From: Sasha Levin
Date: Sun, 16 Apr 2023 11:53:23 +0000 (-0400)
Subject: Fixes for 6.1
X-Git-Tag: v4.14.313~46
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4836dc8cd304f24c30f352ce6168411addcc427f;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 6.1
Signed-off-by: Sasha Levin
---
diff --git a/queue-6.1/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch b/queue-6.1/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch
new file mode 100644
index 00000000000..094fba873d2
--- /dev/null
+++ b/queue-6.1/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch
@@ -0,0 +1,61 @@
+From 0805c7c8aa041cda7c9e04d4638b161d9e563fd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 22:43:25 +0800
+Subject: 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
+ condition
+
+From: Zheng Wang
+
+[ Upstream commit ea4f1009408efb4989a0f139b70fb338e7f687d0 ]
+
+In xen_9pfs_front_probe, it calls xen_9pfs_front_alloc_dataring
+to init priv->rings and bound &ring->work with p9_xen_response.
+
+When it calls xen_9pfs_front_event_handler to handle IRQ requests,
+it will finally call schedule_work to start the work.
+
+When we call xen_9pfs_front_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in xen_9pfs_front_free.
+
+Note that, this bug is found by static analysis, which might be
+false positive.
+
+CPU0 CPU1
+
+ |p9_xen_response
+xen_9pfs_front_remove|
+ xen_9pfs_front_free|
+kfree(priv) |
+//free priv |
+ |p9_tag_lookup
+ |//use priv->client
+
+Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
+Signed-off-by: Zheng Wang
+Reviewed-by: Michal Swiatkowski
+Signed-off-by: Eric Van Hensbergen
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_xen.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index 75c03a82baf38..68027e4fb4216 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -278,6 +278,10 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv)
+ write_unlock(&xen_9pfs_lock);
+
+ for (i = 0; i < priv->num_rings; i++) {
++ struct xen_9pfs_dataring *ring = &priv->rings[i];
++
++ cancel_work_sync(&ring->work);
++
+ if (!priv->rings[i].intf)
+ break;
+ if (priv->rings[i].irq > 0)
+--
+2.39.2
+
diff --git a/queue-6.1/acpi-resource-add-medion-s17413-to-irq-override-quir.patch b/queue-6.1/acpi-resource-add-medion-s17413-to-irq-override-quir.patch
new file mode 100644
index 00000000000..065e186ae9b
--- /dev/null
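Review bot: In xen_9pfs_front_free() the new `cancel_work_sync(&ring->work)` runs at the top of the loop body, ahead of the `priv->rings[i].irq > 0` teardown that follows in the same iteration, so an event arriving after the cancel returns but before the interrupt is released can presumably queue the work again and leave the use-after-free window open. Cancelling after the IRQ has been unbound would close that gap; the unbind call itself is outside this hunk, so this is inferred from the visible ordering. The call also precedes the `if (!priv->rings[i].intf) break;` check, so it is applied to a ring that may never have been set up, and it is worth confirming that `ring->work` is always initialised by then or moving the cancel below that check. The new `ring` local is not used by the lines that follow, which still spell out `priv->rings[i]`.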
+++ b/queue-6.1/acpi-resource-add-medion-s17413-to-irq-override-quir.patch
@@ -0,0 +1,42 @@
+From 780c7d068923f5f4a0931bfd17634917c1f26602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 19 Mar 2023 03:12:05 +0100
+Subject: ACPI: resource: Add Medion S17413 to IRQ override quirk
+
+From: Aymeric Wibo
+
+[ Upstream commit 2d0ab14634a26e54f8d6d231b47b7ef233e84599 ]
+
+Add DMI info of the Medion S17413 (board M1xA) to the IRQ override
+quirk table. This fixes the keyboard not working on these laptops.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213031
+Signed-off-by: Aymeric Wibo
+[ rjw: Fixed up white space ]
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/resource.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index a222bda7e15b0..d08818baea88f 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -400,6 +400,13 @@ static const struct dmi_system_id medion_laptop[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "M17T"),
+ },
+ },
++ {
++ .ident = "MEDION S17413",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"),
++ DMI_MATCH(DMI_BOARD_NAME, "M1xA"),
++ },
++ },
+ { }
+ };
+
+--
+2.39.2
+
diff --git a/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-acer-a.patch b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-acer-a.patch
new file mode 100644
index 00000000000..b4ccc70f829
--- /dev/null
+++ b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-acer-a.patch
@@ -0,0 +1,45 @@
+From 67e3ff8629d85da17143ea926174b9b7850a0be8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 16:59:46 +0100
+Subject: ACPI: video: Add backlight=native DMI quirk for Acer Aspire 3830TG
+
+From: Hans de Goede
+
+[ Upstream commit 5e7a3bf65db57461d0f47955248fcadf37321a74 ]
+
+The Acer Aspire 3830TG predates Windows 8, so it defaults to using
+acpi_video# for backlight control, but this is non functional on
+this model.
+
+Add a DMI quirk to use the native backlight interface which does
+work properly.
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/video_detect.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 42b5af5490a11..f0f41959faea6 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -530,6 +530,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Precision 7510"),
+ },
+ },
++ {
++ .callback = video_detect_force_native,
++ /* Acer Aspire 3830TG */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 3830TG"),
++ },
++ },
+ {
+ .callback = video_detect_force_native,
+ /* Acer Aspire 4810T */
+--
+2.39.2
+
diff --git a/queue-6.1/arm-9290-1-uaccess-fix-kasan-false-positives.patch b/queue-6.1/arm-9290-1-uaccess-fix-kasan-false-positives.patch
new file mode 100644
index 00000000000..12bcf0c273d
--- /dev/null
+++ b/queue-6.1/arm-9290-1-uaccess-fix-kasan-false-positives.patch
@@ -0,0 +1,56 @@
+From 11fe8a9cf1208194cc55a89d8a8648d530cd6b29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Feb 2023 00:10:14 +0100
+Subject: ARM: 9290/1: uaccess: Fix KASAN false-positives
+
+From: Andrew Jeffery
+
+[ Upstream commit ceac10c83b330680cc01ceaaab86cd49f4f30d81 ]
+
+__copy_to_user_memcpy() and __clear_user_memset() had been calling
+memcpy() and memset() respectively, leading to false-positive KASAN
+reports when starting userspace:
+
+ [ 10.707901] Run /init as init process
+ [ 10.731892] process '/bin/busybox' started with executable stack
+ [ 10.745234] ==================================================================
+ [ 10.745796] BUG: KASAN: user-memory-access in __clear_user_memset+0x258/0x3ac
+ [ 10.747260] Write of size 2687 at addr 000de581 by task init/1
+
+Use __memcpy() and __memset() instead to allow userspace access, which
+is of course the intent of these functions.
+
+Signed-off-by: Andrew Jeffery
+Signed-off-by: Zev Weiss
+Reviewed-by: Arnd Bergmann
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Sasha Levin
+---
+ arch/arm/lib/uaccess_with_memcpy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
+index 14eecaaf295fa..e4c2677cc1e9e 100644
+--- a/arch/arm/lib/uaccess_with_memcpy.c
++++ b/arch/arm/lib/uaccess_with_memcpy.c
+@@ -116,7 +116,7 @@ __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
+ tocopy = n;
+
+ ua_flags = uaccess_save_and_enable();
+- memcpy((void *)to, from, tocopy);
++ __memcpy((void *)to, from, tocopy);
+ uaccess_restore(ua_flags);
+ to += tocopy;
+ from += tocopy;
+@@ -178,7 +178,7 @@ __clear_user_memset(void __user *addr, unsigned long n)
+ tocopy = n;
+
+ ua_flags = uaccess_save_and_enable();
+- memset((void *)addr, 0, tocopy);
++ __memset((void *)addr, 0, tocopy);
+ uaccess_restore(ua_flags);
+ addr += tocopy;
+ n -= tocopy;
+--
+2.39.2
+
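Review bot: Switching to `__memcpy()` / `__memset()` in `__copy_to_user_memcpy()` and `__clear_user_memset()` silences the user-pointer report, but, assuming the double-underscore variants are the uninstrumented ones as the commit message implies, it presumably also drops sanitizer coverage of the kernel-side `from` buffer for these copies. If that coverage matters, an explicit `kasan_check_read(from, tocopy);` before the copy would keep the source side checked. Neither call site records why the uninstrumented variant is used; a short comment such as `/* uninstrumented: destination is a user address, KASAN must not check it */` above each call would stop a later cleanup from switching back. Both functions begin and end outside the hunks.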
diff --git a/queue-6.1/arm-dts-qcom-apq8026-lg-lenok-add-missing-reserved-m.patch b/queue-6.1/arm-dts-qcom-apq8026-lg-lenok-add-missing-reserved-m.patch
new file mode 100644
index 00000000000..7073de445aa
--- /dev/null
+++ b/queue-6.1/arm-dts-qcom-apq8026-lg-lenok-add-missing-reserved-m.patch
@@ -0,0 +1,45 @@
+From cbc8af670b6bd9a0e1ce6b685a6863f6b04f058d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Mar 2023 22:06:03 +0100
+Subject: ARM: dts: qcom: apq8026-lg-lenok: add missing reserved memory
+
+From: Luca Weiss
+
+[ Upstream commit ecd240875e877d78fd03efbc62292f550872df3f ]
+
+Turns out these two memory regions also need to be avoided, otherwise
+weird things will happen when Linux tries to use this memory.
+
+Signed-off-by: Luca Weiss
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230308-lenok-reserved-memory-v1-1-b8bf6ff01207@z3ntu.xyz
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts b/arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts
+index 193569f0ca5f7..4bdadb7681c30 100644
+--- a/arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts
++++ b/arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts
+@@ -26,6 +26,16 @@
+ };
+
+ reserved-memory {
++ sbl_region: sbl@2f00000 {
++ reg = <0x02f00000 0x100000>;
++ no-map;
++ };
++
++ external_image_region: external-image@3100000 {
++ reg = <0x03100000 0x200000>;
++ no-map;
++ };
++
+ adsp_region: adsp@3300000 {
+ reg = <0x03300000 0x1400000>;
+ no-map;
+--
+2.39.2
+
diff --git a/queue-6.1/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch b/queue-6.1/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch
new file mode 100644
index 00000000000..2d3afb2d0a7
--- /dev/null
+++ b/queue-6.1/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch
@@ -0,0 +1,158 @@
+From 1aa88a4dbf850965cbc8cb498e598996219c5236 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Feb 2023 12:12:54 -0500
+Subject: asymmetric_keys: log on fatal failures in PE/pkcs7
+
+From: Robbie Harwood
+
+[ Upstream commit 3584c1dbfffdabf8e3dc1dd25748bb38dd01cd43 ]
+
+These particular errors can be encountered while trying to kexec when
+secureboot lockdown is in place. Without this change, even with a
+signed debug build, one still needs to reboot the machine to add the
+appropriate dyndbg parameters (since lockdown blocks debugfs).
+
+Accordingly, upgrade all pr_debug() before fatal error into pr_warn().
+
+Signed-off-by: Robbie Harwood
+Signed-off-by: David Howells
+cc: Jarkko Sakkinen
+cc: Eric Biederman
+cc: Herbert Xu
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://lore.kernel.org/r/20230220171254.592347-3-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin
+---
+ crypto/asymmetric_keys/pkcs7_verify.c | 10 +++++-----
+ crypto/asymmetric_keys/verify_pefile.c | 24 ++++++++++++------------
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
+index f6321c785714c..3da32813e4412 100644
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -79,16 +79,16 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
+ }
+
+ if (sinfo->msgdigest_len != sig->digest_size) {
+- pr_debug("Sig %u: Invalid digest size (%u)\n",
+- sinfo->index, sinfo->msgdigest_len);
++ pr_warn("Sig %u: Invalid digest size (%u)\n",
++ sinfo->index, sinfo->msgdigest_len);
+ ret = -EBADMSG;
+ goto error;
+ }
+
+ if (memcmp(sig->digest, sinfo->msgdigest,
+ sinfo->msgdigest_len) != 0) {
+- pr_debug("Sig %u: Message digest doesn't match\n",
+- sinfo->index);
++ pr_warn("Sig %u: Message digest doesn't match\n",
++ sinfo->index);
+ ret = -EKEYREJECTED;
+ goto error;
+ }
+@@ -478,7 +478,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+ const void *data, size_t datalen)
+ {
+ if (pkcs7->data) {
+- pr_debug("Data already supplied\n");
++ pr_warn("Data already supplied\n");
+ return -EINVAL;
+ }
+ pkcs7->data = data;
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index fe1bb374239d7..22beaf2213a22 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ break;
+
+ default:
+- pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);
++ pr_warn("Unknown PEOPT magic = %04hx\n", pe32->magic);
+ return -ELIBBAD;
+ }
+
+@@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ ctx->certs_size = ddir->certs.size;
+
+ if (!ddir->certs.virtual_address || !ddir->certs.size) {
+- pr_debug("Unsigned PE binary\n");
++ pr_warn("Unsigned PE binary\n");
+ return -ENODATA;
+ }
+
+@@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ unsigned len;
+
+ if (ctx->sig_len < sizeof(wrapper)) {
+- pr_debug("Signature wrapper too short\n");
++ pr_warn("Signature wrapper too short\n");
+ return -ELIBBAD;
+ }
+
+@@ -142,16 +142,16 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ * rounded up since 0.110.
+ */
+ if (wrapper.length > ctx->sig_len) {
+- pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
+- ctx->sig_len, wrapper.length);
++ pr_warn("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+- pr_debug("Signature is not revision 2.0\n");
++ pr_warn("Signature is not revision 2.0\n");
+ return -ENOTSUPP;
+ }
+ if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
+- pr_debug("Signature certificate type is not PKCS\n");
++ pr_warn("Signature certificate type is not PKCS\n");
+ return -ENOTSUPP;
+ }
+
+@@ -164,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ ctx->sig_offset += sizeof(wrapper);
+ ctx->sig_len -= sizeof(wrapper);
+ if (ctx->sig_len < 4) {
+- pr_debug("Signature data missing\n");
++ pr_warn("Signature data missing\n");
+ return -EKEYREJECTED;
+ }
+
+@@ -198,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ return 0;
+ }
+ not_pkcs7:
+- pr_debug("Signature data not PKCS#7\n");
++ pr_warn("Signature data not PKCS#7\n");
+ return -ELIBBAD;
+ }
+
+@@ -341,8 +341,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ digest_size = crypto_shash_digestsize(tfm);
+
+ if (digest_size != ctx->digest_len) {
+- pr_debug("Digest size mismatch (%zx != %x)\n",
+- digest_size, ctx->digest_len);
++ pr_warn("Digest size mismatch (%zx != %x)\n",
++ digest_size, ctx->digest_len);
+ ret = -EBADMSG;
+ goto error_no_desc;
+ }
+@@ -373,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ * PKCS#7 certificate.
+ */
+ if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
+- pr_debug("Digest mismatch\n");
++ pr_warn("Digest mismatch\n");
+ ret = -EKEYREJECTED;
+ } else {
+ pr_debug("The digests match!\n");
+--
+2.39.2
+
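Review bot: The promoted message in pefile_strip_sig_wrapper(), `"Signature wrapper bigger than sig len (%x > %x)\n"`, is passed `ctx->sig_len, wrapper.length` while the guarding condition is `wrapper.length > ctx->sig_len`, so the two values print in the opposite order to the comparison; now that this is a warning people will actually read, the arguments should be `wrapper.length, ctx->sig_len`. More generally, every one of these `pr_warn()` calls fires on a property of the file or message being verified, so if any of these paths can be driven repeatedly with caller-supplied data the kernel log can be flooded, and `pr_warn_ratelimited()` would keep the diagnostic without that exposure. `"Unsigned PE binary"` in pefile_parse_binary() may also be an expected outcome rather than a fault on systems that do not enforce signatures, which this page cannot confirm.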
diff --git a/queue-6.1/block-ublk_drv-mark-device-as-live-before-adding-dis.patch b/queue-6.1/block-ublk_drv-mark-device-as-live-before-adding-dis.patch
new file mode 100644
index 00000000000..2ad2aa1668e
--- /dev/null
+++ b/queue-6.1/block-ublk_drv-mark-device-as-live-before-adding-dis.patch
@@ -0,0 +1,52 @@
+From beba79eaaabc39d24e3af9a7011df32df1f172dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Mar 2023 22:12:31 +0800
+Subject: block: ublk_drv: mark device as LIVE before adding disk
+
+From: Ming Lei
+
+[ Upstream commit 4985e7b2c002eb4c5c794a1d3acd91b82c89a0fd ]
+
+IO can be started before add_disk() returns, such as reading parititon table,
+then the monitor work should work for making forward progress.
+
+So mark device as LIVE before adding disk, meantime change to
+DEAD if add_disk() fails.
+
+Fixed: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Reviewed-by: Ziyang Zhang
+Signed-off-by: Ming Lei
+Link: https://lore.kernel.org/r/20230318141231.55562-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/ublk_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 2ed994a313a91..c0cbc5f3eb266 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1571,17 +1571,18 @@ static int ublk_ctrl_start_dev(struct io_uring_cmd *cmd)
+ set_bit(GD_SUPPRESS_PART_SCAN, &disk->state);
+
+ get_device(&ub->cdev_dev);
++ ub->dev_info.state = UBLK_S_DEV_LIVE;
+ ret = add_disk(disk);
+ if (ret) {
+ /*
+ * Has to drop the reference since ->free_disk won't be
+ * called in case of add_disk failure.
+ */
++ ub->dev_info.state = UBLK_S_DEV_DEAD;
+ ublk_put_device(ub);
+ goto out_put_disk;
+ }
+ set_bit(UB_STATE_USED, &ub->state);
+- ub->dev_info.state = UBLK_S_DEV_LIVE;
+ out_put_disk:
+ if (ret)
+ put_disk(disk);
+--
+2.39.2
+
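Review bot: In ublk_ctrl_start_dev() the existing comment in the `if (ret)` branch (about dropping the reference because `->free_disk` will not be called) now sits directly above the added `ub->dev_info.state = UBLK_S_DEV_DEAD;`, which it does not describe, and the early `UBLK_S_DEV_LIVE` assignment carries no comment at all. Moving the state reset above that comment and adding `/* I/O may start before add_disk() returns, so the device must already be LIVE */` before the first assignment would record the ordering requirement that only the commit message states today. The state is also observable as LIVE while `UB_STATE_USED` is still clear; whether any reader relies on the two changing together cannot be told from this hunk. The function begins and ends outside the hunk.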
diff --git a/queue-6.1/bluetooth-fix-printing-errors-if-le-connection-times.patch b/queue-6.1/bluetooth-fix-printing-errors-if-le-connection-times.patch
new file mode 100644
index 00000000000..9d71788f2f8
--- /dev/null
+++ b/queue-6.1/bluetooth-fix-printing-errors-if-le-connection-times.patch
@@ -0,0 +1,149 @@
+From 2ff2f177efe1ae126dc9932df655c6cac0ab39f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 13:18:20 -0700
+Subject: Bluetooth: Fix printing errors if LE Connection times out
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit b62e72200eaad523f08d8319bba50fc652e032a8 ]
+
+This fixes errors like bellow when LE Connection times out since that
+is actually not a controller error:
+
+ Bluetooth: hci0: Opcode 0x200d failed: -110
+ Bluetooth: hci0: request failed to create LE connection: err -110
+
+Instead the code shall properly detect if -ETIMEDOUT is returned and
+send HCI_OP_LE_CREATE_CONN_CANCEL to give up on the connection.
+
+Link: https://github.com/bluez/bluez/issues/340
+Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_conn.c | 7 +++++--
+ net/bluetooth/hci_event.c | 16 ++++++----------
+ net/bluetooth/hci_sync.c | 13 ++++++++++---
+ 4 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 7f585e5dd71b8..061fec6fd0152 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -953,6 +953,7 @@ enum {
+ HCI_CONN_STK_ENCRYPT,
+ HCI_CONN_AUTH_INITIATOR,
+ HCI_CONN_DROP,
++ HCI_CONN_CANCEL,
+ HCI_CONN_PARAM_REMOVAL_PEND,
+ HCI_CONN_NEW_LINK_KEY,
+ HCI_CONN_SCANNING,
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 1b80d94d639cc..c2c6dea01cc91 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1247,6 +1247,8 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ {
+ struct hci_conn *conn = data;
+
++ bt_dev_dbg(hdev, "err %d", err);
++
+ hci_dev_lock(hdev);
+
+ if (!err) {
+@@ -1254,8 +1256,6 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ goto done;
+ }
+
+- bt_dev_err(hdev, "request failed to create LE connection: err %d", err);
+-
+ /* Check if connection is still pending */
+ if (conn != hci_lookup_le_connect(hdev))
+ goto done;
+@@ -2796,6 +2796,9 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
+ {
+ int r = 0;
+
++ if (test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
++ return 0;
++
+ switch (conn->state) {
+ case BT_CONNECTED:
+ case BT_CONFIG:
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 0e2425eb6aa79..78c505f528a47 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2876,16 +2876,6 @@ static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
+
+ conn->resp_addr_type = peer_addr_type;
+ bacpy(&conn->resp_addr, peer_addr);
+-
+- /* We don't want the connection attempt to stick around
+- * indefinitely since LE doesn't have a page timeout concept
+- * like BR/EDR. Set a timer for any connection that doesn't use
+- * the accept list for connecting.
+- */
+- if (filter_policy == HCI_LE_USE_PEER_ADDR)
+- queue_delayed_work(conn->hdev->workqueue,
+- &conn->le_conn_timeout,
+- conn->conn_timeout);
+ }
+
+ static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
+@@ -5892,6 +5882,12 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
+ if (status)
+ goto unlock;
+
++ /* Drop the connection if it has been aborted */
++ if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
++ hci_conn_drop(conn);
++ goto unlock;
++ }
++
+ if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
+ addr_type = BDADDR_LE_PUBLIC;
+ else
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index f614f96c5c23d..9361fb3685cc7 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -246,8 +246,9 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+
+ skb = __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout, sk);
+ if (IS_ERR(skb)) {
+- bt_dev_err(hdev, "Opcode 0x%4x failed: %ld", opcode,
+- PTR_ERR(skb));
++ if (!event)
++ bt_dev_err(hdev, "Opcode 0x%4x failed: %ld", opcode,
++ PTR_ERR(skb));
+ return PTR_ERR(skb);
+ }
+
+@@ -5108,8 +5109,11 @@ static int hci_le_connect_cancel_sync(struct hci_dev *hdev,
+ if (test_bit(HCI_CONN_SCANNING, &conn->flags))
+ return 0;
+
++ if (test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
++ return 0;
++
+ return __hci_cmd_sync_status(hdev, HCI_OP_LE_CREATE_CONN_CANCEL,
+- 6, &conn->dst, HCI_CMD_TIMEOUT);
++ 0, NULL, HCI_CMD_TIMEOUT);
+ }
+
+ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn)
+@@ -6084,6 +6088,9 @@ int hci_le_create_conn_sync(struct hci_dev *hdev, struct hci_conn *conn)
+ conn->conn_timeout, NULL);
+
+ done:
++ if (err == -ETIMEDOUT)
++ hci_le_connect_cancel_sync(hdev, conn);
++
+ /* Re-enable advertising after the connection attempt is finished. */
+ hci_resume_advertising_sync(hdev);
+ return err;
+--
+2.39.2
+
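Review bot: In __hci_cmd_sync_status_sk() the new `if (!event)` guard suppresses the `Opcode 0x%4x failed` message for every command that waits on a specific event, not only for the LE connection timeout named in the commit message, so genuine controller failures on other event-waiting commands would presumably no longer be logged at error level. Narrowing the guard, for example `if (!event || PTR_ERR(skb) != -ETIMEDOUT)`, would keep those diagnostics. Separately, `HCI_CONN_CANCEL` is set with `test_and_set_bit()` in both hci_abort_conn() and hci_le_connect_cancel_sync() and is not cleared anywhere in these hunks; if one can run after the other for the same connection, the second returns 0 without sending anything, so the enum value deserves a comment stating which path owns the bit and when it is reset. The functions touched extend beyond the hunks shown.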
diff --git a/queue-6.1/bluetooth-hci_conn-fix-not-cleaning-up-on-le-connect.patch b/queue-6.1/bluetooth-hci_conn-fix-not-cleaning-up-on-le-connect.patch
new file mode 100644
index 00000000000..3c48432beeb
--- /dev/null
+++ b/queue-6.1/bluetooth-hci_conn-fix-not-cleaning-up-on-le-connect.patch
@@ -0,0 +1,118 @@
+From 8b2197fc8eb5bfaf0fe3553c1ad4da9656c5fc0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 10:57:55 -0700
+Subject: Bluetooth: hci_conn: Fix not cleaning up on LE Connection failure
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 19cf60bf63cbaf5262eac400c707966e19999b83 ]
+
+hci_connect_le_scan_cleanup shall always be invoked to cleanup the
+states and re-enable passive scanning if necessary, otherwise it may
+cause the pending action to stay active causing multiple attempts to
+connect.
+
+Fixes: 9b3628d79b46 ("Bluetooth: hci_sync: Cleanup hci_conn if it cannot be aborted")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_conn.c | 52 +++++++++++++++++++---------------------
+ 1 file changed, 24 insertions(+), 28 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 6265614c748f8..1b80d94d639cc 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -68,7 +68,7 @@ static const struct sco_param esco_param_msbc[] = {
+ };
+
+ /* This function requires the caller holds hdev->lock */
+-static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
++static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
+ {
+ struct hci_conn_params *params;
+ struct hci_dev *hdev = conn->hdev;
+@@ -88,9 +88,28 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
+
+ params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
+ bdaddr_type);
+- if (!params || !params->explicit_connect)
++ if (!params)
+ return;
+
++ if (params->conn) {
++ hci_conn_drop(params->conn);
++ hci_conn_put(params->conn);
++ params->conn = NULL;
++ }
++
++ if (!params->explicit_connect)
++ return;
++
++ /* If the status indicates successful cancellation of
++ * the attempt (i.e. Unknown Connection Id) there's no point of
++ * notifying failure since we'll go back to keep trying to
++ * connect. The only exception is explicit connect requests
++ * where a timeout + cancel does indicate an actual failure.
++ */
++ if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
++ mgmt_connect_failed(hdev, &conn->dst, conn->type,
++ conn->dst_type, status);
++
+ /* The connection attempt was doing scan for new RPA, and is
+ * in scan phase. If params are not associated with any other
+ * autoconnect action, remove them completely. If they are, just unmark
+@@ -178,7 +197,7 @@ static void le_scan_cleanup(struct work_struct *work)
+ rcu_read_unlock();
+
+ if (c == conn) {
+- hci_connect_le_scan_cleanup(conn);
++ hci_connect_le_scan_cleanup(conn, 0x00);
+ hci_conn_cleanup(conn);
+ }
+
+@@ -1193,31 +1212,8 @@ EXPORT_SYMBOL(hci_get_route);
+ static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
+ {
+ struct hci_dev *hdev = conn->hdev;
+- struct hci_conn_params *params;
+
+- params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
+- conn->dst_type);
+- if (params && params->conn) {
+- hci_conn_drop(params->conn);
+- hci_conn_put(params->conn);
+- params->conn = NULL;
+- }
+-
+- /* If the status indicates successful cancellation of
+- * the attempt (i.e. Unknown Connection Id) there's no point of
+- * notifying failure since we'll go back to keep trying to
+- * connect. The only exception is explicit connect requests
+- * where a timeout + cancel does indicate an actual failure.
+- */
+- if (status != HCI_ERROR_UNKNOWN_CONN_ID ||
+- (params && params->explicit_connect))
+- mgmt_connect_failed(hdev, &conn->dst, conn->type,
+- conn->dst_type, status);
+-
+- /* Since we may have temporarily stopped the background scanning in
+- * favor of connection establishment, we should restart it.
+- */
+- hci_update_passive_scan(hdev);
++ hci_connect_le_scan_cleanup(conn, status);
+
+ /* Enable advertising in case this was a failed connection
+ * attempt as a peripheral.
+@@ -1254,7 +1250,7 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ hci_dev_lock(hdev);
+
+ if (!err) {
+- hci_connect_le_scan_cleanup(conn);
++ hci_connect_le_scan_cleanup(conn, 0x00);
+ goto done;
+ }
+
+--
+2.39.2
+
diff --git a/queue-6.1/bluetooth-sco-fix-possible-circular-locking-dependen.patch b/queue-6.1/bluetooth-sco-fix-possible-circular-locking-dependen.patch
new file mode 100644
index 00000000000..7bda1786728
--- /dev/null
+++ b/queue-6.1/bluetooth-sco-fix-possible-circular-locking-dependen.patch
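Review bot: In hci_connect_le_scan_cleanup() the relocated comment says explicit connect requests are the exception where a timeout plus cancel is a real failure, yet the code beneath it, `if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)`, is reached only for explicit connects and skips `mgmt_connect_failed()` for exactly that status. The removed version in hci_le_conn_failed() reported when `status != HCI_ERROR_UNKNOWN_CONN_ID || (params && params->explicit_connect)`, so two cases change: an explicit connect ending with Unknown Connection Id is no longer reported, and a failure with no matching params, or with non-explicit params, returns before the report. If that is intended the comment should be rewritten to say so; otherwise the test at this point should be `if (status)`. The direct `hci_update_passive_scan(hdev)` call is also dropped from hci_le_conn_failed(), and whether the cleanup function still reaches it on every return path lies outside these hunks.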
@@ -0,0 +1,138 @@
+From 677bab479b184756bac641488fcec3ff87a40ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Mar 2023 14:45:03 -0700
+Subject: Bluetooth: SCO: Fix possible circular locking dependency
+ sco_sock_getsockopt
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 975abc0c90fc485ff9b4a6afa475c3b1398d5d47 ]
+
+This attempts to fix the following trace:
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.3.0-rc2-g68fcb3a7bf97 #4706 Not tainted
+------------------------------------------------------
+sco-tester/31 is trying to acquire lock:
+ffff8880025b8070 (&hdev->lock){+.+.}-{3:3}, at:
+sco_sock_getsockopt+0x1fc/0xa90
+
+but task is already holding lock:
+ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
+sco_sock_getsockopt+0x104/0xa90
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
+ lock_sock_nested+0x32/0x80
+ sco_connect_cfm+0x118/0x4a0
+ hci_sync_conn_complete_evt+0x1e6/0x3d0
+ hci_event_packet+0x55c/0x7c0
+ hci_rx_work+0x34c/0xa00
+ process_one_work+0x575/0x910
+ worker_thread+0x89/0x6f0
+ kthread+0x14e/0x180
+ ret_from_fork+0x2b/0x50
+
+-> #1 (hci_cb_list_lock){+.+.}-{3:3}:
+ __mutex_lock+0x13b/0xcc0
+ hci_sync_conn_complete_evt+0x1ad/0x3d0
+ hci_event_packet+0x55c/0x7c0
+ hci_rx_work+0x34c/0xa00
+ process_one_work+0x575/0x910
+ worker_thread+0x89/0x6f0
+ kthread+0x14e/0x180
+ ret_from_fork+0x2b/0x50
+
+-> #0 (&hdev->lock){+.+.}-{3:3}:
+ __lock_acquire+0x18cc/0x3740
+ lock_acquire+0x151/0x3a0
+ __mutex_lock+0x13b/0xcc0
+ sco_sock_getsockopt+0x1fc/0xa90
+ __sys_getsockopt+0xe9/0x190
+ __x64_sys_getsockopt+0x5b/0x70
+ do_syscall_64+0x42/0x90
+ entry_SYSCALL_64_after_hwframe+0x70/0xda
+
+other info that might help us debug this:
+
+Chain exists of:
+ &hdev->lock --> hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
+ lock(hci_cb_list_lock);
+ lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
+ lock(&hdev->lock);
+
+ *** DEADLOCK ***
+
+1 lock held by sco-tester/31:
+ #0: ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0},
+ at: sco_sock_getsockopt+0x104/0xa90
+
+Fixes: 248733e87d50 ("Bluetooth: Allow querying of supported offload codecs over SCO socket")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/sco.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 1111da4e2f2bd..1755f91a66f6a 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -1129,6 +1129,8 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
++ release_sock(sk);
++
+ /* find total buffer size required to copy codec + caps */
+ hci_dev_lock(hdev);
+ list_for_each_entry(c, &hdev->local_codecs, list) {
+@@ -1146,15 +1148,13 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ buf_len += sizeof(struct bt_codecs);
+ if (buf_len > len) {
+ hci_dev_put(hdev);
+- err = -ENOBUFS;
+- break;
++ return -ENOBUFS;
+ }
+ ptr = optval;
+
+ if (put_user(num_codecs, ptr)) {
+ hci_dev_put(hdev);
+- err = -EFAULT;
+- break;
++ return -EFAULT;
+ }
+ ptr += sizeof(num_codecs);
+
+@@ -1194,12 +1194,14 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ ptr += len;
+ }
+
+- if (!err && put_user(buf_len, optlen))
+- err = -EFAULT;
+-
+ hci_dev_unlock(hdev);
+ hci_dev_put(hdev);
+
++ lock_sock(sk);
++
++ if (!err && put_user(buf_len, optlen))
++ err = -EFAULT;
++
+ break;
+
+ default:
+--
+2.39.2
+
diff --git a/queue-6.1/bluetooth-set-iso-data-path-on-broadcast-sink.patch b/queue-6.1/bluetooth-set-iso-data-path-on-broadcast-sink.patch
new file mode 100644
index 00000000000..5cc2bc9d4a6
--- /dev/null
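Review bot: After the added `release_sock(sk)` in sco_sock_getsockopt() the error exits inside this case change from `err = ...; break;` to a bare `return`, while the success path re-takes the lock with `lock_sock(sk)` and then uses `break`, so correctness now depends on every exit between the two calls choosing the right form. A comment at the release, for example `/* sk lock dropped: exits below must return directly until lock_sock() */`, would make that invariant explicit for the next edit. Socket state is no longer stable once the lock is dropped, so anything derived from `sk` earlier in the case should be treated as a snapshot; the lines that compute it are outside the hunks.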
+++ b/queue-6.1/bluetooth-set-iso-data-path-on-broadcast-sink.patch
@@ -0,0 +1,35 @@
+From 6e6661c41c5036101106385086c91c05bf7a3caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Apr 2023 14:19:18 +0300
+Subject: Bluetooth: Set ISO Data Path on broadcast sink
+
+From: Claudia Draghicescu
+
+[ Upstream commit d2e4f1b1cba8742db66aaf77374cab7c0c7c8656 ]
+
+This patch enables ISO data rx on broadcast sink.
+
+Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
+Signed-off-by: Claudia Draghicescu
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 78c505f528a47..42a3a19b111e3 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6981,7 +6981,7 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
+ bis->iso_qos.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
+ bis->iso_qos.in.sdu = le16_to_cpu(ev->max_pdu);
+
+- hci_connect_cfm(bis, ev->status);
++ hci_iso_setup_path(bis);
+ }
+
+ hci_dev_unlock(hdev);
+--
+2.39.2
+
diff --git a/queue-6.1/bonding-fix-ns-validation-on-backup-slaves.patch b/queue-6.1/bonding-fix-ns-validation-on-backup-slaves.patch
new file mode 100644
index 00000000000..1aa5f1aac64
--- /dev/null
+++ b/queue-6.1/bonding-fix-ns-validation-on-backup-slaves.patch
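Review bot: In hci_le_big_sync_established_evt() nothing in the visible loop body consumes `ev->status` once `hci_connect_cfm(bis, ev->status)` is replaced by `hci_iso_setup_path(bis)`, so the upper layer is presumably notified only when the data-path setup completes. If that setup fails or never completes, nothing shown here confirms or tears down `bis`; a comment such as `/* connect_cfm is issued from the setup-path completion */`, or an explicit failure path, would document the hand-off. The completion handling and the start of this function are outside the hunk.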
@@ -0,0 +1,88 @@ +From 410523c96de5ce5099da81323510e80c6948f7dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 16:23:50 +0800 +Subject: bonding: fix ns validation on backup slaves + +From: Hangbin Liu + +[ Upstream commit 4598380f9c548aa161eb4e990a1583f0a7d1e0d7 ] + +When arp_validate is set to 2, 3, or 6, validation is performed for +backup slaves as well. As stated in the bond documentation, validation +involves checking the broadcast ARP request sent out via the active +slave. This helps determine which slaves are more likely to function in +the event of an active slave failure. + +However, when the target is an IPv6 address, the NS message sent from +the active interface is not checked on backup slaves. Additionally, +based on the bond_arp_rcv() rule b, we must reverse the saddr and daddr +when checking the NS message. + +Note that when checking the NS message, the destination address is a +multicast address. Therefore, we must convert the target address to +solicited multicast in the bond_get_targets_ip6() function. + +Prior to the fix, the backup slaves had a mii status of "down", but +after the fix, all of the slaves' mii status was updated to "UP". + +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Reviewed-by: Jonathan Toppins +Acked-by: Jay Vosburgh +Signed-off-by: Hangbin Liu +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++-- + include/net/bonding.h | 8 ++++++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 45d3cb557de73..9f6824a6537bc 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3266,7 +3266,8 @@ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond, + + combined = skb_header_pointer(skb, 0, sizeof(_combined), &_combined); + if (!combined || combined->ip6.nexthdr != NEXTHDR_ICMP || +- combined->icmp6.icmp6_type != NDISC_NEIGHBOUR_ADVERTISEMENT) ++ (combined->icmp6.icmp6_type != NDISC_NEIGHBOUR_SOLICITATION && ++ combined->icmp6.icmp6_type != NDISC_NEIGHBOUR_ADVERTISEMENT)) + goto out; + + saddr = &combined->ip6.saddr; +@@ -3288,7 +3289,7 @@ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond, + else if (curr_active_slave && + time_after(slave_last_rx(bond, curr_active_slave), + curr_active_slave->last_link_up)) +- bond_validate_na(bond, slave, saddr, daddr); ++ bond_validate_na(bond, slave, daddr, saddr); + else if (curr_arp_slave && + bond_time_in_interval(bond, slave_last_tx(curr_arp_slave), 1)) + bond_validate_na(bond, slave, saddr, daddr); +diff --git a/include/net/bonding.h b/include/net/bonding.h +index e999f851738bd..768348008d0c9 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -765,13 +765,17 @@ static inline int bond_get_targets_ip(__be32 *targets, __be32 ip) + #if IS_ENABLED(CONFIG_IPV6) + static inline int bond_get_targets_ip6(struct in6_addr *targets, struct in6_addr *ip) + { ++ struct in6_addr mcaddr; + int i; + +- for (i = 0; i < BOND_MAX_NS_TARGETS; i++) +- if (ipv6_addr_equal(&targets[i], ip)) ++ for (i = 0; i < BOND_MAX_NS_TARGETS; i++) { ++ addrconf_addr_solict_mult(&targets[i], &mcaddr); ++ if ((ipv6_addr_equal(&targets[i], ip)) || ++ (ipv6_addr_equal(&mcaddr, ip))) + return i; + else if 
(ipv6_addr_any(&targets[i])) + break; ++ } + + return -1; + } +-- +2.39.2 + diff --git a/queue-6.1/bpf-arm64-fixed-a-bti-error-on-returning-to-patched-.patch b/queue-6.1/bpf-arm64-fixed-a-bti-error-on-returning-to-patched-.patch new file mode 100644 index 00000000000..84c1924cfcc --- /dev/null +++ b/queue-6.1/bpf-arm64-fixed-a-bti-error-on-returning-to-patched-.patch 
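Review bot: In bond_get_targets_ip6() (include/net/bonding.h) the solicited-node multicast address is now derived and compared before the `ipv6_addr_any(&targets[i])` end-of-list test, so an unconfigured slot is still passed through `addrconf_addr_solict_mult()` and its derived address can match `ip`. A packet whose address equals the multicast form of the all-zero target would then get the index of an empty slot back instead of -1, and the caller would presumably treat it as a configured target. Testing the terminator first avoids that: `if (ipv6_addr_any(&targets[i])) break;` ahead of the two `ipv6_addr_equal()` checks. The extra parentheses around each `ipv6_addr_equal()` call can be dropped at the same time.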
@@ -0,0 +1,119 @@ +From 73500e24b1487db0b8e3407674e883b35f6d8504 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Apr 2023 19:41:44 -0400 +Subject: bpf, arm64: Fixed a BTI error on returning to patched function + +From: Xu Kuohai + +[ Upstream commit 738a96c4a8c36950803fdd27e7c30aca92dccefd ] + +When BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump +back to the instruction next to call site to call the patched function. +For BTI-enabled kernel, the instruction next to call site is usually +PACIASP, in this case, it's safe to jump back with BLR. But when +the call site is not followed by a PACIASP or bti, a BTI exception +is triggered. + +Here is a fault log: + + Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI + CPU: 0 PID: 263 Comm: test_progs Tainted: GF + Hardware name: linux,dummy-virt (DT) + pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c) + pc : bpf_fentry_test1+0xc/0x30 + lr : bpf_trampoline_6442573892_0+0x48/0x1000 + sp : ffff80000c0c3a50 + x29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050 + x23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a + x20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0 + x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528 + x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101 + x5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001 + x2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001 + Kernel panic - not syncing: Unhandled exception + CPU: 0 PID: 263 Comm: test_progs Tainted: GF + Hardware name: linux,dummy-virt (DT) + Call trace: + dump_backtrace+0xec/0x144 + show_stack+0x24/0x7c + dump_stack_lvl+0x8c/0xb8 + dump_stack+0x18/0x34 + panic+0x1cc/0x3ec + 
__el0_error_handler_common+0x0/0x130 + el1h_64_sync_handler+0x60/0xd0 + el1h_64_sync+0x78/0x7c + bpf_fentry_test1+0xc/0x30 + bpf_fentry_test1+0xc/0x30 + bpf_prog_test_run_tracing+0xdc/0x2a0 + __sys_bpf+0x438/0x22a0 + __arm64_sys_bpf+0x30/0x54 + invoke_syscall+0x78/0x110 + el0_svc_common.constprop.0+0x6c/0x1d0 + do_el0_svc+0x38/0xe0 + el0_svc+0x30/0xd0 + el0t_64_sync_handler+0x1ac/0x1b0 + el0t_64_sync+0x1a0/0x1a4 + Kernel Offset: disabled + CPU features: 0x0000,00034c24,f994fdab + Memory Limit: none + +And the instruction next to call site of bpf_fentry_test1 is ADD, +not PACIASP: + +: + bti c + nop + nop + add w0, w0, #0x1 + paciasp + +For BPF prog, JIT always puts a PACIASP after call site for BTI-enabled +kernel, so there is no problem. To fix it, replace BLR with RET to bypass +the branch target check. + +Fixes: efc9909fdce0 ("bpf, arm64: Add bpf trampoline for arm64") +Reported-by: Florent Revest +Signed-off-by: Xu Kuohai +Signed-off-by: Daniel Borkmann +Tested-by: Florent Revest +Acked-by: Florent Revest +Link: https://lore.kernel.org/bpf/20230401234144.3719742-1-xukuohai@huaweicloud.com +Signed-off-by: Sasha Levin +--- + arch/arm64/net/bpf_jit.h | 4 ++++ + arch/arm64/net/bpf_jit_comp.c | 3 ++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/net/bpf_jit.h b/arch/arm64/net/bpf_jit.h +index a6acb94ea3d63..c2edadb8ec6a3 100644 +--- a/arch/arm64/net/bpf_jit.h ++++ b/arch/arm64/net/bpf_jit.h +@@ -281,4 +281,8 @@ + /* DMB */ + #define A64_DMB_ISH aarch64_insn_gen_dmb(AARCH64_INSN_MB_ISH) + ++/* ADR */ ++#define A64_ADR(Rd, offset) \ ++ aarch64_insn_gen_adr(0, offset, Rd, AARCH64_INSN_ADR_TYPE_ADR) ++ + #endif /* _BPF_JIT_H */ +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index 30f76178608b3..8f16217c111c8 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -1905,7 +1905,8 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im, + restore_args(ctx, 
args_off, nargs); + /* call original func */ + emit(A64_LDR64I(A64_R(10), A64_SP, retaddr_off), ctx); +- emit(A64_BLR(A64_R(10)), ctx); ++ emit(A64_ADR(A64_LR, AARCH64_INSN_SIZE * 2), ctx); ++ emit(A64_RET(A64_R(10)), ctx); + /* store return value */ + emit(A64_STR64I(A64_R(0), A64_SP, retval_off), ctx); + /* reserve a nop for bpf_tramp_image_put */ +-- +2.39.2 + diff --git a/queue-6.1/bpf-tcp-use-sock_gen_put-instead-of-sock_put-in-bpf_.patch b/queue-6.1/bpf-tcp-use-sock_gen_put-instead-of-sock_put-in-bpf_.patch new file mode 100644 index 00000000000..1c5b0f1515b --- /dev/null +++ b/queue-6.1/bpf-tcp-use-sock_gen_put-instead-of-sock_put-in-bpf_.patch 
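Review bot: The `A64_ADR(A64_LR, AARCH64_INSN_SIZE * 2)` in prepare_trampoline() hard-codes the distance from the ADR to the instruction after the RET, and nothing in the hunk says so. If an instruction is ever emitted between the two, LR would point at the wrong place and the original function would return into the middle of the sequence. A comment on the pair would help, e.g. `/* LR = insn after the RET below; RET rather than BLR so a call site without a BTI landing pad does not fault */`. The function body continues outside the hunk.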
@@ -0,0 +1,49 @@ +From 8697f1c6fb58a9177b7b164bbab9d2186bd3c29a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 17:42:32 -0700 +Subject: bpf: tcp: Use sock_gen_put instead of sock_put in bpf_iter_tcp + +From: Martin KaFai Lau + +[ Upstream commit 580031ff9952b7dbf48dedba6b56a100ae002bef ] + +While reviewing the udp-iter batching patches, noticed the bpf_iter_tcp +calling sock_put() is incorrect. It should call sock_gen_put instead +because bpf_iter_tcp is iterating the ehash table which has the req sk +and tw sk. This patch replaces all sock_put with sock_gen_put in the +bpf_iter_tcp codepath. + +Fixes: 04c7820b776f ("bpf: tcp: Bpf iter batching and lock_sock") +Signed-off-by: Martin KaFai Lau +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230328004232.2134233-1-martin.lau@linux.dev +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index da46357f501b3..ad0a5f185a694 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2728,7 +2728,7 @@ static int tcp_prog_seq_show(struct bpf_prog *prog, struct bpf_iter_meta *meta, + static void bpf_iter_tcp_put_batch(struct bpf_tcp_iter_state *iter) + { + while (iter->cur_sk < iter->end_sk) +- sock_put(iter->batch[iter->cur_sk++]); ++ sock_gen_put(iter->batch[iter->cur_sk++]); + } + + static int bpf_iter_tcp_realloc_batch(struct bpf_tcp_iter_state *iter, +@@ -2889,7 +2889,7 @@ static void *bpf_iter_tcp_seq_next(struct seq_file *seq, void *v, loff_t *pos) + * st->bucket. See tcp_seek_last_pos(). + */ + st->offset++; +- sock_put(iter->batch[iter->cur_sk++]); ++ sock_gen_put(iter->batch[iter->cur_sk++]); + } + + if (iter->cur_sk < iter->end_sk) +-- +2.39.2 + diff --git a/queue-6.1/cgroup-freezer-hold-cpu_hotplug_lock-before-freezer_.patch b/queue-6.1/cgroup-freezer-hold-cpu_hotplug_lock-before-freezer_.patch new file mode 100644 index 00000000000..1ea58142507 
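Review bot: Neither replaced call in net/ipv4/tcp_ipv4.c carries a comment saying why `sock_gen_put()` is required, so a later cleanup could easily turn it back into `sock_put()`. The reason is only in the commit message: the batch is filled from the ehash table, which also holds request and timewait sockets. I would add `/* batch[] comes from ehash and may hold req/tw socks: sock_gen_put(), not sock_put() */` above the loop in bpf_iter_tcp_put_batch(). The message says every sock_put in the bpf_iter_tcp path is replaced, but only two sites are visible here, so the rest of the file is worth checking.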
--- /dev/null
+++ b/queue-6.1/cgroup-freezer-hold-cpu_hotplug_lock-before-freezer_.patch
@@ -0,0 +1,127 @@ +From b8ec84bade3d7ccb22df60a787d73ad1af1bf2e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Apr 2023 22:15:32 +0900 +Subject: cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex + +From: Tetsuo Handa + +[ Upstream commit 57dcd64c7e036299ef526b400a8d12b8a2352f26 ] + +syzbot is reporting circular locking dependency between cpu_hotplug_lock +and freezer_mutex, for commit f5d39b020809 ("freezer,sched: Rewrite core +freezer logic") replaced atomic_inc() in freezer_apply_state() with +static_branch_inc() which holds cpu_hotplug_lock. + +cpu_hotplug_lock => cgroup_threadgroup_rwsem => freezer_mutex + + cgroup_file_write() { + cgroup_procs_write() { + __cgroup_procs_write() { + cgroup_procs_write_start() { + cgroup_attach_lock() { + cpus_read_lock() { + percpu_down_read(&cpu_hotplug_lock); + } + percpu_down_write(&cgroup_threadgroup_rwsem); + } + } + cgroup_attach_task() { + cgroup_migrate() { + cgroup_migrate_execute() { + freezer_attach() { + mutex_lock(&freezer_mutex); + (...snipped...) + } + } + } + } + (...snipped...) + } + } + } + +freezer_mutex => cpu_hotplug_lock + + cgroup_file_write() { + freezer_write() { + freezer_change_state() { + mutex_lock(&freezer_mutex); + freezer_apply_state() { + static_branch_inc(&freezer_active) { + static_key_slow_inc() { + cpus_read_lock(); + static_key_slow_inc_cpuslocked(); + cpus_read_unlock(); + } + } + } + mutex_unlock(&freezer_mutex); + } + } + } + +Swap locking order by moving cpus_read_lock() in freezer_apply_state() +to before mutex_lock(&freezer_mutex) in freezer_change_state(). 
+ +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=c39682e86c9d84152f93 +Suggested-by: Hillf Danton +Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic") +Signed-off-by: Tetsuo Handa +Acked-by: Peter Zijlstra (Intel) +Reviewed-by: Mukesh Ojha +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/legacy_freezer.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/legacy_freezer.c b/kernel/cgroup/legacy_freezer.c +index 1b6b21851e9d4..936473203a6b5 100644 +--- a/kernel/cgroup/legacy_freezer.c ++++ b/kernel/cgroup/legacy_freezer.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + /* + * A cgroup is freezing if any FREEZING flags are set. FREEZING_SELF is +@@ -350,7 +351,7 @@ static void freezer_apply_state(struct freezer *freezer, bool freeze, + + if (freeze) { + if (!(freezer->state & CGROUP_FREEZING)) +- static_branch_inc(&freezer_active); ++ static_branch_inc_cpuslocked(&freezer_active); + freezer->state |= state; + freeze_cgroup(freezer); + } else { +@@ -361,7 +362,7 @@ static void freezer_apply_state(struct freezer *freezer, bool freeze, + if (!(freezer->state & CGROUP_FREEZING)) { + freezer->state &= ~CGROUP_FROZEN; + if (was_freezing) +- static_branch_dec(&freezer_active); ++ static_branch_dec_cpuslocked(&freezer_active); + unfreeze_cgroup(freezer); + } + } +@@ -379,6 +380,7 @@ static void freezer_change_state(struct freezer *freezer, bool freeze) + { + struct cgroup_subsys_state *pos; + ++ cpus_read_lock(); + /* + * Update all its descendants in pre-order traversal. Each + * descendant will try to inherit its parent's FREEZING state as +@@ -407,6 +409,7 @@ static void freezer_change_state(struct freezer *freezer, bool freeze) + } + rcu_read_unlock(); + mutex_unlock(&freezer_mutex); ++ cpus_read_unlock(); + } + + static ssize_t freezer_write(struct kernfs_open_file *of, +-- +2.39.2 + 
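Review bot: freezer_apply_state() now calls the `_cpuslocked` static-branch variants, which are only correct while the caller holds cpu_hotplug_lock, but nothing in the function states or checks that. The only caller visible in this patch, freezer_change_state(), takes `cpus_read_lock()` first; any other caller would silently break the rule. Adding `lockdep_assert_cpus_held();` at the top of freezer_apply_state() would make the requirement checkable on lockdep builds. Both functions extend beyond the hunks shown.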
diff --git a/queue-6.1/clk-rs9-fix-suspend-resume.patch b/queue-6.1/clk-rs9-fix-suspend-resume.patch new file mode 100644 index 00000000000..2e9ac946e9f --- /dev/null +++ b/queue-6.1/clk-rs9-fix-suspend-resume.patch @@ -0,0 +1,43 @@ +From ed8c994ccdcc7b380e34ee12a74c4eebdb6fde46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 08:49:40 +0100 +Subject: clk: rs9: Fix suspend/resume + +From: Alexander Stein + +[ Upstream commit 632e04739c8f45c2d9ca4d4c5bd18d80c2ac9296 ] + +Disabling the cache in commit 2ff4ba9e3702 ("clk: rs9: Fix I2C accessors") +without removing cache synchronization in resume path results in a +kernel panic as map->cache_ops is unset, due to REGCACHE_NONE. +Enable flat cache again to support resume again. num_reg_defaults_raw +is necessary to read the cache defaults from hardware. Some registers +are strapped in hardware and cannot be provided in software. + +Fixes: 2ff4ba9e3702 ("clk: rs9: Fix I2C accessors") +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20230310074940.3475703-1-alexander.stein@ew.tq-group.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-renesas-pcie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-renesas-pcie.c b/drivers/clk/clk-renesas-pcie.c +index e6247141d0c05..3e98a16eba6bb 100644 +--- a/drivers/clk/clk-renesas-pcie.c ++++ b/drivers/clk/clk-renesas-pcie.c +@@ -144,8 +144,9 @@ static int rs9_regmap_i2c_read(void *context, + static const struct regmap_config rs9_regmap_config = { + .reg_bits = 8, + .val_bits = 8, +- .cache_type = REGCACHE_NONE, ++ .cache_type = REGCACHE_FLAT, + .max_register = RS9_REG_BCP, ++ .num_reg_defaults_raw = 0x8, + .rd_table = &rs9_readable_table, + .wr_table = &rs9_writeable_table, + .reg_write = rs9_regmap_i2c_write, +-- +2.39.2 + 
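Review bot: `.num_reg_defaults_raw = 0x8` in rs9_regmap_config is a bare literal next to `.max_register = RS9_REG_BCP`, and the two have to stay in step for the flat cache to be sized and primed correctly. If 0x8 is meant as the number of registers up to and including RS9_REG_BCP, writing it as `RS9_REG_BCP + 1` would tie them together; otherwise a short comment saying what the 8 counts would do. The commit message notes that some registers are strapped in hardware, which is worth repeating as a comment on this field because it explains why defaults are read back rather than listed.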
diff --git a/queue-6.1/clk-sprd-set-max_register-according-to-mapping-range.patch b/queue-6.1/clk-sprd-set-max_register-according-to-mapping-range.patch
new file mode 100644
index 00000000000..c4f27eba731
--- /dev/null
+++ b/queue-6.1/clk-sprd-set-max_register-according-to-mapping-range.patch
@@ -0,0 +1,63 @@ +From 3b3b4e16572d8b75507ba5d0b1101b58ed2c48a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 10:36:24 +0800 +Subject: clk: sprd: set max_register according to mapping range + +From: Chunyan Zhang + +[ Upstream commit 47d43086531f10539470a63e8ad92803e686a3dd ] + +In sprd clock driver, regmap_config.max_register was set to a fixed value +which is likely larger than the address range configured in device tree, +when reading registers through debugfs it would cause access violation. + +Fixes: d41f59fd92f2 ("clk: sprd: Add common infrastructure") +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20230316023624.758204-1-chunyan.zhang@unisoc.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/sprd/common.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/sprd/common.c b/drivers/clk/sprd/common.c +index ce81e4087a8fc..2bfbab8db94bf 100644 +--- a/drivers/clk/sprd/common.c ++++ b/drivers/clk/sprd/common.c +@@ -17,7 +17,6 @@ static const struct regmap_config sprdclk_regmap_config = { + .reg_bits = 32, + .reg_stride = 4, + .val_bits = 32, +- .max_register = 0xffff, + .fast_io = true, + }; + +@@ -43,6 +42,8 @@ int sprd_clk_regmap_init(struct platform_device *pdev, + struct device *dev = &pdev->dev; + struct device_node *node = dev->of_node, *np; + struct regmap *regmap; ++ struct resource *res; ++ struct regmap_config reg_config = sprdclk_regmap_config; + + if (of_find_property(node, "sprd,syscon", NULL)) { + regmap = syscon_regmap_lookup_by_phandle(node, "sprd,syscon"); +@@ -59,12 +60,14 @@ int sprd_clk_regmap_init(struct platform_device *pdev, + return PTR_ERR(regmap); + } + } else { +- base = devm_platform_ioremap_resource(pdev, 0); ++ base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); + if (IS_ERR(base)) + return PTR_ERR(base); + ++ reg_config.max_register = resource_size(res) - reg_config.reg_stride; ++ + regmap = 
devm_regmap_init_mmio(&pdev->dev, base, +- &sprdclk_regmap_config); ++ ®_config); + if (IS_ERR(regmap)) { + pr_err("failed to init regmap\n"); + return PTR_ERR(regmap); +-- +2.39.2 + diff --git a/queue-6.1/dmaengine-apple-admac-fix-current_tx-not-getting-fre.patch b/queue-6.1/dmaengine-apple-admac-fix-current_tx-not-getting-fre.patch new file mode 100644 index 00000000000..c02224829d1 --- /dev/null +++ b/queue-6.1/dmaengine-apple-admac-fix-current_tx-not-getting-fre.patch 
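Review bot: `reg_config.max_register = resource_size(res) - reg_config.reg_stride;` in sprd_clk_regmap_init() trusts the device-tree resource to be at least one stride long. A smaller `reg` range would make the unsigned subtraction wrap and leave max_register far beyond the mapping, which is the out-of-range debugfs read this patch is meant to stop. A guard before the assignment closes that: `if (resource_size(res) < reg_config.reg_stride) return -EINVAL;`. The bound is also applied only on the MMIO branch; the syscon branches keep whatever limit their own regmap has. The function starts and ends outside the hunk.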
@@ -0,0 +1,47 @@ +From 76b0f847a74d104bd35427d19c04b380f54e4278 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Feb 2023 16:22:21 +0100 +Subject: dmaengine: apple-admac: Fix 'current_tx' not getting freed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit d9503be5a100c553731c0e8a82c7b4201e8a970c ] + +In terminate_all we should queue up all submitted descriptors to be +freed. We do that for the content of the 'issued' and 'submitted' lists, +but the 'current_tx' descriptor falls through the cracks as it's +removed from the 'issued' list once it gets assigned to be the current +descriptor. Explicitly queue up freeing of the 'current_tx' descriptor +to address a memory leak that is otherwise present. + +Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver") +Signed-off-by: Martin PoviÅ¡er +Link: https://lore.kernel.org/r/20230224152222.26732-2-povik+lin@cutebit.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/apple-admac.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c +index b9132b495d181..4cf8da77bdd91 100644 +--- a/drivers/dma/apple-admac.c ++++ b/drivers/dma/apple-admac.c +@@ -512,7 +512,10 @@ static int admac_terminate_all(struct dma_chan *chan) + admac_stop_chan(adchan); + admac_reset_rings(adchan); + +- adchan->current_tx = NULL; ++ if (adchan->current_tx) { ++ list_add_tail(&adchan->current_tx->node, &adchan->to_free); ++ adchan->current_tx = NULL; ++ } + /* + * Descriptors can only be freed after the tasklet + * has been killed (in admac_synchronize). +-- +2.39.2 + diff --git a/queue-6.1/dmaengine-apple-admac-handle-global-interrupt-flags.patch b/queue-6.1/dmaengine-apple-admac-handle-global-interrupt-flags.patch new file mode 100644 index 00000000000..e8e77a62409 --- /dev/null 
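Review bot: The new `list_add_tail(&adchan->current_tx->node, &adchan->to_free)` in admac_terminate_all() modifies a list that, per the comment just below it, is only drained later in admac_synchronize(), and the hunk does not show which lock covers the update. Presumably the channel lock is taken further up in the function; if so, a one-line comment such as `/* adchan->lock held; to_free is consumed in admac_synchronize() */` would make that visible at the point of the list operation. The function continues outside the hunk.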
+++ b/queue-6.1/dmaengine-apple-admac-handle-global-interrupt-flags.patch 
@@ -0,0 +1,72 @@ +From 4a48a731efe345a1cb470dc0e0a70b45dae5c314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Feb 2023 16:22:20 +0100 +Subject: dmaengine: apple-admac: Handle 'global' interrupt flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit a288fd158fbf85c06a9ac01cecabf97ac5d962e7 ] + +In addition to TX channel and RX channel interrupt flags there's +another class of 'global' interrupt flags with unknown semantics. Those +weren't being handled up to now, and they are the suspected cause of +stuck IRQ states that have been sporadically occurring. Check the global +flags and clear them if raised. + +Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver") +Signed-off-by: Martin PoviÅ¡er +Link: https://lore.kernel.org/r/20230224152222.26732-1-povik+lin@cutebit.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/apple-admac.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c +index 90f28bda29c8b..00cbfafe0ed9d 100644 +--- a/drivers/dma/apple-admac.c ++++ b/drivers/dma/apple-admac.c +@@ -75,6 +75,7 @@ + + #define REG_TX_INTSTATE(idx) (0x0030 + (idx) * 4) + #define REG_RX_INTSTATE(idx) (0x0040 + (idx) * 4) ++#define REG_GLOBAL_INTSTATE(idx) (0x0050 + (idx) * 4) + #define REG_CHAN_INTSTATUS(ch, idx) (0x8010 + (ch) * 0x200 + (idx) * 4) + #define REG_CHAN_INTMASK(ch, idx) (0x8020 + (ch) * 0x200 + (idx) * 4) + +@@ -672,13 +673,14 @@ static void admac_handle_chan_int(struct admac_data *ad, int no) + static irqreturn_t admac_interrupt(int irq, void *devid) + { + struct admac_data *ad = devid; +- u32 rx_intstate, tx_intstate; ++ u32 rx_intstate, tx_intstate, global_intstate; + int i; + + rx_intstate = readl_relaxed(ad->base + REG_RX_INTSTATE(ad->irq_index)); + tx_intstate = readl_relaxed(ad->base + REG_TX_INTSTATE(ad->irq_index)); ++ 
global_intstate = readl_relaxed(ad->base + REG_GLOBAL_INTSTATE(ad->irq_index)); + +- if (!tx_intstate && !rx_intstate) ++ if (!tx_intstate && !rx_intstate && !global_intstate) + return IRQ_NONE; + + for (i = 0; i < ad->nchannels; i += 2) { +@@ -693,6 +695,12 @@ static irqreturn_t admac_interrupt(int irq, void *devid) + rx_intstate >>= 1; + } + ++ if (global_intstate) { ++ dev_warn(ad->dev, "clearing unknown global interrupt flag: %x\n", ++ global_intstate); ++ writel_relaxed(~(u32) 0, ad->base + REG_GLOBAL_INTSTATE(ad->irq_index)); ++ } ++ + return IRQ_HANDLED; + } + +-- +2.39.2 + diff --git a/queue-6.1/dmaengine-apple-admac-set-src_addr_widths-capability.patch b/queue-6.1/dmaengine-apple-admac-set-src_addr_widths-capability.patch new file mode 100644 index 00000000000..776643756b1 --- /dev/null +++ b/queue-6.1/dmaengine-apple-admac-set-src_addr_widths-capability.patch 
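Review bot: The `dev_warn()` added to admac_interrupt() runs in interrupt context every time a global flag is raised, and the commit message says these flags have unknown semantics and are the suspected cause of stuck IRQ states, so a misbehaving device can flood the kernel log. `dev_warn_ratelimited(ad->dev, "clearing unknown global interrupt flag: %x\n", global_intstate);` keeps the diagnostic without that risk. Separately, the clear writes `~(u32) 0` rather than the value just read; writing back `global_intstate` would acknowledge only the flags that were observed, assuming the register is write-one-to-clear, which the hunk does not establish.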
@@ -0,0 +1,41 @@ +From ee86eee1bd4cd351f0c6fa074def48b3531db9d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Feb 2023 16:22:22 +0100 +Subject: dmaengine: apple-admac: Set src_addr_widths capability +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit 6e96adcaa7a29827ac8ee8df290a44957a4823ec ] + +Add missing setting of 'src_addr_widths', which is the same as for the +other direction. + +Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver") +Signed-off-by: Martin PoviÅ¡er +Link: https://lore.kernel.org/r/20230224152222.26732-3-povik+lin@cutebit.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/apple-admac.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c +index 00cbfafe0ed9d..b9132b495d181 100644 +--- a/drivers/dma/apple-admac.c ++++ b/drivers/dma/apple-admac.c +@@ -858,6 +858,9 @@ static int admac_probe(struct platform_device *pdev) + + dma->directions = BIT(DMA_MEM_TO_DEV) | BIT(DMA_DEV_TO_MEM); + dma->residue_granularity = DMA_RESIDUE_GRANULARITY_BURST; ++ dma->src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_1_BYTE) | ++ BIT(DMA_SLAVE_BUSWIDTH_2_BYTES) | ++ BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + dma->dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_1_BYTE) | + BIT(DMA_SLAVE_BUSWIDTH_2_BYTES) | + BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); +-- +2.39.2 + diff --git a/queue-6.1/drm-amdgpu-add-mes-resume-when-do-gfx-post-soft-rese.patch b/queue-6.1/drm-amdgpu-add-mes-resume-when-do-gfx-post-soft-rese.patch new file mode 100644 index 00000000000..7695811799d --- /dev/null +++ b/queue-6.1/drm-amdgpu-add-mes-resume-when-do-gfx-post-soft-rese.patch 
@@ -0,0 +1,55 @@ +From f7c5cd74bd571a4e8bf2913aa5922a03048fa43e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 15:24:22 +0800 +Subject: drm/amdgpu: add mes resume when do gfx post soft reset + +From: Tong Liu01 + +[ Upstream commit 4eb0b49a0ad3e004a6a65b84efe37bc7e66d560f ] + +[why] +when gfx do soft reset, mes will also do reset, if mes is not +resumed when do recover from soft reset, mes is unable to respond +in later sequence + +[how] +resume mes when do gfx post soft reset + +Signed-off-by: Tong Liu01 +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +index 90e739d9aeee7..7a13129842602 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -4625,6 +4625,14 @@ static bool gfx_v11_0_check_soft_reset(void *handle) + return false; + } + ++static int gfx_v11_0_post_soft_reset(void *handle) ++{ ++ /** ++ * GFX soft reset will impact MES, need resume MES when do GFX soft reset ++ */ ++ return amdgpu_mes_resume((struct amdgpu_device *)handle); ++} ++ + static uint64_t gfx_v11_0_get_gpu_clock_counter(struct amdgpu_device *adev) + { + uint64_t clock; +@@ -6068,6 +6076,7 @@ static const struct amd_ip_funcs gfx_v11_0_ip_funcs = { + .wait_for_idle = gfx_v11_0_wait_for_idle, + .soft_reset = gfx_v11_0_soft_reset, + .check_soft_reset = gfx_v11_0_check_soft_reset, ++ .post_soft_reset = gfx_v11_0_post_soft_reset, + .set_clockgating_state = gfx_v11_0_set_clockgating_state, + .set_powergating_state = gfx_v11_0_set_powergating_state, + .get_clockgating_state = gfx_v11_0_get_clockgating_state, +-- +2.39.2 + 
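Review bot: The comment inside gfx_v11_0_post_soft_reset() opens with `/**`, which marks a kernel-doc block and does not belong inside a function body; a plain `/* GFX soft reset also resets MES, so resume MES afterwards */` is the usual form. The cast in `amdgpu_mes_resume((struct amdgpu_device *)handle)` is also unnecessary for a `void *` in C and could be replaced by a typed local, `struct amdgpu_device *adev = handle;`, matching how such callbacks are normally written.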
diff --git a/queue-6.1/drm-amdgpu-force-signal-hw_fences-that-are-embedded-.patch b/queue-6.1/drm-amdgpu-force-signal-hw_fences-that-are-embedded-.patch
new file mode 100644
index 00000000000..a93f6c98fe1
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-force-signal-hw_fences-that-are-embedded-.patch
@@ -0,0 +1,55 @@ +From 9b2bd985d8d074d8061b433eb03448dd428526a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 11:30:32 +0800 +Subject: drm/amdgpu: Force signal hw_fences that are embedded in non-sched + jobs + +From: YuBiao Wang + +[ Upstream commit 033c56474acf567a450f8bafca50e0b610f2b716 ] + +[Why] +For engines not supporting soft reset, i.e. VCN, there will be a failed +ib test before mode 1 reset during asic reset. The fences in this case +are never signaled and next time when we try to free the sa_bo, kernel +will hang. + +[How] +During pre_asic_reset, driver will clear job fences and afterwards the +fences' refcount will be reduced to 1. For drm_sched_jobs it will be +released in job_free_cb, and for non-sched jobs like ib_test, it's meant +to be released in sa_bo_free but only when the fences are signaled. So +we have to force signal the non_sched bad job's fence during +pre_asic_reset or the clear is not complete. + +Signed-off-by: YuBiao Wang +Acked-by: Luben Tuikov +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +index 6fdb679321d0d..3cc1929285fc0 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +@@ -624,6 +624,15 @@ void amdgpu_fence_driver_clear_job_fences(struct amdgpu_ring *ring) + ptr = &ring->fence_drv.fences[i]; + old = rcu_dereference_protected(*ptr, 1); + if (old && old->ops == &amdgpu_job_fence_ops) { ++ struct amdgpu_job *job; ++ ++ /* For non-scheduler bad job, i.e. failed ib test, we need to signal ++ * it right here or we won't be able to track them in fence_drv ++ * and they will remain unsignaled during sa_bo free. 
++ */ ++ job = container_of(old, struct amdgpu_job, hw_fence); ++ if (!job->base.s_fence && !dma_fence_is_signaled(old)) ++ dma_fence_signal(old); + RCU_INIT_POINTER(*ptr, NULL); + dma_fence_put(old); + } +-- +2.39.2 + diff --git a/queue-6.1/drm-amdgpu-gfx-set-cg-flags-to-enter-exit-safe-mode.patch b/queue-6.1/drm-amdgpu-gfx-set-cg-flags-to-enter-exit-safe-mode.patch new file mode 100644 index 00000000000..e9b460b0415 --- /dev/null +++ b/queue-6.1/drm-amdgpu-gfx-set-cg-flags-to-enter-exit-safe-mode.patch @@ -0,0 +1,39 @@ +From 4e7458e5d45069bce87c2d186730b8173a3b97ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 18:59:59 +0800 +Subject: drm/amdgpu/gfx: set cg flags to enter/exit safe mode + +From: Jane Jian + +[ Upstream commit e06bfcc1a1c41bcb8c31470d437e147ce9f0acfd ] + +sriov needs to enter/exit safe mode in update umd p state +add the cg flag to let it enter or exit while needed + +Signed-off-by: Jane Jian +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +index 7a13129842602..0dd2fe4f071e8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -1316,6 +1316,11 @@ static int gfx_v11_0_sw_init(void *handle) + break; + } + ++ /* Enable CG flag in one VF mode for enabling RLC safe mode enter/exit */ ++ if (adev->ip_versions[GC_HWIP][0] == IP_VERSION(11, 0, 3) && ++ amdgpu_sriov_is_pp_one_vf(adev)) ++ adev->cg_flags = AMD_CG_SUPPORT_GFX_CGCG; ++ + /* EOP Event */ + r = amdgpu_irq_add_id(adev, SOC21_IH_CLIENTID_GRBM_CP, + GFX_11_0_0__SRCID__CP_EOP_INTERRUPT, +-- +2.39.2 + diff --git a/queue-6.1/drm-armada-fix-a-potential-double-free-in-an-error-h.patch b/queue-6.1/drm-armada-fix-a-potential-double-free-in-an-error-h.patch new file mode 100644 index 00000000000..ae523ecfeae 
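Review bot: The new block in amdgpu_fence_driver_clear_job_fences() force-signals the fence of a non-scheduler job without recording that the job never completed, so anything waiting on that fence sees an ordinary success. Setting an error first would keep the two cases distinguishable: put `dma_fence_set_error(old, -ECANCELED);` ahead of `dma_fence_signal(old);` inside the same `if`, with braces (the errno is a suggestion). The `container_of()` is safe only because of the `old->ops == &amdgpu_job_fence_ops` test on the enclosing line, which deserves a word in the comment. The function starts and ends outside the hunk.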
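Review bot: `adev->cg_flags = AMD_CG_SUPPORT_GFX_CGCG;` in gfx_v11_0_sw_init() assigns rather than ORs, so any clock-gating flags set earlier for this device are discarded on the one-VF path. If the intent is only to add CGCG so that RLC safe mode enter/exit is taken, `adev->cg_flags |= AMD_CG_SUPPORT_GFX_CGCG;` does that; if replacing the whole mask is deliberate, the comment above the test should say so. Where cg_flags is first initialised is not visible in this hunk.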
--- /dev/null +++ b/queue-6.1/drm-armada-fix-a-potential-double-free-in-an-error-h.patch @@ -0,0 +1,36 @@ +From ce683e3c1250362f90adb7002eb10ae54be2d1de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Dec 2021 17:34:16 +0100 +Subject: drm/armada: Fix a potential double free in an error handling path + +From: Christophe JAILLET + +[ Upstream commit b89ce1177d42d5c124e83f3858818cd4e6a2c46f ] + +'priv' is a managed resource, so there is no need to free it explicitly or +there will be a double free(). + +Fixes: 90ad200b4cbc ("drm/armada: Use devm_drm_dev_alloc") +Signed-off-by: Christophe JAILLET +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/c4f3c9207a9fce35cb6dd2cc60e755275961588a.1640536364.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/armada/armada_drv.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/armada/armada_drv.c b/drivers/gpu/drm/armada/armada_drv.c +index 0643887800b4d..142668cd6d7cd 100644 +--- a/drivers/gpu/drm/armada/armada_drv.c ++++ b/drivers/gpu/drm/armada/armada_drv.c +@@ -99,7 +99,6 @@ static int armada_drm_bind(struct device *dev) + if (ret) { + dev_err(dev, "[" DRM_NAME ":%s] can't kick out simple-fb: %d\n", + __func__, ret); +- kfree(priv); + return ret; + } + +-- +2.39.2 + diff --git a/queue-6.1/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch b/queue-6.1/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch new file mode 100644 index 00000000000..c0e89bf24c0 --- /dev/null +++ b/queue-6.1/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch 
@@ -0,0 +1,55 @@ +From d65308715d53c9f006d6e4d5488021b2eae79a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 10:52:18 +0100 +Subject: drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F + +From: Hans de Goede + +[ Upstream commit 03aecb1acbcd7a660f97d645ca6c09d9de27ff9d ] + +Like the Windows Lenovo Yoga Book X91F/L the Android Lenovo Yoga Book +X90F/L has a portrait 1200x1920 screen used in landscape mode, +add a quirk for this. + +When the quirk for the X91F/L was initially added it was written to +also apply to the X90F/L but this does not work because the Android +version of the Yoga Book uses completely different DMI strings. +Also adjust the X91F/L quirk to reflect that it only applies to +the X91F/L models. + +Signed-off-by: Hans de Goede +Reviewed-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20230301095218.28457-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 5522d610c5cfd..b1a38e6ce2f8f 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -328,10 +328,17 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Duet 3 10IGL5"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, +- }, { /* Lenovo Yoga Book X90F / X91F / X91L */ ++ }, { /* Lenovo Yoga Book X90F / X90L */ + .matches = { +- /* Non exact match to match all versions */ +- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"), ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), ++ }, ++ .driver_data = (void *)&lcd1200x1920_rightside_up, ++ }, { /* Lenovo 
Yoga Book X91F / X91L */ ++ .matches = { ++ /* Non exact match to match F + L versions */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, + }, { /* Lenovo Yoga Tablet 2 830F / 830L */ +-- +2.39.2 + diff --git a/queue-6.1/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch b/queue-6.1/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch new file mode 100644 index 00000000000..811b1971633 --- /dev/null +++ b/queue-6.1/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch @@ -0,0 +1,43 @@ +From 209f9c8afd82b87b599e6242ce657b5ccbffeb9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 13:31:03 +0100 +Subject: efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L + +From: Hans de Goede + +[ Upstream commit 5ed213dd64681f84a01ceaa82fb336cf7d59ddcf ] + +Another Lenovo convertable which reports a landscape resolution of +1920x1200 with a pitch of (1920 * 4) bytes, while the actual framebuffer +has a resolution of 1200x1920 with a pitch of (1200 * 4) bytes. + +Signed-off-by: Hans de Goede +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/sysfb_efi.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/firmware/efi/sysfb_efi.c b/drivers/firmware/efi/sysfb_efi.c +index e76d6803bdd08..456d0e5eaf78b 100644 +--- a/drivers/firmware/efi/sysfb_efi.c ++++ b/drivers/firmware/efi/sysfb_efi.c +@@ -272,6 +272,14 @@ static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = { + "IdeaPad Duet 3 10IGL5"), + }, + }, ++ { ++ /* Lenovo Yoga Book X91F / X91L */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ /* Non exact match to match F + L versions */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"), ++ }, ++ }, + {}, + }; + +-- +2.39.2 + 
diff --git a/queue-6.1/hwmon-peci-cputemp-fix-miscalculated-dts-for-skx.patch b/queue-6.1/hwmon-peci-cputemp-fix-miscalculated-dts-for-skx.patch
new file mode 100644
index 00000000000..dd796c2ad0a
--- /dev/null
+++ b/queue-6.1/hwmon-peci-cputemp-fix-miscalculated-dts-for-skx.patch
@@ -0,0 +1,51 @@
+From 938e32b178c09ac66ea808793a20005b2427fc28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Mar 2023 10:04:10 +0100
+Subject: hwmon: (peci/cputemp) Fix miscalculated DTS for SKX
+
+From: Iwona Winiarska
+
+[ Upstream commit 2b91c4a870c9830eaf95e744454c9c218cccb736 ]
+
+For Skylake, DTS temperature of the CPU is reported in S10.6 format
+instead of S8.8.
+
+Reported-by: Paul Fertser
+Link: https://lore.kernel.org/lkml/ZBhHS7v+98NK56is@home.paul.comp/
+Signed-off-by: Iwona Winiarska
+Link: https://lore.kernel.org/r/20230321090410.866766-1-iwona.winiarska@intel.com
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/peci/cputemp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/peci/cputemp.c b/drivers/hwmon/peci/cputemp.c
+index 30850a479f61f..87d56f0fc888c 100644
+--- a/drivers/hwmon/peci/cputemp.c
++++ b/drivers/hwmon/peci/cputemp.c
+@@ -537,6 +537,12 @@ static const struct cpu_info cpu_hsx = {
+ .thermal_margin_to_millidegree = &dts_eight_dot_eight_to_millidegree,
+ };
+
++static const struct cpu_info cpu_skx = {
++ .reg = &resolved_cores_reg_hsx,
++ .min_peci_revision = 0x33,
++ .thermal_margin_to_millidegree = &dts_ten_dot_six_to_millidegree,
++};
++
+ static const struct cpu_info cpu_icx = {
+ .reg = &resolved_cores_reg_icx,
+ .min_peci_revision = 0x40,
+@@ -558,7 +564,7 @@ static const struct auxiliary_device_id peci_cputemp_ids[] = {
+ },
+ {
+ .name = "peci_cpu.cputemp.skx",
+- .driver_data = (kernel_ulong_t)&cpu_hsx,
++ .driver_data = (kernel_ulong_t)&cpu_skx,
+ },
+ {
+ .name = "peci_cpu.cputemp.icx",
+--
+2.39.2
+
diff --git a/queue-6.1/hwmon-xgene-fix-ioremap-and-memremap-leak.patch b/queue-6.1/hwmon-xgene-fix-ioremap-and-memremap-leak.patch
new file mode 100644
index 00000000000..74df071dc47
--- /dev/null
+++ b/queue-6.1/hwmon-xgene-fix-ioremap-and-memremap-leak.patch
@@ -0,0 +1,59 @@
+From cd7d7436193ab7adfa02e7c86601afdb16532a72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Mar 2023 22:38:51 +0800
+Subject: hwmon: (xgene) Fix ioremap and memremap leak
+
+From: Tianyi Jing
+
+[ Upstream commit 813cc94c7847ae4a17e9f744fb4dbdf7df6bd732 ]
+
+Smatch reports:
+
+drivers/hwmon/xgene-hwmon.c:757 xgene_hwmon_probe() warn:
+'ctx->pcc_comm_addr' from ioremap() not released on line: 757.
+
+This is because in drivers/hwmon/xgene-hwmon.c:701 xgene_hwmon_probe(),
+ioremap and memremap is not released, which may cause a leak.
+
+To fix this, ioremap and memremap is modified to devm_ioremap and
+devm_memremap.
+
+Signed-off-by: Tianyi Jing
+Reviewed-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20230318143851.2191625-1-jingfelix@hust.edu.cn
+[groeck: Fixed formatting and subject]
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/xgene-hwmon.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c
+index d1abea49f01be..78d9f52e2a719 100644
+--- a/drivers/hwmon/xgene-hwmon.c
++++ b/drivers/hwmon/xgene-hwmon.c
+@@ -698,14 +698,14 @@ static int xgene_hwmon_probe(struct platform_device *pdev)
+ ctx->comm_base_addr = pcc_chan->shmem_base_addr;
+ if (ctx->comm_base_addr) {
+ if (version == XGENE_HWMON_V2)
+- ctx->pcc_comm_addr = (void __force *)ioremap(
+- ctx->comm_base_addr,
+- pcc_chan->shmem_size);
++ ctx->pcc_comm_addr = (void __force *)devm_ioremap(&pdev->dev,
++ ctx->comm_base_addr,
++ pcc_chan->shmem_size);
+ else
+- ctx->pcc_comm_addr = memremap(
+- ctx->comm_base_addr,
+- pcc_chan->shmem_size,
+- MEMREMAP_WB);
++ ctx->pcc_comm_addr = devm_memremap(&pdev->dev,
++ ctx->comm_base_addr,
++ pcc_chan->shmem_size,
++ MEMREMAP_WB);
+ } else {
+ dev_err(&pdev->dev, "Failed to get PCC comm region\n");
+ rc = -ENODEV;
+--
+2.39.2
+
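Review bot: On the non-V2 branch the switch to `devm_memremap()` changes how failure is reported: `memremap()` returns NULL, while `devm_memremap()` returns an ERR_PTR-encoded error, and `devm_ioremap()` on the V2 branch still returns NULL. The check that follows this assignment in xgene_hwmon_probe() lies outside the hunk; if it is a plain NULL test, a failed mapping would pass it and the error pointer would later be used as the PCC shared-memory address. A test that covers both branches, such as `if (IS_ERR_OR_NULL(ctx->pcc_comm_addr))`, would close that gap.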
diff --git a/queue-6.1/i2c-hisi-avoid-redundant-interrupts.patch b/queue-6.1/i2c-hisi-avoid-redundant-interrupts.patch
new file mode 100644
index 00000000000..ec70c0b9685
--- /dev/null
+++ b/queue-6.1/i2c-hisi-avoid-redundant-interrupts.patch
@@ -0,0 +1,43 @@
+From 9c51cf3f0bdaf883966259bc4e1e8f55c03c6a6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 15:45:51 +0800
+Subject: i2c: hisi: Avoid redundant interrupts
+
+From: Yicong Yang
+
+[ Upstream commit cc9812a3096d1986caca9a23bee99effc45c08df ]
+
+After issuing all the messages we can disable the TX_EMPTY interrupts
+to avoid handling redundant interrupts. For doing a sinlge bus
+detection (i2cdetect -y -r 0) we can reduce ~97% interrupts (before
+~12000 after ~400).
+
+Signed-off-by: Sheng Feng
+Signed-off-by: Yicong Yang
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-hisi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-hisi.c b/drivers/i2c/busses/i2c-hisi.c
+index d30071f299879..8a61bee745a16 100644
+--- a/drivers/i2c/busses/i2c-hisi.c
++++ b/drivers/i2c/busses/i2c-hisi.c
+@@ -314,6 +314,13 @@ static void hisi_i2c_xfer_msg(struct hisi_i2c_controller *ctlr)
+ max_write == 0)
+ break;
+ }
++
++ /*
++ * Disable the TX_EMPTY interrupt after finishing all the messages to
++ * avoid overwhelming the CPU.
++ */
++ if (ctlr->msg_tx_idx == ctlr->msg_num)
++ hisi_i2c_disable_int(ctlr, HISI_I2C_INT_TX_EMPTY);
+ }
+
+ static irqreturn_t hisi_i2c_irq(int irq, void *context)
+--
+2.39.2
+
diff --git a/queue-6.1/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch b/queue-6.1/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch
new file mode 100644
index 00000000000..7ef24aa1a20
--- /dev/null
+++ b/queue-6.1/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch
@@ -0,0 +1,36 @@
+From ee4a8ca797e0abd958dbedb232da0b6cdc651e28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 Jan 2023 16:32:46 +0100
+Subject: i2c: imx-lpi2c: clean rx/tx buffers upon new message
+
+From: Alexander Stein
+
+[ Upstream commit 987dd36c0141f6ab9f0fbf14d6b2ec3342dedb2f ]
+
+When start sending a new message clear the Rx & Tx buffer pointers in
+order to avoid using stale pointers.
+
+Signed-off-by: Alexander Stein
+Tested-by: Emanuele Ghidoli
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 9b2f9544c5681..a49b14d52a986 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -463,6 +463,8 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapter,
+ if (num == 1 && msgs[0].len == 0)
+ goto stop;
+
++ lpi2c_imx->rx_buf = NULL;
++ lpi2c_imx->tx_buf = NULL;
+ lpi2c_imx->delivered = 0;
+ lpi2c_imx->msglen = msgs[i].len;
+ init_completion(&lpi2c_imx->complete);
+--
+2.39.2
+
diff --git a/queue-6.1/iavf-refactor-vlan-filter-states.patch b/queue-6.1/iavf-refactor-vlan-filter-states.patch
new file mode 100644
index 00000000000..cda590ba600
--- /dev/null
+++ b/queue-6.1/iavf-refactor-vlan-filter-states.patch
@@ -0,0 +1,210 @@ +From f602fecda1cae566dac9de56dc2f5023c60f03e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 15:35:27 -0600 +Subject: iavf: refactor VLAN filter states + +From: Ahmed Zaki + +[ Upstream commit 0c0da0e951053fda20412cd284e2714bbbb31bff ] + +The VLAN filter states are currently being saved as individual bits. +This is error prone as multiple bits might be mistakenly set. + +Fix by replacing the bits with a single state enum. Also, add an +"ACTIVE" state for filters that are accepted by the PF. + +Signed-off-by: Ahmed Zaki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Stable-dep-of: 9c85b7fa12ef ("iavf: remove active_cvlans and active_svlans bitmaps") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 15 +++++---- + drivers/net/ethernet/intel/iavf/iavf_main.c | 8 ++--- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 31 +++++++++---------- + 3 files changed, 28 insertions(+), 26 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index 2a9f1eeeb7015..fdbb5d9a554cf 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -157,15 +157,18 @@ struct iavf_vlan { + u16 tpid; + }; + ++enum iavf_vlan_state_t { ++ IAVF_VLAN_INVALID, ++ IAVF_VLAN_ADD, /* filter needs to be added */ ++ IAVF_VLAN_IS_NEW, /* filter is new, wait for PF answer */ ++ IAVF_VLAN_ACTIVE, /* filter is accepted by PF */ ++ IAVF_VLAN_REMOVE, /* filter needs to be removed */ ++}; ++ + struct iavf_vlan_filter { + struct list_head list; + struct iavf_vlan vlan; +- struct { +- u8 is_new_vlan:1; /* filter is new, wait for PF answer */ +- u8 remove:1; /* filter needs to be removed */ +- u8 add:1; /* filter needs to be added */ +- u8 padding:5; +- }; ++ enum iavf_vlan_state_t state; + }; + + #define IAVF_MAX_TRAFFIC_CLASS 4 +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 
5f8fff6c701fc..8e4d0b0644e4a 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -791,7 +791,7 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter, + f->vlan = vlan; + + list_add_tail(&f->list, &adapter->vlan_filter_list); +- f->add = true; ++ f->state = IAVF_VLAN_ADD; + adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER; + } + +@@ -813,7 +813,7 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan) + + f = iavf_find_vlan(adapter, vlan); + if (f) { +- f->remove = true; ++ f->state = IAVF_VLAN_REMOVE; + adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER; + } + +@@ -1296,11 +1296,11 @@ static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter) + /* remove all VLAN filters */ + list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list, + list) { +- if (vlf->add) { ++ if (vlf->state == IAVF_VLAN_ADD) { + list_del(&vlf->list); + kfree(vlf); + } else { +- vlf->remove = true; ++ vlf->state = IAVF_VLAN_REMOVE; + } + } + spin_unlock_bh(&adapter->mac_vlan_list_lock); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 2c03ca01fdd9c..68d6e7c1e52b1 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -642,7 +642,7 @@ static void iavf_vlan_add_reject(struct iavf_adapter *adapter) + + spin_lock_bh(&adapter->mac_vlan_list_lock); + list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) { +- if (f->is_new_vlan) { ++ if (f->state == IAVF_VLAN_IS_NEW) { + if (f->vlan.tpid == ETH_P_8021Q) + clear_bit(f->vlan.vid, + adapter->vsi.active_cvlans); +@@ -679,7 +679,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter) + spin_lock_bh(&adapter->mac_vlan_list_lock); + + list_for_each_entry(f, &adapter->vlan_filter_list, list) { +- if (f->add) ++ if (f->state == IAVF_VLAN_ADD) + count++; + } + if (!count || 
!VLAN_FILTERING_ALLOWED(adapter)) { +@@ -710,11 +710,10 @@ void iavf_add_vlans(struct iavf_adapter *adapter) + vvfl->vsi_id = adapter->vsi_res->vsi_id; + vvfl->num_elements = count; + list_for_each_entry(f, &adapter->vlan_filter_list, list) { +- if (f->add) { ++ if (f->state == IAVF_VLAN_ADD) { + vvfl->vlan_id[i] = f->vlan.vid; + i++; +- f->add = false; +- f->is_new_vlan = true; ++ f->state = IAVF_VLAN_IS_NEW; + if (i == count) + break; + } +@@ -760,7 +759,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter) + vvfl_v2->vport_id = adapter->vsi_res->vsi_id; + vvfl_v2->num_elements = count; + list_for_each_entry(f, &adapter->vlan_filter_list, list) { +- if (f->add) { ++ if (f->state == IAVF_VLAN_ADD) { + struct virtchnl_vlan_supported_caps *filtering_support = + &adapter->vlan_v2_caps.filtering.filtering_support; + struct virtchnl_vlan *vlan; +@@ -778,8 +777,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter) + vlan->tpid = f->vlan.tpid; + + i++; +- f->add = false; +- f->is_new_vlan = true; ++ f->state = IAVF_VLAN_IS_NEW; + } + } + +@@ -822,10 +820,11 @@ void iavf_del_vlans(struct iavf_adapter *adapter) + * filters marked for removal to enable bailing out before + * sending a virtchnl message + */ +- if (f->remove && !VLAN_FILTERING_ALLOWED(adapter)) { ++ if (f->state == IAVF_VLAN_REMOVE && ++ !VLAN_FILTERING_ALLOWED(adapter)) { + list_del(&f->list); + kfree(f); +- } else if (f->remove) { ++ } else if (f->state == IAVF_VLAN_REMOVE) { + count++; + } + } +@@ -857,7 +856,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter) + vvfl->vsi_id = adapter->vsi_res->vsi_id; + vvfl->num_elements = count; + list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) { +- if (f->remove) { ++ if (f->state == IAVF_VLAN_REMOVE) { + vvfl->vlan_id[i] = f->vlan.vid; + i++; + list_del(&f->list); +@@ -901,7 +900,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter) + vvfl_v2->vport_id = adapter->vsi_res->vsi_id; + vvfl_v2->num_elements = count; + list_for_each_entry_safe(f, 
ftmp, &adapter->vlan_filter_list, list) { +- if (f->remove) { ++ if (f->state == IAVF_VLAN_REMOVE) { + struct virtchnl_vlan_supported_caps *filtering_support = + &adapter->vlan_v2_caps.filtering.filtering_support; + struct virtchnl_vlan *vlan; +@@ -2192,7 +2191,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + list_for_each_entry(vlf, + &adapter->vlan_filter_list, + list) +- vlf->add = true; ++ vlf->state = IAVF_VLAN_ADD; + + adapter->aq_required |= + IAVF_FLAG_AQ_ADD_VLAN_FILTER; +@@ -2252,7 +2251,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + list_for_each_entry(vlf, + &adapter->vlan_filter_list, + list) +- vlf->add = true; ++ vlf->state = IAVF_VLAN_ADD; + + aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER; + } +@@ -2436,8 +2435,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + + spin_lock_bh(&adapter->mac_vlan_list_lock); + list_for_each_entry(f, &adapter->vlan_filter_list, list) { +- if (f->is_new_vlan) { +- f->is_new_vlan = false; ++ if (f->state == IAVF_VLAN_IS_NEW) { ++ f->state = IAVF_VLAN_ACTIVE; + if (f->vlan.tpid == ETH_P_8021Q) + set_bit(f->vlan.vid, + adapter->vsi.active_cvlans); +-- +2.39.2 + diff --git a/queue-6.1/iavf-remove-active_cvlans-and-active_svlans-bitmaps.patch b/queue-6.1/iavf-remove-active_cvlans-and-active_svlans-bitmaps.patch new file mode 100644 index 00000000000..e6ef3d3aab1 --- /dev/null +++ b/queue-6.1/iavf-remove-active_cvlans-and-active_svlans-bitmaps.patch 
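Review bot: In iavf_virtchnl_completion() the two loops that used to set `vlf->add = true` now assign `vlf->state = IAVF_VLAN_ADD` to every entry of vlan_filter_list, which with a single-valued state also overwrites a filter that was in `IAVF_VLAN_REMOVE`. With the old bitfield the `remove` bit survived next to `add`. If a removal can be pending when these paths run (not visible here), the filter would be re-added and the delete lost. Guarding the assignment, e.g. `if (vlf->state != IAVF_VLAN_REMOVE) vlf->state = IAVF_VLAN_ADD;`, would keep the pending removal. Both loops sit in a function that extends beyond the hunks.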
@@ -0,0 +1,275 @@ +From c577a655b5bdda17179b9ad062c156982a1f57c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 15:35:28 -0600 +Subject: iavf: remove active_cvlans and active_svlans bitmaps + +From: Ahmed Zaki + +[ Upstream commit 9c85b7fa12ef2e4fc11a4e31ac595fb5f9d0ddf9 ] + +The VLAN filters info is currently being held in a list and 2 bitmaps +(active_cvlans and active_svlans). We are experiencing some racing where +data is not in sync in the list and bitmaps. For example, the VLAN is +initially added to the list but only when the PF replies, it is added to +the bitmap. If a user adds many V2 VLANS before the PF responds: + + while [ $((i++)) ] + ip l add l eth0 name eth0.$i type vlan id $i + +we might end up with more VLAN list entries than the designated limit. +Also, The "ip link show" will show more links added than the PF limit. + +On the other and, the bitmaps are only used to check the number of VLAN +filters and to re-enable the filters when the interface goes from DOWN to +UP. + +This patch gets rid of the bitmaps and uses the list only. To do that, +the states of the VLAN filter are modified: +1 - IAVF_VLAN_REMOVE: the entry needs to be totally removed after informing + the PF. This is the "ip link del eth0.$i" path. +2 - IAVF_VLAN_DISABLE: (new) the netdev went down. The filter needs to be + removed from the PF and then marked INACTIVE. +3 - IAVF_VLAN_INACTIVE: (new) no PF filter exists, but the user did not + delete the VLAN. 
+ +Fixes: 48ccc43ecf10 ("iavf: Add support VIRTCHNL_VF_OFFLOAD_VLAN_V2 during netdev config") +Signed-off-by: Ahmed Zaki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 7 +-- + drivers/net/ethernet/intel/iavf/iavf_main.c | 40 +++++++---------- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 45 ++++++++++--------- + 3 files changed, 45 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index fdbb5d9a554cf..93a998f169de7 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -58,8 +58,6 @@ enum iavf_vsi_state_t { + struct iavf_vsi { + struct iavf_adapter *back; + struct net_device *netdev; +- unsigned long active_cvlans[BITS_TO_LONGS(VLAN_N_VID)]; +- unsigned long active_svlans[BITS_TO_LONGS(VLAN_N_VID)]; + u16 seid; + u16 id; + DECLARE_BITMAP(state, __IAVF_VSI_STATE_SIZE__); +@@ -162,7 +160,9 @@ enum iavf_vlan_state_t { + IAVF_VLAN_ADD, /* filter needs to be added */ + IAVF_VLAN_IS_NEW, /* filter is new, wait for PF answer */ + IAVF_VLAN_ACTIVE, /* filter is accepted by PF */ +- IAVF_VLAN_REMOVE, /* filter needs to be removed */ ++ IAVF_VLAN_DISABLE, /* filter needs to be deleted by PF, then marked INACTIVE */ ++ IAVF_VLAN_INACTIVE, /* filter is inactive, we are in IFF_DOWN */ ++ IAVF_VLAN_REMOVE, /* filter needs to be removed from list */ + }; + + struct iavf_vlan_filter { +@@ -260,6 +260,7 @@ struct iavf_adapter { + wait_queue_head_t vc_waitqueue; + struct iavf_q_vector *q_vectors; + struct list_head vlan_filter_list; ++ int num_vlan_filters; + struct list_head mac_filter_list; + struct mutex crit_lock; + struct mutex client_lock; +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 8e4d0b0644e4a..34711a88dbaa0 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ 
b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -792,6 +792,7 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter, + + list_add_tail(&f->list, &adapter->vlan_filter_list); + f->state = IAVF_VLAN_ADD; ++ adapter->num_vlan_filters++; + adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER; + } + +@@ -828,14 +829,18 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan) + **/ + static void iavf_restore_filters(struct iavf_adapter *adapter) + { +- u16 vid; ++ struct iavf_vlan_filter *f; + + /* re-add all VLAN filters */ +- for_each_set_bit(vid, adapter->vsi.active_cvlans, VLAN_N_VID) +- iavf_add_vlan(adapter, IAVF_VLAN(vid, ETH_P_8021Q)); ++ spin_lock_bh(&adapter->mac_vlan_list_lock); + +- for_each_set_bit(vid, adapter->vsi.active_svlans, VLAN_N_VID) +- iavf_add_vlan(adapter, IAVF_VLAN(vid, ETH_P_8021AD)); ++ list_for_each_entry(f, &adapter->vlan_filter_list, list) { ++ if (f->state == IAVF_VLAN_INACTIVE) ++ f->state = IAVF_VLAN_ADD; ++ } ++ ++ spin_unlock_bh(&adapter->mac_vlan_list_lock); ++ adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER; + } + + /** +@@ -844,8 +849,7 @@ static void iavf_restore_filters(struct iavf_adapter *adapter) + */ + u16 iavf_get_num_vlans_added(struct iavf_adapter *adapter) + { +- return bitmap_weight(adapter->vsi.active_cvlans, VLAN_N_VID) + +- bitmap_weight(adapter->vsi.active_svlans, VLAN_N_VID); ++ return adapter->num_vlan_filters; + } + + /** +@@ -928,11 +932,6 @@ static int iavf_vlan_rx_kill_vid(struct net_device *netdev, + return 0; + + iavf_del_vlan(adapter, IAVF_VLAN(vid, be16_to_cpu(proto))); +- if (proto == cpu_to_be16(ETH_P_8021Q)) +- clear_bit(vid, adapter->vsi.active_cvlans); +- else +- clear_bit(vid, adapter->vsi.active_svlans); +- + return 0; + } + +@@ -1293,16 +1292,11 @@ static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter) + } + } + +- /* remove all VLAN filters */ ++ /* disable all VLAN filters */ + list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list, 
+- list) { +- if (vlf->state == IAVF_VLAN_ADD) { +- list_del(&vlf->list); +- kfree(vlf); +- } else { +- vlf->state = IAVF_VLAN_REMOVE; +- } +- } ++ list) ++ vlf->state = IAVF_VLAN_DISABLE; ++ + spin_unlock_bh(&adapter->mac_vlan_list_lock); + } + +@@ -2905,6 +2899,7 @@ static void iavf_disable_vf(struct iavf_adapter *adapter) + list_del(&fv->list); + kfree(fv); + } ++ adapter->num_vlan_filters = 0; + + spin_unlock_bh(&adapter->mac_vlan_list_lock); + +@@ -3122,9 +3117,6 @@ static void iavf_reset_task(struct work_struct *work) + adapter->aq_required |= IAVF_FLAG_AQ_ADD_CLOUD_FILTER; + iavf_misc_irq_enable(adapter); + +- bitmap_clear(adapter->vsi.active_cvlans, 0, VLAN_N_VID); +- bitmap_clear(adapter->vsi.active_svlans, 0, VLAN_N_VID); +- + mod_delayed_work(adapter->wq, &adapter->watchdog_task, 2); + + /* We were running when the reset started, so we need to restore some +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 68d6e7c1e52b1..00dccdd290dce 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -643,15 +643,9 @@ static void iavf_vlan_add_reject(struct iavf_adapter *adapter) + spin_lock_bh(&adapter->mac_vlan_list_lock); + list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) { + if (f->state == IAVF_VLAN_IS_NEW) { +- if (f->vlan.tpid == ETH_P_8021Q) +- clear_bit(f->vlan.vid, +- adapter->vsi.active_cvlans); +- else +- clear_bit(f->vlan.vid, +- adapter->vsi.active_svlans); +- + list_del(&f->list); + kfree(f); ++ adapter->num_vlan_filters--; + } + } + spin_unlock_bh(&adapter->mac_vlan_list_lock); +@@ -824,7 +818,12 @@ void iavf_del_vlans(struct iavf_adapter *adapter) + !VLAN_FILTERING_ALLOWED(adapter)) { + list_del(&f->list); + kfree(f); +- } else if (f->state == IAVF_VLAN_REMOVE) { ++ adapter->num_vlan_filters--; ++ } else if (f->state == IAVF_VLAN_DISABLE && ++ !VLAN_FILTERING_ALLOWED(adapter)) { ++ f->state = 
IAVF_VLAN_INACTIVE; ++ } else if (f->state == IAVF_VLAN_REMOVE || ++ f->state == IAVF_VLAN_DISABLE) { + count++; + } + } +@@ -856,11 +855,18 @@ void iavf_del_vlans(struct iavf_adapter *adapter) + vvfl->vsi_id = adapter->vsi_res->vsi_id; + vvfl->num_elements = count; + list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) { +- if (f->state == IAVF_VLAN_REMOVE) { ++ if (f->state == IAVF_VLAN_DISABLE) { + vvfl->vlan_id[i] = f->vlan.vid; ++ f->state = IAVF_VLAN_INACTIVE; + i++; ++ if (i == count) ++ break; ++ } else if (f->state == IAVF_VLAN_REMOVE) { ++ vvfl->vlan_id[i] = f->vlan.vid; + list_del(&f->list); + kfree(f); ++ adapter->num_vlan_filters--; ++ i++; + if (i == count) + break; + } +@@ -900,7 +906,8 @@ void iavf_del_vlans(struct iavf_adapter *adapter) + vvfl_v2->vport_id = adapter->vsi_res->vsi_id; + vvfl_v2->num_elements = count; + list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) { +- if (f->state == IAVF_VLAN_REMOVE) { ++ if (f->state == IAVF_VLAN_DISABLE || ++ f->state == IAVF_VLAN_REMOVE) { + struct virtchnl_vlan_supported_caps *filtering_support = + &adapter->vlan_v2_caps.filtering.filtering_support; + struct virtchnl_vlan *vlan; +@@ -914,8 +921,13 @@ void iavf_del_vlans(struct iavf_adapter *adapter) + vlan->tci = f->vlan.vid; + vlan->tpid = f->vlan.tpid; + +- list_del(&f->list); +- kfree(f); ++ if (f->state == IAVF_VLAN_DISABLE) { ++ f->state = IAVF_VLAN_INACTIVE; ++ } else { ++ list_del(&f->list); ++ kfree(f); ++ adapter->num_vlan_filters--; ++ } + i++; + if (i == count) + break; +@@ -2435,15 +2447,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + + spin_lock_bh(&adapter->mac_vlan_list_lock); + list_for_each_entry(f, &adapter->vlan_filter_list, list) { +- if (f->state == IAVF_VLAN_IS_NEW) { ++ if (f->state == IAVF_VLAN_IS_NEW) + f->state = IAVF_VLAN_ACTIVE; +- if (f->vlan.tpid == ETH_P_8021Q) +- set_bit(f->vlan.vid, +- adapter->vsi.active_cvlans); +- else +- set_bit(f->vlan.vid, +- 
adapter->vsi.active_svlans); +- } + } + spin_unlock_bh(&adapter->mac_vlan_list_lock); + } +-- +2.39.2 + diff --git a/queue-6.1/ib-mlx5-add-support-for-400g_8x-lane-speed.patch b/queue-6.1/ib-mlx5-add-support-for-400g_8x-lane-speed.patch new file mode 100644 index 00000000000..962b8ceff08 --- /dev/null +++ b/queue-6.1/ib-mlx5-add-support-for-400g_8x-lane-speed.patch 
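Review bot: iavf_clear_mac_vlan_filters() now sets every VLAN filter to `IAVF_VLAN_DISABLE` whatever its current state, where the removed code freed `IAVF_VLAN_ADD` entries and marked the rest `IAVF_VLAN_REMOVE`. An entry already in `IAVF_VLAN_REMOVE` therefore loses the pending delete: iavf_del_vlans() moves it to `IAVF_VLAN_INACTIVE` and iavf_restore_filters() turns it back into `IAVF_VLAN_ADD` on the next up, so the filter count and the PF's view can again differ from what the user asked for. An entry still in `IAVF_VLAN_ADD` appears to be queued for a PF delete it was never sent for. Skipping pending removals, `if (vlf->state != IAVF_VLAN_REMOVE) vlf->state = IAVF_VLAN_DISABLE;`, would avoid the first case; whether a removal can be pending when the interface goes down is not visible in these hunks.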
@@ -0,0 +1,46 @@
+From 7c4eb896ef3de57394dcdd54540fedad43b73b83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 15:40:49 +0200
+Subject: IB/mlx5: Add support for 400G_8X lane speed
+
+From: Maher Sanalla
+
+[ Upstream commit 88c9483faf15ada14eca82714114656893063458 ]
+
+Currently, when driver queries PTYS to report which link speed is being
+used on its RoCE ports, it does not check the case of having 400Gbps
+transmitted over 8 lanes. Thus it fails to report the said speed and
+instead it defaults to report 10G over 4 lanes.
+
+Add a check for the said speed when querying PTYS and report it back
+correctly when needed.
+
+Fixes: 08e8676f1607 ("IB/mlx5: Add support for 50Gbps per lane link modes")
+Signed-off-by: Maher Sanalla
+Reviewed-by: Aya Levin
+Reviewed-by: Saeed Mahameed
+Link: https://lore.kernel.org/r/ec9040548d119d22557d6a4b4070d6f421701fd4.1678973994.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/mlx5/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index c669ef6e47e73..eaa35e1df2a85 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -442,6 +442,10 @@ static int translate_eth_ext_proto_oper(u32 eth_proto_oper, u16 *active_speed,
+ *active_width = IB_WIDTH_2X;
+ *active_speed = IB_SPEED_NDR;
+ break;
++ case MLX5E_PROT_MASK(MLX5E_400GAUI_8):
++ *active_width = IB_WIDTH_8X;
++ *active_speed = IB_SPEED_HDR;
++ break;
+ case MLX5E_PROT_MASK(MLX5E_400GAUI_4_400GBASE_CR4_KR4):
+ *active_width = IB_WIDTH_4X;
+ *active_speed = IB_SPEED_NDR;
+--
+2.39.2
+
diff --git a/queue-6.1/kvm-arm64-advertise-id_aa64pfr0_el1.csv2-3-to-protec.patch b/queue-6.1/kvm-arm64-advertise-id_aa64pfr0_el1.csv2-3-to-protec.patch
new file mode 100644
index 00000000000..a7fd650a620
--- /dev/null
+++ b/queue-6.1/kvm-arm64-advertise-id_aa64pfr0_el1.csv2-3-to-protec.patch
@@ -0,0 +1,114 @@ +From b6d0bfc4107bb203b1fd142c363a4258006c792b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 16:23:21 +0100 +Subject: KVM: arm64: Advertise ID_AA64PFR0_EL1.CSV2/3 to protected VMs + +From: Fuad Tabba + +[ Upstream commit e81625218bf7986ba1351a98c43d346b15601d26 ] + +The existing pKVM code attempts to advertise CSV2/3 using values +initialized to 0, but never set. To advertise CSV2/3 to protected +guests, pass the CSV2/3 values to hyp when initializing hyp's +view of guests' ID_AA64PFR0_EL1. + +Similar to non-protected KVM, these are system-wide, rather than +per cpu, for simplicity. + +Fixes: 6c30bfb18d0b ("KVM: arm64: Add handlers for protected VM System Registers") +Signed-off-by: Fuad Tabba +Link: https://lore.kernel.org/r/20230404152321.413064-1-tabba@google.com +Signed-off-by: Oliver Upton +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/arm.c | 26 ++++++++++++++++++- + .../arm64/kvm/hyp/include/nvhe/fixed_config.h | 5 +++- + arch/arm64/kvm/hyp/nvhe/sys_regs.c | 7 ----- + 3 files changed, 29 insertions(+), 9 deletions(-) + +diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c +index e40606a560997..6ce6888cf73d6 100644 +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -1870,9 +1870,33 @@ static int do_pkvm_init(u32 hyp_va_bits) + return ret; + } + ++static u64 get_hyp_id_aa64pfr0_el1(void) ++{ ++ /* ++ * Track whether the system isn't affected by spectre/meltdown in the ++ * hypervisor's view of id_aa64pfr0_el1, used for protected VMs. ++ * Although this is per-CPU, we make it global for simplicity, e.g., not ++ * to have to worry about vcpu migration. ++ * ++ * Unlike for non-protected VMs, userspace cannot override this for ++ * protected VMs. 
++ */ ++ u64 val = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1); ++ ++ val &= ~(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV2) | ++ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV3)); ++ ++ val |= FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV2), ++ arm64_get_spectre_v2_state() == SPECTRE_UNAFFECTED); ++ val |= FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV3), ++ arm64_get_meltdown_state() == SPECTRE_UNAFFECTED); ++ ++ return val; ++} ++ + static void kvm_hyp_init_symbols(void) + { +- kvm_nvhe_sym(id_aa64pfr0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1); ++ kvm_nvhe_sym(id_aa64pfr0_el1_sys_val) = get_hyp_id_aa64pfr0_el1(); + kvm_nvhe_sym(id_aa64pfr1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64PFR1_EL1); + kvm_nvhe_sym(id_aa64isar0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64ISAR0_EL1); + kvm_nvhe_sym(id_aa64isar1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64ISAR1_EL1); +diff --git a/arch/arm64/kvm/hyp/include/nvhe/fixed_config.h b/arch/arm64/kvm/hyp/include/nvhe/fixed_config.h +index 07edfc7524c94..37440e1dda930 100644 +--- a/arch/arm64/kvm/hyp/include/nvhe/fixed_config.h ++++ b/arch/arm64/kvm/hyp/include/nvhe/fixed_config.h +@@ -33,11 +33,14 @@ + * Allow for protected VMs: + * - Floating-point and Advanced SIMD + * - Data Independent Timing ++ * - Spectre/Meltdown Mitigation + */ + #define PVM_ID_AA64PFR0_ALLOW (\ + ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_FP) | \ + ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_AdvSIMD) | \ +- ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_DIT) \ ++ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_DIT) | \ ++ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV2) | \ ++ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV3) \ + ) + + /* +diff --git a/arch/arm64/kvm/hyp/nvhe/sys_regs.c b/arch/arm64/kvm/hyp/nvhe/sys_regs.c +index 0f9ac25afdf40..3d5121ee39777 100644 +--- a/arch/arm64/kvm/hyp/nvhe/sys_regs.c ++++ b/arch/arm64/kvm/hyp/nvhe/sys_regs.c +@@ -84,19 +84,12 @@ static u64 get_restricted_features_unsigned(u64 sys_reg_val, + + static u64 get_pvm_id_aa64pfr0(const struct kvm_vcpu 
*vcpu) + { +- const struct kvm *kvm = (const struct kvm *)kern_hyp_va(vcpu->kvm); + u64 set_mask = 0; + u64 allow_mask = PVM_ID_AA64PFR0_ALLOW; + + set_mask |= get_restricted_features_unsigned(id_aa64pfr0_el1_sys_val, + PVM_ID_AA64PFR0_RESTRICT_UNSIGNED); + +- /* Spectre and Meltdown mitigation in KVM */ +- set_mask |= FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV2), +- (u64)kvm->arch.pfr0_csv2); +- set_mask |= FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV3), +- (u64)kvm->arch.pfr0_csv3); +- + return (id_aa64pfr0_el1_sys_val & allow_mask) | set_mask; + } + +-- +2.39.2 + diff --git a/queue-6.1/kvm-arm64-initialise-hypervisor-copies-of-host-symbo.patch b/queue-6.1/kvm-arm64-initialise-hypervisor-copies-of-host-symbo.patch new file mode 100644 index 00000000000..bc455c027c8 --- /dev/null +++ b/queue-6.1/kvm-arm64-initialise-hypervisor-copies-of-host-symbo.patch 
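Review bot: get_hyp_id_aa64pfr0_el1() samples the Spectre-v2 and Meltdown state exactly once, when kvm_hyp_init_symbols() runs, and the block comment does not say that the result is a one-time snapshot. A protected guest that reads CSV2/CSV3 as set may skip its own mitigations, so the assumption matters; I cannot tell from the hunk whether the mitigation state can still change after this point (for example when a CPU is brought online later). I would add a line to the comment such as `* Sampled once at hyp init; assumes the mitigation state is final by then.` and confirm that assumption against the cpufeature code. Also worth stating there that the `== SPECTRE_UNAFFECTED` comparison yields 0 or 1, so only the lowest non-zero encoding of each field is ever advertised.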
@@ -0,0 +1,85 @@ +From 14c725d2bac3a60a427de8c8e57bc5f0f4795d4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 19:02:48 +0000 +Subject: KVM: arm64: Initialise hypervisor copies of host symbols + unconditionally +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Will Deacon + +[ Upstream commit 6c165223e9a6384aa1e934b90f2650e71adb972a ] + +The nVHE object at EL2 maintains its own copies of some host variables +so that, when pKVM is enabled, the host cannot directly modify the +hypervisor state. When running in normal nVHE mode, however, these +variables are still mirrored at EL2 but are not initialised. + +Initialise the hypervisor symbols from the host copies regardless of +pKVM, ensuring that any reference to this data at EL2 with normal nVHE +will return a sensibly initialised value. + +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Vincent Donnefort +Signed-off-by: Will Deacon +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221110190259.26861-16-will@kernel.org +Stable-dep-of: e81625218bf7 ("KVM: arm64: Advertise ID_AA64PFR0_EL1.CSV2/3 to protected VMs") +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/arm.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c +index 94d33e296e10c..e40606a560997 100644 +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -1870,11 +1870,8 @@ static int do_pkvm_init(u32 hyp_va_bits) + return ret; + } + +-static int kvm_hyp_init_protection(u32 hyp_va_bits) ++static void kvm_hyp_init_symbols(void) + { +- void *addr = phys_to_virt(hyp_mem_base); +- int ret; +- + kvm_nvhe_sym(id_aa64pfr0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1); + kvm_nvhe_sym(id_aa64pfr1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64PFR1_EL1); + kvm_nvhe_sym(id_aa64isar0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64ISAR0_EL1); +@@ -1883,6 +1880,12 @@ static int 
kvm_hyp_init_protection(u32 hyp_va_bits) + kvm_nvhe_sym(id_aa64mmfr0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR0_EL1); + kvm_nvhe_sym(id_aa64mmfr1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR1_EL1); + kvm_nvhe_sym(id_aa64mmfr2_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR2_EL1); ++} ++ ++static int kvm_hyp_init_protection(u32 hyp_va_bits) ++{ ++ void *addr = phys_to_virt(hyp_mem_base); ++ int ret; + + ret = create_hyp_mappings(addr, addr + hyp_mem_size, PAGE_HYP); + if (ret) +@@ -2057,6 +2060,8 @@ static int init_hyp_mode(void) + cpu_prepare_hyp_mode(cpu); + } + ++ kvm_hyp_init_symbols(); ++ + if (is_protected_kvm_enabled()) { + init_cpu_logical_map(); + +@@ -2064,9 +2069,7 @@ static int init_hyp_mode(void) + err = -ENODEV; + goto out_err; + } +- } + +- if (is_protected_kvm_enabled()) { + err = kvm_hyp_init_protection(hyp_va_bits); + if (err) { + kvm_err("Failed to init hyp memory protection\n"); +-- +2.39.2 + diff --git a/queue-6.1/libbpf-fix-single-line-struct-definition-output-in-b.patch b/queue-6.1/libbpf-fix-single-line-struct-definition-output-in-b.patch new file mode 100644 index 00000000000..f881fb5ce33 --- /dev/null +++ b/queue-6.1/libbpf-fix-single-line-struct-definition-output-in-b.patch 
@@ -0,0 +1,49 @@
+From 86e17af37b08a86c00a793b15b590ac342437624 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Dec 2022 13:15:00 -0800
+Subject: libbpf: Fix single-line struct definition output in btf_dump
+
+From: Andrii Nakryiko
+
+[ Upstream commit 872aec4b5f635d94111d48ec3c57fbe078d64e7d ]
+
+btf_dump APIs emit unnecessary tabs when emitting struct/union
+definition that fits on the single line. Before this patch we'd get:
+
+struct blah {};
+
+This patch fixes this and makes sure that we get more natural:
+
+struct blah {};
+
+Fixes: 44a726c3f23c ("bpftool: Print newline before '}' for struct with padding only fields")
+Signed-off-by: Andrii Nakryiko
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20221212211505.558851-2-andrii@kernel.org
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/btf_dump.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index 80a15a6802094..4cd1d49c94d6d 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -1015,9 +1015,12 @@ static void btf_dump_emit_struct_def(struct btf_dump *d,
+ * Keep `struct empty {}` on a single line,
+ * only print newline when there are regular or padding fields.
+ */
+- if (vlen || t->size)
++ if (vlen || t->size) {
+ btf_dump_printf(d, "\n");
+- btf_dump_printf(d, "%s}", pfx(lvl));
++ btf_dump_printf(d, "%s}", pfx(lvl));
++ } else {
++ btf_dump_printf(d, "}");
++ }
+ if (packed)
+ btf_dump_printf(d, " __attribute__((packed))");
+ }
+--
+2.39.2
+
diff --git a/queue-6.1/loongarch-bpf-fix-jit-to-skip-speculation-barrier-op.patch b/queue-6.1/loongarch-bpf-fix-jit-to-skip-speculation-barrier-op.patch
new file mode 100644
index 00000000000..f69357d231e
--- /dev/null
+++ b/queue-6.1/loongarch-bpf-fix-jit-to-skip-speculation-barrier-op.patch
@@ -0,0 +1,74 @@
+From b7eb4d89773398e6d909b7e13cf7554bc0d67d90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Mar 2023 15:13:35 +0800
+Subject: LoongArch, bpf: Fix jit to skip speculation barrier opcode
+
+From: George Guo
+
+[ Upstream commit a6f6a95f25803500079513780d11a911ce551d76 ]
+
+Just skip the opcode(BPF_ST | BPF_NOSPEC) in the BPF JIT instead of
+failing to JIT the entire program, given LoongArch currently has no
+couterpart of a speculation barrier instruction. To verify the issue,
+use the ltp testcase as shown below.
+
+Also, Wang says:
+
+ I can confirm there's currently no speculation barrier equivalent
+ on LonogArch. (Loongson says there are builtin mitigations for
+ Spectre-V1 and V2 on their chips, and AFAIK efforts to port the
+ exploits to mips/LoongArch have all failed a few years ago.)
+
+Without this patch:
+
+ $ ./bpf_prog02
+ [...]
+ bpf_common.c:123: TBROK: Failed verification: ??? (524)
+ [...]
+ Summary:
+ passed 0
+ failed 0
+ broken 1
+ skipped 0
+ warnings 0
+
+With this patch:
+
+ $ ./bpf_prog02
+ [...]
+ Summary:
+ passed 0
+ failed 0
+ broken 0
+ skipped 0
+ warnings 0
+
+Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
+Signed-off-by: George Guo
+Signed-off-by: Daniel Borkmann
+Acked-by: WANG Xuerui
+Cc: Tiezhu Yang
+Link: https://lore.kernel.org/bpf/20230328071335.2664966-1-guodongtai@kylinos.cn
+Signed-off-by: Sasha Levin
+---
+ arch/loongarch/net/bpf_jit.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
+index 2467bfb8889a9..82b4402810da0 100644
+--- a/arch/loongarch/net/bpf_jit.c
++++ b/arch/loongarch/net/bpf_jit.c
+@@ -955,6 +955,10 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx, bool ext
+ emit_atomic(insn, ctx);
+ break;
+
++ /* Speculation barrier */
++ case BPF_ST | BPF_NOSPEC:
++ break;
++
+ default:
+ pr_err("bpf_jit: unknown opcode %02x\n", code);
+ return -EINVAL;
+--
+2.39.2
+
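Review bot: The new `case BPF_ST | BPF_NOSPEC:` in build_insn() emits no instruction, yet its comment reads `/* Speculation barrier */`, which tells a reader that a barrier is generated here. The reason for the no-op exists only in the commit message, so I would carry it into the code, e.g. `/* Speculation barrier: no LoongArch equivalent, intentionally emits nothing */`. The vendor statement quoted in the message covers Spectre-V1 and V2 only; as far as I know the verifier inserts this opcode to guard against speculative store bypass, so it is worth confirming that case is covered by hardware as well before relying on the JIT output as mitigated. build_insn() starts and ends outside the hunk.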
diff --git a/queue-6.1/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch b/queue-6.1/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch
new file mode 100644
index 00000000000..10686929f33
--- /dev/null
+++ b/queue-6.1/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch
@@ -0,0 +1,150 @@ +From 0e061adf8a192938e546a987ddea5d313cee42fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 16:21:44 -0700 +Subject: net: macb: fix a memory corruption in extended buffer descriptor mode + +From: Roman Gushchin + +[ Upstream commit e8b74453555872851bdd7ea43a7c0ec39659834f ] + +For quite some time we were chasing a bug which looked like a sudden +permanent failure of networking and mmc on some of our devices. +The bug was very sensitive to any software changes and even more to +any kernel debug options. + +Finally we got a setup where the problem was reproducible with +CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma: + +[ 16.992082] ------------[ cut here ]------------ +[ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes] +[ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900 +[ 17.018977] Modules linked in: xxxxx +[ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28 +[ 17.045345] Hardware name: xxxxx +[ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 17.054322] pc : check_unmap+0x6a0/0x900 +[ 17.058243] lr : check_unmap+0x6a0/0x900 +[ 17.062163] sp : ffffffc010003c40 +[ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c +[ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800 +[ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8 +[ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750 +[ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000 +[ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010 +[ 17.097343] x17: 0000000000000000 x16: 0000000000000000 +[ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720 +[ 17.107959] x13: 0720072007200720 x12: 0720072007200720 +[ 17.113261] x11: 0720072007200720 x10: 0720072007200720 +[ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d +[ 17.123869] x7 : 0000000000000015 x6 : 
0000000000000098 +[ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000 +[ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370 +[ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000 +[ 17.145082] Call trace: +[ 17.147524] check_unmap+0x6a0/0x900 +[ 17.151091] debug_dma_unmap_page+0x88/0x90 +[ 17.155266] gem_rx+0x114/0x2f0 +[ 17.158396] macb_poll+0x58/0x100 +[ 17.161705] net_rx_action+0x118/0x400 +[ 17.165445] __do_softirq+0x138/0x36c +[ 17.169100] irq_exit+0x98/0xc0 +[ 17.172234] __handle_domain_irq+0x64/0xc0 +[ 17.176320] gic_handle_irq+0x5c/0xc0 +[ 17.179974] el1_irq+0xb8/0x140 +[ 17.183109] xiic_process+0x5c/0xe30 +[ 17.186677] irq_thread_fn+0x28/0x90 +[ 17.190244] irq_thread+0x208/0x2a0 +[ 17.193724] kthread+0x130/0x140 +[ 17.196945] ret_from_fork+0x10/0x20 +[ 17.200510] ---[ end trace 7240980785f81d6f ]--- + +[ 237.021490] ------------[ cut here ]------------ +[ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b +[ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240 +[ 237.041802] Modules linked in: xxxxx +[ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28 +[ 237.068941] Hardware name: xxxxx +[ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO) +[ 237.077900] pc : add_dma_entry+0x214/0x240 +[ 237.081986] lr : add_dma_entry+0x214/0x240 +[ 237.086072] sp : ffffffc010003c30 +[ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00 +[ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0 +[ 237.099987] x25: 0000000000000002 x24: 0000000000000000 +[ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00 +[ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600 +[ 237.115897] x19: 00000000ffffffef x18: 0000000000000010 +[ 237.121201] x17: 0000000000000000 x16: 0000000000000000 +[ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720 +[ 237.131807] x13: 0720072007200720 x12: 0720072007200720 +[ 237.137111] x11: 0720072007200720 x10: 0720072007200720 +[ 237.142415] x9 
: 0720072007200720 x8 : 0000000000000259 +[ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000 +[ 237.153022] x5 : ffffffc010003a20 x4 : 0000000000000001 +[ 237.158325] x3 : 0000000000000006 x2 : 0000000000000007 +[ 237.163628] x1 : 8ac721b3a7dc1c00 x0 : 0000000000000000 +[ 237.168932] Call trace: +[ 237.171373] add_dma_entry+0x214/0x240 +[ 237.175115] debug_dma_map_page+0xf8/0x120 +[ 237.179203] gem_rx_refill+0x190/0x280 +[ 237.182942] gem_rx+0x224/0x2f0 +[ 237.186075] macb_poll+0x58/0x100 +[ 237.189384] net_rx_action+0x118/0x400 +[ 237.193125] __do_softirq+0x138/0x36c +[ 237.196780] irq_exit+0x98/0xc0 +[ 237.199914] __handle_domain_irq+0x64/0xc0 +[ 237.204000] gic_handle_irq+0x5c/0xc0 +[ 237.207654] el1_irq+0xb8/0x140 +[ 237.210789] arch_cpu_idle+0x40/0x200 +[ 237.214444] default_idle_call+0x18/0x30 +[ 237.218359] do_idle+0x200/0x280 +[ 237.221578] cpu_startup_entry+0x20/0x30 +[ 237.225493] rest_init+0xe4/0xf0 +[ 237.228713] arch_call_rest_init+0xc/0x14 +[ 237.232714] start_kernel+0x47c/0x4a8 +[ 237.236367] ---[ end trace 7240980785f81d70 ]--- + +Lars was fast to find an explanation: according to the datasheet +bit 2 of the rx buffer descriptor entry has a different meaning in the +extended mode: + Address [2] of beginning of buffer, or + in extended buffer descriptor mode (DMA configuration register [28] = 1), + indicates a valid timestamp in the buffer descriptor entry. + +The macb driver didn't mask this bit while getting an address and it +eventually caused a memory corruption and a dma failure. + +The problem is resolved by explicitly clearing the problematic bit +if hw timestamping is used. 
+ +Fixes: 7b4296148066 ("net: macb: Add support for PTP timestamps in DMA descriptors") +Signed-off-by: Roman Gushchin +Co-developed-by: Lars-Peter Clausen +Signed-off-by: Lars-Peter Clausen +Acked-by: Nicolas Ferre +Reviewed-by: Jacob Keller +Link: https://lore.kernel.org/r/20230412232144.770336-1-roman.gushchin@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index e255780f3867c..abd6cc0cd641f 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1010,6 +1010,10 @@ static dma_addr_t macb_get_addr(struct macb *bp, struct macb_dma_desc *desc) + } + #endif + addr |= MACB_BF(RX_WADDR, MACB_BFEXT(RX_WADDR, desc->addr)); ++#ifdef CONFIG_MACB_USE_HWSTAMP ++ if (bp->hw_dma_cap & HW_DMA_CAP_PTP) ++ addr &= ~GEM_BIT(DMA_RXVALID); ++#endif + return addr; + } + +-- +2.39.2 + diff --git a/queue-6.1/net-openvswitch-fix-race-on-port-output.patch b/queue-6.1/net-openvswitch-fix-race-on-port-output.patch new file mode 100644 index 00000000000..bdd7a60d197 --- /dev/null +++ b/queue-6.1/net-openvswitch-fix-race-on-port-output.patch 
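Review bot: The mask added to macb_get_addr() carries no comment, and `addr &= ~GEM_BIT(DMA_RXVALID);` on its own reads like clearing a status flag rather than repairing a DMA address. Since a wrong address here is what led to the corruption described in the message, I would record the datasheet fact next to the line, e.g. `/* In extended descriptor mode this bit flags a valid timestamp, it is not address bit 2 */`. The mask is applied only when CONFIG_MACB_USE_HWSTAMP is built in and `HW_DMA_CAP_PTP` is set; whether that condition matches exactly the cases where the hardware runs in extended descriptor mode is not visible from the hunk and is worth confirming. macb_get_addr() starts outside the hunk.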
@@ -0,0 +1,240 @@ +From c72313010eed1adb302849430f8b938b8ffde7b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Apr 2023 07:53:41 +0000 +Subject: net: openvswitch: fix race on port output + +From: Felix Huettner + +[ Upstream commit 066b86787fa3d97b7aefb5ac0a99a22dad2d15f8 ] + +assume the following setup on a single machine: +1. An openvswitch instance with one bridge and default flows +2. two network namespaces "server" and "client" +3. two ovs interfaces "server" and "client" on the bridge +4. for each ovs interface a veth pair with a matching name and 32 rx and + tx queues +5. move the ends of the veth pairs to the respective network namespaces +6. assign ip addresses to each of the veth ends in the namespaces (needs + to be the same subnet) +7. start some http server on the server network namespace +8. test if a client in the client namespace can reach the http server + +when following the actions below the host has a chance of getting a cpu +stuck in a infinite loop: +1. send a large amount of parallel requests to the http server (around + 3000 curls should work) +2. in parallel delete the network namespace (do not delete interfaces or + stop the server, just kill the namespace) + +there is a low chance that this will cause the below kernel cpu stuck +message. If this does not happen just retry. +Below there is also the output of bpftrace for the functions mentioned +in the output. + +The series of events happening here is: +1. the network namespace is deleted calling + `unregister_netdevice_many_notify` somewhere in the process +2. this sets first `NETREG_UNREGISTERING` on both ends of the veth and + then runs `synchronize_net` +3. it then calls `call_netdevice_notifiers` with `NETDEV_UNREGISTER` +4. this is then handled by `dp_device_event` which calls + `ovs_netdev_detach_dev` (if a vport is found, which is the case for + the veth interface attached to ovs) +5. 
this removes the rx_handlers of the device but does not prevent + packages to be sent to the device +6. `dp_device_event` then queues the vport deletion to work in + background as a ovs_lock is needed that we do not hold in the + unregistration path +7. `unregister_netdevice_many_notify` continues to call + `netdev_unregister_kobject` which sets `real_num_tx_queues` to 0 +8. port deletion continues (but details are not relevant for this issue) +9. at some future point the background task deletes the vport + +If after 7. but before 9. a packet is send to the ovs vport (which is +not deleted at this point in time) which forwards it to the +`dev_queue_xmit` flow even though the device is unregistering. +In `skb_tx_hash` (which is called in the `dev_queue_xmit`) path there is +a while loop (if the packet has a rx_queue recorded) that is infinite if +`dev->real_num_tx_queues` is zero. + +To prevent this from happening we update `do_output` to handle devices +without carrier the same as if the device is not found (which would +be the code path after 9. is done). + +Additionally we now produce a warning in `skb_tx_hash` if we will hit +the infinite loop. 
+ +bpftrace (first word is function name): + +__dev_queue_xmit server: real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1 +netdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1 +dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 2, reg_state: 1 +synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024 +synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024 +synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024 +synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024 +dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 6, reg_state: 2 +ovs_netdev_detach_dev server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, reg_state: 2 +netdev_rx_handler_unregister server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2 +synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024 +netdev_rx_handler_unregister ret server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2 +dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 27, reg_state: 2 +dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 22, reg_state: 2 +dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 18, reg_state: 2 +netdev_unregister_kobject: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024 +synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024 +ovs_vport_send server: real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2 +__dev_queue_xmit server: real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2 +netdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2 +broken device server: 
real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024 +ovs_dp_detach_port server: real_num_tx_queues: 0 cpu 9, pid: 9124, tid: 9124, reg_state: 2 +synchronize_rcu_expedited: cpu 9, pid: 33604, tid: 33604 + +stuck message: + +watchdog: BUG: soft lockup - CPU#5 stuck for 26s! [curl:1929279] +Modules linked in: veth pktgen bridge stp llc ip_set_hash_net nft_counter xt_set nft_compat nf_tables ip_set_hash_ip ip_set nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 tls binfmt_misc nls_iso8859_1 input_leds joydev serio_raw dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua sch_fq_codel drm efi_pstore virtio_rng ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net ahci net_failover crypto_simd cryptd psmouse libahci virtio_blk failover +CPU: 5 PID: 1929279 Comm: curl Not tainted 5.15.0-67-generic #74-Ubuntu +Hardware name: OpenStack Foundation OpenStack Nova, BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:netdev_pick_tx+0xf1/0x320 +Code: 00 00 8d 48 ff 0f b7 c1 66 39 ca 0f 86 e9 01 00 00 45 0f b7 ff 41 39 c7 0f 87 5b 01 00 00 44 29 f8 41 39 c7 0f 87 4f 01 00 00 f2 0f 1f 44 00 00 49 8b 94 24 28 04 00 00 48 85 d2 0f 84 53 01 +RSP: 0018:ffffb78b40298820 EFLAGS: 00000246 +RAX: 0000000000000000 RBX: ffff9c8773adc2e0 RCX: 000000000000083f +RDX: 0000000000000000 RSI: ffff9c8773adc2e0 RDI: ffff9c870a25e000 +RBP: ffffb78b40298858 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffff9c870a25e000 +R13: ffff9c870a25e000 R14: ffff9c87fe043480 R15: 0000000000000000 +FS: 00007f7b80008f00(0000) GS:ffff9c8e5f740000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7b80f6a0b0 CR3: 
0000000329d66000 CR4: 0000000000350ee0 +Call Trace: + + netdev_core_pick_tx+0xa4/0xb0 + __dev_queue_xmit+0xf8/0x510 + ? __bpf_prog_exit+0x1e/0x30 + dev_queue_xmit+0x10/0x20 + ovs_vport_send+0xad/0x170 [openvswitch] + do_output+0x59/0x180 [openvswitch] + do_execute_actions+0xa80/0xaa0 [openvswitch] + ? kfree+0x1/0x250 + ? kfree+0x1/0x250 + ? kprobe_perf_func+0x4f/0x2b0 + ? flow_lookup.constprop.0+0x5c/0x110 [openvswitch] + ovs_execute_actions+0x4c/0x120 [openvswitch] + ovs_dp_process_packet+0xa1/0x200 [openvswitch] + ? ovs_ct_update_key.isra.0+0xa8/0x120 [openvswitch] + ? ovs_ct_fill_key+0x1d/0x30 [openvswitch] + ? ovs_flow_key_extract+0x2db/0x350 [openvswitch] + ovs_vport_receive+0x77/0xd0 [openvswitch] + ? __htab_map_lookup_elem+0x4e/0x60 + ? bpf_prog_680e8aff8547aec1_kfree+0x3b/0x714 + ? trace_call_bpf+0xc8/0x150 + ? kfree+0x1/0x250 + ? kfree+0x1/0x250 + ? kprobe_perf_func+0x4f/0x2b0 + ? kprobe_perf_func+0x4f/0x2b0 + ? __mod_memcg_lruvec_state+0x63/0xe0 + netdev_port_receive+0xc4/0x180 [openvswitch] + ? netdev_port_receive+0x180/0x180 [openvswitch] + netdev_frame_hook+0x1f/0x40 [openvswitch] + __netif_receive_skb_core.constprop.0+0x23d/0xf00 + __netif_receive_skb_one_core+0x3f/0xa0 + __netif_receive_skb+0x15/0x60 + process_backlog+0x9e/0x170 + __napi_poll+0x33/0x180 + net_rx_action+0x126/0x280 + ? ttwu_do_activate+0x72/0xf0 + __do_softirq+0xd9/0x2e7 + ? rcu_report_exp_cpu_mult+0x1b0/0x1b0 + do_softirq+0x7d/0xb0 + + + __local_bh_enable_ip+0x54/0x60 + ip_finish_output2+0x191/0x460 + __ip_finish_output+0xb7/0x180 + ip_finish_output+0x2e/0xc0 + ip_output+0x78/0x100 + ? __ip_finish_output+0x180/0x180 + ip_local_out+0x5e/0x70 + __ip_queue_xmit+0x184/0x440 + ? tcp_syn_options+0x1f9/0x300 + ip_queue_xmit+0x15/0x20 + __tcp_transmit_skb+0x910/0x9c0 + ? __mod_memcg_state+0x44/0xa0 + tcp_connect+0x437/0x4e0 + ? ktime_get_with_offset+0x60/0xf0 + tcp_v4_connect+0x436/0x530 + __inet_stream_connect+0xd4/0x3a0 + ? kprobe_perf_func+0x4f/0x2b0 + ? 
aa_sk_perm+0x43/0x1c0 + inet_stream_connect+0x3b/0x60 + __sys_connect_file+0x63/0x70 + __sys_connect+0xa6/0xd0 + ? setfl+0x108/0x170 + ? do_fcntl+0xe8/0x5a0 + __x64_sys_connect+0x18/0x20 + do_syscall_64+0x5c/0xc0 + ? __x64_sys_fcntl+0xa9/0xd0 + ? exit_to_user_mode_prepare+0x37/0xb0 + ? syscall_exit_to_user_mode+0x27/0x50 + ? do_syscall_64+0x69/0xc0 + ? __sys_setsockopt+0xea/0x1e0 + ? exit_to_user_mode_prepare+0x37/0xb0 + ? syscall_exit_to_user_mode+0x27/0x50 + ? __x64_sys_setsockopt+0x1f/0x30 + ? do_syscall_64+0x69/0xc0 + ? irqentry_exit+0x1d/0x30 + ? exc_page_fault+0x89/0x170 + entry_SYSCALL_64_after_hwframe+0x61/0xcb +RIP: 0033:0x7f7b8101c6a7 +Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 18 89 54 24 0c 48 89 34 24 89 +RSP: 002b:00007ffffd6b2198 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7b8101c6a7 +RDX: 0000000000000010 RSI: 00007ffffd6b2360 RDI: 0000000000000005 +RBP: 0000561f1370d560 R08: 00002795ad21d1ac R09: 0030312e302e302e +R10: 00007ffffd73f080 R11: 0000000000000246 R12: 0000561f1370c410 +R13: 0000000000000000 R14: 0000000000000005 R15: 0000000000000000 + + +Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action") +Co-developed-by: Luca Czesla +Signed-off-by: Luca Czesla +Signed-off-by: Felix Huettner +Reviewed-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ZC0pBXBAgh7c76CA@kernel-bug-kernel-bug +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 1 + + net/openvswitch/actions.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 24eae99dfe05a..a25b8741b1599 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3211,6 +3211,7 @@ static u16 skb_tx_hash(const struct net_device *dev, + } + + if (skb_rx_queue_recorded(skb)) { ++ DEBUG_NET_WARN_ON_ONCE(qcount == 
0); + hash = skb_get_rx_queue(skb); + if (hash >= qoffset) + hash -= qoffset; +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index ca3ebfdb30231..a8cf9a88758ef 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -913,7 +913,7 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port, + { + struct vport *vport = ovs_vport_rcu(dp, out_port); + +- if (likely(vport)) { ++ if (likely(vport && netif_carrier_ok(vport->dev))) { + u16 mru = OVS_CB(skb)->mru; + u32 cutlen = OVS_CB(skb)->cutlen; + +-- +2.39.2 + diff --git a/queue-6.1/net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch b/queue-6.1/net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch new file mode 100644 index 00000000000..c98ec2f9abd --- /dev/null +++ b/queue-6.1/net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch 
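Review bot: The `DEBUG_NET_WARN_ON_ONCE(qcount == 0)` added to skb_tx_hash() only reports the condition, and only on kernels built with CONFIG_DEBUG_NET; the loop that the commit message describes as infinite when `real_num_tx_queues` is zero lies outside this hunk and appears to be unchanged. The `netif_carrier_ok(vport->dev)` test in do_output() covers the Open vSwitch path, but it is a separate check from the queue count, and other senders that reach skb_tx_hash() for an unregistering device would still spin on production builds. At minimum I would document the hazard at the warning, e.g. `/* qcount == 0: the reduction loop below cannot terminate */`, and consider whether skb_tx_hash() should bail out instead of only warning. Both functions start and end outside their hunks.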
@@ -0,0 +1,98 @@
+From 0a140d63a92b47108c5cdfe05d93bdf13cdeec98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Apr 2023 09:23:52 +0800
+Subject: net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
+
+From: Ziyang Xuan
+
+[ Upstream commit 6417070918de3bcdbe0646e7256dae58fd8083ba ]
+
+Syzbot reported a bug as following:
+
+=====================================================
+BUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
+ qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
+ qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519
+ qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
+ call_write_iter include/linux/fs.h:2189 [inline]
+ aio_write+0x63a/0x950 fs/aio.c:1600
+ io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
+ __do_sys_io_submit fs/aio.c:2078 [inline]
+ __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
+ __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:766 [inline]
+ slab_alloc_node mm/slub.c:3452 [inline]
+ __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
+ __do_kmalloc_node mm/slab_common.c:967 [inline]
+ __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988
+ kmalloc_reserve net/core/skbuff.c:492 [inline]
+ __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565
+ __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630
+ qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446
+ qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
+ call_write_iter include/linux/fs.h:2189 [inline]
+ aio_write+0x63a/0x950 fs/aio.c:1600
+ io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
+ __do_sys_io_submit fs/aio.c:2078 [inline]
+ __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
+ __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+It is because that skb->len requires at least sizeof(struct qrtr_ctrl_pkt)
+in qrtr_tx_resume(). And skb->len equals to size in qrtr_endpoint_post().
+But size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type
+equals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot
+scenario. This triggers the uninit variable access bug.
+
+Add size check when qrtr_cb->type equals to QRTR_TYPE_RESUME_TX in
+qrtr_endpoint_post() to fix the bug.
+
+Fixes: 5fdeb0d372ab ("net: qrtr: Implement outgoing flow control")
+Reported-by: syzbot+4436c9630a45820fda76@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=c14607f0963d27d5a3d5f4c8639b500909e43540
+Suggested-by: Manivannan Sadhasivam
+Signed-off-by: Ziyang Xuan
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230410012352.3997823-1-william.xuanziyang@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/qrtr/af_qrtr.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
+index 3a70255c8d02f..76f0434d3d06a 100644
+--- a/net/qrtr/af_qrtr.c
++++ b/net/qrtr/af_qrtr.c
+@@ -498,6 +498,11 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ if (!size || len != ALIGN(size, 4) + hdrlen)
+ goto err;
+
++ if ((cb->type == QRTR_TYPE_NEW_SERVER ||
++ cb->type == QRTR_TYPE_RESUME_TX) &&
++ size < sizeof(struct qrtr_ctrl_pkt))
++ goto err;
++
+ if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
+ cb->type != QRTR_TYPE_RESUME_TX)
+ goto err;
+@@ -510,9 +515,6 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ /* Remote node endpoint can bridge other distant nodes */
+ const struct qrtr_ctrl_pkt *pkt;
+
+- if (size < sizeof(*pkt))
+- goto err;
+-
+ pkt = data + hdrlen;
+ qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
+ }
+--
+2.39.2
+
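Review bot: The length check added to qrtr_endpoint_post() has no comment saying why it is keyed to exactly QRTR_TYPE_NEW_SERVER and QRTR_TYPE_RESUME_TX, so a later control type that is also read as struct qrtr_ctrl_pkt could be added without the guard. I would put `/* NEW_SERVER and RESUME_TX payloads are read as struct qrtr_ctrl_pkt further down the receive path; reject short ones here */` above the new `if`. The commit message names qrtr_tx_resume() as one reader and the second hunk shows `pkt->server.node` being read; whether the remaining control types are length-checked by their own consumers is not visible here. The function body extends beyond both hunks.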
diff --git a/queue-6.1/net-wwan-iosm-fix-error-handling-path-in-ipc_pcie_pr.patch b/queue-6.1/net-wwan-iosm-fix-error-handling-path-in-ipc_pcie_pr.patch
new file mode 100644
index 00000000000..7dac14ea5e1
--- /dev/null
+++ b/queue-6.1/net-wwan-iosm-fix-error-handling-path-in-ipc_pcie_pr.patch
@@ -0,0 +1,56 @@
+From 7bcd4c32bf8030d1e3b76e797832f589a1a09f50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 8 Apr 2023 12:43:21 -0700
+Subject: net: wwan: iosm: Fix error handling path in ipc_pcie_probe()
+
+From: Harshit Mogalapalli
+
+[ Upstream commit a56ef25619e079bd7d744636cf18d054d1e91982 ]
+
+Smatch reports:
+ drivers/net/wwan/iosm/iosm_ipc_pcie.c:298 ipc_pcie_probe()
+ warn: missing unwind goto?
+
+When dma_set_mask fails it directly returns without disabling pci
+device and freeing ipc_pcie. Fix this my calling a correct goto label
+
+As dma_set_mask returns either 0 or -EIO, we can use a goto label, as
+it finally returns -EIO.
+
+Add a set_mask_fail goto label which stands consistent with other goto
+labels in this function..
+
+Fixes: 035e3befc191 ("net: wwan: iosm: fix driver not working with INTEL_IOMMU disabled")
+Reviewed-by: Simon Horman
+Signed-off-by: Harshit Mogalapalli
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wwan/iosm/iosm_ipc_pcie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+index 5bf5a93937c9c..04517bd3325a2 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+@@ -295,7 +295,7 @@ static int ipc_pcie_probe(struct pci_dev *pci,
+ ret = dma_set_mask(ipc_pcie->dev, DMA_BIT_MASK(64));
+ if (ret) {
+ dev_err(ipc_pcie->dev, "Could not set PCI DMA mask: %d", ret);
+- return ret;
++ goto set_mask_fail;
+ }
+
+ ipc_pcie_config_aspm(ipc_pcie);
+@@ -323,6 +323,7 @@ static int ipc_pcie_probe(struct pci_dev *pci,
+ imem_init_fail:
+ ipc_pcie_resources_release(ipc_pcie);
+ resources_req_fail:
++set_mask_fail:
+ pci_disable_device(pci);
+ pci_enable_fail:
+ kfree(ipc_pcie);
+--
+2.39.2
+
diff --git a/queue-6.1/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch b/queue-6.1/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch
new file mode 100644
index 00000000000..6a89d25cd39
--- /dev/null
+++ b/queue-6.1/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch
@@ -0,0 +1,42 @@
+From 3f43bcd027f788e63e85071e635945cb811b65f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Apr 2023 23:31:18 -0700
+Subject: niu: Fix missing unwind goto in niu_alloc_channels()
+
+From: Harshit Mogalapalli
+
+[ Upstream commit 8ce07be703456acb00e83d99f3b8036252c33b02 ]
+
+Smatch reports: drivers/net/ethernet/sun/niu.c:4525
+ niu_alloc_channels() warn: missing unwind goto?
+
+If niu_rbr_fill() fails, then we are directly returning 'err' without
+freeing the channels.
+
+Fix this by changing direct return to a goto 'out_err'.
+
+Fixes: a3138df9f20e ("[NIU]: Add Sun Neptune ethernet driver.")
+Signed-off-by: Harshit Mogalapalli
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sun/niu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index e6144d963eaaa..4bbf011d53e69 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -4522,7 +4522,7 @@ static int niu_alloc_channels(struct niu *np)
+
+ err = niu_rbr_fill(np, rp, GFP_KERNEL);
+ if (err)
+- return err;
++ goto out_err;
+ }
+
+ tx_rings = kcalloc(num_tx_rings, sizeof(struct tx_ring_info),
+--
+2.39.2
+
diff --git a/queue-6.1/nvme-send-identify-with-cns-06h-only-to-i-o-controll.patch b/queue-6.1/nvme-send-identify-with-cns-06h-only-to-i-o-controll.patch
new file mode 100644
index 00000000000..e675aa86398
--- /dev/null
+++ b/queue-6.1/nvme-send-identify-with-cns-06h-only-to-i-o-controll.patch
@@ -0,0 +1,40 @@
+From 9ffe85d7fd9bcd4b921114a08e1a38d2783bdf3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 17:20:09 +0530
+Subject: nvme: send Identify with CNS 06h only to I/O controllers
+
+From: Martin George
+
+[ Upstream commit def84ab600b71ea3fcc422a876d5d0d0daa7d4f3 ]
+
+Identify CNS 06h (I/O Command Set Specific Identify Controller data
+structure) is supported only on i/o controllers.
+
+But nvme_init_non_mdts_limits() currently invokes this on all
+controllers. Correct this by ensuring this is sent to I/O
+controllers only.
+
+Signed-off-by: Martin George
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index cb71ce3413c2d..c54c6ffba0bcd 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3074,7 +3074,8 @@ static int nvme_init_non_mdts_limits(struct nvme_ctrl *ctrl)
+ else
+ ctrl->max_zeroes_sectors = 0;
+
+- if (nvme_ctrl_limited_cns(ctrl))
++ if (ctrl->subsys->subtype != NVME_NQN_NVME ||
++ nvme_ctrl_limited_cns(ctrl))
+ return 0;
+
+ id = kzalloc(sizeof(*id), GFP_KERNEL);
+--
+2.39.2
+
diff --git a/queue-6.1/power-supply-axp288_fuel_gauge-added-check-for-negat.patch b/queue-6.1/power-supply-axp288_fuel_gauge-added-check-for-negat.patch
new file mode 100644
index 00000000000..5243ce23ebf
--- /dev/null
+++ b/queue-6.1/power-supply-axp288_fuel_gauge-added-check-for-negat.patch
@@ -0,0 +1,39 @@
+From 33e1c831b2afd36ecfa079f8757c13852c860c4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Dec 2022 12:17:23 +0300
+Subject: power: supply: axp288_fuel_gauge: Added check for negative values
+
+From: Denis Arefev
+
+[ Upstream commit bf6c880d5d1448489ebf92e2d13d5713ff644930 ]
+
+Variable 'pirq', which may receive negative value
+in platform_get_irq().
+Used as an index in a function regmap_irq_get_virq().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Denis Arefev
+Reviewed-by: Hans de Goede
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/axp288_fuel_gauge.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c
+index 8e6f8a6550790..05f4131784629 100644
+--- a/drivers/power/supply/axp288_fuel_gauge.c
++++ b/drivers/power/supply/axp288_fuel_gauge.c
+@@ -724,6 +724,8 @@ static int axp288_fuel_gauge_probe(struct platform_device *pdev)
+
+ for (i = 0; i < AXP288_FG_INTR_NUM; i++) {
+ pirq = platform_get_irq(pdev, i);
++ if (pirq < 0)
++ continue;
+ ret = regmap_irq_get_virq(axp20x->regmap_irqc, pirq);
+ if (ret < 0)
+ return dev_err_probe(dev, ret, "getting vIRQ %d\n", pirq);
+--
+2.39.2
+
diff --git a/queue-6.1/power-supply-cros_usbpd-reclassify-default-case-as-d.patch b/queue-6.1/power-supply-cros_usbpd-reclassify-default-case-as-d.patch
new file mode 100644
index 00000000000..17a009f61bd
--- /dev/null
+++ b/queue-6.1/power-supply-cros_usbpd-reclassify-default-case-as-d.patch
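Review bot: The added `if (pirq < 0) continue;` in axp288_fuel_gauge_probe() discards the error from platform_get_irq() without a message, and that also swallows -EPROBE_DEFER, so probe carries on without that interrupt when the interrupt provider is simply not ready yet. Unless these IRQs are meant to be optional (not visible in the hunk), propagating the error the way the next call does would be more consistent: `return dev_err_probe(dev, pirq, "getting IRQ %d\n", i);`. If skipping is intended, a `dev_warn()` naming the index would at least leave a trace. The loop body and the rest of the probe function continue outside the hunk.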
@@ -0,0 +1,42 @@
+From 5ba97277572d2a05ffec1baede7168c5ab8a790e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Dec 2022 13:38:57 -0800
+Subject: power: supply: cros_usbpd: reclassify "default case!" as debug
+
+From: Grant Grundler
+
+[ Upstream commit 14c76b2e75bca4d96e2b85a0c12aa43e84fe3f74 ]
+
+This doesn't need to be printed every second as an error:
+...
+<3>[17438.628385] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+<3>[17439.634176] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+<3>[17440.640298] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+...
+
+Reduce priority from ERROR to DEBUG.
+
+Signed-off-by: Grant Grundler
+Reviewed-by: Guenter Roeck
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/cros_usbpd-charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/cros_usbpd-charger.c b/drivers/power/supply/cros_usbpd-charger.c
+index cadb6a0c2cc7e..b6c96376776a9 100644
+--- a/drivers/power/supply/cros_usbpd-charger.c
++++ b/drivers/power/supply/cros_usbpd-charger.c
+@@ -276,7 +276,7 @@ static int cros_usbpd_charger_get_power_info(struct port_data *port)
+ port->psy_current_max = 0;
+ break;
+ default:
+- dev_err(dev, "Port %d: default case!\n", port->port_number);
++ dev_dbg(dev, "Port %d: default case!\n", port->port_number);
+ port->psy_usb_type = POWER_SUPPLY_USB_TYPE_SDP;
+ }
+
+--
+2.39.2
+
diff --git a/queue-6.1/power-supply-rk817-fix-unsigned-comparison-with-less.patch b/queue-6.1/power-supply-rk817-fix-unsigned-comparison-with-less.patch
new file mode 100644
index 00000000000..a87cb6f0f5b
--- /dev/null
+++ b/queue-6.1/power-supply-rk817-fix-unsigned-comparison-with-less.patch
@@ -0,0 +1,51 @@
+From 67bf80f0c4e8fdcb2d63672501ecbba957a62030 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Dec 2022 11:23:16 +0800
+Subject: power: supply: rk817: Fix unsigned comparison with less than zero
+
+From: Jiapeng Chong
+
+[ Upstream commit 3268a4d9b0b85a4382e93bdf7be5400a73db74c5 ]
+
+The tmp is defined as u32 type, which results in invalid processing of
+tmp<0 in function rk817_read_or_set_full_charge_on_boot(). Therefore,
+drop the comparison.
+
+drivers/power/supply/rk817_charger.c:828 rk817_read_or_set_full_charge_on_boot() warn: unsigned 'tmp' is never less than zero.
+drivers/power/supply/rk817_charger.c:788 rk817_read_or_set_full_charge_on_boot() warn: unsigned 'tmp' is never less than zero.
+
+Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3444
+Reported-by: Abaci Robot
+Signed-off-by: Jiapeng Chong
+Tested-by: Chris Morgan
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/rk817_charger.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/power/supply/rk817_charger.c b/drivers/power/supply/rk817_charger.c
+index 4f9c1c4179165..36f807b5ec442 100644
+--- a/drivers/power/supply/rk817_charger.c
++++ b/drivers/power/supply/rk817_charger.c
+@@ -785,8 +785,6 @@ rk817_read_or_set_full_charge_on_boot(struct rk817_charger *charger,
+ regmap_bulk_read(rk808->regmap, RK817_GAS_GAUGE_Q_PRES_H3,
+ bulk_reg, 4);
+ tmp = get_unaligned_be32(bulk_reg);
+- if (tmp < 0)
+- tmp = 0;
+ boot_charge_mah = ADC_TO_CHARGE_UAH(tmp,
+ charger->res_div) / 1000;
+ /*
+@@ -825,8 +823,6 @@ rk817_read_or_set_full_charge_on_boot(struct rk817_charger *charger,
+ regmap_bulk_read(rk808->regmap, RK817_GAS_GAUGE_Q_PRES_H3,
+ bulk_reg, 4);
+ tmp = get_unaligned_be32(bulk_reg);
+- if (tmp < 0)
+- tmp = 0;
+ boot_charge_mah = ADC_TO_CHARGE_UAH(tmp, charger->res_div) / 1000;
+ regmap_bulk_read(rk808->regmap, RK817_GAS_GAUGE_OCV_VOL_H,
+ bulk_reg, 2);
+--
+2.39.2
+
diff --git a/queue-6.1/qlcnic-check-pci_reset_function-result.patch b/queue-6.1/qlcnic-check-pci_reset_function-result.patch
new file mode 100644
index 00000000000..5041024407a
--- /dev/null
+++ b/queue-6.1/qlcnic-check-pci_reset_function-result.patch
@@ -0,0 +1,49 @@
+From 29724ab45ae6cbc140b9293c2b74b7911ff357d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Apr 2023 10:18:49 +0300
+Subject: qlcnic: check pci_reset_function result
+
+From: Denis Plotnikov
+
+[ Upstream commit 7573099e10ca69c3be33995c1fcd0d241226816d ]
+
+Static code analyzer complains to unchecked return value.
+The result of pci_reset_function() is unchecked.
+Despite, the issue is on the FLR supported code path and in that
+case reset can be done with pcie_flr(), the patch uses less invasive
+approach by adding the result check of pci_reset_function().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 7e2cf4feba05 ("qlcnic: change driver hardware interface mechanism")
+Signed-off-by: Denis Plotnikov
+Reviewed-by: Simon Horman
+Reviewed-by: Bjorn Helgaas
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
+index 87f76bac2e463..eb827b86ecae8 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
+@@ -628,7 +628,13 @@ int qlcnic_fw_create_ctx(struct qlcnic_adapter *dev)
+ int i, err, ring;
+
+ if (dev->flags & QLCNIC_NEED_FLR) {
+- pci_reset_function(dev->pdev);
++ err = pci_reset_function(dev->pdev);
++ if (err) {
++ dev_err(&dev->pdev->dev,
++ "Adapter reset failed (%d). Please reboot\n",
++ err);
++ return err;
++ }
+ dev->flags &= ~QLCNIC_NEED_FLR;
+ }
+
+--
+2.39.2
+
diff --git a/queue-6.1/rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch b/queue-6.1/rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch
new file mode 100644
index 00000000000..f8c50704ab0
--- /dev/null
+++ b/queue-6.1/rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch
@@ -0,0 +1,208 @@
+From 7c6eac4a32c08d6ef9203e51c4bcb3e21b09b043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 12:59:55 +0200
+Subject: RDMA/cma: Allow UD qp_type to join multicast only
+
+From: Mark Zhang
+
+[ Upstream commit 58e84f6b3e84e46524b7e5a916b53c1ad798bc8f ]
+
+As for multicast:
+- The SIDR is the only mode that makes sense;
+- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is
+ UD compatible. In this case qkey also needs to be set [1].
+
+This patch allows only UD qp_type to join multicast, and set qkey to
+default if it's not set, to fix an uninit-value error: the ib->rec.qkey
+field is accessed without being initialized.
+
+=====================================================
+BUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
+BUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
+ cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
+ cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
+ cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline]
+ rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814
+ ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
+ ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546
+ ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732
+ vfs_write+0x8ce/0x2030 fs/read_write.c:588
+ ksys_write+0x28c/0x520 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:652
+ do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
+ __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
+ do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
+ do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+Local variable ib.i created at:
+cma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline]
+rdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814
+ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
+
+CPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+=====================================================
+
+[1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/
+
+Fixes: b5de0c60cc30 ("RDMA/cma: Fix use after free race in roce multicast join")
+Reported-by: syzbot+8fcbb77276d43cc8b693@syzkaller.appspotmail.com
+Signed-off-by: Mark Zhang
+Link: https://lore.kernel.org/r/58a4a98323b5e6b1282e83f6b76960d06e43b9fa.1679309909.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/cma.c | 60 ++++++++++++++++++++---------------
+ 1 file changed, 34 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 8730674ceb2e1..c6a671edba5c8 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -624,22 +624,11 @@ static inline unsigned short cma_family(struct rdma_id_private *id_priv)
+ return id_priv->id.route.addr.src_addr.ss_family;
+ }
+
+-static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
++static int cma_set_default_qkey(struct rdma_id_private *id_priv)
+ {
+ struct ib_sa_mcmember_rec rec;
+ int ret = 0;
+
+- if (id_priv->qkey) {
+- if (qkey && id_priv->qkey != qkey)
+- return -EINVAL;
+- return 0;
+- }
+-
+- if (qkey) {
+- id_priv->qkey = qkey;
+- return 0;
+- }
+-
+ switch (id_priv->id.ps) {
+ case RDMA_PS_UDP:
+ case RDMA_PS_IB:
+@@ -659,6 +648,16 @@ static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
+ return ret;
+ }
+
++static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
++{
++ if (!qkey ||
++ (id_priv->qkey && (id_priv->qkey != qkey)))
++ return -EINVAL;
++
++ id_priv->qkey = qkey;
++ return 0;
++}
++
+ static void cma_translate_ib(struct sockaddr_ib *sib, struct rdma_dev_addr *dev_addr)
+ {
+ dev_addr->dev_type = ARPHRD_INFINIBAND;
+@@ -1229,7 +1228,7 @@ static int cma_ib_init_qp_attr(struct rdma_id_private *id_priv,
+ *qp_attr_mask = IB_QP_STATE | IB_QP_PKEY_INDEX | IB_QP_PORT;
+
+ if (id_priv->id.qp_type == IB_QPT_UD) {
+- ret = cma_set_qkey(id_priv, 0);
++ ret = cma_set_default_qkey(id_priv);
+ if (ret)
+ return ret;
+
+@@ -4558,7 +4557,10 @@ static int cma_send_sidr_rep(struct rdma_id_private *id_priv,
+ memset(&rep, 0, sizeof rep);
+ rep.status = status;
+ if (status == IB_SIDR_SUCCESS) {
+- ret = cma_set_qkey(id_priv, qkey);
++ if (qkey)
++ ret = cma_set_qkey(id_priv, qkey);
++ else
++ ret = cma_set_default_qkey(id_priv);
+ if (ret)
+ return ret;
+ rep.qp_num = id_priv->qp_num;
+@@ -4763,9 +4765,7 @@ static void cma_make_mc_event(int status, struct rdma_id_private *id_priv,
+ enum ib_gid_type gid_type;
+ struct net_device *ndev;
+
+- if (!status)
+- status = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey));
+- else
++ if (status)
+ pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n",
+ status);
+
+@@ -4793,7 +4793,7 @@ static void cma_make_mc_event(int status, struct rdma_id_private *id_priv,
+ }
+
+ event->param.ud.qp_num = 0xFFFFFF;
+- event->param.ud.qkey = be32_to_cpu(multicast->rec.qkey);
++ event->param.ud.qkey = id_priv->qkey;
+
+ out:
+ if (ndev)
+@@ -4812,8 +4812,11 @@ static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast)
+ READ_ONCE(id_priv->state) == RDMA_CM_DESTROYING)
+ goto out;
+
+- cma_make_mc_event(status, id_priv, multicast, &event, mc);
+- ret = cma_cm_event_handler(id_priv, &event);
++ ret = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey));
++ if (!ret) {
++ cma_make_mc_event(status, id_priv, multicast, &event, mc);
++ ret = cma_cm_event_handler(id_priv, &event);
++ }
+ rdma_destroy_ah_attr(&event.param.ud.ah_attr);
+ WARN_ON(ret);
+
+@@ -4866,9 +4869,11 @@ static int cma_join_ib_multicast(struct rdma_id_private *id_priv,
+ if (ret)
+ return ret;
+
+- ret = cma_set_qkey(id_priv, 0);
+- if (ret)
+- return ret;
++ if (!id_priv->qkey) {
++ ret = cma_set_default_qkey(id_priv);
++ if (ret)
++ return ret;
++ }
+
+ cma_set_mgid(id_priv, (struct sockaddr *) &mc->addr, &rec.mgid);
+ rec.qkey = cpu_to_be32(id_priv->qkey);
+@@ -4945,9 +4950,6 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv,
+ cma_iboe_set_mgid(addr, &ib.rec.mgid, gid_type);
+
+ ib.rec.pkey = cpu_to_be16(0xffff);
+- if (id_priv->id.ps == RDMA_PS_UDP)
+- ib.rec.qkey = cpu_to_be32(RDMA_UDP_QKEY);
+-
+ if (dev_addr->bound_dev_if)
+ ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if);
+ if (!ndev)
+@@ -4973,6 +4975,9 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv,
+ if (err || !ib.rec.mtu)
+ return err ?: -EINVAL;
+
++ if (!id_priv->qkey)
++ cma_set_default_qkey(id_priv);
++
+ rdma_ip2gid((struct sockaddr *)&id_priv->id.route.addr.src_addr,
+ &ib.rec.port_gid);
+ INIT_WORK(&mc->iboe_join.work, cma_iboe_join_work_handler);
+@@ -4998,6 +5003,9 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr,
+ READ_ONCE(id_priv->state) != RDMA_CM_ADDR_RESOLVED))
+ return -EINVAL;
+
++ if (id_priv->id.qp_type != IB_QPT_UD)
++ return -EINVAL;
++
+ mc = kzalloc(sizeof(*mc), GFP_KERNEL);
+ if (!mc)
+ return -ENOMEM;
+--
+2.39.2
+
diff --git a/queue-6.1/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch b/queue-6.1/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch
new file mode 100644
index 00000000000..eb2c3e504a2
--- /dev/null
+++ b/queue-6.1/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch
@@ -0,0 +1,38 @@
+From 0f2666bc048abdddc9d09501d990c3b088b68a63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 31 Mar 2023 23:34:24 -0700
+Subject: RDMA/core: Fix GID entry ref leak when create_ah fails
+
+From: Saravanan Vajravel
+
+[ Upstream commit aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 ]
+
+If AH create request fails, release sgid_attr to avoid GID entry
+referrence leak reported while releasing GID table
+
+Fixes: 1a1f460ff151 ("RDMA: Hold the sgid_attr inside the struct ib_ah/qp")
+Link: https://lore.kernel.org/r/20230401063424.342204-1-saravanan.vajravel@broadcom.com
+Reviewed-by: Selvin Xavier
+Signed-off-by: Saravanan Vajravel
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/verbs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 11b1c1603aeb4..b99b3cc283b65 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -532,6 +532,8 @@ static struct ib_ah *_rdma_create_ah(struct ib_pd *pd,
+ else
+ ret = device->ops.create_ah(ah, &init_attr, NULL);
+ if (ret) {
++ if (ah->sgid_attr)
++ rdma_put_gid_attr(ah->sgid_attr);
+ kfree(ah);
+ return ERR_PTR(ret);
+ }
+--
+2.39.2
+
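Review bot: In cma_iboe_join_multicast() the new call `cma_set_default_qkey(id_priv);` drops its return value, while the other three call sites touched by this patch (cma_ib_init_qp_attr, cma_send_sidr_rep, cma_join_ib_multicast) all check it. cma_set_default_qkey() returns `ret` and part of its switch lies outside the hunk, so whether it can fail on this path cannot be confirmed from here; if it can, id_priv->qkey stays 0 and that value is later copied into `event->param.ud.qkey`. Matching the other callers would be `err = cma_set_default_qkey(id_priv);` followed by `if (err) return err;` inside the `if (!id_priv->qkey)` block. The function body extends beyond the hunk, so any cleanup needed before returning at that point should be checked against the full source.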
diff --git a/queue-6.1/rdma-erdma-defer-probing-if-netdevice-can-not-be-fou.patch b/queue-6.1/rdma-erdma-defer-probing-if-netdevice-can-not-be-fou.patch
new file mode 100644
index 00000000000..39f304de14c
--- /dev/null
+++ b/queue-6.1/rdma-erdma-defer-probing-if-netdevice-can-not-be-fou.patch
@@ -0,0 +1,37 @@
+From 38292fbedefbdea572d211d1cc11749c4efc1c8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 16:46:52 +0800
+Subject: RDMA/erdma: Defer probing if netdevice can not be found
+
+From: Cheng Xu
+
+[ Upstream commit 6bd1bca858f1734a75572a788213d1e1143f2f0a ]
+
+ERDMA device may be probed before its associated netdevice, returning
+-EPROBE_DEFER allows OS try to probe erdma device later.
+
+Fixes: d55e6fb4803c ("RDMA/erdma: Add the erdma module")
+Signed-off-by: Cheng Xu
+Link: https://lore.kernel.org/r/20230320084652.16807-5-chengyou@linux.alibaba.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/erdma/erdma_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_main.c b/drivers/infiniband/hw/erdma/erdma_main.c
+index 49778bb294ae4..49d9319217414 100644
+--- a/drivers/infiniband/hw/erdma/erdma_main.c
++++ b/drivers/infiniband/hw/erdma/erdma_main.c
+@@ -56,7 +56,7 @@ static int erdma_netdev_event(struct notifier_block *nb, unsigned long event,
+ static int erdma_enum_and_get_netdev(struct erdma_dev *dev)
+ {
+ struct net_device *netdev;
+- int ret = -ENODEV;
++ int ret = -EPROBE_DEFER;
+
+ /* Already binded to a net_device, so we skip. */
+ if (dev->netdev)
+--
+2.39.2
+
diff --git a/queue-6.1/rdma-erdma-inline-mtt-entries-into-wqe-if-supported.patch b/queue-6.1/rdma-erdma-inline-mtt-entries-into-wqe-if-supported.patch
new file mode 100644
index 00000000000..976ec50c3e7
--- /dev/null
+++ b/queue-6.1/rdma-erdma-inline-mtt-entries-into-wqe-if-supported.patch
@@ -0,0 +1,38 @@
+From b4232db92d776d682e5702280744bd3f0626286a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 16:46:51 +0800
+Subject: RDMA/erdma: Inline mtt entries into WQE if supported
+
+From: Cheng Xu
+
+[ Upstream commit 0dd83a4d7756713f81990d6c5547500f212a1190 ]
+
+The max inline mtt count supported is ERDMA_MAX_INLINE_MTT_ENTRIES.
+When mr->mem.mtt_nents == ERDMA_MAX_INLINE_MTT_ENTRIES, inline mtt
+is also supported, fix it.
+
+Fixes: 155055771704 ("RDMA/erdma: Add verbs implementation")
+Signed-off-by: Cheng Xu
+Link: https://lore.kernel.org/r/20230320084652.16807-4-chengyou@linux.alibaba.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/erdma/erdma_qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_qp.c b/drivers/infiniband/hw/erdma/erdma_qp.c
+index 5fe1a339a4354..e3b0baa703e68 100644
+--- a/drivers/infiniband/hw/erdma/erdma_qp.c
++++ b/drivers/infiniband/hw/erdma/erdma_qp.c
+@@ -402,7 +402,7 @@ static int erdma_push_one_sqe(struct erdma_qp *qp, u16 *pi,
+ FIELD_PREP(ERDMA_SQE_MR_MTT_CNT_MASK,
+ mr->mem.mtt_nents);
+
+- if (mr->mem.mtt_nents < ERDMA_MAX_INLINE_MTT_ENTRIES) {
++ if (mr->mem.mtt_nents <= ERDMA_MAX_INLINE_MTT_ENTRIES) {
+ attrs |= FIELD_PREP(ERDMA_SQE_MR_MTT_TYPE_MASK, 0);
+ /* Copy SGLs to SQE content to accelerate */
+ memcpy(get_queue_entry(qp->kern_qp.sq_buf, idx + 1,
+--
+2.39.2
+
diff --git a/queue-6.1/rdma-erdma-update-default-eq-depth-to-4096-and-max_s.patch b/queue-6.1/rdma-erdma-update-default-eq-depth-to-4096-and-max_s.patch
new file mode 100644
index 00000000000..7e2f6db7f37
--- /dev/null
+++ b/queue-6.1/rdma-erdma-update-default-eq-depth-to-4096-and-max_s.patch
@@ -0,0 +1,54 @@
+From bbf29f46c05babea2db7d80d6e4a9a4c72341b8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Mar 2023 16:46:50 +0800
+Subject: RDMA/erdma: Update default EQ depth to 4096 and max_send_wr to 8192
+
+From: Cheng Xu
+
+[ Upstream commit 6256aa9ae955d10ec73a434533ca62034eff1b76 ]
+
+Max EQ depth of hardware is 32K, the current default EQ depth is too small
+for some applications, so change the default depth to 4096.
+Max send WRs the hardware can support is 8K, but the driver limits the
+value to 4K. Remove this limitation.
+
+Fixes: be3cff0f242d ("RDMA/erdma: Add the hardware related definitions")
+Fixes: db23ae64caac ("RDMA/erdma: Add verbs header file")
+Signed-off-by: Cheng Xu
+Link: https://lore.kernel.org/r/20230320084652.16807-3-chengyou@linux.alibaba.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/erdma/erdma_hw.h | 2 +-
+ drivers/infiniband/hw/erdma/erdma_verbs.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_hw.h b/drivers/infiniband/hw/erdma/erdma_hw.h
+index e788887732e1f..c533c693e5e38 100644
+--- a/drivers/infiniband/hw/erdma/erdma_hw.h
++++ b/drivers/infiniband/hw/erdma/erdma_hw.h
+@@ -420,7 +420,7 @@ struct erdma_reg_mr_sqe {
+ };
+
+ /* EQ related. */
+-#define ERDMA_DEFAULT_EQ_DEPTH 256
++#define ERDMA_DEFAULT_EQ_DEPTH 4096
+
+ /* ceqe */
+ #define ERDMA_CEQE_HDR_DB_MASK BIT_ULL(63)
+diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.h b/drivers/infiniband/hw/erdma/erdma_verbs.h
+index ab6380635e9e6..eabab8bba95af 100644
+--- a/drivers/infiniband/hw/erdma/erdma_verbs.h
++++ b/drivers/infiniband/hw/erdma/erdma_verbs.h
+@@ -11,7 +11,7 @@
+
+ /* RDMA Capability. */
+ #define ERDMA_MAX_PD (128 * 1024)
+-#define ERDMA_MAX_SEND_WR 4096
++#define ERDMA_MAX_SEND_WR 8192
+ #define ERDMA_MAX_ORD 128
+ #define ERDMA_MAX_IRD 128
+ #define ERDMA_MAX_SGE_RD 1
+--
+2.39.2
+
diff --git a/queue-6.1/rdma-irdma-add-ipv4-check-to-irdma_find_listener.patch b/queue-6.1/rdma-irdma-add-ipv4-check-to-irdma_find_listener.patch new file mode 100644 index 00000000000..28d2460dbfb --- /dev/null +++ b/queue-6.1/rdma-irdma-add-ipv4-check-to-irdma_find_listener.patch 
@@ -0,0 +1,80 @@
+From 0b9977a01cce44717ba268242465fee00fc4d7ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 09:52:31 -0500
+Subject: RDMA/irdma: Add ipv4 check to irdma_find_listener()
+
+From: Tatyana Nikolova
+
+[ Upstream commit e4522c097ec10f23ea0933e9e69d4fa9d8ae9441 ]
+
+Add ipv4 check to irdma_find_listener(). Otherwise the function
+incorrectly finds and returns a listener with a different addr family for
+the zero IP addr, if a listener with a zero IP addr and the same port as
+the one searched for has already been created.
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Signed-off-by: Tatyana Nikolova
+Signed-off-by: Shiraz Saleem
+Link: https://lore.kernel.org/r/20230315145231.931-5-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/irdma/cm.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c
+index 195aa9ea18b6c..8817864154af1 100644
+--- a/drivers/infiniband/hw/irdma/cm.c
++++ b/drivers/infiniband/hw/irdma/cm.c
+@@ -1458,13 +1458,15 @@ static int irdma_send_fin(struct irdma_cm_node *cm_node)
+ * irdma_find_listener - find a cm node listening on this addr-port pair
+ * @cm_core: cm's core
+ * @dst_addr: listener ip addr
++ * @ipv4: flag indicating IPv4 when true
+ * @dst_port: listener tcp port num
+ * @vlan_id: virtual LAN ID
+ * @listener_state: state to match with listen node's
+ */
+ static struct irdma_cm_listener *
+-irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, u16 dst_port,
+- u16 vlan_id, enum irdma_cm_listener_state listener_state)
++irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, bool ipv4,
++ u16 dst_port, u16 vlan_id,
++ enum irdma_cm_listener_state listener_state)
+ {
+ struct irdma_cm_listener *listen_node;
+ static const u32 ip_zero[4] = { 0, 0, 0, 0 };
+@@ -1477,7 +1479,7 @@
irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, u16 dst_port,
+ list_for_each_entry (listen_node, &cm_core->listen_list, list) {
+ memcpy(listen_addr, listen_node->loc_addr, sizeof(listen_addr));
+ listen_port = listen_node->loc_port;
+- if (listen_port != dst_port ||
++ if (listen_node->ipv4 != ipv4 || listen_port != dst_port ||
+ !(listener_state & listen_node->listener_state))
+ continue;
+ /* compare node pair, return node handle if a match */
+@@ -2902,9 +2904,10 @@ irdma_make_listen_node(struct irdma_cm_core *cm_core,
+ unsigned long flags;
+
+ /* cannot have multiple matching listeners */
+- listener = irdma_find_listener(cm_core, cm_info->loc_addr,
+- cm_info->loc_port, cm_info->vlan_id,
+- IRDMA_CM_LISTENER_EITHER_STATE);
++ listener =
++ irdma_find_listener(cm_core, cm_info->loc_addr, cm_info->ipv4,
++ cm_info->loc_port, cm_info->vlan_id,
++ IRDMA_CM_LISTENER_EITHER_STATE);
+ if (listener &&
+ listener->listener_state == IRDMA_CM_LISTENER_ACTIVE_STATE) {
+ refcount_dec(&listener->refcnt);
+@@ -3153,6 +3156,7 @@ void irdma_receive_ilq(struct irdma_sc_vsi *vsi, struct irdma_puda_buf *rbuf)
+
+ listener = irdma_find_listener(cm_core,
+ cm_info.loc_addr,
++ cm_info.ipv4,
+ cm_info.loc_port,
+ cm_info.vlan_id,
+ IRDMA_CM_LISTENER_ACTIVE_STATE);
+--
+2.39.2
+
diff --git a/queue-6.1/rdma-irdma-do-not-generate-sw-completions-for-nops.patch b/queue-6.1/rdma-irdma-do-not-generate-sw-completions-for-nops.patch
new file mode 100644
index 00000000000..14389f7a7db
--- /dev/null
+++ b/queue-6.1/rdma-irdma-do-not-generate-sw-completions-for-nops.patch
@@ -0,0 +1,42 @@
+From 2772b920a472044961f0b521f1e815e900cba8ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 09:52:28 -0500
+Subject: RDMA/irdma: Do not generate SW completions for NOPs
+
+From: Mustafa Ismail
+
+[ Upstream commit 30ed9ee9a10a90ae719dcfcacead1d0506fa45ed ]
+
+Currently, artificial SW completions are generated for NOP wqes which can
+generate unexpected completions with wr_id = 0. Skip the generation of
+artificial completions for NOPs.
+
+Fixes: 81091d7696ae ("RDMA/irdma: Add SW mechanism to generate completions on error")
+Signed-off-by: Mustafa Ismail
+Signed-off-by: Shiraz Saleem
+Link: https://lore.kernel.org/r/20230315145231.931-2-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/irdma/utils.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 445e69e864097..7887230c867b1 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -2595,7 +2595,10 @@ void irdma_generate_flush_completions(struct irdma_qp *iwqp)
+ /* remove the SQ WR by moving SQ tail*/
+ IRDMA_RING_SET_TAIL(*sq_ring,
+ sq_ring->tail + qp->sq_wrtrk_array[sq_ring->tail].quanta);
+-
++ if (cmpl->cpi.op_type == IRDMAQP_OP_NOP) {
++ kfree(cmpl);
++ continue;
++ }
+ ibdev_dbg(iwqp->iwscq->ibcq.device,
+ "DEV: %s: adding wr_id = 0x%llx SQ Completion to list qp_id=%d\n",
+ __func__, cmpl->cpi.wr_id, qp->qp_id);
+--
+2.39.2
+
diff --git a/queue-6.1/rdma-irdma-fix-memory-leak-of-pble-objects.patch b/queue-6.1/rdma-irdma-fix-memory-leak-of-pble-objects.patch
new file mode 100644
index 00000000000..7b2573d0876
--- /dev/null
+++ b/queue-6.1/rdma-irdma-fix-memory-leak-of-pble-objects.patch
@@ -0,0 +1,52 @@
+From c2adb354c933ed76b2bcdae16788cf02c670f40b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 09:52:29 -0500
+Subject: RDMA/irdma: Fix memory leak of PBLE objects
+
+From: Mustafa Ismail
+
+[ Upstream commit b69a6979dbaa2453675fe9c71bdc2497fedb11f9 ]
+
+On rmmod of irdma, the PBLE object memory is not being freed. PBLE object
+memory are not statically pre-allocated at function initialization time
+unlike other HMC objects. PBLEs objects and the Segment Descriptors (SD)
+for it can be dynamically allocated during scale up and SD's remain
+allocated till function deinitialization.
+
+Fix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table
+and skip pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects().
+
+Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions")
+Signed-off-by: Mustafa Ismail
+Signed-off-by: Shiraz Saleem
+Link: https://lore.kernel.org/r/20230315145231.931-3-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/irdma/hw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
+index 2e1e2bad04011..43dfa4761f069 100644
+--- a/drivers/infiniband/hw/irdma/hw.c
++++ b/drivers/infiniband/hw/irdma/hw.c
+@@ -41,6 +41,7 @@ static enum irdma_hmc_rsrc_type iw_hmc_obj_types[] = {
+ IRDMA_HMC_IW_XFFL,
+ IRDMA_HMC_IW_Q1,
+ IRDMA_HMC_IW_Q1FL,
++ IRDMA_HMC_IW_PBLE,
+ IRDMA_HMC_IW_TIMER,
+ IRDMA_HMC_IW_FSIMC,
+ IRDMA_HMC_IW_FSIAV,
+@@ -827,6 +828,8 @@ static int irdma_create_hmc_objs(struct irdma_pci_f *rf, bool privileged,
+ info.entry_type = rf->sd_type;
+
+ for (i = 0; i < IW_HMC_OBJ_TYPE_NUM; i++) {
++ if (iw_hmc_obj_types[i] == IRDMA_HMC_IW_PBLE)
++ continue;
+ if (dev->hmc_info->hmc_obj[iw_hmc_obj_types[i]].cnt) {
+ info.rsrc_type = iw_hmc_obj_types[i];
+ info.count = dev->hmc_info->hmc_obj[info.rsrc_type].cnt;
+--
+2.39.2
+
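Review bot: The `continue` added to the loop in irdma_create_hmc_objs() gives no reason for skipping `IRDMA_HMC_IW_PBLE`, and the table entry that makes the skip necessary sits in a different hunk. A comment on the check, for example `/* PBLEs are allocated on demand; listed in iw_hmc_obj_types[] only so teardown frees them */`, would tie the two together. The loop bound `IW_HMC_OBJ_TYPE_NUM` is defined outside the hunk; if it is a literal count rather than derived from the array size, it has to grow with the new entry, otherwise the last type in the table is no longer visited by this loop. The function body continues outside the hunk.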
diff --git a/queue-6.1/rdma-irdma-increase-iwarp-cm-default-rexmit-count.patch b/queue-6.1/rdma-irdma-increase-iwarp-cm-default-rexmit-count.patch
new file mode 100644
index 00000000000..bf3408be54c
--- /dev/null
+++ b/queue-6.1/rdma-irdma-increase-iwarp-cm-default-rexmit-count.patch
@@ -0,0 +1,39 @@
+From 8a4e105bb0f86799e82f475141a4e17a46989562 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 09:52:30 -0500
+Subject: RDMA/irdma: Increase iWARP CM default rexmit count
+
+From: Mustafa Ismail
+
+[ Upstream commit 8385a875c9eecc429b2f72970efcbb0e5cb5b547 ]
+
+When running perftest with large number of connections in iWARP mode, the
+passive side could be slow to respond. Increase the rexmit counter default
+to allow scaling connections.
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Signed-off-by: Mustafa Ismail
+Signed-off-by: Shiraz Saleem
+Link: https://lore.kernel.org/r/20230315145231.931-4-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/irdma/cm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/cm.h b/drivers/infiniband/hw/irdma/cm.h
+index 19c284975fc7c..7feadb3e1eda3 100644
+--- a/drivers/infiniband/hw/irdma/cm.h
++++ b/drivers/infiniband/hw/irdma/cm.h
+@@ -41,7 +41,7 @@
+ #define TCP_OPTIONS_PADDING 3
+
+ #define IRDMA_DEFAULT_RETRYS 64
+-#define IRDMA_DEFAULT_RETRANS 8
++#define IRDMA_DEFAULT_RETRANS 32
+ #define IRDMA_DEFAULT_TTL 0x40
+ #define IRDMA_DEFAULT_RTT_VAR 6
+ #define IRDMA_DEFAULT_SS_THRESH 0x3fffffff
+--
+2.39.2
+
diff --git a/queue-6.1/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch b/queue-6.1/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch
new file mode 100644
index 00000000000..c3fb699863b
--- /dev/null
+++ b/queue-6.1/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch
@@ -0,0 +1,44 @@
+From 37ce7b2dc1d9d25c141ad4d1274d6c7eea6c9435 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Apr 2023 15:43:30 -0400
+Subject: sctp: fix a potential overflow in sctp_ifwdtsn_skip
+
+From: Xin Long
+
+[ Upstream commit 32832a2caf82663870126c5186cf8f86c8b2a649 ]
+
+Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
+checks the pos against the end of the chunk. However, the data left for
+the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
+it as struct sctp_ifwdtsn_skip may cause coverflow.
+
+This patch fixes it by checking the pos against "the end of the chunk -
+sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to
+sctp_fwdtsn_skip.
+
+Fixes: 0fc2ea922c8a ("sctp: implement validate_ftsn for sctp_stream_interleave")
+Signed-off-by: Xin Long
+Link: https://lore.kernel.org/r/2a71bffcd80b4f2c61fac6d344bb2f11c8fd74f7.1681155810.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sctp/stream_interleave.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c
+index bb22b71df7a34..4fbd6d0529545 100644
+--- a/net/sctp/stream_interleave.c
++++ b/net/sctp/stream_interleave.c
+@@ -1160,7 +1160,8 @@ static void sctp_generate_iftsn(struct sctp_outq *q, __u32 ctsn)
+
+ #define _sctp_walk_ifwdtsn(pos, chunk, end) \
+ for (pos = chunk->subh.ifwdtsn_hdr->skip; \
+- (void *)pos < (void *)chunk->subh.ifwdtsn_hdr->skip + (end); pos++)
++ (void *)pos <= (void *)chunk->subh.ifwdtsn_hdr->skip + (end) - \
++ sizeof(struct sctp_ifwdtsn_skip); pos++)
+
+ #define sctp_walk_ifwdtsn(pos, ch) \
+ _sctp_walk_ifwdtsn((pos), (ch), ntohs((ch)->chunk_hdr->length) - \
+--
+2.39.2
+
diff --git a/queue-6.1/selftests-bpf-fix-progs-find_vma_fail1.c-build-error.patch b/queue-6.1/selftests-bpf-fix-progs-find_vma_fail1.c-build-error.patch
new file mode 100644
index 00000000000..21b4c31db54
--- /dev/null
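Review bot: The tightened bound in `_sctp_walk_ifwdtsn` forms `skip + (end) - sizeof(struct sctp_ifwdtsn_skip)` with no guard for `end` being smaller than one skip entry, so for a short chunk the right-hand pointer is computed before the start of the array and the loop is skipped only because that out-of-range arithmetic happens to compare low. `end` itself comes from `ntohs((ch)->chunk_hdr->length) - ...` in `sctp_walk_ifwdtsn` (the expression continues outside the hunk), which presumably relies on the chunk length having been validated before the walk. I would state that precondition next to the macro, e.g. `/* caller must have validated the chunk length before walking */`, or compare remaining length against the entry size instead of comparing pointers. The macro also uses `chunk` unparenthesised, which is safe only because the one visible caller passes `(ch)`.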
+++ b/queue-6.1/selftests-bpf-fix-progs-find_vma_fail1.c-build-error.patch
@@ -0,0 +1,34 @@
+From d5bafff0b8e1437d71f4f9eff10087bcb1e87321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Mar 2023 12:41:18 -0800
+Subject: selftests/bpf: Fix progs/find_vma_fail1.c build error.
+
+From: Alexei Starovoitov
+
+[ Upstream commit 32513d40d908b267508d37994753d9bd1600914b ]
+
+The commit 11e456cae91e ("selftests/bpf: Fix compilation errors: Assign a value to a constant")
+fixed the issue cleanly in bpf-next.
+This is an alternative fix in bpf tree to avoid merge conflict between bpf and bpf-next.
+
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/bpf/progs/find_vma_fail1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/progs/find_vma_fail1.c b/tools/testing/selftests/bpf/progs/find_vma_fail1.c
+index b3b326b8e2d1c..6dab9cffda132 100644
+--- a/tools/testing/selftests/bpf/progs/find_vma_fail1.c
++++ b/tools/testing/selftests/bpf/progs/find_vma_fail1.c
+@@ -2,6 +2,7 @@
+ /* Copyright (c) 2021 Facebook */
+ #include "vmlinux.h"
+ #include
++#define vm_flags vm_start
+
+ char _license[] SEC("license") = "GPL";
+
+--
+2.39.2
+
diff --git a/queue-6.1/selftests-openvswitch-adjust-datapath-nl-message-dec.patch b/queue-6.1/selftests-openvswitch-adjust-datapath-nl-message-dec.patch
new file mode 100644
index 00000000000..e9e905be4df
--- /dev/null
+++ b/queue-6.1/selftests-openvswitch-adjust-datapath-nl-message-dec.patch
@@ -0,0 +1,39 @@
+From a9eef648b7b05d2438ba4f0e673527157b5f5645 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Apr 2023 07:58:28 -0400
+Subject: selftests: openvswitch: adjust datapath NL message declaration
+
+From: Aaron Conole
+
+[ Upstream commit 306dc21361993f4fe50a15d4db6b1a4de5d0adb0 ]
+
+The netlink message for creating a new datapath takes an array
+of ports for the PID creation. This shouldn't cause much issue
+but correct it for future cases where we need to do decode of
+datapath information that could include the per-cpu PID map.
+
+Fixes: 25f16c873fb1 ("selftests: add openvswitch selftest suite")
+Signed-off-by: Aaron Conole
+Link: https://lore.kernel.org/r/20230412115828.3991806-1-aconole@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/openvswitch/ovs-dpctl.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
+index 3243c90d449e6..5d467d1993cb1 100644
+--- a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
++++ b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
+@@ -62,7 +62,7 @@ class OvsDatapath(GenericNetlinkSocket):
+ nla_map = (
+ ("OVS_DP_ATTR_UNSPEC", "none"),
+ ("OVS_DP_ATTR_NAME", "asciiz"),
+- ("OVS_DP_ATTR_UPCALL_PID", "uint32"),
++ ("OVS_DP_ATTR_UPCALL_PID", "array(uint32)"),
+ ("OVS_DP_ATTR_STATS", "dpstats"),
+ ("OVS_DP_ATTR_MEGAFLOW_STATS", "megaflowstats"),
+ ("OVS_DP_ATTR_USER_FEATURES", "uint32"),
+--
+2.39.2
+
diff --git a/queue-6.1/series b/queue-6.1/series
index f1575ab5fa9..18f418a265e 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -25,3 +25,69 @@ kvm-arm64-pmu-restore-the-guest-s-el0-event-counting-after-migration.patch
 fbcon-fix-error-paths-in-set_con2fb_map.patch
 fbcon-set_con2fb_map-needs-to-set-con2fb_map.patch
 drm-i915-dsi-fix-dss-ctl-register-offsets-for-tgl.patch
+clk-sprd-set-max_register-according-to-mapping-range.patch
+rdma-irdma-do-not-generate-sw-completions-for-nops.patch
+rdma-irdma-fix-memory-leak-of-pble-objects.patch
+rdma-irdma-increase-iwarp-cm-default-rexmit-count.patch
+rdma-irdma-add-ipv4-check-to-irdma_find_listener.patch
+ib-mlx5-add-support-for-400g_8x-lane-speed.patch
+rdma-erdma-update-default-eq-depth-to-4096-and-max_s.patch
+rdma-erdma-inline-mtt-entries-into-wqe-if-supported.patch
+rdma-erdma-defer-probing-if-netdevice-can-not-be-fou.patch
+clk-rs9-fix-suspend-resume.patch
+rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch
+bpf-tcp-use-sock_gen_put-instead-of-sock_put-in-bpf_.patch
+loongarch-bpf-fix-jit-to-skip-speculation-barrier-op.patch
+dmaengine-apple-admac-handle-global-interrupt-flags.patch
+dmaengine-apple-admac-set-src_addr_widths-capability.patch
+dmaengine-apple-admac-fix-current_tx-not-getting-fre.patch
+9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch
+bpf-arm64-fixed-a-bti-error-on-returning-to-patched-.patch
+kvm-arm64-initialise-hypervisor-copies-of-host-symbo.patch
+kvm-arm64-advertise-id_aa64pfr0_el1.csv2-3-to-protec.patch
+niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch
+tcp-restrict-net.ipv4.tcp_app_win.patch
+bonding-fix-ns-validation-on-backup-slaves.patch
+iavf-refactor-vlan-filter-states.patch
+iavf-remove-active_cvlans-and-active_svlans-bitmaps.patch
+net-openvswitch-fix-race-on-port-output.patch
+bluetooth-hci_conn-fix-not-cleaning-up-on-le-connect.patch
+bluetooth-fix-printing-errors-if-le-connection-times.patch
+bluetooth-sco-fix-possible-circular-locking-dependen.patch
+bluetooth-set-iso-data-path-on-broadcast-sink.patch
+drm-armada-fix-a-potential-double-free-in-an-error-h.patch
+qlcnic-check-pci_reset_function-result.patch
+net-wwan-iosm-fix-error-handling-path-in-ipc_pcie_pr.patch
+cgroup-freezer-hold-cpu_hotplug_lock-before-freezer_.patch
+net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch
+sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch
+rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch
+selftests-openvswitch-adjust-datapath-nl-message-dec.patch
+udp6-fix-potential-access-to-stale-information.patch
+net-macb-fix-a-memory-corruption-in-extended-buffer-.patch
+skbuff-fix-a-race-between-coalescing-and-releasing-s.patch
+libbpf-fix-single-line-struct-definition-output-in-b.patch
+arm-9290-1-uaccess-fix-kasan-false-positives.patch
+arm-dts-qcom-apq8026-lg-lenok-add-missing-reserved-m.patch
+power-supply-rk817-fix-unsigned-comparison-with-less.patch
+power-supply-cros_usbpd-reclassify-default-case-as-d.patch
+power-supply-axp288_fuel_gauge-added-check-for-negat.patch
+selftests-bpf-fix-progs-find_vma_fail1.c-build-error.patch
+wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch
+i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch
+i2c-hisi-avoid-redundant-interrupts.patch
+efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch
+block-ublk_drv-mark-device-as-live-before-adding-dis.patch
+acpi-video-add-backlight-native-dmi-quirk-for-acer-a.patch
+drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch
+hwmon-peci-cputemp-fix-miscalculated-dts-for-skx.patch
+hwmon-xgene-fix-ioremap-and-memremap-leak.patch
+verify_pefile-relax-wrapper-length-check.patch
+asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch
+nvme-send-identify-with-cns-06h-only-to-i-o-controll.patch
+wifi-iwlwifi-mvm-fix-mvmtxq-stopped-handling.patch
+wifi-iwlwifi-mvm-protect-txq-list-manipulation.patch
+drm-amdgpu-add-mes-resume-when-do-gfx-post-soft-rese.patch
+drm-amdgpu-force-signal-hw_fences-that-are-embedded-.patch
+drm-amdgpu-gfx-set-cg-flags-to-enter-exit-safe-mode.patch
+acpi-resource-add-medion-s17413-to-irq-override-quir.patch
diff --git a/queue-6.1/skbuff-fix-a-race-between-coalescing-and-releasing-s.patch b/queue-6.1/skbuff-fix-a-race-between-coalescing-and-releasing-s.patch
new file mode 100644
index 00000000000..33d9ac70680
--- /dev/null
+++ b/queue-6.1/skbuff-fix-a-race-between-coalescing-and-releasing-s.patch
@@ -0,0 +1,98 @@
+From e66db83e8c526df35b494ce666bee794d2a22fbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Apr 2023 17:03:53 +0800
+Subject: skbuff: Fix a race between coalescing and releasing SKBs
+
+From: Liang Chen
+
+[ Upstream commit 0646dc31ca886693274df5749cd0c8c1eaaeb5ca ]
+
+Commit 1effe8ca4e34 ("skbuff: fix coalescing for page_pool fragment
+recycling") allowed coalescing to proceed with non page pool page and page
+pool page when @from is cloned, i.e.
+
+to->pp_recycle --> false
+from->pp_recycle --> true
+skb_cloned(from) --> true
+
+However, it actually requires skb_cloned(@from) to hold true until
+coalescing finishes in this situation. If the other cloned SKB is
+released while the merging is in process, from_shinfo->nr_frags will be
+set to 0 toward the end of the function, causing the increment of frag
+page _refcount to be unexpectedly skipped resulting in inconsistent
+reference counts. Later when SKB(@to) is released, it frees the page
+directly even though the page pool page is still in use, leading to
+use-after-free or double-free errors. So it should be prohibited.
+
+The double-free error message below prompted us to investigate:
+BUG: Bad page state in process swapper/1 pfn:0e0d1
+page:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000
+index:0x2 pfn:0xe0d1
+flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
+raw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000
+raw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000
+page dumped because: nonzero _refcount
+
+CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 6.2.0+
+Call Trace:
+
+dump_stack_lvl+0x32/0x50
+bad_page+0x69/0xf0
+free_pcp_prepare+0x260/0x2f0
+free_unref_page+0x20/0x1c0
+skb_release_data+0x10b/0x1a0
+napi_consume_skb+0x56/0x150
+net_rx_action+0xf0/0x350
+?
__napi_schedule+0x79/0x90
+__do_softirq+0xc8/0x2b1
+__irq_exit_rcu+0xb9/0xf0
+common_interrupt+0x82/0xa0
+
+
+asm_common_interrupt+0x22/0x40
+RIP: 0010:default_idle+0xb/0x20
+
+Fixes: 53e0961da1c7 ("page_pool: add frag page recycling support in page pool")
+Signed-off-by: Liang Chen
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230413090353.14448-1-liangchen.linux@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/core/skbuff.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 51db260f471f4..cd4b3a610961f 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5409,18 +5409,18 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+ if (skb_cloned(to))
+ return false;
+
+- /* In general, avoid mixing slab allocated and page_pool allocated
+- * pages within the same SKB. However when @to is not pp_recycle and
+- * @from is cloned, we can transition frag pages from page_pool to
+- * reference counted.
+- *
+- * On the other hand, don't allow coalescing two pp_recycle SKBs if
+- * @from is cloned, in case the SKB is using page_pool fragment
++ /* In general, avoid mixing page_pool and non-page_pool allocated
++ * pages within the same SKB. Additionally avoid dealing with clones
++ * with page_pool pages, in case the SKB is using page_pool fragment
+ * references (PP_FLAG_PAGE_FRAG). Since we only take full page
+ * references for cloned SKBs at the moment that would result in
+ * inconsistent reference counts.
++ * In theory we could take full references if @from is cloned and
++ * !@to->pp_recycle but its tricky (due to potential race with
++ * the clone disappearing) and rare, so not worth dealing with.
+ */
+- if (to->pp_recycle != (from->pp_recycle && !skb_cloned(from)))
++ if (to->pp_recycle != from->pp_recycle ||
++ (from->pp_recycle && skb_cloned(from)))
+ return false;
+
+ if (len <= skb_tailroom(to)) {
+--
+2.39.2
+
diff --git a/queue-6.1/tcp-restrict-net.ipv4.tcp_app_win.patch b/queue-6.1/tcp-restrict-net.ipv4.tcp_app_win.patch
new file mode 100644
index 00000000000..6ed94e08190
--- /dev/null
+++ b/queue-6.1/tcp-restrict-net.ipv4.tcp_app_win.patch
@@ -0,0 +1,74 @@
+From c3a1deea03d6712de71fd44c30609bab32766e7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Apr 2023 14:34:50 +0800
+Subject: tcp: restrict net.ipv4.tcp_app_win
+
+From: YueHaibing
+
+[ Upstream commit dc5110c2d959c1707e12df5f792f41d90614adaa ]
+
+UBSAN: shift-out-of-bounds in net/ipv4/tcp_input.c:555:23
+shift exponent 255 is too large for 32-bit type 'int'
+CPU: 1 PID: 7907 Comm: ssh Not tainted 6.3.0-rc4-00161-g62bad54b26db-dirty #206
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x136/0x150
+ __ubsan_handle_shift_out_of_bounds+0x21f/0x5a0
+ tcp_init_transfer.cold+0x3a/0xb9
+ tcp_finish_connect+0x1d0/0x620
+ tcp_rcv_state_process+0xd78/0x4d60
+ tcp_v4_do_rcv+0x33d/0x9d0
+ __release_sock+0x133/0x3b0
+ release_sock+0x58/0x1b0
+
+'maxwin' is int, shifting int for 32 or more bits is undefined behaviour.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: YueHaibing
+Reviewed-by: Eric Dumazet
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ Documentation/networking/ip-sysctl.rst | 2 ++
+ net/ipv4/sysctl_net_ipv4.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index e7b3fa7bb3f73..4ecb549fd052e 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -337,6 +337,8 @@ tcp_app_win - INTEGER
+ Reserve max(window/2^tcp_app_win, mss) of window for application
+ buffer. Value 0 is special, it means that nothing is reserved.
+
++ Possible values are [0, 31], inclusive.
++
+ Default: 31
+
+ tcp_autocorking - BOOLEAN
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 9b8a6db7a66b3..39dbeb6071965 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -25,6 +25,7 @@ static int ip_local_port_range_min[] = { 1, 1 };
+ static int ip_local_port_range_max[] = { 65535, 65535 };
+ static int tcp_adv_win_scale_min = -31;
+ static int tcp_adv_win_scale_max = 31;
++static int tcp_app_win_max = 31;
+ static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
+ static int tcp_min_snd_mss_max = 65535;
+ static int ip_privileged_port_min;
+@@ -1171,6 +1172,8 @@ static struct ctl_table ipv4_net_table[] = {
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = &tcp_app_win_max,
+ },
+ {
+ .procname = "tcp_adv_win_scale",
+--
+2.39.2
+
diff --git a/queue-6.1/udp6-fix-potential-access-to-stale-information.patch b/queue-6.1/udp6-fix-potential-access-to-stale-information.patch
new file mode 100644
index 00000000000..043cc2481a4
--- /dev/null
+++ b/queue-6.1/udp6-fix-potential-access-to-stale-information.patch
@@ -0,0 +1,68 @@
+From bcdb6c98874a86068cb97b7f5a0209895bc1dd38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Apr 2023 13:03:08 +0000
+Subject: udp6: fix potential access to stale information
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet
+
+[ Upstream commit 1c5950fc6fe996235f1d18539b9c6b64b597f50f ]
+
+lena wang reported an issue caused by udpv6_sendmsg()
+mangling msg->msg_name and msg->msg_namelen, which
+are later read from ____sys_sendmsg() :
+
+ /*
+ * If this is sendmmsg() and sending to current destination address was
+ * successful, remember it.
+ */
+ if (used_address && err >= 0) {
+ used_address->name_len = msg_sys->msg_namelen;
+ if (msg_sys->msg_name)
+ memcpy(&used_address->name, msg_sys->msg_name,
+ used_address->name_len);
+ }
+
+udpv6_sendmsg() wants to pretend the remote address family
+is AF_INET in order to call udp_sendmsg().
+
+A fix would be to modify the address in-place, instead
+of using a local variable, but this could have other side effects.
+
+Instead, restore initial values before we return from udpv6_sendmsg().
+
+Fixes: c71d8ebe7a44 ("net: Fix security_socket_sendmsg() bypass problem.")
+Reported-by: lena wang
+Signed-off-by: Eric Dumazet
+Reviewed-by: Maciej Å»enczykowski
+Link: https://lore.kernel.org/r/20230412130308.1202254-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/udp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 98a64e8d9bdaa..17d721a6add72 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1391,9 +1391,11 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ msg->msg_name = &sin;
+ msg->msg_namelen = sizeof(sin);
+ do_udp_sendmsg:
+- if (ipv6_only_sock(sk))
+- return -ENETUNREACH;
+- return udp_sendmsg(sk, msg, len);
++ err = ipv6_only_sock(sk) ?
++ -ENETUNREACH : udp_sendmsg(sk, msg, len);
++ msg->msg_name = sin6;
++ msg->msg_namelen = addr_len;
++ return err;
+ }
+ }
+
+--
+2.39.2
+
diff --git a/queue-6.1/verify_pefile-relax-wrapper-length-check.patch b/queue-6.1/verify_pefile-relax-wrapper-length-check.patch
new file mode 100644
index 00000000000..92082317eab
--- /dev/null
+++ b/queue-6.1/verify_pefile-relax-wrapper-length-check.patch
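Review bot: The restore of `msg->msg_name` and `msg->msg_namelen` after the `do_udp_sendmsg:` label carries no comment, and nothing in the code says why the caller's values matter once the send has returned. A line such as `/* ____sys_sendmsg() reads msg_name/msg_namelen after we return; undo the v4-mapped rewrite */` above the two assignments would keep a later cleanup from dropping them. The restore also depends on `sin6` and `addr_len` still holding the values the function was entered with; both are set outside the hunk, so that is assumed here rather than checked.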
@@ -0,0 +1,61 @@
+From 1bfc454e3b4a563b0f894b5d8055321736693e30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Feb 2023 12:12:53 -0500
+Subject: verify_pefile: relax wrapper length check
+
+From: Robbie Harwood
+
+[ Upstream commit 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 ]
+
+The PE Format Specification (section "The Attribute Certificate Table
+(Image Only)") states that `dwLength` is to be rounded up to 8-byte
+alignment when used for traversal. Therefore, the field is not required
+to be an 8-byte multiple in the first place.
+
+Accordingly, pesign has not performed this alignment since version
+0.110. This causes kexec failure on pesign'd binaries with "PEFILE:
+Signature wrapper len wrong". Update the comment and relax the check.
+
+Signed-off-by: Robbie Harwood
+Signed-off-by: David Howells
+cc: Jarkko Sakkinen
+cc: Eric Biederman
+cc: Herbert Xu
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
+Link: https://github.com/rhboot/pesign
+Link: https://lore.kernel.org/r/20230220171254.592347-2-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin
+---
+ crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index 7553ab18db898..fe1bb374239d7 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ pr_debug("sig wrapper = { %x, %x, %x }\n",
+ wrapper.length, wrapper.revision, wrapper.cert_type);
+
+- /* Both pesign and sbsign round up the length of certificate table
+- * (in optional header data directories) to 8 byte alignment.
++ /* sbsign rounds up the length of certificate table (in optional
++ * header data directories) to 8 byte alignment. However, the PE
++ * specification states that while entries are 8-byte aligned, this is
++ * not included in their length, and as a result, pesign has not
++ * rounded up since 0.110.
+ */
+- if (round_up(wrapper.length, 8) != ctx->sig_len) {
+- pr_debug("Signature wrapper len wrong\n");
++ if (wrapper.length > ctx->sig_len) {
++ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+--
+2.39.2
+
diff --git a/queue-6.1/wifi-iwlwifi-mvm-fix-mvmtxq-stopped-handling.patch b/queue-6.1/wifi-iwlwifi-mvm-fix-mvmtxq-stopped-handling.patch
new file mode 100644
index 00000000000..074910ca64f
--- /dev/null
+++ b/queue-6.1/wifi-iwlwifi-mvm-fix-mvmtxq-stopped-handling.patch
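Review bot: The arguments of the new `pr_debug()` in pefile_strip_sig_wrapper() are in the opposite order to its format string: the message reads "wrapper bigger than sig len (%x > %x)" but `ctx->sig_len` is passed first, so the log prints the smaller value on the left of the `>`. Swap them to `wrapper.length, ctx->sig_len);`. Separately, the relaxed test `wrapper.length > ctx->sig_len` now accepts any shorter length, so the bytes between `wrapper.length` and `ctx->sig_len` are no longer constrained by this check. Whether a later step bounds `wrapper.length` from below or adopts it as the signature length is not visible in this hunk and is worth confirming, since this code gates signature verification; the function body continues outside the hunk.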
@@ -0,0 +1,97 @@
+From 49c450ec29e9ae4af3e8d0923b75b1dc42dcac0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Mar 2023 10:53:24 +0100
+Subject: wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
+
+From: Johannes Berg
+
+[ Upstream commit b58e3d4311b54b6dd0e37165277965da0c9eb21d ]
+
+This could race if the queue is redirected while full, then
+the flushing internally would start it while it's not yet
+usable again. Fix it by using two state bits instead of just
+one.
+
+Reviewed-by: Benjamin Berg
+Tested-by: Jose Ignacio Tornos Martinez
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 5 ++++-
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 4 +++-
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 5 ++++-
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 4 ++--
+ 4 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 8464c9b7baf1f..23e1413ef4719 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -729,7 +729,10 @@ void iwl_mvm_mac_itxq_xmit(struct ieee80211_hw *hw, struct ieee80211_txq *txq)
+
+ rcu_read_lock();
+ do {
+- while (likely(!mvmtxq->stopped &&
++ while (likely(!test_bit(IWL_MVM_TXQ_STATE_STOP_FULL,
++ &mvmtxq->state) &&
++ !test_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT,
++ &mvmtxq->state) &&
+ !test_bit(IWL_MVM_STATUS_IN_D3, &mvm->status))) {
+ skb = ieee80211_tx_dequeue(hw, txq);
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+index 1ccb3cad7cdc1..b5089349ebb7a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -729,7 +729,9 @@ struct iwl_mvm_txq {
+ struct list_head list;
+ u16 txq_id;
+ atomic_t tx_request;
+- bool stopped;
++#define IWL_MVM_TXQ_STATE_STOP_FULL 0
++#define IWL_MVM_TXQ_STATE_STOP_REDIRECT 1
++ unsigned long state;
+ };
+
+ static inline struct iwl_mvm_txq *
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 5b8e9a06f6d4a..79e151512fe73 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1680,7 +1680,10 @@ static void iwl_mvm_queue_state_change(struct iwl_op_mode *op_mode,
+
+ txq = sta->txq[tid];
+ mvmtxq = iwl_mvm_txq_from_mac80211(txq);
+- mvmtxq->stopped = !start;
++ if (start)
++ clear_bit(IWL_MVM_TXQ_STATE_STOP_FULL, &mvmtxq->state);
++ else
++ set_bit(IWL_MVM_TXQ_STATE_STOP_FULL, &mvmtxq->state);
+
+ if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST)
+ iwl_mvm_mac_itxq_xmit(mvm->hw, txq);
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index cbd8053a9e35a..41b1b8b6c1e1d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -692,7 +692,7 @@ static int iwl_mvm_redirect_queue(struct iwl_mvm *mvm, int queue, int tid,
+ queue, iwl_mvm_ac_to_tx_fifo[ac]);
+
+ /* Stop the queue and wait for it to empty */
+- txq->stopped = true;
++ set_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT, &txq->state);
+
+ ret = iwl_trans_wait_tx_queues_empty(mvm->trans, BIT(queue));
+ if (ret) {
+@@ -735,7 +735,7 @@ static int iwl_mvm_redirect_queue(struct iwl_mvm *mvm, int queue, int tid,
+
+ out:
+ /* Continue using the queue */
+- txq->stopped = false;
++ clear_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT, &txq->state);
+
+ return ret;
+ }
+--
+2.39.2
+
diff --git a/queue-6.1/wifi-iwlwifi-mvm-protect-txq-list-manipulation.patch b/queue-6.1/wifi-iwlwifi-mvm-protect-txq-list-manipulation.patch
new file mode 100644
index 00000000000..04728098258
--- /dev/null
+++ b/queue-6.1/wifi-iwlwifi-mvm-protect-txq-list-manipulation.patch
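Review bot: The two bit numbers added to struct iwl_mvm_txq in mvm.h carry no comment, so a reader has to hunt down the setters to learn what distinguishes them. Within this patch `IWL_MVM_TXQ_STATE_STOP_FULL` follows the `start` argument of iwl_mvm_queue_state_change() in ops.c, and `IWL_MVM_TXQ_STATE_STOP_REDIRECT` is set at the top of the drain in iwl_mvm_redirect_queue() and cleared at its `out:` label in sta.c. I would add `/* bit numbers for state: STOP_FULL tracks iwl_mvm_queue_state_change(), STOP_REDIRECT is held while iwl_mvm_redirect_queue() drains the queue; TX runs only when both are clear */` above the defines. The struct's kernel-doc lies outside the hunk and may still describe the removed `stopped` member.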
@@ -0,0 +1,189 @@
+From 2f815ce6099d4a5d7417b6ab4d861eb0ebeed56a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Mar 2023 10:53:25 +0100
+Subject: wifi: iwlwifi: mvm: protect TXQ list manipulation
+
+From: Johannes Berg
+
+[ Upstream commit 923bf981eb6ecc027227716e30701bdcc1845fbf ]
+
+Some recent upstream debugging uncovered the fact that in
+iwlwifi, the TXQ list manipulation is racy.
+
+Introduce a new state bit for when the TXQ is completely
+ready and can be used without locking, and if that's not
+set yet acquire the lock to check everything correctly.
+
+Reviewed-by: Benjamin Berg
+Tested-by: Jose Ignacio Tornos Martinez
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 45 ++++++-------------
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 2 +
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 1 +
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 25 +++++++++--
+ 4 files changed, 39 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 23e1413ef4719..a841268e0709f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -757,42 +757,25 @@ static void iwl_mvm_mac_wake_tx_queue(struct ieee80211_hw *hw,
+ struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+ struct iwl_mvm_txq *mvmtxq = iwl_mvm_txq_from_mac80211(txq);
+
+- /*
+- * Please note that racing is handled very carefully here:
+- * mvmtxq->txq_id is updated during allocation, and mvmtxq->list is
+- * deleted afterwards.
+- * This means that if:
+- * mvmtxq->txq_id != INVALID_QUEUE && list_empty(&mvmtxq->list):
+- * queue is allocated and we can TX.
+- * mvmtxq->txq_id != INVALID_QUEUE && !list_empty(&mvmtxq->list):
+- * a race, should defer the frame.
+- * mvmtxq->txq_id == INVALID_QUEUE && list_empty(&mvmtxq->list):
+- * need to allocate the queue and defer the frame.
+- * mvmtxq->txq_id == INVALID_QUEUE && !list_empty(&mvmtxq->list):
+- * queue is already scheduled for allocation, no need to allocate,
+- * should defer the frame.
+- */
+-
+- /* If the queue is allocated TX and return. */
+- if (!txq->sta || mvmtxq->txq_id != IWL_MVM_INVALID_QUEUE) {
+- /*
+- * Check that list is empty to avoid a race where txq_id is
+- * already updated, but the queue allocation work wasn't
+- * finished
+- */
+- if (unlikely(txq->sta && !list_empty(&mvmtxq->list)))
+- return;
+-
++ if (likely(test_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state)) ||
++ !txq->sta) {
+ iwl_mvm_mac_itxq_xmit(hw, txq);
+ return;
+ }
+
+- /* The list is being deleted only after the queue is fully allocated. */
+- if (!list_empty(&mvmtxq->list))
+- return;
++ /* iwl_mvm_mac_itxq_xmit() will later be called by the worker
++ * to handle any packets we leave on the txq now
++ */
+
+- list_add_tail(&mvmtxq->list, &mvm->add_stream_txqs);
+- schedule_work(&mvm->add_stream_wk);
++ spin_lock_bh(&mvm->add_stream_lock);
++ /* The list is being deleted only after the queue is fully allocated. */
++ if (list_empty(&mvmtxq->list) &&
++ /* recheck under lock */
++ !test_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state)) {
++ list_add_tail(&mvmtxq->list, &mvm->add_stream_txqs);
++ schedule_work(&mvm->add_stream_wk);
++ }
++ spin_unlock_bh(&mvm->add_stream_lock);
+ }
+
+ #define CHECK_BA_TRIGGER(_mvm, _trig, _tid_bm, _tid, _fmt...) \
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+index b5089349ebb7a..f5c921c41be56 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -731,6 +731,7 @@ struct iwl_mvm_txq {
+ atomic_t tx_request;
+ #define IWL_MVM_TXQ_STATE_STOP_FULL 0
+ #define IWL_MVM_TXQ_STATE_STOP_REDIRECT 1
++#define IWL_MVM_TXQ_STATE_READY 2
+ unsigned long state;
+ };
+
+@@ -829,6 +830,7 @@ struct iwl_mvm {
+ struct iwl_mvm_tvqm_txq_info tvqm_info[IWL_MAX_TVQM_QUEUES];
+ };
+ struct work_struct add_stream_wk; /* To add streams to queues */
++ spinlock_t add_stream_lock;
+
+ const char *nvm_file_name;
+ struct iwl_nvm_data *nvm_data;
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 79e151512fe73..994f597a7102a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1184,6 +1184,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ INIT_DELAYED_WORK(&mvm->scan_timeout_dwork, iwl_mvm_scan_timeout_wk);
+ INIT_WORK(&mvm->add_stream_wk, iwl_mvm_add_new_dqa_stream_wk);
+ INIT_LIST_HEAD(&mvm->add_stream_txqs);
++ spin_lock_init(&mvm->add_stream_lock);
+
+ init_waitqueue_head(&mvm->rx_sync_waitq);
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 41b1b8b6c1e1d..013aca70c3d3b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -383,8 +383,11 @@ static int iwl_mvm_disable_txq(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+ struct iwl_mvm_txq *mvmtxq =
+ iwl_mvm_txq_from_tid(sta, tid);
+
+- mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
++ spin_lock_bh(&mvm->add_stream_lock);
+ list_del_init(&mvmtxq->list);
++ clear_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);
++ mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
++ spin_unlock_bh(&mvm->add_stream_lock);
+ }
+
+ /* Regardless if this is a reserved TXQ for a STA - mark it as false */
+@@ -478,8 +481,11 @@ static int iwl_mvm_remove_sta_queue_marking(struct iwl_mvm *mvm, int queue)
+ disable_agg_tids |= BIT(tid);
+ mvmsta->tid_data[tid].txq_id = IWL_MVM_INVALID_QUEUE;
+
+- mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
++ spin_lock_bh(&mvm->add_stream_lock);
+ list_del_init(&mvmtxq->list);
++ clear_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);
++ mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
++ spin_unlock_bh(&mvm->add_stream_lock);
+ }
+
+ mvmsta->tfd_queue_msk &= ~BIT(queue); /* Don't use this queue anymore */
+@@ -1443,12 +1449,22 @@ void iwl_mvm_add_new_dqa_stream_wk(struct work_struct *wk)
+ * a queue in the function itself.
+ */
+ if (iwl_mvm_sta_alloc_queue(mvm, txq->sta, txq->ac, tid)) {
++ spin_lock_bh(&mvm->add_stream_lock);
+ list_del_init(&mvmtxq->list);
++ spin_unlock_bh(&mvm->add_stream_lock);
+ continue;
+ }
+
+- list_del_init(&mvmtxq->list);
++ /* now we're ready, any remaining races/concurrency will be
++ * handled in iwl_mvm_mac_itxq_xmit()
++ */
++ set_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);
++
+ local_bh_disable();
++ spin_lock(&mvm->add_stream_lock);
++ list_del_init(&mvmtxq->list);
++ spin_unlock(&mvm->add_stream_lock);
++
+ iwl_mvm_mac_itxq_xmit(mvm->hw, txq);
+ local_bh_enable();
+ }
+@@ -1862,8 +1878,11 @@ static void iwl_mvm_disable_sta_queues(struct iwl_mvm *mvm,
+ struct iwl_mvm_txq *mvmtxq =
+ iwl_mvm_txq_from_mac80211(sta->txq[i]);
+
++ spin_lock_bh(&mvm->add_stream_lock);
+ mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
+ list_del_init(&mvmtxq->list);
++ clear_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);
++ spin_unlock_bh(&mvm->add_stream_lock);
+ }
+ }
+
+--
+2.39.2
+
diff --git a/queue-6.1/wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch b/queue-6.1/wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch
new file mode 100644
index 00000000000..3f1c632ae0b
--- /dev/null
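Review bot: In the last sta.c hunk (iwl_mvm_disable_sta_queues) the locked section invalidates `mvmtxq->txq_id` before it clears `IWL_MVM_TXQ_STATE_READY`, whereas iwl_mvm_disable_txq() and iwl_mvm_remove_sta_queue_marking() in the same patch clear the bit first and reset `txq_id` last. The fast path in iwl_mvm_mac_wake_tx_queue() tests READY without taking `add_stream_lock`, so the store order is what a lockless reader can observe; it may be harmless, since clear_bit() gives no ordering guarantee of its own and the consumer of `txq_id` is outside these hunks, but the three teardown sites should agree. I would use `list_del_init(&mvmtxq->list);`, `clear_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);`, `mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;` in that order here as well. All three functions start and end outside their hunks.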
+++ b/queue-6.1/wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch 
@@ -0,0 +1,57 @@
+From 4cc83fe8683a7e5df60651c329db444a48be750b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 12 Mar 2023 14:25:23 +0100
+Subject: wifi: mwifiex: mark OF related data as maybe unused
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 139f6973bf140c65d4d1d4bde5485badb4454d7a ]
+
+The driver can be compile tested with !CONFIG_OF making certain data
+unused:
+
+ drivers/net/wireless/marvell/mwifiex/sdio.c:498:34: error: ‘mwifiex_sdio_of_match_table’ defined but not used [-Werror=unused-const-variable=]
+ drivers/net/wireless/marvell/mwifiex/pcie.c:175:34: error: ‘mwifiex_pcie_of_match_table’ defined but not used [-Werror=unused-const-variable=]
+
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230312132523.352182-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 2 +-
+ drivers/net/wireless/marvell/mwifiex/sdio.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
+index 5dcf61761a165..9a698a16a8f38 100644
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -172,7 +172,7 @@ static const struct mwifiex_pcie_device mwifiex_pcie8997 = {
+ .can_ext_scan = true,
+ };
+
+-static const struct of_device_id mwifiex_pcie_of_match_table[] = {
++static const struct of_device_id mwifiex_pcie_of_match_table[] __maybe_unused = {
+ { .compatible = "pci11ab,2b42" },
+ { .compatible = "pci1b4b,2b42" },
+ { }
+diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
+index 9f506efa53705..ea1c1c2412e72 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
+@@ -479,7 +479,7 @@ static struct memory_type_mapping mem_type_mapping_tbl[] = {
+ {"EXTLAST", NULL, 0, 0xFE},
+ };
+
+-static const struct of_device_id mwifiex_sdio_of_match_table[] = {
++static const struct of_device_id mwifiex_sdio_of_match_table[] __maybe_unused = {
+ { .compatible = "marvell,sd8787" },
+ { .compatible = "marvell,sd8897" },
+ { .compatible = "marvell,sd8997" },
+--
+2.39.2
+