From: Sasha Levin Date: Sun, 9 Apr 2023 12:31:04 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v5.15.107~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07ebecba7ecfb9e78362100759a70de80afe5ab9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/clk-imx-imx8mp-add-shared-clk-gate-for-usb-suspend-c.patch b/queue-5.15/clk-imx-imx8mp-add-shared-clk-gate-for-usb-suspend-c.patch new file mode 100644 index 00000000000..c94cd5115ae --- /dev/null +++ b/queue-5.15/clk-imx-imx8mp-add-shared-clk-gate-for-usb-suspend-c.patch @@ -0,0 +1,57 @@ +From ee2843f54c90aef164be3b1fc3534b20912dd1fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 22:54:22 +0800 +Subject: clk: imx: imx8mp: add shared clk gate for usb suspend clk + +From: Li Jun + +[ Upstream commit ed1f4ccfe947a3e1018a3bd7325134574c7ff9b3 ] + +32K usb suspend clock gate is shared with usb_root_clk, this +shared clock gate was initially defined only for usb suspend +clock, usb suspend clk is kept on while system is active or +system sleep with usb wakeup enabled, so usb root clock is +fine with this situation; with the commit cf7f3f4fa9e5 +("clk: imx8mp: fix usb_root_clk parent"), this clock gate is +changed to be for usb root clock, but usb root clock will +be off while usb is suspended, so usb suspend clock will be +gated too, this cause some usb functionalities will not work, +so define this clock to be a shared clock gate to conform with +the real HW status. + +Fixes: 9c140d9926761 ("clk: imx: Add support for i.MX8MP clock driver") +Cc: stable@vger.kernel.org # v5.19+ +Tested-by: Alexander Stein +Signed-off-by: Li Jun +Signed-off-by: Abel Vesa +Link: https://lore.kernel.org/r/1664549663-20364-2-git-send-email-jun.li@nxp.com +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c +index b173c30093946..ffcdd7393aefe 100644 +--- a/drivers/clk/imx/clk-imx8mp.c ++++ b/drivers/clk/imx/clk-imx8mp.c +@@ -17,6 +17,7 @@ + + static u32 share_count_nand; + static u32 share_count_media; ++static u32 share_count_usb; + + static const char * const pll_ref_sels[] = { "osc_24m", "dummy", "dummy", "dummy", }; + static const char * const audio_pll1_bypass_sels[] = {"audio_pll1", "audio_pll1_ref_sel", }; +@@ -675,7 +676,8 @@ static int imx8mp_clocks_probe(struct platform_device *pdev) + hws[IMX8MP_CLK_UART2_ROOT] = imx_clk_hw_gate4("uart2_root_clk", "uart2", ccm_base + 0x44a0, 0); + hws[IMX8MP_CLK_UART3_ROOT] = imx_clk_hw_gate4("uart3_root_clk", "uart3", ccm_base + 0x44b0, 0); + hws[IMX8MP_CLK_UART4_ROOT] = imx_clk_hw_gate4("uart4_root_clk", "uart4", ccm_base + 0x44c0, 0); +- hws[IMX8MP_CLK_USB_ROOT] = imx_clk_hw_gate4("usb_root_clk", "hsio_axi", ccm_base + 0x44d0, 0); ++ hws[IMX8MP_CLK_USB_ROOT] = imx_clk_hw_gate2_shared2("usb_root_clk", "hsio_axi", ccm_base + 0x44d0, 0, &share_count_usb); ++ hws[IMX8MP_CLK_USB_SUSP] = imx_clk_hw_gate2_shared2("usb_suspend_clk", "osc_32k", ccm_base + 0x44d0, 0, &share_count_usb); + hws[IMX8MP_CLK_USB_PHY_ROOT] = imx_clk_hw_gate4("usb_phy_root_clk", "usb_phy_ref", ccm_base + 0x44f0, 0); + hws[IMX8MP_CLK_USDHC1_ROOT] = imx_clk_hw_gate4("usdhc1_root_clk", "usdhc1", ccm_base + 0x4510, 0); + hws[IMX8MP_CLK_USDHC2_ROOT] = imx_clk_hw_gate4("usdhc2_root_clk", "usdhc2", ccm_base + 0x4520, 0); +-- +2.39.2 + diff --git a/queue-5.15/drivers-vmbus-check-for-channel-allocation-before-lo.patch b/queue-5.15/drivers-vmbus-check-for-channel-allocation-before-lo.patch new file mode 100644 index 00000000000..703be2e17c6 --- /dev/null +++ b/queue-5.15/drivers-vmbus-check-for-channel-allocation-before-lo.patch @@ -0,0 +1,48 @@ +From 7e24c472bd3cb10b9adeb76306ecb61aa9f9941c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Feb 2023 22:44:11 +0200 +Subject: Drivers: vmbus: Check for channel allocation before looking up relids + +From: Mohammed Gamal + +[ Upstream commit 1eb65c8687316c65140b48fad27133d583178e15 ] + +relid2channel() assumes vmbus channel array to be allocated when called. +However, in cases such as kdump/kexec, not all relids will be reset by the host. +When the second kernel boots and if the guest receives a vmbus interrupt during +vmbus driver initialization before vmbus_connect() is called, before it finishes, +or if it fails, the vmbus interrupt service routine is called which in turn calls +relid2channel() and can cause a null pointer dereference. + +Print a warning and error out in relid2channel() for a channel id that's invalid +in the second kernel. + +Fixes: 8b6a877c060e ("Drivers: hv: vmbus: Replace the per-CPU channel lists with a global array of channels") + +Signed-off-by: Mohammed Gamal +Reviewed-by: Dexuan Cui +Link: https://lore.kernel.org/r/20230217204411.212709-1-mgamal@redhat.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/connection.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c +index 5e479d54918cf..47fb412eafd35 100644 +--- a/drivers/hv/connection.c ++++ b/drivers/hv/connection.c +@@ -315,6 +315,10 @@ void vmbus_disconnect(void) + */ + struct vmbus_channel *relid2channel(u32 relid) + { ++ if (vmbus_connection.channels == NULL) { ++ pr_warn_once("relid2channel: relid=%d: No channels mapped!\n", relid); ++ return NULL; ++ } + if (WARN_ON(relid >= MAX_CHANNEL_RELIDS)) + return NULL; + return READ_ONCE(vmbus_connection.channels[relid]); +-- +2.39.2 + diff --git a/queue-5.15/ethtool-reset-lanes-when-lanes-is-omitted.patch b/queue-5.15/ethtool-reset-lanes-when-lanes-is-omitted.patch new file mode 100644 index 00000000000..787c8c7d266 --- /dev/null +++ b/queue-5.15/ethtool-reset-lanes-when-lanes-is-omitted.patch @@ -0,0 +1,93 @@ +From c7846ede2078e5be1a0469f1043363471edf36ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 14:20:53 -0700 +Subject: ethtool: reset #lanes when lanes is omitted + +From: Andy Roulin + +[ Upstream commit e847c7675e19ef344913724dc68f83df31ad6a17 ] + +If the number of lanes was forced and then subsequently the user +omits this parameter, the ksettings->lanes is reset. The driver +should then reset the number of lanes to the device's default +for the specified speed. + +However, although the ksettings->lanes is set to 0, the mod variable +is not set to true to indicate the driver and userspace should be +notified of the changes. + +The consequence is that the same ethtool operation will produce +different results based on the initial state. + +If the initial state is: +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 2 + Duplex: Full + Auto-negotiation: on + +then executing 'ethtool -s swp1 speed 50000 autoneg off' will yield: +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 2 + Duplex: Full + Auto-negotiation: off + +While if the initial state is: +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 1 + Duplex: Full + Auto-negotiation: off + +executing the same 'ethtool -s swp1 speed 50000 autoneg off' results in: +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 1 + Duplex: Full + Auto-negotiation: off + +This patch fixes this behavior. Omitting lanes will always results in +the driver choosing the default lane width for the chosen speed. In this +scenario, regardless of the initial state, the end state will be, e.g., + +$ ethtool swp1 | grep -A 3 'Speed: ' + Speed: 500000Mb/s + Lanes: 2 + Duplex: Full + Auto-negotiation: off + +Fixes: 012ce4dd3102 ("ethtool: Extend link modes settings uAPI with lanes") +Signed-off-by: Andy Roulin +Reviewed-by: Danielle Ratson +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/ac238d6b-8726-8156-3810-6471291dbc7f@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ethtool/linkmodes.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ethtool/linkmodes.c b/net/ethtool/linkmodes.c +index f9eda596f3014..3d05b9bf34854 100644 +--- a/net/ethtool/linkmodes.c ++++ b/net/ethtool/linkmodes.c +@@ -277,11 +277,12 @@ static int ethnl_update_linkmodes(struct genl_info *info, struct nlattr **tb, + "lanes configuration not supported by device"); + return -EOPNOTSUPP; + } +- } else if (!lsettings->autoneg) { +- /* If autoneg is off and lanes parameter is not passed from user, +- * set the lanes parameter to 0. ++ } else if (!lsettings->autoneg && ksettings->lanes) { ++ /* If autoneg is off and lanes parameter is not passed from user but ++ * it was defined previously then set the lanes parameter to 0. + */ + ksettings->lanes = 0; ++ *mod = true; + } + + ret = ethnl_update_bitset(ksettings->link_modes.advertising, +-- +2.39.2 + diff --git a/queue-5.15/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch b/queue-5.15/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch new file mode 100644 index 00000000000..56ace6ddc8b --- /dev/null +++ b/queue-5.15/gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch @@ -0,0 +1,37 @@ +From ca045a8f54ec20534c6c777c4bd0ec09a5a7960a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 12:54:43 +0530 +Subject: gpio: davinci: Add irq chip flag to skip set wake + +From: Dhruva Gole + +[ Upstream commit 7b75c4703609a3ebaf67271813521bc0281e1ec1 ] + +Add the IRQCHIP_SKIP_SET_WAKE flag since there are no special IRQ Wake +bits that can be set to enable wakeup IRQ. + +Fixes: 3d9edf09d452 ("[ARM] 4457/2: davinci: GPIO support") +Signed-off-by: Dhruva Gole +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-davinci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c +index cb5afaa7ed482..0214244e9f01f 100644 +--- a/drivers/gpio/gpio-davinci.c ++++ b/drivers/gpio/gpio-davinci.c +@@ -326,7 +326,7 @@ static struct irq_chip gpio_irqchip = { + .irq_enable = gpio_irq_enable, + .irq_disable = gpio_irq_disable, + .irq_set_type = gpio_irq_type, +- .flags = IRQCHIP_SET_TYPE_MASKED, ++ .flags = IRQCHIP_SET_TYPE_MASKED | IRQCHIP_SKIP_SET_WAKE, + }; + + static void gpio_irq_handler(struct irq_desc *desc) +-- +2.39.2 + diff --git a/queue-5.15/gpio-gpio_regmap-select-regmap-instead-of-depending-.patch b/queue-5.15/gpio-gpio_regmap-select-regmap-instead-of-depending-.patch new file mode 100644 index 00000000000..75e0b4e1157 --- /dev/null +++ b/queue-5.15/gpio-gpio_regmap-select-regmap-instead-of-depending-.patch @@ -0,0 +1,47 @@ +From c4a6669f7879df7d2b85a86553b3d2efaec434e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 21:39:48 -0800 +Subject: gpio: GPIO_REGMAP: select REGMAP instead of depending on it + +From: Randy Dunlap + +[ Upstream commit d49765b5f4320a402fbc4ed5edfd73d87640f27c ] + +REGMAP is a hidden (not user visible) symbol. Users cannot set it +directly thru "make *config", so drivers should select it instead of +depending on it if they need it. + +Consistently using "select" or "depends on" can also help reduce +Kconfig circular dependency issues. + +Therefore, change the use of "depends on REGMAP" to "select REGMAP". + +Fixes: ebe363197e52 ("gpio: add a reusable generic gpio_chip using regmap") +Signed-off-by: Randy Dunlap +Cc: Michael Walle +Cc: Linus Walleij +Cc: Bartosz Golaszewski +Cc: linux-gpio@vger.kernel.org +Acked-by: Michael Walle +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig +index 947474f6abb45..7b9def6b10047 100644 +--- a/drivers/gpio/Kconfig ++++ b/drivers/gpio/Kconfig +@@ -100,7 +100,7 @@ config GPIO_GENERIC + tristate + + config GPIO_REGMAP +- depends on REGMAP ++ select REGMAP + tristate + + # put drivers in the right section, in alphabetical order +-- +2.39.2 + diff --git a/queue-5.15/gve-secure-enough-bytes-in-the-first-tx-desc-for-all.patch b/queue-5.15/gve-secure-enough-bytes-in-the-first-tx-desc-for-all.patch new file mode 100644 index 00000000000..b287c8e2a6d --- /dev/null +++ b/queue-5.15/gve-secure-enough-bytes-in-the-first-tx-desc-for-all.patch @@ -0,0 +1,73 @@ +From 022abdff40a0d8fdbbdd080e7a5790943183fb07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 10:28:09 -0700 +Subject: gve: Secure enough bytes in the first TX desc for all TCP pkts + +From: Shailend Chand + +[ Upstream commit 3ce9345580974863c060fa32971537996a7b2d57 ] + +Non-GSO TCP packets whose SKBs' linear portion did not include the +entire TCP header were not populating the first Tx descriptor with +as many bytes as the vNIC expected. This change ensures that all +TCP packets populate the first descriptor with the correct number of +bytes. + +Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC") +Signed-off-by: Shailend Chand +Link: https://lore.kernel.org/r/20230403172809.2939306-1-shailend@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve.h | 2 ++ + drivers/net/ethernet/google/gve/gve_tx.c | 12 +++++------- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/google/gve/gve.h b/drivers/net/ethernet/google/gve/gve.h +index b1273dce4795b..08f4c0595efae 100644 +--- a/drivers/net/ethernet/google/gve/gve.h ++++ b/drivers/net/ethernet/google/gve/gve.h +@@ -47,6 +47,8 @@ + + #define GVE_RX_BUFFER_SIZE_DQO 2048 + ++#define GVE_GQ_TX_MIN_PKT_DESC_BYTES 182 ++ + /* Each slot in the desc ring has a 1:1 mapping to a slot in the data ring */ + struct gve_rx_desc_queue { + struct gve_rx_desc *desc_ring; /* the descriptor ring */ +diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c +index 9922ce46a6351..43e7b74bdb767 100644 +--- a/drivers/net/ethernet/google/gve/gve_tx.c ++++ b/drivers/net/ethernet/google/gve/gve_tx.c +@@ -283,8 +283,8 @@ static inline int gve_skb_fifo_bytes_required(struct gve_tx_ring *tx, + int bytes; + int hlen; + +- hlen = skb_is_gso(skb) ? skb_checksum_start_offset(skb) + +- tcp_hdrlen(skb) : skb_headlen(skb); ++ hlen = skb_is_gso(skb) ? skb_checksum_start_offset(skb) + tcp_hdrlen(skb) : ++ min_t(int, GVE_GQ_TX_MIN_PKT_DESC_BYTES, skb->len); + + pad_bytes = gve_tx_fifo_pad_alloc_one_frag(&tx->tx_fifo, + hlen); +@@ -431,13 +431,11 @@ static int gve_tx_add_skb_copy(struct gve_priv *priv, struct gve_tx_ring *tx, st + pkt_desc = &tx->desc[idx]; + + l4_hdr_offset = skb_checksum_start_offset(skb); +- /* If the skb is gso, then we want the tcp header in the first segment +- * otherwise we want the linear portion of the skb (which will contain +- * the checksum because skb->csum_start and skb->csum_offset are given +- * relative to skb->head) in the first segment. ++ /* If the skb is gso, then we want the tcp header alone in the first segment ++ * otherwise we want the minimum required by the gVNIC spec. + */ + hlen = is_gso ? l4_hdr_offset + tcp_hdrlen(skb) : +- skb_headlen(skb); ++ min_t(int, GVE_GQ_TX_MIN_PKT_DESC_BYTES, skb->len); + + info->skb = skb; + /* We don't want to split the header, so if necessary, pad to the end +-- +2.39.2 + diff --git a/queue-5.15/ice-fix-wrong-fallback-logic-for-fdir.patch b/queue-5.15/ice-fix-wrong-fallback-logic-for-fdir.patch new file mode 100644 index 00000000000..421b6348548 --- /dev/null +++ b/queue-5.15/ice-fix-wrong-fallback-logic-for-fdir.patch @@ -0,0 +1,59 @@ +From f7376ffc3532e86883de07029d801faed999c977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 10:24:15 +0800 +Subject: ice: fix wrong fallback logic for FDIR + +From: Simei Su + +[ Upstream commit b4a01ace20f5c93c724abffc0a83ec84f514b98d ] + +When adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure, +the inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr +returns failure, the fdir context info for irq handler will not be cleared +which may lead to inconsistent or memory leak issue. This patch refines +failure cases to resolve this issue. + +Fixes: 1f7ea1cd6a37 ("ice: Enable FDIR Configure for AVF") +Signed-off-by: Simei Su +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +index 4b738f7391097..2254cae817c16 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +@@ -2136,7 +2136,7 @@ int ice_vc_add_fdir_fltr(struct ice_vf *vf, u8 *msg) + v_ret = VIRTCHNL_STATUS_SUCCESS; + stat->status = VIRTCHNL_FDIR_FAILURE_RULE_NORESOURCE; + dev_dbg(dev, "VF %d: set FDIR context failed\n", vf->vf_id); +- goto err_free_conf; ++ goto err_rem_entry; + } + + ret = ice_vc_fdir_write_fltr(vf, conf, true, is_tun); +@@ -2145,15 +2145,16 @@ int ice_vc_add_fdir_fltr(struct ice_vf *vf, u8 *msg) + stat->status = VIRTCHNL_FDIR_FAILURE_RULE_NORESOURCE; + dev_err(dev, "VF %d: writing FDIR rule failed, ret:%d\n", + vf->vf_id, ret); +- goto err_rem_entry; ++ goto err_clr_irq; + } + + exit: + kfree(stat); + return ret; + +-err_rem_entry: ++err_clr_irq: + ice_vc_fdir_clear_irq_ctx(vf); ++err_rem_entry: + ice_vc_fdir_remove_entry(vf, conf, conf->flow_id); + err_free_conf: + devm_kfree(dev, conf); +-- +2.39.2 + diff --git a/queue-5.15/ice-reset-fdir-counter-in-fdir-init-stage.patch b/queue-5.15/ice-reset-fdir-counter-in-fdir-init-stage.patch new file mode 100644 index 00000000000..b3acc8fddd0 --- /dev/null +++ b/queue-5.15/ice-reset-fdir-counter-in-fdir-init-stage.patch @@ -0,0 +1,61 @@ +From 4519671404e433e8dbc6400ab8e8d3faef78f193 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 10:49:11 +0000 +Subject: ice: Reset FDIR counter in FDIR init stage + +From: Lingyu Liu + +[ Upstream commit 83c911dc5e0e8e6eaa6431c06972a8f159bfe2fc ] + +Reset the FDIR counters when FDIR inits. Without this patch, +when VF initializes or resets, all the FDIR counters are not +cleaned, which may cause unexpected behaviors for future FDIR +rule create (e.g., rule conflict). + +Fixes: 1f7ea1cd6a37 ("ice: Enable FDIR Configure for AVF") +Signed-off-by: Junfeng Guo +Signed-off-by: Lingyu Liu +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/ice/ice_virtchnl_fdir.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +index 2254cae817c16..412deb36b645b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c +@@ -731,6 +731,21 @@ static void ice_vc_fdir_rem_prof_all(struct ice_vf *vf) + } + } + ++/** ++ * ice_vc_fdir_reset_cnt_all - reset all FDIR counters for this VF FDIR ++ * @fdir: pointer to the VF FDIR structure ++ */ ++static void ice_vc_fdir_reset_cnt_all(struct ice_vf_fdir *fdir) ++{ ++ enum ice_fltr_ptype flow; ++ ++ for (flow = ICE_FLTR_PTYPE_NONF_NONE; ++ flow < ICE_FLTR_PTYPE_MAX; flow++) { ++ fdir->fdir_fltr_cnt[flow][0] = 0; ++ fdir->fdir_fltr_cnt[flow][1] = 0; ++ } ++} ++ + /** + * ice_vc_fdir_has_prof_conflict + * @vf: pointer to the VF structure +@@ -2263,6 +2278,7 @@ void ice_vf_fdir_init(struct ice_vf *vf) + spin_lock_init(&fdir->ctx_lock); + fdir->ctx_irq.flags = 0; + fdir->ctx_done.flags = 0; ++ ice_vc_fdir_reset_cnt_all(fdir); + } + + /** +-- +2.39.2 + diff --git a/queue-5.15/icmp-guard-against-too-small-mtu.patch b/queue-5.15/icmp-guard-against-too-small-mtu.patch new file mode 100644 index 00000000000..785e3620ccf --- /dev/null +++ b/queue-5.15/icmp-guard-against-too-small-mtu.patch @@ -0,0 +1,86 @@ +From e83056b23c3da2d0435b7352084da8470051db53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 17:45:02 +0000 +Subject: icmp: guard against too small mtu + +From: Eric Dumazet + +[ Upstream commit 7d63b67125382ff0ffdfca434acbc94a38bd092b ] + +syzbot was able to trigger a panic [1] in icmp_glue_bits(), or +more exactly in skb_copy_and_csum_bits() + +There is no repro yet, but I think the issue is that syzbot +manages to lower device mtu to a small value, fooling __icmp_send() + +__icmp_send() must make sure there is enough room for the +packet to include at least the headers. + +We might in the future refactor skb_copy_and_csum_bits() and its +callers to no longer crash when something bad happens. + +[1] +kernel BUG at net/core/skbuff.c:3343 ! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 15766 Comm: syz-executor.0 Not tainted 6.3.0-rc4-syzkaller-00039-gffe78bbd5121 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +RIP: 0010:skb_copy_and_csum_bits+0x798/0x860 net/core/skbuff.c:3343 +Code: f0 c1 c8 08 41 89 c6 e9 73 ff ff ff e8 61 48 d4 f9 e9 41 fd ff ff 48 8b 7c 24 48 e8 52 48 d4 f9 e9 c3 fc ff ff e8 c8 27 84 f9 <0f> 0b 48 89 44 24 28 e8 3c 48 d4 f9 48 8b 44 24 28 e9 9d fb ff ff +RSP: 0018:ffffc90000007620 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000000001e8 RCX: 0000000000000100 +RDX: ffff8880276f6280 RSI: ffffffff87fdd138 RDI: 0000000000000005 +RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 +R10: 00000000000001e8 R11: 0000000000000001 R12: 000000000000003c +R13: 0000000000000000 R14: ffff888028244868 R15: 0000000000000b0e +FS: 00007fbc81f1c700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2df43000 CR3: 00000000744db000 CR4: 0000000000150ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +icmp_glue_bits+0x7b/0x210 net/ipv4/icmp.c:353 +__ip_append_data+0x1d1b/0x39f0 net/ipv4/ip_output.c:1161 +ip_append_data net/ipv4/ip_output.c:1343 [inline] +ip_append_data+0x115/0x1a0 net/ipv4/ip_output.c:1322 +icmp_push_reply+0xa8/0x440 net/ipv4/icmp.c:370 +__icmp_send+0xb80/0x1430 net/ipv4/icmp.c:765 +ipv4_send_dest_unreach net/ipv4/route.c:1239 [inline] +ipv4_link_failure+0x5a9/0x9e0 net/ipv4/route.c:1246 +dst_link_failure include/net/dst.h:423 [inline] +arp_error_report+0xcb/0x1c0 net/ipv4/arp.c:296 +neigh_invalidate+0x20d/0x560 net/core/neighbour.c:1079 +neigh_timer_handler+0xc77/0xff0 net/core/neighbour.c:1166 +call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700 +expire_timers+0x29b/0x4b0 kernel/time/timer.c:1751 +__run_timers kernel/time/timer.c:2022 [inline] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+d373d60fddbdc915e666@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230330174502.1915328-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 609c4ff7edc69..7b749a98327c2 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -755,6 +755,11 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + room = 576; + room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen; + room -= sizeof(struct icmphdr); ++ /* Guard against tiny mtu. We need to include at least one ++ * IP network header for this message to make any sense. ++ */ ++ if (room <= (int)sizeof(struct iphdr)) ++ goto ende; + + icmp_param.data_len = skb_in->len - icmp_param.offset; + if (icmp_param.data_len > room) +-- +2.39.2 + diff --git a/queue-5.15/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch b/queue-5.15/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch new file mode 100644 index 00000000000..8dc54d63f94 --- /dev/null +++ b/queue-5.15/ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch @@ -0,0 +1,101 @@ +From cb842306ee53f90c36ba731fb1dabc6c2394a460 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 15:34:17 +0800 +Subject: ipv6: Fix an uninit variable access bug in __ip6_make_skb() + +From: Ziyang Xuan + +[ Upstream commit ea30388baebcce37fd594d425a65037ca35e59e8 ] + +Syzbot reported a bug as following: + +===================================================== +BUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] +BUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] +BUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] +BUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 + arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] + arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] + atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] + __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 + ip6_finish_skb include/net/ipv6.h:1122 [inline] + ip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987 + rawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579 + rawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922 + inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 + ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 + __sys_sendmsg net/socket.c:2559 [inline] + __do_sys_sendmsg net/socket.c:2568 [inline] + __se_sys_sendmsg net/socket.c:2566 [inline] + __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:766 [inline] + slab_alloc_node mm/slub.c:3452 [inline] + __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491 + __do_kmalloc_node mm/slab_common.c:967 [inline] + __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988 + kmalloc_reserve net/core/skbuff.c:492 [inline] + __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565 + alloc_skb include/linux/skbuff.h:1270 [inline] + __ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684 + ip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854 + rawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915 + inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 + ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 + __sys_sendmsg net/socket.c:2559 [inline] + __do_sys_sendmsg net/socket.c:2568 [inline] + __se_sys_sendmsg net/socket.c:2566 [inline] + __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +It is because icmp6hdr does not in skb linear region under the scenario +of SOCK_RAW socket. Access icmp6_hdr(skb)->icmp6_type directly will +trigger the uninit variable access bug. + +Use a local variable icmp6_type to carry the correct value in different +scenarios. + +Fixes: 14878f75abd5 ("[IPV6]: Add ICMPMsgStats MIB (RFC 4293) [rev 2]") +Reported-by: syzbot+8257f4dcef79de670baf@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3d605ec1d0a7f2a269a1a6936ac7f2b85975ee9c +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 383442ded9542..be63929b1ac53 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1913,8 +1913,13 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, + IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len); + if (proto == IPPROTO_ICMPV6) { + struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); ++ u8 icmp6_type; + +- ICMP6MSGOUT_INC_STATS(net, idev, icmp6_hdr(skb)->icmp6_type); ++ if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl) ++ icmp6_type = fl6->fl6_icmp_type; ++ else ++ icmp6_type = icmp6_hdr(skb)->icmp6_type; ++ ICMP6MSGOUT_INC_STATS(net, idev, icmp6_type); + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); + } + +-- +2.39.2 + diff --git a/queue-5.15/kbuild-refactor-single-builds-of-.ko.patch b/queue-5.15/kbuild-refactor-single-builds-of-.ko.patch new file mode 100644 index 00000000000..183419e892e --- /dev/null +++ b/queue-5.15/kbuild-refactor-single-builds-of-.ko.patch @@ -0,0 +1,70 @@ +From d0f006a07800022d624fdf2d218f484205228c1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Aug 2022 11:39:50 +0900 +Subject: kbuild: refactor single builds of *.ko + +From: Masahiro Yamada + +[ Upstream commit f110e5a250e3c5db417e094b3dd86f1c135291ca ] + +Remove the potentially invalid modules.order instead of using +the temporary file. + +Also, KBUILD_MODULES is don't care for single builds. No need to +cancel it. + +Signed-off-by: Masahiro Yamada +Stable-dep-of: ed1f4ccfe947 ("clk: imx: imx8mp: add shared clk gate for usb suspend clk") +Signed-off-by: Sasha Levin +--- + Makefile | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/Makefile b/Makefile +index 6459e91369fdb..4de8cd300451d 100644 +--- a/Makefile ++++ b/Makefile +@@ -1850,6 +1850,8 @@ modules modules_install: + @echo >&2 '***' + @exit 1 + ++KBUILD_MODULES := ++ + endif # CONFIG_MODULES + + # Single targets +@@ -1875,18 +1877,12 @@ $(single-ko): single_modpost + $(single-no-ko): descend + @: + +-ifeq ($(KBUILD_EXTMOD),) +-# For the single build of in-tree modules, use a temporary file to avoid +-# the situation of modules_install installing an invalid modules.order. +-MODORDER := .modules.tmp +-endif +- ++# Remove MODORDER when done because it is not the real one. + PHONY += single_modpost + single_modpost: $(single-no-ko) modules_prepare + $(Q){ $(foreach m, $(single-ko), echo $(extmod_prefix)$m;) } > $(MODORDER) + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost +- +-KBUILD_MODULES := 1 ++ $(Q)rm -f $(MODORDER) + + export KBUILD_SINGLE_TARGETS := $(addprefix $(extmod_prefix), $(single-no-ko)) + +@@ -1896,10 +1892,6 @@ build-dirs := $(foreach d, $(build-dirs), \ + + endif + +-ifndef CONFIG_MODULES +-KBUILD_MODULES := +-endif +- + # Handle descending into subdirectories listed in $(build-dirs) + # Preset locale variables to speed up the build process. Limit locale + # tweaks to this spot to avoid wrong language settings when running +-- +2.39.2 + diff --git a/queue-5.15/kvm-s390-pv-fix-external-interruption-loop-not-alway.patch b/queue-5.15/kvm-s390-pv-fix-external-interruption-loop-not-alway.patch new file mode 100644 index 00000000000..cef48ccedf7 --- /dev/null +++ b/queue-5.15/kvm-s390-pv-fix-external-interruption-loop-not-alway.patch @@ -0,0 +1,100 @@ +From 7a518e5fe88697f669b887801756bd8ff5f070b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Feb 2023 09:55:20 +0100 +Subject: KVM: s390: pv: fix external interruption loop not always detected + +From: Nico Boehr + +[ Upstream commit 21f27df854008b86349a203bf97fef79bb11f53e ] + +To determine whether the guest has caused an external interruption loop +upon code 20 (external interrupt) intercepts, the ext_new_psw needs to +be inspected to see whether external interrupts are enabled. + +Under non-PV, ext_new_psw can simply be taken from guest lowcore. Under +PV, KVM can only access the encrypted guest lowcore and hence the +ext_new_psw must not be taken from guest lowcore. + +handle_external_interrupt() incorrectly did that and hence was not able +to reliably tell whether an external interruption loop is happening or +not. False negatives cause spurious failures of my kvm-unit-test +for extint loops[1] under PV. + +Since code 20 is only caused under PV if and only if the guest's +ext_new_psw is enabled for external interrupts, false positive detection +of a external interruption loop can not happen. + +Fix this issue by instead looking at the guest PSW in the state +description. Since the PSW swap for external interrupt is done by the +ultravisor before the intercept is caused, this reliably tells whether +the guest is enabled for external interrupts in the ext_new_psw. + +Also update the comments to explain better what is happening. + +[1] https://lore.kernel.org/kvm/20220812062151.1980937-4-nrb@linux.ibm.com/ + +Signed-off-by: Nico Boehr +Reviewed-by: Janosch Frank +Reviewed-by: Christian Borntraeger +Fixes: 201ae986ead7 ("KVM: s390: protvirt: Implement interrupt injection") +Link: https://lore.kernel.org/r/20230213085520.100756-2-nrb@linux.ibm.com +Message-Id: <20230213085520.100756-2-nrb@linux.ibm.com> +Signed-off-by: Janosch Frank +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/intercept.c | 32 ++++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c +index 8ca301f49b305..aeb0e0865e890 100644 +--- a/arch/s390/kvm/intercept.c ++++ b/arch/s390/kvm/intercept.c +@@ -271,10 +271,18 @@ static int handle_prog(struct kvm_vcpu *vcpu) + * handle_external_interrupt - used for external interruption interceptions + * @vcpu: virtual cpu + * +- * This interception only occurs if the CPUSTAT_EXT_INT bit was set, or if +- * the new PSW does not have external interrupts disabled. In the first case, +- * we've got to deliver the interrupt manually, and in the second case, we +- * drop to userspace to handle the situation there. ++ * This interception occurs if: ++ * - the CPUSTAT_EXT_INT bit was already set when the external interrupt ++ * occurred. In this case, the interrupt needs to be injected manually to ++ * preserve interrupt priority. ++ * - the external new PSW has external interrupts enabled, which will cause an ++ * interruption loop. We drop to userspace in this case. ++ * ++ * The latter case can be detected by inspecting the external mask bit in the ++ * external new psw. ++ * ++ * Under PV, only the latter case can occur, since interrupt priorities are ++ * handled in the ultravisor. + */ + static int handle_external_interrupt(struct kvm_vcpu *vcpu) + { +@@ -285,10 +293,18 @@ static int handle_external_interrupt(struct kvm_vcpu *vcpu) + + vcpu->stat.exit_external_interrupt++; + +- rc = read_guest_lc(vcpu, __LC_EXT_NEW_PSW, &newpsw, sizeof(psw_t)); +- if (rc) +- return rc; +- /* We can not handle clock comparator or timer interrupt with bad PSW */ ++ if (kvm_s390_pv_cpu_is_protected(vcpu)) { ++ newpsw = vcpu->arch.sie_block->gpsw; ++ } else { ++ rc = read_guest_lc(vcpu, __LC_EXT_NEW_PSW, &newpsw, sizeof(psw_t)); ++ if (rc) ++ return rc; ++ } ++ ++ /* ++ * Clock comparator or timer interrupt with external interrupt enabled ++ * will cause interrupt loop. Drop to userspace. ++ */ + if ((eic == EXT_IRQ_CLK_COMP || eic == EXT_IRQ_CPU_TIMER) && + (newpsw.mask & PSW_MASK_EXT)) + return -EOPNOTSUPP; +-- +2.39.2 + diff --git a/queue-5.15/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch b/queue-5.15/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch new file mode 100644 index 00000000000..d9534494d3c --- /dev/null +++ b/queue-5.15/net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch @@ -0,0 +1,80 @@ +From 404c72ae7e64159dbcf80b5c0423ca2f5e31ee52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 19:21:44 -0700 +Subject: net: don't let netpoll invoke NAPI if in xmit context + +From: Jakub Kicinski + +[ Upstream commit 275b471e3d2daf1472ae8fa70dc1b50c9e0b9e75 ] + +Commit 0db3dc73f7a3 ("[NETPOLL]: tx lock deadlock fix") narrowed +down the region under netif_tx_trylock() inside netpoll_send_skb(). +(At that point in time netif_tx_trylock() would lock all queues of +the device.) Taking the tx lock was problematic because driver's +cleanup method may take the same lock. So the change made us hold +the xmit lock only around xmit, and expected the driver to take +care of locking within ->ndo_poll_controller(). + +Unfortunately this only works if netpoll isn't itself called with +the xmit lock already held. Netpoll code is careful and uses +trylock(). The drivers, however, may be using plain lock(). +Printing while holding the xmit lock is going to result in rare +deadlocks. + +Luckily we record the xmit lock owners, so we can scan all the queues, +the same way we scan NAPI owners. If any of the xmit locks is held +by the local CPU we better not attempt any polling. + +It would be nice if we could narrow down the check to only the NAPIs +and the queue we're trying to use. I don't see a way to do that now. + +Reported-by: Roman Gushchin +Fixes: 0db3dc73f7a3 ("[NETPOLL]: tx lock deadlock fix") +Signed-off-by: Jakub Kicinski +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index edfc0f8011f88..bd750863959f2 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -137,6 +137,20 @@ static void queue_process(struct work_struct *work) + } + } + ++static int netif_local_xmit_active(struct net_device *dev) ++{ ++ int i; ++ ++ for (i = 0; i < dev->num_tx_queues; i++) { ++ struct netdev_queue *txq = netdev_get_tx_queue(dev, i); ++ ++ if (READ_ONCE(txq->xmit_lock_owner) == smp_processor_id()) ++ return 1; ++ } ++ ++ return 0; ++} ++ + static void poll_one_napi(struct napi_struct *napi) + { + int work; +@@ -183,7 +197,10 @@ void netpoll_poll_dev(struct net_device *dev) + if (!ni || down_trylock(&ni->dev_lock)) + return; + +- if (!netif_running(dev)) { ++ /* Some drivers will take the same locks in poll and xmit, ++ * we can't poll if local CPU is already in xmit. ++ */ ++ if (!netif_running(dev) || netif_local_xmit_active(dev)) { + up(&ni->dev_lock); + return; + } +-- +2.39.2 + diff --git a/queue-5.15/net-dsa-mv88e6xxx-reset-mv88e6393x-force-wd-event-bi.patch b/queue-5.15/net-dsa-mv88e6xxx-reset-mv88e6393x-force-wd-event-bi.patch new file mode 100644 index 00000000000..6a6ba6dc253 --- /dev/null +++ b/queue-5.15/net-dsa-mv88e6xxx-reset-mv88e6393x-force-wd-event-bi.patch @@ -0,0 +1,91 @@ +From 64b234339e941330017ed55421a1bf4e748de945 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 10:40:13 +0200 +Subject: net: dsa: mv88e6xxx: Reset mv88e6393x force WD event bit + +From: Gustav Ekelund + +[ Upstream commit 089b91a0155c4de1209a07ff2a7dd299ff3ece47 ] + +The force watchdog event bit is not cleared during SW reset in the +mv88e6393x switch. This is a different behavior compared to mv886390 which +clears the force WD event bit as advertised. This causes a force WD event +to be handled over and over again as the SW reset following the event never +clears the force WD event bit. + +Explicitly clear the watchdog event register to 0 in irq_action when +handling an event to prevent the switch from sending continuous interrupts. +Marvell aren't aware of any other stuck bits apart from the force WD +bit. + +Fixes: de776d0d316f ("net: dsa: mv88e6xxx: add support for mv88e6393x family" +Signed-off-by: Gustav Ekelund +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + drivers/net/dsa/mv88e6xxx/global2.c | 20 ++++++++++++++++++++ + drivers/net/dsa/mv88e6xxx/global2.h | 1 + + 3 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 8a030dc0b8a36..bc363fca2895f 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -4967,7 +4967,7 @@ static const struct mv88e6xxx_ops mv88e6393x_ops = { + * .port_set_upstream_port method. + */ + .set_egress_port = mv88e6393x_set_egress_port, +- .watchdog_ops = &mv88e6390_watchdog_ops, ++ .watchdog_ops = &mv88e6393x_watchdog_ops, + .mgmt_rsvd2cpu = mv88e6393x_port_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, + .reset = mv88e6352_g1_reset, +diff --git a/drivers/net/dsa/mv88e6xxx/global2.c b/drivers/net/dsa/mv88e6xxx/global2.c +index fa65ecd9cb853..ec49939968fac 100644 +--- a/drivers/net/dsa/mv88e6xxx/global2.c ++++ b/drivers/net/dsa/mv88e6xxx/global2.c +@@ -931,6 +931,26 @@ const struct mv88e6xxx_irq_ops mv88e6390_watchdog_ops = { + .irq_free = mv88e6390_watchdog_free, + }; + ++static int mv88e6393x_watchdog_action(struct mv88e6xxx_chip *chip, int irq) ++{ ++ mv88e6390_watchdog_action(chip, irq); ++ ++ /* Fix for clearing the force WD event bit. ++ * Unreleased erratum on mv88e6393x. ++ */ ++ mv88e6xxx_g2_write(chip, MV88E6390_G2_WDOG_CTL, ++ MV88E6390_G2_WDOG_CTL_UPDATE | ++ MV88E6390_G2_WDOG_CTL_PTR_EVENT); ++ ++ return IRQ_HANDLED; ++} ++ ++const struct mv88e6xxx_irq_ops mv88e6393x_watchdog_ops = { ++ .irq_action = mv88e6393x_watchdog_action, ++ .irq_setup = mv88e6390_watchdog_setup, ++ .irq_free = mv88e6390_watchdog_free, ++}; ++ + static irqreturn_t mv88e6xxx_g2_watchdog_thread_fn(int irq, void *dev_id) + { + struct mv88e6xxx_chip *chip = dev_id; +diff --git a/drivers/net/dsa/mv88e6xxx/global2.h b/drivers/net/dsa/mv88e6xxx/global2.h +index f3e27573a3864..89ba09b663a26 100644 +--- a/drivers/net/dsa/mv88e6xxx/global2.h ++++ b/drivers/net/dsa/mv88e6xxx/global2.h +@@ -361,6 +361,7 @@ int mv88e6xxx_g2_device_mapping_write(struct mv88e6xxx_chip *chip, int target, + extern const struct mv88e6xxx_irq_ops mv88e6097_watchdog_ops; + extern const struct mv88e6xxx_irq_ops mv88e6250_watchdog_ops; + extern const struct mv88e6xxx_irq_ops mv88e6390_watchdog_ops; ++extern const struct mv88e6xxx_irq_ops mv88e6393x_watchdog_ops; + + extern const struct mv88e6xxx_avb_ops mv88e6165_avb_ops; + extern const struct mv88e6xxx_avb_ops mv88e6352_avb_ops; +-- +2.39.2 + diff --git a/queue-5.15/net-ethernet-ti-am65-cpsw-fix-mdio-cleanup-in-probe.patch b/queue-5.15/net-ethernet-ti-am65-cpsw-fix-mdio-cleanup-in-probe.patch new file mode 100644 index 00000000000..41742644a05 --- /dev/null +++ b/queue-5.15/net-ethernet-ti-am65-cpsw-fix-mdio-cleanup-in-probe.patch @@ -0,0 +1,57 @@ +From fef6d719ba05c174ecefa9ca8a0c463ec659340a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 14:33:21 +0530 +Subject: net: ethernet: ti: am65-cpsw: Fix mdio cleanup in probe + +From: Siddharth Vadapalli + +[ Upstream commit c6b486fb33680ad5a3a6390ce693c835caaae3f7 ] + +In the am65_cpsw_nuss_probe() function's cleanup path, the call to +of_platform_device_destroy() for the common->mdio_dev device is invoked +unconditionally. It is possible that either the MDIO node is not present +in the device-tree, or the MDIO node is disabled in the device-tree. In +both these cases, the MDIO device is not created, resulting in a NULL +pointer dereference when the of_platform_device_destroy() function is +invoked on the common->mdio_dev device on the cleanup path. + +Fix this by ensuring that the common->mdio_dev device exists, before +attempting to invoke of_platform_device_destroy(). + +Fixes: a45cfcc69a25 ("net: ethernet: ti: am65-cpsw-nuss: use of_platform_device_create() for mdio") +Signed-off-by: Siddharth Vadapalli +Reviewed-by: Roger Quadros +Link: https://lore.kernel.org/r/20230403090321.835877-1-s-vadapalli@ti.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 37b9a798dd624..692c291d9a01a 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -2784,7 +2784,8 @@ static int am65_cpsw_nuss_probe(struct platform_device *pdev) + return 0; + + err_of_clear: +- of_platform_device_destroy(common->mdio_dev, NULL); ++ if (common->mdio_dev) ++ of_platform_device_destroy(common->mdio_dev, NULL); + err_pm_clear: + pm_runtime_put_sync(dev); + pm_runtime_disable(dev); +@@ -2813,7 +2814,8 @@ static int am65_cpsw_nuss_remove(struct platform_device *pdev) + */ + am65_cpsw_nuss_cleanup_ndev(common); + +- of_platform_device_destroy(common->mdio_dev, NULL); ++ if (common->mdio_dev) ++ of_platform_device_destroy(common->mdio_dev, NULL); + + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); +-- +2.39.2 + diff --git a/queue-5.15/net-qrtr-combine-nameservice-into-main-module.patch b/queue-5.15/net-qrtr-combine-nameservice-into-main-module.patch new file mode 100644 index 00000000000..726bd260281 --- /dev/null +++ b/queue-5.15/net-qrtr-combine-nameservice-into-main-module.patch @@ -0,0 +1,48 @@ +From 4d8120712e39b1ae250b433ea6a61a4508950ebd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 19:11:57 +0200 +Subject: net: qrtr: combine nameservice into main module + +From: Luca Weiss + +[ Upstream commit a365023a76f231cc2fc6e33797e66f3bcaa9f9a9 ] + +Previously with CONFIG_QRTR=m a separate ns.ko would be built which +wasn't done on purpose and should be included in qrtr.ko. + +Rename qrtr.c to af_qrtr.c so we can build a qrtr.ko with both af_qrtr.c +and ns.c. + +Signed-off-by: Luca Weiss +Reviewed-by: Bjorn Andersson +Tested-By: Steev Klimaszewski +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20210928171156.6353-1-luca@z3ntu.xyz +Signed-off-by: Jakub Kicinski +Stable-dep-of: 44d807320000 ("net: qrtr: Fix a refcount bug in qrtr_recvmsg()") +Signed-off-by: Sasha Levin +--- + net/qrtr/Makefile | 3 ++- + net/qrtr/{qrtr.c => af_qrtr.c} | 0 + 2 files changed, 2 insertions(+), 1 deletion(-) + rename net/qrtr/{qrtr.c => af_qrtr.c} (100%) + +diff --git a/net/qrtr/Makefile b/net/qrtr/Makefile +index 1b1411d158a73..8e0605f88a73d 100644 +--- a/net/qrtr/Makefile ++++ b/net/qrtr/Makefile +@@ -1,5 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0-only +-obj-$(CONFIG_QRTR) := qrtr.o ns.o ++obj-$(CONFIG_QRTR) += qrtr.o ++qrtr-y := af_qrtr.o ns.o + + obj-$(CONFIG_QRTR_SMD) += qrtr-smd.o + qrtr-smd-y := smd.o +diff --git a/net/qrtr/qrtr.c b/net/qrtr/af_qrtr.c +similarity index 100% +rename from net/qrtr/qrtr.c +rename to net/qrtr/af_qrtr.c +-- +2.39.2 + diff --git a/queue-5.15/net-qrtr-do-not-do-del_server-broadcast-after-del_cl.patch b/queue-5.15/net-qrtr-do-not-do-del_server-broadcast-after-del_cl.patch new file mode 100644 index 00000000000..491d3442ed2 --- /dev/null +++ b/queue-5.15/net-qrtr-do-not-do-del_server-broadcast-after-del_cl.patch @@ -0,0 +1,94 @@ +From f7f50f3742a96c1143a0d7c1a1e4d751130b95e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 12:28:51 +0530 +Subject: net: qrtr: Do not do DEL_SERVER broadcast after DEL_CLIENT + +From: Sricharan Ramabadhran + +[ Upstream commit 839349d13905927d8a567ca4d21d88c82028e31d ] + +On the remote side, when QRTR socket is removed, af_qrtr will call +qrtr_port_remove() which broadcasts the DEL_CLIENT packet to all neighbours +including local NS. NS upon receiving the DEL_CLIENT packet, will remove +the lookups associated with the node:port and broadcasts the DEL_SERVER +packet. + +But on the host side, due to the arrival of the DEL_CLIENT packet, the NS +would've already deleted the server belonging to that port. So when the +remote's NS again broadcasts the DEL_SERVER for that port, it throws below +error message on the host: + +"failed while handling packet from 2:-2" + +So fix this error by not broadcasting the DEL_SERVER packet when the +DEL_CLIENT packet gets processed." + +Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Ram Kumar Dharuman +Signed-off-by: Sricharan Ramabadhran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/ns.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c +index e595079c2cafe..3e40a1ba48f79 100644 +--- a/net/qrtr/ns.c ++++ b/net/qrtr/ns.c +@@ -273,7 +273,7 @@ static struct qrtr_server *server_add(unsigned int service, + return NULL; + } + +-static int server_del(struct qrtr_node *node, unsigned int port) ++static int server_del(struct qrtr_node *node, unsigned int port, bool bcast) + { + struct qrtr_lookup *lookup; + struct qrtr_server *srv; +@@ -286,7 +286,7 @@ static int server_del(struct qrtr_node *node, unsigned int port) + radix_tree_delete(&node->servers, port); + + /* Broadcast the removal of local servers */ +- if (srv->node == qrtr_ns.local_node) ++ if (srv->node == qrtr_ns.local_node && bcast) + service_announce_del(&qrtr_ns.bcast_sq, srv); + + /* Announce the service's disappearance to observers */ +@@ -372,7 +372,7 @@ static int ctrl_cmd_bye(struct sockaddr_qrtr *from) + } + slot = radix_tree_iter_resume(slot, &iter); + rcu_read_unlock(); +- server_del(node, srv->port); ++ server_del(node, srv->port, true); + rcu_read_lock(); + } + rcu_read_unlock(); +@@ -458,10 +458,13 @@ static int ctrl_cmd_del_client(struct sockaddr_qrtr *from, + kfree(lookup); + } + +- /* Remove the server belonging to this port */ ++ /* Remove the server belonging to this port but don't broadcast ++ * DEL_SERVER. Neighbours would've already removed the server belonging ++ * to this port due to the DEL_CLIENT broadcast from qrtr_port_remove(). ++ */ + node = node_get(node_id); + if (node) +- server_del(node, port); ++ server_del(node, port, false); + + /* Advertise the removal of this client to all local servers */ + local_node = node_get(qrtr_ns.local_node); +@@ -566,7 +569,7 @@ static int ctrl_cmd_del_server(struct sockaddr_qrtr *from, + if (!node) + return -ENOENT; + +- return server_del(node, port); ++ return server_del(node, port, true); + } + + static int ctrl_cmd_new_lookup(struct sockaddr_qrtr *from, +-- +2.39.2 + diff --git a/queue-5.15/net-qrtr-fix-a-refcount-bug-in-qrtr_recvmsg.patch b/queue-5.15/net-qrtr-fix-a-refcount-bug-in-qrtr_recvmsg.patch new file mode 100644 index 00000000000..2a3a745c05c --- /dev/null +++ b/queue-5.15/net-qrtr-fix-a-refcount-bug-in-qrtr_recvmsg.patch @@ -0,0 +1,77 @@ +From 6f8dafdf8d1943ecd8a9f3af606ed3af1a85180e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 09:25:32 +0800 +Subject: net: qrtr: Fix a refcount bug in qrtr_recvmsg() + +From: Ziyang Xuan + +[ Upstream commit 44d807320000db0d0013372ad39b53e12d52f758 ] + +Syzbot reported a bug as following: + +refcount_t: addition on 0; use-after-free. +... +RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 +... +Call Trace: + + __refcount_add include/linux/refcount.h:199 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + kref_get include/linux/kref.h:45 [inline] + qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline] + qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline] + qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline] + qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070 + sock_recvmsg_nosec net/socket.c:1017 [inline] + sock_recvmsg+0xe2/0x160 net/socket.c:1038 + qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688 + process_one_work+0x991/0x15c0 kernel/workqueue.c:2390 + worker_thread+0x669/0x1090 kernel/workqueue.c:2537 + +It occurs in the concurrent scenario of qrtr_recvmsg() and +qrtr_endpoint_unregister() as following: + + cpu0 cpu1 +qrtr_recvmsg qrtr_endpoint_unregister +qrtr_send_resume_tx qrtr_node_release +qrtr_node_lookup mutex_lock(&qrtr_node_lock) +spin_lock_irqsave(&qrtr_nodes_lock, ) refcount_dec_and_test(&node->ref) [node->ref == 0] +radix_tree_lookup [node != NULL] __qrtr_node_release +qrtr_node_acquire spin_lock_irqsave(&qrtr_nodes_lock, ) +kref_get(&node->ref) [WARNING] ... + mutex_unlock(&qrtr_node_lock) + +Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this +is actually improving the protection of node reference. + +Fixes: 0a7e0d0ef054 ("net: qrtr: Migrate node lookup tree to spinlock") +Reported-by: syzbot+a7492efaa5d61b51db23@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a7492efaa5d61b51db23 +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/af_qrtr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c +index ec23225297278..6e88ba812d2a2 100644 +--- a/net/qrtr/af_qrtr.c ++++ b/net/qrtr/af_qrtr.c +@@ -393,10 +393,12 @@ static struct qrtr_node *qrtr_node_lookup(unsigned int nid) + struct qrtr_node *node; + unsigned long flags; + ++ mutex_lock(&qrtr_node_lock); + spin_lock_irqsave(&qrtr_nodes_lock, flags); + node = radix_tree_lookup(&qrtr_nodes, nid); + node = qrtr_node_acquire(node); + spin_unlock_irqrestore(&qrtr_nodes_lock, flags); ++ mutex_unlock(&qrtr_node_lock); + + return node; + } +-- +2.39.2 + diff --git a/queue-5.15/net-stmmac-fix-up-rx-flow-hash-indirection-table-whe.patch b/queue-5.15/net-stmmac-fix-up-rx-flow-hash-indirection-table-whe.patch new file mode 100644 index 00000000000..3a42cc5cd72 --- /dev/null +++ b/queue-5.15/net-stmmac-fix-up-rx-flow-hash-indirection-table-whe.patch @@ -0,0 +1,86 @@ +From fc2d57dfb1ee02a6f3b117b5c4709aa091f85863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 14:11:20 +0200 +Subject: net: stmmac: fix up RX flow hash indirection table when setting + channels + +From: Corinna Vinschen + +[ Upstream commit 218c597325f4faf7b7a6049233a30d7842b5b2dc ] + +stmmac_reinit_queues() fails to fix up the RX hash. Even if the number +of channels gets restricted, the output of `ethtool -x' indicates that +all RX queues are used: + + $ ethtool -l enp0s29f2 + Channel parameters for enp0s29f2: + Pre-set maximums: + RX: 8 + TX: 8 + Other: n/a + Combined: n/a + Current hardware settings: + RX: 8 + TX: 8 + Other: n/a + Combined: n/a + $ ethtool -x enp0s29f2 + RX flow hash indirection table for enp0s29f2 with 8 RX ring(s): + 0: 0 1 2 3 4 5 6 7 + 8: 0 1 2 3 4 5 6 7 + [...] + $ ethtool -L enp0s29f2 rx 3 + $ ethtool -x enp0s29f2 + RX flow hash indirection table for enp0s29f2 with 3 RX ring(s): + 0: 0 1 2 3 4 5 6 7 + 8: 0 1 2 3 4 5 6 7 + [...] + +Fix this by setting the indirection table according to the number +of specified queues. The result is now as expected: + + $ ethtool -L enp0s29f2 rx 3 + $ ethtool -x enp0s29f2 + RX flow hash indirection table for enp0s29f2 with 3 RX ring(s): + 0: 0 1 2 0 1 2 0 1 + 8: 2 0 1 2 0 1 2 0 + [...] + +Tested on Intel Elkhart Lake. + +Fixes: 0366f7e06a6b ("net: stmmac: add ethtool support for get/set channels") +Signed-off-by: Corinna Vinschen +Link: https://lore.kernel.org/r/20230403121120.489138-1-vinschen@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 728e68971c397..a3bd5396c2f87 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -6893,7 +6893,7 @@ static void stmmac_napi_del(struct net_device *dev) + int stmmac_reinit_queues(struct net_device *dev, u32 rx_cnt, u32 tx_cnt) + { + struct stmmac_priv *priv = netdev_priv(dev); +- int ret = 0; ++ int ret = 0, i; + + if (netif_running(dev)) + stmmac_release(dev); +@@ -6902,6 +6902,10 @@ int stmmac_reinit_queues(struct net_device *dev, u32 rx_cnt, u32 tx_cnt) + + priv->plat->rx_queues_to_use = rx_cnt; + priv->plat->tx_queues_to_use = tx_cnt; ++ if (!netif_is_rxfh_configured(dev)) ++ for (i = 0; i < ARRAY_SIZE(priv->rss.table); i++) ++ priv->rss.table[i] = ethtool_rxfh_indir_default(i, ++ rx_cnt); + + stmmac_napi_add(dev); + +-- +2.39.2 + diff --git a/queue-5.15/nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch b/queue-5.15/nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch new file mode 100644 index 00000000000..7dfa7431aa0 --- /dev/null +++ b/queue-5.15/nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch @@ -0,0 +1,54 @@ +From 2f4978280f1aedb1ee37f29075670d1bb4d87abd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 16:31:19 -0400 +Subject: NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL + +From: Chuck Lever + +[ Upstream commit 804d8e0a6e54427268790472781e03bc243f4ee3 ] + +OPDESC() simply indexes into nfsd4_ops[] by the op's operation +number, without range checking that value. It assumes callers are +careful to avoid calling it with an out-of-bounds opnum value. + +nfsd4_decode_compound() is not so careful, and can invoke OPDESC() +with opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end +of nfsd4_ops[]. + +Reported-by: Jeff Layton +Fixes: f4f9ef4a1b0a ("nfsd4: opdesc will be useful outside nfs4proc.c") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4xdr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index dfd3877fdd818..0394dd60a0b47 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -2370,10 +2370,12 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp) + for (i = 0; i < argp->opcnt; i++) { + op = &argp->ops[i]; + op->replay = NULL; ++ op->opdesc = NULL; + + if (xdr_stream_decode_u32(argp->xdr, &op->opnum) < 0) + return 0; + if (nfsd4_opnum_in_range(argp, op)) { ++ op->opdesc = OPDESC(op); + op->status = nfsd4_dec_ops[op->opnum](argp, &op->u); + if (op->status != nfs_ok) + trace_nfsd_compound_decode_err(argp->rqstp, +@@ -2384,7 +2386,7 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp) + op->opnum = OP_ILLEGAL; + op->status = nfserr_op_illegal; + } +- op->opdesc = OPDESC(op); ++ + /* + * We'll try to cache the result in the DRC if any one + * op in the compound wants to be cached: +-- +2.39.2 + diff --git a/queue-5.15/nfsd-callback-request-does-not-use-correct-credentia.patch b/queue-5.15/nfsd-callback-request-does-not-use-correct-credentia.patch new file mode 100644 index 00000000000..b134c7d41c1 --- /dev/null +++ b/queue-5.15/nfsd-callback-request-does-not-use-correct-credentia.patch @@ -0,0 +1,43 @@ +From c9a98a5906fc302c7a7378208995148ca6cc29b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Apr 2023 13:22:08 -0700 +Subject: NFSD: callback request does not use correct credential for AUTH_SYS + +From: Dai Ngo + +[ Upstream commit 7de82c2f36fb26aa78440bbf0efcf360b691d98b ] + +Currently callback request does not use the credential specified in +CREATE_SESSION if the security flavor for the back channel is AUTH_SYS. + +Problem was discovered by pynfs 4.1 DELEG5 and DELEG7 test with error: +DELEG5 st_delegation.testCBSecParms : FAILURE + expected callback with uid, gid == 17, 19, got 0, 0 + +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Fixes: 8276c902bbe9 ("SUNRPC: remove uid and gid from struct auth_cred") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4callback.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 2e0040d3bca79..97f517e9b4189 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -875,8 +875,8 @@ static const struct cred *get_backchannel_cred(struct nfs4_client *clp, struct r + if (!kcred) + return NULL; + +- kcred->uid = ses->se_cb_sec.uid; +- kcred->gid = ses->se_cb_sec.gid; ++ kcred->fsuid = ses->se_cb_sec.uid; ++ kcred->fsgid = ses->se_cb_sec.gid; + return kcred; + } + } +-- +2.39.2 + diff --git a/queue-5.15/platform-x86-think-lmi-clean-up-display-of-current_v.patch b/queue-5.15/platform-x86-think-lmi-clean-up-display-of-current_v.patch new file mode 100644 index 00000000000..29e12ea8ca8 --- /dev/null +++ b/queue-5.15/platform-x86-think-lmi-clean-up-display-of-current_v.patch @@ -0,0 +1,60 @@ +From 8bb9c368e96e22e3101d0356a3d4fd2fdbc8c771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Apr 2023 21:31:20 -0400 +Subject: platform/x86: think-lmi: Clean up display of current_value on + Thinkstation + +From: Mark Pearson + +[ Upstream commit 7065655216d4d034d71164641f3bec0b189ad6fa ] + +On ThinkStations on retrieving the attribute value the BIOS appends the +possible values to the string. +Clean up the display in the current_value_show function so the options +part is not displayed. + +Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms") +Reported by Mario Limoncello +Link: https://github.com/fwupd/fwupd/issues/5077#issuecomment-1488730526 +Signed-off-by: Mark Pearson +Link: https://lore.kernel.org/r/20230403013120.2105-2-mpearson-lenovo@squebb.ca +Tested-by: Mario Limonciello +Tested-by: Mirsad Goran Todorovac +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/think-lmi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c +index ded3aacb26cc9..76f0d04e17f30 100644 +--- a/drivers/platform/x86/think-lmi.c ++++ b/drivers/platform/x86/think-lmi.c +@@ -504,7 +504,7 @@ static ssize_t display_name_show(struct kobject *kobj, struct kobj_attribute *at + static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) + { + struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); +- char *item, *value; ++ char *item, *value, *p; + int ret; + + ret = tlmi_setting(setting->index, &item, LENOVO_BIOS_SETTING_GUID); +@@ -515,9 +515,12 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a + value = strpbrk(item, ","); + if (!value || value == item || !strlen(value + 1)) + ret = -EINVAL; +- else ++ else { ++ /* On Workstations remove the Options part after the value */ ++ p = strchrnul(value, ';'); ++ *p = '\0'; + ret = sysfs_emit(buf, "%s\n", value + 1); +- ++ } + kfree(item); + + return ret; +-- +2.39.2 + diff --git a/queue-5.15/platform-x86-think-lmi-fix-memory-leak-when-showing-.patch b/queue-5.15/platform-x86-think-lmi-fix-memory-leak-when-showing-.patch new file mode 100644 index 00000000000..e7c59d2a636 --- /dev/null +++ b/queue-5.15/platform-x86-think-lmi-fix-memory-leak-when-showing-.patch @@ -0,0 +1,51 @@ +From bdd9ac77ed0ae1b58a1dd5636153027a28bc1410 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 23:33:19 +0200 +Subject: platform/x86: think-lmi: Fix memory leak when showing current + settings + +From: Armin Wolf + +[ Upstream commit a3c4c053014585dcf20f4df954791b74d8a8afcd ] + +When retriving a item string with tlmi_setting(), the result has to be +freed using kfree(). In current_value_show() however, malformed +item strings are not freed, causing a memory leak. +Fix this by eliminating the early return responsible for this. + +Reported-by: Mirsad Goran Todorovac +Link: https://lore.kernel.org/platform-driver-x86/01e920bc-5882-ba0c-dd15-868bf0eca0b8@alu.unizg.hr/T/#t +Tested-by: Mirsad Goran Todorovac +Fixes: 0fdf10e5fc96 ("platform/x86: think-lmi: Split current_value to reflect only the value") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20230331213319.41040-1-W_Armin@gmx.de +Tested-by: Mario Limonciello +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/think-lmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c +index c9ed2644bb8a6..5676587271988 100644 +--- a/drivers/platform/x86/think-lmi.c ++++ b/drivers/platform/x86/think-lmi.c +@@ -514,10 +514,12 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a + /* validate and split from `item,value` -> `value` */ + value = strpbrk(item, ","); + if (!value || value == item || !strlen(value + 1)) +- return -EINVAL; ++ ret = -EINVAL; ++ else ++ ret = sysfs_emit(buf, "%s\n", value + 1); + +- ret = sysfs_emit(buf, "%s\n", value + 1); + kfree(item); ++ + return ret; + } + +-- +2.39.2 + diff --git a/queue-5.15/platform-x86-think-lmi-fix-memory-leaks-when-parsing.patch b/queue-5.15/platform-x86-think-lmi-fix-memory-leaks-when-parsing.patch new file mode 100644 index 00000000000..8f6f35d1fd1 --- /dev/null +++ b/queue-5.15/platform-x86-think-lmi-fix-memory-leaks-when-parsing.patch @@ -0,0 +1,58 @@ +From f7110a040e9e1e895bba63cfd95b2eb2bccc5e8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Apr 2023 21:31:19 -0400 +Subject: platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation + WMI strings + +From: Mark Pearson + +[ Upstream commit e7d796fccdc8d17c2d21817ebe4c7bf5bbfe5433 ] + +My previous commit introduced a memory leak where the item allocated +from tlmi_setting was not freed. +This commit also renames it to avoid confusion with the similarly name +variable in the same function. + +Fixes: 8a02d70679fc ("platform/x86: think-lmi: Add possible_values for ThinkStation") +Reported-by: Mirsad Todorovac +Link: https://lore.kernel.org/lkml/df26ff45-8933-f2b3-25f4-6ee51ccda7d8@gmx.de/T/ +Signed-off-by: Mark Pearson +Link: https://lore.kernel.org/r/20230403013120.2105-1-mpearson-lenovo@squebb.ca +Tested-by: Mario Limonciello +Tested-by: Mirsad Goran Todorovac +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/think-lmi.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c +index 5676587271988..ded3aacb26cc9 100644 +--- a/drivers/platform/x86/think-lmi.c ++++ b/drivers/platform/x86/think-lmi.c +@@ -952,10 +952,10 @@ static int tlmi_analyze(void) + * name string. + * Try and pull that out if it's available. + */ +- char *item, *optstart, *optend; ++ char *optitem, *optstart, *optend; + +- if (!tlmi_setting(setting->index, &item, LENOVO_BIOS_SETTING_GUID)) { +- optstart = strstr(item, "[Optional:"); ++ if (!tlmi_setting(setting->index, &optitem, LENOVO_BIOS_SETTING_GUID)) { ++ optstart = strstr(optitem, "[Optional:"); + if (optstart) { + optstart += strlen("[Optional:"); + optend = strstr(optstart, "]"); +@@ -964,6 +964,7 @@ static int tlmi_analyze(void) + kstrndup(optstart, optend - optstart, + GFP_KERNEL); + } ++ kfree(optitem); + } + } + /* +-- +2.39.2 + diff --git a/queue-5.15/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch b/queue-5.15/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..fd8dbaba953 --- /dev/null +++ b/queue-5.15/pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,40 @@ +From 0808a6b4f24813fc6c9429eaa92f023caaab29a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:41 +0100 +Subject: pwm: cros-ec: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 30006b77c7e130e01d1ab2148cc8abf73dfcc4bf ] + +The driver only supports normal polarity. Complete the implementation of +.get_state() by setting .polarity accordingly. + +Reviewed-by: Guenter Roeck +Fixes: 1f0d3bb02785 ("pwm: Add ChromeOS EC PWM driver") +Link: https://lore.kernel.org/r/20230228135508.1798428-3-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-cros-ec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-cros-ec.c b/drivers/pwm/pwm-cros-ec.c +index 5e29d9c682c34..adfd03c11e18c 100644 +--- a/drivers/pwm/pwm-cros-ec.c ++++ b/drivers/pwm/pwm-cros-ec.c +@@ -157,6 +157,7 @@ static void cros_ec_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + + state->enabled = (ret > 0); + state->period = EC_PWM_MAX_DUTY; ++ state->polarity = PWM_POLARITY_NORMAL; + + /* + * Note that "disabled" and "duty cycle == 0" are treated the same. If +-- +2.39.2 + diff --git a/queue-5.15/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch b/queue-5.15/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch new file mode 100644 index 00000000000..5ffe21f745c --- /dev/null +++ b/queue-5.15/pwm-sprd-explicitly-set-.polarity-in-.get_state.patch @@ -0,0 +1,39 @@ +From 4973df827593e7a4562232b7c382a91d61a95d0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 22:45:43 +0100 +Subject: pwm: sprd: Explicitly set .polarity in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 2be4dcf6627e1bcbbef8e6ba1811f5127d39202c ] + +The driver only supports normal polarity. Complete the implementation of +.get_state() by setting .polarity accordingly. + +Fixes: 8aae4b02e8a6 ("pwm: sprd: Add Spreadtrum PWM support") +Link: https://lore.kernel.org/r/20230228135508.1798428-5-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sprd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-sprd.c b/drivers/pwm/pwm-sprd.c +index 7004f55bbf115..869e696a503f0 100644 +--- a/drivers/pwm/pwm-sprd.c ++++ b/drivers/pwm/pwm-sprd.c +@@ -109,6 +109,7 @@ static void sprd_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + duty = val & SPRD_PWM_DUTY_MSK; + tmp = (prescale + 1) * NSEC_PER_SEC * duty; + state->duty_cycle = DIV_ROUND_CLOSEST_ULL(tmp, chn->clk_rate); ++ state->polarity = PWM_POLARITY_NORMAL; + + /* Disable PWM clocks if the PWM channel is not in enable state. */ + if (!state->enabled) +-- +2.39.2 + diff --git a/queue-5.15/sctp-check-send-stream-number-after-wait_for_sndbuf.patch b/queue-5.15/sctp-check-send-stream-number-after-wait_for_sndbuf.patch new file mode 100644 index 00000000000..9405922be61 --- /dev/null +++ b/queue-5.15/sctp-check-send-stream-number-after-wait_for_sndbuf.patch @@ -0,0 +1,66 @@ +From ae9a6f3a11c30cee3b79e7f70d8073e233614ecc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Apr 2023 19:09:57 -0400 +Subject: sctp: check send stream number after wait_for_sndbuf + +From: Xin Long + +[ Upstream commit 2584024b23552c00d95b50255e47bd18d306d31a ] + +This patch fixes a corner case where the asoc out stream count may change +after wait_for_sndbuf. + +When the main thread in the client starts a connection, if its out stream +count is set to N while the in stream count in the server is set to N - 2, +another thread in the client keeps sending the msgs with stream number +N - 1, and waits for sndbuf before processing INIT_ACK. + +However, after processing INIT_ACK, the out stream count in the client is +shrunk to N - 2, the same to the in stream count in the server. The crash +occurs when the thread waiting for sndbuf is awake and sends the msg in a +non-existing stream(N - 1), the call trace is as below: + + KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] + Call Trace: + + sctp_cmd_send_msg net/sctp/sm_sideeffect.c:1114 [inline] + sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1777 [inline] + sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] + sctp_do_sm+0x197d/0x5310 net/sctp/sm_sideeffect.c:1170 + sctp_primitive_SEND+0x9f/0xc0 net/sctp/primitive.c:163 + sctp_sendmsg_to_asoc+0x10eb/0x1a30 net/sctp/socket.c:1868 + sctp_sendmsg+0x8d4/0x1d90 net/sctp/socket.c:2026 + inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:825 + sock_sendmsg_nosec net/socket.c:722 [inline] + sock_sendmsg+0xde/0x190 net/socket.c:745 + +The fix is to add an unlikely check for the send stream number after the +thread wakes up from the wait_for_sndbuf. + +Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") +Reported-by: syzbot+47c24ca20a2fa01f082e@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 5f6e6a6e91b3d..a5344fddddbb6 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1831,6 +1831,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc, + err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); + if (err) + goto err; ++ if (unlikely(sinfo->sinfo_stream >= asoc->stream.outcnt)) { ++ err = -EINVAL; ++ goto err; ++ } + } + + if (sctp_state(asoc, CLOSED)) { +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series index 3999fc1705f..838bd6606e8 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -22,3 +22,32 @@ serial-exar-add-support-for-sealevel-7xxxc-serial-ca.patch drm-amdgpu-prevent-race-between-late-signaled-fences.patch drm-amdgpu-fix-amdgpu_job_free_resources-v2.patch bpf-hash-map-avoid-deadlock-with-suitable-hash-mask.patch +gpio-gpio_regmap-select-regmap-instead-of-depending-.patch +drivers-vmbus-check-for-channel-allocation-before-lo.patch +pwm-cros-ec-explicitly-set-.polarity-in-.get_state.patch +pwm-sprd-explicitly-set-.polarity-in-.get_state.patch +kvm-s390-pv-fix-external-interruption-loop-not-alway.patch +wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch +net-qrtr-combine-nameservice-into-main-module.patch +net-qrtr-fix-a-refcount-bug-in-qrtr_recvmsg.patch +nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch +icmp-guard-against-too-small-mtu.patch +net-don-t-let-netpoll-invoke-napi-if-in-xmit-context.patch +net-dsa-mv88e6xxx-reset-mv88e6393x-force-wd-event-bi.patch +sctp-check-send-stream-number-after-wait_for_sndbuf.patch +net-qrtr-do-not-do-del_server-broadcast-after-del_cl.patch +ipv6-fix-an-uninit-variable-access-bug-in-__ip6_make.patch +platform-x86-think-lmi-fix-memory-leak-when-showing-.patch +platform-x86-think-lmi-fix-memory-leaks-when-parsing.patch +platform-x86-think-lmi-clean-up-display-of-current_v.patch +gpio-davinci-add-irq-chip-flag-to-skip-set-wake.patch +net-ethernet-ti-am65-cpsw-fix-mdio-cleanup-in-probe.patch +net-stmmac-fix-up-rx-flow-hash-indirection-table-whe.patch +sunrpc-only-free-unix-grouplist-after-rcu-settles.patch +nfsd-callback-request-does-not-use-correct-credentia.patch +ice-fix-wrong-fallback-logic-for-fdir.patch +ice-reset-fdir-counter-in-fdir-init-stage.patch +ethtool-reset-lanes-when-lanes-is-omitted.patch +gve-secure-enough-bytes-in-the-first-tx-desc-for-all.patch +kbuild-refactor-single-builds-of-.ko.patch +clk-imx-imx8mp-add-shared-clk-gate-for-usb-suspend-c.patch diff --git a/queue-5.15/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch b/queue-5.15/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch new file mode 100644 index 00000000000..a7598393634 --- /dev/null +++ b/queue-5.15/sunrpc-only-free-unix-grouplist-after-rcu-settles.patch @@ -0,0 +1,58 @@ +From 0b954ccfce000d2f4bafd28b1c28ebbf26d250aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 14:24:27 -0400 +Subject: sunrpc: only free unix grouplist after RCU settles + +From: Jeff Layton + +[ Upstream commit 5085e41f9e83a1bec51da1f20b54f2ec3a13a3fe ] + +While the unix_gid object is rcu-freed, the group_info list that it +contains is not. Ensure that we only put the group list reference once +we are really freeing the unix_gid object. + +Reported-by: Zhi Li +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2183056 +Signed-off-by: Jeff Layton +Fixes: fd5d2f78261b ("SUNRPC: Make server side AUTH_UNIX use lockless lookups") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svcauth_unix.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c +index d7ed7d49115ac..a7d107167c05c 100644 +--- a/net/sunrpc/svcauth_unix.c ++++ b/net/sunrpc/svcauth_unix.c +@@ -415,14 +415,23 @@ static int unix_gid_hash(kuid_t uid) + return hash_long(from_kuid(&init_user_ns, uid), GID_HASHBITS); + } + +-static void unix_gid_put(struct kref *kref) ++static void unix_gid_free(struct rcu_head *rcu) + { +- struct cache_head *item = container_of(kref, struct cache_head, ref); +- struct unix_gid *ug = container_of(item, struct unix_gid, h); ++ struct unix_gid *ug = container_of(rcu, struct unix_gid, rcu); ++ struct cache_head *item = &ug->h; ++ + if (test_bit(CACHE_VALID, &item->flags) && + !test_bit(CACHE_NEGATIVE, &item->flags)) + put_group_info(ug->gi); +- kfree_rcu(ug, rcu); ++ kfree(ug); ++} ++ ++static void unix_gid_put(struct kref *kref) ++{ ++ struct cache_head *item = container_of(kref, struct cache_head, ref); ++ struct unix_gid *ug = container_of(item, struct unix_gid, h); ++ ++ call_rcu(&ug->rcu, unix_gid_free); + } + + static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew) +-- +2.39.2 + diff --git a/queue-5.15/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch b/queue-5.15/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch new file mode 100644 index 00000000000..69524db6cac --- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch @@ -0,0 +1,40 @@ +From a598202ebd88a757affc3747f737ecce1bfee97b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 13:09:24 +0100 +Subject: wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for + non-uploaded sta + +From: Felix Fietkau + +[ Upstream commit 12b220a6171faf10638ab683a975cadcf1a352d6 ] + +Avoid potential data corruption issues caused by uninitialized driver +private data structures. + +Reported-by: Brian Coverstone +Fixes: 6a9d1b91f34d ("mac80211: add pre-RCU-sync sta removal driver operation") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230324120924.38412-3-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 14db465289c53..e10bcfa20526d 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1036,7 +1036,8 @@ static int __must_check __sta_info_destroy_part1(struct sta_info *sta) + list_del_rcu(&sta->list); + sta->removed = true; + +- drv_sta_pre_rcu_remove(local, sta->sdata, sta); ++ if (sta->uploaded) ++ drv_sta_pre_rcu_remove(local, sta->sdata, sta); + + if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN && + rcu_access_pointer(sdata->u.vlan.sta) == sta) +-- +2.39.2 +