From: Sasha Levin Date: Mon, 5 Jun 2023 11:26:29 +0000 (-0400) Subject: Fixes for 6.3 X-Git-Tag: v4.14.317~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3af52215a70709dd1af93c33f5669ad813e52f7c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.3 Signed-off-by: Sasha Levin --- diff --git a/queue-6.3/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch b/queue-6.3/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch new file mode 100644 index 00000000000..a93a76fe42c --- /dev/null +++ b/queue-6.3/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch @@ -0,0 +1,58 @@ +From 4845ee743c5cc2e429639d80eb9624687991ff16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 18:03:07 +0000 +Subject: ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rubén Gómez + +[ Upstream commit 71a485624c4cbb144169852d7bb8ca8c0667d7a3 ] + +Add an ACPI IRQ override quirk for LG UltraPC 17U70P to address the +internal keyboard problem on it. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=213031 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216983 +Signed-off-by: Rubén Gómez Agudo +[ rjw: Subject, changelog, white space damage fixes ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index e8492b3a393ab..0800a9d775580 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -516,6 +516,17 @@ static const struct dmi_system_id maingear_laptop[] = { + { } + }; + ++static const struct dmi_system_id lg_laptop[] = { ++ { ++ .ident = "LG Electronics 17U70P", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LG Electronics"), ++ DMI_MATCH(DMI_BOARD_NAME, "17U70P"), ++ }, ++ }, ++ { } ++}; ++ + struct irq_override_cmp { + const struct dmi_system_id *system; + unsigned char irq; +@@ -532,6 +543,7 @@ static const struct irq_override_cmp override_table[] = { + { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, + { tongfang_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, + { maingear_laptop, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, ++ { lg_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + }; + + static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, +-- +2.39.2 + diff --git a/queue-6.3/af_packet-do-not-use-read_once-in-packet_bind.patch b/queue-6.3/af_packet-do-not-use-read_once-in-packet_bind.patch new file mode 100644 index 00000000000..e7d478bb39b --- /dev/null +++ b/queue-6.3/af_packet-do-not-use-read_once-in-packet_bind.patch @@ -0,0 +1,64 @@ +From 929ac83dd8936cd7e378fe05a1bed6b41cc367ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 15:43:42 +0000 +Subject: af_packet: do not use READ_ONCE() in packet_bind() + +From: Eric Dumazet + +[ Upstream commit 6ffc57ea004234d9373c57b204fd10370a69f392 ] + +A recent patch added READ_ONCE() in packet_bind() and packet_bind_spkt() + +This is better handled by reading pkt_sk(sk)->num later +in packet_do_bind() while appropriate lock is held. + +READ_ONCE() in writers are often an evidence of something being wrong. + +Fixes: 822b5a1c17df ("af_packet: Fix data-races of pkt_sk(sk)->num.") +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Reviewed-by: Jiri Pirko +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230526154342.2533026-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index f3513316743ad..b79d2fa788061 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3193,6 +3193,9 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + + lock_sock(sk); + spin_lock(&po->bind_lock); ++ if (!proto) ++ proto = po->num; ++ + rcu_read_lock(); + + if (po->fanout) { +@@ -3291,7 +3294,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data_min)); + name[sizeof(uaddr->sa_data_min)] = 0; + +- return packet_do_bind(sk, name, 0, READ_ONCE(pkt_sk(sk)->num)); ++ return packet_do_bind(sk, name, 0, 0); + } + + static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) +@@ -3308,8 +3311,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len + if (sll->sll_family != AF_PACKET) + return -EINVAL; + +- return packet_do_bind(sk, NULL, sll->sll_ifindex, +- sll->sll_protocol ? : READ_ONCE(pkt_sk(sk)->num)); ++ return packet_do_bind(sk, NULL, sll->sll_ifindex, sll->sll_protocol); + } + + static struct proto packet_proto = { +-- +2.39.2 + diff --git a/queue-6.3/af_packet-fix-data-races-of-pkt_sk-sk-num.patch b/queue-6.3/af_packet-fix-data-races-of-pkt_sk-sk-num.patch new file mode 100644 index 00000000000..9f6b72e6287 --- /dev/null +++ b/queue-6.3/af_packet-fix-data-races-of-pkt_sk-sk-num.patch @@ -0,0 +1,98 @@ +From cdfd5b49851494fc1f1cd30dea95ef1bd9a07753 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 16:29:34 -0700 +Subject: af_packet: Fix data-races of pkt_sk(sk)->num. + +From: Kuniyuki Iwashima + +[ Upstream commit 822b5a1c17df7e338b9f05d1cfe5764e37c7f74f ] + +syzkaller found a data race of pkt_sk(sk)->num. + +The value is changed under lock_sock() and po->bind_lock, so we +need READ_ONCE() to access pkt_sk(sk)->num without these locks in +packet_bind_spkt(), packet_bind(), and sk_diag_fill(). + +Note that WRITE_ONCE() is already added by commit c7d2ef5dd4b0 +("net/packet: annotate accesses to po->bind"). + +BUG: KCSAN: data-race in packet_bind / packet_do_bind + +write (marked) to 0xffff88802ffd1cee of 2 bytes by task 7322 on cpu 0: + packet_do_bind+0x446/0x640 net/packet/af_packet.c:3236 + packet_bind+0x99/0xe0 net/packet/af_packet.c:3321 + __sys_bind+0x19b/0x1e0 net/socket.c:1803 + __do_sys_bind net/socket.c:1814 [inline] + __se_sys_bind net/socket.c:1812 [inline] + __x64_sys_bind+0x40/0x50 net/socket.c:1812 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffff88802ffd1cee of 2 bytes by task 7318 on cpu 1: + packet_bind+0xbf/0xe0 net/packet/af_packet.c:3322 + __sys_bind+0x19b/0x1e0 net/socket.c:1803 + __do_sys_bind net/socket.c:1814 [inline] + __se_sys_bind net/socket.c:1812 [inline] + __x64_sys_bind+0x40/0x50 net/socket.c:1812 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x0300 -> 0x0000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 7318 Comm: syz-executor.4 Not tainted 6.3.0-13380-g7fddb5b5300c #4 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 96ec6327144e ("packet: Diag core and basic socket info dumping") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230524232934.50950-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 4 ++-- + net/packet/diag.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index db9c2fa71c50c..f3513316743ad 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3291,7 +3291,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data_min)); + name[sizeof(uaddr->sa_data_min)] = 0; + +- return packet_do_bind(sk, name, 0, pkt_sk(sk)->num); ++ return packet_do_bind(sk, name, 0, READ_ONCE(pkt_sk(sk)->num)); + } + + static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) +@@ -3309,7 +3309,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len + return -EINVAL; + + return packet_do_bind(sk, NULL, sll->sll_ifindex, +- sll->sll_protocol ? : pkt_sk(sk)->num); ++ sll->sll_protocol ? : READ_ONCE(pkt_sk(sk)->num)); + } + + static struct proto packet_proto = { +diff --git a/net/packet/diag.c b/net/packet/diag.c +index d704c7bf51b20..a68a84574c739 100644 +--- a/net/packet/diag.c ++++ b/net/packet/diag.c +@@ -143,7 +143,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, + rp = nlmsg_data(nlh); + rp->pdiag_family = AF_PACKET; + rp->pdiag_type = sk->sk_type; +- rp->pdiag_num = ntohs(po->num); ++ rp->pdiag_num = ntohs(READ_ONCE(po->num)); + rp->pdiag_ino = sk_ino; + sock_diag_save_cookie(sk, rp->pdiag_cookie); + +-- +2.39.2 + diff --git a/queue-6.3/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch b/queue-6.3/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch new file mode 100644 index 00000000000..53df52b9a04 --- /dev/null +++ b/queue-6.3/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch @@ -0,0 +1,145 @@ +From 35fbf6a1cd639d0fd1c0319ad5b16efada766649 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 09:30:59 +0800 +Subject: ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs. + +From: jasontao + +[ Upstream commit c51e431052e2eacfb23fbf6b39bc6c8770d9827a ] + +Add a set of HD Audio PCI IDS, and the HDMI codec vendor IDs for +Glenfly Gpus. + +- In default_bdl_pos_adj, set bdl to 128 as Glenfly Gpus have hardware +limitation, need to increase hdac interrupt interval. +- In azx_first_init, enable polling mode for Glenfly Gpu. When the codec +complete the command, it sends interrupt and writes response entries to +memory, howerver, the write requests sometimes are not actually +synchronized to memory when driver handle hdac interrupt on Glenfly Gpus. +If the RIRB status is not updated in the interrupt handler, +azx_rirb_get_response keeps trying to recevie a response from rirb until +1s timeout. Enabling polling mode for Glenfly Gpu can fix the issue. +- In patch_gf_hdmi, set Glenlfy Gpu Codec's no_sticky_stream as it need +driver to do actual clean-ups for the linked codec when switch from one +codec to another. + +Signed-off-by: jasontao +Signed-off-by: Reaper Li +Link: https://lore.kernel.org/r/20230426013059.4329-1-reaperlioc@glenfly.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 21 +++++++++++++++++++++ + sound/pci/hda/patch_hdmi.c | 22 ++++++++++++++++++++++ + 2 files changed, 43 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 881b2f3a1551f..3226691ac923c 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -227,6 +227,7 @@ enum { + AZX_DRIVER_ATI, + AZX_DRIVER_ATIHDMI, + AZX_DRIVER_ATIHDMI_NS, ++ AZX_DRIVER_GFHDMI, + AZX_DRIVER_VIA, + AZX_DRIVER_SIS, + AZX_DRIVER_ULI, +@@ -349,6 +350,7 @@ static const char * const driver_short_names[] = { + [AZX_DRIVER_ATI] = "HDA ATI SB", + [AZX_DRIVER_ATIHDMI] = "HDA ATI HDMI", + [AZX_DRIVER_ATIHDMI_NS] = "HDA ATI HDMI", ++ [AZX_DRIVER_GFHDMI] = "HDA GF HDMI", + [AZX_DRIVER_VIA] = "HDA VIA VT82xx", + [AZX_DRIVER_SIS] = "HDA SIS966", + [AZX_DRIVER_ULI] = "HDA ULI M5461", +@@ -1743,6 +1745,12 @@ static int default_bdl_pos_adj(struct azx *chip) + } + + switch (chip->driver_type) { ++ /* ++ * increase the bdl size for Glenfly Gpus for hardware ++ * limitation on hdac interrupt interval ++ */ ++ case AZX_DRIVER_GFHDMI: ++ return 128; + case AZX_DRIVER_ICH: + case AZX_DRIVER_PCH: + return 1; +@@ -1858,6 +1866,12 @@ static int azx_first_init(struct azx *chip) + pci_write_config_dword(pci, PCI_BASE_ADDRESS_1, 0); + } + #endif ++ /* ++ * Fix response write request not synced to memory when handle ++ * hdac interrupt on Glenfly Gpus ++ */ ++ if (chip->driver_type == AZX_DRIVER_GFHDMI) ++ bus->polling_mode = 1; + + err = pcim_iomap_regions(pci, 1 << 0, "ICH HD audio"); + if (err < 0) +@@ -1959,6 +1973,7 @@ static int azx_first_init(struct azx *chip) + chip->playback_streams = ATIHDMI_NUM_PLAYBACK; + chip->capture_streams = ATIHDMI_NUM_CAPTURE; + break; ++ case AZX_DRIVER_GFHDMI: + case AZX_DRIVER_GENERIC: + default: + chip->playback_streams = ICH6_NUM_PLAYBACK; +@@ -2727,6 +2742,12 @@ static const struct pci_device_id azx_ids[] = { + { PCI_DEVICE(0x1002, 0xab38), + .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS | + AZX_DCAPS_PM_RUNTIME }, ++ /* GLENFLY */ ++ { PCI_DEVICE(0x6766, PCI_ANY_ID), ++ .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8, ++ .class_mask = 0xffffff, ++ .driver_data = AZX_DRIVER_GFHDMI | AZX_DCAPS_POSFIX_LPIB | ++ AZX_DCAPS_NO_MSI | AZX_DCAPS_NO_64BIT }, + /* VIA VT8251/VT8237A */ + { PCI_DEVICE(0x1106, 0x3288), .driver_data = AZX_DRIVER_VIA }, + /* VIA GFX VT7122/VX900 */ +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index be2c6cff77011..7b5e09070ab9b 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -4489,6 +4489,22 @@ static int patch_via_hdmi(struct hda_codec *codec) + return patch_simple_hdmi(codec, VIAHDMI_CVT_NID, VIAHDMI_PIN_NID); + } + ++static int patch_gf_hdmi(struct hda_codec *codec) ++{ ++ int err; ++ ++ err = patch_generic_hdmi(codec); ++ if (err) ++ return err; ++ ++ /* ++ * Glenfly GPUs have two codecs, stream switches from one codec to ++ * another, need to do actual clean-ups in codec_cleanup_stream ++ */ ++ codec->no_sticky_stream = 1; ++ return 0; ++} ++ + /* + * patch entries + */ +@@ -4584,6 +4600,12 @@ HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), + HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), ++HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d83, "Arise 83 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d84, "Arise 84 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d85, "Arise 85 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d86, "Arise 86 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d87, "Arise 87 HDMI/DP", patch_gf_hdmi), + HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP", patch_via_hdmi), + HDA_CODEC_ENTRY(0x11069f81, "VX900 HDMI/DP", patch_via_hdmi), + HDA_CODEC_ENTRY(0x11069f84, "VX11 HDMI/DP", patch_generic_hdmi), +-- +2.39.2 + diff --git a/queue-6.3/alsa-hda-realtek-add-quirks-for-asus-gu604v-and-gu60.patch b/queue-6.3/alsa-hda-realtek-add-quirks-for-asus-gu604v-and-gu60.patch new file mode 100644 index 00000000000..a7a6700ae85 --- /dev/null +++ b/queue-6.3/alsa-hda-realtek-add-quirks-for-asus-gu604v-and-gu60.patch @@ -0,0 +1,78 @@ +From 3d9b590fdc7748fb9d7a84fdd0d7f5ab095c5b35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 19:15:10 +0300 +Subject: ALSA: hda/realtek: Add quirks for ASUS GU604V and GU603V + +From: Alexandru Sorodoc + +[ Upstream commit 4b963ae1df6426f0e51de64133d379d9bde50c48 ] + +These models use 2 CS35L41 amplifiers using SPI for down-facing +speakers. + +alc285_fixup_speaker2_to_dac1 is needed to fix volume control of the +down-facing speakers. + +Pin configs are needed to enable headset mic detection. + +Note that these models lack the ACPI _DSD properties needed to +initialize the amplifiers. They can be added during boot to get working +sound out of the speakers: + https://gist.github.com/lamperez/862763881c0e1c812392b5574727f6ff + +Signed-off-by: Alexandru Sorodoc +Link: https://lore.kernel.org/r/20230511161510.315170-1-ealex95@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 379f216158ab4..7b5f194513c7b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7063,6 +7063,8 @@ enum { + ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC295_FIXUP_DISABLE_DAC3, + ALC285_FIXUP_SPEAKER2_TO_DAC1, ++ ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1, ++ ALC285_FIXUP_ASUS_HEADSET_MIC, + ALC280_FIXUP_HP_HEADSET_MIC, + ALC221_FIXUP_HP_FRONT_MIC, + ALC292_FIXUP_TPT460, +@@ -8033,6 +8035,22 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC269_FIXUP_THINKPAD_ACPI + }, ++ [ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_speaker2_to_dac1, ++ .chained = true, ++ .chain_id = ALC245_FIXUP_CS35L41_SPI_2 ++ }, ++ [ALC285_FIXUP_ASUS_HEADSET_MIC] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x19, 0x03a11050 }, ++ { 0x1b, 0x03a11c30 }, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC285_FIXUP_ASUS_SPEAKER2_TO_DAC1 ++ }, + [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -9507,6 +9525,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK), ++ SND_PCI_QUIRK(0x1043, 0x1473, "ASUS GU604V", ALC285_FIXUP_ASUS_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1043, 0x1483, "ASUS GU603V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x1662, "ASUS GV301QH", ALC294_FIXUP_ASUS_DUAL_SPK), + SND_PCI_QUIRK(0x1043, 0x1683, "ASUS UM3402YAR", ALC287_FIXUP_CS35L41_I2C_2), +-- +2.39.2 + diff --git a/queue-6.3/alsa-oss-avoid-missing-prototype-warnings.patch b/queue-6.3/alsa-oss-avoid-missing-prototype-warnings.patch new file mode 100644 index 00000000000..bc4d1880445 --- /dev/null +++ b/queue-6.3/alsa-oss-avoid-missing-prototype-warnings.patch @@ -0,0 +1,64 @@ +From 2b3554e0ada3f71e8aa938c7bfcf79d2b53e7c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:50:42 +0200 +Subject: ALSA: oss: avoid missing-prototype warnings + +From: Arnd Bergmann + +[ Upstream commit 040b5a046a9e18098580d3ccd029e2318fca7859 ] + +Two functions are defined and used in pcm_oss.c but also optionally +used from io.c, with an optional prototype. If CONFIG_SND_PCM_OSS_PLUGINS +is disabled, this causes a warning as the functions are not static +and have no prototype: + +sound/core/oss/pcm_oss.c:1235:19: error: no previous prototype for 'snd_pcm_oss_write3' [-Werror=missing-prototypes] +sound/core/oss/pcm_oss.c:1266:19: error: no previous prototype for 'snd_pcm_oss_read3' [-Werror=missing-prototypes] + +Avoid this by making the prototypes unconditional. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230516195046.550584-2-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/oss/pcm_plugin.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/sound/core/oss/pcm_plugin.h b/sound/core/oss/pcm_plugin.h +index 46e273bd4a786..50a6b50f5db4c 100644 +--- a/sound/core/oss/pcm_plugin.h ++++ b/sound/core/oss/pcm_plugin.h +@@ -141,6 +141,14 @@ int snd_pcm_area_copy(const struct snd_pcm_channel_area *src_channel, + + void *snd_pcm_plug_buf_alloc(struct snd_pcm_substream *plug, snd_pcm_uframes_t size); + void snd_pcm_plug_buf_unlock(struct snd_pcm_substream *plug, void *ptr); ++#else ++ ++static inline snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t drv_size) { return drv_size; } ++static inline snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t clt_size) { return clt_size; } ++static inline int snd_pcm_plug_slave_format(int format, const struct snd_mask *format_mask) { return format; } ++ ++#endif ++ + snd_pcm_sframes_t snd_pcm_oss_write3(struct snd_pcm_substream *substream, + const char *ptr, snd_pcm_uframes_t size, + int in_kernel); +@@ -151,14 +159,6 @@ snd_pcm_sframes_t snd_pcm_oss_writev3(struct snd_pcm_substream *substream, + snd_pcm_sframes_t snd_pcm_oss_readv3(struct snd_pcm_substream *substream, + void **bufs, snd_pcm_uframes_t frames); + +-#else +- +-static inline snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t drv_size) { return drv_size; } +-static inline snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t clt_size) { return clt_size; } +-static inline int snd_pcm_plug_slave_format(int format, const struct snd_mask *format_mask) { return format; } +- +-#endif +- + #ifdef PLUGIN_DEBUG + #define pdprintf(fmt, args...) printk(KERN_DEBUG "plugin: " fmt, ##args) + #else +-- +2.39.2 + diff --git a/queue-6.3/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch b/queue-6.3/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch new file mode 100644 index 00000000000..3faa5cf341a --- /dev/null +++ b/queue-6.3/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch @@ -0,0 +1,71 @@ +From 1542a5ed91acc7befee1d0ac5ce122c18215f4f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 23:56:12 +0530 +Subject: amd-xgbe: fix the false linkup in xgbe_phy_status + +From: Raju Rangoju + +[ Upstream commit dc362e20cd6ab7a93d1b09669730c406f0910c35 ] + +In the event of a change in XGBE mode, the current auto-negotiation +needs to be reset and the AN cycle needs to be re-triggerred. However, +the current code ignores the return value of xgbe_set_mode(), leading to +false information as the link is declared without checking the status +register. + +Fix this by propagating the mode switch status information to +xgbe_phy_status(). + +Fixes: e57f7a3feaef ("amd-xgbe: Prepare for working with more than one type of phy") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Reviewed-by: Simon Horman +Acked-by: Shyam Sundar S K +Signed-off-by: Raju Rangoju +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 33a9574e9e043..32d2c6fac6526 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -1329,7 +1329,7 @@ static enum xgbe_mode xgbe_phy_status_aneg(struct xgbe_prv_data *pdata) + return pdata->phy_if.phy_impl.an_outcome(pdata); + } + +-static void xgbe_phy_status_result(struct xgbe_prv_data *pdata) ++static bool xgbe_phy_status_result(struct xgbe_prv_data *pdata) + { + struct ethtool_link_ksettings *lks = &pdata->phy.lks; + enum xgbe_mode mode; +@@ -1367,8 +1367,13 @@ static void xgbe_phy_status_result(struct xgbe_prv_data *pdata) + + pdata->phy.duplex = DUPLEX_FULL; + +- if (xgbe_set_mode(pdata, mode) && pdata->an_again) ++ if (!xgbe_set_mode(pdata, mode)) ++ return false; ++ ++ if (pdata->an_again) + xgbe_phy_reconfig_aneg(pdata); ++ ++ return true; + } + + static void xgbe_phy_status(struct xgbe_prv_data *pdata) +@@ -1398,7 +1403,8 @@ static void xgbe_phy_status(struct xgbe_prv_data *pdata) + return; + } + +- xgbe_phy_status_result(pdata); ++ if (xgbe_phy_status_result(pdata)) ++ return; + + if (test_bit(XGBE_LINK_INIT, &pdata->dev_state)) + clear_bit(XGBE_LINK_INIT, &pdata->dev_state); +-- +2.39.2 + diff --git a/queue-6.3/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch b/queue-6.3/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch new file mode 100644 index 00000000000..64ee19b6459 --- /dev/null +++ b/queue-6.3/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch @@ -0,0 +1,93 @@ +From 69e2730254a61adc6de1eeda61c29d26f3aa4001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 10:17:07 +0100 +Subject: ARM: 9295/1: unwind:fix unwind abort for uleb128 case + +From: Haibo Li + +[ Upstream commit fa3eeb638de0c1a9d2d860e5b48259facdd65176 ] + +When unwind instruction is 0xb2,the subsequent instructions +are uleb128 bytes. +For now,it uses only the first uleb128 byte in code. + +For vsp increments of 0x204~0x400,use one uleb128 byte like below: +0xc06a00e4 : 0x80b27fac + Compact model index: 0 + 0xb2 0x7f vsp = vsp + 1024 + 0xac pop {r4, r5, r6, r7, r8, r14} + +For vsp increments larger than 0x400,use two uleb128 bytes like below: +0xc06a00e4 : @0xc0cc9e0c + Compact model index: 1 + 0xb2 0x81 0x01 vsp = vsp + 1032 + 0xac pop {r4, r5, r6, r7, r8, r14} +The unwind works well since the decoded uleb128 byte is also 0x81. + +For vsp increments larger than 0x600,use two uleb128 bytes like below: +0xc06a00e4 : @0xc0cc9e0c + Compact model index: 1 + 0xb2 0x81 0x02 vsp = vsp + 1544 + 0xac pop {r4, r5, r6, r7, r8, r14} +In this case,the decoded uleb128 result is 0x101(vsp=0x204+(0x101<<2)). +While the uleb128 used in code is 0x81(vsp=0x204+(0x81<<2)). +The unwind aborts at this frame since it gets incorrect vsp. + +To fix this,add uleb128 decode to cover all the above case. + +Signed-off-by: Haibo Li +Reviewed-by: Linus Walleij +Reviewed-by: Alexandre Mergnat +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/unwind.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c +index 53be7ea6181b3..9d2192156087b 100644 +--- a/arch/arm/kernel/unwind.c ++++ b/arch/arm/kernel/unwind.c +@@ -308,6 +308,29 @@ static int unwind_exec_pop_subset_r0_to_r3(struct unwind_ctrl_block *ctrl, + return URC_OK; + } + ++static unsigned long unwind_decode_uleb128(struct unwind_ctrl_block *ctrl) ++{ ++ unsigned long bytes = 0; ++ unsigned long insn; ++ unsigned long result = 0; ++ ++ /* ++ * unwind_get_byte() will advance `ctrl` one instruction at a time, so ++ * loop until we get an instruction byte where bit 7 is not set. ++ * ++ * Note: This decodes a maximum of 4 bytes to output 28 bits data where ++ * max is 0xfffffff: that will cover a vsp increment of 1073742336, hence ++ * it is sufficient for unwinding the stack. ++ */ ++ do { ++ insn = unwind_get_byte(ctrl); ++ result |= (insn & 0x7f) << (bytes * 7); ++ bytes++; ++ } while (!!(insn & 0x80) && (bytes != sizeof(result))); ++ ++ return result; ++} ++ + /* + * Execute the current unwind instruction. + */ +@@ -361,7 +384,7 @@ static int unwind_exec_insn(struct unwind_ctrl_block *ctrl) + if (ret) + goto error; + } else if (insn == 0xb2) { +- unsigned long uleb128 = unwind_get_byte(ctrl); ++ unsigned long uleb128 = unwind_decode_uleb128(ctrl); + + ctrl->vrs[SP] += 0x204 + (uleb128 << 2); + } else { +-- +2.39.2 + diff --git a/queue-6.3/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch b/queue-6.3/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch new file mode 100644 index 00000000000..484742eb18d --- /dev/null +++ b/queue-6.3/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch @@ -0,0 +1,115 @@ +From bd7becaf92a5d3cf5abe88782baf56fe8a616b80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 22:45:38 +0200 +Subject: ARM: dts: stm32: add pin map for CAN controller on stm32f7 + +From: Dario Binacchi + +[ Upstream commit 011644249686f2675e142519cd59e81e04cfc231 ] + +Add pin configurations for using CAN controller on stm32f7. + +Signed-off-by: Dario Binacchi +Link: https://lore.kernel.org/all/20230427204540.3126234-4-dario.binacchi@amarulasolutions.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32f7-pinctrl.dtsi | 82 ++++++++++++++++++++++++++ + 1 file changed, 82 insertions(+) + +diff --git a/arch/arm/boot/dts/stm32f7-pinctrl.dtsi b/arch/arm/boot/dts/stm32f7-pinctrl.dtsi +index c8e6c52fb248e..9f65403295ca0 100644 +--- a/arch/arm/boot/dts/stm32f7-pinctrl.dtsi ++++ b/arch/arm/boot/dts/stm32f7-pinctrl.dtsi +@@ -283,6 +283,88 @@ + slew-rate = <2>; + }; + }; ++ ++ can1_pins_a: can1-0 { ++ pins1 { ++ pinmux = ; /* CAN1_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN1_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can1_pins_b: can1-1 { ++ pins1 { ++ pinmux = ; /* CAN1_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN1_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can1_pins_c: can1-2 { ++ pins1 { ++ pinmux = ; /* CAN1_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN1_RX */ ++ bias-pull-up; ++ ++ }; ++ }; ++ ++ can1_pins_d: can1-3 { ++ pins1 { ++ pinmux = ; /* CAN1_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN1_RX */ ++ bias-pull-up; ++ ++ }; ++ }; ++ ++ can2_pins_a: can2-0 { ++ pins1 { ++ pinmux = ; /* CAN2_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN2_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can2_pins_b: can2-1 { ++ pins1 { ++ pinmux = ; /* CAN2_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN2_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can3_pins_a: can3-0 { ++ pins1 { ++ pinmux = ; /* CAN3_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN3_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can3_pins_b: can3-1 { ++ pins1 { ++ pinmux = ; /* CAN3_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN3_RX */ ++ bias-pull-up; ++ }; ++ }; + }; + }; + }; +-- +2.39.2 + diff --git a/queue-6.3/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch b/queue-6.3/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch new file mode 100644 index 00000000000..66b9334b6ba --- /dev/null +++ b/queue-6.3/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch @@ -0,0 +1,54 @@ +From 6a742380937189cf35ad5d3f4a685406d255a9c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 May 2023 23:19:06 +0800 +Subject: arm64/mm: mark private VM_FAULT_X defines as vm_fault_t + +From: Min-Hua Chen + +[ Upstream commit d91d580878064b880f3574ac35b98d8b70ee8620 ] + +This patch fixes several sparse warnings for fault.c: + +arch/arm64/mm/fault.c:493:24: sparse: warning: incorrect type in return expression (different base types) +arch/arm64/mm/fault.c:493:24: sparse: expected restricted vm_fault_t +arch/arm64/mm/fault.c:493:24: sparse: got int +arch/arm64/mm/fault.c:501:32: sparse: warning: incorrect type in return expression (different base types) +arch/arm64/mm/fault.c:501:32: sparse: expected restricted vm_fault_t +arch/arm64/mm/fault.c:501:32: sparse: got int +arch/arm64/mm/fault.c:503:32: sparse: warning: incorrect type in return expression (different base types) +arch/arm64/mm/fault.c:503:32: sparse: expected restricted vm_fault_t +arch/arm64/mm/fault.c:503:32: sparse: got int +arch/arm64/mm/fault.c:511:24: sparse: warning: incorrect type in return expression (different base types) +arch/arm64/mm/fault.c:511:24: sparse: expected restricted vm_fault_t +arch/arm64/mm/fault.c:511:24: sparse: got int +arch/arm64/mm/fault.c:670:13: sparse: warning: restricted vm_fault_t degrades to integer +arch/arm64/mm/fault.c:670:13: sparse: warning: restricted vm_fault_t degrades to integer +arch/arm64/mm/fault.c:713:39: sparse: warning: restricted vm_fault_t degrades to integer + +Reported-by: kernel test robot +Signed-off-by: Min-Hua Chen +Link: https://lore.kernel.org/r/20230502151909.128810-1-minhuadotchen@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/fault.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index f4cb0f85ccf49..d1136259b7b85 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -480,8 +480,8 @@ static void do_bad_area(unsigned long far, unsigned long esr, + } + } + +-#define VM_FAULT_BADMAP 0x010000 +-#define VM_FAULT_BADACCESS 0x020000 ++#define VM_FAULT_BADMAP ((__force vm_fault_t)0x010000) ++#define VM_FAULT_BADACCESS ((__force vm_fault_t)0x020000) + + static vm_fault_t __do_page_fault(struct mm_struct *mm, unsigned long addr, + unsigned int mm_flags, unsigned long vm_flags, +-- +2.39.2 + diff --git a/queue-6.3/arm64-vdso-pass-void-to-virt_to_page.patch b/queue-6.3/arm64-vdso-pass-void-to-virt_to_page.patch new file mode 100644 index 00000000000..06cc7b2f586 --- /dev/null +++ b/queue-6.3/arm64-vdso-pass-void-to-virt_to_page.patch @@ -0,0 +1,42 @@ +From d6a412031eaaa4bedb39d9dc11e05e485d53ab26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 08:48:11 +0200 +Subject: arm64: vdso: Pass (void *) to virt_to_page() + +From: Linus Walleij + +[ Upstream commit b0abde80620f42d1ceb3de5e4c1a49cdd5628229 ] + +Like the other calls in this function virt_to_page() expects +a pointer, not an integer. + +However since many architectures implement virt_to_pfn() as +a macro, this function becomes polymorphic and accepts both a +(unsigned long) and a (void *). + +Fix this up with an explicit cast. + +Signed-off-by: Linus Walleij +Link: http://lists.infradead.org/pipermail/linux-arm-kernel/2023-May/832583.html +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/vdso.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c +index 0119dc91abb5d..d9e1355730ef5 100644 +--- a/arch/arm64/kernel/vdso.c ++++ b/arch/arm64/kernel/vdso.c +@@ -288,7 +288,7 @@ static int aarch32_alloc_kuser_vdso_page(void) + + memcpy((void *)(vdso_page + 0x1000 - kuser_sz), __kuser_helper_start, + kuser_sz); +- aarch32_vectors_page = virt_to_page(vdso_page); ++ aarch32_vectors_page = virt_to_page((void *)vdso_page); + return 0; + } + +-- +2.39.2 + diff --git a/queue-6.3/asoc-amd-yc-add-dmi-entry-to-support-system76-pangol.patch b/queue-6.3/asoc-amd-yc-add-dmi-entry-to-support-system76-pangol.patch new file mode 100644 index 00000000000..f3a5f8a3b4d --- /dev/null +++ b/queue-6.3/asoc-amd-yc-add-dmi-entry-to-support-system76-pangol.patch @@ -0,0 +1,41 @@ +From 0d9369e7456299051e60d3fa1d7755800dfba1b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 10:14:58 -0600 +Subject: ASoC: amd: yc: Add DMI entry to support System76 Pangolin 12 + +From: Jeremy Soller + +[ Upstream commit 7b9891ad25246b18b5ccc19518da7abc7763aa0a ] + +Add pang12 quirk to enable the internal microphone. + +Signed-off-by: Jeremy Soller +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index b9958e5553674..84b401b685f7f 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -297,6 +297,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "8A22"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "System76"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "pang12"), ++ } ++ }, + {} + }; + +-- +2.39.2 + diff --git a/queue-6.3/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch b/queue-6.3/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch new file mode 100644 index 00000000000..a7093fc9db6 --- /dev/null +++ b/queue-6.3/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch @@ -0,0 +1,101 @@ +From bedfb6500304faed702f05dd4cb0d873521eb110 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 17:34:12 +0200 +Subject: ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Povišer + +[ Upstream commit efb2bfd7b3d210c479b9361c176d7426e5eb8663 ] + +A bunch of TI's codecs have binding schemas which force #sound-dai-cells +to one despite those codecs only having a single DAI. Allow for bindings +with zero DAI cells and deprecate the former non-zero value. + +Signed-off-by: Martin Povišer +--- + Documentation/devicetree/bindings/sound/tas2562.yaml | 6 ++++-- + Documentation/devicetree/bindings/sound/tas2770.yaml | 6 ++++-- + Documentation/devicetree/bindings/sound/tas27xx.yaml | 6 ++++-- + 3 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/Documentation/devicetree/bindings/sound/tas2562.yaml b/Documentation/devicetree/bindings/sound/tas2562.yaml +index 1085592cefccc..81218c07079a8 100644 +--- a/Documentation/devicetree/bindings/sound/tas2562.yaml ++++ b/Documentation/devicetree/bindings/sound/tas2562.yaml +@@ -55,7 +55,9 @@ properties: + description: TDM TX current sense time slot. + + '#sound-dai-cells': +- const: 1 ++ # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward ++ # compatibility but is deprecated. ++ enum: [0, 1] + + required: + - compatible +@@ -72,7 +74,7 @@ examples: + codec: codec@4c { + compatible = "ti,tas2562"; + reg = <0x4c>; +- #sound-dai-cells = <1>; ++ #sound-dai-cells = <0>; + interrupt-parent = <&gpio1>; + interrupts = <14>; + shutdown-gpios = <&gpio1 15 0>; +diff --git a/Documentation/devicetree/bindings/sound/tas2770.yaml b/Documentation/devicetree/bindings/sound/tas2770.yaml +index 982949ba8a4be..cdb493db47f9b 100644 +--- a/Documentation/devicetree/bindings/sound/tas2770.yaml ++++ b/Documentation/devicetree/bindings/sound/tas2770.yaml +@@ -57,7 +57,9 @@ properties: + - 1 # Falling edge + + '#sound-dai-cells': +- const: 1 ++ # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward ++ # compatibility but is deprecated. ++ enum: [0, 1] + + required: + - compatible +@@ -74,7 +76,7 @@ examples: + codec: codec@41 { + compatible = "ti,tas2770"; + reg = <0x41>; +- #sound-dai-cells = <1>; ++ #sound-dai-cells = <0>; + interrupt-parent = <&gpio1>; + interrupts = <14>; + reset-gpio = <&gpio1 15 0>; +diff --git a/Documentation/devicetree/bindings/sound/tas27xx.yaml b/Documentation/devicetree/bindings/sound/tas27xx.yaml +index 0957dd435bb4b..2ef05aacc167a 100644 +--- a/Documentation/devicetree/bindings/sound/tas27xx.yaml ++++ b/Documentation/devicetree/bindings/sound/tas27xx.yaml +@@ -50,7 +50,9 @@ properties: + description: TDM TX voltage sense time slot. + + '#sound-dai-cells': +- const: 1 ++ # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward ++ # compatibility but is deprecated. ++ enum: [0, 1] + + required: + - compatible +@@ -67,7 +69,7 @@ examples: + codec: codec@38 { + compatible = "ti,tas2764"; + reg = <0x38>; +- #sound-dai-cells = <1>; ++ #sound-dai-cells = <0>; + interrupt-parent = <&gpio1>; + interrupts = <14>; + reset-gpios = <&gpio1 15 0>; +-- +2.39.2 + diff --git a/queue-6.3/asoc-dwc-limit-the-number-of-overrun-messages.patch b/queue-6.3/asoc-dwc-limit-the-number-of-overrun-messages.patch new file mode 100644 index 00000000000..02e1560afa8 --- /dev/null +++ b/queue-6.3/asoc-dwc-limit-the-number-of-overrun-messages.patch @@ -0,0 +1,44 @@ +From a700a2b9c85c47e4d6a824e46a51fa14c48640b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 09:28:20 +0300 +Subject: ASoC: dwc: limit the number of overrun messages + +From: Maxim Kochetkov + +[ Upstream commit ab6ecfbf40fccf74b6ec2ba7ed6dd2fc024c3af2 ] + +On slow CPU (FPGA/QEMU emulated) printing overrun messages from +interrupt handler to uart console may leads to more overrun errors. +So use dev_err_ratelimited to limit the number of error messages. + +Signed-off-by: Maxim Kochetkov +--- + sound/soc/dwc/dwc-i2s.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/dwc/dwc-i2s.c b/sound/soc/dwc/dwc-i2s.c +index 7f7dd07c63b2f..3496301582b22 100644 +--- a/sound/soc/dwc/dwc-i2s.c ++++ b/sound/soc/dwc/dwc-i2s.c +@@ -132,13 +132,13 @@ static irqreturn_t i2s_irq_handler(int irq, void *dev_id) + + /* Error Handling: TX */ + if (isr[i] & ISR_TXFO) { +- dev_err(dev->dev, "TX overrun (ch_id=%d)\n", i); ++ dev_err_ratelimited(dev->dev, "TX overrun (ch_id=%d)\n", i); + irq_valid = true; + } + + /* Error Handling: TX */ + if (isr[i] & ISR_RXFO) { +- dev_err(dev->dev, "RX overrun (ch_id=%d)\n", i); ++ dev_err_ratelimited(dev->dev, "RX overrun (ch_id=%d)\n", i); + irq_valid = true; + } + } +-- +2.39.2 + diff --git a/queue-6.3/asoc-intel-soc-acpi-cht-add-quirk-for-nextbook-ares-.patch b/queue-6.3/asoc-intel-soc-acpi-cht-add-quirk-for-nextbook-ares-.patch new file mode 100644 index 00000000000..d2f67232532 --- /dev/null +++ b/queue-6.3/asoc-intel-soc-acpi-cht-add-quirk-for-nextbook-ares-.patch @@ -0,0 +1,72 @@ +From d28c5b4cc75bb24c228ce729255fe7450fac04df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 12:47:21 +0200 +Subject: ASoC: Intel: soc-acpi-cht: Add quirk for Nextbook Ares 8A tablet + +From: Hans de Goede + +[ Upstream commit ec6f82b4c63cc68f8dc03316e725106d242706be ] + +The Nextbook Ares 8A tablet which has Android as factory OS, has a buggy +DSDT with both ESSX8316 and 10EC5651 ACPI devices. + +This tablet actually uses an rt5651 codec, but the matching code ends up +picking the ESSX8316 device, add a quirk to ignote the ESSX8316 device +on this tablet. + +Signed-off-by: Hans de Goede +Acked-by: Pierre-Louis Bossart +Message-Id: <20230429104721.7176-1-hdegoede@redhat.com> +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + .../intel/common/soc-acpi-intel-cht-match.c | 26 +++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/sound/soc/intel/common/soc-acpi-intel-cht-match.c b/sound/soc/intel/common/soc-acpi-intel-cht-match.c +index 6beb00858c33f..cdcbf04b8832f 100644 +--- a/sound/soc/intel/common/soc-acpi-intel-cht-match.c ++++ b/sound/soc/intel/common/soc-acpi-intel-cht-match.c +@@ -50,6 +50,31 @@ static struct snd_soc_acpi_mach *cht_quirk(void *arg) + return mach; + } + ++/* ++ * Some tablets with Android factory OS have buggy DSDTs with an ESSX8316 device ++ * in the ACPI tables. While they are not using an ESS8316 codec. These DSDTs ++ * also have an ACPI device for the correct codec, ignore the ESSX8316. ++ */ ++static const struct dmi_system_id cht_ess8316_not_present_table[] = { ++ { ++ /* Nextbook Ares 8A */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"), ++ DMI_MATCH(DMI_BIOS_VERSION, "M882"), ++ }, ++ }, ++ { } ++}; ++ ++static struct snd_soc_acpi_mach *cht_ess8316_quirk(void *arg) ++{ ++ if (dmi_check_system(cht_ess8316_not_present_table)) ++ return NULL; ++ ++ return arg; ++} ++ + static const struct snd_soc_acpi_codecs rt5640_comp_ids = { + .num_codecs = 2, + .codecs = { "10EC5640", "10EC3276" }, +@@ -113,6 +138,7 @@ struct snd_soc_acpi_mach snd_soc_acpi_intel_cherrytrail_machines[] = { + .drv_name = "bytcht_es8316", + .fw_filename = "intel/fw_sst_22a8.bin", + .board = "bytcht_es8316", ++ .machine_quirk = cht_ess8316_quirk, + .sof_tplg_filename = "sof-cht-es8316.tplg", + }, + /* some CHT-T platforms rely on RT5640, use Baytrail machine driver */ +-- +2.39.2 + diff --git a/queue-6.3/asoc-jz4740-i2s-make-i2s-divider-calculations-more-r.patch b/queue-6.3/asoc-jz4740-i2s-make-i2s-divider-calculations-more-r.patch new file mode 100644 index 00000000000..3f999763ada --- /dev/null +++ b/queue-6.3/asoc-jz4740-i2s-make-i2s-divider-calculations-more-r.patch @@ -0,0 +1,126 @@ +From 30fab3e01c2ce1263beb2644d9c8dc26c2d959b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 13:51:34 +0100 +Subject: ASoC: jz4740-i2s: Make I2S divider calculations more robust + +From: Aidan MacDonald + +[ Upstream commit ad721bc919edfd8b4b06977458a412011e2f0c50 ] + +When the CPU supplies bit/frame clocks, the system clock (clk_i2s) +is divided to produce the bit clock. This is a simple 1/N divider +with a fairly limited range, so for a given system clock frequency +only a few sample rates can be produced. Usually a wider range of +sample rates is supported by varying the system clock frequency. + +The old calculation method was not very robust and could easily +produce the wrong clock rate, especially with non-standard rates. +For example, if the system clock is 1.99x the target bit clock +rate, the divider would be calculated as 1 instead of the more +accurate 2. + +Instead, use a more accurate method that considers two adjacent +divider settings and selects the one that produces the least error +versus the requested rate. If the error is 5% or higher then the +rate setting is rejected to prevent garbled audio. + +Skip divider calculation when the codec is supplying both the bit +and frame clock; in that case, the divider outputs are unused and +we don't want to constrain the sample rate. + +Signed-off-by: Aidan MacDonald +--- + sound/soc/jz4740/jz4740-i2s.c | 54 ++++++++++++++++++++++++++++++++--- + 1 file changed, 50 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/jz4740/jz4740-i2s.c b/sound/soc/jz4740/jz4740-i2s.c +index 6d9cfe0a50411..d0f6c945d9aee 100644 +--- a/sound/soc/jz4740/jz4740-i2s.c ++++ b/sound/soc/jz4740/jz4740-i2s.c +@@ -218,18 +218,48 @@ static int jz4740_i2s_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + return 0; + } + ++static int jz4740_i2s_get_i2sdiv(unsigned long mclk, unsigned long rate, ++ unsigned long i2sdiv_max) ++{ ++ unsigned long div, rate1, rate2, err1, err2; ++ ++ div = mclk / (64 * rate); ++ if (div == 0) ++ div = 1; ++ ++ rate1 = mclk / (64 * div); ++ rate2 = mclk / (64 * (div + 1)); ++ ++ err1 = abs(rate1 - rate); ++ err2 = abs(rate2 - rate); ++ ++ /* ++ * Choose the divider that produces the smallest error in the ++ * output rate and reject dividers with a 5% or higher error. ++ * In the event that both dividers are outside the acceptable ++ * error margin, reject the rate to prevent distorted audio. ++ * (The number 5% is arbitrary.) ++ */ ++ if (div <= i2sdiv_max && err1 <= err2 && err1 < rate/20) ++ return div; ++ if (div < i2sdiv_max && err2 < rate/20) ++ return div + 1; ++ ++ return -EINVAL; ++} ++ + static int jz4740_i2s_hw_params(struct snd_pcm_substream *substream, + struct snd_pcm_hw_params *params, struct snd_soc_dai *dai) + { + struct jz4740_i2s *i2s = snd_soc_dai_get_drvdata(dai); + struct regmap_field *div_field; ++ unsigned long i2sdiv_max; + unsigned int sample_size; +- uint32_t ctrl; +- int div; ++ uint32_t ctrl, conf; ++ int div = 1; + + regmap_read(i2s->regmap, JZ_REG_AIC_CTRL, &ctrl); +- +- div = clk_get_rate(i2s->clk_i2s) / (64 * params_rate(params)); ++ regmap_read(i2s->regmap, JZ_REG_AIC_CONF, &conf); + + switch (params_format(params)) { + case SNDRV_PCM_FORMAT_S8: +@@ -258,11 +288,27 @@ static int jz4740_i2s_hw_params(struct snd_pcm_substream *substream, + ctrl &= ~JZ_AIC_CTRL_MONO_TO_STEREO; + + div_field = i2s->field_i2sdiv_playback; ++ i2sdiv_max = GENMASK(i2s->soc_info->field_i2sdiv_playback.msb, ++ i2s->soc_info->field_i2sdiv_playback.lsb); + } else { + ctrl &= ~JZ_AIC_CTRL_INPUT_SAMPLE_SIZE; + ctrl |= FIELD_PREP(JZ_AIC_CTRL_INPUT_SAMPLE_SIZE, sample_size); + + div_field = i2s->field_i2sdiv_capture; ++ i2sdiv_max = GENMASK(i2s->soc_info->field_i2sdiv_capture.msb, ++ i2s->soc_info->field_i2sdiv_capture.lsb); ++ } ++ ++ /* ++ * Only calculate I2SDIV if we're supplying the bit or frame clock. ++ * If the codec is supplying both clocks then the divider output is ++ * unused, and we don't want it to limit the allowed sample rates. ++ */ ++ if (conf & (JZ_AIC_CONF_BIT_CLK_MASTER | JZ_AIC_CONF_SYNC_CLK_MASTER)) { ++ div = jz4740_i2s_get_i2sdiv(clk_get_rate(i2s->clk_i2s), ++ params_rate(params), i2sdiv_max); ++ if (div < 0) ++ return div; + } + + regmap_write(i2s->regmap, JZ_REG_AIC_CTRL, ctrl); +-- +2.39.2 + diff --git a/queue-6.3/asoc-sof-amd-fix-null-pointer-crash-in-acp_sof_ipc_m.patch b/queue-6.3/asoc-sof-amd-fix-null-pointer-crash-in-acp_sof_ipc_m.patch new file mode 100644 index 00000000000..2053286acb6 --- /dev/null +++ b/queue-6.3/asoc-sof-amd-fix-null-pointer-crash-in-acp_sof_ipc_m.patch @@ -0,0 +1,41 @@ +From 5cf6763c4d2a22a0e6e07fd919c84578c5687870 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 12:35:08 +0530 +Subject: ASoC: SOF: amd: Fix NULL pointer crash in acp_sof_ipc_msg_data + function + +From: V sujith kumar Reddy + +[ Upstream commit 051d71e073614a72ad423d6dacba37a7eeff274d ] + +Check substream and runtime variables before assigning. + +Signed-off-by: V sujith kumar Reddy +--- + sound/soc/sof/amd/acp-ipc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/sof/amd/acp-ipc.c b/sound/soc/sof/amd/acp-ipc.c +index 4e0c48a361599..749e856dc6011 100644 +--- a/sound/soc/sof/amd/acp-ipc.c ++++ b/sound/soc/sof/amd/acp-ipc.c +@@ -209,7 +209,12 @@ int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_sof_pcm_stream *sp + acp_mailbox_read(sdev, offset, p, sz); + } else { + struct snd_pcm_substream *substream = sps->substream; +- struct acp_dsp_stream *stream = substream->runtime->private_data; ++ struct acp_dsp_stream *stream; ++ ++ if (!substream || !substream->runtime) ++ return -ESTRPIPE; ++ ++ stream = substream->runtime->private_data; + + if (!stream) + return -ESTRPIPE; +-- +2.39.2 + diff --git a/queue-6.3/asoc-sof-debug-conditionally-bump-runtime_pm-counter.patch b/queue-6.3/asoc-sof-debug-conditionally-bump-runtime_pm-counter.patch new file mode 100644 index 00000000000..e46e3c09860 --- /dev/null +++ b/queue-6.3/asoc-sof-debug-conditionally-bump-runtime_pm-counter.patch @@ -0,0 +1,53 @@ +From 8ff41e45e72c8ce2ad6f29efdfa1bfcbf483f099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 13:33:13 +0300 +Subject: ASoC: SOF: debug: conditionally bump runtime_pm counter on exceptions + +From: Pierre-Louis Bossart + +[ Upstream commit 3de975862f985f1c9e225a0d13aa3d501373f7c3 ] + +When a firmware IPC error happens during a pm_runtime suspend, we +ignore the error and suspend anyways. However, the code +unconditionally increases the runtime_pm counter. This results in a +confusing configuration where the code will suspend, resume but never +suspend again due to the use of pm_runtime_get_noresume(). + +The intent of the counter increase was to prevent entry in D3, but if +that transition to D3 is already started it cannot be stopped. In +addition, there's no point in that case in trying to prevent anything, +the firmware error is handled and the next resume will re-initialize +the firmware completely. + +This patch changes the logic to prevent suspend when the device is +pm_runtime active and has a use_count > 0. + +Signed-off-by: Pierre-Louis Bossart +--- + sound/soc/sof/debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/sof/debug.c b/sound/soc/sof/debug.c +index ade0507328af4..5042312b1b98d 100644 +--- a/sound/soc/sof/debug.c ++++ b/sound/soc/sof/debug.c +@@ -437,8 +437,8 @@ void snd_sof_handle_fw_exception(struct snd_sof_dev *sdev, const char *msg) + /* should we prevent DSP entering D3 ? */ + if (!sdev->ipc_dump_printed) + dev_info(sdev->dev, +- "preventing DSP entering D3 state to preserve context\n"); +- pm_runtime_get_noresume(sdev->dev); ++ "Attempting to prevent DSP from entering D3 state to preserve context\n"); ++ pm_runtime_get_if_in_use(sdev->dev); + } + + /* dump vital information to the logs */ +-- +2.39.2 + diff --git a/queue-6.3/asoc-sof-pcm-fix-pm_runtime-imbalance-in-error-handl.patch b/queue-6.3/asoc-sof-pcm-fix-pm_runtime-imbalance-in-error-handl.patch new file mode 100644 index 00000000000..3c99ff641a1 --- /dev/null +++ b/queue-6.3/asoc-sof-pcm-fix-pm_runtime-imbalance-in-error-handl.patch @@ -0,0 +1,53 @@ +From 303c0c546bec5fe7e05e125b085a31692d75c55f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 13:33:14 +0300 +Subject: ASoC: SOF: pcm: fix pm_runtime imbalance in error handling + +From: Pierre-Louis Bossart + +[ Upstream commit da0fe8fd515a471d373acc3682bfb5522cca4d55 ] + +When an error occurs, we need to make sure the device can pm_runtime +suspend instead of keeping it active. + +Signed-off-by: Pierre-Louis Bossart +--- + sound/soc/sof/pcm.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/sof/pcm.c b/sound/soc/sof/pcm.c +index 445acb5c3a21b..2570f33db9f3e 100644 +--- a/sound/soc/sof/pcm.c ++++ b/sound/soc/sof/pcm.c +@@ -616,16 +616,17 @@ static int sof_pcm_probe(struct snd_soc_component *component) + "%s/%s", + plat_data->tplg_filename_prefix, + plat_data->tplg_filename); +- if (!tplg_filename) +- return -ENOMEM; ++ if (!tplg_filename) { ++ ret = -ENOMEM; ++ goto pm_error; ++ } + + ret = snd_sof_load_topology(component, tplg_filename); +- if (ret < 0) { ++ if (ret < 0) + dev_err(component->dev, "error: failed to load DSP topology %d\n", + ret); +- return ret; +- } + ++pm_error: + pm_runtime_mark_last_busy(component->dev); + pm_runtime_put_autosuspend(component->dev); + +-- +2.39.2 + diff --git a/queue-6.3/asoc-sof-pm-save-io-region-state-in-case-of-errors-i.patch b/queue-6.3/asoc-sof-pm-save-io-region-state-in-case-of-errors-i.patch new file mode 100644 index 00000000000..ed1c8981ebb --- /dev/null +++ b/queue-6.3/asoc-sof-pm-save-io-region-state-in-case-of-errors-i.patch @@ -0,0 +1,74 @@ +From 543d40ecfef2cb3af4c3d8ac76d4e6535bee9df9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 13:46:38 +0300 +Subject: ASoC: SOF: pm: save io region state in case of errors in resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Vehmanen + +[ Upstream commit 171b53be635ac15d4feafeb33946035649b1ca14 ] + +If there are failures in DSP runtime resume, the device state will not +reach active and this makes it impossible e.g. to retrieve a possible +DSP panic dump via "exception" debugfs node. If +CONFIG_SND_SOC_SOF_DEBUG_ENABLE_DEBUGFS_CACHE=y is set, the data in +cache is stale. If debugfs cache is not used, the region simply cannot +be read. + +To allow debugging these scenarios, update the debugfs cache contents in +resume error handler. User-space can then later retrieve DSP panic and +other state via debugfs (requires SOF debugfs cache to be enabled in +build). + +Reported-by: Curtis Malainey +--- + sound/soc/sof/pm.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/sof/pm.c b/sound/soc/sof/pm.c +index 85412aeb1ca16..40f392efd8246 100644 +--- a/sound/soc/sof/pm.c ++++ b/sound/soc/sof/pm.c +@@ -159,7 +159,7 @@ static int sof_resume(struct device *dev, bool runtime_resume) + ret = tplg_ops->set_up_all_pipelines(sdev, false); + if (ret < 0) { + dev_err(sdev->dev, "Failed to restore pipeline after resume %d\n", ret); +- return ret; ++ goto setup_fail; + } + } + +@@ -173,6 +173,18 @@ static int sof_resume(struct device *dev, bool runtime_resume) + dev_err(sdev->dev, "ctx_restore IPC error during resume: %d\n", ret); + } + ++setup_fail: ++#if IS_ENABLED(CONFIG_SND_SOC_SOF_DEBUG_ENABLE_DEBUGFS_CACHE) ++ if (ret < 0) { ++ /* ++ * Debugfs cannot be read in runtime suspend, so cache ++ * the contents upon failure. This allows to capture ++ * possible DSP coredump information. ++ */ ++ sof_cache_debugfs(sdev); ++ } ++#endif ++ + return ret; + } + +-- +2.39.2 + diff --git a/queue-6.3/asoc-sof-sof-client-probes-fix-pm_runtime-imbalance-.patch b/queue-6.3/asoc-sof-sof-client-probes-fix-pm_runtime-imbalance-.patch new file mode 100644 index 00000000000..8918f5f5d74 --- /dev/null +++ b/queue-6.3/asoc-sof-sof-client-probes-fix-pm_runtime-imbalance-.patch @@ -0,0 +1,59 @@ +From 2a01d183ad3754e2fd388f4aada69312e33f7899 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 13:33:15 +0300 +Subject: ASoC: SOF: sof-client-probes: fix pm_runtime imbalance in error + handling + +From: Pierre-Louis Bossart + +[ Upstream commit bc424273c74c1565c459c8f2a6ed95caee368d0a ] + +When an error occurs, we need to make sure the device can pm_runtime +suspend instead of keeping it active. + +Signed-off-by: Pierre-Louis Bossart +--- + sound/soc/sof/sof-client-probes.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/sof/sof-client-probes.c b/sound/soc/sof/sof-client-probes.c +index fff126808bc04..8d9e9d5f40e45 100644 +--- a/sound/soc/sof/sof-client-probes.c ++++ b/sound/soc/sof/sof-client-probes.c +@@ -218,12 +218,7 @@ static ssize_t sof_probes_dfs_points_read(struct file *file, char __user *to, + + ret = ipc->points_info(cdev, &desc, &num_desc); + if (ret < 0) +- goto exit; +- +- pm_runtime_mark_last_busy(dev); +- err = pm_runtime_put_autosuspend(dev); +- if (err < 0) +- dev_err_ratelimited(dev, "debugfs read failed to idle %d\n", err); ++ goto pm_error; + + for (i = 0; i < num_desc; i++) { + offset = strlen(buf); +@@ -241,6 +236,13 @@ static ssize_t sof_probes_dfs_points_read(struct file *file, char __user *to, + ret = simple_read_from_buffer(to, count, ppos, buf, strlen(buf)); + + kfree(desc); ++ ++pm_error: ++ pm_runtime_mark_last_busy(dev); ++ err = pm_runtime_put_autosuspend(dev); ++ if (err < 0) ++ dev_err_ratelimited(dev, "debugfs read failed to idle %d\n", err); ++ + exit: + kfree(buf); + return ret; +-- +2.39.2 + diff --git a/queue-6.3/asoc-ssm2602-add-workaround-for-playback-distortions.patch b/queue-6.3/asoc-ssm2602-add-workaround-for-playback-distortions.patch new file mode 100644 index 00000000000..49f33855064 --- /dev/null +++ b/queue-6.3/asoc-ssm2602-add-workaround-for-playback-distortions.patch @@ -0,0 +1,140 @@ +From 7556162aafa4aa9458317cd54a7765881fa36a8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 13:30:37 +0200 +Subject: ASoC: ssm2602: Add workaround for playback distortions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paweł Anikiel + +[ Upstream commit f63550e2b165208a2f382afcaf5551df9569e1d4 ] + +Apply a workaround for what appears to be a hardware quirk. + +The problem seems to happen when enabling "whole chip power" (bit D7 +register R6) for the very first time after the chip receives power. If +either "output" (D4) or "DAC" (D3) aren't powered on at that time, +playback becomes very distorted later on. + +This happens on the Google Chameleon v3, as well as on a ZYBO Z7-10: +https://ez.analog.com/audio/f/q-a/543726/solved-ssm2603-right-output-offset-issue/480229 +I suspect this happens only when using an external MCLK signal (which +is the case for both of these boards). + +Here are some experiments run on a Google Chameleon v3. These were run +in userspace using a wrapper around the i2cset utility: +ssmset() { + i2cset -y 0 0x1a $(($1*2)) $2 +} + +For each of the following sequences, we apply power to the ssm2603 +chip, set the configuration registers R0-R5 and R7-R8, run the selected +sequence, and check for distortions on playback. + + ssmset 0x09 0x01 # core + ssmset 0x06 0x07 # chip, out, dac + OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x87 # out, dac + ssmset 0x06 0x07 # chip + OK + + (disable MCLK) + ssmset 0x09 0x01 # core + ssmset 0x06 0x1f # chip + ssmset 0x06 0x07 # out, dac + (enable MCLK) + OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x1f # chip + ssmset 0x06 0x07 # out, dac + NOT OK + + ssmset 0x06 0x1f # chip + ssmset 0x09 0x01 # core + ssmset 0x06 0x07 # out, dac + NOT OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x0f # chip, out + ssmset 0x06 0x07 # dac + NOT OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x17 # chip, dac + ssmset 0x06 0x07 # out + NOT OK + +For each of the following sequences, we apply power to the ssm2603 +chip, run the selected sequence, issue a reset with R15, configure +R0-R5 and R7-R8, run one of the NOT OK sequences from above, and check +for distortions. + + ssmset 0x09 0x01 # core + ssmset 0x06 0x07 # chip, out, dac + OK + + (disable MCLK) + ssmset 0x09 0x01 # core + ssmset 0x06 0x07 # chip, out, dac + (enable MCLK after reset) + NOT OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x17 # chip, dac + NOT OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x0f # chip, out + NOT OK + + ssmset 0x06 0x07 # chip, out, dac + NOT OK + +Signed-off-by: Paweł Anikiel +--- + sound/soc/codecs/ssm2602.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c +index cbbe83b85adaf..cf7927222be15 100644 +--- a/sound/soc/codecs/ssm2602.c ++++ b/sound/soc/codecs/ssm2602.c +@@ -53,6 +53,18 @@ static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = { + { .reg = 0x09, .def = 0x0000 } + }; + ++/* ++ * ssm2602 register patch ++ * Workaround for playback distortions after power up: activates digital ++ * core, and then powers on output, DAC, and whole chip at the same time ++ */ ++ ++static const struct reg_sequence ssm2602_patch[] = { ++ { SSM2602_ACTIVE, 0x01 }, ++ { SSM2602_PWR, 0x07 }, ++ { SSM2602_RESET, 0x00 }, ++}; ++ + + /*Appending several "None"s just for OSS mixer use*/ + static const char *ssm2602_input_select[] = { +@@ -589,6 +601,9 @@ static int ssm260x_component_probe(struct snd_soc_component *component) + return ret; + } + ++ regmap_register_patch(ssm2602->regmap, ssm2602_patch, ++ ARRAY_SIZE(ssm2602_patch)); ++ + /* set the update bits */ + regmap_update_bits(ssm2602->regmap, SSM2602_LINVOL, + LINVOL_LRIN_BOTH, LINVOL_LRIN_BOTH); +-- +2.39.2 + diff --git a/queue-6.3/atm-hide-unused-procfs-functions.patch b/queue-6.3/atm-hide-unused-procfs-functions.patch new file mode 100644 index 00000000000..e81b2d310a3 --- /dev/null +++ b/queue-6.3/atm-hide-unused-procfs-functions.patch @@ -0,0 +1,47 @@ +From a47b57429131b3d6b05ec921de33fa042fccdf42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:45:34 +0200 +Subject: atm: hide unused procfs functions + +From: Arnd Bergmann + +[ Upstream commit fb1b7be9b16c1f4626969ba4e95a97da2a452b41 ] + +When CONFIG_PROC_FS is disabled, the function declarations for some +procfs functions are hidden, but the definitions are still build, +as shown by this compiler warning: + +net/atm/resources.c:403:7: error: no previous prototype for 'atm_dev_seq_start' [-Werror=missing-prototypes] +net/atm/resources.c:409:6: error: no previous prototype for 'atm_dev_seq_stop' [-Werror=missing-prototypes] +net/atm/resources.c:414:7: error: no previous prototype for 'atm_dev_seq_next' [-Werror=missing-prototypes] + +Add another #ifdef to leave these out of the build. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230516194625.549249-2-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index 2b2d33eeaf200..995d29e7fb138 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -400,6 +400,7 @@ int atm_dev_ioctl(unsigned int cmd, void __user *buf, int __user *sioc_len, + return error; + } + ++#ifdef CONFIG_PROC_FS + void *atm_dev_seq_start(struct seq_file *seq, loff_t *pos) + { + mutex_lock(&atm_dev_mutex); +@@ -415,3 +416,4 @@ void *atm_dev_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { + return seq_list_next(v, &atm_devs, pos); + } ++#endif +-- +2.39.2 + diff --git a/queue-6.3/block-deny-writable-memory-mapping-if-block-is-read-.patch b/queue-6.3/block-deny-writable-memory-mapping-if-block-is-read-.patch new file mode 100644 index 00000000000..82217b2c702 --- /dev/null +++ b/queue-6.3/block-deny-writable-memory-mapping-if-block-is-read-.patch @@ -0,0 +1,68 @@ +From 80f6863b3bbb73937ab4b54aa12e94dc1e8d9be6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 09:42:23 +0200 +Subject: block: Deny writable memory mapping if block is read-only + +From: Loic Poulain + +[ Upstream commit 69baa3a623fd2e58624f24f2f23d46f87b817c93 ] + +User should not be able to write block device if it is read-only at +block level (e.g force_ro attribute). This is ensured in the regular +fops write operation (blkdev_write_iter) but not when writing via +user mapping (mmap), allowing user to actually write a read-only +block device via a PROT_WRITE mapping. + +Example: This can lead to integrity issue of eMMC boot partition +(e.g mmcblk0boot0) which is read-only by default. + +To fix this issue, simply deny shared writable mapping if the block +is readonly. + +Note: Block remains writable if switch to read-only is performed +after the initial mapping, but this is expected behavior according +to commit a32e236eb93e ("Partially revert "block: fail op_is_write() +requests to read-only partitions"")'. + +Signed-off-by: Loic Poulain +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230510074223.991297-1-loic.poulain@linaro.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/fops.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/block/fops.c b/block/fops.c +index d2e6be4e3d1c7..58d0aebc7313a 100644 +--- a/block/fops.c ++++ b/block/fops.c +@@ -678,6 +678,16 @@ static long blkdev_fallocate(struct file *file, int mode, loff_t start, + return error; + } + ++static int blkdev_mmap(struct file *file, struct vm_area_struct *vma) ++{ ++ struct inode *bd_inode = bdev_file_inode(file); ++ ++ if (bdev_read_only(I_BDEV(bd_inode))) ++ return generic_file_readonly_mmap(file, vma); ++ ++ return generic_file_mmap(file, vma); ++} ++ + const struct file_operations def_blk_fops = { + .open = blkdev_open, + .release = blkdev_close, +@@ -685,7 +695,7 @@ const struct file_operations def_blk_fops = { + .read_iter = blkdev_read_iter, + .write_iter = blkdev_write_iter, + .iopoll = iocb_bio_iopoll, +- .mmap = generic_file_mmap, ++ .mmap = blkdev_mmap, + .fsync = blkdev_fsync, + .unlocked_ioctl = blkdev_ioctl, + #ifdef CONFIG_COMPAT +-- +2.39.2 + diff --git a/queue-6.3/block-rnbd-replace-req_op_flush-with-req_op_write.patch b/queue-6.3/block-rnbd-replace-req_op_flush-with-req_op_write.patch new file mode 100644 index 00000000000..5e7f07dea8d --- /dev/null +++ b/queue-6.3/block-rnbd-replace-req_op_flush-with-req_op_write.patch @@ -0,0 +1,72 @@ +From b4b4b59441c432247ad384f7a74113235572b1e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 11:46:31 +0800 +Subject: block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE + +From: Guoqing Jiang + +[ Upstream commit 5e6e08087a4acb4ee3574cea32dbff0f63c7f608 ] + +Since flush bios are implemented as writes with no data and +the preflush flag per Christoph's comment [1]. + +And we need to change it in rnbd accordingly. Otherwise, I +got splatting when create fs from rnbd client. + +[ 464.028545] ------------[ cut here ]------------ +[ 464.028553] WARNING: CPU: 0 PID: 65 at block/blk-core.c:751 submit_bio_noacct+0x32c/0x5d0 +[ ... ] +[ 464.028668] CPU: 0 PID: 65 Comm: kworker/0:1H Tainted: G OE 6.4.0-rc1 #9 +[ 464.028671] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 +[ 464.028673] Workqueue: ib-comp-wq ib_cq_poll_work [ib_core] +[ 464.028717] RIP: 0010:submit_bio_noacct+0x32c/0x5d0 +[ 464.028720] Code: 03 0f 85 51 fe ff ff 48 8b 43 18 8b 88 04 03 00 00 85 c9 0f 85 3f fe ff ff e9 be fd ff ff 0f b6 d0 3c 0d 74 26 83 fa 01 74 21 <0f> 0b b8 0a 00 00 00 e9 56 fd ff ff 4c 89 e7 e8 70 a1 03 00 84 c0 +[ 464.028722] RSP: 0018:ffffaf3680b57c68 EFLAGS: 00010202 +[ 464.028724] RAX: 0000000000060802 RBX: ffffa09dcc18bf00 RCX: 0000000000000000 +[ 464.028726] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffffa09dde081d00 +[ 464.028727] RBP: ffffaf3680b57c98 R08: ffffa09dde081d00 R09: ffffa09e38327200 +[ 464.028729] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa09dde081d00 +[ 464.028730] R13: ffffa09dcb06e1e8 R14: 0000000000000000 R15: 0000000000200000 +[ 464.028733] FS: 0000000000000000(0000) GS:ffffa09e3bc00000(0000) knlGS:0000000000000000 +[ 464.028735] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 464.028736] CR2: 000055a4e8206c40 CR3: 0000000119f06000 CR4: 00000000003506f0 +[ 464.028738] Call Trace: +[ 464.028740] +[ 464.028746] submit_bio+0x1b/0x80 +[ 464.028748] rnbd_srv_rdma_ev+0x50d/0x10c0 [rnbd_server] +[ 464.028754] ? percpu_ref_get_many.constprop.0+0x55/0x140 [rtrs_server] +[ 464.028760] ? __this_cpu_preempt_check+0x13/0x20 +[ 464.028769] process_io_req+0x1dc/0x450 [rtrs_server] +[ 464.028775] rtrs_srv_inv_rkey_done+0x67/0xb0 [rtrs_server] +[ 464.028780] __ib_process_cq+0xbc/0x1f0 [ib_core] +[ 464.028793] ib_cq_poll_work+0x2b/0xa0 [ib_core] +[ 464.028804] process_one_work+0x2a9/0x580 + +[1]. https://lore.kernel.org/all/ZFHgefWofVt24tRl@infradead.org/ + +Signed-off-by: Guoqing Jiang +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20230512034631.28686-1-guoqing.jiang@linux.dev +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/rnbd/rnbd-proto.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/rnbd/rnbd-proto.h b/drivers/block/rnbd/rnbd-proto.h +index ea7ac8bca63cf..da1d0542d7e2c 100644 +--- a/drivers/block/rnbd/rnbd-proto.h ++++ b/drivers/block/rnbd/rnbd-proto.h +@@ -241,7 +241,7 @@ static inline blk_opf_t rnbd_to_bio_flags(u32 rnbd_opf) + bio_opf = REQ_OP_WRITE; + break; + case RNBD_OP_FLUSH: +- bio_opf = REQ_OP_FLUSH | REQ_PREFLUSH; ++ bio_opf = REQ_OP_WRITE | REQ_PREFLUSH; + break; + case RNBD_OP_DISCARD: + bio_opf = REQ_OP_DISCARD; +-- +2.39.2 + diff --git a/queue-6.3/btrfs-abort-transaction-when-sibling-keys-check-fail.patch b/queue-6.3/btrfs-abort-transaction-when-sibling-keys-check-fail.patch new file mode 100644 index 00000000000..8d58ec8fed5 --- /dev/null +++ b/queue-6.3/btrfs-abort-transaction-when-sibling-keys-check-fail.patch @@ -0,0 +1,56 @@ +From b3e1fc1e250ca692a284634c2a9487fe1cbd48d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 11:51:35 +0100 +Subject: btrfs: abort transaction when sibling keys check fails for leaves + +From: Filipe Manana + +[ Upstream commit 9ae5afd02a03d4e22a17a9609b19400b77c36273 ] + +If the sibling keys check fails before we move keys from one sibling +leaf to another, we are not aborting the transaction - we leave that to +some higher level caller of btrfs_search_slot() (or anything else that +uses it to insert items into a b+tree). + +This means that the transaction abort will provide a stack trace that +omits the b+tree modification call chain. So change this to immediately +abort the transaction and therefore get a more useful stack trace that +shows us the call chain in the bt+tree modification code. + +It's also important to immediately abort the transaction just in case +some higher level caller is not doing it, as this indicates a very +serious corruption and we should stop the possibility of doing further +damage. + +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index 26bb10b6ca85d..986827370d8e1 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -3222,6 +3222,7 @@ static int push_leaf_right(struct btrfs_trans_handle *trans, struct btrfs_root + + if (check_sibling_keys(left, right)) { + ret = -EUCLEAN; ++ btrfs_abort_transaction(trans, ret); + btrfs_tree_unlock(right); + free_extent_buffer(right); + return ret; +@@ -3444,6 +3445,7 @@ static int push_leaf_left(struct btrfs_trans_handle *trans, struct btrfs_root + + if (check_sibling_keys(left, right)) { + ret = -EUCLEAN; ++ btrfs_abort_transaction(trans, ret); + goto out; + } + return __push_leaf_left(trans, path, min_data_size, empty, left, +-- +2.39.2 + diff --git a/queue-6.3/ceph-silence-smatch-warning-in-reconnect_caps_cb.patch b/queue-6.3/ceph-silence-smatch-warning-in-reconnect_caps_cb.patch new file mode 100644 index 00000000000..1c12aa3bd6b --- /dev/null +++ b/queue-6.3/ceph-silence-smatch-warning-in-reconnect_caps_cb.patch @@ -0,0 +1,50 @@ +From b4cd5801409b9a5ae967125dbf1f93d6aa910150 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 14:45:01 +0800 +Subject: ceph: silence smatch warning in reconnect_caps_cb() + +From: Xiubo Li + +[ Upstream commit 9aaa7eb018661b2da221362d9bacb096bd596f52 ] + +Smatch static checker warning: + + fs/ceph/mds_client.c:3968 reconnect_caps_cb() + warn: missing error code here? '__get_cap_for_mds()' failed. 'err' = '0' + +[ idryomov: Dan says that Smatch considers it intentional only if the + "ret = 0;" assignment is within 4 or 5 lines of the goto. ] + +Reported-by: Dan Carpenter +Signed-off-by: Xiubo Li +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 54e3c2ab21d22..1989c8deea55a 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -3938,7 +3938,7 @@ static int reconnect_caps_cb(struct inode *inode, int mds, void *arg) + struct dentry *dentry; + struct ceph_cap *cap; + char *path; +- int pathlen = 0, err = 0; ++ int pathlen = 0, err; + u64 pathbase; + u64 snap_follows; + +@@ -3961,6 +3961,7 @@ static int reconnect_caps_cb(struct inode *inode, int mds, void *arg) + cap = __get_cap_for_mds(ci, mds); + if (!cap) { + spin_unlock(&ci->i_ceph_lock); ++ err = 0; + goto out_err; + } + dout(" adding %p ino %llx.%llx cap %p %lld %s\n", +-- +2.39.2 + diff --git a/queue-6.3/cpupower-fix-resource-leaks-in-sysfs_get_enabled.patch b/queue-6.3/cpupower-fix-resource-leaks-in-sysfs_get_enabled.patch new file mode 100644 index 00000000000..9545631360f --- /dev/null +++ b/queue-6.3/cpupower-fix-resource-leaks-in-sysfs_get_enabled.patch @@ -0,0 +1,73 @@ +From 2f5450c0216c5d830dce9e008642632f6e2bcfb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 09:30:56 +0800 +Subject: cpupower:Fix resource leaks in sysfs_get_enabled() + +From: Hao Zeng + +[ Upstream commit e652be0f59d4ba4d5c636b1f7f4dcb73aae049fa ] + +The sysfs_get_enabled() opened file processor not closed, +may cause a file handle leak. +Putting error handling and resource cleanup code together +makes the code easy to maintain and read. +Removed the unnecessary else if branch from the original +function, as it should return an error in cases other than '0'. + +Signed-off-by: Hao Zeng +Suggested-by: Shuah Khan +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/lib/powercap.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/tools/power/cpupower/lib/powercap.c b/tools/power/cpupower/lib/powercap.c +index 0ce29ee4c2e46..a7a59c6bacda8 100644 +--- a/tools/power/cpupower/lib/powercap.c ++++ b/tools/power/cpupower/lib/powercap.c +@@ -40,25 +40,34 @@ static int sysfs_get_enabled(char *path, int *mode) + { + int fd; + char yes_no; ++ int ret = 0; + + *mode = 0; + + fd = open(path, O_RDONLY); +- if (fd == -1) +- return -1; ++ if (fd == -1) { ++ ret = -1; ++ goto out; ++ } + + if (read(fd, &yes_no, 1) != 1) { +- close(fd); +- return -1; ++ ret = -1; ++ goto out_close; + } + + if (yes_no == '1') { + *mode = 1; +- return 0; ++ goto out_close; + } else if (yes_no == '0') { +- return 0; ++ goto out_close; ++ } else { ++ ret = -1; ++ goto out_close; + } +- return -1; ++out_close: ++ close(fd); ++out: ++ return ret; + } + + int powercap_get_enabled(int *mode) +-- +2.39.2 + diff --git a/queue-6.3/crypto-x86-aria-use-16-byte-alignment-for-gfni-const.patch b/queue-6.3/crypto-x86-aria-use-16-byte-alignment-for-gfni-const.patch new file mode 100644 index 00000000000..776e5af9c87 --- /dev/null +++ b/queue-6.3/crypto-x86-aria-use-16-byte-alignment-for-gfni-const.patch @@ -0,0 +1,46 @@ +From 15abe533abfec8f44c352f865da61d868e1bccc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 20:14:19 +0200 +Subject: crypto: x86/aria - Use 16 byte alignment for GFNI constant vectors + +From: Ard Biesheuvel + +[ Upstream commit 6ab39f99927eed605728b02d512438d828183c97 ] + +The GFNI routines in the AVX version of the ARIA implementation now use +explicit VMOVDQA instructions to load the constant input vectors, which +means they must be 16 byte aligned. So ensure that this is the case, by +dropping the section split and the incorrect .align 8 directive, and +emitting the constants into the 16-byte aligned section instead. + +Note that the AVX2 version of this code deviates from this pattern, and +does not require a similar fix, given that it loads these contants as +8-byte memory operands, for which AVX2 permits any alignment. + +Cc: Taehee Yoo +Fixes: 8b84475318641c2b ("crypto: x86/aria-avx - Do not use avx2 instructions") +Reported-by: syzbot+a6abcf08bad8b18fd198@syzkaller.appspotmail.com +Tested-by: syzbot+a6abcf08bad8b18fd198@syzkaller.appspotmail.com +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/aria-aesni-avx-asm_64.S | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/crypto/aria-aesni-avx-asm_64.S b/arch/x86/crypto/aria-aesni-avx-asm_64.S +index 9243f6289d34b..ed6c22fb16720 100644 +--- a/arch/x86/crypto/aria-aesni-avx-asm_64.S ++++ b/arch/x86/crypto/aria-aesni-avx-asm_64.S +@@ -773,8 +773,6 @@ + .octa 0x3F893781E95FE1576CDA64D2BA0CB204 + + #ifdef CONFIG_AS_GFNI +-.section .rodata.cst8, "aM", @progbits, 8 +-.align 8 + /* AES affine: */ + #define tf_aff_const BV8(1, 1, 0, 0, 0, 1, 1, 0) + .Ltf_aff_bitmatrix: +-- +2.39.2 + diff --git a/queue-6.3/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch b/queue-6.3/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch new file mode 100644 index 00000000000..1f96f5dfdbd --- /dev/null +++ b/queue-6.3/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch @@ -0,0 +1,56 @@ +From dc676895c6498d068f5dba2c7bda9433a0838bfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 13:32:10 +0300 +Subject: dmaengine: at_xdmac: fix potential Oops in + at_xdmac_prep_interleaved() + +From: Dan Carpenter + +[ Upstream commit 4d43acb145c363626d76f49febb4240c488cd1cf ] + +There are two place if the at_xdmac_interleaved_queue_desc() fails which +could lead to a NULL dereference where "first" is NULL and we call +list_add_tail(&first->desc_node, ...). In the first caller, the return +is not checked so add a check for that. In the next caller, the return +is checked but if it fails on the first iteration through the loop then +it will lead to a NULL pointer dereference. + +Fixes: 4e5385784e69 ("dmaengine: at_xdmac: handle numf > 1") +Fixes: 62b5cb757f1d ("dmaengine: at_xdmac: fix memory leak in interleaved mode") +Signed-off-by: Dan Carpenter +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/21282b66-9860-410a-83df-39c17fcf2f1b@kili.mountain +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 96f1b69f8a75e..ab13704f27f11 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1102,6 +1102,8 @@ at_xdmac_prep_interleaved(struct dma_chan *chan, + NULL, + src_addr, dst_addr, + xt, xt->sgl); ++ if (!first) ++ return NULL; + + /* Length of the block is (BLEN+1) microblocks. */ + for (i = 0; i < xt->numf - 1; i++) +@@ -1132,8 +1134,9 @@ at_xdmac_prep_interleaved(struct dma_chan *chan, + src_addr, dst_addr, + xt, chunk); + if (!desc) { +- list_splice_tail_init(&first->descs_list, +- &atchan->free_descs_list); ++ if (first) ++ list_splice_tail_init(&first->descs_list, ++ &atchan->free_descs_list); + return NULL; + } + +-- +2.39.2 + diff --git a/queue-6.3/dmaengine-pl330-rename-_start-to-prevent-build-error.patch b/queue-6.3/dmaengine-pl330-rename-_start-to-prevent-build-error.patch new file mode 100644 index 00000000000..6fa700e14bb --- /dev/null +++ b/queue-6.3/dmaengine-pl330-rename-_start-to-prevent-build-error.patch @@ -0,0 +1,85 @@ +From c5e0f4249441bb8990f649a852240a7cfc257c6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 21:53:10 -0700 +Subject: dmaengine: pl330: rename _start to prevent build error + +From: Randy Dunlap + +[ Upstream commit a1a5f2c887252dec161c1e12e04303ca9ba56fa9 ] + +"_start" is used in several arches and proably should be reserved +for ARCH usage. Using it in a driver for a private symbol can cause +a build error when it conflicts with ARCH usage of the same symbol. + +Therefore rename pl330's "_start" to "pl330_start_thread" so that there +is no conflict and no build error. + +drivers/dma/pl330.c:1053:13: error: '_start' redeclared as different kind of symbol + 1053 | static bool _start(struct pl330_thread *thrd) + | ^~~~~~ +In file included from ../include/linux/interrupt.h:21, + from ../drivers/dma/pl330.c:18: +arch/riscv/include/asm/sections.h:11:13: note: previous declaration of '_start' with type 'char[]' + 11 | extern char _start[]; + | ^~~~~~ + +Fixes: b7d861d93945 ("DMA: PL330: Merge PL330 driver into drivers/dma/") +Fixes: ae43b3289186 ("ARM: 8202/1: dmaengine: pl330: Add runtime Power Management support v12") +Signed-off-by: Randy Dunlap +Cc: Jaswinder Singh +Cc: Boojin Kim +Cc: Krzysztof Kozlowski +Cc: Russell King +Cc: Vinod Koul +Cc: dmaengine@vger.kernel.org +Cc: linux-riscv@lists.infradead.org +Link: https://lore.kernel.org/r/20230524045310.27923-1-rdunlap@infradead.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pl330.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index 0d9257fbdfb0d..b4731fe6bbc14 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1050,7 +1050,7 @@ static bool _trigger(struct pl330_thread *thrd) + return true; + } + +-static bool _start(struct pl330_thread *thrd) ++static bool pl330_start_thread(struct pl330_thread *thrd) + { + switch (_state(thrd)) { + case PL330_STATE_FAULT_COMPLETING: +@@ -1702,7 +1702,7 @@ static int pl330_update(struct pl330_dmac *pl330) + thrd->req_running = -1; + + /* Get going again ASAP */ +- _start(thrd); ++ pl330_start_thread(thrd); + + /* For now, just make a list of callbacks to be done */ + list_add_tail(&descdone->rqd, &pl330->req_done); +@@ -2089,7 +2089,7 @@ static void pl330_tasklet(struct tasklet_struct *t) + } else { + /* Make sure the PL330 Channel thread is active */ + spin_lock(&pch->thread->dmac->lock); +- _start(pch->thread); ++ pl330_start_thread(pch->thread); + spin_unlock(&pch->thread->dmac->lock); + } + +@@ -2107,7 +2107,7 @@ static void pl330_tasklet(struct tasklet_struct *t) + if (power_down) { + pch->active = true; + spin_lock(&pch->thread->dmac->lock); +- _start(pch->thread); ++ pl330_start_thread(pch->thread); + spin_unlock(&pch->thread->dmac->lock); + power_down = false; + } +-- +2.39.2 + diff --git a/queue-6.3/drivers-base-cacheinfo-fix-shared_cpu_map-changes-in.patch b/queue-6.3/drivers-base-cacheinfo-fix-shared_cpu_map-changes-in.patch new file mode 100644 index 00000000000..b1a473a7617 --- /dev/null +++ b/queue-6.3/drivers-base-cacheinfo-fix-shared_cpu_map-changes-in.patch @@ -0,0 +1,121 @@ +From 29139bd910f39e592bf9349eeaa3d2c096b1ce53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 14:11:14 +0530 +Subject: drivers: base: cacheinfo: Fix shared_cpu_map changes in event of CPU + hotplug + +From: K Prateek Nayak + +[ Upstream commit 126310c9f669c9a8c875a3e5c2292299ca90225d ] + +While building the shared_cpu_map, check if the cache level and cache +type matches. On certain systems that build the cache topology based on +the instance ID, there are cases where the same ID may repeat across +multiple cache levels, leading inaccurate topology. + +In event of CPU offlining, the cache_shared_cpu_map_remove() does not +consider if IDs at same level are being compared. As a result, when same +IDs repeat across different cache levels, the CPU going offline is not +removed from all the shared_cpu_map. + +Below is the output of cache topology of CPU8 and it's SMT sibling after +CPU8 is offlined on a dual socket 3rd Generation AMD EPYC processor +(2 x 64C/128T) running kernel release v6.3: + + # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done + /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143 + + # echo 0 > /sys/devices/system/cpu/cpu8/online + + # for i in /sys/devices/system/cpu/cpu136/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done + /sys/devices/system/cpu/cpu136/cache/index0/shared_cpu_list: 136 + /sys/devices/system/cpu/cpu136/cache/index1/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu136/cache/index2/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu136/cache/index3/shared_cpu_list: 9-15,136-143 + +CPU8 is removed from index0 (L1i) but remains in the shared_cpu_list of +index1 (L1d) and index2 (L2). Since L1i, L1d, and L2 are shared by the +SMT siblings, and they have the same cache instance ID, CPU 2 is only +removed from the first index with matching ID which is index1 (L1i) in +this case. With this fix, the results are as expected when performing +the same experiment on the same system: + + # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done + /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143 + + # echo 0 > /sys/devices/system/cpu/cpu8/online + + # for i in /sys/devices/system/cpu/cpu136/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done + /sys/devices/system/cpu/cpu136/cache/index0/shared_cpu_list: 136 + /sys/devices/system/cpu/cpu136/cache/index1/shared_cpu_list: 136 + /sys/devices/system/cpu/cpu136/cache/index2/shared_cpu_list: 136 + /sys/devices/system/cpu/cpu136/cache/index3/shared_cpu_list: 9-15,136-143 + +When rebuilding topology, the same problem appears as +cache_shared_cpu_map_setup() implements a similar logic. Consider the +same 3rd Generation EPYC processor: CPUs in Core 1, that share the L1 +and L2 caches, have L1 and L2 instance ID as 1. For all the CPUs on +the second chiplet, the L3 ID is also 1 leading to grouping on CPUs from +Core 1 (1, 17) and the entire second chiplet (8-15, 24-31) as CPUs +sharing one cache domain. This went undetected since x86 processors +depended on arch specific populate_cache_leaves() method to repopulate +the shared_cpus_map when CPU came back online until kernel release +v6.3-rc5. + +Fixes: 198102c9103f ("cacheinfo: Fix shared_cpu_map to handle shared caches at different levels") +Signed-off-by: K Prateek Nayak +Reviewed-by: Sudeep Holla +Link: https://lore.kernel.org/r/20230508084115.1157-2-kprateek.nayak@amd.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/cacheinfo.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c +index ea8f416852bd9..6351db6ecb57f 100644 +--- a/drivers/base/cacheinfo.c ++++ b/drivers/base/cacheinfo.c +@@ -380,6 +380,16 @@ static int cache_shared_cpu_map_setup(unsigned int cpu) + continue;/* skip if itself or no cacheinfo */ + for (sib_index = 0; sib_index < cache_leaves(i); sib_index++) { + sib_leaf = per_cpu_cacheinfo_idx(i, sib_index); ++ ++ /* ++ * Comparing cache IDs only makes sense if the leaves ++ * belong to the same cache level of same type. Skip ++ * the check if level and type do not match. ++ */ ++ if (sib_leaf->level != this_leaf->level || ++ sib_leaf->type != this_leaf->type) ++ continue; ++ + if (cache_leaves_are_shared(this_leaf, sib_leaf)) { + cpumask_set_cpu(cpu, &sib_leaf->shared_cpu_map); + cpumask_set_cpu(i, &this_leaf->shared_cpu_map); +@@ -411,6 +421,16 @@ static void cache_shared_cpu_map_remove(unsigned int cpu) + + for (sib_index = 0; sib_index < cache_leaves(sibling); sib_index++) { + sib_leaf = per_cpu_cacheinfo_idx(sibling, sib_index); ++ ++ /* ++ * Comparing cache IDs only makes sense if the leaves ++ * belong to the same cache level of same type. Skip ++ * the check if level and type do not match. ++ */ ++ if (sib_leaf->level != this_leaf->level || ++ sib_leaf->type != this_leaf->type) ++ continue; ++ + if (cache_leaves_are_shared(this_leaf, sib_leaf)) { + cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map); + cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map); +-- +2.39.2 + diff --git a/queue-6.3/drivers-base-cacheinfo-update-cpu_map_populated-duri.patch b/queue-6.3/drivers-base-cacheinfo-update-cpu_map_populated-duri.patch new file mode 100644 index 00000000000..033fc2ba870 --- /dev/null +++ b/queue-6.3/drivers-base-cacheinfo-update-cpu_map_populated-duri.patch @@ -0,0 +1,117 @@ +From 3c19786c092aebbff24eacc1d4a9dd4429b019e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 14:11:15 +0530 +Subject: drivers: base: cacheinfo: Update cpu_map_populated during CPU Hotplug + +From: K Prateek Nayak + +[ Upstream commit c26fabe73330d983c7ce822c6b6ec0879b4da61f ] + +Until commit 5c2712387d48 ("cacheinfo: Fix LLC is not exported through +sysfs"), cacheinfo called populate_cache_leaves() for CPU coming online +which let the arch specific functions handle (at least on x86) +populating the shared_cpu_map. However, with the changes in the +aforementioned commit, populate_cache_leaves() is not called when a CPU +comes online as a result of hotplug since last_level_cache_is_valid() +returns true as the cacheinfo data is not discarded. The CPU coming +online is not present in shared_cpu_map, however, it will not be added +since the cpu_cacheinfo->cpu_map_populated flag is set (it is set in +populate_cache_leaves() when cacheinfo is first populated for x86) + +This can lead to inconsistencies in the shared_cpu_map when an offlined +CPU comes online again. Example below depicts the inconsistency in the +shared_cpu_list in cacheinfo when CPU8 is offlined and onlined again on +a 3rd Generation EPYC processor: + + # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done + /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143 + + # echo 0 > /sys/devices/system/cpu/cpu8/online + # echo 1 > /sys/devices/system/cpu/cpu8/online + + # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done + /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8 + /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8 + /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8 + /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8 + + # cat /sys/devices/system/cpu/cpu136/cache/index0/shared_cpu_list + 136 + + # cat /sys/devices/system/cpu/cpu136/cache/index3/shared_cpu_list + 9-15,136-143 + +Clear the flag when the CPU is removed from shared_cpu_map when +cache_shared_cpu_map_remove() is called during CPU hotplug. This will +allow cache_shared_cpu_map_setup() to add the CPU coming back online in +the shared_cpu_map. Set the flag again when the shared_cpu_map is setup. +Following are results of performing the same test as described above with +the changes: + + # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done + /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143 + + # echo 0 > /sys/devices/system/cpu/cpu8/online + # echo 1 > /sys/devices/system/cpu/cpu8/online + + # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done + /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136 + /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143 + + # cat /sys/devices/system/cpu/cpu136/cache/index0/shared_cpu_list + 8,136 + + # cat /sys/devices/system/cpu/cpu136/cache/index3/shared_cpu_list + 8-15,136-143 + +Fixes: 5c2712387d48 ("cacheinfo: Fix LLC is not exported through sysfs") +Signed-off-by: K Prateek Nayak +Reviewed-by: Yicong Yang +Reviewed-by: Sudeep Holla +Link: https://lore.kernel.org/r/20230508084115.1157-3-kprateek.nayak@amd.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/cacheinfo.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c +index 6351db6ecb57f..0fc8fbe7b361d 100644 +--- a/drivers/base/cacheinfo.c ++++ b/drivers/base/cacheinfo.c +@@ -402,11 +402,14 @@ static int cache_shared_cpu_map_setup(unsigned int cpu) + coherency_max_size = this_leaf->coherency_line_size; + } + ++ /* shared_cpu_map is now populated for the cpu */ ++ this_cpu_ci->cpu_map_populated = true; + return 0; + } + + static void cache_shared_cpu_map_remove(unsigned int cpu) + { ++ struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); + struct cacheinfo *this_leaf, *sib_leaf; + unsigned int sibling, index, sib_index; + +@@ -439,6 +442,9 @@ static void cache_shared_cpu_map_remove(unsigned int cpu) + } + } + } ++ ++ /* cpu is no longer populated in the shared map */ ++ this_cpu_ci->cpu_map_populated = false; + } + + static void free_cache_attributes(unsigned int cpu) +-- +2.39.2 + diff --git a/queue-6.3/drm-amd-display-fix-memleak-in-aconnector-timing_req.patch b/queue-6.3/drm-amd-display-fix-memleak-in-aconnector-timing_req.patch new file mode 100644 index 00000000000..2a9b3294feb --- /dev/null +++ b/queue-6.3/drm-amd-display-fix-memleak-in-aconnector-timing_req.patch @@ -0,0 +1,52 @@ +From de291681671092492d3b373744c5da6c313f3e87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 09:10:48 -0400 +Subject: drm/amd/display: fix memleak in aconnector->timing_requested + +From: Hersen Wu + +[ Upstream commit 025ce392b5f213696ca0af3e07735d0fae020694 ] + +[Why] +when amdgpu_dm_update_connector_after_detect is called +two times successively with valid sink, memory allocated of +aconnector->timing_requested for the first call is not free. +this causes memeleak. + +[How] +allocate memory only when aconnector->timing_requested +is null. + +Reviewed-by: Qingqing Zhuo +Acked-by: Qingqing Zhuo +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 0695c7c3d489d..ce46f3a061c44 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -3095,9 +3095,12 @@ void amdgpu_dm_update_connector_after_detect( + aconnector->edid); + } + +- aconnector->timing_requested = kzalloc(sizeof(struct dc_crtc_timing), GFP_KERNEL); +- if (!aconnector->timing_requested) +- dm_error("%s: failed to create aconnector->requested_timing\n", __func__); ++ if (!aconnector->timing_requested) { ++ aconnector->timing_requested = ++ kzalloc(sizeof(struct dc_crtc_timing), GFP_KERNEL); ++ if (!aconnector->timing_requested) ++ dm_error("failed to create aconnector->requested_timing\n"); ++ } + + drm_connector_update_edid_property(connector, aconnector->edid); + amdgpu_dm_update_freesync_caps(connector, aconnector->edid); +-- +2.39.2 + diff --git a/queue-6.3/drm-amd-display-only-wait-for-blank-completion-if-ot.patch b/queue-6.3/drm-amd-display-only-wait-for-blank-completion-if-ot.patch new file mode 100644 index 00000000000..263d215f4cb --- /dev/null +++ b/queue-6.3/drm-amd-display-only-wait-for-blank-completion-if-ot.patch @@ -0,0 +1,51 @@ +From 7fb2cc87c25fbe27a114c813b7134e79b8a1fd3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Feb 2023 10:03:22 -0500 +Subject: drm/amd/display: Only wait for blank completion if OTG active + +From: Aric Cyr + +[ Upstream commit 82a10aff9428f1d190de55ef7971fdb84303cc7a ] + +[why] +If OTG is not active, waiting for blank completion will always fail and +timeout resulting in unnecessary driver delays. + +[how] +Check that OTG is enabled before waiting for blank. + +Reviewed-by: Alvin Lee +Acked-by: Qingqing Zhuo +Signed-off-by: Aric Cyr +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index d4a1670a54506..f07cba121d010 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1093,7 +1093,8 @@ static void phantom_pipe_blank( + otg_active_height, + 0); + +- hws->funcs.wait_for_blank_complete(opp); ++ if (tg->funcs->is_tg_enabled(tg)) ++ hws->funcs.wait_for_blank_complete(opp); + } + + static void disable_dangling_plane(struct dc *dc, struct dc_state *context) +@@ -1156,6 +1157,7 @@ static void disable_dangling_plane(struct dc *dc, struct dc_state *context) + if (old_stream->mall_stream_config.type == SUBVP_PHANTOM) { + if (tg->funcs->enable_crtc) { + int main_pipe_width, main_pipe_height; ++ + main_pipe_width = old_stream->mall_stream_config.paired_stream->dst.width; + main_pipe_height = old_stream->mall_stream_config.paired_stream->dst.height; + phantom_pipe_blank(dc, tg, main_pipe_width, main_pipe_height); +-- +2.39.2 + diff --git a/queue-6.3/drm-amdgpu-nv-update-vcn-3-max-hevc-encoding-resolut.patch b/queue-6.3/drm-amdgpu-nv-update-vcn-3-max-hevc-encoding-resolut.patch new file mode 100644 index 00000000000..cd11ec33a7d --- /dev/null +++ b/queue-6.3/drm-amdgpu-nv-update-vcn-3-max-hevc-encoding-resolut.patch @@ -0,0 +1,91 @@ +From 5324a0f9f81703daf12f702a8abddb517d93fceb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 May 2023 11:04:36 -0400 +Subject: drm/amdgpu/nv: update VCN 3 max HEVC encoding resolution + +From: Thong Thai + +[ Upstream commit 476ac50fc30540e29191615a26aaf5f9dee91c49 ] + +Update the maximum resolution reported for HEVC encoding on VCN 3 +devices to reflect its 8K encoding capability. + +v2: Also update the max height for H.264 encoding to match spec. +(Ruijing) + +Signed-off-by: Thong Thai +Reviewed-by: Ruijing Dong +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/nv.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/nv.c b/drivers/gpu/drm/amd/amdgpu/nv.c +index ebe0e2d7dbd1b..aa7f82b3fd6a9 100644 +--- a/drivers/gpu/drm/amd/amdgpu/nv.c ++++ b/drivers/gpu/drm/amd/amdgpu/nv.c +@@ -98,6 +98,16 @@ static const struct amdgpu_video_codecs nv_video_codecs_decode = + }; + + /* Sienna Cichlid */ ++static const struct amdgpu_video_codec_info sc_video_codecs_encode_array[] = { ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 2160, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 7680, 4352, 0)}, ++}; ++ ++static const struct amdgpu_video_codecs sc_video_codecs_encode = { ++ .codec_count = ARRAY_SIZE(sc_video_codecs_encode_array), ++ .codec_array = sc_video_codecs_encode_array, ++}; ++ + static const struct amdgpu_video_codec_info sc_video_codecs_decode_array_vcn0[] = + { + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)}, +@@ -136,8 +146,8 @@ static const struct amdgpu_video_codecs sc_video_codecs_decode_vcn1 = + /* SRIOV Sienna Cichlid, not const since data is controlled by host */ + static struct amdgpu_video_codec_info sriov_sc_video_codecs_encode_array[] = + { +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 2304, 0)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 2304, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 2160, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 7680, 4352, 0)}, + }; + + static struct amdgpu_video_codec_info sriov_sc_video_codecs_decode_array_vcn0[] = +@@ -237,12 +247,12 @@ static int nv_query_video_codecs(struct amdgpu_device *adev, bool encode, + } else { + if (adev->vcn.harvest_config & AMDGPU_VCN_HARVEST_VCN0) { + if (encode) +- *codecs = &nv_video_codecs_encode; ++ *codecs = &sc_video_codecs_encode; + else + *codecs = &sc_video_codecs_decode_vcn1; + } else { + if (encode) +- *codecs = &nv_video_codecs_encode; ++ *codecs = &sc_video_codecs_encode; + else + *codecs = &sc_video_codecs_decode_vcn0; + } +@@ -251,14 +261,14 @@ static int nv_query_video_codecs(struct amdgpu_device *adev, bool encode, + case IP_VERSION(3, 0, 16): + case IP_VERSION(3, 0, 2): + if (encode) +- *codecs = &nv_video_codecs_encode; ++ *codecs = &sc_video_codecs_encode; + else + *codecs = &sc_video_codecs_decode_vcn0; + return 0; + case IP_VERSION(3, 1, 1): + case IP_VERSION(3, 1, 2): + if (encode) +- *codecs = &nv_video_codecs_encode; ++ *codecs = &sc_video_codecs_encode; + else + *codecs = &yc_video_codecs_decode; + return 0; +-- +2.39.2 + diff --git a/queue-6.3/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch b/queue-6.3/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch new file mode 100644 index 00000000000..ce84e2ef05a --- /dev/null +++ b/queue-6.3/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch @@ -0,0 +1,118 @@ +From 5af526c608be17002e00dfcf356220f8e331dd53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 13:51:19 +0800 +Subject: drm/amdgpu: release gpu full access after + "amdgpu_device_ip_late_init" + +From: Chong Li + +[ Upstream commit 38eecbe086a4e52f54b2bbda8feba65d44addbef ] + +[WHY] + Function "amdgpu_irq_update()" called by "amdgpu_device_ip_late_init()" is an atomic context. + We shouldn't access registers through KIQ since "msleep()" may be called in "amdgpu_kiq_rreg()". + +[HOW] + Move function "amdgpu_virt_release_full_gpu()" after function "amdgpu_device_ip_late_init()", + to ensure that registers be accessed through RLCG instead of KIQ. + +Call Trace: + + show_stack+0x52/0x69 + dump_stack_lvl+0x49/0x6d + dump_stack+0x10/0x18 + __schedule_bug.cold+0x4f/0x6b + __schedule+0x473/0x5d0 + ? __wake_up_klogd.part.0+0x40/0x70 + ? vprintk_emit+0xbe/0x1f0 + schedule+0x68/0x110 + schedule_timeout+0x87/0x160 + ? timer_migration_handler+0xa0/0xa0 + msleep+0x2d/0x50 + amdgpu_kiq_rreg+0x18d/0x1f0 [amdgpu] + amdgpu_device_rreg.part.0+0x59/0xd0 [amdgpu] + amdgpu_device_rreg+0x3a/0x50 [amdgpu] + amdgpu_sriov_rreg+0x3c/0xb0 [amdgpu] + gfx_v10_0_set_gfx_eop_interrupt_state.constprop.0+0x16c/0x190 [amdgpu] + gfx_v10_0_set_eop_interrupt_state+0xa5/0xb0 [amdgpu] + amdgpu_irq_update+0x53/0x80 [amdgpu] + amdgpu_irq_get+0x7c/0xb0 [amdgpu] + amdgpu_fence_driver_hw_init+0x58/0x90 [amdgpu] + amdgpu_device_init.cold+0x16b7/0x2022 [amdgpu] + +Signed-off-by: Chong Li +Reviewed-by: JingWen.Chen2@amd.com +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 32 ++++++++++++---------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index aa46726dfdb01..464f0abc855e6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2523,8 +2523,6 @@ static int amdgpu_device_ip_init(struct amdgpu_device *adev) + amdgpu_fru_get_product_info(adev); + + init_failed: +- if (amdgpu_sriov_vf(adev)) +- amdgpu_virt_release_full_gpu(adev, true); + + return r; + } +@@ -3841,18 +3839,6 @@ int amdgpu_device_init(struct amdgpu_device *adev, + + r = amdgpu_device_ip_init(adev); + if (r) { +- /* failed in exclusive mode due to timeout */ +- if (amdgpu_sriov_vf(adev) && +- !amdgpu_sriov_runtime(adev) && +- amdgpu_virt_mmio_blocked(adev) && +- !amdgpu_virt_wait_reset(adev)) { +- dev_err(adev->dev, "VF exclusive mode timeout\n"); +- /* Don't send request since VF is inactive. */ +- adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME; +- adev->virt.ops = NULL; +- r = -EAGAIN; +- goto release_ras_con; +- } + dev_err(adev->dev, "amdgpu_device_ip_init failed\n"); + amdgpu_vf_error_put(adev, AMDGIM_ERROR_VF_AMDGPU_INIT_FAIL, 0, 0); + goto release_ras_con; +@@ -3924,8 +3910,10 @@ int amdgpu_device_init(struct amdgpu_device *adev, + msecs_to_jiffies(AMDGPU_RESUME_MS)); + } + +- if (amdgpu_sriov_vf(adev)) ++ if (amdgpu_sriov_vf(adev)) { ++ amdgpu_virt_release_full_gpu(adev, true); + flush_delayed_work(&adev->delayed_init_work); ++ } + + r = sysfs_create_files(&adev->dev->kobj, amdgpu_dev_attributes); + if (r) +@@ -3965,6 +3953,20 @@ int amdgpu_device_init(struct amdgpu_device *adev, + return 0; + + release_ras_con: ++ if (amdgpu_sriov_vf(adev)) ++ amdgpu_virt_release_full_gpu(adev, true); ++ ++ /* failed in exclusive mode due to timeout */ ++ if (amdgpu_sriov_vf(adev) && ++ !amdgpu_sriov_runtime(adev) && ++ amdgpu_virt_mmio_blocked(adev) && ++ !amdgpu_virt_wait_reset(adev)) { ++ dev_err(adev->dev, "VF exclusive mode timeout\n"); ++ /* Don't send request since VF is inactive. */ ++ adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME; ++ adev->virt.ops = NULL; ++ r = -EAGAIN; ++ } + amdgpu_release_ras_context(adev); + + failed: +-- +2.39.2 + diff --git a/queue-6.3/drm-amdgpu-set-gfx9-onwards-apu-atomics-support-to-b.patch b/queue-6.3/drm-amdgpu-set-gfx9-onwards-apu-atomics-support-to-b.patch new file mode 100644 index 00000000000..d0295fc2e1d --- /dev/null +++ b/queue-6.3/drm-amdgpu-set-gfx9-onwards-apu-atomics-support-to-b.patch @@ -0,0 +1,43 @@ +From 35d2fafdece93d3db7760ad88b6c3be6685e5af3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 14:01:05 +0800 +Subject: drm/amdgpu: set gfx9 onwards APU atomics support to be true + +From: Yifan Zhang + +[ Upstream commit af7828fbceed4f9e503034111066a0adef3db383 ] + +APUs w/ gfx9 onwards doesn't reply on PCIe atomics, rather +it is internal path w/ native atomic support. Set have_atomics_support +to true. + +Signed-off-by: Yifan Zhang +Reviewed-by: Lang Yu +Acked-by: Felix Kuehling +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 412cb3f1f8826..31413a604d0ae 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3737,6 +3737,12 @@ int amdgpu_device_init(struct amdgpu_device *adev, + adev->have_atomics_support = ((struct amd_sriov_msg_pf2vf_info *) + adev->virt.fw_reserve.p_pf2vf)->pcie_atomic_ops_support_flags == + (PCI_EXP_DEVCAP2_ATOMIC_COMP32 | PCI_EXP_DEVCAP2_ATOMIC_COMP64); ++ /* APUs w/ gfx9 onwards doesn't reply on PCIe atomics, rather it is a ++ * internal path natively support atomics, set have_atomics_support to true. ++ */ ++ else if ((adev->flags & AMD_IS_APU) && ++ (adev->ip_versions[GC_HWIP][0] > IP_VERSION(9, 0, 0))) ++ adev->have_atomics_support = true; + else + adev->have_atomics_support = + !pci_enable_atomic_ops_to_root(adev->pdev, +-- +2.39.2 + diff --git a/queue-6.3/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch b/queue-6.3/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch new file mode 100644 index 00000000000..618d7f01e46 --- /dev/null +++ b/queue-6.3/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch @@ -0,0 +1,52 @@ +From 0fcffb4ddab3605017265a99c842e55be04a9b0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 16:15:27 +0800 +Subject: drm/amdgpu: skip disabling fence driver src_irqs when device is + unplugged + +From: Guchun Chen + +[ Upstream commit c1a322a7a4a96cd0a3dde32ce37af437a78bf8cd ] + +When performing device unbind or halt, we have disabled all irqs at the +very begining like amdgpu_pci_remove or amdgpu_device_halt. So +amdgpu_irq_put for irqs stored in fence driver should not be called +any more, otherwise, below calltrace will arrive. + +[ 139.114088] WARNING: CPU: 2 PID: 1550 at drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c:616 amdgpu_irq_put+0xf6/0x110 [amdgpu] +[ 139.114655] Call Trace: +[ 139.114655] +[ 139.114657] amdgpu_fence_driver_hw_fini+0x93/0x130 [amdgpu] +[ 139.114836] amdgpu_device_fini_hw+0xb6/0x350 [amdgpu] +[ 139.114955] amdgpu_driver_unload_kms+0x51/0x70 [amdgpu] +[ 139.115075] amdgpu_pci_remove+0x63/0x160 [amdgpu] +[ 139.115193] ? __pm_runtime_resume+0x64/0x90 +[ 139.115195] pci_device_remove+0x3a/0xb0 +[ 139.115197] device_remove+0x43/0x70 +[ 139.115198] device_release_driver_internal+0xbd/0x140 + +Signed-off-by: Guchun Chen +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +index f52d0ba91a770..a7d250809da99 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +@@ -582,7 +582,8 @@ void amdgpu_fence_driver_hw_fini(struct amdgpu_device *adev) + if (r) + amdgpu_fence_driver_force_completion(ring); + +- if (ring->fence_drv.irq_src) ++ if (!drm_dev_is_unplugged(adev_to_drm(adev)) && ++ ring->fence_drv.irq_src) + amdgpu_irq_put(adev, ring->fence_drv.irq_src, + ring->fence_drv.irq_type); + +-- +2.39.2 + diff --git a/queue-6.3/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch b/queue-6.3/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch new file mode 100644 index 00000000000..6e16aba2e80 --- /dev/null +++ b/queue-6.3/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch @@ -0,0 +1,77 @@ +From db2c2b4e8103a6747a5df95ae2b2e6a8b98f0ed6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Apr 2023 17:05:15 +0800 +Subject: drm/amdgpu: Use the default reset when loading or reloading the + driver + +From: lyndonli + +[ Upstream commit 4eea7fb980dc44545a32eec92e2662053b34cd9d ] + +Below call trace and errors are observed when reloading +amdgpu driver with the module parameter reset_method=3. + +It should do a default reset when loading or reloading the +driver, regardless of the module parameter reset_method. + +v2: add comments inside and modify commit messages. + +[ +2.180243] [drm] psp gfx command ID_LOAD_TOC(0x20) failed +and response status is (0x0) +[ +0.000011] [drm:psp_hw_start [amdgpu]] *ERROR* Failed to load toc +[ +0.000890] [drm:psp_hw_start [amdgpu]] *ERROR* PSP tmr init failed! +[ +0.020683] [drm:amdgpu_fill_buffer [amdgpu]] *ERROR* Trying to +clear memory with ring turned off. +[ +0.000003] RIP: 0010:amdgpu_bo_release_notify+0x1ef/0x210 [amdgpu] +[ +0.000004] Call Trace: +[ +0.000003] +[ +0.000008] ttm_bo_release+0x2c4/0x330 [amdttm] +[ +0.000026] amdttm_bo_put+0x3c/0x70 [amdttm] +[ +0.000020] amdgpu_bo_free_kernel+0xe6/0x140 [amdgpu] +[ +0.000728] psp_v11_0_ring_destroy+0x34/0x60 [amdgpu] +[ +0.000826] psp_hw_init+0xe7/0x2f0 [amdgpu] +[ +0.000813] amdgpu_device_fw_loading+0x1ad/0x2d0 [amdgpu] +[ +0.000731] amdgpu_device_init.cold+0x108e/0x2002 [amdgpu] +[ +0.001071] ? do_pci_enable_device+0xe1/0x110 +[ +0.000011] amdgpu_driver_load_kms+0x1a/0x160 [amdgpu] +[ +0.000729] amdgpu_pci_probe+0x179/0x3a0 [amdgpu] + +Signed-off-by: lyndonli +Signed-off-by: Yunxiang Li +Reviewed-by: Feifei Xu +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 464f0abc855e6..412cb3f1f8826 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3558,6 +3558,7 @@ int amdgpu_device_init(struct amdgpu_device *adev, + int r, i; + bool px = false; + u32 max_MBps; ++ int tmp; + + adev->shutdown = false; + adev->flags = flags; +@@ -3779,7 +3780,13 @@ int amdgpu_device_init(struct amdgpu_device *adev, + } + } + } else { ++ tmp = amdgpu_reset_method; ++ /* It should do a default reset when loading or reloading the driver, ++ * regardless of the module parameter reset_method. ++ */ ++ amdgpu_reset_method = AMD_RESET_METHOD_NONE; + r = amdgpu_asic_reset(adev); ++ amdgpu_reset_method = tmp; + if (r) { + dev_err(adev->dev, "asic reset on init failed\n"); + goto failed; +-- +2.39.2 + diff --git a/queue-6.3/drm-ast-fix-arm-compatibility.patch b/queue-6.3/drm-ast-fix-arm-compatibility.patch new file mode 100644 index 00000000000..47f867584c4 --- /dev/null +++ b/queue-6.3/drm-ast-fix-arm-compatibility.patch @@ -0,0 +1,45 @@ +From f71b5e2f7cef05d5cf3a0c5332dc256ef971d1dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 08:33:54 +0800 +Subject: drm/ast: Fix ARM compatibility + +From: Jammy Huang + +[ Upstream commit 4327a6137ed43a091d900b1ac833345d60f32228 ] + +ARM architecture only has 'memory', so all devices are accessed by +MMIO if possible. + +Signed-off-by: Jammy Huang +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230421003354.27767-1-jammy_huang@aspeedtech.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c +index f83ce77127cb4..a6d0ee4da2b88 100644 +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -425,11 +425,12 @@ struct ast_private *ast_device_create(const struct drm_driver *drv, + return ERR_PTR(-EIO); + + /* +- * If we don't have IO space at all, use MMIO now and +- * assume the chip has MMIO enabled by default (rev 0x20 +- * and higher). ++ * After AST2500, MMIO is enabled by default, and it should be adopted ++ * to be compatible with Arm. + */ +- if (!(pci_resource_flags(pdev, 2) & IORESOURCE_IO)) { ++ if (pdev->revision >= 0x40) { ++ ast->ioregs = ast->regs + AST_IO_MM_OFFSET; ++ } else if (!(pci_resource_flags(pdev, 2) & IORESOURCE_IO)) { + drm_info(dev, "platform has no IO space, trying MMIO\n"); + ast->ioregs = ast->regs + AST_IO_MM_OFFSET; + } +-- +2.39.2 + diff --git a/queue-6.3/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch b/queue-6.3/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch new file mode 100644 index 00000000000..8a2fa3d0d45 --- /dev/null +++ b/queue-6.3/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch @@ -0,0 +1,42 @@ +From a903c7f0321400bb7b104f00c7f6093ad3dd92e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 15:20:37 -0700 +Subject: drm/msm: Be more shouty if per-process pgtables aren't working + +From: Rob Clark + +[ Upstream commit 5c054db54c43a5fcb5cc81012361f5e3fac37637 ] + +Otherwise it is not always obvious if a dt or iommu change is causing us +to fall back to global pgtable. + +Signed-off-by: Rob Clark +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/537359/ +Link: https://lore.kernel.org/r/20230516222039.907690-2-robdclark@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_iommu.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c +index c2507582ecf34..0d6a69cd6f7a5 100644 +--- a/drivers/gpu/drm/msm/msm_iommu.c ++++ b/drivers/gpu/drm/msm/msm_iommu.c +@@ -234,7 +234,12 @@ struct msm_mmu *msm_iommu_pagetable_create(struct msm_mmu *parent) + /* Get the pagetable configuration from the domain */ + if (adreno_smmu->cookie) + ttbr1_cfg = adreno_smmu->get_ttbr1_cfg(adreno_smmu->cookie); +- if (!ttbr1_cfg) ++ ++ /* ++ * If you hit this WARN_ONCE() you are probably missing an entry in ++ * qcom_smmu_impl_of_match[] in arm-smmu-qcom.c ++ */ ++ if (WARN_ONCE(!ttbr1_cfg, "No per-process page tables")) + return ERR_PTR(-ENODEV); + + /* +-- +2.39.2 + diff --git a/queue-6.3/dt-bindings-serial-8250_omap-add-rs485-rts-active-hi.patch b/queue-6.3/dt-bindings-serial-8250_omap-add-rs485-rts-active-hi.patch new file mode 100644 index 00000000000..814dca5bc5f --- /dev/null +++ b/queue-6.3/dt-bindings-serial-8250_omap-add-rs485-rts-active-hi.patch @@ -0,0 +1,39 @@ +From 7560f793e0072cf24a1bfd4ea9d3f3aa64a15877 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 13:10:38 +0200 +Subject: dt-bindings: serial: 8250_omap: add rs485-rts-active-high + +From: Francesco Dolcini + +[ Upstream commit 403e97d6ab2cb6fd0ac1ff968cd7b691771f1613 ] + +Add rs485-rts-active-high property, this was removed by mistake. +In general we just use rs485-rts-active-low property, however the OMAP +UART for legacy reason uses the -high one. + +Fixes: 767d3467eb60 ("dt-bindings: serial: 8250_omap: drop rs485 properties") +Closes: https://lore.kernel.org/all/ZGefR4mTHHo1iQ7H@francesco-nb.int.toradex.com/ +Signed-off-by: Francesco Dolcini +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230531111038.6302-1-francesco@dolcini.it +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/serial/8250_omap.yaml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Documentation/devicetree/bindings/serial/8250_omap.yaml b/Documentation/devicetree/bindings/serial/8250_omap.yaml +index eb3488d8f9ee6..6a7be42da523c 100644 +--- a/Documentation/devicetree/bindings/serial/8250_omap.yaml ++++ b/Documentation/devicetree/bindings/serial/8250_omap.yaml +@@ -70,6 +70,7 @@ properties: + dsr-gpios: true + rng-gpios: true + dcd-gpios: true ++ rs485-rts-active-high: true + rts-gpio: true + power-domains: true + clock-frequency: true +-- +2.39.2 + diff --git a/queue-6.3/efi-bump-stub-image-version-for-macos-hvf-compatibil.patch b/queue-6.3/efi-bump-stub-image-version-for-macos-hvf-compatibil.patch new file mode 100644 index 00000000000..5729332c598 --- /dev/null +++ b/queue-6.3/efi-bump-stub-image-version-for-macos-hvf-compatibil.patch @@ -0,0 +1,99 @@ +From 6815bd330796cf36c5b9fc5e3e56b4c3e58b616c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 19:36:02 +0200 +Subject: efi: Bump stub image version for macOS HVF compatibility + +From: Akihiro Suda + +[ Upstream commit 36e4fc57fc1619f462e669e939209c45763bc8f5 ] + +The macOS hypervisor framework includes a host-side VMM called +VZLinuxBootLoader [1] which implements native support for booting the +Linux kernel inside a guest directly (instead of, e.g., via GRUB +installed inside the guest). On x86, it incorporates a BIOS style loader +that does not implement or expose EFI to the loaded kernel. However, +this loader appears to fail when the 'image minor version' field in the +kernel image's PE/COFF header (which is generally only used by EFI based +bootloaders) is set to any value other than 0x0. [2] + +Commit e346bebbd36b1576 ("efi: libstub: Always enable initrd command +line loader and bump version") incremented the EFI stub image minor +version to convey that all EFI stub kernels now implement support for +the initrd= command line option, and do so in a way where it can load +initrd images from any filesystem known to the EFI firmware (as opposed +to prior implementations that could only load initrds from the same +volume that the kernel image was loaded from). + +Unfortunately, bumping the version to v1.1 triggers this issue in +VZLinuxBootLoader, breaking the boot on x86. So let's keep the image +minor version at 0x0, and bump the image major version instead. + +While at it, convert this field to a bit field, so that individual +features are discoverable from it, as suggested by Linus. So let's bump +the major version to v3, and document the initrd= command line loading +feature as being represented by bit 1 in the mask. + +Note that, due to the prior interpretation as a monotonically increasing +version field, loaders are still permitted to assume that the LoadFile2 +initrd loading feature is supported for any major version value >= 1, +even if bit 0 is not set. + +[1] https://developer.apple.com/documentation/virtualization/vzlinuxbootloader +[2] https://lore.kernel.org/linux-efi/CAG8fp8Teu4G9JuenQrqGndFt2Gy+V4YgJ=hN1xX7AD940YKf3A@mail.gmail.com/ + +Fixes: e346bebbd36b1576 ("efi: libstub: Always enable initrd command ...") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217485 +Signed-off-by: Akihiro Suda +[ardb: rewrite comment and commit log] +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + include/linux/pe.h | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/include/linux/pe.h b/include/linux/pe.h +index 6ffabf1e6d039..16754fb2f954a 100644 +--- a/include/linux/pe.h ++++ b/include/linux/pe.h +@@ -11,25 +11,26 @@ + #include + + /* +- * Linux EFI stub v1.0 adds the following functionality: +- * - Loading initrd from the LINUX_EFI_INITRD_MEDIA_GUID device path, +- * - Loading/starting the kernel from firmware that targets a different +- * machine type, via the entrypoint exposed in the .compat PE/COFF section. ++ * Starting from version v3.0, the major version field should be interpreted as ++ * a bit mask of features supported by the kernel's EFI stub: ++ * - 0x1: initrd loading from the LINUX_EFI_INITRD_MEDIA_GUID device path, ++ * - 0x2: initrd loading using the initrd= command line option, where the file ++ * may be specified using device path notation, and is not required to ++ * reside on the same volume as the loaded kernel image. + * + * The recommended way of loading and starting v1.0 or later kernels is to use + * the LoadImage() and StartImage() EFI boot services, and expose the initrd + * via the LINUX_EFI_INITRD_MEDIA_GUID device path. + * +- * Versions older than v1.0 support initrd loading via the image load options +- * (using initrd=, limited to the volume from which the kernel itself was +- * loaded), or via arch specific means (bootparams, DT, etc). ++ * Versions older than v1.0 may support initrd loading via the image load ++ * options (using initrd=, limited to the volume from which the kernel itself ++ * was loaded), or only via arch specific means (bootparams, DT, etc). + * +- * On x86, LoadImage() and StartImage() can be omitted if the EFI handover +- * protocol is implemented, which can be inferred from the version, +- * handover_offset and xloadflags fields in the bootparams structure. ++ * The minor version field must remain 0x0. ++ * (https://lore.kernel.org/all/efd6f2d4-547c-1378-1faa-53c044dbd297@gmail.com/) + */ +-#define LINUX_EFISTUB_MAJOR_VERSION 0x1 +-#define LINUX_EFISTUB_MINOR_VERSION 0x1 ++#define LINUX_EFISTUB_MAJOR_VERSION 0x3 ++#define LINUX_EFISTUB_MINOR_VERSION 0x0 + + /* + * LINUX_PE_MAGIC appears at offset 0x38 into the MS-DOS header of EFI bootable +-- +2.39.2 + diff --git a/queue-6.3/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch b/queue-6.3/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch new file mode 100644 index 00000000000..2dc6941c2d4 --- /dev/null +++ b/queue-6.3/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch @@ -0,0 +1,80 @@ +From 4e776da28db59230974cbc3dfbf7a54969f24fa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 11:08:41 +0800 +Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe + +From: Zheng Wang + +[ Upstream commit c75f5a55061091030a13fef71b9995b89bc86213 ] + +A use-after-free bug may occur if init_imstt invokes framebuffer_release +and free the info ptr. The caller, imsttfb_probe didn't notice that and +still keep the ptr as private data in pdev. + +If we remove the driver which will call imsttfb_remove to make cleanup, +UAF happens. + +Fix it by return error code if bad case happens in init_imstt. + +Signed-off-by: Zheng Wang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imsttfb.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb.c +index bea45647184e1..975dd682fae4b 100644 +--- a/drivers/video/fbdev/imsttfb.c ++++ b/drivers/video/fbdev/imsttfb.c +@@ -1347,7 +1347,7 @@ static const struct fb_ops imsttfb_ops = { + .fb_ioctl = imsttfb_ioctl, + }; + +-static void init_imstt(struct fb_info *info) ++static int init_imstt(struct fb_info *info) + { + struct imstt_par *par = info->par; + __u32 i, tmp, *ip, *end; +@@ -1420,7 +1420,7 @@ static void init_imstt(struct fb_info *info) + || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) { + printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel); + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? "IBM" : "TVP"); +@@ -1456,12 +1456,13 @@ static void init_imstt(struct fb_info *info) + + if (register_framebuffer(info) < 0) { + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8; + fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n", + info->fix.id, info->fix.smem_len >> 20, tmp); ++ return 0; + } + + static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) +@@ -1529,10 +1530,10 @@ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (!par->cmap_regs) + goto error; + info->pseudo_palette = par->palette; +- init_imstt(info); +- +- pci_set_drvdata(pdev, info); +- return 0; ++ ret = init_imstt(info); ++ if (!ret) ++ pci_set_drvdata(pdev, info); ++ return ret; + + error: + if (par->dc_regs) +-- +2.39.2 + diff --git a/queue-6.3/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch b/queue-6.3/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch new file mode 100644 index 00000000000..c032446e950 --- /dev/null +++ b/queue-6.3/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch @@ -0,0 +1,36 @@ +From 67cd50b48561b57357a3a0ac8db173b0e271ba86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Apr 2023 23:24:26 +0200 +Subject: fbdev: modedb: Add 1920x1080 at 60 Hz video mode + +From: Helge Deller + +[ Upstream commit c8902258b2b8ecaa1b8d88c312853c5b14c2553d ] + +Add typical resolution for Full-HD monitors. + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/modedb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/video/fbdev/core/modedb.c b/drivers/video/fbdev/core/modedb.c +index 6473e0dfe1464..e78ec7f728463 100644 +--- a/drivers/video/fbdev/core/modedb.c ++++ b/drivers/video/fbdev/core/modedb.c +@@ -257,6 +257,11 @@ static const struct fb_videomode modedb[] = { + { NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3, 0, + FB_VMODE_DOUBLE }, + ++ /* 1920x1080 @ 60 Hz, 67.3 kHz hsync */ ++ { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5, 0, ++ FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, ++ FB_VMODE_NONINTERLACED }, ++ + /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */ + { NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3, + FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, +-- +2.39.2 + diff --git a/queue-6.3/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch b/queue-6.3/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch new file mode 100644 index 00000000000..31eea94021e --- /dev/null +++ b/queue-6.3/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch @@ -0,0 +1,32 @@ +From fa35127c33201d52a945867f5833392f707a905e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 11:50:33 +0200 +Subject: fbdev: stifb: Fix info entry in sti_struct on error path + +From: Helge Deller + +[ Upstream commit 0bdf1ad8d10bd4e50a8b1a2c53d15984165f7fea ] + +Minor fix to reset the info field to NULL in case of error. + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/stifb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/stifb.c b/drivers/video/fbdev/stifb.c +index ef8a4c5fc6875..63f51783352dc 100644 +--- a/drivers/video/fbdev/stifb.c ++++ b/drivers/video/fbdev/stifb.c +@@ -1413,6 +1413,7 @@ static int __init stifb_init_fb(struct sti_struct *sti, int bpp_pref) + iounmap(info->screen_base); + out_err0: + kfree(fb); ++ sti->info = NULL; + return -ENXIO; + } + +-- +2.39.2 + diff --git a/queue-6.3/gfs2-don-t-deref-jdesc-in-evict.patch b/queue-6.3/gfs2-don-t-deref-jdesc-in-evict.patch new file mode 100644 index 00000000000..a89b6d808b4 --- /dev/null +++ b/queue-6.3/gfs2-don-t-deref-jdesc-in-evict.patch @@ -0,0 +1,66 @@ +From cfa8d103203f7dd51b0039317eef73707888e74f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Apr 2023 12:07:46 -0400 +Subject: gfs2: Don't deref jdesc in evict + +From: Bob Peterson + +[ Upstream commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 ] + +On corrupt gfs2 file systems the evict code can try to reference the +journal descriptor structure, jdesc, after it has been freed and set to +NULL. The sequence of events is: + +init_journal() +... +fail_jindex: + gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL + if (gfs2_holder_initialized(&ji_gh)) + gfs2_glock_dq_uninit(&ji_gh); +fail: + iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode + evict() + gfs2_evict_inode() + evict_linked_inode() + ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks); +<------references the now freed/zeroed sd_jdesc pointer. + +The call to gfs2_trans_begin is done because the truncate_inode_pages +call can cause gfs2 events that require a transaction, such as removing +journaled data (jdata) blocks from the journal. + +This patch fixes the problem by adding a check for sdp->sd_jdesc to +function gfs2_evict_inode. In theory, this should only happen to corrupt +gfs2 file systems, when gfs2 detects the problem, reports it, then tries +to evict all the system inodes it has read in up to that point. + +Reported-by: Yang Lan +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/super.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index a83fa62106f0e..7891f331082aa 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -1410,6 +1410,14 @@ static void gfs2_evict_inode(struct inode *inode) + if (inode->i_nlink || sb_rdonly(sb) || !ip->i_no_addr) + goto out; + ++ /* ++ * In case of an incomplete mount, gfs2_evict_inode() may be called for ++ * system files without having an active journal to write to. In that ++ * case, skip the filesystem evict. ++ */ ++ if (!sdp->sd_jdesc) ++ goto out; ++ + gfs2_holder_mark_uninitialized(&gh); + ret = evict_should_delete(inode, &gh); + if (ret == SHOULD_DEFER_EVICTION) +-- +2.39.2 + diff --git a/queue-6.3/hid-logitech-hidpp-handle-timeout-differently-from-b.patch b/queue-6.3/hid-logitech-hidpp-handle-timeout-differently-from-b.patch new file mode 100644 index 00000000000..2bda8b6679a --- /dev/null +++ b/queue-6.3/hid-logitech-hidpp-handle-timeout-differently-from-b.patch @@ -0,0 +1,45 @@ +From bc65fd3922fad3266979219bb791336ce9fc0c67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 10:24:28 +0200 +Subject: HID: logitech-hidpp: Handle timeout differently from busy + +From: Bastien Nocera + +[ Upstream commit 6199d23c91ce53bfed455f09a8c5ed170d516824 ] + +If an attempt at contacting a receiver or a device fails because the +receiver or device never responds, don't restart the communication, only +restart it if the receiver or device answers that it's busy, as originally +intended. + +This was the behaviour on communication timeout before commit 586e8fede795 +("HID: logitech-hidpp: Retry commands when device is busy"). + +This fixes some overly long waits in a critical path on boot, when +checking whether the device is connected by getting its HID++ version. + +Signed-off-by: Bastien Nocera +Suggested-by: Mark Lord +Fixes: 586e8fede795 ("HID: logitech-hidpp: Retry commands when device is busy") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217412 +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index da89e84c9cbeb..0853114e16a08 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -311,6 +311,7 @@ static int hidpp_send_message_sync(struct hidpp_device *hidpp, + dbg_hid("%s:timeout waiting for response\n", __func__); + memset(response, 0, sizeof(struct hidpp_report)); + ret = -ETIMEDOUT; ++ goto exit; + } + + if (response->report_id == REPORT_ID_HIDPP_SHORT && +-- +2.39.2 + diff --git a/queue-6.3/hwmon-k10temp-add-pci-id-for-family-19-model-78h.patch b/queue-6.3/hwmon-k10temp-add-pci-id-for-family-19-model-78h.patch new file mode 100644 index 00000000000..86778578eb1 --- /dev/null +++ b/queue-6.3/hwmon-k10temp-add-pci-id-for-family-19-model-78h.patch @@ -0,0 +1,37 @@ +From 2634dd89db2e78c0cdb4826f096800bae3da1f3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 00:33:37 -0500 +Subject: hwmon: (k10temp) Add PCI ID for family 19, model 78h + +From: Mario Limonciello + +[ Upstream commit 7d8accfaa0ab65e4282c8e58950f7d688342cd86 ] + +Enable k10temp on this system. + + [ bp: Massage. ] + +Signed-off-by: Mario Limonciello +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230427053338.16653-3-mario.limonciello@amd.com +Signed-off-by: Sasha Levin +--- + drivers/hwmon/k10temp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c +index be8bbb1c3a02d..823d0ca1d6059 100644 +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -507,6 +507,7 @@ static const struct pci_device_id k10temp_id_table[] = { + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M50H_DF_F3) }, + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M60H_DF_F3) }, + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M70H_DF_F3) }, ++ { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M78H_DF_F3) }, + { PCI_VDEVICE(HYGON, PCI_DEVICE_ID_AMD_17H_DF_F3) }, + {} + }; +-- +2.39.2 + diff --git a/queue-6.3/ice-recycle-free-all-of-the-fragments-from-multi-buf.patch b/queue-6.3/ice-recycle-free-all-of-the-fragments-from-multi-buf.patch new file mode 100644 index 00000000000..ec1470603e9 --- /dev/null +++ b/queue-6.3/ice-recycle-free-all-of-the-fragments-from-multi-buf.patch @@ -0,0 +1,92 @@ +From c4c2859a3f6b06afaf1e217214f5600f2aa3ff2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 08:44:57 -0700 +Subject: ice: recycle/free all of the fragments from multi-buffer frame + +From: Maciej Fijalkowski + +[ Upstream commit abaf8d51b0cedb16af51fb6b2189370d7515977c ] + +The ice driver caches next_to_clean value at the beginning of +ice_clean_rx_irq() in order to remember the first buffer that has to be +freed/recycled after main Rx processing loop. The end boundary is +indicated by first descriptor of frame that Rx processing loop has ended +its duties. Note that if mentioned loop ended in the middle of gathering +multi-buffer frame, next_to_clean would be pointing to the descriptor in +the middle of the frame BUT freeing/recycling stage will stop at the +first descriptor. This means that next iteration of ice_clean_rx_irq() +will miss the (first_desc, next_to_clean - 1) entries. + + When running various 9K MTU workloads, such splats were observed: + +[ 540.780716] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 540.787787] #PF: supervisor read access in kernel mode +[ 540.793002] #PF: error_code(0x0000) - not-present page +[ 540.798218] PGD 0 P4D 0 +[ 540.800801] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 540.805231] CPU: 18 PID: 3984 Comm: xskxceiver Tainted: G W 6.3.0-rc7+ #96 +[ 540.813619] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 +[ 540.824209] RIP: 0010:ice_clean_rx_irq+0x2b6/0xf00 [ice] +[ 540.829678] Code: 74 24 10 e9 aa 00 00 00 8b 55 78 41 31 57 10 41 09 c4 4d 85 ff 0f 84 83 00 00 00 49 8b 57 08 41 8b 4f 1c 65 8b 35 1a fa 4b 3f <48> 8b 02 48 c1 e8 3a 39 c6 0f 85 a2 00 00 00 f6 42 08 02 0f 85 98 +[ 540.848717] RSP: 0018:ffffc9000f42fc50 EFLAGS: 00010282 +[ 540.854029] RAX: 0000000000000004 RBX: 0000000000000002 RCX: 000000000000fffe +[ 540.861272] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff +[ 540.868519] RBP: ffff88984a05ac00 R08: 0000000000000000 R09: dead000000000100 +[ 540.875760] R10: ffff88983fffcd00 R11: 000000000010f2b8 R12: 0000000000000004 +[ 540.883008] R13: 0000000000000003 R14: 0000000000000800 R15: ffff889847a10040 +[ 540.890253] FS: 00007f6ddf7fe640(0000) GS:ffff88afdf800000(0000) knlGS:0000000000000000 +[ 540.898465] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 540.904299] CR2: 0000000000000000 CR3: 000000010d3da001 CR4: 00000000007706e0 +[ 540.911542] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 540.918789] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 540.926032] PKRU: 55555554 +[ 540.928790] Call Trace: +[ 540.931276] +[ 540.933418] ice_napi_poll+0x4ca/0x6d0 [ice] +[ 540.937804] ? __pfx_ice_napi_poll+0x10/0x10 [ice] +[ 540.942716] napi_busy_loop+0xd7/0x320 +[ 540.946537] xsk_recvmsg+0x143/0x170 +[ 540.950178] sock_recvmsg+0x99/0xa0 +[ 540.953729] __sys_recvfrom+0xa8/0x120 +[ 540.957543] ? do_futex+0xbd/0x1d0 +[ 540.961008] ? __x64_sys_futex+0x73/0x1d0 +[ 540.965083] __x64_sys_recvfrom+0x20/0x30 +[ 540.969155] do_syscall_64+0x38/0x90 +[ 540.972796] entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 540.977934] RIP: 0033:0x7f6de5f27934 + +To fix this, set cached_ntc to first_desc so that at the end, when +freeing/recycling buffers, descriptors from first to ntc are not missed. + +Fixes: 2fba7dc5157b ("ice: Add support for XDP multi-buffer on Rx side") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Simon Horman +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230531154457.3216621-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c +index 059bd911c51d8..52d0a126eb616 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c +@@ -1152,11 +1152,11 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget) + unsigned int total_rx_bytes = 0, total_rx_pkts = 0; + unsigned int offset = rx_ring->rx_offset; + struct xdp_buff *xdp = &rx_ring->xdp; ++ u32 cached_ntc = rx_ring->first_desc; + struct ice_tx_ring *xdp_ring = NULL; + struct bpf_prog *xdp_prog = NULL; + u32 ntc = rx_ring->next_to_clean; + u32 cnt = rx_ring->count; +- u32 cached_ntc = ntc; + u32 xdp_xmit = 0; + u32 cached_ntu; + bool failure; +-- +2.39.2 + diff --git a/queue-6.3/iio-adc-imx93-fix-a-signedness-bug-in-imx93_adc_read.patch b/queue-6.3/iio-adc-imx93-fix-a-signedness-bug-in-imx93_adc_read.patch new file mode 100644 index 00000000000..f25e4472362 --- /dev/null +++ b/queue-6.3/iio-adc-imx93-fix-a-signedness-bug-in-imx93_adc_read.patch @@ -0,0 +1,62 @@ +From de6e8c113f6f1299a6d1e5a6649f33ed6d8b0853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 18:47:30 +0300 +Subject: iio: adc: imx93: fix a signedness bug in imx93_adc_read_raw() + +From: Dan Carpenter + +[ Upstream commit 20f291b88ecf23f674ee2ed980a4d93b7f16a06f ] + +The problem is these lines: + + ret = vref_uv = regulator_get_voltage(adc->vref); + if (ret < 0) + +The "ret" variable is type long and "vref_uv" is u32 so that means +the condition can never be true on a 64bit system. A negative error +code from regulator_get_voltage() would be cast to a high positive +u32 value and then remain a high positive value when cast to a long. + +The "ret" variable only ever stores ints so it should be declared as +an int. We can delete the "vref_uv" variable and use "ret" directly. + +Fixes: 7d02296ac8b8 ("iio: adc: add imx93 adc support") +Signed-off-by: Dan Carpenter +Reviewed-by: Haibo Chen +Link: https://lore.kernel.org/r/Y+utEvjfjQRQo2QB@kili +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/imx93_adc.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/imx93_adc.c b/drivers/iio/adc/imx93_adc.c +index a775d2e405671..dce9ec91e4a77 100644 +--- a/drivers/iio/adc/imx93_adc.c ++++ b/drivers/iio/adc/imx93_adc.c +@@ -236,8 +236,7 @@ static int imx93_adc_read_raw(struct iio_dev *indio_dev, + { + struct imx93_adc *adc = iio_priv(indio_dev); + struct device *dev = adc->dev; +- long ret; +- u32 vref_uv; ++ int ret; + + switch (mask) { + case IIO_CHAN_INFO_RAW: +@@ -253,10 +252,10 @@ static int imx93_adc_read_raw(struct iio_dev *indio_dev, + return IIO_VAL_INT; + + case IIO_CHAN_INFO_SCALE: +- ret = vref_uv = regulator_get_voltage(adc->vref); ++ ret = regulator_get_voltage(adc->vref); + if (ret < 0) + return ret; +- *val = vref_uv / 1000; ++ *val = ret / 1000; + *val2 = 12; + return IIO_VAL_FRACTIONAL_LOG2; + +-- +2.39.2 + diff --git a/queue-6.3/iommu-amd-add-missing-domain-type-checks.patch b/queue-6.3/iommu-amd-add-missing-domain-type-checks.patch new file mode 100644 index 00000000000..ea4016fc085 --- /dev/null +++ b/queue-6.3/iommu-amd-add-missing-domain-type-checks.patch @@ -0,0 +1,57 @@ +From 2860052f60377b21c53f8c7417655802b01b0b91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 16:04:15 -0300 +Subject: iommu/amd: Add missing domain type checks + +From: Jason Gunthorpe + +[ Upstream commit 29f54745f24547a84b18582e054df9bea1a7bf3e ] + +Drivers are supposed to list the domain types they support in their +domain_alloc() ops so when we add new domain types, like BLOCKING or SVA, +they don't start breaking. + +This ended up providing an empty UNMANAGED domain when the core code asked +for a BLOCKING domain, which happens to be the fallback for drivers that +don't support it, but this is completely wrong for SVA. + +Check for the DMA types AMD supports and reject every other kind. + +Fixes: 136467962e49 ("iommu: Add IOMMU SVA domain support") +Signed-off-by: Jason Gunthorpe +Reviewed-by: Vasant Hegde +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/0-v1-2ac37b893728+da-amd_check_types_jgg@nvidia.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index 478da9b4a1b14..8bd5390808784 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -2065,7 +2065,7 @@ static struct protection_domain *protection_domain_alloc(unsigned int type) + { + struct io_pgtable_ops *pgtbl_ops; + struct protection_domain *domain; +- int pgtable = amd_iommu_pgtable; ++ int pgtable; + int mode = DEFAULT_PGTABLE_LEVEL; + int ret; + +@@ -2082,6 +2082,10 @@ static struct protection_domain *protection_domain_alloc(unsigned int type) + mode = PAGE_MODE_NONE; + } else if (type == IOMMU_DOMAIN_UNMANAGED) { + pgtable = AMD_IOMMU_V1; ++ } else if (type == IOMMU_DOMAIN_DMA || type == IOMMU_DOMAIN_DMA_FQ) { ++ pgtable = amd_iommu_pgtable; ++ } else { ++ return NULL; + } + + switch (pgtable) { +-- +2.39.2 + diff --git a/queue-6.3/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch b/queue-6.3/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch new file mode 100644 index 00000000000..5bb3e0482dd --- /dev/null +++ b/queue-6.3/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch @@ -0,0 +1,76 @@ +From 3119726a03f77fdc8524aeb3b4a3c47a3a256299 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Apr 2023 21:11:53 +0100 +Subject: iommu/amd: Don't block updates to GATag if guest mode is on + +From: Joao Martins + +[ Upstream commit ed8a2f4ddef2eaaf864ab1efbbca9788187036ab ] + +On KVM GSI routing table updates, specially those where they have vIOMMUs +with interrupt remapping enabled (to boot >255vcpus setups without relying +on KVM_FEATURE_MSI_EXT_DEST_ID), a VMM may update the backing VF MSIs +with a new VCPU affinity. + +On AMD with AVIC enabled, the new vcpu affinity info is updated via: + avic_pi_update_irte() + irq_set_vcpu_affinity() + amd_ir_set_vcpu_affinity() + amd_iommu_{de}activate_guest_mode() + +Where the IRTE[GATag] is updated with the new vcpu affinity. The GATag +contains VM ID and VCPU ID, and is used by IOMMU hardware to signal KVM +(via GALog) when interrupt cannot be delivered due to vCPU is in +blocking state. + +The issue is that amd_iommu_activate_guest_mode() will essentially +only change IRTE fields on transitions from non-guest-mode to guest-mode +and otherwise returns *with no changes to IRTE* on already configured +guest-mode interrupts. To the guest this means that the VF interrupts +remain affined to the first vCPU they were first configured, and guest +will be unable to issue VF interrupts and receive messages like this +from spurious interrupts (e.g. from waking the wrong vCPU in GALog): + +[ 167.759472] __common_interrupt: 3.34 No irq handler for vector +[ 230.680927] mlx5_core 0000:00:02.0: mlx5_cmd_eq_recover:247:(pid +3122): Recovered 1 EQEs on cmd_eq +[ 230.681799] mlx5_core 0000:00:02.0: +wait_func_handle_exec_timeout:1113:(pid 3122): cmd[0]: CREATE_CQ(0x400) +recovered after timeout +[ 230.683266] __common_interrupt: 3.34 No irq handler for vector + +Given the fact that amd_ir_set_vcpu_affinity() uses +amd_iommu_activate_guest_mode() underneath it essentially means that VCPU +affinity changes of IRTEs are nops. Fix it by dropping the check for +guest-mode at amd_iommu_activate_guest_mode(). Same thing is applicable to +amd_iommu_deactivate_guest_mode() although, even if the IRTE doesn't change +underlying DestID on the host, the VFIO IRQ handler will still be able to +poke at the right guest-vCPU. + +Fixes: b9c6ff94e43a ("iommu/amd: Re-factor guest virtual APIC (de-)activation code") +Signed-off-by: Joao Martins +Reviewed-by: Suravee Suthikulpanit +Link: https://lore.kernel.org/r/20230419201154.83880-2-joao.m.martins@oracle.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index 167da5b1a5e31..99ec06b0e09f6 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -3482,8 +3482,7 @@ int amd_iommu_activate_guest_mode(void *data) + struct irte_ga *entry = (struct irte_ga *) ir_data->entry; + u64 valid; + +- if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) || +- !entry || entry->lo.fields_vapic.guest_mode) ++ if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) || !entry) + return 0; + + valid = entry->lo.fields_vapic.valid; +-- +2.39.2 + diff --git a/queue-6.3/iommu-amd-fix-up-merge-conflict-resolution.patch b/queue-6.3/iommu-amd-fix-up-merge-conflict-resolution.patch new file mode 100644 index 00000000000..1344e2a5e0a --- /dev/null +++ b/queue-6.3/iommu-amd-fix-up-merge-conflict-resolution.patch @@ -0,0 +1,45 @@ +From 9cdf5ca80aab23540c93531ef193305778800add Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 12:20:13 -0700 +Subject: iommu/amd: Fix up merge conflict resolution + +From: Jerry Snitselaar + +[ Upstream commit 8ec4e2befef10c7679cd59251956a428e783c0b5 ] + +Merge commit e17c6debd4b2 ("Merge branches 'arm/mediatek', 'arm/msm', 'arm/renesas', 'arm/rockchip', 'arm/smmu', 'x86/vt-d' and 'x86/amd' into next") +added amd_iommu_init_devices, amd_iommu_uninit_devices, +and amd_iommu_init_notifier back to drivers/iommu/amd/amd_iommu.h. +The only references to them are here, so clean them up. + +Fixes: e17c6debd4b2 ("Merge branches 'arm/mediatek', 'arm/msm', 'arm/renesas', 'arm/rockchip', 'arm/smmu', 'x86/vt-d' and 'x86/amd' into next") +Cc: Joerg Roedel +Cc: Suravee Suthikulpanit +Cc: Will Deacon +Cc: Robin Murphy +Signed-off-by: Jerry Snitselaar +Reviewed-by: Vasant Hegde +Link: https://lore.kernel.org/r/20230420192013.733331-1-jsnitsel@redhat.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/amd_iommu.h | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/iommu/amd/amd_iommu.h b/drivers/iommu/amd/amd_iommu.h +index 24c7e6c6c0de9..471f40351f4c8 100644 +--- a/drivers/iommu/amd/amd_iommu.h ++++ b/drivers/iommu/amd/amd_iommu.h +@@ -16,9 +16,6 @@ extern irqreturn_t amd_iommu_int_handler(int irq, void *data); + extern void amd_iommu_apply_erratum_63(struct amd_iommu *iommu, u16 devid); + extern void amd_iommu_restart_event_logging(struct amd_iommu *iommu); + extern void amd_iommu_restart_ga_log(struct amd_iommu *iommu); +-extern int amd_iommu_init_devices(void); +-extern void amd_iommu_uninit_devices(void); +-extern void amd_iommu_init_notifier(void); + extern void amd_iommu_set_rlookup_table(struct amd_iommu *iommu, u16 devid); + + #ifdef CONFIG_AMD_IOMMU_DEBUGFS +-- +2.39.2 + diff --git a/queue-6.3/iommu-amd-handle-galog-overflows.patch b/queue-6.3/iommu-amd-handle-galog-overflows.patch new file mode 100644 index 00000000000..8c204bd57b6 --- /dev/null +++ b/queue-6.3/iommu-amd-handle-galog-overflows.patch @@ -0,0 +1,139 @@ +From 82cc8b6eadbe1d1876695c8e525d334e449d9436 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Apr 2023 21:11:54 +0100 +Subject: iommu/amd: Handle GALog overflows + +From: Joao Martins + +[ Upstream commit af47b0a24058e56e983881993752f88288ca6511 ] + +GALog exists to propagate interrupts into all vCPUs in the system when +interrupts are marked as non running (e.g. when vCPUs aren't running). A +GALog overflow happens when there's in no space in the log to record the +GATag of the interrupt. So when the GALOverflow condition happens, the +GALog queue is processed and the GALog is restarted, as the IOMMU +manual indicates in section "2.7.4 Guest Virtual APIC Log Restart +Procedure": + +| * Wait until MMIO Offset 2020h[GALogRun]=0b so that all request +| entries are completed as circumstances allow. GALogRun must be 0b to +| modify the guest virtual APIC log registers safely. +| * Write MMIO Offset 0018h[GALogEn]=0b. +| * As necessary, change the following values (e.g., to relocate or +| resize the guest virtual APIC event log): +| - the Guest Virtual APIC Log Base Address Register +| [MMIO Offset 00E0h], +| - the Guest Virtual APIC Log Head Pointer Register +| [MMIO Offset 2040h][GALogHead], and +| - the Guest Virtual APIC Log Tail Pointer Register +| [MMIO Offset 2048h][GALogTail]. +| * Write MMIO Offset 2020h[GALOverflow] = 1b to clear the bit (W1C). +| * Write MMIO Offset 0018h[GALogEn] = 1b, and either set +| MMIO Offset 0018h[GAIntEn] to enable the GA log interrupt or clear +| the bit to disable it. + +Failing to handle the GALog overflow means that none of the VFs (in any +guest) will work with IOMMU AVIC forcing the user to power cycle the +host. When handling the event it resumes the GALog without resizing +much like how it is done in the event handler overflow. The +[MMIO Offset 2020h][GALOverflow] bit might be set in status register +without the [MMIO Offset 2020h][GAInt] bit, so when deciding to poll +for GA events (to clear space in the galog), also check the overflow +bit. + +[suravee: Check for GAOverflow without GAInt, toggle CONTROL_GAINT_EN] + +Co-developed-by: Suravee Suthikulpanit +Signed-off-by: Suravee Suthikulpanit +Signed-off-by: Joao Martins +Reviewed-by: Vasant Hegde +Link: https://lore.kernel.org/r/20230419201154.83880-3-joao.m.martins@oracle.com +Signed-off-by: Joerg Roedel +Stable-dep-of: 8ec4e2befef1 ("iommu/amd: Fix up merge conflict resolution") +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/amd_iommu.h | 1 + + drivers/iommu/amd/init.c | 24 ++++++++++++++++++++++++ + drivers/iommu/amd/iommu.c | 9 ++++++++- + 3 files changed, 33 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd/amd_iommu.h b/drivers/iommu/amd/amd_iommu.h +index c160a332ce339..24c7e6c6c0de9 100644 +--- a/drivers/iommu/amd/amd_iommu.h ++++ b/drivers/iommu/amd/amd_iommu.h +@@ -15,6 +15,7 @@ extern irqreturn_t amd_iommu_int_thread(int irq, void *data); + extern irqreturn_t amd_iommu_int_handler(int irq, void *data); + extern void amd_iommu_apply_erratum_63(struct amd_iommu *iommu, u16 devid); + extern void amd_iommu_restart_event_logging(struct amd_iommu *iommu); ++extern void amd_iommu_restart_ga_log(struct amd_iommu *iommu); + extern int amd_iommu_init_devices(void); + extern void amd_iommu_uninit_devices(void); + extern void amd_iommu_init_notifier(void); +diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c +index 19a46b9f73574..fd487c33b28aa 100644 +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -751,6 +751,30 @@ void amd_iommu_restart_event_logging(struct amd_iommu *iommu) + iommu_feature_enable(iommu, CONTROL_EVT_LOG_EN); + } + ++/* ++ * This function restarts event logging in case the IOMMU experienced ++ * an GA log overflow. ++ */ ++void amd_iommu_restart_ga_log(struct amd_iommu *iommu) ++{ ++ u32 status; ++ ++ status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET); ++ if (status & MMIO_STATUS_GALOG_RUN_MASK) ++ return; ++ ++ pr_info_ratelimited("IOMMU GA Log restarting\n"); ++ ++ iommu_feature_disable(iommu, CONTROL_GALOG_EN); ++ iommu_feature_disable(iommu, CONTROL_GAINT_EN); ++ ++ writel(MMIO_STATUS_GALOG_OVERFLOW_MASK, ++ iommu->mmio_base + MMIO_STATUS_OFFSET); ++ ++ iommu_feature_enable(iommu, CONTROL_GAINT_EN); ++ iommu_feature_enable(iommu, CONTROL_GALOG_EN); ++} ++ + /* + * This function resets the command buffer if the IOMMU stopped fetching + * commands from it. +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index 99ec06b0e09f6..478da9b4a1b14 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -845,6 +845,7 @@ amd_iommu_set_pci_msi_domain(struct device *dev, struct amd_iommu *iommu) { } + (MMIO_STATUS_EVT_OVERFLOW_INT_MASK | \ + MMIO_STATUS_EVT_INT_MASK | \ + MMIO_STATUS_PPR_INT_MASK | \ ++ MMIO_STATUS_GALOG_OVERFLOW_MASK | \ + MMIO_STATUS_GALOG_INT_MASK) + + irqreturn_t amd_iommu_int_thread(int irq, void *data) +@@ -868,10 +869,16 @@ irqreturn_t amd_iommu_int_thread(int irq, void *data) + } + + #ifdef CONFIG_IRQ_REMAP +- if (status & MMIO_STATUS_GALOG_INT_MASK) { ++ if (status & (MMIO_STATUS_GALOG_INT_MASK | ++ MMIO_STATUS_GALOG_OVERFLOW_MASK)) { + pr_devel("Processing IOMMU GA Log\n"); + iommu_poll_ga_log(iommu); + } ++ ++ if (status & MMIO_STATUS_GALOG_OVERFLOW_MASK) { ++ pr_info_ratelimited("IOMMU GA Log overflow\n"); ++ amd_iommu_restart_ga_log(iommu); ++ } + #endif + + if (status & MMIO_STATUS_EVT_OVERFLOW_INT_MASK) { +-- +2.39.2 + diff --git a/queue-6.3/iommu-make-ipmmu_vmsa-dependencies-more-strict.patch b/queue-6.3/iommu-make-ipmmu_vmsa-dependencies-more-strict.patch new file mode 100644 index 00000000000..536434383ae --- /dev/null +++ b/queue-6.3/iommu-make-ipmmu_vmsa-dependencies-more-strict.patch @@ -0,0 +1,67 @@ +From b741d19d92c24f5c12c39db4ad6294121269b641 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 09:58:17 -0700 +Subject: iommu: Make IPMMU_VMSA dependencies more strict + +From: Randy Dunlap + +[ Upstream commit e332003bb216a9f91e08004b9e2de0745f321290 ] + +On riscv64, linux-next-20233030 (and for several days earlier), +there is a kconfig warning: + +WARNING: unmet direct dependencies detected for IOMMU_IO_PGTABLE_LPAE + Depends on [n]: IOMMU_SUPPORT [=y] && (ARM || ARM64 || COMPILE_TEST [=n]) && !GENERIC_ATOMIC64 [=n] + Selected by [y]: + - IPMMU_VMSA [=y] && IOMMU_SUPPORT [=y] && (ARCH_RENESAS [=y] || COMPILE_TEST [=n]) && !GENERIC_ATOMIC64 [=n] + +and build errors: + +riscv64-linux-ld: drivers/iommu/io-pgtable-arm.o: in function `.L140': +io-pgtable-arm.c:(.init.text+0x1e8): undefined reference to `alloc_io_pgtable_ops' +riscv64-linux-ld: drivers/iommu/io-pgtable-arm.o: in function `.L168': +io-pgtable-arm.c:(.init.text+0xab0): undefined reference to `free_io_pgtable_ops' +riscv64-linux-ld: drivers/iommu/ipmmu-vmsa.o: in function `.L140': +ipmmu-vmsa.c:(.text+0xbc4): undefined reference to `free_io_pgtable_ops' +riscv64-linux-ld: drivers/iommu/ipmmu-vmsa.o: in function `.L0 ': +ipmmu-vmsa.c:(.text+0x145e): undefined reference to `alloc_io_pgtable_ops' + +Add ARM || ARM64 || COMPILE_TEST dependencies to IPMMU_VMSA to prevent +these issues, i.e., so that ARCH_RENESAS on RISC-V is not allowed. + +This makes the ARCH dependencies become: + depends on (ARCH_RENESAS && (ARM || ARM64)) || COMPILE_TEST +but that can be a bit hard to read. + +Fixes: 8292493c22c8 ("riscv: Kconfig.socs: Add ARCH_RENESAS kconfig option") +Signed-off-by: Randy Dunlap +Suggested-by: Geert Uytterhoeven +Cc: Joerg Roedel +Cc: Will Deacon +Cc: Robin Murphy +Cc: iommu@lists.linux.dev +Cc: Conor Dooley +Cc: Lad Prabhakar +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20230330165817.21920-1-rdunlap@infradead.org +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig +index 889c7efd050bc..18e68fbaec884 100644 +--- a/drivers/iommu/Kconfig ++++ b/drivers/iommu/Kconfig +@@ -287,6 +287,7 @@ config EXYNOS_IOMMU_DEBUG + config IPMMU_VMSA + bool "Renesas VMSA-compatible IPMMU" + depends on ARCH_RENESAS || COMPILE_TEST ++ depends on ARM || ARM64 || COMPILE_TEST + depends on !GENERIC_ATOMIC64 # for IOMMU_IO_PGTABLE_LPAE + select IOMMU_API + select IOMMU_IO_PGTABLE_LPAE +-- +2.39.2 + diff --git a/queue-6.3/iommu-mediatek-flush-iotlb-completely-only-if-domain.patch b/queue-6.3/iommu-mediatek-flush-iotlb-completely-only-if-domain.patch new file mode 100644 index 00000000000..5044b92e1df --- /dev/null +++ b/queue-6.3/iommu-mediatek-flush-iotlb-completely-only-if-domain.patch @@ -0,0 +1,58 @@ +From aab94b0a0eb0c855bb6ca02ddd12f83266a27842 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 16:53:59 +0800 +Subject: iommu/mediatek: Flush IOTLB completely only if domain has been + attached + +From: Chen-Yu Tsai + +[ Upstream commit b3fc95709c54ffbe80f16801e0a792a4d2b3d55e ] + +If an IOMMU domain was never attached, it lacks any linkage to the +actual IOMMU hardware. Attempting to do flush_iotlb_all() on it will +result in a NULL pointer dereference. This seems to happen after the +recent IOMMU core rework in v6.4-rc1. + + Unable to handle kernel read from unreadable memory at virtual address 0000000000000018 + Call trace: + mtk_iommu_flush_iotlb_all+0x20/0x80 + iommu_create_device_direct_mappings.part.0+0x13c/0x230 + iommu_setup_default_domain+0x29c/0x4d0 + iommu_probe_device+0x12c/0x190 + of_iommu_configure+0x140/0x208 + of_dma_configure_id+0x19c/0x3c0 + platform_dma_configure+0x38/0x88 + really_probe+0x78/0x2c0 + +Check if the "bank" field has been filled in before actually attempting +the IOTLB flush to avoid it. The IOTLB is also flushed when the device +comes out of runtime suspend, so it should have a clean initial state. + +Fixes: 08500c43d4f7 ("iommu/mediatek: Adjust the structure") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: Yong Wu +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20230526085402.394239-1-wenst@chromium.org +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/mtk_iommu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c +index 6a00ce208dc2b..248b8c2bc4071 100644 +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -738,7 +738,8 @@ static void mtk_iommu_flush_iotlb_all(struct iommu_domain *domain) + { + struct mtk_iommu_domain *dom = to_mtk_domain(domain); + +- mtk_iommu_tlb_flush_all(dom->bank->parent_data); ++ if (dom->bank) ++ mtk_iommu_tlb_flush_all(dom->bank->parent_data); + } + + static void mtk_iommu_iotlb_sync(struct iommu_domain *domain, +-- +2.39.2 + diff --git a/queue-6.3/iommu-rockchip-fix-unwind-goto-issue.patch b/queue-6.3/iommu-rockchip-fix-unwind-goto-issue.patch new file mode 100644 index 00000000000..7b3c5783b67 --- /dev/null +++ b/queue-6.3/iommu-rockchip-fix-unwind-goto-issue.patch @@ -0,0 +1,67 @@ +From f1611ccb1f80fa83ea96f831af10def10fe75eb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 03:04:21 +0000 +Subject: iommu/rockchip: Fix unwind goto issue + +From: Chao Wang + +[ Upstream commit ec014683c564fb74fc68e8f5e84691d3b3839d24 ] + +Smatch complains that +drivers/iommu/rockchip-iommu.c:1306 rk_iommu_probe() warn: missing unwind goto? + +The rk_iommu_probe function, after obtaining the irq value through +platform_get_irq, directly returns an error if the returned value +is negative, without releasing any resources. + +Fix this by adding a new error handling label "err_pm_disable" and +use a goto statement to redirect to the error handling process. In +order to preserve the original semantics, set err to the value of irq. + +Fixes: 1aa55ca9b14a ("iommu/rockchip: Move irq request past pm_runtime_enable") +Signed-off-by: Chao Wang +Reviewed-by: Dongliang Mu +Reviewed-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20230417030421.2777-1-D202280639@hust.edu.cn +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/rockchip-iommu.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/iommu/rockchip-iommu.c b/drivers/iommu/rockchip-iommu.c +index f30db22ea5d7a..31cd1e2929e9f 100644 +--- a/drivers/iommu/rockchip-iommu.c ++++ b/drivers/iommu/rockchip-iommu.c +@@ -1302,20 +1302,22 @@ static int rk_iommu_probe(struct platform_device *pdev) + for (i = 0; i < iommu->num_irq; i++) { + int irq = platform_get_irq(pdev, i); + +- if (irq < 0) +- return irq; ++ if (irq < 0) { ++ err = irq; ++ goto err_pm_disable; ++ } + + err = devm_request_irq(iommu->dev, irq, rk_iommu_irq, + IRQF_SHARED, dev_name(dev), iommu); +- if (err) { +- pm_runtime_disable(dev); +- goto err_remove_sysfs; +- } ++ if (err) ++ goto err_pm_disable; + } + + dma_set_mask_and_coherent(dev, rk_ops->dma_bit_mask); + + return 0; ++err_pm_disable: ++ pm_runtime_disable(dev); + err_remove_sysfs: + iommu_device_sysfs_remove(&iommu->iommu); + err_put_group: +-- +2.39.2 + diff --git a/queue-6.3/kvm-arm64-prevent-unconditional-donation-of-unmapped.patch b/queue-6.3/kvm-arm64-prevent-unconditional-donation-of-unmapped.patch new file mode 100644 index 00000000000..3fda4eb1d21 --- /dev/null +++ b/queue-6.3/kvm-arm64-prevent-unconditional-donation-of-unmapped.patch @@ -0,0 +1,79 @@ +From 663a166a8ccdeb8e43ab3e2ddc67a6edd6a3b727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 10:58:44 +0100 +Subject: KVM: arm64: Prevent unconditional donation of unmapped regions from + the host + +From: Will Deacon + +[ Upstream commit 09cce60bddd6461a93a5bf434265a47827d1bc6f ] + +Since host stage-2 mappings are created lazily, we cannot rely solely on +the pte in order to recover the target physical address when checking a +host-initiated memory transition as this permits donation of unmapped +regions corresponding to MMIO or "no-map" memory. + +Instead of inspecting the pte, move the addr_is_allowed_memory() check +into the host callback function where it is passed the physical address +directly from the walker. + +Cc: Quentin Perret +Fixes: e82edcc75c4e ("KVM: arm64: Implement do_share() helper for sharing memory") +Signed-off-by: Will Deacon +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230518095844.1178-1-will@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/hyp/nvhe/mem_protect.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c +index 552653fa18be3..dab14d3ca7bb6 100644 +--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c ++++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c +@@ -568,7 +568,7 @@ struct pkvm_mem_donation { + + struct check_walk_data { + enum pkvm_page_state desired; +- enum pkvm_page_state (*get_page_state)(kvm_pte_t pte); ++ enum pkvm_page_state (*get_page_state)(kvm_pte_t pte, u64 addr); + }; + + static int __check_page_state_visitor(const struct kvm_pgtable_visit_ctx *ctx, +@@ -576,10 +576,7 @@ static int __check_page_state_visitor(const struct kvm_pgtable_visit_ctx *ctx, + { + struct check_walk_data *d = ctx->arg; + +- if (kvm_pte_valid(ctx->old) && !addr_is_allowed_memory(kvm_pte_to_phys(ctx->old))) +- return -EINVAL; +- +- return d->get_page_state(ctx->old) == d->desired ? 0 : -EPERM; ++ return d->get_page_state(ctx->old, ctx->addr) == d->desired ? 0 : -EPERM; + } + + static int check_page_state_range(struct kvm_pgtable *pgt, u64 addr, u64 size, +@@ -594,8 +591,11 @@ static int check_page_state_range(struct kvm_pgtable *pgt, u64 addr, u64 size, + return kvm_pgtable_walk(pgt, addr, size, &walker); + } + +-static enum pkvm_page_state host_get_page_state(kvm_pte_t pte) ++static enum pkvm_page_state host_get_page_state(kvm_pte_t pte, u64 addr) + { ++ if (!addr_is_allowed_memory(addr)) ++ return PKVM_NOPAGE; ++ + if (!kvm_pte_valid(pte) && pte) + return PKVM_NOPAGE; + +@@ -702,7 +702,7 @@ static int host_complete_donation(u64 addr, const struct pkvm_mem_transition *tx + return host_stage2_set_owner_locked(addr, size, host_id); + } + +-static enum pkvm_page_state hyp_get_page_state(kvm_pte_t pte) ++static enum pkvm_page_state hyp_get_page_state(kvm_pte_t pte, u64 addr) + { + if (!kvm_pte_valid(pte)) + return PKVM_NOPAGE; +-- +2.39.2 + diff --git a/queue-6.3/kvm-arm64-reload-pte-after-invoking-walker-callback-.patch b/queue-6.3/kvm-arm64-reload-pte-after-invoking-walker-callback-.patch new file mode 100644 index 00000000000..d06bc4b0f54 --- /dev/null +++ b/queue-6.3/kvm-arm64-reload-pte-after-invoking-walker-callback-.patch @@ -0,0 +1,90 @@ +From 1a08fe1e4ac12f99a1725b0f92ef5ba9976bacf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 11:32:58 +0100 +Subject: KVM: arm64: Reload PTE after invoking walker callback on preorder + traversal + +From: Fuad Tabba + +[ Upstream commit a9f0e3d5a089d0844abb679a5e99f15010d53e25 ] + +The preorder callback on the kvm_pgtable_stage2_map() path can replace +a table with a block, then recursively free the detached table. The +higher-level walking logic stashes the old page table entry and +then walks the freed table, invoking the leaf callback and +potentially freeing pgtable pages prematurely. + +In normal operation, the call to tear down the detached stage-2 +is indirected and uses an RCU callback to trigger the freeing. +RCU is not available to pKVM, which is where this bug is +triggered. + +Change the behavior of the walker to reload the page table entry +after invoking the walker callback on preorder traversal, as it +does for leaf entries. + +Tested on Pixel 6. + +Fixes: 5c359cca1faf ("KVM: arm64: Tear down unlinked stage-2 subtree after break-before-make") +Suggested-by: Oliver Upton +Signed-off-by: Fuad Tabba +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230522103258.402272-1-tabba@google.com +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/kvm_pgtable.h | 6 +++--- + arch/arm64/kvm/hyp/pgtable.c | 14 +++++++++++++- + 2 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/include/asm/kvm_pgtable.h b/arch/arm64/include/asm/kvm_pgtable.h +index dc3c072e862f1..93bd0975b15f5 100644 +--- a/arch/arm64/include/asm/kvm_pgtable.h ++++ b/arch/arm64/include/asm/kvm_pgtable.h +@@ -632,9 +632,9 @@ int kvm_pgtable_stage2_flush(struct kvm_pgtable *pgt, u64 addr, u64 size); + * + * The walker will walk the page-table entries corresponding to the input + * address range specified, visiting entries according to the walker flags. +- * Invalid entries are treated as leaf entries. Leaf entries are reloaded +- * after invoking the walker callback, allowing the walker to descend into +- * a newly installed table. ++ * Invalid entries are treated as leaf entries. The visited page table entry is ++ * reloaded after invoking the walker callback, allowing the walker to descend ++ * into a newly installed table. + * + * Returning a negative error code from the walker callback function will + * terminate the walk immediately with the same error code. +diff --git a/arch/arm64/kvm/hyp/pgtable.c b/arch/arm64/kvm/hyp/pgtable.c +index 140f82300db5a..faddf1e71c8de 100644 +--- a/arch/arm64/kvm/hyp/pgtable.c ++++ b/arch/arm64/kvm/hyp/pgtable.c +@@ -209,14 +209,26 @@ static inline int __kvm_pgtable_visit(struct kvm_pgtable_walk_data *data, + .flags = flags, + }; + int ret = 0; ++ bool reload = false; + kvm_pteref_t childp; + bool table = kvm_pte_table(ctx.old, level); + +- if (table && (ctx.flags & KVM_PGTABLE_WALK_TABLE_PRE)) ++ if (table && (ctx.flags & KVM_PGTABLE_WALK_TABLE_PRE)) { + ret = kvm_pgtable_visitor_cb(data, &ctx, KVM_PGTABLE_WALK_TABLE_PRE); ++ reload = true; ++ } + + if (!table && (ctx.flags & KVM_PGTABLE_WALK_LEAF)) { + ret = kvm_pgtable_visitor_cb(data, &ctx, KVM_PGTABLE_WALK_LEAF); ++ reload = true; ++ } ++ ++ /* ++ * Reload the page table after invoking the walker callback for leaf ++ * entries or after pre-order traversal, to allow the walker to descend ++ * into a newly installed or replaced table. ++ */ ++ if (reload) { + ctx.old = READ_ONCE(*ptep); + table = kvm_pte_table(ctx.old, level); + } +-- +2.39.2 + diff --git a/queue-6.3/kvm-arm64-vgic-fix-a-circular-locking-issue.patch b/queue-6.3/kvm-arm64-vgic-fix-a-circular-locking-issue.patch new file mode 100644 index 00000000000..5cbe09bb8b9 --- /dev/null +++ b/queue-6.3/kvm-arm64-vgic-fix-a-circular-locking-issue.patch @@ -0,0 +1,348 @@ +From bef0f4d7a2019ef71eec81416b1edec61b2008b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 11:09:15 +0100 +Subject: KVM: arm64: vgic: Fix a circular locking issue + +From: Jean-Philippe Brucker + +[ Upstream commit 59112e9c390be595224e427827475a6cd3726021 ] + +Lockdep reports a circular lock dependency between the srcu and the +config_lock: + +[ 262.179917] -> #1 (&kvm->srcu){.+.+}-{0:0}: +[ 262.182010] __synchronize_srcu+0xb0/0x224 +[ 262.183422] synchronize_srcu_expedited+0x24/0x34 +[ 262.184554] kvm_io_bus_register_dev+0x324/0x50c +[ 262.185650] vgic_register_redist_iodev+0x254/0x398 +[ 262.186740] vgic_v3_set_redist_base+0x3b0/0x724 +[ 262.188087] kvm_vgic_addr+0x364/0x600 +[ 262.189189] vgic_set_common_attr+0x90/0x544 +[ 262.190278] vgic_v3_set_attr+0x74/0x9c +[ 262.191432] kvm_device_ioctl+0x2a0/0x4e4 +[ 262.192515] __arm64_sys_ioctl+0x7ac/0x1ba8 +[ 262.193612] invoke_syscall.constprop.0+0x70/0x1e0 +[ 262.195006] do_el0_svc+0xe4/0x2d4 +[ 262.195929] el0_svc+0x44/0x8c +[ 262.196917] el0t_64_sync_handler+0xf4/0x120 +[ 262.198238] el0t_64_sync+0x190/0x194 +[ 262.199224] +[ 262.199224] -> #0 (&kvm->arch.config_lock){+.+.}-{3:3}: +[ 262.201094] __lock_acquire+0x2b70/0x626c +[ 262.202245] lock_acquire+0x454/0x778 +[ 262.203132] __mutex_lock+0x190/0x8b4 +[ 262.204023] mutex_lock_nested+0x24/0x30 +[ 262.205100] vgic_mmio_write_v3_misc+0x5c/0x2a0 +[ 262.206178] dispatch_mmio_write+0xd8/0x258 +[ 262.207498] __kvm_io_bus_write+0x1e0/0x350 +[ 262.208582] kvm_io_bus_write+0xe0/0x1cc +[ 262.209653] io_mem_abort+0x2ac/0x6d8 +[ 262.210569] kvm_handle_guest_abort+0x9b8/0x1f88 +[ 262.211937] handle_exit+0xc4/0x39c +[ 262.212971] kvm_arch_vcpu_ioctl_run+0x90c/0x1c04 +[ 262.214154] kvm_vcpu_ioctl+0x450/0x12f8 +[ 262.215233] __arm64_sys_ioctl+0x7ac/0x1ba8 +[ 262.216402] invoke_syscall.constprop.0+0x70/0x1e0 +[ 262.217774] do_el0_svc+0xe4/0x2d4 +[ 262.218758] el0_svc+0x44/0x8c +[ 262.219941] el0t_64_sync_handler+0xf4/0x120 +[ 262.221110] el0t_64_sync+0x190/0x194 + +Note that the current report, which can be triggered by the vgic_irq +kselftest, is a triple chain that includes slots_lock, but after +inverting the slots_lock/config_lock dependency, the actual problem +reported above remains. + +In several places, the vgic code calls kvm_io_bus_register_dev(), which +synchronizes the srcu, while holding config_lock (#1). And the MMIO +handler takes the config_lock while holding the srcu read lock (#0). + +Break dependency #1, by registering the distributor and redistributors +without holding config_lock. The ITS also uses kvm_io_bus_register_dev() +but already relies on slots_lock to serialize calls. + +The distributor iodev is created on the first KVM_RUN call. Multiple +threads will race for vgic initialization, and only the first one will +see !vgic_ready() under the lock. To serialize those threads, rely on +slots_lock rather than config_lock. + +Redistributors are created earlier, through KVM_DEV_ARM_VGIC_GRP_ADDR +ioctls and vCPU creation. Similarly, serialize the iodev creation with +slots_lock, and the rest with config_lock. + +Fixes: f00327731131 ("KVM: arm64: Use config_lock to protect vgic state") +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230518100914.2837292-2-jean-philippe@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/vgic/vgic-init.c | 25 ++++++++++++++++----- + arch/arm64/kvm/vgic/vgic-kvm-device.c | 10 +++++++-- + arch/arm64/kvm/vgic/vgic-mmio-v3.c | 31 ++++++++++++++++++--------- + arch/arm64/kvm/vgic/vgic-mmio.c | 9 ++------ + arch/arm64/kvm/vgic/vgic-v2.c | 6 ------ + arch/arm64/kvm/vgic/vgic-v3.c | 7 ------ + 6 files changed, 51 insertions(+), 37 deletions(-) + +diff --git a/arch/arm64/kvm/vgic/vgic-init.c b/arch/arm64/kvm/vgic/vgic-init.c +index 9d42c7cb2b588..c199ba2f192ef 100644 +--- a/arch/arm64/kvm/vgic/vgic-init.c ++++ b/arch/arm64/kvm/vgic/vgic-init.c +@@ -235,9 +235,9 @@ int kvm_vgic_vcpu_init(struct kvm_vcpu *vcpu) + * KVM io device for the redistributor that belongs to this VCPU. + */ + if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) { +- mutex_lock(&vcpu->kvm->arch.config_lock); ++ mutex_lock(&vcpu->kvm->slots_lock); + ret = vgic_register_redist_iodev(vcpu); +- mutex_unlock(&vcpu->kvm->arch.config_lock); ++ mutex_unlock(&vcpu->kvm->slots_lock); + } + return ret; + } +@@ -446,11 +446,13 @@ int vgic_lazy_init(struct kvm *kvm) + int kvm_vgic_map_resources(struct kvm *kvm) + { + struct vgic_dist *dist = &kvm->arch.vgic; ++ gpa_t dist_base; + int ret = 0; + + if (likely(vgic_ready(kvm))) + return 0; + ++ mutex_lock(&kvm->slots_lock); + mutex_lock(&kvm->arch.config_lock); + if (vgic_ready(kvm)) + goto out; +@@ -463,13 +465,26 @@ int kvm_vgic_map_resources(struct kvm *kvm) + else + ret = vgic_v3_map_resources(kvm); + +- if (ret) ++ if (ret) { + __kvm_vgic_destroy(kvm); +- else +- dist->ready = true; ++ goto out; ++ } ++ dist->ready = true; ++ dist_base = dist->vgic_dist_base; ++ mutex_unlock(&kvm->arch.config_lock); ++ ++ ret = vgic_register_dist_iodev(kvm, dist_base, ++ kvm_vgic_global_state.type); ++ if (ret) { ++ kvm_err("Unable to register VGIC dist MMIO regions\n"); ++ kvm_vgic_destroy(kvm); ++ } ++ mutex_unlock(&kvm->slots_lock); ++ return ret; + + out: + mutex_unlock(&kvm->arch.config_lock); ++ mutex_unlock(&kvm->slots_lock); + return ret; + } + +diff --git a/arch/arm64/kvm/vgic/vgic-kvm-device.c b/arch/arm64/kvm/vgic/vgic-kvm-device.c +index 07e727023deb7..bf4b3d9631ce1 100644 +--- a/arch/arm64/kvm/vgic/vgic-kvm-device.c ++++ b/arch/arm64/kvm/vgic/vgic-kvm-device.c +@@ -102,7 +102,11 @@ static int kvm_vgic_addr(struct kvm *kvm, struct kvm_device_attr *attr, bool wri + if (get_user(addr, uaddr)) + return -EFAULT; + +- mutex_lock(&kvm->arch.config_lock); ++ /* ++ * Since we can't hold config_lock while registering the redistributor ++ * iodevs, take the slots_lock immediately. ++ */ ++ mutex_lock(&kvm->slots_lock); + switch (attr->attr) { + case KVM_VGIC_V2_ADDR_TYPE_DIST: + r = vgic_check_type(kvm, KVM_DEV_TYPE_ARM_VGIC_V2); +@@ -182,6 +186,7 @@ static int kvm_vgic_addr(struct kvm *kvm, struct kvm_device_attr *attr, bool wri + if (r) + goto out; + ++ mutex_lock(&kvm->arch.config_lock); + if (write) { + r = vgic_check_iorange(kvm, *addr_ptr, addr, alignment, size); + if (!r) +@@ -189,9 +194,10 @@ static int kvm_vgic_addr(struct kvm *kvm, struct kvm_device_attr *attr, bool wri + } else { + addr = *addr_ptr; + } ++ mutex_unlock(&kvm->arch.config_lock); + + out: +- mutex_unlock(&kvm->arch.config_lock); ++ mutex_unlock(&kvm->slots_lock); + + if (!r && !write) + r = put_user(addr, uaddr); +diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c +index 472b18ac92a24..188d2187eede9 100644 +--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c ++++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c +@@ -769,10 +769,13 @@ int vgic_register_redist_iodev(struct kvm_vcpu *vcpu) + struct vgic_io_device *rd_dev = &vcpu->arch.vgic_cpu.rd_iodev; + struct vgic_redist_region *rdreg; + gpa_t rd_base; +- int ret; ++ int ret = 0; ++ ++ lockdep_assert_held(&kvm->slots_lock); ++ mutex_lock(&kvm->arch.config_lock); + + if (!IS_VGIC_ADDR_UNDEF(vgic_cpu->rd_iodev.base_addr)) +- return 0; ++ goto out_unlock; + + /* + * We may be creating VCPUs before having set the base address for the +@@ -782,10 +785,12 @@ int vgic_register_redist_iodev(struct kvm_vcpu *vcpu) + */ + rdreg = vgic_v3_rdist_free_slot(&vgic->rd_regions); + if (!rdreg) +- return 0; ++ goto out_unlock; + +- if (!vgic_v3_check_base(kvm)) +- return -EINVAL; ++ if (!vgic_v3_check_base(kvm)) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } + + vgic_cpu->rdreg = rdreg; + vgic_cpu->rdreg_index = rdreg->free_index; +@@ -799,16 +804,20 @@ int vgic_register_redist_iodev(struct kvm_vcpu *vcpu) + rd_dev->nr_regions = ARRAY_SIZE(vgic_v3_rd_registers); + rd_dev->redist_vcpu = vcpu; + +- mutex_lock(&kvm->slots_lock); ++ mutex_unlock(&kvm->arch.config_lock); ++ + ret = kvm_io_bus_register_dev(kvm, KVM_MMIO_BUS, rd_base, + 2 * SZ_64K, &rd_dev->dev); +- mutex_unlock(&kvm->slots_lock); +- + if (ret) + return ret; + ++ /* Protected by slots_lock */ + rdreg->free_index++; + return 0; ++ ++out_unlock: ++ mutex_unlock(&kvm->arch.config_lock); ++ return ret; + } + + static void vgic_unregister_redist_iodev(struct kvm_vcpu *vcpu) +@@ -834,12 +843,10 @@ static int vgic_register_all_redist_iodevs(struct kvm *kvm) + /* The current c failed, so iterate over the previous ones. */ + int i; + +- mutex_lock(&kvm->slots_lock); + for (i = 0; i < c; i++) { + vcpu = kvm_get_vcpu(kvm, i); + vgic_unregister_redist_iodev(vcpu); + } +- mutex_unlock(&kvm->slots_lock); + } + + return ret; +@@ -938,7 +945,9 @@ int vgic_v3_set_redist_base(struct kvm *kvm, u32 index, u64 addr, u32 count) + { + int ret; + ++ mutex_lock(&kvm->arch.config_lock); + ret = vgic_v3_alloc_redist_region(kvm, index, addr, count); ++ mutex_unlock(&kvm->arch.config_lock); + if (ret) + return ret; + +@@ -950,8 +959,10 @@ int vgic_v3_set_redist_base(struct kvm *kvm, u32 index, u64 addr, u32 count) + if (ret) { + struct vgic_redist_region *rdreg; + ++ mutex_lock(&kvm->arch.config_lock); + rdreg = vgic_v3_rdist_region_from_index(kvm, index); + vgic_v3_free_redist_region(rdreg); ++ mutex_unlock(&kvm->arch.config_lock); + return ret; + } + +diff --git a/arch/arm64/kvm/vgic/vgic-mmio.c b/arch/arm64/kvm/vgic/vgic-mmio.c +index 1939c94e0b248..ff558c05e990c 100644 +--- a/arch/arm64/kvm/vgic/vgic-mmio.c ++++ b/arch/arm64/kvm/vgic/vgic-mmio.c +@@ -1096,7 +1096,6 @@ int vgic_register_dist_iodev(struct kvm *kvm, gpa_t dist_base_address, + enum vgic_type type) + { + struct vgic_io_device *io_device = &kvm->arch.vgic.dist_iodev; +- int ret = 0; + unsigned int len; + + switch (type) { +@@ -1114,10 +1113,6 @@ int vgic_register_dist_iodev(struct kvm *kvm, gpa_t dist_base_address, + io_device->iodev_type = IODEV_DIST; + io_device->redist_vcpu = NULL; + +- mutex_lock(&kvm->slots_lock); +- ret = kvm_io_bus_register_dev(kvm, KVM_MMIO_BUS, dist_base_address, +- len, &io_device->dev); +- mutex_unlock(&kvm->slots_lock); +- +- return ret; ++ return kvm_io_bus_register_dev(kvm, KVM_MMIO_BUS, dist_base_address, ++ len, &io_device->dev); + } +diff --git a/arch/arm64/kvm/vgic/vgic-v2.c b/arch/arm64/kvm/vgic/vgic-v2.c +index 645648349c99b..7e9cdb78f7ce8 100644 +--- a/arch/arm64/kvm/vgic/vgic-v2.c ++++ b/arch/arm64/kvm/vgic/vgic-v2.c +@@ -312,12 +312,6 @@ int vgic_v2_map_resources(struct kvm *kvm) + return ret; + } + +- ret = vgic_register_dist_iodev(kvm, dist->vgic_dist_base, VGIC_V2); +- if (ret) { +- kvm_err("Unable to register VGIC MMIO regions\n"); +- return ret; +- } +- + if (!static_branch_unlikely(&vgic_v2_cpuif_trap)) { + ret = kvm_phys_addr_ioremap(kvm, dist->vgic_cpu_base, + kvm_vgic_global_state.vcpu_base, +diff --git a/arch/arm64/kvm/vgic/vgic-v3.c b/arch/arm64/kvm/vgic/vgic-v3.c +index 469d816f356f3..76af07e66d731 100644 +--- a/arch/arm64/kvm/vgic/vgic-v3.c ++++ b/arch/arm64/kvm/vgic/vgic-v3.c +@@ -539,7 +539,6 @@ int vgic_v3_map_resources(struct kvm *kvm) + { + struct vgic_dist *dist = &kvm->arch.vgic; + struct kvm_vcpu *vcpu; +- int ret = 0; + unsigned long c; + + kvm_for_each_vcpu(c, vcpu, kvm) { +@@ -569,12 +568,6 @@ int vgic_v3_map_resources(struct kvm *kvm) + return -EBUSY; + } + +- ret = vgic_register_dist_iodev(kvm, dist->vgic_dist_base, VGIC_V3); +- if (ret) { +- kvm_err("Unable to register VGICv3 dist MMIO regions\n"); +- return ret; +- } +- + if (kvm_vgic_global_state.has_gicv4_1) + vgic_v4_configure_vsgis(kvm); + +-- +2.39.2 + diff --git a/queue-6.3/kvm-arm64-vgic-fix-locking-comment.patch b/queue-6.3/kvm-arm64-vgic-fix-locking-comment.patch new file mode 100644 index 00000000000..c8eabb57e8c --- /dev/null +++ b/queue-6.3/kvm-arm64-vgic-fix-locking-comment.patch @@ -0,0 +1,45 @@ +From bc91b75278f960c9f091d7904c914c7836c51f62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 11:09:17 +0100 +Subject: KVM: arm64: vgic: Fix locking comment + +From: Jean-Philippe Brucker + +[ Upstream commit c38b8400aef99d63be2b1ff131bb993465dcafe1 ] + +It is now config_lock that must be held, not kvm lock. Replace the +comment with a lockdep annotation. + +Fixes: f00327731131 ("KVM: arm64: Use config_lock to protect vgic state") +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230518100914.2837292-4-jean-philippe@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/vgic/vgic-v4.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kvm/vgic/vgic-v4.c b/arch/arm64/kvm/vgic/vgic-v4.c +index 3bb0034780605..c1c28fe680ba3 100644 +--- a/arch/arm64/kvm/vgic/vgic-v4.c ++++ b/arch/arm64/kvm/vgic/vgic-v4.c +@@ -184,13 +184,14 @@ static void vgic_v4_disable_vsgis(struct kvm_vcpu *vcpu) + } + } + +-/* Must be called with the kvm lock held */ + void vgic_v4_configure_vsgis(struct kvm *kvm) + { + struct vgic_dist *dist = &kvm->arch.vgic; + struct kvm_vcpu *vcpu; + unsigned long i; + ++ lockdep_assert_held(&kvm->arch.config_lock); ++ + kvm_arm_halt_guest(kvm); + + kvm_for_each_vcpu(i, vcpu, kvm) { +-- +2.39.2 + diff --git a/queue-6.3/kvm-arm64-vgic-wrap-vgic_its_create-with-config_lock.patch b/queue-6.3/kvm-arm64-vgic-wrap-vgic_its_create-with-config_lock.patch new file mode 100644 index 00000000000..c8048f1488e --- /dev/null +++ b/queue-6.3/kvm-arm64-vgic-wrap-vgic_its_create-with-config_lock.patch @@ -0,0 +1,93 @@ +From 45ebfb229dfedc3e7ceea40611c5e795168a12f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 11:09:16 +0100 +Subject: KVM: arm64: vgic: Wrap vgic_its_create() with config_lock + +From: Jean-Philippe Brucker + +[ Upstream commit 9cf2f840c439b6b23bd99f584f2917ca425ae406 ] + +vgic_its_create() changes the vgic state without holding the +config_lock, which triggers a lockdep warning in vgic_v4_init(): + +[ 358.667941] WARNING: CPU: 3 PID: 178 at arch/arm64/kvm/vgic/vgic-v4.c:245 vgic_v4_init+0x15c/0x7a8 +... +[ 358.707410] vgic_v4_init+0x15c/0x7a8 +[ 358.708550] vgic_its_create+0x37c/0x4a4 +[ 358.709640] kvm_vm_ioctl+0x1518/0x2d80 +[ 358.710688] __arm64_sys_ioctl+0x7ac/0x1ba8 +[ 358.711960] invoke_syscall.constprop.0+0x70/0x1e0 +[ 358.713245] do_el0_svc+0xe4/0x2d4 +[ 358.714289] el0_svc+0x44/0x8c +[ 358.715329] el0t_64_sync_handler+0xf4/0x120 +[ 358.716615] el0t_64_sync+0x190/0x194 + +Wrap the whole of vgic_its_create() with config_lock since, in addition +to calling vgic_v4_init(), it also modifies the global kvm->arch.vgic +state. + +Fixes: f00327731131 ("KVM: arm64: Use config_lock to protect vgic state") +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230518100914.2837292-3-jean-philippe@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/vgic/vgic-its.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c +index 750e51e3779a3..5fe2365a629f2 100644 +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -1936,6 +1936,7 @@ void vgic_lpi_translation_cache_destroy(struct kvm *kvm) + + static int vgic_its_create(struct kvm_device *dev, u32 type) + { ++ int ret; + struct vgic_its *its; + + if (type != KVM_DEV_TYPE_ARM_VGIC_ITS) +@@ -1945,9 +1946,12 @@ static int vgic_its_create(struct kvm_device *dev, u32 type) + if (!its) + return -ENOMEM; + ++ mutex_lock(&dev->kvm->arch.config_lock); ++ + if (vgic_initialized(dev->kvm)) { +- int ret = vgic_v4_init(dev->kvm); ++ ret = vgic_v4_init(dev->kvm); + if (ret < 0) { ++ mutex_unlock(&dev->kvm->arch.config_lock); + kfree(its); + return ret; + } +@@ -1960,12 +1964,10 @@ static int vgic_its_create(struct kvm_device *dev, u32 type) + + /* Yep, even more trickery for lock ordering... */ + #ifdef CONFIG_LOCKDEP +- mutex_lock(&dev->kvm->arch.config_lock); + mutex_lock(&its->cmd_lock); + mutex_lock(&its->its_lock); + mutex_unlock(&its->its_lock); + mutex_unlock(&its->cmd_lock); +- mutex_unlock(&dev->kvm->arch.config_lock); + #endif + + its->vgic_its_base = VGIC_ADDR_UNDEF; +@@ -1986,7 +1988,11 @@ static int vgic_its_create(struct kvm_device *dev, u32 type) + + dev->private = its; + +- return vgic_its_set_abi(its, NR_ITS_ABIS - 1); ++ ret = vgic_its_set_abi(its, NR_ITS_ABIS - 1); ++ ++ mutex_unlock(&dev->kvm->arch.config_lock); ++ ++ return ret; + } + + static void vgic_its_destroy(struct kvm_device *kvm_dev) +-- +2.39.2 + diff --git a/queue-6.3/loongarch-add-arch_has_fortify_source-selection.patch b/queue-6.3/loongarch-add-arch_has_fortify_source-selection.patch new file mode 100644 index 00000000000..310469d9d10 --- /dev/null +++ b/queue-6.3/loongarch-add-arch_has_fortify_source-selection.patch @@ -0,0 +1,38 @@ +From e70de81584b884522ba5329397d664d7e19c93ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 May 2023 17:19:52 +0800 +Subject: LoongArch: Add ARCH_HAS_FORTIFY_SOURCE selection + +From: Qing Zhang + +[ Upstream commit d4c937c2a57bbba24790be6fe7a791456f5fbb60 ] + +FORTIFY_SOURCE could detect various overflows at compile and run time. +ARCH_HAS_FORTIFY_SOURCE means that the architecture can be built and run +with CONFIG_FORTIFY_SOURCE. So select it in LoongArch. + +See more about this feature from commit 6974f0c4555e285 ("include/linux/ +string.h: add the option of fortified string.h functions"). + +Signed-off-by: Qing Zhang +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/loongarch/Kconfig b/arch/loongarch/Kconfig +index 3ddde336e6a56..3e5d6acbf2409 100644 +--- a/arch/loongarch/Kconfig ++++ b/arch/loongarch/Kconfig +@@ -10,6 +10,7 @@ config LOONGARCH + select ARCH_ENABLE_MEMORY_HOTPLUG + select ARCH_ENABLE_MEMORY_HOTREMOVE + select ARCH_HAS_ACPI_TABLE_UPGRADE if ACPI ++ select ARCH_HAS_FORTIFY_SOURCE + select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS + select ARCH_HAS_PTE_SPECIAL + select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST +-- +2.39.2 + diff --git a/queue-6.3/loongarch-relay-bce-exceptions-to-userland-as-sigseg.patch b/queue-6.3/loongarch-relay-bce-exceptions-to-userland-as-sigseg.patch new file mode 100644 index 00000000000..4fe2ee6e4bd --- /dev/null +++ b/queue-6.3/loongarch-relay-bce-exceptions-to-userland-as-sigseg.patch @@ -0,0 +1,241 @@ +From 66fc814a147e718b7f74fc0ed6e5ecf7638b80c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 May 2023 17:19:27 +0800 +Subject: LoongArch: Relay BCE exceptions to userland as SIGSEGV with + si_code=SEGV_BNDERR + +From: WANG Xuerui + +[ Upstream commit c23e7f01cf621290770069d968ca4c8356a50d00 ] + +SEGV_BNDERR was introduced initially for supporting the Intel MPX, but +fell into disuse after the MPX support was removed. The LoongArch +bounds-checking instructions behave very differently than MPX, but +overall the interface is still kind of suitable for conveying the +information to userland when bounds-checking assertions trigger, so we +wouldn't have to invent more UAPI. Specifically, when the BCE triggers, +a SEGV_BNDERR is sent to userland, with si_addr set to the out-of-bounds +address or value (in asrt{gt,le}'s case), and one of si_lower or +si_upper set to the configured bound depending on the faulting +instruction. The other bound is set to either 0 or ULONG_MAX to resemble +a range with both lower and upper bounds. + +Note that it is possible to have si_addr == si_lower in case of a +failing asrtgt or {ld,st}gt, because those instructions test for strict +greater-than relationship. This should not pose a problem for userland, +though, because the faulting PC is available for the application to +associate back to the exact instruction for figuring out the +expectation. + +Example exception context generated by a faulting `asrtgt.d t0, t1` +(assert t0 > t1 or BCE) with t0=100 and t1=200: + +> pc 00005555558206a4 ra 00007ffff2d854fc tp 00007ffff2f2f180 sp 00007ffffbf9fb80 +> a0 0000000000000002 a1 00007ffffbf9fce8 a2 00007ffffbf9fd00 a3 00007ffff2ed4558 +> a4 0000000000000000 a5 00007ffff2f044c8 a6 00007ffffbf9fce0 a7 fffffffffffff000 +> t0 0000000000000064 t1 00000000000000c8 t2 00007ffffbfa2d5e t3 00007ffff2f12aa0 +> t4 00007ffff2ed6158 t5 00007ffff2ed6158 t6 000000000000002e t7 0000000003d8f538 +> t8 0000000000000005 u0 0000000000000000 s9 0000000000000000 s0 00007ffffbf9fce8 +> s1 0000000000000002 s2 0000000000000000 s3 00007ffff2f2c038 s4 0000555555820610 +> s5 00007ffff2ed5000 s6 0000555555827e38 s7 00007ffffbf9fd00 s8 0000555555827e38 +> ra: 00007ffff2d854fc +> ERA: 00005555558206a4 +> CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) +> PRMD: 00000007 (PPLV3 +PIE -PWE) +> EUEN: 00000000 (-FPE -SXE -ASXE -BTE) +> ECFG: 0007181c (LIE=2-4,11-12 VS=7) +> ESTAT: 000a0000 [BCE] (IS= ECode=10 EsubCode=0) +> PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) + +Signed-off-by: WANG Xuerui +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/include/asm/inst.h | 26 +++++++++ + arch/loongarch/kernel/genex.S | 1 + + arch/loongarch/kernel/traps.c | 92 +++++++++++++++++++++++++++++++ + 3 files changed, 119 insertions(+) + +diff --git a/arch/loongarch/include/asm/inst.h b/arch/loongarch/include/asm/inst.h +index a04fe755d7193..b09887ffcd15d 100644 +--- a/arch/loongarch/include/asm/inst.h ++++ b/arch/loongarch/include/asm/inst.h +@@ -121,6 +121,8 @@ enum reg2bstrd_op { + }; + + enum reg3_op { ++ asrtle_op = 0x02, ++ asrtgt_op = 0x03, + addw_op = 0x20, + addd_op = 0x21, + subw_op = 0x22, +@@ -176,6 +178,30 @@ enum reg3_op { + amord_op = 0x70c7, + amxorw_op = 0x70c8, + amxord_op = 0x70c9, ++ fldgts_op = 0x70e8, ++ fldgtd_op = 0x70e9, ++ fldles_op = 0x70ea, ++ fldled_op = 0x70eb, ++ fstgts_op = 0x70ec, ++ fstgtd_op = 0x70ed, ++ fstles_op = 0x70ee, ++ fstled_op = 0x70ef, ++ ldgtb_op = 0x70f0, ++ ldgth_op = 0x70f1, ++ ldgtw_op = 0x70f2, ++ ldgtd_op = 0x70f3, ++ ldleb_op = 0x70f4, ++ ldleh_op = 0x70f5, ++ ldlew_op = 0x70f6, ++ ldled_op = 0x70f7, ++ stgtb_op = 0x70f8, ++ stgth_op = 0x70f9, ++ stgtw_op = 0x70fa, ++ stgtd_op = 0x70fb, ++ stleb_op = 0x70fc, ++ stleh_op = 0x70fd, ++ stlew_op = 0x70fe, ++ stled_op = 0x70ff, + }; + + enum reg3sa2_op { +diff --git a/arch/loongarch/kernel/genex.S b/arch/loongarch/kernel/genex.S +index 44ff1ff642601..78f0663846575 100644 +--- a/arch/loongarch/kernel/genex.S ++++ b/arch/loongarch/kernel/genex.S +@@ -82,6 +82,7 @@ SYM_FUNC_END(except_vec_cex) + + BUILD_HANDLER ade ade badv + BUILD_HANDLER ale ale badv ++ BUILD_HANDLER bce bce none + BUILD_HANDLER bp bp none + BUILD_HANDLER fpe fpe fcsr + BUILD_HANDLER fpu fpu none +diff --git a/arch/loongarch/kernel/traps.c b/arch/loongarch/kernel/traps.c +index de8ebe20b666c..03ebfd2a4392f 100644 +--- a/arch/loongarch/kernel/traps.c ++++ b/arch/loongarch/kernel/traps.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -50,6 +51,7 @@ + + extern asmlinkage void handle_ade(void); + extern asmlinkage void handle_ale(void); ++extern asmlinkage void handle_bce(void); + extern asmlinkage void handle_sys(void); + extern asmlinkage void handle_bp(void); + extern asmlinkage void handle_ri(void); +@@ -430,6 +432,95 @@ static void bug_handler(struct pt_regs *regs) + } + } + ++asmlinkage void noinstr do_bce(struct pt_regs *regs) ++{ ++ bool user = user_mode(regs); ++ unsigned long era = exception_era(regs); ++ u64 badv = 0, lower = 0, upper = ULONG_MAX; ++ union loongarch_instruction insn; ++ irqentry_state_t state = irqentry_enter(regs); ++ ++ if (regs->csr_prmd & CSR_PRMD_PIE) ++ local_irq_enable(); ++ ++ current->thread.trap_nr = read_csr_excode(); ++ ++ die_if_kernel("Bounds check error in kernel code", regs); ++ ++ /* ++ * Pull out the address that failed bounds checking, and the lower / ++ * upper bound, by minimally looking at the faulting instruction word ++ * and reading from the correct register. ++ */ ++ if (__get_inst(&insn.word, (u32 *)era, user)) ++ goto bad_era; ++ ++ switch (insn.reg3_format.opcode) { ++ case asrtle_op: ++ if (insn.reg3_format.rd != 0) ++ break; /* not asrtle */ ++ badv = regs->regs[insn.reg3_format.rj]; ++ upper = regs->regs[insn.reg3_format.rk]; ++ break; ++ ++ case asrtgt_op: ++ if (insn.reg3_format.rd != 0) ++ break; /* not asrtgt */ ++ badv = regs->regs[insn.reg3_format.rj]; ++ lower = regs->regs[insn.reg3_format.rk]; ++ break; ++ ++ case ldleb_op: ++ case ldleh_op: ++ case ldlew_op: ++ case ldled_op: ++ case stleb_op: ++ case stleh_op: ++ case stlew_op: ++ case stled_op: ++ case fldles_op: ++ case fldled_op: ++ case fstles_op: ++ case fstled_op: ++ badv = regs->regs[insn.reg3_format.rj]; ++ upper = regs->regs[insn.reg3_format.rk]; ++ break; ++ ++ case ldgtb_op: ++ case ldgth_op: ++ case ldgtw_op: ++ case ldgtd_op: ++ case stgtb_op: ++ case stgth_op: ++ case stgtw_op: ++ case stgtd_op: ++ case fldgts_op: ++ case fldgtd_op: ++ case fstgts_op: ++ case fstgtd_op: ++ badv = regs->regs[insn.reg3_format.rj]; ++ lower = regs->regs[insn.reg3_format.rk]; ++ break; ++ } ++ ++ force_sig_bnderr((void __user *)badv, (void __user *)lower, (void __user *)upper); ++ ++out: ++ if (regs->csr_prmd & CSR_PRMD_PIE) ++ local_irq_disable(); ++ ++ irqentry_exit(regs, state); ++ return; ++ ++bad_era: ++ /* ++ * Cannot pull out the instruction word, hence cannot provide more ++ * info than a regular SIGSEGV in this case. ++ */ ++ force_sig(SIGSEGV); ++ goto out; ++} ++ + asmlinkage void noinstr do_bp(struct pt_regs *regs) + { + bool user = user_mode(regs); +@@ -797,6 +888,7 @@ void __init trap_init(void) + + set_handler(EXCCODE_ADE * VECSIZE, handle_ade, VECSIZE); + set_handler(EXCCODE_ALE * VECSIZE, handle_ale, VECSIZE); ++ set_handler(EXCCODE_BCE * VECSIZE, handle_bce, VECSIZE); + set_handler(EXCCODE_SYS * VECSIZE, handle_sys, VECSIZE); + set_handler(EXCCODE_BP * VECSIZE, handle_bp, VECSIZE); + set_handler(EXCCODE_INE * VECSIZE, handle_ri, VECSIZE); +-- +2.39.2 + diff --git a/queue-6.3/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch b/queue-6.3/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch new file mode 100644 index 00000000000..e25ec513c42 --- /dev/null +++ b/queue-6.3/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch @@ -0,0 +1,56 @@ +From 24ce045495fc69778a3044572c643875ff0e8df9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 12:22:09 +0300 +Subject: mailbox: mailbox-test: fix a locking issue in + mbox_test_message_write() + +From: Dan Carpenter + +[ Upstream commit 8fe72b76db79d694858e872370df49676bc3be8c ] + +There was a bug where this code forgot to unlock the tdev->mutex if the +kzalloc() failed. Fix this issue, by moving the allocation outside the +lock. + +Fixes: 2d1e952a2b8e ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()") +Signed-off-by: Dan Carpenter +Reviewed-by: Lee Jones +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox-test.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c +index 6dd5b9614452b..abcee58e851c2 100644 +--- a/drivers/mailbox/mailbox-test.c ++++ b/drivers/mailbox/mailbox-test.c +@@ -97,6 +97,7 @@ static ssize_t mbox_test_message_write(struct file *filp, + size_t count, loff_t *ppos) + { + struct mbox_test_device *tdev = filp->private_data; ++ char *message; + void *data; + int ret; + +@@ -112,12 +113,13 @@ static ssize_t mbox_test_message_write(struct file *filp, + return -EINVAL; + } + +- mutex_lock(&tdev->mutex); +- +- tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL); +- if (!tdev->message) ++ message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL); ++ if (!message) + return -ENOMEM; + ++ mutex_lock(&tdev->mutex); ++ ++ tdev->message = message; + ret = copy_from_user(tdev->message, userbuf, count); + if (ret) { + ret = -EFAULT; +-- +2.39.2 + diff --git a/queue-6.3/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch b/queue-6.3/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch new file mode 100644 index 00000000000..10f20bd96a8 --- /dev/null +++ b/queue-6.3/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch @@ -0,0 +1,136 @@ +From 7127ad9425a71d74af62f10d6b60919988d0f28d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 08:27:18 +0100 +Subject: mailbox: mailbox-test: Fix potential double-free in + mbox_test_message_write() + +From: Lee Jones + +[ Upstream commit 2d1e952a2b8e5e92d8d55ac88a7cf7ca5ea591ad ] + +If a user can make copy_from_user() fail, there is a potential for +UAF/DF due to a lack of locking around the allocation, use and freeing +of the data buffers. + +This issue is not theoretical. I managed to author a POC for it: + + BUG: KASAN: double-free in kfree+0x5c/0xac + Free of addr ffff29280be5de00 by task poc/356 + CPU: 1 PID: 356 Comm: poc Not tainted 6.1.0-00001-g961aa6552c04-dirty #20 + Hardware name: linux,dummy-virt (DT) + Call trace: + dump_backtrace.part.0+0xe0/0xf0 + show_stack+0x18/0x40 + dump_stack_lvl+0x64/0x80 + print_report+0x188/0x48c + kasan_report_invalid_free+0xa0/0xc0 + ____kasan_slab_free+0x174/0x1b0 + __kasan_slab_free+0x18/0x24 + __kmem_cache_free+0x130/0x2e0 + kfree+0x5c/0xac + mbox_test_message_write+0x208/0x29c + full_proxy_write+0x90/0xf0 + vfs_write+0x154/0x440 + ksys_write+0xcc/0x180 + __arm64_sys_write+0x44/0x60 + invoke_syscall+0x60/0x190 + el0_svc_common.constprop.0+0x7c/0x160 + do_el0_svc+0x40/0xf0 + el0_svc+0x2c/0x6c + el0t_64_sync_handler+0xf4/0x120 + el0t_64_sync+0x18c/0x190 + + Allocated by task 356: + kasan_save_stack+0x3c/0x70 + kasan_set_track+0x2c/0x40 + kasan_save_alloc_info+0x24/0x34 + __kasan_kmalloc+0xb8/0xc0 + kmalloc_trace+0x58/0x70 + mbox_test_message_write+0x6c/0x29c + full_proxy_write+0x90/0xf0 + vfs_write+0x154/0x440 + ksys_write+0xcc/0x180 + __arm64_sys_write+0x44/0x60 + invoke_syscall+0x60/0x190 + el0_svc_common.constprop.0+0x7c/0x160 + do_el0_svc+0x40/0xf0 + el0_svc+0x2c/0x6c + el0t_64_sync_handler+0xf4/0x120 + el0t_64_sync+0x18c/0x190 + + Freed by task 357: + kasan_save_stack+0x3c/0x70 + kasan_set_track+0x2c/0x40 + kasan_save_free_info+0x38/0x5c + ____kasan_slab_free+0x13c/0x1b0 + __kasan_slab_free+0x18/0x24 + __kmem_cache_free+0x130/0x2e0 + kfree+0x5c/0xac + mbox_test_message_write+0x208/0x29c + full_proxy_write+0x90/0xf0 + vfs_write+0x154/0x440 + ksys_write+0xcc/0x180 + __arm64_sys_write+0x44/0x60 + invoke_syscall+0x60/0x190 + el0_svc_common.constprop.0+0x7c/0x160 + do_el0_svc+0x40/0xf0 + el0_svc+0x2c/0x6c + el0t_64_sync_handler+0xf4/0x120 + el0t_64_sync+0x18c/0x190 + +Signed-off-by: Lee Jones +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox-test.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c +index 4555d678fadda..6dd5b9614452b 100644 +--- a/drivers/mailbox/mailbox-test.c ++++ b/drivers/mailbox/mailbox-test.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -38,6 +39,7 @@ struct mbox_test_device { + char *signal; + char *message; + spinlock_t lock; ++ struct mutex mutex; + wait_queue_head_t waitq; + struct fasync_struct *async_queue; + struct dentry *root_debugfs_dir; +@@ -110,6 +112,8 @@ static ssize_t mbox_test_message_write(struct file *filp, + return -EINVAL; + } + ++ mutex_lock(&tdev->mutex); ++ + tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL); + if (!tdev->message) + return -ENOMEM; +@@ -144,6 +148,8 @@ static ssize_t mbox_test_message_write(struct file *filp, + kfree(tdev->message); + tdev->signal = NULL; + ++ mutex_unlock(&tdev->mutex); ++ + return ret < 0 ? ret : count; + } + +@@ -392,6 +398,7 @@ static int mbox_test_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, tdev); + + spin_lock_init(&tdev->lock); ++ mutex_init(&tdev->mutex); + + if (tdev->rx_channel) { + tdev->rx_buffer = devm_kzalloc(&pdev->dev, +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch b/queue-6.3/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch new file mode 100644 index 00000000000..eb3ecaa76a8 --- /dev/null +++ b/queue-6.3/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch @@ -0,0 +1,67 @@ +From fe00b0c85d51afe5601a480eb124b8120b29e548 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 16:18:00 +0100 +Subject: media: dvb-core: Fix kernel WARNING for blocking operation in + wait_event*() + +From: Takashi Iwai + +[ Upstream commit b8c75e4a1b325ea0a9433fa8834be97b5836b946 ] + +Using a semaphore in the wait_event*() condition is no good idea. +It hits a kernel WARN_ON() at prepare_to_wait_event() like: + do not call blocking ops when !TASK_RUNNING; state=1 set at + prepare_to_wait_event+0x6d/0x690 + +For avoiding the potential deadlock, rewrite to an open-coded loop +instead. Unlike the loop in wait_event*(), this uses wait_woken() +after the condition check, hence the task state stays consistent. + +CVE-2023-31084 was assigned to this bug. + +Link: https://lore.kernel.org/r/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com/ + +Link: https://lore.kernel.org/linux-media/20230512151800.1874-1-tiwai@suse.de +Reported-by: Yu Hao +Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-31084 +Signed-off-by: Takashi Iwai +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_frontend.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index 947b61959b2b8..bc6950a5740f6 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe, + } + + if (events->eventw == events->eventr) { +- int ret; ++ struct wait_queue_entry wait; ++ int ret = 0; + + if (flags & O_NONBLOCK) + return -EWOULDBLOCK; + +- ret = wait_event_interruptible(events->wait_queue, +- dvb_frontend_test_event(fepriv, events)); +- ++ init_waitqueue_entry(&wait, current); ++ add_wait_queue(&events->wait_queue, &wait); ++ while (!dvb_frontend_test_event(fepriv, events)) { ++ wait_woken(&wait, TASK_INTERRUPTIBLE, 0); ++ if (signal_pending(current)) { ++ ret = -ERESTARTSYS; ++ break; ++ } ++ } ++ remove_wait_queue(&events->wait_queue, &wait); + if (ret < 0) + return ret; + } +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-core-fix-use-after-free-due-on-race-condit.patch b/queue-6.3/media-dvb-core-fix-use-after-free-due-on-race-condit.patch new file mode 100644 index 00000000000..f8a2a89df52 --- /dev/null +++ b/queue-6.3/media-dvb-core-fix-use-after-free-due-on-race-condit.patch @@ -0,0 +1,138 @@ +From be213ad7e736f112703e87b9c1413628a1f1ef41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 04:59:23 +0000 +Subject: media: dvb-core: Fix use-after-free due on race condition at dvb_net + +From: Hyunwoo Kim + +[ Upstream commit 4172385b0c9ac366dcab78eda48c26814b87ed1a ] + +A race condition may occur between the .disconnect function, which +is called when the device is disconnected, and the dvb_device_open() +function, which is called when the device node is open()ed. +This results in several types of UAFs. + +The root cause of this is that you use the dvb_device_open() function, +which does not implement a conditional statement +that checks 'dvbnet->exit'. + +So, add 'remove_mutex` to protect 'dvbnet->exit' and use +locked_dvb_net_open() function to check 'dvbnet->exit'. + +[mchehab: fix a checkpatch warning] + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-3-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_net.c | 38 +++++++++++++++++++++++++++++--- + include/media/dvb_net.h | 4 ++++ + 2 files changed, 39 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c +index 8a2febf33ce28..8bb8dd34c223e 100644 +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -1564,15 +1564,43 @@ static long dvb_net_ioctl(struct file *file, + return dvb_usercopy(file, cmd, arg, dvb_net_do_ioctl); + } + ++static int locked_dvb_net_open(struct inode *inode, struct file *file) ++{ ++ struct dvb_device *dvbdev = file->private_data; ++ struct dvb_net *dvbnet = dvbdev->priv; ++ int ret; ++ ++ if (mutex_lock_interruptible(&dvbnet->remove_mutex)) ++ return -ERESTARTSYS; ++ ++ if (dvbnet->exit) { ++ mutex_unlock(&dvbnet->remove_mutex); ++ return -ENODEV; ++ } ++ ++ ret = dvb_generic_open(inode, file); ++ ++ mutex_unlock(&dvbnet->remove_mutex); ++ ++ return ret; ++} ++ + static int dvb_net_close(struct inode *inode, struct file *file) + { + struct dvb_device *dvbdev = file->private_data; + struct dvb_net *dvbnet = dvbdev->priv; + ++ mutex_lock(&dvbnet->remove_mutex); ++ + dvb_generic_release(inode, file); + +- if(dvbdev->users == 1 && dvbnet->exit == 1) ++ if (dvbdev->users == 1 && dvbnet->exit == 1) { ++ mutex_unlock(&dvbnet->remove_mutex); + wake_up(&dvbdev->wait_queue); ++ } else { ++ mutex_unlock(&dvbnet->remove_mutex); ++ } ++ + return 0; + } + +@@ -1580,7 +1608,7 @@ static int dvb_net_close(struct inode *inode, struct file *file) + static const struct file_operations dvb_net_fops = { + .owner = THIS_MODULE, + .unlocked_ioctl = dvb_net_ioctl, +- .open = dvb_generic_open, ++ .open = locked_dvb_net_open, + .release = dvb_net_close, + .llseek = noop_llseek, + }; +@@ -1599,10 +1627,13 @@ void dvb_net_release (struct dvb_net *dvbnet) + { + int i; + ++ mutex_lock(&dvbnet->remove_mutex); + dvbnet->exit = 1; ++ mutex_unlock(&dvbnet->remove_mutex); ++ + if (dvbnet->dvbdev->users < 1) + wait_event(dvbnet->dvbdev->wait_queue, +- dvbnet->dvbdev->users==1); ++ dvbnet->dvbdev->users == 1); + + dvb_unregister_device(dvbnet->dvbdev); + +@@ -1621,6 +1652,7 @@ int dvb_net_init (struct dvb_adapter *adap, struct dvb_net *dvbnet, + int i; + + mutex_init(&dvbnet->ioctl_mutex); ++ mutex_init(&dvbnet->remove_mutex); + dvbnet->demux = dmx; + + for (i=0; i +Date: Thu, 17 Nov 2022 04:59:24 +0000 +Subject: media: dvb-core: Fix use-after-free due to race at + dvb_register_device() + +From: Hyunwoo Kim + +[ Upstream commit 627bb528b086b4136315c25d6a447a98ea9448d3 ] + +dvb_register_device() dynamically allocates fops with kmemdup() +to set the fops->owner. +And these fops are registered in 'file->f_ops' using replace_fops() +in the dvb_device_open() process, and kfree()d in dvb_free_device(). + +However, it is not common to use dynamically allocated fops instead +of 'static const' fops as an argument of replace_fops(), +and UAF may occur. +These UAFs can occur on any dvb type using dvb_register_device(), +such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. + +So, instead of kfree() the fops dynamically allocated in +dvb_register_device() in dvb_free_device() called during the +.disconnect() process, kfree() it collectively in exit_dvbdev() +called when the dvbdev.c module is removed. + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 84 ++++++++++++++++++++++++--------- + include/media/dvbdev.h | 15 ++++++ + 2 files changed, 78 insertions(+), 21 deletions(-) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 0ed087caf7f3b..73d296f27ff92 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -27,6 +27,7 @@ + #include + + static DEFINE_MUTEX(dvbdev_mutex); ++static LIST_HEAD(dvbdevfops_list); + static int dvbdev_debug; + + module_param(dvbdev_debug, int, 0644); +@@ -453,14 +454,15 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + enum dvb_device_type type, int demux_sink_pads) + { + struct dvb_device *dvbdev; +- struct file_operations *dvbdevfops; ++ struct file_operations *dvbdevfops = NULL; ++ struct dvbdevfops_node *node = NULL, *new_node = NULL; + struct device *clsdev; + int minor; + int id, ret; + + mutex_lock(&dvbdev_register_lock); + +- if ((id = dvbdev_get_free_id (adap, type)) < 0){ ++ if ((id = dvbdev_get_free_id (adap, type)) < 0) { + mutex_unlock(&dvbdev_register_lock); + *pdvbdev = NULL; + pr_err("%s: couldn't find free device id\n", __func__); +@@ -468,18 +470,45 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + } + + *pdvbdev = dvbdev = kzalloc(sizeof(*dvbdev), GFP_KERNEL); +- + if (!dvbdev){ + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } + +- dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); ++ /* ++ * When a device of the same type is probe()d more than once, ++ * the first allocated fops are used. This prevents memory leaks ++ * that can occur when the same device is probe()d repeatedly. ++ */ ++ list_for_each_entry(node, &dvbdevfops_list, list_head) { ++ if (node->fops->owner == adap->module && ++ node->type == type && ++ node->template == template) { ++ dvbdevfops = node->fops; ++ break; ++ } ++ } + +- if (!dvbdevfops){ +- kfree (dvbdev); +- mutex_unlock(&dvbdev_register_lock); +- return -ENOMEM; ++ if (dvbdevfops == NULL) { ++ dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); ++ if (!dvbdevfops) { ++ kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); ++ return -ENOMEM; ++ } ++ ++ new_node = kzalloc(sizeof(struct dvbdevfops_node), GFP_KERNEL); ++ if (!new_node) { ++ kfree(dvbdevfops); ++ kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); ++ return -ENOMEM; ++ } ++ ++ new_node->fops = dvbdevfops; ++ new_node->type = type; ++ new_node->template = template; ++ list_add_tail (&new_node->list_head, &dvbdevfops_list); + } + + memcpy(dvbdev, template, sizeof(struct dvb_device)); +@@ -490,20 +519,20 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvbdev->priv = priv; + dvbdev->fops = dvbdevfops; + init_waitqueue_head (&dvbdev->wait_queue); +- + dvbdevfops->owner = adap->module; +- + list_add_tail (&dvbdev->list_head, &adap->device_list); +- + down_write(&minor_rwsem); + #ifdef CONFIG_DVB_DYNAMIC_MINORS + for (minor = 0; minor < MAX_DVB_MINORS; minor++) + if (dvb_minors[minor] == NULL) + break; +- + if (minor == MAX_DVB_MINORS) { ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); + up_write(&minor_rwsem); + mutex_unlock(&dvbdev_register_lock); +@@ -512,41 +541,47 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + #else + minor = nums2minor(adap->num, type, id); + #endif +- + dvbdev->minor = minor; + dvb_minors[minor] = dvb_device_get(dvbdev); + up_write(&minor_rwsem); +- + ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads); + if (ret) { + pr_err("%s: dvb_register_media_device failed to create the mediagraph\n", + __func__); +- ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); + return ret; + } + +- mutex_unlock(&dvbdev_register_lock); +- + clsdev = device_create(dvb_class, adap->device, + MKDEV(DVB_MAJOR, minor), + dvbdev, "dvb%d.%s%d", adap->num, dnames[type], id); + if (IS_ERR(clsdev)) { + pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", + __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); + return PTR_ERR(clsdev); + } ++ + dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n", + adap->num, dnames[type], id, minor, minor); + ++ mutex_unlock(&dvbdev_register_lock); + return 0; + } + EXPORT_SYMBOL(dvb_register_device); +@@ -575,7 +610,6 @@ static void dvb_free_device(struct kref *ref) + { + struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref); + +- kfree (dvbdev->fops); + kfree (dvbdev); + } + +@@ -1081,9 +1115,17 @@ static int __init init_dvbdev(void) + + static void __exit exit_dvbdev(void) + { ++ struct dvbdevfops_node *node, *next; ++ + class_destroy(dvb_class); + cdev_del(&dvb_device_cdev); + unregister_chrdev_region(MKDEV(DVB_MAJOR, 0), MAX_DVB_MINORS); ++ ++ list_for_each_entry_safe(node, next, &dvbdevfops_list, list_head) { ++ list_del (&node->list_head); ++ kfree(node->fops); ++ kfree(node); ++ } + } + + subsys_initcall(init_dvbdev); +diff --git a/include/media/dvbdev.h b/include/media/dvbdev.h +index 29d25c8a6f13f..8958e5e2fc5b7 100644 +--- a/include/media/dvbdev.h ++++ b/include/media/dvbdev.h +@@ -193,6 +193,21 @@ struct dvb_device { + void *priv; + }; + ++/** ++ * struct dvbdevfops_node - fops nodes registered in dvbdevfops_list ++ * ++ * @fops: Dynamically allocated fops for ->owner registration ++ * @type: type of dvb_device ++ * @template: dvb_device used for registration ++ * @list_head: list_head for dvbdevfops_list ++ */ ++struct dvbdevfops_node { ++ struct file_operations *fops; ++ enum dvb_device_type type; ++ const struct dvb_device *template; ++ struct list_head list_head; ++}; ++ + /** + * dvb_device_get - Increase dvb_device reference + * +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-core-fix-use-after-free-due-to-race-condit.patch b/queue-6.3/media-dvb-core-fix-use-after-free-due-to-race-condit.patch new file mode 100644 index 00000000000..c9d04797f56 --- /dev/null +++ b/queue-6.3/media-dvb-core-fix-use-after-free-due-to-race-condit.patch @@ -0,0 +1,129 @@ +From 7004996520ade6e9108c93be62e8980bd5dc990e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 06:33:08 +0000 +Subject: media: dvb-core: Fix use-after-free due to race condition at + dvb_ca_en50221 + +From: Hyunwoo Kim + +[ Upstream commit 280a8ab81733da8bc442253c700a52c4c0886ffd ] + +If the device node of dvb_ca_en50221 is open() and the +device is disconnected, a UAF may occur when calling +close() on the device node. + +The root cause is that wake_up() and wait_event() for +dvbdev->wait_queue are not implemented. + +So implement wait_event() function in dvb_ca_en50221_release() +and add 'remove_mutex' which prevents race condition +for 'ca->exit'. + +[mchehab: fix a checkpatch warning] + +Link: https://lore.kernel.org/linux-media/20221121063308.GA33821@ubuntu +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_ca_en50221.c | 37 ++++++++++++++++++++++++- + 1 file changed, 36 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c +index b6ca29dfb184a..baf64540dc00a 100644 +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -151,6 +151,12 @@ struct dvb_ca_private { + + /* mutex serializing ioctls */ + struct mutex ioctl_mutex; ++ ++ /* A mutex used when a device is disconnected */ ++ struct mutex remove_mutex; ++ ++ /* Whether the device is disconnected */ ++ int exit; + }; + + static void dvb_ca_private_free(struct dvb_ca_private *ca) +@@ -1711,12 +1717,22 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file) + + dprintk("%s\n", __func__); + +- if (!try_module_get(ca->pub->owner)) ++ mutex_lock(&ca->remove_mutex); ++ ++ if (ca->exit) { ++ mutex_unlock(&ca->remove_mutex); ++ return -ENODEV; ++ } ++ ++ if (!try_module_get(ca->pub->owner)) { ++ mutex_unlock(&ca->remove_mutex); + return -EIO; ++ } + + err = dvb_generic_open(inode, file); + if (err < 0) { + module_put(ca->pub->owner); ++ mutex_unlock(&ca->remove_mutex); + return err; + } + +@@ -1741,6 +1757,7 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file) + + dvb_ca_private_get(ca); + ++ mutex_unlock(&ca->remove_mutex); + return 0; + } + +@@ -1760,6 +1777,8 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file) + + dprintk("%s\n", __func__); + ++ mutex_lock(&ca->remove_mutex); ++ + /* mark the CA device as closed */ + ca->open = 0; + dvb_ca_en50221_thread_update_delay(ca); +@@ -1770,6 +1789,13 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file) + + dvb_ca_private_put(ca); + ++ if (dvbdev->users == 1 && ca->exit == 1) { ++ mutex_unlock(&ca->remove_mutex); ++ wake_up(&dvbdev->wait_queue); ++ } else { ++ mutex_unlock(&ca->remove_mutex); ++ } ++ + return err; + } + +@@ -1893,6 +1919,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter, + } + + mutex_init(&ca->ioctl_mutex); ++ mutex_init(&ca->remove_mutex); + + if (signal_pending(current)) { + ret = -EINTR; +@@ -1935,6 +1962,14 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca) + + dprintk("%s\n", __func__); + ++ mutex_lock(&ca->remove_mutex); ++ ca->exit = 1; ++ mutex_unlock(&ca->remove_mutex); ++ ++ if (ca->dvbdev->users < 1) ++ wait_event(ca->dvbdev->wait_queue, ++ ca->dvbdev->users == 1); ++ + /* shutdown the thread if there was one */ + kthread_stop(ca->thread); + +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-core-fix-use-after-free-on-race-condition-.patch b/queue-6.3/media-dvb-core-fix-use-after-free-on-race-condition-.patch new file mode 100644 index 00000000000..fdc51c14aef --- /dev/null +++ b/queue-6.3/media-dvb-core-fix-use-after-free-on-race-condition-.patch @@ -0,0 +1,196 @@ +From 44cb96630bdead494fd381172509206b872a7782 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 04:59:22 +0000 +Subject: media: dvb-core: Fix use-after-free on race condition at dvb_frontend + +From: Hyunwoo Kim + +[ Upstream commit 6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f ] + +If the device node of dvb_frontend is open() and the device is +disconnected, many kinds of UAFs may occur when calling close() +on the device node. + +The root cause of this is that wake_up() for dvbdev->wait_queue +is implemented in the dvb_frontend_release() function, but +wait_event() is not implemented in the dvb_frontend_stop() function. + +So, implement wait_event() function in dvb_frontend_stop() and +add 'remove_mutex' which prevents race condition for 'fe->exit'. + +[mchehab: fix a couple of checkpatch warnings and some mistakes at the error handling logic] + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-2-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_frontend.c | 53 ++++++++++++++++++++++----- + include/media/dvb_frontend.h | 6 ++- + 2 files changed, 49 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index cc0a789f09ae5..947b61959b2b8 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -809,15 +809,26 @@ static void dvb_frontend_stop(struct dvb_frontend *fe) + + dev_dbg(fe->dvb->device, "%s:\n", __func__); + ++ mutex_lock(&fe->remove_mutex); ++ + if (fe->exit != DVB_FE_DEVICE_REMOVED) + fe->exit = DVB_FE_NORMAL_EXIT; + mb(); + +- if (!fepriv->thread) ++ if (!fepriv->thread) { ++ mutex_unlock(&fe->remove_mutex); + return; ++ } + + kthread_stop(fepriv->thread); + ++ mutex_unlock(&fe->remove_mutex); ++ ++ if (fepriv->dvbdev->users < -1) { ++ wait_event(fepriv->dvbdev->wait_queue, ++ fepriv->dvbdev->users == -1); ++ } ++ + sema_init(&fepriv->sem, 1); + fepriv->state = FESTATE_IDLE; + +@@ -2761,9 +2772,13 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) + struct dvb_adapter *adapter = fe->dvb; + int ret; + ++ mutex_lock(&fe->remove_mutex); ++ + dev_dbg(fe->dvb->device, "%s:\n", __func__); +- if (fe->exit == DVB_FE_DEVICE_REMOVED) +- return -ENODEV; ++ if (fe->exit == DVB_FE_DEVICE_REMOVED) { ++ ret = -ENODEV; ++ goto err_remove_mutex; ++ } + + if (adapter->mfe_shared == 2) { + mutex_lock(&adapter->mfe_lock); +@@ -2771,7 +2786,8 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) + if (adapter->mfe_dvbdev && + !adapter->mfe_dvbdev->writers) { + mutex_unlock(&adapter->mfe_lock); +- return -EBUSY; ++ ret = -EBUSY; ++ goto err_remove_mutex; + } + adapter->mfe_dvbdev = dvbdev; + } +@@ -2794,8 +2810,10 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) + while (mferetry-- && (mfedev->users != -1 || + mfepriv->thread)) { + if (msleep_interruptible(500)) { +- if (signal_pending(current)) +- return -EINTR; ++ if (signal_pending(current)) { ++ ret = -EINTR; ++ goto err_remove_mutex; ++ } + } + } + +@@ -2807,7 +2825,8 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) + if (mfedev->users != -1 || + mfepriv->thread) { + mutex_unlock(&adapter->mfe_lock); +- return -EBUSY; ++ ret = -EBUSY; ++ goto err_remove_mutex; + } + adapter->mfe_dvbdev = dvbdev; + } +@@ -2866,6 +2885,8 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) + + if (adapter->mfe_shared) + mutex_unlock(&adapter->mfe_lock); ++ ++ mutex_unlock(&fe->remove_mutex); + return ret; + + err3: +@@ -2887,6 +2908,9 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) + err0: + if (adapter->mfe_shared) + mutex_unlock(&adapter->mfe_lock); ++ ++err_remove_mutex: ++ mutex_unlock(&fe->remove_mutex); + return ret; + } + +@@ -2897,6 +2921,8 @@ static int dvb_frontend_release(struct inode *inode, struct file *file) + struct dvb_frontend_private *fepriv = fe->frontend_priv; + int ret; + ++ mutex_lock(&fe->remove_mutex); ++ + dev_dbg(fe->dvb->device, "%s:\n", __func__); + + if ((file->f_flags & O_ACCMODE) != O_RDONLY) { +@@ -2918,10 +2944,18 @@ static int dvb_frontend_release(struct inode *inode, struct file *file) + } + mutex_unlock(&fe->dvb->mdev_lock); + #endif +- if (fe->exit != DVB_FE_NO_EXIT) +- wake_up(&dvbdev->wait_queue); + if (fe->ops.ts_bus_ctrl) + fe->ops.ts_bus_ctrl(fe, 0); ++ ++ if (fe->exit != DVB_FE_NO_EXIT) { ++ mutex_unlock(&fe->remove_mutex); ++ wake_up(&dvbdev->wait_queue); ++ } else { ++ mutex_unlock(&fe->remove_mutex); ++ } ++ ++ } else { ++ mutex_unlock(&fe->remove_mutex); + } + + dvb_frontend_put(fe); +@@ -3022,6 +3056,7 @@ int dvb_register_frontend(struct dvb_adapter *dvb, + fepriv = fe->frontend_priv; + + kref_init(&fe->refcount); ++ mutex_init(&fe->remove_mutex); + + /* + * After initialization, there need to be two references: one +diff --git a/include/media/dvb_frontend.h b/include/media/dvb_frontend.h +index e7c44870f20de..367d5381217b5 100644 +--- a/include/media/dvb_frontend.h ++++ b/include/media/dvb_frontend.h +@@ -686,7 +686,10 @@ struct dtv_frontend_properties { + * @id: Frontend ID + * @exit: Used to inform the DVB core that the frontend + * thread should exit (usually, means that the hardware +- * got disconnected. ++ * got disconnected). ++ * @remove_mutex: mutex that avoids a race condition between a callback ++ * called when the hardware is disconnected and the ++ * file_operations of dvb_frontend. + */ + + struct dvb_frontend { +@@ -704,6 +707,7 @@ struct dvb_frontend { + int (*callback)(void *adapter_priv, int component, int cmd, int arg); + int id; + unsigned int exit; ++ struct mutex remove_mutex; + }; + + /** +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch b/queue-6.3/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch new file mode 100644 index 00000000000..6562ab0a9a2 --- /dev/null +++ b/queue-6.3/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch @@ -0,0 +1,63 @@ +From 1fe74629a0c21fc4b17401f0d5d4c59055c77446 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 16:56:04 +0000 +Subject: media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer() + +From: Wei Chen + +[ Upstream commit 858e97d7956d17a2cb56a9413468704a4d5abfe1 ] + +In az6027_i2c_xfer, msg is controlled by user. When msg[i].buf is null, +commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in +az6027_i2c_xfer()") fix the null-ptr-deref bug when msg[i].addr is 0x99. +However, null-ptr-deref also happens when msg[i].addr is 0xd0 and 0xc0. +We add check on msg[i].len to prevent null-ptr-deref. + +Link: https://lore.kernel.org/linux-media/20230310165604.3093483-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/az6027.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c +index 7d78ee09be5e1..a31c6f82f4e90 100644 +--- a/drivers/media/usb/dvb-usb/az6027.c ++++ b/drivers/media/usb/dvb-usb/az6027.c +@@ -988,6 +988,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + /* write/read request */ + if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD)) { + req = 0xB9; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff)); + value = msg[i].addr + (msg[i].len << 8); + length = msg[i + 1].len + 6; +@@ -1001,6 +1005,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + + /* demod 16bit addr */ + req = 0xBD; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff)); + value = msg[i].addr + (2 << 8); + length = msg[i].len - 2; +@@ -1026,6 +1034,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + } else { + + req = 0xBD; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + index = msg[i].buf[0] & 0x00FF; + value = msg[i].addr + (1 << 8); + length = msg[i].len - 1; +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch b/queue-6.3/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch new file mode 100644 index 00000000000..a00e1e1dd4d --- /dev/null +++ b/queue-6.3/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch @@ -0,0 +1,44 @@ +From 6d1782a1d8a75373c8b547b14f43005f03c69f35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 09:50:08 +0000 +Subject: media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer() + +From: Wei Chen + +[ Upstream commit 9ded5bd2a49ce3015b7c936743eec0a0e6e11f0c ] + +In digitv_i2c_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach digitv_i2c_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. We add +check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Link: https://lore.kernel.org/linux-media/20230313095008.1039689-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/digitv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c +index 2756815a780bc..32134be169148 100644 +--- a/drivers/media/usb/dvb-usb/digitv.c ++++ b/drivers/media/usb/dvb-usb/digitv.c +@@ -63,6 +63,10 @@ static int digitv_i2c_xfer(struct i2c_adapter *adap,struct i2c_msg msg[],int num + warn("more than 2 i2c messages at a time is not handled yet. TODO."); + + for (i = 0; i < num; i++) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + /* write/read request */ + if (i+1 < num && (msg[i+1].flags & I2C_M_RD)) { + if (digitv_ctrl_msg(d, USB_READ_COFDM, msg[i].buf[0], NULL, 0, +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch b/queue-6.3/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch new file mode 100644 index 00000000000..3ac20d12fb8 --- /dev/null +++ b/queue-6.3/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch @@ -0,0 +1,40 @@ +From 6ec8421edb2fa7b1c85b3fb5bb182a3384487a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 13:44:16 +0100 +Subject: media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address + +From: Wei Chen + +[ Upstream commit a3fd1ef27aa686d871cefe207bd6168c4b0cd29e ] + +In su3000_read_mac_address, if i2c_transfer fails to execute two +messages, array mac address will not be initialized. Without handling +such error, later in function dvb_usb_adapter_dvb_init, proposed_mac +is accessed before initialization. + +Fix this error by returning a negative value if message execution fails. + +Link: https://lore.kernel.org/linux-media/20230328124416.560889-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index 0ca764282c767..8747960e61461 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -946,7 +946,7 @@ static int su3000_read_mac_address(struct dvb_usb_device *d, u8 mac[6]) + for (i = 0; i < 6; i++) { + obuf[1] = 0xf0 + i; + if (i2c_transfer(&d->i2c_adap, msg, 2) != 2) +- break; ++ return -1; + else + mac[i] = ibuf[0]; + } +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch b/queue-6.3/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch new file mode 100644 index 00000000000..8d8bb39b277 --- /dev/null +++ b/queue-6.3/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch @@ -0,0 +1,56 @@ +From 92b59cdc29282f18687d9d3f68f39b0112c71dd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 09:27:51 +0000 +Subject: media: dvb-usb-v2: ce6230: fix null-ptr-deref in + ce6230_i2c_master_xfer() + +From: Wei Chen + +[ Upstream commit dff919090155fb22679869e8469168f270dcd97f ] + +In ce6230_i2c_master_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach ce6230_i2c_master_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. We add +check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Link: https://lore.kernel.org/linux-media/20230313092751.209496-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/ce6230.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb-v2/ce6230.c b/drivers/media/usb/dvb-usb-v2/ce6230.c +index 44540de1a2066..d3b5cb4a24daf 100644 +--- a/drivers/media/usb/dvb-usb-v2/ce6230.c ++++ b/drivers/media/usb/dvb-usb-v2/ce6230.c +@@ -101,6 +101,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap, + if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) { + if (msg[i].addr == + ce6230_zl10353_config.demod_address) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = DEMOD_READ; + req.value = msg[i].addr >> 1; + req.index = msg[i].buf[0]; +@@ -117,6 +121,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap, + } else { + if (msg[i].addr == + ce6230_zl10353_config.demod_address) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = DEMOD_WRITE; + req.value = msg[i].addr >> 1; + req.index = msg[i].buf[0]; +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch b/queue-6.3/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch new file mode 100644 index 00000000000..b0b4f8be280 --- /dev/null +++ b/queue-6.3/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch @@ -0,0 +1,65 @@ +From 32c9fedbaac088ca2cdf84fbda79a71153dd8d4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 08:58:53 +0000 +Subject: media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() + +From: Wei Chen + +[ Upstream commit a6dcefcc08eca1bf4e3d213c97c3cfb75f377935 ] + +In ec168_i2c_xfer, msg is controlled by user. When msg[i].buf is null +and msg[i].len is zero, former checks on msg[i].buf would be passed. +If accessing msg[i].buf[0] without sanity check, null pointer deref +would happen. We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Link: https://lore.kernel.org/linux-media/20230313085853.3252349-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/ec168.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb-v2/ec168.c b/drivers/media/usb/dvb-usb-v2/ec168.c +index 7ed0ab9e429b1..0e4773fc025c9 100644 +--- a/drivers/media/usb/dvb-usb-v2/ec168.c ++++ b/drivers/media/usb/dvb-usb-v2/ec168.c +@@ -115,6 +115,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + while (i < num) { + if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) { + if (msg[i].addr == ec168_ec100_config.demod_address) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = READ_DEMOD; + req.value = 0; + req.index = 0xff00 + msg[i].buf[0]; /* reg */ +@@ -131,6 +135,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + } + } else { + if (msg[i].addr == ec168_ec100_config.demod_address) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = WRITE_DEMOD; + req.value = msg[i].buf[1]; /* val */ + req.index = 0xff00 + msg[i].buf[0]; /* reg */ +@@ -139,6 +147,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = ec168_ctrl_msg(d, &req); + i += 1; + } else { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = WRITE_I2C; + req.value = msg[i].buf[0]; /* val */ + req.index = 0x0100 + msg[i].addr; /* I2C addr */ +-- +2.39.2 + diff --git a/queue-6.3/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch b/queue-6.3/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch new file mode 100644 index 00000000000..c56f63e574f --- /dev/null +++ b/queue-6.3/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch @@ -0,0 +1,84 @@ +From 0aeb803655ef5204fd8510dd450d78a0e64079ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 15:52:47 +0100 +Subject: media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer + +From: Zhang Shurong + +[ Upstream commit aa4a447b81b84f69c1a89ad899df157f386d7636 ] + +In rtl28xxu_i2c_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach rtl28xxu_i2c_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Link: https://lore.kernel.org/linux-media/tencent_3623572106754AC2F266B316798B0F6CCA05@qq.com +Signed-off-by: Zhang Shurong +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +index 795a012d40200..f7884bb56fccf 100644 +--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c ++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +@@ -176,6 +176,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = -EOPNOTSUPP; + goto err_mutex_unlock; + } else if (msg[0].addr == 0x10) { ++ if (msg[0].len < 1 || msg[1].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* method 1 - integrated demod */ + if (msg[0].buf[0] == 0x00) { + /* return demod page from driver cache */ +@@ -189,6 +193,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = rtl28xxu_ctrl_msg(d, &req); + } + } else if (msg[0].len < 2) { ++ if (msg[0].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* method 2 - old I2C */ + req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1); + req.index = CMD_I2C_RD; +@@ -217,8 +225,16 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = -EOPNOTSUPP; + goto err_mutex_unlock; + } else if (msg[0].addr == 0x10) { ++ if (msg[0].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* method 1 - integrated demod */ + if (msg[0].buf[0] == 0x00) { ++ if (msg[0].len < 2) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* save demod page for later demod access */ + dev->page = msg[0].buf[1]; + ret = 0; +@@ -231,6 +247,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = rtl28xxu_ctrl_msg(d, &req); + } + } else if ((msg[0].len < 23) && (!dev->new_i2c_write)) { ++ if (msg[0].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* method 2 - old I2C */ + req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1); + req.index = CMD_I2C_WR; +-- +2.39.2 + diff --git a/queue-6.3/media-dvb_ca_en50221-fix-a-size-write-bug.patch b/queue-6.3/media-dvb_ca_en50221-fix-a-size-write-bug.patch new file mode 100644 index 00000000000..7a92ad42cc5 --- /dev/null +++ b/queue-6.3/media-dvb_ca_en50221-fix-a-size-write-bug.patch @@ -0,0 +1,118 @@ +From cbec391dfdf8672508a5a2795c451589f92e2439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 13:50:27 +0100 +Subject: media: dvb_ca_en50221: fix a size write bug + +From: YongSu Yoo + +[ Upstream commit a4315e5be7020aac9b24a8151caf4bb85224cd0e ] + +The function of "dvb_ca_en50221_write_data" at source/drivers/media +/dvb-core/dvb_ca_en50221.c is used for two cases. +The first case is for writing APDU data in the function of +"dvb_ca_en50221_io_write" at source/drivers/media/dvb-core/ +dvb_ca_en50221.c. +The second case is for writing the host link buf size on the +Command Register in the function of "dvb_ca_en50221_link_init" +at source/drivers/media/dvb-core/dvb_ca_en50221.c. +In the second case, there exists a bug like following. +In the function of the "dvb_ca_en50221_link_init", +after a TV host calculates the host link buf_size, +the TV host writes the calculated host link buf_size on the +Size Register. +Accroding to the en50221 Spec (the page 60 of +https://dvb.org/wp-content/uploads/2020/02/En50221.V1.pdf), +before this writing operation, the "SW(CMDREG_SW)" flag in the +Command Register should be set. We can see this setting operation +in the function of the "dvb_ca_en50221_link_init" like below. +... + if ((ret = ca->pub->write_cam_control(ca->pub, slot, +CTRLIF_COMMAND, IRQEN | CMDREG_SW)) != 0) + return ret; +... +But, after that, the real writing operation is implemented using +the function of the "dvb_ca_en50221_write_data" in the function of +"dvb_ca_en50221_link_init", and the "dvb_ca_en50221_write_data" +includes the function of "ca->pub->write_cam_control", +and the function of the "ca->pub->write_cam_control" in the +function of the "dvb_ca_en50221_wrte_data" does not include +"CMDREG_SW" flag like below. +... + if ((status = ca->pub->write_cam_control(ca->pub, slot, +CTRLIF_COMMAND, IRQEN | CMDREG_HC)) != 0) +... +In the above source code, we can see only the "IRQEN | CMDREG_HC", +but we cannot see the "CMDREG_SW". +The "CMDREG_SW" flag which was set in the function of the +"dvb_ca_en50221_link_init" was rollbacked by the follwoing function +of the "dvb_ca_en50221_write_data". +This is a bug. and this bug causes that the calculated host link buf_size +is not properly written in the CI module. +Through this patch, we fix this bug. + +Link: https://lore.kernel.org/linux-media/20220818125027.1131-1-yongsuyoo0215@gmail.com +Signed-off-by: YongSu Yoo +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_ca_en50221.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c +index c2d2792227f86..b6ca29dfb184a 100644 +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -187,7 +187,7 @@ static void dvb_ca_en50221_thread_wakeup(struct dvb_ca_private *ca); + static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot, + u8 *ebuf, int ecount); + static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, +- u8 *ebuf, int ecount); ++ u8 *ebuf, int ecount, int size_write_flag); + + /** + * findstr - Safely find needle in haystack. +@@ -370,7 +370,7 @@ static int dvb_ca_en50221_link_init(struct dvb_ca_private *ca, int slot) + ret = dvb_ca_en50221_wait_if_status(ca, slot, STATUSREG_FR, HZ / 10); + if (ret) + return ret; +- ret = dvb_ca_en50221_write_data(ca, slot, buf, 2); ++ ret = dvb_ca_en50221_write_data(ca, slot, buf, 2, CMDREG_SW); + if (ret != 2) + return -EIO; + ret = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND, IRQEN); +@@ -778,11 +778,13 @@ static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot, + * @buf: The data in this buffer is treated as a complete link-level packet to + * be written. + * @bytes_write: Size of ebuf. ++ * @size_write_flag: A flag on Command Register which says whether the link size ++ * information will be writen or not. + * + * return: Number of bytes written, or < 0 on error. + */ + static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, +- u8 *buf, int bytes_write) ++ u8 *buf, int bytes_write, int size_write_flag) + { + struct dvb_ca_slot *sl = &ca->slot_info[slot]; + int status; +@@ -817,7 +819,7 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, + + /* OK, set HC bit */ + status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND, +- IRQEN | CMDREG_HC); ++ IRQEN | CMDREG_HC | size_write_flag); + if (status) + goto exit; + +@@ -1508,7 +1510,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file, + + mutex_lock(&sl->slot_lock); + status = dvb_ca_en50221_write_data(ca, slot, fragbuf, +- fraglen + 2); ++ fraglen + 2, 0); + mutex_unlock(&sl->slot_lock); + if (status == (fraglen + 2)) { + written = 1; +-- +2.39.2 + diff --git a/queue-6.3/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch b/queue-6.3/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch new file mode 100644 index 00000000000..12c00914160 --- /dev/null +++ b/queue-6.3/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch @@ -0,0 +1,65 @@ +From 276752a53fcb8710958f40848db6e00efe5ce2cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Mar 2023 21:25:19 +0000 +Subject: media: dvb_demux: fix a bug for the continuity counter + +From: YongSu Yoo + +[ Upstream commit 7efb10d8dc70ea3000cc70dca53407c52488acd1 ] + +In dvb_demux.c, some logics exist which compare the expected +continuity counter and the real continuity counter. If they +are not matched each other, both of the expected continuity +counter and the real continuity counter should be printed. +But there exists a bug that the expected continuity counter +is not correctly printed. The expected continuity counter is +replaced with the real countinuity counter + 1 so that +the epected continuity counter is not correclty printed. +This is wrong. This bug is fixed. + +Link: https://lore.kernel.org/linux-media/20230305212519.499-1-yongsuyoo0215@gmail.com + +Signed-off-by: YongSu Yoo +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_demux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c +index 398c86279b5b0..7c4d86bfdd6c9 100644 +--- a/drivers/media/dvb-core/dvb_demux.c ++++ b/drivers/media/dvb-core/dvb_demux.c +@@ -115,12 +115,12 @@ static inline int dvb_dmx_swfilter_payload(struct dvb_demux_feed *feed, + + cc = buf[3] & 0x0f; + ccok = ((feed->cc + 1) & 0x0f) == cc; +- feed->cc = cc; + if (!ccok) { + set_buf_flags(feed, DMX_BUFFER_FLAG_DISCONTINUITY_DETECTED); + dprintk_sect_loss("missed packet: %d instead of %d!\n", + cc, (feed->cc + 1) & 0x0f); + } ++ feed->cc = cc; + + if (buf[1] & 0x40) // PUSI ? + feed->peslen = 0xfffa; +@@ -300,7 +300,6 @@ static int dvb_dmx_swfilter_section_packet(struct dvb_demux_feed *feed, + + cc = buf[3] & 0x0f; + ccok = ((feed->cc + 1) & 0x0f) == cc; +- feed->cc = cc; + + if (buf[3] & 0x20) { + /* adaption field present, check for discontinuity_indicator */ +@@ -336,6 +335,7 @@ static int dvb_dmx_swfilter_section_packet(struct dvb_demux_feed *feed, + feed->pusi_seen = false; + dvb_dmx_swfilter_section_new(feed); + } ++ feed->cc = cc; + + if (buf[1] & 0x40) { + /* PUSI=1 (is set), section boundary is here */ +-- +2.39.2 + diff --git a/queue-6.3/media-mediatek-vcodec-only-apply-4k-frame-sizes-on-d.patch b/queue-6.3/media-mediatek-vcodec-only-apply-4k-frame-sizes-on-d.patch new file mode 100644 index 00000000000..a48cffed3d6 --- /dev/null +++ b/queue-6.3/media-mediatek-vcodec-only-apply-4k-frame-sizes-on-d.patch @@ -0,0 +1,41 @@ +From 73a3d00385fac2664844f93276871cd0b48dce8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Apr 2023 11:39:05 +0100 +Subject: media: mediatek: vcodec: Only apply 4K frame sizes on decoder formats + +From: Pin-yen Lin + +[ Upstream commit ed17f89e9502f03af493e130620a9bb74c07cf28 ] + +When VCODEC_CAPABILITY_4K_DISABLED is not set in dec_capability, skip +formats that are not MTK_FMT_DEC so only decoder formats is updated in +mtk_init_vdec_params. + +Fixes: e25528e1dbe5 ("media: mediatek: vcodec: Use 4K frame size when supported by stateful decoder") +Signed-off-by: Pin-yen Lin +Reviewed-by: Chen-Yu Tsai +Reviewed-by: Yunfei Dong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c +index 29991551cf614..0fbd030026c72 100644 +--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c ++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateful.c +@@ -584,6 +584,9 @@ static void mtk_init_vdec_params(struct mtk_vcodec_ctx *ctx) + + if (!(ctx->dev->dec_capability & VCODEC_CAPABILITY_4K_DISABLED)) { + for (i = 0; i < num_supported_formats; i++) { ++ if (mtk_video_formats[i].type != MTK_FMT_DEC) ++ continue; ++ + mtk_video_formats[i].frmsize.max_width = + VCODEC_DEC_4K_CODED_WIDTH; + mtk_video_formats[i].frmsize.max_height = +-- +2.39.2 + diff --git a/queue-6.3/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch b/queue-6.3/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch new file mode 100644 index 00000000000..fe817aa0e7b --- /dev/null +++ b/queue-6.3/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch @@ -0,0 +1,44 @@ +From bc2934bd5b3444ab8f8ae59bb71a254a3e64fd2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Mar 2023 13:13:18 +0000 +Subject: media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID + table +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +[ Upstream commit ae11c0efaec32fb45130ee9886689f467232eebc ] + +The driver will match mostly by DT table (even thought there is regular +ID table) so there is little benefit in of_match_ptr (this also allows +ACPI matching via PRP0001, even though it might not be relevant here). +This also fixes !CONFIG_OF error: + + drivers/media/dvb-frontends/mn88443x.c:782:34: error: ‘mn88443x_of_match’ defined but not used [-Werror=unused-const-variable=] + +Link: https://lore.kernel.org/linux-media/20230312131318.351173-28-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/mn88443x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/mn88443x.c b/drivers/media/dvb-frontends/mn88443x.c +index 1f1753f2ab1a3..0782f8377eb2f 100644 +--- a/drivers/media/dvb-frontends/mn88443x.c ++++ b/drivers/media/dvb-frontends/mn88443x.c +@@ -798,7 +798,7 @@ MODULE_DEVICE_TABLE(i2c, mn88443x_i2c_id); + static struct i2c_driver mn88443x_driver = { + .driver = { + .name = "mn88443x", +- .of_match_table = of_match_ptr(mn88443x_of_match), ++ .of_match_table = mn88443x_of_match, + }, + .probe_new = mn88443x_probe, + .remove = mn88443x_remove, +-- +2.39.2 + diff --git a/queue-6.3/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch b/queue-6.3/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch new file mode 100644 index 00000000000..1399ac9dc52 --- /dev/null +++ b/queue-6.3/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch @@ -0,0 +1,70 @@ +From ec40ae69f64e200a024e41f69c69e708b20f462b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 13:45:18 +0000 +Subject: media: netup_unidvb: fix irq init by register it at the end of probe + +From: Wei Chen + +[ Upstream commit e6ad6233592593079db5c8fa592c298e51bc1356 ] + +IRQ handler netup_spi_interrupt() takes spinlock spi->lock. The lock +is initialized in netup_spi_init(). However, irq handler is registered +before initializing the lock. + +Spinlock dma->lock and i2c->lock suffer from the same problem. + +Fix this by registering the irq at the end of probe. + +Link: https://lore.kernel.org/linux-media/20230315134518.1074497-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/pci/netup_unidvb/netup_unidvb_core.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index aaa1d2dedebdd..d85bfbb77a250 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -887,12 +887,7 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev, + ndev->lmmio0, (u32)pci_resource_len(pci_dev, 0), + ndev->lmmio1, (u32)pci_resource_len(pci_dev, 1), + pci_dev->irq); +- if (request_irq(pci_dev->irq, netup_unidvb_isr, IRQF_SHARED, +- "netup_unidvb", pci_dev) < 0) { +- dev_err(&pci_dev->dev, +- "%s(): can't get IRQ %d\n", __func__, pci_dev->irq); +- goto irq_request_err; +- } ++ + ndev->dma_size = 2 * 188 * + NETUP_DMA_BLOCKS_COUNT * NETUP_DMA_PACKETS_COUNT; + ndev->dma_virt = dma_alloc_coherent(&pci_dev->dev, +@@ -933,6 +928,14 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev, + dev_err(&pci_dev->dev, "netup_unidvb: DMA setup failed\n"); + goto dma_setup_err; + } ++ ++ if (request_irq(pci_dev->irq, netup_unidvb_isr, IRQF_SHARED, ++ "netup_unidvb", pci_dev) < 0) { ++ dev_err(&pci_dev->dev, ++ "%s(): can't get IRQ %d\n", __func__, pci_dev->irq); ++ goto dma_setup_err; ++ } ++ + dev_info(&pci_dev->dev, + "netup_unidvb: device has been initialized\n"); + return 0; +@@ -951,8 +954,6 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev, + dma_free_coherent(&pci_dev->dev, ndev->dma_size, + ndev->dma_virt, ndev->dma_phys); + dma_alloc_err: +- free_irq(pci_dev->irq, pci_dev); +-irq_request_err: + iounmap(ndev->lmmio1); + pci_bar1_error: + iounmap(ndev->lmmio0); +-- +2.39.2 + diff --git a/queue-6.3/media-rcar-vin-fix-nv12-size-alignment.patch b/queue-6.3/media-rcar-vin-fix-nv12-size-alignment.patch new file mode 100644 index 00000000000..d06db92f25c --- /dev/null +++ b/queue-6.3/media-rcar-vin-fix-nv12-size-alignment.patch @@ -0,0 +1,48 @@ +From caa416378f2137d94f51921e99fc8da48085cc2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Feb 2023 21:54:32 +0100 +Subject: media: rcar-vin: Fix NV12 size alignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit cb88d8289fc222bd21b7a7f99b055e7e73e316f4 ] + +When doing format validation for NV12 the width and height should be +aligned to 32 pixels. + +Signed-off-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/renesas/rcar-vin/rcar-dma.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c +index cc6b59e5621ae..23598e22adc72 100644 +--- a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c +@@ -1320,9 +1320,15 @@ static int rvin_mc_validate_format(struct rvin_dev *vin, struct v4l2_subdev *sd, + if (!vin->scaler) + return -EPIPE; + } else { +- if (fmt.format.width != vin->format.width || +- fmt.format.height != vin->format.height) +- return -EPIPE; ++ if (vin->format.pixelformat == V4L2_PIX_FMT_NV12) { ++ if (ALIGN(fmt.format.width, 32) != vin->format.width || ++ ALIGN(fmt.format.height, 32) != vin->format.height) ++ return -EPIPE; ++ } else { ++ if (fmt.format.width != vin->format.width || ++ fmt.format.height != vin->format.height) ++ return -EPIPE; ++ } + } + + if (fmt.format.code != vin->mbus_code) +-- +2.39.2 + diff --git a/queue-6.3/media-rcar-vin-gen3-can-not-scale-nv12.patch b/queue-6.3/media-rcar-vin-gen3-can-not-scale-nv12.patch new file mode 100644 index 00000000000..5d150d713b3 --- /dev/null +++ b/queue-6.3/media-rcar-vin-gen3-can-not-scale-nv12.patch @@ -0,0 +1,41 @@ +From fefe2953c9fa8bf10d5f075d2fb17023a7e73eec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Feb 2023 21:54:31 +0100 +Subject: media: rcar-vin: Gen3 can not scale NV12 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit 879c5a458e532b95783ce27f704d1b21573066f7 ] + +The VIN modules on Gen3 can not scale NV12, fail format validation if +the user tries. Currently no frames are produced if this is attempted. + +Signed-off-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/renesas/rcar-vin/rcar-dma.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c +index 98bfd445a649b..cc6b59e5621ae 100644 +--- a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c +@@ -1312,6 +1312,11 @@ static int rvin_mc_validate_format(struct rvin_dev *vin, struct v4l2_subdev *sd, + } + + if (rvin_scaler_needed(vin)) { ++ /* Gen3 can't scale NV12 */ ++ if (vin->info->model == RCAR_GEN3 && ++ vin->format.pixelformat == V4L2_PIX_FMT_NV12) ++ return -EPIPE; ++ + if (!vin->scaler) + return -EPIPE; + } else { +-- +2.39.2 + diff --git a/queue-6.3/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch b/queue-6.3/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch new file mode 100644 index 00000000000..2ac76182c6f --- /dev/null +++ b/queue-6.3/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch @@ -0,0 +1,49 @@ +From 64e913da3188d90985623154171366a66ea59498 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Feb 2023 21:55:34 +0100 +Subject: media: rcar-vin: Select correct interrupt mode for + V4L2_FIELD_ALTERNATE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit e10707d5865c90d3dfe4ef589ce02ff4287fef85 ] + +When adding proper support for V4L2_FIELD_ALTERNATE it was missed that +this field format should trigger an interrupt for each field, not just +for the whole frame. Fix this by marking it as progressive in the +capture setup, which will then select the correct interrupt mode. + +Tested on both Gen2 and Gen3 with the result of a doubling of the frame +rate for V4L2_FIELD_ALTERNATE. From a PAL video source the frame rate is +now 50, which is expected for alternate field capture. + +Signed-off-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/renesas/rcar-vin/rcar-dma.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c +index 23598e22adc72..2a77353f10b59 100644 +--- a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c +@@ -728,11 +728,9 @@ static int rvin_setup(struct rvin_dev *vin) + case V4L2_FIELD_SEQ_TB: + case V4L2_FIELD_SEQ_BT: + case V4L2_FIELD_NONE: +- vnmc = VNMC_IM_ODD_EVEN; +- progressive = true; +- break; + case V4L2_FIELD_ALTERNATE: + vnmc = VNMC_IM_ODD_EVEN; ++ progressive = true; + break; + default: + vnmc = VNMC_IM_ODD; +-- +2.39.2 + diff --git a/queue-6.3/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch b/queue-6.3/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch new file mode 100644 index 00000000000..b62420a9a60 --- /dev/null +++ b/queue-6.3/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch @@ -0,0 +1,43 @@ +From 9ed6028415439f25e9aaaa13586af5bdf7cab5b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 04:59:25 +0000 +Subject: media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() + +From: Hyunwoo Kim + +[ Upstream commit 517a281338322ff8293f988771c98aaa7205e457 ] + +Since dvb_frontend_detach() is not called in ttusb_dec_exit_dvb(), +which is called when the device is disconnected, dvb_frontend_free() +is not finally called. + +This causes a memory leak just by repeatedly plugging and +unplugging the device. + +Fix this issue by adding dvb_frontend_detach() to ttusb_dec_exit_dvb(). + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-5-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/ttusb-dec/ttusb_dec.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c +index 38822cedd93a9..c4474d4c44e28 100644 +--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c ++++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c +@@ -1544,8 +1544,7 @@ static void ttusb_dec_exit_dvb(struct ttusb_dec *dec) + dvb_dmx_release(&dec->demux); + if (dec->fe) { + dvb_unregister_frontend(dec->fe); +- if (dec->fe->ops.release) +- dec->fe->ops.release(dec->fe); ++ dvb_frontend_detach(dec->fe); + } + dvb_unregister_adapter(&dec->adapter); + } +-- +2.39.2 + diff --git a/queue-6.3/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch b/queue-6.3/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch new file mode 100644 index 00000000000..8a61bc982d9 --- /dev/null +++ b/queue-6.3/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch @@ -0,0 +1,81 @@ +From a32c04c1deebd47a855171a632c8e09b3bf4df55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 10:45:59 +0100 +Subject: media: uvcvideo: Don't expose unsupported formats to userspace + +From: Laurent Pinchart + +[ Upstream commit 81f3affa19d6ab0c32aef46b053838219eef7e71 ] + +When the uvcvideo driver encounters a format descriptor with an unknown +format GUID, it creates a corresponding struct uvc_format instance with +the fcc field set to 0. Since commit 50459f103edf ("media: uvcvideo: +Remove format descriptions"), the driver relies on the V4L2 core to +provide the format description string, which the V4L2 core can't do +without a valid 4CC. This triggers a WARN_ON. + +As a format with a zero 4CC can't be selected, it is unusable for +applications. Ignore the format completely without creating a uvc_format +instance, which fixes the warning. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217252 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2180107 + +Fixes: 50459f103edf ("media: uvcvideo: Remove format descriptions") +Signed-off-by: Laurent Pinchart +Reviewed-by: Ricardo Ribalda +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 7aefa76a42b31..d631ce4f9f7bb 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -251,14 +251,17 @@ static int uvc_parse_format(struct uvc_device *dev, + /* Find the format descriptor from its GUID. */ + fmtdesc = uvc_format_by_guid(&buffer[5]); + +- if (fmtdesc != NULL) { +- format->fcc = fmtdesc->fcc; +- } else { ++ if (!fmtdesc) { ++ /* ++ * Unknown video formats are not fatal errors, the ++ * caller will skip this descriptor. ++ */ + dev_info(&streaming->intf->dev, + "Unknown video format %pUl\n", &buffer[5]); +- format->fcc = 0; ++ return 0; + } + ++ format->fcc = fmtdesc->fcc; + format->bpp = buffer[21]; + + /* +@@ -675,7 +678,7 @@ static int uvc_parse_streaming(struct uvc_device *dev, + interval = (u32 *)&frame[nframes]; + + streaming->format = format; +- streaming->nformats = nformats; ++ streaming->nformats = 0; + + /* Parse the format descriptors. */ + while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE) { +@@ -689,7 +692,10 @@ static int uvc_parse_streaming(struct uvc_device *dev, + &interval, buffer, buflen); + if (ret < 0) + goto error; ++ if (!ret) ++ break; + ++ streaming->nformats++; + frame += format->nframes; + format++; + +-- +2.39.2 + diff --git a/queue-6.3/mptcp-add-annotations-around-msk-subflow-accesses.patch b/queue-6.3/mptcp-add-annotations-around-msk-subflow-accesses.patch new file mode 100644 index 00000000000..978953b48b7 --- /dev/null +++ b/queue-6.3/mptcp-add-annotations-around-msk-subflow-accesses.patch @@ -0,0 +1,118 @@ +From 22af5f7e54f7ef4c56137e509d3ae492866c140b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:37:04 -0700 +Subject: mptcp: add annotations around msk->subflow accesses + +From: Paolo Abeni + +[ Upstream commit 5b825727d0871b23e8867f6371183e61628b4a26 ] + +The MPTCP can access the first subflow socket in a few spots +outside the socket lock scope. That is actually safe, as MPTCP +will delete the socket itself only after the msk sock close(). + +Still the such accesses causes a few KCSAN splats, as reported +by Christoph. Silence the harmless warning adding a few annotation +around the relevant accesses. + +Fixes: 71ba088ce0aa ("mptcp: cleanup accept and poll") +Reported-by: Christoph Paasch +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/402 +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 18 ++++++++++-------- + net/mptcp/protocol.h | 6 +++++- + 2 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 676a6d24b4b71..f5c0a56f0f0ca 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -103,7 +103,7 @@ static int __mptcp_socket_create(struct mptcp_sock *msk) + return err; + + msk->first = ssock->sk; +- msk->subflow = ssock; ++ WRITE_ONCE(msk->subflow, ssock); + subflow = mptcp_subflow_ctx(ssock->sk); + list_add(&subflow->node, &msk->conn_list); + sock_hold(ssock->sk); +@@ -2254,7 +2254,7 @@ static void mptcp_dispose_initial_subflow(struct mptcp_sock *msk) + { + if (msk->subflow) { + iput(SOCK_INODE(msk->subflow)); +- msk->subflow = NULL; ++ WRITE_ONCE(msk->subflow, NULL); + } + } + +@@ -3109,7 +3109,7 @@ struct sock *mptcp_sk_clone(const struct sock *sk, + msk = mptcp_sk(nsk); + msk->local_key = subflow_req->local_key; + msk->token = subflow_req->token; +- msk->subflow = NULL; ++ WRITE_ONCE(msk->subflow, NULL); + msk->in_accept_queue = 1; + WRITE_ONCE(msk->fully_established, false); + if (mp_opt->suboptions & OPTION_MPTCP_CSUMREQD) +@@ -3157,7 +3157,7 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err, + struct socket *listener; + struct sock *newsk; + +- listener = msk->subflow; ++ listener = READ_ONCE(msk->subflow); + if (WARN_ON_ONCE(!listener)) { + *err = -EINVAL; + return NULL; +@@ -3723,10 +3723,10 @@ static int mptcp_stream_accept(struct socket *sock, struct socket *newsock, + + pr_debug("msk=%p", msk); + +- /* buggy applications can call accept on socket states other then LISTEN ++ /* Buggy applications can call accept on socket states other then LISTEN + * but no need to allocate the first subflow just to error out. + */ +- ssock = msk->subflow; ++ ssock = READ_ONCE(msk->subflow); + if (!ssock) + return -EINVAL; + +@@ -3800,10 +3800,12 @@ static __poll_t mptcp_poll(struct file *file, struct socket *sock, + state = inet_sk_state_load(sk); + pr_debug("msk=%p state=%d flags=%lx", msk, state, msk->flags); + if (state == TCP_LISTEN) { +- if (WARN_ON_ONCE(!msk->subflow || !msk->subflow->sk)) ++ struct socket *ssock = READ_ONCE(msk->subflow); ++ ++ if (WARN_ON_ONCE(!ssock || !ssock->sk)) + return 0; + +- return inet_csk_listen_poll(msk->subflow->sk); ++ return inet_csk_listen_poll(ssock->sk); + } + + if (state != TCP_SYN_SENT && state != TCP_SYN_RECV) { +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index d6469b6ab38e3..84427b3697d89 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -306,7 +306,11 @@ struct mptcp_sock { + struct list_head rtx_queue; + struct mptcp_data_frag *first_pending; + struct list_head join_list; +- struct socket *subflow; /* outgoing connect/listener/!mp_capable */ ++ struct socket *subflow; /* outgoing connect/listener/!mp_capable ++ * The mptcp ops can safely dereference, using suitable ++ * ONCE annotation, the subflow outside the socket ++ * lock as such sock is freed after close(). ++ */ + struct sock *first; + struct mptcp_pm_data pm; + struct { +-- +2.39.2 + diff --git a/queue-6.3/mptcp-add-annotations-around-sk-sk_shutdown-accesses.patch b/queue-6.3/mptcp-add-annotations-around-sk-sk_shutdown-accesses.patch new file mode 100644 index 00000000000..fcd83781bf5 --- /dev/null +++ b/queue-6.3/mptcp-add-annotations-around-sk-sk_shutdown-accesses.patch @@ -0,0 +1,124 @@ +From 61a8b077f4bdce7044ede12ce3463a9b562e4716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:37:07 -0700 +Subject: mptcp: add annotations around sk->sk_shutdown accesses + +From: Paolo Abeni + +[ Upstream commit 6b9831bfd9322b297eb6d44257808cc055fdc586 ] + +Christoph reported the mptcp variant of a recently addressed plain +TCP issue. Similar to commit e14cadfd80d7 ("tcp: add annotations around +sk->sk_shutdown accesses") add READ/WRITE ONCE annotations to silence +KCSAN reports around lockless sk_shutdown access. + +Fixes: 71ba088ce0aa ("mptcp: cleanup accept and poll") +Reported-by: Christoph Paasch +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/401 +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 64d4910e337ea..17793aa733fd9 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -590,7 +590,7 @@ static bool mptcp_check_data_fin(struct sock *sk) + WRITE_ONCE(msk->ack_seq, msk->ack_seq + 1); + WRITE_ONCE(msk->rcv_data_fin, 0); + +- sk->sk_shutdown |= RCV_SHUTDOWN; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN); + smp_mb__before_atomic(); /* SHUTDOWN must be visible first */ + + switch (sk->sk_state) { +@@ -897,7 +897,7 @@ static void mptcp_check_for_eof(struct mptcp_sock *msk) + /* hopefully temporary hack: propagate shutdown status + * to msk, when all subflows agree on it + */ +- sk->sk_shutdown |= RCV_SHUTDOWN; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN); + + smp_mb__before_atomic(); /* SHUTDOWN must be visible first */ + sk->sk_data_ready(sk); +@@ -2498,7 +2498,7 @@ static void mptcp_check_fastclose(struct mptcp_sock *msk) + } + + inet_sk_state_store(sk, TCP_CLOSE); +- sk->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); + smp_mb__before_atomic(); /* SHUTDOWN must be visible first */ + set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags); + +@@ -2934,7 +2934,7 @@ bool __mptcp_close(struct sock *sk, long timeout) + bool do_cancel_work = false; + int subflows_alive = 0; + +- sk->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); + + if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) { + mptcp_listen_inuse_dec(sk); +@@ -3074,7 +3074,7 @@ static int mptcp_disconnect(struct sock *sk, int flags) + mptcp_pm_data_reset(msk); + mptcp_ca_reset(sk); + +- sk->sk_shutdown = 0; ++ WRITE_ONCE(sk->sk_shutdown, 0); + sk_error_report(sk); + return 0; + } +@@ -3793,9 +3793,6 @@ static __poll_t mptcp_check_writeable(struct mptcp_sock *msk) + { + struct sock *sk = (struct sock *)msk; + +- if (unlikely(sk->sk_shutdown & SEND_SHUTDOWN)) +- return EPOLLOUT | EPOLLWRNORM; +- + if (sk_stream_is_writeable(sk)) + return EPOLLOUT | EPOLLWRNORM; + +@@ -3813,6 +3810,7 @@ static __poll_t mptcp_poll(struct file *file, struct socket *sock, + struct sock *sk = sock->sk; + struct mptcp_sock *msk; + __poll_t mask = 0; ++ u8 shutdown; + int state; + + msk = mptcp_sk(sk); +@@ -3829,17 +3827,22 @@ static __poll_t mptcp_poll(struct file *file, struct socket *sock, + return inet_csk_listen_poll(ssock->sk); + } + ++ shutdown = READ_ONCE(sk->sk_shutdown); ++ if (shutdown == SHUTDOWN_MASK || state == TCP_CLOSE) ++ mask |= EPOLLHUP; ++ if (shutdown & RCV_SHUTDOWN) ++ mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP; ++ + if (state != TCP_SYN_SENT && state != TCP_SYN_RECV) { + mask |= mptcp_check_readable(msk); +- mask |= mptcp_check_writeable(msk); ++ if (shutdown & SEND_SHUTDOWN) ++ mask |= EPOLLOUT | EPOLLWRNORM; ++ else ++ mask |= mptcp_check_writeable(msk); + } else if (state == TCP_SYN_SENT && inet_sk(sk)->defer_connect) { + /* cf tcp_poll() note about TFO */ + mask |= EPOLLOUT | EPOLLWRNORM; + } +- if (sk->sk_shutdown == SHUTDOWN_MASK || state == TCP_CLOSE) +- mask |= EPOLLHUP; +- if (sk->sk_shutdown & RCV_SHUTDOWN) +- mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP; + + /* This barrier is coupled with smp_wmb() in __mptcp_error_report() */ + smp_rmb(); +-- +2.39.2 + diff --git a/queue-6.3/mptcp-avoid-unneeded-__mptcp_nmpc_socket-usage.patch b/queue-6.3/mptcp-avoid-unneeded-__mptcp_nmpc_socket-usage.patch new file mode 100644 index 00000000000..570efd637e3 --- /dev/null +++ b/queue-6.3/mptcp-avoid-unneeded-__mptcp_nmpc_socket-usage.patch @@ -0,0 +1,65 @@ +From 5c4a08419c6826f073bf4cae439b122d75e8867b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 16:08:01 +0200 +Subject: mptcp: avoid unneeded __mptcp_nmpc_socket() usage + +From: Paolo Abeni + +[ Upstream commit 617612316953093bc859890e405e1b550c27d840 ] + +In a few spots, the mptcp code invokes the __mptcp_nmpc_socket() helper +multiple times under the same socket lock scope. Additionally, in such +places, the socket status ensures that there is no MP capable handshake +running. + +Under the above condition we can replace the later __mptcp_nmpc_socket() +helper invocation with direct access to the msk->subflow pointer and +better document such access is not supposed to fail with WARN(). + +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Stable-dep-of: 5b825727d087 ("mptcp: add annotations around msk->subflow accesses") +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index b998e9df53cef..676a6d24b4b71 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -3157,7 +3157,7 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err, + struct socket *listener; + struct sock *newsk; + +- listener = __mptcp_nmpc_socket(msk); ++ listener = msk->subflow; + if (WARN_ON_ONCE(!listener)) { + *err = -EINVAL; + return NULL; +@@ -3377,7 +3377,7 @@ static int mptcp_get_port(struct sock *sk, unsigned short snum) + struct mptcp_sock *msk = mptcp_sk(sk); + struct socket *ssock; + +- ssock = __mptcp_nmpc_socket(msk); ++ ssock = msk->subflow; + pr_debug("msk=%p, subflow=%p", msk, ssock); + if (WARN_ON_ONCE(!ssock)) + return -EINVAL; +@@ -3723,7 +3723,10 @@ static int mptcp_stream_accept(struct socket *sock, struct socket *newsock, + + pr_debug("msk=%p", msk); + +- ssock = __mptcp_nmpc_socket(msk); ++ /* buggy applications can call accept on socket states other then LISTEN ++ * but no need to allocate the first subflow just to error out. ++ */ ++ ssock = msk->subflow; + if (!ssock) + return -EINVAL; + +-- +2.39.2 + diff --git a/queue-6.3/mptcp-avoid-unneeded-address-copy.patch b/queue-6.3/mptcp-avoid-unneeded-address-copy.patch new file mode 100644 index 00000000000..0fc689645f8 --- /dev/null +++ b/queue-6.3/mptcp-avoid-unneeded-address-copy.patch @@ -0,0 +1,38 @@ +From 01a12e84cebe293fbb69eec239cd86eb23743b94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 12:22:21 +0200 +Subject: mptcp: avoid unneeded address copy + +From: Paolo Abeni + +[ Upstream commit 2bb9a37f0e194ed95c70603b0efc7898a5a0d9b4 ] + +In the syn_recv fallback path, the msk is unused. We can skip +setting the socket address. + +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Stable-dep-of: 7e8b88ec35ee ("mptcp: consolidate passive msk socket initialization") +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 281c1cc8dc8dc..8a6bd2782dc97 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -823,8 +823,6 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + goto dispose_child; + } + +- if (new_msk) +- mptcp_copy_inaddrs(new_msk, child); + mptcp_subflow_drop_ctx(child); + goto out; + } +-- +2.39.2 + diff --git a/queue-6.3/mptcp-consolidate-passive-msk-socket-initialization.patch b/queue-6.3/mptcp-consolidate-passive-msk-socket-initialization.patch new file mode 100644 index 00000000000..da6304f64d4 --- /dev/null +++ b/queue-6.3/mptcp-consolidate-passive-msk-socket-initialization.patch @@ -0,0 +1,171 @@ +From 9d18f46846114103c986353747bd53c267e1e7b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:37:05 -0700 +Subject: mptcp: consolidate passive msk socket initialization + +From: Paolo Abeni + +[ Upstream commit 7e8b88ec35eef363040e08d99536d2bebef83774 ] + +When the msk socket is cloned at MPC handshake time, a few +fields are initialized in a racy way outside mptcp_sk_clone() +and the msk socket lock. + +The above is due historical reasons: before commit a88d0092b24b +("mptcp: simplify subflow_syn_recv_sock()") as the first subflow socket +carrying all the needed date was not available yet at msk creation +time + +We can now refactor the code moving the missing initialization bit +under the socket lock, removing the init race and avoiding some +code duplication. + +This will also simplify the next patch, as all msk->first write +access are now under the msk socket lock. + +Fixes: 0397c6d85f9c ("mptcp: keep unaccepted MPC subflow into join list") +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 35 ++++++++++++++++++++++++++++------- + net/mptcp/protocol.h | 8 ++++---- + net/mptcp/subflow.c | 28 +--------------------------- + 3 files changed, 33 insertions(+), 38 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index f5c0a56f0f0ca..8d0c03091c409 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -3011,7 +3011,7 @@ static void mptcp_close(struct sock *sk, long timeout) + sock_put(sk); + } + +-void mptcp_copy_inaddrs(struct sock *msk, const struct sock *ssk) ++static void mptcp_copy_inaddrs(struct sock *msk, const struct sock *ssk) + { + #if IS_ENABLED(CONFIG_MPTCP_IPV6) + const struct ipv6_pinfo *ssk6 = inet6_sk(ssk); +@@ -3088,9 +3088,10 @@ static struct ipv6_pinfo *mptcp_inet6_sk(const struct sock *sk) + } + #endif + +-struct sock *mptcp_sk_clone(const struct sock *sk, +- const struct mptcp_options_received *mp_opt, +- struct request_sock *req) ++struct sock *mptcp_sk_clone_init(const struct sock *sk, ++ const struct mptcp_options_received *mp_opt, ++ struct sock *ssk, ++ struct request_sock *req) + { + struct mptcp_subflow_request_sock *subflow_req = mptcp_subflow_rsk(req); + struct sock *nsk = sk_clone_lock(sk, GFP_ATOMIC); +@@ -3122,10 +3123,30 @@ struct sock *mptcp_sk_clone(const struct sock *sk, + msk->setsockopt_seq = mptcp_sk(sk)->setsockopt_seq; + + sock_reset_flag(nsk, SOCK_RCU_FREE); +- /* will be fully established after successful MPC subflow creation */ +- inet_sk_state_store(nsk, TCP_SYN_RECV); +- + security_inet_csk_clone(nsk, req); ++ ++ /* this can't race with mptcp_close(), as the msk is ++ * not yet exposted to user-space ++ */ ++ inet_sk_state_store(nsk, TCP_ESTABLISHED); ++ ++ /* The msk maintain a ref to each subflow in the connections list */ ++ WRITE_ONCE(msk->first, ssk); ++ list_add(&mptcp_subflow_ctx(ssk)->node, &msk->conn_list); ++ sock_hold(ssk); ++ ++ /* new mpc subflow takes ownership of the newly ++ * created mptcp socket ++ */ ++ mptcp_token_accept(subflow_req, msk); ++ ++ /* set msk addresses early to ensure mptcp_pm_get_local_id() ++ * uses the correct data ++ */ ++ mptcp_copy_inaddrs(nsk, ssk); ++ mptcp_propagate_sndbuf(nsk, ssk); ++ ++ mptcp_rcv_space_init(msk, ssk); + bh_unlock_sock(nsk); + + /* note: the newly allocated socket refcount is 2 now */ +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 84427b3697d89..426b43d7ae642 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -620,7 +620,6 @@ int mptcp_is_checksum_enabled(const struct net *net); + int mptcp_allow_join_id0(const struct net *net); + unsigned int mptcp_stale_loss_cnt(const struct net *net); + int mptcp_get_pm_type(const struct net *net); +-void mptcp_copy_inaddrs(struct sock *msk, const struct sock *ssk); + void mptcp_subflow_fully_established(struct mptcp_subflow_context *subflow, + const struct mptcp_options_received *mp_opt); + bool __mptcp_retransmit_pending_data(struct sock *sk); +@@ -690,9 +689,10 @@ void __init mptcp_proto_init(void); + int __init mptcp_proto_v6_init(void); + #endif + +-struct sock *mptcp_sk_clone(const struct sock *sk, +- const struct mptcp_options_received *mp_opt, +- struct request_sock *req); ++struct sock *mptcp_sk_clone_init(const struct sock *sk, ++ const struct mptcp_options_received *mp_opt, ++ struct sock *ssk, ++ struct request_sock *req); + void mptcp_get_options(const struct sk_buff *skb, + struct mptcp_options_received *mp_opt); + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 3b8abd79bfbd5..bb0301398d3b4 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -815,38 +815,12 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + ctx->setsockopt_seq = listener->setsockopt_seq; + + if (ctx->mp_capable) { +- ctx->conn = mptcp_sk_clone(listener->conn, &mp_opt, req); ++ ctx->conn = mptcp_sk_clone_init(listener->conn, &mp_opt, child, req); + if (!ctx->conn) + goto fallback; + + owner = mptcp_sk(ctx->conn); +- +- /* this can't race with mptcp_close(), as the msk is +- * not yet exposted to user-space +- */ +- inet_sk_state_store(ctx->conn, TCP_ESTABLISHED); +- +- /* record the newly created socket as the first msk +- * subflow, but don't link it yet into conn_list +- */ +- WRITE_ONCE(owner->first, child); +- +- /* new mpc subflow takes ownership of the newly +- * created mptcp socket +- */ +- owner->setsockopt_seq = ctx->setsockopt_seq; + mptcp_pm_new_connection(owner, child, 1); +- mptcp_token_accept(subflow_req, owner); +- +- /* set msk addresses early to ensure mptcp_pm_get_local_id() +- * uses the correct data +- */ +- mptcp_copy_inaddrs(ctx->conn, child); +- mptcp_propagate_sndbuf(ctx->conn, child); +- +- mptcp_rcv_space_init(owner, child); +- list_add(&ctx->node, &owner->conn_list); +- sock_hold(child); + + /* with OoO packets we can reach here without ingress + * mpc option +-- +2.39.2 + diff --git a/queue-6.3/mptcp-fix-data-race-around-msk-first-access.patch b/queue-6.3/mptcp-fix-data-race-around-msk-first-access.patch new file mode 100644 index 00000000000..36781fd74ff --- /dev/null +++ b/queue-6.3/mptcp-fix-data-race-around-msk-first-access.patch @@ -0,0 +1,57 @@ +From 0545614d0c7d286546c0bc5eca67615845d493d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:37:06 -0700 +Subject: mptcp: fix data race around msk->first access + +From: Paolo Abeni + +[ Upstream commit 1b1b43ee7a208096ecd79e626f2fc90d4a321111 ] + +The first subflow socket is accessed outside the msk socket lock +by mptcp_subflow_fail(), we need to annotate each write access +with WRITE_ONCE, but a few spots still lacks it. + +Fixes: 76a13b315709 ("mptcp: invoke MP_FAIL response when needed") +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 8d0c03091c409..64d4910e337ea 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -102,7 +102,7 @@ static int __mptcp_socket_create(struct mptcp_sock *msk) + if (err) + return err; + +- msk->first = ssock->sk; ++ WRITE_ONCE(msk->first, ssock->sk); + WRITE_ONCE(msk->subflow, ssock); + subflow = mptcp_subflow_ctx(ssock->sk); + list_add(&subflow->node, &msk->conn_list); +@@ -2391,7 +2391,7 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk, + sock_put(ssk); + + if (ssk == msk->first) +- msk->first = NULL; ++ WRITE_ONCE(msk->first, NULL); + + out: + if (ssk == msk->last_snd) +@@ -2692,7 +2692,7 @@ static int __mptcp_init_sock(struct sock *sk) + WRITE_ONCE(msk->rmem_released, 0); + msk->timer_ival = TCP_RTO_MIN; + +- msk->first = NULL; ++ WRITE_ONCE(msk->first, NULL); + inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss; + WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk))); + WRITE_ONCE(msk->allow_infinite_fallback, true); +-- +2.39.2 + diff --git a/queue-6.3/mptcp-simplify-subflow_syn_recv_sock.patch b/queue-6.3/mptcp-simplify-subflow_syn_recv_sock.patch new file mode 100644 index 00000000000..75e25cfb79b --- /dev/null +++ b/queue-6.3/mptcp-simplify-subflow_syn_recv_sock.patch @@ -0,0 +1,134 @@ +From 1ba1b5bc57c79597fe8b53f8548863f082d86088 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 12:22:22 +0200 +Subject: mptcp: simplify subflow_syn_recv_sock() + +From: Paolo Abeni + +[ Upstream commit a88d0092b24b8cddce57fe0e88e60a9e29e0b515 ] + +Postpone the msk cloning to the child process creation +so that we can avoid a bunch of conditionals. + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/61 +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Stable-dep-of: 7e8b88ec35ee ("mptcp: consolidate passive msk socket initialization") +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 41 +++++++++++++---------------------------- + 1 file changed, 13 insertions(+), 28 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 8a6bd2782dc97..3b8abd79bfbd5 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -695,14 +695,6 @@ static bool subflow_hmac_valid(const struct request_sock *req, + return !crypto_memneq(hmac, mp_opt->hmac, MPTCPOPT_HMAC_LEN); + } + +-static void mptcp_force_close(struct sock *sk) +-{ +- /* the msk is not yet exposed to user-space, and refcount is 2 */ +- inet_sk_state_store(sk, TCP_CLOSE); +- sk_common_release(sk); +- sock_put(sk); +-} +- + static void subflow_ulp_fallback(struct sock *sk, + struct mptcp_subflow_context *old_ctx) + { +@@ -757,7 +749,6 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + struct mptcp_subflow_request_sock *subflow_req; + struct mptcp_options_received mp_opt; + bool fallback, fallback_is_fatal; +- struct sock *new_msk = NULL; + struct mptcp_sock *owner; + struct sock *child; + +@@ -786,14 +777,9 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + * options. + */ + mptcp_get_options(skb, &mp_opt); +- if (!(mp_opt.suboptions & OPTIONS_MPTCP_MPC)) { ++ if (!(mp_opt.suboptions & OPTIONS_MPTCP_MPC)) + fallback = true; +- goto create_child; +- } + +- new_msk = mptcp_sk_clone(listener->conn, &mp_opt, req); +- if (!new_msk) +- fallback = true; + } else if (subflow_req->mp_join) { + mptcp_get_options(skb, &mp_opt); + if (!(mp_opt.suboptions & OPTIONS_MPTCP_MPJ) || +@@ -822,21 +808,23 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + subflow_add_reset_reason(skb, MPTCP_RST_EMPTCP); + goto dispose_child; + } +- +- mptcp_subflow_drop_ctx(child); +- goto out; ++ goto fallback; + } + + /* ssk inherits options of listener sk */ + ctx->setsockopt_seq = listener->setsockopt_seq; + + if (ctx->mp_capable) { +- owner = mptcp_sk(new_msk); ++ ctx->conn = mptcp_sk_clone(listener->conn, &mp_opt, req); ++ if (!ctx->conn) ++ goto fallback; ++ ++ owner = mptcp_sk(ctx->conn); + + /* this can't race with mptcp_close(), as the msk is + * not yet exposted to user-space + */ +- inet_sk_state_store((void *)new_msk, TCP_ESTABLISHED); ++ inet_sk_state_store(ctx->conn, TCP_ESTABLISHED); + + /* record the newly created socket as the first msk + * subflow, but don't link it yet into conn_list +@@ -846,11 +834,9 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + /* new mpc subflow takes ownership of the newly + * created mptcp socket + */ +- mptcp_sk(new_msk)->setsockopt_seq = ctx->setsockopt_seq; ++ owner->setsockopt_seq = ctx->setsockopt_seq; + mptcp_pm_new_connection(owner, child, 1); + mptcp_token_accept(subflow_req, owner); +- ctx->conn = new_msk; +- new_msk = NULL; + + /* set msk addresses early to ensure mptcp_pm_get_local_id() + * uses the correct data +@@ -900,11 +886,6 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + } + } + +-out: +- /* dispose of the left over mptcp master, if any */ +- if (unlikely(new_msk)) +- mptcp_force_close(new_msk); +- + /* check for expected invariant - should never trigger, just help + * catching eariler subtle bugs + */ +@@ -922,6 +903,10 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + + /* The last child reference will be released by the caller */ + return child; ++ ++fallback: ++ mptcp_subflow_drop_ctx(child); ++ return child; + } + + static struct inet_connection_sock_af_ops subflow_specific __ro_after_init; +-- +2.39.2 + diff --git a/queue-6.3/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch b/queue-6.3/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch new file mode 100644 index 00000000000..ed6584f83f4 --- /dev/null +++ b/queue-6.3/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch @@ -0,0 +1,67 @@ +From 6282ed2d5a5e3411193e7bd51e017c82422d6fcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 22:21:24 +0200 +Subject: mtd: rawnand: ingenic: fix empty stub helper definitions + +From: Arnd Bergmann + +[ Upstream commit 650a8884a364ff2568b51cde9009cfd43cdae6ad ] + +A few functions provide an empty interface definition when +CONFIG_MTD_NAND_INGENIC_ECC is disabled, but they are accidentally +defined as global functions in the header: + +drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:39:5: error: no previous prototype for 'ingenic_ecc_calculate' +drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:46:5: error: no previous prototype for 'ingenic_ecc_correct' +drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:53:6: error: no previous prototype for 'ingenic_ecc_release' +drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:57:21: error: no previous prototype for 'of_ingenic_ecc_get' + +Turn them into 'static inline' definitions instead. + +Fixes: 15de8c6efd0e ("mtd: rawnand: ingenic: Separate top-level and SoC specific code") +Signed-off-by: Arnd Bergmann +Reviewed-by: Paul Cercueil +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230516202133.559488-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/ingenic/ingenic_ecc.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h b/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h +index 2cda439b5e11b..017868f59f222 100644 +--- a/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h ++++ b/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h +@@ -36,25 +36,25 @@ int ingenic_ecc_correct(struct ingenic_ecc *ecc, + void ingenic_ecc_release(struct ingenic_ecc *ecc); + struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np); + #else /* CONFIG_MTD_NAND_INGENIC_ECC */ +-int ingenic_ecc_calculate(struct ingenic_ecc *ecc, ++static inline int ingenic_ecc_calculate(struct ingenic_ecc *ecc, + struct ingenic_ecc_params *params, + const u8 *buf, u8 *ecc_code) + { + return -ENODEV; + } + +-int ingenic_ecc_correct(struct ingenic_ecc *ecc, ++static inline int ingenic_ecc_correct(struct ingenic_ecc *ecc, + struct ingenic_ecc_params *params, u8 *buf, + u8 *ecc_code) + { + return -ENODEV; + } + +-void ingenic_ecc_release(struct ingenic_ecc *ecc) ++static inline void ingenic_ecc_release(struct ingenic_ecc *ecc) + { + } + +-struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np) ++static inline struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np) + { + return ERR_PTR(-ENODEV); + } +-- +2.39.2 + diff --git a/queue-6.3/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch b/queue-6.3/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch new file mode 100644 index 00000000000..e4460fe9dbf --- /dev/null +++ b/queue-6.3/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch @@ -0,0 +1,44 @@ +From 0e1e2557e34e29bcb036463783b4492449d08b7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 12:31:53 +1200 +Subject: mtd: rawnand: marvell: don't set the NAND frequency select + +From: Chris Packham + +[ Upstream commit c4d28e30a8d0b979e4029465ab8f312ab6ce2644 ] + +marvell_nfc_setup_interface() uses the frequency retrieved from the +clock associated with the nand interface to determine the timings that +will be used. By changing the NAND frequency select without reflecting +this in the clock configuration this means that the timings calculated +don't correctly meet the requirements of the NAND chip. This hasn't been +an issue up to now because of a different bug that was stopping the +timings being updated after they were initially set. + +Fixes: b25251414f6e ("mtd: rawnand: marvell: Stop implementing ->select_chip()") +Signed-off-by: Chris Packham +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230525003154.2303012-2-chris.packham@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/marvell_nand.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c +index 52342f2c126da..2d34c2cb0f7ae 100644 +--- a/drivers/mtd/nand/raw/marvell_nand.c ++++ b/drivers/mtd/nand/raw/marvell_nand.c +@@ -2900,10 +2900,6 @@ static int marvell_nfc_init(struct marvell_nfc *nfc) + regmap_update_bits(sysctrl_base, GENCONF_CLK_GATING_CTRL, + GENCONF_CLK_GATING_CTRL_ND_GATE, + GENCONF_CLK_GATING_CTRL_ND_GATE); +- +- regmap_update_bits(sysctrl_base, GENCONF_ND_CLK_CTRL, +- GENCONF_ND_CLK_CTRL_EN, +- GENCONF_ND_CLK_CTRL_EN); + } + + /* Configure the DMA if appropriate */ +-- +2.39.2 + diff --git a/queue-6.3/mtd-rawnand-marvell-ensure-timing-values-are-written.patch b/queue-6.3/mtd-rawnand-marvell-ensure-timing-values-are-written.patch new file mode 100644 index 00000000000..ec49b83c1dd --- /dev/null +++ b/queue-6.3/mtd-rawnand-marvell-ensure-timing-values-are-written.patch @@ -0,0 +1,43 @@ +From 712cf47a971f19ef4aa23a2abd1a130f7792fadc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 12:31:52 +1200 +Subject: mtd: rawnand: marvell: ensure timing values are written + +From: Chris Packham + +[ Upstream commit 8a6f4d346f3bad9c68b4a87701eb3f7978542d57 ] + +When new timing values are calculated in marvell_nfc_setup_interface() +ensure that they will be applied in marvell_nfc_select_target() by +clearing the selected_chip pointer. + +Fixes: b25251414f6e ("mtd: rawnand: marvell: Stop implementing ->select_chip()") +Suggested-by: Miquel Raynal +Signed-off-by: Chris Packham +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230525003154.2303012-1-chris.packham@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/marvell_nand.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c +index 3034916d2e252..52342f2c126da 100644 +--- a/drivers/mtd/nand/raw/marvell_nand.c ++++ b/drivers/mtd/nand/raw/marvell_nand.c +@@ -2457,6 +2457,12 @@ static int marvell_nfc_setup_interface(struct nand_chip *chip, int chipnr, + NDTR1_WAIT_MODE; + } + ++ /* ++ * Reset nfc->selected_chip so the next command will cause the timing ++ * registers to be updated in marvell_nfc_select_target(). ++ */ ++ nfc->selected_chip = NULL; ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-6.3/nbd-fix-debugfs_create_dir-error-checking.patch b/queue-6.3/nbd-fix-debugfs_create_dir-error-checking.patch new file mode 100644 index 00000000000..dcdb12572c7 --- /dev/null +++ b/queue-6.3/nbd-fix-debugfs_create_dir-error-checking.patch @@ -0,0 +1,46 @@ +From 79d386dccfee6a72f235dc9ed74961754fa3d831 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:05:32 +0400 +Subject: nbd: Fix debugfs_create_dir error checking + +From: Ivan Orlov + +[ Upstream commit 4913cfcf014c95f0437db2df1734472fd3e15098 ] + +The debugfs_create_dir function returns ERR_PTR in case of error, and the +only correct way to check if an error occurred is 'IS_ERR' inline function. +This patch will replace the null-comparison with IS_ERR. + +Signed-off-by: Ivan Orlov +Link: https://lore.kernel.org/r/20230512130533.98709-1-ivan.orlov0322@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index e1c954094b6c0..dd0adcf745ff5 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1666,7 +1666,7 @@ static int nbd_dev_dbg_init(struct nbd_device *nbd) + return -EIO; + + dir = debugfs_create_dir(nbd_name(nbd), nbd_dbg_dir); +- if (!dir) { ++ if (IS_ERR(dir)) { + dev_err(nbd_to_dev(nbd), "Failed to create debugfs dir for '%s'\n", + nbd_name(nbd)); + return -EIO; +@@ -1692,7 +1692,7 @@ static int nbd_dbg_init(void) + struct dentry *dbg_dir; + + dbg_dir = debugfs_create_dir("nbd", NULL); +- if (!dbg_dir) ++ if (IS_ERR(dbg_dir)) + return -EIO; + + nbd_dbg_dir = dbg_dir; +-- +2.39.2 + diff --git a/queue-6.3/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch b/queue-6.3/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch new file mode 100644 index 00000000000..c132cb4eb33 --- /dev/null +++ b/queue-6.3/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch @@ -0,0 +1,45 @@ +From 8f78573aa00de14573410e015755f60167e9391d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 16:52:23 +0200 +Subject: net: dsa: mv88e6xxx: Increase wait after reset deactivation + +From: Andreas Svensson + +[ Upstream commit 3c27f3d53d588618d81d30d6712459a3cc9489b8 ] + +A switch held in reset by default needs to wait longer until we can +reliably detect it. + +An issue was observed when testing on the Marvell 88E6393X (Link Street). +The driver failed to detect the switch on some upstarts. Increasing the +wait time after reset deactivation solves this issue. + +The updated wait time is now also the same as the wait time in the +mv88e6xxx_hardware_reset function. + +Fixes: 7b75e49de424 ("net: dsa: mv88e6xxx: wait after reset deactivation") +Signed-off-by: Andreas Svensson +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230530145223.1223993-1-andreas.svensson@axis.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 902f407213404..39770a5b74e2e 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -7158,7 +7158,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + goto out; + } + if (chip->reset) +- usleep_range(1000, 2000); ++ usleep_range(10000, 20000); + + /* Detect if the device is configured in single chip addressing mode, + * otherwise continue with address specific smi init/detection. +-- +2.39.2 + diff --git a/queue-6.3/net-ipa-use-correct-value-for-ipa_status_size.patch b/queue-6.3/net-ipa-use-correct-value-for-ipa_status_size.patch new file mode 100644 index 00000000000..f42dbdedd39 --- /dev/null +++ b/queue-6.3/net-ipa-use-correct-value-for-ipa_status_size.patch @@ -0,0 +1,39 @@ +From b5b45aaff7447f407fe9f6e969186cf8a6452b69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:36:19 +0200 +Subject: net: ipa: Use correct value for IPA_STATUS_SIZE + +From: Bert Karwatzki + +[ Upstream commit be7f8012a513f5099916ee2da28420156cbb8cf3 ] + +IPA_STATUS_SIZE was introduced in commit b8dc7d0eea5a as a replacement +for the size of the removed struct ipa_status which had size +sizeof(__le32[8]). Use this value as IPA_STATUS_SIZE. + +Fixes: b8dc7d0eea5a ("net: ipa: stop using sizeof(status)") +Signed-off-by: Bert Karwatzki +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230531103618.102608-1-spasswolf@web.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/ipa_endpoint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ipa/ipa_endpoint.c b/drivers/net/ipa/ipa_endpoint.c +index 2ee80ed140b72..afa1d56d9095c 100644 +--- a/drivers/net/ipa/ipa_endpoint.c ++++ b/drivers/net/ipa/ipa_endpoint.c +@@ -119,7 +119,7 @@ enum ipa_status_field_id { + }; + + /* Size in bytes of an IPA packet status structure */ +-#define IPA_STATUS_SIZE sizeof(__le32[4]) ++#define IPA_STATUS_SIZE sizeof(__le32[8]) + + /* IPA status structure decoder; looks up field values for a structure */ + static u32 ipa_status_extract(struct ipa *ipa, const void *data, +-- +2.39.2 + diff --git a/queue-6.3/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch b/queue-6.3/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch new file mode 100644 index 00000000000..484ca6f2cf0 --- /dev/null +++ b/queue-6.3/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch @@ -0,0 +1,56 @@ +From daa8fbbb6c49f8d1fa22f87044a1be544b3e5b3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 21:49:08 +0200 +Subject: net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure + +From: Thomas Bogendoerfer + +[ Upstream commit d68cb7cf1fd0ef4287bc0ecd1ed0b6ae8e05fc70 ] + +Do skb_put() after a new skb has been successfully allocated otherwise +the reused skb leads to skb_panics or incorrect packet sizes. + +Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver") +Signed-off-by: Thomas Bogendoerfer +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230524194908.147145-1-tbogendoerfer@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c +index afa3b92a6905f..0d5a41a2ae010 100644 +--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c ++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c +@@ -245,12 +245,6 @@ static bool mlxbf_gige_rx_packet(struct mlxbf_gige *priv, int *rx_pkts) + + skb = priv->rx_skb[rx_pi_rem]; + +- skb_put(skb, datalen); +- +- skb->ip_summed = CHECKSUM_NONE; /* device did not checksum packet */ +- +- skb->protocol = eth_type_trans(skb, netdev); +- + /* Alloc another RX SKB for this same index */ + rx_skb = mlxbf_gige_alloc_skb(priv, MLXBF_GIGE_DEFAULT_BUF_SZ, + &rx_buf_dma, DMA_FROM_DEVICE); +@@ -259,6 +253,13 @@ static bool mlxbf_gige_rx_packet(struct mlxbf_gige *priv, int *rx_pkts) + priv->rx_skb[rx_pi_rem] = rx_skb; + dma_unmap_single(priv->dev, *rx_wqe_addr, + MLXBF_GIGE_DEFAULT_BUF_SZ, DMA_FROM_DEVICE); ++ ++ skb_put(skb, datalen); ++ ++ skb->ip_summed = CHECKSUM_NONE; /* device did not checksum packet */ ++ ++ skb->protocol = eth_type_trans(skb, netdev); ++ + *rx_wqe_addr = rx_buf_dma; + } else if (rx_cqe & MLXBF_GIGE_RX_CQE_PKT_STATUS_MAC_ERR) { + priv->stats.rx_mac_errors++; +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5-drain-health-before-unregistering-devlink.patch b/queue-6.3/net-mlx5-drain-health-before-unregistering-devlink.patch new file mode 100644 index 00000000000..18dbfcf6a48 --- /dev/null +++ b/queue-6.3/net-mlx5-drain-health-before-unregistering-devlink.patch @@ -0,0 +1,49 @@ +From 48a0f4c67ee466b34d547914b5b1b934b5d5ed13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 12:31:59 +0300 +Subject: net/mlx5: Drain health before unregistering devlink + +From: Shay Drory + +[ Upstream commit 824c8dc4a470040bf0e56ba716543839c2498d49 ] + +mlx5 health mechanism is using devlink APIs, which are using devlink +notify APIs. After the cited patch, using devlink notify APIs after +devlink is unregistered triggers a WARN_ON(). +Hence, drain health WQ before devlink is unregistered. + +Fixes: cf530217408e ("devlink: Notify users when objects are accessible") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 62327b52f1acf..504179dbff9dd 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1790,14 +1790,15 @@ static void remove_one(struct pci_dev *pdev) + struct devlink *devlink = priv_to_devlink(dev); + + set_bit(MLX5_BREAK_FW_WAIT, &dev->intf_state); +- /* mlx5_drain_fw_reset() is using devlink APIs. Hence, we must drain +- * fw_reset before unregistering the devlink. ++ /* mlx5_drain_fw_reset() and mlx5_drain_health_wq() are using ++ * devlink notify APIs. ++ * Hence, we must drain them before unregistering the devlink. + */ + mlx5_drain_fw_reset(dev); ++ mlx5_drain_health_wq(dev); + devlink_unregister(devlink); + mlx5_sriov_disable(pdev); + mlx5_crdump_disable(dev); +- mlx5_drain_health_wq(dev); + mlx5_uninit_one(dev); + mlx5_pci_close(dev); + mlx5_mdev_uninit(dev); +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5-fix-post-parse-infra-to-only-parse-every-ac.patch b/queue-6.3/net-mlx5-fix-post-parse-infra-to-only-parse-every-ac.patch new file mode 100644 index 00000000000..e02d717a9c2 --- /dev/null +++ b/queue-6.3/net-mlx5-fix-post-parse-infra-to-only-parse-every-ac.patch @@ -0,0 +1,116 @@ +From 89e0b715f5445677ffc0adb17481cbd90dd0b844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 14:48:52 +0200 +Subject: net/mlx5: Fix post parse infra to only parse every action once + +From: Vlad Buslov + +[ Upstream commit 5d862ec631f3d3cc3b4f8cdb5b9fc5879663f1d3 ] + +Caller of mlx5e_tc_act_post_parse() needs it to parse only the subset of +actions starting after previous split and ending at the current action. +However, that range is not provided as arguments and +mlx5e_tc_act_post_parse() uses generic flow_action_for_each() that iterates +over all flow actions. Not only this is redundant, it also causes a bug +when mlx5e_tc_act->post_parse() callback is not idempotent since it will be +called for every split. For example, ct action tc_act_post_parse_ct() +callback obtains a reference to mlx5_ct_ft instance and calling it several +times during parsing stage will cause reference counter imbalance. + +Fix the issue by providing a proper action range of the current split +subset to mlx5e_tc_act_post_parse() and only calling +mlx5e_tc_act->post_parse() for actions inside the subset range. + +Fixes: 8300f225268b ("net/mlx5e: Create new flow attr for multi table actions") +Signed-off-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c | 7 ++++++- + drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 8 +++++--- + 3 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c +index fc923a99b6a48..0380a04c3691c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c +@@ -84,7 +84,7 @@ mlx5e_tc_act_init_parse_state(struct mlx5e_tc_act_parse_state *parse_state, + + int + mlx5e_tc_act_post_parse(struct mlx5e_tc_act_parse_state *parse_state, +- struct flow_action *flow_action, ++ struct flow_action *flow_action, int from, int to, + struct mlx5_flow_attr *attr, + enum mlx5_flow_namespace_type ns_type) + { +@@ -96,6 +96,11 @@ mlx5e_tc_act_post_parse(struct mlx5e_tc_act_parse_state *parse_state, + priv = parse_state->flow->priv; + + flow_action_for_each(i, act, flow_action) { ++ if (i < from) ++ continue; ++ else if (i > to) ++ break; ++ + tc_act = mlx5e_tc_act_get(act->id, ns_type); + if (!tc_act || !tc_act->post_parse) + continue; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h +index d7615e329e6d9..84c78d5f5bed8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h +@@ -114,7 +114,7 @@ mlx5e_tc_act_init_parse_state(struct mlx5e_tc_act_parse_state *parse_state, + + int + mlx5e_tc_act_post_parse(struct mlx5e_tc_act_parse_state *parse_state, +- struct flow_action *flow_action, ++ struct flow_action *flow_action, int from, int to, + struct mlx5_flow_attr *attr, + enum mlx5_flow_namespace_type ns_type); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index a78e201fd883b..82b96196e97b7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -3975,8 +3975,8 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + struct mlx5_flow_attr *prev_attr; + struct flow_action_entry *act; + struct mlx5e_tc_act *tc_act; ++ int err, i, i_split = 0; + bool is_missable; +- int err, i; + + ns_type = mlx5e_get_flow_namespace(flow); + list_add(&attr->list, &flow->attrs); +@@ -4017,7 +4017,8 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + i < flow_action->num_entries - 1)) { + is_missable = tc_act->is_missable ? tc_act->is_missable(act) : false; + +- err = mlx5e_tc_act_post_parse(parse_state, flow_action, attr, ns_type); ++ err = mlx5e_tc_act_post_parse(parse_state, flow_action, i_split, i, attr, ++ ns_type); + if (err) + goto out_free_post_acts; + +@@ -4027,6 +4028,7 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + goto out_free_post_acts; + } + ++ i_split = i + 1; + list_add(&attr->list, &flow->attrs); + } + +@@ -4041,7 +4043,7 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + } + } + +- err = mlx5e_tc_act_post_parse(parse_state, flow_action, attr, ns_type); ++ err = mlx5e_tc_act_post_parse(parse_state, flow_action, i_split, i, attr, ns_type); + if (err) + goto out_free_post_acts; + +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5-fw_tracer-fix-event-handling.patch b/queue-6.3/net-mlx5-fw_tracer-fix-event-handling.patch new file mode 100644 index 00000000000..86d6b754372 --- /dev/null +++ b/queue-6.3/net-mlx5-fw_tracer-fix-event-handling.patch @@ -0,0 +1,40 @@ +From 853b8884d0e8c55ff71ffdb132571b9bf8fc9789 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 20:41:41 +0300 +Subject: net/mlx5: fw_tracer, Fix event handling + +From: Shay Drory + +[ Upstream commit 341a80de2468f481b1f771683709b5649cbfe513 ] + +mlx5 driver needs to parse traces with event_id inside the range of +first_string_trace and num_string_trace. However, mlx5 is parsing all +events with event_id >= first_string_trace. + +Fix it by checking for the correct range. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index f40497823e65f..7c0f2adbea000 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -490,7 +490,7 @@ static void poll_trace(struct mlx5_fw_tracer *tracer, + (u64)timestamp_low; + break; + default: +- if (tracer_event->event_id >= tracer->str_db.first_string_trace || ++ if (tracer_event->event_id >= tracer->str_db.first_string_trace && + tracer_event->event_id <= tracer->str_db.first_string_trace + + tracer->str_db.num_string_trace) { + tracer_event->type = TRACER_EVENT_TYPE_STRING; +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch b/queue-6.3/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch new file mode 100644 index 00000000000..56cd415d17d --- /dev/null +++ b/queue-6.3/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch @@ -0,0 +1,48 @@ +From de82f1a21bfcf72cf2b13261d478ab461f367986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Apr 2023 13:48:13 +0300 +Subject: net/mlx5: Read embedded cpu after init bit cleared + +From: Moshe Shemesh + +[ Upstream commit bbfa4b58997e3d38ba629c9f6fc0bd1c163aaf43 ] + +During driver load it reads embedded_cpu bit from initialization +segment, but the initialization segment is readable only after +initialization bit is cleared. + +Move the call to mlx5_read_embedded_cpu() right after initialization bit +cleared. + +Signed-off-by: Moshe Shemesh +Fixes: 591905ba9679 ("net/mlx5: Introduce Mellanox SmartNIC and modify page management logic") +Reviewed-by: Shay Drory +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 504179dbff9dd..9058fa8c5b657 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -913,7 +913,6 @@ static int mlx5_pci_init(struct mlx5_core_dev *dev, struct pci_dev *pdev, + } + + mlx5_pci_vsc_init(dev); +- dev->caps.embedded_cpu = mlx5_read_embedded_cpu(dev); + return 0; + + err_clr_master: +@@ -1147,6 +1146,7 @@ static int mlx5_function_setup(struct mlx5_core_dev *dev, bool boot, u64 timeout + goto err_cmd_cleanup; + } + ++ dev->caps.embedded_cpu = mlx5_read_embedded_cpu(dev); + mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_UP); + + mlx5_start_health_poll(dev); +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5-sf-drain-health-before-removing-device.patch b/queue-6.3/net-mlx5-sf-drain-health-before-removing-device.patch new file mode 100644 index 00000000000..0a31cc65c12 --- /dev/null +++ b/queue-6.3/net-mlx5-sf-drain-health-before-removing-device.patch @@ -0,0 +1,39 @@ +From cc1dfad10b31b4240d0df6b6f7066f00b3e372e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 12:46:06 +0300 +Subject: net/mlx5: SF, Drain health before removing device + +From: Shay Drory + +[ Upstream commit b4646da0573fae9dfa2b8f1f10936cb6eedd7230 ] + +There is no point in recovery during device removal. Also, if health +work started need to wait for it to avoid races and NULL pointer +access. + +Hence, drain health WQ before removing device. + +Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +index a7377619ba6f2..2424cdf9cca99 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +@@ -63,6 +63,7 @@ static void mlx5_sf_dev_remove(struct auxiliary_device *adev) + struct mlx5_sf_dev *sf_dev = container_of(adev, struct mlx5_sf_dev, adev); + struct devlink *devlink = priv_to_devlink(sf_dev->mdev); + ++ mlx5_drain_health_wq(sf_dev->mdev); + devlink_unregister(devlink); + mlx5_uninit_one(sf_dev->mdev); + iounmap(sf_dev->mdev->iseg); +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-consider-internal-buffers-size-in-port-buf.patch b/queue-6.3/net-mlx5e-consider-internal-buffers-size-in-port-buf.patch new file mode 100644 index 00000000000..c8d6461634e --- /dev/null +++ b/queue-6.3/net-mlx5e-consider-internal-buffers-size-in-port-buf.patch @@ -0,0 +1,208 @@ +From 45cf92784dad9e46e02723f2c7ae72aa159d2aae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 May 2023 17:31:40 +0300 +Subject: net/mlx5e: Consider internal buffers size in port buffer calculations + +From: Maher Sanalla + +[ Upstream commit 81fe2be062915e2a2fdc494c3cd90e946e946c25 ] + +Currently, when a user triggers a change in port buffer headroom +(buffers 0-7), the driver checks that the requested headroom does +not exceed the total port buffer size. However, this check does not +take into account the internal buffers (buffers 8-9), which are also +part of the total port buffer. This can result in treating invalid port +buffer change requests as valid, causing unintended changes to the shared +buffer. + +To address this, include the internal buffers size in the calculation of +available port buffer space which ensures that port buffer requests do not +exceed the correct limit. + +Furthermore, remove internal buffers (8-9) size from the total_size +calculation as these buffers are reserved for internal use and are not +exposed to the user. + +While at it, add verbosity to the debug prints in +mlx5e_port_query_buffer() function to ease future debugging. + +Fixes: ecdf2dadee8e ("net/mlx5e: Receive buffer support for DCBX") +Signed-off-by: Maher Sanalla +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en/port_buffer.c | 42 ++++++++++++------- + .../mellanox/mlx5/core/en/port_buffer.h | 8 ++-- + .../ethernet/mellanox/mlx5/core/en_dcbnl.c | 7 ++-- + 3 files changed, 36 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c +index 7ac1ad9c46de0..0d78527451bca 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c +@@ -51,7 +51,7 @@ int mlx5e_port_query_buffer(struct mlx5e_priv *priv, + if (err) + goto out; + +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) { ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) { + buffer = MLX5_ADDR_OF(pbmc_reg, out, buffer[i]); + port_buffer->buffer[i].lossy = + MLX5_GET(bufferx_reg, buffer, lossy); +@@ -73,14 +73,24 @@ int mlx5e_port_query_buffer(struct mlx5e_priv *priv, + port_buffer->buffer[i].lossy); + } + +- port_buffer->headroom_size = total_used; ++ port_buffer->internal_buffers_size = 0; ++ for (i = MLX5E_MAX_NETWORK_BUFFER; i < MLX5E_TOTAL_BUFFERS; i++) { ++ buffer = MLX5_ADDR_OF(pbmc_reg, out, buffer[i]); ++ port_buffer->internal_buffers_size += ++ MLX5_GET(bufferx_reg, buffer, size) * port_buff_cell_sz; ++ } ++ + port_buffer->port_buffer_size = + MLX5_GET(pbmc_reg, out, port_buffer_size) * port_buff_cell_sz; +- port_buffer->spare_buffer_size = +- port_buffer->port_buffer_size - total_used; +- +- mlx5e_dbg(HW, priv, "total buffer size=%d, spare buffer size=%d\n", +- port_buffer->port_buffer_size, ++ port_buffer->headroom_size = total_used; ++ port_buffer->spare_buffer_size = port_buffer->port_buffer_size - ++ port_buffer->internal_buffers_size - ++ port_buffer->headroom_size; ++ ++ mlx5e_dbg(HW, priv, ++ "total buffer size=%u, headroom buffer size=%u, internal buffers size=%u, spare buffer size=%u\n", ++ port_buffer->port_buffer_size, port_buffer->headroom_size, ++ port_buffer->internal_buffers_size, + port_buffer->spare_buffer_size); + out: + kfree(out); +@@ -206,11 +216,11 @@ static int port_update_pool_cfg(struct mlx5_core_dev *mdev, + if (!MLX5_CAP_GEN(mdev, sbcam_reg)) + return 0; + +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) + lossless_buff_count += ((port_buffer->buffer[i].size) && + (!(port_buffer->buffer[i].lossy))); + +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) { ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) { + p = select_sbcm_params(&port_buffer->buffer[i], lossless_buff_count); + err = mlx5e_port_set_sbcm(mdev, 0, i, + MLX5_INGRESS_DIR, +@@ -293,7 +303,7 @@ static int port_set_buffer(struct mlx5e_priv *priv, + if (err) + goto out; + +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) { ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) { + void *buffer = MLX5_ADDR_OF(pbmc_reg, in, buffer[i]); + u64 size = port_buffer->buffer[i].size; + u64 xoff = port_buffer->buffer[i].xoff; +@@ -351,7 +361,7 @@ static int update_xoff_threshold(struct mlx5e_port_buffer *port_buffer, + { + int i; + +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) { ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) { + if (port_buffer->buffer[i].lossy) { + port_buffer->buffer[i].xoff = 0; + port_buffer->buffer[i].xon = 0; +@@ -408,7 +418,7 @@ static int update_buffer_lossy(struct mlx5_core_dev *mdev, + int err; + int i; + +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) { ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) { + prio_count = 0; + lossy_count = 0; + +@@ -515,7 +525,7 @@ int mlx5e_port_manual_buffer_config(struct mlx5e_priv *priv, + + if (change & MLX5E_PORT_BUFFER_PRIO2BUFFER) { + update_prio2buffer = true; +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) + mlx5e_dbg(HW, priv, "%s: requested to map prio[%d] to buffer %d\n", + __func__, i, prio2buffer[i]); + +@@ -530,7 +540,7 @@ int mlx5e_port_manual_buffer_config(struct mlx5e_priv *priv, + } + + if (change & MLX5E_PORT_BUFFER_SIZE) { +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) { ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) { + mlx5e_dbg(HW, priv, "%s: buffer[%d]=%d\n", __func__, i, buffer_size[i]); + if (!port_buffer.buffer[i].lossy && !buffer_size[i]) { + mlx5e_dbg(HW, priv, "%s: lossless buffer[%d] size cannot be zero\n", +@@ -544,7 +554,9 @@ int mlx5e_port_manual_buffer_config(struct mlx5e_priv *priv, + + mlx5e_dbg(HW, priv, "%s: total buffer requested=%d\n", __func__, total_used); + +- if (total_used > port_buffer.port_buffer_size) ++ if (total_used > port_buffer.headroom_size && ++ (total_used - port_buffer.headroom_size) > ++ port_buffer.spare_buffer_size) + return -EINVAL; + + update_buffer = true; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h +index a6ef118de758f..f4a19ffbb641c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h +@@ -35,7 +35,8 @@ + #include "en.h" + #include "port.h" + +-#define MLX5E_MAX_BUFFER 8 ++#define MLX5E_MAX_NETWORK_BUFFER 8 ++#define MLX5E_TOTAL_BUFFERS 10 + #define MLX5E_DEFAULT_CABLE_LEN 7 /* 7 meters */ + + #define MLX5_BUFFER_SUPPORTED(mdev) (MLX5_CAP_GEN(mdev, pcam_reg) && \ +@@ -60,8 +61,9 @@ struct mlx5e_bufferx_reg { + struct mlx5e_port_buffer { + u32 port_buffer_size; + u32 spare_buffer_size; +- u32 headroom_size; +- struct mlx5e_bufferx_reg buffer[MLX5E_MAX_BUFFER]; ++ u32 headroom_size; /* Buffers 0-7 */ ++ u32 internal_buffers_size; /* Buffers 8-9 */ ++ struct mlx5e_bufferx_reg buffer[MLX5E_MAX_NETWORK_BUFFER]; + }; + + int mlx5e_port_manual_buffer_config(struct mlx5e_priv *priv, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c +index 89de92d064836..ebee52a8361aa 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c +@@ -926,9 +926,10 @@ static int mlx5e_dcbnl_getbuffer(struct net_device *dev, + if (err) + return err; + +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) + dcb_buffer->buffer_size[i] = port_buffer.buffer[i].size; +- dcb_buffer->total_size = port_buffer.port_buffer_size; ++ dcb_buffer->total_size = port_buffer.port_buffer_size - ++ port_buffer.internal_buffers_size; + + return 0; + } +@@ -970,7 +971,7 @@ static int mlx5e_dcbnl_setbuffer(struct net_device *dev, + if (err) + return err; + +- for (i = 0; i < MLX5E_MAX_BUFFER; i++) { ++ for (i = 0; i < MLX5E_MAX_NETWORK_BUFFER; i++) { + if (port_buffer.buffer[i].size != dcb_buffer->buffer_size[i]) { + changed |= MLX5E_PORT_BUFFER_SIZE; + buffer_size = dcb_buffer->buffer_size; +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-ct-use-per-action-stats.patch b/queue-6.3/net-mlx5e-ct-use-per-action-stats.patch new file mode 100644 index 00000000000..4c303d7a7a5 --- /dev/null +++ b/queue-6.3/net-mlx5e-ct-use-per-action-stats.patch @@ -0,0 +1,121 @@ +From a031d53063d83ea4a83c4566081344c0eb86739d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 19:11:07 +0200 +Subject: net/mlx5e: CT: Use per action stats + +From: Paul Blakey + +[ Upstream commit 13aca17b450e87a8de4e4a3b3ad454efbc576740 ] + +CT action can miss in a middle of an action list, use +per action stats to correctly report stats for missed +packets. + +Signed-off-by: Paul Blakey +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Stable-dep-of: 5d862ec631f3 ("net/mlx5: Fix post parse infra to only parse every action once") +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en/tc/act/act.h | 2 ++ + .../mellanox/mlx5/core/en/tc/act/ct.c | 9 ++++++++- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 19 +++++++++++++++++-- + 3 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h +index 8346557eeaf63..cdcddf6e1b08b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h +@@ -56,6 +56,8 @@ struct mlx5e_tc_act { + const struct flow_action_entry *act, + struct mlx5_flow_attr *attr); + ++ bool (*is_missable)(const struct flow_action_entry *act); ++ + int (*offload_action)(struct mlx5e_priv *priv, + struct flow_offload_action *fl_act, + struct flow_action_entry *act); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/ct.c +index a829c94289c10..fce1c0fd24535 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/ct.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/ct.c +@@ -95,10 +95,17 @@ tc_act_is_multi_table_act_ct(struct mlx5e_priv *priv, + return true; + } + ++static bool ++tc_act_is_missable_ct(const struct flow_action_entry *act) ++{ ++ return !(act->ct.action & TCA_CT_ACT_CLEAR); ++} ++ + struct mlx5e_tc_act mlx5e_tc_act_ct = { + .can_offload = tc_act_can_offload_ct, + .parse_action = tc_act_parse_ct, +- .is_multi_table_act = tc_act_is_multi_table_act_ct, + .post_parse = tc_act_post_parse_ct, ++ .is_multi_table_act = tc_act_is_multi_table_act_ct, ++ .is_missable = tc_act_is_missable_ct, + }; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index b5d23b159f345..82b76dcc05ac1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -3974,7 +3974,9 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + enum mlx5_flow_namespace_type ns_type; + struct mlx5e_priv *priv = flow->priv; + struct flow_action_entry *act, **_act; ++ struct mlx5_flow_attr *prev_attr; + struct mlx5e_tc_act *tc_act; ++ bool is_missable; + int err, i; + + flow_action_reorder.num_entries = flow_action->num_entries; +@@ -3991,6 +3993,9 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + flow_action_for_each(i, _act, &flow_action_reorder) { + jump_state.jump_target = false; + act = *_act; ++ is_missable = false; ++ prev_attr = attr; ++ + tc_act = mlx5e_tc_act_get(act->id, ns_type); + if (!tc_act) { + NL_SET_ERR_MSG_MOD(extack, "Not implemented offload action"); +@@ -4014,14 +4019,14 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + goto out_free; + + parse_state->actions |= attr->action; +- if (!tc_act->stats_action) +- attr->tc_act_cookies[attr->tc_act_cookies_count++] = act->cookie; + + /* Split attr for multi table act if not the last act. */ + if (jump_state.jump_target || + (tc_act->is_multi_table_act && + tc_act->is_multi_table_act(priv, act, attr) && + i < flow_action_reorder.num_entries - 1)) { ++ is_missable = tc_act->is_missable ? tc_act->is_missable(act) : false; ++ + err = mlx5e_tc_act_post_parse(parse_state, flow_action, attr, ns_type); + if (err) + goto out_free; +@@ -4034,6 +4039,16 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + + list_add(&attr->list, &flow->attrs); + } ++ ++ if (is_missable) { ++ /* Add counter to prev, and assign act to new (next) attr */ ++ prev_attr->action |= MLX5_FLOW_CONTEXT_ACTION_COUNT; ++ flow_flag_set(flow, USE_ACT_STATS); ++ ++ attr->tc_act_cookies[attr->tc_act_cookies_count++] = act->cookie; ++ } else if (!tc_act->stats_action) { ++ prev_attr->tc_act_cookies[prev_attr->tc_act_cookies_count++] = act->cookie; ++ } + } + + kfree(flow_action_reorder.entries); +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-do-not-update-sbcm-when-prio2buffer-comman.patch b/queue-6.3/net-mlx5e-do-not-update-sbcm-when-prio2buffer-comman.patch new file mode 100644 index 00000000000..7432451ea42 --- /dev/null +++ b/queue-6.3/net-mlx5e-do-not-update-sbcm-when-prio2buffer-comman.patch @@ -0,0 +1,50 @@ +From 5e4391b7467bd397371f7495d6a6dc2df920a236 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 17:56:01 +0300 +Subject: net/mlx5e: Do not update SBCM when prio2buffer command is invalid + +From: Maher Sanalla + +[ Upstream commit 623efc4cbd6115db36716e31037cb6d1f3ce6754 ] + +The shared buffer pools configuration which are stored in the SBCM +register are updated when the user changes the prio2buffer mapping. + +However, in case the user desired prio2buffer change is invalid, +which can occur due to mapping a lossless priority to a not large enough +buffer, the SBCM update should not be performed, as the user command is +failed. + +Thus, Perform the SBCM update only after xoff threshold calculation is +performed and the user prio2buffer mapping is validated. + +Fixes: a440030d8946 ("net/mlx5e: Update shared buffer along with device buffer changes") +Signed-off-by: Maher Sanalla +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c +index 0d78527451bca..7e8e96cc5cd08 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c +@@ -442,11 +442,11 @@ static int update_buffer_lossy(struct mlx5_core_dev *mdev, + } + + if (changed) { +- err = port_update_pool_cfg(mdev, port_buffer); ++ err = update_xoff_threshold(port_buffer, xoff, max_mtu, port_buff_cell_sz); + if (err) + return err; + +- err = update_xoff_threshold(port_buffer, xoff, max_mtu, port_buff_cell_sz); ++ err = port_update_pool_cfg(mdev, port_buffer); + if (err) + return err; + +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch b/queue-6.3/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch new file mode 100644 index 00000000000..234a0dead0f --- /dev/null +++ b/queue-6.3/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch @@ -0,0 +1,106 @@ +From 25693c3a71e565cad9a6e055c1d734e977d44dee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 14:39:24 +0300 +Subject: net/mlx5e: Don't attach netdev profile while handling internal error + +From: Dmytro Linkin + +[ Upstream commit bdf274750fca17b289404ef03453c4070725302c ] + +As part of switchdev mode disablement, driver changes port netdevice +profile from uplink to nic. If this process is triggered by health +recovery flow (PCI reset, for ex.) profile attach would fail because all +fw commands aborted when internal error flag is set. As a result, nic +netdevice profile is not attached and driver fails to rollback to uplink +profile, which leave driver in broken state and cause crash later. + +To handle broken state do netdevice profile initialization only instead +of full attachment and release mdev resources on driver suspend as +expected. Actual netdevice attachment is done during driver load. + +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Dmytro Linkin +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 35 ++++++++++++++++--- + 1 file changed, 31 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index ff579d7d8432c..a60610c7a7bb7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5798,8 +5798,8 @@ void mlx5e_detach_netdev(struct mlx5e_priv *priv) + } + + static int +-mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mdev, +- const struct mlx5e_profile *new_profile, void *new_ppriv) ++mlx5e_netdev_init_profile(struct net_device *netdev, struct mlx5_core_dev *mdev, ++ const struct mlx5e_profile *new_profile, void *new_ppriv) + { + struct mlx5e_priv *priv = netdev_priv(netdev); + int err; +@@ -5815,6 +5815,25 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde + err = new_profile->init(priv->mdev, priv->netdev); + if (err) + goto priv_cleanup; ++ ++ return 0; ++ ++priv_cleanup: ++ mlx5e_priv_cleanup(priv); ++ return err; ++} ++ ++static int ++mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mdev, ++ const struct mlx5e_profile *new_profile, void *new_ppriv) ++{ ++ struct mlx5e_priv *priv = netdev_priv(netdev); ++ int err; ++ ++ err = mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv); ++ if (err) ++ return err; ++ + err = mlx5e_attach_netdev(priv); + if (err) + goto profile_cleanup; +@@ -5822,7 +5841,6 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde + + profile_cleanup: + new_profile->cleanup(priv); +-priv_cleanup: + mlx5e_priv_cleanup(priv); + return err; + } +@@ -5841,6 +5859,12 @@ int mlx5e_netdev_change_profile(struct mlx5e_priv *priv, + priv->profile->cleanup(priv); + mlx5e_priv_cleanup(priv); + ++ if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) { ++ mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv); ++ set_bit(MLX5E_STATE_DESTROYING, &priv->state); ++ return -EIO; ++ } ++ + err = mlx5e_netdev_attach_profile(netdev, mdev, new_profile, new_ppriv); + if (err) { /* roll back to original profile */ + netdev_warn(netdev, "%s: new profile init failed, %d\n", __func__, err); +@@ -5902,8 +5926,11 @@ static int mlx5e_suspend(struct auxiliary_device *adev, pm_message_t state) + struct net_device *netdev = priv->netdev; + struct mlx5_core_dev *mdev = priv->mdev; + +- if (!netif_device_present(netdev)) ++ if (!netif_device_present(netdev)) { ++ if (test_bit(MLX5E_STATE_DESTROYING, &priv->state)) ++ mlx5e_destroy_mdev_resources(mdev); + return -ENODEV; ++ } + + mlx5e_detach_netdev(priv); + mlx5e_destroy_mdev_resources(mdev); +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-extract-remaining-tunnel-encap-code-to-ded.patch b/queue-6.3/net-mlx5e-extract-remaining-tunnel-encap-code-to-ded.patch new file mode 100644 index 00000000000..552615ba42f --- /dev/null +++ b/queue-6.3/net-mlx5e-extract-remaining-tunnel-encap-code-to-ded.patch @@ -0,0 +1,256 @@ +From 63fd8bc6042557b882154e28f491abae2d9ae275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 10:50:53 +0200 +Subject: net/mlx5e: Extract remaining tunnel encap code to dedicated file + +From: Chris Mi + +[ Upstream commit e2ab5aa11f191b54514f063a5b5c29f3559f4ab7 ] + +Move set_encap_dests() and clean_encap_dests() to the tunnel encap +dedicated file. And rename them to mlx5e_tc_tun_encap_dests_set() +and mlx5e_tc_tun_encap_dests_unset(). + +No functional change in this patch. It is needed in the next patch. + +Signed-off-by: Chris Mi +Signed-off-by: Saeed Mahameed +Stable-dep-of: 37c3b9fa7ccf ("net/mlx5e: Prevent encap offload when neigh update is running") +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en/tc_tun_encap.c | 83 +++++++++++++++++ + .../mellanox/mlx5/core/en/tc_tun_encap.h | 9 ++ + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 89 +------------------ + 3 files changed, 94 insertions(+), 87 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c +index fbb392d54fa51..7655526222570 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c +@@ -985,6 +985,89 @@ int mlx5e_attach_decap(struct mlx5e_priv *priv, + return err; + } + ++int mlx5e_tc_tun_encap_dests_set(struct mlx5e_priv *priv, ++ struct mlx5e_tc_flow *flow, ++ struct mlx5_flow_attr *attr, ++ struct netlink_ext_ack *extack, ++ bool *vf_tun) ++{ ++ struct mlx5e_tc_flow_parse_attr *parse_attr; ++ struct mlx5_esw_flow_attr *esw_attr; ++ struct net_device *encap_dev = NULL; ++ struct mlx5e_rep_priv *rpriv; ++ struct mlx5e_priv *out_priv; ++ int out_index; ++ int err = 0; ++ ++ if (!mlx5e_is_eswitch_flow(flow)) ++ return 0; ++ ++ parse_attr = attr->parse_attr; ++ esw_attr = attr->esw_attr; ++ *vf_tun = false; ++ ++ for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) { ++ struct net_device *out_dev; ++ int mirred_ifindex; ++ ++ if (!(esw_attr->dests[out_index].flags & MLX5_ESW_DEST_ENCAP)) ++ continue; ++ ++ mirred_ifindex = parse_attr->mirred_ifindex[out_index]; ++ out_dev = dev_get_by_index(dev_net(priv->netdev), mirred_ifindex); ++ if (!out_dev) { ++ NL_SET_ERR_MSG_MOD(extack, "Requested mirred device not found"); ++ err = -ENODEV; ++ goto out; ++ } ++ err = mlx5e_attach_encap(priv, flow, attr, out_dev, out_index, ++ extack, &encap_dev); ++ dev_put(out_dev); ++ if (err) ++ goto out; ++ ++ if (esw_attr->dests[out_index].flags & ++ MLX5_ESW_DEST_CHAIN_WITH_SRC_PORT_CHANGE && ++ !esw_attr->dest_int_port) ++ *vf_tun = true; ++ ++ out_priv = netdev_priv(encap_dev); ++ rpriv = out_priv->ppriv; ++ esw_attr->dests[out_index].rep = rpriv->rep; ++ esw_attr->dests[out_index].mdev = out_priv->mdev; ++ } ++ ++ if (*vf_tun && esw_attr->out_count > 1) { ++ NL_SET_ERR_MSG_MOD(extack, "VF tunnel encap with mirroring is not supported"); ++ err = -EOPNOTSUPP; ++ goto out; ++ } ++ ++out: ++ return err; ++} ++ ++void mlx5e_tc_tun_encap_dests_unset(struct mlx5e_priv *priv, ++ struct mlx5e_tc_flow *flow, ++ struct mlx5_flow_attr *attr) ++{ ++ struct mlx5_esw_flow_attr *esw_attr; ++ int out_index; ++ ++ if (!mlx5e_is_eswitch_flow(flow)) ++ return; ++ ++ esw_attr = attr->esw_attr; ++ ++ for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) { ++ if (!(esw_attr->dests[out_index].flags & MLX5_ESW_DEST_ENCAP)) ++ continue; ++ ++ mlx5e_detach_encap(flow->priv, flow, attr, out_index); ++ kfree(attr->parse_attr->tun_info[out_index]); ++ } ++} ++ + static int cmp_route_info(struct mlx5e_route_key *a, + struct mlx5e_route_key *b) + { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h +index 8ad273dde40ee..5d7d67687cbcd 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h +@@ -30,6 +30,15 @@ int mlx5e_attach_decap_route(struct mlx5e_priv *priv, + void mlx5e_detach_decap_route(struct mlx5e_priv *priv, + struct mlx5e_tc_flow *flow); + ++int mlx5e_tc_tun_encap_dests_set(struct mlx5e_priv *priv, ++ struct mlx5e_tc_flow *flow, ++ struct mlx5_flow_attr *attr, ++ struct netlink_ext_ack *extack, ++ bool *vf_tun); ++void mlx5e_tc_tun_encap_dests_unset(struct mlx5e_priv *priv, ++ struct mlx5e_tc_flow *flow, ++ struct mlx5_flow_attr *attr); ++ + struct ip_tunnel_info *mlx5e_dup_tun_info(const struct ip_tunnel_info *tun_info); + + int mlx5e_tc_set_attr_rx_tun(struct mlx5e_tc_flow *flow, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 3827dbc2b39c5..b5d23b159f345 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -1727,91 +1727,6 @@ int mlx5e_tc_query_route_vport(struct net_device *out_dev, struct net_device *ro + return mlx5_eswitch_vhca_id_to_vport(esw, vhca_id, vport); + } + +-static int +-set_encap_dests(struct mlx5e_priv *priv, +- struct mlx5e_tc_flow *flow, +- struct mlx5_flow_attr *attr, +- struct netlink_ext_ack *extack, +- bool *vf_tun) +-{ +- struct mlx5e_tc_flow_parse_attr *parse_attr; +- struct mlx5_esw_flow_attr *esw_attr; +- struct net_device *encap_dev = NULL; +- struct mlx5e_rep_priv *rpriv; +- struct mlx5e_priv *out_priv; +- int out_index; +- int err = 0; +- +- if (!mlx5e_is_eswitch_flow(flow)) +- return 0; +- +- parse_attr = attr->parse_attr; +- esw_attr = attr->esw_attr; +- *vf_tun = false; +- +- for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) { +- struct net_device *out_dev; +- int mirred_ifindex; +- +- if (!(esw_attr->dests[out_index].flags & MLX5_ESW_DEST_ENCAP)) +- continue; +- +- mirred_ifindex = parse_attr->mirred_ifindex[out_index]; +- out_dev = dev_get_by_index(dev_net(priv->netdev), mirred_ifindex); +- if (!out_dev) { +- NL_SET_ERR_MSG_MOD(extack, "Requested mirred device not found"); +- err = -ENODEV; +- goto out; +- } +- err = mlx5e_attach_encap(priv, flow, attr, out_dev, out_index, +- extack, &encap_dev); +- dev_put(out_dev); +- if (err) +- goto out; +- +- if (esw_attr->dests[out_index].flags & +- MLX5_ESW_DEST_CHAIN_WITH_SRC_PORT_CHANGE && +- !esw_attr->dest_int_port) +- *vf_tun = true; +- +- out_priv = netdev_priv(encap_dev); +- rpriv = out_priv->ppriv; +- esw_attr->dests[out_index].rep = rpriv->rep; +- esw_attr->dests[out_index].mdev = out_priv->mdev; +- } +- +- if (*vf_tun && esw_attr->out_count > 1) { +- NL_SET_ERR_MSG_MOD(extack, "VF tunnel encap with mirroring is not supported"); +- err = -EOPNOTSUPP; +- goto out; +- } +- +-out: +- return err; +-} +- +-static void +-clean_encap_dests(struct mlx5e_priv *priv, +- struct mlx5e_tc_flow *flow, +- struct mlx5_flow_attr *attr) +-{ +- struct mlx5_esw_flow_attr *esw_attr; +- int out_index; +- +- if (!mlx5e_is_eswitch_flow(flow)) +- return; +- +- esw_attr = attr->esw_attr; +- +- for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) { +- if (!(esw_attr->dests[out_index].flags & MLX5_ESW_DEST_ENCAP)) +- continue; +- +- mlx5e_detach_encap(priv, flow, attr, out_index); +- kfree(attr->parse_attr->tun_info[out_index]); +- } +-} +- + static int + verify_attr_actions(u32 actions, struct netlink_ext_ack *extack) + { +@@ -1848,7 +1763,7 @@ post_process_attr(struct mlx5e_tc_flow *flow, + if (err) + goto err_out; + +- err = set_encap_dests(flow->priv, flow, attr, extack, &vf_tun); ++ err = mlx5e_tc_tun_encap_dests_set(flow->priv, flow, attr, extack, &vf_tun); + if (err) + goto err_out; + +@@ -4439,7 +4354,7 @@ mlx5_free_flow_attr_actions(struct mlx5e_tc_flow *flow, struct mlx5_flow_attr *a + if (attr->post_act_handle) + mlx5e_tc_post_act_del(get_post_action(flow->priv), attr->post_act_handle); + +- clean_encap_dests(flow->priv, flow, attr); ++ mlx5e_tc_tun_encap_dests_unset(flow->priv, flow, attr); + + if (attr->action & MLX5_FLOW_CONTEXT_ACTION_COUNT) + mlx5_fc_destroy(counter_dev, attr->counter); +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch b/queue-6.3/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch new file mode 100644 index 00000000000..ade4f3d3c26 --- /dev/null +++ b/queue-6.3/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch @@ -0,0 +1,58 @@ +From b1e204313ec92424f40e5859a6aca77bad39b575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 23:07:08 -0700 +Subject: net/mlx5e: Fix error handling in mlx5e_refresh_tirs + +From: Saeed Mahameed + +[ Upstream commit b6193d7030e3c59f1d4c75648c9c8fa40cad2bcd ] + +Allocation failure is outside the critical lock section and should +return immediately rather than jumping to the unlock section. + +Also unlock as soon as required and remove the now redundant jump label. + +Fixes: 80a2a9026b24 ("net/mlx5e: Add a lock on tir list") +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c +index 993af4c12d909..21cd232c2c20c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c +@@ -149,10 +149,8 @@ int mlx5e_refresh_tirs(struct mlx5e_priv *priv, bool enable_uc_lb, + + inlen = MLX5_ST_SZ_BYTES(modify_tir_in); + in = kvzalloc(inlen, GFP_KERNEL); +- if (!in) { +- err = -ENOMEM; +- goto out; +- } ++ if (!in) ++ return -ENOMEM; + + if (enable_uc_lb) + lb_flags = MLX5_TIRC_SELF_LB_BLOCK_BLOCK_UNICAST; +@@ -170,14 +168,13 @@ int mlx5e_refresh_tirs(struct mlx5e_priv *priv, bool enable_uc_lb, + tirn = tir->tirn; + err = mlx5_core_modify_tir(mdev, tirn, in); + if (err) +- goto out; ++ break; + } ++ mutex_unlock(&mdev->mlx5e_res.hw_objs.td.list_lock); + +-out: + kvfree(in); + if (err) + netdev_err(priv->netdev, "refresh tir(0x%x) failed, %d\n", tirn, err); +- mutex_unlock(&mdev->mlx5e_res.hw_objs.td.list_lock); + + return err; + } +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-move-ethernet-driver-debugfs-to-profile-in.patch b/queue-6.3/net-mlx5e-move-ethernet-driver-debugfs-to-profile-in.patch new file mode 100644 index 00000000000..62e5fb53b5f --- /dev/null +++ b/queue-6.3/net-mlx5e-move-ethernet-driver-debugfs-to-profile-in.patch @@ -0,0 +1,117 @@ +From 504f388101c8f7da67c468d5aa04458a8b3e2cee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 02:28:02 +0000 +Subject: net/mlx5e: Move Ethernet driver debugfs to profile init callback + +From: Jianbo Liu + +[ Upstream commit c4c24fc30cc417ace332ceceaba4f70f81dcd521 ] + +As priv->dfs_root is cleared, and therefore missed, when change +eswitch mode, move the creation of the root debugfs to the init +callback of mlx5e_nic_profile and mlx5e_uplink_rep_profile, and +the destruction to the cleanup callback for symmeter. + +Fixes: 288eca60cc31 ("net/mlx5e: Add Ethernet driver debugfs") +Signed-off-by: Jianbo Liu +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++++----- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 6 ++++++ + 2 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index a60610c7a7bb7..7c72bed7f81aa 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5226,12 +5226,16 @@ static int mlx5e_nic_init(struct mlx5_core_dev *mdev, + + mlx5e_timestamp_init(priv); + ++ priv->dfs_root = debugfs_create_dir("nic", ++ mlx5_debugfs_get_dev_root(mdev)); ++ + fs = mlx5e_fs_init(priv->profile, mdev, + !test_bit(MLX5E_STATE_DESTROYING, &priv->state), + priv->dfs_root); + if (!fs) { + err = -ENOMEM; + mlx5_core_err(mdev, "FS initialization failed, %d\n", err); ++ debugfs_remove_recursive(priv->dfs_root); + return err; + } + priv->fs = fs; +@@ -5252,6 +5256,7 @@ static void mlx5e_nic_cleanup(struct mlx5e_priv *priv) + mlx5e_health_destroy_reporters(priv); + mlx5e_ktls_cleanup(priv); + mlx5e_fs_cleanup(priv->fs); ++ debugfs_remove_recursive(priv->dfs_root); + priv->fs = NULL; + } + +@@ -5976,9 +5981,6 @@ static int mlx5e_probe(struct auxiliary_device *adev, + priv->profile = profile; + priv->ppriv = NULL; + +- priv->dfs_root = debugfs_create_dir("nic", +- mlx5_debugfs_get_dev_root(priv->mdev)); +- + err = profile->init(mdev, netdev); + if (err) { + mlx5_core_err(mdev, "mlx5e_nic_profile init failed, %d\n", err); +@@ -6007,7 +6009,6 @@ static int mlx5e_probe(struct auxiliary_device *adev, + err_profile_cleanup: + profile->cleanup(priv); + err_destroy_netdev: +- debugfs_remove_recursive(priv->dfs_root); + mlx5e_destroy_netdev(priv); + err_devlink_port_unregister: + mlx5e_devlink_port_unregister(mlx5e_dev); +@@ -6027,7 +6028,6 @@ static void mlx5e_remove(struct auxiliary_device *adev) + unregister_netdev(priv->netdev); + mlx5e_suspend(adev, state); + priv->profile->cleanup(priv); +- debugfs_remove_recursive(priv->dfs_root); + mlx5e_destroy_netdev(priv); + mlx5e_devlink_port_unregister(mlx5e_dev); + mlx5e_destroy_devlink(mlx5e_dev); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 6e18d91c3d766..992f3f9c11925 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -30,6 +30,7 @@ + * SOFTWARE. + */ + ++#include + #include + #include + #include +@@ -811,11 +812,15 @@ static int mlx5e_init_ul_rep(struct mlx5_core_dev *mdev, + { + struct mlx5e_priv *priv = netdev_priv(netdev); + ++ priv->dfs_root = debugfs_create_dir("nic", ++ mlx5_debugfs_get_dev_root(mdev)); ++ + priv->fs = mlx5e_fs_init(priv->profile, mdev, + !test_bit(MLX5E_STATE_DESTROYING, &priv->state), + priv->dfs_root); + if (!priv->fs) { + netdev_err(priv->netdev, "FS allocation failed\n"); ++ debugfs_remove_recursive(priv->dfs_root); + return -ENOMEM; + } + +@@ -828,6 +833,7 @@ static int mlx5e_init_ul_rep(struct mlx5_core_dev *mdev, + static void mlx5e_cleanup_rep(struct mlx5e_priv *priv) + { + mlx5e_fs_cleanup(priv->fs); ++ debugfs_remove_recursive(priv->dfs_root); + priv->fs = NULL; + } + +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-prevent-encap-offload-when-neigh-update-is.patch b/queue-6.3/net-mlx5e-prevent-encap-offload-when-neigh-update-is.patch new file mode 100644 index 00000000000..17af5ca3a7f --- /dev/null +++ b/queue-6.3/net-mlx5e-prevent-encap-offload-when-neigh-update-is.patch @@ -0,0 +1,198 @@ +From 115fe3910afb2eaa3eff25def8429161dac971c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Feb 2023 04:41:41 +0200 +Subject: net/mlx5e: Prevent encap offload when neigh update is running + +From: Chris Mi + +[ Upstream commit 37c3b9fa7ccf5caad6d87ba4d42bf00be46be1cf ] + +The cited commit adds a compeletion to remove dependency on rtnl +lock. But it causes a deadlock for multiple encapsulations: + + crash> bt ffff8aece8a64000 + PID: 1514557 TASK: ffff8aece8a64000 CPU: 3 COMMAND: "tc" + #0 [ffffa6d14183f368] __schedule at ffffffffb8ba7f45 + #1 [ffffa6d14183f3f8] schedule at ffffffffb8ba8418 + #2 [ffffa6d14183f418] schedule_preempt_disabled at ffffffffb8ba8898 + #3 [ffffa6d14183f428] __mutex_lock at ffffffffb8baa7f8 + #4 [ffffa6d14183f4d0] mutex_lock_nested at ffffffffb8baabeb + #5 [ffffa6d14183f4e0] mlx5e_attach_encap at ffffffffc0f48c17 [mlx5_core] + #6 [ffffa6d14183f628] mlx5e_tc_add_fdb_flow at ffffffffc0f39680 [mlx5_core] + #7 [ffffa6d14183f688] __mlx5e_add_fdb_flow at ffffffffc0f3b636 [mlx5_core] + #8 [ffffa6d14183f6f0] mlx5e_tc_add_flow at ffffffffc0f3bcdf [mlx5_core] + #9 [ffffa6d14183f728] mlx5e_configure_flower at ffffffffc0f3c1d1 [mlx5_core] + #10 [ffffa6d14183f790] mlx5e_rep_setup_tc_cls_flower at ffffffffc0f3d529 [mlx5_core] + #11 [ffffa6d14183f7a0] mlx5e_rep_setup_tc_cb at ffffffffc0f3d714 [mlx5_core] + #12 [ffffa6d14183f7b0] tc_setup_cb_add at ffffffffb8931bb8 + #13 [ffffa6d14183f810] fl_hw_replace_filter at ffffffffc0dae901 [cls_flower] + #14 [ffffa6d14183f8d8] fl_change at ffffffffc0db5c57 [cls_flower] + #15 [ffffa6d14183f970] tc_new_tfilter at ffffffffb8936047 + #16 [ffffa6d14183fac8] rtnetlink_rcv_msg at ffffffffb88c7c31 + #17 [ffffa6d14183fb50] netlink_rcv_skb at ffffffffb8942853 + #18 [ffffa6d14183fbc0] rtnetlink_rcv at ffffffffb88c1835 + #19 [ffffa6d14183fbd0] netlink_unicast at ffffffffb8941f27 + #20 [ffffa6d14183fc18] netlink_sendmsg at ffffffffb8942245 + #21 [ffffa6d14183fc98] sock_sendmsg at ffffffffb887d482 + #22 [ffffa6d14183fcb8] ____sys_sendmsg at ffffffffb887d81a + #23 [ffffa6d14183fd38] ___sys_sendmsg at ffffffffb88806e2 + #24 [ffffa6d14183fe90] __sys_sendmsg at ffffffffb88807a2 + #25 [ffffa6d14183ff28] __x64_sys_sendmsg at ffffffffb888080f + #26 [ffffa6d14183ff38] do_syscall_64 at ffffffffb8b9b6a8 + #27 [ffffa6d14183ff50] entry_SYSCALL_64_after_hwframe at ffffffffb8c0007c + crash> bt 0xffff8aeb07544000 + PID: 1110766 TASK: ffff8aeb07544000 CPU: 0 COMMAND: "kworker/u20:9" + #0 [ffffa6d14e6b7bd8] __schedule at ffffffffb8ba7f45 + #1 [ffffa6d14e6b7c68] schedule at ffffffffb8ba8418 + #2 [ffffa6d14e6b7c88] schedule_timeout at ffffffffb8baef88 + #3 [ffffa6d14e6b7d10] wait_for_completion at ffffffffb8ba968b + #4 [ffffa6d14e6b7d60] mlx5e_take_all_encap_flows at ffffffffc0f47ec4 [mlx5_core] + #5 [ffffa6d14e6b7da0] mlx5e_rep_update_flows at ffffffffc0f3e734 [mlx5_core] + #6 [ffffa6d14e6b7df8] mlx5e_rep_neigh_update at ffffffffc0f400bb [mlx5_core] + #7 [ffffa6d14e6b7e50] process_one_work at ffffffffb80acc9c + #8 [ffffa6d14e6b7ed0] worker_thread at ffffffffb80ad012 + #9 [ffffa6d14e6b7f10] kthread at ffffffffb80b615d + #10 [ffffa6d14e6b7f50] ret_from_fork at ffffffffb8001b2f + +After the first encap is attached, flow will be added to encap +entry's flows list. If neigh update is running at this time, the +following encaps of the flow can't hold the encap_tbl_lock and +sleep. If neigh update thread is waiting for that flow's init_done, +deadlock happens. + +Fix it by holding lock outside of the for loop. If neigh update is +running, prevent encap flows from offloading. Since the lock is held +outside of the for loop, concurrent creation of encap entries is not +allowed. So remove unnecessary wait_for_completion call for res_ready. + +Fixes: 95435ad7999b ("net/mlx5e: Only access fully initialized flows in neigh update") +Signed-off-by: Chris Mi +Reviewed-by: Roi Dayan +Reviewed-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en/tc_tun_encap.c | 37 ++++++++++--------- + 1 file changed, 20 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c +index 7655526222570..bbab164eab546 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c +@@ -492,6 +492,19 @@ void mlx5e_encap_put(struct mlx5e_priv *priv, struct mlx5e_encap_entry *e) + mlx5e_encap_dealloc(priv, e); + } + ++static void mlx5e_encap_put_locked(struct mlx5e_priv *priv, struct mlx5e_encap_entry *e) ++{ ++ struct mlx5_eswitch *esw = priv->mdev->priv.eswitch; ++ ++ lockdep_assert_held(&esw->offloads.encap_tbl_lock); ++ ++ if (!refcount_dec_and_test(&e->refcnt)) ++ return; ++ list_del(&e->route_list); ++ hash_del_rcu(&e->encap_hlist); ++ mlx5e_encap_dealloc(priv, e); ++} ++ + static void mlx5e_decap_put(struct mlx5e_priv *priv, struct mlx5e_decap_entry *d) + { + struct mlx5_eswitch *esw = priv->mdev->priv.eswitch; +@@ -785,6 +798,8 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv, + uintptr_t hash_key; + int err = 0; + ++ lockdep_assert_held(&esw->offloads.encap_tbl_lock); ++ + parse_attr = attr->parse_attr; + tun_info = parse_attr->tun_info[out_index]; + mpls_info = &parse_attr->mpls_info[out_index]; +@@ -798,7 +813,6 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv, + + hash_key = hash_encap_info(&key); + +- mutex_lock(&esw->offloads.encap_tbl_lock); + e = mlx5e_encap_get(priv, &key, hash_key); + + /* must verify if encap is valid or not */ +@@ -809,15 +823,6 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv, + goto out_err; + } + +- mutex_unlock(&esw->offloads.encap_tbl_lock); +- wait_for_completion(&e->res_ready); +- +- /* Protect against concurrent neigh update. */ +- mutex_lock(&esw->offloads.encap_tbl_lock); +- if (e->compl_result < 0) { +- err = -EREMOTEIO; +- goto out_err; +- } + goto attach_flow; + } + +@@ -846,15 +851,12 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv, + INIT_LIST_HEAD(&e->flows); + hash_add_rcu(esw->offloads.encap_tbl, &e->encap_hlist, hash_key); + tbl_time_before = mlx5e_route_tbl_get_last_update(priv); +- mutex_unlock(&esw->offloads.encap_tbl_lock); + + if (family == AF_INET) + err = mlx5e_tc_tun_create_header_ipv4(priv, mirred_dev, e); + else if (family == AF_INET6) + err = mlx5e_tc_tun_create_header_ipv6(priv, mirred_dev, e); + +- /* Protect against concurrent neigh update. */ +- mutex_lock(&esw->offloads.encap_tbl_lock); + complete_all(&e->res_ready); + if (err) { + e->compl_result = err; +@@ -889,18 +891,15 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv, + } else { + flow_flag_set(flow, SLOW); + } +- mutex_unlock(&esw->offloads.encap_tbl_lock); + + return err; + + out_err: +- mutex_unlock(&esw->offloads.encap_tbl_lock); + if (e) +- mlx5e_encap_put(priv, e); ++ mlx5e_encap_put_locked(priv, e); + return err; + + out_err_init: +- mutex_unlock(&esw->offloads.encap_tbl_lock); + kfree(tun_info); + kfree(e); + return err; +@@ -996,6 +995,7 @@ int mlx5e_tc_tun_encap_dests_set(struct mlx5e_priv *priv, + struct net_device *encap_dev = NULL; + struct mlx5e_rep_priv *rpriv; + struct mlx5e_priv *out_priv; ++ struct mlx5_eswitch *esw; + int out_index; + int err = 0; + +@@ -1006,6 +1006,8 @@ int mlx5e_tc_tun_encap_dests_set(struct mlx5e_priv *priv, + esw_attr = attr->esw_attr; + *vf_tun = false; + ++ esw = priv->mdev->priv.eswitch; ++ mutex_lock(&esw->offloads.encap_tbl_lock); + for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) { + struct net_device *out_dev; + int mirred_ifindex; +@@ -1044,6 +1046,7 @@ int mlx5e_tc_tun_encap_dests_set(struct mlx5e_priv *priv, + } + + out: ++ mutex_unlock(&esw->offloads.encap_tbl_lock); + return err; + } + +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-tc-move-main-flow-attribute-cleanup-to-hel.patch b/queue-6.3/net-mlx5e-tc-move-main-flow-attribute-cleanup-to-hel.patch new file mode 100644 index 00000000000..cadf84490fd --- /dev/null +++ b/queue-6.3/net-mlx5e-tc-move-main-flow-attribute-cleanup-to-hel.patch @@ -0,0 +1,110 @@ +From cdb7ea421cc23ee01f80e288975c55f5cc7e34cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 11:54:22 +0200 +Subject: net/mlx5e: TC, Move main flow attribute cleanup to helper func + +From: Paul Blakey + +[ Upstream commit a830ec485e8368a29e328d08e2eb28750bbc483f ] + +Actions that can be setup per flow attribute (so per split rule) +are cleaned up from mlx5_free_flow_attr(), mlx5e_tc_del_fdb_flow(), +and free_flow_post_acts(). + +Remove the duplication by re-using the helper function for +the main flow attribute and split rules attributes. + +Signed-off-by: Paul Blakey +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Stable-dep-of: 37c3b9fa7ccf ("net/mlx5e: Prevent encap offload when neigh update is running") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 27 +++++++------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index d9e651d33f8b8..3827dbc2b39c5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -183,7 +183,8 @@ static struct lock_class_key tc_ht_wq_key; + + static void mlx5e_put_flow_tunnel_id(struct mlx5e_tc_flow *flow); + static void free_flow_post_acts(struct mlx5e_tc_flow *flow); +-static void mlx5_free_flow_attr(struct mlx5e_tc_flow *flow, struct mlx5_flow_attr *attr); ++static void mlx5_free_flow_attr_actions(struct mlx5e_tc_flow *flow, ++ struct mlx5_flow_attr *attr); + + void + mlx5e_tc_match_to_reg_match(struct mlx5_flow_spec *spec, +@@ -2028,7 +2029,7 @@ static void free_branch_attr(struct mlx5e_tc_flow *flow, struct mlx5_flow_attr * + if (!attr) + return; + +- mlx5_free_flow_attr(flow, attr); ++ mlx5_free_flow_attr_actions(flow, attr); + kvfree(attr->parse_attr); + kfree(attr); + } +@@ -2060,18 +2061,8 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv, + if (flow->decap_route) + mlx5e_detach_decap_route(priv, flow); + +- clean_encap_dests(priv, flow, attr); +- + mlx5_tc_ct_match_del(get_ct_priv(priv), &flow->attr->ct_attr); + +- if (attr->action & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR) { +- mlx5e_mod_hdr_dealloc(&attr->parse_attr->mod_hdr_acts); +- mlx5e_tc_detach_mod_hdr(priv, flow, attr); +- } +- +- if (attr->action & MLX5_FLOW_CONTEXT_ACTION_COUNT) +- mlx5_fc_destroy(esw_attr->counter_dev, attr->counter); +- + if (esw_attr->int_port) + mlx5e_tc_int_port_put(mlx5e_get_int_port_priv(priv), esw_attr->int_port); + +@@ -2084,8 +2075,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv, + mlx5e_tc_act_stats_del_flow(get_act_stats_handle(priv), flow); + + free_flow_post_acts(flow); +- free_branch_attr(flow, attr->branch_true); +- free_branch_attr(flow, attr->branch_false); ++ mlx5_free_flow_attr_actions(flow, attr); + + kvfree(attr->esw_attr->rx_tun_attr); + kvfree(attr->parse_attr); +@@ -3804,9 +3794,7 @@ free_flow_post_acts(struct mlx5e_tc_flow *flow) + if (list_is_last(&attr->list, &flow->attrs)) + break; + +- mlx5_free_flow_attr(flow, attr); +- free_branch_attr(flow, attr->branch_true); +- free_branch_attr(flow, attr->branch_false); ++ mlx5_free_flow_attr_actions(flow, attr); + + list_del(&attr->list); + kvfree(attr->parse_attr); +@@ -4441,7 +4429,7 @@ mlx5_alloc_flow_attr(enum mlx5_flow_namespace_type type) + } + + static void +-mlx5_free_flow_attr(struct mlx5e_tc_flow *flow, struct mlx5_flow_attr *attr) ++mlx5_free_flow_attr_actions(struct mlx5e_tc_flow *flow, struct mlx5_flow_attr *attr) + { + struct mlx5_core_dev *counter_dev = get_flow_counter_dev(flow); + +@@ -4460,6 +4448,9 @@ mlx5_free_flow_attr(struct mlx5e_tc_flow *flow, struct mlx5_flow_attr *attr) + mlx5e_mod_hdr_dealloc(&attr->parse_attr->mod_hdr_acts); + mlx5e_tc_detach_mod_hdr(flow->priv, flow, attr); + } ++ ++ free_branch_attr(flow, attr->branch_true); ++ free_branch_attr(flow, attr->branch_false); + } + + static int +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-tc-remove-ct-action-reordering.patch b/queue-6.3/net-mlx5e-tc-remove-ct-action-reordering.patch new file mode 100644 index 00000000000..6cf450f86c5 --- /dev/null +++ b/queue-6.3/net-mlx5e-tc-remove-ct-action-reordering.patch @@ -0,0 +1,186 @@ +From 5fcf3c4eff209575a3b61ecd09aa4ad9db1bc3ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Dec 2022 16:53:56 +0200 +Subject: net/mlx5e: TC, Remove CT action reordering + +From: Paul Blakey + +[ Upstream commit 67efaf45930df662111acf7c706d545c83f83999 ] + +CT action reordering was done as a workaround when CT misses +used to restore the relevant filter's tc chain and continuing sw processing +from that chain. As such, there was a need to reorder CT action to be before +any packet modifying actions (e.g mac rewrite). + +Currently (after patch "net/mlx5e: TC, Set CT miss to the specific ct +action instance"), CT misses continues from the relevant ct action in +software, and so reordering isn't needed anymore. + +Remove the reordering. + +Signed-off-by: Paul Blakey +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Stable-dep-of: 5d862ec631f3 ("net/mlx5: Fix post parse infra to only parse every action once") +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en/tc/act/act.c | 20 ------------ + .../mellanox/mlx5/core/en/tc/act/act.h | 4 --- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 32 ++++++------------- + 3 files changed, 9 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c +index eba0c86989263..fc923a99b6a48 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.c +@@ -82,26 +82,6 @@ mlx5e_tc_act_init_parse_state(struct mlx5e_tc_act_parse_state *parse_state, + parse_state->flow_action = flow_action; + } + +-void +-mlx5e_tc_act_reorder_flow_actions(struct flow_action *flow_action, +- struct mlx5e_tc_flow_action *flow_action_reorder) +-{ +- struct flow_action_entry *act; +- int i, j = 0; +- +- flow_action_for_each(i, act, flow_action) { +- /* Add CT action to be first. */ +- if (act->id == FLOW_ACTION_CT) +- flow_action_reorder->entries[j++] = act; +- } +- +- flow_action_for_each(i, act, flow_action) { +- if (act->id == FLOW_ACTION_CT) +- continue; +- flow_action_reorder->entries[j++] = act; +- } +-} +- + int + mlx5e_tc_act_post_parse(struct mlx5e_tc_act_parse_state *parse_state, + struct flow_action *flow_action, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h +index cdcddf6e1b08b..d7615e329e6d9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/act.h +@@ -112,10 +112,6 @@ mlx5e_tc_act_init_parse_state(struct mlx5e_tc_act_parse_state *parse_state, + struct flow_action *flow_action, + struct netlink_ext_ack *extack); + +-void +-mlx5e_tc_act_reorder_flow_actions(struct flow_action *flow_action, +- struct mlx5e_tc_flow_action *flow_action_reorder); +- + int + mlx5e_tc_act_post_parse(struct mlx5e_tc_act_parse_state *parse_state, + struct flow_action *flow_action, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 82b76dcc05ac1..a78e201fd883b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -3967,32 +3967,22 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + struct flow_action *flow_action) + { + struct netlink_ext_ack *extack = parse_state->extack; +- struct mlx5e_tc_flow_action flow_action_reorder; + struct mlx5e_tc_flow *flow = parse_state->flow; + struct mlx5e_tc_jump_state jump_state = {}; + struct mlx5_flow_attr *attr = flow->attr; + enum mlx5_flow_namespace_type ns_type; + struct mlx5e_priv *priv = flow->priv; +- struct flow_action_entry *act, **_act; + struct mlx5_flow_attr *prev_attr; ++ struct flow_action_entry *act; + struct mlx5e_tc_act *tc_act; + bool is_missable; + int err, i; + +- flow_action_reorder.num_entries = flow_action->num_entries; +- flow_action_reorder.entries = kcalloc(flow_action->num_entries, +- sizeof(flow_action), GFP_KERNEL); +- if (!flow_action_reorder.entries) +- return -ENOMEM; +- +- mlx5e_tc_act_reorder_flow_actions(flow_action, &flow_action_reorder); +- + ns_type = mlx5e_get_flow_namespace(flow); + list_add(&attr->list, &flow->attrs); + +- flow_action_for_each(i, _act, &flow_action_reorder) { ++ flow_action_for_each(i, act, flow_action) { + jump_state.jump_target = false; +- act = *_act; + is_missable = false; + prev_attr = attr; + +@@ -4000,23 +3990,23 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + if (!tc_act) { + NL_SET_ERR_MSG_MOD(extack, "Not implemented offload action"); + err = -EOPNOTSUPP; +- goto out_free; ++ goto out_free_post_acts; + } + + if (!tc_act->can_offload(parse_state, act, i, attr)) { + err = -EOPNOTSUPP; +- goto out_free; ++ goto out_free_post_acts; + } + + err = tc_act->parse_action(parse_state, act, priv, attr); + if (err) +- goto out_free; ++ goto out_free_post_acts; + + dec_jump_count(act, tc_act, attr, priv, &jump_state); + + err = parse_branch_ctrl(act, tc_act, flow, attr, &jump_state, extack); + if (err) +- goto out_free; ++ goto out_free_post_acts; + + parse_state->actions |= attr->action; + +@@ -4024,17 +4014,17 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + if (jump_state.jump_target || + (tc_act->is_multi_table_act && + tc_act->is_multi_table_act(priv, act, attr) && +- i < flow_action_reorder.num_entries - 1)) { ++ i < flow_action->num_entries - 1)) { + is_missable = tc_act->is_missable ? tc_act->is_missable(act) : false; + + err = mlx5e_tc_act_post_parse(parse_state, flow_action, attr, ns_type); + if (err) +- goto out_free; ++ goto out_free_post_acts; + + attr = mlx5e_clone_flow_attr_for_post_act(flow->attr, ns_type); + if (!attr) { + err = -ENOMEM; +- goto out_free; ++ goto out_free_post_acts; + } + + list_add(&attr->list, &flow->attrs); +@@ -4051,8 +4041,6 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + } + } + +- kfree(flow_action_reorder.entries); +- + err = mlx5e_tc_act_post_parse(parse_state, flow_action, attr, ns_type); + if (err) + goto out_free_post_acts; +@@ -4063,8 +4051,6 @@ parse_tc_actions(struct mlx5e_tc_act_parse_state *parse_state, + + return 0; + +-out_free: +- kfree(flow_action_reorder.entries); + out_free_post_acts: + free_flow_post_acts(flow); + +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-tc-remove-unused-vf_tun-variable.patch b/queue-6.3/net-mlx5e-tc-remove-unused-vf_tun-variable.patch new file mode 100644 index 00000000000..d67ef193f28 --- /dev/null +++ b/queue-6.3/net-mlx5e-tc-remove-unused-vf_tun-variable.patch @@ -0,0 +1,89 @@ +From 7aa79dd7cb41ee6686481b72068e0e0fe205d4d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 12:04:58 +0200 +Subject: net/mlx5e: TC, Remove unused vf_tun variable + +From: Paul Blakey + +[ Upstream commit 7195d9a0c8df0ab78c9d7a587809d16b00432426 ] + +vf_tun is being assigned but never being used so remove it. + +Signed-off-by: Paul Blakey +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Stable-dep-of: 37c3b9fa7ccf ("net/mlx5e: Prevent encap offload when neigh update is running") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 53acd9a8a4c35..d9e651d33f8b8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -1792,8 +1792,7 @@ set_encap_dests(struct mlx5e_priv *priv, + static void + clean_encap_dests(struct mlx5e_priv *priv, + struct mlx5e_tc_flow *flow, +- struct mlx5_flow_attr *attr, +- bool *vf_tun) ++ struct mlx5_flow_attr *attr) + { + struct mlx5_esw_flow_attr *esw_attr; + int out_index; +@@ -1802,17 +1801,11 @@ clean_encap_dests(struct mlx5e_priv *priv, + return; + + esw_attr = attr->esw_attr; +- *vf_tun = false; + + for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) { + if (!(esw_attr->dests[out_index].flags & MLX5_ESW_DEST_ENCAP)) + continue; + +- if (esw_attr->dests[out_index].flags & +- MLX5_ESW_DEST_CHAIN_WITH_SRC_PORT_CHANGE && +- !esw_attr->dest_int_port) +- *vf_tun = true; +- + mlx5e_detach_encap(priv, flow, attr, out_index); + kfree(attr->parse_attr->tun_info[out_index]); + } +@@ -2046,7 +2039,6 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv, + struct mlx5_eswitch *esw = priv->mdev->priv.eswitch; + struct mlx5_flow_attr *attr = flow->attr; + struct mlx5_esw_flow_attr *esw_attr; +- bool vf_tun; + + esw_attr = attr->esw_attr; + mlx5e_put_flow_tunnel_id(flow); +@@ -2068,7 +2060,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv, + if (flow->decap_route) + mlx5e_detach_decap_route(priv, flow); + +- clean_encap_dests(priv, flow, attr, &vf_tun); ++ clean_encap_dests(priv, flow, attr); + + mlx5_tc_ct_match_del(get_ct_priv(priv), &flow->attr->ct_attr); + +@@ -4452,7 +4444,6 @@ static void + mlx5_free_flow_attr(struct mlx5e_tc_flow *flow, struct mlx5_flow_attr *attr) + { + struct mlx5_core_dev *counter_dev = get_flow_counter_dev(flow); +- bool vf_tun; + + if (!attr) + return; +@@ -4460,7 +4451,7 @@ mlx5_free_flow_attr(struct mlx5e_tc_flow *flow, struct mlx5_flow_attr *attr) + if (attr->post_act_handle) + mlx5e_tc_post_act_del(get_post_action(flow->priv), attr->post_act_handle); + +- clean_encap_dests(flow->priv, flow, attr, &vf_tun); ++ clean_encap_dests(flow->priv, flow, attr); + + if (attr->action & MLX5_FLOW_CONTEXT_ACTION_COUNT) + mlx5_fc_destroy(counter_dev, attr->counter); +-- +2.39.2 + diff --git a/queue-6.3/net-mlx5e-use-query_special_contexts-cmd-only-once-p.patch b/queue-6.3/net-mlx5e-use-query_special_contexts-cmd-only-once-p.patch new file mode 100644 index 00000000000..eaad1fdd677 --- /dev/null +++ b/queue-6.3/net-mlx5e-use-query_special_contexts-cmd-only-once-p.patch @@ -0,0 +1,145 @@ +From e2dac0d053e37b9842eb731e403a8ab96dab86c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 15:48:30 +0300 +Subject: net/mlx5e: Use query_special_contexts cmd only once per mdev + +From: Dragos Tatulea + +[ Upstream commit 1db1f21caebbb1b6e9b1e7657df613616be3fb49 ] + +Don't query the firmware so many times (num rqs * num wqes * wqe frags) +because it slows down linearly the interface creation time when the +product is larger. Do it only once per mdev and store the result in +mlx5e_param. + +Due to helper function being called from different files, move it to +an appropriate location. Rename the function with a proper prefix and +add a small cleanup. + +This fix applies only for legacy rq. + +Fixes: 1b1e4868836a ("net/mlx5e: Use query_special_contexts for mkeys") +Signed-off-by: Dragos Tatulea +Reviewed-by: Or Har-Toov +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 1 + + .../net/ethernet/mellanox/mlx5/core/en_main.c | 24 +++---------------- + drivers/net/ethernet/mellanox/mlx5/core/mr.c | 21 ++++++++++++++++ + include/linux/mlx5/driver.h | 1 + + 4 files changed, 26 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 4a19ef4a98110..5ee90a394fff9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -327,6 +327,7 @@ struct mlx5e_params { + unsigned int sw_mtu; + int hard_mtu; + bool ptp_rx; ++ __be32 terminate_lkey_be; + }; + + static inline u8 mlx5e_get_dcb_num_tc(struct mlx5e_params *params) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 579c2d217fdc6..ff579d7d8432c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -668,26 +668,6 @@ static void mlx5e_rq_free_shampo(struct mlx5e_rq *rq) + mlx5e_rq_shampo_hd_free(rq); + } + +-static __be32 mlx5e_get_terminate_scatter_list_mkey(struct mlx5_core_dev *dev) +-{ +- u32 out[MLX5_ST_SZ_DW(query_special_contexts_out)] = {}; +- u32 in[MLX5_ST_SZ_DW(query_special_contexts_in)] = {}; +- int res; +- +- if (!MLX5_CAP_GEN(dev, terminate_scatter_list_mkey)) +- return MLX5_TERMINATE_SCATTER_LIST_LKEY; +- +- MLX5_SET(query_special_contexts_in, in, opcode, +- MLX5_CMD_OP_QUERY_SPECIAL_CONTEXTS); +- res = mlx5_cmd_exec_inout(dev, query_special_contexts, in, out); +- if (res) +- return MLX5_TERMINATE_SCATTER_LIST_LKEY; +- +- res = MLX5_GET(query_special_contexts_out, out, +- terminate_scatter_list_mkey); +- return cpu_to_be32(res); +-} +- + static int mlx5e_alloc_rq(struct mlx5e_params *params, + struct mlx5e_xsk_param *xsk, + struct mlx5e_rq_param *rqp, +@@ -852,7 +832,7 @@ static int mlx5e_alloc_rq(struct mlx5e_params *params, + /* check if num_frags is not a pow of two */ + if (rq->wqe.info.num_frags < (1 << rq->wqe.info.log_num_frags)) { + wqe->data[f].byte_count = 0; +- wqe->data[f].lkey = mlx5e_get_terminate_scatter_list_mkey(mdev); ++ wqe->data[f].lkey = params->terminate_lkey_be; + wqe->data[f].addr = 0; + } + } +@@ -4973,6 +4953,8 @@ void mlx5e_build_nic_params(struct mlx5e_priv *priv, struct mlx5e_xsk *xsk, u16 + /* RQ */ + mlx5e_build_rq_params(mdev, params); + ++ params->terminate_lkey_be = mlx5_core_get_terminate_scatter_list_mkey(mdev); ++ + params->packet_merge.timeout = mlx5e_choose_lro_timeout(mdev, MLX5E_DEFAULT_LRO_TIMEOUT); + + /* CQ moderation params */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mr.c b/drivers/net/ethernet/mellanox/mlx5/core/mr.c +index 9d735c343a3b8..678f0be813752 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/mr.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/mr.c +@@ -32,6 +32,7 @@ + + #include + #include ++#include + #include "mlx5_core.h" + + int mlx5_core_create_mkey(struct mlx5_core_dev *dev, u32 *mkey, u32 *in, +@@ -122,3 +123,23 @@ int mlx5_core_destroy_psv(struct mlx5_core_dev *dev, int psv_num) + return mlx5_cmd_exec_in(dev, destroy_psv, in); + } + EXPORT_SYMBOL(mlx5_core_destroy_psv); ++ ++__be32 mlx5_core_get_terminate_scatter_list_mkey(struct mlx5_core_dev *dev) ++{ ++ u32 out[MLX5_ST_SZ_DW(query_special_contexts_out)] = {}; ++ u32 in[MLX5_ST_SZ_DW(query_special_contexts_in)] = {}; ++ u32 mkey; ++ ++ if (!MLX5_CAP_GEN(dev, terminate_scatter_list_mkey)) ++ return MLX5_TERMINATE_SCATTER_LIST_LKEY; ++ ++ MLX5_SET(query_special_contexts_in, in, opcode, ++ MLX5_CMD_OP_QUERY_SPECIAL_CONTEXTS); ++ if (mlx5_cmd_exec_inout(dev, query_special_contexts, in, out)) ++ return MLX5_TERMINATE_SCATTER_LIST_LKEY; ++ ++ mkey = MLX5_GET(query_special_contexts_out, out, ++ terminate_scatter_list_mkey); ++ return cpu_to_be32(mkey); ++} ++EXPORT_SYMBOL(mlx5_core_get_terminate_scatter_list_mkey); +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 7e225e41d55b8..68a3183d5d589 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1088,6 +1088,7 @@ void mlx5_cmdif_debugfs_cleanup(struct mlx5_core_dev *dev); + int mlx5_core_create_psv(struct mlx5_core_dev *dev, u32 pdn, + int npsvs, u32 *sig_index); + int mlx5_core_destroy_psv(struct mlx5_core_dev *dev, int psv_num); ++__be32 mlx5_core_get_terminate_scatter_list_mkey(struct mlx5_core_dev *dev); + void mlx5_core_put_rsc(struct mlx5_core_rsc_common *common); + int mlx5_query_odp_caps(struct mlx5_core_dev *dev, + struct mlx5_odp_caps *odp_caps); +-- +2.39.2 + diff --git a/queue-6.3/net-netlink-fix-netlink_list_memberships-length-repo.patch b/queue-6.3/net-netlink-fix-netlink_list_memberships-length-repo.patch new file mode 100644 index 00000000000..24626fe68f0 --- /dev/null +++ b/queue-6.3/net-netlink-fix-netlink_list_memberships-length-repo.patch @@ -0,0 +1,40 @@ +From 399b933f63796b13b3fce8340382ce041fc25ff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:33:35 -0300 +Subject: net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report + +From: Pedro Tammela + +[ Upstream commit f4e4534850a9d18c250a93f8d7fbb51310828110 ] + +The current code for the length calculation wrongly truncates the reported +length of the groups array, causing an under report of the subscribed +groups. To fix this, use 'BITS_TO_BYTES()' which rounds up the +division by 8. + +Fixes: b42be38b2778 ("netlink: add API to retrieve all group memberships") +Signed-off-by: Pedro Tammela +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230529153335.389815-1-pctammela@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 45d47b39de225..717e27a4b66a0 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1779,7 +1779,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname, + break; + } + } +- if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen)) ++ if (put_user(ALIGN(BITS_TO_BYTES(nlk->ngroups), sizeof(u32)), optlen)) + err = -EFAULT; + netlink_unlock_table(); + return err; +-- +2.39.2 + diff --git a/queue-6.3/net-phy-mxl-gpy-extend-interrupt-fix-to-all-impacted.patch b/queue-6.3/net-phy-mxl-gpy-extend-interrupt-fix-to-all-impacted.patch new file mode 100644 index 00000000000..528f8f58ab9 --- /dev/null +++ b/queue-6.3/net-phy-mxl-gpy-extend-interrupt-fix-to-all-impacted.patch @@ -0,0 +1,67 @@ +From ddcdd531bee72bf770edd1950bf608069ac9d317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 15:48:22 +0800 +Subject: net: phy: mxl-gpy: extend interrupt fix to all impacted variants + +From: Xu Liang + +[ Upstream commit 519d6487640835d19461817c75907e6308074a73 ] + +The interrupt fix in commit 97a89ed101bb should be applied on all variants +of GPY2xx PHY and GPY115C. + +Fixes: 97a89ed101bb ("net: phy: mxl-gpy: disable interrupts on GPY215 by default") +Signed-off-by: Xu Liang +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230531074822.39136-1-lxu@maxlinear.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mxl-gpy.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/phy/mxl-gpy.c b/drivers/net/phy/mxl-gpy.c +index e5972b4ef6e8f..4041ebd7ad9b3 100644 +--- a/drivers/net/phy/mxl-gpy.c ++++ b/drivers/net/phy/mxl-gpy.c +@@ -267,13 +267,6 @@ static int gpy_config_init(struct phy_device *phydev) + return ret < 0 ? ret : 0; + } + +-static bool gpy_has_broken_mdint(struct phy_device *phydev) +-{ +- /* At least these PHYs are known to have broken interrupt handling */ +- return phydev->drv->phy_id == PHY_ID_GPY215B || +- phydev->drv->phy_id == PHY_ID_GPY215C; +-} +- + static int gpy_probe(struct phy_device *phydev) + { + struct device *dev = &phydev->mdio.dev; +@@ -293,8 +286,7 @@ static int gpy_probe(struct phy_device *phydev) + phydev->priv = priv; + mutex_init(&priv->mbox_lock); + +- if (gpy_has_broken_mdint(phydev) && +- !device_property_present(dev, "maxlinear,use-broken-interrupts")) ++ if (!device_property_present(dev, "maxlinear,use-broken-interrupts")) + phydev->dev_flags |= PHY_F_NO_IRQ; + + fw_version = phy_read(phydev, PHY_FWV); +@@ -652,11 +644,9 @@ static irqreturn_t gpy_handle_interrupt(struct phy_device *phydev) + * frame. Therefore, polling is the best we can do and won't do any more + * harm. + * It was observed that this bug happens on link state and link speed +- * changes on a GPY215B and GYP215C independent of the firmware version +- * (which doesn't mean that this list is exhaustive). ++ * changes independent of the firmware version. + */ +- if (gpy_has_broken_mdint(phydev) && +- (reg & (PHY_IMASK_LSTC | PHY_IMASK_LSPC))) { ++ if (reg & (PHY_IMASK_LSTC | PHY_IMASK_LSPC)) { + reg = gpy_mbox_read(phydev, REG_GPIO0_OUT); + if (reg < 0) { + phy_error(phydev); +-- +2.39.2 + diff --git a/queue-6.3/net-renesas-rswitch-fix-return-value-in-error-path-o.patch b/queue-6.3/net-renesas-rswitch-fix-return-value-in-error-path-o.patch new file mode 100644 index 00000000000..6d21040495e --- /dev/null +++ b/queue-6.3/net-renesas-rswitch-fix-return-value-in-error-path-o.patch @@ -0,0 +1,37 @@ +From 860707a00dc904e17c461ae4a63b8aa70f7dcdfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 16:38:17 +0900 +Subject: net: renesas: rswitch: Fix return value in error path of xmit + +From: Yoshihiro Shimoda + +[ Upstream commit a60caf039e96d806b1ced893242bae82ba3ccf0d ] + +Fix return value in the error path of rswitch_start_xmit(). If TX +queues are full, this function should return NETDEV_TX_BUSY. + +Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/20230529073817.1145208-1-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index c4f93d24c6a42..7855d9ef81eb1 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -1487,7 +1487,7 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd + + if (rswitch_get_num_cur_queues(gq) >= gq->ring_size - 1) { + netif_stop_subqueue(ndev, 0); +- return ret; ++ return NETDEV_TX_BUSY; + } + + if (skb_put_padto(skb, ETH_ZLEN)) +-- +2.39.2 + diff --git a/queue-6.3/net-sched-fix-null-pointer-dereference-in-mq_attach.patch b/queue-6.3/net-sched-fix-null-pointer-dereference-in-mq_attach.patch new file mode 100644 index 00000000000..8c403c9d9be --- /dev/null +++ b/queue-6.3/net-sched-fix-null-pointer-dereference-in-mq_attach.patch @@ -0,0 +1,93 @@ +From bf83f2073f1c39a0115d4b563a54d6d5bc22a984 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 17:37:47 +0800 +Subject: net: sched: fix NULL pointer dereference in mq_attach + +From: Zhengchao Shao + +[ Upstream commit 36eec020fab668719b541f34d97f44e232ffa165 ] + +When use the following command to test: +1)ip link add bond0 type bond +2)ip link set bond0 up +3)tc qdisc add dev bond0 root handle ffff: mq +4)tc qdisc replace dev bond0 parent ffff:fff1 handle ffff: mq + +The kernel reports NULL pointer dereference issue. The stack information +is as follows: +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +Internal error: Oops: 0000000096000006 [#1] SMP +Modules linked in: +pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : mq_attach+0x44/0xa0 +lr : qdisc_graft+0x20c/0x5cc +sp : ffff80000e2236a0 +x29: ffff80000e2236a0 x28: ffff0000c0e59d80 x27: ffff0000c0be19c0 +x26: ffff0000cae3e800 x25: 0000000000000010 x24: 00000000fffffff1 +x23: 0000000000000000 x22: ffff0000cae3e800 x21: ffff0000c9df4000 +x20: ffff0000c9df4000 x19: 0000000000000000 x18: ffff80000a934000 +x17: ffff8000f5b56000 x16: ffff80000bb08000 x15: 0000000000000000 +x14: 0000000000000000 x13: 6b6b6b6b6b6b6b6b x12: 6b6b6b6b00000001 +x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 +x8 : ffff0000c0be0730 x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008 +x5 : ffff0000cae3e864 x4 : 0000000000000000 x3 : 0000000000000001 +x2 : 0000000000000001 x1 : ffff8000090bc23c x0 : 0000000000000000 +Call trace: +mq_attach+0x44/0xa0 +qdisc_graft+0x20c/0x5cc +tc_modify_qdisc+0x1c4/0x664 +rtnetlink_rcv_msg+0x354/0x440 +netlink_rcv_skb+0x64/0x144 +rtnetlink_rcv+0x28/0x34 +netlink_unicast+0x1e8/0x2a4 +netlink_sendmsg+0x308/0x4a0 +sock_sendmsg+0x64/0xac +____sys_sendmsg+0x29c/0x358 +___sys_sendmsg+0x90/0xd0 +__sys_sendmsg+0x7c/0xd0 +__arm64_sys_sendmsg+0x2c/0x38 +invoke_syscall+0x54/0x114 +el0_svc_common.constprop.1+0x90/0x174 +do_el0_svc+0x3c/0xb0 +el0_svc+0x24/0xec +el0t_64_sync_handler+0x90/0xb4 +el0t_64_sync+0x174/0x178 + +This is because when mq is added for the first time, qdiscs in mq is set +to NULL in mq_attach(). Therefore, when replacing mq after adding mq, we +need to initialize qdiscs in the mq before continuing to graft. Otherwise, +it will couse NULL pointer dereference issue in mq_attach(). And the same +issue will occur in the attach functions of mqprio, taprio and htb. +ffff:fff1 means that the repalce qdisc is ingress. Ingress does not allow +any qdisc to be attached. Therefore, ffff:fff1 is incorrectly used, and +the command should be dropped. + +Fixes: 6ec1c69a8f64 ("net_sched: add classful multiqueue dummy scheduler") +Signed-off-by: Zhengchao Shao +Tested-by: Peilin Ye +Acked-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230527093747.3583502-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index a686d7cae5130..7045b67b5533e 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1604,6 +1604,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Qdisc parent/child loop detected"); + return -ELOOP; + } ++ if (clid == TC_H_INGRESS) { ++ NL_SET_ERR_MSG(extack, "Ingress cannot graft directly"); ++ return -EINVAL; ++ } + qdisc_refcount_inc(q); + goto graft; + } else { +-- +2.39.2 + diff --git a/queue-6.3/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch b/queue-6.3/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch new file mode 100644 index 00000000000..0e681d6a16b --- /dev/null +++ b/queue-6.3/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch @@ -0,0 +1,43 @@ +From ce87e67f4e51d2d5d7fdb549a843ea6ed68877db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 18:28:04 +0800 +Subject: net/sched: flower: fix possible OOB write in fl_set_geneve_opt() + +From: Hangyu Hua + +[ Upstream commit 4d56304e5827c8cc8cc18c75343d283af7c4825c ] + +If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total +size is 252 bytes(key->enc_opts.len = 252) then +key->enc_opts.len = opt->length = data_len / 4 = 0 when the third +TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This +bypasses the next bounds check and results in an out-of-bounds. + +Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") +Signed-off-by: Hangyu Hua +Reviewed-by: Simon Horman +Reviewed-by: Pieter Jansen van Vuuren +Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index a1c4ee2e0be22..fd5dc47cb2134 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -1153,6 +1153,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, + if (option_len > sizeof(struct geneve_opt)) + data_len = option_len - sizeof(struct geneve_opt); + ++ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) ++ return -ERANGE; ++ + opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; + memset(opt, 0xff, option_len); + opt->length = data_len / 4; +-- +2.39.2 + diff --git a/queue-6.3/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch b/queue-6.3/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch new file mode 100644 index 00000000000..ee50f329e86 --- /dev/null +++ b/queue-6.3/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch @@ -0,0 +1,60 @@ +From 8dcd9d036367380e78a86d64ef8d9b256b2588d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:54:26 -0700 +Subject: net/sched: Prohibit regrafting ingress or clsact Qdiscs + +From: Peilin Ye + +[ Upstream commit 9de95df5d15baa956c2b70b9e794842e790a8a13 ] + +Currently, after creating an ingress (or clsact) Qdisc and grafting it +under TC_H_INGRESS (TC_H_CLSACT), it is possible to graft it again under +e.g. a TBF Qdisc: + + $ ip link add ifb0 type ifb + $ tc qdisc add dev ifb0 handle 1: root tbf rate 20kbit buffer 1600 limit 3000 + $ tc qdisc add dev ifb0 clsact + $ tc qdisc link dev ifb0 handle ffff: parent 1:1 + $ tc qdisc show dev ifb0 + qdisc tbf 1: root refcnt 2 rate 20Kbit burst 1600b lat 560.0ms + qdisc clsact ffff: parent ffff:fff1 refcnt 2 + ^^^^^^^^ + +clsact's refcount has increased: it is now grafted under both +TC_H_CLSACT and 1:1. + +ingress and clsact Qdiscs should only be used under TC_H_INGRESS +(TC_H_CLSACT). Prohibit regrafting them. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") +Tested-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Vlad Buslov +Signed-off-by: Peilin Ye +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index b7c230f9c5b19..a686d7cae5130 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1594,6 +1594,11 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Invalid qdisc name"); + return -EINVAL; + } ++ if (q->flags & TCQ_F_INGRESS) { ++ NL_SET_ERR_MSG(extack, ++ "Cannot regraft ingress or clsact Qdiscs"); ++ return -EINVAL; ++ } + if (q == p || + (p && check_loop(q, p, 0))) { + NL_SET_ERR_MSG(extack, "Qdisc parent/child loop detected"); +-- +2.39.2 + diff --git a/queue-6.3/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch b/queue-6.3/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch new file mode 100644 index 00000000000..2258159cadc --- /dev/null +++ b/queue-6.3/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch @@ -0,0 +1,87 @@ +From 046c27ed4786d66bbbb7f157675d87975cc8989c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:54:03 -0700 +Subject: net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) + Qdiscs + +From: Peilin Ye + +[ Upstream commit f85fa45d4a9408d98c46c8fa45ba2e3b2f4bf219 ] + +Currently it is possible to add e.g. an HTB Qdisc under ffff:fff1 +(TC_H_INGRESS, TC_H_CLSACT): + + $ ip link add name ifb0 type ifb + $ tc qdisc add dev ifb0 parent ffff:fff1 htb + $ tc qdisc add dev ifb0 clsact + Error: Exclusivity flag on, cannot modify. + $ drgn + ... + >>> ifb0 = netdev_get_by_name(prog, "ifb0") + >>> qdisc = ifb0.ingress_queue.qdisc_sleeping + >>> print(qdisc.ops.id.string_().decode()) + htb + >>> qdisc.flags.value_() # TCQ_F_INGRESS + 2 + +Only allow ingress and clsact Qdiscs under ffff:fff1. Return -EINVAL +for everything else. Make TCQ_F_INGRESS a static flag of ingress and +clsact Qdiscs. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") +Tested-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Vlad Buslov +Signed-off-by: Peilin Ye +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 7 ++++++- + net/sched/sch_ingress.c | 4 ++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index aba789c30a2eb..b7c230f9c5b19 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1250,7 +1250,12 @@ static struct Qdisc *qdisc_create(struct net_device *dev, + sch->parent = parent; + + if (handle == TC_H_INGRESS) { +- sch->flags |= TCQ_F_INGRESS; ++ if (!(sch->flags & TCQ_F_INGRESS)) { ++ NL_SET_ERR_MSG(extack, ++ "Specified parent ID is reserved for ingress and clsact Qdiscs"); ++ err = -EINVAL; ++ goto err_out3; ++ } + handle = TC_H_MAKE(TC_H_INGRESS, 0); + } else { + if (handle == 0) { +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index 35963929e1178..e43a454993723 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -140,7 +140,7 @@ static struct Qdisc_ops ingress_qdisc_ops __read_mostly = { + .cl_ops = &ingress_class_ops, + .id = "ingress", + .priv_size = sizeof(struct ingress_sched_data), +- .static_flags = TCQ_F_CPUSTATS, ++ .static_flags = TCQ_F_INGRESS | TCQ_F_CPUSTATS, + .init = ingress_init, + .destroy = ingress_destroy, + .dump = ingress_dump, +@@ -281,7 +281,7 @@ static struct Qdisc_ops clsact_qdisc_ops __read_mostly = { + .cl_ops = &clsact_class_ops, + .id = "clsact", + .priv_size = sizeof(struct clsact_sched_data), +- .static_flags = TCQ_F_CPUSTATS, ++ .static_flags = TCQ_F_INGRESS | TCQ_F_CPUSTATS, + .init = clsact_init, + .destroy = clsact_destroy, + .dump = ingress_dump, +-- +2.39.2 + diff --git a/queue-6.3/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch b/queue-6.3/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch new file mode 100644 index 00000000000..2deab31aa3a --- /dev/null +++ b/queue-6.3/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch @@ -0,0 +1,52 @@ +From 39eed55c2234a4fa2a474ca6095f198d1c636a59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:53:21 -0700 +Subject: net/sched: sch_clsact: Only create under TC_H_CLSACT + +From: Peilin Ye + +[ Upstream commit 5eeebfe6c493192b10d516abfd72742900f2a162 ] + +clsact Qdiscs are only supposed to be created under TC_H_CLSACT (which +equals TC_H_INGRESS). Return -EOPNOTSUPP if 'parent' is not +TC_H_CLSACT. + +Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") +Tested-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Vlad Buslov +Signed-off-by: Peilin Ye +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_ingress.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index f9ef6deb27709..35963929e1178 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -225,6 +225,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt, + struct net_device *dev = qdisc_dev(sch); + int err; + ++ if (sch->parent != TC_H_CLSACT) ++ return -EOPNOTSUPP; ++ + net_inc_ingress_queue(); + net_inc_egress_queue(); + +@@ -254,6 +257,9 @@ static void clsact_destroy(struct Qdisc *sch) + { + struct clsact_sched_data *q = qdisc_priv(sch); + ++ if (sch->parent != TC_H_CLSACT) ++ return; ++ + tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info); + tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info); + +-- +2.39.2 + diff --git a/queue-6.3/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch b/queue-6.3/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch new file mode 100644 index 00000000000..3b84799713d --- /dev/null +++ b/queue-6.3/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch @@ -0,0 +1,54 @@ +From 0182c862482d80ad5d0e04100197bb6a05533ff2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:52:55 -0700 +Subject: net/sched: sch_ingress: Only create under TC_H_INGRESS + +From: Peilin Ye + +[ Upstream commit c7cfbd115001f94de9e4053657946a383147e803 ] + +ingress Qdiscs are only supposed to be created under TC_H_INGRESS. +Return -EOPNOTSUPP if 'parent' is not TC_H_INGRESS, similar to +mq_init(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+b53a9c0d1ea4ad62da8b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/0000000000006cf87705f79acf1a@google.com/ +Tested-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Vlad Buslov +Signed-off-by: Peilin Ye +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_ingress.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index 84838128b9c5b..f9ef6deb27709 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -80,6 +80,9 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt, + struct net_device *dev = qdisc_dev(sch); + int err; + ++ if (sch->parent != TC_H_INGRESS) ++ return -EOPNOTSUPP; ++ + net_inc_ingress_queue(); + + mini_qdisc_pair_init(&q->miniqp, sch, &dev->miniq_ingress); +@@ -101,6 +104,9 @@ static void ingress_destroy(struct Qdisc *sch) + { + struct ingress_sched_data *q = qdisc_priv(sch); + ++ if (sch->parent != TC_H_INGRESS) ++ return; ++ + tcf_block_put_ext(q->block, sch, &q->block_info); + net_dec_ingress_queue(); + } +-- +2.39.2 + diff --git a/queue-6.3/net-smc-don-t-use-rmbs-not-mapped-to-new-link-in-smc.patch b/queue-6.3/net-smc-don-t-use-rmbs-not-mapped-to-new-link-in-smc.patch new file mode 100644 index 00000000000..01ee43e878d --- /dev/null +++ b/queue-6.3/net-smc-don-t-use-rmbs-not-mapped-to-new-link-in-smc.patch @@ -0,0 +1,87 @@ +From 1627298fe860f68d203795454fef1eccc8efa6ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 19:49:01 +0800 +Subject: net/smc: Don't use RMBs not mapped to new link in SMCRv2 ADD LINK + +From: Wen Gu + +[ Upstream commit 71c6aa0305e3d2365d3bfd0134b4025d9e7ba388 ] + +We encountered a crash when using SMCRv2. It is caused by a logical +error in smc_llc_fill_ext_v2(). + + BUG: kernel NULL pointer dereference, address: 0000000000000014 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP PTI + CPU: 7 PID: 453 Comm: kworker/7:4 Kdump: loaded Tainted: G W E 6.4.0-rc3+ #44 + Workqueue: events smc_llc_add_link_work [smc] + RIP: 0010:smc_llc_fill_ext_v2+0x117/0x280 [smc] + RSP: 0018:ffffacb5c064bd88 EFLAGS: 00010282 + RAX: ffff9a6bc1c3c02c RBX: ffff9a6be3558000 RCX: 0000000000000000 + RDX: 0000000000000002 RSI: 0000000000000002 RDI: 000000000000000a + RBP: ffffacb5c064bdb8 R08: 0000000000000040 R09: 000000000000000c + R10: ffff9a6bc0910300 R11: 0000000000000002 R12: 0000000000000000 + R13: 0000000000000002 R14: ffff9a6bc1c3c02c R15: ffff9a6be3558250 + FS: 0000000000000000(0000) GS:ffff9a6eefdc0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000014 CR3: 000000010b078003 CR4: 00000000003706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + smc_llc_send_add_link+0x1ae/0x2f0 [smc] + smc_llc_srv_add_link+0x2c9/0x5a0 [smc] + ? cc_mkenc+0x40/0x60 + smc_llc_add_link_work+0xb8/0x140 [smc] + process_one_work+0x1e5/0x3f0 + worker_thread+0x4d/0x2f0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xe5/0x120 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x2c/0x50 + + +When an alernate RNIC is available in system, SMC will try to add a new +link based on the RNIC for resilience. All the RMBs in use will be mapped +to the new link. Then the RMBs' MRs corresponding to the new link will be +filled into SMCRv2 LLC ADD LINK messages. + +However, smc_llc_fill_ext_v2() mistakenly accesses to unused RMBs which +haven't been mapped to the new link and have no valid MRs, thus causing +a crash. So this patch fixes the logic. + +Fixes: b4ba4652b3f8 ("net/smc: extend LLC layer for SMC-Rv2") +Signed-off-by: Wen Gu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/smc_llc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c +index 8423e8e0063f4..7a8d9163d186e 100644 +--- a/net/smc/smc_llc.c ++++ b/net/smc/smc_llc.c +@@ -617,6 +617,8 @@ static int smc_llc_fill_ext_v2(struct smc_llc_msg_add_link_v2_ext *ext, + goto out; + buf_pos = smc_llc_get_first_rmb(lgr, &buf_lst); + for (i = 0; i < ext->num_rkeys; i++) { ++ while (buf_pos && !(buf_pos)->used) ++ buf_pos = smc_llc_get_next_rmb(lgr, &buf_lst, buf_pos); + if (!buf_pos) + break; + rmb = buf_pos; +@@ -626,8 +628,6 @@ static int smc_llc_fill_ext_v2(struct smc_llc_msg_add_link_v2_ext *ext, + cpu_to_be64((uintptr_t)rmb->cpu_addr) : + cpu_to_be64((u64)sg_dma_address(rmb->sgt[lnk_idx].sgl)); + buf_pos = smc_llc_get_next_rmb(lgr, &buf_lst, buf_pos); +- while (buf_pos && !(buf_pos)->used) +- buf_pos = smc_llc_get_next_rmb(lgr, &buf_lst, buf_pos); + } + len += i * sizeof(ext->rt[0]); + out: +-- +2.39.2 + diff --git a/queue-6.3/net-smc-scan-from-current-rmb-list-when-no-position-.patch b/queue-6.3/net-smc-scan-from-current-rmb-list-when-no-position-.patch new file mode 100644 index 00000000000..b2791b96e74 --- /dev/null +++ b/queue-6.3/net-smc-scan-from-current-rmb-list-when-no-position-.patch @@ -0,0 +1,39 @@ +From ae1d82f1dfd004f5862639a8e9765f2ba14ddac8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 19:49:00 +0800 +Subject: net/smc: Scan from current RMB list when no position specified + +From: Wen Gu + +[ Upstream commit b24aa141c2ff26c919237aee61ea1818fc6780d9 ] + +When finding the first RMB of link group, it should start from the +current RMB list whose index is 0. So fix it. + +Fixes: b4ba4652b3f8 ("net/smc: extend LLC layer for SMC-Rv2") +Signed-off-by: Wen Gu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/smc_llc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c +index a0840b8c935b8..8423e8e0063f4 100644 +--- a/net/smc/smc_llc.c ++++ b/net/smc/smc_llc.c +@@ -578,7 +578,10 @@ static struct smc_buf_desc *smc_llc_get_next_rmb(struct smc_link_group *lgr, + { + struct smc_buf_desc *buf_next; + +- if (!buf_pos || list_is_last(&buf_pos->list, &lgr->rmbs[*buf_lst])) { ++ if (!buf_pos) ++ return _smc_llc_get_next_rmb(lgr, buf_lst); ++ ++ if (list_is_last(&buf_pos->list, &lgr->rmbs[*buf_lst])) { + (*buf_lst)++; + return _smc_llc_get_next_rmb(lgr, buf_lst); + } +-- +2.39.2 + diff --git a/queue-6.3/net-stmmac-fix-call-trace-when-stmmac_xdp_xmit-is-in.patch b/queue-6.3/net-stmmac-fix-call-trace-when-stmmac_xdp_xmit-is-in.patch new file mode 100644 index 00000000000..2e2fde98411 --- /dev/null +++ b/queue-6.3/net-stmmac-fix-call-trace-when-stmmac_xdp_xmit-is-in.patch @@ -0,0 +1,117 @@ +From 975059d6a336156c77a2b217c65864a1dfb1c647 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 20:57:14 +0800 +Subject: net: stmmac: fix call trace when stmmac_xdp_xmit() is invoked + +From: Wei Fang + +[ Upstream commit ffb3322181d9e8db880202e4f00991764a35d812 ] + +We encountered a kernel call trace issue which was related to +ndo_xdp_xmit callback on our i.MX8MP platform. The reproduce +steps show as follows. +1. The FEC port (eth0) connects to a PC port, and the PC uses +pktgen_sample03_burst_single_flow.sh to generate packets and +send these packets to the FEC port. Notice that the script must +be executed before step 2. +2. Run the "./xdp_redirect eth0 eth1" command on i.MX8MP, the +eth1 interface is the dwmac. Then there will be a call trace +issue soon. Please see the log for more details. +The root cause is that the NETDEV_XDP_ACT_NDO_XMIT feature is +enabled by default, so when the step 2 command is exexcuted +and packets have already been sent to eth0, the stmmac_xdp_xmit() +starts running before the stmmac_xdp_set_prog() finishes. To +resolve this issue, we disable the NETDEV_XDP_ACT_NDO_XMIT +feature by default and turn on/off this feature when the bpf +program is installed/uninstalled which just like the other +ethernet drivers. + +Call Trace log: +[ 306.311271] ------------[ cut here ]------------ +[ 306.315910] WARNING: CPU: 0 PID: 15 at lib/timerqueue.c:55 timerqueue_del+0x68/0x70 +[ 306.323590] Modules linked in: +[ 306.326654] CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.4.0-rc1+ #37 +[ 306.333277] Hardware name: NXP i.MX8MPlus EVK board (DT) +[ 306.338591] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 306.345561] pc : timerqueue_del+0x68/0x70 +[ 306.349577] lr : __remove_hrtimer+0x5c/0xa0 +[ 306.353777] sp : ffff80000b7c3920 +[ 306.357094] x29: ffff80000b7c3920 x28: 0000000000000000 x27: 0000000000000001 +[ 306.364244] x26: ffff80000a763a40 x25: ffff0000d0285a00 x24: 0000000000000001 +[ 306.371390] x23: 0000000000000001 x22: ffff000179389a40 x21: 0000000000000000 +[ 306.378537] x20: ffff000179389aa0 x19: ffff0000d2951308 x18: 0000000000001000 +[ 306.385686] x17: f1d3000000000000 x16: 00000000c39c1000 x15: 55e99bbe00001a00 +[ 306.392835] x14: 09000900120aa8c0 x13: e49af1d300000000 x12: 000000000000c39c +[ 306.399987] x11: 100055e99bbe0000 x10: ffff8000090b1048 x9 : ffff8000081603fc +[ 306.407133] x8 : 000000000000003c x7 : 000000000000003c x6 : 0000000000000001 +[ 306.414284] x5 : ffff0000d2950980 x4 : 0000000000000000 x3 : 0000000000000000 +[ 306.421432] x2 : 0000000000000001 x1 : ffff0000d2951308 x0 : ffff0000d2951308 +[ 306.428585] Call trace: +[ 306.431035] timerqueue_del+0x68/0x70 +[ 306.434706] __remove_hrtimer+0x5c/0xa0 +[ 306.438549] hrtimer_start_range_ns+0x2bc/0x370 +[ 306.443089] stmmac_xdp_xmit+0x174/0x1b0 +[ 306.447021] bq_xmit_all+0x194/0x4b0 +[ 306.450612] __dev_flush+0x4c/0x98 +[ 306.454024] xdp_do_flush+0x18/0x38 +[ 306.457522] fec_enet_rx_napi+0x6c8/0xc68 +[ 306.461539] __napi_poll+0x40/0x220 +[ 306.465038] net_rx_action+0xf8/0x240 +[ 306.468707] __do_softirq+0x128/0x3a8 +[ 306.472378] run_ksoftirqd+0x40/0x58 +[ 306.475961] smpboot_thread_fn+0x1c4/0x288 +[ 306.480068] kthread+0x124/0x138 +[ 306.483305] ret_from_fork+0x10/0x20 +[ 306.486889] ---[ end trace 0000000000000000 ]--- + +Fixes: 66c0e13ad236 ("drivers: net: turn on XDP features") +Signed-off-by: Wei Fang +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230524125714.357337-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +-- + drivers/net/ethernet/stmicro/stmmac/stmmac_xdp.c | 6 ++++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index f9cd063f1fe30..71f8f78ce0090 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -7176,8 +7176,7 @@ int stmmac_dvr_probe(struct device *device, + ndev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | + NETIF_F_RXCSUM; + ndev->xdp_features = NETDEV_XDP_ACT_BASIC | NETDEV_XDP_ACT_REDIRECT | +- NETDEV_XDP_ACT_XSK_ZEROCOPY | +- NETDEV_XDP_ACT_NDO_XMIT; ++ NETDEV_XDP_ACT_XSK_ZEROCOPY; + + ret = stmmac_tc_init(priv, priv); + if (!ret) { +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_xdp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_xdp.c +index 9d4d8c3dad0a3..aa6f16d3df649 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_xdp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_xdp.c +@@ -117,6 +117,9 @@ int stmmac_xdp_set_prog(struct stmmac_priv *priv, struct bpf_prog *prog, + return -EOPNOTSUPP; + } + ++ if (!prog) ++ xdp_features_clear_redirect_target(dev); ++ + need_update = !!priv->xdp_prog != !!prog; + if (if_running && need_update) + stmmac_xdp_release(dev); +@@ -131,5 +134,8 @@ int stmmac_xdp_set_prog(struct stmmac_priv *priv, struct bpf_prog *prog, + if (if_running && need_update) + stmmac_xdp_open(dev); + ++ if (prog) ++ xdp_features_set_redirect_target(dev, false); ++ + return 0; + } +-- +2.39.2 + diff --git a/queue-6.3/net-wwan-t7xx-ensure-init-is-completed-before-system.patch b/queue-6.3/net-wwan-t7xx-ensure-init-is-completed-before-system.patch new file mode 100644 index 00000000000..37defa4c7fc --- /dev/null +++ b/queue-6.3/net-wwan-t7xx-ensure-init-is-completed-before-system.patch @@ -0,0 +1,100 @@ +From 29b544f8b7592fbc6c625f3baa63529356cb1092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 13:24:51 +0800 +Subject: net: wwan: t7xx: Ensure init is completed before system sleep + +From: Kai-Heng Feng + +[ Upstream commit ab87603b251134441a67385ecc9d3371be17b7a7 ] + +When the system attempts to sleep while mtk_t7xx is not ready, the driver +cannot put the device to sleep: +[ 12.472918] mtk_t7xx 0000:57:00.0: [PM] Exiting suspend, modem in invalid state +[ 12.472936] mtk_t7xx 0000:57:00.0: PM: pci_pm_suspend(): t7xx_pci_pm_suspend+0x0/0x20 [mtk_t7xx] returns -14 +[ 12.473678] mtk_t7xx 0000:57:00.0: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x1b0 returns -14 +[ 12.473711] mtk_t7xx 0000:57:00.0: PM: failed to suspend async: error -14 +[ 12.764776] PM: Some devices failed to suspend, or early wake event detected + +Mediatek confirmed the device can take a rather long time to complete +its initialization, so wait for up to 20 seconds until init is done. + +Signed-off-by: Kai-Heng Feng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/t7xx/t7xx_pci.c | 18 ++++++++++++++++++ + drivers/net/wwan/t7xx/t7xx_pci.h | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/drivers/net/wwan/t7xx/t7xx_pci.c b/drivers/net/wwan/t7xx/t7xx_pci.c +index 226fc1703e90f..91256e005b846 100644 +--- a/drivers/net/wwan/t7xx/t7xx_pci.c ++++ b/drivers/net/wwan/t7xx/t7xx_pci.c +@@ -45,6 +45,7 @@ + #define T7XX_PCI_IREG_BASE 0 + #define T7XX_PCI_EREG_BASE 2 + ++#define T7XX_INIT_TIMEOUT 20 + #define PM_SLEEP_DIS_TIMEOUT_MS 20 + #define PM_ACK_TIMEOUT_MS 1500 + #define PM_AUTOSUSPEND_MS 20000 +@@ -96,6 +97,7 @@ static int t7xx_pci_pm_init(struct t7xx_pci_dev *t7xx_dev) + spin_lock_init(&t7xx_dev->md_pm_lock); + init_completion(&t7xx_dev->sleep_lock_acquire); + init_completion(&t7xx_dev->pm_sr_ack); ++ init_completion(&t7xx_dev->init_done); + atomic_set(&t7xx_dev->md_pm_state, MTK_PM_INIT); + + device_init_wakeup(&pdev->dev, true); +@@ -124,6 +126,7 @@ void t7xx_pci_pm_init_late(struct t7xx_pci_dev *t7xx_dev) + pm_runtime_mark_last_busy(&t7xx_dev->pdev->dev); + pm_runtime_allow(&t7xx_dev->pdev->dev); + pm_runtime_put_noidle(&t7xx_dev->pdev->dev); ++ complete_all(&t7xx_dev->init_done); + } + + static int t7xx_pci_pm_reinit(struct t7xx_pci_dev *t7xx_dev) +@@ -529,6 +532,20 @@ static void t7xx_pci_shutdown(struct pci_dev *pdev) + __t7xx_pci_pm_suspend(pdev); + } + ++static int t7xx_pci_pm_prepare(struct device *dev) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ struct t7xx_pci_dev *t7xx_dev; ++ ++ t7xx_dev = pci_get_drvdata(pdev); ++ if (!wait_for_completion_timeout(&t7xx_dev->init_done, T7XX_INIT_TIMEOUT * HZ)) { ++ dev_warn(dev, "Not ready for system sleep.\n"); ++ return -ETIMEDOUT; ++ } ++ ++ return 0; ++} ++ + static int t7xx_pci_pm_suspend(struct device *dev) + { + return __t7xx_pci_pm_suspend(to_pci_dev(dev)); +@@ -555,6 +572,7 @@ static int t7xx_pci_pm_runtime_resume(struct device *dev) + } + + static const struct dev_pm_ops t7xx_pci_pm_ops = { ++ .prepare = t7xx_pci_pm_prepare, + .suspend = t7xx_pci_pm_suspend, + .resume = t7xx_pci_pm_resume, + .resume_noirq = t7xx_pci_pm_resume_noirq, +diff --git a/drivers/net/wwan/t7xx/t7xx_pci.h b/drivers/net/wwan/t7xx/t7xx_pci.h +index 112efa534eace..f08f1ab744691 100644 +--- a/drivers/net/wwan/t7xx/t7xx_pci.h ++++ b/drivers/net/wwan/t7xx/t7xx_pci.h +@@ -69,6 +69,7 @@ struct t7xx_pci_dev { + struct t7xx_modem *md; + struct t7xx_ccmni_ctrl *ccmni_ctlb; + bool rgu_pci_irq_en; ++ struct completion init_done; + + /* Low Power Items */ + struct list_head md_pm_entities; +-- +2.39.2 + diff --git a/queue-6.3/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch b/queue-6.3/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch new file mode 100644 index 00000000000..587b8612856 --- /dev/null +++ b/queue-6.3/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch @@ -0,0 +1,63 @@ +From 05fb770381f5030b78dc4a9a900df93401a0a6f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 10:00:10 -0400 +Subject: netfilter: conntrack: define variables exp_nat_nla_policy and + any_addr with CONFIG_NF_NAT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom Rix + +[ Upstream commit 224a876e37543eee111bf9b6aa4935080e619335 ] + +gcc with W=1 and ! CONFIG_NF_NAT +net/netfilter/nf_conntrack_netlink.c:3463:32: error: + ‘exp_nat_nla_policy’ defined but not used [-Werror=unused-const-variable=] + 3463 | static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { + | ^~~~~~~~~~~~~~~~~~ +net/netfilter/nf_conntrack_netlink.c:2979:33: error: + ‘any_addr’ defined but not used [-Werror=unused-const-variable=] + 2979 | static const union nf_inet_addr any_addr; + | ^~~~~~~~ + +These variables use is controlled by CONFIG_NF_NAT, so should their definitions. + +Signed-off-by: Tom Rix +Reviewed-by: Simon Horman +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index d40544cd61a6c..69c8c8c7e9b8e 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -2976,7 +2976,9 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb, + return -1; + } + ++#if IS_ENABLED(CONFIG_NF_NAT) + static const union nf_inet_addr any_addr; ++#endif + + static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp) + { +@@ -3460,10 +3462,12 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x, + return 0; + } + ++#if IS_ENABLED(CONFIG_NF_NAT) + static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { + [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, + [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, + }; ++#endif + + static int + ctnetlink_parse_expect_nat(const struct nlattr *attr, +-- +2.39.2 + diff --git a/queue-6.3/netrom-fix-info-leak-in-nr_write_internal.patch b/queue-6.3/netrom-fix-info-leak-in-nr_write_internal.patch new file mode 100644 index 00000000000..ee56ff715c4 --- /dev/null +++ b/queue-6.3/netrom-fix-info-leak-in-nr_write_internal.patch @@ -0,0 +1,85 @@ +From 1920c9760fbd6678af74705297094341a5f0a09b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 14:14:56 +0000 +Subject: netrom: fix info-leak in nr_write_internal() + +From: Eric Dumazet + +[ Upstream commit 31642e7089df8fd3f54ca7843f7ee2952978cad1 ] + +Simon Kapadia reported the following issue: + + + +The Online Amateur Radio Community (OARC) has recently been experimenting +with building a nationwide packet network in the UK. +As part of our experimentation, we have been testing out packet on 300bps HF, +and playing with net/rom. For HF packet at this baud rate you really need +to make sure that your MTU is relatively low; AX.25 suggests a PACLEN of 60, +and a net/rom PACLEN of 40 to go with that. +However the Linux net/rom support didn't work with a low PACLEN; +the mkiss module would truncate packets if you set the PACLEN below about 200 or so, e.g.: + +Apr 19 14:00:51 radio kernel: [12985.747310] mkiss: ax1: truncating oversized transmit packet! + +This didn't make any sense to me (if the packets are smaller why would they +be truncated?) so I started investigating. +I looked at the packets using ethereal, and found that many were just huge +compared to what I would expect. +A simple net/rom connection request packet had the request and then a bunch +of what appeared to be random data following it: + + + +Simon provided a patch that I slightly revised: +Not only we must not use skb_tailroom(), we also do +not want to count NR_NETWORK_LEN twice. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-Developed-by: Simon Kapadia +Signed-off-by: Simon Kapadia +Signed-off-by: Eric Dumazet +Tested-by: Simon Kapadia +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230524141456.1045467-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netrom/nr_subr.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c +index 3f99b432ea707..e2d2af924cff4 100644 +--- a/net/netrom/nr_subr.c ++++ b/net/netrom/nr_subr.c +@@ -123,7 +123,7 @@ void nr_write_internal(struct sock *sk, int frametype) + unsigned char *dptr; + int len, timeout; + +- len = NR_NETWORK_LEN + NR_TRANSPORT_LEN; ++ len = NR_TRANSPORT_LEN; + + switch (frametype & 0x0F) { + case NR_CONNREQ: +@@ -141,7 +141,8 @@ void nr_write_internal(struct sock *sk, int frametype) + return; + } + +- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL) ++ skb = alloc_skb(NR_NETWORK_LEN + len, GFP_ATOMIC); ++ if (!skb) + return; + + /* +@@ -149,7 +150,7 @@ void nr_write_internal(struct sock *sk, int frametype) + */ + skb_reserve(skb, NR_NETWORK_LEN); + +- dptr = skb_put(skb, skb_tailroom(skb)); ++ dptr = skb_put(skb, len); + + switch (frametype & 0x0F) { + case NR_CONNREQ: +-- +2.39.2 + diff --git a/queue-6.3/nfsd-fix-double-fget-bug-in-__write_ports_addfd.patch b/queue-6.3/nfsd-fix-double-fget-bug-in-__write_ports_addfd.patch new file mode 100644 index 00000000000..978f5863957 --- /dev/null +++ b/queue-6.3/nfsd-fix-double-fget-bug-in-__write_ports_addfd.patch @@ -0,0 +1,123 @@ +From bdd8be874a1b21aa064f85630f3faa7c8b3eb142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 14:35:55 +0300 +Subject: nfsd: fix double fget() bug in __write_ports_addfd() + +From: Dan Carpenter + +[ Upstream commit c034203b6a9dae6751ef4371c18cb77983e30c28 ] + +The bug here is that you cannot rely on getting the same socket +from multiple calls to fget() because userspace can influence +that. This is a kind of double fetch bug. + +The fix is to delete the svc_alien_sock() function and instead do +the checking inside the svc_addsock() function. + +Fixes: 3064639423c4 ("nfsd: check passed socket's net matches NFSd superblock's one") +Signed-off-by: Dan Carpenter +Reviewed-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfsctl.c | 7 +------ + include/linux/sunrpc/svcsock.h | 7 +++---- + net/sunrpc/svcsock.c | 24 ++++++------------------ + 3 files changed, 10 insertions(+), 28 deletions(-) + +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index 7b8f17ee52243..ba07757f3cd0a 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -702,16 +702,11 @@ static ssize_t __write_ports_addfd(char *buf, struct net *net, const struct cred + if (err != 0 || fd < 0) + return -EINVAL; + +- if (svc_alien_sock(net, fd)) { +- printk(KERN_ERR "%s: socket net is different to NFSd's one\n", __func__); +- return -EINVAL; +- } +- + err = nfsd_create_serv(net); + if (err != 0) + return err; + +- err = svc_addsock(nn->nfsd_serv, fd, buf, SIMPLE_TRANSACTION_LIMIT, cred); ++ err = svc_addsock(nn->nfsd_serv, net, fd, buf, SIMPLE_TRANSACTION_LIMIT, cred); + + if (err >= 0 && + !nn->nfsd_serv->sv_nrthreads && !xchg(&nn->keep_active, 1)) +diff --git a/include/linux/sunrpc/svcsock.h b/include/linux/sunrpc/svcsock.h +index bcc555c7ae9c6..13aff355d5a13 100644 +--- a/include/linux/sunrpc/svcsock.h ++++ b/include/linux/sunrpc/svcsock.h +@@ -59,10 +59,9 @@ int svc_recv(struct svc_rqst *, long); + int svc_send(struct svc_rqst *); + void svc_drop(struct svc_rqst *); + void svc_sock_update_bufs(struct svc_serv *serv); +-bool svc_alien_sock(struct net *net, int fd); +-int svc_addsock(struct svc_serv *serv, const int fd, +- char *name_return, const size_t len, +- const struct cred *cred); ++int svc_addsock(struct svc_serv *serv, struct net *net, ++ const int fd, char *name_return, const size_t len, ++ const struct cred *cred); + void svc_init_xprt_sock(void); + void svc_cleanup_xprt_sock(void); + struct svc_xprt *svc_sock_create(struct svc_serv *serv, int prot); +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index bf2d2cdca1185..e2a94589dd5df 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -1340,25 +1340,10 @@ static struct svc_sock *svc_setup_socket(struct svc_serv *serv, + return svsk; + } + +-bool svc_alien_sock(struct net *net, int fd) +-{ +- int err; +- struct socket *sock = sockfd_lookup(fd, &err); +- bool ret = false; +- +- if (!sock) +- goto out; +- if (sock_net(sock->sk) != net) +- ret = true; +- sockfd_put(sock); +-out: +- return ret; +-} +-EXPORT_SYMBOL_GPL(svc_alien_sock); +- + /** + * svc_addsock - add a listener socket to an RPC service + * @serv: pointer to RPC service to which to add a new listener ++ * @net: caller's network namespace + * @fd: file descriptor of the new listener + * @name_return: pointer to buffer to fill in with name of listener + * @len: size of the buffer +@@ -1368,8 +1353,8 @@ EXPORT_SYMBOL_GPL(svc_alien_sock); + * Name is terminated with '\n'. On error, returns a negative errno + * value. + */ +-int svc_addsock(struct svc_serv *serv, const int fd, char *name_return, +- const size_t len, const struct cred *cred) ++int svc_addsock(struct svc_serv *serv, struct net *net, const int fd, ++ char *name_return, const size_t len, const struct cred *cred) + { + int err = 0; + struct socket *so = sockfd_lookup(fd, &err); +@@ -1380,6 +1365,9 @@ int svc_addsock(struct svc_serv *serv, const int fd, char *name_return, + + if (!so) + return err; ++ err = -EINVAL; ++ if (sock_net(so->sk) != net) ++ goto out; + err = -EAFNOSUPPORT; + if ((so->sk->sk_family != PF_INET) && (so->sk->sk_family != PF_INET6)) + goto out; +-- +2.39.2 + diff --git a/queue-6.3/nfsd-make-a-copy-of-struct-iattr-before-calling-noti.patch b/queue-6.3/nfsd-make-a-copy-of-struct-iattr-before-calling-noti.patch new file mode 100644 index 00000000000..d0f46463bc9 --- /dev/null +++ b/queue-6.3/nfsd-make-a-copy-of-struct-iattr-before-calling-noti.patch @@ -0,0 +1,50 @@ +From 22bc500e9b27b1b1441c0cdc6f5b224a6ee8a2e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 12:26:44 -0400 +Subject: nfsd: make a copy of struct iattr before calling notify_change + +From: Jeff Layton + +[ Upstream commit d53d70084d27f56bcdf5074328f2c9ec861be596 ] + +notify_change can modify the iattr structure. In particular it can +end up setting ATTR_MODE when ATTR_KILL_SUID is already set, causing +a BUG() if the same iattr is passed to notify_change more than once. + +Make a copy of the struct iattr before calling notify_change. + +Reported-by: Zhi Li +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2207969 +Tested-by: Zhi Li +Fixes: 34b91dda7124 ("NFSD: Make nfsd4_setattr() wait before returning NFS4ERR_DELAY") +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/vfs.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c +index 5783209f17fc5..e4884dde048ce 100644 +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -536,7 +536,15 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, + + inode_lock(inode); + for (retries = 1;;) { +- host_err = __nfsd_setattr(dentry, iap); ++ struct iattr attrs; ++ ++ /* ++ * notify_change() can alter its iattr argument, making ++ * @iap unsuitable for submission multiple times. Make a ++ * copy for every loop iteration. ++ */ ++ attrs = *iap; ++ host_err = __nfsd_setattr(dentry, &attrs); + if (host_err != -EAGAIN || !retries--) + break; + if (!nfsd_wait_for_delegreturn(rqstp, inode)) +-- +2.39.2 + diff --git a/queue-6.3/nvme-do-not-let-the-user-delete-a-ctrl-before-a-comp.patch b/queue-6.3/nvme-do-not-let-the-user-delete-a-ctrl-before-a-comp.patch new file mode 100644 index 00000000000..d23710c5ede --- /dev/null +++ b/queue-6.3/nvme-do-not-let-the-user-delete-a-ctrl-before-a-comp.patch @@ -0,0 +1,76 @@ +From 098e994b26ebf6c7bb9354f6e9e29d88fadb0894 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 13:07:41 +0200 +Subject: nvme: do not let the user delete a ctrl before a complete + initialization + +From: Maurizio Lombardi + +[ Upstream commit 2eb94dd56a4a4e3fe286def3e2ba207804a37345 ] + +If a userspace application performes a "delete_controller" command +early during the ctrl initialization, the delete operation +may race against the init code and the kernel will crash. + +nvme nvme5: Connect command failed: host path error +nvme nvme5: failed to connect queue: 0 ret=880 +PF: supervisor write access in kernel mode +PF: error_code(0x0002) - not-present page + blk_mq_quiesce_queue+0x18/0x90 + nvme_tcp_delete_ctrl+0x24/0x40 [nvme_tcp] + nvme_do_delete_ctrl+0x7f/0x8b [nvme_core] + nvme_sysfs_delete.cold+0x8/0xd [nvme_core] + kernfs_fop_write_iter+0x124/0x1b0 + new_sync_write+0xff/0x190 + vfs_write+0x1ef/0x280 + +Fix the crash by checking the NVME_CTRL_STARTED_ONCE bit; +if it's not set it means that the nvme controller is still +in the process of getting initialized and the kernel +will return an -EBUSY error to userspace. +Set the NVME_CTRL_STARTED_ONCE later in the nvme_start_ctrl() +function, after the controller start operation is completed. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index bdf1601219fc4..c015393beeee8 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3585,6 +3585,9 @@ static ssize_t nvme_sysfs_delete(struct device *dev, + { + struct nvme_ctrl *ctrl = dev_get_drvdata(dev); + ++ if (!test_bit(NVME_CTRL_STARTED_ONCE, &ctrl->flags)) ++ return -EBUSY; ++ + if (device_remove_file_self(dev, attr)) + nvme_delete_ctrl_sync(ctrl); + return count; +@@ -5045,7 +5048,7 @@ void nvme_start_ctrl(struct nvme_ctrl *ctrl) + * that were missed. We identify persistent discovery controllers by + * checking that they started once before, hence are reconnecting back. + */ +- if (test_and_set_bit(NVME_CTRL_STARTED_ONCE, &ctrl->flags) && ++ if (test_bit(NVME_CTRL_STARTED_ONCE, &ctrl->flags) && + nvme_discovery_ctrl(ctrl)) + nvme_change_uevent(ctrl, "NVME_EVENT=rediscover"); + +@@ -5056,6 +5059,7 @@ void nvme_start_ctrl(struct nvme_ctrl *ctrl) + } + + nvme_change_uevent(ctrl, "NVME_EVENT=connected"); ++ set_bit(NVME_CTRL_STARTED_ONCE, &ctrl->flags); + } + EXPORT_SYMBOL_GPL(nvme_start_ctrl); + +-- +2.39.2 + diff --git a/queue-6.3/nvme-fix-the-name-of-zone-append-for-verbose-logging.patch b/queue-6.3/nvme-fix-the-name-of-zone-append-for-verbose-logging.patch new file mode 100644 index 00000000000..9ddf3c8f7a9 --- /dev/null +++ b/queue-6.3/nvme-fix-the-name-of-zone-append-for-verbose-logging.patch @@ -0,0 +1,36 @@ +From cda1075a0ba8adeea6f11b813eb672355e110976 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 14:54:54 +0200 +Subject: nvme: fix the name of Zone Append for verbose logging + +From: Christoph Hellwig + +[ Upstream commit 856303797724d28f1d65b702f0eadcee1ea7abf5 ] + +No Management involved in Zone Appened. + +Fixes: bd83fe6f2cd2 ("nvme: add verbose error logging") +Signed-off-by: Christoph Hellwig +Reviewed-by: Alan Adamson +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/constants.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/constants.c b/drivers/nvme/host/constants.c +index bc523ca022548..5e4f8848dce08 100644 +--- a/drivers/nvme/host/constants.c ++++ b/drivers/nvme/host/constants.c +@@ -21,7 +21,7 @@ static const char * const nvme_ops[] = { + [nvme_cmd_resv_release] = "Reservation Release", + [nvme_cmd_zone_mgmt_send] = "Zone Management Send", + [nvme_cmd_zone_mgmt_recv] = "Zone Management Receive", +- [nvme_cmd_zone_append] = "Zone Management Append", ++ [nvme_cmd_zone_append] = "Zone Append", + }; + + static const char * const nvme_admin_ops[] = { +-- +2.39.2 + diff --git a/queue-6.3/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch b/queue-6.3/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch new file mode 100644 index 00000000000..e61ee6ed5ff --- /dev/null +++ b/queue-6.3/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch @@ -0,0 +1,36 @@ +From 88f123892ecc32b21f2daf7fbe9d30d0c0198a75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 09:53:45 +0200 +Subject: nvme-multipath: don't call blk_mark_disk_dead in + nvme_mpath_remove_disk + +From: Christoph Hellwig + +[ Upstream commit 1743e5f6000901a11f4e1cd741bfa9136f3ec9b1 ] + +nvme_mpath_remove_disk is called after del_gendisk, at which point a +blk_mark_disk_dead call doesn't make any sense. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 9171452e2f6d4..2bc159a318ff0 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -884,7 +884,6 @@ void nvme_mpath_remove_disk(struct nvme_ns_head *head) + { + if (!head->disk) + return; +- blk_mark_disk_dead(head->disk); + /* make sure all pending bios are cleaned up */ + kblockd_schedule_work(&head->requeue_work); + flush_work(&head->requeue_work); +-- +2.39.2 + diff --git a/queue-6.3/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch b/queue-6.3/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch new file mode 100644 index 00000000000..6909f442db2 --- /dev/null +++ b/queue-6.3/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch @@ -0,0 +1,37 @@ +From a23273e906fd49efa27f1287c12edf96d9b9da6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 May 2023 18:57:33 +0300 +Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G + +From: Sagi Grimberg + +[ Upstream commit 1616d6c3717bae9041a4240d381ec56ccdaafedc ] + +Add a quirk to fix HS-SSD-FUTURE 2048G SSD drives reporting duplicate +nsids. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217384 +Reported-by: Andrey God +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index cd7873de31215..bbf96567365cd 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3445,6 +3445,8 @@ static const struct pci_device_id nvme_id_table[] = { + NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE(0x10ec, 0x5763), /* TEAMGROUP T-FORCE CARDEA ZERO Z330 SSD */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, ++ { PCI_DEVICE(0x1e4b, 0x1602), /* HS-SSD-FUTURE 2048G */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061), + .driver_data = NVME_QUIRK_DMA_ADDRESS_BITS_48, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0065), +-- +2.39.2 + diff --git a/queue-6.3/nvme-pci-add-quirk-for-missing-secondary-temperature.patch b/queue-6.3/nvme-pci-add-quirk-for-missing-secondary-temperature.patch new file mode 100644 index 00000000000..578f03fb3d4 --- /dev/null +++ b/queue-6.3/nvme-pci-add-quirk-for-missing-secondary-temperature.patch @@ -0,0 +1,79 @@ +From 29516b403059dfb2c13c39182c972bc45e77fa08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 22:58:54 +0300 +Subject: nvme-pci: add quirk for missing secondary temperature thresholds + +From: Hristo Venev + +[ Upstream commit bd375feeaf3408ed00e08c3bc918d6be15f691ad ] + +On Kingston KC3000 and Kingston FURY Renegade (both have the same PCI +IDs) accessing temp3_{min,max} fails with an invalid field error (note +that there is no problem setting the thresholds for temp1). + +This contradicts the NVM Express Base Specification 2.0b, page 292: + + The over temperature threshold and under temperature threshold + features shall be implemented for all implemented temperature sensors + (i.e., all Temperature Sensor fields that report a non-zero value). + +Define NVME_QUIRK_NO_SECONDARY_TEMP_THRESH that disables the thresholds +for all but the composite temperature and set it for this device. + +Signed-off-by: Hristo Venev +Reviewed-by: Guenter Roeck +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/hwmon.c | 4 +++- + drivers/nvme/host/nvme.h | 5 +++++ + drivers/nvme/host/pci.c | 2 ++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/hwmon.c b/drivers/nvme/host/hwmon.c +index 9e6e56c20ec99..316f3e4ca7cc6 100644 +--- a/drivers/nvme/host/hwmon.c ++++ b/drivers/nvme/host/hwmon.c +@@ -163,7 +163,9 @@ static umode_t nvme_hwmon_is_visible(const void *_data, + case hwmon_temp_max: + case hwmon_temp_min: + if ((!channel && data->ctrl->wctemp) || +- (channel && data->log->temp_sensor[channel - 1])) { ++ (channel && data->log->temp_sensor[channel - 1] && ++ !(data->ctrl->quirks & ++ NVME_QUIRK_NO_SECONDARY_TEMP_THRESH))) { + if (data->ctrl->quirks & + NVME_QUIRK_NO_TEMP_THRESH_CHANGE) + return 0444; +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index bf46f122e9e1e..a2d4f59e0535a 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -149,6 +149,11 @@ enum nvme_quirks { + * Reports garbage in the namespace identifiers (eui64, nguid, uuid). + */ + NVME_QUIRK_BOGUS_NID = (1 << 18), ++ ++ /* ++ * No temperature thresholds for channels other than 0 (Composite). ++ */ ++ NVME_QUIRK_NO_SECONDARY_TEMP_THRESH = (1 << 19), + }; + + /* +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index bbf96567365cd..a7772c0194d5a 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3406,6 +3406,8 @@ static const struct pci_device_id nvme_id_table[] = { + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, + { PCI_DEVICE(0x2646, 0x2263), /* KINGSTON A2000 NVMe SSD */ + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, ++ { PCI_DEVICE(0x2646, 0x5013), /* Kingston KC3000, Kingston FURY Renegade */ ++ .driver_data = NVME_QUIRK_NO_SECONDARY_TEMP_THRESH, }, + { PCI_DEVICE(0x2646, 0x5018), /* KINGSTON OM8SFP4xxxxP OS21012 NVMe SSD */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x2646, 0x5016), /* KINGSTON OM3PGP4xxxxP OS21011 NVMe SSD */ +-- +2.39.2 + diff --git a/queue-6.3/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch b/queue-6.3/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch new file mode 100644 index 00000000000..3e11f2f13a8 --- /dev/null +++ b/queue-6.3/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch @@ -0,0 +1,37 @@ +From 5e4dbc0771af43c369123680fa6ca1bf2de44c83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 14:32:32 -0700 +Subject: nvme-pci: Add quirk for Teamgroup MP33 SSD + +From: Daniel Smith + +[ Upstream commit 0649728123cf6a5518e154b4e1735fc85ea4f55c ] + +Add a quirk for Teamgroup MP33 that reports duplicate ids for disk. + +Signed-off-by: Daniel Smith +[kch: patch formatting] +Signed-off-by: Chaitanya Kulkarni +Tested-by: Daniel Smith +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index a389f1ea0b151..60f51155a6d20 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3449,6 +3449,8 @@ static const struct pci_device_id nvme_id_table[] = { + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1e4b, 0x1602), /* HS-SSD-FUTURE 2048G */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, ++ { PCI_DEVICE(0x10ec, 0x5765), /* TEAMGROUP MP33 2TB SSD */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061), + .driver_data = NVME_QUIRK_DMA_ADDRESS_BITS_48, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0065), +-- +2.39.2 + diff --git a/queue-6.3/nvme-pci-clamp-max_hw_sectors-based-on-dma-optimized.patch b/queue-6.3/nvme-pci-clamp-max_hw_sectors-based-on-dma-optimized.patch new file mode 100644 index 00000000000..4ecf30cc13c --- /dev/null +++ b/queue-6.3/nvme-pci-clamp-max_hw_sectors-based-on-dma-optimized.patch @@ -0,0 +1,131 @@ +From 2e72417634ad93a7d39dfb78bb2fd94ba6ae13f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 16:08:00 +0800 +Subject: nvme-pci: clamp max_hw_sectors based on DMA optimized limitation + +From: Adrian Huang + +[ Upstream commit 3710e2b056cb92ad816e4d79fa54a6a5b6ad8cbd ] + +When running the fio test on a 448-core AMD server + a NVME disk, +a soft lockup or a hard lockup call trace is shown: + +[soft lockup] +watchdog: BUG: soft lockup - CPU#126 stuck for 23s! [swapper/126:0] +RIP: 0010:_raw_spin_unlock_irqrestore+0x21/0x50 +... +Call Trace: + + fq_flush_timeout+0x7d/0xd0 + ? __pfx_fq_flush_timeout+0x10/0x10 + call_timer_fn+0x2e/0x150 + run_timer_softirq+0x48a/0x560 + ? __pfx_fq_flush_timeout+0x10/0x10 + ? clockevents_program_event+0xaf/0x130 + __do_softirq+0xf1/0x335 + irq_exit_rcu+0x9f/0xd0 + sysvec_apic_timer_interrupt+0xb4/0xd0 + + + asm_sysvec_apic_timer_interrupt+0x1f/0x30 +... + +Obvisouly, fq_flush_timeout spends over 20 seconds. Here is ftrace log: + + | fq_flush_timeout() { + | fq_ring_free() { + | put_pages_list() { + 0.170 us | free_unref_page_list(); + 0.810 us | } + | free_iova_fast() { + | free_iova() { + * 85622.66 us | _raw_spin_lock_irqsave(); + 2.860 us | remove_iova(); + 0.600 us | _raw_spin_unlock_irqrestore(); + 0.470 us | lock_info_report(); + 2.420 us | free_iova_mem.part.0(); + * 85638.27 us | } + * 85638.84 us | } + | put_pages_list() { + 0.230 us | free_unref_page_list(); + 0.470 us | } + ... ... + $ 31017069 us | } + +Most of cores are under lock contention for acquiring iova_rbtree_lock due +to the iova flush queue mechanism. + +[hard lockup] +NMI watchdog: Watchdog detected hard LOCKUP on cpu 351 +RIP: 0010:native_queued_spin_lock_slowpath+0x2d8/0x330 + +Call Trace: + + _raw_spin_lock_irqsave+0x4f/0x60 + free_iova+0x27/0xd0 + free_iova_fast+0x4d/0x1d0 + fq_ring_free+0x9b/0x150 + iommu_dma_free_iova+0xb4/0x2e0 + __iommu_dma_unmap+0x10b/0x140 + iommu_dma_unmap_sg+0x90/0x110 + dma_unmap_sg_attrs+0x4a/0x50 + nvme_unmap_data+0x5d/0x120 [nvme] + nvme_pci_complete_batch+0x77/0xc0 [nvme] + nvme_irq+0x2ee/0x350 [nvme] + ? __pfx_nvme_pci_complete_batch+0x10/0x10 [nvme] + __handle_irq_event_percpu+0x53/0x1a0 + handle_irq_event_percpu+0x19/0x60 + handle_irq_event+0x3d/0x60 + handle_edge_irq+0xb3/0x210 + __common_interrupt+0x7f/0x150 + common_interrupt+0xc5/0xf0 + + + asm_common_interrupt+0x2b/0x40 +... + +ftrace shows fq_ring_free spends over 10 seconds [1]. Again, most of +cores are under lock contention for acquiring iova_rbtree_lock due +to the iova flush queue mechanism. + +[Root Cause] +The root cause is that the max_hw_sectors_kb of nvme disk (mdts=10) +is 4096kb, which streaming DMA mappings cannot benefit from the +scalable IOVA mechanism introduced by the commit 9257b4a206fc +("iommu/iova: introduce per-cpu caching to iova allocation") if +the length is greater than 128kb. + +To fix the lock contention issue, clamp max_hw_sectors based on +DMA optimized limitation in order to leverage scalable IOVA mechanism. + +Note: The issue does not happen with another NVME disk (mdts = 5 +and max_hw_sectors_kb = 128) + +[1] https://gist.github.com/AdrianHuang/bf8ec7338204837631fbdaed25d19cc4 + +Suggested-by: Keith Busch +Reported-and-tested-by: Jiwei Sun +Signed-off-by: Adrian Huang +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index a7772c0194d5a..a389f1ea0b151 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2960,7 +2960,7 @@ static struct nvme_dev *nvme_pci_alloc_dev(struct pci_dev *pdev, + * over a single page. + */ + dev->ctrl.max_hw_sectors = min_t(u32, +- NVME_MAX_KB_SZ << 1, dma_max_mapping_size(&pdev->dev) >> 9); ++ NVME_MAX_KB_SZ << 1, dma_opt_mapping_size(&pdev->dev) >> 9); + dev->ctrl.max_segments = NVME_MAX_SEGS; + + /* +-- +2.39.2 + diff --git a/queue-6.3/perf-ftrace-latency-remove-unnecessary-from-use-nsec.patch b/queue-6.3/perf-ftrace-latency-remove-unnecessary-from-use-nsec.patch new file mode 100644 index 00000000000..c47f5e50c7c --- /dev/null +++ b/queue-6.3/perf-ftrace-latency-remove-unnecessary-from-use-nsec.patch @@ -0,0 +1,56 @@ +From 40547a4e0fbd5b271744496456836881f97b044c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 14:20:38 -0700 +Subject: perf ftrace latency: Remove unnecessary "--" from --use-nsec option + +From: Namhyung Kim + +[ Upstream commit 8d73259ef23f449329294dc187932f7470268126 ] + +The option name should not have the dashes. Current version shows four +dashes for the option. + + $ perf ftrace latency -h + + Usage: perf ftrace [] [] + or: perf ftrace [] -- [] [] + or: perf ftrace {trace|latency} [] [] + or: perf ftrace {trace|latency} [] -- [] [] + + -b, --use-bpf Use BPF to measure function latency + -n, ----use-nsec Use nano-second histogram + -T, --trace-funcs + Show latency of given function + +Fixes: 84005bb6148618cc ("perf ftrace latency: Add -n/--use-nsec option") +Signed-off-by: Namhyung Kim +Tested-by: Arnaldo Carvalho de Melo +Cc: Adrian Hunter +Cc: Changbin Du +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20230525212038.3535851-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c +index fb1b66ef2e167..ce482ef58e6f2 100644 +--- a/tools/perf/builtin-ftrace.c ++++ b/tools/perf/builtin-ftrace.c +@@ -1175,7 +1175,7 @@ int cmd_ftrace(int argc, const char **argv) + OPT_BOOLEAN('b', "use-bpf", &ftrace.target.use_bpf, + "Use BPF to measure function latency"), + #endif +- OPT_BOOLEAN('n', "--use-nsec", &ftrace.use_nsec, ++ OPT_BOOLEAN('n', "use-nsec", &ftrace.use_nsec, + "Use nano-second histogram"), + OPT_PARENT(common_options), + }; +-- +2.39.2 + diff --git a/queue-6.3/perf-x86-intel-ds-flush-pebs-ds-when-changing-pebs_d.patch b/queue-6.3/perf-x86-intel-ds-flush-pebs-ds-when-changing-pebs_d.patch new file mode 100644 index 00000000000..be2abf62416 --- /dev/null +++ b/queue-6.3/perf-x86-intel-ds-flush-pebs-ds-when-changing-pebs_d.patch @@ -0,0 +1,189 @@ +From af1c49ee62b9f128ce8680737e6dc3d14baffaa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 11:45:28 -0700 +Subject: perf/x86/intel/ds: Flush PEBS DS when changing PEBS_DATA_CFG + +From: Kan Liang + +[ Upstream commit b752ea0c28e3f7f0aaaad6abf84f735eebc37a60 ] + +Several similar kernel warnings can be triggered, + + [56605.607840] CPU0 PEBS record size 0, expected 32, config 0 cpuc->record_size=208 + +when the below commands are running in parallel for a while on SPR. + + while true; + do + perf record --no-buildid -a --intr-regs=AX \ + -e cpu/event=0xd0,umask=0x81/pp \ + -c 10003 -o /dev/null ./triad; + done & + + while true; + do + perf record -o /tmp/out -W -d \ + -e '{ld_blocks.store_forward:period=1000000, \ + MEM_TRANS_RETIRED.LOAD_LATENCY:u:precise=2:ldlat=4}' \ + -c 1037 ./triad; + done + +The triad program is just the generation of loads/stores. + +The warnings are triggered when an unexpected PEBS record (with a +different config and size) is found. + +A system-wide PEBS event with the large PEBS config may be enabled +during a context switch. Some PEBS records for the system-wide PEBS +may be generated while the old task is sched out but the new one +hasn't been sched in yet. When the new task is sched in, the +cpuc->pebs_record_size may be updated for the per-task PEBS events. So +the existing system-wide PEBS records have a different size from the +later PEBS records. + +The PEBS buffer should be flushed right before the hardware is +reprogrammed. The new size and threshold should be updated after the +old buffer has been flushed. + +Reported-by: Stephane Eranian +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230421184529.3320912-1-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/ds.c | 56 ++++++++++++++++++------------- + arch/x86/include/asm/perf_event.h | 3 ++ + 2 files changed, 35 insertions(+), 24 deletions(-) + +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index a2e566e53076e..df88576d6b2a5 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1229,12 +1229,14 @@ pebs_update_state(bool needed_cb, struct cpu_hw_events *cpuc, + struct perf_event *event, bool add) + { + struct pmu *pmu = event->pmu; ++ + /* + * Make sure we get updated with the first PEBS + * event. It will trigger also during removal, but + * that does not hurt: + */ +- bool update = cpuc->n_pebs == 1; ++ if (cpuc->n_pebs == 1) ++ cpuc->pebs_data_cfg = PEBS_UPDATE_DS_SW; + + if (needed_cb != pebs_needs_sched_cb(cpuc)) { + if (!needed_cb) +@@ -1242,7 +1244,7 @@ pebs_update_state(bool needed_cb, struct cpu_hw_events *cpuc, + else + perf_sched_cb_dec(pmu); + +- update = true; ++ cpuc->pebs_data_cfg |= PEBS_UPDATE_DS_SW; + } + + /* +@@ -1252,24 +1254,13 @@ pebs_update_state(bool needed_cb, struct cpu_hw_events *cpuc, + if (x86_pmu.intel_cap.pebs_baseline && add) { + u64 pebs_data_cfg; + +- /* Clear pebs_data_cfg and pebs_record_size for first PEBS. */ +- if (cpuc->n_pebs == 1) { +- cpuc->pebs_data_cfg = 0; +- cpuc->pebs_record_size = sizeof(struct pebs_basic); +- } +- + pebs_data_cfg = pebs_update_adaptive_cfg(event); +- +- /* Update pebs_record_size if new event requires more data. */ +- if (pebs_data_cfg & ~cpuc->pebs_data_cfg) { +- cpuc->pebs_data_cfg |= pebs_data_cfg; +- adaptive_pebs_record_size_update(); +- update = true; +- } ++ /* ++ * Be sure to update the thresholds when we change the record. ++ */ ++ if (pebs_data_cfg & ~cpuc->pebs_data_cfg) ++ cpuc->pebs_data_cfg |= pebs_data_cfg | PEBS_UPDATE_DS_SW; + } +- +- if (update) +- pebs_update_threshold(cpuc); + } + + void intel_pmu_pebs_add(struct perf_event *event) +@@ -1326,9 +1317,17 @@ static void intel_pmu_pebs_via_pt_enable(struct perf_event *event) + wrmsrl(base + idx, value); + } + ++static inline void intel_pmu_drain_large_pebs(struct cpu_hw_events *cpuc) ++{ ++ if (cpuc->n_pebs == cpuc->n_large_pebs && ++ cpuc->n_pebs != cpuc->n_pebs_via_pt) ++ intel_pmu_drain_pebs_buffer(); ++} ++ + void intel_pmu_pebs_enable(struct perf_event *event) + { + struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events); ++ u64 pebs_data_cfg = cpuc->pebs_data_cfg & ~PEBS_UPDATE_DS_SW; + struct hw_perf_event *hwc = &event->hw; + struct debug_store *ds = cpuc->ds; + unsigned int idx = hwc->idx; +@@ -1344,11 +1343,22 @@ void intel_pmu_pebs_enable(struct perf_event *event) + + if (x86_pmu.intel_cap.pebs_baseline) { + hwc->config |= ICL_EVENTSEL_ADAPTIVE; +- if (cpuc->pebs_data_cfg != cpuc->active_pebs_data_cfg) { +- wrmsrl(MSR_PEBS_DATA_CFG, cpuc->pebs_data_cfg); +- cpuc->active_pebs_data_cfg = cpuc->pebs_data_cfg; ++ if (pebs_data_cfg != cpuc->active_pebs_data_cfg) { ++ /* ++ * drain_pebs() assumes uniform record size; ++ * hence we need to drain when changing said ++ * size. ++ */ ++ intel_pmu_drain_large_pebs(cpuc); ++ adaptive_pebs_record_size_update(); ++ wrmsrl(MSR_PEBS_DATA_CFG, pebs_data_cfg); ++ cpuc->active_pebs_data_cfg = pebs_data_cfg; + } + } ++ if (cpuc->pebs_data_cfg & PEBS_UPDATE_DS_SW) { ++ cpuc->pebs_data_cfg = pebs_data_cfg; ++ pebs_update_threshold(cpuc); ++ } + + if (idx >= INTEL_PMC_IDX_FIXED) { + if (x86_pmu.intel_cap.pebs_format < 5) +@@ -1391,9 +1401,7 @@ void intel_pmu_pebs_disable(struct perf_event *event) + struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events); + struct hw_perf_event *hwc = &event->hw; + +- if (cpuc->n_pebs == cpuc->n_large_pebs && +- cpuc->n_pebs != cpuc->n_pebs_via_pt) +- intel_pmu_drain_pebs_buffer(); ++ intel_pmu_drain_large_pebs(cpuc); + + cpuc->pebs_enabled &= ~(1ULL << hwc->idx); + +diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h +index 8fc15ed5e60bb..abf09882f58b6 100644 +--- a/arch/x86/include/asm/perf_event.h ++++ b/arch/x86/include/asm/perf_event.h +@@ -121,6 +121,9 @@ + #define PEBS_DATACFG_LBRS BIT_ULL(3) + #define PEBS_DATACFG_LBR_SHIFT 24 + ++/* Steal the highest bit of pebs_data_cfg for SW usage */ ++#define PEBS_UPDATE_DS_SW BIT_ULL(63) ++ + /* + * Intel "Architectural Performance Monitoring" CPUID + * detection/enumeration details: +-- +2.39.2 + diff --git a/queue-6.3/perf-x86-intel-save-restore-cpuc-active_pebs_data_cf.patch b/queue-6.3/perf-x86-intel-save-restore-cpuc-active_pebs_data_cf.patch new file mode 100644 index 00000000000..8c7898b2e9a --- /dev/null +++ b/queue-6.3/perf-x86-intel-save-restore-cpuc-active_pebs_data_cf.patch @@ -0,0 +1,43 @@ +From b20624893aa0aa9a8c2260e513677151f48cd37d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 21:38:08 +0800 +Subject: perf/x86/intel: Save/restore cpuc->active_pebs_data_cfg when using + guest PEBS + +From: Like Xu + +[ Upstream commit 3c845304d2d723f20d5b91fef5d133ff94825d76 ] + +After commit b752ea0c28e3 ("perf/x86/intel/ds: Flush PEBS DS when changing +PEBS_DATA_CFG"), the cpuc->pebs_data_cfg may save some bits that are not +supported by real hardware, such as PEBS_UPDATE_DS_SW. This would cause +the VMX hardware MSR switching mechanism to save/restore invalid values +for PEBS_DATA_CFG MSR, thus crashing the host when PEBS is used for guest. +Fix it by using the active host value from cpuc->active_pebs_data_cfg. + +Fixes: b752ea0c28e3 ("perf/x86/intel/ds: Flush PEBS DS when changing PEBS_DATA_CFG") +Signed-off-by: Like Xu +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Kan Liang +Link: https://lore.kernel.org/r/20230517133808.67885-1-likexu@tencent.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index a3fb996a86a10..161b8f71eb5a7 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -4074,7 +4074,7 @@ static struct perf_guest_switch_msr *intel_guest_get_msrs(int *nr, void *data) + if (x86_pmu.intel_cap.pebs_baseline) { + arr[(*nr)++] = (struct perf_guest_switch_msr){ + .msr = MSR_PEBS_DATA_CFG, +- .host = cpuc->pebs_data_cfg, ++ .host = cpuc->active_pebs_data_cfg, + .guest = kvm_pmu->pebs_data_cfg, + }; + } +-- +2.39.2 + diff --git a/queue-6.3/phy-amlogic-phy-meson-g12a-mipi-dphy-analog-fix-cntl.patch b/queue-6.3/phy-amlogic-phy-meson-g12a-mipi-dphy-analog-fix-cntl.patch new file mode 100644 index 00000000000..814e15bd873 --- /dev/null +++ b/queue-6.3/phy-amlogic-phy-meson-g12a-mipi-dphy-analog-fix-cntl.patch @@ -0,0 +1,38 @@ +From 190b217b1242e73ec3ef0473d3685dce106bcd93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 15:11:41 +0200 +Subject: phy: amlogic: phy-meson-g12a-mipi-dphy-analog: fix CNTL2_DIF_TX_CTL0 + value + +From: Neil Armstrong + +[ Upstream commit b949193011540bb17cf1da7795ec42af1b875203 ] + +Use the same CNTL2_DIF_TX_CTL0 value used by the vendor, it was reported +fixing timings issues. + +Fixes: 2a56dc650e54 ("phy: amlogic: Add G12A Analog MIPI D-PHY driver") +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230512-amlogic-v6-4-upstream-dsi-ccf-vim3-v4-10-2592c29ea263@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c b/drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c +index c14089fa7db49..cabdddbbabfd7 100644 +--- a/drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c ++++ b/drivers/phy/amlogic/phy-meson-g12a-mipi-dphy-analog.c +@@ -70,7 +70,7 @@ static int phy_g12a_mipi_dphy_analog_power_on(struct phy *phy) + HHI_MIPI_CNTL1_BANDGAP); + + regmap_write(priv->regmap, HHI_MIPI_CNTL2, +- FIELD_PREP(HHI_MIPI_CNTL2_DIF_TX_CTL0, 0x459) | ++ FIELD_PREP(HHI_MIPI_CNTL2_DIF_TX_CTL0, 0x45a) | + FIELD_PREP(HHI_MIPI_CNTL2_DIF_TX_CTL1, 0x2680)); + + reg = DSI_LANE_CLK; +-- +2.39.2 + diff --git a/queue-6.3/platform-mellanox-fix-potential-race-in-mlxbf-tmfifo.patch b/queue-6.3/platform-mellanox-fix-potential-race-in-mlxbf-tmfifo.patch new file mode 100644 index 00000000000..551075b0bb4 --- /dev/null +++ b/queue-6.3/platform-mellanox-fix-potential-race-in-mlxbf-tmfifo.patch @@ -0,0 +1,65 @@ +From 9a03272d9a4c425184dc02fb0df9d6d40261778e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 10:23:44 -0400 +Subject: platform/mellanox: fix potential race in mlxbf-tmfifo driver + +From: Liming Sun + +[ Upstream commit 3d43f9f639542fadfb28f40b509bf147a6624d48 ] + +This commit adds memory barrier for the 'vq' update in function +mlxbf_tmfifo_virtio_find_vqs() to avoid potential race due to +out-of-order memory write. It also adds barrier for the 'is_ready' +flag to make sure the initializations are visible before this flag +is checked. + +Signed-off-by: Liming Sun +Reviewed-by: Vadim Pasternak +Link: https://lore.kernel.org/r/b98c0ab61d644ba38fa9b3fd1607b138b0dd820b.1682518748.git.limings@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-tmfifo.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c +index 91a077c35b8b8..a79318e90a139 100644 +--- a/drivers/platform/mellanox/mlxbf-tmfifo.c ++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c +@@ -784,7 +784,7 @@ static void mlxbf_tmfifo_rxtx(struct mlxbf_tmfifo_vring *vring, bool is_rx) + fifo = vring->fifo; + + /* Return if vdev is not ready. */ +- if (!fifo->vdev[devid]) ++ if (!fifo || !fifo->vdev[devid]) + return; + + /* Return if another vring is running. */ +@@ -980,9 +980,13 @@ static int mlxbf_tmfifo_virtio_find_vqs(struct virtio_device *vdev, + + vq->num_max = vring->num; + ++ vq->priv = vring; ++ ++ /* Make vq update visible before using it. */ ++ virtio_mb(false); ++ + vqs[i] = vq; + vring->vq = vq; +- vq->priv = vring; + } + + return 0; +@@ -1302,6 +1306,9 @@ static int mlxbf_tmfifo_probe(struct platform_device *pdev) + + mod_timer(&fifo->timer, jiffies + MLXBF_TMFIFO_TIMER_INTERVAL); + ++ /* Make all updates visible before setting the 'is_ready' flag. */ ++ virtio_mb(false); ++ + fifo->is_ready = true; + return 0; + +-- +2.39.2 + diff --git a/queue-6.3/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch b/queue-6.3/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch new file mode 100644 index 00000000000..82c8a3c93ca --- /dev/null +++ b/queue-6.3/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch @@ -0,0 +1,39 @@ +From cace2880418d09efe14780b5561d7b744b88f057 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Apr 2023 17:49:32 +0200 +Subject: platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield + +From: Julian Winkler + +[ Upstream commit 4a9b6850c794e4394cad99e2b863d75f5bc8e92f ] + +This id was removed in commit b47018a778c1 ("platform/x86: intel_scu_ipc: +Remove Lincroft support"), saying it is only used on Moorestown, +but apparently the same id is also used on Medfield. + +Tested on the Medfield based Motorola RAZR i smartphone. + +Signed-off-by: Julian Winkler +Link: https://lore.kernel.org/r/20230416154932.6579-1-julian.winkler1@web.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_scu_pcidrv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/intel_scu_pcidrv.c b/drivers/platform/x86/intel_scu_pcidrv.c +index 80abc708e4f2f..d904fad499aa5 100644 +--- a/drivers/platform/x86/intel_scu_pcidrv.c ++++ b/drivers/platform/x86/intel_scu_pcidrv.c +@@ -34,6 +34,7 @@ static int intel_scu_pci_probe(struct pci_dev *pdev, + + static const struct pci_device_id pci_ids[] = { + { PCI_VDEVICE(INTEL, 0x080e) }, ++ { PCI_VDEVICE(INTEL, 0x082a) }, + { PCI_VDEVICE(INTEL, 0x08ea) }, + { PCI_VDEVICE(INTEL, 0x0a94) }, + { PCI_VDEVICE(INTEL, 0x11a0) }, +-- +2.39.2 + diff --git a/queue-6.3/rdma-bnxt_re-fix-a-possible-memory-leak.patch b/queue-6.3/rdma-bnxt_re-fix-a-possible-memory-leak.patch new file mode 100644 index 00000000000..5af7b4019c5 --- /dev/null +++ b/queue-6.3/rdma-bnxt_re-fix-a-possible-memory-leak.patch @@ -0,0 +1,59 @@ +From 432dc087ed58a77742b2b89f5f7c6ee87ef0d8b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 01:10:59 -0700 +Subject: RDMA/bnxt_re: Fix a possible memory leak + +From: Kalesh AP + +[ Upstream commit 349e3c0cf239cc01d58a1e6c749e171de014cd6a ] + +Inside bnxt_qplib_create_cq(), when the check for NULL DPI fails, driver +returns directly without freeing the memory allocated inside +bnxt_qplib_alloc_init_hwq() routine. + +Fixed this by moving the check for NULL DPI before invoking +bnxt_qplib_alloc_init_hwq(). + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/1684397461-23082-2-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Kashyap Desai +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 96e581ced50e2..ab2cc1c67f70b 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -2043,6 +2043,12 @@ int bnxt_qplib_create_cq(struct bnxt_qplib_res *res, struct bnxt_qplib_cq *cq) + u32 pg_sz_lvl; + int rc; + ++ if (!cq->dpi) { ++ dev_err(&rcfw->pdev->dev, ++ "FP: CREATE_CQ failed due to NULL DPI\n"); ++ return -EINVAL; ++ } ++ + hwq_attr.res = res; + hwq_attr.depth = cq->max_wqe; + hwq_attr.stride = sizeof(struct cq_base); +@@ -2054,11 +2060,6 @@ int bnxt_qplib_create_cq(struct bnxt_qplib_res *res, struct bnxt_qplib_cq *cq) + + RCFW_CMD_PREP(req, CREATE_CQ, cmd_flags); + +- if (!cq->dpi) { +- dev_err(&rcfw->pdev->dev, +- "FP: CREATE_CQ failed due to NULL DPI\n"); +- return -EINVAL; +- } + req.dpi = cpu_to_le32(cq->dpi->dpi); + req.cq_handle = cpu_to_le64(cq->cq_handle); + req.cq_size = cpu_to_le32(cq->hwq.max_elements); +-- +2.39.2 + diff --git a/queue-6.3/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch b/queue-6.3/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch new file mode 100644 index 00000000000..b678103f511 --- /dev/null +++ b/queue-6.3/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch @@ -0,0 +1,42 @@ +From f47fa9cb30c30820810e3c0eadc0b4244cac09c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 01:11:00 -0700 +Subject: RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx + +From: Kalesh AP + +[ Upstream commit 0fa0d520e2a878cb4c94c4dc84395905d3f14f54 ] + +bnxt_re_process_raw_qp_pkt_rx() always return 0 and ignores the return +value of bnxt_re_post_send_shadow_qp(). + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/1684397461-23082-3-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Hongguang Gao +Reviewed-by: Ajit Khaparde +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 989edc7896338..94222de1d3719 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -3241,9 +3241,7 @@ static int bnxt_re_process_raw_qp_pkt_rx(struct bnxt_re_qp *gsi_qp, + udwr.remote_qkey = gsi_sqp->qplib_qp.qkey; + + /* post data received in the send queue */ +- rc = bnxt_re_post_send_shadow_qp(rdev, gsi_sqp, swr); +- +- return 0; ++ return bnxt_re_post_send_shadow_qp(rdev, gsi_sqp, swr); + } + + static void bnxt_re_process_res_rawqp1_wc(struct ib_wc *wc, +-- +2.39.2 + diff --git a/queue-6.3/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch b/queue-6.3/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch new file mode 100644 index 00000000000..0c756d98fcb --- /dev/null +++ b/queue-6.3/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch @@ -0,0 +1,83 @@ +From 6c7c71c5adc7800e7f90f61e0c9758a5191122b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 11:29:29 -0700 +Subject: RDMA/bnxt_re: Fix the page_size used during the MR creation + +From: Selvin Xavier + +[ Upstream commit 08c7f09356e45d093d1867c7a3c6ac6526e2f98b ] + +Driver populates the list of pages used for Memory region wrongly when +page size is more than system page size. This is causing a failure when +some of the applications that creates MR with page size as 2M. Since HW +can support multiple page sizes, pass the correct page size while creating +the MR. + +Also, driver need not adjust the number of pages when HW Queues are +created with user memory. It should work with the number of dma blocks +returned by ib_umem_num_dma_blocks. Fix this calculation also. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Fixes: f6919d56388c ("RDMA/bnxt_re: Code refactor while populating user MRs") +Link: https://lore.kernel.org/r/1683484169-9539-1-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Kashyap Desai +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 12 ++---------- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 7 +++---- + 2 files changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 126d4f26f75ad..81b0c5e879f9e 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -215,17 +215,9 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + return -EINVAL; + hwq_attr->sginfo->npages = npages; + } else { +- unsigned long sginfo_num_pages = ib_umem_num_dma_blocks( +- hwq_attr->sginfo->umem, hwq_attr->sginfo->pgsize); +- ++ npages = ib_umem_num_dma_blocks(hwq_attr->sginfo->umem, ++ hwq_attr->sginfo->pgsize); + hwq->is_user = true; +- npages = sginfo_num_pages; +- npages = (npages * PAGE_SIZE) / +- BIT_ULL(hwq_attr->sginfo->pgshft); +- if ((sginfo_num_pages * PAGE_SIZE) % +- BIT_ULL(hwq_attr->sginfo->pgshft)) +- if (!npages) +- npages++; + } + + if (npages == MAX_PBL_LVL_0_PGS && !hwq_attr->sginfo->nopte) { +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index b802981b71716..bae7d89261439 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -584,16 +584,15 @@ int bnxt_qplib_reg_mr(struct bnxt_qplib_res *res, struct bnxt_qplib_mrw *mr, + /* Free the hwq if it already exist, must be a rereg */ + if (mr->hwq.max_elements) + bnxt_qplib_free_hwq(res, &mr->hwq); +- /* Use system PAGE_SIZE */ + hwq_attr.res = res; + hwq_attr.depth = pages; +- hwq_attr.stride = buf_pg_size; ++ hwq_attr.stride = sizeof(dma_addr_t); + hwq_attr.type = HWQ_TYPE_MR; + hwq_attr.sginfo = &sginfo; + hwq_attr.sginfo->umem = umem; + hwq_attr.sginfo->npages = pages; +- hwq_attr.sginfo->pgsize = PAGE_SIZE; +- hwq_attr.sginfo->pgshft = PAGE_SHIFT; ++ hwq_attr.sginfo->pgsize = buf_pg_size; ++ hwq_attr.sginfo->pgshft = ilog2(buf_pg_size); + rc = bnxt_qplib_alloc_init_hwq(&mr->hwq, &hwq_attr); + if (rc) { + dev_err(&res->pdev->dev, +-- +2.39.2 + diff --git a/queue-6.3/rdma-efa-fix-unsupported-page-sizes-in-device.patch b/queue-6.3/rdma-efa-fix-unsupported-page-sizes-in-device.patch new file mode 100644 index 00000000000..2eabf7d994e --- /dev/null +++ b/queue-6.3/rdma-efa-fix-unsupported-page-sizes-in-device.patch @@ -0,0 +1,42 @@ +From b7e1e4344e37f30416576e7652892312a4f2d287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 11:51:03 +0000 +Subject: RDMA/efa: Fix unsupported page sizes in device + +From: Yonatan Nachum + +[ Upstream commit 866422cdddcdf59d8c68e9472d49ba1be29b5fcf ] + +Device uses 4KB size blocks for user pages indirect list while the +driver creates those blocks with the size of PAGE_SIZE of the kernel. On +kernels with PAGE_SIZE different than 4KB (ARM RHEL), this leads to a +failure on register MR with indirect list because of the miss +communication between driver and device. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://lore.kernel.org/r/20230511115103.13876-1-ynachum@amazon.com +Reviewed-by: Firas Jahjah +Reviewed-by: Michael Margolin +Signed-off-by: Yonatan Nachum +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 31454643f8c54..f9526a4c75b26 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -1397,7 +1397,7 @@ static int pbl_continuous_initialize(struct efa_dev *dev, + */ + static int pbl_indirect_initialize(struct efa_dev *dev, struct pbl_context *pbl) + { +- u32 size_in_pages = DIV_ROUND_UP(pbl->pbl_buf_size_in_bytes, PAGE_SIZE); ++ u32 size_in_pages = DIV_ROUND_UP(pbl->pbl_buf_size_in_bytes, EFA_CHUNK_PAYLOAD_SIZE); + struct scatterlist *sgl; + int sg_dma_cnt, err; + +-- +2.39.2 + diff --git a/queue-6.3/rdma-hns-fix-base-address-table-allocation.patch b/queue-6.3/rdma-hns-fix-base-address-table-allocation.patch new file mode 100644 index 00000000000..2ba8c142585 --- /dev/null +++ b/queue-6.3/rdma-hns-fix-base-address-table-allocation.patch @@ -0,0 +1,103 @@ +From 915db4dfed7aaeb4bc5122986dafc00c2a24e898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:22:44 +0800 +Subject: RDMA/hns: Fix base address table allocation + +From: Chengchang Tang + +[ Upstream commit 7f3969b14f356dd65fa95b3528eb05c32e68bc06 ] + +For hns, the specification of an entry like resource (E.g. WQE/CQE/EQE) +depends on BT page size, buf page size and hopnum. For user mode, the buf +page size depends on UMEM. Therefore, the actual specification is +controlled by BT page size and hopnum. + +The current BT page size and hopnum are obtained from firmware. This makes +the driver inflexible and introduces unnecessary constraints. Resource +allocation failures occur in many scenarios. + +This patch will calculate whether the BT page size set by firmware is +sufficient before allocating BT, and increase the BT page size if it is +insufficient. + +Fixes: 1133401412a9 ("RDMA/hns: Optimize base address table config flow for qp buffer") +Link: https://lore.kernel.org/r/20230512092245.344442-3-huangjunxian6@hisilicon.com +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_mr.c | 43 +++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c +index 37a5cf62f88b4..14376490ac226 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_mr.c ++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c +@@ -33,6 +33,7 @@ + + #include + #include ++#include + #include "hns_roce_device.h" + #include "hns_roce_cmd.h" + #include "hns_roce_hem.h" +@@ -909,6 +910,44 @@ static int mtr_init_buf_cfg(struct hns_roce_dev *hr_dev, + return page_cnt; + } + ++static u64 cal_pages_per_l1ba(unsigned int ba_per_bt, unsigned int hopnum) ++{ ++ return int_pow(ba_per_bt, hopnum - 1); ++} ++ ++static unsigned int cal_best_bt_pg_sz(struct hns_roce_dev *hr_dev, ++ struct hns_roce_mtr *mtr, ++ unsigned int pg_shift) ++{ ++ unsigned long cap = hr_dev->caps.page_size_cap; ++ struct hns_roce_buf_region *re; ++ unsigned int pgs_per_l1ba; ++ unsigned int ba_per_bt; ++ unsigned int ba_num; ++ int i; ++ ++ for_each_set_bit_from(pg_shift, &cap, sizeof(cap) * BITS_PER_BYTE) { ++ if (!(BIT(pg_shift) & cap)) ++ continue; ++ ++ ba_per_bt = BIT(pg_shift) / BA_BYTE_LEN; ++ ba_num = 0; ++ for (i = 0; i < mtr->hem_cfg.region_count; i++) { ++ re = &mtr->hem_cfg.region[i]; ++ if (re->hopnum == 0) ++ continue; ++ ++ pgs_per_l1ba = cal_pages_per_l1ba(ba_per_bt, re->hopnum); ++ ba_num += DIV_ROUND_UP(re->count, pgs_per_l1ba); ++ } ++ ++ if (ba_num <= ba_per_bt) ++ return pg_shift; ++ } ++ ++ return 0; ++} ++ + static int mtr_alloc_mtt(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr, + unsigned int ba_page_shift) + { +@@ -917,6 +956,10 @@ static int mtr_alloc_mtt(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr, + + hns_roce_hem_list_init(&mtr->hem_list); + if (!cfg->is_direct) { ++ ba_page_shift = cal_best_bt_pg_sz(hr_dev, mtr, ba_page_shift); ++ if (!ba_page_shift) ++ return -ERANGE; ++ + ret = hns_roce_hem_list_request(hr_dev, &mtr->hem_list, + cfg->region, cfg->region_count, + ba_page_shift); +-- +2.39.2 + diff --git a/queue-6.3/rdma-hns-fix-timeout-attr-in-query-qp-for-hip08.patch b/queue-6.3/rdma-hns-fix-timeout-attr-in-query-qp-for-hip08.patch new file mode 100644 index 00000000000..17866adab8e --- /dev/null +++ b/queue-6.3/rdma-hns-fix-timeout-attr-in-query-qp-for-hip08.patch @@ -0,0 +1,100 @@ +From 1214fc71826e7ce86f8a1d64f22eaacee46366f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:22:43 +0800 +Subject: RDMA/hns: Fix timeout attr in query qp for HIP08 + +From: Chengchang Tang + +[ Upstream commit 58caa2a51ad4fd21763696cc6c4defc9fc1b4b4f ] + +On HIP08, the queried timeout attr is different from the timeout attr +configured by the user. + +It is found by rdma-core testcase test_rdmacm_async_traffic: + +====================================================================== +FAIL: test_rdmacm_async_traffic (tests.test_rdmacm.CMTestCase) +---------------------------------------------------------------------- +Traceback (most recent call last): + File "./tests/test_rdmacm.py", line 33, in test_rdmacm_async_traffic + self.two_nodes_rdmacm_traffic(CMAsyncConnection, self.rdmacm_traffic, + File "./tests/base.py", line 382, in two_nodes_rdmacm_traffic + raise(res) +AssertionError + +Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") +Link: https://lore.kernel.org/r/20230512092245.344442-2-huangjunxian6@hisilicon.com +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 17 ++++++++++++++--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 2 ++ + 2 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index dbf97fe5948ff..79954d99dc7a3 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -5093,7 +5093,6 @@ static int hns_roce_v2_set_abs_fields(struct ib_qp *ibqp, + static bool check_qp_timeout_cfg_range(struct hns_roce_dev *hr_dev, u8 *timeout) + { + #define QP_ACK_TIMEOUT_MAX_HIP08 20 +-#define QP_ACK_TIMEOUT_OFFSET 10 + #define QP_ACK_TIMEOUT_MAX 31 + + if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) { +@@ -5102,7 +5101,7 @@ static bool check_qp_timeout_cfg_range(struct hns_roce_dev *hr_dev, u8 *timeout) + "local ACK timeout shall be 0 to 20.\n"); + return false; + } +- *timeout += QP_ACK_TIMEOUT_OFFSET; ++ *timeout += HNS_ROCE_V2_QP_ACK_TIMEOUT_OFS_HIP08; + } else if (hr_dev->pci_dev->revision > PCI_REVISION_ID_HIP08) { + if (*timeout > QP_ACK_TIMEOUT_MAX) { + ibdev_warn(&hr_dev->ib_dev, +@@ -5388,6 +5387,18 @@ static int hns_roce_v2_query_qpc(struct hns_roce_dev *hr_dev, u32 qpn, + return ret; + } + ++static u8 get_qp_timeout_attr(struct hns_roce_dev *hr_dev, ++ struct hns_roce_v2_qp_context *context) ++{ ++ u8 timeout; ++ ++ timeout = (u8)hr_reg_read(context, QPC_AT); ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) ++ timeout -= HNS_ROCE_V2_QP_ACK_TIMEOUT_OFS_HIP08; ++ ++ return timeout; ++} ++ + static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + int qp_attr_mask, + struct ib_qp_init_attr *qp_init_attr) +@@ -5465,7 +5476,7 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + qp_attr->max_dest_rd_atomic = 1 << hr_reg_read(&context, QPC_RR_MAX); + + qp_attr->min_rnr_timer = (u8)hr_reg_read(&context, QPC_MIN_RNR_TIME); +- qp_attr->timeout = (u8)hr_reg_read(&context, QPC_AT); ++ qp_attr->timeout = get_qp_timeout_attr(hr_dev, &context); + qp_attr->retry_cnt = hr_reg_read(&context, QPC_RETRY_NUM_INIT); + qp_attr->rnr_retry = hr_reg_read(&context, QPC_RNR_NUM_INIT); + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index af9d00225cdf5..b5a336e182f83 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -72,6 +72,8 @@ + #define HNS_ROCE_V2_IDX_ENTRY_SZ 4 + + #define HNS_ROCE_V2_SCCC_SZ 32 ++#define HNS_ROCE_V2_QP_ACK_TIMEOUT_OFS_HIP08 10 ++ + #define HNS_ROCE_V3_SCCC_SZ 64 + #define HNS_ROCE_V3_GMV_ENTRY_SZ 32 + +-- +2.39.2 + diff --git a/queue-6.3/rdma-hns-modify-the-value-of-long-message-loopback-s.patch b/queue-6.3/rdma-hns-modify-the-value-of-long-message-loopback-s.patch new file mode 100644 index 00000000000..02eeea9508a --- /dev/null +++ b/queue-6.3/rdma-hns-modify-the-value-of-long-message-loopback-s.patch @@ -0,0 +1,61 @@ +From 597715200c38f2af1b38901ad3ffa742ff07674e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:22:45 +0800 +Subject: RDMA/hns: Modify the value of long message loopback slice + +From: Yangyang Li + +[ Upstream commit 56518a603fd2bf74762d176ac980572db84a3e14 ] + +Long message loopback slice is used for achieving traffic balance between +QPs. It prevents the problem that QPs with large traffic occupying the +hardware pipeline for a long time and QPs with small traffic cannot be +scheduled. + +Currently, its maximum value is set to 16K, which means only after a QP +sends 16K will the second QP be scheduled. This value is too large, which +will lead to unbalanced traffic scheduling, and thus it needs to be +modified. + +The setting range of the long message loopback slice is modified to be +from 1024 (the lower limit supported by hardware) to mtu. Actual testing +shows that this value can significantly reduce error in hardware traffic +scheduling. + +This solution is compatible with both HIP08 and HIP09. The modified +lp_pktn_ini has a maximum value of 2 (when mtu is 256), so the range +checking code for lp_pktn_ini is no longer necessary and needs to be +deleted. + +Fixes: 0e60778efb07 ("RDMA/hns: Modify the value of MAX_LP_MSG_LEN to meet hardware compatibility") +Link: https://lore.kernel.org/r/20230512092245.344442-4-huangjunxian6@hisilicon.com +Signed-off-by: Yangyang Li +Signed-off-by: Junxian Huang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 79954d99dc7a3..9369f93afaedd 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4664,11 +4664,9 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp, + mtu = ib_mtu_enum_to_int(ib_mtu); + if (WARN_ON(mtu <= 0)) + return -EINVAL; +-#define MAX_LP_MSG_LEN 16384 +- /* MTU * (2 ^ LP_PKTN_INI) shouldn't be bigger than 16KB */ +- lp_pktn_ini = ilog2(MAX_LP_MSG_LEN / mtu); +- if (WARN_ON(lp_pktn_ini >= 0xF)) +- return -EINVAL; ++#define MIN_LP_MSG_LEN 1024 ++ /* mtu * (2 ^ lp_pktn_ini) should be in the range of 1024 to mtu */ ++ lp_pktn_ini = ilog2(max(mtu, MIN_LP_MSG_LEN) / mtu); + + if (attr_mask & IB_QP_PATH_MTU) { + hr_reg_write(context, QPC_MTU, ib_mtu); +-- +2.39.2 + diff --git a/queue-6.3/rdma-irdma-fix-local-invalidate-fencing.patch b/queue-6.3/rdma-irdma-fix-local-invalidate-fencing.patch new file mode 100644 index 00000000000..b326251e198 --- /dev/null +++ b/queue-6.3/rdma-irdma-fix-local-invalidate-fencing.patch @@ -0,0 +1,38 @@ +From d897431395d1c7aa2108eb58456cef9360fd0b4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 10:56:54 -0500 +Subject: RDMA/irdma: Fix Local Invalidate fencing + +From: Mustafa Ismail + +[ Upstream commit 5842d1d9c1b0d17e0c29eae65ae1f245f83682dd ] + +If the local invalidate fence is indicated in the WR, only the read fence +is currently being set in WQE. Fix this to set both the read and local +fence in the WQE. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Link: https://lore.kernel.org/r/20230522155654.1309-4-shiraz.saleem@intel.com +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 446a0ab3faaa5..d0bb21d3007c2 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -3297,6 +3297,7 @@ static int irdma_post_send(struct ib_qp *ibqp, + break; + case IB_WR_LOCAL_INV: + info.op_type = IRDMA_OP_TYPE_INV_STAG; ++ info.local_fence = info.read_fence; + info.op.inv_local_stag.target_stag = ib_wr->ex.invalidate_rkey; + err = irdma_uk_stag_local_invalidate(ukqp, &info, true); + break; +-- +2.39.2 + diff --git a/queue-6.3/rdma-irdma-prevent-qp-use-after-free.patch b/queue-6.3/rdma-irdma-prevent-qp-use-after-free.patch new file mode 100644 index 00000000000..3c76e63a649 --- /dev/null +++ b/queue-6.3/rdma-irdma-prevent-qp-use-after-free.patch @@ -0,0 +1,57 @@ +From 807ba4fe3f6b96b252087335b19bb695b01e8279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 10:56:53 -0500 +Subject: RDMA/irdma: Prevent QP use after free + +From: Mustafa Ismail + +[ Upstream commit c8f304d75f6c6cc679a73f89591f9a915da38f09 ] + +There is a window where the poll cq may use a QP that has been freed. +This can happen if a CQE is polled before irdma_clean_cqes() can clear the +CQE's related to the QP and the destroy QP races to free the QP memory. +then the QP structures are used in irdma_poll_cq. Fix this by moving the +clearing of CQE's before the reference is removed and the QP is destroyed. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Link: https://lore.kernel.org/r/20230522155654.1309-3-shiraz.saleem@intel.com +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 1b2e3e800c9a6..446a0ab3faaa5 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -522,11 +522,6 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + if (!iwqp->user_mode) + cancel_delayed_work_sync(&iwqp->dwork_flush); + +- irdma_qp_rem_ref(&iwqp->ibqp); +- wait_for_completion(&iwqp->free_qp); +- irdma_free_lsmm_rsrc(iwqp); +- irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp); +- + if (!iwqp->user_mode) { + if (iwqp->iwscq) { + irdma_clean_cqes(iwqp, iwqp->iwscq); +@@ -534,6 +529,12 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + irdma_clean_cqes(iwqp, iwqp->iwrcq); + } + } ++ ++ irdma_qp_rem_ref(&iwqp->ibqp); ++ wait_for_completion(&iwqp->free_qp); ++ irdma_free_lsmm_rsrc(iwqp); ++ irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp); ++ + irdma_remove_push_mmap_entries(iwqp); + irdma_free_qp_rsrc(iwqp); + +-- +2.39.2 + diff --git a/queue-6.3/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch b/queue-6.3/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch new file mode 100644 index 00000000000..22c98820f60 --- /dev/null +++ b/queue-6.3/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch @@ -0,0 +1,49 @@ +From 68d8bf5cffecd0d23ad21f9baad533550206e66e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 15:13:11 +0200 +Subject: riscv: Fix unused variable warning when BUILTIN_DTB is set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandre Ghiti + +[ Upstream commit 33d418da6f476b15e4510e0a590062583f63cd36 ] + +commit ef69d2559fe9 ("riscv: Move early dtb mapping into the fixmap +region") wrongly moved the #ifndef CONFIG_BUILTIN_DTB surrounding the pa +variable definition in create_fdt_early_page_table(), so move it back to +its right place to quiet the following warning: + +../arch/riscv/mm/init.c: In function ‘create_fdt_early_page_table’: +../arch/riscv/mm/init.c:925:12: warning: unused variable ‘pa’ [-Wunused-variable] + 925 | uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1); + +Fixes: ef69d2559fe9 ("riscv: Move early dtb mapping into the fixmap region") +Signed-off-by: Alexandre Ghiti +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/r/20230519131311.391960-1-alexghiti@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index 6ebb75a9a6b9f..dc1793bf01796 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -846,9 +846,9 @@ static void __init create_kernel_page_table(pgd_t *pgdir, bool early) + static void __init create_fdt_early_page_table(uintptr_t fix_fdt_va, + uintptr_t dtb_pa) + { ++#ifndef CONFIG_BUILTIN_DTB + uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1); + +-#ifndef CONFIG_BUILTIN_DTB + /* Make sure the fdt fixmap address is always aligned on PMD size */ + BUILD_BUG_ON(FIX_FDT % (PMD_SIZE / PAGE_SIZE)); + +-- +2.39.2 + diff --git a/queue-6.3/rtnetlink-add-the-missing-ifla_gro_-tb-check-in-vali.patch b/queue-6.3/rtnetlink-add-the-missing-ifla_gro_-tb-check-in-vali.patch new file mode 100644 index 00000000000..bfd7815778e --- /dev/null +++ b/queue-6.3/rtnetlink-add-the-missing-ifla_gro_-tb-check-in-vali.patch @@ -0,0 +1,59 @@ +From 212904955fdf59b79db03764f301a3818d906755 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:01:44 -0400 +Subject: rtnetlink: add the missing IFLA_GRO_ tb check in validate_linkmsg + +From: Xin Long + +[ Upstream commit 65d6914e253f3d83b724a9bbfc889ae95711e512 ] + +This fixes the issue that dev gro_max_size and gso_ipv4_max_size +can be set to a huge value: + + # ip link add dummy1 type dummy + # ip link set dummy1 gro_max_size 4294967295 + # ip -d link show dummy1 + dummy addrgenmode eui64 ... gro_max_size 4294967295 + +Fixes: 0fe79f28bfaf ("net: allow gro_max_size to exceed 65536") +Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") +Reported-by: Xiumei Mu +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 7094569009b14..f235cc6832767 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2396,11 +2396,23 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[], + return -EINVAL; + } + ++ if (tb[IFLA_GRO_MAX_SIZE] && ++ nla_get_u32(tb[IFLA_GRO_MAX_SIZE]) > GRO_MAX_SIZE) { ++ NL_SET_ERR_MSG(extack, "too big gro_max_size"); ++ return -EINVAL; ++ } ++ + if (tb[IFLA_GSO_IPV4_MAX_SIZE] && + nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]) > dev->tso_max_size) { + NL_SET_ERR_MSG(extack, "too big gso_ipv4_max_size"); + return -EINVAL; + } ++ ++ if (tb[IFLA_GRO_IPV4_MAX_SIZE] && ++ nla_get_u32(tb[IFLA_GRO_IPV4_MAX_SIZE]) > GRO_MAX_SIZE) { ++ NL_SET_ERR_MSG(extack, "too big gro_ipv4_max_size"); ++ return -EINVAL; ++ } + } + + if (tb[IFLA_AF_SPEC]) { +-- +2.39.2 + diff --git a/queue-6.3/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch b/queue-6.3/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch new file mode 100644 index 00000000000..c3ffeda1584 --- /dev/null +++ b/queue-6.3/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch @@ -0,0 +1,64 @@ +From 73840398ca120ea6eb3b503f457d13fed5f3408d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:01:42 -0400 +Subject: rtnetlink: call validate_linkmsg in rtnl_create_link + +From: Xin Long + +[ Upstream commit b0ad3c179059089d809b477a1d445c1183a7b8fe ] + +validate_linkmsg() was introduced by commit 1840bb13c22f5b ("[RTNL]: +Validate hardware and broadcast address attribute for RTM_NEWLINK") +to validate tb[IFLA_ADDRESS/BROADCAST] for existing links. The same +check should also be done for newly created links. + +This patch adds validate_linkmsg() call in rtnl_create_link(), to +avoid the invalid address set when creating some devices like: + + # ip link add dummy0 type dummy + # ip link add link dummy0 name mac0 address 01:02 type macsec + +Fixes: 0e06877c6fdb ("[RTNETLINK]: rtnl_link: allow specifying initial device address") +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 6e44e92ebdf5d..f37deb18dd02e 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3282,6 +3282,7 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname, + struct net_device *dev; + unsigned int num_tx_queues = 1; + unsigned int num_rx_queues = 1; ++ int err; + + if (tb[IFLA_NUM_TX_QUEUES]) + num_tx_queues = nla_get_u32(tb[IFLA_NUM_TX_QUEUES]); +@@ -3317,13 +3318,18 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname, + if (!dev) + return ERR_PTR(-ENOMEM); + ++ err = validate_linkmsg(dev, tb, extack); ++ if (err < 0) { ++ free_netdev(dev); ++ return ERR_PTR(err); ++ } ++ + dev_net_set(dev, net); + dev->rtnl_link_ops = ops; + dev->rtnl_link_state = RTNL_LINK_INITIALIZING; + + if (tb[IFLA_MTU]) { + u32 mtu = nla_get_u32(tb[IFLA_MTU]); +- int err; + + err = dev_validate_mtu(dev, mtu, extack); + if (err) { +-- +2.39.2 + diff --git a/queue-6.3/rtnetlink-move-ifla_gso_-tb-check-to-validate_linkms.patch b/queue-6.3/rtnetlink-move-ifla_gso_-tb-check-to-validate_linkms.patch new file mode 100644 index 00000000000..d2519df00a2 --- /dev/null +++ b/queue-6.3/rtnetlink-move-ifla_gso_-tb-check-to-validate_linkms.patch @@ -0,0 +1,95 @@ +From f8c89825431e6d62115aa0fc9a21ac657674b3a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:01:43 -0400 +Subject: rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg + +From: Xin Long + +[ Upstream commit fef5b228dd38378148bc850f7e69a7783f3b95a4 ] + +These IFLA_GSO_* tb check should also be done for the new created link, +otherwise, they can be set to a huge value when creating links: + + # ip link add dummy1 gso_max_size 4294967295 type dummy + # ip -d link show dummy1 + dummy addrgenmode eui64 ... gso_max_size 4294967295 + +Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") +Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index f37deb18dd02e..7094569009b14 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2382,6 +2382,25 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[], + if (tb[IFLA_BROADCAST] && + nla_len(tb[IFLA_BROADCAST]) < dev->addr_len) + return -EINVAL; ++ ++ if (tb[IFLA_GSO_MAX_SIZE] && ++ nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) > dev->tso_max_size) { ++ NL_SET_ERR_MSG(extack, "too big gso_max_size"); ++ return -EINVAL; ++ } ++ ++ if (tb[IFLA_GSO_MAX_SEGS] && ++ (nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > GSO_MAX_SEGS || ++ nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > dev->tso_max_segs)) { ++ NL_SET_ERR_MSG(extack, "too big gso_max_segs"); ++ return -EINVAL; ++ } ++ ++ if (tb[IFLA_GSO_IPV4_MAX_SIZE] && ++ nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]) > dev->tso_max_size) { ++ NL_SET_ERR_MSG(extack, "too big gso_ipv4_max_size"); ++ return -EINVAL; ++ } + } + + if (tb[IFLA_AF_SPEC]) { +@@ -2855,11 +2874,6 @@ static int do_setlink(const struct sk_buff *skb, + if (tb[IFLA_GSO_MAX_SIZE]) { + u32 max_size = nla_get_u32(tb[IFLA_GSO_MAX_SIZE]); + +- if (max_size > dev->tso_max_size) { +- err = -EINVAL; +- goto errout; +- } +- + if (dev->gso_max_size ^ max_size) { + netif_set_gso_max_size(dev, max_size); + status |= DO_SETLINK_MODIFIED; +@@ -2869,11 +2883,6 @@ static int do_setlink(const struct sk_buff *skb, + if (tb[IFLA_GSO_MAX_SEGS]) { + u32 max_segs = nla_get_u32(tb[IFLA_GSO_MAX_SEGS]); + +- if (max_segs > GSO_MAX_SEGS || max_segs > dev->tso_max_segs) { +- err = -EINVAL; +- goto errout; +- } +- + if (dev->gso_max_segs ^ max_segs) { + netif_set_gso_max_segs(dev, max_segs); + status |= DO_SETLINK_MODIFIED; +@@ -2892,11 +2901,6 @@ static int do_setlink(const struct sk_buff *skb, + if (tb[IFLA_GSO_IPV4_MAX_SIZE]) { + u32 max_size = nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]); + +- if (max_size > dev->tso_max_size) { +- err = -EINVAL; +- goto errout; +- } +- + if (dev->gso_ipv4_max_size ^ max_size) { + netif_set_gso_ipv4_max_size(dev, max_size); + status |= DO_SETLINK_MODIFIED; +-- +2.39.2 + diff --git a/queue-6.3/rxrpc-truncate-uts_release-for-rxrpc-version.patch b/queue-6.3/rxrpc-truncate-uts_release-for-rxrpc-version.patch new file mode 100644 index 00000000000..385cbae50f0 --- /dev/null +++ b/queue-6.3/rxrpc-truncate-uts_release-for-rxrpc-version.patch @@ -0,0 +1,101 @@ +From 338e5e58d990c00607f9999baa473ebe7206843e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 12:34:54 +0100 +Subject: rxrpc: Truncate UTS_RELEASE for rxrpc version + +From: David Howells + +[ Upstream commit 020c69c1a793ed29d28793808eddd75210c858dd ] + +UTS_RELEASE has a maximum length of 64 which can cause rxrpc_version to +exceed the 65 byte message limit. + +Per the rx spec[1]: "If a server receives a packet with a type value of 13, +and the client-initiated flag set, it should respond with a 65-byte payload +containing a string that identifies the version of AFS software it is +running." + +The current implementation causes a compile error when WERROR is turned on +and/or UTS_RELEASE exceeds the length of 49 (making the version string more +than 64 characters). + +Fix this by generating the string during module initialisation and limiting +the UTS_RELEASE segment of the string does not exceed 49 chars. We need to +make sure that the 64 bytes includes "linux-" at the front and " AF_RXRPC" +at the back as this may be used in pattern matching. + +Fixes: 44ba06987c0b ("RxRPC: Handle VERSION Rx protocol packets") +Reported-by: Kenny Ho +Link: https://lore.kernel.org/r/20230523223944.691076-1-Kenny.Ho@amd.com/ +Signed-off-by: David Howells +Acked-by: Kenny Ho +cc: Marc Dionne +cc: Andrew Lunn +cc: David Laight +cc: "David S. Miller" +cc: Eric Dumazet +cc: Jakub Kicinski +cc: Paolo Abeni +cc: linux-afs@lists.infradead.org +cc: netdev@vger.kernel.org +Link: https://web.mit.edu/kolya/afs/rx/rx-spec [1] +Reviewed-by: Simon Horman +Reviewed-by: Jeffrey Altman +Link: https://lore.kernel.org/r/654974.1685100894@warthog.procyon.org.uk +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rxrpc/af_rxrpc.c | 1 + + net/rxrpc/ar-internal.h | 1 + + net/rxrpc/local_event.c | 11 ++++++++++- + 3 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c +index a6f0d29f35ef9..f5d1fc1266a5a 100644 +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -967,6 +967,7 @@ static int __init af_rxrpc_init(void) + BUILD_BUG_ON(sizeof(struct rxrpc_skb_priv) > sizeof_field(struct sk_buff, cb)); + + ret = -ENOMEM; ++ rxrpc_gen_version_string(); + rxrpc_call_jar = kmem_cache_create( + "rxrpc_call_jar", sizeof(struct rxrpc_call), 0, + SLAB_HWCACHE_ALIGN, NULL); +diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h +index 5d44dc08f66d0..e8e14c6f904d9 100644 +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -1068,6 +1068,7 @@ int rxrpc_get_server_data_key(struct rxrpc_connection *, const void *, time64_t, + /* + * local_event.c + */ ++void rxrpc_gen_version_string(void); + void rxrpc_send_version_request(struct rxrpc_local *local, + struct rxrpc_host_header *hdr, + struct sk_buff *skb); +diff --git a/net/rxrpc/local_event.c b/net/rxrpc/local_event.c +index 5e69ea6b233da..993c69f97488c 100644 +--- a/net/rxrpc/local_event.c ++++ b/net/rxrpc/local_event.c +@@ -16,7 +16,16 @@ + #include + #include "ar-internal.h" + +-static const char rxrpc_version_string[65] = "linux-" UTS_RELEASE " AF_RXRPC"; ++static char rxrpc_version_string[65]; // "linux-" UTS_RELEASE " AF_RXRPC"; ++ ++/* ++ * Generate the VERSION packet string. ++ */ ++void rxrpc_gen_version_string(void) ++{ ++ snprintf(rxrpc_version_string, sizeof(rxrpc_version_string), ++ "linux-%.49s AF_RXRPC", UTS_RELEASE); ++} + + /* + * Reply to a version request +-- +2.39.2 + diff --git a/queue-6.3/s390-ipl-fix-ipib-virtual-vs-physical-address-confus.patch b/queue-6.3/s390-ipl-fix-ipib-virtual-vs-physical-address-confus.patch new file mode 100644 index 00000000000..6f6a5e256ff --- /dev/null +++ b/queue-6.3/s390-ipl-fix-ipib-virtual-vs-physical-address-confus.patch @@ -0,0 +1,48 @@ +From be3803016531e9302521600a9585c24c15266bdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 18:09:02 +0200 +Subject: s390/ipl: fix IPIB virtual vs physical address confusion + +From: Alexander Gordeev + +[ Upstream commit 2facd5d3980f3a26c04fe6ec8689a1d019a5812c ] + +The pointer to IPL Parameter Information Block is stored +in the absolute lowcore for later use by dump tools. That +pointer is a virtual address, though it should be physical +instead. + +Note, this does not fix a real issue, since virtual and +physical addresses are currently the same. + +Suggested-by: Heiko Carstens +Reviewed-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/ipl.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c +index 5f0f5c86963a9..e43ee9becbbb9 100644 +--- a/arch/s390/kernel/ipl.c ++++ b/arch/s390/kernel/ipl.c +@@ -1936,14 +1936,13 @@ static struct shutdown_action __refdata dump_action = { + + static void dump_reipl_run(struct shutdown_trigger *trigger) + { +- unsigned long ipib = (unsigned long) reipl_block_actual; + struct lowcore *abs_lc; + unsigned int csum; + + csum = (__force unsigned int) + csum_partial(reipl_block_actual, reipl_block_actual->hdr.len, 0); + abs_lc = get_abs_lowcore(); +- abs_lc->ipib = ipib; ++ abs_lc->ipib = __pa(reipl_block_actual); + abs_lc->ipib_checksum = csum; + put_abs_lowcore(abs_lc); + dump_run(trigger); +-- +2.39.2 + diff --git a/queue-6.3/s390-pkey-zeroize-key-blobs.patch b/queue-6.3/s390-pkey-zeroize-key-blobs.patch new file mode 100644 index 00000000000..9ad10945a45 --- /dev/null +++ b/queue-6.3/s390-pkey-zeroize-key-blobs.patch @@ -0,0 +1,52 @@ +From aac57db9a682163c02efd1c650458ca1cc4155d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 14:34:10 +0200 +Subject: s390/pkey: zeroize key blobs + +From: Holger Dengler + +[ Upstream commit 844cf829e5f33e00b279230470c8c93b58b8c16f ] + +Key blobs for the IOCTLs PKEY_KBLOB2PROTK[23] may contain clear key +material. Zeroize the copies of these keys in kernel memory after +creating the protected key. + +Reviewed-by: Harald Freudenberger +Signed-off-by: Holger Dengler +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/pkey_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c +index 5a05d1cdfec20..a8def50c149bd 100644 +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -1293,6 +1293,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + return PTR_ERR(kkey); + rc = pkey_keyblob2pkey(kkey, ktp.keylen, &ktp.protkey); + DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__, rc); ++ memzero_explicit(kkey, ktp.keylen); + kfree(kkey); + if (rc) + break; +@@ -1426,6 +1427,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + kkey, ktp.keylen, &ktp.protkey); + DEBUG_DBG("%s pkey_keyblob2pkey2()=%d\n", __func__, rc); + kfree(apqns); ++ memzero_explicit(kkey, ktp.keylen); + kfree(kkey); + if (rc) + break; +@@ -1552,6 +1554,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + protkey, &protkeylen); + DEBUG_DBG("%s pkey_keyblob2pkey3()=%d\n", __func__, rc); + kfree(apqns); ++ memzero_explicit(kkey, ktp.keylen); + kfree(kkey); + if (rc) { + kfree(protkey); +-- +2.39.2 + diff --git a/queue-6.3/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch b/queue-6.3/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch new file mode 100644 index 00000000000..32fbba1b083 --- /dev/null +++ b/queue-6.3/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch @@ -0,0 +1,89 @@ +From 5e5e424283c1d71ac1fd84867c6b4cc8c8384923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:21:48 +0200 +Subject: s390/topology: honour nr_cpu_ids when adding CPUs + +From: Alexander Gordeev + +[ Upstream commit a33239be2d38ff5a44427db1707c08787508d34a ] + +When SMT thread CPUs are added to CPU masks the nr_cpu_ids +limit is not checked and could be exceeded. This leads to +a warning for example if CONFIG_DEBUG_PER_CPU_MAPS is set +and the command line parameter nr_cpus is set to 1. + +Reviewed-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/topology.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/arch/s390/kernel/topology.c b/arch/s390/kernel/topology.c +index c6eecd4a5302d..10b20aeb27d3b 100644 +--- a/arch/s390/kernel/topology.c ++++ b/arch/s390/kernel/topology.c +@@ -95,7 +95,7 @@ static void cpu_group_map(cpumask_t *dst, struct mask_info *info, unsigned int c + static void cpu_thread_map(cpumask_t *dst, unsigned int cpu) + { + static cpumask_t mask; +- int i; ++ unsigned int max_cpu; + + cpumask_clear(&mask); + if (!cpumask_test_cpu(cpu, &cpu_setup_mask)) +@@ -104,9 +104,10 @@ static void cpu_thread_map(cpumask_t *dst, unsigned int cpu) + if (topology_mode != TOPOLOGY_MODE_HW) + goto out; + cpu -= cpu % (smp_cpu_mtid + 1); +- for (i = 0; i <= smp_cpu_mtid; i++) { +- if (cpumask_test_cpu(cpu + i, &cpu_setup_mask)) +- cpumask_set_cpu(cpu + i, &mask); ++ max_cpu = min(cpu + smp_cpu_mtid, nr_cpu_ids - 1); ++ for (; cpu <= max_cpu; cpu++) { ++ if (cpumask_test_cpu(cpu, &cpu_setup_mask)) ++ cpumask_set_cpu(cpu, &mask); + } + out: + cpumask_copy(dst, &mask); +@@ -123,25 +124,26 @@ static void add_cpus_to_mask(struct topology_core *tl_core, + unsigned int core; + + for_each_set_bit(core, &tl_core->mask, TOPOLOGY_CORE_BITS) { +- unsigned int rcore; +- int lcpu, i; ++ unsigned int max_cpu, rcore; ++ int cpu; + + rcore = TOPOLOGY_CORE_BITS - 1 - core + tl_core->origin; +- lcpu = smp_find_processor_id(rcore << smp_cpu_mt_shift); +- if (lcpu < 0) ++ cpu = smp_find_processor_id(rcore << smp_cpu_mt_shift); ++ if (cpu < 0) + continue; +- for (i = 0; i <= smp_cpu_mtid; i++) { +- topo = &cpu_topology[lcpu + i]; ++ max_cpu = min(cpu + smp_cpu_mtid, nr_cpu_ids - 1); ++ for (; cpu <= max_cpu; cpu++) { ++ topo = &cpu_topology[cpu]; + topo->drawer_id = drawer->id; + topo->book_id = book->id; + topo->socket_id = socket->id; + topo->core_id = rcore; +- topo->thread_id = lcpu + i; ++ topo->thread_id = cpu; + topo->dedicated = tl_core->d; +- cpumask_set_cpu(lcpu + i, &drawer->mask); +- cpumask_set_cpu(lcpu + i, &book->mask); +- cpumask_set_cpu(lcpu + i, &socket->mask); +- smp_cpu_set_polarization(lcpu + i, tl_core->pp); ++ cpumask_set_cpu(cpu, &drawer->mask); ++ cpumask_set_cpu(cpu, &book->mask); ++ cpumask_set_cpu(cpu, &socket->mask); ++ smp_cpu_set_polarization(cpu, tl_core->pp); + } + } + } +-- +2.39.2 + diff --git a/queue-6.3/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch b/queue-6.3/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch new file mode 100644 index 00000000000..994b00146e3 --- /dev/null +++ b/queue-6.3/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch @@ -0,0 +1,51 @@ +From af7f3ecf9ec0099cf829cc2e258b4d5936584378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 15:01:56 +0800 +Subject: scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed + +From: Wenchao Hao + +[ Upstream commit 09e797c8641f6ad435c33ae24c223351197ea29a ] + +If scsi_dispatch_cmd() failed, the SCSI command was not sent to the target, +scsi_queue_rq() would return BLK_STS_RESOURCE and the related request would +be requeued. The timeout of this request would not fire, no one would +increase iodone_cnt. + +The above flow would result the iodone_cnt smaller than iorequest_cnt. So +decrease the iorequest_cnt if dispatch failed to workaround the issue. + +Signed-off-by: Wenchao Hao +Reported-by: Ming Lei +Closes: https://lore.kernel.org/r/ZF+zB+bB7iqe0wGd@ovpn-8-17.pek2.redhat.com +Link: https://lore.kernel.org/r/20230515070156.1790181-3-haowenchao2@huawei.com +Reviewed-by: Ming Lei +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 03964b26f3f27..0226c9279cef6 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1485,6 +1485,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd) + */ + SCSI_LOG_MLQUEUE(3, scmd_printk(KERN_INFO, cmd, + "queuecommand : device blocked\n")); ++ atomic_dec(&cmd->device->iorequest_cnt); + return SCSI_MLQUEUE_DEVICE_BUSY; + } + +@@ -1517,6 +1518,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd) + trace_scsi_dispatch_cmd_start(cmd); + rtn = host->hostt->queuecommand(host, cmd); + if (rtn) { ++ atomic_dec(&cmd->device->iorequest_cnt); + trace_scsi_dispatch_cmd_error(cmd, rtn); + if (rtn != SCSI_MLQUEUE_DEVICE_BUSY && + rtn != SCSI_MLQUEUE_TARGET_BUSY) +-- +2.39.2 + diff --git a/queue-6.3/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch b/queue-6.3/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch new file mode 100644 index 00000000000..f792ad724a2 --- /dev/null +++ b/queue-6.3/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch @@ -0,0 +1,94 @@ +From 8588e9b52d6e5d7f208752463e38fb92faf21c06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 11:22:35 +0300 +Subject: scsi: qla2xxx: Fix NULL pointer dereference in target mode + +From: Gleb Chesnokov + +[ Upstream commit d54820b22e404b06b2b65877ff802cc7b31688bc ] + +When target mode is enabled, the pci_irq_get_affinity() function may return +a NULL value in qla_mapq_init_qp_cpu_map() due to the qla24xx_enable_msix() +code that handles IRQ settings for target mode. This leads to a crash due +to a NULL pointer dereference. + +This patch fixes the issue by adding a check for the NULL value returned by +pci_irq_get_affinity() and introducing a 'cpu_mapped' boolean flag to the +qla_qpair structure, ensuring that the qpair's CPU affinity is updated when +it has not been mapped to a CPU. + +Fixes: 1d201c81d4cc ("scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called") +Signed-off-by: Gleb Chesnokov +Link: https://lore.kernel.org/r/56b416f2-4e0f-b6cf-d6d5-b7c372e3c6a2@scst.dev +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_def.h | 1 + + drivers/scsi/qla2xxx/qla_init.c | 3 +++ + drivers/scsi/qla2xxx/qla_inline.h | 3 +++ + drivers/scsi/qla2xxx/qla_isr.c | 3 +++ + 4 files changed, 10 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h +index ec0e987b71fa5..807ae5ede44c6 100644 +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -3797,6 +3797,7 @@ struct qla_qpair { + uint64_t retry_term_jiff; + struct qla_tgt_counters tgt_counters; + uint16_t cpuid; ++ bool cpu_mapped; + struct qla_fw_resources fwres ____cacheline_aligned; + struct qla_buf_pool buf_pool; + u32 cmd_cnt; +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index ec0423ec66817..1a955c3ff3d6c 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -9426,6 +9426,9 @@ struct qla_qpair *qla2xxx_create_qpair(struct scsi_qla_host *vha, int qos, + qpair->rsp->req = qpair->req; + qpair->rsp->qpair = qpair; + ++ if (!qpair->cpu_mapped) ++ qla_cpu_update(qpair, raw_smp_processor_id()); ++ + if (IS_T10_PI_CAPABLE(ha) && ql2xenabledif) { + if (ha->fw_attributes & BIT_4) + qpair->difdix_supported = 1; +diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h +index cce6e425c1214..7b42558a8839a 100644 +--- a/drivers/scsi/qla2xxx/qla_inline.h ++++ b/drivers/scsi/qla2xxx/qla_inline.h +@@ -539,11 +539,14 @@ qla_mapq_init_qp_cpu_map(struct qla_hw_data *ha, + if (!ha->qp_cpu_map) + return; + mask = pci_irq_get_affinity(ha->pdev, msix->vector_base0); ++ if (!mask) ++ return; + qpair->cpuid = cpumask_first(mask); + for_each_cpu(cpu, mask) { + ha->qp_cpu_map[cpu] = qpair; + } + msix->cpuid = qpair->cpuid; ++ qpair->cpu_mapped = true; + } + + static inline void +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index 71feda2cdb630..245e3a5d81fd3 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3770,6 +3770,9 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, + + if (rsp->qpair->cpuid != smp_processor_id() || !rsp->qpair->rcv_intr) { + rsp->qpair->rcv_intr = 1; ++ ++ if (!rsp->qpair->cpu_mapped) ++ qla_cpu_update(rsp->qpair, raw_smp_processor_id()); + } + + #define __update_rsp_in(_is_shadow_hba, _rsp, _rsp_in) \ +-- +2.39.2 + diff --git a/queue-6.3/scsi-ufs-core-fix-mcq-nr_hw_queues.patch b/queue-6.3/scsi-ufs-core-fix-mcq-nr_hw_queues.patch new file mode 100644 index 00000000000..1934d92146f --- /dev/null +++ b/queue-6.3/scsi-ufs-core-fix-mcq-nr_hw_queues.patch @@ -0,0 +1,40 @@ +From b4e6d8e496d53c3f265a884bc193247a4338660e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 23:44:51 +0800 +Subject: scsi: ufs: core: Fix MCQ nr_hw_queues + +From: Po-Wen Kao + +[ Upstream commit 72a81bb0b6fc9b759ac0fdaca3ec5884a8b2f304 ] + +Since MAXQ is 0-based value, add one to obtain number of hardware queues. + +Signed-off-by: Po-Wen Kao +Link: https://lore.kernel.org/r/20230504154454.26654-4-powen.kao@mediatek.com +Reviewed-by: Bean Huo +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Bart Van Assche +Reviewed-by: Stanley Chu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufs-mcq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c +index 937933d3f77c2..51b3c6ae781df 100644 +--- a/drivers/ufs/core/ufs-mcq.c ++++ b/drivers/ufs/core/ufs-mcq.c +@@ -150,7 +150,8 @@ static int ufshcd_mcq_config_nr_queues(struct ufs_hba *hba) + u32 hba_maxq, rem, tot_queues; + struct Scsi_Host *host = hba->host; + +- hba_maxq = FIELD_GET(MAX_QUEUE_SUP, hba->mcq_capabilities); ++ /* maxq is 0 based value */ ++ hba_maxq = FIELD_GET(MAX_QUEUE_SUP, hba->mcq_capabilities) + 1; + + tot_queues = UFS_MCQ_NUM_DEV_CMD_QUEUES + read_queues + poll_queues + + rw_queues; +-- +2.39.2 + diff --git a/queue-6.3/scsi-ufs-core-fix-mcq-tag-calculation.patch b/queue-6.3/scsi-ufs-core-fix-mcq-tag-calculation.patch new file mode 100644 index 00000000000..1aec64d2625 --- /dev/null +++ b/queue-6.3/scsi-ufs-core-fix-mcq-tag-calculation.patch @@ -0,0 +1,59 @@ +From ea91d4368aadecf8c9c0e1d1f6a57e2551e23c16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 23:44:49 +0800 +Subject: scsi: ufs: core: Fix MCQ tag calculation + +From: Po-Wen Kao + +[ Upstream commit 5149452ca66289ef33d13897ee845a2f6f5b680f ] + +The transfer command descriptor is allocated in ufshcd_memory_alloc() and +referenced by the transfer request descriptor with stride size +sizeof_utp_transfer_cmd_desc() instead of sizeof(struct +utp_transfer_cmd_desc). + +Consequently, computing tag by address offset should also refer to the +same stride. + +Signed-off-by: Po-Wen Kao +Link: https://lore.kernel.org/r/20230504154454.26654-2-powen.kao@mediatek.com +Reviewed-by: Bart Van Assche +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Stanley Chu +Reviewed-by: Ziqi Chen +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufs-mcq.c | 2 +- + drivers/ufs/core/ufshcd.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c +index 202ff71e1b582..b7c5f39b50e6d 100644 +--- a/drivers/ufs/core/ufs-mcq.c ++++ b/drivers/ufs/core/ufs-mcq.c +@@ -265,7 +265,7 @@ static int ufshcd_mcq_get_tag(struct ufs_hba *hba, + addr = (le64_to_cpu(cqe->command_desc_base_addr) & CQE_UCD_BA) - + hba->ucdl_dma_addr; + +- return div_u64(addr, sizeof(struct utp_transfer_cmd_desc)); ++ return div_u64(addr, sizeof_utp_transfer_cmd_desc(hba)); + } + + static void ufshcd_mcq_process_cqe(struct ufs_hba *hba, +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index 8ac2945e849f4..a80eacbb8ef85 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -8422,7 +8422,7 @@ static void ufshcd_release_sdb_queue(struct ufs_hba *hba, int nutrs) + { + size_t ucdl_size, utrdl_size; + +- ucdl_size = sizeof(struct utp_transfer_cmd_desc) * nutrs; ++ ucdl_size = sizeof_utp_transfer_cmd_desc(hba) * nutrs; + dmam_free_coherent(hba->dev, ucdl_size, hba->ucdl_base_addr, + hba->ucdl_dma_addr); + +-- +2.39.2 + diff --git a/queue-6.3/scsi-ufs-core-rename-symbol-sizeof_utp_transfer_cmd_.patch b/queue-6.3/scsi-ufs-core-rename-symbol-sizeof_utp_transfer_cmd_.patch new file mode 100644 index 00000000000..4853bfaf94e --- /dev/null +++ b/queue-6.3/scsi-ufs-core-rename-symbol-sizeof_utp_transfer_cmd_.patch @@ -0,0 +1,99 @@ +From 6e8a9ebb4fe5d04b6b5ef027ac1d80231f1461e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 23:44:50 +0800 +Subject: scsi: ufs: core: Rename symbol sizeof_utp_transfer_cmd_desc() + +From: Po-Wen Kao + +[ Upstream commit 06caeb536b2b21668efd2d6fa97c09461957b3a7 ] + +Naming the functions after standard operators like sizeof() may cause +confusion. Rename it to ufshcd_get_ucd_size(). + +Signed-off-by: Po-Wen Kao +Link: https://lore.kernel.org/r/20230504154454.26654-3-powen.kao@mediatek.com +Suggested-by: Manivannan Sadhasivam +Reviewed-by: Stanley Chu +Reviewed-by: Ziqi Chen +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufs-mcq.c | 2 +- + drivers/ufs/core/ufshcd.c | 10 +++++----- + include/ufs/ufshcd.h | 2 +- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c +index b7c5f39b50e6d..937933d3f77c2 100644 +--- a/drivers/ufs/core/ufs-mcq.c ++++ b/drivers/ufs/core/ufs-mcq.c +@@ -265,7 +265,7 @@ static int ufshcd_mcq_get_tag(struct ufs_hba *hba, + addr = (le64_to_cpu(cqe->command_desc_base_addr) & CQE_UCD_BA) - + hba->ucdl_dma_addr; + +- return div_u64(addr, sizeof_utp_transfer_cmd_desc(hba)); ++ return div_u64(addr, ufshcd_get_ucd_size(hba)); + } + + static void ufshcd_mcq_process_cqe(struct ufs_hba *hba, +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index a80eacbb8ef85..aec74987cb4e0 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -2821,10 +2821,10 @@ static void ufshcd_map_queues(struct Scsi_Host *shost) + static void ufshcd_init_lrb(struct ufs_hba *hba, struct ufshcd_lrb *lrb, int i) + { + struct utp_transfer_cmd_desc *cmd_descp = (void *)hba->ucdl_base_addr + +- i * sizeof_utp_transfer_cmd_desc(hba); ++ i * ufshcd_get_ucd_size(hba); + struct utp_transfer_req_desc *utrdlp = hba->utrdl_base_addr; + dma_addr_t cmd_desc_element_addr = hba->ucdl_dma_addr + +- i * sizeof_utp_transfer_cmd_desc(hba); ++ i * ufshcd_get_ucd_size(hba); + u16 response_offset = offsetof(struct utp_transfer_cmd_desc, + response_upiu); + u16 prdt_offset = offsetof(struct utp_transfer_cmd_desc, prd_table); +@@ -3733,7 +3733,7 @@ static int ufshcd_memory_alloc(struct ufs_hba *hba) + size_t utmrdl_size, utrdl_size, ucdl_size; + + /* Allocate memory for UTP command descriptors */ +- ucdl_size = sizeof_utp_transfer_cmd_desc(hba) * hba->nutrs; ++ ucdl_size = ufshcd_get_ucd_size(hba) * hba->nutrs; + hba->ucdl_base_addr = dmam_alloc_coherent(hba->dev, + ucdl_size, + &hba->ucdl_dma_addr, +@@ -3833,7 +3833,7 @@ static void ufshcd_host_memory_configure(struct ufs_hba *hba) + prdt_offset = + offsetof(struct utp_transfer_cmd_desc, prd_table); + +- cmd_desc_size = sizeof_utp_transfer_cmd_desc(hba); ++ cmd_desc_size = ufshcd_get_ucd_size(hba); + cmd_desc_dma_addr = hba->ucdl_dma_addr; + + for (i = 0; i < hba->nutrs; i++) { +@@ -8422,7 +8422,7 @@ static void ufshcd_release_sdb_queue(struct ufs_hba *hba, int nutrs) + { + size_t ucdl_size, utrdl_size; + +- ucdl_size = sizeof_utp_transfer_cmd_desc(hba) * nutrs; ++ ucdl_size = ufshcd_get_ucd_size(hba) * nutrs; + dmam_free_coherent(hba->dev, ucdl_size, hba->ucdl_base_addr, + hba->ucdl_dma_addr); + +diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h +index 431c3afb2ce0f..db70944c681aa 100644 +--- a/include/ufs/ufshcd.h ++++ b/include/ufs/ufshcd.h +@@ -1138,7 +1138,7 @@ static inline size_t ufshcd_sg_entry_size(const struct ufs_hba *hba) + ({ (void)(hba); BUILD_BUG_ON(sg_entry_size != sizeof(struct ufshcd_sg_entry)); }) + #endif + +-static inline size_t sizeof_utp_transfer_cmd_desc(const struct ufs_hba *hba) ++static inline size_t ufshcd_get_ucd_size(const struct ufs_hba *hba) + { + return sizeof(struct utp_transfer_cmd_desc) + SG_ALL * ufshcd_sg_entry_size(hba); + } +-- +2.39.2 + diff --git a/queue-6.3/selftests-ftrace-choose-target-function-for-filter-t.patch b/queue-6.3/selftests-ftrace-choose-target-function-for-filter-t.patch new file mode 100644 index 00000000000..accc511c966 --- /dev/null +++ b/queue-6.3/selftests-ftrace-choose-target-function-for-filter-t.patch @@ -0,0 +1,102 @@ +From f31f4a9d91a7a923a79ca0c60a98ad17375af3a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Mar 2023 11:53:32 +0900 +Subject: selftests/ftrace: Choose target function for filter test from samples + +From: Masami Hiramatsu (Google) + +[ Upstream commit eb50d0f250e96ede9192d936d220cd97adc93b89 ] + +Since the event-filter-function.tc expects the 'exit_mmap()' directly +calls 'kmem_cache_free()', this is vulnerable to code modifications. + +Choose the target function for the filter test from the sample +event data so that it can keep test running correctly even if the caller +function name will be changed. + +Link: https://lore.kernel.org/linux-trace-kernel/167919441260.1922645.18355804179347364057.stgit@mhiramat.roam.corp.google.com/ + +Link: https://lore.kernel.org/all/CA+G9fYtF-XEKi9YNGgR=Kf==7iRb2FrmEC7qtwAeQbfyah-UhA@mail.gmail.com/ +Reported-by: Linux Kernel Functional Testing +Fixes: 7f09d639b8c4 ("tracing/selftests: Add test for event filtering on function name") +Signed-off-by: Masami Hiramatsu (Google) +Acked-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + .../test.d/filter/event-filter-function.tc | 45 +++++++++++-------- + 1 file changed, 27 insertions(+), 18 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc b/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc +index e2ff3bf4df80f..2de7c61d1ae30 100644 +--- a/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc ++++ b/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc +@@ -9,18 +9,33 @@ fail() { #msg + exit_fail + } + +-echo "Test event filter function name" ++sample_events() { ++ echo > trace ++ echo 1 > events/kmem/kmem_cache_free/enable ++ echo 1 > tracing_on ++ ls > /dev/null ++ echo 0 > tracing_on ++ echo 0 > events/kmem/kmem_cache_free/enable ++} ++ + echo 0 > tracing_on + echo 0 > events/enable ++ ++echo "Get the most frequently calling function" ++sample_events ++ ++target_func=`cut -d: -f3 trace | sed 's/call_site=\([^+]*\)+0x.*/\1/' | sort | uniq -c | sort | tail -n 1 | sed 's/^[ 0-9]*//'` ++if [ -z "$target_func" ]; then ++ exit_fail ++fi + echo > trace +-echo 'call_site.function == exit_mmap' > events/kmem/kmem_cache_free/filter +-echo 1 > events/kmem/kmem_cache_free/enable +-echo 1 > tracing_on +-ls > /dev/null +-echo 0 > events/kmem/kmem_cache_free/enable + +-hitcnt=`grep kmem_cache_free trace| grep exit_mmap | wc -l` +-misscnt=`grep kmem_cache_free trace| grep -v exit_mmap | wc -l` ++echo "Test event filter function name" ++echo "call_site.function == $target_func" > events/kmem/kmem_cache_free/filter ++sample_events ++ ++hitcnt=`grep kmem_cache_free trace| grep $target_func | wc -l` ++misscnt=`grep kmem_cache_free trace| grep -v $target_func | wc -l` + + if [ $hitcnt -eq 0 ]; then + exit_fail +@@ -30,20 +45,14 @@ if [ $misscnt -gt 0 ]; then + exit_fail + fi + +-address=`grep ' exit_mmap$' /proc/kallsyms | cut -d' ' -f1` ++address=`grep " ${target_func}\$" /proc/kallsyms | cut -d' ' -f1` + + echo "Test event filter function address" +-echo 0 > tracing_on +-echo 0 > events/enable +-echo > trace + echo "call_site.function == 0x$address" > events/kmem/kmem_cache_free/filter +-echo 1 > events/kmem/kmem_cache_free/enable +-echo 1 > tracing_on +-sleep 1 +-echo 0 > events/kmem/kmem_cache_free/enable ++sample_events + +-hitcnt=`grep kmem_cache_free trace| grep exit_mmap | wc -l` +-misscnt=`grep kmem_cache_free trace| grep -v exit_mmap | wc -l` ++hitcnt=`grep kmem_cache_free trace| grep $target_func | wc -l` ++misscnt=`grep kmem_cache_free trace| grep -v $target_func | wc -l` + + if [ $hitcnt -eq 0 ]; then + exit_fail +-- +2.39.2 + diff --git a/queue-6.3/series b/queue-6.3/series index e69de29bb2d..116d41ace57 100644 --- a/queue-6.3/series +++ b/queue-6.3/series @@ -0,0 +1,189 @@ +rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch +phy-amlogic-phy-meson-g12a-mipi-dphy-analog-fix-cntl.patch +rdma-efa-fix-unsupported-page-sizes-in-device.patch +rdma-hns-fix-timeout-attr-in-query-qp-for-hip08.patch +rdma-hns-fix-base-address-table-allocation.patch +rdma-hns-modify-the-value-of-long-message-loopback-s.patch +dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch +rdma-bnxt_re-fix-a-possible-memory-leak.patch +rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch +iommu-make-ipmmu_vmsa-dependencies-more-strict.patch +iommu-rockchip-fix-unwind-goto-issue.patch +iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch +iommu-amd-handle-galog-overflows.patch +iommu-amd-fix-up-merge-conflict-resolution.patch +iommu-amd-add-missing-domain-type-checks.patch +nfsd-make-a-copy-of-struct-iattr-before-calling-noti.patch +dmaengine-pl330-rename-_start-to-prevent-build-error.patch +crypto-x86-aria-use-16-byte-alignment-for-gfni-const.patch +riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch +net-mlx5e-tc-remove-unused-vf_tun-variable.patch +net-mlx5e-tc-move-main-flow-attribute-cleanup-to-hel.patch +net-mlx5e-extract-remaining-tunnel-encap-code-to-ded.patch +net-mlx5e-prevent-encap-offload-when-neigh-update-is.patch +net-mlx5e-consider-internal-buffers-size-in-port-buf.patch +net-mlx5e-do-not-update-sbcm-when-prio2buffer-comman.patch +net-mlx5-drain-health-before-unregistering-devlink.patch +net-mlx5-sf-drain-health-before-removing-device.patch +net-mlx5-fw_tracer-fix-event-handling.patch +net-mlx5e-use-query_special_contexts-cmd-only-once-p.patch +net-mlx5e-ct-use-per-action-stats.patch +net-mlx5e-tc-remove-ct-action-reordering.patch +net-mlx5-fix-post-parse-infra-to-only-parse-every-ac.patch +net-mlx5e-don-t-attach-netdev-profile-while-handling.patch +net-mlx5e-move-ethernet-driver-debugfs-to-profile-in.patch +net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch +net-stmmac-fix-call-trace-when-stmmac_xdp_xmit-is-in.patch +netrom-fix-info-leak-in-nr_write_internal.patch +af_packet-fix-data-races-of-pkt_sk-sk-num.patch +tls-improve-lockless-access-safety-of-tls_err_abort.patch +amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch +perf-ftrace-latency-remove-unnecessary-from-use-nsec.patch +mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch +efi-bump-stub-image-version-for-macos-hvf-compatibil.patch +rdma-irdma-prevent-qp-use-after-free.patch +rdma-irdma-fix-local-invalidate-fencing.patch +af_packet-do-not-use-read_once-in-packet_bind.patch +tcp-deny-tcp_disconnect-when-threads-are-waiting.patch +tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch +rxrpc-truncate-uts_release-for-rxrpc-version.patch +net-smc-scan-from-current-rmb-list-when-no-position-.patch +net-smc-don-t-use-rmbs-not-mapped-to-new-link-in-smc.patch +net-sched-sch_ingress-only-create-under-tc_h_ingress.patch +net-sched-sch_clsact-only-create-under-tc_h_clsact.patch +net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch +net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch +net-sched-fix-null-pointer-dereference-in-mq_attach.patch +net-netlink-fix-netlink_list_memberships-length-repo.patch +udp6-fix-race-condition-in-udp6_sendmsg-connect.patch +nfsd-fix-double-fget-bug-in-__write_ports_addfd.patch +hid-logitech-hidpp-handle-timeout-differently-from-b.patch +nvme-fix-the-name-of-zone-append-for-verbose-logging.patch +net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch +net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch +sfc-fix-error-unwinds-in-tc-offload.patch +iommu-mediatek-flush-iotlb-completely-only-if-domain.patch +net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch +tcp-fix-mishandling-when-the-sack-compression-is-def.patch +net-ipa-use-correct-value-for-ipa_status_size.patch +net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch +mtd-rawnand-marvell-ensure-timing-values-are-written.patch +mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch +net-renesas-rswitch-fix-return-value-in-error-path-o.patch +net-phy-mxl-gpy-extend-interrupt-fix-to-all-impacted.patch +ice-recycle-free-all-of-the-fragments-from-multi-buf.patch +rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch +rtnetlink-move-ifla_gso_-tb-check-to-validate_linkms.patch +rtnetlink-add-the-missing-ifla_gro_-tb-check-in-vali.patch +mptcp-avoid-unneeded-__mptcp_nmpc_socket-usage.patch +mptcp-add-annotations-around-msk-subflow-accesses.patch +mptcp-avoid-unneeded-address-copy.patch +mptcp-simplify-subflow_syn_recv_sock.patch +mptcp-consolidate-passive-msk-socket-initialization.patch +mptcp-fix-data-race-around-msk-first-access.patch +mptcp-add-annotations-around-sk-sk_shutdown-accesses.patch +drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch +watchdog-menz069_wdt-fix-watchdog-initialisation.patch +alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch +drm-amd-display-fix-memleak-in-aconnector-timing_req.patch +loongarch-relay-bce-exceptions-to-userland-as-sigseg.patch +loongarch-add-arch_has_fortify_source-selection.patch +asoc-intel-soc-acpi-cht-add-quirk-for-nextbook-ares-.patch +drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch +mailbox-mailbox-test-fix-potential-double-free-in-mb.patch +drm-ast-fix-arm-compatibility.patch +btrfs-abort-transaction-when-sibling-keys-check-fail.patch +arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch +perf-x86-intel-ds-flush-pebs-ds-when-changing-pebs_d.patch +hwmon-k10temp-add-pci-id-for-family-19-model-78h.patch +media-rcar-vin-gen3-can-not-scale-nv12.patch +media-rcar-vin-fix-nv12-size-alignment.patch +media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch +platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch +platform-mellanox-fix-potential-race-in-mlxbf-tmfifo.patch +gfs2-don-t-deref-jdesc-in-evict.patch +drm-amdgpu-nv-update-vcn-3-max-hevc-encoding-resolut.patch +drm-amdgpu-set-gfx9-onwards-apu-atomics-support-to-b.patch +fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch +fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch +fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch +nbd-fix-debugfs_create_dir-error-checking.patch +block-rnbd-replace-req_op_flush-with-req_op_write.patch +nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch +nvme-pci-add-quirk-for-missing-secondary-temperature.patch +nvme-pci-clamp-max_hw_sectors-based-on-dma-optimized.patch +asoc-amd-yc-add-dmi-entry-to-support-system76-pangol.patch +asoc-dwc-limit-the-number-of-overrun-messages.patch +cpupower-fix-resource-leaks-in-sysfs_get_enabled.patch +asoc-sof-amd-fix-null-pointer-crash-in-acp_sof_ipc_m.patch +um-harddog-fix-modular-build.patch +xfrm-check-if_id-in-inbound-policy-secpath-match.patch +asoc-jz4740-i2s-make-i2s-divider-calculations-more-r.patch +asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch +alsa-hda-realtek-add-quirks-for-asus-gu604v-and-gu60.patch +asoc-ssm2602-add-workaround-for-playback-distortions.patch +media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch +media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch +media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch +media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch +media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch +media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch +media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch +media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch +media-dvb_ca_en50221-fix-a-size-write-bug.patch +media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch +media-mn88443x-fix-config_of-error-by-drop-of_match_.patch +media-dvb-core-fix-use-after-free-on-race-condition-.patch +media-dvb-core-fix-use-after-free-due-on-race-condit.patch +media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch +media-dvb-core-fix-kernel-warning-for-blocking-opera.patch +media-dvb-core-fix-use-after-free-due-to-race-condit.patch +asoc-sof-debug-conditionally-bump-runtime_pm-counter.patch +asoc-sof-pcm-fix-pm_runtime-imbalance-in-error-handl.patch +asoc-sof-sof-client-probes-fix-pm_runtime-imbalance-.patch +asoc-sof-pm-save-io-region-state-in-case-of-errors-i.patch +s390-pkey-zeroize-key-blobs.patch +s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch +s390-ipl-fix-ipib-virtual-vs-physical-address-confus.patch +acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch +wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch +arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch +arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch +arm64-vdso-pass-void-to-virt_to_page.patch +wifi-mac80211-simplify-chanctx-allocation.patch +wifi-mac80211-consider-reserved-chanctx-for-mindef.patch +wifi-mac80211-recalc-chanctx-mindef-before-assigning.patch +wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch +scsi-ufs-core-fix-mcq-tag-calculation.patch +scsi-ufs-core-rename-symbol-sizeof_utp_transfer_cmd_.patch +scsi-ufs-core-fix-mcq-nr_hw_queues.patch +scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch +wifi-b43-fix-incorrect-__packed-annotation.patch +net-wwan-t7xx-ensure-init-is-completed-before-system.patch +netfilter-conntrack-define-variables-exp_nat_nla_pol.patch +nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch +nvme-do-not-let-the-user-delete-a-ctrl-before-a-comp.patch +alsa-oss-avoid-missing-prototype-warnings.patch +drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch +atm-hide-unused-procfs-functions.patch +ceph-silence-smatch-warning-in-reconnect_caps_cb.patch +drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch +ublk-fix-ab-ba-lockdep-warning.patch +nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch +block-deny-writable-memory-mapping-if-block-is-read-.patch +iio-adc-imx93-fix-a-signedness-bug-in-imx93_adc_read.patch +kvm-arm64-vgic-fix-a-circular-locking-issue.patch +kvm-arm64-vgic-wrap-vgic_its_create-with-config_lock.patch +kvm-arm64-vgic-fix-locking-comment.patch +kvm-arm64-prevent-unconditional-donation-of-unmapped.patch +scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch +perf-x86-intel-save-restore-cpuc-active_pebs_data_cf.patch +kvm-arm64-reload-pte-after-invoking-walker-callback-.patch +media-mediatek-vcodec-only-apply-4k-frame-sizes-on-d.patch +mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch +drivers-base-cacheinfo-fix-shared_cpu_map-changes-in.patch +drivers-base-cacheinfo-update-cpu_map_populated-duri.patch +dt-bindings-serial-8250_omap-add-rs485-rts-active-hi.patch +media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch +selftests-ftrace-choose-target-function-for-filter-t.patch +drm-amd-display-only-wait-for-blank-completion-if-ot.patch diff --git a/queue-6.3/sfc-fix-error-unwinds-in-tc-offload.patch b/queue-6.3/sfc-fix-error-unwinds-in-tc-offload.patch new file mode 100644 index 00000000000..10e90bbf889 --- /dev/null +++ b/queue-6.3/sfc-fix-error-unwinds-in-tc-offload.patch @@ -0,0 +1,48 @@ +From a619853a1221280b7089df6fcfe86231299adb3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 21:25:27 +0100 +Subject: sfc: fix error unwinds in TC offload + +From: Edward Cree + +[ Upstream commit 622ab656344a288acf4fb03d628c3bb5dd241f34 ] + +Failure ladders weren't exactly unwinding what the function had done up + to that point; most seriously, when we encountered an already offloaded + rule, the failure path tried to remove the new rule from the hashtable, + which would in fact remove the already-present 'old' rule (since it has + the same key) from the table, and leak its resources. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202305200745.xmIlkqjH-lkp@intel.com/ +Fixes: d902e1a737d4 ("sfc: bare bones TC offload on EF100") +Fixes: 17654d84b47c ("sfc: add offloading of 'foreign' TC (decap) rules") +Signed-off-by: Edward Cree +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230530202527.53115-1-edward.cree@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/tc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/tc.c b/drivers/net/ethernet/sfc/tc.c +index deeaab9ee761d..217f3876af722 100644 +--- a/drivers/net/ethernet/sfc/tc.c ++++ b/drivers/net/ethernet/sfc/tc.c +@@ -379,9 +379,9 @@ static int efx_tc_flower_replace(struct efx_nic *efx, + if (old) { + netif_dbg(efx, drv, efx->net_dev, + "Already offloaded rule (cookie %lx)\n", tc->cookie); +- rc = -EEXIST; + NL_SET_ERR_MSG_MOD(extack, "Rule already offloaded"); +- goto release; ++ kfree(rule); ++ return -EEXIST; + } + + /* Parse actions */ +-- +2.39.2 + diff --git a/queue-6.3/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch b/queue-6.3/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch new file mode 100644 index 00000000000..67deb08b8fe --- /dev/null +++ b/queue-6.3/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch @@ -0,0 +1,186 @@ +From 8ac8da16f02b006581a344980ce9e8343ed929bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 16:34:58 +0000 +Subject: tcp: deny tcp_disconnect() when threads are waiting + +From: Eric Dumazet + +[ Upstream commit 4faeee0cf8a5d88d63cdbc3bab124fb0e6aed08c ] + +Historically connect(AF_UNSPEC) has been abused by syzkaller +and other fuzzers to trigger various bugs. + +A recent one triggers a divide-by-zero [1], and Paolo Abeni +was able to diagnose the issue. + +tcp_recvmsg_locked() has tests about sk_state being not TCP_LISTEN +and TCP REPAIR mode being not used. + +Then later if socket lock is released in sk_wait_data(), +another thread can call connect(AF_UNSPEC), then make this +socket a TCP listener. + +When recvmsg() is resumed, it can eventually call tcp_cleanup_rbuf() +and attempt a divide by 0 in tcp_rcv_space_adjust() [1] + +This patch adds a new socket field, counting number of threads +blocked in sk_wait_event() and inet_wait_for_connect(). + +If this counter is not zero, tcp_disconnect() returns an error. + +This patch adds code in blocking socket system calls, thus should +not hurt performance of non blocking ones. + +Note that we probably could revert commit 499350a5a6e7 ("tcp: +initialize rcv_mss to TCP_MIN_MSS instead of 0") to restore +original tcpi_rcv_mss meaning (was 0 if no payload was ever +received on a socket) + +[1] +divide error: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 13832 Comm: syz-executor.5 Not tainted 6.3.0-rc4-syzkaller-00224-g00c7b5f4ddc5 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 +RIP: 0010:tcp_rcv_space_adjust+0x36e/0x9d0 net/ipv4/tcp_input.c:740 +Code: 00 00 00 00 fc ff df 4c 89 64 24 48 8b 44 24 04 44 89 f9 41 81 c7 80 03 00 00 c1 e1 04 44 29 f0 48 63 c9 48 01 e9 48 0f af c1 <49> f7 f6 48 8d 04 41 48 89 44 24 40 48 8b 44 24 30 48 c1 e8 03 48 +RSP: 0018:ffffc900033af660 EFLAGS: 00010206 +RAX: 4a66b76cbade2c48 RBX: ffff888076640cc0 RCX: 00000000c334e4ac +RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000001 +RBP: 00000000c324e86c R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880766417f8 +R13: ffff888028fbb980 R14: 0000000000000000 R15: 0000000000010344 +FS: 00007f5bffbfe700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b32f25000 CR3: 000000007ced0000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +tcp_recvmsg_locked+0x100e/0x22e0 net/ipv4/tcp.c:2616 +tcp_recvmsg+0x117/0x620 net/ipv4/tcp.c:2681 +inet6_recvmsg+0x114/0x640 net/ipv6/af_inet6.c:670 +sock_recvmsg_nosec net/socket.c:1017 [inline] +sock_recvmsg+0xe2/0x160 net/socket.c:1038 +____sys_recvmsg+0x210/0x5a0 net/socket.c:2720 +___sys_recvmsg+0xf2/0x180 net/socket.c:2762 +do_recvmmsg+0x25e/0x6e0 net/socket.c:2856 +__sys_recvmmsg net/socket.c:2935 [inline] +__do_sys_recvmmsg net/socket.c:2958 [inline] +__se_sys_recvmmsg net/socket.c:2951 [inline] +__x64_sys_recvmmsg+0x20f/0x260 net/socket.c:2951 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5c0108c0f9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f5bffbfe168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 00007f5c011ac050 RCX: 00007f5c0108c0f9 +RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000003 +RBP: 00007f5c010e7b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f5c012cfb1f R14: 00007f5bffbfe300 R15: 0000000000022000 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Reported-by: Paolo Abeni +Diagnosed-by: Paolo Abeni +Signed-off-by: Eric Dumazet +Tested-by: Paolo Abeni +Link: https://lore.kernel.org/r/20230526163458.2880232-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 4 ++++ + net/ipv4/af_inet.c | 2 ++ + net/ipv4/inet_connection_sock.c | 1 + + net/ipv4/tcp.c | 6 ++++++ + 4 files changed, 13 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 9cd0354221507..45e46a1c4afc6 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -336,6 +336,7 @@ struct sk_filter; + * @sk_cgrp_data: cgroup data for this cgroup + * @sk_memcg: this socket's memory cgroup association + * @sk_write_pending: a write to stream socket waits to start ++ * @sk_wait_pending: number of threads blocked on this socket + * @sk_state_change: callback to indicate change in the state of the sock + * @sk_data_ready: callback to indicate there is data to be processed + * @sk_write_space: callback to indicate there is bf sending space available +@@ -428,6 +429,7 @@ struct sock { + unsigned int sk_napi_id; + #endif + int sk_rcvbuf; ++ int sk_wait_pending; + + struct sk_filter __rcu *sk_filter; + union { +@@ -1174,6 +1176,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk) + + #define sk_wait_event(__sk, __timeo, __condition, __wait) \ + ({ int __rc; \ ++ __sk->sk_wait_pending++; \ + release_sock(__sk); \ + __rc = __condition; \ + if (!__rc) { \ +@@ -1183,6 +1186,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk) + } \ + sched_annotate_sleep(); \ + lock_sock(__sk); \ ++ __sk->sk_wait_pending--; \ + __rc = __condition; \ + __rc; \ + }) +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 70fd769f1174b..daeec363b0976 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -586,6 +586,7 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias) + + add_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending += writebias; ++ sk->sk_wait_pending++; + + /* Basic assumption: if someone sets sk->sk_err, he _must_ + * change state of the socket from TCP_SYN_*. +@@ -601,6 +602,7 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias) + } + remove_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending -= writebias; ++ sk->sk_wait_pending--; + return timeo; + } + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 65ad4251f6fd8..1386787eaf1a5 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -1142,6 +1142,7 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, + if (newsk) { + struct inet_connection_sock *newicsk = inet_csk(newsk); + ++ newsk->sk_wait_pending = 0; + inet_sk_set_state(newsk, TCP_SYN_RECV); + newicsk->icsk_bind_hash = NULL; + newicsk->icsk_bind2_hash = NULL; +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index ed63ee8f0d7e3..f4b243cc7f4a5 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3080,6 +3080,12 @@ int tcp_disconnect(struct sock *sk, int flags) + int old_state = sk->sk_state; + u32 seq; + ++ /* Deny disconnect if other threads are blocked in sk_wait_event() ++ * or inet_wait_for_connect(). ++ */ ++ if (sk->sk_wait_pending) ++ return -EBUSY; ++ + if (old_state != TCP_CLOSE) + tcp_set_state(sk, TCP_CLOSE); + +-- +2.39.2 + diff --git a/queue-6.3/tcp-fix-mishandling-when-the-sack-compression-is-def.patch b/queue-6.3/tcp-fix-mishandling-when-the-sack-compression-is-def.patch new file mode 100644 index 00000000000..22be59e77fd --- /dev/null +++ b/queue-6.3/tcp-fix-mishandling-when-the-sack-compression-is-def.patch @@ -0,0 +1,99 @@ +From 0a944b969b3111734e4a99dfb1bef72bc8c49220 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 16:01:50 +0800 +Subject: tcp: fix mishandling when the sack compression is deferred. + +From: fuyuanli + +[ Upstream commit 30c6f0bf9579debce27e45fac34fdc97e46acacc ] + +In this patch, we mainly try to handle sending a compressed ack +correctly if it's deferred. + +Here are more details in the old logic: +When sack compression is triggered in the tcp_compressed_ack_kick(), +if the sock is owned by user, it will set TCP_DELACK_TIMER_DEFERRED +and then defer to the release cb phrase. Later once user releases +the sock, tcp_delack_timer_handler() should send a ack as expected, +which, however, cannot happen due to lack of ICSK_ACK_TIMER flag. +Therefore, the receiver would not sent an ack until the sender's +retransmission timeout. It definitely increases unnecessary latency. + +Fixes: 5d9f4262b7ea ("tcp: add SACK compression") +Suggested-by: Eric Dumazet +Signed-off-by: fuyuanli +Signed-off-by: Jason Xing +Link: https://lore.kernel.org/netdev/20230529113804.GA20300@didi-ThinkCentre-M920t-N000/ +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230531080150.GA20424@didi-ThinkCentre-M920t-N000 +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 1 + + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_timer.c | 16 +++++++++++++--- + 3 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 76bf0a11bdc77..99c74fc300839 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -632,6 +632,7 @@ void tcp_reset(struct sock *sk, struct sk_buff *skb); + void tcp_skb_mark_lost_uncond_verify(struct tcp_sock *tp, struct sk_buff *skb); + void tcp_fin(struct sock *sk); + void tcp_check_space(struct sock *sk); ++void tcp_sack_compress_send_ack(struct sock *sk); + + /* tcp_timer.c */ + void tcp_init_xmit_timers(struct sock *); +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 10776c54ff784..dee174c40e874 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4530,7 +4530,7 @@ static void tcp_sack_maybe_coalesce(struct tcp_sock *tp) + } + } + +-static void tcp_sack_compress_send_ack(struct sock *sk) ++void tcp_sack_compress_send_ack(struct sock *sk) + { + struct tcp_sock *tp = tcp_sk(sk); + +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index cb79127f45c34..0b5d0a2867a8c 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -290,9 +290,19 @@ static int tcp_write_timeout(struct sock *sk) + void tcp_delack_timer_handler(struct sock *sk) + { + struct inet_connection_sock *icsk = inet_csk(sk); ++ struct tcp_sock *tp = tcp_sk(sk); + +- if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) || +- !(icsk->icsk_ack.pending & ICSK_ACK_TIMER)) ++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ++ return; ++ ++ /* Handling the sack compression case */ ++ if (tp->compressed_ack) { ++ tcp_mstamp_refresh(tp); ++ tcp_sack_compress_send_ack(sk); ++ return; ++ } ++ ++ if (!(icsk->icsk_ack.pending & ICSK_ACK_TIMER)) + return; + + if (time_after(icsk->icsk_ack.timeout, jiffies)) { +@@ -312,7 +322,7 @@ void tcp_delack_timer_handler(struct sock *sk) + inet_csk_exit_pingpong_mode(sk); + icsk->icsk_ack.ato = TCP_ATO_MIN; + } +- tcp_mstamp_refresh(tcp_sk(sk)); ++ tcp_mstamp_refresh(tp); + tcp_send_ack(sk); + __NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKS); + } +-- +2.39.2 + diff --git a/queue-6.3/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch b/queue-6.3/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch new file mode 100644 index 00000000000..67d04f99a02 --- /dev/null +++ b/queue-6.3/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch @@ -0,0 +1,50 @@ +From 83f388225e9bc6432186334e47e366be9fbf992d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 12:03:17 +0800 +Subject: tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss + set + +From: Cambda Zhu + +[ Upstream commit 34dfde4ad87b84d21278a7e19d92b5b2c68e6c4d ] + +This patch replaces the tp->mss_cache check in getting TCP_MAXSEG +with tp->rx_opt.user_mss check for CLOSE/LISTEN sock. Since +tp->mss_cache is initialized with TCP_MSS_DEFAULT, checking if +it's zero is probably a bug. + +With this change, getting TCP_MAXSEG before connecting will return +default MSS normally, and return user_mss if user_mss is set. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Jack Yang +Suggested-by: Eric Dumazet +Link: https://lore.kernel.org/netdev/CANn89i+3kL9pYtkxkwxwNMzvC_w3LNUum_2=3u+UyLBmGmifHA@mail.gmail.com/#t +Signed-off-by: Cambda Zhu +Link: https://lore.kernel.org/netdev/14D45862-36EA-4076-974C-EA67513C92F6@linux.alibaba.com/ +Reviewed-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230527040317.68247-1-cambda@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index f4b243cc7f4a5..6bb8eb8031051 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -4077,7 +4077,8 @@ int do_tcp_getsockopt(struct sock *sk, int level, + switch (optname) { + case TCP_MAXSEG: + val = tp->mss_cache; +- if (!val && ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) ++ if (tp->rx_opt.user_mss && ++ ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) + val = tp->rx_opt.user_mss; + if (tp->repair) + val = tp->rx_opt.mss_clamp; +-- +2.39.2 + diff --git a/queue-6.3/tls-improve-lockless-access-safety-of-tls_err_abort.patch b/queue-6.3/tls-improve-lockless-access-safety-of-tls_err_abort.patch new file mode 100644 index 00000000000..d2230b0f8fa --- /dev/null +++ b/queue-6.3/tls-improve-lockless-access-safety-of-tls_err_abort.patch @@ -0,0 +1,59 @@ +From 886c05c76858275a8eb45bd9ddd9114364ceb1d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 22:17:41 -0700 +Subject: tls: improve lockless access safety of tls_err_abort() + +From: Jakub Kicinski + +[ Upstream commit 8a0d57df8938e9fd2e99d47a85b7f37d86f91097 ] + +Most protos' poll() methods insert a memory barrier between +writes to sk_err and sk_error_report(). This dates back to +commit a4d258036ed9 ("tcp: Fix race in tcp_poll"). + +I guess we should do the same thing in TLS, tcp_poll() does +not hold the socket lock. + +Fixes: 3c4d7559159b ("tls: kernel TLS support") +Signed-off-by: Jakub Kicinski +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tls/tls_strp.c | 4 +++- + net/tls/tls_sw.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index da95abbb7ea32..f37f4a0fcd3c2 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -20,7 +20,9 @@ static void tls_strp_abort_strp(struct tls_strparser *strp, int err) + strp->stopped = 1; + + /* Report an error on the lower socket */ +- strp->sk->sk_err = -err; ++ WRITE_ONCE(strp->sk->sk_err, -err); ++ /* Paired with smp_rmb() in tcp_poll() */ ++ smp_wmb(); + sk_error_report(strp->sk); + } + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 6e6a7c37d685c..1a53c8f481e9a 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -70,7 +70,9 @@ noinline void tls_err_abort(struct sock *sk, int err) + { + WARN_ON_ONCE(err >= 0); + /* sk->sk_err should contain a positive error code. */ +- sk->sk_err = -err; ++ WRITE_ONCE(sk->sk_err, -err); ++ /* Paired with smp_rmb() in tcp_poll() */ ++ smp_wmb(); + sk_error_report(sk); + } + +-- +2.39.2 + diff --git a/queue-6.3/ublk-fix-ab-ba-lockdep-warning.patch b/queue-6.3/ublk-fix-ab-ba-lockdep-warning.patch new file mode 100644 index 00000000000..1f406eee43e --- /dev/null +++ b/queue-6.3/ublk-fix-ab-ba-lockdep-warning.patch @@ -0,0 +1,65 @@ +From dcc47fe3523c85cc9e828f15f987a3e9dafbec2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 21:34:08 +0800 +Subject: ublk: fix AB-BA lockdep warning + +From: Ming Lei + +[ Upstream commit ac5902f84bb546c64aea02c439c2579cbf40318f ] + +When handling UBLK_IO_FETCH_REQ, ctx->uring_lock is grabbed first, then +ub->mutex is acquired. + +When handling UBLK_CMD_STOP_DEV or UBLK_CMD_DEL_DEV, ub->mutex is +grabbed first, then calling io_uring_cmd_done() for canceling uring +command, in which ctx->uring_lock may be required. + +Real deadlock only happens when all the above commands are issued from +same uring context, and in reality different uring contexts are often used +for handing control command and IO command. + +Fix the issue by using io_uring_cmd_complete_in_task() to cancel command +in ublk_cancel_dev(ublk_cancel_queue). + +Reported-by: Shinichiro Kawasaki +Closes: https://lore.kernel.org/linux-block/becol2g7sawl4rsjq2dztsbc7mqypfqko6wzsyoyazqydoasml@rcxarzwidrhk +Cc: Ziyang Zhang +Signed-off-by: Ming Lei +Tested-by: Shinichiro Kawasaki +Link: https://lore.kernel.org/r/20230517133408.210944-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index 41c35ab2c25a1..4db5f1bcac44a 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -1122,6 +1122,11 @@ static inline bool ublk_queue_ready(struct ublk_queue *ubq) + return ubq->nr_io_ready == ubq->q_depth; + } + ++static void ublk_cmd_cancel_cb(struct io_uring_cmd *cmd, unsigned issue_flags) ++{ ++ io_uring_cmd_done(cmd, UBLK_IO_RES_ABORT, 0, issue_flags); ++} ++ + static void ublk_cancel_queue(struct ublk_queue *ubq) + { + int i; +@@ -1133,8 +1138,8 @@ static void ublk_cancel_queue(struct ublk_queue *ubq) + struct ublk_io *io = &ubq->ios[i]; + + if (io->flags & UBLK_IO_FLAG_ACTIVE) +- io_uring_cmd_done(io->cmd, UBLK_IO_RES_ABORT, 0, +- IO_URING_F_UNLOCKED); ++ io_uring_cmd_complete_in_task(io->cmd, ++ ublk_cmd_cancel_cb); + } + + /* all io commands are canceled */ +-- +2.39.2 + diff --git a/queue-6.3/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch b/queue-6.3/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch new file mode 100644 index 00000000000..f3593f5c8fa --- /dev/null +++ b/queue-6.3/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch @@ -0,0 +1,63 @@ +From 0a494cd97f3fe44b04b536303fc87247f67becda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 14:39:41 +0300 +Subject: udp6: Fix race condition in udp6_sendmsg & connect + +From: Vladislav Efanov + +[ Upstream commit 448a5ce1120c5bdbce1f1ccdabcd31c7d029f328 ] + +Syzkaller got the following report: +BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018 +Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255 + +The function sk_setup_caps (called by ip6_sk_dst_store_flow-> +ip6_dst_store) referenced already freed memory as this memory was +freed by parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow-> +sk_dst_check. + + task1 (connect) task2 (udp6_sendmsg) + sk_setup_caps->sk_dst_set | + | sk_dst_check-> + | sk_dst_set + | dst_release + sk_setup_caps references | + to already freed dst_entry| + +The reason for this race condition is: sk_setup_caps() keeps using +the dst after transferring the ownership to the dst cache. + +Found by Linux Verification Center (linuxtesting.org) with syzkaller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Vladislav Efanov +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index c258887953905..3fd71f343c9f2 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2386,7 +2386,6 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + { + u32 max_segs = 1; + +- sk_dst_set(sk, dst); + sk->sk_route_caps = dst->dev->features; + if (sk_is_tcp(sk)) + sk->sk_route_caps |= NETIF_F_GSO; +@@ -2405,6 +2404,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + } + } + sk->sk_gso_max_segs = max_segs; ++ sk_dst_set(sk, dst); + } + EXPORT_SYMBOL_GPL(sk_setup_caps); + +-- +2.39.2 + diff --git a/queue-6.3/um-harddog-fix-modular-build.patch b/queue-6.3/um-harddog-fix-modular-build.patch new file mode 100644 index 00000000000..bc6b18a807f --- /dev/null +++ b/queue-6.3/um-harddog-fix-modular-build.patch @@ -0,0 +1,134 @@ +From 93947a6616daf0e8d1bd13e8c76bc4e542c1cf42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 10:38:37 +0200 +Subject: um: harddog: fix modular build + +From: Johannes Berg + +[ Upstream commit 73a23d7710331a530e972903318528b75e5a5f58 ] + +Since we no longer (want to) export any libc symbols the +_user portions of any drivers need to be built into image +rather than the module. I missed this for the watchdog. +Fix the watchdog accordingly. + +Reported-by: kernel test robot +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/Makefile | 4 +++- + arch/um/drivers/harddog.h | 9 +++++++++ + arch/um/drivers/harddog_kern.c | 7 +------ + arch/um/drivers/harddog_user.c | 1 + + arch/um/drivers/harddog_user_exp.c | 9 +++++++++ + 5 files changed, 23 insertions(+), 7 deletions(-) + create mode 100644 arch/um/drivers/harddog.h + create mode 100644 arch/um/drivers/harddog_user_exp.c + +diff --git a/arch/um/drivers/Makefile b/arch/um/drivers/Makefile +index dee6f66353b33..a461a950f0518 100644 +--- a/arch/um/drivers/Makefile ++++ b/arch/um/drivers/Makefile +@@ -16,7 +16,8 @@ mconsole-objs := mconsole_kern.o mconsole_user.o + hostaudio-objs := hostaudio_kern.o + ubd-objs := ubd_kern.o ubd_user.o + port-objs := port_kern.o port_user.o +-harddog-objs := harddog_kern.o harddog_user.o ++harddog-objs := harddog_kern.o ++harddog-builtin-$(CONFIG_UML_WATCHDOG) := harddog_user.o harddog_user_exp.o + rtc-objs := rtc_kern.o rtc_user.o + + LDFLAGS_pcap.o = $(shell $(CC) $(KBUILD_CFLAGS) -print-file-name=libpcap.a) +@@ -60,6 +61,7 @@ obj-$(CONFIG_PTY_CHAN) += pty.o + obj-$(CONFIG_TTY_CHAN) += tty.o + obj-$(CONFIG_XTERM_CHAN) += xterm.o xterm_kern.o + obj-$(CONFIG_UML_WATCHDOG) += harddog.o ++obj-y += $(harddog-builtin-y) $(harddog-builtin-m) + obj-$(CONFIG_BLK_DEV_COW_COMMON) += cow_user.o + obj-$(CONFIG_UML_RANDOM) += random.o + obj-$(CONFIG_VIRTIO_UML) += virtio_uml.o +diff --git a/arch/um/drivers/harddog.h b/arch/um/drivers/harddog.h +new file mode 100644 +index 0000000000000..6d9ea60e7133e +--- /dev/null ++++ b/arch/um/drivers/harddog.h +@@ -0,0 +1,9 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef UM_WATCHDOG_H ++#define UM_WATCHDOG_H ++ ++int start_watchdog(int *in_fd_ret, int *out_fd_ret, char *sock); ++void stop_watchdog(int in_fd, int out_fd); ++int ping_watchdog(int fd); ++ ++#endif /* UM_WATCHDOG_H */ +diff --git a/arch/um/drivers/harddog_kern.c b/arch/um/drivers/harddog_kern.c +index e6d4f43deba82..60d1c6cab8a95 100644 +--- a/arch/um/drivers/harddog_kern.c ++++ b/arch/um/drivers/harddog_kern.c +@@ -47,6 +47,7 @@ + #include + #include + #include "mconsole.h" ++#include "harddog.h" + + MODULE_LICENSE("GPL"); + +@@ -60,8 +61,6 @@ static int harddog_out_fd = -1; + * Allow only one person to hold it open + */ + +-extern int start_watchdog(int *in_fd_ret, int *out_fd_ret, char *sock); +- + static int harddog_open(struct inode *inode, struct file *file) + { + int err = -EBUSY; +@@ -92,8 +91,6 @@ static int harddog_open(struct inode *inode, struct file *file) + return err; + } + +-extern void stop_watchdog(int in_fd, int out_fd); +- + static int harddog_release(struct inode *inode, struct file *file) + { + /* +@@ -112,8 +109,6 @@ static int harddog_release(struct inode *inode, struct file *file) + return 0; + } + +-extern int ping_watchdog(int fd); +- + static ssize_t harddog_write(struct file *file, const char __user *data, size_t len, + loff_t *ppos) + { +diff --git a/arch/um/drivers/harddog_user.c b/arch/um/drivers/harddog_user.c +index 070468d22e394..9ed89304975ed 100644 +--- a/arch/um/drivers/harddog_user.c ++++ b/arch/um/drivers/harddog_user.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include "harddog.h" + + struct dog_data { + int stdin_fd; +diff --git a/arch/um/drivers/harddog_user_exp.c b/arch/um/drivers/harddog_user_exp.c +new file mode 100644 +index 0000000000000..c74d4b815d143 +--- /dev/null ++++ b/arch/um/drivers/harddog_user_exp.c +@@ -0,0 +1,9 @@ ++// SPDX-License-Identifier: GPL-2.0 ++#include ++#include "harddog.h" ++ ++#if IS_MODULE(CONFIG_UML_WATCHDOG) ++EXPORT_SYMBOL(start_watchdog); ++EXPORT_SYMBOL(stop_watchdog); ++EXPORT_SYMBOL(ping_watchdog); ++#endif +-- +2.39.2 + diff --git a/queue-6.3/watchdog-menz069_wdt-fix-watchdog-initialisation.patch b/queue-6.3/watchdog-menz069_wdt-fix-watchdog-initialisation.patch new file mode 100644 index 00000000000..c4b666787e7 --- /dev/null +++ b/queue-6.3/watchdog-menz069_wdt-fix-watchdog-initialisation.patch @@ -0,0 +1,71 @@ +From ea6f77514fb66f7325d4536f0fa80eabf8e8561b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 19:25:30 +0200 +Subject: watchdog: menz069_wdt: fix watchdog initialisation + +From: Johannes Thumshirn + +[ Upstream commit 87b22656ca6a896d0378e9e60ffccb0c82f48b08 ] + +Doing a 'cat /dev/watchdog0' with menz069_wdt as watchdog0 will result in +a NULL pointer dereference. + +This happens because we're passing the wrong pointer to +watchdog_register_device(). Fix this by getting rid of the static +watchdog_device structure and use the one embedded into the driver's +per-instance private data. + +Signed-off-by: Johannes Thumshirn +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230418172531.177349-2-jth@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/menz69_wdt.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/drivers/watchdog/menz69_wdt.c b/drivers/watchdog/menz69_wdt.c +index 8973f98bc6a56..bca0938f3429f 100644 +--- a/drivers/watchdog/menz69_wdt.c ++++ b/drivers/watchdog/menz69_wdt.c +@@ -98,14 +98,6 @@ static const struct watchdog_ops men_z069_ops = { + .set_timeout = men_z069_wdt_set_timeout, + }; + +-static struct watchdog_device men_z069_wdt = { +- .info = &men_z069_info, +- .ops = &men_z069_ops, +- .timeout = MEN_Z069_DEFAULT_TIMEOUT, +- .min_timeout = 1, +- .max_timeout = MEN_Z069_WDT_COUNTER_MAX / MEN_Z069_TIMER_FREQ, +-}; +- + static int men_z069_probe(struct mcb_device *dev, + const struct mcb_device_id *id) + { +@@ -125,15 +117,19 @@ static int men_z069_probe(struct mcb_device *dev, + goto release_mem; + + drv->mem = mem; ++ drv->wdt.info = &men_z069_info; ++ drv->wdt.ops = &men_z069_ops; ++ drv->wdt.timeout = MEN_Z069_DEFAULT_TIMEOUT; ++ drv->wdt.min_timeout = 1; ++ drv->wdt.max_timeout = MEN_Z069_WDT_COUNTER_MAX / MEN_Z069_TIMER_FREQ; + +- drv->wdt = men_z069_wdt; + watchdog_init_timeout(&drv->wdt, 0, &dev->dev); + watchdog_set_nowayout(&drv->wdt, nowayout); + watchdog_set_drvdata(&drv->wdt, drv); + drv->wdt.parent = &dev->dev; + mcb_set_drvdata(dev, drv); + +- return watchdog_register_device(&men_z069_wdt); ++ return watchdog_register_device(&drv->wdt); + + release_mem: + mcb_release_mem(mem); +-- +2.39.2 + diff --git a/queue-6.3/wifi-b43-fix-incorrect-__packed-annotation.patch b/queue-6.3/wifi-b43-fix-incorrect-__packed-annotation.patch new file mode 100644 index 00000000000..a81084dbaab --- /dev/null +++ b/queue-6.3/wifi-b43-fix-incorrect-__packed-annotation.patch @@ -0,0 +1,69 @@ +From 7f4136a6a181d158611d962c95dacd71b9b7634c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 20:34:22 +0200 +Subject: wifi: b43: fix incorrect __packed annotation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 212457ccbd60dba34f965e4ffbe62f0e4f970538 ] + +clang warns about an unpacked structure inside of a packed one: + +drivers/net/wireless/broadcom/b43/b43.h:654:4: error: field data within 'struct b43_iv' is less aligned than 'union (unnamed union at /home/arnd/arm-soc/drivers/net/wireless/broadcom/b43/b43.h:651:2)' and is usually due to 'struct b43_iv' being packed, which can lead to unaligned accesses [-Werror,-Wunaligned-access] + +The problem here is that the anonymous union has the default alignment +from its members, apparently because the original author mixed up the +placement of the __packed attribute by placing it next to the struct +member rather than the union definition. As the struct itself is +also marked as __packed, there is no need to mark its members, so just +move the annotation to the inner type instead. + +As Michael noted, the same problem is present in b43legacy, so +change both at the same time. + +Acked-by: Michael Büsch +Reported-by: kernel test robot +Reviewed-by: Simon Horman +Tested-by: Larry Finger +Link: https://lore.kernel.org/oe-kbuild-all/202305160749.ay1HAoyP-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230516183442.536589-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/b43.h | 2 +- + drivers/net/wireless/broadcom/b43legacy/b43legacy.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/b43.h b/drivers/net/wireless/broadcom/b43/b43.h +index 9fc7c088a539e..67b4bac048e58 100644 +--- a/drivers/net/wireless/broadcom/b43/b43.h ++++ b/drivers/net/wireless/broadcom/b43/b43.h +@@ -651,7 +651,7 @@ struct b43_iv { + union { + __be16 d16; + __be32 d32; +- } data __packed; ++ } __packed data; + } __packed; + + +diff --git a/drivers/net/wireless/broadcom/b43legacy/b43legacy.h b/drivers/net/wireless/broadcom/b43legacy/b43legacy.h +index 6b0cec467938f..f49365d14619f 100644 +--- a/drivers/net/wireless/broadcom/b43legacy/b43legacy.h ++++ b/drivers/net/wireless/broadcom/b43legacy/b43legacy.h +@@ -379,7 +379,7 @@ struct b43legacy_iv { + union { + __be16 d16; + __be32 d32; +- } data __packed; ++ } __packed data; + } __packed; + + #define B43legacy_PHYMODE(phytype) (1 << (phytype)) +-- +2.39.2 + diff --git a/queue-6.3/wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch b/queue-6.3/wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch new file mode 100644 index 00000000000..796f6663b72 --- /dev/null +++ b/queue-6.3/wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch @@ -0,0 +1,50 @@ +From aa9a1b537cca4e48e61b64406131ccc6a6ff4130 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:55 +0300 +Subject: wifi: iwlwifi: mvm: Add locking to the rate read flow + +From: Ariel Malamud + +[ Upstream commit a8938bc881d2a03f9b77f19fae924fe798a01285 ] + +The rs_drv_get_rate flow reads the lq_sta to return the optimal rate +for tx frames. This read flow is not protected thereby leaving +a small window, a few instructions wide, open to contention by an +asynchronous rate update. Indeed this race condition was hit and the +update occurred in the middle of the read. + +Fix this by locking the lq_sta struct during read. + +Signed-off-by: Ariel Malamud +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.b52c9ed5c379.I15290b78e0d966c1b68278263776ca9de841d5fe@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +index 0b50b816684a0..2be6801d48aca 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +@@ -2692,6 +2692,8 @@ static void rs_drv_get_rate(void *mvm_r, struct ieee80211_sta *sta, + return; + + lq_sta = mvm_sta; ++ ++ spin_lock(&lq_sta->pers.lock); + iwl_mvm_hwrate_to_tx_rate_v1(lq_sta->last_rate_n_flags, + info->band, &info->control.rates[0]); + info->control.rates[0].count = 1; +@@ -2706,6 +2708,7 @@ static void rs_drv_get_rate(void *mvm_r, struct ieee80211_sta *sta, + iwl_mvm_hwrate_to_tx_rate_v1(last_ucode_rate, info->band, + &txrc->reported_rate); + } ++ spin_unlock(&lq_sta->pers.lock); + } + + static void *rs_drv_alloc_sta(void *mvm_rate, struct ieee80211_sta *sta, +-- +2.39.2 + diff --git a/queue-6.3/wifi-mac80211-consider-reserved-chanctx-for-mindef.patch b/queue-6.3/wifi-mac80211-consider-reserved-chanctx-for-mindef.patch new file mode 100644 index 00000000000..68ce494a2d1 --- /dev/null +++ b/queue-6.3/wifi-mac80211-consider-reserved-chanctx-for-mindef.patch @@ -0,0 +1,279 @@ +From cbecc84a603698787e5cb178609fcfd21ac992ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:45:03 +0300 +Subject: wifi: mac80211: consider reserved chanctx for mindef + +From: Johannes Berg + +[ Upstream commit b72a455a2409fd94d6d9b4eb51d659a88213243b ] + +When a chanctx is reserved for a new vif and we recalculate +the minimal definition for it, we need to consider the new +interface it's being reserved for before we assign it, so it +can be used directly with the correct min channel width. + +Fix the code to - optionally - consider that, and use that +option just before doing the reassignment. + +Also, when considering channel context reservations, we +should only consider the one link we're currently working with. +Change the boolean argument to a link pointer to do that. + +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230504134511.828474-4-gregory.greenman@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/chan.c | 72 +++++++++++++++++++++++--------------- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/util.c | 2 +- + 3 files changed, 47 insertions(+), 30 deletions(-) + +diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c +index d23d1a7b4cc39..1b182cf9d6610 100644 +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -258,7 +258,8 @@ ieee80211_get_max_required_bw(struct ieee80211_sub_if_data *sdata, + + static enum nl80211_chan_width + ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata, +- struct ieee80211_chanctx_conf *conf) ++ struct ieee80211_chanctx *ctx, ++ struct ieee80211_link_data *rsvd_for) + { + enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT; + struct ieee80211_vif *vif = &sdata->vif; +@@ -267,13 +268,14 @@ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata, + rcu_read_lock(); + for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) { + enum nl80211_chan_width width = NL80211_CHAN_WIDTH_20_NOHT; +- struct ieee80211_bss_conf *link_conf = +- rcu_dereference(sdata->vif.link_conf[link_id]); ++ struct ieee80211_link_data *link = ++ rcu_dereference(sdata->link[link_id]); + +- if (!link_conf) ++ if (!link) + continue; + +- if (rcu_access_pointer(link_conf->chanctx_conf) != conf) ++ if (link != rsvd_for && ++ rcu_access_pointer(link->conf->chanctx_conf) != &ctx->conf) + continue; + + switch (vif->type) { +@@ -287,7 +289,7 @@ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata, + * point, so take the width from the chandef, but + * account also for TDLS peers + */ +- width = max(link_conf->chandef.width, ++ width = max(link->conf->chandef.width, + ieee80211_get_max_required_bw(sdata, link_id)); + break; + case NL80211_IFTYPE_P2P_DEVICE: +@@ -296,7 +298,7 @@ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata, + case NL80211_IFTYPE_ADHOC: + case NL80211_IFTYPE_MESH_POINT: + case NL80211_IFTYPE_OCB: +- width = link_conf->chandef.width; ++ width = link->conf->chandef.width; + break; + case NL80211_IFTYPE_WDS: + case NL80211_IFTYPE_UNSPECIFIED: +@@ -316,7 +318,8 @@ ieee80211_get_chanctx_vif_max_required_bw(struct ieee80211_sub_if_data *sdata, + + static enum nl80211_chan_width + ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local, +- struct ieee80211_chanctx_conf *conf) ++ struct ieee80211_chanctx *ctx, ++ struct ieee80211_link_data *rsvd_for) + { + struct ieee80211_sub_if_data *sdata; + enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT; +@@ -328,7 +331,8 @@ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local, + if (!ieee80211_sdata_running(sdata)) + continue; + +- width = ieee80211_get_chanctx_vif_max_required_bw(sdata, conf); ++ width = ieee80211_get_chanctx_vif_max_required_bw(sdata, ctx, ++ rsvd_for); + + max_bw = max(max_bw, width); + } +@@ -336,8 +340,8 @@ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local, + /* use the configured bandwidth in case of monitor interface */ + sdata = rcu_dereference(local->monitor_sdata); + if (sdata && +- rcu_access_pointer(sdata->vif.bss_conf.chanctx_conf) == conf) +- max_bw = max(max_bw, conf->def.width); ++ rcu_access_pointer(sdata->vif.bss_conf.chanctx_conf) == &ctx->conf) ++ max_bw = max(max_bw, ctx->conf.def.width); + + rcu_read_unlock(); + +@@ -349,8 +353,10 @@ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local, + * the max of min required widths of all the interfaces bound to this + * channel context. + */ +-static u32 _ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local, +- struct ieee80211_chanctx *ctx) ++static u32 ++_ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local, ++ struct ieee80211_chanctx *ctx, ++ struct ieee80211_link_data *rsvd_for) + { + enum nl80211_chan_width max_bw; + struct cfg80211_chan_def min_def; +@@ -370,7 +376,7 @@ static u32 _ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local, + return 0; + } + +- max_bw = ieee80211_get_chanctx_max_required_bw(local, &ctx->conf); ++ max_bw = ieee80211_get_chanctx_max_required_bw(local, ctx, rsvd_for); + + /* downgrade chandef up to max_bw */ + min_def = ctx->conf.def; +@@ -448,9 +454,10 @@ static void ieee80211_chan_bw_change(struct ieee80211_local *local, + * channel context. + */ + void ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local, +- struct ieee80211_chanctx *ctx) ++ struct ieee80211_chanctx *ctx, ++ struct ieee80211_link_data *rsvd_for) + { +- u32 changed = _ieee80211_recalc_chanctx_min_def(local, ctx); ++ u32 changed = _ieee80211_recalc_chanctx_min_def(local, ctx, rsvd_for); + + if (!changed) + return; +@@ -464,10 +471,11 @@ void ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local, + ieee80211_chan_bw_change(local, ctx, false); + } + +-static void ieee80211_change_chanctx(struct ieee80211_local *local, +- struct ieee80211_chanctx *ctx, +- struct ieee80211_chanctx *old_ctx, +- const struct cfg80211_chan_def *chandef) ++static void _ieee80211_change_chanctx(struct ieee80211_local *local, ++ struct ieee80211_chanctx *ctx, ++ struct ieee80211_chanctx *old_ctx, ++ const struct cfg80211_chan_def *chandef, ++ struct ieee80211_link_data *rsvd_for) + { + u32 changed; + +@@ -492,7 +500,7 @@ static void ieee80211_change_chanctx(struct ieee80211_local *local, + ieee80211_chan_bw_change(local, old_ctx, true); + + if (cfg80211_chandef_identical(&ctx->conf.def, chandef)) { +- ieee80211_recalc_chanctx_min_def(local, ctx); ++ ieee80211_recalc_chanctx_min_def(local, ctx, rsvd_for); + return; + } + +@@ -502,7 +510,7 @@ static void ieee80211_change_chanctx(struct ieee80211_local *local, + + /* check if min chanctx also changed */ + changed = IEEE80211_CHANCTX_CHANGE_WIDTH | +- _ieee80211_recalc_chanctx_min_def(local, ctx); ++ _ieee80211_recalc_chanctx_min_def(local, ctx, rsvd_for); + drv_change_chanctx(local, ctx, changed); + + if (!local->use_chanctx) { +@@ -514,6 +522,14 @@ static void ieee80211_change_chanctx(struct ieee80211_local *local, + ieee80211_chan_bw_change(local, old_ctx, false); + } + ++static void ieee80211_change_chanctx(struct ieee80211_local *local, ++ struct ieee80211_chanctx *ctx, ++ struct ieee80211_chanctx *old_ctx, ++ const struct cfg80211_chan_def *chandef) ++{ ++ _ieee80211_change_chanctx(local, ctx, old_ctx, chandef, NULL); ++} ++ + static struct ieee80211_chanctx * + ieee80211_find_chanctx(struct ieee80211_local *local, + const struct cfg80211_chan_def *chandef, +@@ -638,7 +654,7 @@ ieee80211_alloc_chanctx(struct ieee80211_local *local, + ctx->conf.rx_chains_dynamic = 1; + ctx->mode = mode; + ctx->conf.radar_enabled = false; +- _ieee80211_recalc_chanctx_min_def(local, ctx); ++ _ieee80211_recalc_chanctx_min_def(local, ctx, NULL); + + return ctx; + } +@@ -873,12 +889,12 @@ static int ieee80211_assign_link_chanctx(struct ieee80211_link_data *link, + ieee80211_recalc_chanctx_chantype(local, curr_ctx); + ieee80211_recalc_smps_chanctx(local, curr_ctx); + ieee80211_recalc_radar_chanctx(local, curr_ctx); +- ieee80211_recalc_chanctx_min_def(local, curr_ctx); ++ ieee80211_recalc_chanctx_min_def(local, curr_ctx, NULL); + } + + if (new_ctx && ieee80211_chanctx_num_assigned(local, new_ctx) > 0) { + ieee80211_recalc_txpower(sdata, false); +- ieee80211_recalc_chanctx_min_def(local, new_ctx); ++ ieee80211_recalc_chanctx_min_def(local, new_ctx, NULL); + } + + if (sdata->vif.type != NL80211_IFTYPE_P2P_DEVICE && +@@ -1270,7 +1286,7 @@ ieee80211_link_use_reserved_reassign(struct ieee80211_link_data *link) + + ieee80211_link_update_chandef(link, &link->reserved_chandef); + +- ieee80211_change_chanctx(local, new_ctx, old_ctx, chandef); ++ _ieee80211_change_chanctx(local, new_ctx, old_ctx, chandef, link); + + vif_chsw[0].vif = &sdata->vif; + vif_chsw[0].old_ctx = &old_ctx->conf; +@@ -1300,7 +1316,7 @@ ieee80211_link_use_reserved_reassign(struct ieee80211_link_data *link) + if (ieee80211_chanctx_refcount(local, old_ctx) == 0) + ieee80211_free_chanctx(local, old_ctx); + +- ieee80211_recalc_chanctx_min_def(local, new_ctx); ++ ieee80211_recalc_chanctx_min_def(local, new_ctx, NULL); + ieee80211_recalc_smps_chanctx(local, new_ctx); + ieee80211_recalc_radar_chanctx(local, new_ctx); + +@@ -1665,7 +1681,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local) + ieee80211_recalc_chanctx_chantype(local, ctx); + ieee80211_recalc_smps_chanctx(local, ctx); + ieee80211_recalc_radar_chanctx(local, ctx); +- ieee80211_recalc_chanctx_min_def(local, ctx); ++ ieee80211_recalc_chanctx_min_def(local, ctx, NULL); + + list_for_each_entry_safe(link, link_tmp, &ctx->reserved_links, + reserved_chanctx_list) { +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index e082582e0aa28..eba7ae63fac45 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -2494,7 +2494,8 @@ int ieee80211_chanctx_refcount(struct ieee80211_local *local, + void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local, + struct ieee80211_chanctx *chanctx); + void ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local, +- struct ieee80211_chanctx *ctx); ++ struct ieee80211_chanctx *ctx, ++ struct ieee80211_link_data *rsvd_for); + bool ieee80211_is_radar_required(struct ieee80211_local *local); + + void ieee80211_dfs_cac_timer(unsigned long data); +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 8c397650b96f6..d7b382866b260 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -3007,7 +3007,7 @@ void ieee80211_recalc_min_chandef(struct ieee80211_sub_if_data *sdata, + + chanctx = container_of(chanctx_conf, struct ieee80211_chanctx, + conf); +- ieee80211_recalc_chanctx_min_def(local, chanctx); ++ ieee80211_recalc_chanctx_min_def(local, chanctx, NULL); + } + unlock: + mutex_unlock(&local->chanctx_mtx); +-- +2.39.2 + diff --git a/queue-6.3/wifi-mac80211-recalc-chanctx-mindef-before-assigning.patch b/queue-6.3/wifi-mac80211-recalc-chanctx-mindef-before-assigning.patch new file mode 100644 index 00000000000..3f56bf0ffc8 --- /dev/null +++ b/queue-6.3/wifi-mac80211-recalc-chanctx-mindef-before-assigning.patch @@ -0,0 +1,52 @@ +From c22295bd57a9fddb500f9fdc87b1d5d4f17dce75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:45:04 +0300 +Subject: wifi: mac80211: recalc chanctx mindef before assigning + +From: Johannes Berg + +[ Upstream commit 04312de4ced4b152749614e8179f3978a20a992f ] + +When we allocate a new channel context, or find an existing one +that is compatible, we currently assign it to a link before its +mindef is updated. This leads to strange situations, especially +in link switching where you switch to an 80 MHz link and expect +it to be active immediately, but the mindef is still configured +to 20 MHz while assigning. Also, it's strange that the chandef +passed to the assign method's argument is wider than the one in +the context. + +Fix this by calculating the mindef with the new link considered +before calling the driver. + +In particular, this fixes an iwlwifi problem during link switch +where the firmware would assert because the (link) station that +was added for the AP is configured to transmit at a bandwidth +that's wider than the channel context that it's configured on. + +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230504134511.828474-5-gregory.greenman@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/chan.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c +index 1b182cf9d6610..77c90ed8f5d7d 100644 +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -871,6 +871,9 @@ static int ieee80211_assign_link_chanctx(struct ieee80211_link_data *link, + } + + if (new_ctx) { ++ /* recalc considering the link we'll use it for now */ ++ ieee80211_recalc_chanctx_min_def(local, new_ctx, link); ++ + ret = drv_assign_vif_chanctx(local, sdata, link->conf, new_ctx); + if (ret) + goto out; +-- +2.39.2 + diff --git a/queue-6.3/wifi-mac80211-simplify-chanctx-allocation.patch b/queue-6.3/wifi-mac80211-simplify-chanctx-allocation.patch new file mode 100644 index 00000000000..548eeb1188f --- /dev/null +++ b/queue-6.3/wifi-mac80211-simplify-chanctx-allocation.patch @@ -0,0 +1,38 @@ +From d9380878db486797fdae63afd5ff578e62a6f6e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:45:02 +0300 +Subject: wifi: mac80211: simplify chanctx allocation + +From: Johannes Berg + +[ Upstream commit 860e1b43da94551cd1e73adc36b3c64cc3e5dc01 ] + +There's no need to call ieee80211_recalc_chanctx_min_def() +since it cannot and won't call the driver anyway; just use +_ieee80211_recalc_chanctx_min_def() instead. + +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230504134511.828474-3-gregory.greenman@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/chan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c +index dbc34fbe7c8f4..d23d1a7b4cc39 100644 +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -638,7 +638,7 @@ ieee80211_alloc_chanctx(struct ieee80211_local *local, + ctx->conf.rx_chains_dynamic = 1; + ctx->mode = mode; + ctx->conf.radar_enabled = false; +- ieee80211_recalc_chanctx_min_def(local, ctx); ++ _ieee80211_recalc_chanctx_min_def(local, ctx); + + return ctx; + } +-- +2.39.2 + diff --git a/queue-6.3/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch b/queue-6.3/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch new file mode 100644 index 00000000000..8fd5e689958 --- /dev/null +++ b/queue-6.3/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch @@ -0,0 +1,73 @@ +From 0a7bad2f807754fb399c88f5aa89848d916152d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:20:55 +0800 +Subject: wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value + +From: Yun Lu + +[ Upstream commit 20429444e653ee8242dfbf815c0c37866beb371b ] + +When using rtl8192cu with rtl8xxxu driver to connect wifi, there is a +probability of failure, which shows "authentication with ... timed out". +Through debugging, it was found that the RCR register has been inexplicably +modified to an incorrect value, resulting in the nic not being able to +receive authenticated frames. + +To fix this problem, add regrcr in rtl8xxxu_priv struct, and store +the RCR value every time the register is written, and use it the next +time the register need to be modified. + +Signed-off-by: Yun Lu +Link: https://lore.kernel.org/all/20230427020512.1221062-1-luyun_611@163.com +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230512012055.2990472-1-luyun_611@163.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 1 + + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +index c8cee4a247551..4088aaa1c618d 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +@@ -1518,6 +1518,7 @@ struct rtl8xxxu_priv { + u32 rege9c; + u32 regeb4; + u32 regebc; ++ u32 regrcr; + int next_mbox; + int nr_out_eps; + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 54ca6f2ced3f3..74ff5130971e2 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -4049,6 +4049,7 @@ static int rtl8xxxu_init_device(struct ieee80211_hw *hw) + RCR_ACCEPT_MGMT_FRAME | RCR_HTC_LOC_CTRL | + RCR_APPEND_PHYSTAT | RCR_APPEND_ICV | RCR_APPEND_MIC; + rtl8xxxu_write32(priv, REG_RCR, val32); ++ priv->regrcr = val32; + + if (priv->rtl_chip == RTL8188F) { + /* Accept all data frames */ +@@ -6269,7 +6270,7 @@ static void rtl8xxxu_configure_filter(struct ieee80211_hw *hw, + unsigned int *total_flags, u64 multicast) + { + struct rtl8xxxu_priv *priv = hw->priv; +- u32 rcr = rtl8xxxu_read32(priv, REG_RCR); ++ u32 rcr = priv->regrcr; + + dev_dbg(&priv->udev->dev, "%s: changed_flags %08x, total_flags %08x\n", + __func__, changed_flags, *total_flags); +@@ -6315,6 +6316,7 @@ static void rtl8xxxu_configure_filter(struct ieee80211_hw *hw, + */ + + rtl8xxxu_write32(priv, REG_RCR, rcr); ++ priv->regrcr = rcr; + + *total_flags &= (FIF_ALLMULTI | FIF_FCSFAIL | FIF_BCN_PRBRESP_PROMISC | + FIF_CONTROL | FIF_OTHER_BSS | FIF_PSPOLL | +-- +2.39.2 + diff --git a/queue-6.3/xfrm-check-if_id-in-inbound-policy-secpath-match.patch b/queue-6.3/xfrm-check-if_id-in-inbound-policy-secpath-match.patch new file mode 100644 index 00000000000..9c350c3a0b1 --- /dev/null +++ b/queue-6.3/xfrm-check-if_id-in-inbound-policy-secpath-match.patch @@ -0,0 +1,79 @@ +From 0d476ee3d9da69333b195fb411299ade41903bb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 01:14:14 +0000 +Subject: xfrm: Check if_id in inbound policy/secpath match + +From: Benedict Wong + +[ Upstream commit 8680407b6f8f5fba59e8f1d63c869abc280f04df ] + +This change ensures that if configured in the policy, the if_id set in +the policy and secpath states match during the inbound policy check. +Without this, there is potential for ambiguity where entries in the +secpath differing by only the if_id could be mismatched. + +Notably, this is checked in the outbound direction when resolving +templates to SAs, but not on the inbound path when matching SAs and +policies. + +Test: Tested against Android kernel unit tests & CTS +Signed-off-by: Benedict Wong +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 21a3a1cd3d6de..6d15788b51231 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3312,7 +3312,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl) + + static inline int + xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, +- unsigned short family) ++ unsigned short family, u32 if_id) + { + if (xfrm_state_kern(x)) + return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family); +@@ -3323,7 +3323,8 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, + (tmpl->allalgs || (tmpl->aalgos & (1<props.aalgo)) || + !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) && + !(x->props.mode != XFRM_MODE_TRANSPORT && +- xfrm_state_addr_cmp(tmpl, x, family)); ++ xfrm_state_addr_cmp(tmpl, x, family)) && ++ (if_id == 0 || if_id == x->if_id); + } + + /* +@@ -3335,7 +3336,7 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, + */ + static inline int + xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start, +- unsigned short family) ++ unsigned short family, u32 if_id) + { + int idx = start; + +@@ -3345,7 +3346,7 @@ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int star + } else + start = -1; + for (; idx < sp->len; idx++) { +- if (xfrm_state_ok(tmpl, sp->xvec[idx], family)) ++ if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id)) + return ++idx; + if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) { + if (start == -1) +@@ -3724,7 +3725,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + * are implied between each two transformations. + */ + for (i = xfrm_nr-1, k = 0; i >= 0; i--) { +- k = xfrm_policy_ok(tpp[i], sp, k, family); ++ k = xfrm_policy_ok(tpp[i], sp, k, family, if_id); + if (k < 0) { + if (k < -1) + /* "-2 - errored_index" returned */ +-- +2.39.2 +