From: Sasha Levin Date: Mon, 26 Feb 2024 22:21:32 +0000 (-0500) Subject: Fixes for 6.7 X-Git-Tag: v4.19.308~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1311f26f23327f6e782597d2a7e50d0293a1b1d9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.7 Signed-off-by: Sasha Levin --- diff --git a/queue-6.7/afs-increase-buffer-size-in-afs_update_volume_status.patch b/queue-6.7/afs-increase-buffer-size-in-afs_update_volume_status.patch new file mode 100644 index 00000000000..245b7c992e1 --- /dev/null +++ b/queue-6.7/afs-increase-buffer-size-in-afs_update_volume_status.patch @@ -0,0 +1,53 @@ +From 5f91c2a170d8198d1971d66f05733ec770dae380 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 14:39:03 +0000 +Subject: afs: Increase buffer size in afs_update_volume_status() + +From: Daniil Dulov + +[ Upstream commit 6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d ] + +The max length of volume->vid value is 20 characters. +So increase idbuf[] size up to 24 to avoid overflow. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()] + +Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") +Signed-off-by: Daniil Dulov +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20240211150442.3416-1-d.dulov@aladdin.ru/ # v1 +Link: https://lore.kernel.org/r/20240212083347.10742-1-d.dulov@aladdin.ru/ # v2 +Link: https://lore.kernel.org/r/20240219143906.138346-3-dhowells@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/volume.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/volume.c b/fs/afs/volume.c +index 115c081a8e2ce..c028598a903c9 100644 +--- a/fs/afs/volume.c ++++ b/fs/afs/volume.c +@@ -337,7 +337,7 @@ static int afs_update_volume_status(struct afs_volume *volume, struct key *key) + { + struct afs_server_list *new, *old, *discard; + struct afs_vldb_entry *vldb; +- char idbuf[16]; ++ char idbuf[24]; + int ret, idsz; + + _enter(""); +@@ -345,7 +345,7 @@ static int afs_update_volume_status(struct afs_volume *volume, struct key *key) + /* We look up an ID by passing it as a decimal string in the + * operation's name parameter. + */ +- idsz = sprintf(idbuf, "%llu", volume->vid); ++ idsz = snprintf(idbuf, sizeof(idbuf), "%llu", volume->vid); + + vldb = afs_vl_lookup_vldb(volume->cell, key, idbuf, idsz); + if (IS_ERR(vldb)) { +-- +2.43.0 + diff --git a/queue-6.7/arm64-dts-imx8mp-disable-uart4-by-default-on-data-mo.patch b/queue-6.7/arm64-dts-imx8mp-disable-uart4-by-default-on-data-mo.patch new file mode 100644 index 00000000000..d6c05c175a9 --- /dev/null +++ b/queue-6.7/arm64-dts-imx8mp-disable-uart4-by-default-on-data-mo.patch @@ -0,0 +1,41 @@ +From 52b293712fadc75aa344caaeda59234c0f41f913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 01:02:42 +0100 +Subject: arm64: dts: imx8mp: Disable UART4 by default on Data Modul i.MX8M + Plus eDM SBC + +From: Marek Vasut + +[ Upstream commit f03869698bc3bd6d9d2d9f216b20da08a8c2508a ] + +UART4 is used as CM7 coprocessor debug UART and may not be accessible from +Linux in case it is protected by RDC. The RDC protection is set up by the +platform firmware. UART4 is not used on this platform by Linux. Disable +UART4 by default to prevent boot hangs, which occur when the RDC protection +is in place. 
+ +Fixes: 562d222f23f0 ("arm64: dts: imx8mp: Add support for Data Modul i.MX8M Plus eDM SBC") +Signed-off-by: Marek Vasut +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts +index d98a040860a48..5828c9d7821de 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts +@@ -486,7 +486,7 @@ + &uart4 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_uart4>; +- status = "okay"; ++ status = "disabled"; + }; + + &usb3_phy0 { +-- +2.43.0 + diff --git a/queue-6.7/arm64-dts-rockchip-correct-indiedroid-nova-gpio-name.patch b/queue-6.7/arm64-dts-rockchip-correct-indiedroid-nova-gpio-name.patch new file mode 100644 index 00000000000..f94d35d8ce8 --- /dev/null +++ b/queue-6.7/arm64-dts-rockchip-correct-indiedroid-nova-gpio-name.patch @@ -0,0 +1,61 @@ +From f9c55441f6cdff9d68c197a68819f841530bdad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 14:19:42 -0600 +Subject: arm64: dts: rockchip: Correct Indiedroid Nova GPIO Names + +From: Chris Morgan + +[ Upstream commit c22d03a95b0d815cd186302fdd93f74d99f1c914 ] + +Correct the names given to a few of the GPIO pins. The original names +were unknowingly based on the header from a pre-production board. The +production board has a slightly different pin assignment for the 40-pin +GPIO header. + +Fixes: 3900160e164b ("arm64: dts: rockchip: Add Indiedroid Nova board") +Signed-off-by: Chris Morgan +Link: https://lore.kernel.org/r/20240125201943.90476-2-macroalpha82@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + .../boot/dts/rockchip/rk3588s-indiedroid-nova.dts | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3588s-indiedroid-nova.dts b/arch/arm64/boot/dts/rockchip/rk3588s-indiedroid-nova.dts +index 60f00ceb630e1..3b675fd0c5ea5 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3588s-indiedroid-nova.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3588s-indiedroid-nova.dts +@@ -196,13 +196,13 @@ + + &gpio1 { + gpio-line-names = /* GPIO1 A0-A7 */ +- "HEADER_27_3v3", "HEADER_28_3v3", "", "", ++ "HEADER_27_3v3", "", "", "", + "HEADER_29_1v8", "", "HEADER_7_1v8", "", + /* GPIO1 B0-B7 */ + "", "HEADER_31_1v8", "HEADER_33_1v8", "", + "HEADER_11_1v8", "HEADER_13_1v8", "", "", + /* GPIO1 C0-C7 */ +- "", "", "", "", ++ "", "HEADER_28_3v3", "", "", + "", "", "", "", + /* GPIO1 D0-D7 */ + "", "", "", "", +@@ -226,11 +226,11 @@ + + &gpio4 { + gpio-line-names = /* GPIO4 A0-A7 */ +- "", "", "HEADER_37_3v3", "HEADER_32_3v3", +- "HEADER_36_3v3", "", "HEADER_35_3v3", "HEADER_38_3v3", ++ "", "", "HEADER_37_3v3", "HEADER_8_3v3", ++ "HEADER_10_3v3", "", "HEADER_32_3v3", "HEADER_35_3v3", + /* GPIO4 B0-B7 */ + "", "", "", "HEADER_40_3v3", +- "HEADER_8_3v3", "HEADER_10_3v3", "", "", ++ "HEADER_38_3v3", "HEADER_36_3v3", "", "", + /* GPIO4 C0-C7 */ + "", "", "", "", + "", "", "", "", +-- +2.43.0 + diff --git a/queue-6.7/arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch b/queue-6.7/arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch new file mode 100644 index 00000000000..c46119e52d1 --- /dev/null +++ b/queue-6.7/arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch @@ -0,0 +1,50 @@ +From 
2ce4f0336025fadb1abad8c10ab5f99ca8cea225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 11:16:56 +0100 +Subject: arm64: dts: rockchip: set num-cs property for spi on px30 + +From: Heiko Stuebner + +[ Upstream commit 334bf0710c98d391f4067b72f535d6c4c84dfb6f ] + +The px30 has two spi controllers with two chip-selects each. +The num-cs property is specified as the total number of chip +selects a controllers has and is used since 2020 to find uses +of chipselects outside that range in the Rockchip spi driver. + +Without the property set, the default is 1, so spi devices +using the second chipselect will not be created. + +Fixes: eb1262e3cc8b ("spi: spi-rockchip: use num-cs property and ctlr->enable_gpiods") +Signed-off-by: Heiko Stuebner +Reviewed-by: Quentin Schulz +Link: https://lore.kernel.org/r/20240119101656.965744-1-heiko@sntech.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/px30.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/rockchip/px30.dtsi b/arch/arm64/boot/dts/rockchip/px30.dtsi +index 42ce78beb4134..20955556b624d 100644 +--- a/arch/arm64/boot/dts/rockchip/px30.dtsi ++++ b/arch/arm64/boot/dts/rockchip/px30.dtsi +@@ -632,6 +632,7 @@ + clock-names = "spiclk", "apb_pclk"; + dmas = <&dmac 12>, <&dmac 13>; + dma-names = "tx", "rx"; ++ num-cs = <2>; + pinctrl-names = "default"; + pinctrl-0 = <&spi0_clk &spi0_csn &spi0_miso &spi0_mosi>; + #address-cells = <1>; +@@ -647,6 +648,7 @@ + clock-names = "spiclk", "apb_pclk"; + dmas = <&dmac 14>, <&dmac 15>; + dma-names = "tx", "rx"; ++ num-cs = <2>; + pinctrl-names = "default"; + pinctrl-0 = <&spi1_clk &spi1_csn0 &spi1_csn1 &spi1_miso &spi1_mosi>; + #address-cells = <1>; +-- +2.43.0 + diff --git a/queue-6.7/arm64-dts-tqma8mpql-fix-audio-codec-iov-supply.patch b/queue-6.7/arm64-dts-tqma8mpql-fix-audio-codec-iov-supply.patch new file mode 100644 index 00000000000..c96ebffe880 --- /dev/null +++ b/queue-6.7/arm64-dts-tqma8mpql-fix-audio-codec-iov-supply.patch @@ -0,0 +1,49 @@ +From f5e76cf0646cb8fd9416ed9a7507209e868b30b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jan 2024 10:08:49 +0100 +Subject: arm64: dts: tqma8mpql: fix audio codec iov-supply + +From: Alexander Stein + +[ Upstream commit a620a7f2ae8b08c5beea6369f61e87064ee222dc ] + +IOVDD is supplied by 1.8V, fix the referenced regulator. 
+ +Fixes: d8f9d8126582d ("arm64: dts: imx8mp: Add analog audio output on i.MX8MP TQMa8MPxL/MBa8MPxL") +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + .../boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts b/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts +index 4240e20d38ac3..258e90cc16ff3 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts +@@ -168,6 +168,13 @@ + enable-active-high; + }; + ++ reg_vcc_1v8: regulator-1v8 { ++ compatible = "regulator-fixed"; ++ regulator-name = "VCC_1V8"; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ }; ++ + reg_vcc_3v3: regulator-3v3 { + compatible = "regulator-fixed"; + regulator-name = "VCC_3V3"; +@@ -464,7 +471,7 @@ + clock-names = "mclk"; + clocks = <&audio_blk_ctrl IMX8MP_CLK_AUDIOMIX_SAI3_MCLK1>; + reset-gpios = <&gpio4 29 GPIO_ACTIVE_LOW>; +- iov-supply = <®_vcc_3v3>; ++ iov-supply = <®_vcc_1v8>; + ldoin-supply = <®_vcc_3v3>; + }; + +-- +2.43.0 + diff --git a/queue-6.7/arm64-sme-restore-smcr_el1.ezt0-on-exit-from-suspend.patch b/queue-6.7/arm64-sme-restore-smcr_el1.ezt0-on-exit-from-suspend.patch new file mode 100644 index 00000000000..ec210a78b6d --- /dev/null +++ b/queue-6.7/arm64-sme-restore-smcr_el1.ezt0-on-exit-from-suspend.patch @@ -0,0 +1,40 @@ +From 2bf244b2048228c3bd9565174f5ba4499e601196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 23:06:33 +0000 +Subject: arm64/sme: Restore SMCR_EL1.EZT0 on exit from suspend + +From: Mark Brown + +[ Upstream commit d7b77a0d565b048cb0808fa8a4fb031352b22a01 ] + +The fields in SMCR_EL1 reset to an architecturally UNKNOWN value. Since we +do not otherwise manage the traps configured in this register at runtime we +need to reconfigure them after a suspend in case nothing else was kind +enough to preserve them for us. Do so for SMCR_EL1.EZT0. + +Fixes: d4913eee152d ("arm64/sme: Add basic enumeration for SME2") +Reported-by: Jackson Cooper-Driver +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20240213-arm64-sme-resume-v3-2-17e05e493471@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index db1eba8d5f66d..0898ac9979045 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1348,6 +1348,8 @@ void sme_suspend_exit(void) + + if (system_supports_fa64()) + smcr |= SMCR_ELx_FA64; ++ if (system_supports_sme2()) ++ smcr |= SMCR_ELx_EZT0; + + write_sysreg_s(smcr, SYS_SMCR_EL1); + write_sysreg_s(0, SYS_SMPRI_EL1); +-- +2.43.0 + diff --git a/queue-6.7/arm64-sme-restore-sme-registers-on-exit-from-suspend.patch b/queue-6.7/arm64-sme-restore-sme-registers-on-exit-from-suspend.patch new file mode 100644 index 00000000000..8e10750ad6c --- /dev/null +++ b/queue-6.7/arm64-sme-restore-sme-registers-on-exit-from-suspend.patch @@ -0,0 +1,98 @@ +From 05924b634b03e31a0a1740200ef8ca68cad6bd94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 23:06:32 +0000 +Subject: arm64/sme: Restore SME registers on exit from suspend + +From: Mark Brown + +[ Upstream commit 9533864816fb4a6207c63b7a98396351ce1a9fae ] + +The fields in SMCR_EL1 and SMPRI_EL1 reset to an architecturally UNKNOWN +value. 
Since we do not otherwise manage the traps configured in this +register at runtime we need to reconfigure them after a suspend in case +nothing else was kind enough to preserve them for us. + +The vector length will be restored as part of restoring the SME state for +the next SME using task. + +Fixes: a1f4ccd25cc2 ("arm64/sme: Provide Kconfig for SME") +Reported-by: Jackson Cooper-Driver +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20240213-arm64-sme-resume-v3-1-17e05e493471@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/fpsimd.h | 2 ++ + arch/arm64/kernel/fpsimd.c | 14 ++++++++++++++ + arch/arm64/kernel/suspend.c | 3 +++ + 3 files changed, 19 insertions(+) + +diff --git a/arch/arm64/include/asm/fpsimd.h b/arch/arm64/include/asm/fpsimd.h +index 50e5f25d3024c..7780d343ef080 100644 +--- a/arch/arm64/include/asm/fpsimd.h ++++ b/arch/arm64/include/asm/fpsimd.h +@@ -386,6 +386,7 @@ extern void sme_alloc(struct task_struct *task, bool flush); + extern unsigned int sme_get_vl(void); + extern int sme_set_current_vl(unsigned long arg); + extern int sme_get_current_vl(void); ++extern void sme_suspend_exit(void); + + /* + * Return how many bytes of memory are required to store the full SME +@@ -421,6 +422,7 @@ static inline int sme_max_vl(void) { return 0; } + static inline int sme_max_virtualisable_vl(void) { return 0; } + static inline int sme_set_current_vl(unsigned long arg) { return -EINVAL; } + static inline int sme_get_current_vl(void) { return -EINVAL; } ++static inline void sme_suspend_exit(void) { } + + static inline size_t sme_state_size(struct task_struct const *task) + { +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index f7d8f5d81cfe9..db1eba8d5f66d 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1339,6 +1339,20 @@ void __init sme_setup(void) + get_sme_default_vl()); + } + ++void sme_suspend_exit(void) ++{ ++ u64 smcr = 0; ++ ++ if (!system_supports_sme()) ++ return; ++ ++ if (system_supports_fa64()) ++ smcr |= SMCR_ELx_FA64; ++ ++ write_sysreg_s(smcr, SYS_SMCR_EL1); ++ write_sysreg_s(0, SYS_SMPRI_EL1); ++} ++ + #endif /* CONFIG_ARM64_SME */ + + static void sve_init_regs(void) +diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c +index eca4d04352118..eaaff94329cdd 100644 +--- a/arch/arm64/kernel/suspend.c ++++ b/arch/arm64/kernel/suspend.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -80,6 +81,8 @@ void notrace __cpu_suspend_exit(void) + */ + spectre_v4_enable_mitigation(NULL); + ++ sme_suspend_exit(); ++ + /* Restore additional feature-specific configuration */ + ptrauth_suspend_exit(); + } +-- +2.43.0 + diff --git a/queue-6.7/arp-prevent-overflow-in-arp_req_get.patch b/queue-6.7/arp-prevent-overflow-in-arp_req_get.patch new file mode 100644 index 00000000000..7d55f96619c --- /dev/null +++ b/queue-6.7/arp-prevent-overflow-in-arp_req_get.patch @@ -0,0 +1,101 @@ +From b0ef979a5c7ae41636d6456ea71522439aecb16f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 15:05:16 -0800 +Subject: arp: Prevent overflow in arp_req_get(). + +From: Kuniyuki Iwashima + +[ Upstream commit a7d6027790acea24446ddd6632d394096c0f4667 ] + +syzkaller reported an overflown write in arp_req_get(). [0] + +When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour +entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. 
+ +The arp_ha here is struct sockaddr, not struct sockaddr_storage, so +the sa_data buffer is just 14 bytes. + +In the splat below, 2 bytes are overflown to the next int field, +arp_flags. We initialise the field just after the memcpy(), so it's +not a problem. + +However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), +arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) +in arp_ioctl() before calling arp_req_get(). + +To avoid the overflow, let's limit the max length of memcpy(). + +Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible +array in struct sockaddr") just silenced syzkaller. + +[0]: +memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) +WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 +Modules linked in: +CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 +RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 +Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 +RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 +RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 +R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 +FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 + inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 + sock_do_ioctl+0xdf/0x260 net/socket.c:1204 + sock_ioctl+0x3ef/0x650 net/socket.c:1321 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x64/0xce +RIP: 0033:0x7f172b262b8d +Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d +RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 +RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 + + +Reported-by: syzkaller +Reported-by: Bjoern Doebel +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240215230516.31330-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/arp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c 
+index 9456f5bb35e5d..0d0d725b46ad0 100644 +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -1125,7 +1125,8 @@ static int arp_req_get(struct arpreq *r, struct net_device *dev) + if (neigh) { + if (!(READ_ONCE(neigh->nud_state) & NUD_NOARP)) { + read_lock_bh(&neigh->lock); +- memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len); ++ memcpy(r->arp_ha.sa_data, neigh->ha, ++ min(dev->addr_len, sizeof(r->arp_ha.sa_data_min))); + r->arp_flags = arp_state_to_flags(neigh); + read_unlock_bh(&neigh->lock); + r->arp_ha.sa_family = dev->type; +-- +2.43.0 + diff --git a/queue-6.7/ata-ahci_ceva-fix-error-handling-for-xilinx-gt-phy-s.patch b/queue-6.7/ata-ahci_ceva-fix-error-handling-for-xilinx-gt-phy-s.patch new file mode 100644 index 00000000000..d9571420877 --- /dev/null +++ b/queue-6.7/ata-ahci_ceva-fix-error-handling-for-xilinx-gt-phy-s.patch @@ -0,0 +1,245 @@ +From 04d45ffe9370c1a26a9ee3f8c4d8124b15b18622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 23:44:57 +0530 +Subject: ata: ahci_ceva: fix error handling for Xilinx GT PHY support + +From: Radhey Shyam Pandey + +[ Upstream commit 26c8404e162b43dddcb037ba2d0cb58c0ed60aab ] + +Platform clock and phy error resources are not cleaned up in Xilinx GT PHY +error path. + +To fix introduce the function ceva_ahci_platform_enable_resources() which +is a customized version of ahci_platform_enable_resources() and inline with +SATA IP programming sequence it does: + +- Assert SATA reset +- Program PS GTR phy +- Bring SATA by de-asserting the reset +- Wait for GT lane PLL to be locked + +ceva_ahci_platform_enable_resources() is also used in the resume path +as the same SATA programming sequence (as in probe) should be followed. +Also cleanup the mixed usage of ahci_platform_enable_resources() and custom +implementation in the probe function as both are not required. 
+ +Fixes: 9a9d3abe24bb ("ata: ahci: ceva: Update the driver to support xilinx GT phy") +Signed-off-by: Radhey Shyam Pandey +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci_ceva.c | 125 +++++++++++++++++++++++++--------------- + 1 file changed, 79 insertions(+), 46 deletions(-) + +diff --git a/drivers/ata/ahci_ceva.c b/drivers/ata/ahci_ceva.c +index 64f7f7d6ba84e..11a2c199a7c24 100644 +--- a/drivers/ata/ahci_ceva.c ++++ b/drivers/ata/ahci_ceva.c +@@ -88,7 +88,6 @@ struct ceva_ahci_priv { + u32 axicc; + bool is_cci_enabled; + int flags; +- struct reset_control *rst; + }; + + static unsigned int ceva_ahci_read_id(struct ata_device *dev, +@@ -189,6 +188,60 @@ static const struct scsi_host_template ahci_platform_sht = { + AHCI_SHT(DRV_NAME), + }; + ++static int ceva_ahci_platform_enable_resources(struct ahci_host_priv *hpriv) ++{ ++ int rc, i; ++ ++ rc = ahci_platform_enable_regulators(hpriv); ++ if (rc) ++ return rc; ++ ++ rc = ahci_platform_enable_clks(hpriv); ++ if (rc) ++ goto disable_regulator; ++ ++ /* Assert the controller reset */ ++ rc = ahci_platform_assert_rsts(hpriv); ++ if (rc) ++ goto disable_clks; ++ ++ for (i = 0; i < hpriv->nports; i++) { ++ rc = phy_init(hpriv->phys[i]); ++ if (rc) ++ goto disable_rsts; ++ } ++ ++ /* De-assert the controller reset */ ++ ahci_platform_deassert_rsts(hpriv); ++ ++ for (i = 0; i < hpriv->nports; i++) { ++ rc = phy_power_on(hpriv->phys[i]); ++ if (rc) { ++ phy_exit(hpriv->phys[i]); ++ goto disable_phys; ++ } ++ } ++ ++ return 0; ++ ++disable_rsts: ++ ahci_platform_deassert_rsts(hpriv); ++ ++disable_phys: ++ while (--i >= 0) { ++ phy_power_off(hpriv->phys[i]); ++ phy_exit(hpriv->phys[i]); ++ } ++ ++disable_clks: ++ ahci_platform_disable_clks(hpriv); ++ ++disable_regulator: ++ ahci_platform_disable_regulators(hpriv); ++ ++ return rc; ++} ++ + static int ceva_ahci_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; +@@ -203,47 +256,19 @@ static int ceva_ahci_probe(struct platform_device *pdev) + return -ENOMEM; + + cevapriv->ahci_pdev = pdev; +- +- cevapriv->rst = devm_reset_control_get_optional_exclusive(&pdev->dev, +- NULL); +- if (IS_ERR(cevapriv->rst)) +- dev_err_probe(&pdev->dev, PTR_ERR(cevapriv->rst), +- "failed to get reset\n"); +- + hpriv = ahci_platform_get_resources(pdev, 0); + if (IS_ERR(hpriv)) + return PTR_ERR(hpriv); + +- if (!cevapriv->rst) { +- rc = ahci_platform_enable_resources(hpriv); +- if (rc) +- return rc; +- } else { +- int i; ++ hpriv->rsts = devm_reset_control_get_optional_exclusive(&pdev->dev, ++ NULL); ++ if (IS_ERR(hpriv->rsts)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(hpriv->rsts), ++ "failed to get reset\n"); + +- rc = ahci_platform_enable_clks(hpriv); +- if (rc) +- return rc; +- /* Assert the controller reset */ +- reset_control_assert(cevapriv->rst); +- +- for (i = 0; i < hpriv->nports; i++) { +- rc = phy_init(hpriv->phys[i]); +- if (rc) +- return rc; +- } +- +- /* De-assert the controller reset */ +- reset_control_deassert(cevapriv->rst); +- +- for (i = 0; i < hpriv->nports; i++) { +- rc = phy_power_on(hpriv->phys[i]); +- if (rc) { +- phy_exit(hpriv->phys[i]); +- return rc; +- } +- } +- } ++ rc = ceva_ahci_platform_enable_resources(hpriv); ++ if (rc) ++ return rc; + + if (of_property_read_bool(np, "ceva,broken-gen2")) + cevapriv->flags = CEVA_FLAG_BROKEN_GEN2; +@@ -252,52 +277,60 @@ static int ceva_ahci_probe(struct platform_device *pdev) + if (of_property_read_u8_array(np, "ceva,p0-cominit-params", + (u8 
*)&cevapriv->pp2c[0], 4) < 0) { + dev_warn(dev, "ceva,p0-cominit-params property not defined\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto disable_resources; + } + + if (of_property_read_u8_array(np, "ceva,p1-cominit-params", + (u8 *)&cevapriv->pp2c[1], 4) < 0) { + dev_warn(dev, "ceva,p1-cominit-params property not defined\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto disable_resources; + } + + /* Read OOB timing value for COMWAKE from device-tree*/ + if (of_property_read_u8_array(np, "ceva,p0-comwake-params", + (u8 *)&cevapriv->pp3c[0], 4) < 0) { + dev_warn(dev, "ceva,p0-comwake-params property not defined\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto disable_resources; + } + + if (of_property_read_u8_array(np, "ceva,p1-comwake-params", + (u8 *)&cevapriv->pp3c[1], 4) < 0) { + dev_warn(dev, "ceva,p1-comwake-params property not defined\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto disable_resources; + } + + /* Read phy BURST timing value from device-tree */ + if (of_property_read_u8_array(np, "ceva,p0-burst-params", + (u8 *)&cevapriv->pp4c[0], 4) < 0) { + dev_warn(dev, "ceva,p0-burst-params property not defined\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto disable_resources; + } + + if (of_property_read_u8_array(np, "ceva,p1-burst-params", + (u8 *)&cevapriv->pp4c[1], 4) < 0) { + dev_warn(dev, "ceva,p1-burst-params property not defined\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto disable_resources; + } + + /* Read phy RETRY interval timing value from device-tree */ + if (of_property_read_u16_array(np, "ceva,p0-retry-params", + (u16 *)&cevapriv->pp5c[0], 2) < 0) { + dev_warn(dev, "ceva,p0-retry-params property not defined\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto disable_resources; + } + + if (of_property_read_u16_array(np, "ceva,p1-retry-params", + (u16 *)&cevapriv->pp5c[1], 2) < 0) { + dev_warn(dev, "ceva,p1-retry-params property not defined\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto disable_resources; + } + + /* +@@ -335,7 +368,7 @@ static int __maybe_unused ceva_ahci_resume(struct device *dev) + struct ahci_host_priv *hpriv = host->private_data; + int rc; + +- rc = ahci_platform_enable_resources(hpriv); ++ rc = ceva_ahci_platform_enable_resources(hpriv); + if (rc) + return rc; + +-- +2.43.0 + diff --git a/queue-6.7/bpf-fix-racing-between-bpf_timer_cancel_and_free-and.patch b/queue-6.7/bpf-fix-racing-between-bpf_timer_cancel_and_free-and.patch new file mode 100644 index 00000000000..d1b647c908a --- /dev/null +++ b/queue-6.7/bpf-fix-racing-between-bpf_timer_cancel_and_free-and.patch @@ -0,0 +1,98 @@ +From a424d2388cd5e2a142884fce99584001ac88c6cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 13:12:17 -0800 +Subject: bpf: Fix racing between bpf_timer_cancel_and_free and + bpf_timer_cancel + +From: Martin KaFai Lau + +[ Upstream commit 0281b919e175bb9c3128bd3872ac2903e9436e3f ] + +The following race is possible between bpf_timer_cancel_and_free +and bpf_timer_cancel. It will lead a UAF on the timer->timer. + +bpf_timer_cancel(); + spin_lock(); + t = timer->time; + spin_unlock(); + + bpf_timer_cancel_and_free(); + spin_lock(); + t = timer->timer; + timer->timer = NULL; + spin_unlock(); + hrtimer_cancel(&t->timer); + kfree(t); + + /* UAF on t */ + hrtimer_cancel(&t->timer); + +In bpf_timer_cancel_and_free, this patch frees the timer->timer +after a rcu grace period. This requires a rcu_head addition +to the "struct bpf_hrtimer". 
Another kfree(t) happens in bpf_timer_init, +this does not need a kfree_rcu because it is still under the +spin_lock and timer->timer has not been visible by others yet. + +In bpf_timer_cancel, rcu_read_lock() is added because this helper +can be used in a non rcu critical section context (e.g. from +a sleepable bpf prog). Other timer->timer usages in helpers.c +have been audited, bpf_timer_cancel() is the only place where +timer->timer is used outside of the spin_lock. + +Another solution considered is to mark a t->flag in bpf_timer_cancel +and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, +it busy waits for the flag to be cleared before kfree(t). This patch +goes with a straight forward solution and frees timer->timer after +a rcu grace period. + +Fixes: b00628b1c7d5 ("bpf: Introduce bpf timers.") +Suggested-by: Alexei Starovoitov +Signed-off-by: Martin KaFai Lau +Signed-off-by: Daniel Borkmann +Acked-by: Hou Tao +Link: https://lore.kernel.org/bpf/20240215211218.990808-1-martin.lau@linux.dev +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index b3053af6427d2..ce4729ef1ad2d 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -1101,6 +1101,7 @@ struct bpf_hrtimer { + struct bpf_prog *prog; + void __rcu *callback_fn; + void *value; ++ struct rcu_head rcu; + }; + + /* the actual struct hidden inside uapi struct bpf_timer */ +@@ -1332,6 +1333,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer) + + if (in_nmi()) + return -EOPNOTSUPP; ++ rcu_read_lock(); + __bpf_spin_lock_irqsave(&timer->lock); + t = timer->timer; + if (!t) { +@@ -1353,6 +1355,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer) + * if it was running. + */ + ret = ret ?: hrtimer_cancel(&t->timer); ++ rcu_read_unlock(); + return ret; + } + +@@ -1407,7 +1410,7 @@ void bpf_timer_cancel_and_free(void *val) + */ + if (this_cpu_read(hrtimer_running) != t) + hrtimer_cancel(&t->timer); +- kfree(t); ++ kfree_rcu(t, rcu); + } + + BPF_CALL_2(bpf_kptr_xchg, void *, map_value, void *, ptr) +-- +2.43.0 + diff --git a/queue-6.7/bpf-scripts-correct-gpl-license-name.patch b/queue-6.7/bpf-scripts-correct-gpl-license-name.patch new file mode 100644 index 00000000000..05b69ae398b --- /dev/null +++ b/queue-6.7/bpf-scripts-correct-gpl-license-name.patch @@ -0,0 +1,41 @@ +From f0278fbd5fc4b5bbf96276fc3f031fae0141429b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 23:05:46 +0000 +Subject: bpf, scripts: Correct GPL license name + +From: Gianmarco Lusvardi + +[ Upstream commit e37243b65d528a8a9f8b9a57a43885f8e8dfc15c ] + +The bpf_doc script refers to the GPL as the "GNU Privacy License". +I strongly suspect that the author wanted to refer to the GNU General +Public License, under which the Linux kernel is released, as, to the +best of my knowledge, there is no license named "GNU Privacy License". +This patch corrects the license name in the script accordingly. 
+ +Fixes: 56a092c89505 ("bpf: add script and prepare bpf.h for new helpers documentation") +Signed-off-by: Gianmarco Lusvardi +Signed-off-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20240213230544.930018-3-glusvardi@posteo.net +Signed-off-by: Sasha Levin +--- + scripts/bpf_doc.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/bpf_doc.py b/scripts/bpf_doc.py +index 61b7dddedc461..0669bac5e900e 100755 +--- a/scripts/bpf_doc.py ++++ b/scripts/bpf_doc.py +@@ -513,7 +513,7 @@ eBPF programs can have an associated license, passed along with the bytecode + instructions to the kernel when the programs are loaded. The format for that + string is identical to the one in use for kernel modules (Dual licenses, such + as "Dual BSD/GPL", may be used). Some helper functions are only accessible to +-programs that are compatible with the GNU Privacy License (GPL). ++programs that are compatible with the GNU General Public License (GNU GPL). + + In order to use such helpers, the eBPF program must be loaded with the correct + license string passed (via **attr**) to the **bpf**\\ () system call, and this +-- +2.43.0 + diff --git a/queue-6.7/bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch b/queue-6.7/bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch new file mode 100644 index 00000000000..53f70a6beb5 --- /dev/null +++ b/queue-6.7/bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch @@ -0,0 +1,69 @@ +From 9d0036756521a986adc9fec05139696ee5712081 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 00:09:33 +0900 +Subject: bpf, sockmap: Fix NULL pointer dereference in + sk_psock_verdict_data_ready() + +From: Shigeru Yoshida + +[ Upstream commit 4cd12c6065dfcdeba10f49949bffcf383b3952d8 ] + +syzbot reported the following NULL pointer dereference issue [1]: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + [...] + RIP: 0010:0x0 + [...] + Call Trace: + + sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230 + unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 + ___sys_sendmsg net/socket.c:2638 [inline] + __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 + do_syscall_64+0xf9/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 + +If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called +concurrently, psock->saved_data_ready can be NULL, causing the above issue. + +This patch fixes this issue by calling the appropriate data ready function +using the sk_psock_data_ready() helper and protecting it from concurrency +with sk->sk_callback_lock. 
+ +Fixes: 6df7f764cd3c ("bpf, sockmap: Wake up polling after data copy") +Reported-by: syzbot+fd7b34375c1c8ce29c93@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Daniel Borkmann +Tested-by: syzbot+fd7b34375c1c8ce29c93@syzkaller.appspotmail.com +Acked-by: John Fastabend +Closes: https://syzkaller.appspot.com/bug?extid=fd7b34375c1c8ce29c93 [1] +Link: https://lore.kernel.org/bpf/20240218150933.6004-1-syoshida@redhat.com +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 93ecfceac1bc4..4d75ef9d24bfa 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -1226,8 +1226,11 @@ static void sk_psock_verdict_data_ready(struct sock *sk) + + rcu_read_lock(); + psock = sk_psock(sk); +- if (psock) +- psock->saved_data_ready(sk); ++ if (psock) { ++ read_lock_bh(&sk->sk_callback_lock); ++ sk_psock_data_ready(sk, psock); ++ read_unlock_bh(&sk->sk_callback_lock); ++ } + rcu_read_unlock(); + } + } +-- +2.43.0 + diff --git a/queue-6.7/bus-imx-weim-fix-valid-range-check.patch b/queue-6.7/bus-imx-weim-fix-valid-range-check.patch new file mode 100644 index 00000000000..4234aa3e482 --- /dev/null +++ b/queue-6.7/bus-imx-weim-fix-valid-range-check.patch @@ -0,0 +1,39 @@ +From 8ee80014b967fcb5f8f61c55acc3f7cbe124b46c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 19:50:26 +0100 +Subject: bus: imx-weim: fix valid range check + +From: Lucas Stach + +[ Upstream commit 7bca405c986075c99b9f729d3587b5c45db39d01 ] + +When the range parsing was open-coded the number of u32 entries to +parse had to be a multiple of 4 and the driver checks this. With +the range parsing converted to the range parser the counting changes +from individual u32 entries to a complete range, so the check must +not reject counts not divisible by 4. + +Fixes: 2a88e4792c6d ("bus: imx-weim: Remove open coded "ranges" parsing") +Signed-off-by: Lucas Stach +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/bus/imx-weim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bus/imx-weim.c b/drivers/bus/imx-weim.c +index 42c9386a7b423..f9fd1582f150d 100644 +--- a/drivers/bus/imx-weim.c ++++ b/drivers/bus/imx-weim.c +@@ -117,7 +117,7 @@ static int imx_weim_gpr_setup(struct platform_device *pdev) + i++; + } + +- if (i == 0 || i % 4) ++ if (i == 0) + goto err; + + for (i = 0; i < ARRAY_SIZE(gprvals); i++) { +-- +2.43.0 + diff --git a/queue-6.7/cache-ax45mp_cache-align-end-size-to-cache-boundary-.patch b/queue-6.7/cache-ax45mp_cache-align-end-size-to-cache-boundary-.patch new file mode 100644 index 00000000000..35e1f182658 --- /dev/null +++ b/queue-6.7/cache-ax45mp_cache-align-end-size-to-cache-boundary-.patch @@ -0,0 +1,45 @@ +From 43bd2c62193011ac9cee4f613eef26aabd5eb54c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 21:26:40 +0000 +Subject: cache: ax45mp_cache: Align end size to cache boundary in + ax45mp_dma_cache_wback() + +From: Lad Prabhakar + +[ Upstream commit 9bd405c48b0ac4de087c0c4440fd79597201b8a7 ] + +Align the end size to cache boundary size in ax45mp_dma_cache_wback() +callback likewise done in ax45mp_dma_cache_inv() callback. + +Additionally return early in case of start == end. 
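For illustration only -- the following sketch is not part of the patch below. The alignment described above rounds the start address down and the end address up to the cache-line size, so both partially covered lines are written back, and the empty range is skipped. A minimal stand-alone C sketch of that arithmetic, assuming a 64-byte line size for the example:

#include <stdint.h>
#include <stdio.h>

/* Round a [start, end) byte range out to cache-line boundaries. */
static void align_range(uintptr_t *start, uintptr_t *end, uintptr_t line)
{
	*start &= ~(line - 1);                    /* round start down */
	*end = (*end + line - 1) & ~(line - 1);   /* round end up */
}

int main(void)
{
	uintptr_t start = 0x1010, end = 0x1058, line = 64;

	if (start == end)          /* empty range: nothing to write back */
		return 0;

	align_range(&start, &end, line);
	printf("0x%lx - 0x%lx\n", (unsigned long)start, (unsigned long)end);
	/* prints 0x1000 - 0x1080: both partially covered lines are included */
	return 0;
}
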
+ +Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core") +Reported-by: Pavel Machek +Link: https://lore.kernel.org/cip-dev/ZYsdKDiw7G+kxQ3m@duo.ucw.cz/ +Signed-off-by: Lad Prabhakar +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/cache/ax45mp_cache.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c +index 57186c58dc849..1d7dd3d2c101c 100644 +--- a/drivers/cache/ax45mp_cache.c ++++ b/drivers/cache/ax45mp_cache.c +@@ -129,8 +129,12 @@ static void ax45mp_dma_cache_wback(phys_addr_t paddr, size_t size) + unsigned long line_size; + unsigned long flags; + ++ if (unlikely(start == end)) ++ return; ++ + line_size = ax45mp_priv.ax45mp_cache_line_size; + start = start & (~(line_size - 1)); ++ end = ((end + line_size - 1) & (~(line_size - 1))); + local_irq_save(flags); + ax45mp_cpu_dcache_wb_range(start, end); + local_irq_restore(flags); +-- +2.43.0 + diff --git a/queue-6.7/dccp-tcp-unhash-sk-from-ehash-for-tb2-alloc-failure-.patch b/queue-6.7/dccp-tcp-unhash-sk-from-ehash-for-tb2-alloc-failure-.patch new file mode 100644 index 00000000000..42e08c4722f --- /dev/null +++ b/queue-6.7/dccp-tcp-unhash-sk-from-ehash-for-tb2-alloc-failure-.patch @@ -0,0 +1,157 @@ +From ce71397396125ef837b800693c68686c94b8c51e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 11:13:08 -0800 +Subject: dccp/tcp: Unhash sk from ehash for tb2 alloc failure after + check_estalblished(). + +From: Kuniyuki Iwashima + +[ Upstream commit 66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f ] + +syzkaller reported a warning [0] in inet_csk_destroy_sock() with no +repro. + + WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash); + +However, the syzkaller's log hinted that connect() failed just before +the warning due to FAULT_INJECTION. [1] + +When connect() is called for an unbound socket, we search for an +available ephemeral port. If a bhash bucket exists for the port, we +call __inet_check_established() or __inet6_check_established() to check +if the bucket is reusable. + +If reusable, we add the socket into ehash and set inet_sk(sk)->inet_num. + +Later, we look up the corresponding bhash2 bucket and try to allocate +it if it does not exist. + +Although it rarely occurs in real use, if the allocation fails, we must +revert the changes by check_established(). Otherwise, an unconnected +socket could illegally occupy an ehash entry. + +Note that we do not put tw back into ehash because sk might have +already responded to a packet for tw and it would be better to free +tw earlier under such memory presure. 
+ +[0]: +WARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193) +Modules linked in: +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193) +Code: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05 +RSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40 +RDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8 +RBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000 +R10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0 +R13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000 +FS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0 +PKRU: 55555554 +Call Trace: + + ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193) + dccp_close (net/dccp/proto.c:1078) + inet_release (net/ipv4/af_inet.c:434) + __sock_release (net/socket.c:660) + sock_close (net/socket.c:1423) + __fput (fs/file_table.c:377) + __fput_sync (fs/file_table.c:462) + __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539) + do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) +RIP: 0033:0x7f03e53852bb +Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44 +RSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 +RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb +RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c +R10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000 +R13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170 + + +[1]: +FAULT_INJECTION: forcing a failure. 
+name failslab, interval 1, probability 0, space 0, times 0 +CPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) + should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) + should_failslab (mm/slub.c:3748) + kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867) + inet_bind2_bucket_create (net/ipv4/inet_hashtables.c:135) + __inet_hash_connect (net/ipv4/inet_hashtables.c:1100) + dccp_v4_connect (net/dccp/ipv4.c:116) + __inet_stream_connect (net/ipv4/af_inet.c:676) + inet_stream_connect (net/ipv4/af_inet.c:747) + __sys_connect_file (net/socket.c:2048 (discriminator 2)) + __sys_connect (net/socket.c:2065) + __x64_sys_connect (net/socket.c:2072) + do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) +RIP: 0033:0x7f03e5284e5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007f03e4641cc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f03e5284e5d +RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003 +RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 +R13: 000000000000000b R14: 00007f03e52e5530 R15: 0000000000000000 + + +Reported-by: syzkaller +Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index a532f749e4778..9456bf9e2705b 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -1131,10 +1131,33 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, + return 0; + + error: ++ if (sk_hashed(sk)) { ++ spinlock_t *lock = inet_ehash_lockp(hinfo, sk->sk_hash); ++ ++ sock_prot_inuse_add(net, sk->sk_prot, -1); ++ ++ spin_lock(lock); ++ sk_nulls_del_node_init_rcu(sk); ++ spin_unlock(lock); ++ ++ sk->sk_hash = 0; ++ inet_sk(sk)->inet_sport = 0; ++ inet_sk(sk)->inet_num = 0; ++ ++ if (tw) ++ inet_twsk_bind_unhash(tw, hinfo); ++ } ++ + spin_unlock(&head2->lock); + if (tb_created) + inet_bind_bucket_destroy(hinfo->bind_bucket_cachep, tb); +- spin_unlock_bh(&head->lock); ++ spin_unlock(&head->lock); ++ ++ if (tw) ++ inet_twsk_deschedule_put(tw); ++ ++ local_bh_enable(); ++ + return -ENOMEM; + } + +-- +2.43.0 + diff --git a/queue-6.7/devlink-fix-port-dump-cmd-type.patch b/queue-6.7/devlink-fix-port-dump-cmd-type.patch new file mode 100644 index 00000000000..a336f595682 --- /dev/null +++ b/queue-6.7/devlink-fix-port-dump-cmd-type.patch @@ -0,0 +1,49 @@ +From a35478ad29833237beb89ab48ee8a7214fb3f035 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 08:52:45 +0100 +Subject: devlink: fix port dump cmd type + +From: Jiri Pirko + +[ Upstream commit 61c43780e9444123410cd48c2483e01d2b8f75e8 ] + +Unlike other commands, due to a c&p error, port dump fills-up cmd with +wrong value, different from port-get request cmd, port-get doit reply +and port notification. + +Fix it by filling cmd with value DEVLINK_CMD_PORT_NEW. + +Skimmed through devlink userspace implementations, none of them cares +about this cmd value. Only ynl, for which, this is actually a fix, as it +expects doit and dumpit ops rsp_value to be the same. + +Omit the fixes tag, even thought this is fix, better to target this for +next release. 
+ +Fixes: bfcd3a466172 ("Introduce devlink infrastructure") +Signed-off-by: Jiri Pirko +Reviewed-by: Simon Horman +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20240220075245.75416-1-jiri@resnulli.us +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/port.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/devlink/port.c b/net/devlink/port.c +index 841a3eafa328e..d39ee6053cc7b 100644 +--- a/net/devlink/port.c ++++ b/net/devlink/port.c +@@ -581,7 +581,7 @@ devlink_nl_port_get_dump_one(struct sk_buff *msg, struct devlink *devlink, + + xa_for_each_start(&devlink->ports, port_index, devlink_port, state->idx) { + err = devlink_nl_port_fill(msg, devlink_port, +- DEVLINK_CMD_NEW, ++ DEVLINK_CMD_PORT_NEW, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, flags, + cb->extack); +-- +2.43.0 + diff --git a/queue-6.7/devlink-fix-possible-use-after-free-and-memory-leaks.patch b/queue-6.7/devlink-fix-possible-use-after-free-and-memory-leaks.patch new file mode 100644 index 00000000000..440b1945d11 --- /dev/null +++ b/queue-6.7/devlink-fix-possible-use-after-free-and-memory-leaks.patch @@ -0,0 +1,55 @@ +From c4e63d6d02938bf2630524672a22933d482dadcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 23:34:00 +0300 +Subject: devlink: fix possible use-after-free and memory leaks in + devlink_init() + +From: Vasiliy Kovalev + +[ Upstream commit def689fc26b9a9622d2e2cb0c4933dd3b1c8071c ] + +The pernet operations structure for the subsystem must be registered +before registering the generic netlink family. + +Make an unregister in case of unsuccessful registration. + +Fixes: 687125b5799c ("devlink: split out core code") +Signed-off-by: Vasiliy Kovalev +Link: https://lore.kernel.org/r/20240215203400.29976-1-kovalev@altlinux.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/devlink/core.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/devlink/core.c b/net/devlink/core.c +index cbf8560c93752..bc3d265fe2d6e 100644 +--- a/net/devlink/core.c ++++ b/net/devlink/core.c +@@ -529,14 +529,20 @@ static int __init devlink_init(void) + { + int err; + +- err = genl_register_family(&devlink_nl_family); +- if (err) +- goto out; + err = register_pernet_subsys(&devlink_pernet_ops); + if (err) + goto out; ++ err = genl_register_family(&devlink_nl_family); ++ if (err) ++ goto out_unreg_pernet_subsys; + err = register_netdevice_notifier(&devlink_port_netdevice_nb); ++ if (!err) ++ return 0; ++ ++ genl_unregister_family(&devlink_nl_family); + ++out_unreg_pernet_subsys: ++ unregister_pernet_subsys(&devlink_pernet_ops); + out: + WARN_ON(err); + return err; +-- +2.43.0 + diff --git a/queue-6.7/drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch b/queue-6.7/drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch new file mode 100644 index 00000000000..e734c846e5f --- /dev/null +++ b/queue-6.7/drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch @@ -0,0 +1,60 @@ +From 9b4bc1ab1af27bb96770832fd1dc9aa2deaa536d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 01:50:50 +0100 +Subject: drm/amd/display: Fix memory leak in dm_sw_fini() + +From: Armin Wolf + +[ Upstream commit bae67893578d608e35691dcdfa90c4957debf1d3 ] + +After destroying dmub_srv, the memory associated with it is +not freed, causing a memory leak: + +unreferenced object 0xffff896302b45800 (size 1024): + comm "(udev-worker)", pid 222, jiffies 4294894636 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 6265fd77): + [] kmalloc_trace+0x29d/0x340 + [] dm_dmub_sw_init+0xb4/0x450 [amdgpu] + [] dm_sw_init+0x15/0x2b0 [amdgpu] + [] amdgpu_device_init+0x1417/0x24e0 [amdgpu] + [] amdgpu_driver_load_kms+0x15/0x190 [amdgpu] + [] amdgpu_pci_probe+0x187/0x4e0 [amdgpu] + [] local_pci_probe+0x3e/0x90 + [] pci_device_probe+0xc3/0x230 + [] really_probe+0xe2/0x480 + [] __driver_probe_device+0x78/0x160 + [] driver_probe_device+0x1f/0x90 + [] __driver_attach+0xce/0x1c0 + [] bus_for_each_dev+0x70/0xc0 + [] bus_add_driver+0x112/0x210 + [] driver_register+0x55/0x100 + [] do_one_initcall+0x41/0x300 + +Fix this by freeing dmub_srv after destroying it. + +Fixes: 743b9786b14a ("drm/amd/display: Hook up the DMUB service in DM") +Signed-off-by: Armin Wolf +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index d83c4128fa165..88ca985603de5 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2245,6 +2245,7 @@ static int dm_sw_fini(void *handle) + + if (adev->dm.dmub_srv) { + dmub_srv_destroy(adev->dm.dmub_srv); ++ kfree(adev->dm.dmub_srv); + adev->dm.dmub_srv = NULL; + } + +-- +2.43.0 + diff --git a/queue-6.7/drm-amd-display-fix-null-pointer-dereference-on-edid.patch b/queue-6.7/drm-amd-display-fix-null-pointer-dereference-on-edid.patch new file mode 100644 index 00000000000..598ead47cf4 --- /dev/null +++ b/queue-6.7/drm-amd-display-fix-null-pointer-dereference-on-edid.patch @@ -0,0 +1,152 @@ +From c3d08828bbd2f95b0112145a6ee1ef73ddb2c239 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 09:23:19 -0300 +Subject: drm/amd/display: fix null-pointer dereference on edid reading + +From: Melissa Wen + +[ Upstream commit 9671761792156f2339627918bafcd713a8a6f777 ] + +Use i2c adapter when there isn't aux_mode in dc_link to fix a +null-pointer derefence that happens when running +igt@kms_force_connector_basic in a system with DCN2.1 and HDMI connector +detected as below: + +[ +0.178146] BUG: kernel NULL pointer dereference, address: 00000000000004c0 +[ +0.000010] #PF: supervisor read access in kernel mode +[ +0.000005] #PF: error_code(0x0000) - not-present page +[ +0.000004] PGD 0 P4D 0 +[ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ +0.000006] CPU: 15 PID: 2368 Comm: kms_force_conne Not tainted 6.5.0-asdn+ #152 +[ +0.000005] Hardware name: HP HP ENVY x360 Convertible 13-ay1xxx/8929, BIOS F.01 07/14/2021 +[ +0.000004] RIP: 0010:i2c_transfer+0xd/0x100 +[ +0.000011] Code: ea fc ff ff 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 38 00 0f 84 b3 00 00 00 83 3d 2f 80 16 +[ +0.000004] RSP: 0018:ffff9c4f89c0fad0 EFLAGS: 00010246 +[ +0.000005] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000080 +[ +0.000003] RDX: 0000000000000002 RSI: ffff9c4f89c0fb20 RDI: 00000000000004b0 +[ +0.000003] RBP: ffff9c4f89c0fb80 R08: 0000000000000080 R09: ffff8d8e0b15b980 +[ +0.000003] R10: 00000000000380e0 R11: 0000000000000000 R12: 0000000000000080 +[ +0.000002] R13: 0000000000000002 R14: ffff9c4f89c0fb0e R15: ffff9c4f89c0fb0f +[ +0.000004] FS: 00007f9ad2176c40(0000) GS:ffff8d90fe9c0000(0000) knlGS:0000000000000000 +[ 
+0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0.000004] CR2: 00000000000004c0 CR3: 0000000121bc4000 CR4: 0000000000750ee0 +[ +0.000003] PKRU: 55555554 +[ +0.000003] Call Trace: +[ +0.000006] +[ +0.000006] ? __die+0x23/0x70 +[ +0.000011] ? page_fault_oops+0x17d/0x4c0 +[ +0.000008] ? preempt_count_add+0x6e/0xa0 +[ +0.000008] ? srso_alias_return_thunk+0x5/0x7f +[ +0.000011] ? exc_page_fault+0x7f/0x180 +[ +0.000009] ? asm_exc_page_fault+0x26/0x30 +[ +0.000013] ? i2c_transfer+0xd/0x100 +[ +0.000010] drm_do_probe_ddc_edid+0xc2/0x140 [drm] +[ +0.000067] ? srso_alias_return_thunk+0x5/0x7f +[ +0.000006] ? _drm_do_get_edid+0x97/0x3c0 [drm] +[ +0.000043] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm] +[ +0.000042] edid_block_read+0x3b/0xd0 [drm] +[ +0.000043] _drm_do_get_edid+0xb6/0x3c0 [drm] +[ +0.000041] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm] +[ +0.000043] drm_edid_read_custom+0x37/0xd0 [drm] +[ +0.000044] amdgpu_dm_connector_mode_valid+0x129/0x1d0 [amdgpu] +[ +0.000153] drm_connector_mode_valid+0x3b/0x60 [drm_kms_helper] +[ +0.000000] __drm_helper_update_and_validate+0xfe/0x3c0 [drm_kms_helper] +[ +0.000000] ? amdgpu_dm_connector_get_modes+0xb6/0x520 [amdgpu] +[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f +[ +0.000000] drm_helper_probe_single_connector_modes+0x2ab/0x540 [drm_kms_helper] +[ +0.000000] status_store+0xb2/0x1f0 [drm] +[ +0.000000] kernfs_fop_write_iter+0x136/0x1d0 +[ +0.000000] vfs_write+0x24d/0x440 +[ +0.000000] ksys_write+0x6f/0xf0 +[ +0.000000] do_syscall_64+0x60/0xc0 +[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f +[ +0.000000] ? syscall_exit_to_user_mode+0x2b/0x40 +[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f +[ +0.000000] ? do_syscall_64+0x6c/0xc0 +[ +0.000000] ? do_syscall_64+0x6c/0xc0 +[ +0.000000] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ +0.000000] RIP: 0033:0x7f9ad46b4b00 +[ +0.000000] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89 +[ +0.000000] RSP: 002b:00007ffcbd3bd6d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ +0.000000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ad46b4b00 +[ +0.000000] RDX: 0000000000000002 RSI: 00007f9ad48a7417 RDI: 0000000000000009 +[ +0.000000] RBP: 0000000000000002 R08: 0000000000000064 R09: 0000000000000000 +[ +0.000000] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f9ad48a7417 +[ +0.000000] R13: 0000000000000009 R14: 00007ffcbd3bd760 R15: 0000000000000001 +[ +0.000000] +[ +0.000000] Modules linked in: ctr ccm rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash algif_skcipher af_alg bnep btusb btrtl btbcm btintel btmtk bluetooth uvcvideo videobuf2_vmalloc sha3_generic videobuf2_memops uvc jitterentropy_rng videobuf2_v4l2 videodev drbg videobuf2_common ansi_cprng mc ecdh_generic ecc qrtr binfmt_misc hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio snd_ctl_led joydev hid_sensor_iio_common rtw89_8852ae rtw89_8852a rtw89_pci snd_hda_codec_realtek rtw89_core snd_hda_codec_generic intel_rapl_msr ledtrig_audio intel_rapl_common snd_hda_codec_hdmi mac80211 snd_hda_intel snd_intel_dspcfg kvm_amd snd_hda_codec snd_soc_dmic snd_acp3x_rn snd_acp3x_pdm_dma libarc4 snd_hwdep snd_soc_core kvm snd_hda_core cfg80211 snd_pci_acp6x snd_pcm nls_ascii snd_timer hp_wmi snd_pci_acp5x nls_cp437 snd_rn_pci_acp3x ucsi_acpi sparse_keymap ccp snd platform_profile 
snd_acp_config typec_ucsi irqbypass vfat sp5100_tco +[ +0.000000] snd_soc_acpi fat rapl pcspkr wmi_bmof roles rfkill rng_core snd_pci_acp3x soundcore k10temp watchdog typec battery ac amd_pmc acpi_tad button hid_sensor_hub hid_multitouch evdev serio_raw msr parport_pc ppdev lp parport fuse loop efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic dm_crypt dm_mod efivarfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx libcrc32c crc32c_generic xor raid6_pq raid1 raid0 multipath linear md_mod amdgpu amdxcp i2c_algo_bit drm_ttm_helper ttm crc32_pclmul crc32c_intel drm_exec gpu_sched drm_suballoc_helper nvme ghash_clmulni_intel drm_buddy drm_display_helper sha512_ssse3 nvme_core ahci xhci_pci sha512_generic hid_generic xhci_hcd libahci rtsx_pci_sdmmc t10_pi i2c_hid_acpi drm_kms_helper i2c_hid mmc_core libata aesni_intel crc64_rocksoft_generic crypto_simd amd_sfh crc64_rocksoft scsi_mod usbcore cryptd crc_t10dif cec drm crct10dif_generic hid rtsx_pci crct10dif_pclmul scsi_common rc_core crc64 i2c_piix4 +[ +0.000000] usb_common crct10dif_common video wmi +[ +0.000000] CR2: 00000000000004c0 +[ +0.000000] ---[ end trace 0000000000000000 ]--- + +Fixes: 0e859faf8670 ("drm/amd/display: Remove unwanted drm edid references") +Signed-off-by: Melissa Wen +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 88ca985603de5..272c27495ede6 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -6445,10 +6445,15 @@ amdgpu_dm_connector_late_register(struct drm_connector *connector) + static void amdgpu_dm_connector_funcs_force(struct drm_connector *connector) + { + struct amdgpu_dm_connector *aconnector = to_amdgpu_dm_connector(connector); +- struct amdgpu_connector *amdgpu_connector = to_amdgpu_connector(connector); + struct dc_link *dc_link = aconnector->dc_link; + struct dc_sink *dc_em_sink = aconnector->dc_em_sink; + struct edid *edid; ++ struct i2c_adapter *ddc; ++ ++ if (dc_link->aux_mode) ++ ddc = &aconnector->dm_dp_aux.aux.ddc; ++ else ++ ddc = &aconnector->i2c->base; + + /* + * Note: drm_get_edid gets edid in the following order: +@@ -6456,7 +6461,7 @@ static void amdgpu_dm_connector_funcs_force(struct drm_connector *connector) + * 2) firmware EDID if set via edid_firmware module parameter + * 3) regular DDC read. 
+ */ +- edid = drm_get_edid(connector, &amdgpu_connector->ddc_bus->aux.ddc); ++ edid = drm_get_edid(connector, ddc); + if (!edid) { + DRM_ERROR("No EDID found on connector: %s.\n", connector->name); + return; +@@ -6497,12 +6502,18 @@ static int get_modes(struct drm_connector *connector) + static void create_eml_sink(struct amdgpu_dm_connector *aconnector) + { + struct drm_connector *connector = &aconnector->base; +- struct amdgpu_connector *amdgpu_connector = to_amdgpu_connector(&aconnector->base); ++ struct dc_link *dc_link = aconnector->dc_link; + struct dc_sink_init_data init_params = { + .link = aconnector->dc_link, + .sink_signal = SIGNAL_TYPE_VIRTUAL + }; + struct edid *edid; ++ struct i2c_adapter *ddc; ++ ++ if (dc_link->aux_mode) ++ ddc = &aconnector->dm_dp_aux.aux.ddc; ++ else ++ ddc = &aconnector->i2c->base; + + /* + * Note: drm_get_edid gets edid in the following order: +@@ -6510,7 +6521,7 @@ static void create_eml_sink(struct amdgpu_dm_connector *aconnector) + * 2) firmware EDID if set via edid_firmware module parameter + * 3) regular DDC read. + */ +- edid = drm_get_edid(connector, &amdgpu_connector->ddc_bus->aux.ddc); ++ edid = drm_get_edid(connector, ddc); + if (!edid) { + DRM_ERROR("No EDID found on connector: %s.\n", connector->name); + return; +-- +2.43.0 + diff --git a/queue-6.7/drm-amd-display-fix-potential-null-pointer-dereferen.patch b/queue-6.7/drm-amd-display-fix-potential-null-pointer-dereferen.patch new file mode 100644 index 00000000000..f36ab058387 --- /dev/null +++ b/queue-6.7/drm-amd-display-fix-potential-null-pointer-dereferen.patch @@ -0,0 +1,88 @@ +From cefdfef47f82acca6a89fe9890f5ea2a9fccf071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 11:43:16 +0530 +Subject: drm/amd/display: Fix potential null pointer dereference in + dc_dmub_srv + +From: Srinivasan Shanmugam + +[ Upstream commit d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907 ] + +Fixes potential null pointer dereference warnings in the +dc_dmub_srv_cmd_list_queue_execute() and dc_dmub_srv_is_hw_pwr_up() +functions. + +In both functions, the 'dc_dmub_srv' variable was being dereferenced +before it was checked for null. This could lead to a null pointer +dereference if 'dc_dmub_srv' is null. The fix is to check if +'dc_dmub_srv' is null before dereferencing it. + +Thus moving the null checks for 'dc_dmub_srv' to the beginning of the +functions to ensure that 'dc_dmub_srv' is not null when it is +dereferenced. 
+ +Found by smatch & thus fixing the below: +drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:133 dc_dmub_srv_cmd_list_queue_execute() warn: variable dereferenced before check 'dc_dmub_srv' (see line 128) +drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_is_hw_pwr_up() warn: variable dereferenced before check 'dc_dmub_srv' (see line 1164) + +Fixes: 028bac583449 ("drm/amd/display: decouple dmcub execution to reduce lock granularity") +Fixes: 65138eb72e1f ("drm/amd/display: Add DCN35 DMUB") +Cc: JinZe.Xu +Cc: Hersen Wu +Cc: Josip Pavic +Cc: Roman Li +Cc: Qingqing Zhuo +Cc: Harry Wentland +Cc: Rodrigo Siqueira +Cc: Aurabindo Pillai +Cc: Tom Chung +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c +index 61d1b4eadbee3..05b3433cbb0b4 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c ++++ b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c +@@ -124,7 +124,7 @@ bool dc_dmub_srv_cmd_list_queue_execute(struct dc_dmub_srv *dc_dmub_srv, + unsigned int count, + union dmub_rb_cmd *cmd_list) + { +- struct dc_context *dc_ctx = dc_dmub_srv->ctx; ++ struct dc_context *dc_ctx; + struct dmub_srv *dmub; + enum dmub_status status; + int i; +@@ -132,6 +132,7 @@ bool dc_dmub_srv_cmd_list_queue_execute(struct dc_dmub_srv *dc_dmub_srv, + if (!dc_dmub_srv || !dc_dmub_srv->dmub) + return false; + ++ dc_ctx = dc_dmub_srv->ctx; + dmub = dc_dmub_srv->dmub; + + for (i = 0 ; i < count; i++) { +@@ -1129,7 +1130,7 @@ void dc_dmub_srv_subvp_save_surf_addr(const struct dc_dmub_srv *dc_dmub_srv, con + + bool dc_dmub_srv_is_hw_pwr_up(struct dc_dmub_srv *dc_dmub_srv, bool wait) + { +- struct dc_context *dc_ctx = dc_dmub_srv->ctx; ++ struct dc_context *dc_ctx; + enum dmub_status status; + + if (!dc_dmub_srv || !dc_dmub_srv->dmub) +@@ -1138,6 +1139,8 @@ bool dc_dmub_srv_is_hw_pwr_up(struct dc_dmub_srv *dc_dmub_srv, bool wait) + if (dc_dmub_srv->ctx->dc->debug.dmcub_emulation) + return true; + ++ dc_ctx = dc_dmub_srv->ctx; ++ + if (wait) { + status = dmub_srv_wait_for_hw_pwr_up(dc_dmub_srv->dmub, 500000); + if (status != DMUB_STATUS_OK) { +-- +2.43.0 + diff --git a/queue-6.7/drm-i915-tv-fix-tv-mode.patch b/queue-6.7/drm-i915-tv-fix-tv-mode.patch new file mode 100644 index 00000000000..73ff1e2f53d --- /dev/null +++ b/queue-6.7/drm-i915-tv-fix-tv-mode.patch @@ -0,0 +1,142 @@ +From 937478def5f245b8bf9a6a09337c992815e304a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 14:12:51 +0100 +Subject: drm/i915/tv: Fix TV mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Ripard + +[ Upstream commit fb1e881273f432e593f8789f99e725b09304cc97 ] + +Commit 1fd4a5a36f9f ("drm/connector: Rename legacy TV property") failed +to update all the users of the struct drm_tv_connector_state mode field, +which resulted in a build failure in i915. + +However, a subsequent commit in the same series reintroduced a mode +field in that structure, with a different semantic but the same type, +with the assumption that all previous users were updated. + +Since that didn't happen, the i915 driver now compiles, but mixes +accesses to the legacy_mode field and the newer mode field, but with the +previous semantics. 
+ +This obviously doesn't work very well, so we need to update the accesses +that weren't in the legacy renaming commit. + +Fixes: 1fd4a5a36f9f ("drm/connector: Rename legacy TV property") +Reported-by: Ville Syrjälä +Signed-off-by: Maxime Ripard +Reviewed-by: Rodrigo Vivi +Signed-off-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20240220131251.453060-1-mripard@kernel.org +(cherry picked from commit bf7626f19d6ff14b9722273e23700400cc4d78ba) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_sdvo.c | 10 +++++----- + drivers/gpu/drm/i915/display/intel_tv.c | 10 +++++----- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_sdvo.c b/drivers/gpu/drm/i915/display/intel_sdvo.c +index a9ac7d45d1f33..312f88d90af95 100644 +--- a/drivers/gpu/drm/i915/display/intel_sdvo.c ++++ b/drivers/gpu/drm/i915/display/intel_sdvo.c +@@ -1208,7 +1208,7 @@ static bool intel_sdvo_set_tv_format(struct intel_sdvo *intel_sdvo, + struct intel_sdvo_tv_format format; + u32 format_map; + +- format_map = 1 << conn_state->tv.mode; ++ format_map = 1 << conn_state->tv.legacy_mode; + memset(&format, 0, sizeof(format)); + memcpy(&format, &format_map, min(sizeof(format), sizeof(format_map))); + +@@ -2288,7 +2288,7 @@ static int intel_sdvo_get_tv_modes(struct drm_connector *connector) + * Read the list of supported input resolutions for the selected TV + * format. + */ +- format_map = 1 << conn_state->tv.mode; ++ format_map = 1 << conn_state->tv.legacy_mode; + memcpy(&tv_res, &format_map, + min(sizeof(format_map), sizeof(struct intel_sdvo_sdtv_resolution_request))); + +@@ -2353,7 +2353,7 @@ intel_sdvo_connector_atomic_get_property(struct drm_connector *connector, + int i; + + for (i = 0; i < intel_sdvo_connector->format_supported_num; i++) +- if (state->tv.mode == intel_sdvo_connector->tv_format_supported[i]) { ++ if (state->tv.legacy_mode == intel_sdvo_connector->tv_format_supported[i]) { + *val = i; + + return 0; +@@ -2409,7 +2409,7 @@ intel_sdvo_connector_atomic_set_property(struct drm_connector *connector, + struct intel_sdvo_connector_state *sdvo_state = to_intel_sdvo_connector_state(state); + + if (property == intel_sdvo_connector->tv_format) { +- state->tv.mode = intel_sdvo_connector->tv_format_supported[val]; ++ state->tv.legacy_mode = intel_sdvo_connector->tv_format_supported[val]; + + if (state->crtc) { + struct drm_crtc_state *crtc_state = +@@ -3066,7 +3066,7 @@ static bool intel_sdvo_tv_create_property(struct intel_sdvo *intel_sdvo, + drm_property_add_enum(intel_sdvo_connector->tv_format, i, + tv_format_names[intel_sdvo_connector->tv_format_supported[i]]); + +- intel_sdvo_connector->base.base.state->tv.mode = intel_sdvo_connector->tv_format_supported[0]; ++ intel_sdvo_connector->base.base.state->tv.legacy_mode = intel_sdvo_connector->tv_format_supported[0]; + drm_object_attach_property(&intel_sdvo_connector->base.base.base, + intel_sdvo_connector->tv_format, 0); + return true; +diff --git a/drivers/gpu/drm/i915/display/intel_tv.c b/drivers/gpu/drm/i915/display/intel_tv.c +index 2ee4f0d958513..f790fd10ba00a 100644 +--- a/drivers/gpu/drm/i915/display/intel_tv.c ++++ b/drivers/gpu/drm/i915/display/intel_tv.c +@@ -949,7 +949,7 @@ intel_disable_tv(struct intel_atomic_state *state, + + static const struct tv_mode *intel_tv_mode_find(const struct drm_connector_state *conn_state) + { +- int format = conn_state->tv.mode; ++ int format = conn_state->tv.legacy_mode; + + return &tv_modes[format]; + } +@@ 
-1710,7 +1710,7 @@ static void intel_tv_find_better_format(struct drm_connector *connector) + break; + } + +- connector->state->tv.mode = i; ++ connector->state->tv.legacy_mode = i; + } + + static int +@@ -1865,7 +1865,7 @@ static int intel_tv_atomic_check(struct drm_connector *connector, + old_state = drm_atomic_get_old_connector_state(state, connector); + new_crtc_state = drm_atomic_get_new_crtc_state(state, new_state->crtc); + +- if (old_state->tv.mode != new_state->tv.mode || ++ if (old_state->tv.legacy_mode != new_state->tv.legacy_mode || + old_state->tv.margins.left != new_state->tv.margins.left || + old_state->tv.margins.right != new_state->tv.margins.right || + old_state->tv.margins.top != new_state->tv.margins.top || +@@ -1902,7 +1902,7 @@ static void intel_tv_add_properties(struct drm_connector *connector) + conn_state->tv.margins.right = 46; + conn_state->tv.margins.bottom = 37; + +- conn_state->tv.mode = 0; ++ conn_state->tv.legacy_mode = 0; + + /* Create TV properties then attach current values */ + for (i = 0; i < ARRAY_SIZE(tv_modes); i++) { +@@ -1916,7 +1916,7 @@ static void intel_tv_add_properties(struct drm_connector *connector) + + drm_object_attach_property(&connector->base, + i915->drm.mode_config.legacy_tv_mode_property, +- conn_state->tv.mode); ++ conn_state->tv.legacy_mode); + drm_object_attach_property(&connector->base, + i915->drm.mode_config.tv_left_margin_property, + conn_state->tv.margins.left); +-- +2.43.0 + diff --git a/queue-6.7/drm-nouveau-mmu-r535-uninitialized-variable-in-r535_.patch b/queue-6.7/drm-nouveau-mmu-r535-uninitialized-variable-in-r535_.patch new file mode 100644 index 00000000000..f963cdeb3f9 --- /dev/null +++ b/queue-6.7/drm-nouveau-mmu-r535-uninitialized-variable-in-r535_.patch @@ -0,0 +1,42 @@ +From 965cde7d67ef87d8fe4fcd002134393ae4f3b4ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 21:09:57 +0300 +Subject: drm/nouveau/mmu/r535: uninitialized variable in r535_bar_new_() + +From: Dan Carpenter + +[ Upstream commit 65323796debe49a1922ba507020f7530a4b3f9af ] + +If gf100_bar_new_() fails then "bar" is not initialized. 
+ +Fixes: 5bf0257136a2 ("drm/nouveau/mmu/r535: initial support") +Signed-off-by: Dan Carpenter +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/dab21df7-4d90-4479-97d8-97e5d228c714@moroto.mountain +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c +index 4135690326f44..3a30bea30e366 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c +@@ -168,12 +168,11 @@ r535_bar_new_(const struct nvkm_bar_func *hw, struct nvkm_device *device, + rm->flush = r535_bar_flush; + + ret = gf100_bar_new_(rm, device, type, inst, &bar); +- *pbar = bar; + if (ret) { +- if (!bar) +- kfree(rm); ++ kfree(rm); + return ret; + } ++ *pbar = bar; + + bar->flushBAR2PhysMode = ioremap(device->func->resource_addr(device, 3), PAGE_SIZE); + if (!bar->flushBAR2PhysMode) +-- +2.43.0 + diff --git a/queue-6.7/drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch b/queue-6.7/drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch new file mode 100644 index 00000000000..34202a906e8 --- /dev/null +++ b/queue-6.7/drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch @@ -0,0 +1,75 @@ +From 40be1ac73a3ea6b46d0211861ff0cdb3fd8bb176 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 08:32:06 -0800 +Subject: drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag + is set + +From: Erik Kurzinger + +[ Upstream commit 3c43177ffb54ea5be97505eb8e2690e99ac96bc9 ] + +When waiting for a syncobj timeline point whose fence has not yet been +submitted with the WAIT_FOR_SUBMIT flag, a callback is registered using +drm_syncobj_fence_add_wait and the thread is put to sleep until the +timeout expires. If the fence is submitted before then, +drm_syncobj_add_point will wake up the sleeping thread immediately which +will proceed to wait for the fence to be signaled. + +However, if the WAIT_AVAILABLE flag is used instead, +drm_syncobj_fence_add_wait won't get called, meaning the waiting thread +will always sleep for the full timeout duration, even if the fence gets +submitted earlier. If it turns out that the fence *has* been submitted +by the time it eventually wakes up, it will still indicate to userspace +that the wait completed successfully (it won't return -ETIME), but it +will have taken much longer than it should have. + +To fix this, we must call drm_syncobj_fence_add_wait if *either* the +WAIT_FOR_SUBMIT flag or the WAIT_AVAILABLE flag is set. The only +difference being that with WAIT_FOR_SUBMIT we will also wait for the +fence to be signaled after it has been submitted while with +WAIT_AVAILABLE we will return immediately. 
+ +IGT test patch: https://lists.freedesktop.org/archives/igt-dev/2024-January/067537.html + +v1 -> v2: adjust lockdep_assert_none_held_once condition + +(cherry picked from commit 8c44ea81634a4a337df70a32621a5f3791be23df) + +Fixes: 01d6c3578379 ("drm/syncobj: add support for timeline point wait v8") +Signed-off-by: Erik Kurzinger +Signed-off-by: Simon Ser +Reviewed-by: Daniel Vetter +Reviewed-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20240119163208.3723457-1-ekurzinger@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_syncobj.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c +index 01da6789d0440..b3433265be6ab 100644 +--- a/drivers/gpu/drm/drm_syncobj.c ++++ b/drivers/gpu/drm/drm_syncobj.c +@@ -1034,7 +1034,8 @@ static signed long drm_syncobj_array_wait_timeout(struct drm_syncobj **syncobjs, + uint64_t *points; + uint32_t signaled_count, i; + +- if (flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) ++ if (flags & (DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT | ++ DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE)) + lockdep_assert_none_held_once(); + + points = kmalloc_array(count, sizeof(*points), GFP_KERNEL); +@@ -1103,7 +1104,8 @@ static signed long drm_syncobj_array_wait_timeout(struct drm_syncobj **syncobjs, + * fallthough and try a 0 timeout wait! + */ + +- if (flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) { ++ if (flags & (DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT | ++ DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE)) { + for (i = 0; i < count; ++i) + drm_syncobj_fence_add_wait(syncobjs[i], &entries[i]); + } +-- +2.43.0 + diff --git a/queue-6.7/drm-syncobj-handle-null-fence-in-syncobj_eventfd_ent.patch b/queue-6.7/drm-syncobj-handle-null-fence-in-syncobj_eventfd_ent.patch new file mode 100644 index 00000000000..ebe0f76ff84 --- /dev/null +++ b/queue-6.7/drm-syncobj-handle-null-fence-in-syncobj_eventfd_ent.patch @@ -0,0 +1,62 @@ +From e814a67b65f602278e3310a57d07ba331a414c3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 10:44:28 -0800 +Subject: drm/syncobj: handle NULL fence in syncobj_eventfd_entry_func + +From: Erik Kurzinger + +[ Upstream commit 2aa6f5b0fd052e363bb9d4b547189f0bf6b3d6d3 ] + +During syncobj_eventfd_entry_func, dma_fence_chain_find_seqno may set +the fence to NULL if the given seqno is signaled and a later seqno has +already been submitted. In that case, the eventfd should be signaled +immediately which currently does not happen. + +This is a similar issue to the one addressed by commit b19926d4f3a6 +("drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence."). + +As a fix, if the return value of dma_fence_chain_find_seqno indicates +success but it sets the fence to NULL, we will assign a stub fence to +ensure the following code still signals the eventfd. 
+ +v1 -> v2: assign a stub fence instead of signaling the eventfd + +Signed-off-by: Erik Kurzinger +Fixes: c7a472297169 ("drm/syncobj: add IOCTL to register an eventfd") +Signed-off-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20240221184527.37667-1-ekurzinger@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_syncobj.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c +index b3433265be6ab..5860428da8de8 100644 +--- a/drivers/gpu/drm/drm_syncobj.c ++++ b/drivers/gpu/drm/drm_syncobj.c +@@ -1380,10 +1380,21 @@ syncobj_eventfd_entry_func(struct drm_syncobj *syncobj, + + /* This happens inside the syncobj lock */ + fence = dma_fence_get(rcu_dereference_protected(syncobj->fence, 1)); ++ if (!fence) ++ return; ++ + ret = dma_fence_chain_find_seqno(&fence, entry->point); +- if (ret != 0 || !fence) { ++ if (ret != 0) { ++ /* The given seqno has not been submitted yet. */ + dma_fence_put(fence); + return; ++ } else if (!fence) { ++ /* If dma_fence_chain_find_seqno returns 0 but sets the fence ++ * to NULL, it implies that the given seqno is signaled and a ++ * later seqno has already been submitted. Assign a stub fence ++ * so that the eventfd still gets signaled below. ++ */ ++ fence = dma_fence_get_stub(); + } + + list_del_init(&entry->node); +-- +2.43.0 + diff --git a/queue-6.7/fix-write-to-cloned-skb-in-ipv6_hop_ioam.patch b/queue-6.7/fix-write-to-cloned-skb-in-ipv6_hop_ioam.patch new file mode 100644 index 00000000000..a2212f9647c --- /dev/null +++ b/queue-6.7/fix-write-to-cloned-skb-in-ipv6_hop_ioam.patch @@ -0,0 +1,56 @@ +From 4220e8f2c7ff498a37f95a1a8eee8af2614069ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 14:52:54 +0100 +Subject: Fix write to cloned skb in ipv6_hop_ioam() + +From: Justin Iurman + +[ Upstream commit f198d933c2e4f8f89e0620fbaf1ea7eac384a0eb ] + +ioam6_fill_trace_data() writes inside the skb payload without ensuring +it's writeable (e.g., not cloned). This function is called both from the +input and output path. The output path (ioam6_iptunnel) already does the +check. This commit provides a fix for the input path, inside +ipv6_hop_ioam(). It also updates ip6_parse_tlv() to refresh the network +header pointer ("nh") when returning from ipv6_hop_ioam(). 
+ +Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace") +Reported-by: Paolo Abeni +Signed-off-by: Justin Iurman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/exthdrs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c +index 4952ae7924505..02e9ffb63af19 100644 +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -177,6 +177,8 @@ static bool ip6_parse_tlv(bool hopbyhop, + case IPV6_TLV_IOAM: + if (!ipv6_hop_ioam(skb, off)) + return false; ++ ++ nh = skb_network_header(skb); + break; + case IPV6_TLV_JUMBO: + if (!ipv6_hop_jumbo(skb, off)) +@@ -943,6 +945,14 @@ static bool ipv6_hop_ioam(struct sk_buff *skb, int optoff) + if (!skb_valid_dst(skb)) + ip6_route_input(skb); + ++ /* About to mangle packet header */ ++ if (skb_ensure_writable(skb, optoff + 2 + hdr->opt_len)) ++ goto drop; ++ ++ /* Trace pointer may have changed */ ++ trace = (struct ioam6_trace_hdr *)(skb_network_header(skb) ++ + optoff + sizeof(*hdr)); ++ + ioam6_fill_trace_data(skb, ns, trace, true); + break; + default: +-- +2.43.0 + diff --git a/queue-6.7/gpiolib-handle-no-pin_ranges-in-gpiochip_generic_con.patch b/queue-6.7/gpiolib-handle-no-pin_ranges-in-gpiochip_generic_con.patch new file mode 100644 index 00000000000..af598a4d943 --- /dev/null +++ b/queue-6.7/gpiolib-handle-no-pin_ranges-in-gpiochip_generic_con.patch @@ -0,0 +1,55 @@ +From 1abd23fd10d91005cb6d5c950b0ec4b86d134330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 18:25:13 +0100 +Subject: gpiolib: Handle no pin_ranges in gpiochip_generic_config() + +From: Emil Renner Berthing + +[ Upstream commit ae366ba8576da0135d7d3db2dfa6304f3338d0c2 ] + +Similar to gpiochip_generic_request() and gpiochip_generic_free() the +gpiochip_generic_config() function needs to handle the case where there +are no pinctrl pins mapped to the GPIOs, usually through the gpio-ranges +device tree property. + +Commit f34fd6ee1be8 ("gpio: dwapb: Use generic request, free and +set_config") set the .set_config callback to gpiochip_generic_config() +in the dwapb GPIO driver so the GPIO API can set pinctrl configuration +for the corresponding pins. Most boards using the dwapb driver do not +set the gpio-ranges device tree property though, and in this case +gpiochip_generic_config() would return -EPROPE_DEFER rather than the +previous -ENOTSUPP return value. This in turn makes +gpio_set_config_with_argument_optional() fail and propagate the error to +any driver requesting GPIOs. 
+ +Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Reported-by: Jisheng Zhang +Closes: https://lore.kernel.org/linux-gpio/ZdC_g3U4l0CJIWzh@xhacker/ +Tested-by: Jisheng Zhang +Signed-off-by: Emil Renner Berthing +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 95d2a7b2ea3e2..15de124d5b402 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -2043,6 +2043,11 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_free); + int gpiochip_generic_config(struct gpio_chip *gc, unsigned int offset, + unsigned long config) + { ++#ifdef CONFIG_PINCTRL ++ if (list_empty(&gc->gpiodev->pin_ranges)) ++ return -ENOTSUPP; ++#endif ++ + return pinctrl_gpio_set_config(gc, offset, config); + } + EXPORT_SYMBOL_GPL(gpiochip_generic_config); +-- +2.43.0 + diff --git a/queue-6.7/hwmon-nct6775-fix-access-to-temperature-configuratio.patch b/queue-6.7/hwmon-nct6775-fix-access-to-temperature-configuratio.patch new file mode 100644 index 00000000000..5a2a68a786e --- /dev/null +++ b/queue-6.7/hwmon-nct6775-fix-access-to-temperature-configuratio.patch @@ -0,0 +1,117 @@ +From 3b9b91fc9631b5a0285b1d19237b7f82bdfe8b1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 06:01:20 -0800 +Subject: hwmon: (nct6775) Fix access to temperature configuration registers + +From: Guenter Roeck + +[ Upstream commit d56e460e19ea8382f813eb489730248ec8d7eb73 ] + +The number of temperature configuration registers does +not always match the total number of temperature registers. +This can result in access errors reported if KASAN is enabled. + +BUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core + +Reported-by: Erhard Furtner +Closes: https://lore.kernel.org/linux-hwmon/d51181d1-d26b-42b2-b002-3f5a4037721f@roeck-us.net/ +Fixes: b7f1f7b2523a ("hwmon: (nct6775) Additional TEMP registers for nct6799") +Cc: Ahmad Khalifa +Tested-by: Ahmad Khalifa +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775-core.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c +index 92a49fafe2c02..f3bf2e4701c38 100644 +--- a/drivers/hwmon/nct6775-core.c ++++ b/drivers/hwmon/nct6775-core.c +@@ -3512,6 +3512,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + const u16 *reg_temp_mon, *reg_temp_alternate, *reg_temp_crit; + const u16 *reg_temp_crit_l = NULL, *reg_temp_crit_h = NULL; + int num_reg_temp, num_reg_temp_mon, num_reg_tsi_temp; ++ int num_reg_temp_config; + struct device *hwmon_dev; + struct sensor_template_group tsi_temp_tg; + +@@ -3594,6 +3595,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + reg_temp_over = NCT6106_REG_TEMP_OVER; + reg_temp_hyst = NCT6106_REG_TEMP_HYST; + reg_temp_config = NCT6106_REG_TEMP_CONFIG; ++ num_reg_temp_config = ARRAY_SIZE(NCT6106_REG_TEMP_CONFIG); + reg_temp_alternate = NCT6106_REG_TEMP_ALTERNATE; + reg_temp_crit = NCT6106_REG_TEMP_CRIT; + reg_temp_crit_l = NCT6106_REG_TEMP_CRIT_L; +@@ -3669,6 +3671,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + reg_temp_over = NCT6106_REG_TEMP_OVER; + reg_temp_hyst = NCT6106_REG_TEMP_HYST; + reg_temp_config = NCT6106_REG_TEMP_CONFIG; ++ num_reg_temp_config = ARRAY_SIZE(NCT6106_REG_TEMP_CONFIG); + reg_temp_alternate = 
NCT6106_REG_TEMP_ALTERNATE; + reg_temp_crit = NCT6106_REG_TEMP_CRIT; + reg_temp_crit_l = NCT6106_REG_TEMP_CRIT_L; +@@ -3746,6 +3749,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + reg_temp_over = NCT6775_REG_TEMP_OVER; + reg_temp_hyst = NCT6775_REG_TEMP_HYST; + reg_temp_config = NCT6775_REG_TEMP_CONFIG; ++ num_reg_temp_config = ARRAY_SIZE(NCT6775_REG_TEMP_CONFIG); + reg_temp_alternate = NCT6775_REG_TEMP_ALTERNATE; + reg_temp_crit = NCT6775_REG_TEMP_CRIT; + +@@ -3821,6 +3825,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + reg_temp_over = NCT6775_REG_TEMP_OVER; + reg_temp_hyst = NCT6775_REG_TEMP_HYST; + reg_temp_config = NCT6776_REG_TEMP_CONFIG; ++ num_reg_temp_config = ARRAY_SIZE(NCT6776_REG_TEMP_CONFIG); + reg_temp_alternate = NCT6776_REG_TEMP_ALTERNATE; + reg_temp_crit = NCT6776_REG_TEMP_CRIT; + +@@ -3900,6 +3905,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + reg_temp_over = NCT6779_REG_TEMP_OVER; + reg_temp_hyst = NCT6779_REG_TEMP_HYST; + reg_temp_config = NCT6779_REG_TEMP_CONFIG; ++ num_reg_temp_config = ARRAY_SIZE(NCT6779_REG_TEMP_CONFIG); + reg_temp_alternate = NCT6779_REG_TEMP_ALTERNATE; + reg_temp_crit = NCT6779_REG_TEMP_CRIT; + +@@ -4034,6 +4040,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + reg_temp_over = NCT6779_REG_TEMP_OVER; + reg_temp_hyst = NCT6779_REG_TEMP_HYST; + reg_temp_config = NCT6779_REG_TEMP_CONFIG; ++ num_reg_temp_config = ARRAY_SIZE(NCT6779_REG_TEMP_CONFIG); + reg_temp_alternate = NCT6779_REG_TEMP_ALTERNATE; + reg_temp_crit = NCT6779_REG_TEMP_CRIT; + +@@ -4123,6 +4130,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + reg_temp_over = NCT6798_REG_TEMP_OVER; + reg_temp_hyst = NCT6798_REG_TEMP_HYST; + reg_temp_config = NCT6779_REG_TEMP_CONFIG; ++ num_reg_temp_config = ARRAY_SIZE(NCT6779_REG_TEMP_CONFIG); + reg_temp_alternate = NCT6798_REG_TEMP_ALTERNATE; + reg_temp_crit = NCT6798_REG_TEMP_CRIT; + +@@ -4204,7 +4212,8 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + = reg_temp_crit[src - 1]; + if (reg_temp_crit_l && reg_temp_crit_l[i]) + data->reg_temp[4][src - 1] = reg_temp_crit_l[i]; +- data->reg_temp_config[src - 1] = reg_temp_config[i]; ++ if (i < num_reg_temp_config) ++ data->reg_temp_config[src - 1] = reg_temp_config[i]; + data->temp_src[src - 1] = src; + continue; + } +@@ -4217,7 +4226,8 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data, + data->reg_temp[0][s] = reg_temp[i]; + data->reg_temp[1][s] = reg_temp_over[i]; + data->reg_temp[2][s] = reg_temp_hyst[i]; +- data->reg_temp_config[s] = reg_temp_config[i]; ++ if (i < num_reg_temp_config) ++ data->reg_temp_config[s] = reg_temp_config[i]; + if (reg_temp_crit_h && reg_temp_crit_h[i]) + data->reg_temp[3][s] = reg_temp_crit_h[i]; + else if (reg_temp_crit[src - 1]) +-- +2.43.0 + diff --git a/queue-6.7/i2c-imx-when-being-a-target-mark-the-last-read-as-pr.patch b/queue-6.7/i2c-imx-when-being-a-target-mark-the-last-read-as-pr.patch new file mode 100644 index 00000000000..9d6ddebf2c7 --- /dev/null +++ b/queue-6.7/i2c-imx-when-being-a-target-mark-the-last-read-as-pr.patch @@ -0,0 +1,45 @@ +From d51568ed339142de8c050d65a5c5ed0f1e944df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 20:27:13 +0100 +Subject: i2c: imx: when being a target, mark the last read as processed + +From: Corey Minyard + +[ Upstream commit 87aec499368d488c20292952d6d4be7cb9e49c5e ] + +When being a target, NAK from the controller means that all bytes have +been transferred. 
So, the last byte needs also to be marked as +'processed'. Otherwise index registers of backends may not increase. + +Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver") +Signed-off-by: Corey Minyard +Tested-by: Andrew Manley +Reviewed-by: Andrew Manley +Reviewed-by: Oleksij Rempel +[wsa: fixed comment and commit message to properly describe the case] +Signed-off-by: Wolfram Sang +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-imx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c +index 1775a79aeba2a..0951bfdc89cfa 100644 +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -803,6 +803,11 @@ static irqreturn_t i2c_imx_slave_handle(struct imx_i2c_struct *i2c_imx, + ctl &= ~I2CR_MTX; + imx_i2c_write_reg(ctl, i2c_imx, IMX_I2C_I2CR); + imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR); ++ ++ /* flag the last byte as processed */ ++ i2c_imx_slave_event(i2c_imx, ++ I2C_SLAVE_READ_PROCESSED, &value); ++ + i2c_imx_slave_finish_op(i2c_imx); + return IRQ_HANDLED; + } +-- +2.43.0 + diff --git a/queue-6.7/ib-hfi1-fix-a-memleak-in-init_credit_return.patch b/queue-6.7/ib-hfi1-fix-a-memleak-in-init_credit_return.patch new file mode 100644 index 00000000000..db4b2b31ebb --- /dev/null +++ b/queue-6.7/ib-hfi1-fix-a-memleak-in-init_credit_return.patch @@ -0,0 +1,51 @@ +From 65a1ee9bc9e221078867052851a72fc3b31f95f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 16:55:23 +0800 +Subject: IB/hfi1: Fix a memleak in init_credit_return + +From: Zhipeng Lu + +[ Upstream commit 809aa64ebff51eb170ee31a95f83b2d21efa32e2 ] + +When dma_alloc_coherent fails to allocate dd->cr_base[i].va, +init_credit_return should deallocate dd->cr_base and +dd->cr_base[i] that allocated before. Or those resources +would be never freed and a memleak is triggered. 
+ +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Signed-off-by: Zhipeng Lu +Link: https://lore.kernel.org/r/20240112085523.3731720-1-alexious@zju.edu.cn +Acked-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/pio.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c +index 68c621ff59d03..5a91cbda4aee6 100644 +--- a/drivers/infiniband/hw/hfi1/pio.c ++++ b/drivers/infiniband/hw/hfi1/pio.c +@@ -2086,7 +2086,7 @@ int init_credit_return(struct hfi1_devdata *dd) + "Unable to allocate credit return DMA range for NUMA %d\n", + i); + ret = -ENOMEM; +- goto done; ++ goto free_cr_base; + } + } + set_dev_node(&dd->pcidev->dev, dd->node); +@@ -2094,6 +2094,10 @@ int init_credit_return(struct hfi1_devdata *dd) + ret = 0; + done: + return ret; ++ ++free_cr_base: ++ free_credit_return(dd); ++ goto done; + } + + void free_credit_return(struct hfi1_devdata *dd) +-- +2.43.0 + diff --git a/queue-6.7/ib-mlx5-don-t-expose-debugfs-entries-for-rroce-gener.patch b/queue-6.7/ib-mlx5-don-t-expose-debugfs-entries-for-rroce-gener.patch new file mode 100644 index 00000000000..4f0f66c0d78 --- /dev/null +++ b/queue-6.7/ib-mlx5-don-t-expose-debugfs-entries-for-rroce-gener.patch @@ -0,0 +1,63 @@ +From 52e6883e6668997a6b6a70b684bcc8f209bf459b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jan 2024 11:29:12 +0200 +Subject: IB/mlx5: Don't expose debugfs entries for RRoCE general parameters if + not supported + +From: Mark Zhang + +[ Upstream commit 43fdbd140238d44e7e847232719fef7d20f9d326 ] + +debugfs entries for RRoCE general CC parameters must be exposed only when +they are supported, otherwise when accessing them there may be a syndrome +error in kernel log, for example: + +$ cat /sys/kernel/debug/mlx5/0000:08:00.1/cc_params/rtt_resp_dscp +cat: '/sys/kernel/debug/mlx5/0000:08:00.1/cc_params/rtt_resp_dscp': Invalid argument +$ dmesg + mlx5_core 0000:08:00.1: mlx5_cmd_out_err:805:(pid 1253): QUERY_CONG_PARAMS(0x824) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0x325a82), err(-22) + +Fixes: 66fb1d5df6ac ("IB/mlx5: Extend debug control for CC parameters") +Reviewed-by: Edward Srouji +Signed-off-by: Mark Zhang +Link: https://lore.kernel.org/r/e7ade70bad52b7468bdb1de4d41d5fad70c8b71c.1706433934.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/cong.c | 6 ++++++ + include/linux/mlx5/mlx5_ifc.h | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/cong.c b/drivers/infiniband/hw/mlx5/cong.c +index f87531318feb8..a78a067e3ce7f 100644 +--- a/drivers/infiniband/hw/mlx5/cong.c ++++ b/drivers/infiniband/hw/mlx5/cong.c +@@ -458,6 +458,12 @@ void mlx5_ib_init_cong_debugfs(struct mlx5_ib_dev *dev, u32 port_num) + dbg_cc_params->root = debugfs_create_dir("cc_params", mlx5_debugfs_get_dev_root(mdev)); + + for (i = 0; i < MLX5_IB_DBG_CC_MAX; i++) { ++ if ((i == MLX5_IB_DBG_CC_GENERAL_RTT_RESP_DSCP_VALID || ++ i == MLX5_IB_DBG_CC_GENERAL_RTT_RESP_DSCP)) ++ if (!MLX5_CAP_GEN(mdev, roce) || ++ !MLX5_CAP_ROCE(mdev, roce_cc_general)) ++ continue; ++ + dbg_cc_params->params[i].offset = i; + dbg_cc_params->params[i].dev = dev; + dbg_cc_params->params[i].port_num = port_num; +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index fb8d26a15df47..77cd2e13724e7 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ 
b/include/linux/mlx5/mlx5_ifc.h +@@ -1103,7 +1103,7 @@ struct mlx5_ifc_roce_cap_bits { + u8 sw_r_roce_src_udp_port[0x1]; + u8 fl_rc_qp_when_roce_disabled[0x1]; + u8 fl_rc_qp_when_roce_enabled[0x1]; +- u8 reserved_at_7[0x1]; ++ u8 roce_cc_general[0x1]; + u8 qp_ooo_transmit_default[0x1]; + u8 reserved_at_9[0x15]; + u8 qp_ts_format[0x2]; +-- +2.43.0 + diff --git a/queue-6.7/iommu-add-mm_get_enqcmd_pasid-helper-function.patch b/queue-6.7/iommu-add-mm_get_enqcmd_pasid-helper-function.patch new file mode 100644 index 00000000000..047b7440440 --- /dev/null +++ b/queue-6.7/iommu-add-mm_get_enqcmd_pasid-helper-function.patch @@ -0,0 +1,160 @@ +From 1339c5c25a70f92acd8167090553d294101442be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 08:05:22 +0800 +Subject: iommu: Add mm_get_enqcmd_pasid() helper function + +From: Tina Zhang + +[ Upstream commit 2396046d75d3c0b2cfead852a77efd023f8539dc ] + +mm_get_enqcmd_pasid() should be used by architecture code and closely +related to learn the PASID value that the x86 ENQCMD operation should +use for the mm. + +For the moment SMMUv3 uses this without any connection to ENQCMD, it +will be cleaned up similar to how the prior patch made VT-d use the +PASID argument of set_dev_pasid(). + +The motivation is to replace mm->pasid with an iommu private data +structure that is introduced in a later patch. + +Reviewed-by: Lu Baolu +Reviewed-by: Jason Gunthorpe +Tested-by: Nicolin Chen +Signed-off-by: Tina Zhang +Signed-off-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/20231027000525.1278806-4-tina.zhang@intel.com +Signed-off-by: Joerg Roedel +Stable-dep-of: b5bf7778b722 ("iommu/arm-smmu-v3: Do not use GFP_KERNEL under as spinlock") +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/traps.c | 2 +- + .../iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 23 ++++++++++++------- + drivers/iommu/iommu-sva.c | 2 +- + include/linux/iommu.h | 12 ++++++++++ + 4 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index c876f1d36a81a..832f4413d96a8 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -591,7 +591,7 @@ static bool try_fixup_enqcmd_gp(void) + if (!mm_valid_pasid(current->mm)) + return false; + +- pasid = current->mm->pasid; ++ pasid = mm_get_enqcmd_pasid(current->mm); + + /* + * Did this thread already have its PASID activated? +diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c +index 353248ab18e76..05722121f00e7 100644 +--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c ++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c +@@ -246,7 +246,8 @@ static void arm_smmu_mm_arch_invalidate_secondary_tlbs(struct mmu_notifier *mn, + smmu_domain); + } + +- arm_smmu_atc_inv_domain(smmu_domain, mm->pasid, start, size); ++ arm_smmu_atc_inv_domain(smmu_domain, mm_get_enqcmd_pasid(mm), start, ++ size); + } + + static void arm_smmu_mm_release(struct mmu_notifier *mn, struct mm_struct *mm) +@@ -264,10 +265,11 @@ static void arm_smmu_mm_release(struct mmu_notifier *mn, struct mm_struct *mm) + * DMA may still be running. Keep the cd valid to avoid C_BAD_CD events, + * but disable translation. 
+ */ +- arm_smmu_update_ctx_desc_devices(smmu_domain, mm->pasid, &quiet_cd); ++ arm_smmu_update_ctx_desc_devices(smmu_domain, mm_get_enqcmd_pasid(mm), ++ &quiet_cd); + + arm_smmu_tlb_inv_asid(smmu_domain->smmu, smmu_mn->cd->asid); +- arm_smmu_atc_inv_domain(smmu_domain, mm->pasid, 0, 0); ++ arm_smmu_atc_inv_domain(smmu_domain, mm_get_enqcmd_pasid(mm), 0, 0); + + smmu_mn->cleared = true; + mutex_unlock(&sva_lock); +@@ -325,10 +327,13 @@ arm_smmu_mmu_notifier_get(struct arm_smmu_domain *smmu_domain, + + spin_lock_irqsave(&smmu_domain->devices_lock, flags); + list_for_each_entry(master, &smmu_domain->devices, domain_head) { +- ret = arm_smmu_write_ctx_desc(master, mm->pasid, cd); ++ ret = arm_smmu_write_ctx_desc(master, mm_get_enqcmd_pasid(mm), ++ cd); + if (ret) { +- list_for_each_entry_from_reverse(master, &smmu_domain->devices, domain_head) +- arm_smmu_write_ctx_desc(master, mm->pasid, NULL); ++ list_for_each_entry_from_reverse( ++ master, &smmu_domain->devices, domain_head) ++ arm_smmu_write_ctx_desc( ++ master, mm_get_enqcmd_pasid(mm), NULL); + break; + } + } +@@ -358,7 +363,8 @@ static void arm_smmu_mmu_notifier_put(struct arm_smmu_mmu_notifier *smmu_mn) + + list_del(&smmu_mn->list); + +- arm_smmu_update_ctx_desc_devices(smmu_domain, mm->pasid, NULL); ++ arm_smmu_update_ctx_desc_devices(smmu_domain, mm_get_enqcmd_pasid(mm), ++ NULL); + + /* + * If we went through clear(), we've already invalidated, and no +@@ -366,7 +372,8 @@ static void arm_smmu_mmu_notifier_put(struct arm_smmu_mmu_notifier *smmu_mn) + */ + if (!smmu_mn->cleared) { + arm_smmu_tlb_inv_asid(smmu_domain->smmu, cd->asid); +- arm_smmu_atc_inv_domain(smmu_domain, mm->pasid, 0, 0); ++ arm_smmu_atc_inv_domain(smmu_domain, mm_get_enqcmd_pasid(mm), 0, ++ 0); + } + + /* Frees smmu_mn */ +diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c +index b78671a8a9143..4a2f5699747f1 100644 +--- a/drivers/iommu/iommu-sva.c ++++ b/drivers/iommu/iommu-sva.c +@@ -141,7 +141,7 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle) + { + struct iommu_domain *domain = handle->domain; + +- return domain->mm->pasid; ++ return mm_get_enqcmd_pasid(domain->mm); + } + EXPORT_SYMBOL_GPL(iommu_sva_get_pasid); + +diff --git a/include/linux/iommu.h b/include/linux/iommu.h +index 6291aa7b079b0..81553770e411a 100644 +--- a/include/linux/iommu.h ++++ b/include/linux/iommu.h +@@ -1346,6 +1346,12 @@ static inline bool mm_valid_pasid(struct mm_struct *mm) + { + return mm->pasid != IOMMU_PASID_INVALID; + } ++ ++static inline u32 mm_get_enqcmd_pasid(struct mm_struct *mm) ++{ ++ return mm->pasid; ++} ++ + void mm_pasid_drop(struct mm_struct *mm); + struct iommu_sva *iommu_sva_bind_device(struct device *dev, + struct mm_struct *mm); +@@ -1368,6 +1374,12 @@ static inline u32 iommu_sva_get_pasid(struct iommu_sva *handle) + } + static inline void mm_pasid_init(struct mm_struct *mm) {} + static inline bool mm_valid_pasid(struct mm_struct *mm) { return false; } ++ ++static inline u32 mm_get_enqcmd_pasid(struct mm_struct *mm) ++{ ++ return IOMMU_PASID_INVALID; ++} ++ + static inline void mm_pasid_drop(struct mm_struct *mm) {} + #endif /* CONFIG_IOMMU_SVA */ + +-- +2.43.0 + diff --git a/queue-6.7/iommu-arm-smmu-v3-do-not-use-gfp_kernel-under-as-spi.patch b/queue-6.7/iommu-arm-smmu-v3-do-not-use-gfp_kernel-under-as-spi.patch new file mode 100644 index 00000000000..44c465b4719 --- /dev/null +++ b/queue-6.7/iommu-arm-smmu-v3-do-not-use-gfp_kernel-under-as-spi.patch @@ -0,0 +1,183 @@ +From 07511b9734d777a94df86f591472c3c67cedb816 Mon Sep 17 00:00:00 2001 +From: 
Sasha Levin +Date: Wed, 21 Feb 2024 20:27:02 -0400 +Subject: iommu/arm-smmu-v3: Do not use GFP_KERNEL under as spinlock + +From: Jason Gunthorpe + +[ Upstream commit b5bf7778b722105d7a04b1d51e884497b542638b ] + +If the SMMU is configured to use a two level CD table then +arm_smmu_write_ctx_desc() allocates a CD table leaf internally using +GFP_KERNEL. Due to recent changes this is being done under a spinlock to +iterate over the device list - thus it will trigger a sleeping while +atomic warning: + + arm_smmu_sva_set_dev_pasid() + mutex_lock(&sva_lock); + __arm_smmu_sva_bind() + arm_smmu_mmu_notifier_get() + spin_lock_irqsave() + arm_smmu_write_ctx_desc() + arm_smmu_get_cd_ptr() + arm_smmu_alloc_cd_leaf_table() + dmam_alloc_coherent(GFP_KERNEL) + +This is a 64K high order allocation and really should not be done +atomically. + +At the moment the rework of the SVA to follow the new API is half +finished. Recently the CD table memory was moved from the domain to the +master, however we have the confusing situation where the SVA code is +wrongly using the RID domains device's list to track which CD tables the +SVA is installed in. + +Remove the logic to replicate the CD across all the domain's masters +during attach. We know which master and which CD table the PASID should be +installed in. + +Right now SVA only works when dma-iommu.c is in control of the RID +translation, which means we have a single iommu_domain shared across the +entire group and that iommu_domain is not shared outside the group. + +Critically this means that the iommu_group->devices list and RID's +smmu_domain->devices list describe the same set of masters. + +For PCI cases the core code also insists on singleton groups so there is +only one entry in the smmu_domain->devices list that is equal to the +master being passed in to arm_smmu_sva_set_dev_pasid(). + +Only non-PCI cases may have multi-device groups. However, the core code +will repeat the calls to arm_smmu_sva_set_dev_pasid() across the entire +iommu_group->devices list. + +Instead of having arm_smmu_mmu_notifier_get() indirectly loop over all the +devices in the group via the RID's smmu_domain, rely on +__arm_smmu_sva_bind() to be called for each device in the group and +install the repeated CD entry that way. + +This avoids taking the spinlock to access the devices list and permits the +arm_smmu_write_ctx_desc() to use a sleeping allocation. Leave the +arm_smmu_mm_release() as a confusing situation, this requires tracking +attached masters inside the SVA domain. + +Removing the loop allows arm_smmu_write_ctx_desc() to be called outside +the spinlock and thus is safe to use GFP_KERNEL. + +Move the clearing of the CD into arm_smmu_sva_remove_dev_pasid() so that +arm_smmu_mmu_notifier_get/put() remain paired functions. 
+ +Fixes: 24503148c545 ("iommu/arm-smmu-v3: Refactor write_ctx_desc") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/all/4e25d161-0cf8-4050-9aa3-dfa21cd63e56@moroto.mountain/ +Signed-off-by: Jason Gunthorpe +Reviewed-by: Michael Shavit +Link: https://lore.kernel.org/r/0-v3-11978fc67151+112-smmu_cd_atomic_jgg@nvidia.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + .../iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 38 ++++++------------- + 1 file changed, 12 insertions(+), 26 deletions(-) + +diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c +index 05722121f00e7..4a27fbdb2d844 100644 +--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c ++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c +@@ -292,10 +292,8 @@ arm_smmu_mmu_notifier_get(struct arm_smmu_domain *smmu_domain, + struct mm_struct *mm) + { + int ret; +- unsigned long flags; + struct arm_smmu_ctx_desc *cd; + struct arm_smmu_mmu_notifier *smmu_mn; +- struct arm_smmu_master *master; + + list_for_each_entry(smmu_mn, &smmu_domain->mmu_notifiers, list) { + if (smmu_mn->mn.mm == mm) { +@@ -325,28 +323,9 @@ arm_smmu_mmu_notifier_get(struct arm_smmu_domain *smmu_domain, + goto err_free_cd; + } + +- spin_lock_irqsave(&smmu_domain->devices_lock, flags); +- list_for_each_entry(master, &smmu_domain->devices, domain_head) { +- ret = arm_smmu_write_ctx_desc(master, mm_get_enqcmd_pasid(mm), +- cd); +- if (ret) { +- list_for_each_entry_from_reverse( +- master, &smmu_domain->devices, domain_head) +- arm_smmu_write_ctx_desc( +- master, mm_get_enqcmd_pasid(mm), NULL); +- break; +- } +- } +- spin_unlock_irqrestore(&smmu_domain->devices_lock, flags); +- if (ret) +- goto err_put_notifier; +- + list_add(&smmu_mn->list, &smmu_domain->mmu_notifiers); + return smmu_mn; + +-err_put_notifier: +- /* Frees smmu_mn */ +- mmu_notifier_put(&smmu_mn->mn); + err_free_cd: + arm_smmu_free_shared_cd(cd); + return ERR_PTR(ret); +@@ -363,9 +342,6 @@ static void arm_smmu_mmu_notifier_put(struct arm_smmu_mmu_notifier *smmu_mn) + + list_del(&smmu_mn->list); + +- arm_smmu_update_ctx_desc_devices(smmu_domain, mm_get_enqcmd_pasid(mm), +- NULL); +- + /* + * If we went through clear(), we've already invalidated, and no + * new TLB entry can have been formed. 
+@@ -381,7 +357,8 @@ static void arm_smmu_mmu_notifier_put(struct arm_smmu_mmu_notifier *smmu_mn) + arm_smmu_free_shared_cd(cd); + } + +-static int __arm_smmu_sva_bind(struct device *dev, struct mm_struct *mm) ++static int __arm_smmu_sva_bind(struct device *dev, ioasid_t pasid, ++ struct mm_struct *mm) + { + int ret; + struct arm_smmu_bond *bond; +@@ -404,9 +381,15 @@ static int __arm_smmu_sva_bind(struct device *dev, struct mm_struct *mm) + goto err_free_bond; + } + ++ ret = arm_smmu_write_ctx_desc(master, pasid, bond->smmu_mn->cd); ++ if (ret) ++ goto err_put_notifier; ++ + list_add(&bond->list, &master->bonds); + return 0; + ++err_put_notifier: ++ arm_smmu_mmu_notifier_put(bond->smmu_mn); + err_free_bond: + kfree(bond); + return ret; +@@ -568,6 +551,9 @@ void arm_smmu_sva_remove_dev_pasid(struct iommu_domain *domain, + struct arm_smmu_master *master = dev_iommu_priv_get(dev); + + mutex_lock(&sva_lock); ++ ++ arm_smmu_write_ctx_desc(master, id, NULL); ++ + list_for_each_entry(t, &master->bonds, list) { + if (t->mm == mm) { + bond = t; +@@ -590,7 +576,7 @@ static int arm_smmu_sva_set_dev_pasid(struct iommu_domain *domain, + struct mm_struct *mm = domain->mm; + + mutex_lock(&sva_lock); +- ret = __arm_smmu_sva_bind(dev, mm); ++ ret = __arm_smmu_sva_bind(dev, id, mm); + mutex_unlock(&sva_lock); + + return ret; +-- +2.43.0 + diff --git a/queue-6.7/iommu-vt-d-add-missing-dirty-tracking-set-for-parent.patch b/queue-6.7/iommu-vt-d-add-missing-dirty-tracking-set-for-parent.patch new file mode 100644 index 00000000000..bb7068d7405 --- /dev/null +++ b/queue-6.7/iommu-vt-d-add-missing-dirty-tracking-set-for-parent.patch @@ -0,0 +1,88 @@ +From a9dfb71392e3728bb24b82b14d8df695fafde4c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 19:15:59 +0800 +Subject: iommu/vt-d: Add missing dirty tracking set for parent domain + +From: Yi Liu + +[ Upstream commit f1e1610950eac0af5e40f6ee02315952f78192f7 ] + +Setting dirty tracking for a s2 domain requires to loop all the related +devices and set the dirty tracking enable bit in the PASID table entry. +This includes the devices that are attached to the nested domains of a +s2 domain if this s2 domain is used as parent. However, the existing dirty +tracking set only loops s2 domain's own devices. It will miss dirty page +logs in the parent domain. + +Now, the parent domain tracks the nested domains, so it can loop the +nested domains and the devices attached to the nested domains to ensure +dirty tracking on the parent is set completely. 
+ +Fixes: b41e38e22539 ("iommu/vt-d: Add nested domain allocation") +Signed-off-by: Yi Sun +Signed-off-by: Yi Liu +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20240208082307.15759-9-yi.l.liu@intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index e3b3ab506b185..a8366b1f4f48b 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -4884,6 +4884,35 @@ static int device_set_dirty_tracking(struct list_head *devices, bool enable) + return ret; + } + ++static int parent_domain_set_dirty_tracking(struct dmar_domain *domain, ++ bool enable) ++{ ++ struct dmar_domain *s1_domain; ++ unsigned long flags; ++ int ret; ++ ++ spin_lock(&domain->s1_lock); ++ list_for_each_entry(s1_domain, &domain->s1_domains, s2_link) { ++ spin_lock_irqsave(&s1_domain->lock, flags); ++ ret = device_set_dirty_tracking(&s1_domain->devices, enable); ++ spin_unlock_irqrestore(&s1_domain->lock, flags); ++ if (ret) ++ goto err_unwind; ++ } ++ spin_unlock(&domain->s1_lock); ++ return 0; ++ ++err_unwind: ++ list_for_each_entry(s1_domain, &domain->s1_domains, s2_link) { ++ spin_lock_irqsave(&s1_domain->lock, flags); ++ device_set_dirty_tracking(&s1_domain->devices, ++ domain->dirty_tracking); ++ spin_unlock_irqrestore(&s1_domain->lock, flags); ++ } ++ spin_unlock(&domain->s1_lock); ++ return ret; ++} ++ + static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain, + bool enable) + { +@@ -4898,6 +4927,12 @@ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain, + if (ret) + goto err_unwind; + ++ if (dmar_domain->nested_parent) { ++ ret = parent_domain_set_dirty_tracking(dmar_domain, enable); ++ if (ret) ++ goto err_unwind; ++ } ++ + dmar_domain->dirty_tracking = enable; + out_unlock: + spin_unlock(&dmar_domain->lock); +-- +2.43.0 + diff --git a/queue-6.7/iommu-vt-d-remove-domain-parameter-for-intel_pasid_s.patch b/queue-6.7/iommu-vt-d-remove-domain-parameter-for-intel_pasid_s.patch new file mode 100644 index 00000000000..92fee4b6bc3 --- /dev/null +++ b/queue-6.7/iommu-vt-d-remove-domain-parameter-for-intel_pasid_s.patch @@ -0,0 +1,91 @@ +From f6504fa1c4a4f5afcdf5464aa587037d572d1da6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 19:15:57 +0800 +Subject: iommu/vt-d: Remove domain parameter for + intel_pasid_setup_dirty_tracking() + +From: Yi Liu + +[ Upstream commit 56ecaf6c5834ace14941d7f13dceb48bc3327111 ] + +The only usage of input @domain is to get the domain id (DID) to flush +cache after setting dirty tracking. However, DID can be obtained from +the pasid entry. So no need to pass in domain. This can make this helper +cleaner when adding the missing dirty tracking for the parent domain, +which needs to use the DID of nested domain. 
+ +Signed-off-by: Yi Liu +Reviewed-by: Joao Martins +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20240208082307.15759-7-yi.l.liu@intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Stable-dep-of: f1e1610950ea ("iommu/vt-d: Add missing dirty tracking set for parent domain") +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 7 +++---- + drivers/iommu/intel/pasid.c | 3 +-- + drivers/iommu/intel/pasid.h | 1 - + 3 files changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index 9f7954c4c26f8..88f9b4ffd5774 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -4877,8 +4877,7 @@ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain, + goto out_unlock; + + list_for_each_entry(info, &dmar_domain->devices, link) { +- ret = intel_pasid_setup_dirty_tracking(info->iommu, +- info->domain, info->dev, ++ ret = intel_pasid_setup_dirty_tracking(info->iommu, info->dev, + IOMMU_NO_PASID, enable); + if (ret) + goto err_unwind; +@@ -4892,8 +4891,8 @@ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain, + + err_unwind: + list_for_each_entry(info, &dmar_domain->devices, link) +- intel_pasid_setup_dirty_tracking(info->iommu, dmar_domain, +- info->dev, IOMMU_NO_PASID, ++ intel_pasid_setup_dirty_tracking(info->iommu, info->dev, ++ IOMMU_NO_PASID, + dmar_domain->dirty_tracking); + spin_unlock(&dmar_domain->lock); + return ret; +diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c +index 74e8e4c17e814..9f8f389ff255c 100644 +--- a/drivers/iommu/intel/pasid.c ++++ b/drivers/iommu/intel/pasid.c +@@ -695,7 +695,6 @@ int intel_pasid_setup_second_level(struct intel_iommu *iommu, + * Set up dirty tracking on a second only or nested translation type. 
+ */ + int intel_pasid_setup_dirty_tracking(struct intel_iommu *iommu, +- struct dmar_domain *domain, + struct device *dev, u32 pasid, + bool enabled) + { +@@ -712,7 +711,7 @@ int intel_pasid_setup_dirty_tracking(struct intel_iommu *iommu, + return -ENODEV; + } + +- did = domain_id_iommu(domain, iommu); ++ did = pasid_get_domain_id(pte); + pgtt = pasid_pte_get_pgtt(pte); + if (pgtt != PASID_ENTRY_PGTT_SL_ONLY && + pgtt != PASID_ENTRY_PGTT_NESTED) { +diff --git a/drivers/iommu/intel/pasid.h b/drivers/iommu/intel/pasid.h +index dd37611175cc1..3568adca1fd82 100644 +--- a/drivers/iommu/intel/pasid.h ++++ b/drivers/iommu/intel/pasid.h +@@ -107,7 +107,6 @@ int intel_pasid_setup_second_level(struct intel_iommu *iommu, + struct dmar_domain *domain, + struct device *dev, u32 pasid); + int intel_pasid_setup_dirty_tracking(struct intel_iommu *iommu, +- struct dmar_domain *domain, + struct device *dev, u32 pasid, + bool enabled); + int intel_pasid_setup_pass_through(struct intel_iommu *iommu, +-- +2.43.0 + diff --git a/queue-6.7/iommu-vt-d-set-ssade-when-attaching-to-a-parent-with.patch b/queue-6.7/iommu-vt-d-set-ssade-when-attaching-to-a-parent-with.patch new file mode 100644 index 00000000000..8cd25374be5 --- /dev/null +++ b/queue-6.7/iommu-vt-d-set-ssade-when-attaching-to-a-parent-with.patch @@ -0,0 +1,40 @@ +From 859b57e27effd53ed488091a7856f7a715eeecb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 19:16:00 +0800 +Subject: iommu/vt-d: Set SSADE when attaching to a parent with dirty tracking + +From: Yi Liu + +[ Upstream commit 1f0198fce68340e0da2d438f4ea9fc20d2c958da ] + +Should set the SSADE (Second Stage Access/Dirty bit Enable) bit of the +pasid entry when attaching a device to a nested domain if its parent +has already enabled dirty tracking. + +Fixes: 111bf85c68f6 ("iommu/vt-d: Add helper to setup pasid nested translation") +Signed-off-by: Yi Liu +Reviewed-by: Joao Martins +Link: https://lore.kernel.org/r/20240208091414.28133-1-yi.l.liu@intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/pasid.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c +index 9f8f389ff255c..6e102cbbde845 100644 +--- a/drivers/iommu/intel/pasid.c ++++ b/drivers/iommu/intel/pasid.c +@@ -925,6 +925,8 @@ int intel_pasid_setup_nested(struct intel_iommu *iommu, struct device *dev, + pasid_set_domain_id(pte, did); + pasid_set_address_width(pte, s2_domain->agaw); + pasid_set_page_snoop(pte, !!ecap_smpwc(iommu->ecap)); ++ if (s2_domain->dirty_tracking) ++ pasid_set_ssade(pte); + pasid_set_translation_type(pte, PASID_ENTRY_PGTT_NESTED); + pasid_set_present(pte); + spin_unlock(&iommu->lock); +-- +2.43.0 + diff --git a/queue-6.7/iommu-vt-d-track-nested-domains-in-parent.patch b/queue-6.7/iommu-vt-d-track-nested-domains-in-parent.patch new file mode 100644 index 00000000000..d2fb2c219fd --- /dev/null +++ b/queue-6.7/iommu-vt-d-track-nested-domains-in-parent.patch @@ -0,0 +1,136 @@ +From f4e3636c865c8166ae9c63998258e7179abc8de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 19:15:52 +0800 +Subject: iommu/vt-d: Track nested domains in parent + +From: Yi Liu + +[ Upstream commit 85ce8e1d6d73e8d54cb244d10dd4021771231746 ] + +Today the parent domain (s2_domain) is unaware of which DID's are +used by and which devices are attached to nested domains (s1_domain) +nested on it. 
This leads to a problem that some operations (flush +iotlb/devtlb and enable dirty tracking) on parent domain only apply to +DID's and devices directly tracked in the parent domain hence are +incomplete. + +This tracks the nested domains in list in parent domain. With this, +operations on parent domain can loop the nested domains and refer to +the devices and iommu_array to ensure the operations on parent domain +take effect on all the affected devices and iommus. + +Signed-off-by: Yi Liu +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20240208082307.15759-2-yi.l.liu@intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Stable-dep-of: f1e1610950ea ("iommu/vt-d: Add missing dirty tracking set for parent domain") +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 18 ++++++++++++++---- + drivers/iommu/intel/iommu.h | 6 ++++++ + drivers/iommu/intel/nested.c | 12 +++++++++++- + 3 files changed, 31 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index 0cc6e08e12c13..9f7954c4c26f8 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -4069,6 +4069,7 @@ intel_iommu_domain_alloc_user(struct device *dev, u32 flags, + bool dirty_tracking = flags & IOMMU_HWPT_ALLOC_DIRTY_TRACKING; + bool nested_parent = flags & IOMMU_HWPT_ALLOC_NEST_PARENT; + struct intel_iommu *iommu = info->iommu; ++ struct dmar_domain *dmar_domain; + struct iommu_domain *domain; + + /* Must be NESTING domain */ +@@ -4094,11 +4095,16 @@ intel_iommu_domain_alloc_user(struct device *dev, u32 flags, + if (!domain) + return ERR_PTR(-ENOMEM); + +- if (nested_parent) +- to_dmar_domain(domain)->nested_parent = true; ++ dmar_domain = to_dmar_domain(domain); ++ ++ if (nested_parent) { ++ dmar_domain->nested_parent = true; ++ INIT_LIST_HEAD(&dmar_domain->s1_domains); ++ spin_lock_init(&dmar_domain->s1_lock); ++ } + + if (dirty_tracking) { +- if (to_dmar_domain(domain)->use_first_level) { ++ if (dmar_domain->use_first_level) { + iommu_domain_free(domain); + return ERR_PTR(-EOPNOTSUPP); + } +@@ -4110,8 +4116,12 @@ intel_iommu_domain_alloc_user(struct device *dev, u32 flags, + + static void intel_iommu_domain_free(struct iommu_domain *domain) + { ++ struct dmar_domain *dmar_domain = to_dmar_domain(domain); ++ ++ WARN_ON(dmar_domain->nested_parent && ++ !list_empty(&dmar_domain->s1_domains)); + if (domain != &si_domain->domain) +- domain_exit(to_dmar_domain(domain)); ++ domain_exit(dmar_domain); + } + + int prepare_domain_attach_device(struct iommu_domain *domain, +diff --git a/drivers/iommu/intel/iommu.h b/drivers/iommu/intel/iommu.h +index 70ac2b989127a..efc00d2b4527a 100644 +--- a/drivers/iommu/intel/iommu.h ++++ b/drivers/iommu/intel/iommu.h +@@ -630,6 +630,10 @@ struct dmar_domain { + int agaw; + /* maximum mapped address */ + u64 max_addr; ++ /* Protect the s1_domains list */ ++ spinlock_t s1_lock; ++ /* Track s1_domains nested on this domain */ ++ struct list_head s1_domains; + }; + + /* Nested user domain */ +@@ -640,6 +644,8 @@ struct dmar_domain { + unsigned long s1_pgtbl; + /* page table attributes */ + struct iommu_hwpt_vtd_s1 s1_cfg; ++ /* link to parent domain siblings */ ++ struct list_head s2_link; + }; + }; + +diff --git a/drivers/iommu/intel/nested.c b/drivers/iommu/intel/nested.c +index 694c1c4223f66..92e82b33ea979 100644 +--- a/drivers/iommu/intel/nested.c ++++ b/drivers/iommu/intel/nested.c +@@ -72,7 +72,13 @@ static int intel_nested_attach_dev(struct iommu_domain *domain, + + static void 
intel_nested_domain_free(struct iommu_domain *domain) + { +- kfree(to_dmar_domain(domain)); ++ struct dmar_domain *dmar_domain = to_dmar_domain(domain); ++ struct dmar_domain *s2_domain = dmar_domain->s2_domain; ++ ++ spin_lock(&s2_domain->s1_lock); ++ list_del(&dmar_domain->s2_link); ++ spin_unlock(&s2_domain->s1_lock); ++ kfree(dmar_domain); + } + + static const struct iommu_domain_ops intel_nested_domain_ops = { +@@ -115,5 +121,9 @@ struct iommu_domain *intel_nested_domain_alloc(struct iommu_domain *parent, + spin_lock_init(&domain->lock); + xa_init(&domain->iommu_array); + ++ spin_lock(&s2_domain->s1_lock); ++ list_add(&domain->s2_link, &s2_domain->s1_domains); ++ spin_unlock(&s2_domain->s1_lock); ++ + return &domain->domain; + } +-- +2.43.0 + diff --git a/queue-6.7/iommu-vt-d-update-iotlb-in-nested-domain-attach.patch b/queue-6.7/iommu-vt-d-update-iotlb-in-nested-domain-attach.patch new file mode 100644 index 00000000000..fdbf1725871 --- /dev/null +++ b/queue-6.7/iommu-vt-d-update-iotlb-in-nested-domain-attach.patch @@ -0,0 +1,76 @@ +From d6ef4289f22ae3b783e689a57297e5c25f65c8fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 19:15:55 +0800 +Subject: iommu/vt-d: Update iotlb in nested domain attach + +From: Yi Liu + +[ Upstream commit 29e10487d6df050afeee886b7c1da208f389cb5b ] + +Should call domain_update_iotlb() to update the has_iotlb_device flag +of the domain after attaching device to nested domain. Without it, this +flag is not set properly and would result in missing device TLB flush. + +Fixes: 9838f2bb6b6b ("iommu/vt-d: Set the nested domain to a device") +Signed-off-by: Yi Liu +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20240208082307.15759-5-yi.l.liu@intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 4 +--- + drivers/iommu/intel/iommu.h | 1 + + drivers/iommu/intel/nested.c | 2 ++ + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index 897159dba47de..0cc6e08e12c13 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -540,8 +540,6 @@ static int domain_update_device_node(struct dmar_domain *domain) + return nid; + } + +-static void domain_update_iotlb(struct dmar_domain *domain); +- + /* Return the super pagesize bitmap if supported. 
*/ + static unsigned long domain_super_pgsize_bitmap(struct dmar_domain *domain) + { +@@ -1362,7 +1360,7 @@ domain_lookup_dev_info(struct dmar_domain *domain, + return NULL; + } + +-static void domain_update_iotlb(struct dmar_domain *domain) ++void domain_update_iotlb(struct dmar_domain *domain) + { + struct dev_pasid_info *dev_pasid; + struct device_domain_info *info; +diff --git a/drivers/iommu/intel/iommu.h b/drivers/iommu/intel/iommu.h +index ce030c5b5772a..70ac2b989127a 100644 +--- a/drivers/iommu/intel/iommu.h ++++ b/drivers/iommu/intel/iommu.h +@@ -888,6 +888,7 @@ int qi_submit_sync(struct intel_iommu *iommu, struct qi_desc *desc, + */ + #define QI_OPT_WAIT_DRAIN BIT(0) + ++void domain_update_iotlb(struct dmar_domain *domain); + int domain_attach_iommu(struct dmar_domain *domain, struct intel_iommu *iommu); + void domain_detach_iommu(struct dmar_domain *domain, struct intel_iommu *iommu); + void device_block_translation(struct device *dev); +diff --git a/drivers/iommu/intel/nested.c b/drivers/iommu/intel/nested.c +index b5a5563ab32c6..694c1c4223f66 100644 +--- a/drivers/iommu/intel/nested.c ++++ b/drivers/iommu/intel/nested.c +@@ -65,6 +65,8 @@ static int intel_nested_attach_dev(struct iommu_domain *domain, + list_add(&info->link, &dmar_domain->devices); + spin_unlock_irqrestore(&dmar_domain->lock, flags); + ++ domain_update_iotlb(dmar_domain); ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.7/iommu-vt-d-wrap-the-dirty-tracking-loop-to-be-a-help.patch b/queue-6.7/iommu-vt-d-wrap-the-dirty-tracking-loop-to-be-a-help.patch new file mode 100644 index 00000000000..f669fc0617d --- /dev/null +++ b/queue-6.7/iommu-vt-d-wrap-the-dirty-tracking-loop-to-be-a-help.patch @@ -0,0 +1,90 @@ +From 3c57be5954d2f7fee62a5b65ef4aaeac01e0d9b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 19:15:58 +0800 +Subject: iommu/vt-d: Wrap the dirty tracking loop to be a helper + +From: Yi Liu + +[ Upstream commit 0c7f2497b39da44253d7bcf2b41f52b0048859ad ] + +Add device_set_dirty_tracking() to loop all the devices and set the dirty +tracking per the @enable parameter. + +Signed-off-by: Yi Liu +Reviewed-by: Kevin Tian +Reviewed-by: Joao Martins +Link: https://lore.kernel.org/r/20240208082307.15759-8-yi.l.liu@intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Stable-dep-of: f1e1610950ea ("iommu/vt-d: Add missing dirty tracking set for parent domain") +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index 88f9b4ffd5774..e3b3ab506b185 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -4865,23 +4865,38 @@ static void *intel_iommu_hw_info(struct device *dev, u32 *length, u32 *type) + return vtd; + } + ++/* ++ * Set dirty tracking for the device list of a domain. The caller must ++ * hold the domain->lock when calling it. 
++ */ ++static int device_set_dirty_tracking(struct list_head *devices, bool enable) ++{ ++ struct device_domain_info *info; ++ int ret = 0; ++ ++ list_for_each_entry(info, devices, link) { ++ ret = intel_pasid_setup_dirty_tracking(info->iommu, info->dev, ++ IOMMU_NO_PASID, enable); ++ if (ret) ++ break; ++ } ++ ++ return ret; ++} ++ + static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain, + bool enable) + { + struct dmar_domain *dmar_domain = to_dmar_domain(domain); +- struct device_domain_info *info; + int ret; + + spin_lock(&dmar_domain->lock); + if (dmar_domain->dirty_tracking == enable) + goto out_unlock; + +- list_for_each_entry(info, &dmar_domain->devices, link) { +- ret = intel_pasid_setup_dirty_tracking(info->iommu, info->dev, +- IOMMU_NO_PASID, enable); +- if (ret) +- goto err_unwind; +- } ++ ret = device_set_dirty_tracking(&dmar_domain->devices, enable); ++ if (ret) ++ goto err_unwind; + + dmar_domain->dirty_tracking = enable; + out_unlock: +@@ -4890,10 +4905,8 @@ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain, + return 0; + + err_unwind: +- list_for_each_entry(info, &dmar_domain->devices, link) +- intel_pasid_setup_dirty_tracking(info->iommu, info->dev, +- IOMMU_NO_PASID, +- dmar_domain->dirty_tracking); ++ device_set_dirty_tracking(&dmar_domain->devices, ++ dmar_domain->dirty_tracking); + spin_unlock(&dmar_domain->lock); + return ret; + } +-- +2.43.0 + diff --git a/queue-6.7/iommufd-iova_bitmap-bounds-check-mapped-pages-access.patch b/queue-6.7/iommufd-iova_bitmap-bounds-check-mapped-pages-access.patch new file mode 100644 index 00000000000..43602e65043 --- /dev/null +++ b/queue-6.7/iommufd-iova_bitmap-bounds-check-mapped-pages-access.patch @@ -0,0 +1,55 @@ +From 32290f152fd36f9c87d2647eed124c30a29979b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 13:34:07 +0000 +Subject: iommufd/iova_bitmap: Bounds check mapped::pages access + +From: Joao Martins + +[ Upstream commit a4ab7dedaee0e39b15653c5fd0367e420739f7ef ] + +Dirty IOMMU hugepages reported on a base page page-size granularity can +lead to an attempt to set dirty pages in the bitmap beyond the limits that +are pinned. + +Bounds check the page index of the array we are trying to access is within +the limits before we kmap() and return otherwise. + +While it is also a defensive check, this is also in preparation to defer +setting bits (outside the mapped range) to the next iteration(s) when the +pages become available. 
+ +Fixes: b058ea3ab5af ("vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries") +Link: https://lore.kernel.org/r/20240202133415.23819-2-joao.m.martins@oracle.com +Signed-off-by: Joao Martins +Tested-by: Avihai Horon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommufd/iova_bitmap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c +index 0a92c9eeaf7f5..a3606b4c22292 100644 +--- a/drivers/iommu/iommufd/iova_bitmap.c ++++ b/drivers/iommu/iommufd/iova_bitmap.c +@@ -409,6 +409,7 @@ void iova_bitmap_set(struct iova_bitmap *bitmap, + mapped->pgshift) + mapped->pgoff * BITS_PER_BYTE; + unsigned long last_bit = (((iova + length - 1) - mapped->iova) >> + mapped->pgshift) + mapped->pgoff * BITS_PER_BYTE; ++ unsigned long last_page_idx = mapped->npages - 1; + + do { + unsigned int page_idx = cur_bit / BITS_PER_PAGE; +@@ -417,6 +418,9 @@ void iova_bitmap_set(struct iova_bitmap *bitmap, + last_bit - cur_bit + 1); + void *kaddr; + ++ if (unlikely(page_idx > last_page_idx)) ++ break; ++ + kaddr = kmap_local_page(mapped->pages[page_idx]); + bitmap_set(kaddr, offset, nbits); + kunmap_local(kaddr); +-- +2.43.0 + diff --git a/queue-6.7/iommufd-iova_bitmap-consider-page-offset-for-the-pag.patch b/queue-6.7/iommufd-iova_bitmap-consider-page-offset-for-the-pag.patch new file mode 100644 index 00000000000..f881f555ab1 --- /dev/null +++ b/queue-6.7/iommufd-iova_bitmap-consider-page-offset-for-the-pag.patch @@ -0,0 +1,57 @@ +From cd2de5cd34d4659e3f492efd5644bcb8edfede3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 13:34:15 +0000 +Subject: iommufd/iova_bitmap: Consider page offset for the pages to be pinned + +From: Joao Martins + +[ Upstream commit 4bbcbc6ea2fa379632a24c14cfb47aa603816ac6 ] + +For small bitmaps that aren't PAGE_SIZE aligned *and* that are less than +512 pages in bitmap length, use an extra page to be able to cover the +entire range e.g. [1M..3G] which would be iterated more efficiently in a +single iteration, rather than two. + +Fixes: b058ea3ab5af ("vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries") +Link: https://lore.kernel.org/r/20240202133415.23819-10-joao.m.martins@oracle.com +Signed-off-by: Joao Martins +Tested-by: Avihai Horon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommufd/iova_bitmap.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c +index b370e8ee88665..db8c46bee1559 100644 +--- a/drivers/iommu/iommufd/iova_bitmap.c ++++ b/drivers/iommu/iommufd/iova_bitmap.c +@@ -178,18 +178,19 @@ static int iova_bitmap_get(struct iova_bitmap *bitmap) + bitmap->mapped_base_index) * + sizeof(*bitmap->bitmap), PAGE_SIZE); + +- /* +- * We always cap at max number of 'struct page' a base page can fit. +- * This is, for example, on x86 means 2M of bitmap data max. +- */ +- npages = min(npages, PAGE_SIZE / sizeof(struct page *)); +- + /* + * Bitmap address to be pinned is calculated via pointer arithmetic + * with bitmap u64 word index. + */ + addr = bitmap->bitmap + bitmap->mapped_base_index; + ++ /* ++ * We always cap at max number of 'struct page' a base page can fit. ++ * This is, for example, on x86 means 2M of bitmap data max. 
++ */ ++ npages = min(npages + !!offset_in_page(addr), ++ PAGE_SIZE / sizeof(struct page *)); ++ + ret = pin_user_pages_fast((unsigned long)addr, npages, + FOLL_WRITE, mapped->pages); + if (ret <= 0) +-- +2.43.0 + diff --git a/queue-6.7/iommufd-iova_bitmap-handle-recording-beyond-the-mapp.patch b/queue-6.7/iommufd-iova_bitmap-handle-recording-beyond-the-mapp.patch new file mode 100644 index 00000000000..ca047cd0b0c --- /dev/null +++ b/queue-6.7/iommufd-iova_bitmap-handle-recording-beyond-the-mapp.patch @@ -0,0 +1,115 @@ +From 84c2437c5f8d2a1e1688d757650c70077140699e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 13:34:10 +0000 +Subject: iommufd/iova_bitmap: Handle recording beyond the mapped pages + +From: Joao Martins + +[ Upstream commit 2780025e01e2e1c92f83ee7da91d9727c2e58a3e ] + +IOVA bitmap is a zero-copy scheme of recording dirty bits that iterate the +different bitmap user pages at chunks of a maximum of +PAGE_SIZE/sizeof(struct page*) pages. + +When the iterations are split up into 64G, the end of the range may be +broken up in a way that's aligned with a non base page PTE size. This +leads to only part of the huge page being recorded in the bitmap. Note +that in pratice this is only a problem for IOMMU dirty tracking i.e. when +the backing PTEs are in IOMMU hugepages and the bitmap is in base page +granularity. So far this not something that affects VF dirty trackers +(which reports and records at the same granularity). + +To fix that, if there is a remainder of bits left to set in which the +current IOVA bitmap doesn't cover, make a copy of the bitmap structure and +iterate-and-set the rest of the bits remaining. Finally, when advancing +the iterator, skip all the bits that were set ahead. + +Link: https://lore.kernel.org/r/20240202133415.23819-5-joao.m.martins@oracle.com +Reported-by: Avihai Horon +Fixes: f35f22cc760e ("iommu/vt-d: Access/Dirty bit support for SS domains") +Fixes: 421a511a293f ("iommu/amd: Access/Dirty bit support in IOPTEs") +Signed-off-by: Joao Martins +Tested-by: Avihai Horon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommufd/iova_bitmap.c | 43 +++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c +index 9d42ab51a6bb3..b370e8ee88665 100644 +--- a/drivers/iommu/iommufd/iova_bitmap.c ++++ b/drivers/iommu/iommufd/iova_bitmap.c +@@ -113,6 +113,9 @@ struct iova_bitmap { + + /* length of the IOVA range for the whole bitmap */ + size_t length; ++ ++ /* length of the IOVA range set ahead the pinned pages */ ++ unsigned long set_ahead_length; + }; + + /* +@@ -341,6 +344,32 @@ static bool iova_bitmap_done(struct iova_bitmap *bitmap) + return bitmap->mapped_base_index >= bitmap->mapped_total_index; + } + ++static int iova_bitmap_set_ahead(struct iova_bitmap *bitmap, ++ size_t set_ahead_length) ++{ ++ int ret = 0; ++ ++ while (set_ahead_length > 0 && !iova_bitmap_done(bitmap)) { ++ unsigned long length = iova_bitmap_mapped_length(bitmap); ++ unsigned long iova = iova_bitmap_mapped_iova(bitmap); ++ ++ ret = iova_bitmap_get(bitmap); ++ if (ret) ++ break; ++ ++ length = min(length, set_ahead_length); ++ iova_bitmap_set(bitmap, iova, length); ++ ++ set_ahead_length -= length; ++ bitmap->mapped_base_index += ++ iova_bitmap_offset_to_index(bitmap, length - 1) + 1; ++ iova_bitmap_put(bitmap); ++ } ++ ++ bitmap->set_ahead_length = 0; ++ return ret; ++} ++ + /* + * Advances to the next range, releases the current pinned + 
* pages and pins the next set of bitmap pages. +@@ -357,6 +386,15 @@ static int iova_bitmap_advance(struct iova_bitmap *bitmap) + if (iova_bitmap_done(bitmap)) + return 0; + ++ /* Iterate, set and skip any bits requested for next iteration */ ++ if (bitmap->set_ahead_length) { ++ int ret; ++ ++ ret = iova_bitmap_set_ahead(bitmap, bitmap->set_ahead_length); ++ if (ret) ++ return ret; ++ } ++ + /* When advancing the index we pin the next set of bitmap pages */ + return iova_bitmap_get(bitmap); + } +@@ -426,5 +464,10 @@ void iova_bitmap_set(struct iova_bitmap *bitmap, + kunmap_local(kaddr); + cur_bit += nbits; + } while (cur_bit <= last_bit); ++ ++ if (unlikely(cur_bit <= last_bit)) { ++ bitmap->set_ahead_length = ++ ((last_bit - cur_bit + 1) << bitmap->mapped.pgshift); ++ } + } + EXPORT_SYMBOL_NS_GPL(iova_bitmap_set, IOMMUFD); +-- +2.43.0 + diff --git a/queue-6.7/iommufd-iova_bitmap-switch-iova_bitmap-bitmap-to-an-.patch b/queue-6.7/iommufd-iova_bitmap-switch-iova_bitmap-bitmap-to-an-.patch new file mode 100644 index 00000000000..507cdb7cac3 --- /dev/null +++ b/queue-6.7/iommufd-iova_bitmap-switch-iova_bitmap-bitmap-to-an-.patch @@ -0,0 +1,72 @@ +From 6238cb20d4be81e33b7a303dedff706056c2a033 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 13:34:08 +0000 +Subject: iommufd/iova_bitmap: Switch iova_bitmap::bitmap to an u8 array + +From: Joao Martins + +[ Upstream commit d18411ec305728c6371806c4fb09be07016aad0b ] + +iova_bitmap_mapped_length() don't deal correctly with the small bitmaps +(< 2M bitmaps) when the starting address isn't u64 aligned, leading to +skipping a tiny part of the IOVA range. This is materialized as not +marking data dirty that should otherwise have been. + +Fix that by using a u8 * in the internal state of IOVA bitmap. Most of the +data structures use the type of the bitmap to adjust its indexes, thus +changing the type of the bitmap decreases the granularity of the bitmap +indexes. 
+ +Fixes: b058ea3ab5af ("vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries") +Link: https://lore.kernel.org/r/20240202133415.23819-3-joao.m.martins@oracle.com +Signed-off-by: Joao Martins +Tested-by: Avihai Horon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommufd/iova_bitmap.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c +index a3606b4c22292..9d42ab51a6bb3 100644 +--- a/drivers/iommu/iommufd/iova_bitmap.c ++++ b/drivers/iommu/iommufd/iova_bitmap.c +@@ -100,7 +100,7 @@ struct iova_bitmap { + struct iova_bitmap_map mapped; + + /* userspace address of the bitmap */ +- u64 __user *bitmap; ++ u8 __user *bitmap; + + /* u64 index that @mapped points to */ + unsigned long mapped_base_index; +@@ -162,7 +162,7 @@ static int iova_bitmap_get(struct iova_bitmap *bitmap) + { + struct iova_bitmap_map *mapped = &bitmap->mapped; + unsigned long npages; +- u64 __user *addr; ++ u8 __user *addr; + long ret; + + /* +@@ -247,7 +247,7 @@ struct iova_bitmap *iova_bitmap_alloc(unsigned long iova, size_t length, + + mapped = &bitmap->mapped; + mapped->pgshift = __ffs(page_size); +- bitmap->bitmap = data; ++ bitmap->bitmap = (u8 __user *)data; + bitmap->mapped_total_index = + iova_bitmap_offset_to_index(bitmap, length - 1) + 1; + bitmap->iova = iova; +@@ -304,7 +304,7 @@ static unsigned long iova_bitmap_mapped_remaining(struct iova_bitmap *bitmap) + + remaining = bitmap->mapped_total_index - bitmap->mapped_base_index; + remaining = min_t(unsigned long, remaining, +- bytes / sizeof(*bitmap->bitmap)); ++ DIV_ROUND_UP(bytes, sizeof(*bitmap->bitmap))); + + return remaining; + } +-- +2.43.0 + diff --git a/queue-6.7/iommufd-reject-non-zero-data_type-if-no-data_len-is-.patch b/queue-6.7/iommufd-reject-non-zero-data_type-if-no-data_len-is-.patch new file mode 100644 index 00000000000..4c5419c5d24 --- /dev/null +++ b/queue-6.7/iommufd-reject-non-zero-data_type-if-no-data_len-is-.patch @@ -0,0 +1,40 @@ +From cbab42865ce5eb39aec175e4f101968c31a3c43d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 14:43:54 -0400 +Subject: iommufd: Reject non-zero data_type if no data_len is provided + +From: Jason Gunthorpe + +[ Upstream commit 7adc0c1cfa7732b81bf7bf2ed16ffb99719ceebf ] + +Since the current design doesn't forward the data_type to the driver to +check unless there is a data_len/uptr for a driver specific struct we +should check and ensure that data_type is 0 if data_len is 0. Otherwise +any value is permitted. 
+ +Fixes: bd529dbb661d ("iommufd: Add a nested HW pagetable object") +Link: https://lore.kernel.org/r/0-v1-9b1ea6869554+110c60-iommufd_ck_data_type_jgg@nvidia.com +Reviewed-by: Kevin Tian +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommufd/hw_pagetable.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iommufd/hw_pagetable.c b/drivers/iommu/iommufd/hw_pagetable.c +index cbb5df0a6c32f..6f680959b23ed 100644 +--- a/drivers/iommu/iommufd/hw_pagetable.c ++++ b/drivers/iommu/iommufd/hw_pagetable.c +@@ -261,7 +261,8 @@ int iommufd_hwpt_alloc(struct iommufd_ucmd *ucmd) + + if (cmd->__reserved) + return -EOPNOTSUPP; +- if (cmd->data_type == IOMMU_HWPT_DATA_NONE && cmd->data_len) ++ if ((cmd->data_type == IOMMU_HWPT_DATA_NONE && cmd->data_len) || ++ (cmd->data_type != IOMMU_HWPT_DATA_NONE && !cmd->data_len)) + return -EINVAL; + + idev = iommufd_get_device(ucmd, cmd->dev_id); +-- +2.43.0 + diff --git a/queue-6.7/ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch b/queue-6.7/ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch new file mode 100644 index 00000000000..64d32f4b6ef --- /dev/null +++ b/queue-6.7/ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch @@ -0,0 +1,73 @@ +From d939c5abb26d39765b6746780f0d5b4657a1212f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:21:06 +0000 +Subject: ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid + +From: Eric Dumazet + +[ Upstream commit 081a0e3b0d4c061419d3f4679dec9f68725b17e4 ] + +net->dev_base_seq and ipv4.dev_addr_genid are monotonically increasing. + +If we XOR their values, we could miss to detect if both values +were changed with the same amount. + +Fixes: 0465277f6b3f ("ipv4: provide addr and netconf dump consistency info") +Signed-off-by: Eric Dumazet +Cc: Nicolas Dichtel +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index ca0ff15dc8fa3..bc74f131fe4df 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1825,6 +1825,21 @@ static int in_dev_dump_addr(struct in_device *in_dev, struct sk_buff *skb, + return err; + } + ++/* Combine dev_addr_genid and dev_base_seq to detect changes. ++ */ ++static u32 inet_base_seq(const struct net *net) ++{ ++ u32 res = atomic_read(&net->ipv4.dev_addr_genid) + ++ net->dev_base_seq; ++ ++ /* Must not return 0 (see nl_dump_check_consistent()). ++ * Chose a value far away from 0. 
++ */ ++ if (!res) ++ res = 0x80000000; ++ return res; ++} ++ + static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) + { + const struct nlmsghdr *nlh = cb->nlh; +@@ -1876,8 +1891,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) + idx = 0; + head = &tgt_net->dev_index_head[h]; + rcu_read_lock(); +- cb->seq = atomic_read(&tgt_net->ipv4.dev_addr_genid) ^ +- tgt_net->dev_base_seq; ++ cb->seq = inet_base_seq(tgt_net); + hlist_for_each_entry_rcu(dev, head, index_hlist) { + if (idx < s_idx) + goto cont; +@@ -2278,8 +2292,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb, + idx = 0; + head = &net->dev_index_head[h]; + rcu_read_lock(); +- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^ +- net->dev_base_seq; ++ cb->seq = inet_base_seq(net); + hlist_for_each_entry_rcu(dev, head, index_hlist) { + if (idx < s_idx) + goto cont; +-- +2.43.0 + diff --git a/queue-6.7/ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch b/queue-6.7/ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch new file mode 100644 index 00000000000..88b72a14d12 --- /dev/null +++ b/queue-6.7/ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch @@ -0,0 +1,75 @@ +From df22ef95c5b0bb57c47b7194b51dca212219315f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:21:07 +0000 +Subject: ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid + +From: Eric Dumazet + +[ Upstream commit e898e4cd1aab271ca414f9ac6e08e4c761f6913c ] + +net->dev_base_seq and ipv6.dev_addr_genid are monotonically increasing. + +If we XOR their values, we could miss to detect if both values +were changed with the same amount. + +Fixes: 63998ac24f83 ("ipv6: provide addr and netconf dump consistency info") +Signed-off-by: Eric Dumazet +Cc: Nicolas Dichtel + +Signed-off-by: Eric Dumazet +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 733ace18806c6..5a839c5fb1a5a 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -708,6 +708,22 @@ static int inet6_netconf_get_devconf(struct sk_buff *in_skb, + return err; + } + ++/* Combine dev_addr_genid and dev_base_seq to detect changes. ++ */ ++static u32 inet6_base_seq(const struct net *net) ++{ ++ u32 res = atomic_read(&net->ipv6.dev_addr_genid) + ++ net->dev_base_seq; ++ ++ /* Must not return 0 (see nl_dump_check_consistent()). ++ * Chose a value far away from 0. 
++ */ ++ if (!res) ++ res = 0x80000000; ++ return res; ++} ++ ++ + static int inet6_netconf_dump_devconf(struct sk_buff *skb, + struct netlink_callback *cb) + { +@@ -741,8 +757,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, + idx = 0; + head = &net->dev_index_head[h]; + rcu_read_lock(); +- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^ +- net->dev_base_seq; ++ cb->seq = inet6_base_seq(net); + hlist_for_each_entry_rcu(dev, head, index_hlist) { + if (idx < s_idx) + goto cont; +@@ -5362,7 +5377,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, + } + + rcu_read_lock(); +- cb->seq = atomic_read(&tgt_net->ipv6.dev_addr_genid) ^ tgt_net->dev_base_seq; ++ cb->seq = inet6_base_seq(tgt_net); + for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { + idx = 0; + head = &tgt_net->dev_index_head[h]; +-- +2.43.0 + diff --git a/queue-6.7/ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch b/queue-6.7/ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch new file mode 100644 index 00000000000..cde14c74eb5 --- /dev/null +++ b/queue-6.7/ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch @@ -0,0 +1,74 @@ +From 9f3751bd53ad14e3fc1fd6329957ff376d0e9c0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 23:27:17 +0300 +Subject: ipv6: sr: fix possible use-after-free and null-ptr-deref + +From: Vasiliy Kovalev + +[ Upstream commit 5559cea2d5aa3018a5f00dd2aca3427ba09b386b ] + +The pernet operations structure for the subsystem must be registered +before registering the generic netlink family. + +Fixes: 915d7e5e5930 ("ipv6: sr: add code base for control plane support of SR-IPv6") +Signed-off-by: Vasiliy Kovalev +Link: https://lore.kernel.org/r/20240215202717.29815-1-kovalev@altlinux.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 29346a6eec9ff..35508abd76f43 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -512,22 +512,24 @@ int __init seg6_init(void) + { + int err; + +- err = genl_register_family(&seg6_genl_family); ++ err = register_pernet_subsys(&ip6_segments_ops); + if (err) + goto out; + +- err = register_pernet_subsys(&ip6_segments_ops); ++ err = genl_register_family(&seg6_genl_family); + if (err) +- goto out_unregister_genl; ++ goto out_unregister_pernet; + + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL + err = seg6_iptunnel_init(); + if (err) +- goto out_unregister_pernet; ++ goto out_unregister_genl; + + err = seg6_local_init(); +- if (err) +- goto out_unregister_pernet; ++ if (err) { ++ seg6_iptunnel_exit(); ++ goto out_unregister_genl; ++ } + #endif + + #ifdef CONFIG_IPV6_SEG6_HMAC +@@ -548,11 +550,11 @@ int __init seg6_init(void) + #endif + #endif + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL +-out_unregister_pernet: +- unregister_pernet_subsys(&ip6_segments_ops); +-#endif + out_unregister_genl: + genl_unregister_family(&seg6_genl_family); ++#endif ++out_unregister_pernet: ++ unregister_pernet_subsys(&ip6_segments_ops); + goto out; + } + +-- +2.43.0 + diff --git a/queue-6.7/kvm-ppc-book3s-hv-fix-l2-guest-reboot-failure-due-to.patch b/queue-6.7/kvm-ppc-book3s-hv-fix-l2-guest-reboot-failure-due-to.patch new file mode 100644 index 00000000000..e4f634b973a --- /dev/null +++ b/queue-6.7/kvm-ppc-book3s-hv-fix-l2-guest-reboot-failure-due-to.patch @@ -0,0 +1,162 @@ +From 156173fd9b390e49d44252b872e5adf1e974d2fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 
2024 11:15:26 +0530 +Subject: KVM: PPC: Book3S HV: Fix L2 guest reboot failure due to empty + 'arch_compat' + +From: Amit Machhiwal + +[ Upstream commit 20c8c4dafe93e82441583e93bd68c0d256d7bed4 ] + +Currently, rebooting a pseries nested qemu-kvm guest (L2) results in +below error as L1 qemu sends PVR value 'arch_compat' == 0 via +ppc_set_compat ioctl. This triggers a condition failure in +kvmppc_set_arch_compat() resulting in an EINVAL. + +qemu-system-ppc64: Unable to set CPU compatibility mode in KVM: Invalid +argument + +Also, a value of 0 for arch_compat generally refers the default +compatibility of the host. But, arch_compat, being a Guest Wide Element +in nested API v2, cannot be set to 0 in GSB as PowerVM (L0) expects a +non-zero value. A value of 0 triggers a kernel trap during a reboot and +consequently causes it to fail: + +[ 22.106360] reboot: Restarting system +KVM: unknown exit, hardware reason ffffffffffffffea +NIP 0000000000000100 LR 000000000000fe44 CTR 0000000000000000 XER 0000000020040092 CPU#0 +MSR 0000000000001000 HID0 0000000000000000 HF 6c000000 iidx 3 didx 3 +TB 00000000 00000000 DECR 0 +GPR00 0000000000000000 0000000000000000 c000000002a8c300 000000007fe00000 +GPR04 0000000000000000 0000000000000000 0000000000001002 8000000002803033 +GPR08 000000000a000000 0000000000000000 0000000000000004 000000002fff0000 +GPR12 0000000000000000 c000000002e10000 0000000105639200 0000000000000004 +GPR16 0000000000000000 000000010563a090 0000000000000000 0000000000000000 +GPR20 0000000105639e20 00000001056399c8 00007fffe54abab0 0000000105639288 +GPR24 0000000000000000 0000000000000001 0000000000000001 0000000000000000 +GPR28 0000000000000000 0000000000000000 c000000002b30840 0000000000000000 +CR 00000000 [ - - - - - - - - ] RES 000@ffffffffffffffff + SRR0 0000000000000000 SRR1 0000000000000000 PVR 0000000000800200 VRSAVE 0000000000000000 +SPRG0 0000000000000000 SPRG1 0000000000000000 SPRG2 0000000000000000 SPRG3 0000000000000000 +SPRG4 0000000000000000 SPRG5 0000000000000000 SPRG6 0000000000000000 SPRG7 0000000000000000 +HSRR0 0000000000000000 HSRR1 0000000000000000 + CFAR 0000000000000000 + LPCR 0000000000020400 + PTCR 0000000000000000 DAR 0000000000000000 DSISR 0000000000000000 + + kernel:trap=0xffffffea | pc=0x100 | msr=0x1000 + +This patch updates kvmppc_set_arch_compat() to use the host PVR value if +'compat_pvr' == 0 indicating that qemu doesn't want to enforce any +specific PVR compat mode. + +The relevant part of the code might need a rework if PowerVM implements +a support for `arch_compat == 0` in nestedv2 API. 
+ +Fixes: 19d31c5f1157 ("KVM: PPC: Add support for nestedv2 guests") +Reviewed-by: "Aneesh Kumar K.V (IBM)" +Reviewed-by: Vaibhav Jain +Signed-off-by: Amit Machhiwal +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240207054526.3720087-1-amachhiw@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 26 ++++++++++++++++++++++++-- + arch/powerpc/kvm/book3s_hv_nestedv2.c | 20 ++++++++++++++++++-- + 2 files changed, 42 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 002a7573a5d44..b5c6af0bef81e 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -391,6 +391,24 @@ static void kvmppc_set_pvr_hv(struct kvm_vcpu *vcpu, u32 pvr) + /* Dummy value used in computing PCR value below */ + #define PCR_ARCH_31 (PCR_ARCH_300 << 1) + ++static inline unsigned long map_pcr_to_cap(unsigned long pcr) ++{ ++ unsigned long cap = 0; ++ ++ switch (pcr) { ++ case PCR_ARCH_300: ++ cap = H_GUEST_CAP_POWER9; ++ break; ++ case PCR_ARCH_31: ++ cap = H_GUEST_CAP_POWER10; ++ break; ++ default: ++ break; ++ } ++ ++ return cap; ++} ++ + static int kvmppc_set_arch_compat(struct kvm_vcpu *vcpu, u32 arch_compat) + { + unsigned long host_pcr_bit = 0, guest_pcr_bit = 0, cap = 0; +@@ -424,11 +442,9 @@ static int kvmppc_set_arch_compat(struct kvm_vcpu *vcpu, u32 arch_compat) + break; + case PVR_ARCH_300: + guest_pcr_bit = PCR_ARCH_300; +- cap = H_GUEST_CAP_POWER9; + break; + case PVR_ARCH_31: + guest_pcr_bit = PCR_ARCH_31; +- cap = H_GUEST_CAP_POWER10; + break; + default: + return -EINVAL; +@@ -440,6 +456,12 @@ static int kvmppc_set_arch_compat(struct kvm_vcpu *vcpu, u32 arch_compat) + return -EINVAL; + + if (kvmhv_on_pseries() && kvmhv_is_nestedv2()) { ++ /* ++ * 'arch_compat == 0' would mean the guest should default to ++ * L1's compatibility. In this case, the guest would pick ++ * host's PCR and evaluate the corresponding capabilities. ++ */ ++ cap = map_pcr_to_cap(guest_pcr_bit); + if (!(cap & nested_capabilities)) + return -EINVAL; + } +diff --git a/arch/powerpc/kvm/book3s_hv_nestedv2.c b/arch/powerpc/kvm/book3s_hv_nestedv2.c +index fd3c4f2d94805..f354af7e85114 100644 +--- a/arch/powerpc/kvm/book3s_hv_nestedv2.c ++++ b/arch/powerpc/kvm/book3s_hv_nestedv2.c +@@ -138,6 +138,7 @@ static int gs_msg_ops_vcpu_fill_info(struct kvmppc_gs_buff *gsb, + vector128 v; + int rc, i; + u16 iden; ++ u32 arch_compat = 0; + + vcpu = gsm->data; + +@@ -347,8 +348,23 @@ static int gs_msg_ops_vcpu_fill_info(struct kvmppc_gs_buff *gsb, + break; + } + case KVMPPC_GSID_LOGICAL_PVR: +- rc = kvmppc_gse_put_u32(gsb, iden, +- vcpu->arch.vcore->arch_compat); ++ /* ++ * Though 'arch_compat == 0' would mean the default ++ * compatibility, arch_compat, being a Guest Wide ++ * Element, cannot be filled with a value of 0 in GSB ++ * as this would result into a kernel trap. ++ * Hence, when `arch_compat == 0`, arch_compat should ++ * default to L1's PVR. 
++ */ ++ if (!vcpu->arch.vcore->arch_compat) { ++ if (cpu_has_feature(CPU_FTR_ARCH_31)) ++ arch_compat = PVR_ARCH_31; ++ else if (cpu_has_feature(CPU_FTR_ARCH_300)) ++ arch_compat = PVR_ARCH_300; ++ } else { ++ arch_compat = vcpu->arch.vcore->arch_compat; ++ } ++ rc = kvmppc_gse_put_u32(gsb, iden, arch_compat); + break; + } + +-- +2.43.0 + diff --git a/queue-6.7/net-bcmasp-indicate-mac-is-in-charge-of-phy-pm.patch b/queue-6.7/net-bcmasp-indicate-mac-is-in-charge-of-phy-pm.patch new file mode 100644 index 00000000000..dfe69ff152f --- /dev/null +++ b/queue-6.7/net-bcmasp-indicate-mac-is-in-charge-of-phy-pm.patch @@ -0,0 +1,39 @@ +From 368a6e18a50beac828dfe286a58ed0cea043226c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 10:27:31 -0800 +Subject: net: bcmasp: Indicate MAC is in charge of PHY PM + +From: Florian Fainelli + +[ Upstream commit 5b76d928f8b779a1b19c5842e7cabee4cbb610c3 ] + +Avoid the PHY library call unnecessarily into the suspend/resume +functions by setting phydev->mac_managed_pm to true. The ASP driver +essentially does exactly what mdio_bus_phy_resume() does. + +Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller") +Signed-off-by: Florian Fainelli +Signed-off-by: Justin Chen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c +index 53e5428812552..9cae5a3090000 100644 +--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c ++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c +@@ -1048,6 +1048,9 @@ static int bcmasp_netif_init(struct net_device *dev, bool phy_connect) + netdev_err(dev, "could not attach to PHY\n"); + goto err_phy_disable; + } ++ ++ /* Indicate that the MAC is responsible for PHY PM */ ++ phydev->mac_managed_pm = true; + } else if (!intf->wolopts) { + ret = phy_resume(dev->phydev); + if (ret) +-- +2.43.0 + diff --git a/queue-6.7/net-bcmasp-sanity-check-is-off-by-one.patch b/queue-6.7/net-bcmasp-sanity-check-is-off-by-one.patch new file mode 100644 index 00000000000..ff49d39a8d0 --- /dev/null +++ b/queue-6.7/net-bcmasp-sanity-check-is-off-by-one.patch @@ -0,0 +1,48 @@ +From a4a6207b7a2f076e13624a0807200ff245351933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 10:27:32 -0800 +Subject: net: bcmasp: Sanity check is off by one + +From: Justin Chen + +[ Upstream commit f120e62e37f0af4c4cbe08e5a88ea60a6a17c858 ] + +A sanity check for OOB write is off by one leading to a false positive +when the array is full. + +Fixes: 9b90aca97f6d ("net: ethernet: bcmasp: fix possible OOB write in bcmasp_netfilt_get_all_active()") +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/asp2/bcmasp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c +index 29b04a274d077..80245c65cc904 100644 +--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c ++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c +@@ -535,9 +535,6 @@ int bcmasp_netfilt_get_all_active(struct bcmasp_intf *intf, u32 *rule_locs, + int j = 0, i; + + for (i = 0; i < NUM_NET_FILTERS; i++) { +- if (j == *rule_cnt) +- return -EMSGSIZE; +- + if (!priv->net_filters[i].claimed || + priv->net_filters[i].port != intf->port) + continue; +@@ -547,6 +544,9 @@ int bcmasp_netfilt_get_all_active(struct bcmasp_intf *intf, u32 *rule_locs, + priv->net_filters[i - 1].wake_filter) + continue; + ++ if (j == *rule_cnt) ++ return -EMSGSIZE; ++ + rule_locs[j++] = priv->net_filters[i].fs.location; + } + +-- +2.43.0 + diff --git a/queue-6.7/net-bridge-switchdev-ensure-deferred-event-delivery-.patch b/queue-6.7/net-bridge-switchdev-ensure-deferred-event-delivery-.patch new file mode 100644 index 00000000000..28da335cdc1 --- /dev/null +++ b/queue-6.7/net-bridge-switchdev-ensure-deferred-event-delivery-.patch @@ -0,0 +1,74 @@ +From 661883e4857cea4139c70ad7331c5296bfa5ab38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 22:40:04 +0100 +Subject: net: bridge: switchdev: Ensure deferred event delivery on unoffload + +From: Tobias Waldekranz + +[ Upstream commit f7a70d650b0b6b0134ccba763d672c8439d9f09b ] + +When unoffloading a device, it is important to ensure that all +relevant deferred events are delivered to it before it disassociates +itself from the bridge. + +Before this change, this was true for the normal case when a device +maps 1:1 to a net_bridge_port, i.e. + + br0 + / +swp0 + +When swp0 leaves br0, the call to switchdev_deferred_process() in +del_nbp() makes sure to process any outstanding events while the +device is still associated with the bridge. + +In the case when the association is indirect though, i.e. when the +device is attached to the bridge via an intermediate device, like a +LAG... + + br0 + / + lag0 + / +swp0 + +...then detaching swp0 from lag0 does not cause any net_bridge_port to +be deleted, so there was no guarantee that all events had been +processed before the device disassociated itself from the bridge. + +Fix this by always synchronously processing all deferred events before +signaling completion of unoffloading back to the driver. + +Fixes: 4e51bf44a03a ("net: bridge: move the switchdev object replay helpers to "push" mode") +Signed-off-by: Tobias Waldekranz +Reviewed-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_switchdev.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c +index 6a7cb01f121c7..7b41ee8740cbb 100644 +--- a/net/bridge/br_switchdev.c ++++ b/net/bridge/br_switchdev.c +@@ -804,6 +804,16 @@ static void nbp_switchdev_unsync_objs(struct net_bridge_port *p, + br_switchdev_mdb_replay(br_dev, dev, ctx, false, blocking_nb, NULL); + + br_switchdev_vlan_replay(br_dev, ctx, false, blocking_nb, NULL); ++ ++ /* Make sure that the device leaving this bridge has seen all ++ * relevant events before it is disassociated. In the normal ++ * case, when the device is directly attached to the bridge, ++ * this is covered by del_nbp(). If the association was indirect ++ * however, e.g. 
via a team or bond, and the device is leaving ++ * that intermediate device, then the bridge port remains in ++ * place. ++ */ ++ switchdev_deferred_process(); + } + + /* Let the bridge know that this port is offloaded, so that it can assign a +-- +2.43.0 + diff --git a/queue-6.7/net-bridge-switchdev-skip-mdb-replays-of-deferred-ev.patch b/queue-6.7/net-bridge-switchdev-skip-mdb-replays-of-deferred-ev.patch new file mode 100644 index 00000000000..f808e05f450 --- /dev/null +++ b/queue-6.7/net-bridge-switchdev-skip-mdb-replays-of-deferred-ev.patch @@ -0,0 +1,329 @@ +From a2d0d574ebf76c216ecfedf095598f59b956ea78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 22:40:03 +0100 +Subject: net: bridge: switchdev: Skip MDB replays of deferred events on + offload + +From: Tobias Waldekranz + +[ Upstream commit dc489f86257cab5056e747344f17a164f63bff4b ] + +Before this change, generation of the list of MDB events to replay +would race against the creation of new group memberships, either from +the IGMP/MLD snooping logic or from user configuration. + +While new memberships are immediately visible to walkers of +br->mdb_list, the notification of their existence to switchdev event +subscribers is deferred until a later point in time. So if a replay +list was generated during a time that overlapped with such a window, +it would also contain a replay of the not-yet-delivered event. + +The driver would thus receive two copies of what the bridge internally +considered to be one single event. On destruction of the bridge, only +a single membership deletion event was therefore sent. As a +consequence of this, drivers which reference count memberships (at +least DSA), would be left with orphan groups in their hardware +database when the bridge was destroyed. + +This is only an issue when replaying additions. While deletion events +may still be pending on the deferred queue, they will already have +been removed from br->mdb_list, so no duplicates can be generated in +that scenario. + +To a user this meant that old group memberships, from a bridge in +which a port was previously attached, could be reanimated (in +hardware) when the port joined a new bridge, without the new bridge's +knowledge. + +For example, on an mv88e6xxx system, create a snooping bridge and +immediately add a port to it: + + root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \ + > ip link set dev x3 up master br0 + +And then destroy the bridge: + + root@infix-06-0b-00:~$ ip link del dev br0 + root@infix-06-0b-00:~$ mvls atu + ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a + DEV:0 Marvell 88E6393X + 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . + 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . + ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a + root@infix-06-0b-00:~$ + +The two IPv6 groups remain in the hardware database because the +port (x3) is notified of the host's membership twice: once via the +original event and once via a replay. Since only a single delete +notification is sent, the count remains at 1 when the bridge is +destroyed. + +Then add the same port (or another port belonging to the same hardware +domain) to a new bridge, this time with snooping disabled: + + root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \ + > ip link set dev x3 up master br1 + +All multicast, including the two IPv6 groups from br0, should now be +flooded, according to the policy of br1. 
But instead the old +memberships are still active in the hardware database, causing the +switch to only forward traffic to those groups towards the CPU (port +0). + +Eliminate the race in two steps: + +1. Grab the write-side lock of the MDB while generating the replay + list. + +This prevents new memberships from showing up while we are generating +the replay list. But it leaves the scenario in which a deferred event +was already generated, but not delivered, before we grabbed the +lock. Therefore: + +2. Make sure that no deferred version of a replay event is already + enqueued to the switchdev deferred queue, before adding it to the + replay list, when replaying additions. + +Fixes: 4f2673b3a2b6 ("net: bridge: add helper to replay port and host-joined mdb entries") +Signed-off-by: Tobias Waldekranz +Reviewed-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/switchdev.h | 3 ++ + net/bridge/br_switchdev.c | 74 ++++++++++++++++++++++++--------------- + net/switchdev/switchdev.c | 73 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 122 insertions(+), 28 deletions(-) + +diff --git a/include/net/switchdev.h b/include/net/switchdev.h +index a43062d4c734b..8346b0d29542c 100644 +--- a/include/net/switchdev.h ++++ b/include/net/switchdev.h +@@ -308,6 +308,9 @@ void switchdev_deferred_process(void); + int switchdev_port_attr_set(struct net_device *dev, + const struct switchdev_attr *attr, + struct netlink_ext_ack *extack); ++bool switchdev_port_obj_act_is_deferred(struct net_device *dev, ++ enum switchdev_notifier_type nt, ++ const struct switchdev_obj *obj); + int switchdev_port_obj_add(struct net_device *dev, + const struct switchdev_obj *obj, + struct netlink_ext_ack *extack); +diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c +index ee84e783e1dff..6a7cb01f121c7 100644 +--- a/net/bridge/br_switchdev.c ++++ b/net/bridge/br_switchdev.c +@@ -595,21 +595,40 @@ br_switchdev_mdb_replay_one(struct notifier_block *nb, struct net_device *dev, + } + + static int br_switchdev_mdb_queue_one(struct list_head *mdb_list, ++ struct net_device *dev, ++ unsigned long action, + enum switchdev_obj_id id, + const struct net_bridge_mdb_entry *mp, + struct net_device *orig_dev) + { +- struct switchdev_obj_port_mdb *mdb; ++ struct switchdev_obj_port_mdb mdb = { ++ .obj = { ++ .id = id, ++ .orig_dev = orig_dev, ++ }, ++ }; ++ struct switchdev_obj_port_mdb *pmdb; + +- mdb = kzalloc(sizeof(*mdb), GFP_ATOMIC); +- if (!mdb) +- return -ENOMEM; ++ br_switchdev_mdb_populate(&mdb, mp); + +- mdb->obj.id = id; +- mdb->obj.orig_dev = orig_dev; +- br_switchdev_mdb_populate(mdb, mp); +- list_add_tail(&mdb->obj.list, mdb_list); ++ if (action == SWITCHDEV_PORT_OBJ_ADD && ++ switchdev_port_obj_act_is_deferred(dev, action, &mdb.obj)) { ++ /* This event is already in the deferred queue of ++ * events, so this replay must be elided, lest the ++ * driver receives duplicate events for it. This can ++ * only happen when replaying additions, since ++ * modifications are always immediately visible in ++ * br->mdb_list, whereas actual event delivery may be ++ * delayed. 
++ */ ++ return 0; ++ } ++ ++ pmdb = kmemdup(&mdb, sizeof(mdb), GFP_ATOMIC); ++ if (!pmdb) ++ return -ENOMEM; + ++ list_add_tail(&pmdb->obj.list, mdb_list); + return 0; + } + +@@ -677,51 +696,50 @@ br_switchdev_mdb_replay(struct net_device *br_dev, struct net_device *dev, + if (!br_opt_get(br, BROPT_MULTICAST_ENABLED)) + return 0; + +- /* We cannot walk over br->mdb_list protected just by the rtnl_mutex, +- * because the write-side protection is br->multicast_lock. But we +- * need to emulate the [ blocking ] calling context of a regular +- * switchdev event, so since both br->multicast_lock and RCU read side +- * critical sections are atomic, we have no choice but to pick the RCU +- * read side lock, queue up all our events, leave the critical section +- * and notify switchdev from blocking context. ++ if (adding) ++ action = SWITCHDEV_PORT_OBJ_ADD; ++ else ++ action = SWITCHDEV_PORT_OBJ_DEL; ++ ++ /* br_switchdev_mdb_queue_one() will take care to not queue a ++ * replay of an event that is already pending in the switchdev ++ * deferred queue. In order to safely determine that, there ++ * must be no new deferred MDB notifications enqueued for the ++ * duration of the MDB scan. Therefore, grab the write-side ++ * lock to avoid racing with any concurrent IGMP/MLD snooping. + */ +- rcu_read_lock(); ++ spin_lock_bh(&br->multicast_lock); + +- hlist_for_each_entry_rcu(mp, &br->mdb_list, mdb_node) { ++ hlist_for_each_entry(mp, &br->mdb_list, mdb_node) { + struct net_bridge_port_group __rcu * const *pp; + const struct net_bridge_port_group *p; + + if (mp->host_joined) { +- err = br_switchdev_mdb_queue_one(&mdb_list, ++ err = br_switchdev_mdb_queue_one(&mdb_list, dev, action, + SWITCHDEV_OBJ_ID_HOST_MDB, + mp, br_dev); + if (err) { +- rcu_read_unlock(); ++ spin_unlock_bh(&br->multicast_lock); + goto out_free_mdb; + } + } + +- for (pp = &mp->ports; (p = rcu_dereference(*pp)) != NULL; ++ for (pp = &mp->ports; (p = mlock_dereference(*pp, br)) != NULL; + pp = &p->next) { + if (p->key.port->dev != dev) + continue; + +- err = br_switchdev_mdb_queue_one(&mdb_list, ++ err = br_switchdev_mdb_queue_one(&mdb_list, dev, action, + SWITCHDEV_OBJ_ID_PORT_MDB, + mp, dev); + if (err) { +- rcu_read_unlock(); ++ spin_unlock_bh(&br->multicast_lock); + goto out_free_mdb; + } + } + } + +- rcu_read_unlock(); +- +- if (adding) +- action = SWITCHDEV_PORT_OBJ_ADD; +- else +- action = SWITCHDEV_PORT_OBJ_DEL; ++ spin_unlock_bh(&br->multicast_lock); + + list_for_each_entry(obj, &mdb_list, list) { + err = br_switchdev_mdb_replay_one(nb, dev, +diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c +index 5b045284849e0..c9189a970eec3 100644 +--- a/net/switchdev/switchdev.c ++++ b/net/switchdev/switchdev.c +@@ -19,6 +19,35 @@ + #include + #include + ++static bool switchdev_obj_eq(const struct switchdev_obj *a, ++ const struct switchdev_obj *b) ++{ ++ const struct switchdev_obj_port_vlan *va, *vb; ++ const struct switchdev_obj_port_mdb *ma, *mb; ++ ++ if (a->id != b->id || a->orig_dev != b->orig_dev) ++ return false; ++ ++ switch (a->id) { ++ case SWITCHDEV_OBJ_ID_PORT_VLAN: ++ va = SWITCHDEV_OBJ_PORT_VLAN(a); ++ vb = SWITCHDEV_OBJ_PORT_VLAN(b); ++ return va->flags == vb->flags && ++ va->vid == vb->vid && ++ va->changed == vb->changed; ++ case SWITCHDEV_OBJ_ID_PORT_MDB: ++ case SWITCHDEV_OBJ_ID_HOST_MDB: ++ ma = SWITCHDEV_OBJ_PORT_MDB(a); ++ mb = SWITCHDEV_OBJ_PORT_MDB(b); ++ return ma->vid == mb->vid && ++ ether_addr_equal(ma->addr, mb->addr); ++ default: ++ break; ++ } ++ ++ BUG(); ++} ++ + static 
LIST_HEAD(deferred); + static DEFINE_SPINLOCK(deferred_lock); + +@@ -307,6 +336,50 @@ int switchdev_port_obj_del(struct net_device *dev, + } + EXPORT_SYMBOL_GPL(switchdev_port_obj_del); + ++/** ++ * switchdev_port_obj_act_is_deferred - Is object action pending? ++ * ++ * @dev: port device ++ * @nt: type of action; add or delete ++ * @obj: object to test ++ * ++ * Returns true if a deferred item is pending, which is ++ * equivalent to the action @nt on an object @obj. ++ * ++ * rtnl_lock must be held. ++ */ ++bool switchdev_port_obj_act_is_deferred(struct net_device *dev, ++ enum switchdev_notifier_type nt, ++ const struct switchdev_obj *obj) ++{ ++ struct switchdev_deferred_item *dfitem; ++ bool found = false; ++ ++ ASSERT_RTNL(); ++ ++ spin_lock_bh(&deferred_lock); ++ ++ list_for_each_entry(dfitem, &deferred, list) { ++ if (dfitem->dev != dev) ++ continue; ++ ++ if ((dfitem->func == switchdev_port_obj_add_deferred && ++ nt == SWITCHDEV_PORT_OBJ_ADD) || ++ (dfitem->func == switchdev_port_obj_del_deferred && ++ nt == SWITCHDEV_PORT_OBJ_DEL)) { ++ if (switchdev_obj_eq((const void *)dfitem->data, obj)) { ++ found = true; ++ break; ++ } ++ } ++ } ++ ++ spin_unlock_bh(&deferred_lock); ++ ++ return found; ++} ++EXPORT_SYMBOL_GPL(switchdev_port_obj_act_is_deferred); ++ + static ATOMIC_NOTIFIER_HEAD(switchdev_notif_chain); + static BLOCKING_NOTIFIER_HEAD(switchdev_blocking_notif_chain); + +-- +2.43.0 + diff --git a/queue-6.7/net-ethernet-adi-requires-phylib-support.patch b/queue-6.7/net-ethernet-adi-requires-phylib-support.patch new file mode 100644 index 00000000000..bbb6b26e753 --- /dev/null +++ b/queue-6.7/net-ethernet-adi-requires-phylib-support.patch @@ -0,0 +1,70 @@ +From 83ba69af58fd914e1cc7fc1f65f556088adbe9c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 23:00:50 -0800 +Subject: net: ethernet: adi: requires PHYLIB support + +From: Randy Dunlap + +[ Upstream commit a9f80df4f51440303d063b55bb98720857693821 ] + +This driver uses functions that are supplied by the Kconfig symbol +PHYLIB, so select it to ensure that they are built as needed. 
+ +When CONFIG_ADIN1110=y and CONFIG_PHYLIB=m, there are multiple build +(linker) errors that are resolved by this Kconfig change: + + ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_net_open': + drivers/net/ethernet/adi/adin1110.c:933: undefined reference to `phy_start' + ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_probe_netdevs': + drivers/net/ethernet/adi/adin1110.c:1603: undefined reference to `get_phy_device' + ld: drivers/net/ethernet/adi/adin1110.c:1609: undefined reference to `phy_connect' + ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_disconnect_phy': + drivers/net/ethernet/adi/adin1110.c:1226: undefined reference to `phy_disconnect' + ld: drivers/net/ethernet/adi/adin1110.o: in function `devm_mdiobus_alloc': + include/linux/phy.h:455: undefined reference to `devm_mdiobus_alloc_size' + ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_register_mdiobus': + drivers/net/ethernet/adi/adin1110.c:529: undefined reference to `__devm_mdiobus_register' + ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_net_stop': + drivers/net/ethernet/adi/adin1110.c:958: undefined reference to `phy_stop' + ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_disconnect_phy': + drivers/net/ethernet/adi/adin1110.c:1226: undefined reference to `phy_disconnect' + ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_adjust_link': + drivers/net/ethernet/adi/adin1110.c:1077: undefined reference to `phy_print_status' + ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_ioctl': + drivers/net/ethernet/adi/adin1110.c:790: undefined reference to `phy_do_ioctl' + ld: drivers/net/ethernet/adi/adin1110.o:(.rodata+0xf60): undefined reference to `phy_ethtool_get_link_ksettings' + ld: drivers/net/ethernet/adi/adin1110.o:(.rodata+0xf68): undefined reference to `phy_ethtool_set_link_ksettings' + +Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202402070626.eZsfVHG5-lkp@intel.com/ +Cc: Lennart Franzen +Cc: Alexandru Tachici +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Reviewed-by: Nuno Sa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/adi/Kconfig b/drivers/net/ethernet/adi/Kconfig +index da3bdd3025022..c91b4dcef4ec2 100644 +--- a/drivers/net/ethernet/adi/Kconfig ++++ b/drivers/net/ethernet/adi/Kconfig +@@ -7,6 +7,7 @@ config NET_VENDOR_ADI + bool "Analog Devices devices" + default y + depends on SPI ++ select PHYLIB + help + If you have a network (Ethernet) card belonging to this class, say Y. + +-- +2.43.0 + diff --git a/queue-6.7/net-implement-lockless-setsockopt-so_peek_off.patch b/queue-6.7/net-implement-lockless-setsockopt-so_peek_off.patch new file mode 100644 index 00000000000..d34ede30f88 --- /dev/null +++ b/queue-6.7/net-implement-lockless-setsockopt-so_peek_off.patch @@ -0,0 +1,260 @@ +From 42ad90eb03f1162f3d9dc9d2441eaafb67762bec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 14:12:20 +0000 +Subject: net: implement lockless setsockopt(SO_PEEK_OFF) + +From: Eric Dumazet + +[ Upstream commit 56667da7399eb19af857e30f41bea89aa6fa812c ] + +syzbot reported a lockdep violation [1] involving af_unix +support of SO_PEEK_OFF. 
+ +Since SO_PEEK_OFF is inherently not thread safe (it uses a per-socket +sk_peek_off field), there is really no point to enforce a pointless +thread safety in the kernel. + +After this patch : + +- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock. + +- skb_consume_udp() no longer has to acquire the socket lock. + +- af_unix no longer needs a special version of sk_set_peek_off(), + because it does not lock u->iolock anymore. + +As a followup, we could replace prot->set_peek_off to be a boolean +and avoid an indirect call, since we always use sk_set_peek_off(). + +[1] + +WARNING: possible circular locking dependency detected +6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted + +syz-executor.2/30025 is trying to acquire lock: + ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789 + +but task is already holding lock: + ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline] + ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline] + ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}: + lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 + lock_sock_nested+0x48/0x100 net/core/sock.c:3524 + lock_sock include/net/sock.h:1691 [inline] + __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415 + sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046 + ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801 + ___sys_recvmsg net/socket.c:2845 [inline] + do_recvmmsg+0x474/0xae0 net/socket.c:2939 + __sys_recvmmsg net/socket.c:3018 [inline] + __do_sys_recvmmsg net/socket.c:3041 [inline] + __se_sys_recvmmsg net/socket.c:3034 [inline] + __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034 + do_syscall_64+0xf9/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 + +-> #0 (&u->iolock){+.+.}-{3:3}: + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869 + __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 + __mutex_lock_common kernel/locking/mutex.c:608 [inline] + __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752 + unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789 + sk_setsockopt+0x207e/0x3360 + do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307 + __sys_setsockopt+0x1ad/0x250 net/socket.c:2334 + __do_sys_setsockopt net/socket.c:2343 [inline] + __se_sys_setsockopt net/socket.c:2340 [inline] + __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 + do_syscall_64+0xf9/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(sk_lock-AF_UNIX); + lock(&u->iolock); + lock(sk_lock-AF_UNIX); + lock(&u->iolock); + + *** DEADLOCK *** + +1 lock held by syz-executor.2/30025: + #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline] + #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline] + #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193 + +stack backtrace: +CPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 +Hardware name: Google Google 
Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 + check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187 + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869 + __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 + __mutex_lock_common kernel/locking/mutex.c:608 [inline] + __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752 + unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789 + sk_setsockopt+0x207e/0x3360 + do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307 + __sys_setsockopt+0x1ad/0x250 net/socket.c:2334 + __do_sys_setsockopt net/socket.c:2343 [inline] + __se_sys_setsockopt net/socket.c:2340 [inline] + __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 + do_syscall_64+0xf9/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 +RIP: 0033:0x7f78a1c7dda9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f78a0fde0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 00007f78a1dac050 RCX: 00007f78a1c7dda9 +RDX: 000000000000002a RSI: 0000000000000001 RDI: 0000000000000006 +RBP: 00007f78a1cca47a R08: 0000000000000004 R09: 0000000000000000 +R10: 0000000020000180 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000006e R14: 00007f78a1dac050 R15: 00007ffe5cd81ae8 + +Fixes: 859051dd165e ("bpf: Implement cgroup sockaddr hooks for unix sockets") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Cc: Daan De Meyer +Cc: Kuniyuki Iwashima +Cc: Martin KaFai Lau +Cc: David Ahern +Reviewed-by: Willem de Bruijn +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 23 +++++++++++------------ + net/ipv4/udp.c | 7 +------ + net/unix/af_unix.c | 19 +++---------------- + 3 files changed, 15 insertions(+), 34 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index e5d43a068f8ed..20160865ede9c 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1192,6 +1192,17 @@ int sk_setsockopt(struct sock *sk, int level, int optname, + */ + WRITE_ONCE(sk->sk_txrehash, (u8)val); + return 0; ++ case SO_PEEK_OFF: ++ { ++ int (*set_peek_off)(struct sock *sk, int val); ++ ++ set_peek_off = READ_ONCE(sock->ops)->set_peek_off; ++ if (set_peek_off) ++ ret = set_peek_off(sk, val); ++ else ++ ret = -EOPNOTSUPP; ++ return ret; ++ } + } + + sockopt_lock_sock(sk); +@@ -1434,18 +1445,6 @@ int sk_setsockopt(struct sock *sk, int level, int optname, + sock_valbool_flag(sk, SOCK_WIFI_STATUS, valbool); + break; + +- case SO_PEEK_OFF: +- { +- int (*set_peek_off)(struct sock *sk, int val); +- +- set_peek_off = READ_ONCE(sock->ops)->set_peek_off; +- if (set_peek_off) +- ret = set_peek_off(sk, val); +- else +- ret = -EOPNOTSUPP; +- break; +- } +- + case SO_NOFCS: + sock_valbool_flag(sk, SOCK_NOFCS, valbool); + break; +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index f631b0a21af4c..e474b201900f9 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1589,12 +1589,7 @@ int udp_init_sock(struct sock *sk) + + void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len) + { +- if (unlikely(READ_ONCE(sk->sk_peek_off) >= 0)) { +- bool slow = lock_sock_fast(sk); +- +- sk_peek_offset_bwd(sk, len); +- unlock_sock_fast(sk, slow); +- } ++ sk_peek_offset_bwd(sk, len); + + if (!skb_unref(skb)) + return; +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 30b178ebba60a..0748e7ea5210e 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -782,19 +782,6 @@ static int unix_seqpacket_sendmsg(struct socket *, struct msghdr *, size_t); + static int unix_seqpacket_recvmsg(struct socket *, struct msghdr *, size_t, + int); + +-static int unix_set_peek_off(struct sock *sk, int val) +-{ +- struct unix_sock *u = unix_sk(sk); +- +- if (mutex_lock_interruptible(&u->iolock)) +- return -EINTR; +- +- WRITE_ONCE(sk->sk_peek_off, val); +- mutex_unlock(&u->iolock); +- +- return 0; +-} +- + #ifdef CONFIG_PROC_FS + static int unix_count_nr_fds(struct sock *sk) + { +@@ -862,7 +849,7 @@ static const struct proto_ops unix_stream_ops = { + .read_skb = unix_stream_read_skb, + .mmap = sock_no_mmap, + .splice_read = unix_stream_splice_read, +- .set_peek_off = unix_set_peek_off, ++ .set_peek_off = sk_set_peek_off, + .show_fdinfo = unix_show_fdinfo, + }; + +@@ -886,7 +873,7 @@ static const struct proto_ops unix_dgram_ops = { + .read_skb = unix_read_skb, + .recvmsg = unix_dgram_recvmsg, + .mmap = sock_no_mmap, +- .set_peek_off = unix_set_peek_off, ++ .set_peek_off = sk_set_peek_off, + .show_fdinfo = unix_show_fdinfo, + }; + +@@ -909,7 +896,7 @@ static const struct proto_ops unix_seqpacket_ops = { + .sendmsg = unix_seqpacket_sendmsg, + .recvmsg = unix_seqpacket_recvmsg, + .mmap = sock_no_mmap, +- .set_peek_off = unix_set_peek_off, ++ .set_peek_off = sk_set_peek_off, + .show_fdinfo = unix_show_fdinfo, + }; + +-- +2.43.0 + diff --git a/queue-6.7/net-ipa-don-t-overrun-ipa-suspend-interrupt-register.patch b/queue-6.7/net-ipa-don-t-overrun-ipa-suspend-interrupt-register.patch new file mode 100644 index 00000000000..444b7f07001 --- /dev/null +++ b/queue-6.7/net-ipa-don-t-overrun-ipa-suspend-interrupt-register.patch @@ -0,0 +1,53 @@ +From 
05ea4658bc7b0ebb9b1237012b1632c65be035ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 08:40:15 -0600 +Subject: net: ipa: don't overrun IPA suspend interrupt registers + +From: Alex Elder + +[ Upstream commit d80f8e96d47d7374794a30fbed69be43f3388afc ] + +In newer hardware, IPA supports more than 32 endpoints. Some +registers--such as IPA interrupt registers--represent endpoints +as bits in a 4-byte register, and such registers are repeated as +needed to represent endpoints beyond the first 32. + +In ipa_interrupt_suspend_clear_all(), we clear all pending IPA +suspend interrupts by reading all status register(s) and writing +corresponding registers to clear interrupt conditions. + +Unfortunately the number of registers to read/write is calculated +incorrectly, and as a result we access *many* more registers than +intended. This bug occurs only when the IPA hardware signals a +SUSPEND interrupt, which happens when a packet is received for an +endpoint (or its underlying GSI channel) that is suspended. This +situation is difficult to reproduce, but possible. + +Fix this by correctly computing the number of interrupt registers to +read and write. This is the only place in the code where registers +that map endpoints or channels this way perform this calculation. + +Fixes: f298ba785e2d ("net: ipa: add a parameter to suspend registers") +Signed-off-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/ipa_interrupt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ipa/ipa_interrupt.c b/drivers/net/ipa/ipa_interrupt.c +index 4bc05948f772d..a78c692f2d3c5 100644 +--- a/drivers/net/ipa/ipa_interrupt.c ++++ b/drivers/net/ipa/ipa_interrupt.c +@@ -212,7 +212,7 @@ void ipa_interrupt_suspend_clear_all(struct ipa_interrupt *interrupt) + u32 unit_count; + u32 unit; + +- unit_count = roundup(ipa->endpoint_count, 32); ++ unit_count = DIV_ROUND_UP(ipa->endpoint_count, 32); + for (unit = 0; unit < unit_count; unit++) { + const struct reg *reg; + u32 val; +-- +2.43.0 + diff --git a/queue-6.7/net-mctp-put-sock-on-tag-allocation-failure.patch b/queue-6.7/net-mctp-put-sock-on-tag-allocation-failure.patch new file mode 100644 index 00000000000..135f9bf8d09 --- /dev/null +++ b/queue-6.7/net-mctp-put-sock-on-tag-allocation-failure.patch @@ -0,0 +1,42 @@ +From cedb0e21da2523baa16a7bed45df9e611f82464b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 15:53:08 +0800 +Subject: net: mctp: put sock on tag allocation failure + +From: Jeremy Kerr + +[ Upstream commit 9990889be14288d4f1743e4768222d5032a79c27 ] + +We may hold an extra reference on a socket if a tag allocation fails: we +optimistically allocate the sk_key, and take a ref there, but do not +drop if we end up not using the allocated key. + +Ensure we're dropping the sock on this failure by doing a proper unref +rather than directly kfree()ing. 
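The bug class, as a rough sketch (hypothetical simplified types, not the mctp code): an object that pins a reference on something else has to be disposed of through its unref/put helper, because a bare kfree() leaks the pinned reference:

    struct tag_key {
        struct sock *sk;        /* counted hold taken when the key is allocated */
        refcount_t refs;
    };

    static void tag_key_unref(struct tag_key *key)
    {
        if (!refcount_dec_and_test(&key->refs))
            return;
        sock_put(key->sk);      /* drop the hold on the socket ... */
        kfree(key);             /* ... and only then free the key itself */
    }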
+ +Fixes: de8a6b15d965 ("net: mctp: add an explicit reference from a mctp_sk_key to sock") +Signed-off-by: Jeremy Kerr +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ce9b61e44d1cdae7797be0c5e3141baf582d23a0.1707983487.git.jk@codeconstruct.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 7a47a58aa54b4..6218dcd07e184 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -663,7 +663,7 @@ struct mctp_sk_key *mctp_alloc_local_tag(struct mctp_sock *msk, + spin_unlock_irqrestore(&mns->keys_lock, flags); + + if (!tagbits) { +- kfree(key); ++ mctp_key_unref(key); + return ERR_PTR(-EBUSY); + } + +-- +2.43.0 + diff --git a/queue-6.7/net-phy-realtek-fix-rtl8211f_config_init-for-rtl8211.patch b/queue-6.7/net-phy-realtek-fix-rtl8211f_config_init-for-rtl8211.patch new file mode 100644 index 00000000000..0b660cbde6a --- /dev/null +++ b/queue-6.7/net-phy-realtek-fix-rtl8211f_config_init-for-rtl8211.patch @@ -0,0 +1,57 @@ +From 6c2d0f250d435ecd7ea1dcd8cb1bacf7b41e3fe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 12:30:07 +0530 +Subject: net: phy: realtek: Fix rtl8211f_config_init() for + RTL8211F(D)(I)-VD-CG PHY + +From: Siddharth Vadapalli + +[ Upstream commit 3489182b11d35f1944c1245fc9c4867cf622c50f ] + +Commit bb726b753f75 ("net: phy: realtek: add support for +RTL8211F(D)(I)-VD-CG") extended support of the driver from the existing +support for RTL8211F(D)(I)-CG PHY to the newer RTL8211F(D)(I)-VD-CG PHY. + +While that commit indicated that the RTL8211F_PHYCR2 register is not +supported by the "VD-CG" PHY model and therefore updated the corresponding +section in rtl8211f_config_init() to be invoked conditionally, the call to +"genphy_soft_reset()" was left as-is, when it should have also been invoked +conditionally. This is because the call to "genphy_soft_reset()" was first +introduced by the commit 0a4355c2b7f8 ("net: phy: realtek: add dt property +to disable CLKOUT clock") since the RTL8211F guide indicates that a PHY +reset should be issued after setting bits in the PHYCR2 register. + +As the PHYCR2 register is not applicable to the "VD-CG" PHY model, fix the +rtl8211f_config_init() function by invoking "genphy_soft_reset()" +conditionally based on the presence of the "PHYCR2" register. 
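The resulting shape of rtl8211f_config_init(), roughly (schematic sketch; the guard stands for "this variant has a PHYCR2 register"):

    if (has_phycr2) {
        /* ... program PHYCR2 (CLKOUT etc.) ... */
        /* the RTL8211F documentation asks for a PHY reset after PHYCR2 writes */
        return genphy_soft_reset(phydev);
    }

    /* RTL8211F(D)(I)-VD-CG: no PHYCR2, so no soft reset is needed either */
    return 0;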
+ +Fixes: bb726b753f75 ("net: phy: realtek: add support for RTL8211F(D)(I)-VD-CG") +Signed-off-by: Siddharth Vadapalli +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240220070007.968762-1-s-vadapalli@ti.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/realtek.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c +index 894172a3e15fe..337899c69738e 100644 +--- a/drivers/net/phy/realtek.c ++++ b/drivers/net/phy/realtek.c +@@ -421,9 +421,11 @@ static int rtl8211f_config_init(struct phy_device *phydev) + ERR_PTR(ret)); + return ret; + } ++ ++ return genphy_soft_reset(phydev); + } + +- return genphy_soft_reset(phydev); ++ return 0; + } + + static int rtl821x_suspend(struct phy_device *phydev) +-- +2.43.0 + diff --git a/queue-6.7/net-sched-act_mirred-create-function-tcf_mirred_to_d.patch b/queue-6.7/net-sched-act_mirred-create-function-tcf_mirred_to_d.patch new file mode 100644 index 00000000000..177e7e57bae --- /dev/null +++ b/queue-6.7/net-sched-act_mirred-create-function-tcf_mirred_to_d.patch @@ -0,0 +1,219 @@ +From 61f1fabf3da9a628f280eae5acf09952d8a3a0b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 15:16:21 -0300 +Subject: net/sched: act_mirred: Create function tcf_mirred_to_dev and improve + readability + +From: Victor Nogueira + +[ Upstream commit 16085e48cb48aeb50a1178dc276747749910b0f2 ] + +As a preparation for adding block ID to mirred, separate the part of +mirred that redirect/mirrors to a dev into a specific function so that it +can be called by blockcast for each dev. + +Also improve readability. Eg. rename use_reinsert to dont_clone and skb2 +to skb_to_send. + +Co-developed-by: Jamal Hadi Salim +Signed-off-by: Jamal Hadi Salim +Co-developed-by: Pedro Tammela +Signed-off-by: Pedro Tammela +Signed-off-by: Victor Nogueira +Signed-off-by: David S. 
Miller +Stable-dep-of: 52f671db1882 ("net/sched: act_mirred: use the backlog for mirred ingress") +Signed-off-by: Sasha Levin +--- + net/sched/act_mirred.c | 129 +++++++++++++++++++++++------------------ + 1 file changed, 72 insertions(+), 57 deletions(-) + +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index 0a711c184c29b..6f2544c1e3961 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -225,48 +225,26 @@ static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb) + return err; + } + +-TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb, +- const struct tc_action *a, +- struct tcf_result *res) ++static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m, ++ struct net_device *dev, ++ const bool m_mac_header_xmit, int m_eaction, ++ int retval) + { +- struct tcf_mirred *m = to_mirred(a); +- struct sk_buff *skb2 = skb; +- bool m_mac_header_xmit; +- struct net_device *dev; +- unsigned int nest_level; +- int retval, err = 0; +- bool use_reinsert; ++ struct sk_buff *skb_to_send = skb; + bool want_ingress; + bool is_redirect; + bool expects_nh; + bool at_ingress; +- int m_eaction; ++ bool dont_clone; + int mac_len; + bool at_nh; ++ int err; + +- nest_level = __this_cpu_inc_return(mirred_nest_level); +- if (unlikely(nest_level > MIRRED_NEST_LIMIT)) { +- net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n", +- netdev_name(skb->dev)); +- __this_cpu_dec(mirred_nest_level); +- return TC_ACT_SHOT; +- } +- +- tcf_lastuse_update(&m->tcf_tm); +- tcf_action_update_bstats(&m->common, skb); +- +- m_mac_header_xmit = READ_ONCE(m->tcfm_mac_header_xmit); +- m_eaction = READ_ONCE(m->tcfm_eaction); +- retval = READ_ONCE(m->tcf_action); +- dev = rcu_dereference_bh(m->tcfm_dev); +- if (unlikely(!dev)) { +- pr_notice_once("tc mirred: target device is gone\n"); +- goto out; +- } +- ++ is_redirect = tcf_mirred_is_act_redirect(m_eaction); + if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { + net_notice_ratelimited("tc mirred to Houston: device %s is down\n", + dev->name); ++ err = -ENODEV; + goto out; + } + +@@ -274,61 +252,98 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb, + * since we can't easily detect the clsact caller, skip clone only for + * ingress - that covers the TC S/W datapath. + */ +- is_redirect = tcf_mirred_is_act_redirect(m_eaction); + at_ingress = skb_at_tc_ingress(skb); +- use_reinsert = at_ingress && is_redirect && +- tcf_mirred_can_reinsert(retval); +- if (!use_reinsert) { +- skb2 = skb_clone(skb, GFP_ATOMIC); +- if (!skb2) ++ dont_clone = skb_at_tc_ingress(skb) && is_redirect && ++ tcf_mirred_can_reinsert(retval); ++ if (!dont_clone) { ++ skb_to_send = skb_clone(skb, GFP_ATOMIC); ++ if (!skb_to_send) { ++ err = -ENOMEM; + goto out; ++ } + } + + want_ingress = tcf_mirred_act_wants_ingress(m_eaction); + + /* All mirred/redirected skbs should clear previous ct info */ +- nf_reset_ct(skb2); ++ nf_reset_ct(skb_to_send); + if (want_ingress && !at_ingress) /* drop dst for egress -> ingress */ +- skb_dst_drop(skb2); ++ skb_dst_drop(skb_to_send); + + expects_nh = want_ingress || !m_mac_header_xmit; + at_nh = skb->data == skb_network_header(skb); + if (at_nh != expects_nh) { +- mac_len = skb_at_tc_ingress(skb) ? skb->mac_len : ++ mac_len = at_ingress ? 
skb->mac_len : + skb_network_offset(skb); + if (expects_nh) { + /* target device/action expect data at nh */ +- skb_pull_rcsum(skb2, mac_len); ++ skb_pull_rcsum(skb_to_send, mac_len); + } else { + /* target device/action expect data at mac */ +- skb_push_rcsum(skb2, mac_len); ++ skb_push_rcsum(skb_to_send, mac_len); + } + } + +- skb2->skb_iif = skb->dev->ifindex; +- skb2->dev = dev; ++ skb_to_send->skb_iif = skb->dev->ifindex; ++ skb_to_send->dev = dev; + +- /* mirror is always swallowed */ + if (is_redirect) { +- skb_set_redirected(skb2, skb2->tc_at_ingress); +- +- /* let's the caller reinsert the packet, if possible */ +- if (use_reinsert) { +- err = tcf_mirred_forward(want_ingress, skb); +- if (err) +- tcf_action_inc_overlimit_qstats(&m->common); +- __this_cpu_dec(mirred_nest_level); +- return TC_ACT_CONSUMED; +- } ++ if (skb == skb_to_send) ++ retval = TC_ACT_CONSUMED; ++ ++ skb_set_redirected(skb_to_send, skb_to_send->tc_at_ingress); ++ ++ err = tcf_mirred_forward(want_ingress, skb_to_send); ++ } else { ++ err = tcf_mirred_forward(want_ingress, skb_to_send); + } + +- err = tcf_mirred_forward(want_ingress, skb2); + if (err) { + out: + tcf_action_inc_overlimit_qstats(&m->common); +- if (tcf_mirred_is_act_redirect(m_eaction)) ++ if (is_redirect) + retval = TC_ACT_SHOT; + } ++ ++ return retval; ++} ++ ++TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb, ++ const struct tc_action *a, ++ struct tcf_result *res) ++{ ++ struct tcf_mirred *m = to_mirred(a); ++ int retval = READ_ONCE(m->tcf_action); ++ unsigned int nest_level; ++ bool m_mac_header_xmit; ++ struct net_device *dev; ++ int m_eaction; ++ ++ nest_level = __this_cpu_inc_return(mirred_nest_level); ++ if (unlikely(nest_level > MIRRED_NEST_LIMIT)) { ++ net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n", ++ netdev_name(skb->dev)); ++ retval = TC_ACT_SHOT; ++ goto dec_nest_level; ++ } ++ ++ tcf_lastuse_update(&m->tcf_tm); ++ tcf_action_update_bstats(&m->common, skb); ++ ++ dev = rcu_dereference_bh(m->tcfm_dev); ++ if (unlikely(!dev)) { ++ pr_notice_once("tc mirred: target device is gone\n"); ++ tcf_action_inc_overlimit_qstats(&m->common); ++ goto dec_nest_level; ++ } ++ ++ m_mac_header_xmit = READ_ONCE(m->tcfm_mac_header_xmit); ++ m_eaction = READ_ONCE(m->tcfm_eaction); ++ ++ retval = tcf_mirred_to_dev(skb, m, dev, m_mac_header_xmit, m_eaction, ++ retval); ++ ++dec_nest_level: + __this_cpu_dec(mirred_nest_level); + + return retval; +-- +2.43.0 + diff --git a/queue-6.7/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch b/queue-6.7/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch new file mode 100644 index 00000000000..59ece476b21 --- /dev/null +++ b/queue-6.7/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch @@ -0,0 +1,80 @@ +From c25049ea06d33fc66f6dca0cbc49d724bd7d8a81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 06:33:46 -0800 +Subject: net/sched: act_mirred: don't override retval if we already lost the + skb + +From: Jakub Kicinski + +[ Upstream commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 ] + +If we're redirecting the skb, and haven't called tcf_mirred_forward(), +yet, we need to tell the core to drop the skb by setting the retcode +to SHOT. If we have called tcf_mirred_forward(), however, the skb +is out of our hands and returning SHOT will lead to UaF. + +Move the retval override to the error path which actually need it. 
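Structurally, the fix keeps the TC_ACT_SHOT override on the only path where the skb is still ours (annotated sketch of the reworked flow in the hunk below):

    if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev))
        goto err_cant_do;               /* skb has not been handed off yet */
    ...
    err = tcf_mirred_forward(at_ingress, want_ingress, skb_to_send);
    if (err)                            /* skb now belongs to the stack; */
        tcf_action_inc_overlimit_qstats(&m->common);   /* only count the miss */
    return retval;                      /* never rewritten after the hand-off */

    err_cant_do:
    if (is_redirect)
        retval = TC_ACT_SHOT;           /* safe: we still own the skb here */
    tcf_action_inc_overlimit_qstats(&m->common);
    return retval;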
+ +Reviewed-by: Michal Swiatkowski +Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") +Signed-off-by: Jakub Kicinski +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_mirred.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index bab090bb5e80a..674f7ae356ca2 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -240,8 +240,7 @@ static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m, + if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { + net_notice_ratelimited("tc mirred to Houston: device %s is down\n", + dev->name); +- err = -ENODEV; +- goto out; ++ goto err_cant_do; + } + + /* we could easily avoid the clone only if called by ingress and clsact; +@@ -253,10 +252,8 @@ static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m, + tcf_mirred_can_reinsert(retval); + if (!dont_clone) { + skb_to_send = skb_clone(skb, GFP_ATOMIC); +- if (!skb_to_send) { +- err = -ENOMEM; +- goto out; +- } ++ if (!skb_to_send) ++ goto err_cant_do; + } + + want_ingress = tcf_mirred_act_wants_ingress(m_eaction); +@@ -293,15 +290,16 @@ static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m, + } else { + err = tcf_mirred_forward(at_ingress, want_ingress, skb_to_send); + } +- +- if (err) { +-out: ++ if (err) + tcf_action_inc_overlimit_qstats(&m->common); +- if (is_redirect) +- retval = TC_ACT_SHOT; +- } + + return retval; ++ ++err_cant_do: ++ if (is_redirect) ++ retval = TC_ACT_SHOT; ++ tcf_action_inc_overlimit_qstats(&m->common); ++ return retval; + } + + TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb, +-- +2.43.0 + diff --git a/queue-6.7/net-sched-act_mirred-use-the-backlog-for-mirred-ingr.patch b/queue-6.7/net-sched-act_mirred-use-the-backlog-for-mirred-ingr.patch new file mode 100644 index 00000000000..73b9cde64bc --- /dev/null +++ b/queue-6.7/net-sched-act_mirred-use-the-backlog-for-mirred-ingr.patch @@ -0,0 +1,94 @@ +From 16314e5aff1dacad78ce5bbfc8c9eeb0b7adcef6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 06:33:45 -0800 +Subject: net/sched: act_mirred: use the backlog for mirred ingress + +From: Jakub Kicinski + +[ Upstream commit 52f671db18823089a02f07efc04efdb2272ddc17 ] + +The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog +for nested calls to mirred ingress") hangs our testing VMs every 10 or so +runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by +lockdep. + +The problem as previously described by Davide (see Link) is that +if we reverse flow of traffic with the redirect (egress -> ingress) +we may reach the same socket which generated the packet. And we may +still be holding its socket lock. The common solution to such deadlocks +is to put the packet in the Rx backlog, rather than run the Rx path +inline. Do that for all egress -> ingress reversals, not just once +we started to nest mirred calls. + +In the past there was a concern that the backlog indirection will +lead to loss of error reporting / less accurate stats. But the current +workaround does not seem to address the issue. 
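Annotated, the dispatch the patch introduces in tcf_mirred_forward() (same logic as the hunk below):

    if (!want_ingress)
        /* target is egress of the destination device: plain transmit */
        err = tcf_dev_queue_xmit(skb, dev_queue_xmit);
    else if (!at_ingress)
        /* egress -> ingress reversal: queue to the per-CPU backlog so the
         * receive path runs later, outside any socket lock we may still hold */
        err = netif_rx(skb);
    else
        /* ingress -> ingress: running the receive path inline is fine */
        err = netif_receive_skb(skb);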
+ +Fixes: 53592b364001 ("net/sched: act_mirred: Implement ingress actions") +Cc: Marcelo Ricardo Leitner +Suggested-by: Davide Caratti +Link: https://lore.kernel.org/netdev/33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com/ +Signed-off-by: Jakub Kicinski +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_mirred.c | 14 +++++--------- + .../testing/selftests/net/forwarding/tc_actions.sh | 3 --- + 2 files changed, 5 insertions(+), 12 deletions(-) + +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index 6f2544c1e3961..bab090bb5e80a 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -206,18 +206,14 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla, + return err; + } + +-static bool is_mirred_nested(void) +-{ +- return unlikely(__this_cpu_read(mirred_nest_level) > 1); +-} +- +-static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb) ++static int ++tcf_mirred_forward(bool at_ingress, bool want_ingress, struct sk_buff *skb) + { + int err; + + if (!want_ingress) + err = tcf_dev_queue_xmit(skb, dev_queue_xmit); +- else if (is_mirred_nested()) ++ else if (!at_ingress) + err = netif_rx(skb); + else + err = netif_receive_skb(skb); +@@ -293,9 +289,9 @@ static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m, + + skb_set_redirected(skb_to_send, skb_to_send->tc_at_ingress); + +- err = tcf_mirred_forward(want_ingress, skb_to_send); ++ err = tcf_mirred_forward(at_ingress, want_ingress, skb_to_send); + } else { +- err = tcf_mirred_forward(want_ingress, skb_to_send); ++ err = tcf_mirred_forward(at_ingress, want_ingress, skb_to_send); + } + + if (err) { +diff --git a/tools/testing/selftests/net/forwarding/tc_actions.sh b/tools/testing/selftests/net/forwarding/tc_actions.sh +index b0f5e55d2d0b2..5896296365022 100755 +--- a/tools/testing/selftests/net/forwarding/tc_actions.sh ++++ b/tools/testing/selftests/net/forwarding/tc_actions.sh +@@ -235,9 +235,6 @@ mirred_egress_to_ingress_tcp_test() + check_err $? "didn't mirred redirect ICMP" + tc_check_packets "dev $h1 ingress" 102 10 + check_err $? "didn't drop mirred ICMP" +- local overlimits=$(tc_rule_stats_get ${h1} 101 egress .overlimits) +- test ${overlimits} = 10 +- check_err $? "wrong overlimits, expected 10 got ${overlimits}" + + tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower + tc filter del dev $h1 egress protocol ip pref 101 handle 101 flower +-- +2.43.0 + diff --git a/queue-6.7/net-sched-flower-add-lock-protection-when-remove-fil.patch b/queue-6.7/net-sched-flower-add-lock-protection-when-remove-fil.patch new file mode 100644 index 00000000000..d82aee531ce --- /dev/null +++ b/queue-6.7/net-sched-flower-add-lock-protection-when-remove-fil.patch @@ -0,0 +1,45 @@ +From 9cc0421170832125729a880bf13f887deaddf61b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 08:59:28 +0000 +Subject: net/sched: flower: Add lock protection when remove filter handle + +From: Jianbo Liu + +[ Upstream commit 1fde0ca3a0de7e9f917668941156959dd5e9108b ] + +As IDR can't protect itself from the concurrent modification, place +idr_remove() under the protection of tp->lock. 
+ +Fixes: 08a0063df3ae ("net/sched: flower: Move filter handle initialization earlier") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Gal Pressman +Reviewed-by: Jiri Pirko +Acked-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20240220085928.9161-1-jianbol@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index efb9d2811b73d..6ee7064c82fcc 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -2460,8 +2460,11 @@ static int fl_change(struct net *net, struct sk_buff *in_skb, + } + + errout_idr: +- if (!fold) ++ if (!fold) { ++ spin_lock(&tp->lock); + idr_remove(&head->handle_idr, fnew->handle); ++ spin_unlock(&tp->lock); ++ } + __fl_put(fnew); + errout_tb: + kfree(tb); +-- +2.43.0 + diff --git a/queue-6.7/net-sparx5-add-spinlock-for-frame-transmission-from-.patch b/queue-6.7/net-sparx5-add-spinlock-for-frame-transmission-from-.patch new file mode 100644 index 00000000000..dc4d801f8c0 --- /dev/null +++ b/queue-6.7/net-sparx5-add-spinlock-for-frame-transmission-from-.patch @@ -0,0 +1,79 @@ +From 22000c02bda467eb2366d40fa9aeae7b4e40a4b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 09:00:43 +0100 +Subject: net: sparx5: Add spinlock for frame transmission from CPU + +From: Horatiu Vultur + +[ Upstream commit 603ead96582d85903baec2d55f021b8dac5c25d2 ] + +Both registers used when doing manual injection or fdma injection are +shared between all the net devices of the switch. It was noticed that +when having two process which each of them trying to inject frames on +different ethernet ports, that the HW started to behave strange, by +sending out more frames then expected. When doing fdma injection it is +required to set the frame in the DCB and then make sure that the next +pointer of the last DCB is invalid. But because there is no locks for +this, then easily this pointer between the DCB can be broken and then it +would create a loop of DCBs. And that means that the HW will +continuously transmit these frames in a loop. Until the SW will break +this loop. +Therefore to fix this issue, add a spin lock for when accessing the +registers for manual or fdma injection. 
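The critical section added in sparx5_port_xmit_impl(), annotated (same code as the hunk below):

    spin_lock(&sparx5->tx_lock);    /* one injector at a time: the inject
                                     * registers and the FDMA DCB chain are
                                     * per-switch resources, not per-netdev */
    if (sparx5->fdma_irq > 0)
        ret = sparx5_fdma_xmit(sparx5, ifh, skb);
    else
        ret = sparx5_inject(sparx5, ifh, skb, dev);
    spin_unlock(&sparx5->tx_lock);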
+ +Signed-off-by: Horatiu Vultur +Reviewed-by: Daniel Machon +Fixes: f3cad2611a77 ("net: sparx5: add hostmode with phylink support") +Link: https://lore.kernel.org/r/20240219080043.1561014-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_main.c | 1 + + drivers/net/ethernet/microchip/sparx5/sparx5_main.h | 1 + + drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 2 ++ + 3 files changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c +index d1f7fc8b1b71a..3c066b62e6894 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c +@@ -757,6 +757,7 @@ static int mchp_sparx5_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, sparx5); + sparx5->pdev = pdev; + sparx5->dev = &pdev->dev; ++ spin_lock_init(&sparx5->tx_lock); + + /* Do switch core reset if available */ + reset = devm_reset_control_get_optional_shared(&pdev->dev, "switch"); +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h +index 6f565c0c0c3dc..316fed5f27355 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h +@@ -280,6 +280,7 @@ struct sparx5 { + int xtr_irq; + /* Frame DMA */ + int fdma_irq; ++ spinlock_t tx_lock; /* lock for frame transmission */ + struct sparx5_rx rx; + struct sparx5_tx tx; + /* PTP */ +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +index 6db6ac6a3bbc2..ac7e1cffbcecf 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +@@ -244,10 +244,12 @@ netdev_tx_t sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev) + } + + skb_tx_timestamp(skb); ++ spin_lock(&sparx5->tx_lock); + if (sparx5->fdma_irq > 0) + ret = sparx5_fdma_xmit(sparx5, ifh, skb); + else + ret = sparx5_inject(sparx5, ifh, skb, dev); ++ spin_unlock(&sparx5->tx_lock); + + if (ret == -EBUSY) + goto busy; +-- +2.43.0 + diff --git a/queue-6.7/net-stmmac-fix-incorrect-dereference-in-interrupt-ha.patch b/queue-6.7/net-stmmac-fix-incorrect-dereference-in-interrupt-ha.patch new file mode 100644 index 00000000000..bd1c78172ae --- /dev/null +++ b/queue-6.7/net-stmmac-fix-incorrect-dereference-in-interrupt-ha.patch @@ -0,0 +1,84 @@ +From 2500ef08bf679bf20f6991b06d6b9d2b99503917 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 12:27:17 +0300 +Subject: net: stmmac: Fix incorrect dereference in interrupt handlers + +From: Pavel Sakharov + +[ Upstream commit 97dde84026339e4b4af9a6301f825d1828d7874b ] + +If 'dev' or 'data' is NULL, the 'priv' variable has an incorrect address +when dereferencing calling netdev_err(). + +Since we get as 'dev_id' or 'data' what was passed as the 'dev' argument +to request_irq() during interrupt initialization (that is, the net_device +and rx/tx queue pointers initialized at the time of the call) and since +there are usually no checks for the 'dev_id' argument in such handlers +in other drivers, remove these checks from the handlers in stmmac driver. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. 
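For reference, the removed pattern looked like this (sketch): priv is derived from dev before the check, so the error print itself would dereference a bogus pointer, and the check can never fire anyway since dev_id is exactly what was passed to request_irq():

    static irqreturn_t stmmac_mac_interrupt(int irq, void *dev_id)
    {
        struct net_device *dev = (struct net_device *)dev_id;
        struct stmmac_priv *priv = netdev_priv(dev);    /* dev + offset, unchecked */

        if (unlikely(!dev)) {                           /* dead code ... */
            netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__);
            return IRQ_NONE;                            /* ... and bogus if it ever ran */
        }
        ...
    }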
+ +Fixes: 8532f613bc78 ("net: stmmac: introduce MSI Interrupt routines for mac, safety, RX & TX") +Signed-off-by: Pavel Sakharov +Reviewed-by: Serge Semin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 20 ------------------- + 1 file changed, 20 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index ec34768e054da..e9a1b60ebb503 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -5977,11 +5977,6 @@ static irqreturn_t stmmac_mac_interrupt(int irq, void *dev_id) + struct net_device *dev = (struct net_device *)dev_id; + struct stmmac_priv *priv = netdev_priv(dev); + +- if (unlikely(!dev)) { +- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); +- return IRQ_NONE; +- } +- + /* Check if adapter is up */ + if (test_bit(STMMAC_DOWN, &priv->state)) + return IRQ_HANDLED; +@@ -5997,11 +5992,6 @@ static irqreturn_t stmmac_safety_interrupt(int irq, void *dev_id) + struct net_device *dev = (struct net_device *)dev_id; + struct stmmac_priv *priv = netdev_priv(dev); + +- if (unlikely(!dev)) { +- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); +- return IRQ_NONE; +- } +- + /* Check if adapter is up */ + if (test_bit(STMMAC_DOWN, &priv->state)) + return IRQ_HANDLED; +@@ -6023,11 +6013,6 @@ static irqreturn_t stmmac_msi_intr_tx(int irq, void *data) + dma_conf = container_of(tx_q, struct stmmac_dma_conf, tx_queue[chan]); + priv = container_of(dma_conf, struct stmmac_priv, dma_conf); + +- if (unlikely(!data)) { +- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); +- return IRQ_NONE; +- } +- + /* Check if adapter is up */ + if (test_bit(STMMAC_DOWN, &priv->state)) + return IRQ_HANDLED; +@@ -6054,11 +6039,6 @@ static irqreturn_t stmmac_msi_intr_rx(int irq, void *data) + dma_conf = container_of(rx_q, struct stmmac_dma_conf, rx_queue[chan]); + priv = container_of(dma_conf, struct stmmac_priv, dma_conf); + +- if (unlikely(!data)) { +- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); +- return IRQ_NONE; +- } +- + /* Check if adapter is up */ + if (test_bit(STMMAC_DOWN, &priv->state)) + return IRQ_HANDLED; +-- +2.43.0 + diff --git a/queue-6.7/netfilter-nf_tables-register-hooks-last-when-adding-.patch b/queue-6.7/netfilter-nf_tables-register-hooks-last-when-adding-.patch new file mode 100644 index 00000000000..7cbdc6f4b47 --- /dev/null +++ b/queue-6.7/netfilter-nf_tables-register-hooks-last-when-adding-.patch @@ -0,0 +1,191 @@ +From a864779d6628d77e1714750bbfe427b92f88226b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 19:43:53 +0100 +Subject: netfilter: nf_tables: register hooks last when adding new + chain/flowtable + +From: Pablo Neira Ayuso + +[ Upstream commit d472e9853d7b46a6b094224d131d09ccd3a03daf ] + +Register hooks last when adding chain/flowtable to ensure that packets do +not walk over datastructure that is being released in the error path +without waiting for the rcu grace period. 
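The ordering enforced in nf_tables_addchain(), schematically (the flowtable path gets the same treatment):

    err = nft_chain_add(table, chain);              /* link into the table */
    if (err < 0)
        goto err_chain_add;

    /* LAST: only a registered hook lets packets reach the chain, so every
     * earlier failure can unwind immediately, with no RCU grace period. */
    err = nf_tables_register_hook(net, table, chain);
    if (err < 0)
        goto err_register_hook;

    return 0;

    err_register_hook:
    nft_chain_del(chain);
    err_chain_add:
    nft_trans_destroy(trans);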
+ +Fixes: 91c7b38dc9f0 ("netfilter: nf_tables: use new transaction infrastructure to handle chain") +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 78 ++++++++++++++++++----------------- + 1 file changed, 40 insertions(+), 38 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index dc26986fd4b93..6901067d715dc 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -684,15 +684,16 @@ static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) + return err; + } + +-static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, +- struct nft_flowtable *flowtable) ++static struct nft_trans * ++nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, ++ struct nft_flowtable *flowtable) + { + struct nft_trans *trans; + + trans = nft_trans_alloc(ctx, msg_type, + sizeof(struct nft_trans_flowtable)); + if (trans == NULL) +- return -ENOMEM; ++ return ERR_PTR(-ENOMEM); + + if (msg_type == NFT_MSG_NEWFLOWTABLE) + nft_activate_next(ctx->net, flowtable); +@@ -701,22 +702,22 @@ static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, + nft_trans_flowtable(trans) = flowtable; + nft_trans_commit_list_add_tail(ctx->net, trans); + +- return 0; ++ return trans; + } + + static int nft_delflowtable(struct nft_ctx *ctx, + struct nft_flowtable *flowtable) + { +- int err; ++ struct nft_trans *trans; + +- err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); +- if (err < 0) +- return err; ++ trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); ++ if (IS_ERR(trans)) ++ return PTR_ERR(trans); + + nft_deactivate_next(ctx->net, flowtable); + nft_use_dec(&ctx->table->use); + +- return err; ++ return 0; + } + + static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg) +@@ -2504,19 +2505,15 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, + RCU_INIT_POINTER(chain->blob_gen_0, blob); + RCU_INIT_POINTER(chain->blob_gen_1, blob); + +- err = nf_tables_register_hook(net, table, chain); +- if (err < 0) +- goto err_destroy_chain; +- + if (!nft_use_inc(&table->use)) { + err = -EMFILE; +- goto err_use; ++ goto err_destroy_chain; + } + + trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); + if (IS_ERR(trans)) { + err = PTR_ERR(trans); +- goto err_unregister_hook; ++ goto err_trans; + } + + nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; +@@ -2524,17 +2521,22 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, + nft_trans_chain_policy(trans) = policy; + + err = nft_chain_add(table, chain); +- if (err < 0) { +- nft_trans_destroy(trans); +- goto err_unregister_hook; +- } ++ if (err < 0) ++ goto err_chain_add; ++ ++ /* This must be LAST to ensure no packets are walking over this chain. 
*/ ++ err = nf_tables_register_hook(net, table, chain); ++ if (err < 0) ++ goto err_register_hook; + + return 0; + +-err_unregister_hook: ++err_register_hook: ++ nft_chain_del(chain); ++err_chain_add: ++ nft_trans_destroy(trans); ++err_trans: + nft_use_dec_restore(&table->use); +-err_use: +- nf_tables_unregister_hook(net, table, chain); + err_destroy_chain: + nf_tables_chain_destroy(ctx); + +@@ -8373,9 +8375,9 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + u8 family = info->nfmsg->nfgen_family; + const struct nf_flowtable_type *type; + struct nft_flowtable *flowtable; +- struct nft_hook *hook, *next; + struct net *net = info->net; + struct nft_table *table; ++ struct nft_trans *trans; + struct nft_ctx ctx; + int err; + +@@ -8455,34 +8457,34 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable, + extack, true); + if (err < 0) +- goto err4; ++ goto err_flowtable_parse_hooks; + + list_splice(&flowtable_hook.list, &flowtable->hook_list); + flowtable->data.priority = flowtable_hook.priority; + flowtable->hooknum = flowtable_hook.num; + ++ trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); ++ if (IS_ERR(trans)) { ++ err = PTR_ERR(trans); ++ goto err_flowtable_trans; ++ } ++ ++ /* This must be LAST to ensure no packets are walking over this flowtable. */ + err = nft_register_flowtable_net_hooks(ctx.net, table, + &flowtable->hook_list, + flowtable); +- if (err < 0) { +- nft_hooks_destroy(&flowtable->hook_list); +- goto err4; +- } +- +- err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); + if (err < 0) +- goto err5; ++ goto err_flowtable_hooks; + + list_add_tail_rcu(&flowtable->list, &table->flowtables); + + return 0; +-err5: +- list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { +- nft_unregister_flowtable_hook(net, flowtable, hook); +- list_del_rcu(&hook->list); +- kfree_rcu(hook, rcu); +- } +-err4: ++ ++err_flowtable_hooks: ++ nft_trans_destroy(trans); ++err_flowtable_trans: ++ nft_hooks_destroy(&flowtable->hook_list); ++err_flowtable_parse_hooks: + flowtable->data.type->free(&flowtable->data); + err3: + module_put(type->owner); +-- +2.43.0 + diff --git a/queue-6.7/netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch b/queue-6.7/netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch new file mode 100644 index 00000000000..deede8555e8 --- /dev/null +++ b/queue-6.7/netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch @@ -0,0 +1,42 @@ +From 7b348a99308ca472db2eeca0f59c2b2b4bfa08b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 16:58:04 +0100 +Subject: netfilter: nf_tables: set dormant flag on hook register failure + +From: Florian Westphal + +[ Upstream commit bccebf64701735533c8db37773eeacc6566cc8ec ] + +We need to set the dormant flag again if we fail to register +the hooks. + +During memory pressure hook registration can fail and we end up +with a table marked as active but no registered hooks. + +On table/base chain deletion, nf_tables will attempt to unregister +the hook again which yields a warn splat from the nftables core. 
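In context, the affected branch of nf_tables_updtable() ends up looking roughly like this (sketch, condition shown schematically):

    if (clearing_dormant) {                 /* dormant -> active transition */
        ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
        ret = nf_tables_table_enable(ctx->net, ctx->table);  /* registers hooks */
        if (ret < 0)
            goto err_register_hooks;
    }
    ...
    err_register_hooks:
    ctx->table->flags |= NFT_TABLE_F_DORMANT;   /* the fix: flag matches reality again */
    nft_trans_destroy(trans);
    return ret;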
+ +Reported-and-tested-by: syzbot+de4025c006ec68ac56fc@syzkaller.appspotmail.com +Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 04c5aa4debc74..dc26986fd4b93 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1251,6 +1251,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx) + return 0; + + err_register_hooks: ++ ctx->table->flags |= NFT_TABLE_F_DORMANT; + nft_trans_destroy(trans); + return ret; + } +-- +2.43.0 + diff --git a/queue-6.7/netfilter-nf_tables-use-kzalloc-for-hook-allocation.patch b/queue-6.7/netfilter-nf_tables-use-kzalloc-for-hook-allocation.patch new file mode 100644 index 00000000000..f875db4feda --- /dev/null +++ b/queue-6.7/netfilter-nf_tables-use-kzalloc-for-hook-allocation.patch @@ -0,0 +1,40 @@ +From 72541d30578e7dd5a8085117d2863fed0d05f181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 18:38:45 +0100 +Subject: netfilter: nf_tables: use kzalloc for hook allocation + +From: Florian Westphal + +[ Upstream commit 195e5f88c2e48330ba5483e0bad2de3b3fad484f ] + +KMSAN reports unitialized variable when registering the hook, + reg->hook_ops_type == NF_HOOK_OP_BPF) + ~~~~~~~~~~~ undefined + +This is a small structure, just use kzalloc to make sure this +won't happen again when new fields get added to nf_hook_ops. + +Fixes: 7b4b2fa37587 ("netfilter: annotate nf_tables base hook ops") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 6901067d715dc..79e088e6f103e 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2082,7 +2082,7 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, + struct nft_hook *hook; + int err; + +- hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); ++ hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); + if (!hook) { + err = -ENOMEM; + goto err_hook_alloc; +-- +2.43.0 + diff --git a/queue-6.7/netfilter-nft_flow_offload-release-dst-in-case-direc.patch b/queue-6.7/netfilter-nft_flow_offload-release-dst-in-case-direc.patch new file mode 100644 index 00000000000..3b9d39bf2a0 --- /dev/null +++ b/queue-6.7/netfilter-nft_flow_offload-release-dst-in-case-direc.patch @@ -0,0 +1,61 @@ +From 665b78846a6233c6a37d8adadea733ba06a5dc0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 21:36:39 +0100 +Subject: netfilter: nft_flow_offload: release dst in case direct xmit path is + used + +From: Pablo Neira Ayuso + +[ Upstream commit 8762785f459be1cfe6fcf7285c123aad6a3703f0 ] + +Direct xmit does not use it since it calls dev_queue_xmit() to send +packets, hence it calls dst_release(). + +kmemleak reports: + +unreferenced object 0xffff88814f440900 (size 184): + comm "softirq", pid 0, jiffies 4294951896 + hex dump (first 32 bytes): + 00 60 5b 04 81 88 ff ff 00 e6 e8 82 ff ff ff ff .`[............. + 21 0b 50 82 ff ff ff ff 00 00 00 00 00 00 00 00 !.P............. 
+ backtrace (crc cb2bf5d6): + [<000000003ee17107>] kmem_cache_alloc+0x286/0x340 + [<0000000021a5de2c>] dst_alloc+0x43/0xb0 + [<00000000f0671159>] rt_dst_alloc+0x2e/0x190 + [<00000000fe5092c9>] __mkroute_output+0x244/0x980 + [<000000005fb96fb0>] ip_route_output_flow+0xc0/0x160 + [<0000000045367433>] nf_ip_route+0xf/0x30 + [<0000000085da1d8e>] nf_route+0x2d/0x60 + [<00000000d1ecd1cb>] nft_flow_route+0x171/0x6a0 [nft_flow_offload] + [<00000000d9b2fb60>] nft_flow_offload_eval+0x4e8/0x700 [nft_flow_offload] + [<000000009f447dbb>] expr_call_ops_eval+0x53/0x330 [nf_tables] + [<00000000072e1be6>] nft_do_chain+0x17c/0x840 [nf_tables] + [<00000000d0551029>] nft_do_chain_inet+0xa1/0x210 [nf_tables] + [<0000000097c9d5c6>] nf_hook_slow+0x5b/0x160 + [<0000000005eccab1>] ip_forward+0x8b6/0x9b0 + [<00000000553a269b>] ip_rcv+0x221/0x230 + [<00000000412872e5>] __netif_receive_skb_one_core+0xfe/0x110 + +Fixes: fa502c865666 ("netfilter: flowtable: simplify route logic") +Reported-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 7502d6d73a600..a0571339239c4 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -132,6 +132,7 @@ static int flow_offload_fill_route(struct flow_offload *flow, + ETH_ALEN); + flow_tuple->out.ifidx = route->tuple[dir].out.ifindex; + flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex; ++ dst_release(dst); + break; + case FLOW_OFFLOAD_XMIT_XFRM: + case FLOW_OFFLOAD_XMIT_NEIGH: +-- +2.43.0 + diff --git a/queue-6.7/netfilter-nft_flow_offload-reset-dst-in-route-object.patch b/queue-6.7/netfilter-nft_flow_offload-reset-dst-in-route-object.patch new file mode 100644 index 00000000000..5ea97e346b0 --- /dev/null +++ b/queue-6.7/netfilter-nft_flow_offload-reset-dst-in-route-object.patch @@ -0,0 +1,76 @@ +From a88e54d92d6bfa80551368c8b53167df1be305b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 12:32:58 +0100 +Subject: netfilter: nft_flow_offload: reset dst in route object after setting + up flow + +From: Pablo Neira Ayuso + +[ Upstream commit 9e0f0430389be7696396c62f037be4bf72cf93e3 ] + +dst is transferred to the flow object, route object does not own it +anymore. Reset dst in route object, otherwise if flow_offload_add() +fails, error path releases dst twice, leading to a refcount underflow. 
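The new helper is a plain move operation: fetch the dst and clear it in the route, so exactly one owner is ever responsible for releasing it (sketch matching the hunk below):

    static struct dst_entry *nft_route_dst_fetch(struct nf_flow_route *route,
                                                 enum flow_offload_tuple_dir dir)
    {
        struct dst_entry *dst = route->tuple[dir].dst;

        route->tuple[dir].dst = NULL;       /* the route no longer owns it ... */
        return dst;                         /* ... the flow tuple does from here on */
    }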
+ +Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_flow_table.h | 2 +- + net/netfilter/nf_flow_table_core.c | 16 +++++++++++++--- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h +index 692d5955911c7..4a767b3d20b9d 100644 +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -275,7 +275,7 @@ nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table, + } + + void flow_offload_route_init(struct flow_offload *flow, +- const struct nf_flow_route *route); ++ struct nf_flow_route *route); + + int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow); + void flow_offload_refresh(struct nf_flowtable *flow_table, +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 920a5a29ae1dc..7502d6d73a600 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -87,12 +87,22 @@ static u32 flow_offload_dst_cookie(struct flow_offload_tuple *flow_tuple) + return 0; + } + ++static struct dst_entry *nft_route_dst_fetch(struct nf_flow_route *route, ++ enum flow_offload_tuple_dir dir) ++{ ++ struct dst_entry *dst = route->tuple[dir].dst; ++ ++ route->tuple[dir].dst = NULL; ++ ++ return dst; ++} ++ + static int flow_offload_fill_route(struct flow_offload *flow, +- const struct nf_flow_route *route, ++ struct nf_flow_route *route, + enum flow_offload_tuple_dir dir) + { + struct flow_offload_tuple *flow_tuple = &flow->tuplehash[dir].tuple; +- struct dst_entry *dst = route->tuple[dir].dst; ++ struct dst_entry *dst = nft_route_dst_fetch(route, dir); + int i, j = 0; + + switch (flow_tuple->l3proto) { +@@ -146,7 +156,7 @@ static void nft_flow_dst_release(struct flow_offload *flow, + } + + void flow_offload_route_init(struct flow_offload *flow, +- const struct nf_flow_route *route) ++ struct nf_flow_route *route) + { + flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_ORIGINAL); + flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_REPLY); +-- +2.43.0 + diff --git a/queue-6.7/nouveau-fix-function-cast-warnings.patch b/queue-6.7/nouveau-fix-function-cast-warnings.patch new file mode 100644 index 00000000000..f198b950306 --- /dev/null +++ b/queue-6.7/nouveau-fix-function-cast-warnings.patch @@ -0,0 +1,54 @@ +From 41de72468affc2b7ec3af96eed3f1e778b6ac062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 10:57:37 +0100 +Subject: nouveau: fix function cast warnings + +From: Arnd Bergmann + +[ Upstream commit 0affdba22aca5573f9d989bcb1d71d32a6a03efe ] + +clang-16 warns about casting between incompatible function types: + +drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c:161:10: error: cast from 'void (*)(const struct firmware *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 161 | .fini = (void(*)(void *))release_firmware, + +This one was done to use the generic shadow_fw_release() function as a +callback for struct nvbios_source. Change it to use the same prototype +as the other five instances, with a trivial helper function that actually +calls release_firmware. 
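The underlying rule, in a tiny standalone illustration (types trimmed to the minimum): calling a function through a pointer of an incompatible type is undefined behaviour, which is what -Wcast-function-type-strict warns about, and a one-line wrapper with the expected prototype removes the cast entirely:

    struct firmware;                            /* opaque here */
    void release_firmware(const struct firmware *fw);

    typedef void (*fini_fn)(void *data);        /* what the callback slot expects */

    static void shadow_fw_release(void *fw)
    {
        release_firmware(fw);                   /* fine: void * converts implicitly */
    }

    static const fini_fn fini = shadow_fw_release;  /* no cast, matching type */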
+ +Fixes: 70c0f263cc2e ("drm/nouveau/bios: pull in basic vbios subdev, more to come later") +Signed-off-by: Arnd Bergmann +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20240213095753.455062-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c +index 19188683c8fca..8c2bf1c16f2a9 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c +@@ -154,11 +154,17 @@ shadow_fw_init(struct nvkm_bios *bios, const char *name) + return (void *)fw; + } + ++static void ++shadow_fw_release(void *fw) ++{ ++ release_firmware(fw); ++} ++ + static const struct nvbios_source + shadow_fw = { + .name = "firmware", + .init = shadow_fw_init, +- .fini = (void(*)(void *))release_firmware, ++ .fini = shadow_fw_release, + .read = shadow_fw_read, + .rw = false, + }; +-- +2.43.0 + diff --git a/queue-6.7/octeontx2-af-consider-the-action-set-by-pf.patch b/queue-6.7/octeontx2-af-consider-the-action-set-by-pf.patch new file mode 100644 index 00000000000..fa19b52147f --- /dev/null +++ b/queue-6.7/octeontx2-af-consider-the-action-set-by-pf.patch @@ -0,0 +1,46 @@ +From 8caa82646453eea135788b92a827bba38e63a810 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 18:25:14 +0530 +Subject: octeontx2-af: Consider the action set by PF + +From: Subbaraya Sundeep + +[ Upstream commit 3b1ae9b71c2a97f848b00fb085a2bd29bddbe8d9 ] + +AF reserves MCAM entries for each PF, VF present in the +system and populates the entry with DMAC and action with +default RSS so that basic packet I/O works. Since PF/VF is +not aware of the RSS action installed by AF, AF only fixup +the actions of the rules installed by PF/VF with corresponding +default RSS action. This worked well for rules installed by +PF/VF for features like RX VLAN offload and DMAC filters but +rules involving action like drop/forward to queue are also +getting modified by AF. Hence fix it by setting the default +RSS action only if requested by PF/VF. + +Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet replication feature") +Signed-off-by: Subbaraya Sundeep +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +index 3784347b6fd88..55639c133dd02 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +@@ -437,6 +437,10 @@ static void npc_fixup_vf_rule(struct rvu *rvu, struct npc_mcam *mcam, + return; + } + ++ /* AF modifies given action iff PF/VF has requested for it */ ++ if ((entry->action & 0xFULL) != NIX_RX_ACTION_DEFAULT) ++ return; ++ + /* copy VF default entry action to the VF mcam entry */ + rx_action = npc_get_default_entry_action(rvu, mcam, blkaddr, + target_func); +-- +2.43.0 + diff --git a/queue-6.7/parisc-fix-stack-unwinder.patch b/queue-6.7/parisc-fix-stack-unwinder.patch new file mode 100644 index 00000000000..af18b946bf6 --- /dev/null +++ b/queue-6.7/parisc-fix-stack-unwinder.patch @@ -0,0 +1,90 @@ +From b0a90dd6093cacae63e5d498d551e54705815881 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 13:51:45 -0800 +Subject: parisc: Fix stack unwinder + +From: Guenter Roeck + +[ Upstream commit 882a2a724ee964c1ebe7268a91d5c8c8ddc796bf ] + +Debugging shows a large number of unaligned access traps in the unwinder +code. Code analysis reveals a number of issues with this code: + +- handle_interruption is passed twice through + dereference_kernel_function_descriptor() +- ret_from_kernel_thread, syscall_exit, intr_return, + _switch_to_ret, and _call_on_stack are passed through + dereference_kernel_function_descriptor() even though they are + not declared as function pointers. + +To fix the problems, drop one of the calls to +dereference_kernel_function_descriptor() for handle_interruption, +and compare the other pointers directly. 
+ +Fixes: 6414b30b39f9 ("parisc: unwind: Avoid missing prototype warning for handle_interruption()") +Fixes: 8e0ba125c2bf ("parisc/unwind: fix unwinder when CONFIG_64BIT is enabled") +Cc: Helge Deller +Cc: Sven Schnelle +Cc: John David Anglin +Cc: Charlie Jenkins +Cc: David Laight +Signed-off-by: Guenter Roeck +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/unwind.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/arch/parisc/kernel/unwind.c b/arch/parisc/kernel/unwind.c +index 27ae40a443b80..f7e0fee5ee55a 100644 +--- a/arch/parisc/kernel/unwind.c ++++ b/arch/parisc/kernel/unwind.c +@@ -228,10 +228,8 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + #ifdef CONFIG_IRQSTACKS + extern void * const _call_on_stack; + #endif /* CONFIG_IRQSTACKS */ +- void *ptr; + +- ptr = dereference_kernel_function_descriptor(&handle_interruption); +- if (pc_is_kernel_fn(pc, ptr)) { ++ if (pc_is_kernel_fn(pc, handle_interruption)) { + struct pt_regs *regs = (struct pt_regs *)(info->sp - frame_size - PT_SZ_ALGN); + dbg("Unwinding through handle_interruption()\n"); + info->prev_sp = regs->gr[30]; +@@ -239,13 +237,13 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + return 1; + } + +- if (pc_is_kernel_fn(pc, ret_from_kernel_thread) || +- pc_is_kernel_fn(pc, syscall_exit)) { ++ if (pc == (unsigned long)&ret_from_kernel_thread || ++ pc == (unsigned long)&syscall_exit) { + info->prev_sp = info->prev_ip = 0; + return 1; + } + +- if (pc_is_kernel_fn(pc, intr_return)) { ++ if (pc == (unsigned long)&intr_return) { + struct pt_regs *regs; + + dbg("Found intr_return()\n"); +@@ -257,14 +255,14 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + } + + if (pc_is_kernel_fn(pc, _switch_to) || +- pc_is_kernel_fn(pc, _switch_to_ret)) { ++ pc == (unsigned long)&_switch_to_ret) { + info->prev_sp = info->sp - CALLEE_SAVE_FRAME_SIZE; + info->prev_ip = *(unsigned long *)(info->prev_sp - RP_OFFSET); + return 1; + } + + #ifdef CONFIG_IRQSTACKS +- if (pc_is_kernel_fn(pc, _call_on_stack)) { ++ if (pc == (unsigned long)&_call_on_stack) { + info->prev_sp = *(unsigned long *)(info->sp - FRAME_SIZE - REG_SZ); + info->prev_ip = *(unsigned long *)(info->sp - FRAME_SIZE - RP_OFFSET); + return 1; +-- +2.43.0 + diff --git a/queue-6.7/phonet-pep-fix-racy-skb_queue_empty-use.patch b/queue-6.7/phonet-pep-fix-racy-skb_queue_empty-use.patch new file mode 100644 index 00000000000..769820bc553 --- /dev/null +++ b/queue-6.7/phonet-pep-fix-racy-skb_queue_empty-use.patch @@ -0,0 +1,87 @@ +From 8053a09268a1e9eb5dd4df1556322cc6e3bcd06b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Feb 2024 10:12:14 +0200 +Subject: phonet/pep: fix racy skb_queue_empty() use +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rémi Denis-Courmont + +[ Upstream commit 7d2a894d7f487dcb894df023e9d3014cf5b93fe5 ] + +The receive queues are protected by their respective spin-lock, not +the socket lock. This could lead to skb_peek() unexpectedly +returning NULL or a pointer to an already dequeued socket buffer. 
+ +Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol") +Signed-off-by: Rémi Denis-Courmont +Link: https://lore.kernel.org/r/20240218081214.4806-2-remi@remlab.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/phonet/pep.c | 41 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 32 insertions(+), 9 deletions(-) + +diff --git a/net/phonet/pep.c b/net/phonet/pep.c +index faba31f2eff29..3dd5f52bc1b58 100644 +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -917,6 +917,37 @@ static int pep_sock_enable(struct sock *sk, struct sockaddr *addr, int len) + return 0; + } + ++static unsigned int pep_first_packet_length(struct sock *sk) ++{ ++ struct pep_sock *pn = pep_sk(sk); ++ struct sk_buff_head *q; ++ struct sk_buff *skb; ++ unsigned int len = 0; ++ bool found = false; ++ ++ if (sock_flag(sk, SOCK_URGINLINE)) { ++ q = &pn->ctrlreq_queue; ++ spin_lock_bh(&q->lock); ++ skb = skb_peek(q); ++ if (skb) { ++ len = skb->len; ++ found = true; ++ } ++ spin_unlock_bh(&q->lock); ++ } ++ ++ if (likely(!found)) { ++ q = &sk->sk_receive_queue; ++ spin_lock_bh(&q->lock); ++ skb = skb_peek(q); ++ if (skb) ++ len = skb->len; ++ spin_unlock_bh(&q->lock); ++ } ++ ++ return len; ++} ++ + static int pep_ioctl(struct sock *sk, int cmd, int *karg) + { + struct pep_sock *pn = pep_sk(sk); +@@ -929,15 +960,7 @@ static int pep_ioctl(struct sock *sk, int cmd, int *karg) + break; + } + +- lock_sock(sk); +- if (sock_flag(sk, SOCK_URGINLINE) && +- !skb_queue_empty(&pn->ctrlreq_queue)) +- *karg = skb_peek(&pn->ctrlreq_queue)->len; +- else if (!skb_queue_empty(&sk->sk_receive_queue)) +- *karg = skb_peek(&sk->sk_receive_queue)->len; +- else +- *karg = 0; +- release_sock(sk); ++ *karg = pep_first_packet_length(sk); + ret = 0; + break; + +-- +2.43.0 + diff --git a/queue-6.7/phonet-take-correct-lock-to-peek-at-the-rx-queue.patch b/queue-6.7/phonet-take-correct-lock-to-peek-at-the-rx-queue.patch new file mode 100644 index 00000000000..be39e4bdc68 --- /dev/null +++ b/queue-6.7/phonet-take-correct-lock-to-peek-at-the-rx-queue.patch @@ -0,0 +1,46 @@ +From 62ffdf7d41ee10eaf5bb278dcfdb6af056ff36b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Feb 2024 10:12:13 +0200 +Subject: phonet: take correct lock to peek at the RX queue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rémi Denis-Courmont + +[ Upstream commit 3b2d9bc4d4acdf15a876eae2c0d83149250e85ba ] + +The receive queue is protected by its embedded spin-lock, not the +socket lock, so we need the former lock here (and only that one). + +Fixes: 107d0d9b8d9a ("Phonet: Phonet datagram transport protocol") +Reported-by: Luosili +Signed-off-by: Rémi Denis-Courmont +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240218081214.4806-1-remi@remlab.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/phonet/datagram.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c +index 3aa50dc7535b7..976fe250b5095 100644 +--- a/net/phonet/datagram.c ++++ b/net/phonet/datagram.c +@@ -34,10 +34,10 @@ static int pn_ioctl(struct sock *sk, int cmd, int *karg) + + switch (cmd) { + case SIOCINQ: +- lock_sock(sk); ++ spin_lock_bh(&sk->sk_receive_queue.lock); + skb = skb_peek(&sk->sk_receive_queue); + *karg = skb ? 
skb->len : 0; +- release_sock(sk); ++ spin_unlock_bh(&sk->sk_receive_queue.lock); + return 0; + + case SIOCPNADDRESOURCE: +-- +2.43.0 + diff --git a/queue-6.7/platform-x86-think-lmi-fix-password-opcode-ordering-.patch b/queue-6.7/platform-x86-think-lmi-fix-password-opcode-ordering-.patch new file mode 100644 index 00000000000..93eb8b882cc --- /dev/null +++ b/queue-6.7/platform-x86-think-lmi-fix-password-opcode-ordering-.patch @@ -0,0 +1,73 @@ +From 1ed8f0f163dc0f7a7e30b4f377398ae918526fa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 10:23:47 -0500 +Subject: platform/x86: think-lmi: Fix password opcode ordering for + workstations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mark Pearson + +[ Upstream commit 6f7d0f5fd8e440c3446560100ac4ff9a55eec340 ] + +The Lenovo workstations require the password opcode to be run before +the attribute value is changed (if Admin password is enabled). + +Tested on some Thinkpads to confirm they are OK with this order too. + +Signed-off-by: Mark Pearson +Fixes: 640a5fa50a42 ("platform/x86: think-lmi: Opcode support") +Reviewed-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20240209152359.528919-1-mpearson-lenovo@squebb.ca +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/think-lmi.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c +index 3a396b763c496..ce3e08815a8e6 100644 +--- a/drivers/platform/x86/think-lmi.c ++++ b/drivers/platform/x86/think-lmi.c +@@ -1009,7 +1009,16 @@ static ssize_t current_value_store(struct kobject *kobj, + * Note - this sets the variable and then the password as separate + * WMI calls. Function tlmi_save_bios_settings will error if the + * password is incorrect. ++ * Workstation's require the opcode to be set before changing the ++ * attribute. 
+ */ ++ if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { ++ ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", ++ tlmi_priv.pwd_admin->password); ++ if (ret) ++ goto out; ++ } ++ + set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name, + new_setting); + if (!set_str) { +@@ -1021,17 +1030,10 @@ static ssize_t current_value_store(struct kobject *kobj, + if (ret) + goto out; + +- if (tlmi_priv.save_mode == TLMI_SAVE_BULK) { ++ if (tlmi_priv.save_mode == TLMI_SAVE_BULK) + tlmi_priv.save_required = true; +- } else { +- if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { +- ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", +- tlmi_priv.pwd_admin->password); +- if (ret) +- goto out; +- } ++ else + ret = tlmi_save_bios_settings(""); +- } + } else { /* old non-opcode based authentication method (deprecated) */ + if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { + auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", +-- +2.43.0 + diff --git a/queue-6.7/platform-x86-thinkpad_acpi-only-update-profile-if-su.patch b/queue-6.7/platform-x86-thinkpad_acpi-only-update-profile-if-su.patch new file mode 100644 index 00000000000..621f8e25433 --- /dev/null +++ b/queue-6.7/platform-x86-thinkpad_acpi-only-update-profile-if-su.patch @@ -0,0 +1,61 @@ +From 595a21641556dc181022d04f19da433e0bdd938b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 20:23:11 -0600 +Subject: platform/x86: thinkpad_acpi: Only update profile if successfully + converted + +From: Mario Limonciello + +[ Upstream commit 427c70dec738318b7f71e1b9d829ff0e9771d493 ] + +Randomly a Lenovo Z13 will trigger a kernel warning traceback from this +condition: + +``` +if (WARN_ON((profile < 0) || (profile >= ARRAY_SIZE(profile_names)))) +``` + +This happens because thinkpad-acpi always assumes that +convert_dytc_to_profile() successfully updated the profile. On the +contrary a condition can occur that when dytc_profile_refresh() is called +the profile doesn't get updated as there is a -EOPNOTSUPP branch. + +Catch this situation and avoid updating the profile. Also log this into +dynamic debugging in case any other modes should be added in the future. 
+ +Fixes: c3bfcd4c6762 ("platform/x86: thinkpad_acpi: Add platform profile support") +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20240217022311.113879-1-mario.limonciello@amd.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index c4895e9bc7148..5ecd9d33250d7 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -10308,6 +10308,7 @@ static int convert_dytc_to_profile(int funcmode, int dytcmode, + return 0; + default: + /* Unknown function */ ++ pr_debug("unknown function 0x%x\n", funcmode); + return -EOPNOTSUPP; + } + return 0; +@@ -10493,8 +10494,8 @@ static void dytc_profile_refresh(void) + return; + + perfmode = (output >> DYTC_GET_MODE_BIT) & 0xF; +- convert_dytc_to_profile(funcmode, perfmode, &profile); +- if (profile != dytc_current_profile) { ++ err = convert_dytc_to_profile(funcmode, perfmode, &profile); ++ if (!err && profile != dytc_current_profile) { + dytc_current_profile = profile; + platform_profile_notify(); + } +-- +2.43.0 + diff --git a/queue-6.7/powerpc-pseries-iommu-dlpar-add-doesn-t-completely-i.patch b/queue-6.7/powerpc-pseries-iommu-dlpar-add-doesn-t-completely-i.patch new file mode 100644 index 00000000000..9b35d25fe0b --- /dev/null +++ b/queue-6.7/powerpc-pseries-iommu-dlpar-add-doesn-t-completely-i.patch @@ -0,0 +1,172 @@ +From f38214cadedb8bb2c6aff2750bd116b8dcfb246e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 16:18:33 -0600 +Subject: powerpc/pseries/iommu: DLPAR add doesn't completely initialize + pci_controller + +From: Gaurav Batra + +[ Upstream commit a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321 ] + +When a PCI device is dynamically added, the kernel oopses with a NULL +pointer dereference: + + BUG: Kernel NULL pointer dereference on read at 0x00000030 + Faulting instruction address: 0xc0000000006bbe5c + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse + CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66 + Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries + NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8 + REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+) + MSR: 8000000000009033 CR: 24002220 XER: 20040006 + CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0 + ... 
+ NIP sysfs_add_link_to_group+0x34/0x94 + LR iommu_device_link+0x5c/0x118 + Call Trace: + iommu_init_device+0x26c/0x318 (unreliable) + iommu_device_link+0x5c/0x118 + iommu_init_device+0xa8/0x318 + iommu_probe_device+0xc0/0x134 + iommu_bus_notifier+0x44/0x104 + notifier_call_chain+0xb8/0x19c + blocking_notifier_call_chain+0x64/0x98 + bus_notify+0x50/0x7c + device_add+0x640/0x918 + pci_device_add+0x23c/0x298 + of_create_pci_dev+0x400/0x884 + of_scan_pci_dev+0x124/0x1b0 + __of_scan_bus+0x78/0x18c + pcibios_scan_phb+0x2a4/0x3b0 + init_phb_dynamic+0xb8/0x110 + dlpar_add_slot+0x170/0x3b8 [rpadlpar_io] + add_slot_store.part.0+0xb4/0x130 [rpadlpar_io] + kobj_attr_store+0x2c/0x48 + sysfs_kf_write+0x64/0x78 + kernfs_fop_write_iter+0x1b0/0x290 + vfs_write+0x350/0x4a0 + ksys_write+0x84/0x140 + system_call_exception+0x124/0x330 + system_call_vectored_common+0x15c/0x2ec + +Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities +and allow blocking domains") broke DLPAR add of PCI devices. + +The above added iommu_device structure to pci_controller. During +system boot, PCI devices are discovered and this newly added iommu_device +structure is initialized by a call to iommu_device_register(). + +During DLPAR add of a PCI device, a new pci_controller structure is +allocated but there are no calls made to iommu_device_register() +interface. + +Fix is to register the iommu device during DLPAR add as well. + +Fixes: a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities and allow blocking domains") +Signed-off-by: Gaurav Batra +Reviewed-by: Brian King +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240215221833.4817-1-gbatra@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/ppc-pci.h | 10 ++++++++++ + arch/powerpc/kernel/iommu.c | 23 ++++++++++++++++------ + arch/powerpc/platforms/pseries/pci_dlpar.c | 4 ++++ + 3 files changed, 31 insertions(+), 6 deletions(-) + +diff --git a/arch/powerpc/include/asm/ppc-pci.h b/arch/powerpc/include/asm/ppc-pci.h +index d9fcff5750271..2689e7139b9ea 100644 +--- a/arch/powerpc/include/asm/ppc-pci.h ++++ b/arch/powerpc/include/asm/ppc-pci.h +@@ -30,6 +30,16 @@ void *pci_traverse_device_nodes(struct device_node *start, + void *data); + extern void pci_devs_phb_init_dynamic(struct pci_controller *phb); + ++#if defined(CONFIG_IOMMU_API) && (defined(CONFIG_PPC_PSERIES) || \ ++ defined(CONFIG_PPC_POWERNV)) ++extern void ppc_iommu_register_device(struct pci_controller *phb); ++extern void ppc_iommu_unregister_device(struct pci_controller *phb); ++#else ++static inline void ppc_iommu_register_device(struct pci_controller *phb) { } ++static inline void ppc_iommu_unregister_device(struct pci_controller *phb) { } ++#endif ++ ++ + /* From rtas_pci.h */ + extern void init_pci_config_tokens (void); + extern unsigned long get_phb_buid (struct device_node *); +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index df17b33b89d13..2c0173e7094da 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -1341,7 +1341,7 @@ static struct iommu_device *spapr_tce_iommu_probe_device(struct device *dev) + struct pci_controller *hose; + + if (!dev_is_pci(dev)) +- return ERR_PTR(-EPERM); ++ return ERR_PTR(-ENODEV); + + pdev = to_pci_dev(dev); + hose = pdev->bus->sysdata; +@@ -1390,6 +1390,21 @@ static const struct attribute_group *spapr_tce_iommu_groups[] = { + NULL, + }; + ++void ppc_iommu_register_device(struct pci_controller *phb) ++{ ++ iommu_device_sysfs_add(&phb->iommu, phb->parent, ++ 
spapr_tce_iommu_groups, "iommu-phb%04x", ++ phb->global_number); ++ iommu_device_register(&phb->iommu, &spapr_tce_iommu_ops, ++ phb->parent); ++} ++ ++void ppc_iommu_unregister_device(struct pci_controller *phb) ++{ ++ iommu_device_unregister(&phb->iommu); ++ iommu_device_sysfs_remove(&phb->iommu); ++} ++ + /* + * This registers IOMMU devices of PHBs. This needs to happen + * after core_initcall(iommu_init) + postcore_initcall(pci_driver_init) and +@@ -1400,11 +1415,7 @@ static int __init spapr_tce_setup_phb_iommus_initcall(void) + struct pci_controller *hose; + + list_for_each_entry(hose, &hose_list, list_node) { +- iommu_device_sysfs_add(&hose->iommu, hose->parent, +- spapr_tce_iommu_groups, "iommu-phb%04x", +- hose->global_number); +- iommu_device_register(&hose->iommu, &spapr_tce_iommu_ops, +- hose->parent); ++ ppc_iommu_register_device(hose); + } + return 0; + } +diff --git a/arch/powerpc/platforms/pseries/pci_dlpar.c b/arch/powerpc/platforms/pseries/pci_dlpar.c +index 4ba8245681192..4448386268d99 100644 +--- a/arch/powerpc/platforms/pseries/pci_dlpar.c ++++ b/arch/powerpc/platforms/pseries/pci_dlpar.c +@@ -35,6 +35,8 @@ struct pci_controller *init_phb_dynamic(struct device_node *dn) + + pseries_msi_allocate_domains(phb); + ++ ppc_iommu_register_device(phb); ++ + /* Create EEH devices for the PHB */ + eeh_phb_pe_create(phb); + +@@ -76,6 +78,8 @@ int remove_phb_dynamic(struct pci_controller *phb) + } + } + ++ ppc_iommu_unregister_device(phb); ++ + pseries_msi_free_domains(phb); + + /* Keep a reference so phb isn't freed yet */ +-- +2.43.0 + diff --git a/queue-6.7/rdma-bnxt_re-add-a-missing-check-in-bnxt_qplib_query.patch b/queue-6.7/rdma-bnxt_re-add-a-missing-check-in-bnxt_qplib_query.patch new file mode 100644 index 00000000000..15748935a24 --- /dev/null +++ b/queue-6.7/rdma-bnxt_re-add-a-missing-check-in-bnxt_qplib_query.patch @@ -0,0 +1,39 @@ +From 2362d9039c31d2863b0d6df4d86b8e7ae5aaac29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 20:54:37 -0800 +Subject: RDMA/bnxt_re: Add a missing check in bnxt_qplib_query_srq + +From: Kalesh AP + +[ Upstream commit 80dde187f734cf9ccf988d5c2ef1a46b990660fd ] + +Before populating the response, driver has to check the status +of HWRM command. 
+ +Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters") +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Link: https://lore.kernel.org/r/1705985677-15551-6-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index abbabea7f5fa3..2a62239187622 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -748,7 +748,8 @@ int bnxt_qplib_query_srq(struct bnxt_qplib_res *res, + bnxt_qplib_fill_cmdqmsg(&msg, &req, &resp, &sbuf, sizeof(req), + sizeof(resp), 0); + rc = bnxt_qplib_rcfw_send_message(rcfw, &msg); +- srq->threshold = le16_to_cpu(sb->srq_limit); ++ if (!rc) ++ srq->threshold = le16_to_cpu(sb->srq_limit); + dma_free_coherent(&rcfw->pdev->dev, sbuf.size, + sbuf.sb, sbuf.dma_addr); + +-- +2.43.0 + diff --git a/queue-6.7/rdma-bnxt_re-return-error-for-srq-resize.patch b/queue-6.7/rdma-bnxt_re-return-error-for-srq-resize.patch new file mode 100644 index 00000000000..7bcd0ab9058 --- /dev/null +++ b/queue-6.7/rdma-bnxt_re-return-error-for-srq-resize.patch @@ -0,0 +1,53 @@ +From 2869847523dff0af90db63bcdb31d20e96fa6627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 20:54:36 -0800 +Subject: RDMA/bnxt_re: Return error for SRQ resize + +From: Kalesh AP + +[ Upstream commit 3687b450c5f32e80f179ce4b09e0454da1449eac ] + +SRQ resize is not supported in the driver. But driver is not +returning error from bnxt_re_modify_srq() for SRQ resize. + +Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters") +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Link: https://lore.kernel.org/r/1705985677-15551-5-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index faa88d12ee868..cc466dfd792b0 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1809,7 +1809,7 @@ int bnxt_re_modify_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr, + switch (srq_attr_mask) { + case IB_SRQ_MAX_WR: + /* SRQ resize is not supported */ +- break; ++ return -EINVAL; + case IB_SRQ_LIMIT: + /* Change the SRQ threshold */ + if (srq_attr->srq_limit > srq->qplib_srq.max_wqe) +@@ -1824,13 +1824,12 @@ int bnxt_re_modify_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr, + /* On success, update the shadow */ + srq->srq_limit = srq_attr->srq_limit; + /* No need to Build and send response back to udata */ +- break; ++ return 0; + default: + ibdev_err(&rdev->ibdev, + "Unsupported srq_attr_mask 0x%x", srq_attr_mask); + return -EINVAL; + } +- return 0; + } + + int bnxt_re_query_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr) +-- +2.43.0 + diff --git a/queue-6.7/rdma-irdma-add-ae-for-too-many-rnrs.patch b/queue-6.7/rdma-irdma-add-ae-for-too-many-rnrs.patch new file mode 100644 index 00000000000..9535b636840 --- /dev/null +++ b/queue-6.7/rdma-irdma-add-ae-for-too-many-rnrs.patch @@ -0,0 +1,51 @@ +From a4d8bdb9abc2c58443e254bd774da6a40a83cee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 17:38:49 -0600 +Subject: RDMA/irdma: Add 
AE for too many RNRS + +From: Mustafa Ismail + +[ Upstream commit 630bdb6f28ca9e5ff79e244030170ac788478332 ] + +Add IRDMA_AE_LLP_TOO_MANY_RNRS to the list of AE's processed as an +abnormal asyncronous event. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Sindhu Devale +Link: https://lore.kernel.org/r/20240131233849.400285-5-sindhu.devale@intel.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/defs.h | 1 + + drivers/infiniband/hw/irdma/hw.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/irdma/defs.h b/drivers/infiniband/hw/irdma/defs.h +index 8fb752f2eda29..2cb4b96db7212 100644 +--- a/drivers/infiniband/hw/irdma/defs.h ++++ b/drivers/infiniband/hw/irdma/defs.h +@@ -346,6 +346,7 @@ enum irdma_cqp_op_type { + #define IRDMA_AE_LLP_TOO_MANY_KEEPALIVE_RETRIES 0x050b + #define IRDMA_AE_LLP_DOUBT_REACHABILITY 0x050c + #define IRDMA_AE_LLP_CONNECTION_ESTABLISHED 0x050e ++#define IRDMA_AE_LLP_TOO_MANY_RNRS 0x050f + #define IRDMA_AE_RESOURCE_EXHAUSTION 0x0520 + #define IRDMA_AE_RESET_SENT 0x0601 + #define IRDMA_AE_TERMINATE_SENT 0x0602 +diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c +index 2f8d18d8be3b7..ad50b77282f8a 100644 +--- a/drivers/infiniband/hw/irdma/hw.c ++++ b/drivers/infiniband/hw/irdma/hw.c +@@ -387,6 +387,7 @@ static void irdma_process_aeq(struct irdma_pci_f *rf) + case IRDMA_AE_LLP_TOO_MANY_RETRIES: + case IRDMA_AE_LCE_QP_CATASTROPHIC: + case IRDMA_AE_LCE_FUNCTION_CATASTROPHIC: ++ case IRDMA_AE_LLP_TOO_MANY_RNRS: + case IRDMA_AE_LCE_CQ_CATASTROPHIC: + case IRDMA_AE_UDA_XMIT_DGRAM_TOO_LONG: + default: +-- +2.43.0 + diff --git a/queue-6.7/rdma-irdma-fix-kasan-issue-with-tasklet.patch b/queue-6.7/rdma-irdma-fix-kasan-issue-with-tasklet.patch new file mode 100644 index 00000000000..8f4b71a7ae3 --- /dev/null +++ b/queue-6.7/rdma-irdma-fix-kasan-issue-with-tasklet.patch @@ -0,0 +1,69 @@ +From 0e585678b105c0db42f337fe3920444bdc3aeefe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 17:38:46 -0600 +Subject: RDMA/irdma: Fix KASAN issue with tasklet + +From: Mike Marciniszyn + +[ Upstream commit bd97cea7b18a0a553773af806dfbfac27a7c4acb ] + +KASAN testing revealed the following issue assocated with freeing an IRQ. + +[50006.466686] Call Trace: +[50006.466691] +[50006.489538] dump_stack+0x5c/0x80 +[50006.493475] print_address_description.constprop.6+0x1a/0x150 +[50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] +[50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] +[50006.511644] kasan_report.cold.11+0x7f/0x118 +[50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] +[50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] +[50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] +[50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] +[50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] +[50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 +[50006.551096] __do_softirq+0x1d0/0xaf8 +[50006.555396] irq_exit_rcu+0x219/0x260 +[50006.559670] irq_exit+0xa/0x20 +[50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 +[50006.568645] apic_timer_interrupt+0xf/0x20 +[50006.573341] + +The issue is that a tasklet could be pending on another core racing +the delete of the irq. + +Fix by insuring any scheduled tasklet is killed after deleting the +irq. 
+ +Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions") +Signed-off-by: Mike Marciniszyn +Signed-off-by: Shiraz Saleem +Signed-off-by: Sindhu Devale +Link: https://lore.kernel.org/r/20240131233849.400285-2-sindhu.devale@intel.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/hw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c +index bd4b2b8964444..2f8d18d8be3b7 100644 +--- a/drivers/infiniband/hw/irdma/hw.c ++++ b/drivers/infiniband/hw/irdma/hw.c +@@ -570,6 +570,13 @@ static void irdma_destroy_irq(struct irdma_pci_f *rf, + dev->irq_ops->irdma_dis_irq(dev, msix_vec->idx); + irq_update_affinity_hint(msix_vec->irq, NULL); + free_irq(msix_vec->irq, dev_id); ++ if (rf == dev_id) { ++ tasklet_kill(&rf->dpc_tasklet); ++ } else { ++ struct irdma_ceq *iwceq = (struct irdma_ceq *)dev_id; ++ ++ tasklet_kill(&iwceq->dpc_tasklet); ++ } + } + + /** +-- +2.43.0 + diff --git a/queue-6.7/rdma-irdma-set-the-cq-read-threshold-for-gen-1.patch b/queue-6.7/rdma-irdma-set-the-cq-read-threshold-for-gen-1.patch new file mode 100644 index 00000000000..951c8b03fd2 --- /dev/null +++ b/queue-6.7/rdma-irdma-set-the-cq-read-threshold-for-gen-1.patch @@ -0,0 +1,43 @@ +From 87b2633c54cd9deee7b4d5f5685ee1de7e23ad5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 17:38:48 -0600 +Subject: RDMA/irdma: Set the CQ read threshold for GEN 1 + +From: Mustafa Ismail + +[ Upstream commit 666047f3ece9f991774c1fe9b223139a9ef8908d ] + +The CQ shadow read threshold is currently not set for GEN 2. This could +cause an invalid CQ overflow condition, so remove the GEN check that +exclused GEN 1. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Sindhu Devale +Link: https://lore.kernel.org/r/20240131233849.400285-4-sindhu.devale@intel.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index cb828e3da478e..0b046c061742b 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -2186,9 +2186,8 @@ static int irdma_create_cq(struct ib_cq *ibcq, + info.cq_base_pa = iwcq->kmem.pa; + } + +- if (dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2) +- info.shadow_read_threshold = min(info.cq_uk_init_info.cq_size / 2, +- (u32)IRDMA_MAX_CQ_READ_THRESH); ++ info.shadow_read_threshold = min(info.cq_uk_init_info.cq_size / 2, ++ (u32)IRDMA_MAX_CQ_READ_THRESH); + + if (irdma_sc_cq_init(cq, &info)) { + ibdev_dbg(&iwdev->ibdev, "VERBS: init cq fail\n"); +-- +2.43.0 + diff --git a/queue-6.7/rdma-irdma-validate-max_send_wr-and-max_recv_wr.patch b/queue-6.7/rdma-irdma-validate-max_send_wr-and-max_recv_wr.patch new file mode 100644 index 00000000000..36efe7464b4 --- /dev/null +++ b/queue-6.7/rdma-irdma-validate-max_send_wr-and-max_recv_wr.patch @@ -0,0 +1,41 @@ +From cc04e3c72ed554bbc29d4522544491f728b927d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 17:38:47 -0600 +Subject: RDMA/irdma: Validate max_send_wr and max_recv_wr + +From: Shiraz Saleem + +[ Upstream commit ee107186bcfd25d7873258f3f75440e20f5e6416 ] + +Validate that max_send_wr and max_recv_wr is within the +supported range. 
+ +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Change-Id: I2fc8b10292b641fddd20b36986a9dae90a93f4be +Signed-off-by: Shiraz Saleem +Signed-off-by: Sindhu Devale +Link: https://lore.kernel.org/r/20240131233849.400285-3-sindhu.devale@intel.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index b5eb8d421988c..cb828e3da478e 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -839,7 +839,9 @@ static int irdma_validate_qp_attrs(struct ib_qp_init_attr *init_attr, + + if (init_attr->cap.max_inline_data > uk_attrs->max_hw_inline || + init_attr->cap.max_send_sge > uk_attrs->max_hw_wq_frags || +- init_attr->cap.max_recv_sge > uk_attrs->max_hw_wq_frags) ++ init_attr->cap.max_recv_sge > uk_attrs->max_hw_wq_frags || ++ init_attr->cap.max_send_wr > uk_attrs->max_hw_wq_quanta || ++ init_attr->cap.max_recv_wr > uk_attrs->max_hw_rq_quanta) + return -EINVAL; + + if (rdma_protocol_roce(&iwdev->ibdev, 1)) { +-- +2.43.0 + diff --git a/queue-6.7/rdma-qedr-fix-qedr_create_user_qp-error-flow.patch b/queue-6.7/rdma-qedr-fix-qedr_create_user_qp-error-flow.patch new file mode 100644 index 00000000000..71c180c1289 --- /dev/null +++ b/queue-6.7/rdma-qedr-fix-qedr_create_user_qp-error-flow.patch @@ -0,0 +1,109 @@ +From b0859f4d8f7b28f2fa34516befc8bebc25b7f158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Feb 2024 17:36:28 -0500 +Subject: RDMA/qedr: Fix qedr_create_user_qp error flow + +From: Kamal Heib + +[ Upstream commit 5ba4e6d5863c53e937f49932dee0ecb004c65928 ] + +Avoid the following warning by making sure to free the allocated +resources in case that qedr_init_user_queue() fail. + +-----------[ cut here ]----------- +WARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +Modules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3 +ghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt] +CPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1 +Hardware name: Dell Inc. 
PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022 +RIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +Code: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff +RSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286 +RAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016 +RDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600 +RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 +R10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80 +R13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0 +Call Trace: + +? show_trace_log_lvl+0x1c4/0x2df +? show_trace_log_lvl+0x1c4/0x2df +? ib_uverbs_close+0x1f/0xb0 [ib_uverbs] +? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +? __warn+0x81/0x110 +? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +? report_bug+0x10a/0x140 +? handle_bug+0x3c/0x70 +? exc_invalid_op+0x14/0x70 +? asm_exc_invalid_op+0x16/0x20 +? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] +ib_uverbs_close+0x1f/0xb0 [ib_uverbs] +__fput+0x94/0x250 +task_work_run+0x5c/0x90 +do_exit+0x270/0x4a0 +do_group_exit+0x2d/0x90 +get_signal+0x87c/0x8c0 +arch_do_signal_or_restart+0x25/0x100 +? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs] +exit_to_user_mode_loop+0x9c/0x130 +exit_to_user_mode_prepare+0xb6/0x100 +syscall_exit_to_user_mode+0x12/0x40 +do_syscall_64+0x69/0x90 +? syscall_exit_work+0x103/0x130 +? syscall_exit_to_user_mode+0x22/0x40 +? do_syscall_64+0x69/0x90 +? syscall_exit_work+0x103/0x130 +? syscall_exit_to_user_mode+0x22/0x40 +? do_syscall_64+0x69/0x90 +? do_syscall_64+0x69/0x90 +? common_interrupt+0x43/0xa0 +entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x1470abe3ec6b +Code: Unable to access opcode bytes at RIP 0x1470abe3ec41. 
+RSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b +RDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004 +RBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00 +R10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358 +R13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470 + +--[ end trace 888a9b92e04c5c97 ]-- + +Fixes: df15856132bc ("RDMA/qedr: restructure functions that create/destroy QPs") +Signed-off-by: Kamal Heib +Link: https://lore.kernel.org/r/20240208223628.2040841-1-kheib@redhat.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 7887a6786ed43..f118ce0a9a617 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1879,8 +1879,17 @@ static int qedr_create_user_qp(struct qedr_dev *dev, + /* RQ - read access only (0) */ + rc = qedr_init_user_queue(udata, dev, &qp->urq, ureq.rq_addr, + ureq.rq_len, true, 0, alloc_and_init); +- if (rc) ++ if (rc) { ++ ib_umem_release(qp->usq.umem); ++ qp->usq.umem = NULL; ++ if (rdma_protocol_roce(&dev->ibdev, 1)) { ++ qedr_free_pbl(dev, &qp->usq.pbl_info, ++ qp->usq.pbl_tbl); ++ } else { ++ kfree(qp->usq.pbl_tbl); ++ } + return rc; ++ } + } + + memset(&in_params, 0, sizeof(in_params)); +-- +2.43.0 + diff --git a/queue-6.7/rdma-srpt-fix-function-pointer-cast-warnings.patch b/queue-6.7/rdma-srpt-fix-function-pointer-cast-warnings.patch new file mode 100644 index 00000000000..e1fc91cbc26 --- /dev/null +++ b/queue-6.7/rdma-srpt-fix-function-pointer-cast-warnings.patch @@ -0,0 +1,60 @@ +From caf98e1c3105d57c0aa486600d271132e19b8df3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:07:13 +0100 +Subject: RDMA/srpt: fix function pointer cast warnings + +From: Arnd Bergmann + +[ Upstream commit eb5c7465c3240151cd42a55c7ace9da0026308a1 ] + +clang-16 notices that srpt_qp_event() gets called through an incompatible +pointer here: + +drivers/infiniband/ulp/srpt/ib_srpt.c:1815:5: error: cast from 'void (*)(struct ib_event *, struct srpt_rdma_ch *)' to 'void (*)(struct ib_event *, void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1815 | = (void(*)(struct ib_event *, void*))srpt_qp_event; + +Change srpt_qp_event() to use the correct prototype and adjust the +argument inside of it. + +Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240213100728.458348-1-arnd@kernel.org +Reviewed-by: Bart Van Assche +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index d2dce6ce30a94..040234c01be4d 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -214,10 +214,12 @@ static const char *get_ch_state_name(enum rdma_ch_state s) + /** + * srpt_qp_event - QP event callback function + * @event: Description of the event that occurred. +- * @ch: SRPT RDMA channel. ++ * @ptr: SRPT RDMA channel. 
+ */ +-static void srpt_qp_event(struct ib_event *event, struct srpt_rdma_ch *ch) ++static void srpt_qp_event(struct ib_event *event, void *ptr) + { ++ struct srpt_rdma_ch *ch = ptr; ++ + pr_debug("QP event %d on ch=%p sess_name=%s-%d state=%s\n", + event->event, ch, ch->sess_name, ch->qp->qp_num, + get_ch_state_name(ch->state)); +@@ -1811,8 +1813,7 @@ static int srpt_create_ch_ib(struct srpt_rdma_ch *ch) + ch->cq_size = ch->rq_size + sq_size; + + qp_init->qp_context = (void *)ch; +- qp_init->event_handler +- = (void(*)(struct ib_event *, void*))srpt_qp_event; ++ qp_init->event_handler = srpt_qp_event; + qp_init->send_cq = ch->cq; + qp_init->recv_cq = ch->cq; + qp_init->sq_sig_type = IB_SIGNAL_REQ_WR; +-- +2.43.0 + diff --git a/queue-6.7/rdma-srpt-support-specifying-the-srpt_service_guid-p.patch b/queue-6.7/rdma-srpt-support-specifying-the-srpt_service_guid-p.patch new file mode 100644 index 00000000000..987d91690b3 --- /dev/null +++ b/queue-6.7/rdma-srpt-support-specifying-the-srpt_service_guid-p.patch @@ -0,0 +1,62 @@ +From 2a0f8d350c2613117b0dd42ad6d16922d5e9bc4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Feb 2024 16:42:07 -0800 +Subject: RDMA/srpt: Support specifying the srpt_service_guid parameter + +From: Bart Van Assche + +[ Upstream commit fdfa083549de5d50ebf7f6811f33757781e838c0 ] + +Make loading ib_srpt with this parameter set work. The current behavior is +that setting that parameter while loading the ib_srpt kernel module +triggers the following kernel crash: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +Call Trace: + + parse_one+0x18c/0x1d0 + parse_args+0xe1/0x230 + load_module+0x8de/0xa60 + init_module_from_file+0x8b/0xd0 + idempotent_init_module+0x181/0x240 + __x64_sys_finit_module+0x5a/0xb0 + do_syscall_64+0x5f/0xe0 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + +Cc: LiHonggang +Reported-by: LiHonggang +Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240205004207.17031-1-bvanassche@acm.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 58f70cfec45a7..d2dce6ce30a94 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -79,12 +79,16 @@ module_param(srpt_srq_size, int, 0444); + MODULE_PARM_DESC(srpt_srq_size, + "Shared receive queue (SRQ) size."); + ++static int srpt_set_u64_x(const char *buffer, const struct kernel_param *kp) ++{ ++ return kstrtou64(buffer, 16, (u64 *)kp->arg); ++} + static int srpt_get_u64_x(char *buffer, const struct kernel_param *kp) + { + return sprintf(buffer, "0x%016llx\n", *(u64 *)kp->arg); + } +-module_param_call(srpt_service_guid, NULL, srpt_get_u64_x, &srpt_service_guid, +- 0444); ++module_param_call(srpt_service_guid, srpt_set_u64_x, srpt_get_u64_x, ++ &srpt_service_guid, 0444); + MODULE_PARM_DESC(srpt_service_guid, + "Using this value for ioc_guid, id_ext, and cm_listen_id instead of using the node_guid of the first HCA."); + +-- +2.43.0 + diff --git a/queue-6.7/s390-use-the-correct-count-for-__iowrite64_copy.patch b/queue-6.7/s390-use-the-correct-count-for-__iowrite64_copy.patch new file mode 100644 index 00000000000..49820897cef --- /dev/null +++ b/queue-6.7/s390-use-the-correct-count-for-__iowrite64_copy.patch @@ -0,0 +1,39 @@ +From 
931cbe5524532b2a97b866ca9b6e7e070de2bdd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 20:48:14 -0400 +Subject: s390: use the correct count for __iowrite64_copy() + +From: Jason Gunthorpe + +[ Upstream commit 723a2cc8d69d4342b47dfddbfe6c19f1b135f09b ] + +The signature for __iowrite64_copy() requires the number of 64 bit +quantities, not bytes. Multiple by 8 to get to a byte length before +invoking zpci_memcpy_toio() + +Fixes: 87bc359b9822 ("s390/pci: speed up __iowrite64_copy by using pci store block insn") +Acked-by: Niklas Schnelle +Signed-off-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/0-v1-9223d11a7662+1d7785-s390_iowrite64_jgg@nvidia.com +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c +index 676ac74026a82..52a44e353796c 100644 +--- a/arch/s390/pci/pci.c ++++ b/arch/s390/pci/pci.c +@@ -252,7 +252,7 @@ resource_size_t pcibios_align_resource(void *data, const struct resource *res, + /* combine single writes by using store-block insn */ + void __iowrite64_copy(void __iomem *to, const void *from, size_t count) + { +- zpci_memcpy_toio(to, from, count); ++ zpci_memcpy_toio(to, from, count * 8); + } + + void __iomem *ioremap_prot(phys_addr_t phys_addr, size_t size, +-- +2.43.0 + diff --git a/queue-6.7/scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch b/queue-6.7/scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch new file mode 100644 index 00000000000..0f5613ab275 --- /dev/null +++ b/queue-6.7/scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch @@ -0,0 +1,54 @@ +From 8b48ac4762a55ef68416fd59778c1fb61638ee66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 21:59:53 -0800 +Subject: scsi: jazz_esp: Only build if SCSI core is builtin + +From: Randy Dunlap + +[ Upstream commit 9ddf190a7df77b77817f955fdb9c2ae9d1c9c9a3 ] + +JAZZ_ESP is a bool kconfig symbol that selects SCSI_SPI_ATTRS. When +CONFIG_SCSI=m, this results in SCSI_SPI_ATTRS=m while JAZZ_ESP=y, which +causes many undefined symbol linker errors. + +Fix this by only offering to build this driver when CONFIG_SCSI=y. + +[mkp: JAZZ_ESP is unique in that it does not support being compiled as a +module unlike the remaining SPI SCSI HBA drivers] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20240214055953.9612-1-rdunlap@infradead.org +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: Arnd Bergmann +Cc: Masahiro Yamada +Cc: Nicolas Schier +Cc: James E.J. Bottomley +Cc: Martin K. Petersen +Cc: linux-scsi@vger.kernel.org +Cc: Geert Uytterhoeven +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202402112222.Gl0udKyU-lkp@intel.com/ +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/Kconfig b/drivers/scsi/Kconfig +index addac7fbe37b9..9ce27092729c3 100644 +--- a/drivers/scsi/Kconfig ++++ b/drivers/scsi/Kconfig +@@ -1270,7 +1270,7 @@ source "drivers/scsi/arm/Kconfig" + + config JAZZ_ESP + bool "MIPS JAZZ FAS216 SCSI support" +- depends on MACH_JAZZ && SCSI ++ depends on MACH_JAZZ && SCSI=y + select SCSI_SPI_ATTRS + help + This is the driver for the onboard SCSI host adapter of MIPS Magnum +-- +2.43.0 + diff --git a/queue-6.7/scsi-smartpqi-fix-disable_managed_interrupts.patch b/queue-6.7/scsi-smartpqi-fix-disable_managed_interrupts.patch new file mode 100644 index 00000000000..068a49aed24 --- /dev/null +++ b/queue-6.7/scsi-smartpqi-fix-disable_managed_interrupts.patch @@ -0,0 +1,92 @@ +From aaf7d956fa0606d54120dd6a0baae49234301276 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 10:22:00 -0600 +Subject: scsi: smartpqi: Fix disable_managed_interrupts + +From: Don Brace + +[ Upstream commit 5761eb9761d2d5fe8248a9b719efc4d8baf1f24a ] + +Correct blk-mq registration issue with module parameter +disable_managed_interrupts enabled. + +When we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to +register with blk-mq using blk_mq_map_queues(). The driver is currently +calling blk_mq_pci_map_queues() which results in a stack trace and possibly +undefined behavior. + +Stack Trace: +[ 7.860089] scsi host2: smartpqi +[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0 +[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse +[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1 +[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022 +[ 7.963026] Workqueue: events work_for_cpu_fn +[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0 +[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54 +[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216 +[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010 +[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310 +[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00 +[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000 +[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8 +[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000 +[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0 +[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 8.172818] PKRU: 55555554 +[ 8.172819] Call Trace: +[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310 +[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245 +[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi] +[ 8.294085] ? 
pqi_pci_probe+0x480/0x4c8 [smartpqi] +[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi] +[ 8.323286] local_pci_probe+0x42/0x80 +[ 8.337855] work_for_cpu_fn+0x16/0x20 +[ 8.351193] process_one_work+0x1a7/0x360 +[ 8.364462] ? create_worker+0x1a0/0x1a0 +[ 8.379252] worker_thread+0x1ce/0x390 +[ 8.392623] ? create_worker+0x1a0/0x1a0 +[ 8.406295] kthread+0x10a/0x120 +[ 8.418428] ? set_kthread_struct+0x50/0x50 +[ 8.431532] ret_from_fork+0x1f/0x40 +[ 8.444137] ---[ end trace 1bf0173d39354506 ]--- + +Fixes: cf15c3e734e8 ("scsi: smartpqi: Add module param to disable managed ints") +Tested-by: Yogesh Chandra Pandey +Reviewed-by: Scott Benesh +Reviewed-by: Scott Teel +Reviewed-by: Mahesh Rajashekhara +Reviewed-by: Mike McGowen +Reviewed-by: Kevin Barnett +Signed-off-by: Don Brace +Link: https://lore.kernel.org/r/20240213162200.1875970-2-don.brace@microchip.com +Reviewed-by: Tomas Henzl +Reviewed-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 081bb2c098063..868453b18c9ae 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -6533,8 +6533,11 @@ static void pqi_map_queues(struct Scsi_Host *shost) + { + struct pqi_ctrl_info *ctrl_info = shost_to_hba(shost); + +- blk_mq_pci_map_queues(&shost->tag_set.map[HCTX_TYPE_DEFAULT], ++ if (!ctrl_info->disable_managed_interrupts) ++ return blk_mq_pci_map_queues(&shost->tag_set.map[HCTX_TYPE_DEFAULT], + ctrl_info->pci_dev, 0); ++ else ++ return blk_mq_map_queues(&shost->tag_set.map[HCTX_TYPE_DEFAULT]); + } + + static inline bool pqi_is_tape_changer_device(struct pqi_scsi_dev *device) +-- +2.43.0 + diff --git a/queue-6.7/scsi-ufs-uninitialized-variable-in-ufshcd_devfreq_ta.patch b/queue-6.7/scsi-ufs-uninitialized-variable-in-ufshcd_devfreq_ta.patch new file mode 100644 index 00000000000..9ba667f3b88 --- /dev/null +++ b/queue-6.7/scsi-ufs-uninitialized-variable-in-ufshcd_devfreq_ta.patch @@ -0,0 +1,42 @@ +From dc6de3cc62c31695238cbf2ba3924aa16cf17e6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 21:08:09 +0300 +Subject: scsi: ufs: Uninitialized variable in ufshcd_devfreq_target() + +From: Dan Carpenter + +[ Upstream commit f2dced9d1992824d677593072bc20eccf66ac5d5 ] + +There is one goto where "sched_clk_scaling_suspend_work" is true but +"scale_up" is uninitialized. It leads to a Smatch uninitialized variable +warning: + +drivers/ufs/core/ufshcd.c:1589 ufshcd_devfreq_target() error: uninitialized symbol 'scale_up'. + +Fixes: 1d969731b87f ("scsi: ufs: core: Only suspend clock scaling if scaling down") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/c787d37f-1107-4512-8991-bccf80e74a35@moroto.mountain +Reviewed-by: Peter Wang +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index e197b9828c3c3..d2d760143ca30 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -1456,7 +1456,7 @@ static int ufshcd_devfreq_target(struct device *dev, + int ret = 0; + struct ufs_hba *hba = dev_get_drvdata(dev); + ktime_t start; +- bool scale_up, sched_clk_scaling_suspend_work = false; ++ bool scale_up = false, sched_clk_scaling_suspend_work = false; + struct list_head *clk_list = &hba->clk_list_head; + struct ufs_clk_info *clki; + unsigned long irq_flags; +-- +2.43.0 + diff --git a/queue-6.7/selftests-bonding-set-active-slave-to-primary-eth1-s.patch b/queue-6.7/selftests-bonding-set-active-slave-to-primary-eth1-s.patch new file mode 100644 index 00000000000..6f03214a094 --- /dev/null +++ b/queue-6.7/selftests-bonding-set-active-slave-to-primary-eth1-s.patch @@ -0,0 +1,67 @@ +From 1c56b0dfa12368d6a882bdd9eee2a30ec0f5d476 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 10:33:25 +0800 +Subject: selftests: bonding: set active slave to primary eth1 specifically + +From: Hangbin Liu + +[ Upstream commit cd65c48d66920457129584553f217005d09b1edb ] + +In bond priority testing, we set the primary interface to eth1 and add +eth0,1,2 to bond in serial. This is OK in normal times. But when in +debug kernel, the bridge port that eth0,1,2 connected would start +slowly (enter blocking, forwarding state), which caused the primary +interface down for a while after enslaving and active slave changed. +Here is a test log from Jakub's debug test[1]. + + [ 400.399070][ T50] br0: port 1(s0) entered disabled state + [ 400.400168][ T50] br0: port 4(s2) entered disabled state + [ 400.941504][ T2791] bond0: (slave eth0): making interface the new active one + [ 400.942603][ T2791] bond0: (slave eth0): Enslaving as an active interface with an up link + [ 400.943633][ T2766] br0: port 1(s0) entered blocking state + [ 400.944119][ T2766] br0: port 1(s0) entered forwarding state + [ 401.128792][ T2792] bond0: (slave eth1): making interface the new active one + [ 401.130771][ T2792] bond0: (slave eth1): Enslaving as an active interface with an up link + [ 401.131643][ T69] br0: port 2(s1) entered blocking state + [ 401.132067][ T69] br0: port 2(s1) entered forwarding state + [ 401.346201][ T2793] bond0: (slave eth2): Enslaving as a backup interface with an up link + [ 401.348414][ T50] br0: port 4(s2) entered blocking state + [ 401.348857][ T50] br0: port 4(s2) entered forwarding state + [ 401.519669][ T250] bond0: (slave eth0): link status definitely down, disabling slave + [ 401.526522][ T250] bond0: (slave eth1): link status definitely down, disabling slave + [ 401.526986][ T250] bond0: (slave eth2): making interface the new active one + [ 401.629470][ T250] bond0: (slave eth0): link status definitely up + [ 401.630089][ T250] bond0: (slave eth1): link status definitely up + [...] + # TEST: prio (active-backup ns_ip6_target primary_reselect 1) [FAIL] + # Current active slave is eth2 but not eth1 + +Fix it by setting active slave to primary slave specifically before +testing. + +[1] https://netdev-3.bots.linux.dev/vmksft-bonding-dbg/results/464301/1-bond-options-sh/stdout + +Fixes: 481b56e0391e ("selftests: bonding: re-format bond option tests") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/bonding/bond_options.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/bonding/bond_options.sh b/tools/testing/selftests/drivers/net/bonding/bond_options.sh +index d508486cc0bdc..9a3d3c389dadd 100755 +--- a/tools/testing/selftests/drivers/net/bonding/bond_options.sh ++++ b/tools/testing/selftests/drivers/net/bonding/bond_options.sh +@@ -62,6 +62,8 @@ prio_test() + + # create bond + bond_reset "${param}" ++ # set active_slave to primary eth1 specifically ++ ip -n ${s_ns} link set bond0 type bond active_slave eth1 + + # check bonding member prio value + ip -n ${s_ns} link set eth0 type bond_slave prio 0 +-- +2.43.0 + diff --git a/queue-6.7/selftests-iommu-fix-the-config-fragment.patch b/queue-6.7/selftests-iommu-fix-the-config-fragment.patch new file mode 100644 index 00000000000..a058df8179c --- /dev/null +++ b/queue-6.7/selftests-iommu-fix-the-config-fragment.patch @@ -0,0 +1,49 @@ +From a7b487a63a1d7c8d2d26832b553084320be4824b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 12:49:33 +0500 +Subject: selftests/iommu: fix the config fragment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Muhammad Usama Anjum + +[ Upstream commit 510325e5ac5f45c1180189d3bfc108c54bf64544 ] + +The config fragment doesn't follow the correct format to enable those +config options which make the config options getting missed while +merging with other configs. + +➜ merge_config.sh -m .config tools/testing/selftests/iommu/config +Using .config as base +Merging tools/testing/selftests/iommu/config +➜ make olddefconfig +.config:5295:warning: unexpected data: CONFIG_IOMMUFD +.config:5296:warning: unexpected data: CONFIG_IOMMUFD_TEST + +While at it, add CONFIG_FAULT_INJECTION as well which is needed for +CONFIG_IOMMUFD_TEST. If CONFIG_FAULT_INJECTION isn't present in base +config (such as x86 defconfig), CONFIG_IOMMUFD_TEST doesn't get enabled. 
+ +Fixes: 57f0988706fe ("iommufd: Add a selftest") +Link: https://lore.kernel.org/r/20240222074934.71380-1-usama.anjum@collabora.com +Signed-off-by: Muhammad Usama Anjum +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/iommu/config | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/iommu/config b/tools/testing/selftests/iommu/config +index 6c4f901d6fed3..110d73917615d 100644 +--- a/tools/testing/selftests/iommu/config ++++ b/tools/testing/selftests/iommu/config +@@ -1,2 +1,3 @@ +-CONFIG_IOMMUFD +-CONFIG_IOMMUFD_TEST ++CONFIG_IOMMUFD=y ++CONFIG_FAULT_INJECTION=y ++CONFIG_IOMMUFD_TEST=y +-- +2.43.0 + diff --git a/queue-6.7/series b/queue-6.7/series index a64bc840df2..a16b05a361c 100644 --- a/queue-6.7/series +++ b/queue-6.7/series @@ -229,3 +229,101 @@ smb3-add-missing-null-server-pointer-check.patch drm-amd-display-avoid-enum-conversion-warning.patch drm-amd-display-fix-buffer-overflow-in-get_host_router_total_dp_tunnel_bw.patch revert-drm-amd-display-increased-min_dcfclk_mhz-and-min_fclk_mhz.patch +ib-hfi1-fix-a-memleak-in-init_credit_return.patch +rdma-bnxt_re-return-error-for-srq-resize.patch +rdma-bnxt_re-add-a-missing-check-in-bnxt_qplib_query.patch +ib-mlx5-don-t-expose-debugfs-entries-for-rroce-gener.patch +arm64-dts-imx8mp-disable-uart4-by-default-on-data-mo.patch +rdma-irdma-fix-kasan-issue-with-tasklet.patch +rdma-irdma-validate-max_send_wr-and-max_recv_wr.patch +rdma-irdma-set-the-cq-read-threshold-for-gen-1.patch +rdma-irdma-add-ae-for-too-many-rnrs.patch +rdma-srpt-support-specifying-the-srpt_service_guid-p.patch +arm64-dts-tqma8mpql-fix-audio-codec-iov-supply.patch +bus-imx-weim-fix-valid-range-check.patch +iommufd-iova_bitmap-bounds-check-mapped-pages-access.patch +iommufd-iova_bitmap-switch-iova_bitmap-bitmap-to-an-.patch +iommufd-iova_bitmap-handle-recording-beyond-the-mapp.patch +iommufd-iova_bitmap-consider-page-offset-for-the-pag.patch +rdma-qedr-fix-qedr_create_user_qp-error-flow.patch +arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch +arm64-dts-rockchip-correct-indiedroid-nova-gpio-name.patch +xsk-add-truesize-to-skb_add_rx_frag.patch +rdma-srpt-fix-function-pointer-cast-warnings.patch +bpf-scripts-correct-gpl-license-name.patch +scsi-ufs-uninitialized-variable-in-ufshcd_devfreq_ta.patch +scsi-smartpqi-fix-disable_managed_interrupts.patch +scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch +net-bridge-switchdev-skip-mdb-replays-of-deferred-ev.patch +net-bridge-switchdev-ensure-deferred-event-delivery-.patch +dccp-tcp-unhash-sk-from-ehash-for-tb2-alloc-failure-.patch +net-ethernet-adi-requires-phylib-support.patch +net-sched-act_mirred-create-function-tcf_mirred_to_d.patch +net-sched-act_mirred-use-the-backlog-for-mirred-ingr.patch +net-sched-act_mirred-don-t-override-retval-if-we-alr.patch +nouveau-fix-function-cast-warnings.patch +drm-nouveau-mmu-r535-uninitialized-variable-in-r535_.patch +x86-numa-fix-the-address-overlap-check-in-numa_fill_.patch +x86-numa-fix-the-sort-compare-func-used-in-numa_fill.patch +net-stmmac-fix-incorrect-dereference-in-interrupt-ha.patch +ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch +ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch +net-bcmasp-indicate-mac-is-in-charge-of-phy-pm.patch +net-bcmasp-sanity-check-is-off-by-one.patch +powerpc-pseries-iommu-dlpar-add-doesn-t-completely-i.patch +selftests-bonding-set-active-slave-to-primary-eth1-s.patch +ata-ahci_ceva-fix-error-handling-for-xilinx-gt-phy-s.patch 
+bpf-fix-racing-between-bpf_timer_cancel_and_free-and.patch +platform-x86-think-lmi-fix-password-opcode-ordering-.patch +parisc-fix-stack-unwinder.patch +afs-increase-buffer-size-in-afs_update_volume_status.patch +ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch +devlink-fix-possible-use-after-free-and-memory-leaks.patch +arp-prevent-overflow-in-arp_req_get.patch +kvm-ppc-book3s-hv-fix-l2-guest-reboot-failure-due-to.patch +gpiolib-handle-no-pin_ranges-in-gpiochip_generic_con.patch +arm64-sme-restore-sme-registers-on-exit-from-suspend.patch +arm64-sme-restore-smcr_el1.ezt0-on-exit-from-suspend.patch +platform-x86-thinkpad_acpi-only-update-profile-if-su.patch +drm-i915-tv-fix-tv-mode.patch +iommu-vt-d-update-iotlb-in-nested-domain-attach.patch +iommu-vt-d-track-nested-domains-in-parent.patch +iommu-vt-d-remove-domain-parameter-for-intel_pasid_s.patch +iommu-vt-d-wrap-the-dirty-tracking-loop-to-be-a-help.patch +iommu-vt-d-add-missing-dirty-tracking-set-for-parent.patch +iommu-vt-d-set-ssade-when-attaching-to-a-parent-with.patch +octeontx2-af-consider-the-action-set-by-pf.patch +net-implement-lockless-setsockopt-so_peek_off.patch +net-ipa-don-t-overrun-ipa-suspend-interrupt-register.patch +iommufd-reject-non-zero-data_type-if-no-data_len-is-.patch +s390-use-the-correct-count-for-__iowrite64_copy.patch +bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch +cache-ax45mp_cache-align-end-size-to-cache-boundary-.patch +hwmon-nct6775-fix-access-to-temperature-configuratio.patch +tls-break-out-of-main-loop-when-peek-gets-a-non-data.patch +tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch +tls-don-t-skip-over-different-type-records-from-the-.patch +netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch +netfilter-nft_flow_offload-reset-dst-in-route-object.patch +netfilter-nft_flow_offload-release-dst-in-case-direc.patch +netfilter-nf_tables-register-hooks-last-when-adding-.patch +netfilter-nf_tables-use-kzalloc-for-hook-allocation.patch +net-mctp-put-sock-on-tag-allocation-failure.patch +tools-ynl-make-sure-we-always-pass-yarg-to-mnl_cb_ru.patch +tools-ynl-don-t-leak-mcast_groups-on-init-error.patch +devlink-fix-port-dump-cmd-type.patch +net-sched-flower-add-lock-protection-when-remove-fil.patch +net-sparx5-add-spinlock-for-frame-transmission-from-.patch +phonet-take-correct-lock-to-peek-at-the-rx-queue.patch +phonet-pep-fix-racy-skb_queue_empty-use.patch +fix-write-to-cloned-skb-in-ipv6_hop_ioam.patch +net-phy-realtek-fix-rtl8211f_config_init-for-rtl8211.patch +drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch +iommu-add-mm_get_enqcmd_pasid-helper-function.patch +iommu-arm-smmu-v3-do-not-use-gfp_kernel-under-as-spi.patch +drm-syncobj-handle-null-fence-in-syncobj_eventfd_ent.patch +selftests-iommu-fix-the-config-fragment.patch +drm-amd-display-fix-potential-null-pointer-dereferen.patch +drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch +drm-amd-display-fix-null-pointer-dereference-on-edid.patch +i2c-imx-when-being-a-target-mark-the-last-read-as-pr.patch diff --git a/queue-6.7/tls-break-out-of-main-loop-when-peek-gets-a-non-data.patch b/queue-6.7/tls-break-out-of-main-loop-when-peek-gets-a-non-data.patch new file mode 100644 index 00000000000..872d2cfbc5d --- /dev/null +++ b/queue-6.7/tls-break-out-of-main-loop-when-peek-gets-a-non-data.patch @@ -0,0 +1,47 @@ +From 892ece070d4514609f675ef0816deadfbb10f74c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:17:29 +0100 +Subject: tls: break out of main loop when PEEK gets a non-data record + 
+From: Sabrina Dubroca + +[ Upstream commit 10f41d0710fc81b7af93fa6106678d57b1ff24a7 ] + +PEEK needs to leave decrypted records on the rx_list so that we can +receive them later on, so it jumps back into the async code that +queues the skb. Unfortunately that makes us skip the +TLS_RECORD_TYPE_DATA check at the bottom of the main loop, so if two +records of the same (non-DATA) type are queued, we end up merging +them. + +Add the same record type check, and make it unlikely to not penalize +the async fastpath. Async decrypt only applies to data record, so this +check is only needed for PEEK. + +process_rx_list also has similar issues. + +Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records") +Signed-off-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/3df2eef4fdae720c55e69472b5bea668772b45a2.1708007371.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 9fbc70200cd0f..78aedfc682ba8 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2064,6 +2064,8 @@ int tls_sw_recvmsg(struct sock *sk, + decrypted += chunk; + len -= chunk; + __skb_queue_tail(&ctx->rx_list, skb); ++ if (unlikely(control != TLS_RECORD_TYPE_DATA)) ++ break; + continue; + } + +-- +2.43.0 + diff --git a/queue-6.7/tls-don-t-skip-over-different-type-records-from-the-.patch b/queue-6.7/tls-don-t-skip-over-different-type-records-from-the-.patch new file mode 100644 index 00000000000..39c6f875be8 --- /dev/null +++ b/queue-6.7/tls-don-t-skip-over-different-type-records-from-the-.patch @@ -0,0 +1,123 @@ +From 2ef0dd498a4bd489a0aa393e92c61d4c21e8b169 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:17:31 +0100 +Subject: tls: don't skip over different type records from the rx_list + +From: Sabrina Dubroca + +[ Upstream commit ec823bf3a479d42c589dc0f28ef4951c49cd2d2a ] + +If we queue 3 records: + - record 1, type DATA + - record 2, some other type + - record 3, type DATA +and do a recv(PEEK), the rx_list will contain the first two records. + +The next large recv will walk through the rx_list and copy data from +record 1, then stop because record 2 is a different type. Since we +haven't filled up our buffer, we will process the next available +record. It's also DATA, so we can merge it with the current read. + +We shouldn't do that, since there was a record in between that we +ignored. + +Add a flag to let process_rx_list inform tls_sw_recvmsg that it had +more data available. 
+ +Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records") +Signed-off-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/f00c0c0afa080c60f016df1471158c1caf983c34.1708007371.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 43dd0d82b6ed7..de96959336c48 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1772,7 +1772,8 @@ static int process_rx_list(struct tls_sw_context_rx *ctx, + u8 *control, + size_t skip, + size_t len, +- bool is_peek) ++ bool is_peek, ++ bool *more) + { + struct sk_buff *skb = skb_peek(&ctx->rx_list); + struct tls_msg *tlm; +@@ -1785,7 +1786,7 @@ static int process_rx_list(struct tls_sw_context_rx *ctx, + + err = tls_record_content_type(msg, tlm, control); + if (err <= 0) +- goto out; ++ goto more; + + if (skip < rxm->full_len) + break; +@@ -1803,12 +1804,12 @@ static int process_rx_list(struct tls_sw_context_rx *ctx, + + err = tls_record_content_type(msg, tlm, control); + if (err <= 0) +- goto out; ++ goto more; + + err = skb_copy_datagram_msg(skb, rxm->offset + skip, + msg, chunk); + if (err < 0) +- goto out; ++ goto more; + + len = len - chunk; + copied = copied + chunk; +@@ -1844,6 +1845,10 @@ static int process_rx_list(struct tls_sw_context_rx *ctx, + + out: + return copied ? : err; ++more: ++ if (more) ++ *more = true; ++ goto out; + } + + static bool +@@ -1947,6 +1952,7 @@ int tls_sw_recvmsg(struct sock *sk, + int target, err; + bool is_kvec = iov_iter_is_kvec(&msg->msg_iter); + bool is_peek = flags & MSG_PEEK; ++ bool rx_more = false; + bool released = true; + bool bpf_strp_enabled; + bool zc_capable; +@@ -1966,12 +1972,12 @@ int tls_sw_recvmsg(struct sock *sk, + goto end; + + /* Process pending decrypted records. 
It must be non-zero-copy */ +- err = process_rx_list(ctx, msg, &control, 0, len, is_peek); ++ err = process_rx_list(ctx, msg, &control, 0, len, is_peek, &rx_more); + if (err < 0) + goto end; + + copied = err; +- if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA)) ++ if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA) || rx_more) + goto end; + + target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); +@@ -2130,10 +2136,10 @@ int tls_sw_recvmsg(struct sock *sk, + /* Drain records from the rx_list & copy if required */ + if (is_peek || is_kvec) + err = process_rx_list(ctx, msg, &control, copied, +- decrypted, is_peek); ++ decrypted, is_peek, NULL); + else + err = process_rx_list(ctx, msg, &control, 0, +- async_copy_bytes, is_peek); ++ async_copy_bytes, is_peek, NULL); + } + + copied += decrypted; +-- +2.43.0 + diff --git a/queue-6.7/tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch b/queue-6.7/tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch new file mode 100644 index 00000000000..30668d690e4 --- /dev/null +++ b/queue-6.7/tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch @@ -0,0 +1,44 @@ +From 20f5381f6e7863bde76bc65f6088c01532dc3442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:17:30 +0100 +Subject: tls: stop recv() if initial process_rx_list gave us non-DATA + +From: Sabrina Dubroca + +[ Upstream commit fdfbaec5923d9359698cbb286bc0deadbb717504 ] + +If we have a non-DATA record on the rx_list and another record of the +same type still on the queue, we will end up merging them: + - process_rx_list copies the non-DATA record + - we start the loop and process the first available record since it's + of the same type + - we break out of the loop since the record was not DATA + +Just check the record type and jump to the end in case process_rx_list +did some work. + +Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records") +Signed-off-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/bd31449e43bd4b6ff546f5c51cf958c31c511deb.1708007371.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 78aedfc682ba8..43dd0d82b6ed7 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1971,7 +1971,7 @@ int tls_sw_recvmsg(struct sock *sk, + goto end; + + copied = err; +- if (len <= copied) ++ if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA)) + goto end; + + target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); +-- +2.43.0 + diff --git a/queue-6.7/tools-ynl-don-t-leak-mcast_groups-on-init-error.patch b/queue-6.7/tools-ynl-don-t-leak-mcast_groups-on-init-error.patch new file mode 100644 index 00000000000..54d9b65089d --- /dev/null +++ b/queue-6.7/tools-ynl-don-t-leak-mcast_groups-on-init-error.patch @@ -0,0 +1,45 @@ +From 02619e1ffb4e5aa8ad8765092fd42ad0a4f00a0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 08:11:12 -0800 +Subject: tools: ynl: don't leak mcast_groups on init error + +From: Jakub Kicinski + +[ Upstream commit 5d78b73e851455d525a064f3b042b29fdc0c1a4a ] + +Make sure to free the already-parsed mcast_groups if +we don't get an ack from the kernel when reading family info. +This is part of the ynl_sock_create() error path, so we won't +get a call to ynl_sock_destroy() to free them later. 
+ +Fixes: 86878f14d71a ("tools: ynl: user space helpers") +Acked-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20240220161112.2735195-3-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/net/ynl/lib/ynl.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/net/ynl/lib/ynl.c b/tools/net/ynl/lib/ynl.c +index 65975a8306738..591f5f50ddaab 100644 +--- a/tools/net/ynl/lib/ynl.c ++++ b/tools/net/ynl/lib/ynl.c +@@ -584,7 +584,13 @@ static int ynl_sock_read_family(struct ynl_sock *ys, const char *family_name) + return err; + } + +- return ynl_recv_ack(ys, err); ++ err = ynl_recv_ack(ys, err); ++ if (err < 0) { ++ free(ys->mcast_groups); ++ return err; ++ } ++ ++ return 0; + } + + struct ynl_sock * +-- +2.43.0 + diff --git a/queue-6.7/tools-ynl-make-sure-we-always-pass-yarg-to-mnl_cb_ru.patch b/queue-6.7/tools-ynl-make-sure-we-always-pass-yarg-to-mnl_cb_ru.patch new file mode 100644 index 00000000000..88aa676fdb4 --- /dev/null +++ b/queue-6.7/tools-ynl-make-sure-we-always-pass-yarg-to-mnl_cb_ru.patch @@ -0,0 +1,79 @@ +From c6d34919cb82e3ec49ea7a47dcae5998d140f493 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 08:11:11 -0800 +Subject: tools: ynl: make sure we always pass yarg to mnl_cb_run + +From: Jakub Kicinski + +[ Upstream commit e4fe082c38cd74a8fa384bc7542cf3edf1cb7318 ] + +There is one common error handler in ynl - ynl_cb_error(). +It expects priv to be a pointer to struct ynl_parse_arg AKA yarg. +To avoid potential crashes if we encounter a stray NLMSG_ERROR +always pass yarg as priv (or a struct which has it as the first +member). + +ynl_cb_null() has a similar problem directly - it expects yarg +but priv passed by the caller is ys. + +Found by code inspection. 
+ +Fixes: 86878f14d71a ("tools: ynl: user space helpers") +Acked-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20240220161112.2735195-2-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/net/ynl/lib/ynl.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/tools/net/ynl/lib/ynl.c b/tools/net/ynl/lib/ynl.c +index 830d25097009a..65975a8306738 100644 +--- a/tools/net/ynl/lib/ynl.c ++++ b/tools/net/ynl/lib/ynl.c +@@ -462,6 +462,8 @@ ynl_gemsg_start_dump(struct ynl_sock *ys, __u32 id, __u8 cmd, __u8 version) + + int ynl_recv_ack(struct ynl_sock *ys, int ret) + { ++ struct ynl_parse_arg yarg = { .ys = ys, }; ++ + if (!ret) { + yerr(ys, YNL_ERROR_EXPECT_ACK, + "Expecting an ACK but nothing received"); +@@ -474,7 +476,7 @@ int ynl_recv_ack(struct ynl_sock *ys, int ret) + return ret; + } + return mnl_cb_run(ys->rx_buf, ret, ys->seq, ys->portid, +- ynl_cb_null, ys); ++ ynl_cb_null, &yarg); + } + + int ynl_cb_null(const struct nlmsghdr *nlh, void *data) +@@ -737,11 +739,14 @@ static int ynl_ntf_parse(struct ynl_sock *ys, const struct nlmsghdr *nlh) + + static int ynl_ntf_trampoline(const struct nlmsghdr *nlh, void *data) + { +- return ynl_ntf_parse((struct ynl_sock *)data, nlh); ++ struct ynl_parse_arg *yarg = data; ++ ++ return ynl_ntf_parse(yarg->ys, nlh); + } + + int ynl_ntf_check(struct ynl_sock *ys) + { ++ struct ynl_parse_arg yarg = { .ys = ys, }; + ssize_t len; + int err; + +@@ -763,7 +768,7 @@ int ynl_ntf_check(struct ynl_sock *ys) + return len; + + err = mnl_cb_run2(ys->rx_buf, len, ys->seq, ys->portid, +- ynl_ntf_trampoline, ys, ++ ynl_ntf_trampoline, &yarg, + ynl_cb_array, NLMSG_MIN_TYPE); + if (err < 0) + return err; +-- +2.43.0 + diff --git a/queue-6.7/x86-numa-fix-the-address-overlap-check-in-numa_fill_.patch b/queue-6.7/x86-numa-fix-the-address-overlap-check-in-numa_fill_.patch new file mode 100644 index 00000000000..3941591fa95 --- /dev/null +++ b/queue-6.7/x86-numa-fix-the-address-overlap-check-in-numa_fill_.patch @@ -0,0 +1,116 @@ +From 354a034ec822d1eba18e27c0c4e0e318a8324a43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 12:09:50 -0800 +Subject: x86/numa: Fix the address overlap check in numa_fill_memblks() + +From: Alison Schofield + +[ Upstream commit 9b99c17f7510bed2adbe17751fb8abddba5620bc ] + +numa_fill_memblks() fills in the gaps in numa_meminfo memblks over a +physical address range. To do so, it first creates a list of existing +memblks that overlap that address range. The issue is that it is off +by one when comparing to the end of the address range, so memblks +that do not overlap are selected. + +The impact of selecting a memblk that does not actually overlap is +that an existing memblk may be filled when the expected action is to +do nothing and return NUMA_NO_MEMBLK to the caller. The caller can +then add a new NUMA node and memblk. + +Replace the broken open-coded search for address overlap with the +memblock helper memblock_addrs_overlap(). Update the kernel doc +and in code comments. 
+ +Suggested by: "Huang, Ying" + +Fixes: 8f012db27c95 ("x86/numa: Introduce numa_fill_memblks()") +Signed-off-by: Alison Schofield +Acked-by: Mike Rapoport (IBM) +Acked-by: Dave Hansen +Reviewed-by: Dan Williams +Link: https://lore.kernel.org/r/10a3e6109c34c21a8dd4c513cf63df63481a2b07.1705085543.git.alison.schofield@intel.com +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + arch/x86/mm/numa.c | 19 +++++++------------ + include/linux/memblock.h | 2 ++ + mm/memblock.c | 5 +++-- + 3 files changed, 12 insertions(+), 14 deletions(-) + +diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c +index b29ceb19e46ec..efc5f1be8d3af 100644 +--- a/arch/x86/mm/numa.c ++++ b/arch/x86/mm/numa.c +@@ -974,14 +974,12 @@ static struct numa_memblk *numa_memblk_list[NR_NODE_MEMBLKS] __initdata; + * @start: address to begin fill + * @end: address to end fill + * +- * Find and extend numa_meminfo memblks to cover the @start-@end +- * physical address range, such that the first memblk includes +- * @start, the last memblk includes @end, and any gaps in between +- * are filled. ++ * Find and extend numa_meminfo memblks to cover the physical ++ * address range @start-@end + * + * RETURNS: + * 0 : Success +- * NUMA_NO_MEMBLK : No memblk exists in @start-@end range ++ * NUMA_NO_MEMBLK : No memblks exist in address range @start-@end + */ + + int __init numa_fill_memblks(u64 start, u64 end) +@@ -993,17 +991,14 @@ int __init numa_fill_memblks(u64 start, u64 end) + + /* + * Create a list of pointers to numa_meminfo memblks that +- * overlap start, end. Exclude (start == bi->end) since +- * end addresses in both a CFMWS range and a memblk range +- * are exclusive. +- * +- * This list of pointers is used to make in-place changes +- * that fill out the numa_meminfo memblks. ++ * overlap start, end. The list is used to make in-place ++ * changes that fill out the numa_meminfo memblks. 
+ */ + for (int i = 0; i < mi->nr_blks; i++) { + struct numa_memblk *bi = &mi->blk[i]; + +- if (start < bi->end && end >= bi->start) { ++ if (memblock_addrs_overlap(start, end - start, bi->start, ++ bi->end - bi->start)) { + blk[count] = &mi->blk[i]; + count++; + } +diff --git a/include/linux/memblock.h b/include/linux/memblock.h +index ae3bde302f704..ccf0176ba3681 100644 +--- a/include/linux/memblock.h ++++ b/include/linux/memblock.h +@@ -121,6 +121,8 @@ int memblock_reserve(phys_addr_t base, phys_addr_t size); + int memblock_physmem_add(phys_addr_t base, phys_addr_t size); + #endif + void memblock_trim_memory(phys_addr_t align); ++unsigned long memblock_addrs_overlap(phys_addr_t base1, phys_addr_t size1, ++ phys_addr_t base2, phys_addr_t size2); + bool memblock_overlaps_region(struct memblock_type *type, + phys_addr_t base, phys_addr_t size); + int memblock_mark_hotplug(phys_addr_t base, phys_addr_t size); +diff --git a/mm/memblock.c b/mm/memblock.c +index 1572956c5e31e..9a5248fe9cf97 100644 +--- a/mm/memblock.c ++++ b/mm/memblock.c +@@ -180,8 +180,9 @@ static inline phys_addr_t memblock_cap_size(phys_addr_t base, phys_addr_t *size) + /* + * Address comparison utilities + */ +-static unsigned long __init_memblock memblock_addrs_overlap(phys_addr_t base1, phys_addr_t size1, +- phys_addr_t base2, phys_addr_t size2) ++unsigned long __init_memblock ++memblock_addrs_overlap(phys_addr_t base1, phys_addr_t size1, phys_addr_t base2, ++ phys_addr_t size2) + { + return ((base1 < (base2 + size2)) && (base2 < (base1 + size1))); + } +-- +2.43.0 + diff --git a/queue-6.7/x86-numa-fix-the-sort-compare-func-used-in-numa_fill.patch b/queue-6.7/x86-numa-fix-the-sort-compare-func-used-in-numa_fill.patch new file mode 100644 index 00000000000..3c0162d369a --- /dev/null +++ b/queue-6.7/x86-numa-fix-the-sort-compare-func-used-in-numa_fill.patch @@ -0,0 +1,50 @@ +From 0b250eb267f5f24bac76f7120046ca0fc56f6442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 12:09:51 -0800 +Subject: x86/numa: Fix the sort compare func used in numa_fill_memblks() + +From: Alison Schofield + +[ Upstream commit b626070ffc14acca5b87a2aa5f581db98617584c ] + +The compare function used to sort memblks into starting address +order fails when the result of its u64 address subtraction gets +truncated to an int upon return. + +The impact of the bad sort is that memblks will be filled out +incorrectly. Depending on the set of memblks, a user may see no +errors at all but still have a bad fill, or see messages reporting +a node overlap that leads to numa init failure: + +[] node 0 [mem: ] overlaps with node 1 [mem: ] +[] No NUMA configuration found + +Replace with a comparison that can only result in: 1, 0, -1. 
+ +Fixes: 8f012db27c95 ("x86/numa: Introduce numa_fill_memblks()") +Signed-off-by: Alison Schofield +Acked-by: Dave Hansen +Reviewed-by: Dan Williams +Link: https://lore.kernel.org/r/99dcb3ae87e04995e9f293f6158dc8fa0749a487.1705085543.git.alison.schofield@intel.com +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + arch/x86/mm/numa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c +index efc5f1be8d3af..9d63cfff1fd41 100644 +--- a/arch/x86/mm/numa.c ++++ b/arch/x86/mm/numa.c +@@ -964,7 +964,7 @@ static int __init cmp_memblk(const void *a, const void *b) + const struct numa_memblk *ma = *(const struct numa_memblk **)a; + const struct numa_memblk *mb = *(const struct numa_memblk **)b; + +- return ma->start - mb->start; ++ return (ma->start > mb->start) - (ma->start < mb->start); + } + + static struct numa_memblk *numa_memblk_list[NR_NODE_MEMBLKS] __initdata; +-- +2.43.0 + diff --git a/queue-6.7/xsk-add-truesize-to-skb_add_rx_frag.patch b/queue-6.7/xsk-add-truesize-to-skb_add_rx_frag.patch new file mode 100644 index 00000000000..66e7a1eafeb --- /dev/null +++ b/queue-6.7/xsk-add-truesize-to-skb_add_rx_frag.patch @@ -0,0 +1,48 @@ +From 930ed316a8920b47981f4961a2c89c4f36a65d6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 17:32:20 +0100 +Subject: xsk: Add truesize to skb_add_rx_frag(). + +From: Sebastian Andrzej Siewior + +[ Upstream commit 2127c604383666675789fd4a5fc2aead46c73aad ] + +xsk_build_skb() allocates a page and adds it to the skb via +skb_add_rx_frag() and specifies 0 for truesize. This leads to a warning +in skb_add_rx_frag() with CONFIG_DEBUG_NET enabled because size is +larger than truesize. + +Increasing truesize requires to add the same amount to socket's +sk_wmem_alloc counter in order not to underflow the counter during +release in the destructor (sock_wfree()). + +Pass the size of the allocated page as truesize to skb_add_rx_frag(). +Add this mount to socket's sk_wmem_alloc counter. + +Fixes: cf24f5a5feea ("xsk: add support for AF_XDP multi-buffer on Tx path") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Daniel Borkmann +Acked-by: Maciej Fijalkowski +Link: https://lore.kernel.org/bpf/20240202163221.2488589-1-bigeasy@linutronix.de +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 688e641cd2784..da1582de6e84a 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -711,7 +711,8 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs, + memcpy(vaddr, buffer, len); + kunmap_local(vaddr); + +- skb_add_rx_frag(skb, nr_frags, page, 0, len, 0); ++ skb_add_rx_frag(skb, nr_frags, page, 0, len, PAGE_SIZE); ++ refcount_add(PAGE_SIZE, &xs->sk.sk_wmem_alloc); + } + } + +-- +2.43.0 +