]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 6.6
authorSasha Levin <sashal@kernel.org>
Tue, 22 Oct 2024 17:39:26 +0000 (13:39 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 22 Oct 2024 17:39:26 +0000 (13:39 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
107 files changed:
queue-6.6/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch [new file with mode: 0644]
queue-6.6/alsa-hda-cs8409-fix-possible-null-dereference.patch [new file with mode: 0644]
queue-6.6/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch [new file with mode: 0644]
queue-6.6/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch [new file with mode: 0644]
queue-6.6/bpf-add-cookie-to-perf_event-bpf_link_info-records.patch [new file with mode: 0644]
queue-6.6/bpf-add-missed-value-to-kprobe-perf-link-info.patch [new file with mode: 0644]
queue-6.6/bpf-devmap-provide-rxq-after-redirect.patch [new file with mode: 0644]
queue-6.6/bpf-fix-iter-task-tid-filtering.patch [new file with mode: 0644]
queue-6.6/bpf-fix-kfunc-btf-caching-for-modules.patch [new file with mode: 0644]
queue-6.6/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch [new file with mode: 0644]
queue-6.6/bpf-fix-memory-leak-in-bpf_core_apply.patch [new file with mode: 0644]
queue-6.6/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch [new file with mode: 0644]
queue-6.6/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch [new file with mode: 0644]
queue-6.6/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch [new file with mode: 0644]
queue-6.6/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch [new file with mode: 0644]
queue-6.6/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch [new file with mode: 0644]
queue-6.6/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch [new file with mode: 0644]
queue-6.6/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch [new file with mode: 0644]
queue-6.6/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch [new file with mode: 0644]
queue-6.6/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch [new file with mode: 0644]
queue-6.6/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch [new file with mode: 0644]
queue-6.6/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch [new file with mode: 0644]
queue-6.6/drm-msm-dpu-don-t-always-program-merge_3d-block.patch [new file with mode: 0644]
queue-6.6/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch [new file with mode: 0644]
queue-6.6/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch [new file with mode: 0644]
queue-6.6/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch [new file with mode: 0644]
queue-6.6/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch [new file with mode: 0644]
queue-6.6/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch [new file with mode: 0644]
queue-6.6/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch [new file with mode: 0644]
queue-6.6/genetlink-hold-rcu-in-genlmsg_mcast.patch [new file with mode: 0644]
queue-6.6/iio-accel-bma400-fix-uninitialized-variable-field_va.patch [new file with mode: 0644]
queue-6.6/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch [new file with mode: 0644]
queue-6.6/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch [new file with mode: 0644]
queue-6.6/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch [new file with mode: 0644]
queue-6.6/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch [new file with mode: 0644]
queue-6.6/irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch [new file with mode: 0644]
queue-6.6/irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch [new file with mode: 0644]
queue-6.6/irqchip-renesas-rzg2l-document-structure-members.patch [new file with mode: 0644]
queue-6.6/irqchip-renesas-rzg2l-fix-missing-put_device.patch [new file with mode: 0644]
queue-6.6/khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch [new file with mode: 0644]
queue-6.6/khugepaged-inline-hpage_collapse_alloc_folio.patch [new file with mode: 0644]
queue-6.6/khugepaged-remove-hpage-from-collapse_file.patch [new file with mode: 0644]
queue-6.6/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch [new file with mode: 0644]
queue-6.6/macsec-don-t-increment-counters-for-an-unrelated-sa.patch [new file with mode: 0644]
queue-6.6/mm-convert-collapse_huge_page-to-use-a-folio.patch [new file with mode: 0644]
queue-6.6/mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch [new file with mode: 0644]
queue-6.6/mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch [new file with mode: 0644]
queue-6.6/mm-khugepaged-use-a-folio-more-in-collapse_file.patch [new file with mode: 0644]
queue-6.6/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch [new file with mode: 0644]
queue-6.6/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch [new file with mode: 0644]
queue-6.6/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch [new file with mode: 0644]
queue-6.6/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch [new file with mode: 0644]
queue-6.6/net-mlx5-fix-command-bitmask-initialization.patch [new file with mode: 0644]
queue-6.6/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch [new file with mode: 0644]
queue-6.6/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch [new file with mode: 0644]
queue-6.6/net-smc-fix-memory-leak-when-using-percpu-refs.patch [new file with mode: 0644]
queue-6.6/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch [new file with mode: 0644]
queue-6.6/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch [new file with mode: 0644]
queue-6.6/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch [new file with mode: 0644]
queue-6.6/net-usb-usbnet-fix-race-in-probe-failure.patch [new file with mode: 0644]
queue-6.6/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch [new file with mode: 0644]
queue-6.6/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch [new file with mode: 0644]
queue-6.6/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch [new file with mode: 0644]
queue-6.6/nvme-pci-set-doorbell-config-before-unquiescing.patch [new file with mode: 0644]
queue-6.6/octeontx2-af-fix-potential-integer-overflows-on-inte.patch [new file with mode: 0644]
queue-6.6/ravb-remove-setting-of-rx-software-timestamp.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-add-a-check-for-memory-allocation.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-a-possible-memory-leak.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-out-of-bound-check.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-the-gid-table-length.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-return-more-meaningful-error.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-support-new-5760x-p7-devices.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-update-the-bar-offsets.patch [new file with mode: 0644]
queue-6.6/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch [new file with mode: 0644]
queue-6.6/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch [new file with mode: 0644]
queue-6.6/rdma-irdma-fix-misspelling-of-accept.patch [new file with mode: 0644]
queue-6.6/rdma-srpt-make-slab-cache-names-unique.patch [new file with mode: 0644]
queue-6.6/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch [new file with mode: 0644]
queue-6.6/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch [new file with mode: 0644]
queue-6.6/s390-pci-handle-pci-error-codes-other-than-0x3a.patch [new file with mode: 0644]
queue-6.6/sched-core-disable-page-allocation-in-task_tick_mm_c.patch [new file with mode: 0644]
queue-6.6/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch [new file with mode: 0644]
queue-6.6/selftests-bpf-add-cookies-check-for-perf_event-fill_.patch [new file with mode: 0644]
queue-6.6/selftests-bpf-fix-cross-compiling-urandom_read.patch [new file with mode: 0644]
queue-6.6/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch [new file with mode: 0644]
queue-6.6/selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch [new file with mode: 0644]
queue-6.6/smb-client-fix-possible-double-free-in-smb2_set_ea.patch [new file with mode: 0644]
queue-6.6/task_work-add-twa_nmi_current-as-an-additional-notif.patch [new file with mode: 0644]
queue-6.6/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch [new file with mode: 0644]
queue-6.6/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch [new file with mode: 0644]
queue-6.6/usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch [new file with mode: 0644]
queue-6.6/usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch [new file with mode: 0644]
queue-6.6/usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch [new file with mode: 0644]
queue-6.6/usb-typec-altmode-should-keep-reference-to-parent.patch [new file with mode: 0644]
queue-6.6/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch [new file with mode: 0644]
queue-6.6/vsock-update-msg_count-on-read_skb.patch [new file with mode: 0644]
queue-6.6/vsock-update-rx_bytes-on-read_skb.patch [new file with mode: 0644]
queue-6.6/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch [new file with mode: 0644]
queue-6.6/xhci-dbc-honor-usb-transfer-size-boundaries.patch [new file with mode: 0644]
queue-6.6/xhci-dbgtty-remove-kfifo_out-wrapper.patch [new file with mode: 0644]
queue-6.6/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch [new file with mode: 0644]
queue-6.6/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch [new file with mode: 0644]

diff --git a/queue-6.6/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch b/queue-6.6/accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch
new file mode 100644 (file)
index 0000000..61c2e3e
--- /dev/null
@@ -0,0 +1,74 @@
+From 087442f17f403f0a2af0559a0b6142849066dcf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 13:32:52 -0600
+Subject: accel/qaic: Fix the for loop used to walk SG table
+
+From: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
+
+[ Upstream commit c5e8e93897b7bb0a336bf3332f82f8d9f2b33f14 ]
+
+Only for_each_sgtable_dma_sg() should be used to walk through a SG table
+to grab correct bus address and length pair after calling DMA MAP API on
+a SG table as DMA MAP APIs updates the SG table and for_each_sgtable_sg()
+walks through the original SG table.
+
+Fixes: ff13be830333 ("accel/qaic: Add datapath")
+Fixes: 129776ac2e38 ("accel/qaic: Add control path")
+Signed-off-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Reviewed-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241004193252.3888544-1-quic_jhugo@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/accel/qaic/qaic_control.c | 2 +-
+ drivers/accel/qaic/qaic_data.c    | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c
+index 388abd40024ba..f3db3fa91dd52 100644
+--- a/drivers/accel/qaic/qaic_control.c
++++ b/drivers/accel/qaic/qaic_control.c
+@@ -496,7 +496,7 @@ static int encode_addr_size_pairs(struct dma_xfer *xfer, struct wrapper_list *wr
+       nents = sgt->nents;
+       nents_dma = nents;
+       *size = QAIC_MANAGE_EXT_MSG_LENGTH - msg_hdr_len - sizeof(**out_trans);
+-      for_each_sgtable_sg(sgt, sg, i) {
++      for_each_sgtable_dma_sg(sgt, sg, i) {
+               *size -= sizeof(*asp);
+               /* Save 1K for possible follow-up transactions. */
+               if (*size < SZ_1K) {
+diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
+index ed1a5af434f24..d2f8c70a77a5b 100644
+--- a/drivers/accel/qaic/qaic_data.c
++++ b/drivers/accel/qaic/qaic_data.c
+@@ -177,7 +177,7 @@ static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_tabl
+       nents = 0;
+       size = size ? size : PAGE_SIZE;
+-      for (sg = sgt_in->sgl; sg; sg = sg_next(sg)) {
++      for_each_sgtable_dma_sg(sgt_in, sg, j) {
+               len = sg_dma_len(sg);
+               if (!len)
+@@ -214,7 +214,7 @@ static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_tabl
+       /* copy relevant sg node and fix page and length */
+       sgn = sgf;
+-      for_each_sgtable_sg(sgt, sg, j) {
++      for_each_sgtable_dma_sg(sgt, sg, j) {
+               memcpy(sg, sgn, sizeof(*sg));
+               if (sgn == sgf) {
+                       sg_dma_address(sg) += offf;
+@@ -294,7 +294,7 @@ static int encode_reqs(struct qaic_device *qdev, struct bo_slice *slice,
+        * fence.
+        */
+       dev_addr = req->dev_addr;
+-      for_each_sgtable_sg(slice->sgt, sg, i) {
++      for_each_sgtable_dma_sg(slice->sgt, sg, i) {
+               slice->reqs[i].cmd = cmd;
+               slice->reqs[i].src_addr = cpu_to_le64(slice->dir == DMA_TO_DEVICE ?
+                                                     sg_dma_address(sg) : dev_addr);
+-- 
+2.43.0
+
diff --git a/queue-6.6/alsa-hda-cs8409-fix-possible-null-dereference.patch b/queue-6.6/alsa-hda-cs8409-fix-possible-null-dereference.patch
new file mode 100644 (file)
index 0000000..dc90c68
--- /dev/null
@@ -0,0 +1,45 @@
+From 050629f4187d49348f235d80f774f7825beca95f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 01:16:45 +0300
+Subject: ALSA: hda/cs8409: Fix possible NULL dereference
+
+From: Murad Masimov <m.masimov@maxima.ru>
+
+[ Upstream commit c9bd4a82b4ed32c6d1c90500a52063e6e341517f ]
+
+If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then
+NULL pointer dereference will occur in the next line.
+
+Since dolphin_fixups function is a hda_fixup function which is not supposed
+to return any errors, add simple check before dereference, ignore the fail.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 20e507724113 ("ALSA: hda/cs8409: Add support for dolphin")
+Signed-off-by: Murad Masimov <m.masimov@maxima.ru>
+Link: https://patch.msgid.link/20241010221649.1305-1-m.masimov@maxima.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_cs8409.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_cs8409.c b/sound/pci/hda/patch_cs8409.c
+index e41316e2e9833..892223d9e64ab 100644
+--- a/sound/pci/hda/patch_cs8409.c
++++ b/sound/pci/hda/patch_cs8409.c
+@@ -1411,8 +1411,9 @@ void dolphin_fixups(struct hda_codec *codec, const struct hda_fixup *fix, int ac
+               kctrl = snd_hda_gen_add_kctl(&spec->gen, "Line Out Playback Volume",
+                                            &cs42l42_dac_volume_mixer);
+               /* Update Line Out kcontrol template */
+-              kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1,
+-                                     HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE;
++              if (kctrl)
++                      kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1,
++                                             HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE;
+               cs8409_enable_ur(codec, 0);
+               snd_hda_codec_set_name(codec, "CS8409/CS42L42");
+               break;
+-- 
+2.43.0
+
diff --git a/queue-6.6/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch b/queue-6.6/arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch
new file mode 100644 (file)
index 0000000..a01a17d
--- /dev/null
@@ -0,0 +1,42 @@
+From cd0d3111802015d87e22970c4196f90e0cd1f5d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 02:03:11 +0300
+Subject: ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin
+
+From: Florian Klink <flokli@flokli.de>
+
+[ Upstream commit dc7785e4723510616d776862ddb4c08857a1bdb2 ]
+
+HDMI_HPD_N_1V8 is connected to GPIO pin 0, not 1.
+
+This fixes HDMI hotplug/output detection.
+
+See https://datasheets.raspberrypi.com/cm/cm3-schematics.pdf
+
+Signed-off-by: Florian Klink <flokli@flokli.de>
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/20240715230311.685641-1-flokli@flokli.de
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Fixes: a54fe8a6cf66 ("ARM: dts: add Raspberry Pi Compute Module 3 and IO board")
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts b/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts
+index 72d26d130efaa..85f54fa595aa8 100644
+--- a/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts
++++ b/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts
+@@ -77,7 +77,7 @@
+ };
+ &hdmi {
+-      hpd-gpios = <&expgpio 1 GPIO_ACTIVE_LOW>;
++      hpd-gpios = <&expgpio 0 GPIO_ACTIVE_LOW>;
+       power-domains = <&power RPI_POWER_DOMAIN_HDMI>;
+       status = "okay";
+ };
+-- 
+2.43.0
+
diff --git a/queue-6.6/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch b/queue-6.6/bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch
new file mode 100644 (file)
index 0000000..bbd59a6
--- /dev/null
@@ -0,0 +1,50 @@
+From 0fc8b8e9934cc29aabaa70020e3ed1f8a189c0b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 17:07:08 +0800
+Subject: Bluetooth: bnep: fix wild-memory-access in proto_unregister
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit 64a90991ba8d4e32e3173ddd83d0b24167a5668c ]
+
+There's issue as follows:
+  KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]
+  CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G        W
+  RIP: 0010:proto_unregister+0xee/0x400
+  Call Trace:
+   <TASK>
+   __do_sys_delete_module+0x318/0x580
+   do_syscall_64+0xc1/0x1d0
+   entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init()
+will cleanup all resource. Then when remove bnep module will call
+bnep_sock_cleanup() to cleanup sock's resource.
+To solve above issue just return bnep_sock_init()'s return value in
+bnep_exit().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/bnep/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
+index a660c428e2207..38f542665f196 100644
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -745,8 +745,7 @@ static int __init bnep_init(void)
+       if (flt[0])
+               BT_INFO("BNEP filters: %s", flt);
+-      bnep_sock_init();
+-      return 0;
++      return bnep_sock_init();
+ }
+ static void __exit bnep_exit(void)
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-add-cookie-to-perf_event-bpf_link_info-records.patch b/queue-6.6/bpf-add-cookie-to-perf_event-bpf_link_info-records.patch
new file mode 100644 (file)
index 0000000..9b4f757
--- /dev/null
@@ -0,0 +1,138 @@
+From e694863fd2d7f73184cf3a52891b3b0ae0d29512 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 12:04:58 +0100
+Subject: bpf: Add cookie to perf_event bpf_link_info records
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit d5c16492c66fbfca85f36e42363d32212df5927b ]
+
+At the moment we don't store cookie for perf_event probes,
+while we do that for the rest of the probes.
+
+Adding cookie fields to struct bpf_link_info perf event
+probe records:
+
+  perf_event.uprobe
+  perf_event.kprobe
+  perf_event.tracepoint
+  perf_event.perf_event
+
+And the code to store that in bpf_link_info struct.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Song Liu <song@kernel.org>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/r/20240119110505.400573-2-jolsa@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 4deecdd29cf2 ("bpf: fix unpopulated name_len field in perf_event link info")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h       | 6 ++++++
+ kernel/bpf/syscall.c           | 4 ++++
+ tools/include/uapi/linux/bpf.h | 6 ++++++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 6ea588d1ae149..431bc700bcfb9 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -6556,6 +6556,7 @@ struct bpf_link_info {
+                                       __aligned_u64 file_name; /* in/out */
+                                       __u32 name_len;
+                                       __u32 offset; /* offset from file_name */
++                                      __u64 cookie;
+                               } uprobe; /* BPF_PERF_EVENT_UPROBE, BPF_PERF_EVENT_URETPROBE */
+                               struct {
+                                       __aligned_u64 func_name; /* in/out */
+@@ -6563,14 +6564,19 @@ struct bpf_link_info {
+                                       __u32 offset; /* offset from func_name */
+                                       __u64 addr;
+                                       __u64 missed;
++                                      __u64 cookie;
+                               } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */
+                               struct {
+                                       __aligned_u64 tp_name;   /* in/out */
+                                       __u32 name_len;
++                                      __u32 :32;
++                                      __u64 cookie;
+                               } tracepoint; /* BPF_PERF_EVENT_TRACEPOINT */
+                               struct {
+                                       __u64 config;
+                                       __u32 type;
++                                      __u32 :32;
++                                      __u64 cookie;
+                               } event; /* BPF_PERF_EVENT_EVENT */
+                       };
+               } perf_event;
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 9c76f21f187f6..1d04d098f57db 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3500,6 +3500,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+       if (!kallsyms_show_value(current_cred()))
+               addr = 0;
+       info->perf_event.kprobe.addr = addr;
++      info->perf_event.kprobe.cookie = event->bpf_cookie;
+       return 0;
+ }
+ #endif
+@@ -3525,6 +3526,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event,
+       else
+               info->perf_event.type = BPF_PERF_EVENT_UPROBE;
+       info->perf_event.uprobe.offset = offset;
++      info->perf_event.uprobe.cookie = event->bpf_cookie;
+       return 0;
+ }
+ #endif
+@@ -3552,6 +3554,7 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event,
+       uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name);
+       ulen = info->perf_event.tracepoint.name_len;
+       info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT;
++      info->perf_event.tracepoint.cookie = event->bpf_cookie;
+       return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL);
+ }
+@@ -3560,6 +3563,7 @@ static int bpf_perf_link_fill_perf_event(const struct perf_event *event,
+ {
+       info->perf_event.event.type = event->attr.type;
+       info->perf_event.event.config = event->attr.config;
++      info->perf_event.event.cookie = event->bpf_cookie;
+       info->perf_event.type = BPF_PERF_EVENT_EVENT;
+       return 0;
+ }
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index acda713f8b4d1..977ec094bc2a6 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -6559,6 +6559,7 @@ struct bpf_link_info {
+                                       __aligned_u64 file_name; /* in/out */
+                                       __u32 name_len;
+                                       __u32 offset; /* offset from file_name */
++                                      __u64 cookie;
+                               } uprobe; /* BPF_PERF_EVENT_UPROBE, BPF_PERF_EVENT_URETPROBE */
+                               struct {
+                                       __aligned_u64 func_name; /* in/out */
+@@ -6566,14 +6567,19 @@ struct bpf_link_info {
+                                       __u32 offset; /* offset from func_name */
+                                       __u64 addr;
+                                       __u64 missed;
++                                      __u64 cookie;
+                               } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */
+                               struct {
+                                       __aligned_u64 tp_name;   /* in/out */
+                                       __u32 name_len;
++                                      __u32 :32;
++                                      __u64 cookie;
+                               } tracepoint; /* BPF_PERF_EVENT_TRACEPOINT */
+                               struct {
+                                       __u64 config;
+                                       __u32 type;
++                                      __u32 :32;
++                                      __u64 cookie;
+                               } event; /* BPF_PERF_EVENT_EVENT */
+                       };
+               } perf_event;
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-add-missed-value-to-kprobe-perf-link-info.patch b/queue-6.6/bpf-add-missed-value-to-kprobe-perf-link-info.patch
new file mode 100644 (file)
index 0000000..5a45d49
--- /dev/null
@@ -0,0 +1,230 @@
+From a60c16cdffe27ae93b2e484fcf0744346dd59736 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Sep 2023 23:31:39 +0200
+Subject: bpf: Add missed value to kprobe perf link info
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 3acf8ace68230e9558cf916847f1cc9f208abdf1 ]
+
+Add missed value to kprobe attached through perf link info to
+hold the stats of missed kprobe handler execution.
+
+The kprobe's missed counter gets incremented when kprobe handler
+is not executed due to another kprobe running on the same cpu.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20230920213145.1941596-4-jolsa@kernel.org
+Stable-dep-of: 4deecdd29cf2 ("bpf: fix unpopulated name_len field in perf_event link info")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/trace_events.h   |  6 ++++--
+ include/uapi/linux/bpf.h       |  1 +
+ kernel/bpf/syscall.c           | 14 ++++++++------
+ kernel/trace/bpf_trace.c       |  5 +++--
+ kernel/trace/trace_kprobe.c    | 14 +++++++++++---
+ tools/include/uapi/linux/bpf.h |  1 +
+ 6 files changed, 28 insertions(+), 13 deletions(-)
+
+diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h
+index cb8bd759e8005..9d799777c333c 100644
+--- a/include/linux/trace_events.h
++++ b/include/linux/trace_events.h
+@@ -765,7 +765,8 @@ struct bpf_raw_event_map *bpf_get_raw_tracepoint(const char *name);
+ void bpf_put_raw_tracepoint(struct bpf_raw_event_map *btp);
+ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id,
+                           u32 *fd_type, const char **buf,
+-                          u64 *probe_offset, u64 *probe_addr);
++                          u64 *probe_offset, u64 *probe_addr,
++                          unsigned long *missed);
+ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *prog);
+ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *prog);
+ #else
+@@ -805,7 +806,7 @@ static inline void bpf_put_raw_tracepoint(struct bpf_raw_event_map *btp)
+ static inline int bpf_get_perf_event_info(const struct perf_event *event,
+                                         u32 *prog_id, u32 *fd_type,
+                                         const char **buf, u64 *probe_offset,
+-                                        u64 *probe_addr)
++                                        u64 *probe_addr, unsigned long *missed)
+ {
+       return -EOPNOTSUPP;
+ }
+@@ -880,6 +881,7 @@ extern void perf_kprobe_destroy(struct perf_event *event);
+ extern int bpf_get_kprobe_info(const struct perf_event *event,
+                              u32 *fd_type, const char **symbol,
+                              u64 *probe_offset, u64 *probe_addr,
++                             unsigned long *missed,
+                              bool perf_type_tracepoint);
+ #endif
+ #ifdef CONFIG_UPROBE_EVENTS
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 4bb38409b26ad..6ea588d1ae149 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -6562,6 +6562,7 @@ struct bpf_link_info {
+                                       __u32 name_len;
+                                       __u32 offset; /* offset from func_name */
+                                       __u64 addr;
++                                      __u64 missed;
+                               } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */
+                               struct {
+                                       __aligned_u64 tp_name;   /* in/out */
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index b1933d074f051..9c76f21f187f6 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3444,7 +3444,7 @@ static void bpf_perf_link_dealloc(struct bpf_link *link)
+ static int bpf_perf_link_fill_common(const struct perf_event *event,
+                                    char __user *uname, u32 ulen,
+                                    u64 *probe_offset, u64 *probe_addr,
+-                                   u32 *fd_type)
++                                   u32 *fd_type, unsigned long *missed)
+ {
+       const char *buf;
+       u32 prog_id;
+@@ -3455,7 +3455,7 @@ static int bpf_perf_link_fill_common(const struct perf_event *event,
+               return -EINVAL;
+       err = bpf_get_perf_event_info(event, &prog_id, fd_type, &buf,
+-                                    probe_offset, probe_addr);
++                                    probe_offset, probe_addr, missed);
+       if (err)
+               return err;
+       if (!uname)
+@@ -3478,6 +3478,7 @@ static int bpf_perf_link_fill_common(const struct perf_event *event,
+ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+                                    struct bpf_link_info *info)
+ {
++      unsigned long missed;
+       char __user *uname;
+       u64 addr, offset;
+       u32 ulen, type;
+@@ -3486,7 +3487,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+       uname = u64_to_user_ptr(info->perf_event.kprobe.func_name);
+       ulen = info->perf_event.kprobe.name_len;
+       err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr,
+-                                      &type);
++                                      &type, &missed);
+       if (err)
+               return err;
+       if (type == BPF_FD_TYPE_KRETPROBE)
+@@ -3495,6 +3496,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+               info->perf_event.type = BPF_PERF_EVENT_KPROBE;
+       info->perf_event.kprobe.offset = offset;
++      info->perf_event.kprobe.missed = missed;
+       if (!kallsyms_show_value(current_cred()))
+               addr = 0;
+       info->perf_event.kprobe.addr = addr;
+@@ -3514,7 +3516,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event,
+       uname = u64_to_user_ptr(info->perf_event.uprobe.file_name);
+       ulen = info->perf_event.uprobe.name_len;
+       err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr,
+-                                      &type);
++                                      &type, NULL);
+       if (err)
+               return err;
+@@ -3550,7 +3552,7 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event,
+       uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name);
+       ulen = info->perf_event.tracepoint.name_len;
+       info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT;
+-      return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL);
++      return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL);
+ }
+ static int bpf_perf_link_fill_perf_event(const struct perf_event *event,
+@@ -4897,7 +4899,7 @@ static int bpf_task_fd_query(const union bpf_attr *attr,
+               err = bpf_get_perf_event_info(event, &prog_id, &fd_type,
+                                             &buf, &probe_offset,
+-                                            &probe_addr);
++                                            &probe_addr, NULL);
+               if (!err)
+                       err = bpf_task_fd_query_copy(attr, uattr, prog_id,
+                                                    fd_type, buf,
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index eca858bde8047..bbdc4199748bd 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -2389,7 +2389,8 @@ int bpf_probe_unregister(struct bpf_raw_event_map *btp, struct bpf_prog *prog)
+ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id,
+                           u32 *fd_type, const char **buf,
+-                          u64 *probe_offset, u64 *probe_addr)
++                          u64 *probe_offset, u64 *probe_addr,
++                          unsigned long *missed)
+ {
+       bool is_tracepoint, is_syscall_tp;
+       struct bpf_prog *prog;
+@@ -2424,7 +2425,7 @@ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id,
+ #ifdef CONFIG_KPROBE_EVENTS
+               if (flags & TRACE_EVENT_FL_KPROBE)
+                       err = bpf_get_kprobe_info(event, fd_type, buf,
+-                                                probe_offset, probe_addr,
++                                                probe_offset, probe_addr, missed,
+                                                 event->attr.type == PERF_TYPE_TRACEPOINT);
+ #endif
+ #ifdef CONFIG_UPROBE_EVENTS
+diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
+index 47812aa16bb57..52f8b537dd0a0 100644
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -1249,6 +1249,12 @@ static const struct file_operations kprobe_events_ops = {
+       .write          = probes_write,
+ };
++static unsigned long trace_kprobe_missed(struct trace_kprobe *tk)
++{
++      return trace_kprobe_is_return(tk) ?
++              tk->rp.kp.nmissed + tk->rp.nmissed : tk->rp.kp.nmissed;
++}
++
+ /* Probes profiling interfaces */
+ static int probes_profile_seq_show(struct seq_file *m, void *v)
+ {
+@@ -1260,8 +1266,7 @@ static int probes_profile_seq_show(struct seq_file *m, void *v)
+               return 0;
+       tk = to_trace_kprobe(ev);
+-      nmissed = trace_kprobe_is_return(tk) ?
+-              tk->rp.kp.nmissed + tk->rp.nmissed : tk->rp.kp.nmissed;
++      nmissed = trace_kprobe_missed(tk);
+       seq_printf(m, "  %-44s %15lu %15lu\n",
+                  trace_probe_name(&tk->tp),
+                  trace_kprobe_nhit(tk),
+@@ -1607,7 +1612,8 @@ NOKPROBE_SYMBOL(kretprobe_perf_func);
+ int bpf_get_kprobe_info(const struct perf_event *event, u32 *fd_type,
+                       const char **symbol, u64 *probe_offset,
+-                      u64 *probe_addr, bool perf_type_tracepoint)
++                      u64 *probe_addr, unsigned long *missed,
++                      bool perf_type_tracepoint)
+ {
+       const char *pevent = trace_event_name(event->tp_event);
+       const char *group = event->tp_event->class->system;
+@@ -1626,6 +1632,8 @@ int bpf_get_kprobe_info(const struct perf_event *event, u32 *fd_type,
+       *probe_addr = kallsyms_show_value(current_cred()) ?
+                     (unsigned long)tk->rp.kp.addr : 0;
+       *symbol = tk->symbol;
++      if (missed)
++              *missed = trace_kprobe_missed(tk);
+       return 0;
+ }
+ #endif        /* CONFIG_PERF_EVENTS */
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index ba6e346c8d669..acda713f8b4d1 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -6565,6 +6565,7 @@ struct bpf_link_info {
+                                       __u32 name_len;
+                                       __u32 offset; /* offset from func_name */
+                                       __u64 addr;
++                                      __u64 missed;
+                               } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */
+                               struct {
+                                       __aligned_u64 tp_name;   /* in/out */
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-devmap-provide-rxq-after-redirect.patch b/queue-6.6/bpf-devmap-provide-rxq-after-redirect.patch
new file mode 100644 (file)
index 0000000..44776bd
--- /dev/null
@@ -0,0 +1,156 @@
+From 8de3f8ae6f79fed297e22563dd0efd14a8f6f713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 10:41:18 +0200
+Subject: bpf: devmap: provide rxq after redirect
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Florian Kauer <florian.kauer@linutronix.de>
+
+[ Upstream commit ca9984c5f0ab3690d98b13937b2485a978c8dd73 ]
+
+rxq contains a pointer to the device from where
+the redirect happened. Currently, the BPF program
+that was executed after a redirect via BPF_MAP_TYPE_DEVMAP*
+does not have it set.
+
+This is particularly bad since accessing ingress_ifindex, e.g.
+
+SEC("xdp")
+int prog(struct xdp_md *pkt)
+{
+        return bpf_redirect_map(&dev_redirect_map, 0, 0);
+}
+
+SEC("xdp/devmap")
+int prog_after_redirect(struct xdp_md *pkt)
+{
+        bpf_printk("ifindex %i", pkt->ingress_ifindex);
+        return XDP_PASS;
+}
+
+depends on access to rxq, so a NULL pointer gets dereferenced:
+
+<1>[  574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000
+<1>[  574.475188] #PF: supervisor read access in kernel mode
+<1>[  574.475194] #PF: error_code(0x0000) - not-present page
+<6>[  574.475199] PGD 0 P4D 0
+<4>[  574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
+<4>[  574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23
+<4>[  574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023
+<4>[  574.475231] Workqueue: mld mld_ifc_work
+<4>[  574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
+<4>[  574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b
+<4>[  574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206
+<4>[  574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000
+<4>[  574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0
+<4>[  574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001
+<4>[  574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000
+<4>[  574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000
+<4>[  574.475289] FS:  0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000
+<4>[  574.475294] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4>[  574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0
+<4>[  574.475303] PKRU: 55555554
+<4>[  574.475306] Call Trace:
+<4>[  574.475313]  <IRQ>
+<4>[  574.475318]  ? __die+0x23/0x70
+<4>[  574.475329]  ? page_fault_oops+0x180/0x4c0
+<4>[  574.475339]  ? skb_pp_cow_data+0x34c/0x490
+<4>[  574.475346]  ? kmem_cache_free+0x257/0x280
+<4>[  574.475357]  ? exc_page_fault+0x67/0x150
+<4>[  574.475368]  ? asm_exc_page_fault+0x26/0x30
+<4>[  574.475381]  ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
+<4>[  574.475386]  bq_xmit_all+0x158/0x420
+<4>[  574.475397]  __dev_flush+0x30/0x90
+<4>[  574.475407]  veth_poll+0x216/0x250 [veth]
+<4>[  574.475421]  __napi_poll+0x28/0x1c0
+<4>[  574.475430]  net_rx_action+0x32d/0x3a0
+<4>[  574.475441]  handle_softirqs+0xcb/0x2c0
+<4>[  574.475451]  do_softirq+0x40/0x60
+<4>[  574.475458]  </IRQ>
+<4>[  574.475461]  <TASK>
+<4>[  574.475464]  __local_bh_enable_ip+0x66/0x70
+<4>[  574.475471]  __dev_queue_xmit+0x268/0xe40
+<4>[  574.475480]  ? selinux_ip_postroute+0x213/0x420
+<4>[  574.475491]  ? alloc_skb_with_frags+0x4a/0x1d0
+<4>[  574.475502]  ip6_finish_output2+0x2be/0x640
+<4>[  574.475512]  ? nf_hook_slow+0x42/0xf0
+<4>[  574.475521]  ip6_finish_output+0x194/0x300
+<4>[  574.475529]  ? __pfx_ip6_finish_output+0x10/0x10
+<4>[  574.475538]  mld_sendpack+0x17c/0x240
+<4>[  574.475548]  mld_ifc_work+0x192/0x410
+<4>[  574.475557]  process_one_work+0x15d/0x380
+<4>[  574.475566]  worker_thread+0x29d/0x3a0
+<4>[  574.475573]  ? __pfx_worker_thread+0x10/0x10
+<4>[  574.475580]  ? __pfx_worker_thread+0x10/0x10
+<4>[  574.475587]  kthread+0xcd/0x100
+<4>[  574.475597]  ? __pfx_kthread+0x10/0x10
+<4>[  574.475606]  ret_from_fork+0x31/0x50
+<4>[  574.475615]  ? __pfx_kthread+0x10/0x10
+<4>[  574.475623]  ret_from_fork_asm+0x1a/0x30
+<4>[  574.475635]  </TASK>
+<4>[  574.475637] Modules linked in: veth br_netfilter bridge stp llc iwlmvm x86_pkg_temp_thermal iwlwifi efivarfs nvme nvme_core
+<4>[  574.475662] CR2: 0000000000000000
+<4>[  574.475668] ---[ end trace 0000000000000000 ]---
+
+Therefore, provide it to the program by setting rxq properly.
+
+Fixes: cb261b594b41 ("bpf: Run devmap xdp_prog on flush instead of bulk enqueue")
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Florian Kauer <florian.kauer@linutronix.de>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20240911-devel-koalo-fix-ingress-ifindex-v4-1-5c643ae10258@linutronix.de
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/devmap.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index 69e78dc4bb18e..96b0345f76c2c 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -322,9 +322,11 @@ static int dev_map_hash_get_next_key(struct bpf_map *map, void *key,
+ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog,
+                               struct xdp_frame **frames, int n,
+-                              struct net_device *dev)
++                              struct net_device *tx_dev,
++                              struct net_device *rx_dev)
+ {
+-      struct xdp_txq_info txq = { .dev = dev };
++      struct xdp_txq_info txq = { .dev = tx_dev };
++      struct xdp_rxq_info rxq = { .dev = rx_dev };
+       struct xdp_buff xdp;
+       int i, nframes = 0;
+@@ -335,6 +337,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog,
+               xdp_convert_frame_to_buff(xdpf, &xdp);
+               xdp.txq = &txq;
++              xdp.rxq = &rxq;
+               act = bpf_prog_run_xdp(xdp_prog, &xdp);
+               switch (act) {
+@@ -349,7 +352,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog,
+                       bpf_warn_invalid_xdp_action(NULL, xdp_prog, act);
+                       fallthrough;
+               case XDP_ABORTED:
+-                      trace_xdp_exception(dev, xdp_prog, act);
++                      trace_xdp_exception(tx_dev, xdp_prog, act);
+                       fallthrough;
+               case XDP_DROP:
+                       xdp_return_frame_rx_napi(xdpf);
+@@ -377,7 +380,7 @@ static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags)
+       }
+       if (bq->xdp_prog) {
+-              to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev);
++              to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev, bq->dev_rx);
+               if (!to_send)
+                       goto out;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-fix-iter-task-tid-filtering.patch b/queue-6.6/bpf-fix-iter-task-tid-filtering.patch
new file mode 100644 (file)
index 0000000..b984100
--- /dev/null
@@ -0,0 +1,40 @@
+From 12eb8ce4056e3f8939ce627d0f948877d8ef346e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 14:00:47 -0700
+Subject: bpf: Fix iter/task tid filtering
+
+From: Jordan Rome <linux@jordanrome.com>
+
+[ Upstream commit 9495a5b731fcaf580448a3438d63601c88367661 ]
+
+In userspace, you can add a tid filter by setting
+the "task.tid" field for "bpf_iter_link_info".
+However, `get_pid_task` when called for the
+`BPF_TASK_ITER_TID` type should have been using
+`PIDTYPE_PID` (tid) instead of `PIDTYPE_TGID` (pid).
+
+Fixes: f0d74c4da1f0 ("bpf: Parameterize task iterators.")
+Signed-off-by: Jordan Rome <linux@jordanrome.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20241016210048.1213935-1-linux@jordanrome.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/task_iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c
+index c4ab9d6cdbe9c..f7ef58090c7d0 100644
+--- a/kernel/bpf/task_iter.c
++++ b/kernel/bpf/task_iter.c
+@@ -119,7 +119,7 @@ static struct task_struct *task_seq_get_next(struct bpf_iter_seq_task_common *co
+               rcu_read_lock();
+               pid = find_pid_ns(common->pid, common->ns);
+               if (pid) {
+-                      task = get_pid_task(pid, PIDTYPE_TGID);
++                      task = get_pid_task(pid, PIDTYPE_PID);
+                       *tid = common->pid;
+               }
+               rcu_read_unlock();
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-fix-kfunc-btf-caching-for-modules.patch b/queue-6.6/bpf-fix-kfunc-btf-caching-for-modules.patch
new file mode 100644 (file)
index 0000000..b4c2f7d
--- /dev/null
@@ -0,0 +1,82 @@
+From 95792cd4e5b7702acba24370c124fe9dd8218e33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 15:27:07 +0200
+Subject: bpf: fix kfunc btf caching for modules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 6cb86a0fdece87e126323ec1bb19deb16a52aedf ]
+
+The verifier contains a cache for looking up module BTF objects when
+calling kfuncs defined in modules. This cache uses a 'struct
+bpf_kfunc_btf_tab', which contains a sorted list of BTF objects that
+were already seen in the current verifier run, and the BTF objects are
+looked up by the offset stored in the relocated call instruction using
+bsearch().
+
+The first time a given offset is seen, the module BTF is loaded from the
+file descriptor passed in by libbpf, and stored into the cache. However,
+there's a bug in the code storing the new entry: it stores a pointer to
+the new cache entry, then calls sort() to keep the cache sorted for the
+next lookup using bsearch(), and then returns the entry that was just
+stored through the stored pointer. However, because sort() modifies the
+list of entries in place *by value*, the stored pointer may no longer
+point to the right entry, in which case the wrong BTF object will be
+returned.
+
+The end result of this is an intermittent bug where, if a BPF program
+calls two functions with the same signature in two different modules,
+the function from the wrong module may sometimes end up being called.
+Whether this happens depends on the order of the calls in the BPF
+program (as that affects whether sort() reorders the array of BTF
+objects), making it especially hard to track down. Simon, credited as
+reporter below, spent significant effort analysing and creating a
+reproducer for this issue. The reproducer is added as a selftest in a
+subsequent patch.
+
+The fix is straight forward: simply don't use the stored pointer after
+calling sort(). Since we already have an on-stack pointer to the BTF
+object itself at the point where the function return, just use that, and
+populate it from the cache entry in the branch where the lookup
+succeeds.
+
+Fixes: 2357672c54c3 ("bpf: Introduce BPF support for kernel module function calls")
+Reported-by: Simon Sundberg <simon.sundberg@kau.se>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20241010-fix-kfunc-btf-caching-for-modules-v2-1-745af6c1af98@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 3032a464d31bb..d1050479cbb33 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2799,10 +2799,16 @@ static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env,
+               b->module = mod;
+               b->offset = offset;
++              /* sort() reorders entries by value, so b may no longer point
++               * to the right entry after this
++               */
+               sort(tab->descs, tab->nr_descs, sizeof(tab->descs[0]),
+                    kfunc_btf_cmp_by_off, NULL);
++      } else {
++              btf = b->btf;
+       }
+-      return b->btf;
++
++      return btf;
+ }
+ void bpf_free_kfunc_btf_tab(struct bpf_kfunc_btf_tab *tab)
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch b/queue-6.6/bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch
new file mode 100644 (file)
index 0000000..d922ba9
--- /dev/null
@@ -0,0 +1,44 @@
+From 420ddcbfd92753965bea2e6072dfb15264583fb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 19:32:51 +0000
+Subject: bpf: Fix link info netfilter flags to populate defrag flag
+
+From: Tyrone Wu <wudevelops@gmail.com>
+
+[ Upstream commit 92f3715e1eba1d41e55be06159dc3d856b18326d ]
+
+This fix correctly populates the `bpf_link_info.netfilter.flags` field
+when user passes the `BPF_F_NETFILTER_IP_DEFRAG` flag.
+
+Fixes: 91721c2d02d3 ("netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link")
+Signed-off-by: Tyrone Wu <wudevelops@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Florian Westphal <fw@strlen.de>
+Cc: Daniel Xu <dxu@dxuuu.xyz>
+Link: https://lore.kernel.org/bpf/20241011193252.178997-1-wudevelops@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index 0e4beae421f83..96015a59db09e 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -150,11 +150,12 @@ static int bpf_nf_link_fill_link_info(const struct bpf_link *link,
+                                     struct bpf_link_info *info)
+ {
+       struct bpf_nf_link *nf_link = container_of(link, struct bpf_nf_link, link);
++      const struct nf_defrag_hook *hook = nf_link->defrag_hook;
+       info->netfilter.pf = nf_link->hook_ops.pf;
+       info->netfilter.hooknum = nf_link->hook_ops.hooknum;
+       info->netfilter.priority = nf_link->hook_ops.priority;
+-      info->netfilter.flags = 0;
++      info->netfilter.flags = hook ? BPF_F_NETFILTER_IP_DEFRAG : 0;
+       return 0;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-fix-memory-leak-in-bpf_core_apply.patch b/queue-6.6/bpf-fix-memory-leak-in-bpf_core_apply.patch
new file mode 100644 (file)
index 0000000..e7639d0
--- /dev/null
@@ -0,0 +1,36 @@
+From a05e07699ca84a232fca25d368f864e4f663ba1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 18:09:58 +0200
+Subject: bpf: Fix memory leak in bpf_core_apply
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 45126b155e3b5201179cdc038504bf93a8ccd921 ]
+
+We need to free specs properly.
+
+Fixes: 3d2786d65aaa ("bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/bpf/20241007160958.607434-1-jolsa@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index e0e4d4f490e87..c8828016a66fd 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -8435,6 +8435,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
+       if (!type) {
+               bpf_log(ctx->log, "relo #%u: bad type id %u\n",
+                       relo_idx, relo->type_id);
++              kfree(specs);
+               return -EINVAL;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch b/queue-6.6/bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch
new file mode 100644 (file)
index 0000000..d0e0d68
--- /dev/null
@@ -0,0 +1,67 @@
+From fc1d5959960aebc4453c53bacea0d87ee3ad9dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 15:11:53 +0300
+Subject: bpf: Fix truncation bug in coerce_reg_to_size_sx()
+
+From: Dimitar Kanaliev <dimitar.kanaliev@siteground.com>
+
+[ Upstream commit ae67b9fb8c4e981e929a665dcaa070f4b05ebdb4 ]
+
+coerce_reg_to_size_sx() updates the register state after a sign-extension
+operation. However, there's a bug in the assignment order of the unsigned
+min/max values, leading to incorrect truncation:
+
+  0: (85) call bpf_get_prandom_u32#7    ; R0_w=scalar()
+  1: (57) r0 &= 1                       ; R0_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1,var_off=(0x0; 0x1))
+  2: (07) r0 += 254                     ; R0_w=scalar(smin=umin=smin32=umin32=254,smax=umax=smax32=umax32=255,var_off=(0xfe; 0x1))
+  3: (bf) r0 = (s8)r0                   ; R0_w=scalar(smin=smin32=-2,smax=smax32=-1,umin=umin32=0xfffffffe,umax=0xffffffff,var_off=(0xfffffffffffffffe; 0x1))
+
+In the current implementation, the unsigned 32-bit min/max values
+(u32_min_value and u32_max_value) are assigned directly from the 64-bit
+signed min/max values (s64_min and s64_max):
+
+  reg->umin_value = reg->u32_min_value = s64_min;
+  reg->umax_value = reg->u32_max_value = s64_max;
+
+Due to the chain assigmnent, this is equivalent to:
+
+  reg->u32_min_value = s64_min;  // Unintended truncation
+  reg->umin_value = reg->u32_min_value;
+  reg->u32_max_value = s64_max;  // Unintended truncation
+  reg->umax_value = reg->u32_max_value;
+
+Fixes: 1f9a1ea821ff ("bpf: Support new sign-extension load insns")
+Reported-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Reported-by: Zac Ecob <zacecob@protonmail.com>
+Signed-off-by: Dimitar Kanaliev <dimitar.kanaliev@siteground.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://lore.kernel.org/r/20241014121155.92887-2-dimitar.kanaliev@siteground.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index d1050479cbb33..28b09ca5525f0 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -6143,10 +6143,10 @@ static void coerce_reg_to_size_sx(struct bpf_reg_state *reg, int size)
+       /* both of s64_max/s64_min positive or negative */
+       if ((s64_max >= 0) == (s64_min >= 0)) {
+-              reg->smin_value = reg->s32_min_value = s64_min;
+-              reg->smax_value = reg->s32_max_value = s64_max;
+-              reg->umin_value = reg->u32_min_value = s64_min;
+-              reg->umax_value = reg->u32_max_value = s64_max;
++              reg->s32_min_value = reg->smin_value = s64_min;
++              reg->s32_max_value = reg->smax_value = s64_max;
++              reg->u32_min_value = reg->umin_value = s64_min;
++              reg->u32_max_value = reg->umax_value = s64_max;
+               reg->var_off = tnum_range(s64_min, s64_max);
+               return;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch b/queue-6.6/bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch
new file mode 100644 (file)
index 0000000..1cdd5f9
--- /dev/null
@@ -0,0 +1,128 @@
+From bceed7581c7b402570686be6902f012ffdc90fd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:43:11 +0000
+Subject: bpf: fix unpopulated name_len field in perf_event link info
+
+From: Tyrone Wu <wudevelops@gmail.com>
+
+[ Upstream commit 4deecdd29cf29844c7bd164d72dc38d2e672f64e ]
+
+Previously when retrieving `bpf_link_info.perf_event` for
+kprobe/uprobe/tracepoint, the `name_len` field was not populated by the
+kernel, leaving it to reflect the value initially set by the user. This
+behavior was inconsistent with how other input/output string buffer
+fields function (e.g. `raw_tracepoint.tp_name_len`).
+
+This patch fills `name_len` with the actual size of the string name.
+
+Fixes: 1b715e1b0ec5 ("bpf: Support ->fill_link_info for perf_event")
+Signed-off-by: Tyrone Wu <wudevelops@gmail.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/r/20241008164312.46269-1-wudevelops@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 1d04d098f57db..b43302c80cac5 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3442,15 +3442,16 @@ static void bpf_perf_link_dealloc(struct bpf_link *link)
+ }
+ static int bpf_perf_link_fill_common(const struct perf_event *event,
+-                                   char __user *uname, u32 ulen,
++                                   char __user *uname, u32 *ulenp,
+                                    u64 *probe_offset, u64 *probe_addr,
+                                    u32 *fd_type, unsigned long *missed)
+ {
+       const char *buf;
+-      u32 prog_id;
++      u32 prog_id, ulen;
+       size_t len;
+       int err;
++      ulen = *ulenp;
+       if (!ulen ^ !uname)
+               return -EINVAL;
+@@ -3458,10 +3459,17 @@ static int bpf_perf_link_fill_common(const struct perf_event *event,
+                                     probe_offset, probe_addr, missed);
+       if (err)
+               return err;
++
++      if (buf) {
++              len = strlen(buf);
++              *ulenp = len + 1;
++      } else {
++              *ulenp = 1;
++      }
+       if (!uname)
+               return 0;
++
+       if (buf) {
+-              len = strlen(buf);
+               err = bpf_copy_to_user(uname, buf, ulen, len);
+               if (err)
+                       return err;
+@@ -3486,7 +3494,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+       uname = u64_to_user_ptr(info->perf_event.kprobe.func_name);
+       ulen = info->perf_event.kprobe.name_len;
+-      err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr,
++      err = bpf_perf_link_fill_common(event, uname, &ulen, &offset, &addr,
+                                       &type, &missed);
+       if (err)
+               return err;
+@@ -3494,7 +3502,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+               info->perf_event.type = BPF_PERF_EVENT_KRETPROBE;
+       else
+               info->perf_event.type = BPF_PERF_EVENT_KPROBE;
+-
++      info->perf_event.kprobe.name_len = ulen;
+       info->perf_event.kprobe.offset = offset;
+       info->perf_event.kprobe.missed = missed;
+       if (!kallsyms_show_value(current_cred()))
+@@ -3516,7 +3524,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event,
+       uname = u64_to_user_ptr(info->perf_event.uprobe.file_name);
+       ulen = info->perf_event.uprobe.name_len;
+-      err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr,
++      err = bpf_perf_link_fill_common(event, uname, &ulen, &offset, &addr,
+                                       &type, NULL);
+       if (err)
+               return err;
+@@ -3525,6 +3533,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event,
+               info->perf_event.type = BPF_PERF_EVENT_URETPROBE;
+       else
+               info->perf_event.type = BPF_PERF_EVENT_UPROBE;
++      info->perf_event.uprobe.name_len = ulen;
+       info->perf_event.uprobe.offset = offset;
+       info->perf_event.uprobe.cookie = event->bpf_cookie;
+       return 0;
+@@ -3550,12 +3559,18 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event,
+ {
+       char __user *uname;
+       u32 ulen;
++      int err;
+       uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name);
+       ulen = info->perf_event.tracepoint.name_len;
++      err = bpf_perf_link_fill_common(event, uname, &ulen, NULL, NULL, NULL, NULL);
++      if (err)
++              return err;
++
+       info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT;
++      info->perf_event.tracepoint.name_len = ulen;
+       info->perf_event.tracepoint.cookie = event->bpf_cookie;
+-      return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL);
++      return 0;
+ }
+ static int bpf_perf_link_fill_perf_event(const struct perf_event *event,
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch b/queue-6.6/bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch
new file mode 100644 (file)
index 0000000..3ec8d76
--- /dev/null
@@ -0,0 +1,103 @@
+From 61bac79e02698a536beae04caf2326851c8f4ac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Sep 2024 14:56:24 +0200
+Subject: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 09d88791c7cd888d5195c84733caf9183dcfbd16 ]
+
+The bpf_redirect_info is shared between the SKB and XDP redirect paths,
+and the two paths use the same numeric flag values in the ri->flags
+field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
+if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
+subsequently, an XDP redirect is performed using the same
+bpf_redirect_info struct, the XDP path will get confused and end up
+crashing, which syzbot managed to trigger.
+
+With the stack-allocated bpf_redirect_info, the structure is no longer
+shared between the SKB and XDP paths, so the crash doesn't happen
+anymore. However, different code paths using identically-numbered flag
+values in the same struct field still seems like a bit of a mess, so
+this patch cleans that up by moving the flag definitions together and
+redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
+with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
+sure the overlap is not re-introduced by mistake.
+
+Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
+Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6
+Link: https://lore.kernel.org/bpf/20240920125625.59465-1-toke@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h | 13 +++++--------
+ net/core/filter.c        |  8 +++++---
+ 2 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index ba6e346c8d669..4bb38409b26ad 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -5921,11 +5921,6 @@ enum {
+       BPF_F_MARK_ENFORCE              = (1ULL << 6),
+ };
+-/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */
+-enum {
+-      BPF_F_INGRESS                   = (1ULL << 0),
+-};
+-
+ /* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
+ enum {
+       BPF_F_TUNINFO_IPV6              = (1ULL << 0),
+@@ -6072,10 +6067,12 @@ enum {
+       BPF_F_BPRM_SECUREEXEC   = (1ULL << 0),
+ };
+-/* Flags for bpf_redirect_map helper */
++/* Flags for bpf_redirect and bpf_redirect_map helpers */
+ enum {
+-      BPF_F_BROADCAST         = (1ULL << 3),
+-      BPF_F_EXCLUDE_INGRESS   = (1ULL << 4),
++      BPF_F_INGRESS           = (1ULL << 0), /* used for skb path */
++      BPF_F_BROADCAST         = (1ULL << 3), /* used for XDP path */
++      BPF_F_EXCLUDE_INGRESS   = (1ULL << 4), /* used for XDP path */
++#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)
+ };
+ #define __bpf_md_ptr(type, name)      \
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 8bfd46a070c16..bbb1432488430 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2423,9 +2423,9 @@ static int __bpf_redirect_neigh(struct sk_buff *skb, struct net_device *dev,
+ /* Internal, non-exposed redirect flags. */
+ enum {
+-      BPF_F_NEIGH     = (1ULL << 1),
+-      BPF_F_PEER      = (1ULL << 2),
+-      BPF_F_NEXTHOP   = (1ULL << 3),
++      BPF_F_NEIGH     = (1ULL << 16),
++      BPF_F_PEER      = (1ULL << 17),
++      BPF_F_NEXTHOP   = (1ULL << 18),
+ #define BPF_F_REDIRECT_INTERNAL       (BPF_F_NEIGH | BPF_F_PEER | BPF_F_NEXTHOP)
+ };
+@@ -2435,6 +2435,8 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
+       struct sk_buff *clone;
+       int ret;
++      BUILD_BUG_ON(BPF_F_REDIRECT_INTERNAL & BPF_F_REDIRECT_FLAGS);
++
+       if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL)))
+               return -EINVAL;
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch b/queue-6.6/bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch
new file mode 100644 (file)
index 0000000..d5e6f79
--- /dev/null
@@ -0,0 +1,83 @@
+From c9cee25c21add629f55c38f961bc85fcafcbfad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 18:26:39 +0200
+Subject: bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 9c5bd93edf7b8834aecaa7c340b852d5990d7c78 ]
+
+Don't mislead the callers of bpf_{sk,msg}_redirect_{map,hash}(): make sure
+to immediately and visibly fail the forwarding of unsupported af_vsock
+packets.
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-1-d6577bbfe742@rbox.co
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h  | 5 +++++
+ net/core/sock_map.c | 8 ++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index c3961050b8e39..e0be8bd983960 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2826,6 +2826,11 @@ static inline bool sk_is_stream_unix(const struct sock *sk)
+       return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM;
+ }
++static inline bool sk_is_vsock(const struct sock *sk)
++{
++      return sk->sk_family == AF_VSOCK;
++}
++
+ /**
+  * sk_eat_skb - Release a skb if it is no longer needed
+  * @sk: socket to eat this skb from
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 2afac40bb83ca..2da881a8e7983 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -644,6 +644,8 @@ BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb,
+       sk = __sock_map_lookup_elem(map, key);
+       if (unlikely(!sk || !sock_map_redirect_allowed(sk)))
+               return SK_DROP;
++      if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk))
++              return SK_DROP;
+       skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS);
+       return SK_PASS;
+@@ -672,6 +674,8 @@ BPF_CALL_4(bpf_msg_redirect_map, struct sk_msg *, msg,
+               return SK_DROP;
+       if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk))
+               return SK_DROP;
++      if (sk_is_vsock(sk))
++              return SK_DROP;
+       msg->flags = flags;
+       msg->sk_redir = sk;
+@@ -1246,6 +1250,8 @@ BPF_CALL_4(bpf_sk_redirect_hash, struct sk_buff *, skb,
+       sk = __sock_hash_lookup_elem(map, key);
+       if (unlikely(!sk || !sock_map_redirect_allowed(sk)))
+               return SK_DROP;
++      if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk))
++              return SK_DROP;
+       skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS);
+       return SK_PASS;
+@@ -1274,6 +1280,8 @@ BPF_CALL_4(bpf_msg_redirect_hash, struct sk_msg *, msg,
+               return SK_DROP;
+       if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk))
+               return SK_DROP;
++      if (sk_is_vsock(sk))
++              return SK_DROP;
+       msg->flags = flags;
+       msg->sk_redir = sk;
+-- 
+2.43.0
+
diff --git a/queue-6.6/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch b/queue-6.6/bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch
new file mode 100644 (file)
index 0000000..8a909ff
--- /dev/null
@@ -0,0 +1,45 @@
+From 6dc89356241833e054060bd6b5f67d49b38f98f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 18:26:42 +0200
+Subject: bpf, vsock: Drop static vsock_bpf_prot initialization
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 19039f279797efbe044cae41ee216c5fe481fc33 ]
+
+vsock_bpf_prot is set up at runtime. Remove the superfluous init.
+
+No functional change intended.
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-4-d6577bbfe742@rbox.co
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/vsock_bpf.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/net/vmw_vsock/vsock_bpf.c b/net/vmw_vsock/vsock_bpf.c
+index c42c5cc18f324..4aa6e74ec2957 100644
+--- a/net/vmw_vsock/vsock_bpf.c
++++ b/net/vmw_vsock/vsock_bpf.c
+@@ -114,14 +114,6 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
+       return copied;
+ }
+-/* Copy of original proto with updated sock_map methods */
+-static struct proto vsock_bpf_prot = {
+-      .close = sock_map_close,
+-      .recvmsg = vsock_bpf_recvmsg,
+-      .sock_is_readable = sk_msg_is_readable,
+-      .unhash = sock_map_unhash,
+-};
+-
+ static void vsock_bpf_rebuild_protos(struct proto *prot, const struct proto *base)
+ {
+       *prot        = *base;
+-- 
+2.43.0
+
diff --git a/queue-6.6/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch b/queue-6.6/cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch
new file mode 100644 (file)
index 0000000..ee4ab70
--- /dev/null
@@ -0,0 +1,44 @@
+From 164e64cfa5af69e9dd94835e60f535cb1a0f71cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 15:09:02 -0700
+Subject: cdrom: Avoid barrier_nospec() in cdrom_ioctl_media_changed()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit b0bf1afde7c34698cf61422fa8ee60e690dc25c3 ]
+
+The barrier_nospec() after the array bounds check is overkill and
+painfully slow for arches which implement it.
+
+Furthermore, most arches don't implement it, so they remain exposed to
+Spectre v1 (which can affect pretty much any CPU with branch
+prediction).
+
+Instead, clamp the user pointer to a valid range so it's guaranteed to
+be a valid array index even when the bounds check mispredicts.
+
+Fixes: 8270cb10c068 ("cdrom: Fix spectre-v1 gadget")
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Link: https://lore.kernel.org/r/1d86f4d9d8fba68e5ca64cdeac2451b95a8bf872.1729202937.git.jpoimboe@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 01f46caf1f88b..54b80911f3e28 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2313,7 +2313,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
+               return -EINVAL;
+       /* Prevent arg from speculatively bypassing the length check */
+-      barrier_nospec();
++      arg = array_index_nospec(arg, cdi->capacity);
+       info = kmalloc(sizeof(*info), GFP_KERNEL);
+       if (!info)
+-- 
+2.43.0
+
diff --git a/queue-6.6/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch b/queue-6.6/cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch
new file mode 100644 (file)
index 0000000..acf9085
--- /dev/null
@@ -0,0 +1,55 @@
+From 599abd586b287d402752d61b1cbd8860ac1c1eba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 12:23:04 +0000
+Subject: cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory
+ systems
+
+From: Dhananjay Ugwekar <Dhananjay.Ugwekar@amd.com>
+
+[ Upstream commit c10e50a469b5ec91eabf653526a22bdce03a9bca ]
+
+While switching the driver mode between active and passive, Collaborative
+Processor Performance Control (CPPC) is disabled in
+amd_pstate_unregister_driver(). But, it is not enabled back while registering
+the new driver (passive or active). This leads to the new driver mode not
+working correctly, so enable it back in amd_pstate_register_driver().
+
+Fixes: 3ca7bc818d8c ("cpufreq: amd-pstate: Add guided mode control support via sysfs")
+Signed-off-by: Dhananjay Ugwekar <Dhananjay.Ugwekar@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20241004122303.94283-1-Dhananjay.Ugwekar@amd.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/amd-pstate.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
+index f461f99eb040c..8c16d67b98bfe 100644
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -1061,11 +1061,21 @@ static int amd_pstate_register_driver(int mode)
+               return -EINVAL;
+       cppc_state = mode;
++
++      ret = amd_pstate_enable(true);
++      if (ret) {
++              pr_err("failed to enable cppc during amd-pstate driver registration, return %d\n",
++                     ret);
++              amd_pstate_driver_cleanup();
++              return ret;
++      }
++
+       ret = cpufreq_register_driver(current_pstate_driver);
+       if (ret) {
+               amd_pstate_driver_cleanup();
+               return ret;
+       }
++
+       return 0;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch b/queue-6.6/drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch
new file mode 100644 (file)
index 0000000..097a8d1
--- /dev/null
@@ -0,0 +1,183 @@
+From 33ae26354641f3c2cafaf65a608d82bfb1c37ff4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 19:01:48 +0530
+Subject: drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit e7457532cb7167516263150ceae86f36d6ef9683 ]
+
+This patch addresses a double unlock issue in the amdgpu_mes_add_ring
+function. The mutex was being unlocked twice under certain error
+conditions, which could lead to undefined behavior.
+
+The fix ensures that the mutex is unlocked only once before jumping to
+the clean_up_memory label. The unlock operation is moved to just before
+the goto statement within the conditional block that checks the return
+value of amdgpu_ring_init. This prevents the second unlock attempt after
+the clean_up_memory label, which is no longer necessary as the mutex is
+already unlocked by this point in the code flow.
+
+This change resolves the potential double unlock and maintains the
+correct mutex handling throughout the function.
+
+Fixes below:
+Commit d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue
+submission"), leads to the following Smatch static checker warning:
+
+       drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c:1240 amdgpu_mes_add_ring()
+       warn: double unlock '&adev->mes.mutex_hidden' (orig line 1213)
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
+    1143 int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id,
+    1144                         int queue_type, int idx,
+    1145                         struct amdgpu_mes_ctx_data *ctx_data,
+    1146                         struct amdgpu_ring **out)
+    1147 {
+    1148         struct amdgpu_ring *ring;
+    1149         struct amdgpu_mes_gang *gang;
+    1150         struct amdgpu_mes_queue_properties qprops = {0};
+    1151         int r, queue_id, pasid;
+    1152
+    1153         /*
+    1154          * Avoid taking any other locks under MES lock to avoid circular
+    1155          * lock dependencies.
+    1156          */
+    1157         amdgpu_mes_lock(&adev->mes);
+    1158         gang = idr_find(&adev->mes.gang_id_idr, gang_id);
+    1159         if (!gang) {
+    1160                 DRM_ERROR("gang id %d doesn't exist\n", gang_id);
+    1161                 amdgpu_mes_unlock(&adev->mes);
+    1162                 return -EINVAL;
+    1163         }
+    1164         pasid = gang->process->pasid;
+    1165
+    1166         ring = kzalloc(sizeof(struct amdgpu_ring), GFP_KERNEL);
+    1167         if (!ring) {
+    1168                 amdgpu_mes_unlock(&adev->mes);
+    1169                 return -ENOMEM;
+    1170         }
+    1171
+    1172         ring->ring_obj = NULL;
+    1173         ring->use_doorbell = true;
+    1174         ring->is_mes_queue = true;
+    1175         ring->mes_ctx = ctx_data;
+    1176         ring->idx = idx;
+    1177         ring->no_scheduler = true;
+    1178
+    1179         if (queue_type == AMDGPU_RING_TYPE_COMPUTE) {
+    1180                 int offset = offsetof(struct amdgpu_mes_ctx_meta_data,
+    1181                                       compute[ring->idx].mec_hpd);
+    1182                 ring->eop_gpu_addr =
+    1183                         amdgpu_mes_ctx_get_offs_gpu_addr(ring, offset);
+    1184         }
+    1185
+    1186         switch (queue_type) {
+    1187         case AMDGPU_RING_TYPE_GFX:
+    1188                 ring->funcs = adev->gfx.gfx_ring[0].funcs;
+    1189                 ring->me = adev->gfx.gfx_ring[0].me;
+    1190                 ring->pipe = adev->gfx.gfx_ring[0].pipe;
+    1191                 break;
+    1192         case AMDGPU_RING_TYPE_COMPUTE:
+    1193                 ring->funcs = adev->gfx.compute_ring[0].funcs;
+    1194                 ring->me = adev->gfx.compute_ring[0].me;
+    1195                 ring->pipe = adev->gfx.compute_ring[0].pipe;
+    1196                 break;
+    1197         case AMDGPU_RING_TYPE_SDMA:
+    1198                 ring->funcs = adev->sdma.instance[0].ring.funcs;
+    1199                 break;
+    1200         default:
+    1201                 BUG();
+    1202         }
+    1203
+    1204         r = amdgpu_ring_init(adev, ring, 1024, NULL, 0,
+    1205                              AMDGPU_RING_PRIO_DEFAULT, NULL);
+    1206         if (r)
+    1207                 goto clean_up_memory;
+    1208
+    1209         amdgpu_mes_ring_to_queue_props(adev, ring, &qprops);
+    1210
+    1211         dma_fence_wait(gang->process->vm->last_update, false);
+    1212         dma_fence_wait(ctx_data->meta_data_va->last_pt_update, false);
+    1213         amdgpu_mes_unlock(&adev->mes);
+                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+    1214
+    1215         r = amdgpu_mes_add_hw_queue(adev, gang_id, &qprops, &queue_id);
+    1216         if (r)
+    1217                 goto clean_up_ring;
+                         ^^^^^^^^^^^^^^^^^^
+
+    1218
+    1219         ring->hw_queue_id = queue_id;
+    1220         ring->doorbell_index = qprops.doorbell_off;
+    1221
+    1222         if (queue_type == AMDGPU_RING_TYPE_GFX)
+    1223                 sprintf(ring->name, "gfx_%d.%d.%d", pasid, gang_id, queue_id);
+    1224         else if (queue_type == AMDGPU_RING_TYPE_COMPUTE)
+    1225                 sprintf(ring->name, "compute_%d.%d.%d", pasid, gang_id,
+    1226                         queue_id);
+    1227         else if (queue_type == AMDGPU_RING_TYPE_SDMA)
+    1228                 sprintf(ring->name, "sdma_%d.%d.%d", pasid, gang_id,
+    1229                         queue_id);
+    1230         else
+    1231                 BUG();
+    1232
+    1233         *out = ring;
+    1234         return 0;
+    1235
+    1236 clean_up_ring:
+    1237         amdgpu_ring_fini(ring);
+    1238 clean_up_memory:
+    1239         kfree(ring);
+--> 1240         amdgpu_mes_unlock(&adev->mes);
+                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+    1241         return r;
+    1242 }
+
+Fixes: d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue submission")
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Hawking Zhang <Hawking.Zhang@amd.com>
+Suggested-by: Jack Xiao <Jack.Xiao@amd.com>
+Reported by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Jack Xiao <Jack.Xiao@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit bfaf1883605fd0c0dbabacd67ed49708470d5ea4)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
+index c5c55e132af21..5e3abdd0805b6 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
+@@ -1053,8 +1053,10 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id,
+       r = amdgpu_ring_init(adev, ring, 1024, NULL, 0,
+                            AMDGPU_RING_PRIO_DEFAULT, NULL);
+-      if (r)
++      if (r) {
++              amdgpu_mes_unlock(&adev->mes);
+               goto clean_up_memory;
++      }
+       amdgpu_mes_ring_to_queue_props(adev, ring, &qprops);
+@@ -1087,7 +1089,6 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id,
+       amdgpu_ring_fini(ring);
+ clean_up_memory:
+       kfree(ring);
+-      amdgpu_mes_unlock(&adev->mes);
+       return r;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch b/queue-6.6/drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch
new file mode 100644 (file)
index 0000000..8010ff9
--- /dev/null
@@ -0,0 +1,57 @@
+From 38d3e410a2f2cee6984a719e165fe4b898aadb4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 09:36:09 -0700
+Subject: drm/msm: Allocate memory for disp snapshot with kvzalloc()
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit e4a45582db1b792c57bdb52c45958264f7fcfbdc ]
+
+With the "drm/msm: add a display mmu fault handler" series [1] we saw
+issues in the field where memory allocation was failing when
+allocating space for registers in msm_disp_state_dump_regs().
+Specifically we were seeing an order 5 allocation fail. It's not
+surprising that order 5 allocations will sometimes fail after the
+system has been up and running for a while.
+
+There's no need here for contiguous memory. Change the allocation to
+kvzalloc() which should make it much less likely to fail.
+
+[1] https://lore.kernel.org/r/20240628214848.4075651-1-quic_abhinavk@quicinc.com/
+
+Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/619658/
+Link: https://lore.kernel.org/r/20241014093605.2.I72441365ffe91f3dceb17db0a8ec976af8139590@changeid
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+index bb149281d31fa..4d55e3cf570f0 100644
+--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+@@ -26,7 +26,7 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b
+       end_addr = base_addr + aligned_len;
+       if (!(*reg))
+-              *reg = kzalloc(len_padded, GFP_KERNEL);
++              *reg = kvzalloc(len_padded, GFP_KERNEL);
+       if (*reg)
+               dump_addr = *reg;
+@@ -162,7 +162,7 @@ void msm_disp_state_free(void *data)
+       list_for_each_entry_safe(block, tmp, &disp_state->blocks, node) {
+               list_del(&block->node);
+-              kfree(block->state);
++              kvfree(block->state);
+               kfree(block);
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch b/queue-6.6/drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch
new file mode 100644 (file)
index 0000000..1531a03
--- /dev/null
@@ -0,0 +1,79 @@
+From 2ec6a32a9a9e0749e7f717e9a6f4208abd1be8f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 09:36:08 -0700
+Subject: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs()
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 293f53263266bc4340d777268ab4328a97f041fa ]
+
+If the allocation in msm_disp_state_dump_regs() failed then
+`block->state` can be NULL. The msm_disp_state_print_regs() function
+_does_ have code to try to handle it with:
+
+  if (*reg)
+    dump_addr = *reg;
+
+...but since "dump_addr" is initialized to NULL the above is actually
+a noop. The code then goes on to dereference `dump_addr`.
+
+Make the function print "Registers not stored" when it sees a NULL to
+solve this. Since we're touching the code, fix
+msm_disp_state_print_regs() not to pointlessly take a double-pointer
+and properly mark the pointer as `const`.
+
+Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/619657/
+Link: https://lore.kernel.org/r/20241014093605.1.Ia1217cecec9ef09eb3c6d125360cc6c8574b0e73@changeid
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+index add72bbc28b17..bb149281d31fa 100644
+--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+@@ -48,20 +48,21 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b
+       }
+ }
+-static void msm_disp_state_print_regs(u32 **reg, u32 len, void __iomem *base_addr,
+-              struct drm_printer *p)
++static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len,
++              void __iomem *base_addr, struct drm_printer *p)
+ {
+       int i;
+-      u32 *dump_addr = NULL;
+       void __iomem *addr;
+       u32 num_rows;
++      if (!dump_addr) {
++              drm_printf(p, "Registers not stored\n");
++              return;
++      }
++
+       addr = base_addr;
+       num_rows = len / REG_DUMP_ALIGN;
+-      if (*reg)
+-              dump_addr = *reg;
+-
+       for (i = 0; i < num_rows; i++) {
+               drm_printf(p, "0x%lx : %08x %08x %08x %08x\n",
+                               (unsigned long)(addr - base_addr),
+@@ -89,7 +90,7 @@ void msm_disp_state_print(struct msm_disp_state *state, struct drm_printer *p)
+       list_for_each_entry_safe(block, tmp, &state->blocks, node) {
+               drm_printf(p, "====================%s================\n", block->name);
+-              msm_disp_state_print_regs(&block->state, block->size, block->base_addr, p);
++              msm_disp_state_print_regs(block->state, block->size, block->base_addr, p);
+       }
+       drm_printf(p, "===================dpu drm state================\n");
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch b/queue-6.6/drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch
new file mode 100644 (file)
index 0000000..384776f
--- /dev/null
@@ -0,0 +1,82 @@
+From 4b54358fd021b04d1dbe06a840fda891b17a9a2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 06:22:46 +0300
+Subject: drm/msm/dpu: check for overflow in _dpu_crtc_setup_lm_bounds()
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 3a0851b442d1f63ba42ecfa2506d3176cfabf9d4 ]
+
+Make _dpu_crtc_setup_lm_bounds() check that CRTC width is not
+overflowing LM requirements. Rename the function accordingly.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Tested-by: Abhinav Kumar <quic_abhinavk@quicinc.com> # sc7280
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/612237/
+Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-3-617e1ecc4b7a@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+index e238e4e8116ca..ad57368dc13f0 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+@@ -722,12 +722,13 @@ void dpu_crtc_complete_commit(struct drm_crtc *crtc)
+       _dpu_crtc_complete_flip(crtc);
+ }
+-static void _dpu_crtc_setup_lm_bounds(struct drm_crtc *crtc,
++static int _dpu_crtc_check_and_setup_lm_bounds(struct drm_crtc *crtc,
+               struct drm_crtc_state *state)
+ {
+       struct dpu_crtc_state *cstate = to_dpu_crtc_state(state);
+       struct drm_display_mode *adj_mode = &state->adjusted_mode;
+       u32 crtc_split_width = adj_mode->hdisplay / cstate->num_mixers;
++      struct dpu_kms *dpu_kms = _dpu_crtc_get_kms(crtc);
+       int i;
+       for (i = 0; i < cstate->num_mixers; i++) {
+@@ -738,7 +739,12 @@ static void _dpu_crtc_setup_lm_bounds(struct drm_crtc *crtc,
+               r->y2 = adj_mode->vdisplay;
+               trace_dpu_crtc_setup_lm_bounds(DRMID(crtc), i, r);
++
++              if (drm_rect_width(r) > dpu_kms->catalog->caps->max_mixer_width)
++                      return -E2BIG;
+       }
++
++      return 0;
+ }
+ static void _dpu_crtc_get_pcc_coeff(struct drm_crtc_state *state,
+@@ -814,7 +820,7 @@ static void dpu_crtc_atomic_begin(struct drm_crtc *crtc,
+       DRM_DEBUG_ATOMIC("crtc%d\n", crtc->base.id);
+-      _dpu_crtc_setup_lm_bounds(crtc, crtc->state);
++      _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc->state);
+       /* encoder will trigger pending mask now */
+       drm_for_each_encoder_mask(encoder, crtc->dev, crtc->state->encoder_mask)
+@@ -1208,8 +1214,11 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc,
+       if (crtc_state->active_changed)
+               crtc_state->mode_changed = true;
+-      if (cstate->num_mixers)
+-              _dpu_crtc_setup_lm_bounds(crtc, crtc_state);
++      if (cstate->num_mixers) {
++              rc = _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc_state);
++              if (rc)
++                      return rc;
++      }
+       /* FIXME: move this to dpu_plane_atomic_check? */
+       drm_atomic_crtc_state_for_each_plane_state(plane, pstate, crtc_state) {
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-msm-dpu-don-t-always-program-merge_3d-block.patch b/queue-6.6/drm-msm-dpu-don-t-always-program-merge_3d-block.patch
new file mode 100644 (file)
index 0000000..5582ce3
--- /dev/null
@@ -0,0 +1,39 @@
+From e582332b2eba2bc8b18b82d2f4d14cb3e271df81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 20:46:19 -0700
+Subject: drm/msm/dpu: don't always program merge_3d block
+
+From: Jessica Zhang <quic_jesszhan@quicinc.com>
+
+[ Upstream commit f87f3b80abaf7949e638dd17dfdc267066eb52d5 ]
+
+Only program the merge_3d block for the video phys encoder when the 3d
+blend mode is not NONE
+
+Fixes: 3e79527a33a8 ("drm/msm/dpu: enable merge_3d support on sm8150/sm8250")
+Suggested-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/619095/
+Link: https://lore.kernel.org/r/20241009-merge3d-fix-v1-1-0d0b6f5c244e@quicinc.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+index daaf0e6047538..20c8b9af7a219 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+@@ -280,7 +280,7 @@ static void dpu_encoder_phys_vid_setup_timing_engine(
+       intf_cfg.stream_sel = 0; /* Don't care value for video mode */
+       intf_cfg.mode_3d = dpu_encoder_helper_get_3d_blend_mode(phys_enc);
+       intf_cfg.dsc = dpu_encoder_helper_get_dsc(phys_enc);
+-      if (phys_enc->hw_pp->merge_3d)
++      if (intf_cfg.mode_3d && phys_enc->hw_pp->merge_3d)
+               intf_cfg.merge_3d = phys_enc->hw_pp->merge_3d->idx;
+       spin_lock_irqsave(phys_enc->enc_spinlock, lock_flags);
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch b/queue-6.6/drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch
new file mode 100644 (file)
index 0000000..6a73416
--- /dev/null
@@ -0,0 +1,62 @@
+From f8ea4b0cdf9d2f2b4213aaf986440be65fa7ce01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 06:22:44 +0300
+Subject: drm/msm/dpu: make sure phys resources are properly initialized
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit bfecbc2cfba9b06d67d9d249c33d92e570e2fa70 ]
+
+The commit b954fa6baaca ("drm/msm/dpu: Refactor rm iterator") removed
+zero-init of the hw_ctl array, but didn't change the error condition,
+that checked for hw_ctl[i] being NULL. At the same time because of the
+early returns in case of an error dpu_encoder_phys might be left with
+the resources assigned in the previous state. Rework assigning of hw_pp
+/ hw_ctl to the dpu_encoder_phys in order to make sure they are always
+set correctly.
+
+Fixes: b954fa6baaca ("drm/msm/dpu: Refactor rm iterator")
+Suggested-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612233/
+Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-1-617e1ecc4b7a@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+index 6262ec5e40204..10c68de1bf22c 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+@@ -1122,21 +1122,20 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc,
+       for (i = 0; i < dpu_enc->num_phys_encs; i++) {
+               struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i];
+-              if (!dpu_enc->hw_pp[i]) {
++              phys->hw_pp = dpu_enc->hw_pp[i];
++              if (!phys->hw_pp) {
+                       DPU_ERROR_ENC(dpu_enc,
+                               "no pp block assigned at idx: %d\n", i);
+                       return;
+               }
+-              if (!hw_ctl[i]) {
++              phys->hw_ctl = i < num_ctl ? to_dpu_hw_ctl(hw_ctl[i]) : NULL;
++              if (!phys->hw_ctl) {
+                       DPU_ERROR_ENC(dpu_enc,
+                               "no ctl block assigned at idx: %d\n", i);
+                       return;
+               }
+-              phys->hw_pp = dpu_enc->hw_pp[i];
+-              phys->hw_ctl = to_dpu_hw_ctl(hw_ctl[i]);
+-
+               phys->cached_mode = crtc_state->adjusted_mode;
+               if (phys->ops.atomic_mode_set)
+                       phys->ops.atomic_mode_set(phys, crtc_state, conn_state);
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch b/queue-6.6/drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch
new file mode 100644 (file)
index 0000000..85de02d
--- /dev/null
@@ -0,0 +1,47 @@
+From f7e9c4be3421040a9782633d0a5d905aad4e337a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 01:01:49 -0400
+Subject: drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate
+ calculation
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit 358b762400bd94db2a14a72dfcef74c7da6bd845 ]
+
+When (mode->clock * 1000) is larger than (1<<31), int to unsigned long
+conversion will sign extend the int to 64 bits and the pclk_rate value
+will be incorrect.
+
+Fix this by making the result of the multiplication unsigned.
+
+Note that above (1<<32) would still be broken and require more changes, but
+its unlikely anyone will need that anytime soon.
+
+Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/618434/
+Link: https://lore.kernel.org/r/20241007050157.26855-2-jonathan@marek.ca
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index fcfe612416b0b..f920329fe2e09 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -545,7 +545,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode,
+ {
+       unsigned long pclk_rate;
+-      pclk_rate = mode->clock * 1000;
++      pclk_rate = mode->clock * 1000u;
+       if (dsc)
+               pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc);
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch b/queue-6.6/drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch
new file mode 100644 (file)
index 0000000..024d4fa
--- /dev/null
@@ -0,0 +1,39 @@
+From c36a392ff4b7a091e90e45d112ba9187379a150a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 01:01:48 -0400
+Subject: drm/msm/dsi: improve/fix dsc pclk calculation
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit 24436a540d16ca6a523b8e5441180001c31b6b35 ]
+
+drm_mode_vrefresh() can introduce a large rounding error, avoid it.
+
+Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/618432/
+Link: https://lore.kernel.org/r/20241007050157.26855-1-jonathan@marek.ca
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 77b805eacb1b1..fcfe612416b0b 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -537,7 +537,7 @@ static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mo
+       int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay;
+-      return new_htotal * mode->vtotal * drm_mode_vrefresh(mode);
++      return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal);
+ }
+ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode,
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch b/queue-6.6/drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch
new file mode 100644 (file)
index 0000000..7c54050
--- /dev/null
@@ -0,0 +1,42 @@
+From 3736fdfc57b508d5005a9ceb2de2671b26d8d6cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2024 13:37:56 -0500
+Subject: drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 4809a017a2bc42ff239d53ade4b2e70f2fe81348 ]
+
+Handle unlikely ENOMEN condition and other errors in
+vmw_stdu_connector_atomic_check.
+
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: 75c3e8a26a35 ("drm/vmwgfx: Trigger a modeset when the screen moves")
+Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
+Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240809183756.27283-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+index b22ae25db4e17..52ea0c50c852c 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+@@ -881,6 +881,10 @@ static int vmw_stdu_connector_atomic_check(struct drm_connector *conn,
+       struct drm_crtc_state *new_crtc_state;
+       conn_state = drm_atomic_get_connector_state(state, conn);
++
++      if (IS_ERR(conn_state))
++              return PTR_ERR(conn_state);
++
+       du = vmw_connector_to_stdu(conn);
+       if (!conn_state->crtc)
+-- 
+2.43.0
+
diff --git a/queue-6.6/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch b/queue-6.6/firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch
new file mode 100644 (file)
index 0000000..eaad35f
--- /dev/null
@@ -0,0 +1,51 @@
+From 8b96623e04d3640d4824e64e0a1c7f09b66b3a74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 18:40:02 +0800
+Subject: firmware: arm_scmi: Fix the double free in
+ scmi_debugfs_common_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 39b13dce1a91cdfc3bec9238f9e89094551bd428 ]
+
+Clang static checker(scan-build) throws below warning:
+  |  drivers/firmware/arm_scmi/driver.c:line 2915, column 2
+  |        Attempt to free released memory.
+
+When devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup()
+will run twice which causes double free of 'dbg->name'.
+
+Remove the redundant scmi_debugfs_common_cleanup() to fix this problem.
+
+Fixes: c3d4aed763ce ("firmware: arm_scmi: Populate a common SCMI debugfs root")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
+Message-Id: <20241011104001.1546476-1-suhui@nfschina.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/driver.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
+index 87383c05424bd..3962683e2af9d 100644
+--- a/drivers/firmware/arm_scmi/driver.c
++++ b/drivers/firmware/arm_scmi/driver.c
+@@ -2603,10 +2603,8 @@ static struct scmi_debug_info *scmi_debugfs_common_setup(struct scmi_info *info)
+       dbg->top_dentry = top_dentry;
+       if (devm_add_action_or_reset(info->dev,
+-                                   scmi_debugfs_common_cleanup, dbg)) {
+-              scmi_debugfs_common_cleanup(dbg);
++                                   scmi_debugfs_common_cleanup, dbg))
+               return NULL;
+-      }
+       return dbg;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch b/queue-6.6/firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch
new file mode 100644 (file)
index 0000000..172ab20
--- /dev/null
@@ -0,0 +1,115 @@
+From 125a02ec9422a4e3eceed36ae5ad9e0b83985a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 09:07:17 -0700
+Subject: firmware: arm_scmi: Queue in scmi layer for mailbox implementation
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit da1642bc97c4ef67f347edcd493bd0a52f88777b ]
+
+send_message() does not block in the MBOX implementation. This is
+because the mailbox layer has its own queue. However, this confuses
+the per xfer timeouts as they all start their timeout ticks in
+parallel.
+
+Consider a case where the xfer timeout is 30ms and a SCMI transaction
+takes 25ms:
+
+  | 0ms: Message #0 is queued in mailbox layer and sent out, then sits
+  |      at scmi_wait_for_message_response() with a timeout of 30ms
+  | 1ms: Message #1 is queued in mailbox layer but not sent out yet.
+  |      Since send_message() doesn't block, it also sits at
+  |      scmi_wait_for_message_response() with a timeout of 30ms
+  |  ...
+  | 25ms: Message #0 is completed, txdone is called and message #1 is sent
+  | 31ms: Message #1 times out since the count started at 1ms. Even though
+  |       it has only been inflight for 6ms.
+
+Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Message-Id: <20241014160717.1678953-1-justin.chen@broadcom.com>
+Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
+Tested-by: Cristian Marussi <cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/mailbox.c | 32 +++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/mailbox.c b/drivers/firmware/arm_scmi/mailbox.c
+index b8d470417e8f9..8e513f70b75d4 100644
+--- a/drivers/firmware/arm_scmi/mailbox.c
++++ b/drivers/firmware/arm_scmi/mailbox.c
+@@ -23,6 +23,7 @@
+  * @chan_receiver: Optional Receiver mailbox unidirectional channel
+  * @cinfo: SCMI channel info
+  * @shmem: Transmit/Receive shared memory area
++ * @chan_lock: Lock that prevents multiple xfers from being queued
+  */
+ struct scmi_mailbox {
+       struct mbox_client cl;
+@@ -30,6 +31,7 @@ struct scmi_mailbox {
+       struct mbox_chan *chan_receiver;
+       struct scmi_chan_info *cinfo;
+       struct scmi_shared_mem __iomem *shmem;
++      struct mutex chan_lock;
+ };
+ #define client_to_scmi_mailbox(c) container_of(c, struct scmi_mailbox, cl)
+@@ -228,6 +230,7 @@ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
+       cinfo->transport_info = smbox;
+       smbox->cinfo = cinfo;
++      mutex_init(&smbox->chan_lock);
+       return 0;
+ }
+@@ -255,13 +258,23 @@ static int mailbox_send_message(struct scmi_chan_info *cinfo,
+       struct scmi_mailbox *smbox = cinfo->transport_info;
+       int ret;
+-      ret = mbox_send_message(smbox->chan, xfer);
++      /*
++       * The mailbox layer has its own queue. However the mailbox queue
++       * confuses the per message SCMI timeouts since the clock starts when
++       * the message is submitted into the mailbox queue. So when multiple
++       * messages are queued up the clock starts on all messages instead of
++       * only the one inflight.
++       */
++      mutex_lock(&smbox->chan_lock);
+-      /* mbox_send_message returns non-negative value on success, so reset */
+-      if (ret > 0)
+-              ret = 0;
++      ret = mbox_send_message(smbox->chan, xfer);
++      /* mbox_send_message returns non-negative value on success */
++      if (ret < 0) {
++              mutex_unlock(&smbox->chan_lock);
++              return ret;
++      }
+-      return ret;
++      return 0;
+ }
+ static void mailbox_mark_txdone(struct scmi_chan_info *cinfo, int ret,
+@@ -269,13 +282,10 @@ static void mailbox_mark_txdone(struct scmi_chan_info *cinfo, int ret,
+ {
+       struct scmi_mailbox *smbox = cinfo->transport_info;
+-      /*
+-       * NOTE: we might prefer not to need the mailbox ticker to manage the
+-       * transfer queueing since the protocol layer queues things by itself.
+-       * Unfortunately, we have to kick the mailbox framework after we have
+-       * received our message.
+-       */
+       mbox_client_txdone(smbox->chan, ret);
++
++      /* Release channel */
++      mutex_unlock(&smbox->chan_lock);
+ }
+ static void mailbox_fetch_response(struct scmi_chan_info *cinfo,
+-- 
+2.43.0
+
diff --git a/queue-6.6/genetlink-hold-rcu-in-genlmsg_mcast.patch b/queue-6.6/genetlink-hold-rcu-in-genlmsg_mcast.patch
new file mode 100644 (file)
index 0000000..dc03496
--- /dev/null
@@ -0,0 +1,242 @@
+From f80b1af82f4a9bbc71993fe99da3e6dccc26ba77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 17:12:17 +0000
+Subject: genetlink: hold RCU in genlmsg_mcast()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 56440d7ec28d60f8da3bfa09062b3368ff9b16db ]
+
+While running net selftests with CONFIG_PROVE_RCU_LIST=y I saw
+one lockdep splat [1].
+
+genlmsg_mcast() uses for_each_net_rcu(), and must therefore hold RCU.
+
+Instead of letting all callers guard genlmsg_multicast_allns()
+with a rcu_read_lock()/rcu_read_unlock() pair, do it in genlmsg_mcast().
+
+This also means the @flags parameter is useless, we need to always use
+GFP_ATOMIC.
+
+[1]
+[10882.424136] =============================
+[10882.424166] WARNING: suspicious RCU usage
+[10882.424309] 6.12.0-rc2-virtme #1156 Not tainted
+[10882.424400] -----------------------------
+[10882.424423] net/netlink/genetlink.c:1940 RCU-list traversed in non-reader section!!
+[10882.424469]
+other info that might help us debug this:
+
+[10882.424500]
+rcu_scheduler_active = 2, debug_locks = 1
+[10882.424744] 2 locks held by ip/15677:
+[10882.424791] #0: ffffffffb6b491b0 (cb_lock){++++}-{3:3}, at: genl_rcv (net/netlink/genetlink.c:1219)
+[10882.426334] #1: ffffffffb6b49248 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg (net/netlink/genetlink.c:61 net/netlink/genetlink.c:57 net/netlink/genetlink.c:1209)
+[10882.426465]
+stack backtrace:
+[10882.426805] CPU: 14 UID: 0 PID: 15677 Comm: ip Not tainted 6.12.0-rc2-virtme #1156
+[10882.426919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[10882.427046] Call Trace:
+[10882.427131]  <TASK>
+[10882.427244] dump_stack_lvl (lib/dump_stack.c:123)
+[10882.427335] lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
+[10882.427387] genlmsg_multicast_allns (net/netlink/genetlink.c:1940 (discriminator 7) net/netlink/genetlink.c:1977 (discriminator 7))
+[10882.427436] l2tp_tunnel_notify.constprop.0 (net/l2tp/l2tp_netlink.c:119) l2tp_netlink
+[10882.427683] l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:253) l2tp_netlink
+[10882.427748] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115)
+[10882.427834] genl_rcv_msg (net/netlink/genetlink.c:1195 net/netlink/genetlink.c:1210)
+[10882.427877] ? __pfx_l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:186) l2tp_netlink
+[10882.427927] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201)
+[10882.427959] netlink_rcv_skb (net/netlink/af_netlink.c:2551)
+[10882.428069] genl_rcv (net/netlink/genetlink.c:1220)
+[10882.428095] netlink_unicast (net/netlink/af_netlink.c:1332 net/netlink/af_netlink.c:1357)
+[10882.428140] netlink_sendmsg (net/netlink/af_netlink.c:1901)
+[10882.428210] ____sys_sendmsg (net/socket.c:729 (discriminator 1) net/socket.c:744 (discriminator 1) net/socket.c:2607 (discriminator 1))
+
+Fixes: 33f72e6f0c67 ("l2tp : multicast notification to the registered listeners")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Cc: Tom Parkin <tparkin@katalix.com>
+Cc: Johannes Berg <johannes.berg@intel.com>
+Link: https://patch.msgid.link/20241011171217.3166614-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_user.c |  2 +-
+ include/net/genetlink.h           |  3 +--
+ net/l2tp/l2tp_netlink.c           |  4 ++--
+ net/netlink/genetlink.c           | 28 ++++++++++++++--------------
+ net/wireless/nl80211.c            |  8 ++------
+ 5 files changed, 20 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
+index 22cc6cac0ba2b..2e100b76914a0 100644
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -2130,7 +2130,7 @@ static int tcmu_netlink_event_send(struct tcmu_dev *udev,
+       }
+       ret = genlmsg_multicast_allns(&tcmu_genl_family, skb, 0,
+-                                    TCMU_MCGRP_CONFIG, GFP_KERNEL);
++                                    TCMU_MCGRP_CONFIG);
+       /* Wait during an add as the listener may not be up yet */
+       if (ret == 0 ||
+diff --git a/include/net/genetlink.h b/include/net/genetlink.h
+index c53244f204370..e8c34aa4a640d 100644
+--- a/include/net/genetlink.h
++++ b/include/net/genetlink.h
+@@ -478,13 +478,12 @@ static inline int genlmsg_multicast(const struct genl_family *family,
+  * @skb: netlink message as socket buffer
+  * @portid: own netlink portid to avoid sending to yourself
+  * @group: offset of multicast group in groups array
+- * @flags: allocation flags
+  *
+  * This function must hold the RTNL or rcu_read_lock().
+  */
+ int genlmsg_multicast_allns(const struct genl_family *family,
+                           struct sk_buff *skb, u32 portid,
+-                          unsigned int group, gfp_t flags);
++                          unsigned int group);
+ /**
+  * genlmsg_unicast - unicast a netlink message
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
+index a901fd14fe3bf..e27e00cb16c6b 100644
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -115,7 +115,7 @@ static int l2tp_tunnel_notify(struct genl_family *family,
+                                 NLM_F_ACK, tunnel, cmd);
+       if (ret >= 0) {
+-              ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
++              ret = genlmsg_multicast_allns(family, msg, 0, 0);
+               /* We don't care if no one is listening */
+               if (ret == -ESRCH)
+                       ret = 0;
+@@ -143,7 +143,7 @@ static int l2tp_session_notify(struct genl_family *family,
+                                  NLM_F_ACK, session, cmd);
+       if (ret >= 0) {
+-              ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
++              ret = genlmsg_multicast_allns(family, msg, 0, 0);
+               /* We don't care if no one is listening */
+               if (ret == -ESRCH)
+                       ret = 0;
+diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
+index d41c4a936ad0c..d6eee5140c8be 100644
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -1355,15 +1355,11 @@ static int genl_ctrl_event(int event, const struct genl_family *family,
+       if (IS_ERR(msg))
+               return PTR_ERR(msg);
+-      if (!family->netnsok) {
++      if (!family->netnsok)
+               genlmsg_multicast_netns(&genl_ctrl, &init_net, msg, 0,
+                                       0, GFP_KERNEL);
+-      } else {
+-              rcu_read_lock();
+-              genlmsg_multicast_allns(&genl_ctrl, msg, 0,
+-                                      0, GFP_ATOMIC);
+-              rcu_read_unlock();
+-      }
++      else
++              genlmsg_multicast_allns(&genl_ctrl, msg, 0, 0);
+       return 0;
+ }
+@@ -1752,23 +1748,23 @@ static int __init genl_init(void)
+ core_initcall(genl_init);
+-static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
+-                       gfp_t flags)
++static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group)
+ {
+       struct sk_buff *tmp;
+       struct net *net, *prev = NULL;
+       bool delivered = false;
+       int err;
++      rcu_read_lock();
+       for_each_net_rcu(net) {
+               if (prev) {
+-                      tmp = skb_clone(skb, flags);
++                      tmp = skb_clone(skb, GFP_ATOMIC);
+                       if (!tmp) {
+                               err = -ENOMEM;
+                               goto error;
+                       }
+                       err = nlmsg_multicast(prev->genl_sock, tmp,
+-                                            portid, group, flags);
++                                            portid, group, GFP_ATOMIC);
+                       if (!err)
+                               delivered = true;
+                       else if (err != -ESRCH)
+@@ -1777,27 +1773,31 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
+               prev = net;
+       }
++      err = nlmsg_multicast(prev->genl_sock, skb, portid, group, GFP_ATOMIC);
++
++      rcu_read_unlock();
+-      err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
+       if (!err)
+               delivered = true;
+       else if (err != -ESRCH)
+               return err;
+       return delivered ? 0 : -ESRCH;
+  error:
++      rcu_read_unlock();
++
+       kfree_skb(skb);
+       return err;
+ }
+ int genlmsg_multicast_allns(const struct genl_family *family,
+                           struct sk_buff *skb, u32 portid,
+-                          unsigned int group, gfp_t flags)
++                          unsigned int group)
+ {
+       if (WARN_ON_ONCE(group >= family->n_mcgrps))
+               return -EINVAL;
+       group = family->mcgrp_offset + group;
+-      return genlmsg_mcast(skb, portid, group, flags);
++      return genlmsg_mcast(skb, portid, group);
+ }
+ EXPORT_SYMBOL(genlmsg_multicast_allns);
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 9e74f249cb45f..7979073036698 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -17905,10 +17905,8 @@ void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
+       genlmsg_end(msg, hdr);
+-      rcu_read_lock();
+       genlmsg_multicast_allns(&nl80211_fam, msg, 0,
+-                              NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
+-      rcu_read_unlock();
++                              NL80211_MCGRP_REGULATORY);
+       return;
+@@ -18605,10 +18603,8 @@ void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
+       genlmsg_end(msg, hdr);
+-      rcu_read_lock();
+       genlmsg_multicast_allns(&nl80211_fam, msg, 0,
+-                              NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
+-      rcu_read_unlock();
++                              NL80211_MCGRP_REGULATORY);
+       return;
+-- 
+2.43.0
+
diff --git a/queue-6.6/iio-accel-bma400-fix-uninitialized-variable-field_va.patch b/queue-6.6/iio-accel-bma400-fix-uninitialized-variable-field_va.patch
new file mode 100644 (file)
index 0000000..d2a8c57
--- /dev/null
@@ -0,0 +1,46 @@
+From 3ece4173b045239300a1f6b99ec0985e2a802ebd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 04:36:20 -0400
+Subject: iio: accel: bma400: Fix uninitialized variable field_value in tap
+ event handling.
+
+From: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+
+[ Upstream commit db9795a43dc944f048a37b65e06707f60f713e34 ]
+
+In the current implementation, the local variable field_value is used
+without prior initialization, which may lead to reading uninitialized
+memory. Specifically, in the macro set_mask_bits, the initial
+(potentially uninitialized) value of the buffer is copied into old__,
+and a mask is applied to calculate new__. A similar issue was resolved in
+commit 6ee2a7058fea ("iio: accel: bma400: Fix smatch warning based on use
+of unintialized value.").
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 961db2da159d ("iio: accel: bma400: Add support for single and double tap events")
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+Link: https://patch.msgid.link/20240910083624.27224-1-m.lobanov@rosalinux.ru
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/bma400_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/accel/bma400_core.c b/drivers/iio/accel/bma400_core.c
+index e90e2f01550ad..04083b7395ab8 100644
+--- a/drivers/iio/accel/bma400_core.c
++++ b/drivers/iio/accel/bma400_core.c
+@@ -1219,7 +1219,8 @@ static int bma400_activity_event_en(struct bma400_data *data,
+ static int bma400_tap_event_en(struct bma400_data *data,
+                              enum iio_event_direction dir, int state)
+ {
+-      unsigned int mask, field_value;
++      unsigned int mask;
++      unsigned int field_value = 0;
+       int ret;
+       /*
+-- 
+2.43.0
+
diff --git a/queue-6.6/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch b/queue-6.6/iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch
new file mode 100644 (file)
index 0000000..21475ac
--- /dev/null
@@ -0,0 +1,41 @@
+From 6257c233d8d09fb76805b842b12d877c23525157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 23:04:52 +0200
+Subject: iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in
+ Kconfig
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit a985576af824426e33100554a5958a6beda60a13 ]
+
+This driver makes use of triggered buffers, but does not select the
+required modules.
+
+Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'.
+
+Fixes: 6c7bc1d27bb2 ("iio: adc: ti-lmp92064: add buffering support")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241003-iio-select-v1-6-67c0385197cd@gmail.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig
+index e46817cb5581c..6dee3b686effd 100644
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -1335,6 +1335,8 @@ config TI_LMP92064
+       tristate "Texas Instruments LMP92064 ADC driver"
+       depends on SPI
+       select REGMAP_SPI
++      select IIO_BUFFER
++      select IIO_TRIGGERED_BUFFER
+       help
+         Say yes here to build support for the LMP92064 Precision Current and Voltage
+         sensor.
+-- 
+2.43.0
+
diff --git a/queue-6.6/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch b/queue-6.6/iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch
new file mode 100644 (file)
index 0000000..a433550
--- /dev/null
@@ -0,0 +1,70 @@
+From b1f07d3247815b6ab9cb8db42945cf88c8aa811f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 22:06:38 +0200
+Subject: iio: frequency: {admv4420,adrf6780}: format Kconfig entries
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit 5c9644a683e1690387a476a4f5f6bd5cf9a1d695 ]
+
+Format the entries of these drivers in the Kconfig, where spaces
+instead of tabs were used.
+
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241007-ad2s1210-select-v2-1-7345d228040f@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Stable-dep-of: 6b8e9dbfaed4 ("iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/frequency/Kconfig | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig
+index 71de6cc4a1584..f7534dd8a8cae 100644
+--- a/drivers/iio/frequency/Kconfig
++++ b/drivers/iio/frequency/Kconfig
+@@ -82,25 +82,25 @@ config ADMV1014
+         module will be called admv1014.
+ config ADMV4420
+-       tristate "Analog Devices ADMV4420 K Band Downconverter"
+-       depends on SPI
+-       help
+-         Say yes here to build support for Analog Devices K Band
+-         Downconverter with integrated Fractional-N PLL and VCO.
++      tristate "Analog Devices ADMV4420 K Band Downconverter"
++      depends on SPI
++      help
++        Say yes here to build support for Analog Devices K Band
++        Downconverter with integrated Fractional-N PLL and VCO.
+-         To compile this driver as a module, choose M here: the
+-         module will be called admv4420.
++        To compile this driver as a module, choose M here: the
++        module will be called admv4420.
+ config ADRF6780
+-        tristate "Analog Devices ADRF6780 Microwave Upconverter"
+-        depends on SPI
+-        depends on COMMON_CLK
+-        help
+-          Say yes here to build support for Analog Devices ADRF6780
+-          5.9 GHz to 23.6 GHz, Wideband, Microwave Upconverter.
+-
+-          To compile this driver as a module, choose M here: the
+-          module will be called adrf6780.
++      tristate "Analog Devices ADRF6780 Microwave Upconverter"
++      depends on SPI
++      depends on COMMON_CLK
++      help
++        Say yes here to build support for Analog Devices ADRF6780
++        5.9 GHz to 23.6 GHz, Wideband, Microwave Upconverter.
++
++        To compile this driver as a module, choose M here: the
++        module will be called adrf6780.
+ endmenu
+ endmenu
+-- 
+2.43.0
+
diff --git a/queue-6.6/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch b/queue-6.6/iio-frequency-admv4420-fix-missing-select-remap_spi-.patch
new file mode 100644 (file)
index 0000000..91e60f6
--- /dev/null
@@ -0,0 +1,37 @@
+From e2cd37b7a18f49688d34e54bf78a811896169e7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 22:06:39 +0200
+Subject: iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit 6b8e9dbfaed471627f7b863633b9937717df1d4d ]
+
+This driver makes use of regmap_spi, but does not select the required
+module.
+Add the missing 'select REGMAP_SPI'.
+
+Fixes: b59c04155901 ("iio: frequency: admv4420.c: Add support for ADMV4420")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241007-ad2s1210-select-v2-2-7345d228040f@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/frequency/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig
+index f7534dd8a8cae..036763d3e84c6 100644
+--- a/drivers/iio/frequency/Kconfig
++++ b/drivers/iio/frequency/Kconfig
+@@ -84,6 +84,7 @@ config ADMV1014
+ config ADMV4420
+       tristate "Analog Devices ADMV4420 K Band Downconverter"
+       depends on SPI
++      select REGMAP_SPI
+       help
+         Say yes here to build support for Analog Devices K Band
+         Downconverter with integrated Fractional-N PLL and VCO.
+-- 
+2.43.0
+
diff --git a/queue-6.6/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch b/queue-6.6/ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch
new file mode 100644 (file)
index 0000000..fdc13c1
--- /dev/null
@@ -0,0 +1,112 @@
+From cf6cac963605c3ba9846ec383bd6803706d77c51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 14:47:13 -0400
+Subject: ipv4: give an IPv4 dev to blackhole_netdev
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 22600596b6756b166fd052d5facb66287e6f0bad ]
+
+After commit 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to
+invalidate dst entries"), blackhole_netdev was introduced to invalidate
+dst cache entries on the TX path whenever the cache times out or is
+flushed.
+
+When two UDP sockets (sk1 and sk2) send messages to the same destination
+simultaneously, they are using the same dst cache. If the dst cache is
+invalidated on one path (sk2) while the other (sk1) is still transmitting,
+sk1 may try to use the invalid dst entry.
+
+         CPU1                   CPU2
+
+      udp_sendmsg(sk1)       udp_sendmsg(sk2)
+      udp_send_skb()
+      ip_output()
+                                             <--- dst timeout or flushed
+                             dst_dev_put()
+      ip_finish_output2()
+      ip_neigh_for_gw()
+
+This results in a scenario where ip_neigh_for_gw() returns -EINVAL because
+blackhole_dev lacks an in_dev, which is needed to initialize the neigh in
+arp_constructor(). This error is then propagated back to userspace,
+breaking the UDP application.
+
+The patch fixes this issue by assigning an in_dev to blackhole_dev for
+IPv4, similar to what was done for IPv6 in commit e5f80fcf869a ("ipv6:
+give an IPv6 dev to blackhole_netdev"). This ensures that even when the
+dst entry is invalidated with blackhole_dev, it will not fail to create
+the neigh entry.
+
+As devinet_init() is called ealier than blackhole_netdev_init() in system
+booting, it can not assign the in_dev to blackhole_dev in devinet_init().
+As Paolo suggested, add a separate late_initcall() in devinet.c to ensure
+inet_blackhole_dev_init() is called after blackhole_netdev_init().
+
+Fixes: 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to invalidate dst entries")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/3000792d45ca44e16c785ebe2b092e610e5b3df1.1728499633.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 35 +++++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index cb0c80328eebf..4822f68edbf08 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -283,17 +283,19 @@ static struct in_device *inetdev_init(struct net_device *dev)
+       /* Account for reference dev->ip_ptr (below) */
+       refcount_set(&in_dev->refcnt, 1);
+-      err = devinet_sysctl_register(in_dev);
+-      if (err) {
+-              in_dev->dead = 1;
+-              neigh_parms_release(&arp_tbl, in_dev->arp_parms);
+-              in_dev_put(in_dev);
+-              in_dev = NULL;
+-              goto out;
++      if (dev != blackhole_netdev) {
++              err = devinet_sysctl_register(in_dev);
++              if (err) {
++                      in_dev->dead = 1;
++                      neigh_parms_release(&arp_tbl, in_dev->arp_parms);
++                      in_dev_put(in_dev);
++                      in_dev = NULL;
++                      goto out;
++              }
++              ip_mc_init_dev(in_dev);
++              if (dev->flags & IFF_UP)
++                      ip_mc_up(in_dev);
+       }
+-      ip_mc_init_dev(in_dev);
+-      if (dev->flags & IFF_UP)
+-              ip_mc_up(in_dev);
+       /* we can receive as soon as ip_ptr is set -- do this last */
+       rcu_assign_pointer(dev->ip_ptr, in_dev);
+@@ -332,6 +334,19 @@ static void inetdev_destroy(struct in_device *in_dev)
+       in_dev_put(in_dev);
+ }
++static int __init inet_blackhole_dev_init(void)
++{
++      int err = 0;
++
++      rtnl_lock();
++      if (!inetdev_init(blackhole_netdev))
++              err = -ENOMEM;
++      rtnl_unlock();
++
++      return err;
++}
++late_initcall(inet_blackhole_dev_init);
++
+ int inet_addr_onlink(struct in_device *in_dev, __be32 a, __be32 b)
+ {
+       const struct in_ifaddr *ifa;
+-- 
+2.43.0
+
diff --git a/queue-6.6/irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch b/queue-6.6/irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch
new file mode 100644 (file)
index 0000000..e8d6d95
--- /dev/null
@@ -0,0 +1,208 @@
+From 09fc4ae271bc0ff3ed4b345fb6f235c81c82275c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:18:18 +0200
+Subject: irqchip/renesas-rzg2l: Add support for suspend to RAM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 74d2ef5f6f4b2437e6292ab2502400e8048db4aa ]
+
+The irqchip-renesas-rzg2l driver is used on RZ/G3S SoC. RZ/G3S can go into
+deep sleep states where power to different SoC's parts is cut off and RAM
+is switched to self-refresh. The resume from these states is done with the
+help of the bootloader.
+
+The IA55 IRQ controller needs to be reconfigured when resuming from deep
+sleep state. For this the IA55 registers are cached in suspend and restored
+in resume.
+
+The IA55 IRQ controller is connected to GPIO controller and GIC as follows:
+
+                                      ┌──────────┐          ┌──────────┐
+                                      │          │ SPIX     │          │
+                                      │          ├─────────►│          │
+                                      │          │          │          │
+                                      │          │          │          │
+              ┌────────┐IRQ0-7        │  IA55    │          │  GIC     │
+ Pin0 ───────►│        ├─────────────►│          │          │          │
+              │        │              │          │ PPIY     │          │
+ ...          │  GPIO  │              │          ├─────────►│          │
+              │        │GPIOINT0-127  │          │          │          │
+ PinN ───────►│        ├─────────────►│          │          │          │
+              └────────┘              └──────────┘          └──────────┘
+
+where:
+  - Pin0 is the first GPIO controller pin
+  - PinN is the last GPIO controller pin
+
+  - SPIX is the SPI interrupt with identifier X
+  - PPIY is the PPI interrupt with identifier Y
+
+Implement suspend/resume functionality with syscore_ops to be able to
+cache/restore the registers after/before the GPIO controller suspend/resume
+functions are invoked.
+
+As the syscore_ops suspend/resume functions do not take any argument make
+the driver private data static so it can be accessed from the
+suspend/resume functions.
+
+The IA55 interrupt controller is resumed before the GPIO controller. As
+GPIO pins could be in an a state which causes spurious interrupts, the
+reconfiguration of the interrupt controller is restricted to restore the
+interrupt type and leave them disabled.
+
+An eventually required interrupt enable operation will be done as part of
+the GPIO controller resume function after restoring the GPIO state.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20231120111820.87398-8-claudiu.beznea.uj@bp.renesas.com
+Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 68 ++++++++++++++++++++++++-----
+ 1 file changed, 57 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index ac925da17876c..00688043697f0 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -18,6 +18,7 @@
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+ #include <linux/spinlock.h>
++#include <linux/syscore_ops.h>
+ #define IRQC_IRQ_START                        1
+ #define IRQC_IRQ_COUNT                        8
+@@ -55,17 +56,29 @@
+ #define TINT_EXTRACT_HWIRQ(x)           FIELD_GET(GENMASK(15, 0), (x))
+ #define TINT_EXTRACT_GPIOINT(x)         FIELD_GET(GENMASK(31, 16), (x))
++/**
++ * struct rzg2l_irqc_reg_cache - registers cache (necessary for suspend/resume)
++ * @iitsr: IITSR register
++ * @titsr: TITSR registers
++ */
++struct rzg2l_irqc_reg_cache {
++      u32     iitsr;
++      u32     titsr[2];
++};
++
+ /**
+  * struct rzg2l_irqc_priv - IRQ controller private data structure
+  * @base:     Controller's base address
+  * @fwspec:   IRQ firmware specific data
+  * @lock:     Lock to serialize access to hardware registers
++ * @cache:    Registers cache for suspend/resume
+  */
+-struct rzg2l_irqc_priv {
++static struct rzg2l_irqc_priv {
+       void __iomem                    *base;
+       struct irq_fwspec               fwspec[IRQC_NUM_IRQ];
+       raw_spinlock_t                  lock;
+-};
++      struct rzg2l_irqc_reg_cache     cache;
++} *rzg2l_irqc_data;
+ static struct rzg2l_irqc_priv *irq_data_to_priv(struct irq_data *data)
+ {
+@@ -282,6 +295,38 @@ static int rzg2l_irqc_set_type(struct irq_data *d, unsigned int type)
+       return irq_chip_set_type_parent(d, IRQ_TYPE_LEVEL_HIGH);
+ }
++static int rzg2l_irqc_irq_suspend(void)
++{
++      struct rzg2l_irqc_reg_cache *cache = &rzg2l_irqc_data->cache;
++      void __iomem *base = rzg2l_irqc_data->base;
++
++      cache->iitsr = readl_relaxed(base + IITSR);
++      for (u8 i = 0; i < 2; i++)
++              cache->titsr[i] = readl_relaxed(base + TITSR(i));
++
++      return 0;
++}
++
++static void rzg2l_irqc_irq_resume(void)
++{
++      struct rzg2l_irqc_reg_cache *cache = &rzg2l_irqc_data->cache;
++      void __iomem *base = rzg2l_irqc_data->base;
++
++      /*
++       * Restore only interrupt type. TSSRx will be restored at the
++       * request of pin controller to avoid spurious interrupts due
++       * to invalid PIN states.
++       */
++      for (u8 i = 0; i < 2; i++)
++              writel_relaxed(cache->titsr[i], base + TITSR(i));
++      writel_relaxed(cache->iitsr, base + IITSR);
++}
++
++static struct syscore_ops rzg2l_irqc_syscore_ops = {
++      .suspend        = rzg2l_irqc_irq_suspend,
++      .resume         = rzg2l_irqc_irq_resume,
++};
++
+ static const struct irq_chip irqc_chip = {
+       .name                   = "rzg2l-irqc",
+       .irq_eoi                = rzg2l_irqc_eoi,
+@@ -366,7 +411,6 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+       struct irq_domain *irq_domain, *parent_domain;
+       struct platform_device *pdev;
+       struct reset_control *resetn;
+-      struct rzg2l_irqc_priv *priv;
+       int ret;
+       pdev = of_find_device_by_node(node);
+@@ -379,15 +423,15 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+               return -ENODEV;
+       }
+-      priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+-      if (!priv)
++      rzg2l_irqc_data = devm_kzalloc(&pdev->dev, sizeof(*rzg2l_irqc_data), GFP_KERNEL);
++      if (!rzg2l_irqc_data)
+               return -ENOMEM;
+-      priv->base = devm_of_iomap(&pdev->dev, pdev->dev.of_node, 0, NULL);
+-      if (IS_ERR(priv->base))
+-              return PTR_ERR(priv->base);
++      rzg2l_irqc_data->base = devm_of_iomap(&pdev->dev, pdev->dev.of_node, 0, NULL);
++      if (IS_ERR(rzg2l_irqc_data->base))
++              return PTR_ERR(rzg2l_irqc_data->base);
+-      ret = rzg2l_irqc_parse_interrupts(priv, node);
++      ret = rzg2l_irqc_parse_interrupts(rzg2l_irqc_data, node);
+       if (ret) {
+               dev_err(&pdev->dev, "cannot parse interrupts: %d\n", ret);
+               return ret;
+@@ -410,17 +454,19 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+               goto pm_disable;
+       }
+-      raw_spin_lock_init(&priv->lock);
++      raw_spin_lock_init(&rzg2l_irqc_data->lock);
+       irq_domain = irq_domain_add_hierarchy(parent_domain, 0, IRQC_NUM_IRQ,
+                                             node, &rzg2l_irqc_domain_ops,
+-                                            priv);
++                                            rzg2l_irqc_data);
+       if (!irq_domain) {
+               dev_err(&pdev->dev, "failed to add irq domain\n");
+               ret = -ENOMEM;
+               goto pm_put;
+       }
++      register_syscore_ops(&rzg2l_irqc_syscore_ops);
++
+       return 0;
+ pm_put:
+-- 
+2.43.0
+
diff --git a/queue-6.6/irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch b/queue-6.6/irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch
new file mode 100644 (file)
index 0000000..909749b
--- /dev/null
@@ -0,0 +1,43 @@
+From 2c0b357c4b3271d3b5f42e24431049bfbd66a81b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:18:14 +0200
+Subject: irqchip/renesas-rzg2l: Align struct member names to tabs
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 02f6507640173addeeb3af035d2c6f0b3cff1567 ]
+
+Align struct member names to tabs to follow the requirements from
+maintainer-tip file. 3 tabs were used at the moment as the next commits
+will add a new member which requires 3 tabs for a better view.
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20231120111820.87398-4-claudiu.beznea.uj@bp.renesas.com
+Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index ea4b921e5e158..3ea312a27492b 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -56,9 +56,9 @@
+ #define TINT_EXTRACT_GPIOINT(x)         FIELD_GET(GENMASK(31, 16), (x))
+ struct rzg2l_irqc_priv {
+-      void __iomem *base;
+-      struct irq_fwspec fwspec[IRQC_NUM_IRQ];
+-      raw_spinlock_t lock;
++      void __iomem                    *base;
++      struct irq_fwspec               fwspec[IRQC_NUM_IRQ];
++      raw_spinlock_t                  lock;
+ };
+ static struct rzg2l_irqc_priv *irq_data_to_priv(struct irq_data *data)
+-- 
+2.43.0
+
diff --git a/queue-6.6/irqchip-renesas-rzg2l-document-structure-members.patch b/queue-6.6/irqchip-renesas-rzg2l-document-structure-members.patch
new file mode 100644 (file)
index 0000000..321db6c
--- /dev/null
@@ -0,0 +1,42 @@
+From 7870098b4f9546fee29b86408f129113837d303a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:18:15 +0200
+Subject: irqchip/renesas-rzg2l: Document structure members
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit b94f455372ad6e6b4da8e8ed9864d9c7daaf54b8 ]
+
+Document structure members to follow the requirements specified in
+maintainer-tip, section 4.3.7. Struct declarations and initializers.
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20231120111820.87398-5-claudiu.beznea.uj@bp.renesas.com
+Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index 3ea312a27492b..ac925da17876c 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -55,6 +55,12 @@
+ #define TINT_EXTRACT_HWIRQ(x)           FIELD_GET(GENMASK(15, 0), (x))
+ #define TINT_EXTRACT_GPIOINT(x)         FIELD_GET(GENMASK(31, 16), (x))
++/**
++ * struct rzg2l_irqc_priv - IRQ controller private data structure
++ * @base:     Controller's base address
++ * @fwspec:   IRQ firmware specific data
++ * @lock:     Lock to serialize access to hardware registers
++ */
+ struct rzg2l_irqc_priv {
+       void __iomem                    *base;
+       struct irq_fwspec               fwspec[IRQC_NUM_IRQ];
+-- 
+2.43.0
+
diff --git a/queue-6.6/irqchip-renesas-rzg2l-fix-missing-put_device.patch b/queue-6.6/irqchip-renesas-rzg2l-fix-missing-put_device.patch
new file mode 100644 (file)
index 0000000..6bf1e95
--- /dev/null
@@ -0,0 +1,81 @@
+From 5c0b32edd8d8c889fcee25db19f8c33729bc658b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 18:20:03 +0100
+Subject: irqchip/renesas-rzg2l: Fix missing put_device
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit d038109ac1c6bf619473dda03a16a6de58170f7f ]
+
+rzg2l_irqc_common_init() calls of_find_device_by_node(), but the
+corresponding put_device() call is missing.  This also gets reported by
+make coccicheck.
+
+Make use of the cleanup interfaces from cleanup.h to call into
+__free_put_device(), which in turn calls into put_device when leaving
+function rzg2l_irqc_common_init() and variable "dev" goes out of scope.
+
+To prevent that the device is put on successful completion, assign NULL to
+"dev" to prevent __free_put_device() from calling into put_device() within
+the successful path.
+
+"make coccicheck" will still complain about missing put_device() calls,
+but those are false positives now.
+
+Fixes: 3fed09559cd8 ("irqchip: Add RZ/G2L IA55 Interrupt Controller driver")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20241011172003.1242841-1-fabrizio.castro.jz@renesas.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index 00688043697f0..5a7836186fd41 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -8,6 +8,7 @@
+  */
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/clk.h>
+ #include <linux/err.h>
+ #include <linux/io.h>
+@@ -408,12 +409,12 @@ static int rzg2l_irqc_parse_interrupts(struct rzg2l_irqc_priv *priv,
+ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+ {
++      struct platform_device *pdev = of_find_device_by_node(node);
++      struct device *dev __free(put_device) = pdev ? &pdev->dev : NULL;
+       struct irq_domain *irq_domain, *parent_domain;
+-      struct platform_device *pdev;
+       struct reset_control *resetn;
+       int ret;
+-      pdev = of_find_device_by_node(node);
+       if (!pdev)
+               return -ENODEV;
+@@ -467,6 +468,17 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+       register_syscore_ops(&rzg2l_irqc_syscore_ops);
++      /*
++       * Prevent the cleanup function from invoking put_device by assigning
++       * NULL to dev.
++       *
++       * make coccicheck will complain about missing put_device calls, but
++       * those are false positives, as dev will be automatically "put" via
++       * __free_put_device on the failing path.
++       * On the successful path we don't actually want to "put" dev.
++       */
++      dev = NULL;
++
+       return 0;
+ pm_put:
+-- 
+2.43.0
+
diff --git a/queue-6.6/khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch b/queue-6.6/khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch
new file mode 100644 (file)
index 0000000..fc1a15d
--- /dev/null
@@ -0,0 +1,99 @@
+From 64f56409384b5eb2b3a82c0c9ef725f63a8a5359 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 18:18:31 +0100
+Subject: khugepaged: convert alloc_charge_hpage to alloc_charge_folio
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit d5ab50b9412c0bba750eef5a34fd2937de1aee55 ]
+
+Both callers want to deal with a folio, so return a folio from this
+function.
+
+Link: https://lkml.kernel.org/r/20240403171838.1445826-3-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index d0fcfa47085b4..b197323450b5a 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1041,7 +1041,7 @@ static int __collapse_huge_page_swapin(struct mm_struct *mm,
+       return result;
+ }
+-static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
++static int alloc_charge_folio(struct folio **foliop, struct mm_struct *mm,
+                             struct collapse_control *cc)
+ {
+       gfp_t gfp = (cc->is_khugepaged ? alloc_hugepage_khugepaged_gfpmask() :
+@@ -1051,7 +1051,7 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
+       folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, &cc->alloc_nmask);
+       if (!folio) {
+-              *hpage = NULL;
++              *foliop = NULL;
+               count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+               return SCAN_ALLOC_HUGE_PAGE_FAIL;
+       }
+@@ -1059,13 +1059,13 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
+       count_vm_event(THP_COLLAPSE_ALLOC);
+       if (unlikely(mem_cgroup_charge(folio, mm, gfp))) {
+               folio_put(folio);
+-              *hpage = NULL;
++              *foliop = NULL;
+               return SCAN_CGROUP_CHARGE_FAIL;
+       }
+       count_memcg_folio_events(folio, THP_COLLAPSE_ALLOC, 1);
+-      *hpage = folio_page(folio, 0);
++      *foliop = folio;
+       return SCAN_SUCCEED;
+ }
+@@ -1094,7 +1094,8 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+        */
+       mmap_read_unlock(mm);
+-      result = alloc_charge_hpage(&hpage, mm, cc);
++      result = alloc_charge_folio(&folio, mm, cc);
++      hpage = &folio->page;
+       if (result != SCAN_SUCCEED)
+               goto out_nolock;
+@@ -1197,7 +1198,6 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+       if (unlikely(result != SCAN_SUCCEED))
+               goto out_up_write;
+-      folio = page_folio(hpage);
+       /*
+        * The smp_wmb() inside __folio_mark_uptodate() ensures the
+        * copy_huge_page writes become visible before the set_pmd_at()
+@@ -1786,7 +1786,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+       struct page *hpage;
+       struct page *page;
+       struct page *tmp;
+-      struct folio *folio;
++      struct folio *folio, *new_folio;
+       pgoff_t index = 0, end = start + HPAGE_PMD_NR;
+       LIST_HEAD(pagelist);
+       XA_STATE_ORDER(xas, &mapping->i_pages, start, HPAGE_PMD_ORDER);
+@@ -1797,7 +1797,8 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+       VM_BUG_ON(!IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !is_shmem);
+       VM_BUG_ON(start & (HPAGE_PMD_NR - 1));
+-      result = alloc_charge_hpage(&hpage, mm, cc);
++      result = alloc_charge_folio(&new_folio, mm, cc);
++      hpage = &new_folio->page;
+       if (result != SCAN_SUCCEED)
+               goto out;
+-- 
+2.43.0
+
diff --git a/queue-6.6/khugepaged-inline-hpage_collapse_alloc_folio.patch b/queue-6.6/khugepaged-inline-hpage_collapse_alloc_folio.patch
new file mode 100644 (file)
index 0000000..8bf2358
--- /dev/null
@@ -0,0 +1,77 @@
+From 6c6042af6a00795d06a79bedb447d718fb96c75e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 18:18:30 +0100
+Subject: khugepaged: inline hpage_collapse_alloc_folio()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 4746f5ce0fa52e21b5fe432970fe9516d1a45ebc ]
+
+Patch series "khugepaged folio conversions".
+
+We've been kind of hacking piecemeal at converting khugepaged to use
+folios instead of compound pages, and so this patchset is a little larger
+than it should be as I undo some of our wrong moves in the past.  In
+particular, collapse_file() now consistently uses 'new_folio' for the
+freshly allocated folio and 'folio' for the one that's currently in use.
+
+This patch (of 7):
+
+This function has one caller, and the combined function is simpler to
+read, reason about and modify.
+
+Link: https://lkml.kernel.org/r/20240403171838.1445826-1-willy@infradead.org
+Link: https://lkml.kernel.org/r/20240403171838.1445826-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index cb6a243688045..d0fcfa47085b4 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -887,20 +887,6 @@ static int hpage_collapse_find_target_node(struct collapse_control *cc)
+ }
+ #endif
+-static bool hpage_collapse_alloc_folio(struct folio **folio, gfp_t gfp, int node,
+-                                    nodemask_t *nmask)
+-{
+-      *folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, nmask);
+-
+-      if (unlikely(!*folio)) {
+-              count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+-              return false;
+-      }
+-
+-      count_vm_event(THP_COLLAPSE_ALLOC);
+-      return true;
+-}
+-
+ /*
+  * If mmap_lock temporarily dropped, revalidate vma
+  * before taking mmap_lock.
+@@ -1063,11 +1049,14 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
+       int node = hpage_collapse_find_target_node(cc);
+       struct folio *folio;
+-      if (!hpage_collapse_alloc_folio(&folio, gfp, node, &cc->alloc_nmask)) {
++      folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, &cc->alloc_nmask);
++      if (!folio) {
+               *hpage = NULL;
++              count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+               return SCAN_ALLOC_HUGE_PAGE_FAIL;
+       }
++      count_vm_event(THP_COLLAPSE_ALLOC);
+       if (unlikely(mem_cgroup_charge(folio, mm, gfp))) {
+               folio_put(folio);
+               *hpage = NULL;
+-- 
+2.43.0
+
diff --git a/queue-6.6/khugepaged-remove-hpage-from-collapse_file.patch b/queue-6.6/khugepaged-remove-hpage-from-collapse_file.patch
new file mode 100644 (file)
index 0000000..f5eed01
--- /dev/null
@@ -0,0 +1,219 @@
+From 96cb391700104bba00e7908da152de0e959b42ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 18:18:34 +0100
+Subject: khugepaged: remove hpage from collapse_file()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 610ff817b981921213ae51e5c5f38c76c6f0405e ]
+
+Use new_folio throughout where we had been using hpage.
+
+Link: https://lkml.kernel.org/r/20240403171838.1445826-6-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/huge_memory.h |  6 +--
+ mm/khugepaged.c                    | 77 +++++++++++++++---------------
+ 2 files changed, 42 insertions(+), 41 deletions(-)
+
+diff --git a/include/trace/events/huge_memory.h b/include/trace/events/huge_memory.h
+index 6e2ef1d4b0028..dc6eeef2d3dac 100644
+--- a/include/trace/events/huge_memory.h
++++ b/include/trace/events/huge_memory.h
+@@ -207,10 +207,10 @@ TRACE_EVENT(mm_khugepaged_scan_file,
+ );
+ TRACE_EVENT(mm_khugepaged_collapse_file,
+-      TP_PROTO(struct mm_struct *mm, struct page *hpage, pgoff_t index,
++      TP_PROTO(struct mm_struct *mm, struct folio *new_folio, pgoff_t index,
+                       bool is_shmem, unsigned long addr, struct file *file,
+                       int nr, int result),
+-      TP_ARGS(mm, hpage, index, addr, is_shmem, file, nr, result),
++      TP_ARGS(mm, new_folio, index, addr, is_shmem, file, nr, result),
+       TP_STRUCT__entry(
+               __field(struct mm_struct *, mm)
+               __field(unsigned long, hpfn)
+@@ -224,7 +224,7 @@ TRACE_EVENT(mm_khugepaged_collapse_file,
+       TP_fast_assign(
+               __entry->mm = mm;
+-              __entry->hpfn = hpage ? page_to_pfn(hpage) : -1;
++              __entry->hpfn = new_folio ? folio_pfn(new_folio) : -1;
+               __entry->index = index;
+               __entry->addr = addr;
+               __entry->is_shmem = is_shmem;
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index b197323450b5a..4b00592548f59 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1783,30 +1783,27 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+                        struct collapse_control *cc)
+ {
+       struct address_space *mapping = file->f_mapping;
+-      struct page *hpage;
+       struct page *page;
+-      struct page *tmp;
++      struct page *tmp, *dst;
+       struct folio *folio, *new_folio;
+       pgoff_t index = 0, end = start + HPAGE_PMD_NR;
+       LIST_HEAD(pagelist);
+       XA_STATE_ORDER(xas, &mapping->i_pages, start, HPAGE_PMD_ORDER);
+       int nr_none = 0, result = SCAN_SUCCEED;
+       bool is_shmem = shmem_file(file);
+-      int nr = 0;
+       VM_BUG_ON(!IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !is_shmem);
+       VM_BUG_ON(start & (HPAGE_PMD_NR - 1));
+       result = alloc_charge_folio(&new_folio, mm, cc);
+-      hpage = &new_folio->page;
+       if (result != SCAN_SUCCEED)
+               goto out;
+-      __SetPageLocked(hpage);
++      __folio_set_locked(new_folio);
+       if (is_shmem)
+-              __SetPageSwapBacked(hpage);
+-      hpage->index = start;
+-      hpage->mapping = mapping;
++              __folio_set_swapbacked(new_folio);
++      new_folio->index = start;
++      new_folio->mapping = mapping;
+       /*
+        * Ensure we have slots for all the pages in the range.  This is
+@@ -2039,20 +2036,24 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+        * The old pages are locked, so they won't change anymore.
+        */
+       index = start;
++      dst = folio_page(new_folio, 0);
+       list_for_each_entry(page, &pagelist, lru) {
+               while (index < page->index) {
+-                      clear_highpage(hpage + (index % HPAGE_PMD_NR));
++                      clear_highpage(dst);
+                       index++;
++                      dst++;
+               }
+-              if (copy_mc_highpage(hpage + (page->index % HPAGE_PMD_NR), page) > 0) {
++              if (copy_mc_highpage(dst, page) > 0) {
+                       result = SCAN_COPY_MC;
+                       goto rollback;
+               }
+               index++;
++              dst++;
+       }
+       while (index < end) {
+-              clear_highpage(hpage + (index % HPAGE_PMD_NR));
++              clear_highpage(dst);
+               index++;
++              dst++;
+       }
+       if (nr_none) {
+@@ -2080,16 +2081,17 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+               }
+               /*
+-               * If userspace observed a missing page in a VMA with a MODE_MISSING
+-               * userfaultfd, then it might expect a UFFD_EVENT_PAGEFAULT for that
+-               * page. If so, we need to roll back to avoid suppressing such an
+-               * event. Since wp/minor userfaultfds don't give userspace any
+-               * guarantees that the kernel doesn't fill a missing page with a zero
+-               * page, so they don't matter here.
++               * If userspace observed a missing page in a VMA with
++               * a MODE_MISSING userfaultfd, then it might expect a
++               * UFFD_EVENT_PAGEFAULT for that page. If so, we need to
++               * roll back to avoid suppressing such an event. Since
++               * wp/minor userfaultfds don't give userspace any
++               * guarantees that the kernel doesn't fill a missing
++               * page with a zero page, so they don't matter here.
+                *
+-               * Any userfaultfds registered after this point will not be able to
+-               * observe any missing pages due to the previously inserted retry
+-               * entries.
++               * Any userfaultfds registered after this point will
++               * not be able to observe any missing pages due to the
++               * previously inserted retry entries.
+                */
+               vma_interval_tree_foreach(vma, &mapping->i_mmap, start, end) {
+                       if (userfaultfd_missing(vma)) {
+@@ -2114,33 +2116,32 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+               xas_lock_irq(&xas);
+       }
+-      folio = page_folio(hpage);
+-      nr = folio_nr_pages(folio);
+       if (is_shmem)
+-              __lruvec_stat_mod_folio(folio, NR_SHMEM_THPS, nr);
++              __lruvec_stat_mod_folio(new_folio, NR_SHMEM_THPS, HPAGE_PMD_NR);
+       else
+-              __lruvec_stat_mod_folio(folio, NR_FILE_THPS, nr);
++              __lruvec_stat_mod_folio(new_folio, NR_FILE_THPS, HPAGE_PMD_NR);
+       if (nr_none) {
+-              __lruvec_stat_mod_folio(folio, NR_FILE_PAGES, nr_none);
++              __lruvec_stat_mod_folio(new_folio, NR_FILE_PAGES, nr_none);
+               /* nr_none is always 0 for non-shmem. */
+-              __lruvec_stat_mod_folio(folio, NR_SHMEM, nr_none);
++              __lruvec_stat_mod_folio(new_folio, NR_SHMEM, nr_none);
+       }
+       /*
+-       * Mark hpage as uptodate before inserting it into the page cache so
+-       * that it isn't mistaken for an fallocated but unwritten page.
++       * Mark new_folio as uptodate before inserting it into the
++       * page cache so that it isn't mistaken for an fallocated but
++       * unwritten page.
+        */
+-      folio_mark_uptodate(folio);
+-      folio_ref_add(folio, HPAGE_PMD_NR - 1);
++      folio_mark_uptodate(new_folio);
++      folio_ref_add(new_folio, HPAGE_PMD_NR - 1);
+       if (is_shmem)
+-              folio_mark_dirty(folio);
+-      folio_add_lru(folio);
++              folio_mark_dirty(new_folio);
++      folio_add_lru(new_folio);
+       /* Join all the small entries into a single multi-index entry. */
+       xas_set_order(&xas, start, HPAGE_PMD_ORDER);
+-      xas_store(&xas, folio);
++      xas_store(&xas, new_folio);
+       WARN_ON_ONCE(xas_error(&xas));
+       xas_unlock_irq(&xas);
+@@ -2151,7 +2152,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+       retract_page_tables(mapping, start);
+       if (cc && !cc->is_khugepaged)
+               result = SCAN_PTE_MAPPED_HUGEPAGE;
+-      folio_unlock(folio);
++      folio_unlock(new_folio);
+       /*
+        * The collapse has succeeded, so free the old pages.
+@@ -2196,13 +2197,13 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+               smp_mb();
+       }
+-      hpage->mapping = NULL;
++      new_folio->mapping = NULL;
+-      unlock_page(hpage);
+-      put_page(hpage);
++      folio_unlock(new_folio);
++      folio_put(new_folio);
+ out:
+       VM_BUG_ON(!list_empty(&pagelist));
+-      trace_mm_khugepaged_collapse_file(mm, hpage, index, is_shmem, addr, file, nr, result);
++      trace_mm_khugepaged_collapse_file(mm, new_folio, index, is_shmem, addr, file, HPAGE_PMD_NR, result);
+       return result;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch b/queue-6.6/lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch
new file mode 100644 (file)
index 0000000..1ed9061
--- /dev/null
@@ -0,0 +1,39 @@
+From 5df2ac601e6c49eb99ed68a7c2fbe1e9aeb9f08b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 16:02:44 +0200
+Subject: lib/Kconfig.debug: fix grammar in RUST_BUILD_ASSERT_ALLOW
+
+From: Timo Grautstueck <timo.grautstueck@web.de>
+
+[ Upstream commit ab8851431bef5cc44f0f3f0da112e883fd4d0df5 ]
+
+Just a grammar fix in lib/Kconfig.debug, under the config option
+RUST_BUILD_ASSERT_ALLOW.
+
+Reported-by: Miguel Ojeda <ojeda@kernel.org>
+Closes: https://github.com/Rust-for-Linux/linux/issues/1006
+Fixes: ecaa6ddff2fd ("rust: add `build_error` crate")
+Signed-off-by: Timo Grautstueck <timo.grautstueck@web.de>
+Link: https://lore.kernel.org/r/20241006140244.5509-1-timo.grautstueck@web.de
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index da5513cfc1258..f94c3e957b829 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -2999,7 +2999,7 @@ config RUST_BUILD_ASSERT_ALLOW
+       bool "Allow unoptimized build-time assertions"
+       depends on RUST
+       help
+-        Controls how are `build_error!` and `build_assert!` handled during build.
++        Controls how `build_error!` and `build_assert!` are handled during the build.
+         If calls to them exist in the binary, it may indicate a violated invariant
+         or that the optimizer failed to verify the invariant during compilation.
+-- 
+2.43.0
+
diff --git a/queue-6.6/macsec-don-t-increment-counters-for-an-unrelated-sa.patch b/queue-6.6/macsec-don-t-increment-counters-for-an-unrelated-sa.patch
new file mode 100644 (file)
index 0000000..38ed848
--- /dev/null
@@ -0,0 +1,83 @@
+From a071ba4d8ce55b3e87576ab0ffb7d1de0555f41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 17:16:37 +0200
+Subject: macsec: don't increment counters for an unrelated SA
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit cf58aefb1332db322060cad4a330d5f9292b0f41 ]
+
+On RX, we shouldn't be incrementing the stats for an arbitrary SA in
+case the actual SA hasn't been set up. Those counters are intended to
+track packets for their respective AN when the SA isn't currently
+configured. Due to the way MACsec is implemented, we don't keep
+counters unless the SA is configured, so we can't track those packets,
+and those counters will remain at 0.
+
+The RXSC's stats keeps track of those packets without telling us which
+AN they belonged to. We could add counters for non-existent SAs, and
+then find a way to integrate them in the dump to userspace, but I
+don't think it's worth the effort.
+
+Fixes: 91ec9bd57f35 ("macsec: Fix traffic counters/statistics")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/f5ac92aaa5b89343232615f4c03f9f95042c6aa0.1728657709.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 778fb77c5a937..2ada8baf815b1 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -151,19 +151,6 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
+       return sa;
+ }
+-static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc)
+-{
+-      struct macsec_rx_sa *sa = NULL;
+-      int an;
+-
+-      for (an = 0; an < MACSEC_NUM_AN; an++)  {
+-              sa = macsec_rxsa_get(rx_sc->sa[an]);
+-              if (sa)
+-                      break;
+-      }
+-      return sa;
+-}
+-
+ static void free_rx_sc_rcu(struct rcu_head *head)
+ {
+       struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
+@@ -1205,15 +1192,12 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
+               /* If validateFrames is Strict or the C bit in the
+                * SecTAG is set, discard
+                */
+-              struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc);
+               if (hdr->tci_an & MACSEC_TCI_C ||
+                   secy->validate_frames == MACSEC_VALIDATE_STRICT) {
+                       u64_stats_update_begin(&rxsc_stats->syncp);
+                       rxsc_stats->stats.InPktsNotUsingSA++;
+                       u64_stats_update_end(&rxsc_stats->syncp);
+                       DEV_STATS_INC(secy->netdev, rx_errors);
+-                      if (active_rx_sa)
+-                              this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA);
+                       goto drop_nosa;
+               }
+@@ -1223,8 +1207,6 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
+               u64_stats_update_begin(&rxsc_stats->syncp);
+               rxsc_stats->stats.InPktsUnusedSA++;
+               u64_stats_update_end(&rxsc_stats->syncp);
+-              if (active_rx_sa)
+-                      this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA);
+               goto deliver;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.6/mm-convert-collapse_huge_page-to-use-a-folio.patch b/queue-6.6/mm-convert-collapse_huge_page-to-use-a-folio.patch
new file mode 100644 (file)
index 0000000..f132d37
--- /dev/null
@@ -0,0 +1,66 @@
+From 1027a453bcac73c5978b5a542057c2ebc2d00e34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 16:22:13 +0000
+Subject: mm: convert collapse_huge_page() to use a folio
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 5432726848bb27a01badcbc93b596f39ee6c5ffb ]
+
+Replace three calls to compound_head() with one.
+
+Link: https://lkml.kernel.org/r/20231211162214.2146080-9-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 97cc4ef061832..24d05e0a672dc 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1088,6 +1088,7 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+       pmd_t *pmd, _pmd;
+       pte_t *pte;
+       pgtable_t pgtable;
++      struct folio *folio;
+       struct page *hpage;
+       spinlock_t *pmd_ptl, *pte_ptl;
+       int result = SCAN_FAIL;
+@@ -1207,13 +1208,13 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+       if (unlikely(result != SCAN_SUCCEED))
+               goto out_up_write;
++      folio = page_folio(hpage);
+       /*
+-       * spin_lock() below is not the equivalent of smp_wmb(), but
+-       * the smp_wmb() inside __SetPageUptodate() can be reused to
+-       * avoid the copy_huge_page writes to become visible after
+-       * the set_pmd_at() write.
++       * The smp_wmb() inside __folio_mark_uptodate() ensures the
++       * copy_huge_page writes become visible before the set_pmd_at()
++       * write.
+        */
+-      __SetPageUptodate(hpage);
++      __folio_mark_uptodate(folio);
+       pgtable = pmd_pgtable(_pmd);
+       _pmd = mk_huge_pmd(hpage, vma->vm_page_prot);
+@@ -1221,8 +1222,8 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+       spin_lock(pmd_ptl);
+       BUG_ON(!pmd_none(*pmd));
+-      page_add_new_anon_rmap(hpage, vma, address);
+-      lru_cache_add_inactive_or_unevictable(hpage, vma);
++      folio_add_new_anon_rmap(folio, vma, address);
++      folio_add_lru_vma(folio, vma);
+       pgtable_trans_huge_deposit(mm, pmd, pgtable);
+       set_pmd_at(mm, address, pmd, _pmd);
+       update_mmu_cache_pmd(vma, address, pmd);
+-- 
+2.43.0
+
diff --git a/queue-6.6/mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch b/queue-6.6/mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch
new file mode 100644 (file)
index 0000000..38214ee
--- /dev/null
@@ -0,0 +1,113 @@
+From 7f4c7302b5c4a2c4a695a3870390d32f8c792181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 11:33:30 -0700
+Subject: mm/khugepaged: convert alloc_charge_hpage() to use folios
+
+From: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+
+[ Upstream commit b455f39d228935f88eebcd1f7c1a6981093c6a3b ]
+
+Also remove count_memcg_page_event now that its last caller no longer uses
+it and reword hpage_collapse_alloc_page() to hpage_collapse_alloc_folio().
+
+This removes 1 call to compound_head() and helps convert khugepaged to
+use folios throughout.
+
+Link: https://lkml.kernel.org/r/20231020183331.10770-5-vishal.moola@gmail.com
+Signed-off-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Reviewed-by: Rik van Riel <riel@surriel.com>
+Reviewed-by: Yang Shi <shy828301@gmail.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/memcontrol.h | 14 --------------
+ mm/khugepaged.c            | 17 ++++++++++-------
+ 2 files changed, 10 insertions(+), 21 deletions(-)
+
+diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
+index e4e24da16d2c3..b1fdb1554f2f9 100644
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -1080,15 +1080,6 @@ static inline void count_memcg_events(struct mem_cgroup *memcg,
+       local_irq_restore(flags);
+ }
+-static inline void count_memcg_page_event(struct page *page,
+-                                        enum vm_event_item idx)
+-{
+-      struct mem_cgroup *memcg = page_memcg(page);
+-
+-      if (memcg)
+-              count_memcg_events(memcg, idx, 1);
+-}
+-
+ static inline void count_memcg_folio_events(struct folio *folio,
+               enum vm_event_item idx, unsigned long nr)
+ {
+@@ -1565,11 +1556,6 @@ static inline void __count_memcg_events(struct mem_cgroup *memcg,
+ {
+ }
+-static inline void count_memcg_page_event(struct page *page,
+-                                        int idx)
+-{
+-}
+-
+ static inline void count_memcg_folio_events(struct folio *folio,
+               enum vm_event_item idx, unsigned long nr)
+ {
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 88433cc25d8a5..97cc4ef061832 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -887,16 +887,16 @@ static int hpage_collapse_find_target_node(struct collapse_control *cc)
+ }
+ #endif
+-static bool hpage_collapse_alloc_page(struct page **hpage, gfp_t gfp, int node,
++static bool hpage_collapse_alloc_folio(struct folio **folio, gfp_t gfp, int node,
+                                     nodemask_t *nmask)
+ {
+-      *hpage = __alloc_pages(gfp, HPAGE_PMD_ORDER, node, nmask);
+-      if (unlikely(!*hpage)) {
++      *folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, nmask);
++
++      if (unlikely(!*folio)) {
+               count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+               return false;
+       }
+-      folio_prep_large_rmappable((struct folio *)*hpage);
+       count_vm_event(THP_COLLAPSE_ALLOC);
+       return true;
+ }
+@@ -1063,17 +1063,20 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
+       int node = hpage_collapse_find_target_node(cc);
+       struct folio *folio;
+-      if (!hpage_collapse_alloc_page(hpage, gfp, node, &cc->alloc_nmask))
++      if (!hpage_collapse_alloc_folio(&folio, gfp, node, &cc->alloc_nmask)) {
++              *hpage = NULL;
+               return SCAN_ALLOC_HUGE_PAGE_FAIL;
++      }
+-      folio = page_folio(*hpage);
+       if (unlikely(mem_cgroup_charge(folio, mm, gfp))) {
+               folio_put(folio);
+               *hpage = NULL;
+               return SCAN_CGROUP_CHARGE_FAIL;
+       }
+-      count_memcg_page_event(*hpage, THP_COLLAPSE_ALLOC);
++      count_memcg_folio_events(folio, THP_COLLAPSE_ALLOC, 1);
++
++      *hpage = folio_page(folio, 0);
+       return SCAN_SUCCEED;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch b/queue-6.6/mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch
new file mode 100644 (file)
index 0000000..c3f65db
--- /dev/null
@@ -0,0 +1,83 @@
+From 777dadbb80b9caed50e442d28afd2c31e2e33ac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 18:17:02 -0700
+Subject: mm: khugepaged: fix the arguments order in khugepaged_collapse_file
+ trace point
+
+From: Yang Shi <yang@os.amperecomputing.com>
+
+[ Upstream commit 37f0b47c5143c2957909ced44fc09ffb118c99f7 ]
+
+The "addr" and "is_shmem" arguments have different order in TP_PROTO and
+TP_ARGS.  This resulted in the incorrect trace result:
+
+text-hugepage-644429 [276] 392092.878683: mm_khugepaged_collapse_file:
+mm=0xffff20025d52c440, hpage_pfn=0x200678c00, index=512, addr=1, is_shmem=0,
+filename=text-hugepage, nr=512, result=failed
+
+The value of "addr" is wrong because it was treated as bool value, the
+type of is_shmem.
+
+Fix the order in TP_PROTO to keep "addr" is before "is_shmem" since the
+original patch review suggested this order to achieve best packing.
+
+And use "lx" for "addr" instead of "ld" in TP_printk because address is
+typically shown in hex.
+
+After the fix, the trace result looks correct:
+
+text-hugepage-7291  [004]   128.627251: mm_khugepaged_collapse_file:
+mm=0xffff0001328f9500, hpage_pfn=0x20016ea00, index=512, addr=0x400000,
+is_shmem=0, filename=text-hugepage, nr=512, result=failed
+
+Link: https://lkml.kernel.org/r/20241012011702.1084846-1-yang@os.amperecomputing.com
+Fixes: 4c9473e87e75 ("mm/khugepaged: add tracepoint to collapse_file()")
+Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
+Cc: Gautam Menghani <gautammenghani201@gmail.com>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: <stable@vger.kernel.org>    [6.2+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/huge_memory.h | 4 ++--
+ mm/khugepaged.c                    | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/trace/events/huge_memory.h b/include/trace/events/huge_memory.h
+index dc6eeef2d3dac..37f2443b3cdb0 100644
+--- a/include/trace/events/huge_memory.h
++++ b/include/trace/events/huge_memory.h
+@@ -208,7 +208,7 @@ TRACE_EVENT(mm_khugepaged_scan_file,
+ TRACE_EVENT(mm_khugepaged_collapse_file,
+       TP_PROTO(struct mm_struct *mm, struct folio *new_folio, pgoff_t index,
+-                      bool is_shmem, unsigned long addr, struct file *file,
++                      unsigned long addr, bool is_shmem, struct file *file,
+                       int nr, int result),
+       TP_ARGS(mm, new_folio, index, addr, is_shmem, file, nr, result),
+       TP_STRUCT__entry(
+@@ -233,7 +233,7 @@ TRACE_EVENT(mm_khugepaged_collapse_file,
+               __entry->result = result;
+       ),
+-      TP_printk("mm=%p, hpage_pfn=0x%lx, index=%ld, addr=%ld, is_shmem=%d, filename=%s, nr=%d, result=%s",
++      TP_printk("mm=%p, hpage_pfn=0x%lx, index=%ld, addr=%lx, is_shmem=%d, filename=%s, nr=%d, result=%s",
+               __entry->mm,
+               __entry->hpfn,
+               __entry->index,
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 4b00592548f59..a87cfe1d4b7be 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -2203,7 +2203,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+       folio_put(new_folio);
+ out:
+       VM_BUG_ON(!list_empty(&pagelist));
+-      trace_mm_khugepaged_collapse_file(mm, new_folio, index, is_shmem, addr, file, HPAGE_PMD_NR, result);
++      trace_mm_khugepaged_collapse_file(mm, new_folio, index, addr, is_shmem, file, HPAGE_PMD_NR, result);
+       return result;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/mm-khugepaged-use-a-folio-more-in-collapse_file.patch b/queue-6.6/mm-khugepaged-use-a-folio-more-in-collapse_file.patch
new file mode 100644 (file)
index 0000000..a5c9d9d
--- /dev/null
@@ -0,0 +1,80 @@
+From 4dc450d895ee3abc843cae039c29fc80a5a6ac86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Dec 2023 08:57:47 +0000
+Subject: mm/khugepaged: use a folio more in collapse_file()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit b54d60b18e850561e8bdb4264ae740676c3b7658 ]
+
+This function is not yet fully converted to the folio API, but this
+removes a few uses of old APIs.
+
+Link: https://lkml.kernel.org/r/20231228085748.1083901-6-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Zi Yan <ziy@nvidia.com>
+Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 24d05e0a672dc..cb6a243688045 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -2124,23 +2124,23 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+               xas_lock_irq(&xas);
+       }
+-      nr = thp_nr_pages(hpage);
++      folio = page_folio(hpage);
++      nr = folio_nr_pages(folio);
+       if (is_shmem)
+-              __mod_lruvec_page_state(hpage, NR_SHMEM_THPS, nr);
++              __lruvec_stat_mod_folio(folio, NR_SHMEM_THPS, nr);
+       else
+-              __mod_lruvec_page_state(hpage, NR_FILE_THPS, nr);
++              __lruvec_stat_mod_folio(folio, NR_FILE_THPS, nr);
+       if (nr_none) {
+-              __mod_lruvec_page_state(hpage, NR_FILE_PAGES, nr_none);
++              __lruvec_stat_mod_folio(folio, NR_FILE_PAGES, nr_none);
+               /* nr_none is always 0 for non-shmem. */
+-              __mod_lruvec_page_state(hpage, NR_SHMEM, nr_none);
++              __lruvec_stat_mod_folio(folio, NR_SHMEM, nr_none);
+       }
+       /*
+        * Mark hpage as uptodate before inserting it into the page cache so
+        * that it isn't mistaken for an fallocated but unwritten page.
+        */
+-      folio = page_folio(hpage);
+       folio_mark_uptodate(folio);
+       folio_ref_add(folio, HPAGE_PMD_NR - 1);
+@@ -2150,7 +2150,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+       /* Join all the small entries into a single multi-index entry. */
+       xas_set_order(&xas, start, HPAGE_PMD_ORDER);
+-      xas_store(&xas, hpage);
++      xas_store(&xas, folio);
+       WARN_ON_ONCE(xas_error(&xas));
+       xas_unlock_irq(&xas);
+@@ -2161,7 +2161,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+       retract_page_tables(mapping, start);
+       if (cc && !cc->is_khugepaged)
+               result = SCAN_PTE_MAPPED_HUGEPAGE;
+-      unlock_page(hpage);
++      folio_unlock(folio);
+       /*
+        * The collapse has succeeded, so free the old pages.
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch b/queue-6.6/net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch
new file mode 100644 (file)
index 0000000..6f09c1e
--- /dev/null
@@ -0,0 +1,37 @@
+From a8bfc25654afd7c56607493aa1b025a3e0555730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 22:59:01 +0800
+Subject: net: bcmasp: fix potential memory leak in bcmasp_xmit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit fed07d3eb8a8d9fcc0e455175a89bc6445d6faed ]
+
+The bcmasp_xmit() returns NETDEV_TX_OK without freeing skb
+in case of mapping fails, add dev_kfree_skb() to fix it.
+
+Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20241014145901.48940-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+index 6bf149d645941..f0647286c68b2 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+@@ -322,6 +322,7 @@ static netdev_tx_t bcmasp_xmit(struct sk_buff *skb, struct net_device *dev)
+                       }
+                       /* Rewind so we do not have a hole */
+                       spb_index = intf->tx_spb_index;
++                      dev_kfree_skb(skb);
+                       return NETDEV_TX_OK;
+               }
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch b/queue-6.6/net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch
new file mode 100644 (file)
index 0000000..9330964
--- /dev/null
@@ -0,0 +1,42 @@
+From 186c9720b66379f19bebd6ca0faf864f49fac98f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 13:43:42 -0700
+Subject: net: dsa: mv88e6xxx: Fix the max_vid definition for the MV88E6361
+
+From: Peter Rashleigh <peter@rashleigh.ca>
+
+[ Upstream commit 1833d8a26f057128fd63e126b4428203ece84684 ]
+
+According to the Marvell datasheet the 88E6361 has two VTU pages
+(4k VIDs per page) so the max_vid should be 8191, not 4095.
+
+In the current implementation mv88e6xxx_vtu_walk() gives unexpected
+results because of this error. I verified that mv88e6xxx_vtu_walk()
+works correctly on the MV88E6361 with this patch in place.
+
+Fixes: 12899f299803 ("net: dsa: mv88e6xxx: enable support for 88E6361 switch")
+Signed-off-by: Peter Rashleigh <peter@rashleigh.ca>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20241014204342.5852-1-peter@rashleigh.ca
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 3877744193e2a..062bcbe6255cf 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -6208,7 +6208,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+               .invalid_port_mask = BIT(1) | BIT(2) | BIT(8),
+               .num_internal_phys = 5,
+               .internal_phys_offset = 3,
+-              .max_vid = 4095,
++              .max_vid = 8191,
+               .max_sid = 63,
+               .port_base_addr = 0x0,
+               .phy_base_addr = 0x0,
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch b/queue-6.6/net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch
new file mode 100644 (file)
index 0000000..fe81935
--- /dev/null
@@ -0,0 +1,47 @@
+From 4f83b7b4b67e44b009977fbc0204fef5ce64b8b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 19:04:34 +0800
+Subject: net: ethernet: aeroflex: fix potential memory leak in
+ greth_start_xmit_gbit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit cf57b5d7a2aad456719152ecd12007fe031628a3 ]
+
+The greth_start_xmit_gbit() returns NETDEV_TX_OK without freeing skb
+in case of skb->len being too long, add dev_kfree_skb() to fix it.
+
+Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Link: https://patch.msgid.link/20241012110434.49265-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aeroflex/greth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
+index 597a02c75d527..e624d31d20d89 100644
+--- a/drivers/net/ethernet/aeroflex/greth.c
++++ b/drivers/net/ethernet/aeroflex/greth.c
+@@ -484,7 +484,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev)
+       if (unlikely(skb->len > MAX_FRAME_SIZE)) {
+               dev->stats.tx_errors++;
+-              goto out;
++              goto len_error;
+       }
+       /* Save skb pointer. */
+@@ -575,6 +575,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev)
+ map_error:
+       if (net_ratelimit())
+               dev_warn(greth->dev, "Could not create TX DMA mapping\n");
++len_error:
+       dev_kfree_skb(skb);
+ out:
+       return err;
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch b/queue-6.6/net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch
new file mode 100644 (file)
index 0000000..cf07bd4
--- /dev/null
@@ -0,0 +1,47 @@
+From 3080538f11d037c07166d10c0b6049a20fe1b3c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 12:32:05 +0300
+Subject: net/mlx5: Check for invalid vector index on EQ creation
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit d4f25be27e3ef7e23998fbd3dd4bff0602de7ae5 ]
+
+Currently, mlx5 driver does not enforce vector index to be lower than
+the maximum number of supported completion vectors when requesting a
+new completion EQ. Thus, mlx5_comp_eqn_get() fails when trying to
+acquire an IRQ with an improper vector index.
+
+To prevent the case above, enforce that vector index value is
+valid and lower than maximum in mlx5_comp_eqn_get() before handling the
+request.
+
+Fixes: f14c1a14e632 ("net/mlx5: Allocate completion EQs dynamically")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eq.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+index 40a6cb052a2da..07a0419549092 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+@@ -1073,6 +1073,12 @@ int mlx5_comp_eqn_get(struct mlx5_core_dev *dev, u16 vecidx, int *eqn)
+       struct mlx5_eq_comp *eq;
+       int ret = 0;
++      if (vecidx >= table->max_comp_eqs) {
++              mlx5_core_dbg(dev, "Requested vector index %u should be less than %u",
++                            vecidx, table->max_comp_eqs);
++              return -EINVAL;
++      }
++
+       mutex_lock(&table->comp_lock);
+       eq = xa_load(&table->comp_eqs, vecidx);
+       if (eq) {
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-mlx5-fix-command-bitmask-initialization.patch b/queue-6.6/net-mlx5-fix-command-bitmask-initialization.patch
new file mode 100644 (file)
index 0000000..775eb27
--- /dev/null
@@ -0,0 +1,100 @@
+From a06f71712c4c7450d2564891d62e1402a316d866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 12:32:06 +0300
+Subject: net/mlx5: Fix command bitmask initialization
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit d62b14045c6511a7b2d4948d1a83a4e592deeb05 ]
+
+Command bitmask have a dedicated bit for MANAGE_PAGES command, this bit
+isn't Initialize during command bitmask Initialization, only during
+MANAGE_PAGES.
+
+In addition, mlx5_cmd_trigger_completions() is trying to trigger
+completion for MANAGE_PAGES command as well.
+
+Hence, in case health error occurred before any MANAGE_PAGES command
+have been invoke (for example, during mlx5_enable_hca()),
+mlx5_cmd_trigger_completions() will try to trigger completion for
+MANAGE_PAGES command, which will result in null-ptr-deref error.[1]
+
+Fix it by Initialize command bitmask correctly.
+
+While at it, re-write the code for better understanding.
+
+[1]
+BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
+Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078
+CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7e/0xc0
+ kasan_report+0xb9/0xf0
+ kasan_check_range+0xec/0x190
+ mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
+ mlx5_cmd_flush+0x94/0x240 [mlx5_core]
+ enter_error_state+0x6c/0xd0 [mlx5_core]
+ mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core]
+ process_one_work+0x787/0x1490
+ ? lockdep_hardirqs_on_prepare+0x400/0x400
+ ? pwq_dec_nr_in_flight+0xda0/0xda0
+ ? assign_work+0x168/0x240
+ worker_thread+0x586/0xd30
+ ? rescuer_thread+0xae0/0xae0
+ kthread+0x2df/0x3b0
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x2d/0x70
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Fixes: 9b98d395b85d ("net/mlx5: Start health poll at earlier stage of driver load")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 48dc4ae87af09..80af0fc7101fd 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1758,6 +1758,10 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+       }
+ }
++#define MLX5_MAX_MANAGE_PAGES_CMD_ENT 1
++#define MLX5_CMD_MASK ((1UL << (cmd->vars.max_reg_cmds + \
++                         MLX5_MAX_MANAGE_PAGES_CMD_ENT)) - 1)
++
+ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev)
+ {
+       struct mlx5_cmd *cmd = &dev->cmd;
+@@ -1769,7 +1773,7 @@ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev)
+       /* wait for pending handlers to complete */
+       mlx5_eq_synchronize_cmd_irq(dev);
+       spin_lock_irqsave(&dev->cmd.alloc_lock, flags);
+-      vector = ~dev->cmd.vars.bitmask & ((1ul << (1 << dev->cmd.vars.log_sz)) - 1);
++      vector = ~dev->cmd.vars.bitmask & MLX5_CMD_MASK;
+       if (!vector)
+               goto no_trig;
+@@ -2275,7 +2279,7 @@ int mlx5_cmd_enable(struct mlx5_core_dev *dev)
+       cmd->state = MLX5_CMDIF_STATE_DOWN;
+       cmd->vars.max_reg_cmds = (1 << cmd->vars.log_sz) - 1;
+-      cmd->vars.bitmask = (1UL << cmd->vars.max_reg_cmds) - 1;
++      cmd->vars.bitmask = MLX5_CMD_MASK;
+       sema_init(&cmd->vars.sem, cmd->vars.max_reg_cmds);
+       sema_init(&cmd->vars.pages_sem, 1);
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch b/queue-6.6/net-mlx5-unregister-notifier-on-eswitch-init-failure.patch
new file mode 100644 (file)
index 0000000..57413b6
--- /dev/null
@@ -0,0 +1,72 @@
+From 21ebaa098a4ad18718c93055303f21aed06e8876 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 12:32:07 +0300
+Subject: net/mlx5: Unregister notifier on eswitch init failure
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit 1da9cfd6c41c2e6bbe624d0568644e1521c33e12 ]
+
+It otherwise remains registered and a subsequent attempt at eswitch
+enabling might trigger warnings of the sort:
+
+[  682.589148] ------------[ cut here ]------------
+[  682.590204] notifier callback eswitch_vport_event [mlx5_core] already registered
+[  682.590256] WARNING: CPU: 13 PID: 2660 at kernel/notifier.c:31 notifier_chain_register+0x3e/0x90
+[...snipped]
+[  682.610052] Call Trace:
+[  682.610369]  <TASK>
+[  682.610663]  ? __warn+0x7c/0x110
+[  682.611050]  ? notifier_chain_register+0x3e/0x90
+[  682.611556]  ? report_bug+0x148/0x170
+[  682.611977]  ? handle_bug+0x36/0x70
+[  682.612384]  ? exc_invalid_op+0x13/0x60
+[  682.612817]  ? asm_exc_invalid_op+0x16/0x20
+[  682.613284]  ? notifier_chain_register+0x3e/0x90
+[  682.613789]  atomic_notifier_chain_register+0x25/0x40
+[  682.614322]  mlx5_eswitch_enable_locked+0x1d4/0x3b0 [mlx5_core]
+[  682.614965]  mlx5_eswitch_enable+0xc9/0x100 [mlx5_core]
+[  682.615551]  mlx5_device_enable_sriov+0x25/0x340 [mlx5_core]
+[  682.616170]  mlx5_core_sriov_configure+0x50/0x170 [mlx5_core]
+[  682.616789]  sriov_numvfs_store+0xb0/0x1b0
+[  682.617248]  kernfs_fop_write_iter+0x117/0x1a0
+[  682.617734]  vfs_write+0x231/0x3f0
+[  682.618138]  ksys_write+0x63/0xe0
+[  682.618536]  do_syscall_64+0x4c/0x100
+[  682.618958]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: 7624e58a8b3a ("net/mlx5: E-switch, register event handler before arming the event")
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 1789800faaeb6..f6022c135ec02 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1489,7 +1489,7 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs)
+       }
+       if (err)
+-              goto abort;
++              goto err_esw_enable;
+       esw->fdb_table.flags |= MLX5_ESW_FDB_CREATED;
+@@ -1503,7 +1503,8 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs)
+       return 0;
+-abort:
++err_esw_enable:
++      mlx5_eq_notifier_unregister(esw->dev, &esw->nb);
+       mlx5_esw_acls_ns_cleanup(esw);
+       return err;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch b/queue-6.6/net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch
new file mode 100644 (file)
index 0000000..2fcf6e7
--- /dev/null
@@ -0,0 +1,76 @@
+From 46bb6444c1e4b9b249ebdcfcccd885ea5d15e9b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 14:43:43 +0200
+Subject: net: ravb: Only advertise Rx/Tx timestamps if hardware supports it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit 126e799602f45e9ce1ded03ee9eadda68bf470e0 ]
+
+Recent work moving the reporting of Rx software timestamps to the core
+[1] highlighted an issue where hardware time stamping was advertised
+for the platforms where it is not supported.
+
+Fix this by covering advertising support for hardware timestamps only if
+the hardware supports it. Due to the Tx implementation in RAVB software
+Tx timestamping is also only considered if the hardware supports
+hardware timestamps. This should be addressed in future, but this fix
+only reflects what the driver currently implements.
+
+1. Commit 277901ee3a26 ("ravb: Remove setting of RX software timestamp")
+
+Fixes: 7e09a052dc4e ("ravb: Exclude gPTP feature support for RZ/G2L")
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Tested-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://patch.msgid.link/20241014124343.3875285-1-niklas.soderlund+renesas@ragnatech.se
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 25 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 8f62cc4517918..58fdc4f8dd483 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1673,20 +1673,19 @@ static int ravb_get_ts_info(struct net_device *ndev,
+       struct ravb_private *priv = netdev_priv(ndev);
+       const struct ravb_hw_info *hw_info = priv->info;
+-      info->so_timestamping =
+-              SOF_TIMESTAMPING_TX_SOFTWARE |
+-              SOF_TIMESTAMPING_TX_HARDWARE |
+-              SOF_TIMESTAMPING_RX_HARDWARE |
+-              SOF_TIMESTAMPING_RAW_HARDWARE;
+-      info->tx_types = (1 << HWTSTAMP_TX_OFF) | (1 << HWTSTAMP_TX_ON);
+-      info->rx_filters =
+-              (1 << HWTSTAMP_FILTER_NONE) |
+-              (1 << HWTSTAMP_FILTER_PTP_V2_L2_EVENT) |
+-              (1 << HWTSTAMP_FILTER_ALL);
+-      if (hw_info->gptp || hw_info->ccc_gac)
++      if (hw_info->gptp || hw_info->ccc_gac) {
++              info->so_timestamping =
++                      SOF_TIMESTAMPING_TX_SOFTWARE |
++                      SOF_TIMESTAMPING_TX_HARDWARE |
++                      SOF_TIMESTAMPING_RX_HARDWARE |
++                      SOF_TIMESTAMPING_RAW_HARDWARE;
++              info->tx_types = (1 << HWTSTAMP_TX_OFF) | (1 << HWTSTAMP_TX_ON);
++              info->rx_filters =
++                      (1 << HWTSTAMP_FILTER_NONE) |
++                      (1 << HWTSTAMP_FILTER_PTP_V2_L2_EVENT) |
++                      (1 << HWTSTAMP_FILTER_ALL);
+               info->phc_index = ptp_clock_index(priv->ptp.clock);
+-      else
+-              info->phc_index = 0;
++      }
+       return 0;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-smc-fix-memory-leak-when-using-percpu-refs.patch b/queue-6.6/net-smc-fix-memory-leak-when-using-percpu-refs.patch
new file mode 100644 (file)
index 0000000..0416636
--- /dev/null
@@ -0,0 +1,57 @@
+From 2ba1dc430ccf87980c6bd62ddd5c3585116f7a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 11:56:24 +0000
+Subject: net/smc: Fix memory leak when using percpu refs
+
+From: Kai Shen <KaiShen@linux.alibaba.com>
+
+[ Upstream commit 25c12b459db8365fee84b63f3dd7910f70627f29 ]
+
+This patch adds missing percpu_ref_exit when releasing percpu refs.
+When releasing percpu refs, percpu_ref_exit should be called.
+Otherwise, memory leak happens.
+
+Fixes: 79a22238b4f2 ("net/smc: Use percpu ref for wr tx reference")
+Signed-off-by: Kai Shen <KaiShen@linux.alibaba.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Link: https://patch.msgid.link/20241010115624.7769-1-KaiShen@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_wr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c
+index 0021065a600a0..994c0cd4fddbf 100644
+--- a/net/smc/smc_wr.c
++++ b/net/smc/smc_wr.c
+@@ -648,8 +648,10 @@ void smc_wr_free_link(struct smc_link *lnk)
+       smc_wr_tx_wait_no_pending_sends(lnk);
+       percpu_ref_kill(&lnk->wr_reg_refs);
+       wait_for_completion(&lnk->reg_ref_comp);
++      percpu_ref_exit(&lnk->wr_reg_refs);
+       percpu_ref_kill(&lnk->wr_tx_refs);
+       wait_for_completion(&lnk->tx_ref_comp);
++      percpu_ref_exit(&lnk->wr_tx_refs);
+       if (lnk->wr_rx_dma_addr) {
+               ib_dma_unmap_single(ibdev, lnk->wr_rx_dma_addr,
+@@ -912,11 +914,13 @@ int smc_wr_create_link(struct smc_link *lnk)
+       init_waitqueue_head(&lnk->wr_reg_wait);
+       rc = percpu_ref_init(&lnk->wr_reg_refs, smcr_wr_reg_refs_free, 0, GFP_KERNEL);
+       if (rc)
+-              goto dma_unmap;
++              goto cancel_ref;
+       init_completion(&lnk->reg_ref_comp);
+       init_waitqueue_head(&lnk->wr_rx_empty_wait);
+       return rc;
++cancel_ref:
++      percpu_ref_exit(&lnk->wr_tx_refs);
+ dma_unmap:
+       if (lnk->wr_rx_v2_dma_addr) {
+               ib_dma_unmap_single(ibdev, lnk->wr_rx_v2_dma_addr,
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch b/queue-6.6/net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch
new file mode 100644 (file)
index 0000000..b3fe5fb
--- /dev/null
@@ -0,0 +1,41 @@
+From 5c437ea72acf2719007a7cf7dfb8cca0ebf40e9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 19:53:21 +0800
+Subject: net/smc: Fix searching in list of known pnetids in
+ smc_pnet_add_pnetid
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit 82ac39ebd6db0c9f7a97a934bda1e3e101a9d201 ]
+
+pnetid of pi (not newly allocated pe) should be compared
+
+Fixes: e888a2e8337c ("net/smc: introduce list of pnetids for Ethernet devices")
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Gerd Bayer <gbayer@linux.ibm.com>
+Link: https://patch.msgid.link/20241014115321.33234-1-lirongqing@baidu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_pnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c
+index 306b536fa89e9..284cec1e20ec1 100644
+--- a/net/smc/smc_pnet.c
++++ b/net/smc/smc_pnet.c
+@@ -753,7 +753,7 @@ static int smc_pnet_add_pnetid(struct net *net, u8 *pnetid)
+       write_lock(&sn->pnetids_ndev.lock);
+       list_for_each_entry(pi, &sn->pnetids_ndev.list, list) {
+-              if (smc_pnet_match(pnetid, pe->pnetid)) {
++              if (smc_pnet_match(pnetid, pi->pnetid)) {
+                       refcount_inc(&pi->refcnt);
+                       kfree(pe);
+                       goto unlock;
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch b/queue-6.6/net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch
new file mode 100644 (file)
index 0000000..949374c
--- /dev/null
@@ -0,0 +1,91 @@
+From 3b35d5ad3abbc9a6e1d65558dc4d51442d33808f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 10:29:08 -0400
+Subject: net: stmmac: dwmac-tegra: Fix link bring-up sequence
+
+From: Paritosh Dixit <paritoshd@nvidia.com>
+
+[ Upstream commit 1cff6ff302f5703a627f9ee1d99131161ea2683e ]
+
+The Tegra MGBE driver sometimes fails to initialize, reporting the
+following error, and as a result, it is unable to acquire an IP
+address with DHCP:
+
+ tegra-mgbe 6800000.ethernet: timeout waiting for link to become ready
+
+As per the recommendation from the Tegra hardware design team, fix this
+issue by:
+- clearing the PHY_RDY bit before setting the CDR_RESET bit and then
+setting PHY_RDY bit before clearing CDR_RESET bit. This ensures valid
+data is present at UPHY RX inputs before starting the CDR lock.
+- adding the required delays when bringing up the UPHY lane. Note we
+need to use delays here because there is no alternative, such as
+polling, for these cases. Using the usleep_range() instead of ndelay()
+as sleeping is preferred over busy wait loop.
+
+Without this change we would see link failures on boot sometimes as
+often as 1 in 5 boots. With this fix we have not observed any failures
+in over 1000 boots.
+
+Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support")
+Signed-off-by: Paritosh Dixit <paritoshd@nvidia.com>
+Link: https://patch.msgid.link/20241010142908.602712-1-paritoshd@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+index e0f3cbd36852e..e2d61a3a7712d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+@@ -127,10 +127,12 @@ static int mgbe_uphy_lane_bringup_serdes_up(struct net_device *ndev, void *mgbe_
+       value &= ~XPCS_WRAP_UPHY_RX_CONTROL_AUX_RX_IDDQ;
+       writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++      usleep_range(10, 20);  /* 50ns min delay needed as per HW design */
+       value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+       value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_SLEEP;
+       writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++      usleep_range(10, 20);  /* 500ns min delay needed as per HW design */
+       value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+       value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CAL_EN;
+       writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+@@ -143,22 +145,30 @@ static int mgbe_uphy_lane_bringup_serdes_up(struct net_device *ndev, void *mgbe_
+               return err;
+       }
++      usleep_range(10, 20);  /* 50ns min delay needed as per HW design */
+       value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+       value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_DATA_EN;
+       writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+       value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+-      value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET;
++      value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_PCS_PHY_RDY;
+       writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++      usleep_range(10, 20);  /* 50ns min delay needed as per HW design */
+       value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+-      value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET;
++      value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET;
+       writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++      usleep_range(10, 20);  /* 50ns min delay needed as per HW design */
+       value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+       value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_PCS_PHY_RDY;
+       writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++      msleep(30);  /* 30ms delay needed as per HW design */
++      value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++      value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET;
++      writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++
+       err = readl_poll_timeout(mgbe->xpcs + XPCS_WRAP_IRQ_STATUS, value,
+                                value & XPCS_WRAP_IRQ_STATUS_PCS_LINK_STS,
+                                500, 500 * 2000);
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch b/queue-6.6/net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch
new file mode 100644 (file)
index 0000000..bf1bad9
--- /dev/null
@@ -0,0 +1,36 @@
+From 64309ae523059beb1d2628ea1bc7c04530fea2a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 22:51:15 +0800
+Subject: net: systemport: fix potential memory leak in bcm_sysport_xmit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit c401ed1c709948e57945485088413e1bb5e94bd1 ]
+
+The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb
+in case of dma_map_single() fails, add dev_kfree_skb() to fix it.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://patch.msgid.link/20241014145115.44977-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index bf1611cce974a..49e890a7e04a3 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -1359,6 +1359,7 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb,
+               netif_err(priv, tx_err, dev, "DMA map failed at %p (len=%d)\n",
+                         skb->data, skb_len);
+               ret = NETDEV_TX_OK;
++              dev_kfree_skb_any(skb);
+               goto out;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-usb-usbnet-fix-race-in-probe-failure.patch b/queue-6.6/net-usb-usbnet-fix-race-in-probe-failure.patch
new file mode 100644 (file)
index 0000000..355491d
--- /dev/null
@@ -0,0 +1,37 @@
+From 72990d13a7dbd849789e84c6627f59860cc18d09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 15:19:14 +0200
+Subject: net: usb: usbnet: fix race in probe failure
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit b62f4c186c70aa235fef2da68d07325d85ca3ade ]
+
+The same bug as in the disconnect code path also exists
+in the case of a failure late during the probe process.
+The flag must also be set.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://patch.msgid.link/20241010131934.1499695-1-oneukum@suse.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 60c58dd6d2531..4f5a3a4aac89e 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1874,6 +1874,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+        * may trigger an error resubmitting itself and, worse,
+        * schedule a timer. So we kill it all just in case.
+        */
++      usbnet_mark_going_away(dev);
+       cancel_work_sync(&dev->kevent);
+       del_timer_sync(&dev->delay);
+       free_percpu(net->tstats);
+-- 
+2.43.0
+
diff --git a/queue-6.6/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch b/queue-6.6/net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch
new file mode 100644 (file)
index 0000000..4492bec
--- /dev/null
@@ -0,0 +1,46 @@
+From 40e644b4473d930eacfa5511d8448d5f604ba090 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 22:37:04 +0800
+Subject: net: xilinx: axienet: fix potential memory leak in
+ axienet_start_xmit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 99714e37e8333bbc22496fe80f241d5b35380e83 ]
+
+The axienet_start_xmit() returns NETDEV_TX_OK without freeing skb
+in case of dma_map_single() fails, add dev_kfree_skb_any() to fix it.
+
+Fixes: 71791dc8bdea ("net: axienet: Check for DMA mapping errors")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Link: https://patch.msgid.link/20241014143704.31938-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 62c10eb4f0adf..9f779653ed622 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -845,6 +845,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+               if (net_ratelimit())
+                       netdev_err(ndev, "TX DMA mapping error\n");
+               ndev->stats.tx_dropped++;
++              dev_kfree_skb_any(skb);
+               return NETDEV_TX_OK;
+       }
+       desc_set_phys_addr(lp, phys, cur_p);
+@@ -865,6 +866,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+                       ndev->stats.tx_dropped++;
+                       axienet_free_tx_chain(lp, orig_tail_ptr, ii + 1,
+                                             true, NULL, 0);
++                      dev_kfree_skb_any(skb);
+                       return NETDEV_TX_OK;
+               }
+               desc_set_phys_addr(lp, phys, cur_p);
+-- 
+2.43.0
+
diff --git a/queue-6.6/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch b/queue-6.6/netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch
new file mode 100644 (file)
index 0000000..7af5d88
--- /dev/null
@@ -0,0 +1,111 @@
+From 03462d808886a3a67d4955d5f3a365e6b67de5c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 09:42:30 +0000
+Subject: netdevsim: use cond_resched() in nsim_dev_trap_report_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a1494d532e28598bde7a5544892ef9c7dbfafa93 ]
+
+I am still seeing many syzbot reports hinting that syzbot
+might fool nsim_dev_trap_report_work() with hundreds of ports [1]
+
+Lets use cond_resched(), and system_unbound_wq
+instead of implicit system_wq.
+
+[1]
+INFO: task syz-executor:20633 blocked for more than 143 seconds.
+      Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor    state:D stack:25856 pid:20633 tgid:20633 ppid:1      flags:0x00004006
+...
+NMI backtrace for cpu 1
+CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Workqueue: events nsim_dev_trap_report_work
+ RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210
+Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0
+RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246
+RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00
+RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577
+R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000
+R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00
+FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Call Trace:
+ <NMI>
+ </NMI>
+ <TASK>
+  __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
+  spin_unlock_bh include/linux/spinlock.h:396 [inline]
+  nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
+  nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850
+  process_one_work kernel/workqueue.c:3229 [inline]
+  process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
+  worker_thread+0x870/0xd30 kernel/workqueue.c:3391
+  kthread+0x2f0/0x390 kernel/kthread.c:389
+  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+Fixes: ba5e1272142d ("netdevsim: avoid potential loop in nsim_dev_trap_report_work()")
+Reported-by: syzbot+d383dc9579a76f56c251@syzkaller.appspotmail.com
+Reported-by: syzbot+c596faae21a68bf7afd0@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Link: https://patch.msgid.link/20241012094230.3893510-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/dev.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
+index 92a7a36b93ac0..3e0b61202f0c9 100644
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -836,7 +836,8 @@ static void nsim_dev_trap_report_work(struct work_struct *work)
+       nsim_dev = nsim_trap_data->nsim_dev;
+       if (!devl_trylock(priv_to_devlink(nsim_dev))) {
+-              schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 1);
++              queue_delayed_work(system_unbound_wq,
++                                 &nsim_dev->trap_data->trap_report_dw, 1);
+               return;
+       }
+@@ -848,11 +849,12 @@ static void nsim_dev_trap_report_work(struct work_struct *work)
+                       continue;
+               nsim_dev_trap_report(nsim_dev_port);
++              cond_resched();
+       }
+       devl_unlock(priv_to_devlink(nsim_dev));
+-
+-      schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw,
+-                            msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS));
++      queue_delayed_work(system_unbound_wq,
++                         &nsim_dev->trap_data->trap_report_dw,
++                         msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS));
+ }
+ static int nsim_dev_traps_init(struct devlink *devlink)
+@@ -907,8 +909,9 @@ static int nsim_dev_traps_init(struct devlink *devlink)
+       INIT_DELAYED_WORK(&nsim_dev->trap_data->trap_report_dw,
+                         nsim_dev_trap_report_work);
+-      schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw,
+-                            msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS));
++      queue_delayed_work(system_unbound_wq,
++                         &nsim_dev->trap_data->trap_report_dw,
++                         msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS));
+       return 0;
+-- 
+2.43.0
+
diff --git a/queue-6.6/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch b/queue-6.6/nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch
new file mode 100644 (file)
index 0000000..1a3681b
--- /dev/null
@@ -0,0 +1,89 @@
+From 59a81aa10080dbe0df980da52e724d3b847c9c31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 13:21:00 +0200
+Subject: nvme-pci: fix race condition between reset and nvme_dev_disable()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 26bc0a81f64ce00fc4342c38eeb2eddaad084dd2 ]
+
+nvme_dev_disable() modifies the dev->online_queues field, therefore
+nvme_pci_update_nr_queues() should avoid racing against it, otherwise
+we could end up passing invalid values to blk_mq_update_nr_hw_queues().
+
+ WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347
+          pci_irq_get_affinity+0x187/0x210
+ Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+ RIP: 0010:pci_irq_get_affinity+0x187/0x210
+ Call Trace:
+  <TASK>
+  ? blk_mq_pci_map_queues+0x87/0x3c0
+  ? pci_irq_get_affinity+0x187/0x210
+  blk_mq_pci_map_queues+0x87/0x3c0
+  nvme_pci_map_queues+0x189/0x460 [nvme]
+  blk_mq_update_nr_hw_queues+0x2a/0x40
+  nvme_reset_work+0x1be/0x2a0 [nvme]
+
+Fix the bug by locking the shutdown_lock mutex before using
+dev->online_queues. Give up if nvme_dev_disable() is running or if
+it has been executed already.
+
+Fixes: 949928c1c731 ("NVMe: Fix possible queue use after freed")
+Tested-by: Yi Zhang <yi.zhang@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 61c9b175e035f..b701969cf1c2a 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2469,17 +2469,29 @@ static unsigned int nvme_pci_nr_maps(struct nvme_dev *dev)
+       return 1;
+ }
+-static void nvme_pci_update_nr_queues(struct nvme_dev *dev)
++static bool nvme_pci_update_nr_queues(struct nvme_dev *dev)
+ {
+       if (!dev->ctrl.tagset) {
+               nvme_alloc_io_tag_set(&dev->ctrl, &dev->tagset, &nvme_mq_ops,
+                               nvme_pci_nr_maps(dev), sizeof(struct nvme_iod));
+-              return;
++              return true;
++      }
++
++      /* Give up if we are racing with nvme_dev_disable() */
++      if (!mutex_trylock(&dev->shutdown_lock))
++              return false;
++
++      /* Check if nvme_dev_disable() has been executed already */
++      if (!dev->online_queues) {
++              mutex_unlock(&dev->shutdown_lock);
++              return false;
+       }
+       blk_mq_update_nr_hw_queues(&dev->tagset, dev->online_queues - 1);
+       /* free previously allocated queues that are no longer usable */
+       nvme_free_queues(dev, dev->online_queues);
++      mutex_unlock(&dev->shutdown_lock);
++      return true;
+ }
+ static int nvme_pci_enable(struct nvme_dev *dev)
+@@ -2760,7 +2772,8 @@ static void nvme_reset_work(struct work_struct *work)
+               nvme_dbbuf_set(dev);
+               nvme_unquiesce_io_queues(&dev->ctrl);
+               nvme_wait_freeze(&dev->ctrl);
+-              nvme_pci_update_nr_queues(dev);
++              if (!nvme_pci_update_nr_queues(dev))
++                      goto out;
+               nvme_unfreeze(&dev->ctrl);
+       } else {
+               dev_warn(dev->ctrl.device, "IO queues lost\n");
+-- 
+2.43.0
+
diff --git a/queue-6.6/nvme-pci-set-doorbell-config-before-unquiescing.patch b/queue-6.6/nvme-pci-set-doorbell-config-before-unquiescing.patch
new file mode 100644 (file)
index 0000000..140966a
--- /dev/null
@@ -0,0 +1,41 @@
+From eedd08089127ccab9b3f2843e59e1d4da5aee41b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jan 2024 18:28:55 +0000
+Subject: nvme-pci: set doorbell config before unquiescing
+
+From: William Butler <wab@google.com>
+
+[ Upstream commit 06c59d427017fcde3107c236177fcc74c9db7909 ]
+
+During resets, if queues are unquiesced first, then the host can submit
+IOs to the controller using shadow doorbell logic but the controller
+won't be aware. This can lead to necessary MMIO doorbells from being
+not issued, causing requests to be delayed and timed-out.
+
+Signed-off-by: William Butler <wab@google.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Stable-dep-of: 26bc0a81f64c ("nvme-pci: fix race condition between reset and nvme_dev_disable()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 32b5cc76a0223..61c9b175e035f 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2757,10 +2757,10 @@ static void nvme_reset_work(struct work_struct *work)
+        * controller around but remove all namespaces.
+        */
+       if (dev->online_queues > 1) {
++              nvme_dbbuf_set(dev);
+               nvme_unquiesce_io_queues(&dev->ctrl);
+               nvme_wait_freeze(&dev->ctrl);
+               nvme_pci_update_nr_queues(dev);
+-              nvme_dbbuf_set(dev);
+               nvme_unfreeze(&dev->ctrl);
+       } else {
+               dev_warn(dev->ctrl.device, "IO queues lost\n");
+-- 
+2.43.0
+
diff --git a/queue-6.6/octeontx2-af-fix-potential-integer-overflows-on-inte.patch b/queue-6.6/octeontx2-af-fix-potential-integer-overflows-on-inte.patch
new file mode 100644 (file)
index 0000000..28533cb
--- /dev/null
@@ -0,0 +1,49 @@
+From 5165c09ac843bbc55956267b2ff8225b20075f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 16:45:19 +0100
+Subject: octeontx2-af: Fix potential integer overflows on integer shifts
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+[ Upstream commit 637c4f6fe40befa04f19c38b5d15429cbb9191d9 ]
+
+The left shift int 32 bit integer constants 1 is evaluated using 32 bit
+arithmetic and then assigned to a 64 bit unsigned integer. In the case
+where the shift is 32 or more this can lead to an overflow. Avoid this
+by shifting using the BIT_ULL macro instead.
+
+Fixes: 019aba04f08c ("octeontx2-af: Modify SMQ flush sequence to drop packets")
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20241010154519.768785-1-colin.i.king@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+index 224a025283ca7..29487518ca672 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+@@ -2298,7 +2298,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr,
+                                NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link));
+               if (!(cfg & BIT_ULL(12)))
+                       continue;
+-              bmap |= (1 << i);
++              bmap |= BIT_ULL(i);
+               cfg &= ~BIT_ULL(12);
+               rvu_write64(rvu, blkaddr,
+                           NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link), cfg);
+@@ -2319,7 +2319,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr,
+       /* Set NIX_AF_TL3_TL2_LINKX_CFG[ENA] for the TL3/TL2 queue */
+       for (i = 0; i < (rvu->hw->cgx_links + rvu->hw->lbk_links); i++) {
+-              if (!(bmap & (1 << i)))
++              if (!(bmap & BIT_ULL(i)))
+                       continue;
+               cfg = rvu_read64(rvu, blkaddr,
+                                NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link));
+-- 
+2.43.0
+
diff --git a/queue-6.6/ravb-remove-setting-of-rx-software-timestamp.patch b/queue-6.6/ravb-remove-setting-of-rx-software-timestamp.patch
new file mode 100644 (file)
index 0000000..dbb1619
--- /dev/null
@@ -0,0 +1,54 @@
+From 3609e0353851187557f72974ad47c7e2d533e418 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 14:27:55 +0300
+Subject: ravb: Remove setting of RX software timestamp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 277901ee3a2620679e2c8797377d2a72f4358068 ]
+
+The responsibility for reporting of RX software timestamp has moved to
+the core layer (see __ethtool_get_ts_info()), remove usage from the
+device drivers.
+
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Reviewed-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://patch.msgid.link/20240901112803.212753-8-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 126e799602f4 ("net: ravb: Only advertise Rx/Tx timestamps if hardware supports it")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index c6897e6ea362d..8f62cc4517918 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1675,8 +1675,6 @@ static int ravb_get_ts_info(struct net_device *ndev,
+       info->so_timestamping =
+               SOF_TIMESTAMPING_TX_SOFTWARE |
+-              SOF_TIMESTAMPING_RX_SOFTWARE |
+-              SOF_TIMESTAMPING_SOFTWARE |
+               SOF_TIMESTAMPING_TX_HARDWARE |
+               SOF_TIMESTAMPING_RX_HARDWARE |
+               SOF_TIMESTAMPING_RAW_HARDWARE;
+@@ -1687,6 +1685,8 @@ static int ravb_get_ts_info(struct net_device *ndev,
+               (1 << HWTSTAMP_FILTER_ALL);
+       if (hw_info->gptp || hw_info->ccc_gac)
+               info->phc_index = ptp_clock_index(priv->ptp.clock);
++      else
++              info->phc_index = 0;
+       return 0;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-add-a-check-for-memory-allocation.patch b/queue-6.6/rdma-bnxt_re-add-a-check-for-memory-allocation.patch
new file mode 100644 (file)
index 0000000..dc850d4
--- /dev/null
@@ -0,0 +1,40 @@
+From acf7799e4a5d76b8587b509717b1b4b286ea4995 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 20:05:58 -0700
+Subject: RDMA/bnxt_re: Add a check for memory allocation
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit c5c1ae73b7741fa3b58e6e001b407825bb971225 ]
+
+__alloc_pbl() can return error when memory allocation fails.
+Driver is not checking the status on one of the instances.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Link: https://patch.msgid.link/r/1726715161-18941-4-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index ae2bde34e785b..47406ab8879c1 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -244,6 +244,8 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       sginfo.pgsize = npde * pg_size;
+                       sginfo.npages = 1;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
++                      if (rc)
++                              goto fail;
+                       /* Alloc PBL pages */
+                       sginfo.npages = npbl;
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch b/queue-6.6/rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch
new file mode 100644 (file)
index 0000000..caa8044
--- /dev/null
@@ -0,0 +1,59 @@
+From a268084f0cb0819411753cd6854bce33e1ce94ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:41 -0700
+Subject: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
+
+From: Bhargava Chenna Marreddy <bhargava.marreddy@broadcom.com>
+
+[ Upstream commit 7988bdbbb85ac85a847baf09879edcd0f70521dc ]
+
+Avoid memory corruption while setting up Level-2 PBL pages for the non MR
+resources when num_pages > 256K.
+
+There will be a single PDE page address (contiguous pages in the case of >
+PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid
+memory access after 256K PBL entries in the PDE.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Link: https://patch.msgid.link/r/1728373302-19530-10-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Bhargava Chenna Marreddy <bhargava.marreddy@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 19 +++----------------
+ 1 file changed, 3 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 1fdffd6a0f480..96ceec1e8199a 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -257,22 +257,9 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       dst_virt_ptr =
+                               (dma_addr_t **)hwq->pbl[PBL_LVL_0].pg_arr;
+                       src_phys_ptr = hwq->pbl[PBL_LVL_1].pg_map_arr;
+-                      if (hwq_attr->type == HWQ_TYPE_MR) {
+-                      /* For MR it is expected that we supply only 1 contigous
+-                       * page i.e only 1 entry in the PDL that will contain
+-                       * all the PBLs for the user supplied memory region
+-                       */
+-                              for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count;
+-                                   i++)
+-                                      dst_virt_ptr[0][i] = src_phys_ptr[i] |
+-                                              flag;
+-                      } else {
+-                              for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count;
+-                                   i++)
+-                                      dst_virt_ptr[PTR_PG(i)][PTR_IDX(i)] =
+-                                              src_phys_ptr[i] |
+-                                              PTU_PDE_VALID;
+-                      }
++                      for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; i++)
++                              dst_virt_ptr[0][i] = src_phys_ptr[i] | flag;
++
+                       /* Alloc or init PTEs */
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_2],
+                                        hwq_attr->sginfo);
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-a-possible-memory-leak.patch b/queue-6.6/rdma-bnxt_re-fix-a-possible-memory-leak.patch
new file mode 100644 (file)
index 0000000..dcd1bba
--- /dev/null
@@ -0,0 +1,43 @@
+From beafbeb407d99a1638dfd0bb8cca2212d69ff1a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 20:05:56 -0700
+Subject: RDMA/bnxt_re: Fix a possible memory leak
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3fc5410f225d1651580a4aeb7c72f55e28673b53 ]
+
+In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails
+driver is not freeing the memory allocated for "rdev->chip_ctx".
+
+Fixes: 0ac20faf5d83 ("RDMA/bnxt_re: Reorg the bar mapping")
+Link: https://patch.msgid.link/r/1726715161-18941-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 039801d93ed8a..c173d0ffc6293 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -176,8 +176,11 @@ static int bnxt_re_setup_chip_ctx(struct bnxt_re_dev *rdev, u8 wqe_mode)
+       bnxt_re_set_db_offset(rdev);
+       rc = bnxt_qplib_map_db_bar(&rdev->qplib_res);
+-      if (rc)
++      if (rc) {
++              kfree(rdev->chip_ctx);
++              rdev->chip_ctx = NULL;
+               return rc;
++      }
+       if (bnxt_qplib_determine_atomics(en_dev->pdev))
+               ibdev_info(&rdev->ibdev,
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch b/queue-6.6/rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch
new file mode 100644 (file)
index 0000000..6deb891
--- /dev/null
@@ -0,0 +1,47 @@
+From 4d5ddd6bdf7cdeda2ab667a8235e4c19ffcdc2d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 20:05:57 -0700
+Subject: RDMA/bnxt_re: Fix incorrect AVID type in WQE structure
+
+From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+
+[ Upstream commit 9ab20f76ae9fad55ebaf36bdff04aea1c2552374 ]
+
+Driver uses internal data structure to construct WQE frame.
+It used avid type as u16 which can accommodate up to 64K AVs.
+When outstanding AVID crosses 64K, driver truncates AVID and
+hence it uses incorrect AVID to WR. This leads to WR failure
+due to invalid AV ID and QP is moved to error state with reason
+set to 19 (INVALID AVID). When RDMA CM path is used, this issue
+hits QP1 and it is moved to error state
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://patch.msgid.link/r/1726715161-18941-3-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Reviewed-by: Chandramohan Akula <chandramohan.akula@broadcom.com>
+Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+index a6f38d8f12efe..56ddff96b5083 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+@@ -169,7 +169,7 @@ struct bnxt_qplib_swqe {
+                       };
+                       u32             q_key;
+                       u32             dst_qp;
+-                      u16             avid;
++                      u32             avid;
+               } send;
+               /* Send Raw Ethernet and QP1 */
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-out-of-bound-check.patch b/queue-6.6/rdma-bnxt_re-fix-out-of-bound-check.patch
new file mode 100644 (file)
index 0000000..c32f5f4
--- /dev/null
@@ -0,0 +1,42 @@
+From e0e5b63429ea70e268ef2baebd6b9891cd87a916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:34 -0700
+Subject: RDMA/bnxt_re: Fix out of bound check
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit a9e6e7443922ac0a48243c35d03834c96926bff1 ]
+
+Driver exports pacing stats only on GenP5 and P7 adapters. But while
+parsing the pacing stats, driver has a check for "rdev->dbr_pacing".  This
+caused a trace when KASAN is enabled.
+
+BUG: KASAN: slab-out-of-bounds in bnxt_re_get_hw_stats+0x2b6a/0x2e00 [bnxt_re]
+Write of size 8 at addr ffff8885942a6340 by task modprobe/4809
+
+Fixes: 8b6573ff3420 ("bnxt_re: Update the debug counters for doorbell pacing")
+Link: https://patch.msgid.link/r/1728373302-19530-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/hw_counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.c b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+index 128651c015956..1e63f80917483 100644
+--- a/drivers/infiniband/hw/bnxt_re/hw_counters.c
++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+@@ -366,7 +366,7 @@ int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev,
+                               goto done;
+                       }
+               }
+-              if (rdev->pacing.dbr_pacing)
++              if (rdev->pacing.dbr_pacing && bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))
+                       bnxt_re_copy_db_pacing_stats(rdev, stats);
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-the-gid-table-length.patch b/queue-6.6/rdma-bnxt_re-fix-the-gid-table-length.patch
new file mode 100644 (file)
index 0000000..7d6bf2b
--- /dev/null
@@ -0,0 +1,51 @@
+From 4597e420961ef907ae59b3e79db584b00dcffadb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:42 -0700
+Subject: RDMA/bnxt_re: Fix the GID table length
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit dc5006cfcf62bea88076a587344ba5e00e66d1c6 ]
+
+GID table length is reported by FW. The gid index which is passed to the
+driver during modify_qp/create_ah is restricted by the sgid_index field of
+struct ib_global_route.  sgid_index is u8 and the max sgid possible is
+256.
+
+Each GID entry in HW will have 2 GID entries in the kernel gid table.  So
+we can support twice the gid table size reported by FW. Also, restrict the
+max GID to 256 also.
+
+Fixes: 847b97887ed4 ("RDMA/bnxt_re: Restrict the max_gids to 256")
+Link: https://patch.msgid.link/r/1728373302-19530-11-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index 7e550432ccb14..0b98577cd7082 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -156,7 +156,14 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+       if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx))
+               attr->l2_db_size = (sb->l2_db_space_size + 1) *
+                                   (0x01 << RCFW_DBR_BASE_PAGE_SHIFT);
+-      attr->max_sgid = BNXT_QPLIB_NUM_GIDS_SUPPORTED;
++      /*
++       * Read the max gid supported by HW.
++       * For each entry in HW  GID in HW table, we consume 2
++       * GID entries in the kernel GID table.  So max_gid reported
++       * to stack can be up to twice the value reported by the HW, up to 256 gids.
++       */
++      attr->max_sgid = le32_to_cpu(sb->max_gid);
++      attr->max_sgid = min_t(u32, BNXT_QPLIB_NUM_GIDS_SUPPORTED, 2 * attr->max_sgid);
+       attr->dev_cap_flags = le16_to_cpu(sb->dev_cap_flags);
+       bnxt_qplib_query_version(rcfw, attr->fw_ver);
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch b/queue-6.6/rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch
new file mode 100644 (file)
index 0000000..4d20a18
--- /dev/null
@@ -0,0 +1,52 @@
+From 18ef58c49583db7b33d588dde18787e37549d1b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:33 -0700
+Subject: RDMA/bnxt_re: Fix the max CQ WQEs for older adapters
+
+From: Abhishek Mohapatra <abhishek.mohapatra@broadcom.com>
+
+[ Upstream commit ac6df53738b465053d38d491fff87bd7d37fdc07 ]
+
+Older adapters doesn't support the MAX CQ WQEs reported by older FW. So
+restrict the value reported to 1M always for older adapters.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://patch.msgid.link/r/1728373302-19530-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Abhishek Mohapatra<abhishek.mohapatra@broadcom.com>
+Reviewed-by: Chandramohan Akula <chandramohan.akula@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 ++
+ drivers/infiniband/hw/bnxt_re/qplib_sp.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index c580bf78d4c13..2b73bb433b88c 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -137,6 +137,8 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+                           6 : sb->max_sge;
+       attr->max_cq = le32_to_cpu(sb->max_cq);
+       attr->max_cq_wqes = le32_to_cpu(sb->max_cqe);
++      if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx))
++              attr->max_cq_wqes = min_t(u32, BNXT_QPLIB_MAX_CQ_WQES, attr->max_cq_wqes);
+       attr->max_cq_sges = attr->max_qp_sges;
+       attr->max_mr = le32_to_cpu(sb->max_mr);
+       attr->max_mw = le32_to_cpu(sb->max_mw);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.h b/drivers/infiniband/hw/bnxt_re/qplib_sp.h
+index d33c78b96217a..755765e68eaab 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.h
+@@ -55,6 +55,7 @@ struct bnxt_qplib_dev_attr {
+       u32                             max_qp_wqes;
+       u32                             max_qp_sges;
+       u32                             max_cq;
++#define BNXT_QPLIB_MAX_CQ_WQES          0xfffff
+       u32                             max_cq_wqes;
+       u32                             max_cq_sges;
+       u32                             max_mr;
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-return-more-meaningful-error.patch b/queue-6.6/rdma-bnxt_re-return-more-meaningful-error.patch
new file mode 100644 (file)
index 0000000..86bc404
--- /dev/null
@@ -0,0 +1,41 @@
+From 7531275a5debfcecf31b32918c3c086614dd3326 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:36 -0700
+Subject: RDMA/bnxt_re: Return more meaningful error
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 98647df0178df215b8239c5c365537283b2852a6 ]
+
+When the HWRM command fails, driver currently returns -EFAULT(Bad
+address). This does not look correct.
+
+Modified to return -EIO(I/O error).
+
+Fixes: cc1ec769b87c ("RDMA/bnxt_re: Fixing the Control path command and response handling")
+Fixes: 65288a22ddd8 ("RDMA/bnxt_re: use shadow qd while posting non blocking rcfw command")
+Link: https://patch.msgid.link/r/1728373302-19530-5-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 3ffaef0c26519..7294221b3316c 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -525,7 +525,7 @@ static int __bnxt_qplib_rcfw_send_message(struct bnxt_qplib_rcfw *rcfw,
+               /* failed with status */
+               dev_err(&rcfw->pdev->dev, "cmdq[%#x]=%#x status %#x\n",
+                       cookie, opcode, evnt->status);
+-              rc = -EFAULT;
++              rc = -EIO;
+       }
+       return rc;
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-support-new-5760x-p7-devices.patch b/queue-6.6/rdma-bnxt_re-support-new-5760x-p7-devices.patch
new file mode 100644 (file)
index 0000000..852ae3b
--- /dev/null
@@ -0,0 +1,309 @@
+From 0cd5760031b5949d2403705893868f64869aaf71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Dec 2023 02:47:35 -0800
+Subject: RDMA/bnxt_re: Support new 5760X P7 devices
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit 1801d87b3598b173bce3fbf15c5517796f38db96 ]
+
+Add basic support for 5760X P7 devices. Add new chip
+revisions. The first version support is similar to
+the existing P5 adapters. Extend the current support
+for P5 adapters to P7 also.
+
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://lore.kernel.org/r/1701946060-13931-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: ac6df53738b4 ("RDMA/bnxt_re: Fix the max CQ WQEs for older adapters")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/hw_counters.c |  4 ++--
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c    | 10 +++++-----
+ drivers/infiniband/hw/bnxt_re/main.c        | 14 +++++++-------
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c    |  4 ++--
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c  |  2 +-
+ drivers/infiniband/hw/bnxt_re/qplib_res.c   |  2 +-
+ drivers/infiniband/hw/bnxt_re/qplib_res.h   | 20 +++++++++++++++++---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c    |  6 +++---
+ 8 files changed, 38 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.c b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+index 93572405d6fae..128651c015956 100644
+--- a/drivers/infiniband/hw/bnxt_re/hw_counters.c
++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+@@ -371,7 +371,7 @@ int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev,
+       }
+ done:
+-      return bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++      return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+               BNXT_RE_NUM_EXT_COUNTERS : BNXT_RE_NUM_STD_COUNTERS;
+ }
+@@ -381,7 +381,7 @@ struct rdma_hw_stats *bnxt_re_ib_alloc_hw_port_stats(struct ib_device *ibdev,
+       struct bnxt_re_dev *rdev = to_bnxt_re_dev(ibdev, ibdev);
+       int num_counters = 0;
+-      if (bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))
++      if (bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))
+               num_counters = BNXT_RE_NUM_EXT_COUNTERS;
+       else
+               num_counters = BNXT_RE_NUM_STD_COUNTERS;
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index b4d3e7dfc939f..f2eaecef7570c 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1023,7 +1023,7 @@ static int bnxt_re_init_user_qp(struct bnxt_re_dev *rdev, struct bnxt_re_pd *pd,
+       bytes = (qplib_qp->sq.max_wqe * qplib_qp->sq.wqe_size);
+       /* Consider mapping PSN search memory only for RC QPs. */
+       if (qplib_qp->type == CMDQ_CREATE_QP_TYPE_RC) {
+-              psn_sz = bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++              psn_sz = bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+                                                  sizeof(struct sq_psn_search_ext) :
+                                                  sizeof(struct sq_psn_search);
+               psn_nume = (qplib_qp->wqe_mode == BNXT_QPLIB_WQE_MODE_STATIC) ?
+@@ -1234,7 +1234,7 @@ static void bnxt_re_adjust_gsi_rq_attr(struct bnxt_re_qp *qp)
+       qplqp = &qp->qplib_qp;
+       dev_attr = &rdev->dev_attr;
+-      if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) {
++      if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) {
+               qplqp->rq.max_sge = dev_attr->max_qp_sges;
+               if (qplqp->rq.max_sge > dev_attr->max_qp_sges)
+                       qplqp->rq.max_sge = dev_attr->max_qp_sges;
+@@ -1301,7 +1301,7 @@ static void bnxt_re_adjust_gsi_sq_attr(struct bnxt_re_qp *qp,
+       qplqp = &qp->qplib_qp;
+       dev_attr = &rdev->dev_attr;
+-      if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) {
++      if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) {
+               entries = bnxt_re_init_depth(init_attr->cap.max_send_wr + 1, uctx);
+               qplqp->sq.max_wqe = min_t(u32, entries,
+                                         dev_attr->max_qp_wqes + 1);
+@@ -1328,7 +1328,7 @@ static int bnxt_re_init_qp_type(struct bnxt_re_dev *rdev,
+               goto out;
+       }
+-      if (bnxt_qplib_is_chip_gen_p5(chip_ctx) &&
++      if (bnxt_qplib_is_chip_gen_p5_p7(chip_ctx) &&
+           init_attr->qp_type == IB_QPT_GSI)
+               qptype = CMDQ_CREATE_QP_TYPE_GSI;
+ out:
+@@ -1527,7 +1527,7 @@ int bnxt_re_create_qp(struct ib_qp *ib_qp, struct ib_qp_init_attr *qp_init_attr,
+               goto fail;
+       if (qp_init_attr->qp_type == IB_QPT_GSI &&
+-          !(bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))) {
++          !(bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))) {
+               rc = bnxt_re_create_gsi_qp(qp, pd, qp_init_attr);
+               if (rc == -ENODEV)
+                       goto qp_destroy;
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index c173d0ffc6293..594cc6aa7b79d 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -128,7 +128,7 @@ static void bnxt_re_set_drv_mode(struct bnxt_re_dev *rdev, u8 mode)
+       struct bnxt_qplib_chip_ctx *cctx;
+       cctx = rdev->chip_ctx;
+-      cctx->modes.wqe_mode = bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++      cctx->modes.wqe_mode = bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+                              mode : BNXT_QPLIB_WQE_MODE_STATIC;
+       if (bnxt_re_hwrm_qcaps(rdev))
+               dev_err(rdev_to_dev(rdev),
+@@ -218,7 +218,7 @@ static void bnxt_re_limit_pf_res(struct bnxt_re_dev *rdev)
+       ctx->srqc_count = min_t(u32, BNXT_RE_MAX_SRQC_COUNT,
+                               attr->max_srq);
+       ctx->cq_count = min_t(u32, BNXT_RE_MAX_CQ_COUNT, attr->max_cq);
+-      if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))
++      if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))
+               for (i = 0; i < MAX_TQM_ALLOC_REQ; i++)
+                       rdev->qplib_ctx.tqm_ctx.qcount[i] =
+                       rdev->dev_attr.tqm_alloc_reqs[i];
+@@ -267,7 +267,7 @@ static void bnxt_re_set_resource_limits(struct bnxt_re_dev *rdev)
+       memset(&rdev->qplib_ctx.vf_res, 0, sizeof(struct bnxt_qplib_vf_res));
+       bnxt_re_limit_pf_res(rdev);
+-      num_vfs =  bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++      num_vfs =  bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+                       BNXT_RE_GEN_P5_MAX_VF : rdev->num_vfs;
+       if (num_vfs)
+               bnxt_re_limit_vf_res(&rdev->qplib_ctx, num_vfs);
+@@ -279,7 +279,7 @@ static void bnxt_re_vf_res_config(struct bnxt_re_dev *rdev)
+       if (test_bit(BNXT_RE_FLAG_ERR_DEVICE_DETACHED, &rdev->flags))
+               return;
+       rdev->num_vfs = pci_sriov_get_totalvfs(rdev->en_dev->pdev);
+-      if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) {
++      if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) {
+               bnxt_re_set_resource_limits(rdev);
+               bnxt_qplib_set_func_resources(&rdev->qplib_res, &rdev->rcfw,
+                                             &rdev->qplib_ctx);
+@@ -1074,7 +1074,7 @@ static int bnxt_re_cqn_handler(struct bnxt_qplib_nq *nq,
+ #define BNXT_RE_GEN_P5_VF_NQ_DB               0x4000
+ static u32 bnxt_re_get_nqdb_offset(struct bnxt_re_dev *rdev, u16 indx)
+ {
+-      return bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++      return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+               (rdev->is_virtfn ? BNXT_RE_GEN_P5_VF_NQ_DB :
+                                  BNXT_RE_GEN_P5_PF_NQ_DB) :
+                                  rdev->en_dev->msix_entries[indx].db_offset;
+@@ -1539,7 +1539,7 @@ static int bnxt_re_dev_init(struct bnxt_re_dev *rdev, u8 wqe_mode)
+       bnxt_re_set_resource_limits(rdev);
+       rc = bnxt_qplib_alloc_ctx(&rdev->qplib_res, &rdev->qplib_ctx, 0,
+-                                bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx));
++                                bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx));
+       if (rc) {
+               ibdev_err(&rdev->ibdev,
+                         "Failed to allocate QPLIB context: %#x\n", rc);
+@@ -1662,7 +1662,7 @@ static void bnxt_re_setup_cc(struct bnxt_re_dev *rdev, bool enable)
+               return;
+       /* Currently enabling only for GenP5 adapters */
+-      if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))
++      if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))
+               return;
+       if (enable) {
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 3b28878f62062..4ee11cb4f2bd3 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -995,7 +995,7 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
+       /* SQ */
+       if (qp->type == CMDQ_CREATE_QP_TYPE_RC) {
+-              psn_sz = bnxt_qplib_is_chip_gen_p5(res->cctx) ?
++              psn_sz = bnxt_qplib_is_chip_gen_p5_p7(res->cctx) ?
+                        sizeof(struct sq_psn_search_ext) :
+                        sizeof(struct sq_psn_search);
+@@ -1649,7 +1649,7 @@ static void bnxt_qplib_fill_psn_search(struct bnxt_qplib_qp *qp,
+       flg_npsn = ((swq->next_psn << SQ_PSN_SEARCH_NEXT_PSN_SFT) &
+                    SQ_PSN_SEARCH_NEXT_PSN_MASK);
+-      if (bnxt_qplib_is_chip_gen_p5(qp->cctx)) {
++      if (bnxt_qplib_is_chip_gen_p5_p7(qp->cctx)) {
+               psns_ext->opcode_start_psn = cpu_to_le32(op_spsn);
+               psns_ext->flags_next_psn = cpu_to_le32(flg_npsn);
+               psns_ext->start_slot_idx = cpu_to_le16(swq->slot_idx);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 5680fe8b890ad..3ffaef0c26519 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -852,7 +852,7 @@ int bnxt_qplib_init_rcfw(struct bnxt_qplib_rcfw *rcfw,
+        */
+       if (is_virtfn)
+               goto skip_ctx_setup;
+-      if (bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx))
++      if (bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx))
+               goto config_vf_res;
+       lvl = ctx->qpc_tbl.level;
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 47406ab8879c1..1fdffd6a0f480 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -807,7 +807,7 @@ static int bnxt_qplib_alloc_dpi_tbl(struct bnxt_qplib_res *res,
+       dpit = &res->dpi_tbl;
+       reg = &dpit->wcreg;
+-      if (!bnxt_qplib_is_chip_gen_p5(res->cctx)) {
++      if (!bnxt_qplib_is_chip_gen_p5_p7(res->cctx)) {
+               /* Offest should come from L2 driver */
+               dbr_offset = dev_attr->l2_db_size;
+               dpit->ucreg.offset = dbr_offset;
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.h b/drivers/infiniband/hw/bnxt_re/qplib_res.h
+index 534db462216ac..f9e7aa3757cfb 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.h
+@@ -44,6 +44,9 @@ extern const struct bnxt_qplib_gid bnxt_qplib_gid_zero;
+ #define CHIP_NUM_57508                0x1750
+ #define CHIP_NUM_57504                0x1751
+ #define CHIP_NUM_57502                0x1752
++#define CHIP_NUM_58818          0xd818
++#define CHIP_NUM_57608          0x1760
++
+ struct bnxt_qplib_drv_modes {
+       u8      wqe_mode;
+@@ -296,6 +299,12 @@ struct bnxt_qplib_res {
+       struct bnxt_qplib_db_pacing_data *pacing_data;
+ };
++static inline bool bnxt_qplib_is_chip_gen_p7(struct bnxt_qplib_chip_ctx *cctx)
++{
++      return (cctx->chip_num == CHIP_NUM_58818 ||
++              cctx->chip_num == CHIP_NUM_57608);
++}
++
+ static inline bool bnxt_qplib_is_chip_gen_p5(struct bnxt_qplib_chip_ctx *cctx)
+ {
+       return (cctx->chip_num == CHIP_NUM_57508 ||
+@@ -303,15 +312,20 @@ static inline bool bnxt_qplib_is_chip_gen_p5(struct bnxt_qplib_chip_ctx *cctx)
+               cctx->chip_num == CHIP_NUM_57502);
+ }
++static inline bool bnxt_qplib_is_chip_gen_p5_p7(struct bnxt_qplib_chip_ctx *cctx)
++{
++      return bnxt_qplib_is_chip_gen_p5(cctx) || bnxt_qplib_is_chip_gen_p7(cctx);
++}
++
+ static inline u8 bnxt_qplib_get_hwq_type(struct bnxt_qplib_res *res)
+ {
+-      return bnxt_qplib_is_chip_gen_p5(res->cctx) ?
++      return bnxt_qplib_is_chip_gen_p5_p7(res->cctx) ?
+                                       HWQ_TYPE_QUEUE : HWQ_TYPE_L2_CMPL;
+ }
+ static inline u8 bnxt_qplib_get_ring_type(struct bnxt_qplib_chip_ctx *cctx)
+ {
+-      return bnxt_qplib_is_chip_gen_p5(cctx) ?
++      return bnxt_qplib_is_chip_gen_p5_p7(cctx) ?
+              RING_ALLOC_REQ_RING_TYPE_NQ :
+              RING_ALLOC_REQ_RING_TYPE_ROCE_CMPL;
+ }
+@@ -488,7 +502,7 @@ static inline void bnxt_qplib_ring_nq_db(struct bnxt_qplib_db_info *info,
+       u32 type;
+       type = arm ? DBC_DBC_TYPE_NQ_ARM : DBC_DBC_TYPE_NQ;
+-      if (bnxt_qplib_is_chip_gen_p5(cctx))
++      if (bnxt_qplib_is_chip_gen_p5_p7(cctx))
+               bnxt_qplib_ring_db(info, type);
+       else
+               bnxt_qplib_ring_db32(info, arm);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index a27b685151647..c580bf78d4c13 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -59,7 +59,7 @@ static bool bnxt_qplib_is_atomic_cap(struct bnxt_qplib_rcfw *rcfw)
+ {
+       u16 pcie_ctl2 = 0;
+-      if (!bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx))
++      if (!bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx))
+               return false;
+       pcie_capability_read_word(rcfw->pdev, PCI_EXP_DEVCTL2, &pcie_ctl2);
+@@ -133,7 +133,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+        * reporting the max number
+        */
+       attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS + 1;
+-      attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx) ?
++      attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx) ?
+                           6 : sb->max_sge;
+       attr->max_cq = le32_to_cpu(sb->max_cq);
+       attr->max_cq_wqes = le32_to_cpu(sb->max_cqe);
+@@ -934,7 +934,7 @@ int bnxt_qplib_modify_cc(struct bnxt_qplib_res *res,
+       req->inactivity_th = cpu_to_le16(cc_param->inact_th);
+       /* For chip gen P5 onwards fill extended cmd and header */
+-      if (bnxt_qplib_is_chip_gen_p5(res->cctx)) {
++      if (bnxt_qplib_is_chip_gen_p5_p7(res->cctx)) {
+               struct roce_tlv *hdr;
+               u32 payload;
+               u32 chunks;
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-bnxt_re-update-the-bar-offsets.patch b/queue-6.6/rdma-bnxt_re-update-the-bar-offsets.patch
new file mode 100644 (file)
index 0000000..0d84ef3
--- /dev/null
@@ -0,0 +1,95 @@
+From 6c0cc86be6d8e080c87b49b37b1972ef138a81ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Dec 2023 02:47:36 -0800
+Subject: RDMA/bnxt_re: Update the BAR offsets
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit a62d685814416647fbb28b3eb2617744adef2d4f ]
+
+Update the BAR offsets for handling GenP7 adapters.
+Use the values populated by L2 driver for getting the
+Doorbell offsets.
+
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://lore.kernel.org/r/1701946060-13931-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: dc5006cfcf62 ("RDMA/bnxt_re: Fix the GID table length")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c     | 21 +++++++--------------
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c |  5 +++--
+ 2 files changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 594cc6aa7b79d..607293794b924 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -107,8 +107,11 @@ static void bnxt_re_set_db_offset(struct bnxt_re_dev *rdev)
+               dev_info(rdev_to_dev(rdev),
+                        "Couldn't get DB bar size, Low latency framework is disabled\n");
+       /* set register offsets for both UC and WC */
+-      res->dpi_tbl.ucreg.offset = res->is_vf ? BNXT_QPLIB_DBR_VF_DB_OFFSET :
+-                                               BNXT_QPLIB_DBR_PF_DB_OFFSET;
++      if (bnxt_qplib_is_chip_gen_p7(cctx))
++              res->dpi_tbl.ucreg.offset = offset;
++      else
++              res->dpi_tbl.ucreg.offset = res->is_vf ? BNXT_QPLIB_DBR_VF_DB_OFFSET :
++                                                       BNXT_QPLIB_DBR_PF_DB_OFFSET;
+       res->dpi_tbl.wcreg.offset = res->dpi_tbl.ucreg.offset;
+       /* If WC mapping is disabled by L2 driver then en_dev->l2_db_size
+@@ -1070,16 +1073,6 @@ static int bnxt_re_cqn_handler(struct bnxt_qplib_nq *nq,
+       return 0;
+ }
+-#define BNXT_RE_GEN_P5_PF_NQ_DB               0x10000
+-#define BNXT_RE_GEN_P5_VF_NQ_DB               0x4000
+-static u32 bnxt_re_get_nqdb_offset(struct bnxt_re_dev *rdev, u16 indx)
+-{
+-      return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+-              (rdev->is_virtfn ? BNXT_RE_GEN_P5_VF_NQ_DB :
+-                                 BNXT_RE_GEN_P5_PF_NQ_DB) :
+-                                 rdev->en_dev->msix_entries[indx].db_offset;
+-}
+-
+ static void bnxt_re_cleanup_res(struct bnxt_re_dev *rdev)
+ {
+       int i;
+@@ -1100,7 +1093,7 @@ static int bnxt_re_init_res(struct bnxt_re_dev *rdev)
+       bnxt_qplib_init_res(&rdev->qplib_res);
+       for (i = 1; i < rdev->num_msix ; i++) {
+-              db_offt = bnxt_re_get_nqdb_offset(rdev, i);
++              db_offt = rdev->en_dev->msix_entries[i].db_offset;
+               rc = bnxt_qplib_enable_nq(rdev->en_dev->pdev, &rdev->nq[i - 1],
+                                         i - 1, rdev->en_dev->msix_entries[i].vector,
+                                         db_offt, &bnxt_re_cqn_handler,
+@@ -1511,7 +1504,7 @@ static int bnxt_re_dev_init(struct bnxt_re_dev *rdev, u8 wqe_mode)
+               ibdev_err(&rdev->ibdev, "Failed to allocate CREQ: %#x\n", rc);
+               goto free_rcfw;
+       }
+-      db_offt = bnxt_re_get_nqdb_offset(rdev, BNXT_RE_AEQ_IDX);
++      db_offt = rdev->en_dev->msix_entries[BNXT_RE_AEQ_IDX].db_offset;
+       vid = rdev->en_dev->msix_entries[BNXT_RE_AEQ_IDX].vector;
+       rc = bnxt_qplib_enable_rcfw_channel(&rdev->rcfw,
+                                           vid, db_offt,
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index 2b73bb433b88c..7e550432ccb14 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -153,8 +153,9 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+       attr->max_srq_sges = sb->max_srq_sge;
+       attr->max_pkey = 1;
+       attr->max_inline_data = le32_to_cpu(sb->max_inline_data);
+-      attr->l2_db_size = (sb->l2_db_space_size + 1) *
+-                          (0x01 << RCFW_DBR_BASE_PAGE_SHIFT);
++      if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx))
++              attr->l2_db_size = (sb->l2_db_space_size + 1) *
++                                  (0x01 << RCFW_DBR_BASE_PAGE_SHIFT);
+       attr->max_sgid = BNXT_QPLIB_NUM_GIDS_SUPPORTED;
+       attr->dev_cap_flags = le16_to_cpu(sb->dev_cap_flags);
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch b/queue-6.6/rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch
new file mode 100644 (file)
index 0000000..4cd3156
--- /dev/null
@@ -0,0 +1,42 @@
+From 4823f638846364973118db6f32d66c709f5a72c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 17:13:34 +0530
+Subject: RDMA/core: Fix ENODEV error for iWARP test over vlan
+
+From: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+
+[ Upstream commit 5069d7e202f640a36cf213a432296c85113a52f7 ]
+
+If traffic is over vlan, cma_validate_port() fails to match vlan
+net_device ifindex with bound_if_index and results in ENODEV error.
+It is because rdma_copy_src_l2_addr() always assigns bound_if_index with
+real net_device ifindex.
+This patch fixes the issue by assigning bound_if_index with vlan
+net_device index if traffic is over vlan.
+
+Fixes: f8ef1be816bf ("RDMA/cma: Avoid GID lookups on iWARP devices")
+Signed-off-by: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Link: https://patch.msgid.link/20241008114334.146702-1-anumula@chelsio.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/addr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
+index f253295795f0a..fd78d678877c4 100644
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -269,6 +269,8 @@ rdma_find_ndev_for_src_ip_rcu(struct net *net, const struct sockaddr *src_in)
+               break;
+ #endif
+       }
++      if (!ret && dev && is_vlan_dev(dev))
++              dev = vlan_dev_real_dev(dev);
+       return ret ? ERR_PTR(ret) : dev;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch b/queue-6.6/rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch
new file mode 100644 (file)
index 0000000..8a8db31
--- /dev/null
@@ -0,0 +1,65 @@
+From c05ef2e03d7744d1b4f5db4571c3b06dc7924103 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 18:53:11 +0530
+Subject: RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP
+
+From: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+
+[ Upstream commit c659b405b82ead335bee6eb33f9691bf718e21e8 ]
+
+ip_dev_find() always returns real net_device address, whether traffic is
+running on a vlan or real device, if traffic is over vlan, filling
+endpoint struture with real ndev and an attempt to send a connect request
+will results in RDMA_CM_EVENT_UNREACHABLE error.  This patch fixes the
+issue by using vlan_dev_real_dev().
+
+Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address")
+Link: https://patch.msgid.link/r/20241007132311.70593-1-anumula@chelsio.com
+Signed-off-by: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index b3757c6a0457a..8d753e6e0c719 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2086,7 +2086,7 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+       err = -ENOMEM;
+       if (n->dev->flags & IFF_LOOPBACK) {
+               if (iptype == 4)
+-                      pdev = ip_dev_find(&init_net, *(__be32 *)peer_ip);
++                      pdev = __ip_dev_find(&init_net, *(__be32 *)peer_ip, false);
+               else if (IS_ENABLED(CONFIG_IPV6))
+                       for_each_netdev(&init_net, pdev) {
+                               if (ipv6_chk_addr(&init_net,
+@@ -2101,12 +2101,12 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+                       err = -ENODEV;
+                       goto out;
+               }
++              if (is_vlan_dev(pdev))
++                      pdev = vlan_dev_real_dev(pdev);
+               ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t,
+                                       n, pdev, rt_tos2priority(tos));
+-              if (!ep->l2t) {
+-                      dev_put(pdev);
++              if (!ep->l2t)
+                       goto out;
+-              }
+               ep->mtu = pdev->mtu;
+               ep->tx_chan = cxgb4_port_chan(pdev);
+               ep->smac_idx = ((struct port_info *)netdev_priv(pdev))->smt_idx;
+@@ -2119,7 +2119,6 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+               ep->rss_qid = cdev->rdev.lldi.rxq_ids[
+                       cxgb4_port_idx(pdev) * step];
+               set_tcp_window(ep, (struct port_info *)netdev_priv(pdev));
+-              dev_put(pdev);
+       } else {
+               pdev = get_real_dev(n->dev);
+               ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t,
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-irdma-fix-misspelling-of-accept.patch b/queue-6.6/rdma-irdma-fix-misspelling-of-accept.patch
new file mode 100644 (file)
index 0000000..28ac042
--- /dev/null
@@ -0,0 +1,37 @@
+From 11adf49d89bc33e26330fb7783897117c4a76431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 18:19:13 +0200
+Subject: RDMA/irdma: Fix misspelling of "accept*"
+
+From: Alexander Zubkov <green@qrator.net>
+
+[ Upstream commit 8cddfa535c931b8d8110c73bfed7354a94cbf891 ]
+
+There is "accept*" misspelled as "accpet*" in the comments.  Fix the
+spelling.
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Link: https://patch.msgid.link/r/20241008161913.19965-1-green@qrator.net
+Signed-off-by: Alexander Zubkov <green@qrator.net>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c
+index 42d1e97710669..1916daa8c3323 100644
+--- a/drivers/infiniband/hw/irdma/cm.c
++++ b/drivers/infiniband/hw/irdma/cm.c
+@@ -3630,7 +3630,7 @@ void irdma_free_lsmm_rsrc(struct irdma_qp *iwqp)
+ /**
+  * irdma_accept - registered call for connection to be accepted
+  * @cm_id: cm information for passive connection
+- * @conn_param: accpet parameters
++ * @conn_param: accept parameters
+  */
+ int irdma_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
+ {
+-- 
+2.43.0
+
diff --git a/queue-6.6/rdma-srpt-make-slab-cache-names-unique.patch b/queue-6.6/rdma-srpt-make-slab-cache-names-unique.patch
new file mode 100644 (file)
index 0000000..2d8376b
--- /dev/null
@@ -0,0 +1,195 @@
+From 5abe11d8c0bc2a26890e215d888c9b809c3130db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 14:00:48 -0700
+Subject: RDMA/srpt: Make slab cache names unique
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 4d784c042d164f10fc809e2338457036cd7c653d ]
+
+Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when
+DEBUG_VM=y"), slab complains about duplicate cache names. Hence this
+patch. The approach is as follows:
+- Maintain an xarray with the slab size as index and a reference count
+  and a kmem_cache pointer as contents. Use srpt-${slab_size} as kmem
+  cache name.
+- Use 512-byte alignment for all slabs instead of only for some of the
+  slabs.
+- Increment the reference count instead of calling kmem_cache_create().
+- Decrement the reference count instead of calling kmem_cache_destroy().
+
+Fixes: 5dabcd0456d7 ("RDMA/srpt: Add support for immediate data")
+Link: https://patch.msgid.link/r/20241009210048.4122518-1-bvanassche@acm.org
+Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Closes: https://lore.kernel.org/linux-block/xpe6bea7rakpyoyfvspvin2dsozjmjtjktpph7rep3h25tv7fb@ooz4cu5z6bq6/
+Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 80 +++++++++++++++++++++++----
+ 1 file changed, 68 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 45547bf281e31..4bebc34a2929b 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -68,6 +68,8 @@ MODULE_LICENSE("Dual BSD/GPL");
+ static u64 srpt_service_guid;
+ static DEFINE_SPINLOCK(srpt_dev_lock);        /* Protects srpt_dev_list. */
+ static LIST_HEAD(srpt_dev_list);      /* List of srpt_device structures. */
++static DEFINE_MUTEX(srpt_mc_mutex);   /* Protects srpt_memory_caches. */
++static DEFINE_XARRAY(srpt_memory_caches); /* See also srpt_memory_cache_entry */
+ static unsigned srp_max_req_size = DEFAULT_MAX_REQ_SIZE;
+ module_param(srp_max_req_size, int, 0444);
+@@ -105,6 +107,63 @@ static void srpt_recv_done(struct ib_cq *cq, struct ib_wc *wc);
+ static void srpt_send_done(struct ib_cq *cq, struct ib_wc *wc);
+ static void srpt_process_wait_list(struct srpt_rdma_ch *ch);
++/* Type of the entries in srpt_memory_caches. */
++struct srpt_memory_cache_entry {
++      refcount_t ref;
++      struct kmem_cache *c;
++};
++
++static struct kmem_cache *srpt_cache_get(unsigned int object_size)
++{
++      struct srpt_memory_cache_entry *e;
++      char name[32];
++      void *res;
++
++      guard(mutex)(&srpt_mc_mutex);
++      e = xa_load(&srpt_memory_caches, object_size);
++      if (e) {
++              refcount_inc(&e->ref);
++              return e->c;
++      }
++      snprintf(name, sizeof(name), "srpt-%u", object_size);
++      e = kmalloc(sizeof(*e), GFP_KERNEL);
++      if (!e)
++              return NULL;
++      refcount_set(&e->ref, 1);
++      e->c = kmem_cache_create(name, object_size, /*align=*/512, 0, NULL);
++      if (!e->c)
++              goto free_entry;
++      res = xa_store(&srpt_memory_caches, object_size, e, GFP_KERNEL);
++      if (xa_is_err(res))
++              goto destroy_cache;
++      return e->c;
++
++destroy_cache:
++      kmem_cache_destroy(e->c);
++
++free_entry:
++      kfree(e);
++      return NULL;
++}
++
++static void srpt_cache_put(struct kmem_cache *c)
++{
++      struct srpt_memory_cache_entry *e = NULL;
++      unsigned long object_size;
++
++      guard(mutex)(&srpt_mc_mutex);
++      xa_for_each(&srpt_memory_caches, object_size, e)
++              if (e->c == c)
++                      break;
++      if (WARN_ON_ONCE(!e))
++              return;
++      if (!refcount_dec_and_test(&e->ref))
++              return;
++      WARN_ON_ONCE(xa_erase(&srpt_memory_caches, object_size) != e);
++      kmem_cache_destroy(e->c);
++      kfree(e);
++}
++
+ /*
+  * The only allowed channel state changes are those that change the channel
+  * state into a state with a higher numerical value. Hence the new > prev test.
+@@ -2119,13 +2178,13 @@ static void srpt_release_channel_work(struct work_struct *w)
+                            ch->sport->sdev, ch->rq_size,
+                            ch->rsp_buf_cache, DMA_TO_DEVICE);
+-      kmem_cache_destroy(ch->rsp_buf_cache);
++      srpt_cache_put(ch->rsp_buf_cache);
+       srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_recv_ring,
+                            sdev, ch->rq_size,
+                            ch->req_buf_cache, DMA_FROM_DEVICE);
+-      kmem_cache_destroy(ch->req_buf_cache);
++      srpt_cache_put(ch->req_buf_cache);
+       kref_put(&ch->kref, srpt_free_ch);
+ }
+@@ -2245,8 +2304,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev,
+       INIT_LIST_HEAD(&ch->cmd_wait_list);
+       ch->max_rsp_size = ch->sport->port_attrib.srp_max_rsp_size;
+-      ch->rsp_buf_cache = kmem_cache_create("srpt-rsp-buf", ch->max_rsp_size,
+-                                            512, 0, NULL);
++      ch->rsp_buf_cache = srpt_cache_get(ch->max_rsp_size);
+       if (!ch->rsp_buf_cache)
+               goto free_ch;
+@@ -2280,8 +2338,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev,
+               alignment_offset = round_up(imm_data_offset, 512) -
+                       imm_data_offset;
+               req_sz = alignment_offset + imm_data_offset + srp_max_req_size;
+-              ch->req_buf_cache = kmem_cache_create("srpt-req-buf", req_sz,
+-                                                    512, 0, NULL);
++              ch->req_buf_cache = srpt_cache_get(req_sz);
+               if (!ch->req_buf_cache)
+                       goto free_rsp_ring;
+@@ -2478,7 +2535,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev,
+                            ch->req_buf_cache, DMA_FROM_DEVICE);
+ free_recv_cache:
+-      kmem_cache_destroy(ch->req_buf_cache);
++      srpt_cache_put(ch->req_buf_cache);
+ free_rsp_ring:
+       srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
+@@ -2486,7 +2543,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev,
+                            ch->rsp_buf_cache, DMA_TO_DEVICE);
+ free_rsp_cache:
+-      kmem_cache_destroy(ch->rsp_buf_cache);
++      srpt_cache_put(ch->rsp_buf_cache);
+ free_ch:
+       if (rdma_cm_id)
+@@ -3055,7 +3112,7 @@ static void srpt_free_srq(struct srpt_device *sdev)
+       srpt_free_ioctx_ring((struct srpt_ioctx **)sdev->ioctx_ring, sdev,
+                            sdev->srq_size, sdev->req_buf_cache,
+                            DMA_FROM_DEVICE);
+-      kmem_cache_destroy(sdev->req_buf_cache);
++      srpt_cache_put(sdev->req_buf_cache);
+       sdev->srq = NULL;
+ }
+@@ -3082,8 +3139,7 @@ static int srpt_alloc_srq(struct srpt_device *sdev)
+       pr_debug("create SRQ #wr= %d max_allow=%d dev= %s\n", sdev->srq_size,
+                sdev->device->attrs.max_srq_wr, dev_name(&device->dev));
+-      sdev->req_buf_cache = kmem_cache_create("srpt-srq-req-buf",
+-                                              srp_max_req_size, 0, 0, NULL);
++      sdev->req_buf_cache = srpt_cache_get(srp_max_req_size);
+       if (!sdev->req_buf_cache)
+               goto free_srq;
+@@ -3105,7 +3161,7 @@ static int srpt_alloc_srq(struct srpt_device *sdev)
+       return 0;
+ free_cache:
+-      kmem_cache_destroy(sdev->req_buf_cache);
++      srpt_cache_put(sdev->req_buf_cache);
+ free_srq:
+       ib_destroy_srq(srq);
+-- 
+2.43.0
+
diff --git a/queue-6.6/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch b/queue-6.6/riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch
new file mode 100644 (file)
index 0000000..d2437ef
--- /dev/null
@@ -0,0 +1,89 @@
+From 8a732a04f6626a6c3aba840a08ac7f8ca03889ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 17:36:28 +0300
+Subject: riscv, bpf: Make BPF_CMPXCHG fully ordered
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrea Parri <parri.andrea@gmail.com>
+
+[ Upstream commit e59db0623f6955986d1be0880b351a1f56e7fd6d ]
+
+According to the prototype formal BPF memory consistency model
+discussed e.g. in [1] and following the ordering properties of
+the C/in-kernel macro atomic_cmpxchg(), a BPF atomic operation
+with the BPF_CMPXCHG modifier is fully ordered.  However, the
+current RISC-V JIT lowerings fail to meet such memory ordering
+property.  This is illustrated by the following litmus test:
+
+BPF BPF__MP+success_cmpxchg+fence
+{
+ 0:r1=x; 0:r3=y; 0:r5=1;
+ 1:r2=y; 1:r4=f; 1:r7=x;
+}
+ P0                               | P1                                         ;
+ *(u64 *)(r1 + 0) = 1             | r1 = *(u64 *)(r2 + 0)                      ;
+ r2 = cmpxchg_64 (r3 + 0, r4, r5) | r3 = atomic_fetch_add((u64 *)(r4 + 0), r5) ;
+                                  | r6 = *(u64 *)(r7 + 0)                      ;
+exists (1:r1=1 /\ 1:r6=0)
+
+whose "exists" clause is not satisfiable according to the BPF
+memory model.  Using the current RISC-V JIT lowerings, the test
+can be mapped to the following RISC-V litmus test:
+
+RISCV RISCV__MP+success_cmpxchg+fence
+{
+ 0:x1=x; 0:x3=y; 0:x5=1;
+ 1:x2=y; 1:x4=f; 1:x7=x;
+}
+ P0                 | P1                          ;
+ sd x5, 0(x1)       | ld x1, 0(x2)                ;
+ L00:               | amoadd.d.aqrl x3, x5, 0(x4) ;
+ lr.d x2, 0(x3)     | ld x6, 0(x7)                ;
+ bne x2, x4, L01    |                             ;
+ sc.d x6, x5, 0(x3) |                             ;
+ bne x6, x4, L00    |                             ;
+ fence rw, rw       |                             ;
+ L01:               |                             ;
+exists (1:x1=1 /\ 1:x6=0)
+
+where the two stores in P0 can be reordered.  Update the RISC-V
+JIT lowerings/implementation of BPF_CMPXCHG to emit an SC with
+RELEASE ("rl") annotation in order to meet the expected memory
+ordering guarantees.  The resulting RISC-V JIT lowerings of
+BPF_CMPXCHG match the RISC-V lowerings of the C atomic_cmpxchg().
+
+Other lowerings were fixed via 20a759df3bba ("riscv, bpf: make
+some atomic operations fully ordered").
+
+Fixes: dd642ccb45ec ("riscv, bpf: Implement more atomic operations for RV64")
+Signed-off-by: Andrea Parri <parri.andrea@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Puranjay Mohan <puranjay@kernel.org>
+Acked-by: Björn Töpel <bjorn@kernel.org>
+Link: https://lpc.events/event/18/contributions/1949/attachments/1665/3441/bpfmemmodel.2024.09.19p.pdf [1]
+Link: https://lore.kernel.org/bpf/20241017143628.2673894-1-parri.andrea@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
+index 2f041b5cea970..26eeb39736319 100644
+--- a/arch/riscv/net/bpf_jit_comp64.c
++++ b/arch/riscv/net/bpf_jit_comp64.c
+@@ -555,8 +555,8 @@ static void emit_atomic(u8 rd, u8 rs, s16 off, s32 imm, bool is64,
+                    rv_lr_w(r0, 0, rd, 0, 0), ctx);
+               jmp_offset = ninsns_rvoff(8);
+               emit(rv_bne(RV_REG_T2, r0, jmp_offset >> 1), ctx);
+-              emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 0) :
+-                   rv_sc_w(RV_REG_T3, rs, rd, 0, 0), ctx);
++              emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 1) :
++                   rv_sc_w(RV_REG_T3, rs, rd, 0, 1), ctx);
+               jmp_offset = ninsns_rvoff(-6);
+               emit(rv_bne(RV_REG_T3, 0, jmp_offset >> 1), ctx);
+               emit(rv_fence(0x3, 0x3), ctx);
+-- 
+2.43.0
+
diff --git a/queue-6.6/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch b/queue-6.6/s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch
new file mode 100644 (file)
index 0000000..80717c3
--- /dev/null
@@ -0,0 +1,38 @@
+From 9d41d3560575dc9fce646fb9c176716088ddcf81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 17:52:39 +0200
+Subject: s390: Initialize psw mask in perf_arch_fetch_caller_regs()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 223e7fb979fa06934f1595b6ad0ae1d4ead1147f ]
+
+Also initialize regs->psw.mask in perf_arch_fetch_caller_regs().
+This way user_mode(regs) will return false, like it should.
+
+It looks like all current users initialize regs to zero, so that this
+doesn't fix a bug currently. However it is better to not rely on callers
+to do this.
+
+Fixes: 914d52e46490 ("s390: implement perf_arch_fetch_caller_regs")
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/perf_event.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/s390/include/asm/perf_event.h b/arch/s390/include/asm/perf_event.h
+index 9917e2717b2b4..66aff768f8151 100644
+--- a/arch/s390/include/asm/perf_event.h
++++ b/arch/s390/include/asm/perf_event.h
+@@ -73,6 +73,7 @@ struct perf_sf_sde_regs {
+ #define SAMPLE_FREQ_MODE(hwc) (SAMPL_FLAGS(hwc) & PERF_CPUM_SF_FREQ_MODE)
+ #define perf_arch_fetch_caller_regs(regs, __ip) do {                  \
++      (regs)->psw.mask = 0;                                           \
+       (regs)->psw.addr = (__ip);                                      \
+       (regs)->gprs[15] = (unsigned long)__builtin_frame_address(0) -  \
+               offsetof(struct stack_frame, back_chain);               \
+-- 
+2.43.0
+
diff --git a/queue-6.6/s390-pci-handle-pci-error-codes-other-than-0x3a.patch b/queue-6.6/s390-pci-handle-pci-error-codes-other-than-0x3a.patch
new file mode 100644 (file)
index 0000000..d28a5d6
--- /dev/null
@@ -0,0 +1,65 @@
+From 8c4bac4cf809b14f66810491ccd1d7c242621727 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 14:01:39 +0200
+Subject: s390/pci: Handle PCI error codes other than 0x3a
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+[ Upstream commit 3cd03ea57e8e16cc78cc357d5e9f26078426f236 ]
+
+The Linux implementation of PCI error recovery for s390 was based on the
+understanding that firmware error recovery is a two step process with an
+optional initial error event to indicate the cause of the error if known
+followed by either error event 0x3A (Success) or 0x3B (Failure) to
+indicate whether firmware was able to recover. While this has been the
+case in testing and the error cases seen in the wild it turns out this
+is not correct. Instead firmware only generates 0x3A for some error and
+service scenarios and expects the OS to perform recovery for all PCI
+events codes except for those indicating permanent error (0x3B, 0x40)
+and those indicating errors on the function measurement block (0x2A,
+0x2B, 0x2C). Align Linux behavior with these expectations.
+
+Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery")
+Reviewed-by: Gerd Bayer <gbayer@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci_event.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c
+index b9324ca2eb940..b3961f1016ea0 100644
+--- a/arch/s390/pci/pci_event.c
++++ b/arch/s390/pci/pci_event.c
+@@ -272,18 +272,19 @@ static void __zpci_event_error(struct zpci_ccdf_err *ccdf)
+               goto no_pdev;
+       switch (ccdf->pec) {
+-      case 0x003a: /* Service Action or Error Recovery Successful */
++      case 0x002a: /* Error event concerns FMB */
++      case 0x002b:
++      case 0x002c:
++              break;
++      case 0x0040: /* Service Action or Error Recovery Failed */
++      case 0x003b:
++              zpci_event_io_failure(pdev, pci_channel_io_perm_failure);
++              break;
++      default: /* PCI function left in the error state attempt to recover */
+               ers_res = zpci_event_attempt_error_recovery(pdev);
+               if (ers_res != PCI_ERS_RESULT_RECOVERED)
+                       zpci_event_io_failure(pdev, pci_channel_io_perm_failure);
+               break;
+-      default:
+-              /*
+-               * Mark as frozen not permanently failed because the device
+-               * could be subsequently recovered by the platform.
+-               */
+-              zpci_event_io_failure(pdev, pci_channel_io_frozen);
+-              break;
+       }
+       pci_dev_put(pdev);
+ no_pdev:
+-- 
+2.43.0
+
diff --git a/queue-6.6/sched-core-disable-page-allocation-in-task_tick_mm_c.patch b/queue-6.6/sched-core-disable-page-allocation-in-task_tick_mm_c.patch
new file mode 100644 (file)
index 0000000..338ec32
--- /dev/null
@@ -0,0 +1,132 @@
+From 3c2218fd9d59b14e7a365fa96c3b22b6f1525d7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 21:44:32 -0400
+Subject: sched/core: Disable page allocation in task_tick_mm_cid()
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 73ab05aa46b02d96509cb029a8d04fca7bbde8c7 ]
+
+With KASAN and PREEMPT_RT enabled, calling task_work_add() in
+task_tick_mm_cid() may cause the following splat.
+
+[   63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
+[   63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe
+[   63.696416] preempt_count: 10001, expected: 0
+[   63.696416] RCU nest depth: 1, expected: 1
+
+This problem is caused by the following call trace.
+
+  sched_tick() [ acquire rq->__lock ]
+   -> task_tick_mm_cid()
+    -> task_work_add()
+     -> __kasan_record_aux_stack()
+      -> kasan_save_stack()
+       -> stack_depot_save_flags()
+        -> alloc_pages_mpol_noprof()
+         -> __alloc_pages_noprof()
+         -> get_page_from_freelist()
+          -> rmqueue()
+           -> rmqueue_pcplist()
+            -> __rmqueue_pcplist()
+             -> rmqueue_bulk()
+              -> rt_spin_lock()
+
+The rq lock is a raw_spinlock_t. We can't sleep while holding
+it. IOW, we can't call alloc_pages() in stack_depot_save_flags().
+
+The task_tick_mm_cid() function with its task_work_add() call was
+introduced by commit 223baf9d17f2 ("sched: Fix performance regression
+introduced by mm_cid") in v6.4 kernel.
+
+Fortunately, there is a kasan_record_aux_stack_noalloc() variant that
+calls stack_depot_save_flags() while not allowing it to allocate
+new pages.  To allow task_tick_mm_cid() to use task_work without
+page allocation, a new TWAF_NO_ALLOC flag is added to enable calling
+kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()
+if set. The task_tick_mm_cid() function is modified to add this new flag.
+
+The possible downside is the missing stack trace in a KASAN report due
+to new page allocation required when task_work_add_noallloc() is called
+which should be rare.
+
+Fixes: 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20241010014432.194742-1-longman@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/task_work.h |  5 ++++-
+ kernel/sched/core.c       |  4 +++-
+ kernel/task_work.c        | 15 +++++++++++++--
+ 3 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/task_work.h b/include/linux/task_work.h
+index cf5e7e891a776..2964171856e00 100644
+--- a/include/linux/task_work.h
++++ b/include/linux/task_work.h
+@@ -14,11 +14,14 @@ init_task_work(struct callback_head *twork, task_work_func_t func)
+ }
+ enum task_work_notify_mode {
+-      TWA_NONE,
++      TWA_NONE = 0,
+       TWA_RESUME,
+       TWA_SIGNAL,
+       TWA_SIGNAL_NO_IPI,
+       TWA_NMI_CURRENT,
++
++      TWA_FLAGS = 0xff00,
++      TWAF_NO_ALLOC = 0x0100,
+ };
+ static inline bool task_work_pending(struct task_struct *task)
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 9b406d9886541..b6f922a20f83a 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -12050,7 +12050,9 @@ void task_tick_mm_cid(struct rq *rq, struct task_struct *curr)
+               return;
+       if (time_before(now, READ_ONCE(curr->mm->mm_cid_next_scan)))
+               return;
+-      task_work_add(curr, work, TWA_RESUME);
++
++      /* No page allocation under rq lock */
++      task_work_add(curr, work, TWA_RESUME | TWAF_NO_ALLOC);
+ }
+ void sched_mm_cid_exit_signals(struct task_struct *t)
+diff --git a/kernel/task_work.c b/kernel/task_work.c
+index 5c2daa7ad3f90..8aa43204cb7dd 100644
+--- a/kernel/task_work.c
++++ b/kernel/task_work.c
+@@ -53,13 +53,24 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
+                 enum task_work_notify_mode notify)
+ {
+       struct callback_head *head;
++      int flags = notify & TWA_FLAGS;
++      notify &= ~TWA_FLAGS;
+       if (notify == TWA_NMI_CURRENT) {
+               if (WARN_ON_ONCE(task != current))
+                       return -EINVAL;
+       } else {
+-              /* record the work call stack in order to print it in KASAN reports */
+-              kasan_record_aux_stack(work);
++              /*
++               * Record the work call stack in order to print it in KASAN
++               * reports.
++               *
++               * Note that stack allocation can fail if TWAF_NO_ALLOC flag
++               * is set and new page is needed to expand the stack buffer.
++               */
++              if (flags & TWAF_NO_ALLOC)
++                      kasan_record_aux_stack_noalloc(work);
++              else
++                      kasan_record_aux_stack(work);
+       }
+       head = READ_ONCE(task->task_works);
+-- 
+2.43.0
+
diff --git a/queue-6.6/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch b/queue-6.6/scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch
new file mode 100644 (file)
index 0000000..024aea5
--- /dev/null
@@ -0,0 +1,54 @@
+From edf3ce9f550835e178a339413f5f87807f395706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 19:34:44 +0800
+Subject: scsi: target: core: Fix null-ptr-deref in target_alloc_device()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit fca6caeb4a61d240f031914413fcc69534f6dc03 ]
+
+There is a null-ptr-deref issue reported by KASAN:
+
+BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
+...
+ kasan_report+0xb9/0xf0
+ target_alloc_device+0xbc4/0xbe0 [target_core_mod]
+ core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
+ target_core_init_configfs+0x205/0x420 [target_core_mod]
+ do_one_initcall+0xdd/0x4e0
+...
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+In target_alloc_device(), if allocing memory for dev queues fails, then
+dev will be freed by dev->transport->free_device(), but dev->transport
+is not initialized at that time, which will lead to a null pointer
+reference problem.
+
+Fixing this bug by freeing dev with hba->backend->ops->free_device().
+
+Fixes: 1526d9f10c61 ("scsi: target: Make state_list per CPU")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://lore.kernel.org/r/20241011113444.40749-1-wanghai38@huawei.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
+index 86590a7e29f6a..dd041ee18ac9b 100644
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -692,7 +692,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
+       dev->queues = kcalloc(nr_cpu_ids, sizeof(*dev->queues), GFP_KERNEL);
+       if (!dev->queues) {
+-              dev->transport->free_device(dev);
++              hba->backend->ops->free_device(dev);
+               return NULL;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.6/selftests-bpf-add-cookies-check-for-perf_event-fill_.patch b/queue-6.6/selftests-bpf-add-cookies-check-for-perf_event-fill_.patch
new file mode 100644 (file)
index 0000000..b008d58
--- /dev/null
@@ -0,0 +1,113 @@
+From afb9a8cfb5e85f124dd3c6ccc33c52bca9635a4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 12:05:02 +0100
+Subject: selftests/bpf: Add cookies check for perf_event fill_link_info test
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit d74179708473c649c653f1db280e29875a532e99 ]
+
+Now that we get cookies for perf_event probes, adding tests
+for cookie for kprobe/uprobe/tracepoint.
+
+The perf_event test needs to be added completely and is coming
+in following change.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20240119110505.400573-6-jolsa@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 4538a38f654a ("selftests/bpf: fix perf_event link info name_len assertion")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/prog_tests/fill_link_info.c | 26 +++++++++++++++----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+index 7db7f9bd9d58e..9eb93258614f9 100644
+--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+@@ -30,6 +30,8 @@ static noinline void uprobe_func(void)
+       asm volatile ("");
+ }
++#define PERF_EVENT_COOKIE 0xdeadbeef
++
+ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long addr,
+                                ssize_t offset, ssize_t entry_offset)
+ {
+@@ -61,6 +63,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+                       ASSERT_EQ(info.perf_event.kprobe.addr, addr + entry_offset,
+                                 "kprobe_addr");
++              ASSERT_EQ(info.perf_event.kprobe.cookie, PERF_EVENT_COOKIE, "kprobe_cookie");
++
+               if (!info.perf_event.kprobe.func_name) {
+                       ASSERT_EQ(info.perf_event.kprobe.name_len, 0, "name_len");
+                       info.perf_event.kprobe.func_name = ptr_to_u64(&buf);
+@@ -80,6 +84,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+                       goto again;
+               }
++              ASSERT_EQ(info.perf_event.tracepoint.cookie, PERF_EVENT_COOKIE, "tracepoint_cookie");
++
+               err = strncmp(u64_to_ptr(info.perf_event.tracepoint.tp_name), TP_NAME,
+                             strlen(TP_NAME));
+               ASSERT_EQ(err, 0, "cmp_tp_name");
+@@ -95,6 +101,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+                       goto again;
+               }
++              ASSERT_EQ(info.perf_event.uprobe.cookie, PERF_EVENT_COOKIE, "uprobe_cookie");
++
+               err = strncmp(u64_to_ptr(info.perf_event.uprobe.file_name), UPROBE_FILE,
+                             strlen(UPROBE_FILE));
+                       ASSERT_EQ(err, 0, "cmp_file_name");
+@@ -138,6 +146,7 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel,
+       DECLARE_LIBBPF_OPTS(bpf_kprobe_opts, opts,
+               .attach_mode = PROBE_ATTACH_MODE_LINK,
+               .retprobe = type == BPF_PERF_EVENT_KRETPROBE,
++              .bpf_cookie = PERF_EVENT_COOKIE,
+       );
+       ssize_t entry_offset = 0;
+       struct bpf_link *link;
+@@ -162,10 +171,13 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel,
+ static void test_tp_fill_link_info(struct test_fill_link_info *skel)
+ {
++      DECLARE_LIBBPF_OPTS(bpf_tracepoint_opts, opts,
++              .bpf_cookie = PERF_EVENT_COOKIE,
++      );
+       struct bpf_link *link;
+       int link_fd, err;
+-      link = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME);
++      link = bpf_program__attach_tracepoint_opts(skel->progs.tp_run, TP_CAT, TP_NAME, &opts);
+       if (!ASSERT_OK_PTR(link, "attach_tp"))
+               return;
+@@ -178,13 +190,17 @@ static void test_tp_fill_link_info(struct test_fill_link_info *skel)
+ static void test_uprobe_fill_link_info(struct test_fill_link_info *skel,
+                                      enum bpf_perf_event_type type)
+ {
++      DECLARE_LIBBPF_OPTS(bpf_uprobe_opts, opts,
++              .retprobe = type == BPF_PERF_EVENT_URETPROBE,
++              .bpf_cookie = PERF_EVENT_COOKIE,
++      );
+       struct bpf_link *link;
+       int link_fd, err;
+-      link = bpf_program__attach_uprobe(skel->progs.uprobe_run,
+-                                        type == BPF_PERF_EVENT_URETPROBE,
+-                                        0, /* self pid */
+-                                        UPROBE_FILE, uprobe_offset);
++      link = bpf_program__attach_uprobe_opts(skel->progs.uprobe_run,
++                                             0, /* self pid */
++                                             UPROBE_FILE, uprobe_offset,
++                                             &opts);
+       if (!ASSERT_OK_PTR(link, "attach_uprobe"))
+               return;
+-- 
+2.43.0
+
diff --git a/queue-6.6/selftests-bpf-fix-cross-compiling-urandom_read.patch b/queue-6.6/selftests-bpf-fix-cross-compiling-urandom_read.patch
new file mode 100644 (file)
index 0000000..7564300
--- /dev/null
@@ -0,0 +1,41 @@
+From 3567b5adfc612cbfc420950c27c3d70bc4eff317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 21:07:20 -0700
+Subject: selftests/bpf: Fix cross-compiling urandom_read
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit fd526e121c4d6f71aed82d21a8b8277b03e60b43 ]
+
+Linking of urandom_read and liburandom_read.so prefers LLVM's 'ld.lld' but
+falls back to using 'ld' if unsupported. However, this fallback discards
+any existing makefile macro for LD and can break cross-compilation.
+
+Fix by changing the fallback to use the target linker $(LD), passed via
+'-fuse-ld=' using an absolute path rather than a linker "flavour".
+
+Fixes: 08c79c9cd67f ("selftests/bpf: Don't force lld on non-x86 architectures")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20241009040720.635260-1-tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index ab364e95a9b23..f5a3a84fac955 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -200,7 +200,7 @@ $(OUTPUT)/%:%.c
+ ifeq ($(SRCARCH),x86)
+ LLD := lld
+ else
+-LLD := ld
++LLD := $(shell command -v $(LD))
+ endif
+ # Filter out -static for liburandom_read.so and its dependent targets so that static builds
+-- 
+2.43.0
+
diff --git a/queue-6.6/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch b/queue-6.6/selftests-bpf-fix-perf_event-link-info-name_len-asse.patch
new file mode 100644 (file)
index 0000000..d9bfcc5
--- /dev/null
@@ -0,0 +1,63 @@
+From 1ebc1cc49eeba301123d44e88a582312fd685cec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:43:12 +0000
+Subject: selftests/bpf: fix perf_event link info name_len assertion
+
+From: Tyrone Wu <wudevelops@gmail.com>
+
+[ Upstream commit 4538a38f654a1c292fe489a9b66179262bfed088 ]
+
+Fix `name_len` field assertions in `bpf_link_info.perf_event` for
+kprobe/uprobe/tracepoint to validate correct name size instead of 0.
+
+Fixes: 23cf7aa539dc ("selftests/bpf: Add selftest for fill_link_info")
+Signed-off-by: Tyrone Wu <wudevelops@gmail.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/r/20241008164312.46269-2-wudevelops@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/fill_link_info.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+index 9eb93258614f9..5b0c6a04cdbfe 100644
+--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+@@ -65,8 +65,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+               ASSERT_EQ(info.perf_event.kprobe.cookie, PERF_EVENT_COOKIE, "kprobe_cookie");
++              ASSERT_EQ(info.perf_event.kprobe.name_len, strlen(KPROBE_FUNC) + 1,
++                                "name_len");
+               if (!info.perf_event.kprobe.func_name) {
+-                      ASSERT_EQ(info.perf_event.kprobe.name_len, 0, "name_len");
+                       info.perf_event.kprobe.func_name = ptr_to_u64(&buf);
+                       info.perf_event.kprobe.name_len = sizeof(buf);
+                       goto again;
+@@ -77,8 +78,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+               ASSERT_EQ(err, 0, "cmp_kprobe_func_name");
+               break;
+       case BPF_PERF_EVENT_TRACEPOINT:
++              ASSERT_EQ(info.perf_event.tracepoint.name_len, strlen(TP_NAME) + 1,
++                                "name_len");
+               if (!info.perf_event.tracepoint.tp_name) {
+-                      ASSERT_EQ(info.perf_event.tracepoint.name_len, 0, "name_len");
+                       info.perf_event.tracepoint.tp_name = ptr_to_u64(&buf);
+                       info.perf_event.tracepoint.name_len = sizeof(buf);
+                       goto again;
+@@ -94,8 +96,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+       case BPF_PERF_EVENT_URETPROBE:
+               ASSERT_EQ(info.perf_event.uprobe.offset, offset, "uprobe_offset");
++              ASSERT_EQ(info.perf_event.uprobe.name_len, strlen(UPROBE_FILE) + 1,
++                                "name_len");
+               if (!info.perf_event.uprobe.file_name) {
+-                      ASSERT_EQ(info.perf_event.uprobe.name_len, 0, "name_len");
+                       info.perf_event.uprobe.file_name = ptr_to_u64(&buf);
+                       info.perf_event.uprobe.name_len = sizeof(buf);
+                       goto again;
+-- 
+2.43.0
+
diff --git a/queue-6.6/selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch b/queue-6.6/selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch
new file mode 100644 (file)
index 0000000..c7d9e75
--- /dev/null
@@ -0,0 +1,134 @@
+From 8b29b8ac97de278e2ad336a4f5713e6b1e3afb89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Nov 2023 20:31:28 +0100
+Subject: selftests/bpf: Use bpf_link__destroy in fill_link_info tests
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 1703612885723869064f18e8816c6f3f87987748 ]
+
+The fill_link_info test keeps skeleton open and just creates
+various links. We are wrongly calling bpf_link__detach after
+each test to close them, we need to call bpf_link__destroy.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/bpf/20231125193130.834322-5-jolsa@kernel.org
+Stable-dep-of: 4538a38f654a ("selftests/bpf: fix perf_event link info name_len assertion")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/prog_tests/fill_link_info.c | 44 ++++++++++---------
+ 1 file changed, 23 insertions(+), 21 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+index 9d768e0837149..7db7f9bd9d58e 100644
+--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+@@ -140,14 +140,14 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel,
+               .retprobe = type == BPF_PERF_EVENT_KRETPROBE,
+       );
+       ssize_t entry_offset = 0;
++      struct bpf_link *link;
+       int link_fd, err;
+-      skel->links.kprobe_run = bpf_program__attach_kprobe_opts(skel->progs.kprobe_run,
+-                                                               KPROBE_FUNC, &opts);
+-      if (!ASSERT_OK_PTR(skel->links.kprobe_run, "attach_kprobe"))
++      link = bpf_program__attach_kprobe_opts(skel->progs.kprobe_run, KPROBE_FUNC, &opts);
++      if (!ASSERT_OK_PTR(link, "attach_kprobe"))
+               return;
+-      link_fd = bpf_link__fd(skel->links.kprobe_run);
++      link_fd = bpf_link__fd(link);
+       if (!invalid) {
+               /* See also arch_adjust_kprobe_addr(). */
+               if (skel->kconfig->CONFIG_X86_KERNEL_IBT)
+@@ -157,39 +157,41 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel,
+       } else {
+               kprobe_fill_invalid_user_buffer(link_fd);
+       }
+-      bpf_link__detach(skel->links.kprobe_run);
++      bpf_link__destroy(link);
+ }
+ static void test_tp_fill_link_info(struct test_fill_link_info *skel)
+ {
++      struct bpf_link *link;
+       int link_fd, err;
+-      skel->links.tp_run = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME);
+-      if (!ASSERT_OK_PTR(skel->links.tp_run, "attach_tp"))
++      link = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME);
++      if (!ASSERT_OK_PTR(link, "attach_tp"))
+               return;
+-      link_fd = bpf_link__fd(skel->links.tp_run);
++      link_fd = bpf_link__fd(link);
+       err = verify_perf_link_info(link_fd, BPF_PERF_EVENT_TRACEPOINT, 0, 0, 0);
+       ASSERT_OK(err, "verify_perf_link_info");
+-      bpf_link__detach(skel->links.tp_run);
++      bpf_link__destroy(link);
+ }
+ static void test_uprobe_fill_link_info(struct test_fill_link_info *skel,
+                                      enum bpf_perf_event_type type)
+ {
++      struct bpf_link *link;
+       int link_fd, err;
+-      skel->links.uprobe_run = bpf_program__attach_uprobe(skel->progs.uprobe_run,
+-                                                          type == BPF_PERF_EVENT_URETPROBE,
+-                                                          0, /* self pid */
+-                                                          UPROBE_FILE, uprobe_offset);
+-      if (!ASSERT_OK_PTR(skel->links.uprobe_run, "attach_uprobe"))
++      link = bpf_program__attach_uprobe(skel->progs.uprobe_run,
++                                        type == BPF_PERF_EVENT_URETPROBE,
++                                        0, /* self pid */
++                                        UPROBE_FILE, uprobe_offset);
++      if (!ASSERT_OK_PTR(link, "attach_uprobe"))
+               return;
+-      link_fd = bpf_link__fd(skel->links.uprobe_run);
++      link_fd = bpf_link__fd(link);
+       err = verify_perf_link_info(link_fd, type, 0, uprobe_offset, 0);
+       ASSERT_OK(err, "verify_perf_link_info");
+-      bpf_link__detach(skel->links.uprobe_run);
++      bpf_link__destroy(link);
+ }
+ static int verify_kmulti_link_info(int fd, bool retprobe)
+@@ -278,24 +280,24 @@ static void test_kprobe_multi_fill_link_info(struct test_fill_link_info *skel,
+                                            bool retprobe, bool invalid)
+ {
+       LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
++      struct bpf_link *link;
+       int link_fd, err;
+       opts.syms = kmulti_syms;
+       opts.cnt = KMULTI_CNT;
+       opts.retprobe = retprobe;
+-      skel->links.kmulti_run = bpf_program__attach_kprobe_multi_opts(skel->progs.kmulti_run,
+-                                                                     NULL, &opts);
+-      if (!ASSERT_OK_PTR(skel->links.kmulti_run, "attach_kprobe_multi"))
++      link = bpf_program__attach_kprobe_multi_opts(skel->progs.kmulti_run, NULL, &opts);
++      if (!ASSERT_OK_PTR(link, "attach_kprobe_multi"))
+               return;
+-      link_fd = bpf_link__fd(skel->links.kmulti_run);
++      link_fd = bpf_link__fd(link);
+       if (!invalid) {
+               err = verify_kmulti_link_info(link_fd, retprobe);
+               ASSERT_OK(err, "verify_kmulti_link_info");
+       } else {
+               verify_kmulti_invalid_user_buffer(link_fd);
+       }
+-      bpf_link__detach(skel->links.kmulti_run);
++      bpf_link__destroy(link);
+ }
+ void test_fill_link_info(void)
+-- 
+2.43.0
+
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..97f0cec414cf7968feb8b0517b4eb02130febd91 100644 (file)
@@ -0,0 +1,106 @@
+iio-accel-bma400-fix-uninitialized-variable-field_va.patch
+bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch
+bpf-devmap-provide-rxq-after-redirect.patch
+cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch
+lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch
+bpf-fix-memory-leak-in-bpf_core_apply.patch
+rdma-bnxt_re-fix-a-possible-memory-leak.patch
+rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch
+rdma-bnxt_re-add-a-check-for-memory-allocation.patch
+rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch
+x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch
+arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch
+bpf-add-missed-value-to-kprobe-perf-link-info.patch
+bpf-add-cookie-to-perf_event-bpf_link_info-records.patch
+bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch
+selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch
+selftests-bpf-add-cookies-check-for-perf_event-fill_.patch
+selftests-bpf-fix-perf_event-link-info-name_len-asse.patch
+s390-pci-handle-pci-error-codes-other-than-0x3a.patch
+bpf-fix-kfunc-btf-caching-for-modules.patch
+iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch
+iio-frequency-admv4420-fix-missing-select-remap_spi-.patch
+drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch
+selftests-bpf-fix-cross-compiling-urandom_read.patch
+task_work-add-twa_nmi_current-as-an-additional-notif.patch
+sched-core-disable-page-allocation-in-task_tick_mm_c.patch
+alsa-hda-cs8409-fix-possible-null-dereference.patch
+firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch
+rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch
+rdma-irdma-fix-misspelling-of-accept.patch
+rdma-srpt-make-slab-cache-names-unique.patch
+ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch
+rdma-bnxt_re-support-new-5760x-p7-devices.patch
+rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch
+rdma-bnxt_re-fix-out-of-bound-check.patch
+rdma-bnxt_re-return-more-meaningful-error.patch
+rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch
+rdma-bnxt_re-update-the-bar-offsets.patch
+rdma-bnxt_re-fix-the-gid-table-length.patch
+accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch
+drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch
+drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch
+drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch
+drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch
+drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch
+drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch
+firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch
+net-smc-fix-memory-leak-when-using-percpu-refs.patch
+net-usb-usbnet-fix-race-in-probe-failure.patch
+net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch
+octeontx2-af-fix-potential-integer-overflows-on-inte.patch
+drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch
+macsec-don-t-increment-counters-for-an-unrelated-sa.patch
+netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch
+net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch
+net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch
+net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch
+bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch
+net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch
+irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch
+irqchip-renesas-rzg2l-document-structure-members.patch
+irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch
+irqchip-renesas-rzg2l-fix-missing-put_device.patch
+drm-msm-dpu-don-t-always-program-merge_3d-block.patch
+net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch
+tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch
+net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch
+genetlink-hold-rcu-in-genlmsg_mcast.patch
+ravb-remove-setting-of-rx-software-timestamp.patch
+net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch
+scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch
+smb-client-fix-possible-double-free-in-smb2_set_ea.patch
+smb-client-fix-oobs-when-building-smb2_ioctl-request.patch
+usb-typec-altmode-should-keep-reference-to-parent.patch
+s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch
+bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch
+bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch
+vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch
+net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch
+net-mlx5-fix-command-bitmask-initialization.patch
+net-mlx5-unregister-notifier-on-eswitch-init-failure.patch
+bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch
+vsock-update-rx_bytes-on-read_skb.patch
+vsock-update-msg_count-on-read_skb.patch
+bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch
+riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch
+nvme-pci-set-doorbell-config-before-unquiescing.patch
+nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch
+bpf-fix-iter-task-tid-filtering.patch
+cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch
+mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch
+mm-convert-collapse_huge_page-to-use-a-folio.patch
+mm-khugepaged-use-a-folio-more-in-collapse_file.patch
+khugepaged-inline-hpage_collapse_alloc_folio.patch
+khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch
+khugepaged-remove-hpage-from-collapse_file.patch
+mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch
+iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch
+xhci-dbgtty-remove-kfifo_out-wrapper.patch
+xhci-dbgtty-use-kfifo-from-tty_port-struct.patch
+xhci-dbc-honor-usb-transfer-size-boundaries.patch
+usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch
+usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch
+usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch
+xhci-separate-port-and-caps-macros-into-dedicated-fi.patch
+usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch
diff --git a/queue-6.6/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch b/queue-6.6/smb-client-fix-oobs-when-building-smb2_ioctl-request.patch
new file mode 100644 (file)
index 0000000..7b2bbc9
--- /dev/null
@@ -0,0 +1,107 @@
+From 25ad60a90215e41f62c8a537eaae9a80d29f935c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 19:04:04 -0300
+Subject: smb: client: fix OOBs when building SMB2_IOCTL request
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ]
+
+When using encryption, either enforced by the server or when using
+'seal' mount option, the client will squash all compound request buffers
+down for encryption into a single iov in smb2_set_next_command().
+
+SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the
+SMB2_IOCTL request in the first iov, and if the user passes an input
+buffer that is greater than 328 bytes, smb2_set_next_command() will
+end up writing off the end of @rqst->iov[0].iov_base as shown below:
+
+  mount.cifs //srv/share /mnt -o ...,seal
+  ln -s $(perl -e "print('a')for 1..1024") /mnt/link
+
+  BUG: KASAN: slab-out-of-bounds in
+  smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+  Write of size 4116 at addr ffff8881148fcab8 by task ln/859
+
+  CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+  1.16.3-2.fc40 04/01/2014
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x5d/0x80
+   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+   print_report+0x156/0x4d9
+   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+   ? __virt_addr_valid+0x145/0x310
+   ? __phys_addr+0x46/0x90
+   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+   kasan_report+0xda/0x110
+   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+   kasan_check_range+0x10f/0x1f0
+   __asan_memcpy+0x3c/0x60
+   smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+   smb2_compound_op+0x238c/0x3840 [cifs]
+   ? kasan_save_track+0x14/0x30
+   ? kasan_save_free_info+0x3b/0x70
+   ? vfs_symlink+0x1a1/0x2c0
+   ? do_symlinkat+0x108/0x1c0
+   ? __pfx_smb2_compound_op+0x10/0x10 [cifs]
+   ? kmem_cache_free+0x118/0x3e0
+   ? cifs_get_writable_path+0xeb/0x1a0 [cifs]
+   smb2_get_reparse_inode+0x423/0x540 [cifs]
+   ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]
+   ? rcu_is_watching+0x20/0x50
+   ? __kmalloc_noprof+0x37c/0x480
+   ? smb2_create_reparse_symlink+0x257/0x490 [cifs]
+   ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]
+   smb2_create_reparse_symlink+0x38f/0x490 [cifs]
+   ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]
+   ? find_held_lock+0x8a/0xa0
+   ? hlock_class+0x32/0xb0
+   ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]
+   cifs_symlink+0x24f/0x960 [cifs]
+   ? __pfx_make_vfsuid+0x10/0x10
+   ? __pfx_cifs_symlink+0x10/0x10 [cifs]
+   ? make_vfsgid+0x6b/0xc0
+   ? generic_permission+0x96/0x2d0
+   vfs_symlink+0x1a1/0x2c0
+   do_symlinkat+0x108/0x1c0
+   ? __pfx_do_symlinkat+0x10/0x10
+   ? strncpy_from_user+0xaa/0x160
+   __x64_sys_symlinkat+0xb9/0xf0
+   do_syscall_64+0xbb/0x1d0
+   entry_SYSCALL_64_after_hwframe+0x77/0x7f
+  RIP: 0033:0x7f08d75c13bb
+
+Reported-by: David Howells <dhowells@redhat.com>
+Fixes: e77fe73c7e38 ("cifs: we can not use small padding iovs together with encryption")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2pdu.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index 83a03201bb862..a86a3fbfb5a49 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -3300,6 +3300,15 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
+               return rc;
+       if (indatalen) {
++              unsigned int len;
++
++              if (WARN_ON_ONCE(smb3_encryption_required(tcon) &&
++                               (check_add_overflow(total_len - 1,
++                                                   ALIGN(indatalen, 8), &len) ||
++                                len > MAX_CIFS_SMALL_BUFFER_SIZE))) {
++                      cifs_small_buf_release(req);
++                      return -EIO;
++              }
+               /*
+                * indatalen is usually small at a couple of bytes max, so
+                * just allocate through generic pool
+-- 
+2.43.0
+
diff --git a/queue-6.6/smb-client-fix-possible-double-free-in-smb2_set_ea.patch b/queue-6.6/smb-client-fix-possible-double-free-in-smb2_set_ea.patch
new file mode 100644 (file)
index 0000000..4b9ea64
--- /dev/null
@@ -0,0 +1,59 @@
+From ec49a220243c32ab6b5ee7b287112908fbd53eee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 18:20:37 +0800
+Subject: smb: client: fix possible double free in smb2_set_ea()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 19ebc1e6cab334a8193398d4152deb76019b5d34 ]
+
+Clang static checker(scan-build) warning:
+fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.
+ 1304 |         kfree(ea);
+      |         ^~~~~~~~~
+
+There is a double free in such case:
+'ea is initialized to NULL' -> 'first successful memory allocation for
+ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea'
+-> 'goto replay_again' -> 'second goto sea_exit before allocate memory
+for ea' -> 'second memory release for ea resulted in double free'.
+
+Re-initialie 'ea' to NULL near to the replay_again label, it can fix this
+double free problem.
+
+Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
+index 450e3050324c6..ab6e79be2c15d 100644
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -1122,7 +1122,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
+       struct cifs_fid fid;
+       unsigned int size[1];
+       void *data[1];
+-      struct smb2_file_full_ea_info *ea = NULL;
++      struct smb2_file_full_ea_info *ea;
+       struct smb2_query_info_rsp *rsp;
+       int rc, used_len = 0;
+       int retries = 0, cur_sleep = 1;
+@@ -1143,6 +1143,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
+       if (!utf16_path)
+               return -ENOMEM;
++      ea = NULL;
+       resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
+       vars = kzalloc(sizeof(*vars), GFP_KERNEL);
+       if (!vars) {
+-- 
+2.43.0
+
diff --git a/queue-6.6/task_work-add-twa_nmi_current-as-an-additional-notif.patch b/queue-6.6/task_work-add-twa_nmi_current-as-an-additional-notif.patch
new file mode 100644 (file)
index 0000000..6560589
--- /dev/null
@@ -0,0 +1,114 @@
+From 1afb31e5d0133295e6d94bb678f382e288029092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jul 2024 19:03:36 +0200
+Subject: task_work: Add TWA_NMI_CURRENT as an additional notify mode.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 466e4d801cd438a1ab2c8a2cce1bef6b65c31bbb ]
+
+Adding task_work from NMI context requires the following:
+- The kasan_record_aux_stack() is not NMU safe and must be avoided.
+- Using TWA_RESUME is NMI safe. If the NMI occurs while the CPU is in
+  userland then it will continue in userland and not invoke the `work'
+  callback.
+
+Add TWA_NMI_CURRENT as an additional notify mode. In this mode skip
+kasan and use irq_work in hardirq-mode to for needed interrupt. Set
+TIF_NOTIFY_RESUME within the irq_work callback due to k[ac]san
+instrumentation in test_and_set_bit() which does not look NMI safe in
+case of a report.
+
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240704170424.1466941-3-bigeasy@linutronix.de
+Stable-dep-of: 73ab05aa46b0 ("sched/core: Disable page allocation in task_tick_mm_cid()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/task_work.h |  1 +
+ kernel/task_work.c        | 24 +++++++++++++++++++++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/task_work.h b/include/linux/task_work.h
+index 26b8a47f41fca..cf5e7e891a776 100644
+--- a/include/linux/task_work.h
++++ b/include/linux/task_work.h
+@@ -18,6 +18,7 @@ enum task_work_notify_mode {
+       TWA_RESUME,
+       TWA_SIGNAL,
+       TWA_SIGNAL_NO_IPI,
++      TWA_NMI_CURRENT,
+ };
+ static inline bool task_work_pending(struct task_struct *task)
+diff --git a/kernel/task_work.c b/kernel/task_work.c
+index 2134ac8057a94..5c2daa7ad3f90 100644
+--- a/kernel/task_work.c
++++ b/kernel/task_work.c
+@@ -1,10 +1,18 @@
+ // SPDX-License-Identifier: GPL-2.0
++#include <linux/irq_work.h>
+ #include <linux/spinlock.h>
+ #include <linux/task_work.h>
+ #include <linux/resume_user_mode.h>
+ static struct callback_head work_exited; /* all we need is ->next == NULL */
++static void task_work_set_notify_irq(struct irq_work *entry)
++{
++      test_and_set_tsk_thread_flag(current, TIF_NOTIFY_RESUME);
++}
++static DEFINE_PER_CPU(struct irq_work, irq_work_NMI_resume) =
++      IRQ_WORK_INIT_HARD(task_work_set_notify_irq);
++
+ /**
+  * task_work_add - ask the @task to execute @work->func()
+  * @task: the task which should run the callback
+@@ -12,7 +20,7 @@ static struct callback_head work_exited; /* all we need is ->next == NULL */
+  * @notify: how to notify the targeted task
+  *
+  * Queue @work for task_work_run() below and notify the @task if @notify
+- * is @TWA_RESUME, @TWA_SIGNAL, or @TWA_SIGNAL_NO_IPI.
++ * is @TWA_RESUME, @TWA_SIGNAL, @TWA_SIGNAL_NO_IPI or @TWA_NMI_CURRENT.
+  *
+  * @TWA_SIGNAL works like signals, in that the it will interrupt the targeted
+  * task and run the task_work, regardless of whether the task is currently
+@@ -24,6 +32,8 @@ static struct callback_head work_exited; /* all we need is ->next == NULL */
+  * kernel anyway.
+  * @TWA_RESUME work is run only when the task exits the kernel and returns to
+  * user mode, or before entering guest mode.
++ * @TWA_NMI_CURRENT works like @TWA_RESUME, except it can only be used for the
++ * current @task and if the current context is NMI.
+  *
+  * Fails if the @task is exiting/exited and thus it can't process this @work.
+  * Otherwise @work->func() will be called when the @task goes through one of
+@@ -44,8 +54,13 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
+ {
+       struct callback_head *head;
+-      /* record the work call stack in order to print it in KASAN reports */
+-      kasan_record_aux_stack(work);
++      if (notify == TWA_NMI_CURRENT) {
++              if (WARN_ON_ONCE(task != current))
++                      return -EINVAL;
++      } else {
++              /* record the work call stack in order to print it in KASAN reports */
++              kasan_record_aux_stack(work);
++      }
+       head = READ_ONCE(task->task_works);
+       do {
+@@ -66,6 +81,9 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
+       case TWA_SIGNAL_NO_IPI:
+               __set_notify_signal(task);
+               break;
++      case TWA_NMI_CURRENT:
++              irq_work_queue(this_cpu_ptr(&irq_work_NMI_resume));
++              break;
+       default:
+               WARN_ON_ONCE(1);
+               break;
+-- 
+2.43.0
+
diff --git a/queue-6.6/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch b/queue-6.6/tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch
new file mode 100644 (file)
index 0000000..0aff77f
--- /dev/null
@@ -0,0 +1,180 @@
+From 15804082f0431cb357bf3aa25ec2c153206f3cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 15:33:12 -0700
+Subject: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f ]
+
+Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().
+
+  """
+  We are seeing a use-after-free from a bpf prog attached to
+  trace_tcp_retransmit_synack. The program passes the req->sk to the
+  bpf_sk_storage_get_tracing kernel helper which does check for null
+  before using it.
+  """
+
+The commit 83fccfc3940c ("inet: fix potential deadlock in
+reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not
+to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
+small race window.
+
+Before the timer is called, expire_timers() calls detach_timer(timer, true)
+to clear timer->entry.pprev and marks it as not pending.
+
+If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
+calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
+continue running and send multiple SYN+ACKs until it expires.
+
+The reported UAF could happen if req->sk is close()d earlier than the timer
+expiration, which is 63s by default.
+
+The scenario would be
+
+  1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
+     but del_timer_sync() is missed
+
+  2. reqsk timer is executed and scheduled again
+
+  3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
+     reqsk timer still has another one, and inet_csk_accept() does not
+     clear req->sk for non-TFO sockets
+
+  4. sk is close()d
+
+  5. reqsk timer is executed again, and BPF touches req->sk
+
+Let's not use timer_pending() by passing the caller context to
+__inet_csk_reqsk_queue_drop().
+
+Note that reqsk timer is pinned, so the issue does not happen in most
+use cases. [1]
+
+[0]
+BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0
+
+Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
+bpf_sk_storage_get_tracing+0x2e/0x1b0
+bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
+bpf_trace_run2+0x4c/0xc0
+tcp_rtx_synack+0xf9/0x100
+reqsk_timer_handler+0xda/0x3d0
+run_timer_softirq+0x292/0x8a0
+irq_exit_rcu+0xf5/0x320
+sysvec_apic_timer_interrupt+0x6d/0x80
+asm_sysvec_apic_timer_interrupt+0x16/0x20
+intel_idle_irq+0x5a/0xa0
+cpuidle_enter_state+0x94/0x273
+cpu_startup_entry+0x15e/0x260
+start_secondary+0x8a/0x90
+secondary_startup_64_no_verify+0xfa/0xfb
+
+kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6
+
+allocated by task 0 on cpu 9 at 260507.901592s:
+sk_prot_alloc+0x35/0x140
+sk_clone_lock+0x1f/0x3f0
+inet_csk_clone_lock+0x15/0x160
+tcp_create_openreq_child+0x1f/0x410
+tcp_v6_syn_recv_sock+0x1da/0x700
+tcp_check_req+0x1fb/0x510
+tcp_v6_rcv+0x98b/0x1420
+ipv6_list_rcv+0x2258/0x26e0
+napi_complete_done+0x5b1/0x2990
+mlx5e_napi_poll+0x2ae/0x8d0
+net_rx_action+0x13e/0x590
+irq_exit_rcu+0xf5/0x320
+common_interrupt+0x80/0x90
+asm_common_interrupt+0x22/0x40
+cpuidle_enter_state+0xfb/0x273
+cpu_startup_entry+0x15e/0x260
+start_secondary+0x8a/0x90
+secondary_startup_64_no_verify+0xfa/0xfb
+
+freed by task 0 on cpu 9 at 260507.927527s:
+rcu_core_si+0x4ff/0xf10
+irq_exit_rcu+0xf5/0x320
+sysvec_apic_timer_interrupt+0x6d/0x80
+asm_sysvec_apic_timer_interrupt+0x16/0x20
+cpuidle_enter_state+0xfb/0x273
+cpu_startup_entry+0x15e/0x260
+start_secondary+0x8a/0x90
+secondary_startup_64_no_verify+0xfa/0xfb
+
+Fixes: 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()")
+Reported-by: Martin KaFai Lau <martin.lau@kernel.org>
+Closes: https://lore.kernel.org/netdev/eb6684d0-ffd9-4bdc-9196-33f690c25824@linux.dev/
+Link: https://lore.kernel.org/netdev/b55e2ca0-42f2-4b7c-b445-6ffd87ca74a0@linux.dev/ [1]
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_connection_sock.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 8720f3840b698..ca8cc0988b618 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -980,21 +980,31 @@ static bool reqsk_queue_unlink(struct request_sock *req)
+               found = __sk_nulls_del_node_init_rcu(sk);
+               spin_unlock(lock);
+       }
+-      if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer))
+-              reqsk_put(req);
++
+       return found;
+ }
+-bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req)
++static bool __inet_csk_reqsk_queue_drop(struct sock *sk,
++                                      struct request_sock *req,
++                                      bool from_timer)
+ {
+       bool unlinked = reqsk_queue_unlink(req);
++      if (!from_timer && timer_delete_sync(&req->rsk_timer))
++              reqsk_put(req);
++
+       if (unlinked) {
+               reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req);
+               reqsk_put(req);
+       }
++
+       return unlinked;
+ }
++
++bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req)
++{
++      return __inet_csk_reqsk_queue_drop(sk, req, false);
++}
+ EXPORT_SYMBOL(inet_csk_reqsk_queue_drop);
+ void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req)
+@@ -1087,7 +1097,7 @@ static void reqsk_timer_handler(struct timer_list *t)
+               if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) {
+                       /* delete timer */
+-                      inet_csk_reqsk_queue_drop(sk_listener, nreq);
++                      __inet_csk_reqsk_queue_drop(sk_listener, nreq, true);
+                       goto no_ownership;
+               }
+@@ -1113,7 +1123,8 @@ static void reqsk_timer_handler(struct timer_list *t)
+       }
+ drop:
+-      inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq);
++      __inet_csk_reqsk_queue_drop(sk_listener, oreq, true);
++      reqsk_put(req);
+ }
+ static bool reqsk_queue_hash_req(struct request_sock *req,
+-- 
+2.43.0
+
diff --git a/queue-6.6/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch b/queue-6.6/usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch
new file mode 100644 (file)
index 0000000..730756b
--- /dev/null
@@ -0,0 +1,111 @@
+From 7424de57ecea906d4e6e15ac9aeb2fc78939fedd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 13:53:24 +0300
+Subject: usb: dwc3: core: Fix system suspend on TI AM62 platforms
+
+From: Roger Quadros <rogerq@kernel.org>
+
+[ Upstream commit 705e3ce37bccdf2ed6f848356ff355f480d51a91 ]
+
+Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"),
+system suspend is broken on AM62 TI platforms.
+
+Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY
+bits (hence forth called 2 SUSPHY bits) were being set during core
+initialization and even during core re-initialization after a system
+suspend/resume.
+
+These bits are required to be set for system suspend/resume to work correctly
+on AM62 platforms.
+
+Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget
+driver is not loaded and started.
+For Host mode, the 2 SUSPHY bits are set before the first system suspend but
+get cleared at system resume during core re-init and are never set again.
+
+This patch resovles these two issues by ensuring the 2 SUSPHY bits are set
+before system suspend and restored to the original state during system resume.
+
+Cc: stable@vger.kernel.org # v6.9+
+Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init")
+Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Tested-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 19 +++++++++++++++++++
+ drivers/usb/dwc3/core.h |  3 +++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index af851e4e8c8a7..8cbe19574bbcb 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -2106,6 +2106,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+ {
+       u32 reg;
++      dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) &
++                          DWC3_GUSB2PHYCFG_SUSPHY) ||
++                          (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) &
++                          DWC3_GUSB3PIPECTL_SUSPHY);
++
+       switch (dwc->current_dr_role) {
+       case DWC3_GCTL_PRTCAP_DEVICE:
+               if (pm_runtime_suspended(dwc->dev))
+@@ -2153,6 +2158,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+               break;
+       }
++      if (!PMSG_IS_AUTO(msg)) {
++              /*
++               * TI AM62 platform requires SUSPHY to be
++               * enabled for system suspend to work.
++               */
++              if (!dwc->susphy_state)
++                      dwc3_enable_susphy(dwc, true);
++      }
++
+       return 0;
+ }
+@@ -2215,6 +2229,11 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg)
+               break;
+       }
++      if (!PMSG_IS_AUTO(msg)) {
++              /* restore SUSPHY state to that before system suspend. */
++              dwc3_enable_susphy(dwc, dwc->susphy_state);
++      }
++
+       return 0;
+ }
+diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
+index 420753205fafa..3325796f3cb45 100644
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -1127,6 +1127,8 @@ struct dwc3_scratchpad_array {
+  * @sys_wakeup: set if the device may do system wakeup.
+  * @wakeup_configured: set if the device is configured for remote wakeup.
+  * @suspended: set to track suspend event due to U3/L2.
++ * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY
++ *              before PM suspend.
+  * @imod_interval: set the interrupt moderation interval in 250ns
+  *                    increments or 0 to disable.
+  * @max_cfg_eps: current max number of IN eps used across all USB configs.
+@@ -1351,6 +1353,7 @@ struct dwc3 {
+       unsigned                sys_wakeup:1;
+       unsigned                wakeup_configured:1;
+       unsigned                suspended:1;
++      unsigned                susphy_state:1;
+       u16                     imod_interval;
+-- 
+2.43.0
+
diff --git a/queue-6.6/usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch b/queue-6.6/usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch
new file mode 100644 (file)
index 0000000..f798599
--- /dev/null
@@ -0,0 +1,48 @@
+From 66102547c4f13d3f9412326241603124030423d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 15:25:53 +0100
+Subject: usb: gadget: f_uac2: fix non-newline-terminated function name
+
+From: John Keeping <jkeeping@inmusicbrands.com>
+
+[ Upstream commit e60284b63245b84c3ae352427ed5ff8b79266b91 ]
+
+Most writes to configfs handle an optional newline, but do not require
+it.  By using the number of bytes written as the limit for scnprintf()
+it is guaranteed that the final character in the buffer will be
+overwritten.
+
+This is expected if it is a newline but is undesirable when a string is
+written "as-is" (as libusbgx does, for example).
+
+Update the store function to strip an optional newline, matching the
+behaviour of usb_string_copy().
+
+Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
+Link: https://lore.kernel.org/r/20240708142553.3995022-1-jkeeping@inmusicbrands.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 9499327714de ("usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
+index 55a4f07bc9cc1..79d1f87c6cc59 100644
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -2060,7 +2060,10 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item,     \
+               goto end;                                               \
+       }                                                               \
+                                                                       \
+-      ret = scnprintf(opts->name, min(sizeof(opts->name), len),       \
++      if (len && page[len - 1] == '\n')                               \
++              len--;                                                  \
++                                                                      \
++      ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1),   \
+                       "%s", page);                                    \
+                                                                       \
+ end:                                                                  \
+-- 
+2.43.0
+
diff --git a/queue-6.6/usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch b/queue-6.6/usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch
new file mode 100644 (file)
index 0000000..cabf579
--- /dev/null
@@ -0,0 +1,58 @@
+From 5a42d949e31f2c7cfeffe28f267f29e590091080 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 19:26:31 -0400
+Subject: usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store
+
+From: Kevin Groeneveld <kgroeneveld@lenbrook.com>
+
+[ Upstream commit 9499327714de7bc5cf6c792112c1474932d8ad31 ]
+
+The configfs store callback should return the number of bytes consumed
+not the total number of bytes we actually stored. These could differ if
+for example the passed in string had a newline we did not store.
+
+If the returned value does not match the number of bytes written the
+writer might assume a failure or keep trying to write the remaining bytes.
+
+For example the following command will hang trying to write the final
+newline over and over again (tested on bash 2.05b):
+
+  echo foo > function_name
+
+Fixes: 993a44fa85c1 ("usb: gadget: f_uac2: allow changing interface name via configfs")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Kevin Groeneveld <kgroeneveld@lenbrook.com>
+Link: https://lore.kernel.org/r/20241006232637.4267-1-kgroeneveld@lenbrook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
+index 79d1f87c6cc59..b3dc5f5164f42 100644
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -2052,7 +2052,7 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item,      \
+                                         const char *page, size_t len) \
+ {                                                                     \
+       struct f_uac2_opts *opts = to_f_uac2_opts(item);                \
+-      int ret = 0;                                                    \
++      int ret = len;                                                  \
+                                                                       \
+       mutex_lock(&opts->lock);                                        \
+       if (opts->refcnt) {                                             \
+@@ -2063,8 +2063,8 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item,      \
+       if (len && page[len - 1] == '\n')                               \
+               len--;                                                  \
+                                                                       \
+-      ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1),   \
+-                      "%s", page);                                    \
++      scnprintf(opts->name, min(sizeof(opts->name), len + 1),         \
++                "%s", page);                                          \
+                                                                       \
+ end:                                                                  \
+       mutex_unlock(&opts->lock);                                      \
+-- 
+2.43.0
+
diff --git a/queue-6.6/usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch b/queue-6.6/usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch
new file mode 100644 (file)
index 0000000..91b13db
--- /dev/null
@@ -0,0 +1,68 @@
+From d4614c7cd1eb5e09e25fc61b47d17b6701c98b51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 16:42:32 +0000
+Subject: usb: gadget: f_uac2: Replace snprintf() with the safer scnprintf()
+ variant
+
+From: Lee Jones <lee@kernel.org>
+
+[ Upstream commit 60034e0aedf507888c4a880f57011bb7f5d7700c ]
+
+There is a general misunderstanding amongst engineers that {v}snprintf()
+returns the length of the data *actually* encoded into the destination
+array.  However, as per the C99 standard {v}snprintf() really returns
+the length of the data that *would have been* written if there were
+enough space for it.  This misunderstanding has led to buffer-overruns
+in the past.  It's generally considered safer to use the {v}scnprintf()
+variants in their place (or even sprintf() in simple cases).  So let's
+do that.
+
+Link: https://lwn.net/Articles/69419/
+Link: https://github.com/KSPP/linux/issues/105
+Cc: James Gruber <jimmyjgruber@gmail.com>
+Cc: Yadwinder Singh <yadi.brar01@gmail.com>
+Cc: Jaswinder Singh <jaswinder.singh@linaro.org>
+Cc: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20231213164246.1021885-4-lee@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 9499327714de ("usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
+index 0219cd79493a7..55a4f07bc9cc1 100644
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -2042,7 +2042,7 @@ static ssize_t f_uac2_opts_##name##_show(struct config_item *item,       \
+       int result;                                                     \
+                                                                       \
+       mutex_lock(&opts->lock);                                        \
+-      result = snprintf(page, sizeof(opts->name), "%s", opts->name);  \
++      result = scnprintf(page, sizeof(opts->name), "%s", opts->name); \
+       mutex_unlock(&opts->lock);                                      \
+                                                                       \
+       return result;                                                  \
+@@ -2060,7 +2060,7 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item,      \
+               goto end;                                               \
+       }                                                               \
+                                                                       \
+-      ret = snprintf(opts->name, min(sizeof(opts->name), len),        \
++      ret = scnprintf(opts->name, min(sizeof(opts->name), len),       \
+                       "%s", page);                                    \
+                                                                       \
+ end:                                                                  \
+@@ -2178,7 +2178,7 @@ static struct usb_function_instance *afunc_alloc_inst(void)
+       opts->req_number = UAC2_DEF_REQ_NUM;
+       opts->fb_max = FBACK_FAST_MAX;
+-      snprintf(opts->function_name, sizeof(opts->function_name), "Source/Sink");
++      scnprintf(opts->function_name, sizeof(opts->function_name), "Source/Sink");
+       return &opts->func_inst;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/usb-typec-altmode-should-keep-reference-to-parent.patch b/queue-6.6/usb-typec-altmode-should-keep-reference-to-parent.patch
new file mode 100644 (file)
index 0000000..f5159ac
--- /dev/null
@@ -0,0 +1,130 @@
+From e1c3f9214e9889e3135881d5346772204e6b6af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 09:37:38 -0300
+Subject: usb: typec: altmode should keep reference to parent
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ]
+
+The altmode device release refers to its parent device, but without keeping
+a reference to it.
+
+When registering the altmode, get a reference to the parent and put it in
+the release function.
+
+Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues
+like this:
+
+[   43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
+[   43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
+[   43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
+[   43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
+[   43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
+[   43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
+[   43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
+[   46.612867] ==================================================================
+[   46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
+[   46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
+[   46.614538]
+[   46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
+[   46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[   46.616042] Workqueue: events kobject_delayed_cleanup
+[   46.616446] Call Trace:
+[   46.616648]  <TASK>
+[   46.616820]  dump_stack_lvl+0x5b/0x7c
+[   46.617112]  ? typec_altmode_release+0x38/0x129
+[   46.617470]  print_report+0x14c/0x49e
+[   46.617769]  ? rcu_read_unlock_sched+0x56/0x69
+[   46.618117]  ? __virt_addr_valid+0x19a/0x1ab
+[   46.618456]  ? kmem_cache_debug_flags+0xc/0x1d
+[   46.618807]  ? typec_altmode_release+0x38/0x129
+[   46.619161]  kasan_report+0x8d/0xb4
+[   46.619447]  ? typec_altmode_release+0x38/0x129
+[   46.619809]  ? process_scheduled_works+0x3cb/0x85f
+[   46.620185]  typec_altmode_release+0x38/0x129
+[   46.620537]  ? process_scheduled_works+0x3cb/0x85f
+[   46.620907]  device_release+0xaf/0xf2
+[   46.621206]  kobject_delayed_cleanup+0x13b/0x17a
+[   46.621584]  process_scheduled_works+0x4f6/0x85f
+[   46.621955]  ? __pfx_process_scheduled_works+0x10/0x10
+[   46.622353]  ? hlock_class+0x31/0x9a
+[   46.622647]  ? lock_acquired+0x361/0x3c3
+[   46.622956]  ? move_linked_works+0x46/0x7d
+[   46.623277]  worker_thread+0x1ce/0x291
+[   46.623582]  ? __kthread_parkme+0xc8/0xdf
+[   46.623900]  ? __pfx_worker_thread+0x10/0x10
+[   46.624236]  kthread+0x17e/0x190
+[   46.624501]  ? kthread+0xfb/0x190
+[   46.624756]  ? __pfx_kthread+0x10/0x10
+[   46.625015]  ret_from_fork+0x20/0x40
+[   46.625268]  ? __pfx_kthread+0x10/0x10
+[   46.625532]  ret_from_fork_asm+0x1a/0x30
+[   46.625805]  </TASK>
+[   46.625953]
+[   46.626056] Allocated by task 678:
+[   46.626287]  kasan_save_stack+0x24/0x44
+[   46.626555]  kasan_save_track+0x14/0x2d
+[   46.626811]  __kasan_kmalloc+0x3f/0x4d
+[   46.627049]  __kmalloc_noprof+0x1bf/0x1f0
+[   46.627362]  typec_register_port+0x23/0x491
+[   46.627698]  cros_typec_probe+0x634/0xbb6
+[   46.628026]  platform_probe+0x47/0x8c
+[   46.628311]  really_probe+0x20a/0x47d
+[   46.628605]  device_driver_attach+0x39/0x72
+[   46.628940]  bind_store+0x87/0xd7
+[   46.629213]  kernfs_fop_write_iter+0x1aa/0x218
+[   46.629574]  vfs_write+0x1d6/0x29b
+[   46.629856]  ksys_write+0xcd/0x13b
+[   46.630128]  do_syscall_64+0xd4/0x139
+[   46.630420]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[   46.630820]
+[   46.630946] Freed by task 48:
+[   46.631182]  kasan_save_stack+0x24/0x44
+[   46.631493]  kasan_save_track+0x14/0x2d
+[   46.631799]  kasan_save_free_info+0x3f/0x4d
+[   46.632144]  __kasan_slab_free+0x37/0x45
+[   46.632474]  kfree+0x1d4/0x252
+[   46.632725]  device_release+0xaf/0xf2
+[   46.633017]  kobject_delayed_cleanup+0x13b/0x17a
+[   46.633388]  process_scheduled_works+0x4f6/0x85f
+[   46.633764]  worker_thread+0x1ce/0x291
+[   46.634065]  kthread+0x17e/0x190
+[   46.634324]  ret_from_fork+0x20/0x40
+[   46.634621]  ret_from_fork_asm+0x1a/0x30
+
+Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/class.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
+index f92fc2acfcba0..79cad8d61dacd 100644
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -502,6 +502,7 @@ static void typec_altmode_release(struct device *dev)
+               typec_altmode_put_partner(alt);
+       altmode_id_remove(alt->adev.dev.parent, alt->id);
++      put_device(alt->adev.dev.parent);
+       kfree(alt);
+ }
+@@ -551,6 +552,8 @@ typec_register_altmode(struct device *parent,
+       alt->adev.dev.type = &typec_altmode_dev_type;
+       dev_set_name(&alt->adev.dev, "%s.%u", dev_name(parent), id);
++      get_device(alt->adev.dev.parent);
++
+       /* Link partners and plugs with the ports */
+       if (!is_port)
+               typec_altmode_set_partner(alt);
+-- 
+2.43.0
+
diff --git a/queue-6.6/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch b/queue-6.6/vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch
new file mode 100644 (file)
index 0000000..8a21410
--- /dev/null
@@ -0,0 +1,64 @@
+From a8854db35f7526b0b3fe20199a6321a82c3a7e7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 21:03:11 +0200
+Subject: vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 4678adf94da4a9e9683817b246b58ce15fb81782 ]
+
+Andrew and Nikolay reported connectivity issues with Cilium's service
+load-balancing in case of vmxnet3.
+
+If a BPF program for native XDP adds an encapsulation header such as
+IPIP and transmits the packet out the same interface, then in case
+of vmxnet3 a corrupted packet is being sent and subsequently dropped
+on the path.
+
+vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp()
+through vmxnet3_xdp_xmit_back() calculates an incorrect DMA address:
+
+  page = virt_to_page(xdpf->data);
+  tbi->dma_addr = page_pool_get_dma_addr(page) +
+                  VMXNET3_XDP_HEADROOM;
+  dma_sync_single_for_device(&adapter->pdev->dev,
+                             tbi->dma_addr, buf_size,
+                             DMA_TO_DEVICE);
+
+The above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP
+BPF program could have moved xdp->data. While the passed buf_size is
+correct (xdpf->len), the dma_addr needs to have a dynamic offset which
+can be calculated as xdpf->data - (void *)xdpf, that is, xdp->data -
+xdp->data_hard_start.
+
+Fixes: 54f00cce1178 ("vmxnet3: Add XDP support.")
+Reported-by: Andrew Sauber <andrew.sauber@isovalent.com>
+Reported-by: Nikolay Nikolaev <nikolay.nikolaev@isovalent.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Nikolay Nikolaev <nikolay.nikolaev@isovalent.com>
+Acked-by: Anton Protopopov <aspsk@isovalent.com>
+Cc: William Tu <witu@nvidia.com>
+Cc: Ronak Doshi <ronak.doshi@broadcom.com>
+Link: https://patch.msgid.link/a0888656d7f09028f9984498cc698bb5364d89fc.1728931137.git.daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_xdp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_xdp.c b/drivers/net/vmxnet3/vmxnet3_xdp.c
+index a6c787454a1ae..1341374a4588a 100644
+--- a/drivers/net/vmxnet3/vmxnet3_xdp.c
++++ b/drivers/net/vmxnet3/vmxnet3_xdp.c
+@@ -148,7 +148,7 @@ vmxnet3_xdp_xmit_frame(struct vmxnet3_adapter *adapter,
+       } else { /* XDP buffer from page pool */
+               page = virt_to_page(xdpf->data);
+               tbi->dma_addr = page_pool_get_dma_addr(page) +
+-                              VMXNET3_XDP_HEADROOM;
++                              (xdpf->data - (void *)xdpf);
+               dma_sync_single_for_device(&adapter->pdev->dev,
+                                          tbi->dma_addr, buf_size,
+                                          DMA_TO_DEVICE);
+-- 
+2.43.0
+
diff --git a/queue-6.6/vsock-update-msg_count-on-read_skb.patch b/queue-6.6/vsock-update-msg_count-on-read_skb.patch
new file mode 100644 (file)
index 0000000..3b6f531
--- /dev/null
@@ -0,0 +1,40 @@
+From f8608ae0fff5c2f60d60d1f2676ba4b9367b34ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 18:26:41 +0200
+Subject: vsock: Update msg_count on read_skb()
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 6dafde852df8de3617d4b9f835b629aaeaccd01d ]
+
+Dequeuing via vsock_transport::read_skb() left msg_count outdated, which
+then confused SOCK_SEQPACKET recv(). Decrease the counter.
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-3-d6577bbfe742@rbox.co
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index 072878012b51e..78b5f4f8808b9 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1524,6 +1524,9 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto
+       }
+       hdr = virtio_vsock_hdr(skb);
++      if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SEQ_EOM)
++              vvs->msg_count--;
++
+       virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len));
+       spin_unlock_bh(&vvs->rx_lock);
+-- 
+2.43.0
+
diff --git a/queue-6.6/vsock-update-rx_bytes-on-read_skb.patch b/queue-6.6/vsock-update-rx_bytes-on-read_skb.patch
new file mode 100644 (file)
index 0000000..72695e4
--- /dev/null
@@ -0,0 +1,68 @@
+From 0883d1310735592f4f1d3b035c845a0ccc5cd707 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 18:26:40 +0200
+Subject: vsock: Update rx_bytes on read_skb()
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 3543152f2d330141d9394d28855cb90b860091d2 ]
+
+Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt()
+calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after
+vsock_transport::read_skb().
+
+While here, also inform the peer that we've freed up space and it has more
+credit.
+
+Failing to update rx_bytes after packet is dequeued leads to a warning on
+SOCK_STREAM recv():
+
+[  233.396654] rx_queue is empty, but rx_bytes is non-zero
+[  233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-2-d6577bbfe742@rbox.co
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index e87fd9480acda..072878012b51e 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1508,6 +1508,7 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto
+ {
+       struct virtio_vsock_sock *vvs = vsk->trans;
+       struct sock *sk = sk_vsock(vsk);
++      struct virtio_vsock_hdr *hdr;
+       struct sk_buff *skb;
+       int off = 0;
+       int err;
+@@ -1517,10 +1518,16 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto
+        * works for types other than dgrams.
+        */
+       skb = __skb_recv_datagram(sk, &vvs->rx_queue, MSG_DONTWAIT, &off, &err);
++      if (!skb) {
++              spin_unlock_bh(&vvs->rx_lock);
++              return err;
++      }
++
++      hdr = virtio_vsock_hdr(skb);
++      virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len));
+       spin_unlock_bh(&vvs->rx_lock);
+-      if (!skb)
+-              return err;
++      virtio_transport_send_credit_update(vsk);
+       return recv_actor(sk, skb);
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch b/queue-6.6/x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch
new file mode 100644 (file)
index 0000000..8beb7d8
--- /dev/null
@@ -0,0 +1,102 @@
+From 8a00844fe54ac475f532cd0547677cb95caf6ca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 13:43:56 +0200
+Subject: x86/resctrl: Avoid overflow in MB settings in bw_validate()
+
+From: Martin Kletzander <nert.pinx@gmail.com>
+
+[ Upstream commit 2b5648416e47933939dc310c4ea1e29404f35630 ]
+
+The resctrl schemata file supports specifying memory bandwidth associated with
+the Memory Bandwidth Allocation (MBA) feature via a percentage (this is the
+default) or bandwidth in MiBps (when resctrl is mounted with the "mba_MBps"
+option).
+
+The allowed range for the bandwidth percentage is from
+/sys/fs/resctrl/info/MB/min_bandwidth to 100, using a granularity of
+/sys/fs/resctrl/info/MB/bandwidth_gran. The supported range for the MiBps
+bandwidth is 0 to U32_MAX.
+
+There are two issues with parsing of MiBps memory bandwidth:
+
+* The user provided MiBps is mistakenly rounded up to the granularity
+  that is unique to percentage input.
+
+* The user provided MiBps is parsed using unsigned long (thus accepting
+  values up to ULONG_MAX), and then assigned to u32 that could result in
+  overflow.
+
+Do not round up the MiBps value and parse user provided bandwidth as the u32
+it is intended to be. Use the appropriate kstrtou32() that can detect out of
+range values.
+
+Fixes: 8205a078ba78 ("x86/intel_rdt/mba_sc: Add schemata support")
+Fixes: 6ce1560d35f6 ("x86/resctrl: Switch over to the resctrl mbps_val list")
+Co-developed-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Martin Kletzander <nert.pinx@gmail.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
+index b44c487727d45..a701e7921ea5c 100644
+--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
++++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
+@@ -27,10 +27,10 @@
+  * hardware. The allocated bandwidth percentage is rounded to the next
+  * control step available on the hardware.
+  */
+-static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r)
++static bool bw_validate(char *buf, u32 *data, struct rdt_resource *r)
+ {
+-      unsigned long bw;
+       int ret;
++      u32 bw;
+       /*
+        * Only linear delay values is supported for current Intel SKUs.
+@@ -40,16 +40,21 @@ static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r)
+               return false;
+       }
+-      ret = kstrtoul(buf, 10, &bw);
++      ret = kstrtou32(buf, 10, &bw);
+       if (ret) {
+-              rdt_last_cmd_printf("Non-decimal digit in MB value %s\n", buf);
++              rdt_last_cmd_printf("Invalid MB value %s\n", buf);
+               return false;
+       }
+-      if ((bw < r->membw.min_bw || bw > r->default_ctrl) &&
+-          !is_mba_sc(r)) {
+-              rdt_last_cmd_printf("MB value %ld out of range [%d,%d]\n", bw,
+-                                  r->membw.min_bw, r->default_ctrl);
++      /* Nothing else to do if software controller is enabled. */
++      if (is_mba_sc(r)) {
++              *data = bw;
++              return true;
++      }
++
++      if (bw < r->membw.min_bw || bw > r->default_ctrl) {
++              rdt_last_cmd_printf("MB value %u out of range [%d,%d]\n",
++                                  bw, r->membw.min_bw, r->default_ctrl);
+               return false;
+       }
+@@ -63,7 +68,7 @@ int parse_bw(struct rdt_parse_data *data, struct resctrl_schema *s,
+       struct resctrl_staged_config *cfg;
+       u32 closid = data->rdtgrp->closid;
+       struct rdt_resource *r = s->res;
+-      unsigned long bw_val;
++      u32 bw_val;
+       cfg = &d->staged_config[s->conf_type];
+       if (cfg->have_new_ctrl) {
+-- 
+2.43.0
+
diff --git a/queue-6.6/xhci-dbc-honor-usb-transfer-size-boundaries.patch b/queue-6.6/xhci-dbc-honor-usb-transfer-size-boundaries.patch
new file mode 100644 (file)
index 0000000..61c8f57
--- /dev/null
@@ -0,0 +1,149 @@
+From deaef71ec0891952ff491629f52bfcdc27a988d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 17:00:00 +0300
+Subject: xhci: dbc: honor usb transfer size boundaries.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 30c9ae5ece8ecd69d36e6912c2c0896418f2468c ]
+
+Treat each completed full size write to /dev/ttyDBC0 as a separate usb
+transfer. Make sure the size of the TRBs matches the size of the tty
+write by first queuing as many max packet size TRBs as possible up to
+the last TRB which will be cut short to match the size of the tty write.
+
+This solves an issue where userspace writes several transfers back to
+back via /dev/ttyDBC0 into a kfifo before dbgtty can find available
+request to turn that kfifo data into TRBs on the transfer ring.
+
+The boundary between transfer was lost as xhci-dbgtty then turned
+everyting in the kfifo into as many 'max packet size' TRBs as possible.
+
+DbC would then send more data to the host than intended for that
+transfer, causing host to issue a babble error.
+
+Refuse to write more data to kfifo until previous tty write data is
+turned into properly sized TRBs with data size boundaries matching tty
+write size
+
+Tested-by: Uday M Bhat <uday.m.bhat@intel.com>
+Tested-by: Łukasz Bartosik <ukaszb@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20241016140000.783905-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-dbgcap.h |  1 +
+ drivers/usb/host/xhci-dbgtty.c | 55 ++++++++++++++++++++++++++++++----
+ 2 files changed, 51 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h
+index 54fafebb7bd1f..76170d7a7e7c3 100644
+--- a/drivers/usb/host/xhci-dbgcap.h
++++ b/drivers/usb/host/xhci-dbgcap.h
+@@ -108,6 +108,7 @@ struct dbc_port {
+       struct tasklet_struct           push;
+       struct list_head                write_pool;
++      unsigned int                    tx_boundary;
+       bool                            registered;
+ };
+diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c
+index 881f5a7e6e0e1..0266c2f5bc0d8 100644
+--- a/drivers/usb/host/xhci-dbgtty.c
++++ b/drivers/usb/host/xhci-dbgtty.c
+@@ -24,6 +24,29 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc)
+       return dbc->priv;
+ }
++static unsigned int
++dbc_kfifo_to_req(struct dbc_port *port, char *packet)
++{
++      unsigned int    len;
++
++      len = kfifo_len(&port->port.xmit_fifo);
++
++      if (len == 0)
++              return 0;
++
++      len = min(len, DBC_MAX_PACKET);
++
++      if (port->tx_boundary)
++              len = min(port->tx_boundary, len);
++
++      len = kfifo_out(&port->port.xmit_fifo, packet, len);
++
++      if (port->tx_boundary)
++              port->tx_boundary -= len;
++
++      return len;
++}
++
+ static int dbc_start_tx(struct dbc_port *port)
+       __releases(&port->port_lock)
+       __acquires(&port->port_lock)
+@@ -36,7 +59,7 @@ static int dbc_start_tx(struct dbc_port *port)
+       while (!list_empty(pool)) {
+               req = list_entry(pool->next, struct dbc_request, list_pool);
+-              len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET);
++              len = dbc_kfifo_to_req(port, req->buf);
+               if (len == 0)
+                       break;
+               do_tty_wake = true;
+@@ -200,14 +223,32 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf,
+ {
+       struct dbc_port         *port = tty->driver_data;
+       unsigned long           flags;
++      unsigned int            written = 0;
+       spin_lock_irqsave(&port->port_lock, flags);
+-      if (count)
+-              count = kfifo_in(&port->port.xmit_fifo, buf, count);
+-      dbc_start_tx(port);
++
++      /*
++       * Treat tty write as one usb transfer. Make sure the writes are turned
++       * into TRB request having the same size boundaries as the tty writes.
++       * Don't add data to kfifo before previous write is turned into TRBs
++       */
++      if (port->tx_boundary) {
++              spin_unlock_irqrestore(&port->port_lock, flags);
++              return 0;
++      }
++
++      if (count) {
++              written = kfifo_in(&port->port.xmit_fifo, buf, count);
++
++              if (written == count)
++                      port->tx_boundary = kfifo_len(&port->port.xmit_fifo);
++
++              dbc_start_tx(port);
++      }
++
+       spin_unlock_irqrestore(&port->port_lock, flags);
+-      return count;
++      return written;
+ }
+ static int dbc_tty_put_char(struct tty_struct *tty, u8 ch)
+@@ -241,6 +282,10 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty)
+       spin_lock_irqsave(&port->port_lock, flags);
+       room = kfifo_avail(&port->port.xmit_fifo);
++
++      if (port->tx_boundary)
++              room = 0;
++
+       spin_unlock_irqrestore(&port->port_lock, flags);
+       return room;
+-- 
+2.43.0
+
diff --git a/queue-6.6/xhci-dbgtty-remove-kfifo_out-wrapper.patch b/queue-6.6/xhci-dbgtty-remove-kfifo_out-wrapper.patch
new file mode 100644 (file)
index 0000000..c49bd10
--- /dev/null
@@ -0,0 +1,61 @@
+From 1bbfed58a2bb2afe9acd6c7ad988f44a748fce99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Aug 2024 12:35:40 +0200
+Subject: xhci: dbgtty: remove kfifo_out() wrapper
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit 2b217514436744dd98c4d9fa48d60610f9f67d61 ]
+
+There is no need to check against kfifo_len() before kfifo_out(). Just
+ask the latter for data and it tells how much it retrieved. Or returns 0
+in case there are no more.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Cc: Mathias Nyman <mathias.nyman@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Link: https://lore.kernel.org/r/20240808103549.429349-5-jirislaby@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 30c9ae5ece8e ("xhci: dbc: honor usb transfer size boundaries.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-dbgtty.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c
+index b74e98e943932..64ea964949975 100644
+--- a/drivers/usb/host/xhci-dbgtty.c
++++ b/drivers/usb/host/xhci-dbgtty.c
+@@ -24,19 +24,6 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc)
+       return dbc->priv;
+ }
+-static unsigned int
+-dbc_send_packet(struct dbc_port *port, char *packet, unsigned int size)
+-{
+-      unsigned int            len;
+-
+-      len = kfifo_len(&port->write_fifo);
+-      if (len < size)
+-              size = len;
+-      if (size != 0)
+-              size = kfifo_out(&port->write_fifo, packet, size);
+-      return size;
+-}
+-
+ static int dbc_start_tx(struct dbc_port *port)
+       __releases(&port->port_lock)
+       __acquires(&port->port_lock)
+@@ -49,7 +36,7 @@ static int dbc_start_tx(struct dbc_port *port)
+       while (!list_empty(pool)) {
+               req = list_entry(pool->next, struct dbc_request, list_pool);
+-              len = dbc_send_packet(port, req->buf, DBC_MAX_PACKET);
++              len = kfifo_out(&port->write_fifo, req->buf, DBC_MAX_PACKET);
+               if (len == 0)
+                       break;
+               do_tty_wake = true;
+-- 
+2.43.0
+
diff --git a/queue-6.6/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch b/queue-6.6/xhci-dbgtty-use-kfifo-from-tty_port-struct.patch
new file mode 100644 (file)
index 0000000..7c8eb08
--- /dev/null
@@ -0,0 +1,117 @@
+From 050f69ebb8cc84a3e85919ffdbc7c4bcfb5ed0fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Aug 2024 12:35:41 +0200
+Subject: xhci: dbgtty: use kfifo from tty_port struct
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit 866025f0237609532bc8e4af5ef4d7252d3b55b6 ]
+
+There is no need to define one in a custom structure. The tty_port one
+is free to use.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Cc: Mathias Nyman <mathias.nyman@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Link: https://lore.kernel.org/r/20240808103549.429349-6-jirislaby@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 30c9ae5ece8e ("xhci: dbc: honor usb transfer size boundaries.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-dbgcap.h |  1 -
+ drivers/usb/host/xhci-dbgtty.c | 17 +++++++++--------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h
+index 51a7ab3ba0cac..54fafebb7bd1f 100644
+--- a/drivers/usb/host/xhci-dbgcap.h
++++ b/drivers/usb/host/xhci-dbgcap.h
+@@ -108,7 +108,6 @@ struct dbc_port {
+       struct tasklet_struct           push;
+       struct list_head                write_pool;
+-      struct kfifo                    write_fifo;
+       bool                            registered;
+ };
+diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c
+index 64ea964949975..881f5a7e6e0e1 100644
+--- a/drivers/usb/host/xhci-dbgtty.c
++++ b/drivers/usb/host/xhci-dbgtty.c
+@@ -36,7 +36,7 @@ static int dbc_start_tx(struct dbc_port *port)
+       while (!list_empty(pool)) {
+               req = list_entry(pool->next, struct dbc_request, list_pool);
+-              len = kfifo_out(&port->write_fifo, req->buf, DBC_MAX_PACKET);
++              len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET);
+               if (len == 0)
+                       break;
+               do_tty_wake = true;
+@@ -203,7 +203,7 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf,
+       spin_lock_irqsave(&port->port_lock, flags);
+       if (count)
+-              count = kfifo_in(&port->write_fifo, buf, count);
++              count = kfifo_in(&port->port.xmit_fifo, buf, count);
+       dbc_start_tx(port);
+       spin_unlock_irqrestore(&port->port_lock, flags);
+@@ -217,7 +217,7 @@ static int dbc_tty_put_char(struct tty_struct *tty, u8 ch)
+       int                     status;
+       spin_lock_irqsave(&port->port_lock, flags);
+-      status = kfifo_put(&port->write_fifo, ch);
++      status = kfifo_put(&port->port.xmit_fifo, ch);
+       spin_unlock_irqrestore(&port->port_lock, flags);
+       return status;
+@@ -240,7 +240,7 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty)
+       unsigned int            room;
+       spin_lock_irqsave(&port->port_lock, flags);
+-      room = kfifo_avail(&port->write_fifo);
++      room = kfifo_avail(&port->port.xmit_fifo);
+       spin_unlock_irqrestore(&port->port_lock, flags);
+       return room;
+@@ -253,7 +253,7 @@ static unsigned int dbc_tty_chars_in_buffer(struct tty_struct *tty)
+       unsigned int            chars;
+       spin_lock_irqsave(&port->port_lock, flags);
+-      chars = kfifo_len(&port->write_fifo);
++      chars = kfifo_len(&port->port.xmit_fifo);
+       spin_unlock_irqrestore(&port->port_lock, flags);
+       return chars;
+@@ -411,7 +411,8 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc)
+               goto err_idr;
+       }
+-      ret = kfifo_alloc(&port->write_fifo, DBC_WRITE_BUF_SIZE, GFP_KERNEL);
++      ret = kfifo_alloc(&port->port.xmit_fifo, DBC_WRITE_BUF_SIZE,
++                        GFP_KERNEL);
+       if (ret)
+               goto err_exit_port;
+@@ -440,7 +441,7 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc)
+       xhci_dbc_free_requests(&port->read_pool);
+       xhci_dbc_free_requests(&port->write_pool);
+ err_free_fifo:
+-      kfifo_free(&port->write_fifo);
++      kfifo_free(&port->port.xmit_fifo);
+ err_exit_port:
+       idr_remove(&dbc_tty_minors, port->minor);
+ err_idr:
+@@ -465,7 +466,7 @@ static void xhci_dbc_tty_unregister_device(struct xhci_dbc *dbc)
+       idr_remove(&dbc_tty_minors, port->minor);
+       mutex_unlock(&dbc_tty_minors_lock);
+-      kfifo_free(&port->write_fifo);
++      kfifo_free(&port->port.xmit_fifo);
+       xhci_dbc_free_requests(&port->read_pool);
+       xhci_dbc_free_requests(&port->read_queue);
+       xhci_dbc_free_requests(&port->write_pool);
+-- 
+2.43.0
+
diff --git a/queue-6.6/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch b/queue-6.6/xhci-separate-port-and-caps-macros-into-dedicated-fi.patch
new file mode 100644 (file)
index 0000000..3aa38c4
--- /dev/null
@@ -0,0 +1,589 @@
+From 852baa08d7eded220a2788d9eef267a14782a3aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 10:25:23 -0500
+Subject: XHCI: Separate PORT and CAPs macros into dedicated file
+
+From: Frank Li <Frank.Li@nxp.com>
+
+[ Upstream commit c35ba0ac48355df1d11fcce85945f76c42d250ac ]
+
+Split the PORT and CAPs macro definitions into a separate file to
+facilitate sharing with other files without the need to include the entire
+xhci.h.
+
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240124152525.3910311-2-Frank.Li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-caps.h |  85 ++++++++++++
+ drivers/usb/host/xhci-port.h | 176 +++++++++++++++++++++++
+ drivers/usb/host/xhci.h      | 262 +----------------------------------
+ 3 files changed, 264 insertions(+), 259 deletions(-)
+ create mode 100644 drivers/usb/host/xhci-caps.h
+ create mode 100644 drivers/usb/host/xhci-port.h
+
+diff --git a/drivers/usb/host/xhci-caps.h b/drivers/usb/host/xhci-caps.h
+new file mode 100644
+index 0000000000000..9e94cebf4a56d
+--- /dev/null
++++ b/drivers/usb/host/xhci-caps.h
+@@ -0,0 +1,85 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++
++/* hc_capbase bitmasks */
++/* bits 7:0 - how long is the Capabilities register */
++#define HC_LENGTH(p)          XHCI_HC_LENGTH(p)
++/* bits 31:16 */
++#define HC_VERSION(p)         (((p) >> 16) & 0xffff)
++
++/* HCSPARAMS1 - hcs_params1 - bitmasks */
++/* bits 0:7, Max Device Slots */
++#define HCS_MAX_SLOTS(p)      (((p) >> 0) & 0xff)
++#define HCS_SLOTS_MASK                0xff
++/* bits 8:18, Max Interrupters */
++#define HCS_MAX_INTRS(p)      (((p) >> 8) & 0x7ff)
++/* bits 24:31, Max Ports - max value is 0x7F = 127 ports */
++#define HCS_MAX_PORTS(p)      (((p) >> 24) & 0x7f)
++
++/* HCSPARAMS2 - hcs_params2 - bitmasks */
++/* bits 0:3, frames or uframes that SW needs to queue transactions
++ * ahead of the HW to meet periodic deadlines */
++#define HCS_IST(p)            (((p) >> 0) & 0xf)
++/* bits 4:7, max number of Event Ring segments */
++#define HCS_ERST_MAX(p)               (((p) >> 4) & 0xf)
++/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */
++/* bit 26 Scratchpad restore - for save/restore HW state - not used yet */
++/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */
++#define HCS_MAX_SCRATCHPAD(p)   ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f))
++
++/* HCSPARAMS3 - hcs_params3 - bitmasks */
++/* bits 0:7, Max U1 to U0 latency for the roothub ports */
++#define HCS_U1_LATENCY(p)     (((p) >> 0) & 0xff)
++/* bits 16:31, Max U2 to U0 latency for the roothub ports */
++#define HCS_U2_LATENCY(p)     (((p) >> 16) & 0xffff)
++
++/* HCCPARAMS - hcc_params - bitmasks */
++/* true: HC can use 64-bit address pointers */
++#define HCC_64BIT_ADDR(p)     ((p) & (1 << 0))
++/* true: HC can do bandwidth negotiation */
++#define HCC_BANDWIDTH_NEG(p)  ((p) & (1 << 1))
++/* true: HC uses 64-byte Device Context structures
++ * FIXME 64-byte context structures aren't supported yet.
++ */
++#define HCC_64BYTE_CONTEXT(p) ((p) & (1 << 2))
++/* true: HC has port power switches */
++#define HCC_PPC(p)            ((p) & (1 << 3))
++/* true: HC has port indicators */
++#define HCS_INDICATOR(p)      ((p) & (1 << 4))
++/* true: HC has Light HC Reset Capability */
++#define HCC_LIGHT_RESET(p)    ((p) & (1 << 5))
++/* true: HC supports latency tolerance messaging */
++#define HCC_LTC(p)            ((p) & (1 << 6))
++/* true: no secondary Stream ID Support */
++#define HCC_NSS(p)            ((p) & (1 << 7))
++/* true: HC supports Stopped - Short Packet */
++#define HCC_SPC(p)            ((p) & (1 << 9))
++/* true: HC has Contiguous Frame ID Capability */
++#define HCC_CFC(p)            ((p) & (1 << 11))
++/* Max size for Primary Stream Arrays - 2^(n+1), where n is bits 12:15 */
++#define HCC_MAX_PSA(p)                (1 << ((((p) >> 12) & 0xf) + 1))
++/* Extended Capabilities pointer from PCI base - section 5.3.6 */
++#define HCC_EXT_CAPS(p)               XHCI_HCC_EXT_CAPS(p)
++
++#define CTX_SIZE(_hcc)                (HCC_64BYTE_CONTEXT(_hcc) ? 64 : 32)
++
++/* db_off bitmask - bits 0:1 reserved */
++#define       DBOFF_MASK      (~0x3)
++
++/* run_regs_off bitmask - bits 0:4 reserved */
++#define       RTSOFF_MASK     (~0x1f)
++
++/* HCCPARAMS2 - hcc_params2 - bitmasks */
++/* true: HC supports U3 entry Capability */
++#define       HCC2_U3C(p)             ((p) & (1 << 0))
++/* true: HC supports Configure endpoint command Max exit latency too large */
++#define       HCC2_CMC(p)             ((p) & (1 << 1))
++/* true: HC supports Force Save context Capability */
++#define       HCC2_FSC(p)             ((p) & (1 << 2))
++/* true: HC supports Compliance Transition Capability */
++#define       HCC2_CTC(p)             ((p) & (1 << 3))
++/* true: HC support Large ESIT payload Capability > 48k */
++#define       HCC2_LEC(p)             ((p) & (1 << 4))
++/* true: HC support Configuration Information Capability */
++#define       HCC2_CIC(p)             ((p) & (1 << 5))
++/* true: HC support Extended TBC Capability, Isoc burst count > 65535 */
++#define       HCC2_ETC(p)             ((p) & (1 << 6))
+diff --git a/drivers/usb/host/xhci-port.h b/drivers/usb/host/xhci-port.h
+new file mode 100644
+index 0000000000000..f19efb966d180
+--- /dev/null
++++ b/drivers/usb/host/xhci-port.h
+@@ -0,0 +1,176 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++
++/* PORTSC - Port Status and Control Register - port_status_base bitmasks */
++/* true: device connected */
++#define PORT_CONNECT  (1 << 0)
++/* true: port enabled */
++#define PORT_PE               (1 << 1)
++/* bit 2 reserved and zeroed */
++/* true: port has an over-current condition */
++#define PORT_OC               (1 << 3)
++/* true: port reset signaling asserted */
++#define PORT_RESET    (1 << 4)
++/* Port Link State - bits 5:8
++ * A read gives the current link PM state of the port,
++ * a write with Link State Write Strobe set sets the link state.
++ */
++#define PORT_PLS_MASK (0xf << 5)
++#define XDEV_U0               (0x0 << 5)
++#define XDEV_U1               (0x1 << 5)
++#define XDEV_U2               (0x2 << 5)
++#define XDEV_U3               (0x3 << 5)
++#define XDEV_DISABLED (0x4 << 5)
++#define XDEV_RXDETECT (0x5 << 5)
++#define XDEV_INACTIVE (0x6 << 5)
++#define XDEV_POLLING  (0x7 << 5)
++#define XDEV_RECOVERY (0x8 << 5)
++#define XDEV_HOT_RESET        (0x9 << 5)
++#define XDEV_COMP_MODE        (0xa << 5)
++#define XDEV_TEST_MODE        (0xb << 5)
++#define XDEV_RESUME   (0xf << 5)
++
++/* true: port has power (see HCC_PPC) */
++#define PORT_POWER    (1 << 9)
++/* bits 10:13 indicate device speed:
++ * 0 - undefined speed - port hasn't be initialized by a reset yet
++ * 1 - full speed
++ * 2 - low speed
++ * 3 - high speed
++ * 4 - super speed
++ * 5-15 reserved
++ */
++#define DEV_SPEED_MASK                (0xf << 10)
++#define       XDEV_FS                 (0x1 << 10)
++#define       XDEV_LS                 (0x2 << 10)
++#define       XDEV_HS                 (0x3 << 10)
++#define       XDEV_SS                 (0x4 << 10)
++#define       XDEV_SSP                (0x5 << 10)
++#define DEV_UNDEFSPEED(p)     (((p) & DEV_SPEED_MASK) == (0x0<<10))
++#define DEV_FULLSPEED(p)      (((p) & DEV_SPEED_MASK) == XDEV_FS)
++#define DEV_LOWSPEED(p)               (((p) & DEV_SPEED_MASK) == XDEV_LS)
++#define DEV_HIGHSPEED(p)      (((p) & DEV_SPEED_MASK) == XDEV_HS)
++#define DEV_SUPERSPEED(p)     (((p) & DEV_SPEED_MASK) == XDEV_SS)
++#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP)
++#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS)
++#define DEV_PORT_SPEED(p)     (((p) >> 10) & 0x0f)
++
++/* Bits 20:23 in the Slot Context are the speed for the device */
++#define       SLOT_SPEED_FS           (XDEV_FS << 10)
++#define       SLOT_SPEED_LS           (XDEV_LS << 10)
++#define       SLOT_SPEED_HS           (XDEV_HS << 10)
++#define       SLOT_SPEED_SS           (XDEV_SS << 10)
++#define       SLOT_SPEED_SSP          (XDEV_SSP << 10)
++/* Port Indicator Control */
++#define PORT_LED_OFF  (0 << 14)
++#define PORT_LED_AMBER        (1 << 14)
++#define PORT_LED_GREEN        (2 << 14)
++#define PORT_LED_MASK (3 << 14)
++/* Port Link State Write Strobe - set this when changing link state */
++#define PORT_LINK_STROBE      (1 << 16)
++/* true: connect status change */
++#define PORT_CSC      (1 << 17)
++/* true: port enable change */
++#define PORT_PEC      (1 << 18)
++/* true: warm reset for a USB 3.0 device is done.  A "hot" reset puts the port
++ * into an enabled state, and the device into the default state.  A "warm" reset
++ * also resets the link, forcing the device through the link training sequence.
++ * SW can also look at the Port Reset register to see when warm reset is done.
++ */
++#define PORT_WRC      (1 << 19)
++/* true: over-current change */
++#define PORT_OCC      (1 << 20)
++/* true: reset change - 1 to 0 transition of PORT_RESET */
++#define PORT_RC               (1 << 21)
++/* port link status change - set on some port link state transitions:
++ *  Transition                                Reason
++ *  ------------------------------------------------------------------------------
++ *  - U3 to Resume                    Wakeup signaling from a device
++ *  - Resume to Recovery to U0                USB 3.0 device resume
++ *  - Resume to U0                    USB 2.0 device resume
++ *  - U3 to Recovery to U0            Software resume of USB 3.0 device complete
++ *  - U3 to U0                                Software resume of USB 2.0 device complete
++ *  - U2 to U0                                L1 resume of USB 2.1 device complete
++ *  - U0 to U0 (???)                  L1 entry rejection by USB 2.1 device
++ *  - U0 to disabled                  L1 entry error with USB 2.1 device
++ *  - Any state to inactive           Error on USB 3.0 port
++ */
++#define PORT_PLC      (1 << 22)
++/* port configure error change - port failed to configure its link partner */
++#define PORT_CEC      (1 << 23)
++#define PORT_CHANGE_MASK      (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \
++                               PORT_RC | PORT_PLC | PORT_CEC)
++
++
++/* Cold Attach Status - xHC can set this bit to report device attached during
++ * Sx state. Warm port reset should be perfomed to clear this bit and move port
++ * to connected state.
++ */
++#define PORT_CAS      (1 << 24)
++/* wake on connect (enable) */
++#define PORT_WKCONN_E (1 << 25)
++/* wake on disconnect (enable) */
++#define PORT_WKDISC_E (1 << 26)
++/* wake on over-current (enable) */
++#define PORT_WKOC_E   (1 << 27)
++/* bits 28:29 reserved */
++/* true: device is non-removable - for USB 3.0 roothub emulation */
++#define PORT_DEV_REMOVE       (1 << 30)
++/* Initiate a warm port reset - complete when PORT_WRC is '1' */
++#define PORT_WR               (1 << 31)
++
++/* We mark duplicate entries with -1 */
++#define DUPLICATE_ENTRY ((u8)(-1))
++
++/* Port Power Management Status and Control - port_power_base bitmasks */
++/* Inactivity timer value for transitions into U1, in microseconds.
++ * Timeout can be up to 127us.  0xFF means an infinite timeout.
++ */
++#define PORT_U1_TIMEOUT(p)    ((p) & 0xff)
++#define PORT_U1_TIMEOUT_MASK  0xff
++/* Inactivity timer value for transitions into U2 */
++#define PORT_U2_TIMEOUT(p)    (((p) & 0xff) << 8)
++#define PORT_U2_TIMEOUT_MASK  (0xff << 8)
++/* Bits 24:31 for port testing */
++
++/* USB2 Protocol PORTSPMSC */
++#define       PORT_L1S_MASK           7
++#define       PORT_L1S_SUCCESS        1
++#define       PORT_RWE                (1 << 3)
++#define       PORT_HIRD(p)            (((p) & 0xf) << 4)
++#define       PORT_HIRD_MASK          (0xf << 4)
++#define       PORT_L1DS_MASK          (0xff << 8)
++#define       PORT_L1DS(p)            (((p) & 0xff) << 8)
++#define       PORT_HLE                (1 << 16)
++#define PORT_TEST_MODE_SHIFT  28
++
++/* USB3 Protocol PORTLI  Port Link Information */
++#define PORT_RX_LANES(p)      (((p) >> 16) & 0xf)
++#define PORT_TX_LANES(p)      (((p) >> 20) & 0xf)
++
++/* USB2 Protocol PORTHLPMC */
++#define PORT_HIRDM(p)((p) & 3)
++#define PORT_L1_TIMEOUT(p)(((p) & 0xff) << 2)
++#define PORT_BESLD(p)(((p) & 0xf) << 10)
++
++/* use 512 microseconds as USB2 LPM L1 default timeout. */
++#define XHCI_L1_TIMEOUT               512
++
++/* Set default HIRD/BESL value to 4 (350/400us) for USB2 L1 LPM resume latency.
++ * Safe to use with mixed HIRD and BESL systems (host and device) and is used
++ * by other operating systems.
++ *
++ * XHCI 1.0 errata 8/14/12 Table 13 notes:
++ * "Software should choose xHC BESL/BESLD field values that do not violate a
++ * device's resume latency requirements,
++ * e.g. not program values > '4' if BLC = '1' and a HIRD device is attached,
++ * or not program values < '4' if BLC = '0' and a BESL device is attached.
++ */
++#define XHCI_DEFAULT_BESL     4
++
++/*
++ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
++ * to complete link training. usually link trainig completes much faster
++ * so check status 10 times with 36ms sleep in places we need to wait for
++ * polling to complete.
++ */
++#define XHCI_PORT_POLLING_LFPS_TIME  36
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index 7754ed55d220b..f2190d121233b 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -23,6 +23,9 @@
+ #include      "xhci-ext-caps.h"
+ #include "pci-quirks.h"
++#include "xhci-port.h"
++#include "xhci-caps.h"
++
+ /* max buffer size for trace and debug messages */
+ #define XHCI_MSG_MAX          500
+@@ -63,90 +66,6 @@ struct xhci_cap_regs {
+       /* Reserved up to (CAPLENGTH - 0x1C) */
+ };
+-/* hc_capbase bitmasks */
+-/* bits 7:0 - how long is the Capabilities register */
+-#define HC_LENGTH(p)          XHCI_HC_LENGTH(p)
+-/* bits 31:16 */
+-#define HC_VERSION(p)         (((p) >> 16) & 0xffff)
+-
+-/* HCSPARAMS1 - hcs_params1 - bitmasks */
+-/* bits 0:7, Max Device Slots */
+-#define HCS_MAX_SLOTS(p)      (((p) >> 0) & 0xff)
+-#define HCS_SLOTS_MASK                0xff
+-/* bits 8:18, Max Interrupters */
+-#define HCS_MAX_INTRS(p)      (((p) >> 8) & 0x7ff)
+-/* bits 24:31, Max Ports - max value is 0x7F = 127 ports */
+-#define HCS_MAX_PORTS(p)      (((p) >> 24) & 0x7f)
+-
+-/* HCSPARAMS2 - hcs_params2 - bitmasks */
+-/* bits 0:3, frames or uframes that SW needs to queue transactions
+- * ahead of the HW to meet periodic deadlines */
+-#define HCS_IST(p)            (((p) >> 0) & 0xf)
+-/* bits 4:7, max number of Event Ring segments */
+-#define HCS_ERST_MAX(p)               (((p) >> 4) & 0xf)
+-/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */
+-/* bit 26 Scratchpad restore - for save/restore HW state - not used yet */
+-/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */
+-#define HCS_MAX_SCRATCHPAD(p)   ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f))
+-
+-/* HCSPARAMS3 - hcs_params3 - bitmasks */
+-/* bits 0:7, Max U1 to U0 latency for the roothub ports */
+-#define HCS_U1_LATENCY(p)     (((p) >> 0) & 0xff)
+-/* bits 16:31, Max U2 to U0 latency for the roothub ports */
+-#define HCS_U2_LATENCY(p)     (((p) >> 16) & 0xffff)
+-
+-/* HCCPARAMS - hcc_params - bitmasks */
+-/* true: HC can use 64-bit address pointers */
+-#define HCC_64BIT_ADDR(p)     ((p) & (1 << 0))
+-/* true: HC can do bandwidth negotiation */
+-#define HCC_BANDWIDTH_NEG(p)  ((p) & (1 << 1))
+-/* true: HC uses 64-byte Device Context structures
+- * FIXME 64-byte context structures aren't supported yet.
+- */
+-#define HCC_64BYTE_CONTEXT(p) ((p) & (1 << 2))
+-/* true: HC has port power switches */
+-#define HCC_PPC(p)            ((p) & (1 << 3))
+-/* true: HC has port indicators */
+-#define HCS_INDICATOR(p)      ((p) & (1 << 4))
+-/* true: HC has Light HC Reset Capability */
+-#define HCC_LIGHT_RESET(p)    ((p) & (1 << 5))
+-/* true: HC supports latency tolerance messaging */
+-#define HCC_LTC(p)            ((p) & (1 << 6))
+-/* true: no secondary Stream ID Support */
+-#define HCC_NSS(p)            ((p) & (1 << 7))
+-/* true: HC supports Stopped - Short Packet */
+-#define HCC_SPC(p)            ((p) & (1 << 9))
+-/* true: HC has Contiguous Frame ID Capability */
+-#define HCC_CFC(p)            ((p) & (1 << 11))
+-/* Max size for Primary Stream Arrays - 2^(n+1), where n is bits 12:15 */
+-#define HCC_MAX_PSA(p)                (1 << ((((p) >> 12) & 0xf) + 1))
+-/* Extended Capabilities pointer from PCI base - section 5.3.6 */
+-#define HCC_EXT_CAPS(p)               XHCI_HCC_EXT_CAPS(p)
+-
+-#define CTX_SIZE(_hcc)                (HCC_64BYTE_CONTEXT(_hcc) ? 64 : 32)
+-
+-/* db_off bitmask - bits 0:1 reserved */
+-#define       DBOFF_MASK      (~0x3)
+-
+-/* run_regs_off bitmask - bits 0:4 reserved */
+-#define       RTSOFF_MASK     (~0x1f)
+-
+-/* HCCPARAMS2 - hcc_params2 - bitmasks */
+-/* true: HC supports U3 entry Capability */
+-#define       HCC2_U3C(p)             ((p) & (1 << 0))
+-/* true: HC supports Configure endpoint command Max exit latency too large */
+-#define       HCC2_CMC(p)             ((p) & (1 << 1))
+-/* true: HC supports Force Save context Capability */
+-#define       HCC2_FSC(p)             ((p) & (1 << 2))
+-/* true: HC supports Compliance Transition Capability */
+-#define       HCC2_CTC(p)             ((p) & (1 << 3))
+-/* true: HC support Large ESIT payload Capability > 48k */
+-#define       HCC2_LEC(p)             ((p) & (1 << 4))
+-/* true: HC support Configuration Information Capability */
+-#define       HCC2_CIC(p)             ((p) & (1 << 5))
+-/* true: HC support Extended TBC Capability, Isoc burst count > 65535 */
+-#define       HCC2_ETC(p)             ((p) & (1 << 6))
+-
+ /* Number of registers per port */
+ #define       NUM_PORT_REGS   4
+@@ -292,181 +211,6 @@ struct xhci_op_regs {
+ #define CONFIG_CIE            (1 << 9)
+ /* bits 10:31 - reserved and should be preserved */
+-/* PORTSC - Port Status and Control Register - port_status_base bitmasks */
+-/* true: device connected */
+-#define PORT_CONNECT  (1 << 0)
+-/* true: port enabled */
+-#define PORT_PE               (1 << 1)
+-/* bit 2 reserved and zeroed */
+-/* true: port has an over-current condition */
+-#define PORT_OC               (1 << 3)
+-/* true: port reset signaling asserted */
+-#define PORT_RESET    (1 << 4)
+-/* Port Link State - bits 5:8
+- * A read gives the current link PM state of the port,
+- * a write with Link State Write Strobe set sets the link state.
+- */
+-#define PORT_PLS_MASK (0xf << 5)
+-#define XDEV_U0               (0x0 << 5)
+-#define XDEV_U1               (0x1 << 5)
+-#define XDEV_U2               (0x2 << 5)
+-#define XDEV_U3               (0x3 << 5)
+-#define XDEV_DISABLED (0x4 << 5)
+-#define XDEV_RXDETECT (0x5 << 5)
+-#define XDEV_INACTIVE (0x6 << 5)
+-#define XDEV_POLLING  (0x7 << 5)
+-#define XDEV_RECOVERY (0x8 << 5)
+-#define XDEV_HOT_RESET        (0x9 << 5)
+-#define XDEV_COMP_MODE        (0xa << 5)
+-#define XDEV_TEST_MODE        (0xb << 5)
+-#define XDEV_RESUME   (0xf << 5)
+-
+-/* true: port has power (see HCC_PPC) */
+-#define PORT_POWER    (1 << 9)
+-/* bits 10:13 indicate device speed:
+- * 0 - undefined speed - port hasn't be initialized by a reset yet
+- * 1 - full speed
+- * 2 - low speed
+- * 3 - high speed
+- * 4 - super speed
+- * 5-15 reserved
+- */
+-#define DEV_SPEED_MASK                (0xf << 10)
+-#define       XDEV_FS                 (0x1 << 10)
+-#define       XDEV_LS                 (0x2 << 10)
+-#define       XDEV_HS                 (0x3 << 10)
+-#define       XDEV_SS                 (0x4 << 10)
+-#define       XDEV_SSP                (0x5 << 10)
+-#define DEV_UNDEFSPEED(p)     (((p) & DEV_SPEED_MASK) == (0x0<<10))
+-#define DEV_FULLSPEED(p)      (((p) & DEV_SPEED_MASK) == XDEV_FS)
+-#define DEV_LOWSPEED(p)               (((p) & DEV_SPEED_MASK) == XDEV_LS)
+-#define DEV_HIGHSPEED(p)      (((p) & DEV_SPEED_MASK) == XDEV_HS)
+-#define DEV_SUPERSPEED(p)     (((p) & DEV_SPEED_MASK) == XDEV_SS)
+-#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP)
+-#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS)
+-#define DEV_PORT_SPEED(p)     (((p) >> 10) & 0x0f)
+-
+-/* Bits 20:23 in the Slot Context are the speed for the device */
+-#define       SLOT_SPEED_FS           (XDEV_FS << 10)
+-#define       SLOT_SPEED_LS           (XDEV_LS << 10)
+-#define       SLOT_SPEED_HS           (XDEV_HS << 10)
+-#define       SLOT_SPEED_SS           (XDEV_SS << 10)
+-#define       SLOT_SPEED_SSP          (XDEV_SSP << 10)
+-/* Port Indicator Control */
+-#define PORT_LED_OFF  (0 << 14)
+-#define PORT_LED_AMBER        (1 << 14)
+-#define PORT_LED_GREEN        (2 << 14)
+-#define PORT_LED_MASK (3 << 14)
+-/* Port Link State Write Strobe - set this when changing link state */
+-#define PORT_LINK_STROBE      (1 << 16)
+-/* true: connect status change */
+-#define PORT_CSC      (1 << 17)
+-/* true: port enable change */
+-#define PORT_PEC      (1 << 18)
+-/* true: warm reset for a USB 3.0 device is done.  A "hot" reset puts the port
+- * into an enabled state, and the device into the default state.  A "warm" reset
+- * also resets the link, forcing the device through the link training sequence.
+- * SW can also look at the Port Reset register to see when warm reset is done.
+- */
+-#define PORT_WRC      (1 << 19)
+-/* true: over-current change */
+-#define PORT_OCC      (1 << 20)
+-/* true: reset change - 1 to 0 transition of PORT_RESET */
+-#define PORT_RC               (1 << 21)
+-/* port link status change - set on some port link state transitions:
+- *  Transition                                Reason
+- *  ------------------------------------------------------------------------------
+- *  - U3 to Resume                    Wakeup signaling from a device
+- *  - Resume to Recovery to U0                USB 3.0 device resume
+- *  - Resume to U0                    USB 2.0 device resume
+- *  - U3 to Recovery to U0            Software resume of USB 3.0 device complete
+- *  - U3 to U0                                Software resume of USB 2.0 device complete
+- *  - U2 to U0                                L1 resume of USB 2.1 device complete
+- *  - U0 to U0 (???)                  L1 entry rejection by USB 2.1 device
+- *  - U0 to disabled                  L1 entry error with USB 2.1 device
+- *  - Any state to inactive           Error on USB 3.0 port
+- */
+-#define PORT_PLC      (1 << 22)
+-/* port configure error change - port failed to configure its link partner */
+-#define PORT_CEC      (1 << 23)
+-#define PORT_CHANGE_MASK      (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \
+-                               PORT_RC | PORT_PLC | PORT_CEC)
+-
+-
+-/* Cold Attach Status - xHC can set this bit to report device attached during
+- * Sx state. Warm port reset should be perfomed to clear this bit and move port
+- * to connected state.
+- */
+-#define PORT_CAS      (1 << 24)
+-/* wake on connect (enable) */
+-#define PORT_WKCONN_E (1 << 25)
+-/* wake on disconnect (enable) */
+-#define PORT_WKDISC_E (1 << 26)
+-/* wake on over-current (enable) */
+-#define PORT_WKOC_E   (1 << 27)
+-/* bits 28:29 reserved */
+-/* true: device is non-removable - for USB 3.0 roothub emulation */
+-#define PORT_DEV_REMOVE       (1 << 30)
+-/* Initiate a warm port reset - complete when PORT_WRC is '1' */
+-#define PORT_WR               (1 << 31)
+-
+-/* We mark duplicate entries with -1 */
+-#define DUPLICATE_ENTRY ((u8)(-1))
+-
+-/* Port Power Management Status and Control - port_power_base bitmasks */
+-/* Inactivity timer value for transitions into U1, in microseconds.
+- * Timeout can be up to 127us.  0xFF means an infinite timeout.
+- */
+-#define PORT_U1_TIMEOUT(p)    ((p) & 0xff)
+-#define PORT_U1_TIMEOUT_MASK  0xff
+-/* Inactivity timer value for transitions into U2 */
+-#define PORT_U2_TIMEOUT(p)    (((p) & 0xff) << 8)
+-#define PORT_U2_TIMEOUT_MASK  (0xff << 8)
+-/* Bits 24:31 for port testing */
+-
+-/* USB2 Protocol PORTSPMSC */
+-#define       PORT_L1S_MASK           7
+-#define       PORT_L1S_SUCCESS        1
+-#define       PORT_RWE                (1 << 3)
+-#define       PORT_HIRD(p)            (((p) & 0xf) << 4)
+-#define       PORT_HIRD_MASK          (0xf << 4)
+-#define       PORT_L1DS_MASK          (0xff << 8)
+-#define       PORT_L1DS(p)            (((p) & 0xff) << 8)
+-#define       PORT_HLE                (1 << 16)
+-#define PORT_TEST_MODE_SHIFT  28
+-
+-/* USB3 Protocol PORTLI  Port Link Information */
+-#define PORT_RX_LANES(p)      (((p) >> 16) & 0xf)
+-#define PORT_TX_LANES(p)      (((p) >> 20) & 0xf)
+-
+-/* USB2 Protocol PORTHLPMC */
+-#define PORT_HIRDM(p)((p) & 3)
+-#define PORT_L1_TIMEOUT(p)(((p) & 0xff) << 2)
+-#define PORT_BESLD(p)(((p) & 0xf) << 10)
+-
+-/* use 512 microseconds as USB2 LPM L1 default timeout. */
+-#define XHCI_L1_TIMEOUT               512
+-
+-/* Set default HIRD/BESL value to 4 (350/400us) for USB2 L1 LPM resume latency.
+- * Safe to use with mixed HIRD and BESL systems (host and device) and is used
+- * by other operating systems.
+- *
+- * XHCI 1.0 errata 8/14/12 Table 13 notes:
+- * "Software should choose xHC BESL/BESLD field values that do not violate a
+- * device's resume latency requirements,
+- * e.g. not program values > '4' if BLC = '1' and a HIRD device is attached,
+- * or not program values < '4' if BLC = '0' and a BESL device is attached.
+- */
+-#define XHCI_DEFAULT_BESL     4
+-
+-/*
+- * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
+- * to complete link training. usually link trainig completes much faster
+- * so check status 10 times with 36ms sleep in places we need to wait for
+- * polling to complete.
+- */
+-#define XHCI_PORT_POLLING_LFPS_TIME  36
+-
+ /**
+  * struct xhci_intr_reg - Interrupt Register Set
+  * @irq_pending:      IMAN - Interrupt Management Register.  Used to enable
+-- 
+2.43.0
+