From: Sasha Levin Date: Sun, 18 Jun 2023 14:10:50 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.14.319~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f506442ff882c460ff97df9260c68ff517a0df1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/afs-fix-vlserver-probe-rtt-handling.patch b/queue-5.10/afs-fix-vlserver-probe-rtt-handling.patch new file mode 100644 index 00000000000..3ec7285d01c --- /dev/null +++ b/queue-5.10/afs-fix-vlserver-probe-rtt-handling.patch @@ -0,0 +1,48 @@ +From 68adafd693d382fe9c7cc671b5c70b3f342e49b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 22:39:39 +0100 +Subject: afs: Fix vlserver probe RTT handling + +From: David Howells + +[ Upstream commit ba00b190670809c1a89326d80de96d714f6004f2 ] + +In the same spirit as commit ca57f02295f1 ("afs: Fix fileserver probe +RTT handling"), don't rule out using a vlserver just because there +haven't been enough packets yet to calculate a real rtt. Always set the +server's probe rtt from the estimate provided by rxrpc_kernel_get_srtt, +which is capped at 1 second. + +This could lead to EDESTADDRREQ errors when accessing a cell for the +first time, even though the vl servers are known and have responded to a +probe. + +Fixes: 1d4adfaf6574 ("rxrpc: Make rxrpc_kernel_get_srtt() indicate validity") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +cc: linux-afs@lists.infradead.org +Link: http://lists.infradead.org/pipermail/linux-afs/2023-June/006746.html +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/vl_probe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/vl_probe.c b/fs/afs/vl_probe.c +index d1c7068b4346f..58452b86e6727 100644 +--- a/fs/afs/vl_probe.c ++++ b/fs/afs/vl_probe.c +@@ -115,8 +115,8 @@ void afs_vlserver_probe_result(struct afs_call *call) + } + } + +- if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) && +- rtt_us < server->probe.rtt) { ++ rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us); ++ if (rtt_us < server->probe.rtt) { + server->probe.rtt = rtt_us; + server->rtt = rtt_us; + alist->preferred = index; +-- +2.39.2 + diff --git a/queue-5.10/drm-nouveau-add-nv_encoder-pointer-check-for-null.patch b/queue-5.10/drm-nouveau-add-nv_encoder-pointer-check-for-null.patch new file mode 100644 index 00000000000..3b797f0c0e2 --- /dev/null +++ b/queue-5.10/drm-nouveau-add-nv_encoder-pointer-check-for-null.patch @@ -0,0 +1,43 @@ +From 832a2a94c4665de2658732e2da54ccf3b1070324 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 13:33:20 +0300 +Subject: drm/nouveau: add nv_encoder pointer check for NULL + +From: Natalia Petrova + +[ Upstream commit 55b94bb8c42464bad3d2217f6874aa1a85664eac ] + +Pointer nv_encoder could be dereferenced at nouveau_connector.c +in case it's equal to NULL by jumping to goto label. +This patch adds a NULL-check to avoid it. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 3195c5f9784a ("drm/nouveau: set encoder for lvds") +Signed-off-by: Natalia Petrova +Reviewed-by: Lyude Paul +[Fixed patch title] +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230512103320.82234-1-n.petrova@fintech.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 7478f2a1411e6..b8884272d65e0 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -726,7 +726,8 @@ nouveau_connector_detect_lvds(struct drm_connector *connector, bool force) + #endif + + nouveau_connector_set_edid(nv_connector, edid); +- nouveau_connector_set_encoder(connector, nv_encoder); ++ if (nv_encoder) ++ nouveau_connector_set_encoder(connector, nv_encoder); + return status; + } + +-- +2.39.2 + diff --git a/queue-5.10/drm-nouveau-don-t-detect-dsm-for-non-nvidia-device.patch b/queue-5.10/drm-nouveau-don-t-detect-dsm-for-non-nvidia-device.patch new file mode 100644 index 00000000000..947b96b9e99 --- /dev/null +++ b/queue-5.10/drm-nouveau-don-t-detect-dsm-for-non-nvidia-device.patch @@ -0,0 +1,62 @@ +From 05192c6625bc623e3e9955a0d5fddde6f2d884ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 04:11:56 +0700 +Subject: drm/nouveau: don't detect DSM for non-NVIDIA device + +From: Ratchanan Srirattanamet + +[ Upstream commit 11d24327c2d7ad7f24fcc44fb00e1fa91ebf6525 ] + +The call site of nouveau_dsm_pci_probe() uses single set of output +variables for all invocations. So, we must not write anything to them +unless it's an NVIDIA device. Otherwise, if we are called with another +device after the NVIDIA device, we'll clober the result of the NVIDIA +device. + +For example, if the other device doesn't have _PR3 resources, the +detection later would miss the presence of power resource support, and +the rest of the code will keep using Optimus DSM, breaking power +management for that machine. + +Also, because we're detecting NVIDIA's DSM, it doesn't make sense to run +this detection on a non-NVIDIA device anyway. Thus, check at the +beginning of the detection code if this is an NVIDIA card, and just +return if it isn't. + +This, together with commit d22915d22ded ("drm/nouveau/devinit/tu102-: +wait for GFW_BOOT_PROGRESS == COMPLETED") developed independently and +landed earlier, fixes runtime power management of the NVIDIA card in +Lenovo Legion 5-15ARH05. Without this patch, the GPU resumption code +will "timeout", sometimes hanging userspace. + +As a bonus, we'll also stop preventing _PR3 usage from the bridge for +unrelated devices, which is always nice, I guess. + +Fixes: ccfc2d5cdb02 ("drm/nouveau: Use generic helper to check _PR3 presence") +Signed-off-by: Ratchanan Srirattanamet +Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/79 +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/DM6PR19MB2780805D4BE1E3F9B3AC96D0BC409@DM6PR19MB2780.namprd19.prod.outlook.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_acpi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c +index 69a84d0197d0a..7b946d44ab2c1 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c ++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c +@@ -220,6 +220,9 @@ static void nouveau_dsm_pci_probe(struct pci_dev *pdev, acpi_handle *dhandle_out + int optimus_funcs; + struct pci_dev *parent_pdev; + ++ if (pdev->vendor != PCI_VENDOR_ID_NVIDIA) ++ return; ++ + *has_pr3 = false; + parent_pdev = pci_upstream_bridge(pdev); + if (parent_pdev) { +-- +2.39.2 + diff --git a/queue-5.10/drm-nouveau-dp-check-for-null-nv_connector-native_mo.patch b/queue-5.10/drm-nouveau-dp-check-for-null-nv_connector-native_mo.patch new file mode 100644 index 00000000000..9f0456f5380 --- /dev/null +++ b/queue-5.10/drm-nouveau-dp-check-for-null-nv_connector-native_mo.patch @@ -0,0 +1,53 @@ +From 44f973858ae0211ded9d9a068d946ffe825ca075 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 14:15:26 +0300 +Subject: drm/nouveau/dp: check for NULL nv_connector->native_mode + +From: Natalia Petrova + +[ Upstream commit 20a2ce87fbaf81e4c3dcb631d738e423959eb320 ] + +Add checking for NULL before calling nouveau_connector_detect_depth() in +nouveau_connector_get_modes() function because nv_connector->native_mode +could be dereferenced there since connector pointer passed to +nouveau_connector_detect_depth() and the same value of +nv_connector->native_mode is used there. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d4c2c99bdc83 ("drm/nouveau/dp: remove broken display depth function, use the improved one") + +Signed-off-by: Natalia Petrova +Reviewed-by: Lyude Paul +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230512111526.82408-1-n.petrova@fintech.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 9542fc63e7968..7478f2a1411e6 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -946,7 +946,7 @@ nouveau_connector_get_modes(struct drm_connector *connector) + /* Determine display colour depth for everything except LVDS now, + * DP requires this before mode_valid() is called. + */ +- if (connector->connector_type != DRM_MODE_CONNECTOR_LVDS) ++ if (connector->connector_type != DRM_MODE_CONNECTOR_LVDS && nv_connector->native_mode) + nouveau_connector_detect_depth(connector); + + /* Find the native mode if this is a digital panel, if we didn't +@@ -967,7 +967,7 @@ nouveau_connector_get_modes(struct drm_connector *connector) + * "native" mode as some VBIOS tables require us to use the + * pixel clock as part of the lookup... + */ +- if (connector->connector_type == DRM_MODE_CONNECTOR_LVDS) ++ if (connector->connector_type == DRM_MODE_CONNECTOR_LVDS && nv_connector->native_mode) + nouveau_connector_detect_depth(connector); + + if (nv_encoder->dcb->type == DCB_OUTPUT_TV) +-- +2.39.2 + diff --git a/queue-5.10/ext4-drop-the-call-to-ext4_error-from-ext4_get_group.patch b/queue-5.10/ext4-drop-the-call-to-ext4_error-from-ext4_get_group.patch new file mode 100644 index 00000000000..ca02c852ba0 --- /dev/null +++ b/queue-5.10/ext4-drop-the-call-to-ext4_error-from-ext4_get_group.patch @@ -0,0 +1,64 @@ +From da4da871f565906cbed3e0fc61191847cf6eff54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 12:02:55 +0200 +Subject: ext4: drop the call to ext4_error() from ext4_get_group_info() + +From: Fabio M. De Francesco + +[ Upstream commit f451fd97dd2b78f286379203a47d9d295c467255 ] + +A recent patch added a call to ext4_error() which is problematic since +some callers of the ext4_get_group_info() function may be holding a +spinlock, whereas ext4_error() must never be called in atomic context. + +This triggered a report from Syzbot: "BUG: sleeping function called from +invalid context in ext4_update_super" (see the link below). + +Therefore, drop the call to ext4_error() from ext4_get_group_info(). In +the meantime use eight characters tabs instead of nine characters ones. + +Reported-by: syzbot+4acc7d910e617b360859@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/00000000000070575805fdc6cdb2@google.com/ +Fixes: 5354b2af3406 ("ext4: allow ext4_get_group_info() to fail") +Suggested-by: Theodore Ts'o +Signed-off-by: Fabio M. De Francesco +Link: https://lore.kernel.org/r/20230614100446.14337-1-fmdefrancesco@gmail.com +Signed-off-by: Sasha Levin +--- + fs/ext4/balloc.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index a43167042b6b1..4efe71efe1277 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -322,17 +322,15 @@ static ext4_fsblk_t ext4_valid_block_bitmap_padding(struct super_block *sb, + struct ext4_group_info *ext4_get_group_info(struct super_block *sb, + ext4_group_t group) + { +- struct ext4_group_info **grp_info; +- long indexv, indexh; +- +- if (unlikely(group >= EXT4_SB(sb)->s_groups_count)) { +- ext4_error(sb, "invalid group %u", group); +- return NULL; +- } +- indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb)); +- indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1); +- grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv); +- return grp_info[indexh]; ++ struct ext4_group_info **grp_info; ++ long indexv, indexh; ++ ++ if (unlikely(group >= EXT4_SB(sb)->s_groups_count)) ++ return NULL; ++ indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb)); ++ indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1); ++ grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv); ++ return grp_info[indexh]; + } + + /* +-- +2.39.2 + diff --git a/queue-5.10/iavf-remove-mask-from-iavf_irq_enable_queues.patch b/queue-5.10/iavf-remove-mask-from-iavf_irq_enable_queues.patch new file mode 100644 index 00000000000..0182d945e72 --- /dev/null +++ b/queue-5.10/iavf-remove-mask-from-iavf_irq_enable_queues.patch @@ -0,0 +1,103 @@ +From 5ac309abbb93661d4c8c7f6bd87453e48757d74e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 13:02:26 -0700 +Subject: iavf: remove mask from iavf_irq_enable_queues() + +From: Ahmed Zaki + +[ Upstream commit c37cf54c12cfaa51e7aaf88708167b0d3259e64e ] + +Enable more than 32 IRQs by removing the u32 bit mask in +iavf_irq_enable_queues(). There is no need for the mask as there are no +callers that select individual IRQs through the bitmask. Also, if the PF +allocates more than 32 IRQs, this mask will prevent us from using all of +them. + +Modify the comment in iavf_register.h to show that the maximum number +allowed for the IRQ index is 63 as per the iAVF standard 1.0 [1]. + +link: [1] https://www.intel.com/content/dam/www/public/us/en/documents/product-specifications/ethernet-adaptive-virtual-function-hardware-spec.pdf +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Ahmed Zaki +Tested-by: Rafal Romanowski +Reviewed-by: Simon Horman +Reviewed-by: Maciej Fijalkowski +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230608200226.451861-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 +- + drivers/net/ethernet/intel/iavf/iavf_main.c | 15 ++++++--------- + drivers/net/ethernet/intel/iavf/iavf_register.h | 2 +- + 3 files changed, 8 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index a994a2970ab24..6a6b5f6e8276d 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -398,7 +398,7 @@ void iavf_set_ethtool_ops(struct net_device *netdev); + void iavf_update_stats(struct iavf_adapter *adapter); + void iavf_reset_interrupt_capability(struct iavf_adapter *adapter); + int iavf_init_interrupt_scheme(struct iavf_adapter *adapter); +-void iavf_irq_enable_queues(struct iavf_adapter *adapter, u32 mask); ++void iavf_irq_enable_queues(struct iavf_adapter *adapter); + void iavf_free_all_tx_resources(struct iavf_adapter *adapter); + void iavf_free_all_rx_resources(struct iavf_adapter *adapter); + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index ae96b552a3bb3..e45f3a1a11f36 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -234,21 +234,18 @@ static void iavf_irq_disable(struct iavf_adapter *adapter) + } + + /** +- * iavf_irq_enable_queues - Enable interrupt for specified queues ++ * iavf_irq_enable_queues - Enable interrupt for all queues + * @adapter: board private structure +- * @mask: bitmap of queues to enable + **/ +-void iavf_irq_enable_queues(struct iavf_adapter *adapter, u32 mask) ++void iavf_irq_enable_queues(struct iavf_adapter *adapter) + { + struct iavf_hw *hw = &adapter->hw; + int i; + + for (i = 1; i < adapter->num_msix_vectors; i++) { +- if (mask & BIT(i - 1)) { +- wr32(hw, IAVF_VFINT_DYN_CTLN1(i - 1), +- IAVF_VFINT_DYN_CTLN1_INTENA_MASK | +- IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK); +- } ++ wr32(hw, IAVF_VFINT_DYN_CTLN1(i - 1), ++ IAVF_VFINT_DYN_CTLN1_INTENA_MASK | ++ IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK); + } + } + +@@ -262,7 +259,7 @@ void iavf_irq_enable(struct iavf_adapter *adapter, bool flush) + struct iavf_hw *hw = &adapter->hw; + + iavf_misc_irq_enable(adapter); +- iavf_irq_enable_queues(adapter, ~0); ++ iavf_irq_enable_queues(adapter); + + if (flush) + iavf_flush(hw); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_register.h b/drivers/net/ethernet/intel/iavf/iavf_register.h +index bf793332fc9d5..a19e88898a0bb 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_register.h ++++ b/drivers/net/ethernet/intel/iavf/iavf_register.h +@@ -40,7 +40,7 @@ + #define IAVF_VFINT_DYN_CTL01_INTENA_MASK IAVF_MASK(0x1, IAVF_VFINT_DYN_CTL01_INTENA_SHIFT) + #define IAVF_VFINT_DYN_CTL01_ITR_INDX_SHIFT 3 + #define IAVF_VFINT_DYN_CTL01_ITR_INDX_MASK IAVF_MASK(0x3, IAVF_VFINT_DYN_CTL01_ITR_INDX_SHIFT) +-#define IAVF_VFINT_DYN_CTLN1(_INTVF) (0x00003800 + ((_INTVF) * 4)) /* _i=0...15 */ /* Reset: VFR */ ++#define IAVF_VFINT_DYN_CTLN1(_INTVF) (0x00003800 + ((_INTVF) * 4)) /* _i=0...63 */ /* Reset: VFR */ + #define IAVF_VFINT_DYN_CTLN1_INTENA_SHIFT 0 + #define IAVF_VFINT_DYN_CTLN1_INTENA_MASK IAVF_MASK(0x1, IAVF_VFINT_DYN_CTLN1_INTENA_SHIFT) + #define IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_SHIFT 2 +-- +2.39.2 + diff --git a/queue-5.10/ib-isert-fix-dead-lock-in-ib_isert.patch b/queue-5.10/ib-isert-fix-dead-lock-in-ib_isert.patch new file mode 100644 index 00000000000..be859684cec --- /dev/null +++ b/queue-5.10/ib-isert-fix-dead-lock-in-ib_isert.patch @@ -0,0 +1,121 @@ +From 415deb58c9c7fb0f5b6e6ae9398101337112497c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 03:25:29 -0700 +Subject: IB/isert: Fix dead lock in ib_isert + +From: Saravanan Vajravel + +[ Upstream commit 691b0480933f0ce88a81ed1d1a0aff340ff6293a ] + +- When a iSER session is released, ib_isert module is taking a mutex + lock and releasing all pending connections. As part of this, ib_isert + is destroying rdma cm_id. To destroy cm_id, rdma_cm module is sending + CM events to CMA handler of ib_isert. This handler is taking same + mutex lock. Hence it leads to deadlock between ib_isert & rdma_cm + modules. + +- For fix, created local list of pending connections and release the + connection outside of mutex lock. + +Calltrace: +--------- +[ 1229.791410] INFO: task kworker/10:1:642 blocked for more than 120 seconds. +[ 1229.791416] Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1 +[ 1229.791418] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 1229.791419] task:kworker/10:1 state:D stack: 0 pid: 642 ppid: 2 flags:0x80004000 +[ 1229.791424] Workqueue: ib_cm cm_work_handler [ib_cm] +[ 1229.791436] Call Trace: +[ 1229.791438] __schedule+0x2d1/0x830 +[ 1229.791445] ? select_idle_sibling+0x23/0x6f0 +[ 1229.791449] schedule+0x35/0xa0 +[ 1229.791451] schedule_preempt_disabled+0xa/0x10 +[ 1229.791453] __mutex_lock.isra.7+0x310/0x420 +[ 1229.791456] ? select_task_rq_fair+0x351/0x990 +[ 1229.791459] isert_cma_handler+0x224/0x330 [ib_isert] +[ 1229.791463] ? ttwu_queue_wakelist+0x159/0x170 +[ 1229.791466] cma_cm_event_handler+0x25/0xd0 [rdma_cm] +[ 1229.791474] cma_ib_handler+0xa7/0x2e0 [rdma_cm] +[ 1229.791478] cm_process_work+0x22/0xf0 [ib_cm] +[ 1229.791483] cm_work_handler+0xf4/0xf30 [ib_cm] +[ 1229.791487] ? move_linked_works+0x6e/0xa0 +[ 1229.791490] process_one_work+0x1a7/0x360 +[ 1229.791491] ? create_worker+0x1a0/0x1a0 +[ 1229.791493] worker_thread+0x30/0x390 +[ 1229.791494] ? create_worker+0x1a0/0x1a0 +[ 1229.791495] kthread+0x10a/0x120 +[ 1229.791497] ? set_kthread_struct+0x40/0x40 +[ 1229.791499] ret_from_fork+0x1f/0x40 + +[ 1229.791739] INFO: task targetcli:28666 blocked for more than 120 seconds. +[ 1229.791740] Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1 +[ 1229.791741] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 1229.791742] task:targetcli state:D stack: 0 pid:28666 ppid: 5510 flags:0x00004080 +[ 1229.791743] Call Trace: +[ 1229.791744] __schedule+0x2d1/0x830 +[ 1229.791746] schedule+0x35/0xa0 +[ 1229.791748] schedule_preempt_disabled+0xa/0x10 +[ 1229.791749] __mutex_lock.isra.7+0x310/0x420 +[ 1229.791751] rdma_destroy_id+0x15/0x20 [rdma_cm] +[ 1229.791755] isert_connect_release+0x115/0x130 [ib_isert] +[ 1229.791757] isert_free_np+0x87/0x140 [ib_isert] +[ 1229.791761] iscsit_del_np+0x74/0x120 [iscsi_target_mod] +[ 1229.791776] lio_target_np_driver_store+0xe9/0x140 [iscsi_target_mod] +[ 1229.791784] configfs_write_file+0xb2/0x110 +[ 1229.791788] vfs_write+0xa5/0x1a0 +[ 1229.791792] ksys_write+0x4f/0xb0 +[ 1229.791794] do_syscall_64+0x5b/0x1a0 +[ 1229.791798] entry_SYSCALL_64_after_hwframe+0x65/0xca + +Fixes: bd3792205aae ("iser-target: Fix pending connections handling in target stack shutdown sequnce") +Reviewed-by: Sagi Grimberg +Signed-off-by: Selvin Xavier +Signed-off-by: Saravanan Vajravel +Link: https://lore.kernel.org/r/20230606102531.162967-2-saravanan.vajravel@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/isert/ib_isert.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index 2d0d966fba2c8..988b957107cc1 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2421,6 +2421,7 @@ isert_free_np(struct iscsi_np *np) + { + struct isert_np *isert_np = np->np_context; + struct isert_conn *isert_conn, *n; ++ LIST_HEAD(drop_conn_list); + + if (isert_np->cm_id) + rdma_destroy_id(isert_np->cm_id); +@@ -2440,7 +2441,7 @@ isert_free_np(struct iscsi_np *np) + node) { + isert_info("cleaning isert_conn %p state (%d)\n", + isert_conn, isert_conn->state); +- isert_connect_release(isert_conn); ++ list_move_tail(&isert_conn->node, &drop_conn_list); + } + } + +@@ -2451,11 +2452,16 @@ isert_free_np(struct iscsi_np *np) + node) { + isert_info("cleaning isert_conn %p state (%d)\n", + isert_conn, isert_conn->state); +- isert_connect_release(isert_conn); ++ list_move_tail(&isert_conn->node, &drop_conn_list); + } + } + mutex_unlock(&isert_np->mutex); + ++ list_for_each_entry_safe(isert_conn, n, &drop_conn_list, node) { ++ list_del_init(&isert_conn->node); ++ isert_connect_release(isert_conn); ++ } ++ + np->np_context = NULL; + kfree(isert_np); + } +-- +2.39.2 + diff --git a/queue-5.10/ib-isert-fix-incorrect-release-of-isert-connection.patch b/queue-5.10/ib-isert-fix-incorrect-release-of-isert-connection.patch new file mode 100644 index 00000000000..81a0b93baa5 --- /dev/null +++ b/queue-5.10/ib-isert-fix-incorrect-release-of-isert-connection.patch @@ -0,0 +1,45 @@ +From 93ae9e8512524393a70459dfb2a84043b145e16e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 03:25:31 -0700 +Subject: IB/isert: Fix incorrect release of isert connection + +From: Saravanan Vajravel + +[ Upstream commit 699826f4e30ab76a62c238c86fbef7e826639c8d ] + +The ib_isert module is releasing the isert connection both in +isert_wait_conn() handler as well as isert_free_conn() handler. +In isert_wait_conn() handler, it is expected to wait for iSCSI +session logout operation to complete. It should free the isert +connection only in isert_free_conn() handler. + +When a bunch of iSER target is cleared, this issue can lead to +use-after-free memory issue as isert conn is twice released + +Fixes: b02efbfc9a05 ("iser-target: Fix implicit termination of connections") +Reviewed-by: Sagi Grimberg +Signed-off-by: Saravanan Vajravel +Signed-off-by: Selvin Xavier +Link: https://lore.kernel.org/r/20230606102531.162967-4-saravanan.vajravel@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/isert/ib_isert.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index ed375f517e8ac..7cd90604502ec 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2560,8 +2560,6 @@ static void isert_wait_conn(struct iscsi_conn *conn) + isert_put_unsol_pending_cmds(conn); + isert_wait4cmds(conn); + isert_wait4logout(isert_conn); +- +- queue_work(isert_release_wq, &isert_conn->release_work); + } + + static void isert_free_conn(struct iscsi_conn *conn) +-- +2.39.2 + diff --git a/queue-5.10/ib-isert-fix-possible-list-corruption-in-cma-handler.patch b/queue-5.10/ib-isert-fix-possible-list-corruption-in-cma-handler.patch new file mode 100644 index 00000000000..7fd96b2d9a4 --- /dev/null +++ b/queue-5.10/ib-isert-fix-possible-list-corruption-in-cma-handler.patch @@ -0,0 +1,45 @@ +From bc3f6f6beecc00ebdbc61451e8ff4e6e9946b24b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 03:25:30 -0700 +Subject: IB/isert: Fix possible list corruption in CMA handler + +From: Saravanan Vajravel + +[ Upstream commit 7651e2d6c5b359a28c2d4c904fec6608d1021ca8 ] + +When ib_isert module receives connection error event, it is +releasing the isert session and removes corresponding list +node but it doesn't take appropriate mutex lock to remove +the list node. This can lead to linked list corruption + +Fixes: bd3792205aae ("iser-target: Fix pending connections handling in target stack shutdown sequnce") +Signed-off-by: Selvin Xavier +Signed-off-by: Saravanan Vajravel +Link: https://lore.kernel.org/r/20230606102531.162967-3-saravanan.vajravel@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/isert/ib_isert.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index 988b957107cc1..ed375f517e8ac 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -656,9 +656,13 @@ static int + isert_connect_error(struct rdma_cm_id *cma_id) + { + struct isert_conn *isert_conn = cma_id->qp->qp_context; ++ struct isert_np *isert_np = cma_id->context; + + ib_drain_qp(isert_conn->qp); ++ ++ mutex_lock(&isert_np->mutex); + list_del_init(&isert_conn->node); ++ mutex_unlock(&isert_np->mutex); + isert_conn->cm_id = NULL; + isert_put_conn(isert_conn); + +-- +2.39.2 + diff --git a/queue-5.10/ib-uverbs-fix-to-consider-event-queue-closing-also-u.patch b/queue-5.10/ib-uverbs-fix-to-consider-event-queue-closing-also-u.patch new file mode 100644 index 00000000000..fc470361a35 --- /dev/null +++ b/queue-5.10/ib-uverbs-fix-to-consider-event-queue-closing-also-u.patch @@ -0,0 +1,69 @@ +From c5f6e73cd7c969c33d5fe7042027ddd32a28b231 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 13:33:25 +0300 +Subject: IB/uverbs: Fix to consider event queue closing also upon non-blocking + mode + +From: Yishai Hadas + +[ Upstream commit 62fab312fa1683e812e605db20d4f22de3e3fb2f ] + +Fix ib_uverbs_event_read() to consider event queue closing also upon +non-blocking mode. + +Once the queue is closed (e.g. hot-plug flow) all the existing events +are cleaned-up as part of ib_uverbs_free_event_queue(). + +An application that uses the non-blocking FD mode should get -EIO in +that case to let it knows that the device was removed already. + +Otherwise, it can loose the indication that the device was removed and +won't recover. + +As part of that, refactor the code to have a single flow with regards to +'is_closed' for both blocking and non-blocking modes. + +Fixes: 14e23bd6d221 ("RDMA/core: Fix locking in ib_uverbs_event_read") +Reviewed-by: Maor Gottlieb +Signed-off-by: Yishai Hadas +Link: https://lore.kernel.org/r/97b00116a1e1e13f8dc4ec38a5ea81cf8c030210.1685960567.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/uverbs_main.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c +index 4bb7c642f80c4..099f5acc749e5 100644 +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -222,8 +222,12 @@ static ssize_t ib_uverbs_event_read(struct ib_uverbs_event_queue *ev_queue, + spin_lock_irq(&ev_queue->lock); + + while (list_empty(&ev_queue->event_list)) { +- spin_unlock_irq(&ev_queue->lock); ++ if (ev_queue->is_closed) { ++ spin_unlock_irq(&ev_queue->lock); ++ return -EIO; ++ } + ++ spin_unlock_irq(&ev_queue->lock); + if (filp->f_flags & O_NONBLOCK) + return -EAGAIN; + +@@ -233,12 +237,6 @@ static ssize_t ib_uverbs_event_read(struct ib_uverbs_event_queue *ev_queue, + return -ERESTARTSYS; + + spin_lock_irq(&ev_queue->lock); +- +- /* If device was disassociated and no event exists set an error */ +- if (list_empty(&ev_queue->event_list) && ev_queue->is_closed) { +- spin_unlock_irq(&ev_queue->lock); +- return -EIO; +- } + } + + event = list_entry(ev_queue->event_list.next, struct ib_uverbs_event, list); +-- +2.39.2 + diff --git a/queue-5.10/igb-fix-nvm.ops.read-error-handling.patch b/queue-5.10/igb-fix-nvm.ops.read-error-handling.patch new file mode 100644 index 00000000000..6b8bb1d8c9b --- /dev/null +++ b/queue-5.10/igb-fix-nvm.ops.read-error-handling.patch @@ -0,0 +1,44 @@ +From 77eb6ffe096dbd708b01c568ad91b33c9a4d32b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 17:44:14 +0200 +Subject: igb: fix nvm.ops.read() error handling + +From: Aleksandr Loktionov + +[ Upstream commit 48a821fd58837800750ec1b3962f0f799630a844 ] + +Add error handling into igb_set_eeprom() function, in case +nvm.ops.read() fails just quit with error code asap. + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c +index 5e3b0a5843a8e..d9de3b8115431 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c ++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c +@@ -822,6 +822,8 @@ static int igb_set_eeprom(struct net_device *netdev, + */ + ret_val = hw->nvm.ops.read(hw, last_word, 1, + &eeprom_buff[last_word - first_word]); ++ if (ret_val) ++ goto out; + } + + /* Device's eeprom is always little-endian, word addressable */ +@@ -841,6 +843,7 @@ static int igb_set_eeprom(struct net_device *netdev, + hw->nvm.ops.update(hw); + + igb_set_fw_version(adapter); ++out: + kfree(eeprom_buff); + return ret_val; + } +-- +2.39.2 + diff --git a/queue-5.10/ipvlan-fix-bound-dev-checking-for-ipv6-l3s-mode.patch b/queue-5.10/ipvlan-fix-bound-dev-checking-for-ipv6-l3s-mode.patch new file mode 100644 index 00000000000..fb4dc0f57db --- /dev/null +++ b/queue-5.10/ipvlan-fix-bound-dev-checking-for-ipv6-l3s-mode.patch @@ -0,0 +1,50 @@ +From 00138fc6f18603245dbaf18dc9f1148e30aee7b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 17:15:02 +0800 +Subject: ipvlan: fix bound dev checking for IPv6 l3s mode + +From: Hangbin Liu + +[ Upstream commit ce57adc222aba32431c42632b396e9213d0eb0b8 ] + +The commit 59a0b022aa24 ("ipvlan: Make skb->skb_iif track skb->dev for l3s +mode") fixed ipvlan bonded dev checking by updating skb skb_iif. This fix +works for IPv4, as in raw_v4_input() the dif is from inet_iif(skb), which +is skb->skb_iif when there is no route. + +But for IPv6, the fix is not enough, because in ipv6_raw_deliver() -> +raw_v6_match(), the dif is inet6_iif(skb), which is returns IP6CB(skb)->iif +instead of skb->skb_iif if it's not a l3_slave. To fix the IPv6 part +issue. Let's set IP6CB(skb)->iif to correct ifindex. + +BTW, ipvlan handles NS/NA specifically. Since it works fine, I will not +reset IP6CB(skb)->iif when addr->atype is IPVL_ICMPV6. + +Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes") +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2196710 +Signed-off-by: Hangbin Liu +Reviewed-by: Larysa Zaremba +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_l3s.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c +index 71712ea25403d..d5b05e8032199 100644 +--- a/drivers/net/ipvlan/ipvlan_l3s.c ++++ b/drivers/net/ipvlan/ipvlan_l3s.c +@@ -102,6 +102,10 @@ static unsigned int ipvlan_nf_input(void *priv, struct sk_buff *skb, + + skb->dev = addr->master->dev; + skb->skb_iif = skb->dev->ifindex; ++#if IS_ENABLED(CONFIG_IPV6) ++ if (addr->atype == IPVL_IPV6) ++ IP6CB(skb)->iif = skb->dev->ifindex; ++#endif + len = skb->len + ETH_HLEN; + ipvlan_count_rx(addr->master, len, true, false); + out: +-- +2.39.2 + diff --git a/queue-5.10/net-enetc-correct-the-indexes-of-highest-and-2nd-hig.patch b/queue-5.10/net-enetc-correct-the-indexes-of-highest-and-2nd-hig.patch new file mode 100644 index 00000000000..be885f304a6 --- /dev/null +++ b/queue-5.10/net-enetc-correct-the-indexes-of-highest-and-2nd-hig.patch @@ -0,0 +1,62 @@ +From 5969ccdfd6acfcdf100e0e45e47371e6842afdda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 17:10:48 +0800 +Subject: net: enetc: correct the indexes of highest and 2nd highest TCs + +From: Wei Fang + +[ Upstream commit 21225873be1472b7c59ed3650396af0e40578112 ] + +For ENETC hardware, the TCs are numbered from 0 to N-1, where N +is the number of TCs. Numerically higher TC has higher priority. +It's obvious that the highest priority TC index should be N-1 and +the 2nd highest priority TC index should be N-2. + +However, the previous logic uses netdev_get_prio_tc_map() to get +the indexes of highest priority and 2nd highest priority TCs, it +does not make sense and is incorrect to give a "tc" argument to +netdev_get_prio_tc_map(). So the driver may get the wrong indexes +of the two highest priotiry TCs which would lead to failed to set +the CBS for the two highest priotiry TCs. + +e.g. +$ tc qdisc add dev eno0 parent root handle 100: mqprio num_tc 6 \ + map 0 0 1 1 2 3 4 5 queues 1@0 1@1 1@2 1@3 2@4 2@6 hw 1 +$ tc qdisc replace dev eno0 parent 100:6 cbs idleslope 100000 \ + sendslope -900000 hicredit 12 locredit -113 offload 1 +$ Error: Specified device failed to setup cbs hardware offload. + ^^^^^ + +In this example, the previous logic deems the indexes of the two +highest priotiry TCs should be 3 and 2. Actually, the indexes are +5 and 4, because the number of TCs is 6. So it would be failed to +configure the CBS for the two highest priority TCs. + +Fixes: c431047c4efe ("enetc: add support Credit Based Shaper(CBS) for hardware offload") +Signed-off-by: Wei Fang +Reviewed-by: Vladimir Oltean +Reviewed-by: Maciej Fijalkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc_qos.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c +index 8d92dc6bc9945..d7215bd772f3e 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c +@@ -196,8 +196,8 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data) + int bw_sum = 0; + u8 bw; + +- prio_top = netdev_get_prio_tc_map(ndev, tc_nums - 1); +- prio_next = netdev_get_prio_tc_map(ndev, tc_nums - 2); ++ prio_top = tc_nums - 1; ++ prio_next = tc_nums - 2; + + /* Support highest prio and second prio tc in cbs mode */ + if (tc != prio_top && tc != prio_next) +-- +2.39.2 + diff --git a/queue-5.10/net-lapbether-only-support-ethernet-devices.patch b/queue-5.10/net-lapbether-only-support-ethernet-devices.patch new file mode 100644 index 00000000000..fa4bc3ab27b --- /dev/null +++ b/queue-5.10/net-lapbether-only-support-ethernet-devices.patch @@ -0,0 +1,96 @@ +From a075035840748e231d22e591f3610c3cb633dae4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 16:18:02 +0000 +Subject: net: lapbether: only support ethernet devices + +From: Eric Dumazet + +[ Upstream commit 9eed321cde22fc1afd76eac563ce19d899e0d6b2 ] + +It probbaly makes no sense to support arbitrary network devices +for lapbether. + +syzbot reported: + +skbuff: skb_under_panic: text:ffff80008934c100 len:44 put:40 head:ffff0000d18dd200 data:ffff0000d18dd1ea tail:0x16 end:0x140 dev:bond1 +kernel BUG at net/core/skbuff.c:200 ! +Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 5643 Comm: dhcpcd Not tainted 6.4.0-rc5-syzkaller-g4641cff8e810 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : skb_panic net/core/skbuff.c:196 [inline] +pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:210 +lr : skb_panic net/core/skbuff.c:196 [inline] +lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:210 +sp : ffff8000973b7260 +x29: ffff8000973b7270 x28: ffff8000973b7360 x27: dfff800000000000 +x26: ffff0000d85d8150 x25: 0000000000000016 x24: ffff0000d18dd1ea +x23: ffff0000d18dd200 x22: 000000000000002c x21: 0000000000000140 +x20: 0000000000000028 x19: ffff80008934c100 x18: ffff8000973b68a0 +x17: 0000000000000000 x16: ffff80008a43bfbc x15: 0000000000000202 +x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001 +x11: 0000000000000201 x10: 0000000000000000 x9 : f22f7eb937cced00 +x8 : f22f7eb937cced00 x7 : 0000000000000001 x6 : 0000000000000001 +x5 : ffff8000973b6b78 x4 : ffff80008df9ee80 x3 : ffff8000805974f4 +x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086 +Call trace: +skb_panic net/core/skbuff.c:196 [inline] +skb_under_panic+0x13c/0x140 net/core/skbuff.c:210 +skb_push+0xf0/0x108 net/core/skbuff.c:2409 +ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1383 +dev_hard_header include/linux/netdevice.h:3137 [inline] +lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257 +lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447 +lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149 +lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251 +lapb_establish_data_link+0x94/0xec +lapb_device_event+0x348/0x4e0 +notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 +raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 +__dev_notify_flags+0x2bc/0x544 +dev_change_flags+0xd0/0x15c net/core/dev.c:8643 +devinet_ioctl+0x858/0x17e4 net/ipv4/devinet.c:1150 +inet_ioctl+0x2ac/0x4d8 net/ipv4/af_inet.c:979 +sock_do_ioctl+0x134/0x2dc net/socket.c:1201 +sock_ioctl+0x4ec/0x858 net/socket.c:1318 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:870 [inline] +__se_sys_ioctl fs/ioctl.c:856 [inline] +__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 +__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] +invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 +el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:142 +do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:191 +el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647 +el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665 +el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 +Code: aa1803e6 aa1903e7 a90023f5 947730f5 (d4210000) + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Martin Schiller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index b965eb6a4bb17..24c53cc0c112f 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -341,6 +341,9 @@ static int lapbeth_new_device(struct net_device *dev) + + ASSERT_RTNL(); + ++ if (dev->type != ARPHRD_ETHER) ++ return -EINVAL; ++ + ndev = alloc_netdev(sizeof(*lapbeth), "lapb%d", NET_NAME_UNKNOWN, + lapbeth_setup); + if (!ndev) +-- +2.39.2 + diff --git a/queue-5.10/net-sched-cls_api-fix-lockup-on-flushing-explicitly-.patch b/queue-5.10/net-sched-cls_api-fix-lockup-on-flushing-explicitly-.patch new file mode 100644 index 00000000000..d6f8f7230ef --- /dev/null +++ b/queue-5.10/net-sched-cls_api-fix-lockup-on-flushing-explicitly-.patch @@ -0,0 +1,71 @@ +From 3ec77e9521f9d3f4d4e19e89f2cf21f103cb9f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 11:34:26 +0200 +Subject: net/sched: cls_api: Fix lockup on flushing explicitly created chain + +From: Vlad Buslov + +[ Upstream commit c9a82bec02c339cdda99b37c5e62b3b71fc4209c ] + +Mingshuai Ren reports: + +When a new chain is added by using tc, one soft lockup alarm will be + generated after delete the prio 0 filter of the chain. To reproduce + the problem, perform the following steps: +(1) tc qdisc add dev eth0 root handle 1: htb default 1 +(2) tc chain add dev eth0 +(3) tc filter del dev eth0 chain 0 parent 1: prio 0 +(4) tc filter add dev eth0 chain 0 parent 1: + +Fix the issue by accounting for additional reference to chains that are +explicitly created by RTM_NEWCHAIN message as opposed to implicitly by +RTM_NEWTFILTER message. + +Fixes: 726d061286ce ("net: sched: prevent insertion of new classifiers during chain flush") +Reported-by: Mingshuai Ren +Closes: https://lore.kernel.org/lkml/87legswvi3.fsf@nvidia.com/T/ +Signed-off-by: Vlad Buslov +Link: https://lore.kernel.org/r/20230612093426.2867183-1-vladbu@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index befe42aad04ba..beedd0d2b5097 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -533,8 +533,8 @@ static void __tcf_chain_put(struct tcf_chain *chain, bool by_act, + { + struct tcf_block *block = chain->block; + const struct tcf_proto_ops *tmplt_ops; ++ unsigned int refcnt, non_act_refcnt; + bool free_block = false; +- unsigned int refcnt; + void *tmplt_priv; + + mutex_lock(&block->lock); +@@ -554,13 +554,15 @@ static void __tcf_chain_put(struct tcf_chain *chain, bool by_act, + * save these to temporary variables. + */ + refcnt = --chain->refcnt; ++ non_act_refcnt = refcnt - chain->action_refcnt; + tmplt_ops = chain->tmplt_ops; + tmplt_priv = chain->tmplt_priv; + +- /* The last dropped non-action reference will trigger notification. */ +- if (refcnt - chain->action_refcnt == 0 && !by_act) { +- tc_chain_notify_delete(tmplt_ops, tmplt_priv, chain->index, +- block, NULL, 0, 0, false); ++ if (non_act_refcnt == chain->explicitly_created && !by_act) { ++ if (non_act_refcnt == 0) ++ tc_chain_notify_delete(tmplt_ops, tmplt_priv, ++ chain->index, block, NULL, 0, 0, ++ false); + /* Last reference to chain, no need to lock. */ + chain->flushing = false; + } +-- +2.39.2 + diff --git a/queue-5.10/net-sched-cls_u32-fix-reference-counter-leak-leading.patch b/queue-5.10/net-sched-cls_u32-fix-reference-counter-leak-leading.patch new file mode 100644 index 00000000000..2f3ff4be40c --- /dev/null +++ b/queue-5.10/net-sched-cls_u32-fix-reference-counter-leak-leading.patch @@ -0,0 +1,77 @@ +From f680c4da0e201d2e00e0e945ed112273193bd6f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 08:29:03 +0100 +Subject: net/sched: cls_u32: Fix reference counter leak leading to overflow + +From: Lee Jones + +[ Upstream commit 04c55383fa5689357bcdd2c8036725a55ed632bc ] + +In the event of a failure in tcf_change_indev(), u32_set_parms() will +immediately return without decrementing the recently incremented +reference counter. If this happens enough times, the counter will +rollover and the reference freed, leading to a double free which can be +used to do 'bad things'. + +In order to prevent this, move the point of possible failure above the +point where the reference counter is incremented. Also save any +meaningful return values to be applied to the return data at the +appropriate point in time. + +This issue was caught with KASAN. + +Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct") +Suggested-by: Eric Dumazet +Signed-off-by: Lee Jones +Reviewed-by: Eric Dumazet +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index da042bc8b239d..1ac8ff445a6d3 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -716,12 +716,18 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + struct nlattr *est, bool ovr, + struct netlink_ext_ack *extack) + { +- int err; ++ int err, ifindex = -1; + + err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr, true, extack); + if (err < 0) + return err; + ++ if (tb[TCA_U32_INDEV]) { ++ ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); ++ if (ifindex < 0) ++ return -EINVAL; ++ } ++ + if (tb[TCA_U32_LINK]) { + u32 handle = nla_get_u32(tb[TCA_U32_LINK]); + struct tc_u_hnode *ht_down = NULL, *ht_old; +@@ -756,13 +762,9 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + tcf_bind_filter(tp, &n->res, base); + } + +- if (tb[TCA_U32_INDEV]) { +- int ret; +- ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); +- if (ret < 0) +- return -EINVAL; +- n->ifindex = ret; +- } ++ if (ifindex >= 0) ++ n->ifindex = ifindex; ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.10/net-tipc-resize-nlattr-array-to-correct-size.patch b/queue-5.10/net-tipc-resize-nlattr-array-to-correct-size.patch new file mode 100644 index 00000000000..df2915571e6 --- /dev/null +++ b/queue-5.10/net-tipc-resize-nlattr-array-to-correct-size.patch @@ -0,0 +1,51 @@ +From d6a63c261b761ad70bcd58d2ff4faae051b1d494 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 20:06:04 +0800 +Subject: net: tipc: resize nlattr array to correct size + +From: Lin Ma + +[ Upstream commit 44194cb1b6045dea33ae9a0d54fb7e7cd93a2e09 ] + +According to nla_parse_nested_deprecated(), the tb[] is supposed to the +destination array with maxtype+1 elements. In current +tipc_nl_media_get() and __tipc_nl_media_set(), a larger array is used +which is unnecessary. This patch resize them to a proper size. + +Fixes: 1e55417d8fc6 ("tipc: add media set to new netlink api") +Fixes: 46f15c6794fb ("tipc: add media get/dump to new netlink api") +Signed-off-by: Lin Ma +Reviewed-by: Florian Westphal +Reviewed-by: Tung Nguyen +Link: https://lore.kernel.org/r/20230614120604.1196377-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 91e678fa3feb5..df6aba2246fa0 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -1242,7 +1242,7 @@ int tipc_nl_media_get(struct sk_buff *skb, struct genl_info *info) + struct tipc_nl_msg msg; + struct tipc_media *media; + struct sk_buff *rep; +- struct nlattr *attrs[TIPC_NLA_BEARER_MAX + 1]; ++ struct nlattr *attrs[TIPC_NLA_MEDIA_MAX + 1]; + + if (!info->attrs[TIPC_NLA_MEDIA]) + return -EINVAL; +@@ -1291,7 +1291,7 @@ int __tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info) + int err; + char *name; + struct tipc_media *m; +- struct nlattr *attrs[TIPC_NLA_BEARER_MAX + 1]; ++ struct nlattr *attrs[TIPC_NLA_MEDIA_MAX + 1]; + + if (!info->attrs[TIPC_NLA_MEDIA]) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-5.10/netfilter-nfnetlink-skip-error-delivery-on-batch-in-.patch b/queue-5.10/netfilter-nfnetlink-skip-error-delivery-on-batch-in-.patch new file mode 100644 index 00000000000..8049de3bb4b --- /dev/null +++ b/queue-5.10/netfilter-nfnetlink-skip-error-delivery-on-batch-in-.patch @@ -0,0 +1,36 @@ +From 4d5294f1b3ebab868e8f93b02beca37c3dabc176 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 00:19:12 +0200 +Subject: netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM + +From: Pablo Neira Ayuso + +[ Upstream commit a1a64a151dae8ac3581c1cbde44b672045cb658b ] + +If caller reports ENOMEM, then stop iterating over the batch and send a +single netlink message to userspace to report OOM. + +Fixes: cbb8125eb40b ("netfilter: nfnetlink: deliver netlink errors on batch completion") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index edf386a020b9e..bec9ac8b8fbef 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -473,7 +473,8 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, + * processed, this avoids that the same error is + * reported several times when replaying the batch. + */ +- if (nfnl_err_add(&err_list, nlh, err, &extack) < 0) { ++ if (err == -ENOMEM || ++ nfnl_err_add(&err_list, nlh, err, &extack) < 0) { + /* We failed to enqueue an error, reset the + * list of errors and send OOM to userspace + * pointing to the batch header. +-- +2.39.2 + diff --git a/queue-5.10/octeontx2-af-fixed-resource-availability-check.patch b/queue-5.10/octeontx2-af-fixed-resource-availability-check.patch new file mode 100644 index 00000000000..e92e6eb047f --- /dev/null +++ b/queue-5.10/octeontx2-af-fixed-resource-availability-check.patch @@ -0,0 +1,41 @@ +From d80248a0b36d81911b4ed925daa17e0946b581d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 17:12:00 +0530 +Subject: octeontx2-af: fixed resource availability check + +From: Satha Rao + +[ Upstream commit 4e635f9d86165e47f5440196f2ebdb258efb8341 ] + +txschq_alloc response have two different arrays to store continuous +and non-continuous schedulers of each level. Requested count should +be checked for each array separately. + +Fixes: 5d9b976d4480 ("octeontx2-af: Support fixed transmit scheduler topology") +Signed-off-by: Satha Rao +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: Naveen Mamindlapalli +Reviewed-by: Sridhar Samudrala +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index 9886a30e9723c..449f5224d1aeb 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -1385,7 +1385,8 @@ static int nix_check_txschq_alloc_req(struct rvu *rvu, int lvl, u16 pcifunc, + free_cnt = rvu_rsrc_free_count(&txsch->schq); + } + +- if (free_cnt < req_schq || req_schq > MAX_TXSCHQ_PER_FUNC) ++ if (free_cnt < req_schq || req->schq[lvl] > MAX_TXSCHQ_PER_FUNC || ++ req->schq_contig[lvl] > MAX_TXSCHQ_PER_FUNC) + return NIX_AF_ERR_TLX_ALLOC_FAIL; + + /* If contiguous queues are needed, check for availability */ +-- +2.39.2 + diff --git a/queue-5.10/ping6-fix-send-to-link-local-addresses-with-vrf.patch b/queue-5.10/ping6-fix-send-to-link-local-addresses-with-vrf.patch new file mode 100644 index 00000000000..cf0c1aefc88 --- /dev/null +++ b/queue-5.10/ping6-fix-send-to-link-local-addresses-with-vrf.patch @@ -0,0 +1,58 @@ +From b26cd8f89038ed8860b4bbec035953ada672b1c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 18:05:02 +0200 +Subject: ping6: Fix send to link-local addresses with VRF. + +From: Guillaume Nault + +[ Upstream commit 91ffd1bae1dafbb9e34b46813f5b058581d9144d ] + +Ping sockets can't send packets when they're bound to a VRF master +device and the output interface is set to a slave device. + +For example, when net.ipv4.ping_group_range is properly set, so that +ping6 can use ping sockets, the following kind of commands fails: + $ ip vrf exec red ping6 fe80::854:e7ff:fe88:4bf1%eth1 + +What happens is that sk->sk_bound_dev_if is set to the VRF master +device, but 'oif' is set to the real output device. Since both are set +but different, ping_v6_sendmsg() sees their value as inconsistent and +fails. + +Fix this by allowing 'oif' to be a slave device of ->sk_bound_dev_if. + +This fixes the following kselftest failure: + $ ./fcnal-test.sh -t ipv6_ping + [...] + TEST: ping out, vrf device+address bind - ns-B IPv6 LLA [FAIL] + +Reported-by: Mirsad Todorovac +Closes: https://lore.kernel.org/netdev/b6191f90-ffca-dbca-7d06-88a9788def9c@alu.unizg.hr/ +Tested-by: Mirsad Todorovac +Fixes: 5e457896986e ("net: ipv6: Fix ping to link-local addresses.") +Signed-off-by: Guillaume Nault +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/6c8b53108816a8d0d5705ae37bdc5a8322b5e3d9.1686153846.git.gnault@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ping.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c +index 6ac88fe24a8e0..7fab29f3ce6e8 100644 +--- a/net/ipv6/ping.c ++++ b/net/ipv6/ping.c +@@ -96,7 +96,8 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + addr_type = ipv6_addr_type(daddr); + if ((__ipv6_addr_needs_scope_id(addr_type) && !oif) || + (addr_type & IPV6_ADDR_MAPPED) || +- (oif && sk->sk_bound_dev_if && oif != sk->sk_bound_dev_if)) ++ (oif && sk->sk_bound_dev_if && oif != sk->sk_bound_dev_if && ++ l3mdev_master_ifindex_by_index(sock_net(sk), oif) != sk->sk_bound_dev_if)) + return -EINVAL; + + /* TODO: use ip6_datagram_send_ctl to get options from cmsg */ +-- +2.39.2 + diff --git a/queue-5.10/rdma-cma-always-set-static-rate-to-0-for-roce.patch b/queue-5.10/rdma-cma-always-set-static-rate-to-0-for-roce.patch new file mode 100644 index 00000000000..2688ece833c --- /dev/null +++ b/queue-5.10/rdma-cma-always-set-static-rate-to-0-for-roce.patch @@ -0,0 +1,84 @@ +From 2d304806f359467ee77106f84cb2a0a9fe60f02f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 13:33:23 +0300 +Subject: RDMA/cma: Always set static rate to 0 for RoCE + +From: Mark Zhang + +[ Upstream commit 58030c76cce473b6cfd630bbecb97215def0dff8 ] + +Set static rate to 0 as it should be discovered by path query and +has no meaning for RoCE. +This also avoid of using the rtnl lock and ethtool API, which is +a bottleneck when try to setup many rdma-cm connections at the same +time, especially with multiple processes. + +Fixes: 3c86aa70bf67 ("RDMA/cm: Add RDMA CM support for IBoE devices") +Signed-off-by: Mark Zhang +Link: https://lore.kernel.org/r/f72a4f8b667b803aee9fa794069f61afb5839ce4.1685960567.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 4 ++-- + include/rdma/ib_addr.h | 23 ----------------------- + 2 files changed, 2 insertions(+), 25 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index fdcad8d6a5a07..db24f7dfa00f7 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -3069,7 +3069,7 @@ static int cma_resolve_iboe_route(struct rdma_id_private *id_priv) + route->path_rec->traffic_class = tos; + route->path_rec->mtu = iboe_get_mtu(ndev->mtu); + route->path_rec->rate_selector = IB_SA_EQ; +- route->path_rec->rate = iboe_get_rate(ndev); ++ route->path_rec->rate = IB_RATE_PORT_CURRENT; + dev_put(ndev); + route->path_rec->packet_life_time_selector = IB_SA_EQ; + /* In case ACK timeout is set, use this value to calculate +@@ -4719,7 +4719,7 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv, + if (!ndev) + return -ENODEV; + +- ib.rec.rate = iboe_get_rate(ndev); ++ ib.rec.rate = IB_RATE_PORT_CURRENT; + ib.rec.hop_limit = 1; + ib.rec.mtu = iboe_get_mtu(ndev->mtu); + +diff --git a/include/rdma/ib_addr.h b/include/rdma/ib_addr.h +index b0e636ac66900..8c5c9582c4fb9 100644 +--- a/include/rdma/ib_addr.h ++++ b/include/rdma/ib_addr.h +@@ -193,29 +193,6 @@ static inline enum ib_mtu iboe_get_mtu(int mtu) + return 0; + } + +-static inline int iboe_get_rate(struct net_device *dev) +-{ +- struct ethtool_link_ksettings cmd; +- int err; +- +- rtnl_lock(); +- err = __ethtool_get_link_ksettings(dev, &cmd); +- rtnl_unlock(); +- if (err) +- return IB_RATE_PORT_CURRENT; +- +- if (cmd.base.speed >= 40000) +- return IB_RATE_40_GBPS; +- else if (cmd.base.speed >= 30000) +- return IB_RATE_30_GBPS; +- else if (cmd.base.speed >= 20000) +- return IB_RATE_20_GBPS; +- else if (cmd.base.speed >= 10000) +- return IB_RATE_10_GBPS; +- else +- return IB_RATE_PORT_CURRENT; +-} +- + static inline int rdma_link_local_addr(struct in6_addr *addr) + { + if (addr->s6_addr32[0] == htonl(0xfe800000) && +-- +2.39.2 + diff --git a/queue-5.10/rdma-mlx5-initiate-dropless-rq-for-raw-ethernet-func.patch b/queue-5.10/rdma-mlx5-initiate-dropless-rq-for-raw-ethernet-func.patch new file mode 100644 index 00000000000..0bef3214f98 --- /dev/null +++ b/queue-5.10/rdma-mlx5-initiate-dropless-rq-for-raw-ethernet-func.patch @@ -0,0 +1,46 @@ +From 5cbf8943bf818fba83be5377d45ac446bc0a446f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 13:33:17 +0300 +Subject: RDMA/mlx5: Initiate dropless RQ for RAW Ethernet functions + +From: Maher Sanalla + +[ Upstream commit ee4d269eccfea6c17b18281bef482700d898e86f ] + +Delay drop data is initiated for PFs that have the capability of +rq_delay_drop and are in roce profile. + +However, PFs with RAW ethernet profile do not initiate delay drop data +on function load, causing kernel panic if delay drop struct members are +accessed later on in case a dropless RQ is created. + +Thus, stage the delay drop initialization as part of RAW ethernet +PF loading process. + +Fixes: b5ca15ad7e61 ("IB/mlx5: Add proper representors support") +Signed-off-by: Maher Sanalla +Reviewed-by: Maor Gottlieb +Link: https://lore.kernel.org/r/2e9d386785043d48c38711826eb910315c1de141.1685960567.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 5ef37902e96b5..39ba7005f2c4c 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -4746,6 +4746,9 @@ const struct mlx5_ib_profile raw_eth_profile = { + STAGE_CREATE(MLX5_IB_STAGE_POST_IB_REG_UMR, + mlx5_ib_stage_post_ib_reg_umr_init, + NULL), ++ STAGE_CREATE(MLX5_IB_STAGE_DELAY_DROP, ++ mlx5_ib_stage_delay_drop_init, ++ mlx5_ib_stage_delay_drop_cleanup), + STAGE_CREATE(MLX5_IB_STAGE_RESTRACK, + mlx5_ib_restrack_init, + NULL), +-- +2.39.2 + diff --git a/queue-5.10/rdma-rtrs-fix-the-last-iu-buf-leak-in-err-path.patch b/queue-5.10/rdma-rtrs-fix-the-last-iu-buf-leak-in-err-path.patch new file mode 100644 index 00000000000..0c303923022 --- /dev/null +++ b/queue-5.10/rdma-rtrs-fix-the-last-iu-buf-leak-in-err-path.patch @@ -0,0 +1,41 @@ +From b14b35dadcb529b526488c69fd30b580ea755fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 01:02:42 +0000 +Subject: RDMA/rtrs: Fix the last iu->buf leak in err path + +From: Li Zhijian + +[ Upstream commit 3bf3a7c6985c625f64e73baefdaa36f1c2045a29 ] + +The last iu->buf will leak if ib_dma_mapping_error() fails. + +Fixes: c0894b3ea69d ("RDMA/rtrs: core: lib functions shared between client and server modules") +Link: https://lore.kernel.org/r/1682384563-2-3-git-send-email-lizhijian@fujitsu.com +Signed-off-by: Li Zhijian +Acked-by: Guoqing Jiang +Acked-by: Jack Wang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs.c b/drivers/infiniband/ulp/rtrs/rtrs.c +index 4629bb758126a..76b993e8d672f 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs.c +@@ -37,8 +37,10 @@ struct rtrs_iu *rtrs_iu_alloc(u32 queue_size, size_t size, gfp_t gfp_mask, + goto err; + + iu->dma_addr = ib_dma_map_single(dma_dev, iu->buf, size, dir); +- if (ib_dma_mapping_error(dma_dev, iu->dma_addr)) ++ if (ib_dma_mapping_error(dma_dev, iu->dma_addr)) { ++ kfree(iu->buf); + goto err; ++ } + + iu->cqe.done = done; + iu->size = size; +-- +2.39.2 + diff --git a/queue-5.10/rdma-rxe-fix-the-use-before-initialization-error-of-.patch b/queue-5.10/rdma-rxe-fix-the-use-before-initialization-error-of-.patch new file mode 100644 index 00000000000..8a46f5900d2 --- /dev/null +++ b/queue-5.10/rdma-rxe-fix-the-use-before-initialization-error-of-.patch @@ -0,0 +1,82 @@ +From de575b09ae82e973d1a3a115c6afd864d0429e66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 11:54:08 +0800 +Subject: RDMA/rxe: Fix the use-before-initialization error of resp_pkts + +From: Zhu Yanjun + +[ Upstream commit 2a62b6210ce876c596086ab8fd4c8a0c3d10611a ] + +In the following: + + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 + assign_lock_key kernel/locking/lockdep.c:982 [inline] + register_lock_class+0xdb6/0x1120 kernel/locking/lockdep.c:1295 + __lock_acquire+0x10a/0x5df0 kernel/locking/lockdep.c:4951 + lock_acquire kernel/locking/lockdep.c:5691 [inline] + lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5656 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 + skb_dequeue+0x20/0x180 net/core/skbuff.c:3639 + drain_resp_pkts drivers/infiniband/sw/rxe/rxe_comp.c:555 [inline] + rxe_completer+0x250d/0x3cc0 drivers/infiniband/sw/rxe/rxe_comp.c:652 + rxe_qp_do_cleanup+0x1be/0x820 drivers/infiniband/sw/rxe/rxe_qp.c:761 + execute_in_process_context+0x3b/0x150 kernel/workqueue.c:3473 + __rxe_cleanup+0x21e/0x370 drivers/infiniband/sw/rxe/rxe_pool.c:233 + rxe_create_qp+0x3f6/0x5f0 drivers/infiniband/sw/rxe/rxe_verbs.c:583 + +This is a use-before-initialization problem. + +It happens because rxe_qp_do_cleanup is called during error unwind before +the struct has been fully initialized. + +Move the initialization of the skb earlier. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20230602035408.741534-1-yanjun.zhu@intel.com +Reported-by: syzbot+eba589d8f49c73d356da@syzkaller.appspotmail.com +Signed-off-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 6ff6718fcde6b..4c938d841f768 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -192,6 +192,9 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct rxe_qp *qp, + spin_lock_init(&qp->rq.producer_lock); + spin_lock_init(&qp->rq.consumer_lock); + ++ skb_queue_head_init(&qp->req_pkts); ++ skb_queue_head_init(&qp->resp_pkts); ++ + atomic_set(&qp->ssn, 0); + atomic_set(&qp->skb_out, 0); + } +@@ -247,8 +250,6 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, + qp->req.opcode = -1; + qp->comp.opcode = -1; + +- skb_queue_head_init(&qp->req_pkts); +- + rxe_init_task(&qp->req.task, qp, rxe_requester); + rxe_init_task(&qp->comp.task, qp, rxe_completer); + +@@ -294,8 +295,6 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, + } + } + +- skb_queue_head_init(&qp->resp_pkts); +- + rxe_init_task(&qp->resp.task, qp, rxe_responder); + + qp->resp.opcode = OPCODE_NONE; +-- +2.39.2 + diff --git a/queue-5.10/rdma-rxe-remove-the-unused-variable-obj.patch b/queue-5.10/rdma-rxe-remove-the-unused-variable-obj.patch new file mode 100644 index 00000000000..56ae20809ae --- /dev/null +++ b/queue-5.10/rdma-rxe-remove-the-unused-variable-obj.patch @@ -0,0 +1,90 @@ +From 73bed2f4c6fa924133ac2b6dc62b1ecfed9aef34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 21:16:15 -0400 +Subject: RDMA/rxe: Remove the unused variable obj + +From: Zhu Yanjun + +[ Upstream commit f07853582d1f6ed282f8d9a0b1209a87dd761f58 ] + +The member variable obj in struct rxe_task is not needed. +So remove it to save memory. + +Link: https://lore.kernel.org/r/20220822011615.805603-4-yanjun.zhu@linux.dev +Signed-off-by: Zhu Yanjun +Reviewed-by: Li Zhijian +Reviewed-by: Bob Pearson +Signed-off-by: Leon Romanovsky +Stable-dep-of: 2a62b6210ce8 ("RDMA/rxe: Fix the use-before-initialization error of resp_pkts") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 6 +++--- + drivers/infiniband/sw/rxe/rxe_task.c | 3 +-- + drivers/infiniband/sw/rxe/rxe_task.h | 3 +-- + 3 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 99c1b3553e6e0..b1bad20c76d46 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -249,9 +249,9 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, + + skb_queue_head_init(&qp->req_pkts); + +- rxe_init_task(rxe, &qp->req.task, qp, ++ rxe_init_task(&qp->req.task, qp, + rxe_requester, "req"); +- rxe_init_task(rxe, &qp->comp.task, qp, ++ rxe_init_task(&qp->comp.task, qp, + rxe_completer, "comp"); + + qp->qp_timeout_jiffies = 0; /* Can't be set for UD/UC in modify_qp */ +@@ -298,7 +298,7 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, + + skb_queue_head_init(&qp->resp_pkts); + +- rxe_init_task(rxe, &qp->resp.task, qp, ++ rxe_init_task(&qp->resp.task, qp, + rxe_responder, "resp"); + + qp->resp.opcode = OPCODE_NONE; +diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c +index 568cf56c236bc..f48882b20d6b2 100644 +--- a/drivers/infiniband/sw/rxe/rxe_task.c ++++ b/drivers/infiniband/sw/rxe/rxe_task.c +@@ -95,10 +95,9 @@ void rxe_do_task(struct tasklet_struct *t) + task->ret = ret; + } + +-int rxe_init_task(void *obj, struct rxe_task *task, ++int rxe_init_task(struct rxe_task *task, + void *arg, int (*func)(void *), char *name) + { +- task->obj = obj; + task->arg = arg; + task->func = func; + snprintf(task->name, sizeof(task->name), "%s", name); +diff --git a/drivers/infiniband/sw/rxe/rxe_task.h b/drivers/infiniband/sw/rxe/rxe_task.h +index 11d183fd33386..7f612a1c68a7b 100644 +--- a/drivers/infiniband/sw/rxe/rxe_task.h ++++ b/drivers/infiniband/sw/rxe/rxe_task.h +@@ -19,7 +19,6 @@ enum { + * called again. + */ + struct rxe_task { +- void *obj; + struct tasklet_struct tasklet; + int state; + spinlock_t state_lock; /* spinlock for task state */ +@@ -35,7 +34,7 @@ struct rxe_task { + * arg => parameter to pass to fcn + * func => function to call until it returns != 0 + */ +-int rxe_init_task(void *obj, struct rxe_task *task, ++int rxe_init_task(struct rxe_task *task, + void *arg, int (*func)(void *), char *name); + + /* cleanup task */ +-- +2.39.2 + diff --git a/queue-5.10/rdma-rxe-removed-unused-name-from-rxe_task-struct.patch b/queue-5.10/rdma-rxe-removed-unused-name-from-rxe_task-struct.patch new file mode 100644 index 00000000000..cfb858ffe66 --- /dev/null +++ b/queue-5.10/rdma-rxe-removed-unused-name-from-rxe_task-struct.patch @@ -0,0 +1,93 @@ +From c37f265ac88192975e22254693afa89a7588a3f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 15:01:04 -0500 +Subject: RDMA/rxe: Removed unused name from rxe_task struct + +From: Bob Pearson + +[ Upstream commit de669ae8af49ceed0eed44f5b3d51dc62affc5e4 ] + +The name field in struct rxe_task is never used. This patch removes it. + +Link: https://lore.kernel.org/r/20221021200118.2163-4-rpearsonhpe@gmail.com +Signed-off-by: Ian Ziemba +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Stable-dep-of: 2a62b6210ce8 ("RDMA/rxe: Fix the use-before-initialization error of resp_pkts") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 9 +++------ + drivers/infiniband/sw/rxe/rxe_task.c | 4 +--- + drivers/infiniband/sw/rxe/rxe_task.h | 4 +--- + 3 files changed, 5 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index b1bad20c76d46..6ff6718fcde6b 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -249,10 +249,8 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, + + skb_queue_head_init(&qp->req_pkts); + +- rxe_init_task(&qp->req.task, qp, +- rxe_requester, "req"); +- rxe_init_task(&qp->comp.task, qp, +- rxe_completer, "comp"); ++ rxe_init_task(&qp->req.task, qp, rxe_requester); ++ rxe_init_task(&qp->comp.task, qp, rxe_completer); + + qp->qp_timeout_jiffies = 0; /* Can't be set for UD/UC in modify_qp */ + if (init->qp_type == IB_QPT_RC) { +@@ -298,8 +296,7 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, + + skb_queue_head_init(&qp->resp_pkts); + +- rxe_init_task(&qp->resp.task, qp, +- rxe_responder, "resp"); ++ rxe_init_task(&qp->resp.task, qp, rxe_responder); + + qp->resp.opcode = OPCODE_NONE; + qp->resp.msn = 0; +diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c +index f48882b20d6b2..5aa69947a9791 100644 +--- a/drivers/infiniband/sw/rxe/rxe_task.c ++++ b/drivers/infiniband/sw/rxe/rxe_task.c +@@ -95,12 +95,10 @@ void rxe_do_task(struct tasklet_struct *t) + task->ret = ret; + } + +-int rxe_init_task(struct rxe_task *task, +- void *arg, int (*func)(void *), char *name) ++int rxe_init_task(struct rxe_task *task, void *arg, int (*func)(void *)) + { + task->arg = arg; + task->func = func; +- snprintf(task->name, sizeof(task->name), "%s", name); + task->destroyed = false; + + tasklet_setup(&task->tasklet, rxe_do_task); +diff --git a/drivers/infiniband/sw/rxe/rxe_task.h b/drivers/infiniband/sw/rxe/rxe_task.h +index 7f612a1c68a7b..b3dfd970d1dc6 100644 +--- a/drivers/infiniband/sw/rxe/rxe_task.h ++++ b/drivers/infiniband/sw/rxe/rxe_task.h +@@ -25,7 +25,6 @@ struct rxe_task { + void *arg; + int (*func)(void *arg); + int ret; +- char name[16]; + bool destroyed; + }; + +@@ -34,8 +33,7 @@ struct rxe_task { + * arg => parameter to pass to fcn + * func => function to call until it returns != 0 + */ +-int rxe_init_task(struct rxe_task *task, +- void *arg, int (*func)(void *), char *name); ++int rxe_init_task(struct rxe_task *task, void *arg, int (*func)(void *)); + + /* cleanup task */ + void rxe_cleanup_task(struct rxe_task *task); +-- +2.39.2 + diff --git a/queue-5.10/sctp-fix-an-error-code-in-sctp_sf_eat_auth.patch b/queue-5.10/sctp-fix-an-error-code-in-sctp_sf_eat_auth.patch new file mode 100644 index 00000000000..7c0a75a2e60 --- /dev/null +++ b/queue-5.10/sctp-fix-an-error-code-in-sctp_sf_eat_auth.patch @@ -0,0 +1,38 @@ +From 7dcab0aa87dda148ba7b0765d8c7a2b2ac10b386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 14:05:19 +0300 +Subject: sctp: fix an error code in sctp_sf_eat_auth() + +From: Dan Carpenter + +[ Upstream commit 75e6def3b26736e7ff80639810098c9074229737 ] + +The sctp_sf_eat_auth() function is supposed to enum sctp_disposition +values and returning a kernel error code will cause issues in the +caller. Change -ENOMEM to SCTP_DISPOSITION_NOMEM. + +Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.") +Signed-off-by: Dan Carpenter +Acked-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index ee0b2b03657ca..1e82c51657a7e 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -4379,7 +4379,7 @@ enum sctp_disposition sctp_sf_eat_auth(struct net *net, + SCTP_AUTH_NEW_KEY, GFP_ATOMIC); + + if (!ev) +- return -ENOMEM; ++ return SCTP_DISPOSITION_NOMEM; + + sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, + SCTP_ULPEVENT(ev)); +-- +2.39.2 + diff --git a/queue-5.10/selftests-ptp-fix-timestamp-printf-format-for-ptp_sy.patch b/queue-5.10/selftests-ptp-fix-timestamp-printf-format-for-ptp_sy.patch new file mode 100644 index 00000000000..0397b2af1f0 --- /dev/null +++ b/queue-5.10/selftests-ptp-fix-timestamp-printf-format-for-ptp_sy.patch @@ -0,0 +1,50 @@ +From 21cd279cdc0d7c7d4d9e29a33efd62e6fdaed76b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 09:34:04 +0100 +Subject: selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET + +From: Alex Maftei + +[ Upstream commit 76a4c8b82938bc5020b67663db41f451684bf327 ] + +Previously, timestamps were printed using "%lld.%u" which is incorrect +for nanosecond values lower than 100,000,000 as they're fractional +digits, therefore leading zeros are meaningful. + +This patch changes the format strings to "%lld.%09u" in order to add +leading zeros to the nanosecond value. + +Fixes: 568ebc5985f5 ("ptp: add the PTP_SYS_OFFSET ioctl to the testptp program") +Fixes: 4ec54f95736f ("ptp: Fix compiler warnings in the testptp utility") +Fixes: 6ab0e475f1f3 ("Documentation: fix misc. warnings") +Signed-off-by: Alex Maftei +Acked-by: Richard Cochran +Link: https://lore.kernel.org/r/20230615083404.57112-1-alex.maftei@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/ptp/testptp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/ptp/testptp.c b/tools/testing/selftests/ptp/testptp.c +index f7911aaeb0075..aa474febb4712 100644 +--- a/tools/testing/selftests/ptp/testptp.c ++++ b/tools/testing/selftests/ptp/testptp.c +@@ -492,11 +492,11 @@ int main(int argc, char *argv[]) + interval = t2 - t1; + offset = (t2 + t1) / 2 - tp; + +- printf("system time: %lld.%u\n", ++ printf("system time: %lld.%09u\n", + (pct+2*i)->sec, (pct+2*i)->nsec); +- printf("phc time: %lld.%u\n", ++ printf("phc time: %lld.%09u\n", + (pct+2*i+1)->sec, (pct+2*i+1)->nsec); +- printf("system time: %lld.%u\n", ++ printf("system time: %lld.%09u\n", + (pct+2*i+2)->sec, (pct+2*i+2)->nsec); + printf("system/phc clock time offset is %" PRId64 " ns\n" + "system clock time delay is %" PRId64 " ns\n", +-- +2.39.2 + diff --git a/queue-5.10/series b/queue-5.10/series index 7e4c9a2fd96..0e9dfe08743 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -43,3 +43,32 @@ remove-decnet-support-from-kernel.patch usb-serial-option-add-quectel-em061kgl-series.patch serial-lantiq-add-missing-interrupt-ack.patch usb-dwc3-gadget-reset-num-trbs-before-giving-back-the-request.patch +rdma-rtrs-fix-the-last-iu-buf-leak-in-err-path.patch +spi-fsl-dspi-avoid-sck-glitches-with-continuous-tran.patch +netfilter-nfnetlink-skip-error-delivery-on-batch-in-.patch +net-enetc-correct-the-indexes-of-highest-and-2nd-hig.patch +ping6-fix-send-to-link-local-addresses-with-vrf.patch +net-sched-cls_u32-fix-reference-counter-leak-leading.patch +rdma-rxe-remove-the-unused-variable-obj.patch +rdma-rxe-removed-unused-name-from-rxe_task-struct.patch +rdma-rxe-fix-the-use-before-initialization-error-of-.patch +iavf-remove-mask-from-iavf_irq_enable_queues.patch +octeontx2-af-fixed-resource-availability-check.patch +rdma-mlx5-initiate-dropless-rq-for-raw-ethernet-func.patch +rdma-cma-always-set-static-rate-to-0-for-roce.patch +ib-uverbs-fix-to-consider-event-queue-closing-also-u.patch +ib-isert-fix-dead-lock-in-ib_isert.patch +ib-isert-fix-possible-list-corruption-in-cma-handler.patch +ib-isert-fix-incorrect-release-of-isert-connection.patch +ipvlan-fix-bound-dev-checking-for-ipv6-l3s-mode.patch +sctp-fix-an-error-code-in-sctp_sf_eat_auth.patch +igb-fix-nvm.ops.read-error-handling.patch +drm-nouveau-don-t-detect-dsm-for-non-nvidia-device.patch +drm-nouveau-dp-check-for-null-nv_connector-native_mo.patch +drm-nouveau-add-nv_encoder-pointer-check-for-null.patch +ext4-drop-the-call-to-ext4_error-from-ext4_get_group.patch +net-sched-cls_api-fix-lockup-on-flushing-explicitly-.patch +net-lapbether-only-support-ethernet-devices.patch +net-tipc-resize-nlattr-array-to-correct-size.patch +selftests-ptp-fix-timestamp-printf-format-for-ptp_sy.patch +afs-fix-vlserver-probe-rtt-handling.patch diff --git a/queue-5.10/spi-fsl-dspi-avoid-sck-glitches-with-continuous-tran.patch b/queue-5.10/spi-fsl-dspi-avoid-sck-glitches-with-continuous-tran.patch new file mode 100644 index 00000000000..8c5a0ded363 --- /dev/null +++ b/queue-5.10/spi-fsl-dspi-avoid-sck-glitches-with-continuous-tran.patch @@ -0,0 +1,95 @@ +From d29766575372ddcfe0bf84f0255f851a610c9eb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 01:34:02 +0300 +Subject: spi: fsl-dspi: avoid SCK glitches with continuous transfers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Oltean + +[ Upstream commit c5c31fb71f16ba75bad4ade208abbae225305b65 ] + +The DSPI controller has configurable timing for + +(a) tCSC: the interval between the assertion of the chip select and the + first clock edge + +(b) tASC: the interval between the last clock edge and the deassertion + of the chip select + +What is a bit surprising, but is documented in the figure "Example of +continuous transfer (CPHA=1, CONT=1)" in the datasheet, is that when the +chip select stays asserted between multiple TX FIFO writes, the tCSC and +tASC times still apply. With CONT=1, chip select remains asserted, but +SCK takes a break and goes to the idle state for tASC + tCSC ns. + +In other words, the default values (of 0 and 0 ns) result in SCK +glitches where the SCK transition to the idle state, as well as the SCK +transition from the idle state, will have no delay in between, and it +may appear that a SCK cycle has simply gone missing. The resulting +timing violation might cause data corruption in many peripherals, as +their chip select is asserted. + +The driver has device tree bindings for tCSC ("fsl,spi-cs-sck-delay") +and tASC ("fsl,spi-sck-cs-delay"), but these are only specified to apply +when the chip select toggles in the first place, and this timing +characteristic depends on each peripheral. Many peripherals do not have +explicit timing requirements, so many device trees do not have these +properties present at all. + +Nonetheless, the lack of SCK glitches is a common sense requirement, and +since the SCK stays in the idle state during transfers for tCSC+tASC ns, +and that in itself should look like half a cycle, then let's ensure that +tCSC and tASC are at least a quarter of a SCK period, such that their +sum is at least half of one. + +Fixes: 95bf15f38641 ("spi: fsl-dspi: Add ~50ns delay between cs and sck") +Reported-by: Lisa Chen (陈敏捷) +Debugged-by: Lisa Chen (陈敏捷) +Tested-by: Lisa Chen (陈敏捷) +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20230529223402.1199503-1-vladimir.oltean@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsl-dspi.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c +index fd004c9db9dc0..0d9201a2999de 100644 +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -975,7 +975,9 @@ static int dspi_transfer_one_message(struct spi_controller *ctlr, + static int dspi_setup(struct spi_device *spi) + { + struct fsl_dspi *dspi = spi_controller_get_devdata(spi->controller); ++ u32 period_ns = DIV_ROUND_UP(NSEC_PER_SEC, spi->max_speed_hz); + unsigned char br = 0, pbr = 0, pcssck = 0, cssck = 0; ++ u32 quarter_period_ns = DIV_ROUND_UP(period_ns, 4); + u32 cs_sck_delay = 0, sck_cs_delay = 0; + struct fsl_dspi_platform_data *pdata; + unsigned char pasc = 0, asc = 0; +@@ -1003,6 +1005,19 @@ static int dspi_setup(struct spi_device *spi) + sck_cs_delay = pdata->sck_cs_delay; + } + ++ /* Since tCSC and tASC apply to continuous transfers too, avoid SCK ++ * glitches of half a cycle by never allowing tCSC + tASC to go below ++ * half a SCK period. ++ */ ++ if (cs_sck_delay < quarter_period_ns) ++ cs_sck_delay = quarter_period_ns; ++ if (sck_cs_delay < quarter_period_ns) ++ sck_cs_delay = quarter_period_ns; ++ ++ dev_dbg(&spi->dev, ++ "DSPI controller timing params: CS-to-SCK delay %u ns, SCK-to-CS delay %u ns\n", ++ cs_sck_delay, sck_cs_delay); ++ + clkrate = clk_get_rate(dspi->clk); + hz_to_spi_baud(&pbr, &br, spi->max_speed_hz, clkrate); + +-- +2.39.2 +