From: Sasha Levin Date: Mon, 15 Apr 2024 08:56:15 +0000 (-0400) Subject: Fixes for 6.8 X-Git-Tag: v5.15.156~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d0e4416d9cf2ecbed4e42b732f81d68bef593ba;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.8 Signed-off-by: Sasha Levin --- diff --git a/queue-6.8/acpi-bus-allow-_uid-matching-for-integer-zero.patch b/queue-6.8/acpi-bus-allow-_uid-matching-for-integer-zero.patch new file mode 100644 index 00000000000..6b3aaae80cc --- /dev/null +++ b/queue-6.8/acpi-bus-allow-_uid-matching-for-integer-zero.patch @@ -0,0 +1,57 @@ +From 65f3c4513d59a1b0b1499dbe5345a71bf1bd7413 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 09:25:40 +0530 +Subject: ACPI: bus: allow _UID matching for integer zero + +From: Raag Jadav + +[ Upstream commit aca1a5287ea328fd1f7e2bfa6806646486d86a70 ] + +Commit b2b32a173881 ("ACPI: bus: update acpi_dev_hid_uid_match() to +support multiple types") added _UID matching support for both integer +and string types, which satisfies NULL @uid2 argument for string types +using inversion, but this logic prevents _UID comparison in case the +argument is integer 0, which may result in false positives. + +Fix this using _Generic(), which will allow NULL @uid2 argument for +string types as well as _UID matching for all possible integer values. + +Fixes: b2b32a173881 ("ACPI: bus: update acpi_dev_hid_uid_match() to support multiple types") +Signed-off-by: Raag Jadav +[ rjw: Comment adjustment ] +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + include/acpi/acpi_bus.h | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h +index 446225aada50d..8b45b82cd5edc 100644 +--- a/include/acpi/acpi_bus.h ++++ b/include/acpi/acpi_bus.h +@@ -911,17 +911,19 @@ static inline bool acpi_int_uid_match(struct acpi_device *adev, u64 uid2) + * acpi_dev_hid_uid_match - Match device by supplied HID and UID + * @adev: ACPI device to match. + * @hid2: Hardware ID of the device. +- * @uid2: Unique ID of the device, pass 0 or NULL to not check _UID. ++ * @uid2: Unique ID of the device, pass NULL to not check _UID. + * + * Matches HID and UID in @adev with given @hid2 and @uid2. Absence of @uid2 + * will be treated as a match. If user wants to validate @uid2, it should be + * done before calling this function. + * +- * Returns: %true if matches or @uid2 is 0 or NULL, %false otherwise. ++ * Returns: %true if matches or @uid2 is NULL, %false otherwise. 
+ */ + #define acpi_dev_hid_uid_match(adev, hid2, uid2) \ + (acpi_dev_hid_match(adev, hid2) && \ +- (!(uid2) || acpi_dev_uid_match(adev, uid2))) ++ /* Distinguish integer 0 from NULL @uid2 */ \ ++ (_Generic(uid2, ACPI_STR_TYPES(!(uid2)), default: 0) || \ ++ acpi_dev_uid_match(adev, uid2))) + + void acpi_dev_clear_dependencies(struct acpi_device *supplier); + bool acpi_dev_ready_for_enumeration(const struct acpi_device *device); +-- +2.43.0 + diff --git a/queue-6.8/acpi-hmat-cxl-add-retrieval-of-generic-port-coordina.patch b/queue-6.8/acpi-hmat-cxl-add-retrieval-of-generic-port-coordina.patch new file mode 100644 index 00000000000..a090f296865 --- /dev/null +++ b/queue-6.8/acpi-hmat-cxl-add-retrieval-of-generic-port-coordina.patch @@ -0,0 +1,107 @@ +From c7dc68788629d1d50adea0c3c8fb35ee277ef750 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 14:59:23 -0700 +Subject: ACPI: HMAT / cxl: Add retrieval of generic port coordinates for both + access classes + +From: Dave Jiang + +[ Upstream commit bd98cbbbf82a3086423865816e1b5ab4bb4b6c60 ] + +Update acpi_get_genport_coordinates() to allow retrieval of both access +classes of the 'struct access_coordinate' for a generic target. The update +will allow CXL code to compute access coordinates for both access class. + +Cc: Rafael J. 
Wysocki +Reviewed-by: Jonathan Cameron +Tested-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/20240308220055.2172956-5-dave.jiang@intel.com +Signed-off-by: Dan Williams +Stable-dep-of: 592780b8391f ("cxl: Fix retrieving of access_coordinates in PCIe path") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 8 ++++++-- + drivers/cxl/acpi.c | 8 +++++--- + drivers/cxl/core/port.c | 2 +- + drivers/cxl/cxl.h | 2 +- + 4 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index a1257888a6dfd..75e9aac43228a 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -126,7 +126,8 @@ static struct memory_target *acpi_find_genport_target(u32 uid) + /** + * acpi_get_genport_coordinates - Retrieve the access coordinates for a generic port + * @uid: ACPI unique id +- * @coord: The access coordinates written back out for the generic port ++ * @coord: The access coordinates written back out for the generic port. ++ * Expect 2 levels array. + * + * Return: 0 on success. Errno on failure. 
+ * +@@ -142,7 +143,10 @@ int acpi_get_genport_coordinates(u32 uid, + if (!target) + return -ENOENT; + +- *coord = target->coord[NODE_ACCESS_CLASS_GENPORT_SINK_LOCAL]; ++ coord[ACCESS_COORDINATE_LOCAL] = ++ target->coord[NODE_ACCESS_CLASS_GENPORT_SINK_LOCAL]; ++ coord[ACCESS_COORDINATE_CPU] = ++ target->coord[NODE_ACCESS_CLASS_GENPORT_SINK_CPU]; + + return 0; + } +diff --git a/drivers/cxl/acpi.c b/drivers/cxl/acpi.c +index 1a3e6aafbdcc3..af5cb818f84d6 100644 +--- a/drivers/cxl/acpi.c ++++ b/drivers/cxl/acpi.c +@@ -530,13 +530,15 @@ static int get_genport_coordinates(struct device *dev, struct cxl_dport *dport) + if (kstrtou32(acpi_device_uid(hb), 0, &uid)) + return -EINVAL; + +- rc = acpi_get_genport_coordinates(uid, &dport->hb_coord); ++ rc = acpi_get_genport_coordinates(uid, dport->hb_coord); + if (rc < 0) + return rc; + + /* Adjust back to picoseconds from nanoseconds */ +- dport->hb_coord.read_latency *= 1000; +- dport->hb_coord.write_latency *= 1000; ++ for (int i = 0; i < ACCESS_COORDINATE_MAX; i++) { ++ dport->hb_coord[i].read_latency *= 1000; ++ dport->hb_coord[i].write_latency *= 1000; ++ } + + return 0; + } +diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c +index e59d9d37aa650..612bf7e1e8474 100644 +--- a/drivers/cxl/core/port.c ++++ b/drivers/cxl/core/port.c +@@ -2152,7 +2152,7 @@ int cxl_endpoint_get_perf_coordinates(struct cxl_port *port, + } + + /* Augment with the generic port (host bridge) perf data */ +- combine_coordinates(&c, &dport->hb_coord); ++ combine_coordinates(&c, &dport->hb_coord[ACCESS_COORDINATE_LOCAL]); + + /* Get the calculated PCI paths bandwidth */ + pdev = to_pci_dev(port->uport_dev->parent); +diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h +index 003feebab79b5..fe7448f2745e1 100644 +--- a/drivers/cxl/cxl.h ++++ b/drivers/cxl/cxl.h +@@ -671,7 +671,7 @@ struct cxl_dport { + struct cxl_port *port; + struct cxl_regs regs; + struct access_coordinate sw_coord; +- struct access_coordinate hb_coord; ++ struct 
access_coordinate hb_coord[ACCESS_COORDINATE_MAX]; + long link_latency; + }; + +-- +2.43.0 + diff --git a/queue-6.8/acpi-hmat-introduce-2-levels-of-generic-port-access-.patch b/queue-6.8/acpi-hmat-introduce-2-levels-of-generic-port-access-.patch new file mode 100644 index 00000000000..e06b8d55096 --- /dev/null +++ b/queue-6.8/acpi-hmat-introduce-2-levels-of-generic-port-access-.patch @@ -0,0 +1,83 @@ +From 58f788f27d2f9c69fae04bf874e6a99f07e36055 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 14:59:22 -0700 +Subject: ACPI: HMAT: Introduce 2 levels of generic port access class + +From: Dave Jiang + +[ Upstream commit 1745a7b364dfd339ab2696b7d51d7ed950ed2598 ] + +In order to compute access0 and access1 classes for CXL memory, 2 levels +of generic port information must be stored. Access0 will indicate the +generic port access coordinates to the closest initiator and access1 +will indicate the generic port access coordinates to the closest CPU. + +Cc: Rafael J. Wysocki +Reviewed-by: Jonathan Cameron +Tested-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/20240308220055.2172956-4-dave.jiang@intel.com +Signed-off-by: Dan Williams +Stable-dep-of: 592780b8391f ("cxl: Fix retrieving of access_coordinates in PCIe path") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index e0144cfbf1f31..a1257888a6dfd 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -59,7 +59,8 @@ struct target_cache { + }; + + enum { +- NODE_ACCESS_CLASS_GENPORT_SINK = ACCESS_COORDINATE_MAX, ++ NODE_ACCESS_CLASS_GENPORT_SINK_LOCAL = ACCESS_COORDINATE_MAX, ++ NODE_ACCESS_CLASS_GENPORT_SINK_CPU, + NODE_ACCESS_CLASS_MAX, + }; + +@@ -141,7 +142,7 @@ int acpi_get_genport_coordinates(u32 uid, + if (!target) + return -ENOENT; + +- *coord = target->coord[NODE_ACCESS_CLASS_GENPORT_SINK]; 
++ *coord = target->coord[NODE_ACCESS_CLASS_GENPORT_SINK_LOCAL]; + + return 0; + } +@@ -695,7 +696,8 @@ static void hmat_update_target_attrs(struct memory_target *target, + int i; + + /* Don't update for generic port if there's no device handle */ +- if (access == NODE_ACCESS_CLASS_GENPORT_SINK && ++ if ((access == NODE_ACCESS_CLASS_GENPORT_SINK_LOCAL || ++ access == NODE_ACCESS_CLASS_GENPORT_SINK_CPU) && + !(*(u16 *)target->gen_port_device_handle)) + return; + +@@ -736,7 +738,8 @@ static void hmat_update_target_attrs(struct memory_target *target, + list_for_each_entry(initiator, &initiators, node) { + u32 value; + +- if (access == ACCESS_COORDINATE_CPU && ++ if ((access == ACCESS_COORDINATE_CPU || ++ access == NODE_ACCESS_CLASS_GENPORT_SINK_CPU) && + !initiator->has_cpu) { + clear_bit(initiator->processor_pxm, p_nodes); + continue; +@@ -775,7 +778,9 @@ static void hmat_update_generic_target(struct memory_target *target) + static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); + + hmat_update_target_attrs(target, p_nodes, +- NODE_ACCESS_CLASS_GENPORT_SINK); ++ NODE_ACCESS_CLASS_GENPORT_SINK_LOCAL); ++ hmat_update_target_attrs(target, p_nodes, ++ NODE_ACCESS_CLASS_GENPORT_SINK_CPU); + } + + static void hmat_register_target_initiators(struct memory_target *target) +-- +2.43.0 + diff --git a/queue-6.8/af_unix-clear-stale-u-oob_skb.patch b/queue-6.8/af_unix-clear-stale-u-oob_skb.patch new file mode 100644 index 00000000000..61fffd15577 --- /dev/null +++ b/queue-6.8/af_unix-clear-stale-u-oob_skb.patch @@ -0,0 +1,104 @@ +From 29504bd540cf35eb107f24fdf78dcebb5c750ad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 15:10:57 -0700 +Subject: af_unix: Clear stale u->oob_skb. 
+ +From: Kuniyuki Iwashima + +[ Upstream commit b46f4eaa4f0ec38909fb0072eea3aeddb32f954e ] + +syzkaller started to report deadlock of unix_gc_lock after commit +4090fa373f0e ("af_unix: Replace garbage collection algorithm."), but +it just uncovers the bug that has been there since commit 314001f0bf92 +("af_unix: Add OOB support"). + +The repro basically does the following. + + from socket import * + from array import array + + c1, c2 = socketpair(AF_UNIX, SOCK_STREAM) + c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array("i", [c2.fileno()]))], MSG_OOB) + c2.recv(1) # blocked as no normal data in recv queue + + c2.close() # done async and unblock recv() + c1.close() # done async and trigger GC + +A socket sends its file descriptor to itself as OOB data and tries to +receive normal data, but finally recv() fails due to async close(). + +The problem here is wrong handling of OOB skb in manage_oob(). When +recvmsg() is called without MSG_OOB, manage_oob() is called to check +if the peeked skb is OOB skb. In such a case, manage_oob() pops it +out of the receive queue but does not clear unix_sock(sk)->oob_skb. +This is wrong in terms of uAPI. + +Let's say we send "hello" with MSG_OOB, and "world" without MSG_OOB. +The 'o' is handled as OOB data. When recv() is called twice without +MSG_OOB, the OOB data should be lost. + + >>> from socket import * + >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0) + >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data + 5 + >>> c1.send(b'world') + 5 + >>> c2.recv(5) # OOB data is not received + b'hell' + >>> c2.recv(5) # OOB data is skipped + b'world' + >>> c2.recv(5, MSG_OOB) # This should return an error + b'o' + +In the same situation, TCP actually returns -EINVAL for the last +recv(). + +Also, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set +EPOLLPRI even though the data has passed through by previous recv(). + +To avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing +it from recv queue. 
+ +The reason why the old GC did not trigger the deadlock is because the +old GC relied on the receive queue to detect the loop. + +When it is triggered, the socket with OOB data is marked as GC candidate +because file refcount == inflight count (1). However, after traversing +all inflight sockets, the socket still has a positive inflight count (1), +thus the socket is excluded from candidates. Then, the old GC lose the +chance to garbage-collect the socket. + +With the old GC, the repro continues to create true garbage that will +never be freed nor detected by kmemleak as it's linked to the global +inflight list. That's why we couldn't even notice the issue. + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Reported-by: syzbot+7f7f201cc2668a8fd169@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7f7f201cc2668a8fd169 +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240405221057.2406-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 0748e7ea5210e..484874872fa6f 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2604,7 +2604,9 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, + } + } else if (!(flags & MSG_PEEK)) { + skb_unlink(skb, &sk->sk_receive_queue); +- consume_skb(skb); ++ WRITE_ONCE(u->oob_skb, NULL); ++ if (!WARN_ON_ONCE(skb_unref(skb))) ++ kfree_skb(skb); + skb = skb_peek(&sk->sk_receive_queue); + } + } +-- +2.43.0 + diff --git a/queue-6.8/af_unix-do-not-use-atomic-ops-for-unix_sk-sk-infligh.patch b/queue-6.8/af_unix-do-not-use-atomic-ops-for-unix_sk-sk-infligh.patch new file mode 100644 index 00000000000..c9e2f4f896c --- /dev/null +++ b/queue-6.8/af_unix-do-not-use-atomic-ops-for-unix_sk-sk-infligh.patch @@ -0,0 +1,147 @@ +From b5fdf9c87fd4f1e7f949a81ca9e16709d20ca98f Mon 
Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 09:08:53 -0800 +Subject: af_unix: Do not use atomic ops for unix_sk(sk)->inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit 97af84a6bba2ab2b9c704c08e67de3b5ea551bb2 ] + +When touching unix_sk(sk)->inflight, we are always under +spin_lock(&unix_gc_lock). + +Let's convert unix_sk(sk)->inflight to the normal unsigned long. + +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 47d8ac011fe1 ("af_unix: Fix garbage collector racing against connect()") +Signed-off-by: Sasha Levin +--- + include/net/af_unix.h | 2 +- + net/unix/af_unix.c | 4 ++-- + net/unix/garbage.c | 17 ++++++++--------- + net/unix/scm.c | 8 +++++--- + 4 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/include/net/af_unix.h b/include/net/af_unix.h +index afd40dce40f3d..d1b07ddbe677e 100644 +--- a/include/net/af_unix.h ++++ b/include/net/af_unix.h +@@ -55,7 +55,7 @@ struct unix_sock { + struct mutex iolock, bindlock; + struct sock *peer; + struct list_head link; +- atomic_long_t inflight; ++ unsigned long inflight; + spinlock_t lock; + unsigned long gc_flags; + #define UNIX_GC_CANDIDATE 0 +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 484874872fa6f..e37cf913818a1 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -980,11 +980,11 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, + sk->sk_write_space = unix_write_space; + sk->sk_max_ack_backlog = net->unx.sysctl_max_dgram_qlen; + sk->sk_destruct = unix_sock_destructor; +- u = unix_sk(sk); ++ u = unix_sk(sk); ++ u->inflight = 0; + u->path.dentry = NULL; + u->path.mnt = NULL; + spin_lock_init(&u->lock); +- atomic_long_set(&u->inflight, 0); + INIT_LIST_HEAD(&u->link); + mutex_init(&u->iolock); /* single task reading lock */ + mutex_init(&u->bindlock); /* single task binding lock */ +diff 
--git a/net/unix/garbage.c b/net/unix/garbage.c +index 027c86e804f8a..aea222796dfdc 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -166,17 +166,18 @@ static void scan_children(struct sock *x, void (*func)(struct unix_sock *), + + static void dec_inflight(struct unix_sock *usk) + { +- atomic_long_dec(&usk->inflight); ++ usk->inflight--; + } + + static void inc_inflight(struct unix_sock *usk) + { +- atomic_long_inc(&usk->inflight); ++ usk->inflight++; + } + + static void inc_inflight_move_tail(struct unix_sock *u) + { +- atomic_long_inc(&u->inflight); ++ u->inflight++; ++ + /* If this still might be part of a cycle, move it to the end + * of the list, so that it's checked even if it was already + * passed over +@@ -237,14 +238,12 @@ void unix_gc(void) + */ + list_for_each_entry_safe(u, next, &gc_inflight_list, link) { + long total_refs; +- long inflight_refs; + + total_refs = file_count(u->sk.sk_socket->file); +- inflight_refs = atomic_long_read(&u->inflight); + +- BUG_ON(inflight_refs < 1); +- BUG_ON(total_refs < inflight_refs); +- if (total_refs == inflight_refs) { ++ BUG_ON(!u->inflight); ++ BUG_ON(total_refs < u->inflight); ++ if (total_refs == u->inflight) { + list_move_tail(&u->link, &gc_candidates); + __set_bit(UNIX_GC_CANDIDATE, &u->gc_flags); + __set_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags); +@@ -271,7 +270,7 @@ void unix_gc(void) + /* Move cursor to after the current position. 
*/ + list_move(&cursor, &u->link); + +- if (atomic_long_read(&u->inflight) > 0) { ++ if (u->inflight) { + list_move_tail(&u->link, &not_cycle_list); + __clear_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags); + scan_children(&u->sk, inc_inflight_move_tail, NULL); +diff --git a/net/unix/scm.c b/net/unix/scm.c +index 822ce0d0d7915..e92f2fad64105 100644 +--- a/net/unix/scm.c ++++ b/net/unix/scm.c +@@ -53,12 +53,13 @@ void unix_inflight(struct user_struct *user, struct file *fp) + if (s) { + struct unix_sock *u = unix_sk(s); + +- if (atomic_long_inc_return(&u->inflight) == 1) { ++ if (!u->inflight) { + BUG_ON(!list_empty(&u->link)); + list_add_tail(&u->link, &gc_inflight_list); + } else { + BUG_ON(list_empty(&u->link)); + } ++ u->inflight++; + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1); + } +@@ -75,10 +76,11 @@ void unix_notinflight(struct user_struct *user, struct file *fp) + if (s) { + struct unix_sock *u = unix_sk(s); + +- BUG_ON(!atomic_long_read(&u->inflight)); ++ BUG_ON(!u->inflight); + BUG_ON(list_empty(&u->link)); + +- if (atomic_long_dec_and_test(&u->inflight)) ++ u->inflight--; ++ if (!u->inflight) + list_del_init(&u->link); + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1); +-- +2.43.0 + diff --git a/queue-6.8/af_unix-fix-garbage-collector-racing-against-connect.patch b/queue-6.8/af_unix-fix-garbage-collector-racing-against-connect.patch new file mode 100644 index 00000000000..392535cf13e --- /dev/null +++ b/queue-6.8/af_unix-fix-garbage-collector-racing-against-connect.patch @@ -0,0 +1,122 @@ +From 985bbf97ce34e34cadfd7a3f7e92d198ac711703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 22:09:39 +0200 +Subject: af_unix: Fix garbage collector racing against connect() + +From: Michal Luczaj + +[ Upstream commit 47d8ac011fe1c9251070e1bd64cb10b48193ec51 ] + +Garbage collector does not take into account the risk of embryo getting 
+enqueued during the garbage collection. If such embryo has a peer that +carries SCM_RIGHTS, two consecutive passes of scan_children() may see a +different set of children. Leading to an incorrectly elevated inflight +count, and then a dangling pointer within the gc_inflight_list. + +sockets are AF_UNIX/SOCK_STREAM +S is an unconnected socket +L is a listening in-flight socket bound to addr, not in fdtable +V's fd will be passed via sendmsg(), gets inflight count bumped + +connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() +---------------- ------------------------- ----------- + +NS = unix_create1() +skb1 = sock_wmalloc(NS) +L = unix_find_other(addr) +unix_state_lock(L) +unix_peer(S) = NS + // V count=1 inflight=0 + + NS = unix_peer(S) + skb2 = sock_alloc() + skb_queue_tail(NS, skb2[V]) + + // V became in-flight + // V count=2 inflight=1 + + close(V) + + // V count=1 inflight=1 + // GC candidate condition met + + for u in gc_inflight_list: + if (total_refs == inflight_refs) + add u to gc_candidates + + // gc_candidates={L, V} + + for u in gc_candidates: + scan_children(u, dec_inflight) + + // embryo (skb1) was not + // reachable from L yet, so V's + // inflight remains unchanged +__skb_queue_tail(L, skb1) +unix_state_unlock(L) + for u in gc_candidates: + if (u.inflight) + scan_children(u, inc_inflight_move_tail) + + // V count=1 inflight=2 (!) + +If there is a GC-candidate listening socket, lock/unlock its state. This +makes GC wait until the end of any ongoing connect() to that socket. After +flipping the lock, a possibly SCM-laden embryo is already enqueued. And if +there is another embryo coming, it can not possibly carry SCM_RIGHTS. At +this point, unix_inflight() can not happen because unix_gc_lock is already +taken. Inflight graph remains unaffected. 
+ +Fixes: 1fd05ba5a2f2 ("[AF_UNIX]: Rewrite garbage collector, fixes race.") +Signed-off-by: Michal Luczaj +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240409201047.1032217-1-mhal@rbox.co +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/garbage.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index aea222796dfdc..8734c0c1fc197 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -235,11 +235,22 @@ void unix_gc(void) + * receive queues. Other, non candidate sockets _can_ be + * added to queue, so we must make sure only to touch + * candidates. ++ * ++ * Embryos, though never candidates themselves, affect which ++ * candidates are reachable by the garbage collector. Before ++ * being added to a listener's queue, an embryo may already ++ * receive data carrying SCM_RIGHTS, potentially making the ++ * passed socket a candidate that is not yet reachable by the ++ * collector. It becomes reachable once the embryo is ++ * enqueued. Therefore, we must ensure that no SCM-laden ++ * embryo appears in a (candidate) listener's queue between ++ * consecutive scan_children() calls. 
+ */ + list_for_each_entry_safe(u, next, &gc_inflight_list, link) { ++ struct sock *sk = &u->sk; + long total_refs; + +- total_refs = file_count(u->sk.sk_socket->file); ++ total_refs = file_count(sk->sk_socket->file); + + BUG_ON(!u->inflight); + BUG_ON(total_refs < u->inflight); +@@ -247,6 +258,11 @@ void unix_gc(void) + list_move_tail(&u->link, &gc_candidates); + __set_bit(UNIX_GC_CANDIDATE, &u->gc_flags); + __set_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags); ++ ++ if (sk->sk_state == TCP_LISTEN) { ++ unix_state_lock(sk); ++ unix_state_unlock(sk); ++ } + } + } + +-- +2.43.0 + diff --git a/queue-6.8/arm-omap2-fix-bogus-mmc-gpio-labels-on-nokia-n8x0.patch b/queue-6.8/arm-omap2-fix-bogus-mmc-gpio-labels-on-nokia-n8x0.patch new file mode 100644 index 00000000000..586e2759792 --- /dev/null +++ b/queue-6.8/arm-omap2-fix-bogus-mmc-gpio-labels-on-nokia-n8x0.patch @@ -0,0 +1,53 @@ +From 558c49b63bd404c94ae81733d0cae4ea26db4ed1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 20:14:35 +0200 +Subject: ARM: OMAP2+: fix bogus MMC GPIO labels on Nokia N8x0 + +From: Aaro Koskinen + +[ Upstream commit 95f37eb52e18879a1b16e51b972d992b39e50a81 ] + +The GPIO bank width is 32 on OMAP2, so all labels are incorrect. 
+ +Fixes: e519f0bb64ef ("ARM/mmc: Convert old mmci-omap to GPIO descriptors") +Signed-off-by: Aaro Koskinen +Message-ID: <20240223181439.1099750-2-aaro.koskinen@iki.fi> +Reviewed-by: Linus Walleij +Acked-by: Ulf Hansson +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/board-n8x0.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c +index 31755a378c736..3e48f34016c19 100644 +--- a/arch/arm/mach-omap2/board-n8x0.c ++++ b/arch/arm/mach-omap2/board-n8x0.c +@@ -144,8 +144,7 @@ static struct gpiod_lookup_table nokia8xx_mmc_gpio_table = { + .dev_id = "mmci-omap.0", + .table = { + /* Slot switch, GPIO 96 */ +- GPIO_LOOKUP("gpio-80-111", 16, +- "switch", GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP("gpio-96-127", 0, "switch", GPIO_ACTIVE_HIGH), + { } + }, + }; +@@ -154,11 +153,9 @@ static struct gpiod_lookup_table nokia810_mmc_gpio_table = { + .dev_id = "mmci-omap.0", + .table = { + /* Slot index 1, VSD power, GPIO 23 */ +- GPIO_LOOKUP_IDX("gpio-16-31", 7, +- "vsd", 1, GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP_IDX("gpio-0-31", 23, "vsd", 1, GPIO_ACTIVE_HIGH), + /* Slot index 1, VIO power, GPIO 9 */ +- GPIO_LOOKUP_IDX("gpio-0-15", 9, +- "vio", 1, GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP_IDX("gpio-0-31", 9, "vio", 1, GPIO_ACTIVE_HIGH), + { } + }, + }; +-- +2.43.0 + diff --git a/queue-6.8/arm-omap2-fix-n810-mmc-gpiod-table.patch b/queue-6.8/arm-omap2-fix-n810-mmc-gpiod-table.patch new file mode 100644 index 00000000000..27644e421cb --- /dev/null +++ b/queue-6.8/arm-omap2-fix-n810-mmc-gpiod-table.patch @@ -0,0 +1,69 @@ +From 3c37a1c21e45da3fc88a156dc4ebd3b9bf26b5fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 20:14:36 +0200 +Subject: ARM: OMAP2+: fix N810 MMC gpiod table + +From: Aaro Koskinen + +[ Upstream commit 480d44d0820dd5ae043dc97c0b46dabbe53cb1cf ] + +Trying to append a second table for the same dev_id doesn't seem to work. 
+The second table is just silently ignored. As a result eMMC GPIOs are not +present. + +Fix by using separate tables for N800 and N810. + +Fixes: e519f0bb64ef ("ARM/mmc: Convert old mmci-omap to GPIO descriptors") +Signed-off-by: Aaro Koskinen +Message-ID: <20240223181439.1099750-3-aaro.koskinen@iki.fi> +Reviewed-by: Linus Walleij +Acked-by: Ulf Hansson +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/board-n8x0.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c +index 3e48f34016c19..c933a91751e4f 100644 +--- a/arch/arm/mach-omap2/board-n8x0.c ++++ b/arch/arm/mach-omap2/board-n8x0.c +@@ -140,7 +140,7 @@ static int slot1_cover_open; + static int slot2_cover_open; + static struct device *mmc_device; + +-static struct gpiod_lookup_table nokia8xx_mmc_gpio_table = { ++static struct gpiod_lookup_table nokia800_mmc_gpio_table = { + .dev_id = "mmci-omap.0", + .table = { + /* Slot switch, GPIO 96 */ +@@ -152,6 +152,8 @@ static struct gpiod_lookup_table nokia8xx_mmc_gpio_table = { + static struct gpiod_lookup_table nokia810_mmc_gpio_table = { + .dev_id = "mmci-omap.0", + .table = { ++ /* Slot switch, GPIO 96 */ ++ GPIO_LOOKUP("gpio-96-127", 0, "switch", GPIO_ACTIVE_HIGH), + /* Slot index 1, VSD power, GPIO 23 */ + GPIO_LOOKUP_IDX("gpio-0-31", 23, "vsd", 1, GPIO_ACTIVE_HIGH), + /* Slot index 1, VIO power, GPIO 9 */ +@@ -412,8 +414,6 @@ static struct omap_mmc_platform_data *mmc_data[OMAP24XX_NR_MMC]; + + static void __init n8x0_mmc_init(void) + { +- gpiod_add_lookup_table(&nokia8xx_mmc_gpio_table); +- + if (board_is_n810()) { + mmc1_data.slots[0].name = "external"; + +@@ -426,6 +426,8 @@ static void __init n8x0_mmc_init(void) + mmc1_data.slots[1].name = "internal"; + mmc1_data.slots[1].ban_openended = 1; + gpiod_add_lookup_table(&nokia810_mmc_gpio_table); ++ } else { ++ gpiod_add_lookup_table(&nokia800_mmc_gpio_table); + } + + mmc1_data.nr_slots 
= 2; +-- +2.43.0 + diff --git a/queue-6.8/arm-omap2-fix-usb-regression-on-nokia-n8x0.patch b/queue-6.8/arm-omap2-fix-usb-regression-on-nokia-n8x0.patch new file mode 100644 index 00000000000..8a6badcf0c9 --- /dev/null +++ b/queue-6.8/arm-omap2-fix-usb-regression-on-nokia-n8x0.patch @@ -0,0 +1,41 @@ +From b9c899839708151b9514d8094003f682b069f73b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 20:16:56 +0200 +Subject: ARM: OMAP2+: fix USB regression on Nokia N8x0 + +From: Aaro Koskinen + +[ Upstream commit 4421405e3634a3189b541cf1e34598e44260720d ] + +GPIO chip labels are wrong for OMAP2, so the USB does not work. Fix. + +Fixes: 8e0285ab95a9 ("ARM/musb: omap2: Remove global GPIO numbers from TUSB6010") +Signed-off-by: Aaro Koskinen +Reviewed-by: Linus Walleij +Message-ID: <20240223181656.1099845-1-aaro.koskinen@iki.fi> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/board-n8x0.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c +index c933a91751e4f..ff2a4a4d82204 100644 +--- a/arch/arm/mach-omap2/board-n8x0.c ++++ b/arch/arm/mach-omap2/board-n8x0.c +@@ -79,10 +79,8 @@ static struct musb_hdrc_platform_data tusb_data = { + static struct gpiod_lookup_table tusb_gpio_table = { + .dev_id = "musb-tusb", + .table = { +- GPIO_LOOKUP("gpio-0-15", 0, "enable", +- GPIO_ACTIVE_HIGH), +- GPIO_LOOKUP("gpio-48-63", 10, "int", +- GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP("gpio-0-31", 0, "enable", GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP("gpio-32-63", 26, "int", GPIO_ACTIVE_HIGH), + { } + }, + }; +-- +2.43.0 + diff --git a/queue-6.8/arm64-dts-freescale-imx8mp-venice-gw72xx-2x-fix-usb-.patch b/queue-6.8/arm64-dts-freescale-imx8mp-venice-gw72xx-2x-fix-usb-.patch new file mode 100644 index 00000000000..d9785d76ae8 --- /dev/null +++ b/queue-6.8/arm64-dts-freescale-imx8mp-venice-gw72xx-2x-fix-usb-.patch @@ -0,0 +1,49 @@ +From 
90cb6f40cce01fe0603f93f497bb7b08e6aa4ef3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 12:02:15 -0800 +Subject: arm64: dts: freescale: imx8mp-venice-gw72xx-2x: fix USB vbus + regulator + +From: Tim Harvey + +[ Upstream commit 8cb10cba124c4798b6cb333245ecdc8dde78aeae ] + +When using usb-conn-gpio to control USB role and VBUS, the vbus-supply +property must be present in the usb-conn-gpio node. Additionally it +should not be present in the phy node as that isn't what controls vbus +and will upset the use count. + +This resolves an issue where VBUS is enabled with OTG in peripheral +mode. + +Fixes: ad9a12f7a522 ("arm64: dts: imx8mp-venice: Fix USB connector description") +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi +index 41c79d2ebdd62..f24b14744799e 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi +@@ -14,6 +14,7 @@ connector { + pinctrl-0 = <&pinctrl_usbcon1>; + type = "micro"; + label = "otg"; ++ vbus-supply = <&reg_usb1_vbus>; + id-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>; + + port { +@@ -183,7 +184,6 @@ &usb3_0 { + }; + + &usb3_phy0 { +- vbus-supply = <&reg_usb1_vbus>; + status = "okay"; + }; + +-- +2.43.0 + diff --git a/queue-6.8/arm64-dts-freescale-imx8mp-venice-gw73xx-2x-fix-usb-.patch b/queue-6.8/arm64-dts-freescale-imx8mp-venice-gw73xx-2x-fix-usb-.patch new file mode 100644 index 00000000000..c70d1f15f00 --- /dev/null +++ b/queue-6.8/arm64-dts-freescale-imx8mp-venice-gw73xx-2x-fix-usb-.patch @@ -0,0 +1,49 @@ +From 0219867594bc567162e80e83224c069c0a5443e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 12:02:16 -0800 +Subject: arm64: dts: freescale: 
imx8mp-venice-gw73xx-2x: fix USB vbus + regulator + +From: Tim Harvey + +[ Upstream commit 6f8e0aca838e163e81fde176e945161d50679339 ] + +When using usb-conn-gpio to control USB role and VBUS, the vbus-supply +property must be present in the usb-conn-gpio node. Additionally it +should not be present in the phy node as that isn't what controls vbus +and will upset the use count. + +This resolves an issue where VBUS is enabled with OTG in peripheral +mode. + +Fixes: ad9a12f7a522 ("arm64: dts: imx8mp-venice: Fix USB connector description") +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi +index d5c400b355af5..f5491a608b2f3 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi +@@ -14,6 +14,7 @@ connector { + pinctrl-0 = <&pinctrl_usbcon1>; + type = "micro"; + label = "otg"; ++ vbus-supply = <&reg_usb1_vbus>; + id-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>; + + port { +@@ -202,7 +203,6 @@ &usb3_0 { + }; + + &usb3_phy0 { +- vbus-supply = <&reg_usb1_vbus>; + status = "okay"; + }; + +-- +2.43.0 + diff --git a/queue-6.8/arm64-dts-imx8-ss-conn-fix-usdhc-wrong-lpcg-clock-or.patch b/queue-6.8/arm64-dts-imx8-ss-conn-fix-usdhc-wrong-lpcg-clock-or.patch new file mode 100644 index 00000000000..bd23582cc30 --- /dev/null +++ b/queue-6.8/arm64-dts-imx8-ss-conn-fix-usdhc-wrong-lpcg-clock-or.patch @@ -0,0 +1,95 @@ +From ace4fae128b5256586602ea08c834bb90759dbc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 12:47:05 -0400 +Subject: arm64: dts: imx8-ss-conn: fix usdhc wrong lpcg clock order + +From: Frank Li + +[ Upstream commit c6ddd6e7b166532a0816825442ff60f70aed9647 ] + +The actual clock show wrong frequency: + + echo on
>/sys/devices/platform/bus\@5b000000/5b010000.mmc/power/control + cat /sys/kernel/debug/mmc0/ios + + clock: 200000000 Hz + actual clock: 166000000 Hz + ^^^^^^^^^ + ..... + +According to + +sdhc0_lpcg: clock-controller@5b200000 { + compatible = "fsl,imx8qxp-lpcg"; + reg = <0x5b200000 0x10000>; + #clock-cells = <1>; + clocks = <&clk IMX_SC_R_SDHC_0 IMX_SC_PM_CLK_PER>, + <&conn_ipg_clk>, <&conn_axi_clk>; + clock-indices = <IMX_LPCG_CLK_0>, <IMX_LPCG_CLK_4>, + <IMX_LPCG_CLK_5>; + clock-output-names = "sdhc0_lpcg_per_clk", + "sdhc0_lpcg_ipg_clk", + "sdhc0_lpcg_ahb_clk"; + power-domains = <&pd IMX_SC_R_SDHC_0>; + } + +"per_clk" should be IMX_LPCG_CLK_0 instead of IMX_LPCG_CLK_5. + +After correct clocks order: + + echo on >/sys/devices/platform/bus\@5b000000/5b010000.mmc/power/control + cat /sys/kernel/debug/mmc0/ios + + clock: 200000000 Hz + actual clock: 198000000 Hz + ^^^^^^^^ + ... + +Fixes: 16c4ea7501b1 ("arm64: dts: imx8: switch to new lpcg clock binding") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi b/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi +index 3c42240e78e24..af2259e997967 100644 +--- a/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi +@@ -67,8 +67,8 @@ usdhc1: mmc@5b010000 { + interrupts = ; + reg = <0x5b010000 0x10000>; + clocks = <&sdhc0_lpcg IMX_LPCG_CLK_4>, +- <&sdhc0_lpcg IMX_LPCG_CLK_0>, +- <&sdhc0_lpcg IMX_LPCG_CLK_5>; ++ <&sdhc0_lpcg IMX_LPCG_CLK_5>, ++ <&sdhc0_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "ahb", "per"; + power-domains = <&pd IMX_SC_R_SDHC_0>; + status = "disabled"; +@@ -78,8 +78,8 @@ usdhc2: mmc@5b020000 { + interrupts = ; + reg = <0x5b020000 0x10000>; + clocks = <&sdhc1_lpcg IMX_LPCG_CLK_4>, +- <&sdhc1_lpcg IMX_LPCG_CLK_0>, +- <&sdhc1_lpcg IMX_LPCG_CLK_5>; ++ <&sdhc1_lpcg IMX_LPCG_CLK_5>, ++ <&sdhc1_lpcg
IMX_LPCG_CLK_0>; + clock-names = "ipg", "ahb", "per"; + power-domains = <&pd IMX_SC_R_SDHC_1>; + fsl,tuning-start-tap = <20>; +@@ -91,8 +91,8 @@ usdhc3: mmc@5b030000 { + interrupts = ; + reg = <0x5b030000 0x10000>; + clocks = <&sdhc2_lpcg IMX_LPCG_CLK_4>, +- <&sdhc2_lpcg IMX_LPCG_CLK_0>, +- <&sdhc2_lpcg IMX_LPCG_CLK_5>; ++ <&sdhc2_lpcg IMX_LPCG_CLK_5>, ++ <&sdhc2_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "ahb", "per"; + power-domains = <&pd IMX_SC_R_SDHC_2>; + status = "disabled"; +-- +2.43.0 + diff --git a/queue-6.8/base-node-acpi-enumerate-node-access-class-for-struc.patch b/queue-6.8/base-node-acpi-enumerate-node-access-class-for-struc.patch new file mode 100644 index 00000000000..66e6f60fab1 --- /dev/null +++ b/queue-6.8/base-node-acpi-enumerate-node-access-class-for-struc.patch @@ -0,0 +1,206 @@ +From b434fe9dd6d73f121a3f032249e7aed9fd0abb77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 14:59:21 -0700 +Subject: base/node / ACPI: Enumerate node access class for 'struct + access_coordinate' + +From: Dave Jiang + +[ Upstream commit 11270e526276ffad4c4237acb393da82a3287487 ] + +Both generic node and HMAT handling code have been using magic numbers to +indicate access classes for 'struct access_coordinate'. Introduce enums to +enumerate the access0 and access1 classes shared by the two subsystems. +Update the function parameters and callers as appropriate to utilize the +new enum. + +Access0 is named to ACCESS_COORDINATE_LOCAL in order to indicate that the +access class is for 'struct access_coordinate' between a target node and +the nearest initiator node. + +Access1 is named to ACCESS_COORDINATE_CPU in order to indicate that the +access class is for 'struct access_coordinate' between a target node and +the nearest CPU node. + +Cc: Greg Kroah-Hartman +Cc: Rafael J. 
Wysocki +Reviewed-by: Jonathan Cameron +Tested-by: Jonathan Cameron +Acked-by: Greg Kroah-Hartman +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/20240308220055.2172956-3-dave.jiang@intel.com +Signed-off-by: Dan Williams +Stable-dep-of: 592780b8391f ("cxl: Fix retrieving of access_coordinates in PCIe path") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 26 ++++++++++++++------------ + drivers/base/node.c | 6 +++--- + include/linux/node.h | 18 +++++++++++++++--- + 3 files changed, 32 insertions(+), 18 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index a26e7793ec4ef..e0144cfbf1f31 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -59,9 +59,7 @@ struct target_cache { + }; + + enum { +- NODE_ACCESS_CLASS_0 = 0, +- NODE_ACCESS_CLASS_1, +- NODE_ACCESS_CLASS_GENPORT_SINK, ++ NODE_ACCESS_CLASS_GENPORT_SINK = ACCESS_COORDINATE_MAX, + NODE_ACCESS_CLASS_MAX, + }; + +@@ -374,11 +372,11 @@ static __init void hmat_update_target(unsigned int tgt_pxm, unsigned int init_px + + if (target && target->processor_pxm == init_pxm) { + hmat_update_target_access(target, type, value, +- NODE_ACCESS_CLASS_0); ++ ACCESS_COORDINATE_LOCAL); + /* If the node has a CPU, update access 1 */ + if (node_state(pxm_to_node(init_pxm), N_CPU)) + hmat_update_target_access(target, type, value, +- NODE_ACCESS_CLASS_1); ++ ACCESS_COORDINATE_CPU); + } + } + +@@ -709,7 +707,8 @@ static void hmat_update_target_attrs(struct memory_target *target, + */ + if (target->processor_pxm != PXM_INVAL) { + cpu_nid = pxm_to_node(target->processor_pxm); +- if (access == 0 || node_state(cpu_nid, N_CPU)) { ++ if (access == ACCESS_COORDINATE_LOCAL || ++ node_state(cpu_nid, N_CPU)) { + set_bit(target->processor_pxm, p_nodes); + return; + } +@@ -737,7 +736,8 @@ static void hmat_update_target_attrs(struct memory_target *target, + list_for_each_entry(initiator, &initiators, node) { + u32 value; + +- if (access == 1 && !initiator->has_cpu) { ++ 
if (access == ACCESS_COORDINATE_CPU && ++ !initiator->has_cpu) { + clear_bit(initiator->processor_pxm, p_nodes); + continue; + } +@@ -782,8 +782,10 @@ static void hmat_register_target_initiators(struct memory_target *target) + { + static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); + +- __hmat_register_target_initiators(target, p_nodes, 0); +- __hmat_register_target_initiators(target, p_nodes, 1); ++ __hmat_register_target_initiators(target, p_nodes, ++ ACCESS_COORDINATE_LOCAL); ++ __hmat_register_target_initiators(target, p_nodes, ++ ACCESS_COORDINATE_CPU); + } + + static void hmat_register_target_cache(struct memory_target *target) +@@ -854,8 +856,8 @@ static void hmat_register_target(struct memory_target *target) + if (!target->registered) { + hmat_register_target_initiators(target); + hmat_register_target_cache(target); +- hmat_register_target_perf(target, NODE_ACCESS_CLASS_0); +- hmat_register_target_perf(target, NODE_ACCESS_CLASS_1); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_LOCAL); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_CPU); + target->registered = true; + } + mutex_unlock(&target_lock); +@@ -927,7 +929,7 @@ static int hmat_calculate_adistance(struct notifier_block *self, + return NOTIFY_OK; + + mutex_lock(&target_lock); +- hmat_update_target_attrs(target, p_nodes, 1); ++ hmat_update_target_attrs(target, p_nodes, ACCESS_COORDINATE_CPU); + mutex_unlock(&target_lock); + + perf = &target->coord[1]; +diff --git a/drivers/base/node.c b/drivers/base/node.c +index 1c05640461dd1..a73b0c9a401ad 100644 +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -126,7 +126,7 @@ static void node_access_release(struct device *dev) + } + + static struct node_access_nodes *node_init_node_access(struct node *node, +- unsigned int access) ++ enum access_coordinate_class access) + { + struct node_access_nodes *access_node; + struct device *dev; +@@ -191,7 +191,7 @@ static struct attribute *access_attrs[] = { + * @access: The access class the for the 
given attributes + */ + void node_set_perf_attrs(unsigned int nid, struct access_coordinate *coord, +- unsigned int access) ++ enum access_coordinate_class access) + { + struct node_access_nodes *c; + struct node *node; +@@ -689,7 +689,7 @@ int register_cpu_under_node(unsigned int cpu, unsigned int nid) + */ + int register_memory_node_under_compute_node(unsigned int mem_nid, + unsigned int cpu_nid, +- unsigned int access) ++ enum access_coordinate_class access) + { + struct node *init_node, *targ_node; + struct node_access_nodes *initiator, *target; +diff --git a/include/linux/node.h b/include/linux/node.h +index 25b66d705ee2e..dfc004e4bee74 100644 +--- a/include/linux/node.h ++++ b/include/linux/node.h +@@ -34,6 +34,18 @@ struct access_coordinate { + unsigned int write_latency; + }; + ++/* ++ * ACCESS_COORDINATE_LOCAL correlates to ACCESS CLASS 0 ++ * - access_coordinate between target node and nearest initiator node ++ * ACCESS_COORDINATE_CPU correlates to ACCESS CLASS 1 ++ * - access_coordinate between target node and nearest CPU node ++ */ ++enum access_coordinate_class { ++ ACCESS_COORDINATE_LOCAL, ++ ACCESS_COORDINATE_CPU, ++ ACCESS_COORDINATE_MAX ++}; ++ + enum cache_indexing { + NODE_CACHE_DIRECT_MAP, + NODE_CACHE_INDEXED, +@@ -66,7 +78,7 @@ struct node_cache_attrs { + #ifdef CONFIG_HMEM_REPORTING + void node_add_cache(unsigned int nid, struct node_cache_attrs *cache_attrs); + void node_set_perf_attrs(unsigned int nid, struct access_coordinate *coord, +- unsigned access); ++ enum access_coordinate_class access); + #else + static inline void node_add_cache(unsigned int nid, + struct node_cache_attrs *cache_attrs) +@@ -75,7 +87,7 @@ static inline void node_add_cache(unsigned int nid, + + static inline void node_set_perf_attrs(unsigned int nid, + struct access_coordinate *coord, +- unsigned access) ++ enum access_coordinate_class access) + { + } + #endif +@@ -137,7 +149,7 @@ extern void unregister_memory_block_under_nodes(struct memory_block *mem_blk); + + 
extern int register_memory_node_under_compute_node(unsigned int mem_nid, + unsigned int cpu_nid, +- unsigned access); ++ enum access_coordinate_class access); + #else + static inline void node_dev_init(void) + { +-- +2.43.0 + diff --git a/queue-6.8/block-fix-q-blkg_list-corruption-during-disk-rebind.patch b/queue-6.8/block-fix-q-blkg_list-corruption-during-disk-rebind.patch new file mode 100644 index 00000000000..ef6cb01c99d --- /dev/null +++ b/queue-6.8/block-fix-q-blkg_list-corruption-during-disk-rebind.patch @@ -0,0 +1,100 @@ +From ee999fbf711a3f31aeb96c920cd9e1d5281a13e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Apr 2024 20:59:10 +0800 +Subject: block: fix q->blkg_list corruption during disk rebind + +From: Ming Lei + +[ Upstream commit 8b8ace080319a866f5dfe9da8e665ae51d971c54 ] + +Multiple gendisk instances can allocated/added for single request queue +in case of disk rebind. blkg may still stay in q->blkg_list when calling +blkcg_init_disk() for rebind, then q->blkg_list becomes corrupted. + +Fix the list corruption issue by: + +- add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only +- move calling blkg_init_queue() into blk_alloc_queue() + +The list corruption should be started since commit f1c006f1c685 ("blk-cgroup: +synchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()") +which delays removing blkg from q->blkg_list into blkg_free_workfn(). 
+ +Fixes: f1c006f1c685 ("blk-cgroup: synchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()") +Fixes: 1059699f87eb ("block: move blkcg initialization/destroy into disk allocation/release handler") +Cc: Yu Kuai +Cc: Tejun Heo +Signed-off-by: Ming Lei +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/20240407125910.4053377-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-cgroup.c | 9 ++++++--- + block/blk-cgroup.h | 2 ++ + block/blk-core.c | 2 ++ + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index ff93c385ba5af..4529122e0cbdb 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1409,6 +1409,12 @@ static int blkcg_css_online(struct cgroup_subsys_state *css) + return 0; + } + ++void blkg_init_queue(struct request_queue *q) ++{ ++ INIT_LIST_HEAD(&q->blkg_list); ++ mutex_init(&q->blkcg_mutex); ++} ++ + int blkcg_init_disk(struct gendisk *disk) + { + struct request_queue *q = disk->queue; +@@ -1416,9 +1422,6 @@ int blkcg_init_disk(struct gendisk *disk) + bool preloaded; + int ret; + +- INIT_LIST_HEAD(&q->blkg_list); +- mutex_init(&q->blkcg_mutex); +- + new_blkg = blkg_alloc(&blkcg_root, disk, GFP_KERNEL); + if (!new_blkg) + return -ENOMEM; +diff --git a/block/blk-cgroup.h b/block/blk-cgroup.h +index b927a4a0ad030..5b0bdc268ade9 100644 +--- a/block/blk-cgroup.h ++++ b/block/blk-cgroup.h +@@ -188,6 +188,7 @@ struct blkcg_policy { + extern struct blkcg blkcg_root; + extern bool blkcg_debug_stats; + ++void blkg_init_queue(struct request_queue *q); + int blkcg_init_disk(struct gendisk *disk); + void blkcg_exit_disk(struct gendisk *disk); + +@@ -481,6 +482,7 @@ struct blkcg { + }; + + static inline struct blkcg_gq *blkg_lookup(struct blkcg *blkcg, void *key) { return NULL; } ++static inline void blkg_init_queue(struct request_queue *q) { } + static inline int blkcg_init_disk(struct gendisk *disk) { return 0; } + static inline void 
blkcg_exit_disk(struct gendisk *disk) { } + static inline int blkcg_policy_register(struct blkcg_policy *pol) { return 0; } +diff --git a/block/blk-core.c b/block/blk-core.c +index de771093b5268..99d684085719d 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -431,6 +431,8 @@ struct request_queue *blk_alloc_queue(int node_id) + init_waitqueue_head(&q->mq_freeze_wq); + mutex_init(&q->mq_freeze_lock); + ++ blkg_init_queue(q); ++ + /* + * Init percpu_ref in atomic mode so that it's faster to shutdown. + * See blk_register_queue() for details. +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-hci_sock-fix-not-validating-setsockopt-use.patch b/queue-6.8/bluetooth-hci_sock-fix-not-validating-setsockopt-use.patch new file mode 100644 index 00000000000..250c3e071fb --- /dev/null +++ b/queue-6.8/bluetooth-hci_sock-fix-not-validating-setsockopt-use.patch @@ -0,0 +1,78 @@ +From d6ba34426d8ba4e879d7d3a46032de93feb314ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 16:46:50 -0400 +Subject: Bluetooth: hci_sock: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit b2186061d6043d6345a97100460363e990af0d46 ] + +Check user input length before copying data. 
+ +Fixes: 09572fca7223 ("Bluetooth: hci_sock: Add support for BT_{SND,RCV}BUF") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sock.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 3e7cd330d731a..3f5f0932330d2 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -1946,10 +1946,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + + switch (optname) { + case HCI_DATA_DIR: +- if (copy_from_sockptr(&opt, optval, sizeof(opt))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ if (err) + break; +- } + + if (opt) + hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; +@@ -1958,10 +1957,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + break; + + case HCI_TIME_STAMP: +- if (copy_from_sockptr(&opt, optval, sizeof(opt))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ if (err) + break; +- } + + if (opt) + hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; +@@ -1979,11 +1977,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + uf.event_mask[1] = *((u32 *) f->event_mask + 1); + } + +- len = min_t(unsigned int, len, sizeof(uf)); +- if (copy_from_sockptr(&uf, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len); ++ if (err) + break; +- } + + if (!capable(CAP_NET_RAW)) { + uf.type_mask &= hci_sec_filter.type_mask; +@@ -2042,10 +2038,9 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, + goto done; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(opt))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ if (err) + break; +- } + + hci_pi(sk)->mtu = opt; + break; +-- +2.43.0 + diff --git 
a/queue-6.8/bluetooth-hci_sync-fix-using-the-same-interval-and-w.patch b/queue-6.8/bluetooth-hci_sync-fix-using-the-same-interval-and-w.patch new file mode 100644 index 00000000000..5b4d82d1208 --- /dev/null +++ b/queue-6.8/bluetooth-hci_sync-fix-using-the-same-interval-and-w.patch @@ -0,0 +1,48 @@ +From 526cd2d58274c5cedbaa603946e0e14c596d00b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 15:58:10 -0400 +Subject: Bluetooth: hci_sync: Fix using the same interval and window for Coded + PHY + +From: Luiz Augusto von Dentz + +[ Upstream commit 53cb4197e63ab2363aa28c3029061e4d516e7626 ] + +Coded PHY recommended intervals are 3 time bigger than the 1M PHY so +this aligns with that by multiplying by 3 the values given to 1M PHY +since the code already used recommended values for that. + +Fixes: 288c90224eec ("Bluetooth: Enable all supported LE PHY by default") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 89bd1c1a3e0e8..e1050d7d21a59 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2664,8 +2664,8 @@ static int hci_le_set_ext_scan_param_sync(struct hci_dev *hdev, u8 type, + if (qos->bcast.in.phy & BT_ISO_PHY_CODED) { + cp->scanning_phys |= LE_SCAN_PHY_CODED; + hci_le_scan_phy_params(phy, type, +- interval, +- window); ++ interval * 3, ++ window * 3); + num_phy++; + phy++; + } +@@ -2685,7 +2685,7 @@ static int hci_le_set_ext_scan_param_sync(struct hci_dev *hdev, u8 type, + + if (scan_coded(hdev)) { + cp->scanning_phys |= LE_SCAN_PHY_CODED; +- hci_le_scan_phy_params(phy, type, interval, window); ++ hci_le_scan_phy_params(phy, type, interval * 3, window * 3); + num_phy++; + phy++; + } +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-hci_sync-use-qos-to-determine-which-phy-to.patch 
b/queue-6.8/bluetooth-hci_sync-use-qos-to-determine-which-phy-to.patch new file mode 100644 index 00000000000..333eb177ba1 --- /dev/null +++ b/queue-6.8/bluetooth-hci_sync-use-qos-to-determine-which-phy-to.patch @@ -0,0 +1,125 @@ +From 7dac1a3d5a53fc6da14e89692e34cf3300146be1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 09:38:10 -0500 +Subject: Bluetooth: hci_sync: Use QoS to determine which PHY to scan + +From: Luiz Augusto von Dentz + +[ Upstream commit 22cbf4f84c00da64196eb15034feee868e63eef0 ] + +This used the hci_conn QoS to determine which PHY to scan when creating +a PA Sync. + +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: 53cb4197e63a ("Bluetooth: hci_sync: Fix using the same interval and window for Coded PHY") +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 66 +++++++++++++++++++++++++++++++++------- + 1 file changed, 55 insertions(+), 11 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 824ce03bb361b..89bd1c1a3e0e8 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2611,6 +2611,14 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + return filter_policy; + } + ++static void hci_le_scan_phy_params(struct hci_cp_le_scan_phy_params *cp, ++ u8 type, u16 interval, u16 window) ++{ ++ cp->type = type; ++ cp->interval = cpu_to_le16(interval); ++ cp->window = cpu_to_le16(window); ++} ++ + static int hci_le_set_ext_scan_param_sync(struct hci_dev *hdev, u8 type, + u16 interval, u16 window, + u8 own_addr_type, u8 filter_policy) +@@ -2618,7 +2626,7 @@ static int hci_le_set_ext_scan_param_sync(struct hci_dev *hdev, u8 type, + struct hci_cp_le_set_ext_scan_params *cp; + struct hci_cp_le_scan_phy_params *phy; + u8 data[sizeof(*cp) + sizeof(*phy) * 2]; +- u8 num_phy = 0; ++ u8 num_phy = 0x00; + + cp = (void *)data; + phy = (void *)cp->data; +@@ -2628,28 +2636,64 @@ static int hci_le_set_ext_scan_param_sync(struct hci_dev *hdev, u8 type, + 
cp->own_addr_type = own_addr_type; + cp->filter_policy = filter_policy; + ++ /* Check if PA Sync is in progress then select the PHY based on the ++ * hci_conn.iso_qos. ++ */ ++ if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) { ++ struct hci_cp_le_add_to_accept_list *sent; ++ ++ sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST); ++ if (sent) { ++ struct hci_conn *conn; ++ ++ conn = hci_conn_hash_lookup_ba(hdev, ISO_LINK, ++ &sent->bdaddr); ++ if (conn) { ++ struct bt_iso_qos *qos = &conn->iso_qos; ++ ++ if (qos->bcast.in.phy & BT_ISO_PHY_1M || ++ qos->bcast.in.phy & BT_ISO_PHY_2M) { ++ cp->scanning_phys |= LE_SCAN_PHY_1M; ++ hci_le_scan_phy_params(phy, type, ++ interval, ++ window); ++ num_phy++; ++ phy++; ++ } ++ ++ if (qos->bcast.in.phy & BT_ISO_PHY_CODED) { ++ cp->scanning_phys |= LE_SCAN_PHY_CODED; ++ hci_le_scan_phy_params(phy, type, ++ interval, ++ window); ++ num_phy++; ++ phy++; ++ } ++ ++ if (num_phy) ++ goto done; ++ } ++ } ++ } ++ + if (scan_1m(hdev) || scan_2m(hdev)) { + cp->scanning_phys |= LE_SCAN_PHY_1M; +- +- phy->type = type; +- phy->interval = cpu_to_le16(interval); +- phy->window = cpu_to_le16(window); +- ++ hci_le_scan_phy_params(phy, type, interval, window); + num_phy++; + phy++; + } + + if (scan_coded(hdev)) { + cp->scanning_phys |= LE_SCAN_PHY_CODED; +- +- phy->type = type; +- phy->interval = cpu_to_le16(interval); +- phy->window = cpu_to_le16(window); +- ++ hci_le_scan_phy_params(phy, type, interval, window); + num_phy++; + phy++; + } + ++done: ++ if (!num_phy) ++ return -EINVAL; ++ + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS, + sizeof(*cp) + sizeof(*phy) * num_phy, + data, HCI_CMD_TIMEOUT); +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-iso-align-broadcast-sync_timeout-with-conn.patch b/queue-6.8/bluetooth-iso-align-broadcast-sync_timeout-with-conn.patch new file mode 100644 index 00000000000..2b2d9abedb0 --- /dev/null +++ b/queue-6.8/bluetooth-iso-align-broadcast-sync_timeout-with-conn.patch @@ -0,0 +1,53 @@ 
+From 793d1adc4e846a72e05b52c16b900dc00ebc4541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 11:58:17 -0500 +Subject: Bluetooth: ISO: Align broadcast sync_timeout with connection timeout + +From: Luiz Augusto von Dentz + +[ Upstream commit 42ed95de82c01184a88945d3ca274be6a7ea607d ] + +This aligns broadcast sync_timeout with existing connection timeouts +which are 20 seconds long. + +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: b37cab587aa3 ("Bluetooth: ISO: Don't reject BT_ISO_QOS if parameters are unset") +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/bluetooth.h | 2 ++ + net/bluetooth/iso.c | 4 ++-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h +index 7ffa8c192c3f2..9fe95a22abeb7 100644 +--- a/include/net/bluetooth/bluetooth.h ++++ b/include/net/bluetooth/bluetooth.h +@@ -164,6 +164,8 @@ struct bt_voice { + #define BT_ISO_QOS_BIG_UNSET 0xff + #define BT_ISO_QOS_BIS_UNSET 0xff + ++#define BT_ISO_SYNC_TIMEOUT 0x07d0 /* 20 secs */ ++ + struct bt_iso_io_qos { + __u32 interval; + __u16 latency; +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 04f6572d35f17..4fa1f3b779a71 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -837,10 +837,10 @@ static struct bt_iso_qos default_qos = { + .bcode = {0x00}, + .options = 0x00, + .skip = 0x0000, +- .sync_timeout = 0x4000, ++ .sync_timeout = BT_ISO_SYNC_TIMEOUT, + .sync_cte_type = 0x00, + .mse = 0x00, +- .timeout = 0x4000, ++ .timeout = BT_ISO_SYNC_TIMEOUT, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-iso-don-t-reject-bt_iso_qos-if-parameters-.patch b/queue-6.8/bluetooth-iso-don-t-reject-bt_iso_qos-if-parameters-.patch new file mode 100644 index 00000000000..213ad53fb1d --- /dev/null +++ b/queue-6.8/bluetooth-iso-don-t-reject-bt_iso_qos-if-parameters-.patch @@ -0,0 +1,57 @@ +From 111a212a95a11594741a69f348263ffb271ba68a Mon Sep 17 00:00:00 2001 +From: Sasha 
Levin +Date: Wed, 13 Mar 2024 15:43:18 -0400 +Subject: Bluetooth: ISO: Don't reject BT_ISO_QOS if parameters are unset + +From: Luiz Augusto von Dentz + +[ Upstream commit b37cab587aa3c9ab29c6b10aa55627dad713011f ] + +Consider certain values (0x00) as unset and load proper default if +an application has not set them properly. + +Fixes: 0fe8c8d07134 ("Bluetooth: Split bt_iso_qos into dedicated structures") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 4fa1f3b779a71..3681e3673654a 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1430,8 +1430,8 @@ static bool check_ucast_qos(struct bt_iso_qos *qos) + + static bool check_bcast_qos(struct bt_iso_qos *qos) + { +- if (qos->bcast.sync_factor == 0x00) +- return false; ++ if (!qos->bcast.sync_factor) ++ qos->bcast.sync_factor = 0x01; + + if (qos->bcast.packing > 0x01) + return false; +@@ -1454,6 +1454,9 @@ static bool check_bcast_qos(struct bt_iso_qos *qos) + if (qos->bcast.skip > 0x01f3) + return false; + ++ if (!qos->bcast.sync_timeout) ++ qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT; ++ + if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000) + return false; + +@@ -1463,6 +1466,9 @@ static bool check_bcast_qos(struct bt_iso_qos *qos) + if (qos->bcast.mse > 0x1f) + return false; + ++ if (!qos->bcast.timeout) ++ qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT; ++ + if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000) + return false; + +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-iso-fix-not-validating-setsockopt-user-inp.patch b/queue-6.8/bluetooth-iso-fix-not-validating-setsockopt-user-inp.patch new file mode 100644 index 00000000000..960685b9c2f --- /dev/null +++ b/queue-6.8/bluetooth-iso-fix-not-validating-setsockopt-user-inp.patch @@ -0,0 +1,107 @@ +From 84b7ddd1da7548f70f370167829509a08d6b2778 
Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 15:56:50 -0400 +Subject: Bluetooth: ISO: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit 9e8742cdfc4b0e65266bb4a901a19462bda9285e ] + +Check user input length before copying data. + +Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") +Fixes: 0731c5ab4d51 ("Bluetooth: ISO: Add support for BT_PKT_STATUS") +Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support") +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 36 ++++++++++++------------------------ + 1 file changed, 12 insertions(+), 24 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 3681e3673654a..a8b05baa8e5a9 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1479,7 +1479,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + sockptr_t optval, unsigned int optlen) + { + struct sock *sk = sock->sk; +- int len, err = 0; ++ int err = 0; + struct bt_iso_qos qos = default_qos; + u32 opt; + +@@ -1494,10 +1494,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); +@@ -1506,10 +1505,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_PKT_STATUS: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); +@@ -1524,17 +1522,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- len = min_t(unsigned int, sizeof(qos), optlen); +- 
+- if (copy_from_sockptr(&qos, optval, len)) { +- err = -EFAULT; +- break; +- } +- +- if (len == sizeof(qos.ucast) && !check_ucast_qos(&qos)) { +- err = -EINVAL; ++ err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen); ++ if (err) + break; +- } + + iso_pi(sk)->qos = qos; + iso_pi(sk)->qos_user_set = true; +@@ -1549,18 +1539,16 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + } + + if (optlen > sizeof(iso_pi(sk)->base)) { +- err = -EOVERFLOW; ++ err = -EINVAL; + break; + } + +- len = min_t(unsigned int, sizeof(iso_pi(sk)->base), optlen); +- +- if (copy_from_sockptr(iso_pi(sk)->base, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval, ++ optlen); ++ if (err) + break; +- } + +- iso_pi(sk)->base_len = len; ++ iso_pi(sk)->base_len = optlen; + + break; + +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-l2cap-don-t-double-set-the-hci_conn_mgmt_c.patch b/queue-6.8/bluetooth-l2cap-don-t-double-set-the-hci_conn_mgmt_c.patch new file mode 100644 index 00000000000..57d890ae8fe --- /dev/null +++ b/queue-6.8/bluetooth-l2cap-don-t-double-set-the-hci_conn_mgmt_c.patch @@ -0,0 +1,38 @@ +From 8fc42216a27df2358f85db565c545dc522943eca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 18:50:23 +0800 +Subject: Bluetooth: l2cap: Don't double set the HCI_CONN_MGMT_CONNECTED bit + +From: Archie Pusaka + +[ Upstream commit 600b0bbe73d3a9a264694da0e4c2c0800309141e ] + +The bit is set and tested inside mgmt_device_connected(), therefore we +must not set it just outside the function. 
+ +Fixes: eeda1bf97bb5 ("Bluetooth: hci_event: Fix not indicating new connection for BIG Sync") +Signed-off-by: Archie Pusaka +Reviewed-by: Manish Mandlik +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index ab5a9d42fae71..706d2478ddb33 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4054,8 +4054,7 @@ static int l2cap_connect_req(struct l2cap_conn *conn, + return -EPROTO; + + hci_dev_lock(hdev); +- if (hci_dev_test_flag(hdev, HCI_MGMT) && +- !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) ++ if (hci_dev_test_flag(hdev, HCI_MGMT)) + mgmt_device_connected(hdev, hcon, NULL, 0); + hci_dev_unlock(hdev); + +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch b/queue-6.8/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch new file mode 100644 index 00000000000..f1699960ece --- /dev/null +++ b/queue-6.8/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch @@ -0,0 +1,165 @@ +From 6406c4efea8729b59e4bf68cdb9fe519d79b3f73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 15:50:47 -0400 +Subject: Bluetooth: L2CAP: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit 4f3951242ace5efc7131932e2e01e6ac6baed846 ] + +Check user input length before copying data. 
+ +Fixes: 33575df7be67 ("Bluetooth: move l2cap_sock_setsockopt() to l2cap_sock.c") +Fixes: 3ee7b7cd8390 ("Bluetooth: Add BT_MODE socket option") +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 52 +++++++++++++++----------------------- + 1 file changed, 20 insertions(+), 32 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index ee7a41d6994fc..1eeea5d1306c2 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -726,7 +726,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + struct sock *sk = sock->sk; + struct l2cap_chan *chan = l2cap_pi(sk)->chan; + struct l2cap_options opts; +- int len, err = 0; ++ int err = 0; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -753,11 +753,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + opts.max_tx = chan->max_tx; + opts.txwin_size = chan->tx_win; + +- len = min_t(unsigned int, sizeof(opts), optlen); +- if (copy_from_sockptr(&opts, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen); ++ if (err) + break; +- } + + if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { + err = -EINVAL; +@@ -800,10 +798,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + break; + + case L2CAP_LM: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt & L2CAP_LM_FIPS) { + err = -EINVAL; +@@ -884,7 +881,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + struct bt_security sec; + struct bt_power pwr; + struct l2cap_conn *conn; +- int len, err = 0; ++ int err = 0; + u32 opt; + u16 mtu; + u8 mode; +@@ -910,11 +907,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + + sec.level = BT_SECURITY_LOW; + +- len = 
min_t(unsigned int, sizeof(sec), optlen); +- if (copy_from_sockptr(&sec, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ if (err) + break; +- } + + if (sec.level < BT_SECURITY_LOW || + sec.level > BT_SECURITY_FIPS) { +@@ -959,10 +954,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) { + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); +@@ -974,10 +968,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_FLUSHABLE: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt > BT_FLUSHABLE_ON) { + err = -EINVAL; +@@ -1009,11 +1002,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + + pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; + +- len = min_t(unsigned int, sizeof(pwr), optlen); +- if (copy_from_sockptr(&pwr, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen); ++ if (err) + break; +- } + + if (pwr.force_active) + set_bit(FLAG_FORCE_ACTIVE, &chan->flags); +@@ -1022,10 +1013,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_CHANNEL_POLICY: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + err = -EOPNOTSUPP; + break; +@@ -1054,10 +1044,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen); ++ if (err) + 
break; +- } + + if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && + sk->sk_state == BT_CONNECTED) +@@ -1085,10 +1074,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&mode, optval, sizeof(u8))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen); ++ if (err) + break; +- } + + BT_DBG("mode %u", mode); + +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-rfcomm-fix-not-validating-setsockopt-user-.patch b/queue-6.8/bluetooth-rfcomm-fix-not-validating-setsockopt-user-.patch new file mode 100644 index 00000000000..e5aeace0814 --- /dev/null +++ b/queue-6.8/bluetooth-rfcomm-fix-not-validating-setsockopt-user-.patch @@ -0,0 +1,83 @@ +From 0bf64134f75715972040cd9bd0434cf982e7982b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 15:43:45 -0400 +Subject: Bluetooth: RFCOMM: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 ] + +syzbot reported rfcomm_sock_setsockopt_old() is copying data without +checking user input length. 
+ +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset +include/linux/sockptr.h:49 [inline] +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr +include/linux/sockptr.h:55 [inline] +BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old +net/bluetooth/rfcomm/sock.c:632 [inline] +BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 +net/bluetooth/rfcomm/sock.c:673 +Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064 + +Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level") +Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/rfcomm/sock.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index b54e8a530f55a..29aa07e9db9d7 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, + + switch (optname) { + case RFCOMM_LM: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { ++ if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { + err = -EFAULT; + break; + } +@@ -664,7 +664,6 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, + struct sock *sk = sock->sk; + struct bt_security sec; + int err = 0; +- size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -686,11 +685,9 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, + + sec.level = BT_SECURITY_LOW; + +- len = min_t(unsigned int, sizeof(sec), optlen); +- if (copy_from_sockptr(&sec, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ if (err) + break; +- } + + if (sec.level > BT_SECURITY_HIGH) { + err = -EINVAL; +@@ -706,10 +703,9 @@ static int 
rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); +-- +2.43.0 + diff --git a/queue-6.8/bluetooth-sco-fix-not-validating-setsockopt-user-inp.patch b/queue-6.8/bluetooth-sco-fix-not-validating-setsockopt-user-inp.patch new file mode 100644 index 00000000000..09f37ad02ce --- /dev/null +++ b/queue-6.8/bluetooth-sco-fix-not-validating-setsockopt-user-inp.patch @@ -0,0 +1,122 @@ +From 899c9390c16b2cb6ce89da9b1382a5db18ad139a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 15:41:52 -0400 +Subject: Bluetooth: SCO: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit 51eda36d33e43201e7a4fd35232e069b2c850b01 ] + +syzbot reported sco_sock_setsockopt() is copying data without +checking user input length. 
+ +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset +include/linux/sockptr.h:49 [inline] +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr +include/linux/sockptr.h:55 [inline] +BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 +net/bluetooth/sco.c:893 +Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578 + +Fixes: ad10b1a48754 ("Bluetooth: Add Bluetooth socket voice option") +Fixes: b96e9c671b05 ("Bluetooth: Add BT_DEFER_SETUP option to sco socket") +Fixes: 00398e1d5183 ("Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections") +Fixes: f6873401a608 ("Bluetooth: Allow setting of codec for HFP offload use case") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/bluetooth.h | 9 +++++++++ + net/bluetooth/sco.c | 23 ++++++++++------------- + 2 files changed, 19 insertions(+), 13 deletions(-) + +diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h +index 9fe95a22abeb7..eaec5d6caa29d 100644 +--- a/include/net/bluetooth/bluetooth.h ++++ b/include/net/bluetooth/bluetooth.h +@@ -585,6 +585,15 @@ static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk, + return skb; + } + ++static inline int bt_copy_from_sockptr(void *dst, size_t dst_size, ++ sockptr_t src, size_t src_size) ++{ ++ if (dst_size > src_size) ++ return -EINVAL; ++ ++ return copy_from_sockptr(dst, src, dst_size); ++} ++ + int bt_to_errno(u16 code); + __u8 bt_status(int err); + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index c736186aba26b..8e4f39b8601cb 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -823,7 +823,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + sockptr_t optval, unsigned int optlen) + { + struct sock *sk = sock->sk; +- int len, err = 0; ++ int err = 0; + struct bt_voice voice; + u32 opt; + struct bt_codecs *codecs; +@@ -842,10 +842,9 @@ static 
int sco_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); +@@ -862,11 +861,10 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + + voice.setting = sco_pi(sk)->setting; + +- len = min_t(unsigned int, sizeof(voice), optlen); +- if (copy_from_sockptr(&voice, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&voice, sizeof(voice), optval, ++ optlen); ++ if (err) + break; +- } + + /* Explicitly check for these values */ + if (voice.setting != BT_VOICE_TRANSPARENT && +@@ -889,10 +887,9 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_PKT_STATUS: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); +@@ -933,9 +930,9 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(buffer, optval, optlen)) { ++ err = bt_copy_from_sockptr(buffer, optlen, optval, optlen); ++ if (err) { + hci_dev_put(hdev); +- err = -EFAULT; + break; + } + +-- +2.43.0 + diff --git a/queue-6.8/bnxt_en-fix-error-recovery-for-roce-ulp-client.patch b/queue-6.8/bnxt_en-fix-error-recovery-for-roce-ulp-client.patch new file mode 100644 index 00000000000..f8ab898a84d --- /dev/null +++ b/queue-6.8/bnxt_en-fix-error-recovery-for-roce-ulp-client.patch @@ -0,0 +1,41 @@ +From b0ca1dce0dc3f6445d41f731e6e646c321b1569c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 16:55:12 -0700 +Subject: bnxt_en: Fix error recovery for RoCE ulp client + +From: Vikas Gupta + +[ Upstream commit b5ea7d33ba2a42b95b4298d08d2af9cdeeaf0090 ] + 
+Since runtime MSIXs vector allocation/free has been removed, +the L2 driver needs to repopulate the MSIX entries for the +ulp client as the irq table may change during the recovery +process. + +Fixes: 303432211324 ("bnxt_en: Remove runtime interrupt vector allocation") +Reviewed-by: Andy Gospodarek +Signed-off-by: Vikas Gupta +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index a5f9c9090a6b0..195c02dc06830 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -210,6 +210,9 @@ void bnxt_ulp_start(struct bnxt *bp, int err) + if (err) + return; + ++ if (edev->ulp_tbl->msix_requested) ++ bnxt_fill_msix_vecs(bp, edev->msix_entries); ++ + if (aux_priv) { + struct auxiliary_device *adev; + +-- +2.43.0 + diff --git a/queue-6.8/bnxt_en-fix-possible-memory-leak-in-bnxt_rdma_aux_de.patch b/queue-6.8/bnxt_en-fix-possible-memory-leak-in-bnxt_rdma_aux_de.patch new file mode 100644 index 00000000000..d7669f0ed10 --- /dev/null +++ b/queue-6.8/bnxt_en-fix-possible-memory-leak-in-bnxt_rdma_aux_de.patch @@ -0,0 +1,45 @@ +From 919e30801f4269fe5663698af8996ab1578b2336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 16:55:11 -0700 +Subject: bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init() + +From: Vikas Gupta + +[ Upstream commit 7ac10c7d728d75bc9daaa8fade3c7a3273b9a9ff ] + +If ulp = kzalloc() fails, the allocated edev will leak because it is +not properly assigned and the cleanup path will not be able to free it. +Fix it by assigning it properly immediately after allocation. 
+ +Fixes: 303432211324 ("bnxt_en: Remove runtime interrupt vector allocation") +Reviewed-by: Andy Gospodarek +Signed-off-by: Vikas Gupta +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index 93f9bd55020f2..a5f9c9090a6b0 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -392,12 +392,13 @@ void bnxt_rdma_aux_device_init(struct bnxt *bp) + if (!edev) + goto aux_dev_uninit; + ++ aux_priv->edev = edev; ++ + ulp = kzalloc(sizeof(*ulp), GFP_KERNEL); + if (!ulp) + goto aux_dev_uninit; + + edev->ulp_tbl = ulp; +- aux_priv->edev = edev; + bp->edev = edev; + bnxt_set_edev_info(edev, bp); + +-- +2.43.0 + diff --git a/queue-6.8/bnxt_en-reset-ptp-tx_avail-after-possible-firmware-r.patch b/queue-6.8/bnxt_en-reset-ptp-tx_avail-after-possible-firmware-r.patch new file mode 100644 index 00000000000..6882cc0b82a --- /dev/null +++ b/queue-6.8/bnxt_en-reset-ptp-tx_avail-after-possible-firmware-r.patch @@ -0,0 +1,42 @@ +From 4be6f72f4d1487e076b88e5dc90be49feaad8df3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 16:55:13 -0700 +Subject: bnxt_en: Reset PTP tx_avail after possible firmware reset + +From: Pavan Chebbi + +[ Upstream commit faa12ca245585379d612736a4b5e98e88481ea59 ] + +It is possible that during error recovery and firmware reset, +there is a pending TX PTP packet waiting for the timestamp. +We need to reset this condition so that after recovery, the +tx_avail count for PTP is reset back to the initial value. +Otherwise, we may not accept any PTP TX timestamps after +recovery. 
+ +Fixes: 118612d519d8 ("bnxt_en: Add PTP clock APIs, ioctls, and ethtool methods") +Reviewed-by: Kalesh AP +Signed-off-by: Pavan Chebbi +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 39845d556bafc..5e6e32d708e24 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11526,6 +11526,8 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init) + /* VF-reps may need to be re-opened after the PF is re-opened */ + if (BNXT_PF(bp)) + bnxt_vf_reps_open(bp); ++ if (bp->ptp_cfg) ++ atomic_set(&bp->ptp_cfg->tx_avail, BNXT_MAX_TX_TS); + bnxt_ptp_init_rtc(bp, true); + bnxt_ptp_cfg_tstamp_filters(bp); + return 0; +-- +2.43.0 + diff --git a/queue-6.8/cxl-core-fix-initialization-of-mbox_cmd.size_out-in-.patch b/queue-6.8/cxl-core-fix-initialization-of-mbox_cmd.size_out-in-.patch new file mode 100644 index 00000000000..61af0ef20f4 --- /dev/null +++ b/queue-6.8/cxl-core-fix-initialization-of-mbox_cmd.size_out-in-.patch @@ -0,0 +1,61 @@ +From 0ee83074fabb2ea114d12f16cf8b590f4986176a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 17:14:03 +0900 +Subject: cxl/core: Fix initialization of mbox_cmd.size_out in get event + +From: Kwangjin Ko + +[ Upstream commit f7c52345ccc96343c0a05bdea3121c8ac7b67d5f ] + +Since mbox_cmd.size_out is overwritten with the actual output size in +the function below, it needs to be initialized every time. + +cxl_internal_send_cmd -> __cxl_pci_mbox_send_cmd + +Problem scenario: + +1) The size_out variable is initially set to the size of the mailbox. +2) Read an event. + - size_out is set to 160 bytes (header 32B + one event 128B). + - Two events are created while reading. +3) Read the new *two* events. 
+ - size_out is still set to 160 bytes. + - Although the value of out_len is 288 bytes, only 160 bytes are + copied from the mailbox register to the local variable. + - record_count is set to 2. + - Accessing records[1] will result in reading incorrect data. + +Fixes: 6ebe28f9ec72 ("cxl/mem: Read, trace, and clear events on driver load") +Tested-by: Ira Weiny +Reviewed-by: Ira Weiny +Reviewed-by: Jonathan Cameron +Signed-off-by: Kwangjin Ko +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/mbox.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c +index 50146161887d5..f0f54aeccc872 100644 +--- a/drivers/cxl/core/mbox.c ++++ b/drivers/cxl/core/mbox.c +@@ -958,13 +958,14 @@ static void cxl_mem_get_records_log(struct cxl_memdev_state *mds, + .payload_in = &log_type, + .size_in = sizeof(log_type), + .payload_out = payload, +- .size_out = mds->payload_size, + .min_out = struct_size(payload, records, 0), + }; + + do { + int rc, i; + ++ mbox_cmd.size_out = mds->payload_size; ++ + rc = cxl_internal_send_cmd(mds, &mbox_cmd); + if (rc) { + dev_err_ratelimited(dev, +-- +2.43.0 + diff --git a/queue-6.8/cxl-core-regs-fix-usage-of-map-reg_type-in-cxl_decod.patch b/queue-6.8/cxl-core-regs-fix-usage-of-map-reg_type-in-cxl_decod.patch new file mode 100644 index 00000000000..a7b48ab67fb --- /dev/null +++ b/queue-6.8/cxl-core-regs-fix-usage-of-map-reg_type-in-cxl_decod.patch @@ -0,0 +1,53 @@ +From 5382167bdfd3a20cebcd0f0f4ff8d20c6a3f0a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 11:15:08 -0700 +Subject: cxl/core/regs: Fix usage of map->reg_type in cxl_decode_regblock() + before assigned + +From: Dave Jiang + +[ Upstream commit 5c88a9ccd4c431d58b532e4158b6999a8350062c ] + +In the error path, map->reg_type is being used for kernel warning +before its value is setup. Found by code inspection. Exposure to +user is wrong reg_type being emitted via kernel log. 
Use a local +var for reg_type and retrieve value for usage. + +Fixes: 6c7f4f1e51c2 ("cxl/core/regs: Make cxl_map_{component, device}_regs() device generic") +Reviewed-by: Dan Williams +Reviewed-by: Davidlohr Bueso +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/regs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/cxl/core/regs.c b/drivers/cxl/core/regs.c +index 372786f809555..3c42f984eeafa 100644 +--- a/drivers/cxl/core/regs.c ++++ b/drivers/cxl/core/regs.c +@@ -271,6 +271,7 @@ EXPORT_SYMBOL_NS_GPL(cxl_map_device_regs, CXL); + static bool cxl_decode_regblock(struct pci_dev *pdev, u32 reg_lo, u32 reg_hi, + struct cxl_register_map *map) + { ++ u8 reg_type = FIELD_GET(CXL_DVSEC_REG_LOCATOR_BLOCK_ID_MASK, reg_lo); + int bar = FIELD_GET(CXL_DVSEC_REG_LOCATOR_BIR_MASK, reg_lo); + u64 offset = ((u64)reg_hi << 32) | + (reg_lo & CXL_DVSEC_REG_LOCATOR_BLOCK_OFF_LOW_MASK); +@@ -278,11 +279,11 @@ static bool cxl_decode_regblock(struct pci_dev *pdev, u32 reg_lo, u32 reg_hi, + if (offset > pci_resource_len(pdev, bar)) { + dev_warn(&pdev->dev, + "BAR%d: %pr: too small (offset: %pa, type: %d)\n", bar, +- &pdev->resource[bar], &offset, map->reg_type); ++ &pdev->resource[bar], &offset, reg_type); + return false; + } + +- map->reg_type = FIELD_GET(CXL_DVSEC_REG_LOCATOR_BLOCK_ID_MASK, reg_lo); ++ map->reg_type = reg_type; + map->resource = pci_resource_start(pdev, bar) + offset; + map->max_size = pci_resource_len(pdev, bar) - offset; + return true; +-- +2.43.0 + diff --git a/queue-6.8/cxl-fix-retrieving-of-access_coordinates-in-pcie-pat.patch b/queue-6.8/cxl-fix-retrieving-of-access_coordinates-in-pcie-pat.patch new file mode 100644 index 00000000000..a9336141ec1 --- /dev/null +++ b/queue-6.8/cxl-fix-retrieving-of-access_coordinates-in-pcie-pat.patch @@ -0,0 +1,92 @@ +From 68ff081a0b3e95008ea3092a8e54fc59fe38a818 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 08:47:13 -0700 +Subject: cxl: Fix 
retrieving of access_coordinates in PCIe path + +From: Dave Jiang + +[ Upstream commit 592780b8391fe31f129ef4823c1513528f4dcb76 ] + +Current loop in cxl_endpoint_get_perf_coordinates() incorrectly assumes +the Root Port (RP) dport is the one with generic port access_coordinate. +However those coordinates are one level up in the Host Bridge (HB). +Current code causes the computation code to pick up 0s as the coordinates +and cause minimal bandwidth to result in 0. + +Add check to skip RP when combining coordinates. + +Fixes: 14a6960b3e92 ("cxl: Add helper function that calculate performance data for downstream ports") +Reported-by: Jonathan Cameron +Reviewed-by: Jonathan Cameron +Reviewed-by: Dan Williams +Link: https://lore.kernel.org/r/20240403154844.3403859-3-dave.jiang@intel.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/port.c | 35 ++++++++++++++++++++++------------- + 1 file changed, 22 insertions(+), 13 deletions(-) + +diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c +index 0332b431117db..4ae441ef32174 100644 +--- a/drivers/cxl/core/port.c ++++ b/drivers/cxl/core/port.c +@@ -2128,6 +2128,11 @@ int cxl_hb_get_perf_coordinates(struct cxl_port *port, + return 0; + } + ++static bool parent_port_is_cxl_root(struct cxl_port *port) ++{ ++ return is_cxl_root(to_cxl_port(port->dev.parent)); ++} ++ + /** + * cxl_endpoint_get_perf_coordinates - Retrieve performance numbers stored in dports + * of CXL path +@@ -2147,27 +2152,31 @@ int cxl_endpoint_get_perf_coordinates(struct cxl_port *port, + struct cxl_dport *dport; + struct pci_dev *pdev; + unsigned int bw; ++ bool is_cxl_root; + + if (!is_cxl_endpoint(port)) + return -EINVAL; + +- dport = iter->parent_dport; +- + /* +- * Exit the loop when the parent port of the current port is cxl root. +- * The iterative loop starts at the endpoint and gathers the +- * latency of the CXL link from the current iter to the next downstream +- * port each iteration. 
If the parent is cxl root then there is +- * nothing to gather. ++ * Exit the loop when the parent port of the current iter port is cxl ++ * root. The iterative loop starts at the endpoint and gathers the ++ * latency of the CXL link from the current device/port to the connected ++ * downstream port each iteration. + */ +- while (!is_cxl_root(to_cxl_port(iter->dev.parent))) { +- cxl_coordinates_combine(&c, &c, &dport->sw_coord); ++ do { ++ dport = iter->parent_dport; ++ iter = to_cxl_port(iter->dev.parent); ++ is_cxl_root = parent_port_is_cxl_root(iter); ++ ++ /* ++ * There's no valid access_coordinate for a root port since RPs do not ++ * have CDAT and therefore needs to be skipped. ++ */ ++ if (!is_cxl_root) ++ cxl_coordinates_combine(&c, &c, &dport->sw_coord); + c.write_latency += dport->link_latency; + c.read_latency += dport->link_latency; +- +- iter = to_cxl_port(iter->dev.parent); +- dport = iter->parent_dport; +- } ++ } while (!is_cxl_root); + + /* Get the calculated PCI paths bandwidth */ + pdev = to_pci_dev(port->uport_dev->parent); +-- +2.43.0 + diff --git a/queue-6.8/cxl-mem-fix-for-the-index-of-clear-event-record-hand.patch b/queue-6.8/cxl-mem-fix-for-the-index-of-clear-event-record-hand.patch new file mode 100644 index 00000000000..7a18a5fbd84 --- /dev/null +++ b/queue-6.8/cxl-mem-fix-for-the-index-of-clear-event-record-hand.patch @@ -0,0 +1,42 @@ +From d51e50a700ef761fcca77c793017b42b41857c0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 10:29:28 +0800 +Subject: cxl/mem: Fix for the index of Clear Event Record Handle + +From: Yuquan Wang + +[ Upstream commit b7c59b038c656214f56432867056997c2e0fc268 ] + +The dev_dbg info for Clear Event Records mailbox command would report +the handle of the next record to clear not the current one. + +This was because the index 'i' had incremented before printing the +current handle value. 
+ +Fixes: 6ebe28f9ec72 ("cxl/mem: Read, trace, and clear events on driver load") +Signed-off-by: Yuquan Wang +Reviewed-by: Jonathan Cameron +Reviewed-by: Dan Williams +Reviewed-by: Fan Ni +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/mbox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c +index 9adda4795eb78..50146161887d5 100644 +--- a/drivers/cxl/core/mbox.c ++++ b/drivers/cxl/core/mbox.c +@@ -915,7 +915,7 @@ static int cxl_clear_event_record(struct cxl_memdev_state *mds, + + payload->handles[i++] = gen->hdr.handle; + dev_dbg(mds->cxlds.dev, "Event log '%d': Clearing %u\n", log, +- le16_to_cpu(payload->handles[i])); ++ le16_to_cpu(payload->handles[i - 1])); + + if (i == max_handles) { + payload->nr_recs = i; +-- +2.43.0 + diff --git a/queue-6.8/cxl-remove-checking-of-iter-in-cxl_endpoint_get_perf.patch b/queue-6.8/cxl-remove-checking-of-iter-in-cxl_endpoint_get_perf.patch new file mode 100644 index 00000000000..091a148560c --- /dev/null +++ b/queue-6.8/cxl-remove-checking-of-iter-in-cxl_endpoint_get_perf.patch @@ -0,0 +1,44 @@ +From 8943cced8ea6c077eb842255cf56b8d4610876bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 08:47:12 -0700 +Subject: cxl: Remove checking of iter in cxl_endpoint_get_perf_coordinates() + +From: Dave Jiang + +[ Upstream commit 648dae58a830ecceea3b1bebf68432435980f137 ] + +The while() loop in cxl_endpoint_get_perf_coordinates() checks to see if +'iter' is valid as part of the condition breaking out of the loop. +is_cxl_root() will stop the loop before the next iteration could go NULL. +Remove the iter check. + +The presence of the iter or removing the iter does not impact the behavior +of the code. This is a code clean up and not a bug fix. 
+ +Reviewed-by: Jonathan Cameron +Reviewed-by: Davidlohr Bueso +Reviewed-by: Dan Williams +Link: https://lore.kernel.org/r/20240403154844.3403859-2-dave.jiang@intel.com +Signed-off-by: Dave Jiang +Stable-dep-of: 592780b8391f ("cxl: Fix retrieving of access_coordinates in PCIe path") +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/port.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c +index b2a2f6c34886d..0332b431117db 100644 +--- a/drivers/cxl/core/port.c ++++ b/drivers/cxl/core/port.c +@@ -2160,7 +2160,7 @@ int cxl_endpoint_get_perf_coordinates(struct cxl_port *port, + * port each iteration. If the parent is cxl root then there is + * nothing to gather. + */ +- while (iter && !is_cxl_root(to_cxl_port(iter->dev.parent))) { ++ while (!is_cxl_root(to_cxl_port(iter->dev.parent))) { + cxl_coordinates_combine(&c, &c, &dport->sw_coord); + c.write_latency += dport->link_latency; + c.read_latency += dport->link_latency; +-- +2.43.0 + diff --git a/queue-6.8/cxl-split-out-combine_coordinates-for-common-shared-.patch b/queue-6.8/cxl-split-out-combine_coordinates-for-common-shared-.patch new file mode 100644 index 00000000000..6a74f0b76b9 --- /dev/null +++ b/queue-6.8/cxl-split-out-combine_coordinates-for-common-shared-.patch @@ -0,0 +1,135 @@ +From fb265edad75cfdf43d03e08ba394369a5608ec3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 14:59:24 -0700 +Subject: cxl: Split out combine_coordinates() for common shared usage + +From: Dave Jiang + +[ Upstream commit 032f7b37adff6985e22516053698b77131c2ce96 ] + +Refactor the common code of combining coordinates in order to reduce code. +Create a new function cxl_coordinates_combine() to combine two 'struct +access_coordinate'. 
+ +Reviewed-by: Jonathan Cameron +Tested-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/20240308220055.2172956-6-dave.jiang@intel.com +Signed-off-by: Dan Williams +Stable-dep-of: 592780b8391f ("cxl: Fix retrieving of access_coordinates in PCIe path") +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/cdat.c | 32 +++++++++++++++++++++++--------- + drivers/cxl/core/port.c | 18 ++---------------- + drivers/cxl/cxl.h | 4 ++++ + 3 files changed, 29 insertions(+), 25 deletions(-) + +diff --git a/drivers/cxl/core/cdat.c b/drivers/cxl/core/cdat.c +index 0363ca434ef45..4739a9d776a65 100644 +--- a/drivers/cxl/core/cdat.c ++++ b/drivers/cxl/core/cdat.c +@@ -185,15 +185,7 @@ static int cxl_port_perf_data_calculate(struct cxl_port *port, + xa_for_each(dsmas_xa, index, dent) { + int qos_class; + +- dent->coord.read_latency = dent->coord.read_latency + +- c.read_latency; +- dent->coord.write_latency = dent->coord.write_latency + +- c.write_latency; +- dent->coord.read_bandwidth = min_t(int, c.read_bandwidth, +- dent->coord.read_bandwidth); +- dent->coord.write_bandwidth = min_t(int, c.write_bandwidth, +- dent->coord.write_bandwidth); +- ++ cxl_coordinates_combine(&dent->coord, &dent->coord, &c); + dent->entries = 1; + rc = cxl_root->ops->qos_class(cxl_root, &dent->coord, 1, + &qos_class); +@@ -484,4 +476,26 @@ void cxl_switch_parse_cdat(struct cxl_port *port) + } + EXPORT_SYMBOL_NS_GPL(cxl_switch_parse_cdat, CXL); + ++/** ++ * cxl_coordinates_combine - Combine the two input coordinates ++ * ++ * @out: Output coordinate of c1 and c2 combined ++ * @c1: input coordinates ++ * @c2: input coordinates ++ */ ++void cxl_coordinates_combine(struct access_coordinate *out, ++ struct access_coordinate *c1, ++ struct access_coordinate *c2) ++{ ++ if (c1->write_bandwidth && c2->write_bandwidth) ++ out->write_bandwidth = min(c1->write_bandwidth, ++ c2->write_bandwidth); ++ out->write_latency = c1->write_latency + c2->write_latency; ++ ++ if (c1->read_bandwidth 
&& c2->read_bandwidth) ++ out->read_bandwidth = min(c1->read_bandwidth, ++ c2->read_bandwidth); ++ out->read_latency = c1->read_latency + c2->read_latency; ++} ++ + MODULE_IMPORT_NS(CXL); +diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c +index 612bf7e1e8474..af9458b2678cf 100644 +--- a/drivers/cxl/core/port.c ++++ b/drivers/cxl/core/port.c +@@ -2096,20 +2096,6 @@ bool schedule_cxl_memdev_detach(struct cxl_memdev *cxlmd) + } + EXPORT_SYMBOL_NS_GPL(schedule_cxl_memdev_detach, CXL); + +-static void combine_coordinates(struct access_coordinate *c1, +- struct access_coordinate *c2) +-{ +- if (c2->write_bandwidth) +- c1->write_bandwidth = min(c1->write_bandwidth, +- c2->write_bandwidth); +- c1->write_latency += c2->write_latency; +- +- if (c2->read_bandwidth) +- c1->read_bandwidth = min(c1->read_bandwidth, +- c2->read_bandwidth); +- c1->read_latency += c2->read_latency; +-} +- + /** + * cxl_endpoint_get_perf_coordinates - Retrieve performance numbers stored in dports + * of CXL path +@@ -2143,7 +2129,7 @@ int cxl_endpoint_get_perf_coordinates(struct cxl_port *port, + * nothing to gather. 
+ */ + while (iter && !is_cxl_root(to_cxl_port(iter->dev.parent))) { +- combine_coordinates(&c, &dport->sw_coord); ++ cxl_coordinates_combine(&c, &c, &dport->sw_coord); + c.write_latency += dport->link_latency; + c.read_latency += dport->link_latency; + +@@ -2152,7 +2138,7 @@ int cxl_endpoint_get_perf_coordinates(struct cxl_port *port, + } + + /* Augment with the generic port (host bridge) perf data */ +- combine_coordinates(&c, &dport->hb_coord[ACCESS_COORDINATE_LOCAL]); ++ cxl_coordinates_combine(&c, &c, &dport->hb_coord[ACCESS_COORDINATE_LOCAL]); + + /* Get the calculated PCI paths bandwidth */ + pdev = to_pci_dev(port->uport_dev->parent); +diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h +index fe7448f2745e1..fab2da4b1f04e 100644 +--- a/drivers/cxl/cxl.h ++++ b/drivers/cxl/cxl.h +@@ -882,6 +882,10 @@ int cxl_endpoint_get_perf_coordinates(struct cxl_port *port, + + void cxl_memdev_update_perf(struct cxl_memdev *cxlmd); + ++void cxl_coordinates_combine(struct access_coordinate *out, ++ struct access_coordinate *c1, ++ struct access_coordinate *c2); ++ + /* + * Unit test builds overrides this to __weak, find the 'strong' version + * of these symbols in tools/testing/cxl/. 
+-- +2.43.0 + diff --git a/queue-6.8/cxl-split-out-host-bridge-access-coordinates.patch b/queue-6.8/cxl-split-out-host-bridge-access-coordinates.patch new file mode 100644 index 00000000000..03f81501100 --- /dev/null +++ b/queue-6.8/cxl-split-out-host-bridge-access-coordinates.patch @@ -0,0 +1,155 @@ +From ea392ea84ceeedff240fb9e61ef5fd92f844b34f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 14:59:25 -0700 +Subject: cxl: Split out host bridge access coordinates + +From: Dave Jiang + +[ Upstream commit 863027d40993f13155451bd898bfe4c4e9b7002f ] + +The difference between access class 0 and access class 1 for 'struct +access_coordinate', if any, is that class 0 is for the distance from +the target to the closest initiator and that class 1 is for the distance +from the target to the closest CPU. For CXL memory, the nearest initiator +may not necessarily be a CPU node. The performance path from the CXL +endpoint to the host bridge should remain the same. However, the numbers +extracted and stored from HMAT is the difference for the two access +classes. Split out the performance numbers for the host bridge (generic +target) from the calculation of the entire path in order to allow +calculation of both access classes for a CXL region. 
+ +Reviewed-by: Jonathan Cameron +Tested-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/20240308220055.2172956-7-dave.jiang@intel.com +Signed-off-by: Dan Williams +Stable-dep-of: 592780b8391f ("cxl: Fix retrieving of access_coordinates in PCIe path") +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/cdat.c | 28 ++++++++++++++++++++++------ + drivers/cxl/core/port.c | 35 ++++++++++++++++++++++++++++++++--- + drivers/cxl/cxl.h | 2 ++ + 3 files changed, 56 insertions(+), 9 deletions(-) + +diff --git a/drivers/cxl/core/cdat.c b/drivers/cxl/core/cdat.c +index 4739a9d776a65..fbf167f9d59d4 100644 +--- a/drivers/cxl/core/cdat.c ++++ b/drivers/cxl/core/cdat.c +@@ -162,15 +162,22 @@ static int cxl_cdat_endpoint_process(struct cxl_port *port, + static int cxl_port_perf_data_calculate(struct cxl_port *port, + struct xarray *dsmas_xa) + { +- struct access_coordinate c; ++ struct access_coordinate ep_c; ++ struct access_coordinate coord[ACCESS_COORDINATE_MAX]; + struct dsmas_entry *dent; + int valid_entries = 0; + unsigned long index; + int rc; + +- rc = cxl_endpoint_get_perf_coordinates(port, &c); ++ rc = cxl_endpoint_get_perf_coordinates(port, &ep_c); + if (rc) { +- dev_dbg(&port->dev, "Failed to retrieve perf coordinates.\n"); ++ dev_dbg(&port->dev, "Failed to retrieve ep perf coordinates.\n"); ++ return rc; ++ } ++ ++ rc = cxl_hb_get_perf_coordinates(port, coord); ++ if (rc) { ++ dev_dbg(&port->dev, "Failed to retrieve hb perf coordinates.\n"); + return rc; + } + +@@ -185,10 +192,19 @@ static int cxl_port_perf_data_calculate(struct cxl_port *port, + xa_for_each(dsmas_xa, index, dent) { + int qos_class; + +- cxl_coordinates_combine(&dent->coord, &dent->coord, &c); ++ cxl_coordinates_combine(&dent->coord, &dent->coord, &ep_c); ++ /* ++ * Keeping the host bridge coordinates separate from the dsmas ++ * coordinates in order to allow calculation of access class ++ * 0 and 1 for region later. 
++ */ ++ cxl_coordinates_combine(&coord[ACCESS_COORDINATE_LOCAL], ++ &coord[ACCESS_COORDINATE_LOCAL], ++ &dent->coord); + dent->entries = 1; +- rc = cxl_root->ops->qos_class(cxl_root, &dent->coord, 1, +- &qos_class); ++ rc = cxl_root->ops->qos_class(cxl_root, ++ &coord[ACCESS_COORDINATE_LOCAL], ++ 1, &qos_class); + if (rc != 1) + continue; + +diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c +index af9458b2678cf..b2a2f6c34886d 100644 +--- a/drivers/cxl/core/port.c ++++ b/drivers/cxl/core/port.c +@@ -2096,6 +2096,38 @@ bool schedule_cxl_memdev_detach(struct cxl_memdev *cxlmd) + } + EXPORT_SYMBOL_NS_GPL(schedule_cxl_memdev_detach, CXL); + ++/** ++ * cxl_hb_get_perf_coordinates - Retrieve performance numbers between initiator ++ * and host bridge ++ * ++ * @port: endpoint cxl_port ++ * @coord: output access coordinates ++ * ++ * Return: errno on failure, 0 on success. ++ */ ++int cxl_hb_get_perf_coordinates(struct cxl_port *port, ++ struct access_coordinate *coord) ++{ ++ struct cxl_port *iter = port; ++ struct cxl_dport *dport; ++ ++ if (!is_cxl_endpoint(port)) ++ return -EINVAL; ++ ++ dport = iter->parent_dport; ++ while (iter && !is_cxl_root(to_cxl_port(iter->dev.parent))) { ++ iter = to_cxl_port(iter->dev.parent); ++ dport = iter->parent_dport; ++ } ++ ++ coord[ACCESS_COORDINATE_LOCAL] = ++ dport->hb_coord[ACCESS_COORDINATE_LOCAL]; ++ coord[ACCESS_COORDINATE_CPU] = ++ dport->hb_coord[ACCESS_COORDINATE_CPU]; ++ ++ return 0; ++} ++ + /** + * cxl_endpoint_get_perf_coordinates - Retrieve performance numbers stored in dports + * of CXL path +@@ -2137,9 +2169,6 @@ int cxl_endpoint_get_perf_coordinates(struct cxl_port *port, + dport = iter->parent_dport; + } + +- /* Augment with the generic port (host bridge) perf data */ +- cxl_coordinates_combine(&c, &c, &dport->hb_coord[ACCESS_COORDINATE_LOCAL]); +- + /* Get the calculated PCI paths bandwidth */ + pdev = to_pci_dev(port->uport_dev->parent); + bw = pcie_bandwidth_available(pdev, NULL, NULL, NULL); +diff 
--git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h +index fab2da4b1f04e..de477eb7f5d54 100644 +--- a/drivers/cxl/cxl.h ++++ b/drivers/cxl/cxl.h +@@ -879,6 +879,8 @@ void cxl_switch_parse_cdat(struct cxl_port *port); + + int cxl_endpoint_get_perf_coordinates(struct cxl_port *port, + struct access_coordinate *coord); ++int cxl_hb_get_perf_coordinates(struct cxl_port *port, ++ struct access_coordinate *coord); + + void cxl_memdev_update_perf(struct cxl_memdev *cxlmd); + +-- +2.43.0 + diff --git a/queue-6.8/drm-msm-add-newlines-to-some-debug-prints.patch b/queue-6.8/drm-msm-add-newlines-to-some-debug-prints.patch new file mode 100644 index 00000000000..9ace851b5d3 --- /dev/null +++ b/queue-6.8/drm-msm-add-newlines-to-some-debug-prints.patch @@ -0,0 +1,84 @@ +From aa0496a3295d921b488ea4feda118fdda82ce33a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 14:08:09 -0700 +Subject: drm/msm: Add newlines to some debug prints + +From: Stephen Boyd + +[ Upstream commit c588f7d67044d6d59ef92d75a970b64929984d89 ] + +These debug prints are missing newlines, leading to multiple messages +being printed on one line and hard to read logs. Add newlines to have +the debug prints on separate lines. The DBG macro used to add a newline, +but I missed that while migrating to drm_dbg wrappers. 
+ +Fixes: 7cb017db1896 ("drm/msm: Move FB debug prints to drm_dbg_state()") +Fixes: 721c6e0c6aed ("drm/msm: Move vblank debug prints to drm_dbg_vbl()") +Signed-off-by: Stephen Boyd +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/584769/ +Link: https://lore.kernel.org/r/20240325210810.1340820-1-swboyd@chromium.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_fb.c | 6 +++--- + drivers/gpu/drm/msm/msm_kms.c | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_fb.c b/drivers/gpu/drm/msm/msm_fb.c +index e3f61c39df69b..80166f702a0db 100644 +--- a/drivers/gpu/drm/msm/msm_fb.c ++++ b/drivers/gpu/drm/msm/msm_fb.c +@@ -89,7 +89,7 @@ int msm_framebuffer_prepare(struct drm_framebuffer *fb, + + for (i = 0; i < n; i++) { + ret = msm_gem_get_and_pin_iova(fb->obj[i], aspace, &msm_fb->iova[i]); +- drm_dbg_state(fb->dev, "FB[%u]: iova[%d]: %08llx (%d)", ++ drm_dbg_state(fb->dev, "FB[%u]: iova[%d]: %08llx (%d)\n", + fb->base.id, i, msm_fb->iova[i], ret); + if (ret) + return ret; +@@ -176,7 +176,7 @@ static struct drm_framebuffer *msm_framebuffer_init(struct drm_device *dev, + const struct msm_format *format; + int ret, i, n; + +- drm_dbg_state(dev, "create framebuffer: mode_cmd=%p (%dx%d@%4.4s)", ++ drm_dbg_state(dev, "create framebuffer: mode_cmd=%p (%dx%d@%4.4s)\n", + mode_cmd, mode_cmd->width, mode_cmd->height, + (char *)&mode_cmd->pixel_format); + +@@ -232,7 +232,7 @@ static struct drm_framebuffer *msm_framebuffer_init(struct drm_device *dev, + + refcount_set(&msm_fb->dirtyfb, 1); + +- drm_dbg_state(dev, "create: FB ID: %d (%p)", fb->base.id, fb); ++ drm_dbg_state(dev, "create: FB ID: %d (%p)\n", fb->base.id, fb); + + return fb; + +diff --git a/drivers/gpu/drm/msm/msm_kms.c b/drivers/gpu/drm/msm/msm_kms.c +index 84c21ec2ceeae..af6a6fcb11736 100644 +--- a/drivers/gpu/drm/msm/msm_kms.c ++++ b/drivers/gpu/drm/msm/msm_kms.c +@@ 
-149,7 +149,7 @@ int msm_crtc_enable_vblank(struct drm_crtc *crtc) + struct msm_kms *kms = priv->kms; + if (!kms) + return -ENXIO; +- drm_dbg_vbl(dev, "crtc=%u", crtc->base.id); ++ drm_dbg_vbl(dev, "crtc=%u\n", crtc->base.id); + return vblank_ctrl_queue_work(priv, crtc, true); + } + +@@ -160,7 +160,7 @@ void msm_crtc_disable_vblank(struct drm_crtc *crtc) + struct msm_kms *kms = priv->kms; + if (!kms) + return; +- drm_dbg_vbl(dev, "crtc=%u", crtc->base.id); ++ drm_dbg_vbl(dev, "crtc=%u\n", crtc->base.id); + vblank_ctrl_queue_work(priv, crtc, false); + } + +-- +2.43.0 + diff --git a/queue-6.8/drm-msm-adreno-set-highest_bank_bit-for-a619.patch b/queue-6.8/drm-msm-adreno-set-highest_bank_bit-for-a619.patch new file mode 100644 index 00000000000..a69a91e9841 --- /dev/null +++ b/queue-6.8/drm-msm-adreno-set-highest_bank_bit-for-a619.patch @@ -0,0 +1,45 @@ +From a346b2298acce2f8f3d773d7ce56258fc8b89173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 09:02:45 +0100 +Subject: drm/msm/adreno: Set highest_bank_bit for A619 + +From: Luca Weiss + +[ Upstream commit 9dc23cba0927d09cb481da064c8413eb9df42e2b ] + +The default highest_bank_bit of 15 didn't seem to cause issues so far +but downstream defines it to be 14. But similar to [0] leaving it on 14 +(or 15 for that matter) causes some corruption issues with some +resolutions with DisplayPort, like 1920x1200. + +So set it to 13 for now so that there's no screen corruption. 
+ +[0] commit 6a0dbcd20ef2 ("drm/msm/a6xx: set highest_bank_bit to 13 for a610") + +Fixes: b7616b5c69e6 ("drm/msm/adreno: Add A619 support") +Signed-off-by: Luca Weiss +Patchwork: https://patchwork.freedesktop.org/patch/585215/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +index fd60e49b8ec4d..792a4c60a20c2 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +@@ -1295,6 +1295,10 @@ static void a6xx_calc_ubwc_config(struct adreno_gpu *gpu) + if (adreno_is_a618(gpu)) + gpu->ubwc_config.highest_bank_bit = 14; + ++ if (adreno_is_a619(gpu)) ++ /* TODO: Should be 14 but causes corruption at e.g. 1920x1200 on DP */ ++ gpu->ubwc_config.highest_bank_bit = 13; ++ + if (adreno_is_a619_holi(gpu)) + gpu->ubwc_config.highest_bank_bit = 13; + +-- +2.43.0 + diff --git a/queue-6.8/drm-msm-dpu-don-t-allow-overriding-data-from-catalog.patch b/queue-6.8/drm-msm-dpu-don-t-allow-overriding-data-from-catalog.patch new file mode 100644 index 00000000000..c491c64dcea --- /dev/null +++ b/queue-6.8/drm-msm-dpu-don-t-allow-overriding-data-from-catalog.patch @@ -0,0 +1,53 @@ +From f232e0a59847f95008760fb01871240f811dcaae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 03:10:41 +0200 +Subject: drm/msm/dpu: don't allow overriding data from catalog + +From: Dmitry Baryshkov + +[ Upstream commit 4f3b77ae5ff5b5ba9d99c5d5450db388dbee5107 ] + +The data from catalog is marked as const, so it is a part of the RO +segment. Allowing userspace to write to it through debugfs can cause +protection faults. Set debugfs file mode to read-only for debug entries +corresponding to perf_cfg coming from catalog. 
+ +Fixes: abda0d925f9c ("drm/msm/dpu: Mark various data tables as const") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/582844/ +Link: https://lore.kernel.org/r/20240314-dpu-perf-rework-v3-1-79fa4e065574@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c +index ef871239adb2a..68fae048a9a83 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c +@@ -459,15 +459,15 @@ int dpu_core_perf_debugfs_init(struct dpu_kms *dpu_kms, struct dentry *parent) + &perf->core_clk_rate); + debugfs_create_u32("enable_bw_release", 0600, entry, + (u32 *)&perf->enable_bw_release); +- debugfs_create_u32("threshold_low", 0600, entry, ++ debugfs_create_u32("threshold_low", 0400, entry, + (u32 *)&perf->perf_cfg->max_bw_low); +- debugfs_create_u32("threshold_high", 0600, entry, ++ debugfs_create_u32("threshold_high", 0400, entry, + (u32 *)&perf->perf_cfg->max_bw_high); +- debugfs_create_u32("min_core_ib", 0600, entry, ++ debugfs_create_u32("min_core_ib", 0400, entry, + (u32 *)&perf->perf_cfg->min_core_ib); +- debugfs_create_u32("min_llcc_ib", 0600, entry, ++ debugfs_create_u32("min_llcc_ib", 0400, entry, + (u32 *)&perf->perf_cfg->min_llcc_ib); +- debugfs_create_u32("min_dram_ib", 0600, entry, ++ debugfs_create_u32("min_dram_ib", 0400, entry, + (u32 *)&perf->perf_cfg->min_dram_ib); + debugfs_create_file("perf_mode", 0600, entry, + (u32 *)perf, &dpu_core_perf_mode_fops); +-- +2.43.0 + diff --git a/queue-6.8/drm-msm-dpu-make-error-messages-at-dpu_core_irq_regi.patch b/queue-6.8/drm-msm-dpu-make-error-messages-at-dpu_core_irq_regi.patch new file mode 100644 index 00000000000..08419c75e8c --- /dev/null +++ 
b/queue-6.8/drm-msm-dpu-make-error-messages-at-dpu_core_irq_regi.patch @@ -0,0 +1,53 @@ +From bde3808a54c805165d7839d79b8d9fd5e67caa80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Mar 2024 05:53:22 +0200 +Subject: drm/msm/dpu: make error messages at dpu_core_irq_register_callback() + more sensible + +From: Dmitry Baryshkov + +[ Upstream commit 8844f467d6a58dc915f241e81c46e0c126f8c070 ] + +There is little point in using %ps to print a value known to be NULL. On +the other hand it makes sense to print the callback symbol in the +'invalid IRQ' message. Correct those two error messages to make more +sense. + +Fixes: 6893199183f8 ("drm/msm/dpu: stop using raw IRQ indices in the kernel output") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Marijn Suijten +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/585565/ +Link: https://lore.kernel.org/r/20240330-dpu-irq-messages-v1-1-9ce782ae35f9@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +index 946dd0135dffc..6a0a74832fb64 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +@@ -525,14 +525,14 @@ int dpu_core_irq_register_callback(struct dpu_kms *dpu_kms, + int ret; + + if (!irq_cb) { +- DPU_ERROR("invalid IRQ=[%d, %d] irq_cb:%ps\n", +- DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx), irq_cb); ++ DPU_ERROR("IRQ=[%d, %d] NULL callback\n", ++ DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx)); + return -EINVAL; + } + + if (!dpu_core_irq_is_valid(irq_idx)) { +- DPU_ERROR("invalid IRQ=[%d, %d]\n", +- DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx)); ++ DPU_ERROR("invalid IRQ=[%d, %d] irq_cb:%ps\n", ++ DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx), irq_cb); + return -EINVAL; + } + 
+-- +2.43.0 + diff --git a/queue-6.8/drm-xe-display-fix-double-mutex-initialization.patch b/queue-6.8/drm-xe-display-fix-double-mutex-initialization.patch new file mode 100644 index 00000000000..c358dac3561 --- /dev/null +++ b/queue-6.8/drm-xe-display-fix-double-mutex-initialization.patch @@ -0,0 +1,48 @@ +From 713cd033a79e86c84d3ce0c0938d59532f518eae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 13:07:11 -0700 +Subject: drm/xe/display: Fix double mutex initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas De Marchi + +[ Upstream commit 50a9b7fc151e67b9e642232d32e8c5a5ac13e64a ] + +All of these mutexes are already initialized by the display side since +commit 3fef3e6ff86a ("drm/i915: move display mutex inits to display +code"), so the xe shouldn't initialize them. + +Fixes: 44e694958b95 ("drm/xe/display: Implement display support") +Cc: Jani Nikula +Cc: Arun R Murthy +Reviewed-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20240405200711.2041428-1-lucas.demarchi@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 117de185edf2c5767f03575219bf7a43b161ff0d) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_display.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_display.c b/drivers/gpu/drm/xe/xe_display.c +index e4db069f0db3f..6ec375c1c4b6c 100644 +--- a/drivers/gpu/drm/xe/xe_display.c ++++ b/drivers/gpu/drm/xe/xe_display.c +@@ -108,11 +108,6 @@ int xe_display_create(struct xe_device *xe) + xe->display.hotplug.dp_wq = alloc_ordered_workqueue("xe-dp", 0); + + drmm_mutex_init(&xe->drm, &xe->sb_lock); +- drmm_mutex_init(&xe->drm, &xe->display.backlight.lock); +- drmm_mutex_init(&xe->drm, &xe->display.audio.mutex); +- drmm_mutex_init(&xe->drm, &xe->display.wm.wm_mutex); +- drmm_mutex_init(&xe->drm, &xe->display.pps.mutex); +- drmm_mutex_init(&xe->drm, 
&xe->display.hdcp.hdcp_mutex); + xe->enabled_irq_mask = ~0; + + err = drmm_add_action_or_reset(&xe->drm, display_destroy, NULL); +-- +2.43.0 + diff --git a/queue-6.8/drm-xe-hwmon-cast-result-to-output-precision-on-left.patch b/queue-6.8/drm-xe-hwmon-cast-result-to-output-precision-on-left.patch new file mode 100644 index 00000000000..c0cb14ddf74 --- /dev/null +++ b/queue-6.8/drm-xe-hwmon-cast-result-to-output-precision-on-left.patch @@ -0,0 +1,55 @@ +From 1f894180823e6837feccb0b48f1b25f11f170344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 18:31:27 +0530 +Subject: drm/xe/hwmon: Cast result to output precision on left shift of + operand + +From: Karthik Poosa + +[ Upstream commit a8ad8715472bb8f6a2ea8b4072a28151eb9f4f24 ] + +Address potential overflow in result of left shift of a +lower precision (u32) operand before assignment to higher +precision (u64) variable. + +v2: + - Update commit message. (Himal) + +Fixes: 4446fcf220ce ("drm/xe/hwmon: Expose power1_max_interval") +Signed-off-by: Karthik Poosa +Reviewed-by: Anshuman Gupta +Cc: Badal Nilawar +Link: https://patchwork.freedesktop.org/patch/msgid/20240405130127.1392426-5-karthik.poosa@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 883232b47b81108b0252197c747f396ecd51455a) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_hwmon.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_hwmon.c b/drivers/gpu/drm/xe/xe_hwmon.c +index 174ed2185481e..a6f43446c779a 100644 +--- a/drivers/gpu/drm/xe/xe_hwmon.c ++++ b/drivers/gpu/drm/xe/xe_hwmon.c +@@ -288,7 +288,7 @@ xe_hwmon_power1_max_interval_show(struct device *dev, struct device_attribute *a + * As y can be < 2, we compute tau4 = (4 | x) << y + * and then add 2 when doing the final right shift to account for units + */ +- tau4 = ((1 << x_w) | x) << y; ++ tau4 = (u64)((1 << x_w) | x) << y; + + /* val in hwmon interface units (millisec) */ + out 
= mul_u64_u32_shr(tau4, SF_TIME, hwmon->scl_shift_time + x_w); +@@ -328,7 +328,7 @@ xe_hwmon_power1_max_interval_store(struct device *dev, struct device_attribute * + r = FIELD_PREP(PKG_MAX_WIN, PKG_MAX_WIN_DEFAULT); + x = REG_FIELD_GET(PKG_MAX_WIN_X, r); + y = REG_FIELD_GET(PKG_MAX_WIN_Y, r); +- tau4 = ((1 << x_w) | x) << y; ++ tau4 = (u64)((1 << x_w) | x) << y; + max_win = mul_u64_u32_shr(tau4, SF_TIME, hwmon->scl_shift_time + x_w); + + if (val > max_win) +-- +2.43.0 + diff --git a/queue-6.8/dt-bindings-display-msm-sm8150-mdss-add-dp-node.patch b/queue-6.8/dt-bindings-display-msm-sm8150-mdss-add-dp-node.patch new file mode 100644 index 00000000000..80903313ae4 --- /dev/null +++ b/queue-6.8/dt-bindings-display-msm-sm8150-mdss-add-dp-node.patch @@ -0,0 +1,46 @@ +From 190fed8f15f7ea25838a2aa83cfdfc97817449d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 05:57:15 +0300 +Subject: dt-bindings: display/msm: sm8150-mdss: add DP node + +From: Dmitry Baryshkov + +[ Upstream commit be1b7acb929137e3943fe380671242beb485190c ] + +As Qualcomm SM8150 got support for the DisplayPort, add displayport@ +node as a valid child to the MDSS node. 
+ +Fixes: 88806318e2c2 ("dt-bindings: display: msm: dp: declare compatible string for sm8150") +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/586156/ +Link: https://lore.kernel.org/r/20240402-fd-fix-schema-v3-1-817ea6ddf775@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + .../bindings/display/msm/qcom,sm8150-mdss.yaml | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml b/Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml +index c0d6a4fdff97e..e6dc5494baee2 100644 +--- a/Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml ++++ b/Documentation/devicetree/bindings/display/msm/qcom,sm8150-mdss.yaml +@@ -53,6 +53,15 @@ patternProperties: + compatible: + const: qcom,sm8150-dpu + ++ "^displayport-controller@[0-9a-f]+$": ++ type: object ++ additionalProperties: true ++ ++ properties: ++ compatible: ++ contains: ++ const: qcom,sm8150-dp ++ + "^dsi@[0-9a-f]+$": + type: object + additionalProperties: true +-- +2.43.0 + diff --git a/queue-6.8/firmware-arm_ffa-fix-the-partition-id-check-in-ffa_n.patch b/queue-6.8/firmware-arm_ffa-fix-the-partition-id-check-in-ffa_n.patch new file mode 100644 index 00000000000..308de4487ec --- /dev/null +++ b/queue-6.8/firmware-arm_ffa-fix-the-partition-id-check-in-ffa_n.patch @@ -0,0 +1,43 @@ +From d4158f79d55e1231144bb03be441ec49a3f72b55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 12:07:00 +0100 +Subject: firmware: arm_ffa: Fix the partition ID check in + ffa_notification_info_get() + +From: Jens Wiklander + +[ Upstream commit 1a4bd2b128fb5ca62e4d1c5ca298d3d06b9c1e8e ] + +FFA_NOTIFICATION_INFO_GET retrieves information about pending +notifications. Notifications can be either global or per VCPU. Global +notifications are reported with the partition ID only in the list of +endpoints with pending notifications. 
ffa_notification_info_get() +incorrectly expects no ID at all for global notifications. Fix this by +checking for ID = 1 instead of ID = 0. + +Fixes: 3522be48d82b ("firmware: arm_ffa: Implement the NOTIFICATION_INFO_GET interface") +Signed-off-by: Jens Wiklander +Reviewed-by: Lorenzo Pieralisi +Link: https://lore.kernel.org/r/20240311110700.2367142-1-jens.wiklander@linaro.org +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_ffa/driver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c +index f2556a8e94015..9bc2e10381afd 100644 +--- a/drivers/firmware/arm_ffa/driver.c ++++ b/drivers/firmware/arm_ffa/driver.c +@@ -790,7 +790,7 @@ static void ffa_notification_info_get(void) + + part_id = packed_id_list[ids_processed++]; + +- if (!ids_count[list]) { /* Global Notification */ ++ if (ids_count[list] == 1) { /* Global Notification */ + __do_sched_recv_cb(part_id, 0, false); + continue; + } +-- +2.43.0 + diff --git a/queue-6.8/firmware-arm_scmi-make-raw-debugfs-entries-non-seeka.patch b/queue-6.8/firmware-arm_scmi-make-raw-debugfs-entries-non-seeka.patch new file mode 100644 index 00000000000..d3bd7736300 --- /dev/null +++ b/queue-6.8/firmware-arm_scmi-make-raw-debugfs-entries-non-seeka.patch @@ -0,0 +1,80 @@ +From 7eb1552ddde305420ad872fa5140160562e662b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 14:03:24 +0000 +Subject: firmware: arm_scmi: Make raw debugfs entries non-seekable + +From: Cristian Marussi + +[ Upstream commit b70c7996d4ffb2e02895132e8a79a37cee66504f ] + +SCMI raw debugfs entries are used to inject and snoop messages out of the +SCMI core and, as such, the underlying virtual files have no reason to +support seeking. + +Modify the related file_operations descriptors to be non-seekable. 
+ +Fixes: 3c3d818a9317 ("firmware: arm_scmi: Add core raw transmission support") +Signed-off-by: Cristian Marussi +Link: https://lore.kernel.org/r/20240315140324.231830-1-cristian.marussi@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/raw_mode.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_scmi/raw_mode.c b/drivers/firmware/arm_scmi/raw_mode.c +index 3505735185033..130d13e9cd6be 100644 +--- a/drivers/firmware/arm_scmi/raw_mode.c ++++ b/drivers/firmware/arm_scmi/raw_mode.c +@@ -921,7 +921,7 @@ static int scmi_dbg_raw_mode_open(struct inode *inode, struct file *filp) + rd->raw = raw; + filp->private_data = rd; + +- return 0; ++ return nonseekable_open(inode, filp); + } + + static int scmi_dbg_raw_mode_release(struct inode *inode, struct file *filp) +@@ -950,6 +950,7 @@ static const struct file_operations scmi_dbg_raw_mode_reset_fops = { + .open = scmi_dbg_raw_mode_open, + .release = scmi_dbg_raw_mode_release, + .write = scmi_dbg_raw_mode_reset_write, ++ .llseek = no_llseek, + .owner = THIS_MODULE, + }; + +@@ -959,6 +960,7 @@ static const struct file_operations scmi_dbg_raw_mode_message_fops = { + .read = scmi_dbg_raw_mode_message_read, + .write = scmi_dbg_raw_mode_message_write, + .poll = scmi_dbg_raw_mode_message_poll, ++ .llseek = no_llseek, + .owner = THIS_MODULE, + }; + +@@ -975,6 +977,7 @@ static const struct file_operations scmi_dbg_raw_mode_message_async_fops = { + .read = scmi_dbg_raw_mode_message_read, + .write = scmi_dbg_raw_mode_message_async_write, + .poll = scmi_dbg_raw_mode_message_poll, ++ .llseek = no_llseek, + .owner = THIS_MODULE, + }; + +@@ -998,6 +1001,7 @@ static const struct file_operations scmi_dbg_raw_mode_notification_fops = { + .release = scmi_dbg_raw_mode_release, + .read = scmi_test_dbg_raw_mode_notif_read, + .poll = scmi_test_dbg_raw_mode_notif_poll, ++ .llseek = no_llseek, + .owner = THIS_MODULE, + }; + +@@ -1021,6 +1025,7 @@ static 
const struct file_operations scmi_dbg_raw_mode_errors_fops = { + .release = scmi_dbg_raw_mode_release, + .read = scmi_test_dbg_raw_mode_errors_read, + .poll = scmi_test_dbg_raw_mode_errors_poll, ++ .llseek = no_llseek, + .owner = THIS_MODULE, + }; + +-- +2.43.0 + diff --git a/queue-6.8/geneve-fix-header-validation-in-geneve-6-_xmit_skb.patch b/queue-6.8/geneve-fix-header-validation-in-geneve-6-_xmit_skb.patch new file mode 100644 index 00000000000..dd2457ba060 --- /dev/null +++ b/queue-6.8/geneve-fix-header-validation-in-geneve-6-_xmit_skb.patch @@ -0,0 +1,166 @@ +From 8d71ea74be08209c0b6ada0b185b5626fac687be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 10:30:34 +0000 +Subject: geneve: fix header validation in geneve[6]_xmit_skb + +From: Eric Dumazet + +[ Upstream commit d8a6213d70accb403b82924a1c229e733433a5ef ] + +syzbot is able to trigger an uninit-value in geneve_xmit() [1] + +Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield()) +uses skb_protocol(skb, true), pskb_inet_may_pull() is only using +skb->protocol. + +If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, +pskb_inet_may_pull() does nothing at all. + +If a vlan tag was provided by the caller (af_packet in the syzbot case), +the network header might not point to the correct location, and skb +linear part could be smaller than expected. + +Add skb_vlan_inet_prepare() to perform a complete mac validation. + +Use this in geneve for the moment, I suspect we need to adopt this +more broadly. + +v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest + - Only call __vlan_get_protocol() for vlan types. 
+Link: https://lore.kernel.org/netdev/20240404100035.3270a7d5@kernel.org/ + +v2,v3 - Addressed Sabrina comments on v1 and v2 +Link: https://lore.kernel.org/netdev/Zg1l9L2BNoZWZDZG@hog/ + +[1] + +BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline] + BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 + geneve_xmit_skb drivers/net/geneve.c:910 [inline] + geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 + __netdev_start_xmit include/linux/netdevice.h:4903 [inline] + netdev_start_xmit include/linux/netdevice.h:4917 [inline] + xmit_one net/core/dev.c:3531 [inline] + dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 + __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335 + dev_queue_xmit include/linux/netdevice.h:3091 [inline] + packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 + packet_snd net/packet/af_packet.c:3081 [inline] + packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:745 + __sys_sendto+0x685/0x830 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 + do_syscall_64+0xd5/0x1f0 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3804 [inline] + slab_alloc_node mm/slub.c:3845 [inline] + kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 + __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 + alloc_skb include/linux/skbuff.h:1318 [inline] + alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 + sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 + packet_alloc_skb net/packet/af_packet.c:2930 [inline] + packet_snd net/packet/af_packet.c:3024 [inline] + packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:745 + 
__sys_sendto+0x685/0x830 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 + do_syscall_64+0xd5/0x1f0 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 + +Fixes: d13f048dd40e ("net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb") +Reported-by: syzbot+9ee20ec1de7b3168db09@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/000000000000d19c3a06152f9ee4@google.com/ +Signed-off-by: Eric Dumazet +Cc: Phillip Potter +Cc: Sabrina Dubroca +Reviewed-by: Sabrina Dubroca +Reviewed-by: Phillip Potter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 4 ++-- + include/net/ip_tunnels.h | 33 +++++++++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index 097a8db0d1d99..7f00fca0c538c 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -830,7 +830,7 @@ static int geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, + __be16 sport; + int err; + +- if (!pskb_inet_may_pull(skb)) ++ if (!skb_vlan_inet_prepare(skb)) + return -EINVAL; + + if (!gs4) +@@ -937,7 +937,7 @@ static int geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, + __be16 sport; + int err; + +- if (!pskb_inet_may_pull(skb)) ++ if (!skb_vlan_inet_prepare(skb)) + return -EINVAL; + + if (!gs6) +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 2d746f4c9a0a4..6690939f241a4 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -360,6 +360,39 @@ static inline bool pskb_inet_may_pull(struct sk_buff *skb) + return pskb_network_may_pull(skb, nhlen); + } + ++/* Variant of pskb_inet_may_pull(). 
++ */ ++static inline bool skb_vlan_inet_prepare(struct sk_buff *skb) ++{ ++ int nhlen = 0, maclen = ETH_HLEN; ++ __be16 type = skb->protocol; ++ ++ /* Essentially this is skb_protocol(skb, true) ++ * And we get MAC len. ++ */ ++ if (eth_type_vlan(type)) ++ type = __vlan_get_protocol(skb, type, &maclen); ++ ++ switch (type) { ++#if IS_ENABLED(CONFIG_IPV6) ++ case htons(ETH_P_IPV6): ++ nhlen = sizeof(struct ipv6hdr); ++ break; ++#endif ++ case htons(ETH_P_IP): ++ nhlen = sizeof(struct iphdr); ++ break; ++ } ++ /* For ETH_P_IPV6/ETH_P_IP we make sure to pull ++ * a base network header in skb->head. ++ */ ++ if (!pskb_may_pull(skb, maclen + nhlen)) ++ return false; ++ ++ skb_set_network_header(skb, maclen); ++ return true; ++} ++ + static inline int ip_encap_hlen(struct ip_tunnel_encap *e) + { + const struct ip_tunnel_encap_ops *ops; +-- +2.43.0 + diff --git a/queue-6.8/iommu-vt-d-allocate-local-memory-for-page-request-qu.patch b/queue-6.8/iommu-vt-d-allocate-local-memory-for-page-request-qu.patch new file mode 100644 index 00000000000..4e1720cdcc2 --- /dev/null +++ b/queue-6.8/iommu-vt-d-allocate-local-memory-for-page-request-qu.patch @@ -0,0 +1,39 @@ +From 7e47d4a091d6fb7b2c9ecec67c3086a97de601e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 11:07:43 +0800 +Subject: iommu/vt-d: Allocate local memory for page request queue + +From: Jacob Pan + +[ Upstream commit a34f3e20ddff02c4f12df2c0635367394e64c63d ] + +The page request queue is per IOMMU, its allocation should be made +NUMA-aware for performance reasons. 
+ +Fixes: a222a7f0bb6c ("iommu/vt-d: Implement page request handling") +Signed-off-by: Jacob Pan +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20240403214007.985600-1-jacob.jun.pan@linux.intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/svm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c +index ec47ec81f0ecd..4d269df0082fb 100644 +--- a/drivers/iommu/intel/svm.c ++++ b/drivers/iommu/intel/svm.c +@@ -67,7 +67,7 @@ int intel_svm_enable_prq(struct intel_iommu *iommu) + struct page *pages; + int irq, ret; + +- pages = alloc_pages(GFP_KERNEL | __GFP_ZERO, PRQ_ORDER); ++ pages = alloc_pages_node(iommu->node, GFP_KERNEL | __GFP_ZERO, PRQ_ORDER); + if (!pages) { + pr_warn("IOMMU: %s: Failed to allocate page request queue\n", + iommu->name); +-- +2.43.0 + diff --git a/queue-6.8/iommu-vt-d-fix-warn_on-in-iommu-probe-path.patch b/queue-6.8/iommu-vt-d-fix-warn_on-in-iommu-probe-path.patch new file mode 100644 index 00000000000..5e5b448e8ef --- /dev/null +++ b/queue-6.8/iommu-vt-d-fix-warn_on-in-iommu-probe-path.patch @@ -0,0 +1,116 @@ +From 71d9fc6a8402eff38afb835ce5b0fba5a4b5d863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 11:07:44 +0800 +Subject: iommu/vt-d: Fix WARN_ON in iommu probe path + +From: Lu Baolu + +[ Upstream commit 89436f4f54125b1297aec1f466efd8acb4ec613d ] + +Commit 1a75cc710b95 ("iommu/vt-d: Use rbtree to track iommu probed +devices") adds all devices probed by the iommu driver in a rbtree +indexed by the source ID of each device. It assumes that each device +has a unique source ID. This assumption is incorrect and the VT-d +spec doesn't state this requirement either. + +The reason for using a rbtree to track devices is to look up the device +with PCI bus and devfunc in the paths of handling ATS invalidation time +out error and the PRI I/O page faults. 
Both are PCI ATS feature related. + +Only track the devices that have PCI ATS capabilities in the rbtree to +avoid unnecessary WARN_ON in the iommu probe path. Otherwise, on some +platforms below kernel splat will be displayed and the iommu probe results +in failure. + + WARNING: CPU: 3 PID: 166 at drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90 + Call Trace: + + ? __warn+0x7e/0x180 + ? intel_iommu_probe_device+0x319/0xd90 + ? report_bug+0x1f8/0x200 + ? handle_bug+0x3c/0x70 + ? exc_invalid_op+0x18/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? intel_iommu_probe_device+0x319/0xd90 + ? debug_mutex_init+0x37/0x50 + __iommu_probe_device+0xf2/0x4f0 + iommu_probe_device+0x22/0x70 + iommu_bus_notifier+0x1e/0x40 + notifier_call_chain+0x46/0x150 + blocking_notifier_call_chain+0x42/0x60 + bus_notify+0x2f/0x50 + device_add+0x5ed/0x7e0 + platform_device_add+0xf5/0x240 + mfd_add_devices+0x3f9/0x500 + ? preempt_count_add+0x4c/0xa0 + ? up_write+0xa2/0x1b0 + ? __debugfs_create_file+0xe3/0x150 + intel_lpss_probe+0x49f/0x5b0 + ? pci_conf1_write+0xa3/0xf0 + intel_lpss_pci_probe+0xcf/0x110 [intel_lpss_pci] + pci_device_probe+0x95/0x120 + really_probe+0xd9/0x370 + ? __pfx___driver_attach+0x10/0x10 + __driver_probe_device+0x73/0x150 + driver_probe_device+0x19/0xa0 + __driver_attach+0xb6/0x180 + ? __pfx___driver_attach+0x10/0x10 + bus_for_each_dev+0x77/0xd0 + bus_add_driver+0x114/0x210 + driver_register+0x5b/0x110 + ? __pfx_intel_lpss_pci_driver_init+0x10/0x10 [intel_lpss_pci] + do_one_initcall+0x57/0x2b0 + ? kmalloc_trace+0x21e/0x280 + ? do_init_module+0x1e/0x210 + do_init_module+0x5f/0x210 + load_module+0x1d37/0x1fc0 + ? 
init_module_from_file+0x86/0xd0 + init_module_from_file+0x86/0xd0 + idempotent_init_module+0x17c/0x230 + __x64_sys_finit_module+0x56/0xb0 + do_syscall_64+0x6e/0x140 + entry_SYSCALL_64_after_hwframe+0x71/0x79 + +Fixes: 1a75cc710b95 ("iommu/vt-d: Use rbtree to track iommu probed devices") +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10689 +Signed-off-by: Lu Baolu +Link: https://lore.kernel.org/r/20240407011429.136282-1-baolu.lu@linux.intel.com +Reviewed-by: Kevin Tian +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index 5dba58f322f03..d7e10f1311aaf 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -4381,9 +4381,11 @@ static struct iommu_device *intel_iommu_probe_device(struct device *dev) + } + + dev_iommu_priv_set(dev, info); +- ret = device_rbtree_insert(iommu, info); +- if (ret) +- goto free; ++ if (pdev && pci_ats_supported(pdev)) { ++ ret = device_rbtree_insert(iommu, info); ++ if (ret) ++ goto free; ++ } + + if (sm_supported(iommu) && !dev_is_real_dma_subdevice(dev)) { + ret = intel_pasid_alloc_table(dev); +@@ -4410,7 +4412,8 @@ static void intel_iommu_release_device(struct device *dev) + struct intel_iommu *iommu = info->iommu; + + mutex_lock(&iommu->iopf_lock); +- device_rbtree_remove(info); ++ if (dev_is_pci(dev) && pci_ats_supported(to_pci_dev(dev))) ++ device_rbtree_remove(info); + mutex_unlock(&iommu->iopf_lock); + + if (sm_supported(iommu) && !dev_is_real_dma_subdevice(dev) && +-- +2.43.0 + diff --git a/queue-6.8/iommu-vt-d-fix-wrong-use-of-pasid-config.patch b/queue-6.8/iommu-vt-d-fix-wrong-use-of-pasid-config.patch new file mode 100644 index 00000000000..c64c7789794 --- /dev/null +++ b/queue-6.8/iommu-vt-d-fix-wrong-use-of-pasid-config.patch @@ -0,0 +1,39 @@ +From 2509ad076d6268edb77979b73048c71041e021ad Mon Sep 17 00:00:00 
2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 11:07:42 +0800 +Subject: iommu/vt-d: Fix wrong use of pasid config + +From: Xuchun Shang + +[ Upstream commit 5b3625a4f6422e8982f90f0c11b5546149c962b8 ] + +The commit "iommu/vt-d: Add IOMMU perfmon support" introduced the IOMMU +PMU feature, but uses the wrong config when setting the pasid filter. + +Fixes: 7232ab8b89e9 ("iommu/vt-d: Add IOMMU perfmon support") +Signed-off-by: Xuchun Shang +Reviewed-by: Kan Liang +Link: https://lore.kernel.org/r/20240401060753.3321318-1-xuchun.shang@linux.alibaba.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/perfmon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel/perfmon.c b/drivers/iommu/intel/perfmon.c +index cf43e798eca49..44083d01852db 100644 +--- a/drivers/iommu/intel/perfmon.c ++++ b/drivers/iommu/intel/perfmon.c +@@ -438,7 +438,7 @@ static int iommu_pmu_assign_event(struct iommu_pmu *iommu_pmu, + iommu_pmu_set_filter(domain, event->attr.config1, + IOMMU_PMU_FILTER_DOMAIN, idx, + event->attr.config1); +- iommu_pmu_set_filter(pasid, event->attr.config1, ++ iommu_pmu_set_filter(pasid, event->attr.config2, + IOMMU_PMU_FILTER_PASID, idx, + event->attr.config1); + iommu_pmu_set_filter(ats, event->attr.config2, +-- +2.43.0 + diff --git a/queue-6.8/ipv4-route-avoid-unused-but-set-variable-warning.patch b/queue-6.8/ipv4-route-avoid-unused-but-set-variable-warning.patch new file mode 100644 index 00000000000..82ed9edc71d --- /dev/null +++ b/queue-6.8/ipv4-route-avoid-unused-but-set-variable-warning.patch @@ -0,0 +1,51 @@ +From 3fa5067f790b818da75ce531e6110b195e2d0705 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:42:03 +0200 +Subject: ipv4/route: avoid unused-but-set-variable warning + +From: Arnd Bergmann + +[ Upstream commit cf1b7201df59fb936f40f4a807433fe3f2ce310a ] + +The log_martians variable is only used in an #ifdef, causing a 'make W=1' +warning with gcc: + 
+net/ipv4/route.c: In function 'ip_rt_send_redirect': +net/ipv4/route.c:880:13: error: variable 'log_martians' set but not used [-Werror=unused-but-set-variable] + +Change the #ifdef to an equivalent IS_ENABLED() to let the compiler +see where the variable is used. + +Fixes: 30038fc61adf ("net: ip_rt_send_redirect() optimization") +Reviewed-by: David Ahern +Signed-off-by: Arnd Bergmann +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240408074219.3030256-2-arnd@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 16615d107cf06..15c37c8113fc8 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -926,13 +926,11 @@ void ip_rt_send_redirect(struct sk_buff *skb) + icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw); + peer->rate_last = jiffies; + ++peer->n_redirects; +-#ifdef CONFIG_IP_ROUTE_VERBOSE +- if (log_martians && ++ if (IS_ENABLED(CONFIG_IP_ROUTE_VERBOSE) && log_martians && + peer->n_redirects == ip_rt_redirect_number) + net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n", + &ip_hdr(skb)->saddr, inet_iif(skb), + &ip_hdr(skb)->daddr, &gw); +-#endif + } + out_put_peer: + inet_putpeer(peer); +-- +2.43.0 + diff --git a/queue-6.8/ipv6-fib-hide-unused-pn-variable.patch b/queue-6.8/ipv6-fib-hide-unused-pn-variable.patch new file mode 100644 index 00000000000..df235e7e71d --- /dev/null +++ b/queue-6.8/ipv6-fib-hide-unused-pn-variable.patch @@ -0,0 +1,60 @@ +From 09aaa57dfd752fe1a1648117bdf32ec7455b122e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:42:02 +0200 +Subject: ipv6: fib: hide unused 'pn' variable + +From: Arnd Bergmann + +[ Upstream commit 74043489fcb5e5ca4074133582b5b8011b67f9e7 ] + +When CONFIG_IPV6_SUBTREES is disabled, the only user is hidden, causing +a 'make W=1' warning: + +net/ipv6/ip6_fib.c: In function 'fib6_add': 
+net/ipv6/ip6_fib.c:1388:32: error: variable 'pn' set but not used [-Werror=unused-but-set-variable] + +Add another #ifdef around the variable declaration, matching the other +uses in this file. + +Fixes: 66729e18df08 ("[IPV6] ROUTE: Make sure we have fn->leaf when adding a node on subtree.") +Link: https://lore.kernel.org/netdev/20240322131746.904943-1-arnd@kernel.org/ +Reviewed-by: David Ahern +Signed-off-by: Arnd Bergmann +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240408074219.3030256-1-arnd@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index 54294f6a8ec51..8184076a3924e 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1375,7 +1375,10 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + struct nl_info *info, struct netlink_ext_ack *extack) + { + struct fib6_table *table = rt->fib6_table; +- struct fib6_node *fn, *pn = NULL; ++ struct fib6_node *fn; ++#ifdef CONFIG_IPV6_SUBTREES ++ struct fib6_node *pn = NULL; ++#endif + int err = -ENOMEM; + int allow_create = 1; + int replace_required = 0; +@@ -1399,9 +1402,9 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + goto out; + } + ++#ifdef CONFIG_IPV6_SUBTREES + pn = fn; + +-#ifdef CONFIG_IPV6_SUBTREES + if (rt->fib6_src.plen) { + struct fib6_node *sn; + +-- +2.43.0 + diff --git a/queue-6.8/ipv6-fix-race-condition-between-ipv6_get_ifaddr-and-.patch b/queue-6.8/ipv6-fix-race-condition-between-ipv6_get_ifaddr-and-.patch new file mode 100644 index 00000000000..5baec9b20ed --- /dev/null +++ b/queue-6.8/ipv6-fix-race-condition-between-ipv6_get_ifaddr-and-.patch @@ -0,0 +1,133 @@ +From 6c60f7904908a82a2179b888ea4db660340f917b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 16:18:21 +0200 +Subject: ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr + +From: Jiri Benc + 
+[ Upstream commit 7633c4da919ad51164acbf1aa322cc1a3ead6129 ] + +Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it +still means hlist_for_each_entry_rcu can return an item that got removed +from the list. The memory itself of such item is not freed thanks to RCU +but nothing guarantees the actual content of the memory is sane. + +In particular, the reference count can be zero. This can happen if +ipv6_del_addr is called in parallel. ipv6_del_addr removes the entry +from inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all +references (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough +timing, this can happen: + +1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry. + +2. Then, the whole ipv6_del_addr is executed for the given entry. The + reference count drops to zero and kfree_rcu is scheduled. + +3. ipv6_get_ifaddr continues and tries to increment the reference count + (in6_ifa_hold). + +4. The rcu is unlocked and the entry is freed. + +5. The freed entry is returned. + +Prevent increasing of the reference count in such case. The name +in6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe. + +[ 41.506330] refcount_t: addition on 0; use-after-free. 
+[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130 +[ 41.507413] Modules linked in: veth bridge stp llc +[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14 +[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) +[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130 +[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff +[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282 +[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000 +[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900 +[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff +[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000 +[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48 +[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000 +[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0 +[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 41.516799] Call Trace: +[ 41.517037] +[ 41.517249] ? __warn+0x7b/0x120 +[ 41.517535] ? refcount_warn_saturate+0xa5/0x130 +[ 41.517923] ? report_bug+0x164/0x190 +[ 41.518240] ? handle_bug+0x3d/0x70 +[ 41.518541] ? exc_invalid_op+0x17/0x70 +[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20 +[ 41.521325] ? refcount_warn_saturate+0xa5/0x130 +[ 41.521708] ipv6_get_ifaddr+0xda/0xe0 +[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0 +[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10 +[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0 +[ 41.523102] ? 
netlink_unicast+0x30f/0x390 +[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 +[ 41.523832] netlink_rcv_skb+0x53/0x100 +[ 41.524157] netlink_unicast+0x23b/0x390 +[ 41.524484] netlink_sendmsg+0x1f2/0x440 +[ 41.524826] __sys_sendto+0x1d8/0x1f0 +[ 41.525145] __x64_sys_sendto+0x1f/0x30 +[ 41.525467] do_syscall_64+0xa5/0x1b0 +[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a +[ 41.526213] RIP: 0033:0x7fbc4cfcea9a +[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +[ 41.527942] RSP: 002b:00007ffcf54012a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 41.528593] RAX: ffffffffffffffda RBX: 00007ffcf5401368 RCX: 00007fbc4cfcea9a +[ 41.529173] RDX: 000000000000002c RSI: 00007fbc4b9d9bd0 RDI: 0000000000000005 +[ 41.529786] RBP: 00007fbc4bafb040 R08: 00007ffcf54013e0 R09: 000000000000000c +[ 41.530375] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 41.530977] R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007fbc4ca85d1b +[ 41.531573] + +Fixes: 5c578aedcb21d ("IPv6: convert addrconf hash list to RCU") +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: Jiri Benc +Link: https://lore.kernel.org/r/8ab821e36073a4a406c50ec83c9e8dc586c539e4.1712585809.git.jbenc@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/addrconf.h | 4 ++++ + net/ipv6/addrconf.c | 7 ++++--- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/include/net/addrconf.h b/include/net/addrconf.h +index 61ebe723ee4d5..facb7a469efad 100644 +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -437,6 +437,10 @@ static inline void in6_ifa_hold(struct inet6_ifaddr *ifp) + refcount_inc(&ifp->refcnt); + } + ++static inline bool in6_ifa_hold_safe(struct inet6_ifaddr *ifp) ++{ ++ return refcount_inc_not_zero(&ifp->refcnt); ++} + + /* + * compute link-local 
solicited-node multicast address +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 055230b669cf2..37d48aa073c3c 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2061,9 +2061,10 @@ struct inet6_ifaddr *ipv6_get_ifaddr(struct net *net, const struct in6_addr *add + if (ipv6_addr_equal(&ifp->addr, addr)) { + if (!dev || ifp->idev->dev == dev || + !(ifp->scope&(IFA_LINK|IFA_HOST) || strict)) { +- result = ifp; +- in6_ifa_hold(ifp); +- break; ++ if (in6_ifa_hold_safe(ifp)) { ++ result = ifp; ++ break; ++ } + } + } + } +-- +2.43.0 + diff --git a/queue-6.8/lib-checksum-hide-unused-expected_csum_ipv6_magic.patch b/queue-6.8/lib-checksum-hide-unused-expected_csum_ipv6_magic.patch new file mode 100644 index 00000000000..c7b195fb7e0 --- /dev/null +++ b/queue-6.8/lib-checksum-hide-unused-expected_csum_ipv6_magic.patch @@ -0,0 +1,62 @@ +From 330a3608edd186cc9754af27bd87777947a1d901 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 18:36:45 +0200 +Subject: lib: checksum: hide unused expected_csum_ipv6_magic[] + +From: Arnd Bergmann + +[ Upstream commit e9d47b7b31563a6524b9f64ea70ed0289cc4d9c4 ] + +When CONFIG_NET is disabled, an extra warning shows up for this +unused variable: + +lib/checksum_kunit.c:218:18: error: 'expected_csum_ipv6_magic' defined but not used [-Werror=unused-const-variable=] + +Replace the #ifdef with an IS_ENABLED() check that makes the compiler's +dead-code-elimination take care of the link failure. + +Fixes: f24a70106dc1 ("lib: checksum: Fix build with CONFIG_NET=n") +Suggested-by: Christophe Leroy +Acked-by: Palmer Dabbelt +Acked-by: Jakub Kicinski +Signed-off-by: Arnd Bergmann +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + lib/checksum_kunit.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/checksum_kunit.c b/lib/checksum_kunit.c +index bf70850035c76..404dba36bae38 100644 +--- a/lib/checksum_kunit.c ++++ b/lib/checksum_kunit.c +@@ -594,13 +594,15 @@ static void test_ip_fast_csum(struct kunit *test) + + static void test_csum_ipv6_magic(struct kunit *test) + { +-#if defined(CONFIG_NET) + const struct in6_addr *saddr; + const struct in6_addr *daddr; + unsigned int len; + unsigned char proto; + __wsum csum; + ++ if (!IS_ENABLED(CONFIG_NET)) ++ return; ++ + const int daddr_offset = sizeof(struct in6_addr); + const int len_offset = sizeof(struct in6_addr) + sizeof(struct in6_addr); + const int proto_offset = sizeof(struct in6_addr) + sizeof(struct in6_addr) + +@@ -618,7 +620,6 @@ static void test_csum_ipv6_magic(struct kunit *test) + CHECK_EQ(to_sum16(expected_csum_ipv6_magic[i]), + csum_ipv6_magic(saddr, daddr, len, proto, csum)); + } +-#endif /* !CONFIG_NET */ + } + + static struct kunit_case __refdata checksum_test_cases[] = { +-- +2.43.0 + diff --git a/queue-6.8/mmc-omap-fix-broken-slot-switch-lookup.patch b/queue-6.8/mmc-omap-fix-broken-slot-switch-lookup.patch new file mode 100644 index 00000000000..8fc97cecc10 --- /dev/null +++ b/queue-6.8/mmc-omap-fix-broken-slot-switch-lookup.patch @@ -0,0 +1,58 @@ +From 56f9aa5421419a190c4b4b9e7fe326f4901bd5f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 20:14:37 +0200 +Subject: mmc: omap: fix broken slot switch lookup + +From: Aaro Koskinen + +[ Upstream commit d4debbcbffa45c3de5df0040af2eea74a9e794a3 ] + +The lookup is done before host->dev is initialized. It will always just +fail silently, and the MMC behaviour is totally unpredictable as the switch +is left in an undefined state. Fix that. 
+ +Fixes: e519f0bb64ef ("ARM/mmc: Convert old mmci-omap to GPIO descriptors") +Signed-off-by: Aaro Koskinen +Message-ID: <20240223181439.1099750-4-aaro.koskinen@iki.fi> +Reviewed-by: Linus Walleij +Acked-by: Ulf Hansson +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index 9fb8995b43a1c..aa40e1a9dc29e 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -1384,13 +1384,6 @@ static int mmc_omap_probe(struct platform_device *pdev) + if (IS_ERR(host->virt_base)) + return PTR_ERR(host->virt_base); + +- host->slot_switch = gpiod_get_optional(host->dev, "switch", +- GPIOD_OUT_LOW); +- if (IS_ERR(host->slot_switch)) +- return dev_err_probe(host->dev, PTR_ERR(host->slot_switch), +- "error looking up slot switch GPIO\n"); +- +- + INIT_WORK(&host->slot_release_work, mmc_omap_slot_release_work); + INIT_WORK(&host->send_stop_work, mmc_omap_send_stop_work); + +@@ -1409,6 +1402,12 @@ static int mmc_omap_probe(struct platform_device *pdev) + host->dev = &pdev->dev; + platform_set_drvdata(pdev, host); + ++ host->slot_switch = gpiod_get_optional(host->dev, "switch", ++ GPIOD_OUT_LOW); ++ if (IS_ERR(host->slot_switch)) ++ return dev_err_probe(host->dev, PTR_ERR(host->slot_switch), ++ "error looking up slot switch GPIO\n"); ++ + host->id = pdev->id; + host->irq = irq; + host->phys_base = res->start; +-- +2.43.0 + diff --git a/queue-6.8/mmc-omap-fix-deferred-probe.patch b/queue-6.8/mmc-omap-fix-deferred-probe.patch new file mode 100644 index 00000000000..2655a2f68ea --- /dev/null +++ b/queue-6.8/mmc-omap-fix-deferred-probe.patch @@ -0,0 +1,66 @@ +From 8265a1e84b703ce1e8fbd3eaef4fa6f235672156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 20:14:38 +0200 +Subject: mmc: omap: fix deferred probe + +From: Aaro Koskinen + +[ Upstream commit 
f6862c7f156d04f81c38467e1c304b7e9517e810 ] + +After a deferred probe, GPIO descriptor lookup will fail with EBUSY. Fix by +using managed descriptors. + +Fixes: e519f0bb64ef ("ARM/mmc: Convert old mmci-omap to GPIO descriptors") +Signed-off-by: Aaro Koskinen +Message-ID: <20240223181439.1099750-5-aaro.koskinen@iki.fi> +Reviewed-by: Linus Walleij +Acked-by: Ulf Hansson +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index aa40e1a9dc29e..50408771ae01c 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -1259,18 +1259,18 @@ static int mmc_omap_new_slot(struct mmc_omap_host *host, int id) + slot->pdata = &host->pdata->slots[id]; + + /* Check for some optional GPIO controls */ +- slot->vsd = gpiod_get_index_optional(host->dev, "vsd", +- id, GPIOD_OUT_LOW); ++ slot->vsd = devm_gpiod_get_index_optional(host->dev, "vsd", ++ id, GPIOD_OUT_LOW); + if (IS_ERR(slot->vsd)) + return dev_err_probe(host->dev, PTR_ERR(slot->vsd), + "error looking up VSD GPIO\n"); +- slot->vio = gpiod_get_index_optional(host->dev, "vio", +- id, GPIOD_OUT_LOW); ++ slot->vio = devm_gpiod_get_index_optional(host->dev, "vio", ++ id, GPIOD_OUT_LOW); + if (IS_ERR(slot->vio)) + return dev_err_probe(host->dev, PTR_ERR(slot->vio), + "error looking up VIO GPIO\n"); +- slot->cover = gpiod_get_index_optional(host->dev, "cover", +- id, GPIOD_IN); ++ slot->cover = devm_gpiod_get_index_optional(host->dev, "cover", ++ id, GPIOD_IN); + if (IS_ERR(slot->cover)) + return dev_err_probe(host->dev, PTR_ERR(slot->cover), + "error looking up cover switch GPIO\n"); +@@ -1402,8 +1402,8 @@ static int mmc_omap_probe(struct platform_device *pdev) + host->dev = &pdev->dev; + platform_set_drvdata(pdev, host); + +- host->slot_switch = gpiod_get_optional(host->dev, "switch", +- GPIOD_OUT_LOW); ++ host->slot_switch = 
devm_gpiod_get_optional(host->dev, "switch", ++ GPIOD_OUT_LOW); + if (IS_ERR(host->slot_switch)) + return dev_err_probe(host->dev, PTR_ERR(host->slot_switch), + "error looking up slot switch GPIO\n"); +-- +2.43.0 + diff --git a/queue-6.8/mmc-omap-restore-original-power-up-down-steps.patch b/queue-6.8/mmc-omap-restore-original-power-up-down-steps.patch new file mode 100644 index 00000000000..d03b76d1c49 --- /dev/null +++ b/queue-6.8/mmc-omap-restore-original-power-up-down-steps.patch @@ -0,0 +1,65 @@ +From 0e272756d86e4155ac86454305af3a22e533b85e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 20:14:39 +0200 +Subject: mmc: omap: restore original power up/down steps + +From: Aaro Koskinen + +[ Upstream commit 894ad61b85d6ba8efd4274aa8719d9ff1c89ea54 ] + +Commit e519f0bb64ef ("ARM/mmc: Convert old mmci-omap to GPIO descriptors") +moved Nokia N810 MMC power up/down from the board file into the MMC driver. + +The change removed some delays, and ordering without a valid reason. +Restore power up/down to match the original code. This matters only on N810 +where the 2nd GPIO is in use. Other boards will see an additional delay but +that should be a lesser concern than omitting delays altogether. 
+ +Fixes: e519f0bb64ef ("ARM/mmc: Convert old mmci-omap to GPIO descriptors") +Signed-off-by: Aaro Koskinen +Message-ID: <20240223181439.1099750-6-aaro.koskinen@iki.fi> +Reviewed-by: Linus Walleij +Acked-by: Ulf Hansson +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index 50408771ae01c..13fa8588e38c1 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -1119,10 +1119,25 @@ static void mmc_omap_set_power(struct mmc_omap_slot *slot, int power_on, + + host = slot->host; + +- if (slot->vsd) +- gpiod_set_value(slot->vsd, power_on); +- if (slot->vio) +- gpiod_set_value(slot->vio, power_on); ++ if (power_on) { ++ if (slot->vsd) { ++ gpiod_set_value(slot->vsd, power_on); ++ msleep(1); ++ } ++ if (slot->vio) { ++ gpiod_set_value(slot->vio, power_on); ++ msleep(1); ++ } ++ } else { ++ if (slot->vio) { ++ gpiod_set_value(slot->vio, power_on); ++ msleep(50); ++ } ++ if (slot->vsd) { ++ gpiod_set_value(slot->vsd, power_on); ++ msleep(50); ++ } ++ } + + if (slot->pdata->set_power != NULL) + slot->pdata->set_power(mmc_dev(slot->mmc), slot->id, power_on, +-- +2.43.0 + diff --git a/queue-6.8/net-dsa-mt7530-trap-link-local-frames-regardless-of-.patch b/queue-6.8/net-dsa-mt7530-trap-link-local-frames-regardless-of-.patch new file mode 100644 index 00000000000..fffa9713ec1 --- /dev/null +++ b/queue-6.8/net-dsa-mt7530-trap-link-local-frames-regardless-of-.patch @@ -0,0 +1,495 @@ +From 3a6959ccccc084881268d57488a84c5cbf8453c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 18:01:14 +0300 +Subject: net: dsa: mt7530: trap link-local frames regardless of ST Port State +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arınç ÜNAL + +[ Upstream commit 17c560113231ddc20088553c7b499b289b664311 ] + +In Clause 5 of IEEE 
Std 802-2014, two sublayers of the data link layer +(DLL) of the Open Systems Interconnection basic reference model (OSI/RM) +are described; the medium access control (MAC) and logical link control +(LLC) sublayers. The MAC sublayer is the one facing the physical layer. + +In 8.2 of IEEE Std 802.1Q-2022, the Bridge architecture is described. A +Bridge component comprises a MAC Relay Entity for interconnecting the Ports +of the Bridge, at least two Ports, and higher layer entities with at least +a Spanning Tree Protocol Entity included. + +Each Bridge Port also functions as an end station and shall provide the MAC +Service to an LLC Entity. Each instance of the MAC Service is provided to a +distinct LLC Entity that supports protocol identification, multiplexing, +and demultiplexing, for protocol data unit (PDU) transmission and reception +by one or more higher layer entities. + +It is described in 8.13.9 of IEEE Std 802.1Q-2022 that in a Bridge, the LLC +Entity associated with each Bridge Port is modeled as being directly +connected to the attached Local Area Network (LAN). + +On the switch with CPU port architecture, CPU port functions as Management +Port, and the Management Port functionality is provided by software which +functions as an end station. Software is connected to an IEEE 802 LAN that +is wholly contained within the system that incorporates the Bridge. +Software provides access to the LLC Entity associated with each Bridge Port +by the value of the source port field on the special tag on the frame +received by software. + +We call frames that carry control information to determine the active +topology and current extent of each Virtual Local Area Network (VLAN), +i.e., spanning tree or Shortest Path Bridging (SPB) and Multiple VLAN +Registration Protocol Data Units (MVRPDUs), and frames from other link +constrained protocols, such as Extensible Authentication Protocol over LAN +(EAPOL) and Link Layer Discovery Protocol (LLDP), link-local frames. 
They +are not forwarded by a Bridge. Permanently configured entries in the +filtering database (FDB) ensure that such frames are discarded by the +Forwarding Process. In 8.6.3 of IEEE Std 802.1Q-2022, this is described in +detail: + +Each of the reserved MAC addresses specified in Table 8-1 +(01-80-C2-00-00-[00,01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F]) shall be +permanently configured in the FDB in C-VLAN components and ERs. + +Each of the reserved MAC addresses specified in Table 8-2 +(01-80-C2-00-00-[01,02,03,04,05,06,07,08,09,0A,0E]) shall be permanently +configured in the FDB in S-VLAN components. + +Each of the reserved MAC addresses specified in Table 8-3 +(01-80-C2-00-00-[01,02,04,0E]) shall be permanently configured in the FDB +in TPMR components. + +The FDB entries for reserved MAC addresses shall specify filtering for all +Bridge Ports and all VIDs. Management shall not provide the capability to +modify or remove entries for reserved MAC addresses. + +The addresses in Table 8-1, Table 8-2, and Table 8-3 determine the scope of +propagation of PDUs within a Bridged Network, as follows: + + The Nearest Bridge group address (01-80-C2-00-00-0E) is an address that + no conformant Two-Port MAC Relay (TPMR) component, Service VLAN (S-VLAN) + component, Customer VLAN (C-VLAN) component, or MAC Bridge can forward. + PDUs transmitted using this destination address, or any other addresses + that appear in Table 8-1, Table 8-2, and Table 8-3 + (01-80-C2-00-00-[00,01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F]), can + therefore travel no further than those stations that can be reached via a + single individual LAN from the originating station. + + The Nearest non-TPMR Bridge group address (01-80-C2-00-00-03), is an + address that no conformant S-VLAN component, C-VLAN component, or MAC + Bridge can forward; however, this address is relayed by a TPMR component. 
+ PDUs using this destination address, or any of the other addresses that + appear in both Table 8-1 and Table 8-2 but not in Table 8-3 + (01-80-C2-00-00-[00,03,05,06,07,08,09,0A,0B,0C,0D,0F]), will be relayed + by any TPMRs but will propagate no further than the nearest S-VLAN + component, C-VLAN component, or MAC Bridge. + + The Nearest Customer Bridge group address (01-80-C2-00-00-00) is an + address that no conformant C-VLAN component, MAC Bridge can forward; + however, it is relayed by TPMR components and S-VLAN components. PDUs + using this destination address, or any of the other addresses that appear + in Table 8-1 but not in either Table 8-2 or Table 8-3 + (01-80-C2-00-00-[00,0B,0C,0D,0F]), will be relayed by TPMR components and + S-VLAN components but will propagate no further than the nearest C-VLAN + component or MAC Bridge. + +Because the LLC Entity associated with each Bridge Port is provided via CPU +port, we must not filter these frames but forward them to CPU port. + +In a Bridge, the transmission Port is majorly decided by ingress and egress +rules, FDB, and spanning tree Port State functions of the Forwarding +Process. For link-local frames, only CPU port should be designated as +destination port in the FDB, and the other functions of the Forwarding +Process must not interfere with the decision of the transmission Port. We +call this process trapping frames to CPU port. + +Therefore, on the switch with CPU port architecture, link-local frames must +be trapped to CPU port, and certain link-local frames received by a Port of +a Bridge comprising a TPMR component or an S-VLAN component must be +excluded from it. + +A Bridge of the switch with CPU port architecture cannot comprise a +Two-Port MAC Relay (TPMR) component as a TPMR component supports only a +subset of the functionality of a MAC Bridge. 
A Bridge comprising two Ports +(Management Port doesn't count) of this architecture will either function +as a standard MAC Bridge or a standard VLAN Bridge. + +Therefore, a Bridge of this architecture can only comprise S-VLAN +components, C-VLAN components, or MAC Bridge components. Since there's no +TPMR component, we don't need to relay PDUs using the destination addresses +specified on the Nearest non-TPMR section, and the portion of the +Nearest Customer Bridge section where they must be relayed by TPMR +components. + +One option to trap link-local frames to CPU port is to add static FDB +entries with CPU port designated as destination port. However, because +Independent VLAN Learning (IVL) is being used on every VID, each entry only +applies to a single VLAN Identifier (VID). For a Bridge comprising a MAC +Bridge component or a C-VLAN component, there would have to be 16 times +4096 entries. This switch intellectual property can only hold a maximum of +2048 entries. Using this option, there also isn't a mechanism to prevent +link-local frames from being discarded when the spanning tree Port State of +the reception Port is discarding. + +The remaining option is to utilise the BPC, RGAC1, RGAC2, RGAC3, and RGAC4 +registers. Whilst this applies to every VID, it doesn't contain all of the +reserved MAC addresses without affecting the remaining Standard Group MAC +Addresses. The REV_UN frame tag utilised using the RGAC4 register covers +the remaining 01-80-C2-00-00-[04,05,06,07,08,09,0A,0B,0C,0D,0F] destination +addresses. It also includes the 01-80-C2-00-00-22 to 01-80-C2-00-00-FF +destination addresses which may be relayed by MAC Bridges or VLAN Bridges. +The latter option provides better but not complete conformance. + +This switch intellectual property also does not provide a mechanism to trap +link-local frames with specific destination addresses to CPU port by +Bridge, to conform to the filtering rules for the distinct Bridge +components.
+ +Therefore, regardless of the type of the Bridge component, link-local +frames with these destination addresses will be trapped to CPU port: + +01-80-C2-00-00-[00,01,02,03,0E] + +In a Bridge comprising a MAC Bridge component or a C-VLAN component: + + Link-local frames with these destination addresses won't be trapped to + CPU port which won't conform to IEEE Std 802.1Q-2022: + + 01-80-C2-00-00-[04,05,06,07,08,09,0A,0B,0C,0D,0F] + +In a Bridge comprising an S-VLAN component: + + Link-local frames with these destination addresses will be trapped to CPU + port which won't conform to IEEE Std 802.1Q-2022: + + 01-80-C2-00-00-00 + + Link-local frames with these destination addresses won't be trapped to + CPU port which won't conform to IEEE Std 802.1Q-2022: + + 01-80-C2-00-00-[04,05,06,07,08,09,0A] + +Currently on this switch intellectual property, if the spanning tree Port +State of the reception Port is discarding, link-local frames will be +discarded. + +To trap link-local frames regardless of the spanning tree Port State, make +the switch regard them as Bridge Protocol Data Units (BPDUs). This switch +intellectual property only lets the frames regarded as BPDUs bypass the +spanning tree Port State function of the Forwarding Process. + +With this change, the only remaining interference is the ingress rules. +When the reception Port has no PVID assigned on software, VLAN-untagged +frames won't be allowed in. There doesn't seem to be a mechanism on the +switch intellectual property to have link-local frames bypass this function +of the Forwarding Process. 
+ +Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") +Reviewed-by: Daniel Golle +Signed-off-by: Arınç ÜNAL +Link: https://lore.kernel.org/r/20240409-b4-for-net-mt7530-fix-link-local-when-stp-discarding-v2-1-07b1150164ac@arinc9.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 229 +++++++++++++++++++++++++++++++++------ + drivers/net/dsa/mt7530.h | 5 + + 2 files changed, 200 insertions(+), 34 deletions(-) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index 40ae44c9945b1..22b97505fa536 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -998,20 +998,173 @@ static void mt7530_setup_port5(struct dsa_switch *ds, phy_interface_t interface) + mutex_unlock(&priv->reg_mutex); + } + +-/* On page 205, section "8.6.3 Frame filtering" of the active standard, IEEE Std +- * 802.1Q™-2022, it is stated that frames with 01:80:C2:00:00:00-0F as MAC DA +- * must only be propagated to C-VLAN and MAC Bridge components. That means +- * VLAN-aware and VLAN-unaware bridges. On the switch designs with CPU ports, +- * these frames are supposed to be processed by the CPU (software). So we make +- * the switch only forward them to the CPU port. And if received from a CPU +- * port, forward to a single port. The software is responsible of making the +- * switch conform to the latter by setting a single port as destination port on +- * the special tag. ++/* In Clause 5 of IEEE Std 802-2014, two sublayers of the data link layer (DLL) ++ * of the Open Systems Interconnection basic reference model (OSI/RM) are ++ * described; the medium access control (MAC) and logical link control (LLC) ++ * sublayers. The MAC sublayer is the one facing the physical layer. + * +- * This switch intellectual property cannot conform to this part of the standard +- * fully. 
Whilst the REV_UN frame tag covers the remaining :04-0D and :0F MAC +- * DAs, it also includes :22-FF which the scope of propagation is not supposed +- * to be restricted for these MAC DAs. ++ * In 8.2 of IEEE Std 802.1Q-2022, the Bridge architecture is described. A ++ * Bridge component comprises a MAC Relay Entity for interconnecting the Ports ++ * of the Bridge, at least two Ports, and higher layer entities with at least a ++ * Spanning Tree Protocol Entity included. ++ * ++ * Each Bridge Port also functions as an end station and shall provide the MAC ++ * Service to an LLC Entity. Each instance of the MAC Service is provided to a ++ * distinct LLC Entity that supports protocol identification, multiplexing, and ++ * demultiplexing, for protocol data unit (PDU) transmission and reception by ++ * one or more higher layer entities. ++ * ++ * It is described in 8.13.9 of IEEE Std 802.1Q-2022 that in a Bridge, the LLC ++ * Entity associated with each Bridge Port is modeled as being directly ++ * connected to the attached Local Area Network (LAN). ++ * ++ * On the switch with CPU port architecture, CPU port functions as Management ++ * Port, and the Management Port functionality is provided by software which ++ * functions as an end station. Software is connected to an IEEE 802 LAN that is ++ * wholly contained within the system that incorporates the Bridge. Software ++ * provides access to the LLC Entity associated with each Bridge Port by the ++ * value of the source port field on the special tag on the frame received by ++ * software. 
++ * ++ * We call frames that carry control information to determine the active ++ * topology and current extent of each Virtual Local Area Network (VLAN), i.e., ++ * spanning tree or Shortest Path Bridging (SPB) and Multiple VLAN Registration ++ * Protocol Data Units (MVRPDUs), and frames from other link constrained ++ * protocols, such as Extensible Authentication Protocol over LAN (EAPOL) and ++ * Link Layer Discovery Protocol (LLDP), link-local frames. They are not ++ * forwarded by a Bridge. Permanently configured entries in the filtering ++ * database (FDB) ensure that such frames are discarded by the Forwarding ++ * Process. In 8.6.3 of IEEE Std 802.1Q-2022, this is described in detail: ++ * ++ * Each of the reserved MAC addresses specified in Table 8-1 ++ * (01-80-C2-00-00-[00,01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F]) shall be ++ * permanently configured in the FDB in C-VLAN components and ERs. ++ * ++ * Each of the reserved MAC addresses specified in Table 8-2 ++ * (01-80-C2-00-00-[01,02,03,04,05,06,07,08,09,0A,0E]) shall be permanently ++ * configured in the FDB in S-VLAN components. ++ * ++ * Each of the reserved MAC addresses specified in Table 8-3 ++ * (01-80-C2-00-00-[01,02,04,0E]) shall be permanently configured in the FDB in ++ * TPMR components. ++ * ++ * The FDB entries for reserved MAC addresses shall specify filtering for all ++ * Bridge Ports and all VIDs. Management shall not provide the capability to ++ * modify or remove entries for reserved MAC addresses. ++ * ++ * The addresses in Table 8-1, Table 8-2, and Table 8-3 determine the scope of ++ * propagation of PDUs within a Bridged Network, as follows: ++ * ++ * The Nearest Bridge group address (01-80-C2-00-00-0E) is an address that no ++ * conformant Two-Port MAC Relay (TPMR) component, Service VLAN (S-VLAN) ++ * component, Customer VLAN (C-VLAN) component, or MAC Bridge can forward. 
++ * PDUs transmitted using this destination address, or any other addresses ++ * that appear in Table 8-1, Table 8-2, and Table 8-3 ++ * (01-80-C2-00-00-[00,01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F]), can ++ * therefore travel no further than those stations that can be reached via a ++ * single individual LAN from the originating station. ++ * ++ * The Nearest non-TPMR Bridge group address (01-80-C2-00-00-03), is an ++ * address that no conformant S-VLAN component, C-VLAN component, or MAC ++ * Bridge can forward; however, this address is relayed by a TPMR component. ++ * PDUs using this destination address, or any of the other addresses that ++ * appear in both Table 8-1 and Table 8-2 but not in Table 8-3 ++ * (01-80-C2-00-00-[00,03,05,06,07,08,09,0A,0B,0C,0D,0F]), will be relayed by ++ * any TPMRs but will propagate no further than the nearest S-VLAN component, ++ * C-VLAN component, or MAC Bridge. ++ * ++ * The Nearest Customer Bridge group address (01-80-C2-00-00-00) is an address ++ * that no conformant C-VLAN component, MAC Bridge can forward; however, it is ++ * relayed by TPMR components and S-VLAN components. PDUs using this ++ * destination address, or any of the other addresses that appear in Table 8-1 ++ * but not in either Table 8-2 or Table 8-3 (01-80-C2-00-00-[00,0B,0C,0D,0F]), ++ * will be relayed by TPMR components and S-VLAN components but will propagate ++ * no further than the nearest C-VLAN component or MAC Bridge. ++ * ++ * Because the LLC Entity associated with each Bridge Port is provided via CPU ++ * port, we must not filter these frames but forward them to CPU port. ++ * ++ * In a Bridge, the transmission Port is majorly decided by ingress and egress ++ * rules, FDB, and spanning tree Port State functions of the Forwarding Process. 
++ * For link-local frames, only CPU port should be designated as destination port ++ * in the FDB, and the other functions of the Forwarding Process must not ++ * interfere with the decision of the transmission Port. We call this process ++ * trapping frames to CPU port. ++ * ++ * Therefore, on the switch with CPU port architecture, link-local frames must ++ * be trapped to CPU port, and certain link-local frames received by a Port of a ++ * Bridge comprising a TPMR component or an S-VLAN component must be excluded ++ * from it. ++ * ++ * A Bridge of the switch with CPU port architecture cannot comprise a Two-Port ++ * MAC Relay (TPMR) component as a TPMR component supports only a subset of the ++ * functionality of a MAC Bridge. A Bridge comprising two Ports (Management Port ++ * doesn't count) of this architecture will either function as a standard MAC ++ * Bridge or a standard VLAN Bridge. ++ * ++ * Therefore, a Bridge of this architecture can only comprise S-VLAN components, ++ * C-VLAN components, or MAC Bridge components. Since there's no TPMR component, ++ * we don't need to relay PDUs using the destination addresses specified on the ++ * Nearest non-TPMR section, and the proportion of the Nearest Customer Bridge ++ * section where they must be relayed by TPMR components. ++ * ++ * One option to trap link-local frames to CPU port is to add static FDB entries ++ * with CPU port designated as destination port. However, because that ++ * Independent VLAN Learning (IVL) is being used on every VID, each entry only ++ * applies to a single VLAN Identifier (VID). For a Bridge comprising a MAC ++ * Bridge component or a C-VLAN component, there would have to be 16 times 4096 ++ * entries. This switch intellectual property can only hold a maximum of 2048 ++ * entries. Using this option, there also isn't a mechanism to prevent ++ * link-local frames from being discarded when the spanning tree Port State of ++ * the reception Port is discarding. 
++ * ++ * The remaining option is to utilise the BPC, RGAC1, RGAC2, RGAC3, and RGAC4 ++ * registers. Whilst this applies to every VID, it doesn't contain all of the ++ * reserved MAC addresses without affecting the remaining Standard Group MAC ++ * Addresses. The REV_UN frame tag utilised using the RGAC4 register covers the ++ * remaining 01-80-C2-00-00-[04,05,06,07,08,09,0A,0B,0C,0D,0F] destination ++ * addresses. It also includes the 01-80-C2-00-00-22 to 01-80-C2-00-00-FF ++ * destination addresses which may be relayed by MAC Bridges or VLAN Bridges. ++ * The latter option provides better but not complete conformance. ++ * ++ * This switch intellectual property also does not provide a mechanism to trap ++ * link-local frames with specific destination addresses to CPU port by Bridge, ++ * to conform to the filtering rules for the distinct Bridge components. ++ * ++ * Therefore, regardless of the type of the Bridge component, link-local frames ++ * with these destination addresses will be trapped to CPU port: ++ * ++ * 01-80-C2-00-00-[00,01,02,03,0E] ++ * ++ * In a Bridge comprising a MAC Bridge component or a C-VLAN component: ++ * ++ * Link-local frames with these destination addresses won't be trapped to CPU ++ * port which won't conform to IEEE Std 802.1Q-2022: ++ * ++ * 01-80-C2-00-00-[04,05,06,07,08,09,0A,0B,0C,0D,0F] ++ * ++ * In a Bridge comprising an S-VLAN component: ++ * ++ * Link-local frames with these destination addresses will be trapped to CPU ++ * port which won't conform to IEEE Std 802.1Q-2022: ++ * ++ * 01-80-C2-00-00-00 ++ * ++ * Link-local frames with these destination addresses won't be trapped to CPU ++ * port which won't conform to IEEE Std 802.1Q-2022: ++ * ++ * 01-80-C2-00-00-[04,05,06,07,08,09,0A] ++ * ++ * To trap link-local frames to CPU port as conformant as this switch ++ * intellectual property can allow, link-local frames are made to be regarded as ++ * Bridge Protocol Data Units (BPDUs). 
This is because this switch intellectual ++ * property only lets the frames regarded as BPDUs bypass the spanning tree Port ++ * State function of the Forwarding Process. ++ * ++ * The only remaining interference is the ingress rules. When the reception Port ++ * has no PVID assigned on software, VLAN-untagged frames won't be allowed in. ++ * There doesn't seem to be a mechanism on the switch intellectual property to ++ * have link-local frames bypass this function of the Forwarding Process. + */ + static void + mt753x_trap_frames(struct mt7530_priv *priv) +@@ -1019,35 +1172,43 @@ mt753x_trap_frames(struct mt7530_priv *priv) + /* Trap 802.1X PAE frames and BPDUs to the CPU port(s) and egress them + * VLAN-untagged. + */ +- mt7530_rmw(priv, MT753X_BPC, MT753X_PAE_EG_TAG_MASK | +- MT753X_PAE_PORT_FW_MASK | MT753X_BPDU_EG_TAG_MASK | +- MT753X_BPDU_PORT_FW_MASK, +- MT753X_PAE_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | +- MT753X_PAE_PORT_FW(MT753X_BPDU_CPU_ONLY) | +- MT753X_BPDU_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | +- MT753X_BPDU_CPU_ONLY); ++ mt7530_rmw(priv, MT753X_BPC, ++ MT753X_PAE_BPDU_FR | MT753X_PAE_EG_TAG_MASK | ++ MT753X_PAE_PORT_FW_MASK | MT753X_BPDU_EG_TAG_MASK | ++ MT753X_BPDU_PORT_FW_MASK, ++ MT753X_PAE_BPDU_FR | ++ MT753X_PAE_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | ++ MT753X_PAE_PORT_FW(MT753X_BPDU_CPU_ONLY) | ++ MT753X_BPDU_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | ++ MT753X_BPDU_CPU_ONLY); + + /* Trap frames with :01 and :02 MAC DAs to the CPU port(s) and egress + * them VLAN-untagged. 
+ */ +- mt7530_rmw(priv, MT753X_RGAC1, MT753X_R02_EG_TAG_MASK | +- MT753X_R02_PORT_FW_MASK | MT753X_R01_EG_TAG_MASK | +- MT753X_R01_PORT_FW_MASK, +- MT753X_R02_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | +- MT753X_R02_PORT_FW(MT753X_BPDU_CPU_ONLY) | +- MT753X_R01_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | +- MT753X_BPDU_CPU_ONLY); ++ mt7530_rmw(priv, MT753X_RGAC1, ++ MT753X_R02_BPDU_FR | MT753X_R02_EG_TAG_MASK | ++ MT753X_R02_PORT_FW_MASK | MT753X_R01_BPDU_FR | ++ MT753X_R01_EG_TAG_MASK | MT753X_R01_PORT_FW_MASK, ++ MT753X_R02_BPDU_FR | ++ MT753X_R02_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | ++ MT753X_R02_PORT_FW(MT753X_BPDU_CPU_ONLY) | ++ MT753X_R01_BPDU_FR | ++ MT753X_R01_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | ++ MT753X_BPDU_CPU_ONLY); + + /* Trap frames with :03 and :0E MAC DAs to the CPU port(s) and egress + * them VLAN-untagged. + */ +- mt7530_rmw(priv, MT753X_RGAC2, MT753X_R0E_EG_TAG_MASK | +- MT753X_R0E_PORT_FW_MASK | MT753X_R03_EG_TAG_MASK | +- MT753X_R03_PORT_FW_MASK, +- MT753X_R0E_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | +- MT753X_R0E_PORT_FW(MT753X_BPDU_CPU_ONLY) | +- MT753X_R03_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | +- MT753X_BPDU_CPU_ONLY); ++ mt7530_rmw(priv, MT753X_RGAC2, ++ MT753X_R0E_BPDU_FR | MT753X_R0E_EG_TAG_MASK | ++ MT753X_R0E_PORT_FW_MASK | MT753X_R03_BPDU_FR | ++ MT753X_R03_EG_TAG_MASK | MT753X_R03_PORT_FW_MASK, ++ MT753X_R0E_BPDU_FR | ++ MT753X_R0E_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | ++ MT753X_R0E_PORT_FW(MT753X_BPDU_CPU_ONLY) | ++ MT753X_R03_BPDU_FR | ++ MT753X_R03_EG_TAG(MT7530_VLAN_EG_UNTAGGED) | ++ MT753X_BPDU_CPU_ONLY); + } + + static int +diff --git a/drivers/net/dsa/mt7530.h b/drivers/net/dsa/mt7530.h +index 75bc9043c8c0a..ddefeb69afda1 100644 +--- a/drivers/net/dsa/mt7530.h ++++ b/drivers/net/dsa/mt7530.h +@@ -65,6 +65,7 @@ enum mt753x_id { + + /* Registers for BPDU and PAE frame control*/ + #define MT753X_BPC 0x24 ++#define MT753X_PAE_BPDU_FR BIT(25) + #define MT753X_PAE_EG_TAG_MASK GENMASK(24, 22) + #define MT753X_PAE_EG_TAG(x) FIELD_PREP(MT753X_PAE_EG_TAG_MASK, x) + #define 
MT753X_PAE_PORT_FW_MASK GENMASK(18, 16) +@@ -75,20 +76,24 @@ enum mt753x_id { + + /* Register for :01 and :02 MAC DA frame control */ + #define MT753X_RGAC1 0x28 ++#define MT753X_R02_BPDU_FR BIT(25) + #define MT753X_R02_EG_TAG_MASK GENMASK(24, 22) + #define MT753X_R02_EG_TAG(x) FIELD_PREP(MT753X_R02_EG_TAG_MASK, x) + #define MT753X_R02_PORT_FW_MASK GENMASK(18, 16) + #define MT753X_R02_PORT_FW(x) FIELD_PREP(MT753X_R02_PORT_FW_MASK, x) ++#define MT753X_R01_BPDU_FR BIT(9) + #define MT753X_R01_EG_TAG_MASK GENMASK(8, 6) + #define MT753X_R01_EG_TAG(x) FIELD_PREP(MT753X_R01_EG_TAG_MASK, x) + #define MT753X_R01_PORT_FW_MASK GENMASK(2, 0) + + /* Register for :03 and :0E MAC DA frame control */ + #define MT753X_RGAC2 0x2c ++#define MT753X_R0E_BPDU_FR BIT(25) + #define MT753X_R0E_EG_TAG_MASK GENMASK(24, 22) + #define MT753X_R0E_EG_TAG(x) FIELD_PREP(MT753X_R0E_EG_TAG_MASK, x) + #define MT753X_R0E_PORT_FW_MASK GENMASK(18, 16) + #define MT753X_R0E_PORT_FW(x) FIELD_PREP(MT753X_R0E_PORT_FW_MASK, x) ++#define MT753X_R03_BPDU_FR BIT(9) + #define MT753X_R03_EG_TAG_MASK GENMASK(8, 6) + #define MT753X_R03_EG_TAG(x) FIELD_PREP(MT753X_R03_EG_TAG_MASK, x) + #define MT753X_R03_PORT_FW_MASK GENMASK(2, 0) +-- +2.43.0 + diff --git a/queue-6.8/net-ena-fix-incorrect-descriptor-free-behavior.patch b/queue-6.8/net-ena-fix-incorrect-descriptor-free-behavior.patch new file mode 100644 index 00000000000..d5c5a709833 --- /dev/null +++ b/queue-6.8/net-ena-fix-incorrect-descriptor-free-behavior.patch @@ -0,0 +1,72 @@ +From dc8f4c5581680d1a485aaaaa16ab50ac913925c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 09:13:57 +0000 +Subject: net: ena: Fix incorrect descriptor free behavior + +From: David Arinzon + +[ Upstream commit bf02d9fe00632d22fa91d34749c7aacf397b6cde ] + +ENA has two types of TX queues: +- queues which only process TX packets arriving from the network stack +- queues which only process TX packets forwarded to it by XDP_REDIRECT + or XDP_TX instructions + +The 
ena_free_tx_bufs() cycles through all descriptors in a TX queue +and unmaps + frees every descriptor that hasn't been acknowledged yet +by the device (uncompleted TX transactions). +The function assumes that the processed TX queue is necessarily from +the first category listed above and ends up using napi_consume_skb() +for descriptors belonging to an XDP specific queue. + +This patch solves a bug in which, in case of a VF reset, the +descriptors aren't freed correctly, leading to crashes. + +Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action") +Signed-off-by: Shay Agroskin +Signed-off-by: David Arinzon +Reviewed-by: Shannon Nelson +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 1835581cd7230..95ed32542edfe 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -696,8 +696,11 @@ void ena_unmap_tx_buff(struct ena_ring *tx_ring, + static void ena_free_tx_bufs(struct ena_ring *tx_ring) + { + bool print_once = true; ++ bool is_xdp_ring; + u32 i; + ++ is_xdp_ring = ENA_IS_XDP_INDEX(tx_ring->adapter, tx_ring->qid); ++ + for (i = 0; i < tx_ring->ring_size; i++) { + struct ena_tx_buffer *tx_info = &tx_ring->tx_buffer_info[i]; + +@@ -717,10 +720,15 @@ static void ena_free_tx_bufs(struct ena_ring *tx_ring) + + ena_unmap_tx_buff(tx_ring, tx_info); + +- dev_kfree_skb_any(tx_info->skb); ++ if (is_xdp_ring) ++ xdp_return_frame(tx_info->xdpf); ++ else ++ dev_kfree_skb_any(tx_info->skb); + } +- netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev, +- tx_ring->qid)); ++ ++ if (!is_xdp_ring) ++ netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev, ++ tx_ring->qid)); + } + + static void ena_free_all_tx_bufs(struct ena_adapter *adapter) +-- +2.43.0 + diff --git 
a/queue-6.8/net-ena-fix-potential-sign-extension-issue.patch b/queue-6.8/net-ena-fix-potential-sign-extension-issue.patch new file mode 100644 index 00000000000..2449d44939d --- /dev/null +++ b/queue-6.8/net-ena-fix-potential-sign-extension-issue.patch @@ -0,0 +1,66 @@ +From a034ad50c2f1c24f0d60c6d809a792d30f378484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 09:13:55 +0000 +Subject: net: ena: Fix potential sign extension issue + +From: David Arinzon + +[ Upstream commit 713a85195aad25d8a26786a37b674e3e5ec09e3c ] + +Small unsigned types are promoted to larger signed types in +the case of multiplication, the result of which may overflow. +In case the result of such a multiplication has its MSB +turned on, it will be sign extended with '1's. +This changes the multiplication result. + +Code example of the phenomenon: +------------------------------- +u16 x, y; +size_t z1, z2; + +x = y = 0xffff; +printk("x=%x y=%x\n",x,y); + +z1 = x*y; +z2 = (size_t)x*y; + +printk("z1=%lx z2=%lx\n", z1, z2); + +Output: +------- +x=ffff y=ffff +z1=fffffffffffe0001 z2=fffe0001 + +The expected result of ffff*ffff is fffe0001, and without the +explicit casting to avoid the unwanted sign extension we got +fffffffffffe0001. + +This commit adds an explicit casting to avoid the sign extension +issue. 
+ +Fixes: 689b2bdaaa14 ("net: ena: add functions for handling Low Latency Queues in ena_com") +Signed-off-by: Arthur Kiyanovski +Signed-off-by: David Arinzon +Reviewed-by: Shannon Nelson +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_com.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c +index 633b321d7fdd9..4db689372980e 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_com.c ++++ b/drivers/net/ethernet/amazon/ena/ena_com.c +@@ -362,7 +362,7 @@ static int ena_com_init_io_sq(struct ena_com_dev *ena_dev, + ENA_COM_BOUNCE_BUFFER_CNTRL_CNT; + io_sq->bounce_buf_ctrl.next_to_use = 0; + +- size = io_sq->bounce_buf_ctrl.buffer_size * ++ size = (size_t)io_sq->bounce_buf_ctrl.buffer_size * + io_sq->bounce_buf_ctrl.buffers_num; + + dev_node = dev_to_node(ena_dev->dmadev); +-- +2.43.0 + diff --git a/queue-6.8/net-ena-set-tx_info-xdpf-value-to-null.patch b/queue-6.8/net-ena-set-tx_info-xdpf-value-to-null.patch new file mode 100644 index 00000000000..3aecf0b8f9f --- /dev/null +++ b/queue-6.8/net-ena-set-tx_info-xdpf-value-to-null.patch @@ -0,0 +1,71 @@ +From 98c37948c8e22fea0c5043e967a60f4095859672 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 09:13:58 +0000 +Subject: net: ena: Set tx_info->xdpf value to NULL + +From: David Arinzon + +[ Upstream commit 36a1ca01f0452f2549420e7279c2588729bd94df ] + +The patch mentioned in the `Fixes` tag removed the explicit assignment +of tx_info->xdpf to NULL with the justification that there's no need +to set tx_info->xdpf to NULL and tx_info->num_of_bufs to 0 in case +of a mapping error. Both values won't be used once the mapping function +returns an error, and their values would be overridden by the next +transmitted packet. 
+ +While both values do indeed get overridden in the next transmission +call, the value of tx_info->xdpf is also used to check whether a TX +descriptor's transmission has been completed (i.e. a completion for it +was polled). + +An example scenario: +1. Mapping failed, tx_info->xdpf wasn't set to NULL +2. A VF reset occurred leading to IO resource destruction and + a call to ena_free_tx_bufs() function +3. Although the descriptor whose mapping failed was freed by the + transmission function, it still passes the check + if (!tx_info->skb) + + (skb and xdp_frame are in a union) +4. The xdp_frame associated with the descriptor is freed twice + +This patch returns the assignment of NULL to tx_info->xdpf to make the +cleaning function know that the descriptor is already freed. + +Fixes: 504fd6a5390c ("net: ena: fix DMA mapping function issues in XDP") +Signed-off-by: Shay Agroskin +Signed-off-by: David Arinzon +Reviewed-by: Shannon Nelson +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_xdp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_xdp.c b/drivers/net/ethernet/amazon/ena/ena_xdp.c +index fc1c4ef73ba32..34d73c72f7803 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_xdp.c ++++ b/drivers/net/ethernet/amazon/ena/ena_xdp.c +@@ -89,7 +89,7 @@ int ena_xdp_xmit_frame(struct ena_ring *tx_ring, + + rc = ena_xdp_tx_map_frame(tx_ring, tx_info, xdpf, &ena_tx_ctx); + if (unlikely(rc)) +- return rc; ++ goto err; + + ena_tx_ctx.req_id = req_id; + +@@ -112,7 +112,9 @@ int ena_xdp_xmit_frame(struct ena_ring *tx_ring, + + error_unmap_dma: + ena_unmap_tx_buff(tx_ring, tx_info); ++err: + tx_info->xdpf = NULL; ++ + return rc; + } + +-- +2.43.0 + diff --git a/queue-6.8/net-ena-wrong-missing-io-completions-check-order.patch b/queue-6.8/net-ena-wrong-missing-io-completions-check-order.patch new file mode 100644 index 00000000000..599b99166e4 --- /dev/null +++
b/queue-6.8/net-ena-wrong-missing-io-completions-check-order.patch @@ -0,0 +1,108 @@ +From 9d2247e80f0e0c33ff7444d05341c91ef4d63220 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 09:13:56 +0000 +Subject: net: ena: Wrong missing IO completions check order + +From: David Arinzon + +[ Upstream commit f7e417180665234fdb7af2ebe33d89aaa434d16f ] + +Missing IO completions check is called every second (HZ jiffies). +This commit fixes several issues with this check: + +1. Duplicate queues check: + Max of 4 queues are scanned on each check due to monitor budget. + Once reaching the budget, this check exits under the assumption that + the next check will continue to scan the remainder of the queues, + but in practice, next check will first scan the last already scanned + queue which is not necessary and may cause the full queue scan to + last a couple of seconds longer. + The fix is to start every check with the next queue to scan. + For example, on 8 IO queues: + Bug: [0,1,2,3], [3,4,5,6], [6,7] + Fix: [0,1,2,3], [4,5,6,7] + +2. Unbalanced queues check: + In case the number of active IO queues is not a multiple of budget, + there will be checks which don't utilize the full budget + because the full scan exits when reaching the last queue id. + The fix is to run every TX completion check with exact queue budget + regardless of the queue id. + For example, on 7 IO queues: + Bug: [0,1,2,3], [4,5,6], [0,1,2,3] + Fix: [0,1,2,3], [4,5,6,0], [1,2,3,4] + The budget may be lowered in case the number of IO queues is less + than the budget (4) to make sure there are no duplicate queues on + the same check. 
+ For example, on 3 IO queues: + Bug: [0,1,2,0], [1,2,0,1] + Fix: [0,1,2], [0,1,2] + +Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Amit Bernstein +Signed-off-by: David Arinzon +Reviewed-by: Shannon Nelson +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 21 +++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 5482015411f2f..1835581cd7230 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -3421,10 +3421,11 @@ static void check_for_missing_completions(struct ena_adapter *adapter) + { + struct ena_ring *tx_ring; + struct ena_ring *rx_ring; +- int i, budget, rc; ++ int qid, budget, rc; + int io_queue_count; + + io_queue_count = adapter->xdp_num_queues + adapter->num_io_queues; ++ + /* Make sure the driver doesn't turn the device in other process */ + smp_rmb(); + +@@ -3437,27 +3438,29 @@ static void check_for_missing_completions(struct ena_adapter *adapter) + if (adapter->missing_tx_completion_to == ENA_HW_HINTS_NO_TIMEOUT) + return; + +- budget = ENA_MONITORED_TX_QUEUES; ++ budget = min_t(u32, io_queue_count, ENA_MONITORED_TX_QUEUES); + +- for (i = adapter->last_monitored_tx_qid; i < io_queue_count; i++) { +- tx_ring = &adapter->tx_ring[i]; +- rx_ring = &adapter->rx_ring[i]; ++ qid = adapter->last_monitored_tx_qid; ++ ++ while (budget) { ++ qid = (qid + 1) % io_queue_count; ++ ++ tx_ring = &adapter->tx_ring[qid]; ++ rx_ring = &adapter->rx_ring[qid]; + + rc = check_missing_comp_in_tx_queue(adapter, tx_ring); + if (unlikely(rc)) + return; + +- rc = !ENA_IS_XDP_INDEX(adapter, i) ? ++ rc = !ENA_IS_XDP_INDEX(adapter, qid) ? 
+ check_for_rx_interrupt_queue(adapter, rx_ring) : 0; + if (unlikely(rc)) + return; + + budget--; +- if (!budget) +- break; + } + +- adapter->last_monitored_tx_qid = i % io_queue_count; ++ adapter->last_monitored_tx_qid = qid; + } + + /* trigger napi schedule after 2 consecutive detections */ +-- +2.43.0 + diff --git a/queue-6.8/net-ks8851-handle-softirqs-at-the-end-of-irq-thread-.patch b/queue-6.8/net-ks8851-handle-softirqs-at-the-end-of-irq-thread-.patch new file mode 100644 index 00000000000..ffe8c7890c1 --- /dev/null +++ b/queue-6.8/net-ks8851-handle-softirqs-at-the-end-of-irq-thread-.patch @@ -0,0 +1,101 @@ +From cefa97aa24cc7d4a87c6b394c6adcca0dd8ead8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 22:30:40 +0200 +Subject: net: ks8851: Handle softirqs at the end of IRQ thread to fix hang + +From: Marek Vasut + +[ Upstream commit be0384bf599cf1eb8d337517feeb732d71f75a6f ] + +The ks8851_irq() thread may call ks8851_rx_pkts() in case there are +any packets in the MAC FIFO, which calls netif_rx(). This netif_rx() +implementation is guarded by local_bh_disable() and local_bh_enable(). +The local_bh_enable() may call do_softirq() to run softirqs in case +any are pending. One of the softirqs is net_rx_action, which ultimately +reaches the driver .start_xmit callback. If that happens, the system +hangs. 
The entire call chain is below: + +ks8851_start_xmit_par from netdev_start_xmit +netdev_start_xmit from dev_hard_start_xmit +dev_hard_start_xmit from sch_direct_xmit +sch_direct_xmit from __dev_queue_xmit +__dev_queue_xmit from __neigh_update +__neigh_update from neigh_update +neigh_update from arp_process.constprop.0 +arp_process.constprop.0 from __netif_receive_skb_one_core +__netif_receive_skb_one_core from process_backlog +process_backlog from __napi_poll.constprop.0 +__napi_poll.constprop.0 from net_rx_action +net_rx_action from __do_softirq +__do_softirq from call_with_stack +call_with_stack from do_softirq +do_softirq from __local_bh_enable_ip +__local_bh_enable_ip from netif_rx +netif_rx from ks8851_irq +ks8851_irq from irq_thread_fn +irq_thread_fn from irq_thread +irq_thread from kthread +kthread from ret_from_fork + +The hang happens because ks8851_irq() first locks a spinlock in +ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...) +and with that spinlock locked, calls netif_rx(). Once the execution +reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again +which attempts to claim the already locked spinlock again, and the +hang happens. + +Move the do_softirq() call outside of the spinlock protected section +of ks8851_irq() by disabling BHs around the entire spinlock protected +section of ks8851_irq() handler. Place local_bh_enable() outside of +the spinlock protected section, so that it can trigger do_softirq() +without the ks8851_par.c ks8851_lock_par() spinlock being held, and +safely call ks8851_start_xmit_par() without attempting to lock the +already locked spinlock. + +Since ks8851_irq() is protected by local_bh_disable()/local_bh_enable() +now, replace netif_rx() with __netif_rx() which is not duplicating the +local_bh_disable()/local_bh_enable() calls. 
+ +Fixes: 797047f875b5 ("net: ks8851: Implement Parallel bus operations") +Signed-off-by: Marek Vasut +Link: https://lore.kernel.org/r/20240405203204.82062-2-marex@denx.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/micrel/ks8851_common.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851_common.c b/drivers/net/ethernet/micrel/ks8851_common.c +index 896d43bb8883d..d4cdf3d4f5525 100644 +--- a/drivers/net/ethernet/micrel/ks8851_common.c ++++ b/drivers/net/ethernet/micrel/ks8851_common.c +@@ -299,7 +299,7 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + ks8851_dbg_dumpkkt(ks, rxpkt); + + skb->protocol = eth_type_trans(skb, ks->netdev); +- netif_rx(skb); ++ __netif_rx(skb); + + ks->netdev->stats.rx_packets++; + ks->netdev->stats.rx_bytes += rxlen; +@@ -330,6 +330,8 @@ static irqreturn_t ks8851_irq(int irq, void *_ks) + unsigned long flags; + unsigned int status; + ++ local_bh_disable(); ++ + ks8851_lock(ks, &flags); + + status = ks8851_rdreg16(ks, KS_ISR); +@@ -406,6 +408,8 @@ static irqreturn_t ks8851_irq(int irq, void *_ks) + if (status & IRQ_LCI) + mii_check_link(&ks->mii); + ++ local_bh_enable(); ++ + return IRQ_HANDLED; + } + +-- +2.43.0 + diff --git a/queue-6.8/net-ks8851-inline-ks8851_rx_skb.patch b/queue-6.8/net-ks8851-inline-ks8851_rx_skb.patch new file mode 100644 index 00000000000..a4410897e52 --- /dev/null +++ b/queue-6.8/net-ks8851-inline-ks8851_rx_skb.patch @@ -0,0 +1,138 @@ +From 0f6d62be1de90b54f76661676c3ec1979ecdacbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 22:30:39 +0200 +Subject: net: ks8851: Inline ks8851_rx_skb() + +From: Marek Vasut + +[ Upstream commit f96f700449b6d190e06272f1cf732ae8e45b73df ] + +Both ks8851_rx_skb_par() and ks8851_rx_skb_spi() call netif_rx(skb), +inline the netif_rx(skb) call directly into ks8851_common.c and drop +the .rx_skb callback and ks8851_rx_skb() wrapper. 
This removes one +indirect call from the driver, no functional change otherwise. + +Signed-off-by: Marek Vasut +Link: https://lore.kernel.org/r/20240405203204.82062-1-marex@denx.de +Signed-off-by: Jakub Kicinski +Stable-dep-of: be0384bf599c ("net: ks8851: Handle softirqs at the end of IRQ thread to fix hang") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/micrel/ks8851.h | 3 --- + drivers/net/ethernet/micrel/ks8851_common.c | 12 +----------- + drivers/net/ethernet/micrel/ks8851_par.c | 11 ----------- + drivers/net/ethernet/micrel/ks8851_spi.c | 11 ----------- + 4 files changed, 1 insertion(+), 36 deletions(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.h b/drivers/net/ethernet/micrel/ks8851.h +index e5ec0a363aff8..31f75b4a67fd7 100644 +--- a/drivers/net/ethernet/micrel/ks8851.h ++++ b/drivers/net/ethernet/micrel/ks8851.h +@@ -368,7 +368,6 @@ union ks8851_tx_hdr { + * @rdfifo: FIFO read callback + * @wrfifo: FIFO write callback + * @start_xmit: start_xmit() implementation callback +- * @rx_skb: rx_skb() implementation callback + * @flush_tx_work: flush_tx_work() implementation callback + * + * The @statelock is used to protect information in the structure which may +@@ -423,8 +422,6 @@ struct ks8851_net { + struct sk_buff *txp, bool irq); + netdev_tx_t (*start_xmit)(struct sk_buff *skb, + struct net_device *dev); +- void (*rx_skb)(struct ks8851_net *ks, +- struct sk_buff *skb); + void (*flush_tx_work)(struct ks8851_net *ks); + }; + +diff --git a/drivers/net/ethernet/micrel/ks8851_common.c b/drivers/net/ethernet/micrel/ks8851_common.c +index 0bf13b38b8f5b..896d43bb8883d 100644 +--- a/drivers/net/ethernet/micrel/ks8851_common.c ++++ b/drivers/net/ethernet/micrel/ks8851_common.c +@@ -231,16 +231,6 @@ static void ks8851_dbg_dumpkkt(struct ks8851_net *ks, u8 *rxpkt) + rxpkt[12], rxpkt[13], rxpkt[14], rxpkt[15]); + } + +-/** +- * ks8851_rx_skb - receive skbuff +- * @ks: The device state. 
+- * @skb: The skbuff +- */ +-static void ks8851_rx_skb(struct ks8851_net *ks, struct sk_buff *skb) +-{ +- ks->rx_skb(ks, skb); +-} +- + /** + * ks8851_rx_pkts - receive packets from the host + * @ks: The device information. +@@ -309,7 +299,7 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + ks8851_dbg_dumpkkt(ks, rxpkt); + + skb->protocol = eth_type_trans(skb, ks->netdev); +- ks8851_rx_skb(ks, skb); ++ netif_rx(skb); + + ks->netdev->stats.rx_packets++; + ks->netdev->stats.rx_bytes += rxlen; +diff --git a/drivers/net/ethernet/micrel/ks8851_par.c b/drivers/net/ethernet/micrel/ks8851_par.c +index 2a7f298542670..381b9cd285ebd 100644 +--- a/drivers/net/ethernet/micrel/ks8851_par.c ++++ b/drivers/net/ethernet/micrel/ks8851_par.c +@@ -210,16 +210,6 @@ static void ks8851_wrfifo_par(struct ks8851_net *ks, struct sk_buff *txp, + iowrite16_rep(ksp->hw_addr, txp->data, len / 2); + } + +-/** +- * ks8851_rx_skb_par - receive skbuff +- * @ks: The device state. +- * @skb: The skbuff +- */ +-static void ks8851_rx_skb_par(struct ks8851_net *ks, struct sk_buff *skb) +-{ +- netif_rx(skb); +-} +- + static unsigned int ks8851_rdreg16_par_txqcr(struct ks8851_net *ks) + { + return ks8851_rdreg16_par(ks, KS_TXQCR); +@@ -298,7 +288,6 @@ static int ks8851_probe_par(struct platform_device *pdev) + ks->rdfifo = ks8851_rdfifo_par; + ks->wrfifo = ks8851_wrfifo_par; + ks->start_xmit = ks8851_start_xmit_par; +- ks->rx_skb = ks8851_rx_skb_par; + + #define STD_IRQ (IRQ_LCI | /* Link Change */ \ + IRQ_RXI | /* RX done */ \ +diff --git a/drivers/net/ethernet/micrel/ks8851_spi.c b/drivers/net/ethernet/micrel/ks8851_spi.c +index 54f2eac11a631..55f6f9f6d030e 100644 +--- a/drivers/net/ethernet/micrel/ks8851_spi.c ++++ b/drivers/net/ethernet/micrel/ks8851_spi.c +@@ -298,16 +298,6 @@ static unsigned int calc_txlen(unsigned int len) + return ALIGN(len + 4, 4); + } + +-/** +- * ks8851_rx_skb_spi - receive skbuff +- * @ks: The device state +- * @skb: The skbuff +- */ +-static void 
ks8851_rx_skb_spi(struct ks8851_net *ks, struct sk_buff *skb) +-{ +- netif_rx(skb); +-} +- + /** + * ks8851_tx_work - process tx packet(s) + * @work: The work strucutre what was scheduled. +@@ -435,7 +425,6 @@ static int ks8851_probe_spi(struct spi_device *spi) + ks->rdfifo = ks8851_rdfifo_spi; + ks->wrfifo = ks8851_wrfifo_spi; + ks->start_xmit = ks8851_start_xmit_spi; +- ks->rx_skb = ks8851_rx_skb_spi; + ks->flush_tx_work = ks8851_flush_tx_work_spi; + + #define STD_IRQ (IRQ_LCI | /* Link Change */ \ +-- +2.43.0 + diff --git a/queue-6.8/net-mlx5-correctly-compare-pkt-reformat-ids.patch b/queue-6.8/net-mlx5-correctly-compare-pkt-reformat-ids.patch new file mode 100644 index 00000000000..423908a2a13 --- /dev/null +++ b/queue-6.8/net-mlx5-correctly-compare-pkt-reformat-ids.patch @@ -0,0 +1,74 @@ +From ce0698248539325e2a1f24ac5b4a16cb2a98115f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 22:08:13 +0300 +Subject: net/mlx5: Correctly compare pkt reformat ids + +From: Cosmin Ratiu + +[ Upstream commit 9eca93f4d5ab03905516a68683674d9c50ff95bd ] + +struct mlx5_pkt_reformat contains a naked union of a u32 id and a +dr_action pointer which is used when the action is SW-managed (when +pkt_reformat.owner is set to MLX5_FLOW_RESOURCE_OWNER_SW). Using id +directly in that case is incorrect, as it maps to the least significant +32 bits of the 64-bit pointer in mlx5_fs_dr_action and not to the pkt +reformat id allocated in firmware. + +For the purpose of comparing whether two rules are identical, +interpreting the least significant 32 bits of the mlx5_fs_dr_action +pointer as an id mostly works... until it breaks horribly and produces +the outcome described in [1]. + +This patch fixes mlx5_flow_dests_cmp to correctly compare ids using +mlx5_fs_dr_action_get_pkt_reformat_id for the SW-managed rules. 
+ +Link: https://lore.kernel.org/netdev/ea5264d6-6b55-4449-a602-214c6f509c1e@163.com/T/#u [1] + +Fixes: 6a48faeeca10 ("net/mlx5: Add direct rule fs_cmd implementation") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Mark Bloch +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240409190820.227554-6-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 2a9421342a503..cf085a478e3e4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1664,6 +1664,16 @@ static int create_auto_flow_group(struct mlx5_flow_table *ft, + return err; + } + ++static bool mlx5_pkt_reformat_cmp(struct mlx5_pkt_reformat *p1, ++ struct mlx5_pkt_reformat *p2) ++{ ++ return p1->owner == p2->owner && ++ (p1->owner == MLX5_FLOW_RESOURCE_OWNER_FW ? ++ p1->id == p2->id : ++ mlx5_fs_dr_action_get_pkt_reformat_id(p1) == ++ mlx5_fs_dr_action_get_pkt_reformat_id(p2)); ++} ++ + static bool mlx5_flow_dests_cmp(struct mlx5_flow_destination *d1, + struct mlx5_flow_destination *d2) + { +@@ -1675,8 +1685,8 @@ static bool mlx5_flow_dests_cmp(struct mlx5_flow_destination *d1, + ((d1->vport.flags & MLX5_FLOW_DEST_VPORT_VHCA_ID) ? + (d1->vport.vhca_id == d2->vport.vhca_id) : true) && + ((d1->vport.flags & MLX5_FLOW_DEST_VPORT_REFORMAT_ID) ? 
+- (d1->vport.pkt_reformat->id == +- d2->vport.pkt_reformat->id) : true)) || ++ mlx5_pkt_reformat_cmp(d1->vport.pkt_reformat, ++ d2->vport.pkt_reformat) : true)) || + (d1->type == MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE && + d1->ft == d2->ft) || + (d1->type == MLX5_FLOW_DESTINATION_TYPE_TIR && +-- +2.43.0 + diff --git a/queue-6.8/net-mlx5-offset-comp-irq-index-in-name-by-one.patch b/queue-6.8/net-mlx5-offset-comp-irq-index-in-name-by-one.patch new file mode 100644 index 00000000000..07dd0ca5ded --- /dev/null +++ b/queue-6.8/net-mlx5-offset-comp-irq-index-in-name-by-one.patch @@ -0,0 +1,62 @@ +From 4bbad4701e16a29eeeb104b3af851cb8433f5288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 22:08:11 +0300 +Subject: net/mlx5: offset comp irq index in name by one + +From: Michael Liang + +[ Upstream commit 9f7e8fbb91f8fa29548e2f6ab50c03b628c67ede ] + +The mlx5 comp irq name scheme is changed a little bit between +commit 3663ad34bc70 ("net/mlx5: Shift control IRQ to the last index") +and commit 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation"). +The index in the comp irq name used to start from 0 but now it starts +from 1. There is nothing critical here, but it's harmless to change +back to the old behavior, a.k.a starting from 0. 
+ +Fixes: 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation") +Reviewed-by: Mohamed Khalfella +Reviewed-by: Yuanyuan Zhong +Signed-off-by: Michael Liang +Reviewed-by: Shay Drory +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240409190820.227554-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +index 4dcf995cb1a20..6bac8ad70ba60 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +@@ -19,6 +19,7 @@ + #define MLX5_IRQ_CTRL_SF_MAX 8 + /* min num of vectors for SFs to be enabled */ + #define MLX5_IRQ_VEC_COMP_BASE_SF 2 ++#define MLX5_IRQ_VEC_COMP_BASE 1 + + #define MLX5_EQ_SHARE_IRQ_MAX_COMP (8) + #define MLX5_EQ_SHARE_IRQ_MAX_CTRL (UINT_MAX) +@@ -246,6 +247,7 @@ static void irq_set_name(struct mlx5_irq_pool *pool, char *name, int vecidx) + return; + } + ++ vecidx -= MLX5_IRQ_VEC_COMP_BASE; + snprintf(name, MLX5_MAX_IRQ_NAME, "mlx5_comp%d", vecidx); + } + +@@ -585,7 +587,7 @@ struct mlx5_irq *mlx5_irq_request_vector(struct mlx5_core_dev *dev, u16 cpu, + struct mlx5_irq_table *table = mlx5_irq_table_get(dev); + struct mlx5_irq_pool *pool = table->pcif_pool; + struct irq_affinity_desc af_desc; +- int offset = 1; ++ int offset = MLX5_IRQ_VEC_COMP_BASE; + + if (!pool->xa_num_irqs.max) + offset = 0; +-- +2.43.0 + diff --git a/queue-6.8/net-mlx5-properly-link-new-fs-rules-into-the-tree.patch b/queue-6.8/net-mlx5-properly-link-new-fs-rules-into-the-tree.patch new file mode 100644 index 00000000000..bade4e47627 --- /dev/null +++ b/queue-6.8/net-mlx5-properly-link-new-fs-rules-into-the-tree.patch @@ -0,0 +1,66 @@ +From 3e47a0882f0bc1818e7faa2a1bae261c02ed1a31 Mon Sep 17 00:00:00 2001 +From: 
Sasha Levin +Date: Tue, 9 Apr 2024 22:08:12 +0300 +Subject: net/mlx5: Properly link new fs rules into the tree + +From: Cosmin Ratiu + +[ Upstream commit 7c6782ad4911cbee874e85630226ed389ff2e453 ] + +Previously, add_rule_fg would only add newly created rules from the +handle into the tree when they had a refcount of 1. On the other hand, +create_flow_handle tries hard to find and reference already existing +identical rules instead of creating new ones. + +These two behaviors can result in a situation where create_flow_handle +1) creates a new rule and references it, then +2) in a subsequent step during the same handle creation references it + again, +resulting in a rule with a refcount of 2 that is not linked into the +tree, will have a NULL parent and root and will result in a crash when +the flow group is deleted because del_sw_hw_rule, invoked on rule +deletion, assumes node->parent is != NULL. + +This happened in the wild, due to another bug related to incorrect +handling of duplicate pkt_reformat ids, which led to the code in +create_flow_handle incorrectly referencing a just-added rule in the same +flow handle, resulting in the problem described above. Full details are +at [1]. + +This patch changes add_rule_fg to add new rules without parents into +the tree, properly initializing them and avoiding the crash. This makes +it more consistent with how rules are added to an FTE in +create_flow_handle.
+ +Fixes: 74491de93712 ("net/mlx5: Add multi dest support") +Link: https://lore.kernel.org/netdev/ea5264d6-6b55-4449-a602-214c6f509c1e@163.com/T/#u [1] +Signed-off-by: Cosmin Ratiu +Reviewed-by: Tariq Toukan +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240409190820.227554-5-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index e6bfa7e4f146c..2a9421342a503 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1808,8 +1808,9 @@ static struct mlx5_flow_handle *add_rule_fg(struct mlx5_flow_group *fg, + } + trace_mlx5_fs_set_fte(fte, false); + ++ /* Link newly added rules into the tree. */ + for (i = 0; i < handle->num_rules; i++) { +- if (refcount_read(&handle->rule[i]->node.refcount) == 1) { ++ if (!handle->rule[i]->node.parent) { + tree_add_node(&handle->rule[i]->node, &fte->node); + trace_mlx5_fs_add_rule(handle->rule[i]); + } +-- +2.43.0 + diff --git a/queue-6.8/net-mlx5-register-devlink-first-under-devlink-lock.patch b/queue-6.8/net-mlx5-register-devlink-first-under-devlink-lock.patch new file mode 100644 index 00000000000..5fc32ca87fc --- /dev/null +++ b/queue-6.8/net-mlx5-register-devlink-first-under-devlink-lock.patch @@ -0,0 +1,180 @@ +From a3768164e1f8860ebab37d380f6f26c57cfb95a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 22:08:10 +0300 +Subject: net/mlx5: Register devlink first under devlink lock + +From: Shay Drory + +[ Upstream commit c6e77aa9dd82bc18a89bf49418f8f7e961cfccc8 ] + +In case device is having a non fatal FW error during probe, the +driver will report the error to user via devlink. 
This will trigger +a WARN_ON, since mlx5 is calling devlink_register() last. +In order to avoid the WARN_ON[1], change mlx5 to invoke devl_register() +first under devlink lock. + +[1] +WARNING: CPU: 5 PID: 227 at net/devlink/health.c:483 devlink_recover_notify.constprop.0+0xb8/0xc0 +CPU: 5 PID: 227 Comm: kworker/u16:3 Not tainted 6.4.0-rc5_for_upstream_min_debug_2023_06_12_12_38 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Workqueue: mlx5_health0000:08:00.0 mlx5_fw_reporter_err_work [mlx5_core] +RIP: 0010:devlink_recover_notify.constprop.0+0xb8/0xc0 +Call Trace: + + ? __warn+0x79/0x120 + ? devlink_recover_notify.constprop.0+0xb8/0xc0 + ? report_bug+0x17c/0x190 + ? handle_bug+0x3c/0x60 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? devlink_recover_notify.constprop.0+0xb8/0xc0 + devlink_health_report+0x4a/0x1c0 + mlx5_fw_reporter_err_work+0xa4/0xd0 [mlx5_core] + process_one_work+0x1bb/0x3c0 + ? process_one_work+0x3c0/0x3c0 + worker_thread+0x4d/0x3c0 + ? process_one_work+0x3c0/0x3c0 + kthread+0xc6/0xf0 + ? 
kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Fixes: cf530217408e ("devlink: Notify users when objects are accessible") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240409190820.227554-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/main.c | 37 ++++++++++--------- + .../mellanox/mlx5/core/sf/dev/driver.c | 1 - + 2 files changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index bccf6e53556c6..131a836c127e3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1480,6 +1480,14 @@ int mlx5_init_one_devl_locked(struct mlx5_core_dev *dev) + if (err) + goto err_register; + ++ err = mlx5_crdump_enable(dev); ++ if (err) ++ mlx5_core_err(dev, "mlx5_crdump_enable failed with error code %d\n", err); ++ ++ err = mlx5_hwmon_dev_register(dev); ++ if (err) ++ mlx5_core_err(dev, "mlx5_hwmon_dev_register failed with error code %d\n", err); ++ + mutex_unlock(&dev->intf_state_mutex); + return 0; + +@@ -1505,7 +1513,10 @@ int mlx5_init_one(struct mlx5_core_dev *dev) + int err; + + devl_lock(devlink); ++ devl_register(devlink); + err = mlx5_init_one_devl_locked(dev); ++ if (err) ++ devl_unregister(devlink); + devl_unlock(devlink); + return err; + } +@@ -1517,6 +1528,8 @@ void mlx5_uninit_one(struct mlx5_core_dev *dev) + devl_lock(devlink); + mutex_lock(&dev->intf_state_mutex); + ++ mlx5_hwmon_dev_unregister(dev); ++ mlx5_crdump_disable(dev); + mlx5_unregister_device(dev); + + if (!test_bit(MLX5_INTERFACE_STATE_UP, &dev->intf_state)) { +@@ -1534,6 +1547,7 @@ void mlx5_uninit_one(struct mlx5_core_dev *dev) + mlx5_function_teardown(dev, true); + out: + mutex_unlock(&dev->intf_state_mutex); ++ devl_unregister(devlink); + 
devl_unlock(devlink); + } + +@@ -1680,16 +1694,20 @@ int mlx5_init_one_light(struct mlx5_core_dev *dev) + } + + devl_lock(devlink); ++ devl_register(devlink); ++ + err = mlx5_devlink_params_register(priv_to_devlink(dev)); +- devl_unlock(devlink); + if (err) { + mlx5_core_warn(dev, "mlx5_devlink_param_reg err = %d\n", err); + goto query_hca_caps_err; + } + ++ devl_unlock(devlink); + return 0; + + query_hca_caps_err: ++ devl_unregister(devlink); ++ devl_unlock(devlink); + mlx5_function_disable(dev, true); + out: + dev->state = MLX5_DEVICE_STATE_INTERNAL_ERROR; +@@ -1702,6 +1720,7 @@ void mlx5_uninit_one_light(struct mlx5_core_dev *dev) + + devl_lock(devlink); + mlx5_devlink_params_unregister(priv_to_devlink(dev)); ++ devl_unregister(devlink); + devl_unlock(devlink); + if (dev->state != MLX5_DEVICE_STATE_UP) + return; +@@ -1943,16 +1962,7 @@ static int probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + goto err_init_one; + } + +- err = mlx5_crdump_enable(dev); +- if (err) +- dev_err(&pdev->dev, "mlx5_crdump_enable failed with error code %d\n", err); +- +- err = mlx5_hwmon_dev_register(dev); +- if (err) +- mlx5_core_err(dev, "mlx5_hwmon_dev_register failed with error code %d\n", err); +- + pci_save_state(pdev); +- devlink_register(devlink); + return 0; + + err_init_one: +@@ -1973,16 +1983,9 @@ static void remove_one(struct pci_dev *pdev) + struct devlink *devlink = priv_to_devlink(dev); + + set_bit(MLX5_BREAK_FW_WAIT, &dev->intf_state); +- /* mlx5_drain_fw_reset() and mlx5_drain_health_wq() are using +- * devlink notify APIs. +- * Hence, we must drain them before unregistering the devlink. 
+- */ + mlx5_drain_fw_reset(dev); + mlx5_drain_health_wq(dev); +- devlink_unregister(devlink); + mlx5_sriov_disable(pdev, false); +- mlx5_hwmon_dev_unregister(dev); +- mlx5_crdump_disable(dev); + mlx5_uninit_one(dev); + mlx5_pci_close(dev); + mlx5_mdev_uninit(dev); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +index bc863e1f062e6..e3bf8c7e4baa6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +@@ -101,7 +101,6 @@ static void mlx5_sf_dev_remove(struct auxiliary_device *adev) + devlink = priv_to_devlink(mdev); + set_bit(MLX5_BREAK_FW_WAIT, &mdev->intf_state); + mlx5_drain_health_wq(mdev); +- devlink_unregister(devlink); + if (mlx5_dev_is_lightweight(mdev)) + mlx5_uninit_one_light(mdev); + else +-- +2.43.0 + diff --git a/queue-6.8/net-mlx5-sf-stop-waiting-for-fw-as-teardown-was-call.patch b/queue-6.8/net-mlx5-sf-stop-waiting-for-fw-as-teardown-was-call.patch new file mode 100644 index 00000000000..51f5bbb6b7e --- /dev/null +++ b/queue-6.8/net-mlx5-sf-stop-waiting-for-fw-as-teardown-was-call.patch @@ -0,0 +1,69 @@ +From 71cd2019aaba11e17c4b4ff99bc60c8775f50a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 14:24:09 +0200 +Subject: net/mlx5: SF, Stop waiting for FW as teardown was called + +From: Moshe Shemesh + +[ Upstream commit 137cef6d55564fb687d12fbc5f85be43ff7b53a7 ] + +When PF/VF teardown is called the driver sets the flag +MLX5_BREAK_FW_WAIT to stop waiting for FW loading and initializing. Same +should be applied to SF driver teardown to cut waiting time. On +mlx5_sf_dev_remove() set the flag before draining health WQ as recovery +flow may also wait for FW reloading while it is not relevant anymore. 
+ +Signed-off-by: Moshe Shemesh +Reviewed-by: Aya Levin +Signed-off-by: Saeed Mahameed +Stable-dep-of: c6e77aa9dd82 ("net/mlx5: Register devlink first under devlink lock") +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/sf/dev/driver.c | 21 ++++++++++++------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +index 169c2c68ed5c2..bc863e1f062e6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +@@ -95,24 +95,29 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia + static void mlx5_sf_dev_remove(struct auxiliary_device *adev) + { + struct mlx5_sf_dev *sf_dev = container_of(adev, struct mlx5_sf_dev, adev); +- struct devlink *devlink = priv_to_devlink(sf_dev->mdev); ++ struct mlx5_core_dev *mdev = sf_dev->mdev; ++ struct devlink *devlink; + +- mlx5_drain_health_wq(sf_dev->mdev); ++ devlink = priv_to_devlink(mdev); ++ set_bit(MLX5_BREAK_FW_WAIT, &mdev->intf_state); ++ mlx5_drain_health_wq(mdev); + devlink_unregister(devlink); +- if (mlx5_dev_is_lightweight(sf_dev->mdev)) +- mlx5_uninit_one_light(sf_dev->mdev); ++ if (mlx5_dev_is_lightweight(mdev)) ++ mlx5_uninit_one_light(mdev); + else +- mlx5_uninit_one(sf_dev->mdev); +- iounmap(sf_dev->mdev->iseg); +- mlx5_mdev_uninit(sf_dev->mdev); ++ mlx5_uninit_one(mdev); ++ iounmap(mdev->iseg); ++ mlx5_mdev_uninit(mdev); + mlx5_devlink_free(devlink); + } + + static void mlx5_sf_dev_shutdown(struct auxiliary_device *adev) + { + struct mlx5_sf_dev *sf_dev = container_of(adev, struct mlx5_sf_dev, adev); ++ struct mlx5_core_dev *mdev = sf_dev->mdev; + +- mlx5_unload_one(sf_dev->mdev, false); ++ set_bit(MLX5_BREAK_FW_WAIT, &mdev->intf_state); ++ mlx5_unload_one(mdev, false); + } + + static const struct auxiliary_device_id mlx5_sf_dev_id_table[] = { +-- +2.43.0 + diff --git 
a/queue-6.8/net-mlx5e-do-not-produce-metadata-freelist-entries-i.patch b/queue-6.8/net-mlx5e-do-not-produce-metadata-freelist-entries-i.patch new file mode 100644 index 00000000000..48afd511a05 --- /dev/null +++ b/queue-6.8/net-mlx5e-do-not-produce-metadata-freelist-entries-i.patch @@ -0,0 +1,84 @@ +From 90148aab3243a42119dd75d81cdfe8445c5375e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 22:08:17 +0300 +Subject: net/mlx5e: Do not produce metadata freelist entries in Tx port ts WQE + xmit + +From: Rahul Rameshbabu + +[ Upstream commit 86b0ca5b118d3a0bae5e5645a13e66f8a4f6c525 ] + +Free Tx port timestamping metadata entries in the NAPI poll context and +consume metadata entries in the WQE xmit path. Do not free a Tx port +timestamping metadata entry in the WQE xmit path even in the error path to +avoid a race between two metadata entry producers. + +Fixes: 3178308ad4ca ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240409190820.227554-10-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/ptp.h | 8 +++++++- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 7 +++---- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.h b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.h +index 86f1854698b4e..883c044852f1d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.h +@@ -95,9 +95,15 @@ static inline void mlx5e_ptp_metadata_fifo_push(struct mlx5e_ptp_metadata_fifo * + } + + static inline u8 ++mlx5e_ptp_metadata_fifo_peek(struct mlx5e_ptp_metadata_fifo *fifo) ++{ ++ return fifo->data[fifo->mask & fifo->cc]; ++} ++ ++static inline void + mlx5e_ptp_metadata_fifo_pop(struct
mlx5e_ptp_metadata_fifo *fifo) + { +- return fifo->data[fifo->mask & fifo->cc++]; ++ fifo->cc++; + } + + static inline void +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index 2fa076b23fbea..e21a3b4128ce8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -398,6 +398,8 @@ mlx5e_txwqe_complete(struct mlx5e_txqsq *sq, struct sk_buff *skb, + (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP))) { + u8 metadata_index = be32_to_cpu(eseg->flow_table_metadata); + ++ mlx5e_ptp_metadata_fifo_pop(&sq->ptpsq->metadata_freelist); ++ + mlx5e_skb_cb_hwtstamp_init(skb); + mlx5e_ptp_metadata_map_put(&sq->ptpsq->metadata_map, skb, + metadata_index); +@@ -496,9 +498,6 @@ mlx5e_sq_xmit_wqe(struct mlx5e_txqsq *sq, struct sk_buff *skb, + + err_drop: + stats->dropped++; +- if (unlikely(sq->ptpsq && (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP))) +- mlx5e_ptp_metadata_fifo_push(&sq->ptpsq->metadata_freelist, +- be32_to_cpu(eseg->flow_table_metadata)); + dev_kfree_skb_any(skb); + mlx5e_tx_flush(sq); + } +@@ -657,7 +656,7 @@ static void mlx5e_cqe_ts_id_eseg(struct mlx5e_ptpsq *ptpsq, struct sk_buff *skb, + { + if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP)) + eseg->flow_table_metadata = +- cpu_to_be32(mlx5e_ptp_metadata_fifo_pop(&ptpsq->metadata_freelist)); ++ cpu_to_be32(mlx5e_ptp_metadata_fifo_peek(&ptpsq->metadata_freelist)); + } + + static void mlx5e_txwqe_build_eseg(struct mlx5e_priv *priv, struct mlx5e_txqsq *sq, +-- +2.43.0 + diff --git a/queue-6.8/net-mlx5e-fix-mlx5e_priv_init-cleanup-flow.patch b/queue-6.8/net-mlx5e-fix-mlx5e_priv_init-cleanup-flow.patch new file mode 100644 index 00000000000..23c4fb7c240 --- /dev/null +++ b/queue-6.8/net-mlx5e-fix-mlx5e_priv_init-cleanup-flow.patch @@ -0,0 +1,109 @@ +From 555300bc67785a17231b0e9a74057823620cea80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 22:08:15 +0300 +Subject: 
net/mlx5e: Fix mlx5e_priv_init() cleanup flow + +From: Carolina Jubran + +[ Upstream commit ecb829459a841198e142f72fadab56424ae96519 ] + +When mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which +calls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using +lockdep_is_held(). + +Acquire the state_lock in mlx5e_selq_cleanup(). + +Kernel log: +============================= +WARNING: suspicious RCU usage +6.8.0-rc3_net_next_841a9b5 #1 Not tainted +----------------------------- +drivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +2 locks held by systemd-modules/293: + #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core] + #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core] + +stack backtrace: +CPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Call Trace: + + dump_stack_lvl+0x8a/0xa0 + lockdep_rcu_suspicious+0x154/0x1a0 + mlx5e_selq_apply+0x94/0xa0 [mlx5_core] + mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core] + mlx5e_priv_init+0x2be/0x2f0 [mlx5_core] + mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core] + rdma_init_netdev+0x4e/0x80 [ib_core] + ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core] + ipoib_intf_init+0x64/0x550 [ib_ipoib] + ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib] + ipoib_add_one+0xb0/0x360 [ib_ipoib] + add_client_context+0x112/0x1c0 [ib_core] + ib_register_client+0x166/0x1b0 [ib_core] + ? 
0xffffffffa0573000 + ipoib_init_module+0xeb/0x1a0 [ib_ipoib] + do_one_initcall+0x61/0x250 + do_init_module+0x8a/0x270 + init_module_from_file+0x8b/0xd0 + idempotent_init_module+0x17d/0x230 + __x64_sys_finit_module+0x61/0xb0 + do_syscall_64+0x71/0x140 + entry_SYSCALL_64_after_hwframe+0x46/0x4e + + +Fixes: 8bf30be75069 ("net/mlx5e: Introduce select queue parameters") +Signed-off-by: Carolina Jubran +Reviewed-by: Tariq Toukan +Reviewed-by: Dragos Tatulea +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240409190820.227554-8-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/selq.c | 2 ++ + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 -- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/selq.c b/drivers/net/ethernet/mellanox/mlx5/core/en/selq.c +index f675b1926340f..f66bbc8464645 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/selq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/selq.c +@@ -57,6 +57,7 @@ int mlx5e_selq_init(struct mlx5e_selq *selq, struct mutex *state_lock) + + void mlx5e_selq_cleanup(struct mlx5e_selq *selq) + { ++ mutex_lock(selq->state_lock); + WARN_ON_ONCE(selq->is_prepared); + + kvfree(selq->standby); +@@ -67,6 +68,7 @@ void mlx5e_selq_cleanup(struct mlx5e_selq *selq) + + kvfree(selq->standby); + selq->standby = NULL; ++ mutex_unlock(selq->state_lock); + } + + void mlx5e_selq_prepare_params(struct mlx5e_selq *selq, struct mlx5e_params *params) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index c8e8f512803ef..952f1f98138cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5695,9 +5695,7 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv) + kfree(priv->tx_rates); + kfree(priv->txq2sq); + 
destroy_workqueue(priv->wq); +- mutex_lock(&priv->state_lock); + mlx5e_selq_cleanup(&priv->selq); +- mutex_unlock(&priv->state_lock); + free_cpumask_var(priv->scratchpad.cpumask); + + for (i = 0; i < priv->htb_max_qos_sqs; i++) +-- +2.43.0 + diff --git a/queue-6.8/net-mlx5e-htb-fix-inconsistencies-with-qos-sqs-numbe.patch b/queue-6.8/net-mlx5e-htb-fix-inconsistencies-with-qos-sqs-numbe.patch new file mode 100644 index 00000000000..8cdfca15fb6 --- /dev/null +++ b/queue-6.8/net-mlx5e-htb-fix-inconsistencies-with-qos-sqs-numbe.patch @@ -0,0 +1,83 @@ +From b73822aace2d7911e55d8debe4dc261792dcc84e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 22:08:16 +0300 +Subject: net/mlx5e: HTB, Fix inconsistencies with QoS SQs number + +From: Carolina Jubran + +[ Upstream commit 2f436f1869771d46e1a9f85738d5a1a7c5653a4e ] + +When creating a new HTB class while the interface is down, +the variable that follows the number of QoS SQs (htb_max_qos_sqs) +may not be consistent with the number of HTB classes. + +Previously, we compared these two values to ensure that +the node_qid is lower than the number of QoS SQs, and we +allocated stats for that SQ when they are equal. + +Change the check to compare the node_qid with the current +number of leaf nodes and fix the checking conditions to +ensure allocation of stats_list and stats for each node. 
+ +Fixes: 214baf22870c ("net/mlx5e: Support HTB offload") +Signed-off-by: Carolina Jubran +Reviewed-by: Tariq Toukan +Reviewed-by: Dragos Tatulea +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240409190820.227554-9-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en/qos.c | 33 ++++++++++--------- + 1 file changed, 17 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c +index 34adf8c3f81a0..922bc5b7c10e3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c +@@ -83,24 +83,25 @@ int mlx5e_open_qos_sq(struct mlx5e_priv *priv, struct mlx5e_channels *chs, + + txq_ix = mlx5e_qid_from_qos(chs, node_qid); + +- WARN_ON(node_qid > priv->htb_max_qos_sqs); +- if (node_qid == priv->htb_max_qos_sqs) { +- struct mlx5e_sq_stats *stats, **stats_list = NULL; +- +- if (priv->htb_max_qos_sqs == 0) { +- stats_list = kvcalloc(mlx5e_qos_max_leaf_nodes(priv->mdev), +- sizeof(*stats_list), +- GFP_KERNEL); +- if (!stats_list) +- return -ENOMEM; +- } ++ WARN_ON(node_qid >= mlx5e_htb_cur_leaf_nodes(priv->htb)); ++ if (!priv->htb_qos_sq_stats) { ++ struct mlx5e_sq_stats **stats_list; ++ ++ stats_list = kvcalloc(mlx5e_qos_max_leaf_nodes(priv->mdev), ++ sizeof(*stats_list), GFP_KERNEL); ++ if (!stats_list) ++ return -ENOMEM; ++ ++ WRITE_ONCE(priv->htb_qos_sq_stats, stats_list); ++ } ++ ++ if (!priv->htb_qos_sq_stats[node_qid]) { ++ struct mlx5e_sq_stats *stats; ++ + stats = kzalloc(sizeof(*stats), GFP_KERNEL); +- if (!stats) { +- kvfree(stats_list); ++ if (!stats) + return -ENOMEM; +- } +- if (stats_list) +- WRITE_ONCE(priv->htb_qos_sq_stats, stats_list); ++ + WRITE_ONCE(priv->htb_qos_sq_stats[node_qid], stats); + /* Order htb_max_qos_sqs increment after writing the array pointer. 
+ * Pairs with smp_load_acquire in en_stats.c. +-- +2.43.0 + diff --git a/queue-6.8/net-mlx5e-rss-block-changing-channels-number-when-rx.patch b/queue-6.8/net-mlx5e-rss-block-changing-channels-number-when-rx.patch new file mode 100644 index 00000000000..8857aa24139 --- /dev/null +++ b/queue-6.8/net-mlx5e-rss-block-changing-channels-number-when-rx.patch @@ -0,0 +1,61 @@ +From b2ce2b74ea0f7be8bc625d76722e71041441637a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 22:08:14 +0300 +Subject: net/mlx5e: RSS, Block changing channels number when RXFH is + configured + +From: Carolina Jubran + +[ Upstream commit ee3572409f74a838154af74ce1e56e62c17786a8 ] + +Changing the channels number after configuring the receive flow hash +indirection table may affect the RSS table size. The previous +configuration may no longer be compatible with the new receive flow +hash indirection table. + +Block changing the channels number when RXFH is configured and changing +the channels number requires resizing the RSS table size. 
+ +Fixes: 74a8dadac17e ("net/mlx5e: Preparations for supporting larger number of channels") +Signed-off-by: Carolina Jubran +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240409190820.227554-7-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/en_ethtool.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index cc51ce16df14a..93461b0c5703b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -451,6 +451,23 @@ int mlx5e_ethtool_set_channels(struct mlx5e_priv *priv, + + mutex_lock(&priv->state_lock); + ++ /* If RXFH is configured, changing the channels number is allowed only if ++ * it does not require resizing the RSS table. This is because the previous ++ * configuration may no longer be compatible with the new RSS table. ++ */ ++ if (netif_is_rxfh_configured(priv->netdev)) { ++ int cur_rqt_size = mlx5e_rqt_size(priv->mdev, cur_params->num_channels); ++ int new_rqt_size = mlx5e_rqt_size(priv->mdev, count); ++ ++ if (new_rqt_size != cur_rqt_size) { ++ err = -EINVAL; ++ netdev_err(priv->netdev, ++ "%s: RXFH is configured, block changing channels number that affects RSS table size (new: %d, current: %d)\n", ++ __func__, new_rqt_size, cur_rqt_size); ++ goto out; ++ } ++ } ++ + /* Don't allow changing the number of channels if HTB offload is active, + * because the numeration of the QoS SQs will change, while per-queue + * qdiscs are attached. 
+-- +2.43.0 + diff --git a/queue-6.8/net-openvswitch-fix-unwanted-error-log-on-timeout-po.patch b/queue-6.8/net-openvswitch-fix-unwanted-error-log-on-timeout-po.patch new file mode 100644 index 00000000000..1bd1e421368 --- /dev/null +++ b/queue-6.8/net-openvswitch-fix-unwanted-error-log-on-timeout-po.patch @@ -0,0 +1,60 @@ +From 2bc31139386be125dc9decbd2b6ed8dcc9a4ad10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 22:38:01 +0200 +Subject: net: openvswitch: fix unwanted error log on timeout policy probing + +From: Ilya Maximets + +[ Upstream commit 4539f91f2a801c0c028c252bffae56030cfb2cae ] + +On startup, ovs-vswitchd probes different datapath features including +support for timeout policies. While probing, it tries to execute +certain operations with OVS_PACKET_ATTR_PROBE or OVS_FLOW_ATTR_PROBE +attributes set. These attributes tell the openvswitch module to not +log any errors when they occur as it is expected that some of the +probes will fail. + +For some reason, setting the timeout policy ignores the PROBE attribute +and logs a failure anyway. This is causing the following kernel log +on each re-start of ovs-vswitchd: + + kernel: Failed to associated timeout policy `ovs_test_tp' + +Fix that by using the same logging macro that all other messages are +using. The message will still be printed at info level when needed +and will be rate limited, but with a net rate limiter instead of +generic printk one. + +The nf_ct_set_timeout() itself will still print some info messages, +but at least this change makes logging in openvswitch module more +consistent. 
+ +Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action") +Signed-off-by: Ilya Maximets +Acked-by: Eelco Chaudron +Link: https://lore.kernel.org/r/20240403203803.2137962-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/conntrack.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index 3019a4406ca4f..74b63cdb59923 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -1380,8 +1380,9 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, + if (ct_info.timeout[0]) { + if (nf_ct_set_timeout(net, ct_info.ct, family, key->ip.proto, + ct_info.timeout)) +- pr_info_ratelimited("Failed to associated timeout " +- "policy `%s'\n", ct_info.timeout); ++ OVS_NLERR(log, ++ "Failed to associated timeout policy '%s'", ++ ct_info.timeout); + else + ct_info.nf_ct_timeout = rcu_dereference( + nf_ct_timeout_find(ct_info.ct)->timeout); +-- +2.43.0 + diff --git a/queue-6.8/net-sparx5-fix-wrong-config-being-used-when-reconfig.patch b/queue-6.8/net-sparx5-fix-wrong-config-being-used-when-reconfig.patch new file mode 100644 index 00000000000..6e9a9d6c62a --- /dev/null +++ b/queue-6.8/net-sparx5-fix-wrong-config-being-used-when-reconfig.patch @@ -0,0 +1,47 @@ +From e35648481506948784cf1eefa931635521bda136 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 12:41:59 +0200 +Subject: net: sparx5: fix wrong config being used when reconfiguring PCS + +From: Daniel Machon + +[ Upstream commit 33623113a48ea906f1955cbf71094f6aa4462e8f ] + +The wrong port config is being used if the PCS is reconfigured. Fix this +by correctly using the new config instead of the old one. 
+ +Fixes: 946e7fd5053a ("net: sparx5: add port module support") +Signed-off-by: Daniel Machon +Reviewed-by: Jacob Keller +Link: https://lore.kernel.org/r/20240409-link-mode-reconfiguration-fix-v2-1-db6a507f3627@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_port.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_port.c b/drivers/net/ethernet/microchip/sparx5/sparx5_port.c +index 3a1b1a1f5a195..60dd2fd603a85 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_port.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_port.c +@@ -731,7 +731,7 @@ static int sparx5_port_pcs_low_set(struct sparx5 *sparx5, + bool sgmii = false, inband_aneg = false; + int err; + +- if (port->conf.inband) { ++ if (conf->inband) { + if (conf->portmode == PHY_INTERFACE_MODE_SGMII || + conf->portmode == PHY_INTERFACE_MODE_QSGMII) + inband_aneg = true; /* Cisco-SGMII in-band-aneg */ +@@ -948,7 +948,7 @@ int sparx5_port_pcs_set(struct sparx5 *sparx5, + if (err) + return -EINVAL; + +- if (port->conf.inband) { ++ if (conf->inband) { + /* Enable/disable 1G counters in ASM */ + spx5_rmw(ASM_PORT_CFG_CSC_STAT_DIS_SET(high_speed_dev), + ASM_PORT_CFG_CSC_STAT_DIS, +-- +2.43.0 + diff --git a/queue-6.8/netfilter-complete-validation-of-user-input.patch b/queue-6.8/netfilter-complete-validation-of-user-input.patch new file mode 100644 index 00000000000..b04c80f44c8 --- /dev/null +++ b/queue-6.8/netfilter-complete-validation-of-user-input.patch @@ -0,0 +1,102 @@ +From e2a8d74ae532074343b8ebb842ba0b90b5ad28c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 12:07:41 +0000 +Subject: netfilter: complete validation of user input + +From: Eric Dumazet + +[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ] + +In my recent commit, I missed that do_replace() handlers +use copy_from_sockptr() (which I fixed), followed +by unsafe 
copy_from_sockptr_offset() calls. + +In all functions, we can perform the @optlen validation +before even calling xt_alloc_table_info() with the following +check: + +if ((u64)optlen < (u64)tmp.size + sizeof(tmp)) + return -EINVAL; + +Fixes: 0c83842df40f ("netfilter: validate user input for expected length") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/arp_tables.c | 4 ++++ + net/ipv4/netfilter/ip_tables.c | 4 ++++ + net/ipv6/netfilter/ip6_tables.c | 4 ++++ + 3 files changed, 12 insertions(+) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index b150c9929b12e..14365b20f1c5c 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -966,6 +966,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len) + return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; ++ if ((u64)len < (u64)tmp.size + sizeof(tmp)) ++ return -EINVAL; + + tmp.name[sizeof(tmp.name)-1] = 0; + +@@ -1266,6 +1268,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) + return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; ++ if ((u64)len < (u64)tmp.size + sizeof(tmp)) ++ return -EINVAL; + + tmp.name[sizeof(tmp.name)-1] = 0; + +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 4876707595781..fe89a056eb06c 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1118,6 +1118,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len) + return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; ++ if ((u64)len < (u64)tmp.size + sizeof(tmp)) ++ return -EINVAL; + + tmp.name[sizeof(tmp.name)-1] = 0; + +@@ -1504,6 +1506,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) + return -ENOMEM; + 
if (tmp.num_counters == 0) + return -EINVAL; ++ if ((u64)len < (u64)tmp.size + sizeof(tmp)) ++ return -EINVAL; + + tmp.name[sizeof(tmp.name)-1] = 0; + +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 636b360311c53..131f7bb2110d3 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1135,6 +1135,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len) + return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; ++ if ((u64)len < (u64)tmp.size + sizeof(tmp)) ++ return -EINVAL; + + tmp.name[sizeof(tmp.name)-1] = 0; + +@@ -1513,6 +1515,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) + return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; ++ if ((u64)len < (u64)tmp.size + sizeof(tmp)) ++ return -EINVAL; + + tmp.name[sizeof(tmp.name)-1] = 0; + +-- +2.43.0 + diff --git a/queue-6.8/nouveau-fix-function-cast-warning.patch b/queue-6.8/nouveau-fix-function-cast-warning.patch new file mode 100644 index 00000000000..ea128168e1a --- /dev/null +++ b/queue-6.8/nouveau-fix-function-cast-warning.patch @@ -0,0 +1,51 @@ +From 9fd59e475c1f42dc704f1808afa11dad6219342e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 18:02:25 +0200 +Subject: nouveau: fix function cast warning + +From: Arnd Bergmann + +[ Upstream commit 185fdb4697cc9684a02f2fab0530ecdd0c2f15d4 ] + +Calling a function through an incompatible pointer type breaks +kcfi, so clang warns about the assignment: + +drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c:73:10: error: cast from 'void (*)(const void *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 73 | .fini = (void(*)(void *))kfree, + +Avoid this with a trivial wrapper.
+ +Fixes: c39f472e9f14 ("drm/nouveau: remove symlinks, move core/ to nvkm/ (no code changes)") +Signed-off-by: Arnd Bergmann +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20240404160234.2923554-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c +index 4bf486b571013..cb05f7f48a98b 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c +@@ -66,11 +66,16 @@ of_init(struct nvkm_bios *bios, const char *name) + return ERR_PTR(-EINVAL); + } + ++static void of_fini(void *p) ++{ ++ kfree(p); ++} ++ + const struct nvbios_source + nvbios_of = { + .name = "OpenFirmware", + .init = of_init, +- .fini = (void(*)(void *))kfree, ++ .fini = of_fini, + .read = of_read, + .size = of_size, + .rw = false, +-- +2.43.0 + diff --git a/queue-6.8/octeontx2-af-fix-nix-sq-mode-and-bp-config.patch b/queue-6.8/octeontx2-af-fix-nix-sq-mode-and-bp-config.patch new file mode 100644 index 00000000000..56f0b9d2cd9 --- /dev/null +++ b/queue-6.8/octeontx2-af-fix-nix-sq-mode-and-bp-config.patch @@ -0,0 +1,59 @@ +From 65adfc8dd96b08d0f55db342ad60334d9612830f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 12:06:43 +0530 +Subject: octeontx2-af: Fix NIX SQ mode and BP config + +From: Geetha sowjanya + +[ Upstream commit faf23006185e777db18912685922c5ddb2df383f ] + +NIX SQ mode and link backpressure configuration is required for +all platforms. But in current driver this code is wrongly placed +under specific platform check. This patch fixes the issue by +moving the code out of platform check. 
+ +Fixes: 5d9b976d4480 ("octeontx2-af: Support fixed transmit scheduler topology") +Signed-off-by: Geetha sowjanya +Link: https://lore.kernel.org/r/20240408063643.26288-1-gakula@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/af/rvu_nix.c | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index 66203a90f052b..42db213fb69a6 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -4721,18 +4721,18 @@ static int rvu_nix_block_init(struct rvu *rvu, struct nix_hw *nix_hw) + */ + rvu_write64(rvu, blkaddr, NIX_AF_CFG, + rvu_read64(rvu, blkaddr, NIX_AF_CFG) | 0x40ULL); ++ } + +- /* Set chan/link to backpressure TL3 instead of TL2 */ +- rvu_write64(rvu, blkaddr, NIX_AF_PSE_CHANNEL_LEVEL, 0x01); ++ /* Set chan/link to backpressure TL3 instead of TL2 */ ++ rvu_write64(rvu, blkaddr, NIX_AF_PSE_CHANNEL_LEVEL, 0x01); + +- /* Disable SQ manager's sticky mode operation (set TM6 = 0) +- * This sticky mode is known to cause SQ stalls when multiple +- * SQs are mapped to same SMQ and transmitting pkts at a time. +- */ +- cfg = rvu_read64(rvu, blkaddr, NIX_AF_SQM_DBG_CTL_STATUS); +- cfg &= ~BIT_ULL(15); +- rvu_write64(rvu, blkaddr, NIX_AF_SQM_DBG_CTL_STATUS, cfg); +- } ++ /* Disable SQ manager's sticky mode operation (set TM6 = 0) ++ * This sticky mode is known to cause SQ stalls when multiple ++ * SQs are mapped to same SMQ and transmitting pkts at a time. 
++ */ ++ cfg = rvu_read64(rvu, blkaddr, NIX_AF_SQM_DBG_CTL_STATUS); ++ cfg &= ~BIT_ULL(15); ++ rvu_write64(rvu, blkaddr, NIX_AF_SQM_DBG_CTL_STATUS, cfg); + + ltdefs = rvu->kpu.lt_def; + /* Calibrate X2P bus to check if CGX/LBK links are fine */ +-- +2.43.0 + diff --git a/queue-6.8/octeontx2-pf-fix-transmit-scheduler-resource-leak.patch b/queue-6.8/octeontx2-pf-fix-transmit-scheduler-resource-leak.patch new file mode 100644 index 00000000000..10fc7a27210 --- /dev/null +++ b/queue-6.8/octeontx2-pf-fix-transmit-scheduler-resource-leak.patch @@ -0,0 +1,41 @@ +From 26f78dcc619ea2e9c2647d51c05569d0aa609563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 16:54:27 +0530 +Subject: octeontx2-pf: Fix transmit scheduler resource leak + +From: Hariprasad Kelam + +[ Upstream commit bccb798e07f8bb8b91212fe8ed1e421685449076 ] + +In order to support shaping and scheduling, upon class creation +Netdev driver allocates transmit schedulers. + +The previous patch which added support for Round robin scheduling has +a bug due to which driver is not freeing transmit schedulers post +class deletion. + +This patch fixes the same. + +Fixes: 47a9656f168a ("octeontx2-pf: htb offload support for Round Robin scheduling") +Signed-off-by: Hariprasad Kelam +Signed-off-by: David S.
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c +index 1e77bbf5d22a1..1723e9912ae07 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c +@@ -382,6 +382,7 @@ static void otx2_qos_read_txschq_cfg_tl(struct otx2_qos_node *parent, + otx2_qos_read_txschq_cfg_tl(node, cfg); + cnt = cfg->static_node_pos[node->level]; + cfg->schq_contig_list[node->level][cnt] = node->schq; ++ cfg->schq_index_used[node->level][cnt] = true; + cfg->schq_contig[node->level]++; + cfg->static_node_pos[node->level]++; + otx2_qos_read_txschq_cfg_schq(node, cfg); +-- +2.43.0 + diff --git a/queue-6.8/pds_core-fix-pdsc_check_pci_health-function-to-use-w.patch b/queue-6.8/pds_core-fix-pdsc_check_pci_health-function-to-use-w.patch new file mode 100644 index 00000000000..9c2e714fb59 --- /dev/null +++ b/queue-6.8/pds_core-fix-pdsc_check_pci_health-function-to-use-w.patch @@ -0,0 +1,147 @@ +From cc8cad4820b77e9b93de2343b927eadb6f713aec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:35:40 -0700 +Subject: pds_core: Fix pdsc_check_pci_health function to use work thread + +From: Brett Creeley + +[ Upstream commit 81665adf25d28a00a986533f1d3a5df76b79cad9 ] + +When the driver notices fw_status == 0xff it tries to perform a PCI +reset on itself via pci_reset_function() in the context of the driver's +health thread. However, pdsc_reset_prepare calls +pdsc_stop_health_thread(), which attempts to stop/flush the health +thread. This results in a deadlock because the stop/flush will never +complete since the driver called pci_reset_function() from the health +thread context. Fix by changing the pdsc_check_pci_health_function() +to queue a newly introduced pdsc_pci_reset_thread() on the pdsc's +work queue. 
+ +Unloading the driver in the fw_down/dead state uncovered another issue, +which can be seen in the following trace: + +WARNING: CPU: 51 PID: 6914 at kernel/workqueue.c:1450 __queue_work+0x358/0x440 +[...] +RIP: 0010:__queue_work+0x358/0x440 +[...] +Call Trace: + + ? __warn+0x85/0x140 + ? __queue_work+0x358/0x440 + ? report_bug+0xfc/0x1e0 + ? handle_bug+0x3f/0x70 + ? exc_invalid_op+0x17/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? __queue_work+0x358/0x440 + queue_work_on+0x28/0x30 + pdsc_devcmd_locked+0x96/0xe0 [pds_core] + pdsc_devcmd_reset+0x71/0xb0 [pds_core] + pdsc_teardown+0x51/0xe0 [pds_core] + pdsc_remove+0x106/0x200 [pds_core] + pci_device_remove+0x37/0xc0 + device_release_driver_internal+0xae/0x140 + driver_detach+0x48/0x90 + bus_remove_driver+0x6d/0xf0 + pci_unregister_driver+0x2e/0xa0 + pdsc_cleanup_module+0x10/0x780 [pds_core] + __x64_sys_delete_module+0x142/0x2b0 + ? syscall_trace_enter.isra.18+0x126/0x1a0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7fbd9d03a14b +[...] + +Fix this by preventing the devcmd reset if the FW is not running. + +Fixes: d9407ff11809 ("pds_core: Prevent health thread from running during reset/remove") +Reviewed-by: Shannon Nelson +Signed-off-by: Brett Creeley +Reviewed-by: Jacob Keller +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/pds_core/core.c | 13 ++++++++++++- + drivers/net/ethernet/amd/pds_core/core.h | 2 ++ + drivers/net/ethernet/amd/pds_core/dev.c | 3 +++ + drivers/net/ethernet/amd/pds_core/main.c | 1 + + 4 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/pds_core/core.c b/drivers/net/ethernet/amd/pds_core/core.c +index 0d148795a8d09..dd4f0965bbe64 100644 +--- a/drivers/net/ethernet/amd/pds_core/core.c ++++ b/drivers/net/ethernet/amd/pds_core/core.c +@@ -595,6 +595,16 @@ void pdsc_fw_up(struct pdsc *pdsc) + pdsc_teardown(pdsc, PDSC_TEARDOWN_RECOVERY); + } + ++void pdsc_pci_reset_thread(struct work_struct *work) ++{ ++ struct pdsc *pdsc = container_of(work, struct pdsc, pci_reset_work); ++ struct pci_dev *pdev = pdsc->pdev; ++ ++ pci_dev_get(pdev); ++ pci_reset_function(pdev); ++ pci_dev_put(pdev); ++} ++ + static void pdsc_check_pci_health(struct pdsc *pdsc) + { + u8 fw_status; +@@ -609,7 +619,8 @@ static void pdsc_check_pci_health(struct pdsc *pdsc) + if (fw_status != PDS_RC_BAD_PCI) + return; + +- pci_reset_function(pdsc->pdev); ++ /* prevent deadlock between pdsc_reset_prepare and pdsc_health_thread */ ++ queue_work(pdsc->wq, &pdsc->pci_reset_work); + } + + void pdsc_health_thread(struct work_struct *work) +diff --git a/drivers/net/ethernet/amd/pds_core/core.h b/drivers/net/ethernet/amd/pds_core/core.h +index f410f7d132056..401ff56eba0dc 100644 +--- a/drivers/net/ethernet/amd/pds_core/core.h ++++ b/drivers/net/ethernet/amd/pds_core/core.h +@@ -197,6 +197,7 @@ struct pdsc { + struct pdsc_qcq notifyqcq; + u64 last_eid; + struct pdsc_viftype *viftype_status; ++ struct work_struct pci_reset_work; + }; + + /** enum pds_core_dbell_bits - bitwise composition of dbell values. 
+@@ -312,5 +313,6 @@ int pdsc_firmware_update(struct pdsc *pdsc, const struct firmware *fw, + + void pdsc_fw_down(struct pdsc *pdsc); + void pdsc_fw_up(struct pdsc *pdsc); ++void pdsc_pci_reset_thread(struct work_struct *work); + + #endif /* _PDSC_H_ */ +diff --git a/drivers/net/ethernet/amd/pds_core/dev.c b/drivers/net/ethernet/amd/pds_core/dev.c +index e65a1632df505..bfb79c5aac391 100644 +--- a/drivers/net/ethernet/amd/pds_core/dev.c ++++ b/drivers/net/ethernet/amd/pds_core/dev.c +@@ -229,6 +229,9 @@ int pdsc_devcmd_reset(struct pdsc *pdsc) + .reset.opcode = PDS_CORE_CMD_RESET, + }; + ++ if (!pdsc_is_fw_running(pdsc)) ++ return 0; ++ + return pdsc_devcmd(pdsc, &cmd, &comp, pdsc->devcmd_timeout); + } + +diff --git a/drivers/net/ethernet/amd/pds_core/main.c b/drivers/net/ethernet/amd/pds_core/main.c +index 345b16127fe8b..a375d612d2875 100644 +--- a/drivers/net/ethernet/amd/pds_core/main.c ++++ b/drivers/net/ethernet/amd/pds_core/main.c +@@ -238,6 +238,7 @@ static int pdsc_init_pf(struct pdsc *pdsc) + snprintf(wq_name, sizeof(wq_name), "%s.%d", PDS_CORE_DRV_NAME, pdsc->uid); + pdsc->wq = create_singlethread_workqueue(wq_name); + INIT_WORK(&pdsc->health_work, pdsc_health_thread); ++ INIT_WORK(&pdsc->pci_reset_work, pdsc_pci_reset_thread); + timer_setup(&pdsc->wdtimer, pdsc_wdtimer_cb, 0); + pdsc->wdtimer_period = PDSC_WATCHDOG_SECS * HZ; + +-- +2.43.0 + diff --git a/queue-6.8/pds_core-use-pci_reset_function-for-health-reset.patch b/queue-6.8/pds_core-use-pci_reset_function-for-health-reset.patch new file mode 100644 index 00000000000..9aa1186c170 --- /dev/null +++ b/queue-6.8/pds_core-use-pci_reset_function-for-health-reset.patch @@ -0,0 +1,82 @@ +From 5dfb8857416edd2453d7965162a5e83637431a8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 14:29:52 -0800 +Subject: pds_core: use pci_reset_function for health reset + +From: Shannon Nelson + +[ Upstream commit 2cbab3c296f1addd73b40549a2271b30f960df8b ] + +We get the benefit of all the PCI reset 
locking and recovery if +we use the existing pci_reset_function() that will call our +local reset handlers. + +Reviewed-by: Brett Creeley +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Stable-dep-of: 81665adf25d2 ("pds_core: Fix pdsc_check_pci_health function to use work thread") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/pds_core/core.c | 3 +-- + drivers/net/ethernet/amd/pds_core/core.h | 3 --- + drivers/net/ethernet/amd/pds_core/main.c | 7 ++++--- + 3 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/amd/pds_core/core.c b/drivers/net/ethernet/amd/pds_core/core.c +index 7658a72867675..0d148795a8d09 100644 +--- a/drivers/net/ethernet/amd/pds_core/core.c ++++ b/drivers/net/ethernet/amd/pds_core/core.c +@@ -609,8 +609,7 @@ static void pdsc_check_pci_health(struct pdsc *pdsc) + if (fw_status != PDS_RC_BAD_PCI) + return; + +- pdsc_reset_prepare(pdsc->pdev); +- pdsc_reset_done(pdsc->pdev); ++ pci_reset_function(pdsc->pdev); + } + + void pdsc_health_thread(struct work_struct *work) +diff --git a/drivers/net/ethernet/amd/pds_core/core.h b/drivers/net/ethernet/amd/pds_core/core.h +index 110c4b826b22d..f410f7d132056 100644 +--- a/drivers/net/ethernet/amd/pds_core/core.h ++++ b/drivers/net/ethernet/amd/pds_core/core.h +@@ -283,9 +283,6 @@ int pdsc_devcmd_init(struct pdsc *pdsc); + int pdsc_devcmd_reset(struct pdsc *pdsc); + int pdsc_dev_init(struct pdsc *pdsc); + +-void pdsc_reset_prepare(struct pci_dev *pdev); +-void pdsc_reset_done(struct pci_dev *pdev); +- + int pdsc_intr_alloc(struct pdsc *pdsc, char *name, + irq_handler_t handler, void *data); + void pdsc_intr_free(struct pdsc *pdsc, int index); +diff --git a/drivers/net/ethernet/amd/pds_core/main.c b/drivers/net/ethernet/amd/pds_core/main.c +index 0050c5894563b..345b16127fe8b 100644 +--- a/drivers/net/ethernet/amd/pds_core/main.c ++++ b/drivers/net/ethernet/amd/pds_core/main.c +@@ -468,7 +468,7 @@ static void pdsc_restart_health_thread(struct pdsc 
*pdsc) + mod_timer(&pdsc->wdtimer, jiffies + 1); + } + +-void pdsc_reset_prepare(struct pci_dev *pdev) ++static void pdsc_reset_prepare(struct pci_dev *pdev) + { + struct pdsc *pdsc = pci_get_drvdata(pdev); + +@@ -477,10 +477,11 @@ void pdsc_reset_prepare(struct pci_dev *pdev) + + pdsc_unmap_bars(pdsc); + pci_release_regions(pdev); +- pci_disable_device(pdev); ++ if (pci_is_enabled(pdev)) ++ pci_disable_device(pdev); + } + +-void pdsc_reset_done(struct pci_dev *pdev) ++static void pdsc_reset_done(struct pci_dev *pdev) + { + struct pdsc *pdsc = pci_get_drvdata(pdev); + struct device *dev = pdsc->dev; +-- +2.43.0 + diff --git a/queue-6.8/revert-drm-qxl-simplify-qxl_fence_wait.patch b/queue-6.8/revert-drm-qxl-simplify-qxl_fence_wait.patch new file mode 100644 index 00000000000..7c38077b945 --- /dev/null +++ b/queue-6.8/revert-drm-qxl-simplify-qxl_fence_wait.patch @@ -0,0 +1,115 @@ +From b51ccd7de1182edfee949f9de4bb7e7130767d18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 19:14:48 +0100 +Subject: Revert "drm/qxl: simplify qxl_fence_wait" + +From: Alex Constantino + +[ Upstream commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea ] + +This reverts commit 5a838e5d5825c85556011478abde708251cc0776. + +Changes from commit 5a838e5d5825 ("drm/qxl: simplify qxl_fence_wait") would +result in a '[TTM] Buffer eviction failed' exception whenever it reached a +timeout. +Due to a dependency to DMA_FENCE_WARN this also restores some code deleted +by commit d72277b6c37d ("dma-buf: nuke DMA_FENCE_TRACE macros v2"). 
+ +Fixes: 5a838e5d5825 ("drm/qxl: simplify qxl_fence_wait") +Link: https://lore.kernel.org/regressions/ZTgydqRlK6WX_b29@eldamar.lan/ +Reported-by: Timo Lindfors +Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054514 +Signed-off-by: Alex Constantino +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20240404181448.1643-2-dreaming.about.electric.sheep@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/qxl/qxl_release.c | 50 +++++++++++++++++++++++++++---- + include/linux/dma-fence.h | 7 +++++ + 2 files changed, 52 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c +index 368d26da0d6a2..9febc8b73f09e 100644 +--- a/drivers/gpu/drm/qxl/qxl_release.c ++++ b/drivers/gpu/drm/qxl/qxl_release.c +@@ -58,16 +58,56 @@ static long qxl_fence_wait(struct dma_fence *fence, bool intr, + signed long timeout) + { + struct qxl_device *qdev; ++ struct qxl_release *release; ++ int count = 0, sc = 0; ++ bool have_drawable_releases; + unsigned long cur, end = jiffies + timeout; + + qdev = container_of(fence->lock, struct qxl_device, release_lock); ++ release = container_of(fence, struct qxl_release, base); ++ have_drawable_releases = release->type == QXL_RELEASE_DRAWABLE; + +- if (!wait_event_timeout(qdev->release_event, +- (dma_fence_is_signaled(fence) || +- (qxl_io_notify_oom(qdev), 0)), +- timeout)) +- return 0; ++retry: ++ sc++; ++ ++ if (dma_fence_is_signaled(fence)) ++ goto signaled; ++ ++ qxl_io_notify_oom(qdev); ++ ++ for (count = 0; count < 11; count++) { ++ if (!qxl_queue_garbage_collect(qdev, true)) ++ break; ++ ++ if (dma_fence_is_signaled(fence)) ++ goto signaled; ++ } ++ ++ if (dma_fence_is_signaled(fence)) ++ goto signaled; ++ ++ if (have_drawable_releases || sc < 4) { ++ if (sc > 2) ++ /* back off */ ++ usleep_range(500, 1000); ++ ++ if (time_after(jiffies, end)) ++ return 0; ++ ++ if (have_drawable_releases && sc > 300) { ++ DMA_FENCE_WARN(fence, ++ 
"failed to wait on release %llu after spincount %d\n", ++ fence->context & ~0xf0000000, sc); ++ goto signaled; ++ } ++ goto retry; ++ } ++ /* ++ * yeah, original sync_obj_wait gave up after 3 spins when ++ * have_drawable_releases is not set. ++ */ + ++signaled: + cur = jiffies; + if (time_after(cur, end)) + return 0; +diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h +index e06bad467f55e..c3f9bb6602ba2 100644 +--- a/include/linux/dma-fence.h ++++ b/include/linux/dma-fence.h +@@ -682,4 +682,11 @@ static inline bool dma_fence_is_container(struct dma_fence *fence) + return dma_fence_is_array(fence) || dma_fence_is_chain(fence); + } + ++#define DMA_FENCE_WARN(f, fmt, args...) \ ++ do { \ ++ struct dma_fence *__ff = (f); \ ++ pr_warn("f %llu#%llu: " fmt, __ff->context, __ff->seqno,\ ++ ##args); \ ++ } while (0) ++ + #endif /* __LINUX_DMA_FENCE_H */ +-- +2.43.0 + diff --git a/queue-6.8/revert-s390-ism-fix-receive-message-buffer-allocatio.patch b/queue-6.8/revert-s390-ism-fix-receive-message-buffer-allocatio.patch new file mode 100644 index 00000000000..c7484a06909 --- /dev/null +++ b/queue-6.8/revert-s390-ism-fix-receive-message-buffer-allocatio.patch @@ -0,0 +1,94 @@ +From 8568beeed3944bd4bf4c3683993a9df6ae53fbb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 13:37:53 +0200 +Subject: Revert "s390/ism: fix receive message buffer allocation" + +From: Gerd Bayer + +[ Upstream commit d51dc8dd6ab6f93a894ff8b38d3b8d02c98eb9fb ] + +This reverts commit 58effa3476536215530c9ec4910ffc981613b413. +Review was not finished on this patch. So it's not ready for +upstreaming. 
+ +Signed-off-by: Gerd Bayer +Link: https://lore.kernel.org/r/20240409113753.2181368-1-gbayer@linux.ibm.com +Fixes: 58effa347653 ("s390/ism: fix receive message buffer allocation") +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ism_drv.c | 38 +++++++++----------------------------- + 1 file changed, 9 insertions(+), 29 deletions(-) + +diff --git a/drivers/s390/net/ism_drv.c b/drivers/s390/net/ism_drv.c +index affb05521e146..2c8e964425dc3 100644 +--- a/drivers/s390/net/ism_drv.c ++++ b/drivers/s390/net/ism_drv.c +@@ -14,8 +14,6 @@ + #include + #include + #include +-#include +-#include + + #include "ism.h" + +@@ -294,15 +292,13 @@ static int ism_read_local_gid(struct ism_dev *ism) + static void ism_free_dmb(struct ism_dev *ism, struct ism_dmb *dmb) + { + clear_bit(dmb->sba_idx, ism->sba_bitmap); +- dma_unmap_page(&ism->pdev->dev, dmb->dma_addr, dmb->dmb_len, +- DMA_FROM_DEVICE); +- folio_put(virt_to_folio(dmb->cpu_addr)); ++ dma_free_coherent(&ism->pdev->dev, dmb->dmb_len, ++ dmb->cpu_addr, dmb->dma_addr); + } + + static int ism_alloc_dmb(struct ism_dev *ism, struct ism_dmb *dmb) + { + unsigned long bit; +- int rc; + + if (PAGE_ALIGN(dmb->dmb_len) > dma_get_max_seg_size(&ism->pdev->dev)) + return -EINVAL; +@@ -319,30 +315,14 @@ static int ism_alloc_dmb(struct ism_dev *ism, struct ism_dmb *dmb) + test_and_set_bit(dmb->sba_idx, ism->sba_bitmap)) + return -EINVAL; + +- dmb->cpu_addr = +- folio_address(folio_alloc(GFP_KERNEL | __GFP_NOWARN | +- __GFP_NOMEMALLOC | __GFP_NORETRY, +- get_order(dmb->dmb_len))); ++ dmb->cpu_addr = dma_alloc_coherent(&ism->pdev->dev, dmb->dmb_len, ++ &dmb->dma_addr, ++ GFP_KERNEL | __GFP_NOWARN | ++ __GFP_NOMEMALLOC | __GFP_NORETRY); ++ if (!dmb->cpu_addr) ++ clear_bit(dmb->sba_idx, ism->sba_bitmap); + +- if (!dmb->cpu_addr) { +- rc = -ENOMEM; +- goto out_bit; +- } +- dmb->dma_addr = dma_map_page(&ism->pdev->dev, +- virt_to_page(dmb->cpu_addr), 0, +- dmb->dmb_len, DMA_FROM_DEVICE); +- if 
(dma_mapping_error(&ism->pdev->dev, dmb->dma_addr)) { +- rc = -ENOMEM; +- goto out_free; +- } +- +- return 0; +- +-out_free: +- kfree(dmb->cpu_addr); +-out_bit: +- clear_bit(dmb->sba_idx, ism->sba_bitmap); +- return rc; ++ return dmb->cpu_addr ? 0 : -ENOMEM; + } + + int ism_register_dmb(struct ism_dev *ism, struct ism_dmb *dmb, +-- +2.43.0 + diff --git a/queue-6.8/s390-ism-fix-receive-message-buffer-allocation.patch b/queue-6.8/s390-ism-fix-receive-message-buffer-allocation.patch new file mode 100644 index 00000000000..b71d5e6e728 --- /dev/null +++ b/queue-6.8/s390-ism-fix-receive-message-buffer-allocation.patch @@ -0,0 +1,110 @@ +From 01991151ff2636abc3d3545f19efb890d22286c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 13:16:06 +0200 +Subject: s390/ism: fix receive message buffer allocation + +From: Gerd Bayer + +[ Upstream commit 58effa3476536215530c9ec4910ffc981613b413 ] + +Since [1], dma_alloc_coherent() does not accept requests for GFP_COMP +anymore, even on archs that may be able to fulfill this. Functionality that +relied on the receive buffer being a compound page broke at that point: +The SMC-D protocol, that utilizes the ism device driver, passes receive +buffers to the splice processor in a struct splice_pipe_desc with a +single entry list of struct pages. As the buffer is no longer a compound +page, the splice processor now rejects requests to handle more than a +page worth of data. + +Replace dma_alloc_coherent() and allocate a buffer with folio_alloc and +create a DMA map for it with dma_map_page(). Since only receive buffers +on ISM devices use DMA, qualify the mapping as FROM_DEVICE. +Since ISM devices are available on arch s390 only, and on that arch all +DMA is coherent, there is no need to introduce and export some kind of +dma_sync_to_cpu() method to be called by the SMC-D protocol layer. + +Analogously, replace dma_free_coherent by a two step dma_unmap_page, +then folio_put to free the receive buffer. 
+ +[1] https://lore.kernel.org/all/20221113163535.884299-1-hch@lst.de/ + +Fixes: c08004eede4b ("s390/ism: don't pass bogus GFP_ flags to dma_alloc_coherent") +Signed-off-by: Gerd Bayer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ism_drv.c | 38 +++++++++++++++++++++++++++++--------- + 1 file changed, 29 insertions(+), 9 deletions(-) + +diff --git a/drivers/s390/net/ism_drv.c b/drivers/s390/net/ism_drv.c +index 2c8e964425dc3..affb05521e146 100644 +--- a/drivers/s390/net/ism_drv.c ++++ b/drivers/s390/net/ism_drv.c +@@ -14,6 +14,8 @@ + #include + #include + #include ++#include ++#include + + #include "ism.h" + +@@ -292,13 +294,15 @@ static int ism_read_local_gid(struct ism_dev *ism) + static void ism_free_dmb(struct ism_dev *ism, struct ism_dmb *dmb) + { + clear_bit(dmb->sba_idx, ism->sba_bitmap); +- dma_free_coherent(&ism->pdev->dev, dmb->dmb_len, +- dmb->cpu_addr, dmb->dma_addr); ++ dma_unmap_page(&ism->pdev->dev, dmb->dma_addr, dmb->dmb_len, ++ DMA_FROM_DEVICE); ++ folio_put(virt_to_folio(dmb->cpu_addr)); + } + + static int ism_alloc_dmb(struct ism_dev *ism, struct ism_dmb *dmb) + { + unsigned long bit; ++ int rc; + + if (PAGE_ALIGN(dmb->dmb_len) > dma_get_max_seg_size(&ism->pdev->dev)) + return -EINVAL; +@@ -315,14 +319,30 @@ static int ism_alloc_dmb(struct ism_dev *ism, struct ism_dmb *dmb) + test_and_set_bit(dmb->sba_idx, ism->sba_bitmap)) + return -EINVAL; + +- dmb->cpu_addr = dma_alloc_coherent(&ism->pdev->dev, dmb->dmb_len, +- &dmb->dma_addr, +- GFP_KERNEL | __GFP_NOWARN | +- __GFP_NOMEMALLOC | __GFP_NORETRY); +- if (!dmb->cpu_addr) +- clear_bit(dmb->sba_idx, ism->sba_bitmap); ++ dmb->cpu_addr = ++ folio_address(folio_alloc(GFP_KERNEL | __GFP_NOWARN | ++ __GFP_NOMEMALLOC | __GFP_NORETRY, ++ get_order(dmb->dmb_len))); + +- return dmb->cpu_addr ? 
0 : -ENOMEM; ++ if (!dmb->cpu_addr) { ++ rc = -ENOMEM; ++ goto out_bit; ++ } ++ dmb->dma_addr = dma_map_page(&ism->pdev->dev, ++ virt_to_page(dmb->cpu_addr), 0, ++ dmb->dmb_len, DMA_FROM_DEVICE); ++ if (dma_mapping_error(&ism->pdev->dev, dmb->dma_addr)) { ++ rc = -ENOMEM; ++ goto out_free; ++ } ++ ++ return 0; ++ ++out_free: ++ kfree(dmb->cpu_addr); ++out_bit: ++ clear_bit(dmb->sba_idx, ism->sba_bitmap); ++ return rc; + } + + int ism_register_dmb(struct ism_dev *ism, struct ism_dmb *dmb, +-- +2.43.0 + diff --git a/queue-6.8/scsi-hisi_sas-modify-the-deadline-for-ata_wait_after.patch b/queue-6.8/scsi-hisi_sas-modify-the-deadline-for-ata_wait_after.patch new file mode 100644 index 00000000000..0801a2a102e --- /dev/null +++ b/queue-6.8/scsi-hisi_sas-modify-the-deadline-for-ata_wait_after.patch @@ -0,0 +1,43 @@ +From 2758295e301119a272247fa831ad4e38d3922177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 11:55:13 +0800 +Subject: scsi: hisi_sas: Modify the deadline for ata_wait_after_reset() + +From: Xiang Chen + +[ Upstream commit 0098c55e0881f0b32591f2110410d5c8b7f9bd5a ] + +We found that the second parameter of function ata_wait_after_reset() is +incorrectly used. We call smp_ata_check_ready_type() to poll the device +type until the 30s timeout, so the correct deadline should be (jiffies + +30000). + +Fixes: 3c2673a09cf1 ("scsi: hisi_sas: Fix SATA devices missing issue during I_T nexus reset") +Co-developed-by: xiabing +Signed-off-by: xiabing +Co-developed-by: Yihang Li +Signed-off-by: Yihang Li +Signed-off-by: Xiang Chen +Link: https://lore.kernel.org/r/20240402035513.2024241-3-chenxiang66@hisilicon.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 1abc62b07d24c..05c38e43f140a 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -1792,7 +1792,7 @@ static int hisi_sas_debug_I_T_nexus_reset(struct domain_device *device) + if (dev_is_sata(device)) { + struct ata_link *link = &device->sata_dev.ap->link; + +- rc = ata_wait_after_reset(link, HISI_SAS_WAIT_PHYUP_TIMEOUT, ++ rc = ata_wait_after_reset(link, jiffies + HISI_SAS_WAIT_PHYUP_TIMEOUT, + smp_ata_check_ready_type); + } else { + msleep(2000); +-- +2.43.0 + diff --git a/queue-6.8/scsi-qla2xxx-fix-off-by-one-in-qla_edif_app_getstats.patch b/queue-6.8/scsi-qla2xxx-fix-off-by-one-in-qla_edif_app_getstats.patch new file mode 100644 index 00000000000..e3769cbf2ac --- /dev/null +++ b/queue-6.8/scsi-qla2xxx-fix-off-by-one-in-qla_edif_app_getstats.patch @@ -0,0 +1,39 @@ +From 06e9651711d1eea04493d41f7810ae3b02f65ff0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 12:56:54 +0300 +Subject: scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() + +From: Dan Carpenter + +[ Upstream commit 4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd ] + +The app_reply->elem[] array is allocated earlier in this function and it +has app_req.num_ports elements. Thus this > comparison needs to be >= to +prevent memory corruption. + +Fixes: 7878f22a2e03 ("scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/5c125b2f-92dd-412b-9b6f-fc3a3207bd60@moroto.mountain +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_edif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c +index 26e6b3e3af431..dcde55c8ee5de 100644 +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -1100,7 +1100,7 @@ qla_edif_app_getstats(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + + list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { + if (fcport->edif.enable) { +- if (pcnt > app_req.num_ports) ++ if (pcnt >= app_req.num_ports) + break; + + app_reply->elem[pcnt].rekey_count = +-- +2.43.0 + diff --git a/queue-6.8/series b/queue-6.8/series index ca1cd0a515c..ef2c1b7a8cf 100644 --- a/queue-6.8/series +++ b/queue-6.8/series @@ -17,3 +17,90 @@ acpi-scan-do-not-increase-dep_unmet-for-already-met-dependencies.patch pm-s2idle-make-sure-cpus-will-wakeup-directly-on-resume.patch media-cec-core-remove-length-check-of-timer-status.patch btrfs-tests-allocate-dummy-fs_info-and-root-in-test_find_delalloc.patch +arm-omap2-fix-bogus-mmc-gpio-labels-on-nokia-n8x0.patch +arm-omap2-fix-n810-mmc-gpiod-table.patch +mmc-omap-fix-broken-slot-switch-lookup.patch +mmc-omap-fix-deferred-probe.patch +mmc-omap-restore-original-power-up-down-steps.patch +arm-omap2-fix-usb-regression-on-nokia-n8x0.patch +firmware-arm_ffa-fix-the-partition-id-check-in-ffa_n.patch +firmware-arm_scmi-make-raw-debugfs-entries-non-seeka.patch +cxl-mem-fix-for-the-index-of-clear-event-record-hand.patch +cxl-core-regs-fix-usage-of-map-reg_type-in-cxl_decod.patch +arm64-dts-freescale-imx8mp-venice-gw72xx-2x-fix-usb-.patch +arm64-dts-freescale-imx8mp-venice-gw73xx-2x-fix-usb-.patch +drm-msm-add-newlines-to-some-debug-prints.patch +drm-msm-dpu-don-t-allow-overriding-data-from-catalog.patch +drm-msm-dpu-make-error-messages-at-dpu_core_irq_regi.patch +dt-bindings-display-msm-sm8150-mdss-add-dp-node.patch +arm64-dts-imx8-ss-conn-fix-usdhc-wrong-lpcg-clock-or.patch 
+cxl-core-fix-initialization-of-mbox_cmd.size_out-in-.patch +revert-drm-qxl-simplify-qxl_fence_wait.patch +nouveau-fix-function-cast-warning.patch +drm-msm-adreno-set-highest_bank_bit-for-a619.patch +scsi-hisi_sas-modify-the-deadline-for-ata_wait_after.patch +scsi-qla2xxx-fix-off-by-one-in-qla_edif_app_getstats.patch +net-openvswitch-fix-unwanted-error-log-on-timeout-po.patch +u64_stats-fix-u64_stats_init-for-lockdep-when-used-r.patch +xsk-validate-user-input-for-xdp_-umem-completion-_fi.patch +octeontx2-pf-fix-transmit-scheduler-resource-leak.patch +block-fix-q-blkg_list-corruption-during-disk-rebind.patch +lib-checksum-hide-unused-expected_csum_ipv6_magic.patch +geneve-fix-header-validation-in-geneve-6-_xmit_skb.patch +s390-ism-fix-receive-message-buffer-allocation.patch +bnxt_en-fix-possible-memory-leak-in-bnxt_rdma_aux_de.patch +bnxt_en-fix-error-recovery-for-roce-ulp-client.patch +bnxt_en-reset-ptp-tx_avail-after-possible-firmware-r.patch +acpi-bus-allow-_uid-matching-for-integer-zero.patch +base-node-acpi-enumerate-node-access-class-for-struc.patch +acpi-hmat-introduce-2-levels-of-generic-port-access-.patch +acpi-hmat-cxl-add-retrieval-of-generic-port-coordina.patch +cxl-split-out-combine_coordinates-for-common-shared-.patch +cxl-split-out-host-bridge-access-coordinates.patch +cxl-remove-checking-of-iter-in-cxl_endpoint_get_perf.patch +cxl-fix-retrieving-of-access_coordinates-in-pcie-pat.patch +net-ks8851-inline-ks8851_rx_skb.patch +net-ks8851-handle-softirqs-at-the-end-of-irq-thread-.patch +af_unix-clear-stale-u-oob_skb.patch +octeontx2-af-fix-nix-sq-mode-and-bp-config.patch +ipv6-fib-hide-unused-pn-variable.patch +ipv4-route-avoid-unused-but-set-variable-warning.patch +ipv6-fix-race-condition-between-ipv6_get_ifaddr-and-.patch +pds_core-use-pci_reset_function-for-health-reset.patch +pds_core-fix-pdsc_check_pci_health-function-to-use-w.patch +bluetooth-iso-align-broadcast-sync_timeout-with-conn.patch 
+bluetooth-iso-don-t-reject-bt_iso_qos-if-parameters-.patch +bluetooth-hci_sync-use-qos-to-determine-which-phy-to.patch +bluetooth-hci_sync-fix-using-the-same-interval-and-w.patch +bluetooth-sco-fix-not-validating-setsockopt-user-inp.patch +bluetooth-rfcomm-fix-not-validating-setsockopt-user-.patch +bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch +bluetooth-iso-fix-not-validating-setsockopt-user-inp.patch +bluetooth-hci_sock-fix-not-validating-setsockopt-use.patch +bluetooth-l2cap-don-t-double-set-the-hci_conn_mgmt_c.patch +netfilter-complete-validation-of-user-input.patch +net-mlx5-sf-stop-waiting-for-fw-as-teardown-was-call.patch +net-mlx5-register-devlink-first-under-devlink-lock.patch +net-mlx5-offset-comp-irq-index-in-name-by-one.patch +net-mlx5-properly-link-new-fs-rules-into-the-tree.patch +net-mlx5-correctly-compare-pkt-reformat-ids.patch +net-mlx5e-rss-block-changing-channels-number-when-rx.patch +net-mlx5e-fix-mlx5e_priv_init-cleanup-flow.patch +net-mlx5e-htb-fix-inconsistencies-with-qos-sqs-numbe.patch +net-mlx5e-do-not-produce-metadata-freelist-entries-i.patch +net-sparx5-fix-wrong-config-being-used-when-reconfig.patch +revert-s390-ism-fix-receive-message-buffer-allocatio.patch +net-dsa-mt7530-trap-link-local-frames-regardless-of-.patch +af_unix-do-not-use-atomic-ops-for-unix_sk-sk-infligh.patch +af_unix-fix-garbage-collector-racing-against-connect.patch +net-ena-fix-potential-sign-extension-issue.patch +net-ena-wrong-missing-io-completions-check-order.patch +net-ena-fix-incorrect-descriptor-free-behavior.patch +net-ena-set-tx_info-xdpf-value-to-null.patch +drm-xe-display-fix-double-mutex-initialization.patch +drm-xe-hwmon-cast-result-to-output-precision-on-left.patch +tracing-fix-ftrace_record_recursion_size-kconfig-ent.patch +tracing-hide-unused-ftrace_event_id_fops.patch +iommu-vt-d-fix-wrong-use-of-pasid-config.patch +iommu-vt-d-allocate-local-memory-for-page-request-qu.patch +iommu-vt-d-fix-warn_on-in-iommu-probe-path.patch diff --git 
a/queue-6.8/tracing-fix-ftrace_record_recursion_size-kconfig-ent.patch b/queue-6.8/tracing-fix-ftrace_record_recursion_size-kconfig-ent.patch new file mode 100644 index 00000000000..91518457b3b --- /dev/null +++ b/queue-6.8/tracing-fix-ftrace_record_recursion_size-kconfig-ent.patch @@ -0,0 +1,42 @@ +From 79326350482222b75a68b9c0ce0d6a414babbe10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 17:48:01 +0530 +Subject: tracing: Fix FTRACE_RECORD_RECURSION_SIZE Kconfig entry + +From: Prasad Pandit + +[ Upstream commit d96c36004e31e2baaf8ea1b449b7d0b2c2bfb41a ] + +Fix FTRACE_RECORD_RECURSION_SIZE entry, replace tab with +a space character. It helps Kconfig parsers to read file +without error. + +Link: https://lore.kernel.org/linux-trace-kernel/20240322121801.1803948-1-ppandit@redhat.com + +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Fixes: 773c16705058 ("ftrace: Add recording of functions that caused recursion") +Signed-off-by: Prasad Pandit +Reviewed-by: Randy Dunlap +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig +index 61c541c36596d..47345bf1d4a9f 100644 +--- a/kernel/trace/Kconfig ++++ b/kernel/trace/Kconfig +@@ -965,7 +965,7 @@ config FTRACE_RECORD_RECURSION + + config FTRACE_RECORD_RECURSION_SIZE + int "Max number of recursed functions to record" +- default 128 ++ default 128 + depends on FTRACE_RECORD_RECURSION + help + This defines the limit of number of functions that can be +-- +2.43.0 + diff --git a/queue-6.8/tracing-hide-unused-ftrace_event_id_fops.patch b/queue-6.8/tracing-hide-unused-ftrace_event_id_fops.patch new file mode 100644 index 00000000000..ed19d129b4c --- /dev/null +++ b/queue-6.8/tracing-hide-unused-ftrace_event_id_fops.patch @@ -0,0 +1,76 @@ +From 31801148bea151f0691cf623372b6ca194681685 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:24 
+0200 +Subject: tracing: hide unused ftrace_event_id_fops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 5281ec83454d70d98b71f1836fb16512566c01cd ] + +When CONFIG_PERF_EVENTS, a 'make W=1' build produces a warning about the +unused ftrace_event_id_fops variable: + +kernel/trace/trace_events.c:2155:37: error: 'ftrace_event_id_fops' defined but not used [-Werror=unused-const-variable=] + 2155 | static const struct file_operations ftrace_event_id_fops = { + +Hide this in the same #ifdef as the reference to it. + +Link: https://lore.kernel.org/linux-trace-kernel/20240403080702.3509288-7-arnd@kernel.org + +Cc: Masami Hiramatsu +Cc: Oleg Nesterov +Cc: Mathieu Desnoyers +Cc: Zheng Yejian +Cc: Kees Cook +Cc: Ajay Kaher +Cc: Jinjie Ruan +Cc: Clément Léger +Cc: Dan Carpenter +Cc: "Tzvetomir Stoyanov (VMware)" +Fixes: 620a30e97feb ("tracing: Don't pass file_operations array to event_create_dir()") +Signed-off-by: Arnd Bergmann +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index 7c364b87352ee..52f75c36bbca4 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -1670,6 +1670,7 @@ static int trace_format_open(struct inode *inode, struct file *file) + return 0; + } + ++#ifdef CONFIG_PERF_EVENTS + static ssize_t + event_id_read(struct file *filp, char __user *ubuf, size_t cnt, loff_t *ppos) + { +@@ -1684,6 +1685,7 @@ event_id_read(struct file *filp, char __user *ubuf, size_t cnt, loff_t *ppos) + + return simple_read_from_buffer(ubuf, cnt, ppos, buf, len); + } ++#endif + + static ssize_t + event_filter_read(struct file *filp, char __user *ubuf, size_t cnt, +@@ -2152,10 +2154,12 @@ static const struct file_operations ftrace_event_format_fops = { + .release = seq_release, + }; + ++#ifdef 
CONFIG_PERF_EVENTS + static const struct file_operations ftrace_event_id_fops = { + .read = event_id_read, + .llseek = default_llseek, + }; ++#endif + + static const struct file_operations ftrace_event_filter_fops = { + .open = tracing_open_file_tr, +-- +2.43.0 + diff --git a/queue-6.8/u64_stats-fix-u64_stats_init-for-lockdep-when-used-r.patch b/queue-6.8/u64_stats-fix-u64_stats_init-for-lockdep-when-used-r.patch new file mode 100644 index 00000000000..fb7ce66147f --- /dev/null +++ b/queue-6.8/u64_stats-fix-u64_stats_init-for-lockdep-when-used-r.patch @@ -0,0 +1,56 @@ +From da88890068fabea278de001459fddc744a6b611f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 09:57:40 +0200 +Subject: u64_stats: fix u64_stats_init() for lockdep when used repeatedly in + one file + +From: Petr Tesarik + +[ Upstream commit 38a15d0a50e0a43778561a5861403851f0b0194c ] + +Fix bogus lockdep warnings if multiple u64_stats_sync variables are +initialized in the same file. + +With CONFIG_LOCKDEP, seqcount_init() is a macro which declares: + + static struct lock_class_key __key; + +Since u64_stats_init() is a function (albeit an inline one), all calls +within the same file end up using the same instance, effectively treating +them all as a single lock-class. 
+ +Fixes: 9464ca650008 ("net: make u64_stats_init() a function") +Closes: https://lore.kernel.org/netdev/ea1567d9-ce66-45e6-8168-ac40a47d1821@roeck-us.net/ +Signed-off-by: Petr Tesarik +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240404075740.30682-1-petr@tesarici.cz +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/u64_stats_sync.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/include/linux/u64_stats_sync.h b/include/linux/u64_stats_sync.h +index ffe48e69b3f3a..457879938fc19 100644 +--- a/include/linux/u64_stats_sync.h ++++ b/include/linux/u64_stats_sync.h +@@ -135,10 +135,11 @@ static inline void u64_stats_inc(u64_stats_t *p) + p->v++; + } + +-static inline void u64_stats_init(struct u64_stats_sync *syncp) +-{ +- seqcount_init(&syncp->seq); +-} ++#define u64_stats_init(syncp) \ ++ do { \ ++ struct u64_stats_sync *__s = (syncp); \ ++ seqcount_init(&__s->seq); \ ++ } while (0) + + static inline void __u64_stats_update_begin(struct u64_stats_sync *syncp) + { +-- +2.43.0 + diff --git a/queue-6.8/xsk-validate-user-input-for-xdp_-umem-completion-_fi.patch b/queue-6.8/xsk-validate-user-input-for-xdp_-umem-completion-_fi.patch new file mode 100644 index 00000000000..998cc706f38 --- /dev/null +++ b/queue-6.8/xsk-validate-user-input-for-xdp_-umem-completion-_fi.patch @@ -0,0 +1,176 @@ +From 5d19ca6a73914e9eb9dc303dd55b3fa40c859564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 20:27:38 +0000 +Subject: xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +[ Upstream commit 237f3cf13b20db183d3706d997eedc3c49eacd44 ] + +syzbot reported an illegal copy in xsk_setsockopt() [1] + +Make sure to validate setsockopt() @optlen parameter. 
+ +[1] + + BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] + BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] + BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 +Read of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549 + +CPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] + copy_from_sockptr include/linux/sockptr.h:55 [inline] + xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 + do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 + __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 + __do_sys_setsockopt net/socket.c:2343 [inline] + __se_sys_setsockopt net/socket.c:2340 [inline] + __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 + do_syscall_64+0xfb/0x240 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 +RIP: 0033:0x7fb40587de69 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69 +RDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006 +RBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000 +R10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08 + + +Allocated by task 7549: + kasan_save_stack mm/kasan/common.c:47 [inline] + 
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:370 [inline] + __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slub.c:3966 [inline] + __kmalloc+0x233/0x4a0 mm/slub.c:3979 + kmalloc include/linux/slab.h:632 [inline] + __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869 + do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 + __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 + __do_sys_setsockopt net/socket.c:2343 [inline] + __se_sys_setsockopt net/socket.c:2340 [inline] + __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 + do_syscall_64+0xfb/0x240 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +The buggy address belongs to the object at ffff888028c6cde0 + which belongs to the cache kmalloc-8 of size 8 +The buggy address is located 1 bytes to the right of + allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2) + +The buggy address belongs to the physical page: +page:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c +anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff) +page_type: 0xffffffff() +raw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001 +raw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223 + set_page_owner include/linux/page_owner.h:31 [inline] + post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 + prep_new_page mm/page_alloc.c:1540 [inline] + get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311 + __alloc_pages+0x256/0x680 mm/page_alloc.c:4569 + __alloc_pages_node include/linux/gfp.h:238 [inline] + alloc_pages_node include/linux/gfp.h:261 [inline] 
+ alloc_slab_page+0x5f/0x160 mm/slub.c:2175 + allocate_slab mm/slub.c:2338 [inline] + new_slab+0x84/0x2f0 mm/slub.c:2391 + ___slab_alloc+0xc73/0x1260 mm/slub.c:3525 + __slab_alloc mm/slub.c:3610 [inline] + __slab_alloc_node mm/slub.c:3663 [inline] + slab_alloc_node mm/slub.c:3835 [inline] + __do_kmalloc_node mm/slub.c:3965 [inline] + __kmalloc_node+0x2db/0x4e0 mm/slub.c:3973 + kmalloc_node include/linux/slab.h:648 [inline] + __vmalloc_area_node mm/vmalloc.c:3197 [inline] + __vmalloc_node_range+0x5f9/0x14a0 mm/vmalloc.c:3392 + __vmalloc_node mm/vmalloc.c:3457 [inline] + vzalloc+0x79/0x90 mm/vmalloc.c:3530 + bpf_check+0x260/0x19010 kernel/bpf/verifier.c:21162 + bpf_prog_load+0x1667/0x20f0 kernel/bpf/syscall.c:2895 + __sys_bpf+0x4ee/0x810 kernel/bpf/syscall.c:5631 + __do_sys_bpf kernel/bpf/syscall.c:5738 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5736 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736 + do_syscall_64+0xfb/0x240 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 +page last free pid 6650 tgid 6647 stack trace: + reset_page_owner include/linux/page_owner.h:24 [inline] + free_pages_prepare mm/page_alloc.c:1140 [inline] + free_unref_page_prepare+0x95d/0xa80 mm/page_alloc.c:2346 + free_unref_page_list+0x5a3/0x850 mm/page_alloc.c:2532 + release_pages+0x2117/0x2400 mm/swap.c:1042 + tlb_batch_pages_flush mm/mmu_gather.c:98 [inline] + tlb_flush_mmu_free mm/mmu_gather.c:293 [inline] + tlb_flush_mmu+0x34d/0x4e0 mm/mmu_gather.c:300 + tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:392 + exit_mmap+0x4b6/0xd40 mm/mmap.c:3300 + __mmput+0x115/0x3c0 kernel/fork.c:1345 + exit_mm+0x220/0x310 kernel/exit.c:569 + do_exit+0x99e/0x27e0 kernel/exit.c:865 + do_group_exit+0x207/0x2c0 kernel/exit.c:1027 + get_signal+0x176e/0x1850 kernel/signal.c:2907 + arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310 + exit_to_user_mode_loop kernel/entry/common.c:105 [inline] + exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] + __syscall_exit_to_user_mode_work 
kernel/entry/common.c:201 [inline] + syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212 + do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +Memory state around the buggy address: + ffff888028c6cc80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc + ffff888028c6cd00: fa fc fc fc fa fc fc fc 00 fc fc fc 06 fc fc fc +>ffff888028c6cd80: fa fc fc fc fa fc fc fc fa fc fc fc 02 fc fc fc + ^ + ffff888028c6ce00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc + ffff888028c6ce80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc + +Fixes: 423f38329d26 ("xsk: add umem fill queue support and mmap") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: "Björn Töpel" +Cc: Magnus Karlsson +Cc: Maciej Fijalkowski +Cc: Jonathan Lemon +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/r/20240404202738.3634547-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index b78c0e095e221..7d1c0986f9bb3 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -1414,6 +1414,8 @@ static int xsk_setsockopt(struct socket *sock, int level, int optname, + struct xsk_queue **q; + int entries; + ++ if (optlen < sizeof(entries)) ++ return -EINVAL; + if (copy_from_sockptr(&entries, optval, sizeof(entries))) + return -EFAULT; + +-- +2.43.0 +