]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Sun, 19 Mar 2023 12:04:22 +0000 (08:04 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 19 Mar 2023 12:04:22 +0000 (08:04 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
53 files changed:
queue-5.15/alsa-hda-match-only-intel-devices-with-controller_in.patch [new file with mode: 0644]
queue-5.15/block-null_blk-fix-handling-of-fake-timeout-request.patch [new file with mode: 0644]
queue-5.15/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch [new file with mode: 0644]
queue-5.15/bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch [new file with mode: 0644]
queue-5.15/bonding-restore-iff_master-slave-flags-on-bond-ensla.patch [new file with mode: 0644]
queue-5.15/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch [new file with mode: 0644]
queue-5.15/clk-hi655x-select-regmap-instead-of-depending-on-it.patch [new file with mode: 0644]
queue-5.15/docs-correct-missing-d_-prefix-for-dentry_operations.patch [new file with mode: 0644]
queue-5.15/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch [new file with mode: 0644]
queue-5.15/drm-i915-display-clean-up-comments.patch [new file with mode: 0644]
queue-5.15/drm-i915-display-psr-handle-plane-and-pipe-restricti.patch [new file with mode: 0644]
queue-5.15/drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch [new file with mode: 0644]
queue-5.15/drm-i915-display-workaround-cursor-left-overs-with-p.patch [new file with mode: 0644]
queue-5.15/drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch [new file with mode: 0644]
queue-5.15/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch [new file with mode: 0644]
queue-5.15/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch [new file with mode: 0644]
queue-5.15/ethernet-sun-add-check-for-the-mdesc_grab.patch [new file with mode: 0644]
queue-5.15/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch [new file with mode: 0644]
queue-5.15/ice-xsk-disable-txq-irq-before-flushing-hw.patch [new file with mode: 0644]
queue-5.15/ipv4-fix-incorrect-table-id-in-ioctl-path.patch [new file with mode: 0644]
queue-5.15/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch [new file with mode: 0644]
queue-5.15/loop-fix-use-after-free-issues.patch [new file with mode: 0644]
queue-5.15/net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch [new file with mode: 0644]
queue-5.15/net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch [new file with mode: 0644]
queue-5.15/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch [new file with mode: 0644]
queue-5.15/net-iucv-fix-size-of-interrupt-data.patch [new file with mode: 0644]
queue-5.15/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch [new file with mode: 0644]
queue-5.15/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch [new file with mode: 0644]
queue-5.15/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch [new file with mode: 0644]
queue-5.15/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch [new file with mode: 0644]
queue-5.15/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch [new file with mode: 0644]
queue-5.15/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch [new file with mode: 0644]
queue-5.15/netfilter-nft_masq-correct-length-for-loading-protoc.patch [new file with mode: 0644]
queue-5.15/netfilter-nft_nat-correct-length-for-loading-protoco.patch [new file with mode: 0644]
queue-5.15/netfilter-nft_redir-correct-length-for-loading-proto.patch [new file with mode: 0644]
queue-5.15/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch [new file with mode: 0644]
queue-5.15/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch [new file with mode: 0644]
queue-5.15/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch [new file with mode: 0644]
queue-5.15/nvme-fix-handling-single-range-discard-request.patch [new file with mode: 0644]
queue-5.15/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch [new file with mode: 0644]
queue-5.15/pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch [new file with mode: 0644]
queue-5.15/qed-qed_dev-guard-against-a-possible-division-by-zer.patch [new file with mode: 0644]
queue-5.15/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch [new file with mode: 0644]
queue-5.15/ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch [new file with mode: 0644]
queue-5.15/scsi-core-fix-a-procfs-host-directory-removal-regres.patch [new file with mode: 0644]
queue-5.15/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch [new file with mode: 0644]
queue-5.15/selftests-net-devlink_port_split.py-skip-test-if-no-.patch [new file with mode: 0644]
queue-5.15/series [new file with mode: 0644]
queue-5.15/sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch [new file with mode: 0644]
queue-5.15/tcp-tcp_make_synack-can-be-called-from-process-conte.patch [new file with mode: 0644]
queue-5.15/vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch [new file with mode: 0644]
queue-5.15/vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch [new file with mode: 0644]
queue-5.15/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch [new file with mode: 0644]

diff --git a/queue-5.15/alsa-hda-match-only-intel-devices-with-controller_in.patch b/queue-5.15/alsa-hda-match-only-intel-devices-with-controller_in.patch
new file mode 100644 (file)
index 0000000..85c50e3
--- /dev/null
@@ -0,0 +1,50 @@
+From 3e9b614403380d27e7f4ea014c14ee55c8f49edf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 15:40:54 -0600
+Subject: ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit ff447886e675979d66b2bc01810035d3baea1b3a ]
+
+CONTROLLER_IN_GPU() is clearly intended to match only Intel devices, but
+previously it checked only the PCI Device ID, not the Vendor ID, so it
+could match devices from other vendors that happened to use the same Device
+ID.
+
+Update CONTROLLER_IN_GPU() so it matches only Intel devices.
+
+Fixes: 535115b5ff51 ("ALSA: hda - Abort the probe without i915 binding for HSW/B")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20230307214054.886721-1-helgaas@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index c8042eb703c34..5fce1ca8a393a 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -331,14 +331,15 @@ enum {
+ #define needs_eld_notify_link(chip)   false
+ #endif
+-#define CONTROLLER_IN_GPU(pci) (((pci)->device == 0x0a0c) || \
++#define CONTROLLER_IN_GPU(pci) (((pci)->vendor == 0x8086) &&         \
++                                     (((pci)->device == 0x0a0c) || \
+                                       ((pci)->device == 0x0c0c) || \
+                                       ((pci)->device == 0x0d0c) || \
+                                       ((pci)->device == 0x160c) || \
+                                       ((pci)->device == 0x490d) || \
+                                       ((pci)->device == 0x4f90) || \
+                                       ((pci)->device == 0x4f91) || \
+-                                      ((pci)->device == 0x4f92))
++                                      ((pci)->device == 0x4f92)))
+ #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
+-- 
+2.39.2
+
diff --git a/queue-5.15/block-null_blk-fix-handling-of-fake-timeout-request.patch b/queue-5.15/block-null_blk-fix-handling-of-fake-timeout-request.patch
new file mode 100644 (file)
index 0000000..08d7292
--- /dev/null
@@ -0,0 +1,57 @@
+From e7605940a0fcd6bfc5348963133e59f683b1495b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 13:11:05 +0900
+Subject: block: null_blk: Fix handling of fake timeout request
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit 63f886597085f346276e3b3c8974de0100d65f32 ]
+
+When injecting a fake timeout into the null_blk driver using
+fail_io_timeout, the request timeout handler does not execute
+blk_mq_complete_request(), so the complete callback is never executed
+for a timedout request.
+
+The null_blk driver also has a driver-specific fake timeout mechanism
+which does not have this problem. Fix the problem with fail_io_timeout
+by using the same meachanism as null_blk internal timeout feature, using
+the fake_timeout field of null_blk commands.
+
+Reported-by: Akinobu Mita <akinobu.mita@gmail.com>
+Fixes: de3510e52b0a ("null_blk: fix command timeout completion handling")
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Link: https://lore.kernel.org/r/20230314041106.19173-2-damien.lemoal@opensource.wdc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk/main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
+index 4c8b4101516c3..033b0f64f2b9b 100644
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -1314,8 +1314,7 @@ static inline void nullb_complete_cmd(struct nullb_cmd *cmd)
+       case NULL_IRQ_SOFTIRQ:
+               switch (cmd->nq->dev->queue_mode) {
+               case NULL_Q_MQ:
+-                      if (likely(!blk_should_fake_timeout(cmd->rq->q)))
+-                              blk_mq_complete_request(cmd->rq);
++                      blk_mq_complete_request(cmd->rq);
+                       break;
+               case NULL_Q_BIO:
+                       /*
+@@ -1491,7 +1490,8 @@ static blk_status_t null_queue_rq(struct blk_mq_hw_ctx *hctx,
+       cmd->rq = bd->rq;
+       cmd->error = BLK_STS_OK;
+       cmd->nq = nq;
+-      cmd->fake_timeout = should_timeout_request(bd->rq);
++      cmd->fake_timeout = should_timeout_request(bd->rq) ||
++              blk_should_fake_timeout(bd->rq->q);
+       blk_mq_start_request(bd->rq);
+-- 
+2.39.2
+
diff --git a/queue-5.15/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch b/queue-5.15/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch
new file mode 100644 (file)
index 0000000..abf7689
--- /dev/null
@@ -0,0 +1,38 @@
+From 055bca5c3b6b0a566364722a24cb090dd4771ac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:20:32 +0800
+Subject: block: sunvdc: add check for mdesc_grab() returning NULL
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 6030363199e3a6341afb467ddddbed56640cbf6a ]
+
+In vdc_port_probe(), we should check the return value of mdesc_grab() as
+it may return NULL, which can cause potential NPD bug.
+
+Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20230315062032.1741692-1-windhl@126.com
+[axboe: style cleanup]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/sunvdc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
+index 4d4bb810c2aea..656d99faf40a2 100644
+--- a/drivers/block/sunvdc.c
++++ b/drivers/block/sunvdc.c
+@@ -964,6 +964,8 @@ static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+       print_version();
+       hp = mdesc_grab();
++      if (!hp)
++              return -ENODEV;
+       err = -ENODEV;
+       if ((vdev->dev_no << PARTITION_SHIFT) & ~(u64)MINORMASK) {
+-- 
+2.39.2
+
diff --git a/queue-5.15/bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch b/queue-5.15/bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch
new file mode 100644 (file)
index 0000000..76749e4
--- /dev/null
@@ -0,0 +1,119 @@
+From 384930ade51ad1bbc1320e7379ad7fe3f43ba70c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 13:18:41 +0200
+Subject: bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails
+
+From: Nikolay Aleksandrov <razor@blackwall.org>
+
+[ Upstream commit e667d469098671261d558be0cd93dca4d285ce1e ]
+
+syzbot reported a warning[1] where the bond device itself is a slave and
+we try to enslave a non-ethernet device as the first slave which fails
+but then in the error path when ether_setup() restores the bond device
+it also clears all flags. In my previous fix[2] I restored the
+IFF_MASTER flag, but I didn't consider the case that the bond device
+itself might also be a slave with IFF_SLAVE set, so we need to restore
+that flag as well. Use the bond_ether_setup helper which does the right
+thing and restores the bond's flags properly.
+
+Steps to reproduce using a nlmon dev:
+ $ ip l add nlmon0 type nlmon
+ $ ip l add bond1 type bond
+ $ ip l add bond2 type bond
+ $ ip l set bond1 master bond2
+ $ ip l set dev nlmon0 master bond1
+ $ ip -d l sh dev bond1
+ 22: bond1: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noqueue master bond2 state DOWN mode DEFAULT group default qlen 1000
+ (now bond1's IFF_SLAVE flag is gone and we'll hit a warning[3] if we
+  try to delete it)
+
+[1] https://syzkaller.appspot.com/bug?id=391c7b1f6522182899efba27d891f1743e8eb3ef
+[2] commit 7d5cd2ce5292 ("bonding: correctly handle bonding type change on enslave failure")
+[3] example warning:
+ [   27.008664] bond1: (slave nlmon0): The slave device specified does not support setting the MAC address
+ [   27.008692] bond1: (slave nlmon0): Error -95 calling set_mac_address
+ [   32.464639] bond1 (unregistering): Released all slaves
+ [   32.464685] ------------[ cut here ]------------
+ [   32.464686] WARNING: CPU: 1 PID: 2004 at net/core/dev.c:10829 unregister_netdevice_many+0x72a/0x780
+ [   32.464694] Modules linked in: br_netfilter bridge bonding virtio_net
+ [   32.464699] CPU: 1 PID: 2004 Comm: ip Kdump: loaded Not tainted 5.18.0-rc3+ #47
+ [   32.464703] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
+ [   32.464704] RIP: 0010:unregister_netdevice_many+0x72a/0x780
+ [   32.464707] Code: 99 fd ff ff ba 90 1a 00 00 48 c7 c6 f4 02 66 96 48 c7 c7 20 4d 35 96 c6 05 fa c7 2b 02 01 e8 be 6f 4a 00 0f 0b e9 73 fd ff ff <0f> 0b e9 5f fd ff ff 80 3d e3 c7 2b 02 00 0f 85 3b fd ff ff ba 59
+ [   32.464710] RSP: 0018:ffffa006422d7820 EFLAGS: 00010206
+ [   32.464712] RAX: ffff8f6e077140a0 RBX: ffffa006422d7888 RCX: 0000000000000000
+ [   32.464714] RDX: ffff8f6e12edbe58 RSI: 0000000000000296 RDI: ffffffff96d4a520
+ [   32.464716] RBP: ffff8f6e07714000 R08: ffffffff96d63600 R09: ffffa006422d7728
+ [   32.464717] R10: 0000000000000ec0 R11: ffffffff9698c988 R12: ffff8f6e12edb140
+ [   32.464719] R13: dead000000000122 R14: dead000000000100 R15: ffff8f6e12edb140
+ [   32.464723] FS:  00007f297c2f1740(0000) GS:ffff8f6e5d900000(0000) knlGS:0000000000000000
+ [   32.464725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [   32.464726] CR2: 00007f297bf1c800 CR3: 00000000115e8000 CR4: 0000000000350ee0
+ [   32.464730] Call Trace:
+ [   32.464763]  <TASK>
+ [   32.464767]  rtnl_dellink+0x13e/0x380
+ [   32.464776]  ? cred_has_capability.isra.0+0x68/0x100
+ [   32.464780]  ? __rtnl_unlock+0x33/0x60
+ [   32.464783]  ? bpf_lsm_capset+0x10/0x10
+ [   32.464786]  ? security_capable+0x36/0x50
+ [   32.464790]  rtnetlink_rcv_msg+0x14e/0x3b0
+ [   32.464792]  ? _copy_to_iter+0xb1/0x790
+ [   32.464796]  ? post_alloc_hook+0xa0/0x160
+ [   32.464799]  ? rtnl_calcit.isra.0+0x110/0x110
+ [   32.464802]  netlink_rcv_skb+0x50/0xf0
+ [   32.464806]  netlink_unicast+0x216/0x340
+ [   32.464809]  netlink_sendmsg+0x23f/0x480
+ [   32.464812]  sock_sendmsg+0x5e/0x60
+ [   32.464815]  ____sys_sendmsg+0x22c/0x270
+ [   32.464818]  ? import_iovec+0x17/0x20
+ [   32.464821]  ? sendmsg_copy_msghdr+0x59/0x90
+ [   32.464823]  ? do_set_pte+0xa0/0xe0
+ [   32.464828]  ___sys_sendmsg+0x81/0xc0
+ [   32.464832]  ? mod_objcg_state+0xc6/0x300
+ [   32.464835]  ? refill_obj_stock+0xa9/0x160
+ [   32.464838]  ? memcg_slab_free_hook+0x1a5/0x1f0
+ [   32.464842]  __sys_sendmsg+0x49/0x80
+ [   32.464847]  do_syscall_64+0x3b/0x90
+ [   32.464851]  entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [   32.464865] RIP: 0033:0x7f297bf2e5e7
+ [   32.464868] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+ [   32.464869] RSP: 002b:00007ffd96c824c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ [   32.464872] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f297bf2e5e7
+ [   32.464874] RDX: 0000000000000000 RSI: 00007ffd96c82540 RDI: 0000000000000003
+ [   32.464875] RBP: 00000000640f19de R08: 0000000000000001 R09: 000000000000007c
+ [   32.464876] R10: 00007f297bffabe0 R11: 0000000000000246 R12: 0000000000000001
+ [   32.464877] R13: 00007ffd96c82d20 R14: 00007ffd96c82610 R15: 000055bfe38a7020
+ [   32.464881]  </TASK>
+ [   32.464882] ---[ end trace 0000000000000000 ]---
+
+Fixes: 7d5cd2ce5292 ("bonding: correctly handle bonding type change on enslave failure")
+Reported-by: syzbot+9dfc3f3348729cc82277@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=391c7b1f6522182899efba27d891f1743e8eb3ef
+Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Acked-by: Jonathan Toppins <jtoppins@redhat.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index b2db30d5f1f45..e1dc94f01cb5a 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2267,9 +2267,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+                       eth_hw_addr_random(bond_dev);
+               if (bond_dev->type != ARPHRD_ETHER) {
+                       dev_close(bond_dev);
+-                      ether_setup(bond_dev);
+-                      bond_dev->flags |= IFF_MASTER;
+-                      bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
++                      bond_ether_setup(bond_dev);
+               }
+       }
+-- 
+2.39.2
+
diff --git a/queue-5.15/bonding-restore-iff_master-slave-flags-on-bond-ensla.patch b/queue-5.15/bonding-restore-iff_master-slave-flags-on-bond-ensla.patch
new file mode 100644 (file)
index 0000000..d5434bb
--- /dev/null
@@ -0,0 +1,80 @@
+From 2cc9a79e26cbe8eb4384ce7fa36a23e9dda31d1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 13:18:40 +0200
+Subject: bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type
+ change
+
+From: Nikolay Aleksandrov <razor@blackwall.org>
+
+[ Upstream commit 9ec7eb60dcbcb6c41076defbc5df7bbd95ceaba5 ]
+
+Add bond_ether_setup helper which is used to fix ether_setup() calls in the
+bonding driver. It takes care of both IFF_MASTER and IFF_SLAVE flags, the
+former is always restored and the latter only if it was set.
+If the bond enslaves non-ARPHRD_ETHER device (changes its type), then
+releases it and enslaves ARPHRD_ETHER device (changes back) then we
+use ether_setup() to restore the bond device type but it also resets its
+flags and removes IFF_MASTER and IFF_SLAVE[1]. Use the bond_ether_setup
+helper to restore both after such transition.
+
+[1] reproduce (nlmon is non-ARPHRD_ETHER):
+ $ ip l add nlmon0 type nlmon
+ $ ip l add bond2 type bond mode active-backup
+ $ ip l set nlmon0 master bond2
+ $ ip l set nlmon0 nomaster
+ $ ip l add bond1 type bond
+ (we use bond1 as ARPHRD_ETHER device to restore bond2's mode)
+ $ ip l set bond1 master bond2
+ $ ip l sh dev bond2
+ 37: bond2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
+    link/ether be:d7:c5:40:5b:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 1500
+ (notice bond2's IFF_MASTER is missing)
+
+Fixes: e36b9d16c6a6 ("bonding: clean muticast addresses when device changes type")
+Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 456298919d541..b2db30d5f1f45 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1744,6 +1744,19 @@ void bond_lower_state_changed(struct slave *slave)
+               slave_err(bond_dev, slave_dev, "Error: %s\n", errmsg);  \
+ } while (0)
++/* The bonding driver uses ether_setup() to convert a master bond device
++ * to ARPHRD_ETHER, that resets the target netdevice's flags so we always
++ * have to restore the IFF_MASTER flag, and only restore IFF_SLAVE if it was set
++ */
++static void bond_ether_setup(struct net_device *bond_dev)
++{
++      unsigned int slave_flag = bond_dev->flags & IFF_SLAVE;
++
++      ether_setup(bond_dev);
++      bond_dev->flags |= IFF_MASTER | slave_flag;
++      bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
++}
++
+ /* enslave device <slave> to bond device <master> */
+ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+                struct netlink_ext_ack *extack)
+@@ -1835,10 +1848,8 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+                       if (slave_dev->type != ARPHRD_ETHER)
+                               bond_setup_by_slave(bond_dev, slave_dev);
+-                      else {
+-                              ether_setup(bond_dev);
+-                              bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+-                      }
++                      else
++                              bond_ether_setup(bond_dev);
+                       call_netdevice_notifiers(NETDEV_POST_TYPE_CHANGE,
+                                                bond_dev);
+-- 
+2.39.2
+
diff --git a/queue-5.15/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch b/queue-5.15/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch
new file mode 100644 (file)
index 0000000..fa2c2d4
--- /dev/null
@@ -0,0 +1,117 @@
+From b8eaee2477d8271d7e694a215936eee4871a0d7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 11:11:36 +0800
+Subject: cifs: Move the in_send statistic to __smb_send_rqst()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit d0dc41119905f740e8d5594adce277f7c0de8c92 ]
+
+When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
+in_send statistic was lost.
+
+Let's move the in_send statistic to the send function to avoid
+this scenario.
+
+Fixes: 7ee1af765dfa ("[CIFS]")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/transport.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
+index 514056605fa7a..49b7edbe34975 100644
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -299,7 +299,7 @@ static int
+ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+               struct smb_rqst *rqst)
+ {
+-      int rc = 0;
++      int rc;
+       struct kvec *iov;
+       int n_vec;
+       unsigned int send_length = 0;
+@@ -310,6 +310,7 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+       struct msghdr smb_msg = {};
+       __be32 rfc1002_marker;
++      cifs_in_send_inc(server);
+       if (cifs_rdma_enabled(server)) {
+               /* return -EAGAIN when connecting or reconnecting */
+               rc = -EAGAIN;
+@@ -318,14 +319,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+               goto smbd_done;
+       }
++      rc = -EAGAIN;
+       if (ssocket == NULL)
+-              return -EAGAIN;
++              goto out;
++      rc = -ERESTARTSYS;
+       if (fatal_signal_pending(current)) {
+               cifs_dbg(FYI, "signal pending before send request\n");
+-              return -ERESTARTSYS;
++              goto out;
+       }
++      rc = 0;
+       /* cork the socket */
+       tcp_sock_set_cork(ssocket->sk, true);
+@@ -438,7 +442,8 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+                        rc);
+       else if (rc > 0)
+               rc = 0;
+-
++out:
++      cifs_in_send_dec(server);
+       return rc;
+ }
+@@ -855,9 +860,7 @@ cifs_call_async(struct TCP_Server_Info *server, struct smb_rqst *rqst,
+        * I/O response may come back and free the mid entry on another thread.
+        */
+       cifs_save_when_sent(mid);
+-      cifs_in_send_inc(server);
+       rc = smb_send_rqst(server, 1, rqst, flags);
+-      cifs_in_send_dec(server);
+       if (rc < 0) {
+               revert_current_mid(server, mid->credits);
+@@ -1149,9 +1152,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
+               else
+                       midQ[i]->callback = cifs_compound_last_callback;
+       }
+-      cifs_in_send_inc(server);
+       rc = smb_send_rqst(server, num_rqst, rqst, flags);
+-      cifs_in_send_dec(server);
+       for (i = 0; i < num_rqst; i++)
+               cifs_save_when_sent(midQ[i]);
+@@ -1388,9 +1389,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses,
+       midQ->mid_state = MID_REQUEST_SUBMITTED;
+-      cifs_in_send_inc(server);
+       rc = smb_send(server, in_buf, len);
+-      cifs_in_send_dec(server);
+       cifs_save_when_sent(midQ);
+       if (rc < 0)
+@@ -1527,9 +1526,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon,
+       }
+       midQ->mid_state = MID_REQUEST_SUBMITTED;
+-      cifs_in_send_inc(server);
+       rc = smb_send(server, in_buf, len);
+-      cifs_in_send_dec(server);
+       cifs_save_when_sent(midQ);
+       if (rc < 0)
+-- 
+2.39.2
+
diff --git a/queue-5.15/clk-hi655x-select-regmap-instead-of-depending-on-it.patch b/queue-5.15/clk-hi655x-select-regmap-instead-of-depending-on-it.patch
new file mode 100644 (file)
index 0000000..aee5d75
--- /dev/null
@@ -0,0 +1,47 @@
+From b7a62ee57a7489a0fa83a38b7af6ed6175f7d176 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 21:39:47 -0800
+Subject: clk: HI655X: select REGMAP instead of depending on it
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 0ffad67784a097beccf34d297ddd1b0773b3b8a3 ]
+
+REGMAP is a hidden (not user visible) symbol. Users cannot set it
+directly thru "make *config", so drivers should select it instead of
+depending on it if they need it.
+
+Consistently using "select" or "depends on" can also help reduce
+Kconfig circular dependency issues.
+
+Therefore, change the use of "depends on REGMAP" to "select REGMAP".
+
+Fixes: 3a49afb84ca0 ("clk: enable hi655x common clk automatically")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Riku Voipio <riku.voipio@linaro.org>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: Michael Turquette <mturquette@baylibre.com>
+Cc: linux-clk@vger.kernel.org
+Link: https://lore.kernel.org/r/20230226053953.4681-3-rdunlap@infradead.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/Kconfig b/drivers/clk/Kconfig
+index c5b3dc97396a6..100e474ff3dc5 100644
+--- a/drivers/clk/Kconfig
++++ b/drivers/clk/Kconfig
+@@ -83,7 +83,7 @@ config COMMON_CLK_RK808
+ config COMMON_CLK_HI655X
+       tristate "Clock driver for Hi655x" if EXPERT
+       depends on (MFD_HI655X_PMIC || COMPILE_TEST)
+-      depends on REGMAP
++      select REGMAP
+       default MFD_HI655X_PMIC
+       help
+         This driver supports the hi655x PMIC clock. This
+-- 
+2.39.2
+
diff --git a/queue-5.15/docs-correct-missing-d_-prefix-for-dentry_operations.patch b/queue-5.15/docs-correct-missing-d_-prefix-for-dentry_operations.patch
new file mode 100644 (file)
index 0000000..a175843
--- /dev/null
@@ -0,0 +1,39 @@
+From 85fc3fdc8511a1a83be1052f2cee59a9128e2414 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 12:40:42 -0600
+Subject: docs: Correct missing "d_" prefix for dentry_operations member
+ d_weak_revalidate
+
+From: Glenn Washburn <development@efficientek.com>
+
+[ Upstream commit 74596085796fae0cfce3e42ee46bf4f8acbdac55 ]
+
+The details for struct dentry_operations member d_weak_revalidate is
+missing a "d_" prefix.
+
+Fixes: af96c1e304f7 ("docs: filesystems: vfs: Convert vfs.txt to RST")
+Signed-off-by: Glenn Washburn <development@efficientek.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Link: https://lore.kernel.org/r/20230227184042.2375235-1-development@efficientek.com
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/filesystems/vfs.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/filesystems/vfs.rst b/Documentation/filesystems/vfs.rst
+index a99c1c338e8f4..a15527940b461 100644
+--- a/Documentation/filesystems/vfs.rst
++++ b/Documentation/filesystems/vfs.rst
+@@ -1210,7 +1210,7 @@ defined:
+       return
+       -ECHILD and it will be called again in ref-walk mode.
+-``_weak_revalidate``
++``d_weak_revalidate``
+       called when the VFS needs to revalidate a "jumped" dentry.  This
+       is called when a path-walk ends at dentry that was not acquired
+       by doing a lookup in the parent directory.  This includes "/",
+-- 
+2.39.2
+
diff --git a/queue-5.15/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch b/queue-5.15/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch
new file mode 100644 (file)
index 0000000..8a63c41
--- /dev/null
@@ -0,0 +1,47 @@
+From 2ec24d01fefa76b8080a9723393c2a47251823d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 13:50:35 +0800
+Subject: drm/bridge: Fix returned array size name for
+ atomic_get_input_bus_fmts kdoc
+
+From: Liu Ying <victor.liu@nxp.com>
+
+[ Upstream commit 0d3c9333d976af41d7dbc6bf4d9d2e95fbdf9c89 ]
+
+The returned array size for input formats is set through
+atomic_get_input_bus_fmts()'s 'num_input_fmts' argument, so use
+'num_input_fmts' to represent the array size in the function's kdoc,
+not 'num_output_fmts'.
+
+Fixes: 91ea83306bfa ("drm/bridge: Fix the bridge kernel doc")
+Fixes: f32df58acc68 ("drm/bridge: Add the necessary bits to support bus format negotiation")
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230314055035.3731179-1-victor.liu@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/drm/drm_bridge.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h
+index 1648ce265cba0..c84783cd5abd7 100644
+--- a/include/drm/drm_bridge.h
++++ b/include/drm/drm_bridge.h
+@@ -447,11 +447,11 @@ struct drm_bridge_funcs {
+        *
+        * The returned array must be allocated with kmalloc() and will be
+        * freed by the caller. If the allocation fails, NULL should be
+-       * returned. num_output_fmts must be set to the returned array size.
++       * returned. num_input_fmts must be set to the returned array size.
+        * Formats listed in the returned array should be listed in decreasing
+        * preference order (the core will try all formats until it finds one
+        * that works). When the format is not supported NULL should be
+-       * returned and num_output_fmts should be set to 0.
++       * returned and num_input_fmts should be set to 0.
+        *
+        * This method is called on all elements of the bridge chain as part of
+        * the bus format negotiation process that happens in
+-- 
+2.39.2
+
diff --git a/queue-5.15/drm-i915-display-clean-up-comments.patch b/queue-5.15/drm-i915-display-clean-up-comments.patch
new file mode 100644 (file)
index 0000000..cac421f
--- /dev/null
@@ -0,0 +1,68 @@
+From 97b6e403e95c739366197b7990e747b6b0cb53ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Jul 2022 16:32:36 -0400
+Subject: drm/i915/display: clean up comments
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 3461b040a90d723c93c9d1c7c11e3464f5cadc0e ]
+
+spelling changes
+resoluition -> resolution
+dont        -> don't
+commmit     -> commit
+Invalidade  -> Invalidate
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220701203236.1871668-1-trix@redhat.com
+Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index 21d58d22c82ee..5f9894e3c7aa7 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -580,7 +580,7 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp)
+               /*
+                * TODO: 7 lines of IO_BUFFER_WAKE and FAST_WAKE are default
+                * values from BSpec. In order to setting an optimal power
+-               * consumption, lower than 4k resoluition mode needs to decrese
++               * consumption, lower than 4k resolution mode needs to decrease
+                * IO_BUFFER_WAKE and FAST_WAKE. And higher than 4K resolution
+                * mode needs to increase IO_BUFFER_WAKE and FAST_WAKE.
+                */
+@@ -986,7 +986,7 @@ void intel_psr_compute_config(struct intel_dp *intel_dp,
+       int psr_setup_time;
+       /*
+-       * Current PSR panels dont work reliably with VRR enabled
++       * Current PSR panels don't work reliably with VRR enabled
+        * So if VRR is enabled, do not enable PSR.
+        */
+       if (crtc_state->vrr.enable)
+@@ -1619,7 +1619,7 @@ static void cursor_area_workaround(const struct intel_plane_state *new_plane_sta
+  *
+  * Plane scaling and rotation is not supported by selective fetch and both
+  * properties can change without a modeset, so need to be check at every
+- * atomic commmit.
++ * atomic commit.
+  */
+ static bool psr2_sel_fetch_plane_state_supported(const struct intel_plane_state *plane_state)
+ {
+@@ -2067,7 +2067,7 @@ static void intel_psr_work(struct work_struct *work)
+ }
+ /**
+- * intel_psr_invalidate - Invalidade PSR
++ * intel_psr_invalidate - Invalidate PSR
+  * @dev_priv: i915 device
+  * @frontbuffer_bits: frontbuffer plane tracking bits
+  * @origin: which operation caused the invalidate
+-- 
+2.39.2
+
diff --git a/queue-5.15/drm-i915-display-psr-handle-plane-and-pipe-restricti.patch b/queue-5.15/drm-i915-display-psr-handle-plane-and-pipe-restricti.patch
new file mode 100644 (file)
index 0000000..833ff1b
--- /dev/null
@@ -0,0 +1,162 @@
+From 974b629a68de59a80bd2e055be6df410d2c50ceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 17:14:01 -0700
+Subject: drm/i915/display/psr: Handle plane and pipe restrictions at every
+ page flip
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza <jose.souza@intel.com>
+
+[ Upstream commit ac220f5f754b1d2f4a69428f515c3f1b10d1fad0 ]
+
+PSR2 selective is not supported over rotated and scaled planes.
+We had the rotation check in intel_psr2_sel_fetch_config_valid()
+but that code path is only execute when a modeset is needed and
+those plane parameters can change without a modeset.
+
+Pipe selective fetch restrictions are also needed, it could be added
+in intel_psr_compute_config() but pippe scaling is computed after
+it is executed, so leaving as is for now.
+There is no much loss in this approach as it would cause selective
+fetch to not enabled as for alderlake-P and newer will cause it to
+switch to PSR1 that will have the same power-savings as do full pipe
+fetch.
+
+Also need to check those restricions in the second
+for_each_oldnew_intel_plane_in_state() loop because the state could
+only have a plane that is not affected by those restricitons but
+the damaged area intersect with planes that has those restrictions,
+so a full pipe fetch is required.
+
+v2:
+- also handling pipe restrictions
+
+BSpec: 55229
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> # v1
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210930001409.254817-1-jose.souza@intel.com
+Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 65 +++++++++++++++++-------
+ 1 file changed, 46 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index 5e7827b076028..21d58d22c82ee 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -756,11 +756,7 @@ tgl_dc3co_exitline_compute_config(struct intel_dp *intel_dp,
+ static bool intel_psr2_sel_fetch_config_valid(struct intel_dp *intel_dp,
+                                             struct intel_crtc_state *crtc_state)
+ {
+-      struct intel_atomic_state *state = to_intel_atomic_state(crtc_state->uapi.state);
+       struct drm_i915_private *dev_priv = dp_to_i915(intel_dp);
+-      struct intel_plane_state *plane_state;
+-      struct intel_plane *plane;
+-      int i;
+       if (!dev_priv->params.enable_psr2_sel_fetch &&
+           intel_dp->psr.debug != I915_PSR_DEBUG_ENABLE_SEL_FETCH) {
+@@ -775,14 +771,6 @@ static bool intel_psr2_sel_fetch_config_valid(struct intel_dp *intel_dp,
+               return false;
+       }
+-      for_each_new_intel_plane_in_state(state, plane, plane_state, i) {
+-              if (plane_state->uapi.rotation != DRM_MODE_ROTATE_0) {
+-                      drm_dbg_kms(&dev_priv->drm,
+-                                  "PSR2 sel fetch not enabled, plane rotated\n");
+-                      return false;
+-              }
+-      }
+-
+       /* Wa_14010254185 Wa_14010103792 */
+       if (IS_TGL_DISPLAY_STEP(dev_priv, STEP_A0, STEP_C0)) {
+               drm_dbg_kms(&dev_priv->drm,
+@@ -1624,6 +1612,41 @@ static void cursor_area_workaround(const struct intel_plane_state *new_plane_sta
+       clip_area_update(pipe_clip, damaged_area);
+ }
++/*
++ * TODO: Not clear how to handle planes with negative position,
++ * also planes are not updated if they have a negative X
++ * position so for now doing a full update in this cases
++ *
++ * Plane scaling and rotation is not supported by selective fetch and both
++ * properties can change without a modeset, so need to be check at every
++ * atomic commmit.
++ */
++static bool psr2_sel_fetch_plane_state_supported(const struct intel_plane_state *plane_state)
++{
++      if (plane_state->uapi.dst.y1 < 0 ||
++          plane_state->uapi.dst.x1 < 0 ||
++          plane_state->scaler_id >= 0 ||
++          plane_state->uapi.rotation != DRM_MODE_ROTATE_0)
++              return false;
++
++      return true;
++}
++
++/*
++ * Check for pipe properties that is not supported by selective fetch.
++ *
++ * TODO: pipe scaling causes a modeset but skl_update_scaler_crtc() is executed
++ * after intel_psr_compute_config(), so for now keeping PSR2 selective fetch
++ * enabled and going to the full update path.
++ */
++static bool psr2_sel_fetch_pipe_state_supported(const struct intel_crtc_state *crtc_state)
++{
++      if (crtc_state->scaler_state.scaler_id >= 0)
++              return false;
++
++      return true;
++}
++
+ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+                               struct intel_crtc *crtc)
+ {
+@@ -1637,6 +1660,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+       if (!crtc_state->enable_psr2_sel_fetch)
+               return 0;
++      if (!psr2_sel_fetch_pipe_state_supported(crtc_state)) {
++              full_update = true;
++              goto skip_sel_fetch_set_loop;
++      }
++
+       /*
+        * Calculate minimal selective fetch area of each plane and calculate
+        * the pipe damaged area.
+@@ -1656,13 +1684,7 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+                   !old_plane_state->uapi.visible)
+                       continue;
+-              /*
+-               * TODO: Not clear how to handle planes with negative position,
+-               * also planes are not updated if they have a negative X
+-               * position so for now doing a full update in this cases
+-               */
+-              if (new_plane_state->uapi.dst.y1 < 0 ||
+-                  new_plane_state->uapi.dst.x1 < 0) {
++              if (!psr2_sel_fetch_plane_state_supported(new_plane_state)) {
+                       full_update = true;
+                       break;
+               }
+@@ -1741,6 +1763,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+               if (!drm_rect_intersect(&inter, &new_plane_state->uapi.dst))
+                       continue;
++              if (!psr2_sel_fetch_plane_state_supported(new_plane_state)) {
++                      full_update = true;
++                      break;
++              }
++
+               sel_fetch_area = &new_plane_state->psr2_sel_fetch_area;
+               sel_fetch_area->y1 = inter.y1 - new_plane_state->uapi.dst.y1;
+               sel_fetch_area->y2 = inter.y2 - new_plane_state->uapi.dst.y1;
+-- 
+2.39.2
+
diff --git a/queue-5.15/drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch b/queue-5.15/drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch
new file mode 100644 (file)
index 0000000..8a54423
--- /dev/null
@@ -0,0 +1,134 @@
+From 26b5e1c756413921e72ec159dd2c436489013791 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 14:25:06 -0700
+Subject: drm/i915/display/psr: Use drm damage helpers to calculate plane
+ damaged area
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza <jose.souza@intel.com>
+
+[ Upstream commit af7ea1e22afc7ce7773b2e4562df4370c8c711ea ]
+
+drm_atomic_helper_damage_iter_init() + drm_atomic_for_each_plane_damage()
+returns the full plane area in case no damaged area was set by
+userspace or it was discarted by driver.
+
+This is important to fix the rendering of userspace applications that
+does frontbuffer rendering and notify driver about dirty areas but do
+not set any dirty clips.
+
+With this we don't need to worry about to check and mark the whole
+area as damaged in page flips.
+
+Another important change here is the move of
+drm_atomic_add_affected_planes() call, it needs to called late
+otherwise the area of all the planes would be added to pipe_clip and
+not saving power.
+
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210914212507.177511-4-jose.souza@intel.com
+Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 37 +++++++++---------------
+ 1 file changed, 13 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index b4b193c2bc32e..5e7827b076028 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -22,6 +22,7 @@
+  */
+ #include <drm/drm_atomic_helper.h>
++#include <drm/drm_damage_helper.h>
+ #include "display/intel_dp.h"
+@@ -1636,10 +1637,6 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+       if (!crtc_state->enable_psr2_sel_fetch)
+               return 0;
+-      ret = drm_atomic_add_affected_planes(&state->base, &crtc->base);
+-      if (ret)
+-              return ret;
+-
+       /*
+        * Calculate minimal selective fetch area of each plane and calculate
+        * the pipe damaged area.
+@@ -1649,8 +1646,8 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+       for_each_oldnew_intel_plane_in_state(state, plane, old_plane_state,
+                                            new_plane_state, i) {
+               struct drm_rect src, damaged_area = { .y1 = -1 };
+-              struct drm_mode_rect *damaged_clips;
+-              u32 num_clips, j;
++              struct drm_atomic_helper_damage_iter iter;
++              struct drm_rect clip;
+               if (new_plane_state->uapi.crtc != crtc_state->uapi.crtc)
+                       continue;
+@@ -1670,8 +1667,6 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+                       break;
+               }
+-              num_clips = drm_plane_get_damage_clips_count(&new_plane_state->uapi);
+-
+               /*
+                * If visibility or plane moved, mark the whole plane area as
+                * damaged as it needs to be complete redraw in the new and old
+@@ -1695,14 +1690,8 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+                       cursor_area_workaround(new_plane_state, &damaged_area,
+                                              &pipe_clip);
+                       continue;
+-              } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha ||
+-                         (!num_clips &&
+-                          new_plane_state->uapi.fb != old_plane_state->uapi.fb)) {
+-                      /*
+-                       * If the plane don't have damaged areas but the
+-                       * framebuffer changed or alpha changed, mark the whole
+-                       * plane area as damaged.
+-                       */
++              } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha) {
++                      /* If alpha changed mark the whole plane area as damaged */
+                       damaged_area.y1 = new_plane_state->uapi.dst.y1;
+                       damaged_area.y2 = new_plane_state->uapi.dst.y2;
+                       clip_area_update(&pipe_clip, &damaged_area);
+@@ -1710,15 +1699,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+               }
+               drm_rect_fp_to_int(&src, &new_plane_state->uapi.src);
+-              damaged_clips = drm_plane_get_damage_clips(&new_plane_state->uapi);
+-
+-              for (j = 0; j < num_clips; j++) {
+-                      struct drm_rect clip;
+-                      clip.x1 = damaged_clips[j].x1;
+-                      clip.y1 = damaged_clips[j].y1;
+-                      clip.x2 = damaged_clips[j].x2;
+-                      clip.y2 = damaged_clips[j].y2;
++              drm_atomic_helper_damage_iter_init(&iter,
++                                                 &old_plane_state->uapi,
++                                                 &new_plane_state->uapi);
++              drm_atomic_for_each_plane_damage(&iter, &clip) {
+                       if (drm_rect_intersect(&clip, &src))
+                               clip_area_update(&damaged_area, &clip);
+               }
+@@ -1734,6 +1719,10 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+       if (full_update)
+               goto skip_sel_fetch_set_loop;
++      ret = drm_atomic_add_affected_planes(&state->base, &crtc->base);
++      if (ret)
++              return ret;
++
+       intel_psr2_sel_fetch_pipe_alignment(crtc_state, &pipe_clip);
+       /*
+-- 
+2.39.2
+
diff --git a/queue-5.15/drm-i915-display-workaround-cursor-left-overs-with-p.patch b/queue-5.15/drm-i915-display-workaround-cursor-left-overs-with-p.patch
new file mode 100644 (file)
index 0000000..3e4ad36
--- /dev/null
@@ -0,0 +1,76 @@
+From 7a200aea2dbe8ef0d3517dc31bf25d4b72631075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 14:25:05 -0700
+Subject: drm/i915/display: Workaround cursor left overs with PSR2 selective
+ fetch enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza <jose.souza@intel.com>
+
+[ Upstream commit 1f3a11c341ab211d6ba55ef3d58026b7b5319945 ]
+
+Not sure why but when moving the cursor fast it causes some artifacts
+of the cursor to be left in the cursor path, adding some pixels above
+the cursor to the damaged area fixes the issue, so leaving this as a
+workaround until proper fix is found.
+
+This is reproducile on TGL and ADL-P.
+
+Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210914212507.177511-3-jose.souza@intel.com
+Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 25 ++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index a3d0c57ec0f0b..b4b193c2bc32e 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -1601,6 +1601,28 @@ static void intel_psr2_sel_fetch_pipe_alignment(const struct intel_crtc_state *c
+               drm_warn(&dev_priv->drm, "Missing PSR2 sel fetch alignment with DSC\n");
+ }
++/*
++ * FIXME: Not sure why but when moving the cursor fast it causes some artifacts
++ * of the cursor to be left in the cursor path, adding some pixels above the
++ * cursor to the damaged area fixes the issue.
++ */
++static void cursor_area_workaround(const struct intel_plane_state *new_plane_state,
++                                 struct drm_rect *damaged_area,
++                                 struct drm_rect *pipe_clip)
++{
++      const struct intel_plane *plane = to_intel_plane(new_plane_state->uapi.plane);
++      int height;
++
++      if (plane->id != PLANE_CURSOR)
++              return;
++
++      height = drm_rect_height(&new_plane_state->uapi.dst) / 2;
++      damaged_area->y1 -=  height;
++      damaged_area->y1 = max(damaged_area->y1, 0);
++
++      clip_area_update(pipe_clip, damaged_area);
++}
++
+ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+                               struct intel_crtc *crtc)
+ {
+@@ -1669,6 +1691,9 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+                               damaged_area.y2 = new_plane_state->uapi.dst.y2;
+                               clip_area_update(&pipe_clip, &damaged_area);
+                       }
++
++                      cursor_area_workaround(new_plane_state, &damaged_area,
++                                             &pipe_clip);
+                       continue;
+               } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha ||
+                          (!num_clips &&
+-- 
+2.39.2
+
diff --git a/queue-5.15/drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch b/queue-5.15/drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch
new file mode 100644 (file)
index 0000000..7193e8d
--- /dev/null
@@ -0,0 +1,174 @@
+From 26e915179963c5cc6271e89e536367c960b5f875 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Feb 2023 10:53:04 +0200
+Subject: drm/i915/psr: Use calculated io and fast wake lines
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jouni Högander <jouni.hogander@intel.com>
+
+[ Upstream commit 71c602103c74b277bef3d20a308874a33ec8326d ]
+
+Currently we are using hardcoded 7 for io and fast wake lines.
+
+According to Bspec io and fast wake times are both 42us for
+DISPLAY_VER >= 12 and 50us and 32us for older platforms.
+
+Calculate line counts for these and configure them into PSR2_CTL
+accordingly
+
+Use 45 us for the fast wake calculation as 42 seems to be too
+tight based on testing.
+
+Bspec: 49274, 4289
+
+Cc: Mika Kahola <mika.kahola@intel.com>
+Cc: José Roberto de Souza <jose.souza@intel.com>
+Fixes: 64cf40a125ff ("drm/i915/psr: Program default IO buffer Wake and Fast Wake")
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7725
+Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
+Reviewed-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230221085304.3382297-1-jouni.hogander@intel.com
+(cherry picked from commit cb42e8ede5b475c096e473b86c356b1158b4bc3b)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/i915/display/intel_display_types.h    |  2 +
+ drivers/gpu/drm/i915/display/intel_psr.c      | 78 +++++++++++++++----
+ 2 files changed, 63 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h
+index b56850d964919..90e055f056994 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_types.h
++++ b/drivers/gpu/drm/i915/display/intel_display_types.h
+@@ -1520,6 +1520,8 @@ struct intel_psr {
+       bool psr2_sel_fetch_enabled;
+       bool req_psr2_sdp_prior_scanline;
+       u8 sink_sync_latency;
++      u8 io_wake_lines;
++      u8 fast_wake_lines;
+       ktime_t last_entry_attempt;
+       ktime_t last_exit;
+       bool sink_not_reliable;
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index 5f9894e3c7aa7..cf1e92486cbc9 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -549,6 +549,14 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp)
+       val |= EDP_PSR2_FRAME_BEFORE_SU(intel_dp->psr.sink_sync_latency + 1);
+       val |= intel_psr2_get_tp_time(intel_dp);
++      if (DISPLAY_VER(dev_priv) >= 12) {
++              if (intel_dp->psr.io_wake_lines < 9 &&
++                  intel_dp->psr.fast_wake_lines < 9)
++                      val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2;
++              else
++                      val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_3;
++      }
++
+       /* Wa_22012278275:adl-p */
+       if (IS_ADLP_DISPLAY_STEP(dev_priv, STEP_A0, STEP_E0)) {
+               static const u8 map[] = {
+@@ -565,31 +573,21 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp)
+                * Still using the default IO_BUFFER_WAKE and FAST_WAKE, see
+                * comments bellow for more information
+                */
+-              u32 tmp, lines = 7;
++              u32 tmp;
+-              val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2;
+-
+-              tmp = map[lines - TGL_EDP_PSR2_IO_BUFFER_WAKE_MIN_LINES];
++              tmp = map[intel_dp->psr.io_wake_lines - TGL_EDP_PSR2_IO_BUFFER_WAKE_MIN_LINES];
+               tmp = tmp << TGL_EDP_PSR2_IO_BUFFER_WAKE_SHIFT;
+               val |= tmp;
+-              tmp = map[lines - TGL_EDP_PSR2_FAST_WAKE_MIN_LINES];
++              tmp = map[intel_dp->psr.fast_wake_lines - TGL_EDP_PSR2_FAST_WAKE_MIN_LINES];
+               tmp = tmp << TGL_EDP_PSR2_FAST_WAKE_MIN_SHIFT;
+               val |= tmp;
+       } else if (DISPLAY_VER(dev_priv) >= 12) {
+-              /*
+-               * TODO: 7 lines of IO_BUFFER_WAKE and FAST_WAKE are default
+-               * values from BSpec. In order to setting an optimal power
+-               * consumption, lower than 4k resolution mode needs to decrease
+-               * IO_BUFFER_WAKE and FAST_WAKE. And higher than 4K resolution
+-               * mode needs to increase IO_BUFFER_WAKE and FAST_WAKE.
+-               */
+-              val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2;
+-              val |= TGL_EDP_PSR2_IO_BUFFER_WAKE(7);
+-              val |= TGL_EDP_PSR2_FAST_WAKE(7);
++              val |= TGL_EDP_PSR2_IO_BUFFER_WAKE(intel_dp->psr.io_wake_lines);
++              val |= TGL_EDP_PSR2_FAST_WAKE(intel_dp->psr.fast_wake_lines);
+       } else if (DISPLAY_VER(dev_priv) >= 9) {
+-              val |= EDP_PSR2_IO_BUFFER_WAKE(7);
+-              val |= EDP_PSR2_FAST_WAKE(7);
++              val |= EDP_PSR2_IO_BUFFER_WAKE(intel_dp->psr.io_wake_lines);
++              val |= EDP_PSR2_FAST_WAKE(intel_dp->psr.fast_wake_lines);
+       }
+       if (intel_dp->psr.req_psr2_sdp_prior_scanline)
+@@ -842,6 +840,46 @@ static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_d
+       return true;
+ }
++static bool _compute_psr2_wake_times(struct intel_dp *intel_dp,
++                                   struct intel_crtc_state *crtc_state)
++{
++      struct drm_i915_private *i915 = dp_to_i915(intel_dp);
++      int io_wake_lines, io_wake_time, fast_wake_lines, fast_wake_time;
++      u8 max_wake_lines;
++
++      if (DISPLAY_VER(i915) >= 12) {
++              io_wake_time = 42;
++              /*
++               * According to Bspec it's 42us, but based on testing
++               * it is not enough -> use 45 us.
++               */
++              fast_wake_time = 45;
++              max_wake_lines = 12;
++      } else {
++              io_wake_time = 50;
++              fast_wake_time = 32;
++              max_wake_lines = 8;
++      }
++
++      io_wake_lines = intel_usecs_to_scanlines(
++              &crtc_state->uapi.adjusted_mode, io_wake_time);
++      fast_wake_lines = intel_usecs_to_scanlines(
++              &crtc_state->uapi.adjusted_mode, fast_wake_time);
++
++      if (io_wake_lines > max_wake_lines ||
++          fast_wake_lines > max_wake_lines)
++              return false;
++
++      if (i915->params.psr_safest_params)
++              io_wake_lines = fast_wake_lines = max_wake_lines;
++
++      /* According to Bspec lower limit should be set as 7 lines. */
++      intel_dp->psr.io_wake_lines = max(io_wake_lines, 7);
++      intel_dp->psr.fast_wake_lines = max(fast_wake_lines, 7);
++
++      return true;
++}
++
+ static bool intel_psr2_config_valid(struct intel_dp *intel_dp,
+                                   struct intel_crtc_state *crtc_state)
+ {
+@@ -939,6 +977,12 @@ static bool intel_psr2_config_valid(struct intel_dp *intel_dp,
+               return false;
+       }
++      if (!_compute_psr2_wake_times(intel_dp, crtc_state)) {
++              drm_dbg_kms(&dev_priv->drm,
++                          "PSR2 not enabled, Unable to use long enough wake times\n");
++              return false;
++      }
++
+       if (HAS_PSR2_SEL_FETCH(dev_priv)) {
+               if (!intel_psr2_sel_fetch_config_valid(intel_dp, crtc_state) &&
+                   !HAS_PSR_HW_TRACKING(dev_priv)) {
+-- 
+2.39.2
+
diff --git a/queue-5.15/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch b/queue-5.15/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch
new file mode 100644 (file)
index 0000000..9d62db7
--- /dev/null
@@ -0,0 +1,45 @@
+From 2664ebfbe23e8584288aa134c17d30fac7182b8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 12:33:12 +0000
+Subject: drm/meson: fix 1px pink line on GXM when scaling video overlay
+
+From: Christian Hewitt <christianshewitt@gmail.com>
+
+[ Upstream commit 5c8cf1664f288098a971a1d1e65716a2b6a279e1 ]
+
+Playing media with a resolution smaller than the crtc size requires the
+video overlay to be scaled for output and GXM boards display a 1px pink
+line on the bottom of the scaled overlay. Comparing with the downstream
+vendor driver revealed VPP_DUMMY_DATA not being set [0].
+
+Setting VPP_DUMMY_DATA prevents the 1px pink line from being seen.
+
+[0] https://github.com/endlessm/linux-s905x/blob/master/drivers/amlogic/amports/video.c#L7869
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Suggested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230303123312.155164-1-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_vpp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/meson/meson_vpp.c b/drivers/gpu/drm/meson/meson_vpp.c
+index 154837688ab0d..5df1957c8e41f 100644
+--- a/drivers/gpu/drm/meson/meson_vpp.c
++++ b/drivers/gpu/drm/meson/meson_vpp.c
+@@ -100,6 +100,8 @@ void meson_vpp_init(struct meson_drm *priv)
+                              priv->io_base + _REG(VPP_DOLBY_CTRL));
+               writel_relaxed(0x1020080,
+                               priv->io_base + _REG(VPP_DUMMY_DATA1));
++              writel_relaxed(0x42020,
++                              priv->io_base + _REG(VPP_DUMMY_DATA));
+       } else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
+               writel_relaxed(0xf, priv->io_base + _REG(DOLBY_PATH_CTRL));
+-- 
+2.39.2
+
diff --git a/queue-5.15/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch b/queue-5.15/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch
new file mode 100644 (file)
index 0000000..eb79199
--- /dev/null
@@ -0,0 +1,38 @@
+From 05ffa1f61c56dc52a285ba349e6d32c26b501564 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 04:40:38 +0300
+Subject: drm/panfrost: Don't sync rpm suspension after mmu flushing
+
+From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+
+[ Upstream commit ba3be66f11c3c49afaa9f49b99e21d88756229ef ]
+
+Lockdep warns about potential circular locking dependency of devfreq
+with the fs_reclaim caused by immediate device suspension when mapping is
+released by shrinker. Fix it by doing the suspension asynchronously.
+
+Reviewed-by: Steven Price <steven.price@arm.com>
+Fixes: ec7eba47da86 ("drm/panfrost: Rework page table flushing and runtime PM interaction")
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Link: https://lore.kernel.org/all/20230108210445.3948344-3-dmitry.osipenko@collabora.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+index c3292a6bd1ae8..d6dda97e2591d 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -253,7 +253,7 @@ static void panfrost_mmu_flush_range(struct panfrost_device *pfdev,
+       if (pm_runtime_active(pfdev->dev))
+               mmu_hw_do_operation(pfdev, mmu, iova, size, AS_COMMAND_FLUSH_PT);
+-      pm_runtime_put_sync_autosuspend(pfdev->dev);
++      pm_runtime_put_autosuspend(pfdev->dev);
+ }
+ static int mmu_map_sg(struct panfrost_device *pfdev, struct panfrost_mmu *mmu,
+-- 
+2.39.2
+
diff --git a/queue-5.15/ethernet-sun-add-check-for-the-mdesc_grab.patch b/queue-5.15/ethernet-sun-add-check-for-the-mdesc_grab.patch
new file mode 100644 (file)
index 0000000..ce9cae7
--- /dev/null
@@ -0,0 +1,55 @@
+From ba0a2193a411e1160fcf7aca39f5e76bbfe5ec7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:00:21 +0800
+Subject: ethernet: sun: add check for the mdesc_grab()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 90de546d9a0b3c771667af18bb3f80567eabb89b ]
+
+In vnet_port_probe() and vsw_port_probe(), we should
+check the return value of mdesc_grab() as it may
+return NULL which can caused NPD bugs.
+
+Fixes: 5d01fa0c6bd8 ("ldmvsw: Add ldmvsw.c driver code")
+Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.")
+Signed-off-by: Liang He <windhl@126.com>
+Reviewed-by: Piotr Raczynski <piotr.raczynski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/ldmvsw.c  | 3 +++
+ drivers/net/ethernet/sun/sunvnet.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/sun/ldmvsw.c b/drivers/net/ethernet/sun/ldmvsw.c
+index 50bd4e3b0af9d..cde65f76e5cef 100644
+--- a/drivers/net/ethernet/sun/ldmvsw.c
++++ b/drivers/net/ethernet/sun/ldmvsw.c
+@@ -290,6 +290,9 @@ static int vsw_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+       hp = mdesc_grab();
++      if (!hp)
++              return -ENODEV;
++
+       rmac = mdesc_get_property(hp, vdev->mp, remote_macaddr_prop, &len);
+       err = -ENODEV;
+       if (!rmac) {
+diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c
+index 58ee89223951e..dcdfc1fd3d2ca 100644
+--- a/drivers/net/ethernet/sun/sunvnet.c
++++ b/drivers/net/ethernet/sun/sunvnet.c
+@@ -431,6 +431,9 @@ static int vnet_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+       hp = mdesc_grab();
++      if (!hp)
++              return -ENODEV;
++
+       vp = vnet_find_parent(hp, vdev->mp, vdev);
+       if (IS_ERR(vp)) {
+               pr_err("Cannot find port parent vnet\n");
+-- 
+2.39.2
+
diff --git a/queue-5.15/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch b/queue-5.15/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch
new file mode 100644 (file)
index 0000000..4c6ddc3
--- /dev/null
@@ -0,0 +1,91 @@
+From 3ffc0514a93780183239801c62f8c6424a3f3c71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 10:45:09 -0800
+Subject: i40e: Fix kernel crash during reboot when adapter is in recovery mode
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 7e4f8a0c495413a50413e8c9f1032ce1bc633bae ]
+
+If the driver detects during probe that firmware is in recovery
+mode then i40e_init_recovery_mode() is called and the rest of
+probe function is skipped including pci_set_drvdata(). Subsequent
+i40e_shutdown() called during shutdown/reboot dereferences NULL
+pointer as pci_get_drvdata() returns NULL.
+
+To fix call pci_set_drvdata() also during entering to recovery mode.
+
+Reproducer:
+1) Lets have i40e NIC with firmware in recovery mode
+2) Run reboot
+
+Result:
+[  139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver
+[  139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation.
+[  139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality.
+[  139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.
+[  139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]
+[  139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0
+[  139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality.
+[  139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.
+[  139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]
+[  139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0
+...
+[  156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2
+[  156.318330] #PF: supervisor write access in kernel mode
+[  156.323546] #PF: error_code(0x0002) - not-present page
+[  156.328679] PGD 0 P4D 0
+[  156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[  156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G            E      6.2.0+ #1
+[  156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022
+[  156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e]
+[  156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 <f0> 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00
+[  156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282
+[  156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001
+[  156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000
+[  156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40
+[  156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000
+[  156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000
+[  156.418007] FS:  00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000
+[  156.426083] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0
+[  156.438944] PKRU: 55555554
+[  156.441647] Call Trace:
+[  156.444096]  <TASK>
+[  156.446199]  pci_device_shutdown+0x38/0x60
+[  156.450297]  device_shutdown+0x163/0x210
+[  156.454215]  kernel_restart+0x12/0x70
+[  156.457872]  __do_sys_reboot+0x1ab/0x230
+[  156.461789]  ? vfs_writev+0xa6/0x1a0
+[  156.465362]  ? __pfx_file_free_rcu+0x10/0x10
+[  156.469635]  ? __call_rcu_common.constprop.85+0x109/0x5a0
+[  156.475034]  do_syscall_64+0x3e/0x90
+[  156.478611]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[  156.483658] RIP: 0033:0x7fe7bff37ab7
+
+Fixes: 4ff0ee1af016 ("i40e: Introduce recovery mode support")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20230309184509.984639-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 5ffcd3cc989f7..85d48efce1d00 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -15338,6 +15338,7 @@ static int i40e_init_recovery_mode(struct i40e_pf *pf, struct i40e_hw *hw)
+       int err;
+       int v_idx;
++      pci_set_drvdata(pf->pdev, pf);
+       pci_save_state(pf->pdev);
+       /* set up periodic task facility */
+-- 
+2.39.2
+
diff --git a/queue-5.15/ice-xsk-disable-txq-irq-before-flushing-hw.patch b/queue-5.15/ice-xsk-disable-txq-irq-before-flushing-hw.patch
new file mode 100644 (file)
index 0000000..494a5d8
--- /dev/null
@@ -0,0 +1,111 @@
+From 5642c9184dd48db3f110c542963624979ddf0310 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 10:45:43 -0700
+Subject: ice: xsk: disable txq irq before flushing hw
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit b830c9642386867863ac64295185f896ff2928ac ]
+
+ice_qp_dis() intends to stop a given queue pair that is a target of xsk
+pool attach/detach. One of the steps is to disable interrupts on these
+queues. It currently is broken in a way that txq irq is turned off
+*after* HW flush which in turn takes no effect.
+
+ice_qp_dis():
+-> ice_qvec_dis_irq()
+--> disable rxq irq
+--> flush hw
+-> ice_vsi_stop_tx_ring()
+-->disable txq irq
+
+Below splat can be triggered by following steps:
+- start xdpsock WITHOUT loading xdp prog
+- run xdp_rxq_info with XDP_TX action on this interface
+- start traffic
+- terminate xdpsock
+
+[  256.312485] BUG: kernel NULL pointer dereference, address: 0000000000000018
+[  256.319560] #PF: supervisor read access in kernel mode
+[  256.324775] #PF: error_code(0x0000) - not-present page
+[  256.329994] PGD 0 P4D 0
+[  256.332574] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[  256.337006] CPU: 3 PID: 32 Comm: ksoftirqd/3 Tainted: G           OE      6.2.0-rc5+ #51
+[  256.345218] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
+[  256.355807] RIP: 0010:ice_clean_rx_irq_zc+0x9c/0x7d0 [ice]
+[  256.361423] Code: b7 8f 8a 00 00 00 66 39 ca 0f 84 f1 04 00 00 49 8b 47 40 4c 8b 24 d0 41 0f b7 45 04 66 25 ff 3f 66 89 04 24 0f 84 85 02 00 00 <49> 8b 44 24 18 0f b7 14 24 48 05 00 01 00 00 49 89 04 24 49 89 44
+[  256.380463] RSP: 0018:ffffc900088bfd20 EFLAGS: 00010206
+[  256.385765] RAX: 000000000000003c RBX: 0000000000000035 RCX: 000000000000067f
+[  256.393012] RDX: 0000000000000775 RSI: 0000000000000000 RDI: ffff8881deb3ac80
+[  256.400256] RBP: 000000000000003c R08: ffff889847982710 R09: 0000000000010000
+[  256.407500] R10: ffffffff82c060c0 R11: 0000000000000004 R12: 0000000000000000
+[  256.414746] R13: ffff88811165eea0 R14: ffffc9000d255000 R15: ffff888119b37600
+[  256.421990] FS:  0000000000000000(0000) GS:ffff8897e0cc0000(0000) knlGS:0000000000000000
+[  256.430207] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  256.436036] CR2: 0000000000000018 CR3: 0000000005c0a006 CR4: 00000000007706e0
+[  256.443283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  256.450527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  256.457770] PKRU: 55555554
+[  256.460529] Call Trace:
+[  256.463015]  <TASK>
+[  256.465157]  ? ice_xmit_zc+0x6e/0x150 [ice]
+[  256.469437]  ice_napi_poll+0x46d/0x680 [ice]
+[  256.473815]  ? _raw_spin_unlock_irqrestore+0x1b/0x40
+[  256.478863]  __napi_poll+0x29/0x160
+[  256.482409]  net_rx_action+0x136/0x260
+[  256.486222]  __do_softirq+0xe8/0x2e5
+[  256.489853]  ? smpboot_thread_fn+0x2c/0x270
+[  256.494108]  run_ksoftirqd+0x2a/0x50
+[  256.497747]  smpboot_thread_fn+0x1c1/0x270
+[  256.501907]  ? __pfx_smpboot_thread_fn+0x10/0x10
+[  256.506594]  kthread+0xea/0x120
+[  256.509785]  ? __pfx_kthread+0x10/0x10
+[  256.513597]  ret_from_fork+0x29/0x50
+[  256.517238]  </TASK>
+
+In fact, irqs were not disabled and napi managed to be scheduled and run
+while xsk_pool pointer was still valid, but SW ring of xdp_buff pointers
+was already freed.
+
+To fix this, call ice_qvec_dis_irq() after ice_vsi_stop_tx_ring(). Also
+while at it, remove redundant ice_clean_rx_ring() call - this is handled
+in ice_qp_clean_rings().
+
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index 60d8ef0c88595..070be30cbaa91 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -166,8 +166,6 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+       }
+       netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx));
+-      ice_qvec_dis_irq(vsi, rx_ring, q_vector);
+-
+       ice_fill_txq_meta(vsi, tx_ring, &txq_meta);
+       err = ice_vsi_stop_tx_ring(vsi, ICE_NO_RESET, 0, tx_ring, &txq_meta);
+       if (err)
+@@ -182,6 +180,8 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+               if (err)
+                       return err;
+       }
++      ice_qvec_dis_irq(vsi, rx_ring, q_vector);
++
+       err = ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, true);
+       if (err)
+               return err;
+-- 
+2.39.2
+
diff --git a/queue-5.15/ipv4-fix-incorrect-table-id-in-ioctl-path.patch b/queue-5.15/ipv4-fix-incorrect-table-id-in-ioctl-path.patch
new file mode 100644 (file)
index 0000000..519d0bd
--- /dev/null
@@ -0,0 +1,74 @@
+From 0efda240afcb902b8ad61688b9b0878e0c5f0573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:40:09 +0200
+Subject: ipv4: Fix incorrect table ID in IOCTL path
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 8a2618e14f81604a9b6ad305d57e0c8da939cd65 ]
+
+Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source
+address is deleted") started to take the table ID field in the FIB info
+structure into account when determining if two structures are identical
+or not. This field is initialized using the 'fc_table' field in the
+route configuration structure, which is not set when adding a route via
+IOCTL.
+
+The above can result in user space being able to install two identical
+routes that only differ in the table ID field of their associated FIB
+info.
+
+Fix by initializing the table ID field in the route configuration
+structure in the IOCTL path.
+
+Before the fix:
+
+ # ip route add default via 192.0.2.2
+ # route add default gw 192.0.2.2
+ # ip -4 r show default
+ # default via 192.0.2.2 dev dummy10
+ # default via 192.0.2.2 dev dummy10
+
+After the fix:
+
+ # ip route add default via 192.0.2.2
+ # route add default gw 192.0.2.2
+ SIOCADDRT: File exists
+ # ip -4 r show default
+ default via 192.0.2.2 dev dummy10
+
+Audited the code paths to ensure there are no other paths that do not
+properly initialize the route configuration structure when installing a
+route.
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Fixes: f96a3d74554d ("ipv4: Fix incorrect route flushing when source address is deleted")
+Reported-by: gaoxingwang <gaoxingwang1@huawei.com>
+Link: https://lore.kernel.org/netdev/20230314144159.2354729-1-gaoxingwang1@huawei.com/
+Tested-by: gaoxingwang <gaoxingwang1@huawei.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230315124009.4015212-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_frontend.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 75c88d4863276..c21d57f02c651 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -573,6 +573,9 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt,
+                       cfg->fc_scope = RT_SCOPE_UNIVERSE;
+       }
++      if (!cfg->fc_table)
++              cfg->fc_table = RT_TABLE_MAIN;
++
+       if (cmd == SIOCDELRT)
+               return 0;
+-- 
+2.39.2
+
diff --git a/queue-5.15/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch b/queue-5.15/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
new file mode 100644 (file)
index 0000000..7df0a94
--- /dev/null
@@ -0,0 +1,49 @@
+From f4767a66e606f8fd87fc953b3f1e372bb0d563e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 10:03:36 +0800
+Subject: ipvlan: Make skb->skb_iif track skb->dev for l3s mode
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit 59a0b022aa249e3f5735d93de0849341722c4754 ]
+
+For l3s mode, skb->dev is set to ipvlan interface in ipvlan_nf_input():
+  skb->dev = addr->master->dev
+but, skb->skb_iif remain unchanged, this will cause socket lookup failed
+if a target socket is bound to a interface, like the following example:
+
+  ip link add ipvlan0 link eth0 type ipvlan mode l3s
+  ip addr add dev ipvlan0 192.168.124.111/24
+  ip link set ipvlan0 up
+
+  ping -c 1 -I ipvlan0 8.8.8.8
+  100% packet loss
+
+This is because there is no match sk in __raw_v4_lookup() as sk->sk_bound_dev_if != dif(skb->skb_iif).
+Fix this by make skb->skb_iif track skb->dev in ipvlan_nf_input().
+
+Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes")
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/29865b1f-6db7-c07a-de89-949d3721ea30@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan_l3s.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c
+index 943d26cbf39f5..71712ea25403d 100644
+--- a/drivers/net/ipvlan/ipvlan_l3s.c
++++ b/drivers/net/ipvlan/ipvlan_l3s.c
+@@ -101,6 +101,7 @@ static unsigned int ipvlan_nf_input(void *priv, struct sk_buff *skb,
+               goto out;
+       skb->dev = addr->master->dev;
++      skb->skb_iif = skb->dev->ifindex;
+       len = skb->len + ETH_HLEN;
+       ipvlan_count_rx(addr->master, len, true, false);
+ out:
+-- 
+2.39.2
+
diff --git a/queue-5.15/loop-fix-use-after-free-issues.patch b/queue-5.15/loop-fix-use-after-free-issues.patch
new file mode 100644 (file)
index 0000000..9c530d7
--- /dev/null
@@ -0,0 +1,101 @@
+From a605e60e4aa62d5bcec4a4437feb790d8952d774 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 11:21:54 -0700
+Subject: loop: Fix use-after-free issues
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 9b0cb770f5d7b1ff40bea7ca385438ee94570eec ]
+
+do_req_filebacked() calls blk_mq_complete_request() synchronously or
+asynchronously when using asynchronous I/O unless memory allocation fails.
+Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor
+'rq' after do_req_filebacked() finished unless we are sure that the request
+has not yet been completed. This patch fixes the following kernel crash:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054
+Call trace:
+ css_put.42938+0x1c/0x1ac
+ loop_process_work+0xc8c/0xfd4
+ loop_rootcg_workfn+0x24/0x34
+ process_one_work+0x244/0x558
+ worker_thread+0x400/0x8fc
+ kthread+0x16c/0x1e0
+ ret_from_fork+0x10/0x20
+
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Dan Schatzberg <schatzberg.dan@gmail.com>
+Fixes: c74d40e8b5e2 ("loop: charge i/o to mem and blk cg")
+Fixes: bc07c10a3603 ("block: loop: support DIO & AIO")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20230314182155.80625-1-bvanassche@acm.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/loop.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 58a38e61de535..07cf7a35ae502 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -2188,35 +2188,44 @@ static blk_status_t loop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ static void loop_handle_cmd(struct loop_cmd *cmd)
+ {
++      struct cgroup_subsys_state *cmd_blkcg_css = cmd->blkcg_css;
++      struct cgroup_subsys_state *cmd_memcg_css = cmd->memcg_css;
+       struct request *rq = blk_mq_rq_from_pdu(cmd);
+       const bool write = op_is_write(req_op(rq));
+       struct loop_device *lo = rq->q->queuedata;
+       int ret = 0;
+       struct mem_cgroup *old_memcg = NULL;
++      const bool use_aio = cmd->use_aio;
+       if (write && (lo->lo_flags & LO_FLAGS_READ_ONLY)) {
+               ret = -EIO;
+               goto failed;
+       }
+-      if (cmd->blkcg_css)
+-              kthread_associate_blkcg(cmd->blkcg_css);
+-      if (cmd->memcg_css)
++      if (cmd_blkcg_css)
++              kthread_associate_blkcg(cmd_blkcg_css);
++      if (cmd_memcg_css)
+               old_memcg = set_active_memcg(
+-                      mem_cgroup_from_css(cmd->memcg_css));
++                      mem_cgroup_from_css(cmd_memcg_css));
++      /*
++       * do_req_filebacked() may call blk_mq_complete_request() synchronously
++       * or asynchronously if using aio. Hence, do not touch 'cmd' after
++       * do_req_filebacked() has returned unless we are sure that 'cmd' has
++       * not yet been completed.
++       */
+       ret = do_req_filebacked(lo, rq);
+-      if (cmd->blkcg_css)
++      if (cmd_blkcg_css)
+               kthread_associate_blkcg(NULL);
+-      if (cmd->memcg_css) {
++      if (cmd_memcg_css) {
+               set_active_memcg(old_memcg);
+-              css_put(cmd->memcg_css);
++              css_put(cmd_memcg_css);
+       }
+  failed:
+       /* complete non-aio request */
+-      if (!cmd->use_aio || ret) {
++      if (!use_aio || ret) {
+               if (ret == -EOPNOTSUPP)
+                       cmd->ret = ret;
+               else
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch b/queue-5.15/net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch
new file mode 100644 (file)
index 0000000..ed39aa2
--- /dev/null
@@ -0,0 +1,41 @@
+From 696045c9575a5adc13a672c716ab966471868f27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 10:33:37 +0300
+Subject: net: dsa: mt7530: remove now incorrect comment regarding port 5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit feb03fd11c5616f3a47e4714d2f9917d0f1a2edd ]
+
+Remove now incorrect comment regarding port 5 as GMAC5. This is supposed to
+be supported since commit 38f790a80560 ("net: dsa: mt7530: Add support for
+port 5") under mt7530_setup_port5().
+
+Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5")
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20230310073338.5836-1-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 7bcfa3be95e29..22a09a11d8749 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -2168,7 +2168,7 @@ mt7530_setup(struct dsa_switch *ds)
+       mt7530_pll_setup(priv);
+-      /* Enable Port 6 only; P5 as GMAC5 which currently is not supported */
++      /* Enable port 6 */
+       val = mt7530_read(priv, MT7530_MHWTRAP);
+       val &= ~MHWTRAP_P6_DIS & ~MHWTRAP_PHY_ACCESS;
+       val |= MHWTRAP_MANUAL;
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch b/queue-5.15/net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch
new file mode 100644 (file)
index 0000000..b1c802f
--- /dev/null
@@ -0,0 +1,120 @@
+From 560642604e3e4fdfbc6109ce32ec30188384e96f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 10:33:38 +0300
+Subject: net: dsa: mt7530: set PLL frequency and trgmii only when trgmii is
+ used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 0b086d76e7b011772b0ac214c6e5fd5816eff2df ]
+
+As my testing on the MCM MT7530 switch on MT7621 SoC shows, setting the PLL
+frequency does not affect MII modes other than trgmii on port 5 and port 6.
+So the assumption is that the operation here called "setting the PLL
+frequency" actually sets the frequency of the TRGMII TX clock.
+
+Make it so that it and the rest of the trgmii setup run only when the
+trgmii mode is used.
+
+Tested rgmii and trgmii modes of port 6 on MCM MT7530 on MT7621AT Unielec
+U7621-06 and standalone MT7530 on MT7623NI Bananapi BPI-R2.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Tested-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20230310073338.5836-2-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 62 ++++++++++++++++++++--------------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 22a09a11d8749..793992c378559 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -425,8 +425,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+       switch (interface) {
+       case PHY_INTERFACE_MODE_RGMII:
+               trgint = 0;
+-              /* PLL frequency: 125MHz */
+-              ncpo1 = 0x0c80;
+               break;
+       case PHY_INTERFACE_MODE_TRGMII:
+               trgint = 1;
+@@ -457,38 +455,40 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+       mt7530_rmw(priv, MT7530_P6ECR, P6_INTF_MODE_MASK,
+                  P6_INTF_MODE(trgint));
+-      /* Lower Tx Driving for TRGMII path */
+-      for (i = 0 ; i < NUM_TRGMII_CTRL ; i++)
+-              mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
+-                           TD_DM_DRVP(8) | TD_DM_DRVN(8));
+-
+-      /* Disable MT7530 core and TRGMII Tx clocks */
+-      core_clear(priv, CORE_TRGMII_GSW_CLK_CG,
+-                 REG_GSWCK_EN | REG_TRGMIICK_EN);
+-
+-      /* Setup the MT7530 TRGMII Tx Clock */
+-      core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1));
+-      core_write(priv, CORE_PLL_GROUP6, RG_LCDDS_PCW_NCPO0(0));
+-      core_write(priv, CORE_PLL_GROUP10, RG_LCDDS_SSC_DELTA(ssc_delta));
+-      core_write(priv, CORE_PLL_GROUP11, RG_LCDDS_SSC_DELTA1(ssc_delta));
+-      core_write(priv, CORE_PLL_GROUP4,
+-                 RG_SYSPLL_DDSFBK_EN | RG_SYSPLL_BIAS_EN |
+-                 RG_SYSPLL_BIAS_LPF_EN);
+-      core_write(priv, CORE_PLL_GROUP2,
+-                 RG_SYSPLL_EN_NORMAL | RG_SYSPLL_VODEN |
+-                 RG_SYSPLL_POSDIV(1));
+-      core_write(priv, CORE_PLL_GROUP7,
+-                 RG_LCDDS_PCW_NCPO_CHG | RG_LCCDS_C(3) |
+-                 RG_LCDDS_PWDB | RG_LCDDS_ISO_EN);
+-
+-      /* Enable MT7530 core and TRGMII Tx clocks */
+-      core_set(priv, CORE_TRGMII_GSW_CLK_CG,
+-               REG_GSWCK_EN | REG_TRGMIICK_EN);
+-
+-      if (!trgint)
++      if (trgint) {
++              /* Lower Tx Driving for TRGMII path */
++              for (i = 0 ; i < NUM_TRGMII_CTRL ; i++)
++                      mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
++                                   TD_DM_DRVP(8) | TD_DM_DRVN(8));
++
++              /* Disable MT7530 core and TRGMII Tx clocks */
++              core_clear(priv, CORE_TRGMII_GSW_CLK_CG,
++                         REG_GSWCK_EN | REG_TRGMIICK_EN);
++
++              /* Setup the MT7530 TRGMII Tx Clock */
++              core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1));
++              core_write(priv, CORE_PLL_GROUP6, RG_LCDDS_PCW_NCPO0(0));
++              core_write(priv, CORE_PLL_GROUP10, RG_LCDDS_SSC_DELTA(ssc_delta));
++              core_write(priv, CORE_PLL_GROUP11, RG_LCDDS_SSC_DELTA1(ssc_delta));
++              core_write(priv, CORE_PLL_GROUP4,
++                         RG_SYSPLL_DDSFBK_EN | RG_SYSPLL_BIAS_EN |
++                         RG_SYSPLL_BIAS_LPF_EN);
++              core_write(priv, CORE_PLL_GROUP2,
++                         RG_SYSPLL_EN_NORMAL | RG_SYSPLL_VODEN |
++                         RG_SYSPLL_POSDIV(1));
++              core_write(priv, CORE_PLL_GROUP7,
++                         RG_LCDDS_PCW_NCPO_CHG | RG_LCCDS_C(3) |
++                         RG_LCDDS_PWDB | RG_LCDDS_ISO_EN);
++
++              /* Enable MT7530 core and TRGMII Tx clocks */
++              core_set(priv, CORE_TRGMII_GSW_CLK_CG,
++                       REG_GSWCK_EN | REG_TRGMIICK_EN);
++      } else {
+               for (i = 0 ; i < NUM_TRGMII_CTRL; i++)
+                       mt7530_rmw(priv, MT7530_TRGMII_RD(i),
+                                  RD_TAP_MASK, RD_TAP(16));
++      }
++
+       return 0;
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch b/queue-5.15/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch
new file mode 100644 (file)
index 0000000..3244414
--- /dev/null
@@ -0,0 +1,110 @@
+From 8519a56f3475ddf9cf1f0cfe8223701105b59ed7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 20:24:05 +0200
+Subject: net: dsa: mv88e6xxx: fix max_mtu of 1492 on 6165, 6191, 6220, 6250,
+ 6290
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 7e9517375a14f44ee830ca1c3278076dd65fcc8f ]
+
+There are 3 classes of switch families that the driver is aware of, as
+far as mv88e6xxx_change_mtu() is concerned:
+
+- MTU configuration is available per port. Here, the
+  chip->info->ops->port_set_jumbo_size() method will be present.
+
+- MTU configuration is global to the switch. Here, the
+  chip->info->ops->set_max_frame_size() method will be present.
+
+- We don't know how to change the MTU. Here, none of the above methods
+  will be present.
+
+Switch families MV88E6165, MV88E6191, MV88E6220, MV88E6250 and MV88E6290
+fall in category 3.
+
+The blamed commit has adjusted the MTU for all 3 categories by EDSA_HLEN
+(8 bytes), resulting in a new maximum MTU of 1492 being reported by the
+driver for these switches.
+
+I don't have the hardware to test, but I do have a MV88E6390 switch on
+which I can simulate this by commenting out its .port_set_jumbo_size
+definition from mv88e6390_ops. The result is this set of messages at
+probe time:
+
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 1
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 2
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 3
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 4
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 5
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 6
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 7
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 8
+
+It is highly implausible that there exist Ethernet switches which don't
+support the standard MTU of 1500 octets, and this is what the DSA
+framework says as well - the error comes from dsa_slave_create() ->
+dsa_slave_change_mtu(slave_dev, ETH_DATA_LEN).
+
+But the error messages are alarming, and it would be good to suppress
+them.
+
+As a consequence of this unlikeliness, we reimplement mv88e6xxx_get_max_mtu()
+and mv88e6xxx_change_mtu() on switches from the 3rd category as follows:
+the maximum supported MTU is 1500, and any request to set the MTU to a
+value larger than that fails in dev_validate_mtu().
+
+Fixes: b9c587fed61c ("dsa: mv88e6xxx: Include tagger overhead when setting MTU for DSA and CPU ports")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index f9efd0c8bab8d..99c4e45c62e33 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3054,7 +3054,7 @@ static int mv88e6xxx_get_max_mtu(struct dsa_switch *ds, int port)
+               return 10240 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN;
+       else if (chip->info->ops->set_max_frame_size)
+               return 1632 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN;
+-      return 1522 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN;
++      return ETH_DATA_LEN;
+ }
+ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu)
+@@ -3062,6 +3062,17 @@ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu)
+       struct mv88e6xxx_chip *chip = ds->priv;
+       int ret = 0;
++      /* For families where we don't know how to alter the MTU,
++       * just accept any value up to ETH_DATA_LEN
++       */
++      if (!chip->info->ops->port_set_jumbo_size &&
++          !chip->info->ops->set_max_frame_size) {
++              if (new_mtu > ETH_DATA_LEN)
++                      return -EINVAL;
++
++              return 0;
++      }
++
+       if (dsa_is_dsa_port(ds, port) || dsa_is_cpu_port(ds, port))
+               new_mtu += EDSA_HLEN;
+@@ -3070,9 +3081,6 @@ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu)
+               ret = chip->info->ops->port_set_jumbo_size(chip, port, new_mtu);
+       else if (chip->info->ops->set_max_frame_size)
+               ret = chip->info->ops->set_max_frame_size(chip, new_mtu);
+-      else
+-              if (new_mtu > 1522)
+-                      ret = -EINVAL;
+       mv88e6xxx_reg_unlock(chip);
+       return ret;
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-iucv-fix-size-of-interrupt-data.patch b/queue-5.15/net-iucv-fix-size-of-interrupt-data.patch
new file mode 100644 (file)
index 0000000..22391fe
--- /dev/null
@@ -0,0 +1,105 @@
+From 92dea5ece8b3ee5f1b03af9a229721e0f43d3cf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:14:35 +0100
+Subject: net/iucv: Fix size of interrupt data
+
+From: Alexandra Winter <wintera@linux.ibm.com>
+
+[ Upstream commit 3d87debb8ed2649608ff432699e7c961c0c6f03b ]
+
+iucv_irq_data needs to be 4 bytes larger.
+These bytes are not used by the iucv module, but written by
+the z/VM hypervisor in case a CPU is deconfigured.
+
+Reported as:
+BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten
+-----------------------------------------------------------------------------
+0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc
+Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1
+__kmem_cache_alloc_node+0x166/0x450
+kmalloc_node_trace+0x3a/0x70
+iucv_cpu_prepare+0x44/0xd0
+cpuhp_invoke_callback+0x156/0x2f0
+cpuhp_issue_call+0xf0/0x298
+__cpuhp_setup_state_cpuslocked+0x136/0x338
+__cpuhp_setup_state+0xf4/0x288
+iucv_init+0xf4/0x280
+do_one_initcall+0x78/0x390
+do_initcalls+0x11a/0x140
+kernel_init_freeable+0x25e/0x2a0
+kernel_init+0x2e/0x170
+__ret_from_fork+0x3c/0x58
+ret_from_fork+0xa/0x40
+Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1
+__kmem_cache_free+0x308/0x358
+iucv_init+0x92/0x280
+do_one_initcall+0x78/0x390
+do_initcalls+0x11a/0x140
+kernel_init_freeable+0x25e/0x2a0
+kernel_init+0x2e/0x170
+__ret_from_fork+0x3c/0x58
+ret_from_fork+0xa/0x40
+Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0|
+Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000
+Redzone  0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
+Redzone  0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
+Redzone  0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
+Redzone  0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
+Object   0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object   0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2  ................
+Object   0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc  ................
+Object   0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
+Redzone  0000000000400580: cc cc cc cc cc cc cc cc                          ........
+Padding  00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
+Padding  00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
+Padding  00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
+CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1
+Hardware name: IBM 3931 A01 704 (z/VM 7.3.0)
+Call Trace:
+[<000000032aa034ec>] dump_stack_lvl+0xac/0x100
+[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140
+[<0000000329f5aa78>] check_object+0x370/0x3c0
+[<0000000329f5ede6>] free_debug_processing+0x15e/0x348
+[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0
+[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8
+[<0000000329f61768>] __kmem_cache_free+0x308/0x358
+[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88
+[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0
+[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0
+[<0000000329c3243e>] cpu_device_down+0x4e/0x78
+[<000000032a61dee0>] device_offline+0xc8/0x118
+[<000000032a61e048>] online_store+0x60/0xe0
+[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8
+[<0000000329fab65c>] vfs_write+0x174/0x360
+[<0000000329fab9fc>] ksys_write+0x74/0x100
+[<000000032aa03a5a>] __do_syscall+0x1da/0x208
+[<000000032aa177b2>] system_call+0x82/0xb0
+INFO: lockdep is turned off.
+FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc
+FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed
+
+Fixes: 2356f4cb1911 ("[S390]: Rewrite of the IUCV base code, part 2")
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230315131435.4113889-1-wintera@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/iucv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index f3343a8541a57..8efc369934fc7 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -83,7 +83,7 @@ struct iucv_irq_data {
+       u16 ippathid;
+       u8  ipflags1;
+       u8  iptype;
+-      u32 res2[8];
++      u32 res2[9];
+ };
+ struct iucv_irq_list {
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch b/queue-5.15/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch
new file mode 100644 (file)
index 0000000..be4f706
--- /dev/null
@@ -0,0 +1,44 @@
+From b2d9bee0367c8157ce73c72ac5288e5e8bbe839e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Mar 2023 19:34:45 +0100
+Subject: net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status
+ fails
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit c22c3bbf351e4ce905f082649cffa1ff893ea8c1 ]
+
+If genphy_read_status fails then further access to the PHY may result
+in unpredictable behavior. To prevent this bail out immediately if
+genphy_read_status fails.
+
+Fixes: 4223dbffed9f ("net: phy: smsc: Re-enable EDPD mode for LAN87xx")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/026aa4f2-36f5-1c10-ab9f-cdb17dda6ac4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index 04e628788f1b5..36dcf6c7f445d 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -206,8 +206,11 @@ static int lan95xx_config_aneg_ext(struct phy_device *phydev)
+ static int lan87xx_read_status(struct phy_device *phydev)
+ {
+       struct smsc_phy_priv *priv = phydev->priv;
++      int err;
+-      int err = genphy_read_status(phydev);
++      err = genphy_read_status(phydev);
++      if (err)
++              return err;
+       if (!phydev->link && priv->energy_enable && phydev->irq == PHY_POLL) {
+               /* Disable EDPD to wake up PHY */
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch b/queue-5.15/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch
new file mode 100644 (file)
index 0000000..5b42459
--- /dev/null
@@ -0,0 +1,164 @@
+From 302552c7cceb5c40da15c2b73237e947ae5d061b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 11:08:28 +0100
+Subject: net/smc: fix deadlock triggered by cancel_delayed_work_syn()
+
+From: Wenjia Zhang <wenjia@linux.ibm.com>
+
+[ Upstream commit 13085e1b5cab8ad802904d72e6a6dae85ae0cd20 ]
+
+The following LOCKDEP was detected:
+               Workqueue: events smc_lgr_free_work [smc]
+               WARNING: possible circular locking dependency detected
+               6.1.0-20221027.rc2.git8.56bc5b569087.300.fc36.s390x+debug #1 Not tainted
+               ------------------------------------------------------
+               kworker/3:0/176251 is trying to acquire lock:
+               00000000f1467148 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0},
+                       at: __flush_workqueue+0x7a/0x4f0
+               but task is already holding lock:
+               0000037fffe97dc8 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0},
+                       at: process_one_work+0x232/0x730
+               which lock already depends on the new lock.
+               the existing dependency chain (in reverse order) is:
+               -> #4 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0}:
+                      __lock_acquire+0x58e/0xbd8
+                      lock_acquire.part.0+0xe2/0x248
+                      lock_acquire+0xac/0x1c8
+                      __flush_work+0x76/0xf0
+                      __cancel_work_timer+0x170/0x220
+                      __smc_lgr_terminate.part.0+0x34/0x1c0 [smc]
+                      smc_connect_rdma+0x15e/0x418 [smc]
+                      __smc_connect+0x234/0x480 [smc]
+                      smc_connect+0x1d6/0x230 [smc]
+                      __sys_connect+0x90/0xc0
+                      __do_sys_socketcall+0x186/0x370
+                      __do_syscall+0x1da/0x208
+                      system_call+0x82/0xb0
+               -> #3 (smc_client_lgr_pending){+.+.}-{3:3}:
+                      __lock_acquire+0x58e/0xbd8
+                      lock_acquire.part.0+0xe2/0x248
+                      lock_acquire+0xac/0x1c8
+                      __mutex_lock+0x96/0x8e8
+                      mutex_lock_nested+0x32/0x40
+                      smc_connect_rdma+0xa4/0x418 [smc]
+                      __smc_connect+0x234/0x480 [smc]
+                      smc_connect+0x1d6/0x230 [smc]
+                      __sys_connect+0x90/0xc0
+                      __do_sys_socketcall+0x186/0x370
+                      __do_syscall+0x1da/0x208
+                      system_call+0x82/0xb0
+               -> #2 (sk_lock-AF_SMC){+.+.}-{0:0}:
+                      __lock_acquire+0x58e/0xbd8
+                      lock_acquire.part.0+0xe2/0x248
+                      lock_acquire+0xac/0x1c8
+                      lock_sock_nested+0x46/0xa8
+                      smc_tx_work+0x34/0x50 [smc]
+                      process_one_work+0x30c/0x730
+                      worker_thread+0x62/0x420
+                      kthread+0x138/0x150
+                      __ret_from_fork+0x3c/0x58
+                      ret_from_fork+0xa/0x40
+               -> #1 ((work_completion)(&(&smc->conn.tx_work)->work)){+.+.}-{0:0}:
+                      __lock_acquire+0x58e/0xbd8
+                      lock_acquire.part.0+0xe2/0x248
+                      lock_acquire+0xac/0x1c8
+                      process_one_work+0x2bc/0x730
+                      worker_thread+0x62/0x420
+                      kthread+0x138/0x150
+                      __ret_from_fork+0x3c/0x58
+                      ret_from_fork+0xa/0x40
+               -> #0 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0}:
+                      check_prev_add+0xd8/0xe88
+                      validate_chain+0x70c/0xb20
+                      __lock_acquire+0x58e/0xbd8
+                      lock_acquire.part.0+0xe2/0x248
+                      lock_acquire+0xac/0x1c8
+                      __flush_workqueue+0xaa/0x4f0
+                      drain_workqueue+0xaa/0x158
+                      destroy_workqueue+0x44/0x2d8
+                      smc_lgr_free+0x9e/0xf8 [smc]
+                      process_one_work+0x30c/0x730
+                      worker_thread+0x62/0x420
+                      kthread+0x138/0x150
+                      __ret_from_fork+0x3c/0x58
+                      ret_from_fork+0xa/0x40
+               other info that might help us debug this:
+               Chain exists of:
+                 (wq_completion)smc_tx_wq-00000000#2
+                 --> smc_client_lgr_pending
+                 --> (work_completion)(&(&lgr->free_work)->work)
+                Possible unsafe locking scenario:
+                      CPU0                    CPU1
+                      ----                    ----
+                 lock((work_completion)(&(&lgr->free_work)->work));
+                                  lock(smc_client_lgr_pending);
+                                  lock((work_completion)
+                                       (&(&lgr->free_work)->work));
+                 lock((wq_completion)smc_tx_wq-00000000#2);
+                *** DEADLOCK ***
+               2 locks held by kworker/3:0/176251:
+                #0: 0000000080183548
+                       ((wq_completion)events){+.+.}-{0:0},
+                               at: process_one_work+0x232/0x730
+                #1: 0000037fffe97dc8
+                       ((work_completion)
+                        (&(&lgr->free_work)->work)){+.+.}-{0:0},
+                               at: process_one_work+0x232/0x730
+               stack backtrace:
+               CPU: 3 PID: 176251 Comm: kworker/3:0 Not tainted
+               Hardware name: IBM 8561 T01 701 (z/VM 7.2.0)
+               Call Trace:
+                [<000000002983c3e4>] dump_stack_lvl+0xac/0x100
+                [<0000000028b477ae>] check_noncircular+0x13e/0x160
+                [<0000000028b48808>] check_prev_add+0xd8/0xe88
+                [<0000000028b49cc4>] validate_chain+0x70c/0xb20
+                [<0000000028b4bd26>] __lock_acquire+0x58e/0xbd8
+                [<0000000028b4cf6a>] lock_acquire.part.0+0xe2/0x248
+                [<0000000028b4d17c>] lock_acquire+0xac/0x1c8
+                [<0000000028addaaa>] __flush_workqueue+0xaa/0x4f0
+                [<0000000028addf9a>] drain_workqueue+0xaa/0x158
+                [<0000000028ae303c>] destroy_workqueue+0x44/0x2d8
+                [<000003ff8029af26>] smc_lgr_free+0x9e/0xf8 [smc]
+                [<0000000028adf3d4>] process_one_work+0x30c/0x730
+                [<0000000028adf85a>] worker_thread+0x62/0x420
+                [<0000000028aeac50>] kthread+0x138/0x150
+                [<0000000028a63914>] __ret_from_fork+0x3c/0x58
+                [<00000000298503da>] ret_from_fork+0xa/0x40
+               INFO: lockdep is turned off.
+===================================================================
+
+This deadlock occurs because cancel_delayed_work_sync() waits for
+the work(&lgr->free_work) to finish, while the &lgr->free_work
+waits for the work(lgr->tx_wq), which needs the sk_lock-AF_SMC, that
+is already used under the mutex_lock.
+
+The solution is to use cancel_delayed_work() instead, which kills
+off a pending work.
+
+Fixes: a52bcc919b14 ("net/smc: improve termination processing")
+Signed-off-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Reviewed-by: Jan Karcher <jaka@linux.ibm.com>
+Reviewed-by: Karsten Graul <kgraul@linux.ibm.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
+index 2eafefa15a1ae..f08fcc50fad3c 100644
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -1297,7 +1297,7 @@ static void __smc_lgr_terminate(struct smc_link_group *lgr, bool soft)
+       if (lgr->terminating)
+               return; /* lgr already terminating */
+       /* cancel free_work sync, will terminate when lgr->freeing is set */
+-      cancel_delayed_work_sync(&lgr->free_work);
++      cancel_delayed_work(&lgr->free_work);
+       lgr->terminating = 1;
+       /* kill remaining link group connections */
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch b/queue-5.15/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch
new file mode 100644 (file)
index 0000000..3e2f417
--- /dev/null
@@ -0,0 +1,68 @@
+From c9107c3b0c19fe346f954558b96818295a64f466 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 16:17:12 +0800
+Subject: net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()
+
+From: D. Wythe <alibuda@linux.alibaba.com>
+
+[ Upstream commit 22a825c541d775c1dbe7b2402786025acad6727b ]
+
+When performing a stress test on SMC-R by rmmod mlx5_ib driver
+during the wrk/nginx test, we found that there is a probability
+of triggering a panic while terminating all link groups.
+
+This issue dues to the race between smc_smcr_terminate_all()
+and smc_buf_create().
+
+                       smc_smcr_terminate_all
+
+smc_buf_create
+/* init */
+conn->sndbuf_desc = NULL;
+...
+
+                       __smc_lgr_terminate
+                               smc_conn_kill
+                                       smc_close_abort
+                                               smc_cdc_get_slot_and_msg_send
+
+                       __softirqentry_text_start
+                               smc_wr_tx_process_cqe
+                                       smc_cdc_tx_handler
+                                               READ(conn->sndbuf_desc->len);
+                                               /* panic dues to NULL sndbuf_desc */
+
+conn->sndbuf_desc = xxx;
+
+This patch tries to fix the issue by always to check the sndbuf_desc
+before send any cdc msg, to make sure that no null pointer is
+seen during cqe processing.
+
+Fixes: 0b29ec643613 ("net/smc: immediate termination for SMCR link groups")
+Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Link: https://lore.kernel.org/r/1678263432-17329-1-git-send-email-alibuda@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_cdc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
+index 5d180d24cbf1c..41b23f71c29a2 100644
+--- a/net/smc/smc_cdc.c
++++ b/net/smc/smc_cdc.c
+@@ -104,6 +104,9 @@ int smc_cdc_msg_send(struct smc_connection *conn,
+       union smc_host_cursor cfed;
+       int rc;
++      if (unlikely(!READ_ONCE(conn->sndbuf_desc)))
++              return -ENOBUFS;
++
+       smc_cdc_add_pending_send(conn, pend);
+       conn->tx_cdc_seq++;
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch b/queue-5.15/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch
new file mode 100644 (file)
index 0000000..7848567
--- /dev/null
@@ -0,0 +1,252 @@
+From 49f1a26862cac23505f10d699a7561f170fa56da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 19:11:09 +0000
+Subject: net: tunnels: annotate lockless accesses to dev->needed_headroom
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4b397c06cb987935b1b097336532aa6b4210e091 ]
+
+IP tunnels can apparently update dev->needed_headroom
+in their xmit path.
+
+This patch takes care of three tunnels xmit, and also the
+core LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA()
+helpers.
+
+More changes might be needed for completeness.
+
+BUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit
+
+read to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1:
+ip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+
+write to 0xffff88815b9da0ec of 2 bytes by task 2379 on cpu 0:
+ip_tunnel_xmit+0x1294/0x1730 net/ipv4/ip_tunnel.c:804
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip6_finish_output2+0x9bc/0xc50 net/ipv6/ip6_output.c:134
+__ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
+ip6_finish_output+0x39a/0x4e0 net/ipv6/ip6_output.c:206
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:227
+dst_output include/net/dst.h:444 [inline]
+NF_HOOK include/linux/netfilter.h:302 [inline]
+mld_sendpack+0x438/0x6a0 net/ipv6/mcast.c:1820
+mld_send_cr net/ipv6/mcast.c:2121 [inline]
+mld_ifc_work+0x519/0x7b0 net/ipv6/mcast.c:2653
+process_one_work+0x3e6/0x750 kernel/workqueue.c:2390
+worker_thread+0x5f2/0xa10 kernel/workqueue.c:2537
+kthread+0x1ac/0x1e0 kernel/kthread.c:376
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+value changed: 0x0dd4 -> 0x0e14
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 2379 Comm: kworker/0:0 Not tainted 6.3.0-rc1-syzkaller-00002-g8ca09d5fa354-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
+Workqueue: mld mld_ifc_work
+
+Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230310191109.2384387-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdevice.h |  6 ++++--
+ net/ipv4/ip_tunnel.c      | 12 ++++++------
+ net/ipv6/ip6_tunnel.c     |  4 ++--
+ 3 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 3a75d644a1204..5b6c38f748076 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -275,9 +275,11 @@ struct hh_cache {
+  * relationship HH alignment <= LL alignment.
+  */
+ #define LL_RESERVED_SPACE(dev) \
+-      ((((dev)->hard_header_len+(dev)->needed_headroom)&~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
++      ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom)) \
++        & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
+ #define LL_RESERVED_SPACE_EXTRA(dev,extra) \
+-      ((((dev)->hard_header_len+(dev)->needed_headroom+(extra))&~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
++      ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom) + (extra)) \
++        & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
+ struct header_ops {
+       int     (*create) (struct sk_buff *skb, struct net_device *dev,
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index fe9101d3d69e0..426dc910aaf87 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -613,10 +613,10 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
+       }
+       headroom += LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len;
+-      if (headroom > dev->needed_headroom)
+-              dev->needed_headroom = headroom;
++      if (headroom > READ_ONCE(dev->needed_headroom))
++              WRITE_ONCE(dev->needed_headroom, headroom);
+-      if (skb_cow_head(skb, dev->needed_headroom)) {
++      if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) {
+               ip_rt_put(rt);
+               goto tx_dropped;
+       }
+@@ -797,10 +797,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
+       max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct iphdr)
+                       + rt->dst.header_len + ip_encap_hlen(&tunnel->encap);
+-      if (max_headroom > dev->needed_headroom)
+-              dev->needed_headroom = max_headroom;
++      if (max_headroom > READ_ONCE(dev->needed_headroom))
++              WRITE_ONCE(dev->needed_headroom, max_headroom);
+-      if (skb_cow_head(skb, dev->needed_headroom)) {
++      if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) {
+               ip_rt_put(rt);
+               dev->stats.tx_dropped++;
+               kfree_skb(skb);
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index ea50779428711..bc5d3188454d0 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1237,8 +1237,8 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
+        */
+       max_headroom = LL_RESERVED_SPACE(dst->dev) + sizeof(struct ipv6hdr)
+                       + dst->header_len + t->hlen;
+-      if (max_headroom > dev->needed_headroom)
+-              dev->needed_headroom = max_headroom;
++      if (max_headroom > READ_ONCE(dev->needed_headroom))
++              WRITE_ONCE(dev->needed_headroom, max_headroom);
+       err = ip6_tnl_encap(skb, t, &proto, fl6);
+       if (err)
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch b/queue-5.15/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch
new file mode 100644 (file)
index 0000000..b432600
--- /dev/null
@@ -0,0 +1,39 @@
+From 89246e4edc25d7362b4bb5389e75d3dfd416f695 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 23:00:45 +0100
+Subject: net: usb: smsc75xx: Limit packet length to skb->len
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit d8b228318935044dafe3a5bc07ee71a1f1424b8d ]
+
+Packet length retrieved from skb data may be larger than
+the actual socket buffer length (up to 9026 bytes). In such
+case the cloned skb passed up the network stack will leak
+kernel memory contents.
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 76f7af1613139..705bd31b18787 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2211,7 +2211,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+                               dev->net->stats.rx_frame_errors++;
+               } else {
+                       /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
+-                      if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
++                      if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
++                                   size > skb->len)) {
+                               netif_dbg(dev, rx_err, dev->net,
+                                         "size err rx_cmd_a=0x%08x\n",
+                                         rx_cmd_a);
+-- 
+2.39.2
+
diff --git a/queue-5.15/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch b/queue-5.15/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
new file mode 100644 (file)
index 0000000..e8bb799
--- /dev/null
@@ -0,0 +1,54 @@
+From ed894f4fb0eb6bb4bc8b48ad0e199cccc36a1779 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 12:05:40 +0100
+Subject: net: usb: smsc75xx: Move packet length check to prevent kernel panic
+ in skb_pull
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c ]
+
+Packet length check needs to be located after size and align_count
+calculation to prevent kernel panic in skb_pull() in case
+rx_cmd_a & RX_CMD_A_RED evaluates to true.
+
+Fixes: d8b228318935 ("net: usb: smsc75xx: Limit packet length to skb->len")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 705bd31b18787..7c3e866514199 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2199,6 +2199,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+               size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING;
+               align_count = (4 - ((size + RXW_PADDING) % 4)) % 4;
++              if (unlikely(size > skb->len)) {
++                      netif_dbg(dev, rx_err, dev->net,
++                                "size err rx_cmd_a=0x%08x\n",
++                                rx_cmd_a);
++                      return 0;
++              }
++
+               if (unlikely(rx_cmd_a & RX_CMD_A_RED)) {
+                       netif_dbg(dev, rx_err, dev->net,
+                                 "Error rx_cmd_a=0x%08x\n", rx_cmd_a);
+@@ -2211,8 +2218,7 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+                               dev->net->stats.rx_frame_errors++;
+               } else {
+                       /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
+-                      if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
+-                                   size > skb->len)) {
++                      if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
+                               netif_dbg(dev, rx_err, dev->net,
+                                         "size err rx_cmd_a=0x%08x\n",
+                                         rx_cmd_a);
+-- 
+2.39.2
+
diff --git a/queue-5.15/netfilter-nft_masq-correct-length-for-loading-protoc.patch b/queue-5.15/netfilter-nft_masq-correct-length-for-loading-protoc.patch
new file mode 100644 (file)
index 0000000..b00386f
--- /dev/null
@@ -0,0 +1,39 @@
+From 3ffb3eb0186ac6d2b3e70f1198a0e94eeaecb12d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 23:22:57 +0000
+Subject: netfilter: nft_masq: correct length for loading protocol registers
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit ec2c5917eb858428b2083d1c74f445aabbe8316b ]
+
+The values in the protocol registers are two bytes wide.  However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`.  Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: 8a6bf5da1aef ("netfilter: nft_masq: support port range")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_masq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
+index 9953e80537536..1818dbf089cad 100644
+--- a/net/netfilter/nft_masq.c
++++ b/net/netfilter/nft_masq.c
+@@ -43,7 +43,7 @@ static int nft_masq_init(const struct nft_ctx *ctx,
+                        const struct nft_expr *expr,
+                        const struct nlattr * const tb[])
+ {
+-      u32 plen = sizeof_field(struct nf_nat_range, min_addr.all);
++      u32 plen = sizeof_field(struct nf_nat_range, min_proto.all);
+       struct nft_masq *priv = nft_expr_priv(expr);
+       int err;
+-- 
+2.39.2
+
diff --git a/queue-5.15/netfilter-nft_nat-correct-length-for-loading-protoco.patch b/queue-5.15/netfilter-nft_nat-correct-length-for-loading-protoco.patch
new file mode 100644 (file)
index 0000000..aa04d64
--- /dev/null
@@ -0,0 +1,39 @@
+From de0e0ace38b1709e899158563216e071d7458cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 23:22:56 +0000
+Subject: netfilter: nft_nat: correct length for loading protocol registers
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 068d82e75d537b444303b8c449a11e51ea659565 ]
+
+The values in the protocol registers are two bytes wide.  However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`.  Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_nat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index db8f9116eeb43..cd4eb4996aff3 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -226,7 +226,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+               priv->flags |= NF_NAT_RANGE_MAP_IPS;
+       }
+-      plen = sizeof_field(struct nf_nat_range, min_addr.all);
++      plen = sizeof_field(struct nf_nat_range, min_proto.all);
+       if (tb[NFTA_NAT_REG_PROTO_MIN]) {
+               err = nft_parse_register_load(tb[NFTA_NAT_REG_PROTO_MIN],
+                                             &priv->sreg_proto_min, plen);
+-- 
+2.39.2
+
diff --git a/queue-5.15/netfilter-nft_redir-correct-length-for-loading-proto.patch b/queue-5.15/netfilter-nft_redir-correct-length-for-loading-proto.patch
new file mode 100644 (file)
index 0000000..f463161
--- /dev/null
@@ -0,0 +1,39 @@
+From a1d2c5520cea55d492003d519a0e52c9208be35d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 23:22:58 +0000
+Subject: netfilter: nft_redir: correct length for loading protocol registers
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 1f617b6b4c7a3d5ea7a56abb83a4c27733b60c2f ]
+
+The values in the protocol registers are two bytes wide.  However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`.  Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_redir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
+index ba09890dddb50..deb7e65c8d82b 100644
+--- a/net/netfilter/nft_redir.c
++++ b/net/netfilter/nft_redir.c
+@@ -48,7 +48,7 @@ static int nft_redir_init(const struct nft_ctx *ctx,
+       unsigned int plen;
+       int err;
+-      plen = sizeof_field(struct nf_nat_range, min_addr.all);
++      plen = sizeof_field(struct nf_nat_range, min_proto.all);
+       if (tb[NFTA_REDIR_REG_PROTO_MIN]) {
+               err = nft_parse_register_load(tb[NFTA_REDIR_REG_PROTO_MIN],
+                                             &priv->sreg_proto_min, plen);
+-- 
+2.39.2
+
diff --git a/queue-5.15/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch b/queue-5.15/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
new file mode 100644 (file)
index 0000000..9c3694c
--- /dev/null
@@ -0,0 +1,37 @@
+From c1aabe988cde5d881f400fd21f8180535151d966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 23:22:59 +0000
+Subject: netfilter: nft_redir: correct value of inet type `.maxattrs`
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 493924519b1fe3faab13ee621a43b0d0939abab1 ]
+
+`nft_redir_inet_type.maxattrs` was being set, presumably because of a
+cut-and-paste error, to `NFTA_MASQ_MAX`, instead of `NFTA_REDIR_MAX`.
+
+Fixes: 63ce3940f3ab ("netfilter: nft_redir: add inet support")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_redir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
+index deb7e65c8d82b..e64f531d66cfc 100644
+--- a/net/netfilter/nft_redir.c
++++ b/net/netfilter/nft_redir.c
+@@ -232,7 +232,7 @@ static struct nft_expr_type nft_redir_inet_type __read_mostly = {
+       .name           = "redir",
+       .ops            = &nft_redir_inet_ops,
+       .policy         = nft_redir_policy,
+-      .maxattr        = NFTA_MASQ_MAX,
++      .maxattr        = NFTA_REDIR_MAX,
+       .owner          = THIS_MODULE,
+ };
+-- 
+2.39.2
+
diff --git a/queue-5.15/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch b/queue-5.15/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
new file mode 100644 (file)
index 0000000..c7b723e
--- /dev/null
@@ -0,0 +1,65 @@
+From 6177fa47ae5a51122b43d4a1776f68fa7eba7f7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 19:50:50 +0300
+Subject: nfc: pn533: initialize struct pn533_out_arg properly
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 484b7059796e3bc1cb527caa61dfc60da649b4f6 ]
+
+struct pn533_out_arg used as a temporary context for out_urb is not
+initialized properly. Its uninitialized 'phy' field can be dereferenced in
+error cases inside pn533_out_complete() callback function. It causes the
+following failure:
+
+general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441
+Call Trace:
+ <IRQ>
+ __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671
+ usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754
+ dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700
+ expire_timers+0x234/0x330 kernel/time/timer.c:1751
+ __run_timers kernel/time/timer.c:2022 [inline]
+ __run_timers kernel/time/timer.c:1995 [inline]
+ run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
+ __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571
+ invoke_softirq kernel/softirq.c:445 [inline]
+ __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
+ irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107
+
+Initialize the field with the pn533_usb_phy currently used.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 9dab880d675b ("nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()")
+Reported-by: syzbot+1e608ba4217c96d1952f@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230309165050.207390-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/pn533/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
+index 62ad26e4299d1..47d423cc26081 100644
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -175,6 +175,7 @@ static int pn533_usb_send_frame(struct pn533 *dev,
+       print_hex_dump_debug("PN533 TX: ", DUMP_PREFIX_NONE, 16, 1,
+                            out->data, out->len, false);
++      arg.phy = phy;
+       init_completion(&arg.done);
+       cntx = phy->out_urb->context;
+       phy->out_urb->context = &arg;
+-- 
+2.39.2
+
diff --git a/queue-5.15/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch b/queue-5.15/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
new file mode 100644 (file)
index 0000000..48a18de
--- /dev/null
@@ -0,0 +1,72 @@
+From e8bc14d29826d4436853cf9782035202887e68bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 00:08:37 +0800
+Subject: nfc: st-nci: Fix use after free bug in ndlc_remove due to race
+ condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 ]
+
+This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
+Take st_nci_i2c_remove as an example.
+
+In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
+with llt_ndlc_sm_work.
+
+When it calls ndlc_recv or timeout handler, it will finally call
+schedule_work to start the work.
+
+When we call st_nci_i2c_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in ndlc_remove
+
+CPU0                  CPU1
+
+                    |llt_ndlc_sm_work
+st_nci_i2c_remove   |
+  ndlc_remove       |
+     st_nci_remove  |
+     nci_free_device|
+     kfree(ndev)    |
+//free ndlc->ndev   |
+                    |llt_ndlc_rcv_queue
+                    |nci_recv_frame
+                    |//use ndlc->ndev
+
+Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/ndlc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c
+index e9dc313b333e2..3564e3335a988 100644
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -286,13 +286,15 @@ EXPORT_SYMBOL(ndlc_probe);
+ void ndlc_remove(struct llt_ndlc *ndlc)
+ {
+-      st_nci_remove(ndlc->ndev);
+-
+       /* cancel timers */
+       del_timer_sync(&ndlc->t1_timer);
+       del_timer_sync(&ndlc->t2_timer);
+       ndlc->t2_active = false;
+       ndlc->t1_active = false;
++      /* cancel work */
++      cancel_work_sync(&ndlc->sm_work);
++
++      st_nci_remove(ndlc->ndev);
+       skb_queue_purge(&ndlc->rcv_q);
+       skb_queue_purge(&ndlc->send_q);
+-- 
+2.39.2
+
diff --git a/queue-5.15/nvme-fix-handling-single-range-discard-request.patch b/queue-5.15/nvme-fix-handling-single-range-discard-request.patch
new file mode 100644 (file)
index 0000000..ac70c9b
--- /dev/null
@@ -0,0 +1,70 @@
+From fa961558b66be9d64fa53df3d52e06e8de04fce8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Mar 2023 07:13:45 +0800
+Subject: nvme: fix handling single range discard request
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 37f0dc2ec78af0c3f35dd05578763de059f6fe77 ]
+
+When investigating one customer report on warning in nvme_setup_discard,
+we observed the controller(nvme/tcp) actually exposes
+queue_max_discard_segments(req->q) == 1.
+
+Obviously the current code can't handle this situation, since contiguity
+merge like normal RW request is taken.
+
+Fix the issue by building range from request sector/nr_sectors directly.
+
+Fixes: b35ba01ea697 ("nvme: support ranged discard requests")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 06750f3d52745..ef9d7a795b007 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -853,16 +853,26 @@ static blk_status_t nvme_setup_discard(struct nvme_ns *ns, struct request *req,
+               range = page_address(ns->ctrl->discard_page);
+       }
+-      __rq_for_each_bio(bio, req) {
+-              u64 slba = nvme_sect_to_lba(ns, bio->bi_iter.bi_sector);
+-              u32 nlb = bio->bi_iter.bi_size >> ns->lba_shift;
+-
+-              if (n < segments) {
+-                      range[n].cattr = cpu_to_le32(0);
+-                      range[n].nlb = cpu_to_le32(nlb);
+-                      range[n].slba = cpu_to_le64(slba);
++      if (queue_max_discard_segments(req->q) == 1) {
++              u64 slba = nvme_sect_to_lba(ns, blk_rq_pos(req));
++              u32 nlb = blk_rq_sectors(req) >> (ns->lba_shift - 9);
++
++              range[0].cattr = cpu_to_le32(0);
++              range[0].nlb = cpu_to_le32(nlb);
++              range[0].slba = cpu_to_le64(slba);
++              n = 1;
++      } else {
++              __rq_for_each_bio(bio, req) {
++                      u64 slba = nvme_sect_to_lba(ns, bio->bi_iter.bi_sector);
++                      u32 nlb = bio->bi_iter.bi_size >> ns->lba_shift;
++
++                      if (n < segments) {
++                              range[n].cattr = cpu_to_le32(0);
++                              range[n].nlb = cpu_to_le32(nlb);
++                              range[n].slba = cpu_to_le64(slba);
++                      }
++                      n++;
+               }
+-              n++;
+       }
+       if (WARN_ON_ONCE(n != segments)) {
+-- 
+2.39.2
+
diff --git a/queue-5.15/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch b/queue-5.15/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch
new file mode 100644 (file)
index 0000000..2ac19b5
--- /dev/null
@@ -0,0 +1,46 @@
+From e5a7c801771882d6bf407cfe732688b9299f3099 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 10:13:13 +0900
+Subject: nvmet: avoid potential UAF in nvmet_req_complete()
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit 6173a77b7e9d3e202bdb9897b23f2a8afe7bf286 ]
+
+An nvme target ->queue_response() operation implementation may free the
+request passed as argument. Such implementation potentially could result
+in a use after free of the request pointer when percpu_ref_put() is
+called in nvmet_req_complete().
+
+Avoid such problem by using a local variable to save the sq pointer
+before calling __nvmet_req_complete(), thus avoiding dereferencing the
+req pointer after that function call.
+
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index cfd0385511564..4c6d56dd29adc 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -756,8 +756,10 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status)
+ void nvmet_req_complete(struct nvmet_req *req, u16 status)
+ {
++      struct nvmet_sq *sq = req->sq;
++
+       __nvmet_req_complete(req, status);
+-      percpu_ref_put(&req->sq->ref);
++      percpu_ref_put(&sq->ref);
+ }
+ EXPORT_SYMBOL_GPL(nvmet_req_complete);
+-- 
+2.39.2
+
diff --git a/queue-5.15/pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch b/queue-5.15/pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch
new file mode 100644 (file)
index 0000000..871f815
--- /dev/null
@@ -0,0 +1,197 @@
+From bfddf28ab03d2c30943f2e6acf3f45f9bc83e677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 16:10:11 +0100
+Subject: PCI: s390: Fix use-after-free of PCI resources with per-function
+ hotplug
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+[ Upstream commit ab909509850b27fd39b8ba99e44cda39dbc3858c ]
+
+On s390 PCI functions may be hotplugged individually even when they
+belong to a multi-function device. In particular on an SR-IOV device VFs
+may be removed and later re-added.
+
+In commit a50297cf8235 ("s390/pci: separate zbus creation from
+scanning") it was missed however that struct pci_bus and struct
+zpci_bus's resource list retained a reference to the PCI functions MMIO
+resources even though those resources are released and freed on
+hot-unplug. These stale resources may subsequently be claimed when the
+PCI function re-appears resulting in use-after-free.
+
+One idea of fixing this use-after-free in s390 specific code that was
+investigated was to simply keep resources around from the moment a PCI
+function first appeared until the whole virtual PCI bus created for
+a multi-function device disappears. The problem with this however is
+that due to the requirement of artificial MMIO addreesses (address
+cookies) extra logic is then needed to keep the address cookies
+compatible on re-plug. At the same time the MMIO resources semantically
+belong to the PCI function so tying their lifecycle to the function
+seems more logical.
+
+Instead a simpler approach is to remove the resources of an individually
+hot-unplugged PCI function from the PCI bus's resource list while
+keeping the resources of other PCI functions on the PCI bus untouched.
+
+This is done by introducing pci_bus_remove_resource() to remove an
+individual resource. Similarly the resource also needs to be removed
+from the struct zpci_bus's resource list. It turns out however, that
+there is really no need to add the MMIO resources to the struct
+zpci_bus's resource list at all and instead we can simply use the
+zpci_bar_struct's resource pointer directly.
+
+Fixes: a50297cf8235 ("s390/pci: separate zbus creation from scanning")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20230306151014.60913-2-schnelle@linux.ibm.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci.c     | 16 ++++++++++------
+ arch/s390/pci/pci_bus.c | 12 +++++-------
+ arch/s390/pci/pci_bus.h |  3 +--
+ drivers/pci/bus.c       | 21 +++++++++++++++++++++
+ include/linux/pci.h     |  1 +
+ 5 files changed, 38 insertions(+), 15 deletions(-)
+
+diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c
+index 639924d983315..56c4cecdbbf9e 100644
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -503,8 +503,7 @@ static struct resource *__alloc_res(struct zpci_dev *zdev, unsigned long start,
+       return r;
+ }
+-int zpci_setup_bus_resources(struct zpci_dev *zdev,
+-                           struct list_head *resources)
++int zpci_setup_bus_resources(struct zpci_dev *zdev)
+ {
+       unsigned long addr, size, flags;
+       struct resource *res;
+@@ -540,7 +539,6 @@ int zpci_setup_bus_resources(struct zpci_dev *zdev,
+                       return -ENOMEM;
+               }
+               zdev->bars[i].res = res;
+-              pci_add_resource(resources, res);
+       }
+       zdev->has_resources = 1;
+@@ -549,17 +547,23 @@ int zpci_setup_bus_resources(struct zpci_dev *zdev,
+ static void zpci_cleanup_bus_resources(struct zpci_dev *zdev)
+ {
++      struct resource *res;
+       int i;
++      pci_lock_rescan_remove();
+       for (i = 0; i < PCI_STD_NUM_BARS; i++) {
+-              if (!zdev->bars[i].size || !zdev->bars[i].res)
++              res = zdev->bars[i].res;
++              if (!res)
+                       continue;
++              release_resource(res);
++              pci_bus_remove_resource(zdev->zbus->bus, res);
+               zpci_free_iomap(zdev, zdev->bars[i].map_idx);
+-              release_resource(zdev->bars[i].res);
+-              kfree(zdev->bars[i].res);
++              zdev->bars[i].res = NULL;
++              kfree(res);
+       }
+       zdev->has_resources = 0;
++      pci_unlock_rescan_remove();
+ }
+ int pcibios_add_device(struct pci_dev *pdev)
+diff --git a/arch/s390/pci/pci_bus.c b/arch/s390/pci/pci_bus.c
+index 5d77acbd1c872..cc7e5b22ccfb3 100644
+--- a/arch/s390/pci/pci_bus.c
++++ b/arch/s390/pci/pci_bus.c
+@@ -41,9 +41,7 @@ static int zpci_nb_devices;
+  */
+ static int zpci_bus_prepare_device(struct zpci_dev *zdev)
+ {
+-      struct resource_entry *window, *n;
+-      struct resource *res;
+-      int rc;
++      int rc, i;
+       if (!zdev_enabled(zdev)) {
+               rc = zpci_enable_device(zdev);
+@@ -57,10 +55,10 @@ static int zpci_bus_prepare_device(struct zpci_dev *zdev)
+       }
+       if (!zdev->has_resources) {
+-              zpci_setup_bus_resources(zdev, &zdev->zbus->resources);
+-              resource_list_for_each_entry_safe(window, n, &zdev->zbus->resources) {
+-                      res = window->res;
+-                      pci_bus_add_resource(zdev->zbus->bus, res, 0);
++              zpci_setup_bus_resources(zdev);
++              for (i = 0; i < PCI_STD_NUM_BARS; i++) {
++                      if (zdev->bars[i].res)
++                              pci_bus_add_resource(zdev->zbus->bus, zdev->bars[i].res, 0);
+               }
+       }
+diff --git a/arch/s390/pci/pci_bus.h b/arch/s390/pci/pci_bus.h
+index ecef3a9e16c00..c5aa9a2e5e3e5 100644
+--- a/arch/s390/pci/pci_bus.h
++++ b/arch/s390/pci/pci_bus.h
+@@ -30,8 +30,7 @@ static inline void zpci_zdev_get(struct zpci_dev *zdev)
+ int zpci_alloc_domain(int domain);
+ void zpci_free_domain(int domain);
+-int zpci_setup_bus_resources(struct zpci_dev *zdev,
+-                           struct list_head *resources);
++int zpci_setup_bus_resources(struct zpci_dev *zdev);
+ static inline struct zpci_dev *get_zdev_by_bus(struct pci_bus *bus,
+                                              unsigned int devfn)
+diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c
+index 3cef835b375fd..feafa378bf8ea 100644
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -76,6 +76,27 @@ struct resource *pci_bus_resource_n(const struct pci_bus *bus, int n)
+ }
+ EXPORT_SYMBOL_GPL(pci_bus_resource_n);
++void pci_bus_remove_resource(struct pci_bus *bus, struct resource *res)
++{
++      struct pci_bus_resource *bus_res, *tmp;
++      int i;
++
++      for (i = 0; i < PCI_BRIDGE_RESOURCE_NUM; i++) {
++              if (bus->resource[i] == res) {
++                      bus->resource[i] = NULL;
++                      return;
++              }
++      }
++
++      list_for_each_entry_safe(bus_res, tmp, &bus->resources, list) {
++              if (bus_res->res == res) {
++                      list_del(&bus_res->list);
++                      kfree(bus_res);
++                      return;
++              }
++      }
++}
++
+ void pci_bus_remove_resources(struct pci_bus *bus)
+ {
+       int i;
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 34dd24c991804..7e471432a998c 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1390,6 +1390,7 @@ void pci_bus_add_resource(struct pci_bus *bus, struct resource *res,
+                         unsigned int flags);
+ struct resource *pci_bus_resource_n(const struct pci_bus *bus, int n);
+ void pci_bus_remove_resources(struct pci_bus *bus);
++void pci_bus_remove_resource(struct pci_bus *bus, struct resource *res);
+ int devm_request_pci_bus_resources(struct device *dev,
+                                  struct list_head *resources);
+-- 
+2.39.2
+
diff --git a/queue-5.15/qed-qed_dev-guard-against-a-possible-division-by-zer.patch b/queue-5.15/qed-qed_dev-guard-against-a-possible-division-by-zer.patch
new file mode 100644 (file)
index 0000000..23d05bd
--- /dev/null
@@ -0,0 +1,46 @@
+From 995ef4c5f49b3f9d8aaf1b698abfdc5881b81ec7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 23:15:56 +0300
+Subject: qed/qed_dev: guard against a possible division by zero
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit 1a9dc5610ef89d807acdcfbff93a558f341a44da ]
+
+Previously we would divide total_left_rate by zero if num_vports
+happened to be 1 because non_requested_count is calculated as
+num_vports - req_count. Guard against this by validating num_vports at
+the beginning and returning an error otherwise.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: bcd197c81f63 ("qed: Add vport WFQ configuration APIs")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230309201556.191392-1-d-tatianin@yandex-team.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index 0410c3604abdb..ba445724ee65e 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -5022,6 +5022,11 @@ static int qed_init_wfq_param(struct qed_hwfn *p_hwfn,
+       num_vports = p_hwfn->qm_info.num_vports;
++      if (num_vports < 2) {
++              DP_NOTICE(p_hwfn, "Unexpected num_vports: %d\n", num_vports);
++              return -EINVAL;
++      }
++
+       /* Accounting for the vports which are configured for WFQ explicitly */
+       for (i = 0; i < num_vports; i++) {
+               u32 tmp_speed;
+-- 
+2.39.2
+
diff --git a/queue-5.15/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch b/queue-5.15/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch
new file mode 100644 (file)
index 0000000..d33625b
--- /dev/null
@@ -0,0 +1,40 @@
+From cd123de902fcc2c5f4d4b15ccaba8761f521090c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 22:46:18 +0300
+Subject: qed/qed_mng_tlv: correctly zero out ->min instead of ->hour
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit 470efd68a4653d9819d391489886432cd31bcd0b ]
+
+This fixes an issue where ->hour would erroneously get zeroed out
+instead of ->min because of a bad copy paste.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: f240b6882211 ("qed: Add support for processing fcoe tlv request.")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Link: https://lore.kernel.org/r/20230315194618.579286-1-d-tatianin@yandex-team.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c b/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
+index 6190adf965bca..f55eed092f25d 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
+@@ -422,7 +422,7 @@ qed_mfw_get_tlv_time_value(struct qed_mfw_tlv_time *p_time,
+       if (p_time->hour > 23)
+               p_time->hour = 0;
+       if (p_time->min > 59)
+-              p_time->hour = 0;
++              p_time->min = 0;
+       if (p_time->msec > 999)
+               p_time->msec = 0;
+       if (p_time->usec > 999)
+-- 
+2.39.2
+
diff --git a/queue-5.15/ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch b/queue-5.15/ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch
new file mode 100644 (file)
index 0000000..9811123
--- /dev/null
@@ -0,0 +1,66 @@
+From af357035893cf088f95e0560d80123802ad58b58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 08:41:14 +0100
+Subject: ravb: avoid PHY being resumed when interface is not up
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 7f5ebf5dae42e710162f1c481ebcf28ab7b741c7 ]
+
+RAVB doesn't need mdiobus suspend/resume, that's why it sets
+'mac_managed_pm'. However, setting it needs to be moved from init to
+probe, so mdiobus PM functions will really never be called (e.g. when
+the interface is not up yet during suspend/resume).
+
+Fixes: 4924c0cdce75 ("net: ravb: Fix PHY state warning splat during system resume")
+Suggested-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index c6fe1cda7b889..12548eeef4f8a 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1115,8 +1115,6 @@ static int ravb_phy_init(struct net_device *ndev)
+       phy_remove_link_mode(phydev, ETHTOOL_LINK_MODE_1000baseT_Half_BIT);
+       phy_remove_link_mode(phydev, ETHTOOL_LINK_MODE_100baseT_Half_BIT);
+-      /* Indicate that the MAC is responsible for managing PHY PM */
+-      phydev->mac_managed_pm = true;
+       phy_attached_info(phydev);
+       return 0;
+@@ -1961,6 +1959,8 @@ static int ravb_mdio_init(struct ravb_private *priv)
+ {
+       struct platform_device *pdev = priv->pdev;
+       struct device *dev = &pdev->dev;
++      struct phy_device *phydev;
++      struct device_node *pn;
+       int error;
+       /* Bitbang init */
+@@ -1982,6 +1982,14 @@ static int ravb_mdio_init(struct ravb_private *priv)
+       if (error)
+               goto out_free_bus;
++      pn = of_parse_phandle(dev->of_node, "phy-handle", 0);
++      phydev = of_phy_find_device(pn);
++      if (phydev) {
++              phydev->mac_managed_pm = true;
++              put_device(&phydev->mdio.dev);
++      }
++      of_node_put(pn);
++
+       return 0;
+ out_free_bus:
+-- 
+2.39.2
+
diff --git a/queue-5.15/scsi-core-fix-a-procfs-host-directory-removal-regres.patch b/queue-5.15/scsi-core-fix-a-procfs-host-directory-removal-regres.patch
new file mode 100644 (file)
index 0000000..f0c30e8
--- /dev/null
@@ -0,0 +1,47 @@
+From 707fe20fe0ab2d5f3e5a0e003aaad4fb6b092cb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 13:44:28 -0800
+Subject: scsi: core: Fix a procfs host directory removal regression
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit be03df3d4bfe7e8866d4aa43d62e648ffe884f5f ]
+
+scsi_proc_hostdir_rm() decreases a reference counter and hence must only be
+called once per host that is removed. This change does not require a
+scsi_add_host_with_dma() change since scsi_add_host_with_dma() will return
+0 (success) if scsi_proc_host_add() is called.
+
+Fixes: fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier")
+Cc: John Garry <john.g.garry@oracle.com>
+Reported-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/all/ed6b8027-a9d9-1b45-be8e-df4e8c6c4605@oracle.com/
+Reported-by: syzbot+645a4616b87a2f10e398@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-scsi/000000000000890fab05f65342b6@google.com/
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20230307214428.3703498-1-bvanassche@acm.org
+Tested-by: John Garry <john.g.garry@oracle.com>
+Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index 28b201c443267..7dc42d0e2a0dd 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -322,9 +322,6 @@ static void scsi_host_dev_release(struct device *dev)
+       struct Scsi_Host *shost = dev_to_shost(dev);
+       struct device *parent = dev->parent;
+-      /* In case scsi_remove_host() has not been called. */
+-      scsi_proc_hostdir_rm(shost->hostt);
+-
+       /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */
+       rcu_barrier();
+-- 
+2.39.2
+
diff --git a/queue-5.15/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch b/queue-5.15/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch
new file mode 100644 (file)
index 0000000..0a1b1f6
--- /dev/null
@@ -0,0 +1,77 @@
+From e6ccb893834cce9a2eb583a54a08e2c59535fb2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 18:01:36 +0800
+Subject: scsi: mpt3sas: Fix NULL pointer access in
+ mpt3sas_transport_port_add()
+
+From: Wenchao Hao <haowenchao2@huawei.com>
+
+[ Upstream commit d3c57724f1569311e4b81e98fad0931028b9bdcd ]
+
+Port is allocated by sas_port_alloc_num() and rphy is allocated by either
+sas_end_device_alloc() or sas_expander_alloc(), all of which may return
+NULL. So we need to check the rphy to avoid possible NULL pointer access.
+
+If sas_rphy_add() returned with failure, rphy is set to NULL. We would
+access the rphy in the following lines which would also result NULL pointer
+access.
+
+Fixes: 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()")
+Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
+Link: https://lore.kernel.org/r/20230225100135.2109330-1-haowenchao2@huawei.com
+Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+index e5ecd6ada6cdd..e8a4750f6ec47 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+@@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+               goto out_fail;
+       }
+       port = sas_port_alloc_num(sas_node->parent_dev);
+-      if ((sas_port_add(port))) {
++      if (!port || (sas_port_add(port))) {
+               ioc_err(ioc, "failure at %s:%d/%s()!\n",
+                       __FILE__, __LINE__, __func__);
+               goto out_fail;
+@@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+                           mpt3sas_port->remote_identify.sas_address;
+       }
++      if (!rphy) {
++              ioc_err(ioc, "failure at %s:%d/%s()!\n",
++                      __FILE__, __LINE__, __func__);
++              goto out_delete_port;
++      }
++
+       rphy->identify = mpt3sas_port->remote_identify;
+       if ((sas_rphy_add(rphy))) {
+@@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+                       __FILE__, __LINE__, __func__);
+               sas_rphy_free(rphy);
+               rphy = NULL;
++              goto out_delete_port;
+       }
+       if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
+@@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+                   rphy_to_expander_device(rphy), hba_port->port_id);
+       return mpt3sas_port;
+- out_fail:
++out_delete_port:
++      sas_port_delete(port);
++
++out_fail:
+       list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
+           port_siblings)
+               list_del(&mpt3sas_phy->port_siblings);
+-- 
+2.39.2
+
diff --git a/queue-5.15/selftests-net-devlink_port_split.py-skip-test-if-no-.patch b/queue-5.15/selftests-net-devlink_port_split.py-skip-test-if-no-.patch
new file mode 100644 (file)
index 0000000..a90b63f
--- /dev/null
@@ -0,0 +1,120 @@
+From 03e8d4d6d377ce04db6c79b0127dddcc46df737c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 00:53:53 +0800
+Subject: selftests: net: devlink_port_split.py: skip test if no suitable
+ device available
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+[ Upstream commit 24994513ad13ff2c47ba91d2b5df82c3d496c370 ]
+
+The `devlink -j port show` command output may not contain the "flavour"
+key, an example from Ubuntu 22.10 s390x LPAR(5.19.0-37-generic), with
+mlx4 driver and iproute2-5.15.0:
+  {"port":{"pci/0001:00:00.0/1":{"type":"eth","netdev":"ens301"},
+           "pci/0001:00:00.0/2":{"type":"eth","netdev":"ens301d1"},
+           "pci/0002:00:00.0/1":{"type":"eth","netdev":"ens317"},
+           "pci/0002:00:00.0/2":{"type":"eth","netdev":"ens317d1"}}}
+
+This will cause a KeyError exception.
+
+Create a validate_devlink_output() to check for this "flavour" from
+devlink command output to avoid this KeyError exception. Also let
+it handle the check for `devlink -j dev show` output in main().
+
+Apart from this, if the test was not started because the max lanes of
+the designated device is 0. The script will still return 0 and thus
+causing a false-negative test result.
+
+Use a found_max_lanes flag to determine if these tests were skipped
+due to this reason and return KSFT_SKIP to make it more clear.
+
+Link: https://bugs.launchpad.net/bugs/1937133
+Fixes: f3348a82e727 ("selftests: net: Add port split test")
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Link: https://lore.kernel.org/r/20230315165353.229590-1-po-hsu.lin@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/net/devlink_port_split.py       | 36 ++++++++++++++++---
+ 1 file changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/net/devlink_port_split.py b/tools/testing/selftests/net/devlink_port_split.py
+index 2b5d6ff873738..2d84c7a0be6b2 100755
+--- a/tools/testing/selftests/net/devlink_port_split.py
++++ b/tools/testing/selftests/net/devlink_port_split.py
+@@ -59,6 +59,8 @@ class devlink_ports(object):
+         assert stderr == ""
+         ports = json.loads(stdout)['port']
++        validate_devlink_output(ports, 'flavour')
++
+         for port in ports:
+             if dev in port:
+                 if ports[port]['flavour'] == 'physical':
+@@ -220,6 +222,27 @@ def split_splittable_port(port, k, lanes, dev):
+     unsplit(port.bus_info)
++def validate_devlink_output(devlink_data, target_property=None):
++    """
++    Determine if test should be skipped by checking:
++      1. devlink_data contains values
++      2. The target_property exist in devlink_data
++    """
++    skip_reason = None
++    if any(devlink_data.values()):
++        if target_property:
++            skip_reason = "{} not found in devlink output, test skipped".format(target_property)
++            for key in devlink_data:
++                if target_property in devlink_data[key]:
++                    skip_reason = None
++    else:
++        skip_reason = 'devlink output is empty, test skipped'
++
++    if skip_reason:
++        print(skip_reason)
++        sys.exit(KSFT_SKIP)
++
++
+ def make_parser():
+     parser = argparse.ArgumentParser(description='A test for port splitting.')
+     parser.add_argument('--dev',
+@@ -240,12 +263,9 @@ def main(cmdline=None):
+         stdout, stderr = run_command(cmd)
+         assert stderr == ""
++        validate_devlink_output(json.loads(stdout))
+         devs = json.loads(stdout)['dev']
+-        if devs:
+-            dev = list(devs.keys())[0]
+-        else:
+-            print("no devlink device was found, test skipped")
+-            sys.exit(KSFT_SKIP)
++        dev = list(devs.keys())[0]
+     cmd = "devlink dev show %s" % dev
+     stdout, stderr = run_command(cmd)
+@@ -255,6 +275,7 @@ def main(cmdline=None):
+     ports = devlink_ports(dev)
++    found_max_lanes = False
+     for port in ports.if_names:
+         max_lanes = get_max_lanes(port.name)
+@@ -277,6 +298,11 @@ def main(cmdline=None):
+                 split_splittable_port(port, lane, max_lanes, dev)
+                 lane //= 2
++        found_max_lanes = True
++
++    if not found_max_lanes:
++        print(f"Test not started, no port of device {dev} reports max_lanes")
++        sys.exit(KSFT_SKIP)
+ if __name__ == "__main__":
+-- 
+2.39.2
+
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644 (file)
index 0000000..968bda2
--- /dev/null
@@ -0,0 +1,52 @@
+xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
+drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch
+cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch
+drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch
+clk-hi655x-select-regmap-instead-of-depending-on-it.patch
+docs-correct-missing-d_-prefix-for-dentry_operations.patch
+scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch
+alsa-hda-match-only-intel-devices-with-controller_in.patch
+netfilter-nft_nat-correct-length-for-loading-protoco.patch
+netfilter-nft_masq-correct-length-for-loading-protoc.patch
+netfilter-nft_redir-correct-length-for-loading-proto.patch
+netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
+scsi-core-fix-a-procfs-host-directory-removal-regres.patch
+tcp-tcp_make_synack-can-be-called-from-process-conte.patch
+nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
+ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
+i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch
+vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch
+vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch
+pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch
+drm-i915-display-workaround-cursor-left-overs-with-p.patch
+drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch
+drm-i915-display-psr-handle-plane-and-pipe-restricti.patch
+drm-i915-display-clean-up-comments.patch
+drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch
+net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch
+qed-qed_dev-guard-against-a-possible-division-by-zer.patch
+net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch
+net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch
+loop-fix-use-after-free-issues.patch
+net-tunnels-annotate-lockless-accesses-to-dev-needed.patch
+net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch
+nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
+net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch
+net-usb-smsc75xx-limit-packet-length-to-skb-len.patch
+drm-bridge-fix-returned-array-size-name-for-atomic_g.patch
+block-null_blk-fix-handling-of-fake-timeout-request.patch
+nvme-fix-handling-single-range-discard-request.patch
+nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch
+block-sunvdc-add-check-for-mdesc_grab-returning-null.patch
+ice-xsk-disable-txq-irq-before-flushing-hw.patch
+net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch
+ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch
+sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch
+ipv4-fix-incorrect-table-id-in-ioctl-path.patch
+net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
+net-iucv-fix-size-of-interrupt-data.patch
+selftests-net-devlink_port_split.py-skip-test-if-no-.patch
+qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch
+ethernet-sun-add-check-for-the-mdesc_grab.patch
+bonding-restore-iff_master-slave-flags-on-bond-ensla.patch
+bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch
diff --git a/queue-5.15/sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch b/queue-5.15/sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch
new file mode 100644 (file)
index 0000000..6cd41f2
--- /dev/null
@@ -0,0 +1,65 @@
+From 63d065306188ac77af896fc84973ac107714046d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 08:41:15 +0100
+Subject: sh_eth: avoid PHY being resumed when interface is not up
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit c6be7136afb224a01d4cde2983ddebac8da98693 ]
+
+SH_ETH doesn't need mdiobus suspend/resume, that's why it sets
+'mac_managed_pm'. However, setting it needs to be moved from init to
+probe, so mdiobus PM functions will really never be called (e.g. when
+the interface is not up yet during suspend/resume).
+
+Fixes: 6a1dbfefdae4 ("net: sh_eth: Fix PHY state warning splat during system resume")
+Suggested-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
+index 4e190f5e32c3d..b6e426d8014d1 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2033,8 +2033,6 @@ static int sh_eth_phy_init(struct net_device *ndev)
+               }
+       }
+-      /* Indicate that the MAC is responsible for managing PHY PM */
+-      phydev->mac_managed_pm = true;
+       phy_attached_info(phydev);
+       return 0;
+@@ -3074,6 +3072,8 @@ static int sh_mdio_init(struct sh_eth_private *mdp,
+       struct bb_info *bitbang;
+       struct platform_device *pdev = mdp->pdev;
+       struct device *dev = &mdp->pdev->dev;
++      struct phy_device *phydev;
++      struct device_node *pn;
+       /* create bit control struct for PHY */
+       bitbang = devm_kzalloc(dev, sizeof(struct bb_info), GFP_KERNEL);
+@@ -3108,6 +3108,14 @@ static int sh_mdio_init(struct sh_eth_private *mdp,
+       if (ret)
+               goto out_free_bus;
++      pn = of_parse_phandle(dev->of_node, "phy-handle", 0);
++      phydev = of_phy_find_device(pn);
++      if (phydev) {
++              phydev->mac_managed_pm = true;
++              put_device(&phydev->mdio.dev);
++      }
++      of_node_put(pn);
++
+       return 0;
+ out_free_bus:
+-- 
+2.39.2
+
diff --git a/queue-5.15/tcp-tcp_make_synack-can-be-called-from-process-conte.patch b/queue-5.15/tcp-tcp_make_synack-can-be-called-from-process-conte.patch
new file mode 100644 (file)
index 0000000..f24dcaa
--- /dev/null
@@ -0,0 +1,64 @@
+From 261a323db33a7860b21c974ca0c05a15a0561bf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 11:07:45 -0800
+Subject: tcp: tcp_make_synack() can be called from process context
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit bced3f7db95ff2e6ca29dc4d1c9751ab5e736a09 ]
+
+tcp_rtx_synack() now could be called in process context as explained in
+0a375c822497 ("tcp: tcp_rtx_synack() can be called from process
+context").
+
+tcp_rtx_synack() might call tcp_make_synack(), which will touch per-CPU
+variables with preemption enabled. This causes the following BUG:
+
+    BUG: using __this_cpu_add() in preemptible [00000000] code: ThriftIO1/5464
+    caller is tcp_make_synack+0x841/0xac0
+    Call Trace:
+     <TASK>
+     dump_stack_lvl+0x10d/0x1a0
+     check_preemption_disabled+0x104/0x110
+     tcp_make_synack+0x841/0xac0
+     tcp_v6_send_synack+0x5c/0x450
+     tcp_rtx_synack+0xeb/0x1f0
+     inet_rtx_syn_ack+0x34/0x60
+     tcp_check_req+0x3af/0x9e0
+     tcp_rcv_state_process+0x59b/0x2030
+     tcp_v6_do_rcv+0x5f5/0x700
+     release_sock+0x3a/0xf0
+     tcp_sendmsg+0x33/0x40
+     ____sys_sendmsg+0x2f2/0x490
+     __sys_sendmsg+0x184/0x230
+     do_syscall_64+0x3d/0x90
+
+Avoid calling __TCP_INC_STATS() with will touch per-cpu variables. Use
+TCP_INC_STATS() which is safe to be called from context switch.
+
+Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230308190745.780221-1-leitao@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 33ba1268a111f..1f39b56bbab32 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3610,7 +3610,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
+       th->window = htons(min(req->rsk_rcv_wnd, 65535U));
+       tcp_options_write((__be32 *)(th + 1), NULL, &opts);
+       th->doff = (tcp_header_size >> 2);
+-      __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
++      TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
+ #ifdef CONFIG_TCP_MD5SIG
+       /* Okay, we have all we need - do the md5 hash if needed */
+-- 
+2.39.2
+
diff --git a/queue-5.15/vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch b/queue-5.15/vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch
new file mode 100644 (file)
index 0000000..1285432
--- /dev/null
@@ -0,0 +1,54 @@
+From 08759aa26e261c88e56bdedd0da58c17c4b1e055 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 17:43:58 +0100
+Subject: vdpa_sim: not reset state in vdpasim_queue_ready
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugenio Pérez <eperezma@redhat.com>
+
+[ Upstream commit 0e84f918fac8ae61dcb790534fad5e3555ca2930 ]
+
+vdpasim_queue_ready calls vringh_init_iotlb, which resets split indexes.
+But it can be called after setting a ring base with
+vdpasim_set_vq_state.
+
+Fix it by stashing them. They're still resetted in vdpasim_vq_reset.
+
+This was discovered and tested live migrating the vdpa_sim_net device.
+
+Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator")
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
+Message-Id: <20230118164359.1523760-2-eperezma@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Lei Yang <leiyang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/vdpa_sim/vdpa_sim.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c
+index 4d9e3fdae5f6c..eeda45fbba258 100644
+--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
++++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
+@@ -65,6 +65,7 @@ static void vdpasim_vq_notify(struct vringh *vring)
+ static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx)
+ {
+       struct vdpasim_virtqueue *vq = &vdpasim->vqs[idx];
++      uint16_t last_avail_idx = vq->vring.last_avail_idx;
+       vringh_init_iotlb(&vq->vring, vdpasim->features, vq->num, false,
+                         (struct vring_desc *)(uintptr_t)vq->desc_addr,
+@@ -73,6 +74,7 @@ static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx)
+                         (struct vring_used *)
+                         (uintptr_t)vq->device_addr);
++      vq->vring.last_avail_idx = last_avail_idx;
+       vq->vring.notify = vdpasim_vq_notify;
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.15/vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch b/queue-5.15/vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch
new file mode 100644 (file)
index 0000000..c470baa
--- /dev/null
@@ -0,0 +1,66 @@
+From c188aff218d15f8a3f9d24ab6f3b7dc7e08199a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 19:18:57 +0100
+Subject: vdpa_sim: set last_used_idx as last_avail_idx in vdpasim_queue_ready
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugenio Pérez <eperezma@redhat.com>
+
+[ Upstream commit b4cca6d48eb3fa6f0d9caba4329b1a2b0ff67a77 ]
+
+Starting from an used_idx different than 0 is needed in use cases like
+virtual machine migration.  Not doing so and letting the caller set an
+avail idx different than 0 causes destination device to try to use old
+buffers that source driver already recover and are not available
+anymore.
+
+Since vdpa_sim does not support receive inflight descriptors as a
+destination of a migration, let's set both avail_idx and used_idx the
+same at vq start.  This is how vhost-user works in a
+VHOST_SET_VRING_BASE call.
+
+Although the simple fix is to set last_used_idx at vdpasim_set_vq_state,
+it would be reset at vdpasim_queue_ready.  The last_avail_idx case is
+fixed with commit 0e84f918fac8 ("vdpa_sim: not reset state in
+vdpasim_queue_ready").  Since the only option is to make it equal to
+last_avail_idx, adding the only change needed here.
+
+This was discovered and tested live migrating the vdpa_sim_net device.
+
+Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
+Message-Id: <20230302181857.925374-1-eperezma@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/vdpa_sim/vdpa_sim.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c
+index eeda45fbba258..3ccefa58e405c 100644
+--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
++++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
+@@ -75,6 +75,17 @@ static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx)
+                         (uintptr_t)vq->device_addr);
+       vq->vring.last_avail_idx = last_avail_idx;
++
++      /*
++       * Since vdpa_sim does not support receive inflight descriptors as a
++       * destination of a migration, let's set both avail_idx and used_idx
++       * the same at vq start.  This is how vhost-user works in a
++       * VHOST_SET_VRING_BASE call.
++       *
++       * Although the simple fix is to set last_used_idx at
++       * vdpasim_set_vq_state, it would be reset at vdpasim_queue_ready.
++       */
++      vq->vring.last_used_idx = last_avail_idx;
+       vq->vring.notify = vdpasim_vq_notify;
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.15/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch b/queue-5.15/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
new file mode 100644 (file)
index 0000000..a227353
--- /dev/null
@@ -0,0 +1,44 @@
+From 159137983a8cd371cf2da5c16d485401e0dd9153 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Feb 2023 13:54:00 +0800
+Subject: xfrm: Allow transport-mode states with AF_UNSPEC selector
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit c276a706ea1f51cf9723ed8484feceaf961b8f89 ]
+
+xfrm state selectors are matched against the inner-most flow
+which can be of any address family.  Therefore middle states
+in nested configurations need to carry a wildcard selector in
+order to work at all.
+
+However, this is currently forbidden for transport-mode states.
+
+Fix this by removing the unnecessary check.
+
+Fixes: 13996378e658 ("[IPSEC]: Rename mode to outer_mode and add inner_mode")
+Reported-by: David George <David.George@sophos.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 15132b080614c..60f3ea5561ddf 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2643,9 +2643,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
+               if (inner_mode == NULL)
+                       goto error;
+-              if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL))
+-                      goto error;
+-
+               x->inner_mode = *inner_mode;
+               if (x->props.family == AF_INET)
+-- 
+2.39.2
+