ctx,
++                                    struct ieee80211_chanctx *old_ctx,
++                                    const struct cfg80211_chan_def *chandef,
++                                    struct ieee80211_link_data *rsvd_for)
+ {
+       u32 changed;
+ 
+@@ -492,7 +500,7 @@ static void ieee80211_change_chanctx(struct ieee80211_local *local,
+       ieee80211_chan_bw_change(local, old_ctx, true);
+ 
+       if (cfg80211_chandef_identical(&ctx->conf.def, chandef)) {
+-              ieee80211_recalc_chanctx_min_def(local, ctx);
++              ieee80211_recalc_chanctx_min_def(local, ctx, rsvd_for);
+               return;
+       }
+ 
+@@ -502,7 +510,7 @@ static void ieee80211_change_chanctx(struct ieee80211_local *local,
+ 
+       /* check if min chanctx also changed */
+       changed = IEEE80211_CHANCTX_CHANGE_WIDTH |
+-                _ieee80211_recalc_chanctx_min_def(local, ctx);
++                _ieee80211_recalc_chanctx_min_def(local, ctx, rsvd_for);
+       drv_change_chanctx(local, ctx, changed);
+ 
+       if (!local->use_chanctx) {
+@@ -514,6 +522,14 @@ static void ieee80211_change_chanctx(struct ieee80211_local *local,
+       ieee80211_chan_bw_change(local, old_ctx, false);
+ }
+ 
++static void ieee80211_change_chanctx(struct ieee80211_local *local,
++                                   struct ieee80211_chanctx *ctx,
++                                   struct ieee80211_chanctx *old_ctx,
++                                   const struct cfg80211_chan_def *chandef)
++{
++      _ieee80211_change_chanctx(local, ctx, old_ctx, chandef, NULL);
++}
++
+ static struct ieee80211_chanctx *
+ ieee80211_find_chanctx(struct ieee80211_local *local,
+                      const struct cfg80211_chan_def *chandef,
+@@ -638,7 +654,7 @@ ieee80211_alloc_chanctx(struct ieee80211_local *local,
+       ctx->conf.rx_chains_dynamic = 1;
+       ctx->mode = mode;
+       ctx->conf.radar_enabled = false;
+-      _ieee80211_recalc_chanctx_min_def(local, ctx);
++      _ieee80211_recalc_chanctx_min_def(local, ctx, NULL);
+ 
+       return ctx;
+ }
+@@ -873,12 +889,12 @@ static int ieee80211_assign_link_chanctx(struct ieee80211_link_data *link,
+               ieee80211_recalc_chanctx_chantype(local, curr_ctx);
+               ieee80211_recalc_smps_chanctx(local, curr_ctx);
+               ieee80211_recalc_radar_chanctx(local, curr_ctx);
+-              ieee80211_recalc_chanctx_min_def(local, curr_ctx);
++              ieee80211_recalc_chanctx_min_def(local, curr_ctx, NULL);
+       }
+ 
+       if (new_ctx && ieee80211_chanctx_num_assigned(local, new_ctx) > 0) {
+               ieee80211_recalc_txpower(sdata, false);
+-              ieee80211_recalc_chanctx_min_def(local, new_ctx);
++              ieee80211_recalc_chanctx_min_def(local, new_ctx, NULL);
+       }
+ 
+       if (sdata->vif.type != NL80211_IFTYPE_P2P_DEVICE &&
+@@ -1270,7 +1286,7 @@ ieee80211_link_use_reserved_reassign(struct ieee80211_link_data *link)
+ 
+       ieee80211_link_update_chandef(link, &link->reserved_chandef);
+ 
+-      ieee80211_change_chanctx(local, new_ctx, old_ctx, chandef);
++      _ieee80211_change_chanctx(local, new_ctx, old_ctx, chandef, link);
+ 
+       vif_chsw[0].vif = &sdata->vif;
+       vif_chsw[0].old_ctx = &old_ctx->conf;
+@@ -1300,7 +1316,7 @@ ieee80211_link_use_reserved_reassign(struct ieee80211_link_data *link)
+       if (ieee80211_chanctx_refcount(local, old_ctx) == 0)
+               ieee80211_free_chanctx(local, old_ctx);
+ 
+-      ieee80211_recalc_chanctx_min_def(local, new_ctx);
++      ieee80211_recalc_chanctx_min_def(local, new_ctx, NULL);
+       ieee80211_recalc_smps_chanctx(local, new_ctx);
+       ieee80211_recalc_radar_chanctx(local, new_ctx);
+ 
+@@ -1665,7 +1681,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local)
+               ieee80211_recalc_chanctx_chantype(local, ctx);
+               ieee80211_recalc_smps_chanctx(local, ctx);
+               ieee80211_recalc_radar_chanctx(local, ctx);
+-              ieee80211_recalc_chanctx_min_def(local, ctx);
++              ieee80211_recalc_chanctx_min_def(local, ctx, NULL);
+ 
+               list_for_each_entry_safe(link, link_tmp, &ctx->reserved_links,
+                                        reserved_chanctx_list) {
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index e57001e00a3d0..27479bbb093ac 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -2475,7 +2475,8 @@ int ieee80211_chanctx_refcount(struct ieee80211_local *local,
+ void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local,
+                                  struct ieee80211_chanctx *chanctx);
+ void ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local,
+-                                    struct ieee80211_chanctx *ctx);
++                                    struct ieee80211_chanctx *ctx,
++                                    struct ieee80211_link_data *rsvd_for);
+ bool ieee80211_is_radar_required(struct ieee80211_local *local);
+ 
+ void ieee80211_dfs_cac_timer(unsigned long data);
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 0785d9393e718..784b9ba61581e 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2899,7 +2899,7 @@ void ieee80211_recalc_min_chandef(struct ieee80211_sub_if_data *sdata,
+ 
+               chanctx = container_of(chanctx_conf, struct ieee80211_chanctx,
+                                      conf);
+-              ieee80211_recalc_chanctx_min_def(local, chanctx);
++              ieee80211_recalc_chanctx_min_def(local, chanctx, NULL);
+       }
+  unlock:
+       mutex_unlock(&local->chanctx_mtx);
+-- 
+2.39.2
+

diff --git a/queue-6.1/wifi-mac80211-recalc-chanctx-mindef-before-assigning.patch b/queue-6.1/wifi-mac80211-recalc-chanctx-mindef-before-assigning.patch
new file mode 100644 (file)
index 0000000..abaf44c
--- /dev/null
+++ b/queue-6.1/wifi-mac80211-recalc-chanctx-mindef-before-assigning.patch
@@ -0,0 +1,52 @@
+From 63c25c7f5707e6fc9781f629160f796740f6d4d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:45:04 +0300
+Subject: wifi: mac80211: recalc chanctx mindef before assigning
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 04312de4ced4b152749614e8179f3978a20a992f ]
+
+When we allocate a new channel context, or find an existing one
+that is compatible, we currently assign it to a link before its
+mindef is updated. This leads to strange situations, especially
+in link switching where you switch to an 80 MHz link and expect
+it to be active immediately, but the mindef is still configured
+to 20 MHz while assigning.  Also, it's strange that the chandef
+passed to the assign method's argument is wider than the one in
+the context.
+
+Fix this by calculating the mindef with the new link considered
+before calling the driver.
+
+In particular, this fixes an iwlwifi problem during link switch
+where the firmware would assert because the (link) station that
+was added for the AP is configured to transmit at a bandwidth
+that's wider than the channel context that it's configured on.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230504134511.828474-5-gregory.greenman@intel.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/chan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
+index c5d345e53056a..f07e34bed8f3a 100644
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -871,6 +871,9 @@ static int ieee80211_assign_link_chanctx(struct ieee80211_link_data *link,
+       }
+ 
+       if (new_ctx) {
++              /* recalc considering the link we'll use it for now */
++              ieee80211_recalc_chanctx_min_def(local, new_ctx, link);
++
+               ret = drv_assign_vif_chanctx(local, sdata, link->conf, new_ctx);
+               if (ret)
+                       goto out;
+-- 
+2.39.2
+

diff --git a/queue-6.1/wifi-mac80211-simplify-chanctx-allocation.patch b/queue-6.1/wifi-mac80211-simplify-chanctx-allocation.patch
new file mode 100644 (file)
index 0000000..22ed9a1
--- /dev/null
+++ b/queue-6.1/wifi-mac80211-simplify-chanctx-allocation.patch
@@ -0,0 +1,38 @@
+From 7f434838953efcf98eb61ea1fbf9ba5288dfef08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:45:02 +0300
+Subject: wifi: mac80211: simplify chanctx allocation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 860e1b43da94551cd1e73adc36b3c64cc3e5dc01 ]
+
+There's no need to call ieee80211_recalc_chanctx_min_def()
+since it cannot and won't call the driver anyway; just use
+_ieee80211_recalc_chanctx_min_def() instead.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230504134511.828474-3-gregory.greenman@intel.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/chan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
+index e72cf0749d492..76c6decb0762c 100644
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -638,7 +638,7 @@ ieee80211_alloc_chanctx(struct ieee80211_local *local,
+       ctx->conf.rx_chains_dynamic = 1;
+       ctx->mode = mode;
+       ctx->conf.radar_enabled = false;
+-      ieee80211_recalc_chanctx_min_def(local, ctx);
++      _ieee80211_recalc_chanctx_min_def(local, ctx);
+ 
+       return ctx;
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch b/queue-6.1/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch
new file mode 100644 (file)
index 0000000..b848f48
--- /dev/null
+++ b/queue-6.1/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch
@@ -0,0 +1,73 @@
+From 3a987ef3d64b51935f14b1131c88e0e404070375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 09:20:55 +0800
+Subject: wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
+
+From: Yun Lu <luyun@kylinos.cn>
+
+[ Upstream commit 20429444e653ee8242dfbf815c0c37866beb371b ]
+
+When using rtl8192cu with rtl8xxxu driver to connect wifi, there is a
+probability of failure, which shows "authentication with ... timed out".
+Through debugging, it was found that the RCR register has been inexplicably
+modified to an incorrect value, resulting in the nic not being able to
+receive authenticated frames.
+
+To fix this problem, add regrcr in rtl8xxxu_priv struct, and store
+the RCR value every time the register is written, and use it the next
+time the register need to be modified.
+
+Signed-off-by: Yun Lu <luyun@kylinos.cn>
+Link: https://lore.kernel.org/all/20230427020512.1221062-1-luyun_611@163.com
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230512012055.2990472-1-luyun_611@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h      | 1 +
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+index 1ba66b8f70c95..cda3b802e89dd 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+@@ -1346,6 +1346,7 @@ struct rtl8xxxu_priv {
+       u32 rege9c;
+       u32 regeb4;
+       u32 regebc;
++      u32 regrcr;
+       int next_mbox;
+       int nr_out_eps;
+ 
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 95c0150f23569..3a9fa3ff37acc 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -4049,6 +4049,7 @@ static int rtl8xxxu_init_device(struct ieee80211_hw *hw)
+               RCR_ACCEPT_MGMT_FRAME | RCR_HTC_LOC_CTRL |
+               RCR_APPEND_PHYSTAT | RCR_APPEND_ICV | RCR_APPEND_MIC;
+       rtl8xxxu_write32(priv, REG_RCR, val32);
++      priv->regrcr = val32;
+ 
+       /*
+        * Accept all multicast
+@@ -6058,7 +6059,7 @@ static void rtl8xxxu_configure_filter(struct ieee80211_hw *hw,
+                                     unsigned int *total_flags, u64 multicast)
+ {
+       struct rtl8xxxu_priv *priv = hw->priv;
+-      u32 rcr = rtl8xxxu_read32(priv, REG_RCR);
++      u32 rcr = priv->regrcr;
+ 
+       dev_dbg(&priv->udev->dev, "%s: changed_flags %08x, total_flags %08x\n",
+               __func__, changed_flags, *total_flags);
+@@ -6104,6 +6105,7 @@ static void rtl8xxxu_configure_filter(struct ieee80211_hw *hw,
+        */
+ 
+       rtl8xxxu_write32(priv, REG_RCR, rcr);
++      priv->regrcr = rcr;
+ 
+       *total_flags &= (FIF_ALLMULTI | FIF_FCSFAIL | FIF_BCN_PRBRESP_PROMISC |
+                        FIF_CONTROL | FIF_OTHER_BSS | FIF_PSPOLL |
+-- 
+2.39.2
+

diff --git a/queue-6.1/xfrm-check-if_id-in-inbound-policy-secpath-match.patch b/queue-6.1/xfrm-check-if_id-in-inbound-policy-secpath-match.patch
new file mode 100644 (file)
index 0000000..7d48f85
--- /dev/null
+++ b/queue-6.1/xfrm-check-if_id-in-inbound-policy-secpath-match.patch
@@ -0,0 +1,79 @@
+From b8054cae01e5f528db33975f384e0a01755b48dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 01:14:14 +0000
+Subject: xfrm: Check if_id in inbound policy/secpath match
+
+From: Benedict Wong <benedictwong@google.com>
+
+[ Upstream commit 8680407b6f8f5fba59e8f1d63c869abc280f04df ]
+
+This change ensures that if configured in the policy, the if_id set in
+the policy and secpath states match during the inbound policy check.
+Without this, there is potential for ambiguity where entries in the
+secpath differing by only the if_id could be mismatched.
+
+Notably, this is checked in the outbound direction when resolving
+templates to SAs, but not on the inbound path when matching SAs and
+policies.
+
+Test: Tested against Android kernel unit tests & CTS
+Signed-off-by: Benedict Wong <benedictwong@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index bc04cb83215f9..e894c269affb1 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3237,7 +3237,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
+ 
+ static inline int
+ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
+-            unsigned short family)
++            unsigned short family, u32 if_id)
+ {
+       if (xfrm_state_kern(x))
+               return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
+@@ -3248,7 +3248,8 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
+               (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
+                !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
+               !(x->props.mode != XFRM_MODE_TRANSPORT &&
+-                xfrm_state_addr_cmp(tmpl, x, family));
++                xfrm_state_addr_cmp(tmpl, x, family)) &&
++              (if_id == 0 || if_id == x->if_id);
+ }
+ 
+ /*
+@@ -3260,7 +3261,7 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
+  */
+ static inline int
+ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
+-             unsigned short family)
++             unsigned short family, u32 if_id)
+ {
+       int idx = start;
+ 
+@@ -3270,7 +3271,7 @@ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int star
+       } else
+               start = -1;
+       for (; idx < sp->len; idx++) {
+-              if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
++              if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id))
+                       return ++idx;
+               if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
+                       if (start == -1)
+@@ -3649,7 +3650,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+                * are implied between each two transformations.
+                */
+               for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
+-                      k = xfrm_policy_ok(tpp[i], sp, k, family);
++                      k = xfrm_policy_ok(tpp[i], sp, k, family, if_id);
+                       if (k < 0) {
+                               if (k < -1)
+                                       /* "-2 - errored_index" returned */
+-- 
+2.39.2
+